You can use most IPS commands in a non-global zone the same way you use the commands in the global zone. See Images and Boot Environments for introductory information about zones.
With regard to package installation, the global zone and non-global zones have a parent-child relationship as described in Relationship Between Global and Non-Global Zones and Updating Multiple Non-Global Zones Concurrently.
An important difference between the global zone and non-global zones is the use of package publishers as described in The System Repository and Proxy Services.
Installed solaris branded non-global zones can be affected by installing, updating, and uninstalling packages in the global zone.
Changing facets and variants can cause package installations and removals and affect non-global zones.
Non-global zones do not need to be booted to be updated from the global zone. Non-global zones only need to be installed to be affected by package changes in the global zone.
When you run installation and update commands in the global zone, by default the global zone and each installed non-global zone is updated serially, and the non-global zones are modified only to the extent required to keep the non-global zone compatible with the global zone.
To perform the same operation in non-global zones that you perform in the global zone instead of performing only the minimal required updates in the non-global zones, use the -r option as described in Options That Operate on Non-Global Zones.
When you run package commands while logged into a non-global zone, only that non-global zone is affected. Non-global zones can be different from their parent global zone in the following ways, for example:
Different packages can be installed.
Different versions of the same package can be installed if the result is compatible with the global zone.
Different packages can be on the avoid list.
Different packages can be frozen and can be frozen at different versions.
Mediators can be set to select different default implementations.
Different facets can be set.
Versions of packages installed in a non-global zone can be restricted by the versions installed in the global zone. Some packages cannot be updated or downgraded in a non-global zone because those packages must be the same version in the non-global zone as they are in the global zone. For example, the package named entire must be the same version in each non-global zone as in the global zone.
If a package that is installed in a non-global zone has a parent dependency, then updating that package in the global zone causes that package to be updated in the non-global zone. Packages that are dependents of packages that have parent dependencies are also affected.
Packages that are not affected by parent dependencies can be installed at a different version in a non-global zone than the version that is installed in the global zone. To install a different version in the non-global zone, specify the version in the pkg install command or freeze the version at the version you want.
In a non-global zone, the system repository provides access to the package repositories configured in the global zone. Publisher configuration changes made to the global zone are seen immediately by all non-global zones via the system repository.
A publisher origin or mirror that is configured in a non-global zone must be accessible from the global zone even if that location is not configured in the global zone publisher list. For example, if you have the localsw publisher configured in a non-global zone but not in the global zone, all origins and mirrors for the localsw publisher still must be accessible from the global zone.
The system repository can proxy http, https, file, and .p5p archive repositories. Only version 4 file system repositories are supported, which is the default format for the pkgrepo create command. See the pkgrepo(1) man page for more information about repository versions.
The zones proxy is a service that enables pkg commands running inside a zone to communicate with the system repository, which is running in the global zone. The zones proxy has two parts. The following service runs in the global zone:
The following service runs in the non-global zone:
See the pkg.sysrepo(8) man page for more information about the system repository and zones proxy services.
The following example shows publishers in a global zone:
global:~$ pkg publisher PUBLISHER TYPE STATUS P LOCATION solaris origin online F http://pkg.oracle.com/solaris/release/ solaris origin online F file:///var/share/pkgrepos/solaris/ devtool (disabled) origin online F http://pkg.example1.com/ isvpub origin online F http://pkg.example2.com/
The following example shows how these same publishers appear when you are logged into a non-global zone:
z1:~$ pkg publisher PUBLISHER TYPE STATUS P LOCATION solaris (syspub) origin online T <system-repository> solaris (syspub) origin online F <system-repository> isvpub (syspub) origin online T <system-repository>
Notice that the disabled repository is not available in the non-global zone.
Use the -F option to display the URI and proxy values for system-repository locations:
z1:~$ pkg publisher -F tsv PUBLISHER STICKY SYSPUB ENABLED TYPE STATUS URI PROXY solaris true true true origin online http://pkg.oracle.com/solaris/release/ http://localhost:1008 solaris true true true origin online http://localhost:1008/solaris/35024e7d1859bedee9af156d22a591c433adc0ee/ - isvpub true true true origin online http://pkg.example2.com/ http://localhost:1008
Notice that the file:// repository in the global zone has been assigned an http:// location in the non-global zone.
