How to Update Oracle Solaris 11 Systems From Oracle Support Repositories

by Glynn Foster


The steps for updating an Oracle Solaris 11 system with software packages provided by an active Oracle support agreement, plus how to ensure the update is successful and safe.




Published March 2012

Oracle Solaris 11 includes a new package management system that greatly simplifies the process of managing system software helping to reduce the risk of operating system maintenance, including planned and unplanned system downtime. Image Packaging System (IPS) takes much of the complexity out of software administration with its ability to automatically calculate dependencies, and it merges both the package and patch management into a single administrative interface.

If you'd like to download software, participate in forums, and get access to other technical how-to goodies in addition to content like this, become an OTN member. No spam!

This article steps through updating an Oracle Solaris 11 system with software packages that are provided with an active Oracle support agreement. In the process, it covers some of the basics that you should know to ensure an update goes successfully and safely.

An Overview of IPS

Before we begin the process of updating a system, let's go through a quick overview of IPS.

In previous releases of the Oracle Solaris platform, administrators used SVR4 packaging to install software onto a system, and then they used a different set of commands to install patches to update the system. While the end result was an updated system, it was often a very time consuming and error-prone process because administrators had to do the heavy lifting themselves to research what packages should be installed, what patches and recommended patch clusters were needed, and in what order they needed to be applied. If any virtual environments were configured through the use of Oracle Solaris Zones, the task got gradually more complicated with little automation available to the administrator. More often than not, to ensure better consistency across the data center, administrators re-installed systems from scratch instead of spending hours trying to patch the systems.

IPS is an integrated solution that helps automate and ease the complexity of managing system software on Oracle Solaris 11 by integrating patching with package updates. It relies on a network-centric and efficient approach with automatic software dependency checking and validation, and it builds on the foundation of Oracle Solaris ZFS as the default root file system.

Using IPS, you can reliably install or replicate an exact set of software package versions across many different systems and get a much clearer understanding of any differences between the software versions installed on any given systems.

More importantly, IPS establishes a much safer system upgrade using the benefits of ZFS snapshot and clone functionality, which allows you to apply changes to a clone or alternate boot environment (BE) so that system updates can be scheduled while the live system is running critical applications or services. When a planned maintenance window can be scheduled, you then simply reboot the system into the new BE to get up and running faster with much lower system downtime. If you experience any problems with the new environment, you can simply bring the system down and boot back into the older environment.

IPS improves integration with Oracle Solaris Zones, allowing you to automatically update any non-global zones to ensure consistency across the system. An added benefit is individual software stacks for each non-global zone are independent of the global zone.

Configuring the Support Repository

IPS is a network-centric package management solution. Software developers, or publishers, make software available in software package repositories that can be installed using the package utilities on client systems. All new Oracle Solaris 11 installations are configured to have a single default publisher, solaris, which supplies software packages from the public Oracle Solaris 11 released repository (http://pkg.oracle.com/solaris/release). You can install new software packages from here, search for package content, or mirror the contents of this repository locally if there are network restrictions in the data center or simply to get improved software change control across systems in your data center.

You can see what configuration a given system has using the pkg publisher command:

# pkg publisher
PUBLISHER	TYPE	STATUS	URI
solaris		origin	online	http://pkg.oracle.com/solaris/release/

In this article, we will change our default publisher to point to the Oracle Solaris 11 supported repository (https://pkg.oracle.com/solaris/support). This repository is available only to customers who have an active Oracle support agreement—more specifically, Oracle Premier Support for Operating Systems on Oracle hardware or Oracle Solaris Premier Subscription for non-Oracle hardware. Since this repository is served through HTTPS, we must first check our entitlement from Oracle, and then download a key and certificate pair so that we can access the repository.

Checking the Entitlement

You can check repository entitlements, including whether they have access to the "support" repository, by opening up a Web browser and going to http://pkg-register.oracle.com, as shown in Figure 1.

Figure 1

Figure 1. Home Page for Oracle's IPS Package Repository

Once there, you need to log in to the portal using your Oracle Single Sign On username and password; this is usually the e-mail address you would have used to access the My Oracle Support portal. This can be done by clicking the Request Certificates link. Once you have successfully logged in, you will see a list of entitlements for different IPS package repositories that you have access to. In this case, we are most interested in the Oracle Solaris 11 Support entitlement, which is shown in Figure 2.

