Introducing the Basics of Image Packaging System (IPS) on Oracle Solaris 11

Published November 2011, updated June 2018

by Glynn Foster

How to administer an Oracle Solaris 11 system using IPS, including how to deal with software package repositories, install and uninstall packages, and update systems.


Oracle Solaris 11 takes a new approach to lifecycle and package management to greatly simplify the process of managing system software helping to reduce the risk of operating system maintenance, including reducing unplanned and planned downtime. With Image Packaging System (IPS), administrators can install and update software from locally connected or remote software package repositories using a much-improved and modernized process.

OTN is all about helping you become familiar enough with Oracle technologies to make an informed decision. Articles, software downloads, documentation, and more. Join up and get the technical resources you need to do your job.

This article covers the basics of administering an Oracle Solaris 11 system using IPS. To learn more about IPS, check out a variety of content at the Lifecycle Management Technology Spotlight page on Oracle Technology Network. Also see the Oracle Solaris 11 Cheat Sheet for Image Packaging System.

An Overview of IPS

Before we begin to dive into the administrative details of IPS, let's briefly review some of the benefits of the new approach.

In previous releases of the Oracle Solaris platform, administrators used SVR4 packaging to install software onto a system, and then they used a different set of commands to install patches to update the system. As Oracle Solaris evolved to include new technologies, such as Oracle Solaris Zones, Oracle Solaris ZFS, and Solaris Service Management Facility (SMF), previously used processes for managing system updates and upgrades became more complex. With thousands of operating system instances installed in some of today's large virtualized data centers, manual methods of tracking and installing patches can result in errors that negatively affect application availability and security.

IPS is an integrated solution that helps automate and ease the complexity of managing system software on Oracle Solaris 11 by integrating patching with package updates. It relies on a network-centric and efficient approach with automatic software dependency checking and validation, and it builds on the foundation of ZFS as the default root file system. Using IPS, administrators can easily and reliably install or replicate an exact set of software package versions across many different client machines, and get a much clearer understanding of any differences between software versions installed on a system.

With ZFS's ability to snapshot and clone a given file system with little or no overhead, IPS establishes a much safer system update by applying changes to a clone or alternate boot environment so that updates can be done while a system is running services in a production environment. When a planned maintenance window can be scheduled, administrators can simply reboot the system into the new boot environment to get up and running faster with much lower system downtime. If administrators experience any problems with a new environment, they can simply bring the system down and back into the older boot environment.

Additionally, administration across any zones created on the system is much improved because the system automatically ensures that software package versions within a non-global zone are consistent with the global zone.

The IPS Command Line

There are several commands administrators can use from the command line to administer a system or create a package repository and populate it with software packages. Table 1 provides a quick summary of the different command line options that are available.

Table 1: Summary of IPS Commands
General administration
pkg Packaging client
Package creation and publication
pkgrepo Repository management utility
pkgrecv Content retrieval utility
pkgsend Package creation and publication
pkgdiff Package manifest comparing utility
pkgmerge Package merging utility
pkgmogrify Package manifest transmogrifying utility
pkgfmt Package manifest formatting utility
pkgsign Package signing utility
pkglint Package linting utility

In this article, we will take a closer look at the pkg command.

Configuring Repositories

IPS is a network-centric package management solution. Software developers, or publishers, make their software available in software package repositories from which administrators can install to their systems. Oracle Solaris 11 installations are configured to have a default publisher, solaris, which supplies software packages from the "release" repository: http://pkg.oracle.com/solaris/release. Administrators can install new software packages from this repository, search for package content, or mirror the contents of this repository locally if they are in a network-restricted environment within their data center. Administrators can quickly see what configuration a system has by using the pkg publisher command:

# pkg publisher
PUBLISHER	TYPE	STATUS	URI
solaris		origin	online	http://pkg.oracle.com/solaris/release/

Administrators can also quickly query some basic information about this repository using the pkgrepo info command, or they can load the repository URL into their Web browser:

# pkgrepo info -s http://pkg.oracle.com/solaris/release/
PUBLISHER PACKAGES STATUS           UPDATED
solaris   6143     online           2018-04-15T00:45:52.227891Z

Here we see that this repository is currently online with 4044 packages, and the output shows a time stamp of when the repository was last updated.

