Unlike Solaris 10, where patching involved downloading individual patch files and applying them manually with patchadd, Solaris 11 uses IPS (Image Packaging System) to handle all software updates, dependencies, and patches in a structured and safe way.
This makes patching faster, safer, and more manageable, especially when dealing with global and non-global zones, or applying critical security updates.
Key Components
| Component | Purpose |
|---|---|
| IPS (Image Packaging System) | Manages software packages, dependencies, updates, and rollback. Command: pkg |
| Oracle Solaris Repository | Official source for OS updates and patches. Can be remote (Oracle server) or local (ISO mirror). |
| Zones | Solaris virtualized environments. Global zone is patched first; non-global zones follow. |
| Boot Environments (BE) | Snapshot of root filesystem allowing safe patching and rollback. |
| SMF (Service Management Facility) | Ensures system services are automatically restarted or managed during updates. |
| Types of Updates | Critical Patch Update (CPU), Recommended Patch Set (RP), bugfixes, and feature updates. |
Preparing for Patching:
1. Check OS Version
# cat /etc/release
Oracle Solaris 11.4 X86
2. Check Installed Packages & Version
# pkg info entire
The entire package ensures all system packages are locked to the same build.
Removing it can leave your system unsupported.
3. Check Current Updates / Patch Levels
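# pkg list -af entire
IPS has no separate patch packages; the patch level is the version of the entire package, and this command lists every version the configured repository offers.
If the repository is unreachable, check network connectivity or configure a local mirror.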
4. Set Up Repository
Oracle Public Repository
# pkg set-publisher -g https://pkg.oracle.com/solaris/release/ solaris
Local ISO Mirror
# pkg set-publisher -g file:///path/to/iso solaris
Use -g to add an origin; -G removes one.
5. Check Disk Space
# df -h
Ensure enough space for new packages and BE snapshots.
Typically, keep 10–20% free space on ZFS root pool for safe patching.
6. Backup (Recommended)
Use ZFS snapshots before patching:
# zfs snapshot rpool/ROOT/solaris@snapshot_prepatch
This allows instant rollback if anything goes wrong.
Updating Solaris 11
A. Full System Update
Update all packages to the latest recommended versions:
# pkg update --accept
The --accept option automatically accepts the licenses of updated packages.
A full update includes the kernel, libraries, and core OS utilities.
B. Update Specific Package
# pkg update pkg:/network/ssh
C. Verify Updates
# pkg list -u # List packages that can be updated
# pkg info entire # Show the installed version of the entire package
Using Boot Environments (BE):
Solaris 11 updates are applied into a new Boot Environment (BE) to allow rollback.
1. List Current Boot Environments
# beadm list
BE Name Flags Mountpoint Space Policy Created
solaris NR / 3G static 2025-08-05
2. Create a New BE
# beadm create solaris_11_update
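3. Apply Updates into New BE
pkg update --be-name creates its own BE and fails if that name already exists, so update the BE created in step 2 through its mount point:
# beadm mount solaris_11_update /mnt
# pkg -R /mnt update --accept
# beadm unmount solaris_11_update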
4. Activate New BE
# beadm activate solaris_11_update
# reboot
5. Rollback if Needed
# beadm activate solaris
# reboot
Reactivating the previous BE and rebooting is useful if a patch breaks the system or a critical service.
Patching Zones:
1. Patch Global Zone First
# pkg update --accept --be-name solaris_11_update
2. Patch Non-Global Zones
Halt the zone:
# zoneadm -z <zone-name> halt
Boot into the zone:
# zoneadm -z <zone-name> boot
Patch inside zone:
# pkg update --accept
Or use zlogin to login and update interactively:
# zlogin <zone-name>
# pkg update --accept
Critical Patch Updates (CPU)
Oracle releases CPUs quarterly.
It is recommended to apply them within 30 days to prevent security vulnerabilities.
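Example workflow (pkg update --be-name creates cpu_BE itself and fails if a BE with that name already exists, so no separate beadm create is needed):
# pkg update --accept --be-name cpu_BE
# beadm activate cpu_BE
# reboot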
Post-Patching Verification
Check OS version:
# uname -a
Verify updated packages:
# pkg info entire
# pkg list -u
Check system logs for errors:
# tail -f /var/adm/messages
Ensure critical services are running:
# svcs -xv
Troubleshooting
Rollback BE if update fails (reactivate the previous BE and reboot):
# beadm activate solaris
# reboot
Resolve package conflicts:
# pkg fix <package-name>
Force a full refresh of publisher metadata if repository errors occur:
# pkg refresh --full
Best Practices
- Always patch global zone first, then non-global zones.
- Use Boot Environments to allow rollback.
- Snapshot ZFS root pool before major updates.
- Ensure disk space and network access to repositories.
- Schedule patching during maintenance windows; avoid patching production workloads directly without BE.
- Monitor SMF-managed services and check logs post-update.
- Keep a local mirror or ISO repo for environments with limited internet access.
- Document BE names and updates applied for audit purposes.
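A pre-patch gate for the disk-space and Boot Environment guidance above, as an added example that is not part of the original post. The 20% floor, the rpool pool name, and the semicolon-separated field order of beadm list -H are assumptions, and the sample data is constructed.

```sh
#!/bin/sh
# Added example. Assumptions: pool "rpool", a 20% free-space floor, and the
# field order name;uuid;flags;mountpoint;space;policy;created for `beadm list -H`.
MIN_FREE_PCT=20

# free_pct: stdin is `zpool list -H -o capacity rpool` output such as "43%".
free_pct() {
    awk '{ sub(/%/, "", $1); print 100 - $1; exit }'
}

# active_be: stdin is `beadm list -H` output; print the BE flagged N (running now).
active_be() {
    awk -F';' '$3 ~ /N/ { print $1; exit }'
}

# be_exists NAME: succeed if NAME is already present in the listing on stdin.
be_exists() {
    awk -F';' -v n="$1" '$1 == n { found = 1 } END { exit (found ? 0 : 1) }'
}

# prepatch_gate CAPACITY BE_LISTING NEW_BE: print one audit line; return 1 on failure.
prepatch_gate() {
    free=$(printf '%s\n' "$1" | free_pct)
    fallback=$(printf '%s\n' "$2" | active_be)
    if [ "$free" -lt "$MIN_FREE_PCT" ]; then
        echo "FAIL: rpool has ${free}% free, need ${MIN_FREE_PCT}%"; return 1
    fi
    if [ -z "$fallback" ]; then
        echo "FAIL: no active BE found to fall back to"; return 1
    fi
    # pkg update --be-name refuses a name that is already taken.
    if printf '%s\n' "$2" | be_exists "$3"; then
        echo "FAIL: BE $3 already exists, pick another name"; return 1
    fi
    echo "OK: free=${free}% fallback_be=${fallback} new_be=$3"
}

# Constructed sample data. On a live system call:
#   prepatch_gate "$(zpool list -H -o capacity rpool)" "$(beadm list -H)" NAME
SAMPLE_BE='solaris;00000000-0000-0000-0000-000000000001;NR;/;3221225472;static;1754352000
backup;00000000-0000-0000-0000-000000000002;;-;1048576;static;1751328000'
prepatch_gate "43%" "$SAMPLE_BE" solaris_11_update
```

Appending the OK line to a change log records the fallback BE and the new BE name for the audit trail.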