vSphere 6.7 has come out, and while this release includes some very interesting security updates (virtual TPM, Credential Guard Support, etc.), my main concern at the moment is how to upgrade.
Like any upgrade of vSphere, this one has several dependencies to consider. In my case, they are:
- VMware NSX-v (security tools, not networking)
- VMware Horizon View
- VMware vRealize Suite (Operations, Log Insight, etc.)
- HPE OneView for vCenter
- Veeam Backup & Replication
- Hardware Support (always a concern)
So far, NSX-v, Horizon, vRealize Operations, and vRealize Log Insight (vRLI) support 6.7. However, my third-party products do not.
What does this mean? I was delayed waiting for NSX-v and Horizon View to support vSphere 6.7. Now, it looks like I am delayed waiting for the third parties to support vSphere 6.7. Yet, not all is lost. This is the time to sit back and take stock. What is the upgrade process? Is there anything that has changed?
We have some breathing room between release upgrades that allows us to understand what is required. One of the things often overlooked is the hardware support. We often find out too late that hardware is an issue. With 6.7, it is an issue. Why is that the case?
vSphere 6.7 introduced many more security features than other versions of vSphere, and those features depend on the latest CPU instruction set features. If you do not need these features, then older hardware may still work, but do not expect it to be in the Hardware Compatibility List (HCL). In my case, I use HPE BL460c Gen8 blades. Gen8 has no HPE image yet. Gen9 does, but not Gen8. However, vSphere should still install and run as expected. A hardware upgrade is not in the cards this year.
Now the decision is whether I should stay with 6.5 or move on to 6.7. If I stay with 6.5 I upgrade to 6.5U2, but if I move to 6.7 I stay at 6.5U1 until all the dependencies are met. If I cannot go to 6.7, I should at least upgrade to 6.5U2. Decisions, decisions!
At this time, I do not see any reason not to upgrade to vSphere 6.7, or anything that would prevent such an upgrade.
As usual, once the dependencies are met, it will be time to stage in all the pre-ESXi installation steps, which in my case always include firmware upgrades, if there are any. An upgrade to a major release is always a good time to ensure the latest firmware and microcode are available. In this case, that may not be necessary.
The recent Spectre and Meltdown patches required us to modify our firmware not too long ago. However, there are new Spectre-style attacks, and there will be new firmware. Do we now wait on the newer firmware to do the upgrade? Maybe. I would check to see if it is forthcoming. Remember, we are still waiting on third-party support for applications.
Some good information on upgrade planning:
- Important information before upgrading to vSphere 6.7 (VMware KB 53704)
- Update sequence for vSphere 6.7 and its compatible VMware products (VMware KB 53710)
Order is important, as is the compatibility information. Read before you do, and make some plans. Also, you are testing your upgrades, are you not? A good test bed is crucial to a successful upgrade.
Lastly, make use of snapshots while upgrading your virtual machines. This will save you hours of pain if something fails!