Archive for the ‘Solaris’ Category

Solaris Kernel Tuning for Security

Tuesday, March 23rd, 2010

Introduction
The Solaris kernel provides a great deal of user-configurable control over the system TCP/IP stack. Everything from cache table lifetimes to the number of TCP connections that the system can address are controllable. However, without understanding the underlying need for tuning these kernel parameters many system administrators choose to ignore them – thereby leaving their systems vulnerable to a resourceful assailant.
Solaris Kernel Tools
The only tool available to Solaris system administrators for tuning kernel parameters is ndd. Currently, ndd only supports the TCP/IP kernel drivers. It can be used to both show and set the values of parameters for these drivers.
Solaris Kernel Parameters
In general to show a particular parameter the command format is:
# ndd /dev/ where is one of the following: ARP, IP, TCP, and UDP. To view all parameters for a particular driver the command is:
# ndd /dev/ \?
To set a kernel parameter using ndd, the format of the command is:
# ndd -set /dev/
Unfortunately, changes to the Solaris kernel parameter values using ndd are not permanent. The values for these parameters return to default upon system reboot. To make these changes more permanent a system administrator needs to put these changes into a shell script that is run at system boot (one possible location would be /etc/init.d/inetinit or in a separate shell script). One of the primary problems with setting these parameters into a shell script is that the parameters are implementation-specific and may change from one Solaris release to another.
ARP
ARP (Address Resolution Protocol) is used to dynamically map layer-3 network addresses to data-link addresses. When one system wants to communicate with another system on a network it first sends an ARP packet to the broadcast address, FF:FF:FF:FF:FF:FF. The packet asks the simple question: “who has network address A?…tell network address B”. Since all hosts on a network receive these broadcast packets, system A receives the ARP request and sends back a response. The originating host then uses the responses to its ARP broadcasts to build a table, or cache, mapping the 32-bit IP addresses to Layer-2 hardware, or MAC, addresses. A second table is maintained by the network layer. This table is built from information provided by the data-link layer and contains network-routing information for active connections. The network layer requests MAC addresses from the data-link layer and inserts these addresses into a network routing table. Network routing entries expire after 20 minutes.
When a network host prepares to communicate with another the IP layer checks the ARP cache first. If an entry for the network peer does not exist in the cache, an ARP request is broadcasted. ARP cache entries expire after five minutes.
The ARP cache is susceptible to two types of attacks: ARP cache poisoning and ARP spoofing. ARP cache poisoning involves “inserting” either a non-existent ARP address or an incorrect ARP address into a system’s ARP cache. This results in a denial of service since the target system will send packets to the peer’s IP address but the MAC address will be incorrect.
ARP spoofing can result in system compromise. Just like IP spoofing, ARP spoofing relies on, first, disabling a host on the network so that it cannot reply to any ARP request broadcasts. Once that is done the attacker can configure the disabled host’s IP address on the attacking host. When the victim host tries to communicate with the disabled host the attacker’s system responds to any ARP request broadcasts, thereby inserting its MAC address in the victim’s ARP cache. Communication between the two hosts can then proceed normally.
It is very difficult to defend against ARP attacks. One defence against ARP attacks is to reduce the lifetime of cache entries. The cache lifetime is determined by the kernel parameter arp_cleanup_interval. The IP routing table entry lifetime is controlled by the kernel parameter ip_ire_flush_interval
# ndd -set /dev/arp arp_cleanup_interval

a) shorten the value of the abort timer, and
b) lengthen the TCP connection queue.

