Solaris 11 Patching and Updates

Solaris 11 is patched differently from previous versions of Solaris.

Solaris 11 is installed and patched/updated from "Image Packaging System" (IPS) repositories, typically over http/https. Oracle maintains two repositories: a public one, which is only updated with major releases, and a second one containing regular support updates, which is restricted to customers with a current Solaris support contract. See the Oracle KB article at the bottom for details on setting up access to Oracle's restricted repository.

Major updates (e.g. 11.0 to 11.1) are applied in the same way as support repository updates, but take care to read the instructions, as multiple steps may be required (hint: you can't go straight from 11.0 to 11.1).

To list the configured publishers:

# pkg publisher 
PUBLISHER                   TYPE     STATUS P LOCATION 
solaris                     origin   online F https://oracle-oem-oc-mgmt-hostname:8002/IPS/

There is a special "incorporation" package called entire, whose dependencies will cause all packages to be updated to the same level.

We can see the current version of the entire package using:

# pkg list entire 
NAME (PUBLISHER)                                  VERSION                    IFO 
entire                                            0.5.11-0.175.1.0.0.24.2    i--

.. and we can see all available "entire" packages using:

# pkg list -af entire 
NAME (PUBLISHER)                                  VERSION                    IFO 
entire                                            0.5.11-0.175.1.0.0.24.2    --- 
entire                                            0.5.11-0.175.0.12.0.4.0    i-- 
entire                                            0.5.11-0.175.0.10.0.5.0    --- 
entire                                            0.5.11-0.175.0.0.0.2.0     ---

Note the "i--" showing the currently installed version.

To read the version numbers, for example:

0.5.11-0.175.0.12.0.4.0 
               ^--- 12 == Support repository update 12 
             ^-----  0 == Solaris 11 GA (1 would be Solaris 11.1. etc) 
         ^-------- 175 == this was an internal build number during S11 development, can be ignored 
     ^------------  11 == Solaris 11 (vs 10) 
  ^---------------   5 == Solaris (vs SunOS) 

The last two are kept for legacy compatibility (so 5.8 can be compared to 5.9, 5.11 by scripts which parse the output of uname)
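The version layout above can be decoded in a script to see how far a host is behind the newest available level. This is an added example, not part of the original page; the function names decode_entire and patch_status are hypothetical, and the sample input is constructed from the "pkg list -af entire" listing shown earlier.

```shell
#!/bin/sh
# Constructed sample: the "pkg list -af entire" listing shown earlier on this page.
SAMPLE='NAME (PUBLISHER)   VERSION                    IFO
entire             0.5.11-0.175.1.0.0.24.2    ---
entire             0.5.11-0.175.0.12.0.4.0    i--
entire             0.5.11-0.175.0.10.0.5.0    ---
entire             0.5.11-0.175.0.0.0.2.0     ---'

# decode_entire VERSION: set $release/$update/$sru and print them.
# Returns 1 if VERSION does not look like <component>-<branch>.
decode_entire() {
    case $1 in
        *.*.*-*.*.*.*) ;;
        *) echo "unparseable version: $1" >&2; return 1 ;;
    esac
    component=${1%%-*}          # e.g. 0.5.11
    branch=${1#*-}              # e.g. 0.175.0.12.0.4.0
    release=${component##*.}    # 11 == Solaris 11
    old_ifs=$IFS; IFS=.
    set -- $branch              # split on dots: $3 = update, $4 = SRU
    IFS=$old_ifs
    for n in "$release" "$3" "$4"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
    done
    update=$3; sru=$4
    echo "release=$release update=$update sru=$sru"
}

# patch_status: read "pkg list -af entire" output on stdin and report the
# installed level (IFO flag starting with "i") and the newest one listed.
patch_status() {
    installed=none; newest=none; newest_key=-1
    while read -r name version flags; do
        [ "$name" = entire ] || continue          # skips the header line
        decode_entire "$version" >/dev/null || continue
        key=$((update * 1000 + sru))              # order by update, then SRU
        case $flags in i*) installed="$release.$update SRU $sru" ;; esac
        if [ "$key" -gt "$newest_key" ]; then
            newest_key=$key; newest="$release.$update SRU $sru"
        fi
    done
    echo "installed: $installed; newest available: $newest"
}

printf '%s\n' "$SAMPLE" | patch_status
```

On a live system the same function can be fed directly with `pkg list -af entire | patch_status`.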

Solaris updates are typically performed on a clone of the current boot environment, similar to "Live Upgrade" in previous Solaris versions, except better.
The beadm utility will show the current system's available boot environments:

# beadm list
BE        Active Mountpoint Space  Policy Created          
--        ------ ---------- -----  ------ -------          
s11-sru12 NR     /          10.67G static 2012-11-28 17:47 
solaris   -      -          47.12M static 2012-07-09 15:01 
solaris-1 -      -          14.22M static 2012-09-21 13:18

Note: It is helpful to give boot environments descriptive names.
In this example we see "s11-sru12" is active "N"ow and on "R"eboot

The pkg command will create a new boot environment when performing more major changes, such as installing a Solaris update, or whenever the appropriate flag is provided.

To actually apply an update:

0: If you have a local repository server, update its contents to the desired release level.
1: Consult Oracle's documentation for known issues and to ensure you are aware of the current version (tip: search for "Solaris SRU Index")
2: Run pkg utility to create a new, patched boot environment
3: Reboot to use the new boot environment.

# pkg update --accept \
 --require-new-be \
 --be-name s11-sru12 \
 entire@<version>

This will clone the current boot environment, and that of any attached zones, apply patches and then wait for you to activate the new boot environment.

This can be done while applications are running, as long as the applications are on their own filesystems.

Activate the new boot environment when ready using:

# beadm activate s11-sru12 
# init 6

Note on what's part of a boot environment:

Everything under rpool/ROOT will be cloned, while everything not under rpool/ROOT (e.g. /export/home) will not be cloned.
This means that application data MUST be kept on a separate filesystem to ensure data is not unexpectedly lost during live upgrade.

Also, starting with Solaris 11.1, certain directories under /var have become symbolic links to /var/SHARE, so that certain directories (e.g. mail) are now no longer boot environment specific.

Consider the following example:

rpool/ROOT/solaris     547G   5.0G       109G     5%    / 
rpool/ROOT/solaris/var 547G    20G       109G    16%    /var 
rpool/export           547G    33K       109G     1%    /export 
rpool/export/home      547G   2.1G       109G     2%    /export/home

1pm: Apply patches/support repository update
2pm: Modify files under /export/home and /opt
3pm: Reboot to new boot environment

After the reboot, the changes we made to /export/home are still part of the active boot environment, while changes to /opt (part of root filesystem) are part of the now-inactive boot environment.

Useful Oracle documentation:

Oracle Support Document 1433186.1 (Oracle Solaris 11 Image Packaging System (IPS) Frequently Asked Questions (FAQ))
(https://support.oracle.com/epmos/faces/DocumentDisplay?id=1433186.1)