This article is going to explain that how to update the Solaris 11.1 . Most of the Solaris administrators will search for Solaris 11 OS patch bundle like how we use to get for Solaris 10 but you won’t get it. In Solaris 11 , oracle removed the word called “patches” from their dictionary. Instead of that we have to call it as “package update”. In other words, you have to update the system instead of the patching it. If the server owner or application/DB teams is requesting you to patch the Solaris 11, you have to update the system using pkg commands. This operation is much easier than Solaris 10 OS patch bundle installation.
There are two type of repositories are available in oracle to update solaris 11 operating system.
* Oracle Solaris’s release repository which contains new packages and package updates. This repository doesn’t requires oracle support contract.
UA_SOL11# pkg publisher PUBLISHER TYPE STATUS URI solaris origin online http://pkg.oracle.com/solaris/release/
* Oracle Solaris’s support repository which is exclusively available for oracle customers with valid support contract.
UA-SOL11#pkg publisher PUBLISHER TYPE STATUS P LOCATION solaris origin online F https://pkg.oracle.com/solaris/support/ UA-SOL11#
For testing purpose,you can use the release repository but production environments must use oracle support repository. You can switch to any repository by setting it again using below command.
To set to Oracle’s support repository:
UA-SOL11#pkg set-publisher -O https://pkg.oracle.com/solaris/support/ solaris
To set to Oracle’s release repository:
UA-SOL11#pkg set-publisher -O http://pkg.oracle.com/solaris/release/ solaris
Here we will see how we can update the system using oracle support repository.
1. Login to the system and check the publisher .
UA-SOL11#pkg publisher solaris Publisher: solaris Alias: Origin URI: https://pkg.oracle.com/solaris/support/ SSL Key: /var/pkg/ssl/3894503ae7c4f57761e866ed500bb1f0ded92e97 SSL Cert: /var/pkg/ssl/5767a41cd2f5c3dd4bba37dfc9516490c004036d Cert. Effective Date: July 21, 2014 03:29:08 PM Cert. Expiration Date: July 29, 2015 03:29:08 PM Client UUID: ddee2130-0292-11e2-b9e5-80144f013e20 Catalog Updated: July 14, 2014 07:35:56 PM Enabled: Yes UA-SOL11#
2.Check the current build release and FMRI
UA-SOL11#pkg info kernel Name: system/kernel Summary: Core Kernel Description: Core operating system kernel, device drivers and other modules. Category: System/Core State: Installed Publisher: solaris Version: 0.5.11 Build Release: 5.11 Branch: 0.175.1.0.0.24.2 Packaging Date: September 19, 2012 06:50:11 PM Size: 32.59 MB FMRI: pkg://solaris/system/kernel@0.5.11,5.11-0.175.1.0.0.24.2:20120919T185011Z UA-SOL11#
3.To check the packages updates, use below command..There are 218 packages available to update on my system.
UA-SOL11#pkg list -u |head NAME (PUBLISHER) VERSION IFO compress/gzip 1.4-0.175.1.0.0.24.0 i-- consolidation/SunVTS/SunVTS-incorporation 0.5.11-0.175.1.0.0.14.0 i-- consolidation/X/X-incorporation 0.5.11-0.175.1.0.0.24.1317 i-- consolidation/cacao/cacao-incorporation 0.5.11-0.175.1.0.0.11.0 i-- consolidation/cns/cns-incorporation 0.5.11-0.175.1.0.0.23.0 i-- consolidation/desktop/desktop-incorporation 0.5.11-0.175.1.0.0.24.2 i-- consolidation/desktop/gnome-incorporation 0.5.11-0.175.1.0.0.22.0 i-- consolidation/install/install-incorporation 0.5.11-0.175.1.0.0.24.1736 i-- consolidation/ips/ips-incorporation 0.5.11-0.175.1.0.0.24.0 i-- UA-SOL11#pkg list -u |wc -l 219 UA-SOL11#
4.To know more information about the above list , use the below command for each packages .
