Use the smpatch command to perform most of the common patch management tasks described in the following table. See the smpatch(1M) man page.
Task |
Description |
For Instructions |
---|---|---|
Analyze your system to determine the list of patches. |
You want to analyze your system to obtain the list of appropriate patches. Based on the analysis, you can update your system with one or more patches in the list. |
How to Analyze Your System to Obtain the List of Patches to Apply (Command Line) |
Automatically update your system with one or more patches in a single procedure. |
You want to automatically download and apply the patches that are appropriate for your system. The list of patches is determined by having Patch Manager analyze your system. | |
Apply patches to your system. |
| |
Remove patches from your system. |
You want to remove, or back out, patches that you applied to your system. | |
(Optional) View patch management tool log entries. |
View Patch Manager log entries in the system log file to identify problems with installing patch management tools or applying patches. | |
Apply patches to an inactive boot environment on your system by using luupgrade. |
You want to use Solaris Live Upgrade to apply patches to a system that has more than one boot environment. |
How to Use luupgrade to Apply a List of Patches to an Inactive Boot Environment (Command Line) |
The following procedures and examples show how to run the local mode smpatch command, which is run by default. To run the remote mode version, use any of the authentication options (except for -L) or the remote options. See the smpatch(1M) man page.
You can perform an analysis of your system to determine the list of appropriate patches. This list is in an order that can be used to apply patches. You can also supply a list of one or more patches as input to restrict the analysis to just those patches. In addition to performing the analysis, you can save the patch list for modification or for use at a later time.
The system analysis writes the list of patches to standard output, so you can save the contents of the patch list to a file by redirecting standard output to a file.
Each line in a patch list has two columns. The first column is the patch ID, and the second column is a synopsis of that patch.
If you supply a list of one or more patches to the smpatch analyze command, the list of patches is augmented with any patches that are required as dependencies.
Become an appropriately authorized user or assume a role that includes the Software Installation profile or the solaris.admin.patchmgr.* authorization.
The System Administrator profile includes the appropriate profiles. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Perform a patch analysis of your system and optionally save the list of patches in a file.
To create a list of all the appropriate patches for your system, type:
# smpatch analyze |
To create a list of particular patches for your system based on a patch list, type:
# smpatch analyze -x idlist=patch-list-file |
To create a list of particular patches for your system, type:
# smpatch analyze -i patch-id... |
The following example shows how to analyze a system to create a list of all appropriate patches. The list is written to the /tmp/patch.all file.
# smpatch analyze > /tmp/patch.all |
The following example shows how to create a list of patches, plist, modify it, and resolve the patch dependencies. The list is written to the /tmp/patch.plist file.
# smpatch analyze > plist # vi plist . . . # smpatch analyze -x idlist=plist > /tmp/patch.plist |
The following example shows how to resolve patch dependencies for patch 112785-28 and write the resulting patch list to a file called /tmp/patch.out. Patch 112785-28 depends on patch 113096-03. After running the smpatch analyze command, the patch.out file contains this ordered list: 113096-03 and 112785-28.
# smpatch analyze -i 112785-28 > /tmp/patch.out |
An update of a system performs the entire patch management process in one step. First, the analysis determines the appropriate patches for your system. Next, those patches are downloaded to your system. Finally, the patches are applied to your system.
All standard patches are applied by an update. You can configure your system to apply some nonstandard patches by changing the default policy for applying patches. To change the policy for your system, see How to Change the Policy for Applying Patches (Command Line).
Become an appropriately authorized user or assume a role that includes the Software Installation profile or the solaris.admin.patchmgr.* authorization.
The System Administrator profile includes the appropriate profiles. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Update the system with patches in one of the following ways:
To update your system with all appropriate patches, type:
# smpatch update |
To update your system with all patches listed in a file, first create a patch list (see How to Analyze Your System to Obtain the List of Patches to Apply (Command Line)), then type:
# smpatch update -x idlist=patch-list-file |
To update your system with particular patches, type:
# smpatch update -i patch-id -i patch-id ... |
If you specify particular patches by using the -i or -x idlist= options, the list is augmented with patches on which they depend before the update occurs.
Any patches that cannot be applied to the system are listed in a patch list file called disallowed_patch_list, which is located in the download directory. You can use this file as input to the smpatch add command.
