Ever since I started workin at my current job (~1 year) I've struggled with patch management. Unfortunantly due to the nature of our business it is impossible for me to connect any of our Solaris 8 computers to the Internet. Because of this I've had to download patches one at a time and bring them over on CD. It's next to impossible to patch my servers since I can't figure out a way to resolve patch dependencies ahead of time. Everytime I try to install a patch it asks for other patches, so I have to go back and download those patches, burn them, then try again. And usually those patches ask for otehr patches, and on and on. There is no way for me to have a Sun computer connected to the internet even for testing. Is there a tool I can use to help solve this problem? It's a total nightmare. I tried Patch Manager but it needed an internet connection. I would think Sun would have a way to view dependencies online but I can't find anything like that on their website. Any ideas?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Offiline Patch Mangement Issues
- Thread starter rayen99
- Start date
Rayen99;
When you go to download the patch it tells you in the patch description if there are any dependencies.
The fact that you have to put the patches to CD sucks.
They don't allow you to ftp to the sun boxes from your pc? boo
I am not really aware of any tools to check dependencies sorry.
CA
When you go to download the patch it tells you in the patch description if there are any dependencies.
The fact that you have to put the patches to CD sucks.
They don't allow you to ftp to the sun boxes from your pc? boo
I am not really aware of any tools to check dependencies sorry.
CA
Hello,
Yes such a product exists: it's called TLP.
First of all, you should have SUN explorer installed on your solaris machine. Based on explorer's results and on the EIS-cd patches set, tlp can analyse which patches are needed and create a patch bundle customized for your machine.
So, you can create a tar or a cpio file with all the needed patches and sftp it to the machine to apply them.
The only negative point is that EIS-cd and tlp are not publically available, so you should first ask to you local sun support.
a+
Eric Deblon
Yes such a product exists: it's called TLP.
First of all, you should have SUN explorer installed on your solaris machine. Based on explorer's results and on the EIS-cd patches set, tlp can analyse which patches are needed and create a patch bundle customized for your machine.
So, you can create a tar or a cpio file with all the needed patches and sftp it to the machine to apply them.
The only negative point is that EIS-cd and tlp are not publically available, so you should first ask to you local sun support.
a+
Eric Deblon
KenCunningham
Technical User
Why are you downloading them one at a time? Can't you download the latest recommended patch cluster, which would also solve your dependencies issue. Or am I missing something - after all it's early Saturday morning!
OR... migrate to AIX and your problem is solved ![[bigsmile]](/data/assets/smilies/bigsmile.gif "[bigsmile] [bigsmile]")
! AIX uses APARs and PTFs to manage the dependencies of filesets for maintenance.
I have always been amazed that Sun doesn't have anything like that, but then again, Sun doesn't have a volume manager anything like AIXs LVM.
Therefore, I go through the same head beating against the wall with patches.
And Sun doesn't use anything for Solaris close to IBMs VRMF (Version, Release, Maintenance, Fix) for AIX. With AIX I can tell exactly what release and maintenace level I am at. With Solaris you run a showrev or uname -a and get the kernel patch number but you have no idea what that exactly is. Unless /etc/release is updated with an upgrade, say from 9/04 to 9/07, but if you installed any maintenance you have no idea, unlike with AIX. And a patch cluster I am not sure that has an equivalent to anything AIX has.
There is more Solaris installed than AIX, and a lot of people point to the cost as a reason, but then again, there is a reason for that extra cost. AIX is much nicer to manage and work with.
! AIX uses APARs and PTFs to manage the dependencies of filesets for maintenance.I have always been amazed that Sun doesn't have anything like that, but then again, Sun doesn't have a volume manager anything like AIXs LVM.
Therefore, I go through the same head beating against the wall with patches.
And Sun doesn't use anything for Solaris close to IBMs VRMF (Version, Release, Maintenance, Fix) for AIX. With AIX I can tell exactly what release and maintenace level I am at. With Solaris you run a showrev or uname -a and get the kernel patch number but you have no idea what that exactly is. Unless /etc/release is updated with an upgrade, say from 9/04 to 9/07, but if you installed any maintenance you have no idea, unlike with AIX. And a patch cluster I am not sure that has an equivalent to anything AIX has.
There is more Solaris installed than AIX, and a lot of people point to the cost as a reason, but then again, there is a reason for that extra cost. AIX is much nicer to manage and work with.
Annihilannic
MIS
Someone else in this forum pointed out this handy tool, I'm not sure whether it will be useful for your situation:
Patch Check Advanced
However, I agree with Ken, why not simply install the current recommended patch bundle?
Sun do provide a similar tool, but it is slow and bulky Java bloatware.
Annihilannic.
Patch Check Advanced
However, I agree with Ken, why not simply install the current recommended patch bundle?
Sun do provide a similar tool, but it is slow and bulky Java bloatware.
Annihilannic.
KenCunningham
Technical User
I can second Annihilanic's recommendation for Patch Check Advanced - it's certainly the best tool of it's type I've seen for Solaris.
- Thread starter
- #8
Thanks a lot everyone. I'll definantly check out those tools. Well part of it is that I'm just stupid and never noticed the "Required Patches" section in each patch's README. This should solve my problem. I did use the patch cluster but it didn't include patches for non-default packages. And the reason I have to install with a CD is because the solaris server I need to patch is on a classified military network and it makes it very difficult to do anything. Connecting one of those systems to the internet is a big no no.
Rayen I work on JWICS and SIPR I run into this problem also I have developed my own patch solution. I download the latest cluster burn them to cd-rom, and them untar them to a NFS mounted directory. I then have a script on each machine that checks the uname -a output to the kernel patch listed in the directory and if it is lower then that it starts patching the machines automatically for me. Also you will want to make sure you backup files before you apply the patches, then restore them if you have ran JEDI, Gold Disk, etc... I usually just stick with the recommended cluster's and do not worry. I have had DISA and NSA inspections and they have little to no "findings" but there info is usually outdated anyway...
- Status
Similar threads
- Locked
- Question
- Locked
- Question