In the non-global zone, the system repository always shows as a proxy. This is the proxy the non-global zone uses to communicate with the system repository in the global zone.
You cannot reconfigure the system repository from within a non-global zone. For example, you cannot change the origins or properties of publishers or the publisher search order of publishers whose location is <system-repository>. If a publisher is added or reconfigured in the global zone, those changes are seen immediately by non-global zones. If a publisher is unset in the global zone, that publisher is unset in non-global zones unless the non-global zone has a package installed from that publisher.
If you cannot reach a publisher, you can set a proxy in the global zone, as described in Specifying a Proxy. For more information about setting proxies when you have non-global zones, including instructions for when and how to use the http_proxy and https_proxy environment variables, see Configuring Proxies to the Package Repository for Non-Global Zones in Creating and Using Oracle Solaris Zones.
For a publisher that is already configured in the global zone, the following pkg list command gives the same result in the both the global zone and non-global zones:
z1:~$ pkg list -a isvtool NAME (PUBLISHER) VERSION IFO isvtool (isvpub) 2.0 --- isvtool (isvpub) 1.0 ---
Repositories can be network or file system accessible to the non-global zone even if those repositories are not configured in the global zone. The non-global zone publisher configuration must match the global zone publisher configuration or must be a superset of the global zone publisher configuration. For example, the localsw publisher could be configured in a non-global zone with an origin of file:///var/share/pkgrepos/localrepo because that location is accessible in the global zone even if the localsw publisher is not configured in the global zone.
By default, when you use the pkg update command in the global zone, the packaging system updates the global zone and each non-global zone serially. To update multiple non-global zones concurrently, use the -C option or set the PKG_CONCURRENCY environment variable in the global zone. See Options That Operate on Non-Global Zones for more information.
In the following example, both non-global zones are updated at the same time as the global zone. The output refers to the non-global zones as linked images because they are linked to their parent global zone image.
global:~$ pkg update -C 0 --be-name s12.0 Startup: Linked image publisher check ... Done Startup: Refreshing catalog 'solaris' ... Done Startup: Refreshing catalog 'isvpub' ... Done Startup: Checking that pkg(7) is up to date ... Done Planning: Solver setup ... Done Planning: Running solver ... Done Planning: Finding local manifests ... Done Planning: Package planning ... Done Planning: Merging actions ... Done Planning: Checking for conflicting actions ... Done Planning: Consolidating action changes ... Done Planning: Evaluating mediators ... Done Planning: Planning completed in 39.00 seconds Packages to remove: 2 Packages to install: 1 Packages to update: 640 Create boot environment: Yes Create backup boot environment: No Planning: Linked images: 0/2 done; 2 working: zone:z1 zone:z2 Planning: Linked image 'zone:z1' output: | Packages to install: 1 | Packages to update: 161 | Services to change: 2 ` Planning: Linked images: 1/2 done; 1 working: zone:z2 Planning: Linked image 'zone:z2' output: | Packages to install: 1 | Packages to update: 161 | Services to change: 2 ` Planning: Finished processing linked images. Download: 0/12068 items 0.0/350.9MB 0% complete ... Download: 11664/12068 items 336.1/350.9MB 95% complete Download: Completed 350.91 MB in 187.08 seconds (0B/s) Download: Linked images: 0/2 done; 2 working: zone:z1 zone:z2 Download: Linked images: 1/2 done; 1 working: zone:z1 Download: Finished processing linked images. Actions: 1/23382 actions (Removing old actions) Actions: 3867/23382 actions (Installing new actions) Actions: 8192/23382 actions (Updating modified actions) ... Actions: 23266/23382 actions (Updating modified actions) Actions: Completed 23382 actions in 96.16 seconds. Finalize: Updating package state database ... Done Finalize: Updating package cache ... Done Finalize: Updating image state ... Done Finalize: Creating fast lookup database ... Done Finalize: Reading search index ... Done Finalize: Building new search index ... Done Finalize: Linked images: 0/2 done; 2 working: zone:z1 zone:z2 Finalize: Linked images: 1/2 done; 1 working: zone:z2 Finalize: Finished processing linked images. A clone of s11 exists and has been updated and activated. On the next boot the Boot Environment s11u1 will be mounted on '/'. Reboot when ready to switch to this updated BE.