IPS – Packaging for Oracle Solaris 11 · Design Concepts Best practice is the default practice. Minimize planned and unplanned downtime. Integrate the facilities in Solaris to deliver

2 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

IPS – Packaging for Oracle Solaris 11

Bart SmaaldersSolaris Core TechnologyLISA 2011

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Rationale for change

● Packaging & Patching problems were #1 customer complaint in all of Solaris.

● Customer uptime requirements demanded rethinking how software is managed.

● Solaris growth made pure media based distributions impractical.● Increased use of virtualization and Zones demanded more flexible installation and packaging mechanisms.

● Patch creation overhead made limited business options for Solaris.

Design Concepts

●Best practice is the default practice. ● Minimize planned and unplanned downtime.● Integrate the facilities in Solaris to deliver a better experience.● Automate everything possible.● Use software repositories, local or remote, for software installation – and make them easy to move, replicate and share.

● Make software installation cryptographically secure/auditable.● Make software minimization work.● Include all the tools needed to build Solaris distribution as part of Solaris – and have developers use same installation/update tools that customers do.

Design Concepts, cont.

● Avoid side-band meta-data – all the meta-data for a package belongs in the package.

● Drive system behavior with data, not scripts... and make sure that information is as high level as practical.

● Support higher-level objects directly in packages.

7 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Install, packaging and patching – an integrated design.

Simplifiedarchitecture

+ImprovedautomaFon

+Improvedsafety

+Improvedflexibility

+ImprovedintegraFon

=BeGeruserexperience

•No longer a collection of independent parts

OnaLargeScale

8 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Boot Environments

•ZFS Boot Environments Benefits–No initial investment–Updates are applied to a file system clone, no interruption–Reboot into upgraded environment when you’re ready–Trivial roll-back if failure occurs–Integrated, enforced best practice for safety•Fast reboot reduces maintenance windows•Excellent for recovery purposes•Maintains mirrored root during upgrade operations.•Zones also use boot environments, one or more per global zone boot environment per zone.•Managed by beadm(1M) command.

AcFveBE

AcFveBENewBE

AcFveBEUpdatedBE

9 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Oracle Solaris 11 Lifecycle ManagementImproved updates with IPS

•4XFasterupgradestypical•CreateZFSbootenvironmenttosafelyapplyupdates•Fulldependencycheckofpackages,cryptoverified,auditable•RebootupdatedZFSbootenvironment

NewSecurityPatch

6:00:pkg update

6:00‐6:02:Dependencychecks,patch/updateplanning

6:02‐6:04:Newbootenvironmentcreated,updatesdownloadedandapplied6:04‐6:06:rebootupandrunningagain

Maintenance window: 6-7pm

10 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Image Packaging System

•Networked package repositories•Cryptographically verified•Complete set of tools•Package, version, and distribute your internal applications•Easy to pilot and automate•Best practice is the default practice•Can’t stray off track

•Change Management Built for the Enterprise

10

Lightningfastupdates

Key IPS features

● IPS is biased toward networked software distribution; CD/DVDs are supported, along w/ archive files. Client supports multiple repositories from different vendors.

● Packaging & patching are now one and the same; no more patchids/versions. Packages are now versioned instead.

● Package variants are used to provide multiple architecture packages and define what gets installed in local zones; debug kernels are also available if needed.

● Constraint based system calculates best solution to package dependency graph using SAT solver; several new dependency types are included that reflect actual software dependencies.

● Installation of additional required packages is automatic, simple and fast.● Incompatible packages are avoided.● Packages are cryptographically signed & verifiable; packages can be signed by

customers as well for internal authorizations.

Key IPS features, cont.

● Updates compute “meta-patch” transitioning system from original to desired state; pkg then downloads and installs only changed files.

● Since individual packages contain actual functional dependencies, creating custom sets of packages is simple and straightforward. Software minimization is explicitly supported.

● No more scripting during package installation/removal.● Self-assembly is the new paradigm for software components.● Facets provide supported mechanism to permit elision of optional package

components: localizations, documentation, etc● Complete set of package publication tools, including automated dependency

analysis, package lint, automated annotations/addition of metadata, etc.

Publication model

● Compile your software and install into desired directory layout.● Use pkgsend generate to produce manifest of delivered filesystem components.● Use pkgmogrify to remove undesired components, add metadata, users, groups,

manual dependencies, etc.● Use pkgdepend to analyze software for dependencies, resolve against repo or

system to add to your package.● Use pkglint to double check package construction details● Publish into a local file-based repository with pkgsend publish.● Optionally, use pkgsign to sign as-delivered manifests.● Install and test.

Usage model with Solaris

● Solaris releases consist of minor releases (three to four years apart), with (likely yearly) updates in between, and (monthly) SRUs (Support Repository Updates) in between those.

● Default behavior is to keep all parts of Solaris at same level as was tested by Oracle.

● Pkg update by default takes one's system forward to latest bits available; this can be constrained either by dependencies in user installed packages or via the pkg freeze command.

● Pkg freeze will freeze at any desired degree of specificity – minor release, update or sru.

● Some components can be “unlocked” (using facets to hide constraints) so they can either newer or older than base system; this makes it easy to run the latest Firefox (or lock on the one that is supported by the plugins you need).

Resources

● Man pages● Pkg(5) offerls useful overview● Developer guide – very handy for both admin and developers● Google for “IPS Developer Guide” ● Some good tips for managing repositories● Http://docs.oracle.com/cd/E23824_01/html/E21803/index.html● Http://blogs.oracle.com/barts● [email protected]

16 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Summary & Questions

Summary & Takeaways

● New packaging system:● Designed to streamline software maintenance.● Designed to facilitate automation, virtualization.● Reduces planned and unplanned downtime. ● The best practice is the default practice.