In this post, you will learn how to install patches and upgrade ESXi hosts using esxcli commands. I’ll start by installing a bug-fix patch, followed by an ESXi OS version upgrade using a so-called offline bundle. The offline upgrade option is particularly useful when vSphere Update Manager is not deployed in your environment.
Requirements
For this demo, I’ll be using WinSCP. Among other things, you can use it to upload files such as VIB packages to ESXi’s file system. For this to work, you need SSH enabled on the ESXi host, so you also need to ensure that network port 22 is not blocked by any firewall en route. I’m also using PuTTY to SSH to the ESXi host so I can work from the shell.
Installing a patch
There are 6 steps to installing patches on ESXi.
Step 1 – Download the patch. I’ve chosen to download a bug fix as described in KB214164. You can see this patch selected as shown in Figure 1.
Step 2 – Upload the patch to the ESXi host using WinSCP or similar. You can also use the vSphere client to upload to a datastore using the Upload File button.
I do however prefer the former method since it gives you more control on where to place the uploaded file and allows you to resume broken or paused uploads. Using WinSCP could not, in fact, be any easier. Just create a new connection using the ESXi’s host IP address and credentials. Then just drag the file from the source folder (left hand pane) to the destination folder (right hand pane). Figure 3 shows the process of copying a patch from a local folder to one created on a datastore.
Step 3 – Establish an SSH connection using putty or otherwise.
Step 4 – Place the host in maintenance mode. To do this, either use the vSphere client or run the following command from the shell.
vim-cmd hostsvc/maintenance_mode_enter
Step 5 – Install the patch
This is where we use the esxcli software vib command to install the patch. This step warrants some more detail. The esxcli software vib command takes two installation parameters, update and install. The difference between the two is important, since update DOES NOT overwrite existing files with a higher version than those being installed. The install parameter, on the other hand, doesn’t really care and bulldozes its way through, overwriting conflicting files regardless of version. Bottom line: be very careful when you use the install option. To be on the safe side, it’s a good idea to refer to any KB article released for the patch or update in question. For further information make sure to check this out.
For this example, I’m using the command below to apply the patch previously downloaded. The path specified with the -d parameter will, of course, vary according to the datastore or folder to which you copied the update file. Keep in mind also that you must specify the full path to the patch or update that you wish to install.
esxcli software vib update -d "/vmfs/volumes/55fbd499-7588730f-f5a1-005056b87047/ESXi550-201601001.zip"
If all goes according to plan, you should see something similar to the output in Figure 5.
Step 6 – Take the host out of maintenance mode and reboot it when prompted to do so.
The video coming up next illustrates the whole process from start to finish.
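Steps 4 and 5 above as a script for the ESXi shell, added here as an example and not taken from the original post. It puts two checks in front of the update that the post does not perform: comparing the uploaded bundle's digest against the published checksum, and an esxcli `--dry-run` pass. Assumptions: the download page publishes a SHA-256 and the host shell has `sha256sum` (substitute the tool matching the published checksum otherwise); the function names and the `ESXCLI`/`VIMCMD` override variables are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): steps 4-5 with an integrity check
# and a dry run in front. Intended for the ESXi shell over SSH.
# ESXCLI and VIMCMD are overridable; that hook is an assumption of this example.
ESXCLI=${ESXCLI:-esxcli}
VIMCMD=${VIMCMD:-vim-cmd}

# verify_bundle <zip> <expected-sha256>: returns 0 only when the digest matches.
verify_bundle() {
    [ -f "$1" ] || { echo "bundle not found: $1" >&2; return 2; }
    actual=$(sha256sum "$1" | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# patch_host <full-path-to-zip> <expected-sha256>
patch_host() {
    bundle=$1
    case $bundle in
        /*) ;;   # esxcli needs the full path, as the post notes
        *) echo "give the full path to the bundle" >&2; return 2 ;;
    esac
    if ! verify_bundle "$bundle" "$2"; then
        echo "checksum mismatch, nothing installed" >&2
        return 1
    fi
    # Dry run: lists what would be installed or skipped without changing the host.
    $ESXCLI software vib update -d "$bundle" --dry-run || return 3
    # Step 4: maintenance mode. Step 5: update (never overwrites newer VIBs).
    $VIMCMD hostsvc/maintenance_mode_enter || return 4
    if ! $ESXCLI software vib update -d "$bundle"; then
        echo "update failed; host is still in maintenance mode" >&2
        return 5
    fi
    echo "update applied; continue with step 6"
}

# Usage: sh patch_host.sh /vmfs/volumes/<datastore>/<bundle>.zip <sha256>
if [ $# -eq 2 ]; then
    patch_host "$1" "$2"
fi
```

The script stops after the update and leaves the host in maintenance mode, so step 6 remains a manual decision.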
Upgrading ESXi using an offline bundle
I’m basically going to repeat the same steps as above, except that this time I’ll use the install option instead of update to upgrade ESXi. This method requires you to download a so-called ESXi offline bundle (see Figure 7).
In the following video, I skip the file upload part and jump directly to the host upgrade bit. As you’ll see shortly, you can use the vmware -v command to retrieve the host version information before and after the upgrade process completes.
Conclusion
We’ve seen that the process of patching and upgrading ESXi hosts manually isn’t that much of a biggie. In some ways, it’s even easier than using vSphere Update Manager (VUM) even though I still think VUM is the way to go when you’re managing a significantly large number of hosts.
For other interesting posts, do have a look at the complete list of articles on this blog.
33 thoughts on "Patching and Upgrading ESXi using ESXCLI commands"
Thanks a ton for this piece of information.
Was scratching my head to get a patch updated in a test environment here (I am not a VM admin) and was certainly saved due to this info.
Glad I was of help.
Thanks
Jason
Hi Jason
Please share the steps to replace ESXi host certificate
Thanks in advance
Hi,
It depends on the ESXi version you’re using and the PKI infrastructure in place. Have a look at this as reference.
regards
Jason
Hope this helps!!
https://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.vsphere.security.doc_50/GUID-A261E6D8-03E4-48ED-ADB6-473C2DAAB7AD.html
Excellent explanation. I think much clearer even than the VMWare docs. Can you comment on this note I found on a VMWare blog post at https://blogs.vmware.com/vsphere/2012/02/quickest-way-to-patch-an-esxesxi-using-the-command-line.html
“Note: If you are using vSphere Hypervisor (Free ESXi), you will not be able to leverage any of the the remote CLI’s but you can still use the local CLI.”
I am using ESXi 5.0u2 and need to update through all the patches in the 5.0 branch. Since my license from VMWare was free I guess that means I have “Free ESXi.” Does the note mean I have to use the physical console to perform the patching and I can’t use the remote commands via SSH as you illustrate? I am hoping I am misunderstanding that note since the physical machine is not in a very convenient location and I need to do this after hours.
Hi Jimmy,
I appreciate the kind comment, thanks! Are you able to SSH to a remote host? If so, you should be able to run esxcli. The article, which seems reliable, states otherwise but there’s no harm in trying.
I don’t have any 5.x free ESXi installed, otherwise I’d try it out for you. One solution, for future use, would be to have your ESXi host connected to a remote KVM switch so you can connect remotely if you’re unable to SSH to it.
Hope this helps.
regards
Jason
Yes, as Jason said, if you can manage the remote host through SSH then you should use esxcli to get this fixed. But since you said you have a free ESXi host, the best recommended way is to use the physical console and run VUM so all patches are up to date on the ESXi host. Thanks.
Hi, thank you for the post, Jason. Do you need to patch virtual machines too after you have patched ESXi? I need to patch ESXi 6 to close the Spectre and Meltdown vulnerabilities.
Thank you
Hi. Yes, it’s always best practice to patch the OS / Software running on VMs if that’s what you mean.
Yes, patching ESXi doesn’t make any changes to VMs. If you would like to patch the VMs you need to do it separately. Each VM might have a different OS; it depends again on how you would like to patch each of them to get rid of vulnerabilities.
Hi, Is there any way to backup all VIBs on ESXi so in case of upgrade failure from older version to newer version user can revert back to previous working state?
I know about Shift R during boot but I like to know how to backup/restore VIBs. Thanks in advance for your help
Hi. I would rather back up the configuration as per https://kb.vmware.com/s/article/2042141. Shift-R at boot is your best option. But you could always try using something like WinSCP to copy what you want to back up manually.
Thanks for the tips. I concur with other users, it is lot easier to follow than VMWare.
Great explanation, Jason. May I ask if, within the same family (6.5.0 for example), one needs to apply all the patches in order or just the latest patch? Is it a cumulative patching system? Thanks in advance.
Hi Alan. Since 2018 it is a cumulative patching system indeed, so you won’t need to go through them manually. They are called rollup bulletins.
More info there: https://blogs.vmware.com/vsphere/2018/07/new-rollup-bulletins-simplify-vmware-esxi-updating.html