Re: [pca] patch maintenance schedule
GGR/Martin/Kevin, Thanks for your suggestions and advices. We will discuss and decide which patching strategy we will adopt. Thanks Ying Xu y...@littonloan.com Unix Group Office: 713-218-4508 BB: 832-671-6633 4828 Loop Central Dr. Houston TX 77081 From: pca-boun...@lists.univie.ac.at [mailto:pca-boun...@lists.univie.ac.at] On Behalf Of Rajiv Gunja Sent: Sunday, November 01, 2009 12:43 PM To: PCA (Patch Check Advanced) Discussion Subject: Re: [pca] patch maintenance schedule Ying, Each environment/Org has to decide on what patching strategy they need to use depending on their situation. In our environment, we have about 4000 to 5000 SUN servers in Dev, Test and Production environments. We concentrate mostly on Production servers for security issues and we, as in SA teams discuss which SUN alerts we should look at and which SUN alerts should be taken what precedence. Depending on the SUN alerts, either we (SA) takes the decision to add it to our quarterly patch bundle or we get input from middleware or database teams, whose products are affected by the SUN Alert. We freeze patchdiag.xref quarterly and change our patch bundle generation script to point to that quarter' Xref file. If we do add new Patches from outside that Xref file, we install those patches manually either before patching or after patching the OS. Example: Currently our Xref file is frozen on May 29 2009 and 119254-70 has been indentified as a patch which needs to be installed before all other patches. So we manually install this patch before we start patching the OS. So depending on your environment and needs, you have to decide how often you want to patch your servers and which Xref files to use. Sometimes SUN comes out with Patches which cause more trouble than solving it, example: 141414-09. Hope this helps. -GGR -- Rajiv G Gunja Blog: http://ossrocks.blogspot.com 2009/10/29 Martin Paul mar...@par.univie.ac.at Xu, Ying (Houston) wrote: We would like to use security patch cluster to make minimal changes to the environment but fix sun alert issues. Here's one possible procedure you could use, e.g. for a monthly patch cycle: On a certain date, e.g. mid-month, you install all the current security patches using the same patchdiag.xref file on all your test machines (e.g. pca -i missings). Determine whether a reboot is required or recommended (pca will tell you). Keep and store the patchdiag.xref in some central directory (or on a local patch server), e.g. /xref/20091115/. With a local caching proxy (see pca docs) you will also ensure that all patches are already stored locally when the production machines are patched. On the last day of the month - your patch day - you install the same set of patches on all production machines by pointing pca at the frozen xref file (e.g. pca -X /xref/20091115/ -i missings). If a reboot is required, do that after patch installation. As the production machines install the same patch set as the test machines, and you had two weeks to sort out any possible issues, the patch install on the production machines could be done automatically. This could be combined with the usage of Live Update of course, where you would patch an inactive boot environment and reboot to that after patch installation. hth, Martin. --- DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to this message and then delete it from your system. Use, dissemination or copying of this message by unintended recipients is not authorized and may be unlawful. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
Re: [pca] patch maintenance schedule
Xu, Ying (Houston) wrote: We would like to use security patch cluster to make minimal changes to the environment but fix sun alert issues. Here's one possible procedure you could use, e.g. for a monthly patch cycle: On a certain date, e.g. mid-month, you install all the current security patches using the same patchdiag.xref file on all your test machines (e.g. pca -i missings). Determine whether a reboot is required or recommended (pca will tell you). Keep and store the patchdiag.xref in some central directory (or on a local patch server), e.g. /xref/20091115/. With a local caching proxy (see pca docs) you will also ensure that all patches are already stored locally when the production machines are patched. On the last day of the month - your patch day - you install the same set of patches on all production machines by pointing pca at the frozen xref file (e.g. pca -X /xref/20091115/ -i missings). If a reboot is required, do that after patch installation. As the production machines install the same patch set as the test machines, and you had two weeks to sort out any possible issues, the patch install on the production machines could be done automatically. This could be combined with the usage of Live Update of course, where you would patch an inactive boot environment and reboot to that after patch installation. hth, Martin.
[pca] patch maintenance schedule
I'd like to know how often you perform patch maintenance. We have a 80-serer environment. We usually do anual update/patch. We just updated all our servers to solaris10 update7. Now management push us to do quarterly even monthly patch maintenance due to corporate security policy. Our windows group has already been on monthly schedule, but they have automated tool to do hundreds at a time. We tried to find some reasoning to get an exception for our solaris environment. SUN doesnt release security patches on regular basis, also doesnt rate the patches, such as critical, important, and etc. It is subjective to decide which cluster to use. We would like to use security patch cluster to make minimal changes to the environment but fix sun alert issues. I'd like to hear what you think. Also, could pca run against specific patch cluster? Thanks Ying Xu y...@littonloan.com Unix Group Office: 713-218-4508 BB: 832-671-6633 4828 Loop Central Dr. Houston TX 77081 --- DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to this message and then delete it from your system. Use, dissemination or copying of this message by unintended recipients is not authorized and may be unlawful. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
Re: [pca] patch maintenance schedule
If you sign up for the weekly Sun alerts, the entries that are security related follow the standard security ratings so the information is available for you to evaluate. PCA does not use Sun's patch clusters, it uses the latest patches as indicated in patchdiag.xref. Our goal is quarterly patching, however, due to various extraneous issues with some environments, some are less frequent and some are more frequent. For instance, internet facing servers do security patching more frequently. If you use pca -s you will get the latest security patches and any patches required by those. Or you could evaluate the info in the weekly Sun alerts and pick those that you feel are urgent for your environment. If you are comfortable with patches being applied automatically it would be pretty easy to write wrapper scripts for pca that run in cron to automatically patch on whatever cycle you prefer. From: pca-boun...@lists.univie.ac.at [mailto:pca-boun...@lists.univie.ac.at] On Behalf Of Xu, Ying (Houston) Sent: Wednesday, October 28, 2009 7:59 AM To: pca@lists.univie.ac.at Subject: [pca] patch maintenance schedule I'd like to know how often you perform patch maintenance. We have a 80-serer environment. We usually do anual update/patch. We just updated all our servers to solaris10 update7. Now management push us to do quarterly even monthly patch maintenance due to corporate security policy. Our windows group has already been on monthly schedule, but they have automated tool to do hundreds at a time. We tried to find some reasoning to get an exception for our solaris environment. SUN doesnt release security patches on regular basis, also doesnt rate the patches, such as critical, important, and etc. It is subjective to decide which cluster to use. We would like to use security patch cluster to make minimal changes to the environment but fix sun alert issues. I'd like to hear what you think. Also, could pca run against specific patch cluster? Thanks Ying Xu y...@littonloan.commailto:y...@littonloan.com Unix Group Office: 713-218-4508 BB: 832-671-6633 4828 Loop Central Dr. Houston TX 77081 --- DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to this message and then delete it from your system. Use, dissemination or copying of this message by unintended recipients is not authorized and may be unlawful. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.