Thursday, September 17, 2009

Solaris 10 Zones

Creating a new zone/container:
$ makezone.ksh
- Even after makezone.ksh has created and installed a zone, it is not finished: the first boot still has to set the hostname, interface, authentication, name service, root password and so on, and the zone has no ssh host keys (rsa/dsa) yet.

- To complete it from the global zone, attach to the zone's console with "zlogin -C zonename"; the first boot prompts for the missing settings.
(This should be automated by creating a sysidcfg file, as for a JumpStart install, and placing it in the zone's <zonepath>/root/etc before the first boot. Need to review the Sun doc on this.)

Zone commands:
zoneadm list -cv                 # list all zones (configured, installed, running)
zoneadm -z zonename halt         # halt a running zone
# Delete a zone:
zoneadm -z zonename uninstall    # uninstall, back to the configured state
zonecfg -z zonename delete       # completely delete the zone configuration

#Standard:
- As a standard, we must have two machines located in different sites that will run the backup virtual machines. Without a backup virtual machine, we won't allow using containers.
- Each machine must have multipath enabled.
- We decided to use whole-root zones/containers instead of sparse ones so that containers can be patched independently. The kernel is still shared between the global zone and all containers.
- Monitoring virtual servers could generate duplicate messages for the same hardware, since the hardware is shared with the global zone and the other containers. If the global zone does the hardware monitoring, the containers need only application monitoring.
- Backups need to be done at the container level for ease of restore.
- Multipath at the global zone is transparent to the containers. The virtual machines binding to one of the interfaces knows how to failover to the second interface that is part of the multipath group in the global zone.

# Mounting a file system to a non-global zone:

1). For readonly types use loopback (lofs) as follows:
# zonecfg -z zoneabc
zonecfg:zoneabc> add fs
zonecfg:zoneabc:fs> set dir=/opt/abc
zonecfg:zoneabc:fs> set special=/opt/abc
zonecfg:zoneabc:fs> set type=lofs
zonecfg:zoneabc:fs> add options ro
zonecfg:zoneabc:fs> end
zonecfg:zoneabc> commit
zonecfg:zoneabc> exit

2) For rw and dedicated file system:

root@tbespclapp-g1 # zonecfg -z zoneabc
zonecfg:zoneabc> add fs
zonecfg:zoneabc:fs> set dir=/opt
zonecfg:zoneabc:fs> set special=/dev/dsk/c1t0d0s0
zonecfg:zoneabc:fs> set raw=/dev/rdsk/c1t0d0s0
zonecfg:zoneabc:fs> set type=ufs
zonecfg:zoneabc:fs> end
zonecfg:zoneabc> commit
zonecfg:zoneabc> exit
(raw must be the character device of the same slice as special; it is what fsck uses before the zone mounts it.)

3) For NFS, mount from inside the non-global zone via its own /etc/vfstab or the automounter.
# An fs resource added with zonecfg is only mounted when the zone boots. Either reboot the non-global zone or mount the filesystem from the global zone onto the zone's root path:
# mount /dev/dsk/c1t3d0s7 /zones/zoneabc/root/opt/enidata

Once a file system is assigned, it should show up as follows:
root@unixdevzone1 # zonecfg -z unixdeveni1
zonecfg:unixdeveni1> info
zonename: unixdeveni1
zonepath: /zones/unixdeveni1
brand: native
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: shared
fs:
dir: /opt/enidata
special: /dev/dsk/c1t3d0s7
raw: /dev/rdsk/c1t3d0s7
type: ufs
options: []
net:
address: 165.237.139.58
physical: nxge0
defrouter: 165.237.139.126
device
match: /dev/rdsk/c1t3d0s7
device
match: /dev/dsk/c1t3d0s7
dedicated-cpu:
ncpus: 4-16
importance: 1
capped-memory:
physical: 16G
[swap: 8G]
[locked: 12G]
rctl:
name: zone.max-swap
value: (priv=privileged,limit=8589934592,action=deny)
rctl:
name: zone.max-locked-memory
value: (priv=privileged,limit=12884901888,action=deny)
zonecfg:unixdeveni1>

# Changing dedicated cpu resources for a zone.
- On the globalzone, run:
# zonecfg -z zonename
zonecfg:unixdeveni1> select dedicated-cpu
zonecfg:unixdeveni1:dedicated-cpu> info
dedicated-cpu:
ncpus: 4-16
importance: 1
zonecfg:unixdeveni1:dedicated-cpu> set ncpus=24-32
zonecfg:unixdeveni1:dedicated-cpu> info
dedicated-cpu:
ncpus: 24-32
importance: 1
zonecfg:unixdeveni1:dedicated-cpu> end
zonecfg:unixdeveni1>
zonecfg:unixdeveni1> verify
zonecfg:unixdeveni1> commit
zonecfg:unixdeveni1> exit

# You can do the same for capped-memory resource.
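The creation, fs and dedicated-cpu steps above are all zonecfg input, so a zone can be built from a command file and a prepared sysidcfg instead of being typed in and finished by hand at the console. The following is an added shell example, not the makezone.ksh named above and not code from this post; the zone name, addresses, NIC, paths and root password hash in it are assumptions.

```shell
#!/bin/sh
# Added example (shell), not the makezone.ksh named above. Generates what a
# hands-off zone build needs: a zonecfg(1M) command file and a sysidcfg(4)
# that answers the first-boot questions, so "zlogin -C" is not required.
# Everything in the usage line at the bottom (zone name, addresses, NIC,
# paths, root password hash) is an assumption, not a value from this post.

# gen_zonecfg NAME ZONEPATH IP NIC DEFROUTER [RO_DIR]
# "create -b" gives a whole-root zone (no inherit-pkg-dir), matching the
# standard above. RO_DIR, if given, is lofs-mounted read-only from the
# global zone. The cpu/memory caps mirror the unixdeveni1 listing.
gen_zonecfg() {
    cat <<EOF
create -b
set zonepath=$2
set autoboot=true
set ip-type=shared
add net
set address=$3
set physical=$4
set defrouter=$5
end
add dedicated-cpu
set ncpus=4-16
set importance=1
end
add capped-memory
set physical=16G
end
EOF
    if [ -n "$6" ]; then
        cat <<EOF
add fs
set dir=$6
set special=$6
set type=lofs
add options ro
end
EOF
    fi
    printf 'verify\ncommit\n'
}

# gen_sysidcfg HOSTNAME TIMEZONE ROOT_HASH
# ROOT_HASH is the encrypted string as found in /etc/shadow, never the
# clear-text password. For a shared-IP zone only the hostname is needed in
# network_interface; the address comes from the zonecfg net resource.
# A site on NIS would use name_service=NIS {domain_name=...} instead.
gen_sysidcfg() {
    cat <<EOF
system_locale=C
terminal=vt100
network_interface=PRIMARY {
    hostname=$1
}
security_policy=NONE
name_service=NONE
nfs4_domain=dynamic
timezone=$2
root_password=$3
EOF
}

# stage_zone WORKDIR NAME ZONEPATH IP NIC DEFROUTER TIMEZONE ROOT_HASH [RO_DIR]
# Writes WORKDIR/NAME.cfg and WORKDIR/NAME.sysidcfg and prints the global-zone
# commands that consume them; it does not run zoneadm itself.
stage_zone() {
    _dir=$1; _name=$2; _zp=$3
    mkdir -p "$_dir"
    gen_zonecfg "$_name" "$_zp" "$4" "$5" "$6" "$9" > "$_dir/$_name.cfg"
    gen_sysidcfg "$_name" "$7" "$8" > "$_dir/$_name.sysidcfg"
    chmod 0600 "$_dir/$_name.sysidcfg"   # it carries the root hash
    cat <<EOF
zonecfg -z $_name -f $_dir/$_name.cfg
zoneadm -z $_name install
cp $_dir/$_name.sysidcfg $_zp/root/etc/sysidcfg
zoneadm -z $_name boot
EOF
}

# Usage with assumed values:  sh stage.sh stage
if [ "$1" = stage ]; then
    stage_zone /var/tmp/zones zoneabc /zones/zoneabc 192.0.2.58 nxge0 \
        192.0.2.1 US/Eastern 'xxHASHxx' /opt/abc
fi
```

The sysidcfg is written mode 0600 because it carries the root password hash; copy it into <zonepath>/root/etc after "zoneadm install" and before the first "zoneadm boot", and remove it from the staging directory afterwards. Changing ncpus or the memory cap later is the same "select dedicated-cpu" / "select capped-memory" edit shown above.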

# Enable snoop on a non-global zone:

# zonecfg -z test
zonecfg:test> set limitpriv=default,net_rawaccess
zonecfg:test> commit
zonecfg:test> exit
- Reboot the zone, log in and check the privilege set as root:
# ppriv $$
4547: -sh
flags = <none>
E: basic,contract_event,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,net_mac_aware,net_privaddr,
- On the global zone, check the network device to get the major and minor devices e.g. 96, 1 in this example:

# ls -l /dev/nge0
lrwxrwxrwx 1 root root 38 Apr 21 10:02 /dev/nge0 -> ../devices/pci@0,0/pci108e,5347@a:nge0
# ls -l /devices/pci@0,0/pci108e,5347@a:nge0
crw-rw-rw- 1 root root 96, 1 Apr 22 10:46 /devices/pci@0,0/pci108e,5347@a:nge0
With this information, we can now create the network device in the non-global zone:

# zonecfg -z test info zonepath
zonepath: /my/zones/test
# cd /my/zones/test/dev
# mknod nge0 c 96 1
# ls -l nge0
crw-r--r-- 1 root root 96, 1 Apr 25 13:00 nge0

Caveats: the major number (96 here) is specific to the driver and host, so read it from the global zone each time rather than copying it. With net_rawaccess and this device node the zone can read every frame on nge0, including the traffic of the global zone and of every other shared-IP zone on that interface, and can send raw packets, so treat it as a debugging-only change: drop the device node and reset limitpriv=default when the capture is done.

Sunday, April 13, 2008

NIS Slave and Client

Configure NIS Slave Server
login as root.

1. domainname example-domain
"example-domain" is the domainname. It must be the same domainname as you have in NIS master.

2. Populate the /etc/defaultdomain file with the domainname.
domainname > /etc/defaultdomain

3. Edit the /etc/hosts file to ensure that the NIS master and all NIS slave servers have been defined.

4. cp /etc/nsswitch.nis /etc/nsswitch.conf
Edit /etc/nsswitch.conf as necessary (ie. add dns entry).

5. /usr/sbin/ypinit -c
The above command initializes the slave server as a client first.

The "ypinit" command prompts you for a list of NIS servers. Enter the name of the local slave you are working on first, then the master server, followed by the other NIS servers in your domain in order from the closest to the furthest (in network terms), then press CTRL-D.

6. Make sure "ypbind" is not running.
ps -ef | grep ypbind

7. Start ypbind.
/usr/lib/netsvc/yp/ypstart

8. Initialize this machine as a slave and transfer the NIS maps.
/usr/sbin/ypinit -s master_machine_name

9. Stop ypbind.
/usr/lib/netsvc/yp/ypstop

10. Start ypbind and ypserv.
/usr/lib/netsvc/yp/ypstart

Configure NIS Client

login as root
domainname > /etc/defaultdomain
cp /etc/nsswitch.nis /etc/nsswitch.conf
Edit /etc/nsswitch.conf as necessary (ie. add dns entry)
/usr/sbin/ypinit -c

You will be asked to name the NIS servers from which the client may obtain name service information. You may list as many master or slave servers as you want. The servers that you list can be located anywhere in the domain. It is good practice to first list the servers closest (in network terms) to the machine, then those on more distant parts of the network, then press CTRL-D.

Start the YP service
/usr/lib/netsvc/yp/ypstart

Configure NIS Master

HOW TO CONFIGURE NIS MASTER

You must login as root.

1. Define the NIS domainname.
domainname example-domain

2. Populate the /etc/defaultdomain file with the domainname.
domainname > /etc/defaultdomain

3. Edit the /etc/hosts file to ensure that the NIS master and all NIS slave
servers have been defined and that a fully qualified name exists for this server.

4. Optionally, create an alternate directory and copy the source files there.
mkdir /var/yp/src
cd /etc
cp auto_home auto_master bootparams ethers group hosts netgroup netmasks networks \
passwd protocols publickey rpc services shadow timezone user_attr /var/yp/src

5. Edit the Makefile.
cp /var/yp/Makefile /var/yp/Makefile.orig
vi /var/yp/Makefile

Modify DIR= and PWDIR= entries to reflect the location of the alternate directory
used in step 4.
Example:DIR=/var/yp/src
Example:PWDIR=/var/yp/src

If you wish NIS to resolve hosts through DNS comment out "B=" and uncomment "B=-b".
Locate the target labeled all: and remove any map from the definition that does not have a
corresponding file and will not be used as part of this service. For example, bootparams,
ethers, and timezone files do not exist by default, and may be removed. This will avert
errors during the make process (IE. make: Fatal error: Command failed for target 'k').

Note: If the netgroup map is to be used later, but does not yet exist, create a
placeholder for this in the target directory.
touch /var/yp/src/netgroup

Note: To relocate RBAC related files or /etc/inet/ipnodes consult the comments in
/var/yp/Makefile.

6. Ensure files are selected as the naming service, if not previously defined.
cp /etc/nsswitch.files /etc/nsswitch.conf

7. Initialize the server:

cd /var/yp
/usr/sbin/ypinit -m

It will ask you for the other yp server's name. Type the name of the server you
are working on, along with the name of your NIS slave servers, and then
press CTRL-D.

It will ask "Do you want this procedure to quit on non-fatal errors? [y/n: n]"; answer n.

8. Start the NIS daemons.

/usr/lib/netsvc/yp/ypstart

This will start all NIS server daemons (ypbind ypserv ypxfrd rpc.yppasswdd rpc.ypupdated).

9. Test the configuration.
cd /var/yp
/usr/ccs/bin/make (this should complete without errors)
ypcat -k hosts (to make sure the new maps are there)
ypwhich -m (display the maps that are being served)
NOTE: All the resulting NIS maps will be stored under /var/yp/example-domain directory.
10. To enable this host as a NIS client.
cp /etc/nsswitch.nis /etc/nsswitch.conf
Edit /etc/nsswitch.conf as necessary (ie. add dns entry).


Note: To control NIS services from the command line:

/usr/lib/netsvc/yp/ypstop (to stop NIS services)
/usr/lib/netsvc/yp/ypstart (to start NIS services)

On Solaris 10, NIS runs under SMF, so use svcadm instead of ypstop/ypstart (enable/disable/restart):

svcadm disable network/nis/server:default
svcadm disable network/nis/client:default
svcadm enable network/nis/server:default
svcadm enable network/nis/client:default

Note: ypserv hands its maps, the passwd map included, to any host that can reach it unless /var/yp/securenets lists the networks and hosts allowed to bind; create that file on the master and on every slave before starting the server.
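Two checks worth scripting on an NIS master before "ypinit -m" and before the daemons start, as an added shell example that is not part of the original post: every server named to ypinit must be resolvable from /etc/hosts (step 3 of the master procedure), and ypserv should be fenced with /var/yp/securenets. The host names, addresses and subnets used in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for an
# NIS master or slave.
#  1. every server that will be named to ypinit must resolve from /etc/hosts,
#     otherwise the ypservers map is built with names nothing can resolve;
#  2. ypserv answers any host that can reach it unless /var/yp/securenets
#     restricts it, so generate that file from the subnets that may bind.
# Host names, addresses and subnets in the usage below are constructed.

# hosts_missing HOSTS_FILE NAME... : print each NAME with no /etc/hosts entry.
# Comments are stripped and aliases count; returns 1 if anything is missing.
hosts_missing() {
    _hosts=$1; shift
    _rc=0
    for _n in "$@"; do
        if ! sed 's/#.*//' "$_hosts" | awk -v n="$_n" '
                { for (i = 2; i <= NF; i++) if ($i == n) { found = 1; exit } }
                END { exit (found ? 0 : 1) }'; then
            echo "$_n"
            _rc=1
        fi
    done
    return $_rc
}

# gen_securenets ENTRY... : emit securenets(4) lines on stdout.
#   host:ADDR              -> "host ADDR"
#   mask:NETMASK:NETWORK   -> "NETMASK NETWORK"
# Loopback is always allowed so ypbind on the server itself can bind.
gen_securenets() {
    echo "# generated: only these may bind to this NIS server"
    echo "host 127.0.0.1"
    for _e in "$@"; do
        case $_e in
            host:*) echo "host ${_e#host:}" ;;
            mask:*) _rest=${_e#mask:}
                    echo "${_rest%%:*} ${_rest#*:}" ;;
            *)      echo "bad securenets entry: $_e" >&2
                    return 1 ;;
        esac
    done
}

# Usage with constructed values:
#   hosts_missing /etc/hosts nismaster nisslave1 nisslave2 && \
#   gen_securenets mask:255.255.255.0:192.0.2.0 host:192.0.2.10 > /var/yp/securenets
```

Run hosts_missing with the exact names you will type at the ypinit prompt; a name that resolves only through DNS is not enough at this point, because nsswitch.conf is still set to files. Restart ypserv after writing securenets, as it reads the file at start-up.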

SSH between servers with no password

Steps:

On the client run the following commands:

$ mkdir -p $HOME/.ssh
$ chmod 0700 $HOME/.ssh
$ ssh-keygen -t dsa -f $HOME/.ssh/id_dsa -P ''

This should result in two files, $HOME/.ssh/id_dsa (private key) and $HOME/.ssh/id_dsa.pub (public key). The private key has no passphrase, so anyone who obtains the file can log in as this account: keep it mode 0600 and restrict what it may do on the server side (from= and command= options in authorized_keys).
Copy $HOME/.ssh/id_dsa.pub to the server.

On the server run the following commands:

$ cat id_dsa.pub >> $HOME/.ssh/authorized_keys2
$ chmod 0600 $HOME/.ssh/authorized_keys2

authorized_keys2 is a holdover from OpenSSH 2.x; current versions read authorized_keys, so depending on the version of OpenSSH the following commands may also be required:
$ cat id_dsa.pub >> $HOME/.ssh/authorized_keys
$ chmod 0600 $HOME/.ssh/authorized_keys

An alternative is to create a link from authorized_keys2 to authorized_keys:
$ cd $HOME/.ssh && ln -s authorized_keys2 authorized_keys

On the client test the results by ssh'ing to the server:

$ ssh -i $HOME/.ssh/id_dsa server

(Optional) Add the following $HOME/.ssh/config on the client:

Host server
IdentityFile ~/.ssh/id_dsa

This allows ssh access to the server without having to specify the path to the id_dsa file as an argument to ssh each time.
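The server-side step above appends the key as-is, which gives the key holder a full shell from anywhere. The following is an added shell example, not code from the original post, that installs an automation key with restrictive options, idempotently, with the modes sshd requires; the key text, client address and command in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: install an automation key on
# the server side the way an unencrypted key should be installed, i.e. with
# restrictive authorized_keys options, without duplicate lines, and with the
# modes sshd insists on (0700 on .ssh, 0600 on authorized_keys). The key text,
# source address and command used below are constructed.

# install_key AUTHKEYS_FILE PUBKEY_FILE FROM [COMMAND]
# FROM is the client address or hostname pattern allowed to use the key;
# COMMAND, if given, is the only thing the key may run (the client's own
# command line is ignored by sshd). A key already present is left alone.
install_key() {
    _auth=$1; _pub=$2; _from=$3; _cmd=$4
    _dir=$(dirname "$_auth")
    mkdir -p "$_dir"
    chmod 0700 "$_dir"
    _blob=$(awk '{print $2}' "$_pub")        # "type blob comment" -> blob
    if [ -f "$_auth" ] && grep -qF "$_blob" "$_auth"; then
        return 0                             # already installed: idempotent
    fi
    _opts="from=\"$_from\",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty"
    if [ -n "$_cmd" ]; then
        _opts="$_opts,command=\"$_cmd\""
    fi
    printf '%s %s\n' "$_opts" "$(cat "$_pub")" >> "$_auth"
    chmod 0600 "$_auth"
}

# count_key AUTHKEYS_FILE PUBKEY_FILE : number of lines carrying this key
count_key() {
    _blob=$(awk '{print $2}' "$2")
    grep -cF "$_blob" "$1"
}

# Usage with constructed values (run on the server, as the target account):
#   install_key "$HOME/.ssh/authorized_keys" /tmp/id_dsa.pub 192.0.2.5 /usr/local/bin/backup
```

From the client, test with "ssh -o BatchMode=yes -i ~/.ssh/id_dsa server": BatchMode makes ssh fail instead of falling back to a password prompt, which is the behaviour an automation account should have. With a command= option the login runs only that command, so a stolen key is worth one backup job rather than a shell.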

Setting up RBAC

RBAC - Assign web administration to given server
Assign user "nsserver" the ability to manage the web services

ServerName: mywebserver1
Rolename : web_admin
Username : nsserver
Profile : web_prof
Objective : Stop and Start the Web Server ( secure & non-secure )

Create a role
roleadd -u 400 -g 10 -d /export/home/web_admin -m web_admin

Assign Password to the role
passwd web_admin


cd /etc/security
cp prof_attr prof_attr.orig

edit the prof_attr file and add the below line

vi prof_attr
web_prof:::Permit stop and start of Web, coldfusion Server:


edit the exec_attr and add the below lines (seven colon-separated fields: name:policy:type:res1:res2:id:attr; an empty attr field means the command runs with the role's own privileges)

vi exec_attr

web_prof:suser:cmd:::/apps/iplanet/servers/https-mywebserver1.twcnyc.com/stop:uid=0
web_prof:suser:cmd:::/apps/iplanet/servers/https-mywebserver1.twcnyc.com/start:uid=0
web_prof:suser:cmd:::/apps/coldfusionmx/bin/coldfusion stop:uid=0
web_prof:suser:cmd:::/apps/coldfusionmx/bin/coldfusion start:uid=0
web_prof:suser:cmd:::/usr/bin/ls:
web_prof:suser:cmd:::/usr/bin/wc:
web_prof:suser:cmd:::/usr/bin/profiles:
web_prof:suser:cmd:::/usr/bin/vi:
web_prof:suser:cmd:::/usr/bin/more:
web_prof:suser:cmd:::/usr/bin/id:
web_prof:suser:cmd:::/usr/bin/gzip:
web_prof:suser:cmd:::/usr/bin/roles:

Note: the id field is matched against the command pathname only, so the two coldfusion entries will not match "coldfusion stop" and "coldfusion start" as written; put each into its own wrapper script and list the script paths instead. Every path that runs with uid=0 must be owned by root and not writable by the role, the web user or the group, otherwise whoever can edit that script has root.

Use rolemod to assign the profile to the role
rolemod -P web_prof web_admin
Use the usermod command to assign the role to the user
usermod -R web_admin nsserver

Roles cannot log in directly: nsserver runs "su - web_admin" with the role password set above, lands in the role's profile shell and can then run the stop/start commands with the attributes from exec_attr. Check the result with "roles nsserver" and "profiles -l web_admin".
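Before the role is handed out, the exec_attr entries deserve an audit: the id field is a path only, and anything that runs with uid=0 must not be editable by the role. The following shell script is an added example, not code from the original post; the exec_attr file and command paths it is exercised with are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the exec_attr(4)
# entries of one RBAC profile before a role is allowed to use them.
#
# exec_attr format: name:policy:type:res1:res2:id:attr
#   1. id is matched on the pathname only: an entry such as
#      "/apps/.../coldfusion stop" never matches, so flag ids with spaces;
#   2. the path must exist;
#   3. a command that runs with uid=0/euid=0 must be root-owned and must not
#      be group- or world-writable, or whoever can edit it gets root.
#
# Usage: audit_profile /etc/security/exec_attr web_prof
# Prints one "BAD: ..." line per finding; returns 0 when clean, 1 otherwise.
audit_profile() {
    _file=$1
    _prof=$2
    _findings=$(
        grep "^${_prof}:" "$_file" |
        while IFS=: read -r _name _policy _type _res1 _res2 _id _attr; do
            case $_id in
                *" "*)
                    echo "BAD: id '$_id' contains a space (arguments are not matched)"
                    continue ;;
            esac
            if [ ! -e "$_id" ]; then
                echo "BAD: $_id does not exist"
                continue
            fi
            case ";$_attr;" in
                *uid=0*)
                    # ls -ld parses the same on Solaris and Linux; stat(1) does not.
                    set -- $(ls -ld "$_id")
                    _mode=$1; _owner=$3
                    [ "$_owner" = root ] ||
                        echo "BAD: $_id runs as uid 0 but is owned by $_owner"
                    case $_mode in
                        ?????w*|????????w*)
                            echo "BAD: $_id runs as uid 0 but is group/world writable ($_mode)" ;;
                    esac ;;
            esac
        done
    )
    [ -z "$_findings" ] && return 0
    printf '%s\n' "$_findings"
    return 1
}

# Usage: sh audit.sh /etc/security/exec_attr web_prof
if [ $# -eq 2 ]; then
    audit_profile "$1" "$2"
fi
```

Run it again after every edit of exec_attr and after each application upgrade, since vendor install scripts are fond of leaving start/stop scripts world-writable. A clean run is a precondition for "rolemod -P", not a substitute for checking what the scripts themselves execute.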

Reset LOM Password

To override the ALOM password on the system you will need to:

1) Attach console to Serial Management Port

2) Power on the server via the front power button. Once POST has
completed, you will need to wait 1 to 2 minutes for a timeout to
occur and the system to drop to the "ok>" prompt.

If you do not get the "Please login:" prompt (you will likely see the
SC prompt) then you must power the system off remove the battery from
the LOM board, wait a minute, and re-install everything).

Below is an example of what you might see on the console:

Please login:
SC Alert: Host System has Reset

[wait one to two minutes]
Serial line login timeout, returns to console stream.

ok>

3) Boot the system to the OS level. If Solaris is not currently
installed on the server, you will need to install it at this point.

4) Use the scadm command to reset the admin password:

a) cd /usr/platform/`uname -i`/sbin
b) ./scadm userpassword admin

5) Use the escape sequence "#." to get system back to the alom login
prompt.

6) You can now log into the admin account using the password from
step 4 b).

Note that this procedure needs only physical access to the serial management port and root on the host, so the ALOM password protects against neither; console access and host root are what actually guard the service processor.

NAS Failover

Case: active/standby setup

When the primary Data Mover fails, its standby takes over automatically; the state column then shows server_2.faulted.server_3, i.e. server_3 is running as server_2. Failing back is a manual step. First check the current status of the Data Movers:

[nasadmin@fluxnasmgt1 toftp]$ nas_server -l
id type acl slot groupID state name
1 4 1000 2 2 server_2.faulted.server_3
2 1 1000 3 0 server_2

[nasadmin@fluxnasmgt1 toftp]$ /nas/sbin/getreason
10 - slot_0 primary control station
5 - slot_2 contacted
5 - slot_3 contacted

Execute the below command to fail back to server_2 (server_3 returns to standby):

[nasadmin@fluxnasmgt1 toftp]$ server_standby server_2 -r mover

Check the layout of the servers, it should appear as below

[nasadmin@fluxnasmgt1 toftp]$ nas_server -l
id type acl slot groupID state name
1 1 1000 2 0 server_2
2 4 1000 3 0 server_3