Video Screencast Help

Patch Me Up – Exploring The New Layer Patch Feature of SWV 6.1

Created: 09 Jun 2009 • Updated: 29 Jul 2010 | 2 comments
Language Translations
karl_bunnell's picture
+7 7 Votes
Login to vote

Symantec Workspace Virtualization 6.1 contains a new "Layer Patch" feature that makes updating an existing virtual application (a.k.a. "layer") much more efficient than previous methods. Prior to the introduction of this feature, the process of updating an existing layer involved updating the layer, exporting it as a VSA, then redeploying the entire package application to all client nodes. The down-side of this approach is obvious. Small, incremental, updates to a large application such as Microsoft Office requires that the entire application package, plus updates, be deployed. For an application package that approaches 600-700 MB or greater in size this is a expensive proposition given the cost in bandwidth utilization and storage, not to mention the time involved for the layer packager.

The "Layer Patch" feature allows only the binary difference between an original and updated layer to be packaged into a virtual patch archive (VPA) file and applied to the original layer on client nodes. This greatly reduces the size of the package deployed to the client node to provide an update to an existing virtual layer. Rather than deploying an updated VSA some 700 MB+ in size, a VPA containing only the binary difference between layers may only be a tenth the size (70 MB or less). This article will describe how layer patching works, the process for creating and applying a Layer Patch, the best practices associated with this new feature and conclude with a list of frequently asked questions.

How Layer Patching Works

The concept of layer patching is really quite simple. It involves two layers: the original layer and an updated layer. The process of creating a patch involves comparing the original layer to the updated layer and generating a list of file/directory structure and registry differences between the two, then packaging these changes as files and metadata into a package called a virtual patch archive or VPA. This comparison process will yield files and directories that have been added to the updated layer, removed from the updated layer and files that are common to both, some of which have been updated. The common files are run through an engine that generates a binary difference (i.e. diff) between each of the files common to both layers. We are only interested in the bits that have changed. This is important because if the updated layer only has a handful of files that have changed, we only care to include the bits that have changed in the VPA. What about registry changes between the original and updated layers you ask? The updated layer registry area is captured and stored in the VPA as well.

For those familiar with the underlying structure of a virtual application, known as the sub-layers of an virtual application (also simply called a "Virtual Layer" or "layer"), the question arises as to what sub-layers are involved in the process of creating a Layer Patch? Before we jump too far into the inner-workings of a virtual application perhaps a quick refresher course on virtual layers is in order.

A virtual layer is actually composed to two sub-layers. A "read-only" (RO) sub-layer and a "read-write" (RW) sub-layer. The RO sub-layer represents the base state of the application and is not altered by changes to the virtual layer. This is the "reset point" to which a virtual layer is reverted when an application is "reset". All changes made to a virtual layer are captured to the RW sub-layer. This includes all file, directory and registry changes. Okay, armed with this knowledge let's jump back into how Layer Patch uses these sub-layers to create a patch.

The comparison process between the original and updated layers involves only the RO sub-layers of these virtual layers. For this reason, it is important that the correct process be used to create a patch. A common "gotcha" is to update a layer using some form of software update, then try and create a patch from this updated layer only to discover that the resultant patch doesn't contain any of the updates! I'll reiterate that this is because the changes made to the layer using its software update mechanism are captured to the RW sub-layer which is not used in the layer comparison process to create a patch! Remember that only the RO layers are compared for purposes of creating a patch. The patch application process simply involves combining the patch (VPA) to a copy of the original layer to recreate the updated layer. A patch can be applied "in-place" or into a new layer. Applying a patch "in-place" will combine the contents of the VPA to the existing layer (thus retaining the Layer ID of the layer). Applying the patch into a "new layer" will create a new layer (including a new layer ID), then combine the contents of the VPA with the original layer into the new layer. The original layer is left intact and not altered in any way when a patch is applied into a new layer. It is important to remember that this is a new layer with its own, unique layer ID. I need to sound a "Gotcha alert" here.

Gotcha Alert: If the original layer is a dependent layer of another layer the VPA must be applied "in place" to retain the dependent layer relationship. A dependent layer is linked to a layer using the layer ID. If a VPA is applied into a new layer the layer ID is changed and is therefore not linked to the dependent layer.

The process of applying a patch requires that the original layer be imported and available on the client node along with a copy of the VPA. The patch is applied by extracting the contents of the VPA and then applying the contents to the RO sub-layer of the original layer. The layer ID (GUID) of the original layer is stored in the VPA and compared against the layer ID of the layer to which you are attempting to apply the patch. If the source layer does not exist on the node where the patch is attempting to be applied, the patching process will end. Otherwise, the patching process will combine added files, remove deleted files and apply the binary difference patch for updated files to create the updated layer from the patch (VPA). The registry changes of the updated layer are applied as well.

The contents of the RW sub-layer can be retained (if applied "in place") or copied to the new layer's RW sub-layer if the patch is applied to a new layer.

