By Gerry Haskins-Oracle on Jun 10, 2015
Here's an updated version of the patching best practice presentation, PatchingBestPractice.pdf.
You can still find more verbose earlier versions in prior postings.
A customer once said to me that "bad news, delivered early, is relatively good news, as it enables me to plan for contingencies".
That need to manage expectations has stuck with me over the years.
And in that spirit, we issue Docs detailing known issues with Solaris 11 SRUs (Doc ID 1900381.1) and Solaris 10 CPU patchsets (Doc ID 1943839.1).
Many issues only occur in very specific configuration scenarios which won't be seen by the vast majority of customers.
A few will be subtle issues which have proved hard to diagnose and hence may impact a number of releases.
But providing the ability to read up on known issues before upgrading to a particular Solaris 11 SRU or Solaris 10 CPU patchset enables customers to make more informed and hence better decisions.
BTW: The Solaris 11 Support Repository Update (SRU) Index (Doc ID 1672221.1) provides access to SRU READMEs summarizing the goodness that each SRU provides. (As do the bugs fixed lists in Solaris 10 patch and patchset READMEs.)
For example, from the Solaris 11.2 SRU10.5 (11.2.10.5.0) README:
Why Apply Oracle Solaris 11.2.10.5.0
Oracle Solaris 11.2.10.5.0 provides improvements and bug fixes that are applicable for all the Oracle Solaris 11 systems. Some of the noteworthy improvements in this SRU include:
- Bug fix to prevent panics when using zones configured with exclusive IP networking, and DR has been used to add and remove CPUs from the domain (Bug 19880562).
- Bug fix to improve NFS stability when under stress (Bug 20138331).
- Bug fix to address the generation of FMA events on the PCIEX bus on T5-2 (Bug 20245857).
- Bug fix to improve the performance of the zoneadm list command for systems running a large number of zones (Bug 20386861).
- Bug fix to remove misleading warning messages seen while booting the Oracle VM Server for SPARC guests (Bug 20341341).
- Bug fix to address NTP security issues, which includes the new slew always mode for leap second processing (Bug 20783962).
- OpenStack components have been updated to Juno. For more information, see OpenStack Upgrade Procedures.
- The Java 8, Java 7, and Java 6 packages have been updated. For more information, see Java 8 Update 45 Release Notes, Java 7 Update 80 Release Notes, and Java 6 Update 95 Release Notes.
SRUs, Patches, and IDRs (Interim Diagnostics & Relief) are available from My Oracle Support, support.oracle.com for all supported Solaris releases to address the recent critical bash vulnerabilities, CVE-2014-6271, CVE-2014-7169.
Newer IDR revisions are available on MOS which additionally address the less critical "mop up" vulnerabilities, CVE-2014-7186, CVE-2014-7187. Patches and SRUs will follow for these too.
See MOS Doc ID 1930090.1 for details.
Many thanks to the folks around the globe who have been working tirelessly over the last 48 hours to code, test, and release these SRUs, patches, and IDRs - from Australia to India to the Czech Republic to Ireland and the US.
I sincerely apologise for the delay in proactively communicating these fixes to you. That was outside of my control.
Cross posting from my Solaris 11 Lifecycle blog, https://blogs.oracle.com/Solaris11Life/entry/orachk_health_checks_for_the as this is applicable to Solaris 10 too:
My colleagues, Susan Miller and Erwann Chénedé, have been working with the nice people behind the ORAchk tool (formerly RACcheck) to add Solaris health checks to the tool.
ORAchk 2.2.4, containing the initial 8 Solaris health checks, is now available:
ORAchk includes EXAchks functionality and replaces the popular RACcheck tool, extending the coverage based on prioritization of top issues reported by users, to proactively scan for known problems within:
ORAchk will expand in the future with more high impact checks in existing and additional product areas. If you have particular checks or product areas you would like to see covered, please post suggestions in the ORAchk community thread accessed from the support tab on the below document.
