Thursday Nov 21, 2013

How to Limit Upgrades Beyond a Prescribed Version of Oracle Solaris

by Bart Smaalders and Alta Elstad

The Oracle Solaris 11 Image Packaging System (IPS) provides various methods to control the operating system version to which a server can be upgraded. One method is to provide a custom incorporation package.

An incorporation package specifies the versions of other packages that can be installed. If you install a package that is named in an incorporate dependency of an incorporation package, only the prescribed version of that package can be installed. You can create your own custom incorporation package to specify the constraints you want. Using a custom incorporation to control the version of software that can be installed enables you to easily maintain different versions of Oracle Solaris on different machines without maintaining multiple package repositories. Each image can install a different version of the custom upgrade control incorporation package. All systems share the same package repository, which contains all versions of software needed by any of the systems.

In the example in this article, a system has been newly installed with Oracle Solaris 11.1. The solaris publisher origin is the Oracle Solaris support repository, which includes many updates since Oracle Solaris 11.1 was released. The IT department in the example company has not yet qualified the most current support updates, and they want to limit administrators to upgrading to only the latest update that is qualified for their environments, not the latest update that is available from the package repository.

Create a Custom Incorporation Package

The versions of core operating system packages that can be installed in an image are controlled by the pkg:/entire incorporation package. To control system upgrades, create a package that specifies a particular version of the pkg:/entire package as an incorporate dependency.

The following example shows a manifest named upgradectrl.p5m for a custom incorporation package that controls the version of the pkg:/entire package that can be installed. Some of the settings in this manifest are described below.

set name=pkg.fmri value=upgradectrl@1.0
set name=pkg.summary value="Incorporation to constrain the version of the OS"
set name=pkg.description value="This package controls the version of \
pkg://solaris/entire that can be installed."
set name=info.classification value="org.opensolaris.category.2008:Meta Packages/Incorporations"
set name=pkg.depend.install-hold value=core-os
set name=variant.opensolaris.zone value=global value=nonglobal
set name=variant.arch value=sparc value=i386
depend fmri=feature/package/dependency/self type=parent variant.opensolaris.zone=nonglobal
depend fmri=pkg://solaris/entire type=require
depend fmri=pkg://solaris/entire@0.5.11,5.11-0.175.1.0 type=incorporate

  • pkg.depend.install-hold: This setting ensures that if a user updates the upgradectrl package, the pkg:/entire package is automatically updated as well.

  • variant.opensolaris.zone: This setting enables this package to be installed in both global and non-global zones. See also the description of the parent dependency.

  • variant.arch: This setting enables this package to be installed on both SPARC and x86 systems.

  • parent dependency: This package can be installed in a non-global zone only if it is already installed in the global zone.

  • require dependency: The upgradectrl package can be installed only if the pkg://solaris/entire package is already installed or can be installed in this same operation.

  • incorporate dependency: The pkg://solaris/entire package must be installed at the specified version. More than one version can satisfy an incorporate dependency, depending on how many places of accuracy are specified. In this example, 0.175.1.0 specifies Oracle Solaris 11.1 SRU 0. This upgrade control package keeps systems at the newly installed Oracle Solaris 11.1 version, with no support updates. It does, however, allow packages that are not constrained by the pkg:/entire incorporation to be updated.

Publish the upgradectrl package to a local file-based repository. This repository is for developing and testing this new package. If you create a repository for general use, you should include additional steps such as creating a separate file system for the repository. For information about creating package repositories for general use, see Copying and Creating Package Repositories in Oracle Solaris 11.2.

Create a package development repository on your system. See the pkgrepo(1) man page for more information about the pkgrepo command.

$ pkgrepo create myrepo

Set the default publisher for this repository. The default publisher is the value of the publisher/prefix property of the repository.

$ pkgrepo -s myrepo set publisher/prefix=site

Publish the upgradectrl package to the development repository.

$ pkgsend -s myrepo publish upgradectrl.p5m
pkg://site/upgradectrl@1.0,5.11:20131120T010105Z
PUBLISHED

Notice that the repository default publisher has been applied to the package FMRI.

Examine the repository to confirm that the package was published.

$ pkgrepo -s myrepo list
PUBLISHER NAME                                       O VERSION
site      upgradectrl                                  1.0,5.11:20131120T010105Z
$ pkg list -vg myrepo
FMRI                                                                         IFO
pkg://site/upgradectrl@1.0,5.11:20131120T010105Z                             ---

Deliver the package to a local repository in a separate ZFS file system in a shared location.

$ pkgrecv -s myrepo -d /export/IPSpkgrepos/Solaris upgradectrl
Processing packages for publisher site ...
Retrieving and evaluating 1 package(s)...
PROCESS                                         ITEMS    GET (MB)   SEND (MB)
Completed                                         1/1     0.0/0.0     0.0/0.0

Verify the package in the repository and the version of pkg:/entire that it incorporates.

$ pkg info -g /export/IPSpkgrepos/Solaris upgradectrl
          Name: upgradectrl
       Summary: Incorporation to constrain the version of the OS
   Description: This package controls the version of pkg://solaris/entire that
                can be installed.
      Category: Meta Packages/Incorporations
         State: Not installed
     Publisher: site
       Version: 1.0
 Build Release: 5.11
        Branch: None
Packaging Date: November 20, 2013 01:01:05 AM 
          Size: 0.00 B
          FMRI: pkg://site/upgradectrl@1.0,5.11:20131120T010105Z
$ pkg contents -Hro fmri -t depend -a type=incorporate upgradectrl
pkg://solaris/entire@0.5.11,5.11-0.175.1.0

See “Creating and Publishing a Package” in Packaging and Delivering Software With the Image Packaging System in Oracle Solaris 11.2 for more detailed information about creating and delivering IPS packages.

Set the origin for the site publisher.

$ pkg set-publisher -g /export/IPSpkgrepos/Solaris site
$ pkg publisher
PUBLISHER              TYPE     STATUS P LOCATION
solaris                origin   online F https://pkg.oracle.com/solaris/support/
site                   origin   online F file:///export/IPSpkgrepos/Solaris/

Install the Upgrade Control Package

Install the upgrade control package. In this case, few changes should be made because the installed version of pkg:/entire is the same as the version incorporated by the upgrade control package.

$ pkg list -v entire
FMRI                                                                         IFO
pkg://solaris/entire@0.5.11,5.11-0.175.1.0.0.24.2:20120919T190135Z           i--
$ zoneadm list
global
z1
$ pkg install upgradectrl
           Packages to install:  1
       Create boot environment: No
Create backup boot environment: No

Planning linked: 0/1 done; 1 working: zone:z1
Planning linked: 1/1 done
Downloading linked: 0/1 done; 1 working: zone:z1
Downloading linked: 1/1 done
PHASE                                          ITEMS
Installing new actions                           9/9
Updating package state database                 Done 
Updating image state                            Done 
Creating fast lookup database                   Done 
Reading search index                            Done 
Updating search index                            1/1 
Executing linked: 0/1 done; 1 working: zone:z1
Executing linked: 1/1 done

The following commands show that versions of pkg:/entire that are newer than the installed version are available from the configured solaris publisher, but an attempt to upgrade is controlled by the newly-installed upgrade control package.

$ pkg list -af entire
NAME (PUBLISHER)                                  VERSION                    IFO
entire                                            0.5.11-0.175.1.13.0.6.0    ---
entire                                            0.5.11-0.175.1.12.0.5.0    ---
entire                                            0.5.11-0.175.1.11.0.4.0    ---
entire                                            0.5.11-0.175.1.10.0.6.0    ---
entire                                            0.5.11-0.175.1.10.0.5.0    ---
...
$ pkg update
pkg update: No solution was found to satisfy constraints
Plan Creation: Package solver has not found a solution to update to latest available versions.
This may indicate an overly constrained set of packages are installed.
latest incorporations:
...
Try specifying expected results to obtain more detailed error messages.
$ pkg update -nv entire@0.5.11-0.175.1.13.0.6.0
pkg update: No matching version of entire can be installed:
  Reject:  pkg://solaris/entire@0.5.11,5.11-0.175.1.13.0.6.0:20131108T211557Z
  Reason:  This version is excluded by installed incorporation pkg://site/upgradectrl@1.0,5.11:20131120T010105Z
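
The "places of accuracy" rule and the rejection shown above, modeled as an added Python example (not code from this article or from IPS itself). It assumes an incorporate constraint is satisfied when the release is equal and the constraint's branch is a component-wise prefix of the candidate's branch, with build release and timestamp not compared. The function names and sample lists are constructed for illustration from the manifest lines and version strings in this article.

```python
import re

# Constructed inputs: the incorporate lines from the article's two manifests
# and the `entire` versions that appear in its `pkg list` output.
MANIFEST_1_0 = "depend fmri=pkg://solaris/entire@0.5.11,5.11-0.175.1.0 type=incorporate"
MANIFEST_1_10 = "depend fmri=pkg://solaris/entire@0.5.11,5.11-0.175.1.10 type=incorporate"
LISTED = [
    "0.5.11-0.175.1.13.0.6.0", "0.5.11-0.175.1.12.0.5.0",
    "0.5.11-0.175.1.11.0.4.0", "0.5.11-0.175.1.10.0.6.0",
    "0.5.11-0.175.1.10.0.5.0", "0.5.11-0.175.1.0.0.24.2",
]

def parse_version(text):
    """Return (release, branch) as int tuples from release[,build]-branch[:time]."""
    text = text.split(":", 1)[0]            # timestamp is not compared in this model
    release, _, branch = text.partition("-")
    release = release.split(",", 1)[0]      # build release (5.11) is not compared
    as_tuple = lambda s: tuple(int(p) for p in s.split(".")) if s else ()
    return as_tuple(release), as_tuple(branch)

def incorporated_version(manifest, name):
    """Return the version an incorporate dependency in `manifest` pins for `name`."""
    for line in manifest.splitlines():
        fields = line.split()
        if fields[:1] != ["depend"] or "type=incorporate" not in fields:
            continue
        fmri = next((f[5:] for f in fields if f.startswith("fmri=")), "")
        stem, _, version = fmri.partition("@")
        if re.sub(r"^pkg://[^/]+/|^pkg:/", "", stem) == name and version:
            return version
    return None

def satisfies(candidate, constraint):
    """Component-wise prefix match; a plain string-prefix test gives wrong answers."""
    (c_rel, c_branch), (k_rel, k_branch) = parse_version(candidate), parse_version(constraint)
    if k_branch:
        return c_rel == k_rel and c_branch[:len(k_branch)] == k_branch
    return c_rel[:len(k_rel)] == k_rel

def allowed(manifest, name, versions):
    """Filter `versions` down to those the manifest's incorporation permits."""
    constraint = incorporated_version(manifest, name)
    return [v for v in versions if constraint is None or satisfies(v, constraint)]

if __name__ == "__main__":
    print(allowed(MANIFEST_1_0, "entire", LISTED))
    print(allowed(MANIFEST_1_10, "entire", LISTED))
```

With the 0.175.1.0 constraint only the installed 0.175.1.0.0.24.2 build passes, while the 0.175.1.10 constraint admits both 0.175.1.10 builds, which is the "more than one version can satisfy" case.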

Update the Upgrade Control Package

When you are ready to allow users to upgrade their systems to a new version, update the upgradectrl.p5m manifest, and republish and redeliver the new upgrade control package. In the following manifest, the version of the upgrade control package and the version of the pkg:/entire incorporation are updated. As an aid for users, the version of the upgrade control package matches the updated version of the pkg:/entire package.

set name=pkg.fmri value=upgradectrl@1.10
set name=pkg.summary value="Incorporation to constrain the version of the OS"
set name=pkg.description value="This package controls the version of \
pkg://solaris/entire that can be installed."
set name=info.classification value="org.opensolaris.category.2008:Meta Packages/Incorporations"
set name=pkg.depend.install-hold value=core-os
set name=variant.opensolaris.zone value=global value=nonglobal
set name=variant.arch value=sparc value=i386
depend fmri=feature/package/dependency/self type=parent variant.opensolaris.zone=nonglobal
depend fmri=pkg://solaris/entire type=require
depend fmri=pkg://solaris/entire@0.5.11,5.11-0.175.1.10 type=incorporate

The following commands republish and redeliver the upgrade control package:

$ pkgsend -s myrepo publish upgradectrl.p5m
pkg://site/upgradectrl@1.10,5.11:20131120T021902Z
PUBLISHED
$ pkgrepo -s myrepo list
PUBLISHER NAME                                      O VERSION
site      upgradectrl                                 1.10,5.11:20131120T021902Z
site      upgradectrl                                 1.0,5.11:20131120T010105Z
$ pkgrecv -s myrepo -d /export/IPSpkgrepos/Solaris upgradectrl
Processing packages for publisher site ...
Retrieving and evaluating 1 package(s)...
PROCESS                                         ITEMS    GET (MB)   SEND (MB)
Completed                                         1/1     0.0/0.0     0.0/0.0
$ pkg refresh site
$ pkg list -af pkg://site/upgradectrl
NAME (PUBLISHER)                                  VERSION                    IFO
upgradectrl (site)                                1.10                       ---
upgradectrl (site)                                1.0                        i--

Upgrade the Image

Because no packages are specified, the following pkg update command updates all packages to the newest available versions that are allowed. The command updates to the newest available version of the upgrade control package, which upgrades the image: the pkg.depend.install-hold setting in the upgradectrl package causes the pkg:/entire package to be updated when the upgradectrl package is updated. The image is upgraded to the version of the pkg:/entire incorporation that is specified in the new upgradectrl incorporation.

$ pkg update --be-name s11u1_10
            Packages to remove:   1
            Packages to update: 186
           Mediators to change:   1
       Create boot environment: Yes
Create backup boot environment:  No

Planning linked: 0/1 done; 1 working: zone:z1
Linked image 'zone:z1' output:
|  Packages to remove:  1
| Packages to install:  3
|  Packages to update: 73
| Mediators to change:  1
|  Services to change:  3
`
Planning linked: 1/1 done
DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                            187/187   16139/16139  507.9/507.9  562k/s

Downloading linked: 0/1 done; 1 working: zone:z1
Downloading linked: 1/1 done
PHASE                                          ITEMS
Removing old actions                       1473/1473
Installing new actions                     3451/3451
Updating modified actions                16378/16378
Updating package state database                 Done 
Updating package cache                       187/187 
Updating image state                            Done 
Creating fast lookup database                   Done 
Reading search index                            Done 
Building new search index                    851/851 
Executing linked: 0/1 done; 1 working: zone:z1
Executing linked: 1/1 done

A clone of s11u1_0 exists and has been updated and activated.
On the next boot the Boot Environment s11u1_10 will be
mounted on '/'.  Reboot when ready to switch to this updated BE.
$ pkg list entire upgradectrl
NAME (PUBLISHER)                                  VERSION                    IFO
entire                                            0.5.11-0.175.1.0.0.24.2    i--
upgradectrl (site)                                1.0                        i--
$ beadm mount s11u1_10 /mnt
$ pkg -R /mnt list entire upgradectrl
NAME (PUBLISHER)                                  VERSION                    IFO
entire                                            0.5.11-0.175.1.10.0.6.0    i--
upgradectrl (site)                                1.10                       i--
$ beadm unmount s11u1_10

See Also

Bart Smaalders’ blog

Packaging and Delivering Software With the Image Packaging System in Oracle Solaris 11.2

Copying and Creating Package Repositories in Oracle Solaris 11.2

About the Authors

Bart Smaalders is one of the senior engineers in the Oracle Solaris Core OS group, and led development of the IPS packaging system.

Alta Elstad is a technical writer supporting Oracle Solaris 11 packaging.
