SUMMARY:

This fast-track enhances the Solaris Zones [1] subsystem to address existing RFEs [2,3] requesting the ability to update a non-global zone when migrating from one machine to another.

Currently when we migrate a zone we validate that the destination host has the same pkg versions and patches for the zone-dependent packages as were installed on the source host. This is described in the zone migration ARC case [4]. While this is safe and ensures that the new host is capable of properly supporting the zone, it is also very restrictive.

With this enhancement, if the new host has higher versions of the zone-dependent pkgs, or higher versions of patches for those pkgs, then when we attach the zone to the new host we will enable an update of the pkgs and pkg metadata within the zone to match the new host.

Patch binding is requested for this "update on attach" capability. The stability of these interfaces is documented in the interface table below.

DETAILS:

"Update on attach" is different from a traditional zone upgrade. In the traditional upgrade all native zones are upgraded as part of upgrading the base system using a standard Solaris media image as the source for the pkgs to upgrade to. Pkg operations on pkgs with the SUNW_ALLZONES attribute set must be run from the global zone, the operation will be performed on all native zones, and this behavior is built-in to the pkg commands.

With "update on attach" we are only updating a single zone. We cannot depend on the basic pkg behavior which updates all zones when a pkg is installed in the global zone. We cannot use standard Solaris media since the host can have a variety of patches installed which have updated the base system pkgs beyond any specific Solaris release.

Instead what we want to do is similar to what happens when a zone is initially installed. The spooled pkg data and global zone files are the source for installing the zone.
In this way the zone is installed with the correct pkg versions along with any patches that have been applied to those pkgs.

We can do something similar for "update on attach". The zone 'attach' validation already generates a list of mismatched pkg versions and patches. We can use this information to determine which dependent pkgs need to be updated so that the zone can run properly on the new host. We will remove the obsolete versions of those pkgs and install the up-to-date version using the pkg data spooled in the global zone. This procedure will preserve any editable or volatile files that are delivered by these pkgs. The normal pkg install scripts and class action scripts are run as part of this process so any updates performed by these scripts will take place.

As described in [4] the dependent pkgs are those that have the SUNW_PKG_ALLZONES=true pkg attribute as well as any pkgs installed in an inherited-pkg-dir. Only these pkgs will be updated to match the new host.

We will ensure that we will only update a zone to a host running the same or later version of the dependent pkgs. For example, if the new host has a mix of higher and lower version patches as compared to the source host then we will not allow an update during the attach.

By default the zone will not be updated during attach. Instead, the existing output listing the pkgs that are out of sync will continue to be printed. We will add a new option (-u) to the 'zoneadm attach' subcommand. When this option is used then zoneadm will update the necessary pkgs during the attach (assuming there are any to update).

Because the zone has previously booted and run on the source host it is possible that there could be security issues with directly accessing the zone's filesystem to remove and add pkgs to the zone. To protect against this the pkg operations will be performed within the scratch zone [5]. The scratch zone was defined to address this specific issue for upgrading zones.

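The "same or later" rule and the default versus -u behavior described above can be sketched as follows. This is an added illustration, not code from zoneadm or from this case; the pkg names, patch ids, the numeric ordering of VERSION strings and the treatment of a missing pkg are assumptions made for the example.

```python
import re

# Constructed inventories of zone-dependent pkgs (hypothetical names and patch ids).
SRC = {"SUNWexa": {"version": "11.10.0,REV=2005.01.21", "patches": ["100001-03"]},
       "SUNWexb": {"version": "11.10.0,REV=2005.01.21", "patches": ["100002-02"]}}
DST_NEWER = {"SUNWexa": {"version": "11.10.0,REV=2005.01.21", "patches": ["100001-05"]},
             "SUNWexb": {"version": "11.10.0,REV=2005.01.21", "patches": ["100002-02"]}}
DST_MIXED = {"SUNWexa": {"version": "11.10.0,REV=2005.01.21", "patches": ["100001-05"]},
             "SUNWexb": {"version": "11.10.0,REV=2005.01.21", "patches": ["100002-01"]}}

def vkey(version):
    # Assumption: order VERSION strings by their numeric fields, left to right.
    return [int(n) for n in re.findall(r"\d+", version)]

def patch_revs(patches):
    # Patch ids are written base-revision, e.g. 100001-03 -> {"100001": 3}.
    return {base: int(rev) for base, rev in (p.split("-") for p in patches)}

def compare_pkg(src, dst):
    """Classify the destination host's copy of one pkg: 'same', 'newer' or 'older'."""
    sv, dv = vkey(src["version"]), vkey(dst["version"])
    if sv != dv:
        return "newer" if dv > sv else "older"
    sp, dp = patch_revs(src["patches"]), patch_revs(dst["patches"])
    # A source patch that is absent or at a lower revision on the destination
    # counts as a downgrade (patch obsoletion is not modelled here).
    if any(dp.get(base, -1) < rev for base, rev in sp.items()):
        return "older"
    return "same" if sp == dp else "newer"

def plan_attach(source, dest, update=False):
    """Return (action, pkgs); update=True stands for 'zoneadm attach -u'."""
    newer, older = [], []
    for pkg, src in sorted(source.items()):
        # Assumption: a dependent pkg missing on the destination blocks the attach.
        verdict = compare_pkg(src, dest[pkg]) if pkg in dest else "older"
        if verdict == "older":
            older.append(pkg)
        elif verdict == "newer":
            newer.append(pkg)
    if older:                      # any lower pkg or patch: never update
        return ("refuse", older)
    if newer:                      # default prints the mismatch list only
        return ("update" if update else "report", newer)
    return ("attach", [])
```
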
We cannot use the pkgrm(1M) and pkgadd(1M) commands to update the zone while running within the scratch zone. Those commands explicitly disallow removing or adding a pkg with the SUNW_ALLZONES attribute set unless running in the global zone. Instead we will use the /usr/sadm/install/bin/pkgremove and /usr/sadm/install/bin/pkginstall commands directly. The pkgrm and pkgadd commands are wrappers to those commands.

Those commands were formerly part of the ON consolidation but moved to the Install consolidation as part of [6]. That case documents man pages for pkgremove and pkginstall but no such man pages exist. No stability level is documented for these two commands so we're assuming these are consolidation private and a contract is needed to directly use these commands.

The command line options being used are:

/usr/sadm/install/bin/pkgremove:

    -a    same as public pkgrm option
    -F    private - used by upgrade to suppress actual removal of
          files delivered by the pkg
    -M    same as public pkgrm option
    -n    same as public pkgrm option
    -O inherited-filesystem={IPD}
          private - used to specify the zone's inherited-pkg-dir
          entries
    -R    same as public pkgrm option

/usr/sadm/install/bin/pkginstall:

    -a    same as public pkgrm option
    -C    private - disable checksums since files are installed via
          a separate copy from the global zone
    -h    private - enable hollow pkg support
    -N pkgadd
          private - error msgs use the name "pkgadd" instead of
          "pkginstall"
    -n    same as public pkgrm option
    -O addzonename
          private - error msgs include zonename
    -O inherited-filesystem={IPD}
          private - used to specify the zone's inherited-pkg-dir
          entries
    -R    same as public pkgrm option
    -S    private - suppress copyright output
    -t    private - suppress spooled pkg creation
    -z    private - install zone pkg data from spooled pkg data

EXPORTED INTERFACES

    zoneadm attach option [-u]          Evolving

IMPORTED INTERFACES

    pkgremove, pkginstall and their
    options described in this case      Contracted Consolidation Private

REFERENCES

1. PSARC 2002/174 Virtualization and Namespace Isolation in Solaris
2. RFE: zoneadm attach should patch/update the zone to the new hosts level
   Bugid 6480464
   http://bugs.opensolaris.org/view_bug.do?bug_id=6480464
3. RFE: zoneadm detach/attach should work between sun4u and sun4v architecture
   Bugid 6576592
   http://bugs.opensolaris.org/view_bug.do?bug_id=6576592
4. PSARC/2006/030 Zone migration
5. PSARC/2005/474 Zones Upgrade
6. PSARC/2002/274 Move SVr4 Packaging from ON to ADMIN