Sun Patch Manager 2.0 Administration Guide for the Solaris 9 Operating System

Chapter 2 New Patch Manager Features (Overview)

This chapter describes the following new features in the Sun Patch Manager tool (Patch Manager):

- PatchPro analysis engine
- Local-mode command-line interface
- Patch list operations
- Sun Web Console browser interface
- Local patch server

To use the Patch Manager tool, you must install at least the Developer Solaris Software Group of Solaris 9 software. You must also obtain the Patch Manager software from the Sun Download Center at http://wwws.sun.com/software/download.


Note –

As of September 2004, not all Sun patches are available through Sun Patch Manager. Such patches include those that do not conform to PatchPro standards, and those that have third-party contract restrictions.


PatchPro Analysis Engine

Sun Patch Manager 2.0 incorporates PatchPro functionality. PatchPro analyzes a system to determine which patches it needs, then downloads and applies those patches. This automation was previously available for Solaris 2.6, Solaris 7, Solaris 8, and Solaris 9 as a separate PatchPro product and is now part of Sun Patch Manager 2.0.

PatchPro uses signed patches. Verifying a patch's signature before it is applied ensures that the patch has not been modified since Sun signed it, which improves the security of Solaris patching.


Note –

The pprosetup and pprosvc commands are included with Sun Patch Manager 2.0 only for transition purposes. Do not rely on these commands; use the smpatch command instead.


Local-Mode Command-Line Interface


Note –

On Solaris 8 systems, you can only run smpatch in local mode.


Starting with Solaris 9, the smpatch command is available in two modes: local mode and remote mode. Local mode operates only on the system on which the command is run, and can be used while that system is in single-user or multiuser mode. Remote mode performs tasks on remote systems. Both modes can be used by users or roles that have the appropriate authorizations.

By default, smpatch runs in local mode. In local mode, the Solaris WBEM services are not used, and neither the authentication options nor the options that refer to remote systems are available. In local mode the smpatch command also runs faster than in remote mode.

If you specify any of the remote or authentication options (except for -L), remote mode is used.

Single-User Mode Operations in Local Mode

You can use the smpatch add command in local mode to apply patches while the system is in single-user mode. Apply patches this way when the patches carry the singleuser patch property, or when you want to apply any patches to a quiet system.

Use only the smpatch add, smpatch order, and smpatch remove commands to manage patches when your system is running in single-user mode.

You can configure your patch management environment while the system is running in single-user mode by using the smpatch get, smpatch set, and smpatch unset commands.

Do not use the smpatch analyze, smpatch download, and smpatch update commands while the system is running in single-user mode. These commands depend on network services that are not available while the system is in single-user mode.

If you previously used the smpatch update command or the browser interface to update your system with patches, some of the patches might not have been applied. The smpatch update command does not apply a patch that fails the policy for applying patches (for example, a patch with the singleuser property), so such patches must be applied manually in single-user mode.

To apply the patches while the system is in single-user mode, use the smpatch add command with the -x idlist= option to specify the list of patches to apply.

You can use the disallowed_patch_list file as input to the smpatch add command to apply the singleuser patches. This file, stored in the download directory, lists any patch that could not be applied by smpatch update while the system was in multiuser mode. For example:


# smpatch add -x idlist=/var/sadm/spool/disallowed_patch_list

Patch List Operations

Patch Manager can create an ordered list of patches that you can save to a text file and use to perform patch operations.

You might use a patch list to apply the same set of patches to systems that have the same hardware and software configurations. Or, you might create a patch list file that contains all pertinent security patches and use the patch list to apply those security patches to one or more systems.

You can create a file that contains an ordered patch list by using the smpatch command in any of these ways:

If you modify a patch list and the patches are available on your system, use the smpatch order command to put the list in an order suitable for applying patches. Otherwise, use the smpatch analyze command, which also produces an ordered list of patches.

You can use patch lists as input to the smpatch add, smpatch analyze, smpatch download, smpatch order, and smpatch update commands.


Caution –

The smpatch add command attempts to apply all of the patches in the patch list, regardless of the policy for applying patches and patch dependencies.
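The single-user mode rules above (only add, order, remove, get, set, and unset are safe once network services are unavailable) and the caution that smpatch add applies every listed patch regardless of policy and dependencies both argue for a preflight check before a patch list is handed to smpatch add -x idlist=. The following POSIX sh script is an added example and is not part of the Sun guide or of the Patch Manager software. It assumes the patch list format that an smpatch analyze listing provides (one patch ID of the form NNNNNN-NN per line, optionally followed by a synopsis, with blank and "#" lines carrying no patch), uses fictitious patch IDs as constructed sample input, and does not invoke smpatch itself.

```shell
#!/bin/sh
# Added preflight for "smpatch add -x idlist=FILE" (example code, not part of
# the Sun guide or of Patch Manager).  Assumption: a patch list holds one
# patch ID per line in the NNNNNN-NN form, optionally followed by a synopsis,
# and lines that are blank or start with "#" carry no patch.
PATCH_ID_RE='^[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9]$'

# Return 0 if SUBCOMMAND may be used at RUNLEVEL.  analyze, download and
# update need network services that single-user mode (run level S; run
# level 1 is also a single-user state on Solaris) does not provide.
smpatch_allowed_at_runlevel() {
    case $1 in
        S|s|1)
            case $2 in
                add|order|remove|get|set|unset) return 0 ;;
                *) return 1 ;;
            esac ;;
        *) return 0 ;;
    esac
}

# Return 1, reporting each line whose first field is not a well-formed ID.
validate_patch_list() {
    awk -v re="$PATCH_ID_RE" '
        /^[ \t]*$/ || /^[ \t]*#/ { next }
        $1 !~ re { printf "line %d: malformed patch ID: %s\n", NR, $0 > "/dev/stderr"; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Print only the patch IDs, in file order (the column smpatch add needs).
patch_ids() {
    awk -v re="$PATCH_ID_RE" '$1 ~ re { print $1 }' "$1"
}

# Print base IDs listed at more than one revision (e.g. 112233-04 and
# 112233-06).  smpatch add applies every entry regardless of dependencies,
# so such a list should go through "smpatch order" or be cleaned up first.
duplicate_base_ids() {
    awk -v re="$PATCH_ID_RE" '
        $1 ~ re { split($1, p, "-"); seen[p[1]]++ }
        END { for (b in seen) if (seen[b] > 1) print b }
    ' "$1" | sort
}

# preflight RUNLEVEL SUBCOMMAND LIST: 0 means LIST can be handed to smpatch.
preflight() {
    if ! smpatch_allowed_at_runlevel "$1" "$2"; then
        echo "smpatch $2 must not be used at run level $1" >&2
        return 1
    fi
    validate_patch_list "$3" || return 1
    dups=$(duplicate_base_ids "$3")
    if [ -n "$dups" ]; then
        echo "more than one revision listed for base ID(s): $dups" >&2
        return 1
    fi
    return 0
}

# Constructed sample with fictitious patch IDs, standing in for a
# disallowed_patch_list left behind by "smpatch update" in multiuser mode.
SAMPLE=${TMPDIR:-/tmp}/disallowed_patch_list.$$
cat > "$SAMPLE" <<'EOF'
# held back by the multiuser policy (fictitious IDs)
112233-04 SunOS 5.9: kernel update (singleuser)
113579-02 SunOS 5.9: libc update
112233-06 SunOS 5.9: kernel update, later revision
EOF

# Current run level from "who -r" (Solaris prints a leading "." field, so
# locate the "run-level" word rather than a fixed column); default to S.
RUNLEVEL=$(who -r 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i == "run-level") print $(i + 1) }')
if preflight "${RUNLEVEL:-S}" add "$SAMPLE"; then
    echo "ready: smpatch add -x idlist=$SAMPLE"
else
    echo "fix the list before running smpatch add" >&2
fi
```

Run on the constructed sample, the preflight rejects the list because two revisions of the same base ID are present, which is exactly the case where smpatch order should be consulted before smpatch add; a clean list passes and the script prints the smpatch add command line to run.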


Sun Web Console Browser Interface

Starting with Solaris 9, Patch Manager offers a browser interface for updating systems with patches. You can use the browser interface to analyze a system, update a system with patches, remove patches, and configure your patch management environment.


Note –

The browser interface that was originally released with the Sun Patch Manager 2.0 product for Solaris 9 systems has been withdrawn.

The Patch Manager product will be replaced by the new Sun Update Manager product.


Local Patch Server


Note –

The local patch server is an optional Sun Patch Manager 2.0 feature that you can obtain at no charge if you are a contract customer in the SunSpectrum program.

For information about becoming a contract customer or obtaining the local patch server distribution, go to http://sunsolve.sun.com and click Patch Portal.


Starting with Solaris 8, client systems can use Patch Manager to access patches and patch data to perform patch analysis and maintenance. This patch data is provided by a patch source. The patch source can be a patch server, such as the Sun patch server or a local patch server, or a local collection of patches.

By using a local patch server on your intranet, you can serve patches to your local systems and minimize the Internet traffic between your systems and the Sun patch server. Such a local patch server caches any patches that are downloaded from its patch source.

For information about configuring a local patch server on your intranet, see Configuring Your Local Patch Server by Using the Command-Line Interface.

The local patch server obtains patches from its source of patches on a per-request basis, so you do not need to stock your patch server with patches before you can use it.

The system you choose to act as the local patch server must be running at least Solaris 9 and have at least the Developer Solaris Software Group installed. This system must also have the Sun Patch Manager 2.0 software installed.

Benefits of Using a Local Patch Server

Using a local patch server addresses security concerns as well as system analysis and patch download performance issues: only the local patch server needs to reach the Sun patch server, so your client systems need no direct Internet access for patching.

For instance, instead of patches and metadata being downloaded from the Sun patch server to each of your systems, each patch is downloaded only once, to your local patch server. After the patch data is stored on this server, it is transferred to your systems for analysis over your intranet instead of over the Internet.

You can configure a chain of patch servers on your intranet. The last link in the chain of local servers can point to the Sun patch server or to a local collection of patches. By using this chain of servers, a patch download request from your system to its primary patch server can be forwarded to other servers in the chain in an attempt to fulfill the request. If your system's primary server cannot locate a patch, the server makes the same request of the next server in the chain to see if the patch is stored there. If the patch is found, it is downloaded to the system. If the patch is not found, the request continues along the chain until the patch is found or the last server in the chain is reached.

For example, your company has a patch server that obtains patches directly from the Sun patch server. Each office in your company has its own patch server that obtains patches from the company patch server.

Each local patch server in the chain stores the patches that it obtains from another server in the chain in response to a download request. So, a patch that is not initially found on your local server is downloaded to your local server and stored before being downloaded to the client system; later requests for the same patch are served from that local copy. Each additional server in a chain of local patch servers might increase the time it takes to download a patch to your client system the first time it is requested.