Re: [pca] Patch pre-requisites
Those other patches may have been superceded or obsoleted by newer patches, and perhaps the superceded patches are already installed. Try searching the patchdiag.xref file for the various patch numbers (without revisions), eg egrep '108528|117000|128624' /var/tmp/patchdiag.xref regards, -glenn Glenn, That seems to provide a bit more detail, which seems to make sense had I not seen the patchinfo file. I ran the pca command against the patch without a revision (see below) and then ran the same command against the dependencies to see if they had any pre-requisites (below). It seems to show one requirements (117350-62) but not the others. Any ideas. *PATCH_REQUIRES=108528-29 117000-05 117350-62* pca -l 127721 Patch IR CR RSB Age Synopsis -- -- - -- --- --- --- 128624 -- 16 RS- 116 SunOS 5.8: LDAP2 client, libc, libthread and libnsl libraries patc 117350 28 62 RS- 784 SunOS 5.8: kernel patch 127721 -- 06 RS- 64 SunOS 5.8: kernel patch pca -l 128624 Patch IR CR RSB Age Synopsis -- -- - -- --- --- --- 128624 -- 16 RS- 116 SunOS 5.8: LDAP2 client, libc, libthread and libnsl libraries patc pca -l 117350 Patch IR CR RSB Age Synopsis -- -- - -- --- --- --- 128624 -- 16 RS- 116 SunOS 5.8: LDAP2 client, libc, libthread and libnsl libraries patc 117350 28 62 RS- 784 SunOS 5.8: kernel patch pca -l 127721 Patch IR CR RSB Age Synopsis -- -- - -- --- --- --- 128624 -- 16 RS- 116 SunOS 5.8: LDAP2 client, libc, libthread and libnsl libraries patc 117350 28 62 RS- 784 SunOS 5.8: kernel patch 127721 -- 06 RS- 64 SunOS 5.8: kernel patch On Mon, Jun 13, 2011 at 6:09 PM, Glenn Satchell glenn.satch...@uniq.com.auwrote: There is some slight differences here. When you give pca the patch *and* the revision number it assumes that you want information about *only* that one patch. If you the patch number *without* the revision, then it looks up the patch and dependencies in patchdiag.xref and gives all to you. $ pca -l 142341 Is that what you wanted? Below is the command and the results. According to this no dependence. pca -l 127721-03 Try using pca -l 127721 regards, -glenn On 06/14/11 03:28, Fred wrote: Does the system you're running pca on already meet or exceed the other unlisted requirements for that kernel patch? Remeber that pca is basically telling you This is what I will install, in this order, for the patch you specify. Fred On Mon, Jun 13, 2011 at 1:03 PM, little help littlehelph...@gmail.com mailto:littlehelph...@gmail.com wrote: Actually I did a little more digging on this and the -l option does not seem to show the dependencies. For example I ran the command against a kernel patch Below is the command and the results. According to this no dependence. pca -l 127721-03 Patch IR CR RSB Age Synopsis -- -- - -- --- --- --- 127721 -- 06 RS- 63 SunOS 5.8: kernel patch I then untarred the actual patch and looked at the patchinfo file. You can see the patch requires three other patches. So now I guess I am back to the beginning. Any ideas how to get details on the dependencies for a patch? Thanks. more patchinfo PATCHINFOVERSION=1.0 PATCHID=127721-03 PATCH_CORRECTS='Automate-1.0' PATCH_ARCH='sparc' PATCH_OS='SunOS' PATCH_OSRELEASE='5.8' PATCH_PROPERTIES='clientroot clientusr rebootimmediate singleuser' *PATCH_REQUIRES=108528-29 117000-05 117350-62* PATCH_OBSOLETES=108727-26 111439-03 112325-01 114671-04 116959-21 On Mon, Jun 13, 2011 at 10:37 AM, little help littlehelph...@gmail.com mailto:littlehelph...@gmail.com wrote: Fred, Seems to be right - thanks for the tip. On Fri, Jun 10, 2011 at 1:28 PM, Fred fchag...@gmail.com mailto:fchag...@gmail.com wrote: You can determine the dependencies of a single patch by supplying the patch ID in the ARGS list on the command line. For example: $ pca -l 142341 Is that what you wanted? On Fri, Jun 10, 2011 at 10:55 AM, little help littlehelph...@gmail.com mailto:littlehelph...@gmail.com wrote: I had a quick question about the pre-requisites when installing one patch. I know pca determines dependence, etc and installs patches in that order. However, how do you do this for one single patch. For example - I want to install 109326-17 : libresolv.so.2, in.named and BIND9 patch Now libresolv.so.2
Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
Could we approach this a different way by first getting a list of missing patches relevant to a patchdiag slightly *newer* than the CPU, then filter that list with the list of patches on the CPU? e.g., pca missing patches.missing.full for patch in `cat cpu_patches.lst | cut -d- -f1`; do patch_id=`echo $patch | cut -d- -f1` grep ^$patch_id patches.missing.full echo $patch cpu_patches_check.lst done; pca -l $(chkmin $(cat cpu_patches_check.lst)) The chkmin is to avoid re-installing the same release of a patch if the patchdiag.xref contains a newer release than the CPU. I haven't tried any of the above to see if it produces a list as I'm dreading trying to navigate Oracle support to see if there's a way to get the recent CPU patch_order file without downloading the 2GB zip file. Ateeq -Original Message- From: pca-boun...@lists.univie.ac.at [mailto:pca-boun...