updatemanager can't find current patches?
Solaris Fans and Experts:
I have 3 nearly identical X4100 M2 boxes running Solaris 10 x86 11/06
and typically use updatemanager to keep them patched. A little over a week ago, updatemanager hung while trying to install some patches.
As I recall, I killed the various related processes and rebooted .... at least that's what I thought I did.
Since that time, this machine fails to find any needed patches using either 'updatemanager' or 'smpatch analyze'. I know that other applicable patches have been made available because my 2 other machines seem to be notified of them.
In looking for problems, I noticed a couple of error messages that show up in /var/adm/messages on reboot that, I think, are pointing to the problem (or at least part of it), but I don't know what to do to fix this problem.
Those messages are:
Jul 7 09:26:31 rise CNS Transport[430]: [ID 634722 daemon.error] unhandled exception: Shared CNS CCR lacks required properties: cns.security.privatekey, cns.transport.serverurl
Jul 7 09:26:47 rise root: [ID 702911 user.error] => com.sun.patchpro.util.CachingDownloader@5e176f <=com.sun.cc.platform.clientsignature.CNSSignException: Error reading private key
Jul 7 09:26:47 rise 804:error:0906D06C:PEMroutines:PEM_read_bio:no start line:
/on10/buildnd/G10U4B5/usr/src/common/openssl/crypto/pem/pem_lib.c:637:Expecting : ANY PRIVATE KEY
Here is /etc/release:
Solaris 10 11/06 s10x_u3wos_10 X86
Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 14 November 2006
and, as I indicated, this machine was pretty much up to date with patches as of about June 27 or 28.
I've re-registered in updatemanager and believe that I am not encountering problems with the registration part of the process .... but
that doesn't help with finding available updates. Note: I normally download patches for these machines directly from the Sun update site.
Any help or suggestions as to how to better diagnosis this problem would be greatly appreciated.
Thanks,
John
# 1
Try running these commands on the problem box to reset the missing properties and then re-register the system before running an analysis:
# /usr/lib/cc-cfw/framework/lib/cc-client-adm stop
# /usr/lib/cc-ccr/bin/ccr -p cns.transport.serverurl -v https://cns-transport.sun.com
# /usr/lib/cc-ccr/bin/ccr -r cns.security.privatekey
# /usr/lib/cc-cfw/framework/lib/cc-client-adm start
# cacaoadm stop
# /usr/lib/cc-ccr/bin/eraseCCRRepository
# rm /var/scn/persistence/SCN*
# cacaoadm start
# 2
Mr. Moderator:
Thank you for your timely and thorough repsonse. Running the commands that you suggested fixed my CNS transport errors. In particular, I now see in /var/adm/messages
(following registration and a reboot):
Jul 8 07:15:46 rise CNS Transport[431]: [ID 126843 daemon.notice] cctransport started
However, this machine still thinks that it needs no patches .... which seems surprising because I think that I've applied about 15-20 patches to the two sister machines over the last 10 days or so. Most notably the other two are at kernel level 125101-10 and this machine is still sitting at 125101-09.
I did try to compare the results of 'updateManager -debug >& /var/tmp/updateDebug'
on this machine with the other two: one which is fully patched and one which has 3 unapplied patches.
Aside from the differences in hostId and cns.assetId, the only differences I see are the
updateCollection.getUpdates() == null
that I get on both the fully patched machine and the one that I think is not fully patched.
On the machine with 3 unapplied patches, I get:
updateCollection.getUpdates().length: 3
So, in a sense, everything seems to be running properly .... except that I'm reasonably certain that the machine in question is about 20 patches out of date. And, in fact, comparison of 'showrev -p' on these machines shows that the machine in question is not, in fact, fully patched to the same levels.
Any suggestions as to where I should look next? Is there a file now stored locally that either lists my current patches that updatemanager uses? Or lists what it beleives to be the current patches avialble?
