It's been a while since we talked SolarWinds Patch Manager and patching in general here on the Product Blog, but with VMWorld 2015 right around the corner all things virtual are on our minds. Here's a few quick considerations to make when thinking about patching and maintaining virtual systems.
Is patching virtual (guest) systems really different? Yes, and no.
At the most fundamental level, patching virtual guest systems isn't really different than patching physical systems. You back the system up (hopefully), you install patches (which you tested first, right?), and if necessary, finish with a reboot. Seems simple enough, but there's points along the way where we can really take advantage of virtual systems - and virtual systems can help back us up when we're being lazy (or hasty).
- Backing up the system: here we can take advantage of the virtual environment's ability to take snapshots, either by integration with our backup system, integration with our patching system, or by hand. Snapshots can really cover your assets when it comes to making a mistake, or if a patch has unintended consequences (not that vendors ever make a mistake, right?). If a system fails to come back after a patch or you need time to diagnose an issue, reverting to snapshot while you clone and re-test is much more simple than the old school "revert from a backup? sigh..." or relying on Windows' ability to take reliable system restore points.
- Testing patches: with snapshots and a virtual environment (or even a hybrid or cloud environment), you can clone a live system into a testbed relatively easily. Gone are the days of drive imaging and system cloning, or having standby hardware in a test environment just because it's identical to production. Now, you can clone a snapshot of a production system, tweak its network and VM configuration to move it over to your test environment, and install and test patches pretty easily.
- Installing and rebooting: while systems are patching and rebooting, virtual environment HA configurations can help plug some of the holes of down systems without dealing with operating system clustering technologies directly. Both can be admittedly cumbersome to set up the first time, but virtual HA can save your bacon and minimize impact to your downstream users.
Don't forget your hypervisor!
When it comes to Hyper-V, patching your hypervisor really is all about patching your OS. Tools like Patch Manager are going to make it easy to stay up to date with Windows patches (AND third party patches, too). With Patch Manager on top of WSUS or SCCM, you can make intelligent groupings of systems, both for status and reporting details and for patching.
For vSphere (ESXi)-based systems, patching your hypervisor is a little more complex, and patches have been coming about monthly. There's actually a handy table of build numbers to patches published in their Knowledgebase that shows the patch history, and VMware has a Patch Portal to help you find and download updates that apply to you, plus see which KB articles patches resolve. I'd recommend showing the "Severity", "Category", and "System Impact" columns to help you understand which patches are most critical (keep a keen eye on security updates) and what the impact will be to running systems.
Patching utilities for host<->guest communication is important, too
Within virtual guest systems, there are usually utilities that establish good host to guest (and vice versa) communication. These tools let you perform clean maintenance tasks like shutdown, reboot, and snapshot; provide time synchronization (very useful if you're doing any log analysis, troubleshooting, or anything certificate-based where time can matter a lot); and provide insight into what's on a guest or host OS.
When it comes to VMware Tools specifically, you won't get the tools "for free" when you bring up a clean guest OS until you install them, though thankfully most modern Linux distributions include open-vm-tools by default (or easily added). For those of you tired of this deployment process on Windows, though, we've got good news! Patch Manager now includes VMware Tools packages in our third party update catalog. With Patch Manager, you can now automatically download and deploy VMware Tools updates just like Windows (and other third party) updates.
For existing Patch Manager customers, you can add the VMware Tools library to your patching catalog by following a few steps:
You can also automatically download and approve future versions with the new-in-Patch Manager 2.1 auto-approval feature, if you check out our GA blog post there's a bunch of details on that feature - Announcing General Availability of Patch Manager v2.1 - Automated 3rd Party Patches & More!.
What's Next for Patching Virtual Systems?
If you check out the Patch Manager What We're Working On, you'll see specific mention of more features we're looking at adding regarding patching virtual systems - including the automated snapshotting (and potentially reverting) mentioned above.
What big issues do you have with patching virtual systems? What can we do to help?