What methods are available for updating a non-Internet-connected VMware ESXi host?

I have a stand-alone installation of VMware vSphere Essentials, with a vCenter Server and 3 ESXi 4.0 host servers. The environment is intended to remain as a stand-alone network, with the exception that I can "float" a workstation or server between the 'Net and the VMware network for patches and maintenance.

With other installations, where the Internet is available, I've used the vSphere Host Update utility to connect to VMware and then apply the patches to the ESXi hosts.

My problem is that this utility does not seem to function if it cannot connect to both VMware and the ESXi host at the same time, as the scan for patches function will not scan the server without connecting to VMware's site to sync its repository first. Even if I sync it, disconnect from the 'Net and connect to the VMware network, it still won't scan hosts for required patches -- it will prompt for syncing with VMware and if you click No to syncing, the scan does not occur.

Does anyone know of other options for updating the ESXi hosts in some automated fashion? I believe I can manually pull down required patches and apply them, but this will not scale well, and in the future I'm sure I'll want something a bit more scalable.


This VMware communities guide for patching offline ESX Servers should do the trick.

In short:

From the Update Manager program folder initiate the download to sync up a repository on an internet connected system with UMDS.

vmware-umds -D

Wait until it's completed then export:

vmware-umds -E --dest *Path-To-Export-Repository* -s 2010-01-01T00:00:00 -t 2010-03-15T23:59:59

Adjust the dates to suit your needs then copy the repository using whatever media you like to your isolated environment.

In the Update Manager program folder on the machine within the isolated network execute the following:

vmware-updateDownloadCli.exe --update-path *Path-to-copy-of-export-Repository* --config-import windows esx --vc-user *VCenterUserAccount*

If you install VCUM onto the VC box, it creates an update repository postbox directory; you can manually copy updates/patches etc. into that. Not sure if you need to restart VCUM for it to recognise the new files, but either way it will add them to the catalogue for you to add to a baseline and remediate to your heart's content.


On servers with no Internet access, updates can be done:

  • by booting from the newer installation media (CD/DVD/USB) and updating instead of doing a clean install.
  • by obtaining, uploading and applying the .vib to the host from the http(s)://HOST/ui/ address, in the menu on top under HELP/UPDATE/"Enter the URL or datastore path of the VIB below" (an ESXi host path is accepted, as /vmfs/volumes/.../VMware_ESXi_X.X.vib)
  • from the CLI, with esxcli software vib install -v /vmfs/volumes/datastore1/.../VMware_ESXi_X.X.vib; or esxcli software vib update --depot=/vmfs/volumes/datastore1/.../ESXi###.202105001.zip
  • from Station PowerCLI, Get-VMHost ESXI-FQDN | Install-VMHostPatch -Hostpath "/vmfs/volumes/datastore1/.../ESXi###-202105001/metadata.zip".
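
The PowerCLI one-liner in the last answer, extended into a loop over several hosts, as an added example that is not part of any answer above. The vCenter name, host names and datastore path are placeholders, and it assumes the patch bundle has already been copied to a datastore each host can read and that the VMs on a host are shut down before it is patched.

```powershell
# Added example. All names and paths below are placeholders for your environment.
$vCenter   = 'vcenter.example.local'
$hostNames = 'esx01.example.local', 'esx02.example.local', 'esx03.example.local'
$hostPath  = '/vmfs/volumes/datastore1/patches/metadata.zip'   # bundle already on the datastore

Connect-VIServer -Server $vCenter | Out-Null

foreach ($name in $hostNames) {
    $vmHost = Get-VMHost -Name $name

    # Without vMotion, running VMs block maintenance mode: skip the host instead of hanging.
    $running = Get-VM -Location $vmHost | Where-Object { $_.PowerState -eq 'PoweredOn' }
    if ($running) {
        Write-Warning "$name skipped, powered-on VMs: $($running.Name -join ', ')"
        continue
    }

    Set-VMHost -VMHost $vmHost -State Maintenance | Out-Null
    $patches = Install-VMHostPatch -VMHost $vmHost -HostPath $hostPath

    if ($patches | Where-Object { $_.NeedsRestart }) {
        Restart-VMHost -VMHost $vmHost -Confirm:$false | Out-Null

        # Wait for the host to drop off, then to return in maintenance mode (20 min budget).
        $deadline = (Get-Date).AddMinutes(20)
        do { Start-Sleep -Seconds 15 }
        while ((Get-VMHost -Name $name).ConnectionState -ne 'NotResponding' -and (Get-Date) -lt $deadline)
        do { Start-Sleep -Seconds 15 }
        while ((Get-VMHost -Name $name).ConnectionState -ne 'Maintenance' -and (Get-Date) -lt $deadline)
    }

    # Only return the host to service if it came back in the expected state.
    $vmHost = Get-VMHost -Name $name
    if ($vmHost.ConnectionState -ne 'Maintenance') {
        Write-Warning "$name is in state $($vmHost.ConnectionState); left as-is for manual review"
        continue
    }
    Set-VMHost -VMHost $vmHost -State Connected | Out-Null

    # Report the resulting version and build so the patch level can be confirmed per host.
    Get-VMHost -Name $name | Select-Object Name, Version, Build, ConnectionState
}
```

Hosts are patched one at a time, so a bundle that fails on the first host stops there and never reaches the others.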