To shorten the abort timer the kernel parameter: tcp_ip_abort_cinterval can be used. The value for this parameter is given in milliseconds. By default the abort timer interval is 180 seconds. To set the abort time to 60 seconds the system administrator can use the command:
# ndd -set /dev/tcp tcp_ip_abort_cinterval 60000
The kernel parameter tcp_conn_req_max_q0 controls the queue size for unestablished TCP connections in Solaris 2.6 and above (or in Solaris 2.5.1 w ith patch 103581-11). The default value for tcp_conn_req_max_q0 is 1024. To increase the queue size the following command can be used:
# ndd -set /dev/tcp tcp_conn_req_max_q0 2048
Another type of SYN attack involves exhausting the TCP established connection queue. This attack is not as desirable as the TCP SYN attack mentioned above because of the fact that the connection can be traced back to its source, however, it still presents a problem. Solaris 2.6 and above (as well as Solaris 2.5.1 with patch 103582-11) provide control over the size of the established TCP connection queue. This control is provided by the kernel parameter tcp_conn_req_max_q. By default it is set at 128. To increase the established TCP connection queue, the command is:
# ndd -set /dev/tcp tcp_conn_req_max_q
where is the total number of active, established, TCP connections allowed to the host. Increasing either the TCP queue for unestablished connections or the TCP queue for established connections will require more memory. Without sufficient memory the server’s performance will be affected. Also, while this provides some measure of relief against TCP SYN attacks and TCP established connection exhaustion attacks these types of attacks depend on which side has more resources. If the attacker can produce more TCP connections (whether “half-open” or established) than the server can possibly handle this denial of service will succeed.
Conclusion
The Solaris kernel has many configurable parameters that are security related. These parameters can be adjusted to strengthen the security posture of a system. The parameters cover such things as ARP timeouts, IP forwarding of packets, IP source routing of packets, TCP connection queue sizes, and many other factors governing network connections. By tuning the kernel properly a system administrator can even prevent OS fingerprinting of a Solaris system as provided by such tools as queso and nmap.

Tags: ,
Posted in Solaris | No Comments »

Server Configuration for Solaris JumpStart Software

Friday, March 19th, 2010

The Solaris 9 Operating System offers an automatic installation process, Solaris JumpStart software. The Solaris JumpStart procedure enables you to install the Solaris OS automatically and configure it differently, depending on the characteristics of client systems. These identifying characteristics are used to select the correct configuration for each client system.
The following tasks are required to configure a single JumpStart server to provide basic software installation services using the JumpStart procedures:
1. Spool the operating system image.
2. Edit the sysidcfg file.
3. Edit the profile and rules.
4. Run the check script.
5. Run the add_install_client script.
6. Boot the client.

Step #1
To spool the Solaris 9 boot and installation images to a local disk, complete the following steps:
Create a directory with at least 800 Mbytes of space available to hold the Solaris OS image. Usually the /export/install directory is used.
# mkdir /export/install
Insert the Solaris 9 Software 1 of 2 CD-ROM in the CD-ROM drive or the Solaris 9 DVD in the DVD drive.
Change the directory to the location of the setup_install_server script.
# cd /cdrom/cdrom0/s0/Solaris_9/Tools
Run the setup_install_server script to copy the Solaris 9 OS installation images to the local disk.
#./setup_install_server /export/install
When the setup_install_server script finishes, change the directory to root (/), and eject the CD-ROM or DVD.
#cd /
#eject cdrom
If you use CD-ROM media, insert the Solaris 9 Software 2 of 2 CD-ROM in the CD-ROM drive.
Change the directory to the location of the add_to_install_server script.
# cd /cdrom/cdrom0/Solaris_9/Tools
Run the add_to_install_server script to copy the remainder of the installation image to the local disk.
#./add_to_install_server /export/install
When add_to_install_server finishes, change the directory to root (/), and eject the CD-ROM.
# cd /
# eject cdrom

Step #2
The sysidcfg file keeps the various types of system information such as locale, time_zone, and so on, and supplies the information to the client at the booting time.
Create a directory to hold the sysidcfg file. Typically the /export/config directory holds the sysidcfg file.
# mkdir /export/config
Change the directory to /export/config, and create a file called sysidcfg using a text editor.
# cd /export/config
# vi sysidcfg
In the sysidcfg file, add the following lines. Substitute values that are appropriate for your systems, location, and network.
network-interface=primary {protocol-ipv6=no
netmask=255.255.255.0}

security_policy=none
name_service=none
time_zone=US/Mountain
system_locale=en_us
Save the sysidcfg file, and exit your edit session.