Thanks for your helpful response,
John
# 3
I think it is worth clearing out the cache files to remove any corrupted data from when the processes were killed, then rerun the analysis:
# rm -fr /var/sadm/spool/cache/*
If there is still a problem, are the registration details the same for all three boxes, i.e same Sun online account and contract number (if applicable)? Also, please post the output from the commands below:
# showrev -p | egrep '^Patch: (11978[8|9]|12033[5|6]|12108[1|2])'
# showrev -p | egrep '^Patch: (12111[8|9]|12145[3|4]|12156[3|4])'
# showrev -p | egrep '^Patch: (12223[1|2]|12300[3|4|5|6]|124463|12461[4|5])'
# smpatch get
# 4
Forum Moderator:
Wow, you deserve special recognition for your timely responses ... I hope that your bosses at Sun are aware of you diligent attention to this forum!
Well, I'm glad to know how to clean out the cache .... and I'm somewhat surprised that this didn't take care of it, but fresh analysis seems to still think that I'm up to date. Yes, I am using the same online account and Sun service contract number on all three machines.
The results of the various commands that you requrested follows:
root@rise # showrev -p | egrep '^Patch: (11978[8|9]|12033[5|6]|12108[1|2])'
Patch: 121082-06 Obsoletes: 122232-01 Requires: 121454-02 Incompatibles: Packages: SUNWccccrr, SUNWccccr, SUNWccfw, SUNWccsign, SUNWcctpx, SUNWccinv, SUNWccccfg, SUNWccfwctrl
Patch: 119789-07 Obsoletes: Requires: 121119-08 Incompatibles: Packages: SUNWppror, SUNWpprou
Patch: 119789-08 Obsoletes: Requires: 121119-08 Incompatibles: Packages: SUNWppror, SUNWpprou, SUNWpsvrr, SUNWpsvru
Patch: 120336-04 Obsoletes: Requires: 121454-01 Incompatibles: Packages: SUNWpprou
root@rise # showrev -p | egrep '^Patch: (12111[8|9]|12145[3|4]|12156[3|4])'
Patch: 121454-02 Obsoletes: 120777-03, 121087-02, 119108-07 Requires: 119575-02, 119255-06 Incompatibles: Packages: SUNWcsu, SUNWcsr, SUNWccccrr, SUNWccccr, SUNWccfw, SUNWccsign, SUNWcsmauth, SUNWswupcl, SUNWppror, SUNWpprou, SUNWcctpx, SUNWccinv, SUNWupdatemgru, SUNWupdatemgrr, SUNWccccfg, SUNWccfwctrl, SUNWppro-plugin-sunos-base
Patch: 121119-11 Obsoletes: Requires: 121454-02 Incompatibles: Packages: SUNWcsmauth, SUNWppror, SUNWpprou, SUNWupdatemgru, SUNWupdatemgrr, SUNWppro-plugin-sunos-base
Patch: 121119-12 Obsoletes: Requires: 121454-02 Incompatibles: Packages: SUNWcsmauth, SUNWppror, SUNWpprou, SUNWupdatemgru, SUNWupdatemgrr, SUNWppro-plugin-sunos-base
Patch: 121119-09 Obsoletes: Requires: 121454-02 Incompatibles: Packages: SUNWppror, SUNWpprou, SUNWupdatemgru, SUNWupdatemgrr, SUNWppro-plugin-sunos-base
root@rise # showrev -p | egrep '^Patch: (12223[1|2]|12300[3|4|5|6]|124463|12461[4|5])'
Patch: 124615-01 Obsoletes: Requires: Incompatibles: Packages: SUNWscn-base
Patch: 123004-02 Obsoletes: Requires: Incompatibles: Packages: SUNWsamr, SUNWsam
Patch: 123006-05 Obsoletes: Requires: 123004-02, 123631-01 Incompatibles: Packages: SUNWbrg
root@rise # smpatch get
patchpro.backout.directory-""
patchpro.baseline.directory-/var/sadm/spool
patchpro.download.directory-/var/sadm/spool
patchpro.install.types -rebootafter:reconfigafter:standard
patchpro.patch.source-https://getupdates1.sun.com/
patchpro.patchset-current
patchpro.proxy.host -""
patchpro.proxy.passwd********
patchpro.proxy.port -8080
patchpro.proxy.user -""
Let me know if I can provide additional information and thanks again for your detailed responses .... I've at least got a much better appreciation of where some of this stuff lives.
