Solaris 10: Patching Solaris 10 on servers with non-global zones

For servers running Solaris 10 at, or near, update 1 (1/06) or update 2 (6/06) that already have non-global zones configured and running, patching in single-user mode runs into problems: patches may be loaded only on the global zone and not on the non-global zones. Pay attention to the following:

1. If non-global zones have their own separate root file systems, make sure all of them are mounted.
2. Patches 119254-52 (or later) and 122660-10 need to be loaded on the global zone and all non-global zones first.
3. If a non-global zone has its own separate /var file system, both 119254-52 (or later) and patch 122660-10 must be loaded on all zones. Otherwise, the following error will appear:

Patch 1xxxxx-xx failed to install due to a failure produced by pkgadd.

Resolution
Patching procedure
When the global zone is in single-user mode, all non-global zones are by default halted, in the “installed” state. Patches 119254-52 (or later) and 122660-10 cannot be installed in this mode; all non-global zones need to be booted to single-user mode first. Once patches 119254-52 (or later) and 122660-10, along with their required patches, have been installed, all other patches can be installed with the non-global zones in the halted state. The proper procedure is as follows:

1. Boot server in single user mode

2. Mount all zone root file systems

3. Boot all non-global zones to single user mode
# zoneadm -z zone boot -s

4. Load patch 119254-52 (or later); required patch: 121133-02

5. Load kernel patch 118833-36 if needed (required patches: 118913-13, 119042-09, 119254-14, 119578-30), then do a reconfiguration boot

6. Make sure the global zone and all non-global zones are in single-user mode, repeating steps 1 – 3

7. Load patch 122660-10 (required patches: 118731-01, 118833-33 (or later), 120900-04, 121133-02, 122640-02, 124204-04), then do a reconfiguration boot

8. Load all other patches with the global zone in single-user mode and all non-global zones halted in the “installed” state (the default); all zone root file systems still need to be mounted
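
The checks implied by steps 3, 4, 6, 7 and 8 can be scripted before each patch run. The following is an added example, not part of the original post: it parses the output of `zoneadm list -cp` and `showrev -p`, using constructed sample output so it runs offline. The function names are hypothetical, and it assumes a zone booted with -s reports the state "running".

```shell
# Constructed sample of `zoneadm list -cp` (zoneid:zonename:state:zonepath).
SAMPLE_ZONES='0:global:running:/
-:web01:installed:/zones/web01
1:db01:running:/zones/db01'

# Constructed sample of `showrev -p` inside one zone (package names are placeholders).
SAMPLE_PATCHES='Patch: 119254-52 Obsoletes: Requires: 121133-02 Incompatibles: Packages: PKGexample1
Patch: 121133-02 Obsoletes: Requires: Incompatibles: Packages: PKGexample2
Patch: 118833-24 Obsoletes: Requires: Incompatibles: Packages: PKGexample3'

# zones_not_in STATE: reads `zoneadm list -cp` output on stdin and prints the
# non-global zones whose state differs from STATE. Use "running" before
# steps 4 and 7 (assumption: a zone booted with -s shows "running") and
# "installed" before step 8.
zones_not_in() {
    awk -F: -v want="$1" '$2 != "global" && $3 != want { print $2 }'
}

# has_patch ID-REV: reads `showrev -p` output on stdin; succeeds only if the
# patch ID is installed at revision REV or later ("119254-52 (or later)").
has_patch() {
    awk -v need="$1" '
        BEGIN { split(need, n, "-"); rc = 1 }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == n[1] && p[2] + 0 >= n[2] + 0) rc = 0
        }
        END { exit rc }'
}

# missing_patches ID-REV...: reads `showrev -p` output on stdin and prints
# every required patch that is absent or installed at an older revision.
missing_patches() {
    out=$(cat)
    for req in "$@"; do
        printf '%s\n' "$out" | has_patch "$req" || printf '%s\n' "$req"
    done
}
```

On a live system the input would come from `zoneadm list -cp | zones_not_in running` and, per zone, `zlogin zone showrev -p | missing_patches 119254-52 121133-02`; any output means the zone is not ready for the next step.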

Ramdev

I started unixadminschool.com (aka gurkulindia.com) in 2009 as my own personal reference blog, and sometime later I realized that my learnings might be helpful for other unixadmins if I managed my knowledge base in a more user-friendly format. The result is today's unixadminschool.com. You can connect with me at https://www.linkedin.com/in/unixadminschool/

13 Responses

  1. Santosh says:

    Hi Ramdev,
    Can you please help me by providing the steps for patching in real time?
    Like, I heard that initially we need to break the mirror?
    Please provide me the steps before starting the patch, during the patch and after the patch.

    I attended 2 interviews; they asked this question, which I failed to answer.
    I tried to get this info from many people but no one gave me the solution.
    I hope you will guide me on this.

    thanks

  2. Yogesh.Raheja says:

    @Santosh, we have already posted a real time patching process which includes complete step by step approach. “http://gurkulindia.com/main/2011/09/general-procedure-for-kernel-patching-in-solaris/”. Hope you will find it very useful.

  3. Santosh says:

    Hi Yogesh,
    I have gone through this post already.
    So is the patching process the same for either a kernel patch or any application patch?
    Or is there any difference between them? Like files that need a backup, or any extra steps?
    If there are any small differences, let me know.
    And thanks a lot for the immediate response to my query…

  4. Santosh says:

    Hi Yogesh,
    Can you let me know the difference between Oracle Live Upgrade and patching?
    Is Live Upgrade a tool or a set of commands? Where can I find the commands for Live Upgrade?
    Help needed…

    Thanks,
    Santosh

  5. Yogesh Raheja says:

    @Santosh, in real terms the same process is used for any patch (OS/security/apps). But you will find kernel patching most of the time, as it contains all the required OS patches. But yes, the process will be the same as mentioned above. The only difference is that for an individual patch you will use the patchadd command, and you also have to find out the patch dependencies.

  6. Yogesh Raheja says:

    @Santosh, Live Upgrade is a method to do patching/OS upgrades etc. For more details you can see the link below: “http://gurkulindia.com/main/2011/10/solaris-patching-using-live-upgrade/”. Hope this will help you understand the concept.

  7. Santosh says:

    Yogesh, in that post initially you installed the Oracle Live Upgrade application, it means it’s a tool right?
    yogesh#pwd
    /a/Solaris_10/Tools/Installers

    yogesh#ls -l
    total 3
    -r-xr-xr-x 1 root root 457 Sep 1 2009 liveupgrade20
    -r-xr-xr-x 1 root root 554 Sep 1 2009 solarisn
    yogesh#

    yogesh#./liveupgrade20

    Sorry if I am wrong, it’s just a doubt.

  8. Yogesh Raheja says:

    @Santosh, it's a package which is present by default with the OS installation. It's recommended by SUN to upgrade the LU package to the highest version before proceeding with its usage. That's the reason I did the above steps as a precaution. Live Upgrade is just a package which is present by default in the OS. You can check for it on your server; you will find it. Hope this will help you.

  9. sandeep says:

    Hi Yogesh/Ramdev,

    In my environment some of the servers are mirrored with ZFS. Do you guys have any document on patching a ZFS root mirror? If so, please pass it to me.

  10. Yogesh Raheja says:

    @Sandeep, let me try that on my test m/c and then I will get back to you.

  11. sandeep says:

    Hi Yogesh,

    I'm planning to patch the Solaris 9/10 servers which are at the patch levels below. Could you please let me know what the latest patch level is for those, so that I can apply the latest patches?

    Solaris 9 9/04 — Generic_122300-46

    Solaris 9 9/04 — Generic_122300-57

    Solaris 9 9/04 — Generic_122300-55

    Solaris 9 9/04 — Generic_118558-38

    Solaris 9 9/04 — Generic_118558-39

    Solaris 10 8/07 — Generic_137137-09

    Solaris 10 10/09 — Generic_141444-09

    • Ramdev says:

      @Sandeep – To answer your question we should go back to the basic question: why do we need to apply a patch?

      As I discussed in some other comment, “Basic purpose of Patching is to avoid any security or functional vulnerabilities either from the code of operating system or the code of related applications”.

      There are two common cases for the question “when do we have to apply patches?”

      Case 1: The SA notices an issue on the server, raises a ticket with the vendor for support and then gets advice on a specific patch update for the server. Finally, the SA proceeds with the patch update.

      Case 2: The SA performs proactive administration by checking the whole environment for any other server similar to the problematic server from case 1, and if any is found, goes for patch installation. In this case the SA can make the call without vendor support because of the experience from case 1.

      Back to your question:

      For general/kernel patches related to non-security issues: if your servers have encountered no issues then leave them as they are, and if you see some unexpected issues then raise a case with Oracle or otherwise look at the problem history of your own environment and the resolution procedures. If there is a previous track record for the specific patch install then go ahead with the patch installation using appropriate procedures.

      For security-related patches: your company should have a security advisory team who continuously deal with technical vendors on any security vulnerabilities, and if there is an alert they will ask the SA team to go for patch installation. If you think that your company doesn’t have such a team, then you can keep watching the site sunsolve.sun.com, where Oracle releases all security updates and also lists the recommended patch list.

      Warning: Sometimes installing patches without proper testing can cause application issues, so please make sure to test the patch on dev/test machines before installing on critical servers.
