by Peter Dennis
Published May 2012, updated July 2018
The Oracle Support Repository contains a number of bug fixes and critical security fixes that can be applied to existing Oracle Solaris 11 installations helping to ensure that systems run without a hitch in the data center. The Support Repository is updated on a monthly basis, and these updates are called Support Repository Updates (SRU). Unlike Oracle Solaris Update releases, which include a wide range of new operating system features, the Oracle Support Repository is available only to systems under a support contract and includes a smaller set of critical changes.
This article explores more advanced use of the Image Packaging System (IPS) and assumes a basic knowledge of the update process using the
pkg(1) command-line utility. If you would like to get up to speed with IPS, read "How to Update Oracle Solaris 11 Systems From the Oracle Support Repository."
The Oracle Solaris 11 software is delivered by a set of packages, with each group of packages constrained by incorporations, which ensure that package versions are consistent (and tested) with each other. Note that an incorporation does not deliver the packages but rather it defines the versions of the packages that can be installed on the system.
Each incorporation broadly represents the functional components for the system. An example is
gnome-incorporation, which represents the GNOME desktop. You can find a complete list of the incorporations in the Packaging and Delivering Software with the Image Packaging System developer's guide. All the incorporations are in turn constrained by an incorporation called
You can upgrade from one version of an incorporation to another. When you update an incorporation, all the packages it constrains will be updated to the versions specified in the new version of the incorporation.
The Support Repository requires SSL certificates to be configured on the relevant client systems. You can obtain the SSL certificates by using the registration application here.
After you install the SSL certificates, you can access the Support Repository using the
pkg(1) command-line utility or the Package Manager graphical utility.
Bug fixes are delivered via updates to software packages. When a package is updated in an SRU, the package's version string is also incremented. You can find details about the version string in the Packaging and Delivering Software with the Image Packaging System developer's guide.
Because each package is part of an incorporation, the incorporation will be updated to include the new version of the package. This in turn means the
entire incorporation is updated to use these new incorporations.
There are several ways to update your system:
It is recommended that you regularly update your system with the latest set of changes held within the Support Repository. To do this, use the following command on a system:
# pkg update
If you need to update to only a particular SRU, when you run the
pkg update command, identify the SRU via the
entire Fault Managed Resource Identifier (FMRI) string. For example, here is the command to update to SRU#34:
# pkg update email@example.com
To list all the available SRUs, use the following command:
# pkg list -af entire
Information about the bugs fixed in each SRU is available at the My Oracle Support SRU information page (requires login).
You can update a particular package or set of packages to address issues fixed by an SRU when updating to the whole SRU is not feasible. This is not the preferred or recommended approach, but it is possible to update specific packages and incorporations.
This method utilizes the version unlocking mechanism that is documented in the Chapter 6 and Chapter 13 of the developer's guide.
Setting the appropriate version-lock facet to
false removes the constraint applied to the corresponding package by an incorporation.
Because interdependent packages must have consistent versions, not all packages can have their constraints relaxed and, if that is the case, they do not have a version-lock facet. An example of this is the indivisible core, which consists of the kernel, drivers, system libraries, and associated utilities.
It is possible that other installed components have
optional dependencies on the packages that have the version-lock facet. In this instance, it is possible that you can unset the facet but not be able to modify the version of the package on the system. If this is the case, the package system will indicate why the package cannot be changed.
At this time, setting version-lock facets might potentially take a long time. This issue is being addressed.
Version-lock facets exist on individual component packages, as well as on incorporations. Setting the latter allows you to unlock an incorporation from the rest of the system, while the packages it itself incorporates continue to be synchronized.
The following is the general form of a version-lock facet name, where
<package-name> is the name of the package to which the facet applies:
This convention might change in the future so that a single version-lock facet can be modified for a particular component that is delivered via several packages.
Some packages can be individually updated if required. Generally, these packages are ones that can be updated independently of the operating system. This approach is recommended for updating a particular package in an SRU that contains a security fix when is it not possible to update to the whole SRU.
