Solaris 11 – Image
Packaging Systems – Quick Reference
What is Image the Packaging System?
The Image Packaging System (IPS) is a new
network-centric software packaging and delivery system in Oracle Solaris 11.
IPS allows efficient, observable, and controllable transitions between known
configurations of software content providing administrators with safe system
upgrade environments and better control over planned system downtime schedules.
The ZFS file system is integral to IPS,
providing administrators the ability to perform updates on a file system clones
on live production systems.
NOTE: While many IPS commands that query the
system (list, info, contents, search, history) can be performed by any user,
commands that make changes to the system image must be performed by adopting an
appropriate administrative role.
Understanding the Package FMRI
Each software package is uniquely described by an FMRI (Fault Managed
Resource Indicator), for example:
pkg://solaris/diagnostic/wireshark@1.4.2,5.11-0.174:20110128T0635Z
FMRI Segment
: Description
solaris
:
Publisher
diagnostic/wireshark :
Package name
1.4.2 Component
: version
5.11 Build
:
version
0.174 Branch
: version
20110128T0635Z :
Package time stamp
Installing Packages and Updating a System
Installing new packages on your system does not require a new boot
environment (BE) to be created. However, creating a ZFS snapshot and
clone initially consumes no additional space and is an instantaneous operation.
So it should be considered as an administrative best practice.
Install a package called diagnostic/wireshark:
# pkg install diagnostic/wireshark
Uninstall a package called diagnostic/wireshark
using a short form of the package name:
# pkg uninstall wireshark
Update all possible packages to the newest version,
including all Oracle Solaris zones:
# pkg update
Do a dry run of an update of all possible packages
to the newest version:
# pkg update -nv
Update all system packages to the newest version
and require a new BE:
# pkg update –be-name fix-nfs-issue
Getting Information or Searching for Packages
List packages currently installed on a system:
# pkg list
Show information about an installed package called
wireshark:
# pkg info wireshark
Show information about an uninstalled package
called xchat:
# pkg info -r xchat
Show the contents of an installed package called
wireshark:
# pkg contents wireshark
Show all PNG files of an installed package called
wireshark:
# pkg contents -o path -a path=\*.png wireshark
Search all locally installed packages for the match
gcc:
# pkg search -l gcc
Search all packages in the configured repositories
that contain dev header gcrypt-module.h:
# pkg search ‘gcrypt-module.h’
Search for all packages in the configured
repositories that have the classification Web Services/Application and
Web Servers:
# pkg search -o pkg.name ‘set:info.classification:*Application and Web
Servers’
Search for all packages installed locally that have
a dependency on library/libxml2:
# pkg search –l -o pkg.name ‘depend::library/libxml2′
Managing Repositories and Publishers
List currently associated publishers:
# pkg publisher
Add a publisher at a specified
repository URI:
# pkg set-publisher -p http://www.example.com/solaris11
Add a publisher:
# pkg set-publisher -g http://www.example.com/solaris11 siteapps
Remove a publisher:
# pkg unset-publisher siteapps
Query a repository URI for publisher names and
package counts:
# pkgrepo -s http://pkg.oracle.com/solaris11/release info
Change to the Oracle Solaris support repository
with pre-downloaded certificates and keys from the Oracle Solaris
release repository:
# pkg set-publisher -G
http://pkg.oracle.com/solaris11/release \
-g http://pkg.oracle.com/solaris11/support -k
/path/to/ssl_key \
-c /path/to/ssl_cert solaris
Miscellaneous Commands
Browse package command history
(includes graphical Package Manager client):
# pkg history
Purge package command history:
# pkg purge-history
Verify the integrity of the current system image:
# pkg verify
Verify the integrity of installed package called
wireshark:
# pkg verify wireshark
Fix any errors reported by pkg verify on an
installed package called wireshark:
# pkg fix wireshark
Freeze a package called wireshark to prevent any
accidental future updates:
# pkg freeze wireshar
This post helps to get some quick answers about
following questions
·
How
do I update my system to a specific Support Repository Update (SRU)?