Step #3
a. Rules
Create a directory to hold the rules file if this directory does not already exist. Usually, the /export/config directory holds the rules file.
# mkdir /export/config
Change the directory to /export/config, and create a file called rules using a text editor.
# cd /export/config
# vi rules
In the rules file, add the following line:
hostname client_name – profile1 -
For client_name, substitute the name of your JumpStart client. For example:
hostname sun1 - profile -
Save the rules file, and exit your edit session.
b. Profiles
Usually, the /export/config directory holds the profile file.
Change the directory to /export/config, and create a file called profile using a text editor.
# cd /export/config

# vi profile1
Add the following lines to the profile1 file:
install_type initial_install
system_type standalone
partitioning explicit
filesys c0t0d0s0 free /
filesys c0t0d0s1 128 swap
cluster SUNWCXall
Save the profile1 file, and exit your edit session.

Step #4
Before a JumpStart client can use a configuration provided by a JumpStart server, you must run the check script to produce a file called rules.ok. The check script validates the syntax of the rules file and the profile files. If the validation completes successfully, the check script creates the rules.ok file.
Change the directory to the location of the check script.
# cd /export/install/Solaris_9/Misc/JumpStart_sample
Copy the check script to the /export/config directory.
# cp check /export/config
Change the directory to /export/config, and run the check script.
# cd /export/config
#./check
Validating rules…
Validating profile profile1…
The custom JumpStart configuration is ok.

Step #5
a. Add a host entry.
Edit the /etc/ethers file, and add an entry for the JumpStart client.
#vi /etc/ethers

00-C0-26-84-34-A1 sun1
Save and exit from the ethers file.
Edit the /etc/inet/hosts file, and add an entry for the JumpStart client.
#vi /etc/inet/hosts

192.168.1.1 sun1
Save and exit from the hosts file.
b. Add a client.
Change the directory to the location of the add_install_client script on the server.
# cd /export/install/Solaris_9/Tools
Run the add_install_client script, and specify server and client information as follows. (Note: The following line of code should all be entered on one line.)
#./add_install_client -c server_name:/export/config \
-p server_name:/export/config client_name platform_group
For example:
#./add-install-client -c sun:/export/config -p sun:/export/config sun1 sun4u
Edit the /etc/dfs/dfstab file to add the following line:
#vi /etc/dfs/dfstab

share -F nfs -o ro, anon=0 /export/install

share -F nfs -o ro, anon=0 /export/config
Save and exit from the dfstab file.
Run the shareall command to share the /export/config and /export/install directories.
#shareall
Verify that the /export/config and /export/install directories are currently shared.
#share

Step #6
Booting the JumpStart Client
After the JumpStart server has been configured to provide all of the required services, you can initiate the installation process on the JumpStart client. To boot the JumpStart client, perform the following steps:
a. Bring the JumpStart client to run state 0.
# init 0
b. Boot the client to initiate the software installation using the JumpStart procedure.
ok boot net – install

Tags:
Posted in Solaris | No Comments »

