The Solaris boxes should be patched at least twice a year.
Also, the campus computing requirements require patching. See also Campus Standards for updating Suns.
There are two ways to patch Solaris:
smpatch
smpatch
In theory, this method can happen automatically and is preferred over the "Recommended" patch method below, but in practice, smpatch tends not to work.
userName=user123
password=abc123
hostName=
subscriptionKey=
portalEnabled=false
proxyHostName=
proxyPort=
proxyUserName=
proxyPassword=
chmod 600 /sunupdate.properties
/usr/sbin/sconadm register -a -r /sunupdate.properties
/usr/local/adm/distfile will rdist the /sunupdate.properties file - just run /usr/local/adm/dordist on source.
/usr/local/adm/distfile looks like:
################################
# Clients other than bennett, the loghost
PATCHCLIENTS = (andrews bennett carson)
FILES_PATCHCLIENTS = ( /sunupdate.properties )
${FILES_PATCHCLIENTS} -> ${PATCHCLIENTS}
    install /sunupdate.properties ;
    special /sunupdate.properties "/usr/sbin/sconadm register -a -r /sunupdate.properties" ;
/etc/ipf/ipf.conf and added
# Sun Update patching requires https:
pass out quick on bge0 proto tcp from 128.32.48.234 to any port = http flags S keep state group 200
pass out quick on bge0 proto tcp from 128.32.48.234 to any port = https flags S keep state group 200
and then ran
ipf -Fa -f /etc/ipf/ipf.conf
smpatch update
The command will run and eventually you will see output like:
121430-11 has been validated. 119254-27 has been validated. 119963-07 has been validated. 118833-24 has been validated. 122525-02 has been validated. 122523-03 has been validated. Installing patches from /var/sadm/spool... 121430-11 has been applied. 119254-27 has been applied. 119963-07 has been applied. NOTICE: Patch 118833-24 cannot be installed until the next system shutdown. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. 122523-03 has been applied. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. WARNING: The installer cannot find the patch. 
/var/sadm/spool/patchpro_dnld_2006.10.17@10:15:27:PDT.txt has been moved to /var/sadm/spool/patchproSequester/patchpro_dnld_2006.10.17@10:15:27:PDT.txt
ID's of the updates that are disallowed by installation policy have been written to file /var/sadm/spool/disallowed_patch_list
One or more updates that you installed requires a system shutdown to activate it. To initiate the system shutdown, you must use one of the following commands:
o Power down the system - init 0 or shutdown -i 0
o Drop to the firmware prompt - init 5 or shutdown -i 5
o Restart the system - init 6 or shutdown -i 6
The disallowed_patch_list file contains a list of patches that have not been installed.
init 0
The patches listed in disallowed_patch_list will update.
shutdown -h now
boot -s
and then logging in and doing
smpatch set patchpro.install.types=rebootafter:reconfigafter:standard:singleuser
If smpatch update returns with no patches and /var/adm/messages contains
Oct 19 15:24:01 bennett.EECS.Berkeley.EDU pseudo: [ID 129642 kern.info] pseudo-device: devinfo0
Oct 19 15:24:01 bennett.EECS.Berkeley.EDU genunix: [ID 936769 kern.info] devinfo0 is /pseudo/devinfo@0
Oct 19 15:24:17 bennett.EECS.Berkeley.EDU root: [ID 702911 user.error] => com.sun.patchpro.model.PatchProModel@10872ce <=non-descript failure while closing database. String index out of range: -1
Oct 19 15:24:17 bennett.EECS.Berkeley.EDU root: [ID 702911 user.error] => com.sun.patchpro.model.PatchProModel@10872ce <=java.lang.StringIndexOutOfBoundsException: String index out of range: -1
Oct 19 15:24:17 bennett.EECS.Berkeley.EDU at java.lang.String.substring(String.java:1768)
Oct 19 15:24:17 bennett.EECS.Berkeley.EDU at com.sun.patchpro.patch.PatchSequencer.removeObsoleteFromRequired(PatchSequencer.java:350)
Oct 19 15:24:17 bennett.EECS.Berkeley.EDU at com.sun.patchpro.patch.PatchSequencer.evaluatePatchList(PatchSequencer.java:330)
Oct 19 15:24:17 bennett.EECS.Berkeley.EDU at com.sun.patchpro.patch.PatchSequencer.getPatchList(PatchSequencer.java:251)
Oct 19 15:24:17 bennett.EECS.Berkeley.EDU root: [ID 702911 user.error] => com.sun.patchpro.model.PatchProModel@10872ce <= at com.sun.patchpro.patch.PatchSequencer.getPatchList(PatchSequencer.java:221)
Oct 19 15:24:17 bennett.EECS.Berkeley.EDU at com.sun.patchpro.patch.GroupPatchSequencer.getPatchLists(GroupPatchSequencer.java:115)
Oct 19 15:24:17 bennett.EECS.Berkeley.EDU at com.sun.patchpro.model.PatchProModel.runSequencer(PatchProModel.java:1915)
Oct 19 15:24:17 bennett.EECS.Berkeley.EDU at com.sun.patchpro.model.PatchProStateMachine$9.run(PatchProStateMachine.java:482)
Oct 19 15:24:17 bennett.EECS.Berkeley.EDU at com.sun.patchpro.util.State.run(State.java:266)
Oct 19 15:24:17 bennett.EECS.Berkeley.EDU root: [ID 702911 user.error] => com.sun.patchpro.model.PatchProModel@10872ce <=null at java.lang.Thread.run(Thread.java:595)
Then search for com.sun.patchpro.model.PatchProModel which finds: http://forum.sun.com/jive/thread.jspa?threadID=92340
Nov 1 12:52:04 bennett.EECS.Berkeley.EDU root: [ID 702911 user.error] => com.sun.patchpro.server.ServerPatchServiceProvider@1abf87 <=com.sun.patchpro.security.NotSignedByKnownCertificateException: 121430-12/prepatch CN=Enterprise Services Patch Management, O=Sun Microsystems Inc
Nov 1 12:52:04 bennett.EECS.Berkeley.EDU at com.sun.patchpro.security.SignatureValidationUtil.validateJarFile(SignatureValidationUtil.java:256)
Nov 1 12:52:04 bennett.EECS.Berkeley.EDU at com.sun.patchpro.server.ServerPatchServiceProvider.validatePatchBundle(ServerPatchServiceProvider.java:2896)
Nov 1 12:52:04 bennett.EECS.Berkeley.EDU at com.sun.patchpro.server.ServerPatchServiceProvider.requestDownload(ServerPatchServiceProvider.java:2470)
Nov 1 12:52:04 bennett.EECS.Berkeley.EDU at com.sun.patchpro.server.ServerPatchServiceProvider.performDownloadPatches(ServerPatchServiceProvider.java:1550)
Nov 1 12:52:04 bennett.EECS.Berkeley.EDU root: [ID 702911 user.error] => com.sun.patchpro.server.ServerPatchServiceProvider@1abf87 <= at com.sun.patchpro.server.ServerPatchServiceProvider.downloadPatches(ServerPatchServiceProvider.java:1287)
Nov 1 12:52:04 bennett.EECS.Berkeley.EDU at com.sun.patchpro.server.PatchServerProxy.downloadPatches(PatchServerProxy.java:196)
Nov 1 12:52:04 bennett.EECS.Berkeley.EDU at com.sun.patchpro.server.GroupPatchDownloader.downloadPatches(GroupPatchDownloader.java:124)
Nov 1 12:52:04 bennett.EECS.Berkeley.EDU at com.sun.patchpro.model.PatchProModel.performPatchDownload(PatchProModel.java:1932)
Nov 1 12:52:04 bennett.EECS.Berkeley.EDU at com.sun.patchpro.model.PatchProStateMachine$10.run(PatchProStateMachine.java:526)
See Signed Patches: A New Signing Certificate Will be Used Beginning September 24, 2006
smpatch download -i 121118-06
cd /var/sadm/spool
mkdir tmp
cd tmp
jar -xf ../121118-06.jar
patchadd 121118-06
or, if you use patchadd to install signed patches.
wget http://www.sun.com/pki/certs/ca/VTN_Class2_PPCA.der
pkgadm addcert -t -f der VTN_Class2_PPCA.der
XX_Recommended.zip
" file.
10_Recommended.zip file from the Solaris patches page at: http://sunsolve1.sun.com or at http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access.
You may want to use the wget command to transfer the file from the Sunsolve website. wget gets files via the web without starting up a browser.
/usr/sww/patch
Note that not all machines mount /usr/sww or /usr/sww/patch so you may need to poke around and find a machine.
/usr/sww/patch
.
If you mount /usr/sww use
showmount -e project | grep patch
to find the patch partition exported on project and then add that partition to /etc/vfstab. I added:
project:/vol/vol2/sww/patch - /usr/sww/patch nfs - yes ro,bg,noquota,timeo=15,retry=20,retrans=4
gtar -cf /export/home1/root/patches/10_Recommended.tar `cat patch_order.fcs` patch_order.fcs CLUSTER_README README.first copyright install_cluster
and then untar 10_Recommended.tar:
cd /export/home1/root/patches
gtar -xf 10_Recommended.tar
mv patch_order.fcs patch_order
/export/home1/tools/downloads
10_Recommended
directory.
unzip 10_Recommended.zip
/usr/sww/patch, then look in /usr/sww/patch/sun/10/10_Recommended.
showrev -p and compare the output with the 10_Recommended/CLUSTER_README file.
The commands below will generate a three column output where
showrev -p | awk '{print $2}' | sort > /tmp/showrev.out
egrep '^1[0-9]' CL* | awk '{print $1}' | sort > /tmp/CLUSTER_README.out
comm /tmp/showrev.out /tmp/CLUSTER_README.out
egrep `comm -13 /tmp/showrev.out /tmp/CLUSTER_README.out | awk '{if (NR == 1) {printf("%s",$1)} else { printf("|%s",$1)}}'` CL*
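A revision-aware version of the comparison above, as an added example that is not part of the original page: comm only matches exact patch IDs, so a host that has a newer revision installed, or a patch that obsoletes a cluster entry, is reported as missing that patch. The sample showrev -p and CLUSTER_README contents are constructed, and the names make_sample and missing_or_stale are hypothetical.

```shell
#!/bin/sh
# Added example: revision-aware check of installed patches against a cluster README.
# On Solaris 10 run with AWK=nawk; /usr/bin/awk there lacks user-defined functions.
AWK=${AWK:-awk}

# make_sample DIR: write constructed sample inputs (not real host output).
make_sample() {
    cat > "$1/showrev.out" <<'EOF'
Patch: 118833-24 Obsoletes: 118822-30, 118828-04 Requires: 118918-24 Incompatibles: Packages: SUNWcsu
Patch: 121430-09 Obsoletes: Requires: Incompatibles: Packages: SUNWluu
Patch: 119963-08 Obsoletes: Requires: Incompatibles: Packages: SUNWlibC
EOF
    cat > "$1/CLUSTER_README" <<'EOF'
118822-30  (constructed) older kernel patch
118833-24  (constructed) kernel patch
119254-27  (constructed) patch utilities
119963-07  (constructed) shared library patch
121430-11  (constructed) live upgrade patch
EOF
}

# missing_or_stale SHOWREV_FILE CLUSTER_README
# Prints "MISSING id" or "STALE id (have -NN)" for each cluster patch not satisfied.
missing_or_stale() {
    "$AWK" '
    function note(id,   p) {          # keep the highest revision seen per base ID
        split(id, p, "-")
        if (!(p[1] in have) || p[2] + 0 > have[p[1]] + 0) have[p[1]] = p[2]
    }
    NR == FNR {                       # first file: showrev -p output
        if ($1 != "Patch:") next
        note($2)
        for (i = 4; i <= NF && $i != "Requires:"; i++) {   # obsoleted patches count too
            id = $i; sub(/,$/, "", id)
            if (id ~ /^[0-9]+-[0-9]+$/) note(id)
        }
        next
    }
    /^[0-9]+-[0-9]+/ {                # second file: lines that start with a patch ID
        split($1, c, "-")
        if (!(c[1] in have)) print "MISSING " $1
        else if (have[c[1]] + 0 < c[2] + 0) print "STALE " $1 " (have -" have[c[1]] ")"
    }' "$1" "$2"
}

# Demo on the constructed sample.
tmp=$(mktemp -d) && make_sample "$tmp" && missing_or_stale "$tmp/showrev.out" "$tmp/CLUSTER_README"
rm -rf "$tmp"
```

On a real host, feed it `showrev -p > /tmp/showrev.full` and the unpacked CLUSTER_README instead of the sample files.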
grep sendmail CL*
Then replace ???? with the sendmail patch number in the commands below
mkdir bak
mv ???? bak
mv patch_order patch_order.old
grep -v ???? patch_order.old > patch_order
../installcluster -d --s10cluster >&l patch7.out &
NOTDUMPED directory) and do
mkfile 2g /export/home1/2gbswapfile
/usr/sbin/swap -a /export/home1/2gbswapfile
/var/sadm/install_data/Solaris_10_Recommended_log
install_cluster if one of the patches disables further patching. Read the log file!
/etc/inet/inetd.conf
,
ps -auxgww
),
boot -s
kbd -s
/etc/init.d/init.wbem stop
rm /etc/rc2.d/S90wbem
su - adm works, see Problems with cron for details.