vSphere HyperVisorにセキュリティパッチを適用する。

■vSphere HyperVisorにセキュリティパッチを適用する。

　ESXi 5.x/6.x ホストをパッチする為の「esxcli software vib」コマンド (2092895)
　https://kb.vmware.com/s/article/2092895

■Meltdown/Spectreの影響を緩和するものとしてESXi650-201712001SGがリリースされている。

　VMware、「Spectre」対策で「VMware ESXi」などにパッチ提供
　http://www.security-next.com/088928

■ホストバージョンとサポートレベルの確認

#  vmware -vl
VMware ESXi 6.5.0 build-5310538
VMware ESXi 6.5.0 GA

# esxcli software acceptance get
CommunitySupported

■vmnic1は10Mしか出ないので削除して、CommunitySupportedをPartnerSupportedに変更する。

# esxcli software vib list | awk '/CommunitySupported/'
net51-drivers                  1.0.0-1vft.510.0.0.799733            VFrontDe         CommunitySupported  2017-10-23 

# esxcli network nic list | awk '/vmnic/{gsub(" .*1500  ",",",$0);print $0}'
vmnic0,Intel Corporation 82567LM-3 Gigabit Network Connection
vmnic1,Realtek Realtek 8169 Gigabit Ethernet                 

# 仮想マシンの電源OFFを確認
# vim-cmd vmsvc
/getallvms | awk '/^[0-9]/{print "echo "$1";vim-cmd vmsvc/power.getstate "$1}' |
 sh
1
Retrieved runtime info
Powered off
...
42
Retrieved runtime info
Powered off

# メンテナンスモードに変更
# esxcli system maintenanceMode get
Disabled
# esxcli system maintenanceMode set -e true
# esxcli system maintenanceMode get
Enabled

# net51-driversの削除
# esxcli software vib remove --vibname net51-drivers
Removal Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
   VIBs Installed: 
   VIBs Removed: VFrontDe_bootbank_net51-drivers_1.0.0-1vft.510.0.0.799733
   VIBs Skipped: 

# システムの再起動
# esxcli system shutdown reboot -r "delete net51-drivers" && exit

# PartnerSupportedレベルに変更
# esxcli software vib list | awk '{a[$(NF-1)]+=1}END{for(n in a){print n,a[n]}}'
VMwareCertified 131
VMwareAccepted 2
PartnerSupported 14
Install 1
---------------- 1
# esxcli software acceptance set --level PartnerSupported
Host acceptance level changed to 'PartnerSupported'.

# メンテナンスモードの解除
# esxcli system maintenanceMode get
Enabled
# esxcli system maintenanceMode set -e false
# esxcli system maintenanceMode get
Disabled

■ダウンロードするパッチは以下の条件で検索

　製品　　：ESXi(Embedded and Installable)、6.5.0
　フィルタ：すべての重要度、すべてのカテゴリ

　ホーム/製品パッチ
　https://my.vmware.com/ja/group/vmware/patch#search

■「ESXi650-201704001」までは適用されているので、
　命名規則と共に以下3つのmd5sumとzipinfoでのヘッダ確認。

　ESXi 5.x および 6.0 のパッチ処理モデルについて (2088255)
　https://kb.vmware.com/s/article/2088255

$ md5sum *.zip
8a4529539c22fc764b817de0829ecbaa  ESXi650-201710001.zip
9d4823d8b79148bf39f95eb0c28ce1f8  ESXi650-201712001.zip
12ffcaa19b62adf528471047c33748b5  update-from-esxi6.5-6.5_update01.zip

$ ls *.zip | awk '{print "zipinfo -h "$1}' | sh
Archive:  ESXi650-201710001.zip
Zip file size: 339746676 bytes, number of entries: 126
Archive:  ESXi650-201712001.zip
Zip file size: 478519869 bytes, number of entries: 138
Archive:  update-from-esxi6.5-6.5_update01.zip
Zip file size: 483104113 bytes, number of entries: 151

■各パッチのImageprofileを確認する。
　一つは現在と同じバージョン。

# ls ESXi*.zip update*.zip | \
    awk '{print "echo;echo "$1";esxcli software sources profile list -d /vmfs/volumes/datastore1/"$1}' | sh

ESXi650-201704001.zip
Name                             Vendor        Acceptance Level  Creation Time        Modification Time  
-------------------------------  ------------  ----------------  -------------------  -------------------
ESXi-6.5.0-20170404001-standard  VMware, Inc.  PartnerSupported  2017-04-07T06:05:30  2017-04-07T06:05:30
ESXi-6.5.0-20170404001-no-tools  VMware, Inc.  PartnerSupported  2017-04-07T06:05:30  2017-04-07T06:05:30

