Re: Patching Solaris machines with cfengine

[Ian Wallace]

I agree with K that you shouldn't just go winging patches on machines, 
however we use cfengine, along with a list of patches that should be applied 
and the CheckPatches, GetApplyPatch scripts that you can get from Sun to 
automate the whole process.

We haven't run into any problems yet (cross my fingers, etc).  We tend not to 
worry about the fact that you should be rebooting machines after kernel 
patches etc.  All of our environments are development only and we take that 
risk knowingly.  I guess we'd rather patch the machines then not patch at all.

Production is a whole different ball game.

If you want more info just say so and I can share the cfservd configuration, 
one line shellcommands that we use for this.

cheers
ian

On Tuesday 29 January 2002 07:28 am, Katherine Morris wrote:
> If you're talking about applying OS patches, I wouldn't recommend
> automating this in general.  Your Solaris versions are foreign to me since
> I run mostly 2.5.1 up through 8 and am currently evaluating 9.  I don't
> know Linux yet, so maybe that's where the disconnect is...
>
> However Solaris OS patches in general require some knowledge about what
> you're patching and why, reading the README's is highly advisable prior to
> patching as well.  Sun's not perfect either, and some patches break
> things... it would be terrible to break everything at once! There's also
> potential user intervention involved if you apply a patch which requires
> you to reboot your systems.  Particularly if you have any slack-ass admins
> you work with that don't update configuration files after they make changes
> on the fly and should be fired. (vent)
>
> If you're using "patch" in a more general sense, we're basically using it
> for security fixes/changes.
>
> -K
>
>
> ----- Original Message -----
> From: "Didier CONTIS" <didier@ece.gatech.edu>
> To: <help-cfengine@gnu.org>
> Sent: Monday, January 28, 2002 12:06 PM
> Subject: Patching Solaris machines with cfengine
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> > Hi,
> >
> > I was wondering how people are patching their Solaris systems using
> > cfengine.
> > Which tool combined with cfengine works the best.
> >
> > I am starting to deploy 2.0.a16. Most of Solaris systems are however
> > still running 1.6.x
> >
> > I am already doing that under Linux using autoupdate + cfengine.
> >
> > Thanks in advance for any feedback.
> >
> > Regards - Didier.
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
> >
> > iQA/AwUBPFWFF3qEbTtUcuwQEQIQ6gCfdOW5/x9Xce+AEt3ZsOK/mFSLsywAn1Xt
> > 45PY8hDIZxuf7cLimoFfz9QA
> > =8D3o
> > -----END PGP SIGNATURE-----
> >
> >
> > _______________________________________________
> > Help-cfengine mailing list
> > Help-cfengine@gnu.org
> > http://mail.gnu.org/mailman/listinfo/help-cfengine
>
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://mail.gnu.org/mailman/listinfo/help-cfengine

-- 
Ian Wallace - iwallace@context.com
Senior Consultant, Context Managed Services
(W) 303.209.5623 (H) 303.388.9858