To keep vSphere installs secure, it is often necessary to patch or upgrade them in a specific order, as outlined in KB 2109760, which has been our guide for the last few parts of our upgrade saga. However, patching vCenter 6.0 vCSA is not as easy as it looks. The instructions in the online manuals are only apropos for upgrading from vCenter 5.1 or 5.5. For vCenter 6.0, they contain information only valid once you have Update 1 involved. So, how do we proceed?
To the rescue, so to speak, is William Lam, who has written extensively about automation and other difficult aspects of the vSphere environment. You need to first patch all of the following, in this specific order, before you even attempt a vCenter patch:
- vCenter SSO External (if in use)
- vRealize Automation (vRA)
- vRealize Configuration Manager (VCM)
- vRealize Business, IT Cost Management (ITBM)
- vRealize Automation Application Services (vRAS)
- vCloud Director (vCD)
- vCenter Networking and Security (vCNS) (there has not been an update for a while, but always check)
- NSX Manager
- NSX Controllers
- View Composer
- View Connection Server
- View Security Server (left off the official list from VMware, but should be there)
Now we are ready to patch vCenter. I did this by following William Lam’s handy instructions.
Once vCenter is upgraded, I was able to then upgrade the following quite easily:
- VMware Update Manager
- vRealize Orchestrator
- vCenter Replication
- vRealize Operations
- VMware Data Protection
- vCenter Infrastructure Navigator
- vRealize Log Insight
- vCenter Hyperic (if I had it installed)
- vCenter Cloud Connector (if I had it installed)
- Big Data Extensions (if I had it installed)
- vCenter Site Recovery Manager
Once everything above is patched, you can safely patch all hosts in order using VMware Upgrade Manager or redeploy using Auto Deploy. If there are any firmware updates, now would be a good time to apply them as well, as you have to reboot each host to apply the U1 patch. I used the steps I developed in this post to do my upgrades.
Not much of a writeup, but it was a simple update with the only “gotcha” being the need to do a full patch of vCSA.
The next steps for me are to:
- Ensure my HP-specific VIBs are up to date (they are not)
- Ensure my Host Profiles are up to date for the new release, per this post
- Upgrade VMware Tools on appropriate VMs
- Upgrade any necessary vShield or NSX VM components (I do not use any of these normally, but with every new release there is an Endpoint Security update that comes with the new VMware Tools, so that part is part of VMware Tools updates)
- Lastly, re-create my VMware View templates with the new View Agent
Actually, Horizon View can be updated out of band if you are already at 6.0.
Edward L. Haletky, aka Texiwill, is an author, analyst, developer, technologist, and business owner. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and TVP Strategy where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.