Solaris Global/Zones patching

baladelaware73 · November 7, 2016, 4:23pm

Issue is : We have Solaris Global with 12 Zones and some have 15 Zones. All the OS version are10.
Is it possible to apply patch at Zone level instead of patching at Global level? Please let me know.

hicksd8 · November 8, 2016, 7:57am

Solaris 10.....

Yes, you can apply a patch to a particular zone by running the command as the zone admin. Also, you can apply a patch to a global zone only.

Applying a Patch to a Solaris System
With Zones Installed (System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones)

jim_mcnamara · November 8, 2016, 8:01am

Caveat: does not work for sparse zones.

hicksd8 · November 8, 2016, 9:49am

Yes, thanks Jim. Many thanks for pointing that out. I missed that point.

Zones can be "whole root", that is self-sufficient operating systems with all their own binaries, or "sparse zone" where all binaries are not loaded but the global zone's binaries are used instead, ie, the global zone binaries are shared to make the zone disk space smaller.

jlliagre · November 8, 2016, 12:38pm

A few comments:

some patches might apply to packages that are required to be in sync across all zones including the global one (SUNW_PKG_ALLZONES property). In such case the patch will refuse to be applied to a single zone or the global zone only.
for obvious reasons, kernel patches are of this kind
Patches that do not modify files residing in inherited file-systems can be applied to a sparse zone.

baladelaware73 · November 9, 2016, 2:24pm

Thanks for the great response

What I'm understanding is "Sparse Zone" cannot apply patch at Zone level and for "Whole root Zone" the patch can be applied at Zone/Global level.

And some patches (kernel patch) might not be able to apply on both type of zones at Zone level and they have to be applied at Global level.

Please let me know if I'm wrong.

jlliagre · November 9, 2016, 3:17pm

I'm not sure to understand what you wrote so let me state again some facts:

Some patches can be applied to a sparse zone.

Some patches need to be applied at once to all zones including the global one, and from the latter.

Many patches can be applied to a single zone, whether global or not.

The fact a zone is sparse is strongly limiting the number of patches that can be applied to it.

baladelaware73 · November 9, 2016, 3:52pm

Thanks for stating it. Summarizing below, please confirm.

"Whole root Zone" - Normally patches can be applied at Zone or Global level. But some patches (kernel) has to be applied only at Global level.

"Sparse Zone" - Any patches have to be applied only at Global level.

jlliagre · November 9, 2016, 6:41pm

I wouldn't use "normally" but "most" instead. All patches are "normal".
Kernel is an example, there are many patches that aren't kernel patches but that nevertheless need to be applied to all zones, not only the global one as you state.
Your last statement is incorrect and contradict the first statement of my previous posting.

baladelaware73 · November 10, 2016, 11:24am

Correcting my statement below.
For "Sparse Zone" type, all kind of patches have to be applied at Global and Zone level.

jlliagre · November 10, 2016, 12:18pm

Still incorrect