HPE Firmware updates on an ESXi 6.5 Host

We use HPE DL380 Gen9 servers for our Private Cloud infrastructure at work. I’m one of those people who like to update the firmware/BIOS/iLO on a regular basis.

hpe-6-0-support
Figure 1
My method to do this is simple, and for ESXi 5.5 and 6.0 this is what I do:

  1. Upload the VMware specific firmware update files from the HPE support pages (Figure 1) to a Shared Datastore on my NetApp SAN
  2. Put the host I’m updating in to Maintenance mode
  3. Enable SSH on the host
  4. Change to the /tmp directory on the host (I like to do this so that, post-reboot, no mess is left behind)
  5. Run the unzip command with the path to the firmware file and the filename at the end.
  6. Run the resulting .vmexe file and allow the firmware update to complete
  7. Reboot the host

So that’s all nice and straightforward.

However, once I had upgraded a host to ESXi 6.5 (which went pretty smoothly I hasten to add) I found that these firmware update files no longer worked – OS not recognised by installer.

Hmmmm, so I changed the OS type on the HPE Support Download page to “VMware vSphere 6.5” and there are no firmware update files available at this time.

hpe-6-5-support
Figure 2
You can see from Figure 2 that there are no firmware update files available at all for the new version of vSphere.

I chatted to HPE support who did not know when these would be available. They also pointed me at the HP SPP (Offline Updater) as an alternative. I’ve used this before but it will need some customisation to ensure the specific updates I want installed are added to the ISO. All a bit of a pain but I’m sure HPE will upload the necessary firmware files soon.

**UPDATE – 11th May, 2017**

The HPE Support site now has firmware files for ESXi 6.5…hurrah!

hpe_support
Figure 3
…and here’s me applying one of the updates:

[root@esxi01:/tmp] esxcli system version get
Product: VMware ESXi
Version: 6.5.0
Build: Releasebuild-5224529
Update: 0
Patch: 15


[root@esxi01:/tmp] ./CP031407.vmexe
OS Version found  [6.5.0]
./_CP031407.scexe: Process [6.5.0] with path [./ESXi_6.5]


iLO Flasher v2.0.0-5 for VMware ESXi
(C) Copyright 2002-2017 Hewlett Packard Enterprise Development LP
Firmware image: ./ilo4_253.bin
Current iLO 4 firmware version  2.50; Serial number ILO


Component XML file: ./CP031407.xml
./CP031407.xml reports firmware version 2.53
This operation will update the firmware on the
iLO 4 in this server with version 2.53.
Continue (y/N)?y
Current firmware is  2.50 (Sep 23 2016 00:00:00)
Firmware image is 0x1001b1c(16784156) bytes
Committing to flash part...
******** DO NOT INTERRUPT! ********
Flashing is underway... 100 percent programmed. -
Succeeded.
***** iLO 4 reboot in progress (may take up to 60 seconds.)
***** Please ignore console messages, if any.
iLO 4 reboot completed.

Resolve the Security Alert in Putty 0.68 on Cisco ASA firewalls

Not cloud related but useful to some all the same.

With the recent introduction of Putty version 0.68 you may now get the following Security Alert when SSH’ing to Cisco ASA firewalls. See this link for more info on why.

putty068-nag

Getting rid of this nag, i.e. improving the security of your firewall, is simple.

Update your crypto general-keys pair to a 2048-bit modulus, and then change the SSH key-exchange group. Here’s the code:

firewall(config)# crypto key generate rsa general-keys modulus 2048
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...

firewall(config)# ssh key-exchange group dh-group14-sha1

How to attach a Custom ESXi image to an Update Manager baseline

This may seem obvious/simple to a lot of people but I remember when I first needed to do this I had to do a fair bit of reading/googling. This post is for those people 🙂

The first time I had a reason to do this was when I spotted my host’s Image Profile name showed a version older than the version of ESXi I knew I was running on the host. Figure 1 below shows where the Image Profile name is found (this example is not mismatched).

image_profile_version
Figure 1

To update the Image Profile name and the running ESXi version, if that is not already up-to-date, you will need to attach a Custom ESXi image to an Update Manager baseline.

Most of the major OEM server vendors have a custom image for ESXi. These will have specific drivers and management utilities embedded in to the image to help ‘make things work first time’. These custom images can normally be found on the server vendor websites but you can also find them all on VMware’s Download pages. Just search for vCenter, ESXi, then click the Custom ISO tab (see Figure 2).

custom_isos
Figure 2

Download the one for your server (the ISO not the Offline Bundle) and browse to Update Manager – Manage – ESXi Images.

Click “Import ESXi Image” (see Figure 3).

add_esxi_image
Figure 3

Browse to your ISO and click Import (see Figure 4).

importing_image
Figure 4

You’ll now have the image listed but not attached to a baseline (see Figure 5).

image_list
Figure 5

Let’s attach it to a Baseline then!

Browse to “Hosts Baselines” and click the green + sign above “Baseline Name”. Give it a useful description and click “Host Upgrade” (see Figure 6).

new_baseline01
Figure 6

Click Next and select the image you’ve just uploaded (Figure 7).

new_baseline02
Figure 7

Click Next and then Finish.

Finally you need to attach the baseline to Update Manager. This ensures that when you next “Scan for Updates”, Update Manager will check compliance with the new Custom ESXi image.

Click “Update Manager” under the “Manage” tab and then “Attach Baseline”.

attach_baseline01
Figure 8

Select your new Baseline and then click OK. That’s it!

Now when you “Scan for Updates”, you will see whether your hosts need to be upgraded/remediated to the new baseline image. If they do, and once you complete remediation, your Image Profile name will now match the Custom ESXi image you just deployed.

vSphere 6.0 Update 3 – Client Integration Plugin link broken

Edit_01: As quickly as I post this it seems that VMware have fixed the broken link. Happy Days! Thanks to Mark Brookfield, a.k.a. VirtualHobbit for the heads-up 🙂 Apparently the CIP installer is also in the main vSphere .iso ….although I can’t find it in there myself.

I started the update process this morning to get our environment upgraded to vSphere 6.0 Update 3. As is best practice, I followed the official Upgrade Path KB article on VMware’s website and upgraded my vCenter instance first (we don’t have any vRA or NSX).

The vCenter Server management portal identified the required update, processed it, then rebooted itself. A few minutes later I went to login to vCenter and hoped to use SSO to sign in, as I always do, but was presented with what you see in Figure 1 instead.

sso_upgrade_plugin
Figure 1

Note the “Upgrade Client Integration Plugin” in the bottom left. OK, so let’s click that and upgrade…..nope 😦 Error!

An error occurred while processing your request.
Reference #132.4d8b1bb8.1488203316.17e2daae

The exact link tries to hit:
http://vsphereclient.vmware.com/vsphereclient/VMware-ClientIntegrationPlugin-6.0.0-4911605.exe

This is clearly broken. Manual searching on VMware’s website for this version of the plugin was to no avail.

I suspect, therefore, that we’ll need to wait until VMware fix the link before we can use SSO again for vCenter 6.0 U3? Comments welcome 👍

First, like, ever post!

Brand new website!

So for my very first post, what shall I write about?? How about some of my sources of information when I’m researching a problem or a new tech? Yeah, that’ll do.
I find a lot of very useful information on other Blogs. Take a look to the left of this page under the Blogs I Follow section for 5 of my favourites.

…but there’s way more than that out there. Take a look at this link to the Top vBlogs of 2016.

I’m excited to get to work on publishing articles with helpful tips and news stories over the coming months. Wish me well!