Go to main content

Updating Systems and Adding Software in Oracle® Solaris 11.4

Exit Print View

Updated: August 2018
 
 

Relaxing Version Constraints Specified by Constraint Packages

A constraint package specifies which versions of packages can be installed. These version constraints help keep the system in a supportable state across updates. See Constraint Packages for more information about constraint packages and version constraints.

Some packages that are incorporate dependencies might be safe to downgrade or upgrade at a version different from the version specified by the incorporate dependency of the constraint package. The version constraint is expressed by a version-lock.package facet tag specified on the depend action in the constraint package. The default value of the version-lock.package facet property is true. To relax the version constraint on a package, set the value of its version-lock. facet to false.


Note -  Unlocking packages can result in an unsupported configuration. Best practice is to keep systems updated and keep version locks set to true. See Applying Support Updates.

In the following example, you want to downgrade to an earlier version of a package. The pkg update command downgrades as well as upgrades packages.

$ pkg list -af library/security/openssl
NAME (PUBLISHER)                    VERSION                    IFO
library/security/openssl            1.0.1.5-0.175.2.0.0.24.0   i--
library/security/openssl            1.0.1.5-0.175.2.0.0.23.0   --- 
$ pkg update library/security/openssl@1.0.1.5-0.175.2.0.0.23.0
Creating Plan (Solver setup):
pkg update: No matching version of library/security/openssl can be installed:
  Reject: pkg://solaris/library/security/openssl@1.0.1.5,5.11-0.175.2.0.0.23.0:20130916T191702Z 
  Reason:  This version is excluded by installed incorporation 
  pkg://solaris/consolidation/userland/userland-incorporation@0.5.11,5.11-0.175.2.0.0.24.0:20131001T160408Z

The pkg contents command shows how this version constraint is set. To relax the version constraint on this package, set its version-lock facet to false. Then try the downgrade again. Notice that a new BE is not created, but a backup BE is created. See Boot Environment Policy Image Properties for information about when BEs are created.

$ pkg contents -m userland-incorporation | grep 'library/security/openssl'
depend facet.version-lock.library/security/openssl=true 
fmri=pkg:/library/security/openssl@1.0.1.5-0.175.2.0.0.24.0 type=incorporate
$ pkg change-facet facet.version-lock.library/security/openssl=false
            Packages to update: 850
     Variants/Facets to change:   1
       Create boot environment:  No
Create backup boot environment: Yes

PHASE                                          ITEMS
Removing old actions                             1/1
Updating image state                            Done
Creating fast lookup database                   Done
Reading search index                            Done
Building new search index                    850/850
$ pkg update library/security/openssl@1.0.1.5-0.175.2.0.0.23.0
            Packages to update:   1
       Create boot environment:  No
Create backup boot environment: Yes

DOWNLOAD                                  PKGS       FILES    XFER (MB)   SPEED
Completed                                  1/1       10/10      1.6/1.6    0B/s

PHASE                                          ITEMS
Removing old actions                             3/3
Installing new actions                           3/3
Updating modified actions                      14/14
Updating package state database                 Done
Updating package cache                           1/1
Updating image state                            Done
Creating fast lookup database                   Done
Reading search index                            Done
Updating search index                            1/1
$ pkg list library/security/openssl
NAME (PUBLISHER)                    VERSION                   IFO
library/security/openssl            1.0.1.5-0.175.2.0.0.23.0  i--

To prevent this package from being downgraded or upgraded, freeze the package at the current version. The "f" in the package listing indicates that the package is frozen.

$ pkg freeze -c "Downgrade to avoid bug" library/security/openssl
library/security/openssl was frozen at 1.0.1.5,5.11-0.175.2.0.0.23.0:20130916T191702Z
$ pkg list library/security/openssl
NAME (PUBLISHER)                    VERSION                   IFO
library/security/openssl            1.0.1.5-0.175.2.0.0.23.0  if-

To re-enable downgrade or upgrade, use the pkg unfreeze command to remove the version freeze. If the package is installed at a version lower than the version specified in the constraint package, setting the version-lock facet for this package to true installs the version specified in the constraint package.

If other installed packages have require dependency relationships with the package that you want to downgrade or upgrade, you might need to also relax version constraints on those related packages. In the following example, version constraints have been lifted on the hexedit package but installation is rejected because of version constraints on the system/library package.

$ pkg install editor/hexedit@1.2.12-0.175.2.0.0.25.0
Creating Plan (Solver setup):
pkg install: No matching version of editor/hexedit can be installed:
  Reject: pkg://solaris/editor/hexedit@1.2.12-0.175.2.0.0.25.0:20131014T170634Z
  Reason:  All versions matching 'require' dependency 
  pkg:/system/library@0.5.11,5.11-0.175.2.0.0.24.0 are rejected
    Reject: pkg://solaris/system/library@0.5.11,5.11-0.175.2.0.0.24.0:20131001T152820Z

pkg://solaris/system/library@0.5.11,5.11-0.175.2.0.0.25.0:20131014T161136Z
    Reason:  This version is excluded by installed incorporation 
    pkg://solaris/consolidation/osnet/osnet-incorporation@0.5.11,5.11-0.175.2.0.0.24.0:20131001T150429Z

In addition to individual component packages, you can also relax version constraints on constraint packages. In this case, setting the version-lock facet to false enables you to unlock the constraint package from the rest of the system. Though the constraint package is unlocked, its incorporate dependency packages continue to be synchronized.