Virtualisation 101 – VMware Update Manager (VUM)

What Is It?

Update Manager is VMware’s patching product, and is used for updating ESX/ESXi hosts, virtual appliances and guest machines. It is a companion product to vCenter and is installed via the vCenter Installer. In smaller deployments VUM would be installed on the vCenter server, but in larger environments it could be run on a dedicated server.

The application can run scheduled downloads of patches from VMware and Shavlik (for Microsoft updates) and store them in a local repository. Patches can also be imported from ZIP files, or via an intermediary machine running Update Manager Download Service (UMDS).

Management of VUM is done via a vSphere Client plugin, which adds an extra icon in the Solutions section, and an Update Manager tab to each vSphere object.   Patching is done in 3 steps :-

  1. Baselines are created to set the types of patches to apply, which are then attached to objects within the hierarchy: datacentre, cluster, resource pool, folder, vApp or an individual host or guest. Multiple baselines can also be aggregated into a baseline group.
  2. A scan of the attached object compares the ESX/ESXi hosts, Windows or RedHat Linux guests against the baseline profile to report which are compliant or which have patches that need to be applied.
  3. Finally you remediate the ESX/ESXi host or Windows guests to apply missing patches. VUM automatically places hosts into Maintenance Mode (providing DRS is set to Automatic) before patching begins to avoid any outages, and can apply snapshots to virtual machines before patching, retaining them for a predetermined period of time afterwards, providing a handy rollback option.
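
The three steps above can also be scripted, which is handy for producing a patch-compliance report on a schedule. The following is an added example, not part of the original article: it assumes VMware PowerCLI with the Update Manager cmdlets is installed (the article itself only covers the vSphere Client plugin), and the vCenter, cluster and baseline names are constructed placeholders.

```powershell
# Added example. Cmdlet names are those of the Update Manager PowerCLI of the
# vSphere 4.x era; later PowerCLI releases rename several of them.
$vCenter      = 'vcenter.example.local'   # placeholder
$clusterName  = 'Prod-Cluster-01'         # placeholder
$baselineName = 'Critical Host Patches'   # placeholder baseline name
$remediate    = $false                    # report-only unless set to $true

Connect-VIServer -Server $vCenter | Out-Null
try {
    $cluster  = Get-Cluster  -Name $clusterName  -ErrorAction Stop
    $baseline = Get-Baseline -Name $baselineName -ErrorAction Stop

    # Step 1: attach the baseline to the cluster; its hosts inherit it.
    Attach-Baseline -Baseline $baseline -Entity $cluster

    # Step 2: scan, then read back the compliance state against that baseline.
    Scan-Inventory -Entity $cluster
    $results = @(Get-Compliance -Entity $cluster -Baseline $baseline)

    $results | Sort-Object Status | Format-Table -AutoSize `
        @{ Name = 'Entity';   Expression = { $_.Entity.Name } },
        @{ Name = 'Baseline'; Expression = { $_.Baseline.Name } },
        Status

    # Treat anything other than Compliant as an open finding. Unknown usually
    # means the scan did not complete for that entity, so it is not a pass.
    $open = @($results | Where-Object { $_.Status -ne 'Compliant' })
    Write-Output ("{0} of {1} entities are not confirmed compliant" -f $open.Count, $results.Count)

    # Step 3: remediate only entities with missing patches, and only on request.
    if ($remediate) {
        foreach ($r in $results | Where-Object { $_.Status -eq 'NotCompliant' }) {
            # -Confirm prompts per host before it enters Maintenance Mode.
            Remediate-Inventory -Entity $r.Entity -Baseline $baseline -Confirm
        }
    }
}
finally {
    Disconnect-VIServer -Server $vCenter -Confirm:$false
}
```

Run it report-only first and review the table before setting `$remediate` to `$true`.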

VUM installs a Guest Agent on Windows or RedHat virtual machines at the first scan or remediation to facilitate patching.   Please note that — as of v4.1 — VUM cannot scan non-RedHat distributions of Linux, nor can it remediate any Linux guests with OS patches, only applying updates for VM Hardware and VMTools.  

Windows guests from XP or above can have OS patches installed — even up to full Service Packs — while online or offline.  VUM can also upgrade their VM Hardware level and VMTools.

What Do I Need to Deploy It?

The good news is that you don’t need a great deal to deploy the latest version of VUM :-

  • A 64-bit virtual or physical Windows server (XP, 2003 or 2008) with at least 2Gb of RAM (if dedicated to VUM) – if running alongside vCenter you’ll want at least 4Gb of RAM.
  • A database for holding the application metadata – this could be a local SQL 2005 Express database for smaller implementations (bundled with it), or a local or remote MS SQL Server 2005/2008 or Oracle 10g/11g. The database size can be determined with the Update Manager Sizing Estimator (see link below).
  • Disk space for the patch repository. The amount of space required will vary depending on what is to be patched. Again the sizing estimator can gauge disk space requirements, but as an indication the install will warn if less than 20Gb is free on the chosen volume.
  • Network connectivity and firewall access for the application to communicate properly with the vCenter server, database server, ESX/ESXi hosts and the Internet. For full details of ports used see KB article 1004543 (link below).

Should I Use VUM Instead Of Microsoft WSUS?

In theory VUM’s patching technology is sound – Shavlik has been around since 1993 – and does the job well.  However, many companies choose to stick with WSUS as the infrastructure is already in place and works, or because Windows admins feel safer staying “in-house”.  

OS patching aside, VUM is still useful for upgrading VM Hardware and VMTools on Windows guests.

How Much Does It Cost?

VUM is covered by any level of vSphere licensing, so the only implementation costs apart from time and effort are potentially OS or database licenses. 

Where Do I Go From Here?

VUM Documentation Page:

The official Install & Admin Guide:

VUM Sizing Estimator: …/doc/vsp_vum_40_sizing_estimator.xls

Network Ports Required:

Video of VUM in action: