Persistent proxies should be set in an image by using the –-proxy option as described in Chapter 5, Configuring Installed Images in Adding and Updating Software in Oracle Solaris 11.3. If a persistent image proxy configuration is not used, and http_proxy and https_proxy environment variables are always used to access repositories when running the pkg command, then the system-repository services should also be configured to use those same proxies through SMF system-repository service properties. See the pkg(1) man page.
Access to repositories configured in the global zone is provided to non-global zones using the system-repository service. Any updates to proxies for origins in the global zone are automatically made to the system-repository configuration. Using this method, no modifications are required to the system-repository SMF service.
It is also possible to configure the proxies used by the system-repository SMF service, overriding any proxies configured on publishers in the global zone. The system-repository proxies can be set by using the config/http_proxy or config/https_proxy SMF properties.
For more information, see the pkg.sysrepo(1M) man page and Adding and Updating Software in Oracle Solaris 11.3.
You can configure the proxy directly in the global zone, and any updates to proxies for origins in the global zone are automatically made to the system-repository configuration. The system-repository service does not require modification.Example 7 Configuring the Proxy in the Global Zone
# pkg set-publisher --proxy http://www-proxy -g http://pkg-server pub
No port specification is required unless the proxy accepts connections on a port other than 80.
If zones are on the system, the system-repository service is restarted, and the proxy is used to provide access to pkg-server.
Proxies should be set in an image, and only the system-repository service proxy should be set. The https_proxy and http_proxy should be set in the environment when running the pkg command.
The procedures in this section are used to set proxies in the system-repository service on an internal subnet that does not have a direct connection to the IPS publisher repository. Use of this procedure overrides any proxies configured by the pkg command in the global zone. Non-global zones communicate with the system-repository over HTTP. The system-repository then accesses the publishers using the protocol for that repository as configured in the global zone.
This configuration allows the solaris non-global zones to contact the publisher set in the global zone as well. Recursive pkg operations into the solaris zones will succeed.Example 8 Using https_proxy and http_proxy To Override Global Zone Proxies
For example, assume that the software on a system running solaris non-global zones is managed by IPS and requires the use of the proxy server http_proxy=http://192.0.2.0 for access to both http and https URLs. The following steps show how to use http_proxy and https_proxy environment variables and SMF service properties to allow the global zone and non-global zones to access the IPS repositories.
Note that these variables override any proxy configuration set on the origin unless the user is running the pkg command from a non-global zone to connect to the Universal Resource Identifier (URI) for a system publisher. In this case, the command goes through the system-repository.
A host name that can be resolved can also be used.
Type the following lines to set the proxy in the shell for the global zone:
# export http_proxy=http://192.0.2.0 # export https_proxy=http://192.0.2.0
Setting the proxy allows pkg commands to reach the publisher through the proxy server. This affects pkg operations that use an https or http URL and do not go through the system-repository for the global zone.
To allow the solaris zones on the system to use the configured system publishers directly accessible from the global zone, execute the following commands:
# svccfg -s system-repository:default setprop config/http_proxy = http://192.0.2.0 # svccfg -s system-repository:default setprop config/https_proxy = http://192.0.2.0
To make the change take effect in the live SMF repository, run:
# svcadm refresh system-repository
To confirm that the setting is in effect, run:
# svcprop -p config/http_proxy system-repository # svcprop -p config/https_proxy system-repository
For more information about the pkg command, see the pkg(1) man page.