VMware ESXi 5 – Applying Patches and Updates

(ESXi 5 Update 1 and Patches)

KB ID 0000623

Problem

When VMware released ESX 4.1, they took away the “Host update utility”, (which was a mistake!). For people without VMware Update Manager, you now have to either put in the CD/DVD and do an ‘in place upgrade’, or grow a ginger pony tail and put some socks/sandals on and do some Linux.

Below I’ve got a build of ESX with no updates on it. I’m going to apply ‘Update 1’ and then the most recent patch to bring the host up to date (at the time of writing).

Solution

1. Whilst connected to your host with the VI client > Select the host > Configuration > Security Profile > Services Section > Properties > SSH > Options > Start > OK > OK > Exit the VI client.

2. Connect to the host via an SSH command window (PuTTY shown) and log on as the root user. To check your current ‘build’ version, issue the following command;

[box]vmware -v[/box]

3. You should already have a fair idea which piece of storage has the most free space; this host only has one datastore (datastore1), so that’s the one I’m going to download the updates into. To view the datastores, issue the following command;

[box]ls -l /vmfs/volumes/[/box]

4. Change directory, so that you are ‘in’ that datastore and create a directory called ‘UPDATE’.

[box]

cd /vmfs/volumes/datastore1
mkdir UPDATE

[/box]

5. Then change into that directory;

[box]cd UPDATE[/box]

6. From a browser visit the VMware patch portal, locate the update you want to download and install (here it’s VMware 5.0.0 Update 1). Right click the download link and copy the URL.

Note: Patches released after a major update are cumulative, so I also downloaded the ‘latest’ patch.

7. You need to remove the ‘s’ from the https:// at the start of the URL (so that it begins http://). I just paste the link into Notepad, edit it, then copy it again.

8. Back at your command window download the update with the following command;

[box]wget http://hostupdate.vmware.com/software/VUM/OFFLINE/release-328-20120312-212851/update-from-esxi5.0-5.0_update01.zip[/box]

9. When completed, download any other required patches;

[box]wget http://hostupdate.vmware.com/software/VUM/OFFLINE/release-341-20120605-165537/ESXi500-201206001.zip[/box]

10. Before applying the update/patches, the host needs to be in maintenance mode;

[box]vim-cmd hostsvc/maintenance_mode_enter[/box]

11. Then apply the update with the ‘esxcli’ command as follows;

[box]esxcli software vib install -d /vmfs/volumes/datastore1/UPDATE/update-from-esxi5.0-5.0_update01.zip[/box]

12. When complete, you will need to ‘scroll up’ and make sure it says, “Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.”

13. After the update, I am applying the latest patch with the same esxcli syntax, like so;

[box]esxcli software vib install -d /vmfs/volumes/datastore1/UPDATE/ESXi500-201206001.zip[/box]

14. Once again you will need to ‘scroll up’ and locate, “Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.”

15. Now reboot the host;

[box]reboot[/box]

16. Once the host is back online, connect and take it out of maintenance mode.

17. Then locate the folder containing the update software and patches.

18. And delete it.

19. Finally power your guest machines back on again.
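The whole procedure above as a shell script, added here as an example; it is not part of the original article or of VMware’s tooling. It keeps the article’s paths and commands (vim-cmd hostsvc/maintenance_mode_enter and esxcli software vib install -d) and adds two checks a practitioner would want: the downloaded bundle’s SHA-1 is compared with the digest published beside the download before esxcli touches it (that sha1sum is present in the ESXi shell, and the placeholder digests, are assumptions), and the esxcli result is captured to a file and searched for the success message from steps 12 and 14 instead of being scrolled for. Run with no arguments it only exercises the checks against a constructed sample result; run as ‘sh apply_esxi_patches.sh apply’ on the host it performs the install.

```shell
#!/bin/sh
# Added example, not part of the original article: the patch steps above as a
# script that (a) verifies the downloaded bundle against a published checksum
# before esxcli touches it and (b) greps the captured esxcli output for the
# success message instead of scrolling back through the terminal.
# Assumptions (not from the article): sha1sum exists in the ESXi shell, and the
# REPLACE_WITH_PUBLISHED_SHA1 placeholders must be swapped for the digests
# published next to each download on the patch portal.

UPDATE_DIR=/vmfs/volumes/datastore1/UPDATE
SUCCESS_MSG='The update completed successfully'
REBOOT_MSG='needs to be rebooted'

# verify_checksum FILE EXPECTED_SHA1 -> 0 when the digests match, 1 otherwise.
verify_checksum() {
    actual=$(sha1sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# install_succeeded LOG -> 0 when LOG holds the esxcli success message.
install_succeeded() {
    grep -q "Message: $SUCCESS_MSG" "$1"
}

# reboot_required LOG -> 0 when LOG says the host must be rebooted.
reboot_required() {
    grep -q "$REBOOT_MSG" "$1"
}

# apply_bundle BUNDLE SHA1: checksum, install, then judge the result from the log.
apply_bundle() {
    bundle=$1
    log="$bundle.log"
    if ! verify_checksum "$bundle" "$2"; then
        echo "REFUSED: checksum mismatch for $bundle" >&2
        return 1
    fi
    esxcli software vib install -d "$bundle" >"$log" 2>&1
    if install_succeeded "$log"; then
        echo "OK: $bundle installed (log: $log)"
        return 0
    fi
    echo "FAILED: $bundle, see $log" >&2
    return 1
}

# Constructed sample of esxcli's result block, used for the offline demo only.
sample_result() {
    cat <<'EOF'
Installation Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
EOF
}

if [ "$#" -gt 0 ] && [ "$1" = "apply" ]; then
    # Real run on the host: maintenance mode first, then the two bundles from
    # the article (Update 1, then the later cumulative patch), in order.
    vim-cmd hostsvc/maintenance_mode_enter
    apply_bundle "$UPDATE_DIR/update-from-esxi5.0-5.0_update01.zip" REPLACE_WITH_PUBLISHED_SHA1 \
      && apply_bundle "$UPDATE_DIR/ESXi500-201206001.zip" REPLACE_WITH_PUBLISHED_SHA1 \
      && echo "Both bundles applied; reboot the host now."
else
    # Offline demo: run the result checks over the constructed sample.
    sample_result >/tmp/esxi-sample.log
    install_succeeded /tmp/esxi-sample.log && echo "sample log: success message found"
    reboot_required /tmp/esxi-sample.log && echo "sample log: reboot required"
    rm -f /tmp/esxi-sample.log
fi
```

Because a checksum mismatch makes apply_bundle refuse the install and return 1, the second bundle is never attempted when the first one fails, which matches the article’s ordering (Update 1 before the later patch).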

Related Articles, References, Credits, or External Links

Enable SSH Access to vSphere ESXi

Upgrade vSphere 4 Environment to vSphere 5

Update VMware ESXi from 4.0 to 4.1

Upgrade ESX 3 to version 4.1.0

Cisco IOS – Setup Remote Telnet/SSH Management

KB ID 000093

Problem

Having the ability to remotely administer network devices means I don’t have to get my lazy carcass out of my chair and start fishing console cables out of my bag; it also saves on shoe leather and travelling time.

Solution

Cisco Router / Switch – Setup Telnet Access

These days people frown at Telnet. It’s an insecure protocol so your password is sent in clear text over the wire, and can be seen by anyone sniffing traffic. For that reason SSH is preferred, but for completeness I’ll start with Telnet.

1. Log in to the device > Go to enable mode > Go to configuration mode > Enable Telnet and set a password.

[box]

Router0>enable
Router0#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router0(config)#line vty 0 4
Router0(config-line)#transport input telnet
Router0(config-line)#password P@ssword123

[/box]

2. Save the changes and test.

[box]

Router0(config)#exit
Router0#write mem 
Building configuration...
[OK]
Router0#

[/box]

Cisco Router / Switch – Setup SSH Access

1. SSH is a little more involved. Before you can connect via SSH you need an RSA key pair, and before you can generate the key pair you need a host name and a domain name.

[box]

Router0>enable
Router0#conf terminal
Router0(config)#hostname Petes-Router
Petes-Router(config)#ip domain-name petenetlive.com
Petes-Router(config)#crypto key generate rsa modulus 2048
The name for the keys will be: Petes-Router@petenetlive.com

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 17 seconds)

Petes-Router(config)#

[/box]

2. Another prerequisite is usernames and passwords. These can be managed by a separate AAA solution like RADIUS, TACACS+, or Active Directory, but for this example I’ll simply set them up on the device and use local authentication.

Note: I set myself up with privilege 15, which means that when I log on I land at enable mode straight away; the other user account does not, and needs to know the enable password to make any changes.

[box]

Petes-Router(config)#username testuser password testpassword
Petes-Router(config)#username petelong privilege 15 password P@ssword123

[/box]

3. Now allow remote management via SSH only, and save the changes.

[box]

Petes-Router(config)#line vty 0 4
Petes-Router(config-line)#transport input ssh
Petes-Router(config-line)#exit
Petes-Router(config)#exit
Petes-Router#write mem 
Building configuration...
[OK]
Petes-Router#

[/box]

4. Finally you need to enable AAA Authentication to use the local database;

[box]

Petes-Router#conf terminal
Petes-Router(config)#aaa new-model
Petes-Router(config)#aaa authentication login default local
Petes-Router(config)#aaa authorization exec default local

[/box]

WARNING

This will also enable username/password authentication for ‘console’ (rollover cable) access. I don’t like that, so I remove it with the following commands;

[box]

Switch(config)#aaa authentication login CONSOLE none
Switch(config)#line console 0
Switch(config-line)#login authentication CONSOLE

[/box]

Cisco Router – Restricting Telnet and SSH Access via Access List

You can lock remote management down further by allowing or denying access with an ACL.

WARNING: If doing this remotely, and only using SSH, remember to generate the key and create the users FIRST, or you may lock yourself out. If you are worried, schedule a reload in twenty minutes, do the work, and if it works cancel the reload; if it all explodes, go and have a coffee, and when you come back the device will have rebooted to its saved configuration (so don’t ‘write mem’ until you have confirmed you can still get in)!

Schedule a Router Reload

[box]

Petes-Router#reload in 20
Reload scheduled in 20 minutes by petelong on vty0 (123.123.123.123)
Reload reason: Reload Command
Proceed with reload? [confirm] {Enter}
Petes-Router#

---CARRY OUT THE CHANGES---

Petes-Router#reload cancel
Petes-Router#

***
*** --- SHUTDOWN ABORTED ---
***

[/box]

1. From the top, let’s create a user and set up the RSA key (skip this step if you have already done this).

[box]

Router0>enable
Router0#conf terminal
Router0(config)#hostname Petes-Router
Petes-Router(config)#ip domain-name petenetlive.com
Petes-Router(config)#username petelong privilege 15 password P@ssword123
Petes-Router(config)#crypto key generate rsa modulus 2048
The name for the keys will be: Petes-Router@petenetlive.com

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 17 seconds)
Petes-Router(config)#

[/box]

2. Now create an access-list to allow and deny access (the usual ACL rules apply).

Note: Port 23 is Telnet and port 22 is SSH

[box]

Petes-Router(config)#ip access-list extended VTY_ACCESS
Petes-Router(config-ext-nacl)#10 permit tcp 123.123.123.123 0.0.0.0 any eq 23
Petes-Router(config-ext-nacl)#20 permit tcp 123.123.123.123 0.0.0.0 any eq 22
Petes-Router(config-ext-nacl)#30 permit tcp 10.1.1.0 0.0.0.255 any eq 23
Petes-Router(config-ext-nacl)#100 deny ip any any
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#

[/box]

3. In this example I will set the transport input to all (that’s Telnet AND SSH), then lock access down to the ACL we have just created.

[box]

Petes-Router(config)#line vty 0 4
Petes-Router(config-line)#transport input all
Petes-Router(config-line)#login local
Petes-Router(config-line)#access-class VTY_ACCESS in
Petes-Router(config-line)#exit
Petes-Router(config)#exit

[/box]

4. Save your changes and test.

[box]

Petes-Router#write mem 
Building configuration...
[OK]
Petes-Router#

[/box]
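The vty settings from the SSH and ACL sections above, checked after the fact: an added example, not part of the original article, that audits the ‘line vty’ stanzas of a saved IOS configuration (copy the output of ‘show running-config’ to a file) and reports where cleartext Telnet is still reachable, where no access-class is applied, and where no login check is configured (a global ‘aaa new-model’, as in step 4 of the SSH section, counts as one). The three configurations it runs over are constructed samples, not output from a real device; the third one is the article’s own ACL section, which still allows Telnet because it uses ‘transport input all’.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the "line vty"
# stanzas of a saved IOS running-config for the settings the SSH and ACL
# sections configure. All sample configurations are constructed.

# audit_vty CONFIG: print one finding per problem found in each "line vty"
# stanza. Flags: transport input "all" or "telnet" (cleartext Telnet reachable)
# or not set at all, no access-class applied, and no login check unless the
# config has a global "aaa new-model".
audit_vty() {
    awk '
    function report(    t) {
        t = (transport == "") ? "unset" : transport
        if (transport == "" || transport == "all" || transport == "telnet")
            print stanza ": Telnet reachable (transport input " t ")"
        if (!acl)            print stanza ": no access-class applied"
        if (!login && !aaa)  print stanza ": no login configured"
    }
    /^aaa new-model/ { aaa = 1 }
    /^line vty/ { if (invty) report(); invty = 1; stanza = $0
                  transport = ""; acl = 0; login = 0; next }
    /^line / || /^!/ || /^end/ { if (invty) report(); invty = 0 }
    invty && /transport input/ { transport = $3 }
    invty && /access-class/    { acl = 1 }
    invty && /^ *login/        { login = 1 }
    END { if (invty) report() }
    ' "$1"
}

# vty_finding_count CONFIG -> number of findings, printed on stdout.
vty_finding_count() {
    audit_vty "$1" | wc -l | tr -d ' '
}

# write_samples DIR: three constructed configs, the first two mirroring the
# Telnet and ACL sections of the article, the third SSH-only with AAA.
write_samples() {
    cat >"$1/telnet.cfg" <<'EOF'
hostname Router0
!
line vty 0 4
 password P@ssword123
 transport input telnet
!
end
EOF
    cat >"$1/acl_all.cfg" <<'EOF'
hostname Petes-Router
!
line vty 0 4
 transport input all
 login local
 access-class VTY_ACCESS in
!
end
EOF
    cat >"$1/ssh_only.cfg" <<'EOF'
hostname Petes-Router
aaa new-model
aaa authentication login default local
!
line vty 0 4
 access-class VTY_ACCESS in
 transport input ssh
!
end
EOF
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
for cfg in telnet acl_all ssh_only; do
    echo "== $cfg.cfg: $(vty_finding_count "$SAMPLES/$cfg.cfg") finding(s)"
    audit_vty "$SAMPLES/$cfg.cfg"
done
rm -rf "$SAMPLES"
```

The Telnet-section sample produces three findings, the article’s ACL section one (Telnet reachable), and the SSH-only sample none; point audit_vty at a saved running-config to check a real device the same way.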


Related Articles, References, Credits, or External Links

NA