Update Hyper-V Hosts
How important is patch management for virtual hosts?
Virtual hosts are computers running Microsoft-based operating systems (naturally, there are other options such as VMware-based or XEN-based hosts, but I do not discuss these in this article). Virtual machine host updates are just as important as keeping any Windows-based operating system up to date, which in turn will help maintain a stable and secure virtual host environment.
Coordinating the right time to apply patches
The coordination of your host patches is important. Your design objective should be to follow host patch management best practices with as few disruptions as possible to your most critical VMs, mostly because:
1. Some (but not all) of the Hyper-V updates might need a reboot of the host. This means that you will need to find the right point in time to do that. You can work around this by implementing Hyper-V Quick Migration, which allows you to move guest VMs to another Hyper-V host with little guest interruption. In Windows Server 2008 R2, you can use Live Migration, which allows you to move guest VMs to another Hyper-V host without any guest downtime or interruption to service.
2. When applying patches, some might require that the guest VMs be in a shutdown state when the patches are applied. This means that you cannot put these VMs in a saved state for faster resuming. To determine VM status requirements, read the patch's release notes.
3. Sometimes, for some patches, the guest VMs might need to also be updated. For example, Service Pack 2 required that the guest VMs update the Integration Components (IC) for Hyper-V. Again, read the patch's release notes for more information.
4. Some patches might cause issues with either the VMs or the host itself, resulting in a longer than planned downtime. So far, this has not been the case with Windows Server 2008 Hyper-V patches, but if you recall VMware's update 2 for ESX/ESXi, and the fiasco that followed it, then you must be aware of that potential issue. Hopefully, we won't see a similar issue with Microsoft's updates.
Reduce the number of needed patches by using Server Core or Hyper-V Server 2008
In Windows Server 2008 and R2, the Server Core installation provides a minimal environment for running specific server roles, which reduces the maintenance and management requirements and the attack surface for those server roles.
Besides regular Server Core, you can opt to use Microsoft Hyper-V Server 2008/R2. Hyper-V Server is a slimmed-down Server Core installation version of Windows Server 2008, even more stripped-down than regular Server Core, with only the functionality specific to running the Hyper-V role. The benefit of these small, slimmed-down versions is their smaller attack surface. Because fewer components are installed on the system, fewer patches are needed for the virtualization host and.
Another benefit of using Server Core or Hyper-V Server instead of the full installation of Windows Server 2008/R2 is lower resource usage by the host itself, leaving more CPU and memory to the guest VMs.
However, there are some tradeoffs with Server Core or Hyper-V Server, mostly related to the lack of GUI-based management tools and a higher learning curve. You can look for additional Server Core articles on the site for more information on how to easily manage this type of installation.
Reduce downtime by using Failover Clustering
As noted above, implementing Live Migration will greatly reduce the downtime of your virtual machine guests due to host maintenance and patching. By implementing Live Migration, you will be able to seamlessly move VM guests from one host to another in the datacenter, without ANY conceivable downtime to the VMs, the data, applications and/or services installed on them.
As a tradeoff, implementing Failover Clustering has some considerations you need to take into account, mostly due to the fact that it requires the Enterprise or Datacenter editions of Windows Server 2008 R2, plus the introduction of storage devices, if you do not have those already. However, if service level is a concern and if downtime of hosts and VMs is closely monitored, then Failover Clustering is the answer.
Installing the updates or patches is usually pretty easy. In Windows Server 2008/R2 that runs in full installation mode, installing the updates is usually done by using either Windows Update or Windows Server Update Services (WSUS).
As noted above, when selecting the automatic updates options, make sure you consider the fact that, if a critical update is detected, the Hyper-V host will download it and install it that night, at 3 AM. If the host needs to reboot, the guest VMs might need to be shut down, which means moments of downtime for applications, data or services that are located on those guest VMs.
To help you mitigate the downtime you might consider configuring the VM behavior when the host is shut down...
And what happens to the VM when the host restarts.
You can also install updates by manually downloading the .MSU files and installing them yourself.
Description of the Windows Update Stand-alone Installer (Wusa.exe) and of .msu files in Windows Vista and in Windows Server 2008
Msiexec (command-line options)
On Server Core installations, because there is no GUI to work with, you can use several methods to install updates.
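One such method, shown as an added example that is not part of the original article: a PowerShell script that warns about guests that are not shut down (see point 2 above) and then installs downloaded .msu files with wusa.exe without letting the host reboot on its own. It assumes Windows Server 2008 R2 with PowerShell 2.0 enabled; the folder C:\Patches and the -RequireGuestsOff switch are hypothetical names.

```powershell
# Added example, not from the original article.
# Assumptions: PowerShell 2.0 on the host; C:\Patches (hypothetical) holds the .msu files.
param(
    [string]$PatchDir = 'C:\Patches',
    [switch]$RequireGuestsOff   # set when the release notes demand shut-down guests
)

# Hyper-V WMI provider on Windows Server 2008/R2.
# EnabledState: 2 = running, 3 = off, 32768 = paused, 32769 = saved.
$vms = Get-WmiObject -Namespace 'root\virtualization' -Class Msvm_ComputerSystem |
       Where-Object { $_.Caption -eq 'Virtual Machine' }
$notOff = @($vms | Where-Object { $_.EnabledState -ne 3 })
if ($notOff.Count -gt 0) {
    Write-Warning 'Guests that are not shut down (a saved state does not count as off):'
    $notOff | ForEach-Object { '  {0} (EnabledState {1})' -f $_.ElementName, $_.EnabledState }
    if ($RequireGuestsOff) {
        Write-Error 'Shut down or migrate these guests first. No update was installed.'
        exit 1
    }
}

$rebootNeeded = $false
foreach ($msu in Get-ChildItem -Path $PatchDir -Filter *.msu | Sort-Object Name) {
    # /quiet /norestart: install silently and never reboot the host automatically.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
            -ArgumentList "`"$($msu.FullName)`" /quiet /norestart" -Wait -PassThru
    $code = $p.ExitCode
    if     ($code -eq 0)           { $result = 'installed' }
    elseif ($code -eq 3010)        { $result = 'installed, reboot required'; $rebootNeeded = $true }
    elseif ($code -eq 2359302)     { $result = 'already installed' }              # 0x00240006
    elseif ($code -eq -2145124329) { $result = 'not applicable to this system' }  # 0x80240017
    else                           { $result = "FAILED (exit code $code)" }
    '{0}: {1}' -f $msu.Name, $result
}

if ($rebootNeeded) {
    'Reboot pending: move or shut down the guest VMs, then restart the host in the maintenance window.'
}
```

Because the script never restarts the host itself, the reboot stays a deliberate step that can be scheduled after the guests have been migrated or shut down.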
For a good place to start looking for these updates and patches you can use these 2 links:
Comprehensive List of Hyper-V Updates
Hyper-V Update List for Windows Server 2008 R2
In conclusion, working with virtualization does not exempt you from taking care of the patching and updating of the virtual hosts. Failing to do so might introduce security and functionality issues to your system, which is why it's important to update Hyper-V.