Jason Greathouse | 1 Aug 20:29 2011
Picon

Does PCA Use the OS Field?

My question is, does PCA use the OS field in the patchdiag.xref when trying to 
determine which patches to apply to a system?

I'm trying to create a custom xref file to include the latest Vertias patches to 
use with PCA. I'd like to include patches for all somewhat recent versions of 
Solaris(8, 9 and 10). I have a working file, patches apply fine, except that 
versions of patches I've marked as 8 or 9 are still trying to be applied to 10, 
and vise versa. So they come back as failed. This is not the end of the world, 
but annoying. 

Here is an example of the xref line that PCA is still trying to apply to a S10 
system:

142633|07|Feb/01/11|R| | |  |9|sparc;|VRTSvxfs:5.1,REV=7Oct2009;| VRTSvxfs 
5.1SP1RP1: Patch for File System 5.1-Sun5.9

[:~]# pca -l --nocheckxref --xrefdir=/root
Using /root/patchdiag.xref from Jul/26/11
Host:  (SunOS 5.10/Generic_144488-17/sparc/sun4u)
List: missing (7/1538)

Patch  IR   CR RSB Age Synopsis
------ -- - -- --- --- -------------------------------------------------------
142633 -- < 07 R-- 181  VRTSvxfs 5.1SP1RP1: Patch for File System 5.1-Sun5.9
...

If PCA doesn't consider this field, is there another way of modifying the xref 
to limit a patch to a specific OS?

Thanks,
(Continue reading)

Martin Paul | 2 Aug 09:28 2011
Picon
Picon

Re: Does PCA Use the OS Field?

Jason Greathouse wrote:
> My question is, does PCA use the OS field in the patchdiag.xref when trying to 
> determine which patches to apply to a system?

No. I found out that the contents of this field couldn't be relied upon, so it 
only uses packages+versions (and architecture). I've thought about scanning the 
synopsis field for strings like "SunOS 5.9" etc. but this isn't set in a 
consistent manner neither.

I'm dealing with that by adding extra rules to PCA itself for affected patches, 
which is kind of odd, but turned out to work fine.

Many of the VRTS patches are already checked in PCA, I've now added 
142633/142634, too. Go get the current development release of PCA (20110802-01) 
which should fix the issue.

Thanks for the report,

Martin.

Don O'Malley | 2 Aug 14:30 2011
Picon

Heads-up: New download service

Hi,

Just a quick heads-up...

There were some backend changes to the Oracle patch download service over the weekend.

Everything went very smoothly, but you may notice that there is now an additional level of redirection added to patch downloads.
Requests to getupdates.oracle.com now redirect to updates.oracle.com via login.oracle.com (for authentication).

There is a possibility that firewall rules may need to be updated in certain circumstances to accommodate this change (hence the reason for the heads-up).

I've included the output of a wget request to retrieve a patch below.

Best,
-Don

$ wget --no-check-certificate --http-user="xxxxxxxxx" --http-passwd="xxxxxxxx" "https://getupdates.oracle.com/all_unsigned/120068-02.zip" -O /tmp/120068-02.zip --2011-08-02 10:31:03-- https://getupdates.oracle.com/all_unsigned/120068-02.zip Resolving getupdates.oracle.com (getupdates.oracle.com)... 141.146.44.51 Connecting to getupdates.oracle.com (getupdates.oracle.com)|141.146.44.51|:443... connected. WARNING: cannot verify getupdates.oracle.com's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3': Unable to locally verify the issuer's authority. HTTP request sent, awaiting response... 301 Moved Permanently Location: https://login.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login?site2pstoretoken=v1.2~E4066BF0~20AAF567DFBC8D71FD4D32721442AB2DAF68711C4CC999EE873CE676C8D825E655DCA9E9A1A706322991CFC5D30F705A4368A860BB7DA9AE2B50EA3258B8A2C50F91030E3F7499AFF1F0998A5E2BC11E78DE73F01D19F205CDDD579 AB31791877B68E0291473E89F9B01B0241D85F6F35C5C8E482194F1636C7ABCB4081964DD1A6B00638364CF644D2CB7B744DA202AFFAF33A53A4A82D6100D9B92DC5553B4DFC8C70367CD826C4579CC1BBCC5296D2A45E8930195F639 [following] --2011-08-02 10:31:04-- https://login.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login?site2pstoretoken=v1.2~E4066BF0~20AAF567DFBC8D71FD4D32721442AB2DAF68711C4CC999EE873CE676C8D825E655DCA9E9A1A706322991CFC5D30F705A4368A860BB7DA9AE2B50EA3258B8A2C50F91030E3F7499AFF1F0998A5E2BC11E78DE73F0 1D19F205CDDD579AB31791877B68E0291473E89F9B01B0241D85F6F35C5C8E482194F1636C7ABCB4081964DD1A6B00638364CF644D2CB7B744DA202AFFAF33A53A4A82D6100D9B92DC5553B4DFC8C70367CD826C4579CC1BBCC5296D2A45E8 930195F639 Resolving login.oracle.com (login.oracle.com)... 141.146.9.36 Connecting to login.oracle.com (login.oracle.com)|141.146.9.36|:443... connected. WARNING: cannot verify login.oracle.com's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3': Unable to locally verify the issuer's authority. HTTP request sent, awaiting response... 401 Unauthorized Reusing existing connection to login.oracle.com:443. HTTP request sent, awaiting response... 302 Moved Temporarily Location: https://updates.oracle.com/osso_login_success?urlc=v1.2%7E90F38587349B069957EEAD927 1CDE9DA5D20A7061EF97051AE81D1498903E94B3E9FD2F389AFF928425B29577B7C6997302DE8A576BE62C612F2843A3DB120F50FDBA2885F9A1F7494495EB81FD9CF74E8C4062DAAB25D20E7521E3D186DFFF4D23993F16ED575729524534 0E0DF14534EAA96492718E89FA2753791A45E0082084D88F5DCFB3321026FE507ED07E3625C1EFD58115CA6E916982ABCAD7173B3721A84B749FF9760D947B031632772ACFBE642DF3C59ABE7312365332AD9093AB767B855DFCAB9B72AB485DE1AFCABD7A238F8B900DA288A08F6E3165F40891CF2EBD59CB1F6F6BEADDF8AB8F06EBC1D33F0371787F05D8E806941ABC3E29F62246DF9CCB06C36C49B5688B1CCDB616CB0FD1B37EA6CA2DD4A32FAB00452CE865C1D18FE4AD10E94C00D7D619AACDCD2 [following] --2011-08-02 10:31:05-- https://updates.oracle.com/osso_login_success?urlc=v1.2%7E90F3858734 9B069957EEAD9271CDE9DA5D20A7061EF97051AE81D1498903E94B3E9FD2F389AFF928425B29577B7C6997302DE8A576BE62C612F2843A3DB120F50FDBA2885F9A1F7494495EB81FD9CF74E8C4062DAAB25D20E7521E3D186DFFF4D23993F1 6ED5757295245340E0DF14534EAA96492718E89FA2753791A45E0082084D88F5DCFB3321026FE507ED07E3625C1EFD58115CA6E916982ABCAD7173B3721A84B749FF9760D947B031632772ACFBE642DF3C59ABE7312365332AD9093AB767B855DFCAB9B72AB485DE1AFCABD7A238F8B900DA288A08F6E3165F40891CF2EBD59CB1F6F6BEADDF8AB8F06EBC1D33F0371787F05D8E806941ABC3E29F62246DF9CCB06C36C49B5688B1CCDB616CB0FD1B37EA6CA2DD4A32FAB00452CE865C1D18FE4AD10E94C00D7D619AACDCD2 Resolving updates.oracle.com (updates.oracle.com)... 141.146.44.51 Connecting to updates.oracle.com (updates.oracle.com)|141.146.44.51|:443... connected. WARNING: cannot verify updates.oracle.com's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3': Unable to locally verify the issuer's authority. HTTP request sent, awaiting response... 301 Moved Permanently Location: https://getupdates.oracle.com/all_unsigned/120068-02.zip [following] --2011-08-02 10:31:06-- https://getupdates.oracle.com/all_unsigned/120068-02.zip Connecting to getupdates.oracle.com (getupdates.oracle.com)|141.146.44.51|:443... connected. WARNING: cannot verify getupdates.oracle.com's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3': Unable to locally verify the issuer's authority. HTTP request sent, awaiting response... 200 OK Length: 47267 (46K) [application/zip] Saving to: `/tmp/120068-02.zip' 100%[===========================================================================================================================================================>] 47,267 163K/s in 0.3s 2011-08-02 10:31:08 (163 KB/s) - `/tmp/120068-02.zip' saved [47267/47267] irepatch <at> goshawk:~$
--

Don O'Malley
Manager,Patch System Test
Revenue Product Engineering | Solaris | Hardware
East Point Business Park, Dublin 3, Ireland
Phone: +353 1 8199764
Team Alias: rpe_patch_system_test_ww <at> oracle.com
Rajiv Gunja | 2 Aug 14:43 2011
Picon

Re: Heads-up: New download service

Thanks for the heads up Don.

Tried downloading and it was successful. I am behind a firewall/proxy. I used the latest DEV version of PCA.

-GGR

--
Rajiv G Gunja
Blog: http://ossrocks.blogspot.com


On Tue, Aug 2, 2011 at 08:30, Don O'Malley <don.omalley <at> oracle.com> wrote:
Hi,

Just a quick heads-up...

There were some backend changes to the Oracle patch download service over the weekend.

Everything went very smoothly, but you may notice that there is now an additional level of redirection added to patch downloads.
Requests to getupdates.oracle.com now redirect to updates.oracle.com via login.oracle.com (for authentication).

There is a possibility that firewall rules may need to be updated in certain circumstances to accommodate this change (hence the reason for the heads-up).

I've included the output of a wget request to retrieve a patch below.

Best,
-Don

$ wget --no-check-certificate --http-user="xxxxxxxxx" --http-passwd="xxxxxxxx" "https://getupdates.oracle.com/all_unsigned/120068-02.zip" -O /tmp/120068-02.zip --2011-08-02 10:31:03-- https://getupdates.oracle.com/all_unsigned/120068-02.zip Resolving getupdates.oracle.com (getupdates.oracle.com)... 141.146.44.51 Connecting to getupdates.oracle.com (getupdates.oracle.com)|141.146.44.51|:443... connected. WARNING: cannot verify getupdates.oracle.com's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3': Unable to locally verify the issuer's authority. HTTP request sent, awaiting response... 301 Moved Permanently Location: https://login.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login?site2pstoretoken=v1.2~E4066BF0~20AAF567DFBC8D71FD4D32721442AB2DAF68711C4CC999EE873CE676C8D825E655DCA9E9A1A706322991CFC5D30F705A4368A860BB7DA9AE2B50EA3258B8A2C50F91030E3F7499AFF1F0998A5E2BC11E78DE73F01D19F205CDDD579AB31791877B68E0291473E89F9B01B0241D85F6F35C5C8E482194F1636C7ABCB4081964DD1A6B00638364CF644D2CB7B744DA202AFFAF33A53A4A82D6100D9B92DC5553B4DFC8C70367CD826C4579CC1BBCC5296D2A45E8930195F639 [following] --2011-08-02 10:31:04-- https://login.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login?site2pstoretoken=v1.2~E4066BF0~20AAF567DFBC8D71FD4D32721442AB2DAF68711C4CC999EE873CE676C8D825E655DCA9E9A1A706322991CFC5D30F705A4368A860BB7DA9AE2B50EA3258B8A2C50F91030E3F7499AFF1F0998A5E2BC11E78DE73F01D19F205CDDD579AB31791877B68E0291473E89F9B01B0241D85F6F35C5C8E482194F1636C7ABCB4081964DD1A6B00638364CF644D2CB7B744DA202AFFAF33A53A4A82D6100D9B92DC5553B4DFC8C70367CD826C4579CC1BBCC5296D2A45E8 930195F639 Resolving login.oracle.com (login.oracle.com)... 141.146.9.36 Connecting to login.oracle.com (login.oracle.com)|141.146.9.36|:443... connected. WARNING: cannot verify login.oracle.com's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3': Unable to locally verify the issuer's authority. HTTP request sent, awaiting response... 401 Unauthorized Reusing existing connection to login.oracle.com:443. HTTP request sent, awaiting response... 302 Moved Temporarily Location: https://updates.oracle.com/osso_login_success?urlc=v1.2%7E90F38587349B069957EEAD9271CDE9DA5D20A7061EF97051AE81D1498903E94B3E9FD2F389AFF928425B29577B7C6997302DE8A576BE62C612F2843A3DB120F50FDBA2885F9A1F7494495EB81FD9CF74E8C4062DAAB25D20E7521E3D186DFFF4D23993F16ED575729524534 0E0DF14534EAA96492718E89FA2753791A45E0082084D88F5DCFB3321026FE507ED07E3625C1EFD58115CA6E916982ABCAD7173B3721A84B749FF9760D947B031632772ACFBE642DF3C59ABE7312365332AD9093AB767B855DFCAB9B72AB485DE1AFCABD7A238F8B900DA288A08F6E3165F40891CF2EBD59CB1F6F6BEADDF8AB8F06EBC1D33F0371787F05D8E806941ABC3E29F62246DF9CCB06C36C49B5688B1CCDB616CB0FD1B37EA6CA2DD4A32FAB00452CE865C1D18FE4AD10E94C00D7D619AACDCD2 [following] --2011-08-02 10:31:05-- https://updates.oracle.com/osso_login_success?urlc=v1.2%7E90F38587349B069957EEAD9271CDE9DA5D20A7061EF97051AE81D1498903E94B3E9FD2F389AFF928425B29577B7C6997302DE8A576BE62C612F2843A3DB120F50FDBA2885F9A1F7494495EB81FD9CF74E8C4062DAAB25D20E7521E3D186DFFF4D23993F1 6ED5757295245340E0DF14534EAA96492718E89FA2753791A45E0082084D88F5DCFB3321026FE507ED07E3625C1EFD58115CA6E916982ABCAD7173B3721A84B749FF9760D947B031632772ACFBE642DF3C59ABE7312365332AD9093AB767B855DFCAB9B72AB485DE1AFCABD7A238F8B900DA288A08F6E3165F40891CF2EBD59CB1F6F6BEADDF8AB8F06EBC1D33F0371787F05D8E806941ABC3E29F62246DF9CCB06C36C49B5688B1CCDB616CB0FD1B37EA6CA2DD4A32FAB00452CE865C1D18FE4AD10E94C00D7D619AACDCD2 Resolving updates.oracle.com (updates.oracle.com)... 141.146.44.51 Connecting to updates.oracle.com (updates.oracle.com)|141.146.44.51|:443... connected. WARNING: cannot verify updates.oracle.com's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3': Unable to locally verify the issuer's authority. HTTP request sent, awaiting response... 301 Moved Permanently Location: https://getupdates.oracle.com/all_unsigned/120068-02.zip [following] --2011-08-02 10:31:06-- https://getupdates.oracle.com/all_unsigned/120068-02.zip Connecting to getupdates.oracle.com (getupdates.oracle.com)|141.146.44.51|:443... connected. WARNING: cannot verify getupdates.oracle.com's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3': Unable to locally verify the issuer's authority. HTTP request sent, awaiting response... 200 OK Length: 47267 (46K) [application/zip] Saving to: `/tmp/120068-02.zip' 100%[===========================================================================================================================================================>] 47,267 163K/s in 0.3s 2011-08-02 10:31:08 (163 KB/s) - `/tmp/120068-02.zip' saved [47267/47267] irepatch <at> goshawk:~$
--

