Both IPS and SVR4 packages are supported for the OpenSolaris 2009.06 release. This chapter discusses maintaining the Solaris Operating System on a system using SVR4 packaging when zones are installed.
Information about adding packages and patches to the operating system using SVR4 packaging in the global zone and in all installed non-global zones is provided. Information about removing packages and patches is also included. The material in this chapter supplements the existing Solaris installation and patch documentation. See the Solaris Express Release and Installation Collection and System Administration Guide: Basic Administration for more information.
This chapter covers the following SVR4 packaging topics:
Applying Patches on a Solaris System With Zones Installed (SVr4 Only)
Removing Patches on a Solaris System With Zones Installed (SVR4 Only)
See OpenSolaris 2009.06 Image Packaging System Guide for more information.
The Solaris packaging tools are used in administering the zones environment. The global administrator can upgrade the system to a new version of Solaris, which updates both the global and the non-global zones.
Solaris Live Upgrade, the standard Solaris interactive installation program, or the custom Solaris JumpStart installation program can be used in the global zone to upgrade a system that includes non-global zones.
The zone administrator can use the packaging tools to administer any software installed in a non-global zone, within the limits described in this document.
The following general principles apply when zones are installed:
The global administrator can administer the software on every zone on the system.
The root file system for a non-global zone can be administered from the global zone by using the Solaris packaging and patch tools. The Solaris packaging and patch tools are supported within the non-global zone for administering co-packaged (bundled), standalone (unbundled), or third-party products.
The packaging and patch tools work in a zones-enabled environment. The tools allow a package or patch installed in the global zone to also be installed in a non-global zone.
The SUNW_PKG_ALLZONES package parameter defines the zone scope of a package. The scope determines the type of zone in which an individual package can be installed. For more information about this parameter, see SUNW_PKG_ALLZONES Package Parameter.
The SUNW_PKG_HOLLOW package parameter defines the visibility of a package if that package is required to be installed on all zones and be identical in all zones. For information about this parameter, see SUNW_PKG_HOLLOW Package Parameter.
The SUNW_PKG_THISZONE package parameter defines whether a package must be installed in the current zone only. For information about this parameter, see SUNW_PKG_THISZONE Package Parameter.
Packages that do not define values for zone package parameters have a default setting of false.
The packaging information visible from within a non-global zone is consistent with the files that have been installed in that zone using the Solaris packaging and patch tools. The visibility includes packages that have been imported from the global zone using read-only loopback mounts. See Configuring, Verifying, and Committing a Zone for more information about this process.
A change, such as a patch or package added in the global zone, can be pushed out to all of the zones. This feature maintains consistency between the global zone and each non-global zone.
The package commands can add, remove, and interrogate packages. The patch commands can add and remove patches.
While certain package and patch operations are performed, a zone is temporarily locked to other operations of this type. The system might also confirm a requested operation with the administrator before proceeding.
Only a subset of the Solaris packages installed on the global zone are completely replicated when a non-global zone is installed. For example, many packages that contain the Solaris kernel are not needed in a non-global zone. All non-global zones implicitly share the same Solaris kernel from the global zone. However, even if a package's data is not required or is not of use in a non-global zone, the knowledge that a package is installed in the global zone might be required in a non-global zone. The information allows package dependencies from the non-global zones to be properly resolved with the global zone.
Packages have parameters that control how their content is distributed and made visible on a system with non-global zones installed. The SUNW_PKG_ALLZONES, SUNW_PKG_HOLLOW, and SUNW_PKG_THISZONE package parameters define the characteristics of packages on a system with zones installed. If desired, system administrators can check these package parameter settings to verify the package's applicability when applying or removing a package in a zone environment. The pkgparam command can be used to view the values for these parameters. For more information on parameters, see Package Parameter Information (SVR4 Only). See Checking Package Parameter Settings on a System with Zones Installed for usage instructions.
When a patch is generated for any package, the parameters must be set to the same values as the original package.
Any package that must be interactive, which means that it has a request script, is added to the current zone only. The package is not propagated to any other zone. If an interactive package is added to the global zone, the package is treated as though it is being added by using the pkgadd command with the -G option. For more information about this option, see About Adding Packages in Zones (SVR4 Only).
It is best to keep the software installed in the non-global zones in sync with the software installed in the global zone to the maximum extent possible. This practice minimizes the difficulty in administering a system with multiple installed zones.
To achieve this goal, the package tools enforce the following rules when adding or removing packages in the global zone.
If the package is not currently installed in the global zone and not currently installed in any non-global zone, the package can be installed:
Only in the global zone, if SUNW_PKG_ALLZONES=false
In the current zone only, which is the global zone in this case, if SUNW_PKG_THISZONE=true
In the global zone and all non-global zones
If the package is currently installed in the global zone only:
The package can be installed in all non-global zones.
The package can be removed from the global zone.
If a package is currently installed in the global zone and currently installed in only a subset of the non-global zones:
SUNW_PKG_ALLZONES must be set to false.
The package can be installed in all non-global zones. Existing instances in any non-global zone are updated to the revision being installed.
The package can be removed from the global zone.
The package can be removed from the global zone and from all non-global zones.
If a package is currently installed in the global zone and currently installed in all non-global zones, the package can be removed from the global zone and from all non-global zones.
These rules ensure the following:
Packages installed in the global zone are either installed in the global zone only, or installed in the global zone and all non-global zones.
Packages installed in the global zone and also installed in any non-global zone are the same across all zones.
The package operations possible in any non-global zone are:
If a package is not currently installed in the non-global zone, the package can be installed only if SUNW_PKG_ALLZONES=false.
The package can be installed in the current zone, which is the non-global zone in this case, if SUNW_PKG_THISZONE=true.
If a package is currently installed in the non-global zone:
The package can be installed over the existing instance of the package only if SUNW_PKG_ALLZONES=false.
The package can be removed from the non-global zone only if SUNW_PKG_ALLZONES=false.
The following table describes what will happen when pkgadd, pkgrm, patchadd, and patchrm commands are used on a system with non-global zones in various states.
| Zone State | Effect on Package and Patch Operations | 
|---|---|
| Configured | Patch and package tools can be run. No software has been installed yet. | 
| Installed | Patch and package tools can be run. During patch or packaging operations, the system moves a zone from the installed state to a new internal state called mounted. After patching has completed, the zone is reverted back to the installed state. Note that immediately after zoneadm -z zonename install has completed, the zone is also moved to the installed state. A zone in the installed state that has never been booted cannot be patched or run packaging commands. The zone must be booted to the running state at least once. After a zone has been booted at least once, and then moved back to the installed state by using zoneadm halt, then patch and packaging commands can be run. | 
| Ready | Patch and package tools can be run. | 
| Running | Patch and package tools can be run. | 
| Incomplete | A zone being installed or removed by zoneadm. Patch and package tools cannot be used. The tools cannot bring the zone into the appropriate state for using the tools. | 
The pkgadd system utility described in the pkgadd(1M) man page is used to add packages on a Solaris system with zones installed.
On the OpenSolaris 2009.06 release, use the pkginstall command.
The pkgadd utility can be used with the -G option in the global zone to add the package to the global zone only. The package is not propagated to any other zones. Note that if SUNW_PKG_THISZONE=true, you do not have to use the -G option. If SUNW_PKG_THISZONE=false, the -G option will override it.
When you run the pkgadd utility in the global zone, the following actions apply.
The pkgadd utility is able to add a package:
To the global zone only, unless the package is SUNW_PKG_ALLZONES=true
To the global zone and to all non-global zones
To all non-global zones only, if the package is already installed in the global zone
To the current zone only, if SUNW_PKG_THISZONE=true
The pkgadd utility cannot add a package:
To any subset of the non-global zones
To all non-global zones, unless the package is already installed in the global zone
If the pkgadd utility is run without the -G option and SUNW_PKG_THISZONE=false , the specified package is added to all zones by default. The package is not marked as installed in the global zone only.
If the pkgadd utility is run without the -G option and SUNW_PKG_THISZONE=true, then the specified package is added to the current (global) zone by default. The package is marked as installed in the global zone only.
