This chapter describes the following new features in the Sun Patch Manager tool (Patch Manager):
To use the Patch Manager tool, you must install at least the End User Solaris Software Group of Solaris 8 software. You must also obtain the Patch Manager software from the Sun Download Center at http://wwws.sun.com/software/download.
As of September 2004, not all Sun patches are available through Sun Patch Manager. Such patches include those that do not conform to PatchPro standards, and those that have third-party contract restrictions.
Sun Patch Manager 2.0 incorporates PatchPro functionality. PatchPro performs patch analyses on systems, then downloads and applies the resulting patches. This automation functionality was previously available for Solaris 2.6, Solaris 7, and Solaris 8 as a separate PatchPro product, and is now part of Sun Patch Manager 2.0.
PatchPro uses signed patches, which improves the security of Solaris patches by ensuring that they have not been modified.
The pprosetup and pprosvc commands are included with Sun Patch Manager 2.0 for transition purposes. It is best not to use these commands and to use the smpatch command instead.
You can only run smpatch in local mode. Remote mode smpatch commands and options are not supported in Solaris 8. See the smpatch(1M) man page.
Local mode, the default mode, can only be run on the local system. This mode can be run while the system is in single-user or multiuser mode. Local mode can be used by users or roles that have the appropriate authorizations.
You can use the smpatch add command in local mode to apply patches while the system is in single-user mode. Apply patches in this way when the patches are associated with the singleuser patch property, or when you want to apply any patches to a quiet system.
Use only the smpatch add, smpatch order, and smpatch remove commands to manage patches when your system is running in single-user mode.
You can configure your patch management environment while the system is running in single-user mode by using the smpatch get, smpatch set, and smpatch unset commands.
Do not use the smpatch analyze, smpatch download, and smpatch update commands while the system is running in single-user mode. These commands depend on network services that are not available while the system is in single-user mode.
If you previously used the smpatch update command to update your system with patches, some of the patches might not have been applied. Such patches cannot be applied if they do not meet the policy for applying patches, and must be applied manually in single-user mode.
To apply the patches while the system is in single-user mode, use the smpatch add command with the -x idlist= option to specify the list of patches to apply.
You can use the disallowed_patch_list file as input to the smpatch add command to apply the singleuser patches. This file, stored in the download directory, lists any patch that could not be applied by smpatch update while the system was in multiuser mode. For example:
# smpatch add -x idlist=/var/sadm/spool/disallowed_patch_list
Patch Manager can create an ordered list of patches that you can save to a text file and use to perform patch operations.
You might use a patch list to apply the same set of patches to systems that have the same hardware and software configurations. Or, you might create a patch list file that contains all pertinent security patches and use the patch list to apply those security patches to one or more systems.
You can create a file that contains an ordered patch list by using the smpatch command in any of these ways:
Perform an analysis of a system: Use the smpatch analyze command to analyze a system to generate an ordered list of patches and write it to a file. You can edit this file to remove unneeded patches.
Supply a specific list of patches: Use the smpatch analyze command to generate an ordered list of patches based on a set of patches that you specify for a particular system. The patch list is resolved by augmenting the list with patches on which they depend.
Point to a collection of patches stored on a system: Use the smpatch order command to produce an ordered list of patches based on a collection of patches stored on a system.
If you modify a patch list and the patches are available on your system, use the smpatch order command to put the list in an order suitable for applying patches. Otherwise, use the smpatch analyze command, which also produces an ordered list of patches.
You can use patch lists as input to the smpatch add, smpatch analyze, smpatch download, smpatch order, and smpatch update commands.
The smpatch add command attempts to apply all of the patches in the patch list, regardless of the policy for applying patches and patch dependencies.
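Because smpatch add applies every patch in the list regardless of policy and dependencies, a list is worth reviewing before it is used. The following shell function is an added example, not part of Sun Patch Manager or of the original chapter; the name check_patch_list is hypothetical, and it assumes each non-blank line begins with a patch ID of the form NNNNNN-NN, optionally followed by a synopsis.

```shell
#!/bin/sh
# Added example, not part of Sun Patch Manager.
# Pre-flight review of a patch list before: smpatch add -x idlist=FILE
# Assumption: each non-blank line begins with a patch ID (NNNNNN-NN),
# optionally followed by a synopsis.

# check_patch_list FILE
# Prints one line per finding.
# Returns 0 if clean, 1 on findings, 2 if the file cannot be read.
check_patch_list() {
    list=$1
    status=0
    if [ ! -f "$list" ] || [ ! -r "$list" ]; then
        echo "cannot read patch list: $list"
        return 2
    fi
    # The list drives a privileged command, so nobody but its owner
    # should be able to rewrite it.
    if [ -n "$(find "$list" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "patch list is group- or world-writable: $list"
        status=1
    fi
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*$/ { next }    # ignore blank lines
        {
            id = $1
            if (id !~ /^[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9]$/) {
                printf "line %d: not a patch ID: %s\n", NR, id
                bad = 1
                next
            }
            # Two revisions of one patch in the same list need a human decision.
            base = substr(id, 1, 6)
            if (base in first) {
                printf "line %d: %s duplicates patch %s from line %d\n", NR, id, base, first[base]
                bad = 1
            } else {
                first[base] = NR
            }
        }
        END { exit bad }
    ' "$list" || status=1
    return $status
}
```

Run the check against the list file and pass the file to smpatch add -x idlist= only when the function returns 0.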
Starting with Solaris 8, client systems can use Patch Manager to access patches and patch data to perform patch analysis and maintenance. This patch data is provided by a patch source. The patch source can be a patch server, such as the Sun patch server or a local patch server, or a local collection of patches.
If you use a local patch server on your intranet, you can serve patches to your local systems and minimize the Internet traffic between your systems and the Sun patch server. Such a local patch server caches any patches that are downloaded from its patch source.
Using a local patch server addresses security concerns as well as system analysis and patch download performance issues.
The local patch server is an optional Sun Patch Manager 2.0 feature that you can obtain at no charge if you are a contract customer in the SunSpectrum program.
For information about becoming a contract customer or obtaining the local patch server distribution, go to http://sunsolve.sun.com and click Patch Portal.
The system you choose to act as the local patch server must be running at least Solaris 9 and have at least the Entire Solaris Software Group installed. This system must also have the Sun Patch Manager 2.0 software installed.
For information about configuring a Solaris 9 system to act as local patch server on your intranet, see "Configuring Your Local Patch Server by Using the Command-Line Interface" in the Sun Patch Manager 2.0 Administration Guide for the Solaris 9 Operating System.