Patch Management User Guide for HP-UX 11.x Systems

Abstract

This document helps less experienced system administrators acquire basic patch-related skills and knowledge in a short period of time and explains how to perform basic HP-UX patch management tasks. It aids system administrators in developing a basic patch management strategy. This document does not function as an all-encompassing source of information for patch management.
© Copyright 2004, 2010, 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
1 HP secure development lifecycle Starting with HP-UX 11i v3 March 2013 update release, HP secure development lifecycle provides the ability to authenticate HP-UX software. Software delivered through this release has been digitally signed using HP's private key. You can now verify the authenticity of the software before installing the products, delivered through this release. To verify the software signatures in signed depot, the following products must be installed on your system: • B.11.31.
2 HP-UX patches and patch management Patches are software that HP releases to deliver incremental updates to a system. Patches are best known for delivering defect fixes, but also deliver new functionality and features, enable new hardware, and update firmware. You can use HP-UX patches to update HP-UX software without having to completely reinstall a system application. For a description of patches, see Chapter 4: “HP-UX patch overview” (page 18).
How to get patches HP provides numerous ways to acquire patches, ensuring that system administrators with different goals and different levels of expertise can find a patch source to fit their needs. You can obtain patches individually or in groups of related patches known as patch bundles. This guide discusses the following HP-UX patch sources: • HP Support Center (HPSC) website: http://www.hp.
3 Quick start guide for patching HP-UX systems This quick start guide is for system administrators who have immediate patching needs. It is a limited solution to general patching issues. If you need in-depth information about patching, review the rest of this document and the other patch-related resources in Section : “Related information” (page 95). NOTE: You will require root user privileges to complete these procedures.
Please refer to “Acquiring and installing individual patches” (page 14) for more information. NOTE: In addition to the information in this guide, you should review the release notes for the product you are patching. Standard HP-UX patch bundles Table 2 shows the bundle names for the HP-UX 11i releases. See Chapter 6 (page 55) for more information. Table 2 Standard HP-UX patch bundle names Patch Bundle Name HP-UX 11i v1 (B.11.11) HP-UX 11i v2 (B.11.23) HP-UX 11i v3 (B.11.
9. Select the bundle/depot link. The bundles are cumulative; select the latest. The bundle's main page is displayed. It shows the following information and links: • Each patch contained in the bundle. If the bundle contains patches with warnings, which are notifications of known problems, they are listed near the top of the page. • All patch identifications (IDs) are linked to the patch database on the HPSC and provide detailed patch information.
You will see the message "* Verification succeeded."
5. Find the bundle names by entering this command:
   swlist -d @ /tmp/temporary_depot/depot
6. Record all bundle names. The bundle name is the first word of each line under the Bundle(s) heading.
7. This step is critical. When you install a QPK or HWE patch bundle, the system reboots automatically. Before you install a bundle (step 9), you need to follow your company's policy regarding a system reboot.
8. This step is critical.
that the patched root volume does not perform as you desire, you can quickly reboot the original system image. For more information, please see Chapter 10 (page 90). Acquiring and installing individual patches At times, you might find it necessary to acquire and install individual patches based on known patch IDs. For example, you might read an HP-UX security bulletin in which HP recommends that you install specific patches.
this column, it meets all requirements of the patch you requested. HP recommends you download and install this patch. • most recent: Shows the most recent version of the requested patch. The following icons might be displayed along with the patch ID. • This symbol means that the patch has a warning associated with it. You should review the warning text to determine whether it applies to the system. • This icon means that the patch has Special Installation Instructions. You should always read them.
. Click download. Make the appropriate selections (based on the browser you are using) to save the selected bundle to the /tmp/some_patch_directory directory on the target system. 17. Record the name of the file being downloaded. The following section refers to the file as patches.xxx. Installing the patches To install the downloaded patches, perform the following steps: 1. Log in to the target system. 2. Unpack the downloaded file, patches.xxx: • If the downloaded file is patches.
9. Monitor the screen for error messages. The system reboots automatically if any of the patches you are installing requires it. Be patient. The patch installation can be slow for large numbers of patches.
10. Verify that the installation was successful:
• Enter the command:
  swlist -l product
  Ensure that the installed patches are shown in the output.
• Execute the swverify command on each of the new patches:
  swverify patch_id
  ◦ This command might not always complete in a short period of time.
4 HP-UX patch overview

Patch-related concepts

Patch identification

HP assigns each HP-UX patch a unique identification or patch ID. Each HP-UX patch ID has the form PHXX_#####, where:
• PH is an abbreviation for Patch HP-UX
• XX is replaced with one of the following values for the HP-UX area being patched:
  ◦ CO = command patches
  ◦ KL = kernel patches
  ◦ NE = network patches
  ◦ SS = patches related to all other subsystems
• ##### is replaced with a unique four- or five-digit number.
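The PHXX_##### form can be checked mechanically before a list of patch IDs from a bulletin is acted on. The following shell sketch is an added example, not part of the HP guide: it validates IDs against that form and audits a required list against saved `swlist -l product` output. The function names and the required list are constructed for illustration; the sample listing reuses the swlist output shown in this guide.

```shell
#!/bin/sh
# Added example (not from the HP guide). Function names are hypothetical.

# patch_area ID
# Print the HP-UX area named by a patch ID of the form PHXX_#####
# (four or five digits). Return 1 if the ID does not match that form
# or XX is not one of CO, KL, NE, SS.
patch_area() {
    case "$1" in
        PH??_[0-9][0-9][0-9][0-9]) ;;
        PH??_[0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    case "$1" in
        PHCO_*) echo command ;;
        PHKL_*) echo kernel ;;
        PHNE_*) echo network ;;
        PHSS_*) echo subsystem ;;
        *) return 1 ;;
    esac
}

# audit_patches REQUIRED SWLIST_TEXT
#   REQUIRED:    whitespace-separated patch IDs to look for
#   SWLIST_TEXT: saved text of `swlist -l product`
# Prints one line per ID: "OK <id> <area>", "MISSING <id> <area>"
# or "INVALID <id>".
# By default swlist shows only the latest patches, so an ID reported
# MISSING may have been superseded; list with
# -x show_superseded_patches=true before concluding it is absent.
audit_patches() {
    # The first column of every non-comment, non-empty line is a product name.
    installed=$(printf '%s\n' "$2" | awk '!/^#/ && NF { print $1 }')
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' | while read -r id; do
        [ -n "$id" ] || continue
        if ! area=$(patch_area "$id"); then
            echo "INVALID $id"
        elif printf '%s\n' "$installed" | grep -qxF "$id"; then
            echo "OK $id $area"
        else
            echo "MISSING $id $area"
        fi
    done
}

# Sample listing: the swlist -l product output used as an example in this guide.
SAMPLE_SWLIST='# Initializing...
# Contacting target "chb26006"...
#
# Target:  chb26006:/
  PHCO_24198  1.0  ioscan(1M) patch
  PHCO_25831  1.0  SCSI Ultra160 driver Online Addition script
  PHCO_25841  1.0  Add Rock Ridge extension to mount_cdfs(1M)
  PHCO_26252  1.0  mount_vxfs(1M) cumulative patch'

# Constructed required list: one installed ID, one absent ID, and two
# malformed IDs (unknown area XX, too few digits).
audit_patches "PHCO_24198 PHKL_28766 PHXX_12345 PHSS_123" "$SAMPLE_SWLIST"
```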
  ◦ Filesets must exist within a product.
  ◦ Although a patch has a unique name, the names of the filesets contained in a patch match the corresponding base filesets that they patch.
• Product
  ◦ A product is a software object that is packaged and distributed for users to acquire and install.
  ◦ Products are composed of one or more filesets and might additionally contain one or more control scripts.
  ◦ A product can exist either within a bundle or as its own entity.
For more information about listing the products on a system, see “Which patches are on a system?” (page 23). You might also find yourself working with patch bundles if you use the HPSC Patch Assessment Tool, which allows you to create your own custom patch bundles. For more information, see Chapter 11: “The Patch Assessment Tool” (page 92). Software depots and patch depots Software depots, or simply depots, are an integral part of patch management.
Patch state A patch that has been installed on a target system is assigned an attribute called patch_state that provides information about a patch. For example, the patch_state tells you whether the patch has been committed or superseded. For more information about attributes, see “Patch-related attributes” (page 31). There are four values for patch_state: • applied The patch is currently active on the system and is the most recent member of its supersession chain to have been loaded.
• corrupt SD-UX has encountered an unexpected condition during software installation checks. • transient When SD-UX moves software from one location to another, the software is in a transient state. If an interruption occurs during the transfer, the state remains transient. For more information about these states, see the Software Distributor Administration Guide on the HP Business Support Center website at http://www.hp.com/go/sd-docs.
• special_release
  ◦ A patch with restricted distribution, usually intended for installation by one specific customer or set of customers.
  ◦ Information for special_release patches is not always available using the HPSC's Patch Database or other official HP information sources. However, you might encounter references to these patches when viewing information related to other patches.
  ◦ A patch cannot inherit this tag.
• critical
  ◦ A patch that repairs a critical problem.
# Bundle(s):
FEATURE11i   B.11.31.1303.391a  Feature Enablement Patches for HP-UX 11i v3, March 2013
HWEnable11i  B.11.31.1303.391   Hardware Enablement Patches for HP-UX 11i v3, March 2013
OnlineDiag   B.11.31.22.02      HPUX 11.31 Support Tools Bundle, March 2013
QPKAPPS      B.11.31.1303.391   Applications Patches for HP-UX 11i v3, March 2013
MOZILLA      1.4.0.00.00        Mozilla 1.
T1471AA      A.03.50.000
# Product(s) not
PHCO_32146   1.0
PHCO_32475   1.0
PHCO_34195   1.0
PHCO_35048   1.0
PHSS_35884   1.0
  ◦ Use wildcards [ ], *, ? in the specification of the software_selections if you want to make multiple selections. For example:
    – A specification of bun[12] selects software bun1 and bun2.
    – A specification of \* selects all software.
  ◦ View the manpage for sd(5) using the command:
    man 5 sd
• -x option=value
  ◦ Sets the option to the specified value.
  ◦ The default behavior of the swlist command is to show only the latest patches installed on a system.
For example:
$ swlist -l product *,c=manual_dependencies
# Initializing...
# Contacting target "chb26006"...
#
# Target: chb26006:/
PHCO_24198 1.0 ioscan(1M) patch
PHCO_25831 1.0 SCSI Ultra160 driver Online Addition script
PHCO_25841 1.0 Add Rock Ridge extension to mount_cdfs(1M)
PHCO_26252 1.0 mount_vxfs(1M) cumulative patch
...

The following command shows bundles on the system specified:
swlist -l level @ target_selections

For example:
$ swlist -l bundle @ some_system
# Initializing...
Ancestors and supersession The related concepts of ancestors and supersession are integral to patches and patch management. It is important that you gain a basic understanding of both. It might also be helpful for you to recall information presented in “HP-UX software structure” (page 18). Ancestors The ancestor of a patch is the original software product that a patch modifies. Ancestry is defined only at the fileset level.
PHSS_26619.AGRM,fa=HP-UX_B.11.11_32/64
PHSS_26622.AGRM,fa=HP-UX_B.11.11_32/64
PHSS_26638.AGRM,fa=HP-UX_B.11.11_32/64
PHSS_29169.AGRM,fa=HP-UX_B.11.11_32/64
PHSS_29183.AGRM,fa=HP-UX_B.11.11_32/64

For more information see the Software Distributor Administration Guide on the HP Business Support Center website at http://www.hp.com/go/sd-docs.

Supersession

Supersession is the process of replacing an earlier patch with a new patch. A new patch supersedes all previous patches for its particular patch chain.
Advanced topic: displaying supersession information

By default, the swlist command does not show superseded patches, but you can use the show_superseded_patches option to show them. Enter this command:
swlist -l patch -x show_superseded_patches=true

You can also use the HP-UX Patch Tool show_patches to show superseded patches. To show superseded patches, enter this command:
show_patches -s

You can list the filesets that have directly superseded the filesets of a given patch installed on the system.
You can use the following swlist command to show the patch_state attribute for patch patch_id:
swlist -a patch_state -x show_superseded_patches=true patch_id

It is important to note that the availability of a newer, superseding patch does not preclude the use of the older patch. Depending on the circumstances, a superseded patch might be a better choice than the patch superseding it. Older patches have had more exposure to varied, real-world use.
Figure 2 HP-UX Patch Supersession Chain

The supersession chain in Figure 2: “HP-UX Patch Supersession Chain” (page 31) is composed of two separate supersession chains that were combined when patch PHSS_29156 superseded both PHSS_29026 and PHSS_29008. Again, because of the cumulative nature of HP-UX patches, patch PHSS_29377 delivers all the features and fixes delivered by the other six patches in this supersession chain.
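Deciding whether a patch you already hold satisfies a bulletin that names an older patch means walking a supersession chain like the merged one described above. The following shell sketch is an added example, not part of the HP guide: the PHSS_9000x IDs, the two-column "OLD NEW" input format and the function names are constructed, standing in for the links that the superseded_by attribute records on an installed system.

```shell
#!/bin/sh
# Added example (not from the HP guide). Input format and names are constructed.
# Each EDGES line is "OLD NEW": patch OLD was directly superseded by patch NEW.

# chain_head PATCH EDGES
# Print the newest patch reachable from PATCH by following the links.
chain_head() {
    printf '%s\n' "$2" | awk -v start="$1" '
        NF == 2 { succ[$1] = $2 }
        END {
            cur = start
            # Bound the walk by the number of input lines so that a
            # malformed, cyclic input cannot loop forever.
            for (i = 0; i < NR && (cur in succ); i++) cur = succ[cur]
            print cur
        }'
}

# covers CANDIDATE REQUIRED EDGES
# Exit 0 if CANDIDATE is REQUIRED itself or a later member of REQUIRED's
# chain (patches are cumulative, so it delivers REQUIRED's fixes).
# Exit 1 otherwise, including when CANDIDATE is older or on another branch.
covers() {
    printf '%s\n' "$3" | awk -v cand="$1" -v req="$2" '
        NF == 2 { succ[$1] = $2 }
        END {
            cur = req
            for (i = 0; i <= NR; i++) {
                if (cur == cand) { found = 1; break }
                if (!(cur in succ)) break
                cur = succ[cur]
            }
            exit(found ? 0 : 1)
        }'
}

# Constructed chain of seven patches: two branches (90001 -> 90002 and
# 90003 -> 90004) merge at 90005, which is followed by 90006 and 90007.
SAMPLE_EDGES='PHSS_90001 PHSS_90002
PHSS_90002 PHSS_90005
PHSS_90003 PHSS_90004
PHSS_90004 PHSS_90005
PHSS_90005 PHSS_90006
PHSS_90006 PHSS_90007'

echo "head of chain for PHSS_90003: $(chain_head PHSS_90003 "$SAMPLE_EDGES")"
if covers PHSS_90005 PHSS_90003 "$SAMPLE_EDGES"; then
    echo "PHSS_90005 delivers the fixes of PHSS_90003"
fi
if ! covers PHSS_90002 PHSS_90003 "$SAMPLE_EDGES"; then
    echo "PHSS_90002 is on the other branch and does not cover PHSS_90003"
fi
```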
The following list describes a subset of available attributes:
• ancestor
  ◦ Applies to filesets.
  ◦ Identifies the fileset that must be on the system for the patch to be installable.
• category_tag
  ◦ Applies to products or filesets.
  ◦ Provides a label for a fileset or product. Several tags are defined during patch creation; users can create others with the swmodify command.
  ◦ See “Category tags” (page 22).
• is_patch
  ◦ Applies to both patch products and filesets.
• supersedes
  ◦ Applies to patch filesets.
  ◦ Lists all prior filesets that a patch fileset supersedes.
  ◦ See “Ancestors and supersession” (page 27).
• superseded_by
  ◦ Applies to patch filesets.
  ◦ Records the software specification of the fileset that superseded the fileset on a given system. This attribute is set only for installed patch filesets, and never in software depots.
  ◦ See “Ancestors and supersession” (page 27).
Types of dependencies HP provides patch dependency information for a patch in its patch details page and its patch text file. The dependency information is contained in the following fields: • Patch Dependencies Patches that are required for proper operation. • Other Dependencies Various dependencies that cannot be described as patch dependencies, such as those that are needed only under specific circumstances.
Impact of dependencies on acquiring patches HP strongly recommends that you use the HPSC as your primary source for acquiring patches. If you acquire individual patches using the HPSC's Patch Database, the patches required to meet the dependencies of these patches are automatically selected for download along with the patches you selected manually. The analysis performed by the Patch Database to select these patches takes into account supersession and patch warnings.
Patch commitment Allowing for patch rollback does come at a cost, because the files required for patch rollback consume disk space. If disk space is an issue on a system, you can commit the patches; a process that deletes the associated rollback files, thereby freeing disk space. If disk space is not an issue on a system, you should avoid committing the patches, and leave rollback files in place.
All information has been logged to /var/adm/cleanup.log.
### Cleanup program completed at 04/13/04 07:17:40

HP-UX patch ratings

HP-UX patches have a corresponding quality rating called the HP rating. HP assigns a patch rating of 1 (numeral or star) to each HP-UX patch when it is released. Over time, HP might update the rating value to 2 or 3 (numeral or stars) to convey increased confidence in the patch.
Rating details The following list provides more details on patch ratings of 2: • These patches have met minimum criteria based on the number of days available to customers and the number of times downloaded with no problems reported. • These patches might appear in the recommended column of the HPSC's Patch Database patch search results page (provided they have no associated patch warnings). HP patch rating of 3 Rating 3 is the highest rating HP assigns to a patch.
Critical patches have a critical category tag. The category tags (and swlist command used to acquire the category tags) for patch PHSS_30011 are shown in the following screen. See “Category tags” (page 22) for more information.
$ swlist -l product -a category_tag PHSS_30011
# Initializing...
# Contacting target "some_system"...
Table 4 Subset of fields in patch text file and patch details page (continued)

Field | Description
Category Tags | A listing of the categories associated with this patch. For more information, see “Category tags” (page 22).
Symptoms | The symptoms of the problem.
Defect Description | A detailed description of the defect.
Enhancement | This is set to Y if the patch is an enhancement.
Patch Dependencies | All patches that this patch depends upon for proper operation.
Accessing information on the HPSC

1. Log in to the HPSC at http://www.hp.com/go/hpsc. Be sure to log in to the appropriate site (Americas/Asia Pacific or European).
2. Select Patch database from the left navigation.
3. Select find individual patches.
4. Select HP-UX to go to the search for patches page.
5. To find instructions, select the How would you like to search?, Search Criteria and read our usage guide links.
6. Select the OS revision.
The Warning field contains the following information: • The issue date of any warnings (year/month/day format) • Whether the patch warning is critical or noncritical (see “Critical and noncritical warnings” (page 42)) • A description of the problem • A suggested course of action for the problem might be provided • A reference to a replacement patch might be provided See “Finding information for a specific patch” (page 39) for a description of how you can access a patch details page and a patch tex
Questions to ask If you must deal with a patch that has a warning, consider the following questions in deciding whether or not to use, or continue to use, the patch: • Is the system environment susceptible to the problem? A patch with a warning might not cause problems for every customer. Exposure depends on the system-use models, and whether you have any of the affected configurations. The previous screen is a good example of this situation.
Considerations
• You should have a detailed recovery plan formulated before you install any patches.
• You should know how long the system can be down for patch installation, and set aside a portion of that time for recovery in case it is required.
• When patching critical systems, some customers have a redundant environment in place to take over in the event that anything goes wrong with the production system.
5 Patch management overview Patch management is a process used to ensure that the appropriate patches are installed on a system. Patch management is becoming increasingly important for users of all types of systems, from desktop systems to mission-critical servers. Industry experience has shown that failures in patch management can lead to financial loss, loss of data, exploitation of security vulnerabilities, and other negative consequences.
Second, use standard HP-UX patch bundles as your starting point: • HP provides standard HP-UX patch bundles including the Quality Pack (QPK), Hardware Enablement (HWE), and Feature Enablement Patch Bundle (FEATURE11i) patch bundles. The QPK consists of defect fixes and the HWE consists of patches that are required for new hardware products. The FEATURE11i bundle enables new features and enhancements to the HP-UX operating system and applications by providing the complete, minimal set of patches required.
Some specific criteria to consider when planning your change: • ◦ Backup of your system. ◦ System down time.
You should keep all similarly configured production systems at the same patch level. 5. Managing patch-related changes to systems. • You might find it helpful to log all patch-related system changes. • You might find it helpful to document the results of patch testing and installation. • Many customers find it helpful to have a formal change-request process associated with their patch management process.
The following are three strategies for software change management.
• Change Management Covers all processes and standards used to manage data center operations. • Test Environment Includes systems, software, and equipment used to support the production operations. The test environment is used to evaluate changes before they are put into production. Table 6: “Recommendations based on strategy” (page 50) offers recommendations to help you implement your chosen software change management strategy.
then use these depots as your patch source for all patch installations. In this way, you can maintain the same patch level on all the systems with less overall effort. Using depots also minimizes reboots when you install new patches. You should be able to install the entire content of a single depot with only a single reboot. For more information about these SD-UX software depots, see Chapter 8: “Using software depots for patch management” (page 67).
bundle. New HP-UX core enhancements are introduced as part of the Software Pack (SPK). If you want to install one of these new features, see the Software Pack documentation on the HP Business Support Center website at http://www.hp.com/go/spb-docs. • All the standard HP-UX patch bundles can be downloaded from the HPSC and are available on media from HP. For more information, see Chapter 6: “What are standard HP-UX patch bundles?” (page 55).
Reactive patching has some important disadvantages as compared with proactive patching. The process of identifying a problem fix can be made more difficult as your system falls further behind the most recent patch levels available. In addition, the required patch will likely contain much more new content than if you had performed frequent proactive updates.
Advanced topic: scanning for security patches You can use the SWA Tool to identify security patches for installation. This tool also identifies patches that have associated warnings. For more information about SWA, see Chapter 9: “Using HP-UX Software Assistant for patch management” (page 89). Testing the patches to be installed The single most important action that can ensure the success of a software patch is to first test the changes in a nonproduction environment.
6 What are standard HP-UX patch bundles? Patches can be grouped into collections known as patch bundles, or simply bundles. HP provides a number of prepackaged, standard HP-UX patch bundles that you can install as a unit. This chapter shows you how to obtain standard HP-UX patch bundles. Table 7: “Standard HP-UX patch bundle names” (page 55) shows the QPK and other standard patch bundles. HP tests these bundles rigorously to ensure a high level of reliability and updates many of them periodically.
Table 7 Standard HP-UX patch bundle names (continued)

Patch Bundle Name | HP-UX 11i v1 (B.11.11) | HP-UX 11i v2 (B.11.23) | HP-UX 11i v3 (B.11.31)
Quality Pack | GOLDAPPS11i | QPKAPPS | QPKAPPS
Quality Pack | GOLDBASE11i | QPKBASE | QPKBASE
Required | BUNDLE11i | BUNDLE11i | N/A

NOTE: Standard HP-UX patch bundles are cumulative, which means that you can install the latest version of the bundle to get all the previous changes. The standard HP-UX patch bundles (QPK, FEATURE11i, and HWE) might have overlapping content.
Obtaining standard HP-UX patch bundles The following options are available for obtaining patch bundles: • Option 1: HP-UX Software Assistant The SWA Tool is the preferred option for obtaining standard HP-UX patch bundles. See Chapter 9: “Using HP-UX Software Assistant for patch management” (page 89) for more information. • Option 2: HPSC You can obtain the standard HP-UX patch bundles from the HPSC. Access requires you have an HPSC login.
7 Using the HP Support Center The HP Support Center (HPSC) is a website you can personalize to provide a wide range of services and support, including support for HP-UX patch management. The HPSC website is your fastest connection to HP Support and is located at http://www.hp.com/go/hpsc. This chapter presents many of the HPSC HP-UX patch-related areas. You should explore the links on the HPSC main page and familiarize yourself with all the HPSC has to offer.
• collaborate
  ◦ “Ask your peers in the forums” (page 65)
• assessment and warranty
  ◦ “Custom patch bundles - run a patch assessment” (page 65)
• notifications
  ◦ “Support information digests” (page 65)

Find individual patches

The HPSC patch database should be your primary means of searching for patches, getting information about patches, and acquiring patches. The patch database is an excellent tool for system administrators who employ a reactive patch management strategy.
Table 9 Navigating the search results table

Term | Description
description | Provides a terse patch description for the specified patch.
specified | If you search for a specific patch it is displayed in the specified column, which is only shown when a search is done for a specific patch ID.
recommended | If there is an HP recommended patch, it appears in the recommended column and might not be the patch you searched for.
most recent | Shows the latest patch without a warning in the supersession chain.
7. Read through the following Advanced Topic sections, then continue with the procedures in “Check for patches with dependencies” (page 62) Advanced topic: checking for special installation instructions Some patches might have extra installation instructions, called special installation instructions, that you should follow to install the patch successfully. The following steps show you how to access these instructions. 1.
Advanced topic: checking for all patch dependencies The Patch Database automatically selects patches to meet certain dependencies for patches that have been selected for download. The Patch Database can detect and select patches that are required to meet enforced dependencies, and in most cases this is sufficient. However, if any of the patches selected for download have unenforced (manual) dependencies on other patches, the Patch Database does not identify these.
For example, the Other Dependencies section for PHKL_28766 shows that PHKL_21549 is needed only if you want a specific performance improvement. If not, you do not need to download the listed patch.

Other Dependencies
PHKL_21549 is required when using the gang scheduler. Without PHKL_21549, the gang scheduler exhibits unacceptable performance after this patch is installed.
3. Return to the selected patch list page by selecting the view selected patch list link located in the upper right corner of the patch details page. If any patches were noted in step 2 for other dependencies or special installation instructions, verify they are listed in the selected patch list. If not, you should add each one. To do this, select the add patches link. • Enter your search criteria, including the patch ID for a search by patch ID, and then click search.
Standard patch bundles The find standard patch bundles link on the patch database page provides the find bundles page to help you acquire standard HP-UX patch bundles. See Chapter 6: “What are standard HP-UX patch bundles?” (page 55) for more information. Custom patch bundles - run a patch assessment The Patch Assessment Tool allows you to create custom patch bundles specific to an environment. This web-based tool replaced the Custom Patch Manager Tool.
Key features The Knowledge Base helps you to do the following: • Solve problems yourself with timely technical support information. • Search the HP Knowledge Base for technical documents, including patch information, security bulletins, and service requests related to HP-UX and a variety of other areas. • Retrieve a specific document using its document identification (ID). To access the knowledge base page: 1. Log in to the HPSC at http://www.hp.com/go/hpsc. 2.
8 Using software depots for patch management A software depot, or simply depot, is a special type of file or directory formatted for use by Software Distributor for HP-UX (SD-UX). Depots can contain a variety of software products. This chapter focuses specifically on depots as repositories for patches and patch bundles. These depots are commonly referred to as patch depots. Common uses for patch depots include the following: • Patch depots are an extremely effective mechanism for managing patches.
Table 10 SD commands and patch tools (continued) SD-UX Command Description This command is available on 11i v3 systems, and is available as a patch in preceding HP-UX versions: • PHCO_27780: 11.11 HP-UX Patch Tools • PHCO_32220: 11.23 HP-UX Patch Tools See cleanup(1M) for more information. show_patches List patches installed on a system or in a depot. Options allow you to list patches that are active, superseded, require Special Installation Instructions, or have any Other Dependencies.
For patch management, directory depots offer the following advantages over tape depots: • Can be made available to remote users. See “Registering and unregistering directory depots” (page 75). • Are optimized for random access by multiple simultaneous sessions. • Allow for customized access controls. See “Advanced topic: access control lists” (page 76). • Allow SD-UX verification. See “Verifying directory depots” (page 76). • Allow modification.
encounter known failures and to bring systems up to the latest level of security patches. You can use this depot as the starting point for the next version of the periodic patch depot. • Application depot — contains patches specific to a given application. This type of depot might actually be a specific version of a periodic patch depot. After you have identified the need that a specific depot will address, you should determine whether a directory depot or a tape directory best suits your needs.
Examples of the swlist command

To view a list of registered depots on the local system, use this command:
swlist -l depot

For example:
$ swlist -l depot
# Initializing...
# Target "my_system" has the following depot(s):
/var/spool/sw
/bundles/sp1209/QPK1131/depot380
/bundles/sp1209/HWEnable11i/depot380
/bundles/sp1209/FEATURE11i/depot380

To view a list of registered depots on a remote system, use this command:
swlist -l depot @ remote_system

For example:
$ swlist -l depot @ swdepot.xyz.
For more information about the swlist command, see the Software Distributor Administration Guide on the HP Business Support Center website at http://www.hp.com/go/sd-docs. Creating and adding to a directory depot You can use the swcopy command to create a directory depot from an existing tape or directory depot. Software objects from the source depot are copied into the target directory. By default, the swcopy command automatically registers newly created directory depots for use by Software Distributor.
• software_selections
  ◦ Specifies the software to be copied.
  ◦ Replace software_selections with a wildcard to copy multiple products to the target depot with one command. For example:
    – \* selects everything from the source depot.
    – \*,c=patch selects all patches from the source depot.
    – PHXX_12345 selects patch PHXX_12345 from the source depot.
• @ [target_system:]/directory_path/target_depot
  ◦ Specifies the depot directory into which the selected patches will be copied.
    PHCO_27752  1.0  audevent(1M) cumulative patch
    PHCO_27758  1.0  gsp parser & DIMM labels
    PHCO_27780  1.0  HP-UX Patch Tools
    PHCO_27781  1.0  su(1) cumulative patch
    PHCO_27828  1.0  ups_mond(1M) cumulative patch
    ...
Note the patch to be copied into the target_depot.
4. Execute the swcopy command in preview mode by including the -p argument:
    $ swcopy -p -s remote_system:/depot/patches/11.11 PHCO_27780 \
      @ /my_depots/new_directory_depot
The swcopy command generates a log file.
Registering and unregistering directory depots

You must register a directory depot if you want its contents to be available for remote access by SD-UX commands across a network. Conversely, you might have to restrict remote access to a specific directory depot. For example, you might be in the process of creating a directory depot to use for patch installation on production systems.
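Because registering a depot makes it reachable by SD-UX commands across the network, the registered set is worth comparing against what was approved. This added example (not from the HP guide) does that over saved swlist -l depot output; the function names, the approved-list file format and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list registered depots that are not on an approved list.
# $1 = saved output of "swlist -l depot" (local or "@ remote_system")
# $2 = approved depot paths, one per line; lines starting with # are comments

unapproved_depots() {
    awk '
        # Test FILENAME rather than NR==FNR: with an empty approved list,
        # NR==FNR would treat the swlist output itself as the approved list.
        FILENAME == ARGV[1] { if (NF && $1 !~ /^#/) ok[$1] = 1; next }
        NF == 0 || $1 ~ /^#/ { next }    # blank lines and the "# ..." banner
        !($1 in ok) { print $1 }
    ' "$2" "$1"
}

depot_audit() {    # status 0 only when every registered depot is approved
    if [ ! -r "$1" ] || [ ! -r "$2" ]; then return 2; fi
    extra=$(unapproved_depots "$1" "$2") || return 2
    if [ -z "$extra" ]; then return 0; fi
    printf '%s\n' "$extra" | sed 's/^/unapproved registered depot: /' >&2
    return 1
}

# Constructed sample data: the guide's swlist listing plus one extra depot.
tmp=${TMPDIR:-/tmp}/depot_audit.$$
mkdir -m 700 "$tmp" || exit 1
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/swlist.out" <<'EOF'
# Initializing...
# Target "my_system" has the following depot(s):
  /var/spool/sw
  /bundles/sp1209/QPK1131/depot380
  /my_depots/new_directory_depot
EOF
cat > "$tmp/approved" <<'EOF'
# depots cleared for remote access (hypothetical policy file)
/var/spool/sw
/bundles/sp1209/QPK1131/depot380
EOF
: > "$tmp/empty"    # an empty policy must flag every depot, not none

rc=0; depot_audit "$tmp/swlist.out" "$tmp/approved" || rc=$?
echo "audit status with approved list: $rc"
rc=0; depot_audit "$tmp/swlist.out" "$tmp/empty" 2>/dev/null || rc=$?
echo "audit status with empty list: $rc"
```

A depot flagged here is a candidate for the swreg -u -l depot step the guide describes for unregistering.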
    * Selection succeeded.
    ======= 03/26/13 13:33:37 IST END swreg SESSION (non-interactive)

Advanced topic: access control lists

If you require finer control over directory depot access, you should familiarize yourself with Access Control Lists (ACLs) and the swacl command. You can use ACLs to grant a variety of access rights to certain systems or users. For more information, see the Software Distributor Administration Guide on the HP Business Support Center website at http://www.hp.com/go/sd-docs.
    $ swverify -d \* @ /my_depots/new_directory_depot
    ======= 05/03/04 12:28:51 MDT BEGIN swverify SESSION (non-interactive) (jobid=my_system-0831)
    * Session started for user "some_user@my_system".
    * Beginning Selection
    * Target connection succeeded for "my_system:/my_depots/new_directory_depot".
    * Software selections:
        PHCO_27780.CMDS-AUX,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,fr=1.0,fa=HP-UX_B.11.11_32/64
    * Selection succeeded.
    * Beginning Analysis
    * Session selections have been saved in the file "/.
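An added example, not part of the HP guide: a shell gate that reads a saved swverify session log like the ones in this section and fails closed unless the named depot verified cleanly. The log text is constructed from the output shown here, the function names are hypothetical, and the success marker is an assumption carried over from the guide's swcopy and swremove sessions.

```shell
#!/bin/sh
# Added example: fail-closed gate on a saved swverify session log.
# Status: 0 = depot verified, 1 = verification failed,
#         2 = log unusable (unreadable, cut short, wrong target, no success).
# Assumption: a passing run logs 'The analysis phase succeeded for "<target>"'.

flatten() {    # join wrapped log lines so markers match across line breaks
    tr '\n' ' ' < "$1" | tr -s ' '
}

swverify_gate() {    # usage: swverify_gate LOGFILE HOST:/DEPOT_PATH
    [ -r "$1" ] || return 2
    flat=$(flatten "$1")
    case $flat in *"END swverify SESSION"*) ;; *) return 2 ;; esac
    case $flat in
        *"Target connection succeeded for \"$2\""*) ;;
        *) return 2 ;;
    esac
    # A failure marker anywhere in the session outranks any success line.
    case $flat in
        *"phase failed for"*|*"Verification had errors"*) return 1 ;;
    esac
    case $flat in
        *"The analysis phase succeeded for \"$2\""*) return 0 ;;
    esac
    return 2
}

swverify_followup() {    # print the swjob command quoted in the NOTE, if any
    flatten "$1" | sed -n 's/.*command "\(swjob -a log [^"]*\)".*/\1/p'
}

# Constructed sample logs modelled on the guide's output (timestamps invented).
tmp=${TMPDIR:-/tmp}/swverify_gate.$$
mkdir -m 700 "$tmp" || exit 1
trap 'rm -rf "$tmp"' EXIT
ok_depot=my_system:/my_depots/new_directory_depot
bad_depot=my_system:/my_depots/PHSS_30278_depot
cat > "$tmp/pass.log" <<EOF
======= 05/03/04 12:28:51 MDT BEGIN swverify SESSION (jobid=my_system-0831)
       * Target connection succeeded for "$ok_depot".
       * The analysis phase succeeded for
         "$ok_depot".
======= 05/03/04 12:28:59 MDT END swverify SESSION (jobid=my_system-0831)
EOF
cat > "$tmp/fail.log" <<EOF
======= 05/03/04 13:03:40 MDT BEGIN swverify SESSION (jobid=my_system-0841)
       * Target connection succeeded for "$bad_depot".
       * The analysis phase failed for "$bad_depot".
       * Verification had errors.
NOTE:    More information may be found in the agent logfile using the
         command "swjob -a log my_system-0841 @
         $bad_depot".
======= 05/03/04 13:04:01 MDT END swverify SESSION (jobid=my_system-0841)
EOF
sed '$d' "$tmp/pass.log" > "$tmp/cut.log"    # same log without its END banner

for name in pass cut; do
    rc=0; swverify_gate "$tmp/$name.log" "$ok_depot" || rc=$?
    echo "$name.log: status $rc"
done
rc=0; swverify_gate "$tmp/fail.log" "$bad_depot" || rc=$?
echo "fail.log: status $rc; next: $(swverify_followup "$tmp/fail.log")"
```

Status 2 is kept distinct from 1 so that an interrupted or mismatched log is never read as a clean depot.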
    * The analysis phase failed for "my_system:/my_depots/PHSS_30278_depot".
    * Verification had errors.
    NOTE: More information may be found in the agent logfile using the command "swjob -a log my_system-0841 @ my_system:/my_depots/PHSS_30278_depot".
    ======= 05/03/04 13:04:01 MDT END swverify SESSION (non-interactive) (jobid=my_system-0841)

Removing software from a directory depot

If you need to remove patches from a directory depot, you can do so by using the swremove command.
        v=HP,fr=1.0,fa=HP-UX_B.11.11_32/64
    * Selection succeeded.
    * Beginning Analysis
    * Session selections have been saved in the file "/.sw/sessions/swremove.last".
    * The analysis phase succeeded for "my_system:/my_depots/new_directory_depot".
    * Analysis succeeded.
    * Beginning Execution
    * The execution phase succeeded for "my_system:/my_depots/new_directory_depot".
    * Execution succeeded.
removes superseded patches; the output states “PHCO_24630 superseded by PHCO_27780”.
    $ /usr/sbin/cleanup -p -d /my_depots/patch_depot
    ### Cleanup program started at 05/04/04 07:48:27
    Preview mode enabled. No modifications will be made.
    Cleanup of depot '/my_depots/patch_depot'.
    Obtaining the list of patches in the depot: /my_depots/patch_depot ...done.
    Obtaining the list of superseded 11.X patches in the depot: /my_depots/patch_depot ...
1. Use the following swreg command to unregister the depot:
    $ swreg -u -l depot /my_depots/PHCO_27780_depot
    ======= 08/06/04 14:10:35 MDT BEGIN swreg SESSION (non-interactive)
    * Session started for user "root@my_system".
    * Beginning Selection
    * Targets: my_system
    * Objects: /my_depots/PHCO_27780_depot
    * Selection succeeded.
    ======= 08/06/04 14:10:36 MDT END swreg SESSION (non-interactive)
2.
• -x patch_match_target=true
  Selects for installation only those patches that correspond to products installed on the target system.
• software_selections
  Specifies the software to be installed. If you use the -x patch_match_target=true option, you do not need to specify a software selection. To install multiple products to the target depot with one command, replace software_selections with a wildcard. For example:
  ◦ \* selects everything from the source depot.
        fr=B.11.11.22,fa=HP-UX_B.11.11_32/64
    * Selection succeeded.
    * Beginning Analysis
    * Session selections have been saved in the file "/.sw/sessions/swinstall.last".
    * The analysis phase succeeded for "my_system:/".
    * Analysis succeeded.
    NOTE: More information may be found in the agent logfile using the command "swjob -a log my_system-0856 @ my_system:/".
    =======
Installing products with patch dependencies from a depot

Set autoselect_patches=false when using swinstall for selection of applications on HP-UX media or directory depots with multiple patch bundles. The default use of autoselect_patches=true might select extra patches from other patch bundles. Most products will only require a few patches that are delivered in the FEATURE11i bundle.
and tedious to determine if all 10 patches are listed because they are interspersed among all the other patches in the output. For example:
    #
    # Bundle(s):
    #
    SOME_BUNDLE_001 rev
    SOME_BUNDLE_002 rev
    #
    # Product(s) not contained in a Bundle:
    #
    SOME_PATCH_001 rev
    INDIVIDUAL_XYZ_PATCH_001 rev
    SOME_PATCH_002 rev
    SOME_PATCH_003 rev
    SOME_PATCH_004 rev
    INDIVIDUAL_XYZ_PATCH_002 rev
    ...
    SOME_PATCH_067 rev
    SOME_PATCH_068 rev
    SOME_PATCH_069 rev
    INDIVIDUAL_XYZ_PATCH_010 rev
    ...
PATCH_ASSESSMENT_05042005. Note that 05042005 represents the date on which the patch assessment was performed.
1. List the patches in the temporary depot /my_depots/temporary_depot/, which contains the patches identified by the patch assessment. For example:
    $ swlist -d @ /my_depots/temporary_depot/
    # Initializing...
    # Contacting target "my_system"...
    # Target: my_system:/my_depots/temporary_depot/
    #
    # No Bundle(s) on my_system:/my_depots/temporary_depot/
    # Product(s):
    #
    PHCO_24587 1.
        fr=1.0,fa=HP-UX_B.11.11_32/64
        PHCO_28830.CORE-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,fr=1.0,fa=HP-UX_B.11.11_32/64
        PHCO_28830.PAUX-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,fr=1.0,fa=HP-UX_B.11.11_32/64
        PHCO_28830.SEC-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,fr=1.0,fa=HP-UX_B.11.11_32/64
    * Selection succeeded.
    * Beginning Analysis
    * Session selections have been saved in the file "/.sw/sessions/swcopy.last".
    * The analysis phase succeeded for "my_system:/my_depots/periodic_depot/".
    # Target: my_system:/my_depots/periodic_depot/
    #
    # Bundle(s):
    #
    PATCH_ASSESSMENT_05042004 1.0 May 04, 2004: HP-UX 11.11 Patch Assessment Patches
7. Finally, remove the temporary depot.
9 Using HP-UX Software Assistant for patch management

HP-UX Software Assistant (SWA) is a tool that consolidates and simplifies patch management and security bulletin management on HP-UX systems. It is the HP-recommended utility for maintaining currency with HP-published security bulletins and recommended patch levels for HP-UX 11i software. SWA's major functions are:
• Analysis – SWA runs as a client-side patch and security analysis tool.
10 Using Dynamic Root Disk for patch management

This chapter introduces the HP-UX Dynamic Root Disk (DRD) tool for patching HP-UX systems and reducing system downtime. DRD provides you with the ability to clone an HP-UX system image to an inactive disk, and then:
• perform system maintenance on the clone while your HP-UX 11i system is online.
• automatically synchronize the active image and the clone, eliminating the need to manually update files on the clone.
For more information
• See the DRD webpage at http://www.hp.com/go/drd for links to download the DRD product free of charge and to access DRD documentation, including the release notes, administrators guide, and white papers.
• The Patch Usage Models in Appendix A (page 99) provide information on where DRD fits into the overall patch process.
• The DRD manpages describe the commands and provide examples. For HP-UX releases, the manpages are available from the command line using the man drd command.
11 The Patch Assessment Tool

Benefits of the Patch Assessment Tool

You can use the Patch Assessment Tool to create custom patch bundles for individual HP-UX systems and for multiple systems you manage as a group. The Patch Assessment Tool simplifies the bundle creation process by guiding you through system-based patch analysis and selection. HP's web-based Patch Assessment Tool is available on the HP Support Center (HPSC) website at http://www.hp.com/go/hpsc.
3. Select run a patch assessment. The run a patch assessment page is displayed.
4. 5.
You can access information regarding the use of the Patch Assessment Tool, including how to complete the tasks in the previous list, from the useful links navigation menu on the run a patch assessment page. Some links include the following topics:
• running a patch assessment
• configuring an assessment profile
• interpreting assessment results
To run an assessment, you must complete the following tasks.
Tool, but you must perform intermediate steps to transfer files to the system you are using to access the HPSC and the system to be analyzed.
1. Open a browser window on the target system.
2. Log in to the HPSC at http://www.hp.com/go/hpsc.
3. Select Patch database from the left navigation.
4. Select run a patch assessment. The run a patch assessment page is displayed. This is the home page for the Patch Assessment Tool. You can see that no system information has been uploaded.
5.
12 Support and other resources

Contacting HP

Before you contact HP

Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Service agreement ID (SAID)
• Product serial number
• Product model name and number
• Product identification number
• Applicable error message
• Add-on boards or hardware
• Third-party hardware or software
• Operating system type and revision level

HP contact information

For the name of the ne
• Support Plus User Guide
• Read Before Installing Support Plus

HP websites
• HP Home Page
• HP-UX 11i features and news
• Software Assistant
• Dynamic Root Disk
• Ignite-UX
• HP Support Center
• HP Software Depot
• Software Distributor
• System diagnostic and monitoring tools
• HP HPSC hp-ux technical documentation forum
• HP_UX_Docs Twitter account

Typographic conventions

This document uses the following typographical conventions:
%, $, or # A percent sign represents the C shell
WARNING A warning calls attention to important information that if not understood or followed will result in personal injury or nonrecoverable system problems.
CAUTION A caution calls attention to important information that if not understood or followed will result in data loss, data corruption, or damage to hardware or software.
13 Documentation Feedback

HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.
A Patch usage models

This appendix lists the following patch usage models:
• “Patch usage model 1: hardware/application software change” (page 100)
• “Patch usage model 2: third-party hardware/software qualification” (page 104)
• “Patch usage model 3: operating environment cold install” (page 105)
• “Patch usage model 4: operating environment update” (page 107)
• “Patch usage model 5: proactive patch” (page 109)
• “Patch usage model 6: reactive patch” (page 110)
The following legend is used in a
Patch usage model 1: hardware/application software change
NOTE: The latest OE Update Release (OEUR) media and Application Release (AR) media include new and updated software. The HP-UX 11i v2 and v3 OEUR media include all standard patch bundles. The AR media only include the FEATURE11i patch bundle for applications that require patches during installation. Patch bundles can be obtained from the HPSC. New hardware support might require patches from the HWE patch bundle, along with diagnostics and new or updated drivers in I/O bundles.
B Install all required software and patches in test and then production Review existing change management procedures No Check with application vendor for specific tools recommendations and patches Acquire software and patches on media or from Web site Use DRD to minimize downtime? Create recovery/archive image Include required software in master depot or golden image Yes Create clone * Ensure the latest drd_unsafe_patch_list file is loaded Apply all required software and patches to clone and t
NOTE: The latest OEUR media and AR media include new and updated software. The 11i v2 and v3 OEUR media include all standard patch bundles. The AR media only include the FEATURE11i patch bundle for applications on AR media that require patches during installation. Patch bundles can be obtained from the HPSC. The new HP-UX 11i v2 Software Pack media include the SPK product bundles with required patches in the same depot.
Patch usage model 2: third-party hardware/software qualification

NOTE: * More information is available in the Managing Rare DRD-Unsafe Patches white paper, available at http://www.hp.com/go/drd-docs.
Patch usage model 3: operating environment cold install

Go to A-1 Go to A Yes Yes Refer to the Ignite-UX website: www.hp.
B Go to C - HP-UX 11i2/v3 Depot Install Create 11i install depot (Core Depot) with desired OE content (including all patch bundles) and additional products from OE DVD Create Ignite-UX configurations Installing additional HP products? No Installing optional core enhancements? Yes Yes Copy additional HP products from Application Software Media into Application Depot Copy optional core enhancements from Software Pack (SPK) No Copy QPKAPPS bundle from OE media into Application Depot C Cold insta
Patch usage model 4: operating environment update

Begin: Consider updating the O/S Go to HP-UX 11i v2/v3 Operating Environment Cold Install model Cold install O/S? go to A – HP-UX 11i v2/v3 Update From Media Yes Yes Updating from 11i v1.
B swcopy OE, optional drivers, QPK, HWE, and optional products from OE media into new Core Depot Install/upgrade additional HP products? No Installing optional core enhancements? Yes No Go to C - HP-UX 11i2/v3 Depot Update Yes swcopy additional HP applications from Application Software Media into Application Depot swcopy optional core enhancements from Software Pack (SPK) swcopy QPKAPPS from OE media into Application Depot C swinstall Update-UX from Core Depot Update 11i OE, optional driver
Patch usage model 5: proactive patch

Begin: Start with functioning system Is patch assessment to be performed by HP support? No No Use DRD to minimize downtime Yes Run SWA to find additional issues and their resolution. Updated products and patches will be identified; manual actions might be required. Use SWA to create depot of additional patches if needed. Resolve security issues including manual actions. Add patches used for reactive patching in the past to the patch depot.
Patch usage model 6: reactive patch
Glossary

This glossary defines key terms related to patching that are used in this book. HP recommends the Software Distributor Administration Guide on the HP Business Support Center website at http://www.hp.com/go/sd-docs for additional terms.

ancestor
    An ancestor of a patch is the preexisting software that is being modified or replaced by the patch.
applied
    One of four possible states in which a patch is first installed. When a patch is installed, by default it has the patch_state of applied.
HP-UX Software Assistant
    A tool that consolidates and simplifies patch management and security bulletin management on HP-UX systems. The SWA tool is the HP-recommended utility to use to maintain currency with HP-published security bulletins and recommended patch levels for HP-UX 11i software. SWA has been released for HP-UX 11i systems. SWA can perform a number of checks including published security issues, installed patches with warnings, and missing patches with critical fixes.
    See also applied, committed.
superseding patch
    A patch that supersedes all previous patches to a given fileset.
SWA
    See HP-UX Software Assistant.
tape depot
    A software depot stored in tape archive (tar) format. Within the archive, directory and file entries are organized using the same structure as any other SD-UX format depot.
warning
    See patch warning.