
ESXi Patching During Install

This document describes how to configure and apply patches to an ESXi host during the initial provisioning process using Digital Rebar.


Overview

The ESXi patching system supports applying one or more patches as part of the installation workflow. Patches are applied after the ESXi base system is installed but before the node is marked complete. This ensures that the host is production-ready immediately after provisioning.

Patches are delivered via parameter configuration and downloaded by the in-memory agent. No persistent agent or VIB is required.


Required Parameters

To enable patching, the following parameters must be defined in a profile and applied to the machine:

esxi/patches-enabled

Enables patching during install.

esxi/patches-enabled: true

esxi/patch-list-override

Defines an explicit list of patch IDs (as strings) to apply in order.

esxi/patch-list-override:
  - '10000001'
  - '10000002'

esxi/patch-map

Defines metadata for each patch, including download location, checksum, reboot requirement, and a release label.

esxi/patch-map:
  '10000001':
    checksum:
      type: md5
      value: d41d8cd98f00b204e9800998ecf8427e
    filename: test-patch-1.zip
    reboot_required: false
    reference-url: https://example.com/test-patch-1
    release_name: test-patch-1.my.test

  '10000002':
    checksum:
      type: md5
      value: d41d8cd98f00b204e9800998ecf8427e
    filename: test-patch-2.zip
    reboot_required: true
    reference-url: https://example.com/test-patch-2
    release_name: test-patch-2.my.test

Important Notes

  • The release_name field must not end in .my.test in production. Patches using a release_name ending in .my.test are treated as test-only no-op patches. These are useful for testing reboot behavior and patch logic without applying real updates.

  • Patches are applied in the order listed in patch-list-override.

  • Each patch must have a valid checksum and accessible reference-url.

  • The filename is the expected name of the patch file when downloaded.

  • If reboot_required is true, the node will reboot between patches.


Example Profile

Name: esxi9-patching-example
Params:
  esxi/patches-enabled: true
  esxi/patch-list-override:
    - '10000001'
    - '10000002'
  esxi/patch-map:
    '10000001':
      checksum:
        type: md5
        value: d41d8cd98f00b204e9800998ecf8427e
      filename: test-patch-1.zip
      reboot_required: false
      reference-url: https://example.com/test-patch-1
      release_name: test-patch-1.my.test
    '10000002':
      checksum:
        type: md5
        value: d41d8cd98f00b204e9800998ecf8427e
      filename: test-patch-2.zip
      reboot_required: true
      reference-url: https://example.com/test-patch-2
      release_name: test-patch-2.my.test
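As an added example (not part of Digital Rebar or this document), the check below validates a profile's patch parameters before it is applied and verifies a downloaded patch against its patch-map checksum. The params dict is constructed from the example profile above; plan_patches, verify_download and the production flag are names assumed for this illustration.

```python
import hashlib

# Profile params constructed from the example profile on this page (md5 of an empty file).
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EXAMPLE_PARAMS = {
    "esxi/patches-enabled": True,
    "esxi/patch-list-override": ["10000001", "10000002"],
    "esxi/patch-map": {
        "10000001": {"checksum": {"type": "md5", "value": EMPTY_MD5},
                     "filename": "test-patch-1.zip", "reboot_required": False,
                     "reference-url": "https://example.com/test-patch-1",
                     "release_name": "test-patch-1.my.test"},
        "10000002": {"checksum": {"type": "md5", "value": EMPTY_MD5},
                     "filename": "test-patch-2.zip", "reboot_required": True,
                     "reference-url": "https://example.com/test-patch-2",
                     "release_name": "test-patch-2.my.test"},
    },
}
REQUIRED = ("checksum", "filename", "reboot_required", "reference-url", "release_name")


def plan_patches(params, production=False):
    """Return (ordered plan, problems). Plan entries note .my.test no-ops and
    reboots between patches; any problem means the profile should not be applied."""
    plan, problems = [], []
    if params.get("esxi/patches-enabled") is not True:
        return plan, ["esxi/patches-enabled is not true; no patches would be applied"]
    patch_map = params.get("esxi/patch-map", {})
    for pid in params.get("esxi/patch-list-override", []):  # order is the apply order
        meta = patch_map.get(pid)
        if meta is None or any(k not in meta for k in REQUIRED):
            problems.append(f"{pid}: missing from patch-map or lacks a required field")
            continue
        cs = meta["checksum"]
        if cs.get("type") not in hashlib.algorithms_guaranteed or not cs.get("value"):
            problems.append(f"{pid}: checksum type unsupported or value empty")
        if not str(meta["reference-url"]).startswith("https://"):
            problems.append(f"{pid}: reference-url is not https; download not protected in transit")
        test_only = meta["release_name"].endswith(".my.test")
        if production and test_only:
            problems.append(f"{pid}: release_name ends in .my.test, a no-op test patch")
        plan.append({"id": pid, "filename": meta["filename"],
                     "test_only": test_only, "reboot": bool(meta["reboot_required"])})
    return plan, problems


def verify_download(data: bytes, checksum: dict) -> bool:
    """Compare downloaded patch bytes with the patch-map checksum before applying it."""
    digest = hashlib.new(checksum["type"], data).hexdigest()
    return digest.lower() == checksum["value"].lower()
```

Run with production=True against the example profile and both entries are reported, because their release_name values end in .my.test.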

Summary

The ESXi patching system allows operators to apply updates during provisioning without needing VIBs or persistent agents. By configuring patch parameters in a profile, patches can be applied reliably, with optional reboots, and verified by checksum.

Use .my.test releases for testing only; production systems should use real patch names and sources.