How to easily update your VMware Hypervisor from ESXi 6.5.x to 6.5.0d

Posted by Paul Braren on Apr 18 2017 (updated on Mar 31 2018) in
  • ESXi
  • Virtualization
  • HowTo
  • HomeLab
  • Important Update - On Mar 20 2018, VMware VMSA-2018-0004.3 announced that CVE-2017-5715 (Spectre-2) mitigation is now included in the latest patch that you should be using instead of the older patch featured in the original article below. You'll find the newer article that features an even easier update method here:

    Article below as it originally appeared.


    ESXi 6.5.0d | 18 APRIL 2017 | ISO Build 5310538

    Warning:

    1. vCenter/VCSA 6.5 should be upgraded to 6.5.0d before upgrading your host(s) to ESXi 6.5.0d Build 5310538, see:
      How to easily update your VMware vCenter Server Appliance from VCSA 6.5 to 6.5.0d
      Feb 07 2017
    2. I have only tested this method when upgrading from 6.5.0a Build 5224934 to Build 5310538, your experience from earlier 6.x versions may vary.
    3. I have been able to replicate a possible issue with the Xeon D 10GbE driver VIB after the upgrade, workaround completed, details below. There is also one report of a Xeon D 1GbE driver issue, he was able to recover by backing out.
    4. This is not official VMware documentation, it's merely a convenient upgrade technique that may help in lab tests, it's up to you to adhere to the backup-first advice detailed below.

    Why ESXCLI?

    All the background story on how this easy ESXCLI upgrade method came about was covered in my earlier articles about updating 6.0 U2 and 6.5.
    If you're in production, beware, this code just came out today. This article is for the lab, where you may want to give this critical patch a try.

    Benefits

    1. No new license needed to go from 6.0.x or 6.5.x to 6.5.0d Build 5310538
    2. Users of the free hypervisor and folks who can't download the GA Offline bundle now have a path forward as well, without needing to read TinkerTry's My VMware's "You either are not entitled or do not have permissions to download this product." error, and what to do about it.

    Prerequisites

    Once you've completed ALL of the following preparation steps:

    1. upgraded to VCSA 6.5.0d
    2. ensured your ESXi 6.5.x host has a working internet connection
    3. reviewed the release notes
    4. reviewed this VMSA-2017-0006 patch
    5. reviewed How to easily update your VMware Hypervisor to ESXi 6.0 Update 2 for the full back story that includes some warnings about potential gotchas/driver issues
    6. backed up the ESXi 6.5.x you've already got, if it's USB or SD, then use something like one of the home-lab-friendly methods such as USB Image Tools under Windows, as detailed by Florian Grehl here

    you can now continue with this simple approach to upgrading your lab environment. Unsupported, at your own risk, see the full disclaimer at below left.

    You should wind up with the same results after this upgrade as folks who upgrade by downloading the full ESXi 6.5.0d ISO and boot from it:

    VMware vSphere Hypervisor (ESXi ISO) image (Includes VMware Tools)
    File size: 331.09 MB
    File type: iso
    Name: VMware-VMvisor-Installer-201704001-5310538.x86_64.iso
    Release Date: 2017-04-18
    Build Number: 5310538

    Upgrade

    Download and upgrade to 6.5.0d update using the patch directly from the VMware Online Depot

    The entire process including reboot is usually well under 10 minutes. Triple-clicking on a line of code below highlights the whole thing, so you can then right-click and copy it into your clipboard:

    1. Open an SSH session (eg. PuTTY) to your ESXi 6.0.x server
      (if you forgot to enable SSH, here's how)
    2. Turn on maintenance mode, or ensure you've set your ESXi host to automatically gracefully shutdown all VMs upon host reboot, or shutdown all the VMs gracefully that you care about, including VCSA.
    3. Firewall allow outbound http requests - Paste the one line below into into your SSH session, then press enter:
      esxcli network firewall ruleset set -e true -r httpClient

      More details about the firewall here.

    4. Pull down ESXi Image Profile using https and run patch script - Paste the line below into into your SSH session, then hit enter and wait while nothing seems to happen, taking somewhere between roughly 3 to 10 minutes before the completion screen (sample below) appears:
      esxcli software profile install -p ESXi-6.5.0-20170404001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

      If this command fails, you may want to try changing update to install, details below. Thanks Douglas! Wait time for the successful install depending mostly on the the speed of the ESXi's connection to the internet, and a little on the speed of the storage media that ESXi is installed on.