Solaris SPARC Boot Sequence

Friday, March 19th, 2010

The following represents a summary of the boot process for a Solaris 2.x system on Sparc hardware.
Power On: Depending on the system involved, you may see some output on a serial terminal immediately after power on. This may take the form of a Hardware Power ON message on a large Enterprise server, or a “‘” or “,” in the case of an older Ultra system. These indications will not be present on a monitor connected directly to the server.
POST: If the PROM diag-switch? parameter is set to true, output from the POST (Power On Self Test) will be viewable on a serial terminal. The PROM diag-level parameter determines the extent of the POST tests. (See the Hardware Diagnostics page for more information on these settings.) If a serial terminal is not connected, a prtdiag -v will show the results of the POST once the system has booted. If a keyboard is connected, it will beep and the keyboard lights will flash during POST. If the POST fails, an error indication may be displayed following the failure.
Init System: The “Init System” process can be broken down into several discrete parts:
• OBP: If diag-switch? is set, an Entering OBP message will be seen on a serial terminal. The MMU (memory management unit) is enabled.
• NVRAM: If use-nvramrc? is set to true, read the NVRAMRC. This may contain information about boot devices, especially where the boot disk has been encapsulated with VxVM or DiskSuite.
• Probe All: This includes checking for SCSI or other disk drives and devices.
• Install Console: At this point, a directly connected monitor and keyboard will become active, or the serial port will become the system console access. If a keyboard is connected to the system, the lights will flash again during this step.
• Banner: The PROM banner will be displayed. This banner includes a logo, system type, PROM revision level, the ethernet address, and the hostid.
• Create Device Tree: The hardware device tree will be built. This device tree can be explored using PROM monitor commands at the ok> prompt, or by using prtconf once the system has been booted.
Extended Diagnostics: If diag-switch? and diag-level are set, additional diagnostics will appear on the system console.
auto-boot?: If the auto-boot? PROM parameter is set, the boot process will begin. Otherwise, the system will drop to the ok> PROM monitor prompt, or (if sunmon-compat? and security-mode are set) the > security prompt.
The boot process will use the boot-device and boot-file PROM parameters unless diag-switch? is set. In this case, the boot process will use the diag-device and diag-file.
bootblk: The OBP (Open Boot PROM) program loads the bootblk primary boot program from the boot-device (or diag-device, if diag-switch? is set). If the bootblk is not present or needs to be regenerated, it can be installed by running the installboot command after booting from a CDROM or the network. A copy of the bootblk is available at /usr/platform/`arch -k`/lib/fs/ufs/bootblk
ufsboot: The secondary boot program, /platform/`arch -k`/ufsboot is run. This program loads the kernel core image files. If this file is corrupted or missing, a bootblk: can’t find the boot program or similar error message will be returned.
kernel: The kernel is loaded and run. For 32-bit Solaris systems, the relevant files are:
• /platform/`arch -k`/kernel/unix
• /kernel/genunix
For 64-bit Solaris systems, the files are:
• /platform/`arch -k`/kernel/sparcV9/unix
• /kernel/genunix
As part of the kernel loading process, the kernel banner is displayed to the screen. This includes the kernel version number (including patch level, if appropriate) and the copyright notice.
The kernel initializes itself and begins loading modules, reading the files with the ufsboot program until it has loaded enough modules to mount the root filesystem itself. At that point, ufsboot is unmapped and the kernel uses its own drivers. If the system complains about not being able to write to the root filesystem, it is stuck in this part of the boot process.
The boot -a command singlesteps through this portion of the boot process. This can be a useful diagnostic procedure if the kernel is not loading properly.
/etc/system: The /etc/system file is read by the kernel, and the system parameters are set.
The following types of customization are available in the /etc/system file:
• moddir: Changes path of kernel modules.
• forceload: Forces loading of a kernel module.
• exclude: Excludes a particular kernel module.
• rootfs: Specify the system type for the root file system. (ufs is the default.)
• rootdev: Specify the physical device path for root.
• set: Set the value of a tuneable system parameter.
If the /etc/system file is edited, it is strongly recommended that a copy of the working file be made to a well-known location. In the event that the new /etc/system file renders the system unbootable, it might be possible to bring the system up with a boot -a command that specifies the old file. If this has not been done, the system may need to be booted from CD or network so that the file can be mounted and edited.
kernel initialized: The kernel creates PID 0 ( sched). The sched process is sometimes called the “swapper.”
init: The kernel starts PID 1 (init).
init: The init process reads the /etc/inittab and /etc/default/init and follows the instructions in those files.
Some of the entries in the /etc/inittab are:
• fs: sysinit (usually /etc/rcS)
• is: default init level (usually 3, sometimes 2)
• s#: script associated with a run level (usually /sbin/rc#)
rc scripts: The rc scripts execute the files in the /etc/rc#.d directories. They are run by the /sbin/rc# scripts, each of which corresponds to a run level.

Tags:
Posted in Solaris | No Comments »

Moving populated disks out of rootdg or moving rootdg to another system

Friday, March 19th, 2010

First, moving populated disks between diskgroups.
Get a list of disks in the diskgroup that you intend to move the populated disks out of.
# vxdisk list | grep rootdg

Get the configuration of the diskgroup.
# vxprint -ht -g rootdg

Determine which disks contain the volumes that are to be moved.

Save the configuration of the desired volumes in a format that can be used later by vxmake to recreate the volumes. Specify all volumes on the disks in question, plus any unassociated plexes and their child subdisks, plus any unassociated subdisks.
# vxprint -hmQq -g rootdg vol01 vol02 vol03 > /tmp/volinfo

Unmount the appropriate filesystems, and/or stop any processes holding the volumes open.

