IPS provides operations to validate that an installed package is installed correctly, fix any validation issues, and restore installed files to their packaged state.
Both the pkg fix command and the pkg revert command reinstall components of installed packages. The following table shows some of the similarities and differences between these two commands.
Use the pkg verify command to validate the installation of packages in the image. If the current signature policy for related publishers is not ignore, the signatures of each package are validated based on policy. See Image Properties for Signed Packages for an explanation of how signature policies are applied. Verification of installed package content is based on a custom content analysis that might return different results than those of other programs.
If you do not provide a package name, all installed packages are examined. The -v option provides informational messages, at least one line for each installed package. The following example shows only a small sample of output. The installation of the pkg/depot package has an error.
$ pkg verify -v PACKAGE STATUS pkg://solaris/archiver/gnu-tar OK pkg://solaris/audio/audio-utilities OK pkg://solaris/benchmark/x11perf OK ... pkg://solaris/package/pkg/depot ERROR dir: var/cache/pkg/depot Group: 'pkg5srv (97)' should be 'bin (2)' file: var/log/pkg/depot/access_log editable file has been changed file: var/log/pkg/depot/error_log editable file has been changed ... pkg://solaris/security/sudo OK file: etc/sudoers editable file has been changed ... pkg://solaris/x11/xlock OK pkg://solaris/x11/xmag OK pkg://solaris/x11/xvidtune OK
Use the pkg fix command to fix package errors that are reported by the pkg verify command. If the fix affects files that cannot be modified in the live image, the fix will be done in a new BE. You can specify -nv options to see what changes will be made, and you can specify BE options as described in Boot Environment Options.
The pkg verify output shows that components of the installed sudo package are different from the packaged components but these differences are not reported as validation errors. The pkg fix makes no changes. The /etc/sudoers file is not replaced.
$ pkg fix pkg://solaris/security/sudo No repairs for this image.
If you remove the /etc/sudoers file, the package fails validation and pkg fix replaces the file.
$ pkg fix pkg://solaris/security/sudo Verifying: pkg://solaris/security/sudo ERROR file: etc/sudoers Missing: regular file does not exist Created ZFS snapshot: 2014-03-13-22:05:42 Repairing: pkg://solaris/security/sudo Creating Plan (Evaluating mediators): DOWNLOAD PKGS FILES XFER (MB) SPEED Completed 1/1 1/1 0.0/0.0 990B/s PHASE ITEMS Updating modified actions 1/1 Updating package state database Done Updating package cache 0/0 Updating image state Done Creating fast lookup database Done
Only the missing file is replaced, as noted by the one file downloaded and one action (the file action) modified. Other sudo package content was not touched. The operation saved a snapshot of the current installation before performing the repair. See the “Created ZFS snapshot” line in the pkg fix output. The repair was performed in the current image.
$ zfs list -r rpool/ROOT/s11 NAME USED AVAIL REFER MOUNTPOINT rpool/ROOT/s11 16.3G 22.5G 26.1G / rpool/ROOT/s11@2014-03-13-23:52:19 249M - 26.1G -
The pkg verify output shows an error in ownership of a directory in the installed pkg/depot package. The pkg fix output shows only the error in the “Verifying” section. The other differences with the packaged components are not shown.
$ ls -ld /var/cache/pkg/depot drwxr-xr-x 3 pkg5srv pkg5srv 3 Dec 2 19:47 /var/cache/pkg/depot/ $ pkg fix pkg://solaris/package/pkg/depot Verifying: pkg://solaris/package/pkg/depot ERROR dir: var/cache/pkg/depot Group: 'pkg5srv (97)' should be 'bin (2)' Created ZFS snapshot: 2014-03-13-22:18:52 Repairing: pkg://solaris/package/pkg/depot Creating Plan (Evaluating mediators): PHASE ITEMS Updating modified actions 1/1 Updating package state database Done Updating package cache 0/0 Updating image state Done Creating fast lookup database Done
The following output shows that only the error has been fixed. The other differences between installed and packaged components remain.
$ ls -ld /var/cache/pkg/depot drwxr-xr-x 3 pkg5srv bin 3 Dec 2 19:47 /var/cache/pkg/depot/ $ pkg verify -v pkg://solaris/package/pkg/depot PACKAGE STATUS pkg://solaris/package/pkg/depot OK file: var/log/pkg/depot/access_log editable file has been changed file: var/log/pkg/depot/error_log editable file has been changed
To evaluate pkg verify output programmatically, specify the --parsable 0 option. Do not use the -v option if you use the --parsable option.
