According to TechTarget, a software patch is a “quick-repair job for a piece of programming designed to resolve functionality issues, improve security and add new features.” As I’m sure you already know, there is no such thing as a perfect software program, therefore patches are very common. And this also applies to Cloud Pak for Data world. Considering this, one of the most important Day2 operation is applying the patches for Cloud Pak for Data. In this article, I'd like to share the experience or best practice for applying the Cloud Pak for Data patches.

Assumption

In this article, we assume you are using the latest CPD version - CPD 3.5 on OCP 4.5/4.6.

Introduction to Cloud Pak for Data patches

Cloud Pak for Data is based on OCP. So in terms of patches, there will be basically two parts :
Part 1: OCP patches
Part 2:Cloud Pak for Data patches

Patch OCP 4 with OCP upgrade
You should not apply security patch for OCP4 manually. RHCOS is an immutable container host, rather than a customizable operating system like RHEL, so manual low-level modification of RHCOS systems in OpenShift Container Platform is not supported and put systems at risk of having changes overwritten by upgrades or operators.

Ongoing security patches and bug fixes for OCP 4 are released weekly for each supported version of OpenShift. They call this stream of updates the “z-stream” in reference to the x.y.z semantic versioning scheme.

OCP 4 providing a modern release driven, phased life cycle, where in at least 3 minor versions could be supported at any point in time. The time period of support is determined by the future release schedule. Red Hat aims to forecast these at a 3 month cadence, providing customers ample opportunity to plan.

For more details, please refer to the following two links.

The Ultimate Guide to OpenShift Release and Upgrade Process for Cluster Administrators:
https://www.openshift.com/blog/the-ultimate-guide-to-openshift-release-and-upgrade-process-for-cluster-administrators

Red Hat OpenShift Container Platform Life Cycle Policy
https://access.redhat.com/support/policy/updates/openshift

In addition, make sure you upgrade the OCP 4 to the officially supported version by Cloud Pak for Data when your current OCP 4 version falling into End of Support.

And for getting the officially supported version by Cloud Pak for Data, you can refer to the System Requirements and What's New about CPD 3.5 in IBM Knowledge Center.
https://www.ibm.com/docs/en/cloud-paks/cp-data/3.5.0?topic=planning-system-requirements
https://www.ibm.com/docs/en/cloud-paks/cp-data/3.5.0?topic=overview-whats-new

And it's recommended you subscribe to Cloud Pak for Data for notifications. I'll also discuss about how to do this in later part.

Cloud Pak for Data patches

1)Subscribing to the CPD product can get you receiving notification when new patches released.

And here's how you can subscribe to CPD.

There's a 2:38 mins video explaining what it is and how to subscribe:
https://mediacenter.ibm.com/media/Using+the+IBM+My+Notifications+subscription+service/1_8nldqz8m/71754582

Alternatively in a readable format:https://www.ibm.com/support/pages/about-my-notifications

2)You can also Checking for available patches manually
For example, we want to determine whether there are any patches available for the version of Watson Studio that you installed:

Clusters connected to the internet:

Run the following command to check for patches:

./cpd-cli status \
--repo ./repo.yaml \
--namespace Project \ 
--assembly wsl \
--patches \
--available-updates 

Air-gapped clusters
When opening this link https://www.ibm.com/support/pages/node/6327429#3.5.0 , you can search for the patches with your keyword (assembly name) input in the search box.


Note:
Not all assemblies will have the patches released to address the bugs or security vulnerabilities. Some assembly, e.g. WSL will require upgrading the assembly to a newer minor version for getting the fixes instead.

Key points about applying the patch

1) Find a time window for the patch as it may disrupt the services.
Even applying the patches may require only a short time, it's better you find a time window for this operation for minimizing the risk and the impact to your production end-users.

2) Know the purpose, type and prerequisites for the patch to be applied.
It's recommended you have answers to the following questions before applying the patches.
a)Is the patch what you want so that it can address either the problems you met?

b)Is the patch type Cumulative or Additive one?
If it's Cumulative, then you only need to apply the latest patch as it includes the fixes introduced in earlier patches.

c)Is there any Prerequisites or Dependencies before applying this patch?

d)Is there any pre-work or post-work to do for applying the patch?

e)Any particular steps for validating the patch?

You'll see the importance of the above questions when you checking the example patch cpd-3.5.3-spark-patch-1 with the following link.
https://www.ibm.com/support/pages/node/5693756

3) Know your cluster health status before applying the patch.
Check the cluster status to see if there’s any pods in unhealthy status with the following command.
oc get po --no-headers --all-namespaces -o wide| grep -Ev '([[:digit:]])/\1.*R' | grep -v 'Completed’

If your cluster not healthy, then it's recommended fixing current problems before applying the patches.

4)Apply the patches following the official document
https://www.ibm.com/docs/en/cloud-paks/cp-data/3.5.0?topic=installing-applying-patches

5) Post check to make sure the patch applied successfully.
You can check whether the patches applied with the command.
cpd-linux status -n zen –patches

But it doesn't grantee all the patches applied will display in the output of the above command.

6) Post check to make sure your cluster is in healthy status.
There should be no new error pods listed when running the command.
oc get po --no-headers --all-namespaces -o wide| grep -Ev '([[:digit:]])/\1.*R' | grep -v 'Completed’

6) Verify if the target issue fixed.
This is critical for the validation and making sure your target issues have been addressed.

Conclusion

This article introduced the best practice for applying the Cloud Pak for Data 3.5 patches. Hope it's helpful! We'll share the step by step operation or commands for applying the patch later for your reference in details.