Don O'Malley
Manager,Patch System Test
Revenue Product Engineering | Solaris | Hardware
East Point Business Park, Dublin 3, Ireland
Phone: +353 1 8199764
Team Alias: rpe_patch_system_test_ww <at> oracle.com

Martin Paul | 2 Aug 15:03 2011
Picon
Picon

Re: Heads-up: New download service

Don O'Malley wrote:
> Everything went very smoothly, but you may notice that there is now an 
> additional level of redirection added to patch downloads.
> Requests to getupdates.oracle.com now redirect to updates.oracle.com via 
> login.oracle.com (for authentication).

Downloads work for me, but it looks different from your example - at the end I'm 
getting the patch from "http://aru-llnw-dl.oracle.com/aaruna04/...". Was there a 
switch from akamai to limelight, or does this depend on where the client is 
coming from?

Martin.

Jeff Earickson | 2 Aug 15:34 2011

Re: Heads-up: New download service

Paul, Don et al,

I too am seeing the Limelight networks addresses and I am in the US,
not Europe.  My pca debug sessions hung on aru-llnw.oracle.com and
aru-llnw-dl.oracle.com; I ended up adding 208.111.128.0/24 into my
firewall rules to get pca working again.

Paul, it would be nice if pca spit up a message if a URL connection
times out, even if you are not running in debug mode.  That would be a
clue that
either something was down at the Oracle end, or there is a
change/firewall issue.  Otherwise you tend to assume that things are
working normally.

Don, I have noticed a big drop-off in Solaris 10 patches in the past
month to six weeks.  Is this because a new release of Solaris 10 is
about to happen?

Jeff Earickson
Colby College

On Tue, Aug 2, 2011 at 9:03 AM, Martin Paul <martin <at> par.univie.ac.at> wrote:
> Don O'Malley wrote:
>>
>> Everything went very smoothly, but you may notice that there is now an
>> additional level of redirection added to patch downloads.
>> Requests to getupdates.oracle.com now redirect to updates.oracle.com via
>> login.oracle.com (for authentication).
>
> Downloads work for me, but it looks different from your example - at the end
> I'm getting the patch from "http://aru-llnw-dl.oracle.com/aaruna04/...". Was
> there a switch from akamai to limelight, or does this depend on where the
> client is coming from?
>
> Martin.
>
>

Martin Paul | 2 Aug 15:45 2011
Picon
Picon

Re: Heads-up: New download service

Jeff Earickson wrote:
> Paul, it would be nice if pca spit up a message if a URL connection
> times out, even if you are not running in debug mode.

