Re: Patching Solaris 9 systems to "current"





Richard B. Gilbert wrote:

ohaya wrote:

Hi,

We have a number of Solaris 9 (SPARC) systems that were originally deployed a while ago, and I've been asked to bring the systems "up-to-date" patch-wise. The person who originally deployed/built these systems is unavailable, so I got "stuck" with this task :(.

It's going to be a couple of weeks before I can get in to "see" the systems, but I'm trying to prepare and gather information on this...

From what I've been told, Solaris on all these systems was installed from a base image (FLAR), and then I think (again, I haven't actually had any "hands-on" time with these systems yet) the disk allocations were adjusted on some of the systems depending on what was going to be running on them.

Also, according to what I've been able to find out, that base image had "the latest patch cluster at the time" applied.

From what I can gather, the original deployment took place about 2 years ago :(.

And, finally, these systems don't have any internet access, so I'll have to burn whatever is needed to some CDs beforehand.

So, I'm looking for some advice as to what the best/safest approach to doing this might be.

I'm thinking that one of the first things that I want to do is to get onto each system and run "showrev -p", to verify that all the systems really are patched the same, and also to try to understand (and document) what has been applied.

Assuming that they all are patched identically, I'm wondering: What then?

Would it be best/safest to get a support case with Sun and ask for the last recommended patch cluster, and just install that?

Or, is there a "better way"?

The main thing I'm looking for is "safety", by which I mean minimizing the possibility of trashing any of these systems, since all of the people who were involved with the original deployment are apparently long gone :(.

Also, any other hints/suggestions on this matter?

Sorry if the questions in this post are a bit vague, but any suggestions/recommendations would be appreciated.

Thanks,
Jim


This is the sort of situation that makes me cringe!

I'd *strongly* suggest that you make a backup of the system disk on each machine before applying ANY patches! If you fail to do this, you will regret it later!! If there IS a later!!!

Next, see if you can use one of the machines as a "patch server". Load all the patches onto your patch server and have the other machines grab them over the network. This should be faster than trying to read them from a CD. Multiple machines can be patching themselves at one time.

Martin Paul wrote a script called "Patch Check Advanced" or PCA. The script checks the machine to be patched against the master patch file and determines which patches are needed. It then downloads the necessary patches and installs them. I don't know if you can use it without internet access but you might want to look at it. If you can use it, it should save you a good deal of time and effort. Since you can't connect to the internet you will need to burn PCA to a CD along with the master patch file and the patches to be installed.



Hi,

I was already cringing when I was asked to do this :)!!

As I said in my response to Greg, it looks likely that I may not be able to back up each (or even one) system. Of course, the people who are asking/assigning this aren't the ones who'll have to deal with things if something goes BOOM.

I was hoping you all would post something like "no problem, just run the patch cluster", but given the early responses, I'm going to have to see if I can force the issue (like: I won't do the installation unless you provide a means to back up each system before the patching). Not sure if that is going to fly though :(...

Thanks,
Jim
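
Added example, not part of the original thread: one way to do the "are all the systems really patched the same" check discussed above, by comparing saved `showrev -p` listings from two hosts. The file names, function names and patch IDs are assumptions made up for illustration; on Solaris 9 itself, run the awk program with `nawk`.

```shell
#!/bin/sh
# Assumption: each listing was captured with `showrev -p > <host>.showrev`.

# compare_hosts BASELINE_FILE HOST_FILE
# Reduces each listing to the highest installed revision per patch ID, then
# reports patches the host lacks, has extra, or has at a different revision.
compare_hosts() {
    awk '
    $1 == "Patch:" {
        split($2, p, "-")                  # p[1] = patch ID, p[2] = revision
        src = (FILENAME == ARGV[1]) ? "base" : "host"
        if (!((src, p[1]) in rev) || p[2] + 0 > rev[src, p[1]] + 0)
            rev[src, p[1]] = p[2]
        ids[p[1]] = 1
    }
    END {
        for (id in ids) {
            if (!(("host", id) in rev))
                print "MISSING " id "-" rev["base", id]
            else if (!(("base", id) in rev))
                print "EXTRA " id "-" rev["host", id]
            else if (rev["base", id] != rev["host", id])
                print "DIFFERS " id " baseline=" rev["base", id] " host=" rev["host", id]
        }
    }' "$1" "$2" | sort
}

# write_samples DIR: constructed listings (patch IDs are made up, not Sun patches).
write_samples() {
    cat > "$1/hostA.showrev" <<'EOF'
Patch: 900001-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 900001-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 900002-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 900003-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWhea
EOF
    cat > "$1/hostB.showrev" <<'EOF'
Patch: 900001-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 900002-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 900004-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWzlib
EOF
}

# Demo on the constructed samples, with hostA as the baseline.
demo_dir=$(mktemp -d) && write_samples "$demo_dir" &&
    compare_hosts "$demo_dir/hostA.showrev" "$demo_dir/hostB.showrev"
```

Empty output means the host matches the baseline; any line is a difference to document before a patch cluster is applied.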
