SUMMARY: solaris patch management

From: Geoff Lane <>
Date: Tue Jul 13 2004 - 03:59:23 EDT
Thanks for the replies - sorry about the delayed summary.

I've had a look at the "commercial" alternatives suggested and they all seem
to be over engineered and, for us, no real improvement on patchchk.  

I'm a little concerned that Sun is being pressured by "marketing" into
adopting a SMC based solution suitable for non-experts and forgetting the
rest of us who are running high profile services that cannot be interupted
on demand.  I hope that Sun will ask for comments before implementing any
new patch management schemes.

I also hope Sun continues to create and publish either patchdiag.xref or
something with a similar or better level of detail.  Then we can always
implement patch management schemes that suit our sites rather than be forced
to adopt a general solution.

Reply Summaries

Andy Kannberg suggested srsnet -- It does more than patchmanagement. But It
	can generate a report which tells you which patches are installed on
	the system, divided in recommended and security. It does not tell
	you whether the patch has dependencies and if a reboot is needed,
	but within the report, you can link to the patches which are not
	installed/not uprev to see what the prerequisites are.

	SRSnetconnect can be used for free if you have a SUN contract. It
	can be downloaded from
Fredrik Robertsson reports that something new is coming from Sun -- we just
	had our quarterly support meeting with Sun, and they told us that
	they are currently working on a "new patch strategy". Mainly they
	are trying to merge several tools into one tool to rule them all or
	something like that. Since patchdiag.xref are used by the LISA tool
	to analyze explorer dumps against I would assume that it will be
	available for quite some time...
Gene Siepka suggested Traffic Light Patch Manager -- TLP will analyze your
	system, and create a patch bundle for you, along with giving you a
	patch order file. Also, probably the coolest thing about it is that
	it can generate a patch bundle based on Explorer output. So if you
	set up Explorer on your 50 or so servers, and have them sent to one
	box, (like a gateway box that has internet access to send Explorer
	output to Sun) you can load TLP on that box and create your patch
	bundles there.
	However, as with all good things, there is a catch, as we found out.
	First off, TLP is not free, its not even freely available. Its used
	in the UK already, however its unused it here in the US.  Also, the
	patches are generated from the monthly EIS cd's, which is not made
	available to customers. What are sun rep told us is that they we
	could build a patch management server, which also holds our explorer
	output. And they could install an EIS cd on this server, for a
	nominal fee. (5000 a quarter)
	We are trying to get management approval for the cost,  but this
	sounds like the best thing Sun has available for patches right now.
	Hopefully they can release TLP to everyone soon, as it seems like a
	pretty cool thing to keep servers up to date.

Javier Palacios described a home grown solution based on "yum" -- Hello,
	this is not exactly a solution for patching, but might be. Some
	months ago, I modify yum (a rpm packages tool) to work with solaris
	pkgs, and is able to install, remove and update packages from a
	remote repository.  As our patching policy is 'relaxed', I've not
	taken too seriously. It behaves as if the latest patch were the only
	one to apply, and installs the patch with a 'pkgadd' of the package
	subdirectory on the patch tarball.

	> Does anybody know if the patchdiag.xref file will continue to be updated and
	> made available?  If so, I suppose I'll just have to write my own patch
	> management scheme... again.

	Now that you have pointed me to patchk, I'll try to import the logic
	into my yum4sol (is python). Right now, it has quite limited as
	patching tool, but might be a good starting point.

Dave Foster suggested a product called "Patchlink" -- If you can go
	commercial, Patchlink is a very nice product, we use it to patch our
	Windows systems but it can also handle Linux and Solaris.

pdg describes a home grown python script -- I have written a python script
	which parses the xref file and works out what to patch on the
	current machine, then either complains it cannot find the patch or
	installs the patch if it can find it (in a specified location).  It
	may be useful to you.

	(start tirade)

	However, the xref file is crap. Not only is the format ridiculously
	dificult to parse, it never seems to accurately reflect the current
	situation with patches and I end up having to hack the xref file to
	make it agree with reality. Every month I run this, and I always end
	up (according to the xref file) with patches depending on patches
	that are withdrawn or superceded or similar. It drives me crazy.

	(end tirade).

	The whole things needs a revamp and the SUN end.

Original Question ----------------------------------------------

Since the "official" view of patchk is that it's dead[1], I've been looking
at the available alternatives.

Straight off I see that PatchPro Interactive and PatchPro Expert are useless
to us as they are purely interactive - with 50 odd machines to look after
whatever replaces patchk has generate reports automatically.

PatchPro 2.2 looks more useful but we don't add patches without first
checking them so the automatic installation features can't be used. As we
can't reboot our systems on demand, any patch that needs a reboot must be
reviewed for importance. The "smpatch analyze" command looks useful at first
glance but the report it generates doesn't distinguish between security,
recommended and general patches at all! Neither does it indicate
dependencies, reboot needs, patch ages or any of the information a sysadmin
might need to access the urgency of a particular patch.  So it turns out
that we can't make use of PatchPro.

Does anybody know if the patchdiag.xref file will continue to be updated and
made available?  If so, I suppose I'll just have to write my own patch
management scheme... again.

[1] "As of February 29, Patch Check will no longer be available for
download. Please transition to using Patch Manager by that date."
Actually, it remains available as of today.

| Geoff. Lane | Manchester Computing | Manchester | M13 9PL | England |

IBM manuals are neither written by, nor for, humans.
sunmanagers mailing list
Received on Tue Jul 13 03:59:41 2004

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:35 EST