It's been a while since we talked SolarWinds Patch Manager and patching in general here on the Product Blog, but with VMWorld 2015 right around the corner all things virtual are on our minds. Here's a few quick considerations to make when thinking about patching and maintaining virtual systems.
Is patching virtual (guest) systems really different? Yes, and no.
At the most fundamental level, patching virtual guest systems isn't really different than patching physical systems. You back the system up (hopefully), you install patches (which you tested first, right?), and if necessary, finish with a reboot. Seems simple enough, but there's points along the way where we can really take advantage of virtual systems - and virtual systems can help back us up when we're being lazy (or hasty).
- Backing up the system: here we can take advantage of the virtual environment's ability to take snapshots, either by integration with our backup system, integration with our patching system, or by hand. Snapshots can really cover your assets when it comes to making a mistake, or if a patch has unintended consequences (not that vendors ever make a mistake, right?). If a system fails to come back after a patch or you need time to diagnose an issue, reverting to snapshot while you clone and re-test is much more simple than the old school "revert from a backup? sigh..." or relying on Windows' ability to take reliable system restore points.
- Testing patches: with snapshots and a virtual environment (or even a hybrid or cloud environment), you can clone a live system into a testbed relatively easily. Gone are the days of drive imaging and system cloning, or having standby hardware in a test environment just because it's identical to production. Now, you can clone a snapshot of a production system, tweak its network and VM configuration to move it over to your test environment, and install and test patches pretty easily.
- Installing and rebooting: while systems are patching and rebooting, virtual environment HA configurations can help plug some of the holes of down systems without dealing with operating system clustering technologies directly. Both can be admittedly cumbersome to set up the first time, but virtual HA can save your bacon and minimize impact to your downstream users.
Don't forget your hypervisor!
When it comes to Hyper-V, patching your hypervisor really is all about patching your OS. Tools like Patch Manager are going to make it easy to stay up to date with Windows patches (AND third party patches, too). With Patch Manager on top of WSUS or SCCM, you can make intelligent groupings of systems, both for status and reporting details and for patching.
For vSphere (ESXi)-based systems, patching your hypervisor is a little more complex, and patches have been coming about monthly. There's actually a handy table of build numbers to patches published in their Knowledgebase that shows the patch history, and VMware has a Patch Portal to help you find and download updates that apply to you, plus see which KB articles patches resolve. I'd recommend showing the "Severity", "Category", and "System Impact" columns to help you understand which patches are most critical (keep a keen eye on security updates) and what the impact will be to running systems.
Patching utilities for host<->guest communication is important, too
Within virtual guest systems, there are usually utilities that establish good host to guest (and vice versa) communication. These tools let you perform clean maintenance tasks like shutdown, reboot, and snapshot; provide time synchronization (very useful if you're doing any log analysis, troubleshooting, or anything certificate-based where time can matter a lot); and provide insight into what's on a guest or host OS.
When it comes to VMware Tools specifically, you won't get the tools "for free" when you bring up a clean guest OS until you install them, though thankfully most modern Linux distributions include open-vm-tools by default (or easily added). For those of you tired of this deployment process on Windows, though, we've got good news! Patch Manager now includes VMware Tools packages in our third party update catalog. With Patch Manager, you can now automatically download and deploy VMware Tools updates just like Windows (and other third party) updates.
For existing Patch Manager customers, you can add the VMware Tools library to your patching catalog by following a few steps:
1. Use the Third Party Updates Configuration Wizard to synchronize available updates from SolarWinds Administration & Reporting > Software Publishing > Patch Manager Update Configuration Wizard |
|
2. Click "Next" when the Wizard completes to see the full list of available updates from all vendors. |  |
| 3. Scroll down and make sure "VMware Tools" and "VMware Tools (Upgrade)" are selected from the list of subscriptions. |  |
| 4. Click next and finish to confirm your package synchronization schedule, then Finish. |  |
| 5. To see the available packages and versions, go to Administration and Reporting > Software Publishing, then right click and select "Refresh". After doing so, you should see "VMware, Inc" appear in the list, and see the respective packages. |  |
| 6. From here, you can select to publish the packages to your WSUS/SCCM server (click "Publish Packages" on the right). Select x86 if you've got any 32-bit systems out there, otherwise select x64, then click Next. |  |
| 7. You'll watch an awesome progress bar for a little bit as it downloads and pushes the packages... then click Next to continue. |  |
| 8. What do you know, more awesome progress bars as it pushes the packages to the Patch Manager server... (there will be two at first as it pushes the files, then one warning you to be patient as it publishes.). Once it's done, you can hit "finish" to finish the publishing step. |
|
9. If you head back up to your Updates view, you'll see the new packages in the list. Update Services > <your server> > Updates > Third Party Updates (you might have to right click on "Updates" and click "Refresh" first). |  |
| 10. From here, you can do your standard Patch Manager tasks, such as Approve the package for distribution and decide which systems should receive the package/update. Click "Approve", then click on each group to approve to and click the "Approved for Install" button (in my example, I approved the update for my Servers group), then click OK. You'll see another fancy progress bar while things finish, then confirm. |  |
You can also automatically download and approve future versions with the new-in-Patch Manager 2.1 auto-approval feature, if you check out our GA blog post there's a bunch of details on that feature - Announcing General Availability of Patch Manager v2.1 - Automated 3rd Party Patches & More!.
What's Next for Patching Virtual Systems?
If you check out the Patch Manager What We're Working On, you'll see specific mention of more features we're looking at adding regarding patching virtual systems - including the automated snapshotting (and potentially reverting) mentioned above.
What big issues do you have with patching virtual systems? What can we do to help?