How to install OS patch bundle on Solaris 11 ?

This article is going to explain that how to update the Solaris 11.1 . Most of the Solaris administrators will search for Solaris 11 OS patch bundle like how we use to get for Solaris 10 but you won’t get it. In Solaris 11 , oracle removed the word called “patches” from their dictionary.  Instead of that we have to call it as “package update”. In other words, you have to update the system instead of the patching it. If the server owner or application/DB teams is requesting you to patch the Solaris 11, you have to  update the system  using pkg commands. This operation is much easier than Solaris 10 OS patch bundle installation.

There are two type of repositories are available in oracle to update solaris 11 operating system.

* Oracle Solaris’s release repository which contains new packages and package updates. This repository doesn’t requires oracle support contract.

UA_SOL11# pkg publisher
PUBLISHER	TYPE	STATUS	URI
solaris		origin	online	http://pkg.oracle.com/solaris/release/

*  Oracle Solaris’s support repository which is exclusively available for oracle customers with valid support contract.

UA-SOL11#pkg publisher
PUBLISHER                   TYPE     STATUS P LOCATION
solaris                     origin   online F https://pkg.oracle.com/solaris/support/
UA-SOL11#

For testing purpose,you can use the release repository but production environments must use oracle support  repository. You can switch to any repository by setting it again using below command.
To set to Oracle’s support repository:

UA-SOL11#pkg set-publisher -O https://pkg.oracle.com/solaris/support/ solaris

To set to Oracle’s release repository:

UA-SOL11#pkg set-publisher -O http://pkg.oracle.com/solaris/release/ solaris

 Here we will see how we can update the system using oracle support  repository.

1. Login to the system and check the publisher .

UA-SOL11#pkg publisher solaris
            Publisher: solaris
                Alias:
           Origin URI: https://pkg.oracle.com/solaris/support/
              SSL Key: /var/pkg/ssl/3894503ae7c4f57761e866ed500bb1f0ded92e97
             SSL Cert: /var/pkg/ssl/5767a41cd2f5c3dd4bba37dfc9516490c004036d
 Cert. Effective Date: July 21, 2014 03:29:08 PM
Cert. Expiration Date: July 29, 2015 03:29:08 PM
          Client UUID: ddee2130-0292-11e2-b9e5-80144f013e20
      Catalog Updated: July 14, 2014 07:35:56 PM
              Enabled: Yes
UA-SOL11#

2.Check the current build release and FMRI

UA-SOL11#pkg info kernel
          Name: system/kernel
       Summary: Core Kernel
   Description: Core operating system kernel, device drivers and other modules.
      Category: System/Core
         State: Installed
     Publisher: solaris
       Version: 0.5.11
 Build Release: 5.11
        Branch: 0.175.1.0.0.24.2
Packaging Date: September 19, 2012 06:50:11 PM
          Size: 32.59 MB
          FMRI: pkg://solaris/system/kernel@0.5.11,5.11-0.175.1.0.0.24.2:20120919T185011Z
UA-SOL11#

3.To check the packages updates, use below command..There are 218 packages available to update on my system.

UA-SOL11#pkg list -u |head
NAME (PUBLISHER)                                  VERSION                    IFO
compress/gzip                                     1.4-0.175.1.0.0.24.0       i--
consolidation/SunVTS/SunVTS-incorporation         0.5.11-0.175.1.0.0.14.0    i--
consolidation/X/X-incorporation                   0.5.11-0.175.1.0.0.24.1317 i--
consolidation/cacao/cacao-incorporation           0.5.11-0.175.1.0.0.11.0    i--
consolidation/cns/cns-incorporation               0.5.11-0.175.1.0.0.23.0    i--
consolidation/desktop/desktop-incorporation       0.5.11-0.175.1.0.0.24.2    i--
consolidation/desktop/gnome-incorporation         0.5.11-0.175.1.0.0.22.0    i--
consolidation/install/install-incorporation       0.5.11-0.175.1.0.0.24.1736 i--
consolidation/ips/ips-incorporation               0.5.11-0.175.1.0.0.24.0    i--
UA-SOL11#pkg list -u |wc -l
     219
UA-SOL11#

4.To know more information about the above list , use the below command for each packages .