For more details about ORAchk see Document 1268927.1
Posting updated June 6, 2013, with new Solaris 10 Kernel PatchIDs 150400-xx (SPARC) and 150401-xx (x86):
As usual, we've released a patchset of all the patches contained in Solaris 10 1/13 (Update 11):
This patchset can be applied to any existing Solaris 10 system to bring all pre-existing packages up to the same software level as Solaris 10 1/13.
It is not the same as upgrading to Solaris 10 1/13 (available here), as upgrading will additionally install any new packages delivered in the Update.
I've also updated my Solaris 10 Kernel PatchID sequence posting with the latest Solaris 10 Kernel PatchIDs, namely:
Please note that there are no more planned updates to Solaris 10, so these latest Kernel PatchIDs - 148888-xx (SPARC) / 148889-xx (x86) - will continue to be used for the foreseeable future.
Murphy's Law strikes again!
No sooner had I written that Solaris 10 Kernel PatchIDs 148888-xx (SPARC) and 148889-xx (x86) were here to stay for the foreseeable future, than the integration of the SR-IOV feature into rev-04 of these patches made it prudent to rejuvenate them.
So from July 2013, the Solaris 10 Kernel PatchIDs will change to be 150400-xx (SPARC) and 150401-xx (x86).
Dare I tempt fate again by saying these Solaris 10 PatchIDs are likely to remain the same for the foreseeable future ?
I've also updated my Useful Patch Related Downloads posting with links to the Solaris 10 1/13, Jan 2013 CPU, and latest Recommended patchsets.
The October 2012 security "Critical Patch Update" information and downloads are now available from My Oracle Support (MOS).
See http://www.oracle.com/technetwork/topics/security/alerts-086861.html and in particular Document 1475188.1 on My Oracle Support (MOS), http://support.oracle.com, which includes security CVE mappings for Oracle Sun products.
For Solaris 11, Doc 1475188.1 points to the relevant SRUs containing the fixes for each issue. SRU12.4 was released on the CPU date and contains the current cumulative security fixes for the Solaris
For Solaris 10, we take a copy of the Recommended Solaris OS patchset containing the relevant security fixes and rename it as the October CPU patchset on MOS. See link provided from Doc 1475188.1.
Doc 1475188.1 also contains references for Firmware, etc., and links to other useful security documentation, including information on Userland/FOSS vulnerabilities and fixes in https://blogs.oracle.com/sunsecurity/
On the basis that you can't have too much of a good thing, I've started a 2nd blog, the Solaris11Life blog, to enable me to blog about all aspects of the Solaris 11 Customer Maintenance Lifecycle, including policies, best practices, resource links, clarifications, and anything else which I hope you may find useful.
In my first post, I share my Solaris 11 Customer Maintenance Lifecycle presentation, which I gave at Oracle Open World and the recent Deutsche Oracle Anwendergruppe (DOAG) conference.
I'll be posting lots more there in the coming week as time allows, including secret handshake stuff on how to interpret IPS FMRI version strings.
In future, I'll post any Solaris 11 Customer Maintenance Lifecycle related material on the Solaris11Life blog, http://blogs.oracle.com/Solaris11Life , and any Solaris 10 or below material here on the Patch Corner blog, http://blogs.oracle.com/patch .
Today, we launch Solaris 11 in New York City.
Work on Solaris 11 started 7 years ago, as soon as Solaris 10 reached "code freeze".
About 6 years ago in a Solaris P-Team (Product Team) meeting, someone raised the repeatedly asked question as to when we planned to release Solaris 11.
A slightly exasperated Jeff Jackson said 11/11/11, half jokingly, half seriously. It made sense. It was in the right ballpark considering all the radical changes the architects wanted to make in Solaris 11. And what better date to launch Solaris 11 ?
175 bi-weekly builds and two release candidate respins later, and we're releasing Solaris "Nevada" build snv_175b, officially known as Solaris 11. But 2 days early. Ooops! I must admit to having been tempted to file a "Stopper" bug to cause enough of a smoke screen to delay the release by two days. But early is good. So 11/9/2011 it is.
