patch vCenter HA 6.7 U1

Maybe you think, we’ll how hard can it be ??
Yes, that was the same question I had. And to be honest… it is not that hard.
But there are some quarks or gotchas.
In this post I’ll explain the route I took for patching a vCenter HA setup.

Why don’t you use the VAMI ?

VAMI stands for ‘ Virtual Appliance Management Infrastructure ‘. It can be accessed via port 5480 like https://<FQDN VMware appliance>:5480 .
The VAMI of a vCenter Appliance (VCSA) has an update section, which you can use to patch the VCSA. This is a nice and easy way for patching the VCSA, but when you have vCenter configured as vCenter HA then this option won’t work. (I know from experience….)
After trying (and failing) I thought, why not read the manual….
VMware has a nice article about patching a vCenter in HA and you can find it here.
I still use the VAMI, but not for patching but for making a backup.

In short

These are the steps to patch the VCSA in short. The more detailed steps are further below.
Basicly we patch first the witness, then the passive node , do the failover and then new passive node.

  1. download the VCSA patch .iso file
  2. Backup VCSA
  3. put the VCSA HA in maintenance
  4. patch & reboot the witness node via SSH and its application shell
  5. patch & reboot the passive node via SSH and its application shell
  6. Initiate a manual failover of the VCSA cluster
  7. patch & reboot the new passive node via SSH and its application shell
  8. (optional) initiate a manual failover of the VCSA cluster
  9. Backup VCSA

On the side

The steps below consist of useing both shells of the VCSA, the bash and the appliance shell. Based on KB 2100508 you switch between the shells as follows:

chsh -s /bin/bash root #-- to switch to bash shell
chsh -s /bin/appliancesh root #-- to switch to the appliance shell

In detail

.1 Download the .iso patch
Download the .iso with the latest patch from this VMware site. The reason we use a .iso instead of using the url is that the witness node doesn’t have a connection to the internet.

(optional) Upload the .iso patch to the content library
From the vCenter UI it is possible to connect an .iso from the content library to a VM. We need to mount this .iso to all three the VMs

.2 Backup the VCSA
Go the VAMI interface at https://<vcenter FQDN or IP>:5480.
Log on.
Start the backup.

.3 Put the vCenter HA in maintenance mode
Go to the vCenter webclient UI.
Select the vCenter (in the top of the navigation tree).
Go to Conf

.4 Start SSH session to the Active vCenter Node

.5 SSH from active node to witness
The witness node is only accessible over the network via the active vCenter node . Execute the following in the ssh session you just started, to connect to the witness node. You need to be in the bash shell to start a SSH session.

ssh root@<ip of witness>

.6 install patch in witness node
First we patch the witness node. Go to the appliance shell (see the on-the-side section)

software-packages install --iso --acceptEula

.7 (optional) reboot witness
Multiple options to reboot the VM, I chose to restart via ‘Restart Guest OS’ on the VM.

.8 SSH from active node to the passive node

ssh root@<ip of passive node>

.9 Install patch on passive node
See step .6 & .7

.10 intiate vCenter HA failover
By initiating a failover we make the newly patched vCenter node the active node, so we can patch the final node. From this point on the vCenter is running with the installed patches.

.11 Start SSH session to the new active node
By intiating a failover all connections to the vCenter are lost, webclient ssh ….
So we need to refresh the webclient and start a new SSH session to the vCenter.

.12 see step .6 & .7

.13 (optional) Initiate vCenter HA failover
Why ? It is more a visual thing, maybe you expect that vCenter always will run on the first VM on the vCenter cluster VMs… But is it necessary ? No it isn’t.

.14 take vCenter HA out off maintenance mode & initiate backup of config

.15 unmount iso files

.16 … take a beer, sit down relax …. well done. 🙂

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: