[pca] patch maintenance schedule

Martin Paul martin at par.univie.ac.at
Thu Oct 29 10:58:24 CET 2009


Xu, Ying (Houston) wrote:
> We would like to use security patch
> cluster to make minimal changes to the environment but fix sun alert
> issues.

Here's one possible procedure you could use, e.g. for a monthly patch cycle:

On a certain date, e.g. mid-month, you install all the current security 
patches using the same patchdiag.xref file on all your test machines 
(e.g. "pca -i missings"). Determine whether a reboot is required or 
recommended (pca will tell you). Keep and store the patchdiag.xref in 
some central directory (or on a local patch server), e.g. 
/xref/20091115/. With a local caching proxy (see pca docs) you will also 
ensure that all patches are already stored locally when the production 
machines are patched.

On the last day of the month - your patch day - you install the same set 
of patches on all production machines by pointing pca at the frozen xref 
file (e.g. "pca -X /xref/20091115/ -i missings"). If a reboot is 
required, do that after patch installation.

As the production machines install the same patch set as the test 
machines, and you had two weeks to sort out any possible issues, the 
patch install on the production machines could be done automatically.

This could be combined with the usage of Live Update of course, where 
you would patch an inactive boot environment and reboot to that after 
patch installation.

hth,

Martin.
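Added example, not part of the original message and not code from pca: a shell sketch of the freeze-then-install procedure described above, which copies the xref used on the test machines into a dated directory and checks it is unchanged before printing the production command. The function names, the `.sha256` sidecar file and the use of `sha256sum` or Solaris `digest` are assumptions of this example; only `pca -X <dir> -i missings` comes from the message.

```shell
#!/bin/sh
# Added example: freeze a patchdiag.xref for one patch cycle and verify it
# before production installs. Function names and file layout are illustrative.

# Print the SHA-256 hex digest of a file (sha256sum if present, else Solaris digest).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        digest -a sha256 "$1"
    fi
}

# freeze_xref SRC_XREF XREF_ROOT CYCLE
# Copy the xref used on the test machines to XREF_ROOT/CYCLE/ and record its hash.
freeze_xref() {
    dir="$2/$3"
    [ -f "$1" ] || { echo "no xref at $1" >&2; return 1; }
    # Refuse to overwrite: a frozen cycle must not change after testing started.
    [ -e "$dir/patchdiag.xref" ] && { echo "$dir already frozen" >&2; return 1; }
    mkdir -p "$dir" && cp "$1" "$dir/patchdiag.xref" || return 1
    hash_file "$dir/patchdiag.xref" > "$dir/patchdiag.xref.sha256"
}

# verify_xref XREF_ROOT CYCLE
# Succeed only if the frozen xref still matches the hash recorded at freeze time.
# The hash sits beside the file, so this catches drift, not a deliberate rewrite of both.
verify_xref() {
    dir="$1/$2"
    [ -f "$dir/patchdiag.xref" ] && [ -f "$dir/patchdiag.xref.sha256" ] || return 1
    [ "$(hash_file "$dir/patchdiag.xref")" = "$(cat "$dir/patchdiag.xref.sha256")" ]
}

# production_cmd XREF_ROOT CYCLE
# Print the pca command for patch day, or fail if the frozen xref is missing or changed.
production_cmd() {
    verify_xref "$1" "$2" || { echo "xref for $2 missing or modified" >&2; return 1; }
    echo "pca -X $1/$2/ -i missings"
}
```

On the test machines this would be called as `freeze_xref <path to xref> /xref 20091115`; on patch day the output of `production_cmd /xref 20091115` is the command to run.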



