SUMMARY: Patching

From: Brett Lanham (blanham@cleartrack.com)
Date: Mon Oct 07 2002 - 11:18:55 EDT


Thanks to Albert White, Richard Sullivan, Todd Jensen, David Foster, Jesse
Trucks, Tim Chipman, and Deborah Santomauro.

Below find my summary for advice on patching a Solaris box.

What seems to be the most popular practice for patching Solaris is to install
the latest patch cluster on some type of schedule. Several seem to be doing
that on a quarterly basis but I guess how often you do it depends on uptime
requirements, etc. I did get a chance to try out several of the methods
myself and here is what I found or feedback I got from others on the list.
See comments mixed in below.

>
> Anybody want to comment on the best methods or best practices for patching a
> Solaris 8 box? I've been searching some and have found that there seems to
> be several ways to do patches:
>
> 1. search and find each patch individually and then install
> separately.
>

This method can become a very daunting task but is basically the method you
follow when security alerts come out on a single package that needs to be
updated. Works well in between planned patch cluster installs, but, IMHO,
is way too time consuming for broad patching.

>
> 2. Download latest patch cluster for your system and run install_cluster
> script.
>

This seems to be the most popular method of patching. Most seem to have
some kind of schedule such as quarterly or every N weeks that they apply the
latest patch cluster. Several mentioned it is always a good idea to apply
the patches to a test box first if you have that luxury. I agree. Also
since the patch clusters do include kernel patches it was suggested by
several that you might want to drop to single user mode then do the patch
cluster install and then reboot the box. I did end up installing the latest
patch cluster myself and since it was a development box that is not heavily
used I decided to risk it and install the cluster in the default runlevel
(3). I finished the install, rebooted the box and have yet to see any major
problems.

Warning: on a tangent! The only problem I did see was long delays when
trying to telnet or ftp to the box. I figured out this was due to name
lookups, but I've so far been unable to determine what changed that caused
this to start happening after the patch install. This never occurred before
the patch cluster install. Any suggestions?

>
> 3. Use patchcheck to figure out what you need and then
> either create patch suite (sunsolve only) or go and download all patches in list
> individually and install.
>

I have also tried this method. This is basically a small Perl script that
uses a reference file (ftp://sunsolve.sun.com/pub/patches/patchdiag.xref),
that you must download regularly, to analyze your system and creates an HTML
document listing patches you may need. No one that responded made much
mention of this method so I can only speak from my own limited experience.
I found this to be a good way to compare where your box is (what's installed
at what patch level) with the latest available patches. And if you have a
sunsolve account (I currently don't) you can use this method to create your
own custom patch cluster (patchsuite).
http://sunsolve.sun.com/pub-cgi/show.pl?target=patchk

>
> 4. Use patchpro expert which is a java applet that creates a list of
> patches you need and you can download them all at once. Still have to
> install separately.
>

I got little feedback on this method as well. It works very similarly to
the above method only I think you get more of an overall listing of patches
that isn't quite as custom to your system. It is however slightly easier
provided you have X and Netscape. You have to go to Sun's website
(http://patchpro.sun.com/servlet/com.sun.patchpro.servlet.PatchProServlet)
and follow the link to Patch Pro Expert. This runs a java applet and after
granting your life away and answering a few questions it gives you a list of
patches you might need. As I said before I don't believe the list is
completely custom to the system you run it on. Also I'm sure many admins
will not want to deal with Netscape or feel comfortable granting the applet
all the access it asks for.

>
> 5. Use patch manager. I have yet to try this method but it
> looks like it might be the best way but I'm not sure.
>

This method was neither mentioned nor have I used it. One person did comment on
wanting to give it a try but that was the most I got. If anyone would like to
comment on this method then please feel free to shoot me an email.

>
> I've installed a patch or two here and there in the past but I must admit
> that I'm kind of behind so I'm looking into maybe getting a lot knocked out
> at once. What I'm curious about is what the rest of you guys do for
> patches. Does everyone do patches one by one or do you just grab the latest
> cluster and install that with the cluster install script?
>
> Do cluster installs take care of dependencies?
>

Yes the cluster install does take care of dependencies. When you download
and unpack the latest patch cluster you have all the patch directories, a
cluster install script, and a patch_order file. The install script uses the
patch_order file to do patchadd -M on the patches in the cluster. This
ensures they are installed in the correct order.

>
> What about kernel patches that say you have to be in single user mode?
> Do you need to go to single user mode to install a patch cluster? or are
> the kernel patches even included in the patch cluster?
>

Yes kernel patches are included in the patch clusters and it is recommended
that you drop to single user mode to install a patch cluster. As I
mentioned above I did not drop to single user mode when I installed the
patch cluster and I have yet to have any problems, but that may only be due
to what was patched this time around. I will probably drop to single user
mode in the future unless I feel confident about what is going to be patched
won't harm the running system.

>
> What about patch manager? Does that require sunsolve registration?
>

Nothing to add. If you have info you'd like to share with me I'd be
grateful.

Brett
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
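
The following is an added example, not part of the original post or of Sun's tooling: a pre-install check that compares an unpacked cluster's patch_order file against saved `showrev -p` output and lists the patches that are missing or installed at a lower revision. The names `cluster_gaps`, `run_sample` and `AWK` are hypothetical, and the patch IDs in the sample are constructed.

```shell
#!/bin/sh
# Added example. Lists patches named in a cluster's patch_order file that are
# absent or installed at a lower revision, judged against `showrev -p` output.
# It does not follow Obsoletes: lists, so an obsoleted patch shows as missing.
AWK=${AWK:-awk}   # on Solaris set AWK=nawk; the old /usr/bin/awk lacks ARGV

# cluster_gaps PATCH_ORDER SHOWREV_OUTPUT
cluster_gaps() {
    "$AWK" '
        # showrev -p lines: "Patch: 100001-03 Obsoletes: ... Packages: ..."
        FILENAME == ARGV[1] {
            if ($1 == "Patch:") {
                split($2, p, "-")
                # keep the highest installed revision per base patch ID
                if (!(p[1] in have) || p[2] + 0 > have[p[1]] + 0) have[p[1]] = p[2]
            }
            next
        }
        # patch_order lines: one patch ID per line, in install order
        /^[0-9]+-[0-9]+$/ {
            split($1, p, "-")
            if (!(p[1] in have)) { print $1, "installed=none" }
            else if (have[p[1]] + 0 < p[2] + 0) {
                print $1, "installed=" p[1] "-" have[p[1]]
            }
        }
    ' "$2" "$1"
}

# Constructed sample data: made-up patch IDs in the real file layouts.
run_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 100001-05 100002-02 100003-11 > "$d/patch_order"
    cat > "$d/showrev.out" <<'EOF'
Patch: 100001-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 100001-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 100003-11 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
EOF
    cluster_gaps "$d/patch_order" "$d/showrev.out"
    rm -rf "$d"
}

run_sample
```

On a real system the second argument would be a file made with `showrev -p > showrev.out` before the install, which also leaves a record of the pre-patch state to compare against afterwards.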


