ESXi vCloud patching script.
Table of Contents
Synopsis
To ensure compliance and reduce vulnerability vectors we need to frequently update our ESXi hypervisors. If you setup your configuration with SDDC then that process is simple. However, as soon as vCloud is utilized the environment it causes some additional steps to be taken. In order to ‘properly’ patch a hypervisor within vCloud you should disable the host and then redistribute VMs. If ignored then this can cause problems, while on newer versions of vCloud this is handled rather gracefully, on older versions of vCloud that is not the case. In order to ensure that proper patching process is done I opted to write a script that did all of the proper steps with the hypervisor in all services.
Caveats
A few items to keep in mind when using this script.
- A recent version of PowerCLI installed.
- The user account provided has admin access within both vCloud and vCenter.
- Highly suggested you create a single baseline with all of the patches needed.
- If you use a domain account and have to provide “Domain" or “user@domain.com” when signing in then you will want to specify that in the $user section.
How to use it.
This script utilizes PowerCLI, simply copy/paste and save it to a .ps1 file. You will need to edit the entries to match your requirements. The script includes descriptions as to what each item is. After saved launch PowerCLI, either 32bit or 64bit will work. Once done navigate to the directory you saved the script to and execute the script with
.\ScriptName.ps1
#Script
$user = "" #The account with admin rights in both vCloud and vCenter.
$password = "" #Your password for account specified above.
$vCenterHost = "" #The hypervisor we are going to patch.
$vCloudServer = "" #The vCloud Director URL the hypervisor is located in.
$vCenterServer = "" #The vCenter server URL the hypervisor is located in.
$baseline = "" #The baseline we are going to apply to the hypervisor.
# Depending on your LDAP settings you might have to put your domain before the user variable.
Connect-CIServer -Server $vCloudServer -User $user -Password $password
Connect-VIServer -Server $vCenterServer -User $user -Password $password
# Set-PowerCLIConfiguration -Scope Session -WebOperationTimeoutSeconds 7200
# Run the above command if you keep on getting timeouts while trying to apply patches.
$ESXiHosts = Search-cloud -QueryType Host -Name $vCenterHost
foreach ($ESXiHost in $ESXiHosts) {
$CloudHost = Get-CIView -SearchResult $ESXiHost
Write-Host "Host" $CloudHost.Name
Write-Host "Disabling host" $CloudHost.Name "in VCD"
$CloudHost.Disable()
Write-Host "Putting host" $CloudHost.Name "into maintenance mode"
Set-VMHost $CloudHost.Name -State Maintenance -Evacuate | Out-Null
Write-host "Attaching $baseline to host" $CloudHost.Name "for patching"
Add-EntityBaseline -Entity $vCenterHost -Baseline (Get-Baseline -Name "$baseline")
Write-host "Applying $baseline to host" $CloudHost.Name
Get-PatchBaseline -Name "$baseline" | Update-Entity -Entity $vCenterHost -Confirm:$false -Verbose
Write-Host "Putting host" $CloudHost.Name "back into rotation in vCenter"
Set-VMHost $CloudHost.Name -State Connected | Out-Null
Write-host "Removing $baseline to host" $CloudHost.Name "for patching"
Remove-EntityBaseline -Entity $vCenterHost -Baseline (Get-Baseline -Name "$baseline")
Write-Host "Enabling host" $CloudHost.Name "in VCD"
$CloudHost.Enable()
Write-Host "This host" $CloudHost.Name "is now updated."
}