Grammar nit.

a day ago by danmcd
Page History
  1. Upgrading to r151022. 
  2. Upgrading to the Very Latest 
  3. Upgrading to OpenSSH from SunSSH 
  4. A *NEW* REMINDER ABOUT NUMBER OF BOOT ENVIRONMENTS 
  5. Performing the Upgrade (lipkg zones from a r151014 or later stable) 
  6. Performing the Upgrade (ipkg zones only - NEW METHOD) 

Upgrading to r151022. #

One may upgrade any of r151014, r151016, r151018, r151020, or r151021/bloody to r151022.

Upgrading to the Very Latest #

There are updates specifically out to insure a smooth upgrade to r151022. The ca-bundle package MUST be updated on any release you have, even ones officially EOSLed. Please make sure "pkg update -n" produces no output and that "pkg list -v ca-bundle" shows an April 2017 timestamp.

Upgrading to OpenSSH from SunSSH #

SunSSH has been end-of-lifed in r151020 and later (including, of course, r151022). To this end, either prior to the upgrade switch to OpenSSH:

/usr/bin/pkg install --no-backup-be --reject pkg:/network/ssh --reject pkg:/network/ssh/ssh-key --reject pkg:/service/network/ssh --reject pkg:/service/network/ssh-common pkg:/network/openssh pkg:/network/openssh-server

Or add all of the --reject options shown above to any pkg update commands below for linked-image deployments. If you use non-linked image zones (ipkg), you must update to SunSSH PRIOR to reboot.

Switching from SunSSH to OpenSSH will require commenting-out MaxAuthTriesLog and RhostsAuthentication options from /etc/ssh/sshd_config. Also both ListenAddress directives MUST be commented out (SunSSH has one uncommented by default). There will be an sshd_config.new to consult, which comes from a fresh, unhindered installation of OpenSSH.

Also, if you have entries in /etc/pam.conf you may need to update them. For example, one may need to s/sshd-kbdint/sshd/ to re-enable their two-factor authentication.

ALL INSTALLATIONS WITH ZONES MUST update all zones (including global) to OpenSSH pre-upgrade. Even linked-image zones will require per-zone installation, because of how SunSSH/OpenSSH were mediated prior to SunSSH's end-of-life.

A *NEW* REMINDER ABOUT NUMBER OF BOOT ENVIRONMENTS #

GREAT NEWS! Once you switch to Loader - there are no limits on the number of boot environments you can have. Loader handles any number of them.

If you are still using GRUB, however, and if you get your machine into a state where grub will not boot, there are two different recovery methods available.

Performing the Upgrade (lipkg zones from a r151014 or later stable) #

WARNING: For the linked-images to upgrade, you MUST switch all zones pre-upgrade to OpenSSH for this to work if you have not already. See above for how to switch to OpenSSH. Please make sure all zones have OpenSSH installed prior to following any directions below.

If you have moved to linked-image (lipkg) non-global zones exclusively, the upgrade process can be simpler, modulo some setup.

  • If you wish to avoid a window of on-rpool log overflow between the old and new boot environments, disable any services that log in appropriate zones (including global).
  • Make sure the global zone can reach the network.
  • Create a backup boot environment for safety (being careful of the number of BEs):
beadm create <appropriate-backup-name>
  • Change the publisher (as root or with privilege) in every NATIVE (ipkg or lipkg) zone root, including global. For example, going from r151014 to r151022:
/usr/bin/pkg set-publisher -G http://pkg.omniti.com/omnios/r151014/ -g https://pkg.omniti.com/omnios/r151022/ omnios
/usr/bin/pkg -R /zones/zone1/root set-publisher -G http://pkg.omniti.com/omnios/r151014/ -g https://pkg.omniti.com/omnios/r151022/ omnios
/usr/bin/pkg -R /zones/zone2/root set-publisher -G http://pkg.omniti.com/omnios/r151014/ -g https://pkg.omniti.com/omnios/r151022/ omnios
.  .  .
  • If you have non-OmniOS IPS publishers, some of those packages may not yet be aware of r151022 and block the upgrade (e.g. some ms.omniti.com packages). Uninstall these ones prior to the update.
  • Perform the update, optionally specifying the new BE name, and if you are on SunSSH, adding the --reject arguments as well:
/usr/bin/pkg update {--be-name new-BE-name}
  • Many times a BE is named after the release it's becoming. For example:
/usr/bin/pkg update --be-name r151022
  • Reboot

NOTE: Once past a release migration, linked-image zones continue to offer great convenience, because a single "pkg update" in the global zone easy updates all linked-image zones, if you use the "-r" flag. Linked images have new behavior once you upgrade to r151022, and requiring the use of "-r" is one of them.

Performing the Upgrade (ipkg zones only - NEW METHOD) #

WARNING: This is the ONLY method that works for ipkg zones now, due to pkg(5) changes. For the detach/attach method of upgrade, you MUST switch all zones pre-upgrade to OpenSSH for this to work if you have not already. See above for how to switch to OpenSSH. Please make sure all zones have OpenSSH installed prior to following any directions below.

If you have non-global native (ipkg) zones, they must be shutdown and detached at this time.

LX Zones are not upgraded individually. Their native bits are directly inherited from the global zone, and Linux bits should be updated while running inside the zone.

After shutting down the zones gracefully (zlogin; shutdown -i5 -g0 -y):

/usr/sbin/zoneadm -z <zonename> detach

It would also be a good idea to take a ZFS snapshot of the zone root in case it's needed for rollback (such as if there are issues with the zone upgrade.)

/usr/sbin/zfs snapshot -r <zoneroot>@<old-release>
where <zoneroot> is the name of the ZFS dataset whose mountpoint corresponds to the value of zonepath in the zone's configuration. There are child datasets under this one, so we use the -r option to recursively snapshot all.

Because each OmniOS release has its own dedicated repo, you will first need to set the omnios package publisher to the repository for r151022:

/usr/bin/pkg unset-publisher omnios

/usr/bin/pkg set-publisher -P --set-property signature-policy=require-signatures -g https://pkg.omniti.com/omnios/r151022/ omnios

Update the global zone. The --be-name argument is optional, but it's nice to use a name that's more meaningful than "omnios-N". Add a '-nv' after the 'update' sub-command to do a dry run if you're unsure of what will happen. REMEMBER - You must change to OpenSSH first before using this method.

/usr/bin/pkg update --be-name=omnios-r151022 entire@11,5.11-0.151022

This will create a new BE and install r151022 packages into it. When it is complete, reboot your system. The new BE will now be the default option in GRUB.

Once booted into your new r151022 BE, if you don't have non-global zones, you are done with the upgrade.

Attach each ipkg zone. NOTE: This will fail due to the Python 2.6 -> 2.7 migration. DO NOT PANIC. The zone's publisher will have been updated, and it will be mounted in /zones/<zonename>/root/, however.

/usr/sbin/zoneadm -z <zonename> attach -u

Next, use the -R option to pkg(1M) and force-upgrade the zone

/usr/bin/pkg -R /zones/<zonename>/root update

If you'd forgotten to upgrade your zone to OpenSSH, try again, but with all of the --reject flags:

/usr/bin/pkg -R /zones/<zonename>/root update --reject pkg:/network/ssh --reject pkg:/network/ssh/ssh-key --reject pkg:/service/network/ssh --reject pkg:/service/network/ssh-common pkg:/network/openssh pkg:/network/openssh-server

Finally, attach the zone to reality check its integrity:

/usr/sbin/zoneadm -z <zonename> attach -u

The attach should be quick, as the upgrade already happened. The zone is now updated and ready to boot.