ESXi650-201710001.zip
Name                             Vendor        Acceptance Level
-------------------------------  ------------  ----------------
ESXi-6.5.0-20171004001-no-tools  VMware, Inc.  PartnerSupported
ESXi-6.5.0-20171004001-standard  VMware, Inc.  PartnerSupported

ESXi650-201712001.zip
Name                              Vendor        Acceptance Level
--------------------------------  ------------  ----------------
ESXi-6.5.0-20171204001-no-tools   VMware, Inc.  PartnerSupported
ESXi-6.5.0-20171201001s-no-tools  VMware, Inc.  PartnerSupported
ESXi-6.5.0-20171204001-standard   VMware, Inc.  PartnerSupported
ESXi-6.5.0-20171201001s-standard  VMware, Inc.  PartnerSupported

update-from-esxi6.5-6.5_update01.zip
Name                              Vendor        Acceptance Level
--------------------------------  ------------  ----------------
ESXi-6.5.0-20170701001s-standard  VMware, Inc.  PartnerSupported
ESXi-6.5.0-20170701001s-no-tools  VMware, Inc.  PartnerSupported
ESXi-6.5.0-20170702001-standard   VMware, Inc.  PartnerSupported
ESXi-6.5.0-20170702001-no-tools   VMware, Inc.  PartnerSupported

■「--dry-run」でupdate時に何をするのか確認
　※各VIBs行はコンソールやリダイレクトして確認。

# TARGET=/vmfs/volumes/datastore1/ESXi650-201712001.zip; \
    esxcli software sources profile list -d $TARGET | \
    awk '/ESXi/{print "echo "$1";esxcli software profile update --dry-run -d '$TARGET' -p "$1}' | \
    sh | \
    sed -e 's/\(VIBs [A-z]*:\).*/\1/'
ESXi-6.5.0-20171204001-no-tools
Update Result
   Message: Dryrun only, host not changed. The following installers will be applied: [BootBankInstaller]
   Reboot Required: true
   VIBs Installed:
   VIBs Removed:
   VIBs Skipped:
ESXi-6.5.0-20171201001s-no-tools
Update Result
   Message: Dryrun only, host not changed. The following installers will be applied: [BootBankInstaller]
   Reboot Required: true
   VIBs Installed:
   VIBs Removed:
   VIBs Skipped:
ESXi-6.5.0-20171204001-standard
Update Result
   Message: Dryrun only, host not changed. The following installers will be applied: [BootBankInstaller, LockerInstaller]
   Reboot Required: true
   VIBs Installed:
   VIBs Removed:
   VIBs Skipped:
ESXi-6.5.0-20171201001s-standard
Update Result
   Message: Dryrun only, host not changed. The following installers will be applied: [BootBankInstaller, LockerInstaller]
   Reboot Required: true
   VIBs Installed:
   VIBs Removed:
   VIBs Skipped:

■パッチの適用

# esxcli system maintenanceMode set -e true

# TARGET=/vmfs/volumes/datastore1/ESXi650-201704001.zip; \
    esxcli software sources profile list -d $TARGET | \
    awk '/ESXi/{print "echo "$1";esxcli software profile update -d '$TARGET' -p "$1}' | sh
# esxcli system shutdown reboot -r "updated ESXi650-201704001.zip" && exit

# TARGET=/vmfs/volumes/datastore1/ESXi650-201710001.zip; \
    esxcli software sources profile list -d $TARGET | \
    awk '/ESXi/{print "echo "$1";esxcli software profile update -d '$TARGET' -p "$1}' | sh
# esxcli system shutdown reboot -r "updated ESXi650-201710001.zip" && exit

# TARGET=/vmfs/volumes/datastore1/update-from-esxi6.5-6.5_update01.zip;
    esxcli software sources profile list -d $TARGET | \
    awk '/ESXi/{print "echo "$1";esxcli software profile update -d '$TARGET' -p "$1}' | sh
# esxcli system shutdown reboot -r "update-from-esxi6.5-6.5_update01.zip" && exit

# TARGET=/vmfs/volumes/datastore1/ESXi650-201712001.zip; \
    esxcli software sources profile list -d $TARGET | \
    awk '/ESXi/{print "echo "$1";esxcli software profile update -d '$TARGET' -p "$1}' | sh
# esxcli system shutdown reboot -r "ESXi650-201712001.zip" && exit