I agree in that it would be nice, but it won't happen. I'm leaving all the 
download stuff to wget - and I'm very glad that I don't have to care about that 
in PCA - which will timeout eventually, but I have no plans to write ugly code 
looking at wget's (debug) output to see what's going on. With all the redirects 
and all the changes in Sun's/Oracle's backend infrastructure in the past, this 
would be a nightmare.

Martin.

Jeff Earickson | 2 Aug 16:01 2011

Re: Heads-up: New download service

Paul,

I was hoping for something simple like examining the return code for
wget.  But googling on the topic of wget return codes, took me to
here:

http://www.gnu.org/software/wget/manual/html_node/Exit-Status.html

These codes are very vague (maybe code 4 would work).  The note about
return codes for older versions convinces me that you are right.
Ugh.

Jeff Earickson
Colby College

On Tue, Aug 2, 2011 at 9:45 AM, Martin Paul <martin <at> par.univie.ac.at> wrote:
> Jeff Earickson wrote:
>>
>> Paul, it would be nice if pca spit up a message if a URL connection
>> times out, even if you are not running in debug mode.
>
> I agree in that it would be nice, but it won't happen. I'm leaving all the
> download stuff to wget - and I'm very glad that I don't have to care about
> that in PCA - which will timeout eventually, but I have no plans to write
> ugly code looking at wget's (debug) output to see what's going on. With all
> the redirects and all the changes in Sun's/Oracle's backend infrastructure
> in the past, this would be a nightmare.
>
> Martin.
>
>

Don O'Malley | 2 Aug 17:39 2011
Picon

Re: Heads-up: New download service

Hi Jeff,
 
To answer both questions:
1) Yes you can expect patch downlaods from limelight too, so aru-llnw.oracle.com and aru-llnw-dl.oracle.com should be added to firewall rules.
2) The dropoff in S10 patches is due to the upcoming release of S10U10.

Best,
-Don


Jeff Earickson wrote:
Paul, Don et al, I too am seeing the Limelight networks addresses and I am in the US, not Europe. My pca debug sessions hung on aru-llnw.oracle.com and aru-llnw-dl.oracle.com; I ended up adding 208.111.128.0/24 into my firewall rules to get pca working again. Paul, it would be nice if pca spit up a message if a URL connection times out, even if you are not running in debug mode. That would be a clue that either something was down at the Oracle end, or there is a change/firewall issue. Otherwise you tend to assume that things are working normally. Don, I have noticed a big drop-off in Solaris 10 patches in the past month to six weeks. Is this because a new release of Solaris 10 is about to happen? Jeff Earickson Colby College On Tue, Aug 2, 2011 at 9:03 AM, Martin Paul <martin <at> par.univie.ac.at> wrote:
Don O'Malley wrote:
Everything went very smoothly, but you may notice that there is now an additional level of redirection added to patch downloads. Requests to getupdates.oracle.com now redirect to updates.oracle.com via login.oracle.com (for authentication).
Downloads work for me, but it looks different from your example - at the end I'm getting the patch from "http://aru-llnw-dl.oracle.com/aaruna04/...". Was there a switch from akamai to limelight, or does this depend on where the client is coming from? Martin.

--

Don O'Malley
Manager,Patch System Test
Revenue Product Engineering | Solaris | Hardware
East Point Business Park, Dublin 3, Ireland
Phone: +353 1 8199764
Team Alias: rpe_patch_system_test_ww <at> oracle.com
Martin Paul | 5 Aug 10:32 2011
Picon
Picon

New release: 20110805-02

A new release of PCA has just been published. Here's a list of new features and 
changes:

  * Deprecate option supplevel after Oracle broke query interface
  * Fix showing errors when running pca proxy in debug mode
  * Whitelist: add 144500, 144501
  * Whitelist: replace 143647/143648 with 145957/145958
  * Whitelist: replace 143957/143958 with 146489/146490
  * Whitelist: replace 143645/143646 with 146232/146233
  * Whitelist: add 146673, 146674
  * Whitelist: modify 144489
  * Whitelist: remove obsolete patches
  * Whitelist: remove patches for products which reached EOSL
  * Apply check: add 147056
  * Apply check: add 142633, 142634
  * Apply check: remove patches for products which reached EOSL
  * Update list of contributors

Update:
   pca --update now

Download:
   http://www.par.univie.ac.at/solaris/pca/installation.html

MD5: 7a5806de0fa1c4b6ed8973afadf4a397


Gmane