UA-SOL11#pkg info -r compress/gzip Name: compress/gzip Summary: GNU Zip (gzip) Description: The GNU Zip (gzip) compression utility Category: Applications/System Utilities State: Not installed Publisher: solaris Version: 1.5 Build Release: 5.11 Branch: 0.175.1.15.0.2.0 Packaging Date: December 14, 2013 02:16:40 AM Size: 437.27 kB FMRI: pkg://solaris/compress/gzip@1.5,5.11-0.175.1.15.0.2.0:20131214T021640Z UA-SOL11#
If we update the system , compress/gzip will be updated with branch 0.175.1.15.0.2.0
5.To know the current package branch,
UA-SOL11#pkg info compress/gzip Name: compress/gzip Summary: GNU Zip (gzip) Description: The GNU Zip (gzip) compression utility Category: Applications/System Utilities State: Installed Publisher: solaris Version: 1.4 Build Release: 5.11 Branch: 0.175.1.0.0.24.0 Packaging Date: September 4, 2012 05:06:03 PM Size: 433.32 kB FMRI: pkg://solaris/compress/gzip@1.4,5.11-0.175.1.0.0.24.0:20120904T170603Z UA-SOL11#
6.If we perform the system update, we should know how much space its going to occupy and what are the packages will update from which branch to branch . To get these details , we just do a dry run using below command.
UA-SOL11#pkg update -nv Packages to remove: 1 Packages to install: 6 Packages to update: 218 Mediators to change: 1 Estimated space available: 4.63 GB Estimated space to be consumed: 2.11 GB Create boot environment: Yes Activate boot environment: Yes Create backup boot environment: No Rebuild boot archive: Yes Changed mediators: mediator perl: version: None -> 5.12 (vendor default) Changed packages: solaris consolidation/vpanels/vpanels-incorporation 0.5.11,5.11-0.175.1.0.0.17.0:20120529T220223Z -> None consolidation/java-7/java-7-incorporation None -> 1.7.0.60.19,5.11-0:20140521T004349Z
7. To perform the actual update, use “pkg update” command.It will update the system automatically . But reboot required to take effect.
UA-SOL11#pkg update Packages to remove: 1 Packages to install: 6 Packages to update: 218 Mediators to change: 1 Create boot environment: Yes Create backup boot environment: No DOWNLOAD PKGS FILES XFER (MB) SPEED database/mysql-51/library 22/225 90/11937 1.5/412.1 101k/s
8.Once the update is completed, you can see the below details.
UA-SOL11#pkg update Packages to remove: 1 Packages to install: 6 Packages to update: 218 Mediators to change: 1 Create boot environment: Yes Create backup boot environment: No DOWNLOAD PKGS FILES XFER (MB) SPEED Completed 225/225 11937/11937 412.1/412.1 40.1k/s PHASE ITEMS Removing old actions 1448/1448 Installing new actions 5807/5807 Updating modified actions 10914/10914 Updating package state database Done Updating package cache 219/219 Updating image state Done Creating fast lookup database Done A clone of solaris exists and has been updated and activated. On the next boot the Boot Environment solaris-1 will be mounted on '/'. Reboot when ready to switch to this updated BE. --------------------------------------------------------------------------- NOTE: Please review release notes posted at: http://www.oracle.com/pls/topic/lookup?ctx=E26502&id=SERNS --------------------------------------------------------------------------- UA-SOL11#
9.As per above results, you can see that new boot environment has been created (Solaris-1) and activated for next reboot.
UA-SOL11#beadm list BE Active Mountpoint Space Policy Created -- ------ ---------- ----- ------ ------- solaris N / 206.0K static 2014-06-29 05:59 solaris-1 R - 5.71G static 2014-08-01 01:33 solaris-backup-1 - - 171.0K static 2014-06-29 06:26 UA-SOL11#
10.Just reboot the system using “init 6 ” to boot from solaris-1 BE.
