Async Patch Tool Release Notes

VMware Cloud Foundation Async Patch Tool 1.2 \| 23 JUL 2024 \| Build 24090705 Check for additions and updates to these release notes.

VMware Cloud Foundation

Async Patch Tool 1.2 | 23 JUL 2024 | Build 24090705

Check for additions and updates to these release notes.

What's New

The Async Patch Tool is a utility that allows you to apply critical patches to certain VMware Cloud Foundation components (NSX Manager, vCenter Server, and ESXi) outside of VMware Cloud Foundation releases. The Async Patch Tool also supports ESXi and VxRail Manager patching of VMware Cloud Foundation on VxRail and is supported with VMware Cloud Foundation 4.2.1 and later.

IMPORTANT: Starting with VMware Cloud Foundation 5.2, you should apply async patches directly from the SDDC Manager UI. See "Patching the Management and Workload Domains".

If you are upgrading an async patched system from VMware Cloud Foundation 4.x to 4.y, you must use the Async Patch Tool to enable the upgrade (-r, --enableVCFUpgrade). If you are upgrading an async patched system from VMware Cloud Foundation 4.x to 5.x or 5.x to 5.x, you do not need to use the Async Patch Tool to enable the upgrade. For more information, see the Async Patch Tool documentation.

See KB 88287 for information about which async patches are supported with your version of VMware Cloud Foundation. The Knowledge Base article also includes information about supported upgrade paths for VMware Cloud Foundation instances that include an async patch.

Resolved Issues

Async Patch Tool -l,--listAsyncPatch option fails: Using the --productType, --ptype option with the -l, --listAsyncPatch option fails, unless you also provide a --sku.

Known Issues

The stand-alone postcheck option fails for VxRail patches

When you run the standalone postcheck option (--post, --postcheck) for a VxRail async patch, the postcheck fails.

Workaround: None. However, when you run Async Patch Tool with the enable patch option (-e, --enableAsyncPatch) the postchecks are run automatically. If enabling a VxRail async patch succeeds, the postcheck is also considered successful.
Workload Domain enabled 7.0.451 async patch failed with error "Incompatible products found"

On environments with SDDC Manager updated to 5.0, enabling VxRail Manager patches may have issues writing AP tool Interoperability validations (Writing ESXi product).
Workaround:
1. Login to SDDC Manager.
2. Switch to root user.
3. Change the directory to/opt/vmware/vcf/lcm/lcm-app/conf.
4. In the LifeCyle Management application-prod.properties file add the following property (to exclude ESX_HOST in the supported product types):
  
  vcf.compatibility.check.supported.product.types=SDDC_MANAGER,VCENTER,NSX_T_MANAGER,VX_MANAGER
5. Restart LCM .
Restart the enable patch workflow from AP tool.
Bundle clean up script fails to clean up async patch bundle on vLCM based clusters

AP Tool disable all fails to clean up async patch bundle on vLCM based clusters with error BUNDLE_CLEANUP_FAILED.

Workaround: See KB 89719.
Async patch is not available to apply in the SDDC Manager UI

After you use the Async Patch Tool to enable a patch and successfully upload the patch to the internal LCM repository on the SDDC Manager appliance, you may not be able to apply the patch. This can happen if a workload domain is in a failed state.

Workaround: In the SDDC Manager UI, perform a precheck on all the workload domains where you intend to apply the patch and resolve any reported issues. After resolving the issues, the async patch bundle should become available to apply.
The SDDC Manager UI displays an unexpected source version when upgrading SDDC Manager

After enabling upgrade for a VMware Cloud Foundation instance that includes an async patch, the SDDC Manager UI displays an unexpected source version for SDDC Manager. For example, if you apply an async patch to your VMware Cloud Foundation 4.2.1 instance, and then you enable an upgrade to VMware Cloud Foundation 4.4.1.1, the SDDC Manager shows 4.4.1.0 as the source version (instead of 4.2.1.0).

Workaround: None. This is a cosmetic issue and has no impact on the upgrade.
It is not clear in the UI which bundle is the async patch bundle when other SDDC Manager bundles are available

If other SDDC Manager bundles are uploaded onto the SDDC Manager appliance, it might be displayed along with the async patch bundle you have enabled (uploaded) using the Async Patch Tool on the "Available Updates" section of the UI. The async patch bundle might have a similar title to the other bundles. As a result, it might be harder to locate.
Workaround: The uploaded async patch bundle can be identified by the following:
- It will be the only "VMware Software Update" bundle in the list.
- The bundle details have a Bundle ID with a suffix of -apTool to signify it is an async patch enabled by Async Patch Tool.
Async Patch Tool fails with FAILED_VCF_PERMISSIONS_ON_SDDC_OUTPUT_DIRECTORY or RUNNING_ROOT_OPERATIONS_FAILED when running on a security-hardened SDDC Manager

When running certain Async Patch workflows on an SDDC Manager that have been hardened following the VMware Cloud Foundation Security Technical Implementation Guide (STIG), the Async Patch Tool fails when attempting to run certain operations as root user. The AP tool logs mention the tool Received non-empty output for command that expect empty output.

Workaround: Contact VMware Support.

Async patch bundles display non-standard version numbers in the SDDC Manager UI

Async patch bundles include non-standard version numbers wherever information about the bundles is displayed in the SDDC Manager UI. For example, Version 1.1.1-000001 or Required Version 1.2.0-123456 as seen below.

Async Patch Bundle Versioning

Version	1.1.1-<xxxxxx>
Product Version 1.1.1.1	1.1.1.1
Required Version: NSX Manager async patch bundle	1.1.0-<xxxxxx>
Required Version: ESXi async patch bundle	1.2.0-<xxxxxx>
Required Version: vCenter Server async patch bundle	1.3.0-<xxxxxx>

Note:

The non-standard version numbering does not apply to VxRail.

Workaround: None. This is by design and ensures that async patches are prioritized and applied in the correct order.

Update history information for workload domains does not contain all updates

When you deactivate all async patches from the SDDC Manager appliance, any update history for previously enabled or applied async patches is lost. No update history will be visible from the SDDC Manager UI or in the VMware Cloud Foundation API response. Deactivating all patches happens implicitly when you run the Async Patch Tool with the enable VCF upgrade option (-r, --enableVCFUpgrade). If you previously enabled an async patch, you must disable all patches before you can run the Async Patch Tool with the enable patch option (-e, --enableAsyncPatch) again.

Workaround: View the Async Patch Tool upgrade_history logs to review the entire async patch update history. Logs are located in the /var/log/vmware/vcf/lcm/tools/asyncpatchtool directory on the SDDC Manager appliance.
Older install or upgrade bundles appear as available to download

If SDDC Manager is connected to the VMware Depot, and you enable an async patch, older bundles, that are not required, may appear as available for download in the SDDC Manager UI (Lifecycle Management > Bundle Management > Bundles). For example, if you enable an async patch for vCenter Server 7.0 Update 3d, the bundle for vCenter Server 7.0 Update 2c may appear as available for download.
Workaround: Remove the bundles that you do not require.
1. Get the bundle ID for the bundle you want to remove.
  1. In the SDDC Manager UI, browse to Lifecycle Management > Bundle Management > Bundles.
  2. Find the bundle you want to remove and click View Details.
  3. Copy the bundle ID.
2. SSH in to the SDDC Manager appliance using the vcf user account.
3. Enter su to switch to the root user.
4. Enter the following command, replacing <bundle id> with the bundle ID from step 1: python /opt/vmware/vcf/lcm/lcm-app/bin/bundle_cleanup.py <bundle id>