    5. If you have Xeon D X552/X557, to regain 10GbE driver VIB that works, consider using the easy one-liner fix described below. While I have not yet tested doing this before the reboot, Alastair did, and kindly left a comment below, noting that it worked fine.
    6. Firewall disallow outbound http requests - Paste the line below into into your SSH session:
      esxcli network firewall ruleset set -e false -r httpClient
    7. If you turned on maintenance mode earlier, remember to turn maintenance mode off.
    8. If you normally leave SSH access off, go ahead and disable it now.
    9. Type reboot and hit return (to restart your ESXi server), or use your favorite ESXi UI to restart the host.
    10. After the reboot is done, it would be a good idea to test login using ESXi host client, pointing your browser to the IP or hostname of your just-graded server, to be sure everthing seems to be working right.

    You're done!

    Special thanks to VMware ESXi Patch Tracker by Andreas Peetz at the VMware Front Experience Blog. This upgrade test was performed on a TinkerTry'd VMware HCL system. Yes, on both the very popular 8 core and the rather special 12 core version of the beloved Supermicro SuperServer SYS-5028D-TN4T system.

    esxcli-update-successful-6.5.0.d-Build-5310538-TinkerTry-Apr-18-2017
    Here's how my upgrade from 6.5.0a Build 5224529 to 6.5.0d Build 5310538 looked, right after the 1 minute download/patch.
    dcui-showing-6.5.0d-build-5224529-tinkertry-2017-mar-31
    Yep, it worked! This is called the DCUI, using Supermicro's iKVM HTML5 UI to show you what my console looked like after the patch & reboot.
    esxi-host-client-6.5.0d-build-5310538-full-length-tinkertry-2017-apr-18
    ESXi Host client view of Build 5310538.

    That's it! When the reboot is complete, you'll see for yourself that you now have the latest ESXi, Build 5310538, as pictured above. Now you have more spare time to read more TinkerTry articles!

    Potential gotchas

    1. Depending upon your ESXi firewall configuration, if the above command results in a network related error such as:
      'NoneType' object has no attribute 'close'
      then you skipped the firewall configuration step above, try again!

    2. Notice that the command recommended you use when clicking on the ESXi-6.5.0-20170304101-standard link at VMware ESXi Patch Tracker:
      esxcli software profile update -p ESXi-6.5.0-20170404001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

      doesn't work, says:
      Message: Host is not changed.
      but simply changing from update to install worked for me, but your results may vary. See also the interesting comment below.

      host-is-not-changed
      Using the update parameter doesn't work, as seen above, but using install does.

    Potential SATA and Realtek NIC gotcha

    1. If you find some of your SATA/AHCI datastores disappear from view after this upgrade, worry not, the VMFS datastores are still there, you just can't see them. This article should still save you:
      For ESXi 6.0, those ESXi 5.1 VIBs for ASMedia SATA ports and Realtek NICs still seem to be working (but unsupported)
      Mar 04 2015

    Potential Intel Xeon D X552/X557 10GbE Driver gotcha

    Apr 19 2017 Update

    3262897528
    Click the image above to read the rest of the conversation thread.
    re-installed-newer-10gbe-drivers-for-x552-x557-xeon-d
    Here's how re-install of Intel X552/X557 VIB 4.5.1 looks, right-after successful easy re-install on 6.5.0d, proper way without no-sig-check takes more steps, and is detailed in the same article

    Getting past this issue was straight-forward, just re-installed my Intel's 4.5.1 X552/X557 10GbE VIB::

    then rebooted. Everything working fine again.

    Potential Intel Xeon D I-350 1GbE Driver gotcha

    Added Apr 19 2017 Update
    I haven't encountered this issue reported below, or been able to replicate it, but all the more reason to backup first.

    Closing Thoughts

    Alternatively, you could have used VMware Update Manager on a Windows system or VM, but for one-off upgrades typical in a small home lab, pasting these 3 lines of code is pretty darn easy.

    Looking ahead, since VUM is now built into VCSA 6.5, this will add another way to do future upgrades and patches, even in a small home lab environment.

    Video

    How to easily update your VCSA 6.5 to 6.5.0d Build 5318154 and ESXi to Build 5310538

    Apr 19 2017 Update

    Two new comments from TinkerTry visitors Alastair Mackinlay and Askar Kopbayev have been incorporated into the article above.


