Patch management involves applying Solaris patches to a system. Patch management might also involve removing unwanted or faulty patches. Removing patches is also called backing out patches.
The following overview information is in this chapter:
For information about applying patches to diskless client systems, see Patching Diskless Client OS Services in System Administration Guide: Basic Administration.
For information about recommended strategies and practices for using Solaris patches, see Solaris Patch Management: Recommended Strategies on docs.sun.com.
A patch is a collection of files and directories that replaces or updates existing files and directories that are preventing proper execution of the existing software. The existing software is derived from a specified package format, which conforms to the Application Binary Interface (ABI).
You can manage patches on your Solaris system by using the Patch Manager software or by using the patchadd command.
A signed patch is one that has a digital signature applied to it. A patch that has its digital signature verified has not been modified since the signature was applied. The digital signature of a signed patch is verified after the patch is downloaded to your system.
Patches for the Solaris 2.6, Solaris 7, Solaris 8, and Solaris 9 releases are available as signed patches and as unsigned patches. Unsigned patches do not have a digital signature.
Signed patches are stored in Java archive format (JAR) files and are available from the SunSolve Online web site. Unsigned patches are stored in directory format and are also available from the SunSolve Online web site as .zip files.
For information about applying patches to your system by using Patch Manager, see Managing Patches by Using the Command-Line Interface (Task Map) or Managing Patches by Using the Browser Interface (Task Map).
For information about applying patches by using the patchadd command, see Chapter 25, Managing Solaris Patches (Tasks), in System Administration Guide: Basic Administration.
Sun customers can access patches from the SunSolve Online web site whether or not they are in the SunSpectrum program. These patches are updated nightly.
- If you are in the SunSpectrum program – You have access to the entire SunSolve database of patches and all patch information.
- If you are not in the SunSpectrum program – You have access to the entire SunSolve database of patches and all patch information except for patches that have third-party contract restrictions.
You can obtain Solaris patches in the following ways:
- From the http://sunsolve.sun.com web site
  To access patches from the Patch Portal of the SunSolve Online site, your system must be connected to the Internet and be capable of running a web browser, such as the Netscape software.
- By using anonymous ftp to download the patches to your system
  To obtain patches by using the anonymous ftp command, your system must be connected to the Internet and be capable of running the ftp command.
- By using the Sun Patch Manager tools that are described in this book.
You can access individual patches or a set of patches from a patch cluster, or refer to patch reports. You can also use Sun Patch Manager to analyze your system to determine the appropriate patches. Patch Manager also can download and apply the patches to your system.
Each patch is associated with a README file that has information about the patch.
Patches are identified by unique patch IDs. A patch ID is an alphanumeric string that consists of a patch base code and a patch revision number, joined with a hyphen. For example, patch 108528-10 is the patch ID for the SunOS 5.8 kernel update patch.
You can use the following tools to apply patches to Solaris systems:
- Sun Patch Manager command-line interface (smpatch)
- Sun Patch Manager browser interface
- patchadd
- Solaris Management Console Patches tool (GUI, starting with Solaris 9)
If you need to apply a patch to a diskless client system, see Patching Diskless Client OS Services in System Administration Guide: Basic Administration.
The browser interface that was originally released with the Sun Patch Manager 2.0 product for Solaris 9 systems has been withdrawn.
The Patch Manager product will be replaced by the new Sun Update Manager product.
The following table summarizes the availability of the Solaris patch management tools.
Starting with the Solaris 9 release – A graphical user interface (GUI), the Patches tool in the Solaris Management Console (smc), is also available. The Patches tool enables you to analyze systems to determine the appropriate patches, view patch properties, download patches, apply patches to systems, and remove patches.
When you apply a patch, the patch tools call the pkgadd command to apply the patch packages from the patch directory to a local system's disk.
Do not run the pkgadd command directly to apply patches.
More specifically, the patch tools do the following:
- Determine the Solaris version number of the managing host and the target host
- Update the patch package's pkginfo file with this information:
  - Patches that have been obsoleted by the patch being applied
  - Other patches that are required by this patch
  - Patches that are incompatible with this patch
While you apply patches, the patchadd command logs information in the /var/sadm/patch/patch-id/log file.
The patchadd command cannot apply a patch under the following conditions:
- The package is not fully installed on the system.
- The patch package's architecture differs from the system's architecture.
- The patch package's version does not match the installed package's version.
- A patch with the same base code and a higher revision number has already been applied.
- A patch that obsoletes this patch has already been applied.
- The patch is incompatible with a patch that has already been applied to the system. Each patch that has been applied keeps this information in its pkginfo file.
- The patch being applied depends on another patch that has not yet been applied.
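The last four conditions above can be checked before a maintenance window by comparing a candidate patch ID against the list of applied patches. The following sketch is an added example, not Sun's code: the inventory lines are constructed in the layout that `showrev -p` prints, only 108528-10 comes from this page, and it assumes that an obsoletes entry covers the listed revision and lower, that a requirement is met by the listed revision or higher, and that incompatibility is matched on the base code.

```python
import re

# Patch ID = base code, hyphen, revision number, for example 108528-10.
PATCH_ID = re.compile(r"^([0-9A-Za-z]+)-(\d+)$")
FIELD = re.compile(r"(Patch|Obsoletes|Requires|Incompatibles|Packages):")

def parse_patch_id(text):
    m = PATCH_ID.match(text.strip())
    if not m:
        raise ValueError(f"not a patch ID: {text!r}")
    return m.group(1), int(m.group(2))

def bases(ids):
    return {parse_patch_id(i)[0] for i in ids}

def parse_inventory(lines):
    """Parse 'Patch: ... Obsoletes: ...' lines into {base code: record}."""
    inventory = {}
    for line in lines:
        parts = FIELD.split(line)[1:]        # [key, value, key, value, ...]
        rec = {k: [v.strip() for v in val.split(",") if v.strip()]
               for k, val in zip(parts[::2], parts[1::2])}
        base, rec["rev"] = parse_patch_id(rec["Patch"][0])
        # Keep only the highest applied revision of each base code.
        if base not in inventory or inventory[base]["rev"] < rec["rev"]:
            inventory[base] = rec
    return inventory

def blockers(candidate, requires, incompat, inventory):
    """Return the reasons the candidate patch would be refused."""
    base, rev = parse_patch_id(candidate)
    why = []
    if base in inventory and inventory[base]["rev"] > rev:
        why.append(f"newer revision {inventory[base]['Patch'][0]} applied")
    for ibase, rec in inventory.items():
        pid = rec["Patch"][0]
        for entry in rec.get("Obsoletes", []):
            obase, orev = parse_patch_id(entry)
            if obase == base and orev >= rev:   # assumption: covers <= listed rev
                why.append(f"obsoleted by {pid}")
        # Check both directions: applied patches record their own incompatibles.
        if base in bases(rec.get("Incompatibles", [])) or ibase in bases(incompat):
            why.append(f"incompatible with {pid}")
    for req in requires:
        rbase, rrev = parse_patch_id(req)
        if rbase not in inventory or inventory[rbase]["rev"] < rrev:
            why.append(f"requires {req}")
    return why

# Constructed inventory; the 9000xx patch IDs are made up for illustration.
INSTALLED = parse_inventory([
    "Patch: 108528-10 Obsoletes: 900001-03 Requires: Incompatibles: 900002-01 Packages: SUNWcsu",
    "Patch: 900003-04 Obsoletes: Requires: 108528-08 Incompatibles: Packages: SUNWcsr",
])
```

An empty list from `blockers()` means none of these four conditions applies; the package-state, architecture and version conditions still need the real package database.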
You can use several different methods to download or apply one or more patches to your system. Use the following table to determine which method is best for your needs.
| Command or Tool | Description | For More Information |
|---|---|---|
| | Starting with the Solaris 8 release – Use this command to analyze your system to determine the appropriate patches, and to automatically download and apply the patches. Note that this command will not apply a patch that has the interactive property set. Note – For Solaris 8 systems, only the local mode smpatch is available. | How to Update Your System With Patches (Command Line); smpatch(1M) man page |
| smpatch analyze and smpatch update | Starting with the Solaris 8 release – First, use smpatch analyze to analyze your system to determine the appropriate patches. Then, use smpatch update to download and apply one or more of the patches to your system. Note – For Solaris 8 systems, only the local mode smpatch is available. | How to Analyze Your System to Obtain the List of Patches to Apply (Command Line); How to Update Your System With Patches (Command Line); smpatch(1M) man page |
| smpatch analyze, smpatch download, and smpatch add | Starting with the Solaris 8 release – First, use smpatch analyze to analyze your system to determine the appropriate patches. Then, use smpatch download to download them. This command also downloads any prerequisite patches. Then, use smpatch add to apply one or more of the patches to your system while the system is in single-user or multiuser mode. Note – For Solaris 8 systems, only the local mode smpatch is available. | Managing Patches by Using the Command-Line Interface (Task Map); smpatch(1M) man page |
| | Starting with the Solaris 9 release – Use this tool when you want the convenience of a web browser tool to manage patches. The browser interface enables you to do the following: | Managing Solaris Patches by Using the Sun Patch Manager Browser Interface (Task Map) |
| | Starting with the Solaris 2.6 release – Apply unsigned patches to your system. Starting with the Solaris 9 12/03 release – Use this command to apply either signed or unsigned patches to your system. To apply signed patches, you must first set up your package keystore. | patchadd(1M) man page |
| | Starting with the Solaris 9 release – Use this tool when you want the convenience of a GUI tool to manage signed patches. | Solaris Management Console online help |
If you choose to use the smpatch command-line interface or the Patch Manager browser interface, see Chapter 4, Getting Started With Sun Patch Manager (Overview) for additional information that might affect which method you select to apply patches.
Use this road map to identify all the tasks for managing Solaris patches. Each task points to a series of additional tasks such as managing signed or unsigned patches.
| Task | Description | For Instructions |
|---|---|---|
| Determine whether to apply signed or unsigned patches. | Determine whether applying signed or unsigned patches is best for your environment. | Determining Whether to Apply Signed or Unsigned Patches to Your System |
| Apply a patch to your system. | You can apply patches in the following ways: | |
The key factor when determining whether to apply signed or unsigned patches to your system is whether you trust the source of the patches.
If you trust the source of patches, for example, a patch CD from a known distributor or an HTTPS connection to a trusted web site, you can use unsigned patches. However, if you do not trust the source, use signed patches.
If you are unsure about whether to trust the source of patches, use signed patches.