HP World 2005 Real Life HP-UX Patching Strategies


Steven E Protter

Senior Systems Administrator

I.S.N. Corporation

HP-UX Patching: Outline
  • Presenter information
    • Qualifications and experience.
    • Warning !!
    • How I got here.
HP-UX Patching: Outline
  • Patching Philosophy
    • If it isn’t broke, don’t fix it (A real life mess)
    • Generally Accepted principles
    • Three Star approach
    • Explanation of the star system
    • Security concerns
    • No strategy fits all
HP-UX Patching: Outline
  • What is a patch?
    • Why a systems administrator should care
    • The depot file
    • What might be in a patch
HP-UX Patching: Outline
  • Where to get a patch
    • Support Plus CD
    • ITRC patch database
    • Custom designed by HP
HP-UX Patching: Outline
  • Tools to help with patching
    • security_patch_check
    • Custom Patch Manager (CPM)
    • ITRC forums
    • Building a bundle in the ITRC patch database.
HP-UX Patching: Outline
  • Building a custom patch library
    • Including patches to cut # of boots
    • Including non-patch depot software
    • Removing superseded releases & patches.
    • A real life run through
Qualifications and Experience
  • 14 ½ Years at the Jewish United Fund
  • Software AG and Oracle DBA
  • A decade of systems administration experience
  • Survived an actual loss of data disaster.
  • Five years as a Linux systems administrator
HP-UX Patching: Warning
  • Today is August 14, 2005
  • My body has no idea what time zone it is in.
HP-UX Patching: How I got here
  • Left Tel Aviv August 2.
  • Drove from NY to San Francisco via the Grand Canyon.
  • Traveled over 7,000 miles to be here.
HP-UX Patching: Philosophy
  • If it isn’t broke, don’t fix it
    • HP-UX 11.00 rollout.
    • Recommended patches were not installed
    • Omniback II was unable to run Enterprise backups.
    • System had to be booted three times in prime time during the first day of production.
HP-UX Patching: Philosophy
  • If it isn’t broke, don’t fix it
    • This strategy cannot work.
    • HP-UX is too complex to not have patches.
    • It's not classroom theory, it's real life experience.
HP-UX Patching: Philosophy
  • If “If it isn’t broke, don’t fix it” was a valid strategy, we’d still have to get to work like this:
HP-UX Patching: Generalities
  • Immediately after a cold OS installation you install the following:
    • Diagnostics
    • Gold Base Depot (Core OS defects)
    • A Gold Applications bundle
    • Hardware enablement bundle.
    • Gold Quality Pack depot
HP-UX Patching: Extras
  • Immediately after the general installation:
    • Install security patches
    • Install patches required for the applications
    • Install patches to deal with real situations
    • Tune the kernel
HP-UX Patching: 3 Star approach
  • Only three star patches
    • Three star patches are widely tested and the least likely to have problems.
    • Caveat Patcher: Three star patches have been recalled.
    • Quarterly bundles are three star patches.
    • Some critical security patches are not three star patches. If you wait too long, you may incur the security problem.
HP-UX Patching: Star System
  • From Charles Keenan: HP-UX CSE
    • 1 Star: Functional testing by HP to verify that a patch fixes the problem it is supposed to fix. No unwanted side effects discovered.
    • 2 Star: Patch has been installed in a certain number of customer environments with no problems reported.
    • 3 Star: Patch has been stress- and performance-tested by HP in simulated customer mission-critical environments using common application stacks. Not all patches undergo this testing.
    • WARNING: patch contains warnings. You may still need to use it.
HP-UX Patching: Security!?
  • Your support contract may require you to install security patches.
  • Your continued employment may require you to install security patches.
  • Government regulation may require you to install security patches.
  • There are good tools to find out what security patches you need.
HP-UX Patching: No size fits all
  • You need a strategy that keeps your systems running smoothly.
  • You need a strategy that meets your organization's needs.
HP-UX Patching: JUF
  • Jewish United Fund has security concerns. When Homeland Security goes orange, we got regular security patrols.
  • $200 million in annual revenue depended on the HP-9000 servers.
HP-UX Patching: JUF
  • A third server was purchased for more thorough testing.
  • Quarterly bundles, applications, security patches and other priority patches were bundled and installed in the sandbox.
HP-UX Patching: JUF
  • 2-4 weeks in the sandbox. This box could be booted during business hours.
  • 2-4 weeks in the development (12 user) server. Bi-weekly maintenance.
  • 2-4 weeks of monitoring after release into production (200 users).
HP-UX Patching: JUF
  • Every Friday, whether there was work scheduled or not, a make_tape_recovery backup was made.
  • Copies of these backups went off site.
  • We regularly ran recovery tests on the sandbox.
“Ignite is Your Friend.”

Steven E Protter

Senior Systems Administrator,

I.S.N. Corporation

“Ignite is Free.”

Hewlett-Packard Corporation

HP-UX Patching
  • What is a patch?
    • A fix for an OS defect
    • Enable new hardware and software
    • Deliver new or enhanced functionality
    • Provide useful utilities

Charles Keenan: HP-UX CSE

HP-UX Patching
  • Patch naming convention
    • PHCO: A patch for commands and libraries
    • PHKL: A kernel patch (boot time!)
    • PHNE: Networking patch
    • PHSS: Other HP-UX subsystems.

Charles Keenan: HP-UX CSE

HP-UX Patching
  • Cool tricks and commands I
    • swlist -l product -a is_patch
    • Lists the patches
    • swlist -l product '*,c=patch' | more
    • swlist -l file PHCO_24630

Charles Keenan: HP-UX CSE

HP-UX Patching
  • Cool tricks and commands II
    • swlist -l fileset -a patch_state -x show_superseded_patches=true '*,c=patch' | more
  • Charles Keenan: HP-UX CSE
HP-UX Patching
  • Cool tricks and commands III
    • swlist -l patch -x show_superseded_patches=true OS-Core.CMDS-AUX
  • Charles Keenan: HP-UX CSE
HP-UX Patching
  • Cool tricks and commands V
    • swlist -l patch
    • swlist -l patch | grep -v ^\#
HP-UX Patching
  • Never do this:
    • The -q -qq option
    • These options tell the SD/UX program to ignore warnings and errors. This is such a bad thing someone else had to tell me what these options were. Never use them.
HP-UX Patching
  • Cool tricks and commands IV
    • cleanup -c 1 # commits patches, getting back /var space
    • cleanup -p -d # preview
    • cleanup -p -d /tmp/protter.depot # full path required
  • Steven E Protter via hp education or forums.itrc.hp.com & Bill Hassell
HP-UX Patching: Outline
  • Why a systems administrator should care:
    • Your system might stop working
    • You might want to take a vacation or day off
    • Because a lot of experienced Administrators say you should
HP-UX Patching: Where to get
  • ITRC Patch database
  • Quarterly patch bundles
  • Custom patches
  • ITRC Custom patch manager
HP-UX Patching: Building a patchset
  • http://itrc.hp.com
  • Click patch/firmware database
  • Click HP-UX Choose your patches
  • Select dependencies
  • Download
  • Ignite Backup and installation
HP-UX Patching: Download notes:
  • Individual patches are ascii; you must remember this when you ftp them from a PC.
  • Use sftp to get them from your PC to your HP-UX box to avoid ascii/binary heck….
  • zip, gzip or tar packages are binary.
  • A quick story about ascii/binary
HP-UX Patching: Real Life!!
  • While recovering from a complete loss of data, the development staff uploaded an ftp of their programs from one of the developers' C drives.
  • No Oracle applications would compile.
  • I was tired, but asked, “Are you sure you did the upload binary?” Answer: “Of course, I’ve been doing this for years.”
HP-UX Patching: Real Life!!
  • 20 man hours were invested.
  • An HP Support call was opened because nobody trusted the disk integrity.
  • An Oracle TAR was opened and escalated three times. They had us write a new simple program with the Motif GUI.
  • A light bulb went off over my head. Try the ftp again. I like good movies, can I watch?
  • Problem solved.
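
The ascii/binary damage described above stays silent until something fails to install or compile. As an added example (not part of the presentation), the script below records cksum values where the files were downloaded and checks them after each transfer hop; the function names and the constructed sample in demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the presentation. Function names are hypothetical.
# Build the manifest where the files were downloaded, carry it along, and
# verify after every hop before running swcopy or swinstall.

# make_manifest DIR: print "CRC SIZE NAME" (cksum format) for each file in DIR.
make_manifest() {
    ( cd "$1" || exit 1
      for f in *; do
          if [ -f "$f" ]; then cksum "$f"; fi
      done )
}

# verify_manifest MANIFEST DIR: compare the files in DIR against MANIFEST.
# Prints one line per problem file; returns 0 only if every file matches.
verify_manifest() {
    bad=0
    while read -r crc size name; do
        if [ ! -f "$2/$name" ]; then
            echo "MISSING $name"; bad=1; continue
        fi
        actual=$(cksum < "$2/$name" | awk '{print $1, $2}')
        if [ "$actual" = "$crc $size" ]; then continue; fi
        bad=1
        case "$actual" in
            *" $size") echo "CONTENT $name (same size, different bytes)" ;;
            *) echo "SIZE $name (was $size bytes; line-ending conversion?)" ;;
        esac
    done < "$1"
    return "$bad"
}

# demo: constructed sample. A file containing CR LF pairs is copied once
# intact and once with the CRs stripped, as a wrong-mode ftp transfer does.
demo() {
    t=${TMPDIR:-/tmp}/xfer_demo.$$
    mkdir "$t" "$t/src" "$t/dst" || return 2
    printf 'PK\003\004payload\r\nmore\r\n' > "$t/src/bundle.zip"
    printf 'plain text\n' > "$t/src/notes.txt"
    make_manifest "$t/src" > "$t/manifest"
    cp "$t/src/notes.txt" "$t/dst/"
    tr -d '\r' < "$t/src/bundle.zip" > "$t/dst/bundle.zip"
    rc=0; verify_manifest "$t/manifest" "$t/dst" || rc=$?
    rm -rf "$t"
    return "$rc"
}

[ "${1:-}" != demo ] || demo
```

Run it with the argument demo to see the constructed failure reported as a SIZE mismatch on bundle.zip.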
HP-UX Patching: Building a patchset
  • Why I like the ftp download option
    • Sometimes those zip downloads just stop
    • I can leave ftp to run and not worry about keeping a browser going
    • Gives me time for a snack or a nap
    • Gives me time for planning or backup
    • The bundle comes with a script to build a custom patch depot
HP-UX Patching: Patch Download Options
  • Run a browser on an HP-UX Box
    • Advantage: No binary/ascii problem.
    • Disadvantage: Management might not let you.
  • Snarf
    • Third party program can be run on one designated HP-UX box to gather patches for others.
    • Still, management might not let you do this.
HP-UX Patching: Patch Download Options
  • Have a patch box
    • A PC dedicated to the task or an old HP-UX box in the DMZ which would allow for ftp access. Disable or swremove unneeded services.
    • Make sure every transfer step on files ending in the extension .depot is ascii or the installation will fail.
HP-UX Patching: Building a patchset
  • security_patch_check
    • Originally released as a patch
    • Comes with Bastille
    • Mostly gives you patches you can find in the patch database
    • Makes me feel warm and fuzzy
HP-UX Patching: Building a patchset
  • CPM: Custom Patch Manager
    • A feature of itrc.hp.com
    • Comes with a usual script for patch and application inventory
    • Uploads system data for analysis
HP-UX Patching: Building a patchset
  • Quarterly Patch bundles
    • Advantage: Well tested, widely used. Not bleeding edge.
    • Advantage: Easy to sell to management
    • Disadvantage: Security, DP 5.x patches may not be included.
    • Some Oracle applications need two star patches.
HP-UX Patching: Real Life
  • Objectives
    • Deploy the maximum number of patches and software with the minimum number of system boots. Minimize downtime.
    • Remove patches from the patch set which are superseded.
    • Minimize disk space used for patches
    • Ensure we have a back-out plan.
HP-UX Patching: Real Life
  • Work Plan
    • make_tape_recovery (Ignite is my best friend)
    • security_patch_check
    • ITRC Patch database
    • Check www.hp.com/go/software
    • Prepare a large custom depot
HP-UX Patching: Real Life
  • Important points
    • Read the patch notes
    • Try to avoid using recalled patches
    • Have a backup plan
    • Test patches in a server that can tolerate down time.
HP-UX Patching: Real Life
  • Good Stuff
    • My depot is too big and contains patches that are superseded a few times, what to do?
    • cleanup -p -d # preview
    • cleanup -p
HP-UX Patching: Real Life
  • Example, my /home/spring.2005.depot
    • cd /home/spring.2005.depot
    • du -sk shows 2488634 KB (2.4 GB)
    • There are three versions of secure shell
    • cleanup -p
    • cleanup -p -d $PWD
HP-UX Patching: Real Life
  • Example, my /home/spring.2005.depot
    • cleanup -d $PWD
    • Did not clean up software depots; they need to be handled differently.
    • du -sk now reports: 2332936 KB (2.3 GB)
    • It's not a lot of space, but everything helps.
HP-UX Patching: Real Life
  • Cleaning up the installed software
    • This is a manual process.
    • cd /home/spring.2005.depot
    • swremove -d -x enforce_dependencies=true Secure_Shell @ $PWD
HP-UX Patching: Real Life
  • Cleaning up the installed software
    • swremove the unwanted software
    • swremove -d -x enforce_dependencies=true Secure_Shell,r=A.03.91.002 @ $PWD
    • swcopy the latest revision into the depot
HP-UX Patching: Real Life
  • Cleaning up and revising the installed software
    • swcopy the latest revision into the depot
    • cd /home/secsh (location is where you actually downloaded the depot)
    • swcopy -s ${PWD}/T1471AA_A.04.00.000_HP-UX_B.11.11_32+64.depot \* @ /home/spring.2005.depot
HP-UX Patching: Final stuff
  • How to set up a patch depot on an NFS share
    • Add the patch location to the /etc/exports configuration file
    • exportfs -av # verbose re-export of shares
    • cd /depot_location
    • swreg -l depot /depot_location/patch.depot
    • From remote machine:
    • swinstall -x autoreboot=true -s hostname:/depot_location/patch.depot \*
HP-UX Patching: Real Life
  • Done for today!!!!
HP-UX Patching: Real Life

Questions and hopefully answers

“Never be afraid to ask a question”

Steven E Protter

Senior Systems Administrator

I.S.N. Corporation