    See also at TinkerTry


    See also


    Upgrade Log

    Below, I've pasted the full text of my upgrade, helps you see what drivers were touched, use the horizonal scroll bar or shift + mousewheel to look around, Ctrl+F works as needed too:

    login as: root
    Using keyboard-interactive authentication.
    Password:
    The time and date of this login have been sent to the system logs.
    
    VMware offers supported, powerful system administration tools.  Please
    see www.vmware.com/go/sysadmintools for details.
    
    The ESXi Shell can be disabled by an administrative user. See the
    vSphere Security documentation for more information.
    [root@xd-1567-5028d:~] esxcli network firewall ruleset set -e true -r httpClient
    [root@xd-1567-5028d:~] esxcli software profile install -p ESXi-6.5.0-20170404001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
    Installation Result
       Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
       Reboot Required: true
       VIBs Installed: VMW_bootbank_net-ixgbe_3.7.13.7.14iov-20vmw.650.0.0.4564106, VMware_bootbank_esx-base_6.5.0-0.19.5310538, VMware_bootbank_esx-ui_1.18.0-5270848, VMware_bootbank_vsan_6.5.0-0.19.5310540, VMware_bootbank_vsanhealth_6.5.0-0.19.5310541
       VIBs Removed: INT_bootbank_net-ixgbe_4.5.1-1OEM.600.0.0.2494585, VMware_bootbank_esx-base_6.5.0-0.15.5224529, VMware_bootbank_esx-ui_1.15.0-5069532, VMware_bootbank_vsan_6.5.0-0.15.5224529, VMware_bootbank_vsanhealth_6.5.0-0.15.5224529
       VIBs Skipped: VMW_bootbank_ata-libata-92_3.00.9.2-16vmw.650.0.0.4564106, VMW_bootbank_ata-pata-amd_0.3.10-3vmw.650.0.0.4564106, VMW_bootbank_ata-pata-atiixp_0.4.6-4vmw.650.0.0.4564106, VMW_bootbank_ata-pata-cmd64x_0.2.5-3vmw.650.0.0.4564106, VMW_bootbank_ata-pata-hpt3x2n_0.3.4-3vmw.650.0.0.4564106, VMW_bootbank_ata-pata-pdc2027x_1.0-3vmw.650.0.0.4564106, VMW_bootbank_ata-pata-serverworks_0.4.3-3vmw.650.0.0.4564106, VMW_bootbank_ata-pata-sil680_0.4.8-3vmw.650.0.0.4564106, VMW_bootbank_ata-pata-via_0.3.3-2vmw.650.0.0.4564106, VMW_bootbank_block-cciss_3.6.14-10vmw.650.0.0.4564106, VMW_bootbank_char-random_1.0-3vmw.650.0.0.4564106, VMW_bootbank_ehci-ehci-hcd_1.0-4vmw.650.0.14.5146846, VMW_bootbank_elxnet_11.1.91.0-1vmw.650.0.0.4564106, VMW_bootbank_hid-hid_1.0-3vmw.650.0.0.4564106, VMW_bootbank_i40en_1.1.0-1vmw.650.0.0.4564106, VMW_bootbank_igbn_0.1.0.0-12vmw.650.0.0.4564106, VMW_bootbank_ima-qla4xxx_2.02.18-1vmw.650.0.0.4564106, VMW_bootbank_ipmi-ipmi-devintf_39.1-4vmw.650.0.0.4564106, VMW_bootbank_ipmi-ipmi-msghandler_39.1-4vmw.650.0.0.4564106, VMW_bootbank_ipmi-ipmi-si-drv_39.1-4vmw.650.0.0.4564106, VMW_bootbank_ixgben_1.0.0.0-9vmw.650.0.14.5146846, VMW_bootbank_lpfc_11.1.0.6-1vmw.650.0.