Patching ESXi host using Command Line
search cancel

Patching ESXi host using Command Line

book

Article ID: 343840

calendar_today

Updated On:

Products

VMware vSphere ESXi 8.0 VMware vSphere ESXi 7.0 VMware vSphere ESXi 6.0

Issue/Introduction

This article walks you through the steps for Updating and installing patches on an ESXi host using the command-line interface.

Note:

  • The update command is the recommended method for applying patches. It applies all newer content in a patch, including security fixes, while ignoring any content with a lower revision than the existing packages on the system.
  • The install command, on the other hand, overwrites the existing packages with the content from the patch, which may include new packages or removal of old ones. It can also downgrade packages, which is why it should be used cautiously. However, the install command can be used to downgrade a system (for image profiles only) if the --allow-downgrade flag is set.

Resolution

Before performing any patch or upgrade on an ESXi host, ensure you have a backup of the ESXi host configuration. Follow Broadcom's official documentation for guidance on backing up and restoring the ESXi configuration.

  1. To download the Patch or ISO image, refer Download ESXi patches and ISOs for latest releases
  2. Upload the patch to a datastore on your ESXi host using the Datastore Browser from the vCenter Server or a direct connection to the ESXi host using the vSphere client.

    Note: Broadcom recommends creating a new directory on the datastore and uploading the patch file to this directory.

Steps to Patch or Upgrade an ESXi Host using esxcli software profile:

  1. Log in to the ESXi Shell on your host. For details on how to enable and use ESXi Shell, see Using ESXi Shell in ESXi.
  2. Migrate or power off all virtual machines and then put the host into maintenance mode:
  3. Put the Host into Maintenance Mode: 
    vim-cmd /hostsvc/maintenance_mode_enter
  4. To check if the host is in maintenance mode: 
    vim-cmd /hostsvc/hostsummary | grep inMaintenanceMode
  5. To Update the host using esxcli software profile:

    Apply the Patch Using esxcli software profile (Recommended for profile-based updates):

    1. Run the below command to list the profile name from the Image 
      esxcli software sources profile list -d <location of ZIP file>
      Example: 
      esxcli software sources profile list -d /vmfs/volumes/Datastore/DirectoryName/PatchName.zip
      or 
      esxcli software sources profile list -d /vmfs/volumes/<UUID>/DirectoryName/PatchName.zip
      Where PatchName.zip is the name of the patch file you uploaded to the datastore.
    2. Update the existing image profile by running the below command: 
      esxcli software profile update -p <profile_name> -d <filepath of ZIP file>

      Example:

      esxcli software profile update -p name_of_the_Image_Profile -d /vmfs/volumes/Datastore/DirectoryName/PatchName.zip
  6. To Install the patch using esxcli software profile: Replace esxcli software profile update to esxcli software profile install.

    Note: Options to the update and install commands allow you to perform a dry run, to bypass acceptance level verification, to ignore hardware compatibility check warnings, and so on. The option to bypass hardware compatibility check warnings is only available for ESXi 6.7 Update 1 or later. Do not bypass verification on production systems.

    Options:

    • --profile | -p Specifies the image profile name for the host update. (Required)
    • --depot | -d Specifies the full remote URL of the depot index.xml or the offline bundle (.zip) file location. (Required)
    • --dry-run Performs a simulation of the installation, reporting actions without making changes.
    • --force | -f Bypasses dependency and security checks. Not recommended unless instructed by VMware Support; triggers a warning in the vSphere Client.
    • --maintenance-mode Simulates maintenance mode for installations that require it but does not affect reboot-required remediations.
    • --allow-downgrades Installs VIBs that update, downgrade, or are new to the host. Without this option, only updates and new VIBs are installed.
    • --no-live-install Forces installation to /altbootbank even if live installation is possible; skipped for PXE-booted hosts.
    • --no-sig-check Disables security verification, including signing, posing a high security risk and triggering a SECURITY ALERT in vSphere Client.
    • --proxy Defines the proxy server for HTTP, FTP, and HTTPS connections in the format proxy-url:port.
    • --help For options help.
  7. After the patch has been installed, reboot the ESXi host 
    esxcli system shutdown reboot -r 'apply patch'
  8. After the host has finished booting, exit maintenance mode and power on the virtual machines: 
    vim-cmd hostsvc/maintenance_mode_exit

For more details, refer to the KB article: "ESXi version change is not allowed using esxcli software vib commands."

Steps to Patch or Upgrade an ESXi Host using esxcli software vib: (Alternate way to Patch prior to ESXi 8.0.2)

Note: Starting with ESXi 8.0 Update 2, upgrading or updating ESXi using the commands esxcli software vib update or esxcli software vib install is no longer supported.

  1. To Update the host using esxcli software vib:
    • Using local Setup: 
      esxcli software vib update -d "/vmfs/volumes/Datastore/DirectoryName/PatchName.zip"
      Where PatchName.zip is the name of the patch file you uploaded to the datastore.

      Note: Alternatively, you can use the datastore's UUID instead of the DirectoryName.

      Example:

      esxcli software vib update -d "/vmfs/volumes/datastore1/patch-directory/serverName-201111001.zip"
      or 
      esxcli software vib update -d "/vmfs/volumes/<UUID>/patch-directory/serverName-201111001.zip"
    • Using http setup: esxcli software vib update -v viburl

      Where viburl is the URL to the http depot where VIB packages reside.

      Example:

      esxcli software vib update -v https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/esx/vmw/vib20/tools-light/VMware_locker_tools-light_5.0.0-0.7.515841.vib
      esxcli software vib update -v /vmfs/volumes/data-store/Folder/CIS_bootbank_nenic_2.0.10.0-1OEM.700.1.0.15843807.vib
  2. To Install the patch using esxcli software vib: Replace esxcli software vib update to esxcli software vib install.
  3. Verify that the VIBs are installed on your ESXi host: 
    esxcli software vib list

    Example:

    esxcli software vib list
    Name Version Vendor Acceptance Level Install Date
    ata-pata-amd 0.3.10-3vmw.500.0.0.469512 VMware VMwareCertified ####-##-##
    ata-pata-atiixp 0.4.6-3vmw.500.0.0.469512 VMware VMwareCertified ####-##-##
    ata-pata-cmd64x 0.2.5-3vmw.500.0.0.469512 VMware VMwareCertified ####-##-##
    ata-pata-hpt3x2n 0.3.4-3vmw.500.0.0.469512 VMware VMwareCertified ####-##-##
  4. After the patch has been installed, reboot the ESX host: 
    esxcli system shutdown reboot -r 'apply patch'
  5. After the host has finished booting, exit maintenance mode and power on the virtual machines: 
    vim-cmd hostsvc/maintenance_mode_exit

Additional Information

Powered by Wolken Software