Updating Solaris 11 zones behind a proxy

I’ve forgotten this several times now so it’s time I wrote a short post to help me remember in future! In Solaris 11 we use the Image Packaging System to maintain the software on the system. It is written in Python and uses libcurl, and for non-zoned systems setting the http_proxy environment variable is sufficient to allow the system to communicate with the repo, e.g.:

export http_proxy="http://proxy-server:3128"

With zones, however, that is not sufficient, because of how zones are updated. On a system without zones you run ‘pkg install’ or ‘pkg update’ and it communicates directly with the publisher, so an environment variable that sets the proxy works in this case. Local zones, however, communicate with the system repository service; they do not communicate with the publisher directly. The system repository service is, as the name says, a service, so it does not get its environment from the shell you issue the pkg command from and hence does not know about the proxy. This results in some unexpected errors when you try to update a system with zones. For example:

# pkg install pkg:/package/pkg
Recursing into linked image: zone:zclone
Returning from linked image: zone:zclone
Recursing into linked image: zone:zone1
Returning from linked image: zone:zone1
Recursing into linked image: zone:zone2
Returning from linked image: zone:zone2
Packages to remove:  1
Create boot environment: No
Create backup boot environment: No
 
Recursing into linked image: zone:zclone
Returning from linked image: zone:zclone
pkg: install failed (linked image exception(s)):
 
A 'sync-linked' operation failed for child 'zone:zclone' with an unexpected
return value of 1 and the following error message:
pkg: 0/1 catalogs successfully updated:
 
Unable to contact valid package repository
Encountered the following error(s):
Unable to contact any configured publishers.
This is likely a network configuration problem.
Framework stall:
URL: 'http://solaris-repo.us.oracle.com/s11development'. (happened 4 times)

If you look in the log file for the system repository you will also see errors showing that it can’t communicate with the publisher:

WARNING: unable to access http://solaris-repo.us.oracle.com/s11development when checking for redirects:

The solution is to set the http_proxy property on the service itself, for example:

# svccfg -s svc:/application/pkg/system-repository:default setprop config/http_proxy=astring: "http://myproxy:3128"
# svcadm refresh svc:/application/pkg/system-repository:default

You can check the current proxy settings with:

# svcprop svc:/application/pkg/system-repository:default | grep _proxy
config/http_proxy astring ""
config/https_proxy astring ""
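
A small check for the failure mode described above, added here as an example and not part of the original post: it reads the svcprop output on stdin and compares config/http_proxy with the proxy the shell uses. The function name and its status words are hypothetical, and stripping quotes and backslashes from the value is an assumption about how svcprop may print it.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage on a live system:
#   svcprop svc:/application/pkg/system-repository:default | grep _proxy \
#       | sysrepo_proxy_status "$http_proxy"

# sysrepo_proxy_status SHELL_PROXY   (hypothetical helper)
# Reads "property type value" lines on stdin and prints one of:
#   no-shell-proxy  the shell has no proxy set, nothing to compare
#   unset           shell uses a proxy but the service has none:
#                   'pkg update' works in the global zone, zones fail
#   match           service and shell use the same proxy
#   differs         service has a proxy, but not the shell's one
sysrepo_proxy_status() {
    shell_proxy=$1
    svc_proxy=
    while read -r prop type value; do
        [ "$prop" = "config/http_proxy" ] || continue
        # Assumption: the value may arrive quoted ("") or with
        # backslash escapes; drop both before comparing.
        svc_proxy=$(printf '%s' "$value" | tr -d '"\\')
    done
    if [ -z "$shell_proxy" ]; then
        echo no-shell-proxy
    elif [ -z "$svc_proxy" ]; then
        echo unset
    elif [ "$svc_proxy" = "$shell_proxy" ]; then
        echo match
    else
        echo differs
    fi
}

# Constructed sample: the svcprop output shown in the post (no proxy set),
# checked against the proxy exported in the shell earlier in the post.
SAMPLE='config/http_proxy astring ""
config/https_proxy astring ""'
printf '%s\n' "$SAMPLE" | sysrepo_proxy_status "http://proxy-server:3128"
```

A result of unset is the state that produces the 'sync-linked' failure shown earlier.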
