If your SDDC Manager appliance does not have a connection to the internet, you can run the Async Patch Tool from a computer that does. Download an async patch, copy the patch and the Async Patch Tool to the SDDC Manager appliance, and enable the patch. You can then use the SDDC Manager UI to apply the patch to all workload domains.

Prerequisites

  • A Windows or Linux computer with internet connectivity (either directly or through a proxy server) for downloading the bundles.
  • The computer must have Java 8 or Java 11.
  • A Windows or Linux computer with access to the SDDC Manager appliance for uploading the bundles.
  • Refer to KB 88287 to ensure that the async patch is supported with your version of VMware Cloud Foundation. Contact VMware Support if you have questions about the available async patches and which versions of VMware Cloud Foundation support them.
  • You must have the latest version of the Async Patch Tool.
    Note: If an existing or older version of the Async Patch Tool exists in the directory, you will need to remove these files from both the Linux or Windows computer and the SDDC manager before downloading the latest version of the Async Patch Tool.

    rm -r <AP Tool directory>

    rm -r <outputdirectory>

    The default directory is /home/vcf/apToolBundles if outputDirectory was not specified when the Async Patch Tool was previously run.

  • Configure TCP keepalive in your SSH client to prevent socket connection timeouts when using the Async Patch Tool for long-running operations.
  • The Async Patch Tool is supported with VMware Cloud Foundation 4.2.1 and later. This release also supports ESXi and VxRail Manager patching of VMware Cloud Foundation on VxRail.

