Sun Patch Manager 2.0 Administration Guide for the Solaris 9 Operating System

Chapter 1 Managing Solaris Patches (Overview)

Patch management involves applying Solaris^TM patches to a system. Patch management might also involve removing unwanted or faulty patches. Removing patches is also called backing out patches.

The following overview information is in this chapter:

For information about applying patches to diskless client systems, see Patching Diskless Client OS Services in System Administration Guide: Basic Administration.

For information about recommended strategies and practices for using Solaris patches, see Solaris Patch Management: Recommended Strategies on docs.sun.com.

Types of Patches

A patch is a collection of files and directories that replaces or updates existing files and directories that are preventing proper execution of the existing software. The existing software is derived from a specified package format, which conforms to the Application Binary Interface (ABI).

You can manage patches on your Solaris system by using the Patch Manager software or by using the patchadd command.

Signed and Unsigned Patches

A signed patch is one that has a digital signature applied to it. A patch that has its digital signature verified has not been modified since the signature was applied. The digital signature of a signed patch is verified after the patch is downloaded to your system.

Patches for the Solaris 2.6, Solaris 7, Solaris 8, and Solaris 9 releases are available as signed patches and as unsigned patches. Unsigned patches do not have a digital signature.

Signed patches are stored in Java^TM archive format (JAR) files and are available from the SunSolve Online^SM web site. Unsigned patches are stored in directory format and are also available from the SunSolve Online web site as .zip files.

For information about applying patches to your system by using Patch Manager, see Managing Patches by Using the Command-Line Interface (Task Map) or Managing Patches by Using the Browser Interface (Task Map).

For information about applying patches by using the patchadd command, see Chapter 25, Managing Solaris Patches (Tasks), in System Administration Guide: Basic Administration.

Accessing Solaris Patches

Sun customers can access patches from the SunSolve Online web site whether or not they are in the SunSpectrum^SM program. These patches are updated nightly.

If you are in the SunSpectrum program – You have access to the entire SunSolve^SM database of patches and all patch information.
If you are not in the SunSpectrum program – You have access to the entire SunSolve database of patches and all patch information except for patches that have third-party contract restrictions.

You can obtain Solaris patches in the following ways:

From the http://sunsolve.sun.com web site

To access patches from the Patch Portal of the SunSolve Online site, your system must be connected to the Internet and be capable of running a web browser, such as the Netscape^TM software.
By using anonymous ftp to download the patches to your system

To obtain patches by using the anonymous ftp command, your system must be connected to the Internet and be capable of running the ftp command.
By using the Sun Patch Manager tools that are described in this book.

You can access individual patches or a set of patches from a patch cluster, or refer to patch reports. You can also use Sun Patch Manager to analyze your system to determine the appropriate patches. Patch Manager also can download and apply the patches to your system.

Each patch is associated with a README file that has information about the patch.

Solaris Patch Numbering

Patches are identified by unique patch IDs. A patch ID is an alphanumeric string that is a patch base code and a number that represents the patch revision number joined with a hyphen. For example, patch 108528-10 is the patch ID for the SunOS^TM 5.8 kernel update patch.

Tools for Managing Solaris Patches

You can use the following tools to apply patches to Solaris systems:

Sun Patch Manager command-line interface (smpatch)
Sun Patch Manager browser interface
patchadd
Solaris Management Console Patches tool (GUI, starting with Solaris 9)

If you need to apply a patch to a diskless client system, see Patching Diskless Client OS Services in System Administration Guide: Basic Administration.

Note –

The browser interface that was originally released with the Sun Patch Manager 2.0 product for Solaris 9 systems has been withdrawn.

The Patch Manager product will be replaced by the new Sun Update Manager product.

The following table summarizes the availability of the Solaris patch management tools.

Tool Availability	`patchadd`/`patchrm` Commands	Solaris 2.6 and Solaris 7 Patch Management Tools	Sun Patch Manager 2.0	PatchPro Interactive or PatchPro Expert
How do I get this tool?	Included with the Solaris release	Download the tool from the Sun Download Center web site [The Sun Download Center web site is `http://wwws.sun.com/software/download`.]	Download the Solaris 8 or Solaris 9 version of the tool from the Sun Download Center web site	Run tool from the PatchPro web site [The PatchPro web site is `http://www.sun.com/PatchPro`.]
Solaris release availability	Solaris 2.6, Solaris 7, Solaris 8, and Solaris 9 releases	Solaris 2.6 and Solaris 7 releases	Solaris 8 and Solaris 9 releases	Solaris 2.6, Solaris 7, Solaris 8, and Solaris 9 releases
Applies signed patches?	Starting with the Solaris 9 12/03 release – Yes, and automatically verifies the signed patch when it is downloaded	Yes, and automatically verifies the signed patch when it is downloaded	Yes, and automatically verifies the signed patch when it is downloaded	No, these tools do not apply patches
Applies unsigned patches?	Yes	No	Yes, but the patches must be unzipped first	No
GUI available?	No	No	Yes, for Solaris 9 systems only	Yes, these tools can only be run from the PatchPro web site
Analyzes system to determine the appropriate patches and downloads signed or unsigned patches	No	Yes, signed patches only	Yes, signed patches only	Yes, unsigned patches only
Local and remote system patch support	Local	Local	Local and remote For Solaris 8 systems – Local	No
RBAC support?	Yes	No	Yes	No

Note –

Starting with the Solaris 9 release – A graphical user interface (GUI), the Patches tool in the Solaris Management Console (smc), is also available. The Patches tool enables you to analyze systems to determine the appropriate patches, view patch properties, download patches, apply patches to systems, and remove patches.

