HP World 2005 Real Life HP-UX Patching Strategies Steven E Protter Senior Systems Administrator I.S.N. Corporation
HP-UX Patching: Outline • Presenter information • Qualifications and experience. • Warning !! • How I got here.
HP-UX Patching: Outline • Patching Philosophy • If it isn’t broke, don’t fix it (A real life mess) • Generally Accepted principles • Three Star approach • Explanation of the star system • Security concerns • No strategy fits all
HP-UX Patching: Outline • What is a patch? • Why a systems administrator should care • The depot file • What might be in a patch
HP-UX Patching: Outline • Where to get a patch • Support Plus CD • ITRC patch database • Custom designed by HP
HP-UX Patching: Outline • Tools to help with patching • security_patch_check • Custom Patch Manager (CPM) • ITRC forums • Building a bundle in the ITRC patch database.
HP-UX Patching: Outline • Building a custom patch library • Including patches to cut # of boots • Including non-patch depot software • Removing superseded releases & patches. • A real life run through
Qualifications and Experience • 14 ½ years at the Jewish United Fund • Software AG and Oracle DBA • A decade of systems administration experience • Survived an actual loss-of-data disaster • Five years as a Linux systems administrator
HP-UX Patching: Warning • Today is August 14, 2005 • My body has no idea what time zone it is in.
HP-UX Patching: How I got here • Left Tel Aviv August 2. • Drove from NY to San Francisco via the Grand Canyon. • Traveled over 7,000 miles to be here.
HP-UX Patching: Philosophy • If it isn’t broke, don’t fix it • HP-UX 11.00 rollout. • Recommended patches were not installed • Omniback II was unable to run Enterprise backups. • System had to be booted three times in prime time during the first day of production.
HP-UX Patching: Philosophy • If it isn’t broke, don’t fix it • This strategy cannot work. • HP-UX is too complex to run without patches. • It’s not classroom theory, it’s real life experience.
HP-UX Patching: Philosophy • If “it isn’t broke, don’t fix it” were a valid strategy, we’d still have to get to work like this:
HP-UX Patching: Generalities • Immediately after a cold OS installation you install the following: • Diagnostics • Gold Base depot (core OS defects) • A Gold Applications bundle • Hardware enablement bundle • Gold Quality Pack depot
HP-UX Patching: Extras • Immediately after the general installation: • Install security patches • Install patches required for the applications • Install patches to deal with real situations • Tune the kernel
HP-UX Patching: 3 Star approach • Only three star patches • Three star patches are widely tested and the least likely to have problems. • Caveat Patcher: Three star patches have been recalled. • Quarterly bundles are three star patches. • Some critical security patches are not three star patches. If you wait too long, you may incur the security problem.
HP-UX Patching: Star System • From Charles Keenan: HP-UX CSE • 1 Star: Functional testing by HP to verify that a patch fixes the problem it is supposed to fix. No unwanted side effects discovered. • 2 Star: Patch has been installed in a certain number of customer environments with no problems reported. • 3 Star: Patch has been stress- and performance-tested by HP in simulated customer mission-critical environments using common application stacks. Not all patches undergo this testing. • WARNING: the patch carries warnings. You may still need to use it.
HP-UX Patching: Security!? • Your support contract may require you to install security patches. • Your continued employment may require you to install security patches. • Government regulation may require you to install security patches. • There are good tools to find out what security patches you need.
HP-UX Patching: No size fits all • You need a strategy that keeps your systems running smoothly. • You need a strategy that meets your organization’s needs.
HP-UX Patching: JUF • Jewish United Fund has security concerns. When Homeland Security went to orange, we got regular security patrols. • $200 million in annual revenue depended on the HP 9000 servers.
HP-UX Patching: JUF • A third server was purchased for more thorough testing. • Quarterly bundles, applications, security patches and other priority patches were bundled and installed in the sandbox.
HP-UX Patching: JUF • 2-4 weeks in the sandbox. This box could be booted during business hours. • 2-4 weeks in the development (12-user) server. Bi-weekly maintenance. • 2-4 weeks of monitoring after release into production (200 users).
HP-UX Patching: JUF • Every Friday, whether there was work scheduled or not, a make_tape_recovery backup was made. • Copies of these backups went off site. • We regularly ran recovery tests on the sandbox.
“Ignite is Your Friend.” Steven E Protter Senior Systems Administrator, I.S.N. Corporation
“Ignite is Free.” Hewlett-Packard Corporation
HP-UX Patching • What is a patch? • A fix for an OS defect • Enable new hardware and software • Deliver new or enhanced functionality • Provide useful utilities Charles Keenan: HP-UX CSE
HP-UX Patching • Patch naming convention • PHCO: A patch for commands and libraries • PHKL: A kernel patch (boot time!) • PHNE: Networking patch • PHSS: Other HP-UX subsystems. Charles Keenan: HP-UX CSE
HP-UX Patching • Cool tricks and commands I • swlist -l product -a is_patch • Lists the patches • swlist -l product '*,c=patch' | more • swlist -l file PHCO_24630 Charles Keenan: HP-UX CSE
HP-UX Patching • Cool tricks and commands II • swlist -l fileset -a patch_state -x show_superseded_patches=true '*,c=patch' | more Charles Keenan: HP-UX CSE
HP-UX Patching • Cool tricks and commands III • swlist -l patch -x show_superseded_patches=true OS-Core.CMDS-AUX Charles Keenan: HP-UX CSE
HP-UX Patching • Cool tricks and commands V • swlist -l patch • swlist -l patch | grep -v '^#'
HP-UX Patching • Never do this: • The -q and -qq options • These options tell the SD/UX program to ignore warnings and errors. This is such a bad thing that someone else had to tell me what these options were. Never use them.
HP-UX Patching • Cool tricks and commands IV • cleanup -c 1 # commits patches, getting back /var space • cleanup -p -d <depot.name> # preview • cleanup -p -d /tmp/protter.depot # full path required • Steven E Protter via HP education or forums.itrc.hp.com & Bill Hassell
HP-UX Patching: Outline • Why a systems administrator should care: • Your system might stop working • You might want to take a vacation or day off • Because a lot of experienced Administrators say you should
HP-UX Patching: Where to get • ITRC Patch database • Quarterly patch bundles • Custom patches • ITRC Custom patch manager
HP-UX Patching: Building a patchset • http://itrc.hp.com • Click patch/firmware database • Click HP-UX • Choose your patches • Select dependencies • Download • Ignite backup and installation
HP-UX Patching: Download notes: • Individual patches are ASCII; you must remember this when you ftp them from a PC. • Use sftp to get them from your PC to your HP-UX box to avoid ASCII/binary heck. • zip, gzip or tar packages are binary. • A quick story about ASCII/binary
HP-UX Patching: Real Life!! • While recovering from a complete loss of data, the development staff uploaded their programs by ftp from one of the developers’ C drives. • No Oracle applications would compile. • I was tired, but asked: are you sure you did the upload in binary? Answer: Of course, I’ve been doing this for years.
HP-UX Patching: Real Life!! • 20 man-hours were invested. • An HP support call was opened because nobody trusted the disk integrity. • An Oracle TAR was opened and escalated three times. They had us write a new simple program with the Motif GUI. • A light bulb went off over my head. Try the ftp again. I like good movies, can I watch? • Problem solved.
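The ASCII/binary problem from the story above, as an added example that is not from the presentation: a small POSIX sh check that flags CRLF-converted patch files and truncated or damaged gzip bundles before they are handed to swinstall. The MANIFEST format, the file names and the sizes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the presentation: check patch files moved through a PC
# by FTP/SFTP for the ASCII/binary mistakes described above, before swinstall
# sees them. Assumes a MANIFEST of published "name size" lines and gzip on PATH.
# 0 if FILE holds a carriage return (0x0d): individual patches are LF-only text,
# so any CR means a Windows client sent them in ASCII mode.
has_cr() { [ "$(tr -d '\r' < "$1" | wc -c)" -ne "$(wc -c < "$1")" ]; }
# 0 if FILE is exactly EXPECTED bytes. ASCII mode adds one byte per line
# (LF -> CRLF); a download that "just stopped" leaves the file short.
size_ok() { [ "$(wc -c < "$1")" -eq "$2" ]; }
# 0 if a gzip'd bundle decompresses cleanly. A CR test would be wrong on
# binary data, which may legitimately contain 0x0d.
gzip_ok() { gzip -t "$1" 2>/dev/null; }
# Verdict for one file: 0 = safe to install, 1 = suspect (reason printed).
check_transfer() {
    file=$1; expected=$2
    if ! size_ok "$file" "$expected"; then
        echo "$file: $(wc -c < "$file") bytes, expected $expected"; return 1
    fi
    case "$file" in *.gz|*.tgz) kind=gzip ;; *) kind=text ;; esac
    if [ "$kind" = gzip ] && ! gzip_ok "$file"; then
        echo "$file: gzip integrity check failed"; return 1
    fi
    if [ "$kind" = text ] && has_cr "$file"; then
        echo "$file: CR bytes found (ASCII-mode transfer from a PC?)"; return 1
    fi
    echo "$file: OK"
}
# Constructed demo: an LF-only "patch", the same text after CRLF conversion,
# a good gzip bundle and a truncated one. Returns the number of suspect files.
demo() {
    d=$(mktemp -d); bad=0
    printf 'patch line one\npatch line two\n' > "$d/PHCO_demo"           # 30 bytes
    awk '{ printf "%s\r\n", $0 }' "$d/PHCO_demo" > "$d/PHCO_demo.crlf"   # 32 bytes
    printf 'bundle\n' | gzip -c > "$d/bundle.tgz"
    head -c 8 "$d/bundle.tgz" > "$d/short.tgz"
    # Published sizes; the CRLF entry gets its real size so only the CR test catches it.
    printf 'PHCO_demo 30\nPHCO_demo.crlf 32\nbundle.tgz %s\nshort.tgz 8\n' \
        "$(wc -c < "$d/bundle.tgz")" > "$d/MANIFEST"
    while read -r name size; do
        check_transfer "$d/$name" "$size" || bad=$((bad + 1))
    done < "$d/MANIFEST"
    rm -rf "$d"
    return "$bad"
}
demo; echo "suspect files: $?"
```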
HP-UX Patching: Building a patchset • Why I like the ftp download option • Sometimes those zip downloads just stop • I can leave ftp to run and not worry about keeping a browser going • Gives me time for a snack or a nap • Gives me time for planning or backup • The bundle comes with a script to build a custom patch depot