The last couple of days have been busy, as VMware has released updates for Virtual Appliances that have the Shellshock vulnerability.
I recently patched my Log Insight instances, but I am also responsible for Site Recovery Manager (SRM) with vSphere Replication (VR).
Based on the VMware Security Advisory, SRM 5.5 itself does not have the vulnerability but because it is bundled with VR, SRM has to be updated as well. I did not see SRM 5.8 on the list but I did see VR 5.8. I haven’t installed the new SRM so my guess is that SRM 5.8 does not bundle the VR appliance.
I won’t get into the SRM update, the VMware article is here. Please note that you have to update SRM prior to updating VR. I think that the SRM upgrade process (especially for the VR bits) is a bit overkill. You basically re-install SRM in its entirety. Not a terribly difficult process, but you have to accept the new SSL certs (if regenerating) and you need to remember to re-connect the sites in the plug-in (I glossed over the last step in the article, RTFM would have saved me half an hour).
The VR upgrade process is a lot more interesting though, the VMware article is here. There are basically three methods:
- Attach the ISO and reboot the appliance
- Use VAMI from the web interface
- Use Update Manager
#1 seemed really straightforward, while #2 and #3 intrigued me. I looked at #2 but I was concerned that I wouldn’t be able to get through the firewall so I decided to go with #3 which is to use Update Manager.
I was kind of excited to use Update Manager for a Virtual Appliance, I have used it for hosts quite a bit but never for an appliance.
Check Update Manager Config
I found inconsistent settings between my Update Managers, so you should first go to Home -> Solutions and Applications -> Update Manager
Attach Baseline to VR Appliance
Home -> Inventory -> VMs and Templates
Click on the VR Appliance
Click on Update Manager
Right-Click and Choose “Attach Baseline”
Check the “VA Upgrade to Latest (Predefined)” baseline and click Attach
You should now see the compliance pie-chart say “92%” instead of 100%. I’m not sure how it calculates this, possibly it’s incorrectly looking at how many of the patches in the baseline are required and divides that by the total number of patches in the baseline (regardless if those patches apply or not).
If you still see 100%, then Update Manager may not have downloaded the updates. Repeat the previous step until you see the 220.127.116.11 vSphere Replication Appliance patch in the repository
Click Next to remediate now (instead of scheduling for later)
You can have Update Manager take a snapshot before remediating (nice option). For my first appliance I used this feature but I turned it off later once I felt that the process wasn’t bricking VR.
Click Finish on the next screen
You will see an Update Manager task showing the completion percentage.
In tasks you may see a new SSL cert get pushed out
Once complete, you will see the following in Update Manager
If you open the console, you will see that it is at 18.104.22.168
If you chose to have Update Manager create a snapshot, make sure to delete the snapshot
Right Click on VM -> Snapshot -> Snapshot Manager
Delete the snapshot
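To confirm from inside the appliance that the update replaced the vulnerable bash, a local check like the following can be run on the VR appliance console or over SSH. This is an added example, not VMware tooling or part of the original post; the function names, the marker string and the list of bash paths are assumptions.

```shell
#!/bin/sh
# Added example (not VMware's tooling): local post-remediation Shellshock check.

MARKER="ENV_IMPORT_EXECUTED"   # constructed marker string

# check_bash BIN: prints patched | vulnerable | missing | unknown
check_bash() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo "missing"; return 2
    fi
    # The variable's value looks like a function definition with a trailing
    # echo. A vulnerable bash runs that echo while importing its environment;
    # a fixed bash treats the value as plain data.
    out=$(env probe="() { :;}; echo $MARKER" "$bin" -c 'echo finished' 2>/dev/null)
    case "$out" in
        *"$MARKER"*) echo "vulnerable"; return 1 ;;
        *finished*)  echo "patched";    return 0 ;;
        *)           echo "unknown";    return 3 ;;
    esac
}

# scan_shells: check every bash found in the usual locations (assumed paths).
# Returns 0 only if no copy reports "vulnerable" or "unknown".
scan_shells() {
    rc=0
    for bin in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        result=$(check_bash "$bin")
        [ "$result" = "missing" ] && continue
        ver=$("$bin" --version 2>/dev/null | head -n 1)
        echo "$bin: $result ($ver)"
        [ "$result" = "patched" ] || rc=1
    done
    return $rc
}

if scan_shells; then
    echo "No vulnerable bash found"
else
    echo "At least one bash still needs the update"
fi
```

A "patched" result only covers the original environment-import flaw; the appliance version shown in Update Manager and on the console remains the reference for the related fixes shipped in later bash patches.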
Issues Reconnecting VR Appliance
I have seen issues where one or both VR appliances may show as disconnected in SRM
I have also seen issues where the web client does not see the vSphere Replication server as installed even though SRM and the rest of the thick client does
This screenshot was from my lab environment after the VR update.
I saw the above two errors in my prod environment (no errors in my lab environment)
What I found that resolves the issue is to
- Wait for 5-10 minutes
- Re-configure the VR Connection
- Log out of the Web Client
For SRM, it seems to take a little time for the VR appliances to show back up in the list and to show as connected on both sites.
In my lab, I saw one side was up while the other side showed disconnected. At that point I re-configured the VR Connection.
In SRM both sites started to look good.
After logging out of the web client and logging back in, that looked good as well.
Note that this screenshot was from my prod environment, thus the two extra vCenters in the middle that DO NOT have the VR appliance installed.
For prod I actually tried the “Break VR Connection” option and then “Configure VR Connection” option. I’m not sure if both were necessary because I didn’t log out of the web client in-between.
Using Update Manager to update appliances is pretty slick, but you don’t see it for every appliance. vCOPS and Log Insight require you to upload the PAK file via the web console (which is pretty easy) and I believe the vMA has its own method as well. I’m hoping that VMware unifies its patching methodology, it’s interesting but also a pain to patch these appliances using different methods.