If the -G option is used, the pkgadd utility adds the specified package to the global zone only. The package is marked as installed in the global zone only. The package is not installed when any non-global zone is installed.
To add a package to the global zone and to all non-global zones, execute the pkgadd utility in the global zone. As the global administrator, run pkgadd without the -G option.
A package can be added to the global zone and to all non-global zones without regard to the area affected by the package.
The following steps are performed by the pkgadd utility:
Package dependencies are checked on the global zone and on all non-global zones. If required packages are not installed in any zone, then the dependency check fails. The system notifies the global administrator, who is prompted whether to continue.
The package is added to the global zone.
The package database on the global zone is updated.
The package is added to each non-global zone and the database in the global zone is updated.
The package database on each non-global zone is updated.
To add a package to the global zone only, as the global administrator in the global zone, execute the pkgadd utility with the -G option only.
A package can be added to the global zone if the following conditions are true:
The package contents do not affect any area of the global zone that is shared with any non-global zone.
The package is set SUNW_PKG_ALLZONES=false.
The following steps are performed by the pkgadd utility:
If the package contents affect any area of the global zone that is shared with any non-global zone, or if the package is set SUNW_PKG_ALLZONES=true, then pkgadd fails. The error message states that the package must be added to the global zone and to all non-global zones.
Package dependencies are checked on the global zone only. If required packages are not installed, then the dependency check fails. The system notifies the global administrator, who is prompted whether to continue.
The package is added to the global zone.
The package database on the global zone is updated.
The package information on the global zone is annotated to indicate that this package is installed on the global zone only. If a non-global zone is installed in the future, this package will not be installed.
To add a package that is already installed in the global zone to all non-global zones, you must currently remove the package from the global zone and reinstall it in all zones.
These are the steps used to add a package that is already installed in the global zone to all of the non-global zones:
In the global zone, use pkgrm to remove the package.
Add the package without using the -G option.
To add a package in a specified non-global zone, execute the pkgadd utility, without options, as the zone administrator. The following conditions apply:
The pkgadd utility can only add packages in the non-global zone in which the utility is used.
The package cannot affect any area of the zone that is shared from the global zone.
The package must be set SUNW_PKG_ALLZONES=false.
The following steps are performed by the pkgadd utility:
Package dependencies are checked on the non-global zone's package database before the package is added. If required packages are not installed, then the dependency check fails. The system notifies the non-global zone administrator, who is prompted whether to continue. The check fails if either of the following conditions are true.
Any component of the package affects any area of the zone that is shared from the global zone.
The package is set SUNW_PKG_ALLZONES=true.
The package is added to the zone.
The package database on the zone is updated.
The pkgrm utility described in the pkgrm(1M) man page supports removing packages on a Solaris system with zones installed.
On the OpenSolaris 2009.06 release, use the pkguninstall command.
The pkgrm utility can be used with the -G option from the global zone to remove packages from the global zone only. The package must not affect any area of the global zone shared with non-global zones or be installed in any non-global zone.
When the pkgrm utility is used in the global zone, the following actions apply.
pkgrm can remove a package from the global zone and from all non-global zones, or from the global zone only when the package is only installed in the global zone.
pkgrm cannot remove a package only from the global zone if the package is also installed in a non-global zone, or remove a package from any subset of the non-global zones.
Note that a package can only be removed from a non-global zone by a zone administrator working in that zone if the following are true:
The package does not affect any area on the non-global zone that is shared from the global zone.
The package is set SUNW_PKG_ALLZONES=false.
To remove a package from the global zone and from all non-global zones, execute the pkgrm utility in the global zone. As the global administrator, run pkgrm without the -G option.
A package can be removed from the global zone and from all non-global zones without regard to the area affected by the package.
The following steps are performed by the pkgrm utility:
Package dependencies are checked on the global zone and on all non-global zones. If the dependency check fails, then pkgrm fails. The system notifies the global administrator, who is prompted whether to continue.
The package is removed from each non-global zone.
The package database on each non-global zone is updated.
The package is removed from the global zone.
The package database on the global zone is updated.
