topic Re: Methods and Views on Patching in Operating System - HP-UX

Methods and Views on Patching

steven Burgess_2 — Fri, 28 Mar 2003 09:30:59 GMT

Hi all

I would like to open a question about patching.

1. How often do you patch your HPUX servers ?

2. Do you have custom bundles per server or apply one standard bundle then relevent patches per server

3. How many use the custom patch manager ?

4. What method do you use of applying your patches to multiple servers (ignite etc)

5. When you apply your patches do you investigate each individual patch to understand exactly what it's doing

6. With regard to pro active patching, how do you present this to the business

7. Who's job is it to test the patch before it goes in

Any more views and thoughts appreciated

Thanks in advance

Steve

Re: Methods and Views on Patching

Steve Steel — Fri, 28 Mar 2003 09:41:31 GMT

Hi

Look at

http://www.software.hp.com/SUPPORT_PLUS/

http://www.software.hp.com/SUPPORT_PLUS/faq.html

http://www.software.hp.com/SUPPORT_PLUS/info.html

Will answer all your questions

Steve Steel

Re: Methods and Views on Patching

Donald Kok — Fri, 28 Mar 2003 09:45:21 GMT

Hi Steve,

1. I patch when there is need to. I don't fix something that ain't broken.
2. If needed, I the support CD, or specific (newer) patches from the net.
3. Do not use it.
4. Do not have much servers, so I do them one by one.
5. No.
6. Do not do pro-active patching. Sometimes patches are redrawn, I never want to have had these patches.
7. HP! Patches goes to opeational machines immediately.

Donald

Re: Methods and Views on Patching

Robert-Jan Goossens — Fri, 28 Mar 2003 10:12:47 GMT

Hi Steve,

I'm going to ansew for both HPUX and Solaris,

-1- Twice a year

-2- Custom patch bundles and relevent patches for each server.

-3- I use the custom patch manager to check for extra patches.

-4- Install them for every server.

-5- I investigate every single patch.

-6- We do not use pro active patching, we let the rest of the world test the patches, install the patch bundles 3 months after it is released.

-7- Unix sysadmin and the technical application desingers.

We start patching on our test servers ---> shadow servers ---> production servers.

Kind regards,

Robert-Jan.

Re: Methods and Views on Patching

Pete Randall — Fri, 28 Mar 2003 11:23:14 GMT

Hi Steve,

1. When needed - if there's something broken, I'll patch it. Once in a great while I may put on a Quality Pak but not very often - I've caused more problems doing regular patching than I've ever cured.

2. See #1 - if I do feel the need to patch it's pretty much specific to the server having the problem, so I guess you could call that a "custom bundle per server".

3. The first time I tried it, it came up with a list of hundreds of patches - see #1 - no way would I put on that many patches at one time.

4. I don't have enough servers to have any elaborate scheme. When a patch(es) needs to be applied globally, I walk through each machine individually. That way I can be sure that the application goes OK.

5. Yes.

6. I don't - see #1.

7. Mine, if I need to put a patch on that I'm not sure about, it goes on my sandbox, then, after a testing period, into my development environment where the programmers can beat on it, then, after a shakedown period, onto production.

You're welcome

Pete

Re: Methods and Views on Patching

H.Merijn Brand (procura — Fri, 28 Mar 2003 11:52:13 GMT

0. Also read http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x136128c64656d71190080090279cd0f9,00.html

1. Not-reboot patches as soon as they come out and *I* think it will improve our system in general (e.g. C-compiler patches & security patches). Reboot patches every three month after the ExtSW has been released and received.

2. For the non-reboot patches patches mentioned in 1., might diff per system. Standard ExtSW bundles are applied on reception ASAP on the test system, and 3 weeks later on the production machine if all goes well.

3. Depends on the complexity of the wanted patch. I get the announcements on a regular basis by mail, and if there will be a period in front of me where I think that one of those patches will improve my work (e.g. NFS performance which is still *VERY* poor between two 11.00 servers), I might schedule that in, and these might well be fetched through the patch manager due to multiple dependencies. Single (easy) patches, I fetch from ftp.

4. swinstall on every server

5. Yes. Uhh, not *all* patches. Some I apply blindly, because I don't use it anyway :) (e.g. I don't give a sh.. about tar/cpio/csh patches, since I don't use them. I use GNU tar, GNU cpio and tcsh)

6. I don't :) We have a small buisiness, and I'm the only one to decide what is patched on HP servers, when and why.

7. Mine, and mine only :(

Enjoy, have FUN! H.Merijn

Re: Methods and Views on Patching

Stefan Farrelly — Fri, 28 Mar 2003 12:02:16 GMT

1. Main production servers; only apply security patches routinely. QPK bundles every year or two. Development servers; QPK bundles whenever they come out (including diags) - to test for stability for many months before applying to live prod servers.

