BigAdmin System Administration Portal
XPert Session - Solaris Patching
Page 5 (41-50 of 51 questions)
Last Updated January 17, 2008
XPert Questions
  1. Are there any plans to improve the performance of patchadd and patchrm?
  2. There have been weird patches showing up in patchdiag.xref ... All of them are "Unbundled" and have synopsis lines like "Sysmod ID is L1H13WB" and "PTF L1H13W9".... Can you explain the purpose of those patches?
  3. I have a Sun Ultra 5 SPARC machine that shows the error message WARNING: timeout: reset target chno = 1 targ = 2 during installation ... Any ideas what this error is referring to?
  4. On s10u2 patched with patchpro.patchset=current through September, adding SUNWdtlog fails during non-global zone install ... What has gone wrong here?
  5. smpatch thinks cacao patches 123894-03 and 123895-03 should apply to (but not only to) s10u4 machines that do not have installed the packages that these patches patch. Why?
  6. Does applying the most recent Rec/Sec patch also bring the system to the most recent Solaris release? (i.e. if base install was Solaris 10 11/06 OS and I install the Jan 08 Rec/Sec patch, will my system now equal a clean S10 08/07 install?)
  7. Is there an automated way of resolving Sun Alert IDs to actual patch numbers?
  8. Yesterday, I patched a Sun Fire X2200M2 server running the Solaris 11/06 distribution (original, not yet patched). I decided to use the Sun Update Manager and install ALL (about 90) proposed patches. After rebooting, the system went into panic, and it seems that the trouble was caused by patch 118855-02 ... What strategy (if any) is a reliable way to patch a Solaris system?
  9. smpatch analyze selects over 80 patches for a machine freshly loaded with the Solaris OS 10 8/07 (update 4). You consider the patch README file the authoritative indicator of whether or not a patch must be applied using a special procedure, correct? Can you suggest a way to scan approximately 100 README files ... ?
  10. It looks like you would not recommend smpatch update;init 6 and go to lunch. Is the following process OK: 1) select patches by some combination of policy, alerts, and smpatch analyze, 2) check a specific ordered set of patches for special circumstances with patchadd -a -M and reading README files, 3) apply patches with patchadd (or, better yet, luupgrade) and any special instructions in the README files, and 4) appropriately test result.

Q: Are there any plans to improve the performance of patchadd and patchrm? This performance problem is due to repeated I/O to the contents file which entirely dominates performance. Big patches (123591 is a good example) do 10s of GB of I/O, of which 99% (this is a measured figure) is to the contents file. I can provide detailed traces of this ... I'm particularly interested in solutions which will work for existing releases ...

A: There is no long-term plan in the Solaris 10 OS to address the issue with patching and the contents file. There was work done in FCS to improve access times using memory mapped files, but in general the algorithm for when we access the file is the big issue. Patch packages tend to be sparse, i.e. in a recommended cluster most only deliver on average a little over one file per package, averaged across every patch. This means that for every package we access the contents file twice just to install one or two files, which is leading to the I/O stats you mention.

But while you won't be happy with the answer, eventually the patch and packaging tools we currently have will be consigned to history. There might be some smaller projects to improve performance with respect to the contents DB, but we do not intend to do large rework of the contents file at this stage. I have quite detailed stats myself with the help of truss/DTrace and friends, which show all the above.

Tim Bradshaw - December 20, 2007


Q: In the last few days, there have been weird patches showing up in patchdiag.xref - hundreds per day, in the meantime, there are more than 3000. All of them are "Unbundled" and have synopsis lines like "Sysmod ID is L1H13WB" and "PTF L1H13W9". The READMEs aren't very informative either. Can you explain the purpose of those patches? Is it a mistake that they have been published in patchdiag.xref?

A: These are patches from StorageTek, a company acquired by Sun some time back. They are transitioning to using SunSolve from their own third-party solution. As such the vast majority of these patches are for IBM mainframes, so please ignore them for now and I will contact the people responsible for patchdiag.xref to see what we can do.

Martin Paul - December 20, 2007


Q: I have a Sun Ultra 5 SPARC machine that shows the error message WARNING: timeout: reset target chno = 1 targ = 2 during installation. After showing this message, it will reboot automatically and stop at the OK prompt. There are no obvious errors on disk and no other storage or devices attached. Any ideas what this error is referring to?

A: This is most probably a disk controller or LUN issue. The disk controller is unable to reach the target LUN. What disk controller and target LUN are attached to your system?

Deepak Kumar - January 2, 2008


Q: On s10u2 patched with patchpro.patchset=current through September, adding SUNWdtlog fails during non-global zone install. Apparently, the package database state for SUNWdtlog after installing s10u2 and patching differs from the database state after installing s10u4 freshbitted package in some way that I don't understand. What has gone wrong here?

A: 124393-03 CDE 1.6: Dtlogin smf patch is changing var/svc/manifest/application/graphical-login/cde-login.xml from type "f" to type "v", due to a separate bug fix.

But when I then install a zone after installing 124393-03, I get the following:

*** package <SUNWdtlog> failed to install with fatal errors:

/export/zones/sparse-after/root/var/sadm/pkg/SUNWdtlog/install/i.manifest:
test: unknown operator
/export/zones/sparse-after/root/var/svc/manifest/application/graphical-login/cde-login.xml
pkgadd: ERROR: class action script did not complete successfully

Installation of <SUNWdtlog> on zone <sparse-after> failed.

The problem is that i.manifest in pspool/SUNWdtlog/install for SUNWdtlog has a bug.

47 eval_pkg() {
48 read path # get the package source directory
49
50 if [ ${path:-NULL} != NULL ]; then
51 PKGSRC=${path:?undefined}

This is called first thing in main.

67 eval_pkg

But i.manifest is called with a standard src/dst pairing, which leads to the test in line 50 failing, because we have something like the following being read into path, which in turn leads to line 50 being like this:

[ /var/sadm/pkg/SUNWdtlog/save/pspool/SUNWdtlog/reloc/var/svc/manifest/application/graphical-login/cde-login.xml /export/zones/sparse-t/root/var/svc/manifest/application/graphical-login/cde-login.xml != NULL ]

This leads to the error.

Prior to converting to type "v", the file was type "f", which meant the manifest never got run during zone install, because type "f" files are simply copied into the zones. (I am working on getting these patches pulled.)

Paul McClay - January 2, 2008
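
The failure described in the answer above, reproduced as an added example; it is not Sun's i.manifest and not the fix that was shipped. The function names, the status_of helper and the /tmp paths are constructed for illustration; only the unquoted test expression comes from the excerpt.

```shell
#!/bin/sh
# Added example; PAIR is a constructed stand-in for the src/dst line
# that pkgadd feeds a class action script on stdin.
PAIR='/tmp/pspool/reloc/cde-login.xml /tmp/zone/root/cde-login.xml'

# Pattern from the excerpt: the whole line lands in $path and is expanded
# unquoted, so [ ] receives two words in front of the != operator.
eval_pkg_unquoted() {
    read -r path
    rc=0
    [ ${path:-NULL} != NULL ] 2>/dev/null || rc=$?
    return $rc      # 0 = value present, 1 = empty, 2 = test syntax error
}

# Same test with the expansion quoted: always a single argument.
eval_pkg_quoted() {
    read -r path
    rc=0
    [ "${path:-NULL}" != NULL ] || rc=$?
    return $rc
}

# Feed one input line to one variant and print that variant's exit status.
status_of() {
    st=0
    printf '%s\n' "$2" | "$1" || st=$?
    echo "$st"
}

echo "unquoted, src/dst pair: $(status_of eval_pkg_unquoted "$PAIR")"
echo "quoted,   src/dst pair: $(status_of eval_pkg_quoted "$PAIR")"
echo "unquoted, single path : $(status_of eval_pkg_unquoted /tmp/pkgsrc)"
echo "quoted,   empty line  : $(status_of eval_pkg_quoted '')"
```

The unquoted form only works while the input is a single word, which is why the defect stayed hidden until the file type change caused the script to run with src/dst pairs during zone install.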


Q: smpatch thinks cacao patches 123894-03 and 123895-03 should apply to (but not only to) s10u4 machines that do not have installed the packages that these patches patch. Why?

A: This is due to a bug in the logic that these patches use to detect whether they should be installed or not.

Please refer to: 6601732 Detectors for patches 123897-03 and 123894-03 do not require package SUNWcacaowsvr.

It is not a bug in the patch tools themselves, but rather a bug in the logic that these particular patches supply to smpatch tools, which detects whether to recommend the patch or not.

Paul McClay - January 2, 2008


Q: Does applying the most recent Rec/Sec patch also bring the system to the most recent Solaris release? (i.e. if base install was Solaris 10 11/06 OS and I install the Jan 08 Rec/Sec patch, will my system now equal a clean S10 08/07 install?)

A: If you have a Solaris 10 11/06 system and install the Jan 08 Recommended patches, all you get is 79 patches installed on top of Solaris 10 11/06. You do not reach the Solaris 10 08/07 release.

If you installed all the patches included in the Solaris 10 08/07 OS, then you would be at the same maintenance level as Solaris 10 08/07, but would be missing any new packages included for some of the new features included in the Solaris 10 08/07 OS.

The Recommended patch cluster only holds a subset of patches for Solaris 10. This is stated in the cluster README as those meeting the Sun Alert criteria -- Security, Availability, Data Loss. This is a small subset of all the patches for the Solaris 10 OS.

Eric - January 9, 2008


Q: On the topic of patch automation, we've written some scripts internally to handle resolving dependencies and downloading the .jars associated with patches from a list of patch IDs. Unfortunately, we receive our mandatory patches ... in the form of Sun Alert IDs. Is there an automated way of resolving Sun Alert IDs to actual patch numbers? ... Does such a thing exist without having to do screen scrapes of each individual Alert ID page?

A: There is a report that maps Sun Alerts to patches, and the link for it is on the SunSolve home page (http://sunsolve.sun.com). The link to Sun Alert Patch Reports takes you to a very large report that will take time to load.

Matt Moldvan - January 11, 2008


Q: Yesterday, I patched a Sun Fire X2200M2 server running the Solaris 11/06 distribution (original, not yet patched). I decided to use the Sun Update Manager and install ALL (about 90) proposed patches. After rebooting, the system went into panic, and it seems that the trouble was caused by patch 118855-02. I assume this is related to "Solaris 10 Kernel Patches May Cause a System Panic, Data Corruption, and/or a Denial of Service Security Issue" (documented at SunSolve). The Sun Update Manager interface and mode of operation deceive Solaris users and administrators about easy and well-automated patching experiences, and this could result in substantial losses for an enterprise/organization that adopts the Solaris platform. What strategy (if any) is a reliable way to patch a Solaris system? Will it be implemented in Sun Update Manager?

A: I would strongly advise the use of Solaris Live Upgrade (luupgrade) to install patches when possible. Solaris Live Upgrade basically creates a bootable copy of the current system (using lucreate), and then you use luupgrade to patch this new boot environment. Then you can boot into the new environment. If there are issues, you can then boot back to the old boot environment.

Solaris Live Upgrade also has the benefit of minimizing downtime, in that the only downtime is the time required to reboot the system.

I believe there are no plans to incorporate Solaris Live Upgrade into Sun Update Manager currently. There are plans to replace the underlying analysis engine in Sun Update Manager in the not-too-distant future.

Giovanni Schmid - January 14, 2008


Q: smpatch analyze selects over 80 patches for a machine freshly loaded with the Solaris OS 10 8/07 (update 4). You consider the patch README file the authoritative indicator of whether or not a patch must be applied using a special procedure, correct? Can you suggest a way to scan approximately 100 README files for either 1) those patches that might call for a special procedure or 2) those patches that certainly do not? For example, can you provide a string, a regexp, or something similar to look for?

A: Look at the README.xxxxxx-xx file contained within the patch. The last section (the heading for this section is the same in every patch) is titled "Special Install Instructions," and it contains any special installation instructions that pertain to the patch.

All patches, even those with no special installation instructions, contain the string "Special Install Instructions." If there is no text after this heading, then there are no special install instructions; otherwise, they will be in the format "NOTE XX:".

Also, be aware that NOTES can be duplicated across patches, that is, some NOTES instruct customers to always install the latest patch utilities patch and are contained in a large number of patches.

So, any good text parser, be it perl, nawk, and so on, should suffice to extract any text.

Paul McClay - January 15, 2008


Q: It looks like you would not recommend smpatch update;init 6 and go to lunch. Is the following process OK: 1) select patches by some combination of policy, alerts, and smpatch analyze, 2) check a specific ordered set of patches for special circumstances with patchadd -a -M and reading README files, 3) apply patches with patchadd (or, better yet, luupgrade) and any special instructions in the README files, and 4) appropriately test result.

A: Yes, this seems reasonable. smpatch also has a download facility that can be useful. As far as I'm aware, it downloads patches in a jar format (for example, 123456-01.jar), but you must use unzip (not jar -xv) to extract the patch; otherwise, the permissions for the scripts used to install the patch deliverables will not be correct.

Yes, I recommend using luupgrade when possible. At least then, if issues occur, it is mostly trivial to boot back to the original boot partition.

patchadd -a -M is useful in that it can find issues, such as dependency problems or zones that are not patchable, prior to actually installing any patches.

The -a option, while it is a private interface currently, does a dry run only. So no software gets updated. The output is very verbose (bordering on overly verbose), but with care, you can identify potential issues up front.

Certain patches, such as Kernel patches, should be treated with extreme care. Ensure that you examine the README file and you understand any information in the "Special Install Instructions" section. Some information will not be relevant, but spend time reading this and understanding the consequences that pertain.

I would advise parsing all patches to extract and examine these instructions. I know they are text-based and so they are time consuming, but certainly in the case of Kernel updates, they contain vital information.

Also, be aware that the "Special Install Instructions" information can be updated after the patch is released on SunSolve. This occurs mostly in the case of Kernel updates, if we discover issues after releasing the patch that are relevant to installing the patch or relevant to the operation of the patched system.

Paul McClay - January 15, 2008
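
One way to do the README scan discussed in the last two answers (find the "Special Install Instructions" heading, flag patches with text after it, and spot NOTEs repeated across patches), as an added example that is not Sun tooling. The function names, the sample READMEs and the patch IDs 900001-01 to 900003-01 are constructed placeholders, and skipping a dash-only rule line under the heading is an assumption about README layout.

```shell
#!/bin/sh
# Added example. Sample README layout is constructed from the description above.

# Text after the heading; blank lines and dash-only rule lines are dropped
# (ignoring a rule line under the heading is an assumption about layout).
special_text() {
    awk 'found && NF && $1 !~ /^[-=]+$/ { print }
         /Special Install Instructions/ { found = 1 }' "$1"
}

# One line per README: "<patch-id> special" or "<patch-id> plain".
triage() {
    for f in "$1"/README.*; do
        if [ -n "$(special_text "$f")" ]; then echo "${f##*/README.} special"
        else echo "${f##*/README.} plain"; fi
    done
}

# NOTE text that appears in more than one README, prefixed with its count.
# The "NOTE n:" prefix is stripped because numbering differs per patch.
shared_notes() {
    for f in "$1"/README.*; do
        special_text "$f" | sed -n 's/^NOTE [0-9]*: *//p' | sort -u
    done | sort | uniq -c | awk '$1 > 1 { $1 = $1; print }'
}

# Constructed sample READMEs (placeholder patch IDs, not real patches).
make_samples() {
    printf '%s\n' 'Patch-ID# 900001-01' 'Special Install Instructions:' \
        '-----------------------------' '' > "$1/README.900001-01"
    printf '%s\n' 'Special Install Instructions:' '' \
        'NOTE 1: Install the latest patch utilities patch first.' \
        'NOTE 2: Reboot after installation.' > "$1/README.900002-01"
    printf '%s\n' 'Special Install Instructions:' \
        'NOTE 1: Apply in single-user mode.' \
        'NOTE 2: Install the latest patch utilities patch first.' \
        > "$1/README.900003-01"
}

demo() {
    d=$(mktemp -d) && make_samples "$d"
    triage "$d"
    shared_notes "$d"
    rm -rf "$d"
}
demo
```

Patches reported as "special" still need their instructions read in full; the shared-note count only shows which NOTEs need reading once rather than per patch.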