# esxcli system maintenanceMode set -e false

■バージョン、ライセンス期限、更新したvibの一覧の確認

# vmware -vl
VMware ESXi 6.5.0 build-7388607
VMware ESXi 6.5.0 Update 1

# vim-cmd vimsvc/license --show | awk '/count_disabled/'
     [count_disabled] = This license is unlimited

# esxcli software vib list | awk '/2018-01-06/{printf "%-30s%-35s%-10s%-20s\n",$1,$2,$3,$4}'
i40en                         1.3.1-5vmw.650.1.26.5969303        VMW       VMwareCertified     
igbn                          0.1.0.0-15vmw.650.1.36.7388607     VMW       VMwareCertified     
ixgben                        1.4.1-2vmw.650.1.26.5969303        VMW       VMwareCertified     
lsi-msgpt2                    20.00.01.00-3vmw.650.0.0.4564106   VMW       VMwareCertified     
misc-drivers                  6.5.0-1.36.7388607                 VMW       VMwareCertified     
ne1000                        0.8.0-16vmw.650.1.26.5969303       VMW       VMwareCertified     
net-mlx4-core                 1.9.7.0-1vmw.650.0.0.4564106       VMW       VMwareCertified     
net-mlx4-en                   1.9.7.0-1vmw.650.0.0.4564106       VMW       VMwareCertified     
nmlx4-core                    3.16.0.0-1vmw.650.0.0.4564106      VMW       VMwareCertified     
nmlx4-en                      3.16.0.0-1vmw.650.0.0.4564106      VMW       VMwareCertified     
nmlx4-rdma                    3.16.0.0-1vmw.650.0.0.4564106      VMW       VMwareCertified     
ntg3                          4.1.3.0-1vmw.650.1.36.7388607      VMW       VMwareCertified     
nvme                          1.2.0.32-5vmw.650.1.36.7388607     VMW       VMwareCertified     
nvmxnet3                      2.0.0.23-1vmw.650.1.36.7388607     VMW       VMwareCertified     
pvscsi                        0.1-1vmw.650.1.26.5969303          VMW       VMwareCertified     
sata-ahci                     3.0-26vmw.650.1.26.5969303         VMW       VMwareCertified     
scsi-mpt2sas                  19.00.00.00-1vmw.650.0.0.4564106   VMW       VMwareCertified     
usbcore-usb                   1.0-3vmw.650.1.26.5969303          VMW       VMwareCertified     
vmkata                        0.1-1vmw.650.1.36.7388607          VMW       VMwareCertified     
vmkusb                        0.1-1vmw.650.1.36.7388607          VMW       VMwareCertified     
vmw-ahci                      1.0.0-39vmw.650.1.26.5969303       VMW       VMwareCertified     
esx-base                      6.5.0-1.36.7388607                 VMware    VMwareCertified     
esx-dvfilter-generic-fastpath 6.5.0-1.36.7388607                 VMware    VMwareCertified     
esx-tboot                     6.5.0-1.36.7388607                 VMware    VMwareCertified     
esx-ui                        1.23.0-6506686                     VMware    VMwareCertified     
esx-xserver                   6.5.0-0.23.5969300                 VMware    VMwareCertified     
lsu-hp-hpsa-plugin            2.0.0-5vmw.650.1.26.5969303        VMware    VMwareCertified     
lsu-lsi-lsi-mr3-plugin        1.0.0-10vmw.650.1.26.5969303       VMware    VMwareCertified     
lsu-lsi-lsi-msgpt3-plugin     1.0.0-7vmw.650.1.26.5969303        VMware    VMwareCertified     
lsu-lsi-megaraid-sas-plugin   1.0.0-8vmw.650.1.26.5969303        VMware    VMwareCertified     
lsu-lsi-mpt2sas-plugin        2.0.0-6vmw.650.1.26.5969303        VMware    VMwareCertified     
vmware-esx-esxcli-nvme-plugin 1.2.0.10-1.26.5969303              VMware    VMwareCertified     
vsan                          6.5.0-1.36.7388608                 VMware    VMwareCertified     
vsanhealth                    6.5.0-1.36.7388609                 VMware    VMwareCertified     
tools-light                   6.5.0-1.33.7273056                 VMware    VMwareCertified     

■仮想マシンを起動する。
　ホストの台数分パスワード入力が必要な点を除けば、
　ホストのGUIにログインする頃にはすべての仮想マシンが立ち上がっている状況は地味に便利。

　bashで動く「wakeonvm.sh」を作ってみた。
　http://labunix.hateblo.jp/entry/20171020/1508498494

$ sudo ./myscripts/wakeonvm.sh 42
Password: 
Powering on VM:
Retrieved runtime info
Powered on