Figure 2

Figure 2. List of Entitlements

Downloading the Key and Certificate

The next step in the process is to download the key and certificate for the Oracle Solaris 11 supported repository. Ensure Oracle Solaris 11 Support is selected, and then click the Submit to go to a screen that allows you to add additional certificate data to distinguish this key and certificate pair, as shown in Figure 3. This is an optional step that allows you to identify the key and certificate further. For our case, enter Support for Oracle Solaris 11 in the Comment (optional) field.

Once the key and certificate have been created, they are available to download from the home page and our label will show up under the Comments table column towards the bottom of the screen, as shown in Figure 3.

Figure 3

Figure 3. Optional Step for Providing Additional Data for the Key and Certificate Pair

Click the Submit button to go to a screen that provides the download links and lists some details about the certificate, including what product it applies to, when it was issued, and when it expires, as shown in Figure 4. Go ahead and download both the key and certificate.

Figure 4

Figure 4. Downloading the Key and Certificate for Oracle Solaris 11 Supported Repository

Installing the Key and Certificate

The key and certificate download page shown in Figure 4 also provides details about how to install the key and certificate pair and how to change your repository configuration to point to the Oracle Solaris 11 supported repository. These details are shown in Listing 1 for a key and certificate copied to the Desktop folder of your home directory.

Listing 1. Example of Installing the Key and Certificate
# mkdir -m 0755 -p /var/pkg/ssl
# cp -i ~/Desktop/Oracle_Solaris_11_Support.key.pem /var/pkg/ssl
# cp -i ~/Desktop/Oracle_Solaris_11_Support.certificate.pem /var/pkg/ssl
# pkg set-publisher \
 -k /var/pkg/ssl/Oracle_Solaris_11_Support.key.pem \
-c /var/pkg/ssl/Oracle_Solaris_11_Support.certificate.pem \
-g https://pkg.oracle.com/solaris/support/ \
-G http://pkg.oracle.com/solaris/release/ solaris
# pkg publisher PUBLISHER TYPE STATUS URI solaris origin online https://pkg.oracle.com/solaris/support/

Performing an Update

The Oracle Solaris 11 supported repository receives updates approximately every month through a series of Support Repository Updates (SRUs). Each SRU is a single unit of change that you can use to update you system, but the SRU contains updates to many different packages installed and not installed on a given system. While this might represent a little less flexibility in terms of what changes can be applied to the system compared to patching in Oracle Solaris 10, it means the updates have been thoroughly tested by Oracle as a single unit and they are known to work well rather than being an arbitrary selection of patches that are applied in an arbitrary order.

Now that we have successfully configured the Oracle Solaris 11 supported repository, we can check whether there are any updates available. We can do this using the pkg list command with the -u flag to show us only the packages for which newer versions are available.

Listing 2. Checking for Package Updates
# pkg list -u
NAME (PUBLISHER)                                  VERSION                    IFO
consolidation/SunVTS/SunVTS-incorporation         0.5.11-0.172.0.0.0.0.0     i--
consolidation/ips/ips-incorporation               0.5.11-0.175.0.0.0.2.2576  i--
consolidation/osnet/osnet-incorporation           0.5.11-0.175.0.0.0.2.1     i--
entire                                            0.5.11-0.175.0.0.0.2.0     i--
package/pkg                                       0.5.11-0.175.0.0.0.2.2576  i--
system/core-os                                    0.5.11-0.175.0.0.0.2.1     i--
system/file-system/nfs                            0.5.11-0.175.0.0.0.2.1     i--
system/file-system/zfs                            0.5.11-0.175.0.0.0.2.1     i--
system/io/infiniband/ip-over-ib                   0.5.11-0.175.0.0.0.2.1     i--
system/io/infiniband/reliable-datagram-sockets-v3 0.5.11-0.175.0.0.0.2.1     i--
system/kernel                                     0.5.11-0.175.0.0.0.2.1     i--
system/kernel/platform                            0.5.11-0.175.0.0.0.2.1     i--
system/zones                                      0.5.11-0.175.0.0.0.2.1     i--

From the output shown in Listing 2, we can see that there are 13 different packages with newer versions available. Some of these packages don't contain any content; they just list dependency information necessary to keep a consistent software version state on the installed system. The package versions listed in the output just show us the currently installed version; we have to do a little more work to see what new package versions are available.