For example, you might bring your system to single-user mode and apply the patches listed in the disallowed_patch_list file by typing the following:
# init S # smpatch add -x idlist=/var/sadm/spool/disallowed_patch_list |
See How to Apply Patches to Your System (Command Line) for more information.
The following example shows how to update a system with patch 112622-12 and 112771-17.
# smpatch update -i 112622-12 -i 112771-17 |
The following example shows how to update a system by using a list of patches, named plist, as input. It then shows how to create a patch list and modify it to contain only the patches that you want to apply to your system. Then, you use the smpatch update command to apply the patches and update the system.
Create a list of patches by performing an analysis.
Edit the patch list to include only the patches that you want to apply.
Run the smpatch update command to apply the patches.
For example:
# smpatch analyze > plist . . . # vi plist . . . # smpatch update -x idlist=plist . . . |
You can use the smpatch add command to apply one or more downloaded patches to your system.
You can use the local mode version of the smpatch command to apply one or more downloaded patches while your system is in single-user mode or in multiuser mode.
The smpatch add command ignores the policy for applying patches and does not resolve dependencies when applying patches.
Become an appropriately authorized user or assume a role that includes the Software Installation profile or the solaris.admin.patchmgr.* authorization.
The System Administrator profile includes the appropriate profiles. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Apply the downloaded patches to your system.
To apply all patches listed in a file, type:
# smpatch add -x idlist=patch-list-file |
To apply particular patches, type:
# smpatch add -i patch-id -i patch-id ... |
To apply particular patches that have the singleuser property, you must first bring the system to single-user mode. Type:
# init S # smpatch add -i patch-id -i patch-id ... |
To apply the list of patches that could not be applied by the smpatch update command, you must first bring the system to single-user mode. Type:
# init S # smpatch add -x idlist=/var/sadm/spool/disallowed_patch_list |
The following example shows how to apply the patches listed in the file plist while the system is in single-user mode.
INIT: SINGLE USER MODE Type control-d to proceed with normal startup, (or give root password for system maintenance): root-password single-user privilege assigned to /dev/console. Entering System Maintenance Mode Jan 7 13:17:44 su: 'su root' succeeded for root on /dev/console Sun Microsystems Inc SunOS 5.9 Generic May 2002 # smpatch add -x idlist=plist |
The following example shows how to apply patch 112662-12 while the system is in single-user mode.
INIT: SINGLE USER MODE Type control-d to proceed with normal startup, (or give root password for system maintenance): root-password single-user privilege assigned to /dev/console. Entering System Maintenance Mode Jan 7 13:17:44 su: 'su root' succeeded for root on /dev/console Sun Microsystems Inc SunOS 5.9 Generic May 2002 # smpatch add -i 112662-12 |
You cannot use smpatch to apply nonstandard patches that have the interactive property set. To apply the patch, review the information in the Special Installation Instructions section of the patch's README file.
Become superuser.
In the download directory, find the nonstandard patch that you want to apply.
# cd /var/sadm/spool; ls |
To access the patch README file, do one of the following:
View the patch README file from the Sun patch server at http://sunsolve.sun.com.
To extract the patch README file from the JAR archive, do the following:
Identify the name of the README file, for example:
# /usr/j2se/bin/jar tvf 107058-01.jar | grep README 1440 Sat Apr 06 08:50:08 MST 2002 107058-01/README.107058-01 |
Extract the README file.
# /usr/j2se/bin/jar xvf 107058-01.jar 107058-01/README.107058-01 extracted: 107058-01/README.107058-01 |
View the README file.
# more 107058-01/README.107058-01 |
Follow the instructions in the Special Installation Instructions section of the README file to apply the patch.
Sometimes a patch depends on another patch, that is, the first patch cannot be applied to the system until the other patch is applied. The first patch is said to have a dependency on the second patch.
If you specify a list of patches to apply, you can resolve the list for patch dependencies. The resulting list might include additional patches that you must apply before applying the patches you specified.
Become an appropriately authorized user or assume a role that includes the Software Installation profile or the solaris.admin.patchmgr.* authorization.
The System Administrator profile includes the appropriate profiles. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Resolve the list of patches.
Resolve a list of patches specified one at a time on the command line.
