Patch Management Tasks and Examples

installing copying, interactive patch management, removal, rollback, committing patches, verifying patches

Installing Patches

Installation of patch products follows the same rules as any other SD installation. The key difference is that patch selection and mechanisms let you select only the patches that meet specified criteria. Selection mechanisms for patches are:

The category_tag attribute and corresponding category objects.
The patch_filter, patch_match_target, and autoselect_patches options.

When you install a patch, SD updates the applied_patches attribute of the fileset that has been patched and updates the INFO file information to include the patched file's attributes. Also (if the patch_save_files option is set to true), files that would be overwritten are stored in a special save area in the IPD.

When a patch is installed, by default it has the patch_state of applied. When the patch is committed (rollback files are removed) or it has been installed without saving rollback files, it has the state of committed. When the patch is superseded, the patch_state is set to superseded, and the superseded_by attribute is set to the software_specification of the superseding patch fileset.

If a patch is both committed and superseded, its patch_state is set to committed/superseded.

Installing Patches in Same Session as Base Product

If you select a non-patch fileset for installation and patch filesets for that base fileset exist in the same source depot, all applicable patches are selected by default as long as the autoselect_patches option is set to its default value of true. The following rules also apply:

Automatic patch software selections are filtered as defined by the patch_filter option.
If more than one patch for a base fileset exists, only the latest patches (i.e., those that are not superseded) will be automatically selected for installation, unless overridden by an explicit patch selection.
You can also explicitly specify patches on the command line. See “Explicitly Specifying Patches” for more information.

The following examples demonstrate the use of patch options on the command line. (Note that the autoselect_patches option is true by default.)

The example below shows the default behavior for patch installation. All patches in the depot that apply to the software being installed (in this case, X11) are selected by default:

swinstall -s sw_server X11

To select all applicable patches that include the category_tag of critical_patch and install them along with the selected software:

swinstall -s sw_server \ -x patch_filter="*.*,c=critical_patch" X11

The following example installs a product and an explicitly specified patch.

swinstall -s sw_server \ -x autoselect_patches=false X11 PHSS_12345

Installing Patches After Base Product Installation

When you want to install patches after installation of the base product, you can select the patches explicitly or by matching the installed software using the patch_match_target option, which automatically selects the latest patches for the software found on the target.

To select all patches in the depot that correspond to currently installed software:

swinstall -s sw_server -x patch_match_target=true

To select all patches in the depot that correspond to currently installed software and that contain the category_tag critical_patch:

swinstall -s sw_server -x patch_match_target=true \ -x patch_filter=" *.*,c=critical_patch"

Patch Filtering with Multiple Criteria

You can repeat a version qualifier (for AND criteria) and use the pipe symbol (|) within qualifiers (for OR criteria). This is consistent with the current level of expression support in POSIX standard software specifications.

To install any patches that have the category tag of critical AND the category tag of either special_release OR hardware_enablement.

swinstall -s sw_server -x patch_match_target=true \ -x patch_filter="*.*,c=critical,\ c=special_release|hardware_enablement"




	NOTE: Selecting software with the `\*` wildcard overrides patch filtering.

Explicitly Specifying Patches

You can explicitly specify and install a patch (without autoselection or matching the target) by specifying one or more operands for the software_specification within a command.

Explicit patch selections override any automatic patch selections. When SD automatically selects a patch (for example, with a value of true for the auto_select_patches option), it attempts to select the latest patch in the supersession chain unless some other patch in the chain is explicitly selected.

To explicitly install a patch:

swinstall PHCO_1234




	NOTE: Patch filtering does not apply to explicitly selected patches.

Installing Patches to Kernel and Library Files

To permit patching of kernel files or libraries (e.g. libc.a), SD uses an archive file type of a. When loading a file of type a, swinstall temporarily installs the .o file to the target path specified, integrates it into the archive specified by the archive_path attribute of the file, and then removes the .o file.

If patch rollback is enabled (see “Patch Removal, Rollback, and Committal”), the original .o file is automatically extracted first and saved so that it can be replaced. Disk Space Analysis is performed as needed to account for these operations.

