[pca] Safe patching of production systems

Martin Paul martin at par.univie.ac.at
Wed May 14 12:46:31 CEST 2008


Jones, Dave wrote:
> I'd like to bounce this off the list and see if there are any obvious
> flaws in my idea or if someone has a better way to deal with a patching
> issue, specifically 'time'.

There are only compromises, especially if LU can't be used in your 
environment. So just a few notes:

Installing --noreboot patches in multiuser mode shouldn't be a problem. 
As you noticed, "single user mode" and "reboot required" usually correlate.

You probably won't save much time with the two-stage patch process. 
Often the patches which don't require a reboot are those small patches 
which don't take much time. Or they depend on another patch which *does* 
require a reboot, so can't be installed before the downtime - a third 
stage (patches with --noreboot after the downtime) might be needed.

You could take the risk and install *all* patches in multi-user mode. 
I've done that on a lot of systems for years, and never killed or 
crashed a system. It should be as quiet as possible, of course, and you 
won't be able to ask Sun Support for help if problems arise.

Do not install patches (frequently). Seriously - some systems with a 
limited number of services, no connection to the Internet and without 
user accounts might only need patches if actual problems show up.

For other systems it might be better to re-install them with the current 
OS release + current patches at that time frequently instead of running 
an old OS release and keeping that patched. A fully hands-off jumpstart 
setup plus finish scripts helps a lot with that, of course.

Still, in the worst case, you just have to bite the bullet and force a 
long enough downtime to install e.g. all the RS patches in single user 
mode and accept that it takes as long as it takes.

Martin.
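
An added example, not part of the original message and not pca code: a sketch of the staging problem described above, where a patch without the reboot flag must wait if anything it depends on needs a reboot. The patch ids, dependency data and stage names are constructed for illustration.

```python
# Constructed sample data: patch id -> (needs_reboot, ids it requires).
# The ids and dependencies are made up; they are not real Sun patches.
PENDING = {
    "100001-01": (False, []),
    "100002-03": (True,  []),
    "100003-02": (False, ["100002-03"]),
    "100004-05": (False, ["100001-01"]),
    "100005-01": (True,  ["100006-02"]),
    "100006-02": (False, ["100002-03"]),
}

def closure(pid, pending):
    """All pending patches that pid requires, directly or indirectly."""
    seen, stack = set(), list(pending[pid][1])
    while stack:
        dep = stack.pop()
        if dep in pending and dep not in seen:
            seen.add(dep)
            stack.extend(pending[dep][1])
    return seen

def order(stage, deps):
    """Dependencies first: in an acyclic graph a patch always has a
    strictly larger closure than anything it depends on."""
    return sorted(stage, key=lambda p: (len(deps[p]), p))

def plan(pending):
    """Return [before_downtime, during_downtime, after_downtime]."""
    deps = {p: closure(p, pending) for p in pending}
    reboot = {p for p, (needs_reboot, _) in pending.items() if needs_reboot}
    # Stage 1: no reboot flag and nothing reboot-flagged underneath.
    pre = {p for p in pending if p not in reboot and not (deps[p] & reboot)}
    # Stage 2: reboot-flagged patches plus whatever they still need.
    downtime = set(reboot)
    for p in reboot:
        downtime |= deps[p] - pre
    # Stage 3: no reboot flag, but blocked until the downtime is over.
    post = set(pending) - pre - downtime
    return [order(stage, deps) for stage in (pre, downtime, post)]

if __name__ == "__main__":
    for name, stage in zip(("before", "during", "after"), plan(PENDING)):
        print(f"{name:>6} downtime: {' '.join(stage)}")
```

With this sample, only two of the four patches without the reboot flag can go in before the downtime.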


