HP UX Patch Management Proactive patching strategy, Acquiring patches for proactive patching


Proactive patching strategy

The goal of a proactive patching strategy is problem prevention. Many patches that provide defect fixes are released long before you need them on your system. The crux of proactive patching is identifying these patches and applying them in a safe manner. By definition, your starting point for proactive patching should be a system you believe to be functioning normally. Most proactive patching can be scheduled and carefully controlled. This is one of the benefits of this approach. To automate the process of identifying and selecting patches, see Chapter 8: “Using HP-UX Software Assistant for patch management” (page 85). To reduce the downtime required to perform proactive maintenance, see Chapter 9: “Using Dynamic Root Disk for patch management” (page 86).

As compared with the reactive patching strategy (see the following section), proactive patching generally creates more system change and requires regularly scheduled patch installation maintenance windows. Although the system down time associated with patch installation is a disadvantage of proactive patching, HP highly recommends proactive patching as the strategy of choice.

The following benefits can be achieved by implementing a proactive patch management strategy:

Problem avoidance

Reduced risk

Reduced unplanned down time

Enhanced functionality and tools

Increased time for testing

Because proactive patching involves installation of patches before a problem occurs, this strategy allows more time to complete sufficient testing than does reactive patching. For a flow chart of the high-level steps suggested for proactive patching, see Appendix A (page 94).

Acquiring patches for proactive patching

Although patching is not a one-size-fits-all process, the following generic recommended strategy embodies many of our customers' best practices:

1. Identify the patches to acquire. You can identify and track these on an ongoing basis, or you can engage in patch analysis that targets a specific proactive patching cycle.

2. Acquire the latest Quality Pack (QPK) patch bundle and, if you are planning any hardware changes, the latest Hardware Enablement (HWE) patch bundle.

3. Determine whether the patches included in the standard HP-UX patch bundles cover your entire list of identified patches. Use the ITRC Patch Database to acquire any missing patches.

4. Scan the patches for warnings and run the HP-UX Software Assistant Tool.

5. Create one depot for the acquired patches and copy them into it. You can choose to copy the latest Operating Environment (OE) products to the depot.

6. Test the depot content.

7. Create a deployment plan and roll out the new depot within your maintenance window.
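
The coverage check in step 3, as an added example that is not part of the HP guide: a POSIX shell function that compares a saved `swlist -d -l product @ <depot>` listing with your list of identified patches and follows supersession, so that a newer patch in the bundle counts as coverage. The patch IDs, file names, and the `NEW OLD...` supersession map format are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the HP guide): step 3 coverage check.
# All patch IDs and file contents below are constructed samples.

# missing_patches WANTED LISTING [SUPERSEDES]
#   WANTED     one identified patch ID per line
#   LISTING    saved output of: swlist -d -l product @ <depot>
#   SUPERSEDES optional map, hypothetical format: "NEW OLD [OLD...]" per line
missing_patches() {
    awk '
        /^#/ || $1 !~ /^PH(CO|KL|NE|SS)_[0-9]+$/ { next }  # skip headers, non-patches
        src == "depot" { have[$1] = 1 }
        src == "sup"   { for (i = 2; i <= NF; i++) succ[$i] = $1 }
        src == "want"  {
            id = $1; hops = 0
            # Follow the supersession chain until a patch in the depot is found.
            while (!(id in have) && (id in succ) && hops++ < 100) id = succ[id]
            if (id in have) print "COVERED", $1, "by", id
            else            print "MISSING", $1
        }
    ' src=depot "$2" src=sup "${3:-/dev/null}" src=want "$1"
}

# Write constructed sample inputs into directory $1.
write_samples() {
    printf '%s\n' PHCO_90001 PHKL_90002 PHSS_90003 PHNE_90004 > "$1/wanted.txt"
    cat > "$1/listing.txt" <<'EOF'
# Initializing...
# Target:  depotsrv:/depot/qpk
#
  PHCO_90001    1.0    constructed: command patch
  PHKL_90012    1.0    constructed: kernel patch
  PHSS_90030    1.0    constructed: subsystem patch
EOF
    cat > "$1/supersedes.txt" <<'EOF'
PHKL_90012 PHKL_90007
PHKL_90007 PHKL_90002
PHSS_90031 PHSS_90003
EOF
}

demo() {
    d=${TMPDIR:-/tmp}/patchcheck.$$
    mkdir "$d" && write_samples "$d" &&
    missing_patches "$d/wanted.txt" "$d/listing.txt" "$d/supersedes.txt"
    rm -rf "$d"
}
demo
```

Every `MISSING` line is a patch to acquire individually before building the depot in step 5.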

The following details apply to acquiring the latest QPK and HWE patch bundles:

The QPK patch bundle is an excellent vehicle for proactive patching and was created for this purpose. The HWE patch bundle contains patches required by new hardware products that HP has released. To enable or pre-enable support for new hardware, you should select this bundle. New HP-UX core enhancements are introduced as part of the Software Pack
