solaris patching guide

Upload: apletonprince

Post on 08-Aug-2018


  • 8/22/2019 Solaris Patching Guide

    1/5

    6/27/13 Document Display

    https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?_adf.ctr l-state=13z7b6ooqz_1108

    The Beginner's Guide to Oracle Solaris Patching [ID 1005835.1]

    Modified: Mar 19, 2013 Type: HOWTO Migrated ID: 208108 Status: PUBLISHED Priority: 3

    Applies to:

    Solaris SPARC Operating System - Version 8.0 to 10 1/13 U11 [Release 8.0 to 10.0]

    Solaris x64/x86 Operating System - Version 8 6/00 U1 to 10 1/13 U11 [Release 8.0 to 10.0]

    All Platforms

    Goal

    There are a lot of documents available about patching the Solaris Operating Environment, but this guide is a simple,

    quick reference for beginners to become acquainted with the patch process and common "gotchas" when installing

    patches.

    Fix

    This document covers the following topics:

    1. What is a patch anyway?

    2. What does patchadd do?

    3. What does patchrm do?

    4. patchadd and patchrm : Most common options.

    5. Patch Clusters ?

    6. What's a T-patch?

    7. Patch installation from an NFS mounted filesystem.

    8. Troubleshooting

    9. Deciphering patchadd / patchrm failure error codes

    10. Related documents

    What is a patch anyway?

    A patch fixes problems that prevent the proper execution of software. It is a collection of files and directories that

    replace or update existing files/binaries and directories.

    To be more specific: The entire OS is installed as a collection of Solaris packages. This is done during the OS installation via the pkgadd command. Patches are built in a similar fashion. Patches are partial packages which replace files in the existing packages and then update the pkg/patch databases.

    Some patches only update one package in the OS; others update several packages. To get an idea as to which packages might be updated by a patch, look into the patch directory itself. There will be at least one sub-directory for each package which will be updated.

    Many 3rd party applications are also distributed and patched using the same pkgadd/patchadd mechanism.

    What does patchadd do?

    # /usr/sbin/patchadd /path/to

    1. Checks package version and OS release information

    2. Copies files from the patch directory to their final destinations. Patches are also capable of modifying the contents of files instead of just replacing them.

    3. Updates the pkginfo file with:

    patches now obsoleted

    other required patches

    incompatible patches

    its own current patch information

    4. Archives outdated files and dirs to /var/sadm/pkg/save (in a compressed format)

    5. Logs the patch installation to the /var/sadm/pkg/patch/{patch-id} directory. NOTE: This is not the directory that patchadd -p or showrev -p look at to determine which patches are installed. Those commands look at the /var/sadm/pkg/pkginfo file to compile a list of installed patches.

    6. Updates the /var/sadm/pkg/pkginfo file

    What does patchrm do?

    # /usr/sbin/patchrm

    Attempts to restore the system to the pre-patch installation state. It returns files and directories archived in the /var/sadm/pkg/save directory to their original locations and removes the versions installed by the patch.

    patchadd and patchrm: The most common options.

    # /usr/sbin/patchadd

    -d Don't back up the files to be patched. The patch can't be backed out after using this option. Sometimes people use this when disk space is low. Using this option is extremely discouraged as the patch cannot ever be backed out! Sometimes this option is used by mistake (it is often confused with the pkgadd -d option; there is an RFE on this: 4890609). Also see document 1006707.1.

    -p Print list of patches. Same as " showrev -p "

    -u Install unconditionally, even if files to be patched have been modified.

    -M Installs multiple patches. You can list multiple patches separated by a space or include a file containing a list of

    patches.

    # /usr/sbin/patchrm

    -f Forces removal. Sometimes this is needed when a later patch revision was applied.

    -B Removes a patch whose backout data was not stored in /var/sadm/patch/{patch-id}.

    -R Removes a patch from alternate root directory structure. This comes in handy when backing out a patch on a

    diskless client OS image or when removing patch while booted from a CDROM.

    (i.e. patchrm -R /export/root/client1 104945-02 or patchrm -R /a 104945-02 )

    If using this while booted from CDROM, the entire OS directory structure needs to be properly mounted on the

    alternate root directory.

    If the OS is installed as a flat fs, then only root slice needs to be mounted on /a

    Otherwise mount:

    root slice on /a

    var slice on /a/var

    usr slice on /a/usr

    See patchadd(1M) and patchrm(1M) for more information on both commands.

    For troubleshooting and root cause analysis of patchadd/patchrm issues, download the patchanalysis_gather.txt script from http://www.oracle.com/technetwork/systems/articles/patchanalysis-jsp-137407.html

    Patch Clusters

    Recommended Patch Cluster

    A list of tested patches that the customer can download in order to be "up to date" with patch revisions at a point in

    time. They include security and other recommended patches for optimum system functionality. See bug 4899226 for

    some useful info.

    What is a "T-patch"?

    A "T-patch" is a "test patch".

    When a customer calls in a bug that is high priority and needs quick resolution, there's a separate special group that

    may opt to provide them with a T-patch.

    Patch installation from an NFS mounted filesystem

    It is common practice to install patches from an NFS mounted filesystem, especially if several systems need to be patched. Patching from an NFS mounted filesystem is similar to patching locally since all the same rules and commands apply. However, patches located on an NFS mounted filesystem might have been created with a different userid (uid) and groupid (gid), and the system(s) that need to be patched might not have the same set of uids and gids. In such a case, the other/world permission plays an important role (a file/directory always has user permission, group permission, and other/world permission).

    When patchadd runs as root on the local system, it switches to user "install". If the "install" user does not exist, then it switches to the user "nobody". If user root / nobody does not belong to the same groupid (gid) as set on the patches or the directory containing the patches, then it relies on the other/world permission. The directory containing the patches, and the individual patch files and directories, should have read(r) and execute(x) permissions set for other/world. This will ensure that patch install scripts do not fail.

    Document 1339267.1 provides more data on this as well.

    Sun Bug ID 6188748 discusses the patchadd command for NFS in more detail.

    Troubleshooting:

    1. Always review the patch README file!!!! Many patches have dependencies or require special install

    prerequisites. OpenBoot PROM (OBP or Flash) patches and patch clusters are installed by running a completely

    different script than "patchadd". So to always be safe, please read the README!

    2. Enter single user mode if at all possible. "Live patching" the kernel or system libraries while the system is in multiuser mode can cause problems - single user mode avoids most of these problems. This is VERY important when installing any kernel or library patches or patch clusters (since they contain both of those patches).

    3. Check for free disk space in the /var directory. Old files and directories which are replaced by a patch will be

    stored in the /var directory tree.

    4. Ensure that an entry for the user nobody is in the /etc/passwd and /etc/shadow files and that it is properly

    configured. The patch scripts require the User ID nobody to function properly.

    5. Copy the entire uncompressed tar patch file to the /tmp directory. Note: on Solaris 8 and above, /var/tmp is also a tmpfs but the preferred location is still /tmp. Use df -kl to confirm that /tmp is actually mounted as a tmpfs. This avoids permissions problems. Uncompress and extract the patch file in the /tmp

    directory. Special Note for ftp downloading: Make sure customer sets binary mode before download:

    #ftp> bin

    #ftp> get

    Customers can avoid a lot of problems by downloading the patch directly to the Sun system they are loading the patch onto. Transfers between systems (especially if a PC running MS Windows is involved in the process) can be troublesome. If they need to transfer, make sure they do not uncompress the patch until it is on the system the patch will be loaded onto.

    6. Use the right command, i.e. installpatch, patchadd, or install_cluster. Pre-2.5.1 OS may require installpatch / backoutpatch. The README file will always give you the appropriate command to use. Be sure you are adding the patch as root, i.e. did you su - root before issuing the patch commands?

    7. The installpatch command uses the Korn shell (ksh). To avoid problems, patch the ksh itself first.

    8. For patch install from an NFS mounted filesystem, check to see if other/world permission has been set to

    read(r) and execute(x) on directory containing the patches, and the individual patch files and directories.
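
    The other/world permission check from the NFS section and from step 8, as an added example (not part of the original Oracle document). It assumes directories need o+r and o+x and regular files need o+r; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list patch files/directories that the unprivileged
# "install"/"nobody" user could not reach through other/world permissions.

# Print every entry under $1 that lacks the needed other/world bits.
# Assumption: directories need o+r and o+x (005), regular files o+r (004).
list_blocked_entries() {
    find "$1" \( \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \) \) -print
}

# Return 0 when the whole patch tree is usable, 1 when entries are blocked,
# 2 when the argument is not a directory.
check_patch_tree() {
    patch_dir=$1
    if [ ! -d "$patch_dir" ]; then
        echo "ERROR: $patch_dir is not a directory" >&2
        return 2
    fi
    blocked=$(list_blocked_entries "$patch_dir")
    if [ -n "$blocked" ]; then
        echo "Entries without other/world access:" >&2
        # Show owner, group and mode so the uid/gid mismatch is visible.
        echo "$blocked" | while IFS= read -r entry; do
            ls -ld "$entry" >&2
        done
        return 1
    fi
    echo "OK: $patch_dir is readable via other/world permissions"
    return 0
}

# Run against a directory given on the command line, e.g. the NFS mount
# that holds the unpacked patches.
if [ $# -eq 1 ]; then
    check_patch_tree "$1"
fi
```

    Run it on the system to be patched, before patchadd, against the directory that holds the unpacked patches.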

    If you follow the above 8 steps, 90% of patching problems will have been avoided. Here are some things to check for the other 10%:

    1. Examine the /var/sadm/patch/log file for errors.

    2. Check if the "OS" field of file /var/sadm/softinfo/INST_RELEASE is correct for the patch being applied.

    3. Does ls -alR show the same file names, sizes and permissions for the customer's copy of the patch vs. a known good copy?

    4. Did the customer copy the patch with cp -rp to preserve permissions? Again, the preferred method of moving a patch is in its compressed state (as a single file). That eliminates any possible cp issues.

    5. Does MOS already identify problems with this specific patch?

    6. Do the pkg, arch and version of the patch match the target system? This can be determined by running a pkginfo -l command on one of the packages which will be patched by the patch.

    7. How to determine when a patch was applied: The easiest way is to just run patchadd -p or showrev -p and then grep for the patch ID. A more manual method would be to grep PATCH_INFO_ /var/sadm/pkg/*/pkginfo . That information has to exist in every package which was touched by the installed patch.
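
    The manual method from item 7, as an added example (not part of the original Oracle document). It assumes each PATCH_INFO_ entry has the form "PATCH_INFO_<patch-id>=Installed: <date> From: <host> ..."; the function name is hypothetical and the patch ID in the usage comment is constructed.

```shell
#!/bin/sh
# Added example: report when a patch was applied to each package it touched,
# by reading the PATCH_INFO_ entries in the per-package pkginfo files.

# $1 = package database root (/var/sadm/pkg on a live system)
# $2 = patch ID including revision, e.g. 123456-01 (constructed sample ID)
# Prints one "<package><TAB><install date>" line per patched package.
patch_install_dates() {
    pkg_root=$1
    patch_id=$2
    # Accept only digits and hyphens so the ID is safe inside the sed pattern.
    case $patch_id in
        ''|*[!0-9-]*)
            echo "ERROR: patch ID must look like 123456-01" >&2
            return 2 ;;
    esac
    for info in "$pkg_root"/*/pkginfo; do
        [ -f "$info" ] || continue
        pkg=$(basename "$(dirname "$info")")
        # Assumed entry layout:
        #   PATCH_INFO_<id>=Installed: <date> From: <host> Obsoletes: ...
        sed -n "s/^PATCH_INFO_${patch_id}=Installed: \(.*\) From: .*/\1/p" "$info" |
        while IFS= read -r when; do
            printf '%s\t%s\n' "$pkg" "$when"
        done
    done
}

# Stand-alone use: script.sh /var/sadm/pkg 123456-01
if [ $# -eq 2 ]; then
    patch_install_dates "$1" "$2"
fi
```

    A package that the patch README lists but that is missing from the output is a sign the patch was only partially applied.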

    Deciphering patch failure error codes:

    Document 1007270.1 has a complete list of patch error codes. But there might be new error codes added to

    patchadd. To get the freshest list run more /usr/sbin/patchadd (This applies only from Solaris 2.5.1 to Solaris 9). As

    this is a script, there is a definition of all the error codes in the first few screenfuls of the printout. With Solaris 10,

    /usr/sbin/patchadd is now a binary file but the ksh script is located at /usr/lib/patch/patchadd.

    Most common patch error codes are:

    1. #8 Attempting to patch a package that is not installed

    2. #18 Not enough space on target filesystems

    3. #24 An incompatible patch was installed

    4. #25 A required patch is not applied

    5. #28 A pkginfo file is corrupt or missing

    (There could be 37 error codes total again, depending on the OS and patchadd versions)

    Products

    Solaris 10 Operating System

    Solaris 9 Operating System

    Solaris 8 Operating System

    References

    NOTE:1006707.1 - How to remove a patch installed with patchadd -d command

    NOTE:1007429.1 - How to install a patch and troubleshoot failed installs

    NOTE:1289614.1 - Sun Patches and Updates Resource Center [VIDEO]

    NOTE:1339267.1 - Patching fails with pkgadd: ERROR: checkinstall script did not complete successfully due to permissions

    NOTE:1359259.1 - Master document for smpatch / updatemanager - troubleshooting information & how-to

    NOTE:1007270.1 - Solaris Operating System: patchadd (installpatch) and patchrm (backoutpatch) exit error codes

    NOTE:1199543.1 - Patch download automation for Sun products using wget

    NOTE:1018088.1 - Patch Install Quick Troubleshooting Steps
