There are many situations where your VMware vCenter Server Appliance (VCSA) cannot be updated via the Internet directly. In some cases, your VCSA simply does not have direct access to the internet for security reasons or due to your company security policy. In those cases, VMware has two other methods which you can use to update or patch your VCSA to the latest version. In this post, we'll detail the upgrade of VCSA via Patch ISO.
This method can also be useful when your internet connection on-site isn't really reliable as often those patches weigh several gigs of data. So instead of trying to patch over and over while your connection isn't reliable you better download the files from a high-speed fiber or broadband and then go on-site to perform the upgrade.
Recent hacks of Apache log4j java library that affected many products, including those from VMware, had many software vendors react and release security patches and upgrades. Apache Log4j, a Java library for logging error messages in applications. This vulnerability is the most high-profile security vulnerability on the internet right now as it impacts many different platforms that run Java.
But let's get to our VCSA offline upgrade. There are two scenarios that VMware provides for offline patching of VCSA:
- You set up a web server that will serve the upgrade files from a local network – we have a detailed post on it here – How to patch VMware vCenter Server Appliance (VCSA) from Offline Depot ZIP file. This method is very simple and is using an Offline ZIP file that is available within the same location where you download your latest VCSA installation file from within your My VMware account.
- You upload the ISO patch file to a datastore (VMware-vCenter-Server-Appliance-7.0.3.00300-19234570-patch-FP.iso) and then mount the ISO to the VCSA virtual machine (VM). We'll show you the detailed procedure in this post. This file is available via VMware Patch Portal.
How to upgrade VMware VCSA 7 Offline via patch ISO – The steps:
Step 1: Go to the VMware Patch Portal > from the drop-down menu select VC > click Search.
Then pick the latest ISO file…
Once you have that file on your hard drive, you can put it on your laptop or USB drive and depending of the use case, to use it to upgrade your VCSA. We can imagine that USB drive attached to a laptop would fit most scenarios as you can also use that method and go and carry on the USB from datacenter to datacenter (if those are secured and isolated).
Step 2: Upload the file to a datastore visible by an ESXi host that runs the VCSA. In my case I have a local datastore on that particular host. You can connect via ESXi host client directly to your ESXi and browse the available datastore to upload the iso there.
So far so good.
Step 3: Go and connect to your vSphere web client (or you can do it also from ESXi host client if you want to) and go to Edit Settings > CD/DVD drive and select Datastore ISO file from the drop-down menu.
You'll pick the ISO file you have just uploaded to the datastore.
Step 4 – Go and connect to your VCA VAMI user interface via https://ip_of_vcsa:5480. You'll need to know your root password. Then go to Update > Check CD ROM. You should see the available updates which are now mounted via CD ROM of the VM.
Step 4 – create a Snapshot or backup in any other way your VCSA. As with any patches or upgrades, it's highly recommended to create a backup or snapshot. In my case I simply created a snapshot of my VCSA and in case anything goes wrong, I can go back to the state where I was before problems occurs (if any). If not after sucessfull upgrade I simply delete the snapshot which I won't need anymore. This is the best use case for snapshots, btw….
Step 5 – proceed with the upgrade. Accept the EULA and click Next.
Click finish while checking the “I have backed up vCenter Server and its associated databases”. (You see?)
You can see the estimate is about 28 min so you have time….
The downloads of the individual RPMs are quite fast, to be honest. It's way faster than on a bad connection internet indeed…..
Well this is about it.
You can also do the patching via CLI when connection to the VCSA.
Log in to the appliance shell as a user with super administrative privileges (for example, root) and run the following commands:
To stage the ISO:
software-packages stage –iso
To see the staged content:
software-packages list –staged
To install the staged rpms:
software-packages install –staged
As I said, when everything works after upgrade and reboot, just delete your snapshot (don't forget) as snapshots are affecting performance and consume a big amount of disk space on your datastores.
This second method is a bit different than the method where you setting up a web server locally and seeding the update from the web server that can be set on your laptop for example. Like this you don't have to spend more time to upload the ISO file to the datastore. However, In some cases, you might doing the way I described today. It all depends on a situation and knowledge. Someone who does not want to spend time setting up and configuring web server (now VCSA needs https acces to the installation/patch sources) might prefer the ISO method.
Today's method is also used for patching ESXi as from the same patch portal you can also download the latest ISO patch file for your ESXi hypevisor.
With all the vulnerabilities, ransomware, hacks and exploits, it seems that the IT overall is more and more shifting to security. What was secure last year, this year is not. At the same time, more and more vulnerabilities are discovered every day.
VMware Software – vSphere Direct download/buy links:
- VMware vSphere 7.0 Essentials PLUS
- VMware vSphere 7.0 Essentials
- VMware vSphere 7.0 Enterprise PLUS
- vSphere Essentials Per Incident Support
- Upgrade to vSphere Enterprise Plus
- VMware Current Promotions
More posts from ESX Virtualization:
- vSphere 7.0 U3C Released
- Upgrade VMware ESXi to 7.0 U3 via command line
- vSphere 7.0 Download Now Available
- vSphere 7.0 Page [All details about vSphere and related products here]
- VMware vSphere 7.0 Announced – vCenter Server Details
- VMware vSphere 7.0 DRS Improvements – What's New
- How to Patch vCenter Server Appliance (VCSA) – [Guide]
- What is The Difference between VMware vSphere, ESXi and vCenter
- How to Configure VMware High Availability (HA) Cluster
Stay tuned through RSS, and social media channels (Twitter, FB, YouTube)
Trent Davis says
What are the pro’s/con’s of this method vs grabbing the full U3c ISO from the Download portal and uploading manually to VAMI? I’m guessing there are just many ways to accomplish the same task of upgrading, but are there benefits or shortcomings to some?
Vladan SEGET says
As being said. This method is for offline systems or systems with poor internet connection.
Vladan SEGET says
Ah, ok, I see. The first method (via the ZIP file) needs you to setup a web server and put the uncompressed files onto the web server. Then you run the update….
Isn’t this used to update update the VCSA instead of upgrade. Where in Upgrade we use ISO mount & follow 2 stage process.
In this case we download offline patch for small update such as for 7.0U2 to 7.0U3.
Please correct me if i am wrong..
Vladan SEGET says
Not sure I follow. 7U3c is an upgrade patch ISO. Not a small one, if you see what I mean. It’s not an upgrade ISO in the sense of upgrading your 6.X version, if THATs what you mean… Got you.
currently i am on 7.0.2.0500 on my Vcenter and all my Esx is running on miror SD CARDS is upgrading to 7.0.3U versions will mess with my SD CARDS installations?
Vladan SEGET says
Maybe. I’d get a pair of small SSDs and do a RAID1 on each host.