You use baselines and baseline groups to update the ESXi hosts in your vSphere inventory. vSphere Lifecycle Manager baselines are of three types: predefined baselines, recommendation baselines, and custom baselines, which you create manually. Depending on their content, baselines can be patch, extension, or upgrade baselines.
When you initiate a compliance check for an ESXi host, you evaluate it against baselines and baseline groups to determine its level of compliance with those baselines or baseline groups.
If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, the baselines and baseline groups that you create and manage are applicable only to the inventory objects managed by the vCenter Server system where the selected vSphere Lifecycle Manager instance runs.
In the vSphere Client, the baselines and baseline groups are displayed on the Baselines tab of the vSphere Lifecycle Manager home view.
Predefined, Recommendation, and Custom Baselines
- Predefined baselines
Predefined baselines cannot be edited or deleted. You can only attach them to or detach them from inventory objects.
Predefined baselines can be of the following types:
  - Host Security Patches
  The Host Security Patches baseline checks ESXi hosts for compliance with all security patches.
  - Critical Host Patches
  The Critical Host Patches baseline checks ESXi hosts for compliance with all critical patches.
  - Non-Critical Host Patches
  The Non-Critical Host Patches baseline checks ESXi hosts for compliance with all optional patches.
The Host Security Patches and Critical Host Patches predefined baselines are attached by default to the vCenter Server instance where vSphere Lifecycle Manager runs.
- Recommendation Baselines
Recommendation baselines are predefined baselines that vSAN generates.
You use recommendation baselines to update your vSAN clusters with recommended critical patches, drivers, updates, or the latest supported ESXi host version for vSAN.
These baselines appear by default when you use vSAN clusters with ESXi hosts of version 6.0 Update 2 and later in your vSphere inventory. If your vSphere environment does not contain any vSAN clusters, no recommendation baselines are created.
Recommendation baselines update their content periodically, which requires vSphere Lifecycle Manager to have constant access to the Internet. The vSAN recommendation baselines are typically refreshed every 24 hours.
Recommendation baselines cannot be edited or deleted. You do not attach recommendation baselines to inventory objects in your vSphere environment. You can create a baseline group by combining multiple recommendation baselines, but you cannot add any other type of baseline to that group. Similarly, you cannot add a recommendation baseline to a baseline group that contains upgrade, patch, and extension baselines.
Upgrade, Patch, and Extension Baselines
- Upgrade Baselines
Host upgrade baselines define the version to which you upgrade the hosts in your environment. With vSphere Lifecycle Manager 8.0, you can upgrade ESXi hosts from versions 6.7 and 7.0 to ESXi 8.0. Host upgrades to ESXi 5.x, ESXi 6.7, or ESXi 7.0 are not supported. In case of an unsuccessful upgrade from ESXi 6.7 or ESXi 7.0 to ESXi 8.0, you cannot roll back to your previous ESXi 6.7 or ESXi 7.0 instance.
To create an upgrade baseline, you must first import an ESXi ISO image to the vCenter Server inventory. You can use the ESXi installer image distributed by VMware with the name format VMware-VMvisor-Installer-8.0-build_number.x86_64.iso or a custom image created by using vSphere ESXi Image Builder. You can also use ISO images created and distributed by OEMs.
- Patch Baselines
Patch baselines define a number of patches that must be applied to a given host. Patch baselines can be either dynamic or fixed.
| Baseline | Description |
| --- | --- |
| Dynamic Patch Baseline | A dynamic baseline is a set of patches that meet certain criteria. You specify the criteria for patch inclusion in the baseline. Only the patches that meet the criteria are included in the baseline. As the set of available patches in the vSphere Lifecycle Manager depot changes, dynamic baselines are updated as well. You can manually include or exclude patches from the baseline. |
| Fixed Patch Baseline | A fixed baseline is a set of patches that does not change as patch availability in the depot changes. You manually select the patches from the total set of patches available in the vSphere Lifecycle Manager depot. |

- Extension Baselines
Extension baselines contain additional software modules for ESXi hosts, for example device drivers. This additional software might be VMware software or third-party software. All third-party software for ESXi hosts is classified as host extension, but extensions are not restricted to just third-party software. You can install additional modules by using extension baselines, and update the installed modules by using patch baselines.
Extensions deliver additional host features, updated drivers for hardware, Common Information Model (CIM) providers for managing third-party modules on the host, improvements to the performance or usability of the existing host features, and so on.
The host extension baselines that you create are always fixed. You must carefully select the appropriate extensions for the ESXi hosts in your environment.
You use extension baselines to install extensions on the ESXi hosts in your environment. After an extension is installed on a host, you can update the extension module through either patch or extension baselines.
Note: When you use extension baselines, you must be aware of the functional implications that the installation of new modules on the host might have. Extension modules might alter the behavior of ESXi hosts. During the installation of extensions, vSphere Lifecycle Manager only performs the checks and verifications expressed at the package level.
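The difference between dynamic and fixed patch baselines described under Patch Baselines above can be seen in a small model. This is an added example, not VMware code: the patch IDs, the depot snapshots, and the use of severity as the inclusion criterion are constructed assumptions, and the missing-patch check is a simplification of a real compliance check.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Patch:
    # Constructed sample record; IDs and severities are illustrative only.
    id: str
    severity: str  # assumed inclusion criterion, e.g. "critical" or "optional"

@dataclass
class FixedBaseline:
    patch_ids: set  # hand-picked once from the depot

    def resolve(self, depot):
        # Content never changes, whatever the depot holds now.
        return set(self.patch_ids)

@dataclass
class DynamicBaseline:
    severities: set                             # criteria for patch inclusion
    include: set = field(default_factory=set)   # manual inclusions
    exclude: set = field(default_factory=set)   # manual exclusions

    def resolve(self, depot):
        # Re-evaluated against the current depot on every call.
        available = {p.id for p in depot}
        matched = {p.id for p in depot if p.severity in self.severities}
        return (matched | (self.include & available)) - self.exclude

def missing(baseline, depot, installed):
    """Patches the baseline requires that the host lacks, sorted by ID."""
    return sorted(baseline.resolve(depot) - set(installed))

# Constructed depot snapshots: day 2 adds one new critical patch.
DEPOT_DAY1 = [Patch("P-001", "critical"),
              Patch("P-002", "optional"),
              Patch("P-003", "critical")]
DEPOT_DAY2 = DEPOT_DAY1 + [Patch("P-004", "critical")]

DYNAMIC = DynamicBaseline(severities={"critical"}, include={"P-002"}, exclude={"P-003"})
FIXED = FixedBaseline(patch_ids={"P-001", "P-003"})
HOST_INSTALLED = {"P-001", "P-002", "P-003"}  # constructed host state

if __name__ == "__main__":
    for day, depot in (("day 1", DEPOT_DAY1), ("day 2", DEPOT_DAY2)):
        print(day, "dynamic missing:", missing(DYNAMIC, depot, HOST_INSTALLED),
              "| fixed missing:", missing(FIXED, depot, HOST_INSTALLED))
```

On day 2 the dynamic baseline reports P-004 as missing while the fixed baseline still reports nothing, so a host that satisfies a fixed baseline can still lack patches released after that baseline was created.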
Baseline Groups
You create a baseline group by assembling existing and non-conflicting baselines. Baseline groups allow you to scan and remediate objects against multiple baselines at the same time.
The following are valid combinations of baselines that can make up a baseline group:
- Multiple host patch and extension baselines.
- One upgrade baseline and multiple patch and extension baselines.
To create, edit, or delete baselines and baseline groups, you must have the Manage Baseline privilege. To attach baselines and baseline groups to target inventory objects, you must have the Attach Baseline privilege. The privileges must be assigned on the vCenter Server system where vSphere Lifecycle Manager runs.
For more information about managing users, groups, roles, and permissions, see the vSphere Security documentation.
For a list of all vSphere Lifecycle Manager privileges and their descriptions, see vSphere Lifecycle Manager Privileges For Using Baselines.
Creating Baselines in vSphere 7.0 and Later Releases
Because in vSphere 7.0 and later releases the official VMware online depot hosts certified partner content in addition to VMware content, a broader set of OEM bulletins is available in the vSphere Lifecycle Manager depot. As a result, in the Create Baseline and Edit Baseline wizards, you also see a broader set of OEM bulletins. Some of these bulletins might have dependencies that must be pulled into the baselines that you create, so that the remediation against those baselines is successful. Always consult the KB article for an individual bulletin before you include it in a baseline. The KB article contains information about the bulletin deployment specifics and required dependencies. You must include in the baseline only bulletins that are compatible with the hardware on which the host is running. Otherwise, remediation might fail.
Starting with vSphere 7.0, some changes are also introduced in the way VMware content is packaged. As a result, at patch and update releases, you might see additional bulletins on the patch selection page of the Create Baseline and Edit Baseline wizards. Those bulletins are usually of the Enhancement or BugFix category. When you include those bulletins in a baseline, you might need to also include base ESXi bulletins in that baseline. To ensure successful application of VMware patches and updates, always include the appropriate roll-up bulletin in your baselines. Otherwise, remediation might fail.