SUMMARY: solaris patch management

From: Geoff Lane (zzassgl@zoe.mcc.ac.uk)
Date: Tue Jul 13 2004 - 03:59:23 EDT


Thanks for the replies - sorry about the delayed summary.

I've had a look at the "commercial" alternatives suggested and they all seem
to be over engineered and, for us, no real improvement on patchchk.

I'm a little concerned that Sun is being pressured by "marketing" into
adopting a SMC based solution suitable for non-experts and forgetting the
rest of us who are running high profile services that cannot be interrupted
on demand. I hope that Sun will ask for comments before implementing any
new patch management schemes.

I also hope Sun continues to create and publish either patchdiag.xref or
something with a similar or better level of detail. Then we can always
implement patch management schemes that suit our sites rather than be forced
to adopt a general solution.

Reply Summaries

Andy Kannberg suggested srsnet -- It does more than patch management. But it
        can generate a report which tells you which patches are installed on
        the system, divided in recommended and security. It does not tell
        you whether the patch has dependencies and if a reboot is needed,
        but within the report, you can link to the patches which are not
        installed/not uprev to see what the prerequisites are.

        SRSnetconnect can be used for free if you have a SUN contract. It
        can be downloaded from
        http://www.sun.com/service/support/srs/netconnect/
        
Fredrik Robertsson reports that something new is coming from Sun -- we just
        had our quarterly support meeting with Sun, and they told us that
        they are currently working on a "new patch strategy". Mainly they
        are trying to merge several tools into one tool to rule them all or
        something like that. Since patchdiag.xref is used by the LISA tool
        to analyze Explorer dumps against, I would assume that it will be
        available for quite some time...
        
Gene Siepka suggested Traffic Light Patch Manager -- TLP will analyze your
        system, and create a patch bundle for you, along with giving you a
        patch order file. Also, probably the coolest thing about it is that
        it can generate a patch bundle based on Explorer output. So if you
        set up Explorer on your 50 or so servers, and have them sent to one
        box, (like a gateway box that has internet access to send Explorer
        output to Sun) you can load TLP on that box and create your patch
        bundles there.
        
        However, as with all good things, there is a catch, as we found out.
        First off, TLP is not free; it's not even freely available. It's used
        in the UK already; however, it's unused here in the US. Also, the
        patches are generated from the monthly EIS CDs, which are not made
        available to customers. What our Sun rep told us is that we could
        build a patch management server, which also holds our Explorer
        output. And they could install an EIS CD on this server, for a
        nominal fee. (5000 a quarter)
        
        We are trying to get management approval for the cost, but this
        sounds like the best thing Sun has available for patches right now.
        Hopefully they can release TLP to everyone soon, as it seems like a
        pretty cool thing to keep servers up to date.

Javier Palacios described a home grown solution based on "yum" -- Hello,
        this is not exactly a solution for patching, but might be. Some
        months ago, I modified yum (an rpm packages tool) to work with Solaris
        pkgs, and it is able to install, remove and update packages from a
        remote repository. As our patching policy is 'relaxed', I've not
        taken it too seriously. It behaves as if the latest patch were the only
        one to apply, and installs the patch with a 'pkgadd' of the package
        subdirectory on the patch tarball.

> Does anybody know if the patchdiag.xref file will continue to be updated and
> made available? If so, I suppose I'll just have to write my own patch
> management scheme... again.

        Now that you have pointed me to patchk, I'll try to import the logic
        into my yum4sol (it is Python). Right now, it is quite limited as a
        patching tool, but might be a good starting point.

Dave Foster suggested a product called "Patchlink" -- If you can go
        commercial, Patchlink is a very nice product, we use it to patch our
        Windows systems but it can also handle Linux and Solaris.

pdg describes a home grown python script -- I have written a python script
        which parses the xref file and works out what to patch on the
        current machine, then either complains it cannot find the patch or
        installs the patch if it can find it (in a specified location). It
        may be useful to you.

        (start tirade)

        However, the xref file is crap. Not only is the format ridiculously
        difficult to parse, it never seems to accurately reflect the current
        situation with patches and I end up having to hack the xref file to
        make it agree with reality. Every month I run this, and I always end
        up (according to the xref file) with patches depending on patches
        that are withdrawn or superseded or similar. It drives me crazy.

        (end tirade).

        The whole thing needs a revamp at the SUN end.

Original Question ----------------------------------------------

Since the "official" view of patchk is that it's dead[1], I've been looking
at the available alternatives.

Straight off I see that PatchPro Interactive and PatchPro Expert are useless
to us as they are purely interactive - with 50 odd machines to look after
whatever replaces patchk has to generate reports automatically.

PatchPro 2.2 looks more useful but we don't add patches without first
checking them so the automatic installation features can't be used. As we
can't reboot our systems on demand, any patch that needs a reboot must be
reviewed for importance. The "smpatch analyze" command looks useful at first
glance but the report it generates doesn't distinguish between security,
recommended and general patches at all! Neither does it indicate
dependencies, reboot needs, patch ages or any of the information a sysadmin
might need to assess the urgency of a particular patch. So it turns out
that we can't make use of PatchPro.

Does anybody know if the patchdiag.xref file will continue to be updated and
made available? If so, I suppose I'll just have to write my own patch
management scheme... again.

[1] "As of February 29, Patch Check will no longer be available for
download. Please transition to using Patch Manager by that date."
        http://uk.sunsolve.sun.com/pub-cgi/show.pl?target=patchk
Actually, it remains available as of today.

-- 
| Geoff. Lane | Manchester Computing | Manchester | M13 9PL | England |
IBM manuals are neither written by, nor for, humans.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:29:04 EDT