Patching Solaris with Customize By Daniel Bergström and Joacim Häggmark With Customize comes the module Global::stdpatches, which is the module that does all the installation and uninstallation of Solaris patches. The idea is any two machines, one have been around for a while, and another just installed, should have the exact same patches (unless something else is wanted). In all examples we will use Solaris 8 but I guess you understand what to do for another Solaris version. 1. First time If you don't have any customize patch directory you should probably first create /custom/patchdir and then download 8_Recommended.zip from sunsolve.sun.com and unzip it into that directory. Rename the 8_Recommended directory to SunOS_5.8. Then you should have a /custom/patchdir/SunOS_5.8 directory with a lot of patches in it. Rename patch_order to what you have the PATCHCLASS set to in the custom.conf. Try running customize to see that the patches gets installed. There are two ways of adding a new patch to the patchfile. First we will show how to do it manually and then with help from a script. 2. Manually add a patch to the patchlist. In this example we will show how the patch 108528-05 is added into SunOS 5.8 patch list. First we got the patch from sunsolve.sun.com. Once we got the patch downloaded we unpack it in /custom/patchdir/SunOS_5.8 with the other patches. After this step is done it's time to modify the patch list. In our case its the patch class is ws (for workstations). If you are uncertain you can look in your /custom/etc/custom.conf, for set PATCHCLASS xxx. When when have figured out our patchclass we should make a copy of the file. > cp ws ws.16_Feb_2001 We then modify the copy with our favorite editor. In this case we are going to upgrade an old revision of the patch. Look for 108528 we find # SunOS 5.8: kernel update patch # 108528-03 UPGRADED FROM 108528-02 108528-03 Lines beginning with a hash (#) is ignored at parsing. The first line is the synopsis from the patch readme file, it's for information so we easily can see what kind of patch it is. The line below shows that we earlier have done a upgrade from revision 02 to revision 03. The last line is the patch id and that's the only line thats really needed. The changes we do is adding a comment about our change of revision and changes the revision of the patch, this results in # SunOS 5.8: kernel update patch # 108528-05 UPGRADED FROM 108528-03 108528-05 Our example is based on that the patchclass file is just a soft link to the real file that ends with the date when the patchfile was created. If you haven't done it that way you should do a backup of the file first. Now it's time to apply the changes. This is done by removing the old link ws and pointing it to our new patch list, ws.16_Feb_2001. > rm ws > ln -s ws.16_Feb_2001 ws 3. Add patches to patchlist with patchupdate.pl This program builds new patchfiles by processing Sun:s patchreport file and the current patchfile. It updates all patches currently in use and adds all new recommended patches. If a patch is obsoleted it will be removed and patches that isn't unpacked will be unpacked into the customize patchdirectory. To be able to run it you need a mirror of Suns patches. You can find the program in the contrib directory and you should edit it and change the defaultmirrordir to your mirror directory. The programs syntax is: patchupdate.pl options patchfile new_patchfile os_rev patchdirectory patchfile is the name of the file that we will update our patches from (just create an empty file if it's the first run) new_patchfile is the name of the new patchfile that this program will create. os_rev is the Solaris version for example 2.6, 7 or 8. patch direcory is the path to where the unpacked patches is (usually something like /custom/patchdir/SunOS_5.8) Options: Options has to be given before the arguments -i patchid Patchnumbers of patches that should NOT be upgraded or installed. Only specify the first six digits. If it's more then one patch do -i "123456 123457" If these patches already exists in the patchfile they will stay in the same version and if it doesn't exist if won't be installed even if the patch is recommended. -r patchreport (If the patchreport isn't in the mirrordir) ex. -r ~/Solaris2.6.PatchReport. This option overides the os_rev. -a patchid (If we should include other patches) If there are more then one do -a "105222-03 105529-07" The easiest way to run it is to stand in /custom/patchdir/SunOS_5.8 and run for example patchupdate -a "112233-05" ws ws.new 8 . You should avoid running patchupdate while the patchmirror is being updated. 4. Running customize It is possible to run just the patching part of customize, By running the command below only the patching is done, without reboot. # /custom/bin/custom.pl -o Global::stdpatches Done with ERROR If an error occurs when backing out a patch or when patching it will write on the screen, `done with ERROR'. The information on what went wrong is stored in two different files depending on what went wrong. When a backout of a patch fails the information is written to /var/custom/patcherror.backout. When a patch fails to be installed it writes to /var/custom/patcherror. Older customize versions failed when a patch has been installed without backing up the original files but now it creates a file (/var/custom/patches.unremoveable) instead and when we are going to upgrade patches that are in that file we don't even try to backout them because we know it's useless to try. Instead we just installs the new patch but then we loose the possibility to backout it. This was needed to be able to run customize on computers that hasn't been running customize from installation. In the an example above, we added a patch. When we ran Customize we got the message `Done with ERROR'. By looking in the /var/custom directory we find a file called patcherror that contains: 108528-05 2001-02-16 17:14 The required patch 110383 was not in the patchfile. This is because the patch 110383 haven't been installed. We install this patch by adding into the ws_cde.16_Feb_2001 # SunOS 5.8: libnvpair patch 110383-01 When this is done we remove the patcherror file and run customize again. Here is another example, we setup to install a patch for PGX32 graphic card. Everything works good on all machines with a PGX32 card, on those without we get an error. The error in /var/custom/patcherror: 107851-07 2001-03-07 09:06 No packages to patch This indicates that the patch couldn't be added to the system because we don't have the software package installed. In the patch list its written. # PGX32 2.1: Graphics Patch 107851-07 What we want it is checking if the package to patch exists before even trying to patch. This can be done by adding a package or a file name after the patch id. # PGX32 2.1: Graphics Patch 107851-07 TSIgfx or 107851-07 /kernel/drv/gfxp