Previously, Auto Deploy and Image Builder could only be driven from PowerCLI. That changed in vSphere 6.5: the new GUI in the vSphere Web Client lets you build a custom image without writing a script. So, today in the lab: how to create a custom ESXi 6.5 ISO.
This post walks through updating a vendor-specific ESXi image with updated VIBs. In this instance we are applying the patch which bundles the esx-base, esx-tboot, vsan and vsanhealth VIBs together with the updated CPU microcode, to provide part of the hypervisor-assisted guest mitigation for the Branch Target Injection issue (CVE-2017-5715), commonly known as Spectre. Note that the hypervisor patch on its own is not enough: the guest mitigation also needs the new CPU microcode (either this VIB or a vendor firmware update) and a patched guest OS. The appropriate patches for ESXi 6.0 and 5.5 can be found in VMware Security Announcement VMSA-2018-0004.3.
For more information on Meltdown and Spectre see blog post; VMware's responses can be found on the VMware Security & Compliance Blog, as well as in VMware Security Announcement VMSA-2018-0004. Ensure your vCenter Server is also patched accordingly by following the guidance in post. There are a number of ways to push out ESXi patches to hosts, such as . The latest images can be downloaded from the patch repository. As we are using vendor-specific images, which are typically slow to be updated from the main VMware image, there is no vendor image available that mitigates Spectre at the time of writing.
Therefore the steps below cover replacing VIBs in the HPE ESXi 6.5 image with the updated VIBs released by VMware. The same process can be used for other vendor images and ESXi versions by downloading the appropriate images; however, the custom image we create is not a vendor-certified build and may not be supported, so it may not be appropriate for production environments. The steps below assume Auto Deploy and Image Builder are already set up. You do not need to use Auto Deploy to be able to use Image Builder, but the services do need to be started; if they are not, see the . Download the latest vendor image, in my case I am using , and the latest ESXi build from the patch repository. Log into the vSphere Web Client and click the Auto Deploy icon on the home page. Click the Software Depots tab.
Software depots contain images or software packages. If you don't already have a custom software depot, click the Add Software Depot icon to add a new custom depot where images will be stored. Use Import Software Depot to upload a zip file; in this case we need to add the vendor image (in my case VMware-ESXi-6.5.0-Update1-7388607-HPE-650.U1.10.2.0.23-Feb2018-depot.zip) and the updated VMware image (ESXi601.zip). Select the software depot containing the vendor image, in my case VMware-ESXi-6.5.0-Update1-7388607-HPE-650.U1.10.2.0.23-Feb2018-depot. Under Image Profiles select the vendor image and click Clone. We are cloning the vendor image so that the existing VIBs can be swapped for the updated ones while the original vendor profile is left untouched. Enter a name and vendor for the image, and select the custom software depot to store it in.
On the next page the software packages are listed; those already included in the build are ticked. Ensure the Software depot drop-down is set to All depots, otherwise the updated VIBs from the VMware patch depot will not be shown.
Review the updated VIBs in the appropriate ESXi patch release:
- VMware_bootbank_esx-base_6.5.0-1
- VMware_bootbank_esx-tboot_6.5.0-1
- VMware_bootbank_vsan_6.5.0-1
- VMware_bootbank_vsanhealth_6.5.0-1
- VMware_bootbank_cpu-microcode_6.5.0-1
Use the search function to find each of the updated VIBs.
Un-select the existing version and select the new version to add it to the build. For the Spectre patches remember to include the CPU microcode. Once complete click Next and Finish; the wizard validates dependencies at this point, so a missing or mismatched VIB will fail here rather than at install time. Select the custom software depot where the image has been created. The image is now ready to use with an Auto Deploy rule, or can be exported in ISO or ZIP format by right-clicking and selecting Export Image Profile. For the Spectre updates, after the new image has been installed on or applied to an ESXi host we can verify the hypervisor-assisted guest mitigation.
Blog post from virtuallyGhetto provides PowerCLI functions and instructions for validating that the correct microcode and patches are present. In the example below I have updated host 1 but not host 2: The virtual machines can also be validated to confirm they are seeing the new CPU features; a full power cycle (not a guest reboot) is required for each VM, because the CPU features are only re-evaluated when the VM is powered on. Before power cycling: After power cycling.
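The same build can be scripted with the PowerCLI Image Builder cmdlets, which is useful when you have to repeat it for several vendor images or the next patch release. The block below is an added example and is not code from the original post: the depot paths, the vendor-name filter and the new profile name are assumptions for illustration, so substitute the bundles you actually downloaded.

```powershell
# Added example: PowerCLI equivalent of the Image Builder GUI steps above.
# Paths, the vendor filter and the profile name are assumptions for illustration.
Import-Module VMware.ImageBuilder

$vendorDepot = 'C:\depots\VMware-ESXi-6.5.0-Update1-7388607-HPE-650.U1.10.2.0.23-Feb2018-depot.zip'
$patchDepot  = 'C:\depots\ESXi650-patch-depot.zip'   # assumed file name of the VMware patch offline bundle
$newName     = 'HPE-ESXi-6.5.0-U1-Spectre'           # assumed name for the cloned profile
$outDir      = 'C:\depots'

# 1. Load both offline bundles as software depots (equivalent to Import Software Depot).
Add-EsxSoftwareDepot -DepotUrl $vendorDepot, $patchDepot | Out-Null

# 2. Pick the vendor image profile to clone. With two depots loaded, Get-EsxImageProfile
#    returns profiles from both, so filter on the vendor name (assumed 'Hewlett*' here).
$vendorProfile = Get-EsxImageProfile | Where-Object { $_.Vendor -like 'Hewlett*' } | Select-Object -First 1
if (-not $vendorProfile) { throw 'Vendor image profile not found in the loaded depots.' }

# 3. Clone it. The clone is what we modify; the vendor profile is left untouched.
$custom = New-EsxImageProfile -CloneProfile $vendorProfile -Name $newName -Vendor 'Custom' `
              -AcceptanceLevel PartnerSupported

# 4. Replace each listed VIB with the newest version present in any loaded depot.
#    Add-EsxSoftwarePackage replaces an existing package of the same name in the profile.
$vibs = 'esx-base', 'esx-tboot', 'vsan', 'vsanhealth', 'cpu-microcode'
foreach ($name in $vibs) {
    $old = $custom.VibList | Where-Object { $_.Name -eq $name }
    $new = Get-EsxSoftwarePackage -Name $name -Newest
    if (-not $new) { throw "No package named $name in the loaded depots." }
    if ($old -and $old.Version -eq $new.Version) {
        Write-Host "$name already at $($new.Version), nothing to do"
        continue
    }
    Write-Host ('{0}: {1} -> {2}' -f $name, $old.Version, $new.Version)
    Add-EsxSoftwarePackage -ImageProfile $custom -SoftwarePackage $new | Out-Null
}

# 5. Show the resulting versions before export so a wrong depot is caught early.
#    Dependency and conflict validation is performed again by Export-EsxImageProfile.
$custom.VibList | Where-Object { $vibs -contains $_.Name } |
    Select-Object Name, Version, Vendor, AcceptanceLevel | Format-Table -AutoSize

# 6. Export as an ISO (installation/upgrade media) and as a ZIP offline bundle (esxcli / Update Manager).
Export-EsxImageProfile -ImageProfile $custom -ExportToIso    -FilePath (Join-Path $outDir "$newName.iso")
Export-EsxImageProfile -ImageProfile $custom -ExportToBundle -FilePath (Join-Path $outDir "$newName-depot.zip")
```

The acceptance level is set to PartnerSupported because that is the level of the vendor VIBs being carried over; if you instead pick VMwareCertified the export will refuse any VIB signed at a lower level. As with the GUI path, the resulting image is a custom build and carries the support caveat mentioned above.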
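A minimal version of the same verification, written as an added example rather than taken from the post or from virtuallyGhetto's script: it reads the host feature capabilities and each VM's feature requirements and reports whether the three Spectre-related CPU features are present. The vCenter name is an assumption, and the feature keys cpuid.IBRS, cpuid.IBPB and cpuid.STIBP are the names ESXi is assumed to advertise once both the hypervisor patch and the microcode are in place.

```powershell
# Added example: check hypervisor-assisted guest mitigation from PowerCLI.
# The vCenter name and the three feature key names are assumptions for illustration.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcenter.lab.local' | Out-Null   # assumed vCenter

# Feature keys expected on a host that has the patched ESXi build and new microcode.
$keys = 'cpuid.IBRS', 'cpuid.IBPB', 'cpuid.STIBP'

function Get-HostMitigationStatus {
    param([Parameter(Mandatory)] $VMHost)
    # FeatureCapability entries carry a Key and a string Value ('1' = supported).
    $view = $VMHost | Get-View -Property Name, Config.FeatureCapability, Config.Product
    $present = @($view.Config.FeatureCapability |
        Where-Object { $keys -contains $_.Key -and $_.Value -eq '1' } |
        ForEach-Object { $_.Key })
    [pscustomobject]@{
        Host    = $view.Name
        Build   = $view.Config.Product.Build
        IBRS    = $present -contains 'cpuid.IBRS'
        IBPB    = $present -contains 'cpuid.IBPB'
        STIBP   = $present -contains 'cpuid.STIBP'
        # All three present means the patch and microcode are both active on this host.
        Patched = ($present.Count -eq $keys.Count)
    }
}

function Get-VMMitigationStatus {
    param([Parameter(Mandatory)] $VM)
    # A VM only picks up new features at power-on, so a powered-on VM that still lacks
    # them needs a full power cycle (a guest reboot is not enough).
    $view = $VM | Get-View -Property Name, Runtime.PowerState, Runtime.FeatureRequirement
    $req = @($view.Runtime.FeatureRequirement |
        Where-Object { $keys -contains $_.Key } |
        ForEach-Object { $_.Key })
    [pscustomobject]@{
        VM                 = $view.Name
        PowerState         = $view.Runtime.PowerState
        SeesNewCPUFeatures = ($req.Count -eq $keys.Count)
    }
}

Get-VMHost | ForEach-Object { Get-HostMitigationStatus -VMHost $_ } | Format-Table -AutoSize
Get-VM | Where-Object { $_.PowerState -eq 'PoweredOn' } |
    ForEach-Object { Get-VMMitigationStatus -VM $_ } | Format-Table -AutoSize
```

A host that shows the new build but none of the three features typically has the ESXi patch but not the microcode (or has had the microcode VIB masked by older vendor firmware), which is exactly the case the CPU microcode VIB in the custom image is meant to cover. A VM on a fully patched host that still reports SeesNewCPUFeatures as false has not yet been power cycled.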