Patches

A patch is a fix, provided by a supplier as a temporary solution to a problem. It is temporary in that it fixes a problem, which will be integrated with a future release of the software, in the same way as a homeowner might plug a leaking pipe until the plumber arrives. A patch can be for both software and hardwareit might provide support for a new type of hard disk device, but it is implemented through the software. This is an important part of the installation and, although the system administrator will install the patch, the system manager will decide on the correct policy to adopt on patch installation.

Sun provides access to its patches via two media: the Sunsolve Web site on the Internet, and on regularly updated CD-ROMs. The Internet option provides security and recommended patches for all customers. For customers who have a support agreement, there is access to many other patches and a database of patch information, bug reports , a searchable symptoms and resolution database, and a comprehensive range of white papers and early warning notices. The CD-ROM distribution (currently at four CDs per month) is available to customers with a support agreement and contains the same information as mentioned, along with a periodic updated CD containing archived patches, mainly for older revisions of SunOS.

In recent years , three main patching policies have been identified within businesses. These are listed along with the advantages and disadvantages of each:

• Install all patches This strategy follows the advice of the supplier and installs each recommended patch. This policy is a sensible one because it ensures that the system is always up-to-date with the latest fixes. It can also fix problems that may not yet have been encountered and is a preventative, proactive policy. Some caution is encouraged, though, so that patches are not just blindly installed when they are clearly irrelevant. The installation information supplied with each patch must be clearly noted to see if there are any dependenciesother patches that must already be installed before installing this oneor any conflicts; these are clearly labeled in the documentation. A significant advantage of this policy is that a fault call raised with the supplier can be dealt with more quickly, avoiding unnecessary delays. The only disadvantage is the extra time needed to ensure that the system remains up-to-date.

• Install only those patches necessary This policy installs only the patches needed to resolve the current problem. This is a reactive strategy and deals with faults and failures after they have already occurred. The only advantage to adopting this policy is that less time is spent analyzing and installing the required patches. The advantage is easily outweighed by the disadvantages: A problem must occur before it is resolved, which could mean downtime and potential loss of data. A serious problem requiring a call to the supplier can be delayed while patches are installed to bring the system up to the required level. Indeed, the installation of these patches couldand often doesresolve the problem.

• Resist as much as possible Some companies refuse to apply any recommended patches on the grounds that their applications work correctly without them. I noticed this especially with a few third-party suppliers providing applications running on the Sun/Solaris platform during the run-up to Y2K. One company refused to apply the /usr/bin/date, patch stating that it wasn't used! Needless to say, the application itself was certified as Y2K-compliant, after thorough testing, but with a caveat stating that the platform it was running on was definitely not Y2K-compliant. This policy is extremely short-sighted and could cause significant downtime, as well as make fault resolution much more difficult than it should be.

The next two sections outline the application of patches for both the Solaris operating environment and for unbundled/third-party-supplied patches.

Operating System Patches

Sun Microsystems delivers operating system patches in a consistent format, similar to that of a software package in that they can be easily installed or uninstalled (the latter being known as " backed out"). Patches are provided both separately and as clusters. The recommended patches are often delivered in a cluster to aid installation. This means that all the necessary patches can be installed in one go rather than having to do them one at a time.

After deciding on a patching policy as outlined in the previous section, the system manager should ensure that the systems that he is responsible for are patched accordingly . Installation of the actual patches themselves will be carried out by the system administrator, but the system manager may have to decide on particular issues when there are possibilities of conflict. An up-to-date list of the patches already applied to the system should be readily available as part of the system documentation (see Chapter 8, "Strategic Management," for a discussion of this aspect) so that any potential discrepancies or conflicts can be easily identified. A sample of the output from the command patchadd -p for an Intel box running Solaris 7 with the recommended patch cluster installed is shown in Listing 5.2.

