Ansible Playbook: Patching ESXi Host

Ansible is a powerful automation tool that allows you to execute multiple tasks within one playbook. With Ansible, you can automate a wide range of tasks, from configuration management to application deployment, and more. Its ease of use and flexibility make it a popular choice for automating IT infrastructure. As you continue to learn Ansible, you’ll discover just how many things you can automate and how much time and effort it can save you in the long run.

In this article I would like to share my Ansible Playbook for ESXi Patching.

This Playbook can be found at My GitHub Repository


Prerequisites

Before using this Playbook, please get familiar with my other articles on how to prepare Ansible in your infrastructure:

How to manage and run Ansible Playbooks remotely

How to deploy Ansible to manage VMware infrastructure

Patch download

Please read the VMware Docs article Before Upgrading ESXi Hosts before installing patches. There you will find all the checks that need to be done before patching.

You can download the exact patch you want to apply here.

Upload Patch to the datastore

Upload the downloaded patch to a datastore using vCenter or connect directly to an ESXi host using WinSCP. I used WinSCP and uploaded the ZIP package to the local ESXi datastore. Copy the file path and add it to the Playbook.

Enable SSH on your ESXi host

1. To enable the SSH service on an ESXi host using vCenter, log in to vCenter, choose the ESXi host, then Configure and Services.

2. Select SSH and click Start.

Add ESXi to your Ansible Inventory

In this Playbook I use the esxcli command, so the Playbook contains hosts: esxi, where esxi is my entry in the Ansible Inventory. Some tasks, such as Enable Maintenance Mode, are delegated to localhost (the Ansible VM), which executes them against vCenter. Therefore you must add your ESXi to the Ansible Inventory file. Add each ESXi that you want to patch.

My Ansible Inventory contains the following:

[localhost] – this is my Ansible VM, from which I execute tasks in vCenter by connecting to the vCenter Server with administrator credentials.

[esxi] – this is my ESXi that I manage from Ansible VM with SSH key authentication.

The article below is a step-by-step guide to adding ESXi to the Ansible Inventory:

What is Ansible Inventory and How to Add ESXi

Add ESXi to hosts file

Before using the ESXi Maintenance Mode and Reboot Ansible Playbook shown below, ESXi must be added to the hosts file on the Ansible node. This is because the Playbook contains a task called “ESXi wait for the reboot to complete”, which connects by hostname. I have already tested this: if your ESXi is not added to the hosts file, the job will not complete; it fails after a timeout. Add each ESXi you want to patch.

Follow the instructions to add ESXi to the hosts file on the Ansible node:

1. To edit hosts file, run the following command:

sudo nano /etc/hosts

2. Add your ESXi IP and hostname. Once added, press Ctrl+O to save the file, then Enter, and then Ctrl+X to exit.
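The same hosts-file step can be done idempotently and verified from Ansible itself. The playbook below is an added example, not the article's own code: it assumes every host in the esxi inventory group carries an ansible_host=<ip> variable (for example esxi01 ansible_host=192.0.2.10, a constructed value), writes or updates the matching line in /etc/hosts on the Ansible node, and then checks that the name resolves through the hosts database exactly as the later wait_for task will use it.

```yaml
---
# Added example (not the article's own playbook): register every ESXi host
# from the inventory in /etc/hosts on the Ansible node and verify resolution.
# Assumption: each host in group "esxi" defines ansible_host=<ip> in the inventory.
- name: Register every ESXi host in /etc/hosts on the Ansible node
  hosts: localhost
  connection: local
  gather_facts: false
  become: true                   # /etc/hosts is root-owned
  tasks:
    - name: Add or update the "<ip> <hostname>" line for each ESXi host
      ansible.builtin.lineinfile:
        path: /etc/hosts
        # Match an existing line for the same hostname so a stale IP is replaced,
        # not duplicated; regex_escape handles dots in FQDN-style names.
        regexp: '^\S+\s+{{ item | regex_escape() }}(\s|$)'
        line: "{{ hostvars[item].ansible_host }} {{ item }}"
        backup: true             # keep a copy of the previous hosts file
      loop: "{{ groups['esxi'] }}"

    - name: Prove each name now resolves the way wait_for will use it
      ansible.builtin.getent:
        database: hosts
        key: "{{ item }}"        # fails the play if the name is not resolvable
      loop: "{{ groups['esxi'] }}"
```

Run it with ansible-playbook -K hosts_entries.yml (the -K prompts for the sudo password that become needs); re-running it changes nothing, and a wrong or missing ansible_host surfaces as a templating or getent failure before any patching starts.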

Verify the Patch

This step is optional. You can verify the uploaded patch by logging into ESXi via SSH and running the following command:

esxcli software sources profile list -d /vmfs/volumes/XXXXX/Patch.zip

The expected result is shown in the screenshot above. This check validates your patch bundle, so that a wrong path or a corrupt ZIP is caught before running the Playbook.


Patching ESXi Host

This Ansible Playbook contains 5 tasks that are performed in the following order:

  • Enable Maintenance Mode
  • ESXi Patching
  • ESXi Reboot
  • ESXi wait for the reboot to complete
  • Exit Maintenance Mode

You can freely modify the Playbook and adapt it to your needs; for example, you can set your own delay and timeout for reboots.

Change the file path to the Patch location.

---
- name: Patch ESXi host #vmcloud.pl
  hosts: esxi
  gather_facts: no

  vars:
    vcenter_server: "vCenter_IP_or_hostname"
    vcenter_username: "administrator@vsphere.local"
    vcenter_password: "pass"
    esxi_hostname: "ESXi_hostname"

  tasks:
    - name: Enter ESXi Maintenance Mode
      register: status
      community.vmware.vmware_maintenancemode:
        hostname: "{{ vcenter_server }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        esxi_hostname: "{{ esxi_hostname }}"
        validate_certs: no
        evacuate: false   # Value true will migrate Powered Off VMs to another host
        timeout: 600      # Timeout for the operation (sec)
        state: present
      delegate_to: localhost   # executed against vCenter from the Ansible VM

    - debug: var=status.msg

    - name: ESXi Install Patch   # runs on the ESXi host itself over SSH
      shell: "esxcli software vib install -d /vmfs/volumes/xxxxxxxxxxxxxxxxxxx/Patch.zip"

    - name: ESXi reboot
      community.vmware.vmware_host_powerstate:
        hostname: "{{ vcenter_server }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        esxi_hostname: "{{ esxi_hostname }}"
        validate_certs: no
        timeout: 600      # Timeout for the operation (sec)
        state: reboot-host
      delegate_to: localhost
      register: reboot_host

    - name: ESXi wait for the reboot to complete
      wait_for:
        host: "{{ esxi_hostname }}"   # resolved via the hosts file on the Ansible node
        port: 443
        delay: 300        # Perform first check after delay (sec)
        state: started
        timeout: 600      # Timeout for the operation (sec)
      delegate_to: localhost

    - name: Exit ESXi Maintenance Mode
      register: status
      community.vmware.vmware_maintenancemode:
        hostname: "{{ vcenter_server }}"
        username: "{{ vcenter_username }}"
        password: "{{ vcenter_password }}"
        esxi_hostname: "{{ esxi_hostname }}"
        validate_certs: no
        timeout: 600      # Timeout for the operation (sec)
        state: absent
      delegate_to: localhost

    - debug: var=status.msg

ESXi version before patching:

Run playbook using the following command:

ansible-playbook Patch_ESXi.yml

Results:

ESXi version after patching:

If you have more than one ESXi to patch, just add each ESXi to the Ansible Inventory and hosts file and upload the patch to a shared datastore. With this, all you have to do is change the ESXi hostname in the Ansible Playbook and you’re ready to patch another ESXi.
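The variant below is an added example, not the article's Playbook or the code in its GitHub repository. It takes the same five steps and the manual "Verify the Patch" check and rearranges them so that every host in the esxi inventory group is patched in turn without editing the Playbook: esxi_hostname comes from inventory_hostname and serial: 1 keeps only one host out of the cluster at a time. The vCenter password lives in a vault-encrypted file instead of the Playbook, TLS verification stays on, the install is dry-run first, the reboot is skipped when esxcli reports nothing changed, and the build number is compared before and after. vcenter.example.local, vault.yml (created with ansible-vault create vault.yml and defining vcenter_username and vcenter_password) and the datastore path are placeholders; the example also assumes the inventory names match the names vCenter knows the hosts by.

```yaml
---
# Added example, not the article's own playbook. Assumptions: vault.yml holds
# vcenter_username / vcenter_password, vcenter.example.local and the datastore
# path are placeholders, and inventory names equal the ESXi names in vCenter.
- name: Patch ESXi hosts, one at a time
  hosts: esxi
  gather_facts: false
  serial: 1                    # never take two hosts out of the cluster at once
  vars_files:
    - vault.yml                # ansible-vault create vault.yml
  vars:
    vcenter_server: "vcenter.example.local"
    patch_path: "/vmfs/volumes/PLACEHOLDER_DATASTORE/Patch.zip"
  module_defaults:
    community.vmware.vmware_maintenancemode: &vcenter_args
      hostname: "{{ vcenter_server }}"
      username: "{{ vcenter_username }}"
      password: "{{ vcenter_password }}"
      esxi_hostname: "{{ inventory_hostname }}"   # host being patched = inventory entry
      validate_certs: true     # vCenter must present a certificate the node trusts
      timeout: 600
    community.vmware.vmware_host_powerstate: *vcenter_args

  tasks:
    - name: Record the build before patching
      ansible.builtin.command: esxcli system version get
      register: before
      changed_when: false

    - name: Enter maintenance mode
      community.vmware.vmware_maintenancemode:
        evacuate: false
        state: present
      delegate_to: localhost

    - name: Validate the patch bundle (same check as the manual step, now enforced)
      ansible.builtin.command: "esxcli software sources profile list -d {{ patch_path }}"
      changed_when: false      # a wrong path or corrupt ZIP fails the play here

    - name: Dry-run the install to see what would change
      ansible.builtin.command: "esxcli software vib install -d {{ patch_path }} --dry-run"
      changed_when: false

    - name: Install the patch
      ansible.builtin.command: "esxcli software vib install -d {{ patch_path }}"
      register: install
      # esxcli prints "Reboot Required: true" only when VIBs were actually changed
      changed_when: "'Reboot Required: true' in install.stdout"

    - name: Reboot the host (only if the install changed something)
      community.vmware.vmware_host_powerstate:
        state: reboot-host
      delegate_to: localhost
      when: install.changed

    - name: Wait for SSH to come back so esxcli can run again
      ansible.builtin.wait_for_connection:
        delay: 180             # let the reboot actually start before polling
        timeout: 1200
      when: install.changed

    - name: Record the build after patching
      ansible.builtin.command: esxcli system version get
      register: after
      changed_when: false

    - name: Stop before leaving maintenance mode if the build did not change
      ansible.builtin.assert:
        that: before.stdout != after.stdout
        fail_msg: "Build unchanged after install; host left in maintenance mode"
      when: install.changed

    - name: Exit maintenance mode
      community.vmware.vmware_maintenancemode:
        state: absent
      delegate_to: localhost
```

Run it with ansible-playbook --ask-vault-pass Patch_ESXi_group.yml. A host whose patch was already applied reports the install as unchanged, skips the reboot and the version assertion, and simply leaves maintenance mode; a host whose install fails, or whose build number does not move after the reboot, stays in maintenance mode for you to look at instead of being returned to the cluster.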


Thank you for reading!