Patch Automation Tools
By Gerry Haskins-Oracle on Jan 22, 2008
First of all, let me say that my personnel experience of Sun's patch automation tools is limited. I work upstream from the SysNet and Services groups who produce most of Sun's patch automation tools, so I and my team mostly patch from first principles using the basic Solaris patch utilities, patchadd and patchrm.
team does have some experience of working with some of the patch
automation tools. I've supplemented this with information from SysNet
and Services folk.
Sun Connection 1.1.1 Satellite (a.k.a. UCE) and xVM Ops Center 1.0
The official Sun patching tool of choice is now xVM Ops Center, which contains an enhanced version of Sun Connection 1.1.1 Satellite Edition.
Sun acquired Aduva a couple of years ago. Aduva has a track record of providing patch and update automation tools for multiple Operating Systems.
The next-generation Aduva-based tools are coming on stream. Sun Connection 1.1.1 Satellite is based on Aduva. Note, "Satellite" has a completely different back end to the Sun Update Connection Hosted edition and Solaris Update Manager, which are based on PatchPro (see below).
I'm hearing good things about the Satellite. I understand that its initial target market is customers with 50+ systems.
Sun Connection 1.1.1 Satellite Edition
is based on Aduva Onstage and Update Connection Enterprise. A
central server (Satellite) at the customer site is used to analyze and
update all attached client systems in a fully automated manner. It
builds upon a central Knowledge Database fed by Sun. It covers the
provisioning of patches, packages, config files and scripts.
It is available to customers who pay for it.
Sun Connection 1.1.1 Satellite provides a solution for customers primarily interested in patch and package provisioning. There is a 10 minute demo introducing you to some of the key features of Sun Connection Satellite at http://frsun.downloads.edgesuite.net/sun/07D01031/SunConnectSatellite.html, or alternatively there is a more detailed 32 minute demo at http://frsun.downloads.edgesuite.net/sun/07D01032/SunConnect.html
Sun Connection Satellite is a component of the xVM Ops Center.
xVM Ops Center is a merge of Sun Connection and N1SM. Here's a BigAdmin article on Patching Solaris using Sun xVM Ops Center. The monthly patch baselines referred to are the patch sets in the monthly EIS DVD release (see below).
For further information, please see the Sun Connection hub's Product Tour page on BigAdmin.
EIS stands for Enterprise Installation Standards and originated from Sun field personnel wanting to develop best practice installation standards for systems installed on customer sites.
EIS has proved extremely popular with Sun field personnel and approved partners. It's widespread adoption was due to it successfully addressing a real need. I view it's widespread adoption among field personnel and OEMs as proof positive of its efficacy.
The EIS patch baseline goes through QA testing prior
The images installed by Sun's manufacturers on servers are also based
EIS patch baseline. Additional testing by Sun's manufacturers plus
feedback from the EIS
user community raises confidence in the EIS patch baseline content
further. Since many system installations
world-wide use the EIS
inherent problems will quickly appear and can be dealt with. In the
there being issues with the EIS patch baseline recommendations are
communicated to the
This same EIS set of patches which are considered by Sun Field
Engineers as best practice to install on a new system, can also be used
to patch existing systems to the same patch level. The EIS set of
patches is based on the Recommended Patch Cluster for the Solaris OS with additional
patches included by the Field Engineers for additional products and to
address irritating issues which do not meet the criteria for inclusion
in the Recommended Patch Cluster.
The EIS patch baseline covers Solaris and other products such as SunCluster, SunVTS, SSP, SMS, QFS, SAM-FS, and includes patches which provide firmware updates.
EIS has traditionally only been available via Sun Services personnel but is now available direct to customers via Sun Connection Satellite. This provides a good option to customers to patch to a defined and tested patch baseline. See the Sun Connection blog for further information.
pca is a popular 3rd party tool developed by Martin Paul. I've only ever heard positive feedback about pca.
pca is available from http://www.par.univie.ac.at/solaris/pca/
To try out pca, just run this on any Solaris machine:
$ wget http://www.par.univie.ac.at/solaris/pca/pca
$ chmod +x pca
pca is a good solution for customers interested in a simple, easy to use, patch automation tool.
smpatch, Update Manager, and Sun Connection Hosted Edition
smpatch is a command line tool and part of Solaris. It
allows customers to analyze and update Solaris with current patches.
For customers without a valid support contract, only security and
driver patches are available. For customers with a valid support
contract, all patches are available.
updatemanager is a GUI wrapper around smpatch and is also part of Solaris. It can be used to see what patches/updates are available and to easily select the patches, which the customer wants to install. Again, for customers without a valid support contract, only security and driver patches are available. For customers with a valid support contract, all patches are available.
Sun Connection - Hosted Edition
is the internet portal version of updatemanager. The customer can register
all their servers and
can schedule and review the installation of patches from a central portal.
This is only available to customers who pay for it.
The above tools rely
on the "PatchPro" analysis engine to recommend patches to
The vast majority of Realizations simply associate a patch to packages installed on the target system, in the same way patchadd determines whether or not to apply a patch. That is, if the package name, package version, and platform architecture in the pkginfo file(s) in the patch match at least one package name, package version, and platform architecture on the target system, the patch can be applied, else not.
Errors in writing Realization Detectors cause patch
automation tools which utilize the PatchPro analysis engine to
occasionally recommend inappropriate patches. This has impacted the reliability of PatchPro based tools.
Work is underway to write a generic realization detector to match patches to packages. This will save patch creators from writing their own realization detectors for the common case, simplifying the process and reducing error opportunity. Patch creators will still be able to write specific Realization Detectors where necessary.
See Instructions for Getting Started with Sun Connection's Update Manager and Sun Hosted solutions and Patch Manager 2.0 FAQs for further information.
TLP stands for Traffic Light Patching, and is another tool which was developed by Sun Service folk for Sun Service folk to address the need for Patch Automation.
TLP is not directly available to customers. It's used by Sun Service personnel to determine the appropriate patches to be installed on a customer's system, including things like firmware patches.
TLP has a modular design. It utilizes the concept of a "baseline" of patches chosen by the user, from the Recommended Patch Set, to the EIS patch set, to a user defined set of patches. TLP allows a number of different patch analysis engines to be used to determine which patches from the "baseline" to apply to a particular target system.
TLP is popular with customers who use it, as it's reliable and works well.
TLP was End-Of-Lifed (EOL'd) in September of 2006 and reached End-Of-Service-Life (EOSL) in December 2007. However, a number of customers have been given extensions on TLP support for transition purposes.
Sun Services Patch Recommendations
Most European countries provide a service where customers can submit Explorer logs and the local Sun office provides back a patch bundle. These services may use SRAS and TLP in the background.
Please contact your local Sun Services office for further details.
I believe the plan will be to consolidate these services into a consistent official worldwide service.