Architecting a vSphere Compute Platform : Designing Host Security for Multitenanted Clouds : 10.10 Compute Component Patching
   
10.10 Compute Component Patching
Maintaining an up-to-date IT infrastructure is critical for the health, performance, and security of the entire environment, and host and vSphere component patching constitutes one part of this task. Patching is a demanding undertaking for operational teams, but if it is not performed dependably and routinely it puts the entire platform at risk.
Scheduled and emergency patches must be verified to address security vulnerabilities as well as to preserve stability and performance. As with other systems, vSphere components must be maintained, and devices patched and updated, in line with the service provider's internal policies and customer SLAs.
The patch and update process must include the following practices:
Documentation on the version of each hardware and software component within the environment.
Documentation on risk acceptances for patches delayed or not installed in a timely manner.
Research done to mitigate or to reduce the risk when patches cannot be installed.
Following change management procedures to provide appropriate documentation and internal approvals.
Establishing regular patch cycles for high and for low priority patches (for example, weekly and monthly).
Establishing and testing of processes for emergency out-of-cycle patching.
Ensuring that virtual machines are re-patched if restored from a snapshot taken before a scheduled patch date, because reverting to the snapshot also reverts any patches applied to the guest after it was taken.
VMware vSphere Update Manager™ does not support the patching of vCenter Server or the Platform Services Controller. Administrators must therefore routinely check for new vCenter Server and vSphere management component updates, evaluate them, and install them in a timely fashion following their release and proper internal testing.
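The following PowerCLI script is an added example, not part of the original document or of any VMware tooling, that supports three of the practices above: it records the vCenter Server version and build (which Update Manager does not maintain), inventories the version and build of every ESXi host against a minimum approved build, and lists snapshots created before the last patch cycle so that the VMs they belong to are flagged for re-patching if reverted. The vCenter address, the last patch-cycle date and the minimum approved build are placeholders to be replaced with the provider's own values.

```powershell
# Added example (not from the original document): PowerCLI report supporting the
# version inventory, vCenter update check and snapshot re-patch practices.
# Assumptions: VMware PowerCLI is installed, the account has read access to vCenter
# Server, and the three parameter defaults below are placeholders.
param(
    [string]  $VCenter          = 'vcenter.example.local',       # placeholder
    [datetime]$LastPatchDate    = (Get-Date '2017-01-15'),       # placeholder: last patch cycle
    [int]     $MinimumHostBuild = 4564106                        # placeholder: approved ESXi build
)

# PowerCLI 6.5 and later ships as modules; older releases use
# Add-PSSnapin VMware.VimAutomation.Core instead.
Import-Module VMware.VimAutomation.Core
$vc = Connect-VIServer -Server $VCenter

# vCenter Server is not patched by Update Manager, so its version and build are
# recorded explicitly as part of the component inventory.
[pscustomobject]@{
    Component = 'vCenter Server'
    Name      = $vc.Name
    Version   = $vc.Version
    Build     = $vc.Build
} | Format-Table -AutoSize

# ESXi host inventory: version and build per host, with hosts below the
# approved build flagged so drift is visible at a glance.
Get-VMHost |
    Select-Object Name, Manufacturer, Model, Version, Build,
        @{ N = 'BelowApprovedBuild'; E = { [int]$_.Build -lt $MinimumHostBuild } } |
    Sort-Object Build |
    Format-Table -AutoSize

# Snapshots taken before the last patch cycle: reverting to any of these rolls
# the guest back to a pre-patch state, so the VM must be re-patched after such a
# revert (or the snapshot retired as part of the change).
Get-VM | Get-Snapshot |
    Where-Object { $_.Created -lt $LastPatchDate } |
    Select-Object @{ N = 'VM'; E = { $_.VM.Name } }, Name, Created,
        @{ N = 'SizeGB'; E = { [math]::Round($_.SizeGB, 2) } } |
    Sort-Object Created |
    Format-Table -AutoSize

Disconnect-VIServer -Server $vc -Confirm:$false
```

Run the script from a PowerCLI session after each patch cycle and keep the output with the change record; the vCenter and host tables satisfy the component version documentation requirement, and the snapshot table gives the operations team the list of VMs that must be re-patched if any of those snapshots is reverted.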
Further guidance with reference to the implementation of vSphere Update Manager is provided in Section 11, Host Management.