11.Once the system is up, you can check the kernel’s FMRI or Branch . You can see the new values .(Compare with Step 2 output)
Note: There is a way to identify Solaris 11’s kernel branch (Other words , Kernel patch number).
root@UA-SOL11:~# pkg info kernel Name: system/kernel Summary: Core Kernel Description: Core operating system kernel, device drivers and other modules. Category: System/Core State: Installed Publisher: solaris Version: 0.5.11 Build Release: 5.11 Branch: 0.175.1.21.0.4.2 Packaging Date: June 30, 2014 02:07:25 PM Size: 36.27 MB FMRI: pkg://solaris/system/kernel@0.5.11,5.11-0.175.1.21.0.4.2:20140630T140725Z root@UA-SOL11:~#
You can also compare with “entire” info regarding the update.
UA-SOL11#pkg info entire Name: entire Summary: entire incorporation including Support Repository Update (Oracle Solaris 11.1.21.4.1). Description: This package constrains system package versions to the same build. WARNING: Proper system update and correct package selection depend on the presence of this incorporation. Removing this package will result in an unsupported system. For more information see https://support.oracle.com/CSP/main/article ?cmd=show&type=NOT&doctype=REFERENCE&id=1501435.1. Category: Meta Packages/Incorporations State: Installed Publisher: solaris Version: 0.5.11 (Oracle Solaris 11.1.21.4.1) Build Release: 5.11 Branch: 0.175.1.21.0.4.1 Packaging Date: July 1, 2014 04:57:05 PM Size: 5.46 kB FMRI: pkg://solaris/entire@0.5.11,5.11-0.175.1.21.0.4.1:20140701T165705Z UA-SOL11#
There won’t be any changes on “uname -a” & Releases.It will reflect only on the major upgrade. Ex: Solaris 11.1 to Solaris 11.2
UA-SOL11#uname -a SunOS SAN 5.11 11.1 i86pc i386 i86pc UA-SOL11#cat /etc/release Oracle Solaris 11.1 X86 Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved. Assembled 06 November 2013 UA-SOL11#
12.Verify the BE. You can see that new BE (Solaris-1) has been activated now and
root@UA-SOL11:~# beadm list BE Active Mountpoint Space Policy Created -- ------ ---------- ----- ------ ------- solaris - - 7.06M static 2014-06-29 05:59 solaris-1 NR / 5.83G static 2014-08-01 01:33 solaris-backup-1 - - 171.0K static 2014-06-29 06:26 root@UA-SOL11:~#
Awesome . We have successfully updated Solaris 11.1 from oracle support repository.
Here is the list of challenges that i have faced during this update:
- To update the Solaris 11, you need an internet connection. But most of the production system may not have direct internet access or it may be blocked in firewall.If its blocked ,then check with network team to open a port for https . Oracle support repository will use https connection and oracle release repository will use http.
If the system do not have direct internet connection, then they have to follow the below.
1. Login in to the system and export the proxy settings. Here my pxoxy server IP address is 192.168.2.2 and https’s configured port is 808.
UA-SOL11# export https_proxy=http://192.168.2.2:808
2. Check the internet connection usage by running below command.This command just does the dry run for updating the package.
UA-SOL11#pkg update -nv Creating Plan (Solver setup):
- The second challenge that i have faced is that settings the publisher. Due to proxy issue and DNS problem , i thought of using oracle support repository IP address instead of pkg.oracle.com.But i am getting the below error due to SSL certificate issue. Because SSL will check the repository’s exact URL.
root@UA-SOL11:~# pkg set-publisher -O https://137.254.56.21/solaris/support/ solaris pkg set-publisher: The origin URIs for 'solaris' do not appear to point to a valid pkg repository. Please verify the repository's location and the client's network configuration. Additional details: Unable to contact valid package repository Encountered the following error(s): Unable to contact any configured publishers. This is likely a network configuration problem. Framework error: code: 51 reason: SSL: certificate subject name 'pkg.oracle.com' does not match target host name '137.254.56.21' URL: 'https://137.254.56.21/solaris/support' root@UA-SOL11:~#
Then i just added the pkg.oracle.com in /etc/hosts to fix this issue.