·
How
to prevent pkg(1) from keeping a large download cache in /var/pkg/download?
·
How
to change the current publisher?
·
How
to remove a publisher via the CLI?
·
How
can I check which Support Repository Update (SRU) I have currently installed?
·
How
do I install pkgs into an alternate root?
·
How
do I configure proxy access to pkg.oracle.com?
·
How
do I check if a bug is fixed on Solaris 11?
·
How
do I list all the available package groups?
·
How
do I list the contents of a package group?
·
How
do I determine which group is installed on my system?
·
How
do I update a local repository with only the changes from a remote repository?
·
How
do I list the changes that would apply to my local repository during an update
without actually updating my local repository?
·
How
do I locate the pkg that delivers a particular file?
·
How
do I list pkg dependencies?
·
How
to Update Your Local System From a Support Repository Update (SRU) ISO
Image
·
How
to Update an Oracle Solaris 11 Package Repository
·
How
do I set the default version of pkgs that allow multiple versions to be
installed, like Java?
·
How
do I list all setuid and setgid programs?
How do I update my system to a specific Support
Repository Update (SRU)?
First, get a list of all the available versions of
the “entire” pkg (formatting modified slightly for this document):
$ pkg search entire
INDEX ACTION VALUE PACKAGE
pkg.fmri set solaris/entire
pkg:/entire@0.5.11-0.175.0.1.0.4.0
pkg.fmri set solaris/entire
pkg:/entire@0.5.11-0.175.0.2.0.3.0
pkg.fmri set solaris/entire
pkg:/entire@0.5.11-0.175.0.3.0.4.0
pkg.fmri set solaris/entire
pkg:/entire@0.5.11-0.175.0.4.0.5.0
pkg.fmri set solaris/entire
pkg:/entire@0.5.11-0.175.0.4.0.6.0
pkg.summary set entire incorporation including
Support Repository Update
(Oracle Solaris 11 11/11 SRU 01). For more
information see Document 1372094.1 pkg:/entire@0.5.11-0.175.0.1.0.4.0
pkg.summary set entire incorporation including
Support Repository Update
(Oracle Solaris 11 11/11 SRU 02). For more
information see Document 1372094.1 pkg:/entire@0.5.11-0.175.0.2.0.3.0
pkg.summary set entire incorporation including
Support Repository Update
(Oracle Solaris 11 11/11 SRU 03). For more
information see Document 1372094.1 pkg:/entire@0.5.11-0.175.0.3.0.4.0
pkg.summary set entire incorporation including
Support Repository Update
(Oracle Solaris 11 11/11 SRU 04). For more
information see Document 1372094.1 pkg:/entire@0.5.11-0.175.0.4.0.5.0
pkg.summary set entire incorporation including
Support Repository Update
(Oracle Solaris 11 11/11 SRU 04a). For more
information see Document 1372094.1 pkg:/entire@0.5.11-0.175.0.4.0.6.0
$
By default this will return a list of available
SRUs equal to or newer than the current system as pkg(1) by default prunes
results which are older. You can display all available SRUs by appending the -f
flag.
Take note of the “pkg:/entire@” field and the
numbers after the @. This is the value you will be using to upgrade
(<SRU_version> below).
You can now upgrade to that specific version using
one of two methods:
The long method – this method is good if you like
to specify a nice name for for your boot environment in the grub menu using the
-d option:
# beadm create -d “BE Description” <New_BE>
# beadm mount <new-be> /mnt
# pkg -R /mnt install entire@<SRU_version>
# bootadm update-archive -R /mnt
# beadm unmount <New_BE>
# beadm activate <New_BE>
The short single command method:
# pkg update –be-name <New_BE>
entire@<SRU_version>
The –be-name argument is an optional argument.
How to prevent pkg(1) from keeping a large download
cache in /var/pkg/download?
You can prevent pkg(1) from keeping a cache of successfully installed
pkgs as by telling it to flush the content cache on success.
