1 Reply Latest reply on Apr 27, 2012 2:42 PM by Bill Robinson

    Unexpected behavior with Solaris Analysis in 8.1 with Includes and Excludes list

      I'm not sure how many of you are using BladeLogic 8.1 to patch, but we stumbled upon an interesting behavior this week that I thought would be worth sharing in case someone else comes across it.  I looked through the release notes and didn't see anything that describes these issues.  We are currently using 8.1 SP1, getting ready to go to 8.2 when it comes out.


      We found circumstances where patches we didn't include were being included and patches we were trying to exclude were being excluded.  Our solution was to be more clever in our include lists and avoid using exclude lists.


      Includes we never included:


      If an older version of an existing patch id is included and then excluded, the newer version of the patch will be included, even though the new version is not on the includes list. E.g. you have an includes list of all security patches and an excludes list of all Obsolete patches (yes, this could be done in a single includes list, but I am using a simple example).  Patch x-01 is included because it is a security patch, but it has been replaced by x-02, so x-01 is obsolete.  The happy people at Oracle decided that x-02 doesn't need to be a security patch.  You run analysis and it reports that x-02 is missing even though you never included it.


      Why it is happening:


      I did some digging and testing and found that when the includes list is processed, it is done without patch versions, just patch ids.  So the big include list just says analyze for patch x.  There is a file that has all the ignores in it too, but it is only saying ignore patch x-01, implying that patch x-02 is okay.


      Excludes not being excluded:


      If an older (obsolete) version of a patch and a newer version of a patch are being excluded, there is a random chance that the newer version may still be included in analysis.  E.g. like above, all security patches are included and all obsolete are excluded.  Patch x-01 is obsolete and Patch x-02 is not.  They are both security patches.  Somebody decides that Patch x-02 breaks something in an application, so it can't go in, so you make a list just for this patch and exclude it in the analysis job.  Sometimes when you run the analysis, it shows this patch as missing and sometimes it doesn't show up at all (is properly excluded).


      Why it is happening:


      It turns out the order in the ignore list used by the analysis matters, but the list appears to be generated randomly.  The order matters because if you are excluding two patches with the same id and the newer version is listed first, it doesn't appear to get excluded.


      I hope all of that made sense.  Moral of the story: avoid excludes on Solaris if you can.  I have reported this, so maybe there will be a day I can post a follow-up saying to ignore it after a certain version.


      I like smart groups, but wish there were better boolean controls (grouping statements together with ANDs and ORs).  Technically what is there should be able to accomplish almost anything, but just a tiny bit more sophistication in the smart groups would go a really long way.


      For those of you still with me: THANKS.


      Craig Ludlow

        • 1. Unexpected behavior with Solaris Analysis in 8.1 with Includes and Excludes list
          Bill Robinson

          Problem with Include List 

          -------------------------------

          Patch x-01 is specified in the list, but analysis returns Patch x-02 (i.e. a higher version of the patch). This I believe is consistent with how analysis should happen and is how PCA (the analysis engine) under the hood behaves. Until recently, if a higher version of a patch was released it meant the older version was obsolete and the user should install the higher version of the patch, which essentially is the next version of the patch. Now what Oracle has done recently is flip the definition of “obsolete” and state that an older version of a patch could be termed “Security” where the next higher version of the same patch may not be termed “Security”. Sounds strange, but per Oracle, although the next higher version has the fix, it may have other fixes which don’t fit the definition of security and hence users should install the obsolete patch. I believe this behavior change is fixed in a later version of PCA, so probably we need to get the latest version of PCA, test it and release an appserver fix.


          If the user is only concerned with “Recommended” and “Security” patches, the best way is to analyze using the group mode, which is internally a mode supported by PCA, and the results will differ from creating an include list of patches. The details which the user describes, with the include list being created without the version etc., are being done to ensure PCA returns the correct result. Basically, if you pass a list of patches with their version id, PCA does not check for the OS & Arch applicability of the patch.


          Problem with Exclude List

          -------------------------------

          > Excludes not being excluded: If an older (obsolete) version of a patch and a newer version of a patch are being excluded, there is a random chance that the newer version may still be included in analysis.  Eg. Like above, all security patches are included and all obsolete are excluded.  Patch x-01 is obsolete and Patch x-02 is not.  They are both security patches.  Somebody decides that Patch x-02 breaks something in an application, so it can't go in, so you make a list just for this patch and exclude it in the analysis job.


          The only case this is possible is if they are dependent on another patch which is missing on the system.  E.g. if Patch y-03 had a dependency on Patch x-01, then even if you exclude Patch x-01 it will still show up as missing if Patch y-03 is reported as missing, simply because analysis results assume you intend to deploy and need to have the dependencies complete, else deploy is bound to fail.


          Now if Patch x-01 /02 was not a part of any dependency, I don’t believe it should show up.
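The following is an added example, not code from BladeLogic, PCA or either poster. It models the three behaviours described in this thread (an include list reduced to patch ids without revisions, excludes matched on the full id, and an excluded patch resurfacing as a dependency of another missing patch) against a small constructed catalogue, and adds a pre-flight lint that flags the two exclude-list shapes Craig reported as misbehaving. The patch ids, the security/obsolete flags and the dependency map are all constructed sample data; the id format follows the usual Solaris "base-revision" convention.

```python
# Added example (not BladeLogic/PCA code): model of include/exclude resolution
# as described in the thread, plus a pre-flight check for the two traps.
import re
from typing import Dict, Iterable, List, Optional, Set

# Solaris patch ids look like "123456-02": six-digit base id, two-digit revision.
PATCH_RE = re.compile(r"^(\d{6})-(\d{2})$")


def split_patch(pid: str):
    """Return (base_id, revision) for a Solaris-style patch id."""
    m = PATCH_RE.match(pid)
    if not m:
        raise ValueError(f"not a Solaris patch id: {pid!r}")
    return m.group(1), int(m.group(2))


# Constructed sample catalogue standing in for the vendor metadata.
# 100001-01 plays the thread's "x-01": a security patch obsoleted by 100001-02,
# which the vendor did not flag as security.
CATALOGUE: Dict[str, Dict[str, bool]] = {
    "100001-01": {"security": True, "obsolete": True},
    "100001-02": {"security": False, "obsolete": False},
    "100002-01": {"security": True, "obsolete": False},
    "100003-03": {"security": False, "obsolete": False},
}

# Constructed dependency map (Bill's "y-03 requires x-01" case).
DEPENDS_ON: Dict[str, List[str]] = {"100003-03": ["100001-01"]}


def analyze(catalogue: Dict[str, Dict[str, bool]], includes: Iterable[str],
            excludes: Iterable[str], installed: Iterable[str] = (),
            depends_on: Optional[Dict[str, List[str]]] = None) -> List[str]:
    """Patches the modelled analysis would report as missing.

    - includes are reduced to base ids (revision dropped), so every revision
      of an included patch becomes a candidate;
    - excludes are matched on the full "base-rev" id;
    - a reported patch drags in its missing dependencies even if excluded.
    """
    depends_on = depends_on or {}
    include_bases = {split_patch(p)[0] for p in includes}
    excluded, present = set(excludes), set(installed)
    missing: Set[str] = set()
    for pid in catalogue:
        base, _ = split_patch(pid)
        if base in include_bases and pid not in excluded and pid not in present:
            missing.add(pid)
    queue = list(missing)            # dependency closure, excludes not consulted
    while queue:
        for dep in depends_on.get(queue.pop(), []):
            if dep not in present and dep not in missing:
                missing.add(dep)
                queue.append(dep)
    return sorted(missing)


def select_patches(catalogue: Dict[str, Dict[str, bool]], security: Optional[bool] = None,
                   obsolete: Optional[bool] = None) -> List[str]:
    """Build an include list with all criteria ANDed up front, so that no
    exclude list is needed (Craig's workaround)."""
    chosen = []
    for pid, meta in catalogue.items():
        if security is not None and meta["security"] != security:
            continue
        if obsolete is not None and meta["obsolete"] != obsolete:
            continue
        chosen.append(pid)
    return sorted(chosen)


def lint_lists(catalogue: Dict[str, Dict[str, bool]], includes: Iterable[str],
               excludes: Iterable[str]) -> List[str]:
    """Warn about the two exclude-list shapes the thread reports as unreliable."""
    warnings: List[str] = []
    include_bases = {split_patch(p)[0] for p in includes}
    excluded = set(excludes)
    revs_in_catalogue: Dict[str, List[str]] = {}
    for pid in catalogue:
        revs_in_catalogue.setdefault(split_patch(pid)[0], []).append(pid)
    excluded_by_base: Dict[str, List[str]] = {}
    for p in excluded:
        base, _ = split_patch(p)
        excluded_by_base.setdefault(base, []).append(p)
        others = [q for q in revs_in_catalogue.get(base, []) if q not in excluded]
        if base in include_bases and others:
            warnings.append(f"include list drops revisions: excluding {p} still "
                            f"leaves {', '.join(others)} in scope")
    for base, revs in excluded_by_base.items():
        if len(revs) > 1:
            warnings.append(f"exclude list holds several revisions of {base} "
                            f"({', '.join(sorted(revs))}); exclusion was observed "
                            f"to depend on ignore-file order")
    return warnings


if __name__ == "__main__":
    security, obsolete = select_patches(CATALOGUE, security=True), select_patches(CATALOGUE, obsolete=True)
    print("include security / exclude obsolete ->", analyze(CATALOGUE, security, obsolete))
    print("lint:", lint_lists(CATALOGUE, security, obsolete))
    print("pre-filtered include list ->", analyze(CATALOGUE, select_patches(CATALOGUE, True, False), []))
    print("dependency pull-in ->", analyze(CATALOGUE, ["100003-03"], ["100001-01"], depends_on=DEPENDS_ON))
```

Run stand-alone, the first line shows 100001-02 reported although only 100001-01 was ever on the include list, the lint names that exact gap, the pre-filtered include list (security AND not obsolete) reports only 100002-01 with no exclude list at all, and the last line shows the excluded 100001-01 coming back because 100003-03 requires it. The lint is the part worth keeping in a change-control step: run it over the lists before an analysis job so that multi-revision excludes and excludes that shadow an included base id are caught before the results are trusted.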