1 Reply Latest reply on May 28, 2013 6:54 PM by ghalied

    OS patching best practices

      Hi - we have a number of Solaris 10 servers all running non-global zones and set up with SVM on UFS file systems. I'm wondering now what the best method to O/S patch these is. At present I do this:

      1) stop all non-global zones.
      2) split disk mirrors
      3) stop any remaining apps / processes.
      4) with server still in runlevel 3 patch the live boot env.
      5) reboot
      6) if all ok, reattach the disk mirrors.

      My question is, is there a better way to do this? There seem to be several ways to do this. Would I be better performing any patching in single user mode for starters? Also, having a quick google, I can see that some people suggest splitting the mirrors and reverting back to booting from a single physical disk as described here http://www.oracle.com/technetwork/systems/articles/splitsvm-jsp-138936.html or some suggest you again split the disk mirrors but then mount the detached submirror and patch this. This method seems quite long-winded with a lot of steps to follow but does make sense.

      My only other question is all our servers are physically like this:

      disk0 + disk1 used for O/S
      disk2 + disk3 used for non-global zones (/export/zones)

      With either of the two other methods mentioned above do I need to factor in the disks used for non-global zones when patching or do I just leave these untouched and patch the O/S?

      I've also heard many times before that ZFS is much better in this situation. Some of our newer servers are set up in this way and I do patch by creating an ABE. It's just our older servers using UFS I'm concerned about.

      Thanks - J.
        • 1. Re: OS patching best practices
          I used to patch similar to this as well. Single user mode would be better (though I've done it lots of times in run level 3 and survived). Also, definitely split the root and zone mirrors. Just splitting the root disks could mean that your zones could end up on later versions than your global zone - and that just leads to problems.

          Also check your /etc/pdo/patch.conf (or is it /etc/patch/pdo.conf? Can't check right now). Change the entry to your amount of non-global zones. This can speed up your patching by a bit.

          Another thing I do, when it's not me that personally installed the global zone and/or the non-global zones, is that before my patching I do a detach and a re-attach (with -u) of the non-global zones so that I know my patching levels of my global zone and the non-global zones are in sync. This can take a while though but it's a good safety net if you do a lot of copying of zones from one global zone to another like we do.
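
The reply's advice to split both the root and the zone mirrors can be turned into a reviewable plan before anything is touched. The script below is an added example, not code from either poster: it reads `metastat -p` style text and prints the `metadetach` and matching `metattach` commands without running them. The metadevice and disk names are constructed, and it assumes the usual `dNN` naming with mirror lines of the form `d0 -m d10 d20 1`.

```shell
#!/bin/sh
# Added example: build a mirror-split plan from `metastat -p` style output.
# It only prints commands; nothing is executed against SVM.

# Constructed sample (not from the thread): root mirrors on disk0/disk1,
# a zone mirror on disk2/disk3, and one mirror that has lost a submirror.
SAMPLE='d0 -m d10 d20 1
d10 1 1 c0t0d0s0
d20 1 1 c0t1d0s0
d1 -m d11 d21 1
d11 1 1 c0t0d0s1
d21 1 1 c0t1d0s1
d50 -m d51 d52 1
d51 1 1 c0t2d0s0
d52 1 1 c0t3d0s0
d60 -m d61 1
d61 1 1 c0t2d0s1'

# plan_detach: read `metastat -p` text on stdin.
# For each mirror (second field "-m") with two or more submirrors, print
# the command that detaches the last submirror. A mirror with a single
# submirror is reported as SKIP: there is no second copy to keep back.
plan_detach() {
    awk '
    $2 == "-m" {
        n = 0
        for (i = 3; i <= NF; i++)
            if ($i ~ /^d[0-9]+$/) m[++n] = $i   # trailing pass number is ignored
        if (n >= 2)
            printf "metadetach %s %s\n", $1, m[n]
        else
            printf "SKIP %s: only %d submirror(s)\n", $1, n
    }'
}

# plan_reattach: the matching commands for step 6, to be used only after
# the patched system has been checked, because the resync overwrites the
# unpatched copy.
plan_reattach() {
    plan_detach | awk '$1 == "metadetach" { print "metattach", $2, $3 }'
}

printf '%s\n' "$SAMPLE" | plan_detach
```

On a real host the input would come from `metastat -p` instead of `$SAMPLE`; a SKIP line means that mirror is already running on one copy and should be repaired before patching.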