Signed Patches Release Notes for PatchPro 2.2

Chapter 3 Runtime Issues With Solaris Patch Management Tools

This chapter describes common problems you might encounter when using the Solaris patch management tools to do the following:

For additional troubleshooting information, see the Signed Patches Administration Guide for PatchPro 2.2.


Caution –

Solaris 9, Solaris 9 9/02, and Solaris 9 12/02 only – If you expect to apply a large number of patches to your system, use the pprosvc -i command instead of smpatch.

If you use smpatch, all of the recommended patches might not be downloaded. If the download fails, no patches are applied to the system.

You might encounter this problem in one or both of these circumstances:


Wrong Version of the smpatch(1M) Man Page Appears on Solaris 9 Systems (4860008)

Description:

The wrong version of the smpatch(1M) man page appears when you run the man command on a Solaris 9 system.

The smpatch(1M) man page that appears pertains to the Solaris 2.6, Solaris 7, and Solaris 8 version of the smpatch command.

Cause:

This happens when the /opt/SUNWppro/man directory appears ahead of the /usr/man directory in your MANPATH.

Workaround:

Ignore the version of the smpatch(1M) man page that is installed in the /opt/SUNWppro/man/man1m directory.

Instead, refer to the man page installed in the /usr/man/sman1m directory, which contains the Solaris 9 version of the smpatch command.


# man -M /usr/man -s 1m smpatch

Or, ensure that the /usr/man directory appears ahead of the /opt/SUNWppro/man directory in your MANPATH.

smpatch add Does Not Use the Patch Directory Specified by the -d Option (4888820)

Description:

When you specify the patch directory on the smpatch add command line by using the -d option, the following error appears:


Error: PatchPro failed: CRITICAL: Invalid patch source directory.
Problem Summary:

(1) Patch source directory does not exist. Verify that the patch source
directory exists or set the patch source directory to an existing
directory with pprosetup -d <download_directory>

Workaround:

Do not use the -d option with any of the smpatch subcommands to specify a patch directory.

Patch Manager on Solaris 9 Systems Fails Because the /var/sadm/spool Directory Cannot Be Recreated (4883158)

Description:

On a Solaris 9 system, Patch Manager reports that it cannot create the patch directory, /var/sadm/spool, because it already exists.

When you run the smpatch command, the following error message appears:


# /usr/sadm/bin/smpatch download
Authenticating as user: root

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password ::
Loading Tool: com.sun.admin.patchmgr.cli.PatchMgrCli from host1
Login to host1 as user root was successful.
Download of com.sun.admin.patchmgr.cli.PatchMgrCli from host1 was
successful.

Cannot create the directory /var/sadm/spool.
Please check the permissions.
# 

This problem causes Patch Manager to be unusable.

Cause:

This problem appears on systems that have been upgraded from Solaris 9 12/02 to Solaris 9 4/03.

The CIM File System Management Provider was not reregistered after the system upgrade. Therefore, the service provider was not available for use by Patch Manager.

Workaround:

Reregister the directory service provider and restart the CIMOM:


# /etc/init.d/init.wbem stop
# /usr/sadm/bin/mofreg -r regtag /usr/sadm/mof/Solaris_VM1.0.mof
# /etc/init.d/init.wbem start

pprosvc Silently Creates a Nonexistent Patch Directory (4884494)

Description:

The pprosvc command silently creates a nonexistent patch directory that you specified by using the pprosetup -d command.

Cause:

You specified a nonexistent directory to be the patch directory.

Workaround:

Ensure that the patch directory exists before you run the pprosvc command.

pprosvc Issues Error When the Sequester Directory Does Not Exist (4884494)


CRITICAL: Sequester directory is not writable.

Description:

The pprosvc -i command fails with the following error message:


CRITICAL: Sequester directory is not writable.

This failure occurs when patches must be moved to the sequester directory, which does not exist.

Cause:

The sequester directory that you specified by using the pprosetup -q command does not exist.

Workaround:

Ensure that the sequester directory exists before you run the pprosvc command.

Server Failure Not Detected While Downloading the Patch Database (4876039)

Description:

Occasionally, PatchPro fails to detect a transient network failure and erroneously concludes that the download of the patch database succeeded.

Cause:

HTTP servers that support keep-alive might terminate a connection prematurely. When the connection terminates, the server sends less data to PatchPro than originally specified.

PatchPro ignores a connection termination that was initiated by the server. PatchPro also claims that the download was successful.

Workaround:

If you detect this problem, download the patch database again.
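
The check that is skipped in this failure, comparing the announced Content-Length with the bytes actually received, can be done by hand on a manual download. This is an added example, not PatchPro code; it assumes you saved the HTTP response headers to a file yourself (for example from wget -S output), and the function names and file names are hypothetical.

```shell
# Added example, not PatchPro code. Detects the failure in 4876039: the server
# closes a keep-alive connection early and fewer bytes arrive than announced.

# check_download_complete HEADER_FILE BODY_FILE
# Returns 0 = sizes match, 1 = size mismatch (truncated or padded),
#         2 = input files unusable, 3 = no numeric Content-Length header.
check_download_complete() {
    hdr_file=$1
    body_file=$2
    [ -r "$hdr_file" ] && [ -f "$body_file" ] || return 2
    # Strip CRs and leading blanks (wget -S indents headers); keep the last
    # Content-Length seen, because redirects produce several header blocks.
    expected=$(tr -d '\r' < "$hdr_file" | awk -F': *' '
        { sub(/^[ \t]+/, "") }
        tolower($1) == "content-length" { len = $2 }
        END { print len }')
    case $expected in
        ''|*[!0-9]*) return 3 ;;
    esac
    actual=$(wc -c < "$body_file" | tr -d ' ')
    [ "$actual" -eq "$expected" ] || return 1
    return 0
}

# Constructed sample: 20 bytes announced, connection dropped after 12.
demo_truncated_download() {
    tmp=$(mktemp -d) || return 2
    printf 'HTTP/1.1 200 OK\r\nConnection: keep-alive\r\nContent-Length: 20\r\n\r\n' > "$tmp/headers"
    printf '012345678901' > "$tmp/patchprodb.zip"
    check_download_complete "$tmp/headers" "$tmp/patchprodb.zip"
    status=$?
    rm -rf "$tmp"
    return $status
}
```

A return status of 1 is the signal to download the patch database again.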

pprosvc -d or smpatch download Stalls After the First Ten Patches Are Downloaded (4892047)

Description:

The download process you initiate by running pprosvc -d or smpatch download hangs after the first ten patches have been downloaded.

PatchPro appears to be waiting for data to come in from the established connection to the server.

Cause:

The connection to the server is blocked. This state prevents PatchPro from reading patches from the server.

Workaround:

If the download stalls, interrupt the download operation and leave the downloaded patches in the patch directory. Then, restart the pprosvc -d or smpatch download command to resume the patch download process.

smpatch download Cannot Download Patches Listed by smpatch analyze (4888232)


(ERROR) => com.sun.patchpro.server.ServerPatchServiceProvider@7918f0
<=Patch cannot be found by server

Description:

This message might appear when you run the smpatch download command in an effort to download a patch supplied by the smpatch analyze command.

Cause:

smpatch analyze lists all possible patches recommended for your system, including contract patches. The error indicates one of the following:

  • Cause 1 – You do not have a Sun service contract. Without a service contract, you are not permitted to access contract patches.

  • Cause 2 – You have a Sun service contract, but you have not configured your patch management environment to access contract patches.

Workaround:

Resolve this problem by doing one of the following:

  • If you do not want to access contract patches, you can ignore this error message.

  • If you want to access the contract patches, do one of the following:

    • For Cause 1, sign up for a Sun service contract so that you can access these patches.

    • For Cause 2, configure your patch management environment so you can access contract patches. See “How to Configure Your System to Access Contract Patches” in the Signed Patches Administration Guide for PatchPro 2.2.

PatchPro Locks Up Indefinitely When Running on Solaris 2.6 and Solaris 7 Systems (4882095)


Error: PatchPro is in use by another process. Please try again later.

Description:

Each time that you run the pprosetup command, the following error message appears:


Error: PatchPro is in use by another process. Please try again later.

Cause:

This problem occurs when a previous pprosetup command did not complete cleanly or when pprosetup -H was running and then was interrupted when you typed Control-C. In such cases, the lock file is not removed even if the process is no longer running.

Workaround:

Manually remove the lock file, patchpro.conf.lock, from the /etc/opt/SUNWppro/etc directory.


# rm /etc/opt/SUNWppro/etc/patchpro.conf.lock

smpatch update Attempts to Apply Patches Prohibited by the Policy (4892470)

Description:

The following message appears and states that one or more patches cannot be applied due to patch attributes, or properties.


At least one patch cannot be installed due to patch attributes.

The properties listed for each patch indicate that the patch should actually be applied given the stated policy.

Workaround:

Ignore this message.

Despite the message, the specified patches are properly applied because the policy was not violated.

Using smpatch on Solaris 9 Systems to Apply Patches That Stop WBEM Services Fails (4916635)

Description:

One of the following error messages appears after you use smpatch update to apply a WBEM patch to a Solaris 9 4/03 system:


Unknown error occurred while attempting to download patches.

Or:


Installing patches on machine system-name. Please wait... 
EXM_NO_MESSAGE

Cause:

WBEM patches stop WBEM services before being applied, so any application that depends on these services can no longer run.

Since the Solaris 9 smpatch command uses WBEM services, it cannot continue to download patches when the WBEM services are unavailable.

Workaround:

Use pprosvc instead of smpatch to apply the WBEM patches.

Patch Incompatibility Problem Detected

patch-ID description


Error: This patch is incompatible with patch(s) patch-ID

Description:

You might see this sort of message if you request signed patch downloads by using the smpatch update command or the pprosetup command.

Cause:

This error might indicate one of these patch incompatibility problems:

  • Two or more patches on the download list are incompatible.

  • One of the patches on the download list is incompatible with a patch that is already applied to the system. See the following workaround.

Workaround:

Follow these steps to identify and resolve the patch incompatibility problem.

  1. Determine whether an incompatible patch is applied to your system.


    # showrev -p | grep "Patch: patch-ID"
    
  2. Use the output from the showrev -p command to determine your next step:

    • If an incompatible patch is applied and the patch to download is a Kernel Update patch, determine which patch is most critical for your environment. To help you decide, review the patch README files for the incompatible patch and the Kernel Update patch.


      Note –

      The Kernel Update patch might not contain all of the fixes that are included in an applied Supplemental Kernel Update patch. If this is the case, check for a more current Supplemental Kernel Update patch that is compatible with the Kernel Update patch that you are trying to apply.

      The incompatible patch is most likely a Supplemental Kernel Update patch. If you decide to keep the incompatible patch, further automation with PatchPro is not possible until the incompatible patch is removed.


      If patch automation is desired and the incompatible patch can be safely removed, remove the incompatible patch.


      # smpatch remove -i patch-ID
      
    • If the incompatible patch is not applied, go to Step 4.

    • If the incompatible patch is applied but it is not a Kernel Update patch, go to Step 4.

  3. Restart the patch download process.


    # smpatch update
    
  4. Send the patch list to patchpro_feedback1@sun.com for resolution.

Patch Cannot Be Downloaded


At least one of the requested patches could not be downloaded.

Or,


The following patches were not downloaded. Contact your Sun Microsystems
support provider for more information.

Description:

The download of a patch fails.

Cause:

The following are possible causes:

  • Cause 1 – A specific revision of one or more patches in the list is not currently available due to a patch server synchronization problem. Sun is actively working to resolve this issue.

  • Cause 2 – The SunSolve user name and password required to access the requested patches were not provided.

Workaround:

Resolve this problem by doing one of the following:

  • For Cause 1, do one of the following:

    • If the patch list is fewer than 20 patches, wait 24 hours and try again.

    • If you need the patch immediately, go to http://sunsolve.sun.com/patches and download the patch manually.

  • For Cause 2, verify that you have entered your SunSolve user name and password correctly.


    # grep identity /opt/SUNWppro/etc/patchpro.conf
    patchpro.sunsolve.identity=username
    # cat /opt/SUNWppro/lib/.sunsolvepw
    password

    If you can log in to SunSolve successfully by using the displayed user name and password, try the solutions for Cause 1.

If a Patch Fails to Be Applied by pprosvc -i -p, the Patch JAR File Is Erroneously Deleted From the Sequester Directory (4898638)

Description:

If a patch fails to be applied by pprosvc -i -p, the patch JAR file is deleted from the sequester directory.

If you later try to manually apply the sequestered patch, the operation fails because the patch JAR file no longer exists in the sequester directory.

Cause:

PatchPro erroneously removes the patch JAR file from the sequester directory.

Workaround:

To apply this patch, do the following:

  1. Use the pprosvc -d -p command to download the patch.

  2. Go to the sequester directory.

  3. Use the unjar command to extract the files from the patch JAR file.

  4. Apply the patch by using the patchadd command.

Cannot Apply Signed Patches Due to Insufficient Disk Space

Description:

It is possible that signed patches cannot be applied if there is insufficient disk space.

Workaround:

Ensure that enough disk space is available in the patch directory, which you can identify by running the following command:


# pprosetup -L | grep Download
Download directory:   /var/sadm/spool

For information about disk space considerations, see the Signed Patches Administration Guide for PatchPro 2.2.
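
A pre-flight check for the patch and sequester directories covers both 4884494 entries above and the disk space problem in this section. This is an added example, not part of PatchPro; the function names and return codes are hypothetical, and it assumes a df that accepts -P (on Solaris, /usr/xpg4/bin/df).

```shell
# Added example, not part of PatchPro. Run before pprosvc so that a mistyped
# path is reported instead of being silently created (4884494).

# Print the download directory from `pprosetup -L` output read on stdin.
# The line format is the one shown on this page.
download_dir_from_listing() {
    sed -n 's/^Download directory:[[:space:]]*//p' | head -n 1
}

# preflight_dir DIR [MIN_FREE_KB]
# Returns 0 = ok, 1 = missing, 2 = not a directory, 3 = not writable,
#         4 = less than MIN_FREE_KB free or free space unknown.
# MIN_FREE_KB of 0 (the default) skips the space check.
preflight_dir() {
    dir=$1
    min_kb=${2:-0}
    [ -e "$dir" ] || return 1
    [ -d "$dir" ] || return 2
    [ -w "$dir" ] || return 3
    [ "$min_kb" -gt 0 ] || return 0
    # POSIX-format df output: field 4 of line 2 is the available space in KB.
    # Assumption: on Solaris, put /usr/xpg4/bin ahead in PATH to get df -P.
    free_kb=$(df -Pk "$dir" 2>/dev/null | awk 'NR == 2 { print $4 }')
    case $free_kb in
        ''|*[!0-9]*) return 4 ;;   # cannot confirm free space
    esac
    [ "$free_kb" -ge "$min_kb" ] || return 4
    return 0
}

# Usage, as root (204800 KB is an example threshold, not a PatchPro value):
#   dir=$(pprosetup -L | download_dir_from_listing)
#   preflight_dir "$dir" 204800 || echo "fix $dir before running pprosvc"
```

Call preflight_dir a second time with the sequester directory you set with pprosetup -q.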

PatchPro Issues a Disk Space Error When Applying Patch 113176-01 or 113176-02

Description:

When you apply Patch 113176-01 or 113176-02, PatchPro issues a disk space error.

Cause:

This patchadd problem was introduced by recent patches to the SVR4 package code. The broken patches have been removed from the PatchPro database so that they cannot be reinstalled automatically.

Workaround:

Remove the appropriate patch.

  • Solaris 9:


    # patchrm 112951-02
    
  • Solaris 8:


    # patchrm 108987-09
    

PatchPro Cannot Access SunSolve Resources


<=com.sun.patchpro.database.DBBuilderFailedException: No valid download source.
Description:

PatchPro encounters a state machine failure. A similar message is written to the PatchPro log file when PatchPro cannot download the patch database and detector files from SunSolve.

Cause:

PatchPro is operating behind a firewall and requires a proxy to access the SunSolve resources.

Workaround:

Configure a valid proxy server. For more information, see the Signed Patches Administration Guide for PatchPro 2.2.

PatchPro Cannot Reach the Internet

This message appears when you try to use PatchPro:


Downloader.getResponseCode() : IOException [URL with server]/patchprodb.zip

Description:

This message indicates that PatchPro is incapable of reaching the Internet.

Cause:

The following are possible causes:

  • Cause 1 – Your system must get through a proxy to access the Internet, and the proxy has not been entered properly.

  • Cause 2 – The proxy is entered correctly, but the proxy requires a password.

  • Cause 3 – All the settings are correct, but the firewall prohibits access through HTTP (port 80) or HTTPS (port 443).

  • Cause 4 – Network failure.

Workaround:

Resolve this problem by doing one of the following:

  • For Cause 1, double-check the host name and port of your proxy, and inform PatchPro by typing the following:


    # /opt/SUNWppro/bin/pprosetup -x proxy_host:proxy_port
    
  • For Cause 2, create a password for the proxy user. See the description of the -U option in the pprosetup(1M) man page.

  • For Cause 3, contact your system administrator about unblocking those ports.

  • For Cause 4, contact your network administrator about the network outage.

Your institution might have a firewall that blocks HTTPS (port 443). Check this with your system administrator.

If you still cannot contact the Internet, you can perform a test. Download wget from http://sunfreeware.com and type:


# wget https://patchpro.sun.com/apache_pb.gif

  • If you get a picture of a feather, then your system does not have a proxy and the problem you are seeing with PatchPro is related to something else.

  • If you do not see the feather, then your browser knows something that nothing else does.

    You might be able to figure out how to get PatchPro through your firewall by reviewing your browser's preferences.

PatchPro Does Not Support the Microsoft Internet Security Accelerator

Description:

PatchPro 2.2 does not work with the Microsoft Internet Security Accelerator.

Workaround:

Install at least Java 1.4.1_03 on the client system and run PatchPro. Ensure that /usr/j2se/bin/java points to the latest installed JRE.