Published November 2011, updated June 2018
by Glynn Foster
Oracle Solaris 11 takes a new approach to lifecycle and package management to greatly simplify the process of managing system software helping to reduce the risk of operating system maintenance, including reducing unplanned and planned downtime. With Image Packaging System (IPS), administrators can install and update software from locally connected or remote software package repositories using a much-improved and modernized process.
This article covers the basics of administering an Oracle Solaris 11 system using IPS. To learn more about IPS, check out a variety of content at the Lifecycle Management Technology Spotlight page on Oracle Technology Network. Also see the Oracle Solaris 11 Cheat Sheet for Image Packaging System.
Before we begin to dive into the administrative details of IPS, let's briefly review some of the benefits of the new approach.
In previous releases of the Oracle Solaris platform, administrators used SVR4 packaging to install software onto a system, and then they used a different set of commands to install patches to update the system. As Oracle Solaris evolved to include new technologies, such as Oracle Solaris Zones, Oracle Solaris ZFS, and Solaris Service Management Facility (SMF), previously used processes for managing system updates and upgrades became more complex. With thousands of operating system instances installed in some of today's large virtualized data centers, manual methods of tracking and installing patches can result in errors that negatively affect application availability and security.
IPS is an integrated solution that helps automate and ease the complexity of managing system software on Oracle Solaris 11 by integrating patching with package updates. It relies on a network-centric and efficient approach with automatic software dependency checking and validation, and it builds on the foundation of ZFS as the default root file system. Using IPS, administrators can easily and reliably install or replicate an exact set of software package versions across many different client machines, and get a much clearer understanding of any differences between software versions installed on a system.
With ZFS's ability to snapshot and clone a given file system with little or no overhead, IPS establishes a much safer system update by applying changes to a clone or alternate boot environment so that updates can be done while a system is running services in a production environment. When a planned maintenance window can be scheduled, administrators can simply reboot the system into the new boot environment to get up and running faster with much lower system downtime. If administrators experience any problems with a new environment, they can simply bring the system down and back into the older boot environment.
Additionally, administration across any zones created on the system is much improved because the system automatically ensures that software package versions within a non-global zone are consistent with the global zone.
There are several commands administrators can use from the command line to administer a system or create a package repository and populate it with software packages. Table 1 provides a quick summary of the different command line options that are available.Table 1: Summary of IPS Commands
| ||Packaging client|
|Package creation and publication|
| ||Repository management utility|
| ||Content retrieval utility|
| ||Package creation and publication|
| ||Package manifest comparing utility|
| ||Package merging utility|
| ||Package manifest transmogrifying utility|
| ||Package manifest formatting utility|
| ||Package signing utility|
| ||Package linting utility|
In this article, we will take a closer look at the
IPS is a network-centric package management solution. Software developers, or publishers, make their software available in software package repositories from which administrators can install to their systems. Oracle Solaris 11 installations are configured to have a default publisher,
solaris, which supplies software packages from the "release" repository:
http://pkg.oracle.com/solaris/release. Administrators can install new software packages from this repository, search for package content, or mirror the contents of this repository locally if they are in a network-restricted environment within their data center. Administrators can quickly see what configuration a system has by using the
pkg publisher command:
# pkg publisher PUBLISHER TYPE STATUS URI solaris origin online http://pkg.oracle.com/solaris/release/
Administrators can also quickly query some basic information about this repository using the
pkgrepo info command, or they can load the repository URL into their Web browser:
# pkgrepo info -s http://pkg.oracle.com/solaris/release/ PUBLISHER PACKAGES STATUS UPDATED solaris 6143 online 2018-04-15T00:45:52.227891Z
Here we see that this repository is currently online with 4044 packages, and the output shows a time stamp of when the repository was last updated.
Note that for production systems you will want to point to the "support" repository:
http://pkg.oracle.com/solaris/support. This way you can pick up the latest updates and fixes. For more information about how configure this please refer to this OTN article and the Oracle documentation.
Additionally, administrators can choose to add new publishers to their configuration to allow them to install software packages from other publisher sources by using the
pkg set-publisher command:
# pkg set-publisher -p http://10.1.1.5 # pkg publisher PUBLISHER TYPE STATUS URI solaris origin online http://pkg.oracle.com/solaris/release/ myrepo origin online http://10.1.1.5
In this case, we're adding a new publisher from a system with IP address 10.1.1.5 that contains the software packages necessary for some in-house development. The
-p option automatically retrieves publisher configuration information from the specified address. We could have provided this manually using other command line options. For more on how to create your own packages and repository please refer to this OTN article and the Oracle documentation.
