If your SDDC Manager appliance has a connection to the internet (either directly or through a proxy server), you can run the Async Patch Tool from the SDDC Manager appliance to download and enable an async patch. Once the patch is successfully enabled, you can use the SDDC Manager UI to apply the patch to all workload domains.

Prerequisites

  • Refer to KB 88287 to ensure that the async patch is supported with your version of VMware Cloud Foundation. Contact VMware Support if you have questions about the available async patches and which versions of VMware Cloud Foundation support them.
  • You must have the latest version of the Async Patch Tool.
    Note: If an existing or older version of the Async Patch Tool exists in the directory, you will need to remove these files before downloading the latest version of the Async Patch Tool.

    rm -r /home/vcf/asyncPatchTool

    rm -r <outputdirectory>

    The default directory is /home/vcf/apToolBundles if outputDirectory was not specified when the Async Patch Tool was previously run.

  • Configure TCP keepalive in your SSH client to prevent socket connection timeouts when using the Async Patch Tool for long-running operations.
  • The Async Patch Tool is supported with VMware Cloud Foundation 4.2.1 and later. This release also supports ESXi and VxRail Manager patching of VMware Cloud Foundation on VxRail.

Procedure

  1. Download the most recent version of the Async Patch Tool to a computer that has access to the SDDC Manager appliance.
    1. Log in to the Broadcom Support Portal and browse to My Downloads > VMware Cloud Foundation.
    2. Click your current version of VMware Cloud Foundation.
    3. Click Drivers & Tools.
    4. Click the download icon for the Async Patch Tool.
  2. Copy the Async Patch Tool to the SDDC Manager appliance and configure it for use.
    1. SSH in to the SDDC Manager appliance using the vcf user account.
    2. Create the asyncPatchTool directory. 
      mkdir /home/vcf/asyncPatchTool
    3. Copy the Async Patch Tool file (vcf-async-patch-tool-<version>.tar.gz) that you downloaded in step 1 to the /home/vcf/asyncPatchTool directory.
    4. Navigate to /home/vcf/asyncPatchTool and extract the contents of vcf-async-patch-tool-<version>.tar.gz. 
      tar -xvf vcf-async-patch-tool-<version>.tar.gz
    5. Set the permissions for the asyncPatchTool directory. 
      cd /home/vcf/
      chmod -R 755 asyncPatchTool
      chown -R vcf:vcf asyncPatchTool
  3. List the available async patches.
    1. Navigate to /home/vcf/asyncPatchTool/bin.
    2. Run the following command: 
      ./vcf-async-patch-tool --listAsyncPatch --du broadcom_support_email
      Replace customer_connect_email with your Broadcom Support portal email address.
      Optionally, you can use the --sku and --productType options to filter the list of patches. See VCF Async Patch Tool Options for details.
      --outputDirectory is optional and can be used to specify a location for the download. Select a directory that has enough free space for the bundle. If you do not specify a location, the Async Patch Tool displays the default location in its output. For example: /root/apToolBundles.
      Note: If you connect to the internet through a proxy server, use the --proxyServer, --ps option to specify the FQDN and port of the proxy server. For example, --proxyServer FQDN:port.
    3. Enter Y to confirm that you are running the latest version of the Async Patch Tool.
    4. Enter Y or N to choose whether or not to participate in the Customer Experience Improvement Program (CEIP).
    5. Enter your Broadcom Support portal password.
    The Async Patch Tool lists all available async patches.
  4. (VxRail async patch only) Copy the VxRail async patch-specific partner bundle metadata file using KB 91830.
  5. Enable an async patch.
    1. Run the following command:
      VMware Cloud Foundation: 
      ./vcf-async-patch-tool -e --patch product:version --du broadcom_support_email --sddcSSOUser SSOuser --sddcSSHUser vcf --it ONLINE
      VMware Cloud Foundation on Dell EMC VxRail: 
      ./vcf-async-patch-tool -e --patch product:version --du broadcom_support_email --pdu dell_emc_depot_email --sddcSSOUser SSOuser --sddcSSHUser vcf --it ONLINE
      • Replace product:version with the product and version of a patch retrieved in step 3. For example: VCENTER:7.0.3.00300-19234570.
      • Replace broadcom_support_email with your Broadcom Support portal email address.
      • Replace dell_emc_depot_email with your Dell EMC depot email address. (VxRail only)
      • Replace SSOuser with the management domain SSO user account, for example, [email protected].
      Note: If you connect to the internet through a proxy server, use the --proxyServer, --ps option to specify the FQDN and port of the proxy server. For example, --proxyServer FQDN:port.
    2. Enter Y to confirm that you are running the latest version of the Async Patch Tool.
    3. Read the information and enter Y to acknowledge the pre-requisites.
    4. Enter Y or N to choose whether or not to participate in the VMware Customer Experience Improvement Program (CEIP).
    5. Enter the password for the super user (vcf) account.
    6. Enter the password for the root user account.
    7. Enter the password for the management domain SSO user account.
    8. Enter your Broadcom Support portal password.
    9. If the product type is VX_MANAGER, enter your Dell EMC Depot user name and password. (VxRail only)
    The Async Patch Tool downloads the patch and uploads it to the internal LCM repository on the SDDC Manager appliance.
  6. Log in to the SDDC Manager UI and apply the async patch to all workload domains.
    • For clusters in workload domains with vSphere Lifecycle Manager baselines, you can upgrade ESXi to the async patch version with a custom ISO from your vendor. See "Upgrade ESXi with Custom ISOs" in VMware Cloud Foundation Lifecycle Management.
    • For clusters in workload domains with vSphere Lifecycle Manager images, you can upgrade ESXi to the async patch version by following the procedure "Upgrade ESXi with vSphere Lifecycle Manager Images for VMware Cloud Foundation" in VMware Cloud Foundation Lifecycle Management.
  7. After the async patch is successfully applied, use the Async Patch Tool to deactivate the patch.
    1. SSH in to the SDDC Manager appliance using the vcf user account.
    2. Navigate to /home/vcf/asyncPatchTool/bin.
    3. Run the following command: 
      ./vcf-async-patch-tool --disableAllPatches --sddcSSOUser SSOuser --sddcSSHUser vcf
      Replace SSOuser with the management domain SSO user account, for example, [email protected].
    4. Enter Y to confirm that you are running the latest version of the Async Patch Tool.
    5. Enter Y or N to choose whether or not to participate in the Customer Experience Improvement Program (CEIP).
    6. Enter the password for the super user (vcf) account.
    7. Enter the password for the root user account.
    8. Enter the password for the management domain SSO user account.
  8. (VxRail only) If you applied an async patch to VMware Cloud Foundation on Dell VxRail, reconnect SDDC Manager to the VMware Depot using the SDDC Manager UI or VMware Cloud Foundation API.

What to do next

Starting with VMware Cloud Foundation 5.2, if you applied a vCenter Server or NSX Manager async patch to the management domain, any new workload domains that you deploy will include the patched version of vCenter Server and/or NSX Manager.

For versions of VMware Cloud Foundation earlier than 5.2, new workload domains will not include async patch versions of vCenter Server or NSX Manager. Use this procedure to apply the async patch(es) to the new workload domain.

Note: After you update the hosts in a workload domain to an async patch version of ESXi, any new hosts that you add to the workload domain must use the async patch version of ESXi and not the version listed in the VMware Cloud Foundation BOM.