Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
Could we approach this a different way by first getting a list of missing patches relevant to a patchdiag slightly *newer* than the CPU, then filter that list with the list of patches on the CPU? e.g.,

    # List every patch pca reports as missing against the newer patchdiag.xref
    pca missing > patches.missing.full
    # Keep each CPU patch (with its CPU revision) whose ID is in the missing list
    for patch in `cat cpu_patches.lst`; do
        patch_id=`echo $patch | cut -d- -f1`
        grep "^$patch_id" patches.missing.full > /dev/null && echo $patch >> cpu_patches_check.lst
    done
    pca -l $(chkmin $(cat cpu_patches_check.lst))

The chkmin is to avoid re-installing the same release of a patch if the patchdiag.xref contains a newer release than the CPU.

I haven't tried any of the above to see if it produces a list as I'm dreading trying to navigate Oracle support to see if there's a way to get the recent CPU patch_order file without downloading the 2GB zip file.

Ateeq

-Original Message-
From: pca-boun...@lists.univie.ac.at [mailto:pca-boun...@lists.univie.ac.at] On Behalf Of Martin Paul
Sent: 15 June 2011 10:07
To: PCA (Patch Check Advanced) Discussion
Subject: Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?

Jeff wrote:

It does reduce the number of patches to 100, but the problem still exists that pca doesn't verify the packages are installed that the patches apply to if a specific revision is requested. So in the case of the server I'm testing, it was built with the SUNWCrnet cluster, so it has minimal packages and the actual number that would be applied is around 10.

I see, you're right. It only makes sense if you stick to the Entire Distribution cluster.

I really think the best solution is to either convince Oracle to package a patchdiag.xref that corresponds with the revisions in the CPU within the CPU bundle, or for me to grab patchdiag.xrefs around the release date until I find one that corresponds with the bundle.

Agreed, it would be best if Oracle provided a matching patchdiag.xref with each CPU. Chances for that are pretty low, I guess. Same for finding an xref file from a certain date which matches the CPU exactly.

As Don already mentioned, the ultimate solution would be to create a new patchdiag.xref from scratch with the data from the patches in the CPU. All the required information should be in patchinfo (PATCHID, PATCH_ARCH, PATCH_REQUIRES), the README (Synopsis, Date) and the SUNW*/pkginfo files (VERSION). The R/S flags aren't in there, but they won't matter. Anybody want to try it? :) I guess I could come up with a rough script, it's the fine-tuning and testing which scares me off, as it will take a lot of time.

All I have to say is keep up the good work Martin, you are keeping a lot of Solaris shops afloat.

Thanks for that!

Martin.
Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
Ateeq Altaf wrote:

Could we approach this a different way by first getting a list of missing patches relevant to a patchdiag slightly *newer* than the CPU, then filter that list with the list of patches on the CPU?

Should get you close. It also depends whether you succeed in finding the closest patchdiag.xref. As soon as it contains at least one patch with a newer rev than in the CPU, things get complicated.

Another idea is to use archived copies of the various xref files and try to find the one which contains all (or at least the most) of the patches+revisions in the CPU list. Then you could use that with pca -l all_patch_IDs_of_CPU.

I haven't tried any of the above to see if it produces a list as I'm dreading trying to navigate Oracle support to see if there's a way to get the recent CPU patch_order file without downloading the 2GB zip file.

I'm downloading the 2GB file right now as I wanted to take a look at it - it takes more than 12 hours. This should make clear why we all try to avoid the CPU, I guess. There's a Read Me button in the flash interface of MOS, which leads to a file including the patch list.

Martin.
Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
Martin,

I kind of disagree on using CPU for a couple of reasons.

1. CPU tends to change within the given release, hence the different revisions (Am I wrong in this assessment?)
2. CPU tends to install on the minimum patch revision which will get the OS off the vulnerability.

I like to patch my servers with given Xref, which will solve all the issues. Example April 2011 CPU has patches from March and before, where most of them are obsolete/replaced when the CPU came out. So if we look at the latest patch included in that CPU (April 01 2011), then we can safely assume that if we use April 01 2011 Xref, we should get all the patches via PCA.

Please let me know if I have my theory straight.

Thanks
-GGR

--
Rajiv G Gunja
Blog: http://ossrocks.blogspot.com

On Wed, Jun 15, 2011 at 06:24, Martin Paul mar...@par.univie.ac.at wrote:

Ateeq Altaf wrote:

Could we approach this a different way by first getting a list of missing patches relevant to a patchdiag slightly *newer* than the CPU, then filter that list with the list of patches on the CPU?

Should get you close. It also depends whether you succeed in finding the closest patchdiag.xref. As soon as it contains at least one patch with a newer rev than in the CPU, things get complicated.

Another idea is to use archived copies of the various xref files and try to find the one which contains all (or at least the most) of the patches+revisions in the CPU list. Then you could use that with pca -l all_patch_IDs_of_CPU.

I haven't tried any of the above to see if it produces a list as I'm dreading trying to navigate Oracle support to see if there's a way to get the recent CPU patch_order file without downloading the 2GB zip file.

I'm downloading the 2GB file right now as I wanted to take a look at it - it takes more than 12 hours. This should make clear why we all try to avoid the CPU, I guess. There's a Read Me button in the flash interface of MOS, which leads to a file including the patch list.

Martin.
Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
Rajiv,

I kind of disagree on using CPU for a couple of reasons.

Maybe you got me wrong - it's not that I use the CPU myself - I agree with what you say. Personally, I don't see much sense in installing an outdated revision of a patch. Why not get *all* available fixes, when I'm installing a patch anyway? If possible, I always install all missing patches.

I do understand the reasoning behind the CPU and why people use it, though - it's what fixes all security issues with the least possible amount of changes to the system.

Martin.
Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
Jeff wrote:

From the way I understand how PCA works, when specifying a specific revision of a patch, it does no checking prior to trying to install, since it can't reference pre-reqs and supersedings in patchdiag.xref. As a test, I grabbed the patch list from the CPU readme and fed it into PCA, it downloaded and tried to apply all 209 patches.

Yes, that's correct, both your assumption and the behaviour.

I prefer to stick with only the revisions in the CPU, since I hope there is a greater chance they are well tested before released.

I think the chkmin script from PCA's Contrib webpage could help here. If you feed it the list of all patches from the CPU, it will reduce it to those which are not installed yet (in the specified revision or higher). You can then feed this reduced list back to PCA for installation. Something like this might give the wanted result:

    $ pca --install `cat cpu_patches.txt | ./chkmin`

Let us know if you try it!

Martin.
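The check described in the message above (drop CPU patches that are already installed at the listed revision or higher), as an added example that is not part of the thread and is not the chkmin script itself. It goes one step further and also treats a CPU patch as satisfied when an installed patch obsoletes it; it assumes a CPU list with one ID-rev per line and `showrev -p` output saved to a file, and the function names and sample data are constructed.

```shell
#!/bin/sh
# Added example (not chkmin itself): list the CPU patches a host still lacks.
# Assumes the CPU list has one ID-rev per line and that installed patches come
# from `showrev -p` ("Patch: ID-rev Obsoletes: ... Requires: ...").

# cpu_gap SHOWREV_FILE CPU_LIST -> CPU patches not yet satisfied, in list order.
# Satisfied = same ID installed at that revision or higher, or an installed
# patch obsoletes that ID at that revision or higher.
cpu_gap() {
    awk '
        function note(pid,    p) {            # keep the highest rev per ID
            gsub(/,/, "", pid)
            if (pid !~ /^[0-9]+-[0-9]+$/) return
            split(pid, p, "-")
            if (!(p[1] in have) || p[2] + 0 > have[p[1]]) have[p[1]] = p[2] + 0
        }
        FILENAME == ARGV[1] {                 # showrev -p output
            if ($1 != "Patch:") next
            note($2)
            for (i = 3; i <= NF && $i != "Requires:"; i++) note($i)
            next
        }
        /^[0-9]+-[0-9]+$/ {                   # CPU list entry
            split($0, c, "-")
            if (!(c[1] in have) || have[c[1]] < c[2] + 0) print $0
        }' "$1" "$2"
}

# Constructed sample data: the CPU revisions are the ones quoted in the thread;
# the installed set, patch 900001-01 and the package names are made up.
sample_cpu_list() {
    printf '%s\n' 119254-80 122911-24 125215-03 141552-03 143559-07 144488-11
}
sample_showrev() {
    cat <<'EOF'
Patch: 119254-81 Obsoletes: Requires: Incompatibles: Packages: SUNWexample1
Patch: 122911-24 Obsoletes: Requires: Incompatibles: Packages: SUNWexample2
Patch: 125215-02 Obsoletes: Requires: Incompatibles: Packages: SUNWexample3
Patch: 900001-01 Obsoletes: 141552-03, 900000-02 Requires: Incompatibles: Packages: SUNWexample4
Patch: 144488-11 Obsoletes: Requires: 119254-80 Incompatibles: Packages: SUNWexample5
EOF
}

demo_cpu_gap() {
    tmp=$(mktemp -d) || return 1
    sample_showrev > "$tmp/showrev.out"
    sample_cpu_list > "$tmp/cpu_patches.lst"
    cpu_gap "$tmp/showrev.out" "$tmp/cpu_patches.lst"
    rm -rf "$tmp"
}

demo_cpu_gap   # prints 125215-03 and 143559-07
```

The script only compares revisions; as the thread notes, it cannot tell whether the packages a patch applies to are installed on a minimal cluster.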
Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
Thanks for the suggestion Martin, hadn't used chkmin before. This was the syntax I ended up using, not pretty:

    pca -l `./chkmin \`cat AprCPU.lst\``

It does reduce the number of patches to 100, but the problem still exists that pca doesn't verify the packages are installed that the patches apply to if a specific revision is requested. So in the case of the server I'm testing, it was built with the SUNWCrnet cluster, so it has minimal packages and the actual number that would be applied is around 10.

I really think the best solution is to either convince Oracle to package a patchdiag.xref that corresponds with the revisions in the CPU within the CPU bundle, or for me to grab patchdiag.xrefs around the release date until I find one that corresponds with the bundle.

It's kinda crazy that the best way to manage patching on Solaris systems after all these years continues to be PCA and would hope Oracle would continue to support its use since there really isn't any valid alternative.

All I have to say is keep up the good work Martin, you are keeping a lot of Solaris shops afloat.

On Tue, Jun 14, 2011 at 3:55 AM, Martin Paul mar...@par.univie.ac.at wrote:

Jeff wrote:

From the way I understand how PCA works, when specifying a specific revision of a patch, it does no checking prior to trying to install, since it can't reference pre-reqs and supersedings in patchdiag.xref. As a test, I grabbed the patch list from the CPU readme and fed it into PCA, it downloaded and tried to apply all 209 patches.

Yes, that's correct, both your assumption and the behaviour.

I prefer to stick with only the revisions in the CPU, since I hope there is a greater chance they are well tested before released.

I think the chkmin script from PCA's Contrib webpage could help here. If you feed it the list of all patches from the CPU, it will reduce it to those which are not installed yet (in the specified revision or higher). You can then feed this reduced list back to PCA for installation. Something like this might give the wanted result:

    $ pca --install `cat cpu_patches.txt | ./chkmin`

Let us know if you try it!

Martin.

--
Jeff
Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
From the way I understand how PCA works, when specifying a specific revision of a patch, it does no checking prior to trying to install, since it can't reference pre-reqs and supersedings in patchdiag.xref. As a test, I grabbed the patch list from the CPU readme and fed it into PCA, it downloaded and tried to apply all 209 patches.

I prefer to stick with only the revisions in the CPU, since I hope there is a greater chance they are well tested before released. You don't need to look any further than the last couple weeks when kernel patches 144488-13 through 144488-15 were withdrawn.

On Thu, Jun 9, 2011 at 12:13 AM, Glenn Satchell glenn.satch...@uniq.com.au wrote:

Unless the specific patch is already installed, so it should only download the new patches. So this is a win over downloading the whole 2GB patch bundle.

If you strip the revision numbers off the list and use that, pca will get the latest version of each patch. The CPU revisions are not necessarily always the latest version.

regards,
-glenn

From what I understand about how PCA works, if you specify a specific patch revision in a list, it isn't able to check supersedings and dependencies, because it doesn't have a match in patchdiag.xref. So you would still end up downloading all the patches and trying to apply them.

On Wed, Jun 8, 2011 at 10:08 AM, Gael Martinez gael.marti...@gmail.com wrote:

On Wed, Jun 8, 2011 at 8:46 AM, Jeff variver...@gmail.com wrote:

What would be even better is if the CPU contained a copy of patchdiag.xref that can be used by PCA users to replicate the CPU.

Why don't you use the patch_order file included in the CPU? pca does accept a list of patch in a file ...

--
Gaël Martinez

--
Jeff

--
Jeff
Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
Hi Jeff,

The Oracle Patch Strategy Best Practice is to download and install the CPU (ideally to an Alternate Boot Environment). The CPU does have the advantage of having an excellent install script (written by Ed Clark; a Senior Engineer on my team) and is tested by my team prior to release; two excellent reasons why we recommend that customers use it! It also supports application to an Alternate Boot Environment (ABE). (I know PCA supports patch application to an ABE too...)

PCA is a third-party tool, which Martin kindly maintains and makes freely available, so is not the recommended way to apply the CPU.

There is no special copy of the patchdiag.xref from the recommended patch cluster the CPU is cut from made available. (The day the CPU is released is not accurate, as we need to cut the CPU a week before to allow time to test.)

I know that previously Chris Reece released a tool called Mkpcadir, which created a patchdiag.xref based on the directory structure of the EIS (Enterprise Installation Standards) DVD. I do not know if someone else has created a similar tool that would do something similar for patch clusters???

Each Patch Cluster (eg. Recommended Patch Cluster, CPU Patch Cluster) that Oracle produces does contain a patch_list file, which is a flat file listing the patches the cluster delivers in the order in which they should be applied. I'm not 100% sure of the correct syntax to use with PCA, but I think you should be able to rename this file patchlist.txt and provide it as an input to PCA. Perhaps Martin or someone else could confirm...

HTH,
-Don

Jeff wrote:

Guess I didn't understand that was the purpose of --minimal. So based on your answer, there is no way to follow the Oracle Best Practices patch strategy of applying the CPU between update releases using pca? Except maybe grabbing the patchdiag.xref on the day the CPU is released and comparing the patch revisions between patchdiag and the CPU?

On Fri, May 27, 2011 at 4:59 AM, Don O'Malley don.omal...@oracle.com wrote:

Hi Jeff,

The --minimal option never mapped to the contents of the CPU. The --minimal option is mapped to the Recommended Patch Cluster contents, not the CPU. The CPU is effectively an archived version of the Recommended Patch Cluster, so the 2 are closely related.

That said, with changes that we made to merge the Recommended Patch Cluster and former Sun Alert Cluster (see Patch Corner - Merging the Solaris Recommended and Sun Alert Patch Clusters for the details), we now only add the lowest revision of a patch required to address SunAlert issues (Security, Data Loss and System Availability). This means that over time customers need to apply less patches to keep up to date with critical fixes. This is the reason that some patches in patchdiag.xref that are Recommended are no longer the latest revs of patches. The only exception to this rule is patches required for the patch utilities on Solaris to function correctly; these patches (eg. 119254) are always kept at the latest available revision.

HTH,
-Don

Jeff wrote:

I've been using the --minimal option for pca since it came out to standardize patching based on the most recent CPU. Today I noticed that it looks like Oracle dropped support for it in patchdiag.xref. I'm using the patchdiag.xref I downloaded on May 15th and trying to apply the patches from the April/2011 CPU using pca. I find these patch discrepancies between what is in the CPU and what is in patchdiag.xref:

    April CPU    patchdiag
    119254-80    119254-81
    122911-24    122911-25
    125215-03    125215-04
    141552-03    141552-04
    143559-07    143559-08
    144488-11    144488-14

Previously, patchdiag.xref would list both the version of the patch that was in the CPU and the most recent version.

Guess the question is to Martin or Don: Do you know if this is intentional?

--
Jeff

--
Don O'Malley
Manager, Patch System Test
Revenue Product Engineering | Solaris | Hardware
East Point Business Park, Dublin 3, Ireland
Phone: +353 1 8199764
Team Alias: rpe_patch_system_test...@oracle.com
Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
Thanks Don. I agree that the CPU has an excellent install script. The problem with using the CPU is when you are deploying to hundreds of servers, there is a significant amount of time involved in staging the large bundle of patches when you really are only applying a very small subset between CPU's. PCA allows us to only grab what is needed on an individual server vs having a script run through a long list of patches and see if they apply.

What I'll probably end up doing is keeping copies of the patchdiag.xref file from around the time that the CPU is released and then compare the patch list in the CPU against the patchdiag.xref until I find the one that matches.

What would be even better is if the CPU contained a copy of patchdiag.xref that can be used by PCA users to replicate the CPU.

On Wed, Jun 8, 2011 at 8:53 AM, Don O'Malley don.omal...@oracle.com wrote:

Hi Jeff,

The Oracle Patch Strategy Best Practice is to download and install the CPU (ideally to an Alternate Boot Environment). The CPU does have the advantage of having an excellent install script (written by Ed Clark; a Senior Engineer on my team) and is tested by my team prior to release; two excellent reasons why we recommend that customers use it! It also supports application to an Alternate Boot Environment (ABE). (I know PCA supports patch application to an ABE too...)

PCA is a third-party tool, which Martin kindly maintains and makes freely available, so is not the recommended way to apply the CPU.

There is no special copy of the patchdiag.xref from the recommended patch cluster the CPU is cut from made available. (The day the CPU is released is not accurate, as we need to cut the CPU a week before to allow time to test.)

I know that previously Chris Reece released a tool called Mkpcadir (http://www.jessies.org/%7Ecar/projects/mkpcadir/), which created a patchdiag.xref based on the directory structure of the EIS (Enterprise Installation Standards) DVD. I do not know if someone else has created a similar tool that would do something similar for patch clusters???

Each Patch Cluster (eg. Recommended Patch Cluster, CPU Patch Cluster) that Oracle produces does contain a patch_list file, which is a flat file listing the patches the cluster delivers in the order in which they should be applied. I'm not 100% sure of the correct syntax to use with PCA, but I think you should be able to rename this file patchlist.txt and provide it as an input to PCA. Perhaps Martin or someone else could confirm...

HTH,
-Don

Jeff wrote:

Guess I didn't understand that was the purpose of --minimal. So based on your answer, there is no way to follow the Oracle Best Practices patch strategy of applying the CPU between update releases using pca? Except maybe grabbing the patchdiag.xref on the day the CPU is released and comparing the patch revisions between patchdiag and the CPU?

On Fri, May 27, 2011 at 4:59 AM, Don O'Malley don.omal...@oracle.com wrote:

Hi Jeff,

The --minimal option never mapped to the contents of the CPU. The --minimal option is mapped to the Recommended Patch Cluster contents, not the CPU. The CPU is effectively an archived version of the Recommended Patch Cluster, so the 2 are closely related.

That said, with changes that we made to merge the Recommended Patch Cluster and former Sun Alert Cluster (see Patch Corner - Merging the Solaris Recommended and Sun Alert Patch Clusters (http://blogs.oracle.com/patch/entry/merging_the_solaris_recommended_and) for the details), we now only add the lowest revision of a patch required to address SunAlert issues (Security, Data Loss and System Availability). This means that over time customers need to apply less patches to keep up to date with critical fixes. This is the reason that some patches in patchdiag.xref that are Recommended are no longer the latest revs of patches. The only exception to this rule is patches required for the patch utilities on Solaris to function correctly; these patches (eg. 119254) are always kept at the latest available revision.

HTH,
-Don

Jeff wrote:

I've been using the --minimal option for pca since it came out to standardize patching based on the most recent CPU. Today I noticed that it looks like Oracle dropped support for it in patchdiag.xref. I'm using the patchdiag.xref I downloaded on May 15th and trying to apply the patches from the April/2011 CPU using pca. I find these patch discrepancies between what is in the CPU and what is in patchdiag.xref:

    April CPU    patchdiag
    119254-80    119254-81
    122911-24    122911-25
    125215-03    125215-04
    141552-03    141552-04
    143559-07    143559-08
    144488-11    144488-14

Previously, patchdiag.xref would list both the version of the patch that was in the CPU and the most recent version.

Guess the question is to Martin or Don: Do you know if this is intentional?

--
Jeff

--
http://www.oracle.com/
*Don O'Malley* Manager, Patch
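Jeff's plan above of comparing saved patchdiag.xref copies against the CPU list, and Martin's earlier suggestion of finding the archived xref that contains the most CPU patch+revision pairs, as an added example that is not code from the thread or from PCA. It assumes xref data lines are '|'-delimited with the patch ID in field 1 and the revision in field 2; the function names, file names and sample xref lines are constructed.

```shell
#!/bin/sh
# Added example: rank archived patchdiag.xref copies against a CPU patch list.
# Assumes xref data lines are '|'-delimited with the patch ID in field 1 and
# the revision in field 2, and a CPU list with one ID-rev per line.

# xref_score CPU_LIST XREF -> "exact newer missing"
#   exact   = CPU patches listed in the xref at exactly the CPU revision
#   newer   = CPU patch IDs the xref lists only at a higher revision
#   missing = CPU patch IDs absent from the xref or listed only at a lower one
xref_score() {
    awk -F'|' '
        FILENAME == ARGV[1] {                         # CPU list
            if ($0 ~ /^[0-9]+-[0-9]+$/) {
                split($0, p, "-"); cpu[p[1]] = p[2] + 0; total++
            }
            next
        }
        NF >= 3 && $1 ~ /^[0-9]+$/ && ($1 in cpu) {   # xref line for a CPU ID
            if ($2 + 0 == cpu[$1]) exact[$1] = 1
            else if ($2 + 0 > cpu[$1]) newer[$1] = 1
        }
        END {
            for (id in cpu) {
                if (id in exact) e++
                else if (id in newer) n++
            }
            printf "%d %d %d\n", e, n, total - e - n
        }' "$1" "$2"
}

# best_xref CPU_LIST XREF... -> the xref with the most exact matches, ties
# broken by the fewest newer-only IDs. Paths must not contain whitespace.
best_xref() {
    cpu_list=$1; shift
    for x in "$@"; do
        echo "$(xref_score "$cpu_list" "$x") $x"
    done | sort -k1,1nr -k2,2n | head -1 | awk '{ print $4 }'
}

# Constructed sample data: the CPU revisions and the "late" xref revisions are
# the ones quoted in the thread; dates, flags and synopses are placeholders.
xref_line() { printf '%s|%s|Jan/01/11|R|S| | | |10|sparc;||placeholder\n' "$1" "$2"; }
make_samples() {
    printf '%s\n' 119254-80 122911-24 125215-03 141552-03 143559-07 144488-11 \
        > "$1/cpu_patches.lst"
    { xref_line 119254 79; xref_line 122911 24; xref_line 125215 03
      xref_line 141552 03; xref_line 143559 07; } > "$1/xref.early"
    { xref_line 119254 80; xref_line 122911 24; xref_line 125215 03
      xref_line 141552 03; xref_line 143559 07; xref_line 144488 11; } > "$1/xref.mid"
    { xref_line 119254 81; xref_line 122911 25; xref_line 125215 04
      xref_line 141552 04; xref_line 143559 08; xref_line 144488 14; } > "$1/xref.late"
}

samples=$(mktemp -d) && make_samples "$samples"
for x in "$samples"/xref.*; do
    echo "$x: $(xref_score "$samples/cpu_patches.lst" "$x")"
done
echo "closest: $(best_xref "$samples/cpu_patches.lst" "$samples"/xref.*)"
```

A non-zero "newer" count is the case Martin flags as complicated: for those IDs pca would resolve to a revision above the one in the CPU.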
Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
On Wed, Jun 8, 2011 at 8:46 AM, Jeff variver...@gmail.com wrote:

What would be even better is if the CPU contained a copy of patchdiag.xref that can be used by PCA users to replicate the CPU.

Why don't you use the patch_order file included in the CPU? pca does accept a list of patch in a file ...

--
Gaël Martinez
Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
From what I understand about how PCA works, if you specify a specific patch revision in a list, it isn't able to check supersedings and dependencies, because it doesn't have a match in patchdiag.xref. So you would still end up downloading all the patches and trying to apply them.

On Wed, Jun 8, 2011 at 10:08 AM, Gael Martinez gael.marti...@gmail.com wrote:

On Wed, Jun 8, 2011 at 8:46 AM, Jeff variver...@gmail.com wrote:

What would be even better is if the CPU contained a copy of patchdiag.xref that can be used by PCA users to replicate the CPU.

Why don't you use the patch_order file included in the CPU? pca does accept a list of patch in a file ...

--
Gaël Martinez

--
Jeff
Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
Unless the specific patch is already installed, so it should only download the new patches. So this is a win over downloading the whole 2GB patch bundle.

If you strip the revision numbers off the list and use that, pca will get the latest version of each patch. The CPU revisions are not necessarily always the latest version.

regards,
-glenn

From what I understand about how PCA works, if you specify a specific patch revision in a list, it isn't able to check supersedings and dependencies, because it doesn't have a match in patchdiag.xref. So you would still end up downloading all the patches and trying to apply them.

On Wed, Jun 8, 2011 at 10:08 AM, Gael Martinez gael.marti...@gmail.com wrote:

On Wed, Jun 8, 2011 at 8:46 AM, Jeff variver...@gmail.com wrote:

What would be even better is if the CPU contained a copy of patchdiag.xref that can be used by PCA users to replicate the CPU.

Why don't you use the patch_order file included in the CPU? pca does accept a list of patch in a file ...

--
Gaël Martinez

--
Jeff
Re: [pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
Jeff wrote:

Guess the question is to Martin or Don: Do you know if this is intentional?

Sorry, I have no idea whether this is a mistake or intentional, I only can confirm your findings and otherwise leave it to Don to provide an explanation.

Martin.
[pca] Oracle removed support from patchdiag.xref for --minimal option in pca?
I've been using the --minimal option for pca since it came out to standardize patching based on the most recent CPU. Today I noticed that it looks like Oracle dropped support for it in patchdiag.xref. I'm using the patchdiag.xref I downloaded on May 15th and trying to apply the patches from the April/2011 CPU using pca. I find these patch discrepancies between what is in the CPU and what is in patchdiag.xref:

    April CPU    patchdiag
    119254-80    119254-81
    122911-24    122911-25
    125215-03    125215-04
    141552-03    141552-04
    143559-07    143559-08
    144488-11    144488-14

Previously, patchdiag.xref would list both the version of the patch that was in the CPU and the most recent version.

Guess the question is to Martin or Don: Do you know if this is intentional?

--
Jeff