@lists.univie.ac.at] On Behalf Of Martin Paul Sent: 15 June 2011 10:07 To: PCA (Patch Check Advanced) Discussion Subject: Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca? Jeff wrote: It does reduce the number of patches to 100, but the problem still exists that pca doesn't verify the packages are installed that the patches applies to if a specific revision is requested. So in the case of the server I'm testing, it was built with the SUNWCrnet cluster, so it has minimal packages and the actual number that would be applied is around 10. I see, you're right. It only makes sense if you stick to the Entire Distribution cluster. I really think the best solution is to either convince Oracle to package a patchdiag.xref that cooresponds with the revisions in the CPU within the CPU bundle, or for me to grab patchdiag.xrefs around the release date until I find one that cooresponds with the bundle. Agreed, it would be best if Oracle provided a matching patchdiag.xref with each CPU. Chances for that are pretty low, I guess. Same for finding an xref file from a certain date which matches the CPU exactly. As Don already mentioned, the ultimate solution would be to create a new patchdiag.xref from scratch with the data from the patches in the CPU. All the required information should be in patchinfo (PATCHID, PATCH_ARCH, PATCH_REQUIRES), the README (Synopsis, Date) and the SUNW*/pkginfo files (VERSION). The R/S flags aren't in there, but they won't matter. Anybody want to try it? :) I guess I could come up with a rough script, it's the fine-tuning and testing which scares me off, as it will take a lot of time. All I have to say is keep up the good work Martin, you are keeping a lot of Solaris shops afloat. Thanks for that! Martin. This email and any attachment to it are confidential. Unless you are the intended recipient, you may not use, copy or disclose either the message or any information contained in the message. If you are not the intended recipient, you should delete this email and notify the sender immediately. Any views or opinions expressed in this email are those of the sender only, unless otherwise stated. All copyright in any Capita material in this email is reserved. All emails, incoming and outgoing, may be recorded by Capita and monitored for legitimate business purposes. Capita exclude all liability for any loss or damage arising or resulting from the receipt, use or transmission of this email to the fullest extent permitted by law.
Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
Ateeq Altaf wrote: Could we approach this a different way by first getting a list of missing patches relevant to a patchdiag slightly *newer* than the CPU, then filter that list with the list of patches on the CPU? Should get you close. It also depends whether you succeed in finding the closest patchdiag.xref. As soon as it contains at least one patch with a newer rev than in the CPU, things get complicated. Another idea is to use archived copies of the various xref files and try to find the one which contains all (or at least the most) of the patches+revisions in the CPU list. Then you could that with pca -l all_patch_IDs_of_CPU. I haven't tried any of the above to see if it produces a list as I'm dreading trying to navigate Oracle support to see if there's a way to get the recent CPU patch_order file without downloading the 2GB zip file. I'm donwloading the 2GB file right now as I wanted to take a look at it - it takes more than 12 hours. This should make clear why we all try to avoid the CPU, I guess. There's a Read Me button in the flash interface of MOS, which leads to a file including the patch list. Martin.
Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
Martin, I kind of disagree on using CPU for couple of reasons. 1. CPU tends to change within the given release, hence the different revisions (Am I wrong in this assessment?) 2. CPU tends to install on the minimum patch revision which will get the OS off the vulnerability. I like to patch my servers with given Xref, which will solve all the issues. Example April 2011 CPU has patches from March and before, where most of them are obsolete/replaced when the CPU came out. So if we look at the latest patch included in that CPU (April 01 2011), then we can safely assume that if we use April 01 2011 Xref, we should get all the patches via PCA. Please let me know if I have my theory straight. Thanks -GGR -- Rajiv G Gunja Blog: http://ossrocks.blogspot.com On Wed, Jun 15, 2011 at 06:24, Martin Paul mar...@par.univie.ac.at wrote: Ateeq Altaf wrote: Could we approach this a different way by first getting a list of missing patches relevant to a patchdiag slightly *newer* than the CPU, then filter that list with the list of patches on the CPU? Should get you close. It also depends whether you succeed in finding the closest patchdiag.xref. As soon as it contains at least one patch with a newer rev than in the CPU, things get complicated. Another idea is to use archived copies of the various xref files and try to find the one which contains all (or at least the most) of the patches+revisions in the CPU list. Then you could that with pca -l all_patch_IDs_of_CPU. I haven't tried any of the above to see if it produces a list as I'm dreading trying to navigate Oracle support to see if there's a way to get the recent CPU patch_order file without downloading the 2GB zip file. I'm donwloading the 2GB file right now as I wanted to take a look at it - it takes more than 12 hours. This should make clear why we all try to avoid the CPU, I guess. There's a Read Me button in the flash interface of MOS, which leads to a file including the patch list. Martin.
Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
Rajiv, I kind of disagree on using CPU for couple of reasons. Maybe you got me wrong - it's not that I use the CPU myself - I agree with what you say. Personally, I don't see much sense in installing an outdated revision of a patch. Why not get *all* available fixes, when I'm installing a patch anyway? If possible, I always install all missing patches. I do understand the reasoning behind the CPU and why people use it, though - it's what fixes all security issues with the least possible amount of changes to the system. Martin.
Re: [pca] Patch pre-requisites
little help wrote: Glenn, That seems to provide a bit more detail, which seems to make sense had I not seen the patchinfo file. I ran the pca command against the patch without a revision (see below) and then ran the same command against the dependencies to see if they had any pre-requisites (below). It seems to show one requirements (117350-62) but not the others. Three things: PCA will recursively resolve the dependencies, so you don't need to re-run it manually multiple times. If a required patch is already installed, it will not be shown. To see the inner workings of resolving dependencies, run pca --debug. Martin.