Hot-patching is a very interesting feature that provides AOS-CX switches with a way to update running software without rebooting their system. Hot-patches are distributed as signed .patch files and are applied on top of an official AOS-CX image. This feature also enhances support for security and stability patches.
A hot-patch can be downloaded onto a CX switch with the “copy” command over TFTP/SCP and then applied without rebooting the switch. By default, the software patch remains on the switch after it is applied and is automatically reapplied when the switch reboots.
In order to revert an applied hot-patch update, the patch must be disabled. When the hot-patch is disabled, a reboot will be required, though the hot-patch will still remain on the system. After the initial reboot, the disabled hot-patch can be removed from the system without the need for a second reboot. Once a downloaded hot-patch is removed, it must be downloaded again before it can be reapplied.
In this short technote we’ll demonstrate how to add a hot-patch to an existing CX switch.
Before you start
AOS-CX hot-patch software can be obtained from the Aruba Technical Assistance Centre (TAC) and is identified by a .patch extension.
Note that the feature was added back in the CX 10.10 firmware release.
The name of the patch indicates the version of AOS-CX to which it can be applied. For example, the patch FL.10.10.XXXX-YYYY.patch indicates that the patch can be applied on top of switch image FL.10.10.XXXX.swi and brings software up to date with the FL.10.10.YYYY release.
Hot-patch software can be applied only after it has been downloaded to the switch.
Hot-patch software can be applied to a standalone CX switch or to a VSF stack of CX switches.
With AOS-CX 10.12, hot-patching is now supported on the entire CX range of switches (incl. CX 10K switches).
With AOS-CX 10.12, hot-patching is now supported for third party software components, both open source libraries and utilities as well as commercial software licensed from external vendors.
Only daemons that are restartable can be updated with a hot-patch file.
Each hot-patch applies to only one release image and each subsequent hot-patch for that release image is cumulative. This means that applying the most recent hot-patch provides all the same fixes included in previous hot-patches. As such, only one hot-patch can be applied at a time.
A maximum of 10 hot-patches are allowed to be present or preconfigured on the system at a time.
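As a pre-apply check for the naming and cumulative-patch rules above, the following added example (not Aruba's code and not from the original technote) parses hot-patch file names, reads the active image version from `show images` output, and picks the patch to apply. It assumes that the highest numeric target release is the most recent patch; the function names, sample output and file names are constructed for illustration.

```python
import re

# <platform>.<major>.<minor>.<base>-<target>.patch, per the naming rule above.
# The demo patch on this page uses underscores, so both separators are accepted.
PATCH_RE = re.compile(r"^([A-Z]{2})[._](\d+)[._](\d+)[._](\d+)-(\w+)\.patch$")

def parse_patch_name(filename):
    """Return (base_image_version, target) encoded in a hot-patch file name."""
    m = PATCH_RE.match(filename)
    if not m:
        raise ValueError(f"not a recognised hot-patch name: {filename!r}")
    plat, major, minor, base, target = m.groups()
    return f"{plat}.{major}.{minor}.{base}", target

def active_image_version(show_images):
    """Return the version of the image that 'Active Image' points at."""
    slot = re.search(r"Active Image\s*:\s*(\w+)", show_images)
    if not slot:
        raise ValueError("no 'Active Image' line found")
    section = re.search(
        rf"ArubaOS-CX {slot.group(1)} Image.*?Version\s*:\s*(\S+)",
        show_images, re.S | re.I)
    if not section:
        raise ValueError("no version found for the active image")
    return section.group(1)

def newest_applicable(patch_files, show_images):
    """Pick the patch built for the running image with the highest numeric target.

    Assumption: a higher target release number means a more recent patch.
    Patches with a non-numeric target (test builds) are not ranked.
    """
    running = active_image_version(show_images)
    candidates = []
    for name in patch_files:
        base, target = parse_patch_name(name)
        if base == running and target.isdigit():
            candidates.append((int(target), name))
    return max(candidates)[1] if candidates else None

# Constructed sample, abridged from the `show images` output format.
SAMPLE = """\
ArubaOS-CX Primary Image
Version : FL.10.10.1060
ArubaOS-CX Secondary Image
Version : FL.10.12.0006
Default Image : secondary
Active Image : secondary
"""
# Constructed file names, not real patch releases.
FILES = ["FL.10.12.0006-0011.patch", "FL.10.12.0006-0021.patch",
         "FL.10.10.1060-1070.patch"]
```

Because hot-patches are cumulative and only one can be applied at a time, the check returns a single file name, or None when no patch on hand was built for the running image.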
Adding Hot Patch
We are using a simple hot-patch for demonstration purposes. This hot-patch ensures that the proper error message is displayed when the IP-SLA responder command is used with a responder name of more than 63 characters (AOSCX-269835). Here we’ll start by ensuring that the switch firmware is 10.12.0006.
6300M-2# sh images
---------------------------------------------------------------------------
ArubaOS-CX Primary Image
---------------------------------------------------------------------------
Version : FL.10.10.1060
Size : 920 MB
Date : 2023-05-02 18:43:40 UTC
SHA-256 : b8fcf15607db2b702daeda5cf8a969862d511bb798d02923d88880f13d834c6

---------------------------------------------------------------------------
ArubaOS-CX Secondary Image
---------------------------------------------------------------------------
Version : FL.10.12.0006
Size : 888 MB
Date : 2023-05-31 23:02:41 UTC
SHA-256 : 73623c65b67a395bca8dfe2b539cd3174400688fc80ae4bb50755c97d26167b1

Default Image : secondary
Boot Profile Timeout : 5 seconds

------------------------------------------------------
Management Module 1/1 (Active)
------------------------------------------------------
Active Image : secondary
Service OS Version : FL.01.12.0002
BIOS Version : FL.01.0002
6300M-2#
Log in to the CLI and verify the system is ready.
6300M-2# sh module

Management Modules
==================
     Product                                        Serial
Name Number  Description                            Number     Status
---- ------- -------------------------------------- ---------- ----------------
1/1  JL661A  6300M 48G CL4 PoE 4SFP56 Swch          SG1AKN01MQ Active (local)

Line Modules
============
     Product                                        Serial
Name Number  Description                            Number     Status
---- ------- -------------------------------------- ---------- ----------------
1/1  JL661A  6300M 48G CL4 PoE 4SFP56 Swch          SG1AKN01MQ Ready
6300M-2#
Check the output of the IP-SLA responder error. When applied, the patch will change the “Command failed” error message to a more informative one.
Note that because the hot-patch updates IP-SLA’s CLI library, which plugs in to VTYSH/CLI, the user needs to log out of the current SSH/CLI context and log back in for the updated library to take effect.
Removing the patch
An applied hot-patch can be un-applied and also removed from the device with the commands shown below.
To un-apply the hot-patch, simply use this command and then reboot the switch. Note that as of firmware version 10.12, there is no need to reboot the switch after removing/disabling a patch.
6300M-2# config
6300M-2(config)# no hot-patch apply FL_10_12_0006-ATMTEST.patch
6300M-2(config)#
6300M-2(config)# show hot-patch
Name                                  Status
------------------------------------- ------
FL_10_12_0006-ATMTEST.patch           Not applied
6300M-2(config)#
Once you remove the hot-patch, the patch cannot be reapplied unless it is downloaded again. For further info please refer to this video.