Managing Solaris patches with pca

I have written repeatedly about the problems with the Solaris patch tools, and decided to test out the pca utility after Chris and Frank recommended it so highly. Pca is not only an awesome patching tool, but it blows away everything that is currently offered by Sun (pca has yet to throw Java exceptions and die in mysterious ways). To see what I mean, all you need to do is run pca with the help option:

$ pca -h

Usage: bin/pca [OPTION] .. [OPERAND] ..

Operands:
  patch group:    missing, installed, all, unbundled, bad
                  Add r, s or rs at the end to list Recommended,
                  Security or Recommended/Security patches only.
  patch ID:       123456, 123456-78
  patch file:     123456-78.zip, 123456-78.tar.Z
  file name:      patchlist.txt
  pattern:        /dtmail/

Options:
  -l              List patches
  -L              List patches, produce HTML output
  -d              Download patches
  -i              Install patches
  -I              Pretend to install patches
  -x              Download patch cross-reference file
  -y              Do not check for updated patch cross-reference file
  -X dir        Set location of patches cross-reference file
  -P dir        Set patch download directory
  -R dir        Set alternative root directory
  -n              Install only patches which do not require a reboot
  -k              Make patchadd not back up files to be patched
  -G              Make patchadd modify packages in the current zone only
  -a              Ask for SunSolve authentication data interactively
  -H              Don't display descriptive headers
  -r id         Display patch README
  -f dir        Read uname/showrev/pkginfo output from files in dir
  -h              Display this help
  -V              Display debug output
  -v              Display version information

Pca has several modes of operation. It can list patches that are outdated on your system, retrieve patches from Sunsolve, and most importantly it can be used to install individual patches and groups of patches on a server. To list patches that are available for a server, pca can be run with the “-l” option (or “-L” if you want HTML reports):

$ pca -l

Retrieving xref-file to /var/tmp/patchdiag.xref ... done
Using /var/tmp/patchdiag.xref from Jul/14/06
Host: neutron (SunOS 5.10/i386/i86pc)

Patch  IR   CR RSB Age Synopsis
------ -- - -- --- --- -------------------------------------------------------
117464 01 < 02 ---   2 SunOS 5.10_x86: passwdutil Patch
119131 21 < 22 R--   4 SunOS 5.10_x86: Sun Fibre Channel Device Drivers
119214 07 < 09 RSB   2 NSS_NSPR_JSS 3.11.2_x86: NSPR 4.6.2 / NSS 3.11.2 / JSS 4.2.4
119471 05 < 06 ---   5 SunOS 5.10_x86: Sun Enterprise Network Array firmware and utilitie
119686 06 < 07 ---   2 SunOS 5.10_x86: lib/svc/bin/svc.startd Patch
120037 03 < 05 ---   2 SunOS 5.10_x86: libldap patch
120053 02 < 03 ---   2 SunOS 5.10_x86: pam library patch
120200 04 < 05 ---   3 SunOS 5.10_x86: sysidtool Patch
121003 02 < 03 ---   2 SunOS 5.10_x86: pax patch
121005 01 < 02 RS-   2 SunOS 5.10_x86: sh patch
121011 01 < 02 ---   2 SunOS 5.10_x86: rpc.metad patch
123327 -- < 01 ---   5 SunOS 5.10_x86: tail patch
123521 -- < 01 ---   2 SunOS 5.10_x86: dirname & basename patch
123525 -- < 01 ---   2 SunOS 5.10_x86: psrinfo patch

The first column lists the patchid, the second column lists the version of the patch installed, the fourth column lists the updated version of the patch that is available on Sunsolve, and the fifth column indicates if the patch addresses a security or reliability problem. To install patches with pca, you can run pca with the "-i" option to install all available patches, or you can install individual patches by passing the patchid(s) to "-i":

$ pca -i 121005 119214

Retrieving xref-file to /var/tmp/patchdiag.xref ... done
Using /var/tmp/patchdiag.xref from Jul/14/06

Downloading patches to /home/matty
------------------------------------------------------------------------------
Retrieving 119214-09 (1/2) ... done
Retrieving 121005-02 (2/2) ... done

Summary: 2 total, 2 successful, 0 failed

Installing patches
------------------------------------------------------------------------------
Installing 119214-09 (1/2) ... done
Installing 121005-02 (2/2) ... done

Summary: 2 total, 2 successful, 0 skipped, 0 failed

This is a super useful piece of software, and I wish Sun would include something similar in Solaris (smpatch is not the answer!).

5 thoughts on “Managing Solaris patches with pca”

  1. I just found PCA tthrough your website and I have to agree, it is a great tool. I had the SUN patch management (GUI) running, but pca cannot be beat.
    Thank you
    PS# Great blog

  2. PCA still works fine. While it needs frequent updates due to Sun’s changes to the SunSolve infrastructure, I always managed to keep it working. As you might guess, I’m the author. If you have problems to get it going, feel free to contact me. See the PCA webpage for contact information.

  3. Great if you only want to apply the latest patches very time. How do get around applying patches that are released a particular time such as the Oracle Critical Patch Update and/or Recommended Patch Bundle?

Leave a Reply

Your email address will not be published. Required fields are marked *