To relax the constraint on the package, use this command:
# pkg change-facet facet.version-lock.library/security/openssl=false
It is also possible to specify the required version:
# pkg update firstname.lastname@example.org
Note that the
pkg update command above uses a subset of the full FMRI string (only enough to uniquely identify it).
Additionally, in order to prevent accidental changes to a package, you can freeze a package at the desired level:
# pkg freeze library/security/openssl
It is recommended that the reason for freezing be recorded using the
# pkg freeze -c "Update prior to SRU#34 install" library/security/openssl
Note that if the package is to be modified (moved to a different version), the freeze needs to be undone:
# pkg unfreeze library/security/openssl
There are two methods for bringing packages back in sync with the SRUs.
# pkg change-facet facet.version-lock.library/security/openssl=true
# pkg update # pkg change-facet facet.version-lock.library/security/openssl=true
# pkg search -l -o fmri ':depend:incorporate:library/security/openssl' FMRI email@example.com,5.11-0.175.3.32.0.1.0
Then update to that version and reset the version-lock facet:
# pkg update firstname.lastname@example.org,5.11-0.175.3.32.0.1 ... # pkg change-facet facet.version-lock.library/security/openssl=true
Again note that the complete FMRI string of the package was not used.
As mentioned before, it is possible to relax the constraints enforced by an incorporation. Once the constraints are relaxed, the package can be updated independently of the rest of the system. The package can then be frozen using
pkg freeze to prevent it from being updated in the future.
For example, you can avoid a system reboot by updating the desktop and kernel incorporations independently:
# pkg change-facet facet.version-lock.consolidation/desktop/desktop-incorporation=false
Then you can update the desktop incorporation independently of the rest of the system:
# pkg update desktop-incorporation
Additionally, it might be possible to update to a particular revision of the incorporation:
# pkg update email@example.com
Note: If the incorporation was unlocked and a
pkg update was performed on the system, the unlocked incorporation would be updated. This might not be desired, so you could freeze the incorporation to prevent further updates using
pkg freeze desktop-incorporation.
It is recommended that you record the reason for freezing using the
# pkg freeze -c "Standard environment 07/18" desktop-incorporation
If the incorporation needs to be changed in the future, you will need to unfreeze it:
# pkg unfreeze desktop-incorporation
There are two methods for bringing an incorporation back in sync with the SRUs:
# pkg change-facet facet.version-lock.consolidation/desktop/desktop-incorporation=true
# pkg update # pkg change-facet facet.version-lock.consolidation/desktop/desktop-incorporation=true
# pkg update firstname.lastname@example.org \
email@example.com \ ..... # pkg change-facet facet.version-lock.consolidation/desktop/desktop-incorporation=true
Packages might have cross-dependencies and, thus, require updating at the same time. The packaging software will enforce a consistent image on the system: If it cannot satisfy the dependencies, the packages will not be modified. If such a dependency exists, you need to relax the constraints of the affected packages.
The message reported by the packaging software will be of the following form:
# pkg update firstname.lastname@example.org Creating Plan \ pkg update: No matching version of package_name can be installed: Reject: pkg://email@example.com,5.11-0.175.3.34.0.5.0:... Reason: All versions matching 'require' dependency pkg:/firstname.lastname@example.org,5.11-0.175.3.32.0.4.0 are rejected
You will also need to relax the constraints of the dependent package.
To see what packages have been frozen on a system, use this command:
# pkg freeze
To see what facets have been set on a system, run this command:
# pkg facet
Peter Dennis is a Principle Engineer within the Oracle Solaris Revenue Product Engineering team. He has worked on a wide variety of technologies: file systems, volume management and backup, cluster and general end-user utilities. He is currently the technical lead for the Oracle Solaris 11 Update release.
|Revision 1.1, 07/24/2018|
|Revision 1.0, 05/14/2012|