As an example, let's look at the system/zones package and use the pkg info command with the -r flag to show us the latest version that is in the repository.

Listing 3. Checking for the Latest Package Version in the Repository
# pkg info -r system/zones
          Name: system/zones
       Summary: Solaris Zones
   Description: Solaris Zones Configuration and Administration
      Category: System/Core
         State: Not installed
     Publisher: solaris
       Version: 0.5.11
 Build Release: 5.11
        Branch: 0.175.0.1.0.4.1
Packaging Date: November 10, 2011 07:23:00 PM
          Size: 2.93 MB
          FMRI: pkg://solaris/system/zones@0.5.11,5.11-0.175.0.1.0.4.1:20111110T192300Z

As we can see from the FMRI: line in Listing 3, a new package version is available (0.5.11,5.11-0.175.0.1.0.4.1) that is not currently installed.

When performing an update, IPS will always try to update packages on the system to the newest version that is allowed by the current set of dependency relationships (constraints). Sometimes, this results in a system being updated to a set of package versions that are older than you expect, and further analysis is required to see what installed package is preventing a system from being updated further. As a result, it's always a good idea to do a dry run of a system update first to see what changes will be made to the system. This can be done using the pkg update command using the -nv flag, as shown in Listing 4.

Listing 4. Doing a Dry Run of an Update
# pkg update -nv
            Packages to update:        13
     Estimated space available:  11.91 GB
Estimated space to be consumed: 136.51 MB
       Create boot environment:       Yes
     Activate boot environment:       Yes
Create backup boot environment:        No
          Rebuild boot archive:       Yes

Changed packages:
solaris
  consolidation/SunVTS/SunVTS-incorporation
    0.5.11,5.11-0.172.0.0.0.0.0:20110816T071310Z -> 
    0.5.11,5.11-0.175.0.1.0.4.0:20111108T154138Z
  consolidation/ips/ips-incorporation
    0.5.11,5.11-0.175.0.0.0.2.2576:20111020T063559Z -> 
    0.5.11,5.11-0.175.0.1.0.4.2584:20111107T205610Z
  consolidation/osnet/osnet-incorporation
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T053010Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192202Z
  entire
    0.5.11,5.11-0.175.0.0.0.2.0:20111020T143822Z -> 
    0.5.11,5.11-0.175.0.1.0.4.0:20111110T225628Z
  package/pkg
    0.5.11,5.11-0.175.0.0.0.2.2576:20111020T063649Z -> 
    0.5.11,5.11-0.175.0.1.0.4.2584:20111110T170548Z
  system/core-os
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T070457Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192209Z
  system/file-system/nfs
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T072120Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184835Z
  system/file-system/zfs
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T072820Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184848Z
  system/io/infiniband/ip-over-ib
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T073458Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184927Z
  system/io/infiniband/reliable-datagram-sockets-v3
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T073533Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184930Z
  system/kernel
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T075711Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184935Z
  system/kernel/platform
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T074654Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192254Z
  system/zones
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T085226Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192300Z

As we can see from the output of the dry run, the system will automatically create a BE, which often means there are changes in the update that are applied to the kernel and a reboot is required. We can see that there are 13 packages to update that will take up an estimated 136 MB. This certainly coincides with our previous pkg list -r output, so once we are happy, we can perform the update, as shown in Listing 5. In this case, we have piped the output so we can see the packages that are downloaded during the update. If for any reason something unexpected happens, we can simply reboot back into the older BE in a matter of minutes.

