Xtravirt — VMware UMDS – Securing vSphere Patching

1.5M ratings
277k ratings

See, that’s what the app is perfect for.

Sounds perfect Wahhhh, I don’t wanna

VMware UMDS – Securing vSphere Patching

by Curtis Brown

In a time where security is top of mind, patch management for both the health and security of a VMware vSphere® estate has never been more important.

VMware vSphere® Update Manager™ is an essential, but often under-appreciated part of VMware vSphere. However, punching VMware vCenter® straight out to the internet may not be an attractive option for several reasons, most notably security, but also scaling. If you have a large estate with many vCenter servers and Update Managers, do you want all of them pulling down updates straight from VMware?

VMware Update Manager Download Service is a software solution that provides the means to place an intervening server between Update Manager (or multiple Update Manager installations) and the internet.  It can be used as a host for updates itself, or it can be configured to publish the updates on an upstream web server.

Previous releases only supported Windows, however, we can now deploy a Linux derivative, permitting a more solid appliance to be constructed.  The guidance in this article is a combination of VMware’s documentation, guidance from noted VMware blogger William Lam and my own testing.

 Installation of UMDS on Linux

The first step is to prepare a Linux server.  For this deployment, Ubuntu 14.04 was used.  Ideally, this should be provided with a static IP address for ease of use. I tested a multi-homed configuration with an external and internal connection which worked fine.

The next step is to prepare the VM for UMDS and then install it.

Install the following pre-requisite components for Linux:

  • perl

  • tar

  • sed

  • psmisc

  • unixodbc

  • postgresql

  • postgresql-contrib

  • odbc-postgresql

William Lam has a really elegant script that automates this: (http://www.virtuallyghetto.com/2016/11/automating-the-installation-of-vum-update-manager-download-service-umds-for-linux-in-vsphere-6-5.html)

Once these are in place, it creates a PostGreSQL database and sets up a local ODBC connection to it, including establishing authentication to allow UMDS to access the database.  The script creates an answer file to configure the UMDS installation prior to installing it. This is explained very well in William’s blog post referenced above.

At this point we have a UMDS server up and running, which can be confirmed by running:

/usr/local/vmware-umds/bin/vmware-umds -vimage

Configuration of UMDS

Once UMDS is in place, it needs to be configured.  The commands are identical to the Windows release of UMDS.

Existing configuration can be checked by running the following command:

/usr/local/vmware-umds/bin/vmware-umds -G

This will show the following:

·        Configured URLs – where UMDS is configured to pull patches down from.  We can add vendor URLs to this, but the default VMware depots are listed.

·        Patch Store location – where UMDS will download files to.  The default is /var/lib/vmware-umds.

·        Export Store Location – we can specify a remote location where UMDS can export patches to – we won’t be using this here, but vmware-umds -o [ –default-export-store] (path) can configure this.

·        Proxy Server – where needed, proxy server values can be configured using vmware-umds -p.

·        Patch Content – we can select whether to enable Host and Virtual Appliance patching and define which Host Releases we wish to support.

Let’s go through some of these, firstly deciding what content to download.

Selecting whether to enable Host or VA support is simple – we run vmware-umds with the -S option.  For example, the following will prevent download of VA patches but enable Host patches:

/usr/local/vmware-umds/bin/vmware-umds -S –enable-host –disable-va

For Host patches, we can refine which releases we wish to support.  Again, this uses the -S switch.  The example below disables ESX 5.0 patching.  To enable a release, substitute -d for a -e:

/usr/local/vmware-umds/bin/vmware-umds -S -e embeddedEsx5.0.0-INTL

Next, we might want to add third party download sources for vendor-specific patches.  Obviously, you’ll need the URL for their repository. Use –remove to remove a URL.  

/usr/local/vmware-umds/bin/vmware-umds -S –add-url https://host_URL/index.xml –url-type HOST

To select where to download to, we use:

/usr/local/vmware-umds/bin/vmware-umds -S –patch-store your_new_patchstore_folder

The default in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager while the default location in 64-bit Linux is /usr/local/vmware-umds.

