The Async Patch Tool allows you to apply critical patches outside of the VMware Cloud Foundation lifecycle management process.
High-level steps
- Check your VCF version matches the patch from the VMware site
- Download the Async Patch Tool and extract it on a computer with internet access
- Run the async tool list command to see if your patch is listed
- Download the bundles using the async tool
- Copy the async tool and bundles to SDDC Manager and change permissions
- Upload the bundles to SDDC Manager using the async tool
- Patch your environment using the SDDC Manager GUI
- Disable the patch using the async tool
I have VCF 4.4.1.1 installed and an advisory has come out for the ESXi 7.0 Update 3f patch; see the links below.
https://www.vmware.com/security/advisories/VMSA-2022-0025.html
https://kb.vmware.com/s/article/88695
Now I need to validate that my version is supported, so I am looking for 4.4.x versions as I have 4.4.1.1 installed. Once I find that, I'll look for 3f versions; I find one for vCenter and one for ESXi. So I will download both and install the vCenter version first, as vCenter should always be equal to or higher than the ESXi version.
Using the below link
https://kb.vmware.com/s/article/88287
Take note of the versions; you will need them later.
VCENTER:7.0.3.00700-20051473
ESX_HOST:7.0.3-20036589
One extra validation you could use is the Product Interoperability Matrix at https://interopmatrix.vmware.com/Interoperability, but this is optional.
Download the latest Async Patch Tool (always use the latest version)
https://customerconnect.vmware.com/downloads/details?downloadGroup=VCF4XAP_TOOLS&productId=1352
Once downloaded, extract it locally (where you have internet access).
Get list of current patches
Open a command prompt as administrator and navigate to the bin directory in vcf-async-patch-tool-1.0.0.4 (your extract)
Type the below with your VMware customer email account
vcf-async-patch-tool.bat --listAsyncPatch --du customer_connect_email
Type Y – installed latest AP Tool version
Type N – no ceip
Type in password and enter (VMware customer email account password)
You should see all available patches, including the ones you noted from the advisory page previously.
VCENTER:7.0.3.00700-20051473
ESX_HOST:7.0.3-20036589
Download bundles
Run the following from the bin directory where you downloaded the AP Tool
vcf-async-patch-tool.bat -d --patch product:version --du customer_connect_email --sku sku_type
replace product:version with ESX_HOST:7.0.3-20036589
replace customer_connect_email with your VMware customer email account
Type Y – installed latest AP Tool version
Type in password and enter (VMware customer email account password)
Even though I selected only the ESXi patch to download, it will download all SDDC Manager service update bundles as well.
Once completed, go to the directory the bundles were downloaded to (the location should be in the output).
Now I will download the vCenter patch using the same method as above
vcf-async-patch-tool.bat -d --patch product:version --du customer_connect_email --sku sku_type
replace product:version with VCENTER:7.0.3.00700-20051473
replace customer_connect_email with your VMware customer email account
Type Y – installed latest AP Tool version
Type in password and enter (VMware customer email account password)
Copy the async tool you extracted before and the bundles to SDDC Manager using WinSCP
Location:
/nfs/vmware/vcf/nfs-mount/
Both folders should be there now
Set permissions on the bundles and async tool
SSH to SDDC Manager via PuTTY
su
root@sddc-manager [ /nfs/vmware/vcf/nfs-mount ]# chmod -R 775 vcf-async-patch-tool-1.0.0.4/
root@sddc-manager [ /nfs/vmware/vcf/nfs-mount ]# chmod -R 775 apToolBundles/
root@sddc-manager [ /nfs/vmware/vcf/nfs-mount ]# chown -R vcf:vcf vcf-async-patch-tool-1.0.0.4/
root@sddc-manager [ /nfs/vmware/vcf/nfs-mount ]# chown -R vcf:vcf apToolBundles/
Upload the vCenter patch and enable it with the Async Patch Tool
Make sure you run it as the vcf user, not under su; otherwise it won’t run.
Enter the bin directory where vcf-async-patch-tool-1.0.0.4 is located
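A pre-flight check for the copy, permission and login steps above, written as an added example rather than anything shipped with the AP Tool. The function names are hypothetical, and the patch-identifier pattern is inferred only from the two identifiers noted earlier.

```shell
#!/bin/sh
# Added example: pre-flight checks before running the upload on SDDC Manager.
# Function names are hypothetical; paths and the vcf account come from the steps above.

# Succeeds when the argument looks like PRODUCT:version-build, the shape of the
# two identifiers noted earlier (pattern inferred from those two values only).
valid_patch_id() {
    printf '%s\n' "$1" | grep -Eq '^[A-Z_]+:[0-9]+(\.[0-9]+)+-[0-9]+$'
}

# Succeeds when DIR exists and every entry under it is owned by OWNER:GROUP
# and carries at least the permission bits set by chmod -R 775.
tree_ready() {
    dir=$1 owner=$2 group=$3
    [ -d "$dir" ] || return 1
    bad=$(find "$dir" \( ! -user "$owner" -o ! -group "$group" -o ! -perm -775 \) -print | head -n 1)
    [ -z "$bad" ]
}

# Runs all checks; prints the first failure and returns non-zero.
preflight() {
    base=$1 tool=$2 bundles=$3 run_as=$4 patch=$5
    if [ "$(id -un)" != "$run_as" ]; then
        echo "run as $run_as, not $(id -un)"; return 1
    fi
    valid_patch_id "$patch" || { echo "bad patch id: $patch"; return 1; }
    for d in "$tool" "$bundles"; do
        tree_ready "$base/$d" "$run_as" "$run_as" || {
            echo "fix owner/mode under $base/$d"; return 1; }
    done
    echo "ok: ready to upload $patch"
}

# On SDDC Manager, logged in as vcf:
# preflight /nfs/vmware/vcf/nfs-mount vcf-async-patch-tool-1.0.0.4 apToolBundles vcf VCENTER:7.0.3.00700-20051473
```

A failure here points at the step to redo (chown/chmod as root, or logging in as vcf) before the tool prompts for passwords.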
I will now upload the vCenter patch to SDDC Manager
Example
./vcf-async-patch-tool -e --patch VCENTER:7.0.3.00700-20051473 --sddcSSOUser administrator@vsphere.local --sddcSSHUser vcf --outputDirectory /nfs/vmware/vcf/nfs-mount/apToolBundles --it OFFLINE
Bundle has been uploaded to SDDC manager
Update/patches should have the available update now in your workload domain
Click update now
After you have completed the upgrade across all clusters, disable the patch
Use the Async Patch Tool to deactivate the patch
Run the following in the bin directory where the AP Tool is
./vcf-async-patch-tool --disableAllPatches --sddcSSOUser administrator@vsphere.local --sddcSSHUser vcf
Y – to confirm latest AP Tool
N – for CEIP
Enter the vcf password, root password and SSO password
Now I will upload ESXi using the same method
./vcf-async-patch-tool -e --patch product:version --sddcSSOUser SSOuser --sddcSSHUser vcf --outputDirectory bundleDirectory --it OFFLINE
Example
./vcf-async-patch-tool -e --patch ESX_HOST:7.0.3-20036589 --sddcSSOUser administrator@vsphere.local --sddcSSHUser vcf --outputDirectory /nfs/vmware/vcf/nfs-mount/apToolBundles --it OFFLINE
Y – using the latest AP tool
Y – yes, you have met all the requirements
Enter the passwords for the vcf user, root user and SSO
It will start uploading to SDDC manager
Bundle is now uploaded and available to update
After you have upgraded all clusters, disable the patch
Use the Async Patch Tool to deactivate the patch
./vcf-async-patch-tool --disableAllPatches --sddcSSOUser administrator@vsphere.local --sddcSSHUser vcf