Listing 5. Performing an Update
# pkg update
            Packages to update:  13
       Create boot environment: Yes
Create backup boot environment:  No

Download: consolidation/SunVTS/SunVTS-incorporation ...  Done
Download: system/kernel ...  Done
Download: system/zones ...  Done
Download: system/core-os ...  Done
Download: consolidation/osnet/osnet-incorporation ...  Done
Download: package/pkg ...  Done
Download: system/io/infiniband/ip-over-ib ...  Done
Download: consolidation/ips/ips-incorporation ...  Done
Download: system/file-system/zfs ...  Done
Download: system/kernel/platform ...  Done
Download: system/file-system/nfs ...  Done
Download: entire ...  Done
Download: system/io/infiniband/reliable-datagram-sockets-v3 ...  Done
Removal Phase ...  Done
Install Phase ...  Done
Update Phase ...  Done
Package State Update Phase ...  Done
Package Cache Update Phase ...  Done
Image State Update Phase ...  Done

A clone of solaris exists and has been updated and activated.
On the next boot the Boot Environment solaris-1 will be
mounted on '/'.  Reboot when ready to switch to this updated BE.


---------------------------------------------------------------------------
NOTE: Please review release notes posted at:

http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=SERNS
---------------------------------------------------------------------------

As we can see from the output in Listing 5, our 13 packages have been downloaded and installed, and a new BE has been created called solaris-1. We can see a list of the BEs created on a system by using the beadm list command:

# beadm list
BE        Active Mountpoint Space  Policy Created
--        ------ ---------- -----  ------ -------
solaris   N      /          404.0K static 2011-11-23 00:10
solaris-1 R      -          2.39G  static 2011-11-25 00:15

In this case, the current BE is called solaris, but the new BE solaris-1 will be active on reboot. This means it will be the default BE after a system reboot.

Dealing with Oracle Solaris Zones

With IPS, updating Oracle Solaris Zones is a trivial operation, and in most cases, it happens automatically during a package update of the global zone. As in the case with the global zone, a new zone BE is created for each non-global zone during the update for updates that require a system reboot. These zone BEs are child BEs of the parent BE in the global zone.

Let's look into this a little closer, first by taking a look at what zones have been created on the system:

# zoneadm list -iv
  ID NAME           STATUS     PATH                  BRAND    IP
   0 global         running    /                     solaris  shared
   3 devzone        running    /zones/devzone        solaris  excl
   4 testzone       running    /zones/testzone       solaris  excl
   5 prodzone       running    /zones/prodzone       solaris  excl

As we can see, there are three zones on this system: devzone, testzone, and prodzone. Before we update the system, let's go into a console session for one of the zones and look at the package publisher configuration of that zone, using the pkg publisher command:

# zlogin -C devzone
[Connected to zone 'devzone' console]

solaris console login: root
Password:
# pkg publisher
PUBLISHER   TYPE	STATUS	URI
solaris    (syspub)	origin	online	proxy://http://pkg.oracle.com/solaris/support/

The output of the pkg publisher command is different than what we would have seen in the global zone. The default publisher is a system publisher, or syspub, which means that it has been inherited from the global zone and cannot be modified:

# pkg unset-publisher solaris
pkg unset-publisher: Removal failed for 'solaris': solaris is a system publisher 
and cannot be unset

The other change to note in the pkg publisher output above is the addition of proxy:// at the start of the publisher URI. This indicates that that the system publisher is just a proxy through to the global zone. All package operations from the non-global zone get proxied through to the global zone. What's more, package content is automatically cached within the global zone by a system repository ensuring that content needs to be downloaded only once, which helps to greatly speed up package installations and updates across all non-global zones installed on the system.

With this in mind, let's initially run pkg update in the global zone using the -nv option to indicate a dry run and see how this affects our three non-global zones, as shown in Listing 6.

Listing 6. Doing a Dry Run to See How an Update Affects Non-Global Zones
# pkg update -nv
Recursing into linked image: zone:devzone
Returning from linked image: zone:devzone
Recursing into linked image: zone:prodzone
Returning from linked image: zone:prodzone
Recursing into linked image: zone:testzone
Returning from linked image: zone:testzone

            Packages to update:        13
     Estimated space available:  10.83 GB
Estimated space to be consumed: 136.51 MB
       Create boot environment:       Yes
     Activate boot environment:       Yes
Create backup boot environment:        No
          Rebuild boot archive:       Yes