As the zone administrator, use the pkgrm utility in a non-global zone to remove a package. The following limitations apply:
pkgrm can only remove packages from the non-global zone.
The -G option cannot be used. If this option is used, pkgrm outputs an error message and the attempted operation fails.
The package cannot affect any area of the zone that is shared from the global zone.
The package must be set SUNW_PKG_ALLZONES=false.
The following steps are performed by the pkgrm utility:
Dependencies are checked on the non-global zone's package database. If the dependency check fails, then pkgrm fails and the zone administrator is notified. The check fails if either of the following conditions are true.
Any component of the package affects any area of the zone that is shared from the global zone.
The package is set SUNW_PKG_ALLZONES=true.
The package is removed from the zone.
The package database on the zone is updated.
The SUNW_PKG_ALLZONES, SUNW_PKG_HOLLOW, and SUNW_PKG_THISZONE package parameters define the characteristics of packages on a system with zones installed. These parameters must be set so that packages can be administered on a system with non-global zones installed.
The following table lists the four valid combinations for setting package parameters. If you choose setting combinations that are not listed in the following table, those settings are invalid and the package will fail to install.
Ensure that you have set all three package parameters. You can leave all three package parameters blank. The package tools interpret a missing zone package parameter as if the setting were false, but not setting the parameters is strongly discouraged. By setting all three package parameters, you specify the exact behavior the package tools should exhibit when installing or removing the package.
Table 24–1 Valid Package Parameter Settings
The optional SUNW_PKG_ALLZONES package parameter describes the zone scope of a package. This parameter defines the following:
Whether a package is required to be installed on all zones
Whether a package is required to be identical in all zones
The SUNW_PKG_ALLZONES package parameter has two permissible values. These values are true and false. The default value is false. If this parameter is either not set or set to a value other than true or false, the value false is used.
The SUNW_PKG_ALLZONES parameter should be set to true for packages that must be the same package version and patch revision level across all zones. Any package that delivers functionality dependent on a particular Solaris kernel, for example, Solaris 10, should set this parameter to true. Any patch for a package must set the SUNW_PKG_ALLZONESparameter to the same value that is set in the installed package being patched. The patch revision level for any package that sets this parameter to true must be the same across all zones.
Packages that deliver functionality not dependent on a particular Solaris kernel, such as third-party packages or Sun compilers, should set this parameter to false. Any patch for a package that sets this parameter to false must also set this parameter to false. Both the package version or the patch revision level for any package that sets this parameter to false can be different between zones. For example, two non-global zones could each have a different version of a web server installed.
The SUNW_PKG_ALLZONES package parameter values are described in the following table.
Table 24–2 SUNW_PKG_ALLZONES Package Parameter Values
The SUNW_PKG_HOLLOW package parameter defines whether a package should be visible in any non-global zone if that package is required to be installed and be identical in all zones.
The SUNW_PKG_HOLLOW package parameter has two permissible values, true or false.
If SUNW_PKG_HOLLOW is either not set or set to a value other than true or false, the value false is used.
If SUNW_PKG_ALLZONES is set to false, the SUNW_PKG_HOLLOW parameter is ignored.
If SUNW_PKG_ALLZONES is set to false, then SUNW_PKG_HOLLOW cannot be set to true.
The SUNW_PKG_HOLLOW package parameter values are described in the following table.
Table 24–3 SUNW_PKG_HOLLOW Package Parameter Values
The SUNW_PKG_THISZONE package parameter defines whether a package must be installed in the current zone, global or non-global, only. The SUNW_PKG_THISZONE package parameter has two permissible values. These values are true and false. The default value is false.
The SUNW_PKG_THISZONE package parameter values are described in the following table.
Table 24–4 SUNW_PKG_THISZONE Package Parameter Values
The pkginfo utility described in the pkginfo(1) man page supports querying the software package database on a Solaris system with zones installed. For information about the database, see Product Database (SVr4 Only).
The pkginfo utility can be used in the global zone to query the software package database in the global zone only. The pkginfo utility can be used in a non-global zone to query the software package database in the non-global global zone only.
On the OpenSolaris 2009.06 release, use the pkginfo command.
