Monday Feb 01, 2010

'wget', 'pca', and TLP users need to accept updated software license

As the software license agreement terms were updated last week upon Sun becoming a wholly owned subsidiary of Oracle, customers who use 'wget' to automate patch downloads from SunSolve will need to log in once to SunSolve and accept the updated software license agreement before they can continue to use 'wget'. Please note that some popular patch automation tools such as Traffic Light Patching (TLP) and the 3rd party 'pca' tool use 'wget' and hence this notice is applicable to them too.

http://sunsolve.sun.com currently has the following message at the top of the SunSolve home page:

Alert: wget customers ~ Please log into SunSolve to re-accept the new Software License Agreement prior to running any wget scripts. You can also look under "Update Account" and refer to:
Step 5: Register for patch download automation
Check the box to confirm that you read the license and save the changes. Downloads will work as normal at this point.

Thursday Aug 13, 2009

New SunSolve release, wget, and patch access entitlement update

SunSolve 7.3.0 Release, Akamai, and Vintage Solaris 8 patch access entitlement

The SunSolve 7.3.0 release was deployed to production August 11th. 

It includes major changes to back-end processes designed to provide a more robust, reliable, and consistent customer experience.  All patch downloads are now serviced by Akamai, which is the same process used by Sun's patch automation tools smpatch, Update Manager, UCE, and xVM Ops Center.

Firewall rules may need to be changed to permit the access to the following systems:

  • sunsolve.sun.com
  • getupdates2.sun.com
  • a248.e.akamai.net

The move to using Akamai to service download requests should resolve the transient "500" error issues in Squid which were impacting the reliability of patch downloads in the old SunSolve download infrastructure.

This release also removes Member Support Center (MSC) from the critical path for Solaris 8 Vintage Patch access entitlement.   Prior to this release, Vintage Solaris 8 customers needed to register in MSC in order to access Vintage Solaris 8 patches (created after April 1, 2009).  This was difficult for some customers who needed to undergo a contract clean-up process prior to full registration in MSC.  Now, such customers can simply associate their Vintage Solaris 8 Patch Plan contract number with their Sun Online Account (SOA) using the "Change Contract" link at the top right hand corner of SunSolve pages once they have logged on.  This is now sufficient to grant patch download entitlement to patches covered by any support contract, including Solaris 8 Vintage patches.

Note, customers who are registered in Member Support Center (MSC) will not see the "Change Contract" link as their contract associations are automatically handled by MSC.

For non-MSC users, to ensure access to all patches to which you are entitled, please ensure you associate your Support Contracts with your Sun Online Account.

Recognition of Support Contract Changes

Support contracts naturally get renewed, upgraded, extended, or expire.  

When a support contract changes - for example a new line item is added to provide support for additional products - then, for non-MSC registered users, to get this additional entitlement "recognized" quickly to enable manual download of access-entitled patches covered by this additional line item, either remove and re-add the Contract number to your Sun Online Account (SOA) using the "Change Contract" link on SunSolve while logged on or else simply log out and log back in again.  Both methods will grant the additional access entitlement as long as the back-end IBIS Contract database has been updated with the modified contract information.

For Member Support Center (MSC) registered users, the contract association will be handled automatically by MSC. (BTW: A bug in the refresh of IBIS Materialized Views has now been fixed, so delays in automated updates of contract associations by MSC should no longer occur, once the contract amendments have been input to the backend database.)

Patch access entitlement information

We will be improving the ability for customers to clearly determine what they are / are not entitled to access in the next release of SunSolve and the new PatchFinder tool (due in October).

In the meantime, when logged into SunSolve, go to the "Change Contract" link at the top right hand corner of SunSolve pages.

This will display the "Entitlement Classes" provided by the support contracts which you have currently associated with your Sun Online Account (SOA).  Displaying the internal "Entitlement Class" names is not ideal and will be improved in the next release, but here's how to interpret them:

  • "Public": You are entitled to access Public patches - i.e. patches which don't require a support contract to access them.
  • "Solaris8VintageSoftwareUpdates": You have a Solaris 8 Vintage Patch Service plan and are entitled to access Solaris 8 Vintage patches produced after April 1, 2009.  (See previous blog posting on the Solaris 8 Vintage Patch Service plan.)
  • "Solaris8SoftwareUpdates": You are entitled to access non-Vintage Solaris 8 patches.
  • "Solaris9SoftwareUpdates": You are entitled to access Solaris 9 patches.
  • "Solaris10SoftwareUpdates": You are entitled to access Solaris 10 patches.

There are a couple of additional entitlement classes, some of which are historical artifacts which overlap with the above.  These will be cleaned up in due course.

Did you know:

  • You need a support contract to access most patches
  • You must have a Solaris 8 Vintage Patch support plan in order to access Vintage Solaris 8 patches created after April 1, 2009
  • A SunSpectrum support plan or a Solaris 8 Software Subscription entitles you to access non-Vintage Solaris 8, 9, and 10 patches
  • A Solaris 9 Software Subscription entitles you to access Solaris 9 and 10 patches
  • A Solaris 10 Software Subscription entitles you to access Solaris 10 patches

Another "did you know":

Many documents on SunSolve have a "Document Audience:" of "PUBLIC".  However, in the case of patch README files, this does not necessarily mean that the patches they refer to have "public" access entitlement - i.e. that anyone can download the patch without a support contract.  The README is designed to make folk aware of the existence of a patch they may need.  However, they may still need to purchase a support contract in order to access the patch itself.

Using 'wget' to automate patch downloads

'wget' is a popular and efficient way to automate patch downloads.   Popular patch automation tools such as 'pca' and TLP utilize 'wget' for patch downloads.  Authentication is via the user's Sun Online Account (SOA), so customers should associate their support contracts to their SOA using the "Change Contract" link at the top right hand corner of SunSolve pages once they have logged on.

A version of 'wget' which supports https transfers is now required in order to download patches. For example, the 'wget' version in Solaris 10 supports https transfers. To check whether the version of wget you are using is linked to SSL (to provide https support), you can use the following command:

# wget --help

For example, the current development release of wget (1.12-devel) shows:

   Options: +digest +ipv6 +nls +ntlm +opie +md5/openssl -gnutls
           +openssl +gettext
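One way to script this check, as an added example that is not part of the original post: the function reads a wget feature list on standard input and succeeds only when a TLS library is marked as compiled in. A plain substring search for "openssl" would wrongly accept `+md5/openssl` or `-openssl`, so the tokens are matched whole. The `+https` token and the second sample line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from wget's compile-time feature list whether the
# binary can do https. Feature text is read from stdin.

wget_has_tls() {
    # One token per line, then require an enabled ("+") TLS feature as a
    # whole token. "-openssl" means compiled out; "+md5/openssl" only says
    # which library provides MD5 and must not count.
    tr -s ' \t' '\n\n' | grep -Eq '^\+(openssl|gnutls|https)$'
}

# Feature line as quoted in the post (wget 1.12-devel).
SAMPLE_TLS='Options: +digest +ipv6 +nls +ntlm +opie +md5/openssl -gnutls
           +openssl +gettext'

# Constructed counter-example: the word "openssl" appears twice, but no
# TLS library is enabled.
SAMPLE_NOTLS='Options: +digest +ipv6 +nls +ntlm +opie +md5/openssl -gnutls -openssl +gettext'

# Print "https-ok" or "no-https" for the given feature text.
check() {
    if printf '%s\n' "$1" | wget_has_tls; then
        echo https-ok
    else
        echo no-https
    fi
}

check "$SAMPLE_TLS"
check "$SAMPLE_NOTLS"
```

In a download script, pipe the output of your wget build that lists its compile-time features into `wget_has_tls` and stop before any credentials are sent if it fails.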

You also have to have your proxy configured to allow https connections through the proxy with the 'connect' command.

When contracts are added, renewed, or changed, MSC registered 'wget' users now need to attempt a download of an access-entitled patch (which will fail) in order to trigger a resynchronization of their contract data between the backend servers servicing the patch download request. The modified contract entitlement will then be activated within 8 hours of this initial download attempt.

See Information on using wget for http download including example download script for further information.

Solaris 2.5.1 patch access entitlement removed

Solaris 2.5.1 is past its End Of Service Life (EOSL).   Access to Solaris 2.5.1 patches has therefore been removed.

Vintage Phone support, which includes access to existing patches (but no new patches will be created), is still available for Solaris 2.6 and Solaris 7 until the end of 2009, after which all access to Solaris 2.6 and Solaris 7 patches will also be removed.

Tuesday Jan 22, 2008

Patch Automation Tools

First of all, let me say that my personal experience of Sun's patch automation tools is limited. I work upstream from the SysNet and Services groups who produce most of Sun's patch automation tools, so I and my team mostly patch from first principles using the basic Solaris patch utilities, patchadd and patchrm.

My team does have some experience of working with some of the patch automation tools.  I've supplemented this with information from SysNet and Services folk.

Sun Connection 1.1.1 Satellite (a.k.a. UCE) and xVM Ops Center 1.0

The official Sun patching tool of choice is now xVM Ops Center, which contains an enhanced version of Sun Connection 1.1.1 Satellite Edition.

Sun acquired Aduva a couple of years ago.  Aduva has a track record of providing patch and update automation tools for multiple Operating Systems.

The next-generation Aduva-based tools are coming on stream. Sun Connection 1.1.1 Satellite is based on Aduva.  Note, "Satellite" has a completely different back end to the Sun Update Connection Hosted edition and Solaris Update Manager, which are based on PatchPro (see below).

I'm hearing good things about the Satellite.  I understand that its initial target market is customers with 50+ systems.

Sun Connection 1.1.1 Satellite Edition is based on Aduva Onstage and Update Connection Enterprise.   A central server (Satellite) at the customer site is used to analyze and update all attached client systems in a fully automated manner.  It builds upon a central Knowledge Database fed by Sun.  It covers the provisioning of patches, packages, config files and scripts.  It is available to customers who pay for it.

Sun Connection 1.1.1 Satellite provides a solution for customers primarily interested in patch and package provisioning.  There is a 10 minute demo introducing you to some of the key features of Sun Connection Satellite at http://frsun.downloads.edgesuite.net/sun/07D01031/SunConnectSatellite.html, or alternatively there is a more detailed 32 minute demo at http://frsun.downloads.edgesuite.net/sun/07D01032/SunConnect.html

Sun Connection Satellite is a component of the xVM Ops Center

xVM Ops Center is a merge of Sun Connection and N1SM.  Here's a BigAdmin article on Patching Solaris using Sun xVM Ops Center.  The monthly patch baselines referred to are the patch sets in the monthly EIS DVD release (see below).

For further information, please see the Sun Connection hub's Product Tour page on BigAdmin.

EIS

EIS stands for Enterprise Installation Standards and originated from Sun field personnel wanting to develop best practice installation standards for systems installed on customer sites.

EIS has proved extremely popular with Sun field personnel and approved partners. Its widespread adoption was due to it successfully addressing a real need. I view its widespread adoption among field personnel and OEMs as proof positive of its efficacy.

The EIS patch baseline goes through QA testing prior to release. The images installed by Sun's manufacturers on servers are also based upon the EIS patch baseline. Additional testing by Sun's manufacturers plus feedback from the EIS user community raises confidence in the EIS patch baseline content further. Since many system installations world-wide use the EIS methodology, any inherent problems will quickly appear and can be dealt with. In the event of there being issues with the EIS patch baseline, recommendations are communicated to the EIS community.

This same EIS set of patches, which Sun Field Engineers consider best practice to install on a new system, can also be used to patch existing systems to the same patch level. The EIS set of patches is based on the Recommended Patch Cluster for the Solaris OS with additional patches included by the Field Engineers for additional products and to address irritating issues which do not meet the criteria for inclusion in the Recommended Patch Cluster.

The EIS patch baseline covers Solaris and other products such as SunCluster, SunVTS, SSP, SMS, QFS, SAM-FS, and includes patches which provide firmware updates.

EIS has traditionally only been available via Sun Services personnel but is now available direct to customers via Sun Connection Satellite.  This provides a good option to customers to patch to a defined and tested patch baseline.  See the Sun Connection blog for further information.

pca

pca is a popular 3rd party tool developed by Martin Paul.  I've only ever heard positive feedback about pca.

pca is available from http://www.par.univie.ac.at/solaris/pca/

To try out pca, just run this on any Solaris machine:

  $ wget http://www.par.univie.ac.at/solaris/pca/pca
  $ chmod +x pca
  $ ./pca

pca is a good solution for customers interested in a simple, easy to use, patch automation tool.

smpatch, Update Manager, and Sun Connection Hosted Edition

smpatch is a command line tool and part of Solaris.   It allows customers to analyze and update Solaris with current patches.  For customers without a valid support contract,  only security and driver patches are available.  For customers with a valid support contract, all patches are available.

updatemanager is a GUI wrapper around smpatch and is also part of Solaris.  It can be used to see what patches/updates are available and to easily select the patches, which the customer wants to install. Again, for customers without a valid support contract,  only security and driver patches are available.  For customers with a valid support contract,  all patches are available.

Sun Connection - Hosted Edition is the internet portal version of  updatemanager.  The customer can register all their servers and  can schedule and review the installation of patches from a central portal.  This is only available to customers who pay for it.

The above tools rely on the "PatchPro" analysis engine to recommend patches to customers.

PatchPro utilizes what are called "Realizations". These are listed in the patchinfo file in the top directory of a patch. This allows the patch developer to associate a patch with one or more "Realization Detectors", which determine whether or not it is appropriate to apply a patch to a particular customer environment. For example, a Realization Detector might only recommend a particular patch if the target system utilizes a particular piece of hardware or software, or if a particular service is enabled. This provides fine-grained control on patch recommendations.

The vast majority of Realizations simply associate a patch to packages installed on the target system, in the same way patchadd determines whether or not to apply a patch.  That is, if the package name, package version, and platform architecture in the pkginfo file(s) in the patch match at least one package name, package version, and platform architecture on the target system, the patch can be applied, else not.
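The package-matching rule just described, as an added example that is not PatchPro or patchadd code: it implements only the name, version and architecture comparison stated above. The patch layout, the package name `SUNWexmp` and the "PKG VERSION ARCH" installed-package list format are constructed assumptions.

```shell
#!/bin/sh
# Added example: match a patch to a target system on package name,
# version and architecture, using constructed sample data.

# Print "PKG VERSION ARCH" for one pkginfo file (KEY=value lines).
# The value is everything after the first "=", because VERSION values
# themselves contain "=" (for example "11.10.0,REV=2005.01.21.15.53").
pkginfo_triple() {
    awk '
        { i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1) }
        k == "PKG"     { pkg = v }
        k == "VERSION" { ver = v }
        k == "ARCH"    { arch = v }
        END { if (pkg != "" && ver != "" && arch != "") print pkg, ver, arch }
    ' "$1"
}

# Succeed if at least one package in the patch matches an installed
# package exactly. $1 = unpacked patch dir, $2 = installed-package list.
patch_applies() {
    for f in "$1"/*/pkginfo; do
        if [ -f "$f" ]; then
            triple=$(pkginfo_triple "$f")
            if [ -n "$triple" ] && grep -Fxq -- "$triple" "$2"; then
                return 0
            fi
        fi
    done
    return 1
}

# Constructed data: one patch and two target systems that differ only
# in platform architecture.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/patch/SUNWexmp"
    printf '%s\n' 'PKG=SUNWexmp' 'NAME=Example package' 'ARCH=sparc' \
        'VERSION=11.10.0,REV=2005.01.21.15.53' > "$d/patch/SUNWexmp/pkginfo"
    echo 'SUNWexmp 11.10.0,REV=2005.01.21.15.53 sparc' > "$d/sparc.txt"
    echo 'SUNWexmp 11.10.0,REV=2005.01.21.15.53 i386'  > "$d/x86.txt"
    echo "$d"
}

SAMPLE=$(make_sample)
for sys in sparc x86; do
    if patch_applies "$SAMPLE/patch" "$SAMPLE/$sys.txt"; then
        echo "$sys: patch can be applied"
    else
        echo "$sys: no matching package, skip"
    fi
done
```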

Errors in writing Realization Detectors cause patch automation tools which utilize the PatchPro analysis engine to occasionally recommend inappropriate patches.  This has impacted the reliability of PatchPro based tools.

Work is underway to write a generic realization detector to match patches to packages.  This will save patch creators from writing their own realization detectors for the common case, simplifying the process and reducing error opportunity.  Patch creators will still be able to write specific Realization Detectors where necessary.

See Instructions for Getting Started with Sun Connection's Update Manager and Sun Hosted solutions and Patch Manager 2.0 FAQs for further information.

TLP

TLP stands for Traffic Light Patching, and is another tool which was developed by Sun Service folk for Sun Service folk to address the need for Patch Automation.

TLP is not directly available to customers.  It's used by Sun Service personnel to determine the appropriate patches to be installed on a customer's system, including things like firmware patches.

TLP has a modular design.   It utilizes the concept of a "baseline" of patches chosen by the user, from the Recommended Patch Set, to the EIS patch set, to a user defined set of patches.  TLP allows a number of different patch analysis engines to be used to determine which patches from the "baseline" to apply to a particular target system.

TLP is popular with customers who use it, as it's reliable and works well. 

TLP was End-Of-Lifed (EOL'd) in September of 2006 and reached End-Of-Service-Life (EOSL) in December 2007.  However, a number of customers have been given extensions on TLP support for transition purposes. 

Sun Services Patch Recommendations 

Most European countries provide a service where customers can submit Explorer logs and the local Sun office provides back a patch bundle.  These services may use SRAS and TLP in the background.

Please contact your local Sun Services office for further details.

I believe the plan will be to consolidate these services into a consistent official worldwide service.

About

This blog is to inform customers about patching best practice, feature enhancements, and key issues. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle. The Documents contained within this site may include statements about Oracle's product development plans. Many factors can materially affect these plans and the nature and timing of future product releases. Accordingly, this Information is provided to you solely for information only, is not a commitment to deliver any material code, or functionality, and SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISIONS. The development, release, and timing of any features or functionality described remains at the sole discretion of Oracle. THIS INFORMATION MAY NOT BE INCORPORATED INTO ANY CONTRACTUAL AGREEMENT WITH ORACLE OR ITS SUBSIDIARIES OR AFFILIATES. ORACLE SPECIFICALLY DISCLAIMS ANY LIABILITY WITH RESPECT TO THIS INFORMATION. ~~~~~~~~~~~~ Gerry Haskins, Director, Software Lifecycle Engineer
