I've not tried this but I would think you could patchadd -G <patch> to patch the global zone and then use patchadd <patch> inside each of the specific zones you'd like to patch. This might work for non-sparse zones but I'm not sure what would happen with sparse zones where files are mounted from the parent global zone. I'd think that even with -G in the global zone some of the file changes might bleed through to the non-global zones. It would seem a bit risky.
While it may be possible to patch some things independently, by and large it's not a strategy you should rely on. There are many things that need to be in sync between the global zone and non-global zones. For example, the kernel and libc need to be updated in lockstep. Since so many things get tied up in patches that include the kernel and/or core libraries and there are so many dependencies on those patches, this greatly limits the likelihood that you can apply OS patches separately.
If you happen to have applications that require patches, it is quite likely that the applications can be patched independently. This is because the applications should be relying upon the stable ABI (application binary interface) provided by Solaris. Even as parts of the OS are patched, the public ABI (the part applications should use) remains compatible with the previous release. It is for this reason that Solaris has the application binary guarantee - with rare exceptions, those applications that used only the public ABI in Solaris 8 will still work on Solaris 11.
M10vir wrote:
> Yes, if you have a branded (non-sparse) zone!
Branded zones and sparse zones don't have the relation that you imply. In Solaris 10, native zones can be sparse or whole-root (non-sparse, as you say). Zones that are not native zones are branded zones. Branded zones on Solaris 10 include Solaris Legacy Containers, previously known as Solaris 8 Containers and Solaris 9 Containers. That add-on product allows you to run Solaris 8 and Solaris 9 application environments under a thin layer of virtualization provided by the brands framework. solaris8 and solaris9 branded zones can be patched independently of each other and of the global zone.
Solaris 11 has no "native zones" - all zones use the brands framework. The "solaris" brand does no emulation and in that respect is very similar to native zones on Solaris 10. Solaris 11 also provides Solaris 10 Zones via the solaris10 brand. This allows zones or the global zone from a Solaris 10 system to be transferred to a Solaris 11 system and run as solaris10 zones. When running on Solaris 11, solaris10 zones can each be patched independently from each other and the Solaris 11 global zone. Technically, Solaris 11 doesn't have patches - it just has newer versions of packages to which the system is updated.