UA-SOL11#cat /etc/hosts |grep pkg.oracle.com 137.254.56.21 pkg.oracle.com UA-SOL11#
Note: I got the IP address by doing nslookup from my laptop which has direct internet connection.
C:\Users\lingeswaran.rangasam>nslookup pkg.oracle.com Server: UnKnown Address: 192.168.2.1 Non-authoritative answer: Name: pkg.oraclegha.com Address: 137.254.56.21 Aliases: pkg.oracle.com C:\Users\lingeswaran.rangasam>
- Another issue , i have faced due to certificate . When i try to do dry run for package update, i got the below error due to SSL certificate which is expired.
root@UA-SOL11:~# pkg update -nv pkg update: Certificate '/var/pkg/ssl/131fa32e78e539c41973c03a251e34acf76e5162' for publisher 'solaris' needed to access 'https://pkg.oracle.com/solaris/support/', has expired. Please install a valid certificate. root@UA-SOL11:~#
You can see the issue on “pkg publisher” command as well.
root@UA-SOL11:# pkg publisher solaris Publisher: solaris Alias: Origin URI: https://pkg.oracle.com/solaris/support/ SSL Key: /9dc169389bb0ca494ecd73f21ae040e9f393bc93 SSL Cert: /131fa32e78e539c41973c03a251e34acf76e5162 Certificate '/131fa32e78e539c41973c03a251e34acf76e5162' has expired. Please install a valid certificate. Client UUID: 00fe37ac-00fe-37b4-ffbf-bc20ff21e290 Catalog Updated: May 14, 2014 10:01:23 PM Enabled: Yes root@UA-SOL11:#
If you face such an issue , then you have to download the certificates and support keys file from oracle website and copy to /var/pkg/ssl directory . (Oracle_Solaris_11_Support.key.pem & Oracle_Solaris_11_Support.certificate.pem). To get these files, you have to login on http://pkg-register.oracle.com portal .
UA-SOL11#cd /var/pkg/ssl UA-SOL11#ls -lrt total 12 -rw-r--r-- 1 root root 887 Jul 31 20:14 Oracle_Solaris_11_Support.key.pem -rw-r--r-- 1 root root 741 Jul 31 20:14 Oracle_Solaris_11_Support.certificate.pem -rw-r--r-- 1 root root 741 Jul 31 20:17 5767a41cd2f5c3dd4bba37dfc9516490c004036d -rw-r--r-- 1 root root 887 Jul 31 20:17 3894503ae7c4f57761e866ed500bb1f0ded92e97 UA-SOL11#
Once the keys are in place , just set the publisher ,using below command.
root@UA-SOL11:# pkg set-publisher -k /var/pkg/ssl/Oracle_Solaris_11_Support.key.pem -c /var/pkg/ssl/Oracle_Solaris_11_Support.certificate.pem -G '*' -g https://pkg.oracle.com/solaris/support/ solaris
Check the repository status now,
UA-SOL11#pkg publisher solaris Publisher: solaris Alias: Origin URI: https://pkg.oracle.com/solaris/support/ SSL Key: /var/pkg/ssl/3894503ae7c4f57761e866ed500bb1f0ded92e97 SSL Cert: /var/pkg/ssl/5767a41cd2f5c3dd4bba37dfc9516490c004036d Cert. Effective Date: July 21, 2014 03:29:08 PM Cert. Expiration Date: July 29, 2015 03:29:08 PM Client UUID: ddeexx30-0292-11e2-b9e5-80xx4f013e20 Catalog Updated: July 14, 2014 07:35:56 PM Enabled: Yes UA-SOL11#
IDR Patches needs to be back-out when you are updating the OS.
IDR (Interim Diagnostics / Relief) patches needs to be removed from system prior to the system update. Otherwise you might receive error like below.
Error:
pkg update: No solution was found to satisfy constraints
Plan Creation: Package solver has not found a solution to update to latest available versions.
This may indicate an overly constrained set of packages are installed.