2. Standard bundles only, never use custom bundles (as HP havent tested how the patches in them work together whereas the standard bundles are tested by HP extensively before releasE).

3. Never use CPM for reason cited in 2.

4. Simply use SD to install them (swinstall). All servers install from a central depot server (pull method, to a local depot on each machine first, then install from local depot if it copied aok. If you install over network from a remote depot and the network drops you can completely screw your server!).

5. Only follow bundle release notes for individual patches mentioned there, dont check every patch.

6. Our business only go for proactive patching for security patches, nothing else. How you can you explain to ths business you want a lot of downtime to install a massive QPK bundle on a prod server when it has the potential to completely screw the server (if say the kernel wont build after it?) - especially when the QPK bundle is not essential (unlike security patches which are).

7. HP test the QPK bundles extensively first, we test them on dev servers for months first, and a single prod server for a few more months before rolling out, just to be safe.

7.

Re: Methods and Views on Patching

John Poff — Fri, 28 Mar 2003 12:39:22 GMT

Hi Steve,

1. We try to patch quarterly.

2. We have been getting a standard bundle per server type and patching similar boxes with that bundle. Now we are looking at building custom patch bundles for each box.

3. We don't, but I'd like to start doing it.

4. Currently we are patching them individually, but we used to have a large patch depot [until someone stole our storage!] and we are probably going to make one again.

5. I get the weekly patch notification via e-mail from the ITRC and I'll review what it soming out, but when we get a patch bundle we just go with it. We've have had great success with our patches and in five years we've only had to back out a couple of patches, so we don't worry about it.

6. We sold our business on it early and they like it.

7. We put our patches on test and development boxes first and let them run for a month. It would be nice to have a sandbox system to run them on from our end but we don't have that luxury.

JP

Re: Methods and Views on Patching

BFA6 — Fri, 28 Mar 2003 12:49:44 GMT

Hi Steve,

1. Don't patch unless there is a problem
2. Usually download any required patches from the net
3. Nope
4. Generally do not patch multiple servers.
5. Usually an applied patch is a because of a call with HP
6. No active patching.
7. Testing - what's that :-)

Regards,

Hilary

Re: Methods and Views on Patching

Jeff Schussele — Fri, 28 Mar 2003 13:49:10 GMT

Hi Steve,

1) Twice a year

2) We have standard bundles *except* for our V-class - it gets a custom bundle.

3) Sort of - our contract calls for HP to bundle custom sets of patches that we - the SAs - agree upon. We call this our HP Recommended bundle & it along with the HWE & QPK bundles are what we install twice/yr.

4) Every HP SA has a certain # of systems that they are the primary SA on. It's the responsibility of designated primaries to install the patches on those servers. Unless we get the opportunity to install on multiple servers at once - rarely - we generally install them locally.

5) We follow the recall list & exclude/remove any that pop up there, but we generally trust the HWE & QPK bundles. But yes we DO investigate each on the HP Recommended bundle.

6) We tell them it's a mandatory part of normal system maintenance. The only choice we give them is - when.

7) Patches go in this order
A) Development
B) Test
C) Staging
They then "break-in" there for a while & then finally go in
D) Training & Production
Again, it's the responsibility of the primary SA to monitor the system for adverse effects of the patch install.

Later,
Jeff

Re: Methods and Views on Patching

eran maor — Fri, 28 Mar 2003 13:56:00 GMT

Hi Steva

1. if think that you need to patch your system when installing the system and then do a CPM to your system every 3 month .

2. i m advising my cu to install the last support plus bundle ( QPK and HWE ) and to do a CPM for each server .

3. all of our css and pss customer is using CPM and it is highly recommend .

4. my advise is to do a maintence windows every 3 month to install the patches .
remember to do a make_tape_recovery before the install and also to try to compile the kernel to see if there is a problem with the kernel .

5. i will check the rating of the patch .
dont install patches with rating of 1 star * .

6. installing the level of patches that is recommend by hp will help you to prevert problem and it is saving you problem in the futate .

7. it is the system admin job .

i will do a test in 1 computer to see if there is problem but if your system are diff. from each other a simple test will not help you .

remember to stop oracle , omniback and perview and mwa and to do a test to the kernel with compiling it .

most of the problem is not with the patches and are before you install your patches .

