VMware Lifecycle Manager: A Step-by-Step Guide
VMware vSphere 7 Lifecycle Manager (vLCM) is a tool built into VMware vSphere vCenter 7.0 Update 2a and higher that can be very helpful in managing ESXi versions, patches, and drivers, as well as the VM Hardware and VMware Tools versions on VMs in your vCenter. Keeping the software at a desired or required level involves a number of components, such as ESXi base images, vSphere Installation Bundles (VIBs), Bulletins (which can contain VIBs), Patches and/or Patch "Roll-ups", and Extensions that add optional third-party components to ESXi. Being able to define which of these are required to keep your ESXi host software compliant, and to automate the deployment of all these components, can be a huge time saver.
vSphere 7 Lifecycle Manager evolved from vSphere Update Manager, and has many features in common with this older tool. If you are still running vSphere 6.5, 6.7 or vSphere 7.0 vCenter prior to Update 2a, many of the features described will also apply to Update Manager in those versions. If you are running vSphere 7.0 vCenter prior to Update 2a but have ESXi 6.5 or 6.7 hosts in your vCenter, most if not all of the features described can be applied to those hosts as well as ESXi 7.0 hosts.
Note that the permissions given to your vCenter login must include those required by vLCM. These are too extensive to list here, but are detailed in this VMware document. If your login ID or Group has the "Administrator" Role, you should have all the permissions needed.
vSphere Lifecycle Manager Software Components
Before diving into how to use vSphere Lifecycle Manager, it's helpful to go through a quick overview of its software components.
VIBs: The VIB is the basic building block of installable packages for ESXi hosts.
Bulletins: This is a grouping of one or more VIBs, which is used to create vLCM Baselines.
Patches: Patches are one or more VIBs that contain enhancements to the software or bug fixes that address a particular issue.
Roll-up Bulletin: A roll-up is a bundle of patches that are more easily deployed as a group.
Extensions: These are typically provided by a third party as an optional component to ESXi.
The vSphere Lifecycle Manager Depot
The vSphere Lifecycle Manager Depot is where the software components are stored. It supports automated download of software from the official VMware online depot by default, directly over the Internet or through a Proxy if required. Alternatively, you can download offline bundles manually and import them into the vLCM depot.
In the following screenshot, you will see some of the components that have been downloaded and made available in Lifecycle Manager:
There is also an option to create and use a shared Update Manager Download Service (UMDS) repository if desired. (The name "Update Manager" has been retained for now in this feature.) This involves installing optional software on a Windows or Linux server and creating a URL (Universal Resource Locator) shared path, which is then set as the download source for one or more of the patch types by browsing to "Settings", then selecting "Patch Setup" on the left:
To change the URL to a UMDS repository, click on "CHANGE DOWNLOAD SOURCE" at the upper right, and you will be presented with this dialog:
By default, automatic downloads occur daily at a specific time. You can modify the schedule, or disable automatic downloads, by selecting "Patch Downloads" on the left, then clicking "EDIT" on the right:
As you can see, you can tune the schedule to meet your needs, and you can have Lifecycle Manager send notification emails to one or more addresses when completed:
Personal Recommendation: In my experience, even when managing multiple vCenters (with direct Internet access), I have not chosen to use UMDS. The use cases for UMDS would likely be where the vCenters do not have Internet access, or if there were a large number of them to maintain. In the first case, the administrator would only need to have Internet access on the server hosting the UMDS, or if not, to manually download and populate that single repository. In the second case, the primary reason to use UMDS would be to minimize the number of vCenters downloading patches and the amount of storage used for a unique depot on each vCenter.
What are Lifecycle Manager Baselines?
A Baseline is one or more bulletins, patches or extensions, combined into a group that can be applied to one or more ESXi hosts to achieve a desired level of code compliance. You will most likely find yourself using a combination of Predefined and Custom Baselines in setting up your host compliance rules. Once a baseline is defined, it can be "attached" to a single ESXi host, a Cluster of hosts, a Datacenter defined in your vCenter, or the entire vCenter. Let's explore what this means and how it will make your job easier.
ESXi Host Remediation Using Baselines
In the following example, two Predefined baselines will be used to remediate a cluster containing three ESXi hosts. The cluster contains one running VM, which we do not want powered off during the remediation. The key to enabling Lifecycle Manager to manage this gracefully is to be certain that vSphere DRS (Distributed Resource Scheduler) is turned on, so any VMs can be moved from one host to another while running using vMotion, as shown here in the cluster Configuration settings:
[ Note: If you have not already done so, it would be wise to test vMotion between the hosts to verify that VMs continue running and that the network settings are consistent between all hosts. In addition to this, if the hosts are not exactly the same hardware, it is advised that EVC (Enhanced vMotion Compatibility) mode is enabled so that the CPU capabilities available to VMs are consistent between all hosts. ]
Next, click on the "Updates" tab at the top right. If you have not yet defined any custom baselines, you should still see that the Predefined Baselines that are configured with vCenter for "Host Security Patches" and "Critical Host Patches" are already attached, as shown in the screenshot below under "Attached Baselines". In addition to this, there is a Predefined "Non-Critical Host Patches" baseline that you can attach if desired.
Notice the clickable "CHECK COMPLIANCE" text at center right. Clicking this tells vCenter to analyze the hosts to see if they comply with the attached baselines. In our example you can see that they do not:
After checking for compliance, the next step is to run the "PRE-CHECK REMEDIATION", to identify any issues that may obstruct the remediation process. In our example, all is well, so we can proceed with remediation.
In the remediation step, we can select one or more, or all attached baselines to apply. Here we will select "All" by checking the top checkbox, then click "REMEDIATE". Note that since we are at the cluster level, the remediation will apply to all hosts in the current cluster, and those hosts only.
After clicking on "REMEDIATE", you will see the following dialog, which lists the hosts that will be remediated, plus some other information about the process. Several areas have been expanded to show details; you can also expand "Install 14 updates" to see what components will be installed. Note that you can also schedule the remediation to run at a later time instead of immediately.
Expanding the "Remediation settings" shows the following options. Most are self-explanatory:
Once you've clicked on "REMEDIATE", the dialog will disappear. If you want to follow its progress, you can browse to the task list under "Monitor" for the cluster:
As the remediation cycles through the hosts one at a time, you will see any VMs present vMotioned to another host, then the host go into Maintenance Mode and reboot if necessary. Once remediation has completed, the compliance check should show that the hosts now comply with the attached baselines.
Note that you can detach the Predefined Baselines if you so desire, but these are published regularly by VMware to address specific bugs and security vulnerabilities which are sometimes critical, so continuing to apply these on a timely basis is highly recommended. Lifecycle Manager provides a simple and expedient method to accomplish this without disruption.
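The compliance check from this section can also be run from the command line. The following is an added example, not part of the original article: a read-only PowerCLI audit (VMware.VumAutomation module) that confirms DRS is enabled, rescans the cluster, and lists each host and attached baseline that is not compliant. The vCenter and cluster names are placeholders.

```powershell
# Added example (not from the original article). Requires VMware PowerCLI
# with the VMware.VumAutomation module. Names below are placeholders.
$vcServer    = 'vcenter.example.local'   # placeholder vCenter FQDN
$clusterName = 'Cluster01'               # placeholder cluster name

Connect-VIServer -Server $vcServer | Out-Null
$cluster = Get-Cluster -Name $clusterName

# Rolling remediation relies on DRS to vMotion running VMs off each host
# before it enters Maintenance Mode.
if (-not $cluster.DrsEnabled) {
    Write-Warning "DRS is disabled on $clusterName; running VMs will not be evacuated automatically."
}

# Equivalent of "CHECK COMPLIANCE": rescan the hosts against attached baselines.
Test-Compliance -Entity $cluster

# Collect every host/baseline pair that is not reported as Compliant
# (NotCompliant, Unknown or Incompatible all need attention).
$report = Get-VMHost -Location $cluster | ForEach-Object {
    Get-Compliance -Entity $_ -Detailed
} | Where-Object { $_.Status -ne 'Compliant' } |
    Select-Object @{N = 'Host';     E = { $_.Entity.Name } },
                  @{N = 'Baseline'; E = { $_.Baseline.Name } },
                  Status,
                  @{N = 'MissingPatches'; E = { ($_.NotCompliantPatches | Measure-Object).Count } }

if ($report) {
    $report | Sort-Object Host, Baseline | Format-Table -AutoSize | Out-Host
} else {
    Write-Host "All hosts in $clusterName comply with their attached baselines."
}

Disconnect-VIServer -Server $vcServer -Confirm:$false
```

Because the script only scans and reports, it can be scheduled to flag hosts that have fallen behind on the security and critical patch baselines between remediation windows.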
What are Custom Baselines?
Custom baselines allow you to tailor your ESXi host code level, and add or update third party drivers and extensions. As mentioned earlier, there are several methods of adding these components to your Lifecycle Manager Depot. Next we will explore importing a third party software component update.
In this example, our hosts are using a Dell/EMC Unity 650F Fibre Channel (FC) storage array to provide the datastores. Without going into details about FC functionality, suffice it to say that the hosts have special adapter cards called "Host Bus Adapters" (HBAs) to connect to the FC "Fabrics" or networks. These provide fault tolerance by permitting multiple pathways from the host to the storage array. ESXi is bundled with drivers for these HBAs and has a native multipathing functionality, but the Dell/EMC software "PowerPath" can provide additional functionality that may be desired.
In order to install this software on our ESXi hosts, the most efficient method is to import the software as an update and define a custom baseline to attach to our hosts. After downloading the desired version of this software and extracting the ".zip" file for the actual update, we can import it into the Lifecycle Manager Depot by clicking on the "ACTIONS" dropdown menu and selecting "Import Updates":
You will be prompted to select the file to be imported. Lifecycle Manager will check the validity and integrity of the package before importing it. Once it has been imported, it will be found in the list of patches available to add to a new or existing baseline. Note: finding the patch you are looking for can be a bit of a challenge at first, but the search and filter functions in Lifecycle Manager are effective and fairly easy to use.
Creating a Custom Baseline – Start the new baseline wizard by selecting the "Baselines" tab, clicking on the "NEW" dropdown menu, and selecting "Baseline":
Give the Baseline a name and description, and select the correct content type. This software is considered to be a patch:
Skip the "Select Patches Automatically" section by unchecking the box next to "Automatically update…." and clicking "NEXT".
In the "Select Patches Manually" section, first slide the "on/off" button for "Show only rollup updates" to the left so it is turned off. Next, click on the small "funnel" icon next to "Name", to enter a name filter. Here, all that is needed is part of the patch name, in this case "Power". Because this ESXi host is running Version 7.0, we will select the last line which is the patch code for ESXi 7.0, by checking the box to the left of it, then clicking "NEXT":
Lifecycle Manager gives us a confirmation dialog before completion. If all looks correct, click "FINISH":
After clicking "FINISH", the Baselines list should now include our new custom baseline, as shown here:
Attaching Our New Custom Baseline – This part of the process is similar to the steps described earlier, when attaching the Predefined Baselines. In this case, we are only remediating a single host, so the host is selected and the "Updates" tab is shown. As before, click on "ATTACH" and select "Attach Baseline or Baseline Group":
Lifecycle Manager will now display the list of Baselines or Baseline Groups that are available:
Running remediation on this host with only this baseline checked will now install the PowerPath software on the host. The host will reboot if necessary.
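The custom baseline steps above, scripted with PowerCLI. This is an added example, not part of the original article; the server, host, and baseline names and the patch ID are placeholders or hypothetical values to replace with your own, and the update is assumed to have been imported into the depot already.

```powershell
# Added example (not from the original article). Requires VMware PowerCLI
# with the VMware.VumAutomation module. Values below are placeholders.
$vcServer     = 'vcenter.example.local'     # placeholder vCenter FQDN
$hostName     = 'esxi01.example.local'      # placeholder ESXi host
$baselineName = 'PowerPath for ESXi 7.0'    # hypothetical baseline name
$patchId      = '<PATCH-ID-FOR-ESXI-7.0>'   # placeholder: vendor ID of the ESXi 7.0 build

Connect-VIServer -Server $vcServer | Out-Null
$vmhost = Get-VMHost -Name $hostName

# Same search as the "Name" filter in the wizard; list the candidates for review.
$candidates = Get-Patch -TargetType Host -SearchPhrase 'Power'
$candidates | Select-Object Name, IdByVendor, Vendor, ReleaseDate |
    Format-Table -AutoSize | Out-Host

# Require exactly one match (the ESXi 7.0 build) so nothing unintended is installed.
$patch = @($candidates | Where-Object { $_.IdByVendor -eq $patchId })
if ($patch.Count -ne 1) {
    throw "Expected exactly one patch with ID $patchId, found $($patch.Count)."
}

# A static baseline holds manually selected patches (no automatic updates).
$baseline = New-PatchBaseline -Static -Name $baselineName -TargetType Host `
    -Description 'Dell/EMC PowerPath' -IncludePatch $patch

# Attach the baseline to the single host and check compliance against it.
Add-EntityBaseline -Entity $vmhost -Baseline $baseline
Test-Compliance -Entity $vmhost
Get-Compliance -Entity $vmhost -Baseline $baseline |
    Select-Object @{N = 'Host';     E = { $_.Entity.Name } },
                  @{N = 'Baseline'; E = { $_.Baseline.Name } },
                  Status | Out-Host

# Remediation may reboot the host, so it is opt-in here.
$remediate = $false
if ($remediate) {
    Update-Entity -Entity $vmhost -Baseline $baseline -Confirm:$false
}

Disconnect-VIServer -Server $vcServer -Confirm:$false
```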
What Else Can Lifecycle Manager Do?
Images: For "eligible" clusters, you can convert to using an ESXi image to manage all the hosts, instead of individual baselines. There are some eligibility requirements, so this may not be an available option or a more efficient method.
Host Firmware: Lifecycle Manager can also update the ESXi host firmware in image-managed clusters. This requires installation of a "hardware support manager" plug-in module, provided by the hardware vendor.
VM Upgrades: For Virtual Machines, Lifecycle Manager can upgrade VMware Tools and/or VM Hardware. It also can take snapshots of the VMs before upgrading, and provides options as to how long to keep the snapshots in case a rollback is needed.
VMware vSphere Lifecycle Manager has features that help keep ESXi host code levels and patches up to date and consistent in your environment. As with Update Manager in the past, you can choose to use it for simply deploying critical host patches, or use it to fully manage your ESXi host images, VMware Tools, and VM Hardware versions. These capabilities should not be overlooked; they are designed to make a busy vSphere administrator's job easier.