Verifying Packages and Fixing Verification Errors
Use the pkg verify
command to validate the installation of packages in the image. If the current signature policy for related publishers is not ignore
, the signatures of each package are validated based on policy. See Image Properties for Signed Packages for an explanation of how signature policies are applied. Verification of installed package content is based on a custom content analysis that might return different results than those of other programs.
If you do not provide a package name, all installed packages are examined. The -v
option provides informational messages, at least one line for each installed package. The following example shows only a small sample of output. The installation of the pkg/depot
package has an error.
$ pkg verify -v
PACKAGE STATUS
pkg://solaris/archiver/gnu-tar OK
pkg://solaris/audio/audio-utilities OK
pkg://solaris/benchmark/x11perf OK
...
pkg://solaris/package/pkg/depot ERROR
dir: var/cache/pkg/depot
Group: 'pkg5srv (97)' should be 'bin (2)'
file: var/log/pkg/depot/access_log
editable file has been changed
file: var/log/pkg/depot/error_log
editable file has been changed
...
pkg://solaris/security/sudo OK
file: etc/sudoers
editable file has been changed
...
pkg://solaris/x11/xlock OK
pkg://solaris/x11/xmag OK
pkg://solaris/x11/xvidtune OK
Use the pkg fix
command to fix package errors that are reported by the pkg verify
command. If the fix affects files that cannot be modified in the live image, the fix will be done in a new BE. You can specify -nv
options to see what changes will be made, and you can specify BE options as described in Boot Environment Options.
The pkg verify
output shows that components of the installed sudo
package are different from the packaged components but these differences are not reported as validation errors. The pkg fix
makes no changes. The /etc/sudoers
file is not replaced.
$ pkg fix pkg://solaris/security/sudo
No repairs for this image.
If you remove the /etc/sudoers
file, the package fails validation and pkg fix
replaces the file.
$ pkg fix pkg://solaris/security/sudo
Verifying: pkg://solaris/security/sudo ERROR
file: etc/sudoers
Missing: regular file does not exist
Created ZFS snapshot: 2014-03-13-22:05:42
Repairing: pkg://solaris/security/sudo
Creating Plan (Evaluating mediators):
DOWNLOAD PKGS FILES XFER (MB) SPEED
Completed 1/1 1/1 0.0/0.0 990B/s
PHASE ITEMS
Updating modified actions 1/1
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Only the missing file is replaced, as noted by the one file downloaded and one action (the file
action) modified. Other sudo
package content was not touched. The operation saved a snapshot of the current installation before performing the repair. See the “Created ZFS snapshot” line in the pkg fix
output. The repair was performed in the current image.
$ zfs list -r rpool/ROOT/s11
NAME USED AVAIL REFER MOUNTPOINT
rpool/ROOT/s11 16.3G 22.5G 26.1G /
rpool/ROOT/s11@2014-03-13-23:52:19 249M - 26.1G -
The pkg verify
output shows an error in ownership of a directory in the installed pkg/depot
package. The pkg fix
output shows only the error in the “Verifying” section. The other differences with the packaged components are not shown.
$ ls -ld /var/cache/pkg/depot drwxr-xr-x 3 pkg5srv pkg5srv 3 Dec 2 19:47 /var/cache/pkg/depot/ $ pkg fix pkg://solaris/package/pkg/depot Verifying: pkg://solaris/package/pkg/depot ERROR dir: var/cache/pkg/depot Group: 'pkg5srv (97)' should be 'bin (2)' Created ZFS snapshot: 2014-03-13-22:18:52 Repairing: pkg://solaris/package/pkg/depot Creating Plan (Evaluating mediators): PHASE ITEMS Updating modified actions 1/1 Updating package state database Done Updating package cache 0/0 Updating image state Done Creating fast lookup database Done
The following output shows that only the error has been fixed. The other differences between installed and packaged components remain.
$ ls -ld /var/cache/pkg/depot drwxr-xr-x 3 pkg5srv bin 3 Dec 2 19:47 /var/cache/pkg/depot/ $ pkg verify -v pkg://solaris/package/pkg/depot PACKAGE STATUS pkg://solaris/package/pkg/depot OK file: var/log/pkg/depot/access_log editable file has been changed file: var/log/pkg/depot/error_log editable file has been changed
To evaluate pkg verify
output programmatically, specify the --parsable 0
option. Do not use the -v
option if you use the --parsable
option.