Sun Patch Manager Concepts

Sun Patch Manager is one of the tools that is used to manage patches on Solaris systems.

Note

For information about new tools for managing patches and updates in this Solaris release, see What's New in Software Management in the Solaris Operating System?.

Patch Manager primarily operates on signed patches, which include a digital signature from Sun Microsystems. A signed patch offers greater security than an unsigned patch, which does not have a digital signature. The digital signature of the patch is verified before the patch is applied to your system. A valid digital signature ensures that the signed patch that you apply has not been modified since the signature was applied. You can use the smpatch add command to apply unsigned patches.

Patch Management Process

Patch Manager enables you to manually or automatically perform the patch management process, which includes the following tasks:

  • Updating your system with some or all of the appropriate patches, which automatically analyzes the system to determine the appropriate patches, downloads the patches, and applies the patches to the system

  • Analyzing the system to obtain a list of appropriate patches

  • Downloading the appropriate patches to your system

  • Applying the appropriate patches to your system

  • Configuring the patch management environment for your system

  • Tuning the patch management environment for your system

  • Removing patches from your system

For information about recommended strategies and practices for using Solaris patches, go to Solaris Patch Management: Recommended Strategies.

Automatically Updating Your System With Patches

Patch Manager can automatically apply the set of appropriate patches to your system. An update performs these steps in the patch management process:

  • Analyzes your system to determine which patches are appropriate

  • Downloads those patches to your system

  • Applies only the patches that meet the policy for applying patches

After a patch has been successfully applied, the downloaded patch is removed from the download directory.

Patches are applied to your system depending on the specified policy and the patch properties associated with the patches that are downloaded.

If a patch does not meet the policy for applying patches, the patch is not applied. Instead, a patch entry for that patch is written to the disallowed_patch_list file in the download directory. Sun Patch Manager continues trying to apply the other patches. Later, you can go to the download directory and use the smpatch add command to manually apply any disallowed patches that are listed in this file. For any of the patches that have the interactive property set, follow the instructions in the patch's README file to apply them.

For example, you can bring your system to single-user mode and apply the patches listed in the disallowed_patch_list file by typing the following:

# smpatch add -x idlist=/var/sadm/spool/disallowed_patch_list

Instead of performing an update, you can perform the analyze, download, and apply tasks manually by using the smpatch command. These tasks are described in the following sections.

Analyzing Your System

Before you apply patches to your system, you can determine which patches are needed. You can use Patch Manager to perform a patch analysis of your system to obtain a list of appropriate patches.

Patch Manager uses analysis modules and a list of available patches from the source of patches, which is the SunSolve Online web site by default, to perform the analysis of your Solaris system. For information about the source of patches, see Specifying the Source of Patches.

Based on the result of the analysis, the patches can be downloaded and applied to your system.

Sometimes a patch depends on another patch, that is, the first patch cannot be applied to the system until the other patch is applied. The first patch is said to have a dependency on the second patch. When Patch Manager analyzes your system, it checks for patch dependencies and automatically includes all patches in the resulting list. If you request a system analysis based on particular patches, Patch Manager adds any patches to the list that are needed to resolve patch dependencies.

Note

The list of patches that is generated by the analysis is based on all of the available patches from the Sun patch server. No explicit information about your host system or its network configuration is transmitted to Sun. Only a request for the Sun patch set is transmitted. The patch set is scanned for patches that are appropriate for this host system, the results are displayed, and those patches are optionally downloaded.

Downloading Patches to Your System

Before you apply patches to your system, you must download the patches that you want from the Sun patch server to that system.

You can download patches from the Sun patch server based on an analysis of the system, or you can specify particular patches to download.

Applying Patches to Your System

Patch Manager can apply patches to your system.

If you use the smpatch add command to apply particular patches, it attempts to apply only those patches that you specified. The smpatch add command does not attempt to resolve patch dependencies. If you want to apply a patch that has a missing dependency, the patch is not applied. You can use the smpatch analyze command or the smpatch update command to resolve patch dependencies.

Removing Patches From Your System

You might want to remove (or back out) a patch that you previously applied to your system. Patch Manager enables you to remove patches.

When you remove a patch, the Solaris patch tools restore all of the files that have been modified by that patch, unless any of the following are true:

  • The patch was applied by the patchadd -d command, which instructs patchadd not to save copies of files being updated or replaced.

  • The patch was applied by the patchadd command without using the -d option and the backout files that were generated have since been removed.

  • The patch has been obsoleted by a later patch.

  • The patch is required by another patch.

The Solaris patch tools call the pkgadd command to restore packages that were saved when the patch was initially applied.

During the patch removal process, the patchrm command logs the backout process in the /tmp/backoutlog.process-id file. This log file is automatically removed if the patch is successfully removed.

Note that you can only remove one patch at a time when you use the smpatch remove command.

Note

If you attempt to remove a patch on which other patches depend, it is not removed. If you remove all of the patches that depend upon this patch, then you can remove it.
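
The dependency rules described under Analyzing Your System, Applying Patches to Your System, and Removing Patches From Your System can be modeled as follows. This is an added example, not Patch Manager code: the patch IDs, the REQUIRES map, and the function names are constructed for illustration.

```python
# Added illustration: a model of the dependency rules described above.
# Patch IDs and the REQUIRES map are constructed sample data, not real patches.
REQUIRES = {
    "900001-01": [],
    "900002-03": ["900001-01"],
    "900003-02": ["900002-03"],
    "900004-01": [],
}


def resolve(requested, installed):
    """Like analyze/update: return the requested patches plus any missing
    dependencies, ordered so each dependency precedes its dependent."""
    order, seen = [], set(installed)

    def visit(pid, stack):
        if pid in seen:
            return
        if pid in stack:
            raise ValueError("dependency cycle at " + pid)
        for dep in REQUIRES[pid]:
            visit(dep, stack | {pid})
        seen.add(pid)
        order.append(pid)

    for pid in requested:
        visit(pid, frozenset())
    return order


def can_add(pid, installed):
    """Like add: no dependency resolution; refuse if a dependency is missing."""
    missing = [d for d in REQUIRES[pid] if d not in installed]
    return (not missing, missing)


def can_remove(pid, installed):
    """Removal is refused while an installed patch still requires pid."""
    dependents = sorted(p for p in installed if pid in REQUIRES[p])
    return (not dependents, dependents)
```

In this model, requesting only 900003-02 on an empty system resolves to all three chained patches in apply order, while can_add refuses the same patch until 900002-03 is present.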

Specifying the Source of Patches

When you use Patch Manager, your client systems must have access to Solaris patches and patch data. Both client systems and local patch servers can obtain patches from these sources:

  • Patch server – A server that provides access to Solaris patches and patch data.

  • Local collection of patches – A collection of patches and patch data that is stored in a directory available to the local system. Such a directory might be a local directory, a shared network directory, or a CD mounted on your local system.

The default source of patches for client systems is the Sun patch server. As a result, any client system that obtains patches from the Sun patch server must be connected, either directly or through a web proxy, to the Internet.

You can use a combination of different patch sources to configure these patch management environments.

Clients access patches and patch data from the following sources:

  • Sun patch server – Your client systems obtain patches from the Sun patch server.

    This configuration requires that your client systems are connected, directly or through a web proxy, to the Internet.

  • Local collection of patches – Your client systems obtain patches and patch data from a collection of patches on your local system.

    This configuration does not require that the client systems be connected to the Internet.

For instructions on specifying the source of patches for your client system, see or How to Specify the Source of Patches (Command Line).

Customizing the Policy for Applying Patches

Patch Manager enables you to customize a policy for applying patches to use when updating your system. The policy determines the types of patches that can be applied during an update operation.

Solaris patches are classified as being standard or nonstandard. A standard patch can be applied to your Solaris system when running in multiuser mode. A reboot is not required. Such a patch is associated with the standard patch property.

A nonstandard patch has one of the following characteristics:

  • The patch is associated with one or more of the rebootafter, rebootimmediate, reconfigafter, reconfigimmediate, and singleuser properties. Such a nonstandard patch can be applied during an update operation if permitted by the policy.

  • The patch is associated with the interactive property. Such a patch cannot be applied by using the smpatch update command. You can use the smpatch add command or the patchadd command to apply such a patch.

Note

As of this Solaris release, not all Sun patches are available through Sun Patch Manager. Such patches include those that do not conform to PatchPro standards, and those that have third-party contract restrictions.

You can specify the types of patches that Patch Manager can apply during an update. Such patches might include those that require a reboot or those that must be applied while the system is in single-user mode.

For descriptions of the following patch properties, see the smpatch(1M) man page.

  • interactive

  • rebootafter

  • reconfigafter

  • rebootimmediate

  • reconfigimmediate

  • singleuser

  • standard

Setting Patch Manager Configuration Parameters

You can use the smpatch command to set the following Patch Manager parameters.

patchpro.patchset

Name of the patch set to use. The default name is patchdb.

patchpro.download.directory

Path of the directory where downloaded patches are stored and from which patches are applied. The default location is /var/sadm/spool.

patchpro.backout.directory

Path of the directory where patch backout data is saved. When a patch is removed, the data is retrieved from this directory as well. By default, backout data is saved in the package directories.

patchpro.patch.source

URL that points to the collection of patches. The default URL is that of the Sun patch server, https://updateserver.sun.com/solaris/.

patchpro.sun.user

The Sun user name that you use to obtain patches. You obtain this user name by registering at . By default, you are not permitted to access contract patches.

patchpro.sun.passwd

Password used with your Sun user name. No default password is set. If you specify your Sun user name, you must also specify your password.

patchpro.proxy.host

Host name of your web proxy. By default, no web proxy is specified, and a direct connection to the Internet is assumed.

patchpro.proxy.port

Port number used by your web proxy. By default, no web proxy is specified, and a direct connection to the Internet is assumed. The default port is 8080.

patchpro.proxy.user

Your user name used by your web proxy for authentication.

patchpro.proxy.passwd

Password used by your web proxy for authentication.

patchpro.install.types

Your policy for applying patches. The value is a list of zero or more colon-separated patch properties that are permitted to be applied by an update operation (smpatch update).

By default, patches that have the standard, rebootafter, and reconfigafter properties can be applied. See Customizing the Policy for Applying Patches.
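
The following added example (not Patch Manager code) models how a patchpro.install.types value splits downloaded patches into those an update applies and those left for the disallowed_patch_list file. It assumes a patch is applied only when every property it carries is permitted by the policy; the patch IDs and function names are constructed for illustration.

```python
# Added illustration: a model of the update policy described on this page.
KNOWN = {"interactive", "rebootafter", "reconfigafter", "rebootimmediate",
         "reconfigimmediate", "singleuser", "standard"}
DEFAULT_POLICY = "standard:rebootafter:reconfigafter"  # default stated on the page


def parse_policy(value):
    """Split a patchpro.install.types value into a set of patch properties."""
    props = {p for p in value.split(":") if p}
    unknown = props - KNOWN
    if unknown:
        raise ValueError("unknown patch properties: " + ", ".join(sorted(unknown)))
    return props


def partition(patches, policy_value=DEFAULT_POLICY):
    """Return (applied, disallowed) lists of patch IDs for an update.

    Assumption: a patch qualifies only if all of its properties are permitted.
    Interactive patches are never applied by an update, whatever the policy.
    """
    allowed = parse_policy(policy_value) - {"interactive"}
    applied, disallowed = [], []
    for pid, props in patches:
        ok = bool(props) and set(props) <= allowed
        (applied if ok else disallowed).append(pid)
    return applied, disallowed


# Constructed sample: (patch ID, patch properties)
SAMPLE = [
    ("900001-01", ["standard"]),
    ("900002-03", ["rebootafter"]),
    ("900003-02", ["singleuser", "rebootimmediate"]),
    ("900004-01", ["interactive"]),
]

if __name__ == "__main__":
    applied, disallowed = partition(SAMPLE)
    print("applied by update:", applied)
    print("left in disallowed list:", disallowed)
```

The disallowed list is the part to review after an update: under the default policy, the single-user and interactive patches in the sample remain unapplied until someone applies them manually.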