Re: [pca] PCA is 10!
Congratulations!! Many thanks for the incredible body of work that is PCA.

On 9/9/2013 7:08 AM, Martin Paul wrote:

PCA is 10!

Scrolling down on the PCA-News web page, at the very bottom, one finds this message:

2003/09/09: First version. Introducing PCA 1.0.

So it's really 10 years now since I decided to make this script public, after I've been using it for some time internally. It had 208 lines at that time.

Only one day later I received the first e-mail with the subject pca from Andrew Brooks, which was a lot like the many messages I received in the next ten years:

First, he thanked me for the useful script. Such comments from PCA users turned out to be my main motivation to maintain and refine PCA in the following years. So thanks to all of you who ever sent positive comments!

Second, he provided an idea (and included code) for some new function (a new option -H to output HTML) which I immediately decided *not* to include in the official version of PCA :-) In my answer I stated that I wanted to keep PCA as simple as possible, not depending on some URLs staying consistent on Sun's web page. I always liked Unix for its tradition of simple commands which can be used in pipes to achieve great things.

Soon other PCA users provided more and more input and I started to add new functions and options over time, always weighing simplicity against usefulness. The option to download patches from Sun directly was probably one of the most useful, and the one which caused me most work in the last years. Sun (and later Oracle) turned the simple process of downloading a patch file via FTP into a complicated procedure with authentication, server redirects, dependencies on certain HTTP features etc. which I always had to follow closely to keep the download functions in PCA working. There were moments when I seriously thought about giving up on it.

While I knew that Sun engineers were using PCA themselves, and Sun never succeeded in providing its own, working patch administration tool (I would have been the first to switch, believe me!) they never officially acknowledged PCA, although it was recommended on some Sun websites and PDFs.

As I got a lot of e-mails in the meantime from admins asking about the usage of PCA and me answering the same questions over and over again, I created the PCA mailing lists (for those interested in numbers, I have 4827 messages in my folder with private PCA communication, and 3139 messages on the PCA mailing list - I definitely wrote more text than code). This helped a lot, as power users now answered the queries from beginners. I also had a lot more contact with the users of PCA and was fascinated by how many different ways and procedures it was being used in.

I also got in contact with Gerry Haskins and Don O'Malley from Sun, which made it a lot easier to sort out problems and to get information about the internals of Sun's patch creation and publication. Thanks to both of them for their help and patience!

With the appearance of Solaris 11 and its IPS system, traffic on the mailing list was reduced a lot. As PCA is not needed anymore on Solaris 11, it is now being used mostly by experienced admins running Solaris 10 who already know what they do. Personally, I also think that PCA is feature complete for quite some time now, and as (now) Oracle doesn't change their patch infrastructure anymore, new versions of PCA have been reduced to a minimum. As far as I'm concerned, that's very welcome. While I still work with some Solaris systems, we're moving away from Solaris here slowly, due to the high prices of Oracle hardware and support. Of course I'll keep PCA working as long as somebody is still using it.

Finally, let me state that I'm pretty proud of what PCA turned out to be over the years - it has saved numerous sysadmins around the world uncountable hours of work and frustration. This compensates for all the time I invested, even if it was frustrating now and then when performing complicated tests to ensure PCA's analysis being correct or hunting for obscure bugs.

Would I publish PCA 1.0 once again if I could go back to 2003? I think so :-) If only for the amount of positive feedback I got over all the years.

Let me end with a quotation which is the basis of my work on PCA (and also in general):

Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away. (Antoine de Saint-Exupery)

--
Diana Mayer Orrick
Assistant Director, Unix Systems
Infrastructure and Operations Support
Information Technology Services
The Florida State University
orr...@fsu.edu - (850) 645-8009

Re: [pca] MOS user name with @ character?
Reviewed the wget doc on My Oracle Support site and I think I've found my problem:

Highest version number access
http://sunsolve.sun.com/pdownload.do?target=141445method=h returns 141445-09
Not supported. A full patch id with a specific version is required

/usr/sfw/bin/pca -d 119254 -V
no version number

/usr/sfw/bin/pca -d 119254-78 -V
worked.

tried a general download of r/s patches, 403 errors again
tried simple single download of 118666-28 , same errors

I've been using pca successfully for some time now (up to yesterday)
does anyone have suggestions on how to recognize MOS account problems?

On 12/14/2010 11:13 AM, Diana Orrick wrote:

I'm still getting the ERROR: 403: Service Error on a simple single patch download attempt:

/usr/sfw/bin/pca -d 119254 -V

I don't have around the user/pw in the pca.conf file. I tried commenting out the user/pw entries in pca.conf, but pca never prompted for info, moved on attempted to connect and same error...

On 12/14/2010 5:36 AM, Gerard Henry wrote:

On 12/13/10 15:07, Martin Paul wrote:

Stuart F. Biggar wrote:

I'm a part time admin that has NO knowledge of perl. I've been using pca for quite some time with a Sun user name of firstnamelastname with no punctuation at all. My new MOS account name is: stuart.big...@optics.arizona.edu. I tried putting that into the USER line in pca where my old user name just worked. I now get complaints about the @ symbol. Is there a way to escape that or otherwise convince pca that my new user name is OK?

This works for me:

user||s|USER|us...@domain.org|My Oracle Support user name,
passwd||s|PASSWD|secret||My Oracle Support password,

hello all,
sorry, but i don't understand your answer. With my new MOS account, i'm able to download patch 119254-78 without problem, via website. But with pca, i got:

Trying Oracle
Trying https://getupdates.oracle.com/ (1/1)
Failed (Error 403: Service Error)
Failed (patch not found)

i use pca.conf, and put (double quotes) around user and passwd values.

thanks in advance for help,
gerard

--
~~~
Diana Mayer Orrick, System Administrator
Information Technology Services, Florida State University
Contact: orr...@fsu.edu -- (850) 645-8009
~~~

Re: [pca] MOS user name with @ character?
Have been able to download the 118666-28 patch from the My Oracle Support site without issue, still throws 403: Service Error on simple single patch download attempt with pca

nothing stand out in the verbose output from pca:

...
Resolving getupdates.oracle.com... 192.18.110.9
Connecting to getupdates.oracle.com|192.18.110.9|:443... connected
HTTP request sent, awaiting response... 403 Service Error
11:44:45 ERROR 403: Service Error.
...

really prefer using pca for patch updates, any suggestions welcome...

On 12/14/2010 11:40 AM, Diana Orrick wrote:

Reviewed the wget doc on My Oracle Support site and I think I've found my problem:

Highest version number access
http://sunsolve.sun.com/pdownload.do?target=141445method=h returns 141445-09
Not supported. A full patch id with a specific version is required

/usr/sfw/bin/pca -d 119254 -V
no version number

/usr/sfw/bin/pca -d 119254-78 -V
worked.

tried a general download of r/s patches, 403 errors again
tried simple single download of 118666-28 , same errors

I've been using pca successfully for some time now (up to yesterday)
does anyone have suggestions on how to recognize MOS account problems?

On 12/14/2010 11:13 AM, Diana Orrick wrote:

I'm still getting the ERROR: 403: Service Error on a simple single patch download attempt:

/usr/sfw/bin/pca -d 119254 -V

I don't have around the user/pw in the pca.conf file. I tried commenting out the user/pw entries in pca.conf, but pca never prompted for info, moved on attempted to connect and same error...

On 12/14/2010 5:36 AM, Gerard Henry wrote:

On 12/13/10 15:07, Martin Paul wrote:

Stuart F. Biggar wrote:

I'm a part time admin that has NO knowledge of perl. I've been using pca for quite some time with a Sun user name of firstnamelastname with no punctuation at all. My new MOS account name is: stuart.big...@optics.arizona.edu. I tried putting that into the USER line in pca where my old user name just worked. I now get complaints about the @ symbol. Is there a way to escape that or otherwise convince pca that my new user name is OK?

This works for me:

user||s|USER|us...@domain.org|My Oracle Support user name,
passwd||s|PASSWD|secret||My Oracle Support password,

hello all,
sorry, but i don't understand your answer. With my new MOS account, i'm able to download patch 119254-78 without problem, via website. But with pca, i got:

Trying Oracle
Trying https://getupdates.oracle.com/ (1/1)
Failed (Error 403: Service Error)
Failed (patch not found)

i use pca.conf, and put (double quotes) around user and passwd values.

thanks in advance for help,
gerard

--
~~~
Diana Mayer Orrick, System Administrator
Information Technology Services, Florida State University
Contact: orr...@fsu.edu -- (850) 645-8009
~~~

Re: [pca] Release 20101213-01
I've been able to successfully update pca

Have double checked the wget version for SSL/HTTPS support

wget --version -- 1.10.2

Still get this error on connection to getupdates.oracle.com:

...
Connecting to getupdates.oracle.com|192.18.110.9|:443... connected
HTTP request sent, awaiting response... 403 Service Error
11:44:38 ERROR 403: Service Error.
...

Am I missing something? Have tried all known accounts/pws as well...

Any suggestions welcome!

--
~~~
Diana Mayer Orrick, System Administrator
Information Technology Services, Florida State University
Contact: orr...@fsu.edu -- (850) 645-8009
~~~

Re: [pca] Release 20101213-01
Thanks for the response,

I also escaped the @ sign and have removed from pca.conf...
have tried all credentials for our sysadmins
still getting ERROR: 403: Service Error
just trying to download 119254...

any help appreciated, saw the Oracle email that the issues were resolved, but...

On 12/13/2010 2:06 PM, Martin Paul wrote:

Diana Orrick wrote:

Thanks for the suggestion, Unfortunately the 1.12 wget requires libssl.0.9.8 which I cannot find without installing OpenSSL separately from the Sun/Oracle supplied openssl. Would prefer to stick with Sun supplied version and the updates provided as needed...

It's fine to stick with the wget version provided with Solaris. PCA isn't really that picky about wget versions, all you need is a version of wget which supports SSL/HTTPS. Sun provides that for Solaris 9 and 10. On Solaris 9 it might be necessary to install a recent version of the wget patches:

125326 -- 02 RS- 269 SunOS 5.9: wget patch
125327 -- 02 RS- 269 SunOS 5.9_x86: wget patch

Martin.

--
~~~
Diana Mayer Orrick, System Administrator
Information Technology Services, Florida State University
Contact: orr...@fsu.edu -- (850) 645-8009
~~~

Re: [pca] Download server issue fixed
Hello Mike,

I'm still having issues, getting ERROR: 403: Service Error on a simple download attempt using PCA for patch 119254

When I look at settings manage users the display appears to have myself, orr...@fsu.edu and my cohort tkitter...@fsu.edu associated with an expired Support Identifier 17029740 instead of the correct one 17049317. I have tried to change this without having it 'stick'.

Can you help me determine why I'm still getting the 403 ERROR?

thanks for any help!

On 12/13/2010 1:55 PM, Mike Brown wrote:

Please note there was an issue with the new download server this morning where correctly entitled downloads were being incorrectly rejected. Apologies for any inconvenience.

Please retry any failed downloads that you believe should have worked.

Thanks
Mike Brown (filling in for Don O'Malley)

--
Oracle http://www.oracle.com
Michael Brown | Principal Product Strategy Manager
Phone/Fax: +1.858.526.9136 tel:+18585269136 | Mobile: +1.858.248.7473 tel:+18582487473
Oracle - Proactive Support Center, Knowledge Management
9515 Towne Centre Dr | San Diego, California 92121, USA
Green Oracle http://www.oracle.com/commitment Oracle is committed to developing practices and products that help protect the environment

--
~~~
Diana Mayer Orrick, System Administrator
Information Technology Services, Florida State University
Contact: orr...@fsu.edu -- (850) 645-8009
~~~

Re: [pca] Download server issue fixed
Apologies, meant for this to go to Mike...

On 12/13/2010 2:25 PM, Diana Orrick wrote:

Hello Mike,

I'm still having issues, getting ERROR: 403: Service Error on a simple download attempt using PCA for patch 119254

When I look at settings manage users the display appears to have myself, orr...@fsu.edu and my cohort tkitter...@fsu.edu associated with an expired Support Identifier 17029740 instead of the correct one 17049317. I have tried to change this without having it 'stick'.

Can you help me determine why I'm still getting the 403 ERROR?

thanks for any help!

On 12/13/2010 1:55 PM, Mike Brown wrote:

Please note there was an issue with the new download server this morning where correctly entitled downloads were being incorrectly rejected. Apologies for any inconvenience.

Please retry any failed downloads that you believe should have worked.

Thanks
Mike Brown (filling in for Don O'Malley)

--
Oracle http://www.oracle.com
Michael Brown | Principal Product Strategy Manager
Phone/Fax: +1.858.526.9136 tel:+18585269136 | Mobile: +1.858.248.7473 tel:+18582487473
Oracle - Proactive Support Center, Knowledge Management
9515 Towne Centre Dr | San Diego, California 92121, USA
Green Oracle http://www.oracle.com/commitment Oracle is committed to developing practices and products that help protect the environment

--
~~~
Diana Mayer Orrick, System Administrator
Information Technology Services, Florida State University
Contact: orr...@fsu.edu -- (850) 645-8009
~~~

Re: [pca] Release 20101213-01
Thanks,

Our shop runs Sol 10 only.

On 12/13/2010 2:25 PM, French, David wrote:

BTW, the Sol9 packages run fine on Sol8. I use it that way here. Just grab the packages from Sol9 and install on Sol8. PCA is even nice enough to know when they need to be patched and handle that as well...

-Original Message-
From: pca-boun...@lists.univie.ac.at [mailto:pca-boun...@lists.univie.ac.at] On Behalf Of Martin Paul
Sent: Monday, December 13, 2010 11:07 AM
To: PCA (Patch Check Advanced) Discussion
Subject: Re: [pca] Release 20101213-01

Diana Orrick wrote:

Thanks for the suggestion, Unfortunately the 1.12 wget requires libssl.0.9.8 which I cannot find without installing OpenSSL separately from the Sun/Oracle supplied openssl. Would prefer to stick with Sun supplied version and the updates provided as needed...

It's fine to stick with the wget version provided with Solaris. PCA isn't really that picky about wget versions, all you need is a version of wget which supports SSL/HTTPS. Sun provides that for Solaris 9 and 10. On Solaris 9 it might be necessary to install a recent version of the wget patches:

125326 -- 02 RS- 269 SunOS 5.9: wget patch
125327 -- 02 RS- 269 SunOS 5.9_x86: wget patch

Martin.

--
~~~
Diana Mayer Orrick, System Administrator
Information Technology Services, Florida State University
Contact: orr...@fsu.edu -- (850) 645-8009
~~~

Re: [pca] Release 20101213-01
Well...

Tried wget as cmd line and got certificate errors so I dug around and did get the getupdates.pem file installed and successfully downloaded 119254 !

Then did a test run of downloading the rs patches and still getting lots of ERROR: 403: Service Error failures...

Are other folks on the list having success with the transition today? Or similar snags?

On 12/13/2010 2:14 PM, Diana Orrick wrote:

Thanks for the response,

I also escaped the @ sign and have removed from pca.conf...
have tried all credentials for our sysadmins
still getting ERROR: 403: Service Error
just trying to download 119254...

any help appreciated, saw the Oracle email that the issues were resolved, but...

On 12/13/2010 2:06 PM, Martin Paul wrote:

Diana Orrick wrote:

Thanks for the suggestion, Unfortunately the 1.12 wget requires libssl.0.9.8 which I cannot find without installing OpenSSL separately from the Sun/Oracle supplied openssl. Would prefer to stick with Sun supplied version and the updates provided as needed...

It's fine to stick with the wget version provided with Solaris. PCA isn't really that picky about wget versions, all you need is a version of wget which supports SSL/HTTPS. Sun provides that for Solaris 9 and 10. On Solaris 9 it might be necessary to install a recent version of the wget patches:

125326 -- 02 RS- 269 SunOS 5.9: wget patch
125327 -- 02 RS- 269 SunOS 5.9_x86: wget patch

Martin.

--
~~~
Diana Mayer Orrick, System Administrator
Information Technology Services, Florida State University
Contact: orr...@fsu.edu -- (850) 645-8009
~~~

Re: [pca] Kernel Patch 142909-17
Yes, we have been using the set num_proc as soon as it became available and it has made a significant difference. That's why the delay seemed so strange.

On 10/11/2010 3:39 AM, French, David wrote:

I just wanted to point out that you can modify /etc/patch/pdo.conf and set num_proc to something higher than the default of 1. This will patch num_proc zones in parallel when patchadd runs. For example, if you have many cpus and 10 zones, it shouldn't take much more time than twice what it took to patch the global alone if you set the value to ten, as they will all run in parallel.

I have a couple of T2000s with a global and 4 container zones. The first (num_proc=1) took hours (4-5) to add about 120 patches. The other system I made sure the parameter above was set to 5. Patching on that server for the same 120 or so patches (identical setups) took a little over an hour. You can really see the difference with the Java patches.

BTW, the parameter is described in the patchadd man page, just search for parallel.

--Dave

-Original Message-
From: pca-boun...@lists.univie.ac.at [mailto:pca-boun...@lists.univie.ac.at] On Behalf Of Diana Orrick
Sent: Saturday, October 09, 2010 3:41 PM
To: PCA (Patch Check Advanced) Discussion
Subject: Re: [pca] Kernel Patch 142909-17

Thanks for the suggestions everyone, will supply more info when time allows. Still working on the cluster...

On 10/9/2010 6:18 PM, Rajiv Gunja wrote:

You might want to compare the times it took for other patches so that you know if it will take longer than 13*11*x minutes where x is some random number which it seems to take for patching zones.

If the server is ok to run for more time let it run. It took my server 7 hours to patch 200 patches on a server with 3 zones. Since you have 13 zones it might take longer.

-GGR

On Oct 9, 2010 12:17 PM, Martin Paul mar...@par.univie.ac.at mailto:mar...@par.univie.ac.at wrote:

Diana Orrick wrote:

Any suggestions on how to determine if the patching is progressing at all?

I guess you could use truss -f -pPID on the PID of the patchadd process to see what's going on.

If you have to interrupt the patch installation process, the only good thing is that PCA is using plain patchadd for the patch install, so there's no extra uncertainty added by the fact that you are using PCA.

On the other hand I don't have much practical experience about how patchadd reacts to Ctrl-C. I think that it should be pretty safe to remove the partly installed patch with patchrm afterwards without causing any ill effects.

Martin.

--
~~~
Diana Mayer Orrick, System Administrator
Information Technology Services, Florida State University
Contact: orr...@fsu.edu -- (850) 645-8009
~~~

Re: [pca] Kernel Patch 142909-17
Thanks much!! I believe this will be a helpful tool in the future.

On 10/11/2010 6:44 AM, Glenn Satchell wrote:

patchadd spawns many sub-processes, so I get the PID of the pca process, then run ptree frequently

ptree 12345

and look to see if the lowest level processes keep changing.

% ptree 19993
459 /usr/lib/ssh/sshd
19911 /usr/lib/ssh/sshd
19912 /usr/lib/ssh/sshd
19922 -zsh
19984 /usr/bin/zsh -l
19993 perl -x -w /usr/local/bin/pca -i 143592
20023 sh -c /usr/sbin/patchadd /tmp/pca.128679374919993/143592-05
20024 /usr/sbin/patchadd /tmp/pca.128679374919993/143592-05
20026 /bin/ksh -hp /usr/lib/patch/patchadd -M /tmp/pca.12867937
20108 pkgadd -O patchPkgInstall -O nozones -O enable-hollow-p
20111 /usr/sadm/install/bin/pkginstall -O patchPkgInstall -
20112 /sbin/sh /tmp/pca.128679374919993/143592-05/SUNWipf
20113 cut -d- -f1

regards,
-glenn

On 10/10/10 09:41, Diana Orrick wrote:

Thanks for the suggestions everyone, will supply more info when time allows. Still working on the cluster...

On 10/9/2010 6:18 PM, Rajiv Gunja wrote:

You might want to compare the times it took for other patches so that you know if it will take longer than 13*11*x minutes where x is some random number which it seems to take for patching zones.

If the server is ok to run for more time let it run. It took my server 7 hours to patch 200 patches on a server with 3 zones. Since you have 13 zones it might take longer.

-GGR

On Oct 9, 2010 12:17 PM, Martin Paul mar...@par.univie.ac.at mailto:mar...@par.univie.ac.at wrote:

Diana Orrick wrote:

Any suggestions on how to determine if the patching is progressing at all?

I guess you could use truss -f -p PID on the PID of the patchadd process to see what's going on.

If you have to interrupt the patch installation process, the only good thing is that PCA is using plain patchadd for the patch install, so there's no extra uncertainty added by the fact that you are using PCA.

On the other hand I don't have much practical experience about how patchadd reacts to Ctrl-C. I think that it should be pretty safe to remove the partly installed patch with patchrm afterwards without causing any ill effects.

Martin.

--
~~~
Diana Mayer Orrick, System Administrator
Information Technology Services, Florida State University
Contact: orr...@fsu.edu -- (850) 645-8009
~~~

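Glenn Satchell's ptree tip quoted in the message above can be scripted; the following is an added example, not part of the thread and not PCA code. It assumes ptree indents each child by two spaces; the function names, the indentation of the sample trees and the two child PIDs in the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a patchadd run is still moving by comparing
# the leaf processes of two ptree snapshots taken some time apart.

# Read ptree-style output on stdin; print the PID of every process that has
# no child (a line is a leaf when the next line is not indented deeper).
ptree_leaves() {
    awk '
        NF {
            match($0, /[^ ]/); d = RSTART - 1   # leading spaces = depth
            if (seen && d <= prev_d) print prev_pid
            prev_d = d; prev_pid = $1; seen = 1
        }
        END { if (seen) print prev_pid }
    '
}

# progress_state OLD_SNAPSHOT NEW_SNAPSHOT
# Prints "progressing" when the set of leaf PIDs differs, else "unchanged".
# "unchanged" over several samples is a hint, not proof, of a stall: one
# long-running install step keeps the same leaf PID while doing real work.
progress_state() {
    old=$(printf '%s\n' "$1" | ptree_leaves | sort)
    new=$(printf '%s\n' "$2" | ptree_leaves | sort)
    if [ "$old" = "$new" ]; then echo unchanged; else echo progressing; fi
}

# On the Solaris host: watch_patch PID [SECONDS], PID being the pca process.
watch_patch() {
    prev=$(ptree "$1" 2>/dev/null)
    while [ -n "$prev" ] && sleep "${2:-60}"; do
        cur=$(ptree "$1" 2>/dev/null)
        [ -n "$cur" ] || break                  # tree gone: pca has exited
        echo "$(date '+%H:%M:%S') $(progress_state "$prev" "$cur")"
        prev=$cur
    done
}

# Constructed samples: processes from the ptree listing in the thread, with
# indentation added; 20140 and 20141 are invented for the second snapshot.
TREE_TOP='19993 perl -x -w /usr/local/bin/pca -i 143592
  20023 sh -c /usr/sbin/patchadd /tmp/pca.128679374919993/143592-05
    20024 /usr/sbin/patchadd /tmp/pca.128679374919993/143592-05
      20026 /bin/ksh -hp /usr/lib/patch/patchadd -M /tmp/pca.12867937
        20108 pkgadd -O patchPkgInstall -O nozones -O enable-hollow-p
          20111 /usr/sadm/install/bin/pkginstall -O patchPkgInstall -
            20112 /sbin/sh /tmp/pca.128679374919993/143592-05/SUNWipf'
SNAP_A="$TREE_TOP
              20113 cut -d- -f1"
SNAP_B="$TREE_TOP
              20140 grep SUNWipf
              20141 cut -d- -f1"

echo "same snapshot twice: $(progress_state "$SNAP_A" "$SNAP_A")"
echo "later snapshot:      $(progress_state "$SNAP_A" "$SNAP_B")"
```
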
Re: [pca] Kernel Patch 142909-17
All indications are that the kernel patch 142909-17 progressed to the installation of SUNWdcar package and just stopped. ()

Patching was halted/killed, partial install backed out cleanly and later the system rebooted fine.

Unfortunately, the other node in the cluster was not fine. Pay very close attention to the back out procedures in the kernel patch README under Note 4. Node would not boot when backout procs were not followed.

An excellent reminder to review the docs prior to work, no matter how many previous successes are under your belt.

On 10/10/2010 10:12 AM, Dennis Clarke wrote:

Thanks for the suggestions everyone, will supply more info when time allows. Still working on the cluster...

~~~
Diana Mayer Orrick, System Administrator
Information Technology Services, Florida State University
Contact: orr...@fsu.edu -- (850) 645-8009
~~~

So, did everything finish up nicely ?

--
~~~
Diana Mayer Orrick, System Administrator
Information Technology Services, Florida State University
Contact: orr...@fsu.edu -- (850) 645-8009
~~~

Re: [pca] Kernel Patch 142909-17
If anyone is watching the list, have you seen/heard of this 'problem'?

I am currently attempting to use PCA to patch a clustered Sun 10 system of 2 nodes. The cluster has 13 non-global zones. Have used PCA for some time now and have been very happy with the tool.

Following recommended (and always previously successful) procedures, I have placed all zones on one node and patched the other node (w/o zones). Installation of 142909-17 did take a while (11 minutes) but the process moved on as always and the patching was successful on the node with no zones.

On the node with the zones, followed usual procedure and the process seems to have halted at the kernel patch 142909-17 and has not progressed. Ordinarily the global zone would be patched and then it goes through listing the non-global zones... It has not gotten past the global zone installation.

It's been almost 3 hours and I'm reluctant to stop/halt/Ctl-C the patching process since this is a kernel patch. System is up, nothing in /var/adm/messages...

I've spot checked the updated files listed in the patch doc on Oracle/Sun between the first patched node and the current node and see some updates, but it's difficult to tell the order the files are introduced/updated from the extensively long list of new files in this patch.

The processes listed related to PCA are still 'running' , another reason I'm reluctant to halt/kill.

Has anyone seen this behavior with this patch in a similar system situation?

Any suggestions on how to determine if the patching is progressing at all?

--
~~~
Diana Mayer Orrick, System Administrator
Information Technology Services, Florida State University
Contact: orr...@fsu.edu -- (850) 645-8009
~~~

Re: [pca] sunsolve https not working?
Oracle Sunsolve appears to be down/inaccessible/incredibly slow...again.

Attempted to avoid this problem by pre-downloading patches in advance, but apparently a new patch was released...after 5 attempts on HTTPS request using pca:

ERROR: 503 Service Unavailable.

Finally logged in on Sun website, but response time is incredibly slow... Will attempt a manual download, eventually.

Same experience at Memorial Day weekend...

Anyone have any idea when Sunsolve will be fully back and what the issues are??

all info appreciated,
DM Orrick

On 6/28/2010 2:06 PM, Martin Paul wrote:

Hi Don,

I just checked this out and all appears to be working fine for me; longest delay was about 7 seconds...

The delays have gone down to a similar maximum here, so I guess it's fine now.

Thanks, Martin.

--
~~~
Diana Mayer Orrick, System Administrator
Information Technology Services, Florida State University
Contact: orr...@fsu.edu -- (850) 645-8009
~~~