Patch Load Order

If you install patch filesets and normal filesets in the same session, then each patch fileset is considered to have an implied prerequisite on the fileset that it is patching. For example, a product containing the patch fileset is installed (or copied into serial distributions) after installation of the one or more products that contain the patch's ancestors.

If a base fileset has the is_kernel attribute set to true, then the fileset patching it must also have the is_kernel attribute set to true to be installed in the kernel phase of the execution. Otherwise, the patch is installed along with other non-kernel filesets.

If a bundle contains both normal and patch filesets, the filesets are installed in their normal order except that any ancestor fileset must be installed before its patch or patches.

Updating Patched Software

Installation of a new version of a base fileset results in removal of all filesets that patch the base fileset that you are replacing, along with any files saved for potential rollback.

Installing Patches to Remote Systems

You can use the SD-UX remote operations features to install patches on multiple remote systems. (See Chapter 6 “Remote Operations Overview”.) You can explicitly select patches for multiple remote systems. Note, however, that the patch_match_target option works with only one remote system at a time.

Copying Patches

The swcopy command uses the autoselect_patches, patch_filter, and patch_match_target options in the same way that swinstall does, except that there is no filtering based on architecture (either 32-bit or 64-bit).

The following example copies X11 software from the default depot and copies all patches for this software at the same time. (Note that autoselect_patches is true by default.)

swcopy X11 @ hostA:/tmp/sw

The following example copies patches that match the base filesets that are already present in the target depot, and copies (at the same time and from the same depot) a filtered set of patches (which have a category_tag value of hardware_enablement) for the base software being copied. (Note that autoselect_patches is true by default.)

swcopy -x patch_filter="*.*,c=hardware_enablement" \ -x patch_match_target @ hostB:/tmp/newdepot

To copy all patches for the base filesets that are already present in the target depot, starting from a depot that contains patch and non-patch software:

swcopy -x patch_match_target=true \ @ hostC:/var/spool/sw

To copy a filtered set of patches for the base filesets that are already present in the target depot, starting from a depot that contains patches and that may contain non-patch software:

swcopy -x patch_match_target=true \ -x patch_filter="*.*,c=special_release" \ @ hostD:/var/spool/sw/sample.depot

Interactive Patch Management

The swinstall or swcopy GUI lets you perform interactive patch installation and copying. (See “Installing with the GUI” and “Using the swcopy GUI”.)

The Manage Patch Selection... option in the Actions menu opens the Manage Patch Selection dialog. This dialog lets you:

Select from a list of patches available to install or copy.
Select filters for patches.
Set other patch options.

Figure 5-1 Manage Patch Selection Dialog

The main object list contains a read-only list of available patch categories. The list contains the name of the category and a short description. You can use the list as an aid to selecting and filtering patches. The following options are also available:

Include patches with selected (marked) software from the source
Sets the autoselect_patches option. (Default is true.)
Automatically select patches for existing software on the target
Sets the patch_match_target option. (Default is false.)
Filter (button and specification field)
Click on the Filter button to display a list of example filters that you can select from. (To change the filters in the list, see “Editing the Patch Filter List”.)
This field sets the patch_filter option, which lets you specify a filter for automatic patch selection. Patches for software to be installed or copied are automatically marked as you enter the analysis phase. Only patches that match the filter criteria are marked.

You can also set Save files replaced by patch for later rollback in the Options menu. This sets the patch_save_files option. (The default is true.)

See “Command Options” in this chapter for more information on patch options.




	NOTE: As with all system options, the patch management options revert to their default values at the next session unless you save and re-use the session information. See “Session Files” for more information.

Editing the Patch Filter List

You can change the default list of patch filters displayed by the swinstall and swcopy GUI. The list is stored in:

/var/adm/sw/defaults.patchfilters
The system-wide default list of patch filters.
$HOME/.swdefaults.patchfilters
The user-specific default list of patch filters.

The list of patch filters is enclosed in braces {} and separated by white space (blank, tab, or newline). For example:

swinstall.patch_filter_choices={
*.*,c=enhancement
*.*,c=critical
}
swcopy.patch_filter_choices={
*.*,c=halts_system
}

Listing Patches

Software objects with the is_patch attribute set to true have the built-in, reserved category of patch. This lets you list available patches and patches with a certain name.

