After successfully remediating an ESXi 7.0 against the "Critical Host Patches (Predefined)" baseline in VLCM, it is still reported as non-compliant due to missing VIBs
Article ID: 338895
Updated On:
Products
VMware vCenter Server
Issue/Introduction
Customer is trying to bring the ESXi host to a compliance check against LifeCycle Manager / Previously vSphere Update Manager
Symptoms:
Symptoms:
You stage and remediate an ESXi 7.0 against the "critical Host Patches (Predefined)" baseline using vSphere Lifecycle Manager. This operation is finished successfully.
7.0u3b Error:
Cannot download VIB: ''. This might be because of network issues or the specified VIB does NOT exist or does NOT have a proper 'read' privilege set. Please make sure the specified VIB exists and is accessible from vCenter Server.
Environment
VMware vCenter Server 7.0.3
VMware vCenter Server 7.0.x
VMware vCenter Server 7.0.x
Cause
This issue is caused by the way the related VIBs were created. According to their metadata the older generation "intel-nvme-vmd" VIBs are supposed to replace the newer "iavmd" VIB, which according to its metadata is supposed to replace the ""intel-nvme-vmd" VIBs".
If they have patched the vCenter to 7.0u3b since we have pulled this patch the VIBS are no longer accessible through VUM as of now (11/22/2021) this should change once the VIBs are available again.
vSphere Life Cycle Manager cannot resolve this circular reference and decide which of the packages is the latest one, and therefore ends up installing none of the VIBs.
If they have patched the vCenter to 7.0u3b since we have pulled this patch the VIBS are no longer accessible through VUM as of now (11/22/2021) this should change once the VIBs are available again.
vSphere Life Cycle Manager cannot resolve this circular reference and decide which of the packages is the latest one, and therefore ends up installing none of the VIBs.
Resolution
Currently there is no solution for this issue. Please subscribe to this article for future updates.
Workaround:
To work around this issue, you can use a custom baseline instead of the predefined one, where you exclude the intel-nvme-vmd and possibly the 7.0u3b VIBs:
In vSphere Client, go in Menu > Lifecycle Manager
Workaround:
To work around this issue, you can use a custom baseline instead of the predefined one, where you exclude the intel-nvme-vmd and possibly the 7.0u3b VIBs:
In vSphere Client, go in Menu > Lifecycle Manager
- Select "Baselines"
- Select "Critical Host Patches (Predefined)" and click on DUPLICATE
- Enter a name for the baseline and confirm with DUPLICATE
- Select the new baseline and click on EDIT
- Under "Matched" un-selects the following Patches:
- Update Name: Intel NVME Driver with VMD Technology
- Update ID: intel-Volume-Mgmt-Device_2.7.0.1157-2vmw.703.0.10.18905247
- Update Name: VMware ESXi 7.0.3 Patch Release
- Update ID: ESXi70U3b-18905247
- Update Name: ESXi Component - core ESXi VIBs
- Update ID: ESXi_7.0.3-0.10.18905247
- Update Name: ESXi install/Upgrade Component
- Update ID: esx-update_7.0.3-0.10.18905247
- Detach the Critical Host Patch (Predefined) from the host or cluster
- Detach Baselines and Baseline Groups from Objects
- https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.update_manager.doc/GUID-70636F44-9DF2-4FCB-B4C6-71B899B32482.html
- Attach the new duplicated baseline
- remediate the host and check for compliance.
Feedback
Yes
No
Powered by