Changed packages:
solaris
  consolidation/SunVTS/SunVTS-incorporation
    0.5.11,5.11-0.172.0.0.0.0.0:20110816T071310Z -> 
    0.5.11,5.11-0.175.0.1.0.4.0:20111108T154138Z
  consolidation/ips/ips-incorporation
    0.5.11,5.11-0.175.0.0.0.2.2576:20111020T063559Z -> 
    0.5.11,5.11-0.175.0.1.0.4.2584:20111107T205610Z
  consolidation/osnet/osnet-incorporation
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T053010Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192202Z
  entire
    0.5.11,5.11-0.175.0.0.0.2.0:20111020T143822Z -> 
    0.5.11,5.11-0.175.0.1.0.4.0:20111110T225628Z
  package/pkg
    0.5.11,5.11-0.175.0.0.0.2.2576:20111020T063649Z -> 
    0.5.11,5.11-0.175.0.1.0.4.2584:20111110T170548Z
  system/core-os
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T070457Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192209Z
  system/file-system/nfs
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T072120Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184835Z
  system/file-system/zfs
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T072820Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184848Z
  system/io/infiniband/ip-over-ib
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T073458Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184927Z
  system/io/infiniband/reliable-datagram-sockets-v3
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T073533Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184930Z
  system/kernel
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T075711Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184935Z
  system/kernel/platform
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T074654Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192254Z
  system/zones
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T085226Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192300Z
Recursing into linked image: zone:devzone

            Packages to update:       11
     Estimated space available: 10.83 GB
Estimated space to be consumed: 79.13 MB
       Create boot environment:       No
Create backup boot environment:       No
          Rebuild boot archive:       No

Changed packages:
solaris
  consolidation/SunVTS/SunVTS-incorporation
    0.5.11,5.11-0.172.0.0.0.0.0:20110816T071310Z -> 
    0.5.11,5.11-0.175.0.1.0.4.0:20111108T154138Z
  consolidation/ips/ips-incorporation
    0.5.11,5.11-0.175.0.0.0.2.2576:20111020T063559Z -> 
    0.5.11,5.11-0.175.0.1.0.4.2584:20111107T205610Z
  consolidation/osnet/osnet-incorporation
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T053010Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192202Z
  entire
    0.5.11,5.11-0.175.0.0.0.2.0:20111020T143822Z -> 
    0.5.11,5.11-0.175.0.1.0.4.0:20111110T225628Z
  package/pkg
    0.5.11,5.11-0.175.0.0.0.2.2576:20111020T063649Z -> 
    0.5.11,5.11-0.175.0.1.0.4.2584:20111110T170548Z
  system/core-os
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T070457Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192209Z
  system/file-system/nfs
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T072120Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184835Z
  system/file-system/zfs
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T072820Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184848Z
  system/kernel
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T075711Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184935Z
  system/kernel/platform
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T074654Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192254Z
  system/zones
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T085226Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192300Z
Returning from linked image: zone:devzone

Recursing into linked image: zone:prodzone

            Packages to update:       11
     Estimated space available: 10.82 GB
Estimated space to be consumed: 79.13 MB
       Create boot environment:       No
Create backup boot environment:       No
          Rebuild boot archive:       No

Changed packages:
solaris
  consolidation/SunVTS/SunVTS-incorporation
    0.5.11,5.11-0.172.0.0.0.0.0:20110816T071310Z -> 
    0.5.11,5.11-0.175.0.1.0.4.0:20111108T154138Z
  consolidation/ips/ips-incorporation
    0.5.11,5.11-0.175.0.0.0.2.2576:20111020T063559Z -> 
    0.5.11,5.11-0.175.0.1.0.4.2584:20111107T205610Z
  consolidation/osnet/osnet-incorporation
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T053010Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192202Z
  entire
    0.5.11,5.11-0.175.0.0.0.2.0:20111020T143822Z -> 
    0.5.11,5.11-0.175.0.1.0.4.0:20111110T225628Z
  package/pkg
    0.5.11,5.11-0.175.0.0.0.2.2576:20111020T063649Z -> 
    0.5.11,5.11-0.175.0.1.0.4.2584:20111110T170548Z
  system/core-os
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T070457Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192209Z
  system/file-system/nfs
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T072120Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184835Z
  system/file-system/zfs
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T072820Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184848Z
  system/kernel
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T075711Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184935Z
  system/kernel/platform
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T074654Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192254Z
  system/zones
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T085226Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192300Z
Returning from linked image: zone:prodzone

Recursing into linked image: zone:testzone

            Packages to update:       11
     Estimated space available: 10.82 GB
Estimated space to be consumed: 79.13 MB
       Create boot environment:       No
Create backup boot environment:       No
          Rebuild boot archive:       No

