I often get asked about “How do I keep my gold image update to date” in a VDI environment. Does not matter if we are talking about VMware View or Citrix XenDesktop, customers of both have similar questions. The fact is you work from some master image for these technologies and you need a good process for keeping them up to date and releasing new updates. So I have put together some thoughts on this and want to try and make this a collaborative effort. So if you have something that works for you share with others in the comments or get a message to me.
What needs to be done
There needs to be some form of cadence when you update an image so that things do not get missed. I don’t care if you have just one image or if you have multiple to keep updated, You’re going to miss things if you don’t have a process. So I’ve put together a list to start of what might need to be updated each time you do gold image maintenance.
- Operating System patches
- Application updates
- Antivirus Definitions – there’s better ways than this
- Add or remove applications
- Version tracking
Gold Image updates
This is the part I would like to hear feedback from others on. These are the major steps that I think should be accounted for in image management. I’ve broken them down into steps and explained my thoughts on them.
Clone image – This seems pretty obvious but wanted to make sure it was clear. You could just update your existing image but I personally make a clone of the image and perform my updates on the new clone. This clone will ultimately become the new gold image once the updates are done. I do this rather than just updating the existing and continuing to add more and more snapshots to it. I tend to keep a few versions around in case I have to roll back and also keep additional older versions on some type of backup media.
OS updates – Also a bit of an assumption here but you need some regular schedule of OS patching. This might mesh with your normal desktop patching schedule or might be specific to this. But you need to set a schedule for performing these updates. You should know if it will be done once a month will you be applying all patches, what if something of high concern comes out and you are required to update in between your regular updates.
You might manually go in and run windows update manager or maybe you have a tool for this. I read a post from Sean Massey a VMUG member from Wisconsin that he came up with for using WSUS you can read here.
Application updates – Almost no customer can completely keep applications from being installed into their images. There are just some applications that work better in the image than being presented by other methods or being virtualized in some manner. You will either need to update these at the same time you are doing the other updates or have their own schedule. To cut down on your maintenance activities I would look at doing them all in the same window when possible.
Antivirus updates – I’m not a fan of installing AV products into your gold images but if you must than look for ways to optimize the process. Vendors like Symantec have guides for using their products in VDI environments that deal with how to install, update and setup scans. There should also be guidance around how you should be updating definitions and such. Do you leave auto updates on or just update in the image update process? This will help with operations and performance. The better way would be to adopt a AV product that can scan at the hypervisor level and utilize the vShield Endpoint features from VMware.
QA testing – So you have done all your updates are you going to just put that image back into service? Well some will but I would recommend that you spend time testing and putting the updated image through some type of QA process. At minimum I would create a check list of things that you can test the image against, maybe a list of web sites or running applications that are common in your environment. Don’t forget to do some basic user tasks like web browsing, flash, java etc. To accomplish this I would recommend you create a new temp desktop pool and use the updated image. This would allow you to test the image as it will be used by your customers, rather than just testing by using the VM directly.
Update tracker – So you’ve done all these updates now what? Well I bet by lunch you will have forgotten what you all updated. This means that you will need a method for tracking what was updated in the image. To accomplish this I think a few things need to be done. The first is come up with some type of version tracking for your gold images. I think something as simple as tracking versions works for most and incorporating them into the naming convention, examples below. Also to track version info I think you should incorporate the version number into the build in some method. I have seen customers add a registry key with the version info in it. This is a good idea because you can look at this if you need to confirm what version a user is running if needed.
The last part of tracking updates is some type of a change log or build sheet. When you make updates and changes I think you need a way to see what is in the current version being used and what was in previous versions. This would help in troubleshooting and also audits. A simple idea that I had was to create a spreadsheet for this tracking. I’ve created a simple Google doc that you can use as a starting point and build from for your environment. You can access the doc direct via this link.
To wrap things up these are a few of my thoughts on this. I’m sure others have some great ideas and if we share, this list can be updated and become a great resources for others to use.
About Brian Suhr
Brian is a VCDX5-DCV and a Sr. Tech Marketing Engineer at Nutanix and owner of this website. He is active in the VMware community and helps lead the Chicago VMUG group. Specializing in VDI and Cloud project designs. Awarded VMware vExpert status 6 years for 2016 - 2011. VCP3, VCP5, VCP5-Iaas, VCP-Cloud, VCAP-DTD, VCAP5-DCD, VCAP5-DCA, VCA-DT, VCP5-DT, Cisco UCS Design