FAQ: Error with Update on Attach of Solaris Zone

"There’s No Such Thing As A Silly Question" -- does the cliche sound familiar? In this part of pimp-my-rig reloaded, technical questions are answered. Mail them to me and I will post the answers here. If you have a better answer, by all means share it with us.

Q. A fellow sysad phoned me a couple of days ago to ask if I experienced patching Solaris zones. When he was attaching the local zones to the global zone he got errors. As advised, he detached the local zones from the global zone before patching. This is what I used to call the detach-patch-attach method in patching Solaris hosts with zones. He was indeed very fortunate that I experienced this same error before and below is how we resolved his issue. Just to give a brief background, the error he got when attaching the local zones was:

root@global> zoneadm -z vhost1 attach -u
zoneadm: zone 'vhost1': ERROR: attempt to downgrade package SUNWlur, the source had patch 121430-25 but this system only has 121430-14
zoneadm: zone 'vhost1': ERROR: attempt to downgrade package SUNWluu, the source had patch 121430-25 but this system only has 121430-14
...
(other output truncated)
...

The above scenario happened after he detached the zones from the global zone (zoneadm -z vhost1 detach), then he applied the latest bundle patch for Solaris 10 (in single-user mode). After reboot, he allowed the server to boot to full multi-user mode.

And when he attached the zones with the update flag (zoneadm -z vhost1 attach -u), boom.. Errors!

A. This scenario happened because the package SUNWlur and SUNWluu (packages for Solaris LiveUpgrade) do not get patched by the Solaris patch bundle. Instead it has its own "special" set of patches. And unfortunately for him, the local zones have a more updated patch for LiveUpgrade than the global zone. Thus the attach with update failed.

I got the solution to the problem from a now non-existent forum -- this link. Too bad, that very informative thread has been removed. But I was glad to have gleaned something from it before it was expunged.

The solution is to append the patch IDs of every SUNWlur and SUNWluu package that would fail when trying to attach the local zones.
root@global> echo 121430 >> /usr/lib/brand/native/bad_patches
root@global> tail /usr/lib/brand/native/bad_patches
...
...
121430

After adding every patch ID entry for "special" patches required by LiveUpgrade, the local zones attach with update was successful.
root@global> zoneadm -z vhost1 attach -u
Getting the list of files to remove
Removing 1568 files
Remove 13 of 13 packages
Installing 18014 files
Add 340 of 340 packages
Updating editable files The file </var/sadm/system/logs/update_log> within the zone contains a log of the zone update.

As seen above, the local zone attached and was updated. It booted with the same kernel as the global zone and the had same patch levels. The other zones attached without errors after performing this procedure.

There are other packages that would fail when doing the upgrade on attach, not just packages for Solaris LiveUpgrade. The other ones that I know of are SUNWvts and SUNWvtss. There are others still. And this same solution is applicable to them.

I was surprised to see that the forum where this solution was shared no longer exists. It contained a wealth of information, and it will probably make the job of new sysads a bit toughter without those shared knowledge and other threads on that forum.

You might also be interested in:

Feedback

We at pimp-my-rig strive to keep on improving, help us reach that goal by leaving comments or constructive criticisms. Don't miss out on our next feature -- subscribe via RSS (What is RSS?).

Share This

3 comments: