The patch can be applied on ESXi hosts using VMware Update Manager (VUM) from vCenter.
VMware ESXi 6.7, Patch Release ESXi670-202206001
Proceed to the next section only after every host that requires the patch has been updated.
The VCF inventory must be updated for every host on which the hot patch is applied via VUM, because an asynchronous update of an ESXi host does not update the host version in the VCF inventory.
1. To update the inventory, first capture the host ID of each host on which the patch was applied and the version of the ESXi patch used for the update. To get host details from the VCF inventory, log in to SDDC Manager via SSH and run the following command:
curl localhost/inventory/hosts | json_pp
Note: This returns a list of all hosts. The "id" field in each host entry is the host ID.
2. From the output, also note the version of each host.
3. Update the VCF inventory for each host on which the patch was applied, using the following command:
curl -X PATCH 'localhost/inventory/entities/<HOST_ID>' -d '{"version":"<ESXI_PATCH_VERSION>", "type":"ESXI"}' -H 'Content-Type:application/json'
<HOST_ID> ID of the host whose version is to be updated in the VCF inventory
<ESXI_PATCH_VERSION> Version of the ESXi patch that was applied on the hosts
Example:
<HOST_ID> - ########-####-####-####-########fde4
<ESXI_PATCH_VERSION> - 6.7.0-19898906
curl -X PATCH 'localhost/inventory/entities/########-####-####-####-########fde4' -d '{"version":"6.7.0-19898906", "type":"ESXI"}' -H 'Content-Type:application/json'
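Steps 1 to 3 can be checked before anything is written to the inventory. The following is an added example, not VMware's code: it compares the inventory listing with the hosts that were patched, validates the host ID and version format, and emits the step 3 command only for hosts whose recorded version is stale. It assumes the hosts endpoint returns a JSON array whose entries carry "id" and "version" fields; the function name and the sample hosts are constructed.

```python
import json
import re
import shlex

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+-\d+$")  # e.g. 6.7.0-19898906

# Constructed sample of `curl localhost/inventory/hosts` output.
# Assumption: a JSON array of host entries with "id" and "version" fields.
SAMPLE_INVENTORY = """[
  {"id": "11111111-aaaa-4aaa-8aaa-000000000001", "version": "6.7.0-19195723"},
  {"id": "11111111-aaaa-4aaa-8aaa-000000000002", "version": "6.7.0-19898906"}
]"""


def plan_inventory_updates(inventory_json, patched_ids, patch_version):
    """Return (commands, problems) for hosts patched out of band via VUM."""
    if not VERSION_RE.match(patch_version):
        raise ValueError("unexpected ESXi version format: %r" % patch_version)
    hosts = {h["id"]: h for h in json.loads(inventory_json)}
    body = json.dumps({"version": patch_version, "type": "ESXI"})
    commands, problems = [], []
    for host_id in patched_ids:
        if not UUID_RE.match(host_id):
            # Reject anything that could alter the request path.
            problems.append("%s: not a host id" % host_id)
        elif host_id not in hosts:
            problems.append("%s: not in inventory" % host_id)
        elif hosts[host_id].get("version") != patch_version:
            # Inventory still shows the old build: emit the step 3 command.
            url = "localhost/inventory/entities/" + host_id
            commands.append(
                "curl -X PATCH %s -d %s -H 'Content-Type:application/json'"
                % (shlex.quote(url), shlex.quote(body)))
    return commands, problems


if __name__ == "__main__":
    cmds, probs = plan_inventory_updates(
        SAMPLE_INVENTORY,
        ["11111111-aaaa-4aaa-8aaa-000000000001",
         "11111111-aaaa-4aaa-8aaa-000000000002",
         "11111111-aaaa-4aaa-8aaa-000000000009"],
        "6.7.0-19898906")
    print("\n".join(cmds))
    print("\n".join(probs))
```

Running the same function again after the PATCH calls, on a fresh inventory listing, should return no commands; that confirms every patched host is recorded at the new version.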
1. To update the version aliases, run the following command:
curl -k 'http://localhost/v1/system/settings/version-aliases/ESX_HOST/<Base version of ESXI host>' -X PUT -H 'Content-Type: application/json' -H 'Accept: application/json' -d '{"aliases" : [ "<Applied ESXI hot patch version>" ], "forceUpdate" : true}'
<Base version of ESXI host> ESXi host version of the latest release on which the hot patch was installed.
<Applied ESXI hot patch version> The ESXi host version after the hot patch has been applied successfully.
Example:
<Base version of ESXI host> - 6.7.0-19195723
<Applied ESXI hot patch version> - 6.7.0-19898906
curl -k 'http://localhost/v1/system/settings/version-aliases/ESX_HOST/6.7.0-19195723' -X PUT -H 'Content-Type: application/json' -H 'Accept: application/json' -d '{"aliases" : [ "6.7.0-19898906" ], "forceUpdate" : true}'
After applying patches, the "forceHyperthreadingMitigation" advanced setting must be enabled in ESXi to mitigate CVE-2022-21123, CVE-2022-21125, and CVE-2022-21166.
See https://kb.vmware.com/s/article/88632 for details.