Managing Solaris Patches

When you apply a patch, the patch tools call the pkgadd command to apply the patch packages from the patch directory to a local system's disk.

Caution –

Do not run the pkgadd command directly to apply patches.

More specifically, the patch tools do the following:

Determine the Solaris version number of the managing host and the target host
Update the patch package's pkginfo file with this information:
- Patches that have been obsoleted by the patch being applied
- Other patches that are required by this patch
- Patches that are incompatible with this patch

While you apply patches, the patchadd command logs information in the /var/sadm/patch/patch-id/log file.

The patchadd command cannot apply a patch under the following conditions:

The package is not fully installed on the system.
The patch package's architecture differs from the system's architecture.
The patch package's version does not match the installed package's version.
A patch with the same base code and a higher revision number has already been applied.
A patch that obsoletes this patch has already been applied.
The patch is incompatible with a patch that has already been applied to the system. Each patch that has been applied keeps this information in its pkginfo file.
The patch being applied depends on another patch that has not yet been applied.

Selecting the Best Method for Applying Patches

You can use several different methods to download or apply one or more patches to your system. Use the following table to determine which method is best for your needs.

Command or Tool	Description	For More Information
`smpatch update`	Starting with the Solaris 8 release – Use this command to analyze your system to determine the appropriate patches, and to automatically download and apply the patches. Note that this command will not apply a patch that has the `interactive` property set. Note – For Solaris 8 systems, only the local mode `smpatch` is available.	How to Update Your System With Patches (Command Line) smpatch(1M) man page
`smpatch analyze` and `smpatch update`	Starting with the Solaris 8 release – First, use `smpatch analyze` to analyze your system to determine the appropriate patches. Then, use `smpatch update` to download and apply one or more of the patches to your system. Note – For Solaris 8 systems, only the local mode `smpatch` is available.	How to Analyze Your System to Obtain the List of Patches to Apply (Command Line) How to Update Your System With Patches (Command Line) smpatch(1M) man page
`smpatch analyze`, `smpatch download`, and `smpatch add`	Starting with the Solaris 8 release – First, use `smpatch analyze` to analyze your system to determine the appropriate patches. Then, use `smpatch download` to download them. This command also downloads any prerequisite patches. Then, use `smpatch add` to apply one or more of the patches to your system while the system is in single-user or multiuser mode. Note – For Solaris 8 systems, only the local mode `smpatch` is available.	Managing Patches by Using the Command-Line Interface (Task Map) smpatch(1M) man page
Patch Manager browser interface	Starting with the Solaris 9 release – Use this tool when you want the convenience of a web browser tool to manage patches. The browser interface enables you to do the following: Analyze your system to determine the appropriate patches Update the system with one or more patches Remove patches View the list of applied patches View the patch management tool logs Configure your patch management environment	Managing Solaris Patches by Using the Sun Patch Manager Browser Interface (Task Map)
`patchadd`	Starting with the Solaris 2.6 release – Apply unsigned patches to your system. Starting with the Solaris 9 12/03 release – Use this command to apply either signed or unsigned patches to your system. To apply signed patches, you must first set up your package keystore.	patchadd(1M) man page
Solaris Management Console Patches tool	Starting with the Solaris 9 release – Use this tool when you want the convenience of a GUI tool to manage signed patches.	Solaris Management Console online help

If you choose to use the smpatch command-line interface or the Patch manager browser interface, see Chapter 4, Getting Started With Sun Patch Manager (Overview) for additional information that might affect which method you select to apply patches.

Managing Patches in the Solaris Operating System (Road Map)

Use this road map to identify all the tasks for managing Solaris patches. Each task points to a series of additional tasks such as managing signed or unsigned patches.

Task	Description	For Instructions
Determine whether to apply signed or unsigned patches.	Determine whether applying signed or unsigned patches is best for your environment.	Determining Whether to Apply Signed or Unsigned Patches to Your System
Apply a patch to your system.	You can apply patches in the following ways: Use the `smpatch` command on Solaris 8 or Solaris 9 systems to apply signed or unsigned patches. Use the Sun Patch Manager browser interface on Solaris 9 systems. Use the `patchadd` command on Solaris 2.6, Solaris 7, Solaris 8, or Solaris 9 systems to apply unsigned Solaris patches. Starting with the Solaris 9 12/03 release – Use the `patchadd` command to apply either signed or unsigned patches.	Managing Solaris Patches by Using the Sun Patch Manager Command-Line Interface (Task Map) Managing Solaris Patches by Using the Sun Patch Manager Browser Interface (Task Map) patchadd(1M) man page

Task

Description

For Instructions

Determine whether to apply signed or unsigned patches.

Determine whether applying signed or unsigned patches is best for your environment.

Determining Whether to Apply Signed or Unsigned Patches to Your System

Apply a patch to your system.

You can apply patches in the following ways:

Use the smpatch command on Solaris 8 or Solaris 9 systems to apply signed or unsigned patches.
Use the Sun Patch Manager browser interface on Solaris 9 systems.
Use the patchadd command on Solaris 2.6, Solaris 7, Solaris 8, or Solaris 9 systems to apply unsigned Solaris patches.

Starting with the Solaris 9 12/03 release – Use the patchadd command to apply either signed or unsigned patches.

Determining Whether to Apply Signed or Unsigned Patches to Your System

The key factor when determining whether to apply signed or unsigned patches to your system is whether you trust of the source of patches.

If you trust the source of patches, for example, a patch CD from a known distributor or an HTTPS connection to a trusted web site, you can use unsigned patches. However, if you do not trust the source, use signed patches.

If you are unsure about whether to trust the source of patches, use signed patches.