First check what the current property is:
# pkg property
PROPERTY
VALUE
be-policy
default
ca-path
/etc/openssl/certs
check-certificate-revocation False
display-copyrights
True
flush-content-cache-on-success False
<—– HERE
mirror-discovery
False
preferred-authority
solaris
publisher-search-order
['solaris']
pursue-latest
True
require-optional
False
send-uuid
True
signature-policy
verify
signature-required-names
[]
trust-anchor-directory
etc/certs/CA
use-system-repo
False
#
Change this property to true:
# pkg set-property flush-content-cache-on-success true
The download cache will only be cleared the next time you install a pkg
or perform an update. You can manually empty this directory in the mean
time.
How to change the current publisher?
You can use the GUI (easy and intuitive) or the CLI:
# pkg set-publisher -G http://<old_publisher>/ -g
http://<new_publisher>/ solaris
How to remove a publisher via the CLI?
# pkg unset-publisher <publisher_name>
–
How can I check which Support Repository Update
(SRU) I have currently installed?
You can use “pkg info entire” to get a clear and concise description of
the SRU you currently have installed:
$ pkg info entire
Name: entire
Summary: entire incorporation including Support Repository Update (Oracle
Solaris 11 11/11 SRU 04a).
For more information see Document
1372094.1
Description: This package
constrains system package versions to the same
build. WARNING: Proper system update and correct package
selection depend on the presence of this incorporation.
Removing this package will result in an unsupported system.
Category: Meta Packages/Incorporations
State: Installed
Publisher:
solaris
Version: 0.5.11
Build Release: 5.11
Branch: 0.175.0.4.0.6.0
Packaging Date: March 2, 2012
04:01:06 PM
Size: 5.45 kB
FMRI: pkg://solaris/entire@0.5.11,5.11-0.175.0.4.0.6.0:20120302T160106Z
$
Or you can use “pkg list entire” for a short output that doesn’t
explicitly state the SRU, where
$ pkg list entire
NAME (PUBLISHER) VERSION IFO
entire 0.5.11-0.175.0.0.0.2.0 i–
$
How do I install pkgs into an alternate root?
# pkg -R /path/to/alt/root install <pkg>
But do NOT do this with zones. It may work, but it is better to do
install the pkg from within the zone itself:
# zlogin <zone> pkg install <pkg>
How do I configure proxy access to pkg.oracle.com?
In the global zone, you need to set the http_proxy environment variable
in the shell in which you are running the pkg(1) commands:
# export
http_proxy=http://<proxy_server>:<proxy_port>
# export https_proxy=https://<proxy_server>:<proxy_port>
For non-global zones, you need to configure the system-repository svc as
follows:
# svccfg -s
svc:/application/pkg/system-repository:default setprop \
config/http_proxy=astring:
“http://<proxy_server>:<proxy_port>”
# svcadm refresh
svc:/application/pkg/system-repository:default
# svcadm restart svc:/application/pkg/system-repository:default
If your proxy server requires a username and password, you need to set
your environment variables as follows:
# export
http_proxy=http://<username>:<password>@<proxy_server>:<proxy_port>
# export https_proxy=https://<username>:<password>@<proxy_server>:<proxy_port>
The corresponding system-repository command is as follows:
# svccfg -s
svc:/application/pkg/system-repository:default setprop \
config/http_proxy=astring:
“http://<username>:<password>@<proxy_server>:<proxy_port>”
# svcadm refresh
svc:/application/pkg/system-repository:default
# svcadm restart svc:/application/pkg/system-repository:default
How do I check if a bug is fixed on Solaris 11?
$ pkg search -f
‘:set:com.oracle.service.bugid:7146824′
INDEX
ACTION VALUE PACKAGE
com.oracle.service.bugid set
7146824 pkg:/library/security/openssl@1.0.0.7-0.175.0.5.0.3.0
$
How do I list all the available package groups?
$ pkg info -r \*group\*
How do I list the contents of a package group?