UA-SOL11#pkg info -r compress/gzip
          Name: compress/gzip
       Summary: GNU Zip (gzip)
   Description: The GNU Zip (gzip) compression utility
      Category: Applications/System Utilities
         State: Not installed
     Publisher: solaris
       Version: 1.5
 Build Release: 5.11
        Branch: 0.175.1.15.0.2.0
Packaging Date: December 14, 2013 02:16:40 AM
          Size: 437.27 kB
          FMRI: pkg://solaris/compress/gzip@1.5,5.11-0.175.1.15.0.2.0:20131214T021640Z
UA-SOL11#

If we update the system , compress/gzip will be updated with branch 0.175.1.15.0.2.0

5.To know the current package branch,

UA-SOL11#pkg info compress/gzip
          Name: compress/gzip
       Summary: GNU Zip (gzip)
   Description: The GNU Zip (gzip) compression utility
      Category: Applications/System Utilities
         State: Installed
     Publisher: solaris
       Version: 1.4
 Build Release: 5.11
        Branch: 0.175.1.0.0.24.0
Packaging Date: September  4, 2012 05:06:03 PM
          Size: 433.32 kB
          FMRI: pkg://solaris/compress/gzip@1.4,5.11-0.175.1.0.0.24.0:20120904T170603Z
UA-SOL11#

6.If we perform the system update, we should know how much space its going to occupy and what are the packages will update from which branch to branch . To get these details , we just do a dry run using below command.

UA-SOL11#pkg update -nv
            Packages to remove:       1
           Packages to install:       6
            Packages to update:     218
           Mediators to change:       1
     Estimated space available: 4.63 GB
Estimated space to be consumed: 2.11 GB
       Create boot environment:     Yes
     Activate boot environment:     Yes
Create backup boot environment:      No
          Rebuild boot archive:     Yes

Changed mediators:
  mediator perl:
           version: None -> 5.12 (vendor default)

Changed packages:
solaris
  consolidation/vpanels/vpanels-incorporation
    0.5.11,5.11-0.175.1.0.0.17.0:20120529T220223Z -> None
  consolidation/java-7/java-7-incorporation
    None -> 1.7.0.60.19,5.11-0:20140521T004349Z

7. To perform the actual update, use “pkg update” command.It will update the system automatically . But reboot required to take effect.

UA-SOL11#pkg update
            Packages to remove:   1
           Packages to install:   6
            Packages to update: 218
           Mediators to change:   1
       Create boot environment: Yes
Create backup boot environment:  No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
database/mysql-51/library             22/225      90/11937    1.5/412.1  101k/s

8.Once the update is completed, you can see the below details.

UA-SOL11#pkg update
            Packages to remove:   1
           Packages to install:   6
            Packages to update: 218
           Mediators to change:   1
       Create boot environment: Yes
Create backup boot environment:  No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                            225/225   11937/11937  412.1/412.1 40.1k/s

PHASE                                          ITEMS
Removing old actions                       1448/1448
Installing new actions                     5807/5807
Updating modified actions                10914/10914
Updating package state database                 Done
Updating package cache                       219/219
Updating image state                            Done
Creating fast lookup database                   Done

A clone of solaris exists and has been updated and activated.
On the next boot the Boot Environment solaris-1 will be
mounted on '/'.  Reboot when ready to switch to this updated BE.
---------------------------------------------------------------------------
NOTE: Please review release notes posted at:
http://www.oracle.com/pls/topic/lookup?ctx=E26502&id=SERNS
---------------------------------------------------------------------------
UA-SOL11#

9.As per above results, you can see that new boot environment has been created (Solaris-1) and activated for next reboot.

UA-SOL11#beadm list
BE               Active Mountpoint Space  Policy Created
--               ------ ---------- -----  ------ -------
solaris          N      /          206.0K static 2014-06-29 05:59
solaris-1        R      -          5.71G  static 2014-08-01 01:33
solaris-backup-1 -      -          171.0K static 2014-06-29 06:26
UA-SOL11#

10.Just reboot the system using “init 6 ”  to boot from solaris-1 BE.

11.Once the system is up, you can check the kernel’s  FMRI or Branch . You can see the new values .(Compare with Step 2  output)

Note: There is a way to identify  Solaris 11’s kernel branch (Other words , Kernel patch number).

root@UA-SOL11:~# pkg info kernel
          Name: system/kernel
       Summary: Core Kernel
   Description: Core operating system kernel, device drivers and other modules.
      Category: System/Core
         State: Installed
     Publisher: solaris
       Version: 0.5.11
 Build Release: 5.11
        Branch: 0.175.1.21.0.4.2
Packaging Date: June 30, 2014 02:07:25 PM
          Size: 36.27 MB
          FMRI: pkg://solaris/system/kernel@0.5.11,5.11-0.175.1.21.0.4.2:20140630T140725Z
root@UA-SOL11:~#

You can also compare with “entire” info regarding the update.