In addition to verifying installed packages, the pkg verify command can verify installed directories, files, and links.
The following example uses the -p option to show the same information that was shown by doing a full verify of all installed packages in the previous section:
$ pkg verify -p var/cache/pkg/depot PACKAGE STATUS pkg://nightly/package/pkg/depot ERROR dir: var/cache/pkg/depot ERROR: Group: 'pkg5srv (97)' should be 'bin (2)'
In the following example, because the file verification status is OK, no output is shown unless the -v option is added:
$ pkg verify -vp etc/sudoers PACKAGE STATUS pkg://nightly/security/sudo OK file: etc/sudoers editable file has been changed
The message in the following example indicates that the file is not delivered by any package:
$ pkg verify -p etc/resolv.conf PACKAGE STATUS etc/resolv.conf is not found in the image
The file /etc/resolv.conf exists on the system but is not packaged. The file contains the following comments, indicating the file is generated from SMF data:
# _AUTOGENERATED_FROM_SMF_V1_ # # WARNING: THIS FILE GENERATED FROM SMF DATA. # DO NOT EDIT THIS FILE. EDITS WILL BE LOST. # See resolv.conf(5) for details.
To include file system content that is not delivered by any package in the report of installed package verification, use the --unpackaged option:
$ pkg verify -v --unpackaged
To report only file system content that is not delivered by any package, use the --unpackaged-only option:
$ pkg verify --unpackaged-only
Use the pkg revert command to restore files to their packaged condition. File ownership and protections are also restored.
Caution - Reverting some editable files can make the system unbootable, or cause other malfunctions. Use the --require-backup-be option when reverting a key editable file.
The following example specifies one of the two installed files from the pkg/depot package that are different from their packaged versions.
$ pkg revert -v /var/log/pkg/depot/access_log Packages to fix: 1 Estimated space available: 21.08 GB Estimated space to be consumed: 460.87 MB Create boot environment: No Create backup boot environment: No Rebuild boot archive: No Changed packages: solaris package/pkg/depot 0.5.11,5.11-0.175.2.0.0.33.0:20140217T134751Z DOWNLOAD PKGS FILES XFER (MB) SPEED Completed 1/1 1/1 0.0/0.0 50B/s PHASE ITEMS Updating modified actions 1/1 Updating package state database Done Updating package cache 0/0 Updating image state Done Creating fast lookup database Done
The specified file was replaced by the packaged version. No other components of the pkg.depot package were changed.
Use the --tagged option to perform the following operations:
Revert all files tagged with the specified tag name.
Remove any unpackaged files or directories that are under directories with the specified tag name and that match the specified pattern.
See the description of the revert-tag attribute in File Actions in Packaging and Delivering Software With the Image Packaging System in Oracle Solaris 11.4 and Directory Actions in Packaging and Delivering Software With the Image Packaging System in Oracle Solaris 11.4 for more information.
The following example shows directories that are tagged with the system:sysconfig-profile tag name. Unpackaged files will be removed from these directories when you use the --remove-profiles option with the sysconfig unconfigure command, as described in the sysconfig(8) man page.
$ pkg contents -H -a revert-tag='system:sysconfig-profile*' '*' etc/svc/profile/enterprise etc/svc/profile/incoming etc/svc/profile/node etc/svc/profile/site etc/svc/profile/sysconfig etc/svc/profile/system
The following command shows files that are tagged with the system:dev-init tag name. These files are reverted to their packaged state during recovery archive creation because these files contain configuration that is specific to that system and should not be included in a recovery archive. See the archiveadm(8) man page for more information.
$ pkg contents -Ha revert-tag='system:dev-init*' '*'
The following files are reverted to their packaged state during clone archive creation. In addition to the instance-specific information described in the previous example, information such as log file content and some configuration files also is reverted in a clone archive.
$ pkg contents -H -a revert-tag='system:dev-init*' -a revert-tag='system:clone*' '*'
The following command shows a preview of an operation that would revert all files that have the system:dev-init tag name. The files to be reverted would be listed by the -v option but are not shown in this example. Notice that the boot archive would be rebuilt. Using the --be-name option to create a new boot environment with a meaningful name is a good practice.
$ pkg revert -nv --tagged system:dev-init Packages to fix: 5 Estimated space available: 852.20 GB Estimated space to be consumed: 470.42 MB Create boot environment: Yes Activate boot environment: Yes Create backup boot environment: No Rebuild boot archive: Yes