Shanthi Srinivasan and Laura Hartman; October 2009
This article describes the methods to patch the Solaris Operating System (Solaris OS) using Sun Ops Center.
Ops Center enables you to patch the following operating systems:
This article describes how to patch the Solaris OS. For other operating systems, refer to the Ops Center Documentation.
Ops Center offers comprehensive data center management software for the physical and virtual systems in your data center. This software enables you to provision, patch, virtualize, manage, and monitor the assets in your data center from a single browser user interface (BUI).
Patch management can be a complex and time-consuming process. Ops Center is designed to help manage the complexity, standardize the installation process, minimize downtime, and help you to keep your systems current. With the remote management capabilities, you can access a consolidated view of the assets in your data center from a single user interface.
Some of the tasks that Ops Center can help with include:
Identifying patch levels and patch status, and determining the patches and packages that are needed to update your systems
A variety of compliance reports and system checks are available to help you to identify the gaps.
Determining withdrawn patches and updating to the most current patch
Predefined profiles are available to check for withdrawn patches.
Understanding the patch dependencies before you start a patch job
Patch job simulations are available to test for dependencies and requirements before running an actual patch job. You can run a patch simulation in analyze-only mode, or download content as part of the simulation. The simulation with download also reduces the amount of time required to run an actual patch job.
Applying patch policy consistently throughout your data center
Profiles and policies are available to help you control the update jobs. Predefined profiles and policies are available, but you can also create custom profiles and policies.
Updating a group of operating systems at the same time
Operating systems with the same distribution are automatically placed in homogeneous groups. You can use these groups to apply patches to all systems in the group at the same time. You can change the policies and profiles for specific systems in the group, or apply the same standards to all systems.
Patching virtual systems
Sun built-in virtualization technologies such as Solaris Zones and Logical Domains can be patched.
Testing the stability of the patches in your environment
Solaris Live Upgrade capabilities and support for alternate boot environments help you to test the patches before deploying them in a production environment.
Scheduling a day and time that will cause the least amount of downtime
The job scheduler enables you to run a job immediately, or schedule a time to apply the updates across your data center. You can schedule patch simulations or actual patch jobs.
This article provides an overview of the OS update profiles and policies, system catalogs, compliance reports, and the methods that you can use to manage and update your Solaris software with Ops Center.
Ops Center has a three-tier architecture as shown in the illustration.
The Enterprise Controller is the central server that consolidates the management systems. This is where you manage the connected systems using the browser user interface. The Enterprise Controller has Internet access and is connected to Sun Knowledge Services.
Sun Knowledge Services provides information about available patches, patch dependencies, and patch compatibility rules. When you want to download and install any patch, the Enterprise Controller checks with the knowledge base for patch dependencies and compatibility rules. For example, suppose you need to install patch A, and patch B should also be installed with patch A. Then Ops Center suggests that you download and install patch B along with patch A.
By default, the Enterprise Controller is in connected mode and has Internet access to download the patches from different software vendors such as Red Hat and SUSE. Solaris OS patches are available from the SunSolve web site. You need to configure and provide authentication in Ops Center to download the patches.
If your data center environment does not allow Internet access, you can use Ops Center in disconnected mode. In disconnected mode, the Enterprise Controller is not connected to the Internet. Ops Center provides an option to manually upload all content, such as patches, to the Enterprise Controller. To download the patches and packages, you must run the harvester script on a system outside the data center that has Internet access. Save the downloaded information to a portable media device, such as a CD or DVD, and bring it in to your data center for manual upload. Refer to Updating in Disconnected Mode for more information about the harvester script.
Another option is to run your Enterprise Controller in semi-disconnected mode until you need to download patches or packages. You can change the Enterprise Controller's connection mode to Connected in order to download the required patches and packages, and then change back to the disconnected mode.
Ops Center provides OS Update Profiles and Policies, System Catalogs, and Reports that help to create OS Update jobs.
OS Update Profiles - Specify which components to install, which components are not allowed, and which actions to perform on a system. You can maintain the configuration of a managed system. You can either create your own custom profiles or use the predefined profiles provided by Ops Center. Refer to OS Updates Profiles and Policies for more information about profiles and policies.
OS Update Policies - Define how a job should be performed and set the automation level of the job. You can create appropriate policies or use system-defined policies to handle the patch dependencies. Policies apply to actions that are implicitly generated by the dependency resolver.
System Catalogs - List the software components that are installed on a managed system. After every job execution on a system, the snapshot of the system is created with the timestamp and job details. You can create historical catalogs, modify or compare catalogs, and create profiles from catalogs.
Reports - Enable you to check for new patches and security advisories. Ops Center provides specific Solaris OS Update reports. Refer to Solaris OS Update Reports to generate a variety of Solaris OS reports.
It is assumed that you have a fair understanding of your data center to devise an effective patch management plan to create profiles and policies.
In Ops Center, you have different methods by which you can patch a Solaris release. In this article, it is assumed that the Enterprise Controller is in connected mode. The methods of patching will remain the same even in disconnected mode, provided that the latest patch information is manually uploaded onto the Enterprise Controller.
You can use the following methods to patch the Solaris OS using Ops Center:
Use predefined or custom profiles to run an update job.
Use system catalogs to create an update job.
Create reports such as Baseline Analysis Reports and compliance reports. Use the report outputs to run a compliance job to install the patches.
The different methods to update an OS are illustrated in the following figure.
Apart from these methods, Ops Center also provides Solaris Live Upgrade technology to apply patches to a duplicate, inactive boot environment. This reduces the amount of downtime required to update your Solaris software and enables you to fully test the update before introducing it in your production environment. When you are satisfied with the update, you can switch boot environments and deploy the updated boot environment. The downtime is essentially the time it takes to reboot into the new environment.
You must have a boot environment (BE) and an alternate boot environment (ABE) in order to use this method of patching. You can use an ABE that was created outside of Ops Center, but the preferred method is to create the ABE with Ops Center.
Refer to Updating With Solaris Live Upgrade for the complete procedures for creating an ABE, supported OS versions, and the requisites for creating and patching the ABE.
To create a customized update job, you should have the following information:
OS Update Profile: Use the system-defined profiles or create your own custom profile as per your requirement.
OS Update Policy: Use the system-defined policies or create your own custom policies.
Targets: Select the targets on which you want to run the update job.
Run Type: Decide whether you want to run the job in simulation or actual run mode.
Task Execution: Select whether the tasks should be executed sequentially or in parallel fashion across the selected targets.
Use the following procedure to create an update job:
Log in to the Ops Center interface.
Select an asset from the Navigation panel and click New Update OS Job in the Actions panel. Alternatively, you can select Update Profiles from the Libraries section in the Navigation panel. Select a profile from the list and click New Update OS Job in the Actions panel.
The New Update OS Job wizard is displayed as shown in Figure 3.
Enter a name for the update job.
Select the required job information and run the job.
Depending on the policy, the update job proceeds to download and install the patches. You can refer to detailed information about update jobs at Creating a Solaris OS Update job.
View the status of an update job in the Jobs section. For more information on managing update jobs, see Job Management.
In Ops Center, you can create catalogs, modify a catalog, compare two catalogs, and create a profile from a catalog.
A catalog provides an inventory list of components installed on your system. You can create a profile from a catalog. This helps to create systems with desired components quickly and effortlessly for production. You can modify a catalog to install or uninstall a patch quickly. You are not required to create profiles and policies to modify a catalog. Modifying a catalog is an alternate option for running an OS update job to install, uninstall, or upgrade a component. Modifying a catalog is a quick way of changing the component configuration in a system.
You can compare two system catalogs for the differences in the installed components. You can also compare the current system catalog and saved snapshots of the same managed host to examine the difference in the components that were installed and uninstalled after executing a job.
Refer to Catalogs in Ops Center Documentation for detailed information and procedures for creating, modifying, and comparing system catalogs.
In Ops Center, you can generate a variety of reports, which help you check for new patches and security advisories. For the Solaris OS, you can generate the following reports to check for different types of compliance status:
You can run any compliance report for a Solaris release and update to the latest version of patches and packages by launching a compliance job from the report result. This article explains only the Baseline Analysis Report in detail. Refer to Ops Center Documentation for more information about other reports.
You can create a Baseline Analysis Report (BAR) based on the Solaris baselines. Depending on the report results, you can create compliance jobs to install or uninstall a patch.
A baseline is a dated collection of patches, patch metadata, and tools. Sun releases baselines for the Solaris OS on a monthly basis. When you install the patches of a baseline on a host, the host is considered compliant with that baseline. Using baselines enables you to easily check the patch level of your hosts. For example, to easily learn the patch level of your hosts, install some test hosts with a particular baseline. Test these hosts for a period of time to check if the patches in the baseline are stable enough to be used on your production hosts. If the testing reveals that the baseline is stable, you can install the same baseline that you tested on your production hosts.
Each dated baseline contains these three patch sets:
Full: Includes the recommended patches for the specific Solaris version and the selected patches for other unbundled Sun products, such as Java 2 Platform, Standard Edition (J2SE platform), Sun Cluster software, and Solaris Volume Manager software.
Recommended: Includes the Solaris OS recommended patches for the specific OS version.
Security: Includes all the security patches, including the platform-specific patches and patches for other Sun products, such as J2SE platform and Sun Cluster software. The Security baseline is not a subset of the Recommended baseline.
Note - The Full baseline often contains Solaris OS patches that are not included in the Recommended baseline. The Full baseline includes additional patches based on feedback from various customer support groups within Sun. All baselines include patches for a specific time. To install the Recommended and Security baselines, you either need to deploy two jobs, or run a job that includes multiple tasks.
You can modify a baseline to create a custom patch set by using black lists and white lists. A black list is a list of patch IDs that should not be installed on a managed system.
You build a black list by creating a policy with the specified action for the patches. You can select a black list option when you create a Baseline Analysis Report. Select the black list either from the created policy or as a text file that you can create. In the text file, enter the patch IDs separated by new lines. If a particular patch in the profile is set with the policy component setting as Never for install action, then the patch will not be installed. If the patch is already installed, it will not be uninstalled or removed.
A white list is a list of patch IDs that should be installed on a managed system. For a white list, create a profile using the Required setting. You can also specify a white list when generating a Baseline Analysis report. Select the white list either from the created profile or as a text file that you can create. In the text file, enter the patch IDs separated by new lines. The required patches will be installed.
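The following shell script is an added example, not part of the original article or of Ops Center: it previews locally how black list and white list text files (one patch ID per line) would change a baseline, following the rules described above. The patch IDs, file names, and action labels are constructed for illustration, and flagging a patch that appears on both lists as a conflict is an assumption, since the article does not say how Ops Center resolves that case.

```shell
#!/bin/sh
# Added example: preview the effect of a black list and a white list on a
# baseline before generating the report. Patch IDs are constructed samples.

# read_list FILE: print the unique patch IDs in FILE, one per line.
# Tolerates CRLF endings, surrounding blanks and empty lines; returns
# non-zero if any other line is not in the NNNNNN-NN patch ID form.
read_list() {
    awk '{ sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
         $0 == "" { next }
         $0 !~ /^[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9]$/ { bad = 1; next }
         !seen[$0]++ { print }
         END { exit bad + 0 }' "$1"
}

# plan_patches BASELINE WHITE BLACK INSTALLED: print "ACTION patch-id" lines.
#   INSTALL   wanted (baseline or white list) and not yet installed
#   PRESENT   wanted and already installed
#   SKIP      black-listed, not installed: never installed
#   KEEP      black-listed but already installed: left in place
#   CONFLICT  on both lists (assumption: flag it for manual review)
plan_patches() {
    for f in "$1" "$2" "$3" "$4"; do
        read_list "$f" >/dev/null || { echo "bad entry in $f" >&2; return 2; }
    done
    { read_list "$1" | sed 's/^/B /'; read_list "$2" | sed 's/^/W /'
      read_list "$3" | sed 's/^/K /'; read_list "$4" | sed 's/^/I /'; } |
    awk '{ if (!($2 in tag)) order[++n] = $2; tag[$2] = tag[$2] $1 }
         END { for (i = 1; i <= n; i++) {
                 p = order[i]; t = tag[p]
                 if (t == "I") continue            # installed, not in scope
                 if (t ~ /W/ && t ~ /K/)      a = "CONFLICT"
                 else if (t ~ /K/ && t ~ /I/) a = "KEEP"
                 else if (t ~ /K/)            a = "SKIP"
                 else if (t ~ /I/)            a = "PRESENT"
                 else                         a = "INSTALL"
                 print a, p } }'
}

# demo: build constructed list files in a temp directory and print the plan.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 100001-05 100002-11 100003-02 100004-07 > "$d/baseline"
    printf '%s\r\n' 100005-01 ' 100003-02 ' ''           > "$d/white"
    printf '%s\n' 100002-11 100003-02 100004-07           > "$d/black"
    printf '%s\n' 100004-07 100009-09                     > "$d/installed"
    plan_patches "$d/baseline" "$d/white" "$d/black" "$d/installed"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

Running the same check against the real list files before uploading them catches malformed entries and list conflicts early; the actual dependency resolution is still done by Ops Center when the report or compliance job runs.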
You can generate two types of BAR reports:
Database-based report: The report is run against the information that is available in the database in the management server. The dependency checks for any patch installation are not carried out. The report runs on the details that are available on the database. Dependency checks are carried out only when you create a compliance job to install the patches. This report is generated faster than the report run against the host.
Agent-based BAR report: A simulated job is run against the selected assets. The dependency checks are done for all patches and resolved, and the required patches are downloaded to the host. This report takes time to generate as it requires time to check dependencies and download the patches. When you run a compliance job from this report result, the job is completed quickly because the patches are already downloaded.
The Baseline Analysis Report provides information about the hosts that are compliant with a baseline OS.
Perform the following steps to create a Baseline Analysis Report:
Log in to the Ops Center BUI.
Select Reports from the Navigation panel.
Select Solaris/Linux OS Updates from the Reports section.
Select Baseline Analysis Report from the Actions panel.
The Baseline Analysis Report is displayed.
Name the report and select the targets on which you want to run the report.
Select the Baselines from the list or custom-defined profile that comprises selected baselines.
Select whether to run the report against the database or the agent.
Select the white list and the black list.
Schedule the report to be generated now or later.
Run the report and view the result displayed under Report Results.
Run the compliance job to update the managed system to the selected baselines.
Ops Center enables you to update the global and non-global zones of your Solaris systems.
The installation of the patches and packages on the zones depends on the following package parameters:
The values that you set for these parameters determine whether a package is installed on global zones or non-global zones. The value of the parameters can be set to true or false. The following list shows how the package parameter values affect the installation of the packages on the non-global zones:
SUNW_PKG_ALLZONES - If the value is set to true, then the package is installed on the global and all non-global zones.
SUNW_PKG_HOLLOW - If the value is set to true, then the package information is propagated to the non-global zones where it is made available, although not installed.
SUNW_PKG_THISZONE - If the value is set to true, the package is installed in that zone only.
In Ops Center, the installation of the patches and packages is implemented with the pkgadd and patchadd commands in the background. These commands are implemented without the -G option. You have the option to include the -G option in the commands by modifying the uce.rc file in Ops Center. (Refer to the "To Edit the uce.rc File" section of Installing Packages and Patches on Zones.)
Installing or removing the patches with the -G option has a different impact. Refer to Updating a Global Zone and Updating Non-Global Zones for the result of patching zones with -G, without -G, and with different package parameter values.
Sun Ops Center helps you to determine whether systems are up-to-date and choose the right patches to be applied. Ops Center provides a centralized, intelligent patching solution for distributed data centers. It automates the patching of the Solaris OS, which can increase the availability and utilization of systems and minimize downtime. These capabilities lead to better management of your data center.
Unless otherwise licensed, code in all technical manuals herein (including articles, FAQs, samples) is provided under this License.