0.4564106, VMW_bootbank_lsi-mr3_6.910.18.00-1vmw.650.0.0.4564106, VMW_bootbank_lsi-msgpt2_20.00.01.00-3vmw.650.0.0.4564106, VMW_bootbank_lsi-msgpt3_12.00.02.00-11vmw.650.0.0.4564106, VMW_bootbank_misc-cnic-register_1.78.75.v60.7-1vmw.650.0.0.4564106, VMW_bootbank_misc-drivers_6.5.0-0.14.5146846, VMW_bootbank_mtip32xx-native_3.9.5-1vmw.650.0.0.4564106, VMW_bootbank_ne1000_0.8.0-11vmw.650.0.14.5146846, VMW_bootbank_nenic_1.0.0.2-1vmw.650.0.0.4564106, VMW_bootbank_net-bnx2_2.2.4f.v60.10-2vmw.650.0.0.4564106, VMW_bootbank_net-bnx2x_1.78.80.v60.12-1vmw.650.0.0.4564106, VMW_bootbank_net-cdc-ether_1.0-3vmw.650.0.0.4564106, VMW_bootbank_net-cnic_1.78.76.v60.13-2vmw.650.0.0.4564106, VMW_bootbank_net-e1000_8.0.3.1-5vmw.650.0.0.4564106, VMW_bootbank_net-e1000e_3.2.2.1-2vmw.650.0.0.4564106, VMW_bootbank_net-enic_2.1.2.38-2vmw.650.0.0.4564106, VMW_bootbank_net-fcoe_1.0.29.9.3-7vmw.650.0.0.4564106, VMW_bootbank_net-forcedeth_0.61-2vmw.650.0.0.4564106, VMW_bootbank_net-igb_5.0.5.1.1-5vmw.650.0.0.4564106, VMW_bootbank_net-libfcoe-92_1.0.24.9.4-8vmw.650.0.0.4564106, VMW_bootbank_net-mlx4-core_1.9.7.0-1vmw.650.0.0.4564106, VMW_bootbank_net-mlx4-en_1.9.7.0-1vmw.650.0.0.4564106, VMW_bootbank_net-nx-nic_5.0.621-5vmw.650.0.0.4564106, VMW_bootbank_net-tg3_3.131d.v60.4-2vmw.650.0.0.4564106, VMW_bootbank_net-usbnet_1.0-3vmw.650.0.0.4564106, VMW_bootbank_net-vmxnet3_1.1.3.0-3vmw.650.0.0.4564106, VMW_bootbank_nhpsa_2.0.6-3vmw.650.0.0.4564106, VMW_bootbank_nmlx4-core_3.16.0.0-1vmw.650.0.0.4564106, VMW_bootbank_nmlx4-en_3.16.0.0-1vmw.650.0.0.4564106, VMW_bootbank_nmlx4-rdma_3.16.0.0-1vmw.650.0.0.4564106, VMW_bootbank_nmlx5-core_4.16.0.0-1vmw.650.0.0.4564106, VMW_bootbank_ntg3_4.1.0.0-1vmw.650.0.0.4564106, VMW_bootbank_nvme_1.2.0.32-2vmw.650.0.0.4564106, VMW_bootbank_nvmxnet3_2.0.0.22-1vmw.650.0.0.4564106, VMW_bootbank_ohci-usb-ohci_1.0-3vmw.650.0.0.4564106, VMW_bootbank_pvscsi_0.1-1vmw.650.0.0.4564106, VMW_bootbank_qedentv_2.0.3.29-1vmw.650.0.0.4564106, VMW_bootbank_qfle3_1.0.2.7-1vmw.650.0.0.4564106, VMW_bootbank_qflge_1.1.0.3-1vmw.650.0.0.4564106, VMW_bootbank_qlnativefc_2.1.30.0-11vmw.650.0.0.4564106, VMW_bootbank_sata-ahci_3.0-22vmw.650.0.0.4564106, VMW_bootbank_sata-ata-piix_2.12-10vmw.650.0.0.4564106, VMW_bootbank_sata-sata-nv_3.5-4vmw.650.0.0.4564106, VMW_bootbank_sata-sata-promise_2.12-3vmw.650.0.0.4564106, VMW_bootbank_sata-sata-sil24_1.1-1vmw.650.0.0.4564106, VMW_bootbank_sata-sata-sil_2.3-4vmw.650.0.0.4564106, VMW_bootbank_sata-sata-svw_2.3-3vmw.650.0.0.4564106, VMW_bootbank_scsi-aacraid_1.1.5.1-9vmw.650.0.0.4564106, VMW_bootbank_scsi-adp94xx_1.0.8.12-6vmw.650.0.0.4564106, VMW_bootbank_scsi-aic79xx_3.1-5vmw.650.0.0.4564106, VMW_bootbank_scsi-bnx2fc_1.78.78.v60.8-1vmw.650.0.0.4564106