I'm not sure how many of you are using BladeLogic 8.1 to patch, but we stumbled upon an interesting behavior this week that I thought would be worth sharing in case someone else comes across it. I looked through the release notes and didn't see anything that describes these issues. We are currently using 8.1 SP1, getting ready to go to 8.2 when it comes out.
We found circumstances where patches we didn't include were being included and patches we were trying to exclude were being excluded. Our solution was to be more clever in our include lists and avoid using exclude lists.
Includes we never included:
If an older version of an existing patch id is included and then excluded, the newer version of the patch will be included, even though the new version is not on the includes list. E.g. you have an includes list of all security patches and an excludes list of all Obsolete patches (yes, this could be done in a single includes list, but I am using a simple example). Patch x-01 is included because it is a security patch, but it has been replaced by x-02, so x-01 is obsolete. The happy people at Oracle decided that x-02 doesn't need to be a security patch. You run analysis and it reports that x-02 is missing even though you never included it.
Why it is happening:
I did some digging and testing and found that when the includes list is processed, it is done without patch versions, just patch ids. So the big include list just says analyze for patch x. There is a file that has all the ignores in it too, but it is only saying ignore patch x-01, implying that patch x-02 is okay.
Excludes not being excluded:
If an older (obsolete) version of a patch and a newer version of a patch are being excluded, there is a random chance that the newer version may still be included in analysis. E.g. like above, all security patches are included and all obsolete are excluded. Patch x-01 is obsolete and Patch x-02 is not. They are both security patches. Somebody decides that Patch x-02 breaks something in an application, so it can't go in, so you make a list just for this patch and exclude it in the analysis job. Sometimes when you run the analysis, it shows this patch as missing and sometimes it doesn't show up at all (it is properly excluded).
Why it is happening:
It turns out the order in the ignore list used by the analysis matters, but the list appears to be generated randomly. The order matters because if you are excluding two patches with the same id, if the newer version is listed first, it doesn't appear to get excluded.
I hope all of that made sense. Moral of the story - avoid excludes on Solaris if you can. I have reported this, so maybe there will be a day I can post a follow-up to ignore it after a certain version.
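The two symptoms above come down to the same thing: what the analysis job actually checks for is not the set you thought you asked for. The script below is an added illustration (not BladeLogic code, and not the poster's) of the workaround described in this post and of a check you can run after each analysis. It builds a single explicit include list at patch-id plus revision granularity so that no exclude list is needed, and it diffs an analysis result against the intended include and exclude lists to flag both failure modes: a patch reported missing that was never included, and an excluded patch that leaked through. The patch catalogue, the security/obsolete flags and the "reported missing" lists are all constructed to mirror the x-01 / x-02 example.

```python
"""Audit a patch analysis result against the intended include/exclude lists.

Added illustration, not BladeLogic's own code. The catalogue below is
constructed to mirror the post's example: x-01 is a security patch that
x-02 has made obsolete, and x-02 itself is not flagged as security.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    pid: str        # patch id, e.g. "x"
    rev: int        # revision number, e.g. 1 for "x-01"
    security: bool  # vendor flagged it as a security patch
    obsolete: bool  # superseded by a newer revision

    @property
    def name(self) -> str:
        return f"{self.pid}-{self.rev:02d}"


# Constructed sample catalogue (not real Solaris patch ids).
CATALOGUE = [
    Patch("x", 1, security=True, obsolete=True),
    Patch("x", 2, security=False, obsolete=False),
    Patch("y", 1, security=True, obsolete=False),
    Patch("z", 1, security=False, obsolete=False),
]


def build_include_list(catalogue, blocked=frozenset()):
    """The workaround from the post: fold every rule into one explicit include
    list keyed by id AND revision, so no exclude list is needed.

    `blocked` holds patch names an application owner has vetoed (the post's
    "x-02 breaks something" case); they are simply left out of the include list.
    """
    return sorted(
        p.name
        for p in catalogue
        if p.security and not p.obsolete and p.name not in blocked
    )


def audit_analysis(include_names, exclude_names, reported_missing):
    """Diff what the analysis job reported against what was intended.

    Returns (unexpected, leaked):
      unexpected - patches reported missing although never on the include list
                   (symptom 1: x-02 shows up because x-01 was included by id)
      leaked     - patches reported missing although they were on the exclude
                   list (symptom 2: the exclude was silently dropped)
    """
    included = set(include_names)
    excluded = set(exclude_names)
    reported = set(reported_missing)
    unexpected = sorted(reported - included)
    leaked = sorted(reported & excluded)
    return unexpected, leaked


if __name__ == "__main__":
    # Symptom 1: naive include-by-security plus exclude-obsolete.
    naive_include = [p.name for p in CATALOGUE if p.security]      # x-01, y-01
    naive_exclude = [p.name for p in CATALOGUE if p.obsolete]      # x-01
    reported = ["x-02", "y-01"]                                    # constructed job output
    print("symptom 1:", audit_analysis(naive_include, naive_exclude, reported))

    # Symptom 2: x-02 vetoed by an app owner, but the job still reports it.
    print("symptom 2:", audit_analysis(["x-01", "x-02", "y-01"], ["x-01", "x-02"], reported))

    # Workaround: one explicit include list, nothing to exclude.
    print("explicit include list:", build_include_list(CATALOGUE))
    print("with x-02 vetoed:", build_include_list(CATALOGUE, blocked={"y-01"}))
```

Running the audit after every analysis job turns the "sometimes it shows up, sometimes it doesn't" behaviour into a concrete list you can act on before patches are deployed, and the explicit include list removes the exclude path that triggers it.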
I like smart groups, but wish there were better boolean controls (grouping statements together with ANDs and ORs). Technically what is there should be able to accomplish almost anything, but just a tiny bit more sophistication in the smart groups would go a really long way.
For those of you still with me - THANKS.