[PUP-5287] install_options capability on Solaris provider "sun" & "pkg" - clone Created: 2015/09/28  Updated: 2019/01/25  Resolved: 2019/01/25

Status: Closed
Project: Puppet
Component/s: None
Affects Version/s: None
Fix Version/s: PUP 6.2.0

Type: New Feature Priority: Normal
Reporter: Rachel Kelly Assignee: Casey Williams
Resolution: Fixed Votes: 0
Labels: customer, package, resolved-issue-added, solaris, solaris-parity, type_and_provider
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Solaris 11 i386, PE 3.7/8

Issue Links:
Team: Platform OS
Sprint: Platform OS Kanban
CS Priority: Normal
CS Frequency: 2 - 5-25% of Customers
CS Severity: 3 - Serious
CS Business Value: 3 - $$$$
CS Impact: We should support Solaris to the level we support other operating systems, including handling its native packaging.
Release Notes: Enhancement
Release Notes Summary: Adds support for install_options for the pkg provider on Solaris


In this particular situation, there are several Puppet setups in which they are trying to use the install_options functionality of the "sun" & "pkg" providers on Solaris. Puppet supports sun/pkg, but it does not, it appears, support all its pieces, as install_options is not available.

When deploying packages to Solaris agents and trying to use install_options, it adds it to the command in double quotes, rendering the command ineffective.

The addition of install_options will also enable manipulation of boot environments as they are generated.

Potentially tangentially they also need to know how to put a file in a puppet repo (central repository) for it to be found without using source?

Please let me know what other information you need on this.

Comment by William Hopper [ 2015/10/05 ]

Possibly related (though my Solaris foo is weak): commit 2e63e307b (from way, way back in 2012) refactored install_options in the sun provider.

Also, Rachel Kelly would you mind pasting some output from the failed package installation, as well as the failing manifest?

Comment by Rachel Kelly [ 2015/10/14 ]

Here's some, anonymized at <company>:

Debug: Executing '/usr/bin/pkg install --accept <company>'
*Error: Unable to update Startup: Refreshing catalog 'solaris' ... Done*
Startup: Refreshing catalog 'puppetlabs.com' ... Done
Startup: Refreshing catalog 'ha-cluster' ... Done
pkg install: The following pattern(s) did not match any allowable packages. Try using a different matching pattern, or refreshing publisher information:
*Error: /Stage[main]/Te_fpm_deploy::Solaris11/Package[<company>]/ensure: change from absent to present failed: Unable to update Startup: Refreshing catalog 'solaris' ... Done*
Startup: Refreshing catalog 'puppetlabs.com' ... Done
Startup: Refreshing catalog 'ha-cluster' ... Done

Comment by Benjamin West [ 2016/06/23 ]

Following up here that the word 'option' no longer appears in the current version of the SunOS/Solaris pkg provider, and puppet agent now states install_options is not supported at all:

Debug: /Package[openssl]: Provider pkg does not support features install_options; not managing attribute install_options

At least for my case, the desired use case for install_options would be to invoke options like 'no-backup-be' and 'deny-new-be.' That is, it would be very handy to disable pkg tool's behavior of quietly creating and activating new boot environments for certain packages, causing any subsequent filesystem changes to become orphaned on next reboot.

Comment by Benjamin West [ 2016/06/23 ]

Following up that patching the stock pkg provider to include install_options doesn't appear very difficult. I just added this to a custom module and set the 'provider' attribute on package resources to point to it instead of pkg. Now, invocation like the following works as expected:

package { 'openssl':
  ensure => latest,
  provider => 'custom_pkg',
  install_options => ['--no-backup-be', '--deny-new-be'],
}

Here is the diff against stock pkg provider:

--- pkg.rb	2016-06-23 12:23:08.443854979 -0500
+++ custom_pkg.rb	2016-06-23 12:22:02.355857268 -0500
@@ -1,6 +1,6 @@
 require 'puppet/provider/package'
-Puppet::Type.type(:package).provide :pkg, :parent => Puppet::Provider::Package do
+Puppet::Type.type(:package).provide :custom_pkg, :parent => Puppet::Provider::Package do
   desc "OpenSolaris image packaging system. See pkg(5) for more information"
   # https://docs.oracle.com/cd/E19963-01/html/820-6572/managepkgs.html
   # A few notes before we start :
@@ -19,14 +19,16 @@
   has_feature :holdable
-  commands :pkg => "/usr/bin/pkg"
+  has_feature :install_options
+  commands :custom_pkg => "/usr/bin/pkg"
   confine :osfamily => :solaris
   defaultfor :osfamily => :solaris, :kernelrelease => '5.11'
   def self.instances
-    pkg(:list, '-Hv').split("\n").map{|l| new(parse_line(l))}
+    custom_pkg(:list, '-Hv').split("\n").map{|l| new(parse_line(l))}
   # The IFO flag field is just what it names, the first field can have ether
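Review bot: the copied provider keeps the line defaultfor :osfamily => :solaris, :kernelrelease => '5.11' unchanged, so custom_pkg and the stock pkg provider both declare themselves the default for the same facts. The manifest above already selects it with an explicit provider attribute, so the defaultfor line can be dropped from the copy. Renaming the command to commands :custom_pkg is also what forces every pkg(...) call site in the later hunks to change; keeping commands :pkg => "/usr/bin/pkg" would reduce the patch to the has_feature line and the three exec_cmd calls that take install_options.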
@@ -106,11 +108,11 @@
   def hold
-    pkg(:freeze, @resource[:name])
+    custom_pkg(:freeze, @resource[:name])
   def unhold
-    r = exec_cmd(command(:pkg), 'unfreeze', @resource[:name])
+    r = exec_cmd(command(:custom_pkg), 'unfreeze', @resource[:name])
     raise Puppet::Error, "Unable to unfreeze #{r[:out]}" unless [0,4].include? r[:exit]
@@ -143,14 +145,14 @@
       # unfortunately it doesn't consider downgrades 'available' (eg. with
       # installed foo@1.0, list -a foo@0.9 would fail).
       name = @resource[:name]
-      potential_matches = pkg(:list, '-Hvfa', "#{name}@#{should}").split("\n").map{|l|self.class.parse_line(l)}
+      potential_matches = custom_pkg(:list, '-Hvfa', "#{name}@#{should}").split("\n").map{|l|self.class.parse_line(l)}
       n = potential_matches.length
       if n > 1
         warning("Implicit version #{should} has #{n} possible matches")
       potential_matches.each{ |p|
         command = is == :absent ? 'install' : 'update'
-        status = exec_cmd(command(:pkg), command, '-n', "#{name}@#{p[:ensure]}")[:exit]
+        status = exec_cmd(command(:custom_pkg), command, @resource[:install_options], '-n', "#{name}@#{p[:ensure]}")[:exit]
         case status
         when 4
           # if the first installable match would cause no changes, we're in sync
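Review bot: in the exec_cmd call inside potential_matches.each, @resource[:install_options] is passed as the raw attribute value, and nothing in this hunk covers the case where the attribute is unset or where an entry is a hash rather than a string. Suggest normalizing it once into a flat array of strings and splatting that into the call, so the -n dry run here is evaluated with exactly the argv the real install will use.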
@@ -171,7 +173,7 @@
   # http://defect.opensolaris.org/bz/show_bug.cgi?id=19159%
   # notes that we can't use -Ha for the same even though the manual page reads that way.
   def latest
-    lines = pkg(:list, "-Hvn", @resource[:name]).split("\n")
+    lines = custom_pkg(:list, "-Hvn", @resource[:name]).split("\n")
     # remove certificate expiration warnings from the output, but report them
     cert_warnings = lines.select { |line| line =~ /^Certificate/ }
@@ -185,7 +187,7 @@
     # return the first known we find. The only way that is currently available is to do a dry run of
     # pkg update and see if could get installed (`pkg update -n res`).
     known = lst.find {|p| p[:status] == 'known' }
-    return known[:ensure] if known and exec_cmd(command(:pkg), 'update', '-n', @resource[:name])[:exit].zero?
+    return known[:ensure] if known and exec_cmd(command(:custom_pkg), @resource[:install_options], 'update', '-n', @resource[:name])[:exit].zero?
     # If not, then return the installed, else nil
     (lst.find {|p| p[:status] == 'installed' } || {})[:ensure]
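Review bot: in the changed return line, @resource[:install_options] is placed before 'update', whereas the other two call sites in this patch put it after the subcommand (command, @resource[:install_options], ...). Options such as --no-backup-be and --deny-new-be belong to the subcommand, so this dry run should read exec_cmd(command(:custom_pkg), 'update', @resource[:install_options], '-n', @resource[:name]) to match the others; as written the check in latest can disagree with what the install path does.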
@@ -206,7 +208,7 @@
     unless should.is_a? Symbol
       name += "@#{should}"
-    r = exec_cmd(command(:pkg), command, '--accept', name)
+    r = exec_cmd(command(:custom_pkg), command, @resource[:install_options], '--accept', name)
     return r if nofail
     raise Puppet::Error, "Unable to update #{r[:out]}" if r[:exit] != 0
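Review bot: the raise after the changed exec_cmd call still reports "Unable to update #{r[:out]}" for both install and update and does not say which options were passed. Now that the argv varies per resource, include the subcommand and the install_options in the error text so a failure like the one pasted earlier in this ticket can be traced to the exact command that ran.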
@@ -233,7 +235,7 @@
   # list a specific package
   def query
-    r = exec_cmd(command(:pkg), 'list', '-Hv', @resource[:name])
+    r = exec_cmd(command(:custom_pkg), 'list', '-Hv', @resource[:name])
     return {:ensure => :absent, :name => @resource[:name]} if r[:exit] != 0
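
The argument handling that this comment and the ticket description turn on, as an added Ruby example that is not part of the thread and not Puppet's provider code. The helper names are hypothetical, naive_pkg_argv is an assumed reconstruction of the "options in double quotes" symptom, and the flag-only check is an added hardening step rather than something the patch does.

```ruby
# Added illustration, not Puppet's provider code. Helper names are hypothetical.
PKG = '/usr/bin/pkg' # path taken from the provider diff in the thread

# Assumed reconstruction of the reported symptom: all options are joined
# into one string, so pkg receives a single argument it cannot parse.
def naive_pkg_argv(subcommand, install_options, package)
  [PKG, subcommand, [install_options].flatten.compact.join(' '), '--accept', package]
end

# Turn nil, strings and { flag => value } hashes into one argv element per flag.
def normalize_install_options(install_options)
  [install_options].flatten.compact.flat_map do |opt|
    case opt
    when Hash then opt.keys.sort.map { |flag| "#{flag}=#{opt[flag]}" }
    else opt.to_s
    end
  end
end

# Options follow the subcommand; anything that is not a flag is refused so
# manifest data cannot add extra package patterns to a privileged command.
def build_pkg_argv(subcommand, install_options, package)
  flags = normalize_install_options(install_options)
  bad = flags.reject { |flag| flag.start_with?('-') }
  raise ArgumentError, "install_options must be flags: #{bad.inspect}" unless bad.empty?

  [PKG, subcommand, *flags, '--accept', package]
end

if __FILE__ == $PROGRAM_NAME
  opts = ['--no-backup-be', '--deny-new-be'] # options from the thread
  p naive_pkg_argv('install', opts, 'openssl')
  p build_pkg_argv('install', opts, 'openssl')
  p build_pkg_argv('update', nil, 'openssl')
end
```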

Comment by Casey Williams [ 2018/11/30 ]

This PR is up for pkg – it looks like install_options was already implemented for sun at some point.

Comment by Geoff Nichols [ 2019/01/15 ]

Casey Williams - it looks like this is passing puppet-agent#master CI - is there anything left to do here? 

Generated at Fri Dec 13 08:07:25 PST 2019 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.