Patch Check Advanced

Analyze, download and install patches for Oracle Solaris
Written by Martin Paul

Some PCA users contribute modifications or their own scripts that wrap around PCA. I'm collecting them here for anybody who might be interested. These are not officially part of PCA, and I cannot provide support for them.

Setup and Documentation

Laurent Blume has prepared a presentation introducing PCA. You can download the slides in PDF format. It was updated in Jan 2008 and describes version 20080109-01 of PCA.

William Pool provides a description of his setup using PCA in an environment with multiple data centers (PDF). He's using daisy-chained PCA proxies to limit network bandwidth.

Dan Shaw provided documentation about his experience when setting up PCA and a local caching proxy in his network for the first time.

Ron Halstead has scripted a PCA proxy server setup, covering both the server and the client side, with supporting files and the httpd.conf file. It is approved for use in his (very paranoid) company.

Dave Collodel has built a package around PCA to automate patch installation, including the installation of deferred patches during reboot. See PCApatch.

For those of you who use Sun's EIS DVDs (containing frozen, stable patch sets), Chris Reece's script mkpcadir might be worth a look. It converts the patch set on the DVD into a directory hierarchy which can be used with PCA.

Victor Feng has put up a collection of scripts for daily system checks on BigAdmin. The checkpatch script uses PCA to report missing security patches.

Helper scripts

The mkxref script creates a patchdiag.xref from a custom set of patches, like the "Critical Patch Updates (CPU)" or the Solaris Update patch cluster issued by Oracle. With such an xref file you can test whether all of the patches from the defined set are installed, and only download and install those which are missing. Example output: patchdiag.xref for CPU OS Cluster 2011/04 Solaris 10 SPARC.

chkmin will check the patches in its argument list and show those which are not installed in the specified revision or higher. Useful if you have e.g. a list of patches required for a certain application to be installed and want to know which of them are missing.

The directory in which a PCA local caching proxy stores downloaded patches can become pretty large after some time. The clean script will move all but the highest revision of each patch into a subdir named BAK, which can then be removed to save space. It will also move patch READMEs which can be extracted from existing patch ZIP files, to reduce the number of files. Run it as root or with appropriate permissions in the directory containing the patches and patch READMEs.

The patchadd command in Solaris keeps backup copies of modified files whenever installing patches. After some time this can fill up the partition containing the /var/sadm/ directory. The cleanup_sadm script from Jeff Earickson will remove backup files from any installed patch which is obsolete or older than 40 days. Attention: When backup files have been removed, you will not be able to remove this patch later with patchrm! When you have the chance, it's always better to make the partition containing /var/sadm/ big enough and not mess with the files in it.