SAGE - Sage feature


ToolMan Meets PatchReport


ToolMan by Daniel E. Singer
<des@cs.duke.edu>

Dan has been doing a mix of programming and systems administration for 13 years. He is currently a systems administrator in the Duke University Department of Computer Science in Durham, North Carolina, USA.

Warning: This issue's ToolMan is highly platform specific and hard-core sysadmin. If you don't run and maintain Sun Solaris systems, you might wish to move on.

Boring Technical Stuff

OK, now that everyone else has gone away, we can get down to business. As you know, one of the very tedious aspects of maintaining computer systems is keeping them up to date via application of OS patches. This process breaks down into basically three phases: (1) identifying patches that are needed, (2) downloading patches, and (3) installing patches. You know how much fun this isn't. The process is tedious, time-consuming, error prone, and boring. But I'll show you a program that can accomplish all of this and more in one single, solitary command line.

Background

In our department, a medium-sized site, we have (among other systems) about 150 computers running SPARC and x86 Solaris (SunOS 5.5, 5.5.1, and 5.6). These all need occasional patch updates, either to fix some identifiable problem or because, well, it's just that time. Sun makes these rueful patch update tasks more bearable in a few ways. (1) They supply a nice Web site from which most patches can be downloaded, whether or not you have a support contract (though if you have the contract, you get a few extra bennies). (2) They also supply a handy program, patchdiag, which will analyze your system and tell you which patches could be applied. And (3) they supply some useful tools for applying and maintaining patches on your system, namely installpatch, showrev, and, for Solaris 2.6, patchadd.

But there are some problems with going through this procedure. One is the overhead of running patchdiag itself: you must connect to the SunSolve site (<http://sunsolve.sun.com> or <ftp://sunsolve.sun.com>) using your support ID and password, and download the latest copy of the patchdiag.xref patch database file and possibly a current copy of the patchdiag program. Since the xref database is refreshed as new patches appear, this is a recurring chore, not a one-time setup. Then there are some deficiencies with the patchdiag output (see Listing 1).



As you can see, the patches are listed in three sections: Installed, Recommended, and Security. This layout is not very clear, because there is overlap between the Recommended and Security sections that makes it difficult to decide which patches to install. You cannot easily see, for instance, which patches are both Recommended and Security without doing a lot of tedious cross-referencing. Additionally, if a patch is already installed and an update is available (Installed section), there is no indication as to whether such a patch is Recommended or Security or both. And even if these were not problems, you still have to go through the rigmarole of downloading the patches and running the installations. If you need to do this for multiple OS releases on multiple hardware architectures, it becomes easy to let this slip down to a lower spot on your priority list. This is quite unfortunate when, for example, the machines in question are Internet-connected computers needing security patches!

A Break in the Clouds

One of my co-workers, Joe Shamblin, is our OS and security guru and is generally the one burdened with the chore of keeping our systems up-to-date with the latest patches. He has brilliantly automated and simplified this odious task.

Joe created, and regularly employs, a not-so-trivial Perl script called PatchReport, so named because in its initial incarnation its sole function was to produce a report à la patchdiag, but with two improvements: it automatically downloaded the xref file, and it provided a more usable, consolidated report. The table produced by PatchReport combines the information from all three sections of the patchdiag report, indicating in a single line for each patch if it is Recommended, Security, and/or if a prior version is already installed. This makes it much easier to scan the list and decide which patches are appropriate for your system.
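To make the consolidation step concrete, here is an added example (written here in Python for this column, not PatchReport's own Perl code) that folds a three-section patchdiag-style report into one line per patch and picks out the patches that are missing or back-level. The section layout, column widths and patch IDs in SAMPLE_REPORT are constructed for the example; the real patchdiag output may lay its columns out differently, so the regexes are the part you would adjust.

```python
"""Consolidate a three-section patchdiag-style report into one line per patch.

Added example, not PatchReport's own code. The input layout below is a
constructed, simplified rendering of patchdiag's Installed / Recommended /
Security sections; adjust the regexes to match the output you actually get.
Patch IDs are synthetic, in the Solaris NNNNNN-RR form.
"""
import re

# Constructed sample report (synthetic patch IDs and synopses).
SAMPLE_REPORT = """\
INSTALLED PATCHES (newer revision available)
Patch    Installed  Latest  Synopsis
100001   01         03      SunOS 5.6: kernel update
100002   02         04      SunOS 5.6: sendmail patch
100003   09         10      SunOS 5.6: libc patch

RECOMMENDED PATCHES
100001-03  SunOS 5.6: kernel update
100004-05  SunOS 5.6: nfs patch
100005-01  SunOS 5.6: ufsdump patch

SECURITY PATCHES
100002-04  SunOS 5.6: sendmail patch
100004-05  SunOS 5.6: nfs patch
100006-02  SunOS 5.6: in.ftpd patch
"""

SECTION_RE = re.compile(r'^(INSTALLED|RECOMMENDED|SECURITY) PATCHES')
INSTALLED_RE = re.compile(r'^(\d{6})\s+(\d{2})\s+(\d{2})\s+(.*\S)\s*$')
LISTED_RE = re.compile(r'^(\d{6})-(\d{2})\s+(.*\S)\s*$')


def _new_entry(synopsis):
    return {'installed': None, 'latest': 0, 'rec': False, 'sec': False,
            'synopsis': synopsis}


def parse_patchdiag(text):
    """Return {base_id: {installed, latest, rec, sec, synopsis}}.

    Revisions are kept as ints so that 09 < 10 compares numerically."""
    patches = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or not line.strip():
            continue
        if section == 'INSTALLED':
            m = INSTALLED_RE.match(line)
            if m is None:
                continue          # column header line
            base, inst, latest, syn = m.groups()
            entry = patches.setdefault(base, _new_entry(syn))
            entry['installed'] = int(inst)
            entry['latest'] = max(entry['latest'], int(latest))
        else:
            m = LISTED_RE.match(line)
            if m is None:
                continue
            base, rev, syn = m.groups()
            entry = patches.setdefault(base, _new_entry(syn))
            entry['latest'] = max(entry['latest'], int(rev))
            entry['rec' if section == 'RECOMMENDED' else 'sec'] = True
    return patches


def select_patches(patches, security_only=False):
    """Patch IDs that are absent or back-level, as 'base-rev' strings.

    Everything in the report is a candidate (patchdiag only lists patches
    that are missing or out of date); security_only narrows the pick to
    the Security column, which is what you want for a quick emergency pass."""
    wanted = []
    for base in sorted(patches):
        p = patches[base]
        if security_only and not p['sec']:
            continue
        if p['installed'] is None or p['installed'] < p['latest']:
            wanted.append('%s-%02d' % (base, p['latest']))
    return wanted


def render_table(patches):
    """One line per patch: R/S flags plus installed and latest revision."""
    lines = ['Patch      R S  Inst Lat  Synopsis']
    for base in sorted(patches):
        p = patches[base]
        inst = '%02d' % p['installed'] if p['installed'] is not None else '--'
        lines.append('%s-%02d  %s %s  %s   %02d   %s' % (
            base, p['latest'],
            'R' if p['rec'] else '.',
            'S' if p['sec'] else '.',
            inst, p['latest'], p['synopsis']))
    return '\n'.join(lines)


if __name__ == '__main__':
    report = parse_patchdiag(SAMPLE_REPORT)
    print(render_table(report))
    print('security-only pick:', ' '.join(select_patches(report, security_only=True)))
```

The one design point worth copying is that a patch appearing in both the Recommended and Security sections collapses to a single row with both flags set, and a patch that is installed but back-level keeps its installed revision beside the latest one, so the two decisions the column complains about (is it both? is my copy old?) are answered by reading one line.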

But PatchReport has evolved into a full-fledged patch analyzer (the report), downloader, and installer. As noted earlier, it can accomplish all of this and leave a Solaris system completely up to date via a single command. Invoked with the appropriate options, PatchReport will: connect to the SunSolve site, download the patchdiag.xref and CHECKSUMS files, analyze the patches currently on your system and produce a report, download the selected patches, check their MD5 checksums against CHECKSUMS, and install them. You can even tell it to shut down and reboot the system when it's done! Listing 2 shows an example of a PatchReport run.
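The checksum step is the one you do not want to skip, and it is also the one that is easy to get subtly wrong (installing a file that is present but has no reference sum, for example). Here is an added example, again in Python and not PatchReport's own code, that verifies a set of downloaded archives against a CHECKSUMS file and only passes the ones that match on to the installer. It assumes archives are named <patch-id>.tar.Z and that each CHECKSUMS line reads '<32 hex MD5>  <file name>'; the real SunSolve layout may differ, so CHECKSUM_LINE is the thing to adjust. The download directory and its contents are constructed inside demo().

```python
"""Verify downloaded patch archives against a CHECKSUMS file before install.

Added example, not PatchReport's own code. Assumptions: archives are named
<patch-id>.tar.Z, and each CHECKSUMS line is '<32 hex MD5>  <file name>';
the real SunSolve CHECKSUMS layout may differ, so adjust CHECKSUM_LINE.
"""
import hashlib
import os
import re
import tempfile

CHECKSUM_LINE = re.compile(r'^([0-9a-fA-F]{32})\s+(\S+)\s*$')


def parse_checksums(text):
    """Map archive file name -> expected MD5 hex digest (lower-case)."""
    sums = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def md5_of_file(path):
    """Stream the file through MD5; patch archives can be tens of MB."""
    h = hashlib.md5()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(checksums_text, download_dir, wanted):
    """Classify each wanted patch id as 'ok', 'mismatch', 'missing' (no such
    file) or 'unlisted' (present but with no reference sum, so unverifiable).
    Only 'ok' entries should be handed to patchadd/installpatch."""
    sums = parse_checksums(checksums_text)
    status = {}
    for patch_id in wanted:
        fname = patch_id + '.tar.Z'
        path = os.path.join(download_dir, fname)
        if not os.path.isfile(path):
            status[patch_id] = 'missing'
        elif fname not in sums:
            status[patch_id] = 'unlisted'
        elif md5_of_file(path) == sums[fname]:
            status[patch_id] = 'ok'
        else:
            status[patch_id] = 'mismatch'
    return status


def installable(status):
    """Patch ids, in order, that passed verification."""
    return [p for p in sorted(status) if status[p] == 'ok']


def demo():
    """Populate a constructed download directory: one archive that matches
    CHECKSUMS, one corrupt/tampered one, one with no CHECKSUMS entry, and
    one that was never downloaded. Returns the status map."""
    good = b'constructed archive bytes standing in for 100001-03.tar.Z'
    bad = b'constructed bytes that differ from what CHECKSUMS expects'
    unlisted = b'constructed archive with no CHECKSUMS entry'
    checksums = '\n'.join([
        '%s  100001-03.tar.Z' % hashlib.md5(good).hexdigest(),
        '%s  100002-04.tar.Z' % hashlib.md5(b'the archive SunSolve published').hexdigest(),
    ])
    with tempfile.TemporaryDirectory() as d:
        for name, data in (('100001-03.tar.Z', good),
                           ('100002-04.tar.Z', bad),
                           ('100003-10.tar.Z', unlisted)):
            with open(os.path.join(d, name), 'wb') as f:
                f.write(data)
        return verify_downloads(checksums, d,
                                ['100001-03', '100002-04', '100003-10', '100004-05'])


if __name__ == '__main__':
    result = demo()
    for pid in sorted(result):
        print(pid, result[pid])
    print('install:', ' '.join(installable(result)))
```

Two caveats a practitioner would want. First, treat 'unlisted' as a failure, not a pass: an archive with no reference sum cannot be verified, and quietly installing it defeats the purpose of fetching CHECKSUMS at all. Second, an MD5 match is only as trustworthy as the channel the CHECKSUMS file came over; it will catch a truncated or corrupted download and a wrong file, but if both the archive and CHECKSUMS are fetched from the same untrusted path, a substituted pair will match each other. Fetching CHECKSUMS from SunSolve under your support login, as PatchReport does, is what gives the comparison its value.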



By the way, if PatchReport finds that your system is completely up to date, well, you'll just have to find out for yourself what happens.

You can also use PatchReport in conjunction with Sun's JumpStart suite (used to install new systems). PatchReport can download appropriate patches to a directory. Then JumpStart can be configured to install these patches to the OS during the initial installation. Alternatively, JumpStart could be configured to call PatchReport directly.

PatchReport is written for Solaris and not extended to other operating systems because Sun has a very open and well-documented patch system that makes programs like patchdiag and PatchReport possible. Other vendors, please take note.

Closing Remarks

To paraphrase someone who was paraphrasing Dave Barry, systems administration consumes time like Dave Barry's dog gobbles taco chips. If your job involves installing, maintaining, and updating Solaris-based systems, here's a power tool that can save you hours at a pop. But you better hurry and pick up a copy before SprintNet goes down again! To paraphrase another sage, "you snooze, you looze."


Program: PatchReport
Abstract: analyze system, download and install patches
Platforms: Solaris 2.x (SunOS 5.x)
Language: Perl 5.002+, with modules libnet, Data-Dumper, MD5, and IO
Author: Joe Shamblin <wjs@cs.duke.edu>
Availability: <http://www.cs.duke.edu/~wjs/pr.html>
              <ftp://x86.cs.duke.edu/pub/PatchReport/index.html>

Features are still being added, so check for updates!


Last changed: 11 December 1997 des