I’ve forgotten this several times now, so it’s time I wrote a short post to help me remember in future! In Solaris 11 we use the Image Packaging System (IPS) to maintain the software on the system. IPS is written in Python and uses libcurl, so on systems without zones, setting the http_proxy environment variable is sufficient to allow the system to communicate with the repo, e.g.:
# export http_proxy="http://proxy-server:3128"
With zones, however, that is not sufficient, because of how zones are updated. On a system without zones you run ‘pkg install’ or ‘pkg update’ and the pkg client communicates directly with the publisher, so a proxy set in an environment variable works. Local zones, however, do not communicate with the publisher directly; they communicate with the system repository service. The system repository service is, as the name says, a service, so it does not inherit its environment from the shell you issue the pkg command from and therefore knows nothing about the proxy. This results in some unexpected errors when you try to update a system with zones. For example:
# pkg install pkg:/package/pkg
Recursing into linked image: zone:zclone
Returning from linked image: zone:zclone
Recursing into linked image: zone:zone1
Returning from linked image: zone:zone1
Recursing into linked image: zone:zone2
Returning from linked image: zone:zone2
Packages to remove: 1
Create boot environment: No
Create backup boot environment: No
Recursing into linked image: zone:zclone
Returning from linked image: zone:zclone
pkg: install failed (linked image exception(s)):
A 'sync-linked' operation failed for child 'zone:zclone' with an unexpected return value of 1 and the following error message:
pkg: 0/1 catalogs successfully updated:
Unable to contact valid package repository
Encountered the following error(s):
Unable to contact any configured publishers.
This is likely a network configuration problem.
Framework stall:
URL: 'http://solaris-repo.us.oracle.com/s11development'. (happened 4 times)
If you look in the log file for the system repository you will also see errors showing that it can’t communicate with the publisher:
WARNING: unable to access http://solaris-repo.us.oracle.com/s11development when checking for redirects: <urlopen error timed out>
The solution is to set the http_proxy property on the service itself and then refresh the service, for example:
# svccfg -s svc:/application/pkg/system-repository:default setprop config/http_proxy=astring: "http://myproxy:3128"
# svcadm refresh svc:/application/pkg/system-repository:default
You can check the current proxy settings with:
# svcprop svc:/application/pkg/system-repository:default | grep _proxy
config/http_proxy astring ""
config/https_proxy astring ""
Official documentation at http://docs.oracle.com/cd/E23824_01/html/821-1460/glqjr.html
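A pre-update check for the mismatch described above (the shell has a proxy, the service does not), as an added example that is not part of the original post. The function name sysrepo_proxy_status and the SAMPLE_PROPS text are hypothetical, and it assumes svcprop prints a set value either bare or in double quotes with no embedded whitespace.

```shell
#!/bin/sh
# Added example: compare the system-repository proxy property with the
# proxy the shell is using, before running 'pkg update' on a zoned system.
FMRI=svc:/application/pkg/system-repository:default

# sysrepo_proxy_status PROPS WANT [PROP]
#   PROPS  svcprop output for $FMRI ("<pg>/<prop> <type> <value>" per line)
#   WANT   proxy URL the service is expected to use (e.g. $http_proxy)
#   PROP   property under config/ to check (default: http_proxy)
# Prints one word: unset, mismatch, or ok.
sysrepo_proxy_status() {
    props=$1
    want=$2
    prop=${3:-http_proxy}
    value=$(printf '%s\n' "$props" |
        awk -v p="config/$prop" '$1 == p { print $3 }')
    # An empty astring is printed as ""; strip surrounding quotes.
    value=${value#\"}
    value=${value%\"}
    if [ -z "$value" ]; then
        echo unset        # the service has no proxy: zones will stall
    elif [ "$value" = "$want" ]; then
        echo ok
    else
        echo mismatch     # the service uses a different proxy than the shell
    fi
}

# Constructed sample, in the format of the svcprop output shown above.
SAMPLE_PROPS='config/http_proxy astring ""
config/https_proxy astring ""'

# In a Solaris 11 global zone use the live properties; elsewhere the sample.
if command -v svcprop >/dev/null 2>&1; then
    live_props=$(svcprop "$FMRI")
else
    live_props=$SAMPLE_PROPS
fi
echo "config/http_proxy: $(sysrepo_proxy_status "$live_props" "${http_proxy:-}")"
```

A result of unset or mismatch means the zones will not reach the publisher through the proxy your shell uses until the property is set and the service refreshed.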
One thing to mention is that this changes in the next release, with a recent IPS putback [ 55bf0cb749ae 22-Jun-2012 7136244 granular configuration of http_proxy option ] where we add a --proxy argument to ‘set-publisher’ allowing proxies to be set per-origin (I wrote this specifically because I used to always forget to set $http_proxy too 🙂)
When origins with --proxy are configured in the global zone, the system repository will automatically use those proxies (but only if the ‘config/http*_proxy’ system-repository SMF properties are not set, otherwise, they’ll override the per-origin proxies).
very useful