System Administration Guide: Basic Administration

Chapter 24 Managing Solaris Patches (Tasks)

Patch management involves listing or installing Solaris patches from a system running the Solaris release. Patch management might also involve removing unwanted or faulty patches. Removing patches is also called backing out patches.

For information on adding patches to diskless client systems, see Patching Diskless Client OS Services.

What Is a Patch?

A patch is a collection of files and directories that replace or update existing files and directories that are preventing proper execution of the software. The existing software is derived from a specified package format, which conforms to the Application Binary Interface. For details about packages, see Chapter 22, Managing Software (Overview).

A signed patch is a patch with a digital signature. A patch with a valid digital signature ensures that the patch has not been modified since the signature was applied. Using signed patches is a secure method of downloading or applying patches because the patches include a digital signature that can be verified before the patch is applied to your system. For more information about signed patches, see http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/spfaq or http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/spag.

Tools for Managing Solaris Patches

Several options for managing patches are available:

Command/Tool Name                          Description                                  Solaris Release Availability
patchadd and patchrm                       Adds and removes unsigned patches            Solaris 2.6, 7, 8, and 9
smpatch                                    Adds and removes signed patches              Solaris 2.6, 7, 8, and 9
Solaris Management Console's Patches Tool  Adds and removes signed or unsigned patches  Solaris 9

Detailed information about how to install and back out a patch is provided in patchadd(1M) and patchrm(1M). Each patch also contains a README file that contains specific information about the patch.

Before installing patches, you might want to know more about patches that have previously been installed. The following table describes commands that provide useful information about patches that are already installed on a system.

Table 24–1 Commands for Solaris Patch Management

Command                    Description
patchadd -p, showrev -p    Shows all patches that have been applied to a system.
pkgparam pkgid PATCHLIST   Shows all patches that have been applied to the package identified by pkgid, the name of the package. For example, SUNWadmap.
patchadd -S Solaris-OS -p  Shows all the /usr patches installed on an OS server.

Solaris Patch Distribution

All Sun customers can access security patches and other recommended patches through the SunSolve™ program. The following table describes the various ways to access Solaris patches.

Table 24–2 Customer Patch Access Information

Customer Type                        Description
SunSpectrum contract customer        You have access to the SunSolve database of patches and patch information. These are available from the SunSolve web page or by using anonymous ftp, as described in Accessing Solaris Patches. These patches are updated nightly.
Not a SunSpectrum contract customer  You have access to a general set of security patches and other recommended patches. These patches are available through SunSolve.

Accessing Solaris Patches

You can access Solaris patches from a web page or by using anonymous ftp. If you have purchased a Sun service contract, you can get patches directly from the SunSolve web page.

To access patches from a web page, you need a system that is:

To access patches by anonymous ftp, you need a machine that is:

Access patches from SunSolve™ by using the following URL:


http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access

You can either install a patch cluster of recommended patches or individual patches that are freely available. Patch reports are available also.

You can also access publicly available patches by using this URL:

http://www.ibiblio.org/pub/sun-info/sun-patches

Solaris Patch Numbering

Patches are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number. For example, patch 108528-10 is a SunOS 5.8 kernel update patch.

How to Display Information About Installed Solaris Patches

Use the patchadd -p command to display information about patches installed on your system.


$ patchadd -p

Use the following command to verify whether a specific patch is installed on your system.


$ patchadd -p | grep 111879

Adding a Solaris Patch

Use the patchadd command to add patches to servers or standalone systems. If you need to add a patch to a diskless client system, see Patching Diskless Client OS Services.

When you add a patch, the patchadd command calls the pkgadd command to install the patch packages from the patch directory to a local system's disk. More specifically, the patchadd command:

During the patch installation, patchadd keeps a log of the patch installation in the /var/sadm/patch/patch-number/log file for current Solaris versions.

The patchadd command will not install a patch under the following conditions:

How to Add a Solaris Patch

This procedure assumes that you have already pulled the patch from one of the sites listed in Accessing Solaris Patches.

  1. Become superuser.

  2. Review the information in the patch README file, typically called patch-id.README.

  3. Add the patch.


    # patchadd /patch-dir/patch-ID-revision 
    
  4. Verify that the patch is added.


    # patchadd -p | grep patch-ID-revision
    

Example—Adding a Solaris Patch

The following example adds the Solaris 8 patch, 111879-01.


# patchadd /export/Sol8patch/111879-01

Checking installed patches...
Verifying sufficient filesystem capacity (dry run method)...
Installing patch packages...

Patch number 111879-01 has been successfully installed.
See /var/sadm/patch/111879-01/log for details

Patch packages installed:
  SUNWwsr
# patchadd -p | grep 111879-01
Patch: 111879-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWwsr

How to Download and Add a Solaris Patch From SunSolve

  1. (Optional) Log in to the system where the patch will be applied.

    Or, you can download the patch and use the ftp command to copy the patch to the target system.

  2. Open a Web browser and go to the SunSolve patch site:


    http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access
    
  3. Determine whether you are going to download a specific patch or a recommended patch cluster. Then select one of the following:

    1. Enter the patch number (patch-ID) in the "Find Patch" search field and click on Find Patch.

      Entering patch-ID downloads the latest patch revision.

      If this patch is freely available, the patch README is displayed. If this patch is not freely available, an ACCESS DENIED message is displayed.

      There are different patch numbers for SPARC and IA systems, which are listed in the displayed patch README. Make sure you install the patch that matches your system architecture.

    2. Click on a recommended patch cluster based on the Solaris release running on the system to be patched.

  4. Click on the Download HTTP or FTP button.

    After the patch or patches are downloaded successfully, you can close the Web browser.

  5. Change to the directory that contains the downloaded patch package, if necessary.

  6. Unzip the patch package.


    % unzip patch-ID-revision
    
  7. Become superuser.

  8. Add the patch or patches.


    # patchadd patch-ID-revision
    

Removing a Solaris Patch

When you back out a patch, the patchrm command restores all files modified by that patch, unless:

The patchrm command calls pkgadd to restore packages that were saved from the initial patch installation.

During the patch removal process, patchrm keeps a log of the back out process in /tmp/backoutlog.process_id. This log file is removed if the patch backs out successfully.

How to Remove a Solaris Patch

Use this procedure if you need to remove a Solaris patch.

  1. Become superuser.

  2. Remove the patch.


    # patchrm patch-ID-revision
    
  3. Verify that the patch is removed.


    # patchadd -p | grep patch-ID-revision
    

Example—Removing a Solaris Patch

The following example removes the Solaris 8 patch, 111879-01.


# patchrm 111879-01

Checking installed patches...

Backing out patch 111879-01...

Patch 111879-01 has been backed out.

# showrev -p | grep 111879-01
#
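
The verification steps in the add and remove procedures pipe patchadd -p through grep, which also matches a patch ID that appears only in another patch's Obsoletes: or Requires: field. The following script is an added example, not part of the original guide: it checks only the Patch: field and compares revisions. The patch_status, sample_output, and demo names, the 999001/999002 patch IDs, and the SUNWexa package are hypothetical.

```shell
# Added example, not from the original guide. POSIX shell: on Solaris run it
# under ksh or /usr/xpg4/bin/sh. AWK must support -v; on Solaris use nawk or
# /usr/xpg4/bin/awk (assumption: plain /usr/bin/awk there is the old awk).
AWK=${AWK:-awk}

# patch_status BASE MINREV
# Reads `patchadd -p` (or `showrev -p`) output on stdin and looks only at the
# "Patch:" field, so IDs listed under Obsoletes:/Requires: are ignored.
# Prints the highest installed revision of BASE.
# Exit status: 0 = installed at MINREV or later, 1 = installed but older,
#              2 = not installed.
patch_status() {
    "$AWK" -v base="$1" -v min="$2" '
        BEGIN { best = -1 }
        $1 == "Patch:" {
            n = split($2, id, "-")
            if (n == 2 && id[1] == base && id[2] + 0 > best) best = id[2] + 0
        }
        END {
            if (best < 0) { print "not-installed"; exit 2 }
            printf "%s-%02d\n", base, best
            if (best >= min + 0) exit 0
            exit 1
        }'
}

# Constructed sample. Line 1 is the patchadd -p line from this chapter's add
# example; the 999001/999002 IDs and SUNWexa are placeholders, not real ones.
sample_output() {
    cat <<'EOF'
Patch: 111879-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWwsr
Patch: 999001-03 Obsoletes:  Requires: 999002-02  Incompatibles:  Packages: SUNWexa
Patch: 999001-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexa
EOF
}

# Demo: 999002-02 is not installed, yet a plain grep finds it in a Requires: field.
demo() {
    echo "grep hits for 999002-02: $(sample_output | grep -c '999002-02')"
    for want in 111879-01 999001-06 999002-02; do
        rev=$(sample_output | patch_status "${want%-*}" "${want#*-}")
        echo "$want -> $rev (status $?)"
    done
}
demo
```

On a live system, replace sample_output with patchadd -p, for example: patchadd -p | patch_status 111879 01.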