Patching questions… to VUM or not to VUM?

  • 11 February 2017
  • 8 replies

Badge +3
Still pretty new to the Nutanix platform… I have not moved any production workloads to our new vSphere / Nutanix environment as of yet. Basically, just finished up AD connection of vCenter, (VCSA). I am running ESXi 6.0 U2 and have installed an instance of VUM to run against the vCenter. With a Critical and Non-Critical patch scan, the 3 ESXi hosts each have 14 patches pending. Normally, I would just go ahead and patch those hosts with VUM. However, I wanted to see if there was a different method I should be using with Prism, or if there is a compatibility matrix for patches that I should consult before proceeding. I know verion upgrades can be acheived easily with Prism, but not sure about patches and the process around that.

Here is my list of pending patches:


Best answer by bezeddin 14 February 2017, 04:41

bc0nl33 for these patch you can utilize VUM or manual patching as well but not via Prism
as far as I know the patches is always compatible
View original

8 replies

Userlevel 2
Badge +13

You can install vmware updates on the ESXi hosts...

Unfortunately the VUM is not suitable for these updates, because a server won't be able to enter Maintenance mode, due to a running Controller VM.

Hopefully, installation of VMWare patches will be available in Prism soon.

A manual install is available right now. Be careful during an update... Always check the cluster status, before shutting down a Controller VM.
Userlevel 4
Badge +17
bc0nl33 for these patch you can utilize VUM or manual patching as well but not via Prism
as far as I know the patches is always compatible
Badge +3
Thanks bezeddin -

I did just successfully patch via VUM by evacuating VMs from hosts one by one, then shutting down CVM, going into maint mode and installing. After successful patch install, host reboots and started CVM back up. Rolled onto the remaining hosts and encountered no issues.
Userlevel 7
Badge +30
FYI, you can apply these patches through Prism and have Prism manage all of the orchestration

VUM makes people think they have more patches due than they actually have.

VUM gives you the ability to update individual modules, which customers rarely do. Generally, they apply the outstanding patches all in one group, which actually rolls up to a minor patch.

Meaning, its best to just apply a single patch, rather than the components of the patch separately.

Patches can be downloaded here:

Download the Zip and patch it up with Prism.
Badge +5
That's how I do updates, also. Just make sure you do one host at a time (shutting down the CVM on each) and it works great.
Badge +1
Hi Jon, I have a follow up question on this.
I am new to the Nutanix world and I am preparing to upgrade our ESXi hypervisor.The latest version on the Nutanix portal is 6.0.0-u2-4192238-Dell-A03.json, but we need to remidiate CVE-2017-4903/4/5 if possible which there is a specific ESXi patch for that's not 'approved' yet (KB2149673)
Are you saying that we are ok to update with a recognised dell / vmware patch using the prism upgrade binary rather than waiting for an approved nutanix patch? Or would I be violating a support agreement?
Badge +1
From what I understood speaking to a solution Engineer at Nutanix is you can roll out patches using VUM even if they are not in the approved list.
He said "Nutanix would never say they are not going to support you but risk is up to the customer if something breaks".
Badge +1
Be careful if you're updating via VUM. If you update to a minor revision level, that's not supported by the automated prism update process, you might preclude future automated updates. The automated update mechanism is pretty sweet. If you're not comfortable with the process, open a support case. Pretty smooth stuff.