Patch Check Advanced

I tried out the wizzy new Solaris patch GUI (updatemanager) a while back to see whether it was actually usable, and I had issues with it.  First of all it was really, really, slow when it had to analyze the currently installed patches.  Like it was so slow, you couldn't tell whether it was hung or not.  So today I figured I'd try out a perl script that I ran across called pca. It's called Patch Check Advanced. Because it's a relatively simple perl script, I think it will have a much better chance of running consistently on the Solaris 8, 9 and 10 boxes we have around here. I just installed Sun Studio 11 on my Sparc machine (running a fairly ancient Nevada build, 41).  Of course, I didn't have the patience to download a half a gigabyte over the internet, so I scrounged up a copy on our network and used that.

You can run pca as a non-root user to examine the current state of the machine, and then su to root and have it automatically update your Sun Studio installation.  You can use it to list only the Sun Studio patches. It's a little weird because the pca script lists patches by default, and it says that the "-l" option is the default. But I got a different list of patches between doing "pca" and doing "pca -l".  It turns out the x86 patches will be filtered out by "pca", but won't be filtered out by "pca -l". So I selected the Sparc patches by using the patch description.  It turns out that Sun Studio patches are now named consistently, so SPARC patches start with "Sun Studio 11:" and x86 patches start with "Sun Studio 11_x86:". So to list all the latest Sun Studio patches on a Solaris machine, I used this command:


% pca -l '/Sun Studio 11:/'
Download xref-file to /var/tmp/patchdiag.xref: done
Using /var/tmp/patchdiag.xref from Nov/21/06
Host: steppe (SunOS 5.11/snv_41/sparc/sun4u)

Patch  IR   CR RSB Age Synopsis
------ -- - -- --- --- -------------------------------------------------------
120760 -- < 11 ---   6 Sun Studio 11: Compiler Common patch for Sun C C++ F77 F95
120761 -- < 02 --- 145 Sun Studio 11: Patch for Performance Analyzer Tools
121015 -- < 03 ---  14 Sun Studio 11: Patch for Sun C 5.8 compiler
121017 -- < 06 ---  14 Sun Studio 11: Patch for Sun C++ 5.8 compiler
121021 -- < 05 ---  36 Sun Studio 11: Patch for Fortran 95 Dynamic Libraries
121019 -- < 03 ---  71 Sun Studio 11: Patch for Fortran 95 8.2 Compiler
121023 -- < 03 ---   6 Sun Studio 11: Patch for Sun dbx 7.5 Debugger
121623 -- < 02 --- 145 Sun Studio 11: Patch for RHEL4 and SuSE9 Linux Performance Analyze
122135 -- < 02 ---  43 Sun Studio 11: Patch for Sun Performance Library
122142 -- < 02 ---   6 Sun Studio 11: Patch for dbx GUI plug-in and CPP modules

From this list you can see one Linux patch (which is just a freshened RPM, not really a "patch").  I don't think the sunsolve patch index data has a field to identify non-Solaris patches.  We should probably add that so that tools can skip such patches. You can see from the "-- < 11" part that pca is telling me I don't have any patches installed and that hence my current revision level is less than (<) the revision available from sunsolve.  Here is what it looked like after I updated:

bash # pca -l '/Sun Studio 11:/'
Download xref-file to /var/tmp/patchdiag.xref: done
Using /var/tmp/patchdiag.xref from Nov/21/06
Host: steppe (SunOS 5.11/snv_41/sparc/sun4u)

Patch  IR   CR RSB Age Synopsis
------ -- - -- --- --- -------------------------------------------------------
120760 11 = 11 ---   6 Sun Studio 11: Compiler Common patch for Sun C C++ F77 F95
120761 02 = 02 --- 145 Sun Studio 11: Patch for Performance Analyzer Tools
121015 03 = 03 ---  14 Sun Studio 11: Patch for Sun C 5.8 compiler
121017 06 = 06 ---  14 Sun Studio 11: Patch for Sun C++ 5.8 compiler
121019 03 = 03 ---  71 Sun Studio 11: Patch for Fortran 95 8.2 Compiler
121021 05 = 05 ---  36 Sun Studio 11: Patch for Fortran 95 Dynamic Libraries
121023 03 = 03 ---   6 Sun Studio 11: Patch for Sun dbx 7.5 Debugger
121623 -- < 02 --- 145 Sun Studio 11: Patch for RHEL4 and SuSE9 Linux Performance Analyze
122135 02 = 02 ---  43 Sun Studio 11: Patch for Sun Performance Library
122142 02 = 02 ---   6 Sun Studio 11: Patch for dbx GUI plug-in and CPP modules

As you can see, the Linux patch didn't get installed, but it's still listed.
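
A small parser for the listing format shown above can do the skipping a tool would need. This is an added example, not part of pca or the original post; the function names and the synopsis-based guess at non-Solaris patches are assumptions, since the listing has no field for that.

```python
import re

# Constructed sample: rows copied from the two pca listings above.
SAMPLE = """\
Patch  IR   CR RSB Age Synopsis
------ -- - -- --- --- -------------------------------------------------------
120760 11 = 11 ---   6 Sun Studio 11: Compiler Common patch for Sun C C++ F77 F95
121015 -- < 03 ---  14 Sun Studio 11: Patch for Sun C 5.8 compiler
121623 -- < 02 --- 145 Sun Studio 11: Patch for RHEL4 and SuSE9 Linux Performance Analyze
122135 02 = 02 ---  43 Sun Studio 11: Patch for Sun Performance Library
"""

# One data row: patch id, installed rev (IR), comparison sign,
# current rev (CR), three flag characters (RSB), age, synopsis.
ROW = re.compile(
    r"^(?P<patch>\d{6})\s+(?P<ir>\d\d|--)\s+(?P<cmp>\S)\s+"
    r"(?P<cr>\d\d|--)\s+(?P<rsb>\S{3})\s+(?P<age>\d+)\s+(?P<synopsis>.*)$"
)

# Assumption: guess non-Solaris patches from words in the synopsis.
NON_SOLARIS = re.compile(r"\b(Linux|RHEL\d*|SuSE\d*)\b", re.IGNORECASE)

def parse_listing(text):
    """Return one dict per patch row; headers and status lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator, "Host:" and download lines
        rows.append({
            "patch": m["patch"],
            "installed": None if m["ir"] == "--" else int(m["ir"]),
            "current": None if m["cr"] == "--" else int(m["cr"]),
            "age": int(m["age"]),
            "synopsis": m["synopsis"].strip(),
        })
    return rows

def triage(rows):
    """Split out-of-date rows into (pending, skipped_non_solaris)."""
    pending, skipped = [], []
    for r in rows:
        if r["current"] is None:
            continue  # nothing to compare against
        if r["installed"] is not None and r["installed"] >= r["current"]:
            continue  # already at the current revision
        (skipped if NON_SOLARIS.search(r["synopsis"]) else pending).append(r)
    return pending, skipped

if __name__ == "__main__":
    todo, ignored = triage(parse_listing(SAMPLE))
    print("pending:", [r["patch"] for r in todo])
    print("skipped:", [r["patch"] for r in ignored])
```
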

To update my Sun Studio installation, I used this command:

# pca -G -i '/Sun Studio 11:/'

Don't forget to add the -G option on Solaris 10.  This just passes -G to the patchadd command happening under the covers.  It's necessary with Sun Studio patches on Solaris 10 because of a bug relating to zones. I thought I would have to configure my sunsolve name/password in there somewhere, but it seemed to work anyway.  I've probably wired those settings into a config file someplace and forgot about them.  I know I configured the updatemanager with that information, so maybe the pca script is using a Solaris utility that's layered on top of some other utility that knows my name/password.

I've been thinking about the patch management issue for a while.  As far as I'm concerned Linux has us totally beat in this area.  The majority of software that's "part" of a Linux system isn't installed by default, and you just choose it from a GUI to download and install it.  Updates are handled with the same infrastructure.  On the other hand Solaris has all sorts of wonderful network based install/maintenance tools (Live Upgrade, etc) geared towards enterprise users. Those things have absolutely no bearing on my life whatsoever.  I need something trivial and ubiquitous and point-and-shoot.

Aside: Computer companies have always gone out of business from the bottom up.  I hope Sun doesn't use all our wonderful Enterprise features as an excuse to ignore the desktop and small-business users of the world. The mainframe computer companies in the 80's had their users taken away by PC's that were "good enough" for small Mom and Pop businesses.  Of course, when Mom and Pop want to upgrade, they would naturally request new features from the PC vendor, instead of hiring an IT consultant and "going enterprise".  It's sort of like that picture of a fish eating a littler fish, and simultaneously being eaten by a bigger fish, only the market is complex enough that it's more like a circle. In the computer biz everyone frantically tries to out-innovate each other.  As long as Sun's chasing more than we're being chased, I think we're okay.  (I don't mean 'chasing' as in playing catch-up, I mean chasing, like trying to take someone else's market away from them by building new stuff.) Anyway, I get worried whenever I see a company concentrating on "enterprise" customers and ignoring all the little guys who will become enterprise customers in 5 years time.

Large established companies that are willing to try a revolutionary new technology seem few and far between. If you've got hot new ideas to show around, you want to start with the hobbyists and the little guys out there. That's the lesson I've learned from watching Linux.


Comments:

PCA seems to grab more patches than you'd otherwise get with an smpatch update on a machine without a support contract. I've been hit by a couple of patches recently that way - http://soulfood.dk/archives/2006/11/19/T15_31_02/index.html

Posted by Mads on November 22, 2006 at 06:54 PM PST #

Thank you so much for that post! I've had so much trouble with smpatch/updatemanager that I switched to PCA months ago, and never looked back.
Martin Paul, its author, is really listening to actual users' needs. Sun, so far, didn't seem to be interested in them. You give me hope :-)

Oh, and you could download the Studio patches because they're free and do not need a contract.

To Mads: yes, PCA shows you what your system actually needs. I've seen it show twice the amount of patches shown by smpatch. In those not shown by the latter, there were more than a few security/recommended patches...

Posted by Laurent Blume on November 22, 2006 at 07:01 PM PST #

Thanks for mentioning PCA here. I'm the author, and always glad to receive feedback, positive or negative.

As for the problems you had with the Sun Studio patches, I think it's because the documentation on pca was misleading, esp. concerning the search patterns. "pca", "pca -l" and "pca -l missing" actually produce the same result - all patches missing on the current machine. When using a search pattern like /Studio/, pca will show *all* patches, no matter for which Solaris release or architecture - this is mostly useful to answer questions like "what are all patches ever produced for Sun Studio?".

In your case, you could have run "pca -H | grep Studio > patches.txt" followed by "pca -i patches.txt" to install all missing Sun Studio patches. I understand that this is too complicated, which is why I now have modified pca's usage of search patterns to make it more flexible. Please read about it on:

http://www.par.univie.ac.at/solaris/pca/news.html

With the new development version of pca, a simple "pca -p Studio -i" is sufficient to achieve what you want.

As mentioned by Laurent, you could download the Sun Studio patches because they are available without a Sun Online Account. pca will not re-use this information from a previous configuration of Sun Update Manager. You have to specify it explicitly via -a/--askauth or in pca's configuration file.

As for your thoughts about Sun's patch management tools in general, I second everything you say. This, and because I'm a big fan of Solaris, is the main reason why I'm investing a lot of time in PCA.

Posted by Martin Paul on November 22, 2006 at 09:11 PM PST #

Thanks for the update Martin, and thanks for writing pca. I like the improvements you made for using patterns, keep up the good work! Of course, I'd be happy to switch to updatemanager if it starts to work better.

Posted by Chris Quenelle on November 28, 2006 at 06:46 AM PST #

About

Chris Quenelle
