Chapter 3 Sun Patch Manager Concepts (Overview)

To make good use of the Sun Patch Manager product, you need to be familiar with these Patch Manager concepts:

• Sun Patch Manager Tool

• Patch Management Process

• Specifying the Source of Patches

• Customizing the Policy for Applying Patches

• Setting Patch Manager Configuration Parameters

The browser interface that was originally released with the Sun Patch Manager 2.0 product for Solaris 9 systems has been withdrawn.

The Patch Manager product will be replaced by the new Sun Update Manager product.

Sun Patch Manager Tool

Sun Patch Manager is the standard tool for managing patches on Solaris systems.

Patch Manager primarily operates on signed patches, which include a digital signature from Sun Microsystems. A signed patch offers greater security than an unsigned patch, which does not have a digital signature. The digital signature of the patch is verified before the patch is applied to your system. A valid digital signature ensures that the signed patch that you apply has not been modified since the signature was applied. You can use the smpatch add command to apply unsigned patches.

You can access Patch Manager by using the smpatch command-line interface or by using a browser interface.

Patch Management Process

Patch Manager enables you to manually or automatically perform the patch management process, which includes the following tasks:

• Updating your system with some or all of the appropriate patches, which automatically analyzes the system to determine the appropriate patches, downloads the patches, and applies the patches to the system

• Analyzing the system to obtain a list of appropriate patches

• Downloading the appropriate patches to your system

• Applying the appropriate patches to your system

• Configuring the patch management environment for your system

• Tuning the patch management environment for your system

• Removing patches from your system

For information about recommended strategies and practices for using Solaris patches, see Solaris Patch Management: Recommended Strategies on docs.sun.com.

Automatically Updating Your System With Patches

Patch Manager can automatically apply the set of appropriate patches to your system.

An update performs these steps in the patch management process:

• Analyzes your system to determine which patches are appropriate

• Downloads those patches to your system

• Applies only the patches that meet the policy for applying patches

After a patch has been successfully applied, the downloaded patch is removed from the download directory.

Patches are applied to your system depending on the specified policy and the patch properties associated with the patches that are downloaded.

If a patch does not meet the policy for applying patches, the patch is not applied. Instead, a patch entry for that patch is written to the disallowed_patch_list file in the download directory. Sun Patch Manager continues trying to apply the other patches. Later, you can go to the download directory and use the smpatch add command to manually apply any disallowed patches that are listed in this file. For any of the patches that have the interactive property set, follow the instructions in the patch's README file to apply them.

For example, you can bring your system to single-user mode and apply the patches listed in the disallowed_patch_list file by typing the following:

# smpatch add -x idlist=/var/sadm/spool/disallowed_patch_list

Instead of performing an update, you can perform the analyze, download, and apply tasks manually by using the smpatch command. These tasks are described in the following sections.

Analyzing Your System

Before you can apply patches to your system, you can determine which patches are needed. You can use Patch Manager to perform a patch analysis of your system to obtain a list of appropriate patches.

Patch Manager uses analysis modules and a list of available patches from the source of patches, which is the SunSolve Online web site by default, to perform the analysis of your Solaris system. For information about the source of patches, see Specifying the Source of Patches.

Based on the result of the analysis, the patches can be downloaded and applied to your system.

Sometimes a patch depends on another patch, that is, the first patch cannot be applied to the system until the other patch is applied. The first patch is said to have a dependency on the second patch. When Patch Manager analyzes your system, it checks for patch dependencies and automatically includes all patches in the resulting list. If you request a system analysis based on particular patches, Patch Manager adds any patches to the list that are needed to resolve patch dependencies.

The list of patches that is generated by the analysis is based on all of the available patches from the Sun patch server. No explicit information about your host system or its network configuration is transmitted to Sun. Only a request for the Sun patch set is transmitted. The patch set is scanned for patches that are appropriate for this host system, the results are displayed, and those patches are optionally downloaded.

Downloading Patches to Your System

Before you apply patches to your system, you must download the patches that you want from the Sun patch server to that system.

You can download patches from the Sun patch server based on an analysis of the system, or you can specify particular patches to download.

You cannot use the Patch Manager browser interface to just download patches. When you select patches from the list of patches and click Apply or Apply All, the patches you specified are both downloaded and applied. To just download patches, use the smpatch download command.

Applying Patches to Your System

Patch Manager can apply patches to your system.

If you use the smpatch add command to apply particular patches, it attempts to apply only those patches that you specified. The smpatch add command does not attempt to resolve patch dependencies. If you want to apply a patch that has a missing dependency, the patch is not applied. You can use the smpatch analyze command or the smpatch update command to resolve patch dependencies.

When you use the browser interface to apply patches that you selected from the list of patches, each patch is downloaded (if necessary) before it is applied.

Removing Patches From Your System

You might want to remove (or back out) a patch that you previously applied to your system. Patch Manager enables you to remove patches.

Do not remove the Sun Patch Manager 2.0 WBEM patch (117680-01 for x86 and 117679-01 for SPARC®) from a system, or Patch Manager will not work properly.

When you remove a patch, the Solaris patch tools restore all of the files that have been modified by that patch, unless any of the following are true:

• The patch was applied by the patchadd -d command, which instructs patchadd not to save copies of files being updated or replaced.

• The patch was applied by the patchadd command without using the -d option and the backout files that were generated have since been removed.

• The patch has been obsoleted by a later patch.

• The patch is required by another patch.

