The purpose of this article is to provide guidance on upgrading only the vCenter Server appliance.
Affected VCF versions: 3.10.0, 3.10.0.1, 3.10.1, 3.10.1.1, 3.10.1.2, 3.10.2, 3.10.2.1, 3.10.2.2, 3.11, and 3.11.0.1.
The information contained in this article applies to both VCF on Dell EMC VxRail environments and vSAN Ready Nodes environments.
As documented in VMSA-2022-0030, all versions of the vCenter Server 6.7 appliance that are prior to 6.7 Update 3s are affected by the vulnerabilities listed in the advisory.
VMware Cloud Foundation (VCF) 3.x versions 3.10.0, 3.10.0.1, 3.10.1, 3.10.1.1, 3.10.1.2, 3.10.2, 3.10.2.1, 3.10.2.2, 3.11, and 3.11.0.1 are likewise impacted by the vulnerabilities listed in the advisory.
All the documented security issues are resolved in VMware vCenter Server 6.7 Update 3s.
VMware Cloud Foundation Version | Upgrade Options |
---|---|
Prior to 3.10.0 | Upgrade to 3.10.0 or later and then follow the respective recommended approach below. |
3.10.0 | Apply the steps in the Workaround section of this article. |
3.10.0.1 | Follow KB 85719 and then apply the steps in the Workaround section of this article. |
3.10.1.x | Apply the steps in the Workaround section of this article. |
3.10.2.x | Apply the steps in the Workaround section of this article. |
3.11 | Apply the steps in the Workaround section of this article. |
3.11.0.1 | Apply the steps in the Workaround section of this article. |
Workaround:
To work around the issue, follow the steps below:
STEP 1: Perform the steps below on each VMware vCenter Server virtual machine and each external PSC deployed in your VMware Cloud Foundation environment.
Take powered-off, concurrent snapshots of all PSCs and VCs in the SSO domain prior to patching.
Apply the VMware vCenter server 6.7 Update 3s patch available at the Product Patch page to all external PSCs and vCenter Servers (Management & VI Domain) in the environment.
STEP 2: Update inventory for each upgraded VMware vCenter Server and each External PSC
Log in to the SDDC Manager VM via SSH and sudo to the root account.
Get the PSC/VC ID from the VCF inventory. To get vCenter/PSC details from the VCF inventory, run the following curl commands:
For vCenter Server
$ curl localhost/inventory/vcenters | json_pp
Sample Output:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 353 0 353 0 0 35300 0 --:--:-- --:--:-- --:--:-- 3530
[
{
"hostName" : "vcenter-1.vrack.vsphere.local",
"vmName" : "vcenter-1",
"id" : "<vCenter_Id>",
"version" : "<current version>",
"datastoreForVmDeploymentName" : "vsan",
"domainType" : "MANAGEMENT",
"status" : "ACTIVE",
"bundleRepoDatastore" : "lcm-bundle-repo",
"domainId" : "68ae2add-####-####-####-########ab1",
"managementIpAddress" : "10.0.0.6"
}
]
For PSC
$ curl localhost/inventory/pscs | json_pp
Sample Output:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 756 0 756 0 0 84000 0 --:--:-- --:--:-- --:--:-- 84000
[
{
"domain" : "vsphere.local",
"bundleRepoDatastore" : "lcm-bundle-repo",
"status" : "ACTIVE",
"vmName" : "psc-2",
"hostName" : "psc-2.vrack.vsphere.local",
"id" : "<psc_Id>",
"replica" : true,
"version" : "<current version>",
"datastoreName" : "vsan",
"domainId" : "68ae2add-####-####-####-########ab1",
"managementIpAddress" : "10.0.0.7",
"subDomain" : "vrack.vsphere.local"
},
{
"managementIpAddress" : "10.0.0.5",
"subDomain" : "vrack.vsphere.local",
"hostName" : "psc-1.vrack.vsphere.local",
"id" : "<psc_Id>",
"bundleRepoDatastore" : "lcm-bundle-repo",
"domain" : "vsphere.local",
"status" : "ACTIVE",
"vmName" : "psc-1",
"datastoreName" : "vsan",
"version" : "<current version>",
"replica" : false,
"domainId" : "68ae2add-####-####-####-########ab1"
}
]
The "id" field in the response corresponds to the vCenter/PSC ID.
The "version" field for each vCenter/PSC gives its current version.
Update the VCF inventory for vCenter Servers and PSCs.
Note: Repeat the commands below for every vCenter Server that was upgraded, using its corresponding vCenter ID.
<SDDC_Manager_FQDN > = Fully qualified domain name of SDDC manager.
<vCenter_Id> = Id of VCENTER for which version is to be updated in VCF inventory.
<psc_Id> = Id of PSC for which version is to be updated in VCF inventory.
The build number of VC/PSC 6.7 Update 3s is 20540798, so the version that needs to be inserted is 6.7.0-20540798.
For vCenter Server
$ curl -X PATCH '<SDDC_Manager_FQDN >/inventory/entities/<vCenter_Id>' -d '{"version":"6.7.0-20540798", "type":"VCENTER"}' -H 'Content-Type:application/json'
For PSC
$ curl -X PATCH '<SDDC_Manager_FQDN >/inventory/entities/<psc_Id>' -d '{"version":"6.7.0-20540798", "type":"PSC"}' -H 'Content-Type:application/json'
Verify vCenter Server and PSC versions.
For vCenter Server
$ curl localhost/inventory/vcenters | json_pp
Sample Output:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 353 0 353 0 0 35300 0 --:--:-- --:--:-- --:--:-- 35300
[
{
"hostName" : "vcenter-1.vrack.vsphere.local",
"vmName" : "vcenter-1",
"id" : "<vCenter_Id>",
"version" : "6.7.0-20540798",
"datastoreForVmDeploymentName" : "vsan",
"domainType" : "MANAGEMENT",
"status" : "ACTIVE",
"bundleRepoDatastore" : "lcm-bundle-repo",
"domainId" : "68ae2add-####-####-####-########ab1",
"managementIpAddress" : "10.0.0.6"
}
]
For PSC
$ curl localhost/inventory/pscs | json_pp
Sample Output:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 756 0 756 0 0 47250 0 --:--:-- --:--:-- --:--:-- 47250
[
{
"hostName" : "psc-2.vrack.vsphere.local",
"subDomain" : "vrack.vsphere.local",
"domain" : "vsphere.local",
"id" : "<psc_Id>",
"vmName" : "psc-2",
"version" : "6.7.0-20540798",
"datastoreName" : "vsan",
"bundleRepoDatastore" : "lcm-bundle-repo",
"domainId" : "68ae2add-####-####-####-########ab1",
"status" : "ACTIVE",
"managementIpAddress" : "10.0.0.7",
"replica" : true
},
{
"bundleRepoDatastore" : "lcm-bundle-repo",
"id" : "<psc_Id>",
"hostName" : "psc-1.vrack.vsphere.local",
"subDomain" : "vrack.vsphere.local",
"domain" : "vsphere.local",
"datastoreName" : "vsan",
"version" : "6.7.0-20540798",
"vmName" : "psc-1",
"managementIpAddress" : "10.0.0.5",
"replica" : false,
"domainId" : "68ae2add-####-####-####-########ab1",
"status" : "ACTIVE"
}
]
After a few minutes, go to the SDDC Manager UI to verify the VC/PSC version.
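The verification in Step 2 can also be scripted. The following is an added example, not part of the original article or VMware tooling: it reads the JSON returned by /inventory/vcenters or /inventory/pscs and reports every entry whose recorded version is below build 20540798 or cannot be parsed. The sample data, the psc-3 host, the example-id values and the assumption that build numbers increase within the 6.7.0 line are constructed for illustration.

```python
import json
import re
import sys

FIXED_BUILD = 20540798  # 6.7 Update 3s build number stated in the article
VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)-(\d+)$")

# Constructed sample in the shape of the /inventory/pscs output shown above.
SAMPLE_PSCS = """[
  {"hostName": "psc-1.vrack.vsphere.local", "id": "example-id-1",
   "version": "6.7.0-20540798", "status": "ACTIVE"},
  {"hostName": "psc-2.vrack.vsphere.local", "id": "example-id-2",
   "version": "6.7.0-19300125", "status": "ACTIVE"},
  {"hostName": "psc-3.vrack.vsphere.local", "id": "example-id-3",
   "version": "<current version>", "status": "ACTIVE"}
]"""


def audit_inventory(inventory_json, fixed_build=FIXED_BUILD):
    """Return (hostName, id, version, reason) for every entry not at the fixed build."""
    findings = []
    for entity in json.loads(inventory_json):
        version = str(entity.get("version", ""))
        match = VERSION_RE.match(version)
        if match is None:
            reason = "version not in <release>-<build> form"
        elif match.group(1) != "6.7.0":
            reason = "not a 6.7.0 release, review manually"
        elif int(match.group(2)) < fixed_build:
            # Assumption: build numbers increase monotonically within 6.7.0.
            reason = "build below 6.7 Update 3s"
        else:
            continue
        findings.append((entity.get("hostName"), entity.get("id"), version, reason))
    return findings


if __name__ == "__main__":
    # Pipe real output in: curl -s localhost/inventory/vcenters | python3 <this file>
    data = SAMPLE_PSCS if sys.stdin.isatty() else sys.stdin.read()
    results = audit_inventory(data)
    for host, entity_id, version, reason in results:
        print(f"{host} (id {entity_id}): {version} -> {reason}")
    sys.exit(1 if results else 0)
```

A non-zero exit status means at least one inventory entry still needs Step 1 or Step 2 applied.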
STEP 3: Update Version Alias configuration (one time activity per SDDC manager instance).
To update the version aliases, execute the commands below from the SDDC Manager virtual machine:
For vCenter Server:
curl '<SDDC Manager FQDN>/v1/system/settings/version-aliases/VCENTER/<Base version of VC>' -X PUT -H 'Content-Type: application/json' -H 'Accept: application/json' -d '{"aliases" : [ "<Applied VC hot patch version>" ], "forceUpdate" : true}'
<Base version of VC> = VC version of the latest release on which the hot patch was installed.
<Applied VC hot patch version> = The VC version after successfully applying the hot patch.
Example:
<Base version of VC> - 6.7.0-19300125
<Applied VC hot patch version> - 6.7.0-20540798
curl 'http://localhost/v1/system/settings/version-aliases/VCENTER/6.7.0-19300125' -X PUT -H 'Content-Type: application/json' -H 'Accept: application/json' -d '{"aliases" : [ "6.7.0-20540798" ], "forceUpdate" : true}'
For PSC:
curl '<SDDC Manager FQDN>/v1/system/settings/version-aliases/PSC/<Base version of PSC>' -X PUT -H 'Content-Type: application/json' -H 'Accept: application/json' -d '{"aliases" : [ "<Applied PSC hot patch version>" ], "forceUpdate" : true}'
<Base version of PSC> = PSC version of the latest release on which the hot patch was installed.
<Applied PSC hot patch version> = The PSC version after successfully applying the hot patch.
Example:
<Base version of PSC> - 6.7.0-19300125
<Applied PSC hot patch version> - 6.7.0-20540798
curl 'http://localhost/v1/system/settings/version-aliases/PSC/6.7.0-19300125' -X PUT -H 'Content-Type: application/json' -H 'Accept: application/json' -d '{"aliases" : [ "6.7.0-20540798" ], "forceUpdate" : true}'
Note:
Repeat for all domains in your Cloud Foundation environment.
Every time a new VI workload domain is created, steps 1 and 2 need to be performed again.