Updating VMware vCenter Server Appliance

Terminology

Baseline
A predefined or custom set of patches, extensions, or upgrades used to update an ESXi host or VM.

Dynamic vs Fixed
Dynamic baselines have selectable criteria for which patches are included.

Fixed baselines allow you to choose specific patches to include.

Attaching / Detaching
Baselines (or baseline groups) are attached to hosts (or clusters of hosts), and then you scan. What you’re attaching is actually just the metadata of the baseline.

Baseline Group
A collection of baselines: an aggregate of individual patch and upgrade baselines. An upgrade involves a release number change (e.g. vSphere 6.5 to 6.7). A smaller change uses a patch or update (e.g. vSphere 6.0 Update 1).

Scanning
The process of checking if the host(s) or VMs need any of the patches (etc.) in the baseline (or group).

Staging
The process of downloading the actual data of the patches ahead of remediating.

Remediating
The process of applying the patch, extension, or upgrade to an ESXi host or VM. If you didn't stage the patches, the data is downloaded as part of remediation. So the order is: attach, scan, stage (optional), then remediate.

Patch Metadata
Index files stored in the patch repository that list all known patches available for use by Update Manager.

Patch Repository
The directory on the Update Manager Server that holds the Patch Metadata as well as the patches.

Host Extension
Additional software to apply to a host.

VAMI
vCenter Server Appliance Management Interface.
vCenter Server Appliance is a VM that runs on ESXi and manages the entire vSphere environment; you usually access it via its web UI. It also has a separate web UI for managing the appliance itself, reached at the vCenter URL on port 5480:
vsphere.company.com:5480

To update vCenter

(For example from build 6.7.0.10000 to 6.7.0.20000.)

Go to https://my.vmware.com/group/vmware/patch#search

Choose VC as the product and download the latest patch.

In this case:

  • Release name: VC-6.7.0-update01.Appliance-Patch
  • Release date: 10.16.2018
  • File name: VMware-vCenter-Server-Appliance-6.7.20000-10244745-patch-FP.iso
Then attach the ISO to the vCenter Server Appliance VM.
  • Actions > Edit Settings > CD/DVD drive > attach a datastore or client device file.
Make a snapshot, just in case. Take it before the update starts, and delete it once the updated appliance has been verified; a snapshot is a rollback point, not a backup.

Check for Updates
  • Log into the VAMI as root:
  • https://<vcenter-fqdn>:5480
  • Navigate to Update > Check Updates > Check CD-ROM + URL
  • Expand the selected update and click RUN PRE-UPDATE CHECKS
  • Click Stage only
  • Click INSTALL
  • You'll be asked to make a backup first.

To make the backup

You can back up to a server via SCP, HTTP, HTTPS, FTP, or FTPS (but not SFTP).
Enter the server address like so:
– protocol://<server>:<port>/path
– scp://backup.server.info:22/~
You enter the user name and password separately.
The backup contains the vCenter database and credentials, so prefer SCP, FTPS or HTTPS over plain FTP or HTTP, and set an encryption password on the backup when the dialog offers one.


If the backup fails with an error (the original shows it only as a screenshot, not reproduced here), a required appliance service is probably not running. Log into vCenter via SSH as root.

$ ssh root@vsphere.company.com

VMware vCenter Server Appliance 6.7.0.10000

Type: vCenter Server with an embedded Platform Services Controller

Password:
Connected to service

* List APIs: "help api list"
* List Plugins: "help pi list"
* Launch BASH: "shell"

Command>

Enable a BASH shell:

Command> shell

Shell access is granted to root

root@vcenter [ ~ ]#

Check the status of vCenter services with:

  • service-control --status
root@vcenter [ ~ ]# service-control --status

Stopped:
vmcam vmware-imagebuilder vmware-mbcs vmware-netdumper vmware-postgres-archiver vmware-rbd-watchdog vmware-vcha vsan-dps
Running:
applmgmt lwsmd pschealth vmafdd vmcad vmdird vmdnsd vmonapi vmware-analytics vmware-cis-license vmware-cm vmware-content-library vmware-eam vmware-perfcharts vmware-pod vmware-rhttpproxy vmware-sca vmware-sps vmware-statsmonitor vmware-sts-idmd vmware-stsd vmware-updatemgr vmware-vapi-endpoint vmware-vmon vmware-vpostgres vmware-vpxd vmware-vpxd-svcs vmware-vsan-health vmware-vsm vsphere-client vsphere-ui
root@vcenter [ ~ ]#

Start the service with

  • service-control --start
root@vcenter [ ~ ]# service-control --start vmware-postgres-archiver
Operation not cancellable. Please wait for it to finish...
Performing start operation on service vmware-postgres-archiver...
Successfully started service vmware-postgres-archiver
root@vcenter [ ~ ]#
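The check above is easy to do by eye once, but before a backup or update it is worth having the comparison done for you. The following script is an added example, not code from the original page or from VMware: it parses the `service-control --status` output quoted above (embedded here as constructed sample text) and lists which of a required set of services are not running, together with the `service-control --start` commands to fix that. The `REQUIRED_FOR_BACKUP` set is an assumption: vmware-postgres-archiver is the service the page had to start by hand, and vmware-vpostgres holds the data being backed up.

```python
"""Parse `service-control --status` output and flag stopped services.

Added example, not part of the original page. SAMPLE_STATUS is the transcript
quoted above; REQUIRED_FOR_BACKUP is an assumption, not a VMware-published list."""
import re

# Constructed sample: the `service-control --status` output shown above.
SAMPLE_STATUS = """\
Stopped:
 vmcam vmware-imagebuilder vmware-mbcs vmware-netdumper vmware-postgres-archiver vmware-rbd-watchdog vmware-vcha vsan-dps
Running:
 applmgmt lwsmd pschealth vmafdd vmcad vmdird vmdnsd vmonapi vmware-analytics vmware-cis-license vmware-cm vmware-content-library vmware-eam vmware-perfcharts vmware-pod vmware-rhttpproxy vmware-sca vmware-sps vmware-statsmonitor vmware-sts-idmd vmware-stsd vmware-updatemgr vmware-vapi-endpoint vmware-vmon vmware-vpostgres vmware-vpxd vmware-vpxd-svcs vmware-vsan-health vmware-vsm vsphere-client vsphere-ui
"""

# Assumption: services the file-based backup depends on. vmware-postgres-archiver is
# the one the page had to start by hand; vmware-vpostgres holds the data being backed up.
REQUIRED_FOR_BACKUP = {"applmgmt", "vmware-vpostgres", "vmware-postgres-archiver"}

STATE_HEADER = re.compile(r"^(Stopped|Running):$")


def parse_service_status(text):
    """Map each service name to 'stopped' or 'running'."""
    state, status = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = STATE_HEADER.match(line)
        if header:
            state = header.group(1).lower()
            continue
        if state is None:
            raise ValueError("service list before a Stopped:/Running: header: %r" % line)
        for name in line.split():
            status[name] = state
    return status


def missing_services(status, required):
    """Required services that are not reported as running (absent counts as missing)."""
    return sorted(s for s in required if status.get(s) != "running")


def start_commands(missing):
    """The service-control invocations that bring the missing services up."""
    return ["service-control --start %s" % s for s in missing]


if __name__ == "__main__":
    status = parse_service_status(SAMPLE_STATUS)
    missing = missing_services(status, REQUIRED_FOR_BACKUP)
    print("stopped:", [s for s, st in status.items() if st == "stopped"])
    print("missing for backup:", missing)
    for cmd in start_commands(missing):
        print("run:", cmd)
```

On the sample output this reports only vmware-postgres-archiver as missing, which is exactly the service started in the transcript above. Paste the live output of `service-control --status` in place of the sample to use it on a real appliance.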

Add a DMARC record for your mail domain.

DMARC is Domain-based Message Authentication, Reporting and Conformance.
DMARC builds on SPF and DKIM to tell receiving mail servers what to do (accept, quarantine, or reject) with messages that claim to be from your domain, and to report the results back to you.
DMARC is published as a DNS TXT record at _dmarc.<your domain> and specifies:
  • A policy for messages that fail DMARC. A message passes DMARC when either SPF or DKIM passes and the passing identity is aligned with the From: domain (for SPF the envelope sender domain, for DKIM the d= domain). An SPF or DKIM pass for an unrelated domain does not count.
  • Where to send aggregate and forensic reports.
  • Optionally, a pct= tag that applies the policy to only a sample of failing mail (e.g. 5 percent); the rest gets the next less strict policy.
To implement DMARC, you must first set up SPF and DKIM.
Office 365 evaluates DMARC on incoming mail for you. You still have to publish the DMARC record for your own domain yourself.

SPF – Sender Policy Framework

SPF is a DNS TXT record on your domain that lists which hosts and IP addresses may send mail with your domain as the envelope sender.
A domain must have exactly one SPF record (a second one makes evaluation fail with a permerror), and it must contain all the senders that are allowed to send mail on your behalf. Mechanisms that need DNS lookups (include, a, mx, ptr, exists, redirect) are limited to 10 per evaluation; going over that is also a permerror.
Example record:

v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all

Example for Office 365:

v=spf1 include:spf.protection.outlook.com -all

Even if your domain doesn't send mail, it can still be spoofed and should publish this SPF record:

v=spf1 -all
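To see how a receiver actually evaluates the three records above, here is a small SPF evaluator written for this page; it is an added example, not code from the original page or from any SPF library. It walks the record left to right, applies the ip4/ip6/a/include/all mechanisms and their qualifiers, recurses into include: with the shared 10-lookup budget from RFC 7208, and returns the same result names a real resolver does. The `DNS` table is a constructed stand-in for live lookups (the IP ranges in it, including the ones under spf.protection.outlook.com, are made up for the demo), and mx, ptr, exists and redirect= are deliberately left out.

```python
"""Minimal SPF evaluator over an in-memory DNS table.

Added example, not from the original page. DNS is a constructed zone standing in
for live lookups; the address ranges in it are made up for the demo. Handles the
mechanisms the records above use (ip4, ip6, a, include, all) plus the RFC 7208
10-lookup limit; mx, ptr, exists and redirect= are left out."""
import ipaddress

DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all"],
        "A": ["203.0.113.10"],
    },
    "o365.example": {"TXT": ["v=spf1 include:spf.protection.outlook.com -all"]},
    # constructed subset, not Microsoft's real ranges
    "spf.protection.outlook.com": {"TXT": ["v=spf1 ip4:203.0.113.0/25 ip6:2001:db8::/32 -all"]},
    "nomail.example": {"TXT": ["v=spf1 -all"]},
    "twice.example": {"TXT": ["v=spf1 -all", "v=spf1 +all"]},       # invalid: two SPF records
    "badinclude.example": {"TXT": ["v=spf1 include:unknown.example -all"]},
}
MAX_LOOKUPS = 10
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, _lookups=None):
    """RFC 7208 check_host(): pass, fail, softfail, neutral, none or permerror."""
    lookups = _lookups if _lookups is not None else [0]    # budget shared across includes
    ip = ipaddress.ip_address(ip)
    records = [t for t in DNS.get(domain, {}).get("TXT", []) if t.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # an IPv4 address is never inside an IPv6 network, and vice versa
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "a":
            lookups[0] += 1
            target = argument or domain
            matched = any(ip == ipaddress.ip_address(a) for a in DNS.get(target, {}).get("A", []))
        elif mechanism == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_host(str(ip), argument, lookups)
            if inner in ("permerror", "none"):   # RFC 7208 5.2: include of a missing record
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"                   # unknown mechanism
        if lookups[0] > MAX_LOOKUPS:
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                             # no term matched and no all term


if __name__ == "__main__":
    for ip, domain in [("192.0.2.55", "example.com"), ("203.0.113.99", "example.com"),
                       ("203.0.113.99", "o365.example"), ("198.51.100.1", "nomail.example"),
                       ("198.51.100.1", "twice.example")]:
        print(ip, domain, "->", check_host(ip, domain))
```

Two things the run makes visible: the `v=spf1 -all` domain returns fail for every sender, which is the point of publishing it, and the domain with two SPF records returns permerror rather than a policy, so a second record does not tighten anything, it switches SPF off.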

DKIM – DomainKeys Identified Mail

DKIM lets a domain take responsibility for a message by attaching a digital signature (the DKIM-Signature header) made with a private key; the matching public key is published in a DNS TXT record under <selector>._domainkey.<domain>.
A valid signature shows that the signed header fields and the message body (attachments included, since they are part of the body) have not been modified since the signature was added.
DKIM provides for two distinct operations, signing and verifying.
The DKIM specification lets signers choose which header fields they sign, but the From: field must always be signed.
You might need multiple DKIM records for your domain if different hosts, domains, or subdomains send mail for you. Each key is published in its own TXT record, identified by a unique selector name; the same mechanism is used to rotate a key, by publishing the new key under a new selector before switching the signer over.
Generate the keys with:

openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key

Install the private key on the MTA/mail-sending systems.
Publish the public key (the base64 body of public.key, without the BEGIN/END PUBLIC KEY lines) in the DKIM record at your DNS provider:
Example DKIM record:
  • type:  TXT
  • host:  selector1-dzsolutions-com._domainkey
  • Points to address or value:  v=DKIM1; k=rsa; p=<public_key>; n=1024,1453276987,1

DMARC

You want to ease into your DMARC policy to make sure it's working correctly.
  • First, make a no-action policy (p=none;) that just collects reports. You'll see who is sending mail on your behalf, and be able to correct for any senders you left out.
  • Second, switch to a low-percentage quarantine policy (p=quarantine; pct=5;). It tells receiving servers to quarantine 5 percent of the mail that fails DMARC (send it to the spam folder) and to treat the rest as p=none. That way, most of the mail will go through no matter what, and your reports will show how well it's working for the 5 percent. You can make adjustments until it works right.
  • Third, ease into rejecting (p=reject; pct=5;). Failing mail outside the 5 percent sample is quarantined rather than rejected. Check your reports, adjust things, and raise pct in steps up to 100%.
no-action DMARC record:
  • Type:  TXT
  • Host:  _dmarc (i.e. _dmarc.your_domain.com)
  • Value:  v=DMARC1; p=none; rua=mailto:admin@your_domain.com; ruf=mailto:admin@your_domain.com; sp=reject; ri=86400;
Where:
  • v is the version, and must be the first tag.
  • p is the policy for messages that fail DMARC: none | quarantine | reject.
  • rua specifies where to send aggregate reports.
  • ruf specifies where to send forensic (per-message failure) reports.
  • sp is the subdomain policy.
    If you have no subdomains that send mail, it is best to reject.
  • ri is the requested interval between aggregate reports; default is 86400 seconds (24 hours). Note the tag syntax is tag=value separated by semicolons; ri:86400 with a colon is a malformed tag and will be ignored or rejected by receivers.
Check your DMARC record and view the reports using https://dmarcian.com/ or https://mxtoolbox.com/domain/; they have validation tools for all DNS records.
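Both the DKIM record above and the DMARC record are tag=value lists, and both are easy to get subtly wrong by hand (a colon instead of an equals sign, a 2048-bit key that does not fit in one DNS TXT string). The following script, an added example rather than code from the original page, serves the DKIM section and this DMARC section together: it strips the PEM armor from public.key into a DKIM TXT value and splits it into the 255-byte strings a zone file needs, validates a DMARC record against the rules listed above, and shows which policy a receiver applies to a failing message when pct= is below 100. `FAKE_PUBLIC_KEY_PEM` is constructed placeholder bytes standing in for the real `openssl rsa -pubout` output, not a usable key; `PAGE_RECORD_FIXED` is the no-action record from above, and `PAGE_RECORD_AS_WRITTEN` is the same record with the ri tag written as `ri:84600`, the way the original page had it.

```python
"""Build a DKIM TXT record from a PEM public key and validate a DMARC record.

Added example, not from the original page. The PEM below is constructed
placeholder bytes, not a real key; the DMARC records are the page's example."""
import base64
import re


def parse_tags(record):
    """RFC 6376 tag=value list (used by DKIM and DMARC). Returns (tags, errors)."""
    tags, errors = {}, []
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            errors.append("malformed tag (missing '='): %r" % item)
            continue
        key, value = (part.strip() for part in item.split("=", 1))
        if key in tags:
            errors.append("duplicate tag %r" % key)
        tags[key] = value
    return tags, errors


def dkim_txt_from_pem(pem):
    """Strip PEM armor and return (record value, list of <=255-byte zone strings)."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    base64.b64decode(body, validate=True)      # raises if the PEM body is not clean base64
    value = "v=DKIM1; k=rsa; p=%s" % body
    # TXT RDATA is a sequence of strings of at most 255 bytes. A 2048-bit key never
    # fits in one, so the zone entry must be split; resolvers concatenate the pieces.
    strings = [value[i:i + 255] for i in range(0, len(value), 255)]
    return value, strings


VALID_POLICIES = {"none", "quarantine", "reject"}


def validate_dmarc(record):
    """Return a list of problems; an empty list means the record is well formed."""
    tags, errors = parse_tags(record)
    if list(tags)[:1] != ["v"] or tags.get("v") != "DMARC1":
        errors.append("first tag must be v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        errors.append("p= is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        errors.append("sp= must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        errors.append("pct= must be an integer from 0 to 100")
    if not tags.get("ri", "86400").isdigit():
        errors.append("ri= must be an integer number of seconds")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.startswith("mailto:"):
                errors.append("%s= entries must be mailto: URIs, got %r" % (tag, uri))
    return errors


def sampled_policy(tags, roll):
    """Policy a receiver applies to one failing message; roll is its random draw in [0, 100).
    RFC 7489 6.6.4: messages outside the pct sample get the next less strict policy."""
    if roll < int(tags.get("pct", "100")):
        return tags["p"]
    return {"reject": "quarantine", "quarantine": "none", "none": "none"}[tags["p"]]


# Constructed placeholder standing in for public.key from `openssl rsa -pubout` (not a key).
FAKE_PUBLIC_KEY_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                       + "\n".join(re.findall(".{1,64}", base64.b64encode(
                           bytes(range(256)) + bytes(38)).decode()))
                       + "\n-----END PUBLIC KEY-----\n")

PAGE_RECORD_FIXED = ("v=DMARC1; p=none; rua=mailto:admin@your_domain.com; "
                     "ruf=mailto:admin@your_domain.com; sp=reject; ri=86400;")
PAGE_RECORD_AS_WRITTEN = PAGE_RECORD_FIXED.replace("ri=86400", "ri:84600")

if __name__ == "__main__":
    value, strings = dkim_txt_from_pem(FAKE_PUBLIC_KEY_PEM)
    print("DKIM TXT string lengths:", [len(s) for s in strings])
    print("record as written on the page:", validate_dmarc(PAGE_RECORD_AS_WRITTEN))
    print("corrected record:", validate_dmarc(PAGE_RECORD_FIXED))
    print("p=reject pct=5, roll 50 ->", sampled_policy({"p": "reject", "pct": "5"}, 50))
```

Run it before pasting a record into DNS: the as-written record comes back with one malformed-tag error for `ri:84600`, the corrected one comes back clean, and the `sampled_policy` call shows why a `p=reject; pct=5` record still quarantines most failing mail rather than letting it through.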