Re: Methods and Views on Patching

A. Clay Stephenson — Fri, 28 Mar 2003 15:36:27 GMT

As a general rule, I patch on a quarterly basis. For those of you in the "It ain't broke so don't fix it camp" my question is "How do you know?". If you read through the patch release notes, you will find that a fairly large fraction of them deal with "possible data corruption". The very last thing that you want is little bits and pieces of data corruption that you might not find for months.

My method is to first apply the full patchset and Hardware Enablement bundles to a sandbox and test there. Next, the patches are applied
to the Test/Development boxes; finally (usally after two or three weeks) a maintenance window is scheduled for production.

At this point, you know how long the patches will take to apply and you know that they are safe for your environment.

While it's a good tool, I rarely use the CPM. I install the entire patchsets - with very rare exceptions.

I typically use multiple copies of the install media and do multiple patches on the production boxes simultaneously.

I don't bother to read over the patches until I've installed on the Sandbox. I then know which will actually be applied and then I read over the release notes for each one and look for possible impact; that gives me a very good way to look for possible hiccups in the sandbox and test/development environments.

I've never had any real difficulty scheduling maintenance windows as long as plenty of lead time is available AND I NEVER exceed my requested time window. In order to make your case, just drag out one of the "possible data corruption" release notes and your battle is won.

It's your job to test along with the DBA's and any application support people's job as well.

I am rapidly approaching 4 years of zero unplanned production downtime so I have no intention of changing my maintenance policies. My best piece of advice is get yourself a sandbox - not the same as a test environment. A sandbox will more than pay for itself in the prevention on unplanned downtime.

Re: Methods and Views on Patching

Jeff Schussele — Fri, 28 Mar 2003 15:45:49 GMT

Clay,

Quick question:

How do you simulate load on that sandbox system?
Specifically, what do you do to insure you have an environment & workload as similar as possible to your other environments?

We've found problems with patches that did not appear until the system reached certain levels rarely touched - even in production.
To me it seems that scenario is almost impossible to duplicate outside of production.

Curiously,
Jeff

Re: Methods and Views on Patching

Steven E. Protter — Fri, 28 Mar 2003 15:51:10 GMT

When I took over my shop, the attitude was, if if it ain't broke, don't fix it.

That made our last server rollout hell, because critical patches were missing and omniback and a dozen other functions didn't work the first day we ran the new system.

I patch my servers with large patch sets quarterly and two weekends a month with critical patches for secruity or oracle functionality.

I build my own custom batches based on the task at hand.

I am moving to a new setup where I patch an Ignite server and then roll out vg00 to two other rp5450 servers. Thus far its testing all right, though I'm worried about Ignite properly pushing nsswtich.conf and the hosts files . I'll resolve that.

Its my job to test patches in a test environment, though I am allowed to draft the dba and users. I have a list of things to check, open this app, look up account, stuff like that.

For production servers, same thing, if its a reallhy big deal managment might keeep me company and test the Sunday morning after I patch.

We have adopted what I call a sane but agressive strategy. We don't patch for the sake of patching, but we do try hard to stay current, especially with security issues and Oracle.

I was once burned by putting in a pax patch that let Ignite pack up 8 Gig files. The pax_iux utility that unpacks on the Ignite client barfed and could not unpack the files. It took four weeks, including a bout with the flu to figure that out, but hey, I learned how to use tusc.

Even with that one failure, the strategy is sound and the users rarely notice when I roll a new server into production.

SEP

Re: Methods and Views on Patching

steven Burgess_2 — Fri, 28 Mar 2003 15:52:35 GMT

Hi all

Thanks for the responses

A.Clay I'm interested in your reply from the question that Jeff has just put to you

I finish for the weekend shortly.

Keep them coming will pick up again on Monday

Thanks

Steve

Re: Methods and Views on Patching

Marco Santerre — Fri, 28 Mar 2003 16:18:44 GMT

1) In my case, what I try to do is patch my systems every six months with the Support Plus CD.

2) When it comes to my production servers, I do ask for a patch analysis to be done by HP at least once a year after I've just patched the system with the Support Plus CD. In this case, mostly to get more relevant patches for the specific applications, like oMniback or things like that.

3) I do use the custom patch manager, but not as much as I should unfortunately. I use mostly for information at this point rather than patching.

4) In my case, I rather use a simple depot, rather than Ignite because almost all my servers have got a little something that's different. So I will swinstall the patches but from a depot, rather than the CD.

5) I do investigate some patches, but not all of them. I'm often interested in network , and Kernel mostly to see what changes are made and see the probably impact it may have.

6) I admit this one is tough, but often enough, my development servers are often done ahead of time, therefore proving that (relatively) all patches work for one is a good thing for the business case. Another thing is if I can find certain patches that are really critical that would help as well. Unfortunately, I don't hold all the secrets to dealing with managers and they sometimes (though not too often) don't listen to me.