Listing 5.2 Sample Output Listing the Patches Already Applied to a System

 # patchadd -p  Patch: 107545-03 Obsoletes:  Requires: Incompatibles: Packages:  SUNWcsr SUNWcsu  Patch: 106542-08 Obsoletes: 106833-03 106914-04 106977-01 107440-01 107032-01  107118-05 107447-01 Requires: 107545-02 Incompatibles:  Packages:  SUNWarc  SUNWatfsr SUNWcar SUNWcsl SUNWcsr SUNWcsu SUNWdpl SUNWesu SUNWhea SUNWipc SUNWkvm  SUNWpcmci SUNWpcmcu SUNWscpu SUNWtnfc SUNWtoo SUNWvolr  Patch: 106794-03 Obsoletes:  Requires: Incompatibles: Packages:  SUNWcsu  SUNWhea  Patch: 106961-01 Obsoletes:  Requires: Incompatibles: Packages:  SUNWman  Patch: 107039-01 Obsoletes:  Requires: Incompatibles: Packages:  SUNWdoc  Patch: 108375-01 Obsoletes: 107882-10 Requires: Incompatibles: Packages:  SUNWdtbas SUNWdtdte SUNWdtinc SUNWdtmad  Patch: 107023-05 Obsoletes:  Requires: 108375-01 Incompatibles:  Packages:  SUNWdtdmn SUNWdtdst SUNWdtma  Patch: 107457-01 Obsoletes:  Requires: Incompatibles: Packages:  SUNWcsr  Patch: 107588-01 Obsoletes:  Requires: Incompatibles: Packages:  SUNWaccu  Patch: 107637-03 Obsoletes:  Requires: Incompatibles: Packages:  SUNWxi18n  SUNWxim  Patch: 107888-08 Obsoletes: 107002-01 Requires: Incompatibles: Packages:  SUN Wdtdst SUNWdtdte SUNWdtma  Patch: 108344-02 Obsoletes:  Requires: 108375-01 Incompatibles:  Packages:  SUNWdtezt  Patch: 107201-11 Obsoletes:  Requires: 108375-01 107888-08 Incompatibles:  Packages:  SUNWdtdst SUNWdtma  Patch: 106945-02 Obsoletes:  Requires: Incompatibles: Packages:  SUNWcsr  Patch: 106953-01 Obsoletes:  Requires: Incompatibles: Packages:  SUNWbnuu  Patch: 106979-09 Obsoletes:  Requires: 107457-01 Incompatibles:  Packages:  SUNWadmap SUNWadmc  Patch: 107116-03 Obsoletes:  Requires: Incompatibles: Packages:  SUNWpcu  SUNWpsu  Patch: 107260-01 Obsoletes:  Requires: Incompatibles: Packages:  SUNWvolu  Patch: 107452-02 Obsoletes:  Requires: 107118-03 Incompatibles:  Packages:  SUNWcsu  Patch: 107455-03 Obsoletes:  Requires: Incompatibles: Packages:  SUNWcsu  Patch: 107685-01 Obsoletes:  Requires: Incompatibles: Packages:  SUNWsndmu  Patch: 107793-01 Obsoletes:  Requires: Incompatibles: Packages:  SUNWcsu  Patch: 107973-01 Obsoletes:  Requires: Incompatibles: Packages:  SUNWsutl  Patch: 108302-01 Obsoletes:  Requires: Incompatibles: Packages:  SUNWcsu  Patch: 106737-03 Obsoletes:  Requires: Incompatibles: Packages:  SUNWoldst  Patch: 107339-01 Obsoletes:  Requires: Incompatibles: Packages:  SUNWkcspg  SUNWkcsrt  Patch: 107894-04 Obsoletes: 108123-01 108238-01 Requires: Incompatibles: Packages:  SUNWtltk  Patch: 106935-03 Obsoletes:  Requires: Incompatibles: Packages:  SUNWdtbas  Patch: 107181-12 Obsoletes:  Requires: Incompatibles: Packages:  SUNWdtdte  Patch: 108220-01 Obsoletes:  Requires: Incompatibles: Packages:  SUNWdtbas  Patch: 108222-01 Obsoletes:  Requires: Incompatibles: Packages:  SUNWdtdmn  Patch: 107886-06 Obsoletes:  107220-02 Requires: 106935-03 Incompatibles:  Packages:  SUNWdtdst SUNWdthev SUNWdticn SUNWdtma  Patch: 108483-01 Obsoletes:  Requires: Incompatibles: Packages:  SUNWcsu  Patch: 108663-01 Obsoletes:  Requires: Incompatibles: Packages:  SUNWadmfw  # 

This sample output clearly shows whether a patch conflicts with any other patch (in the "Incompatibles" section, which in this case are none) and also whether a patch obsoletes another patch. This information is valuable to the system manager if a specific problem requires a patch to resolve it. If a conflict is identified, a call to Sun will obtain the necessary advice on how to proceed. If the patch were to just be installed, then the system could suffer adverse affects and further complicate the problem.

Each patch supplied by Sun contains important installation information, including any dependenciesthat is, any other patches that must be installed before this oneas well as the information relating to potential conflicts. Always ensure that this information is read and checked against the list of patches currently installed on the system. It could save a lot of time.

A final noteworthy point about operating system patches is that, when using the Jumpstart utility to install Solaris on a number of systems, it is possible to prepatch the Solaris image on the install server. This means that each system installed will already contain the necessary patches and so does not have to be done individually. In the same way, servers providing operating system resources to diskless or AutoClient systems can also be patched at the server level once and then replicated to each of the clients. For example, a server supporting 25 diskless clients and 25 AutoClients can apply the patches once to a spool directory and then synchronize all the clients so that they are also using the patches. These clients do not physically store the operating system software on local disks; it is kept in a file system on the server and is accessed over the network. (See the Appendix for further information on the Jumpstart utility.)

Unbundled and Third-Party Application Patches

Patches supplied by Sun Microsystems for unbundled and application products are normally supplied in the same format as the operating system patches. They should be subjected to the same treatment as outlined in the previous section.

Patches from third-party suppliers, however, can be slightly different. They may or may not be supplied in the package-type format. Decisions on whether to install these patches need to be given particular attention because there might not be enough information provided on potential conflicts with either other patches or other applications.

A patch from a third-party software supplier should be subjected to the following procedures:

• It should be installed only if the supplier or Sun Microsystems states that it is necessary.

• Any patch should be treated with caution and thoroughly checked for viruses.

• Look for any supporting documentation provided by the supplier for an indication that it has been thoroughly tested.

• Confirm that the patch is for the correct version of the Solaris operating environment.

• Always install the patch in a test environment and carry out rigorous testing; also reproduce some of the tests that may be documented (if any). The test environment should mirror the production environment, as closely as possible, including any other third-party and unbundled software applications.

• Read all of the installation instructions that accompany the patch carefully , particularly where they may involve altering kernel parameters or installing other patches.

• If in doubt, always contact Sun for confirmation.

Failure to carry out these procedures could seriously jeopardize the integrity of the system and possibly the network. Of course, it is the system manager's responsibility to ensure that these duties are carried out and that the company is not exposed to any unnecessary risk.