Procedure

  1. Download the Async Patch Tool to a computer that has access to the internet.
    1. Log in to VMware Customer Connect and browse to the Download VMware Cloud Foundation page.
    2. In the Select Version field, select your current version of VMware Cloud Foundation.
    3. Click Drivers & Tools.
    4. Expand VMware Cloud Foundation Tools and click Go To Downloads in the Async Patch Tool row.
    5. Click Download Now.
  2. Extract vcf-async-patch-tool-<version>.tar.gz.
  3. Navigate to vcf-async-patch-tool-<version>/bin and confirm that you have execute permissions.
  4. List the available async patches.
    1. Run the following command:
      Linux: 
      ./vcf-async-patch-tool --listAsyncPatch --du customer_connect_email
      Windows: 
      vcf-async-patch-tool.bat --listAsyncPatch --du customer_connect_email
      Replace customer_connect_email with your VMware Customer Connect email address.
      Optionally, you can use the --sku and --productType options to filter the list of patches. See VCF Async Patch Tool Options for details.
      --outputDirectory is optional and can be used to specify a location for the download. Select a directory that has enough free space for the bundle. If you do not specify a location, the Async Patch Tool displays the default location in its output. For example: /root/apToolBundles.
      Note: If you connect to the internet through a proxy server, use the --proxyServer, --ps option to specify the FQDN and port of the proxy server. For example, --proxyServer FQDN:port.
    2. Enter Y to confirm that you are running the latest version of the Async Patch Tool.
    3. Enter Y or N to choose whether or not to participate in the VMware Customer Experience Improvement Program (CEIP).
    4. Enter your VMware Customer Connect (Depot) password.
    The Async Patch Tool lists all available async patches.
  5. (VxRail async patch only) Copy the VxRail async patch-specific partner bundle metadata file using KB 91830.
  6. Download an async patch.
    1. Run the following command:
      Linux: 
      ./vcf-async-patch-tool -d --patch product:version --du customer_connect_email --sku sku_type --pdu dell_emc_depot_email
      Windows: 
      vcf-async-patch-tool.bat -d --patch product:version --du customer_connect_email --sku sku_type --pdu dell_emc_depot_email
      • Replace product:version with the product and version of a patch retrieved in step 4. For example: VCENTER:7.0.3.00300-19234570.
      • Replace customer_connect_email with your VMware Customer Connect email address.
      • Replace sku_type with VCF or VCF_ON_VXRAIL.
      • Replace dell_emc_depot_email with your Dell EMC Depot email address. (VxRail only)
      • --outputDirectory is optional and can be used to specify a location for the download. Select a directory that has enough free space for the bundle. If you do not specify a location, the Async Patch Tool displays the default location in its output. For example: /root/apToolBundles.
      Note: If you connect to the internet through a proxy server, use the --proxyServer, --ps option to specify the FQDN and port of the proxy server. For example, --proxyServer FQDN:port.
    2. Enter Y to confirm that you are running the latest version of the Async Patch Tool.
    3. Enter your VMware Customer Connect (Depot) password.
    4. If the product type is VX_MANAGER, enter your Dell EMC Depot user name and password. (VxRail only)
    The Async Patch Tool downloads the patch and required artifacts (for example, the LCM manifest).
  7. Copy the patch and set permissions.
    1. Copy the entire output directory (for example, apToolBundles) to the SDDC Manager appliance.
      You can select any location that has enough free space available, for example, /nfs/vmware/vcf/nfs-mount/apToolBundles.
    2. SSH in to the SDDC Manager appliance using the vcf user account.
    3. Navigate to /nfs/vmware/vcf/nfs-mount/apToolBundles.
      If you copied the output directory to a different location, navigate to that directory instead.
    4. Run the following commands: 
      chmod -R 755 apToolBundles
      chown -R vcf:vcf apToolBundles
  8. Copy the Async Patch Tool to the SDDC Manager appliance and configure it for use.
    1. SSH in to the SDDC Manager appliance using the vcf user account.
    2. Create the asyncPatchTool directory. 
      mkdir /home/vcf/asyncPatchTool
    3. Copy the entire contents of the Async Patch Tool directory from the computer with internet access to the /home/vcf/asyncPatchTool directory on the SDDC Manager appliance.
    4. Set the permissions for the asyncPatchTool directory. 
      cd /home/vcf/
      chmod -R 755 asyncPatchTool
      chown -R vcf:vcf asyncPatchTool
  9. Enable an async patch.
    1. Navigate to /home/vcf/asyncPatchTool/bin and run the following command: 
      ./vcf-async-patch-tool -e --patch product:version --sddcSSOUser SSOuser --sddcSSHUser vcf --outputDirectory bundleDirectory --it OFFLINE
      • Replace product:version with the product and version of a patch retrieved in step 4. For example: VCENTER:7.0.3.00300-19234570.
      • Replace SSOuser with the management domain SSO user account, for example, [email protected].
      • Replace bundleDirectory with the location of the bundle directory from step 6. For example, /nfs/vmware/vcf/nfs-mount/apToolBundles.
    2. Enter Y to confirm that you are running the latest version of the Async Patch Tool.
    3. Enter Y or N to choose whether or not to participate in the VMware Customer Experience Improvement Program (CEIP).
    4. Read the information and enter Y to acknowledge the pre-requisites.
    5. Enter the password for the super user (vcf) account.
    6. Enter the password for the root user account.
    7. Enter the password for the management domain SSO user account.
    The Async Patch Tool uploads the patch to the internal LCM repository on the SDDC Manager appliance.
  10. Log in to the SDDC Manager UI and apply the async patch to all workload domains.
    • For clusters in workload domains with vSphere Lifecycle Manager baselines, you can upgrade ESXi to the async patch version with a custom ISO from your vendor. See "Upgrade ESXi with Custom ISOs" in VMware Cloud Foundation Lifecycle Management.
    • For clusters in workload domains with vSphere Lifecycle Manager images, you can upgrade ESXi to the async patch version by following the procedure "Upgrade ESXi with vSphere Lifecycle Manager Images for VMware Cloud Foundation" in VMware Cloud Foundation Lifecycle Management.
  11. After the async patch is successfully applied, use the Async Patch Tool to deactivate the patch.
    1. SSH in to the SDDC Manager appliance using the vcf user account.
    2. Navigate to /home/vcf/asyncPatchTool/bin.
    3. Run the following command: 
      ./vcf-async-patch-tool --disableAllPatches --sddcSSOUser SSOuser --sddcSSHUser vcf
      Replace SSOuser with the management domain SSO user account, for example, [email protected].
    4. Enter Y to confirm that you are running the latest version of the Async Patch Tool.
    5. Enter Y or N to choose whether or not to participate in the VMware Customer Experience Improvement Program (CEIP).
    6. Enter the password for the super user (vcf) account.
    7. Enter the password for the root user account.
    8. Enter the password for the management domain SSO user account.

What to do next

If you deploy a new workload domain after applying an async patch, that workload domain will not include the async patch. Use this procedure to apply the async patch to the new workload domain.
Note: After you update the hosts in a workload domain to an async patch version of ESXi, any new hosts that you add to the workload domain must use the async patch version of ESXi and not the version listed in the VMware Cloud Foundation BOM.