top of page
Writer's picturevP

Live Patching in ESXi: Zero-Downtime Upgrades Explained

In today's fast-paced IT environments, minimizing downtime during system updates is crucial. VMware's ESXi 8.0 U3 introduces Live Patching, a feature that enables administrators to apply critical patches without rebooting hosts or evacuating virtual machines (VMs). This capability ensures continuous operation and enhances system reliability.


What is Live Patching?

Live Patch is a technology that allows you to make changes to a running system without interrupting its operation. In the context of VMware ESXi, this means updating the hypervisor's kernel components—such as the virtual machine execution environment—while VMs continue to run uninterrupted. This approach significantly reduces maintenance windows and enhances system availability.


Considerations and Requirements

To utilize Live Patching, certain prerequisites must be met:

  • vCenter and ESXi Versions: Both vCenter and ESXi hosts must be running version 8.0 Update 3 or later.

  • vSphere Lifecycle Manager: The Enforce Live Patch setting must be enabled in the global vSphere Lifecycle Manager remediation settings or at the cluster remediation settings.

  • Distributed Resource Scheduler (DRS): DRS must be enabled on the vSphere cluster and set to fully automated mode to facilitate optimal resource allocation during patching.

  • Virtual Machine Compatibility: Certain VMs, such as those configured with vSphere Fault Tolerance, VMs using Direct Path I/O, and vSphere Pods, may not be compatible with the fast-suspend-resume process and might require manual remediation.


How Does Live Patching Work in ESXi 8.0?

The Live Patching process in ESXi 8.0 involves several key steps:

  1. Partial Maintenance Mode: The ESXi host enters a special state called partial maintenance mode. In this state, existing VMs continue to run, but no new VMs can be created on the host, and existing VMs cannot be migrated to or from the host.

  2. Mounting New Patch Components: A new revision of the target patch components is mounted in parallel with the current version. This parallel mounting allows the system to prepare the new components without disrupting ongoing operations.

  3. Patching the New Components: The new mount revision files and processes are patched, updating them to the desired state.

  4. Fast Suspend and Resume (FSR): Virtual machines undergo a fast-suspend-resume to consume the patched revision. This non-disruptive operation ensures that VMs are updated to the new environment without downtime.


A virtual machine FSR is a non-disruptive operation and is already used in virtual machine operations when adding or removing virtual hardware devices to powered-on virtual machines. 


Some virtual machines are not compatible with FSR. VMs configured with vSphere Fault Tolerance, VMs using Direct Path I/O and vSphere Pods cannot use FSR and need to be manually remediated. Manual remediation can either be done by migrating the virtual machine or by power cycling the virtual machine.

VMs participating in Shared-Disk clustering configuration (e.g. Microsoft SQL Server VMs participating in FCI) do not support FSR operations.


The vSphere Lifecycle Manager compliance scan will report virtual machines that are incompatible with FSR and the reason why. Having incompatible VMs on the host does not block live patch.


Benefits of Live Patching

Implementing Live Patching in ESXi 8.0 offers several advantages:

  • Minimized Downtime: By applying patches without rebooting hosts or evacuating VMs, Live Patching significantly reduces maintenance windows, ensuring continuous service availability.

  • Enhanced Security: Critical security patches can be applied promptly, reducing the window of vulnerability and enhancing the overall security posture of the virtualized environment.

  • Improved Operational Efficiency: The streamlined patching process reduces administrative overhead and accelerates the deployment of necessary updates.


Note: After a cluster has been successfully remediated, any hosts running VMs that do not support FSR will continue to report being out of compliance. The VMs must be manually migrated using vMotion or power cycled. Only then will the cluster report full compliance.


Live Patch is not compatible with systems configured with TPM devices, or systems configured with DPUs using vSphere Distributed Services Engine.


VMware ESXi's Live Patching feature in version 8.0 is a game-changer for managing updates in virtualized environments. By enabling zero-downtime upgrades, it ensures that critical patches can be applied without interrupting VM operations, enhancing both security and system reliability. This capability not only minimizes maintenance windows but also improves overall operational efficiency, making it a vital tool for organizations seeking to maintain high availability in their IT infrastructure.


With that, let's wrap this post here.


Thank you for reading!


*** Explore | Share | Grow ***

2 views0 comments

Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page