Infosec Scribbles

December 20, 2018

How to (offline) update standalone ESXi in your homelab

Say you have a homelab and, like me, you don’t have the space for a 42U rack and an enterprise vSphere license. Your options are Hyper-V, Xen, Proxmox or… a standalone ESXi machine on a free license.

Every now and then VMware releases updates for it, but there is no way to get them automatically on a standalone ESXi host. Thankfully, it’s not too hard to do by hand and here is a step-by-step that I wrote down for my own purposes.

Outdated ESXi hosts also may or may not be one of the most common findings in network security tests.

Check the patch tracker

There is a great patch tracker for VMware here. See if the build version is newer than yours:

You can find the build number on the main page of the ESXi Embedded Host Client

You can find the latest build number in the patch tracker

In this case, I am up to date, but if you are not, your build on the host will be older than the latest one in the patch tracker.

Install the update

Technically, there is an option to perform an online update from the CLI. Just click on the image profile link in the patch tracker for the command to run. However, in my experience offline updates are more straightforward and reliable.

Your first step is to enter maintenance mode and enable SSH access. Both can be done from the actions menu on the main page:

You can enable both maintenance mode and SSH on the main page of the ESXi Embedded Host Client

To enter maintenance mode, you will need to stop all your running VMs first. This is where your downtime begins.

Case A: version bump for a vendor customized image

Version bumps, e.g. from 6.5 to 6.7 can introduce hardware compatibility issues and are otherwise considered more risky. It is also an imageprofile update and non-customized bundles may refuse to install if you are already on a vendor profile.

Go to VMware download portal and search for %VendorName% Custom Image for ESXi %VersionNumber% Install CD. Download the offline bundle:

There are multiple variants of the install CD - pick the right one

Upload this file to any of your datastores. I have one specifically for ISOs, updates and alike, you probably have something similar.

In this case, the filename is VMware-ESXi-6.7.0-10302608-Fujitsu-v460-1-offline_bundle.zip, where you need to take note of the profile version identifier: 10302608-Fujitsu-v460-1.

Now check what your current profile name is:

You can find the image profile name on the main page of the ESXi Embedded Host Client

Given the profile name and version identifier above, the update command will be:

esxcli software profile update -p Fujitsu-VMvisor-Installer-6.7-10302608-v460-1 -d /vmfs/volumes/your_datastore/VMware-ESXi-6.7.0-10302608-Fujitsu-v460-1-offline_bundle.zip

Yours is going to be slightly different, according to your profile.

Case B: security and bug fixes

Minor updates will generally not be released by your hardware vendor. There is a separate page on VMware portal for this. Just select “ESXi (Embedded and Installable)” and your hypervisor version to get a full list of updates, then click “Download” against the ones you need.

Minor updates available on VMware patches portal

Here you don’t need to worry about the profile name. Just upload the zip file to any of your datastores. I have one specifically for ISOs, updates and alike, you probably have something similar. The update command will be simply:

esxcli software vib update -d /vmfs/volumes/your_datastore/ESXi670-201811001.zip

Monitor update progress

There is no --verbose option in esxcli and your only indicators will be vague and scarce messages at the beginning and at the very end of the process. To get a better understanding of what is going on, you can monitor the update progress by checking /var/log/esxupdate.log in another console:

tail -f /var/log/esxupdate.log

Finish the update

Once you have finished installing all the zip files and/or updating the image profile, you just need to disable maintenance mode and reboot your ESXi host. If you have autostart configured, this is it - no further action is required after booting back up.