Before you update or upgrade an ESXi host or a container object with vSphere Lifecycle Manager baselines, you must first check its compliance status.

You use vSphere Lifecycle Manager to check the compliance status of ESXi hosts against the baselines and baseline groups that you attach to the hosts or to a parent container object. You do a compliance check on hosts to determine whether they have the latest patches or extensions. During the compliance check, attributes of the host are evaluated against all patches, extensions, and upgrades from an attached baseline or baseline group.

You can check the compliance status of a single ESXi host or a valid container object. Supported groups of ESXi hosts include virtual infrastructure container objects such as folders, clusters, and data centers. When you initiate a compliance check for a container object, vSphere Lifecycle Manager scans all the ESXi hosts in that container object.

Note: If you initiate a compliance check for an inventory object, for example, a data center, that contains clusters that use vSphere Lifecycle Manager images, the compliance check is not performed for those clusters.

To generate compliance information, you can initiate compliance checks manually or you can schedule the compliance checks to run at regular periods. Schedule compliance checks at a data center or vCenter Server system level to make sure that the objects in your inventory are up-to-date.

You check the compliance status of vSphere objects from the vSphere Lifecycle Manager compliance view.

To initiate or schedule compliance checks, you must have the Scan for Applicable Patches, Extensions, and Upgrades privilege.

For more information about managing users, groups, roles, and permissions, see the vSphere Security documentation.

For a list of all vSphere Lifecycle Manager privileges and their descriptions, see vSphere Lifecycle Manager Privileges For Using Baselines.

Initiate a Compliance Check for ESXi Hosts Manually

Before remediation, you must check the compliance of the vSphere objects against the attached baselines and baseline groups. To check the compliance status of hosts in the vSphere inventory immediately, initiate a compliance check manually.

Prerequisites

If you want to check the compliance status of a cluster, verify that the cluster is not configured to use a single image.

Procedure

  1. In the vSphere Client, navigate to the vSphere Lifecycle Manager compliance view for an individual host or a container object.
    1. Navigate to a host, cluster, or a container object.
    2. Click the Updates tab.
  2. Select Hosts > Baselines.
    The Baselines pane shows three panels. In those panels, you obtain host information about the selected object, host compliance information, and remediation information.
  3. In the compliance information panel, click Check Compliance.

Results

The selected inventory object and all child objects are scanned against all attached patch, extension, and upgrade baselines. The larger the virtual infrastructure and the higher up in the object hierarchy that you initiate the scan, the longer the scan takes.
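
The same check can be scripted so that non-compliant hosts surface without anyone opening the compliance view. The following is an added example, not part of the original documentation; it assumes VMware PowerCLI with the VMware.VumAutomation module, a session already opened with Connect-VIServer under an account that holds the scan privilege named above, and a placeholder cluster name.

```powershell
# Added example. Assumes VMware PowerCLI with the VMware.VumAutomation module
# and a session already opened with Connect-VIServer.
$clusterName = 'Cluster-01'   # placeholder name, not from the original page

# The cluster must use baselines, not a single image (see Prerequisites).
$cluster = Get-Cluster -Name $clusterName -ErrorAction Stop

# A scan with nothing attached reports nothing useful, so stop early.
$attached = Get-Baseline -Entity $cluster -Inherit
if (-not $attached) {
    throw "No baselines are attached to $clusterName."
}

# Same operation as clicking Check Compliance on the cluster.
Test-Compliance -Entity $cluster

# One result per host and baseline pair; keep anything that is not Compliant,
# which also catches Unknown and Incompatible results.
$vmHosts = Get-VMHost -Location $cluster
$findings = Get-Compliance -Entity $vmHosts |
    Where-Object { $_.Status -ne 'Compliant' } |
    Select-Object @{ Name = 'Host';     Expression = { $_.Entity.Name } },
                  @{ Name = 'Baseline'; Expression = { $_.Baseline.Name } },
                  Status

if ($findings) {
    $findings | Sort-Object Host, Baseline | Format-Table -AutoSize
    exit 1   # non-zero exit lets a scheduler or pipeline flag the drift
}
Write-Output "All hosts in $clusterName are compliant with the attached baselines."
```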

Schedule Regular Compliance Checks for ESXi Hosts

You can configure vSphere Lifecycle Manager to check the compliance status of ESXi hosts at specific times or at intervals that are convenient for you.

Prerequisites

If you want to check the compliance status of a cluster, verify that the cluster is not configured to use a single image.

Procedure

  1. In the vSphere Client, navigate to the vSphere Lifecycle Manager compliance view for an individual host or a container object.
    1. Navigate to a host, cluster, or a container object.
    2. Click the Updates tab.
  2. Select Hosts > Baselines.
    The Baselines pane shows three panels. In those panels, you obtain host information about the selected object, host compliance information, and remediation information.
  3. In the compliance information panel, click Schedule.
    The Automatic compliance check dialog box opens.
  4. Configure the compliance check schedule.
    1. Set the frequency and the starting point of the compliance check.
    2. Enter a unique name, and optionally, a description for the scan task.
    3. (Optional) Specify one or more email addresses to receive notification after the scan task is complete.
      You must configure mail settings for the vCenter Server system to enable this option.
  5. Click Save to exit the Automatic compliance check dialog box.

View Information About the Patches, Extensions, and ISO Images in a Baseline

You can view information about the patches, extensions, and upgrades included in a baseline or a baseline group.

For information about the different compliance statuses that an update might have, see Compliance Statuses of Updates.

Prerequisites

Procedure

  1. In the vSphere Client, navigate to a single ESXi host, cluster, or a valid container object.
  2. On the Updates tab, select Hosts > Baselines.
  3. In the Attached Baselines and Baseline Groups pane, select a baseline.
    A new pane appears below the Attached Baselines and Baseline Groups pane. Depending on the selected object, the bottom pane might contain information about the updates and ESXi images in the baseline that you select. If the selected object is a container for ESXi hosts, the bottom pane shows the compliance of each ESXi host in the container object against the selected baseline.
    Baseline Type | Available Information
    Patch
    The bottom pane contains a table that lists all patches in the baseline. For each update, you can see the following information.
    • Update Name
    • Update ID

      The update ID is a vendor-assigned identification code of the patch.

    • Status

      The Status column shows the compliance status of the update.

    • Severity
    • Category
    • Impact

      The Impact column displays the actions that you must take to install the update. For example, rebooting the system or putting the host in maintenance mode.

    • ESXi Version
    Upgrade
    The bottom pane displays the following information.
    • ESXi Version
    • Build
    • Status

      The Status column shows the compliance status of the update.

    • Release Date
    • Vendor
    • Details
    • Release Notes
    • Acceptance Level

      ESXi images can be either Signed or Unsigned, which indicates their level of acceptance by VMware.

      The software packages included in ESXi images might have any of the following acceptance levels.

      VMware Certified
      The package has gone through a rigorous certification program that verifies the functionality of the feature, and is signed by VMware with a private key. VMware provides customer support for these packages.
      VMware Accepted
      The package has gone through a less rigorous acceptance test program that only verifies that the package does not destabilize the system, and is signed by VMware with a private key. The test regimen does not validate the proper functioning of the feature. VMware support hands off support calls directly to the partner.
      Partner Supported
      The partner has signed an agreement with VMware and has demonstrated a sound test methodology. VMware provides a signed private/public key pair to the partner to use for self-signing their packages. The VMware support team redirects support calls directly to the partner.
      Community Supported
      The package is either unsigned or signed by a key that is not cross-signed by VMware. VMware does not provide support for the package. For support, customers must either use the community or contact the author of the package.
    Extension
    • Update Name
    • Update ID

      The update ID is a vendor-assigned identification code of the extension.

    • Status

      The Status column shows the compliance status of the update.

    • Severity
    • Category
    • Impact

      The Impact column displays the actions that you must take to install the update. For example, rebooting the system or putting the host in maintenance mode.

    • ESXi Version
    Baseline Group
    To view information about the patches, extensions, and ISO images in a baseline group, select the respective tab in the bottom pane.
    • Click Baselines for information about the baselines that a baseline group contains.
    • Click ISO for information about the ESXi image that a baseline group contains.
    • Click Updates for information about the patches and extensions that the baseline group contains.

Host Upgrade Compliance Messages

When you check the compliance of ESXi hosts against an upgrade baseline, vSphere Lifecycle Manager runs a precheck script and provides informative messages in the bottom pane of the vSphere Lifecycle Manager compliance view. The messages notify you about potential problems with hardware or third-party software on the host, and configuration issues, which might prevent a successful upgrade to ESXi 8.0.

The messages that vSphere Lifecycle Manager provides correspond to error or warning codes from running the host upgrade precheck script.

For interactive installations and upgrades performed by using the ESXi installer, the errors or warnings from the precheck script are displayed on the final panel of the installer, where you are asked to confirm or cancel the installation or upgrade. For scripted installations and upgrades, the errors or warnings are written to the installation log.

vSphere Lifecycle Manager displays scan result information in the bottom pane of the vSphere Lifecycle Manager compliance view. To see the original errors and warnings returned by the precheck script during a vSphere Lifecycle Manager host upgrade scan operation, review the vSphere Lifecycle Manager log file.

Table 1. Scan Result Messages and Corresponding Error and Warning Codes
Scan Result Message in vSphere Lifecycle Manager | Description
Host CPU is unsupported. New ESXi version requires a 64-bit CPU with support for LAHF/SAHF instructions in long mode.

This message appears if the host processor is 32-bit and does not support required features.

The corresponding error code is 64BIT_LONGMODESTATUS.

Trusted boot is enabled on the host but the upgrade does not contain the software package esx-tboot. Upgrading the host will remove the trusted boot feature.

This message indicates that the host upgrade scan did not locate the esx-tboot VIB on the upgrade ISO.

The corresponding error code is TBOOT_REQUIRED.

VMkernel and Service Console network interfaces are sharing the same subnet subnet_name. This configuration is not supported after upgrade. Only one interface should connect to subnet subnet_name.

Warning. An IPv4 address was found on an enabled Service Console virtual NIC for which there is no corresponding address in the same subnet in the vmkernel. A separate warning appears for each such occurrence.

The corresponding error code is COS_NETWORKING.

New ESXi version requires a minimum of core_count processor cores.

The host must have at least two cores.

The corresponding error code is CPU_CORES.

Processor does not support hardware virtualization or it is disabled in BIOS. Virtual machine performance may be slow.

Host performance might be impaired if the host processor does not support hardware virtualization or if hardware virtualization is not turned on in the host BIOS. Enable hardware virtualization in the host machine boot options. See your hardware vendor's documentation.

The corresponding error code is HARDWARE_VIRTUALIZATION.

Insufficient memory, minimum size_in_MB required for upgrade.

The host requires the specified amount of memory to upgrade.

The corresponding error code is MEMORY_SIZE.

Host upgrade validity checks for file_name are not successful.

This test checks whether the precheck script itself can be run.

The corresponding error code is PRECHECK_INITIALIZE.

The host partition layout is not suitable for upgrade.

Upgrade is possible only if there is at most one VMFS partition on the disk that is being upgraded and the VMFS partition starts after sector 1843200.

The corresponding error code is PARTITION_LAYOUT.

Unsupported configuration.

The file /etc/vmware/esx.conf must exist on the host.

This message indicates that the file /etc/vmware/esx.conf is either missing, or the file data cannot be retrieved or read correctly.

The corresponding error code is SANE_ESX_CONF.

The host does not have sufficient free space on a local VMFS datastore to back up current host configuration. A minimum of size_in_MB is required.

The host disk must have enough free space to store the ESXi 5.x configuration between reboots.

The corresponding error code is SPACE_AVAIL_CONFIG.

The upgrade is not supported for current host version.

Upgrading to ESXi 8.0 is possible only from ESXi 6.7 and ESXi 7.0 hosts.

The corresponding error code is SUPPORTED_ESX_VERSION.

Unsupported devices device_name found on the host.

The script checks for unsupported devices. Some PCI devices are not supported with ESXi 8.0.

The corresponding error code is UNSUPPORTED_DEVICES.

Host software configuration requires a reboot. Reboot the host and try upgrade again.

To ensure a good bootbank for the upgrade, you must reboot the hosts before remediation.

The corresponding error code is UPDATE_PENDING.

In an environment with Cisco Nexus 1000V Distributed Virtual Switch, vSphere Lifecycle Manager displays different messages in different situations. For details, see Host Upgrade Compliance Messages When Cisco Nexus 1000V Is Present.

If Cisco's Virtual Ethernet Module (VEM) software is found on the host, the precheck script checks if the software is part of the upgrade as well, and that the VEM supports the same version of the Virtual Supervisor Module (VSM) as the existing version on the host. If the software is missing or is compatible with a different version of the VSM, the script returns a warning and the scan result indicates the version of the VEM software that was expected on the upgrade ISO, and the version, if any, that was found on the ISO.

The corresponding error code is DISTRIBUTED_VIRTUAL_SWITCH.

The host uses an EMC PowerPath multipathing module file_name to access storage. The host will not be able to access such storage after upgrade.

The script checks for installation of EMC PowerPath software, consisting of a CIM module and a kernel module. If either of these components is found on the host, the script verifies that matching components (CIM, VMkernel module) also exist in the upgrade. If they do not, the script returns a warning that indicates which PowerPath components were expected on the upgrade ISO and which, if any, were found.

The corresponding error code is POWERPATH.

Host Upgrade Compliance Messages When Cisco Nexus 1000V Is Present

When a host is managed by the Cisco Nexus 1000V virtual switch and you check the compliance of the host against an upgrade baseline, the scan messages provide information about problems with compliance between the VEM modules installed on the host and the modules available on the ESXi 8.0 image.

vSphere Lifecycle Manager supports Cisco Nexus 1000V, a virtual access software switch that works with VMware vSphere and consists of two components.
Virtual Supervisor Module (VSM)
The control plane of the switch and a virtual machine that runs NX-OS.
Virtual Ethernet Module (VEM)
A virtual line card embedded in ESXi hosts.

vSphere Lifecycle Manager determines whether a host is managed by Cisco Nexus 1000V. vSphere Lifecycle Manager verifies whether the Cisco Nexus 1000V VEM VIBs in the ESXi upgrade image are compatible with the Cisco Nexus 1000V VSM that manages the host.

By using vSphere ESXi Image Builder, you can create custom ESXi images, which contain third-party VIBs that are required for a successful remediation operation.

Table 2. Compliance Check Results for the Cisco Nexus 1000V Network Switch
Compliance Check Message | Description

The upgrade does not contain any Cisco Nexus 1000V software package that is compatible with the Cisco Nexus 1000V software package on the host. Upgrading the host will remove the feature from the host.
A VEM VIB is not available on the ESXi 8.0 upgrade image.

The host is currently added to a Cisco Nexus 1000V virtual network switch. The upgrade contains a Cisco Nexus 1000V software package VIB_name that is incompatible with the Cisco Nexus 1000V VSM. Upgrading the host will remove the feature from the host.
The VEM VIB on the ESXi 8.0 upgrade image is not compatible with the version of the VSM.

The host is currently added to a Cisco Nexus 1000V virtual network switch. The upgrade does not contain any Cisco Nexus 1000V software package that is compatible with the Cisco Nexus 1000V VSM. Upgrading the host will remove the feature from the host.
The host and the image do not contain VEM VIBs, but the host is still listed in vCenter Server as managed by Cisco Nexus 1000V.

Cannot determine whether the upgrade breaks Cisco Nexus 1000V virtual network switch feature on the host. If the host does not have the feature, you can ignore this warning.
There was a problem with determining compatibility between the VEM VIB on the ESXi 8.0 upgrade image and the VSM. Check whether the version of the VSM managing the host is certified as being compatible with vCenter Server 8.0 and ESXi 8.0.