Quick zones question



Hi all,

In the zones documentation, it says this several times: "Note
that the contents of software packages in the inherit-pkg-dir
directory cannot be modified or removed after the zone has been
installed with zoneadm".

Suppose I have a zone which inherits /usr.  Does the above warning
mean that I can't patch something that affects /usr from the global
zone, even if the intent is for the zone to use the newly patched
versions of the software, and even if I apply the patch from within
the global zone?

On the other hand, if it means that I can't apply the patch from
the non-global (but it IS OK to apply it in the global zone), then
that's OK.

TIA,

-- 
Rich Teer, SCNA, SCSA, OpenSolaris CAB member

President,
Rite Online Inc.

Voice: +1 (250) 979-1638
URL: http://www.rite-group.com/rich
Reply Rich 8/28/2005 8:30:58 PM

> In the zones documentation, it says this several times: "Note that the
> contents of software packages in the inherit-pkg-dir directory cannot
> be modified or removed after the zone has been installed with
> zoneadm".

Well, not in the zones manpage but I see what you mean. They refer to
the fact that you can't change the contents of the directory since it'll
be mounted read/only in the zone.

> Suppose I have a zone which inherits /usr.  Does the above warning
> mean that I can't patch something that affects /usr from the global
> zone, even if the intent is for the zone to use the newly patched
> versions of the software, and even if I apply the patch from within
> the global zone?

When you apply a patch it'll be applied on all your zones. Some
will even bring the non-global zone to the single-user state in order to
apply a patch.

> On the other hand, if it means that I can't apply the patch from the
> non-global (but it IS OK to apply it in the global zone), then that's
> OK.

That is the usual approach; install in the global zone, then your
non-globals will also be affected.

-- 
Groetjes, Peter

..\\ PGP/GPG key: http://www.catslair.org/pubkey.asc
Reply Lion 8/29/2005 12:18:36 AM


Lion-O wrote:
>>In the zones documentation, it says this several times: "Note that the
>>contents of software packages in the inherit-pkg-dir directory cannot
>>be modified or removed after the zone has been installed with
>>zoneadm".
> 
> 
> Well, not in the zones manpage but I see what you mean. They refer to
> the fact that you can't change the contents of the directory since it'll
> be mounted read/only in the zone.
> 
> 
>>Suppose I have a zone which inherits /usr.  Does the above warning
>>mean that I can't patch something that affects /usr from the global
>>zone, even if the intent is for the zone to use the newly patched
>>versions of the software, and even if I apply the patch from within
>>the global zone?
> 
> 
> When you apply a patch it'll be applied on all your zones. Some
> will even bring the non-global zone to the single-user state in order to
> apply a patch.
> 
> 
>>On the other hand, if it means that I can't apply the patch from the
>>non-global (but it IS OK to apply it in the global zone), then that's
>>OK.
> 
> 
> That is the usual approach; install in the global zone, then your
> non-globals will also be affected.
> 

So a patch can't be tested in a non-global zone?

~S
Reply Shea 8/29/2005 12:36:05 PM

Rich Teer wrote:
> Hi all,
> 
> In the zones documentation, it says this several times: "Note
> that the contents of software packages in the inherit-pkg-dir
> directory cannot be modified or removed after the zone has been
> installed with zoneadm".
> 
> Suppose I have a zone which inherits /usr.  Does the above warning
> mean that I can't patch something that affects /usr from the global
> zone, even if the intent is for the zone to use the newly patched
> versions of the software, and even if I apply the patch from within
> the global zone?
> 
> On the other hand, if it means that I can't apply the patch from
> the non-global (but it IS OK to apply it in the global zone), then
> that's OK.
> 
> TIA,
> 

I don't know if this answers your question, Rich, but I have installed 
many sparse-root zones (with /usr, etc inherit-pkg-dir'd).  I don't 
think I've had a problem adding things in the global zone and having 
them seen in the non-global zones. I know I've patched from the global 
zone before and the patch showed up in all the non-global zones as well.

The first will be tested later today; I need to install IPLT* so that I 
can have one of my non-global zones be the LDAP master.

Solaris and Kerberos and LDAP, oh my

--
Coy Hile
hile@cse.psu.edu
Reply Coy 8/29/2005 1:15:13 PM

Shea Martin wrote:
> Lion-O wrote:
> 
>>> In the zones documentation, it says this several times: "Note that the
>>> contents of software packages in the inherit-pkg-dir directory cannot
>>> be modified or removed after the zone has been installed with
>>> zoneadm".
>>
>>
>>
>> Well, not in the zones manpage but I see what you mean. They refer to
>> the fact that you can't change the contents of the directory since it'll
>> be mounted read/only in the zone.
>>
>>
>>> Suppose I have a zone which inherits /usr.  Does the above warning
>>> mean that I can't patch something that affects /usr from the global
>>> zone, even if the intent is for the zone to use the newly patched
>>> versions of the software, and even if I apply the patch from within
>>> the global zone?
>>
>>
>>
>> When you apply a patch it'll be applied on all your zones. Some
>> will even bring the non-global zone to the single-user state in order to
>> apply a patch.
>>
>>
>>> On the other hand, if it means that I can't apply the patch from the
>>> non-global (but it IS OK to apply it in the global zone), then that's
>>> OK.
>>
>>
>>
>> That is the usual approach; install in the global zone, then your
>> non-globals will also be affected.
>>
> 
> So a patch can't be tested in a non-global zone?
> 
> ~S

Zones share a common kernel, so if (1) it's a userland only patch (eg 
only touches things in /usr ) and (2) the zone you're using for tests is 
a full-root zone (/sbin /platform /usr /lib all remove 
inherit-pkg-dir'd), you should be able to, I would think.
Reply Coy 8/29/2005 1:17:42 PM

On Mon, 29 Aug 2005, Shea Martin wrote:

> So a patch can't be tested in a non-global zone?

Kernel patches, no, because the kernel is shared by all zones.

But if my understanding of this is correct (and I will have a chance
to test this in the next couple of weeks), then you can apply and test
patches in a non-global zone provided you do this in a full root zone;
you can't do it in a sparse-root non-global zone.

In other words, if you want to test the ssh patch (say), you could do
so in a full root non-global zone, but not from a sparse-root one.
(Again, the preceding assumes my understanding of all this is correct;
I've not had a chance to play with it for real yet.)

-- 
Rich Teer, SCNA, SCSA, OpenSolaris CAB member

President,
Rite Online Inc.

Voice: +1 (250) 979-1638
URL: http://www.rite-group.com/rich
Reply Rich 8/29/2005 3:17:47 PM

>> That is the usual approach; install in the global zone, then your
>> non-globals will also be affected.

> So a patch can't be tested in a non-global zone?

People already answered but I'd like to go a little more in depth; that
depends on the kind of patch, what software it patches and how your zone
is installed.

If you let the zone inherit a lot of directories (let's focus on /usr)
then those will be read-only in your zone. Needless to say that this
won't do you much good when patching. A solution for this might be
installing a zone fully, without any inheritance. While this will cost
you extra diskspace it gives you more flexibility.

However, it also depends on the location of the software. But before I
go on I have to warn you that I'm treading partially known territory
here ;-)  When software is located in /opt/sfw (which isn't inherited by
default) and Sun releases a patch for it (here is the unknown territory
since I'm not too sure about that) it'll be easily installable in your
non-global zone.

I hope this helps.

-- 
Groetjes, Peter

..\\ PGP/GPG key: http://www.catslair.org/pubkey.asc
Reply Lion 8/29/2005 5:38:24 PM
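
The sparse-root versus whole-root distinction discussed in this thread, as an added example (not part of any post above and not Sun's tooling): a shell check that reads a zone's `inherit-pkg-dir` entries and reports which files a userland patch touches would be read-only inside that zone. The `zonecfg ... info inherit-pkg-dir` output and the file paths are constructed samples, and the function names are hypothetical; kernel patches are out of scope because the kernel is shared by all zones.

```shell
#!/bin/sh
# Constructed sample of `zonecfg -z <zone> info inherit-pkg-dir` output for a
# sparse-root zone (captured text is illustrative, not from a real system).
SPARSE_INFO='inherit-pkg-dir:
	dir: /lib
inherit-pkg-dir:
	dir: /platform
inherit-pkg-dir:
	dir: /sbin
inherit-pkg-dir:
	dir: /usr'

# A whole-root zone has no inherit-pkg-dir resources, so the output is empty.
WHOLE_INFO=''

# inherited_dirs INFO -> prints one inherited directory per line
inherited_dirs() {
    printf '%s\n' "$1" | awk '$1 == "dir:" { print $2 }'
}

# covering_dir INFO PATH -> prints the inherited dir that contains PATH.
# Matches on a path-component boundary, so /usrlocal is not treated as /usr.
covering_dir() {
    for d in $(inherited_dirs "$1"); do
        case "$2" in
            "$d"|"$d"/*) echo "$d"; return 0 ;;
        esac
    done
    return 1
}

# patch_testable INFO PATH... -> returns 0 only if none of the patch's files
# live under an inherited (read-only in the zone) directory.
patch_testable() {
    info=$1; shift
    rc=0
    for p in "$@"; do
        if d=$(covering_dir "$info" "$p"); then
            echo "blocked: $p is under read-only inherited $d"
            rc=1
        fi
    done
    return $rc
}
```

On a live system, pass `"$(zonecfg -z myzone info inherit-pkg-dir)"` as the first argument, where `myzone` is a placeholder zone name.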
