[pca] Safe patching of production systems

Jones, Dave Dave.Jones at maritz.com
Wed May 14 15:35:41 CEST 2008


Hi Martin.

Thanks for the reply.
I understand the "don't patch frequently" concept but that does not work
with our ISO, PCI & other requirements.
We have quarterly security audits and any concerns must be addressed.

As you said, biting the bullet & doing them all in single user may be my
only option until we are able to use LU.

Dave


-----Original Message-----
From: pca-bounces at lists.univie.ac.at
[mailto:pca-bounces at lists.univie.ac.at] On Behalf Of Martin Paul
Sent: Wednesday, May 14, 2008 5:47 AM
To: PCA (Patch Check Advanced) Discussion
Subject: Re: [pca] Safe patching of production systems

Jones, Dave wrote:
> I'd like to bounce this off the list and see if there are any obvious
> flaws in my idea or if someone has a better way to deal with a patching
> issue, specifically 'time'.

There are only compromises, especially if LU can't be used in your 
environment. So just a few notes:

Installing --noreboot patches in multiuser mode shouldn't be a problem. 
As you noticed, "single user mode" and "reboot required" usually
correlate.

You probably won't save much time with the two-stage patch process. 
Often the patches which don't require a reboot are those small patches 
which don't take much time. Or they depend on another patch which *does*
require a reboot, so can't be installed before the downtime - a third 
stage (patches with --noreboot after the downtime) might be needed.

You could take the risk and install *all* patches in multi-user mode. 
I've done that on a lot of systems for years, and never killed or 
crashed a system. It should be as quiet as possible, of course, and you 
won't be able to ask Sun Support for help if problems arise.

Do not install patches (frequently). Seriously - some systems with a 
limited number of services, no connection to the Internet and without 
user accounts might only need patches if actual problems show up.

For other systems it might be better to re-install them with the current
OS release + current patches at that time frequently instead of running 
an old OS release and keeping that patched. A fully hands-off jumpstart 
setup plus finish scripts helps a lot with that, of course.

Still, in the worst case, you just have to bite the bullet and force a 
long enough downtime to install e.g. all the RS patches in single user 
mode and accept that it takes as long as it takes.

Martin.
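The three-stage run Martin describes (--noreboot patches in multi-user mode, everything else in single-user mode during the downtime, --noreboot stragglers afterwards) can be wrapped in a small driver that refuses to start the reboot-required stage unless the box is actually at run level S. The script below is an added example for this thread, not something posted by Martin or Dave and not part of PCA itself; it assumes pca is on PATH, that the patches were fetched beforehand with "pca -d", that the pca options -l, -i, -y and --noreboot and the "missingrs" patch group (missing Recommended/Security patches) behave as in the PCA manual page, and that "who -r" prints the run level after the word "run-level" as Solaris does. The PCA_STAGE environment variable is this example's own convention.

```shell
#!/bin/sh
# Added example: staged Recommended/Security patching with pca.
# Assumptions (not from the original thread): pca on PATH, patches already
# downloaded with "pca -d", pca options as documented in its manual page.

# Print the run level from one line of "who -r" output.
# Solaris prints e.g. "   .       run-level 3  May 14 08:00     3      0  S"
runlevel_from_who() {
    echo "$1" | awk '{ for (i = 1; i < NF; i++)
                         if ($i == "run-level") { print $(i + 1); exit } }'
}

# stage_allowed STAGE RUNLEVEL: exit 0 if STAGE may run at RUNLEVEL.
#   noreboot - patches that need no reboot; acceptable at any run level
#   reboot   - everything else; only in single-user mode (S or 1)
stage_allowed() {
    stage=$1
    level=$2
    case "$stage" in
        noreboot) return 0 ;;
        reboot)
            case "$level" in
                S|s|1) return 0 ;;
                *)     return 1 ;;
            esac ;;
        *) return 2 ;;   # unknown stage name
    esac
}

# run_stage STAGE: check the run level, then let pca install the
# missing Recommended/Security patches appropriate for the stage.
run_stage() {
    stage=$1
    level=$(runlevel_from_who "$(who -r)")
    if ! stage_allowed "$stage" "$level"; then
        echo "refusing stage '$stage' at run level '$level';" \
             "boot to single-user mode first" >&2
        return 1
    fi
    echo "== run level $level, stage $stage: missing RS patches before install"
    pca -l missingrs
    case "$stage" in
        noreboot)
            # Stage 1 (and stage 3 after the downtime): only patches that do
            # not require a reboot, so multi-user mode is fine.
            pca -i -y --noreboot missingrs ;;
        reboot)
            # Stage 2: everything still missing, in single-user mode. Patches
            # that depend on these become installable in stage 3.
            pca -i -y missingrs &&
            echo "stage 2 done: reboot now, then run stage 3 (noreboot)" ;;
    esac
}

# Only act when a stage was requested, e.g.:  PCA_STAGE=noreboot sh $0
if [ -n "${PCA_STAGE:-}" ]; then
    run_stage "$PCA_STAGE"
fi
```

The stage check is the point of the wrapper: pca itself does not care which run level it is invoked from, so the operator's intent (multi-user for --noreboot only, single-user for the rest) is enforced by the script rather than by memory. Dropping the check and running everything at run level 3 is exactly the "take the risk" variant Martin mentions.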