Stop all the volumes.
# vxvol -g rootdg stop vol01 vol02 vol03

Remove from the configuration database the definitions of the structures ( (volumes, plexes, subdisks) to be moved. NOTE that this does not affect your data.
# vxedit -g rootdg -r rm vol01 vol02 vol03

Remove the disks from the original diskgroup.
# vxdg -g roodg rmdisk rootdg01 rootdg02 rootdg03 rootdg04

If you are moving the disks to a preexisting diskgroup, SKIP THIS STEP. If not, initialize the diskgroup using one of your disks. It is simplest to keep the old disk names until a later step.
# vxdg init newdg rootdg01=c1t2d0s2

Add the disks to their new disk group. It is simplest to keep the old disk names until a later step.
# vxdg -g newdg adddisk rootdg02 rootdg03 rootdg04

Verify that the disks are in their new diskgroup.
# vxdisk list | grep newdg

Reload the object configuration into the new diskgroup.
# vxmake -g newdg -d /tmp/volinfo

Verify the configuration of the new diskgroup.
# vxprint -ht -g newdg

Test your data.

Second, moving rootdg between systems.

Get the diskgroup ID (dgid) of rootdg from the old host.
# vxdisk -s list
(example)

Disk: c1t5d0s2type: slicedflags: online ready private autoconfig autoimport importeddiskid: 824180434.4523.csclust2dgname: rootdgdgid: 824180442.4528.csclust2hostid: csclust1 Disk: c1t9d0s2type: slicedflags: online ready private autoconfig autoimport importeddiskid: 824180440.4525.csclust2dgname: rootdgdgid: 824180442.4528.csclust2hostid: csclust1 Disk: c1t13d0s2type: slicedflags: online ready private autoconfig autoimport importeddiskid: 830532975.3418.csclust1dgname: rootdgdgid: 824180442.4528.csclust2hostid: csclust1

Shutdown the old host, remove the disks, and connect the disks to the new host.

Import the diskgroup with its new name, assigning ownership of the diskgroup to the new host, using the dgid for the diskgroup name.
# vxdg -C -n newdg import 824180442.4528.csclust2

Perform the necessary steps to make the new host and VxVM recognize the new disks. I.e. perform the steps necessary to make the OS see the disks, and then perform a ‘vxdctl enable’ to restart vxconfigd so that VxVM also recognizes the disks.

Start all volumes in the diskgroup.
# vxrecover -g newdg -sb

Tags: , , ,
Posted in Solaris, Veritas | No Comments »

zone migration

Monday, January 25th, 2010

Procedure to do a zone migration.
——————————————-

Actions on nodeA

create a pool called pool1 with some disk in it on NodeA

NodeA# zpool import pool1
NodeA# zfs create zones/labzone3 /zones/labzone3
NodeA# chmod 700 /zones/labzone3
NodeA# zonecfg -z labzone3
>create
>set zonepath /labzone3
>set autoboot=true
>set pool=pool_default
>add net
net:set physical=eri0
net:set address=10.45.13.202
net:end
>verify
>commit
>exit
NodeA# zoneadm -z labzone3 intall ( this takes about 20 Minutes)
NodeA# zoneadm -z labzone3 ready
NodeA# zoneadm -z labzone3 boot
NodeA# zlogin -C labzone3
labzone3# df -k
labzone3# init 0
NodeA# zonecfg -z labzone3 export -f /tmp/labzone3.cfg
NodeA# umount /zones/labzone3
NodeA# zpool export pool1

Actions on nodeB

NodeB# mkdir -p -m 700 /zones/labzone3
NodeB# zpool import pool1
….successfull
NodeB# zpool iostat
NodeB# zpool ls
NodeB# mount -F zfs pool1/labzone3 /zones/labzone3
NodeB# scp NodeA:/tmp/labzone3.cfg /tmp/labzone3.cfg
NodeB# zonecfgadm -z labzone3 -f /tmp/labzone3.cfg

NodeB# vi /etc/zones/index
change here configured into installed
NodeB#zoneadm -list -i
NodeB#ftp NodeA
get> /etc/zones/labzone3.xml
to> /etc/zones/labzone3.xml
NodeB#zoneadm -z labzone3 boot

zone boot successfullly on NodeB

Tags: , ,
Posted in Solaris | No Comments »

Zone Configuration in step

Monday, January 25th, 2010

Here is a short guide to creating zones with Solaris Containers technology, with examples using Solaris Volume Manager and an Oracle database. It’s easy to modify these steps and add more file systems into the script.