There are two ways:
$ pkg contents -r -m group/system/<GROUP>
$ pkg contents -o fmri -r -t depend <GROUP>
How do I determine which group is installed on my
system?
$ pkg list group/system/\*
How do I update a local repository with only the
changes from a remote repository?
You update a repository in the same way as you do to create it by using
the pkgrecv(1M) command:
# pkgrecv -s http://source-repo
This will download only the new packages and changes. It will not
download the entire repository again.
How do I list the changes that would apply to my
local repository during an update without actually updating my local
repository?
You can use the -n argument to pkgrecv:
# pkgrecv -s http://source-repo -n
How do I locate the pkg that delivers a particular
file?
You can determine the pkg that delivers a file using the following
command:
$ pkg contents -o pkg.name,path -a path=’path/to/file’
Do not include the initial forward slash (/) in the path. The pkg
contents you are searching record relative path names not absolute path names.
How do I list pkg dependencies?
You can determine the pkgs that a certain pkg depends on using the
following command:
$ pkg contents -o fmri -H -r -t depend
<pkg/uri/>
How to Update Your Local System From a Support
Repository Update (SRU) ISO Image
The
procedure is documented in the README file that comes with the SRU ISO image.
1. Mount the ISO image as a filesystem
# mount -F hsfs
full_path_to/sol-11-1111-sruN-bldnum-incr-repo.iso /mnt
2. Add an additional origin to the
existing solaris publisher
# pkg set-publisher -g file:///mnt/repo
solaris
3. Perform the update of the packages
# pkg update
How to Update an Oracle Solaris 11 Package
Repository
The procedure is documented in the README file that comes with the SRU
ISO image.
1. Mount the ISO image as a filesystem
# mount -F hsfs
full_path_to/sol-11-1111-sruN-bldnum-incr-repo.iso /mnt
2. Import the SRU packages to your
existing Solaris 11 repository
# pkgrecv -s /mnt/repo -d
full_path_to_existing_s11_repo ‘*’
For example:
# pkgrecv -s /mnt/repo -d
file:///export/s11repo ‘*’
3. Rebuild the search indexes for the
repository
# pkgrepo rebuild -s
full_path_to_existing_s11_repo
4. If the repository is managed by
pkgserv, restart the appropriate service:
# svcadm restart
svc:/application/pkg/server:your_repo_instance
How do I set the default version of pkgs that allow
multiple versions to be installed, like Java?
Solaris 11 uses the “mediator” option within pkgs that offer multiple
versions that allow you to set the default version.
You can use the “pkg mediator” command to view the current settings…
# pkg mediator
MEDIATOR VER. SRC. VERSION IMPL. SRC.
IMPLEMENTATION
automake system
1.11 system
java system
1.7 system
php
system 5.2 system
python vendor 2.6
vendor
If “local” occurs in the “VER. SRC.” column, it indicates the
default version has already been changed.
Use “pkg mediator -a” to display all options available on your system…
# pkg mediator -a
MEDIATOR VER. SRC. VERSION IMPL. SRC.
IMPLEMENTATION
java
system 1.7 system
java
system 1.6 system
php
system 5.2 system
python vendor 2.6
vendor
This will only show all the versions for the software installed on your
system.
You can set the mediator to be the desired version using “pkg
set-mediator”
# pkg set-mediator -V 1.6 java
Packages to update: 3
Mediators to change: 1
Create boot
environment: No
Create backup boot environment: No
PHASE
ITEMS
Removing old
actions
2/2
Updating modified
actions
3/3
Updating image
state
Done
Creating fast lookup
database
Done
Reading search
index
Done
Updating search
index
3/3
Note: there is a problem with signed pkgs, like the
Java pkgs:
7156990 setting a mediator with signed packages containing variants
doesn’t work
Workaround from bug report:
In the global zone, turning off signature checking solves the issue:
# pkg set-property signature-policy ignore
# pkg set-publisher –set-property
signature-policy=ignore solaris
In a zone, these approaches don’t work. The workaround is to
uninstall the package providing the unused mediated links or to reconfigure the
links manually.