Changed packages:
solaris
  consolidation/SunVTS/SunVTS-incorporation
    0.5.11,5.11-0.172.0.0.0.0.0:20110816T071310Z -> 
    0.5.11,5.11-0.175.0.1.0.4.0:20111108T154138Z
  consolidation/ips/ips-incorporation
    0.5.11,5.11-0.175.0.0.0.2.2576:20111020T063559Z -> 
    0.5.11,5.11-0.175.0.1.0.4.2584:20111107T205610Z
  consolidation/osnet/osnet-incorporation
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T053010Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192202Z
  entire
    0.5.11,5.11-0.175.0.0.0.2.0:20111020T143822Z -> 
    0.5.11,5.11-0.175.0.1.0.4.0:20111110T225628Z
  package/pkg
    0.5.11,5.11-0.175.0.0.0.2.2576:20111020T063649Z -> 
    0.5.11,5.11-0.175.0.1.0.4.2584:20111110T170548Z
  system/core-os
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T070457Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192209Z
  system/file-system/nfs
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T072120Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184835Z
  system/file-system/zfs
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T072820Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184848Z
  system/kernel
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T075711Z -> 
    0.5.11,5.11-0.175.0.1.0.3.1:20111110T184935Z
  system/kernel/platform
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T074654Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192254Z
  system/zones
    0.5.11,5.11-0.175.0.0.0.2.1:20111019T085226Z -> 
    0.5.11,5.11-0.175.0.1.0.4.1:20111110T192300Z
Returning from linked image: zone:testzone

From the output in Listing 6, we can see that 13 packages will be updated in the global zone, but only 11 packages will be updated in each of the non-global zones. In this case, two packages, system/io/infiniband/ip-over-ib and system/io/infiniband/reliable-datagram-sockets-v3, don't make sense in the non-global zone context. Once we are happy with the dry run, we can remove the -nv option and do a full system update, as shown in Listing 7.

Listing 7. Doing a Full System Update
# pkg update
Recursing into linked image: zone:devzone
Returning from linked image: zone:devzone
Recursing into linked image: zone:prodzone
Returning from linked image: zone:prodzone
Recursing into linked image: zone:testzone
Returning from linked image: zone:testzone

            Packages to update:  13
       Create boot environment: Yes
Create backup boot environment:  No

Recursing into linked image: zone:devzone

            Packages to update: 11
       Create boot environment: No
Create backup boot environment: No

Returning from linked image: zone:devzone
Recursing into linked image: zone:prodzone

            Packages to update: 11
       Create boot environment: No
Create backup boot environment: No

Returning from linked image: zone:prodzone
Recursing into linked image: zone:testzone

            Packages to update: 11
       Create boot environment: No
Create backup boot environment: No

Returning from linked image: zone:testzone

DOWNLOAD		PKGS		FILES		XFER (MB)
Completed		13/13		350/350		13.2/13.2

PHASE				ACTIONS
Removal Phase			120/120
Install Phase			109/109
Update Phase			935/935

PHASE				  ITEMS
Package State Update Phase	  26/26
Package Cache Update Phase	  13/13
Image State Update Phase	    2/2

Recursing into linked image: zone:devzone
DOWNLOAD		PKGS		FILES		XFER (MB)
Completed		11/11		79/79		  2.1/2.1

PHASE				ACTIONS
Removal Phase			  97/97
Install Phase			  88/88
Update Phase			630/630

PHASE				  ITEMS
Package State Update Phase	  22/22
Package Cache Update Phase	  11/11
Image State Update Phase	    2/2
Returning from linked image: zone:devzone
Recursing into linked image: zone:prodzone
DOWNLOAD		PKGS		FILES		XFER (MB)
Completed		11/11		79/79		  2.1/2.1

PHASE				ACTIONS
Removal Phase			  97/97
Install Phase			  88/88
Update Phase			630/630

PHASE				  ITEMS
Package State Update Phase	  22/22
Package Cache Update Phase	  11/11
Image State Update Phase	    2/2
Returning from linked image: zone:prodzone
Recursing into linked image: zone:testzone
DOWNLOAD		PKGS		FILES		XFER (MB)
Completed		11/11		79/79		  2.1/2.1

PHASE				ACTIONS
Removal Phase			  97/97
Install Phase			  88/88
Update Phase			630/630

PHASE				  ITEMS
Package State Update Phase	  22/22
Package Cache Update Phase	  11/11
Image State Update Phase	    2/2
Returning from linked image: zone:testzone

A clone of solaris exists and has been updated and activated.
On the next boot the Boot Environment solaris-1 will be
mounted on '/'.  Reboot when ready to switch to this updated BE.


