You can update the vCenter Server with patches by using the software-packages utility available in the vCenter Server appliance shell.

Patching vCenter Server

VMware regularly releases patches for the vCenter Server. You can use the Appliance Management Interface or the appliance shell to apply patches to a vCenter Server.

VMware makes patches available on a monthly basis. These patches can only be applied in between major releases of vCenter Server. For example, patches released for the initial release of vCenter Server 8.0 are not applicable to vCenter Server 8.0 Update 1, because any previously released patches are included in the Update 1 release.

These patches can be for core product functionality, other packages in the vCenter Server such as Photon, or both.
Note: You must use only the patches provided by VMware to update the packages in your vCenter Server. Updating these packages through any other means may impact the product functionality.
VMware distributes the available patches in two forms, one for ISO-based and one for URL-based models of patching.
  • You can download the patch ISO images from https://my.vmware.com/group/vmware/patch.
    VMware publishes a single type of ISO image that contains patches.
    Download Filename: VMware-vCenter-Server-Appliance-product_version-build_number-patch-FP.iso
    Description: Full product patch for the appliance, which contains the VMware software patches and the fixes related to security and third-party products (e.g. JRE and Photon OS components).
  • You can configure the vCenter Server appliance to use a repository URL as a source of available patches. The appliance is preset with a default VMware repository URL.

    You can download the patches in ZIP format from the VMware Web site at https://my.vmware.com/web/vmware/downloads and build a custom repository on a local Web server. The download filename is VMware-vCenter-Server-Appliance-product_version-build_number-updaterepo.zip.

Patching vCenter Server Using the vCenter Server Management Interface

You can use the vCenter Server Management Interface to view the installed patches, check for new patches and install them, and configure automatic checks for available patches.

To perform ISO-based patching, you download an ISO image, attach the ISO image to the CD/DVD drive of the appliance, check for available patches in the ISO image, and install the patches.

To perform URL-based patching, you check for available patches in a repository URL and install the patches. The vCenter Server is preset with a default VMware repository URL for the build profile of the appliance. You can configure the appliance to use the default VMware repository URL or a custom repository URL, for example, a repository URL that you previously built on a local Web server running within your data center.

Automatic Creation of LVM Snapshot

The vCenter Server patching orchestrator automatically creates a Logical Volume Manager (LVM) snapshot of the vCenter Server before performing a patch installation. If the patching fails, the orchestrator provides options to either continue patching or roll back to the automatically created LVM snapshot.

The roll back option is only available when you are patching vCenter Server 8.0 Update 2 and higher versions.

When you initiate the installation of a patch, prechecks are performed to verify that a snapshot can be taken and there is sufficient disk space for the LVM snapshot. If the precheck returns an error, the patching workflow exits.

After the prechecks run successfully, the VMware Directory Services (vmdird) is stopped and the orchestrator takes an image-based backup (LVM snapshot). The snapshot is saved as a snapshot disk on the vCenter Server Appliance. If taking the snapshot fails, vmdird is started in normal replication mode, an error is thrown, the patching workflow exits, and the snapshot is cleaned up.

If the snapshot is taken successfully, the patching resumes with vmdird in standalone mode.

If an error occurs during patching, the vCenter Server Management Interface displays options to resume or roll back the process. You can correct the problem that prevents patching and select Resume the vCenter installation to finish staging the patches, or select Revert to the last vCenter backup version to roll back.

If you choose to revert, a patching rollback API is called. The API checks if an LVM snapshot is available and reverts to the snapshot. After reverting, the snapshot is removed to reclaim the disk space and vmdird is set to normal replication mode. The API also performs a cleanup of any changes made by the patching install workflow before creating the backup. If a valid snapshot is not available, the installation exits with an error.

Figure 1. Workflow for automatic creation of LVM snapshot and roll back
Workflow for patch installation that shows the automatic creation of an LVM snapshot with the roll back option.

Log In to the vCenter Server Management Interface

Log in to the vCenter Server Management Interface to access the vCenter Server configuration settings.

Note: The login session expires if you leave the vCenter Server Management Interface idle for 10 minutes.
Prerequisites

Verify that the vCenter Server is successfully deployed and running.

Procedure
  1. In a Web browser, go to the vCenter Server Management Interface, https://appliance-IP-address-or-FQDN:5480.
  2. Log in as root.
    The default root password is the password that you set while deploying vCenter Server.

Check for and Stage Patches to the vCenter Server Appliance

Before you install available patches, you can stage the patches to the appliance. You can use the vCenter Server Management Interface to stage patches either from a local repository by attaching an ISO image to the appliance, or from a remote repository directly by using a repository URL.

During the process of staging, the vCenter Server Management Interface validates that a patch is a VMware patch, that the staging area has enough free space, and that the patches are not altered. Only new patches or patches for existing packages that can be upgraded are staged.

If you are patching vCenter Server 8.0 Update 2 and higher versions, the patching orchestrator automatically creates a backup of the vCenter Server before performing a patch installation. For more information, see Automatic Creation of LVM Snapshot.

If a problem that prevents the successful staging of the patches occurs, vCenter Server suspends the staging process. Review the error messages, correct the problem, and, in many cases, you can resume staging the patches from the point at which vCenter Server encountered the problem.

Prerequisites
  • If you are staging patches from an ISO image that you previously downloaded from https://my.vmware.com/group/vmware/patch, you must attach the ISO image to the CD/DVD drive of the vCenter Server. You can configure the ISO image as a datastore ISO file for the CD/DVD drive of the appliance using the vSphere Client. See vSphere Virtual Machine Administration.
  • If you are staging patches from a remote repository, verify that you have configured the repository settings and that the current repository URL is accessible. See Configure URL-Based Patching.
Procedure
  1. Log in to the vCenter Server Management Interface as root.
    The default root password is the password you set when deploying vCenter Server.
  2. Click Update.
  3. Click Check Updates and select a source.
    Option - Description
    Check URL - Scans the configured repository URL for available patches.
    Check CDROM - Scans the ISO image that you attached to the CD/DVD drive of the appliance for available patches.
    In the Available Updates pane, you can view the details about the available patches in the source that you selected.
    Important: Some updates might require a reboot of the system. You can see information about these updates in the Available Updates pane.
  4. You can run a pre-check of an update to verify that it is compatible with your current deployment.
  5. Click the staging option you would like to use.
    Option - Description
    Stage - Stages the selected patches to the vCenter Server appliance for installation at a later time.
    Stage and Install - Stages and installs the selected patches to the vCenter Server appliance. For more information on installing patches, see Install vCenter Server Patches.
    Unstage - Unstages the selected patches.
    Resume the vCenter installation - If vCenter Server encounters a problem staging the patches, the vCenter Server Management Interface displays the Resume button. Correct the problem preventing the patches from staging, and click Resume to finish staging the patches. The staging process resumes from the point at which vCenter Server encountered the problem.
    Revert to last vCenter backup option - Select this option to roll back to the automatically created snapshot. If you choose to revert, a patching rollback API is called. The API checks if a snapshot is available and reverts to the snapshot.
    Note: The automatic creation of a backup is available only when you are patching vCenter Server 8.0 Update 2 and higher versions.

What to do next

If you decided to stage the available patches for installation at a later time, you can now install. See Install vCenter Server Patches.

Configure the Repository for URL-Based Patching

For URL-based patching, by default the vCenter Server appliance is configured to use the default VMware repository URL that is preset for the build profile of the appliance. You can configure a custom repository URL as the current source of patches for your environment's requirements.

By default the current repository for URL-based patching is the default VMware repository URL.

If vCenter Server is not connected to the Internet or if your security policy requires it, you can build and configure a custom repository. The custom patching repository runs on a local Web server within your data center and replicates the data from the default repository. Optionally, you can set up an authentication policy for accessing the Web server that hosts the custom patching repository.

Prerequisites

Log in to the vCenter Server Management Interface as root.

Procedure
  1. If you want to configure a custom repository URL, build the repository on your local web server.
    1. Log in to VMware Customer Connect at https://customerconnect.vmware.com/downloads/#all_products.
    2. Select Download Product under VMware vSphere.
    3. Select the vCenter Server version from the Select Version drop-down.
    4. Against your license type, click GO TO DOWNLOADS in the row for VMware vCenter Server.
    5. Download the VMware vCenter Server Appliance Update Bundle ZIP file.
    6. Confirm that the md5sum is correct by using an MD5 checksum tool.
    7. On your Web server, create a repository directory under the root.
      For example, create the vc_update_repo directory.
    8. Extract the ZIP file into the repository directory.
      The extracted files are in the manifest and package-pool subdirectories.
  2. In the vCenter Server Management Interface, click Update.
  3. Click Settings.
  4. Select the Repository settings.
    Option - Description
    Default repository - Uses the default VMware repository URL that is preset for the build profile of the appliance.
    Specified repository - Uses a custom repository. You must enter the repository URL, for example, https://web_server_name.your_company.com/vc_update_repo.

    The repository URL must use a secure protocol such as HTTPS or FTPS.

  5. If the specified repository requires authentication, enter the user name and password.
  6. (Optional) If you do not want to perform a security certificate check, deselect the Check Certificate check box.
    If you trust the URL for the repository, you can choose to bypass the certificate check for the repository URL.
  7. Click OK.
What to do next
See Install vCenter Server Patches.

Install vCenter Server Patches

You can check for and install patches either from an ISO image or directly from a repository URL.

Important: The services running in the vCenter Server appliance become unavailable during the installation of the patches. You must perform this procedure during a maintenance period. As a precaution in case of failure, you can back up the vCenter Server. For information on backing up and restoring vCenter Server, see vCenter Server Installation and Setup.
Prerequisites
  • Log in to the vCenter Server Management Interface as root.

  • Before you can install available patches, you check for new patches and stage the patches to the vCenter Server appliance. See Check for and Stage Patches to the vCenter Server Appliance.
  • If you are patching the appliance from an ISO image that you previously downloaded from https://my.vmware.com/group/vmware/patch, you must attach the ISO image to the CD/DVD drive of the vCenter Server appliance. You can configure the ISO image as a datastore ISO file for the CD/DVD drive of the appliance by using the vSphere Client. See vSphere Virtual Machine Administration.

  • If you are patching the appliance from a repository URL, verify that you have configured the repository settings and that the current repository URL is accessible. See Configure the Repository for URL-Based Patching.

  • Create an image-based backup and take a powered-off snapshot of the vCenter Server Appliance you are patching as a precaution in case there is a failure during the patching process.
Procedure
  1. In the vCenter Server Management Interface, click Update.
    In the Current version details pane, you can view the vCenter Server version and build number.

    In the Available updates pane, you can view the available updates with update priority and severity.

    The update priority indicates how soon you must install the update. The values include:
    • HIGH - Install as soon as possible.
    • MEDIUM - Install at the earliest convenience.
    • LOW - Install at your discretion.
    The update severity defines the severity of the issues fixed in the update. The values include the following:
    • CRITICAL - Vulnerabilities that can be exploited by an unauthenticated attacker from the Internet or those that break the guest/host Operating System isolation. The exploitation results in the complete compromise of confidentiality, integrity, and availability of user data and/or processing resources without user interaction. Exploitation could be leveraged to propagate an Internet worm or execute arbitrary code between Virtual Machines and/or the Host Operating System.
    • IMPORTANT - Vulnerabilities that are not rated critical but whose exploitation results in the complete compromise of confidentiality and/or integrity of user data and/or processing resources through user assistance or by authenticated attackers. This rating also applies to those vulnerabilities which could lead to the complete compromise of availability when exploitation is by a remote unauthenticated attacker from the Internet or through a breach of virtual machine isolation.
    • MODERATE - Vulnerabilities where the ability to exploit is mitigated to a significant degree by configuration or difficulty of exploitation, but in certain deployment scenarios could still lead to the compromise of confidentiality, integrity, or availability of user data and/or processing resources.
    • LOW - All other issues that have a security impact. Vulnerabilities where exploitation is believed to be extremely difficult, or where successful exploitation would have minimal impact.
  2. Select the range of staged patches to apply and click Install.
    Important: Some updates might require a reboot of the system. You can see information about these updates in the Available Updates pane.
  3. Read and accept the End User License Agreement.
  4. A system pre-check verifies that the patches can be successfully installed with the provided information.
    If the pre-check discovers missing or incorrect information, or other problems preventing a successful installation, you are prompted to correct the problem and resume the installation.
  5. After the installation finishes, click OK.
  6. If the patch installation requires the appliance to reboot, click Summary, and click Reboot to reset the appliance.
Results

In the Available Updates pane, you can see the changed update status of the vCenter Server appliance.

Enable Automatic Checks for vCenter Server Patches

You can configure vCenter Server to perform automatic checks for available patches in the configured repository URL at a regular interval.

Prerequisites
Procedure
  1. In the vCenter Server Management Interface, click Update.
  2. Click Settings.
  3. Select Check for updates automatically, and select the day and time in UTC to perform automatic checks for available patches.
  4. Click OK.
Results
vCenter Server appliance performs regular checks for available patches in the configured repository URL. In the Available Updates pane, you can view information about the available patches. You can also view the vCenter Server health status for notifications about available patches. See vCenter Server Configuration.

Patching the vCenter Server Appliance by Using the Appliance Shell

You can use the software-packages utility in the appliance shell of a vCenter Server appliance to see the installed patches, stage new patches, and install new patches.

To perform ISO-based patching, you download an ISO image, mount the ISO image to the CD/DVD drive of the appliance, optionally stage the available patches from the ISO image to the appliance, and install the patches. For steps to mount the ISO image to the CD/DVD drive, see Configure a Datastore ISO File for the CD/DVD Drive section in the vSphere Virtual Machine Administration.

To perform URL-based patching, you optionally stage the available patches from a repository URL to the appliance and install the patches. The vCenter Server appliance is preset with a default VMware repository URL for the build profile of the appliance. You can use the update.set command to configure the appliance to use the default VMware repository URL or a custom repository URL, for example, a repository URL that you previously built on a local Web server running within your data center. You can also use the proxy.set command to configure a proxy server for the connection between the vCenter Server appliance and the repository URL.

View a List of All Installed Patches in the vCenter Server Appliance

You can use the software-packages utility to see a list of the patches currently applied to the vCenter Server appliance. You can also view the list of the installed patches in chronological order and details about a specific patch.

Procedure
  1. Access the appliance shell and log in as a user who has a super administrator role.
    The default user with a super administrator role is root.
  2. To view the full list of patches and software packages installed in the vCenter Server appliance, run the following command:
    software-packages list
  3. To view all patches applied to the vCenter Server appliance in chronological order, run the following command:
    software-packages list --history
    You see the list in chronological order. A single patch in this list can be an update of multiple different packages.
  4. To view details about a specific patch, run the following command:
    software-packages list --patch patch_name
    For example, if you want to view the details about the VMware-vCenter-Server-Appliance-Patch1 patch, run the following command:
    software-packages list --patch VMware-vCenter-Server-Appliance-Patch1
    You can see the complete list of details about the patch, such as vendor, description, and installation date.

Configure URL-Based Patching

For URL-based patching, the vCenter Server appliance is preset with a default VMware repository URL for the build profile of the appliance. You can use the update.set command to configure the appliance to use the default or a custom repository URL as the current source of patches and enable automatic checks for patches.

By default the current repository for URL-based patching is the default VMware repository URL.

Note: You can use the proxy.set command to configure a proxy server for the connection between vCenter Server and the repository URL. For more information about the API commands in the appliance shell, see vCenter Server Configuration.

If vCenter Server is not connected to the Internet or if your security policy requires it, you can build and configure a custom repository. The custom patching repository runs on a local Web server within your data center and replicates the data from the default repository. Optionally, you can set up an authentication policy for accessing the Web server that hosts the custom patching repository.

Procedure
  1. If you want to configure a custom repository URL, build the repository on your local web server.
    1. Log in to VMware Customer Connect at https://customerconnect.vmware.com/downloads/#all_products.
    2. Select Download Product under VMware vSphere.
    3. Select the vCenter Server version from the Select Version drop-down.
    4. Against your license type, click GO TO DOWNLOADS in the row for VMware vCenter Server.
    5. Download the VMware vCenter Server Appliance Update Bundle ZIP file.
    6. Confirm that the md5sum is correct by using an MD5 checksum tool.
    7. On your Web server, create a repository directory under the root.
      For example, create the vc_update_repo directory.
    8. Extract the ZIP file into the repository directory.
      The extracted files are in the manifest and package-pool subdirectories.
  2. Access the appliance shell and log in as a user who has a super administrator role.
    The default user with a super administrator role is root.
  3. To see information about the current URL-based patching settings, run the update.get command.
    You can see information about the current repository URL, the default repository URL, the time at which the appliance last checked for patches, the time at which the appliance last installed patches, and the current configuration of automatic checks for patches.
  4. Configure the current repository for URL-based patching.
    • To configure the appliance to use the default VMware repository URL, run the following command:
      update.set --currentURL default
    • To configure the appliance to use a custom repository URL, run the following command:
      update.set --currentURL https://web_server_name.your_company.com/vc_update_repo [--username username] [--password password]
      The square brackets [] enclose the command options.

      If the custom repository requires authentication, use the --username username and --password password options.

  5. To activate automatic checks for vCenter Server appliance patches in the current repository URL at regular intervals, run the following command:
    update.set --CheckUpdates enabled [--day day] [--time HH:MM:SS]
    The square brackets [] enclose the command options.

    Use the --day day option to set the day for performing the regular checks for patches. You can set a particular day of the week, for example, Monday, or Everyday. The default value is Everyday.

    Use the --time HH:MM:SS option to set the time in UTC for performing the regular checks for patches. The default value is 00:00:00.

    The appliance performs regular checks for available patches in the current repository URL.
  6. To deactivate automatic checks for vCenter Server patches, run the following command:
    update.set --CheckUpdates disabled
What to do next

If you configured the appliance to perform automatic checks for available patches, you can regularly view the vCenter Server appliance health status for notifications about available patches. See vCenter Server Configuration.
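
The repository build steps in both Configure sections (download the bundle, confirm the checksum, create the repository directory, extract, expect manifest and package-pool) can be scripted on the Web server. The following is an added example, not VMware code: the function names, the `published_hex` argument and the sample ZIP are assumptions, and the sample bundle is constructed so the script runs offline.

```python
"""Added example: build the custom patch repository directory from the update bundle."""
import hashlib
import hmac
import tempfile
import zipfile
from pathlib import Path

# Subdirectories the page says the extracted bundle contains.
EXPECTED_SUBDIRS = ("manifest", "package-pool")


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash the bundle in chunks so a multi-gigabyte ZIP is never held in memory."""
    # MD5 is the default because the procedure names md5sum; any hashlib
    # algorithm name can be passed if the download page lists that digest.
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_checksum(path, published_hex, algorithm="md5"):
    """Compare against the digest shown on the download page (case/whitespace tolerant)."""
    return hmac.compare_digest(file_digest(path, algorithm), published_hex.strip().lower())


def unsafe_members(bundle, repo_dir):
    """List archive entries whose names resolve outside repo_dir (absolute or '..')."""
    root = Path(repo_dir).resolve()
    bad = []
    with zipfile.ZipFile(bundle) as zf:
        for name in zf.namelist():
            target = (root / name).resolve()
            if target != root and root not in target.parents:
                bad.append(name)
    return bad


def build_repository(bundle, published_hex, repo_dir, algorithm="md5"):
    """Verify, extract and sanity-check the bundle; raise ValueError on any failure."""
    if not verify_checksum(bundle, published_hex, algorithm):
        raise ValueError("checksum mismatch: do not publish this bundle")
    # zipfile drops '..' and leading '/' when extracting, but a bundle that
    # contains such names is malformed, so reject it instead of serving it.
    bad = unsafe_members(bundle, repo_dir)
    if bad:
        raise ValueError(f"archive entries escape the repository directory: {bad}")
    repo = Path(repo_dir)
    repo.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(bundle) as zf:
        zf.extractall(repo)
    missing = [d for d in EXPECTED_SUBDIRS if not (repo / d).is_dir()]
    if missing:
        raise ValueError(f"extracted bundle lacks expected subdirectories: {missing}")
    return sorted(p.name for p in repo.iterdir())


def make_constructed_bundle(path, names):
    """Write a tiny stand-in ZIP (constructed sample data, not a real VMware bundle)."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content")
    return Path(path)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        bundle = make_constructed_bundle(
            tmp / "updaterepo.zip", ["manifest/manifest.xml", "package-pool/sample.rpm"]
        )
        published = file_digest(bundle)  # stands in for the value on the download page
        print(build_repository(bundle, published, tmp / "vc_update_repo"))
        tampered = make_constructed_bundle(tmp / "bad.zip", ["manifest/m.xml", "../evil"])
        try:
            build_repository(tampered, file_digest(tampered), tmp / "repo2")
        except ValueError as exc:
            print("rejected:", exc)
```

In real use, pass the checksum copied from the download page as `published_hex` and the Web server's repository directory (for example, vc_update_repo) as `repo_dir`.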

Stage Patches to the vCenter Server Appliance

Before you install available patches, you can stage the patches to the appliance. You can use the software-packages utility to stage patches either from a local repository by attaching an ISO image to the appliance, or from a remote repository directly by using a repository URL.

Prerequisites
  • If you are staging patches from an ISO image that you previously downloaded from https://my.vmware.com/group/vmware/patch, you must attach the ISO image to the CD/DVD drive of the vCenter Server appliance. You can configure the ISO image as a datastore ISO file for the CD/DVD drive of the appliance by using the vSphere Client. See vSphere Virtual Machine Administration.
  • If you are staging patches from a remote repository, verify that you have configured the repository settings and that the current repository URL is accessible. See Configure URL-Based Patching.
Procedure
  1. Access the appliance shell and log in as a user who has a super administrator role.
    The default user with a super administrator role is root.
  2. Stage the patches.
    • To stage the patches included in the attached ISO image, run the following command:
      software-packages stage --iso
    • To stage the patches included in the current repository URL, run the following command:
      software-packages stage --url

      By default the current repository URL is the default VMware repository URL.

      If you want to stage only the third-party patches, use the --thirdParty option.

    • To stage the patches included in a repository URL that is not currently configured in the appliance, run the following command:
      software-packages stage --url URL_of_the_repository

      If you want to stage only the third-party patches, use the --thirdParty option.

    If you want to directly accept the End User License Agreement, use the --acceptEulas option.
    For example, to stage only the third-party patches from the current repository URL while directly accepting the End User License Agreement, run the following command:
    software-packages stage --url --thirdParty --acceptEulas
    In the process of staging, the command validates that a patch is a VMware patch, that the staging area has enough free space, and that the patches are not altered. Only completely new patches or patches for existing packages that can be upgraded are staged.
  3. (Optional) To see information about the staged patches, run the following command:
    software-packages list --staged

    Each patch includes a metadata file that contains information such as patch version, product name, whether a restart of the system is required, and so on.

  4. (Optional) To view a list of the staged patches, run the following command:
    software-packages list --staged --verbose
  5. (Optional) To unstage the staged patches, run the following command:
    software-packages unstage
    All directories and files generated by the staging process are removed.
What to do next

Install the staged patches. See Install vCenter Server Patches.

Important: If you staged the patches from an ISO image, keep the ISO image attached to the CD/DVD drive of the appliance. The ISO image must be attached to the CD/DVD drive of the appliance throughout the staging and installation processes.

Install vCenter Server Patches

You can use the software-packages utility to install the staged patches. You can also use the software-packages utility to install patches directly from an attached ISO image or repository URL without staging the patch payload.

Important: The services running in the appliance become unavailable during the installation of the patches. You must perform this procedure during a maintenance period. As a precaution in case of failure, you can back up the vCenter Server appliance. For information about backing up and restoring vCenter Server, see vCenter Server Installation and Setup.
Prerequisites
  • If you are installing staged patches, verify that you staged the correct patch payload. See Stage Patches to the vCenter Server Appliance.
  • If you are installing patches that you previously staged from an ISO image, verify that the ISO image is attached to the CD/DVD drive of the vCenter Server appliance. See Stage Patches to the vCenter Server Appliance.
  • If you are installing patches directly from an ISO image that you previously downloaded from https://my.vmware.com/group/vmware/patch, you must attach the ISO image to the CD/DVD drive of the vCenter Server Appliance. You can configure the ISO image as a datastore ISO file for the CD/DVD drive of the appliance by using the vSphere Client. See vSphere Virtual Machine Administration.
  • If you are installing patches directly from a repository, verify that you have configured the repository settings and that the current repository URL is accessible. See Configure URL-Based Patching.
  • Create an image-based backup and take a powered-off snapshot of the vCenter Server Appliance you are patching as a precaution in case there is a failure during the patching process.
Procedure
  1. Access the appliance shell and log in as a user who has a super administrator role.
    The default user with a super administrator role is root.
  2. Install the patches.
    • To install staged patches, run the following command:
      software-packages install --staged
    • To install patches directly from an attached ISO image, run the following command:
      software-packages install --iso
    • To install patches directly from the current repository URL, run the following command:
      software-packages install --url

      By default the current repository URL is the default VMware repository URL.

    • To install patches directly from a repository URL that is not currently configured, run the following command:
      software-packages install --url URL_of_the_repository
    If you want to directly accept the End User License Agreement, use the --acceptEulas option.
    For example, to install patches from the current repository URL without staging them, while directly accepting the End User License Agreement, run the following command:
    software-packages install --url --acceptEulas
  3. If the patch installation requires a reboot of the appliance, run the following command to reset the appliance.
    shutdown now -r "patch reboot"

Patching a vCenter High Availability Environment

To patch a vCenter Server Appliance configured in a vCenter High Availability (HA) cluster, you must remove the vCenter Server High Availability configuration and delete the Passive and Witness nodes. After patching the vCenter Server Appliance, you must re-create your vCenter Server High Availability clusters.

This procedure describes how to remove the vCenter HA configuration.

Procedure

  1. In the vSphere Client, log in to the vCenter Server from which you want to remove the vCenter HA configuration.
  2. Click the Configure tab, and select vCenter HA.
  3. Select Remove vCenter HA.
    • The vCenter HA cluster's configuration is removed from the Active, Passive, and Witness nodes.
    • The Active node continues to run as a standalone vCenter Server Appliance.
  4. Delete the Passive and Witness nodes.

What to do next

Patch the vCenter Server Appliance as described in either Patching vCenter Server Using the vCenter Server Management Interface or Patching the vCenter Server Appliance by Using the Appliance Shell.

After patching the vCenter Server Appliance, you can configure vCenter HA. For information about configuring vCenter HA, see vSphere Availability.