This document is relevant to 4.0 --> 4.2:
Sometimes patches that are approved will appear in the deployment status section and other times they will not. Why does this happen? How can I know that my patch detect and / or deploy worked?
This document will attempt to explain the answers to those questions. Before reading this document you should have an understanding of how patching works.
Patches can be approved for machines that are not eligible to receive the patch.
This statement may seem counter-intuitive, but it is important to note that when picking machines the K1000 appliance has very little ability to determine if the target machine should be eligible for the patch you are assigning. This is because of the following facts:
- The information in inventory is not real-time. When you are selecting a machine for deployment you are selecting a machine that appears in the inventory or that matches a label. The specifications of that machine may change the next time that it checks in, or more importantly, the next time that patching is run. For example, the host OS may change. This example may seem extreme, but as far as patching is concerned XP SP2 is a different OS from XP SP3 -- a completely reasonable scenario. Furthermore, when you are selecting machines by label there are no guarantees that the membership of that label is going to be the same when the patch is detected/deployed. A label may also contains machines with a mix of different OSes
- The actual detection of whether the patch can be run on your platform or not is done based on OS and other pre-requisites. While the host OS is a key factor in determining which patches have the potential for deployment it is possible for patches to have other pre-requisites before they are applied. For example, a fix for an windows component must first have that component installed
Therefore, it is up to you to select the right machines for approval as well as the right machines for detect and deploy.
The inputs to the detect process are the same for every machine with that host OS:
- list file of potential patches
- signature file for those patches
The outputs of the detect process are unique to that machine:
- A list of patches that can be deployed to the machine
What happens during patch detection is that at run-time K1000 appliance detects your OS and then an OS-specific file containing a list of all the potential patches for that machine is sent to the machines in the "detect" definition. Each patch is then compared to the machine to determine if the machine is eligible for that patch (ie. if the machine meets the pre-requisites for receiving that patch).
This list of patches is the same for every machine. This list of patches contains EVERY Patch definition for the host OS. All patches are detected on every detect phase -- including patches that have been approved and those that have been declined. Therefore, the detect phase examines the same patches for that OS regardless of what you have approved or not and regardless of what the pre-requisites are.
Note that the files involved in this process are very small and do not include the actual patches themselves.
The inputs to the patch deployment process are:
- A list of patches that can be deployed to that machine
- The list of patches that have been approved
- The binaries for patches that have been approved (downloaded to your k1000 appliance automatically)
The outputs of the patch process are:
- Status on deployment
- Patched software
During patch deployment the K1000 appliance will only send the approved patches for that machine that were determined to be eligible with the detect phase.
When the deployment phase is finished then patches that failed will show up in the "Deployment Status" section of your inventory. It will look something like this screenshot (note that these results have been trimmed in order to show the three main "Detect Status" types):
Not all Patches that are successfully deployed will show in the deployment status section. This is because that successfully deployed patches will either have a status of "NOT APPLICABLE" or a status of "PATCHED". Patches with a status of "NOT APPLICABLE" will disappear from the detection results. Some examples of this are windows service packs or Mac combo updates, but there are others.
The detection results under the "Deployment Status" of a machine is always the current snapshot based on most recent detection run. In our earlier example of service pack 3, it was a patch (ie SP3) that actually caused the host OS to change from XP SP2 to XP SP3 and thus SP3 is not longer relevant to this machine. In this case the patch may show up in the section called "installed patches (via inventory)". It might look like this:
The section "installed patches (via inventory)" is actually just a reporting of the add/remove programs list and has nothing to do with the patching process. However, it is a way to verify if some patches have been installed when detection considers them "not applicable"
Lastly, you will always know that your detection phase is complete based on the newest timestamp in the "Deployment status" results. Remember, that a detect always scans all eligible patches -- it cannot display detect results for one patch and leave out another. If you see otherwise then there may be a problem
If you are also running "Windows Update" (WSUS) or another patching service in addition to k1000 appliance then it is possible that your inventory section of "installed patches (via inventory)" will report conflicting results from the last patching run. This would happen when something has intervened to install new patches in between detect phases of the KBOX. If you are using more than one patching service then you should evaluate which one to keep and turn off the other.