Configuring new publishers or updating existing ones becomes especially important to administrators in environments where there are network restrictions about what systems can access external repositories and administrators are forced to set up an internal mirror in their data center (this will be covered later). Publishers can easily be modified, prioritized, or removed using the
pkg set-publisher and
pkg unset-publisher commands.
Administrators who configure additional publishers in the global zone automatically expose these publishers in any non-global zones. These publishers (also known as system publishers) are special because they are relied upon to ensure that non-global zones and the global zone are kept in sync and cannot be modified (or deleted) in the non-global zone.
Once we have configured our repository, we can easily install software packages using the
pkg install command. If we want to see what changes would be made to the system without installing anything, we can use the
-nv option. In Listing 1, we do a dry-run install of the GCC GNU C compiler package using
pkg install -nv.
# pkg install -nv gcc Packages to install: 2 Estimated space available: 19.15 GB Estimated space to be consumed: 300.04 MB Create boot environment: No Create backup boot environment: No Rebuild boot archive: No Changed packages: solaris developer/gcc None -> 5.4.0,5.11-0.175.3.22.0.1.0:20170620T160441Z developer/gcc-5 None -> 5.4.0,5.11-0.175.3.22.0.1.0:20170620T160440Z
As we can see from the output, only a single package needs to be installed and it takes 300 MB. You can also see that no new boot environments are created, one service is restarted, and the system doesn't require the boot archive to be rebuilt.
By default, installing a package does not require a new boot environment to be created unless the package itself explicitly requires a reboot of the system. If a package operation is applied to the current boot environment and affects the state of the kernel, a backup boot environment is created for safety but it is not activated. Once you are happy with the proposed changes to the system, you can carry out the installation by removing the
-nv option. In Listing 2, we install the GCC GNU C compiler package.
# pkg install gcc Packages to install: 2 Create boot environment: No Create backup boot environment: No DOWNLOAD PKGS FILES XFER (MB) SPEED Completed 2/2 6/6 0.0/0.0 9.6k/s PHASE ITEMS Installing new actions 38/38 Updating package state database Done Updating package cache 0/0 Updating image state Done Creating fast lookup database Done Updating package cache 2/2
Administrators who wish to install a package into an alternative boot environment can do so by using a simple extension of the
pkg install command. In Listing 3, we install the GCC GNU C compiler package into a new boot environment called
# pkg install --be-name gcc-be gcc root@solaris:~# pkg install --be-name gcc-be gcc Packages to install: 1 Create boot environment: Yes Create backup boot environment: No DOWNLOAD PKGS FILES XFER (MB) SPEED Completed 1/1 3/3 0.0/0.0 7.9k/s PHASE ITEMS Installing new actions 17/17 Updating package state database Done Updating package cache 0/0 Updating image state Done Creating fast lookup database Done Updating package cache 2/2 A clone of test-repo exists and has been updated and activated. On the next boot the Boot Environment gcc-be will be mounted on '/'. Reboot when ready to switch to this updated BE. Updating package cache 2/2 root@solaris:~# beadm list BE Flags Mountpoint Space Policy Created -- ----- ---------- ----- ------ ------- gcc-be R - 15.75G static 2018-06-14 15:29 solaris N / 4.97M static 2018-06-01 17:04 solaris-1 - - 3.65G static 2018-06-03 23:15
Remember that each package operation automatically creates a ZFS snapshot of the file system to revert to in case the operation fails. Since ZFS snapshots and clones (or boot environments) have virtually zero overhead, it is recommended that administrators use them as part of their day-to-day best practices for administering a system. The
beam list command shows the boot environments on the system. Note the
R indicating which boot environment will be booted next time.
Each software package is uniquely described by an FMRI (Fault Management Resource Indicator), which is used to define the name, version, and publisher of a package. We saw part of an FMRI in Listing 1 (
pkg install -nv gcc). In this case, the full FMRI is
pkg://email@example.com,5.11-0.175.3.22.0.1.0:20170620T160441Z. Table 2 describes the different segments of this FMRI.
| ||FMRI scheme|
| ||Package name|
| ||Component version|
| ||Build version|
| ||Branch version|
| ||Package time stamp (ISO 8601 UTC format)|
The component, build, and branch versions are all sequences of dot-separated integers.
If there are alternative packages that also match the
gcc, you might need to further qualify what should be installed using any of the following commands, which are shown in increasing order of qualification:
# pkg install developer/gcc # pkg install pkg:/developer/gcc # pkg install pkg://solaris/developer/gcc # pkg install pkg://firstname.lastname@example.org # pkg install pkg://email@example.com,5.11-0.175.3.22.0.1.0:20170620T160441Z
For all package commands, it is possible to use the fully defined package FMRI.
pkg uninstall command, uninstalling a package is as simple as installing one, as shown in Listing 4.