Notes: In this example, I make only one instance or zone, called zone1. I used Solaris Volume Manager in Steps 2 and 3, and I tested this on Oracle 10.1 and 10.2.

1. Format the hard disk into slice 0.

2. Make the meta devices. For example, I have three SAN disks, and I want to make a meta device with the three disks concatenated. (Note: Please type the command all on one line.)

# metainit d60 3 1 c2t50060E800456EE02d0s0 1 c2t50060E800456EE02d1s0
1 c2t50060E800456EE02d2s0
d60: Concat/Stripe is setup
3. Make the soft partitions:

# metainit d61 -p d60 6g
d61: Soft Partition is setup
# metainit d62 -p d60 10g
d62: Soft Partition is setup
# metainit d63 -p d60 30g
d63: Soft Partition is setup
#
4. Create the file systems:

# newfs /dev/md/rdsk/d61
newfs: construct a new file system /dev/md/rdsk/d61: (y/n)? y
# newfs /dev/md/rdsk/d62
newfs: construct a new file system /dev/md/rdsk/d62: (y/n)? y
# newfs /dev/md/rdsk/d63
newfs: construct a new file system /dev/md/rdsk/d63: (y/n)? y
#
5. Create the mount point for the root file system (/ fs) and /u00 and /u01 for the Oracle database.

mkdir -p /export/zone1
mkdir /u00
mkdir /u01
mount /export/zone1
6. Execute the following script, which is shown in its entirety after Step 11.

zonecfg -z zone1 -f /usr/scripts/make.zone1.ksh

# zoneadm list -cv
ID NAME STATUS PATH
0 global running /
– zone1 configured /export/zone1
# chmod 700 /export/zone1
7. Install zone1:

# zoneadm -z zone1 install
Preparing to install zone .
Checking file system on device
to be mounted at
Checking file system on device
to be mounted at
Creating list of files to copy from the global zone.
Copying <124550> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <1021> packages on the zone.
Initializing package <49> of <1021>: percent complete: 4%
8. Run the following command to get the zone state:

# zoneadm list -cv
ID NAME STATUS PATH
0 global running /
– zone1 installed /export/zone1
9. Transition the zone to the ready state by running the following command:

# zoneadm -z zone1 ready
10. Use the following command to get the zone state:

# zoneadm list -cv
ID NAME STATUS PATH
0 global running /
1 zone1 ready /export/zone1
11. Boot the zone:

# zoneadm -z zone1 boot
The script to be executed is /usr/scripts/make.zone1.ksh, and here are the details:

create -b
set zonepath=/export/zone1
set autoboot=true
add fs
set dir=/u00
set special=/dev/md/dsk/d62
set raw=/dev/md/rdsk/d62
set type=ufs
end
add fs
set dir=/u01
set special=/dev/md/dsk/d63
set raw=/dev/md/rdsk/d63
set type=ufs
end
add net
set address=10.11.33.144
set physical=ce2
end

Tags: ,
Posted in Solaris | No Comments »

IPMP with single interface

Monday, January 25th, 2010

• For IPv4, create the single interface IPMP group.
Use the following syntax to assign the single interface to an IPMP group.

# ifconfig interface group group-name
The following example assigns the interface hme0 into the IPMP group v4test:

# ifconfig hme0 group v4test
After this step is performed, IPMP enables link-based failure detection on the interface.
In addition, you can also use the -failover subcommand of the ifconfig command to enable probe-based failure detection. The following example enables probe-based failure detection on hme0 by using the IP address currently assigned to hme0:

# ifconfig hme0 -failover
Note that unlike multiple-interface groups, the same IP address can act as both a data address and a test address. To enable applications to use the test address as a data address, test addresses must never be marked deprecated on single-interface IPMP groups.
• For IPv6, create the single interface IPMP group.
Use the following syntax to assign a single interface to an IPMP group:

# ifconfig interface inet6 group group-name
For example, to add the single interface hme0 into the IPMP group v6test, type the following:

# ifconfig hme0 inet6 group v6test
After this step is performed, IPMP enables link-based failure detection on the interface.
In addition, you can also use the -failover subcommand of the ifconfig command to enable probe-based failure detection. The following example enables probe-based failure detection on hme0 by using the IP address currently assigned to hme0:

# ifconfig hme0 inet6 -failover
Note that unlike multiple-interface groups, the same IP address can act as both a data address and a test address. To enable applications to use the test address as a data address, test addresses must never be marked deprecated on single-interface IPMP groups.
In a single physical interface configuration, you cannot verify whether the target system that is being probed has failed or whether the interface has failed. The target system can be probed through only one physical interface. If only one default router is on the subnet, turn off IPMP if a single physical interface is in the group. If a separate IPv4 and IPv6 default router exists, or multiple default routers exist, more than one target system needs to be probed. Hence, you can safely turn on IPMP.

Tags: ,
Posted in Solaris | No Comments »

Zone Configuration in the Solaris 10 OS

Thursday, December 24th, 2009

Here is a short guide to creating zones with Solaris Containers technology, with examples using Solaris Volume Manager and an Oracle database. It’s easy to modify these steps and add more file systems into the script.
Notes: In this example, I make only one instance or zone, called zone1. I used Solaris Volume Manager in Steps 2 and 3, and I tested this on Oracle 10.1 and 10.2.
1. Format the hard disk into slice 0.
2. Make the meta devices. For example, I have three SAN disks, and I want to make a meta device with the three disks concatenated. (Note: Please type the command all on one line.)
# metainit d60 3 1 c2t50060E800456EE02d0s0 1 c2t50060E800456EE02d1s0
1 c2t50060E800456EE02d2s0
d60: Concat/Stripe is setup
3. Make the soft partitions:
# metainit d61 -p d60 6g
d61: Soft Partition is setup
# metainit d62 -p d60 10g
d62: Soft Partition is setup
# metainit d63 -p d60 30g
d63: Soft Partition is setup
#
4. Create the file systems:
# newfs /dev/md/rdsk/d61
newfs: construct a new file system /dev/md/rdsk/d61: (y/n)? y
# newfs /dev/md/rdsk/d62
newfs: construct a new file system /dev/md/rdsk/d62: (y/n)? y
# newfs /dev/md/rdsk/d63
newfs: construct a new file system /dev/md/rdsk/d63: (y/n)? y
#
5. Create the mount point for the root file system (/ fs) and /u00 and /u01 for the Oracle database.

mkdir -p /export/zone1
mkdir /u00
mkdir /u01
mount /export/zone1
6. Execute the following script, which is shown in its entirety after Step 11.
zonecfg -z zone1 -f /usr/scripts/make.zone1.ksh

# zoneadm list -cv
ID NAME STATUS PATH
0 global running /
– zone1 configured /export/zone1
# chmod 700 /export/zone1
7. Install zone1:
# zoneadm -z zone1 install
Preparing to install zone .
Checking file system on device
to be mounted at
Checking file system on device
to be mounted at
Creating list of files to copy from the global zone.
Copying <124550> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <1021> packages on the zone.
Initializing package <49> of <1021>: percent complete: 4%
8. Run the following command to get the zone state:
# zoneadm list -cv
ID NAME STATUS PATH
0 global running /
– zone1 installed /export/zone1
9. Transition the zone to the ready state by running the following command:
# zoneadm -z zone1 ready
10. Use the following command to get the zone state:
# zoneadm list -cv
ID NAME STATUS PATH
0 global running /
1 zone1 ready /export/zone1
11. Boot the zone:
# zoneadm -z zone1 boot
The script to be executed is /usr/scripts/make.zone1.ksh, and here are the details:
create -b
set zonepath=/export/zone1
set autoboot=true
add fs
set dir=/u00
set special=/dev/md/dsk/d62
set raw=/dev/md/rdsk/d62
set type=ufs
end
add fs
set dir=/u01
set special=/dev/md/dsk/d63
set raw=/dev/md/rdsk/d63
set type=ufs
end
add net
set address=10.11.33.144
set physical=ce2
end

Posted in Solaris | No Comments »