Overview
As with any system running software, you are going to have to apply patches to it at some point, and VMware is no different. VMware recommends customers install all security patches to maximize the protection that VMware provides. For a list of all security patches, go to https://my.vmware.com/group/vmware/patch#search and log in with your My VMware credentials.
Once it has been determined that patches are available for ESXi, download the offline bundle so it can be pushed out to each VMware host as needed. You can easily push the offline patch package out manually using the Windows client, but I prefer to download the patch and move it to a local web server for easier distribution. One caveat to using the free version of VMware as a standalone server is that the API is not available. This means we need to log in and turn on SSH so we can perform the following tasks.
Staging the patch
Log in to the ESXi standalone server
1. Open the Windows client.
2. Select your host.
3. Enter your username.
4. Enter your password.
5. Click "Login".
Enable SSH on the remote ESXi host
1. In the "Inventory" pane on the left, select the host name.
2. Click the "Configuration" tab.
3. Click "Security Profile" in the Software section.
4. Click on "Properties".
5. Find "SSH" in the list, select it and click "Options".
6. Make sure "Start and stop with host" is selected and click "Start".
7. Click "OK", then "OK" again.
SSH is now running on your VMware server and you can log in with an SSH client like PuTTY.
Log in to your host using PuTTY
Note: Not everyone will have the exact same setup, so there may be inconsistencies between environments. You will have to apply this as a general practice, not necessarily as an exact procedure. I like creating a folder named Patches, which is where I upload patches (ingenious, I know!). This isn't mandatory in any way though, so it's really up to you where you want to place the zip file.
Create a folder named "Patches" if one doesn't exist. Replace <host> and <datastore> with appropriate values for your environment.
mkdir /vmfs/volumes/<host>\:<datastore>/Patches/
Change directories into the new folder
cd /vmfs/volumes/<host>\:<datastore>/Patches/
Pull down the patch from your local webserver
wget http://server.domain.tld/VMware/VMware-ESXi-5.5.0-Update3-3568722…Apr2016.zip
Alternatively, you can use WinSCP to push the file, or upload the patch using the VMware GUI client from your Windows machine.
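The wget step above pulls the bundle over plain HTTP, so the transfer itself does not show that the staged file is the one you downloaded from VMware. As an added example (not part of the original post), this shell function compares the staged bundle's SHA-256 with a digest you recorded from a trusted copy before the file is handed to esxcli. The helper name verify_bundle, the file path and the digest are placeholders, and it assumes sha256sum is available in the shell where it runs.

```shell
# Added example (not from the original post): check a staged ESXi offline
# bundle against a trusted SHA-256 digest before it is given to esxcli.
# verify_bundle is a hypothetical helper name; path and digest are placeholders.

# verify_bundle FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 on bad input or a missing tool/file.
verify_bundle() {
    bundle=$1
    expected=$2
    if [ -z "$bundle" ] || [ -z "$expected" ]; then
        echo "usage: verify_bundle <bundle.zip> <expected-sha256>" >&2
        return 2
    fi
    # An interrupted wget can leave an empty file behind.
    if [ ! -s "$bundle" ]; then
        echo "bundle missing or empty: $bundle" >&2
        return 2
    fi
    # Normalize the expected digest: lower-case, no stray whitespace.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f' | tr -d ' \t\r\n')
    case $expected in
        *[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected digest is not 64 hex characters" >&2
        return 2
    fi
    actual=$(sha256sum "$bundle" 2>/dev/null | awk '{print $1}')
    if [ -z "$actual" ]; then
        echo "could not hash $bundle (is sha256sum available?)" >&2
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: $bundle matches the expected digest"
        return 0
    fi
    echo "MISMATCH: $bundle" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Run as: sh verify_bundle.sh <bundle.zip> <expected-sha256>
# Only patch when the check passes, for example:
#   verify_bundle "$BUNDLE" "$EXPECTED" && esxcli software vib update -d "$BUNDLE"
if [ "$#" -eq 2 ]; then
    verify_bundle "$1" "$2"
fi
```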
Suspending running VMs
Like any other VMware server, the standalone host will need to be put into maintenance mode. To do that, the VMs need to be suspended or powered down. A one-line CLI command can be used to get the current state of every VM and suspend the running ones prior to enabling maintenance mode on the host.
Suspend running VMs
for i in `vim-cmd vmsvc/getallvms |grep -v Vmid |awk '{print $1}'`; do if [ "`vim-cmd vmsvc/power.getstate $i |grep on`" = 'Powered on' ]; then vim-cmd vmsvc/power.suspend $i; echo "$i Suspended"; fi; done
Apply ESXi Patch
Put host into maintenance mode
vim-cmd hostsvc/maintenance_mode_enter
Run patch as an update
esxcli software vib update -d '/vmfs/volumes/host:Storage/Patches/VMware-ESXi-5.5.0-Update3-3568722…Apr2016.zip'
Bring host out of maintenance mode (the VMs will remain suspended)
vim-cmd hostsvc/maintenance_mode_exit
Now we can reboot
reboot
Verify the state of the ESXi host
When the host comes back up, SSH should be disabled and, depending on the autostart parameters, VMs should be running as well. In the event the VMs haven't started, log in to the GUI client and power them on.
You can also log in using the GUI to enable SSH and run this from the command line
for i in `vim-cmd vmsvc/getallvms |grep -v Vmid |awk '{print $1}'`; do if [ "`vim-cmd vmsvc/power.getstate $i |grep Suspended`" ]; then vim-cmd vmsvc/power.on $i; echo "$i Resumed"; fi; done