This bug will be fixed in Solaris 11 update 1.
How do I list all setuid and setgid programs?
$ pkg contents -a mode=4??? -a mode=2??? -t file -o pkg.name,path,mode
You can limit the output to a specific pkg by appending the pkg
name to the end of the above command.
IPS Troubleshooting
Scenario 1: IPS repository image is older than the client
# pkg install compatibility/ucb
Creating Plan (Solver setup): -
pkg install: No matching version of
compatibility/ucb can be installed:
Reject:
pkg://solaris/compatibility/ucb@0.5.11,5.11-0.151.0.1:20101104T230637Z
pkg://solaris/compatibility/ucb@0.5.11,5.11-0.175.0.0.0.2.1:20111019T053003Z
pkg://solaris/compatibility/ucb@0.5.11,5.11-0.175.0.10.1.0.0:20120918T160038Z
pkg://solaris/compatibility/ucb@0.5.11,5.11-0.175.1.0.0.24.2:20120919T184131Z
Reason: This version is excluded by
installed incorporation
pkg://solaris/consolidation/osnet/osnet-incorporation@0.5.11,5.11-0.175.1.9.0.5.2:20130704T025151Z
#
Troubleshooting : The IPS repository the client is referring
to is offering a version of Solaris 11, and thus the pkg requested, that is
older than the current release installed on the client. This is evident from
the version numbers highlighted in the error above. In this example, the client
has Solaris 11.1.9.5 installed but the latest revision offered by the
repository is Solaris 11.1.0.24.
Solution: The IPS repository needs to be updated to include the
version/service repository update (SRU) that is installed on the client.
Details on updating the repository can be found in the README file supplied
with the SRU download
Scenario 2: The IPS repository is incomplete
pkg update: No solution was found to
satisfy constraints
latest incorporations:
pkg://solaris/consolidation/cns/cns-incorporation@0.5.11,5.11-0.175.0.10.0.4.0:20120731T142644Z
pkg://solaris/consolidation/install/install-incorporation@0.5.11,5.11-0.175.0.10.0.4.0:20120731T141438Z
pkg://solaris/consolidation/desktop/gnome-incorporation@0.5.11,5.11-0.175.0.11.0.3.0:20120824T161817Z
pkg://solaris/entire@0.5.11,5.11-0.175.0.11.0.4.1:20120901T011439Z
pkg://solaris/consolidation/desktop/desktop-incorporation@0.5.11,5.11-0.175.0.11.0.3.0:20120824T161815Z
pkg://solaris/consolidation/X/X-incorporation@0.5.11,5.11-0.175.0.10.0.2.1231:20120716T221822Z
pkg://solaris/consolidation/ips/ips-incorporation@0.5.11,5.11-0.175.0.11.0.4.0:20120830T143219Z
pkg://solaris/consolidation/userland/userland-incorporation@0.5.11,5.11-0.175.0.11.0.4.0:20120830T142828Z
pkg://solaris/consolidation/osnet/osnet-incorporation@0.5.11,5.11-0.175.0.11.0.4.1:20120830T142013Z
pkg://solaris/consolidation/sunpro/sunpro-incorporation@0.5.11,5.11-0.175.0.11.0.3.0:20120824T162258Z
pkg://solaris/consolidation/l10n/l10n-incorporation@0.5.11,5.11-0.175.0.11.0.1.108:20120810T173009Z
The following indicates why the system
cannot update to the latest version:
No suitable version of required package
pkg://solaris/consolidation/userland/userland-incorporation@0.5.11,5.11-0.175.0.11.0.4.0:20120830T142828Z
found:
Reject:
pkg://solaris/consolidation/userland/userland-incorporation@0.5.11,5.11-0.175.0.11.0.4.0:20120830T142828Z
Reason: All versions matching
‘incorporate’ dependency pkg:/web/server/apache-22@2.2.22,5.11-0.175.0.10.0.2.0
are rejected
Reject: pkg://solaris/web/server/apache-22@2.2.22,5.11-0.175.0.10.0.2.0:20120716T221431Z
Reason: A version for ‘require’
dependency on pkg:/library/apr-util-13/apr-ldap@1.3.9,5.11-0.175.0.0.0.2.537
cannot be found
Troubleshooting : The IPS repository the client is
referring to is incomplete and most likely offering only a partial IPS
repository image. This commonly occurs when the repository has been incorrectly
configured to only provide the contents of a service repository update (SRU)
image or the client is referring directly to the SRU IPS ISO image without
access to a full IPS repository. This fails because the SRU IPS images are not
complete images; they are partial images.
