Updating Systems and Adding Software in Oracle® Solaris 11.4

Updated: August 2018

Fixing Problems With Installed Packages

IPS provides operations to validate that an installed package is installed correctly, fix any validation issues, and restore installed files to their packaged state.


Note -  Security best practice recommends that you periodically run pkg verify -v to help ensure that packaged file system objects have not been changed insecurely.

Comparing the pkg fix and pkg revert Commands

Both the pkg fix command and the pkg revert command reinstall components of installed packages. The following table shows some of the similarities and differences between these two commands.

Table 3  pkg fix and pkg revert Comparison

pkg fix

  • Operates on packages. Takes one or more package names or patterns that match package names as operands.

  • Operates only on packages that fail pkg verify.

  • Fixes only errors reported by pkg verify. Does not redeliver other content or metadata from the package.

pkg revert

  • Operates on files. Takes one or more file names or tag names as operands.

  • Redelivers files identified by the operands. Does not redeliver other content or metadata from the package.

Verifying Packages and Fixing Verification Errors

Use the pkg verify command to validate the installation of packages in the image. If the current signature policy for related publishers is not ignore, the signatures of each package are validated based on policy. See Image Properties for Signed Packages for an explanation of how signature policies are applied. Verification of installed package content is based on a custom content analysis that might return different results than those of other programs.

If you do not provide a package name, all installed packages are examined. The -v option provides informational messages, at least one line for each installed package. The following example shows only a small sample of output. The installation of the pkg/depot package has an error.

$ pkg verify -v
PACKAGE                                                                 STATUS
pkg://solaris/archiver/gnu-tar                                              OK
pkg://solaris/audio/audio-utilities                                         OK
pkg://solaris/benchmark/x11perf                                             OK
...
pkg://solaris/package/pkg/depot                                          ERROR
        dir: var/cache/pkg/depot
                Group: 'pkg5srv (97)' should be 'bin (2)'
        file: var/log/pkg/depot/access_log
                editable file has been changed
        file: var/log/pkg/depot/error_log
                editable file has been changed
...
pkg://solaris/security/sudo                                                 OK
        file: etc/sudoers
                editable file has been changed
...
pkg://solaris/x11/xlock                                                     OK
pkg://solaris/x11/xmag                                                      OK
pkg://solaris/x11/xvidtune                                                  OK

Use the pkg fix command to fix package errors that are reported by the pkg verify command. If the fix affects files that cannot be modified in the live image, the fix will be done in a new BE. You can specify -nv options to see what changes will be made, and you can specify BE options as described in Boot Environment Options.

The pkg verify output shows that components of the installed sudo package differ from the packaged components, but these differences are not reported as validation errors. The pkg fix command therefore makes no changes, and the /etc/sudoers file is not replaced.

$ pkg fix pkg://solaris/security/sudo
No repairs for this image.

If you remove the /etc/sudoers file, the package fails validation and pkg fix replaces the file.

$ pkg fix pkg://solaris/security/sudo
Verifying: pkg://solaris/security/sudo                          ERROR
        file: etc/sudoers
                Missing: regular file does not exist
Created ZFS snapshot: 2014-03-13-22:05:42
Repairing: pkg://solaris/security/sudo
Creating Plan (Evaluating mediators): 

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1           1/1      0.0/0.0  990B/s

PHASE                                          ITEMS
Updating modified actions                        1/1
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done

Only the missing file is replaced, as noted by the one file downloaded and one action (the file action) modified. Other sudo package content was not touched. The operation saved a snapshot of the current installation before performing the repair. See the "Created ZFS snapshot" line in the pkg fix output. The repair was performed in the current image.

$ zfs list -r rpool/ROOT/s11
NAME                                 USED  AVAIL  REFER  MOUNTPOINT
rpool/ROOT/s11                      16.3G  22.5G  26.1G  /
rpool/ROOT/s11@2014-03-13-23:52:19   249M      -  26.1G  -

The pkg verify output shows an error in the group ownership of a directory in the installed pkg/depot package. The pkg fix output shows only the error in the "Verifying" section. The other differences from the packaged components are not shown.

$ ls -ld /var/cache/pkg/depot
drwxr-xr-x   3 pkg5srv  pkg5srv        3 Dec  2 19:47 /var/cache/pkg/depot/
$ pkg fix pkg://solaris/package/pkg/depot
Verifying: pkg://solaris/package/pkg/depot                      ERROR
        dir: var/cache/pkg/depot
                Group: 'pkg5srv (97)' should be 'bin (2)'
Created ZFS snapshot: 2014-03-13-22:18:52
Repairing: pkg://solaris/package/pkg/depot
Creating Plan (Evaluating mediators): 

PHASE                                          ITEMS
Updating modified actions                        1/1
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done

The following output shows that only the error has been fixed. The other differences between installed and packaged components remain.

$ ls -ld /var/cache/pkg/depot
drwxr-xr-x   3 pkg5srv  bin            3 Dec  2 19:47 /var/cache/pkg/depot/
$ pkg verify -v pkg://solaris/package/pkg/depot
PACKAGE                                                                 STATUS
pkg://solaris/package/pkg/depot                                             OK
        file: var/log/pkg/depot/access_log
                editable file has been changed
        file: var/log/pkg/depot/error_log
                editable file has been changed

To evaluate pkg verify output programmatically, specify the --parsable 0 option. Do not use the -v option if you use the --parsable option.
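
The sudo example above shows that a package can report OK while an editable file such as etc/sudoers has changed, and that pkg fix does not restore it. The following Python script is an added example, not part of the Oracle documentation or IPS: it parses the pkg verify -v text layout shown on this page (the --parsable 0 format is not shown here) and separates verification errors from editable-file changes that are not on a reviewed allowlist. The function names, the allowlist, and the line-matching rules are assumptions of this example.

```python
import re

# Constructed sample that follows the `pkg verify -v` layout shown on this page.
SAMPLE = """\
PACKAGE                                                                 STATUS
pkg://solaris/archiver/gnu-tar                                              OK
pkg://solaris/package/pkg/depot                                          ERROR
        dir: var/cache/pkg/depot
                Group: 'pkg5srv (97)' should be 'bin (2)'
        file: var/log/pkg/depot/access_log
                editable file has been changed
        file: var/log/pkg/depot/error_log
                editable file has been changed
pkg://solaris/security/sudo                                                 OK
        file: etc/sudoers
                editable file has been changed
"""

PKG_RE = re.compile(r"^(pkg://\S+)\s+([A-Z]+)\s*$")
# Assumption: action lines read "<lowercase type>: <path>"; detail lines never do.
ITEM_RE = re.compile(r"^\s+([a-z]+): (\S+)\s*$")
EDITED = "editable file has been changed"

def parse_verify(text):
    """Return one dict per detail line: package, status, kind, path, message."""
    findings, pkg, status, item = [], None, None, None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:  # new package row: reset the current action
            pkg, status, item = m.group(1), m.group(2), None
            continue
        m = ITEM_RE.match(line)
        if m and pkg:  # "dir:", "file:", ... row under the current package
            item = (m.group(1), m.group(2))
            continue
        if item and line.startswith((" ", "\t")) and line.strip():
            findings.append({"package": pkg, "status": status, "kind": item[0],
                             "path": item[1], "message": line.strip()})
    return findings

def triage(text, expected_edits=()):
    """Split findings into verification errors and editable-file changes
    that are not on the reviewed allowlist (a hypothetical policy input)."""
    errors, unreviewed = [], []
    for f in parse_verify(text):
        if f["message"] != EDITED:
            errors.append((f["path"], f["message"]))
        elif f["path"] not in expected_edits:
            unreviewed.append(f["path"])
    return errors, unreviewed
```

With the two depot log files passed as expected_edits, triage(SAMPLE, ...) returns the group error on var/cache/pkg/depot and leaves etc/sudoers as the only change awaiting review.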

Verifying File System Content

In addition to verifying installed packages, the pkg verify command can verify installed directories, files, and links.

The following example uses the -p option to show the same information that was shown by doing a full verify of all installed packages in the previous section:

$ pkg verify -p var/cache/pkg/depot
PACKAGE                                                                 STATUS
pkg://nightly/package/pkg/depot                                          ERROR
        dir: var/cache/pkg/depot
                ERROR: Group: 'pkg5srv (97)' should be 'bin (2)'

In the following example, because the file verification status is OK, no output is shown unless the -v option is added:

$ pkg verify -vp etc/sudoers
PACKAGE                                                                 STATUS
pkg://nightly/security/sudo                                                 OK
        file: etc/sudoers
                editable file has been changed

Identifying Unpackaged File System Content

The message in the following example indicates that the file is not delivered by any package:

$ pkg verify -p etc/resolv.conf
PACKAGE                                                                 STATUS
etc/resolv.conf is not found in the image

The file /etc/resolv.conf exists on the system but is not packaged. The file contains the following comments, indicating the file is generated from SMF data:

# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
#   DO NOT EDIT THIS FILE.  EDITS WILL BE LOST.
# See resolv.conf(5) for details.

To include file system content that is not delivered by any package in the report of installed package verification, use the --unpackaged option:

$ pkg verify -v --unpackaged

To report only file system content that is not delivered by any package, use the --unpackaged-only option:

$ pkg verify --unpackaged-only

Restoring a File

Use the pkg revert command to restore files to their packaged condition. File ownership and protections are also restored.


Caution  -  Reverting some editable files can make the system unbootable, or cause other malfunctions. Use the --require-backup-be option when reverting a key editable file.


Reverting Named Files

The following example specifies one of the two installed files from the pkg/depot package that are different from their packaged versions.

$ pkg revert -v /var/log/pkg/depot/access_log
               Packages to fix:         1
     Estimated space available:  21.08 GB
Estimated space to be consumed: 460.87 MB
       Create boot environment:        No
Create backup boot environment:        No
          Rebuild boot archive:        No

Changed packages:
solaris
  package/pkg/depot
    0.5.11,5.11-0.175.2.0.0.33.0:20140217T134751Z
DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1           1/1      0.0/0.0   50B/s

PHASE                                          ITEMS
Updating modified actions                        1/1
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done

The specified file was replaced by the packaged version. No other components of the pkg/depot package were changed.

Reverting Tagged Files and Directories

Use the --tagged option to perform the following operations:

  • Revert all files tagged with the specified tag name.

  • Remove any unpackaged files or directories that are under directories with the specified tag name and that match the specified pattern.

See the description of the revert-tag attribute in File Actions in Packaging and Delivering Software With the Image Packaging System in Oracle Solaris 11.4 and Directory Actions in Packaging and Delivering Software With the Image Packaging System in Oracle Solaris 11.4 for more information.

The following example shows directories that are tagged with the system:sysconfig-profile tag name. Unpackaged files will be removed from these directories when you use the --remove-profiles option with the sysconfig unconfigure command, as described in the sysconfig(8) man page.

$ pkg contents -H -a revert-tag='system:sysconfig-profile*' '*'
etc/svc/profile/enterprise
etc/svc/profile/incoming
etc/svc/profile/node
etc/svc/profile/site
etc/svc/profile/sysconfig
etc/svc/profile/system

The following command shows files that are tagged with the system:dev-init tag name. These files are reverted to their packaged state during recovery archive creation because these files contain configuration that is specific to that system and should not be included in a recovery archive. See the archiveadm(8) man page for more information.

$ pkg contents -Ha revert-tag='system:dev-init*' '*'

The following files are reverted to their packaged state during clone archive creation. In addition to the instance-specific information described in the previous example, information such as log file content and some configuration files is also reverted in a clone archive.

$ pkg contents -H -a revert-tag='system:dev-init*' -a revert-tag='system:clone*' '*'

The following command shows a preview of an operation that would revert all files that have the system:dev-init tag name. The files to be reverted would be listed by the -v option but are not shown in this example. Notice that the boot archive would be rebuilt. Using the --be-name option to create a new boot environment with a meaningful name is a good practice.

$ pkg revert -nv --tagged system:dev-init
               Packages to fix:         5
     Estimated space available: 852.20 GB
Estimated space to be consumed: 470.42 MB
       Create boot environment:       Yes
     Activate boot environment:       Yes
Create backup boot environment:        No
          Rebuild boot archive:       Yes