
Installing a Patch

Sun customers can access security patches and other recommended patches via the World Wide Web or anonymous FTP. You can download patches from the SunSolve website, which (as of this writing) is at Sun customers who have purchased a service contract can access an extended set of patches and a complete database of patch information. (This information is also available via the World Wide Web or FTP, and it is regularly distributed on CD-ROM.)

You can obtain individual patches or groups of patches called a patch cluster. Detailed information about how to install and remove a patch is provided in the README file included with each patch, which contains specific information about the patch.

Patches come in three different formats. Solaris 10 patches come in ZIP format, such as For Solaris 10 patches, use the unzip command to extract the patch files, as follows:


Other times, a patch may come in as a jar file indicated by a .jar suffix in the name, for example 120292-01.jar. To extract the jar file, type

jar xvf 120292-01.jar

For Solaris 2.6 and earlier operating environments, patches might come in compressed TAR format, such as 104945-02.tar.Z. Use the zcat command to decompress this type of patch file and the tar command to create the patch directories, as follows:

/usr/bin/zcat 104945-02.tar.Z | tar xvf -

Other Solaris patches might come as GZIP compressed TAR files, such as 102945-02.tar.gz. To extract a GZIP compressed TAR file, use the gzcat command to decompress and create the patch directories, as follows:

/usr/bin/gzcat 104945-02.tar.gz | tar xvf -

The patchadd command is used to install directory-format patches to a Solaris 10 system. It must be run as root. The syntax is as follows:

patchadd [ -d ] [ -u ] [ -B backout_dir]

The patchadd command is described in Table 2.6.

Table 2.6. patchadd Command Options

Command Option

Description

-d

Does not create a backup of the files to be patched. The patch cannot be removed when this option has been used to install the patch. By default, patchadd saves a copy of all files being updated so that the patch can be removed if necessary. Do not use the -d option unless you're positive the patch has been tested.

-p

Displays a list of the patches currently applied.

-u

Installs the patch unconditionally, with file validation turned off. The patch is installed even if some of the files to be patched have been modified since their original installation.

-B <backout_dir>

Saves backout data to a directory other than the package database. Specify <backout_dir> as an absolute pathname.

-M <patch_dir> <patch_id>

Specifies the patches to be installed. Specify patches to the -M option by directory location and by patch number.


<patch_dir> is the absolute pathname of the directory that contains the spooled patches. The <patch_id> is the patch number of a particular patch.

-M <patch_dir> <patch_file list>

Specifies the patches to be installed. Specify patches to the -M option by directory location and the name of a file containing a patch list. To use the directory location and a file containing a patch list, specify <patch_dir> as the absolute pathname of the directory containing the file with a list of patches to be installed. Specify <patch_list> as the name of the file containing the patches to be installed. See the example in the "Installing a Patch" section of this chapter.

-R <client_root_path>

Locates all patch files generated by patchadd under the directory <client_root_path>. <client_root_path> is the directory that contains the bootable root of a client from the server's perspective. Specify <client_root_path> as the absolute pathname to the beginning of the directory tree under which all patch files generated by patchadd are to be located. See the example in the "Installing a Patch" section of this chapter.


patchadd Options: Additional options to the patchadd command can be found online in the Solaris system manual pages.

Installing a Patch

The following examples describe how to add patches to your system. A word of caution is in order before you install patches, however. It has been my personal experience (Murphy's Law, you might say) that things can go wrong. Because you're modifying the operating system with a patch, I highly recommend that you back up your file systems before loading patches. Although it can be a time-consuming and seemingly unnecessary task, I once encountered a power failure during a patch installation that completely corrupted my system. Another time, the patch installation script was defective, and the patch did not load properly. Without a backup, I would have had to reinstall the entire operating system.

The following example installs a patch to a standalone machine:

patchadd /var/spool/patch/104945-02

The following example installs multiple patches. The patchlist file specifies a file containing a list of patches to install:

patchadd -M /var/spool/patch patchlist

Many times, a patch or patch cluster contains a script named install_patch or install_cluster. Simply executing this script will install the patch or patch cluster.

The following example displays the patches installed on a client system named client1:

patchadd -R /export/root/client1 -p

When you're installing a patch, the patchadd command copies files from the patch directory to the local system's disk. More specifically, patchadd does the following:

  • It determines the Solaris version number of the managing host and the target host.

  • It updates the patch package's pkginfo file with information about patches made obsolete by the patch being installed, other patches required by this patch, and about patches incompatible with this patch.

  • It moves outdated files and directories to the /var directory.

  • It logs the patch installation to the /var/sadm/patch/<patch-id> directory.

  • It updates the /var/sadm/pkg/<pkg-name>/pkginfo file.

The patchadd command will not install a patch under the following conditions:

  • If the package is not fully installed on the host.

  • If the patch architecture differs from the system architecture.

  • If the patch version does not match the installed package version.

  • If an installed patch already exists with the same base code and a higher version number.

  • If the patch is incompatible with another, already-installed patch. (Each installed patch keeps this information in its pkginfo file.)

  • If the patch being installed requires another patch that is not installed.
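
The revision and dependency conditions in the list above can be tested before patchadd is run. This is an added example, not part of the original text or of Solaris: the helper name precheck, its input format, and the rule that a required patch is satisfied by the same or a later revision are assumptions.

```sh
#!/bin/sh
# Added example, not from the original text. precheck is a hypothetical helper.
# It tests two of the refusal conditions listed above against a file of
# installed patch IDs (one "NNNNNN-NN" per line, or lines beginning
# "Patch: NNNNNN-NN", the form assumed here for "patchadd -p" output).
#
# usage: precheck CANDIDATE_ID INSTALLED_FILE [REQUIRED_ID ...]
# prints: "ok", "superseded-by <id>" or "missing <id>"
# Assumption: a required patch is satisfied by that revision or a later one.
precheck() {
    cand=$1; list=$2; shift 2
    awk -v cand="$cand" -v req="$*" '
        BEGIN { split(cand, c, "-") }
        NF {
            id = ($1 == "Patch:") ? $2 : $1
            split(id, p, "-")
            # remember the highest installed revision of each base code
            if (!(p[1] in inst) || p[2] + 0 > inst[p[1]]) inst[p[1]] = p[2] + 0
        }
        END {
            # same base code already installed at a higher revision
            if ((c[1] in inst) && inst[c[1]] > c[2] + 0) {
                printf "superseded-by %s-%02d\n", c[1], inst[c[1]]
                exit
            }
            # every required patch must be present at a sufficient revision
            n = split(req, r, " ")
            for (i = 1; i <= n; i++) {
                split(r[i], q, "-")
                if (!(q[1] in inst) || inst[q[1]] < q[2] + 0) {
                    print "missing " r[i]
                    exit
                }
            }
            print "ok"
        }' "$list"
}
```

The required patch IDs passed as extra arguments have to be taken from the patch's README or pkginfo file; the helper does not read them itself.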

When a patch is installed, files that are replaced are moved into the /var/sadm/pkg/<pkgname>/save directory. Files in this directory are used if you ever need to back out of a patch. These files are used to restore the system to the prepatch installation state. Backing out a patch returns files and directories stored in the /var directory to their original locations and removes the versions installed by the patch. If you remove files in this directory, you will not be able to back out a patch.

showrev -p gets its information from /var/sadm/pkg/<pkgname>/save as well, specifically from the pkginfo file in each pkg directory. This directory contains old information about the package as it existed prior to a patch install and contains backups of critical files for the package.

The file that you see in this directory will be different depending on the package, but the save information for the patch IDs that have been installed should always exist and will look something like this:

ls -l /var/sadm/pkg/SUNWcsu/save <cr>
total 8
drwxr-xr-x    2  root    other     512  Oct 10 15:25  112233-02
drwxr-xr-x    2  root    other     512  Oct 10 15:20  112963-01
drwxr-xr-x    2  root    other     512  Oct 10 15:27  112964-02
drwxr-xr-x    2  root    other     512  Oct 10 15:08  112998-02

Looking into each directory, we see a file named undo.Z as follows:

ls 112233-02 <cr>

If a file doesn't exist here, the patch was installed with the -d option. You did not save the backout information and the patch cannot be backed out. This file will not always be in .Z format. Sometimes it will be just a regular uncompressed file.
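
The check described above can be run across every package to find patches that can no longer be backed out. This is an added example, not from the original text: the function names audit_backout and count_missing are hypothetical, and the directory layout is the one shown in the listing above.

```sh
#!/bin/sh
# Added example, not from the original text.
# Layout assumed from the text: <pkgdb>/<pkgname>/save/<patch-id>/undo[.Z]

# audit_backout [PKGDB]
# Prints "<pkgname> <patch-id> <status>" for each saved patch directory.
# status is "ok" when undo or undo.Z exists, otherwise "no-backout".
# Patches installed with -B keep their backout data elsewhere, so they are
# reported as "no-backout" here and must be checked against that directory.
audit_backout() {
    pkgdb=${1:-/var/sadm/pkg}
    for dir in "$pkgdb"/*/save/*; do
        [ -d "$dir" ] || continue          # unmatched glob or stray file
        patch=${dir##*/}
        case $patch in                      # keep only patch-ID style names
            [0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9]) ;;
            *) continue ;;
        esac
        pkg=${dir%/save/*}
        pkg=${pkg##*/}
        if [ -f "$dir/undo" ] || [ -f "$dir/undo.Z" ]; then
            echo "$pkg $patch ok"
        else
            echo "$pkg $patch no-backout"
        fi
    done
}

# count_missing [PKGDB]: number of saved patches without backout data.
count_missing() {
    audit_backout "$1" | awk '$3 == "no-backout" { n++ } END { print n + 0 }'
}
```

Run audit_backout with no argument to scan /var/sadm/pkg, or pass the package database of a client root such as /export/root/client1/var/sadm/pkg.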

A patch cluster contains a selected set of patches, conveniently wrapped for one-step installation. Typically, they will be named "10_recommended". Clusters consist of operating system patches (including security fixes) deemed to be of universal interest. To install a patch cluster, follow these steps:

  1. Uncompress or unzip the patch cluster and extract the tar file.

  2. Change to the directory that contains the patch cluster, read the README file for any specific instructions, and run the install_cluster script.

Removing a Patch

Sometimes a patch does not work as planned and needs to be removed from the system. The utility used to remove, or "back out of," a patch is the patchrm command, described in Table 2.7. Its syntax is as follows:

patchrm [ -f ] [ -B backout_dir]

Table 2.7. patchrm Command Options

Command Options

Description

-f

Forces the patch removal regardless of whether the patch was superseded by another patch.

-B <backout_dir>

Removes a patch whose backout data has been saved to a directory other than the package database. This option is needed only if the original backout directory, supplied to the patchadd command at installation time, has been moved. Specify <backout_dir> as an absolute pathname.

The following example removes a patch from a standalone system:

patchrm 104945-02

The patchrm command removes a Solaris 10 patch package and restores previously saved files, restoring the file system to its state before a patch was applied, unless any of the following four conditions exist:

  • The patch was installed with patchadd -d. (The -d option instructs patchadd not to save copies of files being updated or replaced.)

  • The patch has been made obsolete by a later patch.

  • The patch is required by another patch already installed on the system.

  • The patchrm command calls pkgadd to restore packages saved from the initial patch installation.

Historical information about all installed patches that are able to be uninstalled using patchrm is stored in the /var/sadm/patch directory.