Although I haven't tried to unzip/unjar them am I correct in thinking that the files /var/sadm/spool/cache/Database/https%3A%2F%2Fgetupdates1.sun.com%2F%2FDatabase% 2Fcurrent.zip
and /var/sadm/spool/cache/https%3A%2F%2Fgetupdates1.sun.com%2F%2Fdetectors.jar
represent the set of patches that are currently available. I guess this because they are the same on both machines. Is the an equivalent .zip, .jar, or .xml that represents the current patch state of my machine or does smpatch and updatemanager somehow rely on "showrev -p" for that information?
Thanks,
John
# 5
Happy to help.
Ok the patch levels look fine, except that patch 123004-03 is now available but that shouldn't have an effect on the problem faced here.
Can you post the output from the sequence of commands below
# java -version
Check the required packages:
# pkginfo SUNWzoner SUNWj5rt SUNWj5rtx SUNWpoolr SUNWpool SUNWadmc SUNWadmfr SUNWadmfw SUNWlur SUNWluu SUNWluzone SUNWzoneu SUNWbreg SUNWbrg SUNWbrgr SUNWccccfg SUNWccccr SUNWccccrr SUNWccfw SUNWccfwctrl SUNWccinv SUNWccsign SUNWcctpx SUNWcsr SUNWcsu SUNWdc SUNWppro-plugin-sunos-base SUNWppror SUNWpprou SUNWxcu4 SUNWctpls SUNWmfrun SUNWjdmk-base SUNWxwrtl SUNWxwice SUNWxwfnt SUNWxwplr SUNWxwplt 2>&1 | grep "was not found" | sed -e 's/\"//g' | awk '{print $4" not installed"}' 2>&1
And check if you are actually able to download patches
# smpatch download -i 125101-10
Check for any errors in the messages file:
# egrep -i 'swup|patch' /var/adm/messages
If downtime is possible, a reconfigure reboot could help, and will infact be necessary if applying the kernel patch.
# touch /reconfigure
# init 6
You are correct, the *current.zip file represents the set of patches that are currently available and the *detectors.jar is a set of probes to determine which patches are required by the system.
# 6
Forum Moderator:
OK, here are the responses to the initial commands:
root@rise # java -version
java version "1.5.0_12"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_12-b04)
Java HotSpot(TM) Server VM (build 1.5.0_12-b04, mixed mode)
The lengthy command checking for packages resulted in:
SUNWbreg not installed
SUNWdc not installed
smpatch download -i 125101-10
returned:
125101-10 has been validated
and 'ls -l /var/sadm/spool/*.jar' returns:
-rw-r--r--1 rootroot6565548 Jul 8 20:25 125101-10.jar
The results of grepping for 'swup|patch' in /var/adm/messages
shows nothing recent .... while there were a lot of error messages, they all predated the time when you told me how to fix the CNS transport problem that I had.
I can certainly do a reconfigure reboot and will do that first thing in the morning while I can be there to watch it ... since I work for a university, early morning is my best time to take down machines given the typical graduate student 11 a.m. to 3 a.m. work schedule.
Thanks again for your timely response and I'll let you know if I see anything different after the reconfigure boot.
John
# 7
Forum Moderator:
I did the 'touch /reconfigure' followed by the 'init 6' and notice no change after the reboot.
My one machine still thinks that it is fully patched when I beleive that it is not.
I did check to make sure that my entitlements in /var/sadm/spool/cache/entitlements are the same and they both seem to be:
-START-ENTITLEMENT-TOKENS-
Solaris10
SolarisAllUpdates
Solaris10Security
SolarisSecurityUpdates
SolarisDataIntegrityUpdates
SolarisHardwareUpdates
SolarisUtilityUpdates
Public
--END-ENTITLEMENT-TOKENS--
However, because I was worried that I was somehow mistaken on this issue of my two machines not being equally patched, I did a 'showrev -p | sort > /var/tmp/showrev_sort_(machine_name).txt' on each machine and then did a diff on those two files.
After removing a couple of entries for which the patch levels were the same but the order of the required or incompatible packages differed, I was left with the following listing showing that one machine does, in fact, have something like 20 newer patches. However, I also note that the machine that I beleive is not fully patched, has one additional patch that the "good" machine does not:
< Patch: 124180-01 Obsoletes: Requires: Incompatibles: Packages: SUNWeswupcl, SUNWfswupcl
I gather that those are spanish and french update clusers for the swup package. While I don't know why I have those on this machine, I thought that I'd better mention this in case this is somehow causing a problerm.