---------------------------------------------------------------------------
NOTE: Please review release notes posted at:

http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=SERNS
---------------------------------------------------------------------------

As we can see from Listing 7, a new global zone BE was created during the update. Let's quickly log in to one of our non-global zones and see what zone BEs have been created:

# beadm list
BE        Active Mountpoint Space  Policy Created
--        ------ ---------- -----  ------ -------
solaris   NR     /          346.5K static 2011-11-29 01:19
solaris-1 !R     -          86.43M static 2011-11-29 03:35

Notice that a new BE called solaris-1 was created for this zone, but the output indicates this BE is currently unbootable (as indicated by ! in the Active column). This is because zone BEs have a child relationship to the global zone BE; we cannot boot into this new BE in the zone until we boot into the global zone BE. After we reboot, the output looks like the following:

# beadm list
BE        Active Mountpoint Space   Policy Created
--        ------ ---------- -----   ------ -------
solaris   !R     -          2.63M   static 2011-11-29 01:19
solaris-1 NR     /          108.31M static 2011-11-29 03:35

Browsing the Oracle Solaris 11 Supported Repository Using Firefox

As we saw above, we needed to install a certificate and key pair on a system prior to being able to connect to the Oracle Solaris 11 Supported repository and install packages from it. A further set of steps is required if you want to browse the repository through the Firefox Web browser.

In this case, we'll be adding the certificate on Apple OSX, but the same principle applies to any operating system from which we want to browse. First, we use the openssl command to export a PKCS#12 formatted certificate file (.p12) that Firefox can consume. You will be asked for a password; choose something you can quickly remember because you will need it when adding the certificate in Firefox.

# openssl pkcs12 -in ~/Desktop/Oracle_Solaris_11_Support.certificate.pem \
-inkey ~/Desktop/Oracle_Solaris_11_Support.key.pem \
-export > ~/Desktop/Oracle_Solaris_11_Support_Certificate.p12
Enter Export Password: Verifying - Enter Export Password:

Once you have successfully created this new file, open up the Firefox Options dialog box, click Advanced, and then click Encryption, as shown in Figure 5.

Figure 5

Figure 5. Viewing the Firefox Encryption Preferences

Then click View Certificates and click the Your Certificates tab, as shown in Figure 6.

Figure 6

Figure 6. Viewing Your Certificates in Firefox

Finally, click the Import button and choose the Oracle_Solaris_11_Support_Certificate.p12 file that's located in the Desktop folder, and the certificate will be added, as shown in Figure 7.

Figure 7

Figure 7. Newly Added Certificate in Firefox

Once you have successfully added the certificate, you can browse https://pkg.oracle.com/solaris/support, as shown in Figure 8.

Figure 8

Figure 8. Browsing the Oracle Solaris 11 Supported Repository in Firefox

Summary

Image Packaging System is a new package management system in Oracle Solaris 11 that provides a much-improved and automated way of maintaining system software across the data center. IPS integrates package and patch management into a single interface and provides for safe system upgrades by utilizing boot environments and ZFS snapshot and clone capabilities.

IPS also takes much of the complexity out of managing Oracle Solaris by providing improved automation across multiple virtualized environments that use Oracle Solaris Zones. With an active Oracle support agreement, connecting to the Oracle Solaris 11 supported repository is easy and provides you with a regular channel for system updates to help keep systems secure and free of issues.

See Also

About the Author

Glynn Foster is a Principal Product Manager for Oracle Solaris and works on technology areas including the Image Packaging System and Service Management Facility. Glynn joined Oracle in 2010 as part of the Sun Microsystems acquisition.

Revision 1.0, 03/29/2012

Follow us on Facebook, Twitter, or Oracle Blogs.