# pkg uninstall gcc root@solaris:~# pkg uninstall gcc Packages to remove: 1 Create boot environment: No Create backup boot environment: No PHASE ITEMS Removing old actions 17/17 Updating package state database Done Updating package cache 1/1 Updating image state Done Creating fast lookup database Done Updating package cache 2/2
Uninstalling a package does not recursively uninstall any of its package dependencies.
Software can also be installed and uninstalled in any non-global zones. Depending on the type of package being installed, it might be necessary for the package to be installed in the global zone first, which is usually the case for kernel components and drivers.
One of the unique capabilities of IPS is ensuring that all software versions on the system, whether they are installed in the global zone or non-global zones, are consistent with each other to ensure a working system. All package publishers that are configured in the global zone are automatically exposed in all non-global zones as system publishers, allowing individual non-global zone administrators to install additional packages independent of other non-global zones. System publishers are non-configurable and cache software packages as they are being installed so that the software does not need to be downloaded again over the network if it is required in other non-global zones. Administrators can also choose to configure new publishers in any non-global zones.
For the use cases where you actually want to independently update and patch an individual zone you can also use Kernel Zones, which can bee updated and controlled completely independently. For more information please refer to the Oracle documentation. And for the use cases where you want to run Oracle Solaris 10 environments inside a zone you can use Oracle Solaris 10 Zones. For more information please refer to the Oracle documentation.
Determining what packages are installed on a given system, determining whether there are any updates available for those packages, and getting details about the packages themselves is also easy to do with IPS. To list packages that are installed on the system, use the
pkg list command:
# pkg list NAME (PUBLISHER) VERSION IFO archiver/gnu-tar 1.27.1-0.175.3.0.0.30.0 i-- compress/bzip2 1.0.6-0.175.3.0.0.30.0 i-- compress/gzip 1.5-0.175.3.0.0.30.0 i-- compress/p7zip 9.20.1-0.175.3.0.0.30.0 i-- compress/pbzip2 1.1.6-0.175.3.0.0.30.0 i-- compress/pigz 2.2.5-0.175.3.0.0.30.0 i-- compress/pixz 1.0-0.175.3.0.0.30.0 i-- compress/unzip 6.0-0.175.3.0.0.30.0 i-- compress/xz 5.0.1-0.175.3.0.0.30.0 i-- compress/zip 3.0-0.175.3.0.0.30.0 i-- consolidation/X/X-incorporation 0.5.11-0.175.3.1.0.2.1489 i-- ....
The output of the command lists the package name, the package version, and the status of the package.
i in the
I column indicates that the package is installed. An
f in the
F column indicates that the package is frozen. An
o in the
O column indicates that this version of the package is obsolete (meaning that it cannot be installed, and, if upgraded to, would be removed), and an
r in the
O column indicates that the package is now available under a new name. Package freezing, obsolescence, and renaming are covered in the IPS Administration Guide.
We can take this a step further by listing some information about a particular package using the
pkg info command shown in Listing 5.
# pkg info gzip Name: compress/gzip Summary: GNU Zip (gzip) Description: The GNU Zip (gzip) compression utility Category: Applications/System Utilities State: Installed Publisher: solaris Version: 1.5 Build Release: 5.11 Branch: 0.175.3.0.0.30.0 Packaging Date: August 21, 2015 04:14:46 PM Size: 411.55 kB FMRI: pkg://firstname.lastname@example.org,5.11-0.175.3.0.0.30.0:20150821T161446Z
By default, this command only lists information about installed packages on the system; however, we can use a similar command to look up information about uninstalled packages, as shown in Listing 6.Listing 6: Listing Information About an Uninstalled Package
# pkg info -r php-53 Name: web/php-53 Summary: State: Not installed (Obsolete) Publisher: solaris Version: 5.3.29 Build Release: 5.11 Branch: 0.175.3.24.0.1.0 Packaging Date: August 11, 2017 09:43:52 PM Size: 5.46 kB FMRI: pkg://email@example.com,5.11-0.175.3.24.0.1.0:20170811T214352Z
Taking this a step further, we can easily list the contents of a given package using the
pkg contents command, as shown in Listing 7.
# pkg contents gzip PATH usr/bin/gunzip usr/bin/gzcat usr/bin/gzcmp usr/bin/gzdiff usr/bin/gzegrep usr/bin/gzexe usr/bin/gzfgrep usr/bin/gzforce usr/bin/gzgrep usr/bin/gzip usr/bin/gzless usr/bin/gzmore usr/bin/gznew ....