# pkg update -nv Creating Plan (Running solver): - pkg update: No solution was found to satisfy constraints Plan Creation: Package solver has not found a solution to update to latest available versions. This may indicate an overly constrained set of packages are installed. latest incorporations: pkg://solaris/consolidation/jdmk/jdmk-incorporation@0.5.11,5.11-0.175.2.0.0.22.0:20130902T173003Z pkg://solaris/consolidation/userland/userland-incorporation@0.5.11,5.11-0.175.2.15.0.4.0:20150923T160421Z pkg://solaris/consolidation/cns/cns-incorporation@0.5.11,5.11-0.175.2.12.0.2.0:20150615T141349Z pkg://solaris/consolidation/sic_team/sic_team-incorporation@0.5.11,5.11-0.175.2.0.0.39.0:20140512T160329Z pkg://solaris/consolidation/SunVTS/SunVTS-incorporation@7.19.2,5.11-0.175.2.9.0.3.1:20150321T015045Z pkg://solaris/consolidation/l10n/l10n-incorporation@0.5.11,5.11-0.175.2.12.0.3.2:20150622T162532Z pkg://solaris/consolidation/solaris_re/solaris_re-incorporation@0.5.11,5.11-0.175.2.12.0.3.0:20150622T164923Z pkg://solaris/consolidation/X/X-incorporation@0.5.11,5.11-0.175.2.11.0.2.1436:20150515T221810Z pkg://solaris/consolidation/ips/ips-incorporation@0.5.11,5.11-0.175.2.13.0.5.0:20150731T191350Z pkg://solaris/consolidation/cacao/cacao-incorporation@0.5.11,5.11-0.175.2.0.0.38.0:20140428T130228Z pkg://solaris/consolidation/desktop/gnome-incorporation@0.5.11,5.11-0.175.2.13.0.3.0:20150720T153013Z pkg://solaris/consolidation/cde/cde-incorporation@0.5.11,5.11-0.175.2.0.0.23.0:20130916T152657Z pkg://solaris/entire@0.5.11,5.11-0.175.2.15.0.5.1:20151026T231525Z pkg://solaris/consolidation/ldoms/ldoms-incorporation@0.5.11,5.11-0.175.2.11.0.3.0:20150526T144347Z pkg://solaris/consolidation/desktop/desktop-incorporation@0.5.11,5.11-0.175.2.13.0.3.0:20150720T153012Z pkg://solaris/consolidation/sunpro/sunpro-incorporation@0.5.11,5.11-0.175.2.13.0.2.0:20150710T212917Z pkg://solaris/consolidation/osnet/osnet-incorporation@0.5.11,5.11-0.175.2.15.0.5.2:20151019T195301Z pkg://solaris/consolidation/man/man-incorporation@0.5.11,5.11-0.175.2.0.0.40.0:20140527T142047Z pkg://solaris/consolidation/install/install-incorporation@0.5.11,5.11-0.175.2.0.0.5.0:20130107T161003Z pkg://solaris/consolidation/dbtg/dbtg-incorporation@0.5.11,5.11-0.175.2.0.0.38.0:20140428T130044Z Dependency analysis is unable to determine exact cause. Try specifying expected results to obtain more detailed error messages.
To fix the above issue,
1. List the installed IDR patches.
# pkg list |grep idr idr1638 2 i-- #
2. View the IDR package info.
# pkg info idr1638 Name: idr1638 Summary: To back out This IDR : # /usr/bin/pkg update --reject pkg://solaris/idr1638@1,5.11 pkg:/system/kernel/platform@0.5.11,5.11-0.175.1.19.0.5.2:20140505T165722Z Description: sparc IDR built for release : Solaris 11.1 SRU # 19.6.0 State: Installed Publisher: solaris Version: 1 Build Release: 5.11 Branch: None Packaging Date: February 4, 2015 03:06:13 PM Size: 6.89 kB FMRI: pkg://solaris/idr1638@1,5.11:20150204T150613Z
3. Back out the IDR patch. Just execute the command given in the package info. (summary)
# /usr/bin/pkg update --reject pkg://solaris/idr1638@1,5.11 pkg:/system/kernel/platform@0.5.11,5.11-0.175.1.19.0.5.2:20140505T165722Z Packages to remove: 1 Packages to update: 1 Create boot environment: Yes Create backup boot environment: No DOWNLOAD PKGS FILES XFER (MB) SPEED Completed 2/2 5/5 4.0/4.0 1.3M/s PHASE ITEMS Removing old actions 11/11 Installing new actions 1/1 Updating modified actions 3/3 Updating package state database Done Updating package cache 2/2 Updating image state Done Creating fast lookup database Done A clone of solaris-idr1638 exists and has been updated and activated. On the next boot the Boot Environment solaris-idr1638-1 will be mounted on '/'. Reboot when ready to switch to this updated BE. #