UA-SOL11#pkg info entire
          Name: entire
       Summary: entire incorporation including Support Repository Update (Oracle Solaris 11.1.21.4.1).
   Description: This package constrains system package versions to the same
                build.  WARNING: Proper system update and correct package
                selection depend on the presence of this incorporation.
                Removing this package will result in an unsupported system.  For
                more information see https://support.oracle.com/CSP/main/article
                ?cmd=show&type=NOT&doctype=REFERENCE&id=1501435.1.
      Category: Meta Packages/Incorporations
         State: Installed
     Publisher: solaris
       Version: 0.5.11 (Oracle Solaris 11.1.21.4.1)
 Build Release: 5.11
        Branch: 0.175.1.21.0.4.1
Packaging Date: July  1, 2014 04:57:05 PM
          Size: 5.46 kB
          FMRI: pkg://solaris/entire@0.5.11,5.11-0.175.1.21.0.4.1:20140701T165705Z
UA-SOL11#

There won’t be any changes on “uname -a” & Releases.It will reflect only on the major upgrade. Ex: Solaris 11.1 to Solaris 11.2

UA-SOL11#uname -a
SunOS SAN 5.11 11.1 i86pc i386 i86pc
UA-SOL11#cat /etc/release
                             Oracle Solaris 11.1 X86
  Copyright (c) 1983, 2013, Oracle and/or its affiliates.  All rights reserved.
                           Assembled 06 November 2013
UA-SOL11#

12.Verify the BE. You  can see that new BE (Solaris-1) has been activated now and

root@UA-SOL11:~# beadm list
BE               Active Mountpoint Space  Policy Created
--               ------ ---------- -----  ------ -------
solaris          -      -          7.06M  static 2014-06-29 05:59
solaris-1        NR     /          5.83G  static 2014-08-01 01:33
solaris-backup-1 -      -          171.0K static 2014-06-29 06:26
root@UA-SOL11:~#

Awesome . We have successfully updated Solaris 11.1 from oracle support repository.

Here is the list of challenges  that i have faced during this update:

• To update the Solaris 11, you need an internet connection. But most of the production system may not have direct internet access or it may be  blocked in firewall.If its blocked ,then check with network team to open a port for https  . Oracle support repository will  use https connection and oracle release repository will use http.

 

If the system do not have direct internet connection, then they have to follow the below.

1. Login in to the system and export the proxy settings. Here my pxoxy server IP address is 192.168.2.2 and https’s configured port is 808.

UA-SOL11# export https_proxy=http://192.168.2.2:808

 

2. Check the internet connection usage by running below command.This command just does the dry run for updating the package.

UA-SOL11#pkg update -nv
Creating Plan (Solver setup):

• The second challenge that i have faced is that settings the publisher. Due to proxy issue and DNS problem , i thought of using oracle support repository IP address instead of pkg.oracle.com.But i am getting the below error due to SSL certificate issue. Because SSL will check the repository’s exact URL.

root@UA-SOL11:~# pkg set-publisher -O https://137.254.56.21/solaris/support/ solaris
pkg set-publisher: The origin URIs for 'solaris' do not appear to point to a valid pkg repository.
Please verify the repository's location and the client's network configuration.
Additional details:

Unable to contact valid package repository
Encountered the following error(s):
Unable to contact any configured publishers.
This is likely a network configuration problem.
Framework error: code: 51 reason: SSL: certificate subject name 'pkg.oracle.com' does not match target host name '137.254.56.21'
URL: 'https://137.254.56.21/solaris/support'
root@UA-SOL11:~#

 

Then i just added the pkg.oracle.com in /etc/hosts to fix this issue.

UA-SOL11#cat /etc/hosts |grep pkg.oracle.com
137.254.56.21   pkg.oracle.com
UA-SOL11#

 

Note: I got the IP address by doing nslookup from my laptop which has direct internet connection.

C:\Users\lingeswaran.rangasam>nslookup pkg.oracle.com
Server:  UnKnown
Address:  192.168.2.1
Non-authoritative answer:
Name:    pkg.oraclegha.com
Address:  137.254.56.21
Aliases:  pkg.oracle.com
C:\Users\lingeswaran.rangasam>

•   Another issue , i have faced due to certificate . When i try to do dry run for package update, i got the below error due to SSL certificate which is expired.

root@UA-SOL11:~# pkg update -nv
pkg update: Certificate '/var/pkg/ssl/131fa32e78e539c41973c03a251e34acf76e5162' for publisher 'solaris' needed to access 'https://pkg.oracle.com/solaris/support/', has expired.  Please install a valid certificate.
root@UA-SOL11:~#

 