Other than that, however, the second machine does seem to have about 20 patches applied that the first does not.
Here is the result of my diff of the sorted 'showrev -p' commands:
24a25
> Patch: 118734-04 Obsoletes: Requires: Incompatibles: Packages: SUNWmibii, SUNWsasnm
45a47
> Patch: 119060-25 Obsoletes: 121869-04 Requires: Incompatibles: Packages: SUNWxwfnt, SUNWxwplt, SUNWxwopt, SUNWxwacx, SUNWxwman, SUNWxwpmn, SUNWxwinc, SUNWxwfs, SUNWxwsrv, SUNWxwxst
64a67
> Patch: 119116-29 Obsoletes: Requires: Incompatibles: Packages: SUNWmoznspr, SUNWmozilla, SUNWmozmail, SUNWmoznss, SUNWmozpsm, SUNWmozgm, SUNWmozilla-devel, SUNWmoznss-devel
70,71c73,74
78a82
> Patch: 119253-20 Obsoletes: 124070-02 Requires: 126678-01 Incompatibles: Packages: SUNWadmap
94a99
> Patch: 119316-09 Obsoletes: 123886-01 Requires: 124189-01 Incompatibles: Packages: SUNWmga
119a125
> Patch: 119549-09 Obsoletes: Requires: Incompatibles: Packages: SUNWgnome-im-client, SUNWgnome-im-client-share
148a155
> Patch: 119907-10 Obsoletes: Requires: Incompatibles: Packages: SUNWgnome-vfs-share, SUNWgnome-vfs, SUNWgnome-vfs-devel
190a198
> Patch: 120200-09 Obsoletes: 124074-01 Requires: 126678-01 Incompatibles: Packages: SUNWadmr, SUNWadmap
268a277
> Patch: 120987-12 Obsoletes: 121009-02, 121275-01, 121415-01, 123933-03 Requires: 118844-24, 118855-36, 119375-09 Incompatibles: Packages: SUNWcsu, SUNWcsr
352a362
> Patch: 122033-05 Obsoletes: Requires: Incompatibles: Packages: SUNWcsu
451a462
> Patch: 123779-02 Obsoletes: Requires: 118855-36 Incompatibles: Packages: SUNWpsdcr, SUNWpsdir, SUNWpsh
460d470
< Patch: 124180-01 Obsoletes: Requires: Incompatibles: Packages: SUNWeswupcl, SUNWfswupcl
499a510
> Patch: 124629-03 Obsoletes: 126678-02 Requires: 119082-25 Incompatibles: Packages: SUNWadmlib-sysid
> Patch: 125101-10 Obsoletes: 119999-03, 124917-03, 124996-01, 125019-02 Requires: 118344-14, 118855-36 Incompatibles: Packages: SUNWcsu, SUNWcsr, SUNWckr, SUNWcakr, SUNWhea, SUNWos86r, SUNWdtrc, SUNWdtrp, SUNWmdbr, SUNWmdb
548a561
> Patch: 125132-01 Obsoletes: Requires: 118855-36 Incompatibles: Packages: SUNWcsr
583a597
> Patch: 125794-02 Obsoletes: Requires: 118855-36 Incompatibles: Packages: SUNWcsu, SUNWrcmdc, SUNWrcmds
597a612,614
> Patch: 126309-01 Obsoletes: Requires: 118855-36 Incompatibles: Packages: SUNWckr
> Patch: 126311-01 Obsoletes: Requires: Incompatibles: Packages: SUNWcslr
> Patch: 126313-01 Obsoletes: Requires: 118855-36 Incompatibles: Packages: SUNWqos
599a617
> Patch: 126321-01 Obsoletes: Requires: 118855-36 Incompatibles: Packages: SUNWckr
602a621
> Patch: 126837-01 Obsoletes: Requires: 118855-36 Incompatibles: Packages: SUNWrsg, SUNWrsgk
Thank you for your continued assistance and suggestions,
John
