VMware uses sustaining releases to provide enhancements and bug fixes to customers. This article describes the patching model available for the ESXi 5.x and 6.0 platforms.
Patch release and update release are the two types of sustaining releases for ESXi 5.x and 6.0 hosts.
Both patch and update releases have bulletins that can be used by the vSphere Update Manager users to patch the ESXi host. Patch and update releases also have VIB files and image profiles that can be used by the ESXCLI users to patch the ESXi host. Even though patch and update releases are structured in the same manner, they are different in the following aspects:
Patch releases have the following version numbering scheme:
ESXi<ABC>-<YYYYMMSSS>
where A is the major version of ESXi, B is the minor version of ESXi, YYYY is the year of release, MM is the month of release, and SSS is a sequence number.
Example: If an ESXi 5.0.0 Patch release is released in October 2013, then the release is named ESXi500-201310001.
Update releases are named based on the ZIP file name in the following manner:
update-from-esxi5.1-5.1_update02
Example: You can update from ESXi 5.1 to ESXi 5.1 Update 2 using the update-from-esxi5.1-5.1_update02 zip.
vSphere Update Manager enables centralized, automated patch and version management for VMware vSphere and offers support for VMware ESX/ESXi hosts, virtual machines, and virtual appliances. You can upgrade or patch ESXi hosts using the vSphere Update Manager.
A bulletin is the primary entity of a patch and update release. The bulletin was introduced in ESX 4.x as a software container and is still used in ESX 5.x. It logically defines one or more payload files called VIB files. Each VIB corresponds to a system component or driver. Each VIB file is versioned, and vSphere Update Manager (VUM) compares the version of a VIB with the version installed on a target system to determine whether the VIB is applicable.
A bulletin can group dependent VIBs together. Because there are very few dependent VIBs in ESXi 5.x and ESXi 6.0, most bulletins contain a single VIB file.
Note: You can only use vSphere Update Manager to patch ESXi hosts by using bulletins.
All bulletins except the update rollup bulletin have the following version numbering scheme:
ESXi<ABC>-<YYYYMM><T><SS>-<K>G
where A is the major version of ESXi, B is the minor version of ESXi, YYYY is the year of release, MM is the month of release, T is the type of release (its value is 2 for a patch release, 4 for an update release, and 1 for security, with some exceptions), SS is a sequence number, K is the kind of bulletin (its value is B for a bug fix in a patch release, U for a bug fix in an update release, and S for a security fix in a patch or update release), and G is a constant.
Every VIB file contains a cumulative set of fixes. A VIB with a higher version number therefore contains the fixes it was built for along with all fixes from earlier versions of that VIB.
Example: The VMware_bootbank_esx-base_5.0.0-3.41.1311175.vib VIB from ESXi 5.0 Update 3 release contains fixes new to the Update 3 release and all fixes included in earlier versions of VMware_bootbank_esx-base_5.0.0.
This rule applies only within a version of ESXi. Because the version of ESXi is part of the VIB version, every ESXi 5.1.0 VIB has a later version than an ESXi 5.0.0 VIB. An ESXi 5.1.0 VIB does not contain cumulative fixes contained in ESXi 5.0.0 VIBs.
Because a bulletin is a container for VIBs, bulletins with equal VIB contents are cumulative as well.
If a VIB is not fixed in a release, then a bulletin is not created for that VIB in that release. As a result, in a patch release, patch bulletins are sparse. Applying all bulletins from the latest ESXi patch release does not imply that the system contains all available fixes.
Example: A fix for the e1000 driver was shipped in the ESXi500-201207001 release in bulletin ESXi500-201207406-BG. Because there were no new fixes for the e1000 driver in the ESXi500-201209001 release, no e1000 bulletin was created in that release. If you apply all bulletins of the ESXi500-201209001 release to an unpatched ESXi 5.0.0 system, the system does not get the e1000 fix from the ESXi500-201207001 release.
This is also applicable for update release bulletins, but update releases have an additional special bulletin called the rollup bulletin.
Note: If you are using image profiles, then changes are cumulative. For more details, see the Image Profiles Are Cumulative section.
A rollup bulletin contains the latest VIBs with all the fixes since the initial release of ESXi. The rollup bulletin is named after the update release. For example, the rollup bulletin name for the ESXi 5.0.0 Update 3 release is ESXi500-Update03.
Example: Consider the e1000 driver example mentioned in the above section. Even though the ESX 5.0.0 U3 release does not have a specific bulletin that patches the e1000 driver, the ESXi500-Update03 bulletin (the rollup bulletin) includes the latest e1000 VIB which is derived from the last release it was shipped in.
In a patch release, if a VIB is included, it has all the fixes for that VIB from earlier releases. Because a patch release does not contain the same set of VIBs as earlier releases, the best way to determine whether a fix is included is to check at the VIB level of the patch. In an update rollup bulletin, by contrast, if the bulletin or VIB that delivered the fix is from a release prior to the update release, then the fix is present in the update rollup bulletin.
You cannot determine the order of patch and update releases from the release name. Instead of comparing release names, compare bulletin names: later released bulletins carry later dates. If a bulletin contains a VIB from an earlier release, all the earlier fixes for that VIB are present in the new bulletin.
For an update release, compare the release date of the update bulletin with the names or release dates of the other bulletins.
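As an added example that is not VMware's code, the parser below applies the bulletin naming scheme given earlier (ESXi<ABC>-<YYYYMM><T><SS>-<K>G, plus the ESXi<ABC>-Update<NN> form of the rollup bulletin) and orders bulletins by the date embedded in their IDs, which is the comparison the two paragraphs above recommend. The field names in the returned dictionary are this example's own.

```python
import re
from datetime import date

# Bulletin IDs: ESXi<ABC>-<YYYYMM><T><SS>-<K>G; the update rollup bulletin
# is the exception and is named ESXi<ABC>-Update<NN> (e.g. ESXi500-Update03).
BULLETIN_RE = re.compile(
    r"^ESXi(?P<a>\d)(?P<b>\d)(?P<c>\d)-(?P<yyyy>\d{4})(?P<mm>\d{2})"
    r"(?P<t>\d)(?P<ss>\d{2})-(?P<k>[BUS])G$")
ROLLUP_RE = re.compile(r"^ESXi(?P<a>\d)(?P<b>\d)(?P<c>\d)-Update(?P<nn>\d{2})$")
KIND = {"B": "bug fix, patch release", "U": "bug fix, update release",
        "S": "security fix"}

def parse_bulletin(bulletin_id):
    """Split a bulletin ID into its fields; rollup bulletins get kind 'rollup'."""
    m = ROLLUP_RE.match(bulletin_id)
    if m:
        return {"esxi": "%s.%s.%s" % (m["a"], m["b"], m["c"]), "kind": "rollup",
                "update": int(m["nn"]), "security_only": False, "released": None}
    m = BULLETIN_RE.match(bulletin_id)
    if m is None:
        # Release names such as ESXi500-201209001 have no -KG suffix and are rejected.
        raise ValueError("not a patch/update bulletin ID: %r" % bulletin_id)
    return {
        "esxi": "%s.%s.%s" % (m["a"], m["b"], m["c"]),
        "released": date(int(m["yyyy"]), int(m["mm"]), 1),  # month granularity
        "release_type": int(m["t"]),      # the raw T digit; see the scheme above
        "sequence": int(m["ss"]),
        "kind": KIND[m["k"]],
        "security_only": m["k"] == "S",   # SG suffix: security-only bulletin
    }

def newest_first(bulletin_ids):
    """Order dated (non-rollup) bulletins by the YYYYMM in their IDs, newest first.

    Release names cannot be ordered this way, but bulletin IDs can, because a
    later released bulletin always carries a later date.
    """
    dated = [(parse_bulletin(b)["released"], b) for b in bulletin_ids]
    return [b for _, b in sorted(dated, reverse=True)]
```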
The bulletin IDs of security-only bulletins end with an SG suffix. Their VIB payload continues to be cumulative of earlier bug fixes, but they contain only security fixes for the current release.
Starting with ESXi 5.0 Update 1, patch and update releases contain general and security-only bulletins. Security-only bulletins are applicable for new security fixes only. New general bug fixes are not included, but bug fixes from earlier patch or update releases are included.
If there is no non-security bug fix for a VIB, a separate security bulletin is not created in the release.
If there is a non-security bug fix for a VIB, a separate bulletin with a BG or UG suffix is created for the fixed VIB, containing both the security and the non-security fixes. A VIB containing only the security fix has a lower version than the VIB containing both security and non-security fixes in the same release.
The purpose of these bulletins or VIBs is to provide customers with the ability to be compliant with security fixes as soon as possible while giving them time to evaluate the impact of the non-security bug fixes.
ESXCLI is a command-line tool that you can use to manage many aspects of an ESXi host. ESXCLI was introduced in ESXi 5.0 and can be used to install or update an individual VIB file or an image profile. Installing or updating an individual VIB file is an advanced operation, and only advanced users should work with VIB files.
The VIB update operation installs a new VIB on the system only if the currently installed VIB version is lower. If the version of the VIB currently installed on the system is already equal or higher, VIB update performs no action.
Unlike the update operation, the install operation installs exactly what is requested, even if that requires downgrading or removing a VIB.
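The following is an added example, not VMware's code: it models the cumulative-VIB, sparse-bulletin and rollup behaviour described in the bulletin sections above, driven by the update and install semantics just described. Bulletin and release names come from this page's e1000 example; every VIB version string, the ESXi500-201209401-BG bulletin ID and the host inventory are constructed for illustration.

```python
def vib_version_key(version):
    """'5.0.0-3.41.1311175' -> (5, 0, 0, 3, 41, 1311175), so versions compare numerically."""
    return tuple(int(x) for x in version.replace("-", ".").split("."))

def update(host, vib, version):
    """esxcli 'update': install only if the installed version is lower; otherwise no action."""
    current = host.get(vib)
    if current is not None and vib_version_key(current) >= vib_version_key(version):
        return False
    host[vib] = version
    return True

def install(host, vib, version):
    """esxcli 'install': put exactly the requested version in place, even a downgrade."""
    changed = host.get(vib) != version
    host[vib] = version
    return changed

E1000_FIX = "5.0.0-1.25.768111"          # constructed: e1000 VIB version carrying the fix
RELEASES = {                              # release -> bulletin -> {vib: version} (constructed)
    "ESXi500-201207001": {
        "ESXi500-201207406-BG": {"net-e1000": E1000_FIX},
    },
    "ESXi500-201209001": {                # no e1000 bulletin: patch bulletins are sparse
        "ESXi500-201209401-BG": {"esx-base": "5.0.0-1.28.821926"},   # constructed ID
    },
    "ESXi 5.0 Update 3": {                # rollup carries the latest VIB of everything
        "ESXi500-Update03": {"esx-base": "5.0.0-3.41.1311175", "net-e1000": E1000_FIX},
    },
}

def unpatched_host():
    """Constructed inventory of an unpatched ESXi 5.0.0 host (vib -> installed version)."""
    return {"esx-base": "5.0.0-0.0.469512", "net-e1000": "5.0.0-0.0.469512"}

def apply_release(host, release):
    """Apply every bulletin of a release with update semantics, as VUM does."""
    for vibs in RELEASES[release].values():
        for vib, version in vibs.items():
            update(host, vib, version)
    return host

def has_fix(host, vib, fixed_in):
    """Fixes are cumulative within an ESXi version: installed >= fixed_in means present."""
    return vib in host and vib_version_key(host[vib]) >= vib_version_key(fixed_in)
```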
A VIB is the most basic installable unit in the ESXi system. ESXCLI provides an interface to upgrade, install, or remove (if permitted) a VIB file. Only advanced users should work with VIB files.
Every VIB file contains a cumulative set of fixes. A VIB with a higher version number has the latest fix, built on top of all fixes from previous versions of the same VIB.
Example: The VMware_bootbank_esx-base_5.0.0-3.41.1311175.vib VIB from ESXi 5.0 Update 3 release contains fixes new to the Update 3 release as well as all fixes included in earlier versions of VMware_bootbank_esx-base_5.0.0.
This rule is applicable only within a version of ESXi. Because the version of ESXi is part of the VIB version, every ESXi 5.1.0 VIB has a higher version than an ESXi 5.0.0 VIB, but that does not imply that an ESXi 5.1.0 VIB contains the cumulative fixes contained in the 5.0.0 VIBs.
Starting with ESXi 5.0 Update 1, patch and update releases contain general and security-only bulletins. Security-only bulletins are applicable for new security fixes only. New general bug fixes are not included, but bug fixes from earlier patch or update releases are included. A security-only VIB of each released VIB may or may not exist in a release. The only way to find out is through the security-only bulletin or the security-only image profile.
It is not possible to identify a security-only VIB by name or version alone. Tags inside the VIB can be used to identify a security-only VIB and information about the changes can be found in the referenced KB article.
Example:
# esxcli software sources vib get -n tools-light -d offline.zip
VMware_locker_tools-light_5.1.0-2.27.1635572
Name: tools-light
Version: 5.1.0-2.27.1635572
Type: locker
Vendor: VMware
Acceptance Level: VMwareCertified
Summary: Updates the ESX 5.1.0 tools-light
Description: see KB http://kb.vmware.com/kb/2072827 for more details.
ReferenceURLs: kb|http://kb.vmware.com/kb/2072827
Creation Date: 2014-02-27
...etc...
Tags: category:security, severity:important
Payloads: tools
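As an added example (not VMware's code or output), the parser below reads esxcli software sources vib get output of the shape shown above into one dictionary per VIB and flags the VIBs whose Tags mark them as security fixes, together with the KB URL they reference. The sample text embeds the page's tools-light record plus a second, made-up example-driver record so the filter has something to reject.

```python
# Constructed sample output: the tools-light record from the page (indented as
# esxcli prints it) followed by a made-up bug-fix record.
SAMPLE_OUTPUT = """\
VMware_locker_tools-light_5.1.0-2.27.1635572
   Name: tools-light
   Version: 5.1.0-2.27.1635572
   Type: locker
   Vendor: VMware
   Acceptance Level: VMwareCertified
   Summary: Updates the ESX 5.1.0 tools-light
   Description: see KB http://kb.vmware.com/kb/2072827 for more details.
   ReferenceURLs: kb|http://kb.vmware.com/kb/2072827
   Creation Date: 2014-02-27
   Tags: category:security, severity:important
   Payloads: tools
VMware_bootbank_example-driver_5.1.0-0.0.000000
   Name: example-driver
   Version: 5.1.0-0.0.000000
   Tags: category:bugfix, severity:moderate
   Payloads: example-driver
"""

def parse_vib_get(text):
    """Parse 'esxcli software sources vib get' output into a list of dicts, one per VIB."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():             # unindented line: the VIB ID starts a record
            records.append({"ID": line.strip()})
        elif records:                         # indented 'Key: Value' line of the current record
            key, _, value = line.strip().partition(": ")   # first ': ' only; URLs stay intact
            records[-1][key] = value
    return records

def tags(record):
    """Tags field as a set, e.g. {'category:security', 'severity:important'}."""
    return {t.strip() for t in record.get("Tags", "").split(",") if t.strip()}

def security_fix_vibs(records):
    """(name, version, KB URL) for every VIB tagged category:security."""
    out = []
    for r in records:
        if "category:security" in tags(r):
            ref = r.get("ReferenceURLs", "")
            kb = ref.split("|", 1)[1] if "|" in ref else None   # 'kb|URL' -> URL
            out.append((r["Name"], r["Version"], kb))
    return out
```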
An image profile is a software container that VMware uses to logically group a set of VIB files that make up a full installation of ESXi.
The set of VIBs collected in an image profile released by VMware represents the latest released VIBs at the time the image profile was created. Because VIBs contain cumulative fixes, the application of an image profile applies all fixes available as of when the image profile was released.
Note: We do not guarantee that an OEM image profile contains a superset of VIBs that includes all VMware VIBs.
VMware releases a set of image profiles with each patch and update release of ESXi. The set consists of a standard image profile and a no-tools image profile. The standard image profile contains everything in the no-tools image profile plus the tools VIB.
If security-only fixes are shipped in a release, then a second pair of image profiles is provided. These security-only image profiles contain the VIBs with security-only fixes from the current release and all patched VIBs from earlier releases. The patched VIBs from earlier releases include not just security fixes but also the non-security bug fixes from those releases.
Image Profiles have the following version numbering scheme:
ESXi-<ABC>-<YYYYMMRRSSS>[s]-<Z>
where A is the major version of ESXi, B is the minor version of ESXi, YYYY is the year of release, MM is the month of release, RR is the release code, SSS is the release sequence number, [s] is an optional flag indicating a security-only image profile, and Z is the image profile type (its value is either standard or no-tools).
Example: A standard security-only image profile is named ESXi-5.0.0-20140501001s-standard.