You can see the issue on “pkg publisher” command as well.

root@UA-SOL11:# pkg publisher solaris
            Publisher: solaris
                Alias:
           Origin URI: https://pkg.oracle.com/solaris/support/
              SSL Key: /9dc169389bb0ca494ecd73f21ae040e9f393bc93
             SSL Cert: /131fa32e78e539c41973c03a251e34acf76e5162
Certificate '/131fa32e78e539c41973c03a251e34acf76e5162' has expired.  Please install a valid certificate.
          Client UUID: 00fe37ac-00fe-37b4-ffbf-bc20ff21e290
      Catalog Updated: May 14, 2014 10:01:23 PM
              Enabled: Yes
root@UA-SOL11:#

If you face such an issue , then you have to download the certificates and support keys file from oracle website and copy to /var/pkg/ssl directory . (Oracle_Solaris_11_Support.key.pem  & Oracle_Solaris_11_Support.certificate.pem).  To get these files, you have to login on http://pkg-register.oracle.com portal .

UA-SOL11#cd /var/pkg/ssl
UA-SOL11#ls -lrt
total 12
-rw-r--r--   1 root     root         887 Jul 31 20:14 Oracle_Solaris_11_Support.key.pem
-rw-r--r--   1 root     root         741 Jul 31 20:14 Oracle_Solaris_11_Support.certificate.pem
-rw-r--r--   1 root     root         741 Jul 31 20:17 5767a41cd2f5c3dd4bba37dfc9516490c004036d
-rw-r--r--   1 root     root         887 Jul 31 20:17 3894503ae7c4f57761e866ed500bb1f0ded92e97
UA-SOL11#

Once the keys are in place , just set the publisher ,using below command.

root@UA-SOL11:# pkg set-publisher -k /var/pkg/ssl/Oracle_Solaris_11_Support.key.pem -c /var/pkg/ssl/Oracle_Solaris_11_Support.certificate.pem  -G '*' -g https://pkg.oracle.com/solaris/support/ solaris

 

Check the repository status now,

UA-SOL11#pkg publisher solaris
            Publisher: solaris
                Alias:
           Origin URI: https://pkg.oracle.com/solaris/support/
              SSL Key: /var/pkg/ssl/3894503ae7c4f57761e866ed500bb1f0ded92e97
             SSL Cert: /var/pkg/ssl/5767a41cd2f5c3dd4bba37dfc9516490c004036d
 Cert. Effective Date: July 21, 2014 03:29:08 PM
Cert. Expiration Date: July 29, 2015 03:29:08 PM
          Client UUID: ddeexx30-0292-11e2-b9e5-80xx4f013e20
      Catalog Updated: July 14, 2014 07:35:56 PM
              Enabled: Yes
UA-SOL11#

 

IDR Patches needs to be back-out when you are updating the OS.

IDR (Interim Diagnostics / Relief) patches needs to be removed from system prior to the system update. Otherwise you might receive error like below.

Error:
pkg update: No solution was found to satisfy constraints
Plan Creation: Package solver has not found a solution to update to latest available versions.
This may indicate an overly constrained set of packages are installed.

# pkg update -nv
Creating Plan (Running solver): -
pkg update: No solution was found to satisfy constraints
Plan Creation: Package solver has not found a solution to update to latest available versions.
This may indicate an overly constrained set of packages are installed.

latest incorporations:

pkg://solaris/consolidation/jdmk/jdmk-incorporation@0.5.11,5.11-0.175.2.0.0.22.0:20130902T173003Z
pkg://solaris/consolidation/userland/userland-incorporation@0.5.11,5.11-0.175.2.15.0.4.0:20150923T160421Z
pkg://solaris/consolidation/cns/cns-incorporation@0.5.11,5.11-0.175.2.12.0.2.0:20150615T141349Z
pkg://solaris/consolidation/sic_team/sic_team-incorporation@0.5.11,5.11-0.175.2.0.0.39.0:20140512T160329Z
pkg://solaris/consolidation/SunVTS/SunVTS-incorporation@7.19.2,5.11-0.175.2.9.0.3.1:20150321T015045Z
pkg://solaris/consolidation/l10n/l10n-incorporation@0.5.11,5.11-0.175.2.12.0.3.2:20150622T162532Z
pkg://solaris/consolidation/solaris_re/solaris_re-incorporation@0.5.11,5.11-0.175.2.12.0.3.0:20150622T164923Z
pkg://solaris/consolidation/X/X-incorporation@0.5.11,5.11-0.175.2.11.0.2.1436:20150515T221810Z
pkg://solaris/consolidation/ips/ips-incorporation@0.5.11,5.11-0.175.2.13.0.5.0:20150731T191350Z
pkg://solaris/consolidation/cacao/cacao-incorporation@0.5.11,5.11-0.175.2.0.0.38.0:20140428T130228Z
pkg://solaris/consolidation/desktop/gnome-incorporation@0.5.11,5.11-0.175.2.13.0.3.0:20150720T153013Z
pkg://solaris/consolidation/cde/cde-incorporation@0.5.11,5.11-0.175.2.0.0.23.0:20130916T152657Z
pkg://solaris/entire@0.5.11,5.11-0.175.2.15.0.5.1:20151026T231525Z
pkg://solaris/consolidation/ldoms/ldoms-incorporation@0.5.11,5.11-0.175.2.11.0.3.0:20150526T144347Z
pkg://solaris/consolidation/desktop/desktop-incorporation@0.5.11,5.11-0.175.2.13.0.3.0:20150720T153012Z
pkg://solaris/consolidation/sunpro/sunpro-incorporation@0.5.11,5.11-0.175.2.13.0.2.0:20150710T212917Z
pkg://solaris/consolidation/osnet/osnet-incorporation@0.5.11,5.11-0.175.2.15.0.5.2:20151019T195301Z
pkg://solaris/consolidation/man/man-incorporation@0.5.11,5.11-0.175.2.0.0.40.0:20140527T142047Z
pkg://solaris/consolidation/install/install-incorporation@0.5.11,5.11-0.175.2.0.0.5.0:20130107T161003Z
pkg://solaris/consolidation/dbtg/dbtg-incorporation@0.5.11,5.11-0.175.2.0.0.38.0:20140428T130044Z
Dependency analysis is unable to determine exact cause.
Try specifying expected results to obtain more detailed error messages.

 

To fix the above issue,

1. List the installed IDR patches.

# pkg list |grep idr
idr1638                                              2                          i--
#

2. View the IDR package info.

# pkg info idr1638
          Name: idr1638
       Summary: To back out This IDR : # /usr/bin/pkg update --reject pkg://solaris/idr1638@1,5.11 pkg:/system/kernel/platform@0.5.11,5.11-0.175.1.19.0.5.2:20140505T165722Z
   Description: sparc IDR built for release : Solaris 11.1 SRU # 19.6.0
         State: Installed
     Publisher: solaris
       Version: 1
 Build Release: 5.11
        Branch: None
Packaging Date: February  4, 2015 03:06:13 PM
          Size: 6.89 kB
          FMRI: pkg://solaris/idr1638@1,5.11:20150204T150613Z

 

3. Back out the IDR patch. Just execute the command given in the package info. (summary)

# /usr/bin/pkg update --reject pkg://solaris/idr1638@1,5.11 pkg:/system/kernel/platform@0.5.11,5.11-0.175.1.19.0.5.2:20140505T165722Z
            Packages to remove:   1
            Packages to update:   1
       Create boot environment: Yes
Create backup boot environment:  No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                2/2           5/5      4.0/4.0  1.3M/s

PHASE                                          ITEMS
Removing old actions                           11/11
Installing new actions                           1/1
Updating modified actions                        3/3
Updating package state database                 Done
Updating package cache                           2/2
Updating image state                            Done
Creating fast lookup database                   Done

A clone of solaris-idr1638 exists and has been updated and activated.
On the next boot the Boot Environment solaris-idr1638-1 will be
mounted on '/'.  Reboot when ready to switch to this updated BE.

#

 

4. If you get error like following for IDR patch back-out, set the oracle support repository & try.

Error: Matches no installed packages

# /usr/bin/pkg update --reject pkg://solaris/idr1638@1,5.11 pkg:/system/kernel/platform@0.5.11,5.11-0.175.1.19.0.5.2:20140505T165722Z

pkg update: 'pkg:/system/kernel/platform@0.5.11,5.11-0.175.1.19.0.5.2:20140505T165722Z' matches no installed packages
#

 

Support repository:

To download the key & certificate, visit – https://pkg-register.oracle.com/

# pkg set-publisher -k /tmp/pkg.oracle.com.key.pem -c /tmp/pkg.oracle.com.certificate.pem -G '*' -g https://pkg.oracle.com/solaris/support/ solaris
# pkg publisher
PUBLISHER                   TYPE     STATUS P LOCATION
solaris                     origin   online F https://pkg.oracle.com/solaris/support/
#

 

Hope this article has cover everything about the Solaris 11’s  OS update (In other words, Solaris 11’s OS patching).

Share it ! Comment it !! Be Sociable !!!