Solaris ipfilter broken by Patch 125503-02

We recently installed a number of patches onto a T1000 server running Solaris 10 U3, only to discover that the ipfilter service was broken thereafter. The service itself appeared to be configured correctly with no visible signs of error but we discovered that many ports that we had configured to be blocked from certain sources were not.

After some careful analysis of the patches applied, we discovered that Patch 125503-02 had replaced a number of the files associated with the SUNWipfilter package, resulting in the main network interface for our system no longer being plumbed for use with the pfil driver.

Here is how we recovered from this situation:

1. Back out the patch and reboot

# smpatch remove -i 125503-02
# reboot

2. Replumb the appropriate network interface

# ifconfig bge0 modinsert pfil@2
# autopush -f /etc/ipf/pfil.ap
# ifconfig bge0 unplumb
# ifconfig bge0 plumb

Note: Replace bge0 with e1000g0 for a T2000 and ensure your pfil.ap has the correct entry in it.
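Because the service looked healthy while nothing was being filtered, a post-patch check is worth having. The script below is an added example written for this post (not the author's or Sun's code): it parses the output of `ifconfig <if> modlist` and the contents of /etc/ipf/pfil.ap to tell whether pfil is actually in the interface's STREAMS stack; the interface and driver names and the SAMPLE_* outputs are constructed stand-ins for the real command output.

```shell
#!/bin/sh
# Added example (not from the original post): check whether pfil is really in
# an interface's STREAMS stack and whether /etc/ipf/pfil.ap will push it on
# replumb. Driver names and SAMPLE_* outputs are constructed; on a real host
# feed it the output of "ifconfig bge0 modlist" and "cat /etc/ipf/pfil.ap".

# Constructed: "ifconfig bge0 modlist" with pfil missing (the post-patch state).
SAMPLE_MODLIST_BROKEN='0 arp
1 ip
2 bge'

# Constructed: the healthy stack after "ifconfig bge0 modinsert pfil@2".
SAMPLE_MODLIST_OK='0 arp
1 ip
2 pfil
3 bge'

# Constructed /etc/ipf/pfil.ap with only the bge driver enabled.
SAMPLE_PFIL_AP='# IP Filter and ipnat autopush setup
#major  minor lastminor modules
#hme    -1    0         pfil
bge     -1    0         pfil'

# pfil_in_modlist MODLIST: exit 0 if a pfil module is in the stack, else 1.
pfil_in_modlist() {
  printf '%s\n' "$1" | grep -q '^[0-9][0-9]*[[:space:]]\{1,\}pfil$'
}

# pfil_ap_has_driver PFIL_AP DRIVER: exit 0 if an uncommented autopush line
# for DRIVER (e.g. bge for bge0) pushes pfil, else 1.
pfil_ap_has_driver() {
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
    | grep -q "^${2}[[:space:]].*[[:space:]]pfil[[:space:]]*$"
}

# ipf_plumb_status MODLIST PFIL_AP DRIVER: 0 = filtering in path,
# 1 = pfil.ap fine but module not plumbed (rules load, nothing is filtered),
# 2 = no pfil.ap entry, so unplumb/plumb alone will not restore filtering.
ipf_plumb_status() {
  if ! pfil_ap_has_driver "$2" "$3"; then
    echo "FAIL: no uncommented pfil entry for driver $3 in pfil.ap"; return 2
  fi
  if ! pfil_in_modlist "$1"; then
    echo "FAIL: pfil not in the STREAMS stack; ipf rules are not applied"; return 1
  fi
  echo "OK: pfil is plumbed for $3"; return 0
}

ipf_plumb_status "$SAMPLE_MODLIST_BROKEN" "$SAMPLE_PFIL_AP" bge || :
ipf_plumb_status "$SAMPLE_MODLIST_OK" "$SAMPLE_PFIL_AP" bge
```

On a T2000 pass e1000g as the driver argument and capture `ifconfig e1000g0 modlist` instead.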

Thanks to derkeiler.com for assistance.

Corrupted Boot Archive after Solaris X86 patch update

I’ve installed a number of Solaris 10 X86 (U3) systems recently and hit a very annoying issue on each one of them, which results in the system not booting after installing the latest applicable patches for that system. Immediately after the GRUB boot menu times out and it attempts to boot Solaris, it returns with a “corrupted boot_archive. No boot device available” message. No other information is presented.

Here is how I recovered from this situation:

  1. Boot the system in Failsafe mode
  2. The system will detect your Solaris boot partition and offer to mount it on /a. Select Yes when asked about this.
  3. Once the system completes its Failsafe boot, go to /a/platform/i86pc and remove the file called boot_archive.
  4. Reboot the system using the “reboot” command, whereby the system appears to regenerate the file you just deleted.
  5. The system should then boot normally again.

After installation and registration of a fresh Solaris system, I usually run the smpatch update command at least once to bring the system to a reasonable patch level (before installing any other software on it). I realise that this may not be entirely advisable in a live environment, but on a fresh install I feel it should be a reasonable thing to do. After all, the man pages for the smpatch command state (for the update subcommand):

This subcommand analyzes the system, then downloads the appropriate updates from the Sun update server to your system. After the availability of the updates has been confirmed, the updates are applied based on the update policy. …If an update does not meet the policy for applying updates, the update is not applied.

I have used this technique several times on SPARC-based systems without issue. It only appears to happen on X86 installations.