Simplified ESX patching

Here's what I've set up for our VMware ESX servers...

I have a space that's accessible via HTTP (snippet from httpd.conf)
<Directory /usslsbds001/esxpatches>
Options +Indexes
Order allow,deny
Allow from all

Alias /esxpatches/ "/usslsbds001/esxpatches/"

In there, I have directories corresponding to dates VMware has released patches (that I'm interested in)
# pwd
# ls -l
total 33
drwxr-xr-x 5 root root 5 Dec 6 15:24 20071115
drwxr-xr-x 8 root root 8 Dec 6 15:25 20071130
drwxr-xr-x 3 root root 13 Dec 12 14:13 latest
drwxr-xr-x 2 root root 14 Dec 12 14:14 packed

packed has the downloaded tgz files. $YYYYMMDD has the extracted patches for that date, and latest has the unpacked directory of 3.0.2 update 1, and symlinks ESX-1234567 -> ../YYYYMMDD/ESX-1234567. When a patch is superceded, I `chmod 0` it, and remove its link from latest.

I also have a scriptwriter that generates a set of esxupdate commands:
# cat ../latest/make-install.sh
# generate an "install" file for the ESX patches in the current directory

DS=`date +%Y%m%d%H%M`

ls | grep -v install | while read patch ; do
echo "esxupdate -n -r http://`uname -n`/esxpatches/latest/$patch update" >> install.$DS

rm -f install && ln -s install.$DS install

All of this rolls together on the ESX service console by simply doing (make sure HTTP client is open in the firewall)
GET http://thestorageplace/esxpatches/latest/install | sh

and rebooting...



Straddling the firewall with Zones

Our zonehosts have multiple NICs, on multiple subnets. This means that they have multiple default routes defined, so non-local packets are passed to those default routers in a round-robin fashion. In the past, this has not been a problem, because these default routers are actually just routers.

However now, I am creating a set of zonehosts that will be straddling a firewall. And like any good firewall, they will drop packets that are coming in on the "wrong" interface. So here's what I had to do to make this work:

Here's the config for this example:
ce0 ( -> fw interface
ce1 ( -> fw interface

On the global zone, edit /etc/ipf/ipf.conf to add the following rules for each interface
block out quick on ce0 to ce1: from to any
block out quick on ce1 to ce0: from to any

Now all the packets are put on their correct interface.

The only remaining question is "how does this deal with IPMP and link failures". That's something for this afternoon's research.