Software products are becoming more complicated and interconnected,
and keeping systems current is equally complex and time consuming.
The complexity of patch management can lead some administrators
to apply patches only after a problem has been identified. However,
the recognized security and reliability benefits of keeping systems
up to date with current patches are leading many organizations to
adopt proactive patch management practices. Sun Microsystems recently
announced a new product that addresses exactly these issues and
makes the patching process significantly faster and easier.
The process of patching a system involves several steps. First,
you must take inventory of the patches and product revision levels
already installed on the system or systems. Second, you must search
through the Sun database to identify patches appropriate to your
configuration. This step is particularly time consuming when multiple
patches are involved and encompasses the task of identifying patches
that are dependent upon other patches. The third step is to determine
the correct order for installing patches and reviewing any special
instructions. On a single system, this step typically takes several
hours. The fourth step involves the actual installation of patches
and the occasional removal of one or more patches.
In an environment with multiple systems running with different
configurations, this whole process is then repeated for each system.
Each individual step can take several hours to several days and
even longer when hundreds of servers are involved and interdependencies
with third-party products are considered. In this article, I will
take an in-depth look at Sun's new Solaris™ Patch
Manager Tool and how its automated features can turn patch management
from an infrequent chore to a simple daily task.
Solaris Patch Manager
Solaris Patch Manager is available in two versions. Solaris Patch
Manager Version 1.0 ships with Solaris™ 9 Operating
Environment (OE). Solaris™ Patch Manager Base Version
1.0 is freely available via download from:
Both versions of Patch Manager provide automatic inventory of patches
currently installed on a system and enable authorized users to analyze
patch requirements, download, install, and remove patches. All analysis
is performed locally, and no information is sent back to Sun. Patch
Manager downloads the most current revision of a patch in Java™
archive (.jar) format from Sun's Web site. Patch Manager currently
recognizes patches for the Solaris OE, Enterprise Systems Products,
Network Storage Products, and Sun™ Cluster. In the future,
Patch Manager will manage patches for all Sun products. Table 1 summarizes
the functionality of Solaris Patch Manager.
Solaris Patch Manager on Solaris 9
Start Solaris™ Management Console (SMC 2.1); see Figure
Tabs in the GUI
- Log in either as root or as an authorized user.
- Under System Configuration, choose Patches.
- When the user logs into Patch Manager, it automatically displays
a list of patches installed on the system.
- Patch Properties displays the patch ID, description, date added,
backout directory, and packages affected.
- Add Patch: Determines the proper installation order and installs
the patch(es) on a single system. Note: Patches are managed from
a local user-specified patch repository.
- Add Patch to Multiple Systems: Verifies the machine configurations
and preorders the patches to be installed, then installs patches
on the specified machines. The user may enter the system names
individually or a text file with the list of machines.
- Analyze and Add Patches: Analyzes the system configuration
against Sun's available patches. It then lists recommended
patches for the system including any dependent patches and installs
appropriate patches on the system. See Figure 2.
- Download Patches: Downloads the most current version of a single
or multiple patches from the SunSolve Web site. Users may specify
either ID number or a text string. All dependencies are automatically
checked and dependent patches are downloaded over a secure connection.
- De-installs the patch or patches from a system. The Remove
operation will pre-verify patch dependencies and will not allow
the removal of a patch that other patches are dependent on.
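
The ordering and removal checks described in this list, as an added example (not code from Sun or from Patch Manager). The patch IDs and the prerequisite table are constructed, and prerequisites are assumed to match on the exact patch ID:

```python
from graphlib import TopologicalSorter  # Python 3.9+

# Constructed sample data: these patch IDs and prerequisites are invented.
REQUIRES = {
    "900001-02": ["900002-01", "900003-04"],
    "900002-01": ["900003-04"],
    "900003-04": [],
    "900004-01": ["900001-02"],
}


def install_order(wanted, requires, installed=()):
    """Return wanted patches plus missing prerequisites, prerequisites first."""
    installed = set(installed)
    graph, stack = {}, list(wanted)
    while stack:  # walk the transitive prerequisite closure
        patch = stack.pop()
        if patch in graph or patch in installed:
            continue
        if patch not in requires:
            raise KeyError(f"no metadata for patch {patch}")
        deps = [d for d in requires[patch] if d not in installed]
        graph[patch] = deps
        stack.extend(deps)
    # static_order() raises graphlib.CycleError on circular dependencies
    return list(TopologicalSorter(graph).static_order())


def removal_blockers(patch, requires, installed):
    """Return installed patches that list `patch` as a prerequisite."""
    return sorted(p for p in installed if patch in requires.get(p, []))


def safe_remove(patch, requires, installed):
    """Refuse removal while dependants are installed; return the new set."""
    blockers = removal_blockers(patch, requires, installed)
    if blockers:
        raise ValueError(f"{patch} is required by {', '.join(blockers)}")
    return set(installed) - {patch}


if __name__ == "__main__":
    print(install_order(["900004-01"], REQUIRES, installed={"900003-04"}))
    print(removal_blockers("900003-04", REQUIRES, set(REQUIRES)))
```
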
All operations available via GUI are available via the command
line for an experienced systems administrator, for example:
- Analyze: /usr/sadm/bin/smpatch analyze
- Download: /usr/sadm/bin/smpatch download
- Add Patch: /usr/sadm/bin/smpatch add
Special Notes and Tips
Keep the following disk space considerations in mind when using
the smpatch command to download and install signed patches:
- The default download directory for signed patches is /var/sadm/spool.
- The patch download process might use more disk space than anticipated,
because multiple patches can be downloaded if prerequisite patches
- Signed patches are unpacked in the /var/sadm/spool directory
before they are installed, so be sure you have enough disk space
in the /var directory for this process.
- If your /var directory is not large enough to support the downloading
and unpacking of signed patches, you can use the smpatch
command with the -d option to specify an alternate patch
Sun is eliminating the need for reboots after installation of
patches whenever possible. Patch Manager 1.0 on the Solaris 9 OE
will not install patches that contain Special Instructions. Patches
with special instructions, such as reboot required, must be installed
manually. In the second quarterly release of the Solaris 9 OE, Patch
Manager will set aside patches with special instructions into a
separate subdirectory for manual installation.
To Add Patches on Multiple Systems, all of the systems on which
you wish to install patches must be homogeneous, meaning they must:
1) run the same version of the Solaris 9 Operating Environment,
2) have the same hardware architecture, and 3) have the same patches
Patch Manager is security aware. It automatically verifies and
installs digitally signed patches. Digitally signed patches are
patches that include a digital signature from Sun. Verifying the
signature helps ensure the patch has not been tampered with. Patch
Manager also automatically downloads any dependent patches and has
the built-in intelligence to install all patches that a particular
patch depends on. An Update feature is expected to be available
soon. This feature further automates the patching process by combining
the Analyze, Download, and Add features to update the system to
the latest patches. It also offers flexibility for those who choose
to cancel out of the wizard after the analysis or download and add
patches to their systems at a later time.
Sun's first goal is to eliminate the need for patches. However,
patches are a fact of life today, so Sun has established a Patch
Management Initiative that utilizes products, processes, and services
to decrease the complexity of the patch management process. Solaris
Patch Manager is the first step toward a standard patch tool that
automates the analysis, installation, and removal of patches for
all Sun products. Patch Manager can save many days and hours of
tedious research by automating the process of determining the appropriate
patches, patch installation order, and patch dependencies while
providing customers with an easy tool for daily comparisons to the
latest Sun patch information tailored for their particular configurations.
Systems administrators will see significant time savings as the
most tedious steps in the patch process are automated. Security
is tighter than ever before with digital signatures on all patches.
Patch Manager downloads only the most current patches over a secure
connection and automatically verifies the patch has not been tampered
with since Sun signed it. This security is achieved with no additional
effort from the systems administrator and with no additional product
Patch Manager significantly simplifies the process of keeping
systems updated with the then-current revision available, which
inevitably translates to increased system reliability, availability,
and security. Patch Manager enables regular proactive patch management.
For more information about Patch Management best practices and the
tools and processes best suited for your particular environment,
please refer to the Sun Patch Management Best Practices White Paper
expected to be available from Sun in the fall of 2002. See also
Table 2 for Frequently Asked Questions.
Jody Little is Senior Product Manager in the Sun System Management
Marketing group at Sun Microsystems Inc. She focuses on Sun system
management solutions that will help the enterprise to easily manage
their IT environments thereby increasing the service levels while
reducing the total cost of ownership.
Sun, Sun Microsystems, the Sun Logo, Solaris Patch Manager Tool,
Java Archive, and Sun Cluster are trademarks or registered trademarks
of Sun Microsystems, Inc. in the United States and other countries.