Hyper-v and windows updates: how do you deal with that?
-
Hi,
for a number of reasons, I'm considering using Hyper-V as my next hypervisor at work. Before starting anything serious with it, my question is: how do you deal with Windows updates in a Hyper-V Server 201x (the free version)? I mean that every time Windows has to upgrade I'm a bit scared because now and then something goes wrong.
Now, one thing is to "kill" an eth driver on a client (Dell Win 10 certified PC, not Frankenstein stuff), another is to kill an entire legion of VMs on a host for something like this.
Have you ever had issues with Hyper-V security updates? I'm mostly oriented towards Hyper-V Server, not a full-fledged server.
thanks,
M -
Remember that Hyper-V is a fraction of the size of Windows. While it does have update concerns, they are not at all on par with those of Windows.
-
Just like with any hypervisor, you have to allow enough space for updates.
Most provide a minimum storage for the system.
-
I have a fleet of Hyper-V Server 2012 R2 and Hyper-V Server 2016 hosts (among others, but leaving those out of this).
I have it set up via WSUS. The ordering I try to follow is like this:
-
Once per month (or bi-monthly), I go and approve tested updates on the WSUS server. (For simplicity's sake, let's just say on the first Wednesday of every month, I approve some tested and researched updates for my fleet of hypervisors.)
-
The following Friday night, all of my weekly backups take place and complete (automatically). This goes for a while, but never overlapping with updates.
-
Starting Saturday evening, all the hypervisors then go ahead and install updates, and reboot automatically if needed.
Note: I have all VMs on all hosts set to either Shutdown or save state upon a host reboot, and then set to start up automatically and in a specific order when the host is back up. You'll find this in shutdown and startup action settings in the VM options.
- You will want to check in on them just to verify everything is back up.
Other notes: On my WSUS server, I have a special group for Hyper-V hosts. I only approve updates in a planned fashion when I am ready for them to update on a weekend we have planned. Then on Sunday, I'll take just a couple of minutes to verify things are back up. I'll VPN and RDP in, open Hyper-V Manager, and make sure all VMs are up. Then I'll select a couple of random ones to check.
It seems like a lot, but we're only talking about 10-15 minutes of time, once every 2 months (unless there's a critical security update that needs to be done). But we're talking Hyper-V Server... less likely than with full Windows Server.
-
-
Realistically speaking, you may go months before updating a Hypervisor. But you can do this kind of thing however fits your environment best.
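The two host-side settings Tim_G relies on (what each VM does when the host reboots, and the automatic start order afterwards) can be set and later verified from PowerShell instead of clicking through each VM's settings. The following is an added example, not code from the thread or from Microsoft; it assumes the Hyper-V PowerShell module is available on the management machine, and the host names, VM names and start delays are made-up placeholders. It also goes a step beyond the post by scripting the Sunday "is everything back up?" check across the whole fleet.

```powershell
# Added example (not from the thread): set the host-reboot behaviour of every VM on a
# fleet of Hyper-V hosts, then run a post-patch health check. All names are assumptions.
$Hosts = @('HV-HOST-01', 'HV-HOST-02')          # assumed Hyper-V Server host names

# Start delays in seconds, so dependencies (e.g. a domain controller) come up first.
# VMs not listed here get a default delay. Names and values are made up.
$StartOrder = @{ 'DC01' = 0; 'FILE01' = 60; 'APP01' = 120 }
$DefaultDelay = 180

# 1. Configure what happens on a host reboot (the "shutdown and startup action" settings):
#    save state when the host goes down, start automatically when it comes back, staggered.
foreach ($h in $Hosts) {
    foreach ($vm in Get-VM -ComputerName $h) {
        $delay = if ($StartOrder.ContainsKey($vm.Name)) { $StartOrder[$vm.Name] } else { $DefaultDelay }
        Set-VM -ComputerName $h -Name $vm.Name `
            -AutomaticStopAction Save `
            -AutomaticStartAction Start `
            -AutomaticStartDelay $delay
    }
}

# 2. Post-patch check: when did each host last boot, which hotfix was installed last,
#    and which VMs (if any) are not Running. An empty VM list per host is the good case.
foreach ($h in $Hosts) {
    $os      = Get-CimInstance -ComputerName $h -ClassName Win32_OperatingSystem
    $lastFix = Get-HotFix -ComputerName $h | Sort-Object InstalledOn -Descending | Select-Object -First 1
    '{0}: last boot {1}, last hotfix {2} ({3})' -f $h, $os.LastBootUpTime, $lastFix.HotFixID, $lastFix.InstalledOn
    Get-VM -ComputerName $h |
        Where-Object { $_.State -ne 'Running' } |
        Select-Object @{ n = 'Host'; e = { $h } }, Name, State, Status
}
```

`-AutomaticStartAction Start` brings a VM up on every host boot; `StartIfRunning` only restarts VMs that were running when the host went down, which is usually the safer choice for VMs you deliberately keep stopped. Because the check reports only VMs that are not `Running`, it is also a reasonable candidate for a scheduled task that emails its output after the Saturday patch window.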
-
@Tim_G said in Hyper-v and windows updates: how do you deal with that?:
Hyper-V Server 2016 hosts (among others, but leaving those out of this).
Why? As it is a new deployment I was going the Hyper-V 2016 route... still not ready for prime time? If so, I have to double check 2012 R2 features as I have a lot of Linux VMs.
-
@Tim_G said in Hyper-v and windows updates: how do you deal with that?:
Note: I have all VMs on all hosts set to either Shutdown or save state upon a host reboot, and then set to start up automatically and in a specific order when the host is back up.
Yes, this is exactly what I'm doing now with KVM.
-
@Tim_G said in Hyper-v and windows updates: how do you deal with that?:
The following Friday night, all of my weekly backups take place and complete (automatically). This goes for a while, but never overlapping with updates.
Starting Saturday evening, all the hypervisors then go ahead and install updates, and reboot automatically if needed.
Yes, I back up VMs before any update cycle. Anyway, currently the hypervisor is updated "by hand" on a best-effort basis, after all backups. Only VMs are automatically patched and rebooted after a backup.
Considering what you are saying, your logic is not to stick as close as possible to security fixes but, rather, to stage them for a while, having time to review them (or catch some other unfortunate guy who has hit a "bug"). Am I wrong?
-
@matteo-nunziati said in Hyper-v and windows updates: how do you deal with that?:
@Tim_G said in Hyper-v and windows updates: how do you deal with that?:
Hyper-V Server 2016 hosts (among others, but leaving those out of this).
Why? As it is a new deployment I was going the Hyper-V 2016 route... still not ready for prime time? If so, I have to double check 2012 R2 features as I have a lot of Linux VMs.
Don't consider any 2012 R2 today. 2016 only.
-
@matteo-nunziati said in Hyper-v and windows updates: how do you deal with that?:
@Tim_G said in Hyper-v and windows updates: how do you deal with that?:
The following Friday night, all of my weekly backups take place and complete (automatically). This goes for a while, but never overlapping with updates.
Starting Saturday evening, all the hypervisors then go ahead and install updates, and reboot automatically if needed.
Yes, I back up VMs before any update cycle. Anyway, currently the hypervisor is updated "by hand" on a best-effort basis, after all backups. Only VMs are automatically patched and rebooted after a backup.
Considering what you are saying, your logic is not to stick as close as possible to security fixes but, rather, to stage them for a while, having time to review them (or catch some other unfortunate guy who has hit a "bug"). Am I wrong?
Yes, that's right. I have some test hypervisors with test VMs on a test network I will deploy the same updates to first. But I will always internet search the updates first to see if they blew up anyone else's stuff. I'm subscribed to the Patch Tuesday RSS feed as well, which gives warnings of bad updates. If there are any, I will wait a month or two because that's how long it takes MS to fix them. I don't spend a lot of time on updates as I'm busy with other stuff. I manage them in as I can.
-
@matteo-nunziati said in Hyper-v and windows updates: how do you deal with that?:
@Tim_G said in Hyper-v and windows updates: how do you deal with that?:
Hyper-V Server 2016 hosts (among others, but leaving those out of this).
Why? As it is a new deployment I was going the Hyper-V 2016 route... still not ready for prime time? If so, I have to double check 2012 R2 features as I have a lot of Linux VMs.
What he meant was other hypervisors than Hyper-V and leaving those out of this discussion.