SA-202-S10 Part2

Sun Services

System Administration for the Solaris™ 10 Operating System, Part 2

SA-202-S10

8/4/2019 SA-202-S10 Part2

http://slidepdf.com/reader/full/sa-202-s10-part2 1/534


Copyright 2007 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California, 95054, U.S.A. All rights reserved.

This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any.

Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.

Sun, Sun Microsystems, the Sun logo, Solaris, JumpStart, SunSolve, OpenBoot, Ultra, Solstice DiskSuite, Sun Java, and UltraSPARC are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.

UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd.

The OPEN LOOK and Sun Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements.

U.S. Government approval might be required when exporting the product.

RESTRICTED RIGHTS: Use, duplication, or disclosure by the U.S. Government is subject to restrictions of FAR 52.227-14(g)(2)(6/87) and FAR 52.227-19(6/87), or DFAR 252.227-7015(b)(6/95) and DFAR 227.7202-3(a).

DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.


Advanced System Administration for the Solaris™ 10 Operating System (page xiv)
Copyright 2007 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision C

Managing ZFS Properties
Mounting ZFS File Systems
ZFS Web-Based Management
ZFS Snapshots
ZFS Snapshots
ZFS Clones
Using ZFS on a Solaris System With Zones Installed

Preface

About This Course


Course Goals

Upon completion of this course, you should be able to:

• Describe network basics
• Manage virtual file systems and core dumps
• Manage storage volumes
• Control access and configure system messaging
• Set up name services
• Perform advanced installation procedures

Course Map

[Diagram: course map. Section and module labels recovered from the figure, in extraction order.]

Sections:
• Describing Network Basics
• Managing Virtual File Systems and Core Dumps
• Managing Storage Volumes
• Controlling Access and Configuring System Messaging
• Setting Up Name Services
• Configuring Virtualization
• Sun Connection Services

Modules:
• Describing Interface Configuration
• Describing the Client-Server Model
• Using Name Services
• Configuring Name Service Clients
• Configuring the Network Information Service (NIS)
• Managing Swap Configuration
• Managing Crash Dumps and Core Files
• Configuring NFS
• Configuring AutoFS
• Configuring Role-Based Access Control (RBAC)
• Configuring System Messaging
• Describing RAID and Solaris Volume Manager Software
• Configuring Solaris Volume Manager Software


Topics Not Covered

This course does not cover the following topics. Many of these topics are covered in other courses offered by Sun Services:

• Basic UNIX® commands – Covered in SA-100-S10: UNIX® Essentials Featuring the Solaris™ 10 Operating System
• The vi editor – Covered in SA-100-S10: UNIX® Essentials Featuring the Solaris™ 10 Operating System
• Basic UNIX file security – Covered in SA-100-S10: UNIX® Essentials Featuring the Solaris™ 10 Operating System
• Software package administration – Covered in SA-200-S10: Intermediate System Administration for the Solaris™ 10 Operating System

• Patch maintenance – Covered in SA-200-S10: Intermediate System Administration for the Solaris™ 10 Operating System
• Adding users using the Solaris Management Console software – Covered in SA-200-S10: Intermediate System Administration for the Solaris™ 10 Operating System
• Basic system security – Covered in SA-100-S10: UNIX® Essentials Featuring the Solaris™ 10 Operating System
• Administering initialization files – Covered in SA-200-S10: Intermediate System Administration for the Solaris™ 10 Operating System

• Advanced file permissions – Covered in SA-200-S10: Intermediate System Administration for the Solaris™ 10 Operating System
• Backup and recovery – Covered in SA-200-S10: Intermediate System Administration for the Solaris™ 10 Operating System
• The lp print service and print commands – Covered in SA-200-S10: Intermediate System Administration for the Solaris™ 10 Operating System
• Process control – Covered in SA-200-S10: Intermediate System Administration for the Solaris™ 10 Operating System

• All the new features in Solaris 10 – Covered in SA-225S10: Solaris™ 10 for Experienced System Administrators
• Hardware or software troubleshooting – Covered in ST-350: Sun™ Systems Fault Analysis Workshop
• System tuning – Covered in SA-400: Enterprise System Performance Management
• Detailed shell programming – Covered in SA-245: Shell Programming for System Administrators
• Detailed network administration concepts – Covered in SA-300-S10: Network Administration for the Solaris™ 10 Operating System

Refer to the Sun Services catalog for specific information on course content and registration.

How Prepared Are You?

To be sure you are prepared to take this course, can you answer yes to the following questions?

• Can you install and boot the Solaris™ 10 Operating System (Solaris 10 OS) on a stand-alone workstation?
• Can you implement basic system security?
• Can you add users to the system using the Solaris Management Console software?
• Can you use the pkgadd command to add software packages?

• Can you monitor and mount file systems?
• Can you manage disk devices and processes?
• Can you perform backups and restorations?

Introductions

• Name
• Company affiliation
• Title, function, and job responsibility
• Experience related to topics presented in this course
• Reasons for enrolling in this course
• Expectations for this course


Module 1

Describing Interface Configuration

Objectives

• Control and monitor network interfaces
• Configure Internet Protocol Version 4 (IPv4) interfaces at boot time

Controlling and Monitoring Network Interfaces

Network commands, such as ifconfig, ping, and snoop, control and monitor the functionality of network interfaces.

Displaying the MAC Address

The media access control (MAC) address is your computer’s unique hardware address.

Two ways to display the MAC address or the Ethernet address are:

• Use the ifconfig -a command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
nge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.30.41 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:93:c9:af

• Use the boot programmable read-only memory (PROM) banner command on SPARC®-based systems:

ok banner
Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 300MHz), Keyboard Present
OpenBoot 3.31 256 MB (60ns) memory installed, Serial #9685423.
Ethernet address 8:0:20:93:c9:af, Host ID: 8093c9af.

Displaying the IP Address

The ifconfig -a command displays the current configuration for the network interfaces.

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
nge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.30.41 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:93:c9:af

Marking an Ethernet Interface as Down

You can use the ifconfig command to mark an Ethernet interface as up or down.

# ifconfig nge0 down
# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
nge0: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.30.41 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:93:c9:af

# ifconfig nge0 up
# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
nge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.30.41 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:93:c9:af
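
The following is an added example, not part of the course material: a POSIX shell and awk summary of ifconfig -a output that reports each interface's up or down state from its flag list and pads the MAC address so it matches other records. The function names are hypothetical; the sample text is the slide's own output after ifconfig nge0 down.

```shell
#!/bin/sh
# Added example, not part of the course material.
# Summarises Solaris `ifconfig -a` text: one line per interface with its
# administrative state, IPv4 address and zero-padded MAC address.

# Sample copied from the slide above, after `ifconfig nge0 down`.
sample_ifconfig() {
cat <<'EOF'
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
nge0: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.30.41 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:93:c9:af
EOF
}

# iface_report: stdin = ifconfig -a output
#               stdout = "<name> <up|down> <inet or -> <ether or ->"
iface_report() {
  awk '
    # ifconfig drops leading zeros (8:0:20:...); pad each octet so the value
    # compares equal to switch, DHCP and asset-inventory records.
    function pad_mac(m,   n, p, i, out) {
      n = split(m, p, ":")
      out = ""
      for (i = 1; i <= n; i++) {
        if (length(p[i]) == 1) p[i] = "0" p[i]
        out = out (i > 1 ? ":" : "") p[i]
      }
      return out
    }
    function emit() { if (name != "") print name, state, inet, ether }

    # Header line of an interface: "nge0: flags=...<FLAG,FLAG,...> ..."
    $1 ~ /^[A-Za-z0-9:]+:$/ && $2 ~ /^flags=/ {
      emit()
      name = $1; sub(/:$/, "", name)
      flags = $2; sub(/^[^<]*</, "", flags); sub(/>.*$/, "", flags)
      state = "down"                      # down unless UP is in the flag list
      n = split(flags, f, ",")
      for (i = 1; i <= n; i++) if (f[i] == "UP") state = "up"
      inet = "-"; ether = "-"
    }
    # Any line may carry "inet <addr>" or "ether <mac>".
    {
      for (i = 1; i < NF; i++) {
        if ($i == "inet")  inet  = $(i + 1)
        if ($i == "ether") ether = pad_mac($(i + 1))
      }
    }
    END { emit() }
  '
}

# down_interfaces: names of interfaces whose flag list lacks UP.
down_interfaces() {
  iface_report | awk '$2 == "down" { print $1 }'
}

sample_ifconfig | iface_report
```

On a live system the input would come from `ifconfig -a | iface_report`.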

Sending ICMP ECHO_REQUEST Packets

To determine if you can contact another system over the network, enter the ping command:

# ping sys41
sys41 is alive

Capturing and Inspecting Network Packets

You can use the snoop utility to capture and inspect network packets to determine what kind of data is transferred between systems.

# snoop sys41 sys42
sys41 -> sys42 ICMP Echo request (ID: 615 Sequence number: 0)
sys42 -> sys41 ICMP Echo reply (ID: 615 Sequence number: 0)

Some additional snoop options include:

snoop               Summary output
snoop -V            Summary verbose output
snoop -v            Detailed verbose output
snoop -o filename   Redirects the snoop utility output to filename in summary mode
snoop -i filename   Displays packets that were previously captured in filename
snoop -d device     Receives packets from a network interface specified by device

Configuring IPv4 Interfaces at Boot Time

Introducing IPv4 Interface Files

Network interfaces in the Solaris OS are controlled by files and services.

• The svc:/network/physical:default service
• The /etc/hostname.xxn file
• The /etc/inet/hosts file
• The /etc/inet/ipnodes file

The /etc/hostname.xxn File Entries and Corresponding Interfaces

Entry                   Interface
/etc/hostname.e1000g0   First e1000g (Intel PRO/1000 Gigabit family device driver) Ethernet interface in the system
/etc/hostname.bge0      First bge (Broadcom Gigabit Ethernet device driver) Ethernet interface in the system
/etc/hostname.bge1      Second bge Ethernet interface in the system
/etc/hostname.ce0       First ce (Cassini Gigabit-Ethernet device driver) Ethernet interface in the system
/etc/hostname.qfe0      First qfe (Quad Fast-Ethernet device driver) Ethernet interface in the system
/etc/hostname.hme0      First hme (Fast-Ethernet device driver) Ethernet interface in the system
/etc/hostname.eri0      First eri (eri Fast-Ethernet device driver) Ethernet interface in the system
/etc/hostname.nge0      First nge (Nvidia Gigabit Ethernet driver) Ethernet interface in the system

The /etc/inet/ipnodes File

A local database that associates the names of nodes with their Internet Protocol (IP) addresses.

# cat /etc/inet/ipnodes
#
# Internet host table
#
::1 localhost
127.0.0.1 localhost
192.168.30.41 sys41 loghost

Changing the System Host Name

The host name of a system is contained in four files on the system. You must modify all of these files, and perform a reboot, to successfully change a system’s host name. The files that contain the host name of a system are:

• The /etc/nodename file
• The /etc/hostname.xxn file
• The /etc/inet/hosts file
• The /etc/inet/ipnodes file
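
The following is an added example, not part of the course material: a POSIX shell check that the four files listed above all carry the same host name, so a partial rename is caught before the reboot. The function names, the ROOT prefix argument and the host name sys51 are assumptions made for the example; the test tree is constructed.

```shell
#!/bin/sh
# Added example, not part of the course material.
# Audits the four files the slide lists for one host name. ROOT is a path
# prefix ("" on a live system) so the check can also run against a test tree.

# has_name FILE NAME: succeed if NAME is a whole whitespace-separated field
# on a non-comment part of some line in FILE.
has_name() {
  awk -v n="$2" '
    { sub(/#.*/, "") }
    { for (i = 1; i <= NF; i++) if ($i == n) found = 1 }
    END { exit(found ? 0 : 1) }
  ' "$1" 2>/dev/null
}

# audit_hostname ROOT NAME: print each listed file that lacks NAME and
# return 0 only when all four agree.
audit_hostname() {
  root=$1
  name=$2
  bad=0
  for f in /etc/nodename /etc/inet/hosts /etc/inet/ipnodes; do
    if ! has_name "$root$f" "$name"; then
      echo "MISSING $f"
      bad=1
    fi
  done
  # /etc/hostname.xxn: one file per interface; at least one must carry NAME.
  # Assumption: the file holds the host name, as the slide states.
  found=0
  for f in "$root"/etc/hostname.*; do
    if [ -f "$f" ] && has_name "$f" "$name"; then
      found=1
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "MISSING /etc/hostname.xxn"
    bad=1
  fi
  return "$bad"
}

# demo_tree: constructed sample. The host was renamed from sys41 to sys51
# (sys51 is a made-up name) but /etc/inet/ipnodes was forgotten.
demo_tree() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/etc/inet"
  echo sys51 > "$d/etc/nodename"
  echo sys51 > "$d/etc/hostname.nge0"
  printf '127.0.0.1 localhost\n192.168.30.41 sys51 loghost\n' > "$d/etc/inet/hosts"
  printf '::1 localhost\n127.0.0.1 localhost\n192.168.30.41 sys41 loghost\n' \
    > "$d/etc/inet/ipnodes"
  echo "$d"
}

tree=$(demo_tree) && {
  audit_hostname "$tree" sys51 || echo "host name is not consistent"
  rm -rf "$tree"
}
```

A stale entry matters beyond name resolution here because the same line carries the loghost alias.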

The sys-unconfig Command

You can use the /usr/sbin/sys-unconfig command to restore a system’s configuration to an unconfigured state, ready to be reconfigured again.

The sys-unconfig command does the following:

• Saves the current /etc/inet/hosts file information in the /etc/inet/hosts.saved file.
• If the current /etc/vfstab file contains Network File System (NFS) mount entries, it saves the /etc/vfstab file to the /etc/vfstab.orig file.
• Restores the default /etc/inet/hosts file.

• Executes all system configuration applications. These applications are defined by prior executions of a sysidconfig -a command.
• Removes the /etc/resolv.conf file for DNS clients.
• Disables Lightweight Directory Access Protocol (LDAP) by removing:
    • The /var/ldap/ldap_client_cache file
    • The /var/ldap/ldap_client_file file
    • The /var/ldap/ldap_client_cred file
    • The /var/ldap/cachemgr.log file
• Regenerates keys for the Secure Shell Daemon (sshd)


Module 2

Describing the Client-Server Model

Objectives

• Describe client-server processes
• Start server processes

Introducing Client-Server Processes

The client-server model describes network services and the client programs of those services.

One example of the client-server relationship is the name server and resolver model of the DNS.

Another example of the client and server relationship is the NFS.

Introducing Client Processes

The client is a host or a process that uses services from another host or program, known as a server.

[Diagram labels: File Server, Name Server, Print Server]

Introducing Server Processes

The server is a host or a process that provides services to another program known as a client.

[Diagram labels: Printer A, Printer B, Printer C, Print Server, Storage Server, Storage Array 1, Storage Array 2, Client 1, Client 2, Client 3, Client 4]

The Service Management Facility (SMF)

SMF provides a centralized configuration structure for managing system services and the interaction of a service with other services. SMF includes the following:

• A mechanism to establish and formalize dependency relationships between services.
• Information on procedures to start, stop, and restart services.
• A centralized repository for information on startup behavior and service status.

• A structured mechanism for Fault Management of system services.
• Detailed information about misconfigured services such as an explanation of why a service is not running.
• Individual log files for each service.

Services

• The fundamental unit of administration in SMF is the service.
• It provides a known list of capabilities to other local and remote services.
• Services are represented as instance nodes which are children of service nodes.
• One service might have many instances such as a Web server on multiple ports.
• Both service nodes and instance nodes can have properties.
• If an instance does not have property X, the service's property X is used.


Service and Instance Nodes


Service Identifiers

• The service identifier is in the form of a Fault Management Resource Identifier or FMRI.
• The FMRI indicates the type of service or category, and the name and instance of the service.

Service Category         Description
milestone                Synthetic services for clean dependency statement
device                   General device services
system                   Services concerned with host-centric, non-networked capabilities
system/security          Low-level host-centric services implementing security facilities
network                  Services concerned with host-centric, network infrastructure capabilities
application              General software services
application/management   Services implementing management facilities
application/security     Services implementing high-level security

• FMRI examples:

svc:/system/filesystem/root:default
lrc:/etc/rc3_d/S90samba

Listing Service Information

Use the svcs command to list the FMRIs and states:

# svcs
STATE          STIME    FMRI
legacy_run     Feb_10   lrc:/etc/rc2_d/S10lu
legacy_run     Feb_10   lrc:/etc/rc2_d/S20sysetup
legacy_run     Feb_10   lrc:/etc/rc2_d/S90wbem
legacy_run     Feb_10   lrc:/etc/rc2_d/S99dtlogin
legacy_run     Feb_10   lrc:/etc/rc3_d/S81volmgt
(output removed)
online         Feb_10   svc:/system/system-log:default
online         Feb_10   svc:/system/fmd:default
online         Feb_10   svc:/system/console-login:default
online         Feb_10   svc:/network/smtp:sendmail
online         Feb_10   svc:/milestone/multi-user:default
online         Feb_10   svc:/milestone/multi-user-server:default
online         Feb_10   svc:/system/zones:default
offline        Feb_10   svc:/application/print/ipp-listener:default
offline        Feb_10   svc:/application/print/rfc1179:default
maintenance    10:24:15 svc:/network/rpc/spray:default
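
The following is an added example, not part of the course material, covering both the FMRI format described under Service Identifiers and the svcs listing above: one function splits an FMRI into scheme, category, name and instance, and another picks out the services in a listing that are not running and counts the legacy_run scripts. The function names are hypothetical, the category is taken as the first path component only, and the sample is the slide's own listing.

```shell
#!/bin/sh
# Added example, not part of the course material.

# Sample: the svcs listing from the slide above, without the
# "(output removed)" marker line.
sample_svcs() {
cat <<'EOF'
STATE          STIME    FMRI
legacy_run     Feb_10   lrc:/etc/rc2_d/S10lu
legacy_run     Feb_10   lrc:/etc/rc2_d/S20sysetup
legacy_run     Feb_10   lrc:/etc/rc2_d/S90wbem
legacy_run     Feb_10   lrc:/etc/rc2_d/S99dtlogin
legacy_run     Feb_10   lrc:/etc/rc3_d/S81volmgt
online         Feb_10   svc:/system/system-log:default
online         Feb_10   svc:/system/fmd:default
online         Feb_10   svc:/system/console-login:default
online         Feb_10   svc:/network/smtp:sendmail
online         Feb_10   svc:/milestone/multi-user:default
online         Feb_10   svc:/milestone/multi-user-server:default
online         Feb_10   svc:/system/zones:default
offline        Feb_10   svc:/application/print/ipp-listener:default
offline        Feb_10   svc:/application/print/rfc1179:default
maintenance    10:24:15 svc:/network/rpc/spray:default
EOF
}

# fmri_split FMRI: print "<scheme> <category> <name> <instance>".
# Simplification: the category is the first path component, so two-level
# categories such as system/security keep their second part in the name.
# lrc: entries name a legacy rc script and have no category or instance.
fmri_split() {
  printf '%s\n' "$1" | awk '
    index($0, "svc:/") == 1 {
      s = substr($0, 6)                    # text after "svc:/"
      inst = "-"
      if (match(s, ":[^:/]*$")) {          # trailing ":instance"
        inst = substr(s, RSTART + 1)
        s = substr(s, 1, RSTART - 1)
      }
      ctg = s;  sub("/.*", "", ctg)        # first path component
      name = s; sub("^[^/]*/", "", name)   # remainder of the path
      print "svc", ctg, name, inst
      ok = 1
    }
    index($0, "lrc:/") == 1 {
      print "lrc", "-", substr($0, 5), "-"
      ok = 1
    }
    END { exit(ok ? 0 : 1) }
  '
}

# svcs_attention: stdin = svcs output. Prints "<state> <FMRI>" for every
# service that is enabled but not running normally, then a count of
# legacy_run entries (rc scripts that SMF lists but does not supervise).
svcs_attention() {
  awk '
    NR == 1 && $1 == "STATE" { next }
    $1 == "maintenance" || $1 == "degraded" || $1 == "offline" { print $1, $3 }
    $1 == "legacy_run" { legacy++ }
    END { printf "legacy_run %d\n", legacy }
  '
}

fmri_split svc:/system/filesystem/root:default
sample_svcs | svcs_attention
```

On a live system the input would come from `svcs | svcs_attention`, and `svcs -x` gives the explanation for each service the filter reports.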

Service States

[Diagram: SMF service state transitions. States shown: UNINITIALIZED, DISABLED, OFFLINE, ONLINE, DEGRADED, MAINTENANCE. Transition labels recovered from the figure:]

• Start service
• Service enabled by admin
• Service marked disabled
• Service disabled
• Can’t read config
• Service put in maintenance state
• Dependency not met or start failed
• Dependency met and service enabled
• Dependencies satisfied and service is healthy
• Partial failure of service or dependency
• No improvement in service
• Refresh
• Re-read config data
• Service shutdown, restart or disable
• Unresolvable error or thresholds reached
• Administrator intervention

Sun Services

8/4/2019 SA-202-S10 Part2

http://slidepdf.com/reader/full/sa-202-s10-part2 56/534

Advanced System Administration for the Solaris™ 10 Operating System  Module 2, slide 14 of 31Copyright 2007 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision C

Milestones

A milestone can be regarded as a system state to reach. This system state requires a defined set of services to be running. These services depend on other services being available.

Currently there are six milestones:

• single-user

• multi-user

• multi-user-server

• network

• name-services

• sysconfig

• devices


Milestones (cont.)

[Figure: service category tree. Labels shown: milestone, network, system, application; name-services, net-physical, filesystem, print, X11; /, /usr, /var.]


Milestones (cont.)

[Figure: milestone dependency diagram. Labels shown: /var/svc/manifest/milestone/multi-user-server.xml; dependency list; multi-user milestone; /var/svc/manifest/milestone/multi-user.xml; exec /sbin/rc3; single-user milestone; /var/svc/manifest/milestone/single-user.xml; name-services milestone; filesystem; /var/svc/manifest/system/filesystem/local-fs.xml; method /lib/svc/method/fs-local; milestone multiuser.]


The svc.startd Daemon

The svc.startd is the daemon which is responsible for maintaining the system services. It is svc.startd which ensures that the system boots to the appropriate milestone.

Currently the milestones that can be used at boot time are:

• none

• single-user

• multi-user

• multi-user-server

• all


The Service Configuration Repository

The repository database stores information about the state of each service instance. It also stores configuration information about the services and system.

The disk-based database is /etc/svc/repository.db.

This file can only be manipulated using the SMF interface utilities svccfg and svcprop.

A corrupt repository can be repaired by booting the system to single user, and running the command:

# /lib/svc/bin/restore_repository

and following the instructions.


Starting Server Processes

To start services for server processes, you must know which files to use for automatic service configuration. You must also know how to manually start the services.

Introducing the Internet Service Daemon (inetd)

The inetd daemon is a special network process that runs on each system and starts server processes that do not automatically start at boot time.

The inetd daemon is started at boot time by svc.startd. There is a legacy configuration file for inetd, /etc/inet/inetd.conf. Services listed in this file are imported into the Service Management Facility (SMF) by the inetconv command.


The Impact of SMF on Network Services

SMF has a major impact on network services in that each service can be independently enabled or disabled using the inetadm command.

To disable the telnet facility:

# inetadm -d telnet
# inetadm | grep telnet
disabled disabled svc:/network/telnet:default

To enable the telnet facility:

# inetadm -e telnet
# inetadm | grep telnet
enabled online svc:/network/telnet:default
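Added example, not part of the course material: a shell audit that reads an inetadm listing and prints each enabled inetd service that is not on an approved list, together with the inetadm -d command to review. The sample listing, the allowlist and the function names are constructed for the example; the three-column layout (enabled flag, state, FMRI) is assumed from the grep output above.

```shell
#!/bin/sh
# Constructed sample of `inetadm` output: enabled flag, state, FMRI.
sample_inetadm() {
cat <<'EOF'
ENABLED   STATE          FMRI
enabled   online         svc:/network/telnet:default
disabled  disabled       svc:/network/finger:default
enabled   online         svc:/network/rpc/spray:udp
enabled   offline        svc:/network/ftp:default
disabled  disabled       svc:/network/shell:default
EOF
}

# Assumed site policy for the example: FMRIs that may stay enabled.
ALLOWED_FMRIS="svc:/network/ftp:default"

# audit_inetd ALLOWLIST
# Read an inetadm listing on stdin and print "<state> <fmri>" for every
# enabled service whose FMRI is not in the space-separated allowlist.
audit_inetd() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Skip the header and anything that is not a service line.
        $1 != "enabled" && $1 != "disabled" { next }
        # Report enabled services that policy does not allow.
        $1 == "enabled" && !($3 in ok) { print $2, $3 }
    '
}

# disable_commands
# Turn the audit result into the inetadm -d commands an administrator
# would review and run by hand. Nothing is executed here.
disable_commands() {
    while read -r state fmri; do
        if [ -n "$fmri" ]; then
            printf 'inetadm -d %s\n' "$fmri"
        fi
    done
}

# Demo on the embedded sample.
sample_inetadm | audit_inetd "$ALLOWED_FMRIS" | disable_commands
```

On a live system the listing would come from `inetadm` itself in place of sample_inetadm.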


Introducing Network Ports

Network ports help transport protocols distinguish between multiple service requests arriving at a given host computer.

There are two fundamental approaches to port assignments:

• Central authority

  • All users must agree to allow the central authority to assign all port numbers.

  • The central authority is responsible for publishing the list of port number assignments, called well-known port assignments.

  • Well-known port assignments dictate software requirements on a system.


Introducing Network Ports

• Dynamic binding

  • The ports are unknown to the client in advance. The system software dynamically assigns ports to the programs that require them.

  • To obtain the current port assignments on any computer, the software generates a request to the target machine for the port number information. The target machine then responds with the port number.

  • These port number assignments are considered ephemeral since assignments are short lived, only lasting until the system is rebooted.


Introducing Network Ports

Well-known ports are stored in the /etc/inet/services file.

# grep telnet /etc/inet/services

telnet 23/tcp


Starting Services That Use a Well-Known Port

Services following the central authority approach that use a well-known port include:

• Services that start by default at system boot time

• Services that do not start automatically at boot, and must start on demand


Requesting a Well-Known Service

[Figure: time-sequence diagram of a telnet request from sys41 (client, running telnet sys42) to sys42 (server). Labels shown: inetd; port 23; in.telnetd; in.telnetd (port nnnnn); traffic on nnnnn; n = port number; numbered steps 1 to 8.]


Starting RPC Services

RPC services are services developed using a set of utilities developed by Sun Microsystems, Inc. While RPC services are assigned a unique program number by the programmer when they are written, the RPC services are not typically assigned to well-known ports.

Types of RPC services that follow the dynamic binding approach include:

• Services that start by default at system boot time

• Services that do not start automatically at boot and must start on demand


Starting RPC Services at Boot Time

RPC services started at boot time with startup scripts run on available ports above 32768. The rpcbind process associates RPC program numbers with port numbers.

The /lib/svc/method/rpc-bind startup script initializes the rpcbind service. The port number used by the rpcbind daemon is listed in the /etc/inet/services file.

After the system starts up, the rpcbind daemon starts listening at port 111. To view the port number and protocol, perform the command:

# grep rpcbind /etc/services
sunrpc 111/udp rpcbind
sunrpc 111/tcp rpcbind


Starting RPC Services on Demand

Some rpcbind services start only on demand. The port numbers are registered with the rpcbind process during boot.

When a client application requests a service, the rpcbind process returns the port number of the service to the client machine.

The client machine generates a new request using the port number that it just received for the requested service.


Requesting an RPC Address

[Figure: time-sequence diagram of an RPC request from Host 1 (client, running spray host2) to Host 2 (server). Labels shown: Start rpcbind (port 111); inetd; rpcbind; spray/1 ... rpc.sprayd; rpc.sprayd (port nnnnn); n = port number; numbered steps 1 to 6.]


Using the rpcinfo Commands

The rpcinfo command makes an RPC call to an RPC server, and reports what it finds.

To list all the services registered with the rpcbind process, enter the rpcinfo command as follows:

rpcinfo -p [ host ]

For example:

# rpcinfo -p
program vers proto port service
100000 4 tcp 111 rpcbind
100000 3 tcp 111 rpcbind
100000 2 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100000 3 udp 111 rpcbind
100000 2 udp 111 rpcbind
100232 10 udp 32772 sadmind

<output truncated>
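Added example, not part of the course material: a shell summary of an rpcinfo -p listing that collapses the per-version rows into one line per program, protocol and port, then lists the registrations other than rpcbind itself so an administrator can see which RPC services hold dynamically assigned ports. The rpcbind and sadmind rows are the ones shown above; the sprayd row's port and the function names are constructed for the example.

```shell
#!/bin/sh
# Sample `rpcinfo -p` output. The rpcbind and sadmind rows come from the
# course text; the sprayd row is constructed for the example.
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100232   10   udp  32772  sadmind
    100012    1   udp  32777  sprayd
EOF
}

# rpc_summary
# Read an rpcinfo -p listing on stdin and print one line per
# program/proto/port: "<prognum> <name> <proto> <port> <versions>".
rpc_summary() {
    awk '
        $1 !~ /^[0-9]+$/ { next }            # skip the header row
        {
            name = ($5 == "" ? "-" : $5)     # service column can be empty
            key = $1 " " name " " $3 " " $4
            if (!(key in vers)) {
                order[++n] = key             # remember first-seen order
                vers[key] = $2
            } else {
                vers[key] = vers[key] "," $2
            }
        }
        END { for (i = 1; i <= n; i++) print order[i], vers[order[i]] }
    '
}

# dynamic_rpc
# From a summary on stdin, print "<name> <proto>/<port>" for every
# registration that is not rpcbind (program number 100000) itself.
dynamic_rpc() {
    awk '$1 != "100000" { print $2, $3 "/" $4 }'
}

# Demo on the embedded sample.
sample_rpcinfo | rpc_summary
sample_rpcinfo | rpc_summary | dynamic_rpc
```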


Deleting RPC Service Registration

To unregister the RPC service given a specified prognum (program number) and versnum (version number), perform the rpcinfo command:

rpcinfo -d prognum versnum

For example:

# rpcinfo -d 100012 1

The deleted RPC service that uses program number 100012 is sprayd. To register the sprayd service again, restart the inetd daemon as follows:

# svcadm disable svc:/network/rpc/spray:udp
# svcadm enable svc:/network/rpc/spray:udp


System Administration for the Solaris™ 10 Operating System, Part 2 

Module 3

Introducing Sun Connection Services


Objectives

Implement patch management using Sun Connection Services including the Update Manager client, the smpatch command line, and Sun Connection hosted Web application


Solaris 10 OS Patch Access Policy

The new Solaris 10 OS patch access policy:

• A service plan is not required for security, data integrity or hardware driver updates.

• A Sun Online Account is required for any patches obtained using the Sun Connection.


Introducing Sun Connection

Sun Connection is a seamless architecture that provides:

• Notifications to let administrators

• Automated procedures

• Fast intelligent software dependency checks

• Optional local caching of updates

• A Web hosted service


Administering Patches

The Sun Connection tools include the following:

• Update Manager client graphical user interface (GUI)

• Sun Connection hosted Web application

• Update Manager client command-line interface (smpatch)


Sun Connection Modes

• Local management of individual systems using the Update Manager client or the smpatch CLI

• Remote and centralized management of multiple systems using the Sun Connection hosted Web application


Locally Managing Updates for Individual Systems

• Maintain your own updates to the Solaris 10 OS by establishing a connection to Sun Connection.

• Sun Connection client software enables access to the Sun Connection servers hosted at Sun.

• Automatic notification

• Update Manager client application

• The smpatch command


Locally Managing Updates for Individual Systems (cont.)


Update Manager Client

• The Update Manager client is a successor to the Solaris Patch Manager application.

• PatchPro analysis engine

• A new user interface

• Users can:

  • Analyze system to check for available updates

  • View a list of updates currently available and applicable for the system

  • View details about a specific update

  • Install selected updates


Update Manager Client (cont.)


Caching Patches With Update Manager's Proxy


Sun Connection Hosted Web Application


Sun Connection Hosted Web Application (cont.)


Establishing a Sun Online Account

• A Sun Online Account is required for using the Sun Connection services regardless of the mode of connection you choose.

• There is no charge for establishing such an account.

Start at: http://www.sun.com/

• Click on the My Account link.


Obtain a Sun Service Plan

• A Sun Service Plan is optional.

• Without one you will get security and hardware driver updates only.

• If you want all the other updates available contact your Sun Service Representative and subscribe to an appropriate service plan.

• Obtain a subscription key associated with that plan for use later when you install and register systems for Sun Connection functionality.


Downloading and Installing the Update Manager Client Software

• Solaris OS versions that precede the Solaris 10 1/06 release.

• Solaris 10 1/6 and later releases.

• The Update Manager client (1.0.4) download and installation:

  • On SPARC-based systems

# smpatch update -i 121118-05

  • On x86-based systems:

# smpatch update -i 12119-05


Starting the Update Manager Client For the First Time

Click on the Java™ Desktop notification icon or run the command:

# /usr/bin/updatemanager


Registering Systems


Registering Systems (cont.)


Registering Systems (cont.)


Registration Confirmation


Registration Complete

Installing Updates With the Update Manager Client

Installing Updates With the Update Manager Client (cont.)

Installing Updates With the Update Manager Client (cont.)


Setting Update Manager Client Preferences

• The source of your updates.

• The Update Manager’s proxy hostname, IP address and authentication details.

• The directory where updates will be downloaded. (Default is /var/sadm/spool.)

• The backout data directory setting.

• New update available notification icon for your Java Desktop.

• Daily automatic update analysis.


Configuring the Update Manager’s Proxy


• Verify that required packages are on your system:

# pkginfo | grep SUNWpsvr
system SUNWpsvrr Patch Server Deployment (Root)
system SUNWpsvru Patch Server Deployment (Usr)

• Set the network proxy for the Update Manager’s proxy:

# patchsvr setup -x network_proxy:port

• Specify the next update server:

# patchsvr setup -p http://server-name:port/solaris/

• Specify the default Sun update server:

# patchsvr setup -p https://getupdates1.sun.com/solaris/

• Start the proxy server:

# patchsvr start

• Configure the proxy server to start on subsequent system boots:

# patchsvr enable

Configuring Clients to Use the Update Manager’s Proxy

Install and start the Update Manager client software on the client by typing the following command:

# /usr/bin/updatemanager

Configuring Clients to Use the Update Manager’s Proxy (cont.)


Patch Administration From the CLI


• Solaris OS update types include:

  • Standard updates

  • Recommended patches

  • Update clusters

• An update is distributed as a directory that is identified by a unique number: 105050-01.jar


Phases for Applying Updates


• The full sequence involves these phases:

  • Analyzing your system

  • Downloading the necessary updates

  • Applying the updates

• Phase control:

  • The smpatch update command performs all three functions in one command.

  • The smpatch analyze and smpatch update commands perform all three functions using two commands.

  • The smpatch analyze, smpatch download, and smpatch add commands will perform all three functions using three commands.


Command Examples


• Analyze your local system and determine the appropriate, available updates for it.

# smpatch analyze > plist
# vi plist
...
119397-06 SunOS 5.10: patch for North America region locales issues
# patchadd -p | grep 119397

• Download (but not apply) a new update.

# smpatch download -i 119397-06
119379-06 has been validated.
# smpatch get | grep download
patchpro.download.directory - /var/sadm/spool
# cd /var/sadm/spool ; ls
119397-06.jar
...


Command Examples (cont.)


• Install and verify an update.

# smpatch add -i 119397-06
add patch 119397-06
Patch 119397-06 has been successfully installed.
# patchadd -p | grep 119397-06
Patch: 119397-06 Obsoletes: Requires: 121734-01 Incompatibles: Packages: SUNWnameos SUNWnamdt SUNWnamow
# smpatch analyze | grep 119397-06

• Remove an update.

# smpatch remove -i 119397-06
remove patch 119397-06
Transition old-style patching.
Patch 119397-06 has been backed out.
# smpatch analyze | grep 119397-06
119397-06 SunOS 5.10: patch for North America region locales issues


Command Examples (cont.)


• Apply an update in one step.

# smpatch update -i 118815-05
118815-05 has been validated.
Installing patches from /var/sadm/spool...
118815-05 has been applied.
/var/sadm/spool/patchpro_dnld_2007.03.16@12:36:36:MST.txt has been moved to /var/sadm/spool/patchproSequester/patchpro_dnld_2007.03.16@12:36:36:MST.txt

Configuring the Patch Management Environment

• The smpatch get, smpatch set and smpatch unset commands are used to configure the patch management environment:

  • smpatch get displays the current settings for environment parameters.

  • smpatch set changes values for environment parameters.

  • smpatch unset enables the default values for environment parameters.


Command Examples


• Display the current environment parameter values.

# smpatch get
patchpro.backout.directory - ""
patchpro.baseline.directory - /var/sadm/spool
patchpro.download.directory - /var/sadm/spool
patchpro.install.types - rebootafter:reconfigafter:standard
patchpro.patch.source http://192.168.201.1:3816/solaris/ https://getupdates1.sun.com/solaris/
patchpro.patchset - current
patchpro.proxy.host - ""
patchpro.proxy.passwd **** ****
patchpro.proxy.port - 8080
patchpro.proxy.user - ""

• Set a new value for the update source.

# smpatch set patchpro.patch.source=http://newproxy.apex.com:3816/solaris/
# smpatch get
patchpro.backout.directory - ""
patchpro.baseline.directory - /var/sadm/spool
patchpro.download.directory - /var/sadm/spool


Command Examples (cont.)


patchpro.download.directory - /var/sadm/spool
patchpro.install.types - rebootafter:reconfigafter:standard
patchpro.patch.source - https://getupdates1.sun.com/solaris/
patchpro.patchset - current
patchpro.proxy.host - ""
patchpro.proxy.passwd **** ****
patchpro.proxy.port - 8080
patchpro.proxy.user - ""

• Configure an update set which defines a subset of updates that commands will work with.

# smpatch set patchpro.patchset=recommended
# smpatch analyze

Using the Update Policy for Applying Updates

• The patchpro.install.types property defines the update policy in effect for the update management environment.

• Types of updates that are applied to the system:

  • Standard updates that are applied immediately and require no system restart

  • Updates that require a system restart

  • Updates that must be manually applied


Example of Using the Update Policy


• Not Using the smpatch update command# smpatch analyze | grep wanboot119681-06 SunOS 5.10: wanboot patch

# patchadd -p | grep 119681Patch: 119681-05 Obsoletes: Requires: Incompatibles: Packages: SUNWcakr# smpatch download -i 119681-06119681-06 has been validated.# smpatch add -i 119681-06add patch 119681-06...

 Validating patches...Loading patches installed on the system...Done!Loading patches requested to install.Done!Checking patches that you specified for installation.

Done!Approved patches will be installed in this order:119681-06Patch 119681-06 has been successfully installed.

Example of Using the Update Policy (cont.)

# patchadd -p | grep 119681
Patch: 119681-05 Obsoletes: Requires: Incompatibles: Packages: SUNWcakr
Patch: 119681-06 Obsoletes: Requires: Incompatibles: Packages: SUNWcakr
# smpatch analyze | grep 119681-06
#
# cd /var/sadm/spool ; ls
119681-06.jar
cache
patchpro_dnld_2006.02.13@10:10:29:MST.txt
# cat *.txt
This patch bundle was generated by PatchPro.

Please refer to the README file within each patch for installation
instructions. To properly patch your system, the following patches
should be installed in the listed order:

1) 119681-06 !!! IMMEDIATE REBOOT !!!

Module 4

Managing Swap Configuration

Objectives

• Describe virtual memory

• Configure swap space

Introducing Virtual Memory

Virtual memory combines RAM and dedicated disk storage areas known as swap space.

Virtual memory management software maps copies of files on disk to virtual addresses.

Programs use these virtual addresses, rather than real addresses, to store instructions and data.

Virtual memory makes it possible for the operating system (OS) to use a large range of memory.

Physical RAM

When working with swap space, RAM is the most critical resource in your system.

• Virtual and physical addresses

The Solaris 10 OS virtual memory management system maps the files on disk to virtual addresses in virtual memory.

• Anonymous memory pages

Physical memory pages associated with a running process can contain private data or stack information that does not exist in any file system on disk. These are anonymous memory pages.

Swap Space

Sometimes a process must give up some of its memory space allocation to another process.

Anonymous memory pages are placed in a swap area, but unchanged file system pages are not.

• Swap slices

The primary swap space on the system is a disk slice. In the Solaris 10 OS, the default location for the primary swap space is slice 1 of the boot disk which, by default, starts at cylinder 0.

As additional swap space becomes necessary, you can configure additional swap slices.

Swap Space (cont.)

• Swap files

It is also possible to provide additional swap space on a system by using swap files.

Swap files are files that reside on a file system, and that have been created using the mkfile command.

Swap files can be permanently included in the swap configuration by creating an entry for the swap file in the /etc/vfstab file.

Paging

• The transfer of selected memory pages between RAM and the swap areas.

• Physical RAM is made available for other processes to use.

• Use the pagesize command to display the size of a memory page in bytes.

• On SPARC-based systems:

# pagesize
8192

• On x86-based systems:

# pagesize
4096

Configuring Swap Space

The swap command provides a method of adding, deleting, and monitoring the swap areas used by the kernel.

Swap area changes made from the command line are not permanent and are lost after a reboot.

To create permanent additions to the swap space, create an entry in the /etc/vfstab file.

Adding Swap Space

Use the following procedures to add additional swap space to your system.

• To add swap slices, use the swap -a command:

# swap -a /dev/dsk/c1t3d0s1

Edit the /etc/vfstab file and add a line similar to the following:

/dev/dsk/c1t3d0s1 - - swap - no -

Adding Swap Space

• To add swap files, use the mkfile command to create the swap file. For example:

# mkfile 20m /usr/local/swap/swapfile

Add the swap file to the system’s swap space.

# swap -a /usr/local/swap/swapfile

Add an entry for the swap file to the /etc/vfstab file.

/usr/local/swap/swapfile - - swap - no -
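A check for the persistence gap in the procedures above, as an added example that is not part of the original course material: it compares a saved `swap -l` listing with /etc/vfstab and prints the swap areas that would be lost at the next reboot. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the course material): list swap areas that are
# active now but have no /etc/vfstab entry, so they vanish at reboot.

# unpersisted_swap SWAP_LIST VFSTAB
#   SWAP_LIST: file holding saved output of "swap -l"
#   VFSTAB:    copy of /etc/vfstab
unpersisted_swap() {
    awk '
    NR == FNR {
        # First file (vfstab): remember devices whose FS type is swap.
        if ($0 !~ /^[ \t]*#/ && $4 == "swap") persistent[$1] = 1
        next
    }
    # Second file (swap -l): skip the header, report paths not in vfstab.
    FNR > 1 && $1 ~ /^\// && !($1 in persistent) { print $1 }
    ' "$2" "$1"
}

# write_swap_samples DIR: constructed sample data for a stand-alone run.
write_swap_samples() {
    cat > "$1/swap_l.txt" <<'EOF'
swapfile                  dev    swaplo   blocks     free
/dev/dsk/c0t0d0s1         136,1      16  1638608  1638608
/dev/dsk/c1t3d0s1         136,9      16  2097136  2097136
/usr/local/swap/swapfile  -          16    40944    40944
EOF
    cat > "$1/vfstab" <<'EOF'
#device to mount   device to fsck  mount point  FS type  fsck pass  mount at boot  options
/dev/dsk/c0t0d0s1  -               -            swap     -          no             -
swap               -               /tmp         tmpfs    -          yes            -
/dev/dsk/c1t3d0s1  -               -            swap     -          no             -
EOF
}

demo_dir=$(mktemp -d)
write_swap_samples "$demo_dir"
# The swap file was added with "swap -a" but never written to vfstab.
unpersisted_swap "$demo_dir/swap_l.txt" "$demo_dir/vfstab"
rm -rf "$demo_dir"
```

On a live system, save the listing first with `swap -l > file` and pass that file together with /etc/vfstab.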


Removing Swap Space

• Removing swap files

Delete a swap file from the current swap configuration.

# swap -d /usr/local/swap/swapfile

• Remove the file to free the disk space that it is occupying.

# rm /usr/local/swap/swapfile

• Edit the /etc/vfstab file, and remove the swap file entry.

Module 5

Managing Crash Dumps and Core Files

Objectives

• Manage crash dump behavior

• Manage core file behavior

Managing Crash Dump Behavior

If a fatal operating system error occurs, the operating system generates a crash dump by writing some of the contents of the physical memory to a predetermined dump device, which must be a local disk slice.

You can configure the dump device by using the dumpadm command.

After the operating system has written the crash dump to the dump device, the system reboots.

The crash dump is saved for future analysis to help determine the cause of the fatal error.

Crash Dump

When the operating system crashes, the savecore command is automatically executed during a boot.

• The savecore command places kernel core information in the /var/crash/nodename/vmcore.X file.

• The savecore command places name list information and symbol table information in the /var/crash/nodename/unix.X file.

You can use the dumpadm command to configure the location of the dump device and the savecore directory.

Displaying the Current Dump Configuration

To view the current dump configuration, use the dumpadm command without arguments.

# dumpadm
Dump content: kernel pages
Dump device: /dev/dsk/c0t0d0s1 (swap)
Savecore directory: /var/crash/sys-02
Savecore enabled: yes

Changing the Crash Dump Configuration

The dumpadm command manages the configuration of the crash dump facility.

The syntax of the dumpadm command is as follows:

/usr/sbin/dumpadm [-nuy] [-c content-type] [-d dump-device]
[-m mink | minm | min%] [-s savecore-dir] [-r root-dir]

Use the dumpadm command to make all modifications to the crash dump configuration, rather than attempting to edit the /etc/dumpadm.conf file manually.

Managing Core File Behavior

When a process terminates abnormally, it typically produces a core file.

You can use the coreadm command to specify the name or location of core files produced by abnormally terminating processes.

Core Files

• A core file is a disk copy of the address space of a process at a certain point in time.

• The operating system generates two possible copies of core files:

• The global core file

• The per-process core file

Displaying the Current Core File Configuration

You use the coreadm command without arguments to display the current configuration.

# coreadm
global core file pattern:
global core file content: default
init core file pattern: core
init core file content: default
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled

Changing the Core File Configuration

• The coreadm command allows you to control how core files are generated.

• For example, you can use the coreadm command to configure a system so that all process core files are placed in a single directory.

• You can separately enable or disable two configurable core file paths: per-process and global.

Changing the Core File Configuration

• All users can run the coreadm command with the -p option to specify the file name pattern to use for per-process core files.

coreadm [-p pattern] [pid...]

• The root user can use the following coreadm command options to configure system-wide core file options.

coreadm [-g pattern] [-G content] [-i pattern] [-I content]
[-d option...] [-e option...]

• Pattern options determine how core files are named.

• Content options determine the content of global core files.

Pattern Options for the coreadm Command

• %p - PID

• %u - Effective user ID (EUID)

• %g - Effective group ID (EGID)

• %f - Executable file name

• %n - System node name (uname -n)

• %m - Machine hardware name (uname -m)

• %t - The time in seconds since midnight January 1, 1970

• %d - Executable file directory/name

• %z - Zonename

• %% - Literal %

Pattern Options for the Global Core File Content

• rodata – Read-only private file mappings

• shanon – Anonymous shared mappings

• shfile – Shared mappings that are backed by files

• shm – System V shared memory

• stack – Process stack

• symtab – Symbol table sections for loaded object

• text – Readable and executable private file mappings

Examples of the coreadm Command

• Example 1 – Setting the core file name pattern as a regular user

When executed from a user’s $HOME/.profile or $HOME/.login file, the following entry sets the core file name pattern for all processes run during the login session:

# coreadm -p core.%f.%p $$

Examples of the coreadm Command

• Example 3 – Enabling and setting the core file global name pattern

The following is an example of setting system-wide parameters that add the executable file name and PID to the name of any core file that is created:

# coreadm -g /var/core/core.%f.%p -e global

Examples of the coreadm Command

• Example 4 – Checking the core file configuration for specific PIDs

Running the coreadm command with a list of PIDs reports each process’s per-process core file name pattern, for example:

# coreadm 228 507
228: core default
507: /usr/local/swap/corefiles/%n.%f.%p default
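The pattern tokens from the slides above, expanded by an added example that is not part of the original course material: expand_core_pattern (a hypothetical helper) predicts the core file name that a coreadm pattern yields for given process values, which shows where a core file will land before the pattern is applied. The process name, PID and node name passed in are constructed, and rejecting unknown tokens is a choice of this example, not documented coreadm behavior.

```shell
#!/bin/sh
# Added example (not from the course material): expand a coreadm name
# pattern using the tokens listed on the slide. Values are passed as
# letter=value pairs, for example p=228 for %p.

# expand_core_pattern PATTERN [letter=value ...]
# Prints the resulting core file name; returns 1 on an unknown token,
# a trailing "%", or a token with no value supplied.
expand_core_pattern() {
    pattern=$1
    shift
    out=
    while [ -n "$pattern" ]; do
        case $pattern in
        %%*)
            # "%%" is a literal percent sign.
            out="$out%"
            pattern=${pattern#??}
            ;;
        %[pugfnmtdz]*)
            # Isolate the token letter that follows "%".
            tok=${pattern#?}
            tok=${tok%"${tok#?}"}
            found=no
            for kv in "$@"; do
                case $kv in
                "$tok"=*) val=${kv#*=}; found=yes ;;
                esac
            done
            if [ "$found" != yes ]; then
                echo "no value supplied for %$tok" >&2
                return 1
            fi
            out=$out$val
            pattern=${pattern#??}
            ;;
        %*)
            echo "unsupported token at: $pattern" >&2
            return 1
            ;;
        *)
            # Copy the literal run up to the next "%".
            lit=${pattern%%\%*}
            out=$out$lit
            pattern=${pattern#"$lit"}
            ;;
        esac
    done
    printf '%s\n' "$out"
}

# Constructed values: executable "sshd", PID 507, node name sys-02,
# applied to the three patterns used in the examples above.
for pat in 'core.%f.%p' '/var/core/core.%f.%p' \
           '/usr/local/swap/corefiles/%n.%f.%p'; do
    expand_core_pattern "$pat" f=sshd p=507 n=sys-02
done
```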

Module 6

Advanced System Administration for the Solaris™ 10 Operating System

Configuring NFS

Objectives

• Describe the benefits of NFS

• Describe the fundamentals of the NFS distributed file system

• Manage an NFS server

• Manage an NFS client

• Enable the NFS server logging

• Manage NFS with the Solaris Management Console storage folder tools

• Troubleshoot NFS errors

NFS Benefits

The NFS service enables computers of different architectures running different operating systems to share file systems across a network.

You can implement the NFS environment on different operating systems (OS) because NFS defines an abstract model of a file system.

NFS file system operations, such as reading and writing, work as if they were accessing a local file.

NFS Benefits

The benefits of the NFS service are as follows:

• Allows multiple computers to use the same files, because all users on the network can access the same data

• Reduces storage costs by sharing applications on computers instead of allocating local disk space for each user application

• Provides data consistency and reliability, because all users can read the same set of files

• Supports heterogeneous environments, including those found on a personal computer (PC)

• Reduces system administration overhead

NFS Distributed File System Fundamentals

The NFS environment contains the following components:

• NFS server

• NFS client

The Solaris 10 OS supports versions 2, 3, and 4 NFS simultaneously.

The default is to use NFSv4.

Version-related checks are applied whenever a client host attempts to access a server’s file share.

NFS Distributed File System Fundamentals (cont.)

• NFS server

[Figure: NFS Server (Host 1) and NFS Client (Host 2). The NFS server shares disk storage (shared directories) with the NFS client.]

Host1# share /export/rdbms

Pseudo-File System

Server exports:

/export_fs/local
/export_fs/projects/nfs4

[Figure: Server file systems (/ and /export_fs), the exported directories, and the client view of the server’s export_fs directory.]

Strong Security

• Remote Procedure Call (RPC) implementation of the General Security Service framework (GSS)

• New security flavor RPCSEC_GSS

• Used with Sun Enterprise Authentication Mechanism (SEAM) software

• Other GSS_API applications

Compound Procedures

NFS version 3:

-> LOOKUP "export"
<- OK
-> LOOKUP "testdata"
<- OK
-> ACCESS "testdata"
<- OK
-> READ "testdata"
<- OK (sends data)

NFS version 4:

-> OPEN "export/testdata"
   READ
<- OPEN OK
   READ OK (sends data)

Extended Attributes

• Mandatory – Minimal level of operation

• Recommended – Operating environment dependent

• Named – Byte string, data associated with files or file system

Delegation

• The server delegates the management of a file to a client.

• The server alone decides whether to grant a delegation.

• The new nfs4cbd(1M) daemon is used for callback.

• The server sends callback to get the updated state of the file and to revoke the delegation.

• Different NFS client versions behave differently when a conflict occurs.

• Delegation is enabled by default.

Configuring an NFS Server and Client

• nfs(4) configuration file:

/etc/default/nfs

• Enabling NFS versions on server:

NFS_SERVER_VERSMIN=num
NFS_SERVER_VERSMAX=num

• Enabling NFS versions on client:

NFS_CLIENT_VERSMIN=num
NFS_CLIENT_VERSMAX=num

num = version 2, 3 or 4

• Other options in nfs(4)

Managing an NFS Server

• NFS server files

You need several files to support NFS server activities on any computer.

• /etc/dfs/dfstab

• /etc/dfs/sharetab

• /etc/dfs/fstypes

• /etc/rmtab

• /etc/nfs/nfslog.conf

• /etc/default/nfslogd

• /etc/default/nfs

Managing an NFS Server

• The /etc/dfs/sharetab file

The /etc/dfs/sharetab file contains a table of local resources currently being shared.

# cat /etc/dfs/sharetab
/usr/local/data - nfs ro Shared data files
/rdbms_files - nfs ro,root=sys01 Database files

Managing an NFS Server

• The /etc/rmtab file

The /etc/rmtab file contains a table of file systems remotely mounted by NFS clients.

# cat /etc/rmtab
sys-03:/usr/local/data
sys-02:/export/config
...

• The /etc/default/nfs file

The /etc/default/nfs file lists parameters that can be set for NFS daemon and NFS protocols.

NFS Server Daemons

To start the NFS server daemons, enable the svc:/network/nfs/server service.

# svcadm -v enable nfs/server
svc:/network/nfs/server:default enabled.

If a system has entries in its /etc/dfs/dfstab file, the NFS server daemons start when the system enters the multi-user-server milestone.

NFS Server Daemons

• mountd

• nfsd

• statd

• lockd

• nfslogd

• nfsmapid

In NFSv4, the features provided by the mountd and lockd daemons are integrated into the NFSv4 protocol.

NFS Server Daemons

• The mountd daemon

The mountd daemon handles NFS file system mount requests from remote systems and provides access control.

The mountd daemon determines if a particular directory is being shared, and if the requesting client has permission to access it.

• The nfsd daemon

When a client process attempts to access a remote file resource, the nfsd daemon on the NFS server receives the request and the resource’s file handle, and then performs the requested operation.

NFS Server Daemons

• The statd daemon

The statd daemon works with the lock manager lockd daemon to provide crash recovery functions for the lock manager.

• The lockd daemon

The lockd daemon supports record-locking operations for NFS files.

• The nfslogd daemon

The nfslogd daemon provides operational logging for an NFS server.

Managing the NFS Server Daemons

The NFS daemons start conditionally when the system transitions through run levels, or they start manually when enabling the svc:/network/nfs/server service.

The svcs command can be used to show the dependencies of the nfs/server service.

# svcs | grep nfs
online 15:35:24 svc:/network/nfs/client:default
online 15:35:29 svc:/network/nfs/status:default
...
# svcs -l nfs/server
fmri svc:/network/nfs/server:default
name NFS server
...

Managing the NFS Server Daemons

• Starting and stopping the NFS server daemons

To start the NFS server daemons manually, place an entry in the /etc/dfs/dfstab file and perform the following command:

# svcadm enable svc:/network/nfs/server

To stop the NFS server daemons manually, perform the following command:

# svcadm disable svc:/network/nfs/server

NFS Server Commands

• share

• unshare

• shareall

• unshareall

• dfshares

• dfmounts

Configuring the NFS Server for Sharing Resources

When the NFS server daemons are running, you can use the share command to make file resources available.

For example, to share the /usr/local/data directory as a read-only shared resource, perform the following command:

# share -o ro /usr/local/data

Configuring the NFS Server for Sharing Resources

The share command options:

• ro

• rw

• root=access-list

• ro=access-list

• rw=access-list

• anon=n

Configuring the NFS Server for Sharing Resources

• Making file resources unavailable for mounting

Use the unshare command to make file resources unavailable for mount operations. For example, to make the /usr/local/data directory unavailable for client-side mount operations, perform the following command:

# unshare /usr/local/data

• Displaying currently shared NFS resources

The dfshares command displays currently shared NFS resources.

# dfshares
RESOURCE SERVER ACCESS TRANSPORT
sys-02:/usr/local/data sys-02 - -

Configuring the NFS Server for Sharing Resources

• Displaying NFS mounted resources

The dfmounts command displays remotely mounted NFS resource information.

# dfmounts
RESOURCE SERVER PATHNAME CLIENTS
- sys-02 /usr/local/data sys-03

Managing the NFS Client

• The /etc/vfstab file

To mount remote file resources at boot time, enter the appropriate entries in the client’s /etc/vfstab file. For example:

sys-02:/usr/local/data - /usr/remote_data nfs - yes soft,bg

• The /etc/mnttab file

The /etc/mnttab file system provides read-only access to the table of mounted file systems for the current host.

Mounting a file system adds an entry to the /etc/mnttab file.

NFS Client Daemons

The NFS client daemons are started using the svc:/network/nfs/client service.

• statd

• lockd

• nfs4cbd

Managing the NFS Client Daemons

Two NFS daemons, the statd daemon and the lockd daemon, run both on the NFS servers and the NFS clients.

These daemons start automatically when a system enters the network milestone.

# svcs -D milestone/network
STATE STIME FMRI
disabled 15:34:35 svc:/network/dns/client:default
disabled 15:34:37 svc:/network/nfs/cbd:default
(output omitted)
online 16:31:18 svc:/network/nfs/nlockmgr:default
online 16:33:12 svc:/network/nfs/status:default

Managing the NFS Client Daemons

• The lockd daemon is started by the SMF service nfs/nlockmgr.

# svcadm -v enable nfs/nlockmgr
svc:/network/nfs/nlockmgr:default enabled.

• The statd daemon is started by the SMF service nfs/status.

# svcadm -v enable nfs/status
svc:/network/nfs/status:default enabled.

To manually restart these daemons, perform the following commands:

# svcadm -v restart nfs/status
Action restart set for svc:/network/nfs/status:default.
# svcadm -v restart nfs/nlockmgr
Action restart set for svc:/network/nfs/nlockmgr:default.
#

NFS Client Commands

• dfshares

• mount

• umount

• mountall

• umountall

Configuring the NFS Client for Mounting Resources

• Displaying a server’s available resources

You can use the dfshares command to list resources made available by an NFS server.

# dfshares sys-02
RESOURCE SERVER ACCESS TRANSPORT
sys-02:/usr/local/data sys-02 - -
...

Configuring the NFS Client for Mounting Resources

• Accessing the remote file resource

Use the /usr/sbin/mount command to attach a local or remote file resource to the local file system hierarchy. For example:

# mount sys-02:/rdbms_files /rdbms_files

When mounting a read-only remote resource, you can specify a comma-separated list of sources for the remote resource, which are then used as a list of failover resources.

# mount -o ro sys-45,sys-43,sys-41:/multi_homed_data /remote_shared_data

Configuring the NFS Client for Mounting Resources

• Unmounting the remote file resources from the client

Use the umount command to detach local and remote file resources from the file system hierarchy.

# umount /rdbms_files

• Mounting all file resources

The /usr/sbin/mountall command mounts all file resources listed in the /etc/vfstab file with a mount at boot value of yes.

To limit the action of this command to remote file resources, use the -r option.

# mountall -r

Configuring the NFS Client for Mounting Resources

• Unmounting all currently mounted file resources

Use the umountall command with the -r option to restrict unmounting to only remote file systems.

# umountall -r

• Mounting remote resources at boot time

To mount a remote file resource at boot time, create an appropriate entry in the client’s /etc/vfstab file. For example:

sys-02:/usr/local/data - /usr/remote_data nfs - yes soft,bg

The mount Command Options

• rw|ro

• bg|fg

• soft|hard

• intr|nointr

• suid|nosuid

• timeo=n

• retry=n

• retrans=n

Fundamentals of NFS Server Logging

The NFS server logging feature records NFS transactions.

The nfslogd daemon provides operational logging.

When you enable NFS server logging, the NFS kernel module writes records of all NFS operations on the file system into a buffer file.

The nfslogd Daemon

The nfslogd daemon converts the raw data from the logging operation into ASCII records, and stores the raw data in ASCII log files.

Configuring NFS Log Paths

The /etc/nfs/nfslog.conf file defines the path, file names, and type of logging that the nfslogd daemon must use.

A tag corresponds to each definition.

To configure NFS server logging, identify or create the tag entries for each of the server’s shared resources.

The global tag defines default values.

Configuring NFS Log Paths

Tagged entries in /etc/nfs/nfslog.conf use the following format:

<tag> [ defaultdir=<dir_path> ] \
[ log=<logfile_path> ] [ fhtable=<table_path> ] \
[ buffer=<bufferfile_path> ] [ logformat=basic|extended ]

For example:

global defaultdir=/var/nfs \
log=nfslog fhtable=fhtable buffer=nfslog_workbuffer

Configuring NFS Log Paths

Use the following parameters with each tag, as required:

• defaultdir=dir_path

• log=logfile_path

• fhtable=table_path

• buffer=bufferfile_path

• logformat=basic|extended

Create any directories you specify in /etc/nfs/nfslog.conf before starting NFS server logging.
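The following added example (not part of the course material) parses tagged entries in the format shown above and lists the directories that must exist before logging starts. It assumes that tags inherit unset parameters from the global tag, that relative paths are taken under defaultdir, and that logformat defaults to basic; the publicftp tag and its paths are constructed for illustration.

```python
import os
import posixpath

# Constructed sample in the slide's format. The "global" entry is the slide's
# example; the "publicftp" tag and its paths are illustrative assumptions.
SAMPLE_NFSLOG_CONF = """\
# NFS server log configuration (constructed sample)
global defaultdir=/var/nfs \\
    log=nfslog fhtable=fhtable buffer=nfslog_workbuffer
publicftp log=logs/nfslog fhtable=fh/fhtables \\
    buffer=/export/buffers/workbuffer logformat=extended
"""

PATH_KEYS = ("log", "fhtable", "buffer")
KNOWN_KEYS = PATH_KEYS + ("defaultdir", "logformat")


def logical_lines(text):
    """Yield entries with comments dropped and backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        joined = (pending + line).strip()
        pending = ""
        if joined:
            yield joined
    if pending.strip():
        yield pending.strip()


def parse_nfslog_conf(text):
    """Return {tag: {parameter: value}} for every tagged entry."""
    entries = {}
    for entry in logical_lines(text):
        tag, *fields = entry.split()
        params = {}
        for field in fields:
            key, sep, value = field.partition("=")
            if not sep or key not in KNOWN_KEYS:
                raise ValueError(f"tag {tag!r}: unexpected field {field!r}")
            if key == "logformat" and value not in ("basic", "extended"):
                raise ValueError(f"tag {tag!r}: bad logformat {value!r}")
            params[key] = value
        entries[tag] = params
    return entries


def resolve_paths(entries):
    """Apply the global defaults, then place relative paths under defaultdir."""
    defaults = entries.get("global", {})
    resolved = {}
    for tag, params in entries.items():
        merged = {**defaults, **params}
        base = merged.get("defaultdir", "")
        paths = {
            key: posixpath.normpath(posixpath.join(base, merged[key]))
            for key in PATH_KEYS if key in merged
        }
        paths["logformat"] = merged.get("logformat", "basic")
        resolved[tag] = paths
    return resolved


def required_directories(resolved):
    """Sorted, unique parent directories of every log, fhtable and buffer file."""
    dirs = set()
    for paths in resolved.values():
        for key in PATH_KEYS:
            if key in paths:
                dirs.add(posixpath.dirname(paths[key]))
    return sorted(dirs)


def missing_directories(dirs, exists=os.path.isdir):
    """Return the directories that still have to be created on this host."""
    return [d for d in dirs if not exists(d)]


if __name__ == "__main__":
    needed = required_directories(resolve_paths(parse_nfslog_conf(SAMPLE_NFSLOG_CONF)))
    for directory in missing_directories(needed):
        print("create before enabling logging:", directory)
```
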

Initiating NFS Logging

To initiate NFS server logging, complete the following steps:

1. Become superuser.

2. Optional: Change the configuration settings in the /etc/nfs/nfslog.conf file.

3. Share the file system for which you want to enable logging, adding the -o log option, or the log=tag option. Example:

share -F nfs -o log /export/sys44_data

4. Check that the NFS service is running on the server.

5. Run the share command to verify that the correct options are listed for the directory you shared.

Managing NFS With the Solaris Management Console Storage Folder Tools

You can manage the NFS system by using components of the storage folder tools from the default tool box of the Solaris Management Console.

The Mounts and Shares tool lets you view, create, and manage several types of mounts and shares.

Module 7

Configuring AutoFS

Objectives

• Describe the fundamentals of the AutoFS file system

• Use automount maps

AutoFS Fundamentals

AutoFS is a file system mechanism that provides automatic mounting using the NFS protocol.

AutoFS is a client-side service.

The AutoFS service mounts and unmounts file systems as required without any user intervention.

The automount facility contains three components:

• The AutoFS file system

• The automountd daemon

• The automount command

AutoFS Fundamentals

[Figure: AutoFS components. Labels: RAM, AutoFS, automount -v, automountd, and the automount maps (master map, direct map, indirect map, special map).]

AutoFS Fundamentals

• AutoFS file system

An AutoFS file system’s mount points are defined in the automount maps on the client system.

After the AutoFS mount points are set up, activity under the mount points can trigger file systems to be mounted under the mount points.

If a mount request is made for an AutoFS resource not currently mounted, the AutoFS service calls the automountd daemon, which mounts the requested resource.

AutoFS Fundamentals

• The automountd daemon

The /lib/svc/method/svc-autofs script starts the automountd daemon.

The automountd daemon mounts file systems on demand and unmounts idle mount points.

• The automount command

The automount command, called at system startup time, reads the master map to create the initial set of AutoFS mounts.

These AutoFS mounts are not automatically mounted at startup time; they are the points under which file systems are mounted on demand.

Using Automount Maps

The following lists the AutoFS map types:

• Master map

• Direct map

• Indirect map

• Special

Using Automount Maps (cont.)

[Figure: NFS client "venues" with the /etc/auto_master map and the maps it references.]

auto_master:

/net -hosts [options]
/home auto_home [options]
/- auto_direct [options]

auto_direct:

/opt/moreapps pluto:/export/opt/apps

auto_home:

Ernie mars:/export/home/ernie
Mary mars:/export/home/mary

Configuring the Master Map

The auto_master map associates a directory, also called a mount point, with a map.

The auto_master map is a master list specifying all the maps that the AutoFS service should check.

The following example shows an /etc/auto_master file.

# cat /etc/auto_master
# Master map for automounter
#
+auto_master
/net -hosts -nosuid,nobrowse
/home auto_home -nobrowse

Using the /net Directory

Shared resources associated with the hosts map entry are mounted below the /net/hostname directory.

For example, a shared resource named /documentation on host sys42 is mounted by the command:

# cd /net/sys42/documentation

Adding Direct Map Entries

A /- entry in the master map defines a mount point for a direct map.

/- auto_direct -ro

Creating a Direct Map

Direct maps specify the absolute path name of the mount point, the specific options for this mount, and the shared resource to mount. For example:

# cat /etc/auto_direct
# Superuser-created direct map for automounter
#
/apps/frame -ro,soft server1:/export/framemaker,v6.0
/opt/local -ro,soft server2:/export/unbundled
/usr/share/man -ro,soft server3,server4,server5:/usr/share/man

Adding Indirect Map Entries

Indirect maps obtain the initial path of the mount point from the master map. For example, the /home entry in the master map defines the base for mount points listed in the indirect map called auto_home.

/home auto_home -nobrowse

• Creating an indirect map

Entries in an indirect map list the remainder of the preferred mount point, and the resource to mount. For example:

stevenu host5:/export/home/stevenu
johnnyd host6:/export/home/johnnyd

Adding Indirect Map Entries (cont.)

• Reducing the auto_home map to a single line

In this example, the use of substitution characters within auto_home specifies that for every login ID, the client remotely mounts the /export/home/loginID directory from the NFS server.

* server1:/export/home/&

• The wildcard character (*) matches any key.

• The substitution character (&) at the end of the path is replaced with the matched key field.
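The lookup described in this module, from master map to direct or indirect map including the * and & characters, can be traced with the following added example (not part of the course material). The maps are constructed from the slides' entries; it assumes that options on a map entry take the place of the master map options, and it simplifies the -hosts map to "host:/remaining path".

```python
# Constructed maps modelled on the slides' examples (not a real client's files).
AUTO_MASTER = """\
# Master map for automounter
+auto_master
/net   -hosts       -nosuid,nobrowse
/home  auto_home    -nobrowse
/-     auto_direct  -ro
"""

MAPS = {
    "auto_home": """\
stevenu  host5:/export/home/stevenu
*        server1:/export/home/&
""",
    "auto_direct": """\
/apps/frame     -ro,soft  server1:/export/framemaker,v6.0
/usr/share/man  -ro,soft  server3,server4,server5:/usr/share/man
""",
}


def _entries(text):
    """Yield the fields of each line, skipping comments and +included maps."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("+"):
            yield line.split()


def parse_master(text):
    """Return [(mount_point, map_name, options)] in file order."""
    return [(f[0], f[1], f[2].lstrip("-") if len(f) > 2 else "")
            for f in _entries(text) if len(f) >= 2]


def parse_map(text):
    """Return {key: (options, location)} for a direct or indirect map."""
    table = {}
    for f in _entries(text):
        if len(f) < 2:
            continue
        options = f[1][1:] if len(f) > 2 and f[1].startswith("-") else ""
        table[f[0]] = (options, f[-1])
    return table


def split_location(location):
    """Expand 'host1,host2:/path' into one 'host:/path' per replica server."""
    hosts, _, path = location.partition(":")   # only the host part is comma-split
    return [f"{host}:{path}" for host in hosts.split(",")]


def resolve(path, master_text=AUTO_MASTER, maps=MAPS):
    """Return (effective_options, [host:/path, ...]) for a client path, or None."""
    for mount_point, map_name, master_opts in parse_master(master_text):
        if mount_point == "/-":                      # direct map: full path is the key
            entry = parse_map(maps[map_name]).get(path)
        elif path.startswith(mount_point + "/"):     # indirect or special map
            key, _, rest = path[len(mount_point) + 1:].partition("/")
            if not key:
                continue
            if map_name == "-hosts":                 # simplified: key is the host name
                entry = ("", f"{key}:/{rest}")
            else:
                table = parse_map(maps[map_name])
                entry = table.get(key) or table.get("*")   # explicit key wins over *
                if entry:
                    entry = (entry[0], entry[1].replace("&", key))
        else:
            continue
        if entry:
            options, location = entry
            return options or master_opts, split_location(location)
    return None


if __name__ == "__main__":
    for sample in ("/home/ernie", "/home/stevenu", "/usr/share/man",
                   "/apps/frame", "/net/sys42/documentation", "/export/other"):
        print(sample, "->", resolve(sample))
```

The effective options are the part worth reviewing: in these maps /net carries nosuid from the master map, while every key matched by the wildcard auto_home entry inherits only nobrowse.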

Adding Indirect Map Entries (cont.)

[Figure: NFS server "mars" (/export/home with ernie and mary) and NFS client "venus" (/home under autofs, auto_home map in /etc): mount on demand by automountd.]

Updating the Automount Maps

When making changes to the master map or creating a direct map, run the automount command to make the changes effective.

You do not have to stop and restart the automountd daemon.

You can modify existing entries in a direct map at any time. The new information is used when the automountd daemon next accesses the map entry to perform a mount.

Any modifications to indirect maps are automatically used by the automountd daemon.

Stopping and Starting the Automount System

• Stopping the automount system

To disable the service manually, enter the following command:

# svcadm disable svc:/system/filesystem/autofs

• Starting the automount system

To enable the service manually, enter the following command:

# svcadm enable svc:/system/filesystem/autofs

Module 8

Describing RAID and the Solaris™ Volume Manager Software

Objectives

• Describe RAID

• Describe Solaris Volume Manager software concepts

RAID 0

• Concatenated volumes (or concatenations)

[Figure: RAID 0 (concatenation). Solaris Volume Manager combines physical slices A, B, and C into one logical volume.]

RAID 0 (cont.)

• Striped volumes (or stripes)

[Figure: RAID 0 (stripe). Solaris Volume Manager distributes interlaces 1 through 6 across physical slices A, B, and C to form one logical volume.]

RAID 1

[Figure: RAID 1 (mirror). Solaris Volume Manager presents submirror 1 and submirror 2, each holding interlaces 1 through 4, as one logical volume.]

RAID 0+1

[Figure: RAID 0+1. Physical slices A through F form two RAID 0 (striped) volumes, submirror 1 and submirror 2, which are combined into a RAID 1 (mirrored) volume.]

Mirror Options

Mirror performance can be modified by using the following options:

• Mirror read policy

• Mirror write policy

You can define mirror options when you initially create the mirror or after you set up the mirror. You can distribute the load across the submirrors to improve read performance.

Mirror Read Policies

Read Policy             Description
Round Robin (default)   Balances the load across the submirrors
Geometric               Enables the system to divide reads among submirrors on the basis of a logical disk block address
First                   Directs all reads to the first submirror

Mirror Write Policies

Write Policy         Description
Parallel (Default)   Replicates a write to a mirror, and dispatches the write to all of the submirrors simultaneously
Serial               Specifies that writes to one submirror must complete before initiating writes to the next submirror

RAID 5

[Figure: RAID 5. Solaris Volume Manager stripes interlaces 1 through 12 and the parity segments P(1-3), P(4-6), P(7-9), and P(10-12) across physical slices A, B, C, and D to form one RAID 5 logical volume.]

RAID 5 (cont.)

Requirements for RAID-5 Volumes

The general configuration guidelines for configuring RAID-5 volumes are:

• Create a RAID-5 volume with a minimum of three slices. The more slices a RAID-5 volume contains, the longer read and write operations take when a slice fails.

• Do not stripe, concatenate, or mirror RAID-5 volumes.

• Do not create a RAID-5 volume from a slice that contains an existing file system, because you will erase the data during the RAID-5 initialization process.

RAID 5 (cont.)

• When you create a RAID-5 volume, you can define the interlace value. If you do not specify a value, a default value of 16 Kbytes is assigned.

• A RAID-5 volume (with no hot spares) can only handle a single slice failure.

• To optimize performance, use slices across separate controllers when creating RAID-5 volumes.

• Use disk slices of the same size. Creating a RAID-5 volume of different-sized slices results in unused disk space on the larger slices.

RAID 5 (cont.)

Suggestions for RAID 5 Volumes

The following general suggestions can help avoid common performance problems when using RAID-5 volumes:

• Because of the complexity of parity calculations, volumes with greater than about 20 percent writes should probably not be RAID-5 volumes. If data redundancy on a write-heavy volume is needed, consider mirroring.

• If the slices in the RAID-5 volume reside on different controllers and the accesses to the volume are primarily large sequential accesses, then setting the interlace value to 32 Kbytes might improve performance.

Hardware Considerations

For any given application there are trade-offs in performance, availability, and hardware costs. A few categories of information that you must address during the storage planning phase are:

• General storage guidelines

• Determining storage characteristics

• Storage performance guidelines

Choosing Storage Mechanisms

Feature                      RAID-0 Concatenation   RAID-0 Stripe   RAID-1 Mirror                      RAID-5 Stripe With Parity
Redundant data               No                     No              Yes                                Yes
Improved read performance    No                     Yes             Depends on the underlying device   Yes
Improved write performance   No                     Yes             No                                 No

Optimizing Redundant Storage

Factors                      RAID 1 (Mirror)   RAID 5   Non-Redundant
Write operations             Faster            Slower   Neutral
Random read                  Slower            Faster   Neutral
Hardware cost                Highest           Higher   Lowest
Performance during failure   Best              Poor     Data loss

Introducing Solaris Volume Manager Software Concepts

The Solaris Volume Manager software lets you manage large numbers of disks and the data on those disks. Most tasks include:

• Increasing storage capacity

• Increasing data availability

• Making the administration of large storage devices easier

Logical Volume

SVM software uses virtual disks called logical volumes to manage physical disks and their associated data.

You can create the Solaris Volume Manager software volumes from slices (disk partitions) or from other Solaris Volume Manager software volumes.

The Enhanced Storage tool within the Solaris Management Console allows you to list, create, and modify any type of SVM software volumes or components.

Soft Partitions

Soft partitions provide a mechanism for dividing large storage spaces into smaller, more manageable sizes.

Use soft partitioning to divide a slice or volume into as many divisions as needed. A soft partition, once named, can be directly accessed by applications, including file systems, as long as it is not included in another volume.

Introducing the State Database

Before creating volumes using the Solaris Volume Manager software, state database replicas must exist on the Solaris Volume Manager software system.

The Solaris Volume Manager software automatically updates the state database when a configuration or state change occurs.

The state database is a collection of multiple, replicated database copies. Having copies of the state database protects against data loss from single points-of-failure.

Objectives

• Describe Solaris Volume Manager software concepts

• Build a RAID-0 (concatenated) volume

• Build a RAID-1 (mirror) volume for the root (/) file system

Solaris Volume Manager Concepts

The Solaris Volume Manager software in the Solaris 9 OS and Solaris 10 OS replaces the Solstice DiskSuite™ software used in releases of the Solaris OS prior to Solaris 9 OS.

The Solaris Volume Manager software is used to implement RAID 0, RAID 1, RAID 1+0, and RAID 5.

State Database Replicas

The state database stores information on disk about the state of your Solaris Volume Manager software configuration.

Multiple copies of the database, called replicas, provide redundancy. The state database replicas should be distributed across multiple disks.

Solaris Volume Manager software uses a majority consensus algorithm to determine which state database replicas contain valid data.

The algorithm requires that a majority (half + 1) of the state database replicas are available before any of them are considered valid.

State Database Replicas

The majority consensus algorithm:

• Makes sure that the system stays running if at least half of the state database replicas are available.

• Causes the system to panic if fewer than half of the state database replicas are available.

• Prevents the system from starting the Solaris Volume Manager software unless a majority of the total number of state database replicas are available.

Creating the State Database

You can create state database replicas by using the following:

• The metadb -a command

• The Solaris Volume Manager software GUI

The following example shows using metadb to create state database replicas:

# metadb -a -f c0t0d0s4 c0t0d0s5 c1t0d0s0 c1t0d0s1
# metadb
        flags           first blk       block count
     a        u         16              8192            /dev/dsk/c0t0d0s4
     a        u         16              8192            /dev/dsk/c0t0d0s5
     a        u         16              8192            /dev/dsk/c1t0d0s0
     a        u         16              8192            /dev/dsk/c1t0d0s1
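The majority consensus rules and the metadb listing above can be combined to check what the loss of one disk does to the replica quorum. The following script is an added example, not part of the original course material; the function names are made up here, the second and third listings are constructed, and it assumes cNtNdNsN slice names as used on this page.

```shell
#!/bin/sh
# Added example: apply the majority consensus rules to `metadb` output.
# Function names are hypothetical; nothing here calls SVM itself.

# The metadb listing shown on this page: two replicas on each of two disks.
sample_page_metadb() {
    cat <<'EOF'
        flags           first blk       block count
     a        u         16              8192            /dev/dsk/c0t0d0s4
     a        u         16              8192            /dev/dsk/c0t0d0s5
     a        u         16              8192            /dev/dsk/c1t0d0s0
     a        u         16              8192            /dev/dsk/c1t0d0s1
EOF
}

# Constructed listing: three replicas on one disk, one on another.
sample_lopsided_metadb() {
    cat <<'EOF'
        flags           first blk       block count
     a        u         16              8192            /dev/dsk/c0t0d0s4
     a        u         16              8192            /dev/dsk/c0t0d0s5
     a        u         16              8192            /dev/dsk/c0t0d0s6
     a        u         16              8192            /dev/dsk/c1t0d0s0
EOF
}

# Constructed listing: two replicas on each of three disks.
sample_three_disk_metadb() {
    cat <<'EOF'
        flags           first blk       block count
     a        u         16              8192            /dev/dsk/c0t0d0s4
     a        u         16              8192            /dev/dsk/c0t0d0s5
     a        u         16              8192            /dev/dsk/c1t0d0s0
     a        u         16              8192            /dev/dsk/c1t0d0s1
     a        u         16              8192            /dev/dsk/c2t0d0s0
     a        u         16              8192            /dev/dsk/c2t0d0s1
EOF
}

# Read metadb output on stdin, print "disk replica-count" per physical disk.
replica_counts() {
    awk '
        $NF ~ /^\/dev\/dsk\// {
            disk = $NF
            sub(/^\/dev\/dsk\//, "", disk)   # drop the directory
            sub(/s[0-9]+$/, "", disk)        # drop the slice number
            count[disk]++
        }
        END { for (d in count) print d, count[d] }
    ' | sort
}

# For each disk, report what remains if that disk alone is lost:
#   majority  - more than half remain: keeps running and SVM starts at boot
#   half-only - exactly half remain: keeps running, but SVM will not start
#               at the next boot (a majority is required)
#   panic     - fewer than half remain: the system panics
failure_report() {
    replica_counts | awk '
        { disk[NR] = $1; n[NR] = $2; total += $2 }
        END {
            for (i = 1; i <= NR; i++) {
                left = total - n[i]
                if (2 * left > total)       verdict = "majority"
                else if (2 * left == total) verdict = "half-only"
                else                        verdict = "panic"
                printf "%s %d/%d %s\n", disk[i], left, total, verdict
            }
        }
    '
}

# On a live system the input would come from: metadb | failure_report
sample_page_metadb | failure_report
```

For the four-replica, two-disk layout created on this page, losing either disk leaves exactly half of the replicas, so the system keeps running but cannot start the Solaris Volume Manager software at the next boot.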

Creating the State Database Using the Solaris Management Console


Configuring RAID-0

RAID-0 volumes let you expand disk storage capacity efficiently. These volumes do not provide data redundancy, but can be used to expand disk storage capacity.

RAID-0 comes in two forms, stripes and concatenations.

• Striping enables parallel data access because multiple controllers can access the data at the same time. A stripe distributes data equally across all slices in the stripe.

• A concatenated volume writes data to the first available slice. When the first slice is full, the volume writes data to the next available slice.

Creating a RAID-0 Volume Using the Command Line

• State database replicas must exist before you can configure any metadevices.

• For example, to create two replicas on each of two slices, use the command:
# metadb -a -f -c 2 c3t2d0s7 c3t3d0s7

• In this example, assume that the /export/home (/dev/dsk/c0t0d0s7) file system is almost at capacity. A new slice from another disk will be concatenated to it, making a RAID-0 concatenated volume.

Creating a RAID-0 Volume Using the Command Line

• Use the metainit command to create metadevices and associate slices with them. For example:
# metainit -f d0 2 1 c0t0d0s7 1 c3t2d0s0
d0: Concat/Stripe is setup

• The -f option is required if one of these slices is currently mounted.

• The metadevice name used for this concatenation is d0.

• In a concatenation, the number of stripes is equal to the number of slices being added, in this case 2.

• The number of slices in each stripe is one, so the number 1 appears before each slice.

Creating a RAID-0 Volume Using the Command Line

• The new metadevice (d0) has been created, but is not being used yet. It needs to be remounted using the new metadevice device files.

• Locate the entry in the /etc/vfstab file that mounts the file system at boot time:
/dev/dsk/c0t0d0s7 /dev/rdsk/c0t0d0s7 /export/home ufs 2 yes -

Change the device names to match the metadevice names:
/dev/md/dsk/d0 /dev/md/rdsk/d0 /export/home ufs 2 yes -

Creating a RAID-0 Volume Using the Command Line

• Un-mount and re-mount the file system using the new device files:
# umount /export/home
# mount /export/home
# df -h /export/home
Filesystem             size   used  avail capacity  Mounted on
/dev/md/dsk/d0         470M   395M    28M    94%    /export/home

• The existing file system needs to be grown into the new space.

• This is done with the growfs command. Use the option -M to specify a mount point:
# growfs -M /export/home /dev/md/rdsk/d0
...

Creating a RAID-0 Volume Using Solaris Management Console


Configuring RAID-1

RAID-1 volumes are also known as mirrors and provide data redundancy. A RAID-1 volume maintains identical copies of the data in the RAID-0 volumes from which it is made.

• Using multiple submirrors

• A mirror is made of two or more RAID-0 volumes.

• The mirrored RAID-0 volumes are called submirrors.

• A mirror consisting of two submirrors is known as a two-way mirror.

• You can attach or detach a submirror from a mirror at any time.

Building a Mirror of the Root (/) File System

The procedure for building a mirror of the root (/) file system can be accomplished using the command line exclusively, but it is not possible to use the Solaris Management Console (SMC) exclusively.

This section describes how to create a RAID-1 volume for the root (/) file system, which cannot be unmounted.

Building a Mirror of the Root (/) File System (cont.)

Creating a mirror of the root (/) file system requires the following general steps:

1. Create a RAID-0 volume for the file system you want to mirror.

2. Create a second RAID-0 volume to contain the second submirror of the RAID-1 volume.

3. Create a one-way mirror using the RAID-0 volume that contains the file system to be mirrored.

4. Use the metaroot command to update the system’s configuration, because this is a root (/) mirror.

5. Reboot your system, because this is a root (/) mirror.

Building a Mirror of the Root (/) File System (cont.)

6. Attach the second submirror to the file system mirror.

7. Record the alternate boot path that is used in the event of a failure of the primary submirror, because this is a mirror of the root (/) file system.

Building a Mirror of the Root (/) File System (cont.)

• Creating the RAID-0 volumes

The first step when building a mirror of the root (/) file system is to create RAID-0 volumes, which you later combine to form the mirror. Each RAID-0 volume becomes a submirror to the mirror.

• Use the metainit command to create a RAID-0 volume to be used as the primary submirror of the root (/) file system:
# /usr/sbin/metainit -f d11 1 1 c0t0d0s0
d11: Concat/Stripe is setup

This command forces the creation of the d11 volume.

Building a Mirror of the Root (/) File System (cont.)

• To create a RAID-0 volume to be used as the secondary submirror of the root file system, use the metainit command again:
# metainit d12 1 1 c3t3d0s1
d12: Concat/Stripe is setup

• Creating the RAID-1 volume

The following metainit example creates a mirrored volume named d10.

This command attaches the volume d11 as a submirror of the mirror named d10.

# /usr/sbin/metainit d10 -m d11
d10: Mirror is setup

Building a Mirror of the Root (/) File System (cont.)

• Executing the metaroot command

When creating mirrors of mounted file systems, you must update the /etc/vfstab file to change the mount point from a slice to a volume. The /etc/system file must change to include entries related to SVM drivers.

When mirroring the root (/) file system, use the metaroot command to modify the /etc/vfstab and /etc/system files, as follows:
# metaroot d10
# grep md /etc/vfstab
/dev/md/dsk/d10 /dev/md/rdsk/d10 / ufs 1 no -
# tail /etc/system
rootdev:/pseudo/md@0:0,10,blk

Building a Mirror of the Root (/) File System (cont.)

• Rebooting the system

You must reboot the system before attaching the secondary submirror.
# init 6

• Attaching the secondary submirror

Attach the secondary submirror by using the metattach command:
# metattach d10 d12
d10: submirror d12 is attached

Building a Mirror of the Root (/) File System (cont.)

The metastat command shows the mirror synchronization taking place.

# metastat d10
d10: Mirror
    Submirror 0: d11
      State: Okay
    Submirror 1: d12
      State: Resyncing
    Resync in progress: 83 % done
    Pass: 1
    Read option: roundrobin (default)
    Write option: parallel (default)
    Size: 307440 blocks (150 MB)

Building a Mirror of the Root (/) File System (cont.)

• Updating the boot-device PROM variable

Use the OpenBoot nvalias command to define a backup_root device alias for the secondary root mirror. For example:
ok nvalias backup_root /pci@1f,0/pci@1/pci@1/SUNW,isptwo@4/sd@3,0:b

Redefine the boot-device variable to reference both the primary and secondary submirrors, in the order in which you want to access them.
ok setenv boot-device disk backup_root net
boot-device= disk backup_root net

Configuring an x86-Based System for Mirrored Failover (cont.)

• The GNU GRand Unified Bootloader (GRUB)

• GRUB is responsible for loading a boot archive into the system's memory.

• Understanding the GRUB device naming conventions can assist you in correctly specifying drive and partition information when you configure GRUB on your system.

• The functional GRUB components include the stage1 and stage2 programs, and the menu.lst file.

Configuring an x86-Based System for Mirrored Failover (cont.)

• x86/x64 Boot Program Locations

[Figure: x86/x64 boot program locations on disk cylinders 0 and 1. Labels: Sector 0 = mboot + fdisk partition table; Solaris fdisk partition cylinder 0 (disk cyl 1) = slice 8; Sector 0 = stage1; Sector 1 + 2 = disk label + VTOC; Sector 50 = stage2, extends for 200+ sectors.]

Configuring an x86-Based System for Mirrored Failover (cont.)

• Creating a RAID-1 Volume From the root File System

• Configure the ordering for the BIOS boot devices, if possible.

• Configure the Solaris fdisk partition and root slice on the mirror disk.

• Install the mboot program.
# fdisk -b /usr/lib/fs/ufs/mboot -n /dev/rdsk/c2d0p0

• Install the GRUB stage1 and stage2 programs.
# /sbin/installgrub /boot/grub/stage1 /boot/grub/stage2 \
/dev/rdsk/c2d0p0

Configuring an x86-Based System for Mirrored Failover (cont.)

• Identify the slice that contains the existing root (/) file system to be mirrored.

• Create a new RAID-0 volume on the existing root (/) file system to be mirrored.

• Create a second RAID-0 volume on an unused slice to act as the second submirror.

• Create a one-way mirror.

• Remount your newly mirrored file system, then reboot the system.
# metaroot volume-name
# reboot

Configuring an x86-Based System for Mirrored Failover (cont.)

• Attach the second submirror.
# metattach volume-name submirror-name

• Define the alternative boot path in the /boot/grub/menu.lst file.
# vi /boot/grub/menu.lst
....
title alternate boot
root (hd1,0,a)
kernel /boot/multiboot
module /boot/x86.miniroot-safe

Unmirroring the Root (/) File System (cont.)

• Because this is a root (/) file system mirror, run the metaroot command to update the /etc/vfstab and /etc/system files.
# metaroot /dev/dsk/c0t0d0s0

• Reboot the system.
# init 6

• Run the metaclear command to clear the mirror and submirrors.
# metaclear -r d10
d10: Mirror is cleared
d11: Concat/Stripe is cleared
# metaclear d12
d12: Concat/Stripe is cleared

Unmirroring the Root (/) File System (cont.)

If you changed your boot-device variable to an alternate boot path, return it to its original setting.


Module 10

Configuring Role-Based Access Control (RBAC)

Objectives

• Describe RBAC fundamentals

• Describe component interaction within RBAC

• Manage RBAC by using the Solaris Management Console

• Manage RBAC by using the command line

RBAC Fundamentals

In conventional UNIX® systems, the root user (also referred to as the superuser) has the ability to perform any task.

In systems implementing RBAC, individual users can be assigned to roles, where roles are associated with rights profiles.

Rights profiles list the rights to run specific commands and applications with escalated privileges.

Roles can also be assigned authorizations. An authorization grants access to restricted functions in RBAC compliant applications.

Key RBAC Files

RBAC authorizations, roles, rights profiles, and privileged commands are defined in four files:

• The /etc/user_attr file

• The /etc/security/prof_attr file

• The /etc/security/policy.conf file

• The /etc/security/exec_attr file

The user_attr File

The /etc/user_attr file lists the rights profiles and authorizations associated with users and roles.

When you create a new user account with no rights profiles, authorizations, or roles, nothing is added to the file.

Changes to this file will be illustrated as related RBAC features are described in this module.

Roles

• A role is a special identity, similar to a user account, used to run privileged applications or commands.

• You assign users to roles so those users can run the commands associated with those roles.

• No predefined roles are shipped with the Solaris 10 OS.

• You assign rights profiles to a role when you define a role.

• The roles command lists the roles a user has been assigned:
# roles root
No roles

Assigning Rights Profiles to Users

• A rights profile is a collection of rights that can be assigned to a user.

• A right is a command or script which runs with special security attributes.

• Many examples of rights profiles are shipped with the Solaris 10 OS.

Assigning Rights Profiles to Users

• The /etc/security/prof_attr file contains rights profile names and descriptions.
# cat /etc/security/prof_attr
(output omitted)
All:::Execute any command as the user or role:help=RtAll.html
Log Management:::Manage log files:help=RtLogMngmnt.html
...

• Each line starts with the rights profile name.

• The middle fields are not used, and the last two fields hold a comment and a pointer to a help file.

Assigning Rights Profiles to Users

• The profiles command lists rights profiles assigned to a user.
# profiles chris
Basic Solaris User
All

• Every account has the All rights profile. It allows any command to be executed, but with special security attributes.

• Other rights profiles given to all new user accounts are defined in the /etc/security/policy.conf file.
# grep 'PROFS' /etc/security/policy.conf
PROFS_GRANTED=Basic Solaris User

Assigning Rights Profiles to Users

• Rights profiles can be assigned to a user account with the usermod command or the Solaris Management Console (SMC).
# usermod -P "Printer Management" chris
# profiles chris
Printer Management
Basic Solaris User
All

• This automatically updates the /etc/user_attr file as shown by the following:
# grep chris /etc/user_attr
chris::::type=normal;profiles=Printer Management

The /etc/security/exec_attr File

The /etc/security/exec_attr file holds execution attributes.

• An execution attribute is either a command with no option, or a script that contains a command, possibly with options.

• In this file, the special security attributes UID, EUID, GID, and EGID, specify attributes to add to a process when it runs.

• Only the users and roles assigned access to a particular rights profile can run its associated commands with their special security attributes.

The /etc/security/exec_attr File

Commands and special security attributes for the Printer Management rights profile are listed as follows:

# grep 'Printer Management' /etc/security/exec_attr
Printer Management:suser:cmd:::/etc/init.d/lp:euid=0;uid=0
Printer Management:suser:cmd:::/usr/bin/cancel:euid=lp;uid=lp
Printer Management:suser:cmd:::/usr/bin/lpset:egid=14
Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
Printer Management:suser:cmd:::/usr/lib/lp/local/accept:uid=lp
Printer Management:suser:cmd:::/usr/lib/lp/local/lpadmin:uid=lp;gid=8
Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0
Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp;uid=lp
...

Assigning Rights Profiles to Roles

If a large number of user accounts require the same configuration and management of rights profiles, it can be easier to assign the rights profiles to a role and give the users access to the role.

• Creating a role

The roleadd command creates a role entry in the /etc/passwd, /etc/shadow, and /etc/user_attr files.
# roleadd -m -d /export/home/level1 -c "Level One Support" \
-P "Printer Management,Media Backup,Media Restore" level1
64 blocks

The role cannot be used until a password for it is set.

Assigning Rights Profiles to Roles

The changes to the /etc/passwd, /etc/shadow, and /etc/user_attr files are shown as follows:

# grep level1 /etc/passwd
level1:x:102:1:Level One Support:/export/home/level1:/bin/pfsh
# grep level1 /etc/shadow
level1:CUs8aQ64vTrZ.:12713::::::
# grep level1 /etc/user_attr
level1::::type=role;profiles=Printer Management,Media Backup,Media Restore


Assigning Rights Profiles to Roles

• Modifying a role

To modify the login information of a role on a system, use the rolemod command.

This example modifies the role’s rights profiles.

# rolemod -P profile1,profile2 -s /usr/bin/pfksh level1


Assigning Rights Profiles to Roles

• Purpose of the profile shells

A profile shell is a special type of shell that enables access to the privileged rights that are assigned to the rights profile.

The standard UNIX shells cannot be used, as they are not aware of the RBAC files, and do not consult them.

The profile shells are pfsh, pfcsh, and pfksh.


Assigning Roles to Users

The useradd command or the Solaris Management Console (SMC) can be used to assign users to roles.

The example shows the useradd command being used with the -R option to assign roles:

# useradd -m -d /export/home/paul -R level1 paul
64 blocks
#

This example associates the level1 role with the user chris:

# usermod -R level1 chris
#

Using Roles

As it is not possible to directly log in to a role account, log in as a regular user first.

The roles command shows the roles available to your account.

$ id
uid=103(paul) gid=1(other)
$ roles
level1

Switch the user to the role account with the su command.

$ su level1
Password:
$ id
uid=102(level1) gid=1(other)

Authorizations

An authorization grants access to restricted functions in RBAC-compliant applications.

Some applications and commands in the Solaris 10 OS are written to check the authorizations of the user calling them.

The predefined authorizations are listed in the /etc/security/auth_attr file.

# cat /etc/security/auth_attr
(output omitted)
solaris.jobs.:::Job Scheduler::help=JobHeader.html
solaris.jobs.admin:::Manage All Jobs::help=AuthJobsAdmin.html
solaris.jobs.grant:::Delegate Cron & At Administration::help=JobsGrant.html
...


Assigning Authorizations

Authorizations can be assigned to user accounts. Authorizations can also be assigned to roles or embedded in a rights profile, which can be assigned to a user or role.

Authorizations may be assigned from the command line or with SMC.

This example shows the usermod command used with the -A option to add an authorization to a user:

# usermod -A solaris.jobs.admin chris


Assigning Authorizations

The usermod command automatically updates the /etc/user_attr file with this new information.

# grep chris /etc/user_attr
chris::::type=normal;auths=solaris.jobs.admin;profiles=Printer Management


Assigning Authorizations to Roles

If a large number of user accounts require the same configuration and management of authorizations, it can be easier to assign the authorizations to a role and give the users access to the role.

You can assign authorizations to roles with the roleadd command or with SMC.


Assigning Authorizations to Roles

This example uses the roleadd -P and -A options to create a role called level2 that is assigned the authorization solaris.admin.usermgr.*.

# roleadd -m -d /export/home/level2 -P "Mail Management" \
-A "solaris.admin.usermgr.*" level2
64 blocks
#


Assigning Authorizations to Rights Profiles

A rights profile usually includes a list of commands and special security attributes, the rights, as defined in the /etc/security/exec_attr file.

It is also possible to include predefined authorizations from the /etc/security/auth_attr file in the rights profile by adding the authorizations to the /etc/security/prof_attr file.


RBAC Configuration File Summary

The figure on this slide shows how the four files used by RBAC are interrelated.

[Figure: user_attr (Users, Roles), prof_attr (Profiles), exec_attr (Privileges), auth_attr (Authorization)]


RBAC Configuration File Summary

From the /etc/security/auth_attr database:

solaris.system.date:::Set Date & Time::help=SysDate.html

From the /etc/user_attr database:

sysadmin::::type=role;profiles=Device Management,Filesystem Management,Printer Management,All
johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin

From the /etc/security/prof_attr database:

Printer Management:::Manage printers, daemons, spooling:help=RtPrntAdmin.html;auths=solaris.admin.printer.read,solaris.admin.printer.modify,solaris.admin.printer.delete

From the /etc/security/exec_attr database:

Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0
Printer Management:suser:cmd:::/etc/init.d/lp:euid=0
Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0
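The chain user → role → rights profile → commands and authorizations from the summary above can be walked mechanically when reviewing who can reach root-equivalent commands. This is an added example, not part of the course material; it embeds the entries quoted on the slide (a partial sample, so profiles with no entry contribute nothing), and the function names are hypothetical.

```python
"""Resolve what a Solaris RBAC user can reach from user_attr, prof_attr, exec_attr."""

# Entries quoted from the summary slide (partial sample of the real files).
USER_ATTR = """\
sysadmin::::type=role;profiles=Device Management,Filesystem Management,Printer Management,All
johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin
"""

PROF_ATTR = """\
Printer Management:::Manage printers, daemons, spooling:help=RtPrntAdmin.html;auths=solaris.admin.printer.read,solaris.admin.printer.modify,solaris.admin.printer.delete
"""

EXEC_ATTR = """\
Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0
Printer Management:suser:cmd:::/etc/init.d/lp:euid=0
Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0
"""


def parse_attrs(field):
    """Split 'key=v1,v2;key2=v' into {key: [v1, v2], key2: [v]}."""
    attrs = {}
    for pair in filter(None, field.split(";")):
        key, _, value = pair.partition("=")
        attrs[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return attrs


def records(text, nfields):
    """Yield colon-split records, skipping blank lines and comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            # maxsplit keeps any ':' inside the last (attribute) field intact
            yield line.split(":", nfields - 1)


def load():
    """Build lookup tables from the three embedded databases."""
    users = {r[0]: parse_attrs(r[4]) for r in records(USER_ATTR, 5)}
    prof_auths = {r[0]: parse_attrs(r[4]).get("auths", [])
                  for r in records(PROF_ATTR, 5)}
    prof_cmds = {}
    for name, _policy, _type, _r1, _r2, path, attr in records(EXEC_ATTR, 7):
        prof_cmds.setdefault(name, {})[path] = parse_attrs(attr)
    return users, prof_auths, prof_cmds


def rights_of(account, users, prof_auths, prof_cmds):
    """Authorizations and commands an account holds itself (roles excluded)."""
    entry = users.get(account, {})
    auths = set(entry.get("auths", []))
    cmds = {}
    for profile in entry.get("profiles", []):
        auths.update(prof_auths.get(profile, []))
        for path, attrs in prof_cmds.get(profile, {}).items():
            cmds.setdefault(path, attrs)  # keep the first profile that lists it
    return auths, cmds


def resolve(user):
    """Return the user's own rights plus the rights of each role it may assume."""
    users, prof_auths, prof_cmds = load()
    auths, cmds = rights_of(user, users, prof_auths, prof_cmds)
    roles = {}
    for role in users.get(user, {}).get("roles", []):
        r_auths, r_cmds = rights_of(role, users, prof_auths, prof_cmds)
        roles[role] = {"auths": r_auths, "commands": r_cmds}
    return {"auths": auths, "commands": cmds, "roles": roles}


def root_commands(user):
    """(role, command) pairs that run with uid or euid 0 after assuming the role."""
    found = set()
    for role, rights in resolve(user)["roles"].items():
        for path, attrs in rights["commands"].items():
            ids = attrs.get("uid", []) + attrs.get("euid", [])
            if {"0", "root"} & set(ids):
                found.add((role, path))
    return sorted(found)


if __name__ == "__main__":
    print("direct auths:", sorted(resolve("johndoe")["auths"]))
    for role, path in root_commands("johndoe"):
        print(f"{role}: {path} runs as root")
```
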


Managing RBAC Using the Solaris Management Console

The Solaris Management Console in the Solaris 10 OS enables you to configure RBAC features using a GUI console.


Managing RBAC Using the Solaris Management Console

To set up privileged access using SMC, complete the following steps:

1. Build the user accounts that will be assigned the RBAC rights profiles and roles.

2. Build the rights profiles needed to support the privileged access requirements.

3. Build the role that will provide access to the rights profiles for designated users.


Managing RBAC Using the Solaris Management Console

To access RBAC features in SMC, complete the following steps:

1. Select Management Tools.

2. Click This Computer.

3. Click System Configuration.

4. Double-click the Users icon.


Module 11

Configuring System Messaging


Objectives

• Describe the fundamentals of the syslog function

• Configure the /etc/syslog.conf file

• Configure syslog messaging

• Use the Solaris Management Console log viewer


The syslog Concept

The syslog function sends messages generated by the kernel and system utilities and applications to the syslogd daemon. With the syslog function you can control message logging, depending on the configuration of the /etc/syslog.conf file. The daemon can:

• Write messages to a system log

• Forward messages to a centralized log host

• Forward messages to a list of users

• Write messages to the system console


The /etc/syslog.conf File

A configuration entry in the /etc/syslog.conf file consists of two tab-separated fields: selector and action.

The selector field has two components, a facility and a level, written as facility.level.

The action field determines where to send the message.


The syslogd Daemon and the m4 Macro Processor

The syslogd daemon, the m4 macro processor, and the /etc/syslog.conf file interact in conceptual phases to determine the correct message routing.

These conceptual phases are described as:

1. The syslogd daemon runs the m4 macro processor.

2. The m4 processor reads the /etc/syslog.conf file, processes any m4 statements in the input, and passes the output to the syslogd daemon.


The syslogd Daemon and the m4 Macro Processor

• The m4 Macro Processor

[Figure: syslog.conf (Selector Field, Action Field), m4, syslogd]

Configuring the /etc/syslog.conf File

The target locations for the syslog message files are defined within the /etc/syslog.conf file. You must restart the syslogd daemon whenever you make any changes to this file.

The following excerpt from the /etc/syslog.conf file shows how various events are logged by the system.

*.err;kern.notice;auth.notice	/dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit	/var/adm/messages
*.alert;kern.err;daemon.err	operator
*.alert	root
*.emerg	*


Configuring the /etc/syslog.conf File

In Line 1, every error event (*.err) and all kernel and authorization facility events of level notice, which are not error conditions but might require special handling, will write a message to the /dev/sysmsg file.

In Line 2, every error event (*.err), all kernel facility events of level debug, all daemon facility events of level notice, and all critical level mail events will record a message in the /var/adm/messages file. Therefore, errors are logged to both files.

Line 3 indicates that all alert level events, including the kernel error level and daemon error level events, are sent to the user operator if this user is logged in.


Configuring the /etc/syslog.conf File

Line 4 indicates that all alert level events are sent to the root user if the root user is logged in.

Line 5 indicates that any event that the system interprets as an emergency will be logged to the terminal of every logged-in user.
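The five-line excerpt and its line-by-line reading above can be checked with a small model of selector matching that reports which lines a given facility.level message hits. This is an added example, not part of the course material; it assumes the BSD-derived syslogd rules that a selector level matches that level and anything more severe, and that a later selector for the same facility on a line replaces an earlier one. The function names are hypothetical and the mark facility is not modeled.

```python
import re

# The five entries from the excerpt; selector and action are tab-separated.
SYSLOG_CONF = (
    "*.err;kern.notice;auth.notice\t/dev/sysmsg\n"
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n"
    "*.alert;kern.err;daemon.err\toperator\n"
    "*.alert\troot\n"
    "*.emerg\t*\n"
)

# Severity order, most severe first.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog_conf(conf):
    """Return [(line_no, [(facility, level), ...], action)] for each entry."""
    entries = []
    for n, line in enumerate(conf.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line.strip())
        if len(fields) != 2:
            raise ValueError(f"line {n}: expected selector<TAB>action")
        selectors = []
        for sel in fields[0].split(";"):
            facilities, _, level = sel.rpartition(".")
            if level != "none" and level not in LEVELS:
                raise ValueError(f"line {n}: unknown level {level!r}")
            # 'mail,daemon.err' names several facilities at one level
            selectors += [(f, level) for f in facilities.split(",")]
        entries.append((n, selectors, fields[1]))
    return entries


def describe(action):
    """Classify the action field into the four things the daemon can do."""
    if action.startswith("/"):
        return ("file", action)
    if action.startswith("@"):
        return ("loghost", action[1:])
    if action == "*":
        return ("all-users", "*")
    return ("users", action.split(","))


def route(facility, level, conf=SYSLOG_CONF):
    """Return [(line_no, action)] for every entry a facility.level message hits."""
    severity = LEVELS.index(level)
    hits = []
    for n, selectors, action in parse_syslog_conf(conf):
        threshold = None
        for fac, lvl in selectors:
            if fac in ("*", facility):
                # Assumption: the last selector naming this facility wins.
                threshold = None if lvl == "none" else LEVELS.index(lvl)
        if threshold is not None and severity <= threshold:
            hits.append((n, action))
    return hits


if __name__ == "__main__":
    for fac, lvl in [("auth", "notice"), ("daemon", "err"),
                     ("mail", "err"), ("kern", "emerg"), ("user", "info")]:
        targets = [describe(a) for _, a in route(fac, lvl)]
        print(f"{fac}.{lvl}: {targets}")
```

Under those assumptions a mail.err message reaches /dev/sysmsg but not /var/adm/messages, because mail.crit on line 2 replaces *.err for the mail facility.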


Stopping and Starting the syslogd Daemon

The /lib/svc/method/system-log file starts the syslogd process during each system boot.

You can manually stop or start the syslogd daemon, or send it a refresh command, which causes the daemon to reread the /etc/syslog.conf file.

# svcadm disable svc:/system/system-log:default

To start the syslogd daemon, perform the command:

# svcadm enable svc:/system/system-log:default

To send a refresh to the syslogd daemon, perform the command:

# svcadm refresh svc:/system/system-log:default


Configuring syslog Messaging

The inetd daemon is the network listener process for many network services. The inetd daemon listens for service requests on the TCP and User Datagram Protocol (UDP) ports associated with each of the services listed in the inetd configuration file.

The inetd daemon is controlled through the use of the inetadm command.


Monitoring a syslog File in Real Time

The tail -f command holds the file open so that you can view messages being written to the file by the syslogd daemon, for example:

# tail -f /var/adm/messages
Jun 14 13:15:39 host1 inetd[2359]: [ID 317013 daemon.notice] telnet[2361] from 192.9.200.1 45800


Using the Solaris Management Console Log Viewer

You can use the Solaris Management Console Log Viewer application to view syslog message files. You can also use this application to view and capture information from the Management Tool logs. To open the viewer, perform the following steps:

1. Use the smc command to open the Solaris Management Console:

# smc &

The Solaris Management Console application launches.


Using the Solaris Management Console Log Viewer

2. Select This Computer (hostname).

3. Select System Status.

4. Select Log Viewer.

The initial Log Viewer display lists Management Tools log entries from the /var/sadm/wbem/log directory.


Module 12

Using Name Services


Objectives

• Describe the name service concept

• Describe the name service switch file /etc/nsswitch.conf

• Describe the name service cache daemon (nscd)

• Get name service information


Name Service Concept

Name services centralize the shared information in a network.

A single system, the name server, maintains the information previously maintained on each individual host.

The name servers provide information, such as host names, Internet Protocol (IP) addresses, user names, passwords, and automount maps.

Other hosts in the name service domain (called clients), request the information from the name server.

This name server system responds to clients, and translates, or resolves their requests from its memory-based (cached) or disk-based databases.

Name Service Concept

[Figure: Client, /etc/nsswitch.conf, Local File (/etc/hosts), Name Server, Database]


Name Service Concept

The name service concept provides the following benefits:

• A single point of administration for name service data

• Consistent name service information for systems within the domain

• All clients have access to changed data

• Assurance that clients do not miss updates

• Secondary servers prevent a single point-of-failure


Domain Name System (DNS)

• Domain Name System (DNS) is an Internet-wide naming system for resolving host names to IP addresses and IP addresses to host names.

• DNS supports name resolution for both local and remote hosts, and uses the concept of domains to allow hosts with the same name to coexist on the Internet, so long as they are in different domains.

• For example:

 www.sun.com and www.microsoft.com


Domain Name System (DNS)

• The collection of networked systems that use DNS is referred to as the DNS namespace.

• The DNS namespace is divided into a hierarchy of domains.

• Each domain is usually supported by two or more name servers, a master name server, and one or more slave name servers.

• Each server implements DNS by running the in.named daemon.


Domain Name System (DNS)

• On the client’s side, DNS is implemented through the resolver. The resolver library resolves users’ queries.

• The DNS name servers store the host and IP address information in files called zone files.

• The svc:/network/dns/server:default service starts the DNS server during the boot process if the DNS server has been configured.


Network Information Service (NIS)

• Network Information Service (NIS) was developed independently of DNS and has a slightly different focus.

• NIS stores information about host names, IP addresses, users, groups, and others.

• This collection of network information is referred to as the NIS namespace.

• NIS namespace information is stored in files called NIS maps.

• NIS maps were designed to supplement many of the UNIX /etc files.


Network Information Service (NIS)

• NIS maps are database files created from source files in the /etc directory (or in a directory that you specify).

• By default, these maps are stored in the /var/yp/domainname directory on NIS servers.

• NIS uses domains to define who can access the host names, user information, and other administrative data in its namespace.

• However, NIS does not use a domain hierarchy to store its data. Therefore, the NIS namespace is flat.


Network Information Service (NIS)

• Replicated NIS servers provide services to NIS clients.

• The principal server is called a master server, and, for reliability, it has a backup, or a slave server.

• Each server implements NIS by running the ypserv daemon.

• All NIS clients and servers must run the ypbind daemon.

• The svc:/network/nis/server:default service starts the NIS server during the boot process.


Network Information Service Plus (NIS+)

• Network Information Service Plus (NIS+) is similar to NIS, but provides many more features.

• NIS+ enables you to store information about machine addresses, security information, mail information, Ethernet interfaces, and network services in central locations.

• This configuration of network information is referred to as the NIS+ namespace.

• The NIS+ namespace is hierarchical and is similar in structure to the UNIX directory tree.


Network Information Service Plus (NIS+)

• An NIS+ namespace can be divided into multiple domains that can be administered independently.

• NIS+ uses a client-server model to store and gain access to the information contained in an NIS+ namespace.

• The principal server is called the root server, and the backup servers are called replica servers.

• Both root and replica servers run NIS+ server software, as well as maintain copies of NIS+ tables.


Network Information Service Plus (NIS+)

• NIS+ includes a sophisticated security system to protect the structure of the namespace and its information.

• NIS+ uses authentication and authorization to verify whether a client’s request for information should be fulfilled.

• Each server implements NIS+ by running the rpc.nisd daemon.

• The svc:/network/rpc/nisplus:default service starts the NIS+ name service during the boot process.


Lightweight Directory Access Protocol (LDAP)

• LDAP is the protocol clients use to communicate with a directory server.

• It is a vendor-independent protocol and can be used on common TCP/IP networks.

• The Solaris 10 OS comes with an LDAP client and LDAP server.

• The LDAP Directory Server is called the Sun Java™ System Directory Server.


Lightweight Directory Access Protocol (LDAP)

• A directory server stores information in a Directory Information Tree (DIT).

• Clients can query the directory server for information or make changes to the information stored on the server.

• The hierarchy of the directory tree structure is similar to that of the UNIX file system.

• Entries are named according to their position in this tree structure by a distinguished name (DN).


Lightweight Directory Access Protocol (LDAP)

• The DN is similar to an absolute path name in UNIX.

• A Relative Distinguished Name (RDN) is similar to a relative path name in UNIX.

• A directory entry is composed of attributes that have a type, and one or more values.

• Similar to the DNS namespace, LDAP names start with the least significant component and proceed to the most significant.


Name Service Switch File

• The name service switch file determines which name services a system uses to search for information, and in which order the name service request is resolved.

• All Solaris OS systems use the /etc/nsswitch.conf file as the name service switch file.

• The nsswitch.conf file is loaded with the contents of a template file during the installation of the Solaris OS, depending on the name service that is selected.

• The /etc/nsswitch.conf file includes a list of databases that are sources of information about IP addresses, users, and groups.


Name Service Switch File

• The following entries are from the /etc/nsswitch.conf file configured to support the NIS name service:

...
passwd: files nis
group: files nis
# consult /etc "files" only if nis is down.
hosts: nis [NOTFOUND=return] files
...
networks: nis [NOTFOUND=return] files
protocols: nis [NOTFOUND=return] files
rpc: nis [NOTFOUND=return] files
ethers: nis [NOTFOUND=return] files
netmasks: nis [NOTFOUND=return] files
bootparams: nis [NOTFOUND=return] files
publickey: nis [NOTFOUND=return] files
...


Name Service Switch File

• The information sources in /etc/nsswitch.conf are listed in the order that they are searched.
• Information sources
  • files
  • nisplus
  • nis
  • dns
  • ldap
  • user

If two or more sources are listed, the first listed source is searched before moving to the next source.


• When a name service is referenced, the attempt to search this source can return one of the following status codes:
  • SUCCESS
  • UNAVAIL
  • NOTFOUND
  • TRYAGAIN
• For each status code, two actions are possible:
  • return
  • continue


• When the action is not explicitly specified, the default action is to continue the search using the next specified information source, as follows:
  • SUCCESS = return
  • UNAVAIL = continue
  • NOTFOUND = continue
  • TRYAGAIN = continue
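The following added example (not part of the course material) applies the status codes and default actions above to the NIS entries shown earlier, to show which sources are actually consulted. The function names parse_entry and resolve and the simulated status values are assumptions made for illustration.

```python
import re

# Default action per status code when no [STATUS=action] criterion is given.
DEFAULT_ACTIONS = {
    "SUCCESS": "return",
    "UNAVAIL": "continue",
    "NOTFOUND": "continue",
    "TRYAGAIN": "continue",
}


def parse_entry(line):
    """Parse one nsswitch.conf line into (database, [(source, actions), ...]).

    Returns None for blank lines and comments.
    """
    line = line.split("#", 1)[0].strip()
    if not line or ":" not in line:
        return None
    database, rest = line.split(":", 1)
    sources = []
    # A token is either a source name or a bracketed list of criteria
    # that applies to the source named just before it.
    for token in re.findall(r"\[[^\]]*\]|\S+", rest):
        if token.startswith("["):
            if not sources:
                raise ValueError("criterion before any source: " + token)
            for pair in token[1:-1].split():
                status, _, action = pair.partition("=")
                status, action = status.upper(), action.lower()
                if status not in DEFAULT_ACTIONS or action not in ("return", "continue"):
                    raise ValueError("bad criterion: " + pair)
                sources[-1][1][status] = action
        else:
            sources.append((token, dict(DEFAULT_ACTIONS)))
    return database.strip(), sources


def resolve(sources, status_of):
    """Walk the sources in order and apply the action for each status.

    status_of maps a source name to the status it would report (simulated).
    Returns (answering_source_or_None, trace), where trace lists every
    (source, status, action) that was evaluated.
    """
    trace = []
    for name, actions in sources:
        status = status_of.get(name, "UNAVAIL")
        action = actions[status]
        trace.append((name, status, action))
        if action == "return":
            return (name if status == "SUCCESS" else None), trace
    return None, trace


if __name__ == "__main__":
    # Constructed scenarios: the name exists only in the local /etc files.
    _, hosts = parse_entry("hosts: nis [NOTFOUND=return] files")
    for nis_status in ("NOTFOUND", "UNAVAIL"):
        answer, trace = resolve(hosts, {"nis": nis_status, "files": "SUCCESS"})
        print("nis=%s -> answered by %s, consulted %s"
              % (nis_status, answer, [t[0] for t in trace]))
```

With [NOTFOUND=return], a host that is defined only in the local files is not resolved while NIS is reachable; the files are consulted only when NIS reports UNAVAIL or TRYAGAIN.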


Configuring the Name Service Cache Daemon (nscd)

• The nscd daemon
  • The nscd daemon is a process that provides a cache for the most common name service requests.
  • The nscd daemon starts during multiuser boot.
  • The /etc/nscd.conf configuration file controls the behavior of the nscd daemon.
  • The nscd daemon provides caching for the passwd, group, hosts, ipnodes, exec_attr, prof_attr, and user_attr databases.


• Configuring the nscd daemon
  • The /etc/nscd.conf file contains the configuration information for the nscd daemon.
  • Each line specifies either an attribute and a value, or an attribute, a cache name, and a value.
  • An example of an attribute and a value is as follows:

logfile /var/adm/nscd.log

  • An example of an attribute, a cache name, and a value is as follows:

enable-cache hosts no


• Stopping and starting the nscd daemon
  • The nscd daemon’s cache might become out of date due to various abnormal circumstances.
  • A common way to force the nscd daemon to update its cache is to stop and start the daemon.
• Restarting the nscd daemon

Clearing the cache by restarting the daemon can be helpful in removing old cached data:

# svcadm restart system/name-service-cache:default


Retrieving Name Service Information

• The getent command

You can query name service information sources with specific tools, such as the ypcat, nslookup, niscat, and ldaplist commands. However, the nsswitch.conf file is not referenced by these commands.

The getent command has the following advantages:

• The getent command searches the information sources in the order listed in the name service switch file.
• By using the name service switch file, the defined status message codes and actions are tested as they are currently configured.


• Using the getent command

The getent command retrieves a list of entries from the administrative database specified by database. The sources for the database are specified in the /etc/nsswitch.conf file. The syntax is as follows:

getent database [key]...


Module 13

Configuring Name Service Clients


Objectives

• Configure a DNS client

• Configure an LDAP client


Configuring a DNS Client

Name resolution using the Internet domain name system begins with the client-side resolver.

The client resolver code is controlled by the following files:

• /etc/resolv.conf

• /etc/nsswitch.conf


Configuring the DNS Client During Installation

During the system identification phase of a Solaris 10 OS installation, use the following:

• The Name Service window, to select DNS as the name service
• The Domain Name window, to enter the DNS domain name to which the client will belong
• The DNS Server Address window, to enter the IP addresses of up to three DNS servers that the client will use for lookups


• The DNS Search List window, to enter search suffixes to supplement searches for names that are not fully qualified
• The Confirm Information window, to verify that you have provided accurate information


Editing DNS Client Configuration Files

To use DNS with another name service, such as NIS or LDAP, you must manually modify configuration files.

• Editing the /etc/resolv.conf file

The /etc/resolv.conf file contains configuration directives for the DNS resolver. The directives include the following:

  • nameserver
  • domain
  • search


The following resolv.conf example shows two name servers for the suned.sun.com domain. It also specifies two domain names, training.sun.com and sun.com, to append to any requests received that are not fully qualified.

# cat /etc/resolv.conf
nameserver 192.168.10.11
nameserver 192.168.20.88
domain suned.sun.com training.sun.com sun.com


• Copying the /etc/nsswitch.dns file to the /etc/nsswitch.conf file
  • To configure a client to use DNS in combination with the system’s local files, copy the /etc/nsswitch.dns file to the /etc/nsswitch.conf file.
  • This action only changes the hosts entry.


Setting Up an LDAP Client

Native LDAP is the client implementation of the LDAP name service.

An LDAP server, such as the Sun Java Directory Server that is bundled with the Solaris 10 OS, must exist on the network.


Client Authentication

An LDAP client must establish a session with an LDAP server.

This authentication process is known as binding.

After a client is authenticated, it can then perform operations, such as “search and modify,” on the data.


Details on how the client is authenticated and what data the client is authorized to access are maintained on the LDAP server.

To avoid having to re-enter the same information for each and every client, a single client profile is created on the directory server.


Client Profile and Proxy Account

A single client profile defines the configuration parameters for a group of Solaris OS clients allowed to access the LDAP database.

Client profile:

• Contains the client’s credential information
• Describes how authentication is to take place
• Provides the client with various configuration parameters

A proxy account is created to allow multiple clients to bind to the server with the same access privileges.


Client Initialization

• The client profile and proxy account are created as part of the Sun Java Directory Server setup procedures on the Solaris 10 OS.
• By default, the client profile named default and the proxy account proxyagent are created under a special profile directory entry.
• When the Solaris LDAP client is initialized, a copy of the client profile is retrieved from the server and stored on disk.


Configuring the LDAP Client During Installation

To configure the LDAP client, complete the following steps:

• In the Name Service window, select LDAP as the name service.
• In the Domain Name window, enter the domain name where the system is located.
• In the LDAP Profile window, enter the profile name and server IP address.
• In the LDAP Proxy Bind window, select No.
• In the Confirm Information window, verify that you have provided accurate information.


Initializing the Native LDAP Client

You execute the ldapclient command on the client system once to initiate the client as a native LDAP client.

The following example describes a typical client initialization:

# ldapclient init -a proxyPassword=proxy \
-a proxyDN=cn=proxyagent,ou=profile,dc=suned,dc=sun,dc=com \
-a domainname=suned.sun.com 192.168.0.100
System successfully configured


Copying the /etc/nsswitch.ldap File to the /etc/nsswitch.conf File

During LDAP client initialization, the /etc/nsswitch.ldap file is copied over to the /etc/nsswitch.conf file.


Listing LDAP Entries

You use the ldaplist command to list the naming information from the LDAP servers.

Without any arguments, the ldaplist command returns all of the containers in the current search base DN.


Unconfiguring an LDAP Client

To unconfigure an LDAP client, use the ldapclient command with the uninit option.

This command removes the client files from the /var/ldap directory and restores the previous /etc/nsswitch.conf file.

# ldapclient uninit
System successfully unconfigured


Module 14

Configuring the Network Information Service (NIS)


Objectives

• Describe NIS fundamentals
• Configure the name service switch file
• Describe NIS security
• Configure an NIS domain
• Build custom NIS maps
• Troubleshoot NIS


NIS Fundamentals

NIS facilitates the creation of server systems that act as central repositories for several of the administrative files found on UNIX systems.

The benefits of NIS include the following:

• Centralized administration of configuration files
• Better scaling of configuration file administration as networks grow

NIS is organized into named administrative domains.

Within each domain there is one NIS master server, zero or more slave servers, and one or more clients.


NIS Namespace Information

NIS stores information about host names and their IP addresses, users, groups, and others.

NIS maps can replace or be used with the configuration files that exist on each UNIX system.

NIS maps are located in the /var/yp/domainname directory on NIS servers.


Map Contents and Sort Keys

Each map contains a key and value pair.

The key represents data used to perform the lookup in the map, while the value represents data returned after a successful lookup.

For example, for the domain name training, the NIS map files for the hosts map are as follows:

• The /var/yp/training/hosts.byname.pag file
• The /var/yp/training/hosts.byname.dir file
• The /var/yp/training/hosts.byaddr.pag file
• The /var/yp/training/hosts.byaddr.dir file


Commands to Read Maps

You can use two commands to read maps:

• ypcat [ -k ] mname
• ypmatch [ -k ] value mname

# ypcat hosts
192.168.30.30 instructor instructor. loghost
192.168.30.30 instructor instructor. loghost
127.0.0.1 localhost
...
# ypmatch sys44 hosts
sys44: 192.168.30.44 sys44 loghost
# ypmatch usera passwd
usera: usera:LojyTdiQev5i2:3001:10::/export/home/usera:/bin/ksh


NIS Domains

An NIS domain is a collection of hosts and interconnecting networks that are organized into a single administrative authority.

Each NIS domain contains:

• One NIS master server
• NIS slave servers (optional)
• NIS clients


NIS Master Server

Within each domain, the NIS master server has the following characteristics:

• Contains the original source ASCII files used to build the NIS maps
• Contains the NIS maps generated from the ASCII files
• Provides a single point-of-control for the entire NIS domain


NIS Slave Servers

Within each domain, the NIS slave servers have the following characteristics:

• Do not contain the original source ASCII files used to build the NIS maps
• Contain copies of the NIS maps copied from the NIS master server
• Provide a backup for NIS map information
• Provide redundancy in case of server failures
• Provide load sharing on large networks


NIS Clients

Within each domain, the NIS clients have the following characteristics:

• Do not contain the original source ASCII files used to build the NIS maps
• Do not contain any NIS maps
• Bind to the master server or to a slave server to obtain access to the administrative file information contained in that server’s NIS maps
• Dynamically rebind to another server in case of server failure
• Make all appropriate system calls aware of NIS


NIS Processes

The main daemons involved in the running of an NIS domain are as follows:

• The ypserv daemon
• The ypbind daemon
• The rpc.yppasswdd daemon
• The ypxfrd daemon
• The rpc.ypupdated daemon


Configuring the Name Service Switch

When you select NIS as the name service during installation, the /etc/nsswitch.nis configuration file loads into the default /etc/nsswitch.conf file.

• Changing lookup requests to go from files to NIS

Entries in /etc/nsswitch.conf with the following form cause requests to search files first, and then NIS:

passwd: files nis

• Changing lookup requests to go from NIS to files

Entries in /etc/nsswitch.conf with the following form cause requests to search NIS first, and then files:

hosts: nis [NOTFOUND=return] files


NIS Security

Just as NIS makes the network information more manageable, it can also create inadvertent security holes.

Two methods of closing these security holes are using the securenets file to restrict access to a single host or to a subnetwork, and using the passwd.adjunct file to limit access to the password information across the network.


Configuring an NIS Domain

To generate NIS maps, you need the source files.

You can find source files in the /etc directory on the master server.

Do not keep the source files in the /etc directory, because the contents of the maps are then the same as the contents of the local files that control access to the master server.

This is a special problem for the /etc/passwd and /etc/shadow files.


• To locate the source files in another directory, modify the /var/yp/Makefile file:
  • Change the INETDIR line to DIR=/your-choice
  • Change the DIR=/etc line to DIR=/your-choice
  • Change the PWDIR=/etc line to PWDIR=/your-choice
• Copy files from /etc, /etc/inet, and /etc/services to DIR=/your-choice
• Before you make any modifications to the /var/yp/Makefile file, save a copy of the original Makefile file.


Generating NIS Maps

The NIS configuration script, /usr/sbin/ypinit, and the make utility generate NIS maps.

The ypinit command reads the /var/yp/Makefile file for source file locations, and converts ASCII source files into NIS maps.

For security reasons and to prevent unauthorized root access, the files that build the NIS password maps should not contain an entry for the root user.

To make sure of this, copy the files to an alternative directory, and modify the PWDIR entry in the Makefile file.
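The following added example (not part of the course material) checks the two conditions described above before maps are built: that PWDIR in the Makefile no longer points at /etc, and that the password source file carries no root entry. It goes one step beyond the text by also flagging any other UID 0 account; the function names, finding codes, and the sample Makefile and passwd contents are constructed for illustration.

```python
import re


def makefile_dirs(makefile_text):
    """Return the DIR, PWDIR and INETDIR assignments found in Makefile text."""
    dirs = {}
    for line in makefile_text.splitlines():
        m = re.match(r"\s*(DIR|PWDIR|INETDIR)\s*=\s*(\S+)", line)
        if m:
            dirs[m.group(1)] = m.group(2)
    return dirs


def audit_password_source(makefile_text, passwd_text):
    """Return a list of (code, detail) findings for the NIS password source.

    makefile_text: contents of the NIS Makefile (/var/yp/Makefile on the page).
    passwd_text:   contents of the passwd file found in the PWDIR directory.
    """
    findings = []
    pwdir = makefile_dirs(makefile_text).get("PWDIR")
    if pwdir is None:
        findings.append(("PWDIR_MISSING", "no PWDIR assignment found"))
    elif pwdir.rstrip("/") == "/etc":
        findings.append(("PWDIR_IS_ETC",
                         "password maps are built from the master's own login files"))

    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("MALFORMED",
                             "line %d: expected 7 fields, got %d" % (lineno, len(fields))))
            continue
        name, uid = fields[0], fields[2].strip()
        if name == "root":
            findings.append(("ROOT_ENTRY", "line %d: root is in the map source" % lineno))
        elif uid == "0":
            # Assumption beyond the page: any UID 0 account is as powerful as root.
            findings.append(("UID0_ENTRY", "line %d: %s has UID 0" % (lineno, name)))
    return findings


# Constructed sample inputs: the layout before and after relocating the sources.
WEAK_MAKEFILE = "DIR =/etc\nINETDIR=/etc/inet\nPWDIR =/etc\n"
WEAK_PASSWD = (
    "root:x:0:0:Super-User:/:/sbin/sh\n"
    "toor:x:0:1::/:/bin/sh\n"
    "usera:x:3001:10::/export/home/usera:/bin/ksh\n"
)
FIXED_MAKEFILE = "DIR =/etc/yp_dir\nINETDIR=/etc/yp_dir\nPWDIR =/etc/yp_dir\n"
FIXED_PASSWD = "usera:x:3001:10::/export/home/usera:/bin/ksh\n"

if __name__ == "__main__":
    for label, mk, pw in (("before", WEAK_MAKEFILE, WEAK_PASSWD),
                          ("after", FIXED_MAKEFILE, FIXED_PASSWD)):
        print(label, audit_password_source(mk, pw))
```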


Locating Source Files

• The source files are located in the /etc directory on the master server, but the files can be copied into another directory, such as /etc/yp_dir.
• The /etc/defaultdomain file sets the NIS domain name during system boot.
• The ypinit script calls the program make, which uses the Makefile file located in the /var/yp directory.


• The /var/yp directory contains a subdirectory named after the NIS domain name. This domainname directory is the repository for the NIS maps.
• The /var/yp/binding/domainname directory contains the ypservers file where the names of the NIS master server and NIS slave servers are stored.
• The /usr/lib/netsvc/yp directory contains the ypstop and ypstart commands that stop and start NIS services, respectively.


Converting ASCII Source Files Into NIS Maps

To build new maps on the master server, perform the following command:

# /usr/sbin/ypinit -m

The ypinit command prompts for a list of other machines to become NIS slave servers.


Configuring the NIS Master Server

To set up the NIS name service master server, complete the following steps:

1. Determine which machines on your network domain will be NIS servers.
2. Choose an NIS domain name.
3. Use the domainname command to set the local NIS domain.
4. Create an /etc/defaultdomain file that contains the domain name.


5. If the files do not already exist, use the touch command to create zero-length files with the following names: /etc/ethers, /etc/bootparams, /etc/locale, /etc/timezone, /etc/netgroup, and /etc/netmasks.
6. Install an updated Makefile file in the /var/yp directory if you intend to use NIS on the system that functions as your JumpStart software server.
7. Create or populate the /etc/locale file, and make an entry for each domain on your network.


8. Initialize the master server by using the local /etc files. Enter the ypinit -m command.
   a. When the program prompts you for a list of slave servers, and after you complete your list, press Control-D.
   b. The program asks if you want to terminate it on the first fatal error.
9. Copy the /etc/nsswitch.nis file to the /etc/nsswitch.conf file.
10. Start the NIS daemons on the master server with the following command:

# svcadm enable svc:/network/nis/server:default


Testing the NIS Service

There are a number of commands that you can use to obtain information from and about the NIS database.

The most commonly used NIS commands are as follows:

• ypcat
• ypmatch
• ypwhich


Configuring the NIS Client

To configure the NIS client, complete the following steps:

1. Edit the /etc/inet/hosts file to ensure that the NIS master server and all slave servers have been defined.
2. Execute the domainname domainname command to set the local NIS domain.
3. Create or populate the /etc/defaultdomain file with the domain name.


4. To initialize the system as an NIS client, perform the following command:

# ypinit -c

5. When the system prompts you for a list of NIS servers, enter the names of the NIS master and all slave servers.
6. Copy the /etc/nsswitch.nis file to the /etc/nsswitch.conf file.
7. Start NIS with the following command:

# svcadm enable svc:/network/nis/client:default


Configuring the NIS Slave Server

To configure an NIS slave server, complete the following steps on the system that you want to designate as the slave server:

1. Edit the /etc/inet/hosts file to ensure that the NIS master server and all slave servers have been defined.

2. Execute the domainname domainname command to set the local NIS domain.

3. Create or populate the /etc/defaultdomain file with the domain name.


Configuring the NIS Slave Server

4. To initialize the system as an NIS client, perform the following command:

# ypinit -c

5. When the system prompts for a list of NIS servers, enter the NIS master host followed by the name of the local host and all other NIS slave servers on the local network.

6. Copy the /etc/nsswitch.nis file to the /etc/nsswitch.conf file.

7. On the NIS master, ensure that the ypserv process is running.


Configuring the NIS Slave Server

8. On the proposed NIS slave system, start the ypbind daemon.

# svcadm enable svc:/network/nis/client:default

9. Initialize the system as an NIS slave by performing the following command:

# ypinit -s master

10. Before starting the ypserv daemon on the slave server, stop the client with the following command:

# svcadm disable svc:/network/nis/client:default

11. When the NIS server is started, it also starts the ypbind client daemon.

# svcadm enable svc:/network/nis/server:default


Updating the NIS Map

Because database files change with time, you must update your NIS maps. To update the NIS maps (on the master server), complete the following steps:

1. Update the text files in your source directory.

2. Change to the /var/yp directory.

# cd /var/yp

3. Refresh the NIS database maps using the make utility.

# /usr/ccs/bin/make


Module 15

Introduction to Zones


Objectives

• Identify the different zone features

• Understand how and why zone partitioning is used

• Configure zones

• Install zones

• Boot zones

• Administer packages with zones

• Upgrade the Solaris 10 OS with installed zones


Solaris Zones

Solaris zones technology enables software partitioning of a Solaris 10 OS to support multiple instances of the operating system services with independent process space, allocated resources, and users.

Zones provide virtual operating system services that look like different Solaris instances to users and applications.

Solaris zones allow administrators to dedicate system resources to individual zones.

Each zone exists with separate process and file system space, and can only monitor and interact with local processes.


Zone Features

• Security

• Isolation

• Virtualization

• Granularity

• Transparency


Zone Types

The Solaris Operating System supports two types of zones:

• Global

• Non-global


Global Zones

Every Solaris system contains a global zone.

The global zone has two functions:

• It is the default zone for the system.

• It is the zone used for system-wide administrative control.

The global zone is the only zone from which a non-global zone can be configured, installed, managed, or uninstalled.

The global zone contains a complete installation of the Solaris system software packages.


Global Zones

Each zone, including the global zone, is assigned a zone name.

The global zone always uses the name global. Non-global zones must have user-defined names.

The system always assigns zone ID 0 to the global zone.

The system assigns non-zero zone IDs to non-global zones when they boot.


Non-Global Zones

Non-global zones contain an installed subset of the complete Solaris Operating System software packages.

They can also contain Solaris software packages shared from the global zone and additional installed software packages not shared from the global zone.

Non-global zones share operation under the Solaris kernel booted from the global zone.

Non-global zones are not aware that any other zones exist.


Zone Daemons

The system uses two daemons to control zone operation, zoneadmd and zsched.

The zoneadmd daemon is the primary process for managing the zone’s virtual platform.

The zoneadmd daemon is responsible for the following:

• Managing zone booting and shutting down

• Allocating the zone ID and starting the zsched system process

• Setting zone-wide resource controls

• Preparing the zone’s devices as specified in the zone configuration


Zone Daemons

The zoneadmd daemon is also responsible for the following:

• Plumbing virtual network interfaces

• Mounting loopback and conventional file systems

The zsched process involves the following:

• Every active zone has an associated kernel process, zsched.

• The zsched process enables the zones subsystem to keep track of per-zone kernel threads.

• Kernel threads doing work on behalf of the zone are owned by zsched.


Zone File Systems

• Sparse root model

    • The sparse root model installs a minimal number of files from the global zone when you initialize a non-global zone.

    • Files that need to be shared between a non-global zone and the global zone are mounted through read-only loopback file systems.

    • By default, in the sparse root model, the directories /lib, /platform, /sbin, and /usr are mounted in this manner.


Zone File Systems

• Whole root model

    • The whole root model provides the maximum configurability.

    • All of the required and any selected optional Solaris packages are installed into the private file systems of the zone.

    • The disk requirements for this model are determined by the disk space used by the packages currently installed in the global zone.


Zone Networking

• Each non-global zone that requires network connectivity has one or more dedicated IP addresses.

• These addresses are associated with logical network interfaces that can be placed in a zone by using the ifconfig command.

• For example, if the primary network interface in the global zone is ce0, then the non-global zone’s logical network interface might be ce0:1.

• Logical interfaces are automatically assigned the next available identifier, for example, ce0:2, ce0:3.


Zone States

As you configure a non-global zone, bring it into operation, use the zone, reboot, or shut it down, the state that the zoneadm command reports for that zone changes.

The zoneadm command reports the following zone states:

• Undefined

• Configured

• Incomplete

• Installed

• Ready

• Running

• Shutting down and Down


Configuring Zones

Configuring a zone requires completing the following tasks:

• Identifying the components that will make up the zone

• Configuring the zone with the zonecfg command

• Verifying and committing the configured zone


Identifying Zone Components

When planning zones for your environment, you must consider the components that make up each zone’s configuration. These components include the following:

• A zone name

• A path to the zone’s root

• The zone network interfaces

• The file systems mounted in zones

• The configured devices in zones


Allocating File System Space

There are no limits on how much disk space can be consumed by a zone.

The nature of the packages installed in the global zone affects the space requirements of the non-global zones that are created.

• As a general guideline, about 100 megabytes of free disk space per non-global zone using the sparse root model is required.

• By default, any additional packages installed in the global zone also populate the non-global zones.


Using the zonecfg Command

You can perform the following operations with zonecfg:

• You can create or delete a zone configuration.

• You can add resources to a particular configuration.

• You can set properties for resources added to a configuration.

• You can remove resources from a particular configuration.

• You can query or verify a configuration.

• You can commit to a configuration.

• You can revert to a previous configuration.


Using the zonecfg Command

• To simplify the user interface, zonecfg utilizes the concept of a scope.

• The default scope is global.

• The zonecfg interactive command prompt changes to reflect the current scope.

• You can use the add and select subcommands to select a specific resource, at which point the scope changes to that resource.

• The end and cancel subcommands cause the scope to revert to global.


The zonecfg Subcommands

• Subcommands within the zonecfg utility are used to configure and provision zones.

• The zonecfg prompt indicates if the scope is global or is confined to a particular resource.

Note: The zonecfg subcommands are demonstrated in the “Zone Configuration Walk-Through” section, later in this module.


The zonecfg Resource Parameters

Resource types within the zonecfg utility include the following:

• zonename

• zonepath

• autoboot

• pool

• fs

• inherit-pkg-dir

• net

• device

• rctl

• attr


The zonecfg Resource Parameters

Parameters associated with the fs resource include the following:

• dir

• special

• raw

• type

• options


Zone Configuration Walk-Through

To create a zone, you must log in to the global system as root or a role-based access control (RBAC)-allowed user.

The following shows an example of configuring a zone named work-zone:

global# zonecfg -z work-zone
zonecfg:work-zone> create
zonecfg:work-zone> set zonepath=/export/work-zone
zonecfg:work-zone> set autoboot=true
zonecfg:work-zone> set pool=pool_default
zonecfg:work-zone> add fs
zonecfg:work-zone:fs> set dir=/mnt
zonecfg:work-zone:fs> set special=/dev/dsk/c0t0d0s7


zonecfg:work-zone:fs> set raw=/dev/rdsk/c0t0d0s7
zonecfg:work-zone:fs> set type=ufs
zonecfg:work-zone:fs> add options [logging]
zonecfg:work-zone:fs> end
zonecfg:work-zone> add inherit-pkg-dir
zonecfg:work-zone:inherit-pkg-dir> set dir=/opt/sfw
zonecfg:work-zone:inherit-pkg-dir> end
zonecfg:work-zone> add net
zonecfg:work-zone:net> set physical=ce0
zonecfg:work-zone:net> set address=192.168.0.1
zonecfg:work-zone:net> end
zonecfg:work-zone> add device
zonecfg:work-zone:device> set match=/dev/sound/*


zonecfg:work-zone:device> end
...
zonecfg:work-zone:attr> set name=comment
zonecfg:work-zone:attr> set type=string
zonecfg:work-zone:attr> set value="The work zone."
zonecfg:work-zone:attr> end
zonecfg:work-zone> verify
zonecfg:work-zone> commit
zonecfg:work-zone> exit


Viewing the Zone Configuration

You can use the zonecfg command to view the zone configuration.

# zonecfg -z work-zone info
zonepath: /export/work-zone
autoboot: true
pool: pool_default
inherit-pkg-dir:
        dir: /lib
inherit-pkg-dir:
        dir: /platform
inherit-pkg-dir:
        dir: /sbin
inherit-pkg-dir:
        dir: /usr
...


Using the zoneadm Command

The zoneadm command is the primary tool used to install and administer non-global zones.

Operations using the zoneadm command must be run from the global zone.


Using the zoneadm Command

The following tasks can be performed using the zoneadm command:

• Verify a zone’s configuration

• Install a zone

• Boot a zone

• Reboot a zone

• Display information about a running zone

• Uninstall a zone


Using the zoneadm Command

• Verifying a configured zone

You can verify a zone before you install it. If you skip this procedure, the verification is performed automatically when you install the zone.

global# zoneadm -z work-zone verify
Warning: /export/work-zone does not exist, so it cannot be verified. When zoneadm install is run, install will try to create /export/work-zone, and verify will be tried again, but the verify may fail if: the parent directory of /export/work-zone is group- or other-writable or /export/work-zone overlaps with any other installed zones.
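The two failure conditions named in the warning above can be checked before zoneadm install is run. The following POSIX shell functions are an added example, not part of the course material: the function names and the sample zone list are constructed, and the code assumes the zoneid:zonename:state:zonepath field order printed by zoneadm list -cp.

```shell
# Added example: checks the two conditions from the zoneadm verify warning.
# POSIX shell; on Solaris 10 run it with ksh or /usr/xpg4/bin/sh.
# Function names are illustrative, not part of any Solaris tool.

# True (0) when DIR is writable by group or other, read from the ls mode string.
dir_is_group_or_other_writable() {
    mode=$(ls -ldL "$1" | cut -c1-10)      # for example drwxrwxr-x
    [ "$(printf '%s' "$mode" | cut -c6)" = "w" ] ||
    [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]
}

# True (0) when the two paths are equal or one lies inside the other.
# A trailing slash is appended so /export/a does not match /export/ab.
paths_overlap() {
    a=${1%/}/
    b=${2%/}/
    case "$a" in "$b"*) return 0 ;; esac
    case "$b" in "$a"*) return 0 ;; esac
    return 1
}

# zonepath_preflight ZONENAME ZONEPATH
# Reads `zoneadm list -cp` lines on stdin. Returns 0 when neither condition
# is found, 1 otherwise. Zones in the configured state are skipped because
# the warning speaks of installed zones (assumption of this example).
zonepath_preflight() {
    name=$1
    zp=$2
    rc=0
    parent=$(dirname "$zp")
    if [ ! -d "$parent" ]; then
        echo "NOTE: parent $parent does not exist yet, permissions not checked"
    elif dir_is_group_or_other_writable "$parent"; then
        echo "FAIL: parent $parent is group- or other-writable"
        rc=1
    fi
    while IFS=: read -r id zname state zpath rest; do
        [ -n "$zpath" ] || continue
        [ "$zname" = "global" ] && continue
        [ "$zname" = "$name" ] && continue
        [ "$state" = "configured" ] && continue
        if paths_overlap "$zp" "$zpath"; then
            echo "FAIL: $zp overlaps zone $zname at $zpath"
            rc=1
        fi
    done
    return "$rc"
}

# Demo with a constructed zone list: the proposed path sits inside the
# installed zone work-zone, so the overlap check reports it.
zonepath_preflight test-zone /export/work-zone/nested <<'EOF' || echo "preflight failed"
0:global:running:/
1:work-zone:installed:/export/work-zone
EOF
```

On a live system the zone list would come from `zoneadm list -cp` piped into zonepath_preflight.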


Using the zoneadm Command

• Installing a configured zone

You use the zoneadm -z zone_name install command to install a non-global zone.

global# zoneadm -z work-zone install

Zone installation takes time to complete.

• Booting a zone

Booting a zone places the zone in the running state.

global# zoneadm -z work-zone boot
global# zoneadm list -v
  ID NAME             STATE      PATH
   0 global           running    /
   1 work-zone        running    /export/work-zone


Using the zoneadm Command

• Halting a zone

The zoneadm halt command is used to remove both the application environment and the virtual platform for a zone.

global# zoneadm -z work-zone halt
global# zoneadm list -v
  ID NAME             STATE      PATH
   0 global           running    /
   - work-zone        installed  /export/work-zone

• Rebooting a zone

The zoneadm reboot command is used to reboot a zone.

global# zoneadm -z work-zone reboot


Using the zoneadm Command

• Logging in to the zone console

After you boot the zone for the first time, it is important to connect to the zone’s virtual console and complete the zone’s system identification before you can begin using the zone.

Use the zlogin command with the -C option.

global# zlogin -C work-zone

The first time that you connect to the zone’s virtual console, the system identification process starts automatically.

The ~. (tilde dot) character sequence terminates the console connection.


Using the zoneadm Command

• Deleting a zone

The following zoneadm example removes a zone:

# zoneadm list -cp
0:global:running:/
3:work-zone:running:/export/work-zone
# zoneadm -z work-zone halt
# zoneadm list -cp
0:global:running:/
-:work-zone:installed:/zones/work-zone
# zoneadm -z work-zone uninstall
Are you sure you want to uninstall zone work-zone (y/[n])? y
# zoneadm list -cp
0:global:running:/
-:work-zone:configured:/export/work-zone
# zonecfg -z work-zone delete
Are you sure you want to delete zone work-zone (y/[n])? y
# zoneadm list -cp
0:global:running:/


Installing Packages in Zones

The standard Solaris package management tools, for example, pkgadd and pkgrm, are used to administer packages in the zones environment.

Package parameters listed in the pkginfo file for a package control how the Solaris package tools can administer the package.

Currently, three package parameters control how packages are administered. They are as follows:

• SUNW_PKG_ALLZONES

• SUNW_PKG_HOLLOW

• SUNW_PKG_THISZONE


Installing Packages in Zones

You can list parameters for packages using the pkgparam command.

# pkgparam -v SUNWzoneu
CLASSES='none'
BASEDIR='/'
LANG='C'
(output omitted)
EMAIL=''
SUNW_PKGVERS='1.0'
SUNW_PKG_ALLZONES='true'
SUNW_PKG_HOLLOW='false'
PSTAMP='gaget20050121155950'
PKGINST='SUNWzoneu'
PKGSAV='/var/sadm/pkg/SUNWzoneu/save'
INSTDATE='Jan 26 2005 10:21'


Installing Packages in Zones

• The -G option to the pkgadd command causes pkgadd to add a package to the current zone only.

• Package operations possible in the global zone

If the package is not currently installed in the global zone and not currently installed in any non-global zone, the package can be installed according to the following guidelines:

    • Only in the global zone, if SUNW_PKG_ALLZONES=false

    • In the global zone and all non-global zones


Installing Packages in Zones

If the package is currently installed in the global zone only, the following guidelines apply:

• The package can be installed in all non-global zones.

• The package can be removed from the global zone.


Installing Packages in Zones

If a package is currently installed in the global zone and currently installed in only a subset of the non-global zones, the following guidelines apply:

• SUNW_PKG_ALLZONES must be set to false.

• The package can be installed in all non-global zones. Existing instances in any non-global zone are updated to the revision being installed.

• The package can be removed from the global zone.

• The package can be removed from the global zone and from all non-global zones.


Installing Packages in Zones

If a package is currently installed in the global zone and currently installed in all non-global zones, the package can be removed from the global zone and from all non-global zones.

These rules ensure the following:

• Packages that are installed in the global zone are either installed in the global zone only, or installed in the global zone and all non-global zones.

• Packages that are installed in the global zone and also installed in any non-global zone are the same across all zones.


Installing Packages in Zones

• If a package is not currently installed in the non-global zone, the package can be installed only if SUNW_PKG_ALLZONES=false.

• If a package is currently installed in the non-global zone, the following guidelines apply:

    • The package can be installed over the existing instance of the package only if SUNW_PKG_ALLZONES=false.

    • The package can be removed from the non-global zone only if SUNW_PKG_ALLZONES=false.


Upgrading Solaris 10 OS With Installed Non-Global Zones

The normal upgrade path from Solaris 10 to Solaris 10 01/06 is not available if installed zones are present. There are three options:

• Uninstall the zones, upgrade the OS, and reinstall the zones.

• Reinstall the entire OS from an initial install, with the loss of existing zones configuration.

• Use the new features of Solaris 10 update 01/06 to upgrade the OS and any installed zones.


Solaris Install Media Support

• The new upgrade method for Solaris 10 update 01/06 is only available on the DVD media.

• If no DVD reader is available, a network installation must be used.


Upgrading the Solaris 10 OS

• Boot the system to be installed.

ok boot net - install

• Select Standard install.

• Choose Upgrade option.

• If installed zones are present, the upgrade continues with the new method.


Using Custom Jumpstart

• Custom jumpstart can be used to upgrade Solaris 10 update 01/06 with installed zones.

• Only two profile keywords should be used:

    • install_type

    • root_device

• Other keywords will be ignored or will cause jumpstart to fail.

    • Ignored: cluster, geo, locale, package, patch

    • Causes failure: backup_media, layout_constraint
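A profile can be checked against these keyword lists before the upgrade is started. The following POSIX shell function is an added example, not part of the course material: the name lint_upgrade_profile and the sample profile are constructed, and keywords that the slide does not list are reported separately rather than classified.

```shell
# Added example: lint a custom JumpStart profile that will be used to
# upgrade a system with installed zones. POSIX shell; on Solaris 10 run it
# with ksh or /usr/xpg4/bin/sh. The function name is illustrative.

# lint_upgrade_profile
# Reads a profile on stdin, one "keyword value..." entry per line.
# Return status:
#   0  only install_type and root_device are used
#   1  at least one keyword is ignored or is not covered by the lists
#   2  at least one keyword causes the upgrade to fail
lint_upgrade_profile() {
    rc=0
    n=0
    # The second test keeps a final line that has no trailing newline.
    while read -r keyword rest || [ -n "$keyword" ]; do
        n=$((n + 1))
        case "$keyword" in
            ''|'#'*)
                # blank line or comment
                continue ;;
            install_type|root_device)
                # the two supported keywords
                ;;
            cluster|geo|locale|package|patch)
                echo "line $n: $keyword is ignored when zones are installed"
                if [ "$rc" -lt 1 ]; then rc=1; fi ;;
            backup_media|layout_constraint)
                echo "line $n: $keyword causes the JumpStart upgrade to fail"
                rc=2 ;;
            *)
                echo "line $n: $keyword is not one of the two supported keywords"
                if [ "$rc" -lt 1 ]; then rc=1; fi ;;
        esac
    done
    return "$rc"
}

# Demo with a constructed profile: locale is ignored and backup_media
# makes the upgrade fail, so the function returns 2.
lint_upgrade_profile <<'EOF' || echo "profile needs changes (status $?)"
# upgrade profile for a host with installed zones
install_type upgrade
root_device c0t0d0s0
locale en_US
backup_media local_filesystem /export/backup
EOF
```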


Module 16

Introduction to the ZFS File System


Objectives

• Describe the Solaris ZFS file system

• Create new ZFS pools and file systems

• Modify ZFS file system properties

• Mount and unmount ZFS file systems

• Destroy ZFS pools and file systems

• Work with ZFS snapshots and Clones

• Use ZFS datasets with Solaris Zones


What Is Solaris ZFS?

• ZFS Pooled Storage

ZFS aggregates devices into storage pools.

• Transactional Semantics

Any sequence of operations is either entirely committed or entirely ignored.

• Checksums and Self-Healing Data

All data and metadata is checksummed, and detected errors are corrected using replicated data.

• Unparalleled Scalability

Solaris ZFS is a 128-bit file system, allowing for 256 quadrillion zettabytes of storage.

What Is ZFS?

• ZFS Snapshots

ZFS snapshots are read-only copies of file systems that initially consume no additional space in a pool.

• Simplified Administration

ZFS uses a simplified command set and a hierarchical file system layout, and supports file system property inheritance and automatic mount points.

ZFS Terminology

• checksum - A 256-bit hash of the data in a file system block.

• clone - A file system whose initial contents are identical to the contents of a snapshot.

• dataset - A generic name for the following ZFS entities: clones, file systems, snapshots, or volumes.

• file system - A dataset that contains a standard POSIX file system.

• mirror - A virtual device that stores identical copies of data on two or more disks.

ZFS Terminology (cont.)

• pool - A logical group of devices describing the layout and physical characteristics of the available storage.

• RAID-Z - A virtual device that stores data and parity on multiple disks, similar to RAID-5.

• resilvering - The process of transferring data from one device to another device is known as resilvering.

• snapshot - A read-only image of a file system or volume at a given point in time.

• virtual device - A logical device in a pool, which can be a physical device, a file, or a collection of devices.

• volume - A dataset used to emulate a physical device.

ZFS Component Naming Requirements

Empty components are not allowed.

Each component can only contain alphanumeric characters in addition to the following four special characters:

• Underscore (_)

• Hyphen (-)

• Colon (:)

• Period (.)

ZFS Component Naming Requirements (cont.)

Pool names must begin with a letter, except that the beginning sequence c[0-9] is not allowed. In addition, pool names that begin with mirror, raidz, or spare are not allowed as these names are reserved.

Dataset names must begin with an alphanumeric character.
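The naming rules on these two slides, written as a pre-flight check for scripts that build zpool or zfs command lines from operator-supplied names. This is an added example, not part of the course material; the function names are this example's own, and it checks pool names and file system paths only, not snapshot names.

```shell
#!/bin/sh
# Added example (not Sun's code): check names against the naming rules above.
LC_ALL=C; export LC_ALL          # make [A-Za-z] mean ASCII letters only

# A component is non-empty and uses only alphanumerics plus _ - : .
valid_component() {
    case "$1" in
        '')                  return 1 ;;
        *[!A-Za-z0-9_.:-]*)  return 1 ;;
    esac
    return 0
}

# Pool name: valid component, starts with a letter, does not start with
# c[0-9], and does not begin with the reserved words mirror, raidz or spare.
valid_pool_name() {
    valid_component "$1" || return 1
    case "$1" in
        mirror*|raidz*|spare*)  return 1 ;;
        c[0-9]*)                return 1 ;;
        [A-Za-z]*)              return 0 ;;
    esac
    return 1
}

# File system name: a pool name followed by zero or more /component parts.
# The first component is the pool, so the whole name starts with a letter.
valid_dataset_name() {
    case "$1" in
        ''|/*|*/|*//*)  return 1 ;;      # empty components are not allowed
    esac
    pool=${1%%/*}
    valid_pool_name "$pool" || return 1
    rest=${1#"$pool"}
    while [ -n "$rest" ]; do
        rest=${rest#/}
        comp=${rest%%/*}
        valid_component "$comp" || return 1
        rest=${rest#"$comp"}
    done
    return 0
}

# Constructed sample names, including one carrying a shell metacharacter.
for name in tank/home/bonwick c0t0d0/data 'tank/home;id' mirrorpool/a tank//ws; do
    if valid_dataset_name "$name"; then
        echo "accept $name"
    else
        echo "reject $name"
    fi
done
```

Rejecting a name before it reaches the command line also keeps characters such as `;` or spaces out of any string that is later passed to a shell.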

ZFS Hardware and Software Requirements and Recommendations

A SPARC® or x86 system that is running the Solaris 10 6/06 release.

The minimum disk size is 128 Mbytes. The minimum amount of disk space required for a storage pool is approximately 64 Mbytes.

For good ZFS performance, one Gbyte or more of memory is recommended.

If you create a mirrored disk configuration, multiple controllers are recommended.

Creating ZFS File Systems

One goal of the ZFS design is to reduce the number of commands needed to create a usable file system.

When you create a new pool, a new ZFS file system is created and mounted automatically.

Within a pool, you will probably want to create additional file systems.

In most cases, you will probably want to create and organize a hierarchy of file systems that matches your organizational needs.

Components of a ZFS Storage Pool

Using Disks in a ZFS Storage Pool

Physical storage can be any block device of at least 128 Mbytes in size.

Typically, this device is a hard drive that is visible to the system in the /dev/dsk directory.

A storage device can be a whole disk (c1t0d0) or an individual slice (c0t0d0s7).

The recommended mode of operation is to use an entire disk. ZFS applies an EFI label when you create a storage pool with whole disks.

Components of a ZFS Storage Pool (cont.)

Using Disks in a ZFS Storage Pool (continued)

Disks can be specified by using either the full path, such as /dev/dsk/c1t0d0, or a shorthand name.

For example, the following are valid disk names:

• c1t0d0

• /dev/dsk/c1t0d0

• c0t0d6s2

ZFS works best when given whole physical disks.

Components of a ZFS Storage Pool (cont.)

Using Files in a ZFS Storage Pool

ZFS also allows you to use UFS files as virtual devices in your storage pool.

This feature is aimed primarily at testing and enabling simple experimentation, not for production use.

The reason is that any use of files relies on the underlying file system for consistency.

All files must be specified as complete paths and must be at least 128 Mbytes in size.

Components of a ZFS Storage Pool (cont.)

ZFS pools can consist of whole disks, disk slices, or files.

[Figure: a pool built from a whole disk (preferred), a disk slice, and a file (for test only).]

Components of a ZFS Storage Pool (cont.)

Virtual Devices in a Storage Pool

Each storage pool is comprised of one or more virtual devices. Two top-level virtual devices provide data redundancy: mirror and RAID-Z virtual devices. These virtual devices consist of disks, disk slices, or files.

Disks, disk slices, or files that are used in pools outside of mirrors and RAID-Z virtual devices function as top-level virtual devices themselves.

Storage pools typically contain multiple top-level virtual devices. ZFS dynamically stripes data among all of the top-level virtual devices in a pool.

Components of a ZFS Storage Pool (cont.)

A ZFS pool that uses disks as top-level virtual devices provides no data replication.

[Figure: data striped across three disks as Stripe 1, Stripe 2, and Stripe 3.]

Replication Features of a ZFS Storage Pool

Mirrored Storage Pool Configuration

A mirrored storage pool configuration requires at least two disks, preferably on separate controllers.

You can create more than one mirror in each pool.

A simple mirrored configuration would look similar to the following:

 mirror c1t0d0 c2t0d0

A more complex mirrored configuration would look similar to the following:

 mirror c1t0d0 c2t0d0 c3t0d0 mirror c4t0d0 c5t0d0 c6t0d0

Replication Features of a ZFS Storage Pool (cont.)

ZFS stripes data among mirror virtual devices in a pool, and data is replicated within each mirror.

[Figure: data striped as Stripe 1 and Stripe 2 across two mirror devices, each made of two disks.]

Replication Features of a ZFS Storage Pool (cont.)

RAID-Z Storage Pool Configuration

RAID-Z is similar to RAID-5.

In RAID-Z, ZFS uses variable-width RAID stripes so that all writes are full-stripe writes.

You need at least two disks for a RAID-Z configuration.

Conceptually, a RAID-Z configuration with three disks would look similar to the following:

 raidz c1t0d0 c2t0d0 c3t0d0

Replication Features of a ZFS Storage Pool (cont.)

RAID-Z Storage Pool Configuration (continued)

A more complex conceptual RAID-Z configuration would look similar to the following:

 raidz c1t0d0 c2t0d0 c3t0d0 c4t0d0 c5t0d0 c6t0d0 c7t0d0 raidz c8t0d0 c9t0d0 c10t0d0 c11t0d0 c12t0d0 c13t0d0 c14t0d0

If you are creating a RAID-Z configuration with many disks, as in this example, a RAID-Z configuration with 14 disks is better split into two 7-disk groupings. RAID-Z configurations with single-digit groupings of disks should perform better.

Replication Features of a ZFS Storage Pool (cont.)

ZFS uses variable-width stripes within RAID-Z devices.

[Figure: data written in variable-width stripes across the three disks of a RAID-Z device.]

Replication Features of a ZFS Storage Pool (cont.)

Self-Healing Data in a Replicated Configuration

ZFS provides for self-healing data in a mirrored or RAID-Z configuration.

When a bad data block is detected, not only does ZFS fetch the correct data from another replicated copy, but it also repairs the bad data by replacing it with the good copy.

Dynamic Striping in a Storage Pool

For each virtual device that is added to the pool, ZFS dynamically stripes data across all available devices.

No fixed-width stripes are created at allocation time.

Replication Features of a ZFS Storage Pool (cont.)

ZFS dynamically stripes data across all virtual devices in a pool.

[Figure: data striped as Stripe 1 and Stripe 2 across two RAID-Z devices.]

Replication Features of a ZFS Storage Pool (cont.)

Dynamic Striping in a Storage Pool (continued)

When virtual devices are added to a pool, ZFS gradually allocates data to the new device in order to maintain performance and space allocation policies.

While ZFS supports combining different types of virtual devices within the same pool, this practice is not recommended.

Creating and Destroying ZFS Storage Pools

By design, creating and destroying pools is fast and easy. However, be cautious when doing these operations.

Creating a ZFS Storage Pool

To create a storage pool, use the zpool create command. This command takes a pool name and any number of virtual devices as arguments.

Creating a Basic Storage Pool

The following command creates a new pool named tank that consists of the disks c1t0d0 and c1t1d0:

# zpool create tank c1t0d0 c1t1d0

Creating and Destroying ZFS Storage Pools (cont.)

Creating a Mirrored Storage Pool

To create a mirrored pool, use the mirror keyword, followed by any number of storage devices that will comprise the mirror.

# zpool create tank mirror c1d0 c2d0 mirror c3d0 c4d0

Creating a Single-Parity RAID-Z Storage Pool

Creating a RAID-Z pool is identical to creating a mirrored pool, except that the raidz keyword is used instead of mirror.

# zpool create tank raidz c1t0d0 c2t0d0 c3t0d0 c4t0d0 /dev/dsk/c5t0d0

Creating and Destroying ZFS Storage Pools (cont.)

Creating a Double-Parity RAID-Z Storage Pool

You can create a double-parity RAID-Z configuration by using the raidz2 keyword when the pool is created. For example:

# zpool create tank raidz2 c1t0d0 c2t0d0 c3t0d0

Creating and Destroying ZFS Storage Pools (cont.)

Detecting in Use Devices

Before formatting a device, ZFS first determines if the disk is in use by ZFS or some other part of the operating system.

If the disk is in use, you might see errors such as the following:

# zpool create tank c1t0d0 c1t1d0
invalid vdev specification
use ’-f’ to override the following errors:
/dev/dsk/c1t0d0s0 is currently mounted on /
/dev/dsk/c1t0d0s1 is currently mounted on swap
/dev/dsk/c1t1d0s0 is part of active ZFS pool ’zeepool’
Please see zpool(1M)

Some of these errors can be overridden by using the -f option, but most errors cannot.

Creating and Destroying ZFS Storage Pools (cont.)

Mismatched Replication Levels

Creating pools with virtual devices of different replication levels is not recommended.

The zpool command tries to prevent you from accidentally creating a pool with mismatched replication levels.

Doing a Dry Run of Storage Pool Creation

The zpool create command with the -n option simulates creating the pool without actually writing data to disk.
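A layout can also be checked offline before any zpool command is run. The following added example (not from the course material) lints the virtual-device arguments of a planned zpool create against the guidance in this module: at least two disks per mirror or RAID-Z group, single-digit RAID-Z groupings, and matching replication levels. The function name is this example's own, and treating groups of the same type but different width as mismatched is this example's assumption.

```shell
#!/bin/sh
# Added example (not Sun's code): lint the virtual-device arguments of a planned
# "zpool create". Prints findings and returns 1 if any were found, else 0.
lint_vdev_spec() {
    printf '%s\n' "$*" | awk '
    # Record one finished top-level virtual device of type t with n devices.
    function finish(t, n) {
        groups++
        key = t ":" n
        if (!(key in seen)) { seen[key] = 1; levels++ }
        if ((t == "mirror" || t == "raidz") && n < 2) {
            printf "vdev %d: %s has %d device(s), at least two are required\n", groups, t, n
            bad++
        }
        if (t ~ /^raidz/ && n > 9) {
            printf "vdev %d: %s has %d devices, split it into single-digit groupings\n", groups, t, n
            bad++
        }
    }
    {
        t = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(mirror|raidz|raidz2)$/) {   # keyword opens a new group
                if (t != "") finish(t, n)
                t = $i; n = 0
            } else if (t != "") {
                n++                                  # member of the open group
            } else {
                finish("disk", 1)                    # bare device is a top-level vdev
            }
        }
        if (t != "") finish(t, n)
        if (levels > 1) {
            print "mismatched replication levels across top-level vdevs"
            bad++
        }
        exit (bad > 0)
    }'
}

# Constructed layouts: the first mixes a bare disk with a mirror, the second is balanced.
lint_vdev_spec c0t0d0 mirror c1t0d0 c2t0d0 || echo "layout needs review"
lint_vdev_spec mirror c1d0 c2d0 mirror c3d0 c4d0 && echo "layout ok"
```

A layout that passes can then be given to zpool create -n for the dry run described above.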

Creating and Destroying ZFS Storage Pools (cont.)

Destroying ZFS Storage Pools

Pools are destroyed by using the zpool destroy command.

# zpool destroy tank

Querying ZFS Storage Pool Status

The zpool list command provides a number of ways to request information regarding pool status.

Listing Information About All Storage Pools

With no arguments, the zpool list command displays all the fields for all pools on the system. For example:

# zpool list
NAME    SIZE    USED    AVAIL   CAP   HEALTH   ALTROOT
tank    80.0G   22.3G   47.7G   28%   ONLINE   -
dozer   1.2T    384G    816G    32%   ONLINE   -

Querying ZFS Storage Pool Status (cont.)

Listing Specific Storage Pool Statistics

You can request specific statistics by using the -o option.

For example, to list only the name and size of each pool, you use the following syntax:

# zpool list -o name,size
NAME    SIZE
tank    80.0G
dozer   1.2T

Querying ZFS Storage Pool Status (cont.)

Health Status of ZFS Storage Pools

ZFS provides an integrated method of examining pool and device health. The health of a pool is determined from the state of all its devices.

This state information is displayed by using the zpool status command.

Each device can fall into one of the following states:

• ONLINE

• DEGRADED

• FAULTED

Querying ZFS Storage Pool Status (cont.)

Health Status of ZFS Storage Pools (continued)

• OFFLINE

• UNAVAILABLE

Basic Storage Pool Health Status

The simplest way to request a quick overview of pool health status is to use the zpool status command:

# zpool status -x
all pools are healthy

Querying ZFS Storage Pool Status (cont.)

Detailed Health Status

You can request a more detailed health summary by using the -v option. For example:

# zpool status -v tank
  pool: tank
 state: DEGRADED
status: One or more devices could not be opened. Sufficient replicas exist
        for the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using ’zpool online’.
   see: http://www.sun.com/msg/ZFS-8000-2Q
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        tank        DEGRADED     0     0     0
          mirror    DEGRADED     0     0     0
            c1t0d0  FAULTED      0     0     0  cannot open
            c1t1d0  ONLINE       0     0     0

errors: No known data errors
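For monitoring, the config section of this output can be reduced to the devices that need attention. The following added example (not part of the course material) parses zpool status output and reports every entry whose state is not ONLINE or whose READ, WRITE, or CKSUM counters are non-zero. The function names and the second pool in the sample are constructed for illustration, and matching UNAVAIL as a prefix is an assumption that covers both the abbreviated and the full state name.

```shell
#!/bin/sh
# Added example (not Sun's code): list devices that need attention in
# "zpool status" output. Prints "pool device state error-total" per finding
# and returns 1 when anything was flagged, 0 when every device is clean.
flag_devices() {
    awk '
    $1 == "pool:"                  { pool = $2; in_cfg = 0; next }
    $1 == "NAME" && $2 == "STATE"  { in_cfg = 1; next }   # config table header
    $1 == "errors:"                { in_cfg = 0; next }   # end of config table
    in_cfg && NF >= 5 {
        errs = $3 + $4 + $5                               # READ + WRITE + CKSUM
        if ($2 ~ /^(DEGRADED|FAULTED|OFFLINE|UNAVAIL)/ || errs > 0) {
            print pool, $1, $2, errs
            hits++
        }
    }
    END { exit (hits > 0) }
    '
}

# Constructed sample: the tank pool from the slide, plus a second pool whose
# devices are all ONLINE but one has accumulated checksum errors.
sample_status() {
    cat <<'EOF'
  pool: tank
 state: DEGRADED
status: One or more devices could not be opened. Sufficient replicas exist
        for the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
   see: http://www.sun.com/msg/ZFS-8000-2Q
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        tank        DEGRADED     0     0     0
          mirror    DEGRADED     0     0     0
            c1t0d0  FAULTED      0     0     0  cannot open
            c1t1d0  ONLINE       0     0     0

errors: No known data errors

  pool: dozer
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        dozer       ONLINE       0     0     0
          c2t0d0    ONLINE       0     0     0
          c2t1d0    ONLINE       0     0     7

errors: No known data errors
EOF
}

sample_status | flag_devices || echo "attention needed"
```

On a live system the input would come from `zpool status -v` instead of the sample function.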

Creating and Destroying ZFS File Systems

Creating a ZFS File System

You use the zfs create command to create ZFS file systems. The create subcommand takes a single argument: the name of the file system to create.

Specify the file system name as a path name starting from the name of the pool:

 pool-name/[filesystem-name/]filesystem-name

The pool name and initial file system names in the path identify the location in the hierarchy where the new file system will be created. All the intermediate file system names must already exist in the pool.

Creating and Destroying ZFS File Systems (cont.)

Creating a ZFS File System (cont.)

In the following example, a file system named bonwick is created in the tank/home file system.

# zfs create tank/home/bonwick

ZFS automatically mounts the newly created file system if it is created successfully.

Creating and Destroying ZFS File Systems (cont.)

Destroying a ZFS File System

You use the zfs destroy command to destroy ZFS file systems. The destroyed file system is automatically unmounted and unshared.

In the following example, the tabriz file system is destroyed.

# zfs destroy tank/home/tabriz

If the file system to be destroyed is busy and so cannot be unmounted, the zfs destroy command fails. The zfs destroy command also fails if a file system has children.

Creating and Destroying ZFS File Systems (cont.)

Renaming a ZFS File System

You use the zfs rename command to rename ZFS file systems.

The rename subcommand can perform the following operations:

• Change the name of a file system.

• Relocate the file system to a new location within the ZFS hierarchy.

• Change the name of a file system and relocate it within the ZFS hierarchy.

Creating and Destroying ZFS File Systems (cont.)

Renaming a ZFS File System (cont.)

The following example uses the rename subcommand to simply rename a file system:

# zfs rename tank/home/kustarz tank/home/kustarz_old

The following example shows how to use zfs rename to relocate a file system.

# zfs rename tank/home/maybee tank/ws/maybee

ZFS Properties

Properties provide the main mechanism that you use to control the behavior of file systems, volumes, snapshots, and clones.

Properties are either read-only statistics or settable properties.

Most settable properties are also inheritable.

An inheritable property is a property that, when set on a parent, is propagated to all of its descendants.

ZFS Properties (cont.)

All inheritable properties have an associated source.

The source indicates how a property was obtained. The source of a property can have the following values:

• default

• local

• inherited from dataset-name

• temporary

• - (none)

ZFS Properties (cont.)

Property Name  Type              Default Value  Description
aclinherit     String            secure         Controls how ACL entries are inherited when files and directories are created.
aclmode        String            groupmask      Controls how an ACL entry is modified during a chmod operation.
atime          Boolean           on             Controls whether the access time for files is updated when they are read.
available      Number            N/A            Read-only property that identifies the amount of space available to the dataset and all its children, assuming no other activity in the pool.
checksum       String            on             Controls the checksum used to verify data integrity.
compression    String            off            Controls the compression algorithm used for this dataset.
compressratio  Number            N/A            Read-only property that identifies the compression ratio achieved for this dataset.
creation       Number            N/A            Read-only property that identifies the date and time that this dataset was created.
devices        Boolean           on             Controls whether device nodes found within this file system can be opened.
exec           Boolean           on             Controls whether programs within this file system are allowed to be executed.
mounted        Boolean           N/A            Read-only property that indicates whether this file system, clone, or snapshot is currently mounted.
mountpoint     String            N/A            Controls the mount point used for this file system.
origin         String            N/A            Read-only property for cloned file systems or volumes that identifies the snapshot from which the clone was created.
quota          Number (or none)  none           Limits the amount of space a dataset and its descendants can consume.
readonly       Boolean           off            Controls whether this dataset can be modified.
recordsize     Number            128K           Specifies a suggested block size for files in the file system.
referenced     Number            N/A            Read-only property that identifies the amount of data accessible by this dataset.
reservation    Number (or none)  none           The minimum amount of space guaranteed to a dataset and its descendants.
sharenfs       String            off            Controls whether the file system is available over NFS, and what options are used.
setuid         Boolean           on             Controls whether the setuid bit is honored in the file system.
snapdir        String            hidden         Controls whether the .zfs directory is hidden or visible in the root of the file system.
type           String            N/A            Read-only property that identifies the dataset type as filesystem (file system or clone), volume, or snapshot.
used           Number            N/A            Read-only property that identifies the amount of space consumed by the dataset and all its descendants.
volsize        Number            N/A            For volumes, specifies the logical size of the volume.
volblocksize   Number            8 Kbytes       For volumes, specifies the block size of the volume.
zoned          Boolean           N/A            Indicates whether this dataset has been delegated to a non-global zone.

ZFS Properties (cont.)

Read-Only ZFS Properties

Read-only properties are properties that you can retrieve, but not set. Read-only properties are not inherited.

Settable ZFS Properties

Settable properties are properties whose values you can both retrieve and set.

Settable properties are set by using the zfs set command.

With the exceptions of quotas and reservations, settable properties are inherited.

Querying ZFS File System Information

The zfs list command provides an extensible mechanism for viewing and querying dataset information.

Listing Basic ZFS Information

You can list basic dataset information by using the zfs list command with no options. For example:

# zfs list
NAME                   USED    AVAIL   REFER   MOUNTPOINT
pool                   84.0K   33.5G   -       /pool
pool/clone             0       33.5G   8.50K   /pool/clone
pool/test              8K      33.5G   8K      /test
pool/home              17.5K   33.5G   9.00K   /pool/home
pool/home/marks        8.50K   33.5G   8.50K   /pool/home/marks
pool/home/marks@snap   0       -       8.50K   /pool/home/marks@snap

You can also use the zfs list command to display specific datasets by providing the dataset name on the command line.

Use the -r option to recursively display all descendants of a dataset.

Creating Complex ZFS Queries

The zfs list output can be customized by using the -o, -t, and -H options. For example:

# zfs list -o name,sharenfs,mountpoint
NAME  SHARENFS  MOUNTPOINT
tank  rw        /export

You can use the -t option to specify the types of datasets to display. The valid types are:

• filesystem
• volume
• snapshot

You can use the -H option to omit the zfs list header from the generated output.

With the -H option, all white space is output as tabs. This option can be useful when you need parsable output.

Managing ZFS Properties

Dataset properties are managed through the zfs command’s set, inherit, and get subcommands.

Setting ZFS Properties

You can use the zfs set command to modify any settable dataset property.

Only one property at a time can be set or modified using zfs set.

The following example sets the atime property to off for tank/home.

# zfs set atime=off tank/home

Inheriting ZFS Properties

All settable properties, with the exception of quotas and reservations, inherit their value from their parent.

If no ancestor has an explicit value set for an inherited property, the default value for the property is used.

You can use the zfs inherit command to clear a property setting, thus causing the setting to be inherited from the parent.

The inherit subcommand applies recursively when you specify the -r option.

Querying ZFS Properties

The simplest way to query property values is by using the zfs list command.

For more complex queries and for scripting, you can use the zfs get command to obtain more detailed information in a customized format.

You can use the zfs get command to retrieve any dataset property. For example:

# zfs get checksum tank/ws
NAME     PROPERTY  VALUE  SOURCE
tank/ws  checksum  on     default

You can use the special keyword all to retrieve all dataset properties. The following example uses the all keyword to retrieve all existing dataset properties:

# zfs get all pool
NAME  PROPERTY  VALUE                  SOURCE
pool  type      filesystem             -
pool  creation  Mon Mar 13 11:41 2006  -
pool  used      2.62M                  -
<output omitted>

The -s option to zfs get enables you to specify, by source value, the type of properties to display.

Mounting ZFS File Systems

Managing ZFS Mount Points

By default, all ZFS file systems are mounted by ZFS at boot by using SMF’s svc://system/filesystem/local service.

File systems are mounted under /path, where path is the name of the file system.

You can override the default mount point by using the zfs set command to set the mountpoint property to a specific path.

ZFS automatically creates this mount point, if needed.

The mountpoint property is inherited.

You can set the mountpoint property to none to prevent a file system from being mounted.

If desired, you can explicitly manage file systems through legacy mount interfaces by setting the mountpoint property to legacy.

Automatic Mount Points

When you create a pool, you can set the default mount point for the root dataset by using zpool create -m.

Any dataset whose mountpoint property is not legacy is managed by ZFS.

When you change the mountpoint property, the file system is automatically unmounted from the old mount point and remounted to the new mount point.

Mount point directories are created as needed.

Legacy Mount Points

You can manage ZFS file systems with legacy tools by setting the mountpoint property to legacy.

Legacy file systems must be managed through the mount and umount commands and the /etc/vfstab file.

The following examples show how to set up and manage a ZFS dataset in legacy mode:

# zfs set mountpoint=legacy tank/home/eschrock

# mount -F zfs tank/home/eschrock /mnt

Mounting ZFS File Systems

ZFS automatically mounts file systems when file systems are created or when the system boots.

The zfs mount command is only necessary when changing mount options, or explicitly mounting or unmounting file systems.

The zfs mount command with no argument shows all currently mounted file systems that are managed by ZFS.

# zfs mount
tank               /tank
tank/home          /tank/home
tank/home/bonwick  /tank/home/bonwick

You can use the -a option to mount all ZFS managed file systems. For example:

# zfs mount -a

This command does not mount legacy managed file systems.

When a file system mounts, it uses a set of mount options based on the property values associated with the dataset.

Temporary Mount Properties

If you explicitly set mount options by using the -o option with the zfs mount command, the corresponding property value is temporarily overridden.

In the following example, the read-only mount option is temporarily set on the tank/home/perrin file system:

# zfs mount -o ro tank/home/perrin

To temporarily change a property on a file system that is currently mounted, you must use the special remount option.

Unmounting ZFS File Systems

You can unmount file systems by using the zfs unmount subcommand. The unmount command accepts either the mount point or the file system name as an argument.

In the following example, a file system is unmounted by specifying its file system name:

# zfs unmount tank/home/tabriz

In the following example, the file system is unmounted by specifying its mount point:

# zfs unmount /export/home/tabriz

ZFS Web-Based Management

A web-based ZFS management tool is available to perform many administrative actions. You can access the ZFS Administration console through a secure web browser at the following URL:

https://system-name:6789/zfs

If you type the appropriate URL and are unable to reach the ZFS Administration console, the server might not be started. To start the server, run the following command:

# /usr/sbin/smcwebserver start

If you want the server to run automatically when the system boots, run the following command:

# /usr/sbin/smcwebserver enable

ZFS Snapshots

A snapshot is a read-only copy of a file system or volume.

Snapshots are created almost instantly, and initially consume no additional disk space within the pool.

ZFS snapshots include the following features:

• Snapshots persist across system reboots.
• The theoretical maximum number of snapshots is 2^64.
• Snapshots use no separate backing store. Snapshots consume disk space directly from the same storage pool as the file system from which they were created.

Creating and Destroying ZFS Snapshots

You use the zfs snapshot command to create ZFS snapshots. The zfs snapshot command takes the name of the snapshot to create as its only argument.

Snapshot names use the following format:

filesystem@snapname
volume@snapname

The following example creates a snapshot of tank/home/ahrens that is named friday.

# zfs snapshot tank/home/ahrens@friday

Snapshots have no modifiable properties. Dataset properties cannot be applied to a snapshot.

You use the zfs destroy command to destroy a ZFS snapshot. For example:

# zfs destroy tank/home/ahrens@friday

A dataset cannot be destroyed if snapshots of the dataset exist.

In addition, if clones have been created from a snapshot, then they must be destroyed before the snapshot can be destroyed.

Renaming ZFS Snapshots

You can rename snapshots, but they must remain within the pool and dataset from which they were created. For example:

# zfs rename tank/home/cindys@031306 tank/home/cindys@today

Displaying and Accessing ZFS Snapshots

Snapshots of file systems are accessible in the .zfs/snapshot directory within the root of the containing file system. For example:

# ls /home/ahrens/.zfs/snapshot
tuesday wednesday thursday

You can list all snapshots as follows:

# zfs list -t snapshot
NAME                   USED  AVAIL  REFER  MOUNTPOINT
pool/home/anne@monday     0      -   780K  -
pool/home/bob@monday      0      -  1.01M  -
<output omitted>

You can list snapshots that were created for a particular file system as follows:

# zfs list -r -t snapshot -o name,creation pool/home
NAME                   CREATION
pool/home/anne@monday  Mon Mar 13 11:46 2006
pool/home/bob@monday   Mon Mar 13 11:46 2006

Snapshot Space Accounting

When you create a snapshot, its space is initially shared between the snapshot and the file system, and possibly with previous snapshots.

As the file system changes, space that was previously shared becomes unique to the snapshot, and thus is counted in the snapshot’s used property.

Additionally, deleting snapshots can increase the amount of space unique to (and thus used by) other snapshots.

Rolling Back to a ZFS Snapshot

You can use the zfs rollback command to discard all changes made since a specific snapshot.

The zfs rollback command causes the file system to revert to its state at the time the snapshot was taken.

By default, the zfs rollback command cannot roll back to a snapshot other than the most recent snapshot.

To roll back to an earlier snapshot, you must destroy all intermediate snapshots. You can destroy more recent snapshots by specifying the -r option.

ZFS Clones

A clone is a writable volume or file system whose initial contents are the same as the snapshot from which it was created.

As with snapshots, creating a clone is nearly instantaneous, and initially consumes no additional disk space.

You can only create clones from a snapshot. When you clone a snapshot, an implicit dependency is created between the clone and snapshot.

A clone does not inherit properties from the dataset from which it was created.

Creating a ZFS Clone

To create a clone, use the zfs clone command. Specify the snapshot from which to create the clone, and the name of the new file system or volume.

The new file system or volume can be located anywhere in the ZFS hierarchy within the same pool.

The following example creates a new clone named tank/home/ahrens/bug123, with the same initial contents as the snapshot tank/ws/gate@yesterday.

# zfs snapshot tank/ws/gate@yesterday
# zfs clone tank/ws/gate@yesterday tank/home/ahrens/bug123

Destroying a ZFS Clone

You use the zfs destroy command to destroy ZFS clones. For example:

# zfs destroy tank/home/ahrens/bug123

Clones must be destroyed before the parent snapshot can be destroyed.

Replacing a ZFS File System With a ZFS Clone

You can use the zfs promote command to replace an active ZFS file system with a clone of that file system.

This feature facilitates the ability to clone and replace file systems so that the ’origin’ file system becomes the clone of the specified file system.

In addition, this feature makes it possible to destroy the file system from which the clone was originally created.

Without clone promotion, you cannot destroy an ’origin’ file system of active clones.

In the following example, the tank/test/productA file system is cloned and then the clone file system, tank/test/productAbeta, becomes the tank/test/productA file system.

# zfs create tank/test
# zfs create tank/test/productA
# zfs snapshot tank/test/productA@today
# zfs clone tank/test/productA@today tank/test/productAbeta
# zfs list -r tank/test
NAME                      USED  AVAIL  REFER  MOUNTPOINT
tank/test                 314K  8.24G  25.5K  /tank/test
tank/test/productA        288K  8.24G   288K  /tank/test/productA
tank/test/productA@today     0      -   288K  -
tank/test/productAbeta       0  8.24G   288K  /tank/test/productAbeta

# zfs promote tank/test/productAbeta
# zfs list -r tank/test
NAME                          USED  AVAIL  REFER  MOUNTPOINT
tank/test                     316K  8.24G  27.5K  /tank/test
tank/test/productA               0  8.24G   288K  /tank/test/productA
tank/test/productAbeta        288K  8.24G   288K  /tank/test/productAbeta
tank/test/productAbeta@today     0      -   288K  -

Complete the clone replacement process by renaming the file systems. For example:

# zfs rename tank/test/productA tank/test/productAlegacy
# zfs rename tank/test/productAbeta tank/test/productA
# zfs list -r tank/test
NAME                      USED  AVAIL  REFER  MOUNTPOINT
tank/test                 316K  8.24G  27.5K  /tank/test
tank/test/productA        288K  8.24G   288K  /tank/test/productA
tank/test/productA@today     0      -   288K  -
tank/test/productAlegacy     0  8.24G   288K  /tank/test/productAlegacy

Using ZFS on a Solaris System With Zones Installed

You can associate ZFS datasets with non-global zones either by adding them to the zones, or delegating them to the zones. Typically you would associate ZFS file systems or volumes with non-global zones.

For example, adding a file system to a non-global zone allows the non-global zone to share space with the global zone. With an added dataset, the non-global zone administrator cannot control properties of the file system, or create new ZFS file systems below the added file system.

When you delegate a dataset to a non-global zone, you give complete control over the dataset and all its children to the zone administrator.

For example, if you delegate a file system to a non-global zone, the zone administrator can create and destroy file systems within that dataset, and modify their properties.

The zone administrator cannot affect datasets that have not been delegated to the zone, and cannot exceed any top-level quotas set on the delegated dataset.

Adding ZFS File Systems to a Non-Global Zone

You can add a ZFS file system as a generic file system when the goal is solely to share space with the global zone. A ZFS file system that is added to a non-global zone must have its mountpoint property set to legacy.

You can add a ZFS file system to a non-global zone by using the add fs subcommand in zonecfg. For example:

zonecfg:zone1> add fs
zonecfg:zone1:fs> set type=zfs
zonecfg:zone1:fs> set special=tank/zone/zone1
zonecfg:zone1:fs> set dir=/export/shared
zonecfg:zone1:fs> end

Delegating Datasets to a Non-Global Zone

If the primary goal is to delegate the administration of storage to a zone, then ZFS supports adding datasets to a non-global zone through use of the add dataset subcommand in zonecfg. For example:

zonecfg:zone1> add dataset
zonecfg:zone1:dataset> set name=tank/zone/zone1
zonecfg:zone1:dataset> end

The zone administrator can set file system properties, and create new file systems below the delegated file system.

In addition, the zone administrator can take snapshots, create clones, and otherwise control the entire file system hierarchy from the delegated file system down.

Adding ZFS Volumes to a Non-Global Zone

You can add emulated volumes to a non-global zone by using the add device subcommand in zonecfg.

In the following example, a ZFS emulated volume is added to a non-global zone by the administrator in the global zone:

zonecfg:zone1> add device
zonecfg:zone1:device> set match=/dev/zvol/dsk/tank/vol
zonecfg:zone1:device> end

Using ZFS Storage Pools Within a Zone

You cannot create or modify ZFS storage pools from within a non-global zone.

The delegated administration model centralizes control of physical storage devices within the global zone, and control of virtual storage to non-global zones.

While a pool-level dataset can be added to a non-global zone, any command that modifies the physical characteristics of the pool, such as creating, adding, or removing devices, is not allowed from within a non-global zone.

Property Management Within a Non-Global Zone

Once a dataset is delegated to a zone, the zone administrator can control specific dataset properties.

When a dataset is delegated to a zone, its ancestors are visible to zfs list in the non-global zone, but their content remains inaccessible. The delegated dataset itself is writable, as are all its children.

The zone administrator cannot change the sharenfs property, because non-global zones cannot act as NFS servers. Neither can the zone administrator change the zoned property.

Understanding the zoned Property

When a dataset is added to a non-global zone, the dataset must be specially marked so that certain properties are not interpreted within the context of the global zone.

Once a dataset has been added to a non-global zone under the control of a zone administrator, its contents can no longer be trusted.

ZFS uses the zoned property to indicate that a dataset has been delegated to a non-global zone at one point in time.

The zoned property is a boolean value that is automatically turned on when a zone containing a ZFS dataset is first booted.

If the zoned property is set, the dataset cannot be mounted or shared in the global zone.

When a dataset is removed from a zone or a zone is destroyed, the zoned property is not automatically cleared.

To prevent accidental security risks, the zoned property must be manually cleared by the global administrator if you want to reuse the dataset in any way.

Before setting the zoned property to off, make sure that the mountpoint property for the dataset and all its children are set to reasonable values and that no setuid binaries exist, or turn off the setuid property.

Once you have verified that no security vulnerabilities are left, the zoned property can be turned off by using the zfs set or zfs inherit commands.
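One way to carry out the property review described above before clearing zoned, as an added example that is not part of the course material: it reads the tab-separated output of zfs get with -H (the same parsable style described earlier for zfs list) and reports mount points outside an expected prefix and datasets that still have setuid on. The function names, the prefix policy, and the sample dataset lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the course material.
# Reviews the properties of a dataset tree that was delegated to a zone,
# before the global administrator clears the zoned property.
#
# Expected input on stdin: tab-separated name, property, value, as printed by
#   zfs get -H -r -o name,property,value mountpoint,setuid <dataset>
#
# Assumption (site policy, not from the course): a mount point is
# "reasonable" if it is legacy, none, or lies under the prefix given as $1
# and contains no ".." path component.

audit_before_unzone() {
    awk -F '\t' -v prefix="$1" '
        BEGIN { sub(/\/+$/, "", prefix) }      # tolerate a trailing slash
        $2 == "mountpoint" {
            mp = $3
            under  = (mp == prefix || index(mp, prefix "/") == 1)
            dotdot = (mp ~ /(^|\/)\.\.(\/|$)/)
            if (mp != "legacy" && mp != "none" && (!under || dotdot))
                print "MOUNTPOINT\t" $1 "\t" mp
        }
        # setuid still honoured: either scan the contents for setuid
        # binaries or set setuid=off before clearing zoned.
        $2 == "setuid" && $3 != "off" {
            print "SETUID\t" $1 "\t" $3
        }
    '
}

# Constructed sample input standing in for real zfs get -H output.
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        tank/zone/zone1      mountpoint /tank/zone/zone1 \
        tank/zone/zone1      setuid     on \
        tank/zone/zone1/data mountpoint /tank/zone/zone1/data \
        tank/zone/zone1/data setuid     off \
        tank/zone/zone1/web  mountpoint /usr/local \
        tank/zone/zone1/web  setuid     on \
        tank/zone/zone1/tmp  mountpoint /tank/zone/zone1/../../etc \
        tank/zone/zone1/tmp  setuid     off \
        tank/zone/zone1/old  mountpoint legacy \
        tank/zone/zone1/old  setuid     off
}

# Print one finding per line: kind, dataset, offending value.
sample_zfs_get | audit_before_unzone /tank/zone/zone1
```

An empty result means every mount point fits the policy and setuid is off throughout; any SETUID line still needs either setuid=off or a check of that dataset's contents.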