If your SDDC Manager appliance does not have a connection to the internet, you can run the Async Patch Tool from a computer that does. Download an async patch, copy the patch and the Async Patch Tool to the SDDC Manager appliance, and enable the patch. You can then use the SDDC Manager UI to apply the patch to all workload domains.

Prerequisites

  • A Windows or Linux computer with internet connectivity (either directly or through a proxy server) for downloading the bundles.
  • The computer must have Java 8 or Java 11.
  • A Windows or Linux computer with access to the SDDC Manager appliance for uploading the bundles.
  • Refer to KB 88287 to ensure that the async patch is supported with your version of VMware Cloud Foundation. Contact VMware Support if you have questions about the available async patches and which versions of VMware Cloud Foundation support them.
  • You must have the latest version of the Async Patch Tool.
    Note: If an older version of the Async Patch Tool already exists in the directory, remove its files from both the Linux or Windows computer and the SDDC Manager appliance before downloading the latest version of the Async Patch Tool.

    rm -r <AP Tool directory>

    rm -r <outputDirectory>

    The default directory is /home/vcf/apToolBundles if outputDirectory was not specified when the Async Patch Tool was previously run.

  • Configure TCP keepalive in your SSH client to prevent socket connection timeouts when using the Async Patch Tool for long-running operations.
  • The Async Patch Tool is supported with VMware Cloud Foundation 4.2.1 and later. This release also supports ESXi and VxRail Manager patching of VMware Cloud Foundation on VxRail.

Procedure

  1. Download the most recent version of the Async Patch Tool to a computer that has access to the internet.
    1. Log in to the Broadcom Support Portal and browse to My Downloads > VMware Cloud Foundation.
    2. Click your current version of VMware Cloud Foundation.
    3. Click Drivers & Tools.
    4. Click the download icon for the Async Patch Tool.
  2. Extract vcf-async-patch-tool-<version>.tar.gz.
  3. Navigate to vcf-async-patch-tool-<version>/bin and confirm that you have execute permissions.
  4. List the available async patches.
    1. Run the following command:
      Linux:
      ./vcf-async-patch-tool --listAsyncPatch --du broadcom_support_email
      Windows:
      vcf-async-patch-tool.bat --listAsyncPatch --du broadcom_support_email
      Replace broadcom_support_email with your Broadcom Support portal email address.
      Optionally, you can use the --sku and --productType options to filter the list of patches. See VCF Async Patch Tool Options for details.
      --outputDirectory is optional and can be used to specify a location for the download. Select a directory that has enough free space for the bundle. If you do not specify a location, the Async Patch Tool displays the default location in its output. For example: /root/apToolBundles.
      Note: If you connect to the internet through a proxy server, use the --proxyServer (or --ps) option to specify the FQDN and port of the proxy server. For example, --proxyServer FQDN:port.
    2. Enter Y to confirm that you are running the latest version of the Async Patch Tool.
    3. Enter Y or N to choose whether or not to participate in the Customer Experience Improvement Program (CEIP).
    4. Enter your Broadcom Support portal password.
    The Async Patch Tool lists all available async patches.
  5. (VxRail async patch only) Copy the VxRail async patch-specific partner bundle metadata file using KB 91830.
  6. Download an async patch.
    1. Run the following command:
      Linux:
      ./vcf-async-patch-tool -d --patch product:version --du broadcom_support_email --sku sku_type --pdu dell_emc_depot_email --sddcManagerVersion current_sddc_version
      Windows:
      vcf-async-patch-tool.bat -d --patch product:version --du broadcom_support_email --sku sku_type --pdu dell_emc_depot_email --sddcManagerVersion current_sddc_version
      • Replace product:version with the product and version of a patch retrieved in step 4. For example: VCENTER:7.0.3.00300-19234570.
      • Replace broadcom_support_email with your Broadcom Support portal email address.
      • Replace sku_type with VCF or VCF_ON_VXRAIL.
      • Replace dell_emc_depot_email with your Dell EMC Depot email address. (VxRail only)
      • Replace current_sddc_version with your current version of SDDC Manager. For example: 4.5.0.0. This is optional, but limits the number of bundles that are downloaded to only those that are applicable to your current version of SDDC Manager.
      • --outputDirectory is optional and can be used to specify a location for the download. Select a directory that has enough free space for the bundle. If you do not specify a location, the Async Patch Tool displays the default location in its output. For example: /root/apToolBundles.
      Note: If you connect to the internet through a proxy server, use the --proxyServer (or --ps) option to specify the FQDN and port of the proxy server. For example, --proxyServer FQDN:port.
    2. Enter Y to confirm that you are running the latest version of the Async Patch Tool.
    3. Enter your Broadcom Support portal password.
    4. If the product type is VX_MANAGER, enter your Dell EMC Depot user name and password. (VxRail only)
    The Async Patch Tool downloads the patch and required artifacts (for example, the LCM manifest).
  7. Copy the patch and set permissions.
    1. Copy the entire output directory (for example, apToolBundles) to the SDDC Manager appliance.
      You can select any location that has enough free space available, for example, /nfs/vmware/vcf/nfs-mount/apToolBundles.
    2. SSH in to the SDDC Manager appliance using the vcf user account.
    3. Navigate to /nfs/vmware/vcf/nfs-mount/apToolBundles.
      If you copied the output directory to a different location, navigate to that directory instead.
    4. Run the following commands:
      chmod -R 755 apToolBundles
      chown -R vcf:vcf apToolBundles
  8. Copy the Async Patch Tool to the SDDC Manager appliance and configure it for use.
    1. SSH in to the SDDC Manager appliance using the vcf user account.
    2. Create the asyncPatchTool directory.
      mkdir /home/vcf/asyncPatchTool
    3. Copy the entire contents of the Async Patch Tool directory from the computer with internet access to the /home/vcf/asyncPatchTool directory on the SDDC Manager appliance.
    4. Set the permissions for the asyncPatchTool directory.
      cd /home/vcf/
      chmod -R 755 asyncPatchTool
      chown -R vcf:vcf asyncPatchTool
  9. Enable an async patch.
    1. Navigate to /home/vcf/asyncPatchTool/bin and run the following command:
      ./vcf-async-patch-tool -e --patch product:version --sddcSSOUser SSOuser --sddcSSHUser vcf --outputDirectory bundleDirectory --it OFFLINE
      • Replace product:version with the product and version of a patch retrieved in step 4. For example: VCENTER:7.0.3.00300-19234570.
      • Replace SSOuser with the management domain SSO user account, for example, [email protected].
      • Replace bundleDirectory with the location of the bundle directory from step 6. For example, /nfs/vmware/vcf/nfs-mount/apToolBundles.
    2. Enter Y to confirm that you are running the latest version of the Async Patch Tool.
    3. Enter Y or N to choose whether or not to participate in the Customer Experience Improvement Program (CEIP).
    4. Read the information and enter Y to acknowledge the prerequisites.
    5. Enter the password for the super user (vcf) account.
    6. Enter the password for the root user account.
    7. Enter the password for the management domain SSO user account.
    The Async Patch Tool uploads the patch to the internal LCM repository on the SDDC Manager appliance.
  10. Log in to the SDDC Manager UI and apply the async patch to all workload domains.
    • For clusters in workload domains with vSphere Lifecycle Manager baselines, you can upgrade ESXi to the async patch version with a custom ISO from your vendor. See "Upgrade ESXi with Custom ISOs" in VMware Cloud Foundation Lifecycle Management.
    • For clusters in workload domains with vSphere Lifecycle Manager images, you can upgrade ESXi to the async patch version by following the procedure "Upgrade ESXi with vSphere Lifecycle Manager Images for VMware Cloud Foundation" in VMware Cloud Foundation Lifecycle Management.
  11. After the async patch is successfully applied, use the Async Patch Tool to deactivate the patch.
    1. SSH in to the SDDC Manager appliance using the vcf user account.
    2. Navigate to /home/vcf/asyncPatchTool/bin.
    3. Run the following command:
      ./vcf-async-patch-tool --disableAllPatches --sddcSSOUser SSOuser --sddcSSHUser vcf
      Replace SSOuser with the management domain SSO user account, for example, [email protected].
    4. Enter Y to confirm that you are running the latest version of the Async Patch Tool.
    5. Enter Y or N to choose whether or not to participate in the Customer Experience Improvement Program (CEIP).
    6. Enter the password for the super user (vcf) account.
    7. Enter the password for the root user account.
    8. Enter the password for the management domain SSO user account.
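
An added check for the copy in step 7, not part of the VMware procedure or the Async Patch Tool: it records SHA-256 hashes of the output directory on a Linux download computer, then confirms on the appliance that the copied files are unchanged and carry the mode and ownership set in step 7. The function names and the <dir>.sha256 manifest name are assumptions, and sha256sum is assumed to be available on both machines.

```shell
#!/bin/sh
# Added example, not part of the Async Patch Tool: transfer check for the
# output directory (apToolBundles) copied to SDDC Manager in step 7.

# On the download computer: write <dir>.sha256 beside the output directory.
make_manifest() (
    out=$(cd "$(dirname "$1")" && pwd)/$(basename "$1").sha256
    cd "$1" || exit 2
    find . -type f -exec sha256sum {} + | sort -k2 > "$out"
)

# On the appliance, after chmod/chown: returns 0 only if every file matches
# the manifest, nothing was added or lost, and mode/owner/group are as set.
# Args: directory, manifest, owner (default vcf), group (default vcf).
verify_bundle() (
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    owner=${3:-vcf}; group=${4:-vcf}; rc=0
    cd "$1" || exit 2

    # Content: each listed file must hash to the recorded value.
    sha256sum --check --quiet "$manifest" || rc=1

    # Completeness: names present on only one side (manifest vs. disk).
    # Column 67 is where sha256sum starts the file name.
    drift=$( { cut -c67- "$manifest"; find . -type f; } | sort | uniq -u )
    [ -z "$drift" ] || { echo "not in both manifest and directory:"; echo "$drift"; rc=1; }

    # Permissions from step 7: mode 755 and the expected owner and group.
    bad=$(find . \( ! -perm 755 -o ! -user "$owner" -o ! -group "$group" \) -print) || rc=1
    [ -z "$bad" ] || { echo "unexpected mode or ownership:"; echo "$bad"; rc=1; }

    exit "$rc"
)

# Usage: script manifest <dir> | script verify <dir> <manifest> [owner] [group]
case "${1:-}" in
    manifest) make_manifest "$2" ;;
    verify)   verify_bundle "$2" "$3" "${4:-vcf}" "${5:-vcf}" ;;
esac
```

Copy the manifest file together with the output directory, and run the verify step before enabling the patch in step 9.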

What to do next

Starting with VMware Cloud Foundation 5.2, if you applied a vCenter Server or NSX Manager async patch to the management domain, any new workload domains that you deploy will include the patched version of vCenter Server and/or NSX Manager.

For versions of VMware Cloud Foundation earlier than 5.2, new workload domains will not include async patch versions of vCenter Server or NSX Manager. Use this procedure to apply the async patch(es) to the new workload domain.

Note: After you update the hosts in a workload domain to an async patch version of ESXi, any new hosts that you add to the workload domain must use the async patch version of ESXi and not the version listed in the VMware Cloud Foundation BOM.