Note that for production systems you will want to point to the "support" repository: http://pkg.oracle.com/solaris/support. This way you can pick up the latest updates and fixes. For more information about how configure this please refer to this OTN article and the Oracle documentation.

Additionally, administrators can choose to add new publishers to their configuration to allow them to install software packages from other publisher sources by using the pkg set-publisher command:

# pkg set-publisher -p http://10.1.1.5
# pkg publisher
PUBLISHER       TYPE    STATUS  URI
solaris         origin  online  http://pkg.oracle.com/solaris/release/
myrepo          origin  online  http://10.1.1.5

In this case, we're adding a new publisher from a system with IP address 10.1.1.5 that contains the software packages necessary for some in-house development. The -p option automatically retrieves publisher configuration information from the specified address. We could have provided this manually using other command line options. For more on how to create your own packages and repository please refer to this OTN article and the Oracle documentation.

Configuring new publishers or updating existing ones becomes especially important to administrators in environments where there are network restrictions about what systems can access external repositories and administrators are forced to set up an internal mirror in their data center (this will be covered later). Publishers can easily be modified, prioritized, or removed using the pkg set-publisher and pkg unset-publisher commands.

Administrators who configure additional publishers in the global zone automatically expose these publishers in any non-global zones. These publishers (also known as system publishers) are special because they are relied upon to ensure that non-global zones and the global zone are kept in sync and cannot be modified (or deleted) in the non-global zone.

Installing Additional Packages

Once we have configured our repository, we can easily install software packages using the pkg install command. If we want to see what changes would be made to the system without installing anything, we can use the -nv option. In Listing 1, we do a dry-run install of the GCC GNU C compiler package using pkg install -nv.

Listing 1: Doing a Dry-Run Install of the GCC GNU C Compiler Package and Dependencies
# pkg install -nv gcc
           Packages to install:         2
     Estimated space available:  19.15 GB
Estimated space to be consumed: 300.04 MB
       Create boot environment:        No
Create backup boot environment:        No
          Rebuild boot archive:        No

Changed packages:
solaris
  developer/gcc
    None -> 5.4.0,5.11-0.175.3.22.0.1.0:20170620T160441Z
  developer/gcc-5
    None -> 5.4.0,5.11-0.175.3.22.0.1.0:20170620T160440Z

As we can see from the output, only a single package needs to be installed and it takes 300 MB. You can also see that no new boot environments are created, one service is restarted, and the system doesn't require the boot archive to be rebuilt.

By default, installing a package does not require a new boot environment to be created unless the package itself explicitly requires a reboot of the system. If a package operation is applied to the current boot environment and affects the state of the kernel, a backup boot environment is created for safety but it is not activated. Once you are happy with the proposed changes to the system, you can carry out the installation by removing the -nv option. In Listing 2, we install the GCC GNU C compiler package.

Listing 2: Installing the GCC GNU C Compiler Package and Dependencies
# pkg install gcc
           Packages to install:  2
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                2/2           6/6      0.0/0.0  9.6k/s

PHASE                                          ITEMS
Installing new actions                         38/38
Updating package state database                 Done 
Updating package cache                           0/0 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2

Administrators who wish to install a package into an alternative boot environment can do so by using a simple extension of the pkg install command. In Listing 3, we install the GCC GNU C compiler package into a new boot environment called gcc-be.

Listing 3: Installing the GCC GNU C Compiler Package and Dependencies into a New Boot Environment
# pkg install --be-name gcc-be gcc
root@solaris:~# pkg install --be-name gcc-be gcc
           Packages to install:   1
       Create boot environment: Yes
Create backup boot environment:  No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1           3/3      0.0/0.0  7.9k/s

PHASE                                          ITEMS
Installing new actions                         17/17
Updating package state database                 Done 
Updating package cache                           0/0 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 

A clone of test-repo exists and has been updated and activated.
On the next boot the Boot Environment gcc-be will be
mounted on '/'.  Reboot when ready to switch to this updated BE.