The Solaris 11 Tech Lead, David Comay, has posted some excuses - er, I mean "reasons" - on his blog as to why we're releasing 2 days early. See http://blogs.oracle.com/solaris for further information.
Having arrived in New York Tuesday afternoon, I went to the 9/11 memorial to pay my respects.
May I just say, well done New York! Well done America!
It's a truly excellent and moving memorial. The sound of the water falling and the patterns it makes as it falls into the abyss in the center of the very footprint where the twin towers stood is poignant symbolism. It's impossible not to be moved.
And the fact that all around the memorial is still a construction site, with all the sounds of rebuilding what was destroyed, is very apt indeed.
Evil will not triumph. Good will overcome.
It puts our humble efforts in stark perspective.
I hope you enjoy Solaris 11. It's our most radical Solaris release since SunOS 2.0. Virtualization built in. Cloud built in. Architected for maintainability. Scalability beyond your imagination (and mine!).
I'll be presenting an updated version of my Solaris 11 Customer Maintenance Lifecycle presentation at the DOAG (Deutsche Oracle Anwender Gruppe) Conference in Nuremberg, Germany, next week. I hope to meet some of you there.
I'll then post the presentation here on my blog.
Let the fun begin! Enjoy!
As I sit here in 22A on an American Airlines flight from San Francisco to O'Hare at the start of my 16 hour journey home to Ireland, I'm reflecting on some of the key Solaris 11 related events at Oracle OpenWorld this week.
For the first time in a couple of years, I got to spend the weekend in Northern California, having been here last week for Solaris 11 planning meetings. I went up to the Sierras to hug some Sequoias. I'm not normally the tree-hugging type, but I make an exception for these giants. I saw Mono Lake. Cool. Devil's Postpile. Way Cool. And the Sequoia National Park - it's truly amazing walking in the shadows of these giants.
As usual, Oracle OpenWorld and JavaOne this week provided the opportunity to hear about bleeding edge technologies directly from their architects and to chat with them about the what and the why.
Markus Flierl (VP, Solaris Engineering) hosted a session on Monday with some of his key architects who have been developing Solaris 11 over the last 7+ years, including Liane Praza (IPS), Bart Smaalders (IPS), Darren Moffett (Security), Dan Price (Zones), and Mark Maybee (I/O). It was great to hear these experts express their passion, ingenuity, and innovation. They have a justifiable parental sense of pride in Solaris 11. Technologies which were bolt-ons in Solaris 10, or indeed far too disruptive to even be considered for release in a Solaris 10 Update, are tightly integrated and honed in Solaris 11. Low latency (i.e. performance), scalability, security, availability, robustness, and diagnosability are all factors that customers have come to expect of Solaris. Solaris 11 takes it to a whole new level. Warp drive.
My colleague, Pete Dennis, and I have been working closely with Bart, Liane, David Comay, and others to ensure that IPS fully meets the needs of our customers' maintenance lifecycle. They've listened to us and subtly tweaked and adapted their implementations where necessary to fully meet customers' maintenance lifecycle needs. Working with geniuses is great. Working with geniuses who are prepared to listen and adapt is truly wonderful.
But what really blew me away this week was a presentation by Nicolas Droux last night on Network Virtualization in Solaris 11. Some of you may know about earlier incarnations of this, codenamed Project "Crossbow". But the fleshing out of the capabilities in Solaris 11 is truly amazing. The ability to have virtualized NICs (VNICs), virtualized LANs (VLANs), Zones which act as virtualized switches, Zones which act as virtualized firewalls, fully segregated data "Lanes", "Flows", etc., etc., and all with diagnosability built in with new utilities such as 'dlstat' (Data link stats), 'flowstat', etc. I hadn't met Nicolas before but wow! Not only is Nicolas a key architect, he has an amazing ability to explain it with crystal clarity in a really easy to understand manner. As I said to the Product Manager, Joost Pronk, we've got to video Nicolas giving this talk once Solaris 11 ships so that the world can see it.
