Zones


Not able to log in to Non-global zones (NGZ) after Patching.

Yesterday I faced an issue wherein I was unable to log in to the NGZs after kernel patching, though zlogin was working perfectly.

Initially I thought the cause was the ssh key. Then I tried to log in to the NGZ from the network, and it was showing ssh connection refused. I checked the ssh services via zlogin. There were many services related to network which were not running, including ssh. All services were depending on the /system/sysidtool:net service, which was in disabled mode. I tried to enable the /system/sysidtool:net service but no luck.

# svcs -vx
# svcs -a | grep -i /system/sysidtool:net
# svcadm enable /system/sysidtool:net
# svcs -a | grep -i /system/sysidtool:net
# svcs -vx

Then I examined the logs for this service failure and found:

[ Aug 27 09:15:49 Method "start" exited with status 0 ]
[ Aug 27 09:36:58 Enabled. ]
[ Aug 27 09:37:01 Executing start method ("/lib/svc/method/sysidtool-net") ]
/etc/.UNCONFIGURED not found. System already configured, /lib/svc/method/sysidtool-net exiting.
[ Aug 27 09:37:01 Method "start" exited with status 0 ]
[ Aug 27 14:58:06 Enabled. ]
[ Aug 27 14:58:12 Executing start method ("/lib/svc/method/sysidtool-net") ]
ifconfig: status: SIOCGLIFFLAGS: fjgi0: no such interface
ifconfig: setifflags: SIOCGLIFFLAGS: fjgi0: no such interface
ifconfig: status: SIOCGLIFFLAGS: fjgi7: no such interface
ifconfig: setifflags: SIOCGLIFFLAGS: fjgi7: no such interface
Terminated

At this point of time I checked the interfaces, but all were up and running fine in the Global as well as in the Non-global zone.

Then one particular line got my attention:

/etc/.UNCONFIGURED not found. System already configured, /lib/svc/method/sysidtool-net exiting.

I checked /etc/.UNCONFIGURE with ls -la in the NGZ and found one file with name .UNCONFIGURE, which was of 0 (zero) size.

I removed this file and restarted the NGZ; all went in favor and all services started successfully.

# cd /etc
# ls -la
# rm .UNCONFIGURE
# zoneadm -z zone-name reboot

Prasad

29 August, 2011, 1:48

Hi Yogesh, that's a nice post. If you examine further, this error occurs because of the following reasons:

1.) If you have done detach and attach of the zones to global zone.
2.) If you have invoked a sys-unconfig and ran reboot.

If you check on this system, please verify the Timezone of the non-global zone; it might have changed to default PST. And also changes in /etc/nsswitch.conf will be lost; that needs to be restored. Unfortunately, these changes will not be caught as all the services on the system come up as usual.

Thanks.
Prasad

ramdev

29 August, 2011, 3:43

Good one Yogesh, can you please consider Prasad's points and check that the Timezone and name switch configuration were not reset to defaults.

Yogesh Raheja

29 August, 2011, 4:28

Hi Prasad,

Thanks for your valuable comments..

1.) I haven't performed detach/attach on the server.
2.) No sys-unconfig invoked as I was performing only Bundle patching.

I need to check the TIMEZONE and /etc/nsswitch.conf files for any config. changes.

Yogesh Raheja

29 August, 2011, 12:57

Hi Prasad/Ram, no changes have been found in nsswitch.conf and the TIMEZONE is also looking good.

Prasad

29 August, 2011, 14:41

Ok. That's good.. cool.. In my earlier experience, I have faced the above said issues during detach and attach of zones and also with sys-unconfig. But you may help investigate further and know which patch is doing that; it would be helpful if we are getting this issue persistently across other servers as well. Thanks for bringing this up.

Ram

12 September, 2011, 18:24

I was facing the same issue today. Resolved by removing the .UNCONFIGURED file. After that I was getting "Couldn't agree a key exchange algorithm" while using Putty. Resolved that by using the following commands:

/lib/svc/method/sshd -c

svcadm restart ssh

Thanks a lot

Ramdev

13 September, 2011, 2:08

@ram thanks for sharing the information with us

Yogesh Raheja

13 September, 2011, 10:02

@Ram, yes, sometimes it would be required to restart the sshd or to reboot the zone.

Yogesh Raheja

13 September, 2011, 10:02

sorry, not sometimes, in fact every time..:)

krishna

27 October, 2011, 12:09

Hi,

I checked /etc/.UNCONFIGURE with ls -la in the NGZ and found one file with name .UNCONFIGURE, which was of 0 Zero size.

In the above line I have a doubt: is that NGZ or GZ? Because our issue is not being able to log in to the NGZ. So how can I do it without login?

Yogesh Raheja

@Krishna, log in to the NGZ from the GZ via zlogin, rm the /etc/.unconfigure file from the NGZ and reboot your NGZ. It will restart all the services without issues. Try it and you will be able to log in via ssh.

Eliza

Thank you for posting this. I have 8 theoretically identical zones (all built from the same build script on the same server) and one of the 8 had this issue. After removing the .UNCONFIGURE file all of the services were able to start.

Yogesh Raheja

@Eliza, it's a great pleasure that our post worked for your issue. Thanks for your interest in Gurkulindia.

Shahul

Just curious what the command /lib/svc/method/sshd -c does?

Yogesh Raheja

@Shahul, the purpose of /lib/svc/method/sshd -c is to create the rsa and dsa keys if they are not present on the server before restarting ssh. Though it won't be required in many cases and restarting ssh is enough. Also you can check the /lib/svc/method/sshd file, which will give you more idea. Hope this helps.

deepa K R

http://docs.oracle.com/cd/E19683-01/817-1592/gbcyr/index.html.

To prevent the system from displaying the sysidtool questions upon initial zone login, delete the file zonepath/root/etc/.UNCONFIGURED,
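
The check from the thread (zlogin to one zone, ls -la /etc, look for the marker), run from the global zone across every zone at once. This is an added example, not part of the original post or its comments. The function names are hypothetical, and it assumes a POSIX shell (on Solaris 10, /usr/xpg4/bin/sh or bash), `zoneadm list -cp` style input, and the zonepath/root layout quoted above.

```shell
#!/bin/sh
# Added example (not from the original post). Lists leftover /etc/.UNCONFIGURE*
# marker files inside non-global zone roots, as seen from the global zone.
# Input on stdin: lines in `zoneadm list -cp` format
#   zoneid:zonename:state:zonepath:uuid:brand:ip-type
# Assumption: zone paths contain no ':' characters.

find_unconfig_markers() {
    while IFS=: read -r zid zname zstate zpath rest; do
        [ -n "$zpath" ] || continue              # skip blank or short lines
        [ "$zname" = "global" ] && continue      # only non-global zones are checked
        # Match both spellings seen in the thread: .UNCONFIGURE and .UNCONFIGURED
        for marker in "$zpath"/root/etc/.UNCONFIGURE*; do
            [ -f "$marker" ] || continue         # an unmatched glob stays literal
            if [ -s "$marker" ]; then size=non-empty; else size=zero-size; fi
            printf '%s %s %s %s\n' "$zname" "$zstate" "$size" "$marker"
        done
    done
}

# Constructed sample: two fake zone roots under a temp directory, one of them
# carrying an empty marker file. Prints what find_unconfig_markers reports.
demo_constructed() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/zone-a/root/etc" "$base/zone-b/root/etc"
    : > "$base/zone-b/root/etc/.UNCONFIGURE"
    printf '%s\n' \
        "0:global:running:/::native:shared" \
        "1:zone-a:running:$base/zone-a:uuid-a:native:shared" \
        "2:zone-b:running:$base/zone-b:uuid-b:native:shared" \
      | find_unconfig_markers
    rm -rf "$base"
}

# Real use, in the global zone:  zoneadm list -cp | find_unconfig_markers
if [ "${1:-}" = "demo" ]; then demo_constructed; fi
```

Each output line names the zone, its state, whether the marker is empty, and the full path, so the file can be reviewed before anyone removes it and reboots the zone.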

Solaris 10: Configuring netmasks and default gateway in zones

The command, zonecfg, has no provision for defining the netmask of network resources. Modifying the /etc/netmasks file resident within the designated zone does not configure the netmask of the new interface. This procedure details how to set the netmask of a network resource within a zone to the desired value.

Netmasks Configuration

Within the context of the global zone, the zonecfg command is used to define a network resource:

on the global zone:

1. zonecfg -z rhzone
zonecfg:rhzone>add net
zonecfg:rhzone>set address=10.1.0.1
zonecfg:rhzone>set physical=e1000g0
zonecfg:rhzone>end
zonecfg:rhzone>export
zonecfg:rhzone>exit
zoneadm -z rhzone reboot

on the zone rhzone

1. vi /etc/netmasks

adding the line

10.1.0.0 255.255.255.0

then saving the file and rebooting the zone, yields:

login: root
password: xxxxxx

# ifconfig -a
e1000g0 inet 10.1.0.1 netmask 255.0.0.0

create
zonecfg:sol10zone> set zonepath=/export/zones/sol10zone
zonecfg:sol10zone> set autoboot=true
zonecfg:sol10zone> add net
zonecfg:sol10zone:net> set physical=hme0
zonecfg:sol10zone:net> set address=129.148.195.32 (use unique ip address!)
zonecfg:sol10zone:net> end
zonecfg:sol10zone> verify
zonecfg:sol10zone> exit
#

Now your Container is setup but not yet installed with Solaris [TM] 10 OE.

3) Install the Container:

# zoneadm -z sol10zone install
Preparing to install zone .
Creating list of files to copy from the global zone.
Copying files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize packages on the zone.
Initialized packages on zone.
Zone is initialized.
Installation of packages was skipped.
The file contains a log of the zone installation.

Note that zoneadm is located in /usr/sbin as well.

4) Boot the Container:

# zoneadm -z sol10zone boot

5) Connect to the Console of your Container:

# zlogin -C sol10zone
[Connected to zone 'sol10zone' console]

Press return. (can take several mins)

Now, respond to some basic questions of a Solaris [TM] installation, such as:

o Define the Locale
o Define the Term
o Define the TZ
o Define the root password
o Define the Name Service

Once this is done, the Container will perform a final reboot:

rebooting system due to change(s) in /etc/default/init
[NOTICE: Zone rebooting]
SunOS Release 5.10 Version Generic 64-bit
Copyright 1983-2005 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Hostname: sol10zone

sol10zone console login:

6) Log into the Container:

# zlogin -C sol10zone
[Connected to zone 'sol10zone' console]

sol10zone console login: root
Password:
Last login: Wed Feb 9 12:06:08 on console
Feb 9 12:46:23 sol10zone login: ROOT LOGIN /dev/console
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
# ifconfig -a
lo0:1: flags=2001000849 mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
hme0:1: flags=1000843 mtu 1500 index 2
inet 10.16.10.254 netmask ff000000 broadcast 10.255.255.255
# uname -a
SunOS sol10zone 5.10 Generic sun4u sparc SUNW,Ultra-5_10

You are now done.