Lifecycle patching

# 1  
Old 06-05-2014
Lifecycle patching

I am trying to understand how people manage lifecycle patching these days. I am not a sysadmin (I am a DB Architect) and what I am being told is that if there is any lag between patching a dev server and a prod server that we will likely get new patches in prod that have not had any soak time in dev. Back when I did do sysadmin work, we downloaded the set of patches being applied in dev and then applied them to prod from our patch repository. Is this not done anymore?

I appreciate any help that can be offered to bring me up to speed on how patching is managed these days.
# 2  
Old 06-06-2014
Is that host on the internet ?
If so, patching should be done more frequently (security patches should be applied as soon as tested).
The standard dev - test - prod applies here as well (or wider).

Mostly you have a repository with patches (hopefully local, not from the internet) for the specific version you wish to upgrade to (for instance a repository for Solaris 11.1.14.5), while hosts are running a lower version (11.1.12.x or whatever) using the 11.1.12.x repository.

So using zfs you can clone or send/receive the existing repository, upgrade it to 11.1.14.5 and define new repository server instance which you will use for upgrading all the hosts (dev test prod).

I don't see how a production patching from the same repository from which you patched dev and test (having in mind that dev test and production should be the same version of operating system) can be different.

If you don't require new features / bug fixes the new version brings or security issues don't affect your machines (not using compromised service etc.), don't fix it if it's not broken.
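As an added illustration (not code from the thread or from any poster), a small drift check that compares a host's installed package list against the baseline that was soaked in dev, so anything pulled directly from the internet rather than from the frozen repository shows up. The `pkg list -H` style samples and their version strings are constructed; the parser only assumes "name version" columns, so output from other package managers fits as well.

```python
"""Compare a host's installed packages with the dev baseline (added example)."""
import re

# Constructed samples in the shape of `pkg list -H` output: name, version, flags.
DEV_BASELINE = """\
system/kernel 0.5.11-0.175.1.14.0.5.0 i--
library/zlib 1.2.8-0.175.1.14.0.5.0 i--
developer/gcc-4 4.7.3-0.175.1.14.0.5.0 i--
"""
PROD_ACTUAL = """\
system/kernel 0.5.11-0.175.1.16.0.3.0 i--
library/zlib 1.2.8-0.175.1.14.0.5.0 i--
developer/gcc-4 4.8.2-0.175.1.16.0.3.0 i--
web/server/apache-22 2.2.26-0.175.1.16.0.3.0 i--
"""


def parse_pkg_list(text):
    """Map package name -> version from whitespace-separated listing lines."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            pkgs[parts[0]] = parts[1]
    return pkgs


def version_key(version):
    """Turn '4.7.3-0.175.1.14.0.5.0' into a tuple of ints for ordering."""
    return tuple(int(p) for p in re.split(r"[.\-]", version) if p.isdigit())


def check_drift(baseline_text, actual_text):
    """Return (name, finding, baseline_version, host_version) for every mismatch."""
    baseline = parse_pkg_list(baseline_text)
    actual = parse_pkg_list(actual_text)
    findings = []
    for name, ver in sorted(actual.items()):
        if name not in baseline:
            findings.append((name, "not in dev baseline", None, ver))
        elif ver != baseline[name]:
            rel = "newer" if version_key(ver) > version_key(baseline[name]) else "older"
            findings.append((name, f"{rel} than baseline", baseline[name], ver))
    for name in sorted(set(baseline) - set(actual)):
        findings.append((name, "missing on host", baseline[name], None))
    return findings


if __name__ == "__main__":
    for name, finding, base, host in check_drift(DEV_BASELINE, PROD_ACTUAL):
        print(f"{name}: {finding} (dev={base}, host={host})")
```

On a real host the two texts would come from the saved dev listing and the live `pkg list -H` output; a non-empty result before the change window is the signal that prod is not getting the set that was tested.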
# 3  
Old 06-06-2014
Peasant, thank you very much for the response.

Unfortunately for us, our infrastructure group is trying to convince us that no one uses a local repository (unless they have to because their servers do not have access to pull them directly). Currently the way our systems (Unix and Linux) are patched is every system pulls whatever is available at the time that they are patched. So if we have a 30 day soak for a set of patches that were applied to dev before applying the patches to qa, it is likely that qa will get patches that were never applied in dev... and so on for production. This scares me (knowing that a single library change can have disastrous effects on a system). I have not even been able to convince them that I need the same version of gcc across an environment (i.e. 4.1.2 20080704 on one box and 4.4.7 20120313 on another).

Your comments (and any others that might be willing to reply) are what I need to go to them and say no; we cannot keep doing things this way. It is a hard battle because they are seen by management as the expert in their area, so if they disagree with us, they usually win. It is forums like this (and experts like yourself) that I have to rely on to make sure that what we are being told is accurate.

I thank you very much for being there and being willing to take a moment of your time to offer your advice and opinions.

Mark
# 4  
Old 06-06-2014
I agree that is not the way to do it (in general, not specifically for Solaris). You need to create (or use) some sort of baseline, either locally or somewhere else that is the same for development, test, qa and production, otherwise (because these environments should be patched in a certain order and never at the same time) there will be all sorts of differences between environments or perhaps even between different hosts within the same environment, depending on the moment of update. Ideally there are some extra unused hosts that can be tested prior to dev or test environments.

There also needs to be a distinction between preventive and corrective patching, and patches need to be tested first. I personally am not of the school of "don't fix if it ain't broken"; I think regular patching is a necessity. Security patches should be treated differently (perhaps also with a different frequency) from ordinary patching, especially if hosts are directly or indirectly exposed to the Internet. Besides the OS, applications (and their patching) also need to be taken into account.

At any rate there should also be a good roll-back mechanism in place; simply removing a patch is often not sufficient to return to a previous state if need be.

Last edited by Scrutinizer; 06-06-2014 at 12:51 PM..
# 5  
Old 06-06-2014
I feel so much better that the consensus so far agrees with my school of thought. Even though we may not all agree on the "to patch or not to patch" debate, the agreement seems to be that you must use a controlled and consistent set of patches from dev through production. As I mentioned initially, it has been some time since I have done real "sysadmin" work, but I do still manage many Oracle databases and it would take someone with a set of nutcrackers on my knuckles to get me to even consider applying different patches in production than I had applied in lower environments. I was shocked when I found out that our servers were being handled differently, but I was not sure if the game had changed so I wanted to make sure.

Thanks again for taking the time to share your expertise; it is appreciated,

Mark
# 6  
Old 06-09-2014
Are you saying that all your servers have direct internet access and that they all download patches when the command is issued?

As some have already said, there needs to be an agreed set that you are installing else your testing does not match what you put into production.

For AIX and HP-UX, I pull down a block of fixes to a directory for testing and then copy that directory to production servers. I don't get a fresh download for that very reason. There may be a neater way, but it's not a huge overhead.

For Red Hat Linux we use their Satellite Server, which means that servers with no business need are not directly on the internet and it reduces our public traffic (that we pay for by usage). This allows us to set up cloned channels (as they call it) into which we can move fixes as we require, and then each OS still does a network pull, but from this controlled list. We can then be sure that production gets the same as testing. We then update the patches in the cloned channel and start testing the next updates, and round we go again.

I think CentOS has the same and I'm sure others do too.

You can even use Red Hat Satellite for Solaris patching (no roll-back though).


Of course, this is always done if anyone agrees that we will actually do some patching. Let's not get into that debate here though.

Robin

As a DBA, you must have some software patch responsibilities too. It's just common sense and you are right.
# 7  
Old 06-09-2014
Yes, that is what they are doing. This all came up when I was told that the longer we "soak" a set of patches in dev, the more likely it is that a different (and untested) set of patches will go into production. Once I picked my jaw up off the floor (which I have to do often around here) we decided to "ask" for a patching server to be configured so that we can start controlling what goes in and when. The most generous time you have all offered up on this thread is what I needed to substantiate our request, which I needed because they tried to make me believe that the "whole world" was doing it their way. My assumption was that this was an extremely inaccurate statement, but then again, I don't know everything, so I turned to those who knew much more about this area than I... you all.

Again I say thanks for sharing both your time and your knowledge.