Applying the recommended patch bundle to a Solaris system
Introduction
Sun provide a convenient "bundle" of their recommended patches for each supported version of Solaris, complete with an install script. The set of recommended patches typically contains all the security patches, so this provides a convenient way of applying most of Sun's patches. However, the bundle does sometimes lag behind the release of new patches, and it is fairly inefficient to try to apply all the patches every time a constituent patch changes. Therefore we recommend that the patch bundle be applied to a machine when it is first installed and that a routine comparison then be made between the currently applied set of patches and the currently available set. Then just the necessary patches can be applied.
In this example we will assume that Sun's automounter is running and that the /net automount point has its default definition.
NB Before doing any widespread patching you should do a complete system backup. Also note that, as described in "Keeping a Solaris system up to date", binaries such as sendmail and in.named that you might have replaced will be overwritten by system patches with (patched) Sun versions.
Locating the appropriate patch bundle
First you need to know what version of Solaris you are running. If you really don't know the number then you can work it out like this. Run the command uname -r to give the SunOS version number. If the answer is less than 5.7 then subtract 3 to get the Solaris version number. (No, we're not making this up.) If the answer is 5.7 or greater then ignore the leading "5.".
For example, on a Solaris 2.6 system we get the following:

```
$ uname -r
5.6
```

and on a Solaris 7 system we get this:

```
$ uname -r
5.7
```
In certain Solaris documents you will see Solaris 7 referred to as Solaris 2.7. This is because when Sun's marketing department decided to mess with the numbering scheme they didn't move soon enough and the "obvious" name for the new version was already wired into some places.
Next we need to mount Unix Support's mirror of Sun's public patches. We can do this by changing directory through /net:

```
$ cd /net/nfs-uxsup.csx.cam.ac.uk/public_patches/SUN/clusters
```
Within this directory there are a variety of tarred, compressed recommended patch bundles for versions 2.6 and earlier. For version 7 and later the files are in ZIP format. These are accompanied by the corresponding README files.
```
$ ls -ln [0-9\.]*_*Recommended*
-rw-r--r-- 1 1017 1017     15706 Sep 18  2004 2.5.1_Recommended.README
-rw-r--r-- 1 1017 1017  60195469 Sep 18  2004 2.5.1_Recommended.tar.Z
-rw-r--r-- 1 1017 1017     14244 Sep 18  2004 2.5.1_x86_Recommended.README
-rw-r--r-- 1 1017 1017  41303851 Sep 18  2004 2.5.1_x86_Recommended.tar.Z
-rw-r--r-- 1 1017 1017     15346 Feb 15 00:00 2.6_Recommended.README
-rw-r--r-- 1 1017 1017  63001581 Feb 15 00:00 2.6_Recommended.tar.Z
-rw-r--r-- 1 1017 1017     15039 Feb 16 00:00 2.6_x86_Recommended.README
-rw-r--r-- 1 1017 1017  47356855 Feb 16 00:00 2.6_x86_Recommended.tar.Z
-rw-r--r-- 1 1017 1017     15205 May 10 00:36 7_Recommended.README
-rw-r--r-- 1 1017 1017  61398162 May 10 00:36 7_Recommended.zip
-rw-r--r-- 1 1017 1017     14989 May  4 23:01 7_x86_Recommended.README
-rw-r--r-- 1 1017 1017  34289963 May  4 23:01 7_x86_Recommended.zip
-rw-r--r-- 1 1017 1017     17797 May 10 00:37 8_Recommended.README
-rw-r--r-- 1 1017 1017 157069005 May 10 00:37 8_Recommended.zip
-rw-r--r-- 1 1017 1017     16699 May 10 00:40 8_x86_Recommended.README
-rw-r--r-- 1 1017 1017  67380155 May 10 00:40 8_x86_Recommended.zip
-rw-r--r-- 1 1017 1017     13682 May  3 23:00 9_Recommended.README
-rw-r--r-- 1 1017 1017 156952032 May  3 23:00 9_Recommended.zip
-rw-r--r-- 1 1017 1017     12427 May 10 00:43 9_x86_Recommended.README
-rw-r--r-- 1 1017 1017 106856227 May 10 00:43 9_x86_Recommended.zip
```
Select the file corresponding to your version of Solaris. The x86 files are for Solaris on the Intel platform. The versions without x86 are for the Sparc platform.
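The version rule and the file naming above can be combined into one lookup. The following is an added example, not part of the original page; it assumes the processor type comes from `uname -p` ("sparc" or "i386"), and the function names are illustrative.

```shell
# Added example: pick the bundle file name from `uname -r` and `uname -p`.
# POSIX shell syntax; on Solaris run it with ksh or /usr/xpg4/bin/sh.

# Map a SunOS release (uname -r) to the Solaris version number.
solaris_version() {
    case $1 in
        5.*) rest=${1#5.} ;;                 # "5.5.1" -> "5.1", "5.7" -> "7"
        *)   echo "not a SunOS 5.x release: $1" >&2; return 1 ;;
    esac
    case $rest in
        ''|.*|*[!0-9.]*) echo "malformed release: $1" >&2; return 1 ;;
    esac
    if [ "${rest%%.*}" -lt 7 ]; then
        echo "2.$rest"                       # 5.6 -> 2.6 (subtract 3)
    else
        echo "$rest"                         # 5.7 -> 7 (drop the "5.")
    fi
}

# Build the file name used in the clusters directory listing.
# $2 is assumed to be `uname -p` output: "sparc" or "i386".
bundle_name() {
    ver=$(solaris_version "$1") || return 1
    case $2 in
        sparc) arch="" ;;
        i386)  arch="_x86" ;;
        *)     echo "unknown processor type: $2" >&2; return 1 ;;
    esac
    case $ver in
        2.*) ext="tar.Z" ;;                  # 2.6 and earlier: tar + compress
        *)   ext="zip" ;;                    # 7 and later: ZIP
    esac
    echo "${ver}${arch}_Recommended.${ext}"
}

bundle_name 5.6 sparc     # prints 2.6_Recommended.tar.Z
bundle_name 5.7 i386      # prints 7_x86_Recommended.zip
```

On a live system the call would be `bundle_name "$(uname -r)" "$(uname -p)"`.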
Unpacking the patch bundle
You need a directory in which to unpack the bundle. In these examples we will use /tmp.
We will give examples for the Solaris 2.6 and Solaris 7 patch bundles. Obviously you should use whichever bundle is suitable for your version. The ownership of some of the files in the packages appears to be important. The unpacking should be done as root.
```
# pwd
/
# cd /tmp
# zcat /net/nfs-uxsup.csx.cam.ac.uk/public_patches/SUN/clusters/2.6_Recommended.tar.Z | tar -xf -
# cd 2.6_Recommended
# ls
105181-04  105379-03  105615-03  105736-01  106125-02
105210-05  105393-01  105621-02  105755-03  CLUSTER_README
105216-03  105401-08  105665-01  105786-04  copyright
105284-05  105407-01  105667-01  105837-02  install_cluster
105356-04  105464-01  105669-02  105845-01  patch_order
105357-01  105518-01  105686-02  105926-01
105375-04  105558-01  105720-03  106033-01
```
```
# pwd
/
# cd /tmp
# unzip /net/nfs-uxsup.csx.cam.ac.uk/public_patches/SUN/clusters/7_Recommended.zip
Archive: /net/nfs-uxsup.csx.cam.ac.uk/public_patches/SUN/7_Recommended.zip
 creating: 7_Recommended/
 creating: 7_Recommended/106960-01/
 inflating: 7_Recommended/106960-01/README.106960-01
 inflating: 7_Recommended/106960-01/.diPatch
 creating: 7_Recommended/106960-01/SUNWman/
 inflating: 7_Recommended/106960-01/SUNWman/pkgmap
 inflating: 7_Recommended/106960-01/SUNWman/pkginfo
 creating: 7_Recommended/106960-01/SUNWman/install/
 inflating: 7_Recommended/106960-01/SUNWman/install/checkinstall
...
 inflating: 7_Recommended/108662-01/SUNWadmfw/reloc/usr/snadm/lib/libadmapm.so.2
 inflating: 7_Recommended/CLUSTER_README
 inflating: 7_Recommended/patch_order
 inflating: 7_Recommended/copyright
 inflating: 7_Recommended/install_cluster
# cd 7_Recommended
# ls
106541-08  107022-05  107451-02  107885-06  108374-01
106725-02  107038-01  107454-03  107887-08  108482-01
106793-03  107115-03  107456-01  107893-04  108662-01
106934-03  107171-04  107544-03  107972-01  CLUSTER_README
106944-02  107200-11  107587-01  108219-01  copyright
106952-01  107259-01  107636-03  108221-01  install_cluster
106960-01  107337-01  107684-01  108301-01  patch_order
106978-09  107359-02  107792-01  108343-02
```
The number of patches and their versions will increase with time so don't worry if the set you see does not match this example exactly. The bundles for the other versions of the O/S also have different contents of course. All the bundles should contain a CLUSTER_README file and an install_cluster shell script. You should read the CLUSTER_README file.
If you have replaced any system binaries with local copies (e.g. replacing in.named and named-xfer with the more recent BIND releases, or replacing sendmail with exim), then now is a good time to make copies of your replacement versions because the patching may well overwrite your versions with Sun versions.
Installing the patches
Now we will run the patch installation. Note that not all the patch installations will succeed. You should also note that patch installation pounds the system very hard; don't do this at peak time. On some systems the entire installation has taken over six hours.
The following text is the transcript from a successful patching of a Solaris 7 system. The instructions work for earlier versions too.
```
# ./install_cluster -nosave
Patch cluster install script for Solaris 7 Recommended
*WARNING* SYSTEMS WITH LIMITED DISK SPACE SHOULD *NOT* INSTALL PATCHES:
With or without using the save option, the patch installation process
will still require some amount of disk space for installation and
administrative tasks in the /, /usr, /var, or /opt partitions where
patches are typically installed. The exact amount of space will
depend on the machine's architecture, software packages already
installed, and the difference in the patched objects size. To be
safe, it is not recommended that a patch cluster be installed on a
system with less than 4 MBytes of available space in each of these
partitions. Running out of disk space during installation may result
in only partially loaded patches. Check and be sure adequate disk space
is available before continuing.
Are you ready to continue with install? [y/n]: y
The nosave option was used. Objects will not be saved.
Installing patches located in /tmp/7_Recommended
Using patch_order file for patch installation sequence
Installing 106960-01...
Installation of 106960-01 failed. Return code 2.
Installing 107038-01...
Installation of 107038-01 failed. Return code 2.
Installing 108374-01...
Installing 107022-05...
Installing 107171-04...
Installing 106793-03...
Installing 106934-03...
Installation of 106934-03 failed. Return code 2.
Installing 106725-02...
Installing 107544-03...
Installing 106541-08...
Installing 107587-01...
Installation of 107587-01 failed. Return code 8.
Installing 107359-02...
Installation of 107359-02 failed. Return code 8.
Installing 107636-03...
Installing 107887-08...
Installing 108343-02...
Installing 107200-11...
Installing 106944-02...
Installing 106952-01...
Installation of 106952-01 failed. Return code 8.
Installing 107456-01...
Installation of 107456-01 failed. Return code 2.
Installing 106978-09...
Installing 107115-03...
Installing 107259-01...
Installation of 107259-01 failed. Return code 2.
Installing 107451-02...
Installing 107454-03...
Installing 107684-01...
Installing 107792-01...
Installing 107972-01...
Installation of 107972-01 failed. Return code 8.
Installing 108301-01...
Installing 107337-01...
Installation of 107337-01 failed. Return code 8.
Installing 107893-04...
Installing 108219-01...
Installing 108221-01...
Installing 107885-06...
Installing 108482-01...
Installing 108662-01...
The following patches were not able to be installed:
106960-01
107038-01
106934-03
107587-01
107359-02
106952-01
107456-01
107259-01
107972-01
107337-01
For more installation messages refer to the installation logfile:
/var/sadm/install_data/Solaris_7_Recommended_log
Use '/usr/bin/showrev -p' to verify installed patch-ids.
Refer to individual patch README files for more patch detail.
Rebooting the system is usually necessary after installation.
#
```
The installation failures above are nothing to worry about; nothing has been corrupted, but they may need some following up. Here is the complete set of error codes.
| Exit code | Meaning |
|---|---|
| 0 | No error |
| 1 | Usage error |
| 2 | Attempt to apply a patch that's already been applied |
| 3 | Effective UID is not root |
| 4 | Attempt to save original files failed |
| 5 | pkgadd failed |
| 6 | Patch is obsoleted |
| 7 | Invalid package directory |
| 8 | Attempting to patch a package that is not installed |
| 9 | Cannot access /usr/sbin/pkgadd (client problem) |
| 10 | Package validation errors |
| 11 | Error adding patch to root template |
| 12 | Patch script terminated due to signal |
| 13 | Symbolic link included in patch |
| 14 | NOT USED |
| 15 | The prepatch script had a return code other than 0. |
| 16 | The postpatch script had a return code other than 0. |
| 17 | Mismatch of the -d option between a previous patch install and the current one. |
| 18 | Not enough space in the file systems that are targets of the patch. |
| 19 | $SOFTINFO/INST_RELEASE file not found |
| 20 | A direct instance patch was required but not found |
| 21 | The required patches have not been installed on the manager |
| 22 | A progressive instance patch was required but not found |
| 23 | A restricted patch is already applied to the package |
| 24 | An incompatible patch is applied |
| 25 | A required patch is not applied |
| 26 | The user specified backout data can't be found |
| 27 | The relative directory supplied can't be found |
| 28 | A pkginfo file is corrupt or missing |
| 29 | Bad patch ID format |
| 30 | Dryrun failure(s) |
| 31 | Path given for -C option is invalid |
| 32 | Must be running Solaris 2.6 or greater |
| 33 | Bad formatted patch file or patch file not found |
| 34 | The appropriate kernel jumbo patch needs to be installed |
What we see from this is that the error codes we saw (2 and 8) mean either that a patch was already installed (code 2) or that the patch was irrelevant because the package it applies to is not installed (code 8).
Sometimes you will see more serious errors. The most common of the serious errors is code 5, which means that the internal run of pkgadd failed. You should check the detailed log file /var/sadm/install_data/Solaris_2.6_Recommended_log for the reasons.
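To separate the harmless failures (codes 2 and 8) from those that leave a patch unapplied, a saved copy of the install_cluster output can be filtered by return code. This is an added example, not part of the original page; the sample input is constructed, the 199999-01 and 199998-02 patch IDs are made up, and the function names are illustrative.

```shell
# Added example: triage install_cluster failures by return code.
# POSIX shell; on Solaris run it with ksh or /usr/xpg4/bin/sh and use nawk.

# Constructed sample in the transcript's format. The 199999-01 and
# 199998-02 patch IDs are made up to show codes that need attention.
sample_transcript() {
    cat <<'EOF'
Installing 106960-01...
Installation of 106960-01 failed. Return code 2.
Installing 108374-01...
Installing 107587-01...
Installation of 107587-01 failed. Return code 8.
Installing 199999-01...
Installation of 199999-01 failed. Return code 5.
Installing 199998-02...
Installation of 199998-02 failed. Return code 18.
EOF
}

# Read a transcript on stdin; print "<patch> <code> <class>" per failure.
triage_failures() {
    awk '
    $1 == "Installation" && $4 == "failed." && $5 == "Return" {
        code = $NF + 0                  # "2." -> 2
        if (code == 2)      class = "already-applied"
        else if (code == 8) class = "package-not-installed"
        else                class = "FOLLOW-UP"
        print $3, code, class
    }'
}

# Print only the patch IDs that were not applied and need investigation.
needs_followup() {
    triage_failures | awk '$3 == "FOLLOW-UP" { print $1 }'
}

sample_transcript | triage_failures
```

Any patch ID printed by `needs_followup` is still missing from the system, so its entry in the detailed log file should be read before the machine is considered patched.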
It is not necessary to reboot the system immediately after installation but the system does need to be rebooted before any kernel or libc patches can take effect.