You can also list patches with the swlist GUI (invoked by swlist -i).

For example, to list all products and bundles in a depot that have the is_patch attribute set to true:

swlist -d -l product -l bundle *,c=patch

...
PHSS_15851  1.0  Xserver cumulative patch
PHSS_16482  1.0  CDE Localization for UTF8 locales
PHSS_16587  1.0  HP aC++ runtime libraries
...

You can list the patches that have been installed for a given base software product or fileset using the -l patch option.

For example, to list the patches applied to the X11.X11R6-SHLIBS fileset:

swlist -l patch X11.X11R6-SHLIBS

# X11.X11R6-SHLIBS B.11.00 X11R6 shared libraries
PHSS_15840.X11R6-SHLIBS 1.0 X11.X11R6-SHLIBS applied
PHSS_17422.X11R6-SHLIBS 1.0 X11R6 shared libraries 
applied

You can list the products and filesets to which a patch applies by listing the ancestor attribute. You can generate a list of patches that a given patch superseded by listing the supersedes attribute of the patch fileset.

By default, swlist will only show the latest patches installed on a system (i.e., those patches that have not been superseded). To list superseded patches, set the show_superseded_patches option to true:

swlist -x show_superseded_patches=true

Listing Available Patch Categories

You can use the -l category specification to list the categories of available patches for patches that are defined with category objects.

To list the categories defined for patches in the depot mounted at /CD:

swlist -d -l category @ /CD

critical_patch           Patches that fix system
hangsdefect_repair       Provide defect repair
hardware_enablement     Patches enabling new hardware

To list a particular attribute of a category object identified by the tag critical_patch:

swlist -a description -l category critical_patch

Using swlist to Resolve Manual Dependencies

Some patches cannot automatically resolve their own dependencies. HP-UX patch creation tools mark such patches with a generated tag called manual_dependencies. This tag can help you find patches with unresolved dependencies, for example:

swlist -l product *,c=manual_dependencies

This command lists all patches on your system that need manual resolution of dependencies. To identify the dependencies, list the readme attribute for each patch. For example, you could redirect the output of the above command to a file, then use the file to list the readme information for each patch:

swlist -l product -a readme *,c=manual_dependencies

Patch Removal, Rollback, and Committal

To permit future rollback of a patch, use the patch_save_files option. This option (set to true by default) automatically saves any files replaced by a patch. You can then restore the original files if you later decide to remove the patch.

For example,

swinstall -s sw_server -x patch_save_files=true

Rollback files are saved to the directory:

/var/adm/sw/save/new_patch_name/fileset_name

These rules govern patch removal and rollback:

Using swremove to remove the base fileset of a patch fileset also removes all patches to that fileset.
Files saved for rollback are also removed when the base fileset to which they apply is updated or removed from the system.
Removal of a patch automatically rolls back the saved files, unless:
- You set the patch_save_files option to false at the time you installed the patches.
- You also remove or update the base fileset.
- You performed a swmodify operation on the patch with the patch_commit option set to true.
You cannot roll back an installed patch that has been superseded unless you first roll back the superseding patch.
SD performs disk space analysis (DSA) on the save area in the same way it performs DSA on regular file locations.

To save disk space when you are certain a patch operates correctly, you may wish to commit the patch by removing the rollback files saved by the patch_save_files option.

To commit a patch, invoke swmodify on the patch with the
-x patch_commit=true option. (The default value is false.)

For example, to commit the patch PHKL_1234 and remove its corresponding rollback files:

swmodify -x patch_commit=true PHLK_1234




	NOTE: NOTE: When you commit a patch and remove its rollback files, all patches that are superseded by this patch are also committed.

Verifying Patches

The swverify operation on a normal fileset checks that the latest files are properly installed. When installing a patch, the ancestor fileset is updated to have the correct attributes of the patched files.

SD verifies patch filesets by checking that files in a patch are still properly installed (or in the depot correctly).

swverify PHCO_1234

swverify *,c=patch