by Curtis Brown
In a time where security is top of mind, patch management
for both the health and security of a VMware vSphere® estate has never been
more important.
VMware vSphere® Update Manager™ is an essential, but often
under-appreciated part of VMware vSphere. However, punching VMware vCenter®
straight out to the internet may not be an attractive option for several
reasons, most notably security, but also scaling. If you have a large estate with
many vCenter servers and Update Managers, do you want all of them pulling down
updates straight from VMware?
VMware Update Manager Download Service is a software
solution that provides the means to place an intervening server between Update
Manager (or multiple Update Manager installations) and the internet. It can be used as a host for updates itself,
or it can be configured to publish the updates on an upstream web server.
Previous releases only supported Windows; however, we can
now deploy it on a Linux derivative, permitting a more solid appliance to be
constructed. The guidance in this
article is a combination of VMware’s documentation, guidance from noted VMware
blogger William Lam and my own testing.
Installation of UMDS on Linux
The first step is to prepare a Linux server. For this deployment, Ubuntu 14.04 was
used. Ideally, this should be provided
with a static IP address for ease of use. I tested a multi-homed configuration
with an external and internal connection which worked fine.
The next step is to prepare the VM for UMDS and then install
it.
Install the following pre-requisite components for Linux:
perl
tar
sed
psmisc
unixodbc
postgresql
postgresql-contrib
odbc-postgresql
William Lam has a really elegant script that automates this:
(http://www.virtuallyghetto.com/2016/11/automating-the-installation-of-vum-update-manager-download-service-umds-for-linux-in-vsphere-6-5.html)
Once these are in place, the script creates a PostgreSQL database
and sets up a local ODBC connection to it, including establishing
authentication to allow UMDS to access the database. The script then creates an answer file to configure
the UMDS installation prior to installing it. This is explained very well in William’s
blog post referenced above.
At this point we have a UMDS server up and running, which
can be confirmed by running:
/usr/local/vmware-umds/bin/vmware-umds -v
Configuration of UMDS
Once UMDS is in place, it needs to be configured. The commands are identical to the Windows
release of UMDS.
Existing configuration can be checked by running the
following command:
/usr/local/vmware-umds/bin/vmware-umds -G
This will show the following:
· Configured URLs – where UMDS is configured to pull patches down from. We can add vendor URLs to this, but the default VMware depots are listed.
· Patch Store location – where UMDS will download files to. The default is /var/lib/vmware-umds.
· Export Store Location – we can specify a remote location where UMDS can export patches to. We won’t be using this here, but vmware-umds -o [--default-export-store] (path) can configure this.
· Proxy Server – where needed, proxy server values can be configured using vmware-umds -p.
· Patch Content – we can select whether to enable Host and Virtual Appliance patching and define which Host Releases we wish to support.
Let’s go through some of these, firstly deciding what
content to download.
Selecting whether to enable Host or VA support is simple –
we run vmware-umds with the -S option. For example, the following will prevent
download of VA patches but enable Host patches:
/usr/local/vmware-umds/bin/vmware-umds -S --enable-host --disable-va
For Host patches, we can refine which releases we wish to
support. Again, this uses the -S switch. The example below disables ESX 5.0
patching with -d; to enable a release instead, use -e in place of -d:
/usr/local/vmware-umds/bin/vmware-umds -S -d embeddedEsx5.0.0-INTL
Next, we might want to add third party download sources for
vendor-specific patches. Obviously,
you’ll need the URL for their repository.
Use --remove-url to remove a URL you added this way.
/usr/local/vmware-umds/bin/vmware-umds -S --add-url https://host_URL/index.xml --url-type HOST
To select where to download to, we use:
/usr/local/vmware-umds/bin/vmware-umds -S --patch-store your_new_patchstore_folder
The default in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager while
the default location in 64-bit Linux is /usr/local/vmware-umds.
Running the -G
command again gives us the following:
In our example, we’ve left the default configuration for the
URLs and patch store, but have restricted ourselves to just ESXi 6.5 host
patches.
Once all this is set as required, we need to download the
patches from VMware. The command for
this is straightforward:
/usr/local/vmware-umds/bin/vmware-umds -D
This can be set up as a scheduled task in Linux by
configuring crontab. If we need to, we can re-download patches
using -R and specifying a date range
as per the following example.
/usr/local/vmware-umds/bin/vmware-umds -R --start-time 2010-11-01T00:00:00 --end-time 2010-11-30T23:59:59
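A cron wrapper around the download command above, as an added example that is not part of the original article: it takes a lock so overlapping cron runs cannot both write into the patch store, and it records the exit status so a failed download is visible in the log rather than silent. The binary path is the article’s; the log file, lock directory and the UMDS_BIN/UMDS_LOG/LOCK_DIR names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: a crontab-friendly wrapper
# around "vmware-umds -D". Assumptions: the UMDS path used in the article, a
# log file under /var/log and a lock directory under /var/lock.
# Example crontab entry (nightly at 02:00):
#   0 2 * * * /usr/local/sbin/umds-download.sh
UMDS_BIN="${UMDS_BIN:-/usr/local/vmware-umds/bin/vmware-umds}"
UMDS_LOG="${UMDS_LOG:-/var/log/umds-download.log}"
LOCK_DIR="${LOCK_DIR:-/var/lock/umds-download}"

# Timestamped log line, UTC so entries compare cleanly across hosts
log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$UMDS_LOG"; }

umds_download() {
    # mkdir is atomic, so two overlapping cron runs cannot both take the lock
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        log "SKIP previous download still running"
        return 2
    fi
    rc=0
    log "START $UMDS_BIN -D"
    "$UMDS_BIN" -D >> "$UMDS_LOG" 2>&1 || rc=$?
    rmdir "$LOCK_DIR"
    if [ "$rc" -eq 0 ]; then
        log "OK download finished"
    else
        log "FAIL vmware-umds exited with status $rc"
    fi
    return "$rc"
}
```

Call umds_download from the script body when deploying it under cron; the exit status is passed through so cron’s own mail or your monitoring can pick up failures.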
At this point we have a populated UMDS server. A simple
listing of our UMDS patch store shows our content:
We then need to either export the content to an upstream
location or host it on our UMDS server for collection by the VMware Update
Manager installation. VMware Update
Manager can only use a local path or a Web Server URL as a local repository - the
latter option is preferred. If we have
an upstream repository set up, we can use the -E command to upload the content.
We’ll focus on setting up a web server on our UMDS server.
Setting up Nginx to serve UMDS content
VMware provide this guidance as part of their validated
design – and it’s relatively simple to use to provide a persistent web server.
Firstly, we install Nginx.
A simple one-liner will suffice (though you’ll need the root password!)
sudo apt-get -y install nginx
Once complete, we need to allow access to our UMDS Patch
Store:
sudo chmod -R 755 /var/lib/vmware-umds
Next, we copy out the default Nginx configuration file to
create one for UMDS. We then edit this
using a text editor such as vi or nano – I’ll use vi:
sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/umds
sudo vi /etc/nginx/sites-available/umds
The amendments we make are shown in the configuration below. We amend the root path to point at our UMDS patch
store, add the DNS short name and Fully Qualified Domain Name to server_name, and turn on
autoindexing in the location block.
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /var/lib/vmware-umds;
    index index.html index.htm;

    # Make site accessible from http://localhost/
    server_name localhost exampleumds exampleumds.domain.local;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
        autoindex on;
    }
}
We then delete the default configuration, enable our UMDS
configuration and restart Nginx.
sudo rm /etc/nginx/sites-enabled/default
sudo ln -s /etc/nginx/sites-available/umds /etc/nginx/sites-enabled/
sudo service nginx restart
We should then be able to browse our UMDS patch store.
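The site file above answers anyone who can reach port 80. As an added example that is not part of the original article, the following generates the same site file but restricts the repository to the addresses of the Update Manager hosts given on the command line and refuses anything other than read requests; the function name write_umds_site and the sample addresses are assumptions, the paths and host names are the article’s.

```shell
#!/bin/sh
# Added example, not from the original article: write an Nginx site file for the
# UMDS patch store that only the listed vCenter/Update Manager addresses can read.
# Usage: write_umds_site /etc/nginx/sites-available/umds 10.0.0.5 192.168.10.0/24
write_umds_site() {
    out="$1"; shift        # site file to write; remaining args are addresses/CIDRs
    {
        cat <<'EOF'
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    root /var/lib/vmware-umds;
    index index.html index.htm;
    server_name localhost exampleumds exampleumds.domain.local;

    location / {
        # Only the listed Update Manager hosts may read the repository
EOF
        for src in "$@"; do
            printf '        allow %s;\n' "$src"
        done
        cat <<'EOF'
        deny all;
        # A patch depot is read-only: limit_except GET also permits HEAD
        limit_except GET { deny all; }
        try_files $uri $uri/ =404;
        autoindex on;
    }
    # Never serve dot-files that may end up in the patch store
    location ~ /\. { deny all; }
}
EOF
    } > "$out"
}
```

After linking the file into sites-enabled as in the article, run sudo nginx -t before restarting so a typo in an address does not take the repository offline.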
Configuring VMware Update Manager
Configuring VMware Update Manager to use a Shared Repository
is a straightforward process.
From the Home Menu, select VMware Update Manager; then select
the Update Manager from the Server list and go to the Settings Tab.
Pick Download Settings from the left-hand menu and select
Edit Download Sources. As shown below,
select Shared Repository and enter the URL of the UMDS web server.
VUM will validate this setting. After that, we can download our patches into
Update manager and then it’s business as usual. Set up Baselines, scan and
remediate as you would do when Update Manager pulls directly from VMware.
Closing Thoughts
With this approach, we can provide a secure gap between
VMware vCenter and the internet and still retrieve updates. One downside of the new VMware Update Manager
integration with VMware vSAN in VMware vSphere 6.5 Update 1 is that vSAN
requires a direct connection to VMware in order to establish vSAN Baselines. Currently, proxying of this through UMDS is
not possible, so if this functionality is required, then vCenter will still need
some internet connectivity, though at least the patch downloads are segregated.
If you need assistance in getting
the best from your VMware vSphere estate, please contact Xtravirt, and
we’d be happy to use our wealth of knowledge and experience to assist you.
About the Author
Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas
include End User Compute solutions and Virtual Infrastructure design and
implementation with particular strength in VDI, storage integration, backup and
Disaster Recovery design/implementation. He is a VMware vExpert 2017.