Go to main content

Updating Systems and Adding Software in Oracle® Solaris 11.4

Exit Print View

Updated: August 2018
 
 

Working with Non-Global Zones

You can use most IPS commands in a non-global zone the same way you use the commands in the global zone. See Images and Boot Environments for introductory information about zones.

With regard to package installation, the global zone and non-global zones have a parent-child relationship as described in Relationship Between Global and Non-Global Zones and Updating Multiple Non-Global Zones Concurrently.

An important difference between the global zone and non-global zones is the use of package publishers as described in The System Repository and Proxy Services.

Relationship Between Global and Non-Global Zones

Installed solaris branded non-global zones can be affected by installing, updating, and uninstalling packages in the global zone.

Changing facets and variants can cause package installations and removals and affect non-global zones.

Non-global zones do not need to be booted to be updated from the global zone. Non-global zones only need to be installed to be affected by package changes in the global zone.

When you run installation and update commands in the global zone, by default the global zone and each installed non-global zone is updated serially, and the non-global zones are modified only to the extent required to keep the non-global zone compatible with the global zone.


Tip  -  Use the -nv options to review what changes will be made in non-global zones as well as in the global zone.

When you run package commands while logged into a non-global zone, only that non-global zone is affected. Non-global zones can be different from their parent global zone in the following ways, for example:

  • Different packages can be installed.

  • Different versions of the same package can be installed if the result is compatible with the global zone.

  • Different packages can be on the avoid list.

  • Different packages can be frozen and can be frozen at different versions.

  • Mediators can be set to select different default implementations.

  • Different facets can be set.

Versions of packages installed in a non-global zone can be restricted by the versions installed in the global zone. Some packages cannot be updated or downgraded in a non-global zone because those packages must be the same version in the non-global zone as they are in the global zone. For example, the package named entire must be the same version in each non-global zone as in the global zone.

If a package that is installed in a non-global zone has a parent dependency, then updating that package in the global zone causes that package to be updated in the non-global zone. Packages that are dependents of packages that have parent dependencies are also affected.

Packages that are not affected by parent dependencies can be installed at a different version in a non-global zone than the version that is installed in the global zone. To install a different version in the non-global zone, specify the version in the pkg install command or freeze the version at the version you want.

See Sync Linked Package Cannot Be Installed and Non-Global Zone Cannot Be Installed for some help related to installing packages in non-global zones.

The System Repository and Proxy Services

In a non-global zone, the system repository provides access to the package repositories configured in the global zone. Publisher configuration changes made to the global zone are seen immediately by all non-global zones via the system repository.

A publisher origin or mirror that is configured in a non-global zone must be accessible from the global zone even if that location is not configured in the global zone publisher list. For example, if you have the localsw publisher configured in a non-global zone but not in the global zone, all origins and mirrors for the localsw publisher still must be accessible from the global zone.

The system repository can proxy http, https, file, and .p5p archive repositories. Only version 4 file system repositories are supported, which is the default format for the pkgrepo create command. See the pkgrepo(1) man page for more information about repository versions.

The zones proxy is a service that enables pkg commands running inside a zone to communicate with the system repository, which is running in the global zone. The zones proxy has two parts. The following service runs in the global zone:

svc:/application/pkg/zones-proxyd:default

The following service runs in the non-global zone:

svc:/application/pkg/zones-proxy-client:default

See the pkg.sysrepo(8) man page for more information about the system repository and zones proxy services.

The following example shows publishers in a global zone:

global:~$ pkg publisher
PUBLISHER             TYPE     STATUS P LOCATION
solaris               origin   online F http://pkg.oracle.com/solaris/release/
solaris               origin   online F file:///var/share/pkgrepos/solaris/
devtool  (disabled)   origin   online F http://pkg.example1.com/
isvpub                origin   online F http://pkg.example2.com/

The following example shows how these same publishers appear when you are logged into a non-global zone:

z1:~$ pkg publisher
PUBLISHER             TYPE     STATUS P LOCATION
solaris  (syspub)     origin   online T <system-repository>
solaris  (syspub)     origin   online F <system-repository>
isvpub   (syspub)     origin   online T <system-repository>

Notice that the disabled repository is not available in the non-global zone.

Use the -F option to display the URI and proxy values for system-repository locations:

z1:~$ pkg publisher -F tsv
PUBLISHER  STICKY  SYSPUB  ENABLED  TYPE    STATUS  URI                                     PROXY
solaris    true    true    true     origin  online  http://pkg.oracle.com/solaris/release/  http://localhost:1008
solaris    true    true    true     origin  online  http://localhost:1008/solaris/35024e7d1859bedee9af156d22a591c433adc0ee/ -
isvpub     true    true    true     origin  online  http://pkg.example2.com/                http://localhost:1008

Notice that the file:// repository in the global zone has been assigned an http:// location in the non-global zone.

