How to Create Multiple Internal Repositories for Oracle Solaris 11

by Albert White

Some customers connect directly to hosted Oracle Solaris package repositories to get the latest fixes, but most customers set up a local repository due to network restrictions or the desire to control which updates their systems have access to. This article provides best practices for managing local repositories through the complete software lifecycle from development and testing to production deployment.


Published May 2012

Oracle provides updates to Oracle Solaris 11 via Support Repository Updates (SRU), which are accessible only to customers who have purchased an Oracle support contract. SRUs are available through an online repository hosted at http://pkg.oracle.com and via incremental ISO images.

Want technical articles like this one delivered to your inbox?  Subscribe to the Systems Community Newsletter—only technical content for sysadmins and developers.

For most customers and organizations, maintaining a set of internal package repositories will be standard practice, particularly in network-restrictive environments with strict software version control processes. For example, administrators will typically want to manage the entire software lifecycle, including how software is delivered to end users of production systems, through a series of staging and test systems.

In this article, we will set up the following three repositories and demonstrate a best-practices environment:

  • Release—The initial Oracle Solaris 11 repository
  • Development—The repository containing the latest SRUs released by Oracle
  • Support—The repository containing the latest SRU that you have tested across your organization

Creating the Initial Oracle Solaris 11 Release Repository

This process is described in detail in Copying and Creating Oracle Solaris 11 Package Repositories, so we won't go into too much detail here. However, let's quickly summarize the key steps.

Step 1: Create a Dedicated Oracle Solaris ZFS File System

First, you create a dedicated ZFS file system for your repository on your Oracle Solaris 11 system. This allows you to use ZFS technologies, such as clones and snapshots, to easily manage your data.

We'll assume that you already have the zpool rpool created on your system, and that this file system will be mounted as /export/s11ReleaseRepo.

# zfs create rpool/export/s11ReleaseRepo

Step 2: Create the Oracle Solaris 11 Release Repository

Next, we use pkgrepo(1) to create a repository in the location you created in Step 1. This creates the necessary initial structure of the repository that we will populate in the next step.

# pkgrepo create /export/s11ReleaseRepo

Step 3: Populate the Oracle Solaris 11 Release Repository

We now populate this repository with the contents of the official Oracle Solaris 11 release repository. For this we use pkgrecv(1) and instruct it to pull the latest versions of all packages from the Oracle package repository to our local repository.

# pkgrecv -s http://pkg.oracle.com/solaris/release/ -d /export/s11ReleaseRepo '*'

If you do not have network access to the Oracle package repository, you can use the Oracle Solaris 11 repository ISO image, as detailed in Copying and Creating Oracle Solaris 11 Package Repositories.

Step 4: Snapshot the Oracle Solaris 11 Release Repository

ZFS allows you to create snapshots of file systems, which makes it very easy to roll back a file system at a later date, if needed, or to copy a file system quickly. For convenience, we will create a snapshot of our repository now using the zfs snapshot command.

# zfs snapshot rpool/export/s11ReleaseRepo@initial

Step 5: Start the Package Repository SMF Service

Repositories are managed in Oracle Solaris 11 by the pkg.depotd daemon. You can configure and start instances of this daemon using the Oracle Solaris Service Management Facility (SMF).

Listing 1 shows an example of how to configure our Release repository service. We have chosen to run the daemon on port 10081.

# svccfg -s pkg/server add s11ReleaseRepo
# svccfg -s pkg/server:s11ReleaseRepo addpg pkg application
# svccfg -s pkg/server:s11ReleaseRepo setprop pkg/port=10081
# svccfg -s pkg/server:s11ReleaseRepo setprop pkg/inst_root=/export/S11ReleaseRepo
# svccfg -s pkg/server:s11ReleaseRepo addpg general framework
# svccfg -s pkg/server:s11ReleaseRepo addpropvalue general/complete astring: s11ReleaseRepo
# svccfg -s pkg/server:s11ReleaseRepo addpropvalue general/enabled boolean: true
# svccfg -s pkg/server:s11ReleaseRepo setprop pkg/readonly=true
# svccfg -s pkg/server:s11ReleaseRepo setprop pkg/proxy_base = astring: http://pkg.example.com/s11ReleaseRepo
# svccfg -s pkg/server:s11ReleaseRepo setprop pkg/threads = 200
# svcadm refresh application/pkg/server:S11ReleaseRepo
# svcadm enable application/pkg/server:S11ReleaseRepo

Listing 1. Configuring the Release Repository Service

You can also make SMF configuration changes using the svccfg interactive interface.

The pkg/proxy_base configuration property is an optional property that can be used if you plan to access your package repository via Apache. This allows you to use, for example, a URL of http://pkg.example.com/s11ReleaseRepo, rather than http://pkg.example.com:10081. Setting up the repository in this way is advantageous because the repository will work through HTTP proxy servers and end users can use a descriptive URL rather a port number.

Step 6: (Optional) Configuring the Apache HTTP Server

If you choose to use an Apache HTTP server so that the package repositories can be accessed via HTTP (or HTTPS) rather than directly through the file system, you now must configure the server to map our URL (http://pkg.example.com/s11ReleaseRepo) to the port where the pkg.depotd is running (http://pkg.example.com:10081). To do this, you need to add the following to your httpd.conf file:

ProxyPass /s11ReleaseRepo http://pkg.example.com:10081 nocanon max=200

To activate this change, you need to do one of the following:

  • If Apache was previously running, restart the Apache service:

    # svcadm restart svc:/network/http:apache22
    
  • If Apache was not previously running, you need to enable it:

    # svcadm enable svc:/network/http:apache22
    

Now that we have now created a copy of the Oracle Solaris 11 Release repository, clients can install software directly from http://pkg.example.com/s11ReleaseRepo rather than needing external network access to http://pkg.oracle.com/solaris/release/.

