[SunHELP] A discussion about patch policy
velociraptor at gmail.com
Tue Jun 14 11:20:34 CDT 2005
On 6/14/05, Grindell, Joan M. <GrindellJ at sec.gov> wrote:
> Sun recommends that cluster patches be installed in single user
> mode. Some folks here prefer to install the patches remotely and reboot
> remotely. What policies do other admins take and why? What are the
> if any of installing remotely?
I've only installed in single user mode when updating immediately
after a system install (e.g. before the system is put into use).
Generally, I just make sure I'm installing patches at a time that
there are few users active--e.g. after hours or on the weekend.
But that's more so as not to interfere with the users than an issue
with the OS.
The reason for the warnings is more a CYA on Sun's part.
If the patches replace the binaries for an active running process,
and for some reason those binaries had to be re-read off the disks
after being replaced, then the patching has the potential to do
"bad things" to the system--e.g. system panic, corrupt data (were
it to be software that had open data files), etc.
In practice, I've never seen this happen. Patching when the system
is quiet is a half-way measure. On a db server or similar, I'd likely
go so far as to shut down the app if there was potential to write to
the db during the patch application process.