In the non-global zone, the system repository always shows as a proxy. This is the proxy the non-global zone uses to communicate with the system repository in the global zone.

You cannot reconfigure the system repository from within a non-global zone. For example, you cannot change the origins or properties of publishers or the publisher search order of publishers whose location is <system-repository>. If a publisher is added or reconfigured in the global zone, those changes are seen immediately by non-global zones. If a publisher is unset in the global zone, that publisher is unset in non-global zones unless the non-global zone has a package installed from that publisher.


Tip  -  Before you unset a publisher in the global zone, uninstall packages from that publisher in non-global zones.

If you cannot reach a publisher, you can set a proxy in the global zone, as described in Specifying a Proxy. For more information about setting proxies when you have non-global zones, including instructions for when and how to use the http_proxy and https_proxy environment variables, see Configuring Proxies to the Package Repository for Non-Global Zones in Creating and Using Oracle Solaris Zones.

For a publisher that is already configured in the global zone, the following pkg list command gives the same result in the both the global zone and non-global zones:

z1:~$ pkg list -a isvtool
NAME (PUBLISHER)    VERSION    IFO
isvtool (isvpub)    2.0        ---
isvtool (isvpub)    1.0        ---

Repositories can be network or file system accessible to the non-global zone even if those repositories are not configured in the global zone. The non-global zone publisher configuration must match the global zone publisher configuration or must be a superset of the global zone publisher configuration. For example, the localsw publisher could be configured in a non-global zone with an origin of file:///var/share/pkgrepos/localrepo because that location is accessible in the global zone even if the localsw publisher is not configured in the global zone.

Updating Multiple Non-Global Zones Concurrently

By default, when you use the pkg update command in the global zone, the packaging system updates the global zone and each non-global zone serially. To update multiple non-global zones concurrently, use the -C option or set the PKG_CONCURRENCY environment variable in the global zone. See Options That Operate on Non-Global Zones for more information.

In the following example, both non-global zones are updated at the same time as the global zone. The output refers to the non-global zones as linked images because they are linked to their parent global zone image.

global:~$ pkg update -C 0 --be-name s12.0
 Startup: Linked image publisher check ... Done
 Startup: Refreshing catalog 'solaris' ... Done
 Startup: Refreshing catalog 'isvpub' ... Done
 Startup: Checking that pkg(7) is up to date ... Done
Planning: Solver setup ... Done
Planning: Running solver ... Done
Planning: Finding local manifests ... Done
Planning: Package planning ... Done
Planning: Merging actions ... Done
Planning: Checking for conflicting actions ... Done
Planning: Consolidating action changes ... Done
Planning: Evaluating mediators ... Done
Planning: Planning completed in 39.00 seconds
            Packages to remove:   2
           Packages to install:   1
            Packages to update: 640
       Create boot environment: Yes
Create backup boot environment:  No

Planning: Linked images: 0/2 done; 2 working: zone:z1 zone:z2
Planning: Linked image 'zone:z1' output:
| Packages to install:   1
|  Packages to update: 161
|  Services to change:   2
`
Planning: Linked images: 1/2 done; 1 working: zone:z2
Planning: Linked image 'zone:z2' output:
| Packages to install:   1
|  Packages to update: 161
|  Services to change:   2
`
Planning: Finished processing linked images.
Download:     0/12068 items    0.0/350.9MB  0% complete
...
Download: 11664/12068 items  336.1/350.9MB  95% complete
Download: Completed 350.91 MB in 187.08 seconds (0B/s)
Download: Linked images: 0/2 done; 2 working: zone:z1 zone:z2
Download: Linked images: 1/2 done; 1 working: zone:z1
Download: Finished processing linked images.
 Actions:     1/23382 actions (Removing old actions)
 Actions:  3867/23382 actions (Installing new actions)
 Actions:  8192/23382 actions (Updating modified actions)
...
 Actions: 23266/23382 actions (Updating modified actions)
 Actions: Completed 23382 actions in 96.16 seconds.
Finalize: Updating package state database ...  Done
Finalize: Updating package cache ...  Done
Finalize: Updating image state ...  Done
Finalize: Creating fast lookup database ...  Done
Finalize: Reading search index ...  Done
Finalize: Building new search index ...  Done
Finalize: Linked images: 0/2 done; 2 working: zone:z1 zone:z2
Finalize: Linked images: 1/2 done; 1 working: zone:z2
Finalize: Finished processing linked images.

A clone of s11 exists and has been updated and activated.
On the next boot the Boot Environment s11u1 will be
mounted on '/'.  Reboot when ready to switch to this updated BE.