In my previous articles in this series, I discussed patch management best practices and the benefits of a server patch management strategy. This tip focuses on virtual machine (VM) updates, patching methods and the placement of virtual machines on particular hosts.
Virtual machine updates are just as important as keeping hosts up to date. Keeping VMs patched and running at top efficiency helps maintain a stable virtual host environment. This practice applies not only to normal OS patches but also to all supporting software and agents for workloads being deployed.
Even though the method for virtual machine updates does not differ much from patching physical servers, you should consider certain factors that are based on host hardware resources, service-level obligations and your company's business model. These factors play an important role in how to provision VMs and architect an environment.
Finding virtual machine updates
Besides Microsoft's Patch Tuesday security updates, you need to know whether certain host patches require another patch or update at the VM level. In some cases, when a patch changes the hypervisor version, the Integration Components (Hyper-V) or VMware Tools (vSphere) inside each guest will require an update as well. Here are the main locations for hypervisor patches from the major virtualization vendors:
- Microsoft Hyper-V Update List
- VMware Inc.'s patch download site
- Citrix Systems Inc.'s Knowledge Center
Consult the patch release notes carefully to determine whether any such patches are directly related to the VMs on your hypervisor. Following an update, VMs that are missing patches can suffer from instability or waste host resources.
In one instance, my Hyper-V host servers required a System Center Data Protection Manager (DPM) patch. As a result, I had to update to a newer version of Integration Components. Without this update, the backup procedure through DPM can become unstable. The lesson here is this: Know which patch dependencies have to be installed on your VMs.
How to perform virtual machine updates
Whether your preferred method is Windows Server Update Services (WSUS), System Center Configuration Manager, VMware vSphere Update Manager or manually initiating updates, your patching process for physical servers works on VMs. If you use a tool that automates OS patching, it will work on a VM. There is no reason to treat your VMs any differently.
In my environment, most Microsoft patches are deployed with WSUS on a monthly schedule. Our software distribution product then cleans up behind it (if necessary) and helps facilitate any other software installations that are not directly Microsoft-oriented. Many of my Linux VMs, however, are manually patched from the console.
The point is: It is business as usual, with no special attention given to the VM patch installation method.
Tools for virtual machine updates
When VMs are offline for an extended period of time, they miss the monthly patch cycles that the tools mentioned in the previous section would otherwise apply automatically. Test and development servers, for example, are often left offline for a considerable amount of time and then brought back online without recent patches, which leaves them exposed to vulnerabilities that the rest of the environment has already closed.
For Hyper-V VMs, the free tool Offline Virtual Machine Servicing Tool helps reduce vulnerabilities and can automate the installation of patches to offline VMs. This tool requires System Center Virtual Machine Manager (SCVMM) 2008 R1 or R2, and offline VMs must be stored in the SCVMM library. But if architected correctly, this tool maintains a level of security for offline VMs.
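The two exposures described above, guests whose Integration Components fell behind after a host update and guests that sat powered off through a patch cycle, can be surfaced from the host in one pass. The script below is an added example, not code from this article or from the Offline Virtual Machine Servicing Tool; it assumes the Hyper-V PowerShell module (Windows Server 2012 and later, where Microsoft renamed the components "Integration Services") and local administrator rights on the host. The function name `Get-VmPatchExposure` is ours.

```powershell
# Added example (not from the article): audit Hyper-V VMs for two patch-related
# risks -- Integration Services that lag the host after a hypervisor update, and
# VMs that are powered off and therefore invisible to WSUS/SCCM patch cycles.
# Assumes the Hyper-V PowerShell module and admin rights on the host.

function Get-VmPatchExposure {
    [CmdletBinding()]
    param(
        # Hyper-V host to query; defaults to the local machine
        [string]$ComputerName = $env:COMPUTERNAME
    )

    foreach ($vm in Get-VM -ComputerName $ComputerName) {
        # IntegrationServicesState is reported through the guest heartbeat:
        # "Up to date", "Update required", or empty when the VM is off or has
        # no working Integration Services to report with.
        $icState = if ([string]::IsNullOrEmpty($vm.IntegrationServicesState)) {
            'Unknown (VM off or no heartbeat)'
        } else {
            $vm.IntegrationServicesState
        }

        [pscustomobject]@{
            Host                = $ComputerName
            VM                  = $vm.Name
            State               = $vm.State
            ICVersion           = $vm.IntegrationServicesVersion
            ICState             = $icState
            # A powered-off VM never receives the monthly cycle; queue it for
            # offline servicing (or a controlled boot-and-patch window).
            NeedsOfflineService = ($vm.State -eq 'Off')
            # Guest components older than the host's hypervisor version.
            NeedsICUpdate       = ($vm.IntegrationServicesState -eq 'Update required')
        }
    }
}

# Usage: show only the VMs that need action, most urgent first
Get-VmPatchExposure |
    Where-Object { $_.NeedsOfflineService -or $_.NeedsICUpdate } |
    Sort-Object NeedsICUpdate, NeedsOfflineService -Descending |
    Format-Table -AutoSize
```

Run it against each host (or pass `-ComputerName` for remote hosts) after a hypervisor update and again before each monthly cycle; the `NeedsICUpdate` column tells you which guests carry the dependency the DPM example above illustrates, and `NeedsOfflineService` gives you the list to feed into whatever offline servicing process your environment uses.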
Remember: Selecting the right tool for your environment ensures that offline VMs comply with your organization's patching policies rather than silently falling behind them.
About the expert
Rob McShinsky is a senior systems engineer at Dartmouth Hitchcock Medical Center in Lebanon, N.H., and has more than 12 years of experience in the industry -- including a focus on server virtualization since 2004. He has been closely involved with Microsoft as an early adopter of Hyper-V and System Center Virtual Machine Manager 2008, as well as a customer reference. In addition, he blogs at VirtuallyAware.com, writing tips and documenting experiences with various virtualization products.