Updating Solaris 11 zones behind a proxy

I’ve forgotten this several times now, so it’s time I wrote a short post to help me remember in future! In Solaris 11 we use the Image Packaging System to maintain the software on the system. It is written in Python and uses libcurl, so on systems without zones, setting the http_proxy environment variable is sufficient to allow the system to communicate with the repository, e.g.:

# export http_proxy="http://proxy-server:3128"

With zones, however, that is not sufficient, because of how zones are updated. On a system without zones, ‘pkg install’ or ‘pkg update’ communicates directly with the publisher, so an environment variable that sets the proxy works. Local zones do not communicate with the publisher directly; they communicate with the system repository service. As the name says, this is a service, so it does not get its environment from the shell you issue the pkg command from, and hence it will not know about the proxy. This results in some unexpected errors when you try to update a system with zones. For example:

# pkg install pkg:/package/pkg
Recursing into linked image: zone:zclone
Returning from linked image: zone:zclone
Recursing into linked image: zone:zone1
Returning from linked image: zone:zone1
Recursing into linked image: zone:zone2
Returning from linked image: zone:zone2
Packages to remove:  1
Create boot environment: No
Create backup boot environment: No

Recursing into linked image: zone:zclone
Returning from linked image: zone:zclone
pkg: install failed (linked image exception(s)):

A 'sync-linked' operation failed for child 'zone:zclone' with an unexpected
return value of 1 and the following error message:
pkg: 0/1 catalogs successfully updated:

Unable to contact valid package repository
Encountered the following error(s):
Unable to contact any configured publishers.
This is likely a network configuration problem.
Framework stall:
URL: 'http://solaris-repo.us.oracle.com/s11development'. (happened 4 times)

If you look in the log file for the system repository you will also see errors showing that it can’t communicate with the publisher:

WARNING: unable to access http://solaris-repo.us.oracle.com/s11development when checking for redirects: <urlopen error timed out>

The solution is to set the http_proxy property on the service itself and then refresh the service. For example:

# svccfg -s svc:/application/pkg/system-repository:default setprop config/http_proxy=astring: "http://myproxy:3128"
# svcadm refresh svc:/application/pkg/system-repository:default

You can check the current proxy settings with:

# svcprop svc:/application/pkg/system-repository:default | grep _proxy
config/http_proxy astring ""
config/https_proxy astring ""
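
A check for the mismatch described above, as an added example that is not part of the original post: the function reads the `svcprop ... | grep _proxy` output and flags system-repository proxy properties that are empty, or different, while the shell has a proxy set. The function name, the sample text and the quote/backslash stripping are assumptions.

```shell
# Added example (not from the original post).
# Reads `svcprop <system-repository FMRI> | grep _proxy` output on stdin.
#   $1 = value of http_proxy in the calling shell
#   $2 = value of https_proxy in the calling shell
sysrepo_proxy_gaps() {
    env_http=$1
    env_https=$2
    while read -r prop type value; do
        # An unset astring is printed as ""; strip surrounding quotes and
        # any backslash escapes (assumption about svcprop's escaping).
        value=$(printf '%s' "$value" | sed -e 's/^"//' -e 's/"$//' -e 's/\\//g')
        case $prop in
            config/http_proxy)  want=$env_http ;;
            config/https_proxy) want=$env_https ;;
            *) continue ;;
        esac
        if [ -z "$want" ]; then
            continue    # the shell uses no proxy for this scheme
        elif [ -z "$value" ]; then
            echo "MISSING $prop (shell uses $want)"
        elif [ "$value" != "$want" ]; then
            echo "DIFFERS $prop=$value (shell uses $want)"
        fi
    done
}

# Constructed sample: the svcprop output shown in the post (nothing set).
sample_unset='config/http_proxy astring ""
config/https_proxy astring ""'

# On a live system the input would come from:
#   svcprop svc:/application/pkg/system-repository:default | grep _proxy
printf '%s\n' "$sample_unset" | sysrepo_proxy_gaps "http://proxy-server:3128" ""
```

A MISSING line means pkg in the global zone can reach the publisher through the shell's proxy while the zones, which go through the system repository, cannot.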

Official documentation at http://docs.oracle.com/cd/E23824_01/html/821-1460/glqjr.html

2 thoughts on “Updating Solaris 11 zones behind a proxy”

  1. One thing to mention is that this changes in the next release, with a recent IPS putback [ 55bf0cb749ae 22-Jun-2012 7136244 granular configuration of http_proxy option ] where we add a --proxy argument to ‘set-publisher’, allowing proxies to be set per-origin (I wrote this specifically because I used to always forget to set $http_proxy too 🙂).

    When origins with --proxy are configured in the global zone, the system repository will automatically use those proxies (but only if the ‘config/http*_proxy’ system-repository SMF properties are not set; otherwise, they’ll override the per-origin proxies).
