Patch Management User Guide for HP-UX 11.
© Copyright 2004, 2010 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
1 HP-UX patches and patch management
Patch management strategies
How to get patches
Where to start
HP patch rating of 1
Rating details
HP patch rating of 2
Rating details
Ask your peers in the forums
Search knowledge base
Key features
7 Using software depots for patch management
Patch usage model 3: operating environment cold install
Patch usage model 4: operating environment update
Patch usage model 5: proactive patch
Patch usage model 6: reactive patch
1 HP-UX patches and patch management

Patches are software that HP releases to deliver incremental updates to a system. Patches are best known for delivering defect fixes, but also deliver new functionality and features, enable new hardware, and update firmware. You can use HP-UX patches to update HP-UX software without having to completely reinstall a system application. For a description of patches, see Chapter 3: “HP-UX patch overview” (page 17).
How to get patches

HP provides numerous ways to acquire patches, ensuring that system administrators with different goals and different levels of expertise can find a patch source to fit their needs. You can obtain patches individually or in groups of related patches known as patch bundles. This guide discusses the following HP-UX patch sources:
• IT Resource Center (ITRC) website: http://itrc.hp.
2 Quick start guide for patching HP-UX systems

This quick start guide is for system administrators who have immediate patching needs. It is a limited solution to general patching issues. If you need in-depth information about patching, review the rest of this document and the other patch-related resources in Section : “Related information” (page 91).

NOTE: You will require root user privileges to complete these procedures.
NOTE: In addition to the information in this guide, you should review the release notes for the product you are patching.

Standard HP-UX patch bundles

Table 2-1 shows the bundle names for the HP-UX 11i releases. See Chapter 5 (page 52) for more information.

Table 2-1 Standard HP-UX patch bundle names
Patch Bundle Name    HP-UX 11i v1 (B.11.11)    HP-UX 11i v2 (B.11.23)    HP-UX 11i v3 (B.11.
9. Select the bundle/depot link. The bundles are cumulative; select the latest. The bundle's main page is displayed. It shows the following information and links:
   • Each patch contained in the bundle.
   • If the bundle contains patches with warnings, which are notifications of known problems, they are listed near the top of the page.
   • All patch identifications (IDs) are linked to the patch database on the ITRC and provide detailed patch information.
5. Find the bundle names by entering this command:
       swlist -d @ /tmp/temporary_depot/depot
6. Record all bundle names. The bundle name is the first word of each line under the Bundle(s) heading.
7. This step is critical. When you install a QPK or HWE patch bundle, the system reboots automatically. Before you install a bundle (step 9), you need to follow your company's policy regarding a system reboot.
8. This step is critical. Before you install the bundle, back up the system.
9.
Acquiring and installing individual patches

At times, you might find it necessary to acquire and install individual patches based on known patch IDs. For example, you might read an HP-UX security bulletin in which HP recommends that you install specific patches. Another possibility is that you are installing software that requires specific patches for the software to function properly. Customers also frequently acquire and install individual patches for reactive patching.
The following icons might be displayed along with the patch ID.
• This symbol means that the patch has a warning associated with it. You should review the warning text to determine whether it applies to the system.
• This icon means that the patch has Special Installation Instructions. You should always read them.
See Table 6-1: “Navigating the search results table” (page 56) for a description of all table icons.
8. To review details about a patch, select the patch ID to open the patch details page.
Installing the patches

To install the downloaded patches, perform the following steps:
1. Log in to the target system.
2. Unpack the downloaded file, patches.xxx:
   • If the downloaded file is patches.tgz:
         gunzip -c patches.tgz | tar xvf -
   • If the downloaded file is patches.tar:
         tar -xvf patches.tar
   • If the downloaded file is patches.zip:
         unzip patches.zip
     You must have an installed application that can unpack a .zip file. Not all HP-UX systems have such an application.
10. Verify that the installation was successful:
    • Enter the command:
          swlist -l product
      Ensure that the installed patches are shown in the output.
    • Execute the swverify command on each of the new patches:
          swverify patch_id
      — This command might not always complete in a short period of time.
      — If the verification is successful, the last few lines of output contain the line "* Verification succeeded."
      — If the verification was not successful, view the /var/adm/sw/swagent.
3 HP-UX patch overview

Patch-related concepts

Patch identification

HP assigns each HP-UX patch a unique identification or patch ID. Each HP-UX patch ID has the form PHXX_#####, where:
• PH is an abbreviation for Patch HP-UX
• XX is replaced with one of the following values for the HP-UX area being patched:
  — CO = command patches
  — KL = kernel patches
  — NE = network patches
  — SS = patches related to all other subsystems
• ##### is replaced with a unique four- or five-digit number.
Patch bundles

Patch bundles play an important role in patch management. A patch bundle is a collection of patches that have been grouped into a single software object to meet a specific need. Many HP-UX users find that acquiring and installing these bundles, as opposed to acquiring and installing patches individually, simplifies the patch management process. Your first encounter with patch bundles might be with the standard HP-UX patch bundles.
Patch status

Patches have an associated status. The initial value of a patch's status does not change, but over the life of the patch, modifiers might be added (as described in this section). You can find the value for a patch's status in the Status field. This field is in the patch’s patch details page on the ITRC and in the patch text file. To obtain the most up-to-date values for patch status, use the patch details page. A patch status has the following values and modifiers to describe it.
IMPORTANT: For HP-UX 11.0 systems, you must install patch PHCO_22526 or a superseding patch for proper functionality regarding the committed/superseded patch_state.
You can determine patch categories for a given patch in the following ways:
• Viewing the Category Tags field on the patch details page or in the text file for the patch.
• Using the swlist command:
      swlist -l product -a category_tag patch_id
  This command also shows any category tags that have been manually added to the patch by a user.
For swlist examples that use category tags and for more information about the swlist command, see “Which patches are on a system?” (page 21).
This section presents some examples of swlist to display information about patches, bundles, and depots.

NOTE: For brevity and improved readability, some lines of SD-UX command output have been shortened or removed.

Examples of the swlist command

Use the swlist command with no arguments to get a default listing of all top-level software installed on the local host:
    swlist
For example:
    $ swlist
    # Initializing...
    # Contacting target "some_system"...
    #
    #
• -a attribute
  Specifies one or more attributes to display. For more information about attributes, see “Patch-related attributes” (page 29).
• -s source
  Specifies the software source to list. Use this argument as an alternative way to list a depot.
• software_selections
  — Specifies software objects to be listed.
  — Applies only if the level is bundle, product, fileset, file, or patch.
  — Use wildcards [ ], *, ? in the specification of the software_selections if you want to make multiple selections.
    PHSS_28677 1.0 CDE Applications Periodic Patch
    ...
The following command shows patches that have a manual_dependencies category tag:
    swlist -l level *,c=category_tag
For example:
    $ swlist -l product *,c=manual_dependencies
    # Initializing...
    # Contacting target "chb26006"...
    #
    # Target: chb26006:/
    PHCO_24198 1.0 ioscan(1M) patch
    PHCO_25831 1.0 SCSI Ultra160 driver Online Addition script
    PHCO_25841 1.0 Add Rock Ridge extension to mount_cdfs(1M)
    PHCO_26252 1.0 mount_vxfs(1M) cumulative patch
    ...
Table 3-1 Variations of the swlist command (continued)
swlist Commands    Description
swlist -l product -a category_tag patch_id
    Lists the category tags for patch patch_id.
swlist -l product -a category_tag \*,c=patch
    Lists the patches installed on the local system and their corresponding category tags.

Ancestors and supersession

The related concepts of ancestors and supersession are integral to patches and patch management. It is important that you gain a basic understanding of both.
    swlist -a applied_patches fileset_name
For example:
    $ swlist -a applied_patches Xserver.AGRM
    # Initializing...
    # Contacting target "chb26006"...
    # Target: chb26006:/
    Xserver.Runtime.AGRM
        PHSS_21817.AGRM,fa=HP-UX_B.11.11_32/64
        PHSS_26619.AGRM,fa=HP-UX_B.11.11_32/64
        PHSS_26622.AGRM,fa=HP-UX_B.11.11_32/64
        PHSS_26638.AGRM,fa=HP-UX_B.11.11_32/64
        PHSS_29169.AGRM,fa=HP-UX_B.11.11_32/64
        PHSS_29183.AGRM,fa=HP-UX_B.11.
Figure 3-1 Patch Supersession Chain in a Patch Family

The cumulative nature of a patch allows it to satisfy all dependencies on all patches it supersedes. The converse is not true, however. A superseded patch will not satisfy a dependency on a superseding patch. For more information about dependencies, see “Patch dependencies” (page 31). You can determine which patches a given patch supersedes by viewing either the patch's patch details page or the patch's patch text file.
    PHSS_27875.X11-RUN-CL
    PHSS_27875.X11-TCH-B-MSG
    PHSS_28681.X11-RUN-CL,fa=HP-UX_B.11.11_32/64
    PHSS_28681.X11-TCH-B-MSG,fa=HP-UX_B.11.11_32/64
You can also show the filesets that a given patch has superseded. These superseded filesets will be listed whether or not they are installed on a system. This is done by using the swlist command to list the supersedes attribute of the patch. Note that the first patch of any particular patch supersession chain does not have a supersedes attribute.
Figure 3-2 HP-UX Patch Supersession Chain

The supersession chain in Figure 3-2: “HP-UX Patch Supersession Chain” (page 29) is composed of two separate supersession chains that were combined when patch PHSS_29156 superseded both PHSS_29026 and PHSS_29008. Again, because of the cumulative nature of HP-UX patches, patch PHSS_29377 delivers all the features and fixes delivered by the other six patches in this supersession chain.
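The supersession rule can be checked mechanically when comparing a list of required patches, for instance from a security bulletin, against what is installed. The following sh/awk script is an added example, not part of HP's guide or tools: it walks up a supersession chain to decide whether an installed patch satisfies a dependency. The SUPERSEDES table is constructed from the patch IDs named in the text (the other chain members are omitted), and both function names are hypothetical.

```sh
#!/bin/sh
# Constructed sample data (not swlist output): one record per patch in the
# form "patch: patches it supersedes". Only patch IDs named in the text are
# used; the other members of the chain are omitted.
SUPERSEDES='PHSS_29377: PHSS_29156
PHSS_29156: PHSS_29026 PHSS_29008'

# dependency_satisfied REQUIRED INSTALLED...   (hypothetical helper)
# Prints the installed patch that satisfies a dependency on REQUIRED and
# returns 0. Returns 1 when neither REQUIRED nor a patch that supersedes it,
# directly or further up the chain, is installed.
dependency_satisfied() {
    required=$1
    shift
    printf '%s\n' "$SUPERSEDES" | awk -v req="$required" -v inst="$*" '
        BEGIN { n = split(inst, installed, " ") }
        NF >= 2 {
            sub(/:$/, "", $1)
            for (i = 2; i <= NF; i++) edge[$1 SUBSEP $i] = 1
        }
        END {
            covers[req] = 1            # a patch always satisfies itself
            do {                       # climb the chain until nothing new is added
                changed = 0
                for (k in edge) {
                    split(k, pq, SUBSEP)
                    if ((pq[2] in covers) && !(pq[1] in covers)) {
                        covers[pq[1]] = 1
                        changed = 1
                    }
                }
            } while (changed)
            for (i = 1; i <= n; i++)
                if (installed[i] in covers) { print installed[i]; exit 0 }
            exit 1
        }'
}

# unsatisfied_dependencies "REQUIRED..." "INSTALLED..."   (hypothetical helper)
# Prints each required patch that nothing in the installed list satisfies.
unsatisfied_dependencies() {
    for patch in $1; do
        # $2 is left unquoted on purpose: one argument per installed patch
        dependency_satisfied "$patch" $2 >/dev/null || printf '%s\n' "$patch"
    done
}

# PHSS_29156 covers the older PHSS_29008 but not the newer PHSS_29377.
unsatisfied_dependencies "PHSS_29008 PHSS_29377" "PHSS_29156"   # prints PHSS_29377
```

On a live system the table would be built from each patch's supersedes attribute instead of the constructed records used here.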
The following list describes a subset of available attributes: • ancestor — — • category_tag — — — • Applies to filesets. Provides useful information about the installation state of software. See “State” (page 20). supersedes — — — • Applies to bundles, products, or filesets. Contains the fully qualified identifier for the bundle, product, or fileset. Uniquely identifies a specific instance of a software object. state — — — • Applies to products. Contains the patch's original text file.
Patch dependencies

A patch that depends on other software in order to install or run correctly is said to have a dependency on that other software. In order to become fully active, a patch might require changes to areas of the system other than those it modifies. Such a patch might have a documented dependency on one or more patches or nonpatch software products that are responsible for the changes in these other areas.
A prerequisite adds a requirement that the order of installation be controlled. The prerequisite fileset must be installed before the requesting fileset. This implies that some content of the prerequisite is used or modified during the installation process.

Advanced topic: determining corequisite and prerequisite filesets with the swlist command

You can use the following command to determine the dependent filesets. Replace dependency_type with either corequisite or prerequisite, as appropriate.
Patch rollback and commitment

Patch rollback

You might occasionally want to remove a patch and restore the system to its prepatched state. This process is known as patch rollback. For example, if you installed a patch that resulted in unacceptable system behavior, you might choose to roll back this patch. However, rollback is possible only if certain files were saved as part of the patch installation process.
Advanced topic: patch cleanup utility

The patch utility called cleanup allows you to commit all patches that have been superseded a specified number of times. You can execute this command in preview mode in order to see what effect the command will have without actually making any changes. You should always use the preview mode first. This is accomplished by including the -p option.
HP patch rating of 1

Although these patches have passed rigorous prerelease testing, HP recommends that you use these patches only if all of the following conditions are true:
• If you are in a reactive patching situation.
• The highest-rated patch that addresses the problem is rated 1.
• You cannot wait for the patch to increase to a higher rating.
Whenever possible, you should wait until the patch gains more exposure and achieves a rating of 2 or 3.
Critical and noncritical patches

HP-UX patches are considered to be either critical or noncritical. You can determine whether a patch is labeled as critical by looking at the Critical field on the patch details page or in the patch text file for the patch. This field identifies newly delivered critical content. HP considers a patch to be critical if the patch provides a fix for a critical problem.
The patch details page and the patch text file contain the same fields and provide detailed information about a patch. Table 3-2: “Subset of fields in patch text file and patch details page ” (page 37) shows a subset of these fields.

Table 3-2 Subset of fields in patch text file and patch details page
Field    Description
Patch Name
    The patch ID. See “Patch identification” (page 17) for more information about the format of patch IDs.
Patch Description
    A terse description of the patch.
Advanced topic: the readme attribute

Each patch has an SD-UX attribute called readme that you can view using the swlist command. See “Patch-related attributes” (page 29) for more information about attributes. The readme attribute contains the patch's original text file. Be aware that, although the readme attribute allows you to quickly and conveniently access information about patches on the system, this information is static. Because of this, the readme will not contain more current information.
recommendations. This information helps you to make decisions about the patch, such as whether to install or remove a patch with a warning from the system.

The warning field

You can find patch warning information in the Warning field of a patch's patch details page or patch text file. This field exists only for patches that have a warning. The Warning field is the definitive source of information about a patch warning. The following screen shows part of the Warning field for patch PHKL_30065.
How to handle patch warnings

Your initial response to a warning for a patch on a system should be to carefully read the associated warning text and research the issue to gain a complete understanding of how or if the warning will impact the system. Because of the number and complexity of the factors involved, there is no single correct way of dealing with a patch with a warning.
Backup and recovery

Always perform a backup of the system before making patch-related system changes. You should have a backup in the event that unacceptable behavior occurs as a result of patching. This section provides some resources that you can investigate for recovery strategies. It does not provide the details needed for recovering from patch-related problems.
4 Patch management overview

Patch management is a process used to ensure that the appropriate patches are installed on a system. Patch management is becoming increasingly important for users of all types of systems, from desktop systems to mission-critical servers. Industry experience has shown that failures in patch management can lead to financial loss, loss of data, exploitation of security vulnerabilities, and other negative consequences.
Second, use standard HP-UX patch bundles as your starting point:
• HP provides standard HP-UX patch bundles including the Quality Pack (QPK), Hardware Enablement (HWE), and Feature Enablement Patch Bundle (FEATURE11i) patch bundles. The QPK consists of defect fixes and the HWE consists of patches that are required for new hardware products. The FEATURE11i bundle enables new features and enhancements to the HP-UX operating system and applications by providing the complete, minimal set of patches required.
Some specific criteria to consider when planning your change:
— Backup of your system.
— System down time.
HP service contracts

If you would like assistance with your patch management work, you can purchase a Mission Critical level HP service contract. This entitles you to a proactive service called patch analysis. In patch analysis, an HP support engineer furnishes you with a custom list of recommended patches. At the Mission Critical (highest) contract level, your assigned HP engineer even helps you define a patch management strategy based on the software change management principles defined in this chapter.
Table 4-1 Operational factor and patch management strategy matrix

Patch Management Strategy   New Features   Unplanned Down Time   Impact on Core Business   Self-Maintenance
Restrictive                 No             Unacceptable          High                      No
Conservative                No             Unacceptable          Medium                    No
Innovative                  Yes            Acceptable            Low                       Yes

The process of selecting an appropriate software change management strategy seeks to align behavior with the key business objectives of the systems involved.
hours, and provide an efficient way to back out changes if necessary. See Chapter 9 (page 86) for more details. Table 4-2 Recommendations based on strategy Strategy OS & Applications Proactive Patching Reactive Patching Change Management Restrictive Stable release, available for one year or more. Conservative Innovative Stable release, available for six months or more. Stable release, available for two months or more. Use only thoroughly tested patches with the highest level of exposure.
Proactive patching strategy

The goal of a proactive patching strategy is problem prevention. Many patches that provide defect fixes are released long before you need them on your system. The crux of proactive patching is identifying these patches and applying them in a safe manner. By definition, your starting point for proactive patching should be a system you believe to be functioning normally. Most proactive patching can be scheduled and carefully controlled. This is one of the benefits of this approach.
(SPK). If you want to install one of these new features, see the Software Pack documentation on the HP Business Support Center website at http://www.hp.com/go/spb-docs.
• All the standard HP-UX patch bundles can be downloaded from the ITRC and are available on media from HP. For more information, see Chapter 5: “What are standard HP-UX patch bundles?” (page 52).
• If you have a support contract at the Mission Critical level, you are entitled to a regular customer patch analysis from HP.
Reactive patching has some important disadvantages as compared with proactive patching. The process of identifying a problem fix can be made more difficult as your system falls further behind the most recent patch levels available. In addition, the required patch will likely contain much more new content than if you had performed frequent proactive updates.
Advanced topic: scanning for security patches

You can use the SWA Tool to identify security patches for installation. This tool also identifies patches that have associated warnings. For more information about SWA, see Chapter 8: “Using HP-UX Software Assistant for patch management” (page 85).

Testing the patches to be installed

The single most important action that can ensure the success of a software patch is to first test the changes in a nonproduction environment.
5 What are standard HP-UX patch bundles?

Patches can be grouped into collections known as patch bundles, or simply bundles. HP provides a number of prepackaged, standard HP-UX patch bundles that you can install as a unit. This chapter shows you how to obtain standard HP-UX patch bundles. Table 5-1: “Standard HP-UX patch bundle names” (page 52) shows the QPK and other standard patch bundles. HP tests these bundles rigorously to ensure a high level of reliability and updates many of them periodically.
NOTE: Standard HP-UX patch bundles are cumulative, which means that you can install the latest version of the bundle to get all the previous changes. The standard HP-UX patch bundles (QPK, FEATURE11i, and HWE) might have overlapping content. This does not affect your patching. For the HP-UX 11i releases, Table 5-2 (page 53) shows when to use the bundles and also shows the release information.
TIP: Acquiring and installing standard HP-UX patch bundles is a two-step process. See Chapter 2: “Quick start guide for patching HP-UX systems” (page 9).
6 Using the IT Resource Center

The IT Resource Center (ITRC) is a website you can personalize to provide a wide range of services and support, including support for HP-UX patch management. The ITRC website is your fastest connection to HP Support and is located at http://itrc.hp.com. This chapter presents many of the ITRC HP-UX patch-related areas. You should explore the links on the ITRC main page and familiarize yourself with all the ITRC has to offer.
NOTE: This section only addresses finding individual patches, not finding firmware.

Key features

With the patch database, you can search for patches using a variety of criteria.
Table 6-1 Navigating the search results table (continued)
Term    Description
Patch ID Link
    Access the patch details page associated with a patch by selecting the patch ID. This page contains extensive information about the patch.
Patch Warning Icon
    If a patch has a warning associated with it, no stars are displayed. Instead, a yellow, triangular symbol appears. Select the patch ID link to go to the patch details page. Read the Warning section.
7. Read through the following Advanced Topic sections, then continue with the procedures in “Check for patches with dependencies” (page 59)

Advanced topic: checking for special installation instructions

Some patches might have extra installation instructions, called special installation instructions, that you should follow to install the patch successfully. The following steps show you how to access these instructions.
1.
TIP: You can use the show_patches -it command directed at a source depot to list Special Installation Instructions documented within any patches in the depot. For more information, see show_patches(1).
1. Select a patch ID link in the selected patch list to display the patch details page for the patch. For example, in the following screen, select the PHKL_28766 link.
2. Read the other dependencies and special installation instructions sections of the patch details page. The other dependencies section, and occasionally the special installation instructions section, might list additional patches or products that are needed to obtain full functionality of the patch selected.
3. Return to the selected patch list page by selecting the view selected patch list link located in the upper right corner of the patch details page. If any patches were noted in step 2 for other dependencies or special installation instructions, verify they are listed in the selected patch list. If not, you should add each one. To do this, select the add patches link.
   • Enter your search criteria, including the patch ID for a search by patch ID, and then click search.
Standard patch bundles

The find standard patch bundles link on the patch database page provides the find bundles page to help you acquire standard HP-UX patch bundles. See Chapter 5: “What are standard HP-UX patch bundles?” (page 52) for more information.

Custom patch bundles - run a patch assessment

The Patch Assessment Tool allows you to create custom patch bundles specific to an environment. This web-based tool replaced the Custom Patch Manager Tool.
Key features

The Knowledge Base helps you to do the following:
• Solve problems yourself with timely technical support information.
• Search the HP Knowledge Base for technical documents, including patch information, security bulletins, and service requests related to HP-UX and a variety of other areas.
• Retrieve a specific document using its document identification (ID).
To access the knowledge base page:
1. Log in to the ITRC at http://itrc.hp.com.
2.
7 Using software depots for patch management A software depot, or simply depot, is a special type of file or directory formatted for use by Software Distributor for HP-UX (SD-UX). Depots can contain a variety of software products. This chapter focuses specifically on depots as repositories for patches and patch bundles. These depots are commonly referred to as patch depots. Common uses for patch depots include the following: • • • • Patch depots are an extremely effective mechanism for managing patches.
Table 7-1 SD commands and patch tools (continued)
SD-UX Command    Description
    This command is available on 11i v3 systems, and is available as a patch in preceding HP-UX versions:
    • PHCO_27780: 11.11 HP-UX Patch Tools
    • PHCO_32220: 11.23 HP-UX Patch Tools
    See cleanup(1M) for more information.
show_patches
    List patches installed on a system or in a depot. Options allow you to list patches that are active, superseded, require Special Installation Instructions, or have any Other Dependencies.
For patch management, directory depots offer the following advantages over tape depots:
• Can be made available to remote users. See “Registering and unregistering directory depots” (page 71).
• Are optimized for random access by multiple simultaneous sessions.
• Allow for customized access controls. See “Advanced topic: access control lists” (page 72).
• Allow SD-UX verification. See “Verifying directory depots” (page 73).
• Allow modification.
• Application depot — contains patches specific to a given application. This type of depot might actually be a specific version of a periodic patch depot.
After you have identified the need that a specific depot will address, you should determine whether a directory depot or a tape directory best suits your needs. Most often, directory depots will be more useful for patch management. You must also select a location for the depot.
For example:
    $ swlist -l depot
    # Initializing...
    # Target "my_system" has the following depot(s):
    /var/spool/sw
    /depot/patches/2003-07_periodic_depot
    /depot/patches/2004-01_periodic_depot
    /tmp_depot/PHSS_29735.depot
To view a list of registered depots on a remote system, use this command:
    swlist -l depot @ remote_system
For example:
    $ swlist -l depot @ swdepot.xyz.com
    # Initializing...
    # Target "swdepot.xyz.com" has the following depot(s):
    /depot/patches/11.00
    /depot/patches/11.04
    /depot/patches/11.
Creating and adding to a directory depot

You can use the swcopy command to create a directory depot from an existing tape or directory depot. Software objects from the source depot are copied into the target directory. By default, the swcopy command automatically registers newly created directory depots for use by Software Distributor. The swcopy command has many possible arguments.
Copying patches to depots

The following example shows how to copy patch PHCO_27780 from a remote directory depot to a local directory depot. The process creates the local depot. The following values are specified in the command line:
• source_system: remote_system
• source_depot: /depot/patches/11.11/
• target_system: my_system
• target_depot: /my_depots/new_directory_depot/
1. List the registered depots on the local system before copying the patch:
       $ swlist -l depot
       # Initializing...
8. Show the registered depots on the local system again:
       $ swlist -l depot
       # Initializing...
       # Target "my_system" has the following depot(s):
       /var/spool/sw
       /my_depots/new_directory_depot
   The newly created depot is listed.
9. Show the contents of the new depot:
       $ swlist -l product -d @ /my_depots/new_directory_depot
       # Initializing...
       # Contacting target "my_system"...
       #
       # Target: my_system:/my_depots/new_directory_depot
       #
       PHCO_27780 1.0 HP-UX Patch Tools
   Note that PHCO_27780 is present.
NOTE:
• Registered depots on a network server are both visible and accessible to remote systems. These depots can be used as a software source for remote systems.
• Unregistered depots on a network server are neither visible nor accessible to remote systems. These depots cannot be used as a software source for remote systems.
Depots can be registered or unregistered in the following ways:
• The swreg command explicitly registers or unregisters depots.
Verifying directory depots

You can use the swverify command to verify the contents of a directory depot. Tape depots are not valid targets for the swverify command. Depot verification does the following:
• Verifies that all dependencies can be met. For more information about dependencies, see Chapter 3: “HP-UX patch overview” (page 17).
• Reports missing files.
• Checks file attributes, including permissions, file types, size, checksum, mtime, and major and minor attributes.
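To act on swverify results in a script rather than by eye, each session can be checked for the "* Verification succeeded." line between its BEGIN and END markers. The following sh/awk script is an added example, not part of HP's guide or SD-UX; the function name is hypothetical, and the sample log's BEGIN timestamp, second session, its job ID and its ERROR line are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample: two swverify sessions laid out like the session output
# in this guide. The second session, its job ID and its ERROR line are made
# up; a session counts as verified only if the success line is present.
SAMPLE_LOG='======= 05/03/04 12:28:40 MDT BEGIN swverify SESSION (non-interactive) (jobid=my_system-0831)
       * The analysis phase succeeded for "my_system:/my_depots/new_directory_depot".
       * Verification succeeded.
======= 05/03/04 12:28:51 MDT END swverify SESSION (non-interactive) (jobid=my_system-0831)
======= 05/03/04 12:30:02 MDT BEGIN swverify SESSION (non-interactive) (jobid=my_system-0832)
ERROR:   (constructed placeholder for a verification error)
======= 05/03/04 12:30:09 MDT END swverify SESSION (non-interactive) (jobid=my_system-0832)'

# swverify_summary   (hypothetical helper; reads session output on stdin)
# Prints one line per session: "<jobid> verified", "<jobid> NOT-VERIFIED",
# or "<jobid> INCOMPLETE" when the output stops before the END marker.
# Returns 0 only if at least one session was seen and every one verified.
swverify_summary() {
    awk '
        function jobid(line) {
            if (match(line, /jobid=[^)]*/))
                return substr(line, RSTART + 6, RLENGTH - 6)
            return "unknown-job"
        }
        / BEGIN swverify SESSION / {
            job = jobid($0); ok = 0; in_session = 1
            next
        }
        in_session && /\* Verification succeeded\./ { ok = 1 }
        / END swverify SESSION / && in_session {
            print job, (ok ? "verified" : "NOT-VERIFIED")
            if (!ok) bad++
            sessions++
            in_session = 0
        }
        END {
            if (in_session) {          # output cut off: do not trust it
                print job, "INCOMPLETE"
                bad++
            }
            exit ((sessions == 0 || bad > 0) ? 1 : 0)
        }'
}

# Demonstration on the constructed log; the second session fails the check.
printf '%s\n' "$SAMPLE_LOG" | swverify_summary ||
    echo "at least one swverify session did not report success"
```

Treating missing or truncated output as a failure keeps an interrupted verification from being mistaken for a clean one.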
"/.sw/sessions/swverify.last". * The analysis phase succeeded for "my_system:/my_depots/new_directory_depot". * Verification succeeded. NOTE: More information may be found in the agent logfile using the command "swjob -a log my_system-0831 @ my_system:/my_depots/new_directory_depot". ======= 05/03/04 12:28:51 MDT END swverify SESSION (non-interactive) (jobid=my_system-0831) The following example verifies the directory depot /my_depots/PHSS_30278_depot/. This depot contains one patch, PHSS_30278.
    swremove [-p] -d patch_to_remove @ [target_system:]/some_directory/target_depot

A basic description of these swremove arguments follows:
• -p Executes the command in preview mode.
• -d Operates on a depot rather than on installed software.
• patch_to_remove
  — Specifies the patches to be removed.
  — Replace with a wildcard to remove multiple patches with one command. For example:
    ◦ \* selects everything from the source depot.
    ◦ \*,c=patch selects all patches from the source depot.
    ======= 05/03/04 13:25:02 MDT END swremove SESSION (non-interactive) (jobid=my_system-0843)

Advanced topic: removing superseded patches from a depot

If you have a depot that you are using for patch installation that contains both superseded patches and corresponding superseding patches, the superseded patches will never be installed and are a waste of disk space.
    Obtaining the list of superseded 11.X patches in the depot: /my_depots/patch_depot ...
    The following superseded patches exist in the depot:
    ====================================================
    PHCO_24630 superseded by PHCO_27780
    Please be patient; this may take several minutes.
    Removing superseded 11.X patches from depot: /my_depots/patch_depot ...done.
    The superseded 11.X patches have been removed from the depot: /my_depots/patch_depot.
    All information has been logged to /var/adm/cleanup.log.
Although the swinstall command takes many arguments, the following are pertinent to this discussion:

    swinstall [-p] -s source_system:/some_directory/source_depot [-x autoreboot=true -x patch_match_target=true software_selections] [@ target_selections]

A basic description of these swinstall arguments follows:
• -p Executes the command in preview mode. When executed in preview mode, the swinstall command does not perform the software installation.
Examples of installing patches from a depot

To install all applicable patches in the directory depot /my_depots/depot on the local system, use this command:

    $ swinstall -s /my_depots/depot \
    -x autoreboot=true -x patch_match_target=true
    ======= 05/03/04 14:07:16 MDT BEGIN swinstall SESSION (non-interactive) (jobid=my_system-0856)
    * Session started for user "some_user@my_system".
    * Beginning Selection
    * Target connection succeeded for "my_system:/".
    NOTE: The patch match operation failed to find patches for target software on "my_system" which passed the filter.
    * Source: /my_depots/a_depot
    * Targets: my_system:/
    * Software selections:
      PHCO_28175.CORE-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,fr=1.0,fa=HP-UX_B.11.11_32/64
    * Selection succeeded.
    * Beginning Analysis and Execution
    * Session selections have been saved in the file "/.sw/sessions/swinstall.last".
    * The analysis phase succeeded for "my_system:/".
related patches that you want to place in a depot with other patches. This is advantageous for the following reasons:
• When you list the contents of the depot, you see the bundle rather than the individual patches.
• If you choose to install only this group of patches, you simply select the bundle for installation.
• After installing a bundle, when you use the swlist command to list the patches on a system you will see the bundle rather than the individual patches contained in the bundle.
    #
    SOME_PATCH_001 rev patch description
    SOME_PATCH_002 rev patch description
    ...

Creating a custom bundle

The following example shows how to create a custom bundle. Before you do so, perform an assessment, for example, to determine which patches to add to the periodic patch depot /my_depots/periodic_depot/.
4. Preview copying the bundle (using the -p argument) from the temporary depot to the periodic depot. Review the output generated by this command.
    $ swcopy -p -s my_system:/my_depots/temporary_depot/ PATCH_ASSESSMENT_05042005 \
    @ my_system:/my_depots/periodic_depot/
    ======= 05/04/05 14:25:00 MDT BEGIN swcopy SESSION (non-interactive) (jobid=my_system-1132)
    * Session started for user "some_user@my_system".
      fr=1.0,fa=HP-UX_B.11.11_32/64
      PHCO_28830.PAUX-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,fr=1.0,fa=HP-UX_B.11.11_32/64
      PHCO_28830.SEC-ENG-A-MAN,r=1.0,a=HP-UX_B.11.11_32/64,v=HP,fr=1.0,fa=HP-UX_B.11.11_32/64
    * Selection succeeded.
    * Beginning Analysis and Execution
    * Session selections have been saved in the file "/.sw/sessions/swcopy.last".
    * The analysis phase succeeded for "my_system:/my_depots/periodic_depot/".
    * The execution phase succeeded for "my_system:/my_depots/periodic_depot/".
8 Using HP-UX Software Assistant for patch management

HP-UX Software Assistant (SWA) is a tool that consolidates and simplifies patch management and security bulletin management on HP-UX systems. It is the HP-recommended utility for maintaining currency with HP-published security bulletins and recommended patch levels for HP-UX 11i software. SWA's major functions are:
• Analysis – SWA runs as a client-side patch and security analysis tool.
9 Using Dynamic Root Disk for patch management

This chapter introduces the HP-UX Dynamic Root Disk (DRD) tool for patching HP-UX systems and reducing system downtime. DRD provides you with the ability to clone an HP-UX system image to an inactive disk, and then:
• perform system maintenance on the clone while your HP-UX 11i system is online.
• automatically synchronize the active image and the clone, eliminating the need to manually update files on the clone.
For more information

• See the DRD webpage at http://www.hp.com/go/drd for links to download the DRD product free of charge and to access DRD documentation, including the release notes, administrators guide, and white papers.
• The Patch Usage Models in Appendix A (page 94) provide information on where DRD fits into the overall patch process.
• The DRD manpages describe the commands and provide examples. For HP-UX releases, the manpages are available from the command line using the man drd command.
10 The Patch Assessment Tool

Benefits of the Patch Assessment Tool

You can use the Patch Assessment Tool to create custom patch bundles for individual HP-UX systems and for multiple systems you manage as a group. The Patch Assessment Tool simplifies the bundle creation process by guiding you through system-based patch analysis and selection. HP's web-based Patch Assessment Tool is available on the IT Resource Center (ITRC) website at http://itrc.hp.com.
4. You can access information regarding the use of the Patch Assessment Tool, including how to complete the tasks in the previous list, from the useful links navigation menu on the run a patch assessment page. Some links include the following topics:
   • running a patch assessment
   • configuring an assessment profile
   • interpreting assessment results
5. To run an assessment, you must complete the following tasks.
4. Select run a patch assessment. The run a patch assessment page is displayed. This is the home page for the Patch Assessment Tool. You can see that no system information has been uploaded.
5. Select (upload new system information). The upload system information page is displayed.
6. Download the collection script swainv to the target system.
7. Run the data collection script, swainv, on the target system. This creates an HP-UX Software Assistant inventory file called inventory.xml.
8.
11 Support and other resources

Contacting HP

Before you contact HP

Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Service agreement ID (SAID)
• Product serial number
• Product model name and number
• Product identification number
• Applicable error message
• Add-on boards or hardware
• Third-party hardware or software
• Operating system type and revision level

HP contact information

For the name of the nearest HP authoriz
• Ignite-UX Administration Guide
• Software Distributor Administration Guide
• Support Plus User Guide
• Read Before Installing Support Plus

HP websites

• HP Home Page
• HP-UX 11i features and news
• Software Assistant
• Dynamic Root Disk
• Ignite-UX
• IT Resource Center
• HP Software Depot
• Software Distributor
• System diagnostic and monitoring tools
• HP ITRC hp-ux technical documentation forum
• HP_UX_Docs Twitter account

Non-HP websites

• hpux-admin mailing list
• HP-UX Porting and Archive Centre
...        The preceding element can be repeated an arbitrary number of times.
           Indicates the continuation of a code example.
|          Separates items in a list of choices.
WARNING    A warning calls attention to important information that if not understood or followed will result in personal injury or nonrecoverable system problems.
CAUTION    A caution calls attention to important information that if not understood or followed will result in data loss, data corruption, or damage to hardware or software.
A Patch usage models

This appendix lists the following patch usage models:
• “Patch usage model 1: hardware/application software change” (page 95)
• “Patch usage model 2: third-party hardware/software qualification” (page 97)
• “Patch usage model 3: operating environment cold install” (page 98)
• “Patch usage model 4: operating environment update” (page 100)
• “Patch usage model 5: proactive patch” (page 102)
• “Patch usage model 6: reactive patch” (page 103)

The following legend is used in all the diagrams
Patch usage model 1: hardware/application software change

[Flowchart text] Begin: Planning for change to hardware or software Is a complete OE update or install required? Is this a hardware upgrade/change? No No Go to B - HP-UX 11i v2/v3 Software Change Yes Go to A - HP-UX 11i v2/v3 Hardware Change Yes Go to the HP-UX 11i v2/v3 OE Update Model 4 A Check documentation or the IRTC at http://irtc.hp.
[Flowchart text, continued] B Install all required software and patches in test and then production Review existing change management procedures No Check with application vendor for specific tools recommendations and patches Acquire software and patches on media or from Web site Use DRD to minimize downtime? Create recovery/archive image Include required software in master depot or golden image Yes Create clone * Ensure the latest drd_unsafe_patch_list file is loaded End: New software deployed Apply all required softwa
Patch usage model 2: third-party hardware/software qualification

[Flowchart text] Begin: Product needs to be certified on HP-UX 11i v2/v3 Install QPK Review HP-UX Software Transition Kit for compliance (software.hp.
Patch usage model 3: operating environment cold install

[Flowchart text] Go to A-1 Go to A Yes Yes Refer to the Ignite-UX website: www.hp.
[Flowchart text, continued] B Go to C - HP-UX 11i2/v3 Depot Install Create 11i install depot (Core Depot) with desired OE content (including all patch bundles) and additional products from OE DVD Create Ignite-UX configurations Installing additional HP products? No Installing optional core enhancements? Yes Yes Copy additional HP products from Application Software Media into Application Depot Copy optional core enhancements from Software Pack (SPK) No Copy QPKAPPS bundle from OE media into Application Depot C Cold insta
Patch usage model 4: operating environment update

[Flowchart text] Begin: Consider updating the O/S Go to HP-UX 11i v2/v3 Operating Environment Cold Install model Cold install O/S? go to A – HP-UX 11i v2/v3 Update From Media Yes Yes Updating from 11i v1.
[Flowchart text, continued] B swcopy OE, optional drivers, QPK, HWE, and optional products from OE media into new Core Depot Install/upgrade additional HP products? No Installing optional core enhancements? Yes No Go to C - HP-UX 11i2/v3 Depot Update Yes swcopy additional HP applications from Application Software Media into Application Depot swcopy optional core enhancements from Software Pack (SPK) swcopy QPKAPPS from OE media into Application Depot C swinstall Update-UX from Core Depot Update 11i OE, optional driver
Patch usage model 5: proactive patch

[Flowchart text] Begin: Start with functioning system Is patch assessment to be performed by HP support? No No Use DRD to minimize downtime Yes Run SWA to find additional issues and their resolution. Updated products and patches will be identified; manual actions might be required. Use SWA to create depot of additional patches if needed. Resolve security issues including manual actions. Add patches used for reactive patching in the past to the patch depot.
Patch usage model 6: reactive patch

[Flowchart text] Begin: System has a problem Analyze fix: Risk Dependencies Installation issues Identify/diagnose problem Fix approved for immediate action Fix deferred 1 Search ITRC for possible resolution Acquire fix Save fix or patch to be installed during proactive maintenance Go to A – Install, Test, Distribute Go to HP-UX 11i v2/v3 Proactive Patching model Yes Fix rejected Yes Fix found? No Contact vendor for support Fix identified? No Work with vendor to identify
Glossary

This glossary defines key terms related to patching that are used in this book. HP recommends the Software Distributor Administration Guide on the HP Business Support Center website at http://www.hp.com/go/sd-docs for additional terms.

ancestor
    An ancestor of a patch is the preexisting software that is being modified or replaced by the patch.
applied
    One of four possible states in which a patch is first installed. When a patch is installed, by default it has the patch_state of applied.
HP-UX Software Assistant
    A tool that consolidates and simplifies patch management and security bulletin management on HP-UX systems. The SWA tool is the HP-recommended utility to use to maintain currency with HP-published security bulletins and recommended patch levels for HP-UX 11i software. SWA has been released for HP-UX 11i systems. SWA can perform a number of checks including published security issues, installed patches with warnings, and missing patches with critical fixes.
subproduct
    A subset or partitioning of a software product. A subproduct is an optional component of a product and contains one or more filesets.
superseded
    The state in which a patch is applied but is then replaced by a superseding patch. See also applied, committed.
superseding patch
    A patch that supersedes all previous patches to a given fileset.
SWA
    See HP-UX Software Assistant.
tape depot
    A software depot stored in tape archive (tar) format.