Applies To:: The Beginner's Guide To Oracle Solaris Patching (ID 1005835.1)
Document Display
Applies to:
Solaris SPARC Operating System - Version 8.0 to 10 1/13 U11 [Release 8.0 to 10.0]
Solaris x64/x86 Operating System - Version 8 6/00 U1 to 10 1/13 U11 [Release 8.0 to 10.0]
All Platforms
Goal
There are a lot of documents available about patching the Solaris Operating Environment, but this guide is a simple, quick reference for beginners to become acquainted with the patch process and common "gotchas" when installing patches.
Fix
This document covers the following topics:

1. What is a patch anyway?
2. What does patchadd do?
3. What does patchrm do?
4. patchadd and patchrm: Most common options.
5. Patch Clusters?
6. What's a T-patch?
7. Patch installation from an NFS mounted filesystem.
8. Troubleshooting
9. Deciphering patchadd / patchrm failure error codes
10. Related documents

What is a patch anyway?

A patch fixes problems that prevent the proper execution of software. It is a collection of files and directories that replace or update existing files/binaries and directories.

To be more specific: The entire OS is installed as a collection of Solaris packages. This is done during the OS installation via the pkgadd command. Patches are built in a similar fashion. Patches are partial packages which replace files in the existing packages and then update the pkg/patch databases. Some patches update only one package in the OS; others update several packages. To get an idea of which packages might be updated by a patch, look into the patch directory itself. There will be at least one sub-directory for each package which will be updated. Many 3rd party applications are also distributed and patched using the same pkgadd/patchadd mechanism.

What does patchadd do?
# /usr/sbin/patchadd /path/to
6/27/13
2. Copies files from the patch directory to their final destinations. Patches are also capable of modifying the contents of files instead of just replacing them.
3. Updates the pkginfo file with: patches now obsoleted, other required patches, incompatible patches, and its own current patch information.
4. Archives outdated files and directories to /var/sadm/pkg/save (in a compressed format).
5. Logs the patch installation to the /var/sadm/pkg/patch/{patchid} directory.

NOTE: This is not the directory that patchadd -p or showrev -p look at to determine which patches are installed. Those commands look at the /var/sadm/pkg/pkginfo file to compile a list of installed patches.

What does patchrm do?

Attempts to restore the system to the pre-patch installation state. It returns files and directories archived in the /var/sadm/pkg/save directory to their original locations and removes the versions installed by the patch.

patchadd and patchrm: The most common options.
# /usr/sbin/patchadd

-d  Don't back up the files to be patched. The patch can't be backed out after using this option. Sometimes people use this when disk space is low. Using this option is extremely discouraged, as the patch cannot ever be backed out! Sometimes this option is used by mistake (it is often confused with the pkgadd -d option; there is an RFE on this: 4890609). Also, see document 1006707.1.
-p  Print list of patches. Same as "showrev -p".
-u  Install unconditionally, even if files to be patched have been modified.
-M  Installs multiple patches. You can list multiple patches separated by a space or include a file containing a list of patches.

# /usr/sbin/patchrm
-f  Forces removal. Sometimes this is needed when a later patch revision was applied.
-B  Removes a patch whose backout data was not stored in /var/sadm/patch/{patchid}.
-R  Removes a patch from an alternate root directory structure. This comes in handy when backing out a patch on a diskless client OS image or when removing a patch while booted from a CDROM (i.e. patchrm -R /export/root/client1 104945-02 or patchrm -R /a 104945-02).

If using this while booted from CDROM, the entire OS directory structure needs to be properly mounted on the alternate root directory. If the OS is installed as a flat fs, then only the root slice needs to be mounted on /a. Otherwise mount:

   root slice on /a
   var slice on /a/var
   usr slice on /a/usr

https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?_adf.ctrl-state=13z7b6ooqz_1108

See patchadd(1M) and patchrm(1M) for more information on both commands.

For troubleshooting and root cause analysis of patchadd/patchrm issues, download the patchanalysis_gather.txt script from http://www.oracle.com/technetwork/systems/articles/patchanalysis-jsp-137407.html

Patch Clusters

Recommended Patch Cluster: A list of tested patches that the customer can download in order to be "up to date" with patch revisions at a point in time. They include security and other recommended patches for optimum system functionality. See bug 4899226 for some useful info.

What is a "T-patch"?

A "T-patch" is a "test patch". When a customer calls in a bug that is high priority and needs quick resolution, there's a separate special group that may opt to provide them with a T-patch.

Patch installation from an NFS mounted filesystem

It is common practice to install patches from an NFS mounted filesystem, especially if several systems need to be patched. Patching from an NFS mounted filesystem is similar to patching locally, since the same set of rules and commands apply. However, patches located on an NFS mounted filesystem might have been created with a different userid (uid) and groupid (gid). Therefore, the system(s) that need to be patched might not have the same set of uid and gid. In such a case, the other/world permission plays an important role (a file/directory always has user permission, group permission and other/world permission).

When patchadd runs as root on the local system, it switches to user "install". If the "install" user does not exist, then it switches to the user "nobody". If user root / nobody does not belong to the same groupid (gid) as set on the patches or the directory containing the patches, then it relies on the other/world permission. The directory containing the patches, and the individual patch files and directories, should have read (r) and execute (x) permissions set for other/world. This will ensure that patch install scripts do not fail.
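The other/world permission rule above (and troubleshooting items 4 and 8), written as a pre-flight check; this is an added example, not a script from Oracle or from the original document. The function names are hypothetical, and it assumes directories need r-x for other while regular files need at least r.

```shell
#!/bin/sh
# Added example: pre-flight checks before running patchadd against an
# NFS-mounted patch directory. Function names are hypothetical.
# Typical call:  preflight /path/to/nfs/patches /etc/passwd

# Print the account the document says patchadd drops to: "install" if it
# exists in the passwd file, otherwise "nobody". Fails if neither exists.
patch_user() {
    passwd_file=${1:-/etc/passwd}
    for u in install nobody; do
        if grep "^$u:" "$passwd_file" >/dev/null 2>&1; then
            echo "$u"
            return 0
        fi
    done
    return 1
}

# List every path under a patch directory that "other" cannot use.
# Assumption: directories need r-x (octal 005), other files need r (004).
world_blocked() {
    find "$1" \( -type d ! -perm -005 -print \) -o \
              \( ! -type d ! -perm -004 -print \)
}

# Return 0 only when the tree is usable by the unprivileged patch user,
# 1 when some path is blocked, 2 when no install/nobody account exists.
preflight() {
    user=$(patch_user "$2") || {
        echo "no install or nobody account found" >&2
        return 2
    }
    blocked=$(world_blocked "$1")
    if [ -n "$blocked" ]; then
        echo "paths not usable by $user via other/world permission:" >&2
        echo "$blocked" >&2
        return 1
    fi
    return 0
}
```

Fixing a reported path is a matter of chmod o+rx on directories and chmod o+r on files on the NFS server, rather than loosening permissions on the client.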
Document 1339267.1 provides more information on this. Sun Bug ID 6188748 discusses the details of the patchadd command for NFS.

Troubleshooting:

1. Always review the patch README file! Many patches have dependencies or require special install prerequisites. OpenBoot PROM (OBP or Flash) patches and patch clusters are installed by running a completely different script than "patchadd". So to always be safe, please read the README!
2. Enter single user mode if at all possible. "Live patching" the kernel or system libraries while the system is in multiuser mode can cause problems; single user mode avoids most of these problems. This is VERY important when installing any kernel or library patches or patch clusters (since they contain both of those patches).
3. Check for free disk space in the /var directory. Old files and directories which are replaced by a patch will be stored in the /var directory tree.
4. Ensure that an entry for the user nobody is in the /etc/passwd and /etc/shadow files and that it is properly configured. The patch scripts require the User ID nobody to function properly.
5. Copy the entire uncompressed tar patch file to the /tmp directory. Note: on Solaris 8 and above, /var/tmp is also a tmpfs but the preferred location is still /tmp. Using df -kl, determine that /tmp is actually mounted as a tmpfs. This avoids permissions problems. Uncompress and extract the patch file in the /tmp directory.

   Special Note for ftp downloading: Make sure the customer sets binary mode before download:

   # ftp> bin
   # ftp> get

   Customers can avoid a lot of problems by downloading the patch directly to the Sun system they are loading the patch onto. Transfers between systems (especially if a PC running MS Windows is involved in the process) can be troublesome. If they need to transfer, make sure they do not uncompress the patch until it is on the system the patch will be loaded onto.
6. Use the right command, i.e. installpatch, patchadd, or install_cluster. Pre-2.5.1 OS may require installpatch or backoutpatch. The README file will always give you the appropriate command to use. Be sure you are adding the patch as root, i.e. did you su - root before issuing the patch commands?
7. The installpatch command uses the Korn shell (ksh). To avoid problems, patch the ksh itself first.
8. For patch install from an NFS mounted filesystem, check to see if the other/world permission has been set to read (r) and execute (x) on the directory containing the patches, and on the individual patch files and directories.

If you follow the above 8 steps, 90% of patching problems will have been avoided. Here are some things to check for the other 10%:

1. Examine the /var/sadm/patch/log file for errors.
2. Check if the "OS" field of the file /var/sadm/softinfo/INST_RELEASE is correct for the patch being applied.
3. Does ls -alR show the same file names, sizes and permissions for the customer's copy of the patch vs. a known good copy?
4. Did the customer copy the patch with cp -rp to preserve permissions? Again, the preferred method of moving a patch is in its compressed state (as a single file). That eliminates any possible cp issues.
5. Does MOS already identify problems with this specific patch?
6. Do the pkg, arch and version of the patch match the target system? This can be determined by running a pkginfo -l command on one of the packages which will be patched by the patch.
7. How to determine when a patch was applied: The easiest way is to just run patchadd -p or showrev -p then grep for the. A more manual method would be to grep PATCH_INFO_ /var/sadm/pkg/*/pkginfo. That information has to exist in every package which was touched by the installed patch.

Deciphering patch failure error codes:

Document 1007270.1 has a complete list of patch error codes. But there might be new error codes added to patchadd. To get the freshest list, run more /usr/sbin/patchadd (this applies only from Solaris 2.5.1 to Solaris 9). As this is a script, there is a definition of all the error codes in the first few screenfuls of the printout. With Solaris 10, /usr/sbin/patchadd is now a binary file, but the ksh script is located at /usr/lib/patch/patchadd.

Most common patch error codes are:

1. #8 Attempting to patch a package that is not installed
2. #18 Not enough space on target filesystems
3. #24 An incompatible patch was installed
4. #25 A required patch is not applied
5. #28 A pkginfo file is corrupt or missing
(There could be 37 error codes total again, depending on the OS and patchadd versions)

Products

Solaris 10 Operating System
Solaris 9 Operating System
Solaris 8 Operating System
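The manual PATCH_INFO_ check from the troubleshooting list above, turned into a per-package install history; this is an added example, not part of the original document. The function names are hypothetical, the sample tree is constructed, and the PATCH_INFO_<id>=Installed: <date> From: <host> ... line layout is assumed.

```shell
#!/bin/sh
# Added example: read patch install records out of pkginfo files.
# Assumed line layout: PATCH_INFO_<id>=Installed: <date> From: <host> ...
# Typical call:  patch_history /var/sadm/pkg/*/pkginfo

# Print "patchid<TAB>package<TAB>install date" for every PATCH_INFO_ line.
patch_history() {
    awk '
        /^PATCH_INFO_/ {
            eq   = index($0, "=")
            id   = substr($0, 12, eq - 12)   # text after "PATCH_INFO_"
            when = substr($0, eq + 1)
            sub(/^Installed: */, "", when)   # keep only the date
            sub(/ From:.*/, "", when)
            pkg = FILENAME                   # .../<pkg>/pkginfo
            sub(/\/pkginfo$/, "", pkg)
            sub(/.*\//, "", pkg)
            print id "\t" pkg "\t" when
        }' "$@"
}

# Packages that record a given patch id; empty output means the patch is
# not recorded in any of the pkginfo files given.
packages_with_patch() {
    id=$1; shift
    patch_history "$@" | awk -F'\t' -v id="$id" '$1 == id { print $2 }'
}

# Constructed sample tree: package names, patch ids, host and dates are
# made up for illustration.
make_sample() {
    mkdir -p "$1/SUNWexa" "$1/SUNWexb"
    cat > "$1/SUNWexa/pkginfo" <<'EOF'
PKG=SUNWexa
PATCHLIST=123456-01 123457-02
PATCH_INFO_123456-01=Installed: Mon Mar  4 10:15:02 GMT 2013 From: buildhost Obsoletes:  Requires:  Incompatibles:
PATCH_INFO_123457-02=Installed: Tue Mar  5 09:00:41 GMT 2013 From: buildhost Obsoletes:  Requires: 123456-01 Incompatibles:
EOF
    cat > "$1/SUNWexb/pkginfo" <<'EOF'
PKG=SUNWexb
PATCHLIST=123456-01
PATCH_INFO_123456-01=Installed: Mon Mar  4 10:15:07 GMT 2013 From: buildhost Obsoletes:  Requires:  Incompatibles:
EOF
}
```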
References
NOTE:1006707.1 - How to remove a patch installed with patchadd -d command
NOTE:1007429.1 - How to install a patch and troubleshoot failed installs
NOTE:1289614.1 - Sun Patches and Updates Resource Center [VIDEO]
NOTE:1339267.1 - Patching fails with pkgadd: ERROR: checkinstall script did not complete successfully due to permissions
NOTE:1359259.1 - Master document for smpatch / updatemanager - troubleshooting information & how-to
NOTE:1007270.1 - Solaris Operating System: patchadd (installpatch) and patchrm (backoutpatch) exit error codes
NOTE:1199543.1 - Patch download automation for Sun products using wget
NOTE:1018088.1 - Patch Install Quick Troubleshooting Steps