A huge advantage of IPS is the ability to connect to a package repository and easily search for specific things, such as the name of the package to which a particular file belongs. In its simplest form, you can use the
pkg search command to search across any packages that are currently installed and any that are in configured publishers, as follows:
# pkg search stdio.h INDEX ACTION VALUE PACKAGE basename file usr/gcc/4.5/include/c++/4.5.2/tr1/stdio.h pkg:/firstname.lastname@example.org basename file usr/gcc/4.5/lib/gcc/i386-pc-solaris2.11/4.5.2/include/ssp/stdio.h pkg:/email@example.com basename file usr/gcc/4.5/lib/gcc/sparc-sun-solaris2.11/4.5.2/include/ssp/stdio.h pkg:/firstname.lastname@example.org basename file usr/include/ast/stdio.h pkg:/email@example.com basename file usr/gcc/4.7/lib/gcc/sparc-sun-solaris2.11/4.7.3/include/ssp/stdio.h pkg:/firstname.lastname@example.org basename file usr/gcc/4.7/lib/gcc/i386-pc-solaris2.11/4.7.3/include/ssp/stdio.h pkg:/email@example.com ...
In the results, we can see that there are four files that match the search, which come from three different packages. Like many other IPS commands, the type of output can be controlled by using the
pkg search -o command with the appropriate values. This will be covered in more detail in another article.
Now that we've covered the basics of configuring publishers, installing and uninstalling packages, and searching for package content, let's look at how we update a system in a single step. We can use the
pkg update -nv command to do a dry-run or the
pkg update command to bring a system's software up to date.
# pkg update --accept ------------------------------------------------------------ Package: pkg://firstname.lastname@example.org,5.11-0.175.3.32.0.4.0:20180426T184953Z License: lic_OTN You acknowledge that your use of this Oracle Solaris software product is subject to, and may not exceed the use for which you are authorized, (i) the license or cloud services terms that you accepted when you obtained the right to use Oracle Solaris software; or (ii) the license terms that you agreed to when you placed your Oracle Solaris software order with Oracle; or (iii) the Oracle Solaris software license terms included with the hardware that you acquired from Oracle; or, if (i), (ii) or (iii) are not applicable, then, (iv) the OTN License Agreement for Oracle Solaris (which you acknowledge you have read and agree to) available at http://www.oracle.com/technetwork/licenses/solaris-cluster-express-license-167852.html. Note: Software downloaded for trial use or downloaded as replacement media may not be used to update any unsupported software. Packages to remove: 27 Packages to install: 34 Packages to update: 451 Packages to change: 1 Mediators to change: 1 Create boot environment: Yes Create backup boot environment: No DOWNLOAD PKGS FILES XFER (MB) SPEED Completed 513/513 33972/33972 816.9/816.9 2.6M/s PHASE ITEMS Removing old actions 11752/11752 Installing new actions 19690/19690 Updating modified actions 21039/21039 Updating package state database Done Updating package cache 478/478 Updating image state Done Creating fast lookup database Done Updating package cache 1/1 A clone of solaris exists and has been updated and activated. On the next boot the Boot Environment solaris-2 will be mounted on '/'. Reboot when ready to switch to this updated BE. Updating package cache 1/1 --------------------------------------------------------------------------- NOTE: Please review release notes posted at: http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=SERNS ---------------------------------------------------------------------------
This command will usually create a new boot environment if kernel components are being updated, as is the case in Listing 8. Changes are applied to the new boot environment and the boot environment is activated on the next system reboot. You can easily switch between boot environments if the update causes an undesirable result.
--accept is needed in this case to accept any new licenses for software added between updates.
It is also important to note that an update depends on what existing package dependencies are present on the system. For example, an administrator may have chosen to freeze the content of a package because a specific version was required to always be present for business-critical application. If such a situation, a
pkg update might not do quite what you'd expect, or it might not have apply any updates to the system, even if you know that newer versions of packages are available.
When a system update is being applied, all non-global zones are automatically updated as well. IPS recursively updates each non-global zone in turn to match the same set of software versions that are present in the global zone. The update will also create new zone boot environments for each non-global zone as necessary.
The Oracle Solaris 11 Image Packaging System is a major advancement in software management providing an integrated user experience and improved safety for system updates. IPS takes much of the complexity out of managing Oracle Solaris by providing improved automation and auditing, allowing administrators to flexibly manage multiple application environments across virtualized and non-virtualized instances of the operating system.
|Revision 1.1, 06/15/2018|
|Revision 1.0, 10/27/2011|