Patch management involves applying Solaris™ patches to a system. Patch management might also involve removing unwanted or faulty patches. Removing patches is also called backing out patches.
The following overview information is in this chapter:
For information about applying patches to diskless client systems, see Patching Diskless Client OS Services in System Administration Guide: Basic Administration.
For information about recommended strategies and practices for using Solaris patches, go to http://download.oracle.com/817-0574/.
A patch is a collection of files and directories that replaces or updates existing files and directories that are preventing proper execution of the existing software. The existing software is derived from a specified package format, which conforms to the Application Binary Interface (ABI).
You can manage patches on your Solaris system by using the Patch Manager software or by using the patchadd command.
A signed patch is one that has a digital signature applied to it. A patch that has its digital signature verified has not been modified since the signature was applied. The digital signature of a signed patch is verified after the patch is downloaded to your system.
Patches for the Solaris 2.6, Solaris 7, and Solaris 8 releases are available as signed patches and as unsigned patches. Unsigned patches do not have a digital signature.
Signed patches are stored in Java™ archive format (JAR) files and are available from the SunSolve Online℠ web site. Unsigned patches are stored in directory format and are also available from the SunSolve Online web site as .zip files.
For information about applying patches to your system by using Patch Manager, see Managing Patches (Task Map).
For information about applying patches by using the patchadd command, see Chapter 25, Managing Solaris Patches (Tasks), in System Administration Guide: Basic Administration.
Sun customers can access patches from the SunSolve Online web site whether or not they are in the SunSpectrum℠ program. These patches are updated nightly.
If you are in the SunSpectrum program, you have access to the entire SunSolve℠ database of patches and all patch information.
If you are not in the SunSpectrum program, you have access to the entire SunSolve database of patches and all patch information except for patches that have third-party contract restrictions.
You can obtain Solaris patches in the following ways:
From the http://sunsolve.sun.com web site
To access patches from the Patch Portal of the SunSolve Online site, your system must be connected to the Internet and be capable of running a web browser, such as the Netscape™ software.
By using anonymous ftp to download the patches to your system
To obtain patches by using the anonymous ftp command, your system must be connected to the Internet and be capable of running the ftp command.
By using the Sun Patch Manager tools that are described in this book.
You can access individual patches or a set of patches from a patch cluster, or refer to patch reports. You can also use Sun Patch Manager to analyze your system to determine the appropriate patches. Patch Manager also can download and apply the patches to your system.
Each patch is associated with a README file that has information about the patch.
Patches are identified by unique patch IDs. A patch ID is an alphanumeric string that consists of a patch base code and a patch revision number, joined with a hyphen. For example, patch 108528-10 is the patch ID for the SunOS™ 5.8 kernel update patch.
The following table summarizes the availability of the Solaris patch management tools.
You can now use the smpatch command to apply patches to Solaris 8 systems.
If you need to apply a patch to a diskless client system, see Patching Diskless Client OS Services in System Administration Guide: Basic Administration.
When you apply a patch, the patch tools call the pkgadd command to apply the patch packages from the patch directory to a local system's disk.
Do not run the pkgadd command directly to apply patches.
More specifically, the patch tools do the following:
Determine the Solaris version number of the managing host and the target host
Update the patch package's pkginfo file with this information:
Patches that have been obsoleted by the patch being applied
Other patches that are required by this patch
Patches that are incompatible with this patch
While you apply patches, the patchadd command logs information in the /var/sadm/patch/patch-id/log file.
The patchadd command cannot apply a patch under the following conditions:
The package is not fully installed on the system.
The patch package's architecture differs from the system's architecture.
The patch package's version does not match the installed package's version.
A patch with the same base code and a higher revision number has already been applied.
A patch that obsoletes this patch has already been applied.
The patch is incompatible with a patch that has already been applied to the system. Each patch that has been applied keeps this information in its pkginfo file.
The patch being applied depends on another patch that has not yet been applied.
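The patch-level refusal conditions listed above can be modeled as a pre-check. This is an added example, not code from the original guide or from the Solaris patch tools. Assumptions: the `Patch` record, the function names and the inventory are hypothetical, every patch ID except 108528-10 is constructed, a required patch counts as applied when the same base code is present at an equal or higher revision, and the package-level conditions (installation state, architecture, version) are not modeled.

```python
import re
from dataclasses import dataclass, field

PATCH_ID = re.compile(r"^([A-Za-z0-9]+)-(\d+)$")  # base code, hyphen, revision

def parse_patch_id(patch_id):
    """Split '108528-10' into ('108528', 10); reject malformed IDs."""
    m = PATCH_ID.match(patch_id)
    if not m:
        raise ValueError(f"not a patch ID: {patch_id!r}")
    return m.group(1), int(m.group(2))

@dataclass
class Patch:
    """Hypothetical record of the relationships a patch keeps in pkginfo."""
    patch_id: str
    obsoletes: set = field(default_factory=set)
    requires: set = field(default_factory=set)
    incompatible: set = field(default_factory=set)

def satisfied(requirement, applied):
    # Assumption: the same base code at an equal or higher revision counts.
    base, rev = parse_patch_id(requirement)
    found = (parse_patch_id(p.patch_id) for p in applied)
    return any(b == base and r >= rev for b, r in found)

def refusal_reasons(candidate, applied):
    """List the patch-level conditions that would block the candidate."""
    base, rev = parse_patch_id(candidate.patch_id)
    cid, reasons = candidate.patch_id, []
    for p in applied:
        p_base, p_rev = parse_patch_id(p.patch_id)
        if p_base == base and p_rev > rev:
            reasons.append(f"higher revision {p.patch_id} already applied")
        if cid in p.obsoletes:
            reasons.append(f"obsoleted by applied patch {p.patch_id}")
        # Either side may declare the incompatibility in its pkginfo data.
        if cid in p.incompatible or p.patch_id in candidate.incompatible:
            reasons.append(f"incompatible with applied patch {p.patch_id}")
    for req in sorted(candidate.requires):
        if not satisfied(req, applied):
            reasons.append(f"required patch {req} not applied")
    return reasons

# Constructed inventory: apart from 108528-10, these patch IDs are made up.
APPLIED = [
    Patch("108528-10", obsoletes={"900001-02"}),
    Patch("900002-03", incompatible={"900003-01"}),
]
```

An empty list from `refusal_reasons` means none of the four modeled conditions applies; it does not replace the checks that the patchadd command performs itself.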
You can use several different methods to download or apply one or more patches to your system. Use the following table to determine which method is best for your needs.
| Command or Tool | Description | For More Information |
|---|---|---|
| | Solaris 8 release: Use this command to analyze your system to determine the appropriate patches, and to automatically download and apply the patches. Note that this command will not apply a patch that has the interactive property set. Only the local mode smpatch is available. | How to Update Your System With Patches; smpatch(1M) man page |
| smpatch analyze and smpatch update | Solaris 8 release: First, use smpatch analyze to analyze your system to determine the appropriate patches. Then, use smpatch update to download and apply one or more of the patches to your system. Only the local mode smpatch is available. | How to Analyze Your System to Obtain the List of Patches to Apply; How to Update Your System With Patches; smpatch(1M) man page |
| smpatch analyze, smpatch download, and smpatch add | Solaris 8 release: First, use smpatch analyze to analyze your system to determine the appropriate patches. Then, use smpatch download to download them. This command also downloads any prerequisite patches. Then, use smpatch add to apply one or more of the patches to your system while the system is in single-user or multiuser mode. Only the local mode smpatch is available. | smpatch(1M) man page |
| | Solaris 2.6, Solaris 7, and Solaris 8 releases: Apply unsigned patches to your system. | patchadd(1M) man page |
Use this road map to identify all the tasks for managing Solaris patches. Each task points to a series of additional tasks such as managing signed or unsigned patches.
| Task | Description | For Instructions |
|---|---|---|
| Determine whether to apply signed or unsigned patches. | Determine whether applying signed or unsigned patches is best for your environment. | Determining Whether to Apply Signed or Unsigned Patches to Your System |
| Apply a patch to your system. | You can apply patches in the following ways: | |
The key factor when determining whether to apply signed or unsigned patches to your system is whether you trust the source of patches.
If you trust the source of patches, for example, a patch CD from a known distributor or an HTTPS connection to a trusted web site, you can use unsigned patches. However, if you do not trust the source, use signed patches.
If you are unsure about whether to trust the source of patches, use signed patches.