In general, a patch consists of the following components:
Patch information:
Identification, which is the patch version and patch ID
Applicability, which is the operating system type, operating system version, and architecture
Dependencies, such as requires and obsoletes
Properties, such as requires a reboot afterwards
One or more packages to patch, where each package contains:
The version of the package to which the patches can be applied
Patch information, such as ID, obsoletes, and requires
One or more components of the package to be patched
When the patchadd command is used to apply a patch, the patch information is used to determine whether the patch is applicable to the currently running system. If determined to be not applicable, the patch is not applied. Patch dependencies are also checked against all of the zones on the system. If any required dependencies are not met, the patch is not applied. This could include the case in which a later version of the patch is already installed.
Each package contained in the patch is checked. If the package is not installed on any zone, then the package is bypassed and not patched.
If all dependencies are satisfied, all packages in the patch that are installed on any zone are used to patch the system. The package and patch databases are also updated.
All patches applied at the global zone level are applied across all zones. When a non-global zone is installed, it is at the same patch level as the global zone. When the global zone is patched, all non-global zones are similarly patched. This action maintains the same patch level across all zones.
The patchadd system utility described in the patchadd(1M) man page is used to add patches on a system with zones installed.
To add a patch to the global zone and to all non-global zones, run patchadd as the global administrator in the global zone.
When patchadd is used in the global zone, the following conditions apply:
The patchadd utility is able to add the patch(es) to the global zone and to all non-global zones only. This is the default action.
The patchadd utility cannot add the patch(es) to the global zone only or to a subset of the non-global zones.
When you add a patch to the global zone and to all non-global zones, you do not have to consider whether the patch affects areas that are shared from the global zone.
The following steps are performed by the patchadd utility:
The patch is added to the global zone.
The patch database on the global zone is updated.
The patch is added to each non-global zone.
The patch database on each non-global zone is updated.
When used in a non-global zone by the zone administrator, patchadd can only be used to add patches to that zone. A patch can be added to a non-global zone in the following cases:
The patch does not affect any area of the zone that is shared from the global zone.
All packages in the patch are set SUNW_PKG_ALLZONES=false.
The following steps are performed by the patchadd utility:
The patch is added to the zone.
The patch database on the zone is updated.
The following list specifies the interaction between the -G option and the SUNW_PKG_ALLZONES variable when adding a patch in global and non-global zones.
If any packages have SUNW_PKG_ALLZONES=TRUE, this use results in an error and no action.
If no packages have SUNW_PKG_ALLZONES=TRUE, patch is applied to package(s) in global zone only.
If any packages have SUNW_PKG_ALLZONES=TRUE, patch is applied to those package(s) in all zones.
If any packages do not have SUNW_PKG_ALLZONES=TRUE, patch is applied to those package(s) in all appropriate zones. Global zone only packages are installed only in the global zone.
If any packages have SUNW_PKG_ALLZONES=TRUE, this use results in an error and no action.
If no packages have SUNW_PKG_ALLZONES=TRUE, patch is applied to packages in non-global zone only.
The patchrm system utility described in the patchrm(1M) man page is used to remove patches on a system with zones installed.
As the global administrator, you can use the patchrm utility in the global zone to remove patches. The patchrm utility cannot remove patches from the global zone only or from a subset of the non-global zones.
As the zone administrator, you can use the patchrm utility in a non-global zone to remove patches from that non-global zone only. Patches cannot affect areas that are shared.
PatchPro can be used in the global zone and in any non-global zone. If run in the global zone, PatchPro uses the existing patch database and patch tools to patch the global and all non-global zones for all software that is installed on the global zone. No software installed in a non-global zone that is not also installed in the global zone will be taken into account.
A zone administrator can run PatchPro in a non-global zone to patch the software installed in the non-global zone.
Each zone's respective package, patch, and product registry database completely describes all installed software that is available on the zone. All dependency checking for installing additional software or patches is performed without accessing any other zone's database, unless a package or patch is being installed or removed on the global zone and on one or more non-global zones. In this case, the appropriate non-global zone database(s) must be accessed.
For more information about the database, see the pkgadm(1M) man page.