Updating package cache                           2/2 
root@solaris:~# beadm list
BE        Flags Mountpoint Space   Policy Created          
--        ----- ---------- -----   ------ -------          
gcc-be    R     -          15.75G  static 2018-06-14 15:29 
solaris   N     /          4.97M   static 2018-06-01 17:04 
solaris-1 -     -          3.65G   static 2018-06-03 23:15 

Remember that each package operation automatically creates a ZFS snapshot of the file system to revert to in case the operation fails. Since ZFS snapshots and clones (or boot environments) have virtually zero overhead, it is recommended that administrators use them as part of their day-to-day best practices for administering a system. The beam list command shows the boot environments on the system. Note the R indicating which boot environment will be booted next time.

Understanding the Package FMRI

Each software package is uniquely described by an FMRI (Fault Management Resource Indicator), which is used to define the name, version, and publisher of a package. We saw part of an FMRI in Listing 1 (pkg install -nv gcc). In this case, the full FMRI is pkg://solaris/developer/gcc@5.4.0,5.11-0.175.3.22.0.1.0:20170620T160441Z. Table 2 describes the different segments of this FMRI.

Table 2. FMRI Segments
FMRI Segment Description
pkg:// FMRI scheme
solaris Publisher
developer/gcc Package name
5.4.0 Component version
5.11 Build version
0.175.3.22.0.1.0 Branch version
20170620T160441Z Package time stamp (ISO 8601 UTC format)

The component, build, and branch versions are all sequences of dot-separated integers.

If there are alternative packages that also match the gcc, you might need to further qualify what should be installed using any of the following commands, which are shown in increasing order of qualification:

# pkg install developer/gcc
# pkg install pkg:/developer/gcc
# pkg install pkg://solaris/developer/gcc
# pkg install pkg://solaris/developer/gcc@5.4.0
# pkg install pkg://solaris/developer/gcc-3@5.4.0,5.11-0.175.3.22.0.1.0:20170620T160441Z

For all package commands, it is possible to use the fully defined package FMRI.

Uninstalling Packages

Using the pkg uninstall command, uninstalling a package is as simple as installing one, as shown in Listing 4.

Listing 4: Uninstalling a Package
# pkg uninstall gcc
root@solaris:~# pkg uninstall gcc
            Packages to remove:  1
       Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                           17/17
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2

Uninstalling a package does not recursively uninstall any of its package dependencies.

Installing Packages in Oracle Solaris Zones

Software can also be installed and uninstalled in any non-global zones. Depending on the type of package being installed, it might be necessary for the package to be installed in the global zone first, which is usually the case for kernel components and drivers.

One of the unique capabilities of IPS is ensuring that all software versions on the system, whether they are installed in the global zone or non-global zones, are consistent with each other to ensure a working system. All package publishers that are configured in the global zone are automatically exposed in all non-global zones as system publishers, allowing individual non-global zone administrators to install additional packages independent of other non-global zones. System publishers are non-configurable and cache software packages as they are being installed so that the software does not need to be downloaded again over the network if it is required in other non-global zones. Administrators can also choose to configure new publishers in any non-global zones.

For the use cases where you actually want to independently update and patch an individual zone you can also use Kernel Zones, which can bee updated and controlled completely independently. For more information please refer to the Oracle documentation. And for the use cases where you want to run Oracle Solaris 10 environments inside a zone you can use Oracle Solaris 10 Zones. For more information please refer to the Oracle documentation.

