Tuesday Mar 08, 2016

Overview of Oracle Solaris Release Cadence, IPS, SRUs, IDRs, and CVE Metadata

After 12 years using my beloved SunRay - Oracle Sun's most underrated product by far - I got a new Oracle Solaris x86 workstation in January and for the first time in many years I have a root password.   Oh, the power!!!

This has enabled me to play around with IPS and practice what I preach regarding Oracle Solaris lifecycle management.  The result is this document which I'm in the process of publishing to MOS as Doc 2114039.1.  My Product Management friends are also looking to publish it on OTN.

The document provides an overview of the Oracle Solaris release cadence including Releases, Updates, Support Repository Updates (SRUs), Critical Patch Updates (CPUs), and Interim Diagnostics or Relief (IDRs). 

It also provides an overview of the Oracle Solaris Binary Application and Source Code Guarantee which protects your long term investment in Oracle Solaris.

It then looks at the Image Packaging System (IPS) used in products such as Oracle Solaris 11 and Oracle Solaris Cluster 4, provides an overview of Oracle Solaris 11 Install Groups and Incorporations, and how IPS is used to apply SRUs and IDRs. 

Finally, it shows how the IPS 'pkg' command can be used to query Critical Vulnerability and Exposures (CVEs) and Oracle BugID metadata.  This is useful for anyone involved in security compliance.

This overview is designed for hands-on IT Executives and Managers, Senior and Junior System Administrators including those responsible for security compliance, and anyone with an interest in understanding the Oracle Solaris lifecycle.

I've deliberately used the simplest form of 'pkg' commands in my examples.  You can play with options like '-H', '-o', '-s', '-t', etc. to manipulate output for beautification or easy parsing.  Remember, 'man pkg' is your friend.

I hope you find it useful.

Best Wishes,

Gerry.

Friday Sep 26, 2014

Solaris SRUs, patches, and IDRs available on MOS for bash vulnerabilities CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

SRUs, Patches, and IDRs (Interim Diagnostics & Relief) are available from My Oracle Support, support.oracle.com for all supported Solaris releases to address the recent critical bash vulnerabilities, CVE-2014-6271, CVE-2014-7169.

Newer IDR revisions are available on MOS which additionally address the less critical "mop up" vulnerabilities, CVE-2014-7186, CVE-2014-7187.  Patches and SRUs will follow for these too.

See MOS Doc ID 1930090.1 for details.

Many thanks to the folks around the globe who have been working tirelessly over the last 48 hours to code, test, and release these SRUs, patches, and IDRs - from Australia to India to the Czech Republic to Ireland and the US.

I sincerely apologise for the delay in proactively communicating these fixes to you.   That was outside of my control.

Best Wishes,

Gerry.

Friday Oct 04, 2013

Top Tip: Managing Solaris 11 IDRs

Here's a Top Tip from my colleague, IPS Guru, and all-round good guy, Pete Dennis:

Background

If the issue(s) addressed by a Solaris 11 IDR (Interim Diagnostics / Relief) are fixed in a subsequent SRU (Support Repository Update), the SRU is said to "supersede" the IDR. 

As mentioned in previous posts, in Solaris 11 the IDR is automatically superseded when the system is updated to the relevant SRU (or any later SRU).  That is, unlike in Solaris 10, there's no need to manually remove the IDR before updating*.  We provide "terminal packages" for superseded IDRs in the Support Repo, enabling IPS (Image Packaging System) to automatically handle the IDRs for you.

Several weeks before a planned maintenance update, it's a good idea to check whether all the IDRs in use are superseded by the SRU to which you are planning to update.

If any of them aren't superseded, and the relevant packages they touch are updated in the SRU, you'll need to raise an SR (Service Request) with Oracle Support to get new IDRs generated for the relevant BugIDs at that SRU level.  So please ensure you provide enough time for these to be generated.  Note, if the Bugs are already fixed in a later SRU, you'll be told to update to that SRU.

Question:

Is there a simple way for a customer to find out which of their IDRs will be superseded by updating to a given SRU?

Answer:

All superseded IDRs are tagged in the Support Repository and on the incremental ISO images available from MOS (My Oracle Support).

The following command will list the superseded IDRs in the Support Repository, so you can then examine the ones of interest. 

I'm assuming here that you're maintaining a local Repo behind your firewall which is, at a minimum, up to date with the SRU to which you are planning to update:

pkg list -g http://<url of local repo> -af 'idr*'

For example:

pkg contents -g http://<url of local repo> -m idr679

set name=pkg.fmri value=pkg://solaris/idr679@3,5.11:20130905T193900Z
set name=pkg.description value="Terminal package"
set name=pkg.renamed value=true
depend fmri=pkg:/consolidation/osnet/osnet-incorporation@0.5.11,5.11-0.175.1.11.0.4.2 type=require

You do need to be able to interpret FMRI strings correctly (see previous posts). For example, 5.11-0.175.1.11.0.4.2 is Solaris 11.1 SRU 11.4 or, to give it its official Marketing name, Solaris 11.1.11.4.0.

So that tells us that idr679 is superseded by Solaris 11.1 SRU 11.4 (Solaris 11.1.11.4.0).

We'll look to make this more transparent by adding a text field with the human readable translation of the FMRI string to the metadata.
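
The check described above can be scripted. The following Python is an added example, not from the original post or from Oracle: it reads 'pkg contents -m' output for terminal packages, decodes the osnet-incorporation branch version, and reports which IDRs a planned target SRU would not supersede. Assumptions: the branch field positions are inferred from the single idr679 example above, idr999 and the target level are constructed, and pkg.renamed=true plus a require dependency is taken as the mark of a terminal package.

```python
import shlex

# Constructed input: the idr679 manifest shown above, plus a made-up idr999.
IDR679 = """\
set name=pkg.fmri value=pkg://solaris/idr679@3,5.11:20130905T193900Z
set name=pkg.description value="Terminal package"
set name=pkg.renamed value=true
depend fmri=pkg:/consolidation/osnet/osnet-incorporation@0.5.11,5.11-0.175.1.11.0.4.2 type=require
"""
IDR999 = IDR679.replace("idr679", "idr999").replace("0.175.1.11.0.4.2", "0.175.1.13.0.6.0")


def decode_branch(branch):
    """'0.175.1.11.0.4.2' -> (1, 11, 4): Solaris 11.1 SRU 11.4 (positions assumed)."""
    parts = [int(p) for p in branch.split(".")]
    if len(parts) < 6 or parts[:2] != [0, 175]:
        raise ValueError("not a Solaris 11 branch version: %r" % branch)
    return parts[2], parts[3], parts[5]


def superseding_sru(manifest):
    """Return (idr_name, level) for a terminal package, else (idr_name, None)."""
    name, renamed, level = None, False, None
    for line in manifest.splitlines():
        tokens = shlex.split(line)  # keeps value="Terminal package" as one token
        if not tokens:
            continue
        attrs = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        if tokens[0] == "set" and attrs.get("name") == "pkg.fmri":
            name = attrs["value"].rsplit("/", 1)[-1].split("@", 1)[0]
        elif tokens[0] == "set" and attrs.get("name") == "pkg.renamed":
            renamed = attrs.get("value") == "true"
        elif (tokens[0] == "depend" and attrs.get("type") == "require"
              and "/osnet-incorporation@" in attrs.get("fmri", "")):
            level = decode_branch(attrs["fmri"].rsplit("-", 1)[-1])
    return name, (level if renamed else None)


def unsuperseded(manifests, target_branch):
    """Names of IDRs that updating to target_branch does NOT supersede."""
    target = decode_branch(target_branch)
    # An IDR is superseded by the SRU its terminal package requires, or any later one.
    return [name for name, level in map(superseding_sru, manifests)
            if level is None or level > target]


if __name__ == "__main__":
    # Planned update target (constructed): Solaris 11.1 SRU 12.5
    print(unsuperseded([IDR679, IDR999], "0.175.1.12.0.5.0"))
```

Any IDR name this returns is one for which an SR would be needed before the maintenance window, as described above.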

If you wish to restrict updates to selected SRUs which you have "qualified" in your environment, for example, a "Golden Image", Bart's blog posting may also be of interest.

Best Wishes,

Gerry.

* There's more work required to make this happen seamlessly in Solaris 11 Zones.

About

This blog is to inform customers about Solaris 11 maintenance best practice, feature enhancements, and key issues. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle. The Documents contained within this site may include statements about Oracle's product development plans. Many factors can materially affect these plans and the nature and timing of future product releases. Accordingly, this Information is provided to you solely for information only, is not a commitment to deliver any material code, or functionality, and SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISIONS. The development, release, and timing of any features or functionality described remains at the sole discretion of Oracle. THIS INFORMATION MAY NOT BE INCORPORATED INTO ANY CONTRACTUAL AGREEMENT WITH ORACLE OR ITS SUBSIDIARIES OR AFFILIATES. ORACLE SPECIFICALLY DISCLAIMS ANY LIABILITY WITH RESPECT TO THIS INFORMATION. Gerry Haskins, Director, Software Lifecycle Engineering