At the end of Nicolas's presentation, Thierry Manfe showed how he is leveraging Network Virtualization in Oracle Solaris's cloud infrastructure provided to enable ISVs to test their apps with complete data integrity and segregation. You can sign up for this, it's available now. "Solaris 11. #1 for Clouds" isn't just some Marketing hype. It's true.
I'm walking in the shadow of giants. And it's a wonderful feeling.
Roll on Solaris 11. It won't be long now and I really can't wait. It's amazing. Big time!
Thank you to the 90+ of you who attended Pete Dennis, Isaac Rozenfeld, and my presentation on Solaris 11 Customer Maintenance Lifecycles, policies, and best practices. If you missed it, there'll be another chance to catch an updated version with more technical content at DOAG (the German Oracle Users Group) conference in Nuremberg, Germany in November (see previous posting for details).
Finally, I'd like to pay my respects to a true giant of our industry, Steve Jobs. Gone way too soon. RIP Steve. You'll be missed. Big time!
Disclaimer: Any forward looking statements in this posting are subject to the vagaries of my Crystal ball, possible hallucinations, and lack of coffee. You get the drift.
I hope to see you next week at Oracle OpenWorld in San Francisco.
Pete Dennis, Isaac Rozenfeld, and I will be giving a presentation on the Solaris 11 Customer Maintenance Lifecycle, which will provide an introduction to how we expect customers to maintain Solaris 11 systems, comparing and contrasting it to the Solaris 10 experience.
I believe the compelling advantages of ZFS Root Snapshots and Image Packaging System (IPS) have the potential to dramatically improve our customers' maintenance experience.
I'm sure you, like me, will be delighted to hear that there will be no patches and no patching in Solaris 11. Neither is there a need to use technologies like Live Upgrade to provide a safety net - it's all baked into core Solaris 11 for you.
It's my intention to provide customers with much more up front guidance on how best to maintain Solaris 11, so customers don't need to figure out their maintenance strategy from scratch.
But we also remain committed to providing the flexibility to meet individual customers' needs and special circumstances.
So if you're at OpenWorld, please come along and hear Pete, Isaac, and me introduce you to the Solaris 11 maintenance lifecycle:
3:30pm, Tuesday, Oct 4th
Moscone South, Room 200
Pete Dennis and I will also be presenting at the Deutsche Oracle Anwendergruppe (DOAG) conference in Nürnberg on November 15-17, so if we don't see you at OpenWorld, we hope to see you there.
I really want to get your feedback on our current plans - what you like, what you don't like, and what we can improve. So come along and let me know.
I like stuff which is well designed (minimalist), well engineered, high quality, with well thought out usability.
My latest gadget arrived on Friday - a HTC Desire HD and I'm tickled pink with it.
It replaces my Nokia 5800 XpressMusic whose screen I cracked in the gym a couple of weeks ago. For those who know me, they'll read that last sentence with incredulity. But yes, I attend the gym once a quarter whether I need to or not.
I put the Nokia in the rectangular holder on the exercise bike and it fell straight on the floor. Thinking I'd simply missed the holder, I picked it up and put it in again, only for it to fall straight back to the floor, hitting the leg of the exercise bike and cracking the screen. Looking into the holder, I saw it's "designed" with a big hole in the bottom of it - presumably sponsored by the local phone repair company. Who designs a holder for iPods/phones with a ruddy great hole in the bottom of it ? Arrgh.
Anyway, rather than pay EURO 80 for another new screen, I was due an upgrade so it was time to get a "smarter" phone. The Nokia XpressMusic is great for playing music, but I found it useless for web browsing due to its glacial connect times (which may be at least partially due to my local provider), slow loading, and small screen. But the Nokia's web capabilities did come in handy in an emergency when I got stuck in Spain last year due to the Icelandic volcanic ash cloud.
I spent a couple of evenings googling smartphone reviews and reading everything I could find.