Getting Information About a Package

Determining what packages are installed on a given system, determining whether there are any updates available for those packages, and getting details about the packages themselves is also easy to do with IPS. To list packages that are installed on the system, use the pkg list command:

# pkg list
NAME (PUBLISHER)                                  VERSION                    IFO
archiver/gnu-tar                                  1.27.1-0.175.3.0.0.30.0    i--
compress/bzip2                                    1.0.6-0.175.3.0.0.30.0     i--
compress/gzip                                     1.5-0.175.3.0.0.30.0       i--
compress/p7zip                                    9.20.1-0.175.3.0.0.30.0    i--
compress/pbzip2                                   1.1.6-0.175.3.0.0.30.0     i--
compress/pigz                                     2.2.5-0.175.3.0.0.30.0     i--
compress/pixz                                     1.0-0.175.3.0.0.30.0       i--
compress/unzip                                    6.0-0.175.3.0.0.30.0       i--
compress/xz                                       5.0.1-0.175.3.0.0.30.0     i--
compress/zip                                      3.0-0.175.3.0.0.30.0       i--
consolidation/X/X-incorporation                   0.5.11-0.175.3.1.0.2.1489  i--
....

The output of the command lists the package name, the package version, and the status of the package.

An i in the I column indicates that the package is installed. An f in the F column indicates that the package is frozen. An o in the O column indicates that this version of the package is obsolete (meaning that it cannot be installed, and, if upgraded to, would be removed), and an r in the O column indicates that the package is now available under a new name. Package freezing, obsolescence, and renaming are covered in the IPS Administration Guide.

We can take this a step further by listing some information about a particular package using the pkg info command shown in Listing 5.

Listing 5: Listing Information About a Particular Package
# pkg info gzip
          Name: compress/gzip
       Summary: GNU Zip (gzip)
   Description: The GNU Zip (gzip) compression utility
      Category: Applications/System Utilities
         State: Installed
     Publisher: solaris
       Version: 1.5
 Build Release: 5.11
        Branch: 0.175.3.0.0.30.0
Packaging Date: August 21, 2015 04:14:46 PM 
          Size: 411.55 kB
          FMRI: pkg://solaris/compress/gzip@1.5,5.11-0.175.3.0.0.30.0:20150821T161446Z

By default, this command only lists information about installed packages on the system; however, we can use a similar command to look up information about uninstalled packages, as shown in Listing 6.

Listing 6: Listing Information About an Uninstalled Package
# pkg info -r php-53
          Name: web/php-53
       Summary: 
         State: Not installed (Obsolete)
     Publisher: solaris
       Version: 5.3.29
 Build Release: 5.11
        Branch: 0.175.3.24.0.1.0
Packaging Date: August 11, 2017 09:43:52 PM 
          Size: 5.46 kB
          FMRI: pkg://solaris/web/php-53@5.3.29,5.11-0.175.3.24.0.1.0:20170811T214352Z

Taking this a step further, we can easily list the contents of a given package using the pkg contents command, as shown in Listing 7.

Listing 7: Listing the Contents of a Package
# pkg contents gzip
PATH
usr/bin/gunzip
usr/bin/gzcat
usr/bin/gzcmp
usr/bin/gzdiff
usr/bin/gzegrep
usr/bin/gzexe
usr/bin/gzfgrep
usr/bin/gzforce
usr/bin/gzgrep
usr/bin/gzip
usr/bin/gzless
usr/bin/gzmore
usr/bin/gznew
....

Searching for Package Content

A huge advantage of IPS is the ability to connect to a package repository and easily search for specific things, such as the name of the package to which a particular file belongs. In its simplest form, you can use the pkg search command to search across any packages that are currently installed and any that are in configured publishers, as follows:

# pkg search stdio.h
INDEX      ACTION VALUE                                                               PACKAGE
basename   file   usr/gcc/4.5/include/c++/4.5.2/tr1/stdio.h                           pkg:/developer/gcc-45@4.5.2-0.175.3.0.0.30.0
basename   file   usr/gcc/4.5/lib/gcc/i386-pc-solaris2.11/4.5.2/include/ssp/stdio.h   pkg:/developer/gcc-45@4.5.2-0.175.3.0.0.30.0
basename   file   usr/gcc/4.5/lib/gcc/sparc-sun-solaris2.11/4.5.2/include/ssp/stdio.h pkg:/developer/gcc-45@4.5.2-0.175.3.0.0.30.0
basename   file   usr/include/ast/stdio.h                                             pkg:/shell/ksh@0.5.11-0.175.0.9.0.2.1
basename   file   usr/gcc/4.7/lib/gcc/sparc-sun-solaris2.11/4.7.3/include/ssp/stdio.h pkg:/developer/gcc-4/gcc-common-47@4.7.3-0.175.3.0.0.30.0
basename   file   usr/gcc/4.7/lib/gcc/i386-pc-solaris2.11/4.7.3/include/ssp/stdio.h   pkg:/developer/gcc-4/gcc-common-47@4.7.3-0.175.3.0.0.30.0
...