Running the -G command again gives us the following: image

In our example, we’ve left the default configuration for the URLs and patch store, but have restricted ourselves to just ESXi 6.5 host patches.

Once all this is set as required, we need to download the patches from VMware.  The command for this is straight forward:

/usr/local/vmware-umds/bin/vmware-umds -D

This can be set up as a scheduled task in Linux by configuring crontab.  If we need to, we can re-download patches using -R and specifying a date range as per the following example.

/vmware-umds -R –start-time 2010-11-01T00:00:00 –end-time 2010-11-30T23:59:59

At this point we have a populated UMDS server. A simple listing of our UMDS patch store shows our content: image

We then need to either export the content to an upstream location or host it on our UMDS server for collection by the VMware Update Manager installation.  VMware Update Manager can only use a local path or a Web Server URL as a local repository - the latter option is preferred.  If we have an upstream repository set up, we can use the **-E **command to upload the content.

We’ll focus on setting up a web server on our UMDS server.

Setting up Nginx to serve UMDS content

VMware provide this guidance as part of their validated design – and it’s relatively simple to use to provide a persistent web server.

Firstly, we install Nginx. A simple one-liner will suffice (though you’ll need the root password!)

sudo apt-get -y install nginx

Once complete, we need to allow access to our UMDS Patch Store:

sudo chmod -R 755 /var/lib/vmware-umds

Next, we copy out the default Nginx configuration file to create one for UMDS.  We then edit this using a text editor such as vi or nano – I’ll use vi:

sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/umds

sudo vi /etc/nginx/sites-available/umds

The amendments we make are highlighted in green below.  We amend the root path to our UMDS patch store, add the DNS short name and Fully Qualified Domain Name, and turn on autoindexing.

**               server {**

**             listen 80 default_server;**

**             listen [::]:80 default_server ipv6only=on;**

**                       root /var/lib/vmware-umds** ;      

**             index index.html index.htm;**

**                       # Make site accessible from http://localhost/**

**             server_name localhost exampleumds exampleumds.domain.local;**

**                       location / {**

**                     # First attempt to serve request as file, then**

**                             # as directory, then fall back to displaying a 404.**

**                                            try_files $uri $uri/ =404;**

**                             # Uncomment to enable naxsi on this location**

**                             # include /etc/nginx/naxsi.rules**

**                               autoindex on;**

**             }**

We then delete the default configuration, enable our UMDS configuration and restart Nginx.

sudo rm /etc/nginx/sites-enabled/default

sudo ln -s /etc/nginx/sites-available/umds /etc/nginx/sites-enabled/

sudo service nginx restart

We should then be able to browse our UMDS patch store. image

Configuring VMware Update Manager

Configuring VMware Update Manager to use a Shared Repository is a straight forward process.

From the Home Menu, select VMware Update Manager; then select the Update Manager from the Server list and go to the Settings Tab.

Pick Download Settings from the left-hand menu and select Edit Download Sources.  As per shown below, select Shared Repository and enter a URL. image

VUM will validate this setting.  After that, we can download our patches into Update manager and then it’s business as usual. Set up Baselines, scan and remediate as you would do when Update Manager pulls directly from VMware.

Closing Thoughts….

With this approach, we can provide a secure gap between VMware vCenter and the internet and still retrieve updates.  One downside of the new VMware Update Manager integration with VMware vSAN in VMware vSphere 6.5 Update 1 is that vSAN requires a direct connection to VMware in order to establish vSAN Baselines.  Currently, proxying of this through UMDS is not possible, so if this functionality is required, then vCenter will still need some internet connectivity, though at least the patch downloads are segregated.

If you need assistance in getting the best from your VMware vSphere estate,  please contact Xtravirt, and we’d be happy to use our wealth of knowledge and experience to assist you.

About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He is a VMware vExpert 2017.

xtraCBrown vmware cloud virtualisation virtualization UMDS vsphere Patching sevurity Updatemanager vcenter

See more posts like this on Tumblr

#xtraCBrown #vmware #cloud #virtualisation #virtualization #UMDS #vsphere #Patching #sevurity #Updatemanager #vcenter