Thanks for the replies - sorry about the delayed summary.

I've had a look at the "commercial" alternatives suggested and they all seem to be over-engineered and, for us, no real improvement on patchk.

I'm a little concerned that Sun is being pressured by "marketing" into adopting an SMC-based solution suitable for non-experts and forgetting the rest of us who are running high-profile services that cannot be interrupted on demand.

I hope that Sun will ask for comments before implementing any new patch management schemes. I also hope Sun continues to create and publish either patchdiag.xref or something with a similar or better level of detail. Then we can always implement patch management schemes that suit our sites rather than be forced to adopt a general solution.

Reply Summaries

Andy Kannberg suggested srsnet --

It does more than patch management. But it can generate a report which tells you which patches are installed on the system, divided into recommended and security. It does not tell you whether the patch has dependencies and if a reboot is needed, but within the report, you can link to the patches which are not installed/not uprev to see what the prerequisites are. SRSnetconnect can be used for free if you have a SUN contract. It can be downloaded from http://www.sun.com/service/support/srs/netconnect/

Fredrik Robertsson reports that something new is coming from Sun --

we just had our quarterly support meeting with Sun, and they told us that they are currently working on a "new patch strategy". Mainly they are trying to merge several tools into one tool to rule them all or something like that. Since patchdiag.xref is used by the LISA tool to analyze explorer dumps against, I would assume that it will be available for quite some time...

Gene Siepka suggested Traffic Light Patch Manager --

TLP will analyze your system, and create a patch bundle for you, along with giving you a patch order file.
Also, probably the coolest thing about it is that it can generate a patch bundle based on Explorer output. So if you set up Explorer on your 50 or so servers, and have them sent to one box (like a gateway box that has internet access to send Explorer output to Sun), you can load TLP on that box and create your patch bundles there.

However, as with all good things, there is a catch, as we found out. First off, TLP is not free, it's not even freely available. It's used in the UK already, however it's unused here in the US. Also, the patches are generated from the monthly EIS CDs, which are not made available to customers.

What our Sun rep told us is that we could build a patch management server, which also holds our explorer output. And they could install an EIS CD on this server, for a nominal fee. (5000 a quarter) We are trying to get management approval for the cost, but this sounds like the best thing Sun has available for patches right now. Hopefully they can release TLP to everyone soon, as it seems like a pretty cool thing to keep servers up to date.

Javier Palacios described a home grown solution based on "yum" --

Hello, this is not exactly a solution for patching, but might be. Some months ago, I modified yum (an rpm packages tool) to work with solaris pkgs, and it is able to install, remove and update packages from a remote repository. As our patching policy is 'relaxed', I've not taken it too seriously. It behaves as if the latest patch were the only one to apply, and installs the patch with a 'pkgadd' of the package subdirectory on the patch tarball.

> Does anybody know if the patchdiag.xref file will continue to be updated and
> made available? If so, I suppose I'll just have to write my own patch
> management scheme... again.

Now that you have pointed me to patchk, I'll try to import the logic into my yum4sol (it is Python). Right now, it is quite limited as a patching tool, but might be a good starting point.
Dave Foster suggested a product called "Patchlink" --

If you can go commercial, Patchlink is a very nice product, we use it to patch our Windows systems but it can also handle Linux and Solaris.

pdg describes a home grown python script --

I have written a python script which parses the xref file and works out what to patch on the current machine, then either complains it cannot find the patch or installs the patch if it can find it (in a specified location). It may be useful to you.

(start tirade) However, the xref file is crap. Not only is the format ridiculously difficult to parse, it never seems to accurately reflect the current situation with patches and I end up having to hack the xref file to make it agree with reality. Every month I run this, and I always end up (according to the xref file) with patches depending on patches that are withdrawn or superseded or similar. It drives me crazy. (end tirade). The whole thing needs a revamp at the SUN end.

Original Question
----------------------------------------------

Since the "official" view of patchk is that it's dead[1], I've been looking at the available alternatives.

Straight off I see that PatchPro Interactive and PatchPro Expert are useless to us as they are purely interactive - with 50 odd machines to look after, whatever replaces patchk has to generate reports automatically.

PatchPro 2.2 looks more useful but we don't add patches without first checking them so the automatic installation features can't be used. As we can't reboot our systems on demand, any patch that needs a reboot must be reviewed for importance.

The "smpatch analyze" command looks useful at first glance but the report it generates doesn't distinguish between security, recommended and general patches at all! Neither does it indicate dependencies, reboot needs, patch ages or any of the information a sysadmin might need to assess the urgency of a particular patch.

So it turns out that we can't make use of PatchPro.
Does anybody know if the patchdiag.xref file will continue to be updated and made available? If so, I suppose I'll just have to write my own patch management scheme... again.

[1] "As of February 29, Patch Check will no longer be available for download. Please transition to using Patch Manager by that date."
http://uk.sunsolve.sun.com/pub-cgi/show.pl?target=patchk

Actually, it remains available as of today.

--
| Geoff. Lane | Manchester Computing | Manchester | M13 9PL | England |

IBM manuals are neither written by, nor for, humans.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Tue Jul 13 03:59:41 2004