In the results, we can see that there are four files that match the search, which come from three different packages. Like many other IPS commands, the type of output can be controlled by using the pkg search -o command with the appropriate values. This will be covered in more detail in another article.

Updating a System

Now that we've covered the basics of configuring publishers, installing and uninstalling packages, and searching for package content, let's look at how we update a system in a single step. We can use the pkg update -nv command to do a dry-run or the pkg update command to bring a system's software up to date.

Listing 8: Updating a System
# pkg update --accept 
------------------------------------------------------------
Package: pkg://solaris/consolidation/osnet/osnet-incorporation@0.5.11,5.11-0.175.3.32.0.4.0:20180426T184953Z
License: lic_OTN

You acknowledge that your use of this Oracle Solaris software product
is subject to, and may not exceed the use for which you are authorized,
(i) the license or cloud services terms that you accepted when you
obtained the right to use Oracle Solaris software; or (ii) the license
terms that you agreed to when you placed your Oracle Solaris software
order with Oracle; or (iii) the Oracle Solaris software license terms
included with the hardware that you acquired from Oracle; or, if (i),
(ii) or (iii) are not applicable, then, (iv) the OTN License Agreement
for Oracle Solaris (which you acknowledge you have read and agree to)
available at
http://www.oracle.com/technetwork/licenses/solaris-cluster-express-license-167852.html.
Note: Software downloaded for trial use or downloaded as replacement 
media may not be used to update any unsupported software.



            Packages to remove:  27
           Packages to install:  34
            Packages to update: 451
            Packages to change:   1
           Mediators to change:   1
       Create boot environment: Yes
Create backup boot environment:  No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                            513/513   33972/33972  816.9/816.9  2.6M/s

PHASE                                          ITEMS
Removing old actions                     11752/11752
Installing new actions                   19690/19690
Updating modified actions                21039/21039
Updating package state database                 Done 
Updating package cache                       478/478 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           1/1 

A clone of solaris exists and has been updated and activated.
On the next boot the Boot Environment solaris-2 will be
mounted on '/'.  Reboot when ready to switch to this updated BE.

Updating package cache                           1/1 

---------------------------------------------------------------------------
NOTE: Please review release notes posted at:

http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=SERNS
---------------------------------------------------------------------------

This command will usually create a new boot environment if kernel components are being updated, as is the case in Listing 8. Changes are applied to the new boot environment and the boot environment is activated on the next system reboot. You can easily switch between boot environments if the update causes an undesirable result.

Note the --accept is needed in this case to accept any new licenses for software added between updates.

It is also important to note that an update depends on what existing package dependencies are present on the system. For example, an administrator may have chosen to freeze the content of a package because a specific version was required to always be present for business-critical application. If such a situation, a pkg update might not do quite what you'd expect, or it might not have apply any updates to the system, even if you know that newer versions of packages are available.

When a system update is being applied, all non-global zones are automatically updated as well. IPS recursively updates each non-global zone in turn to match the same set of software versions that are present in the global zone. The update will also create new zone boot environments for each non-global zone as necessary.

Summary

The Oracle Solaris 11 Image Packaging System is a major advancement in software management providing an integrated user experience and improved safety for system updates. IPS takes much of the complexity out of managing Oracle Solaris by providing improved automation and auditing, allowing administrators to flexibly manage multiple application environments across virtualized and non-virtualized instances of the operating system.

For More Information

Revision 1.1, 06/15/2018
Revision 1.0, 10/27/2011