We'll enough on the inner-workings. Let's jump in and take a look at how to create a patch.

How to Create a Layer Patch

Let's look at a practical scenario. Suppose you've deployed version 9.0.0 of Adobe Reader. This has been working well but you get a notification via the Adobe software updater that a new version 9.1.0 of Adobe Reader is available that resolves a security vulnerability and improves stability. You decide that updating to version 9.1.0 is worth the effort to guard against any security vulnerabilities of the 9.0.0. version. Where do we start? Let's walk through the process of creating a Layer Patch that includes the updates to 9.1.0.

Create the Updated Layer

There are two features new to SWV 6.1 that make creating an updated layer an easy matter. The "Clone Layer" and "New Reset Point" (both described in their own articles) make this process an easy and straight-forward matter.

We begin by making a clone of the original layer.

Clone Menu Item

Select the "Clone..." menu item from the context menu by right-clicking the original layer as shown in the above figure. Next we are presented with a the "Clone Layer" dialog box:

Clone Layer Dialog Box

Let's name the cloned layer "Adobe Reader 9.1.0" because shortly this will be our new, updated layer. The checkbox "Copy writeable sub-layer from existing layer" gives the option of preserving the current RW sub-layer in the new cloned layer. We want a "clean" cloned layer so remove the check from the box.

Now we need to update the cloned layer to include the update to 9.1.0. Most modern software includes a mechanism to check for updates on-line then update the application as needed. Adobe Reader is updated by selecting "Help->Check For Updates...":

Adobe Reader Check for Updates

This initiates the process of running the Adobe Reader software updater. Select to download and apply the updates for 9.1.0. Once this completes we have an updated layer but I need to signal a "gotcha" alert.

Gotcha Alert: The temptation at this point is to consider our work of updating the layer complete. This is not the case. Recall that running the software update caused all file and registry updates to be applied to the RW sub-layers of the file system and registry. Remember that a Layer Patch is created from the RO sub-layers of each virtual layer. We need to merge the updates made to the RW sub-layer to RO layer so these updates can be captured when creating a patch.

As we learned in the "Gotcha Alert" we need to merge the changes made to the RW sub-layer to the RO sub-layer. Fortunately the "New Reset Point" feature makes this a very simple process. Right-click the cloned/updated layer named Adobe Reader 9.1.0 and select the "New Reset Point" command.

Establish New Reset Point

Next we are presented with the "New Reset Point" dialog box.

New Reset Point Dialog Box

The "Export layer before creating new reset point" checkbox gives us the option to export the layer before making a un-recoverable change to the layer. The "Copy current user's settings to default user's settings area" checkbox provides the option to preserve any user-specific data in the RW sub-layer to the RO sub-layer. For purposes of creating a patch we aren't interested in retaining user-specific data so we leave this unchecked. We've now created our updated layer that includes the Adobe Reader 9.1.0 updates. Now we are prepared to create a Layer Patch from our original layer (Adobe Reader 9.0.0) and our updated layer (Adobe Reader 9.1.0).

Create the Layer Patch

Now that the updated layer has been prepared, creating a layer patch is straightforward. Select "File->Create Patch..." from the SWV file menu. You will be presented with the "Create Layer Patch Archive File" dialog box.

Create Layer Patch Archive File

Select the original layer (Adobe Reader 9.0.0) and the new, updated layer (Adobe Reader 9.1.0) and provide a path to the VPA file and click "OK" to create the patch. That's it! Patch creation is complete.

Apply the Layer Patch

The process of applying a patch is also straightforward. Select "File->Apply Patch..." from the File menu of SWV Admin.

Apply Patch Archive File

You are presented with the "Apply Patch Archive File" dialog box. Browse and select the VPA file to be applied. Recall from the description of "How Layer Patching Works" that the original layer GUID is stored in the VPA file so there is no need to specify the original layer to which the patch is to be applied. If the original layer does not exist on the client where you are attempting to apply the patch, the patch process will abort.

Notice the two options for applying the patch: "Patch existing layer" and "Create new layer". Patching the existing layer combines the original layer with the contents of the VPA to create the updated layer. Because this operation is destructive to the original layer, the option to export the layer is provided. Check the "Export before patching" checkbox to export a copy of the original layer.

The option to "Create new layer" does not alter the original layer, rather it combines the VPA and the contents of the original layer into a new layer. For this reason there is no need to export the original layer before patching. The "Copy writeable sub-layer from existing layer" checkbox provides the option to copy the contents of the original layer RW sub-layer to the new layer's RW sub-layer. It is important to understand that this refers to the RW sub-layer on the current client node, not the RW sub-layer of the original layer from which the patch was created. No RW sub-layer information is stored in the VPA when creating a patch.

Apply the patch by clicking the "OK" button.


