Q. A fellow sysad phoned me a couple of days ago to ask if I had experience patching Solaris zones. When he was attaching the local zones to the global zone he got errors. As advised, he had detached the local zones from the global zone before patching. This is what I used to call the detach-patch-attach method of patching Solaris hosts with zones. He was indeed very fortunate that I had experienced this same error before, and below is how we resolved his issue. Just to give a brief background, the error he got when attaching the local zones was:

root@global> zoneadm -z vhost1 attach -u
zoneadm: zone 'vhost1': ERROR: attempt to downgrade package SUNWlur, the source had patch 121430-25 but this system only has 121430-14
zoneadm: zone 'vhost1': ERROR: attempt to downgrade package SUNWluu, the source had patch 121430-25 but this system only has 121430-14
... (other output truncated) ...

The above scenario happened after he detached the zones from the global zone (zoneadm -z vhost1 detach), then he applied the latest bundle patch for Solaris 10 (in single-user mode). After reboot, he allowed the server to boot to full multi-user mode.
And when he attached the zones with the update flag (zoneadm -z vhost1 attach -u), boom.. Errors!
A. This scenario happened because the packages SUNWlur and SUNWluu (packages for Solaris LiveUpgrade) do not get patched by the Solaris patch bundle. Instead they have their own "special" set of patches. And unfortunately for him, the local zones had a more recent patch for LiveUpgrade than the global zone. Thus the attach with update failed.
I got the solution to the problem from a now non-existent forum -- this link. Too bad, that very informative thread has been removed. But I was glad to have gleaned something from it before it was expunged.
The solution is to append the patch ID of every SUNWlur and SUNWluu patch that would fail when trying to attach the local zones to the file /usr/lib/brand/native/bad_patches in the global zone.

root@global> echo 121430 >> /usr/lib/brand/native/bad_patches
root@global> tail /usr/lib/brand/native/bad_patches
...
...
121430

After adding every patch ID entry for "special" patches required by LiveUpgrade, the local zones attach with update was successful.

root@global> zoneadm -z vhost1 attach -u
Getting the list of files to remove
Removing 1568 files
Remove 13 of 13 packages
Installing 18014 files
Add 340 of 340 packages
Updating editable files
The file </var/sadm/system/logs/update_log> within the zone contains a log of the zone update.

As seen above, the local zone attached and was updated. It booted with the same kernel as the global zone and had the same patch levels. The other zones attached without errors after performing this procedure.
There are other packages that would fail when doing the upgrade on attach, not just packages for Solaris LiveUpgrade. The other ones that I know of are SUNWvts and SUNWvtss. There are others still. And this same solution is applicable to them.
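The following script is an added example, not part of the original post or the forum thread: it extracts the patch IDs from the "attempt to downgrade" errors and appends only the ones missing from a bad_patches file, keeping a backup of the original. The function names and the 999999 patch ID are made up for illustration, and it assumes a POSIX shell (on Solaris 10, ksh or /usr/xpg4/bin/sh rather than /bin/sh).

```shell
#!/bin/sh
# Added example: turn "zoneadm attach -u" downgrade errors into
# bad_patches entries without duplicating lines already in the file.

# Print the unique base patch IDs (e.g. 121430) named in downgrade errors
# read from stdin. Lines that are not downgrade errors are ignored.
extract_patch_ids() {
    sed -n 's/.*ERROR: attempt to downgrade package [^,]*, the source had patch \([0-9][0-9]*\)-[0-9][0-9]*.*/\1/p' | sort -u
}

# Append each ID read from stdin to the file $1 unless an identical line
# is already present. A one-time backup of the file is kept as $1.orig.
add_bad_patches() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig"
    while read -r id; do
        # Accept digits only, so nothing unexpected lands in the file.
        case $id in ''|*[!0-9]*) echo "skipping invalid ID: $id" >&2; continue ;; esac
        grep "^${id}\$" "$file" >/dev/null 2>&1 || echo "$id" >> "$file"
    done
}

# Constructed sample: the two error lines quoted in the post plus one
# hypothetical SUNWvts line (999999 is a placeholder, not a real patch ID).
sample_errors() {
    cat <<'EOF'
zoneadm: zone 'vhost1': ERROR: attempt to downgrade package SUNWlur, the source had patch 121430-25 but this system only has 121430-14
zoneadm: zone 'vhost1': ERROR: attempt to downgrade package SUNWluu, the source had patch 121430-25 but this system only has 121430-14
zoneadm: zone 'vhost1': ERROR: attempt to downgrade package SUNWvts, the source had patch 999999-02 but this system only has 999999-01
EOF
}

# Demo against a scratch file. On a real host the target would be
# /usr/lib/brand/native/bad_patches and the input would be the output of
# "zoneadm -z vhost1 attach -u 2>&1".
demo() {
    tmp=${TMPDIR:-/tmp}/bad_patches.$$
    printf '%s\n' 111111 121430 > "$tmp"     # constructed existing content
    sample_errors | extract_patch_ids | add_bad_patches "$tmp"
    cat "$tmp"
    rm -f "$tmp" "$tmp.orig"
}

demo
```

Comparing bad_patches with bad_patches.orig afterwards shows exactly which patch IDs were added on that host.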
I was surprised to see that the forum where this solution was shared no longer exists. It contained a wealth of information, and it will probably make the job of new sysads a bit tougher without that shared knowledge and the other threads on that forum.
 








 
 
