Patching a Standalone ESXi host using the shell
Overview
As with any system running software, you are going to have to apply patches to it at some point and VMware is no different. VMware recommends customers install all security patches to maximize the protection that VMware provides. For a list of all security patches, see https://my.vmware.com/group/vmware/patch#search and log in with your My VMware credentials.
Once you have determined that patches are available for ESXi, download the offline bundle so it can be pushed out to each VMware host as needed. You can easily push the offline patch package out manually using the Windows client, but I prefer to download the patch and move it to a local web server for easier distribution. One caveat to using free VMware as a standalone server is that the API is not available. This means we need to log in and turn on SSH so we can perform the following tasks.
Staging the patch
Log in to the ESXi standalone server
Open the Windows client
Select your host
Enter your username
Enter your password
Click "Login"
Enable SSH on the remote ESXi host
In the "Inventory" pane on the left, select the host name
Click the "Configuration" tab
Click "Security Profile" in the Software section
Click on "Properties"
Find "SSH" in the list, select it and click "Options"
Make sure "Start and stop with host" is selected and click "Start"
You can click "OK" then "OK" again
SSH is now running on your VMware server. Log in with an SSH client such as PuTTY.
Log in to your host using PuTTY
Note: Not everyone will have the exact same setup, so there may be inconsistencies between environments. You will have to apply this as a general practice, not necessarily as an exact procedure. I like creating a folder named Patches, which is where I upload patches (ingenious, I know!). This isn’t mandatory in any way though, so it’s really up to you where you want to place the zip file.
Create a folder named “Patches” if one doesn’t exist. You can replace
mkdir /vmfs/volumes/<host>\:<datastore>/Patches/
Change directories into the new folder
cd /vmfs/volumes/<host>\:<datastore>/Patches/
Pull down the patch from your local webserver
wget http://server.domain.tld/VMware/VMware-ESXi-5.5.0-Update3-3568722...Apr2016.zip
Alternatively, use WinSCP to push the file, or upload the patch using the VMware GUI client from your Windows machine.
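Because the bundle above is pulled over plain HTTP, a digest check before patching catches a corrupted or altered download. The following is an added example, not part of the original post: `verify_bundle` and `patch_if_verified` are hypothetical helper names, it assumes the ESXi shell provides `md5sum`, `sha1sum` and `sha256sum`, and the expected digest is whatever the vendor's download page lists for the bundle.

```shell
#!/bin/sh
# Added example (not from the original post): verify a staged patch bundle
# before esxcli is allowed to touch it. Helper names are hypothetical.

# Pick the hash tool from the digest length: 32 hex = MD5, 40 = SHA-1, 64 = SHA-256.
hash_tool_for() {
    case ${#1} in
        32) echo md5sum ;;
        40) echo sha1sum ;;
        64) echo sha256sum ;;
        *)  return 1 ;;
    esac
}

# verify_bundle <zip> <expected-hex-digest>
# Returns 0 on an exact match, 1 on a mismatch, 2 on bad input.
verify_bundle() {
    bundle=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case digests
    [ -f "$bundle" ] || { echo "missing: $bundle" >&2; return 2; }
    case $expected in
        ''|*[!0-9a-f]*) echo "digest is not hex" >&2; return 2 ;;
    esac
    tool=$(hash_tool_for "$expected") || { echo "unsupported digest length" >&2; return 2; }
    actual=$("$tool" "$bundle" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH $bundle: got $actual" >&2
        return 1
    fi
    echo "OK $bundle ($tool)"
}

# patch_if_verified <zip> <expected-hex-digest>
# Runs the update only when the digest matches. Set ESXCLI=echo to rehearse
# the command without changing the host.
patch_if_verified() {
    verify_bundle "$1" "$2" || return $?
    ${ESXCLI:-esxcli} software vib update -d "$1"
}

# Usage on the host (placeholders, fill in your own values):
#   patch_if_verified '/vmfs/volumes/<host>:<datastore>/Patches/<bundle>.zip' '<digest-from-download-page>'
```

A non-zero return means the update was not attempted; delete the file and stage it again rather than retrying the install.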
Suspending running VMs
Like any other VMware server, the standalone host will need to be put into maintenance mode. To do that, the VMs need to be suspended or powered down. A one-liner CLI command can be used to get the current state of every VM and suspend the running ones prior to enabling maintenance mode on the host.
Suspend running VMs
for i in `vim-cmd vmsvc/getallvms |grep -v Vmid |awk '{print $1}'`; do if [ "`vim-cmd vmsvc/power.getstate $i |grep on`" == 'Powered on' ]; then vim-cmd vmsvc/power.suspend $i; echo "$i Suspended"; fi; done
Apply ESXi Patch
Put host into maintenance mode
vim-cmd hostsvc/maintenance_mode_enter
Run patch as an update
esxcli software vib update -d '/vmfs/volumes/host:Storage/Patches/VMware-ESXi-5.5.0-Update3-3568722...Apr2016.zip'
Bring host out of maintenance mode (the VMs will remain suspended)
vim-cmd hostsvc/maintenance_mode_exit
Now we can reboot
reboot
Verify the state of the ESXi host
When the host comes back up, SSH should be disabled and, depending on the autostart parameters, VMs should be running as well. In the event the VMs haven’t started, log in to the GUI and power them on.
You can also log in using the GUI to enable SSH and run this from the command line
for i in `vim-cmd vmsvc/getallvms |grep -v Vmid |awk '{print $1}'`; do if [ "`vim-cmd vmsvc/power.getstate $i |grep Suspended`" ]; then vim-cmd vmsvc/power.on $i; echo "$i Resumed"; fi; done