ESXi 5.1 Update 1 and vCenter 5.1 Update 1(a) released – grab your fixes

[Update 23.05.2013]
Due to a bug in the authentication module in multi-domain environments, VMware released another update of vCenter, vCenter 5.1 Update 1a:
https://www.vmware.com/support/vsphere5/doc/vsphere-vcenter-server-51u1a-release-notes.html#resolvedissuesvcenter
[/Update]

[Update 05.08.2013]
VMware releases another update for vCenter, 5.1 Update 1b:
https://www.vmware.com/support/vsphere5/doc/vsphere-vcenter-server-51u1b-release-notes.html#resolvedissues
[/Update]

The long anticipated first major Update bundle of ESXi and vCenter 5.1 has finally been released. Download them at the usual place.
The insane list of fixes confirms my gut feeling again that unfortunately, many VMware products only start getting usable after the first (or sometimes even the second) Update bundle. (Remember vCenter 5.1a and 5.1b or the loads of support alerts?)

ESXi 5.1 Update 1

Go and check the release notes. Seriously.
No real new features or enhancements have been added apart from a few new supported Guest OSes.
But a huge number of important issues and bugs have been fixed, a few of which had been awaited for a long time. Here are some excerpts to highlight some of the important or interesting fixes:
https://www.vmware.com/support/vsphere5/doc/vsphere-esxi-51u1-release-notes.html#resolvedissues


April HP ESXi bundle update fixes SmartArray warning

After the ridiculous mess HP caused with their last updates to the custom ESXi extensions back in January/February, HP released new updates to the HP CIM providers a few days ago.
This update fixes the issue that was probably responsible for all of these woes: HP SmartArray RAID Controllers displaying a random warning message.
From the release notes:
Version: 1.4.5 (15 Apr 2013) hp-esxi5.0uX-bundle-1.4.5-3.zip
Version: 9.3.5 (15 Apr 2013) hp-ams-esxi5.0-bundle-9.3.5-3.zip

January (or February?) HP ESXi updates

Attention: [Update 16.01.2013]
HP actually pulled the updates (which were titled “February” updates) from their VIBs Depot site and purged the references from the depot metadata indexes as well. I’m not sure what’s going on but you won’t be able to apply these updates (via Update Manager) unless you downloaded them already. But even if you did, you should refrain from using these bundles at this time. Unfortunately there seems to be no way of properly removing them from Update Manager if it pulled the metadata already.
[/Update]

[Update 21.02.2013]
HP re-released the VIBs available at http://vibsdepot.hp.com/hpq/feb2013/
[/Update]

[Update 23.02.2013]
(Thanks to milanod for the hint in the comments)
HP actually removed the re-released updates from the vibsdepot yet again?!
The updated bundles are still listed on the software/support/drivers lists for Proliant Servers though:
http://www.hp.com/swpublishing/MTX-c22b0c1988f147308f06bb4ab9  hp-HPUtil-esxi5.0-bundle-1.4-15.zip
http://www.hp.com/swpublishing/MTX-01441a612d354aba868f22f96a hp-esxi5.0uX-bundle-1.4-16.zip
I’m speechless in the face of this unprecedented fail.
[/Update]

[Update 25.02.2013]
Uh-oh, the updates SEEM to be back at http://vibsdepot.hp.com/hpq/feb2013/. File dates are from Jan 4th and the bundles’ md5sums match the ones from the initial release mid-January (which this post was about) exactly. So if there really was a bug with the release, it must still be there.
Taking bets on how long it’ll take HP to offline them again.
[/Update]

[Update 22.04.2013]
(Thanks to Wu in the comments)
The issue with the SmartArray warning which this bundle brought us has been fixed in a recent update.
[/Update]

After some very minor updates back in October that did not come with release notes, it’s time for another round of updates to the ESXi HP extensions and other stuff. Unfortunately, we don’t seem to be getting release notes or general info now either.
But these updates are publicly available on http://vibsdepot.hp.com/hpq/feb2013/ already and your VMware Update Manager should have already picked them up if you set it up to use the HP VIB depot.

Since HP is so kind as not to provide release notes, we can only guess about actual fixes or improvements, but we can at least check which of the VIBs contained in the offline bundles really do provide updates (spoiler: not that much).

September ESXi HP updates

With the releases of vSphere 5.1, ESXi 4.1 U3 and Windows Server 2012, it’s time for hardware vendors to update their management agents again. HP did so recently and updated their bundles as follows. These bundles are supported for both ESXi 5.0 and 5.1:

  • HP ESXi Offline Bundle for VMware ESXi 5.x (CIM providers) updated to 1.3
    Added specific HP ProLiant Gen8 servers to the server support matrix:
        HP ProLiant BL660c Gen8 server
        HP ProLiant DL560 Gen8 server
  • HP ESXi Utilities Offline Bundle for VMware ESXi 5.x (ILO-config etc.) updated to 1.3
    Added support for the following servers:
        HP ProLiant BL660c Gen8 server
        HP ProLiant DL560 Gen8 server
  • HP NMI Sourcing Driver for VMware ESXi 5.x updated to 2.1. Note that this is not intended for HP ProLiant Gen8 servers.
    Edit 09/10/2012: Actually, the NMI VIB itself hasn’t been updated at all. It is still version 2.0.11-434156, which is exactly the same as the previous version. The only thing that changed was the metadata in vendor-index.xml of the zip package, which now includes a section to apply to version “5.1.0” too. An already installed hpnmi bundle won’t be updated because of this.
    # esxcli software sources vib list -d /vmfs/volumes/local_datastore_1/hp-nmi-esxi5.0-bundle-2.1-2.zip
    Name   Version        Vendor  Release Date  Acceptance Level  Status
    hpnmi  2.0.11-434156  hp      2011-07-29    PartnerSupported  Installed
  • HP Agentless Management Service Offline Bundle for VMware ESXi 5.x for the new HP ProLiant Gen8 servers updated to 9.2.0
    The following issues have been fixed:
    AMS Static data lost after clearing Active Health System Log
    iLO shows status Other for unplugged NIC port
    AMS crashes when new vSwitch is configured
    cpqSas trap not reported until query is made
    AMS Active Health does not handle iLO reset
    Added support for the following servers:
    HP ProLiant BL660c Gen8 server
    HP ProLiant DL560 Gen8 server
    Added support for the following:
    Memory DIMM status and iLO information for vCenter
    Logging to the OS event log
    cpqHoFWVer support for NIC and SAS controllers
    Added the Update number to the VMware version and build number
  • HP ProLiant Smart Array Controller Driver for VMware ESXi 5.0 updated to 5.0.0-28.0 (never really used this by the way).
    Add support for correctly displaying RAID 1(ADM) mode for logical volumes. Formerly, RAID 1(ADM) volumes were incorrectly displayed as RAID UNKNOWN.
    Remove code that limited the number of external target (array) device connections to 8 array ports. Exceeding 8 ports prevented logical volumes from registering with the driver. Improved code handling paths and targets.
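
The check used for the NMI driver bundle above (listing a bundle with esxcli software sources vib list -d and reading the Status column) can be scripted. The following is an added example, not code from the original post: a POSIX shell filter over that command's output that reports which VIBs would actually change the host. The function names and the second sample listing (example-cim and its version) are constructed for illustration; any Status other than "Installed" is treated as a change.

```shell
#!/bin/sh
# Added example, not from the original post. Reads the table printed by
#   esxcli software sources vib list -d <offline bundle or depot URL>
# and reports which VIBs would actually change the host.
# Function names and the SAMPLE_* listings are constructed for illustration.

# vib_rows: keep data rows only, print "name version status".
# Skips the header and the dashed separator line; Status is the last column.
vib_rows() {
    awk '$1 != "Name" && $1 !~ /^-+$/ && NF >= 6 { print $1, $2, $NF }'
}

# vib_changes: rows whose Status is anything other than "Installed".
vib_changes() {
    vib_rows | awk '$3 != "Installed"'
}

# bundle_is_noop: 0 = every VIB is already installed (metadata-only release),
#                 1 = at least one VIB would change, 2 = no rows parsed.
bundle_is_noop() {
    rows=$(vib_rows)
    [ -n "$rows" ] || return 2
    [ -z "$(printf '%s\n' "$rows" | awk '$3 != "Installed"')" ]
}

# The listing quoted in the post for hp-nmi-esxi5.0-bundle-2.1-2.zip.
SAMPLE_NMI='Name   Version        Vendor  Release Date  Acceptance Level  Status
hpnmi  2.0.11-434156  hp      2011-07-29    PartnerSupported  Installed'

# Constructed listing: example-cim and its version are made up.
SAMPLE_MIXED='Name         Version        Vendor  Release Date  Acceptance Level  Status
-----------  -------------  ------  ------------  ----------------  ---------
hpnmi        2.0.11-434156  hp      2011-07-29    PartnerSupported  Installed
example-cim  1.3.0-1        hp      2012-09-01    PartnerSupported  Update'

# Demo on the embedded samples; on a host, pipe the esxcli output in instead.
if printf '%s\n' "$SAMPLE_NMI" | bundle_is_noop; then
    echo "hp-nmi 2.1 bundle: nothing to install, metadata-only change"
fi
printf '%s\n' "$SAMPLE_MIXED" | vib_changes
```

Exit status 2 from bundle_is_noop means the listing could not be parsed, so an empty or failed esxcli call is never mistaken for a bundle with nothing to install.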


July 2012 ESXi and vCenter updates

Yesterday and today VMware released an unusual Update for vCenter (and VCSA) titled “5.0 Update 1a” as well as a couple of regular bug fixes and security patches for ESXi 5 hosts.
Update Aug 20 2012: VMware recently released vCenter 5.0 Update 1b, which replaces 1a due to some issues with Oracle databases. Apart from that, there seem to be no other new fixes that weren’t present in 1a already. So if you’re on 1a already with a non-Oracle database, there is no real need to upgrade to 1b.

VMware vCenter Server 5.0 Update 1a – a as in accident? Update 1b – b as in bummer

Grab the official release notes here:
https://www.vmware.com/support/vsphere5/doc/vsp_vc50_u1a_rel_notes.html
https://www.vmware.com/support/vsphere5/doc/vsp_vc50_u1b_rel_notes.html

It’s the first time VMware has officially released such an out-of-band update for vCenter with a small set of fixes and enhancements, and I was quite surprised too. As expected of such a minor update, it doesn’t provide any significant new features. Adding support for using vCenter with some very specific Oracle version, or switching from DB2 to PostgreSQL for the VCSA? Ok, next please.
Much more interesting, and probably the reason why they made this move in the first place, are a couple of bugs this update fixes. One of them is the infamous Storage vMotion dvSwitch issue, for which until now the workaround meant some manual labor or running scripts after each Storage vMotion (including SDRS).
The other fixes don’t seem particularly interesting, but I’m glad VMware finally fixed the Storage vMotion issue.

Oh joy, installing another complete vSphere Client of a whopping 350MB for just a few vCenter-side fixes! Not to mention the actual vCenter “update” process, which is essentially a whole reinstall of the new version every time.
Will VMware ever offer a proper patching method for this? Praying seems to be the only hope left.

New set of ESXi 5 patches – (a as in) adhering to a patchday policy?

Note: You do not need the above mentioned 5.0 U1a vCenter for these ESXi patches.
Less unusual appears to be the release of a series of new ESXi 5 patches for both security and bug fixing reasons. It’s been almost exactly a month (hello patchday) since the last security patch, which was a really important one, but luckily these two new security patches for a libxml 3rd party component and a stability issue in the VMware Tools don’t seem critical enough to require your immediate attention (rated important by VMware).
I will highlight a few fixes and points from the patch notes I personally deem important:

Security patches:
VMware ESXi 5.0, Patch ESXi500-201207101-SG: Updates esx-base
    > This patch updates the esx-base VIB to incorporate an important libxml2 security update.
VMware ESXi 5.0, Patch ESXi500-201207102-SG: Updates tools-light
    > This patch updates the tools-light VIB to resolve a stability issue in VMware Tools.
The full advisory that came with the first patch is available here: http://www.vmware.com/security/advisories/VMSA-2012-0012.html

Other bug fixing patches:
VMware ESXi 5.0, Patch ESXi500-201207401-BG: Updates esx-base
    > PR 831801: The default value of FIN_WAIT_2 timer was erroneously set to TCPTV_KEEPINTVL * TCP_KEEPCNT = 75 * 0x400. This discrepancy results in the socket at FIN_WAIT_2 state to exist for a much longer time and if multiple such sockets are accumulated, they might impact new socket creation.
    > PR 835040: An ESXi host might not respond or get disconnected due to the esx.conf file being locked. This might happen because when updating the ESX configuration (esx.conf configuration file) a lock file /etc/vmware/esx.conf.LOCK is created and it is linked to the process attempting to lock the file. If the link (known as a symlink) is not valid then it prevents the esx.conf from being unlocked.
    > PR 838922: An ESXi host might not restart UDP logging after a temporary interruption that might be caused by target server reboot or network UDP package being lost.
    > PR 838946: During the installation of Windows Server 2012 or Windows 8 64-bits virtual machine, the virtual machine displays a black screen with a loading icon and stops responding during the start-up process.
    > PR 848382: An ESXi host might become unresponsive with a purple diagnostic screen (PSOD) that displays messages similar to the following if any changes are made to BufferCache.HardMaxDirty.
    > PR 866810: On Dvportgroup, a promiscuous port might not work in promiscuous mode if the DVMirror sessions are reconfigured.
    > PR 855177: If you configure the loghost of syslogd incorrectly via esxcli or edit the /etc/vmsyslog.conf file directly followed by syslog reload, syslogd might terminate abruptly. You might notice the following symptoms with this issue:
VMware ESXi 5.0, Patch ESXi500-201207402-BG: Updates tools-light
    > PR 751508: Windows Vista and later versions of Windows do not recommend allowing services to be interactive; however, VMware Tools Service is installed as an interactive service.
VMware ESXi 5.0, Patch ESXi500-201207403-BG: Updates scsi-mptsas
VMware ESXi 5.0, Patch ESXi500-201207405-BG: Updates misc-drivers
VMware ESXi 5.0, Patch ESXi500-201207406-BG: Updates net-e1000
Just your usual driver updates with no detailed info of the last 3 here.

By the way, you can install VMware Tools updates without maintenance mode or reboots, since the update effectively only overwrites the Tools ISO images in /vmimages/tools-isoimages. Note that ESX(i)4 patches are also pending release. As per VMware support for a case we have open, I also expect a real vCenter and ESXi 5.0U2 to be released soon-ish. Maybe around VMworld 2012 and with the potential release of vSphere 5.1?

New ESXi security patch VMSA-2012-0011 released on June 14th

Today VMware released a new security update for ESX(i), from version 3.5 to 5.0, as well as other hosted virtualization platforms like Workstation/Player, and updated several older security advisories.
If you’re not signed up on the VMware security mailing list, you should do so at http://lists.vmware.com/mailman/listinfo/security-announce in order to get all the latest information on updates and advisories.

The new advisory is available here. The new patch VMware ESXi 5.0, Patch ESXi500-201206401-SG: Updates esx-base fixes two critical security issues:

VMware Host Checkpoint File Memory Corruption
Certain input data is not properly validated when loading checkpoint files. This might allow an attacker with the ability to load a specially crafted checkpoint file to execute arbitrary code on the host.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-3288 to this issue.
The following workarounds and mitigating controls might be available to remove the potential for exploiting the issue and to reduce the exposure that the issue poses.

Workaround: None identified.

Mitigation: Do not import virtual machines from untrusted sources.

VMware Virtual Machine Remote Device Denial of Service
A device (for example CD-ROM or keyboard) that is available to a virtual machine while physically connected to a system that does not run the virtual machine is referred to as a remote device. Traffic coming from remote virtual devices is incorrectly handled. This might allow an attacker who is capable of manipulating the traffic from a remote virtual device to crash the virtual machine.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-3289 to this issue.
The following workarounds and mitigating controls might be available to remove the potential for exploiting the issue and to reduce the exposure that the issue poses.

Workaround: None identified.

Mitigation:
Users need administrative privileges on the virtual machine in order to attach remote devices.
Do not attach untrusted remote devices to a virtual machine.

This is already the 2nd critical security-related patch after VMware ESXi 5.0, Patch ESXi500-201205401-SG which was released a month ago following a leak of VMware source code which raised some public attention. I really hope we’re done with this soon.

Here are the updated advisories based on older patches:
– http://www.vmware.com/security/advisories/VMSA-2012-0005.html
– http://www.vmware.com/security/advisories/VMSA-2012-0006.html
– http://www.vmware.com/security/advisories/VMSA-2012-0007.html
– http://www.vmware.com/security/advisories/VMSA-2012-0009.html

The actual changes of these advisories can be found in section 6. Change log. There doesn’t seem to be any really important information though.

And last but not least, if you’re running ESX on HP, you might as well update your HP-Extensions while you’re installing this.

ESXi HP Updates

HP just released a batch of new firmware for their servers and blades, Virtual Connect modules as well as updated ESXi extensions. Here’s my take on the new stuff.

HP ESXi VIBs and handling Update Manager

Updated HP Extensions and notable excerpts from the release notes:

  • The ESXi offline bundle (CIM providers) has been updated to 1.2
    Added additional support for AC Lost detection for power supplies.
    Supporting some more gen8 servers
  • The Agentless Management Service (AMS) Offline Bundle for Gen8 servers has been updated to 9.1.0
    Added network and SAS driver information reporting.
    Added performance data reporting.
    Supporting some more gen8 servers
  • The ESXi utilities bundle has been updated to 1.2
    Supporting some more gen8 servers
  • The NMI Sourcing driver has not been updated for ESXi5, but for ESXi 4.1.

If you run ESXi on HP Proliant systems, you should add the HP vibsdepot to your vCenter Update Manager repositories if you haven’t done so already. But even if you did so in the past, you’ll need to add another repository for the new bundles since HP changed the way they provide bundles from their vibsdepot. Instead of just adding “http://vibsdepot.hp.com/index.xml” as a custom download source in Update Manager, which would yield the most up-to-date bundles, HP now distributes multiple repositories based on release cycles:

http://vibsdepot.hp.com/
The following points define how to use vibsdepot under several customer scenarios:

– VUM – connect VUM to “http://vibsdepot.hp.com/hpq/<release date>/index.xml” to download complete update patches as well as individual patches.
– ESXCLI – use command “esxcli software vib install -d http://vibsdepot.hp.com/hpq/<release date>/index.xml”.

So in a nutshell, to make use of the updated bundles in VMware Update Manager, you’ll have to add “http://vibsdepot.hp.com/hpq/jun2012/index.xml” in UM. You can also remove or deactivate the old vibsdepot URL.
And don’t forget to update the URL once HP releases updated extensions (or HP changes this procedure all over yet again)!
[Update: You actually do not need to do that anymore if you just use http://vibsdepot.hp.com/index.xml. This links all release versions now.]