A client needs to have access to both a complete
IPS repository and any SRUs or repositories containing those updates that the
client has installed.
Solution: Ensure the repository your client is references contains the
full IPS repository image and any service repository updates (SRUs) you have or
wish to install onto your clients.
Scenario 3: A pkg fails to install because of a version dependency lock
# pkg install compatibility/ucb
Creating Plan (Solver setup): /
pkg install: No matching version of
compatibility/ucb can be installed:
Reject:
pkg://solaris/compatibility/ucb@0.5.11,5.11-0.175.1.6.0.3.2:20130322T212735Z
Reason: This version is excluded by
installed incorporation
pkg://solaris/consolidation/osnet/osnet-incorporation@0.5.11,5.11-0.175.1.5.0.4.2:20130228T222858Z
#
Troubleshooting : The pkg you are attempting
to install is dependent on a later of a pkg that is not installed.
In this example, the
pkg://solaris/compatibility/ucb@0.5.11,5.11-0.175.1.6.0.3.2 pkg can’t be
installed because it requires
pkg://solaris/consolidation/osnet/osnet-incorporation@0.5.11,5.11-0.175.1.6.0.3.2
to be installed first. At the moment
pkg://solaris/consolidation/osnet/osnet-incorporation@0.5.11,5.11-0.175.1.5.0.4.2,
an older revision, is installed.
This normally happens when a pkg depends on a
specific version of another pkg and your repository is offering a later
revision than is installed on your system. By default pkg(1M) will always
attempt to install the latest revision of a pkg available.
There are two possible solutions. Update your entire system
to the latest revision of Solaris offered by your local repository and then
attempt to install your pkg. OR Install the
specific version of your pkg that meets the required dependency version using
the syntax:
# pkg install
<pkgname>@<version>
For example:
# pkg install
compatibility/ucb@0.5.11-0.175.1.0.0.24.2
Scenario 4: Missing support repository certificate
# pkg set-publisher -G
http://pkg.oracle.com/solaris/release -g https://pkg.oracle.com/solaris/support
solaris
pkg set-publisher: The origin URIs for
‘solaris’ do not appear to point to a valid pkg repository.
Please verify the repository’s location
and the client’s network configuration.
Additional details:
Unable to contact valid package
repository
Encountered the following error(s):
Unable to contact any configured
publishers.
This is likely a network configuration
problem.
Framework error: code: 35 reason:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
URL:
‘https://pkg.oracle.com/solaris/support’
#
Troubleshooting : The client is attempting to
access the Oracle support repository (https://pkg.oracle.com/solaris/support)
without a valid certificate and key pair.
To resolve this, we
might need to obtain a certificate and key pair from
https://pkg-register.oracle.com and update your client to utilize the
certificate and key pair as per the details at
https://pkg-register.oracle.com/help/
Solaris 11 release & update
Here's how to check Solaris 11 release and update:
# cat /etc/release
Oracle Solaris 11 11/11 X86
Copyright (c) 1983, 2011, Oracle and/or its affiliates. All rights reserved.
Assembled 18 October 2011
# pkg info entire | grep Summary | sed 's/.*[\(]\(.*\)[\)]./\1/'
Oracle Solaris 11 11/11 SRU 8.5