, VMW_bootbank_scsi-bnx2i_2.78.76.v60.8-1vmw.650.0.0.4564106, VMW_bootbank_scsi-fnic_1.5.0.45-3vmw.650.0.0.4564106, VMW_bootbank_scsi-hpsa_6.0.0.84-1vmw.650.0.0.4564106, VMW_bootbank_scsi-ips_7.12.05-4vmw.650.0.0.4564106, VMW_bootbank_scsi-iscsi-linux-92_1.0.0.2-3vmw.650.0.0.4564106, VMW_bootbank_scsi-libfc-92_1.0.40.9.3-5vmw.650.0.0.4564106, VMW_bootbank_scsi-megaraid-mbox_2.20.5.1-6vmw.650.0.0.4564106, VMW_bootbank_scsi-megaraid-sas_6.603.55.00-2vmw.650.0.0.4564106, VMW_bootbank_scsi-megaraid2_2.00.4-9vmw.650.0.0.4564106, VMW_bootbank_scsi-mpt2sas_19.00.00.00-1vmw.650.0.0.4564106, VMW_bootbank_scsi-mptsas_4.23.01.00-10vmw.650.0.0.4564106, VMW_bootbank_scsi-mptspi_4.23.01.00-10vmw.650.0.0.4564106, VMW_bootbank_scsi-qla4xxx_5.01.03.2-7vmw.650.0.0.4564106, VMW_bootbank_shim-iscsi-linux-9-2-1-0_6.5.0-0.0.4564106, VMW_bootbank_shim-iscsi-linux-9-2-2-0_6.5.0-0.0.4564106, VMW_bootbank_shim-libata-9-2-1-0_6.5.0-0.0.4564106, VMW_bootbank_shim-libata-9-2-2-0_6.5.0-0.0.4564106, VMW_bootbank_shim-libfc-9-2-1-0_6.5.0-0.0.4564106, VMW_bootbank_shim-libfc-9-2-2-0_6.5.0-0.0.4564106, VMW_bootbank_shim-libfcoe-9-2-1-0_6.5.0-0.0.4564106, VMW_bootbank_shim-libfcoe-9-2-2-0_6.5.0-0.0.4564106, VMW_bootbank_shim-vmklinux-9-2-1-0_6.5.0-0.0.4564106, VMW_bootbank_shim-vmklinux-9-2-2-0_6.5.0-0.0.4564106, VMW_bootbank_shim-vmklinux-9-2-3-0_6.5.0-0.0.4564106, VMW_bootbank_uhci-usb-uhci_1.0-3vmw.650.0.0.4564106, VMW_bootbank_usb-storage-usb-storage_1.0-3vmw.650.0.0.4564106, VMW_bootbank_usbcore-usb_1.0-3vmw.650.0.0.4564106, VMW_bootbank_vmkata_0.1-1vmw.650.0.0.4564106, VMW_bootbank_vmkplexer-vmkplexer_6.5.0-0.0.4564106, VMW_bootbank_vmkusb_0.1-1vmw.650.0.14.5146846, VMW_bootbank_vmw-ahci_1.0.0-34vmw.650.0.14.5146846, VMW_bootbank_xhci-xhci_1.0-3vmw.650.0.0.4564106, VMware_bootbank_cpu-microcode_6.5.0-0.0.4564106, VMware_bootbank_emulex-esx-elxnetcli_11.1.28.0-0.0.4564106, VMware_bootbank_esx-dvfilter-generic-fastpath_6.5.0-0.0.4564106, VMware_bootbank_esx-tboot_6.5.0-0.0.4564106, VMware_bootbank_esx-xserver_6.5.0-0.0.4564106, VMware_bootbank_lsu-hp-hpsa-plugin_2.0.0-3vmw.650.0.0.4564106, VMware_bootbank_lsu-lsi-lsi-mr3-plugin_1.0.0-7vmw.650.0.0.4564106, VMware_bootbank_lsu-lsi-lsi-msgpt3-plugin_1.0.0-6vmw.650.0.0.4564106, VMware_bootbank_lsu-lsi-megaraid-sas-plugin_1.0.0-7vmw.650.0.0.4564106, VMware_bootbank_lsu-lsi-mpt2sas-plugin_2.0.0-5vmw.650.0.0.4564106, VMware_bootbank_native-misc-drivers_6.5.0-0.0.4564106, VMware_bootbank_rste_2.0.2.0088-4vmw.650.0.0.4564106, VMware_bootbank_vmware-esx-esxcli-nvme-plugin_1.2.0.10-0.0.4564106, VMware_locker_tools-light_6.5.0-0.0.4564106
    [root@xd-1567-5028d:~] esxcli network firewall ruleset set -e false -r httpClient
    [root@xd-1567-5028d:~] reboot