Discussion:
Listing vulnerabilities for a system
l***@elanor.org
2011-12-08 17:23:11 UTC
Guys,

I've got a rather big annoyance to deal with these days.

I need PCI-DSS compliance for my systems, and that includes knowing
about vulnerabilities, and applying critical patches one month after
they're published.

In that aspect, things have changed drastically since Oracle took
over. I think I've already complained about those patches whose
synopsis is «Problem with xxx».
Basically, now Oracle will only list which CVEs are fixed by which
patches in its Critical Patch Update, which is a quarterly result.
The fix itself might have been released in a patch long before, just
it was done without any information letting us know what it fixes.
I opened a case and was told it's just policy, so I can go google myself.

Even more impractical: those CPU things, such as the one below, only
list «Solaris proper» vulnerabilities:
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1364156.1#REF_TEXT

The «Open Source Stuff» gets its own blog, which is updated regularly
(but not quite perfect, the Search is broken):
http://blogs.oracle.com/sunsecurity/

I am letting my salespeople know that I am not happy about this. It
means there's no way for me to know what patches are critical or not.

Are some of you dealing with that already? I'd be very interested to
have some hints on any practical way to follow those things without
wasting time.

Laurent



------------------------------------

Please check the Links page before posting:
http://groups.yahoo.com/group/solarisx86/links
Post message: ***@yahoogroups.com
UNSUBSCRIBE: solarisx86-***@yahoogroups.com
John D Groenveld
2011-12-08 18:03:41 UTC
Post by l***@elanor.org
In that aspect, things have changed drastically since Oracle took
over. I think I've already complained about those patches whose
synopsis is «Problem with xxx».
I love those, especially when the CR can't be found in
OpenSolaris.ORG's bugzilla or Chuck Rozwat and company's MOS
Knowledge Base.
Post by l***@elanor.org
Basically, now Oracle will only list which CVEs are fixed by which
patches in its Critical Patch Update, which is a quarterly result.
The fix itself might have been released in a patch long before, just
it was done without any information letting us know what it fixes.
I opened a case and was told it's just policy, so I can go google myself.
Will Chuck Rozwat and company's Support Repository Updates for
John Fowler and company's Solaris 11 11/11 only be quarterly?
Post by l***@elanor.org
Even more impractical: those CPU things, such as the one below, only
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1364156.1#REF_TEXT
The «Open Source Stuff» gets its own blog, which is updated regularly
http://blogs.oracle.com/sunsecurity/
I don't have a handle on the distinction.
Which bits on pkg.Oracle.COM does Chuck Rozwat and company not support?
Post by l***@elanor.org
I am letting my salespeople know that I am not happy about this. It
means there's no way for me to know what patches are critical or not.
Thank you.

Perhaps it proves the level of my kookiness that I'm surprised
these concerns aren't shared by the legacy high-margin, low-volume
customers Keith Block and company intends on retaining.
Post by l***@elanor.org
Are some of you dealing with that already? I'd be very interested to
have some hints on any practical way to follow those things without
wasting time.
Did anyone here attend last night's Solaris BoFs at Usenix-LISA
in Boston?


BTW kudos to Judith Sim and company for spending some S&M shekels
on Usenix communications and community outreach.

John
***@acm.org



Alan Coopersmith
2011-12-08 18:20:05 UTC
Post by John D Groenveld
Post by l***@elanor.org
In that aspect, things have changed drastically since Oracle took
over. I think I've already complained about those patches whose
synopsis is «Problem with xxx».
I love those, especially when the CR can't be found in
OpenSolaris.ORG's bugzilla or Chuck Rozwat and company's MOS
Knowledge Base.
Sun never published any bug report with the security flag set to SunSolve or
bugs.opensolaris.org. The OpenSolaris bugzilla doesn't contain any bugs from
patches or SRU's - those have always been tracked in the main corporate bug
database.
Post by John D Groenveld
Will Chuck Rozwat and company's Support Repository Updates for
John Fowler and company's Solaris 11 11/11 only be quarterly?
No, as "Chuck" doesn't do Support Repository Updates, and the organization
that does them is doing them more often than quarterly.
Post by John D Groenveld
Post by l***@elanor.org
Even more impractical: those CPU things, such as the one below, only
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1364156.1#REF_TEXT
The «Open Source Stuff» gets its own blog, which is updated regularly
http://blogs.oracle.com/sunsecurity/
I don't have a handle on the distinction.
Which bits on pkg.Oracle.COM does Chuck Rozwat and company not support?
It has nothing to do with support and everything to do with multi-vendor
coordination. There's no point waiting until a quarterly CPU to admit
that we have the same Firefox or BIND vulnerabilities all other vendors
disclosed months before, while vulnerabilities unique to Oracle's products
can be disclosed on a schedule Oracle is in control of.
--
-Alan Coopersmith- ***@oracle.com
Oracle Solaris Platform Engineering: X Window System



John D Groenveld
2011-12-08 19:08:00 UTC
Post by Alan Coopersmith
No, as "Chuck" doesn't do Support Repository Updates, and the organization
that does them is doing them more often than quarterly.
Thank you for the heads-up.
I just found Chuck Rozwat and company's very useful Solaris 11 reference
for support subscription customers:
Oracle Solaris 11 Product Information Center [ID 1313405.1]

And here's the new S11 SRU index which shows that SRU 2 shipped 1DEC2011:
Oracle Solaris 11 Support Repository Updates (SRU) Index [ID 1372094.1]


BTW What's the procedure to check which SRU has been applied?

I see in Chuck Rozwat and company's SRU 2 README [ID 1382431.1]
that it contains "7096714 Problem with thunderbird/mailer", but
how do I figure out that it's been applied?

And since it's not in the knowledge base, what does that CR fix?

John
***@acm.org



Alan Coopersmith
2011-12-08 19:22:22 UTC
Post by John D Groenveld
Post by Alan Coopersmith
No, as "Chuck" doesn't do Support Repository Updates, and the organization
that does them is doing them more often than quarterly.
Thank you for the heads-up.
I just found Chuck Rozwat and company's very useful Solaris 11 reference
Oracle Solaris 11 Product Information Center [ID 1313405.1]
Oracle Solaris 11 Support Repository Updates (SRU) Index [ID 1372094.1]
BTW What's the procedure to check which SRU has been applied?
"pkg info entire"
Post by John D Groenveld
I see in Chuck Rozwat and company's SRU 2 README [ID 1382431.1]
that it contains "7096714 Problem with thunderbird/mailer", but
how do I figure out that it's been applied?
You can use pkg contents to extract the bug ids a package fixes in an
SRU, such as this line in the metadata for the SRU2 package of
pkg://solaris/mail/***@7.0.1,5.11-0.175.0.2.0.2.0:

set last-fmri=mail/***@6.0,5.11-0.175.0.0.0.1.0:20111012T143446Z
name=com.oracle.service.bugid value=7096714

http://mail.opensolaris.org/pipermail/pkg-discuss/2011-January/025242.html
has some more details.
Post by John D Groenveld
And since it's not in the knowledge base, what does that CR fix?
A security problem with Thunderbird. You may also notice the package
version number changed from 6.0 to 7.0.1 as part of the same update.
--
-Alan Coopersmith- ***@oracle.com
Oracle Solaris Platform Engineering: X Window System
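
The bug-ID lookup described in the post above, as an added example that is not part of the original message or of Oracle's tooling: it extracts every com.oracle.service.bugid value from raw manifest text and reports which CRs from an SRU README have no matching entry. The sample manifest, the package name example-mailer and the IDs 7000001, 7000002 and 7999999 are constructed; on a Solaris 11 host the input would come from `pkg contents -m`.

```shell
#!/bin/sh
# Added example: audit which change-request (CR) bug IDs an IPS package
# manifest records, so an SRU README's CR list can be checked against a host.
# On a real system, feed it the raw manifest: pkg contents -m <package>

# Constructed sample manifest. The package name and the 7000001/7000002 IDs
# are made up; 7096714 and the last-fmri layout follow the line quoted in
# the post above.
sample_manifest() {
    cat <<'EOF'
set name=pkg.fmri value=pkg://solaris/mail/example-mailer@7.0.1,5.11-0.175.0.2.0.2.0:20111201T000000Z
set name=pkg.summary value="Example mail client"
set last-fmri=mail/example-mailer@6.0,5.11-0.175.0.0.0.1.0:20111012T143446Z name=com.oracle.service.bugid value=7096714
set name=com.oracle.service.bugid value=7000002 value="7000001"
depend fmri=pkg:/system/library type=require
EOF
}

# manifest_bugids: read a raw manifest on stdin and print the unique bug IDs,
# one per line. Attributes of a "set" action may come in any order and an
# action may carry several value= attributes, so every field is inspected.
manifest_bugids() {
    awk '
        $1 == "set" {
            is_bugid = 0
            for (i = 2; i <= NF; i++)
                if ($i == "name=com.oracle.service.bugid") is_bugid = 1
            if (!is_bugid) next          # other set actions are ignored
            for (i = 2; i <= NF; i++)
                if ($i ~ /^value=/) {
                    v = substr($i, 7)    # strip the leading "value="
                    gsub(/"/, "", v)     # values may be quoted
                    print v
                }
        }
    ' | sort -u
}

# missing_crs CR...: read a raw manifest on stdin and print each CR given as
# an argument that the manifest does NOT record. Empty output means every CR
# from the README is accounted for in this package.
missing_crs() {
    ids=$(manifest_bugids)
    for cr in "$@"; do
        printf '%s\n' "$ids" | grep -Fqx -- "$cr" || printf '%s\n' "$cr"
    done
}

echo "Bug IDs recorded in the sample manifest:"
sample_manifest | manifest_bugids
echo "CRs from the README with no bugid entry in this package:"
sample_manifest | missing_crs 7096714 7999999
```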



l***@elanor.org
2011-12-09 10:36:24 UTC
Post by Alan Coopersmith
Sun never published any bug report with the security flag set to SunSolve or
bugs.opensolaris.org. The OpenSolaris bugzilla doesn't contain any bugs from
patches or SRU's - those have always been tracked in the main corporate bug
database.
True, but there is still a major difference.

The latest entries in 119784's README:

7112581 problem with DNS
(from 119784-20)
7060712 problem with DNS
(from 119784-19)
7054901 problem with DNS

Scroll down a little:
(from 119784-12)
6865903 CVE-2009-0696 BIND dynamic update problem
(from 119784-11)
6821966 ISC security patch for BIND users of DLV

See? Sun gave me more than enough information both to satisfy an
auditor and my needs.

And yes, this particular case shows it is a schizophrenic attempt at
security by obscurity, because some other parts of Oracle think it is
ok for everybody to know:

http://blogs.oracle.com/sunsecurity/entry/cve_2011_4313_denial_of
CVE-2011-4313 Denial of Service vulnerability
BIND DNS software
Solaris 11 11/11 SRU 02
Solaris 10 SPARC: 119783-21 X86: 119784-21
Post by Alan Coopersmith
It has nothing to do with support and everything to do with multi-vendor
coordination. There's no point waiting until a quarterly CPU to admit
that we have the same Firefox or BIND vulnerabilities all other vendors
disclosed months before, while vulnerabilities unique to Oracle's products
can be disclosed on a schedule Oracle is in control of.
So then, we agree there is no point in restricting the bug ID of that
particular BIND issue? It's pure sadism on the part of whoever decided
on that change.

But I do understand better as to how Solaris-specific
vulnerabilities are handled. I hadn't realized that Oracle registers
them as CVE only at the time of the release of the CPU. So they are
basically known, but kept secret, and sometimes patched in secret.

If one of them is ever found by an attacker, though, then what? It's
not exactly far-fetched to imagine a discreet exploit being used for
months. All that while a patch is actually available but not applied
because nobody knows what it does, and production matters more than
random patching.

Laurent




Alan Coopersmith
2011-12-09 16:55:40 UTC
Post by l***@elanor.org
Post by Alan Coopersmith
Sun never published any bug report with the security flag set to SunSolve or
bugs.opensolaris.org. The OpenSolaris bugzilla doesn't contain any bugs from
patches or SRU's - those have always been tracked in the main corporate bug
database.
True, but there is still a major difference.
I understand that - I was just pointing out that access to the bugs in the
external views of the bug db was not the difference, but rather the
information provided in lieu of that access.

I can't really speak to or defend the policy decisions here - maybe next time
I'm in Europe we can have another beer to discuss it off the record. I can
note that these policies are not set in stone, and have evolved since the
acquisition due to customer feedback about their requirements via channels such
as your sales reps, and we do continue to discuss them.

The only piece of advice I've heard from other people working with customers
who need PCI-DSS compliance is that if you stay up to date on the S9/S10
recommended/security patch clusters or the S11 SRU's, then you've covered the
critical patches as well - it's only those who want to apply *just* the
critical patches and nothing else that have a harder problem to solve here.

(I haven't double checked, but if I remember correctly S8 hits End of Service
Life in early 2012, at which point we stop creating security patches, so
hopefully no one is still using S8 on systems needing high security compliance.)
--
-Alan Coopersmith- ***@oracle.com
Oracle Solaris Platform Engineering: X Window System



l***@elanor.org
2011-12-11 23:36:34 UTC
Post by Alan Coopersmith
I understand that - I was just pointing out that access to the bugs in the
external views of the bug db was not the difference, but rather the
information provided in lieu of that access.
I can't really speak to or defend the policy decisions here - maybe next time
I'm in Europe we can have another beer to discuss it off the record.
Or next time I'm in SF, I still hope to be flying around there next year.
Post by Alan Coopersmith
I can
note that these policies are not set in stone, and have evolved since the
acquisition due to customer feedback about their requirements via
channels such as your sales reps, and we do continue to discuss them.
Sure, I'm pretty sure they can evolve, and that of all people, it's
not you or others I've talked to that are stopping it :-)

But yes, when talking to Support, you can easily get the feeling that
everything is set in stone...
Post by Alan Coopersmith
The only piece of advice I've heard from other people working with customers
who need PCI-DSS compliance is that if you stay up to date on the S9/S10
recommended/security patch clusters or the S11 SRU's, then you've covered the
critical patches as well - it's only those who want to apply *just* the
critical patches and nothing else that have a harder problem to solve here.
I'm still concerned about the delay. How do they manage to be
compliant, with the delay induced by quarterly CPU releases? Or do
they just say «Gee, sorry, not our fault, we do our best». I'll see if
that can fit our auditor.
Post by Alan Coopersmith
(I haven't double checked, but if I remember correctly S8 hits End of Service
Life in early 2012, at which point we stop creating security patches, so
hopefully no one is still using S8 on systems needing high security compliance.)
Nope, no S8 left for me. But some RHEL4 will have to get extended life.

Laurent



Alan Coopersmith
2011-12-12 22:33:30 UTC
Post by Alan Coopersmith
The only piece of advice I've heard from other people working with customers
who need PCI-DSS compliance is that if you stay up to date on the S9/S10
recommended/security patch clusters or the S11 SRU's, then you've covered the
critical patches as well - it's only those who want to apply *just* the
critical patches and nothing else that have a harder problem to solve here.
I'm still concerned about the delay. How do they manage to be compliant, with
the delay induced by quarterly CPU releases? Or do they just say «Gee, sorry,
not our fault, we do our best». I'll see if that can fit our auditor.
The point was to install the SRU's/patch clusters every month, not just the
months that line up with the CPU releases.
--
-Alan Coopersmith- ***@oracle.com
Oracle Solaris Platform Engineering: X Window System



John D Groenveld
2011-12-13 18:48:19 UTC
Post by Alan Coopersmith
The point was to install the SRU's/patch clusters every month, not just the
months that line up with the CPU releases.
I see in Chuck Rozwat and company's ID 1385179.1 that SRU 2a
is now shipping.
Unclear which CRs are security related so if there's a great urgency
to pkg update to it.

John
***@acm.org


l***@elanor.org
2011-12-13 23:11:12 UTC
Post by John D Groenveld
I see in Chuck Rozwat and company's ID 1385179.1 that SRU 2a
is now shipping.
Unclear which CRs are security related so if there's a great urgency
to pkg update to it.
I'm still deeply annoyed by IPS' lack of intuitiveness.

See that:

# pkg update -nv | sed 's/:[^ ]*//g'
Packages to update 12
Estimated space available 82.43 GB
Estimated space to be consumed 222.94 MB
Create boot environment Yes
Activate boot environment Yes
Create backup boot environment No
Rebuild boot archive Yes

Changed packages
solaris
consolidation/desktop/desktop-incorporation
0.5.11,5.11-0.175.0.2.0.2.0 -> 0.5.11,5.11-0.175.0.2.0.3.0
consolidation/osnet/osnet-incorporation
0.5.11,5.11-0.175.0.2.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
developer/debug/mdb
0.5.11,5.11-0.175.0.0.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
driver/network/ethernet/ixgbe
0.5.11,5.11-0.175.0.0.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
entire
0.5.11,5.11-0.175.0.2.0.3.0 -> 0.5.11,5.11-0.175.0.2.0.3.0
package/svr4
0.5.11,5.11-0.175.0.0.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
system/header
0.5.11,5.11-0.175.0.2.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
system/kernel
0.5.11,5.11-0.175.0.2.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
system/kernel/platform
0.5.11,5.11-0.175.0.2.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
system/library
0.5.11,5.11-0.175.0.0.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
system/network
0.5.11,5.11-0.175.0.0.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
web/browser/firefox/plugin/firefox-flashplayer
11.0.1.152,5.11-0.175.0.2.0.2.0 -> 11.1.102.56,5.11-0.175.0.2.0.3.0

Ok, great, plenty of packages, and almost readable with some sed
thrown in (pkg is making me loathe ISO8601, which is a feat in itself).

But what if, say, I wanted to know about a single package? I'm like
JohnG, worried about Flash? (I actually am).

# pkg update -nv web/browser/firefox/plugin/firefox-flashplayer
No updates available for this image.

No, nothing, there's no update for Flash. Why? And even if that
example is buried somewhere in TFM, I should not need to R it: this
should be easy, obvious, quick.
I should know there is an update, and if it has dependencies, depends
on the kernel or whatever, be ready to pull them in. Though I won't
take it kindly if updating Flash requires a new image and a reboot...

This tool is simply alien to me, and not because I am averse to
change, but because I am averse to change that makes simple things
difficult.

Laurent



Alan Coopersmith
2011-12-13 23:36:02 UTC
Post by l***@elanor.org
Changed packages
solaris
consolidation/desktop/desktop-incorporation
0.5.11,5.11-0.175.0.2.0.2.0 -> 0.5.11,5.11-0.175.0.2.0.3.0
consolidation/osnet/osnet-incorporation
0.5.11,5.11-0.175.0.2.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
developer/debug/mdb
0.5.11,5.11-0.175.0.0.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
driver/network/ethernet/ixgbe
0.5.11,5.11-0.175.0.0.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
entire
0.5.11,5.11-0.175.0.2.0.3.0 -> 0.5.11,5.11-0.175.0.2.0.3.0
package/svr4
0.5.11,5.11-0.175.0.0.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
system/header
0.5.11,5.11-0.175.0.2.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
system/kernel
0.5.11,5.11-0.175.0.2.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
system/kernel/platform
0.5.11,5.11-0.175.0.2.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
system/library
0.5.11,5.11-0.175.0.0.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
system/network
0.5.11,5.11-0.175.0.0.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
web/browser/firefox/plugin/firefox-flashplayer
11.0.1.152,5.11-0.175.0.2.0.2.0 -> 11.1.102.56,5.11-0.175.0.2.0.3.0
Ok, great, plenty of packages, and almost readable with some sed
thrown in (pkg is making me loathe ISO8601, which is a feat in itself).
But what if, say, I wanted to know about a single package? I'm like
JohnG, worried about Flash? (I actually am).
# pkg update -nv web/browser/firefox/plugin/firefox-flashplayer
No updates available for this image.
No, nothing, there's no update for Flash. Why?
Because the standard shipped system configuration is set to constrain
updates to install the entire SRU, not let you pick and choose which
packages to install or not, and there is no newer version of flash for
the SRU you have currently installed, only for the next SRU revision.

This ensures you have a system package matrix that was tested together
by Oracle before release, not a custom combination that only you have
tested. (Cue standard rant about the difficulty in reproducing or
supporting such custom setups - if you've not heard it recently,
http://blogs.oracle.com/barts/entry/rethinking_patching has a copy.)

You can reconfigure the system to allow you to unconstrain many packages
that aren't as tightly bound together (you can't split the kernel from
libc for instance, since the system call interface between them means they
have to be in sync with each other).

For instance, for the specific case of Flash, you could run
pkg change-facet \
facet.version-lock.web/browser/firefox/plugin/firefox-flashplayer=false

And then you should be able to update it by itself. Many of the Desktop,
X11 and external open source packages have similar version-lock facets,
while those closer to the OS core do not.

This will probably have implications for support if you do have problems
after unconstraining packages, but I don't know how much of a hassle they'll
give you for that.
--
-Alan Coopersmith- ***@oracle.com
Oracle Solaris Platform Engineering: X Window System



palowoda
2011-12-14 08:47:11 UTC
Post by Alan Coopersmith
Post by l***@elanor.org
Changed packages
solaris
consolidation/desktop/desktop-incorporation
0.5.11,5.11-0.175.0.2.0.2.0 -> 0.5.11,5.11-0.175.0.2.0.3.0
consolidation/osnet/osnet-incorporation
0.5.11,5.11-0.175.0.2.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
developer/debug/mdb
0.5.11,5.11-0.175.0.0.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
driver/network/ethernet/ixgbe
0.5.11,5.11-0.175.0.0.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
entire
0.5.11,5.11-0.175.0.2.0.3.0 -> 0.5.11,5.11-0.175.0.2.0.3.0
package/svr4
0.5.11,5.11-0.175.0.0.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
system/header
0.5.11,5.11-0.175.0.2.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
system/kernel
0.5.11,5.11-0.175.0.2.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
system/kernel/platform
0.5.11,5.11-0.175.0.2.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
system/library
0.5.11,5.11-0.175.0.0.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
system/network
0.5.11,5.11-0.175.0.0.0.2.1 -> 0.5.11,5.11-0.175.0.2.0.3.1
web/browser/firefox/plugin/firefox-flashplayer
11.0.1.152,5.11-0.175.0.2.0.2.0 -> 11.1.102.56,5.11-0.175.0.2.0.3.0
Ok, great, plenty of packages, and almost readable with some sed
thrown in (pkg is making me loathe ISO8601, which is a feat in itself).
But what if, say, I wanted to know about a single package? I'm like
JohnG, worried about Flash? (I actually am).
# pkg update -nv web/browser/firefox/plugin/firefox-flashplayer
No updates available for this image.
No, nothing, there's no update for Flash. Why?
Because the standard shipped system configuration is set to constrain
updates to install the entire SRU, not let you pick and choose which
packages to install or not, and there is no newer version of flash for
the SRU you have currently installed, only for the next SRU revision.
This ensures you have a system package matrix that was tested together
by Oracle before release, not a custom combination that only you have
tested. (Cue standard rant about the difficulty in reproducing or
supporting such custom setups - if you've not heard it recently,
http://blogs.oracle.com/barts/entry/rethinking_patching has a copy.)
You can reconfigure the system to allow you to unconstrain many packages
that aren't as tightly bound together (you can't split the kernel from
libc for instance, since the system call interface between them means they
have to be in sync with each other).
For instance, for the specific case of Flash, you could run
pkg change-facet \
facet.version-lock.web/browser/firefox/plugin/firefox-flashplayer=false
And then you should be able to update it by itself. Many of the Desktop,
X11 and external open source packages have similar version-lock facets,
while those closer to the OS core do not.
This will probably have implications for support if you do have problems
after unconstraining packages, but I don't know how much of a hassle they'll
give you for that.
pkg facets and variant always confuse me. Say for instance you use a facet on apache-22. Obvious that the apache server with all the modules are going to be the most contentious part of Solaris someone is going to want to upgrade. Look at all the modules that one must add with respect to apache that require newer versions of apache than Oracle delivers. Anyways.

--------------------------------------------------
***@fishbutt:/root> pkg change-facet facet.version-lock.web/server/apache-22=false
Recursing into linked image: zone:patrick
Returning from linked image: zone:patrick
Packages to update: 882
Variants/Facets to change: 1
Create boot environment: No
Create backup boot environment: Yes

PHASE ACTIONS
Removal Phase 1/1

PHASE ITEMS
Image State Update Phase 2/2
--------------------------------------------------------

So does that mean 882 packages are unlocked? And if I wanted to use change-facet to a non local zone or list facets per zone how is that done.

You know if this is going to cause a problem with support contracts then why haven't they thought this out beforehand and written it in the support policy? People are paying 1K$ per/cpu you got to expect some customization for that kind of money. I know there is RFE's but out of the slowest implementations of say Apache/PHP other language modules etc Solaris has a disadvantage because the testing group never figures out fast enough how to test it. How are you going to compete?

---Bob




palowoda
2011-12-14 09:00:25 UTC
Post by palowoda
And if I wanted to use change-facet to a non local zone or list facets per zone how is that done.
Oops I meant local zone, i.e. can I set a facet from the global to the local zone?

---Bob




Alan Coopersmith
2011-12-14 15:33:46 UTC
Post by palowoda
pkg facets and variant always confuse me. Say for instance you use a facet on apache-22. Obvious that the apache server with all the modules are going to be the most contentious part of Solaris someone is going to want to upgrade. Look at all the modules that one must add with respect to apache that require newer versions of apache than Oracle delivers. Anyways.
--------------------------------------------------
Recursing into linked image: zone:patrick
Returning from linked image: zone:patrick
Packages to update: 882
Variants/Facets to change: 1
Create boot environment: No
Create backup boot environment: Yes
PHASE ACTIONS
Removal Phase 1/1
PHASE ITEMS
Image State Update Phase 2/2
--------------------------------------------------------
So does that mean 882 packages are unlocked?
It checked 882 packages to see if they needed changes, since many facets affect
lots of packages, like the ones for docs, devel bits & locale, and the system
doesn't know that the version-lock facet is special and only affects the
incorporations. There are some open bugs for optimizations being done to the
facet changing.
Post by palowoda
And if I wanted to use change-facet to a non local zone or list facets per zone how is that done.
Listing facet settings is done with "pkg facet", though that only lists the ones
that have been explicitly set - any not explicitly set default to "true", so
most won't show up.

I don't use zones much - I would guess to do these things in zones you run the
commands in the zone, or you run them from the parent with the -R flag, but
that's just a guess and you really should go read the docs to find out.
Post by palowoda
You know if this is going to cause a problem with support contracts then why haven't they thought this out beforehand
I'm sure they have, but I'm not in support and my connection to the hive mind
isn't strong enough to know what is being thought that far away in the org
chart.
--
-Alan Coopersmith- ***@oracle.com
Oracle Solaris Platform Engineering: X Window System



Rob McMahon
2011-12-14 15:52:10 UTC
I've seen this in the forums, but no answer. Trying to do an
sudo env BE_PRINT_ERR=true pkg image-update -v
...
_update_vfstab: failed to open vfstab (/tmp/.be.luaq1a/etc/vfstab): No
such file or directory
be_copy: failed to update new BE's vfstab (solaris_11-11_11-1)
be_copy: destroying partially created boot environment
be_mount_callback: failed to mount dataset
rpool/ROOT/solaris_11-11_11-1/opt at /tmp/.be.muaq1a/opt: mountpoint or
dataset is busy
be_mount: failed to mount BE (solaris_11-11_11-1) on /tmp/.be.muaq1a
be_destroy_zones: failed to mount the BE (solaris_11-11_11-1) for zones
processing.
pkg: Unable to clone the current boot environment.
sudo env BE_PRINT_ERR=true beadm create test
_update_vfstab: failed to open vfstab (/tmp/.be.USaanB/etc/vfstab): No
such file or directory
be_copy: failed to update new BE's vfstab (test)
be_copy: destroying partially created boot environment
be_mount_callback: failed to mount dataset rpool/ROOT/test/opt at
/tmp/.be.VSaanB/opt: mountpoint or dataset is busy
be_mount: failed to mount BE (test) on /tmp/.be.VSaanB
be_destroy_zones: failed to mount the BE (test) for zones processing.
Unable to create test.
Unable to find message for error code: 1
Exit 1
There's nothing remotely odd about vfstab in the parent environment:

#device device mount FS fsck mount mount
#to mount to fsck point type pass at boot options
#
/devices - /devices devfs - no -
/proc - /proc proc - no -
ctfs - /system/contract ctfs - no -
objfs - /system/object objfs - no -
sharefs - /etc/dfs/sharetab sharefs - no -
fd - /dev/fd fd - no -
swap - /tmp tmpfs - yes -
rpool/ROOT/solaris_11-11_11 - / zfs - no -
/dev/dsk/c5t0d0s1 - - swap - no -
/dev/dsk/c5t1d0s1 - - swap - no -

Any ideas ?

Rob
--
E-Mail: ***@warwick.ac.uk PHONE: +44 24 7652 3037
Rob McMahon, IT Services, Warwick University, Coventry, CV4 7AL, England



John D Groenveld
2011-12-14 19:55:01 UTC
Post by Rob McMahon
#device device mount FS fsck mount mount
#to mount to fsck point type pass at boot options
#
/devices - /devices devfs - no -
/proc - /proc proc - no -
ctfs - /system/contract ctfs - no -
objfs - /system/object objfs - no -
sharefs - /etc/dfs/sharetab sharefs - no -
fd - /dev/fd fd - no -
swap - /tmp tmpfs - yes -
rpool/ROOT/solaris_11-11_11 - / zfs - no -
/dev/dsk/c5t0d0s1 - - swap - no -
/dev/dsk/c5t1d0s1 - - swap - no -
Your swap partitions are kind'a odd for a ZFS based system.

John
***@acm.org


John Taylor
2011-12-14 21:32:19 UTC
On Wed, Dec 14, 2011 at 2:55 PM, John D Groenveld
Post by John D Groenveld
#device device mount FS fsck mount mount
#to mount to fsck point type pass at boot options
#
/devices - /devices devfs - no -
/proc - /proc proc - no -
ctfs - /system/contract ctfs - no -
objfs - /system/object objfs - no -
sharefs - /etc/dfs/sharetab sharefs - no -
fd - /dev/fd fd - no -
swap - /tmp tmpfs - yes -
rpool/ROOT/solaris_11-11_11 - / zfs - no -
/dev/dsk/c5t0d0s1 - - swap - no -
/dev/dsk/c5t1d0s1 - - swap - no -
Your swap partitions are kind'a odd for a ZFS based system.
it may be that he has additional swap. Swap in ZFS is not
recorded in the /etc/vfstab.

OTOH, having additional swap may be required, but having an
inconsistent configuration (some swap mirrored, some not)
could cause a problem if a device that the unmirrored swap
device is on fails.

Ben


John D Groenveld
2011-12-14 21:40:26 UTC
Post by John Taylor
OTOH, having additional swap may be required, but having an
inconsistent configuration (some swap mirrored, some not)
could cause a problem if a device that the unmirrored swap
device is on fails.
Assuming the OP's S11 Express system is quiescent, it might
be worth trying to update to S11 with those swap devices deleted.

John
***@acm.org


John Taylor
2011-12-14 21:48:20 UTC
On Wed, Dec 14, 2011 at 4:40 PM, John D Groenveld
Post by John D Groenveld
Post by John Taylor
OTOH, having additional swap may be required, but having an
inconsistent configuration (some swap mirrored, some not)
could cause a problem if a device that the unmirrored swap
device is on fails.
Assuming the OP's S11 Express system is quiescent, it might
be worth trying to update to S11 with those swap devices deleted.
Well, after a second look, I see swap on my /etc/vfstab on my
zfs root systems. I can see putting swap off on a disk device
if the zfs root is SSD. Still, non-mirrored swap potentially exposes
the system to unpredictable results if a swap device goes away.


Rob McMahon
2011-12-15 10:52:06 UTC
Post by John D Groenveld
Post by John Taylor
OTOH, having additional swap may be required, but having an
inconsistent configuration (some swap mirrored, some not)
could cause a problem if a device that the unmirrored swap
device is on fails.
Assuming the OP's S11 Express system is quiescent, it might
be worth trying to update to S11 with those swap devices deleted.
Thanks for the thoughts. This machine has had a long history, and
frankly I'd forgotten about the separate swap devices. The rpool is
made up of the *s0 devices and the swap partitions are (were) *s1.

(beadm list shows
bfu-1 - - 72.80M static 2010-08-26 14:44
on-nightly-142 - - 864.28M static 2010-06-21 15:45
openindiana-147 - - 31.06M static 2010-09-30 12:23
opensolaris-134a - - 764.10M static 2010-09-30 11:49
os-devel_145 - - 21.92M static 2010-09-02 11:42
os-devel_145-2 - - 13.89G static 2010-09-02 15:58
solaris_11-11_11 NR / 106.81G static 2011-12-06 15:13
solaris_nv151 - - 21.12M static 2010-11-16 10:17
solaris_nv151-10 - - 24.78M static 2011-08-23 12:40
...
solaris_nv151-13 - - 108.45M static 2011-11-09 09:28
)

Anyway, I tried adding a zvol swap device, and removing the swap disk
partitions (including from vfstab), but the upgrade errors are identical.
Post by John D Groenveld
env BE_PRINT_ERR=true pkg image-update -v
...
_update_vfstab: failed to open vfstab (/tmp/.be.GXayzw/etc/vfstab): No
such file or directory
be_copy: failed to update new BE's vfstab (solaris_11-11_11-1)
be_copy: destroying partially created boot environment
be_mount_callback: failed to mount dataset
rpool/ROOT/solaris_11-11_11-1/opt at /tmp/.be.HXayzw/opt: mountpoint or
dataset is busy
be_mount: failed to mount BE (solaris_11-11_11-1) on /tmp/.be.HXayzw
be_destroy_zones: failed to mount the BE (solaris_11-11_11-1) for zones
processing.
pkg: Unable to clone the current boot environment.
Any other ideas ?

Rob
--
E-Mail: ***@warwick.ac.uk PHONE: +44 24 7652 3037
Rob McMahon, IT Services, Warwick University, Coventry, CV4 7AL, England



John D Groenveld
2011-12-15 16:27:50 UTC
Post by Rob McMahon
Thanks for the thoughts. This machine has had a long history, and
frankly I'd forgotten about the separate swap devices. The rpool is
made up of the *s0 devices and the swap partitions are (were) *s1.
(beadm list shows
bfu-1 - - 72.80M static 2010-08-26 14:44
on-nightly-142 - - 864.28M static 2010-06-21 15:45
openindiana-147 - - 31.06M static 2010-09-30 12:23
opensolaris-134a - - 764.10M static 2010-09-30 11:49
os-devel_145 - - 21.92M static 2010-09-02 11:42
os-devel_145-2 - - 13.89G static 2010-09-02 15:58
solaris_11-11_11 NR / 106.81G static 2011-12-06 15:13
solaris_nv151 - - 21.12M static 2010-11-16 10:17
solaris_nv151-10 - - 24.78M static 2011-08-23 12:40
...
solaris_nv151-13 - - 108.45M static 2011-11-09 09:28
)
Anyway, I tried adding a zvol swap device, and removing the swap disk
partitions (including from vfstab), but the upgrade errors are identical.
I would try creating a new BE on another disk and also
creating a new from a prior BE then trying to update it
to S11.

John
***@acm.org


Rob McMahon
2011-12-20 11:26:44 UTC
Post by Rob McMahon
Anyway, I tried adding a zvol swap device, and removing the swap disk
partitions (including from vfstab), but the upgrade errors are identical.
env BE_PRINT_ERR=true pkg image-update -v
...
_update_vfstab: failed to open vfstab (/tmp/.be.GXayzw/etc/vfstab): No
such file or directory
be_copy: failed to update new BE's vfstab (solaris_11-11_11-1)
be_copy: destroying partially created boot environment
be_mount_callback: failed to mount dataset
rpool/ROOT/solaris_11-11_11-1/opt at /tmp/.be.HXayzw/opt: mountpoint or
dataset is busy
be_mount: failed to mount BE (solaris_11-11_11-1) on /tmp/.be.HXayzw
be_destroy_zones: failed to mount the BE (solaris_11-11_11-1) for zones
processing.
pkg: Unable to clone the current boot environment.
For anyone else suffering similar problems, the solution was:

1) comment out the entry for / from /etc/vfstab
2) env BE_PRINT_ERR=true beadm create solaris_11-11_11-1
... which results in a bunch of errors including one about the following
filesystem
3) zfs umount rpool/ROOT/solaris_11-11_11-1/opt
4) zfs set mountpoint=/ rpool/ROOT/solaris_11-11_11-1
... you can now check that this beadm is mountable:
5) env BE_PRINT_ERR=true beadm mount solaris_11-11_11-1 /mnt
... hopefully no errors
6) beadm umount solaris_11-11_11-1
7) beadm activate solaris_11-11_11-1
8) reboot into the new environment
... and the image-update worked.

Thanks to Danek Duvall for the initial suggestion about the entry for /
in /etc/vfstab. The dataset entry needed to be changed from legacy to
"/" at the same time. It appears you can't upgrade a system with a root
filesystem which is "legacy" and in vfstab, and that the mount of /opt
underneath throws it more.

Rob
--
E-Mail: ***@warwick.ac.uk PHONE: +44 24 7652 3037
Rob McMahon, IT Services, Warwick University, Coventry, CV4 7AL, England
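
The condition identified in the post above (a ZFS root filesystem listed in /etc/vfstab while the root dataset's mountpoint is "legacy") can be checked before running `beadm create` or `pkg image-update`. This script is an added example, not part of the original thread: the function names are hypothetical, the sample vfstab is constructed from the entries quoted earlier, and the mountpoint value is passed as an argument (on a live system it would come from `zfs get -H -o value mountpoint <dataset>`).

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the condition
# that blocked BE cloning in the post above.

# Print the device field of any vfstab entry that mounts a zfs filesystem
# at "/". Returns 0 if such an entry exists, 1 otherwise.
# vfstab fields: device-to-mount, device-to-fsck, mount-point, FS-type, ...
vfstab_zfs_root_entry() {
    awk '
        $1 ~ /^#/ { next }                 # skip comment lines
        NF < 4    { next }                 # skip blank or short lines
        $3 == "/" && $4 == "zfs" { print $1; found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# be_clone_preflight VFSTAB MOUNTPOINT_VALUE
# MOUNTPOINT_VALUE is the root dataset's "mountpoint" property.
# Returns 0 when neither blocking condition is present, 1 otherwise.
be_clone_preflight() {
    vfstab=$1
    mountpoint_value=$2
    status=0
    if dataset=$(vfstab_zfs_root_entry "$vfstab"); then
        echo "vfstab: zfs entry for / present ($dataset); comment it out"
        status=1
    fi
    if [ "$mountpoint_value" = "legacy" ]; then
        echo "zfs: root dataset mountpoint is legacy; expected /"
        status=1
    fi
    return $status
}

# Constructed sample input; the entries match the vfstab quoted in the thread.
write_sample_vfstab() {
    cat > "$1" <<'EOF'
#device device mount FS fsck mount mount
#to mount to fsck point type pass at boot options
/proc - /proc proc - no -
swap - /tmp tmpfs - yes -
rpool/ROOT/solaris_11-11_11 - / zfs - no -
/dev/dsk/c5t0d0s1 - - swap - no -
EOF
}

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample_vfstab "$sample"
be_clone_preflight "$sample" legacy || echo "result: fix the above before cloning the BE"
rm -f "$sample"
```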



palowoda
2011-12-20 12:00:00 UTC
Post by Rob McMahon
Thanks to Danek Duvall for the initial suggestion about the entry for /
in /etc/vfstab. The dataset entry needed to be changed from legacy to
"/" at the same time. It appears you can't upgrade a system with a root
filesystem which is "legacy" and in vfstab, and that the mount of /opt
underneath throws it more.
Did Danek indicate it was a bug or an RFE or GWTMM (Great Way to Make Money) over a self-inflicted wound?

---Bob




Dave Miner
2011-12-20 19:22:48 UTC
Post by palowoda
Post by Rob McMahon
Thanks to Danek Duvall for the initial suggestion about the entry for /
in /etc/vfstab. The dataset entry needed to be changed from legacy to
"/" at the same time. It appears you can't upgrade a system with a root
filesystem which is "legacy" and in vfstab, and that the mount of /opt
underneath throws it more.
Did Danek indicate it was a bug or an RFE or GWTMM (Great Way to Make
Money) over a self-inflicted wound?
It was a flag day along the way that perhaps should have been covered in
the release notes. I'd expect the number of systems affected to be
quite small, though.

Dave


palowoda
2011-12-14 23:53:54 UTC
Post by Alan Coopersmith
Post by palowoda
pkg facets and variant always confuse me. Say for instance you use a facet on apache-22. Obvious that the apache server with all the modules are going to be the most contentious part of Solaris someone is going to want to upgrade. Look at all the modules that one must add with respect to apache that require newer versions of apache than Oracle delivers. Anyways.
--------------------------------------------------
Recursing into linked image: zone:patrick
Returning from linked image: zone:patrick
Packages to update: 882
Variants/Facets to change: 1
Create boot environment: No
Create backup boot environment: Yes
PHASE ACTIONS
Removal Phase 1/1
PHASE ITEMS
Image State Update Phase 2/2
--------------------------------------------------------
So does that mean 882 packages are unlocked?
It checked 882 packages to see if they needed changes, since many facets affect
lots of packages, like the ones for docs, devel bits & locale, and the system
doesn't know that the version-lock facet is special and only affects the
incorporations. There are some open bugs for optimizations being done to the
facet changing.
Sigh. I sometimes wonder about the Solaris development team's nomenclature. The output said "Packages to update", not packages checked. And the Removal Phase of one package would scare the crap out of a system admin because it's not removing anything.

After having some time to use Linux package management I can understand the reluctance and confusion of coming from that environment using yum or apt-get would be frustrating. Linux package management is evolutionary where I think pkg is a revolution. Pkg did start out simple when opensolaris was introduced. But it did go through a couple of iterations changing the meta-data and adding functionality along the way that made it complex. Well, complex compared to other package management tools where new users would come from. You could write a college course on pkg.

I think the real challenge for Oracle now is training new system admins to use pkg. Oracle kind of wiped out all the help and resources that the opensolaris project would help in doing this. Not completely; the opensolaris.org site is still online, but can you imagine if Oracle pulled the plug on the opensolaris.org site? New admins coming to Solaris 11 would be totally lost. That is an objective of Oracle's, to pull the opensolaris.org site, right? They are doing a good slow job of it. But they should replace it with something. The forums.oracle.com site is a rather pathetic answer and the docs assume you understand the history of pkg.

But pkg is fun, slow and logical. Needs some work but I'm sure Oracle will keep us all informed what is going on.

---Bob




Ian Collins
2011-12-15 00:03:44 UTC
Post by palowoda
I think the real challenge for Oracle now is training new system admins to use pkg. Oracle kind of wiped out all the help and resources that the opensolaris project would help in doing this. Not completely; the opensolaris.org site is still online, but can you imagine if Oracle pulled the plug on the opensolaris.org site? New admins coming to Solaris 11 would be totally lost. That is an objective of Oracle's, to pull the opensolaris.org site, right? They are doing a good slow job of it. But they should replace it with something. The forums.oracle.com site is a rather pathetic answer and the docs assume you understand the history of pkg.
But pkg is fun, slow and logical. Needs some work but I'm sure Oracle will keep us all informed what is going on.
At least they have had the good sense to keep the pkg and install mail
lists open.
--
Ian.



Alan Coopersmith
2011-12-15 00:07:10 UTC
Post by palowoda
Post by Alan Coopersmith
It checked 882 packages to see if they needed changes, since many facets affect
lots of packages, like the ones for docs, devel bits & locale, and the system
doesn't know that the version-lock facet is special and only affects the
incorporations. There are some open bugs for optimizations being done to the
facet changing.
Sigh. I sometimes wonder about the Solaris development team's nomenclature. The output said "Packages to update", not packages checked.
I think that's covered by bug
https://defect.opensolaris.org/bz/show_bug.cgi?id=18246 but the
Post by palowoda
And the Removal Phase of one package would scare the crap out of system admin because it's not removing anything.
It's removing the record of the constraint dependency that locks down the
version of that package. If you were removing packages, you'd see the
number of files removed there, not the number of packages.
Post by palowoda
I think the real challenge for Oracle now is training new system admins to use pkg.
Training should be covered as part of the Solaris 11 courses. Documentation is
definitely a work in progress - you can see an excellent example that
unfortunately didn't make it into the S11 11/11 doc set:

https://timsfoster.wordpress.com/2011/10/17/replacing-the-application-packaging-developers-guide/

While it presents the system from the developer point of view, it does also
explain a lot of the underlying technology that may help an admin understand it.

For instance, if you download the current pdf draft from
http://defect.opensolaris.org/bz/attachment.cgi?id=4607
you'll find descriptions of how we used the incorporations mechanism in building
the OS to enforce these constraints and provided the facet.version-lock
mechanism to allow admins to opt out of them.
--
-Alan Coopersmith- ***@oracle.com
Oracle Solaris Platform Engineering: X Window System



palowoda
2011-12-15 09:22:57 UTC
Post by Alan Coopersmith
Post by palowoda
I think the real challenge for Oracle now is training new system admins to use pkg.
Training should be covered as part of the Solaris 11 courses. Documentation is
definitely a work in progress - you can see an excellent example that
https://timsfoster.wordpress.com/2011/10/17/replacing-the-application-packaging-developers-guide/
While it presents the system from the developer point of view, it does also
explain a lot of the underlying technology that may help an admin understand it.
While Tim's blog does help, I wonder how much of this material is in the Solaris 11 training classes. I went over to take a look at what material they have when you sign up for the classes and there was little to no information at all. I could be wrong; has anybody on this list taken the Solaris Admin or Advanced Admin classes? As time goes on we should see more public repos and job descriptions that call for customized pkg services. It's kind of lacking right now.

---Bob




l***@elanor.org
2011-12-14 09:27:44 UTC
Post by Alan Coopersmith
Because the standard shipped system configuration is set to constrain
updates to install the entire SRU, not let you pick and choose which
packages to install or not, and there is no newer version of flash for
the SRU you have currently installed, only for the next SRU revision.
I assumed something like that, but the result is both
counter-intuitive and ridiculous. No, I will not accept that a reboot
is necessary to update Flash.
Post by Alan Coopersmith
This ensures you have a system package matrix that was tested together
by Oracle before release, not a custom combination that only you have
tested. (Cue standard rant about the difficulty in reproducing or
supporting such custom setups - if you've not heard it recently,
http://blogs.oracle.com/barts/entry/rethinking_patching has a copy.)
I had not realized it went beyond OS/Net.
Post by Alan Coopersmith
You can reconfigure the system to allow you to unconstrain many packages
that aren't as tightly bound together (you can't split the kernel from
libc for instance, since the system call interface between them means they
have to be in sync with each other).
For instance, for the specific case of Flash, you could run
pkg change-facet \
facet.version-lock.web/browser/firefox/plugin/firefox-flashplayer=false
And then you should be able to update it by itself. Many of the Desktop,
X11 and external open source packages have similar version-lock facets,
while those closer to the OS core do not.
I understand the idea, but even though I disagree with it, I believe
that pkg *must* tell you something like:
An update for this package is available in SRU xxx.

Not that there is no update available «for this image» (the use of
new, uncommon terminology is bad in itself: why try to confuse
newcomers who have no idea what an image is in this context?).
Post by Alan Coopersmith
This will probably have implications for support if you do have problems
after unconstraining packages, but I don't know how much of a hassle they'll
give you for that.
That'll be interesting to see.

Laurent




palowoda
2011-12-14 12:14:54 UTC
Not that there is no update available «for this image» (the use of
new, uncommon terminology is bad in itself: why try to confuse
newcomers who have no idea what an image is in this context?).
Solaris "newcomers", where?

---Bob




John D Groenveld
2011-12-14 22:47:46 UTC
Post by palowoda
Solaris "newcomers", where?
The Register hack (a Sam Palmisano and company flack?) Timothy
Prickett Morgan on Oracle's newcomer strategy:
<URL:http://www.theregister.co.uk/2011/12/12/ibm_vs_oracle_data_centre_optimisation/>

Do John Fowler and company's Exa mainframe systems come bundled
with Chuck Rozwat and company's white lab coats to handle the
S11 update issues?

John
***@acm.org


Alan Coopersmith
2011-12-14 23:18:32 UTC
Post by John D Groenveld
Do John Fowler and company's Exa mainframe systems come bundled
with Chuck Rozwat and company's white lab coats to handle the
S11 update issues?
No, I think coats need to be separately ordered, though you may convince
your sales rep to throw some in with large orders such as Exa* systems.

I only see white windbreakers though, not lab coats:
http://www.oraclestore.com/ProductList.aspx?did=13197
--
-Alan Coopersmith- ***@oracle.com
Oracle Solaris Platform Engineering: X Window System



Alan Coopersmith
2011-12-14 15:36:35 UTC
Post by l***@elanor.org
I understand the idea, but even though I disagree with it, I believe
An update for this package is available in SRU xxx.
pkg list will tell you that a new version is available, but not how to get there.
Post by l***@elanor.org
Not that there is no update available «for this image» (the use of
new, uncommon terminology is bad in itself: why try to confuse
newcomers who have no idea what an image is in this context?).
Usability & messaging improvements are definitely still areas being worked
on for IPS. You can still provide feedback directly to the IPS team on
pkg-***@opensolaris.org or via the bugzilla on defect.opensolaris.org.
--
-Alan Coopersmith- ***@oracle.com
Oracle Solaris Platform Engineering: X Window System



John Taylor
2011-12-14 16:54:43 UTC
Post by l***@elanor.org
Post by Alan Coopersmith
Because the standard shipped system configuration is set to constrain
updates to install the entire SRU, not let you pick and choose which
packages to install or not, and there is no newer version of flash for
the SRU you have currently installed, only for the next SRU revision.
I assumed something like that, but the result is both
counter-intuitive and ridiculous. No, I will not accept that a reboot
is necessary to update Flash.
Unreal. This is what happens when developers don't talk to customers.
Continuing to treat the patching mechanism like it is done on a
workstation, while touting the server-ness of Solaris

See ya Solaris 11. Not in my shop.


Bob Friesenhahn
2011-12-08 18:35:32 UTC
Post by l***@elanor.org
In that aspect, things have changed drastically since Oracle took
over. I think I've already complained about those patches whose
synopsis is «Problem with xxx».
As someone who is still paying for "support", I have found this
behavior (requiring blind application of patches) to be particularly
disturbing.

However, I notice that Debian Linux does not have this problem and the
support costs are much lower.

All of these details are factors which drive my future vendor
selection and purchasing decisions.

Bob
--
Bob Friesenhahn
***@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
