SUMMARY: Recommended patch clusters in single user

From: Ed <>
Date: Tue Aug 10 2004 - 11:31:04 EDT
--- Ed <> wrote:

> This may be one of those amazingly daft questions that many people know the
> answer to. I've seen multiple recommendations that patches are only ever
> installed in Single User Mode.
> But I can't seem to find any explanation as to why this is necessary. 
> The best I've managed to get is 'it's safer' because then you're definitely
> the
> only person changing those files. But is that the only reason?

Thanks to all the people who responded
Brett Lymn, Nathan Dietsch, Russell Page, Alan Pae, Michael Connolly, John
Leadeham, Andrew_Rotramel, Darren Dunham, Chris Pinnock, Lecher Jane, John
Christian, Terry L Moore, Kalyan Manchikanti , Michael Horton, Nicolas Figaro.

The general consensus was that one should reboot after patching, to check for
anything unpleasant having happened with one of the patches, so if something
strange has happened, it's picked up immediately.

Several mentions of "It's safer". A particular example given being that if
you're modifying a dynamic library the program opening it may do 'unexpected'
things. These might include daemons being spawned (I always thought though,
that if files were open, then they'd be fine until the daemon restarted though)

Also that the patches _may_ modify config files, such as and
nsswitch.conf, which may cause problems on a 'live' system (although as far as
I can tell, this will _also_ cause problems if you do it in single use, and
then reboot).

A mention that Sun 'recommend' doing this because it covers their arse against
things that can be a real pain to troubleshoot, and because they've tested the
patches through a single user install. 

A report that 'some patches make the kernel "delicate"' so a crash might occur
when someone logs in. 

A mention that if a kernel patch is being applied, the system can die and go
horribly wrong. 

A mention that that if files are in use they won't be overwritten which is
really bad when patching (I would agree, but again, I thought Solaris allowed
one to overwrite files that were open, because the 'other' copy of the file
would remain linked as an inode until the ref count dropped to zero)

In summary, I'm still not entirely clear as to the need for single user mode to
install. As a convenience in order to avoid potential user complaints of failed
logins or crashed processes, and one report of cron dying. No specific examples
as to patches that would cause a machine in run level 3 to fail, and it seems
no real danger if the system is rebooted just after patching. 

It's strongly recommended to reboot after patching, because this allows one to
verify that none of the patches installed cause any horrible problems. They'd
still do so when the machine next rebooted, but without the fact that it was
patched recently still fresh in the memory. 

Ideally rebooting beforehand to kick off users can also be handy.

The reason for asking the question was a debate with a collegue about a new
server on which we're deploying a patch cluster. The machine, at the time, was
not live, and the question of why we had to take it to single user, and faff
around with a console server was raised. 

Thanks all for your responses, and I'd still be keen to hear if anyone has
further information on the subject. I'm still quite curious as to whether the
'single user to patch' doctrine is folklore and 'just in case' or if there's
some specific things that _will_ cause a system failure beyond one fixable by a reboot.

Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish. 
sunmanagers mailing list
Received on Tue Aug 10 11:31:51 2004

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:36 EST