Throwing Sun's Patch Management Tools Away
Posted by Ceri Davies Fri, 15 Dec 2006 19:46:00 GMT
Patching Solaris is difficult
Patching Solaris has historically been hard work: cross-referencing the installed patches (showrev -p) with the installed release (cat /etc/release) against the latest Recommended patch cluster and the patch report at SunSolve.
Sun tools actually make it harder
Since this is such a nightmare, Sun have offered a huge number of methods for patching Solaris systems. Some are no longer properly maintained or don’t support recent releases, some are heavy X-based monsters, some have a huge dependency list (33 packages for smpatch in Solaris 10 6/06, and that’s not only the ‘light’ version, but is also incomplete). The one thing they have in common is that they suck.
smpatch is the worst of the lot
After a recent experience where smpatch not only rendered a production machine unbootable, but required three reboots to do so and then had failed to even offer all of the available patches, I’ve had enough.
From now on we’ll be using Patch Check Advanced (PCA) from http://www.par.univie.ac.at/solaris/pca/.
Patch Check Advanced
PCA is basically a Perl script that uses the daily patch cross-reference file that Sun produce to find the patches that apply to a given system, and it knows the order in which they must be installed. It can then download and apply the patches that you want to install.
Installing PCA
At work I produce a package for the latest release of PCA; that basically just installs the script and the manpage under /usr/local as well as creating a spool directory /var/sadm/pca/spool. It also creates /etc/pca.conf, mode 0400, with the following content:
patchdir=/var/sadm/pca/spool
xrefdir=/var/sadm/pca
xrefown
# You do not need to set these parameters, but it is recommended
# in order that you get all of the patches. Fill them in with a
# valid SunSolve login.
passwd=XXXXXXXX
user=XXXXXXXX
Add a SunSolve account ID to /etc/pca.conf
Just running the script as it is will get you all patches for Solaris 8 and 9, but for Solaris 10 you only get security and critical bug fixes by default. In order to get everything, edit /etc/pca.conf and add a user name and password for SunSolve (these are free to sign up for at http://sunsolve.sun.com).
Using PCA
Using PCA is easy. The author even provides a good man page.
Here's the basic functionality though.
Viewing available patches
Use -l for list.
# /usr/local/sbin/pca -l
Download xref-file to /var/sadm/pca/patchdiag.xref: done
Using /var/sadm/pca/patchdiag.xref from Dec/13/06
Host: peon.mumble.example.ac.uk (SunOS 5.10/Generic_118833-24/sparc/sun4u)
Patch  IR   CR RSB Age Synopsis
------ -- - -- --- --- -------------------------------------------------------
117463 02 < 03 ---  62 SunOS 5.10: passwdutil Patch
118346 04 < 05 --- 177 SunOS 5.10: libnsl Patch
118367 03 < 04 ---  31 SunOS 5.10: csh Patch
118560 01 < 02 RS-  91 SunOS 5.10: usr/bin/telnet patch
118564 02 < 03 --- 153 SunOS 5.10: libproc.so.1 patch
118815 03 < 04 R-- 115 SunOS 5.10: awk patch
118872 02 < 04 --- 118 SunOS 5.10: ksh patch
118925 03 < 04 --- 154 SunOS 5.10: unistd header file patch
Here, Patch is the patch number, IR is the installed revision, CR is the current revision, RSB indicates whether the patch is Recommended, Security-related or Bad, Age is the number of days since the patch was released, and Synopsis is self-explanatory.
You can see that even though I patched this system with smpatch some 20 days ago, there are patches that are nearly six months old that I don't have. What a POS.
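As an added example (not part of PCA or of this post), a small sh/awk helper that turns the -l listing into a nightly check: it flags outstanding Security-related patches older than a given age, and anything marked Bad so it is not installed blindly. It assumes the column layout shown above (Patch IR < CR RSB Age Synopsis); the function names and the sample listing are constructed here, and 999999 is a placeholder, not a real patch.

```shell
# Constructed sample in the shape of the "pca -l" listing above; the 999999
# row is a placeholder standing in for a patch flagged Bad, not a real patch.
PCA_SAMPLE='Using /var/sadm/pca/patchdiag.xref from Dec/13/06
Host: peon.mumble.example.ac.uk (SunOS 5.10/Generic_118833-24/sparc/sun4u)
Patch  IR   CR RSB Age Synopsis
------ -- - -- --- --- -------------------------------------------
117463 02 < 03 ---  62 SunOS 5.10: passwdutil Patch
118560 01 < 02 RS-  91 SunOS 5.10: usr/bin/telnet patch
118815 03 < 04 R-- 115 SunOS 5.10: awk patch
999999 01 < 02 --B  10 SunOS 5.10: placeholder Bad patch'

# pca_triage MAXAGE: read a "pca -l" listing on stdin and print one line per
# patch that needs attention (hypothetical helper, not a PCA option):
#   "BAD patch-rev"           RSB contains B: do not install, check SunSolve
#   "SECURITY patch-rev age"  RSB contains S and Age >= MAXAGE days
# Columns are Patch IR < CR RSB Age Synopsis, so $4 is the current revision.
pca_triage() {
    awk -v maxage="$1" '
        # Skip the xref/Host/header/dash lines: patch rows start with a six-digit id.
        $1 !~ /^[0-9][0-9][0-9][0-9][0-9][0-9]$/ || NF < 6 { next }
        $5 ~ /B/ { printf "BAD %s-%s\n", $1, $4; next }
        $5 ~ /S/ && $6 + 0 >= maxage { printf "SECURITY %s-%s %d\n", $1, $4, $6 }
    '
}

# Run the triage over the constructed sample; in production this would be
# "/usr/local/sbin/pca -l | pca_triage 30" from cron.
triage_sample() { printf '%s\n' "$PCA_SAMPLE" | pca_triage "$1"; }

triage_sample 30
```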
Downloading available patches
Use -d for download. If you want to download particular patches, list them after the -d.
# /usr/local/sbin/pca -d
Using /var/sadm/pca/patchdiag.xref from Dec/13/06
Host: peon.mumble.example.ac.uk (SunOS 5.10/Generic_118833-24/sparc/sun4u)
Patch  IR   CR RSB Age Synopsis
------ -- - -- --- --- -------------------------------------------------------
117463 02 < 03 ---  62 SunOS 5.10: passwdutil Patch
Download 1/120: skipped - file exists
118346 04 < 05 --- 177 SunOS 5.10: libnsl Patch
Download 2/120: failed
118367 03 < 04 ---  31 SunOS 5.10: csh Patch
Download 3/120: failed
118560 01 < 02 RS-  91 SunOS 5.10: usr/bin/telnet patch
Download 4/120: done
If the file is already downloaded, it is skipped and not downloaded again.
The downloads that are listed as failed may have failed because they are not available without a SunSolve login. Sure enough, adding a valid account to /etc/pca.conf and trying again yields:
# /usr/local/sbin/pca -d
Using /var/sadm/pca/patchdiag.xref from Dec/13/06
Host: peon.mumble.example.ac.uk (SunOS 5.10/Generic_118833-24/sparc/sun4u)
Patch  IR   CR RSB Age Synopsis
------ -- - -- --- --- -------------------------------------------------------
117463 02 < 03 ---  62 SunOS 5.10: passwdutil Patch
Download 1/120: skipped - file exists
118346 04 < 05 --- 177 SunOS 5.10: libnsl Patch
Download 2/120: done
118367 03 < 04 ---  31 SunOS 5.10: csh Patch
Download 3/120: done
118560 01 < 02 RS-  91 SunOS 5.10: usr/bin/telnet patch
Download 4/120: skipped - file exists
Installing patches
Use -i for install. If you want to install particular patches, list them after the -i. To install only patches that do not require a reboot, add -n.
Any patches that haven't yet been downloaded will be downloaded automatically.
# /usr/local/sbin/pca -i -n
Using /var/sadm/pca/patchdiag.xref from Dec/13/06
Host: peon.mumble.example.ac.uk (SunOS 5.10/Generic_118833-24/sparc/sun4u)
Patch  IR   CR RSB Age Synopsis
------ -- - -- --- --- -------------------------------------------------------
117463 02 < 03 ---  62 SunOS 5.10: passwdutil Patch
Download 1/120: skipped - file exists
Install 1/120: skipped - reboot required
118346 04 < 05 --- 177 SunOS 5.10: libnsl Patch
Download 2/120: skipped - file exists
Install 2/120: skipped - reboot required
118367 03 < 04 ---  31 SunOS 5.10: csh Patch
Download 3/120: skipped - file exists
Install 3/120: done
118560 01 < 02 RS-  91 SunOS 5.10: usr/bin/telnet patch
Download 4/120: skipped - file exists
Install 4/120: done
If you installed a patch that does require a reboot, you'll be told:
# /usr/local/sbin/pca -i 117463
Using /var/sadm/pca/patchdiag.xref from Dec/13/06
Host: peon.mumble.example.ac.uk (SunOS 5.10/Generic_118833-24/sparc/sun4u)
Patch  IR   CR RSB Age Synopsis
------ -- - -- --- --- -------------------------------------------------------
117463 02 < 03 ---  62 SunOS 5.10: passwdutil Patch
Download 1/1: skipped - file exists
Install 1/1: done - reboot
Download Summary: 1 total, 0 successful, 1 skipped, 0 failed
Install Summary : 1 total, 1 successful, 0 skipped, 0 failed
Reboot required to complete patch process.
# init 6
That's pretty much it. I'll be using PCA for the foreseeable future on all of my Solaris systems, and would like to express again my gratitude to the author.
Swell tool! Just tried it on a 5.9 scrap system that had been up for 1061 days, 421 patches downloaded and installed. Thanks for the hint! Btw, do you know of a way to clean up the backout backups after everything is determined to be fine and dandy?
To be honest, I don't usually clean up the backout backups; it's not something I've really had to worry about. You should be able to just go through and get rid of the save/ directories though.