Hyper-V, as you probably know by now, is increasingly being deployed as a virtualization host (a "host" is a physical computer/server that runs a virtualization product and is used to run multiple virtual machines, also called "guests"). Because Hyper-V is based on a Windows Server 2008/R2 operating system, we need to pay close attention to Hyper-V updates: the patches, bug fixes, security fixes and critical updates that are released by Microsoft. Also remember that patches and updates can come from any number of software products, not just Microsoft's: backup agents, drivers and firmware, as well as management, monitoring and anti-virus software.
Before updating the host we need to consider several key issues.
How important is patch management for virtual hosts?
Virtual hosts are computers running Microsoft-based operating systems (naturally, there are other options such as VMware-based or XEN-based hosts, but I do not discuss these in this article). Keeping virtual machine hosts updated is just as important as keeping any other Windows-based operating system up to date, and it helps maintain a stable and secure virtual host environment.
Coordinating the right time to apply patches
The coordination of your host patches is important. Your design objective should be to follow host patch management best practices with as few disruptions as possible to your most critical VMs, mostly because:
1. Some (but not all) of the Hyper-V updates might need a reboot of the host. This means that you will need to find the right point in time to do that. You can work around this by implementing Hyper-V Quick Migration, which allows you to move guest VMs to another Hyper-V host with little guest interruption. In Windows Server 2008 R2, you can use Live Migration, which allows you to move guest VMs to another Hyper-V host without any guest downtime or interruption to service.
2. When applying patches, some might require that the guest VMs be in a shutdown state when the patches are applied. This means that you cannot put these VMs in a saved state for faster resuming. To determine VM status requirements, read the patch’s release notes.
3. Sometimes, for some patches, the guest VMs might need to also be updated. For example, Service Pack 2 required that the guest VMs update the Integration Components (IC) for Hyper-V. Again, read the patch’s release notes for more information.
4. Some patches might cause issues with either the VMs or the host itself, resulting in longer than planned downtime. So far, this hasn't been the case with Windows Server 2008 Hyper-V patches, but if you recall VMware's update 2 for ESX/ESXi, and the fiasco that followed it, then you are aware of that potential issue. Hopefully, we won't see a similar issue with Microsoft's updates.
Reduce the number of needed patches by using Server Core or Hyper-V Server 2008
In Windows Server 2008 and R2, the Server Core installation provides a minimal environment for running specific server roles, which reduces the maintenance and management requirements and the attack surface for those server roles (read more about Server Core on my Understanding Windows Server 2008 Server Core and Installing Windows Server 2008 Core articles).
Besides regular Server Core, you can opt to use Microsoft Hyper-V Server 2008/R2. Hyper-V Server is a version of the Windows Server 2008 Server Core installation that is even more stripped-down than regular Server Core, with only the functionality needed to run the Hyper-V role. The benefit of these small, slimmed-down versions is their reduced attack surface. Because fewer components are installed on the system, fewer patches are needed for the virtualization host and.
Another benefit of using Server Core or Hyper-V Server instead of the full installation of Windows Server 2008/R2 is lower resource usage by the host itself, leaving more CPU and memory to the guest VMs.
However, there are some tradeoffs with Server Core or Hyper-V Server, mostly related to the lack of GUI-based management tools and a higher learning curve. You can look for additional Server Core articles on the site for more information on how to easily manage this type of installation.
Reduce downtime by using Failover Clustering
As noted above, implementing Live Migration will greatly reduce the downtime of your virtual machine guests due to host maintenance and patching. By implementing Live Migration, you will be able to seamlessly move VM guests from one host to another in the datacenter, without ANY conceivable downtime to the VMs, the data, applications and/or services installed on them.
As a tradeoff, implementing Failover Clustering comes with some considerations you need to take into account, mostly because it requires the Enterprise or Datacenter editions of Windows Server 2008 R2, plus the introduction of storage devices if you do not have those already. However, if service level is a concern and if downtime of hosts and VMs is closely monitored, then Failover Clustering is the answer.
Performing the actual update
Installing the updates or patches is usually pretty easy. On Windows Server 2008/R2 running in full installation mode, updates are usually installed either by using Windows Updates or by using Windows Software Update Service (WSUS).
As noted above, when selecting the automatic updates options, keep in mind that if a critical update is detected, the Hyper-V host will download it and install it that night, at 3 AM. If the host needs to reboot, the guest VMs might need to be shut down, which means moments of downtime for the applications, data or services that are located on those guest VMs.
To help you mitigate the downtime, you might consider configuring the VM behavior when the host is shut down…
And what happens to the VM when the host restarts.
You can also install updates by manually downloading the .MSU files and installing them yourself.
Description of the Windows Update Stand-alone Installer (Wusa.exe) and of .msu files in Windows Vista and in Windows Server 2008
Msiexec (command-line options)
On Server Core installations, because there is no GUI to work with, you can use several methods to install updates. These are listed in my Installing Windows Updates on Windows Server 2008 R2 Core article.
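A pre-patch check for the reboot and guest-state concerns discussed above, usable from the command line on Server Core. This is an added example, not part of the original article; it assumes Windows Server 2008 R2 with PowerShell enabled, an elevated prompt, the Hyper-V `root\virtualization` WMI namespace, and an English-language host (the `Caption` filter).

```powershell
# Added example: pre-patch readiness report for a Hyper-V host.
# Read-only: it lists missing updates and guest states, it installs nothing.

# 1. Ask the Windows Update Agent which software updates are still missing.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")

# RebootBehavior: 0 = never, 1 = always, 2 = may request a reboot.
$rebootText = @{ 0 = 'No'; 1 = 'Yes'; 2 = 'Possibly' }

$pending = @(foreach ($update in $result.Updates) {
    $kb = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    New-Object PSObject -Property @{
        KB       = $kb
        Severity = $update.MsrcSeverity
        Reboot   = $rebootText[[int]$update.InstallationBehavior.RebootBehavior]
        Title    = $update.Title
    }
})

# 2. List guests that are not powered off. Some patches need guests shut
#    down rather than saved, so saved VMs are reported as well.
#    EnabledState: 2 = running, 3 = off, 32768 = paused, 32769 = saved.
$stateText = @{ 2 = 'Running'; 32768 = 'Paused'; 32769 = 'Saved' }

$guests = @(Get-WmiObject -Namespace 'root\virtualization' -Class Msvm_ComputerSystem |
    Where-Object { $_.Caption -eq 'Virtual Machine' -and $_.EnabledState -ne 3 } |
    ForEach-Object {
        $state = [int]$_.EnabledState
        $label = "Other ($state)"
        if ($stateText.ContainsKey($state)) { $label = $stateText[$state] }
        New-Object PSObject -Property @{ Name = $_.ElementName; State = $label }
    })

# 3. Report: anything with Reboot = Yes/Possibly needs a maintenance window
#    or a migration of the listed guests to another host first.
"Pending updates: $($pending.Count)"
$pending | Sort-Object Reboot -Descending |
    Format-Table KB, Severity, Reboot, Title -AutoSize
"Guests not shut down: $($guests.Count)"
$guests | Format-Table Name, State -AutoSize
```

The reboot flag comes from update metadata, so the patch's release notes remain the authority on whether guests must be shut down.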
For a good place to start looking for these updates and patches you can use these 2 links:
Comprehensive List of Hyper-V Updates
Hyper-V Update List for Windows Server 2008 R2
In conclusion, working with virtualization does not exempt you from taking care of the patching and updating of the virtual hosts. Failing to do so might introduce security and functionality issues to your system, which is why it's important to update Hyper-V.