Cover V11, I13

Solaris™ Patch Manager

Jody Little

Software products are becoming more complicated and interconnected, and keeping systems current is equally complex and time consuming. The complexity of patch management can lead some administrators to apply patches only after a problem has been identified. However, the recognized security and reliability benefits of keeping systems up to date with current patches are leading many organizations to adopt proactive patch management practices. Sun Microsystems recently announced a new product that addresses exactly these issues and makes the patching process significantly faster and easier.

Patch Management

The process of patching a system involves several steps. First, you must take inventory of the patches and product revision levels already installed on the system or systems. Second, you must search through the Sun database to identify patches appropriate to your configuration. This step is particularly time consuming when multiple patches are involved and encompasses the task of identifying patches that are dependent upon other patches. The third step is to determine the correct order for installing patches and reviewing any special instructions. On a single system, this step typically takes several hours. The fourth step involves the actual installation of patches and the occasional removal of one or more patches.

In an environment with multiple systems running with different configurations, this whole process is then repeated for each system. Each individual step can take several hours to several days and even longer when hundreds of servers are involved and interdependencies with third-party products are considered. In this article, I will take an in-depth look at Sun's new Solaris™ Patch Manager Tool and how its automated features can turn patch management from an infrequent chore to a simple daily task.

Solaris Patch Manager

Solaris Patch Manager is available in two versions. Solaris Patch Manager Version 1.0 ships with Solaris™ 9 Operating Environment (OE). Solaris™ Patch Manager Base Version 1.0 is freely available via download from:

http://www.sun.com/sunsolve/patches

Both versions of Patch Manager provide automatic inventory of patches currently installed on a system and enable authorized users to analyze patch requirements, download, install, and remove patches. All analysis is performed locally, and no information is sent back to Sun. Patch Manager downloads the most current revision of a patch in Java™ archive (.jar) format from Sun's Web site. Patch Manager currently recognizes patches for the Solaris OE, Enterprise Systems Products, Network Storage Products, and Sun™ Cluster. In the future, Patch Manager will manage patches for all Sun products. Table 1 summarizes the functionality of Solaris Patch Manager.

Solaris Patch Manager on Solaris 9

Start Solaris™ Management Console (SMC 2.1); see Figure 1.

  • Log in either as root or as an authorized user.
  • Under System Configuration, choose Patches.

Tabs in the GUI

View

  • When the user logs into Patch Manager, it automatically displays a list of patches installed on the system.
  • Patch Properties displays the patch ID, description, date added, backout directory, and packages affected.

Action

  • Add Patch: Determines the proper installation order and installs the patch(es) on a single system. Note: Patches are managed from a local user-specified patch repository.
  • Add Patch to Multiple Systems: Verifies the machine configurations and preorders the patches to be installed, then installs patches on the specified machines. The user may enter the system names individually or supply a text file with the list of machines.
  • Analyze and Add Patches: Analyzes the system configuration against Sun's available patches. It then lists recommended patches for the system including any dependent patches and installs appropriate patches on the system. See Figure 2.
  • Download Patches: Downloads the most current version of one or more patches from the SunSolve Web site. Users may specify either an ID number or a text string. All dependencies are automatically checked and dependent patches are downloaded over a secure connection.

Remove

  • De-installs the patch or patches from a system. The Remove operation will pre-verify patch dependencies and will not allow the removal of a patch that other patches are dependent on.

Command-Line Interfaces

All operations available via GUI are available via the command line for an experienced systems administrator, for example:

  • Analyze: /usr/sadm/bin/smpatch analyze
  • Download: /usr/sadm/bin/smpatch download
  • Add Patch: /usr/sadm/bin/smpatch add

Keep the following disk space considerations in mind when using the smpatch command to download and install signed patches:

  • The default download directory for signed patches is /var/sadm/spool.
  • The patch download process might use more disk space than anticipated, because multiple patches can be downloaded if prerequisite patches are required.
  • Signed patches are unpacked in the /var/sadm/spool directory before they are installed, so be sure you have enough disk space in the /var directory for this process.
  • If your /var directory is not large enough to support the downloading and unpacking of signed patches, you can use the smpatch command with the -d option to specify an alternate patch download directory.
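
The disk space considerations above can be checked before a download starts. The following is an added example, not code from Sun or from the original article: the function names, the space estimate, and the alternate directories are assumptions, and only the default spool path and the -d option come from the text.

```shell
#!/bin/sh
# Pre-flight check for the signed-patch spool directory (added example).
# Assumed inputs: the caller's own estimate of the space needed, in KB
# (download plus unpacked copies, prerequisite patches included), and a
# list of alternate directories chosen by the administrator.

# free_kb DIR: print free KB on the filesystem holding DIR.
# Relies on POSIX "df -Pk" output, where column 4 is the available space;
# on Solaris the POSIX df is assumed to be /usr/xpg4/bin/df.
free_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }'
}

# pick_spool_dir REQUIRED_KB DIR...: print the first existing, writable
# directory with at least REQUIRED_KB free; return 1 if none qualifies.
pick_spool_dir() {
    need=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] && [ -w "$dir" ] || continue
        avail=$(free_kb "$dir")
        [ -n "$avail" ] || continue
        if [ "$avail" -ge "$need" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# smpatch_dir_args REQUIRED_KB DEFAULT_DIR ALT_DIR...: print the argument
# to append to the smpatch command line: nothing when the default spool
# (/var/sadm/spool in the article) has room, "-d DIR" when an alternate
# directory must be used. Returns 1 when no candidate has enough space.
smpatch_dir_args() {
    need=$1; default=$2; shift 2
    chosen=$(pick_spool_dir "$need" "$default" "$@") || return 1
    if [ "$chosen" = "$default" ]; then
        printf '\n'
    else
        printf '%s %s\n' -d "$chosen"
    fi
}
```

For example, `smpatch_dir_args 500000 /var/sadm/spool /export/patches` prints nothing when /var has 500 MB free and `-d /export/patches` when only the alternate does; a non-zero return means the download should not be started.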

Special Notes and Tips

Sun is eliminating the need for reboots after installation of patches whenever possible. Patch Manager 1.0 on the Solaris 9 OE will not install patches that contain Special Instructions. Patches with special instructions, such as reboot required, must be installed manually. In the second quarterly release of the Solaris 9 OE, Patch Manager will set aside patches with special instructions into a separate subdirectory for manual installation.

To Add Patches on Multiple Systems, all of the systems on which you wish to install patches must be homogeneous, meaning they must: 1) run the same version of the Solaris 9 Operating Environment, 2) have the same hardware architecture, and 3) have the same patches installed.

Patch Manager is security aware. It automatically verifies and installs digitally signed patches. Digitally signed patches are patches that include a digital signature from Sun. Verifying the signature helps ensure the patch has not been tampered with. Patch Manager also automatically downloads any dependent patches and has the built-in intelligence to install all patches that a particular patch depends on. An Update feature is expected to be available soon. This feature further automates the patching process by combining the Analyze, Download, and Add features to update the system to the latest patches. It also offers flexibility for those who choose to cancel out of the wizard after the analysis or download and add patches to their systems at a later time.

Summary

Sun's first goal is to eliminate the need for patches. However, patches are a fact of life today, so Sun has established a Patch Management Initiative that utilizes products, processes, and services to decrease the complexity of the patch management process. Solaris Patch Manager is the first step toward a standard patch tool that automates the analysis, installation, and removal of patches for all Sun products. Patch Manager can save many days and hours of tedious research by automating the process of determining the appropriate patches, patch installation order, and patch dependencies while providing customers with an easy tool for daily comparisons to the latest Sun patch information tailored for their particular configurations.

Systems administrators will see significant time savings as the most tedious steps in the patch process are automated. Security is tighter than ever before with digital signatures on all patches. Patch Manager downloads only the most current patches over a secure connection and automatically verifies the patch has not been tampered with since Sun signed it. This security is achieved with no additional effort from the systems administrator and with no additional product fees.

Patch Manager significantly simplifies the process of keeping systems updated with the then-current revision available, which inevitably translates to increased system reliability, availability, and security. Patch Manager enables regular proactive patch management. For more information about Patch Management best practices and the tools and processes best suited for your particular environment, please refer to the Sun Patch Management Best Practices White Paper expected to be available from Sun in the fall of 2002. See also Table 2 for Frequently Asked Questions.

Jody Little is Senior Product Manager in the Sun System Management Marketing group at Sun Microsystems Inc. She focuses on Sun system management solutions that will help the enterprise to easily manage their IT environments thereby increasing the service levels while reducing the total cost of ownership.

Sun, Sun Microsystems, the Sun Logo, Solaris Patch Manager Tool, Java Archive, and Sun Cluster are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.