The Solaris boxes should be patched at least twice a year

  • Once in early June, before everyone goes on vacation
  • Once in mid December, before all the script kiddies are out of skool.
  • Also, the campus computing requirements require patching. See also Campus Standards for updating Suns

    There are two ways to patch Solaris

    1. Use smpatch
    2. Use the older method, the Recommended patches (as of January 2012, use the Recommended method)

    Using smpatch

    Patching Solaris 10 has changed.

    In theory, this method can happen automatically and is preferred over the "Recommended" patch method below, but in practice, smpatch tends not to work.

    1. Download and install Sun Update Connection. I chose Sun Update Connection installer.
    2. Register using the command line interface
      1. Create /sunupdate.properties:
        userName=user123
        password=abc123
        hostName=
        subscriptionKey=
        portalEnabled=false
        proxyHostName=
        proxyPort=
        proxyUserName=
        proxyPassword=
        
      2. chmod 600 /sunupdate.properties
      3. /usr/sbin/sconadm register -a -r /sunupdate.properties
      Note that on source.eecs, /usr/local/adm/distfile will rdist the /sunupdate.properties file - just run /usr/local/adm/dordist on source.
      /usr/local/adm/distfile looks like:
      ################################
      # Clients other than bennett, the loghost
      PATCHCLIENTS = (andrews bennett carson)
      
      FILES_PATCHCLIENTS = (
              /sunupdate.properties
              )
      
      ${FILES_PATCHCLIENTS} -> ${PATCHCLIENTS}
              install /sunupdate.properties ;
              special /sunupdate.properties "/usr/sbin/sconadm register -a -r /sunupdate.properties" ;
      
      

      If you have connection problems, open up outgoing https traffic. I edited /etc/ipf/ipf.conf and added
      # Sun Update patching requires https:
      pass out quick on bge0 proto tcp from 128.32.48.234 to any port = http flags S keep state group 200
      pass out quick on bge0 proto tcp from 128.32.48.234 to any port = https flags S keep state group 200
      
      and then ran ipf -Fa /etc/ipf/ipf.conf
    3. Run smpatch update. The command will run and eventually you will see output like:
      121430-11 has been validated.
      119254-27 has been validated.
      119963-07 has been validated.
      118833-24 has been validated.
      122525-02 has been validated.
      122523-03 has been validated.
      Installing patches from /var/sadm/spool...
      121430-11 has been applied.
      119254-27 has been applied.
      119963-07 has been applied.
      NOTICE: Patch 118833-24 cannot be installed until the next system shutdown.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      122523-03 has been applied.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      WARNING: The installer cannot find the patch.
      /var/sadm/spool/patchpro_dnld_2006.10.17@10:15:27:PDT.txt has been moved to /var/sadm/spool/patchproSequester/patchpro_dnld_2006.10.17@10:15:27:PDT.txt
       
      ID's of the updates that are disallowed by installation policy have been 
      written to file
      	/var/sadm/spool/disallowed_patch_list
       
      One or more updates that you installed requires a system shutdown to activate it. To initiate the system shutdown, you must use one of the following commands:
      o Power down the system - init 0 or shutdown -i 0
      o Drop to the firmware prompt - init 5 or shutdown -i 5
      o Restart the system - init 6 or shutdown -i 6
      
      The disallowed_patch_list file contains a list of patches that have not been installed.
    4. Go to the console, log in and run
      init 0
      
      The patches listed in disallowed_patch_list will update.
    5. Note: it may be necessary to install the single user patches by doing
      shutdown -h now
      boot -s
      
      and then logging in and doing
      smpatch set patchpro.install.types=rebootafter:reconfigafter:standard:singleuser
      
      If smpatch update returns with no patches and /var/adm/messages contains
      Oct 19 15:24:01 bennett.EECS.Berkeley.EDU pseudo: [ID 129642 kern.info] pseudo-device: devinfo0
      Oct 19 15:24:01 bennett.EECS.Berkeley.EDU genunix: [ID 936769 kern.info] devinfo0 is /pseudo/devinfo@0
      Oct 19 15:24:17 bennett.EECS.Berkeley.EDU root: [ID 702911 user.error]  => com.sun.patchpro.model.PatchProModel@10872ce <=non-descript failure while closing database. String index out of range: -1
      Oct 19 15:24:17 bennett.EECS.Berkeley.EDU root: [ID 702911 user.error]  => com.sun.patchpro.model.PatchProModel@10872ce <=java.lang.StringIndexOutOfBoundsException: String index out of range: -1
      Oct 19 15:24:17 bennett.EECS.Berkeley.EDU       at java.lang.String.substring(String.java:1768)
      Oct 19 15:24:17 bennett.EECS.Berkeley.EDU       at com.sun.patchpro.patch.PatchSequencer.removeObsoleteFromRequired(PatchSequencer.java:350)
      Oct 19 15:24:17 bennett.EECS.Berkeley.EDU       at com.sun.patchpro.patch.PatchSequencer.evaluatePatchList(PatchSequencer.java:330)
      Oct 19 15:24:17 bennett.EECS.Berkeley.EDU       at com.sun.patchpro.patch.PatchSequencer.getPatchList(PatchSequencer.java:251)
      Oct 19 15:24:17 bennett.EECS.Berkeley.EDU root: [ID 702911 user.error]  => com.sun.patchpro.model.PatchProModel@10872ce <=      at com.sun.patchpro.patch.PatchSequencer.getPatchList(PatchSequencer.java:221)
      Oct 19 15:24:17 bennett.EECS.Berkeley.EDU       at com.sun.patchpro.patch.GroupPatchSequencer.getPatchLists(GroupPatchSequencer.java:115)
      Oct 19 15:24:17 bennett.EECS.Berkeley.EDU       at com.sun.patchpro.model.PatchProModel.runSequencer(PatchProModel.java:1915)
      Oct 19 15:24:17 bennett.EECS.Berkeley.EDU       at com.sun.patchpro.model.PatchProStateMachine$9.run(PatchProStateMachine.java:482)
      Oct 19 15:24:17 bennett.EECS.Berkeley.EDU       at com.sun.patchpro.util.State.run(State.java:266)
      Oct 19 15:24:17 bennett.EECS.Berkeley.EDU root: [ID 702911 user.error]  => com.sun.patchpro.model.PatchProModel@10872ce <=null  at java.lang.Thread.run(Thread.java:595)
      
      Then search for com.sun.patchpro.model.PatchProModel which finds: http://forum.sun.com/jive/thread.jspa?threadID=92340
      Nov  1 12:52:04 bennett.EECS.Berkeley.EDU root: [ID 702911 user.error]  => com.sun.patchpro.server.ServerPatchServiceProvider@1abf87 <=com.sun.patchpro.security.NotSignedByKnownCertificateException: 121430-12/prepatch CN=Enterprise Services Patch Management, O=Sun Microsystems Inc
      Nov  1 12:52:04 bennett.EECS.Berkeley.EDU       at com.sun.patchpro.security.SignatureValidationUtil.validateJarFile(SignatureValidationUtil.java:256)
      Nov  1 12:52:04 bennett.EECS.Berkeley.EDU       at com.sun.patchpro.server.ServerPatchServiceProvider.validatePatchBundle(ServerPatchServiceProvider.java:2896)
      Nov  1 12:52:04 bennett.EECS.Berkeley.EDU       at com.sun.patchpro.server.ServerPatchServiceProvider.requestDownload(ServerPatchServiceProvider.java:2470)
      Nov  1 12:52:04 bennett.EECS.Berkeley.EDU       at com.sun.patchpro.server.ServerPatchServiceProvider.performDownloadPatches(ServerPatchServiceProvider.java:1550)
      Nov  1 12:52:04 bennett.EECS.Berkeley.EDU root: [ID 702911 user.error]  => com.sun.patchpro.server.ServerPatchServiceProvider@1abf87 <= at com.sun.patchpro.server.ServerPatchServiceProvider.downloadPatches(ServerPatchServiceProvider.java:1287)
      Nov  1 12:52:04 bennett.EECS.Berkeley.EDU       at com.sun.patchpro.server.PatchServerProxy.downloadPatches(PatchServerProxy.java:196)
      Nov  1 12:52:04 bennett.EECS.Berkeley.EDU       at com.sun.patchpro.server.GroupPatchDownloader.downloadPatches(GroupPatchDownloader.java:124)
      Nov  1 12:52:04 bennett.EECS.Berkeley.EDU       at com.sun.patchpro.model.PatchProModel.performPatchDownload(PatchProModel.java:1932)
      Nov  1 12:52:04 bennett.EECS.Berkeley.EDU       at com.sun.patchpro.model.PatchProStateMachine$10.run(PatchProStateMachine.java:526)
      
      
      See Signed Patches: A New Signing Certificate Will be Used Beginning September 24, 2006
      smpatch download -i 121118-06
      cd /var/sadm/spool
      mkdir tmp
      cd tmp
      jar -xf ../121118-06.jar
      patchadd 121118-06
      
      or, if you use patchadd to install signed patches:
      wget http://www.sun.com/pki/certs/ca/VTN_Class2_PPCA.der
      pkgadm addcert -t -f der VTN_Class2_PPCA.der
      

    Using the "Recommended" patches

    Sun used to distribute patches in a zip file named "XX_Recommended.zip".
    1. Download the 10_Recommended.zip file from the Solaris patches page at: http://sunsolve1.sun.com or at http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access. You may want to use the wget command to transfer the file from the Sunsolve website. wget gets files via the web without starting up a browser.
      OR look for patches on /usr/sww/patch. Note that not all machines mount /usr/sww or /usr/sww/patch, so you may need to poke around and find a machine.
      As of 3/07, carson mounts /usr/sww/patch. If you mount /usr/sww, use
      showmount -e project | grep patch
      
      to find the patch partition exported on project and then add that partition to /etc/vfstab. I added:
      project:/vol/vol2/sww/patch     - /usr/sww/patch              nfs     -      yes ro,bg,noquota,timeo=15,retry=20,retrans=4
      
    2. In 11/07, the patch directory on sww had many more patches than we needed. To get just what we need, do:
       gtar -cf /export/home1/root/patches/10_Recommended.tar `cat patch_order.fcs` patch_order.fcs CLUSTER_README README.first copyright install_cluster 
      
      and then untar 10_Recommended.tar:
      cd /export/home1/root/patches
      gtar -xf 10_Recommended.tar
      mv patch_order.fcs patch_order
      
    3. If you download the Recommended zip file yourself, then as root, transfer the file to /export/home1/tools/downloads
      1. Remove the old 10_Recommended directory.
      2. Unzip the file:
        unzip 10_Recommended.zip
          
    4. If you use the version from /usr/sww/patch, then look in /usr/sww/patch/sun/10/10_Recommended.
    5. Run showrev -p and compare the output with the 10_Recommended/CLUSTER_README file.

      The commands below will generate a three column output where

      1. the first column is patches that are installed, but not in the current cluster of patches
      2. the second column is patches that are not installed, but are in the current cluster of patches
      3. the third column is patches that are both installed and in the current cluster.
      showrev -p  | awk '{print $2}' | sort > /tmp/showrev.out
      
      egrep '^1[0-9]' CL* | awk '{print $1}' | sort > /tmp/CLUSTER_README.out
      comm /tmp/showrev.out /tmp/CLUSTER_README.out
      
    6. To see which patches will be applied, run
       egrep `comm -13 /tmp/showrev.out /tmp/CLUSTER_README.out | awk '{if (NR == 1) {printf("%s",$1)} else { printf("|%s",$1)}}'` CL*
      
    7. Usually, you should move the sendmail patch out of the way because we use a different version.
      If you are using the patches on sww, this may have already happened.
      The sendmail patch number changes, you can find it with
      grep sendmail CL*
      
      Then replace ???? with the sendmail patch number in the commands below
      mkdir bak
      mv ???? bak
      mv patch_order patch_order.old
      grep -v ???? patch_order.old > patch_order
      
    8. If everything looks ok, run ../install_cluster -d --s10cluster >&! patch7.out &
      I use -d because I've never had to back out a patch.
      If you run install_cluster in the background, be sure to tail -f the output. Note that install_cluster seems to hang on tty input when run in the background; you may need to bring the process into the foreground.
    9. Problem with swap space.
      If the patch process runs out of swap, find a partition that is not dumped (the top level directory does not have a NOTDUMPED directory) and do
      mkfile 2g /export/home1/2gbswapfile
      /usr/sbin/swap -a /export/home1/2gbswapfile
      
    10. Look for errors in /var/sadm/install_data/Solaris_10_Recommended_log
      Note: You may need to re-run install_cluster if one of the patches disables further patching. Read the log file!
    11. Reboot
    12. After patching, check that all the patches were applied,
      check for additions to /etc/inet/inetd.conf,
      new processes (use ps -auxgww),
      or new open ports (use nmap)
    13. Problem: During reboot, the message "Configure keyboard layout" appeared and prevented the reboot.
      Solution:
      1. Hit the BREAK key, boot single user with boot -s
      2. Log in as root.
      3. To choose a language, enter kbd -s
    14. One patch installs and turns on wbem, which is the Web Enterprise Management software. We don't need this. To kill the cimomboot process and prevent it from starting, do
      /etc/init.d/init.wbem stop
      rm /etc/rc2.d/S90wbem
      
    15. Make sure that as root, su - adm works, see Problems with cron for details.
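An added example (not from the original page) that automates the comparison in steps 5 and 6 of the Recommended procedure and goes one step further: where the plain comm output would list 119254-27 as "installed but not in the cluster" and 119254-30 as "in the cluster but not installed", this pairs revisions of the same patch ID and reports an upgrade instead. The showrev -p and CLUSTER_README contents are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Compare installed patches (showrev -p) with a cluster's CLUSTER_README,
# pairing revisions of the same patch ID so a newer revision in the
# cluster shows up as "upgrade" rather than as two unrelated patches.
LC_ALL=C; export LC_ALL
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT

# Turn "ID-REV" lines into "ID REV" sorted by ID, as join(1) requires.
split_rev() { awk -F- '{print $1, $2}' | sort -k1,1; }

# $1: file holding `showrev -p` output, $2: the cluster's CLUSTER_README.
# Prints one line per patch: STATUS ID-REV[ -> -NEWREV]
patch_status() {
  awk '$1 == "Patch:" {print $2}' "$1" | split_rev > "$TMP/inst"
  grep '^1[0-9]' "$2" | awk '{print $1}' | split_rev > "$TMP/clus"
  # -a1 -a2 keeps unpaired lines from both sides; -e - fills the gap.
  # An installed revision equal to or newer than the cluster's is "current".
  join -a1 -a2 -e - -o 0,1.2,2.2 "$TMP/inst" "$TMP/clus" | awk '
    $3 == "-"    { print "extra",   $1 "-" $2; next }
    $2 == "-"    { print "missing", $1 "-" $3; next }
    $2+0 < $3+0  { print "upgrade", $1 "-" $2 " -> -" $3; next }
                 { print "current", $1 "-" $2 }'
}

# Constructed sample data (package names and descriptions are placeholders).
demo() {
  cat > "$TMP/showrev.out" <<'EOF'
Patch: 119254-27 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpkgA
Patch: 121430-11 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpkgB
Patch: 118833-24 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpkgC
EOF
  cat > "$TMP/CLUSTER_README" <<'EOF'
Solaris 10 Recommended Patch Cluster (constructed sample)
119254-30 SunOS 5.10: example description
121430-11 SunOS 5.10: example description
122525-02 SunOS 5.10: example description
EOF
  patch_status "$TMP/showrev.out" "$TMP/CLUSTER_README"
}

demo
```

On a real host, replace the heredocs with `showrev -p > showrev.out` and the cluster's CLUSTER_README; the "missing" and "upgrade" lines are the ones step 6 greps out of CL*.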