Work-around for Solaris smpatch bugs

I like to keep my Solaris systems up to date with the latest Operating System and application patches, and try to patch my systems monthly if time permits. If I am patching a production system, I always use recommended patch bundles that have been tested in a non-production environment. If I am patching QE or development machines, I like to use the automated patch features built into the Solaris smpatch(1m) utility. This makes patching a breeze, and ensures that all relevant patches are applied to the server.

While performing a routine patch update with smpatch(1m) this weekend, I encountered the following error message:

$ smpatch update -L
This operation is not supported by this application for systems with local zones.

I have used smpatch(1m) numerous times, and have never encountered this specific error. This led me to believe that new functionality was recently added, or a bug had been introduced during the last patch update. A quick check of Sunsolve verified that this error was due to a bug in smpatch(1m), and the bug report indicated that a patch was not available. As with any software fix, it could take a while to produce a patch for this issue, so I decided to create a work-around in the interim.

The first step in my work-around uses the ‘smpatch analyze’ output to get the list of patches to apply:

$ smpatch analyze | awk '{print $1}' | more
119828-03
118890-01
119580-01
120844-01
119573-01
118371-04
[ ….. ]

The analyze operation will check the current patch levels against a master database at getupdates.sun.com. If smpatch(1m) determines that a patch is out of date, it will be displayed in the output. Each patch identifier produced by the analyze option can be downloaded to the local disk drive with smpatch(1m)’s download option. Smpatch(1m) will place the downloaded files in “/var/sadm/spool” by default, but allows you to change this default behavior with the “-d” (directory location to store files) option:

$ smpatch download -d /var/tmp -i 119145-05
com.sun.patchpro.util.Percentage@8ddb93
119145-05 has been validated.

This example uses smpatch(1m)’s “-i” (patch identifier) option to download one of the patches produced by the analyze operation. If you would prefer to download all of the patches that are produced during the analyze operation, you can pass a file with a list of patch identifiers to smpatch(1m)’s “-x” (list of patches to download) option:

$ smpatch download -d /var/tmp -x idlist=/var/tmp/patch.list

Once the patch(es) finish downloading, the unzip(1) utility can be used to uncompress and extract the archive:

$ cd /var/tmp && unzip -q /var/tmp/119145-05.jar

Once unzip(1) finishes extracting the archive, the patchadd(1m) utility can be used to apply the patch:

$ patchadd 119145-05

Validating patches…

Loading patches installed on the system…

Done!

Loading patches requested to install.

Done!

Checking patches that you specified for installation.

Done!

Approved patches will be installed in this order:

119145-05
Preparing checklist for local zone check…

Checking local zones…

Booting local zone oracle for patch check…
## waiting for zone to enter single user mode…
## waiting for zone to enter single user mode…
## waiting for zone to enter single user mode…
## waiting for zone to enter single user mode…
Restoring state for local zone oracle…
Booting local zone build for patch check…
## waiting for zone to enter single user mode…
## waiting for zone to enter single user mode…
## waiting for zone to enter single user mode…
## waiting for zone to enter single user mode…
Restoring state for local zone build…

This patch passes the local zone check.
119145-05

Summary for zones:

Zone oracle

Rejected patches:
None.

Patches that passed the dependency check:
119145-05

Zone build

Rejected patches:
None.

Patches that passed the dependency check:
119145-05

Zone irc

Rejected patches:
None.

Patches that passed the dependency check:
119145-05

Patching global zone
Adding patches…

Checking installed patches…
Verifying sufficient filesystem capacity (dry run method)…
Installing patch packages…

Patch 119145-05 has been successfully installed.
See /var/sadm/patch/119145-05/log for details

Patch packages installed:
SUNWadmc

Done!
Patching local zones…

Patching zone oracle
Booting local zone oracle for patching…
## waiting for zone to enter single user mode…
## waiting for zone to enter single user mode…
## waiting for zone to enter single user mode…
Adding patches…

Checking installed patches…
Verifying sufficient filesystem capacity (dry run method)…
Installing patch packages…

Patch 119145-05 has been successfully installed.
See /var/sadm/patch/119145-05/log for details

Patch packages installed:
SUNWadmc

Done!
Restoring state for local zone oracle…

Patching zone build
Booting local zone build for patching…
## waiting for zone to enter single user mode…
## waiting for zone to enter single user mode…
## waiting for zone to enter single user mode…
Adding patches…

Checking installed patches…
Verifying sufficient filesystem capacity (dry run method)…
Installing patch packages…

Patch 119145-05 has been successfully installed.
See /var/sadm/patch/119145-05/log for details

Patch packages installed:
SUNWadmc

Done!
Restoring state for local zone build…

Once the patch installation process completes, you can remove the patch and META-INF files in the work directory:

$ rm -rf /var/tmp/119145-05.jar /var/tmp/119145-05 /var/tmp/META-INF
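
The work-around above as one script, added here as an example; it is not the author's autopatch script. The function names, the RUN dry-run switch and the /var/tmp/patchwork directory are assumptions of this example, and patch identifiers are validated because they end up in patchadd and rm -rf paths that run as root.

```sh
#!/bin/sh
# Added example, not the author's autopatch script.
# RUN=echo (the default) only prints each command. To patch for real, as
# root: set RUN= before sourcing, then: smpatch analyze | apply_all DIR
RUN=${RUN-echo}

# Constructed sample: analyze lines from the post plus two junk lines.
sample_analyze() {
    cat <<'EOF'
119145-01 SunOS 5.10: usr/snadm/lib Patch
Failure: cannot reach update server
119042-02 SunOS 5.10: patch usr/sbin/svccfg
119143-2 truncated identifier
117463-02 SunOS 5.10: passwdutil Patch
EOF
}

# Emit only first-column tokens shaped like NNNNNN-NN, the form of every
# patch ID on this page (assumed to hold for all IDs). Nothing else may
# pass, because these strings are used to build rm -rf and patchadd paths.
patch_ids() {
    awk '$1 ~ /^[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9]$/ { print $1 }'
}

# Download, unpack, apply and clean up one patch inside work directory $1.
apply_patch() {
    dir=$1 id=$2
    $RUN smpatch download -d "$dir" -i "$id" </dev/null || return 1
    $RUN unzip -q "$dir/$id.jar" -d "$dir" </dev/null || return 1
    $RUN patchadd "$dir/$id" </dev/null || return 1
    $RUN rm -rf "$dir/$id.jar" "$dir/$id" "$dir/META-INF"
}

# Read analyze output on stdin and apply the patches in the order listed,
# stopping at the first failure so later patches are not applied.
apply_all() {
    dir=$1
    patch_ids | while read id; do
        apply_patch "$dir" "$id" || { echo "stopped at $id" >&2; exit 1; }
    done
}

# Stand-alone dry run over the sample; prints commands, changes nothing.
if [ "$RUN" = echo ]; then
    sample_analyze | apply_all /var/tmp/patchwork
fi
```

For a real run, point apply_all at a directory that only root can write to, since the archives are unpacked and installed from it.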

I am not real sure how long smpatch(1m) will be broken, so I created autopatch to ease the patch process in the interim. Please review the script and test it in a non-production environment prior to use. If you run into any issues with autopatch, post a comment to let me know what issues you encountered (I have used it on several systems, and have yet to encounter any issues).

Automating Solaris patch installations

Solaris 10 now ships with the patchpro suite of utilities, which assist with analyzing and applying Operating System patches. Patchpro makes patch installation super easy, since you are not required to download recommended bundles, or dig through patchdiag information to find the “required” patches. The patchpro smpatch(1m) utility can be run with the analyze option to compare the current set of patches from updateserver.sun.com with what is installed on a server:

$ smpatch analyze

119145-01 SunOS 5.10: usr/snadm/lib Patch
119042-02 SunOS 5.10: patch usr/sbin/svccfg
117463-02 SunOS 5.10: passwdutil Patch
119143-02 SunOS 5.10: patch lib/libinetutil.so.1
118822-01 SunOS 5.10: kernel Patch

If you decide to download and install each patch listed by the analyze option, you can run smpatch(1m) with the update option:

$ smpatch update

119145-01 has been validated.
119042-02 has been validated.
117463-02 has been validated.
119143-02 has been validated.
118822-01 has been validated.
Installing patches from /var/sadm/spool...
119145-01 has been applied.
119042-02 has been applied.
117463-02 has been applied.
119143-02 has been applied.
118822-01 has been applied.
/var/sadm/spool/patchpro_dnld_2005.04.07@12:25:28:EDT.txt has been moved to /var/sadm/spool/patchproSequester/patchpro_dnld_2005.04.07@12:25:28:EDT.txt

Each smpatch run produces a logfile with notes on required reboots, and additional instructions:

$ cat /var/sadm/spool/patchproSequester/patchpro_dnld_2005.04.07@12:25:28:EDT.txt

This patch bundle was generated by PatchPro.

Please refer to the README file within each patch for installation
instructions. To properly patch your system, the following patches
should be installed in the listed order:

1) 119145-01
2) 119042-02
3) 117463-02 !!! REBOOT !!!
4) 119143-02 !!! REBOOT !!!
5) 118822-01 !!! REBOOT !!!

If you want to view the smpatch(1m) configuration options, you can run smpatch(1m) with the get option:

$ smpatch get

patchpro.backout.directory - ""
patchpro.download.directory - /var/sadm/spool
patchpro.install.types - rebootafter:reconfigafter:standard
patchpro.patch.source - https://updateserver.sun.com/solaris/
patchpro.patchset - patchdb
patchpro.proxy.host - ""
patchpro.proxy.passwd **** ****
patchpro.proxy.port - 8080
patchpro.proxy.user - ""
patchpro.sun.passwd **** ****
patchpro.sun.user - ""

smpatch(1m) contains several options in addition to “analyze,” “update” and “get.” The “add” option allows individual patches to be installed, “remove” backs out patches from a system, “download” grabs a patch from “patchpro.patch.source,” and “set” and “unset” are used to configure smpatch(1m).