Easy Solaris patching with pca
Solaris is bundled with a tool called smpatch but my personal experience from using it is very poor. It is slow and not always that easy to use. This is of course only my personal opinion.
Fortunately Martin Paul has created a tool called Patch Check Advanced (PCA). It is fast and I find it very simple to use. The only requirement is a Sun Online Account, which you can get for free. With the free account you will have access to security and driver patches. If you want access to all patches you need to purchase a service plan.
It is very easy to install pca. It is just a matter of downloading the script (it is written in Perl).
If you want to see what patches you are missing, you run it with the following arguments
# ./pca -l missing
If you haven’t patched your system in a while the list may be quite long. When we only want to see the missing security patches we run pca like this
# ./pca -l missings
Using /var/tmp/patchdiag.xref from Jun/13/07
Host: xyz (SunOS 5.10/Generic_125101-08/i386/i86pc)
List: missings

Patch  IR   CR RSB Age Synopsis
------ -- - -- --- --- -------------------------------------------------------
119116 26 < 28 -S-   9 Mozilla 1.7_x86 patch
119255 36 < 38 RS-   3 SunOS 5.10_x86: Install and Patch Utilities Patch
120037 13 < 19 RS-  13 SunOS 5.10_x86: libc nss ldap PAM zfs patch
120095 11 < 12 RS-  13 X11 6.6.2_x86: xscreensaver patch
120273 06 < 13 RS-  16 SunOS 5.10_x86: SMA patch
122213 18 < 19 -S-   2 GNOME 2.6.0_x86: GNOME Desktop Patch
124259 05 < 06 RS-   2 SunOS 5.10_x86: ufs and nfs driver patch
125101 08 < 09 RS-   2 SunOS 5.10_x86: Kernel Update patch
125720 03 < 08 RS-   1 X11 6.8.0_x86: Xorg server patch
The first column shows the patch id, IR is the installed revision, CR is the current revision, RSB is Recommended/Security/Bad (type of patch), Age is how many days the patch has been available (it is approx. 16 days since I last patched my server).
Let's say we want to see the readme file for the 125101-09 patch. You then run pca like this
# ./pca --user=my.user.name --passwd=my.password -r 125101-09
As you can see, you must now give your SOA username and password. The readme file will be downloaded and displayed in a pager.
The next step would be to install a specific patch. To install one single patch you can do it like this
# ./pca --user=my.user.name --passwd=my.password -i 125101-09
This will download the patch and install it for you. To install all missing security patches
# ./pca --user=my.user.name --passwd=my.password -i missings
Now if you want to make it very easy for yourself you run pca from cron once every week (or every day if you are paranoid) and email the result. You will get a list of all missing patches within one week without having to follow all security announcements all the time.
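One way to set up the weekly cron report described above, as an added example that is not part of the original post or of pca. It goes a step further than a plain listing by keeping only rows with the S flag in the RSB column that are older than a threshold, and it uses only the listing form, which on this page takes no account credentials, so no password ends up in the crontab. The script path, `PCA`, `MAX_AGE`, `MAILTO` and the use of `mailx` are assumptions.

```shell
#!/bin/sh
# Added example, not part of pca: weekly report of overdue security patches.
# Assumed crontab entry (script path is hypothetical):
#   0 6 * * 1 /usr/local/sbin/pca-report.sh --run
PCA=${PCA:-./pca}           # assumed location of the pca script
MAX_AGE=${MAX_AGE:-7}       # days a security patch may stay uninstalled
MAILTO=${MAILTO:-root}      # assumed recipient

# Read "pca -l" output on stdin and print "patch-rev age synopsis" for every
# row with the S flag set in the RSB column and an age above $1 days.
overdue_security() {
    max=$1
    while read -r patch ir lt cr rsb age synopsis; do
        [ "$lt" = "<" ] || continue                       # banner, header, rule
        case $patch in ''|*[!0-9]*) continue ;; esac      # patch id is numeric
        case $age in ''|*[!0-9]*) continue ;; esac        # age is numeric
        case $rsb in ?S?) ;; *) continue ;; esac          # security flag only
        [ "$age" -gt "$max" ] || continue
        printf '%s-%s %s %s\n' "$patch" "$cr" "$age" "$synopsis"
    done
}

# Constructed sample: three rows from the listing above plus one made-up
# non-security row (999999) for contrast.
sample_listing() {
    cat <<'EOF'
Using /var/tmp/patchdiag.xref from Jun/13/07
Host: xyz (SunOS 5.10/Generic_125101-08/i386/i86pc)
List: missing

Patch  IR   CR RSB Age Synopsis
------ -- - -- --- --- -------------------------------------------------------
119116 26 < 28 -S-   9 Mozilla 1.7_x86 patch
120037 13 < 19 RS-  13 SunOS 5.10_x86: libc nss ldap PAM zfs patch
125101 08 < 09 RS-   2 SunOS 5.10_x86: Kernel Update patch
999999 01 < 02 R--  30 Constructed non-security row
EOF
}

# Mail the overdue list; stay silent when nothing is overdue. pca's stderr is
# left alone so that cron itself mails any error output to the job owner.
weekly_report() {
    report=$("$PCA" -l missing | overdue_security "$MAX_AGE")
    [ -n "$report" ] || return 0
    printf '%s\n' "$report" |
        mailx -s "$(hostname): security patches missing over $MAX_AGE days" "$MAILTO"
}

if [ "${1:-}" = "--run" ]; then weekly_report; fi
```

Running `sample_listing | overdue_security 7` shows the filter at work without calling pca or sending mail.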
There are many more options. You can, for example, collect information on remote machines and run pca in one location. pca can then download all the missing patches and you can slowly build your own local repository of patches that you can push out to the other machines. Take a look at the man page for pca for more information.


Yes, PCA is great! It definitely fills the critical Solaris patching void for older systems as well as the new, since smpatch is absolutely worthless.
It’s always good to see PCA getting a mention…more admins need to be aware of it.
It was a real eye opener for me when I found it about a year ago. Before that I had been struggling with smpatch that simply could hang while running “smpatch analyze”. pca is probably 100x faster than smpatch on certain operations.
More admins need to be aware of it yes, but maybe Sun should include it in the base install. That would be a big improvement.
PCA has not worked for the last two months, since patchdiag went missing on sunsolve.sun.com.
I just looked at sunsolve and the patchdiag.xref file is still there. The timestamp was 14th of September so it looks like they are still updating. However, sunsolve was its usual slow self and I got an error trying to download it the first time. Sun really really needs to get their act together with sunsolve.
I agree that smpatch is troublesome (far more so than it ought to be), though I do not find it useless. When I register a server with sconadm, I specify not only a user/pass for a Sun Online Account, but also a Sun support contract number.
Without the Sun support contract, I would not get patches for all Sun packages, just patches that they consider “Security” and “Device Drivers”. See Sun’s explanation:
http://www.sun.com/emrkt/sunspectrum/resources.jsp#policy
Example: My server has SUNWbind installed from a Solaris 10 1/06 install DVD (BIND 9.2.4). The server was initially registered via sconadm without a Sun support contract number, and smpatch did not give me any patches for SUNWbind. Later, I registered the server with a Sun support contract number, and smpatch patched the app to current 9.3.4-P1.
My concern: PCA has no way to use a Sun support contract number (please correct me if I’m wrong). I need more than just Sun’s ‘free’ patches, I need them all. Can pca give me that?
@yuri: PCA still works fine. While it needs frequent updates due to Sun’s changes to the SunSolve infrastructure, I always managed to keep it working. As you might guess, I’m the author. If you have problems getting it going, feel free to contact me. See the PCA webpage for contact information.
@Mark: You can of course get all patches (not only the free ones) with PCA. You only have to connect your contract information to your Sun Online Account. Go to sunsolve.sun.com, log in with your SOA, and add your contract number via the “Change Contract” link. You will now be able to access all contract information when browsing sunsolve, and PCA will be able to download all patches with this SOA. Feel free to contact me in case of problems.