The Solaris patch tools call the pkgadd command to restore packages that were saved when the patch was initially applied.

During the patch removal process, the patchrm command logs the backout process in the /tmp/backoutlog.process-id file. This log file is automatically removed if the patch is successfully removed.

You can use the browser interface to remove one or more patches by selecting them from the list of applied patches. However, you can only remove one patch at a time when you use the smpatch remove command.

If you attempt to remove a patch on which other patches depend, it is not removed. If you remove all of the patches that depend upon this patch, then you can remove it.

Specifying the Source of Patches

When you use Patch Manager, your client systems and any local patch servers must have access to Solaris patches and patch data.

Both client systems and local patch servers can obtain patches from these sources:

• Patch server – A server that provides access to Solaris patches and patch data. A patch server can be a local patch server on your intranet or the Sun patch server.

  ---

  Note –

  The local patch server is an optional Sun Patch Manager 2.0 feature that you can obtain at no charge if you are a contract customer in the SunSpectrum program.

  For information about becoming a contract customer or obtaining the local patch server distribution, go to http://sunsolve.sun.com and click Patch Portal.

  ---

• Local collection of patches – A collection of patches and patch data that is stored in a directory available to the local system. Such a directory might be a local directory, a shared network directory, or a CD mounted on your local system.

The default source of patches for client systems and local patch servers is the Sun patch server. As a result, any client system or local patch server that obtains patches from the Sun patch server must be connected, either directly or through a web proxy, to the Internet.

You can use a combination of local patch servers and different patch sources to configure these patch management environments.

Clients access patches and patch data from the following sources:

• Sun patch server – Your client systems obtain patches from the Sun patch server.

  This configuration requires that your client systems are connected, directly or through a web proxy, to the Internet.

• Local patch server obtains patches from the Sun patch server – Your client systems obtain patches from a local patch server on your intranet. The local patch server obtains patches from the Sun patch server.

  This configuration requires that only the local patch server be connected, directly or through a web proxy, to the Internet.

• Local collection of patches – Your client systems obtain patches and patch data from a collection of patches on your local system.

  This configuration does not require that the client systems be connected to the Internet.

• Local patch server obtains patches from a local collection of patches – Your client systems are connected to a local patch server, which obtains patches and patch data from a collection of patches on the local patch server.

  This configuration does not require that the client systems and local patch server be connected to the Internet.

For instructions on specifying the source of patches for your client system, see How to Specify the Source of Patches (Web Browser) or How to Specify the Source of Patches (Command Line).

For instructions on specifying the source of patches for your local patch server, see How to Change Configuration Settings for Your Local Patch Server (Command Line).

Customizing the Policy for Applying Patches

Patch Manager enables you to customize a policy for applying patches to use when updating your system. The policy determines the types of patches that can be applied during an update operation.

Solaris patches are classified as being standard or nonstandard. A standard patch can be applied to your Solaris system when running in multiuser mode. A reboot is not required. Such a patch is associated with the standard patch property.

A nonstandard patch has one of the following characteristics:

• The patch is associated with one or more of the rebootafter, rebootimmediate, reconfigafter, reconfigimmediate, and singleuser properties. Such a nonstandard patch can be applied during an update operation if permitted by the policy.

• The patch is associated with the interactive property. Such a patch cannot be applied by using the smpatch update command. You can use the smpatch add command or the patchadd command to apply such a patch.

As of June 2005, not all Sun patches are available through Sun Patch Manager. Such patches include those that do not conform to PatchPro standards, and those that have third-party contract restrictions.

You can specify the types of patches that Patch Manager can apply during an update. Such patches might include those that require a reboot or those that must be applied while the system is in single-user mode.

For descriptions of the following patch properties, see the smpatch(1M) man page.

• interactive

• rebootafter

• reconfigafter

• rebootimmediate

• reconfigimmediate

• singleuser

• standard

Setting Patch Manager Configuration Parameters

You can modify configuration settings from the Administration page of the browser interface, as well. Note that the label names that appear on the Administration page represent the following set of configuration parameters:

patchpro.patchset

Name of the patch set to use. The default name is patchdb.

patchpro.download.directory

Path of the directory where downloaded patches are stored and from which patches are applied. The default location is /var/sadm/spool.

patchpro.backout.directory

Path of the directory where patch backout data is saved. When a patch is removed, the data is retrieved from this directory as well. By default, backout data is saved in the package directories.

patchpro.patch.source

URL that points to the collection of patches. The default URL is that of the Sun patch server, https://updateserver.sun.com/solaris/.

patchpro.sun.user

The Sun user name that you use to obtain patches. You obtain this user name by registering at http://sunsolve.sun.com. By default, you are not permitted to access contract patches.

patchpro.sun.passwd

Password used with your Sun user name. No default password is set. If you specify your Sun user name, you must also specify your password.

patchpro.proxy.host

Host name of your web proxy. By default, no web proxy is specified, and a direct connection to the Internet is assumed.

patchpro.proxy.port

Port number used by your web proxy. By default, no web proxy is specified, and a direct connection to the Internet is assumed. The default port is 8080.

patchpro.proxy.user

Your user name used by your web proxy for authentication.

patchpro.proxy.passwd

Password used by your web proxy for authentication.

patchpro.install.types

Your policy for applying patches. The value is a list of zero or more colon-separated patch properties that are permitted to be applied by an update operation (smpatch update).

By default, patches that have the standard, rebootafter, and reconfigafter properties can be applied. See Customizing the Policy for Applying Patches.