7) Mine

I often find, that when you have a whole slew of servers, even if you do try to move ahead with them, you'll often find yourself behind for several reason. I lok at one server in particular here that I have a problem patching cause I haven't been able to get a downtime period for it for almost a year. So I find that it's good to have standards in regards to patching but I sometimes have problems adhering to my own standards.

Re: Methods and Views on Patching

Sridhar Bhaskarla — Fri, 28 Mar 2003 16:43:41 GMT

Hi Steve,

My method is same of Jeff as we work together :-).

However,

C) Staging
They then "break-in" there for a while & then finally go in
D) Training & Production

Our staging servers are supposed to be the DR for the production. So they match production in all aspects. Before we patch production, we patch Staging servers and do loadtest for critical application. We make sure neither functionality nor the performance is impacted negatively before rolling them into production.

I am against "if it isn't broken, then dont fix it" rule for patches.

-Sri

Re: Methods and Views on Patching

A. Clay Stephenson — Fri, 28 Mar 2003 16:53:45 GMT

How do I test?

After loading the patches and going through very routine tasks like printing, starting Oracle and doing a few simple queries, starting an Oracle listener and doing additional queries. I then startup the the main applications (e.g. ERP, HR, CAD) and run automated test scripts. There are several good vendors out there. As an example, http://www.qalinks.com/

You will do a lot of work on the front-end setting up the test scripts but they more than pay for themselves. These same scripts are used whenever one of the application service packs are applied.

Re: Methods and Views on Patching

Michael Tully — Sat, 29 Mar 2003 00:21:39 GMT

Hi Steve,

1. We try to patch twice a year. More often if there are particular problems or security related patch releases. If we patched more oftern we would'nt do anything else.
2. We use the standard patch bundle.
3. Don't use custom patch manager
4. Use a CD as a patch depot. All systems are updated from these.
5. As we test a patch bundle in it's entirety, we find any problems prior to rolling out to a production server.
6. We sell it like vitamins. It is better to prevent a sickness before it occurs. I am lucky enough that the business trusts us enough to do these things, as long as they are tested thoroughly, we go through our change control mechanism and they will like when we propose or negotiate a different time.
7. We are luck enough to have quite a few development systems, we also have plenty of developers willing to try and get the systems keel over ..... Seriously this actually irons out any problems.

Cheers
Michael

Re: Methods and Views on Patching

Dave Unverhau_1 — Sat, 29 Mar 2003 04:12:30 GMT

Steve,

Since you're looking for different views on patching, I'll throw one in that comes from a little different angle...

My job with HP is to provide proactive patch analysis and patching assistance to our customers with PSS support contracts. HP's goal with regard to proactive patching is to minimize the need for reactive patching and unplanned downtime (shut the barn door before you find the cows grazing in the neighbor's garden...).

I try to have my customers patch at least twice per year, with custom patch bundles that I create using a tool similar to CPM (with some careful manual oversight).

When I started doing this job a couple of years ago, I found that most of my customers had no interest in proactive patch analysis and patching, and I had to chase after them. I expect that this was due to bad patching experiences or horror stories from other users. Now, most of my customers come to me on a pretty regular basis and whenever they're experiencing a behavior that they perceive to be related to, or fixable by, a patch. They seem to be very pleased with the proactive patching process.

Granted, proactive patching *can* introduce problems, but the incidence of this is inversely proportional to the time and care spent researching and selecting the patches, and reading the special installation instructions. Almost all of the post-patching complications I have been involved with resulted from failure to follow these instructions. A few were due to patches that were later found to have a problem, but that number is very small if only patches with a reting of 2 or 3 are selected for a bundle. The only exception I make to this rule is for security patches and critical patches when I can see that the critical patch addresses an issue that the customer is experiencing.

Some of my customers have contacted me to say how pleased they were because the proactive patching process had reaped benefits for them beyond their expectations (like fixing performance problems that they didn't know they had, or plugging security holes before their management presented them with a mandate to address said security issue.

Here are some documents at docs.hp.com related to patching that you may or may not have already seen:

"Patching Mission Critical Systems":
http://docs.hp.com/hpux/onlinedocs/os/patching_mc.pdf

"Patching Usage Models" (much of the same text, but worth worth scanning, as well):
http://docs.hp.com/hpux/onlinedocs/os/patch_usage.pdf

"Patch Management Guide for HP-UX 11.x" (patching-101):
Patch Management Guide for HP-UX 11.x

I hope this has been worth your consideration!

Best Regards,

Dave