4. If you get error like following for IDR patch back-out, set the oracle support repository & try.
Error: Matches no installed packages
# /usr/bin/pkg update --reject pkg://solaris/idr1638@1,5.11 pkg:/system/kernel/platform@0.5.11,5.11-0.175.1.19.0.5.2:20140505T165722Z pkg update: 'pkg:/system/kernel/platform@0.5.11,5.11-0.175.1.19.0.5.2:20140505T165722Z' matches no installed packages #
Support repository:
To download the key & certificate, visit – https://pkg-register.oracle.com/
# pkg set-publisher -k /tmp/pkg.oracle.com.key.pem -c /tmp/pkg.oracle.com.certificate.pem -G '*' -g https://pkg.oracle.com/solaris/support/ solaris # pkg publisher PUBLISHER TYPE STATUS P LOCATION solaris origin online F https://pkg.oracle.com/solaris/support/ #
Hope this article has cover everything about the Solaris 11’s OS update (In other words, Solaris 11’s OS patching).
Share it ! Comment it !! Be Sociable !!!
Xavier O'Neill says
Thanks so much for the thoroughly, well-written instructions. I will be using this for an upcoming dev env patch activity.
Kunal says
Hi,
I visited oracle site performing the pkg update.These are the steps are found …
Log into the following site.
http://pkg-register.oracle.com/
Download the SSL key and certificate for the Oracle Solaris 11 release.
Consider creating a directory inside /var/pkg to store the key and certificate.
# mkdir -m 0755 -p /var/pkg/ssl
# cp -i Oracle_Solaris_11_Support.key.pem /var/pkg/ssl
# cp -i Oracle_Solaris_11_Support.certificate.pem /var/pkg/ssl
Copy the key and certificate from the directory that you downloaded the key and certificate into this directory.
The key files are kept by reference, so if the files become inaccessible to the packaging system, you will encounter errors.
Set the publisher to the support repository.
# pkg set-publisher \
-k /var/pkg/ssl/Oracle_Solaris_11_Support.key.pem \
-c /var/pkg/ssl/Oracle_Solaris_11_Support.certificate.pem \
-O https://pkg.oracle.com/solaris/support solaris
Install the updated packages from the support repository, if desired.
# pkg update
I am bit confused. You didn’t mentioned about these steps. So did you downloaded these certificates and then directly posted how to perform the pkg update.
Also what is “Oracle Solaris 11 FCS” ?
Lingeswaran R says
I have mentioned in the bottom of the page(check it again). You need to update the SSL certificates ,if you get error while running “pkg update”
Dan says
There is a typo between your commands to set release vs set support repositories. Both commands are pointed at support.
Lingeswaran R says
Thank you Dan for pointing out . I have just corrected it
Garry Garrett says
Okay, so suppose I patch one server. Then say 2-3 months later, I want to put those same patches on another server. Let’s say my first server has pkg:/entire@0.5.11-0.175.2.2.0.8.0, for example. If I say “pkg update” on this second server, I’ll get the current pages – not the patches that match my other server (i.e. pkg:/entire@0.5.11-0.175.2.2.0.8.0). Syntactically, how do I say, “patch to pkg:/entire@0.5.11-0.175.2.2.0.8.0”?
Lingeswaran R says
You can try to update the version to specific SRU using below command.
pkg update –accept entire@0.5.11-0.175.2.2.0.8.0
Regards
Lingeswaran