Patching ESXi Without Reboot – ESXi Live Patch – Yes, since ESXi 8.0 U3

Well, not quite likely, but yes, VMware is developing a system that it called ESXi Live Patching. What is it? Its basically a way to patch the ESXi and install critical fixes and security patches to the ESXi host without having to reboot the host. Remember that vSphere has already offers some other speed-ups when it comes to patching. The ESXi Live Patch feature is available in the latest version of vSphere and ESXi 8.0 U3 (Both vCenter and ESXi has to be on v8.0U3).

ESXi Live Patch isn't the first technology that VMware brings to the table when it comes to acceleration of patching. Things like Quick Boot (been here since v 6.7) for rebooting the hypervisor without restarting the entire ESXi host, as well as Suspend to Memory in Lifecycle Manager were here before. The Suspend to Memory function allow pause a VM while maintaining its state in RAM (came in v7 i believe).

ESXi Live Patch config is visible as a check box in Lifecycle Manager > Cluster Lifecycle > Images > Edit

When enabled, cluster remediation will proceed only using Live Patch. If any hosts are not eligible for Live Patching, then remediation will stop and all hosts will be skipped.

ESXi Live Patching – What is it?

Quote from VMware:

Live Patch allows vSphere clusters to be patched without migrating workloads off the target hosts and without the hosts needing to enter full maintenance mode. The patch is applied live while workloads continue to run.

This sounds nice, but, for now only the patches for VM execution component of ESXi are available. The patches “touching” the ESXi kernel are not initially supported for Live Patch. So to install those patches you'll still have to patch as you normally do – with maintenance mode and VM evacuation off the host.

ESXi Live Patching – the requirements

• vCenter 8.0U3 and ESXi 8.0U3 too
• The Enforce Live Patch setting must be enabled in the global vSphere Lifecycle Manager remediation settings or at the cluster remediation settings.
• DRS must be enabled with fully automated mode.

ESXi Live Patching – How it works?

Quote:

• ESXi host enters partial maintenance mode. Partial maintenance mode is an automatic state that each host will enter. This special state allows existing VMs to continue to run but disallows the creation of new VMs on the host or for VMs to be migrated to or from the host.
• A new revision of the target patch components is mounted in parallel to the current version
• The new mount revision files and processes are patched
• Virtual machines undergo a fast-suspend-resume to consume the patched revision

Example on how it looks like from VMware blog post.

So what happens to VMs during Live Patching – Fast suspend and resume!

Fast suspend and resume is already used in your environment without perhaps even knowing. In fact, when adding or removing virtual hardware devices to powered-on virtual machines, you are using the Fast Suspend and Resume (FSR) technology.

However, some VMs are not compatible with FSR:

• VMs configured with vSphere Fault Tolerance (FT)
• VMs using Direct Path I/O
• vSphere Pods

Also, OSs with TPM, or with DPUs using vSphere Distributed Services Engine are NOT compatible so cannot be used for FSR.

In all those above cases you cannot use FSR and need to be manually remediated. Manual remediation can either be done by migrating the virtual machine or by power cycling the virtual machine.

Links:

• VMware Live Patch blog post (technical)
• Marketing blog post is here.

Final Words

VMware/Broadcom is continuing to improve the ESXi and vSphere as a technology. ESXi Live Patching is a powerful tool that offers significant benefits in terms of minimizing downtime and enhancing system reliability. However, it is essential to be aware of its limitations and ensure that proper testing and verification are conducted before applying patches. By understanding both the benefits and limitations, administrators can make informed decisions and effectively manage their IT infrastructure.

More posts from ESX Virtualization:

• Update ESXi Host to the latest ESXi 8.0U3b without vCenter
• Upgrade your VMware VCSA to the latest VCSA 8 U3b – latest security patches and bug fixes
• VMware vSphere 8.0 U2 Released – ESXi 8.0 U2 and VCSA 8.0 U2 How to update
• What’s the purpose of those 17 virtual hard disks within VMware vCenter Server Appliance (VCSA) 8.0?
• VMware vSphere 8 Update 2 New Upgrade Process for vCenter Server details
• VMware vSAN 8 Update 2 with many enhancements announced during VMware Explore
• What’s New in VMware Virtual Hardware v21 and vSphere 8 Update 2?
• Homelab v 8.0 
  • NXJ6412 Maxtang EHL30 TPM Alert in vCenter Server 8.0 BIOS Config
  • vSphere 8 Lab with Cohesity and VMware vExpert gift – Maxtang’s NX 6412 NUC
  • VMware Cohesity vExpert Gift VMware EXPLORE 2022 Barcelona
• vSphere 8.0 Page
• Veeam Bare Metal Recovery Without using USB Stick (TIP)
• ESXi 7.x to 8.x upgrade scenarios
• A really FREE VPN that doesn’t suck
• Patch your ESXi 7.x again
• VMware vCenter Server 7.03 U3g – Download and patch
• Upgrade VMware ESXi to 7.0 U3 via command line
• VMware vCenter Server 7.0 U3e released – another maintenance release fixing vSphere with Tanzu
• What is The Difference between VMware vSphere, ESXi and vCenter
• How to Configure VMware High Availability (HA) Cluster

Stay tuned through RSS, and social media channels (Twitter, FB, YouTube)