# smpatch analyze -i patch-id -i patch-id ... |
Resolve a list of patches specified in a file.
# smpatch analyze -x idlist=patch-list-file |
The following example shows how to resolve patch dependencies for patch 112785-28 and write the resulting patch list to a file called /tmp/patch.out. Patch 112785-28 depends on patch 113096-03. After running the smpatch analyze command, the patch.out file contains this ordered list: 113096-03 and 112785-28.
# smpatch analyze -i 112785-28 > /tmp/patch.out |
The following example shows how to take a modified list of patches, plist, and resolve the patch dependencies. The list is written to the /tmp/patch.plist file.
# smpatch analyze -x idlist=plist > /tmp/patch.plist |
A patch list that is created by the smpatch command can be used by luupgrade to apply patches to an inactive boot environment. You can also use the luupgrade command to remove patches from an inactive boot environment based on showrev information. See the luupgrade(1M) and showrev(1M) man pages.
This procedure assumes that you have created a second boot environment that is a duplicate of the active boot environment. See the lumake(1M) man page for information about creating boot environments.
Become an appropriately authorized user or assume a role that includes the Software Installation profile or the solaris.admin.patchmgr.* authorization.
The System Administrator profile includes the appropriate profiles. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Perform a patch analysis on the active boot environment to obtain the list of appropriate patches to apply to the inactive boot environment, and remove the synopsis for each patch entry.
# smpatch analyze | sed 's/ .*//' > patch-list-file |
The modified file will be a list of patches, one patch ID per line.
Download the patches from a patch list to your system.
# smpatch download -x idlist=patch-list-file |
Apply patches from a patch list to the inactive boot environment.
# luupgrade -t -n BE-name -s dir-name `cat patch-list-file` |
You must specify the name of the inactive boot environment to update, BE-name, and the directory where the patches are stored, dir-name.
(Optional) To remove a patch from the inactive boot environment, use the following command:
# luupgrade -T -n BE-name patch-id |
You must specify the name of the inactive boot environment to update, BE-name, and the patch to be removed, patch-id.
The following example shows how to use Patch Manager and Solaris Live Upgrade commands to apply a list of patches to an inactive boot environment. For this example, a duplicate boot environment, be2, of the active boot environment has been created.
First, use the smpatch analyze and sed commands to analyze the active boot environment and create a patch list, plist, that includes one patch ID per line. The sed command removes the synopsis from each patch entry. Use the smpatch download command to download the patches in the list. Then, use the luupgrade command to apply the list of patches to the inactive boot environment of the system. The inactive boot environment is called be2, and the directory where the patches reside is /var/sadm/spool on the active boot environment.
# smpatch analyze | sed 's/ .*//' > plist . . . # smpatch download -x idlist=plist . . . # luupgrade -t -n be2 -s /var/sadm/spool `cat plist` . . . |
The following example shows how to use Patch Manager and the Solaris Live Upgrade commands to remove a patch from an inactive boot environment. For this example, a duplicate boot environment, be2, of the active boot environment has been created.
Use the luupgrade command to remove patch 107058-01 from the inactive boot environment of the system, be2.
# luupgrade -T -n be2 107058-01 . . . |
You can remove only one patch at a time.
If you want to remove more than one patch, use the browser interface. See How to Remove Patches From Your System (Web Browser).
If your system has more than one boot environment, you can use the luupgrade command to remove a list of patches from an inactive boot environment. See How to Use luupgrade to Apply a List of Patches to an Inactive Boot Environment (Command Line).
Do not remove the Sun Patch Manager 2.0 WBEM patch (117680-01 for x86 and 117679-01 for SPARC) from a system, or Patch Manager will not work properly.
Identify the patch that you want to remove.
Become an appropriately authorized user or assume a role that includes the Software Installation profile or the solaris.admin.patchmgr.* authorization.
The System Administrator profile includes the appropriate profiles. To create the role and assign the role to a user, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Remove the patch from your system.
# smpatch remove -i patch-id |
Patch Manager writes to the system log file /var/adm/messages.
Choose which method to use to see information about a failed installation of a patch.
/var/adm/messages – Identifies problems that are found when applying a patch to a system by using Patch Manager.
Solaris WBEM log – To view this log from the command line, use the smlog view command. See the smlog(1M) man page.
View log entries from the appropriate log file.