The Layer patch feature of SWV 6.1 provides the capability to update an existing layer by applying a patch file that contains only the binary difference between an original layer and the desired updated layer. This makes updating virtual layers much quicker and efficient without the higher bandwidth, storage and time requirements of deploying an entirely new virtual layer as a VSA . Layer patch, coupled with the Layer Cloning and "New reset point" features make the process of creating a patch very straightforward. In order to create a layer patch, simply clone the original layer, update the layer as desired, establish a new reset point (which merges the RW sub-layer to the RO sub-layer), then create patch between the original layer the cloned, updated layer. Applying the patch file (VPA) simply involves deploying the VPA to client nodes where the original layer exists and applying it.

Frequently Asked Questions

Question: What value does Layer Patch bring? Can't I just update an existing layer and export it as a VSA then deploy this VSA to my clients?
Answer: A Layer Patch file (VAP) contains only the binary difference between two layers so the deployed package is only a fraction of the size of a new VSA that contains the application updates.

Question: What is the best way to prepare an updated layer so I can create a patch between it and the original?
Answer: Clone the original layer, update it using the applications built-in software update mechanism, then establish a new reset point for the cloned layer by selecting "New reset point" from the context menu. Use the cloned, updated layer (with new reset point) as the updated layer when creating the patch.

Question: In order to create a patch I cloned and updated a layer, then created a patch. After applying the patch the layer was not updated. Why?
Answer: When preparing to create a patch ensure that after cloning and updating a layer that you establish a new reset point by selecting the "New Reset Point" command from the context menu on the cloned layer. Because layer patch only applies the patch to the RO sub-layer, you must merge changes made to the RW sub-layer to the RO sub-layer before creating a patch from the original and cloned/updated layer.

Question: Why is the layer patch file (VPA) so big?
Answer: The size of a virtual-layer patch archive depends on the magnitude of changes between the original and updated layers. Layer Patch is intended for small, incremental updates such as Adobe Reader 9.0.0 to Adobe Reader 9.1.0. Major version updates such as Acrobat Reader 6 to Adobe Reader 9 would be so different that the resultant VPA would essentially contain the entire Adobe Reader 9 layer files. Because of the magnitude of changes this is essentially equivalent to exporting an entire updated VSA.

Question: I applied a patch to a dependent layer but it doesn't appear that the layer was updated. Why?
Answer: When applying a patch to a dependent layer make sure to select the "Patch existing layer" option on the "Apply Patch Archive File" dialog box. This ensures that the layer ID of the original layer is preserved. If you select to "Create new layer" when applying a patch the updated layer will have a new layer ID and thus not be linked to the dependent layer.

Question: After applying a patch (VPA) to my layer I've lost all of my application settings. What happened?
Answer: You applied a patch into a new layer and did not check the "Copy writeable sub-layer from existing layer" checkbox. If this box is not checked, the new layer will have an empty RW sub-layer. Check the checkbox to ensure that all application settings are retained.

Question: What if an application doesn't have it's own "Software Update" mechanism? What's the best practice for creating the updated layer in that case?
Answer: Let's answer this with an example. Suppose, for the sake of argument, that you wanted to create an updated layer for Adobe Reader 9.1.0 without using the Clone, Update, "New Reset Point" method described in this article. This would be the case for an application that doesn't provide an auto-software update mechanism. In the absence of an auto-update mechanism, application vendors will either provide an executable that will install the updated files to an existing application, or a complete new install of the application that includes the updates. Let's look at each of these scenarios:
Update Executable
If the vendor provides an update executable (e.g. Adobe Reader 9-SP1.exe), the following steps for creating the updated layer are suggested as a best practice:
1. Clone the existing layer (e.g. Adobe Reader 9.0.0) and give it the name of the updated layer (e.g. Adobe Reader 9.1.1).
2. Right-click the cloned layer and select "Add to Layer" (this requires SWV to enter capture mode and will require that current layers be deactivated before this option will show as enabled). Invoke the software update program (e.g. Adobe Reader 9-SP1.exe) to update the layer. Once the capture completes, the layer is updated.
3. Create the patch from original and updated layers.

New Install
If the application vendor provides a new install program (e.g. Adobe Reader 10 Install.exe), the following steps for creating the updated layer are suggested as a best practice:
1. Create a new layer (i.e. from SWV Admin | File -> New Layer ...). It is best not to start with a cloned layer in this case as the install will try to uninstall the application in the cloned layer, then install the update. This can leave undesirable artifacts in the cloned layer which can cause the VPA to be larger than it otherwise would.
2. Create the patch from the original and updated layers.

The important thing to remember is to strive to always create a "clean" updated layer. These best practices will help ensure that the updated layer is clean. Remember that a patch (VPA) updates an original layer to a copy of the updated layer. If the updated layer from which the patch is created is not clean, the patched version won't be either.

Comments 2 CommentsJump to latest comment

BBaird's picture

Excellent explaination of how the new Patch feature works.


Login to vote
meggie_woodfield's picture

For anyone interested in this topic, there is now a video on creating layer patches posted on Connect here.

Login to vote