Creating the Support and Development Repositories

Next, we will look at creating the local Support and Development repositories. The Support repository will be used to roll out changes that you have tested across your organization, and the Development repository will be used to mirror the latest Support Repository Update (SRU) changes from Oracle.

Step 1: Cloning the Release Repository

Initially, the Support and Development repositories will be the same as the Release repository you just created. We can use zfs clone to create copies of the repository file systems rather than needing to use pkgrecv to pull the content over the network again from Oracle.

# zfs clone rpool/export/s11ReleaseRepo@initial rpool/export/s11SupportRepo
# zfs clone rpool/export/s11ReleaseRepo@initial rpool/export/s11DevelopmentRepo

Again, we will make a ZFS snapshot of these repositories for future use. It is recommended that ZFS snapshots be taken anytime new content is added to a repository to provide a convenient way to roll back to an earlier snapshot if necessary.

# zfs snapshot rpool/export/s11DevelopmentRepo@initial
# zfs snapshot rpool/export/s11SupportRepo@initial

Step 2: Repeat the Repository Configuration

The next step is to repeat the repository configuration detailed in Step 5 and Step 6 when we set up the Release repository.

Caution: Pay careful attention to changing the repository name, path, Apache proxy base, and port number during configuration.

Populating the Development Repository

Every month or so, Oracle issues new updates to the Oracle Solaris 11 Support Repository. This repository is available only to customers with a support contract, and a support contract is required to obtain the updates.

We will use the Development repository to populate the latest changes from Oracle, either directly from the Oracle repository itself or through incremental SRU ISO images.

Using the Oracle Solaris 11 Support Repository

Obtain your SSL key and certificates from https://pkg-register.oracle.com/. You will need your My Oracle Support login to download the key and certificate pair. Once they have been downloaded, you can use pkgrecv again to update the contents of the Development repository.

# pkgrecv -s https://pkg.oracle.com/solaris/support \
-d /export/s11DevelopmentRepo \
--key /path/to/ssl_key --cert /path/to/ssl_cert solaris '*'

Remember that since we made a change to the repository, it is always a good idea to create a ZFS snapshot for our current position. The snapshot names should be meaningful, such as @sru04-2012-03-01.

# zfs snapshot rpool/export/s11Development@sru04-2012-03-01

If you choose to manage your repository using pkg.depod (instead of using a file-based repository), you must restart the appropriate SMF service.

# svcadm restart pkg/server:s11DevelopmentRepo

Using the Oracle Solaris 11 Incremental SRU ISO Images

Alternatively, you can update your repository from the ISO images, which you can download from My Oracle Support (login required).

First, we mount the ISO image as a file system on the server:

# mount -F hsfs full_path_to/sol-11-1111-sruN-bldnum-incr-repo.iso /mnt

Once we have mounted the ISO image, we can use pkgrecv to copy the updates from one file system repository to another. There is no need to specify an SSL key and certificate when using the ISO image.

# pkgrecv -s /mnt/repo -d file:///export/s11DevelopmentRepo '*'

Next, we need to rebuild the search index for the repository to reflect the latest updates:

# pkgrepo rebuild -s /export/s11DevelopmentRepo

And, once again, we need to create a ZFS snapshot for our current position and start the SMF service, if necessary:

# zfs snapshot rpool/export/s11DevelopmentRepo@sru04-2012-03-01
# svcadm restart pkg/server:s11DevelopmentRepo

Populating the Internal Support Repository from the Development Repository

After performing the necessary testing on your Development repository, it is time to roll out the changes to your Support repository so users can obtain the updates. We can make these changes using the pkgrecv command as follows:

# pkgrecv -s /export/s11DevelopmentRepo -d file:///export/s11SupportRepo '*'

Then we need to rebuild the search indexes for the repository, take a ZFS snapshot, and restart the appropriate SMF service:

# pkgrepo rebuild -s /export/s11SupportRepo
# zfs snapshot rpool/export/s11SupportRepo@sru04-2012-03-08
# svcadm restart pkg/server:s11SupportRepo

Rolling Back to Previous Repository Snapshots

Occasionally, you might encounter a problem, which means that you cannot install a particular SRU in your environment. In this case, you will need to roll back your repository to a previous snapshot. This is easily accomplished using the ZFS rollback mechanism (the zfs rollback command) and then restarting the SMF service:

# zfs rollback -r rpool/export/S11Development@SRU3-2012-02-15
# svcadm restart pkg/server:s11SupportRepo

Note: Ideally, you will not roll back changes on a repository from which systems have installed packages, because that might lead to dependency resolution problems during a system update. If dependency resolution problems occur, you will need to revert to a previous boot environment on any affected systems.

Summary

The Image Packaging System is a network-based package management system that enables systems to install software packages from locally or network-connected package repositories. To use this new Oracle Solaris 11 capability, it is wise to employ best practices in environments that have network restrictions or internal software change control.

See Also

Here are relevant SRU resources:

And here are additional Oracle Solaris 11 resources:

About the Author

Albert White is a Principal Software Engineer working with the Revenue Product Engineering group at Oracle focusing on Oracle Solaris 11 and the Image Packaging System. Albert joined Oracle as part of the Sun Microsystems acquisition.

Revision 1.1, 04/11/2013

See sysadmin-related content for all Oracle technologies by following OTN Systems on Facebook and Twitter.