Since I purchased an iMac last year, and Santa Claus brought iTouches for the kids, I was leaning towards the iPhone4, perhaps partially due to Apple's slick marketing. But one of the reasons I bought the iMac (apart from my natural UNIX affiliation to MacOS, the 27" screen, cool design, and my engineers telling me how cool everything Apple is), was exasperation with Microsoft for continually changing how to change/fix settings on its various releases. Being a 25 year UNIX veteran, I'm pretty amateurish at finding my way around Windows, but having grasped the basics of XP, I found it really frustrating having to re-learn how to do the same functions on Vista and my father-in-law's Windows 7 laptop.
While I'm very happy with my iMac, the Apple iTunes lock-in and Apple marketing machine gives me a slightly uneasy sense of deja-vu with Microsoft from 10-15 years ago. Granted, Apple designs Operating Systems and hardware a hell of a lot better and I don't think any company will ever again get away with that sort of monopolization tactics.
Anyway, the consensus amongst most of the smartphone reviews was that the HTC Desire / Desire HD is superior to the iPhone4 and Samsung Galaxy S. And being Android based, it satisfies my UNIX principles too. And so far, so good. It's intuitive, fast, well designed, with good apps, and all very well integrated. Pity about the appalling battery life, but there's always a socket or USB connection nearby. I carry the charging cable with me in my coat pocket.
So my HTC Desire HD joins my favorite gadget collection alongside the superb Panasonic Lumix DMC-ZS7 camera I bought at Christmas, the SunRay which I've used as my main computer at work for the last 10 years and which is truly excellent (allowing me to bring my desktop session with me anywhere in the world), my Panasonic G10 FullHD TV, the kids' PS3, and my all time favorite, my Rado watch.
The Rado fulfills the pinnacle of design IMHO. Beautifully minimalist, utterly unscratchable (and believe me, I'm a Philistine - I do gardening and DIY with it on), and perfectly functional apart from the date field which is so small that it's very hard to read even in good light. Four years on, and it genuinely looks like I bought it yesterday. Truly a product which exceeds even my most demanding expectations.
As I've mentioned in previous postings, Image Packaging System (IPS) is a single-tier packaging architecture which in Solaris 11 replaces the old System V (five), Release 4 (SVR4) based 2-tier package and patching architecture in Solaris 10 and earlier releases.
IPS architects, Bart Smaalders and David Comay, spent a lot of time with me around the Solaris 10 Update 3 timeframe to understand the deficiencies in the SVR4-based patch architecture, and helped fix the issues around patching Zones and applying arbitrary change to a live boot environment.
Bart and David have used that deep understanding of the deficiencies of the SVR4-based patch architecture when designing IPS to ensure their design addresses these and other issues. The result is a highly flexible IPS architecture. Feature and process development is continuing as the target audience moves from developers in OpenSolaris, to ISVs and evaluators in the currently available Solaris 11 Express release, to meeting the needs of Enterprise production customers in Solaris 11.
You can learn lots more about IPS at http://www.oracle.com/technetwork/server-storage/solaris11/technologies/ips-323421.html and by trying it out in the current Solaris 11 Express release.
I, for one, will not be sorry to see the back of patches. While my team and I have done our best to improve our customers' patching experience over the last decade, it's very difficult to make a silk purse out of a sow's ear.
Much of the work to be done between now and the Solaris 11 release revolves around defining and communicating the processes and best practices which we recommend customers adopt around maintaining Solaris 11.
While we still have a lot of work to do, I look forward to adding IPS to my most favorite technology list.
This blog is to inform customers about patching best practice, feature enhancements, and key issues. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle. The Documents contained within this site may include statements about Oracle's product development plans. Many factors can materially affect these plans and the nature and timing of future product releases. Accordingly, this Information is provided to you solely for information only, is not a commitment to deliver any material code, or functionality, and SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISIONS. The development, release, and timing of any features or functionality described remains at the sole discretion of Oracle. THIS INFORMATION MAY NOT BE INCORPORATED INTO ANY CONTRACTUAL AGREEMENT WITH ORACLE OR ITS SUBSIDIARIES OR AFFILIATES. ORACLE SPECIFICALLY DISCLAIMS ANY LIABILITY WITH RESPECT TO THIS INFORMATION. ~~~~~~~~~~~~ Gerry Haskins, Director, Software Lifecycle Engineer