Solaris 11.3: IPS change-facet in global zone not inherited in non-global zones

[TheBloke]

Hi all

I am using pkg change-facet to change version-lock to False on a large number of packages, such that I can update these packages to their latest version. This is working OK in the global zone.

The problem is that these changed facets are not being inherited into my non-global zones. So while in the global zone I see the changed facet, and can upgrade the affected packages, the same is not true in any non-global zone I later create: it shows the original, unchanged facet, and therefore cannot upgrade the affected packages.

The man page for pkg, pkg(5), and the Oracle documentation says that facets are inherited into child images, and that non-global zones are child images of the global zone. But this does not seem to be working for me.

Specifically, what I am doing is trying to update all software to the latest version using Oracle's 'evaluation FOSS' program. I am following the steps in this document: How to access selected FOSS Evaluation packages for Oracle Solaris 11.3

What I've done is run pkg list -a \*@\*-5.12.0.0.0.122 (the latest FOSS update), and then converted that into a pkg change-facet list. For example:
pkg change-facet version-lock.shell/bash=False

This works great in the global zone. I was able to run pkg update --accept and it updated all the FOSS packages I had installed. Bash is now version 4.4, for example.

The problem is that this change is not applying to my non-global zones. I ran the above pkg change-facet in the global zone with no non-global zones installed. I then tried installing some zones, but found that the packages installed in the zones were the older version, and that the pkg change-facet has not applied.

Here's an example. This is what I see for the version-lock facet for Bash, in the global zone:

root@magrathea:/system/zones# pkg facet -a | grep version-lock.shell/bash
version-lock.shell/bash                                          False local

That's good. But then in a zone, I see this:

root@goldenzone:~# pkg facet -a | grep version-lock.shell/bash
version-lock.shell/bash                                          True  system

So the zone (which was installed after I made the pkg change-facet changes in the global) is not inheriting the facet from the global zone. I thought this was meant to happen automatically, like the IPS documentation says? Have I misunderstood something, or is there some extra step needed?

How can I get my non-global zones to automatically inherit my facet changes from the global zone?

Of course I could manually run pkg change-facet in the non-global zones as well, but that is messy and I did not think it should be necessary?

Thanks in advance.

 

[TheBloke]

For now I am using the following workaround:

I create my master/golden zone using a custom manifest, and I have now added the following:

<software type="IPS">
            <destination>
                <image>
                    <facet set="false">facet.version-lock.*</facet>
...

This works, removing all version locks on zone install, and thus causing the zone to use the latest FOSS packages from the start. I will then clone that golden zone to make all other zones.

However I don't yet know if there could be later implications from the fact that I'm here removing all version locks, and not only those that have FOSS updates.

But for now it works and seems an acceptable solution. But I would still like to understand why the facet changes don't automatically inherit from the global, and I would prefer if it were possible to do that instead.

Maybe I need to create a new IPS image or something similar? Not yet quite sure how that works.

 

[TheBloke]

To close this off: I've had my questions answered and the following confirmed by a Solaris IPS developer:

1. I misunderstood the documentation - it describes situations when facets can inherit, not when they will.
2. Changed facets never inherit automatically from global zones to non-globals, which is by design to ensure the isolation of a zone's packages
3. Nor is there in fact any way to make certain facets optionally inherit from the global to non-globals
4. Therefore the only way to apply changed facets (or variants or mediators) to a non-global is either to do so manually for each new zone, or else to ensure they're part of the zone's Auto Install manifest (which is what I have ended up doing, as per my second post above.)
5. It's also not possible to apply facet changes via a package, something I didn't realise. Apparently this would be a challenge for Oracle to implement, and there are potential problems, such as what to do if a package depends on a facet that it then changes.
6. Also, I really shouldn't be unlocking all version locks for all packages (as I did in my zone AI manifest) - this will slow down software updates and could potentially lead to a broken image.

So going forward I am going to selectively review the various FOSS updates available and unlock only those that I need on a case-by-case basis. I will put this in my zone AI manifest, and if I decide to make further changes after a zone is installed, I will just have to make the change in all zones.

I should also add that I was told that the FOSS programme is not being heavily tested in unsupported systems - ie systems without a support contract, using the Release repo. I've already encountered a number of bugs and incompatibilities that I can trace back to FOSS updates, and at least one or two of them I am pretty sure stem from problems and inconsistencies in the Release repo.

So FOSS should be taken selectively and carefully at the moment, especially on systems that aren't using the latest SRUs.

Personally I'm going to primarily go back to what I always used to do - compiling from source most programs where I want a newer version. Including for basic software like Vim, Bash, Screen, etc. I have a very basic auto build and package system (just a couple of shell scripts) which I can use to repeatably extract, configure, build, install and then package software (once I've tested and recorded the required ./configure arguments etc.)

Or of course there's the various third-party package libraries, like OpenCSW. I use some packages from there, but not for everything as I've often found they can have unexpectedly large and undesirable dependency trees. Although any repo that uses IPS would presumably be more manageable if it properly implements facets - I've not yet tried investigating using Illumos or OmniOS packages on Solaris 11; that might work OK.)

Anyway there's the info, just in case anyone stumbles on this thread in future with the same questions