VMware vSphere customers often rely on custom VMware ESXi images from server OEM partners, such as Cisco, Dell, and HPE, to ensure support for the specific devices that each of those manufacturers include with their hardware. This arrangement makes initial deployment easier, because all the required storage and I/O drivers are included, but often causes confusion when it comes to keeping up to date with the latest security patches published by VMware.
Since OEM partners typically only update custom images in conjunction with significant ESXi version releases or updates, vSphere admins must patch those custom images if security vulnerabilities arise. A great resource for quickly reviewing available ESXi patches and build numbers is KB 2143832. Download applicable patch bundles from My.VMware.
PowerCLI Image Builder enables admins to keep contents of an image profile up to date with the latest patches while still benefiting from the OEM images that contain hardware-specific device drivers. But selecting individual packages, known as VIBs, can be a daunting task for the uninitiated.
Fortunately, there’s a straightforward way to assemble an updated image: In a PowerCLI session, add both the OEM and VMware software depots, clone the OEM profile, and update it with the following command:
Set-ESXImageProfile $ClonedProfile -SoftwarePackage (Get-ESXSoftwarePackage -Newest)
This is the simplest way to keep OEM images up to date with the latest VMware ESXi patches. Don’t forget to export the resulting image profile to a zip or ISO file for subsequent use.
Advanced VMware ESXi Image Profile Creation and Comparison
For those interested in a more full-featured approach to image creation, I’m pleased to share a pair of PowerCLI scripts that provide more automation, as well as detailed information about the contents of your ESXi image profiles. These scripts may be found on the VMware PowerCLI Example Scripts repository, and are not officially supported by GSS.
esxi-image-creator.ps1 is a wrapper around the Image Builder commands that takes care of the additional tasks typically required when creating custom images. Mounting depot files and excluding or including specific VIBs are all handled with ease. An advanced option gives admins the ability to select the latest VIBs by date and not just by version number, for scenarios that warrant such fine-grained tuning. Finally, the resulting image can be written to an ISO and/or zip bundle for use in your deployment workflows.
esxi-image-comparator.ps1 shows exactly what the differences are between two or more profiles. The results can be viewed in the console window, in a GUI, or exported to CSV for safekeeping. An interactive option and profile name include/exclude filters help whittle the selection down to exactly what you’re looking for.
Now you can confidently see every difference to know exactly what is changing in your ESXi image when applying patches!
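The clone-and-update workflow from the previous section, followed by the kind of package comparison the comparator script performs, as an added PowerCLI example (not one of the repository's scripts). The depot file names and output directory are placeholders; the cmdlets are standard PowerCLI Image Builder ones.

```powershell
# Added example: clone an OEM ESXi image profile, fold in the newest VMware
# patch VIBs, optionally drop tools-light for Auto Deploy, report the
# differences against the untouched OEM profile, then export.
param(
    [string]$OemBundle   = ".\OEM-Custom-Bundle.zip",   # placeholder path
    [string]$PatchBundle = ".\ESXi-patch-bundle.zip",   # placeholder path
    [string]$NewName     = "OEM_with_latest_patches",
    [string]$OutDir      = ".\out",
    [switch]$DropTools                                  # exclude tools-light
)
$ErrorActionPreference = "Stop"

# 1. Add both depots: the OEM custom bundle and the VMware patch bundle.
Add-EsxSoftwareDepot $OemBundle, $PatchBundle | Out-Null

# 2. Pick the OEM profile to clone (an OEM bundle normally ships exactly one).
$oem = Get-EsxImageProfile | Where-Object { $_.Vendor -ne "VMware, Inc." } |
       Sort-Object CreationTime -Descending | Select-Object -First 1
if (-not $oem) { throw "No OEM image profile found in $OemBundle" }

# 3. Clone it so the original OEM profile stays intact as the reference.
$new = New-EsxImageProfile -CloneProfile $oem -Name $NewName -Vendor $oem.Vendor

# 4. Update the clone with the newest version of every package in the depots.
Set-EsxImageProfile -ImageProfile $new -SoftwarePackage (Get-EsxSoftwarePackage -Newest)

# 5. Optionally remove VMware Tools, as the Auto Deploy use cases above do.
if ($DropTools) { Remove-EsxSoftwarePackage -ImageProfile $new -SoftwarePackage tools-light }

# 6. Show exactly what changed relative to the OEM reference before exporting.
$diff = Compare-EsxImageProfile -ReferenceProfile $oem -ComparisonProfile $new
"Upgraded  : $($diff.UpgradeFromRef -join ', ')"
"Downgraded: $($diff.DowngradeFromRef -join ', ')"
"Removed   : $($diff.OnlyInRef -join ', ')"
"Added     : $($diff.OnlyInComp -join ', ')"
if ($diff.DowngradeFromRef) { Write-Warning "Downgrades present; review before deploying" }

# 7. Export the result as an offline bundle and as an installable ISO.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Export-EsxImageProfile -ImageProfile $new -ExportToBundle -FilePath (Join-Path $OutDir "$NewName.zip") -Force
Export-EsxImageProfile -ImageProfile $new -ExportToIso    -FilePath (Join-Path $OutDir "$NewName.iso") -Force
```

Run it from a PowerCLI session after importing the VMware.ImageBuilder module; the comparison output is the same data the esxi-image-comparator.ps1 script presents in grid or CSV form.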
Example VMware ESXi Image Management Use Cases
In the following section, I will go over a few sample workflows for image creation and show the resulting comparison output, using the -Grid option.
VMware ESXi 5.5 with Cisco UCS
Update the most recent Cisco custom image for ESXi 5.5 (U3b from December 2015) with the latest VMware patches and updated Cisco async drivers for enic and fnic devices. Exclude the tools-light VIB to optimize for Auto Deploy.
esxi-image-creator.ps1 -NewProfileName Cisco_5.5_OEM_with_express_patch_11 -WriteZip -Files Vmware-ESXi-5.5.0-3248547-Custom-Cisco-184.108.40.206-Bundle.zip,ESXi550-201703001.zip,enic-220.127.116.11-offline_bundle-5367272.zip,fnic_driver_18.104.22.168_ESX55-offline_bundle-4179470.zip
VMware ESXi 6.0 with Dell PowerEdge
Integrate the most recent Dell ESXi 6.0U3 image, which has already been updated by Dell to include the latest express patch 7a (5224934), with NSX VIBs and remove VMware Tools for use with Auto Deploy.
esxi-image-creator.ps1 -NewProfileName Dell_6.0_OEM_5224934_with_NSX -Files VMware-VMvisor-Installer-6.0.0.update03-5224934.x86_64-Dell_Customized-A01.zip,vxlan.zip,vShield-Endpoint-Mux-6.5.0esx60-4885300.zip -Acceptance PartnerSupported
VMware ESXi 6.5 with HPE Proliant
Generate an image that incorporates the latest HPE Proliant packages from their online repository with the most recent ESXi 6.5 offline bundle from VMware.
Add-EsxSoftwareDepot http://vibsdepot.hpe.com/index-ecli-650.xml
esxi-image-creator.ps1 -LeaveCurrentDepotsMounted -NewProfileName ESXi_6.5.0d_with_HPE_drivers -Files ESXi650-201704001.zip -Acceptance PartnerSupported
Public VMware Image Profile Repository
Do not attempt to use the public VMware image profile repository to create a custom image, as it contains many different versions of image profiles and the resulting Frankenimage will likely be entirely unusable.
However, if you would like to generate a spreadsheet comparing every VMware ESXi release, try this:
Add-EsxSoftwareDepot https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
esxi-image-comparator.ps1 | Export-Csv all_profiles.csv
- Custom VMware ESXi images are the best way to get the full benefit of your preferred hardware
- VMware ESXi security and bugfix patches typically need to be added to OEM custom images manually
- These new PowerCLI scripts help streamline the workflow and provide confidence through detailed package comparisons
The post Apply the Latest VMware ESXi Security Patches to OEM Custom Images and Visualize the Differences appeared first on VMware vSphere Blog.