One of the big news items in vSphere 8.0.3 (8.0 Update 3) is the ability to live patch ESXi without rebooting the host and without migrating the workloads!
With the new Live Patching capability in ESXi, customers can address critical bugs in the virtual machine execution environment and apply patches to all components without a reboot or VM evacuation.
Virtual machines are Fast-Suspend-Resumed (FSR) as part of the host remediation process; for this reason the new feature is not compatible with some specific cases (such as VMs protected by vSphere FT or VMs with PCI passthrough).
This feature is not entirely new (for example, some Windows Server editions have implemented a similar approach since 2022), and previously there were some interesting approaches to make patching much faster, like Quick Boot (since vSphere 6.7) and Quick Boot with VM suspend to memory (since vSphere 7.0).
But ESXi Live Patching delivers the following key benefits to customers:
- Non-disruptive patches
- Ability to deliver critical fixes quickly within required SLAs
- Enhanced system reliability with seamless lifecycle integration
Specific patches that are compatible with live patching are clearly marked as eligible.
Why are some patches not eligible? Because the code reload may be disruptive, as it is for I/O drivers. Initially, only patches for the virtual machine execution component of ESXi are the target for vSphere Live Patch.
Note that there are some requirements to use vSphere Live Patch:
- vCenter must be version 8.0 Update 3 or later.
- ESXi hosts must be version 8.0 Update 3 or later.
- The Enforce Live Patch setting must be enabled in the global vSphere Lifecycle Manager remediation settings or at the cluster remediation settings.
- DRS must be enabled on the vSphere cluster and in fully automated mode.
- For vGPU enabled VMs, enable Passthrough VM DRS Automation.
- The current build of the vSphere cluster must be eligible for a live patch.
- VMs must support FSR.
- For example, VMs that are not compatible are VMs configured for vSphere Fault Tolerance, VMs configured with VM DirectPath I/O devices, and vSphere Pods (container pods).
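Because a live patch is only useful if it can actually be applied within the SLA, it helps to know before remediation which of the requirements above a cluster fails and which VMs would block FSR on their host. The following pre-flight check is an added example, not code from this post or from VMware: it encodes the requirements listed above against a small, constructed in-memory inventory. The dataclass field names (drs_automation, enforce_live_patch, passthrough_vm_drs_automation, and so on) are assumptions chosen for the illustration, not vSphere API property names; feeding it real data from vCenter is left to the reader.

```python
"""Pre-flight check for the vSphere Live Patch requirements listed above.

Added example: the inventory is a constructed, in-memory model, not data read
from vCenter. The field names below are assumptions for this illustration,
not vSphere API property names.
"""
from dataclasses import dataclass, field

MIN_VERSION = (8, 0, 3)  # vSphere 8.0 Update 3 is 8.0.3 for both vCenter and ESXi


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.0.3' (or '8.0.3 build-12345') into a comparable tuple (8, 0, 3)."""
    core = text.split()[0]
    return tuple(int(part) for part in core.split("."))


@dataclass
class VM:
    name: str
    fault_tolerance: bool = False   # vSphere FT: cannot be fast-suspend-resumed
    passthrough_devices: int = 0    # VM DirectPath I/O devices attached
    vgpu: bool = False              # needs Passthrough VM DRS Automation
    is_pod: bool = False            # vSphere Pod (container pod)


@dataclass
class Host:
    name: str
    version: str                    # ESXi version string
    vms: list[VM] = field(default_factory=list)


@dataclass
class Cluster:
    name: str
    vcenter_version: str
    drs_enabled: bool
    drs_automation: str             # "manual" | "partiallyAutomated" | "fullyAutomated"
    enforce_live_patch: bool        # vLCM remediation setting (global or per cluster)
    passthrough_vm_drs_automation: bool
    hosts: list[Host] = field(default_factory=list)


def live_patch_blockers(cluster: Cluster) -> list[str]:
    """Return one message per requirement the cluster fails; empty means eligible."""
    blockers: list[str] = []

    if parse_version(cluster.vcenter_version) < MIN_VERSION:
        blockers.append(f"vCenter {cluster.vcenter_version} is older than 8.0 Update 3")
    for host in cluster.hosts:
        if parse_version(host.version) < MIN_VERSION:
            blockers.append(f"host {host.name}: ESXi {host.version} is older than 8.0 Update 3")

    if not cluster.enforce_live_patch:
        blockers.append("Enforce Live Patch is not enabled in the vLCM remediation settings")
    if not (cluster.drs_enabled and cluster.drs_automation == "fullyAutomated"):
        blockers.append("DRS must be enabled and fully automated")

    all_vms = [vm for host in cluster.hosts for vm in host.vms]
    if any(vm.vgpu for vm in all_vms) and not cluster.passthrough_vm_drs_automation:
        blockers.append("vGPU VMs present but Passthrough VM DRS Automation is off")

    # VMs that cannot be fast-suspend-resumed block the host they run on.
    for host in cluster.hosts:
        for vm in host.vms:
            if vm.fault_tolerance:
                blockers.append(f"VM {vm.name} on {host.name}: vSphere FT, no FSR")
            if vm.passthrough_devices:
                blockers.append(f"VM {vm.name} on {host.name}: VM DirectPath I/O device, no FSR")
            if vm.is_pod:
                blockers.append(f"VM {vm.name} on {host.name}: vSphere Pod, no FSR")
    return blockers


def sample_cluster() -> Cluster:
    """Constructed inventory that violates several requirements at once."""
    return Cluster(
        name="prod-01",
        vcenter_version="8.0.3",
        drs_enabled=True,
        drs_automation="partiallyAutomated",
        enforce_live_patch=True,
        passthrough_vm_drs_automation=False,
        hosts=[
            Host("esx01", "8.0.3", [VM("web01"), VM("db01", fault_tolerance=True)]),
            Host("esx02", "8.0.2", [VM("gpu01", vgpu=True), VM("nic01", passthrough_devices=1)]),
        ],
    )


if __name__ == "__main__":
    for line in live_patch_blockers(sample_cluster()):
        print("BLOCKER:", line)
```

Run as-is it reports five blockers for the constructed cluster: one host still on 8.0.2, DRS not fully automated, a vGPU VM without Passthrough VM DRS Automation, an FT-protected VM and a VM with a DirectPath I/O device. Fix those and the list comes back empty, which is the state a cluster has to be in before the live patch remediation can run.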
And what happens during the live patching? The ESXi host enters partial maintenance mode, a new mount revision is loaded and patched, and the VMs are then fast-suspend-resumed to consume the patched mount revision.
This new type of maintenance mode disallows VM migration across hosts and the creation of new VMs on a host in partial maintenance mode. All existing VMs continue to run!
Note that it is not possible to manually put a host into partial maintenance mode, but it is still possible to manually take a host out of partial maintenance mode (for example, if the update process has timed out).
For more information on vSphere Live Patch, see: vSphere Live Patch.