In VCF 9, the scope of live patches available for ESX has been significantly expanded. In addition to the virtual machine execution runtime (vmx), which already supported live patching, the scope now includes the vmkernel, user-space daemons, and NSX components. For example, the recently released ESX 9.0.0.0100 patch supports live patching, so it can be applied as a live patch to an ESX 9.0.0 (24755229) cluster.
In short, live patching allows certain ESX patches to be applied in a non-disruptive manner, without having to migrate virtual machines off the host. This greatly reduces the maintenance window and the workload for administrators performing security updates, so future patches can be applied quickly and without interruption. Security patches are the main target for live patching, as timely updates are crucial for users. It is important to note that not all patches support live patching.
Note: To identify whether a patch supports live patching, the patch release notes will specify if the feature is supported. The VCF and vSphere Lifecycle Manager user interfaces will also indicate whether a patch supports live patching.
When patching user-space daemons, a daemon restart may be required. Depending on the user-space daemon being patched and restarted, the ESX host’s connection to vCenter may experience a brief interruption. For example, patching the hostd daemon may require a restart of that daemon. This might cause the host to briefly show as disconnected from vCenter, which is a normal occurrence and does not affect virtual machines.
If a live patch targets the virtual machine execution runtime (vmx), the virtual machine will undergo a Fast Suspend-Resume (FSR) operation during the live patching, although not all patches require virtual machines to perform an FSR. In VCF 9.0, the FSR operation for vGPU-enabled virtual machines is performed significantly faster, which allows for live patching of clusters hosting large vGPU-enabled virtual machines without interrupting AI/ML applications.
vSphere Lifecycle Manager performs a pre-check before the live patch remediation task to ensure the host has enough available resources. If a host does not have sufficient resources, it may be necessary to reduce the load on the host before proceeding with the live patch remediation.