Thanks to Albert White, Richard Sullivan, Todd Jensen, David Foster, Jesse Trucks, Tim Chipman, and Deborah Santomauro.

Below find my summary for advice on patching a Solaris box.

What seems to be the most popular practice for patching Solaris is to install the latest patch cluster on some type of schedule. Several seem to be doing that on a quarterly basis but I guess how often you do it depends on uptime requirements, etc.

I did get a chance to try out several of the methods myself and here is what I found or feedback I got from others on the list. See comments mixed in below.

> Anybody want to comment on the best methods or best practices for patching a
> Solaris 8 box? I've been searching some and have found that there seems to
> be several ways to do patches:
>
> 1. search and find each patch individually and then install
> separately.

This method can become a very daunting task but is basically the method you follow when security alerts come out on a single package that needs to be updated. Works well in between planned patch cluster installs, but, IMHO, is way too time consuming for broad patching.

> 2. Download latest patch cluster for your system and run install_cluster script.

This seems to be the most popular method of patching. Most seem to have some kind of schedule such as quarterly or every N weeks that they apply the latest patch cluster. Several mentioned it is always a good idea to apply the patches to a test box first if you have that luxury. I agree. Also since the patch clusters do include kernel patches it was suggested by several that you might want to drop to single user mode then do the patch cluster install and then reboot the box.

I did end up installing the latest patch cluster myself and since it was a development box that is not heavily used I decided to risk it and install the cluster in the default runlevel (3). I finished the install, rebooted the box and have yet to see any major problems.

Warning: on a tangent!
The only problem I did see was long delays when trying to telnet or ftp to the box. I figured out this was due to name lookups, but I've so far been unable to determine what changed that caused this to start happening after the patch install. This never occurred before the patch cluster install. Any suggestions?

> 3. Use patchcheck to figure out what you need and then
> either create patch suite (sunsolve only) or go and download all patches in list
> individually and install.

I have also tried this method. This is basically a small perl script that uses a reference file (ftp://sunsolve.sun.com/pub/patches/patchdiag.xref), that you must download regularly, to analyze your system and creates an HTML document listing patches you may need. No one that responded made much mention of this method so I can only speak from my own limited experience. I found this to be a good way to compare where your box is (what's installed at what patch level) with the latest available patches. And if you have a sunsolve account (I currently don't) you can use this method to create your own custom patch cluster (patchsuite).

http://sunsolve.sun.com/pub-cgi/show.pl?target=patchk

> 4. Use patchpro expert which is a java applet that creates a list of
> patches you need and you can download them all at once. Still have to
> install separately.

I got little feedback on this method as well. It works very similarly to the above method only I think you get more of an overall listing of patches that isn't quite as custom to your system. It is however slightly easier provided you have X and netscape. You have to go to Sun's website (http://patchpro.sun.com/servlet/com.sun.patchpro.servlet.PatchProServlet) and follow the link to Patch Pro Expert. This runs a java applet and after granting your life away and answering a few questions it gives you a list of patches you might need. As I said before I don't believe the list is completely custom to the system you run it on.
Also I'm sure many admins will not want to deal with Netscape or feel comfortable granting the applet all the access it asks for.

> 5. Use patch manager. I have yet to try this method but it
> looks like it might be the best way but I'm not sure.

This method was neither mentioned nor have I used it. One person did comment on wanting to give it a try but that was the most I got. If anyone would like to comment on this method then please feel free to shoot me an email.

> I've installed a patch or two here and there in the past but I must admit
> that I'm kind of behind so I'm looking into maybe getting a lot knocked out
> at once. What I'm curious about is what the rest of you guys do for
> patches. Does everyone do patches one by one or do you just grab the latest
> cluster and install that with the cluster install script?
>
> Do cluster installs take care of dependencies?

Yes the cluster install does take care of dependencies. When you download and unpack the latest patch cluster you have all the patch directories, a cluster install script, and a patch_order file. The install script uses the patch_order file to do patchadd -M on the patches in the cluster. This ensures they are installed in the correct order.

> What about kernel patches that say you have to be in single user mode?
> Do you need to go to single user mode to install a patch cluster? or are
> the kernel patches even included in the patch cluster?

Yes kernel patches are included in the patch clusters and it is recommended that you drop to single user mode to install a patch cluster. As I mentioned above I did not drop to single user mode when I installed the patch cluster and I have yet to have any problems, but that may only be due to what was patched this time around. I will probably drop to single user mode in the future unless I feel confident that what is going to be patched won't harm the running system.

> What about patch manager? Does that require sunsolve registration?

Nothing to add. If you have info you'd like to share with me I'd be grateful.

Brett
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Mon Oct 7 11:25:22 2002
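
Added example, not part of the original post or of Sun's tooling: a pre-flight check that compares a cluster's patch_order file with the installed patch list and reports, in install order, which cluster patches are missing or installed at a lower revision. The function name pending_patches, the patch IDs and the sample data are constructed; the "Patch: <id> Obsoletes: ..." line layout assumed for `showrev -p` output is an assumption to verify on your own host.

```shell
#!/bin/sh
# Added example: inputs below are constructed samples. On a real host the
# first argument would be the output of `showrev -p` and the second the
# contents of the cluster's patch_order file.

# Constructed sample of installed-patch lines (patch IDs are made up).
SAMPLE_SHOWREV='Patch: 100001-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 100002-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 100001-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 100004-11 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWhea'

# Constructed sample patch_order: one patch ID per line, in install order.
SAMPLE_PATCH_ORDER='100003-01
100001-05
100002-09
100004-10'

# pending_patches SHOWREV_TEXT PATCH_ORDER_TEXT
# Prints "<patch-id> <status>" for each cluster patch that is not yet
# installed at that revision or higher, keeping patch_order sequence.
pending_patches() {
    { printf '%s\n' "$1" | sed 's/^/I /'
      printf '%s\n' "$2" | sed 's/^/C /'; } |
    awk '
        # Installed lines: remember the highest revision seen per base ID.
        $1 == "I" && $2 == "Patch:" {
            split($3, p, "-")
            if (!(p[1] in rev) || p[2] + 0 > rev[p[1]]) rev[p[1]] = p[2] + 0
            next
        }
        # Cluster lines: compare the wanted revision with what is installed.
        $1 == "C" && $2 ~ /^[0-9]+-[0-9]+$/ {
            split($2, p, "-")
            if (!(p[1] in rev))
                print $2, "missing"
            else if (rev[p[1]] < p[2] + 0)
                printf "%s installed-rev-%02d\n", $2, rev[p[1]]
        }'
}

pending_patches "$SAMPLE_SHOWREV" "$SAMPLE_PATCH_ORDER"
```

Saving this report before and after running the cluster install script gives a record of what the run changed, which helps when something like the name-lookup delay described above shows up afterwards.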