Oracle Solaris 11 Advanced System Administration Ed 3 (Activity Guide)
Unauthorized reproduction or distribution prohibited. Copyright © 2014, Oracle and/or its affiliates.

Oracle Solaris 11 Advanced System Administration
Activity Guide

D72965GC30
Edition 3.0
March 2013
D81025

Copyright © 2013, Oracle and/or its affiliates. All rights reserved.

Author
Vijetha M Malkai

Technical Contributors and Reviewers
Tammy Shannon
Anies Rahman
Rosemary Martinak

Editors
Malavika Jinka
Aju Kumar
Smita Kommini

Graphic Designer
Seema Bopaiah

Publishers
Jayanthy Keshavamurthy
Veena Narasimhan

Disclaimer

This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.

The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Restricted Rights Notice

If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS
The U.S. Government’s rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Table of Contents

Practices for Lesson 1: Introduction
  Practices Overview for Lesson 1
Practices for Lesson 2: Managing the Image Packaging System (IPS) and Packages
  Practice Overview for Lesson 2
  Practice 2-1: Configuring a Local IPS Package Repository
  Practice 2-2: Configuring a Network Client to Access the Local IPS Server
  Practice 2-3: Managing Multiple Boot Environments
Practices for Lesson 3: Installing Oracle Solaris 11 on Multiple Hosts
  Practice Overview for Lesson 3
  Practice 3-1: Verifying the System AI Requirements (Optional)
  Practice 3-2: Configuring the AI Server
  Practice 3-3: Deploying the OS on the Network Client
Practices for Lesson 4: Managing Business Application Data
  Practice Overview for Lesson 4
  Practice 4-1: Managing Data Redundancy with a ZFS Mirrored Pool
  Practice 4-2: Using ZFS Snapshots for Backup and Recovery
  Practice 4-3: Using a ZFS Clone
  Practice 4-4: Configuring ZFS Properties
  Practice 4-5: Troubleshooting ZFS Failures
Practices for Lesson 5: Configuring Network and Traffic Failover
  Practice Overview for Lesson 5
  Practice 5-1: Managing a Reactive Network Configuration
  Practice 5-2: Configuring the Network File System
  Practice 5-3: Configuring a Link Aggregation
  Practice 5-4: Configuring IPMP
Practices for Lesson 6: Configuring Zones and the Virtual Network
  Practice Overview for Lesson 6
  Practice 6-1: Creating an Oracle Solaris 11.1 Virtual Network
  Practice 6-2: Creating Two Zones by Using VNICs
  Practice 6-3: Allocating Resources to Zones
  Practice 6-4: Managing the Virtual Network Data Flow
  Practice 6-5: Removing Part of the Virtual Network
Practices for Lesson 7: Managing Services and Service Properties
  Practice Overview for Lesson 7
  Practice 7-1: Configuring SMF Services
  Practice 7-2: Working with Service Profiles
  Practice 7-3: Restoring and Recovering a Service
Practices for Lesson 8: Configuring Privileges and Role Based Access Control
  Practice Overview for Lesson 8
  Practice 8-1: Delegating Privileges to Users and Processes
  Practice 8-2: Configuring Role-Based Access Control
Practices for Lesson 9: Securing System Resources Using Solaris Auditing
  Practice Overview for Lesson 9
  Practice 9-1: Configuring and Administering Oracle Solaris Auditing
  Practice 9-2: Managing Audit Records on Local Systems
Practices for Lesson 10: Managing Processes and Priorities
  Practice Overview for Lesson 10
  Practice 10-1: Modifying Process Scheduling Priority
  Practice 10-2: Configuring the FSS in an Oracle Solaris Zone
Practices for Lesson 11: Evaluating System Resources
  Practice Overview for Lesson 11
  Practice 11-1: Managing Resource Controls in Global and Non-Global Zones
  Practice 11-2: Evaluating System Performance Levels
Practices for Lesson 12: Monitoring and Troubleshooting Software Failures
  Practice Overview for Lesson 12
  Practice 12-1: Setting Up System Messaging
  Practice 12-2: Configuring System and Application Crash Facilities

Practices for Lesson 1: Introduction
Chapter 1

Practices Overview for Lesson 1

Practices Overview

This practice introduces you to the project assignment that you will be using throughout this course and to your virtual lab environment. The project assignment is divided into multiple phases, which are presented in the checklist in Figure 1. The checklist items are synchronized with the lesson topics.

Project Assignment

Your organization, Delicious Treats Company, is in the business of selling chocolate products online locally and globally. In the United States, the company’s order, product, and customer information is stored on 350 servers that are strategically located in various states. Out of these 350 servers, 250 servers are Oracle Solaris x86/64 machines, for instance, Ultra 20s. Currently, the Oracle Solaris servers are running Oracle Solaris 10 or Solaris 9. According to the service-level agreements (SLAs), the business applications on these servers must be up 98% of the time.

The company learned that Oracle has launched Oracle Solaris 11.1, which contains many resource-saving features. The company is convinced that it can use Oracle Solaris 11.1 to its benefit. Therefore, it has issued the directive to upgrade all Oracle Solaris machines to Oracle Solaris 11.1.
As part of the Server Implementation team, you will install and configure Solaris 11.1 on 10 machines on a test basis. This will help you to explore Oracle Solaris 11.1 and prepare you to administer business applications and the operating system.

Your senior system administrator has developed a predeployment test plan that consists of a checklist of tasks to be performed (see Figure 1). As you progress through each lesson in the course, you will implement the assigned tasks and report the results to your senior system administrator.

√  Oracle Solaris 11.1 Predeployment Checklist
   Managing the Image Packaging System (IPS) and Packages
   Installing Oracle Solaris 11.1 on Multiple Hosts
   Managing the Business Application Data
   Configuring Network and Traffic Failover
   Configuring Zones and the Virtual Network
   Managing Services and Service Properties
   Configuring Privileges and Role-Based Access Control
   Securing System Resources by Using Oracle Solaris Auditing
   Managing Processes and Priorities
   Evaluating the System Resources
   Monitoring and Troubleshooting System Failures

Figure 1: Oracle Solaris 11.1 Predeployment Checklist

Practices Infrastructure

This section presents an architectural view of the equipment and the platforms for the practices.

Multiple virtual machines (VMs) are configured on a private internal network (192.168.0). Each VM can communicate with other VMs only on the same private network (see Figure 2). The VMs are configured to communicate with the host machine only through the share directory. Internet access is not configured from these VMs.

Figure 2: Virtual Pod Network Schematic

Your lab environment is based on the Oracle VM VirtualBox virtualization software. The VirtualBox is a cross-platform virtualization application. Figure 3 shows the configured virtual machines. The Oracle Solaris 11.1 OS is installed in the virtual machines with the exception of Sol11-Client1, which is an empty VM.

Figure 3: Oracle VirtualBox Virtual Machines

All the VMs are configured with 2 GB of memory. Most of the host machines have a total of 8 GB to work with.

All the student files are located in /opt/ora/scripts. This directory contains mostly scripts that you may be directed to use to establish the start or end state of a particular practice.

The following list briefly describes the virtual machines:
• Sol11-Server1: This VM provides network services, such as DNS, DHCP, and IPS that are used by other VMs in this virtual network. This VM should always be up and running. You use the command-line tools here.
• Sol11-Desktop: This is a general purpose user machine with the GUI and other features normally available on a network client machine. Most of the facilities available in Sol11-Server1 are available in this VM.
• Sol11-Client1: This is the VM for Oracle Solaris 11.1 installation that uses Automated Install mode. After performing the practice, switch off this VM. It will not be needed for any other practice.
Logging In to the Practice Environment

When you first log in to the practice environment, you are prompted to provide a login and password for the host system:
• Userid: root
• Password: oracle

After you have gained access to the host system, the user account and password for each virtual machine is:
• User account: oracle
• Password: oracle1
• Administrator privileges: As the oracle user, use su - to switch to the primary administrator (root) role. The password is oracle1.

The oracle user switches to root because root is configured as a role by default. The first username created on the system (during the OS installation) is the initial privileged user who can assume the administrator role. This can be verified in the /etc/user_attr file.

Note: The Sol11-Server1 virtual machine must be started before any additional virtual machines are started. The Sol11-Server1 must always be running to perform the practices in this guide.

Task: Becoming Familiar with Your Practice Environment

1. On your host system, start the Oracle VM VirtualBox Manager by double-clicking its icon on your desktop.

2. In the Oracle VM VirtualBox Manager window, double-click the Sol11-Server1 virtual machine to start it. Alternatively, you can simply select the Sol11-Server1 VM and click the Start button.

3. After the Sol11-Server1 VM is powered on, at the command prompt, log in as the user oracle with the password oracle1.

    s11-server1 console login: oracle
    Password: oracle1
    Last Login: Mon Nov 12 03:59:49 on console
    Oracle Corporation SunOS 5.11 11.1 September 2012
    oracle@s11-server1:~$
    oracle@s11-server1:~$ su -
    Password: oracle1
    ...
    root@s11-server1:~#

4. Start the Sol11-Desktop. When the Username login screen appears, enter oracle for the username and click the Log In button.

   Note: It might take a few minutes for the Username login screen to appear.

5. When the password login screen appears, enter the password oracle1 and click the Log In button.

6. Open a terminal window by right-clicking on the desktop and selecting Open Terminal. In the terminal window, run the su - command to assume the administrator privileges. The password is oracle1.

    oracle@s11-desktop:~$ su -
    Password: oracle1
    Oracle Corporation SunOS 5.11 11.1 September 2012
    root@s11-desktop:~#

7. At times, you may need to power off a VM and close its window. You may also need to shut down a VM to comply with the maximum recommended number of VMs running simultaneously, which is currently limited to three VMs. Now, practice shutting down a VM by using the Sol11-Desktop VM. To shut down the VM, click the “close” button (x) in the top-right corner of the VM window.
8. When the Close Virtual Machine dialog box appears, select “Power off the machine” and click OK.

   Note: You can verify that the VM is shut down by checking the status that appears under the VM’s name in the Oracle VM VirtualBox Manager. The status for the Sol11-Desktop should be “Powered Off.” The status for the Sol11-Server1 should be “Running.”

Practices for Lesson 2: Managing the Image Packaging System (IPS) and Packages
Chapter 2

Practice Overview for Lesson 2

Practices Overview

After installing a new OS, it is a common practice to ensure that you have the IPS Package Repository set up on a local server. In these practices, you will set up a local repository on S11-Server1 and configure a network client to access the repository.

When you install critical software updates, for example, packages updating Solaris kernel facilities, creating another boot environment (BE) is very useful. In case the new package corrupts your system, you can revert to the previous boot environment.
So, you can consider the original BE to be more like a backup environment. In the following practices, you will create a backup BE, install the diffstat package, and work with multiple BEs.

The key areas covered in this practice are:
• Configuring a local IPS package repository
• Configuring a network client to access IPS
• Managing boot environments

Note: Your command output displays may be different than the displays in the practices, especially storage units, process IDs, and related content.

The following checklist shows your progress. Currently, you are about to look into the IPS functionality.

√  Oracle Solaris 11.1 Predeployment Checklist
   Managing the Image Packaging System (IPS) and Packages
   Installing Oracle Solaris 11.1 on Multiple Hosts
   Managing Business Application Data
   Configuring Network and Traffic Failover
   Configuring Zones and the Virtual Network
   Managing Services and Service Properties
   Configuring Privileges and Role-Based Access Control
   Securing System Resources by Using Solaris Auditing
   Managing Processes and Priorities
   Evaluating System Resources
   Monitoring and Troubleshooting System Failures

Practice 2-1: Configuring a Local IPS Package Repository

Overview

You will recall from the lecture that when you install or upgrade to the Oracle Solaris 11 release, the system initially has one publisher configured: the solaris publisher. In your lab environment, your virtual machine client cannot access the default publisher URL to download the IPS package repository.
So your first task is to create your local package repository and make it the default so that the network client can be serviced by IPS.

Tasks

1. Verify that the Sol11-Server1 virtual machine is running.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use the password oracle1.

3. Run the su command to assume administrator privileges.

    oracle@s11-server1:~$ su -
    Password: oracle1
    Oracle Corporation SunOS 5.11 11.1 September 2012
    root@s11-server1:~#

4. Determine the host name and domain of this server.

    root@s11-server1:~# hostname
    s11-server1
    root@s11-server1:~# domainname
    mydomain.com

5. Verify that this server can access DNS services.

    root@s11-server1:~# nslookup s11-server1
    Server:   192.168.0.100
    Address:  192.168.0.100#53

    Name:     s11-server1.mydomain.com
    Address:  192.168.0.100

6. Verify that the /export/IPS file system has been configured on the system.

    root@s11-server1:~# zpool list
    NAME   SIZE   ALLOC  FREE   CAP  DEDUP  HEALTH  ALTROOT
    rpool  31.8G  9.87G  21.9G  31%  1.00x  ONLINE
    root@s11-server1:~# zfs list
    NAME                        USED   AVAIL  REFER  MOUNTPOINT
    rpool                       9.94G  21.3G  39K    /rpool
    rpool/ROOT                  2.13G  21.3G  31K    legacy
    rpool/ROOT/solaris          2.13G  21.3G  1.58G  /
    rpool/ROOT/solaris/var      507M   21.3G  505M   /var
    rpool/dump                  1.03G  21.3G  1.00G
    rpool/export                5.74G  21.3G  33K    /export
    rpool/export/IPS            5.74G  21.3G  5.74G  /export/IPS
    rpool/export/home           212K   21.3G  37K    /export/home
    rpool/export/home/jholt     35.5K  21.3G  35.5K  /export/home/jholt
    rpool/export/home/jmoose    35.5K  21.3G  35.5K  /export/home/jmoose
    rpool/export/home/oracle    34K    21.3G  34K    /export/home/oracle
    rpool/export/home/panna     35K    21.3G  35K    /export/home/panna
    rpool/export/home/sstudent  35K    21.3G  35K    /export/home/sstudent
    rpool/swap                  1.03G  21.3G  1.00G  -

   Note: Your display may be different for space allocation/usage.

   Normally, a local IPS repository must be manually created on the local server. This involves creating a ZFS file system on the local server for the IPS repository and copying the repository files from the repository ISO image to the local repository.

   The following example shows the steps used to copy the IPS repository from the ISO image to a local ZFS file system. Do not run these commands in this practice. The repository has already been installed on the local server for you.

    # zfs create -o compression=on rpool/export/IPS
    # lofiadm -a sol-11-1111-repo-full.iso
    # mount -F hsfs /dev/lofi/1 /mnt
    # rsync -aP /mnt/repo /export/IPS

   The package repository is very large (approximately 4.4 gigabytes). Depending on the speed of your host machine, the rsync command can take a couple of hours to complete.

7. Assess the current IPS configuration on the Sol11-Server1 system:

    root@s11-server1:~# svcs application/pkg/server
    STATE     STIME     FMRI
    disabled  17:00:56  svc:/application/pkg/server:default
    root@s11-server1:~# svcprop -p pkg/inst_root application/pkg/server
    /var/pkgrepo

   This system is not currently configured as an IPS server (the service is disabled). Note the default location of the IPS repository as determined by the pkg/inst_root property. The /var/pkgrepo directory is not the correct location of your local repository.

8. Determine whether the IPS service is currently available:

    root@s11-server1:~# pkg search entire
    pkg: Some repositories failed to respond appropriately:
    solaris:
    Unable to contact valid package repository
    Encountered the following error(s):
    Unable to contact any configured publishers.
    This is likely a network configuration problem.
    Framework error: code: 6 reason: Couldn't resolve host 'pkg.oracle.com'
    URL: 'http://pkg.oracle.com/solaris/release' (happened 4 times)

   Note: This step will be especially useful on the job because you can see the displayed URL. In the training environment, your publisher URL will point to s11-server1.

   Searching for a package is a quick way of determining whether the IPS service is available. Based on the results shown here, this system has no access to the IPS service.

9. Set the application/pkg/server service pkg/inst_root property to the repository location (/export/IPS/repo).

    root@s11-server1:~# svccfg -s application/pkg/server setprop \
    pkg/inst_root=/export/IPS/repo
    root@s11-server1:~#

10. Set the application/pkg/server service pkg/readonly property to true.

    root@s11-server1:~# svccfg -s application/pkg/server setprop \
    pkg/readonly=true

11. Verify the application/pkg/server service inst_root property.

    root@s11-server1:~# svcprop -p pkg/inst_root \
    application/pkg/server
    /export/IPS/repo

12. Refresh the application/pkg/server service.

    root@s11-server1:~# svcadm refresh application/pkg/server

13. Enable the application/pkg/server service.

    root@s11-server1:~# svcadm enable application/pkg/server

14. Verify that the application/pkg/server service is enabled.

    root@s11-server1:~# svcs application/pkg/server
    STATE   STIME     FMRI
    online  17:00:56  svc:/application/pkg/server:default

15. Use the pkgrepo refresh command to refresh the package repository.

    root@s11-server1:~# pkgrepo refresh -s /export/IPS/repo
    Initiating repository refresh.

   When you create a new package repository, you must refresh the repository catalog so that the package search operations will work correctly. This may take several minutes to complete.

16. List the current package publishers.

    root@s11-server1:~# pkg publisher
    PUBLISHER  TYPE    STATUS  P  LOCATION
    solaris    origin  online  F  http://pkg.oracle.com/solaris/release/

   The command output shows the current publisher. A publisher is a forward domain name that identifies a person, group of persons, or an organization that publishes one or more packages. The repository type origin is the location of the package repository that contains both package metadata (package manifests and catalogs) and package content (package files). The default publisher URI is http://pkg.oracle.com/solaris/release/.

17. Remove the current publisher URI (http://pkg.oracle.com/solaris/release) and add a new URI (http://s11-server1.mydomain.com) to the publisher name solaris. Show the results.

    root@s11-server1:~# pkg set-publisher -G '*' -g \
    http://s11-server1.mydomain.com/ solaris
    root@s11-server1:~# pkg publisher
    PUBLISHER  TYPE    STATUS  URI
    solaris    origin  online  http://s11-server1.mydomain.com

18. Test IPS on the local server by searching for the entire package.

    root@s11-server1:~# pkg search entire
    INDEX     ACTION  VALUE           PACKAGE
    pkg.fmri  set     solaris/entire  pkg:/entire@0.5.11-0.175.0.0.0.2.0

Practice 2-2: Configuring a Network Client to Access the Local IPS Server

Overview

Now that you have a local package repository set up, you must configure the network clients to access the new repository. By default, clients are configured to use the publisher http://pkg.oracle.com/solaris/release/. In this task, you reconfigure the client to access the http://s11-server1.mydomain.com/ package publisher solaris.

Tasks

1. Double-click the Sol11-Desktop icon to launch the Sol11-Desktop virtual machine.

2. Log in to the Sol11-Desktop virtual machine as the oracle user. Use the password oracle1.

3. Right-click the desktop background and open a terminal window.

4. In the terminal window, run the su command to assume primary administrator privileges.

    oracle@s11-desktop:~$ su -
    Password: oracle1
    Oracle Corporation SunOS 5.11 11.1 September 2012
    root@s11-desktop:~#

5. Verify that this client can access DNS services by resolving the IPS server host name.

    root@s11-desktop:~# nslookup s11-server1
    Server:   192.168.0.100
    Address:  192.168.0.100#53

    Name:     s11-server1.mydomain.com
    Address:  192.168.0.100

6. Verify that this client can ping the IPS server.

    root@s11-desktop:~# ping s11-server1
    s11-server1 is alive

7. List the current package publishers. This is what you can expect to see on the job because this is the default origin URL.

    root@s11-desktop:~# pkg publisher
    PUBLISHER  TYPE    STATUS  P  LOCATION
    solaris    origin  online  F  http://pkg.oracle.com/solaris/release/

8. Remove the current publisher URI (http://pkg.oracle.com/solaris/release) and add a new URI (http://s11-server1.mydomain.com) to the publisher name solaris.

    root@s11-desktop:~# pkg set-publisher -G '*' -g \
    http://s11-server1.mydomain.com/ solaris

9. Verify that the publisher is set to http://s11-server1.mydomain.com/.

    root@s11-desktop:~# pkg publisher
    PUBLISHER  TYPE    STATUS  P  LOCATION
    solaris    origin  online  F  http://s11-server1.mydomain.com/

10. Test client access to the IPS server by opening the http://s11-server1.mydomain.com URL in the Firefox browser.

11. Using the package repository browser, search for the entire package.
12. Close the Firefox browser.

13. Close the Sol11-Desktop VM.

Practice 2-3: Managing Multiple Boot Environments

Overview

In this practice, you create a new full BE based on the current BE. The current BE does not have the diffstat package installed. You make the new BE the active boot environment and you update it with the diffstat package. You reboot to the original boot environment to prove that the two BEs are now logically separate. This action is also useful in case the diffstat package is corrupted and you want to revert to the original environment. As part of this practice, you also mount and update an inactive BE. In addition, you create another BE (a copy of the current BE) and a backup copy. This will demonstrate to you how to manage multiple BEs on the system.

To run this practice, you must be logged in to the Sol11-Server1 virtual machine as the oracle user and have obtained primary administrator privileges. See Practice 2-2 if you need help.

Note: Your display outputs may differ slightly.

Tasks

1. In a terminal window on the Sol11-Server1 virtual machine, list the current BEs.

    root@s11-server1:~# beadm list
    BE      Active Mountpoint Space Policy Created
    --      ------ ---------- ----- ------ -------
    solaris NR     /          2.84G static 2012-11-30 08:47

    The Active field indicates whether the boot environment is active now (N) and active on reboot (R).

2. Clone the current active BE. Name the clone solaris-1.

    root@s11-server1:~# beadm create solaris-1

3. List the current BEs.

    root@s11-server1:~# beadm list
    BE        Active Mountpoint Space  Policy Created
    --        ------ ---------- -----  ------ -------
    solaris   NR     /          2.84G  static 2012-11-30 08:47
    solaris-1 -      -          164.0K static 2012-12-09 07:01

4. Activate the solaris-1 BE. Display the list of BEs. Note that solaris-1 is pending activation on reboot.

    root@s11-server1:~# beadm activate solaris-1
    root@s11-server1:~# beadm list
    BE        Active Mountpoint Space  Policy Created
    --        ------ ---------- -----  ------ -------
    solaris   N      /          469.0K static 2012-11-30 08:47
    solaris-1 R      -          2.84G  static 2012-12-09 07:01

    The activation process will take a short amount of time to store the data in the partition.

5. Reboot the Sol11-Server1 virtual machine.

    root@s11-server1:~# init 6

    Notice that solaris-1 is now the default boot entry in the GRUB menu.

6. After Sol11-Server1 has rebooted, log in as the oracle user and su to root.

7. In a terminal window, list the current BEs.

    root@s11-server1:~# beadm list
    BE        Active Mountpoint Space Policy Created
    --        ------ ---------- ----- ------ -------
    solaris   -      -          4.60M static 2012-11-30 08:47
    solaris-1 NR     /          2.89G static 2012-12-09 07:01

    Note that the solaris-1 image is now active.

8. Verify that the diffstat package is not currently installed on the new active BE.

    root@s11-server1:~# pkg list diffstat
    pkg list: no packages matching 'diffstat' installed

9.
Install the diffstat package on the new active BE.

    root@s11-server1:~# pkg install diffstat
    Creating plan...
               Packages to install:  1
           Create boot environment: No
    Create backup boot environment: No

    DOWNLOAD      PKGS   FILES   XFER (MB)
    Completed      1/1     6/6     0.0/0.0

    PHASE                          ACTIONS
    Install Phase                    24/24

    PHASE                            ITEMS
    Package State Update Phase         1/1
    Image State Update Phase           2/2

10. Activate the solaris BE. Display the list of BEs. Note that solaris is pending activation on reboot.

    root@s11-server1:~# beadm activate solaris
    root@s11-server1:~# beadm list
    BE        Active Mountpoint Space  Policy Created
    --        ------ ---------- -----  ------ -------
    solaris   R      -          2.84G  static 2012-11-30 08:47
    solaris-1 N      /          72.06M static 2012-12-09 07:01

11. Reboot the Sol11-Server1 virtual machine. After Sol11-Server1 has rebooted, log in as the oracle user and su to root.

    root@s11-server1:~# init 6

12. Verify that the solaris image is now active and that the diffstat package is not installed.

    root@s11-server1:~# beadm list
    BE        Active Mountpoint Space  Policy Created
    --        ------ ---------- -----  ------ -------
    solaris   NR     /          2.89G  static 2012-11-30 08:47
    solaris-1 -      -          76.03M static 2012-12-09 07:01
    root@s11-server1:~# pkg list diffstat
    pkg list: no packages matching 'diffstat' installed

13. Mount the inactive BE.

    root@s11-server1:~# mkdir -p /solaris-1
    root@s11-server1:~# beadm mount solaris-1 /solaris-1
    root@s11-server1:~# beadm list
    BE        Active Mountpoint Space  Policy Created
    --        ------ ---------- -----  ------ -------
    solaris   NR     /          2.89G  static 2012-11-30 08:47
    solaris-1 -      /solaris-1 76.03M static 2012-12-09 07:01

14. Verify that the diffstat package is installed in the inactive BE:

    root@s11-server1:~# pkg -R /solaris-1 verify -v diffstat
    Verifying: PACKAGE                  STATUS
    pkg://solaris/text/diffstat             OK

15. Remove the diffstat package from the mounted inactive BE.

    root@s11-server1:~# pkg -R /solaris-1 uninstall diffstat
    Creating Plan…
                Packages to remove:  1
         Estimated space available: 28.45 GB
    Estimated space to be consumed: 14.58 MB
              Rebuild boot archive: No

    Changed packages:
    solaris
      text/diffstat
        1.51,5.11-0.175.1.0.0.9.0:20120207T035254Z -> None

    PHASE                              ITEMS
    Removing old actions               19/19
    Updating package state database     Done
    Updating package cache               1/1
    Updating image state                Done
    Creating fast lookup database       Done

    root@s11-server1:~# pkg -R /solaris-1 list diffstat
    pkg list: no packages matching 'diffstat' installed

16. Unmount the inactive BE.

    root@s11-server1:~# beadm unmount solaris-1

17. Create a snapshot of the solaris BE. Name the snapshot backup.

    root@s11-server1:~# beadm create solaris@backup

18. Display the list of snapshots associated with the solaris BE.

    root@s11-server1:~# beadm list -a solaris
    BE/Dataset/Snapshot               Active Mountpoint Space   Policy Created
    -------------------               ------ ---------- -----   ------ -------
    solaris
       rpool/ROOT/solaris             NR     /          2.17G   static 2012-11-30 08:47
       rpool/ROOT/solaris/var         -      /var       518.90M static 2012-11-30 08:47
       rpool/ROOT/solaris/var@2012... -      -          1.22M   static 2012-12-09 07:01
       rpool/ROOT/solaris/var@backup  -      -          0       static 2012-12-09 07:18
       rpool/ROOT/solaris@backup      -      -          0       static 2012-12-09 07:18
       rpool/ROOT/solaris/var@install -      -          144.54M static 2012-11-30 08:51
       … … …

19. Create a new boot environment from the solaris@backup snapshot. Name this BE solaris-2.

    root@s11-server1:~# beadm create -e solaris@backup solaris-2
    root@s11-server1:~# beadm list
    BE        Active Mountpoint Space  Policy Created
    --        ------ ---------- -----  ------ -------
    solaris   NR     /          2.89G  static 2012-11-30 08:47
    solaris-1 -      -          76.03M static 2012-12-09 07:01
    solaris-2 -      -          130.0K static 2012-12-09 07:26

20. Destroy the solaris-2 BE and show the results.

    root@s11-server1:~# beadm destroy solaris-2
    Are you sure you want to destroy solaris-2? This action cannot be
    undone(y/[n]): y
    root@s11-server1:~# beadm list
    BE        Active Mountpoint Space  Policy Created
    --        ------ ---------- -----  ------ -------
    solaris   NR     /          2.89G  static 2012-11-30 08:47
    solaris-1 -      -          76.23M static 2012-12-09 07:01

21. Rename the original solaris-1 BE to solaris-alt.

    root@s11-server1:~# beadm rename solaris-1 solaris-alt

22. List the boot environments.

    root@s11-server1:~# beadm list
    BE          Active Mountpoint Space  Policy Created
    --          ------ ---------- -----  ------ -------
    solaris     NR     /          2.89G  static 2012-11-30 08:47
    solaris-alt -      -          76.23M static 2012-12-09 07:01

23. Destroy the solaris-alt BE and then verify that it has been removed.

    root@s11-server1:~# beadm destroy solaris-alt
    Are you sure you want to destroy solaris-1? This action cannot be
    undone(y/[n]): y
    root@s11-server1:~# beadm list
    BE      Active Mountpoint Space Policy Created
    --      ------ ---------- ----- ------ -------
    solaris NR     /          2.89G static 2012-11-30 08:47

    The next time you reboot the system, you will see only the solaris BE present on the GNU GRUB menu.
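Added example (not part of the Oracle activity guide): a small shell helper that reads the Active column of beadm list, as explained in Practice 2-3, to report what the next reboot will boot and whether a BE is free to destroy. The function names are hypothetical and the sample listings are constructed from the outputs shown in the practice.

```bash
#!/usr/bin/env bash
# Added example: interpret the Active column of `beadm list` before a reboot
# or a destroy. Function names are hypothetical; the listings below are
# constructed from the outputs shown in Practice 2-3.

# After step 4 (solaris-1 activated, reboot still pending).
LIST_AFTER_ACTIVATE='BE        Active Mountpoint Space  Policy Created
--        ------ ---------- -----  ------ -------
solaris   N      /          469.0K static 2012-11-30 08:47
solaris-1 R      -          2.84G  static 2012-12-09 07:01'

# After step 12 (back on solaris, solaris-1 inactive).
LIST_BACK_ON_SOLARIS='BE        Active Mountpoint Space  Policy Created
--        ------ ---------- -----  ------ -------
solaris   NR     /          2.89G  static 2012-11-30 08:47
solaris-1 -      -          76.03M static 2012-12-09 07:01'

# After step 23 (only one BE left).
LIST_SINGLE='BE      Active Mountpoint Space Policy Created
--      ------ ---------- ----- ------ -------
solaris NR     /          2.89G static 2012-11-30 08:47'

# be_rows LISTING: print only the data rows (no header, no dashed separator).
be_rows() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $1 != "BE" && $1 !~ /^-+$/'
}

# be_with_flag LISTING FLAG: name of the BE whose Active field contains FLAG
# (N = active now, R = active on reboot).
be_with_flag() {
    be_rows "$1" | awk -v flag="$2" 'index($2, flag) { print $1 }'
}

# be_reboot_plan LISTING: describe what the next boot will do.
be_reboot_plan() {
    local now next total
    now=$(be_with_flag "$1" N)
    next=$(be_with_flag "$1" R)
    total=$(be_rows "$1" | awk 'END { print NR }')
    if [ -z "$now" ] || [ -z "$next" ]; then
        echo "unknown: no BE carries the N or R flag"
        return 2
    fi
    if [ "$now" != "$next" ]; then
        # The running BE stays on disk and is the way back.
        echo "switch: $now -> $next (fallback: $now)"
    elif [ "$total" -gt 1 ]; then
        echo "stay: $now (other BEs available)"
    else
        echo "stay: $now (no fallback BE)"
    fi
}

# be_safe_to_destroy LISTING NAME: succeed only if NAME exists and is neither
# running (N) nor selected for the next boot (R).
be_safe_to_destroy() {
    local active
    active=$(be_rows "$1" | awk -v be="$2" '$1 == be { print $2 }')
    [ "$active" = "-" ]
}

# Demonstration on the constructed listing from step 4.
be_reboot_plan "$LIST_AFTER_ACTIVATE"
```

On a live system the listing argument would come from the command itself, for example be_reboot_plan "$(beadm list)".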
Practices for Lesson 3: Installing Oracle Solaris 11 on Multiple Hosts
Chapter 3

Practice Overview for Lesson 3

Practices Overview

According to the predeployment plan and checklist, you will now start configuring the Automated Installer (AI). The AI configuration practices help you to understand how you can save time and resources while installing Oracle Solaris 11.1 on multiple client hosts individually.

Oracle Solaris 11.1 Predeployment Checklist

√ Managing the Image Packaging System (IPS) and Packages
√ Installing Oracle Solaris 11.1 on Multiple Hosts
  Managing the Business Application Data
  Configuring Network and Traffic Failover
  Configuring Zones and the Virtual Network
  Managing Services and Service Properties
  Configuring Privileges and Role-Based Access Control
  Securing System Resources by Using Solaris Auditing
  Managing Processes and Priorities
  Evaluating System Resources
  Monitoring and Troubleshooting System Failures

In the following practices, you install Oracle Solaris 11.1 OS on an x86/64 machine in an automated, unattended manner. Your first task is to verify that the system meets the AI requirements.
In the second task, you configure the AI on a server. Then as a final step, you deploy the OS on a network client.

Before you install the Oracle Solaris 11.1 OS by using AI, you must first download the Oracle Solaris 11.1 AI install image from the following site: http://www.oracle.com/technetwork/server-storage/solaris11/downloads/index.html. The AI installation download is in an ISO image format that can be burned to a CD or DVD, or used directly within Oracle VM Server or other virtualization software.

Note: For training purposes, the AI ISO has already been downloaded for you. The ISO image file can be found in the /root directory of the Sol11-Server1 virtual machine.

Practice 3-1: Verifying the System AI Requirements (Optional)

Overview

This practice takes you through the steps for checking the existing version of Oracle Solaris 11.1 to verify the system requirements for the AI installation. For the purposes of AI configuration, you need to configure the IPS repository on the local VM (S11-Server1) so that you can minimize the package deployment.

Note: If you have completed Practice 2 during Lesson 2, skip this practice. It is included here as a checkpoint prerequisite because you need to ensure that the IPS repository is properly configured before you configure AI.
Note: Your command output displays may be different than the displays in the practice, especially allocation and utilization, process IDs, and similar information.

Tasks

1. Verify that the Sol11-Server1 virtual machine is running. If the virtual machine is not running, start it at this time.

2. Log in to virtual machine Sol11-Server1 as the oracle user. Use the password oracle1.

3. Run the su command to assume primary administrator privileges.

    oracle@s11-server1:~$ su -
    Password: oracle1
    Oracle Corporation      SunOS 5.11      11.1    September 2012
    root@s11-server1:~#

4. Verify that the operating system is Oracle Solaris 11 Build 173 release.

    root@s11-server1:~# cat /etc/release
    Oracle Solaris 11.1 X86
    Copyright (c) 1983, 2012, Oracle and/or its affiliates. All rights reserved.
    Assembled 19 September 2012

5. Verify that the operating system is configured with a static IP address.

    root@s11-server1:~# svcs network/physical:default
    STATE          STIME    FMRI
    online         0:24:39  svc:/network/physical:default
    root@s11-server1:~# ipadm show-addr
    ADDROBJ        TYPE     STATE   ADDR
    …
    net0/v4        static   ok      192.168.0.100/24
    …

6. Verify that DNS is operational.

    root@s11-server1:~# nslookup s11-server1.mydomain.com
    Server:         192.168.0.100
    Address:        192.168.0.100#53

    Name:    s11-server1.mydomain.com
    Address: 192.168.0.100

7. Verify that the /export/IPS file system has been configured in the rpool on the system.
    root@s11-server1:~# zpool list
    NAME    SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
    rpool  31.8G  9.98G  21.9G  31%  1.00x  ONLINE  -

    root@s11-server1:~# zfs list
    NAME                     USED  AVAIL  REFER  MOUNTPOINT
    rpool                   9.95G  21.3G    39K  /rpool
    rpool/ROOT              2.14G  21.3G    31K  legacy
    rpool/ROOT/solaris      2.14G  21.3G  1.58G  /
    rpool/ROOT/solaris/var   517M  21.3G   373M  /var
    rpool/dump              1.03G  21.3G  1.00G  -
    rpool/export            5.74G  21.3G    33K  /export
    rpool/export/IPS        5.74G  21.3G  5.74G  /export/IPS
    rpool/export/home        212K  21.3G    37K  /export/home
    rpool/swap              1.03G  21.3G  1.00G  -

    Note: Your display may be slightly different based on the type of disks and platform.

    Normally, a local IPS repository must be manually created on the local server. This involves creating a ZFS file system on the local server for the IPS repository and copying the repository files from the repository ISO image to the local repository.

    The following example shows you the steps to copy the IPS repository from the ISO image to a local ZFS file system. Do not run these commands in this practice. The repository has already been installed on the local server for you.

    # zfs create -o compression=on rpool/export/IPS
    # lofiadm -a sol-11-1111-repo-full.iso
    # mount -F hsfs /dev/lofi/1 /mnt
    # rsync -aP /mnt/repo /export/IPS

    The package repository is very large (over 6 GB). Depending on the speed of your host machine, the rsync command can take a couple of hours to complete.

8. Assess the current IPS configuration on the Sol11-Server1 system:

    root@s11-server1:~# svcs application/pkg/server
    STATE          STIME    FMRI
    disabled       0:24:39  svc:/application/pkg/server:default
    root@s11-server1:~# svcprop -p pkg/inst_root application/pkg/server
    /var/pkgrepo
    This system is not currently configured as an IPS server (the service is disabled). Note the default location of the IPS repository as determined by the pkg/inst_root property. The /var/pkgrepo directory is not the correct location of your local repository.

    Note: When you configure IPS for the first time, you will see this default value. It is shown here for that purpose. You will change it to the local ZFS file system.

9. Set the pkg/inst_root property of the application/pkg/server service to the local repository location /export/IPS/repo.

    root@s11-server1:~# svccfg -s application/pkg/server setprop \
    pkg/inst_root=/export/IPS/repo
    root@s11-server1:~#

10. Set the pkg/readonly property of the application/pkg/server service to true.

    root@s11-server1:~# svccfg -s application/pkg/server setprop \
    pkg/readonly=true

11. Verify the inst_root property of the application/pkg/server service.

    root@s11-server1:~# svcprop -p pkg/inst_root \
    application/pkg/server
    /export/IPS/repo

12. Refresh the application/pkg/server service.

    root@s11-server1:~# svcadm refresh application/pkg/server

13. Enable the application/pkg/server service.

    root@s11-server1:~# svcadm enable application/pkg/server

14. Verify that the application/pkg/server service is enabled.

    root@s11-server1:~# svcs application/pkg/server
    STATE          STIME    FMRI
    online         0:24:39  svc:/application/pkg/server:default

15. Use the pkgrepo refresh command to refresh the package repository.

    root@s11-server1:~# pkgrepo refresh -s /export/IPS/repo

    When you create a new package repository, you must refresh the repository catalog so that the package search operations will work correctly.
    This may take several minutes to complete.

16. List the current package publishers.

    root@s11-server1:~# pkg publisher
    PUBLISHER   TYPE     STATUS P LOCATION
    solaris     origin   online F http://pkg.oracle.com/solaris/release/

    The command output shows the current publisher. A publisher is a forward domain name that identifies a person, group of persons, or an organization that publishes one or more packages. The repository type origin is the location of a package repository that contains both package metadata (package manifests and catalogs) and package content (package files). The default publisher URI is http://pkg.oracle.com/solaris/release/.

17. Remove the current publisher URI (http://pkg.oracle.com/solaris/release/) and add a new URI (http://s11-server1.mydomain.com) to the publisher name solaris. Show the results.

    root@s11-server1:~# pkg set-publisher -G \
    http://pkg.oracle.com/solaris/release/ \
    -g http://s11-server1.mydomain.com/ solaris
    root@s11-server1:~# pkg publisher
    PUBLISHER   TYPE     STATUS P LOCATION
    solaris     origin   online F http://s11-server1.mydomain.com

    Note: The value specified after the -G option is also mentioned here as the original default that you will see while installing the repository for the first time. In the lab environment, use the value displayed in the previous step.
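Added example (not part of the Oracle activity guide): a shell check that a pkg publisher listing shows only the intended origin for a publisher, which catches the case where a new origin was added with -g but the old one was never removed with -G. The function names are hypothetical and the listings are constructed from the outputs in these practices; both header layouts that appear in the guide (URI and P LOCATION) are handled.

```bash
#!/usr/bin/env bash
# Added example: confirm that a publisher points only at the intended origin.
# Function names are hypothetical; listings are constructed from the practice
# outputs.

# Default publisher before step 17.
PUB_DEFAULT='PUBLISHER   TYPE     STATUS P LOCATION
solaris     origin   online F http://pkg.oracle.com/solaris/release/'

# Constructed: the new origin was added with -g, the old one was not removed.
PUB_BOTH='PUBLISHER   TYPE     STATUS P LOCATION
solaris     origin   online F http://pkg.oracle.com/solaris/release/
solaris     origin   online F http://s11-server1.mydomain.com/'

# After step 17, in the older "URI" header layout shown in Practice 2-1.
PUB_LOCAL='PUBLISHER   TYPE     STATUS   URI
solaris     origin   online   http://s11-server1.mydomain.com'

# publisher_origins LISTING NAME: print each origin of NAME, one per line,
# with trailing slashes removed. The location is always the last field.
publisher_origins() {
    printf '%s\n' "$1" | awk -v pub="$2" '
        $1 == pub {
            for (i = 2; i < NF; i++) {
                if ($i == "origin") {
                    loc = $NF
                    sub(/\/+$/, "", loc)
                    print loc
                    break
                }
            }
        }'
}

# check_publisher LISTING NAME EXPECTED_URI
# Returns 0 if every origin of NAME equals EXPECTED_URI, 1 if any other
# origin is configured, 2 if NAME has no origin at all.
check_publisher() {
    local want=${3%/} origins extra
    origins=$(publisher_origins "$1" "$2")
    if [ -z "$origins" ]; then
        echo "missing: publisher $2 has no origin"
        return 2
    fi
    extra=$(printf '%s\n' "$origins" |
        awk -v want="$want" '$0 != want { printf "%s%s", sep, $0; sep = " " }')
    if [ -n "$extra" ]; then
        echo "unexpected origin(s): $extra"
        return 1
    fi
    echo "ok: $2 -> $want"
}

# Demonstration on the constructed listing with a leftover origin.
check_publisher "$PUB_BOTH" solaris http://s11-server1.mydomain.com/ || true
```

On a client the listing argument would be "$(pkg publisher)".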
Practice 3-2: Configuring the AI Server

Overview

After you have verified that the server meets the AI requirements, you are ready to configure the AI server. After the configuration is complete, you will be able to install the Oracle Solaris 11.1 OS on one or more client hosts. This practice will set up a DHCP server as part of the configuration. This DHCP server allocates an IP address to the client host.

Note: Because you are not using the default IPS service, you need to adjust the default AI service accordingly.

Tasks

1. On the Sol11-Server1 virtual machine, check whether the svc:/network/dns/multicast service is online. If the service is not online, enable it.

    root@s11-server1:~# svcs network/dns/multicast
    STATE          STIME    FMRI
    disabled       1:08:14  svc:/network/dns/multicast:default
    root@s11-server1:~# svcadm enable network/dns/multicast
    root@s11-server1:~# svcs network/dns/multicast
    STATE          STIME    FMRI
    online         1:32:27  svc:/network/dns/multicast:default

2. Verify that the netmasks file is configured appropriately for the DHCP service.

    root@s11-server1:~# getent netmasks 192.168.0.0

    Note that DHCP requires that the network mask for the local subnet is configured in the /etc/netmasks file. If an entry does not exist, update the netmasks file now.

    # vi /etc/netmasks
    …
    192.168.0.0 255.255.255.0

    root@s11-server1:~# getent netmasks 192.168.0.0
    192.168.0.0 255.255.255.0

3.
Use the installadm create-service command to create an AI service based on the following information:

    - Service name: basic_ai
    - DHCP base IP address: 192.168.0.130
    - DHCP IP address range: 5
    - AI ISO image location: /opt/ora/iso/sol-11_1-ai-x86.iso
    - Target directory: /export/ai/basic_ai

    root@s11-server1:~# installadm create-service -n basic_ai \
    -s /opt/ora/iso/sol-11_1-ai-x86.iso -i 192.168.0.130 \
    -c 5 -d /export/ai/basic_ai

    Creating service from: /opt/ora/iso/sol-11_1-ai-x86.iso
    Setting up the image ...

    Creating i386 service: basic_ai
    Image path: /export/ai/basic_ai

    Starting DHCP server...
    Adding IP range to local DHCP configuration

    Unable to determine a route for network 192.168.0.0. Setting the route
    temporarily to 0.0.0.0; this should be changed to an appropriate value
    in the DHCP configuration file. Please see dhcpd(8) for further
    information.

    Refreshing install services

    Creating default-i386 alias

    Setting the default PXE bootfile(s) in the local DHCP configuration
    to:
    bios clients (arch 00:00): default-i386/boot/grub/pxegrub2
    uefi clients (arch 00:07): default-i386/boot/grub/grub2netx64.efi

    Refreshing install services
    root@s11-server1:~#

    Note: If a warning message "Unable to determine a route…" appears, ignore it because it is caused by the virtual machine network configuration. The same is true for any other warnings. These messages have no impact on this practice.

    Note: If you need to, you can remove an AI service and its associated clients by using the command installadm delete-service -r svcname.
4. Use the installadm list command to verify that your AI service is installed.

    root@s11-server1:~# installadm list
    Service Name Alias Of Status Arch Image Path
    ------------ -------- ------ ---- ----------
    basic_ai     -        on     i386 /export/ai/basic_ai
    default-i386 basic_ai on     i386 /export/ai/basic_ai

5. Use the installadm create-client command to add the client MAC address for the Sol11-Client1 virtual machines to the basic_ai service.

    root@s11-server1:~# installadm create-client -e \
    08:00:27:85:C7:D6 -n basic_ai
    Adding host entry for 08:00:27:85:C7:D6 to local DHCP configuration.

    Note that, on the job, you will not encounter duplicate MAC addresses on your network. You should verify carefully what your actual network client systems' MAC addresses are in order to properly install Oracle Solaris 11.1 on them.

    Note: Use the MAC addresses observed on your system.

6. Use the installadm list -c command to verify that the client was added to the AI server basic_ai.

    root@s11-server1:~# installadm list -c
    Service Name Client Address    Arch Image Path
    ------------ --------------    ---- ----------
    basic_ai     08:00:27:85:C7:D6 i386 /export/ai/basic_ai

7. Create the directory /var/tmp/manifests to store the AI manifest files.

    root@s11-server1:~# mkdir -p /var/tmp/manifests

8. Copy the default manifest file to the /var/tmp/manifests/basic_ai.xml file so that you can modify it for your configuration.

    root@s11-server1:~# cp \
    /export/ai/basic_ai/auto_install/manifest/default.xml \
    /var/tmp/manifests/basic_ai.xml

    Note: In the previous step, the /var/tmp/manifests/basic_ai.xml file is created read only.
    Before editing, you can change the permissions to 755 (using the command chmod 755 basic_ai.xml) or ignore the warning from the vi editor and save it with the "wq!" command.

9. Using the vi editor, modify the auto_install section of the /var/tmp/manifests/basic_ai.xml file and use the following data.

    auto_install manifest:
    - AI instance name (ai_instance name): basic_ai and add auto_reboot="true"
    - IPS origin URI: http://s11-server1.mydomain.com
    - IPS package: entire (confirm that it uses the entire package)
    - IPS package: solaris-large-server (confirm that it uses the solaris-large-server package)

10. Use the diff command to view the differences between the basic_ai.xml file and the default.xml file.

    root@s11-server1:~# diff /var/tmp/manifests/basic_ai.xml \
    /export/ai/basic_ai/auto_install/manifest/default.xml
    27c27
    <
    ---
    >
    40c40
    <
    ---
    >

    This output shows you the modifications that you made to the basic_ai.xml file.

11. Create a MAC address-based criteria file named criteria_ai.xml in the /var/tmp/manifests directory. Use the MAC address of the network client Sol11-Client1.

    root@s11-server1:~# vi /var/tmp/manifests/criteria_ai.xml

    Note: If the AI client does not match the criteria for a service (in this case, a specific MAC address), the AI service will use the default manifest when installing the OS.

12. Add the basic_ai manifest and criteria file to the basic_ai service.
    root@s11-server1:~# installadm create-manifest -n basic_ai \
    -f /var/tmp/manifests/basic_ai.xml \
    -C /var/tmp/manifests/criteria_ai.xml

    When a custom AI manifest (basic_ai.xml, in this example) is defined for this install service and the client matches the criteria specified (in the criteria_ai.xml file) for the custom AI manifest, the client will use that manifest. In cases where client characteristics match multiple AI manifests, the client characteristics are evaluated in the following order: mac, ipv4, platform, arch, cpu, and mem. If the client does not match the criteria for any custom AI manifest, the client uses the default AI manifest.

13. Use the installadm list -m command to verify that your manifest and the criteria have been added to the basic_ai service.

    root@s11-server1:~# installadm list -m
    Service/Manifest Name  Status   Criteria
    ---------------------  ------   --------
    basic_ai
       basic_ai                     mac = 08:00:27:85:C7:D6
       orig_default        Default  None
    default-i386
       orig_default        Default  None

    root@s11-server1:~# installadm list -m -n basic_ai
    Service/Manifest Name  Status   Criteria
    ---------------------  ------   --------
    basic_ai
       basic_ai                     mac = 08:00:27:85:C7:D6
       orig_default        Default  None

Practice 3-3: Deploying the OS on the Network Client

Overview

After you complete the AI server configuration, it is time to test your work by deploying the Oracle Solaris 11.1 operating system on a network client. You will use the VM named Sol11-Client1 as the client host.
After the client is imaged from the AI server, you will verify that the install was done completely and accurately.

Tasks

1. Verify that the Sol11-Server1 virtual machine is running. If it is not, start it now.

2. Click the Sol11-Client1 virtual machine icon.

3. Click the Start button. This will boot the Sol11-Client1 virtual machine. If the AI server is configured correctly, you should see the OS installation begin.

   Note
   • If the Sol11-Client1 virtual machine fails to boot with a “No bootable medium found” error, change the virtual machine adapter. To change the adapter type, open the Oracle VM VirtualBox Manager, select the Sol11-Client1 virtual machine, and click Settings. In the Settings dialog box, select Network and click Advanced under Adapter 1. Select another adapter from the Adapter Type menu. Restart the Sol11-Client1 virtual machine.
   • Perform the next step as soon as possible.

4. When the Sol11-Client1 system starts the GNU GRUB menu, select the Oracle Solaris 11.1 Text Installer and command line boot option.

5. When the Oracle Solaris installation menu appears, type option 1 for “Install Oracle Solaris” and press Enter as instructed. During the OS installation process, use the following configuration data to complete the Text installation.

   Note: The Text installer program directs you to use the F2 key to move to the next step in the installation process.

   - Installation menu: 1. Install Oracle Solaris
   - Disks: Local Disks
   - Fdisk Partitions: Use the entire disk.
   - Computer name: s11-client1
   - Ethernet network configuration: Automatically
   - Time zone: Use your local region.
   - Date and time: Set to current date and time.
   - Root password: oracle1
   - User account:
     - Your real name: oracle
     - Username: oracle
     - Password: oracle1

6. The installation should take around 10 minutes. You will see an “installation complete” message displayed.

7. After the installation has completed, reboot (F8) the Sol11-Client1 virtual machine.

   Note: If the F8 key does not work, press the F9-Quit key. This returns you to the installation menu. From the menu, select option 5 to reboot.

8. After Sol11-Client1 completes the initial boot and the solaris-client1 console login prompt appears, power down the virtual machine.
Practices for Lesson 4: Managing Business Application Data
Chapter 4

Practice Overview for Lesson 4

Practices Overview

Following the predeployment test plan, you now need to address the storage requirements of the business applications. You need to configure multiple ZFS storage pools. In this case, your organization is working with the Oracle CRM application. Then you need to create file systems for storing business application data. For file system backup and recovery, you will create snapshots and clones. Then you will need to explore the ZFS compression property to minimize the storage space.

The default file system for Oracle Solaris 11 is ZFS. ZFS is the root file system on Oracle Solaris 11 that offers a superior experience in terms of manageability, scalability, and data integrity.

The key areas explored in this practice are:
• Managing data redundancy with a ZFS mirrored pool
• Using ZFS snapshots for backup and recovery
• Using a ZFS clone
• Configuring ZFS compression
• Troubleshooting ZFS failures

Note: Your command output displays may be different than the displays in the practice, especially storage, process IDs, and other information.

Look at your checklist to see where you are.
√  Oracle Solaris 11.1 Predeployment Checklist
√  Managing the Image Packaging System (IPS) and Packages
√  Installing Oracle Solaris 11.1 on Multiple Hosts
   Managing the Business Application Data
   Configuring Network and Traffic Failover
   Configuring Zones and the Virtual Network
   Managing Services and Service Properties
   Configuring Privileges and Role-Based Access Control
   Securing System Resources by Using Oracle Solaris Auditing
   Managing Processes and Priorities
   Evaluating System Resources
   Monitoring and Troubleshooting System Failures

Practice 4-1: Managing Data Redundancy with a ZFS Mirrored Pool

Overview

In this practice, you test application data redundancy by using different scenarios. First you create a ZFS mirrored pool that contains one mirror. To minimize the chances of losing data, you distribute the data over two mirrors. At this time, to address a policy change, you reconfigure the pool to keep three copies of data, which requires you to create a three-way mirror.

Tasks

1. Verify that the Sol11-Server1 virtual machine is running. If it is not running, start it now.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use the oracle1 password. Assume administrator privileges.

3. Execute the zpool list command to display the ZFS pools that are currently configured in the system.

   root@s11-server1:~# zpool list
   NAME    SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
   rpool  31.8G  9.90G  21.9G  31%  1.00x  ONLINE  -

   Currently, the only ZFS pool that is available is the root pool, which is needed to make the ZFS file system a root file system.

4. Use the zpool status command to determine the disks that are currently configured for the ZFS rpool.

   root@s11-server1:~# zpool status rpool
     pool: rpool
    state: ONLINE
     scan: none requested
   config:

           NAME        STATE     READ WRITE CKSUM
           rpool       ONLINE       0     0     0
             c7t0d0s0  ONLINE       0     0     0

   errors: No known data errors

   This display shows that rpool is using the local disk c7t0d0. So while creating new pools, leave this disk untouched.

5. Execute the format command to identify any additional disks configured in the system.

   root@s11-server1:~# format
   Searching for disks...done

   AVAILABLE DISK SELECTIONS:
          0. c7t0d0 08:00:27:85:C7:D6
             /pci@0,0/pci8086,2829@d/disk@0,0
          1. c7t2d0
             /pci@0,0/pci8086,2829@d/disk@2,0
          2. c7t3d0
             /pci@0,0/pci8086,2829@d/disk@3,0
          3. c7t4d0
             /pci@0,0/pci8086,2829@d/disk@4,0
          4. c7t5d0
             /pci@0,0/pci8086,2829@d/disk@5,0
          5. c7t6d0
             /pci@0,0/pci8086,2829@d/disk@6,0
          6. c7t7d0
             /pci@0,0/pci8086,2829@d/disk@7,0
          7. c7t8d0
             /pci@0,0/pci8086,2829@d/disk@6,0
          8. c7t9d0
             /pci@0,0/pci8086,2829@d/disk@7,0
   ^C

   The display tells you that disks c7t2d0 to c7t9d0 are available for use.
   To cancel the format command, press Ctrl + C or Ctrl + D.

6. Create a mirrored ZFS pool named oraclecrm by using the disks c7t2d0 and c7t3d0. Show the results.
   root@s11-server1:~# zpool create oraclecrm mirror c7t2d0 c7t3d0
   root@s11-server1:~# zpool list
   NAME        SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
   oraclecrm  1008M   112K  1008M   0%  1.00x  ONLINE  -
   rpool      31.8G  9.90G  21.9G  31%  1.00x  ONLINE  -

   Here, you created a pool called oraclecrm with a mirror by using two free disks. The purpose of this pool is to store the Oracle business application Customer Relationship Management (CRM) components. Because your company required redundancy, you have created a mirror, meaning that you have an online copy of the CRM data. This online copy will come in handy in case one of the disks gets corrupted.

7. Add another mirror in the oraclecrm pool by using disks c7t4d0 and c7t5d0.

   root@s11-server1:~# zpool add oraclecrm mirror c7t4d0 c7t5d0
   root@s11-server1:~# zpool status oraclecrm
     pool: oraclecrm
    state: ONLINE
     scan: none requested
   config:

           NAME        STATE     READ WRITE CKSUM
           oraclecrm   ONLINE       0     0     0
             mirror-0  ONLINE       0     0     0
               c7t2d0  ONLINE       0     0     0
               c7t3d0  ONLINE       0     0     0
             mirror-1  ONLINE       0     0     0
               c7t4d0  ONLINE       0     0     0
               c7t5d0  ONLINE       0     0     0

   errors: No known data errors

   Your company is very concerned about losing data because of data or disk corruption. You are asked to spread the data over multiple disks to mitigate the risk of data loss. To satisfy this objective, you create another mirror by using two free disks. Now, the data is distributed over the two mirrors and the respective disks. This means that 50% of the data will be stored in the first mirror and 50% of the data in the second mirror. You will see a demonstration subsequently.

8. Check the capacity of both the mirrors by issuing the zpool iostat -v oraclecrm command.

   root@s11-server1:~# zpool iostat -v oraclecrm
                  capacity     operations    bandwidth
   pool        alloc   free   read  write   read  write
   ----------  -----  -----  -----  -----  -----  -----
   oraclecrm     94K  1.97G      0     10     53  11.7K
     mirror    71.5K  1008M      0      7     53  7.77K
       c7t2d0      -      -      0      7  5.18K  30.8K
       c7t3d0      -      -      0      7  5.13K  30.8K
     mirror    33.5K  1.02G      0      7      0  9.31K
       c7t4d0      -      -      0      9  12.3K  65.8K
       c7t5d0      -      -      0      9  12.3K  65.8K
   ----------  -----  -----  -----  -----  -----  -----

   Here you see the two mirrors listed with their details. Note that the total free space in the pool, 1.97 GB, has been equally distributed between the two mirrors (1008 MB and 1.02 GB respectively). The alloc column shows the ZFS overhead.

9. Determine the mount point of the top-level file system.

   root@s11-server1:~# zfs list oraclecrm
   NAME       USED  AVAIL  REFER  MOUNTPOINT
   oraclecrm   94K  1.94G    31K  /oraclecrm

   The mount point of the pool or the top-level file system of oraclecrm is /oraclecrm. This is the root of the pool; that is, all the file systems that are created will be within this mount point.

10. Create a 2 MB file by using the mkfile command. Check the file storage allocation for the mirrors by running the zpool iostat command.
    root@s11-server1:~# mkfile 2m /oraclecrm/crmindex
    root@s11-server1:~# zpool iostat -v oraclecrm
                   capacity     operations    bandwidth
    pool        alloc   free   read  write   read  write
    ----------  -----  -----  -----  -----  -----  -----
    oraclecrm   1.38M  1.97G      0      5     26  7.18K
      mirror     856K  1007M      0      3     26  4.67K
        c7t2d0      -      -      0      3  2.51K  15.8K
        c7t3d0      -      -      0      3  2.49K  15.8K
      mirror     558K  1007M      0      2      0  3.50K
        c7t4d0      -      -      0      2  3.47K  19.4K
        c7t5d0      -      -      0      2  3.47K  19.4K
    ----------  -----  -----  -----  -----  -----  -----

    Note: Your display may show different numbers.

    Your CRM analyst shared with you that a small file will be needed for storing the index of the CRM application. You create a 2 MB file called crmindex in the pool.

    Note how this 2 MB worth of storage has been roughly divided between the two mirrors. This shows that all CRM data will be divided between the two mirrors.

    Hint: In some cases, it may help to wait for some time before issuing the zpool iostat command to allow ZFS to complete writing to the mirrors.

11. Use the zfs list oraclecrm command to list the capacity summary for the oraclecrm pool.

    root@s11-server1:~# zfs list oraclecrm
    NAME        USED  AVAIL  REFER  MOUNTPOINT
    oraclecrm  2.09M  1.94G  2.03M  /oraclecrm

    Note the space used now at the top-level file system. This reflects the 2 MB of storage used by the crmindex file.

12. Use the zpool destroy oraclecrm command to delete the pool. Confirm the deletion by using the zpool list command.

    root@s11-server1:~# zpool destroy oraclecrm
    root@s11-server1:~# zpool list oraclecrm
    cannot open 'oraclecrm': no such pool

    Based on a review by the CRM analyst, there was a change in direction.
    It was agreed that you keep three copies of data and not distribute it over two separate mirror sets. To address this objective, you delete the current data redundancy configuration and destroy the pool to create the new configuration.

13. Re-create the mirrored ZFS pool named oraclecrm by using the disks c7t2d0 and c7t3d0. Show the results.

    root@s11-server1:~# zpool create oraclecrm mirror c7t2d0 c7t3d0
    root@s11-server1:~# zpool list
    NAME        SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
    oraclecrm  1008M   126K  1008M   0%  1.00x  ONLINE  -
    rpool      31.8G  9.90G  21.9G  31%  1.00x  ONLINE  -

    Note: The purpose of the reconfiguration is to create a three-way mirror now and reuse the existing storage disks. This will also assist you in focusing on a cleaner setup, for instance, having one mirror.

14. Use the zpool attach command to add another disk to the mirror to make it a three-way mirror. Confirm this action by using the zpool status command.

    root@s11-server1:~# zpool attach oraclecrm c7t2d0 c7t4d0
    root@s11-server1:~# zpool status oraclecrm
      pool: oraclecrm
     state: ONLINE
      scan: resilvered 86.5K in 0h0m with 0 errors on Mon Dec 12 07:51:21 2012
    config:

            NAME        STATE     READ WRITE CKSUM
            oraclecrm   ONLINE       0     0     0
              mirror-0  ONLINE       0     0     0
                c7t2d0  ONLINE       0     0     0
                c7t3d0  ONLINE       0     0     0
                c7t4d0  ONLINE       0     0     0

    errors: No known data errors

    Now this new configuration meets the objective of maintaining redundancy by keeping three copies of data on three individual disks. The application data can be created as shown earlier. Notice that the attach command specifies an existing disk in the mirror and a free disk to be included in the mirror.
    The result is displayed by the status command. The status display also shows the resilvering action. The purpose of resilvering is to replicate data on the newly added disk.

15. Use the zpool add command to add a cache device to the mirror to allow the cache device to be used as local pool memory. Confirm this action by using the zpool status command.

    root@s11-server1:~# zpool add oraclecrm cache c7t5d0
    root@s11-server1:~# zpool status oraclecrm
      pool: oraclecrm
     state: ONLINE
      scan: resilvered 86.5K in 0h0m with 0 errors on Mon Dec 12 07:51:21 2012
    config:

            NAME        STATE     READ WRITE CKSUM
            oraclecrm   ONLINE       0     0     0
              mirror-0  ONLINE       0     0     0
                c7t2d0  ONLINE       0     0     0
                c7t3d0  ONLINE       0     0     0
                c7t4d0  ONLINE       0     0     0
            cache
              c7t5d0    ONLINE       0     0     0

    errors: No known data errors

    This added device will serve as local memory for the pool to boost the input/output performance. Your business analyst had indicated that you may need to boost the I/O performance of the pool.

16. Your business analyst has now indicated that you do not need to boost pool performance because of the low volume of data. Use the zpool remove command to delete the cache device. Confirm this action by using the zpool status command.

    root@s11-server1:~# zpool remove oraclecrm c7t5d0
    root@s11-server1:~# zpool status oraclecrm
      pool: oraclecrm
     state: ONLINE
      scan: resilvered 86.5K in 0h0m with 0 errors on Mon Dec 12 07:51:21 2012
    config:

            NAME        STATE     READ WRITE CKSUM
            oraclecrm   ONLINE       0     0     0
              mirror-0  ONLINE       0     0     0
                c7t2d0  ONLINE       0     0     0
                c7t3d0  ONLINE       0     0     0
                c7t4d0  ONLINE       0     0     0

    errors: No known data errors

    Note that the cache device does not appear in the display.

17. Use the zpool destroy command to delete the pool. Use the zpool list command to confirm the deletion.

    root@s11-server1:~# zpool list
    NAME        SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
    oraclecrm  1008M   126K  1008M   0%  1.00x  ONLINE  -
    rpool      31.8G  9.90G  21.9G  31%  1.00x  ONLINE  -

    root@s11-server1:~# zpool destroy oraclecrm
    root@s11-server1:~# zpool list
    NAME    SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
    rpool  31.8G  9.90G  21.9G  31%  1.00x  ONLINE  -

    The purpose of destroying this pool is to conclude working with the mirrors. In the next practice, you will create a new pool with no mirrors to simplify working with ZFS backup and recovery functions. In addition, you will create a pool with no mirrors.

Practice 4-2: Using ZFS Snapshots for Backup and Recovery

Overview

According to your predeployment test plan, in this practice, you evaluate the data backup and recovery mechanism in Oracle Solaris 11.1. For backing up the data, you create snapshots, as well as use ZFS send/receive commands. The send/receive commands can be used to save the backed up data (snapshots) on the local or remote machine. You use rollback commands to recover the backed up or lost data.

Tasks

1. Verify that the Sol11-Server1 virtual machine is running. If the virtual machine is not running, start it now.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password. Assume administrator privileges.

3. Execute the zpool list command to display the ZFS pools that are currently configured in the system.
   root@s11-server1:~# zpool list
   NAME    SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
   rpool  31.8G  9.90G  21.9G  31%  1.00x  ONLINE  -

4. Run the zpool create command to create a pool with two top-level virtual devices. Check the pool information by using zpool list and zpool status.

   root@s11-server1:~# zpool create oraclecrm c7t3d0 c7t4d0
   'oraclecrm' successfully created, but with no redundancy; failure of one device will cause loss of the pool
   root@s11-server1:~# zpool list
   NAME        SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
   oraclecrm  1.97G   123K  1.97G   0%  1.00x  ONLINE  -
   rpool      31.8G  9.90G  21.9G  31%  1.00x  ONLINE  -

   You now create a fresh pool by using two disks. This will give you experience in creating a simple pool without any mirror. Because your configuration is simple, your displays will be clean and easy to follow.

   Confirm that the new pool has been created.

   root@s11-server1:~# zpool status oraclecrm
     pool: oraclecrm
    state: ONLINE
     scan: none requested
   config:

           NAME       STATE     READ WRITE CKSUM
           oraclecrm  ONLINE       0     0     0
             c7t3d0   ONLINE       0     0     0
             c7t4d0   ONLINE       0     0     0

   errors: No known data errors

5. Create a file system named oraclecrm/crmdata with a mount point of /crmdata. Check the file system creation and the mount point by running the zfs list command.

   root@s11-server1:~# zfs create -o mountpoint=/crmdata \
   oraclecrm/crmdata
   root@s11-server1:~# zfs list -r oraclecrm
   NAME               USED  AVAIL  REFER  MOUNTPOINT
   oraclecrm          137K  1.94G    31K  /oraclecrm
   oraclecrm/crmdata   31K  1.94G    31K  /crmdata

   You create a file system called crmdata in the oraclecrm pool.
   In this file system, you plan to store data in various CRM applications, such as Order Management, Marketing, and Customers.

   Note that the mount point was specified to be /crmdata for oraclecrm/crmdata to be able to access the crmdata file system directly.

6. Create new ZFS file systems named oraclecrm/crmdata/cust, oraclecrm/crmdata/mktg, and oraclecrm/crmdata/om. List the descendants of the oraclecrm file system.

   root@s11-server1:~# zfs create oraclecrm/crmdata/cust
   root@s11-server1:~# zfs create oraclecrm/crmdata/mktg
   root@s11-server1:~# zfs create oraclecrm/crmdata/om
   root@s11-server1:~# zfs list -r oraclecrm
   NAME                    USED  AVAIL  REFER  MOUNTPOINT
   oraclecrm               252K  1.94G    31K  /oraclecrm
   oraclecrm/crmdata       127K  1.94G    34K  /crmdata
   oraclecrm/crmdata/cust   31K  1.94G    31K  /crmdata/cust
   oraclecrm/crmdata/mktg   31K  1.94G    31K  /crmdata/mktg
   oraclecrm/crmdata/om     31K  1.94G    31K  /crmdata/om

   Note: These file systems are created to demonstrate individual file systems for each business application, as you will experience on the job.

   Here, you create file systems to store data for the CRM application. The file systems are cust, mktg, and om. Note the used column and the refer column for the new file systems. The file systems are consuming an initial storage space of 31 KB.

7. Using the tar command, create a tar bundle that will serve as an example of the business application data. Copy custarchive.tar to each crmdata file system and the /opt/ora/data directory for future use. Note the amount of data used and referenced by these file systems.
   root@s11-server1:~# tar cvf /crmdata/cust/custarchive.tar \
   /usr/demo
   ...
   a /usr/demo/expect/ 0K
   a /usr/demo/expect/mkpasswd 6K
   a /usr/demo/expect/ftp-rfc 1K
   a /usr/demo/expect/rftp 9K
   a /usr/demo/expect/weather 3K
   … … …
   root@s11-server1:~# cp /crmdata/cust/custarchive.tar \
   /crmdata/mktg/custarchive.tar
   root@s11-server1:~# cp /crmdata/cust/custarchive.tar \
   /crmdata/om/custarchive.tar

   You are saving the data in /opt/ora/data so that it will be available to you in the subsequent steps.

   root@s11-server1:~# cp /crmdata/cust/custarchive.tar \
   /opt/ora/data/custarchive.tar

   For training purposes, you are creating application data and placing it in the crmdata file systems.

   root@s11-server1:~# zfs list -r oraclecrm
   NAME                     USED  AVAIL  REFER  MOUNTPOINT
   oraclecrm               2.88M  1.93G    31K  /oraclecrm
   oraclecrm/crmdata       2.75M  1.93G    35K  /crmdata
   oraclecrm/crmdata/cust   929K  1.93G   929K  /crmdata/cust
   oraclecrm/crmdata/mktg   929K  1.93G   929K  /crmdata/mktg
   oraclecrm/crmdata/om     929K  1.93G   929K  /crmdata/om

   After placing application data in each file system, you see that all the file systems indicate 929 KB worth of storage. Your numbers may be different.

8. Create a recursive snapshot of oraclecrm/crmdata named oraclecrm/crmdata@monday. List the file systems below oraclecrm. Note the amount of space used and referenced by oraclecrm/crmdata@monday.

   root@s11-server1:~# zfs snapshot -r oraclecrm/crmdata@monday

   Recursively create snapshots of every file system in crmdata. The purpose is to create a backup of each file system, that is, cust, mktg, and om data.
   root@s11-server1:~# zfs list -r oraclecrm
   NAME                     USED  AVAIL  REFER  MOUNTPOINT
   oraclecrm               3.06M  1.93G    31K  /oraclecrm
   oraclecrm/crmdata       2.75M  1.93G    34K  /crmdata
   oraclecrm/crmdata/cust   929K  1.93G   929K  /crmdata/cust
   oraclecrm/crmdata/mktg   929K  1.93G   929K  /crmdata/mktg
   oraclecrm/crmdata/om     929K  1.93G   929K  /crmdata/om

   Now, when you try to display the children file systems of oraclecrm recursively, the snapshots are not displayed. Take a look at this.

   root@s11-server1:~# zpool get listsnapshots oraclecrm
   NAME       PROPERTY       VALUE  SOURCE
   oraclecrm  listsnapshots  off    default

   As displayed here, the listsnapshots property is off by default. You now enable it.

   root@s11-server1:~# zpool set listsnapshots=on oraclecrm

   Now, when you display the descendant file systems of oraclecrm, they are displayed. Note that there is one snapshot for each file system and they are all suffixed with @monday. As you can see, this is a very easy way to create multiple data backups and identify all of them with the same identifier.

   root@s11-server1:~# zfs list -r oraclecrm
   NAME                            USED  AVAIL  REFER  MOUNTPOINT
   oraclecrm                      2.90M  1.93G    31K  /oraclecrm
   oraclecrm/crmdata              2.75M  1.93G    35K  /crmdata
   oraclecrm/crmdata@monday           0      -    35K  -
   oraclecrm/crmdata/cust          929K  1.93G   929K  /crmdata/cust
   oraclecrm/crmdata/cust@monday      0      -   929K  -
   oraclecrm/crmdata/mktg          929K  1.93G   929K  /crmdata/mktg
   oraclecrm/crmdata/mktg@monday      0      -   929K  -
   oraclecrm/crmdata/om            929K  1.93G   929K  /crmdata/om
   oraclecrm/crmdata/om@monday        0      -   929K  -

   Note that the newly created snapshots do not use any space (initially) but they do indicate 929 KB worth of storage, which includes the data that you placed in each file system. The snapshots initially do not take up any space because they are using the existing file system data pointers.
9. Create a file named /crmdata/cust/colochoc. Confirm that the file exists.

   root@s11-server1:~# touch /crmdata/cust/colochoc

   You create a file to store data on a customer colochoc (for Colorado Chocolate Company).

   root@s11-server1:~# ls /crmdata/cust/colochoc
   /crmdata/cust/colochoc

   Success! You confirmed that it exists. Note that this file was created after taking a backup on Monday.

10. Create another recursive snapshot named oraclecrm/crmdata@tuesday.

    root@s11-server1:~# zfs snapshot -r oraclecrm/crmdata@tuesday

    Note that the colochoc file will be included in the Tuesday snapshot but not in the Monday snapshot.

11. Attempt to roll back the oraclecrm/crmdata snapshot by using the oraclecrm/crmdata@monday snapshot. What happens?

    root@s11-server1:~# zfs rollback oraclecrm/crmdata@monday
    cannot rollback to 'oraclecrm/crmdata@monday': more recent snapshots exist
    use '-r' to force deletion of the following snapshots:
    oraclecrm/crmdata@tuesday

    Notice that more recent snapshots (crmdata@tuesday) exist; therefore, you cannot roll back to an earlier snapshot unless you use the -r option, which deletes the more recent snapshots until the crmdata@monday snapshot becomes the most recent. Do not roll back yet.

    Question: If the oraclecrm/crmdata snapshot is rolled back to the Monday snapshot, what data will be lost?
    Answer: The file named /crmdata/cust/colochoc will be lost.

12. Delete the file named /crmdata/cust/colochoc.

    root@s11-server1:~# rm /crmdata/cust/colochoc

    Remove the customer colochoc to see if you can recover it.

13. List the descendant oraclecrm file systems. Roll back the oraclecrm/crmdata/cust@tuesday snapshot.
    root@s11-server1:~# zfs list -r oraclecrm
    NAME                             USED  AVAIL  REFER  MOUNTPOINT
    oraclecrm                       2.94M  1.93G    31K  /oraclecrm
    oraclecrm/crmdata               2.77M  1.93G    34K  /crmdata
    oraclecrm/crmdata@monday            0      -    34K  -
    oraclecrm/crmdata@tuesday           0      -    34K  -
    oraclecrm/crmdata/cust           948K  1.93G   929K  /crmdata/cust
    oraclecrm/crmdata/cust@monday     19K      -   929K  -
    oraclecrm/crmdata/cust@tuesday      0      -   929K  -
    oraclecrm/crmdata/mktg           929K  1.93G   929K  /crmdata/mktg
    oraclecrm/crmdata/mktg@monday       0      -   929K  -
    oraclecrm/crmdata/mktg@tuesday      0      -   929K  -
    oraclecrm/crmdata/om             929K  1.93G   929K  /crmdata/om
    oraclecrm/crmdata/om@monday         0      -   929K  -
    oraclecrm/crmdata/om@tuesday        0      -   929K  -

    root@s11-server1:~# zfs rollback oraclecrm/crmdata/cust@tuesday

    You rolled back (recovered) to the cust@tuesday backup. Does it include the colochoc customer file? You will find out in the next step.

14. Confirm that /crmdata/cust/colochoc is restored.

    root@s11-server1:~# ls /crmdata/cust/colochoc
    /crmdata/cust/colochoc

    Yes, your customer colochoc is restored. Because the Tuesday backup was taken after you created this customer, it was in your cust@tuesday backup.

15. Create a directory named /backup.

    root@s11-server1:~# mkdir /backup

    Create a separate directory to store your Monday backups. Your company wants to save these backups offsite because this is the end of the quarter for your company.

16. Use the zfs send command to recursively send the oraclecrm/crmdata@monday snapshot. Save the copy in a file named /backup/oraclecrm.crmdata.monday.
root@s11-server1:~# zfs send -Rv oraclecrm/crmdata@monday > \
/backup/oraclecrm.crmdata.monday
sending from @ to oraclecrm/crmdata@monday
sending from @ to oraclecrm/crmdata/om@monday
sending from @ to oraclecrm/crmdata/mktg@monday
sending from @ to oraclecrm/crmdata/cust@monday

Now you have only one /backup directory, which contains all the Monday backups. This directory can be archived on tape or sent to another machine on the network. See how simple the command is. Use -R to send all the snapshots in crmdata@monday. The backed up snapshot naming convention has changed slightly to enable differentiation between the snapshots and the backed up data.

17. Use the ls -lh command to list the size of the file in /backup. Verify that it approximately matches the size of the space used by the oraclecrm/crmdata file systems.

root@s11-server1:~# ls -lh /backup
total 1
-rw-r--r--   1 root     root        2.8M Dec 12 08:07 oraclecrm.crmdata.monday

root@s11-server1:~# zfs list /crmdata
NAME                USED  AVAIL  REFER  MOUNTPOINT
oraclecrm/crmdata  2.77M  1.93G    34K  /crmdata

Yes. It does match approximately.
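Step 11's refusal shows that rolling back past newer snapshots requires -r, which destroys them. The following added example (not part of the Oracle guide) lists what would be destroyed before you run it; the function names and the embedded snapshot list are constructed, and it assumes one snapshot name per line in creation order.

```shell
#!/bin/sh
# Added example: list the snapshots that `zfs rollback -r <target>` would destroy.
# Assumed input: one snapshot name per line, oldest first, as printed by
#   zfs list -H -t snapshot -o name -s creation -r <pool>

# Constructed sample mirroring the Monday and Tuesday snapshots of this practice.
sample_snapshots() {
cat <<'EOF'
oraclecrm/crmdata@monday
oraclecrm/crmdata/cust@monday
oraclecrm/crmdata/mktg@monday
oraclecrm/crmdata/om@monday
oraclecrm/crmdata@tuesday
oraclecrm/crmdata/cust@tuesday
oraclecrm/crmdata/mktg@tuesday
oraclecrm/crmdata/om@tuesday
EOF
}

# newer_snapshots TARGET   (ordered snapshot list on stdin)
# Prints the snapshots of the same dataset that come after TARGET.
# Snapshots of descendant datasets are ignored: rollback acts on one dataset.
# Exit status: 0 = target found, 2 = target not in the list, 64 = bad argument.
newer_snapshots() {
    target=$1
    case $target in
        *@*) ;;
        *) echo "not a snapshot name: $target" >&2; return 64 ;;
    esac
    awk -v target="$target" '
        BEGIN { ds = target; sub(/@.*/, "", ds); found = 0 }
        $0 == target { found = 1; next }
        found {
            d = $0; sub(/@.*/, "", d)
            if (d == ds) print $0
        }
        END { exit(found ? 0 : 2) }
    '
}

# rollback_plan TARGET   (ordered snapshot list on stdin)
# Returns 0 if a plain rollback works, 1 if -r would be needed,
# or the error status of newer_snapshots.
rollback_plan() {
    doomed=$(newer_snapshots "$1") || return $?
    if [ -z "$doomed" ]; then
        echo "SAFE: $1 is the most recent snapshot of its dataset"
        return 0
    fi
    echo "DESTRUCTIVE: 'zfs rollback -r $1' would destroy:"
    echo "$doomed" | sed 's/^/  /'
    return 1
}

# Demonstration on the constructed sample.
sample_snapshots | rollback_plan oraclecrm/crmdata@monday || true
```

On the server, the live list can be piped in instead of the sample: `zfs list -H -t snapshot -o name -s creation -r oraclecrm | rollback_plan oraclecrm/crmdata@monday`.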
18. Use the zfs send command to send the oraclecrm/crmdata/cust@monday snapshot to the /backup directory. Then list the size of the snapshot stream.

root@s11-server1:~# zfs send oraclecrm/crmdata/cust@monday > \
/backup/oraclecrm.crmdata.cust.monday

root@s11-server1:~# ls -lh /backup/oraclecrm.crmdata.cust.monday
-rw-r--r--   1 root     root        946K Oct 15 08:08 /backup/oraclecrm.crmdata.cust.monday

root@s11-server1:~# zfs list -r oraclecrm
NAME                             USED  AVAIL  REFER  MOUNTPOINT
oraclecrm                       2.97M  1.93G    31K  /oraclecrm
oraclecrm/crmdata               2.77M  1.93G    34K  /crmdata
oraclecrm/crmdata@monday            0      -    34K  -
oraclecrm/crmdata@tuesday           0      -    34K  -
oraclecrm/crmdata/cust           929K  1.93G   929K  /crmdata/cust
oraclecrm/crmdata/cust@monday     19K      -   929K  -
oraclecrm/crmdata/cust@tuesday     1K      -   929K  -
oraclecrm/crmdata/mktg           929K  1.93G   929K  /crmdata/mktg
oraclecrm/crmdata/mktg@monday       0      -   929K  -
oraclecrm/crmdata/mktg@tuesday      0      -   929K  -
oraclecrm/crmdata/om             929K  1.93G   929K  /crmdata/om
oraclecrm/crmdata/om@monday         0      -   929K  -
oraclecrm/crmdata/om@tuesday        0      -   929K  -

As you can see, the Monday snapshot for the cust file system and its Monday backup file consume approximately the same amount of storage space.

19. Destroy the oraclecrm/crmdata/cust file system. Confirm whether it is deleted.

root@s11-server1:~# zfs destroy -r oraclecrm/crmdata/cust
root@s11-server1:~# zfs list /crmdata/cust
/crmdata/cust: No such file or directory

You are destroying the cust file system so that you can test the recover (receive) function.

20. Use the zfs receive command to re-create the oraclecrm/crmdata/cust file system. Confirm the file system recovery by using the zfs list command.
root@s11-server1:~# zfs receive oraclecrm/crmdata/cust < \
/backup/oraclecrm.crmdata.cust.monday
root@s11-server1:~# zfs list /crmdata/cust
NAME                     USED  AVAIL  REFER  MOUNTPOINT
oraclecrm/crmdata/cust   929K  1.93G   929K  /crmdata/cust

This demonstrates that the recovery was successful.

21. Use the zfs list command to confirm the recovery of the full /crmdata/cust file system.

root@s11-server1:~# zfs list -r oraclecrm
NAME                             USED  AVAIL  REFER  MOUNTPOINT
oraclecrm                       2.96M  1.93G    31K  /oraclecrm
oraclecrm/crmdata               2.78M  1.93G    35K  /crmdata
oraclecrm/crmdata@monday            0      -    34K  -
oraclecrm/crmdata@tuesday           0      -    34K  -
oraclecrm/crmdata/cust           929K  1.93G   929K  /crmdata/cust
oraclecrm/crmdata/cust@monday       0      -   929K  -
oraclecrm/crmdata/mktg           929K  1.93G   929K  /crmdata/mktg
oraclecrm/crmdata/mktg@monday       0      -   929K  -
oraclecrm/crmdata/mktg@tuesday      0      -   929K  -
oraclecrm/crmdata/om             929K  1.93G   929K  /crmdata/om
oraclecrm/crmdata/om@monday         0      -   929K  -
oraclecrm/crmdata/om@tuesday        0      -   929K  -

This concludes the backup and recovery exercise. Keep the pool and destroy crmdata and its descendant file systems. You will create new file systems in the next practice. Confirm whether it has been destroyed.

root@s11-server1:~# zfs destroy -R oraclecrm/crmdata

Practice 4-3: Using a ZFS Clone

Overview

According to your predeployment test plan, in this practice, you continue to evaluate the data backup and recovery mechanism in Oracle Solaris 11.1. In Practice 4-2, you worked with the snapshots. In this practice, you work with the ZFS clone functionality.
You have a test file system called crmdata and you want to modify it, but you want to keep a version of the unmodified file system.

Tasks

1. Verify that the Sol11-Server1 virtual machine is running. If the virtual machine is not running, start it now.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password. Assume administrator privileges.

3. Execute the zfs list command to display the ZFS file systems that are currently configured in the oraclecrm pool. Create the crmdata file system by using the zfs create command.

root@s11-server1:~# zfs list -r oraclecrm
NAME        USED  AVAIL  REFER  MOUNTPOINT
oraclecrm   116K  2.01G    31K  /oraclecrm

root@s11-server1:~# zfs create oraclecrm/crmdata
root@s11-server1:~# zfs list -r oraclecrm
NAME                USED  AVAIL  REFER  MOUNTPOINT
oraclecrm           158K  1.94G    32K  /oraclecrm
oraclecrm/crmdata    31K  1.94G    31K  /oraclecrm/crmdata

4. Create a snapshot of the crmdata file system. Display the results.

Check whether the listsnapshots property is enabled so that the snapshots can be displayed.

root@s11-server1:~# zpool get listsnapshots oraclecrm
NAME       PROPERTY       VALUE  SOURCE
oraclecrm  listsnapshots  on     local
root@s11-server1:~# zfs snapshot oraclecrm/crmdata@Dec11
root@s11-server1:~# zfs list -r /oraclecrm
NAME                      USED  AVAIL  REFER  MOUNTPOINT
oraclecrm                 159K  1.94G    32K  /oraclecrm
oraclecrm/crmdata          31K  1.94G    31K  /oraclecrm/crmdata
oraclecrm/crmdata@Dec11      0      -    31K  -

5. Create a clone of the snapshot and confirm the creation.
root@s11-server1:~# zfs clone oraclecrm/crmdata@Dec11 \
oraclecrm/crmdata2
root@s11-server1:~# zfs list -r /oraclecrm
NAME                      USED  AVAIL  REFER  MOUNTPOINT
oraclecrm                 202K  1.94G    33K  /oraclecrm
oraclecrm/crmdata          31K  1.94G    31K  /oraclecrm/crmdata
oraclecrm/crmdata@Dec11      0      -    31K  -
oraclecrm/crmdata2         18K  1.94G    31K  /oraclecrm/crmdata2

Note that the snapshot is not mounted and the clone is. Remember from the previous exercise that the snapshots (and clones for that matter) do not take up any storage initially. Identify the snapshot and the clone in this display.

6. Compare the attributes of the snapshot and the clone.

root@s11-server1:~# ls -ld /oraclecrm/crmdata2
drwxr-xr-x   2 root     root           2 Dec 13 08:14 /oraclecrm/crmdata2
root@s11-server1:~# ls -ld /oraclecrm/crmdata@Dec11
/oraclecrm/crmdata@Dec11: No such file or directory
root@s11-server1:~# cd /oraclecrm/crmdata2
root@s11-server1:/oraclecrm/crmdata2# touch newcust
root@s11-server1:/oraclecrm/crmdata2# ls
newcust

The preceding commands demonstrate the major difference between the snapshot and the clone. The snapshot is not available and the clone is available, as well as modifiable.

7. Assuming that you have made the modifications in the clone, look at the space usage of the clone.

root@s11-server1:/oraclecrm/crmdata2# cd
root@s11-server1:~# zfs list -r /oraclecrm
NAME                      USED  AVAIL  REFER  MOUNTPOINT
oraclecrm                 203K  1.94G    33K  /oraclecrm
oraclecrm/crmdata          31K  1.94G    31K  /oraclecrm/crmdata
oraclecrm/crmdata@Dec11      0      -    31K  -
oraclecrm/crmdata2         19K  1.94G    31K  /oraclecrm/crmdata2

Note the used column for the clone. The space utilization has gone up when compared to the same column in step 5. Because you created a file in the clone, it will use more storage to keep track of the new file.

8. Now, you can proceed with replacing the main file system with the newly modified clone.

root@s11-server1:~# zfs promote oraclecrm/crmdata2
root@s11-server1:~# zfs list -r /oraclecrm
NAME                       USED  AVAIL  REFER  MOUNTPOINT
oraclecrm                  206K  1.94G    33K  /oraclecrm
oraclecrm/crmdata             0  1.94G    31K  /oraclecrm/crmdata
oraclecrm/crmdata2          50K  1.94G    31K  /oraclecrm/crmdata2
oraclecrm/crmdata2@Dec11    19K      -    31K  -

If you do the math, the used space of the clone crmdata2 now reflects the total of the main file system crmdata and the clone, that is, 31 KB + 19 KB = 50 KB. This means that the new file newcust in the clone has been added to crmdata.

9. Rename the main file system as crmdatabackup and rename the clone to replace the main file system. Display the results.

root@s11-server1:~# zfs rename oraclecrm/crmdata \
oraclecrm/crmdatabackup
root@s11-server1:~# zfs rename oraclecrm/crmdata2 oraclecrm/crmdata
root@s11-server1:~# zfs list -r oraclecrm
NAME                      USED  AVAIL  REFER  MOUNTPOINT
oraclecrm                 374K  1.94G    33K  /oraclecrm
oraclecrm/crmdata          50K  1.94G    31K  /oraclecrm/crmdata
oraclecrm/crmdata@Dec11    19K      -    31K  -
oraclecrm/crmdatabackup      0  1.94G    31K  /oraclecrm/crmdatabackup

Now you have the datasets that reflect the modified picture. If you need to go back to the previous version of crmdata, it is saved as crmdatabackup.

This method is useful when you want to maintain the previous version of the data or overlay the production file system with modified data.

10. Destroy oraclecrm by using the zpool destroy command. Confirm the action.

root@s11-server1:~# zpool destroy oraclecrm
root@s11-server1:~# zpool list
NAME    SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
rpool  31.8G  9.90G  21.8G  31%  1.00x  ONLINE  -

You will start afresh in the next practice.

Practice 4-4: Configuring ZFS Properties

Overview

According to your predeployment test plan, in this practice, you check to see how share, quotas, and reservation and data compression techniques work in Oracle Solaris 11.1. While working with the quota and reservation properties, you create a new user, make the home directory a ZFS file system, and set the properties on the user’s file system.

Task 1: Configuring Quota and Reservation Properties

1. Verify that the Sol11-Server1 virtual machine is running. If it is not running, start it now.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password. Assume primary administrator privileges.

3. Run the zpool list command to check the pools available. Use zfs list to display the file systems available.
root@s11-server1:~# zpool list
NAME    SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
rpool  31.8G  9.90G  21.8G  31%  1.00x  ONLINE  -
root@s11-server1:~# zfs list
NAME                     USED  AVAIL  REFER  MOUNTPOINT
rpool                   9.97G  21.3G    39K  /rpool
rpool/ROOT              1.89G  21.3G    31K  legacy
rpool/ROOT/solaris      1.89G  21.3G  1.61G  /
rpool/ROOT/solaris/var   232M  21.3G  87.3M  /var
rpool/dump              1.03G  21.3G  1.00G  -
rpool/export            6.01G  21.3G    33K  /export
rpool/export/IPS        5.74G  21.3G  5.74G  /export/IPS
rpool/export/home        211K  21.3G    37K  /export/home
rpool/swap              1.03G  21.3G  1.00G  -

Note that the /export/home file system is designed to store the file systems that become the home directories for users.

4. Now you can create the new user gail and use the ZFS file system as Gail’s home directory.

root@s11-server1:~# useradd -u 60015 -g 10 -d /export/home/gail \
-m gail
80 blocks
root@s11-server1:~# ls -ld /export/home/gail
drwxr-xr-x   2 gail     staff          7 Dec 13 08:22 /export/home/gail

5. Set a storage quota of 2 MB for Gail.

root@s11-server1:~# zfs set quota=2M rpool/export/home/gail
root@s11-server1:~# zfs get quota rpool/export/home/gail
NAME                    PROPERTY  VALUE  SOURCE
rpool/export/home/gail  quota     2M     local
root@s11-server1:~# zfs list /export/home/gail
NAME                    USED  AVAIL  REFER  MOUNTPOINT
rpool/export/home/gail   35K  1.97M    35K  /export/home/gail
root@s11-server1:~# df -h /export/home/gail
Filesystem              Size  Used  Available  Capacity  Mounted on
rpool/export/home/gail  2.0M   35K       2.0M        2%  /export/home/gail

Note the available space for Gail as displayed by multiple commands.

6. Switch to Gail’s account and create a few files to test the storage limit.
root@s11-server1:~# su - gail
Oracle Corporation      SunOS 5.11      11.1    November 2012
gail@s11-server1:~$ mkfile 1m /export/home/gail/crmindex
gail@s11-server1:~$ ls -l /export/home/gail/crmindex
-rw-------   1 gail     staff    1048576 Dec 13 08:24 /export/home/gail/crmindex

You needed to create a 1-MB file to store the CRM index information. Because Gail is within her storage quota, there are no issues.

7. Create more files in Gail’s account to test the storage limit.

gail@s11-server1:~$ mkfile 2m /export/home/gail/crmdoc
/export/home/gail/crmdoc: initialized 917504 of 2097152 bytes: Disc quota exceeded

Here you have only 1 MB left in the quota. The system allocated the requested amount but initialized only enough storage to meet the quota. It could spell potential problems if you use up all the allocated space.

gail@s11-server1:~$ ls -l /export/home/gail
total 4112
-rw-------   1 gail     staff    2097152 Dec 13 08:24 crmdoc
-rw-------   1 gail     staff    1048576 Dec 13 08:24 crmindex
-rw-r--r--   1 gail     staff        165 Dec 13 08:22 local.cshrc
-rw-r--r--   1 gail     staff        170 Dec 13 08:22 local.login
-rw-r--r--   1 gail     staff        130 Dec 13 08:22 local.profile
gail@s11-server1:~$ mkfile 2m /export/home/gail/crmreq
Could not open /export/home/gail/crmreq: Disc quota exceeded

This is as expected.

gail@s11-server1:~$ ls -l /export/home/gail
total 4112
-rw-------   1 gail     staff    2097152 Dec 13 08:24 crmdoc
-rw-------   1 gail     staff    1048576 Dec 13 08:24 crmindex
-rw-r--r--   1 gail     staff        165 Dec 13 08:22 local.cshrc
-rw-r--r--   1 gail     staff        170 Dec 13 08:22 local.login
-rw-r--r--   1 gail     staff        130 Dec 13 08:22 local.profile

8. Gail is now working on a different project and needs to reserve 10 MB of storage. So now, as the administrator, you want to make a storage reservation for Gail.

gail@s11-server1:~$ exit
logout
root@s11-server1:~# zfs set reservation=10M \
rpool/export/home/gail
cannot set property for 'rpool/export/home/gail': size is greater than available space

From the preceding steps, you know that Gail’s available space has been used up and the quota limit is still in force; therefore, you cannot make the storage reservation.

9. Remove the quota and the data files, and check the space utilization of the file systems.

root@s11-server1:~# zfs set quota=none rpool/export/home/gail

This will clear the quota property. Gail can create datasets of any size that are not to exceed the total pool storage available.

root@s11-server1:~# zfs get quota rpool/export/home/gail
NAME                    PROPERTY  VALUE  SOURCE
rpool/export/home/gail  quota     none   local
root@s11-server1:~# rm /export/home/gail/*
root@s11-server1:~# zfs list /export/home/gail
NAME                     USED  AVAIL  REFER  MOUNTPOINT
rpool/export/home/gail  2.04M  21.3G  2.04M  /export/home/gail

The used column shows the current space usage since the files were deleted.

root@s11-server1:~# zfs list /export/home
NAME               USED  AVAIL  REFER  MOUNTPOINT
rpool/export/home  246K  21.3G    38K  /export/home

Note that the used column currently shows 246 KB of storage used.

10. Reserve 10 MB of storage for Gail.

root@s11-server1:~# zfs set reservation=10M \
rpool/export/home/gail
root@s11-server1:~# zfs get reservation rpool/export/home/gail
NAME                    PROPERTY     VALUE  SOURCE
rpool/export/home/gail  reservation  10M    local

Confirmed!

11. Now check the file systems.

root@s11-server1:~# zfs list /export/home/gail
NAME                     USED  AVAIL  REFER  MOUNTPOINT
rpool/export/home/gail  33.5K  21.3G  33.5K  /export/home/gail

Note that the reserved space has not been added to Gail’s home directory.

root@s11-server1:~# zfs list /export/home
NAME                USED  AVAIL  REFER  MOUNTPOINT
rpool/export/home  10.2M  21.3G    38K  /export/home

However, note that space has been reserved in /export/home, which is the parent dataset. This demonstrates that reservations are considered in the used disk space calculation of the parent dataset.

Task 2: Configuring the Share Property

In this task, you share Gail’s home directory. In this situation, an assumption is made that her home directory contains an application documentation that is required by other users in other locations on the network. In the real world, you may have another application directory for this purpose that may need to be shared.

1. Verify that the Sol11-Server1 virtual machine is running. If it is not, start it at this time. Also start the Sol11-Desktop virtual machine.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password. Assume administrator privileges.

3. Run the zpool list command to check the pools that are available. Use zfs list to display the file systems that are available. Create a file in Gail’s directory.
root@s11-server1:~# zfs list
NAME                         USED  AVAIL  REFER  MOUNTPOINT
rpool                       9.97G  21.3G    39K  /rpool
rpool/ROOT                  1.89G  21.3G    31K  legacy
rpool/ROOT/solaris          1.89G  21.3G  1.61G  /
rpool/ROOT/solaris/var       232M  21.3G  87.3M  /var
rpool/dump                  1.03G  21.3G  1.00G  -
rpool/export                6.02G  21.3G   274M  /export
rpool/export/IPS            5.74G  21.3G  5.74G  /export/IPS
rpool/export/home           10.2M  21.3G    38K  /export/home
rpool/export/home/gail      33.5K  21.3G  33.5K  /export/home/gail
rpool/export/home/jholt       35K  21.3G    35K  /export/home/jholt
rpool/export/home/jmoose      35K  21.3G    35K  /export/home/jmoose
rpool/export/home/oracle      34K  21.3G    34K  /export/home/oracle
rpool/export/home/panna       35K  21.3G    35K  /export/home/panna
rpool/export/home/sstudent    35K  21.3G    35K  /export/home/sstudent
rpool/swap                  1.03G  21.3G  1.00G  -

root@s11-server1:~# cd /export/home/gail
root@s11-server1:/export/home/gail# touch crmreq

In Gail’s home directory, you created the crmreq file.

4. Using the chmod command, change the permissions on Gail’s home directory.

root@s11-server1:/export/home/gail# chmod 777 /export/home/gail
root@s11-server1:/export/home/gail# ls -ld /export/home/gail
drwxrwxrwx   2 gail     staff          4 Dec 13 08:27 /export/home/gail

You are setting these permissions only for training purposes. In the real world, you will use appropriate permissions as required by your business environment and the policies.

5. Share her home directory with other users on the network.
root@s11-server1:/export/home/gail# zfs set share=name=gail,\
path=/export/home/gail,prot=nfs rpool/export/home/gail
name=gail,path=/export/home/gail,prot=nfs
root@s11-server1:/export/home/gail# zfs set sharenfs=on \
rpool/export/home/gail

Enable the share property on /export/home/gail.

root@s11-server1:/export/home/gail# share
gail    /export/home/gail       nfs     sec=sys,rw
export_home_gail        /export/home/gail       nfs     sec=sys,rw

This confirms that the file system is being shared.

root@s11-serv1:/export/home/gail# svcs -a | grep nfs
disabled       Dec_13   svc:/network/nfs/cbd:default
disabled       Dec_13   svc:/network/nfs/client:default
online         Dec_13   svc:/network/nfs/fedfs-client:default
online          8:31:55 svc:/network/nfs/status:default
online          8:31:56 svc:/network/nfs/rquota:default
online          8:31:56 svc:/network/nfs/mapid:default
online          8:31:56 svc:/network/nfs/nlockmgr:default
online          8:32:00 svc:/network/nfs/server:default

The system has brought the NFS server online. It is always a good idea to check this.

Note: You may need to manually share the NFS file system if it fails to do so automatically. If the NFS server is not enabled, issue this command:

# share -F nfs -o rw /export/home/gail

6. Log in to the Sol11-Desktop virtual machine as the oracle user. Use oracle1 as the password. Open a terminal window and assume administrator privileges. Check if you can see the share.

root@s11-desktop:~# dfshares s11-server1
RESOURCE                          SERVER       ACCESS  TRANSPORT
s11-server1:/export/home/gail     s11-server1
s11-server1:/export/share         s11-server1
. . .

Yes, you can see the resource shared by the s11-server1 server.

7. Create the mount point and mount the shared resource.

root@s11-desktop:~# mkdir /gaildir
root@s11-desktop:~# mount -F nfs s11-server1:/export/home/gail /gaildir
root@s11-desktop:~# cd /gaildir
root@s11-desktop:/gaildir# ls
crmreq

You can see the shared file crmreq in Gail’s home directory.

root@s11-desktop:/gaildir# touch crmdata
root@s11-desktop:/gaildir# ls
crmdata crmreq

You can create another file in the shared directory, meaning you have read/write access.

8. Because you have finished working with Gail’s directory, you can unmount it.

root@s11-desktop:/gaildir# cd
root@s11-desktop:~# umount /gaildir

If you are unable to unmount the /gaildir directory, use -f to unmount it.

root@s11-desktop:~# umount -f /gaildir

9. Return to the s11-server1 VM and stop sharing the directory.

root@s11-server1:~# zfs set sharenfs=off rpool/export/home/gail

Task 3: Configuring ZFS Compression

1. Verify that the Sol11-Server1 virtual machine is running.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password. Assume primary administrator privileges.

3. Using the command zpool, create the oraclecrm pool using disks c7t2d0 and c7t3d0. Run the zfs list command to list the space currently used by oraclecrm. Make a note of the value indicated.
root@s11-server1:~# zpool list
NAME    SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
rpool  31.8G  9.90G  21.8G  31%  1.00x  ONLINE  -
root@s11-server1:~# zpool create oraclecrm c7t2d0 c7t3d0
'oraclecrm' successfully created, but with no redundancy; failure of one device will cause loss of the pool
root@s11-server1:~# zfs list -r oraclecrm
NAME       USED  AVAIL  REFER  MOUNTPOINT
oraclecrm   88K  1.94G    31K  /oraclecrm

Currently, you have the pool available to you with no other file systems, which you confirm by using the -r option.

4. Use the ls command with the -lh options to list the size of the archive file in /opt/ora/data. Make a note of it.

root@s11-server1:~# ls -lh /opt/ora/data/custarchive.tar
-rw-r--r--   1 root     root        786K Dec 13 09:09 /opt/ora/data/custarchive.tar

The new file takes up approximately 786 KB.

5. Create a directory named /oraclecrm/cmp to hold the files that you will copy to the file system.

root@s11-server1:~# mkdir /oraclecrm/cmp

This directory will be used to store the compressed customer data.

6. Use the zfs get command to display the current settings of the compression and compressratio properties for oraclecrm. Verify that compression is off and the compression ratio is 1.00x.

root@s11-server1:~# zfs get compression,compressratio oraclecrm
NAME       PROPERTY       VALUE  SOURCE
oraclecrm  compression    off    default
oraclecrm  compressratio  1.00x  -

The compression property is set to off by default. Because compression is off, the compressratio property is set to 1.00x. A ratio of 1-to-1 for data means no compression.

7. Copy /opt/ora/data/custarchive.tar to /oraclecrm/cmp/custarchive.tar. List the file to display its size.

root@s11-server1:~# cp /opt/ora/data/custarchive.tar \
/oraclecrm/cmp/custarchive.tar
root@s11-server1:~# ls -lh /oraclecrm/cmp
total 1
-rw-r--r--   1 root     root        786K Dec 13 09:47 custarchive.tar

After copying the file into the pool, it consumes approximately the same space.

8. Use the zfs list command to list the space used by oraclecrm. Does the space used match the size of /oraclecrm/cmp/custarchive.tar?

root@s11-server1:~# zfs list oraclecrm
NAME       USED  AVAIL  REFER  MOUNTPOINT
oraclecrm  992K  1.94G   931K  /oraclecrm

Yes, the zfs list command also confirms the same space consumption.

9. Use zfs get to verify that the compression ratio for oraclecrm is still 1.00x.

root@s11-server1:~# zfs get compressratio oraclecrm
NAME       PROPERTY       VALUE  SOURCE
oraclecrm  compressratio  1.00x  -

Yes, compressratio is still unchanged.

10. Set the compression property for oraclecrm to gzip and verify that the new value is set.

root@s11-server1:~# zfs set compression=gzip oraclecrm
root@s11-server1:~# zfs get compression oraclecrm
NAME       PROPERTY     VALUE  SOURCE
oraclecrm  compression  gzip   local

You set the compression property on oraclecrm file system to gzip. Now notice the space usage of the files, which get stored in the oraclecrm file system.

root@s11-server1:~# zfs set compression=ggg oraclecrm
cannot set property for 'oraclecrm': 'compression' must be one of 'on | off | lzjb | gzip | gzip-[1-9] | zle'

The purpose of this command is to demonstrate the different types of compression property values that are available. You intentionally specify ggg so that you can see valid property values. Optionally, you can experiment with these compression types and compare the compression ratio.
11. Copy /opt/ora/data/custarchive.tar to /oraclecrm/cmp/archive2.tar. List all the files in /oraclecrm/cmp to display their sizes. Are the files in /oraclecrm/cmp the same size?

root@s11-server1:~# cp /opt/ora/data/custarchive.tar \
/oraclecrm/cmp/archive2.tar
root@s11-server1:~# ls -lh /oraclecrm/cmp
total 3529
-rw-r--r--   1 root     root        786K Dec 13 09:11 archive2.tar
-rw-r--r--   1 root     root        786K Dec 13 09:09 custarchive.tar

Yes, they are equal as displayed by the ls command.

12. Use the zfs list command to list the space used by oraclecrm. Does the space used match the sum of the size of the two files?

No, the output reports a smaller size than the sum of the two files.

root@s11-server1:~# zfs list oraclecrm
NAME        USED  AVAIL  REFER  MOUNTPOINT
oraclecrm  1.12M  1.94G  1.06M  /oraclecrm

With reference to the preceding step, the sum of the space utilized by the two files would be 1572 KB as against 1.12 MB displayed by the zfs list command.

13. Use the zfs get command to display the current setting of the compressratio property for oraclecrm. Notice that compressratio is now 1.55x.

root@s11-server1:~# zfs get compressratio oraclecrm
NAME       PROPERTY       VALUE  SOURCE
oraclecrm  compressratio  1.68x  -

The ratio is 1.68x, which means that data is being compressed at a ratio of 1.68-1 (approximately 59%).

14. Copy /opt/ora/data/custarchive.tar to /oraclecrm/cmp/archive3.tar. List all the files in /oraclecrm/cmp to display their sizes. Are the files in /oraclecrm/cmp the same size?
root@s11-server1:~# cp /opt/ora/data/custarchive.tar \
/oraclecrm/cmp/archive3.tar
root@s11-server1:~# ls -lh /oraclecrm/cmp
total 2405
-rw-r--r--   1 root     root        786K Dec 13 09:11 archive2.tar
-rw-r--r--   1 root     root        786K Dec 13 09:12 archive3.tar
-rw-r--r--   1 root     root        786K Dec 13 09:09 custarchive.tar

Yes, they are.

15. Use the du -h command to display the space used by the files in /oraclecrm/cmp. How does the amount of space used by these files compare?

root@s11-server1:~# du -h /oraclecrm/cmp/*
152K   /oraclecrm/cmp/archive2.tar
152K   /oraclecrm/cmp/archive3.tar
898K   /oraclecrm/cmp/custarchive.tar

The custarchive.tar file uses the same space as the ls -lh command indicates. The other two files show a percentage of the original size of the files. The custarchive.tar file was created in the cmp file system before enabling compression. This was done intentionally, so that you can see the difference between space usage by compressed and uncompressed files.

16. Use the zfs get command to display the current value of the compressratio property for oraclecrm. What is the current compression ratio? How has it changed and why?

root@s11-server1:~# zfs get compressratio oraclecrm
NAME       PROPERTY       VALUE  SOURCE
oraclecrm  compressratio  2.20x  -

The compression ratio is now 2.20x. It has increased with the addition of the second compressed file. A larger portion of the data in the pool is now being compressed. This demonstrates that as you add more data files in a ZFS file system with compression enabled, compression further reduces space utilization.

17. Remove the /oraclecrm/cmp/custarchive.tar file.
root@s11-server1:~# rm /oraclecrm/cmp/custarchive.tar

18. Use the zfs get command to display the current value of the compressratio property for oraclecrm. What is the current compression ratio? How has it changed and why?

root@s11-server1:~# zfs get compressratio oraclecrm
NAME       PROPERTY       VALUE  SOURCE
oraclecrm  compressratio  5.41x  -

The compression ratio has increased again with the removal of the uncompressed file.

19. Use the zfs list command to list the space used by oraclecrm and du -h to list the space used by the remaining two files in /oraclecrm/cmp. Does the refer value reported by zfs list reflect the sum of the space used by the two files in /oraclecrm/cmp?

root@s11-server1:~# zfs list oraclecrm
NAME       USED  AVAIL  REFER  MOUNTPOINT
oraclecrm  398K  1.94G  336K   /oraclecrm
root@s11-server1:~# du -h /oraclecrm/cmp/*
152K /oraclecrm/cmp/archive2.tar
152K /oraclecrm/cmp/archive3.tar

Yes, the two values are correlated.

20. Using the zpool destroy command, delete the oraclecrm pool. Confirm the action.

root@s11-server1:~# zpool destroy oraclecrm
root@s11-server1:~# zpool list
NAME   SIZE   ALLOC  FREE   CAP  DEDUP  HEALTH  ALTROOT
rpool  31.8G  9.90G  21.8G  31%  1.00x  ONLINE  -

You have destroyed the pool because you have finished using it.
Practice 4-5: Troubleshooting ZFS Failures

Overview
In this practice, you will work with ZFS device and data problems. For demonstration purposes, you will simulate the problems and correct the problems. This practice includes the following activities:
• Troubleshooting ZFS device issues
• Troubleshooting ZFS data errors

Task 1: Troubleshooting ZFS Device Issues
This task includes the following activities:
• Creating ZFS components
• Configuring syslog for Fault Manager Daemon (FMD) messages
• Troubleshooting a ZFS device error in a raidz pool

Task 1A: Creating the ZFS Components

1. Verify that the Sol11-Server1 virtual machine is running. If the virtual machine is not running, start it now.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password. Assume primary administrator privileges.

oracle@s11-server1:~$ su -
Password: oracle1
Oracle Corporation SunOS 5.11 11.1 September 2012
root@s11-server1:~#

3. Using the zpool commands, create a raidz pool with three virtual devices. Verify the results.

root@s11-server1:~# format
Searching for disks...done
AVAILABLE DISK SELECTIONS:
0. c7t0d0 cyl 1022 alt 2 hd 64 sec 32> cyl 1022 alt 2 hd 64 sec 32> cyl 1022 alt 2 hd 64 sec 32> cyl 1022 alt 2 hd 64 sec 32> cyl 1022 alt 2 hd 64 sec 32> cyl 1022 alt 2 hd 64 sec 32> cyl 1022 alt 2 hd 64 sec 32>
/pci@0,0/pci8086,2829@d/disk@6,0
8.
c7t9d0
/pci@0,0/pci8086,2829@d/disk@7,0
Specify disk (enter its number): ^C
root@s11-server1:~# zpool create assetpool raidz c7t3d0 c7t4d0 c7t5d0
root@s11-server1:~# zpool list
NAME       SIZE   ALLOC  FREE   CAP  DEDUP  HEALTH  ALTROOT
assetpool  2.95G  241K   2.95G  0%   1.00x  ONLINE  -
rpool      31.8G  9.90G  21.8G  31%  1.00x  ONLINE  -
root@s11-server1:~# zpool status assetpool
pool: assetpool
state: ONLINE
scan: none requested
config:
NAME        STATE   READ WRITE CKSUM
assetpool   ONLINE     0     0     0
raidz1-0    ONLINE     0     0     0
c7t3d0      ONLINE     -
c7t4d0      ONLINE
c7t5d0      ONLINE
errors: No known data errors
root@s11-server1:~# zpool status -x
all pools are healthy

4. Use the zfs command to create an inventory file system in your assetpool.

root@s11-server1:~# zfs create assetpool/inventory
root@s11-server1:~# zfs mount | grep inventory
assetpool/inventory /assetpool/inventory
root@s11-server1:~# ls -lh /opt/ora/data/custarchive.tar
-rw-r--r-- 1 root root 786K Dec 13 09:09 /opt/ora/data/custarchive.tar

For training purposes, you use the custarchive.tar file to simulate business application files.

5. Use the cp command to copy the custarchive file into the inventory file system.

root@s11-server1:~# cp /opt/ora/data/custarchive.tar \
/assetpool/inventory/custarchive.tar

Task 1B: Configuring syslog for FMD Messages

1. Create a new file named /var/adm/messages.fmd for Fault Management Daemon to log the device-related messages.

root@s11-server1:~# touch /var/adm/messages.fmd

2. Back up the current /etc/syslog.conf file.
root@s11-server1:~# cp /etc/syslog.conf /etc/syslog.conf.orig

3. Edit the /etc/syslog.conf file. Enter a new line below the existing line as shown.

root@s11-server1:~# vi /etc/syslog.conf

Existing line:
*.err;kern.debug;daemon.notice;mail.crit	/var/adm/messages

New line:
daemon.err	/var/adm/messages.fmd

Make it look similar to the following:
*.err;kern.debug;daemon.notice;mail.crit	/var/adm/messages
daemon.err	/var/adm/messages.fmd

Remember to separate the columns by using tabs.

What is the purpose of this entry in syslog? This step will ensure that all ZFS device-related messages are logged in a separate file for this practice. (Normally, FMD writes hardware-related messages to the /var/adm/messages file.)

4. Use the svcadm command to refresh the syslog service for the new configuration to take effect.

root@s11-server1:~# svcadm refresh system-log

Task 1C: Troubleshooting a ZFS Device Error in a raid-z Pool

1. Verify that you can read the contents of your data file /assetpool/inventory/custarchive.tar.

root@s11-server1:~# tar tvf /assetpool/inventory/custarchive.tar
…
-r--r--r-- root/bin 0 Oct 20 22:18 usr/share/commonlisp/
-r--r--r-- root/bin 0 Oct 20 22:18 usr/share/commonlisp/source/
-r--r--r-- root/bin 0 Oct 20 22:27 usr/share/commonlisp/source/gpg-error/
-r--r--r-- root/bin 2206 Oct 20 09:01 usr/share/commonlisp/source/gpg-error/gpg-error-package.lisp
…
…
…

Can you access your data in the inventory file system? Yes

Note that the contents are irrelevant in this situation.
The output of the file that you are viewing was created to simulate a business application data file and is only for training purposes.

2. Display the status of assetpool and verify that all devices are online.

root@s11-server1:~# zpool status assetpool
pool: assetpool
state: ONLINE
scan: none requested
config:
NAME        STATE   READ WRITE CKSUM
assetpool   ONLINE     0     0     0
raidz1-0    ONLINE     0     0     0
c7t3d0      ONLINE     -
c7t4d0      ONLINE
c7t5d0      ONLINE
errors: No known data errors

3. Using the prtvtoc command, display the current vtoc configuration of the c7t5d0 disk.

root@s11-desktop:~# prtvtoc /dev/rdsk/c7t5d0
* /dev/rdsk/c7t5d0 partition map
*
* Dimensions:
*     512 bytes/sector
* 2097152 sectors
* 2097085 accessible sectors
*
* Flags:
*   1: unmountable
*  10: read-only
*
* Unallocated space:
*       First     Sector    Last
*       Sector     Count    Sector
*          34       222       255
*
*                          First     Sector    Last
* Partition  Tag  Flags    Sector     Count    Sector  Mount Directory
       0      4    00        256   2080479   2080734
       8     11    00    2080735     16384   2097118

Note that you will be working with the highlighted slice 0 entry.

4. Save vtoc and cause the c7t5d0 disk to appear as failed. Use the /var/tmp/vtoc5 file as indicated to make slice 0 disappear.

root@s11-server1:~# prtvtoc /dev/rdsk/c7t5d0 > /var/tmp/vtoc5.orig
root@s11-server1:~# prtvtoc /dev/rdsk/c7t5d0 > /var/tmp/vtoc5

Note that you have saved a copy of c7t5d0 vtoc to two files because you will modify the /var/tmp/vtoc5 file and keep /var/tmp/vtoc5.orig as a copy of your original vtoc configuration.
Delete the slice 0 configuration from vtoc (the highlighted entry in the preceding step).

root@s11-server1:~# vi /var/tmp/vtoc5

Verify that the slice 0 line is deleted.

root@s11-server1:~# tail /var/tmp/vtoc5
*  10: read-only
*
* Unallocated space:
*       First     Sector    Last
*       Sector     Count    Sector
*          34       222       255
*
*                          First     Sector    Last
* Partition  Tag  Flags    Sector     Count    Sector  Mount Directory
       8     11    00    2158559     16384   2174942

Is the slice 0 line available? No, it has been deleted.

What is the purpose of deleting this entry? So that you can simulate a device problem. The system will not be able to use this disk because its vtoc configuration is not available, thus affecting the ZFS pool.

5. Use the fmthard command to copy the modified vtoc to the disk.

root@s11-server1:~# fmthard -s /var/tmp/vtoc5 /dev/rdsk/c7t5d0s0
fmthard: New volume table of contents now in place.

What is the purpose of this command? To overlay the current c7t5d0 vtoc

6. Repeat steps 1 and 2 in the current task.

Question: Why is the system showing no errors with disk c7t5d0, whereas its vtoc is corrupted?
Answer: Because the system is working with vtoc and its configuration from memory. You need to recycle the disk.

7. Using the zpool command, take the disk offline and attempt to put it back online. Display the status of the pool.
root@s11-server1:~# zpool offline assetpool c7t5d0
root@s11-server1:~# zpool online assetpool c7t5d0
warning: device 'c7t5d0' onlined, but remains in faulted state
use 'zpool clear' to restore a faulted device
root@s11-server1:~#
root@s11-server1:~# zpool status assetpool
pool: assetpool
state: DEGRADED
status: One or more devices are unavailable in response to persistent
        errors. Sufficient replicas exist for the pool to continue
        functioning in a degraded state.
action: Determine if the device needs to be replaced, and clear the
        errors using 'zpool clear' or 'fmadm repaired', or replace the
        device with 'zpool replace'.
        Run 'zpool status -v' to see device specific details.
config:
NAME        STATE     READ WRITE CKSUM
assetpool   DEGRADED     0     0     0
raidz1-0    DEGRADED     0     0     0
c7t3d0      ONLINE       0     0     0
c7t4d0      ONLINE       0     0     0
c7t5d0      UNAVAIL      0     0     0
errors: No known data errors

In your raidz pool, is disk c7t5d0 available? No, it cannot be opened.

Note that the message displayed on your system may be different.

8. Using the more command, view the contents of your log file /var/adm/messages.fmd.
root@s11-server1:~# more /var/adm/messages.fmd
Dec 12 05:17:08 s11-server1 fmd: [ID 377184 daemon.error] SUNWMSG-ID: ZFS-8000-LR, TYPE: Fault, VER: 1, SEVERITY: Major
Dec 12 05:17:08 s11-server1 EVENT-TIME: Wed Dec 12 05:17:08 UTC 2012
Dec 12 05:17:08 s11-server1 PLATFORM: VirtualBox, CSN: 0, HOSTNAME: s11-server1
Dec 12 05:17:08 s11-server1 SOURCE: zfs-diagnosis, REV: 1.0
Dec 12 05:17:08 s11-server1 EVENT-ID: fbe8ab80-a530-e5a3-bc1aa8709067f39e
Dec 12 05:17:08 s11-server1 DESC: ZFS device 'id1,sd@SATA_____VBOX_HARDDISK____VBc5298f81-7a69e7ac/a' in pool 'assetpool' failed to open.
Dec 12 05:17:08 s11-server1 AUTO-RESPONSE: An attempt will be made to activate a hot spare if available.
Dec 12 05:17:08 s11-server1 IMPACT: Fault tolerance of the pool may be compromised.
Dec 12 05:17:08 s11-server1 REC-ACTION: Use 'fmadm faulty' to provide a more detailed view of this event. Run 'zpool status lx' for more information. Please refer to the associated reference document at http://support.oracle.com/msg/ZFS-8000-LR for the latest service procedures and policies regarding this diagnosis.
root@s11-server1:~#

The FMD facility logged the device corruption messages in the configured file.

9. Using the zpool command, replace the faulty disk with an available disk. Clear any pool-level errors logged by ZFS. Verify the results.

root@s11-server1:~# zpool replace assetpool c7t5d0 c7t2d0

Which disk is replacing which disk? You are replacing c7t5d0 with c7t2d0.

root@s11-server1:~# zpool clear assetpool
root@s11-server1:~# zpool status assetpool
pool: assetpool
state: ONLINE
scan: resilvered 524K in 0h0m with 0 errors on Wed Dec 14 09:37:38 2012
config:
NAME        STATE   READ WRITE CKSUM
assetpool   ONLINE     0     0     0
raidz1-0    ONLINE     0     0     0
c7t3d0      ONLINE     -     -     -
c7t4d0      ONLINE
c7t2d0      ONLINE
errors: No known data errors

Has the faulty disk been replaced? Yes
Is the pool healthy? Yes

10. Using the scrub command, have ZFS streamline the data in the raidz pool.

root@s11-server1:~# zpool scrub assetpool
root@s11-server1:~# zpool status assetpool
pool: assetpool
state: ONLINE
scan: scrub repaired 0 in 0h0m with 0 errors on Wed Dec 14 18:05:55 2012
config:
NAME        STATE   READ WRITE CKSUM
assetpool   ONLINE     0     0     0
raidz1-0    ONLINE     0     0     0
c7t3d0      ONLINE     -
c7t4d0      ONLINE
c7t2d0      ONLINE
errors: No known data errors

Your display may be a bit different.

What is the purpose of the scrub operation? To ensure data population on the new disk

11. Using the zpool command, destroy the pool assetpool.

root@s11-server1:~# zpool destroy assetpool

Task 2: Troubleshooting ZFS Data Errors in a Mirror Pool

In this task, you inject errors into your data file. Then you implement corrective measures to make sure that the data is restored from the mirror copy. The following activities are covered in this task:
• Running an explicit scrub
• Restoring data in the mirror pool

Note: Your command output displays may be different than the displays in the practice. In some cases, ZFS may indicate a different number of errors or no errors.
It may show errors at different points in the process based upon when it performs certain internal data integrity processes, for example, the scrub operation. The steps in this task demonstrate multiple possible scenarios to assist in understanding why your output would be unpredictable. Some of the factors governing this unpredictability are:
• ZFS is monitoring the errors but can discover all the data errors only after a full scrub. Based upon where it is in the scrub process, it will be able to display the so-far discovered errors. So for this reason, the number can change in subsequent status displays.
• Because ZFS is performing the scrub operation periodically, it depends when it launches it. This will affect the timing of the results displayed to you.
• Based upon the volume of data generated, ZFS may be able to work with the same disk or utilize the spare disk.

Based upon multiple variables in the situation, you will get different output every time you perform this task.

The main objective of this task is to demonstrate a situation where the results can be different with every iteration of the task, while at the same time showing you how ZFS discovers and corrects the errors. This process of discovering and repairing is called self-healing, which is an extremely useful function of ZFS.

1. Verify that the Sol11-Server1 virtual machine is running. If the virtual machine is not running, start it now.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password. Assume administrator privileges.

oracle@S11-server1:~$ su -
Password: oracle1
Oracle Corporation SunOS 5.11 11.0 November 2012
root@s11-server1:~#
3. Use the zpool command and create a mirror pool. Check the health of the pool.

root@s11-server1:~# zpool create assetpool mirror c7t3d0 c7t4d0 spare c7t5d0
root@s11-server1:~# zpool status assetpool
pool: assetpool
state: ONLINE
scan: none requested
config:
NAME        STATE   READ WRITE CKSUM
assetpool   ONLINE     0     0     0
mirror-0    ONLINE     0     0     0
c7t3d0      ONLINE     0     0     0
c7t4d0      ONLINE     0     0     0
spares
c7t5d0      AVAIL
errors: No known data errors

4. Use the tar command to create a demonstration data file. Let it generate data for a minute or more, and then break the command.

root@s11-server1:~# tar cvf /assetpool/data.tar /usr
…
…
/usr/bin/nvidia-xconfig
/usr/bin/alacarte
/usr/bin/iceauth
/usr/bin/ps2ascii
/usr/bin/gvfs-mount
/usr/bin/pmap
/usr/bin/smproxy
/usr/bin/pkglint
/usr/bin/nautilus-connect-server
…
root@s11-server1:~# zfs list /assetpool
NAME       USED  AVAIL  REFER  MOUNTPOINT
assetpool  154M  822M   154M   /assetpool

For training purposes, you are creating a data file with a significant amount of data in it. Your displays and data will be different.

5. Using the dd command, corrupt the data on the first disk.

root@s11-server1:~# dd if=/dev/zero of=/dev/dsk/c7t3d0 oseek=100 bs=8192 count=10000 conv=notrunc
10000+0 records in
10000+0 records out

If you are not familiar with the dd command, refer to the man pages. Using full blocks, you are overlaying 10,000 blocks of 8 kilobytes with zeros.
Because you are using the oseek option, you are bypassing the beginning data (VTOC and other system-reserved sectors) on the disk.

6. Using the tar command, display your data.

root@s11-server1:~# tar tvf /assetpool/data.tar
…
…
…
drwxr-xr-x root/sys 0 Oct 20 17:34 usr/
lrwxrwxrwx root/root 0 Oct 20 17:34 usr/tmp -> ../var/tmp
lrwxrwxrwx root/root 0 Oct 20 17:34 usr/mail -> ../var/mail
drwxr-xr-x root/bin 0 Oct 20 17:34 usr/snadm/
…
…
…

Is your data still there? Yes

7. Using the zpool command, display the status of the pool.

root@s11-server1:~# zpool status assetpool
pool: assetpool
state: ONLINE
scan: none requested
config:
NAME        STATE   READ WRITE CKSUM
assetpool   ONLINE     0     0     0
mirror-0    ONLINE     0     0     0
c7t3d0      ONLINE     0     0    15
c7t4d0      ONLINE     0     0     0
spares
c7t5d0      AVAIL
errors: No known data errors

Note the checksum errors on the disk c7t3d0. ZFS has discovered some data errors.

Your display may not show these errors until the scrub is performed in step 11. ZFS discovers the errors based upon multiple factors and one of them is when it performs the scrub.

8. Using the zpool commands, take the corrupted disk offline and then bring it online to refresh its status.

root@s11-server1:~# zpool offline assetpool c7t3d0
root@s11-server1:~# zpool online assetpool c7t3d0
warning: device 'c7t3d0' onlined, but remains in degraded state

9. Using the zpool command, display the pool’s status.
root@s11-server1:~# zpool status assetpool
pool: assetpool
state: ONLINE
config:
NAME        STATE   READ WRITE CKSUM
assetpool   ONLINE     0     0     0
mirror-0    ONLINE     0     0     0
c7t3d0      ONLINE     0     0    19
c7t4d0      ONLINE     0     0     0
spares
c7t5d0      AVAIL
errors: No known data errors

Is the pool functional? Yes

What actions has ZFS taken? Due to data errors, it is trying to recover the data as indicated by the resilvering status. By recycling the disk, it has discovered more data errors.

Your display may not show these errors until the scrub is performed in step 11. ZFS discovers the errors based upon multiple factors and one of them is when it performs the scrub.

Note: Output varies from system to system.

10. Using the zpool command, clear the errors and display the pool’s status.

root@s11-server1:~# zpool clear assetpool
root@s11-server1:~# zpool status assetpool
pool: assetpool
state: ONLINE
scan: resilvered 9K in 0h0m with 0 errors on Thu Dec 15 07:15:31 2012
config:
NAME        STATE   READ WRITE CKSUM
assetpool   ONLINE     0     0     0
mirror-0    ONLINE     0     0     0
c7t3d0      ONLINE     0     0     0
c7t4d0      ONLINE     0     0     0
spares
c7t5d0      AVAIL
errors: No known data errors

By clearing the errors, now the corrupted disk seems to be operational and does not report any errors.

11. Using the zpool command, scrub the data on the pool, and display the pool’s health.

root@s11-server1:~# zpool scrub assetpool
root@s11-server1:~# zpool status assetpool
pool: assetpool
state: ONLINE
status: One or more devices has been diagnosed as degraded. An attempt
        was made to correct the error. Applications are unaffected.
action: Determine if the device needs to be replaced, and clear the
        errors using 'zpool clear' or 'fmadm repaired', or replace the
        device with 'zpool replace'.
        Run 'zpool status -v' to see device specific details.
scan: scrub in progress since Wed Dec 12 05:59:16 2012
      310M scanned out of 976M at 62.1M/s, 0h0m to go
      2.01M repaired, 31.79% done
config:
NAME        STATE   READ WRITE CKSUM
assetpool   ONLINE     0     0     0
mirror-0    ONLINE     0     0     0
c7t3d0      ONLINE     0     0   343  (repairing)
c7t4d0      ONLINE     0     0     0
spares
c7t5d0      AVAIL
errors: No known data errors

Note that ZFS is in the process of scrubbing the data as reported in the scan progress. You may see a completely different output display based upon when ZFS runs into data errors. This display is included here as a possible outcome.

The following display is another possible outcome you may receive, once again based upon when and how ZFS encounters the errors.

pool: assetpool
state: DEGRADED
status: One or more devices has been diagnosed as degraded. An attempt
        was made to correct the error. Applications are unaffected.
action: Determine if the device needs to be replaced, and clear the
        errors using 'zpool clear' or 'fmadm repaired', or replace the
        device with 'zpool replace'.
        Run 'zpool status -v' to see device specific details.
scan: scrub in progress since Wed Dec 12 05:59:16 2012
      310M scanned out of 976M at 62.1M/s, 0h0m to go
      2.01M repaired, 31.79% done
config:
NAME        STATE     READ WRITE CKSUM
assetpool   DEGRADED     0     0     0
mirror-0    DEGRADED     0     0     0
c7t3d0      DEGRADED     0     0    31  (repairing)
c7t4d0      ONLINE       0     0     0
c7t5d0      ONLINE       0     0     0
errors: No known data errors

Notice that in this example the pool is in the degraded state and that the spare disk c7t5d0 you assigned in step 3 is now in use and has taken the place of the degraded disk c7t3d0.

Now, attempt to clear these errors and then display the status of the pool.

root@s11-server1:~# zpool clear assetpool
root@s11-server1:~# zpool status assetpool

Note that the pool and all the disks are now back online, all the errors have been corrected, and the spare disk c7t5d0 is still in use. The spare disk should become available by the time you issue the next status command in the following step.

12. Repeat the zpool status command to determine if the scrubbing is complete.

root@s11-server1:~# zpool status assetpool

In your case, if the scrub is completed before you issue the above command, your results may be very different. The purpose of this step is to display the scrub progress.

13. Using the zpool commands, clear the errors and display status of the pool.
root@s11-server1:~# zpool clear assetpool
root@s11-server1:~# zpool status assetpool
pool: assetpool
state: ONLINE
scan: scrub repaired 47.9M in 0h0m with 0 errors on Thu Dec 15 07:17:26 2012
config:
NAME        STATE   READ WRITE CKSUM
assetpool   ONLINE     0     0     0
mirror-0    ONLINE     0     0     0
c7t3d0      ONLINE     0     0     0
c7t4d0      ONLINE     0     0     0
errors: No known data errors

Now you know that the data corruption has been repaired after the scrub operation.

14. Using the tar command, display your data.

root@s11-server1:~# tar tvf /assetpool/data.tar
…
…
…
drwxr-xr-x root/sys 0 Oct 20 17:34 usr/
lrwxrwxrwx root/root 0 Oct 20 17:34 usr/tmp -> ../var/tmp
lrwxrwxrwx root/root 0 Oct 20 17:34 usr/mail -> ../var/mail
drwxr-xr-x root/bin 0 Oct 20 17:34 usr/snadm/
…
…
…

Is your data still there? Yes

15. Using the zpool destroy command, delete the pool.

root@s11-server1:~# zpool destroy assetpool
root@s11-server1:~# zpool list
NAME   SIZE   ALLOC  FREE   CAP  DEDUP  HEALTH  ALTROOT
rpool  31.8G  5.61G  26.1G  17%  1.00x  ONLINE  -

This concludes the ZFS troubleshooting topic.
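The status displays in Task 2 show a pool whose state stays ONLINE while c7t3d0 accumulates checksum errors, so a state-only check misses the early sign. The following is an added example, not part of the Oracle guide: a shell function that scans zpool status text for rows with a non-ONLINE state or non-zero error counters. The function names and both sample texts are assumptions, constructed from the displays in this practice.

```shell
#!/bin/sh
# Added example: scan `zpool status` text for devices that need attention.
# Both samples are constructed, modelled on the displays in Task 2.

# Pool reports ONLINE, but one mirror side is accumulating checksum errors.
SAMPLE_ONLINE='  pool: assetpool
 state: ONLINE
  scan: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        assetpool   ONLINE       0     0     0
          mirror-0  ONLINE       0     0     0
            c7t3d0  ONLINE       0     0    15
            c7t4d0  ONLINE       0     0     0
        spares
          c7t5d0    AVAIL

errors: No known data errors'

# Pool caught mid-scrub after the device was diagnosed as degraded.
SAMPLE_DEGRADED='  pool: assetpool
 state: DEGRADED
status: One or more devices has been diagnosed as degraded. An attempt
        was made to correct the error. Applications are unaffected.
  scan: scrub in progress since Wed Dec 12 05:59:16 2012
config:

        NAME        STATE     READ WRITE CKSUM
        assetpool   DEGRADED     0     0     0
          mirror-0  DEGRADED     0     0     0
            c7t3d0  DEGRADED     0     0    31  (repairing)
            c7t4d0  ONLINE       0     0     0
            c7t5d0  ONLINE       0     0     0

errors: No known data errors'

# zpool_findings: read `zpool status` text on stdin and print one line per
# row that needs attention, in the form
#   <pool> <device> <state> read=<n> write=<n> cksum=<n>
# A row is reported when its state is neither ONLINE nor AVAIL, or when any
# of its READ/WRITE/CKSUM counters is non-zero.
zpool_findings() {
    awk '
        # Counters may be missing (spares) or "-"; only digits count.
        function nonzero(v) { return (v ~ /^[0-9]/ && v !~ /^0+$/) }
        function fld(v)     { return (v == "" ? "-" : v) }

        $1 == "pool:"   { pool = $2; in_cfg = 0; next }
        $1 == "config:" { in_cfg = 1; next }
        $1 == "errors:" { in_cfg = 0; next }

        # Skip everything outside the config table, the header row, and
        # single-word rows such as "spares".
        !in_cfg || NF < 2 || $1 == "NAME" { next }

        {
            bad_state = ($2 != "ONLINE" && $2 != "AVAIL")
            if (bad_state || nonzero($3) || nonzero($4) || nonzero($5))
                printf "%s %s %s read=%s write=%s cksum=%s\n",
                       pool, $1, $2, fld($3), fld($4), fld($5)
        }
    '
}

# zpool_healthy: succeed only when the status text on stdin has no findings.
zpool_healthy() {
    [ -z "$(zpool_findings)" ]
}

# Demonstration over the constructed samples.
printf '%s\n' "$SAMPLE_ONLINE" | zpool_findings
printf '%s\n' "$SAMPLE_DEGRADED" | zpool_findings
```

On a live system the same function reads from a pipe, for example zpool status | zpool_findings.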
Practices for Lesson 5: Configuring Network and Traffic Failover
Chapter 5

Practice Overview for Lesson 5

Practices Overview
Following the predeployment test plan, it is now time to review the Oracle Solaris 11.1 networking functionality. Your company’s business applications, such as Oracle CRM, work with the data that is being transmitted via the network interfaces configured on server and client hosts. Because you will be monitoring the transaction traffic load and managing the network interfaces, it is critical for you to know how the networking is configured. To provide you with an orientation to the network, the following topics are covered in this practice:
• Modifying the Reactive Network configuration
• Configuring the Network File System
• Configuring link aggregation
• Implementing link failover by using IP multipathing

Note: Your command output displays may be different than the displays in the practice, especially storage, processes, and other session-oriented content.
no a Look at your checklist to see where you are. You have just completed managing the business s a h application data and you are now ready to test the network configuration and network failover. ) ฺ e m id co Checklist u ฺ l i G Oracle Solaris 11.1 Predeployment √ ma dent g √ Managing the Image Packaging System o@ (IPS)SandtuPackages d l s aon Multiple iHosts √ n h t Installing Oracle Solaris 11.1 o oฺr use r e √ Managingic the Businessto Application Data c ( e s o eNetwork n and Traffic Failover ldConfiguring c a i l n o R Configuring Zones and the Virtual Network o er Cic Managing Services and Service Properties Configuring Privileges and Role-Based Access Control Securing System Resources by Using Oracle Solaris Auditing Managing Processes and Priorities Evaluating System Resources Monitoring and Troubleshooting Software Failures Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Practices for Lesson 5: Configuring Network and Traffic Failover Chapter 5 - Page 2 le b a r e f Practice 5-1: Managing a Reactive Network Configuration Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ Overview Reactive network is a technology that simplifies and automates network configuration on Oracle Solaris 11.1. The key reactive network components are the network profiles, which allow you to specify various network configurations to be created depending on the current network conditions. In this practice, you perform the following tasks: • Assess the current Reactive Network configuration. • Create and deploy a Reactive Network profile. Task 1: Assessing the Current Reactive Network Configuration 1. 2. 3. Note: For Reactive Network to configure the host’s network interface “auto-magically,” the DHCP service must be available. Verify that the Sol11-Server1 and Sol11-Desktop virtual machines are running. If the virtual machines are not running, start them now. 
2. Log in to the Sol11-Desktop virtual machine as the oracle user with oracle1 as the password.
3. Click the Network Preferences icon to determine the NCPs and network interfaces (NCUs) that are currently enabled by Reactive Network. Click OK to continue.
4. Open a terminal window, and su to root.
5. Display the current network configuration for s11-desktop.
root@s11-desktop:~# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/v4           static   ok           192.168.0.111/24
lo0/v6            static   ok           ::1/128
net0/v6           addrconf disabled     ::
6. List all available Reactive Network profiles and their current state.
root@s11-desktop:~# netadm list
TYPE        PROFILE        STATE
ncp         Automatic      disabled
ncp         start_state    online
ncu:phys    net0           online
ncu:ip      net0           online
ncp         DefaultFixed   disabled
loc         Automatic      offline
loc         NoNet          offline
loc         aces           online
7. List the Reactive Network Automatic profile.
root@s11-desktop:~# netadm list Automatic
TYPE        PROFILE        STATE
ncp         Automatic      disabled
loc         Automatic      offline
8. List the Reactive Network start_state profile.
root@s11-desktop:~# netadm list start_state
TYPE        PROFILE        STATE
ncp         start_state    online
ncu:phys    net0           online
ncu:ip      net0           online
9. List the Reactive Network location profiles.
root@s11-desktop:~# netadm list -p loc
TYPE        PROFILE        STATE
loc         Automatic      offline
loc         NoNet          offline
loc         aces           online
10. List all the phys and ip network configuration units (NCUs) in the active network configuration profiles (NCPs).
root@s11-desktop:~# netadm list -c phys
TYPE        PROFILE        STATE
ncu:phys    net0           online
root@s11-desktop:~# netadm list -c ip
TYPE        PROFILE        STATE
ncu:ip      net0           online
11. List all the Reactive Network profiles and their auxiliary state.
root@s11-desktop:~# netadm list -x
TYPE        PROFILE        STATE      AUXILIARY STATE
ncp         Automatic      disabled   disabled by administrator
ncp         start_state    online     active
ncu:phys    net0           online     interface/link is up
ncu:ip      net0           online     interface/link is up
ncp         DefaultFixed   disabled   disabled by administrator
loc         Automatic      offline    conditions for activation are unmet
loc         NoNet          offline    conditions for activation are unmet
loc         aces           online     active
12. Use the netcfg export command to create backups of the start_state and aces profiles.
root@s11-desktop:~# netcfg export -f start_state_ncp_backup ncp \
start_state
root@s11-desktop:~# netcfg export -f aces_loc_backup loc aces
root@s11-desktop:~# ls *backup
aces_loc_backup  start_state_ncp_backup
13. Use the netcfg utility to select the start_state profile and list its NCUs.
root@s11-desktop:~# netcfg
netcfg> select ncp start_state
netcfg:ncp:start_state> list
ncp:start_state
        management-type         reactive
NCUs:
        phys    net0
        ip      net0
14. Select the phys NCU and display its properties.
netcfg:ncp:start_state> select ncu phys net0
netcfg:ncp:start_state:ncu:net0> list
ncu:net0
        type                    link
        class                   phys
        parent                  "start_state"
        activation-mode         manual
        enabled                 true
netcfg:ncp:start_state:ncu:net0> end
15. Select the ip NCU and display its properties.
netcfg:ncp:start_state> select ncu ip net0
netcfg:ncp:start_state:ncu:net0> list
ncu:net0
        type                    interface
        class                   ip
        parent                  "start_state"
        enabled                 true
        ip-version              ipv4
        ipv4-addrsrc            static
        ipv4-addr               "192.168.0.111/24"
        ipv6-addrsrc            dhcp,autoconf
netcfg:ncp:start_state:ncu:net0> end
netcfg:ncp:start_state> end
netcfg>
16. Select the aces location profile and list its properties.
netcfg> select loc aces
netcfg:loc:aces> list
loc:aces
        activation-mode                 conditional-all
        conditions                      "system domain is mydomain.com"
        enabled                         true
        nameservices                    dns
        nameservices-config-file        "/etc/nsswitch.dns"
        dns-nameservice-configsrc       manual
        dns-nameservice-domain          "mydomain.com"
        dns-nameservice-servers         "192.168.0.100"
netcfg:loc:aces> end
netcfg> exit
root@s11-desktop:~#

Task 2: Creating and Deploying a Reactive Network Profile
1. Create an NCP named oracle_profile.
root@s11-desktop:~# netcfg
netcfg> create ncp oracle_profile
2. Create a phys NCU for the net1 data link.
netcfg:ncp:oracle_profile> create ncu phys net1
Created ncu 'net1'. Walking properties ...
activation-mode (manual) [manual|prioritized]> manual
mac-addr>
autopush>
mtu>
netcfg:ncp:oracle_profile:ncu:net1> list
ncu:net1
        type                    link
        class                   phys
        parent                  "oracle_profile"
        activation-mode         manual
        enabled                 true
netcfg:ncp:oracle_profile:ncu:net1> end
Committed changes
netcfg:ncp:oracle_profile> list
ncp:oracle_profile
        management-type         reactive
NCUs:
        phys    net1
3. Create an ip NCU for the net1 data link.
netcfg:ncp:oracle_profile> create ncu ip net1
Created ncu 'net1'. Walking properties ...
ip-version (ipv4,ipv6) [ipv4|ipv6]> ipv4
ipv4-addrsrc [dhcp|static]> static
ipv4-addr> 192.168.0.111
ipv4-default-route>
netcfg:ncp:oracle_profile:ncu:net1> list
ncu:net1
        type                    interface
        class                   ip
        parent                  "oracle_profile"
        enabled                 true
        ip-version              ipv4
        ipv4-addrsrc            static
        ipv4-addr               "192.168.0.111"
netcfg:ncp:oracle_profile:ncu:net1> verify
All properties verified
netcfg:ncp:oracle_profile:ncu:net1> commit
Committed changes
netcfg:ncp:oracle_profile:ncu:net1> end
netcfg:ncp:oracle_profile> list ncu ip net1
ncu:net1
        type                    interface
        class                   ip
        parent                  "oracle_profile"
        enabled                 true
        ip-version              ipv4
        ipv4-addrsrc            static
        ipv4-addr               "192.168.0.111"
netcfg:ncp:oracle_profile> end
netcfg>
4. Create a location (loc) NCP named classroom.
netcfg> create loc classroom
Created loc 'classroom'. Walking properties ...
activation-mode (manual) [manual|conditional-any|conditional-all]> conditional-all
conditions> "system-domain is mydomain.com"
nameservices (dns) [dns|files|nis|ldap]> dns
nameservices-config-file ("/etc/nsswitch.dns")>
dns-nameservice-configsrc (dhcp) [manual|dhcp]> manual
dns-nameservice-domain> "mydomain.com"
dns-nameservice-servers> "192.168.0.100"
dns-nameservice-search>
dns-nameservice-sortlist>
dns-nameservice-options>
nfsv4-domain>
ipfilter-config-file>
ipfilter-v6-config-file>
(Press Return)
ipnat-config-file>
ippool-config-file>
ike-config-file>
ipsecpolicy-config-file>
netcfg:loc:classroom> list
loc:classroom
        activation-mode                 conditional-all
        conditions                      "system-domain is mydomain.com"
        enabled                         false
        nameservices                    dns
        nameservices-config-file        "/etc/nsswitch.dns"
        dns-nameservice-configsrc       manual
        dns-nameservice-domain          "mydomain.com"
        dns-nameservice-servers         "192.168.0.100"
netcfg:loc:classroom> verify
All properties verified
netcfg:loc:classroom> commit
Committed changes
netcfg:loc:classroom> end
netcfg> exit
5. Use the netcfg list command to display all the profiles that exist at the current scope.
root@s11-desktop:~# netcfg list
NCPs:
        Automatic
        start_state
        DefaultFixed
        oracle_profile
Locations:
        Automatic
        NoNet
        aces
        classroom
6. Use the netcfg export command to create backups of your oracle_profile and classroom profiles.
root@s11-desktop:~# netcfg export -f oracle_ncp_backup ncp \
oracle_profile
root@s11-desktop:~# netcfg export -f classroom_loc_backup \
loc classroom
root@s11-desktop:~# ls *backup
aces_loc_backup       oracle_ncp_backup
classroom_loc_backup  start_state_ncp_backup
7. Destroy the classroom profile and show the results.
root@s11-desktop:~# netcfg destroy loc classroom
root@s11-desktop:~# netcfg list
NCPs:
        Automatic
        start_state
        DefaultFixed
        oracle_profile
Locations:
        aces
        Automatic
        NoNet
8. Recover the classroom profile from your backup and show the results.
root@s11-desktop:~# netcfg -f classroom_loc_backup
Configuration read.
root@s11-desktop:~# netcfg list
NCPs:
        Automatic
        start_state
        DefaultFixed
        oracle_profile
Locations:
        Automatic
        NoNet
        aces
        classroom
9. Use the netadm enable command to enable the classroom and oracle_profile profiles.
root@s11-desktop:~# netadm enable classroom
Enabling loc 'classroom'
root@s11-desktop:~# netadm enable oracle_profile
Enabling ncp 'oracle_profile'
10. Reboot the system to verify that oracle_profile and classroom are the default Reactive Network profiles.
root@s11-desktop:~# init 6
11. After the system reboots, log in as oracle. Use oracle1 as the password.
12. Open the Network Preferences dialog box. Click OK to continue.
Note that the net1 network interface is now connected to the network.
13. Open a terminal window and su to root. Use the ping command to verify communication with a remote host.
root@s11-desktop:~# ping s11-server1
s11-server1 is alive.
14. Power-off the Sol11-Desktop virtual machine.

Practice 5-2: Configuring the Network File System

Overview
In this practice, you configure the NFS server as well as the NFS client. You share a documentation folder from the server and access it on the client host. The following activities are covered:
• Configuring the NFS server
• Configuring the NFS client

Task 1: Configuring the NFS Server
1. Verify that the Sol11-Server1 virtual machine is running.
2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password. Assume primary administrator privileges.
3. Display the current status of the ZFS pool and the file systems.
root@s11-server1:~# zpool list
NAME    SIZE   ALLOC  FREE   CAP  DEDUP  HEALTH  ALTROOT
rpool   31.8G  9.90G  21.8G  31%  1.00x  ONLINE  -
root@s11-server1:~# zfs list -r /rpool
NAME                     USED   AVAIL  REFER  MOUNTPOINT
rpool                    9.98G  21.3G  39K    /rpool
rpool/ROOT               1.89G  21.3G  31K    legacy
rpool/ROOT/solaris       1.89G  21.3G  1.61G  /
rpool/ROOT/solaris/var   235M   21.3G  90.2M  /var
rpool/dump               1.03G  21.3G  1.00G  -
rpool/export             6.02G  21.3G  274M   /export
rpool/export/IPS         5.74G  21.3G  5.74G  /export/IPS
rpool/export/home        10.2M  21.3G  38K    /export/home
rpool/export/home/gail   33.5K  21.3G  33.5K  /export/home/gail
rpool/swap               1.03G  21.3G  1.00G  -
Your display may be different.
4. Before you create the docs file system, you want to make sure that it does not exist already.
Using the zfs create command, create a ZFS file system called rpool/export/home/docs. Confirm the creation of the file system.
root@s11-server1:~# zfs create rpool/export/home/docs
root@s11-server1:~# zfs list /export/home/docs
NAME                     USED  AVAIL  REFER  MOUNTPOINT
rpool/export/home/docs   31K   21.3G  31K    /export/home/docs
What is the mount point of rpool/export/home/docs? /export/home/docs
5. Using the touch command, create a file called assetlist in /export/home/docs.
root@s11-server1:~# cd /export/home/docs
root@s11-server1:/export/home/docs# touch assetlist
root@s11-server1:/export/home/docs# cd
6. Use the zfs commands to share the ZFS file system.
root@s11-server1:~# zfs set \
share=name=docs,path=/export/home/docs,prot=nfs \
rpool/export/home/docs
name=docs,path=/export/home/docs,prot=nfs
root@s11-server1:~# zfs set sharenfs=on rpool/export/home/docs
root@s11-server1:~# zfs set compression=on rpool/export/home/docs
root@s11-server1:~# share
docs    /export/home/docs  nfs  sec=sys,rw
shares  /export/share      nfs  sec=sys,rw
This shows that the /export/home/docs resource is being shared.
7. Verify that the nfs services are up and running.
root@s11-server1:~# svcs -a | grep nfs
disabled  9:13:15 svc:/network/nfs/cbd:default
disabled  9:13:15 svc:/network/nfs/client:default
online    9:13:15 svc:/network/nfs/fedfs-client:default
online    9:13:15 svc:/network/nfs/status:default
online    9:13:15 svc:/network/nfs/mapid:default
online    9:13:18 svc:/network/nfs/rquota:default
online    9:13:36 svc:/network/nfs/nlockmgr:default
online    9:13:37 svc:/network/nfs/server:default
Is nfs/server up and running?
Yes

Task 2: Configuring the NFS Client
1. Verify that Sol11-Server1 is still running. Start the Sol11-Desktop virtual machine and log in as the oracle user. Use oracle1 as the password. Open a terminal window and assume administrator privileges.
2. Use the dfshares command to confirm whether you can view the shared resource from the s11-desktop virtual machine. Create a directory called /docs to use as the mount point.
root@s11-desktop:~# dfshares s11-server1
RESOURCE                        SERVER       ACCESS  TRANSPORT
s11-server1:/export/home/docs   s11-server1  -       -
root@s11-desktop:~# mkdir /docs
3. Use the mount command to specify the resource to be mounted on the /docs directory.
root@s11-desktop:~# mount -F nfs -o ro s11-server1:/export/home/docs \
/docs
root@s11-desktop:~# cd /docs
root@s11-desktop:/docs# ls
assetlist
This demonstrates that the assetlist file in /export/home/docs can be shared on s11-desktop from s11-server1.
4. Using the umount command, unmount the /docs directory.
root@s11-desktop:/docs# cd
root@s11-desktop:~# umount /docs
Note: If you are unable to unmount, then run the umount -f /docs command.
5. Return to s11-server1 and stop sharing the directory.
root@s11-server1:~# zfs set sharenfs=off rpool/export/home/docs
6. Using the share command, check whether any resource is being shared.
root@s11-server1:~# share
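Added example (not part of the Oracle activity guide): the share output in Task 1, step 6 lists both resources as sec=sys,rw, which means read-write for any client under AUTH_SYS, and the -o ro mount in Task 2 is a client-side choice that does not narrow what the server grants. The script below flags such entries in share output; the function names are hypothetical and the last two sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the activity guide. Function names are hypothetical.
# Audits the text printed by the Solaris `share` command, whose lines look like
#   <share-name> <path> <protocol> <comma-separated options>

audit_shares() {
    # stdin:  output of `share`
    # stdout: one finding per line, "<FINDING> <share-name> <path>"
    while read -r name path proto opts _rest; do
        [ -n "$name" ] || continue          # skip blank lines
        [ "$proto" = "nfs" ] || continue    # only NFS shares are checked here

        access_opt=no    # an rw/ro option was given explicitly
        world_rw=no      # bare "rw": writable by every client that can reach the server
        kerberos=no      # at least one krb5, krb5i or krb5p security mode is listed
        root_list=no     # root=<hosts>: remote root keeps root access on the share

        old_ifs=$IFS
        IFS=,
        set -f                              # no filename expansion while splitting
        for opt in $opts; do
            case "$opt" in
                rw)            access_opt=yes; world_rw=yes ;;
                rw=*|ro|ro=*)  access_opt=yes ;;
                sec=*krb5*)    kerberos=yes ;;
                root=*)        root_list=yes ;;
            esac
        done
        set +f
        IFS=$old_ifs

        # share_nfs defaults to read-write for all clients when no rw/ro is given.
        if [ "$access_opt" = no ]; then world_rw=yes; fi

        if [ "$world_rw" = yes ]; then
            echo "WORLD_RW $name $path"
        fi
        # sec=sys (AUTH_SYS) accepts whatever UID/GID the client claims.
        if [ "$kerberos" = no ]; then
            echo "AUTH_SYS_ONLY $name $path"
        fi
        if [ "$root_list" = yes ]; then
            echo "ROOT_ACCESS $name $path"
        fi
    done
    return 0
}

sample_share_output() {
    # The first two lines are the `share` output shown in Task 1, step 6;
    # the last two are constructed for contrast.
    cat <<'EOF'
docs /export/home/docs nfs sec=sys,rw
shares /export/share nfs sec=sys,rw
crm /export/crm nfs sec=krb5p,rw=s11-desktop
pub /export/pub nfs sec=sys,ro,root=s11-desktop
EOF
}

# On a live server the input would be:  share | audit_shares
sample_share_output | audit_shares
```
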

Practice 5-3: Configuring a Link Aggregation

Overview
Link aggregation requires at least two network interfaces. The network interfaces must be unplumbed before they can be aggregated. In this practice, you combine four network interfaces into one link aggregation called crmpipe0 to create a larger network pipe for the CRM application. Then you manage the interfaces, which includes removing, adding, and eventually deleting the crmpipe0 link aggregation. This portrays different network management situations while working with the CRM application (for example, adjusting the bandwidth as needed).

Task 1: Configuring a Link Aggregation
1. Verify that the Sol11-Server1 is running and that you have assumed administrator privileges. Disable IP filtering.
root@s11-server1:~# ipf -D
2. Delete the IP interface for the net0 data link.
root@s11-server1:~# ipadm delete-ip net0
3. List the network links that are currently configured in the system.
root@s11-server1:~# dladm show-link
LINK       CLASS  MTU   STATE    OVER
net1       phys   1500  unknown  --
net2       phys   1500  unknown  --
net0       phys   1500  unknown  --
net3       phys   1500  unknown  --
4. Create a link aggregation named crmpipe0 that consists of the net0, net1, net2, and net3 network interfaces, and show the results.
root@s11-server1:~# dladm create-aggr -l net0 -l net1 \
-l net2 -l net3 crmpipe0
root@s11-server1:~# dladm show-link
LINK       CLASS  MTU   STATE  OVER
net1       phys   1500  up     --
net2       phys   1500  up     --
net0       phys   1500  up     --
net3       phys   1500  up     --
crmpipe0   aggr   1500  up     net0 net1 net2 net3
root@s11-server1:~$ dladm show-aggr
LINK       MODE   POLICY  ADDRPOLICY  LACPACTIVITY  LACPTIMER
crmpipe0   trunk  L4      auto        off           short
root@s11-server1:~$
5. Create an IP interface for the crmpipe0 data link and show the results.
root@s11-server1:~# ipadm create-ip crmpipe0
root@s11-server1:~# ipadm show-if
IFNAME     CLASS     STATE  ACTIVE  OVER
lo0        loopback  ok     yes     --
crmpipe0   ip        down   no      --
6. Run the ipadm command to create the static IPv4 address for the s11-server1 system on the crmpipe0 interface, and show the results.
root@s11-server1:~# ipadm create-addr -T static \
-a 192.168.0.100/24 crmpipe0/v4
root@s11-server1:~# ipadm show-addr
ADDROBJ       TYPE    STATE  ADDR
lo0/v4        static  ok     127.0.0.1/8
crmpipe0/v4   static  ok     192.168.0.100/24
lo0/v6        static  ok     ::1/128
7. Log in to the Sol11-Desktop system and use the ping command to verify connectivity to the s11-server1 server.
root@s11-desktop:~# ping s11-server1
s11-server1 is alive
Note: Reboot the system if the ping command does not work.

Task 2: Removing the Link Aggregation
1. From Sol11-Server1, delete the crmpipe0 IP interface by using the ipadm command.
root@s11-server1:~# ipadm delete-ip crmpipe0
root@s11-server1:~# ipadm show-addr
ADDROBJ   TYPE    STATE  ADDR
lo0/v4    static  ok     127.0.0.1/8
lo0/v6    static  ok     ::1/128
root@s11-server1:~# dladm show-link
LINK       CLASS  MTU   STATE  OVER
net1       phys   1500  up     --
net2       phys   1500  up     --
net0       phys   1500  up     --
net3       phys   1500  up     --
crmpipe0   aggr   1500  up     net0 net1 net2 net3
2. Using the dladm command, delete the crmpipe0 aggregation.
root@s11-server1:~# dladm delete-aggr crmpipe0
root@s11-server1:~# dladm show-link
LINK       CLASS  MTU   STATE    OVER
net1       phys   1500  unknown  --
net2       phys   1500  unknown  --
net0       phys   1500  unknown  --
net3       phys   1500  unknown  --
root@s11-server1:~# ipadm show-if
IFNAME     CLASS     STATE  ACTIVE  OVER
lo0        loopback  ok     yes     --
Currently, the link aggregation has been removed.
Note: At this time, you want to keep these links unconfigured because they will be needed in this state for the next practice.

Practice 5-4: Configuring IPMP

Overview
IP network multipathing (IPMP) provides physical interface failure detection, transparent network access failover, and packet load balancing. An IPMP configuration typically consists of two or more physical interfaces on the same system that are attached to the same LAN.
These interfaces can belong to an IPMP group in either of the following configurations:
• Active-active configuration: In this configuration, all underlying interfaces are active. An active interface is an IP interface that is currently available for use by the IPMP group. By default, an underlying interface becomes active when you configure the interface to become a part of an IPMP group.
• Active-standby configuration: In this configuration, at least one interface is administratively configured as standby. If an active interface fails, the standby interface is automatically deployed as needed. You can configure as many standby interfaces as you want for an IPMP group.
In this practice, you configure both active-active and active-standby configurations.

Task 1: Creating an Active-Active IPMP Configuration
In this task, you configure an active-active IPMP group that consists of two network interfaces.
1. Verify that the Sol11-Server1 and Sol11-Desktop virtual machines are running. If any virtual machine is not running, start it now.
2. Log in to the Sol11-Server1 virtual machine as the oracle user and su to root.
3. Use the ipadm command to display the IP network interfaces that are currently configured in the system.
root@s11-server1:~# ipadm show-if
IFNAME     CLASS     STATE  ACTIVE  OVER
lo0        loopback  ok     yes     --
net0       ip        ok     yes     --
Note: If you performed the previous practice, you will not see net0 in this display. This step is shown here in case you perform this practice independently.
4. If you did not delete the net0 network interface as part of Practice 5-3, delete it now and display the results. If you have already deleted the network interface, go to step 5.
root@s11-server1:~# ipadm delete-ip net0
Note: If you performed the previous practice, you will not see net0 in this display.
This step is shown here in case you perform this practice independently.
root@s11-server1:~# ipadm show-if
IFNAME     CLASS     STATE  ACTIVE  OVER
lo0        loopback  ok     yes     --
When configuring IPMP, you must assign all network interfaces that are attached to the same LAN to an IPMP group. In this step, you deleted the net0 interface in preparation for configuring it in an IPMP group.
5. Rename the net0 data link to link0_ipmp0 and the net1 data link to link1_ipmp0. Show the results.
root@s11-server1:~# dladm rename-link net0 link0_ipmp0
root@s11-server1:~# dladm rename-link net1 link1_ipmp0
root@s11-server1:~# dladm show-link
LINK          CLASS  MTU   STATE    OVER
link1_ipmp0   phys   1500  unknown  --
net2          phys   1500  unknown  --
link0_ipmp0   phys   1500  unknown  --
net3          phys   1500  unknown  --
6. Create IP interfaces for the link0_ipmp0 and link1_ipmp0 data links. Show the results.
root@s11-server1:~# ipadm create-ip link0_ipmp0
root@s11-server1:~# ipadm create-ip link1_ipmp0
root@s11-server1:~# ipadm show-if
IFNAME        CLASS     STATE  ACTIVE  OVER
lo0           loopback  ok     yes     --
link0_ipmp0   ip        down   no      --
link1_ipmp0   ip        down   no      --
7. Create an IPMP group named ipmp0.
root@s11-server1:~# ipadm create-ipmp ipmp0
8. Add the link0_ipmp0 and link1_ipmp0 IP interfaces to the ipmp0 IPMP group and show the results.
root@s11-server1:~# ipadm add-ipmp -i link0_ipmp0 \
-i link1_ipmp0 ipmp0
root@s11-server1:~# ipmpstat -g
GROUP   GROUPNAME  STATE  FDT  INTERFACES
ipmp0   ipmp0      ok     --   link0_ipmp0 link1_ipmp0
9. Assign two static IP addresses to the IPMP interface to be used for data access.
root@s11-server1:~# ipadm create-addr -T static \
-a 192.168.0.112/24 ipmp0/v4add1
root@s11-server1:~# ipadm create-addr -T static \
-a 192.168.0.113/24 ipmp0/v4add2
10. Assign a static IP address to each IPMP subinterface to be used for link testing.
root@s11-server1:~# ipadm create-addr -T static \
-a 192.168.0.142/24 link0_ipmp0/test
Dec 14 02:59:46 s11-server1 in.mpathd[113]: At least one NOFAILOVER test address has been configured on group ‘ipmp0’; link-state fault-detection setting will be ignored for the group
If you receive the above message, ignore it because link-state fault-detection is not your objective.
root@s11-server1:~# ipadm create-addr -T static \
-a 192.168.0.143/24 link1_ipmp0/test
11. Display the data and test the IP addresses.
root@s11-server1:~# ipadm show-addr
ADDROBJ            TYPE    STATE  ADDR
lo0/v4             static  ok     127.0.0.1/8
link0_ipmp0/test   static  ok     192.168.0.142/24
link1_ipmp0/test   static  ok     192.168.0.143/24
ipmp0/v4add1       static  ok     192.168.0.112/24
ipmp0/v4add2       static  ok     192.168.0.113/24
lo0/v6             static  ok     ::1/128
12. Use the ipmpstat command to display the IPMP address information.
root@s11-server1:~# ipmpstat -an
ADDRESS         STATE  GROUP  INBOUND      OUTBOUND
::              down   ipmp0  --           --
192.168.0.113   up     ipmp0  link0_ipmp0  link0_ipmp0 link1_ipmp0
192.168.0.112   up     ipmp0  link1_ipmp0  link0_ipmp0 link1_ipmp0
Note: The INBOUND traffic is restricted to one interface depending on the IP address that is used. The OUTBOUND traffic is spread across both interfaces.
13. Use the ipmpstat command to display the IP interface information.
root@s11-server1:~# ipmpstat -i
INTERFACE     ACTIVE  GROUP  FLAGS    LINK  PROBE  STATE
link0_ipmp0   yes     ipmp0  --mbM--  up    ok     ok
link1_ipmp0   yes     ipmp0  -------  up    ok     ok
The interface FLAGS are defined as:
i = Unusable due to being INACTIVE
s = Masked STANDBY
m = Nominated to send/receive IPv4 multicast for its IPMP group
b = Nominated to send/receive IPv4 broadcast for its IPMP group
M = Nominated to send/receive IPv6 multicast for its IPMP group
d = Unusable due to being down
h = Unusable due to being brought OFFLINE by in.mpathd (IPMP daemon) because of a duplicate hardware address
14. Use the ipmpstat command to display information about test address targets.
root@s11-server1:~# ipmpstat -nt
INTERFACE     MODE       TESTADDR       TARGETS
link0_ipmp0   multicast  192.168.0.142  192.168.0.111
link1_ipmp0   multicast  192.168.0.143  192.168.0.111
Note the Sol11-Desktop IP address 192.168.0.111 under the Targets column. This VM should be up for you to receive this display.
15. Use the ipmpstat command to display the current probe information.
root@s11-server1:~# ipmpstat -pn
TIME    INTERFACE    PROBE  NETRTT  RTT     RTTAVG  TARGET
0.49s   link0_ipmp0  i195   0.70ms  1.29ms  0.71ms  192.168.0.111
0.73s   link1_ipmp0  i145   0.68ms  0.96ms  1.94ms  192.168.0.111
1.38s   link0_ipmp0  i196   0.59ms  0.73ms  0.71ms  192.168.0.111
2.11s   link1_ipmp0  i146   0.51ms  0.69ms  1.78ms  192.168.0.111
3.25s   link0_ipmp0  i197   0.50ms  0.58ms  0.70ms  192.168.0.111
3.70s   link1_ipmp0  i147   0.60ms  1.01ms  1.69ms  192.168.0.111
4.58s   link0_ipmp0  i198   0.56ms  0.72ms  0.70ms  192.168.0.111
5.16s   link1_ipmp0  i148   0.43ms  0.60ms  1.55ms  192.168.0.111
6.04s   link0_ipmp0  i199   0.53ms  0.60ms  0.69ms  192.168.0.111
6.61s   link1_ipmp0  i149   0.77ms  0.84ms  1.46ms  192.168.0.111
^C
Your display may be different.

Task 2: Testing the Active-Active IPMP Configuration
In this task, you test the active-active IPMP configuration by causing one of the subinterfaces to fail. Then you verify that the system is still accessible by using the remaining interface.
1. Shut down the Sol11-Server1 virtual machine.
2. Open the VirtualBox Manager GUI and click the Settings utility for the Sol11-Server1 virtual machine.
3. Under Network settings, select Adapter 2 and set the “Attached to:” field to “Not attached.” Click OK to continue.
4. Start the Sol11-Server1 virtual machine.
Note: You might see a series of error messages about the failed IPMP interface and other services. You can ignore these messages and press Enter to continue to the console login prompt.
5. Log in to the Sol11-Server1 virtual machine as the oracle user and su to root.
6. Use the ipmpstat command to display IPMP group information.
root@s11-server1:~# ipmpstat -g
GROUP   GROUPNAME  STATE     FDT     INTERFACES
ipmp0   ipmp0      degraded  10.00s  link1_ipmp0 [link0_ipmp0]
Note that link0_ipmp0 has been boxed ([link0_ipmp0]) indicating that it has failed.
7. Use the ipmpstat command to display the IP interface information.
root@s11-server1:~# ipmpstat -i
INTERFACE     ACTIVE  GROUP  FLAGS    LINK  PROBE   STATE
link0_ipmp0   no      ipmp0  -------  up    failed  failed
link1_ipmp0   yes     ipmp0  --mbM--  up    ok      ok
The link0_ipmp0 interface is no longer active.
8. Use the ipmpstat command to display the current probe information.
root@s11-server1:~# ipmpstat -pn
TIME     INTERFACE    PROBE  NETRTT  RTT     RTTAVG  TARGET
0.21s    link1_ipmp0  i505   0.62ms  1.11ms  0.70ms  192.168.0.111
-1.99s   link0_ipmp0  i504   --      --      --      192.168.0.111
1.15s    link1_ipmp0  i506   0.51ms  0.65ms  0.70ms  192.168.0.111
0.25s    link0_ipmp0  i506   --      --      --      192.168.0.111
-1.02s   link0_ipmp0  i505   --      --      --      192.168.0.111
2.85s    link1_ipmp0  i507   0.56ms  0.70ms  0.70ms  192.168.0.111
4.25s    link1_ipmp0  i508   0.41ms  0.55ms  0.68ms  192.168.0.111
^C
Note that link0_ipmp0 is failing probe tests. Your display may be different.
9. Log in to the Sol11-Desktop virtual machine and ping the IPMP data IP addresses configured on the Sol11-Server1.
root@s11-desktop:~# ping 192.168.0.112
192.168.0.112 is alive
root@s11-desktop:~# ping 192.168.0.113
192.168.0.113 is alive
10. Return to the Sol11-Server1 virtual machine and shut it down.
11. Open the VirtualBox Manager GUI and click the Settings utility for the Sol11-Server1 virtual machine.
12. Under Network settings, select Adapter 2 and set the “Attached to:” field to Internal Network. Click OK to continue.
13. Start the Sol11-Server1 virtual machine.
14. Log in to the Sol11-Server1 virtual machine as the oracle user and su to root.
15. Use the ipmpstat command to verify that the IPMP group ipmp0 STATE is ok.
root@s11-server1:~# ipmpstat -g
GROUP   GROUPNAME  STATE  FDT     INTERFACES
ipmp0   ipmp0      ok     10.00s  link0_ipmp0 link1_ipmp0

Task 3: Creating an Active-Standby IPMP Configuration
In this task, you reconfigure the ipmp0 IPMP group from an active-active configuration to an active-standby configuration.
1. On the Sol11-Server1 virtual machine, display the data links.
root@s11-server1:~# dladm show-link
LINK          CLASS  MTU   STATE    OVER
link1_ipmp0   phys   1500  up       --
net2          phys   1500  unknown  --
link0_ipmp0   phys   1500  up       --
net3          phys   1500  unknown  --
2. Rename the net2 data link to link2_ipmp0 and show the results.
root@s11-server1:~# dladm rename-link net2 link2_ipmp0
root@s11-server1:~# dladm show-link
LINK          CLASS  MTU   STATE    OVER
link1_ipmp0   phys   1500  up       --
link2_ipmp0   phys   1500  unknown  --
link0_ipmp0   phys   1500  up       --
net3          phys   1500  unknown  --
3. Create an IP interface for the link2_ipmp0 data link and show the results.

    root@s11-server1:~# ipadm create-ip link2_ipmp0
    root@s11-server1:~# ipadm show-if
    IFNAME        CLASS      STATE   ACTIVE   OVER
    lo0           loopback   ok      yes      --
    ipmp0         ipmp       ok      yes      link1_ipmp0 link0_ipmp0
    link1_ipmp0   ip         ok      yes      --
    link0_ipmp0   ip         ok      yes      --
    link2_ipmp0   ip         down    no       --

4. Add the link2_ipmp0 IP interfaces to the ipmp0 IPMP group and show the results.

    root@s11-server1:~# ipadm add-ipmp -i link2_ipmp0 ipmp0
    root@s11-server1:~# ipmpstat -g
    GROUP   GROUPNAME   STATE   FDT      INTERFACES
    ipmp0   ipmp0       ok      10.00s   link2_ipmp0 link0_ipmp0 link1_ipmp0

5. Assign a static IP address to the IPMP subinterface link2_ipmp0 to be used for link testing and show the results.

    root@s11-server1:~# ipadm create-addr -T static \
    -a 192.168.0.144/24 link2_ipmp0/test
    root@s11-server1:~# ipadm show-addr
    ADDROBJ            TYPE     STATE   ADDR
    lo0/v4             static   ok      127.0.0.1/8
    ipmp0/v4add1       static   ok      192.168.0.112/24
    ipmp0/v4add2       static   ok      192.168.0.113/24
    link1_ipmp0/test   static   ok      192.168.0.143/24
    link0_ipmp0/test   static   ok      192.168.0.142/24
    link2_ipmp0/test   static   ok      192.168.0.144/24
    lo0/v6             static   ok      ::1/128

   Note: Your display may be different.

6. Show the current setting of the standby property for the link2_ipmp0 interface.

    root@s11-server1:~# ipadm show-ifprop -p standby link2_ipmp0
    IFNAME        PROPERTY   PROTO   PERM   CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    link2_ipmp0   standby    ip      rw     off       --           off       on,off

   Note that standby is currently turned off.

7. Set the standby property for the link2_ipmp0 interface to on and show the results.

    root@s11-server1:~# ipadm set-ifprop -p standby=on -m ip link2_ipmp0
    root@s11-server1:~# ipadm show-ifprop -p standby link2_ipmp0
    IFNAME        PROPERTY   PROTO   PERM   CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    link2_ipmp0   standby    ip      rw     on        on           off       on,off

8. Use the ipmpstat command to display the IPMP group information.

    root@s11-server1:~# ipmpstat -g
    GROUP   GROUPNAME   STATE   FDT      INTERFACES
    ipmp0   ipmp0       ok      10.00s   link0_ipmp0 link1_ipmp0 (link2_ipmp0)

   Note that the link2_ipmp0 interface is enclosed in parentheses. This indicates that the interface is set to standby.

9. Use the ipmpstat command to display the IPMP address information.

    root@s11-server1:~# ipmpstat -an
    ADDRESS         STATE   GROUP   INBOUND       OUTBOUND
    ::              down    ipmp0   --            --
    192.168.0.113   up      ipmp0   link0_ipmp0   link0_ipmp0 link1_ipmp0
    192.168.0.112   up      ipmp0   link1_ipmp0   link0_ipmp0 link1_ipmp0

   Note that the link2_ipmp0 interface is not actively used for INBOUND and OUTBOUND traffic.

10. Use the ipmpstat command to display the IPMP interface information.

    root@s11-server1:~# ipmpstat -i
    INTERFACE     ACTIVE   GROUP   FLAGS    LINK   PROBE   STATE
    link2_ipmp0   no       ipmp0   is----   up     ok      ok
    link0_ipmp0   yes      ipmp0   ------   up     ok      ok
    link1_ipmp0   yes      ipmp0   --mbM-   up     ok      ok

   Note the flags for the link2_ipmp0 interface. This indicates that the interface is inactive and set to standby.

Task 4: Testing the Active-Standby IPMP Configuration

In this task, you test the active-standby IPMP configuration by causing one of the subinterfaces to fail. Then you verify that the system is still accessible by using the remaining interface.

1. Shut down the Sol11-Server1 virtual machine.

2. Open the VirtualBox Manager GUI and click the Settings utility for the Sol11-Server1 virtual machine.

3. Under Network settings, select Adapter 2 and set the “Attached to:” field to “Not attached.” Click OK to continue.

4. Start the Sol11-Server1 virtual machine.

5. Log in to the Sol11-Server1 virtual machine as the oracle user and su to root.

   Note: You might see a series of error messages about the failed IPMP interface. You can ignore these messages and press Enter to continue.

6. Use the ipmpstat command to display the IPMP group information.

    root@s11-server1:~# ipmpstat -g
    GROUP   GROUPNAME   STATE      FDT      INTERFACES
    ipmp0   ipmp0       degraded   10.00s   link2_ipmp0 link1_ipmp0 [link0_ipmp0]

   Note that link0_ipmp0 has been boxed ([link0_ipmp0]), indicating that it has failed.

7. Use the ipmpstat command to display the IP interface information.

    root@s11-server1:~# ipmpstat -i
    INTERFACE     ACTIVE   GROUP   FLAGS    LINK   PROBE    STATE
    link2_ipmp0   yes      ipmp0   -s----   up     ok       ok
    link0_ipmp0   no       ipmp0   ------   up     failed   failed
    link1_ipmp0   yes      ipmp0   --mbM-   up     ok       ok

   The link0_ipmp0 interface is no longer active but link2_ipmp0 is now active.

8. Use the ipmpstat command to display the IPMP address information.

    root@s11-server1:~# ipmpstat -an
    ADDRESS         STATE   GROUP   INBOUND       OUTBOUND
    ::              down    ipmp0   --            --
    192.168.0.113   up      ipmp0   link2_ipmp0   link2_ipmp0 link1_ipmp0
    192.168.0.112   up      ipmp0   link1_ipmp0   link2_ipmp0 link1_ipmp0

   Note that the link2_ipmp0 interface is being used for INBOUND and OUTBOUND traffic.

9. Use the ipmpstat command to display the current probe information.

    root@s11-server1:~# ipmpstat -pn
    TIME     INTERFACE     PROBE   NETRTT   RTT      RTTAVG   TARGET
    0.06s    link2_ipmp0   i163    0.26ms   0.49ms   0.33ms   192.168.0.111
    0.90s    link1_ipmp0   i162    0.26ms   0.39ms   0.31ms   192.168.0.111
    0.92s    link2_ipmp0   i164    0.19ms   0.36ms   0.34ms   192.168.0.111
    0.49s    link0_ipmp0   i161    --       --       --       192.168.0.111
    -0.49s   link0_ipmp0   i160    --       --       --       192.168.0.111
    2.52s    link2_ipmp0   i165    0.23ms   0.39ms   0.34ms   192.168.0.111
    2.74s    link1_ipmp0   i163    0.24ms   0.38ms   0.32ms   192.168.0.111
    3.69s    link1_ipmp0   i164    0.25ms   0.45ms   0.34ms   192.168.0.111
    2.31s    link0_ipmp0   i162    --       --       --       192.168.0.111
    … … …

   Note that the link2_ipmp0 interface is actively probing targets.

10. Log in to the Sol11-Desktop virtual machine and ping the IPMP data IP addresses.

    root@s11-desktop:~# ping 192.168.0.112
    192.168.0.112 is alive
    root@s11-desktop:~# ping 192.168.0.113
    192.168.0.113 is alive

11. Return to the Sol11-Server1 virtual machine and shut it down.

12. Open the VirtualBox Manager GUI and click the Settings utility for the Sol11-Server1 virtual machine.

13. Under Network settings, select Adapter 2 and set the “Attached to:” field to Internal Network. Click OK to continue.

14.
Start the Sol11-Server1 virtual machine.

15. Log in to the Sol11-Server1 virtual machine as the oracle user and su to root.

16. Use the ipmpstat command to display the IPMP group information.

    root@s11-server1:~# ipmpstat -g
    GROUP   GROUPNAME   STATE   FDT      INTERFACES
    ipmp0   ipmp0       ok      10.00s   link0_ipmp0 link1_ipmp0 (link2_ipmp0)

   Note that the link2_ipmp0 interface has been placed back as standby and is inactive. This indicates that the failed interface is repaired.

17. Use the ipmpstat command to display the IPMP interface information.

    root@s11-server1:~# ipmpstat -i
    INTERFACE     ACTIVE   GROUP   FLAGS    LINK   PROBE   STATE
    link2_ipmp0   no       ipmp0   is----   up     ok      ok
    link0_ipmp0   yes      ipmp0   ------   up     ok      ok
    link1_ipmp0   yes      ipmp0   --mbM-   up     ok      ok

Task 5: Removing the IPMP Configuration

In this task, you remove the ipmp0 IPMP group and return the network to its original configuration.

1. Remove all the subinterfaces from the ipmp0 IPMP group and show the results.

    root@s11-server1:~# ipadm remove-ipmp -i link0_ipmp0 \
    -i link1_ipmp0 -i link2_ipmp0 ipmp0
    Dec 14 04:17:43 s11-server1 in.mpathd[113]: All IP interfaces in group ipmp0 are now unusable.

   Note: You may see other error messages due to the system being in an unstable state. You can ignore these messages.

    root@s11-server1:~# ipmpstat -g
    GROUP   GROUPNAME   STATE    FDT   INTERFACES
    ipmp0   ipmp0       failed   --    --

2. Delete the ipmp0 IPMP group.

    root@s11-server1:~# ipadm delete-ipmp ipmp0
    root@s11-server1:~# ipmpstat -g
    root@s11-server1:~#

3. Display the IP address that is currently configured in the system.

    root@s11-server1:~# ipadm show-addr
    ADDROBJ            TYPE     STATE   ADDR
    lo0/v4             static   ok      127.0.0.1/8
    link1_ipmp0/test   static   ok      192.168.0.143/24
    link0_ipmp0/test   static   ok      192.168.0.142/24
    link2_ipmp0/test   static   ok      192.168.0.144/24
    lo0/v6             static   ok      ::1/128

   Your display may be different.

4. Delete the test IP addresses and show the results.

    root@s11-server1:~# ipadm delete-addr link0_ipmp0/test
    root@s11-server1:~# ipadm delete-addr link1_ipmp0/test
    root@s11-server1:~# ipadm delete-addr link2_ipmp0/test
    root@s11-server1:~# ipadm show-addr
    ADDROBJ   TYPE     STATE   ADDR
    lo0/v4    static   ok      127.0.0.1/8
    lo0/v6    static   ok      ::1/128

   Your display may be different.

5. Delete the link0_ipmp0, link1_ipmp0, and link2_ipmp0 IP interfaces. Show the results.

    root@s11-server1:~# ipadm delete-ip link0_ipmp0
    root@s11-server1:~# ipadm delete-ip link1_ipmp0
    root@s11-server1:~# ipadm delete-ip link2_ipmp0
    root@s11-server1:~# ipadm show-if
    IFNAME   CLASS      STATE   ACTIVE   OVER
    lo0      loopback   ok      yes      --

6. Rename the data links to their original names and show the results.

    root@s11-server1:~# dladm rename-link link0_ipmp0 net0
    root@s11-server1:~# dladm rename-link link1_ipmp0 net1
    root@s11-server1:~# dladm rename-link link2_ipmp0 net2
    root@s11-server1:~# dladm show-link
    LINK   CLASS   MTU    STATE     OVER
    net1   phys    1500   unknown   --
    net2   phys    1500   unknown   --
    net0   phys    1500   unknown   --
    net3   phys    1500   unknown   --

7. Restart the svc:/network/physical:default service.

    root@s11-server1:~# svcadm restart svc:/network/physical:default

8. Verify that the net0 network interface has been configured correctly.

    root@s11-server1:~# ipadm show-addr
    ADDROBJ   TYPE     STATE   ADDR
    lo0/v4    static   ok      127.0.0.1/8
    lo0/v6    static   ok      ::1/128

9. Reinstate the physical network interface.

    root@s11-server1:~# ipadm create-ip net0
    root@s11-server1:~# ipadm create-addr -T static \
    -a 192.168.0.100/24 net0/v4add1

10. Test the network interface by using the ping command.

    root@s11-server1:~# ping 192.168.0.111
    192.168.0.111 is alive.

11. Power off the Sol11-Desktop virtual machine.

Practices for Lesson 6: Configuring Zones and the Virtual Network

Chapter 6

Practice Overview for Lesson 6

Practices Overview

According to your predeployment plan, it is time to evaluate the business scenario. On one company server, you are asked to create two independent virtual Oracle Solaris 11.1 systems (zones) where the company can maintain two separate customers’ environments. Therefore, you create a zone called grandmazone for the vendor Grandma’s Cookies and a zone called choczone for Assorted Chocolates Inc. When these customers need assistance, you can recreate their scenario in their respective zones and evaluate the issues.
Because you have only one physical interface on this server, you are asked to create two virtual network interfaces and assign one to each zone on a dedicated basis.

The key areas explored in the practices are:
• Configuring an Oracle Solaris 11.1 virtual network
• Configuring two zones to use VNICs
• Allocating resources to Oracle Solaris zones
• Managing resources on the virtual network interface
• Removing part of the virtual network

Note: Your command output displays may be different from the displays in the practice, for example, storage data, process IDs, and session-related and system-generated information.

    √   Oracle Solaris 11.1 Predeployment Checklist
    √   Managing the Image Packaging System (IPS) and Packages
    √   Installing Oracle Solaris 11.1 on Multiple Hosts
    √   Managing the Business Application Data
    √   Configuring Network and Traffic Failover
        Configuring Zones and the Virtual Network
        Managing Services and Service Properties
        Configuring Privileges and Role-Based Access Control
        Securing System Resources by Using Oracle Solaris Auditing
        Managing Processes and Priorities
        Evaluating System Resources
        Monitoring and Troubleshooting System Failures

Preparation

This practice requires the Sol11-Server1 virtual machine to have two CPUs so that resource pools can be configured accordingly. To ensure that the Sol11-Server1 virtual machine has two CPUs in place, follow these steps:

1. Shut down the Sol11-Server1 virtual machine.

2. Open the VirtualBox Manager GUI and click the Settings utility for the Sol11-Server1 virtual machine.

3. Under the System settings, click the Processor tab and verify that the number of processors is 2. If not, change the number of processors to 2. Click OK to continue.

Practice 6-1: Creating an Oracle Solaris 11.1 Virtual Network

Overview

In this practice, you configure an Oracle Solaris 11.1 virtual network. To do this, you perform the following key tasks:
• Create a virtual network switch
• Create the virtual network interfaces
• Display the virtual network configuration

Task:

1. Verify that the Sol11-Server1 virtual machine is running. If the virtual machine is not running, start it now.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password. Assume administrator privileges.

3. Run the dladm utility to create an etherstub named stub0. Confirm the creation of the etherstub by using the show-link command.

    root@s11-server1:~# dladm create-etherstub stub0
    root@s11-server1:~$ dladm show-link
    LINK    CLASS       MTU    STATE     OVER
    net1    phys        1500   unknown   --
    net2    phys        1500   unknown   --
    net3    phys        1500   unknown   --
    net0    phys        1500   up        --
    stub0   etherstub   9000   unknown   --
    root@s11-server1:~#

   Before you create the VNICs, you need to create a virtual network switch.

4. Use the dladm utility to create the vnic0, vnic1, and vnic2 VNICs. Attach these VNICs to the etherstub stub0.

    root@s11-server1:~# dladm create-vnic -l stub0 vnic0
    root@s11-server1:~# dladm create-vnic -l stub0 vnic1
    root@s11-server1:~# dladm create-vnic -l stub0 vnic2

   Here vnic0 is required for the virtual switch stub0. The other VNICs are the virtual network interfaces that would be available for your use.

5. Show the results of the preceding step.

    root@s11-server1:~# dladm show-vnic
    LINK    OVER    SPEED   MACADDRESS       MACADDRTYPE   VID
    vnic0   stub0   0       2:8:20:84:d:cb   random        0
    vnic1   stub0   0       2:8:20:a:97:10   random        0
    vnic2   stub0   0       2:8:20:4:ee:9    random        0

   All three VNICs have been created as displayed. Notice that each VNIC has a MAC address created. Now these VNICs are available for use as “physical” networks. You will use them in the following practice for the zones.

Practice 6-2: Creating Two Zones by Using VNICs

Overview

In this practice, you configure Oracle Solaris 11 zones and assign the virtual network interfaces created in the previous exercise. To do this, you perform the following key tasks:
• Configure two zones to use VNICs
• Display the zone configuration, including the interfaces

Task:

Perform the following steps to configure the zone named grandmazone and the zone named choczone:

1. Verify that the Sol11-Server1 virtual machine is running. If the virtual machine is not running, start it now.

2. Log in to the Sol11-Server1 virtual machine as the oracle user.
Use oracle1 as the password. Assume administrator privileges.

3. Verify that the IPS publisher is configured correctly and is operational.

    root@s11-server1:~# pkg publisher
    PUBLISHER   TYPE     STATUS   P   LOCATION
    solaris     origin   online   F   http://s11-server1.mydomain.com/
    root@s11-server1:~# pkg search diffstat
    INDEX             ACTION   VALUE   PACKAGE
    pkg.description   set      The diff command compares files line by line. Diffstat reads the output of the diff command and displays a histogram of the insertions, deletions and modifications in each file. Diffstat is commonly used to provide a summary of the changes in large, complex patch files. Install diffstat if you need a program which provides a summary of the diff command's output.   pkg:/text/diffstat@1.51-0.175.1.0.0.9.0
    … …

   If the IPS publisher is configured incorrectly, change to an operational publisher. For example, if your current publisher is http://pkg.oracle.com/solaris/release/, you need to change it to http://s11-server1.mydomain.com. Run the following command:

    root@s11-server1:~# pkg set-publisher -G '*' \
    -g http://s11-server1.mydomain.com/ solaris

   Refer to Practice 2: Managing the Image Packaging System (IPS) and Packages for detailed IPS configuration.

   The objective is to access the IPS repository on the local system to speed up package transfer during the zone installation steps.

4. Verify that an rpool/zones ZFS file system exists and is mounted as /zones.

    root@s11-server1:~# zfs list rpool/zones
    NAME          USED   AVAIL   REFER   MOUNTPOINT
    rpool/zones   31K    22.6G   31K     /zones

   If the rpool/zones ZFS file system does not exist, run the following command:

    root@s11-server1:~# zfs create -o mountpoint=/zones rpool/zones

   The root file systems for the zones will be stored in the rpool/zones file system.

5. Configure grandmazone and display the results.

    root@s11-server1:~# zonecfg -z grandmazone
    Use 'create' to begin configuring a new zone.
    zonecfg:grandmazone> create
    create: Using system default template 'SYSdefault'
    zonecfg:grandmazone> set zonepath=/zones/grandmazone
    zonecfg:grandmazone> set autoboot=true
    zonecfg:grandmazone> add net
    zonecfg:grandmazone:net> set physical=vnic1
    zonecfg:grandmazone:net> end
    zonecfg:grandmazone> verify
    zonecfg:grandmazone> commit
    zonecfg:grandmazone> exit
    root@s11-server1:~# zonecfg -z grandmazone info
    zonename: grandmazone
    zonepath: /zones/grandmazone
    brand: solaris
    autoboot: true
    bootargs:
    file-mac-profile:
    pool:
    limitpriv:
    scheduling-class:
    ip-type: exclusive
    hostid:
    fs-allowed:
    net:
            address not specified
            allowed-address not specified
            configure-allowed-address: true
            physical: vnic1
            defrouter not specified
    anet:
            linkname: net0
            lower-link: auto
            allowed-address not specified
            configure-allowed-address: true
            defrouter not specified
            allowed-dhcp-cids not specified
            link-protection: mac-nospoof
            mac-address: random
            mac-prefix not specified
            mac-slot not specified
            vlan-id not specified
            priority not specified
            rxrings not specified
            txrings not specified
            mtu not specified
            maxbw not specified
            rxfanout not specified
            vsi-typeid not specified
            vsi-vers not specified
            vsi-mgrid not specified
            etsbw-lcl not specified
            cos not specified
            pkey not specified
            linkmode not specified

6.
Configure choczone and display the results.

    root@s11-server1:~# zonecfg -z choczone
    Use 'create' to begin configuring a new zone.
    zonecfg:choczone> create
    create: Using system default template 'SYSdefault'
    zonecfg:choczone> set zonepath=/zones/choczone
    zonecfg:choczone> set autoboot=true
    zonecfg:choczone> add net
    zonecfg:choczone:net> set physical=vnic2
    zonecfg:choczone:net> end
    zonecfg:choczone> verify
    zonecfg:choczone> commit
    zonecfg:choczone> exit
    root@s11-server1:~# zonecfg -z choczone info
    zonename: choczone
    zonepath: /zones/choczone
    brand: solaris
    autoboot: true
    bootargs:
    file-mac-profile:
    pool:
    limitpriv:
    scheduling-class:
    ip-type: exclusive
    hostid:
    fs-allowed:
    net:
            address not specified
            allowed-address not specified
            physical: vnic2
            defrouter not specified
    anet:
            linkname: net0
            lower-link: auto
            allowed-address not specified
            configure-allowed-address: true
            defrouter not specified
            allowed-dhcp-cids not specified
            link-protection: mac-nospoof
            mac-address: random
            mac-prefix not specified
            mac-slot not specified
            vlan-id not specified
            priority not specified
            rxrings not specified
            txrings not specified
            mtu not specified
            maxbw not specified
            rxfanout not specified
            vsi-typeid not specified
            vsi-vers not specified
            vsi-mgrid not specified
            etsbw-lcl not specified
            cos not specified
            pkey not specified
            linkmode not specified

7. Using the zoneadm command, display the configured zones.

    root@s11-server1:~# zoneadm list -cv
    ID   NAME          STATUS       PATH                 BRAND     IP
    0    global        running      /                    solaris   shared
    -    grandmazone   configured   /zones/grandmazone   solaris   excl
    -    choczone      configured   /zones/choczone      solaris   excl

   Both zones are in configured state. They need to be installed.

8. Using the sysconfig command, create a system configuration profile for grandmazone.

    root@s11-server1:~# sysconfig create-profile -o \
    /opt/ora/data/gmconf.xml

   When the system configuration tool appears, follow the directions on the screen and provide appropriate information from the following:
   • Computer name: grandmazone
   • Ethernet network configuration: Manually
   • Network Interface: vnic1
   • IP Address: 192.168.1.100
   • DNS: Do not configure DNS
   • Alternate Name Service: None
   • Time zone: Use your local region.
   • Date and time: Set to current date and time.
   • Root password: oracle1
   • Your real name: oraclegm
   • Username: oraclegm
   • User password: oracle1
   • Remove the Email address from the Support - Registration menu

   After you have reviewed the information on the System Configuration Summary screen, select F2_Apply.

    Exiting System Configuration Tool. Log is available at:
    /system/volatile/sysconfig/sysconfig.log.1999
    root@s11-server1:~#

   Display the SC profile that you just created for grandmazone.

    root@s11-server1:~# more /opt/ora/data/gmconf.xml
    … …
    root@s11-server1:~# zoneadm -z grandmazone install -c /opt/ora/data/gmconf.xml

   The zone installation should take approximately 15 minutes.

9. Using the sysconfig command, create a system configuration profile for the choczone.

    root@s11-server1:~# sysconfig create-profile -o \
    /opt/ora/data/chocconf.xml

   When the system configuration tool appears, follow the directions on the screen and provide the appropriate information from the following:
   • Computer name: choczone
   • Ethernet network configuration: Manually
   • Network Interface: vnic2
   • IP Address: 192.168.1.200
   • DNS: Do not configure DNS
   • Alternate Name Service: None
   • Time zone: Use your local region.
   • Date and time: Set to current date and time.
   • Root password: oracle1
   • Your real name: oraclech
   • Username: oraclech
   • User password: oracle1
   • Remove the Email address from the Support - Registration menu

   After you have reviewed the information on the System Configuration Summary screen, select F2_Apply.

    Exiting System Configuration Tool. Log is available at:
    /system/volatile/sysconfig/sysconfig.log.2987
    root@s11-server1:~#
    root@s11-server1:~# zoneadm -z choczone install -c \
    /opt/ora/data/chocconf.xml

   The zone installation should take approximately five minutes.

10.
Show the results of the zone installations. root@s11-server1:~# zoneadm list -iv ID 0 - NAME global grandmazone choczone STATUS running installed installed PATH / /zones/grandmazone /zones/choczone BRAND solaris solaris solaris IP shared excl excl BRAND solaris IP shared Both zones are in installed state. 11. Boot the grandmazone and choczone zones and show the results. root@s11-server1:~# zoneadm -z grandmazone boot root@s11-server1:~# zoneadm -z choczone boot root@s11-server1:~# zoneadm list -v ID NAME 0 global STATUS running PATH / Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Practices for Lesson 6: Configuring Zones and the Virtual Network Chapter 6 - Page 12 1 grandmazone 2 choczone running running /zones/grandmazone /zones/choczone solaris solaris excl excl Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ Both zones have an ID and are in the running state. 12. Check the virtual network configuration in the global zone. root@s11-server1:~# ipadm show-addr ADDROBJ TYPE STATE ADDR lo0/v4 static ok 127.0.0.1/8 net0/v4add1 static ok 192.168.0.100/24 lo0/v6 static ok ::1/128 In the global zone, no information is displayed about the links that you created. Why? Because the VNICs exist at the link level. They would be visible by using the dladm commands that you used earlier. 13. Check the virtual network configuration in the grandmazone zone. s an r t n no a s a h ) ฺ e m d o i ilฺc t Gu a m den g o@ Stu d l a this n o oฺr use r e ic e to c ( do icens l a n the virtuall network configuration in the choczone zone. It should be similar to 14. Check o R ro grandmazone, except for the name of the network interface and the IP address. 
root@s11-server1:~# zlogin grandmazone [Connected to zone 'grandmazone' pts/3] Oracle Corporation SunOS 5.11 11.1 September 2012 root@grandmazone:~# ipadm show-addr ADDROBJ TYPE STATE ADDR lo0/v4 static ok 127.0.0.1/8 vnic1/v4 static ok 192.168.1.100/24 lo0/v6 static ok ::1/128 vnic1/v6 addrconf ok fe80::8:20ff:fe0a:9710/10 e 15. Cic From grandmazone, use the ping command to verify that the virtual network that connects grandmazone and choczone is operational. root@grandmazone:~# ping 192.168.1.200 192.168.1.200 is alive This demonstrates that you have connectivity with choczone because both zones are created on the same network. 16. Exit to the global zone. Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Practices for Lesson 6: Configuring Zones and the Virtual Network Chapter 6 - Page 13 le b a r e f Practice 6-3: Allocating Resources to Zones Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ Overview In this practice, you allocate resources to the zones that you created in the previous practice. To accomplish this goal, you perform the following key tasks: • Enable services for resource pools • Configure a persistent resource pool • Bind the zone to a persistent resource pool • Remove the resource pool configuration • Manage the virtual network data flow Task 1: Enabling Resource Pool Services 1. 2. s an r t n e disabled online 5. 16:06:10 svc:/system/pools:default 15:45:55 svc:/system/filesystem/local:default Use the svcadm command to enable the pool services recursively. Confirm that the pool services and the poold daemon are up. root@s11-server1:~# svcadm enable -r pools/dynamic root@s11-server1:~# svcs *pools* STATE STIME FMRI online 16:08:10 svc:/system/pools:default online 16:08:11 svc:/system/pools/dynamic:default root@s11-server1:~# pgrep -lf poold 8493 /usr/lib/pool/poold Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 
Practices for Lesson 6: Configuring Zones and the Virtual Network Chapter 6 - Page 14 le b a r e f no a s a root@s11-server1:~# pgrep -lf poold h ) ฺ e m root@s11-server1:~# svcs *pools* d o i ilฺc t Gu STATE STIME FMRI a m den g disabled 16:06:10 svc:/system/pools:default o@ Stu disabled 16:05:55ld svc:/system/pools/dynamic:default a this n o ฺr uare sedisabled. oservices r Currently, all the e pool ic service to is dependent on the default pool service. c e 4. Verify that the (dynamic do icens svcs -d pools/dynamic l root@s11-server1:~# a l n oSTATE STIME FMRI R ro 3. Cic Verify that the Sol11-Server1 virtual machine is running. If the virtual machine is not running, start it now. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password. Assume administrator privileges. Verify that the poold daemon and the pool services are running. Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ 6. Use the pooladm command to display the default resource pool configuration that is currently in use. root@s11-server1:~# pooladm system default string int boolean string system.comment system.version 1 system.bind-default true system.poold.objectives wt-load pool pool_default int pool.sys_id 0 boolean pool.active true boolean pool.default true int pool.importance 1 string pool.comment pset pset_default s string an r t n o an s ha ฺ ) pset pset_default om uide c ฺ l ai -1 nt G int pset.sys_id m e g udtrue boolean pset.default @ t o S1 uint ald pset.min s i n h uint 65536 ฺro uspset.max et o r pset.units population e string o c i t c e pset.load 164 o ( ensuint d l lic uint pset.size 2 ona R o r ce Ci le pset.comment cpu int string string cpu.sys_id 1 cpu.comment cpu.status on-line int string string cpu.sys_id 0 cpu.comment cpu.status on-line cpu root@s11-server1:~# Examine the default pool and the pset (processer set) configuration. Also note the number of CPUs available. 
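The pooladm listing above can be reduced to one line per pool, which makes it easy to confirm which processor set, CPU range and CPU count each pool has. The following is an added example, not part of the course material; the function names are hypothetical and the sample text is constructed in the style of the pooladm and poolcfg info listings in this practice.

```shell
#!/bin/sh
# Added example: reduce `pooladm` / `poolcfg -dc info` text (stdin) to one
# line per pool:  pool=<name> pset=<name> min=<n> max=<n> cpus=<n>
# Assumption: every pool element lists exactly one associated pset.
pool_summary() {
    awk '
        # "pool <name>" opens a pool element.
        $1 == "pool" && NF == 2 {
            pools[++np] = $2; cur_pool = $2; in_pool = 1; cur_pset = ""
            next
        }
        # The first "pset <name>" after a pool header is its association.
        $1 == "pset" && NF == 2 && in_pool {
            pset_of[cur_pool] = $2; in_pool = 0
            next
        }
        # Any other "pset <name>" opens a processor set element.
        $1 == "pset" && NF == 2 { cur_pset = $2; cpus[$2] = 0; next }
        cur_pset != "" && $2 == "pset.min" { min[cur_pset] = $3; next }
        cur_pset != "" && $2 == "pset.max" { max[cur_pset] = $3; next }
        # A bare "cpu" line opens one CPU element inside the current pset.
        cur_pset != "" && $1 == "cpu" && NF == 1 { cpus[cur_pset]++ }
        END {
            for (i = 1; i <= np; i++) {
                p = pools[i]; s = pset_of[p]
                printf "pool=%s pset=%s min=%s max=%s cpus=%d\n",
                    p, s, min[s], max[s], cpus[s]
            }
        }'
}

# Print the names of pools whose pset.max exceeds the limit given as $1.
pools_over_cap() {
    pool_summary | awk -v cap="$1" '{
        split($1, p, "="); split($4, m, "=")
        if (m[2] + 0 > cap + 0) print p[2]
    }'
}

# Constructed sample input (not captured from a real system).
sample_pool_info() {
    cat <<'EOF'
system default
    string  system.comment
    int     system.version 1
    boolean system.bind-default true
    string  system.poold.objectives wt-load

    pool pool_gmzone
        int     pool.sys_id 1
        boolean pool.active true
        boolean pool.default false
        string  pool.scheduler FSS
        int     pool.importance 1
        string  pool.comment
        pset    pset_1to2

    pool pool_default
        int     pool.sys_id 0
        boolean pool.active true
        boolean pool.default true
        int     pool.importance 1
        string  pool.comment
        pset    pset_default

    pset pset_1to2
        int     pset.sys_id 1
        boolean pset.default false
        uint    pset.min 1
        uint    pset.max 2
        string  pset.units population
        uint    pset.size 1
        string  pset.comment

        cpu
            int     cpu.sys_id 0
            string  cpu.comment
            string  cpu.status on-line

    pset pset_default
        int     pset.sys_id -1
        boolean pset.default true
        uint    pset.min 1
        uint    pset.max 65536
        string  pset.units population
        uint    pset.size 1
        string  pset.comment

        cpu
            int     cpu.sys_id 1
            string  cpu.comment
            string  cpu.status on-line
EOF
}

# Summary for the sample, then the pools allowed to use more than 2 CPUs.
sample_pool_info | pool_summary
sample_pool_info | pools_over_cap 2
```

On a live system the same functions read the command output directly, for example pooladm | pool_summary.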
Task 2: Configuring a Persistent Resource Pool

1. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password. Assume administrator privileges.

2. Create the pool configuration file.

root@s11-server1:~# ls -l /etc/pool*
/etc/pool*: No such file or directory

Currently, the pooladm.conf file does not exist.

root@s11-server1:~# pooladm -s

Now you are saving the current pool configuration in the default file /etc/pooladm.conf.

root@s11-server1:~# ls -l /etc/pool*
-rw-r--r--   1 root     root        1160 Dec 14 16:13 /etc/pooladm.conf
root@s11-server1:~# file /etc/pooladm.conf
/etc/pooladm.conf: XML document

The file has been created for you and it is of type XML.

3. Display the contents of the pool configuration file by using the more command, so that you can examine its contents one page at a time.

root@s11-server1:~# more /etc/pooladm.conf
…
…

The XML file contains the default pool configuration that you saved in step 2.

4. Use the poolcfg command to display the resource pool configuration from the config file.
root@s11-server1:~# poolcfg -c info

system default
    string  system.comment
    int     system.version 1
    boolean system.bind-default true
    string  system.poold.objectives wt-load

    pool pool_default
        int     pool.sys_id 0
        boolean pool.active true
        boolean pool.default true
        int     pool.importance 1
        string  pool.comment
        pset    pset_default
…
…

You will find that this display is exactly the same as in step 6 of the previous task. The purpose of displaying it again is that you can view it another time before you make modifications.

5. Create a pset called pset_1to2 by using the poolcfg command.

root@s11-server1:~# poolcfg -c 'create pset pset_1to2 (uint pset.min=1; uint pset.max=2)'

The pset is defined with a range of two CPUs (1–2). For instance, the kernel can use one or two CPUs based on the workload.

6. Use the poolcfg command to create a pool called pool_gmzone and associate it with the pset_1to2 pset. Confirm whether the pool configuration file shows the current modification stamp.

root@s11-server1:~# poolcfg -c 'create pool pool_gmzone (string pool.scheduler="FSS")'

While creating pool_gmzone, you also optionally indicate the Fair Share Scheduler (FSS) as your default scheduling class.

root@s11-server1:~# poolcfg -c 'associate pool pool_gmzone (pset pset_1to2)'
root@s11-server1:~# ls -l /etc/pool*
-rw-r--r--   1 root     root        1645 Dec 14 16:17 /etc/pooladm.conf

The pool configuration file has been modified as is evident from the time stamp.

7. Use the poolcfg -c info command to view the modified pool configuration.
root@s11-server1:~# poolcfg -c info | more

system default
    string  system.comment
    int     system.version 1
    boolean system.bind-default true
    string  system.poold.objectives wt-load

    pool pool_default
        int     pool.sys_id 0
        boolean pool.active true
        boolean pool.default true
        int     pool.importance 1
        string  pool.comment
        pset    pset_default

    pool pool_gmzone
        boolean pool.active true
        boolean pool.default false
        string  pool.scheduler FSS
        int     pool.importance 1
        string  pool.comment
        pset    pset_1to2

    pset pset_default
        int     pset.sys_id -1
        boolean pset.default true
        uint    pset.min 1
        uint    pset.max 65536
        string  pset.units population
        uint    pset.load 42
        uint    pset.size 2
        string  pset.comment

        cpu
            int     cpu.sys_id 1
            string  cpu.comment
            string  cpu.status on-line

        cpu
            int     cpu.sys_id 0
            string  cpu.comment
            string  cpu.status on-line

    pset pset_1to2
        int     pset.sys_id -2
        boolean pset.default false
        uint    pset.min 1
        uint    pset.max 2
        string  pset.units population
        uint    pset.load 0
        uint    pset.size 0
        string  pset.comment
root@s11-server1:~#

This is your new pool configuration. The pset, the pool, and the CPUs are all associated and displayed as you had specified. Note that your pset_1to2 shows only one CPU currently. This is the minimum CPU; maximum CPUs are used as needed. Output may slightly differ.

8. Use the pooladm -n -c command to validate the configuration. Commit the changes by using the -c option.

root@s11-server1:~# pooladm -n -c
root@s11-server1:~# pooladm -c

9. Using the poolcfg -dc info command, display the current pool configuration that is in use.

root@s11-server1:~# poolcfg -dc info | more

system default
    string  system.comment
    int     system.version 1
    boolean system.bind-default true
    string  system.poold.objectives wt-load

    pool pool_gmzone
        int     pool.sys_id 1
        boolean pool.active true
        boolean pool.default false
        string  pool.scheduler FSS
        int     pool.importance 1
        string  pool.comment
        pset    pset_1to2

    pool pool_default
        int     pool.sys_id 0
        boolean pool.active true
        boolean pool.default true
        int     pool.importance 1
        string  pool.comment
…
…

This display should include your modifications; for instance, the pool_gmzone pool and its pset pset_1to2 shown here.

10. Use the poolstat command to display all the active resource pools.

root@s11-server1:~# poolstat -r all
id pool           type rid rset           min  max size used load
 1 pool_gmzone    pset   1 pset_1to2        1    2    1 0.00 0.00
 0 pool_default   pset  -1 pset_default     1  66K    1 0.00 0.03

The output shows a default pool as well as your new pool.

Task 3: Binding the Zone to a Persistent Resource Pool

1. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password. Assume administrator privileges.

2. Use the zoneadm command to list the current state of the zones.

root@s11-server1:~# zoneadm list -iv
  ID NAME          STATUS     PATH                 BRAND    IP
   0 global        running    /                    solaris  shared
   1 grandmazone   running    /zones/grandmazone   solaris  excl
   2 choczone      running    /zones/choczone      solaris  excl

The choczone and grandmazone zones are both up and running.

3. Because grandmazone needs the resource pool, allocate the pool to grandmazone.
root@s11-server1:~# zonecfg -z grandmazone set pool=pool_gmzone

4. Confirm that the pool allocation is included in the zone configuration.

root@s11-server1:~# zonecfg -z grandmazone info | grep pool
pool: pool_gmzone

The info suboption displays the pool that is allocated to the grandmazone zone.

5. Reboot grandmazone to activate the resource pool binding. Check whether the zone has rebooted and is currently running.

root@s11-server1:~# zlogin grandmazone init 6
root@s11-server1:~# zoneadm list -iv
  ID NAME          STATUS     PATH                 BRAND    IP
   0 global        running    /                    solaris  shared
   1 grandmazone   running    /zones/grandmazone   solaris  excl
   2 choczone      running    /zones/choczone      solaris  excl

Note that the reboot process might take a while to complete.

6. Log in to grandmazone to confirm the availability of the resource pool.

root@s11-server1:~# zlogin grandmazone
[Connected to zone 'grandmazone' pts/1]
Oracle Corporation SunOS 5.11 11.1 September 2012

7. Use the poolcfg -dc info command to view the modified pool configuration.

root@grandmazone:~# poolcfg -dc info

system default
    string  system.comment
    int     system.version 1
    boolean system.bind-default true
    string  system.poold.objectives wt-load

    pool pool_gmzone
        int     pool.sys_id 1
        boolean pool.active true
        boolean pool.default false
        string  pool.scheduler FSS
        int     pool.importance 1
        string  pool.comment
        pset    pset_1to2

    pset pset_1to2
        int     pset.sys_id 1
        boolean pset.default false
        uint    pset.min 1
        uint    pset.max 2
        string  pset.units population
        uint    pset.load 1827
        uint    pset.size 1
        string  pset.comment

        cpu
            int     cpu.sys_id 0
            string  cpu.comment
            string  cpu.status on-line
root@grandmazone:~#

This is your new pool configuration. The pset, the pool, and the CPUs are all associated as you had specified.

8. Exit grandmazone. Log in to choczone.

root@grandmazone:~# exit
logout
[Connection to zone 'grandmazone' pts/1 closed]
root@s11-server1:~# zlogin choczone
[Connected to zone 'choczone' pts/1]
Oracle Corporation SunOS 5.11 11.1 September 2012

9. Using the poolcfg -dc info command, display the current pool configuration.

root@choczone:~# poolcfg -dc info

system default
    string  system.comment
    int     system.version 1
    boolean system.bind-default true
    string  system.poold.objectives wt-load

    pool pool_default
        int     pool.sys_id 0
        boolean pool.active true
        boolean pool.default true
        int     pool.importance 1
        string  pool.comment
        pset    pset_default

    pset pset_default
        int     pset.sys_id -1
        boolean pset.default true
        uint    pset.min 1
        uint    pset.max 65536
        string  pset.units population
        uint    pset.load 149
        uint    pset.size 1
        string  pset.comment

        cpu
            int     cpu.sys_id 1
            string  cpu.comment
            string  cpu.status on-line

Because you have not modified any pool configuration here, you will see the default resource pool configuration.

10. Exit the zone choczone.

root@choczone:~# exit

Task 4: Removing the Resource Pool Configuration

1. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password. Assume administrator privileges.

2. Remove the pool configuration from grandmazone by using the zonecfg command.

root@s11-server1:~# zonecfg -z grandmazone clear pool

3. Reboot grandmazone. Check the zone to see if it is up and running.

root@s11-server1:~# zlogin grandmazone init 6
root@s11-server1:~# zoneadm list -iv
  ID NAME          STATUS     PATH                 BRAND    IP
   0 global        running    /                    solaris  shared
   2 choczone      running    /zones/choczone      solaris  excl
   3 grandmazone   running    /zones/grandmazone   solaris  excl

4. Log in to grandmazone. Use the poolcfg -dc info command to check the resource pool configuration.

root@s11-server1:~# zlogin grandmazone
[Connected to zone 'grandmazone' pts/1]
Oracle Corporation SunOS 5.11 11.1 September 2012
root@grandmazone:~# poolcfg -dc info

system default
    string  system.comment
    int     system.version 1
    boolean system.bind-default true
    string  system.poold.objectives wt-load

    pool pool_default
        int     pool.sys_id 0
        boolean pool.active true
        boolean pool.default true
        int     pool.importance 1
        string  pool.comment
        pset    pset_default

    pset pset_default
        int     pset.sys_id -1
        boolean pset.default true
        uint    pset.min 1
        uint    pset.max 65536
        string  pset.units population
        uint    pset.load 1418
        uint    pset.size 1
        string  pset.comment

        cpu
            int     cpu.sys_id 1
            string  cpu.comment
            string  cpu.status on-line
root@grandmazone:~#

Do you have any of the new resource pool information? No, only the default resource pool configuration is available and displayed.

5. Exit the grandmazone zone to return to the global zone.

root@grandmazone:~# exit
logout
[Connection to zone 'grandmazone' pts/1 closed]
root@s11-server1:~#

Note that the resource pool configuration is kept because it will be used again in subsequent practices.

Practice 6-4: Managing the Virtual Network Data Flow

Overview
Now that you have configured the resources for the zone, in this task, you manage the resources on the virtual network. It was determined by the transaction load for the choczone zone that it requires up to 100MB/s of network bandwidth to receive and process the transaction on time. To accomplish this objective, you also increase the priority of transaction handling to high.

Tasks

1. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password. Assume administrator privileges.

2. Use dladm show-link to determine the state of all the links that are currently configured in the system.

root@s11-server1:~# dladm show-link
LINK                CLASS     MTU    STATE    OVER
net1                phys      1500   unknown  --
net2                phys      1500   unknown  --
net0                phys      1500   up       --
net3                phys      1500   unknown  --
stub0               etherstub 9000   unknown  --
vnic0               vnic      9000   up       stub0
vnic1               vnic      9000   up       stub0
grandmazone/vnic1   vnic      9000   up       stub0
vnic2               vnic      9000   up       stub0
choczone/vnic2      vnic      9000   up       stub0
choczone/net0       vnic      1500   up       net0
grandmazone/net0    vnic      1500   up       net0

The same VNICs are available that you created in Practice 6-1.

3. Use the flowadm command to create a flow called http1. Define this traffic to port 80. Display the results. First create a new VNIC called vnic3.

root@s11-server1:~# dladm create-vnic -l stub0 vnic3
root@s11-server1:~# flowadm add-flow -l vnic3 -a \
transport=tcp,local_port=80 http1
root@s11-server1:~# flowadm show-flow
FLOW        LINK        IPADDR        PROTO  LPORT   RPORT   DSFLD
http1       vnic3       --            tcp    80      --      --

In this case, the name of the new flow control is http1 and it controls the vnic3 configuration.

4. Use the flowadm command to set the maximum bandwidth of the flow property to 100 Mbps on the http1 flow. Show the results.

root@s11-server1:~# flowadm set-flowprop -p maxbw=100M http1
root@s11-server1:~# flowadm show-flowprop http1
FLOW         PROPERTY        VALUE          DEFAULT        POSSIBLE
http1        maxbw           100            --             --

Note: The bandwidth capping is demonstrated here for training purposes only. On the job, you may also have to manage the bandwidth by increasing or decreasing it.
This would be based on the transactions running for your business application.

5. Use the dladm command to set the link property priority to high on the vnic3 link. Display the results.

root@s11-server1:~# dladm set-linkprop -p priority=high vnic3
root@s11-server1:~# dladm show-linkprop -p priority vnic3
LINK     PROPERTY        PERM VALUE        DEFAULT   POSSIBLE
vnic3    priority        rw   high         high      low,medium,high

Practice 6-5: Removing Part of the Virtual Network

Overview
In this task, you delete the network flow. Other virtual network components and the zones are not being deleted because they will be used in the subsequent practices.

Task

1. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password. Assume administrator privileges.

2. Use the flowadm command to delete the flow. Display the results.

root@s11-server1:~# flowadm show-flow
FLOW        LINK        IPADDR        PROTO  LPORT   RPORT   DSFLD
http1       vnic3       --            tcp    80      --      --
root@s11-server1:~# flowadm remove-flow -l vnic3
root@s11-server1:~# flowadm show-flow

3. Use the dladm command to display and delete the links. Display the results.

root@s11-server1:~# dladm show-link
LINK                CLASS     MTU    STATE    OVER
net1                phys      1500   unknown  --
net2                phys      1500   unknown  --
net0                phys      1500   up       --
net3                phys      1500   unknown  --
stub0               etherstub 9000   unknown  --
vnic0               vnic      9000   up       stub0
vnic1               vnic      9000   up       stub0
grandmazone/vnic1   vnic      9000   up       stub0
vnic2               vnic      9000   up       stub0
choczone/vnic2      vnic      9000   up       stub0
choczone/net0       vnic      1500   up       net0
grandmazone/net0    vnic      1500   up       net0
vnic3               vnic      9000   up       stub0

4. Use the dladm command to delete the vnic3 link.

root@s11-server1:~# dladm delete-vnic vnic3

5. Use the dladm command to display the links.

root@s11-server1:~# dladm show-link
LINK                CLASS     MTU    STATE    OVER
net1                phys      1500   unknown  --
net2                phys      1500   unknown  --
net0                phys      1500   up       --
net3                phys      1500   unknown  --
stub0               etherstub 9000   unknown  --
vnic0               vnic      9000   up       stub0
vnic1               vnic      9000   up       stub0
grandmazone/vnic1   vnic      9000   up       stub0
vnic2               vnic      9000   up       stub0
choczone/vnic2      vnic      9000   up       stub0
choczone/net0       vnic      1500   up       net0
grandmazone/net0    vnic      1500   up       net0

This configuration will be used in future practices.

Practices for Lesson 7: Managing Services and Service Properties
Chapter 7
Practice Overview for Lesson 7

Practices Overview
In these practices, you are given a plan for configuring, restoring, and maintaining the Oracle Solaris 11.1 services and getting acquainted with various service profiles.

According to the predeployment plan, the time has come for you to evaluate the Service Management Facility (SMF) services. You have been tasked with working with multiple scenarios to test the SMF functionality. In support of your business applications, in certain cases, you may have to create, troubleshoot, and modify the services and the service profiles.

The key areas explored in the practices are:
• Configuring SMF services
• Restoring and recovering a service
• Working with service profiles

Note: In many cases, your command output displays may be different from the displays in the practice. Some examples would be storage, process IDs, and session-oriented and system-generated information.

Check your progress. You just completed the zones lesson and now you are working with Services.

√   Oracle Solaris 11.1 Predeployment Checklist
√   Managing the Image Packaging System (IPS) and Packages
√   Installing Oracle Solaris 11.1 on Multiple Hosts
√   Managing the Business Application Data
√   Configuring Network and Traffic Failover
√   Configuring Zones and the Virtual Network
    Managing Services and Service Properties
    Configuring Privileges and Role-Based Access Control
    Securing System Resources by Using Oracle Solaris Auditing
    Managing Processes and Priorities
    Evaluating System Resources
    Monitoring and Troubleshooting System Failures
Practice 7-1: Configuring SMF Services

Overview
As part of the predeployment testing plan, you are given the task of creating a simple service that can also assist you in modifying a service. You will call this new service crmsvc, which has been designed to monitor the CRM processes. In addition, you will also modify environment variables and properties of actively running services. For example, you will determine any memory leaks caused by the running programs and turn on the TCP trace.

In this practice, you work with SMF services in the following areas:
• Creating and exporting a service
• Modifying a service
• Changing an environment variable for a service
• Changing a property for a service controlled by inetd

Task 1: Creating and Exporting a Service

1. Verify that the Sol11-Server1 virtual machine is running. If it is not running, start it now. Double-click the Sol11-Desktop icon to launch the Sol11-Desktop virtual machine.

2. Log in to the Sol11-Desktop virtual machine as the user oracle. Use the password oracle1.

3. Right-click the desktop background and open a terminal window.

4. In the terminal window, run the su - command to assume administrator privileges.

oracle@s11-desktop:~$ su -
Password:
Oracle Corporation SunOS 5.11 11.1 September 2012
root@s11-desktop:~#

5. Verify that the user sstudent exists. If not, create the user sstudent and then confirm that the user has been created.
root@s11-desktop:~# tail /etc/passwd
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
aiuser:x:60003:60001:AI User:/:
pkg5srv:x:97:97:pkg(5) server UID:/:
oracle:x:60004:10:Oracle:/home/oracle:/usr/bin/bash
…
…
…
sstudent:x:60008:10:super student:/export/home/sstudent:/bin/sh

Note: The user sstudent has been created so that you can create a new service as a non-administrative user. Because you must have the appropriate privileges, you will perform some steps as an administrative user.

If sstudent does not exist, run the following command:

root@s11-desktop:~# useradd -u 60008 -g 10 -d \
/export/home/sstudent -m -s /bin/bash -c "super student" sstudent

6. As the sstudent user, create the smf directory in your home directory. Create a file called monitor.crm with the contents shown below. Finally, grant the execution permission on the script.

root@s11-desktop:~# su - sstudent
Oracle Corporation SunOS 5.11 11.1 September 2012
sstudent@s11-desktop:~$ pwd
/export/home/sstudent
sstudent@s11-desktop:~$ mkdir smf
sstudent@s11-desktop:~$ ls
local.cshrc local.login local.profile smf
sstudent@s11-desktop:~$ cd smf
sstudent@s11-desktop:~/smf$ vi monitor.crm
sstudent@s11-desktop:~/smf$ cat monitor.crm
#!/bin/sh
echo "crm monitoring service" > /export/home/sstudent/smf/crmrep
sstudent@s11-desktop:~/smf$ chmod 774 monitor.crm

After creating the script, you granted the execute permission on the script so it can be executed.

7. Exit the sstudent user account to return to the administrative user to configure the service. Use the svccfg command to copy an existing service to serve as a template.

sstudent@s11-desktop:~/smf$ exit
root@s11-desktop:~# svccfg export system/utmp > \
/var/svc/manifest/site/crmsvc.xml

Instead of starting the manifest file from scratch, you will have this template to work with.

8. Edit the crmsvc.xml file to match the contents displayed. Your file should match these contents exactly, so make sure to delete all unnecessary tags from the template.

root@s11-desktop:~# vi /var/svc/manifest/site/crmsvc.xml
root@s11-desktop:~# more /var/svc/manifest/site/crmsvc.xml

After editing, the manifest for your test service should look like this. Review the contents for any XML tags missing, and any typing errors. Notice that exec_method matches up with your program.

9. Validate the manifest file by using the svccfg validate command.

root@s11-desktop:~# svccfg validate /var/svc/manifest/site/crmsvc.xml

Unless there are any spelling mistakes, the validate command should run fine.

10. By using the svcadm restart command, make the manifest available to SMF.

root@s11-desktop:~# svcadm restart system/manifest-import

Because the service you created is in an SMF standard manifest directory, you can just restart the manifest service. This will import the newly created service. You don't have to import the service individually. This is the recommended practice.

11. Display the service by using the svcs command. If it is disabled, enable it by using the svcadm command.
root@s11-desktop:~# svcs crmsvc
disabled       13:14:07 svc:/site/crmsvc:default
root@s11-desktop:~# svcadm enable /site/crmsvc
root@s11-desktop:~# svcs crmsvc
STATE          STIME    FMRI
online         13:43:36 svc:/site/crmsvc:default

Is your service enabled and online? Yes.

12. Now verify that the command echo was executed by using the new service.

root@s11-desktop:~# cat /export/home/sstudent/smf/crmrep
crm monitoring service

The action you had specified in the monitor.crm was executed by bringing up the service, resulting in echoing the above string to the crmrep file. This is how you can execute a program as a service.

Task 2: Modifying Service Configuration

Overview
The following tasks will introduce the various types of service modifications, for example, the service environment variables, network service properties and process to service conversion.

In this practice, you will work with SMF services in the following areas:
• Changing an environment variable for a service
• Changing a property of a service controlled by inetd

Task 2A: Change an Environment Variable for a Service

1. Double-click the Sol11-Desktop icon to launch the Sol11-Desktop virtual machine.

2. Log in to the virtual machine Sol11-Desktop as the user oracle. Use the password oracle1.

3. Right-click the desktop background and open a terminal window.

4. In the terminal window, run the su - command to assume administrator privileges.

oracle@s11-desktop:~$ su -
Password: oracle1
Oracle Corporation SunOS 5.11 11.1 September 2012
root@s11-desktop:~#

5. By using the svcs command, check to see if the cron service is running.

    root@s11-desktop:~# svcs system/cron
    STATE    STIME    FMRI
    online   6:52:52  svc:/system/cron:default

The cron service is up and running.

6. Use the svccfg command to modify the memory environment variables for the cron service.

    root@s11-desktop:~# svccfg -s system/cron:default setenv \
    UMEM_DEBUG default
    root@s11-desktop:~# svccfg -s system/cron:default setenv \
    LD_PRELOAD libumem.so

The two environment variables are configured for the cron service for debugging the memory leaks while the cron service is executing a program.

7. Refresh and restart the cron service by using the svcadm command to make the changes effective.

    root@s11-desktop:~# svcadm refresh system/cron
    root@s11-desktop:~# svcadm restart system/cron

8. Verify that the environment variables have been modified.

Note: Use the back tick key on the keyboard to enclose the pgrep command. Look for the back tick below the tilde (~) key on the keyboard.

    root@s11-desktop:~# pargs -e `pgrep -f /usr/sbin/cron`
    1593: /usr/sbin/cron
    …
    …
    envp[10]: LD_PRELOAD=libumem.so
    …
    …
    envp[19]: UMEM_DEBUG=default
    envp[20]: A__z="*SHLVL

Your display may be slightly different.

Are the configured environment variables displayed in the output? Yes, envp[10] and envp[19] show the new values.

This command is helpful when you need to debug or monitor programs for memory leaks. In order to find the memory leaks in the programs, you need knowledge of Oracle Solaris debugging tools like mdb. The debugging topic is covered in a more specialized course like Oracle Solaris 11 Performance Management.
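
The check below is an added example, not part of the Oracle guide: it reads pargs -e output in the layout shown in step 8 and reports runtime-linker and libumem debugging variables left in a service's environment, which matters for a root-run service such as cron once the exercise is over. The second process in the sample and the variable lists are assumptions made for illustration.

```python
import re

# Runtime-linker variables that change which libraries a process loads.
# LD_PRELOAD is the one set in Task 2A; _32/_64 variants share these prefixes.
LOADER_PREFIXES = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "LD_CONFIG")
# libumem debugging switches; UMEM_DEBUG is the one set in Task 2A.
DEBUG_VARS = ("UMEM_DEBUG", "UMEM_LOGGING")

PROC_RE = re.compile(r"^(\d+):\s+(\S.*)$")
ENVP_RE = re.compile(r"^envp\[(\d+)\]:\s*([^=\s]+)=(.*)$")

# Constructed sample in the layout of the pargs -e output shown above.
# Process 2201 and its variables are invented for the example.
SAMPLE = """\
1593: /usr/sbin/cron
envp[0]: LANG=C
envp[10]: LD_PRELOAD=libumem.so
envp[19]: UMEM_DEBUG=default
envp[20]: A__z="*SHLVL
2201: /usr/lib/constructed-daemon
envp[0]: PATH=/usr/sbin:/usr/bin
envp[1]: LD_LIBRARY_PATH_64=/opt/constructed/lib
"""


def parse_pargs_env(text):
    """Return {pid: {"cmd": str, "env": {name: value}}} from pargs -e output."""
    procs, pid = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            pid = int(m.group(1))
            procs[pid] = {"cmd": m.group(2), "env": {}}
            continue
        m = ENVP_RE.match(line)
        if m and pid is not None:
            procs[pid]["env"][m.group(2)] = m.group(3)
        # Anything else (elided lines, blanks) is ignored.
    return procs


def audit_env(procs):
    """List (pid, cmd, name, value, reason) for variables worth reviewing."""
    findings = []
    for pid, info in sorted(procs.items()):
        for name, value in info["env"].items():
            if name.startswith(LOADER_PREFIXES):
                reason = "runtime linker override"
                # Assumption: the preload value is a whitespace-separated list.
                if name.startswith("LD_PRELOAD") and any(
                    not lib.startswith("/") for lib in value.split()
                ):
                    reason += ", library not given as an absolute path"
                findings.append((pid, info["cmd"], name, value, reason))
            elif name in DEBUG_VARS:
                findings.append(
                    (pid, info["cmd"], name, value, "allocator debugging enabled")
                )
    return findings


if __name__ == "__main__":
    for finding in audit_env(parse_pargs_env(SAMPLE)):
        print("%d %s: %s=%s (%s)" % finding)
```
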

Task 2B: Change a Property for an inetd-Controlled Service

1. Verify that the Sol11-Server1 virtual machine is running. If it is not, start it now.
2. Log in to the virtual machine Sol11-Server1 as the user oracle. Use the password oracle1.
3. Assume administrator privileges.

    oracle@s11-server1:~$ su
    Password: oracle1
    Oracle Corporation SunOS 5.11 11.1 September 2012
    root@s11-server1:~#

4. By using the inetadm command, list the properties of the telnet service.

    root@s11-server1:~# inetadm -l svc:/network/telnet:default
    SCOPE    NAME=VALUE
             name="telnet"
             endpoint_type="stream"
             proto="tcp6"
             isrpc=FALSE
             wait=FALSE
             exec="/usr/sbin/in.telnetd"
             user="root"
    default  bind_addr=""
    default  bind_fail_max=-1
    default  bind_fail_interval=-1
    default  max_con_rate=-1
    default  max_copies=-1
    default  con_rate_offline=-1
    default  failrate_cnt=40
    default  failrate_interval=60
    default  inherit_env=TRUE
    default  tcp_trace=FALSE
    default  tcp_wrappers=FALSE
    default  connection_backlog=10
    default  tcp_keepalive=FALSE

Is the tcp_trace property for telnet enabled? No, because it says false in the entry.

5. Use the inetadm command to enable tcp_trace on the telnet service. Confirm the action.

    root@s11-server1:~# inetadm -m svc:/network/telnet:default tcp_trace=TRUE
    root@s11-server1:~# inetadm -l svc:/network/telnet:default
    SCOPE    NAME=VALUE
             name="telnet"
    …
    …
    …
    default  inherit_env=TRUE
             tcp_trace=TRUE
    default  tcp_wrappers=FALSE
    default  connection_backlog=10
    default  tcp_keepalive=FALSE

Why do we need to turn on tcp_trace? So the telnet connections can be monitored.

Is the tcp_trace enabled now for the telnet service? Yes.

6. Start verifying the tcp_trace by using the telnet command to connect to the localhost and the exit command to log out.

Note: If you are unable to connect, the telnet service may be down. You can bring it up by using the command: # svcadm enable network/telnet

    root@s11-server1:~# telnet localhost
    Trying ::1…
    Connected to s11-server1.
    Escape character is '^]'.
    login: oracle
    Password: oracle1
    Last login: Thu Dec 15 07:08:43 on s11-desktop
    Oracle Corporation SunOS 5.11 11.1 September 2012
    oracle@s11-server1:~# exit
    logout
    Connection to s11-server1 closed by foreign host.

7. Because you created the connection, you can check if the tcp_trace property is logging the message. Check whether any message was logged in the /var/adm/messages file.

    root@s11-server1:~# tail -1 /var/adm/messages
    Dec 15 08:27:57 s11-server1 inetd[787]: [ID 317013 daemon.notice] telnet[13363] from 127:0:0:1 57330

Note: -1 in the command is the digit one. By using the tail command with -1 option, you display the last or most current message.

Is the telnet connection logged? Yes.

8. Confirm the entry in /etc/syslog.conf, which is configured to log this message.

    root@s11-server1:~# grep /var/adm/messages /etc/syslog.conf
    *.err;kern.debug;daemon.notice;mail.crit ... ... /var/adm/messages

Notice that the daemon.notice facility messages are configured to be written to /var/adm/messages.

Who is writing the trace messages to /var/adm/messages? The syslogd daemon.

Task 2C: Modify the Manifest for a Service

1. Double-click the Sol11-Desktop icon to launch the S11-Desktop virtual machine.
2. Log in to the virtual machine S11-Desktop as the user oracle. Use the password oracle1.
3. Right-click the desktop background and open a terminal window.
4. In the terminal window, run the su - command to assume administrator privileges.

    oracle@s11-desktop:~$ su -
    Password: oracle1
    Oracle Corporation SunOS 5.11 11.1 September 2012
    root@s11-desktop:~#

5. By using the svcs command, check the status of the crmsvc service you created earlier in Practice 7-1, Task 1. Disable this service and display the result.

Note: If the crmsvc service should appear in a maintenance state when you run the svcs crmsvc command the first time, disable the service, refresh it, and then enable it to bring it back into an online state.

    root@s11-desktop~# svcs crmsvc
    online 10:04:44 svc:/site/crmsvc:default
    root@s11-desktop:~# svcadm disable crmsvc
    root@s11-desktop:~# svcs crmsvc
    STATE     STIME     FMRI
    disabled  10:07:59  svc:/site/crmsvc:default

Notice that at this time crmsvc is disabled.

6. Use the cd command to switch to sstudent’s smf directory. Display the directory’s contents.

    root@s11-desktop~# cd /export/home/sstudent/smf;ls
    crmrep monitor.crm

7. By using the cp command, copy the file monitor.crm as monitor1.crm. By using the vi editor, modify the contents of monitor1.crm as indicated below.

    root@s11-desktop:/home/sstudent/smf# cp monitor.crm monitor1.crm
    root@s11-desktop:/home/sstudent/smf# vi monitor1.crm
    root@s11-desktop:/home/sstudent/smf# cat monitor1.crm
    #!/bin/sh
    echo "here is your modified crm monitoring service" > /export/home/sstudent/smf/crmrep

Your modified service should record this new message in the crmrep file.

8. Use the cd command to switch to the manifest directory. Edit the crmsvc.xml to refer to monitor1.crm instead of monitor.crm.

    root@s11-desktop:/home/sstudent/smf# cd /var/svc/manifest/site
    root@s11-desktop:/var/svc/manifest/site# ls
    crmsvc.xml
    root@s11-desktop:/var/svc/manifest/site# vi crmsvc.xml
    root@s11-desktop:/var/svc/manifest/site# grep monitor crmsvc.xml

[Make sure you delete the dependency and dependent tags.]
[Make sure you delete the stability value and template tags and their associated information]

    root@s11-desktop:/var/svc/manifest/site# cd
    root@s11-desktop:~#

9. By using the svcadm command, restart the manifest-import service. Enable crmsvc and confirm the service is online.

    root@s11-desktop:~# svcadm restart manifest-import
    root@s11-desktop:~# svcadm restart crmsvc
    root@s11-desktop:~# svcadm enable crmsvc
    root@s11-desktop:~# svcs crmsvc
    online 10:27:25 svc:/site/crmsvc:default

The service is online.

10. By using the cat command, display the new contents of the report.

    root@s11-desktop:~# cat /export/home/sstudent/smf/crmrep
    here is your modified crm monitoring service

So what was the purpose of modifying the service manifest? To demonstrate that these are the steps you take to modify an existing service. The modified service is executing a different program monitor1.crm.

Practice 7-2: Working with Service Profiles

Overview
In this practice, you evaluate the current service profile. Based on your business application environment, you want to make sure that only the required services are enabled at the system startup. In addition, you learn how to limit remote access to your host by using a network profile. The following activities are addressed:
• Creating an SMF profile
• Applying an SMF profile
• Changing the services and their configuration by using the netservices command

Tasks

1. Double-click the Sol11-Desktop icon to launch the Sol11-Desktop virtual machine.
2. Log in to the Sol11-Desktop virtual machine as the user oracle. Use the password oracle1.
3. Right-click the desktop background and open a terminal window.
4. In the terminal window, run the su - command to assume administrator privileges.

    oracle@s11-desktop:~$ su -
    Password: oracle1
    Oracle Corporation SunOS 5.11 11.1 September 2012
    root@s11-desktop:~#

5. Use the svcs command to check the current status of cups/scheduler service.

    root@s11-desktop:~# svcs cups/scheduler
    online 16:48:33 svc:/application/cups/scheduler:default

Currently, the service is enabled.

6. Use the command svccfg extract to copy the currently active SMF profile into a file called profile.xml.

    root@s11-desktop:~# svccfg extract > profile.xml

7. By using the vi editor, modify the extracted file profile.xml. Change the enabled property of application/cups/scheduler service from true to false.

    root@s11-desktop:~# vi profile.xml
    root@s11-desktop:~# more profile.xml
    …
    …
    …
    …
    …
    …

After you apply the configuration, this cups/scheduler service will be disabled.

8. Use the svccfg command to apply the modified profile.

    root@s11-desktop:~# svccfg apply profile.xml

Note: Allow the OS to apply the changes. It will take a few minutes.

    root@s11-desktop:~# svcs cups/scheduler
    disabled 16:48:33 svc:/application/cups/scheduler:default

Notice the cups/scheduler service is disabled.

Refresh and then enable the service by using the svcadm enable command. As a last step, verify that the service is now back online.

    root@s11-desktop:~# svcadm refresh cups/scheduler
    root@s11-desktop:~# svcadm enable cups/scheduler
    root@s11-desktop:~# svcs cups/scheduler
    online 16:50:15 svc:/application/cups/scheduler:default

The service is once again enabled.
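
Task 2B of Practice 7-1 ends by reading a single inetd tcp_trace record with tail. The added example below (not part of the Oracle guide) parses such records from /var/adm/messages and reports non-loopback sources that open several connections in a short window. The regular expression is modelled on the one record shown in that task, every log line except the first is constructed, and the threshold and window values are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Modelled on the single tcp_trace record printed in Task 2B (assumed layout).
TRACE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+inetd\[\d+\]:\s+"
    r"\[ID\s+\d+\s+(?P<prio>[\w.]+)\]\s+(?P<svc>[\w/-]+)\[(?P<pid>\d+)\]\s+"
    r"from\s+(?P<addr>\S+)\s+(?P<port>\d+)$"
)

# First line is the record from the page; the rest are constructed and use
# documentation address ranges.
SAMPLE_LOG = """\
Dec 15 08:27:57 s11-server1 inetd[787]: [ID 317013 daemon.notice] telnet[13363] from 127:0:0:1 57330
Dec 15 08:30:01 s11-server1 inetd[787]: [ID 317013 daemon.notice] telnet[13401] from 192.0.2.10 40112
Dec 15 08:30:09 s11-server1 inetd[787]: [ID 317013 daemon.notice] telnet[13402] from 192.0.2.10 40113
Dec 15 08:30:20 s11-server1 inetd[787]: [ID 317013 daemon.notice] telnet[13405] from 192.0.2.10 40119
Dec 15 08:45:00 s11-server1 inetd[787]: [ID 317013 daemon.notice] telnet[13490] from 198.51.100.7 51000
Dec 15 08:46:12 s11-server1 cron[1593]: [ID 100000 daemon.notice] constructed non-inetd line
""".splitlines()


def is_loopback(addr):
    """True for loopback sources, including the 127:0:0:1 form seen on the page."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        if not re.fullmatch(r"\d{1,3}(:\d{1,3}){3}", addr):
            return False
        try:
            ip = ipaddress.ip_address(addr.replace(":", "."))
        except ValueError:
            return False
    # IPv4-mapped IPv6 addresses are judged by the embedded IPv4 address.
    mapped = getattr(ip, "ipv4_mapped", None)
    return (mapped or ip).is_loopback


def parse_trace(lines):
    """Return one dict per tcp_trace record; other syslog lines are skipped."""
    events = []
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        # syslog timestamps carry no year; a fixed leap year is enough for deltas.
        ev["time"] = datetime.strptime("2000 " + ev["ts"], "%Y %b %d %H:%M:%S")
        ev["loopback"] = is_loopback(ev["addr"])
        events.append(ev)
    return events


def remote_bursts(events, threshold=3, window=60):
    """Map (service, source) to the largest number of connections seen inside
    any `window` seconds, for non-loopback sources that reach `threshold`."""
    by_src = {}
    for ev in events:
        if not ev["loopback"]:
            by_src.setdefault((ev["svc"], ev["addr"]), []).append(ev["time"])
    bursts = {}
    for key, times in by_src.items():
        times.sort()
        start = best = 0
        for end, stamp in enumerate(times):
            while (stamp - times[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_LOG)
    for ev in evs:
        where = "local" if ev["loopback"] else "REMOTE"
        print(ev["ts"], ev["svc"], ev["addr"], ev["port"], where)
    print(remote_bursts(evs))
```
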

Practice 7-3: Restoring and Recovering a Service

Overview
Your predeployment test plan calls for various SMF service scenarios. This practice covers most of the repair and restore scenarios when a service or the SMF repository has become defective. The following areas will be addressed in this practice:
• Restoring a service in the maintenance state
• Reverting to a previous SMF snapshot
• Repairing a corrupt repository
• Debugging a service that is not starting

Task 1: Restore a Service in the maintenance State
Now you look at a service which will be in the maintenance state. In a training scenario like this, you will make a spelling error in the service manifest file, and observe the service going into the maintenance state and correct the problem.

1. Double-click the Sol11-Desktop icon to launch the Sol11-Desktop virtual machine.
2. Log in to the Sol11-Desktop virtual machine as the user oracle. Use the password oracle1.
3. Right-click the desktop background and open a terminal window.
4. In the terminal window, run the su - command to assume administrator privileges.

    oracle@s11-desktop:~$ su -
    Password: oracle1
    Oracle Corporation SunOS 5.11 11.1 September 2012
    root@s11-desktop:~#

5. Use the svcs command to check if the crmsvc service is running.

    root@s11-desktop:~# svcs crmsvc
    STATE    STIME     FMRI
    online   10:27:25  svc:/site/crmsvc:default

6. By using vi (or any other UNIX editor), delete the last letter ‘m’ from the file name monitor1.crm in the method block as indicated. Save the changes.

    root@s11-desktop:~# cd /var/svc/manifest/site
    root@s11-desktop:/var/svc/manifest/site# vi crmsvc.xml

    E: basic
    I: basic
    P: basic
    L: all

Because you are logged in as jholt, the current process shows your privileges, which could be different for different accounts based on the privileges granted by the system administrator.

Why would you want to use the -v option with this command? Issue the command and analyze the difference. Refer to Task 1 if you need help.

Practices for Lesson 8: Configuring Privileges and Role Based Access Control

    jholt@s11-server1:~$ ls -ld /export/home/jmoose/docs
    drwxr-xr-x 2 jmoose staff 2 Dec 15 03:00 /export/home/jmoose/docs
    jholt@s11-server1:~$

Before you change the ownership of the docs directory in jmoose’s home directory, you want to make sure jmoose is (of course!) the owner.

8. As the jholt user, use the chown command to change the ownership of the docs directory to jholt.

    jholt@s11-server1:~$ chown jholt /export/home/jmoose/docs
    chown: /export/home/jmoose/docs: Not owner

As expected, since jholt does not have the privilege to execute the chown command, a message is displayed.

9. Use the ppriv command in debug mode to determine what privilege is missing.

    jholt@s11-server1:~$ ppriv -eD chown jholt \
    /export/home/jmoose/docs
    chown[1737]: missing privilege "file_chown" (euid = 60005, syscall = 56) for "/export/home/jmoose/docs" needed at zfs_setattr+0xbb3
    chown: /export/home/jmoose/docs: Not owner

Can you tell which privilege is needed by jholt? The file_chown privilege. The -D option is for debugging.

10. Use the truss command to determine what privilege is missing.

    jholt@s11-server1:~$ truss chown jholt /export/home/jmoose/docs
    execve("/usr/bin/chown", 0x08047E58, 0x08047E68) argc = 3
    sysinfo(SI_MACHINE, "i86pc", 257) = 6
    mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFEFB0000
    mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFEFA0000
    …
    …
    …
    lstat64("/export/home/jmoose/docs", 0x08064010) = 0
    chown("/export/home/jmoose/docs", 60005, -1) Err#1 EPERM [file_chown]
    fstat64(2, 0x08046D90) = 0
    chown: write(2, " c h o w n : ", 7) = 7
    open("/usr/lib/locale/en_US.UTF-8/LC_MESSAGES/SUNW_OST_OSLIB.mo", O_RDONLY) Err#2 ENOENT
    /export/home/jmoose/docswrite(2, " / e x p o r t / h o m e".., 24) = 24
    : write(2, " : ", 2) = 2
    Not ownerwrite(2, " N o t   o w n e r", 9) = 9
    write(2, "\n", 1) = 1
    _exit(1)

The truss utility is also used for debugging purposes. As you see, this utility also reports that the file_chown privilege is missing (although not in plain English text).

11. Exit the jholt account and as the administrator, use the usermod command to grant jholt the file_chown privilege. Confirm the entry in the /etc/user_attr file.

    jholt@s11-server1:~$ exit
    logout
    root@s11-server1:~# usermod -K defaultpriv=basic,file_chown jholt
    root@s11-server1:~# grep jholt /etc/user_attr
    jholt::::defaultpriv=basic,file_chown

Here you have granted jholt the file_chown privilege. Note that you are only interested in granting him the file_chown privilege, but you must include the basic privilege also because the defaultpriv keyword will replace all his privileges with any specified privileges. This file is used to record special privileges to users or roles. This facility is covered in detail in the next practice.

12. Log back in to jholt’s account. Now issue that chown command. Confirm the ownership of the docs directory.

    root@s11-server1:~# su - jholt
    Oracle Corporation SunOS 5.11 11.1 September 2012
    jholt@s11-server1:~$ chown jholt /export/home/jmoose/docs
    jholt@s11-server1:~$ ls -ld /export/home/jmoose/docs
    drwxr-xr-x 2 jholt staff 2 Dec 15 03:00 /export/home/jmoose/docs

Success! You were able to successfully change the ownership to jholt. Return the ownership of the docs directory to jmoose, so that you can use this setup again.

    jholt@s11-server1:~$ chown jmoose /export/home/jmoose/docs
    jholt@s11-server1:~$ ls -ld /export/home/jmoose/docs
    drwxr-xr-x 2 jmoose staff 2 Dec 15 03:00 /export/home/jmoose/docs

Task 2B: Limiting the Privileges of a User
The following activities are covered in this task:
• Limiting the privileges of a user
• Determining the privileged commands you can use

1. In the jholt account, use the ps -ef command to display the current processes.

    jholt@s11-server1:~$ ps -ef | more
    UID     PID  PPID  C  STIME     TTY  TIME  CMD
    root      0     0  0  01:07:24  ?    0:04  sched
    root      5     0  0  01:07:22  ?    0:07  zpool-rpool
    root      1     0  0  01:07:25  ?    0:00  /usr/sbin/init
    root      2     0  0  01:07:25  ?    0:00  pageout
    root      3     0  0  01:07:25  ?    0:05  fsflush
    root      6     0  0  01:07:25  ?    0:00  intrd
    root      7     0  0  01:07:25  ?    0:00  vmtasks
    root    427     1  0  01:08:57  ?    0:00  /sbin/dhcpagent
    root     10     1  0  01:07:27  ?    0:05  /lib/svc/bin/svc.startd
    root     12     1  0  01:07:27  ?    0:36  /lib/svc/bin/svc.configd
    daemon   75     1  0  01:07:52  ?    0:00  /lib/crypto/kcfd
    netadm   96     1  0  01:07:57  ?    0:00  /lib/inet/ipmgmtd
    root    114     1  0  01:08:07  ?    0:00  /lib/inet/in.mpathd
    dladm    43     1  0  01:07:43  ?    0:00  /usr/sbin/dlmgmtd
    netcfg   48     1  0  01:07:45  ?    0:00  /lib/inet/netcfgd
    …
    …
    …

At this time, with the current privileges, are you able to view any processes started by others? Yes.

2. Exit the jholt account and as the administrator, launch a Korn shell and use the usermod command to limit jholt’s privileges.

    jholt@s11-server1:~$ exit
    logout
    root@s11-server1:~# ps
    PID    TTY    TIME  CMD
    14050  pts/1  0:00  ps
    13919  pts/1  0:00  su
    13920  pts/1  0:00  bash
    root@s11-server1:~# usermod -K defaultpriv=basic,!proc_info jholt
    -bash: !proc_info: event not found

As the message says, the bash shell is not aware of the !proc_info event. Switch to ksh.

    root@s11-server1:~# ksh
    root@s11-server1:~# ps
    PID    TTY    TIME  CMD
    14051  pts/1  0:00  ksh
    14056  pts/1  0:00  ps
    13919  pts/1  0:00  su
    13920  pts/1  0:00  bash
    root@s11-server1:~# usermod -K defaultpriv=basic,!proc_info jholt
    root@s11-server1:~# grep jholt /etc/user_attr
    jholt::::defaultpriv=basic,!proc_info

Exit to Bash shell, which is your default shell.

    root@s11-server1:~# exit
    root@s11-server1:~# ps
    PID    TTY    TIME  CMD
    14067  pts/1  0:00  ps
    13919  pts/1  0:00  su
    13920  pts/1  0:00  bash

You have taken away the process view privilege from jholt. Can you guess if he can display the processes for other users? No.

3. Return to the jholt account and use the ps -ef command to display the current processes.

    root@s11-server1:~# su - jholt
    Oracle Corporation SunOS 5.11 11.1 September 2012
    jholt@s11-server1:~$ ps -ef
    UID    PID    PPID   C  STIME     TTY    TIME  CMD
    jholt  12501  12500  0  04:34:45  pts/2  0:00  -bash
    jholt  12505  12501  0  04:34:49  pts/2  0:00  ps -ef
    jholt@s11-server1:~$

Are you able to view processes for other users? No. Why? Because the administrator has taken away the proc_info privilege.

Did you remember to log back in to jholt’s account? Yes. Why? To make the new privileges effective.

How would you find out if jholt still has the privilege to execute the chown command?
a) issue the chown command on a file as demonstrated earlier
OR
b) check jholt’s privileges

4. Exit the jholt account and as the administrator, replace the original privileges for the jholt account.

    jholt@s11-server1:~$ exit
    logout
    root@s11-server1:~# usermod -K defaultpriv=basic jholt
    root@s11-server1:~# grep jholt /etc/user_attr
    jholt::::defaultpriv=basic

Now John Holt should be able to use all the privileges included in the basic rights profile. You will learn more about profiles in the next practice.

Can you determine the privileges included in the basic privilege set? Yes, use the ppriv command.

5. Now you are curious. You want to know what privileges John Holt has. As John Holt, use the commands profiles, roles, and auths to view the privileges.

    root@s11-server1:~# su - jholt
    Oracle Corporation SunOS 5.11 11.1 September 2012
    jholt@s11-server1:~$ profiles
    Basic Solaris User
    All
    jholt@s11-server1:~$ roles
    No roles
    jholt@s11-server1:~$ auths
    solaris.admin.wusb.read,solaris.mail.mailq,solaris.network.autoconf.read

If any special profiles, roles, or individual authorizations are assigned to John Holt, they will be displayed here. These facilities are part of Role-Based Access Control, which will be covered in the next practice.

6. Use the profiles -l command to see more details of the privileges assigned to John Holt.

    jholt@s11-server1:~$ profiles -l
    Basic Solaris User
        auths=solaris.mail.mailq,solaris.device.mount.removable,solaris.admin.wusb.read
        profiles=All
        /usr/bin/cdrecord.bin privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
        /usr/bin/readcd.bin privs=file_dac_read,sys_devices,net_privaddr
        /usr/bin/cdda2wav.bin privs=file_dac_read,sys_devices,proc_priocntl,net_privaddr
    All
        *

These are the same profiles you displayed in the previous step. However, the privileges connected to the profiles are also displayed.

Exit the jholt account.

    jholt@s11-server1:~$ exit
    logout
    root@s11-server1:~#
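
The added example below (not part of the Oracle guide) ties Tasks 2A and 2B together: it extracts the missing privilege from the ppriv -eD and truss lines shown above, reviews user_attr entries for defaultpriv deviations, and merges a needed privilege into an existing defaultpriv value instead of replacing it. The svcacct entry and the function names are assumptions, and an entry without defaultpriv is assumed to get basic.

```python
import re

# Patterns modelled on the two diagnostic lines shown in Task 2A (assumed layout).
PPRIV_RE = re.compile(
    r'^(?P<cmd>\S+)\[(?P<pid>\d+)\]: missing privilege "(?P<priv>\w+)" '
    r'\(euid = (?P<euid>\d+), syscall = (?P<syscall>\d+)\)'
    r'(?: for "(?P<path>[^"]*)")? needed at (?P<at>\S+)$'
)
TRUSS_RE = re.compile(r"Err#\d+\s+EPERM\s+\[(\w+)\]")

# Diagnostic output copied from steps 9 and 10 of Task 2A.
PPRIV_OUT = '''chown[1737]: missing privilege "file_chown" (euid = 60005, syscall = 56) for "/export/home/jmoose/docs" needed at zfs_setattr+0xbb3
chown: /export/home/jmoose/docs: Not owner'''
TRUSS_OUT = 'chown("/export/home/jmoose/docs", 60005, -1) Err#1 EPERM [file_chown]'

# The three jholt entries appear on the page at different steps;
# the svcacct entry is constructed to show a defaultpriv without basic.
USER_ATTR = [
    "jholt::::defaultpriv=basic,file_chown",
    "jholt::::defaultpriv=basic,!proc_info",
    "jholt::::defaultpriv=basic",
    "svcacct::::defaultpriv=file_chown",
]


def missing_privileges(output):
    """Privilege names reported by ppriv -eD or truss, in order of appearance."""
    names = []
    for line in output.splitlines():
        m = PPRIV_RE.match(line.strip())
        hit = m.group("priv") if m else None
        if hit is None:
            t = TRUSS_RE.search(line)
            hit = t.group(1) if t else None
        if hit and hit not in names:
            names.append(hit)
    return names


def parse_user_attr(line):
    """Split a user_attr entry into (name, {key: value})."""
    fields = line.strip().split(":", 4)
    if len(fields) != 5:
        raise ValueError("not a user_attr entry: %r" % line)
    attrs = {}
    for item in fields[4].split(";"):
        key, sep, value = item.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return fields[0], attrs


def split_spec(spec):
    """Return (has_basic, added, removed) for a defaultpriv value."""
    tokens = [t.strip() for t in (spec or "basic").split(",") if t.strip()]
    added = [t for t in tokens if t != "basic" and not t.startswith("!")]
    removed = [t[1:] for t in tokens if t.startswith("!")]
    return "basic" in tokens, added, removed


def review(lines):
    """Report every entry whose defaultpriv differs from plain basic."""
    findings = []
    for line in lines:
        user, attrs = parse_user_attr(line)
        has_basic, added, removed = split_spec(attrs.get("defaultpriv"))
        if not has_basic:
            findings.append((user, "defaultpriv omits basic"))
        if added:
            findings.append((user, "adds " + ",".join(added)))
        if removed:
            findings.append((user, "removes " + ",".join(removed)))
    return findings


def merge_defaultpriv(current, needed):
    """Build a defaultpriv value that keeps the current entries and adds
    `needed`, because the keyword replaces the whole list when set."""
    tokens = [t.strip() for t in (current or "basic").split(",") if t.strip()]
    for priv in needed:
        if "!" + priv in tokens:
            tokens.remove("!" + priv)
        if priv not in tokens:
            tokens.append(priv)
    return ",".join(tokens)


if __name__ == "__main__":
    needed = missing_privileges(PPRIV_OUT)
    print("missing:", needed)
    print("new defaultpriv:", merge_defaultpriv("basic,!proc_info", needed))
    for user, note in review(USER_ATTR):
        print(user, note)
```

Because defaultpriv replaces the whole list, the usermod in Task 2B step 2 also dropped the file_chown grant from Task 2A; merging keeps both. At a bash prompt, single-quote a value containing ! so that history expansion does not rewrite it.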

Practice 8-2: Configuring Role-Based Access Control

Overview
Your predeployment test plan calls for using the Role-Based Access Control (RBAC) functionality of Oracle Solaris 11.1. By using RBAC, you can create the roles and assign them specific privileges or authorizations. You can then assign these roles to the appropriate users. This saves resources because you do not have to assign privileges to individual users. In this practice, you will work with a role sdown and Shut profile with authorization to execute the shutdown command.

The following areas are covered in this practice:
• Managing roles and profiles
• Configuring a rights profile
• Working with individual authorizations
• Creating a system-wide RBAC policy

Task 1: Manage Roles and Profiles
This task covers the following activities:
• Creating a role
• Creating or changing a rights profile
• Assigning a rights profile to a role (added)
• Assigning a role to a user
• Assuming a role
• Restricting an administrator to explicitly assigned rights

1. Verify that the Sol11-Server1 virtual machine is running. If it is not, start it now.
2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use the password oracle1.
3. Run the su - command to assume privileges.

    oracle@s11-server1:~$ su -
    Password: oracle1
    Oracle Corporation SunOS 5.11 11.1 September 2012
    root@s11-server1:~#

4. Use the roleadd command to add a role called sdown for shutdown. Using the passwd command, create a password for the sdown role.

    root@s11-server1:~# roleadd -u 3000 -g 10 -m -d \
    /export/home/sdown sdown
    80 blocks
    root@s11-server1:~# passwd sdown
    New Password: sdown123
    Re-enter new Password: sdown123
    passwd: password successfully changed for sdown

A new role is added and the password created. Use the password sdown so it can be remembered easily.

5. Verify the entries created in various files.

    root@s11-server1:~# grep sdown /etc/passwd
    sdown:x:3000:10::/export/home/sdown:/usr/bin/pfbash
    root@s11-server1:~# getent user_attr | grep sdown
    sdown::::type=role;profiles=All;roleauth=role

As you can see, an entry in /etc/passwd was created very much like an entry for a new user. Notice the default shell. An entry was also made in /etc/user_attr for sdown, which is marked as a role.

6. Use the 'profiles' command to create a 'Shut' profile that, when assigned to user, could shut down a system.

    root@s11-server1:~# profiles -p Shut
    profiles:Shut> set desc="Able to shutdown the system"
    profiles:Shut> add cmd=/usr/sbin/shutdown
    profiles:Shut:shutdown> set uid=0
    profiles:Shut:shutdown> end
    profiles:Shut> commit
    profiles:Shut> exit
    root@s11-server1:~# getent prof_attr | grep Shut
    Shut:::Able to shutdown the system:
    root@s11-server1:~# getent exec_attr | grep Shut
    Shut:solaris:cmd:::/usr/sbin/shutdown:uid=0

Here you created a new rights profile called Shut.

7. Use the rolemod command to assign the profile Shut to the sdown role.

    root@s11-server1:~# rolemod -P Shut sdown
    root@s11-server1:~# getent user_attr | grep sdown
    sdown::::type=role;profiles=Shut;roleauth=role
    root@s11-server1:~#

Note the profiles entry in the /etc/user_attr file.

8. Create a user called abell and assign her the sdown role. Create a password. Confirm that an entry is made in the /etc/user_attr file.

    root@s11-server1:~# useradd -u 60020 -g 10 -m -d \
    /export/home/abell -s /bin/bash -R sdown -c "anna bell" abell
    80 blocks
    root@s11-server1:~# passwd abell
    New Password: oracle1
    Re-enter new Password: oracle1
    passwd: password successfully changed for abell
    root@s11-server1:~# getent user_attr | grep abell
    abell:::: roles=sdown

Note the entry in /etc/user_attr for Anna Bell with the sdown role. Why? Because you assigned her the role sdown.

9. Now, log in to the abell account and use the shutdown command to reboot the system.

    root@s11-server1:~# su - abell
    Oracle Corporation SunOS 5.11 11.1 September 2012
    abell@s11-server1:~$ /usr/sbin/shutdown -i 6 -g 0
    /usr/sbin/shutdown: Only root can run /usr/sbin/shutdown

As expected, Anna Bell does not have the privileges to shut down the system.

10. Execute the profiles and roles commands to determine Anna’s privileges.

    abell@s11-server1:~$ profiles
    Basic Solaris User
    All
    abell@s11-server1:~$ roles
    sdown

Anna has been assigned the sdown role. When? When you created her account.

11. Log in with the sdown role and use the init command to shut down the system.

    abell@s11-server1:~$ su sdown
    Password: sdown123
    Oracle Corporation SunOS 5.11 11.0 November 2011
    sdown@s11-server1:~$ id
    uid=3000(sdown) gid=10(staff)
    sdown@s11-server1:~$ /usr/sbin/init 6
    init: unable to open /dev/fb to load the shutdown image
    bootadm: you must be root to run this command
    Must be super-user

Why can’t Anna reboot the system? She is not allowed the privilege of using the init command.

12. Using the profiles -l command, obtain the privileged commands that Anna can use.

    sdown@s11-server1:~$ profiles -l
    Shut
        /usr/sbin/shutdown uid=0
    Basic Solaris User
        auths=solaris.mail.mailq,solaris.network.autoconf.read,solaris.admin.wusb.read
        profiles=All
        /usr/bin/cdrecord.bin privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
        /usr/bin/readcd.bin privs=file_dac_read,sys_devices,net_privaddr
        /usr/bin/cdda2wav.bin privs=file_dac_read,sys_devices,proc_priocntl,net_privaddr
    All
        *
    sdown@s11-server1:~$

Does the sdown role have the privilege to execute the init command? No.

Can this role execute the shutdown command? Yes, as part of the Shut profile.

13. Now use the shutdown command to attempt to bring down the system. To save time, respond with n when prompted to continue shutting down.

    sdown@s11-server1:~$ /usr/sbin/shutdown -i 6 -g 0
    Shutdown started. Fri Dec 16 05:24:30 AM MDT
    Do you want to continue? (y or n): n
    Broadcast Message from root (pts/2) on s11-desktop Fri Dec 16 20 05:24:38...
    False Alarm: The system s11-server1 will not be brought down.
    Shutdown aborted.
    sdown@s11-server1:~$

Were you able to execute the shutdown command? Yes.

14. Use the profiles command to display the profiles assigned to the sdown role.

    sdown@s11-server1:~$ profiles
    Shut
    Basic Solaris User
    All

The sdown profile has three profiles assigned: Shut, Basic Solaris User, and All.

15. Log out of the sdown role and Anna’s account.

    sdown@s11-server1:~$ exit
    exit
    abell@s11-server1:~$ exit
    logout

16. Now you want to delete the Shut profile from the profiles assigned to the sdown role. Use the rolemod command to delete the profile.

    root@s11-server1:~# rolemod -P "Basic Solaris User,All,Stop" \
    sdown
    root@s11-server1:~#

Referring to the output in Step 15, by using the Stop profile, you are taking away the Shut profile from sdown. This command is especially useful if you have many (for example, 15) profiles assigned to a role and you want to limit the role to only a few profiles.

17. Log in to Anna Bell’s account, assume the sdown role, and attempt to use the shutdown command as before.

    root@s11-server1:~# su - abell
    Oracle Corporation SunOS 5.11 11.1 September 2012
    abell@s11-server1:~$ su sdown
    Password: sdown123
    sdown@s11-server1:~$ /usr/sbin/shutdown -i 6 -g 0
    /usr/sbin/shutdown: Only root can run /usr/sbin/shutdown
    sdown@s11-server1:~$ exit
    exit

You are back to where Anna Bell cannot issue the shutdown command by using the sdown role. If you display the current profiles assigned to sdown, you see only the remaining profiles.

    abell@s11-server1:~$ profiles
    Basic Solaris User
    All

Exit Anna Bell’s user account.

    abell@s11-server1:~$ exit
    logout
    root@s11-server1:~#

Task 2: Assign Profiles Directly to a User

1. Verify that the Sol11-Server1 virtual machine is running. If it is not, start it now.
2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use the password oracle1.
3. Run the su - command to assume administrator privileges.

    oracle@s11-server1:~$ su -
    Password: oracle1
    Oracle Corporation SunOS 5.11 11.1 September 2012
    root@s11-server1:~#

4. Use the usermod command to assign the profile “File System Management” to an existing user jholt. Verify the entry in the /etc/user_attr file.

    root@s11-server1:~# usermod -P "File System Management" jholt
    root@s11-server1:~# getent user_attr | grep jholt
    jholt::::profiles=File System Management;defaultpriv=basic

Yes, it is there.

5. Log in to the jholt account. Use the profiles command to display the current profiles assigned.

6. Using the mkdir command, attempt to create a directory in the root file system.

    jholt@s11-server1:~$ mkdir /holtdir
    mkdir: Failed to make directory "/holtdir"; Permission denied

Can jholt create a directory in the root file system? No.
root@s11-server1:~# su - jholt Oracle Corporation SunOS 5.11 11.1 September 2012 jholt@s11-server1:~$ profiles File System Management SMB Management VSCAN Management SMBFS Management Shadow Migration Monitor ZFS File System Management Basic Solaris User All Along with the File System Management, other dependent profiles are also assigned as default. 7. Use the pfexec command to execute the mkdir command. Confirm the directory creation. Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ jholt@s11-server1:~$ pfexec mkdir /holtdir jholt@s11-server1:~$ cd /;ls -l | grep holt drwxr-xr-x 2 root staff 2 Dec 16 15:20 holtdir jholt@s11-desktop:/$ exit logout The pfexec command temporarily enables you to assume the privileges in the profile assigned to you. This demonstrates the direct assignment of a profile and usage of the profile privileges. le Task 3: Assign Authorization Directly to a User 1. 2. Double-click the Sol11-Server1 icon to launch the Sol11-Server1 virtual machine. Log in to the Sol11-Server1 virtual machine as the oracle user. Use the password oracle1. Run the su - command to assume administrator privileges. b a r e f s an r t n e Cic no a s a h oracle@s11-server1:~$ su ) ฺ e m d Password: oracle1 o i u September 2012 lฺc 11.1 G Oracle Corporation SunOS 5.11 ai t m den g root@s11-server1:~# o@ UseSthetucrontab command to determine if you d l 4. Temporarily log in to the jmoose account. a this n o have the authorization to display ฺr uthesecrontab contents for the superuser. o r e tosu - jmoose root@s11-server1:~# c i c ( nse OracleoCorporation SunOS 5.11 11.1 September 2012 d l e c a jmoose@s11-server1:~$ crontab -l root li n ocrontab: R you must be super-user to access another user's crontab ro 3. file jmoose@s11-server1:~$ exit logout root@s11-server1:~# As expected, the jmoose account doesn’t have the authorization to list the root’s crontab file. Copyright © 2013, Oracle and/or its affiliates. 
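The user_attr entries that these tasks create can also be reviewed in bulk. The following is an added example, not part of the Oracle guide: it parses `getent user_attr` output and reports which profiles an account reaches directly (usable through pfexec with no further password, as jholt did) and which only through a role that has its own password. The sample lines and all function names are constructed for this example.

```python
"""Review RBAC assignments taken from `getent user_attr` output (added example)."""

# Constructed sample, modelled on the entries this practice creates.
SAMPLE_USER_ATTR = """\
sdown::::type=role;profiles=Shut;roleauth=role
abell::::roles=sdown
jholt::::profiles=File System Management;defaultpriv=basic
jmoose::::auths=solaris.jobs.admin
"""

LIST_KEYS = ("roles", "profiles", "auths")


def parse_user_attr(text):
    """Return {account: attrs}; roles, profiles and auths are always lists."""
    accounts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Layout: name:qualifier:res1:res2:key=value;key=value
        fields = line.split(":", 4)
        if len(fields) != 5:
            raise ValueError("malformed user_attr entry: %r" % raw)
        attrs = {}
        for pair in filter(None, fields[4].split(";")):
            key, _, value = pair.partition("=")
            attrs[key.strip()] = value.strip()
        for key in LIST_KEYS:
            # An empty value such as "auths=" must give [], not [""].
            items = attrs.get(key, "").split(",")
            attrs[key] = [item.strip() for item in items if item.strip()]
        accounts[fields[0]] = attrs
    return accounts


def reachable_profiles(accounts, user):
    """Map each explicitly assigned profile to 'direct' or 'role:<name>'.

    Defaults granted to every account through policy.conf are not in
    user_attr and are therefore not listed here.
    """
    entry = accounts.get(user)
    if entry is None:
        return {}
    reached = {}
    for role in entry["roles"]:
        role_entry = accounts.get(role)
        if role_entry and role_entry.get("type") == "role":
            for profile in role_entry["profiles"]:
                reached[profile] = "role:" + role
    for profile in entry["profiles"]:
        reached[profile] = "direct"  # a direct grant needs no role password
    return reached


def review(accounts):
    """List (account, kind, value) items that deserve a second look."""
    findings = []
    for name, entry in sorted(accounts.items()):
        if entry.get("type") == "role":
            continue
        for profile in entry["profiles"]:
            findings.append((name, "direct-profile", profile))
        for auth in entry["auths"]:
            findings.append((name, "direct-auth", auth))
        for role in entry["roles"]:
            target = accounts.get(role)
            if target is None or target.get("type") != "role":
                findings.append((name, "dangling-role", role))
    return findings


if __name__ == "__main__":
    parsed = parse_user_attr(SAMPLE_USER_ATTR)
    for account in sorted(parsed):
        print(account, reachable_profiles(parsed, account))
    for finding in review(parsed):
        print("review:", finding)
```

On a live system the input would be the saved output of `getent user_attr`; the role check relies on the role's own entry being present in that output.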
5. Using the usermod command, assign Jerry Moose the authorization for job administration.
    root@s11-server1:~# usermod -A solaris.jobs.admin jmoose
    root@s11-server1:~# getent user_attr |grep jmoose
    jmoose::::auths=solaris.jobs.admin
    root@s11-server1:~# auths jmoose | grep jobs
    solaris.admin.wusb.read,solaris.jobs.admin,solaris.mail.mailq,solaris.network.autoconf.read
    root@s11-server1:~#
Does Jerry Moose have the right authorizations now? Yes.

6. Log in as jmoose and issue the crontab command now.
    root@s11-server1:~# su - jmoose
    Oracle Corporation SunOS 5.11 11.1 September 2012
    jmoose@s11-server1:~$ crontab -l root
    #ident "%Z%%M% %I% %E% SMI"
    #
    # Copyright 2007 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    #
    #
    # The root crontab should be used to perform accounting data collection.
    #
    #
    10 3 * * * /usr/sbin/logadm
    15 3 * * 0 [ -x /usr/lib/fs/nfs/nfsfind ] && /usr/lib/fs/nfs/nfsfind
    30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
    jmoose@s11-desktop:~$
Can Jerry Moose access the crontab file for the root account now? Yes.

7. Log out of Jerry Moose's account to return to the superuser account. Take away the authorization from Jerry Moose. Confirm that he doesn't have the authorization anymore.
    jmoose@s11-server1:~$ exit
    logout
    root@s11-server1:~# usermod -A "" jmoose
    root@s11-server1:~# getent user_attr | grep jmoose
    jmoose::::auths=
    root@s11-server1:~# su - jmoose
    Oracle Corporation SunOS 5.11 11.1 September 2012
    jmoose@s11-server1:~$ crontab -l root
    crontab: you must be super-user to access another user's crontab file
    jmoose@s11-server1:~$ exit
    logout
Jerry Moose cannot access the superuser's crontab file. This task demonstrates the direct assignment of an authorization and usage of that authorization.

Task 4: Create a System-wide RBAC Policy

1. Verify that the Sol11-Server1 virtual machine is running. If it is not, start it now.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use the password oracle1.

3. Run the su - command to assume administrator privileges.
    oracle@s11-server1:~$ su -
    Password: oracle1
    Oracle Corporation SunOS 5.11 11.1 September 2012
    root@s11-server1:~#

4. Temporarily log in to the jmoose account. Use the ppriv command to display the privilege sets.
    root@s11-server1:~# su - jmoose
    Oracle Corporation SunOS 5.11 11.1 September 2012
    jmoose@s11-server1:~$ ppriv $$
    12687: -bash
    flags = <none>
            E: basic
            I: basic
            P: basic
            L: all

5. Use the ps command to display all the processes.
    jmoose@s11-server1:~$ ps -A -o user -o pid -o comm | more
    USER       PID COMMAND
    root         0 sched
    root         5 zpool-rpool
    root         1 /usr/sbin/init
    root         2 pageout
    root         3 fsflush
    root         6 intrd
    root         7 vmtasks
    root       427 /sbin/dhcpagent
    root        10 /lib/svc/bin/svc.startd
    root        12 /lib/svc/bin/svc.configd
    daemon      75 /lib/crypto/kcfd
    netadm      96 /lib/inet/ipmgmtd
    root       114 /lib/inet/in.mpathd
    dladm       43 /usr/sbin/dlmgmtd
    netcfg      48 /lib/inet/netcfgd
    root      2493 su
    oracle    2356 /usr/lib/clock-applet
    root       119 /usr/lib/pfexecd
    daemon    1840 /usr/lib/nfs/nfs4cbd
    root       756 lockd_kproc
    oracle    2309 nautilus
    …
Can you display the processes for any user? Yes.

6. Exit the jmoose account and as the administrator, modify the /etc/security/policy.conf file as indicated below.
    jmoose@s11-server1:~$ exit
    logout
    root@s11-server1:~# vi /etc/security/policy.conf
    root@s11-server1:~# grep PRIV_DEFAULT /etc/security/policy.conf
    # There are two different settings; PRIV_DEFAULT determines the default
    # Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
    #PRIV_DEFAULT=basic
    PRIV_DEFAULT=basic,!proc_info,!proc_session
    …
This file establishes a system-wide policy. You are denying a non-administrative user the privilege to look at the processes of other users.
Now reboot the system to have the policy take effect.
    root@s11-server1:~# init 6
Note: The reboot may take a few minutes to complete.
Log in and assume administrator privileges.

7. Log in to the jmoose account and issue the same ps command to access the processes.
    root@s11-server1:~# su - jmoose
    Oracle Corporation SunOS 5.11 11.1 September 2012
    jmoose@s11-server1:~$ ps -A -o user -o pid -o comm | more
    USER       PID COMMAND
    jmoose    3691 ps
    jmoose    3687 -bash
    jmoose@s11-server1:~$
Now you are able to display only your own processes. Would that be true for any user? Yes.

8. Exit the jmoose account and then issue the ps command.
    jmoose@s11-server1:~$ exit
    logout
    root@s11-server1:~# ps -ef | more
         UID   PID  PPID   C    STIME TTY         TIME CMD
        root     0     0   0 07:47:06 ?           0:01 sched
        root     5     0   0 07:47:03 ?           0:12 zpool-rpool
        root     1     0   0 07:47:08 ?           0:00 /sbin/init
        root     2     0   0 07:47:08 ?           0:00 pageout
        root     3     0   0 07:47:08 ?           0:18 fsflush
        root     6     0   0 07:47:08 ?           0:00 vmtasks
        root   135     1   0 07:47:48 ?           0:00 /usr/lib/pfexecd
        root     9     1   0 07:47:13 ?           0:18 /lib/svc/bin/svc.startd
        root    11     1   0 07:47:13 ?           0:58 /lib/svc/bin/svc.configd
        root   374   366   0 07:48:02 ?           0:00 hald-runner
      daemon    71     1   0 07:47:32 ?           0:00 /lib/crypto/kcfd
       dladm    43     1   0 07:47:23 ?           0:02 /sbin/dlmgmtd
        root   406     1   0 07:48:05 ?           0:00 /usr/sbin/cupsd -C /etc/cups/cupsd.conf
    …
The administrator account can still access all the processes.

9. Reset the process parameters in /etc/security/policy.conf to the original value. Display all the processes as Jerry Moose.
    root@s11-server1:~# vi /etc/security/policy.conf
    root@s11-server1:~# grep PRIV_DEFAULT /etc/security/policy.conf
    # There are two different settings; PRIV_DEFAULT determines the default
    # Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
    #PRIV_DEFAULT=basic
    root@s11-server1:~#
Now reboot the system to have the policy take effect.
    root@s11-server1:~# init 6
Note: The reboot may take a few minutes to complete.
Log in and assume administrator privileges. Then log in to the jmoose account.
    root@s11-server1:~# su - jmoose
    Oracle Corporation SunOS 5.11 11.1 September 2012
    jmoose@s11-server1:~$ ps -ef | more
         UID   PID  PPID   C    STIME TTY         TIME CMD
        root     0     0   0 07:47:06 ?           0:01 sched
        root     5     0   0 07:47:03 ?           0:12 zpool-rpool
        root     1     0   0 07:47:08 ?           0:00 /sbin/init
        root     2     0   0 07:47:08 ?           0:00 pageout
        root     3     0   0 07:47:08 ?           0:18 fsflush
        root     6     0   0 07:47:08 ?           0:00 vmtasks
    …
Now Jerry Moose can display the processes for any user. This completes the system-wide policy configuration for RBAC.
Exit the jmoose account.
    jmoose@s11-server1:~$ exit
    logout
Now that you have completed this practice, turn off sharing.
    root@s11-server1:~# zfs set sharenfs=off rpool/export/home/docs
    root@s11-server1:~# exit

Practices for Lesson 9: Securing System Resources Using Solaris Auditing
Chapter 9

Practice Overview for Lesson 9

Practices Overview
In these practices, you will be presented with a plan for auditing various actions taken by users.
When special privileges are used, Oracle Solaris auditing can create complete records that can be analyzed. According to the predeployment test plan, you are asked to configure auditing for various situations. You configure auditing for preselected classes as well as a customized class. You modify the audit policy and configure the audit logs.
The key areas explored in the practices are:
• Configuring the audit service
• Configuring audit logs
• Configuring the audit service per-zone
• Administering the audit service
• Managing audit records on local systems
Note: Your command output displays may be different than the displays in the practice. Some examples are storage data, process IDs, session and system-generated content.

Check your progress. You just completed the lesson on privileges and RBAC and now you are working with Oracle Solaris auditing.

√ Oracle Solaris 11.1 Predeployment Checklist
  √ Managing the Image Packaging System (IPS) and Packages
  √ Installing Oracle Solaris 11.1 on Multiple Hosts
  √ Managing the Business Application Data
  √ Configuring Network and Traffic Failover
  √ Configuring Zones and the Virtual Network
  √ Managing Services and Service Properties
  √ Configuring Privileges and Role-Based Access Control
    Securing System Resources by Using Oracle Solaris Auditing
    Managing Processes and Priorities
    Evaluating System Resources
    Monitoring and Troubleshooting System Failures

Practice 9-1: Configuring and Administering Oracle Solaris Auditing

Overview
As part of the predeployment testing plan, you are tasked with configuring and managing the audit service. In this practice, you will work with the following activities:
• Configuring the audit service
• Configuring audit logs
• Configuring the audit service in zones
  - Configure all zones identically for auditing.
• Administering the audit service
  - Enable/disable the audit service.
  - Refresh the audit service.
Note: In many cases, your displays will be different. The reason is that the content, such as dates, session number, and ZFS overhead, will make your displays unique to you.

Task 1: Configuring the Audit Service
This task covers the following activities:
• Determining audit service defaults
• Preselecting audit classes
• Determining a user's audit attributes
• Modifying a user's audit attributes
• Modifying the audit policy
• Specifying the audit warning destination email alias
• Adding an audit class
• Changing an audit event's class membership
• Using the newly configured class

1. Verify that the Sol11-Server1 virtual machine is running. If it is not running, start it now.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use the password oracle1.

3. Run the su - command to assume primary administrator privileges.
    oracle@s11-server1:~$ su -
    Password: oracle1
    Oracle Corporation SunOS 5.11 11.1 September 2012
    root@s11-server1:~#

4. Use the auditconfig command to view the attributable classes configured by default.
    root@s11-server1:~# auditconfig -getflags
    active user default audit flags = lo(0x1000,0x1000)
    configured user default audit flags = lo(0x1000,0x1000)
At this time, the audit service is configured for successful and failed login/logout attempts.
Where would you find the lo class? In the /etc/security/audit_class file.

5. Use the auditconfig command to view the non-attributable classes configured by default.
    root@s11-server1:~# auditconfig -getnaflags
    active non-attributable audit flags = lo(0x1000,0x1000)
    configured non-attributable audit flags = lo(0x1000,0x1000)
How do you tell the system that you want to display non-attributable flags? By using the command option getnaflags.

6. Use the auditrecord command to determine the type of records included under the lo class.
    root@s11-server1:~# auditrecord -c lo
    Admin Server Authentication
      program     admin (various)          See SMC, WBEM, or AdminSuite
      event ID    6213                     AUE_admin_authenticate
      class       lo                       (0x0000000000001000)
          header
          subject
          [text]                           error message
          return

    FTP server login
      program     proftpd                  See in.ftpd(1M)
      event ID    6165                     AUE_ftpd
      class       lo                       (0x0000000000001000)
          header
          subject
          [text]                           error message
          return
    …
If you look at the full output display, you will see all the authentication facilities that use the lo class. In addition, you can see the record format that will be used to record the auditing events for the respective authentication facilities.

7. Use the auditconfig -getplugin command to determine which plug-ins are active.
    root@s11-server1:~# auditconfig -getplugin
    Plugin: audit_binfile (active)
            Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
    Plugin: audit_syslog (inactive)
            Attributes: p_flags=;
    Plugin: audit_remote (inactive)
            Attributes: p_hosts=;p_retries=3;p_timeout=5;
Which plug-ins are active at this time? Only the audit_binfile plug-in.
Where would the auditing records be stored by default? In the /var/audit directory.

8. Use the userattr command to determine the default audit_flags for the oracle user.
    root@s11-server1:~# who -q
    oracle
    # users=1
Here, the oracle user is logged in at one place. It is the only user logged in at this time.
Your display may be different based on how many users or how many logins the oracle account has.
    root@s11-server1:~# userattr audit_flags oracle
    root@s11-server1:~#
At this time, by default, the oracle user has no specific audit_flags set. This doesn't account for systemwide audit_flags.

9. Using the auditconfig command, modify the systemwide attributable and nonattributable flags.
    root@s11-server1:~# auditconfig -setnaflags lo,na
    non-attributable audit flags = lo,na(0x1400,0x1400)
    root@s11-server1:~# auditconfig -setflags lo,ps,fw
    user default audit flags = ps,lo,fw(0x101002,0x101002)
Where can you find more information about the na, ps, and fw flags?
In the audit_class file located in the /etc/security directory (as demonstrated below).
    root@s11-server1:~# cd /etc/security
    root@s11-server1:/etc/security# ls
    audit_class    auth_attr.d    exec_attr      pam_policy     prof_attr.d
    audit_event    crypt.conf     exec_attr.d    policy.conf    tcsd.conf
    audit_warn     dev            extra_privs    priv_names
    auth_attr      device_policy  kmfpolicy.xml  prof_attr
    root@s11-server1:/etc/security# grep na audit_class
    # The "frcp" class is a reserved name. It will force preselection of
    # It must not be renamed. However, the "frcp" value may be changed in a
    # mask:class name:class description
    # Length limits: class name up to 8, class description up to 72 and
    0x0000000000000400:na:non-attributed
    root@s11-server1:/etc/security# grep ps audit_class
    0x0000000000100000:ps:process start/stop
    root@s11-server1:/etc/security# grep fw audit_class
    0x0000000000000002:fw:file write
    root@s11-server1:/etc/security# cd
Now you have it. Try to display the definition of another flag.

10. Using the usermod command, set the audit_flags for the user accounts jholt and sstudent. Verify the results.
    root@s11-server1:~# usermod -K audit_flags=lo,fr:no jholt
    root@s11-server1:~# usermod -K audit_flags=lo,fw:no sstudent
    root@s11-server1:~# userattr audit_flags jholt
    lo,fr:no
    root@s11-server1:~# userattr audit_flags sstudent
    lo,fw:no
You set the audit_flags for the users not logged in at this time. When they log in, the specified activities will be monitored and logged.

11. Use the auditconfig -lspolicy command to view the available policy options.
    root@s11-server1:~# auditconfig -lspolicy
    policy string    description:
    ahlt             halt machine if it can not record an async event
    all              all policies
    arge             include exec environment args in audit recs
    argv             include exec command line args in audit recs
    cnt              when no more space, drop recs and keep a cnt
    group            include supplementary groups in audit recs
    none             no policies
    path             allow multiple paths per event
    perzone          use a separate queue and auditd per zone
    public           audit public files
    seq              include a sequence number in audit recs
    trail            include trailer token in audit recs
    windata_down     include downgraded window information in audit recs
    windata_up       include upgraded window information in audit recs
    zonename         include zonename token in audit recs
If you would like to record auditing for the zones separately, which policy would be suitable? The perzone policy.

12. Use the auditconfig -setpolicy command to modify the following policy options. Display the results.
    root@s11-server1:~# auditconfig -setpolicy -cnt
    root@s11-server1:~# auditconfig -setpolicy +ahlt
    root@s11-server1:~# auditconfig -setpolicy +arge
    root@s11-server1:~# auditconfig -setpolicy +argv
    root@s11-server1:~# auditconfig -getpolicy
    configured audit policies = ahlt,arge,argv
    active audit policies = ahlt,arge,argv
Which policy options are being deleted? The cnt policy.
Which policy options are being added? ahlt, arge, argv.

13. Use the vi editor to add a line to the aliases file. Add the oracle and root users to the audit_warn mail alias at the end of the file. Use the grep command to confirm the results.
    root@s11-server1:~# vi /etc/mail/aliases
    root@s11-server1:~# grep audit_warn /etc/mail/aliases
    audit_warn: oracle,root

14. Save a copy of the audit_class file. Use the vi editor to add the pf class to the audit_class file. Verify the results.
    root@s11-server1:~# cd /etc/security
    root@s11-server1:/etc/security# cp audit_class audit_class.orig
    root@s11-server1:/etc/security# vi audit_class
    root@s11-server1:/etc/security# tail audit_class
    0x0000000000400000:xa:X - server access
    0x0000000000800000:xp:X - privileged/administrative operations
    0x0000000001000000:xc:X - object create/destroy
    0x0000000002000000:xs:X - operations that always silently fail, if bad
    0x0000000003c00000:xx:X - all X events (meta-class)
    0x0000000040000000:io:ioctl
    0x0000000080000000:ex:exec
    0x0000000100000000:ot:other
    0x0010000000000000:pf:profiles command
    0x0000000080475080:cusa:common user or role activity and sysadmin actions (meta-class)
    0xffffffffffffffff:all:all classes (meta-class)
What is the purpose of the profiles command? To display assigned profiles. However, in this context, use pfexec.

15. Save a copy of audit_event and edit the audit_event file as indicated.
    root@s11-server1:/etc/security# cp audit_event audit_event.orig
    root@s11-server1:/etc/security# vi audit_event
Add pf to the following event row:
    root@s11-server1:/etc/security# grep pf audit_event
    116:AUE_PFEXEC:execve(2) with pfexec enabled:ps,ex,ua,as,pf
What is the purpose of making this entry? Now the pf class is linked to the AUE_PFEXEC event, which points to the execve system call. Every time this system call is made, it is recorded with the pf class usage.

16. Now you can use the pf audit flag with the auditconfig command because the pf audit flag is fully configured.
    root@s11-server1:/etc/security# auditconfig -setflags lo,pf
    user default audit flags = pf,lo(0x10000000001000,0x10000000001000)
    root@s11-server1:/etc/security# cd
    root@s11-server1:~#
Is it successfully configured? Yes, it's confirmed by the message.

Task 2: Configure Audit Logs
This task will cover the following activities:
• Create ZFS file systems for audit files.
• Allocate audit space for the audit trail.
• Configure system log as audit message destination.
• Configure all zones identically for auditing.

1. Verify that the Sol11-Server1 virtual machine is running. If it is not running, start it now.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use the password oracle1.

3. Run the su - command to assume administrator privileges.
    oracle@s11-server1:~$ su -
    Password: oracle1
    Oracle Corporation SunOS 5.11 11.1 September 2012
    root@s11-server1:~#

4. Using the df -h command, determine which disks are mounted. This will help you discover the available disks for creating a ZFS pool.
    root@s11-server1:~# df -h
    Filesystem                   Size   Used  Available Capacity  Mounted on
    rpool/ROOT/solaris            31G   1.6G        20G     8%    /
    /devices                       0K     0K         0K     0%    /devices
    /dev                           0K     0K         0K     0%    /dev
    ctfs                           0K     0K         0K     0%    /system/contract
    proc                           0K     0K         0K     0%    /proc
    mnttab                         0K     0K         0K     0%    /etc/mnttab
    swap                         1.3G   1.7M       1.3G     1%    /system/volatile
    objfs                          0K     0K         0K     0%    /system/object
    sharefs                        0K     0K         0K     0%    /etc/dfs/sharetab
    /usr/lib/libc/libc_hwcap1.so.1
                                  22G   1.6G        20G     8%    /lib/libc.so.1
    fd                             0K     0K         0K     0%    /dev/fd
    rpool/ROOT/solaris/var        31G   639M        20G     3%    /var
    swap                         1.3G    32K       1.3G     1%    /tmp
    ora                          426G    35G       391G     9%    /opt/ora
    rpool/export                  31G    33K        20G     1%    /export
    rpool/export/IPS              31G   5.7G        20G    23%    /export/IPS
    rpool/export/home             31G    41K        20G     1%    /export/home
    rpool/export/home/jholt       31G    35K        20G     1%    /export/home/jholt
    rpool/export/home/jmoose      31G    36K        20G     1%    /export/home/jmoose
    rpool/export/home/oracle      31G    34K        20G     1%    /export/home/oracle
    rpool/export/home/panna       31G    35K        20G     1%    /export/home/panna
    rpool/export/home/sstudent    31G    35K        20G     1%    /export/home/sstudent
    rpool                         31G    39K        20G     1%    /rpool
    ora                          426G    35G       391G     9%    /mnt/sf_ora
    …
You are looking for a disk address like c7t2d0 in the first column. There should be no disks displayed.
Your display will be different based on what file systems are mounted at the time of display.
Note: If you see a disk on which the GuestAdditions package is mounted, ignore it.

5. Using the format command, determine the available disks. You will select disks c7t8d0 and c7t9d0.
root@s11-server1:~# format
Searching for disks...done

AVAILABLE DISK SELECTIONS:
       0. c7t0d0 … cyl 4174 alt 2 hd 255 sec 63>
       … cyl 1022 alt 2 hd 64 sec 32>
       … cyl 1022 alt 2 hd 64 sec 32>
       … cyl 1022 alt 2 hd 64 sec 32>
       … cyl 1022 alt 2 hd 64 sec 32>
       … cyl 1022 alt 2 hd 64 sec 32>
       … cyl 1022 alt 2 hd 64 sec 32>
       … cyl 1022 alt 2 hd 64 sec 32>
       … cyl 1022 alt 2 hd 64 sec 32>
Specify disk (enter its number): 7
selecting c7t8d0
[disk formatted]
No Solaris fdisk partition found.

FORMAT MENU:
        disk       - select a disk
        type       - select (define) a disk type
        partition  - select (define) a partition table
        current    - describe the current disk
        format     - format and analyze the disk
        fdisk      - run the fdisk program
        repair     - repair a defective sector
        label      - write label to the disk
        analyze    - surface analysis
        !<cmd>     - execute <cmd>, then return
        quit
format> p
WARNING - This disk may be in use by an application that has
modified the fdisk table. Ensure that this disk is not currently
in use before proceeding to use fdisk.
Please answer with "y" or "n": y
format> fd
No fdisk table exists. The default partition for the disk is:

  a 100% "SOLARIS System" partition

Type "y" to accept the default partition, otherwise type "n" to
edit the partition table.
y
format> p

PARTITION MENU:
        0      - change `0' partition
        1      - change `1' partition
        2      - change `2' partition
        3      - change `3' partition
        4      - change `4' partition
        5      - change `5' partition
        6      - change `6' partition
        7      - change `7' partition
        select - select a predefined table
        modify - modify a predefined partition table
        name   - name the current table
        print  - display the current table
        label  - write partition map and label to the disk
        !<cmd> - execute <cmd>, then return
        quit
partition> p
Current partition table (default):
Total disk cylinders available: 528 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders        Size            Blocks
  0 unassigned    wm       0               0         (0/0/0)          0
  1 unassigned    wm       0               0         (0/0/0)          0
  2     backup    wu       0 - 1020     1021.00MB    (1021/0/0) 2091008
  3 unassigned    wm       0               0         (0/0/0)          0
  4 unassigned    wm       0               0         (0/0/0)          0
  5 unassigned    wm       0               0         (0/0/0)          0
  6 unassigned    wm       0               0         (0/0/0)          0
  7 unassigned    wm       0               0         (0/0/0)          0
  8       boot    wu       0 -    0        1.00MB    (1/0/0)       2048
  9 unassigned    wm       0               0         (0/0/0)          0

partition> q

FORMAT MENU:
        disk       - select a disk
        type       - select (define) a disk type
        partition  - select (define) a partition table
        current    - describe the current disk
        format     - format and analyze the disk
        fdisk      - run the fdisk program
        repair     - repair a defective sector
        label      - write label to the disk
        analyze    - surface analysis
        defect     - defect list management
        backup     - search for backup labels
        verify     - read and display labels
        save       - save new disk/partition definitions
        inquiry    - show disk ID
        volname    - set 8-character volume name
        !<cmd>     - execute <cmd>, then return
        quit
format> q
root@s11-server1:~#

Assumption: You are familiar with the format command and know how to partition the disk by using the fdisk option. If you are not familiar with this utility, the instructor will walk you through the steps.

Repeat this step for the c7t9d0 disk.

The purpose of going into this utility is to select two empty disks. Make a note of these two disks: c7t8d0 and c7t9d0.

6. Create a ZFS pool called auditpool and the file systems as indicated. Because you have already created ZFS pools and file systems, you take quick steps here to create the configuration for auditing.

root@s11-server1:~# zpool create auditpool c7t8d0 c7t9d0
'auditpool' successfully created, but with no redundancy; failure of one
device will cause loss of the pool

You created the auditpool with the two available disks that you determined earlier. If your business application auditing requires redundancy, you may want to create a mirror pool. Refer to Lesson 4 for details.

root@s11-server1:~# zpool status auditpool
  pool: auditpool
 state: ONLINE
  scan: none requested
config:

        NAME         STATE     READ WRITE CKSUM
        auditpool    ONLINE       0     0     0
          c7t8d0     ONLINE       0     0     0
          c7t9d0     ONLINE       0     0     0

errors: No known data errors

root@s11-server1:~# zfs create -o mountpoint=/audit \
auditpool/auditdir

You created the file system with the /audit mount point so you can refer to the file system by using the mount point. This will save you time. Based on the volume of auditing records, you may consider storage saving and limiting actions, for example configuring compression and quotas.
root@s11-server1:~# zfs create -p \
auditpool/auditdir/s11-server1/files

Why do you create these file systems? For storing auditing records for this host

root@s11-server1:~# zfs list -r /auditpool
NAME                                   USED  AVAIL  REFER  MOUNTPOINT
auditpool                              218K  1.94G    32K  /auditpool
auditpool/auditdir                      31K  1.94G    31K  /audit
auditpool/auditdir/s11-server1          63K  1.94G    32K  /audit/s11-server1
auditpool/auditdir/s11-server1/files    31K  1.94G    31K  /audit/s11-server1/files

Does the display confirm creation of the files? Yes.

7. Using the auditconfig command, set the p_dir parameter to the file systems.

root@s11-server1:~# auditconfig -setplugin audit_binfile active \
p_dir=/audit/s11-server1/files,/var/audit

You are activating the audit_binfile plug-in and setting the storage for auditing.
What is the primary storage location? The ZFS file systems you just created.
What is the secondary storage location? /var/audit
The secondary directory is also considered the "directory of last resort." The system writes to the primary directory and uses the secondary directory only when the primary directory is not available.

8. Using the command auditconfig, activate the syslog plug-in and indicate the audit flags.

root@s11-server1:~# auditconfig -setplugin audit_syslog active \
p_flags=-lo,-ss,+pf

Where can you find the details about these flags? In the audit_class file
What does the pf flag represent? The pf class (profiles command)
What is the significance of the minus and plus signs? The minus sign represents the failed attempt and the plus sign represents successful attempt.

9. Using the vi editor, make the following entry in the /etc/syslog.conf file.

root@s11-server1:~# vi /etc/syslog.conf
root@s11-server1:~# grep audit.notice /etc/syslog.conf
audit.notice /var/log/auditlog
root@s11-server1:~# touch /var/log/auditlog

What is the purpose of defining this entry in syslog? The file is defined so that the configured auditing records will be sent to the /var/log/auditlog file.

10. Refresh the system-log service and auditing for the new configuration to take effect.

root@s11-server1:~# svcadm refresh system-log

11. Modify the audit policy to include zone auditing. Verify the results.

root@s11-server1:~# auditconfig -getpolicy
configured audit policies = ahlt,arge,argv
active audit policies = ahlt,arge,argv

At this time the zone auditing is not configured.

root@s11-server1:~# auditconfig -setpolicy +zonename

By adding the zonename policy, the audit records will be tagged with the zone name.

root@s11-server1:~# auditconfig -getpolicy
configured audit policies = ahlt,arge,argv,zonename
active audit policies = ahlt,arge,argv,zonename

Has the zonename policy been added? Yes.

12. Copy the modified audit files from the global zone to the zone named grandmazone. Verify the results.

Determine the root directory for the zone grandmazone.

root@s11-server1:~# zonecfg -z grandmazone info | more
zonename: grandmazone
zonepath: /zones/grandmazone
brand: solaris
autoboot: true
bootargs:
file-mac-profile:
pool:
limitpriv:
scheduling-class:
ip-type: exclusive
… … …

root@s11-server1:~# cp /etc/security/audit_class \
/zones/grandmazone/root/etc/security/audit_class
root@s11-server1:~# cp /etc/security/audit_event \
/zones/grandmazone/root/etc/security/audit_event

Because you are configuring the global zone and grandmazone identically, you also need the modified audit files in grandmazone.

root@s11-server1:~# ls -l \
/zones/grandmazone/root/etc/security/audit_*
-rw-r--r--   1 root     sys         2437 Dec 16 07:59 /zones/grandmazone/root/etc/security/audit_class
-rw-r--r--   1 root     sys        30123 Dec 16 07:59 /zones/grandmazone/root/etc/security/audit_event
-rwxr--r--   1 root     sys         7024 Dec 14 07:59 /zones/grandmazone/root/etc/security/audit_warn

How can you tell that the copy action was successful? By the timestamp on the files

13. Use the audit -s command to start the audit service.

root@s11-server1:~# audit -s

Note: If you get an error solaris audit invalid audit flag pf:Invalid argument, terminate the audit service by using the audit -t command and start the service by using the audit -s command.

To make sure you can gather records regarding the pf class, John Holt will be using the pfexec command. You will extract these records from the auditing log in the next practice.

14. As John Holt, try to access the crontab file of the superuser. Check John's profiles.
root@s11-server1:~# su - jholt
Oracle Corporation      SunOS 5.11      11.1    September 2012
jholt@s11-server1:~$ pfexec crontab -l root
crontab: you must be super-user to access another user's crontab file
jholt@s11-server1:~$ profiles
File System Management
SMB Management
VSCAN Management
SMBFS Management
Shadow Migration Monitor
ZFS File System Management
Basic Solaris User
All

Because John does not have the Cron Management profile, he does not have the privilege to look at the superuser's crontab file.

15. As the superuser, assign the Cron Management profile to John Holt. Verify the result.

jholt@s11-server1:~$ exit
logout
root@s11-server1:~# usermod -P "Cron Management" jholt
root@s11-server1:~# profiles jholt
jholt:
          Cron Management
          Basic Solaris User
          All

Do you think John can display root's crontab file now? Yes.

16. As John Holt, by using the pfexec command, attempt to display the contents of the superuser's crontab file.

root@s11-server1:~# su - jholt
Oracle Corporation      SunOS 5.11      11.1    September 2012
jholt@s11-server1:~$ pfexec crontab -l root
#ident "%Z%%M% %I% %E% SMI"
#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#
# The root crontab should be used to perform accounting data collection.
#
#
10 3 * * * /usr/sbin/logadm
15 3 * * 0 [ -x /usr/lib/fs/nfs/nfsfind ] && /usr/lib/fs/nfs/nfsfind
30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
jholt@s11-server1:~$ exit

Make a note of this command. You will be looking for the pfexec command in the audit logs.

17. Using the zoneadm command, verify that the two zones are up and running.

root@s11-server1:~# zoneadm list -civ
  ID NAME             STATUS     PATH                   BRAND    IP
   0 global           running    /                      solaris  shared
   1 grandmazone      running    /zones/grandmazone     solaris  excl
   2 choczone         running    /zones/choczone        solaris  excl

Are the zones up? Yes.

18. Log in to both the zones to create some log in/out entries in the audit records.

root@s11-server1:~# zlogin grandmazone
[Connected to zone 'grandmazone' pts/1]
Oracle Corporation      SunOS 5.11      11.1    September 2012
root@grandmazone:~# exit
logout

Repeat this step for the zone named choczone.

19. Check the current auditing configuration.
root@s11-server1:~# auditconfig -getcond
audit condition = auditing
root@s11-server1:~# auditconfig -getpolicy
configured audit policies = ahlt,arge,argv,zonename
active audit policies = ahlt,arge,argv,zonename
root@s11-server1:~# auditconfig -getflags
active user default audit flags = pf,lo(0x10000000001000,0x10000000001000)
configured user default audit flags = pf,lo(0x10000000001000,0x10000000001000)
root@s11-server1:~# auditconfig -getnaflags
active non-attributable audit flags = lo,na(0x1400,0x1400)
configured non-attributable audit flags = lo,na(0x1400,0x1400)

If your display does not match the current audit_flag values, modify them to match this display. Refer to the auditconfig command used earlier.

Practice 9-2: Managing Audit Records on Local Systems

Overview

Your predeployment test plan calls for managing the audit records and the audit trails. You need to analyze the audit records for multiple events configured by you. In addition, you need to terminate the audit file used currently.

The following areas will be addressed in this practice:
• Displaying audit record definitions
• Selecting audit events from the audit trail
• Viewing the contents of binary audit files
• Cleaning up an audit file currently in use (named not_terminated)

Task

1. Verify that the Sol11-Server1 virtual machine is running. If it is not running, start it now.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use the password oracle1.

3. Run the su - command to assume primary administrator privileges.

oracle@s11-server1:~$ su -
Password: oracle1
Oracle Corporation      SunOS 5.11      11.1    September 2012
root@s11-server1:~#

4. Using the auditrecord command, create an HTML file containing the full set of all the audit record formats available for the events. Using the more command, display the contents of the file.

root@s11-server1:~# auditrecord -a -h > audit.recfmt.html
root@s11-server1:~# more audit.recfmt.html
Audit Record Formats
… … …

5. Change the permissions on the root directory to rwxr-xr-x so it is accessible by anyone.

root@s11-server1:~# ls -ld /root
drwx------ 3 root root 10 Dec 16 11:24 /root
root@s11-server1:~# chmod 755 /root
root@s11-server1:~# ls -ld /root
drwxr-xr-x 3 root root 10 Dec 16 11:24 /root

The original permissions (drwx------) allow only the root user access to the directory.
Why do you have to change the permission to x (execute) for the browser? You need this permission to cd into the directory.

6. Use the auditrecord command to display all the login formats in use.

root@s11-server1:~# auditrecord -p login | more
terminal login
  program     /usr/sbin/login      See login(1)
              /usr/dt/bin/dtlogin  See dtlogin
  event ID    6152                 AUE_login
  class       lo                   (0x0000000000001000)
      header
      subject
      [text]                       error message
      return

login: logout
  program     various              See login(1)
  event ID    6153                 AUE_logout
  class       lo                   (0x0000000000001000)
      header
      subject
      [text]                       "logout" username
      return
… … …

How can you use these record formats? Based on the class, you can use this information to anticipate the type of records included in the audit log.

7. Using the auditrecord command, display the record format of the audit records in the pf class.
root@s11-server1:~# auditrecord -c pf
pfexec
  system call pfexec               See execve(2) with pfexec enabled
  event ID    116                  AUE_PFEXEC
  class       ps,ex,ua,as,pf       (0x0100000080160000)
      header
      path                         pathname of the executable
      path                         pathname of working directory
      [privilege]                  privileges if the limit or inheritable set are changed
      [privilege]                  privileges if the limit or inheritable set are changed
      [process]                    process if ruid, euid, rgid or egid is changed
      exec_arguments
      [exec_environment]           output if arge policy is set
      subject
      [use_of_privilege]
      return

Do you remember where you used the AUE_PFEXEC audit event? In the audit_event file while configuring the pf class

8. Use the cd command to go to /audit/s11-server1/files. Display the current audit file.

root@s11-server1:~# cd /audit/s11-server1/files
root@s11-server1:/audit/s11-server1/files# ls
20111216140055.not_terminated.s11-server1

Why is this file labeled as not_terminated? Because it is the currently active audit file
Did you create this directory? Yes, in the auditpool.

9. Use the audit -n command to close out the current audit file. This will automatically start a new "not_terminated" file.

root@s11-server1:/audit/s11-server1/files# audit -n
root@s11-server1:/audit/s11-server1/files# ls
20111216145549.20111216152447.s11-server1
20111216152447.not_terminated.s11-server1

You may get different output.

10. Using the auditreduce command, filter the records for the lo class.

Caution: Use the audit file (with timestamp) from your display instead of the file in the following command.
root@s11-server1:/audit/s11-server1/files# auditreduce -c lo \
/audit/s11-server1/files/20111216145549.20111216152447.s11-server1 > lofile
root@s11-server1:/audit/s11-server1/files# praudit lofile
file,2011-12-16 08:56:54.000 -06:00,
header,127,2,login - zlogin,,localhost,2011-12-16 08:56:54.832 -06:00
subject,oracle,root,root,root,root,9186,3242122680,0 0 localhost
text,zone:global
return,success,0
zone,grandmazone
header,112,2,logout,,localhost,2011-12-16 08:56:56.942 -06:00
subject,oracle,root,root,root,root,9186,3242122680,0 0 localhost
return,success,0
zone,grandmazone
header,107,2,su,,localhost,2011-12-16 09:21:45.718 -06:00
subject,oracle,jholt,staff,jholt,staff,9233,3242122680,0 0 localhost
return,success,0
zone,global
header,107,2,su logout,,localhost,2011-12-16 09:22:01.284 -06:00
subject,oracle,jholt,staff,jholt,staff,9233,3242122680,0 0 localhost
return,success,0
zone,global
file,2011-12-16 09:22:01.000 -06:00,

The lo file displays the login/logout information as indicated in the audit flags. You may get different output.

11. Using the auditreduce command, create a collection of pf class records. Use the praudit command to display.

root@s11-server1:/audit/s11-server1/files# auditreduce -c pf \
/audit/s11-server1/files/20111216145549.20111216152447.s11-server1 > pffile
root@s11-server1:/audit/s11-server1/files# praudit pffile
file,2011-12-16 09:21:57.000 -06:00,
header,521,2,execve(2) with pfexec enabled,,localhost,2011-12-16 09:21:57.785 -06:00
path,/usr/bin/crontab
attribute,104555,root,bin,65538,59345,18446744073709551615
path,/home/jholt
process,oracle,jholt,staff,jholt,staff,9238,3242122680,0 0 localhost
exec_args,3,crontab,-l,root
exec_env,19,HZ=100,LC_MONETARY=C,SHELL=/bin/bash,TERM=sun-color,LC_NUMERIC=C,LC_ALL=C,MAIL=/var/mail/jholt,PATH=/usr/bin:,LC_MESSAGES=C,LC_COLLATE=C,PWD=/home/jholt,LANG=C,TZ=localtime,SHLVL=1,HOME=/home/jholt,LOGNAME=jholt,LC_CTYPE=C,LC_TIME=C,_=/usr/bin/pfexec
subject,oracle,root,staff,jholt,staff,9238,3242122680,0 0 localhost
return,success,0
zone,global
file,2011-12-16 09:21:57.000 -06:00,

Determine the fields of the header and the subject line by matching them up with the man pages in the next step.

Review the records and attempt to find the crontab -l root command issued by John Holt. Was it successful? Yes.
Why? Because he used the pfexec command to use the Cron Management profile
You may get different output.

12. Use the man command to display the audit.log information. Use the find command to display the header format.

root@s11-server1:/audit/s11-server1/files# man audit.log
… … …
/header
The expanded header token consists of:
     token ID                1 byte
     record byte count       4 bytes
     version #               1 byte     [2]
     event type              2 bytes
     event modifier          2 bytes
     address type/length     4 bytes
     machine address         4 bytes/16 bytes (IPv4/IPv6 address)
     seconds of time         4 bytes/8 bytes (32/64-bits)
     nanoseconds of time     4 bytes/8 bytes (32/64-bits)
… … …

Match up the fields with the header line in the previous step.
How long is the record? 480 bytes
What is the event type? execve(2) with pfexec enabled
What is execve? The system call to Solaris kernel
Repeat this step for the subject format. Similarly you can find the format of other records such as the attribute record.

13. Use the auditreduce command to create a file for grandmazone. Verify the results.

root@s11-server1:/audit/s11-server1/files# auditreduce -z \
grandmazone \
/audit/s11-server1/files/20111216145549.20111216152447.s11-server1 > gmfile

14. Using the praudit command, browse the gmfile you just created.

root@s11-server1:/audit/s11-server1/files# praudit gmfile
file,2011-12-16 08:56:54.000 -06:00,
header,127,2,login - zlogin,,s11-server1,2011-10-21 08:56:54.832 -06:00
subject,oracle,root,root,root,root,9186,3242122680,0 0 localhost
text,zone:global
return,success,0
zone,grandmazone
header,112,2,logout,,s11-server1,2011-12-16 08:56:56.942 -06:00
subject,oracle,root,root,root,root,9186,3242122680,0 0 s11-server1
return,success,0
zone,grandmazone
file,2011-12-16 08:56:56.000 -06:00,

As a sample, go over the header for the login - zlogin record. Refer to step 12 above or pull up the man pages for audit.log and do a find for header.

header,127,2,login - zlogin,,s11-server1,2011-12-16 08:56:54.832 -06:00

Now you can match up the fields in this raw format with the previous display or with the format below. You may get different output.

An example of matching would be:
Token ID: header
Record byte count: 127
Version #: 2
Event type: login - zlogin
Event Modifier: - (nothing)
Address Type/Length: none specified
Machine address: s11-server1
Remaining fields: 2011-12-16 08:56:54.832 -06:00 (date/timestamp)

The expanded header token consists of:
     token ID                1 byte
     record byte count       4 bytes
     version #               1 byte     [2]
     event type              2 bytes
     event modifier          2 bytes
     address type/length     4 bytes
     machine address         4 bytes/16 bytes (IPv4/IPv6 address)
     seconds of time         4 bytes/8 bytes (32/64-bits)
     nanoseconds of time     4 bytes/8 bytes (32/64-bits)

You can display the audit records in three formats: text, raw, or XML format.

15. Use the auditreduce and praudit -x commands to display the output in XML format.

root@s11-server1:/audit/s11-server1/files# praudit -x gmfile
[XML output; callout labels: Event Name, Event ID, Event Class Mask]
zone:global
… …

Is there any benefit of using the XML format? Yes, all the fields have the respective tags translated for me.

16. Use the ls command to confirm the contents of the audit file storage directory.

root@s11-server1:/audit/s11-server1/files# ls
20111216145549.20111216152447.s11-server1
20111216152447.not_terminated.s11-server1
gmfile
lofile
pffile

How can you tell that a new audit file has been started?
The file has not_terminated in the name. The previous file has both the beginning and the ending timestamp and is therefore closed.
You may get different output.

17. Use the command audit -t to terminate the audit service.

root@s11-server1:/audit/s11-server1/files# audit -t
root@s11-server1:/audit/s11-server1/files# auditconfig -getcond
audit condition = noaudit

How can you tell that the audit service is stopped? Because in the output, it says noaudit

18. Examine the /var/log/auditlog file for audit messages sent to syslog.

root@s11-server1:~# more /var/log/auditlog
… … …
Dec 16 09:44:05 s11-server1 audit: [ID 702911 audit.notice] screenlock - unlock failed session 810837356 by oracle as root:staff from s11-server1
Dec 16 10:41:21 s11-server1 audit: [ID 702911 audit.notice] execve(2) with pfexec enabled ok session 3584330031 by oracle as root:staff in global from s11-server1 proc_auid oracle proc_uid jholt obj /home/jholt
Dec 16 10:58:52 s11-server1 last message repeated 1 time
… … …

Parts of this display, such as the session number, date, and time may be different for you.

You had configured the syslog plug-in for the pf class. Here is the message recorded in the /var/log/auditlog file.
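The record review in steps 11 and 14 can be scripted. The following is an added example, not part of the Oracle activity guide: a Python parser for the default praudit text output that reports pfexec executions in which the effective user differs from the real user. The sample records are constructed from the pffile and lofile output shown above, the function names are this example's own, and it assumes that no field other than the exec arguments contains a comma.

```python
"""Parse default praudit text output and report elevated pfexec executions."""

# Constructed sample, modelled on the pffile and lofile records on this page.
SAMPLE = """\
file,2011-12-16 09:21:57.000 -06:00,
header,521,2,execve(2) with pfexec enabled,,localhost,2011-12-16 09:21:57.785 -06:00
path,/usr/bin/crontab
attribute,104555,root,bin,65538,59345,18446744073709551615
path,/home/jholt
process,oracle,jholt,staff,jholt,staff,9238,3242122680,0 0 localhost
exec_args,3,crontab,-l,root
exec_env,2,HOME=/home/jholt,LOGNAME=jholt
subject,oracle,root,staff,jholt,staff,9238,3242122680,0 0 localhost
return,success,0
zone,global
header,112,2,logout,,localhost,2011-12-16 08:56:56.942 -06:00
subject,oracle,root,root,root,root,9186,3242122680,0 0 localhost
return,success,0
zone,grandmazone
file,2011-12-16 09:21:57.000 -06:00,
"""

PFEXEC_EVENT = "execve(2) with pfexec enabled"  # event name as praudit prints it
# Field order of the subject token: audit ID, effective user and group,
# real user and group, process ID, session ID, terminal ID.
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid")


def parse_praudit(text):
    """Group token lines into one dict per audit record.

    A header token opens a record; file tokens only mark audit-file
    boundaries. Tokens this example does not need are skipped.
    """
    records, current = [], None
    for line in text.splitlines():
        token, _, rest = line.strip().partition(",")
        if token == "header":
            size, _version, event, _modifier, host, when = rest.split(",", 5)
            current = {"event": event, "bytes": int(size), "host": host,
                       "time": when, "paths": [], "argv": []}
            records.append(current)
        elif token == "file":
            current = None
        elif current is None:
            continue  # stray token outside any record
        elif token == "subject":
            current["subject"] = dict(zip(SUBJECT_FIELDS, rest.split(",", 7)))
        elif token == "path":
            current["paths"].append(rest)
        elif token == "exec_args":
            count, *args = rest.split(",")
            current["argv"] = args[:int(count)]
        elif token == "return":
            current["status"] = rest.split(",")[0]
        elif token == "zone":
            current["zone"] = rest
    return records


def elevated_pfexec(records):
    """Return pfexec executions whose effective user differs from the real user."""
    hits = []
    for rec in records:
        subj = rec.get("subject")
        if rec["event"] != PFEXEC_EVENT or not subj:
            continue
        if subj["euid"] == subj["ruid"]:
            continue  # the profile did not change the effective user
        hits.append({
            "time": rec["time"],
            "auid": subj["auid"],  # login identity, preserved across su
            "ruid": subj["ruid"],  # account that invoked pfexec
            "euid": subj["euid"],  # identity the command ran with
            # the first path token is the executable, the second the cwd
            "exe": rec["paths"][0] if rec["paths"] else None,
            "argv": rec["argv"],
            "zone": rec.get("zone"),
            "status": rec.get("status"),
        })
    return hits


if __name__ == "__main__":
    for hit in elevated_pfexec(parse_praudit(SAMPLE)):
        print("{time} {auid}->{ruid} ran {argv} as {euid} "
              "in zone {zone}: {status}".format(**hit))
```

On a live system the input would come from praudit run on a file produced by auditreduce -c pf, as in step 11.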
Practices for Lesson 10: Managing Processes and Priorities
Chapter 10

Practice Overview for Lesson 10

Practices Overview

In these practices, you are presented with a plan for managing the Oracle Solaris 11.1 processes, scheduling classes, and process priorities. According to the predeployment test plan, you are going to evaluate various system processes. Assume you are supporting Oracle CRM and Financial applications. These applications will launch multiple processes and you will need to know which processes should run as high or low priority. Therefore, you are asked to assess the processes, their priorities, and scheduling classes. You are presented with various situations that will help you evaluate and configure the facilities.

The key areas explored in the practices are:
• Modifying process scheduling priority
• Configuring the fair share scheduler (FSS) in an Oracle Solaris Zone

Note: Your display outputs will be different due to the type of tasks, processes, and users.

Check your progress. You just completed the Oracle Solaris auditing lesson and are now working with processes and priorities.
Oracle Solaris 11.1 Predeployment Checklist                       √
Managing the Image Packaging System (IPS) and Packages            √
Installing Oracle Solaris 11.1 on Multiple Hosts                  √
Managing the Business Application Data                            √
Configuring Network and Traffic Failover                          √
Configuring Zones and the Virtual Network                         √
Managing Services and Service Properties                          √
Configuring Privileges and Role-Based Access Control              √
Securing System Resources by Using Oracle Solaris Auditing        √
Managing Processes and Priorities
Evaluating System Resources
Monitoring and Troubleshooting System Failures

Practice 10-1: Modifying Process Scheduling Priority

Overview

In this practice, you work with the processes in the following areas:
• Managing scheduling class and process priorities
• Configuring the fair share scheduler

Task 1: Manage Scheduling Class and Process Priorities

This task will cover the following activities:
• Listing the current processes
• Displaying process class information
• Determining the process global priority
• Designating a process priority
• Modifying process scheduling priority
• Changing the scheduling parameters of a timesharing process

1. Verify that the Sol11-Server1 virtual machine is running. If it is not, start it now.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use the password oracle1.

3. Make sure that all other virtual machines are shut down.

4. Run the su - command to assume administrator privileges.
oracle@s11-server1:~$ su -
Password:
Oracle Corporation      SunOS 5.11      11.1    September 2012
root@s11-server1:~#

5. Use the top command to view the top 10 processes at a 10-second interval.

root@s11-server1:~# top 10 -s 10
last pid: 1121; load avg: 0.20, 0.14, 0.12; up 0+01:50:30 14:10:30
87 processes: 83 sleeping, 3 running, 1 on cpu
CPU states: 81.8% idle, 5.1% user, 13.1% kernel, 0.0% iowait, 0.0% swap
Kernel: 609 ctxsw, 9 trap, 327 intr, 1935 syscall, 4 flt
Memory: 1024M phys mem, 84M free mem, 977M total swap, 977M free swap

   PID USERNAME NLWP PRI NICE  SIZE   RES STATE    TIME    CPU COMMAND
   991 oracle      2  59    0   87M   19M sleep    0:11  4.03% gnome-terminal
   733 oracle      3  59    0   65M   53M run      0:23  3.82% Xorg
   929 oracle     20  59    0  160M  140M run      2:01  1.75% java
   934 oracle      1  56    0   12M 5552K run      0:06  1.46% xscreensaver
  1120 root        1  59    0 4296K 2480K cpu      0:00  0.25% top
   917 oracle      1  49    0  107M   36M sleep    0:01  0.22% nautilus
   913 oracle      1  59    0   27M   15M sleep    0:01  0.08% metacity
   966 oracle      2  59    0   26M   12M sleep    0:06  0.07% nwam-manager
    11 root       18  59    0   12M   11M sleep    0:41  0.06% svc.configd
   536 root        7  59    0 9420K 1856K sleep    0:03  0.04% VBoxService

Enter 'q' to exit.

In what order is the CPU column sorted? Descending, so that the processes using high CPU are displayed at the top

Remember: Your display output will differ from the output presented here.

6. Use the priocntl command to view the configured classes.

root@s11-server1:~# priocntl -l
CONFIGURED CLASSES
==================

SYS (System Class)

TS (Time Sharing)
        Configured TS User Priority Range: -60 through 60

SDC (System Duty-Cycle Class)

FX (Fixed priority)
        Configured FX User Priority Range: 0 through 60

These are all the classes currently configured at this time. For example, the Interactive class (IA) is not shown. The user priority range is -60 through 60.

7. Using the ps command, display the scheduling class and the priority of the processes currently running.

root@s11-server1:~# ps -ecl | more
 F S UID PID PPID CLS PRI ADDR   SZ WCHAN TTY   TIME CMD
 1 T   0   0    0 SYS  96    ?    0       ?     0:01 sched
 1 S   0   5    0 SDC  99    ?    0     ? ?     0:03 zpool-rp
 0 S   0   1    0  TS  59    ?  688     ? ?     0:00 init
 1 S   0   2    0 SYS  98    ?    0     ? ?     0:00 pageout
 1 S   0   3    0 SYS  60    ?    0     ? ?     0:05 fsflush
 1 S   0   6    0 SDC  99    ?    0     ? ?     0:00 vmtasks
 0 S  16  52    1  TS  59    ?  991     ? ?     0:00 ipmgmtd
…
 0 S 101 934  848  IA  59    ? 3180     ? ?     0:08 xscreens
 0 S 101 928    1  IA  59    ? 2793     ? ?     0:00 gvfsd-tr
 0 R   0 997  994  IA  19    ? 2163       pts/1 0:00 bash
 0 S 101 973    1  IA  59    ? 3199     ? ?     0:00 VBoxClie
 0 S 101 972    1  IA  59    ? 3248     ? ?     0:00 VBoxClie
…

What is the highest priority in use? It is 99 for the zpool process.
What is the lowest priority in use? It is 19 for the bash shell.
Refer to the man pages for detailed explanation of the columns.

8. Use the priocntl command to generate a process in the TS scheduling class with a specified priority of 60 by using the find command.

root@s11-server1:~# priocntl -e -c TS -m 60 -p 60 find / -name core -exec ls {} \; > /var/tmp/find 2<>/dev/null&
[1] 1348
root@s11-server1:~#

Here you execute the find command with the priority of 60. What is the highest priority a user can specify for a user-generated process? Refer to Step 6 to determine the highest priority, which is 60. Refer to man pages for the command options used here.

Use the ps command to inspect the priority of the find command. Repeat the command multiple times to check if the specified priority is being used at all times.

root@s11-server1:~# ps -ecl | grep find
 0 S 0 2959 2771 TS 60 ? 1865 ? pts/1 0:01 find
root@s11-server1:~# ps -ecl | grep find
 0 S 0 2959 2771 TS 59 ? 1961 ? pts/1 0:01 find
root@s11-server1:~# ps -ecl | grep find
 0 S 0 2959 2771 TS 60 ? 1985 ? pts/1 0:02 find

Is the designated priority 60 being used at all times? No, but it is used most of the time. The kernel determines the priority based on what other jobs are running on the CPU; therefore, you might see a slight variance in the specified priority number.

9. Create a small program to run for a longer duration, so that you can change its priority. Use the priocntl command to change the class and specify a time slice or the global priority of the program modparm.

Create a small script called modparm. Grant the owner the execute permission.

root@s11-server1:~# vi modparm
root@s11-server1:~# cat modparm
#!/bin/bash
find / -name jholt -exec ls{} \; > /var/tmp/jholt 2<>/dev/null
find / -name jmoose -exec ls{} \; > /var/tmp/jmoose 2<>/dev/null
find / -name panna -exec ls{} \; > /var/tmp/panna 2<>/dev/null
find / -name sstudent -exec ls{} \; > /var/tmp/sstudent 2<>/dev/null
find / -name oracle -exec ls{} \; > /var/tmp/oracle 2<>/dev/null
find / -name core -exec ls{} \; > /var/tmp/core 2<>/dev/null
root@s11-server1:~# ls -l modparm
-rw-r--r-- 1 root root 87 Dec 19 08:31 modparm
root@s11-server1:~# chmod 755 modparm
root@s11-server1:~# ls -l modparm
-rwxr-xr-x 1 root root 87 Dec 19 08:31 modparm
root@s11-server1:~# priocntl -e -c RT -t 500 -p 20 /root/modparm &
[1] 5104

Here you execute your program in the RT class with a time slice of 500 milliseconds, a priority of 20 in the RT class, and a global priority of 120.

10. Verify the designated scheduling class and the priority.

root@s11-server1:~# ps -ecf | grep find
root 10270 10269 RT 120 02:08:08 pts/1 0:05 find / -name jholt -exec ls{}
root@s11-server1:~# ps -ecf | grep find
root 10270 10269 33 02:08:08 pts/1 0:25 find / -name jholt -exec ls{} ;
root 10281 1310 0 02:09:33 pts/1 0:00 grep find

Is your program running in the designated scheduling class? Yes.

Note: To see the continuation of the commands being run in the modparm script, continue to run ps -ecf | grep find.

11. Use the priocntl command to change the priority of the running program modparm. Verify the results.

Note: Make sure you use the process number that appears on your display. Your process number will be different than the process number (5104) presented in the example.

root@s11-server1:~# priocntl -s -p 30 5104
root@s11-server1:~# ps -ecf | grep find
root 10293 10269 RT 120 02:11:43 pts/1 0:09 find / -name sstudent -exec ls{} ;
root 10299 1310 TS 29 02:12:04 pts/1 0:00 grep find

What are the new RT and the global priorities? They are 30 and 130.
Note that the system added 100 to 30 to come up with the global priority of 130.

Why would you need to change the priority? Based on your business process priority, you needed to lower the priority of a long running transaction.

12. Copy the modparm program to John Holt’s home directory so that he can run the program under his privileges. As the administrator, you will change the program’s scheduling class by using John’s user ID.

As the administrator, execute the following command.

root@s11-server1:~# cp modparm /export/home/jholt

As John Holt, execute the following commands.

root@s11-server1:~# su - jholt
Oracle Corporation SunOS 5.11 11.1 September 2012
jholt@s11-server1:~$ ls modparm
modparm
jholt@s11-server1:~$ cp modparm holtparm
jholt@s11-server1:~$ ls -l holtparm
-rwxr-xr-x 1 jholt staff 336 Dec 19 15:13 holtparm

Note that by copying, it changed the ownership.

Make sure that John has the execute permission on this program. If needed, use the chmod command as you did before.

Before you run the program as jholt, you need to edit the /var/tmp file part of the entry in the holtparm file for each user. The user jholt does not have the authorization to overwrite the original files but he does have the authorization to overwrite the files he himself has created.

jholt@s11-server1:~$ vi holtparm
jholt@s11-server1:~$ cat holtparm
#!/bin/bash
find / -name jholt -exec ls{} \; > /var/tmp/holt 2<>/dev/null
find / -name jmoose -exec ls{} \; > /var/tmp/moose 2<>/dev/null
find / -name panna -exec ls{} \; > /var/tmp/anna 2<>/dev/null
find / -name sstudent -exec ls{} \; > /var/tmp/student 2<>/dev/null
find / -name oracle -exec ls{} \; > /var/tmp/orcl 2<>/dev/null
find / -name core -exec ls{} \; > /var/tmp/cre 2<>/dev/null

As John Holt, run the program by using the following command:

jholt@s11-server1:~$ ./holtparm 2<>/dev/null&
[1] 5130

You will see some “permission denied” error messages, which you can ignore. The only purpose of the program is to continue running for a while.

13. Now, display the active program as the user John Holt. Next, change the program’s scheduling class to IA and verify the results. Finally, use the pkill -9 command to terminate the processes associated with the find command and modparm script. Verify that all the processes have been terminated.

jholt@s11-server1:~$ ps -ef | grep holt
jholt 10328 10315 0 02:17:40 pts/1 0:00 /bin/bash ./holtparm
jholt 10329 10328 22 02:17:40 pts/1 0:10 find / -name jholt -exec ls{} ;
jholt 10335 10315 0 02:18:11 pts/1 0:00 -bash
jholt 10315 1310 0 02:14:44 pts/1 0:00 -bash
jholt 10334 10315 1 02:18:11 pts/1 0:00 ps -ef
…
jholt@s11-server1:~$ exit
logout

Determine John’s userid.

root@s11-server1:~# grep holt /etc/passwd
jholt:x:60005:10:john holt:/export/home/jholt:/bin/bash

As the administrator, set the scheduling class to IA for all the processes running under John’s userid (60005).

root@s11-server1:~# priocntl -s -c IA -i uid 60005
root@s11-server1:~# ps -ecf | grep holt
jholt 6244 6243 IA 50 22:13:06 pts/1 2:00 find / -name jholt -exec ls{} ;
root 6251 6106 TS 49 22:16:10 pts/1 0:00 grep holt
jholt 6243 1 IA 59 22:13:06 pts/1 0:00 /bin/bash ./holtparm

Here you can see all the processes launched by John that are currently running in the IA class.

When John submitted his job, it ended up in the TS class. Why? The kernel made the call based on the nature of the program and overall workload.

Why would you need to make changes like this? You want to run the job interactively so that you can get results more quickly.

root@s11-server1:~# pkill -9 find
root@s11-server1:~# ps -ef | grep find
jholt 5143 5130 1 15:18:47 pts/1 0:10 find / -name jmoose -exec ls{} ;
jholt 5143 5130 1 15:18:47 pts/1 0:10 grep find
root@s11-server1:~# pkill -9 modparm
root@s11-server1:~# ps -ef | grep find
root@s11-server1:~#

14. Use the ps command to display all the processes running in the TS class.

root@s11-server1:~# ps -ef -o class,zone,fname | grep TS | sort -k2 | more
TS global asr-noti
TS global automoun
TS global automoun
TS global bash
TS global bash
TS global bash
TS global bash
TS global bash
TS global cron
TS global cupsd
TS global dbus-dae
TS global devchass
TS global devfsadm
TS global dhcpagen
TS global dlmgmtd
TS global fmd
TS global hald
TS global hald-add
TS global hald-add
TS global hald-add
TS global hald-run
TS global htcachec
TS global httpd.wo
TS global httpd.wo
TS global httpd.wo
TS global httpd.wo
TS global httpd.wo
TS global httpd.wo
TS global in.mpath
TS global in.ndpd
TS global in.route
TS global inetd
TS global init
TS global ipmgmtd
TS global iscsid
TS global kcfd
TS global login
TS global mountd
TS global named
TS global netcfgd
TS global nfsmapid
TS global nscd
TS global nwamd
TS global pfexecd
TS global picld
TS global pkg.depo
TS global ps
TS global rad
TS global reparsed
TS global rmvolmgr
TS global rpcbind
TS global sshd
TS global sshd
TS global sshd
TS global statd
TS global su
TS global su
TS global svc.conf
TS global svc.star
TS global sysevent
TS global syslogd
TS global ttymon
TS global ttymon
TS global ttymon
TS global ttymon
TS global ttymon
TS global utmpd
TS global vbiosd
TS global VBoxServ
TS global vtdaemon
TS global zoneadmd
TS global zoneadmd
TS global zoneprox
TS choczone automoun
TS choczone automoun
TS choczone cron
TS choczone dhcpagen
TS choczone fmd
TS choczone in.mpath
TS choczone in.ndpd
TS choczone in.route
TS choczone inetd
TS choczone init
TS choczone ipmgmtd
TS choczone kcfd
TS choczone netcfgd
TS choczone nscd
TS choczone nwamd
TS choczone pfexecd
TS choczone rpcbind
TS choczone sendmail
TS choczone sendmail
TS choczone smtp-not
TS choczone sshd
TS choczone svc.conf
TS choczone svc.star
TS choczone syslogd
TS choczone ttymon
TS choczone utmpd
TS choczone zoneprox
TS grandmazone automoun
TS grandmazone automoun
TS grandmazone cron
TS grandmazone dhcpagen
TS grandmazone fmd
TS grandmazone in.mpath
TS grandmazone in.ndpd
TS grandmazone in.route
TS grandmazone inetd
TS grandmazone init
TS grandmazone ipmgmtd
TS grandmazone kcfd
TS grandmazone netcfgd
TS grandmazone nscd
TS grandmazone nwamd
TS grandmazone pfexecd
TS grandmazone rpcbind
TS grandmazone sendmail
TS grandmazone sendmail
TS grandmazone smtp-not
TS grandmazone sshd
TS grandmazone svc.conf
TS grandmazone svc.star
TS grandmazone syslogd
TS grandmazone ttymon
TS grandmazone utmpd
TS grandmazone zoneprox
root@s11-server1:~#

Here you display all the processes running on your system that are in the TS class.
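
The class listings in this task can also be checked mechanically. The following shell functions are an added example, not part of the course guide: they tally processes per zone and scheduling class, list processes outside an expected class, and flag anything in the RT class, whose global priority (120 in step 9) sits above the 99 shown for zpool-rp in step 7. The sample rows and PIDs are constructed, and the pid column is an assumption added to the guide's ps -o class,zone,fname format.

```shell
#!/bin/sh
# Added example (not from the course guide): audit scheduling classes per zone.
# Expected input is the output of: ps -e -o class,zone,pid,fname

# Constructed sample data; PIDs and the mix of classes are illustrative only.
sample_ps() {
cat <<'EOF'
 CLS     ZONE   PID COMMAND
 SYS   global     0 sched
  TS   global     1 init
 SDC   global     5 zpool-rp
 FSS   global   612 sshd
 FSS   global  1309 bash
  RT   global  5104 modparm
  RT   global  5105 find
  IA   global  6243 holtparm
 FSS choczone  2487 init
 SYS choczone  2301 zsched
 FSS choczone  2533 sshd
EOF
}

# class_summary: read ps output on stdin, print "zone class count", sorted.
class_summary() {
    awk '$1 != "CLS" && NF >= 4 { n[$2 " " $1]++ }
         END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# class_outliers DEFAULT: print "class zone pid command" for every process
# that is not in DEFAULT. SYS and SDC are kernel-managed classes that
# priocntl -s does not move, so they are skipped.
class_outliers() {
    awk -v want="$1" '
        $1 != "CLS" && NF >= 4 && $1 != want && $1 != "SYS" && $1 != "SDC" {
            print $1, $2, $3, $4
        }'
}

# rt_count: number of processes in the real-time class.
rt_count() {
    awk '$1 == "RT" { c++ } END { print c + 0 }'
}

# audit DEFAULT: full report on stdin; exit status 1 if any RT process exists.
audit() {
    input=$(cat)
    echo "== processes per zone and class =="
    printf '%s\n' "$input" | class_summary
    echo "== not in $1 (SYS and SDC excluded) =="
    printf '%s\n' "$input" | class_outliers "$1"
    rt=$(printf '%s\n' "$input" | rt_count)
    echo "== real-time processes: $rt =="
    [ "$rt" -eq 0 ]
}

# On a live system: ps -e -o class,zone,pid,fname | audit FSS
# Stand-alone run on the constructed sample:
sample_ps | audit FSS || echo "RT-class processes present: confirm who started them"
```

Running the audit from the global zone covers every zone, because the global zone's ps sees all processes; inside a non-global zone it reports only that zone.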

Task 2: Configure the Fair Share Scheduler
This task will cover the following activities:
• Making FSS the default scheduling class
• Moving processes into the FSS class
• Moving a project’s processes into the FSS class
• Tuning scheduler parameters

1. Verify that the Sol11-Server1 virtual machine is running. If it is not running, start it now.
2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use the password oracle1.
3. Make sure that all other virtual machines are shut down.
4. Run the su - command to assume administrator privileges.

oracle@s11-server1:~$ su -
Password:
Oracle Corporation SunOS 5.11 11.1 September 2012
root@s11-server1:~#

5. Use the dispadmin command to view and change the default scheduling class to FSS. Confirm the action.

root@s11-server1:~# dispadmin -d
dispadmin: Default scheduling class is not set
root@s11-server1:~# dispadmin -d FSS
root@s11-server1:~# dispadmin -d
FSS (Fair Share)

Is the default scheduling class changed for the global zone? Yes.
Does it mean that FSS has become the default scheduling class for all the processes running on the system? Refer to the display in the next steps.

6. Use the dispadmin command to view the current scheduling classes being used.

root@s11-server1:~# dispadmin -l
CONFIGURED CLASSES
==================

SYS (System Class)
TS (Time Sharing)
SDC (System Duty-Cycle Class)
FSS (Fair Share)
FX (Fixed Priority)
RT (Real Time)
IA (Interactive)

These are all the classes currently being used at this time.

7. Using the ps command, display the scheduling class of the currently running processes.

root@s11-server1:~# ps -ef -o class,zone,fname | grep -v CLS | sort -k2 | more
TS global asr-noti
TS global automoun
TS global automoun
TS global bash
TS global bash
TS global bash
TS global bash
TS global bash
TS global cron
TS global cupsd
TS global dbus-dae
TS global devchass
TS global devfsadm
TS global dhcpagen
TS global dlmgmtd
IA global find
TS global fmd
SYS global fsflush
TS global hald
TS global hald-add
TS global hald-add
TS global hald-add
TS global hald-run
IA global holtparm
TS global htcachec
TS global httpd.wo
TS global httpd.wo
TS global httpd.wo
TS global httpd.wo
TS global httpd.wo
TS global httpd.wo
TS global in.mpath
TS global in.ndpd
TS global in.route
TS global inetd
TS global init
SYS global intrd
TS global ipmgmtd
TS global iscsid
TS global kcfd
SDC global kmem_tas
FX global lockd
SYS global lockd_kp
TS global login
TS global mountd
TS global named
TS global netcfgd
FX global nfsd
SYS global nfsd_kpr
TS global nfsmapid
TS global nscd
TS global nwamd
SYS global pageout
TS global pfexecd
TS global picld
TS global pkg.depo
TS global ps
TS global rad
TS global reparsed
TS global rmvolmgr
TS global rpcbind
SYS global sched
TS global sshd
TS global sshd
TS global sshd
TS global statd
TS global su
TS global su
TS global svc.conf
TS global svc.star
TS global sysevent
TS global syslogd
TS global ttymon
TS global ttymon
TS global ttymon
TS global ttymon
TS global ttymon
TS global utmpd
TS global vbiosd
TS global VBoxServ
SYS global vmtasks
TS global vtdaemon
TS global zoneadmd
TS global zoneadmd
TS global zoneprox
FX global zonestat
SDC global zpool-au
SDC global zpool-rp
TS choczone automoun
TS choczone automoun
TS choczone cron
TS choczone dhcpagen
TS choczone fmd
TS choczone in.mpath
TS choczone in.ndpd
TS choczone in.route
TS choczone inetd
TS choczone init
TS choczone ipmgmtd
TS choczone kcfd
TS choczone netcfgd
TS choczone nscd
TS choczone nwamd
TS choczone pfexecd
TS choczone rpcbind
TS choczone sendmail
TS choczone sendmail
TS choczone smtp-not
TS choczone sshd
TS choczone svc.conf
TS choczone svc.star
TS choczone syslogd
TS choczone ttymon
TS choczone utmpd
TS choczone zoneprox
SYS choczone zsched
TS grandmazone automoun
TS grandmazone automoun
TS grandmazone cron
TS grandmazone dhcpagen
TS grandmazone fmd
TS grandmazone in.mpath
TS grandmazone in.ndpd
TS grandmazone in.route
TS grandmazone inetd
TS grandmazone init
TS grandmazone ipmgmtd
TS grandmazone kcfd
TS grandmazone netcfgd
TS grandmazone nscd
TS grandmazone nwamd
TS grandmazone pfexecd
TS grandmazone rpcbind
TS grandmazone sendmail
TS grandmazone sendmail
TS grandmazone smtp-not
TS grandmazone sshd
TS grandmazone svc.conf
TS grandmazone svc.star
TS grandmazone syslogd
TS grandmazone ttymon
TS grandmazone utmpd
TS grandmazone zoneprox
SYS grandmazone zsched
…

What are some of the classes being used at this time? TS, IA, and SYS

8. Use the priocntl command to move all current processes into the FSS class.

root@s11-server1:~# priocntl -s -c FSS -i all

Why did you have to move all the current processes to the FSS class manually when you already set the default class to FSS?
Because the new default class is effective on next reboot. It does not affect the currently active processes.

9. Using the ps command, display the modified scheduling class of the currently running processes.

root@s11-server1:~# ps -ef -o class,zone,fname | grep -v CLS | sort -k2 | more
FSS global asr-noti
FSS global automoun
FSS global automoun
FSS global bash
FSS global bash
FSS global bash
FSS global bash
FSS global cron
FSS global cupsd
FSS global dbus-dae
FSS global devchass
FSS global devfsadm
FSS global dhcpagen
FSS global dlmgmtd
FSS global find
FSS global fmd
SYS global fsflush
FSS global grep
FSS global hald
. . .
FSS global in.ndpd
FSS global in.route
FSS global inetd
TS global init
SYS global intrd
FSS global ipmgmtd
FSS global iscsid
FSS global kcfd
SDC global kmem_tas
FSS global lockd
SYS global lockd_kp
FSS global login
FSS global more
FSS global mountd
FSS global named
FSS global netcfgd
FSS global nfsd
SYS global nfsd_kpr
FSS global nfsmapid
FSS global nscd
FSS global nwamd
SYS global pageout
FSS global pfexecd
FSS global picld
FSS global pkg.depo
FSS global ps
FSS global rad
FSS global reparsed
FSS global rmvolmgr
FSS global rpcbind
SYS global sched
FSS global sort
FSS global sshd
FSS global sshd
FSS global sshd
FSS global statd
FSS global su
FSS global su
FSS global svc.conf
FSS global svc.star
FSS global sysevent
FSS global syslogd
FSS global ttymon
FSS global ttymon
FSS global ttymon
FSS global ttymon
FSS global ttymon
FSS global utmpd
FSS global vbiosd
FSS global VBoxServ
SYS global vmtasks
FSS global vtdaemon
FSS global zoneadmd
FSS global zoneadmd
FSS global zoneprox
FSS global zonestat
SDC global zpool-au
SDC global zpool-rp
FSS choczone automoun
FSS choczone automoun
FSS choczone cron
FSS choczone dhcpagen
FSS choczone fmd
FSS choczone in.mpath
FSS choczone in.ndpd
FSS choczone in.route
FSS choczone inetd
FSS choczone init
FSS choczone ipmgmtd
FSS choczone kcfd
FSS choczone netcfgd
FSS choczone nscd
FSS choczone nwamd
FSS choczone pfexecd
FSS choczone rpcbind
FSS choczone sendmail
FSS choczone sendmail
FSS choczone smtp-not
FSS choczone sshd
FSS choczone svc.conf
FSS choczone svc.star
FSS choczone syslogd
FSS choczone ttymon
FSS choczone utmpd
FSS choczone zoneprox
SYS choczone zsched
FSS grandmazone automoun
FSS grandmazone automoun
FSS grandmazone cron
FSS grandmazone dhcpagen
FSS grandmazone fmd
FSS grandmazone in.mpath
FSS grandmazone in.ndpd
FSS grandmazone in.route
FSS grandmazone inetd
FSS grandmazone init
FSS grandmazone ipmgmtd
FSS grandmazone kcfd
FSS grandmazone netcfgd
FSS grandmazone nscd
FSS grandmazone nwamd
FSS grandmazone pfexecd
FSS grandmazone rpcbind
FSS grandmazone sendmail
FSS grandmazone sendmail
FSS grandmazone smtp-not
FSS grandmazone sshd
FSS grandmazone svc.conf
FSS grandmazone svc.star
FSS grandmazone syslogd
FSS grandmazone ttymon
FSS grandmazone utmpd
FSS grandmazone zoneprox
SYS grandmazone zsched
root@s11-server1:~#

Are all the processes using FSS? No; however, most of the processes are using FSS.

Why are some of the processes in the TS, SDC, and SYS classes? The classes remain unchanged for these processes based on the nature of the processes. For example, the zsched daemon normally runs in the SYS class because of its scope.

10. Using the ps command, display all the init processes.

root@s11-server1:~# ps -ecf | grep init
root 1 0 TS 59 10:54:11 ? 0:00 /usr/sbin/init
root 2487 1562 FSS 59 11:00:37 ? 0:00 /usr/sbin/init
root 2491 1406 FSS 59 11:00:37 ? 0:00 /usr/sbin/init

Why are there so many init processes? One for each zone. Refer to the display in Step 9.

11. Using the priocntl command, change the class of the init process to the FSS scheduling class. Display the classes of all the init processes to confirm the change.

root@s11-server1:~# priocntl -s -c FSS -i pid 1
root@s11-server1:~# ps -ef -o class,zone,fname | grep init
FSS global init
FSS choczone init
FSS grandmazone init

Did you change the classes for all the init processes? No, only for the global zone because you specified the PID 1.

12.
Now change a project’s scheduling class. First, by using the ps command, find the current class for the current projects.

root@s11-server1:~# ps -o user,pid,uid,projid,project,class
USER PID PROJID PROJECT CLS
root 1309 1 user.root TS
root 1310 1 user.root TS
root 10415 1 user.root TS

Since you changed the scheduling class for all the processes, the user.root project and its processes are running in the FSS class. So, where can you find the definition of this project? The definition can be found in the /etc/project file.

Note: The project topic is covered here only in the context of a scheduling class. This topic will be covered in greater detail in Lesson 11: Evaluating System Resources.

root@s11-server1:~# grep user.root /etc/project
user.root:1::::
root@s11-server1:~# priocntl -s -c TS -i projid 1
root@s11-server1:~# ps -o user,pid,uid,projid,project,class
USER PID UID PROJID PROJECT CLS
root 5142 0 1 user.root TS
root 5189 0 1 user.root TS

Did you change the scheduling class for all the processes? No. How would you confirm that? Refer to the commands in the previous steps.

What would prompt this action of changing the project class? You want to change the scheduling class based on the importance of a project.

13. Using the dispadmin command, inspect the current scheduler parameter quantum value. Modify the value and verify the change.

Refer to Task 1, Step 9, where you used -t 500 to set the quantum value for the task. In the following steps, you change the time quantum unit to, for example, one-tenth and one-hundredth of a second.

root@s11-server1:~# dispadmin -c FSS -g
#
# Fair Share Scheduler Configuration
#
RES=1000
#
# Time Quantum
#
QUANTUM=110

Currently, the quantum values are specified in 1/1000th of a second. You can change it to 1/100th of a second.

root@s11-server1:~# dispadmin -c FSS -g -r 100
#
# Fair Share Scheduler Configuration
#
RES=100
#
# Time Quantum
#
QUANTUM=11

Why would you need to change these values? When you want to work with smaller digits (specifying 10 is a lot easier than 100000 for quantum values).

Now reboot s11-server1 to make your changes effective.

root@s11-server1:~# init 6

Practice 10-2: Configuring the FSS in an Oracle Solaris Zone

Overview
Your predeployment test plan calls for configuring the CPU shares and the scheduling class FSS for the grandmazone and the choczone non-global zones. This practice will demonstrate the effect of using CPU shares in an attempt to constrain the resources.

The following tasks are covered in this practice:
• Configuring CPU shares and the FSS
• Monitoring the FSS in two zones
• Removing the CPU shares configuration

Task 1: Configure the CPU Shares and the FSS

1. Verify that the Sol11-Server1 virtual machine is running. If it is not running, start it now.
2. Log in to the Sol11-Server1 virtual machine as the oracle user.
Use the password oracle1.
3. Run the su - command to assume administrator privileges.

oracle@s11-server1:~$ su -
Password:
Oracle Corporation SunOS 5.11 11.1 September 2012
root@s11-server1:~#

4. Use the zoneadm list command to view the configured zones.

root@s11-server1:~# zoneadm list -civ
  ID NAME        STATUS  PATH               BRAND   IP
   0 global      running /                  solaris shared
   1 grandmazone running /zones/grandmazone solaris excl
   2 choczone    running /zones/choczone    solaris excl

If you recall, you had configured these zones earlier in the class.

5. Use the zonecfg command to add the CPU shares to grandmazone. Display the results to confirm the action.

root@s11-server1:~# zonecfg -z grandmazone
zonecfg:grandmazone> set cpu-shares=80
zonecfg:grandmazone> exit
root@s11-server1:~# zonecfg -z grandmazone info | more
zonename: grandmazone
zonepath: /zones/grandmazone
brand: solaris
autoboot: true
bootargs:
file-mac-profile:
pool:
limitpriv:
scheduling-class:
ip-type: exclusive
hostid:
fs-allowed:
[cpu-shares: 80]
net:
        address not specified
        allowed-address not specified
        configure-allowed-address: true
        physical: vnic1
        defrouter not specified
anet:
        linkname: net0
        lower-link: auto
        allowed-address not specified
        configure-allowed-address: true
        defrouter not specified
        allowed-dhcp-cids not specified
        link-protection: mac-nospoof
        mac-address: random
        auto-mac-address: 2:8:20:7b:1a:a1
        mac-prefix not specified
        mac-slot not specified
        vlan-id not specified
        priority not specified
        rxrings not specified
        txrings not specified
        mtu not specified
        maxbw not specified
        rxfanout not specified
rctl:
        name: zone.cpu-shares
        value: (priv=privileged,limit=80,action=none)

Notice the CPU shares–related entries.

6. Repeat step 5 for the second zone, namely, choczone.

root@s11-server1:~# zonecfg -z choczone
zonecfg:choczone> set cpu-shares=10
zonecfg:choczone> exit
root@s11-server1:~# zonecfg -z choczone info | more
zonename: choczone
zonepath: /zones/choczone
brand: solaris
Practices for Lesson 10: Managing Processes and Priorities Chapter 10 - Page 24 s b a r e f Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ autoboot: true bootargs: file-mac-profile: pool: limitpriv: scheduling-class: ip-type: exclusive hostid: fs-allowed: [cpu-shares: 10] net: address not specified allowed-address not specified configure-allowed-address: true physical: vnic2 defrouter not specified anet: linkname: net0 lower-link: auto allowed-address not specified configure-allowed-address: true defrouter not specified allowed-dhcp-cids not specified link-protection: mac-nospoof mac-address: random auto-mac-address: 2:8:20:56:b5:ad mac-prefix not specified mac-slot not specified vlan-id not specified priority not specified rxrings not specified txrings not specified mtu not specified maxbw not specified rxfanout not specified rctl: name: zone.cpu-shares value: (priv=privileged,limit=10,action=none) le o an r t n an s ha ฺ ) om uide c ฺ l ai nt G m g ude @ t o S d l s na thi o r ฺ se o r u e ic e to c ( do icens l a l on Ci R o r ce Notice the number of CPU shares allocated to this zone. Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Practices for Lesson 10: Managing Processes and Priorities Chapter 10 - Page 25 s b a r e f Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ 7. Use the zlogin command to cleanly reboot both the zones. Verify that they are back up and running. root@s11-server1:~# zlogin grandmazone init 6 root@s11-server1:~# zlogin choczone init 6 root@s11-server1:~# zoneadm list -civ ID 0 2 3 NAME global grandmazone choczone STATUS running running running PATH / /zones/grandmazone /zones/choczone BRAND solaris solaris solaris IP shared excl excl How can you tell they have been rebooted? The zone IDs are different. 8. Now examine the effect of CPU share assignment. Log in to each zone and create the tasks as indicated. 

    root@s11-server1:~# zlogin grandmazone
    [Connected to zone 'grandmazone' pts/1]
    Oracle Corporation      SunOS 5.11      11.1    September 2012
    root@grandmazone:~# newtask dd if=/dev/zero of=/dev/null &
    [1] 7949
    root@grandmazone:~# ps -ef | grep 7949
        root  7949  7945  34 03:12:42 pts/2       0:21 dd if=/dev/zero of=/dev/null
        root  7953  7945   0 03:13:55 pts/2       0:00 grep 7949
    root@grandmazone:~# exit
    logout

    [Connection to zone 'grandmazone' pts/1 closed]

Start a similar task in choczone.

    root@s11-server1:~# zlogin choczone
    [Connected to zone 'choczone' pts/2]
    Oracle Corporation      SunOS 5.11      11.1    September 2012
    root@choczone:~# newtask dd if=/dev/zero of=/dev/null &
    [1] 7959
    root@choczone:~# ps -ef | grep 7959
        root  7959  7955   8 03:15:12 pts/2       0:08 dd if=/dev/zero of=/dev/null
        root  7961  7955   0 03:15:14 pts/2       0:00 grep 7959
    root@choczone:~# exit
    logout

    [Connection to zone 'choczone' pts/2 closed]

The newtask command starts a task that is an infinite loop. These tasks will be used to demonstrate the CPU resource utilization by the Oracle Solaris kernel.

9. Use the ps command from the global zone to verify that the task from choczone is running in the FSS class.

    root@s11-server1:~# ps -ecf | grep 7949
        root  7967  3467  FSS  59 03:16:04 console     0:00 grep 7949
        root  7949     1  FSS   1 03:12:42 ?           2:31 dd if=/dev/zero of=/dev/null
    root@s11-server1:~# ps -ecf | grep 7959
        root  8430     1  FSS   1 03:15:01 ?           0:11 dd if=/dev/zero of=/dev/null
    root@s11-server1:~# ps -ecf | grep 7959
        root  8430     1  FSS   6 03:15:01 ?           0:13 dd if=/dev/zero of=/dev/null
    root@s11-server1:~# ps -ecf | grep 7959
        root  8430     1  FSS   1 03:15:01 ?           0:16 dd if=/dev/zero of=/dev/null

Is the task running in the FSS class? Yes.
How and why? Because earlier you set the default class to FSS for the whole system.
Check the scheduling class for the task running in grandmazone.

10. From the global zone, use the prstat -Z command to measure the CPU performance.

    root@s11-server1:~# prstat -Z
       PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
      8183 root     1700K 1036K run     15    0   0:03:12  37% dd/1
      8430 root     1720K  836K run      1    0   0:00:14 4.1% dd/1
      8130 root       12M   11M run     58    0   0:00:08 0.9% svc.configd/21
         5 root        0K    0K sleep   99  -20   0:01:19 0.7% zpool-rpool/136
      7188 root       13M   12M sleep    1    0   0:00:16 0.6% svc.configd/22
      2384 pkg5srv  4496K 3200K sleep   60    0   0:00:10 0.4% htcacheclean/1
      1121 root       31M 9036K run     59    0   0:00:07 0.2% pkg.depotd/64
      8128 root       11M 8116K sleep   59    0   0:00:01 0.1% svc.startd/16
      8705 root     4500K 3232K sleep   59    0   0:00:00 0.1% inetd/6
      8780 root     2108K 1328K sleep   59    0   0:00:00 0.1% ttymon/1
       517 root       46M   16M sleep   59    0   0:00:02 0.1% poold/9
      8815 root     4224K 2380K sleep   60    0   0:00:00 0.0% configCCR.bin/1
      8811 root     5560K 2504K sleep   59    0   0:00:00 0.0% svc-ocm/1
      7186 root       11M 7884K sleep   59    0   0:00:01 0.0% svc.startd/14
      8817 root     4428K 3396K cpu1    59    0   0:00:00 0.0% prstat/1
      8505 root     5064K 3272K sleep   59    0   0:00:00 0.0% nscd/37
      8803 root     4356K 2212K sleep   59    0   0:00:00 0.0% net-iptun/1
      3466 root     1732K 1040K run     59    0   0:00:00 0.0% script/1
      8618 root       17M 8880K sleep   59    0   0:00:00 0.0% fmd/11
      8765 root     3948K 1788K sleep   59    0   0:00:00 0.0% syslogd/10
    ZONEID    NPROC  SWAP   RSS MEMORY      TIME  CPU ZONE
         3       32  132M   76M   7.4%   0:03:29  38% grandmazone
         4       16   59M   37M   3.6%   0:00:23 5.2% choczone
         0       80  438M  236M    23%   0:02:01 1.4% global
    …

In order to get a true picture, you need to watch the dynamic display for a few minutes. You will see it getting closer and closer to the ratio you specified. (Recall from the lecture the difference between the CPU shares and the CPU percentage.) Convert the CPU shares to percentages and compare with the average CPU utilization here.

What column do we need to watch? The CPU column.

Note that there is more CPU utilization by grandmazone as compared to choczone. Why? This is the effect of the CPU shares allocation.

11. Use the prctl command to assign 40 CPU shares to the global zone.

    root@s11-server1:~# prctl -n zone.cpu-shares -v 40 -r -i zone global

Note that you can modify the attributes of the global zone too.

12. Refer to step 9 and start a new task from the global zone.

    root@s11-server1:~# newtask dd if=/dev/zero of=/dev/null&
    [1] 10444

13. Observe the results by running the prstat command.

    root@s11-server1:~# prstat -Z
       PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
      8183 root     1700K 1036K run      1    0   0:07:22  33% dd/1
     10444 root     1720K 1088K run     58    0   0:00:05 7.6% dd/1
      8430 root     1720K  836K run      1    0   0:00:53 5.3% dd/1
      2384 pkg5srv  4896K 3600K sleep   60    0   0:00:12 0.8% htcacheclean/1
         5 root        0K    0K sleep   99  -20   0:01:29 0.4% zpool-rpool/136
      1121 root       31M 9036K sleep   59    0   0:00:08 0.2% pkg.depotd/64
       517 root       46M   17M sleep   59    0   0:00:02 0.0% poold/9
     10445 root     4428K 3316K cpu1    59    0   0:00:00 0.0% prstat/1
      3466 root     1732K 1040K run     59    0   0:00:00 0.0% script/1
      8130 root       13M   12M sleep   59    0   0:00:11 0.0% svc.configd/21
      9377 root       17M 8856K sleep   54    0   0:00:00 0.0% fmd/12
      8418 daemon   7608K 4528K sleep   55    0   0:00:00 0.0% kcfd/3
      3467 root     3388K 2720K sleep   59    0   0:00:00 0.0% bash/1
      2399 root       11M 5920K sleep   59    0   0:00:00 0.0% httpd.worker/1
       349 root     4420K 1592K sleep   53    0   0:00:00 0.0% net-physical/1
       178 root        0K    0K sleep   99  -20   0:00:00 0.0% zpool-auditpool/136
       112 root     2848K 1052K sleep   59    0   0:00:00 0.0% in.mpathd/1
       159 root     7012K 3096K sleep   29    0   0:00:00 0.0% syseventd/18
        47 netcfg   3780K 2588K sleep   29    0   0:00:00 0.0% netcfgd/4
        82 daemon   8000K 5048K sleep   29    0   0:00:00 0.0% kcfd/4
    ZONEID    NPROC  SWAP   RSS MEMORY      TIME  CPU ZONE
         3       30  128M   74M   7.3%   0:07:39  33% grandmazone
         0       81  440M  238M    23%   0:02:19 9.1% global
         4       29  125M   70M   6.8%   0:01:05 5.3% choczone
    …

Repeat the analysis you did in Step 10, but this time pay attention to the global zone CPU consumption. Remember to observe the changing CPU utilization for a few minutes to obtain an approximate average. Compare the shares allocation and the percentages.

14. Abort all the infinite processes.

    root@s11-server1:~# pkill -9 dd
    root@s11-server1:~# pkill -9 find

Task 2: Remove the CPU shares configuration

1. Verify that the Sol11-Server1 virtual machine is running.
If it is not running, start it now.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use the password oracle1.

3. Run the su - command to assume administrator privileges.

    oracle@s11-server1:~$ su -
    Password:
    Oracle Corporation      SunOS 5.11      11.1    September 2012
    root@s11-server1:~#

4. Use the zonecfg command to view the current CPU shares configuration of the zone named grandmazone.

    root@s11-server1:~# zonecfg -z grandmazone info
    zonename: grandmazone
    zonepath: /zones/grandmazone
    brand: solaris
    autoboot: true
    bootargs:
    file-mac-profile:
    pool:
    limitpriv:
    scheduling-class:
    ip-type: exclusive
    hostid:
    fs-allowed:
    [cpu-shares: 80]
    net:
        address not specified
        allowed-address not specified
        configure-allowed-address: true
        physical: vnic1
        defrouter not specified
    anet:
        linkname: net0
        lower-link: auto
        allowed-address not specified
        configure-allowed-address: true
        defrouter not specified
        allowed-dhcp-cids not specified
        link-protection: mac-nospoof
        mac-address: random
        auto-mac-address: 2:8:20:7b:1a:a1
        mac-prefix not specified
        mac-slot not specified
        vlan-id not specified
        priority not specified
        rxrings not specified
        txrings not specified
        mtu not specified
        maxbw not specified
        rxfanout not specified
    rctl:
        name: zone.cpu-shares
        value: (priv=privileged,limit=80,action=none)

Notice the CPU configuration.

5. Use the zonecfg command to delete the CPU configuration. Verify the action.

    root@s11-server1:~# zonecfg -z grandmazone clear cpu-shares
    root@s11-server1:~# zonecfg -z grandmazone info
    zonename: grandmazone
    zonepath: /zones/grandmazone
    brand: solaris
    autoboot: true
    bootargs:
    file-mac-profile:
    pool:
    limitpriv:
    scheduling-class:
    ip-type: exclusive
    hostid:
    fs-allowed:
    net:
        address not specified
        allowed-address not specified
        configure-allowed-address: true
        physical: vnic1
        defrouter not specified
    anet:
        linkname: net0
        lower-link: auto
        allowed-address not specified
        configure-allowed-address: true
        defrouter not specified
        allowed-dhcp-cids not specified
        link-protection: mac-nospoof
        mac-address: random
        auto-mac-address: 2:8:20:34:6e:84
        mac-prefix not specified
        mac-slot not specified
        vlan-id not specified
        priority not specified
        rxrings not specified
        txrings not specified
        mtu not specified
        maxbw not specified
        rxfanout not specified
        vsi-typeid not specified
        vsi-vers not specified
        vsi-mgrid not specified
        etsbw-lcl not specified
        cos not specified
        pkey not specified
        linkmode not specified

Notice that the cpu-shares entry is deleted.

6. Repeat Step 5 for the second zone, namely, choczone.

    root@s11-server1:~# zonecfg -z choczone clear cpu-shares
    root@s11-server1:~# zonecfg -z choczone info | grep cpu-shares

To make the configuration effective, do you need to reboot the zones? Yes.
The zones will be rebooted as part of step 8.

7. Reset the system default scheduling class by using the dispadmin command. Verify the change.

    root@s11-server1:~# dispadmin -d
    FSS     (Fair Share)
    root@s11-server1:~# dispadmin -d TS
    root@s11-server1:~# dispadmin -d
    TS      (Time Sharing)
    root@s11-server1:~# priocntl -s -c TS -i all

Have you verified that all system processes have been moved to the TS class? Yes.

8. Reboot the system by using the init 6 command. By rebooting the entire system, the global CPU share property is cleared. In addition, the global zone has the new default scheduling class (TS). As part of the reboot, the zones are rebooted automatically so their CPU share properties are also cleared. After the reboot is completed, the new configuration will be in place.


Practices for Lesson 11: Evaluating System Resources
Chapter 11

Practice Overview for Lesson 11

Practices Overview

In these practices, you are presented with a plan for configuring resource controls and assessing system performance. According to the predeployment test plan, you need to evaluate various system resource controls.
As a standard practice, you will be required to conserve resources, such as system memory, CPU time, and data storage. You are asked to control the CPU resource for your CRM project with the objective that other projects should also be able to share the CPU resources. Then you evaluate the memory, CPU, and disk usage by using many system utilities. Based on your evaluation of the resources, you will be able to allocate appropriate resources to various projects.

The key areas explored in the practices are:
• Managing resource controls in global and non-global zones
• Evaluating system performance levels

Check your progress. You just completed Lesson 10: Managing Processes and Priorities and are now working with system resource evaluation.

Oracle Solaris 11.1 Predeployment Checklist
• Managing the Image Packaging System (IPS) and Packages
• Installing Oracle Solaris 11.1 on Multiple Hosts
• Managing the Business Application Data
• Configuring Network and Traffic Failover
• Configuring Zones and the Virtual Network
• Managing Services and Service Properties
• Configuring Privileges and Role-Based Access Control
• Securing System Resources by Using Oracle Solaris Auditing
• Managing Processes and Priorities
• Monitoring the System Resources
• Monitoring and Troubleshooting System Failures
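
The share-to-percentage comparison asked for in steps 10 and 13 of the Lesson 10 CPU shares practice can be scripted. The following is an added example, not part of the original guide: the function name fss_compare, its zone=shares arguments, and the embedded sample (constructed from the prstat -Z display in step 13) are assumptions made for illustration.

```shell
#!/bin/sh
# fss_compare zone=shares [zone=shares ...]
# Reads "prstat -Z" output on stdin and, for every named zone that has a
# summary row, prints:
#   zone  shares  entitled%  observed%  observed-relative%
# entitled%          = zone shares / sum of shares of the listed zones
# observed-relative% = zone CPU / sum of CPU of the listed zones
# Pass only zones that are running CPU-bound work: shares are a ratio
# among zones competing for CPU, so idle zones would skew the result.
fss_compare() {
    awk -v spec="$*" '
    BEGIN {
        n = split(spec, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            if (kv[2] ~ /^[0-9]+$/) shares[kv[1]] = kv[2]
        }
    }
    # Zone summary rows have 8 fields (ZONEID NPROC SWAP RSS MEMORY TIME
    # CPU ZONE); process rows have 10 and the header row is not numeric.
    NF == 8 && $1 ~ /^[0-9]+$/ && $7 ~ /%$/ {
        zone = $8
        if (!(zone in shares)) next
        cpu = $7
        sub(/%$/, "", cpu)
        observed[zone] = cpu + 0
        total_cpu += cpu
        total_shares += shares[zone]
        order[++m] = zone
    }
    END {
        for (i = 1; i <= m; i++) {
            z = order[i]
            rel = (total_cpu > 0) ? 100 * observed[z] / total_cpu : 0
            printf "%s %d %.1f %.1f %.1f\n", z, shares[z],
                100 * shares[z] / total_shares, observed[z], rel
        }
    }'
}

# Sample input constructed from the step 13 display (abridged).
PRSTAT_SAMPLE='   PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
  8183 root     1700K 1036K run      1    0   0:07:22  33% dd/1
 10444 root     1720K 1088K run     58    0   0:00:05 7.6% dd/1
  8430 root     1720K  836K run      1    0   0:00:53 5.3% dd/1
ZONEID    NPROC  SWAP   RSS MEMORY      TIME  CPU ZONE
     3       30  128M   74M   7.3%   0:07:39  33% grandmazone
     0       81  440M  238M    23%   0:02:19 9.1% global
     4       29  125M   70M   6.8%   0:01:05 5.3% choczone'

# Shares as configured in the practice: 80, 40 and 10.
printf '%s\n' "$PRSTAT_SAMPLE" | fss_compare grandmazone=80 global=40 choczone=10
```

On a live system, pipe a single report (for example, prstat -Z 5 1) into the function several times over a few minutes and compare the entitled and observed-relative columns as the display settles.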

Practice 11-1: Managing Resource Controls in Global and Non-Global Zones

Overview

In this practice, you will work with the resource controls in the following areas:
• Administering projects and tasks
• Configuring resource controls and attributes

Note: Your displays will be different from those presented in this guide due to the dynamic nature of the contents displayed.

Task

This task will cover the following activities:
• Creating a resource pool
• Defining a project
• Obtaining project membership information
• Editing and validating project attributes
• Binding the resource pool to a project
• Creating a new task
• Moving a running process into a new task
• Monitoring resource control events globally
• Displaying information about a given resource control
• Setting resource controls
• Deleting a project

1. Verify that the Sol11-Server1 virtual machine is running. If it is not running, start it now.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password.

3. Run the su - command to assume administrator privileges.

    oracle@s11-server1:~$ su -
    Password:
    Oracle Corporation      SunOS 5.11      11.1    September 2012
    root@s11-server1:~#

4. Use the projects command to view the default projects in the system.

    root@s11-server1:~# projects -l
    system
        projid : 0
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
    user.root
        projid : 1
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
    noproject
        projid : 2
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
    default
        projid : 3
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
    group.staff
        projid : 10
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
    root@s11-server1:~# cat /etc/project
    system:0::::
    user.root:1::::
    noproject:2::::
    default:3::::
    group.staff:10::::

You are viewing this default project information so that you are aware of the default entries in the project file. In addition, when you make changes in the following steps, you will be able to recognize the changes.

In this display (project context), what is 10 in the group.staff project? Project ID

Check in the /etc/group file if the staff group is defined. What is its numeric ID? It is 10.

5. Use the projadd command to create a project and assign it to John Holt. Verify that an entry has been made in /etc/project file by using the projects -l command.

    root@s11-server1:~# projadd -U jholt -p 4000 s11deploy
    root@s11-server1:~# /usr/bin/id -ap jholt
    uid=60005(jholt) gid=10(staff) groups=10(staff) projid=10(group.staff)

Verify John Holt's group membership.

    root@s11-server1:~# projects -l
    system
        projid : 0
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
    user.root
        projid : 1
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
    noproject
        projid : 2
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
    default
        projid : 3
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
    group.staff
        projid : 10
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
    s11deploy
        projid : 4000
        comment: ""
        users  : jholt
        groups : (none)
        attribs:

Has the project been added? Yes

6. Use the projmod command to add the staff group to the project membership.

    root@s11-server1:~# projmod -G staff -c 'Oracle Solaris 11.1 deployment' s11deploy
    root@s11-server1:~# projects -l | tail
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
    s11deploy
        projid : 4000
        comment: "Oracle Solaris 11.1 deployment"
        users  : jholt
        groups : staff
        attribs:

What is the significance of group membership in the project? The staff group has an entry in the project file for accounting purposes.

Note: You are going to bind the s11deploy project to the resource pool pool_gmzone that you created in Practice 6: Configuring Zones and the Virtual Network.

7. Enable the pools service and create the default pool configuration file.

    root@s11-server1:~# svcadm enable system/pools:default
    root@s11-server1:~# poolcfg -c discover

8. Verify the pool and pset configuration.

    root@s11-server1:~# poolcfg -c info | more
    system default
        string  system.comment
        int     system.version 1
        boolean system.bind-default true
        string  system.poold.objectives wt-load
    …
        pool pool_gmzone
            int     pool.sys_id 1
            boolean pool.active true
            boolean pool.default false
            string  pool.scheduler FSS
            int     pool.importance 1
            string  pool.comment
            pset    pset_1to2
    …
        pset pset_1to2
            int     pset.sys_id 1
            boolean pset.default false
            uint    pset.min 1
            uint    pset.max 2
            string  pset.units population
            uint    pset.load 0
            uint    pset.size 0
            string  pset.comment

You have a pool with 1-2 CPUs. Your output may differ.

9. Use the projmod command to assign the pool to the s11deploy project.

    root@s11-server1:~# projmod -s -K project.pool=pool_gmzone \
    s11deploy

Here you bind pool_gmzone to the s11deploy project.

What is the main purpose of this binding? So that you can allocate one to two CPUs to the s11deploy project. An assumption was made that this project can possibly consume up to two CPUs at times.

10. Verify the pool binding to your project.

    root@s11-server1:~# projects -l | tail
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
    s11deploy
        projid : 4000
        comment: "Oracle Solaris 11.1 deployment"
        users  : jholt
        groups : staff
        attribs: project.pool=pool_gmzone

As you can see, an attribute called project.pool has been added and it is pointing to pool_gmzone.

11. By using the newtask command, create a task under the s11deploy project.

    root@s11-server1:~# newtask -p s11deploy dd if=/dev/zero \
    of=/dev/null&
    [1] 2954
    root@s11-server1:~# newtask -p s11deploy dd if=/dev/zero of=/dev/null&
    [1] 2955

For training purposes, you are creating two infinite tasks. Note down the task numbers displayed; you will need them subsequently. On your job, you may be running a different program, such as a program to create reports.

12. Use the prstat command to display all currently running processes and projects. Let this command run to view the dynamically changing CPU usage.

    root@s11-server1:~# prstat -JR
    …
    PROJID    NPROC  SWAP   RSS MEMORY      TIME  CPU PROJECT
      4000        2  312K 7328K   0.7%   2:35:44  50% s11deploy
         1        3 2912K   17M   1.6%   0:00:00 0.3% user.root
         0       99  142M  170M    17%   0:00:47 0.0% system
        10        1   10M    0K   0.0%   0:00:00 0.0% group.staff
         3        2   10M 1164K   0.0%   0:00:14 0.0% default

Notice the value for your s11deploy project in the NPROC column.

What is the project ID displayed? It is 4000.

Is this ID the same as that defined in the /etc/project file? Yes

13. Create a new task and associate it with your project.

    root@s11-server1:~# newtask dd if=/dev/zero of=/dev/null&
    [1] 2980

For training purposes, you are creating an infinitely running job. On your job, it may be related to the supported business application.

    root@s11-server1:~# newtask -v -p s11deploy -c 2980
    250

Here you associate the process ID 2980 with your s11deploy project.

Did it create a new task? Yes, 250

How many other processes are associated with process ID 250? Two processes

What are their process IDs? They are 2954 and 2955. Your output may differ. Example:

    root@s11-server1:~# prstat -JR | grep dd
       PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
      2980 root     7156K 1316K cpu0    59    0   1:36:13  25% dd/1
      2954 root     7156K 1316K cpu1    59    0   1:55:55  25% dd/1

Here you can associate the PIDs 2980 and 2954 with the dd programs that are running.

14. Associate another attribute with your project. Verify the result.

    root@s11-server1:~# projmod -a -K "task.max-lwps=(priv,100,deny)" s11deploy

For training purposes, you are configuring a ceiling for the maximum number of lightweight processes (LWPs) to be 100. The assumption is that you determined that your project can consume significant resources sometimes and you want to limit the LWPs.

    root@s11-server1:~# projects -l | tail
        users  : (none)
        groups : (none)
        attribs:
    s11deploy
        projid : 4000
        comment: "Oracle Solaris 11.1 deployment"
        users  : jholt
        groups : staff
        attribs: project.pool=pool_gmzone
                 task.max-lwps=(priv,100,deny)

What will happen if the number of processes exceeds 100? The Oracle Solaris kernel will not start the 101st task because the ceiling is defined as 100.

15. Use the projmod command to remove the pool configuration from your project. Verify the results.

    root@s11-server1:~# projmod -r -K project.pool s11deploy
    root@s11-server1:~# projects -l | tail
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
    s11deploy
        projid : 4000
        comment: "Oracle Solaris 11 deployment"
        users  : jholt
        groups : staff
        attribs: task.max-lwps=(priv,100,deny)

Because you configured a limit of 100 for LWPs, it does not make sense to use one to two CPUs. So assume that you determined that the CPU pool is not needed any more.

Is the pool showing up in the project file? No

Note: Test the LWPs limit in the next few steps.

16. Use the projmod command to modify the maximum LWPs to a more manageable three. Verify the results.

    root@s11-server1:~# projmod -K 'task.max-lwps=(priv,3,deny)' \
    s11deploy
    root@s11-server1:~# projects -l | tail
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
    s11deploy
        projid : 4000
        comment: "Oracle Solaris 11.1 deployment"
        users  : jholt
        groups : staff
        attribs: task.max-lwps=(priv,3,deny)

What will happen if an attempt is made to start the fourth process? The Oracle Solaris kernel will not start it.

How can you tell? The deny directive in the command

17. Use the newtask command to create a task called bash for the project s11deploy.

    root@s11-server1:~# newtask -p s11deploy bash

Because your default shell for launching processes is bash, you create a new task for your s11deploy project.

    root@s11-server1:~# prctl -n task.max-lwps $$
    process: 3220: bash
    NAME    PRIVILEGE       VALUE    FLAG   ACTION    RECIPIENT
    task.max-lwps
            usage               3
            privileged          3           deny
            system          2.15G     max   deny              -

This verifies the LWPs setting for your default shell.

    root@s11-server1:~# id -p
    uid=0(root) gid=0(root) projid=4000(s11deploy)

18. Using the rctladm command, enable global monitoring on the lightweight processes. Verify the results.

    root@s11-server1:~# rctladm -e syslog task.max-lwps
    root@s11-server1:~# rctladm | grep max-lwps
    task.max-lwps               syslog=notice  [ count ]
    project.max-lwps            syslog=off     [ no-basic count ]
    zone.max-lwps               syslog=off     [ no-basic count ]

Using this utility, you can globally monitor as well as log the tasks that cross the threshold. In this case, you set the syslog priority level to notice so that a log entry can be generated in the /var/adm/messages file. You will learn more about syslog in Lesson 12: Monitoring and Troubleshooting Software Failures.

19. Create multiple bash processes and test the limit.

    root@s11-server1:~# ps -o project,taskid -p $$
     PROJECT TASKID
    s11deploy   256

The current task ID of the bash process is 256.

    root@s11-server1:~# bash
    root@s11-server1:~# bash
    root@s11-server1:~# bash
    bash: fork: retry: Resource temporarily unavailable
    …

You may see this message being displayed repetitively. Use Ctrl + C to stop the display.

Press Enter and then exit from one of the bash processes in order to receive the command prompt. Verify by using the ps command that you now have only three bash processes running.

    root@s11-server1:~# ps
      PID TTY         TIME CMD
     3352 console     0:00 ps
     2923 console     0:00 bash
     2962 console     0:00 bash
     2962 console     0:00 bash

How many bash processes are running currently? Three

Now exit two bash processes.

    root@s11-server1:~# exit
    root@s11-server1:~# exit

20. Use the prctl command to display the current resource controls.

    root@s11-server1:~# prctl $$
    process: 2974: bash
    NAME    PRIVILEGE       VALUE    FLAG   ACTION    RECIPIENT
    process.max-port-events
            privileged      65.5K       -   deny              -
            system          2.15G     max   deny
    process.max-msg-messages
            privileged      8.19K           deny
            system          4.29G     max   deny              -
    …
    task.max-lwps
            usage               3
            system          2.15G     max   deny
    …
    project.max-tasks
            usage               6
            system          2.15G     max   deny              -
    project.max-processes
            usage              39
            system          2.15G     max   deny              -
    …
    zone.cpu-shares
            usage               1
            privileged          1           none
            system          65.5K     max   none              -

Notice the first column for various types of global resource controls. Some levels to note are project, task, process, and zone.

21. Using the tail command, view the error messages in the /var/adm/messages file.

    root@s11-server1:~# tail /var/adm/messages
    Dec 19 13:39:17 s11-serv1 genunix: [ID 748619 kern.notice] privileged rctl task.max-lwps (value 3) exceeded by process 3492 in task 256.
    Dec 19 13:39:18 s11-serv1 genunix: [ID 748619 kern.notice] privileged rctl task.max-lwps (value 3) exceeded by process 3494 in task 256.
    Dec 19 13:39:18 s11-serv1 genunix: [ID 748619 kern.notice] privileged rctl task.max-lwps (value 3) exceeded by process 3495 in task 256.
    …

Can you match the task ID 256 that is reported here with the task ID in step 21? Yes

Note that the threshold of three and other related information are also listed.

Each time an attempt is made to cross the threshold, an entry is made in this log.

Kill the infinitely running processes.
root@s11-server1:~# pkill -9 dd
root@s11-server1:~#

22. Using the projdel command, delete the s11deploy project. Confirm the results.

root@s11-server1:~# projdel s11deploy
root@s11-server1:~# projects -l
system
        projid : 0
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
user.root
        projid : 1
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
noproject
        projid : 2
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
default
        projid : 3
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
group.staff
        projid : 10
        comment: ""
        users  : (none)
        groups : (none)
        attribs:

You are deleting the project only for demonstration purposes. On the job, you will, of course, delete a project only when the project is not needed anymore. If this project is needed in subsequent practices, you will create it.

Practice 11-2: Evaluating System Performance Levels

Overview
Your predeployment test plan calls for evaluating system performance. This practice will cover monitoring the memory, CPU, and disk usage. Multiple system utilities will be used to assess system performance.
The following topics will be addressed in this practice:
• Displaying virtual memory statistics (vmstat)
• Displaying disk usage information
• Monitoring system activities
• Collecting system activity data automatically (sar)
• Setting up automatic data collection (sar)

Task 1: Displaying Virtual Memory Statistics
• Virtual memory statistics (vmstat)
• System event information (vmstat -s)
• Swapping statistics (vmstat -S)

1. Verify that the Sol11-Server1 virtual machine is running. If it is not running, start it now. Double-click the Sol11-Desktop icon to launch the Sol11-Desktop virtual machine.
2. Log in to the Sol11-Desktop virtual machine as the oracle user. Use oracle1 as the password.
3. Right-click the desktop background and open a terminal window.
4. In the terminal window, run the su - command to assume administrator privileges.

oracle@s11-desktop:~$ su -
Password:
Oracle Corporation SunOS 5.11 11.1 September 2012
root@s11-desktop:~#

5. Use the newtask command to create an infinitely running task.

root@s11-desktop:~# newtask dd if=/dev/zero of=/dev/null&
[1] 3462

This task is created to generate some workload for training purposes. On the job, you will have your application and system processes. While these tasks are running, as a system administrator, you would like to monitor their impact on system resources, especially the memory and CPU.

root@s11-desktop:~# vmstat 5
 kthr      memory            page              disk           faults        cpu
 r b w   swap   free  re  mf pi po fr de sr s0 s1 s2 s3    in     sy  cs us sy id
 0 0 0 948016  53556   4  32  0  0  0  0 21  1  3 -1 -1   794 733327 451  5 15 80
 0 0 0 930388  33940   3  12  0  0  0  0  0  9  0  0  0   683  87963 555  8 18 74
 0 0 0 930284  33844   0   0  0  0  0  0  0  0  0  0  0   637  88670 461  8 18 74
 0 0 0 930284  33856   0   0  0  0  0  0  0  0  0  0  0   663  89500 465  8 18 74
 0 0 0 930284  33856   0   0  0  0  0  0  0  0  0  0  0   649  88298 466  8 18 74
 0 0 0 930284  33856   0   0  0  0  0  0  0  8  0  0  0   642  87486 465  8 18 74
 0 0 0 930276  33844   0   1  0  0  0  0  0  0  0  0  0   638  87308 457  8 18 74
 0 0 0 930276  33844   0   0  0  0  0  0  0  0  0  0  0   657  88708 500  8 18 74
 0 0 0 930276  33844   0   0  0  0  0  0  0  0  0  0  0   635  88078 459  8 18 74
 0 0 0 930276  33844   0   0  0  0  0  0  0  0  0  0  0   794  87826 461  8 18 74
 0 0 0 930276  33844   0   0  0  0  0  0  0  0  0  0  0   646  87986 462  8 18 74
 0 0 0 930276  33844   0   0  0  0  0  0  0  3  0  0  0   643  86883 463  8 19 73
 11 0 0 932936 36496   0   0  0  0  0  0  0  0  0  0  0  2771  83461 450  8 20 72
 0 0 0 961508  65076   0   0  0  0  0  0  0  0  0  0  0   656  88659 532  8 18 74
 0 0 0 961508  65076   0   0  0  0  0  0  0  0  0  0  0   967  87164 503  8 18 74

Some points to note are:
a. For example, take the last two lines. When the system is consuming less CPU (sy under the CPU column), more memory is available. In addition, the last column (id under the CPU column) shows more idle time.
b. As another example, take the third line from the bottom. Currently, the system is not using the CPU for a longer time (sy under the CPU column), so there is more CPU idle time (id under the CPU column) and less memory available.

6. Use the vmstat -s command to display the system events since the last reboot.

root@s11-desktop:~# vmstat -s | more
        0 swap ins
        0 swap outs
        0 pages swapped in
        0 pages swapped out
   875033 total address trans. faults taken
        6 page ins
       69 page outs
       32 pages paged in
      948 pages paged out
   110830 total reclaims
   110830 reclaims from free list
        0 micro (hat) faults
   875033 minor (as) faults
        5 major faults
   207486 copy-on-write faults
   217129 zero fill page faults
   464034 pages examined by the clock daemon
        2 revolutions of the clock hand
     3777 pages freed by the clock daemon
     2356 forks
…
…
…

So, what can you take away from here? Although some of the display items are common with the previous display (pages swapped in and swapped out), consider the highlighted items:
a. 110830 reclaims from free list: Displays how many free pages of memory were reclaimed, which indicates how quickly the system was running out of memory. Because the memory is used for programs, it explains the load on the system memory.
b. 2356 forks: Tells you how many processes are launching subprocesses. These processes create the workload that requires memory and CPU resources.

7. Use the vmstat -S command to display system memory pages swapping in and swapping out.

root@s11-desktop:~# vmstat -S
 kthr      memory            page              disk           faults        cpu
 r b w   swap    free  si so pi po fr de  sr s0 s1 s2 s3   in   sy   cs us sy id
 0 0 0 1024800 150444   0  0  0  1  6  0 298  8  0 -2 -2  719 7142 1157  1  2 97

Here you can check the swapping activity, for example, memory pages swapped in (pi) and pages swapped out (po). This demonstrates the workload created by one job running in the background.

Task 2: Displaying Disk Usage Information

This task covers the following activities:
• Displaying general disk usage data
• Extending disk statistics (iostat -xtc)
• Displaying disk space information (df -h)

1. Verify that the Sol11-Server1 virtual machine is running. If it is not running, start it now. Double-click the Sol11-Desktop icon to launch the Sol11-Desktop virtual machine.
2. Log in to the Sol11-Desktop virtual machine as the oracle user. Use oracle1 as the password.
3. Right-click the desktop background and open a terminal window.
4. In the terminal window, run the su - command to assume administrator privileges.

oracle@s11-desktop:~$ su -
Password:
Oracle Corporation SunOS 5.11 11.1 September 2012
root@s11-desktop:~#

5. Use the iostat command to check the input/output activity on your disks and CPU.

root@s11-desktop:~# iostat 5
   tty        sd0           sd1           sd2           sd3            cpu
 tin tout kps tps serv  kps tps serv  kps tps serv  kps tps serv   us sy wt id
   0    3 138   4   51    1   0    7    0   0    0    0   0    0    4 10  0 86
   0   47   0   0    0    0   0    0    0   0    0    0   0    0    8 18  0 74
   0   16  50  18    3    0   0    0    0   0    0    0   0    0    8 18  0 74
   0   16   0   0    0    0   0    0    0   0    0    0   0    0    8 18  0 74

Here you can inspect the service time for transactions by using the sd1 disk, which is 7 milliseconds. Compare that to the 51 milliseconds service time for transactions on the sd0 disk. Generally speaking, it shows you which disk is taking more time in servicing your transaction. However, you need to keep in mind the nature of the transactions too.

6. Use the iostat -xtc command to obtain extended input/output statistics for the disks.
root@s11-desktop:~# iostat -xtc
                  extended device statistics                    tty         cpu
device    r/s    w/s   kr/s   kw/s wait actv  svc_t  %w  %b  tin tout  us sy wt id
sd0       2.4    1.4   92.9   21.9  0.1  0.0   48.6   3   4    0    9   5 11  0 84
sd1       0.1    0.0    0.4    0.0  0.0  0.0    6.9   0   0
sd2       0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0
sd3       0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0
sd4       0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0
sd5       0.0    0.0    0.0    0.0  0.0  0.0    0.0   0   0

This display can help you to understand I/O activity. For example, consider the reads and writes of the sd0 disk: 92.9 kilobytes worth of data read per second; 21.9 kilobytes worth of data written per second. The svc_t column shows the service time in milliseconds. Look at 48.6 milliseconds of average service time for the sd0 disk. Compare this disk to the other disks. Why is its service time so high? The answer is because, in the current environment, you have the default ZFS file system on this disk.

7. Use the df -h command to display disk space information.

root@s11-desktop:~# df -h | more
Filesystem                 Size  Used  Avail  Use%  Mounted on
rpool/ROOT/solaris          13G  4.5G   8.5G   35%  /
swap                       907M  460K   906M    1%  /system/volatile
/usr/lib/libc/libc_hwcap1.so.1
                            13G  4.5G   8.5G   35%  /lib/libc.so.1
swap                       907M   56K   906M    1%  /tmp
ora                        209G  118G    92G   57%  /opt/ora
rpool/export               8.5G   32K   8.5G    1%  /export
rpool/export/home          8.5G   37K   8.5G    1%  /export/home
rpool/export/home/jholt    8.5G   40K   8.5G    1%  /export/home/jholt
rpool/export/home/oracle   8.5G  807K   8.5G    1%  /export/home/oracle
…
…

This command is very useful because it presents the used and available storage information for all mounted file systems. For example, here you can see that the ZFS root file system has used up 4.5G out of 13G.
Task 3: Monitoring System Activities

The following activities are covered in this task:
• Checking file access (sar -a)
• Checking buffer activity (sar -b)
• Checking system call statistics (sar -c)
• Checking disk activity (sar -d)
• Checking unused memory (sar -r)
• Setting up automatic data collection

1. Verify that the Sol11-Server1 virtual machine is running. If it is not running, start it now. Double-click the Sol11-Desktop icon to launch the Sol11-Desktop virtual machine.
2. Log in to the Sol11-Desktop virtual machine as the oracle user. Use oracle1 as the password.
3. Right-click the desktop background and open a terminal window.
4. In the terminal window, run the su - command to assume administrator privileges.

oracle@s11-desktop:~$ su -
Password:
Oracle Corporation SunOS 5.11 11.1 September 2012
root@s11-desktop:~#

5. In the terminal window, use the sar -a command to check on file access.

root@s11-desktop:~# sar -a 5 2

SunOS s11-desktop 5.11 11.1 i86pc 12/16/2012

16:07:28  iget/s  namei/s  dirbk/s
16:07:33       0        2        0
16:07:38       0        6        0

Average        0        4        0

You ran the command for two displays every 5 seconds. On average, the system could not find one file (under column namei/s). At the system level, if this number is high, you need to be concerned.

6. Use the sar -b command to check on buffer activity.

root@s11-desktop:~# sar -b 2 2

SunOS s11-desktop 5.11 11.1 i86pc 12/16/2012

16:42:45  bread/s  lread/s  %rcache  bwrit/s  lwrit/s  %wcache  pread/s  pwrit/s
16:42:47        0        0      100        0        0      100        0        0
16:42:49        0        0      100        0        0      100        0        0

Average         0        0      100        0        0      100        0        0

This command displays the reads from the buffer and writes to the buffer. At a glance, you can see 100% reads from the buffer and 100% writes to the buffer. You are looking for any anomalies. Here things are running smoothly as far as buffer activity is concerned.

7. Use the sar -c command to check on system call activity.

root@s11-desktop:~# sar -c 2 2

SunOS s11-desktop 5.11 11.1 i86pc 12/16/2012

16:50:29  scall/s  sread/s  swrit/s  fork/s  exec/s    rchar/s    wchar/s
16:50:31  1473382   736337   736318    0.00    0.00  376991964  376989750
16:50:33  1360794   680028   680012    0.00    0.00  348160177  348160229
…
…
…
Average   1417088   708182   708165    0.00    0.00  362576070  362574990

This command displays system calls for reads, writes, forks, and other system call information. This information is useful when you are developing metrics or want to use dtrace to track down a very high number of system calls.

8. Use the sar -d command to check on disk activity.

root@s11-desktop:~# sar -d 2 2

SunOS s11-desktop 5.11 11.1 i86pc 12/16/2012

16:56:15  device  %busy  avque  r+w/s  blks/s  avwait  avserv

16:56:17  sd0         0    0.0      0       0     0.0     0.0
          sd0,a       0    0.0      0       0     0.0     0.0
          sd0,c       0    0.0      0       0     0.0     0.0
          sd0,i       0    0.0      0       0     0.0     0.0
          sd0,q       0    0.0      0       0     0.0     0.0

Average   sd0         2    0.0     19      79     0.0     1.3
          sd0,a       2    0.0     19      79     0.0     1.3
          sd0,c       0    0.0      0       0     0.0     0.0
          sd0,i       0    0.0      0       0     0.0     0.0
          sd0,q       0    0.0      0       0     0.0     0.0
…
…
…

This command displays disk-related activity, for example, reads and writes as shown in the r+w/s column, average wait time, and average service time in milliseconds. How can you use this information? If any of these numbers are too high for your application, there may be a disk issue.

9. Use the sar -r command to check on available physical and swap memory.

root@s11-desktop:~# sar -r 2 2

SunOS s11-desktop 5.11 11.1 i86pc 12/16/2012

17:07:08  freemem  freeswap
17:07:10     8215   1853912
17:07:12     8222   1853912

Average      8218   1853912

This command displays the physical and swap memory available. The benefit of tracking these numbers is that you will be able to take corrective action if you are running out of memory. For example, if very little swap memory is left, you can increase the swap memory allocation.

10. Use the crontab command to edit the system cron file. Uncomment the last entry to run the system script sa2. Exit edit mode.

…
…
…
#0 * * * 0-6 /usr/lib/sa/sa1
#20,40 8-17 * * 1-5 /usr/lib/sa/sa1
#5 18 * * 1-5 /usr/lib/sa/sa2 -s 8:00 -e 18:01 -i 1200 -A
root@s11-desktop:/etc/cron.d# crontab -e sys
…
…
…
root@s11-desktop:/etc/cron.d# crontab -l sys
…
…
…
#0 * * * 0-6 /usr/lib/sa/sa1
#20,40 8-17 * * 1-5 /usr/lib/sa/sa1
5 18 * * 1-5 /usr/lib/sa/sa2 -s 8:00 -e 18:01 -i 1200 -A

This entry will run the sa2 script every day Monday through Friday at 6:05 PM. The monitoring start time is at 8 AM and it ends at 6:01 PM. The performance data interval is every 1200 seconds (every 20 minutes) and you are collecting all statistics, for example, memory, CPU, and disk usage.

11. Shut down the Sol11-Desktop virtual machine.
Practices for Lesson 12: Monitoring and Troubleshooting Software Failures
Chapter 12

Practice Overview for Lesson 12

Practices Overview
In these practices, you will be presented with a plan for viewing and exploring various configurations of system messaging. In addition, you will inspect the current system and application dump facilities, which are beneficial when debugging system or application problems.

The following activities are covered:
• Setting up system messaging
• Configuring system and application crash facilities

Scenario
Your company would like to evaluate the system messaging and debugging facilities. Because your company also plans to utilize ZFS, you are asked to create disk and data failures and correct the problems.

Check your progress. You have completed evaluating system resources.
√   Oracle Solaris 11.1 Predeployment Checklist
√   Managing the Image Packaging System (IPS) and Packages
√   Installing Oracle Solaris 11.1 on Multiple Hosts
√   Managing the Business Application Data
√   Configuring Network and Traffic Failover
√   Configuring Zones and the Virtual Network
√   Managing Services and Service Properties
√   Configuring Privileges and Role-Based Access Control
√   Securing System Resources by Using Oracle Solaris Auditing
√   Managing Processes and Priorities
√   Evaluating System Resources
    Monitoring and Troubleshooting System Failures

Practice 12-1: Setting Up System Messaging

Overview
In this practice, you work with system messaging facilities. You configure message routing on Sol11-Desktop as well as on the message destination host Sol11-Server1. This practice will include the following activities:
• Setting up message routing
• Using TCP trace to log a message

Note: The contents of your display may be different from the displays in this practice.

Task 1: Setting up message routing

The following activities are covered in this task:
• Determining the type and destination of messages
• Setting up message routing
• Restarting the message logging daemon (syslogd)
• Adding one-line entries to a system log file
• Monitoring the message logging in real time

1. Verify that the Sol11-Server1 and Sol11-Desktop virtual machines are running. If the virtual machines are not running, start them now.
2. Log in to the Sol11-Desktop virtual machine as the oracle user. Use oracle1 as the password. Right-click on the desktop and open a terminal window. Assume administrator privileges.

oracle@s11-desktop:~$ su
Password:
Oracle Corporation SunOS 5.11 11.1 September 2012
root@s11-desktop:~#

3. Copy the /etc/syslog.conf file and then use the more command to display the contents of the file.

root@s11-desktop:~# cp /etc/syslog.conf /etc/syslog.conf.orig
root@s11-desktop:~# more /etc/syslog.conf
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words. Also, within ifdef's, arguments
# containing commas must be quoted.
#
*.err;kern.notice;auth.notice                   /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages
*.alert;kern.err;daemon.err                     operator
*.alert                                         root

What does the configuration kern.debug mean? It means that the message source facility is defined as kernel and the severity as debug. Debug means that messages of any severity should be recorded in the /var/adm/messages file.

Can you break down the configuration set daemon.err? Yes.

4. Using the vi editor, modify /etc/syslog.conf to add the local0.notice entry as indicated.

root@s11-desktop:~# vi /etc/syslog.conf

Add the following entry at the end of the file.

root@s11-desktop:~# grep local0.notice /etc/syslog.conf
local0.notice                                   @s11-server1
root@s11-desktop:~#

Caution: After local0.notice, you need to use (one or more) tabs. These are not spaces.

What is the local0 facility? It is reserved for users to record messages.

5.
Use the svcadm command to restart the syslogd daemon so that the new configuration is activated.

root@s11-desktop:~# svcadm refresh system/system-log

Now your syslog configuration is in effect.

6. Display detailed information about the telnet service package, install the package, and then verify that the telnet service is online.

root@s11-desktop:~# pkg info -r *telnet* | more
          Name: network/telnet
       Summary: Telnet client command
   Description: The telnet(1) utility communicates with another host using the legacy Telnet protocol (RFCs 727, 854, 1073, 1096, 1408, 1510, 1571, 1572, 2941, 2942, 2946, and 2952).
      Category: Applications/System Utilities
         State: Installed
     Publisher: solaris
       Version: 0.5.11
 Build Release: 5.11
        Branch: 0.175.1.0.0.24.2
Packaging Date: September 19, 2012 06:44:32 PM
          Size: 237.29 kB
          FMRI: pkg://solaris/network/telnet@0.5.11,5.11-0.175.1.0.0.24.2:20120919T184432Z

          Name: service/network/telnet
       Summary: Telnet service
   Description: Provides server support for the legacy Telnet protocol (RFCs 727, 854, 1073, 1096, 1408, 1510, 1571, 1572, 2941, 2942, 2946, and 2952).
      Category: System/Services
         State: Not installed
     Publisher: solaris
       Version: 0.5.11
 Build Release: 5.11
        Branch: 0.175.1.0.0.24.2
Packaging Date: September 19, 2012 06:45:51 PM
          Size: 80.77 kB
          FMRI: pkg://solaris/service/network/telnet@0.5.11,5.11-0.175.1.0.0.24.2:20120919T184551Z
root@s11-desktop:~#

Install the telnet package if it is not installed.

root@s11-desktop:~# pkg install service/network/telnet
           Packages to install:  1
       Create boot environment: No
Create backup boot environment: No
            Services to change:  1

DOWNLOAD                          PKGS       FILES    XFER (MB)    SPEED
Completed                          1/1       10/10      0.0/0.0  69.4k/s

PHASE                                        ITEMS
Installing new actions                       32/32
Updating package state database               Done
Updating image state                          Done
Creating fast lookup database                 Done
root@s11-desktop:~#

root@s11-desktop:~# svcs -a | grep telnet
online          8:14:18 svc:/network/telnet:default

In case the telnet service is installed as disabled, use the command "svcadm enable network/telnet" to bring it online.

7. Switch to the s11-server1. Use the netservices open command to ensure that all services are open and the message can be received from s11-desktop.

root@s11-server1:~# netservices open

Ignore any error messages.

8. On s11-server1, by using the touch command, create the /var/log/local0.log file.

root@s11-server1:~# touch /var/log/local0.log

9. On s11-server1, by using the vi editor, modify the /etc/syslog.conf file by adding the entry as indicated.

root@s11-server1:~# vi /etc/syslog.conf
root@s11-server1:~# grep local0 /etc/syslog.conf
local0.notice                                   /var/log/local0.log

On s11-server1, what is the destination file of the message? The /var/log/local0.log file.

10. On the s11-server1 host, by using the svcadm command, restart the system-log service. Use the tail command to monitor the messages being written to the log.
root@s11-server1:~# svcadm refresh system-log
root@s11-server1:~# tail -f /var/log/local0.log

Now if any message is written to this log, it will be displayed under the above command.

11. Switch to the s11-desktop host and by using the logger command, record a message to the log.

root@s11-desktop:~# logger -p local0.notice hello from s11-desktop

Where would this message be displayed? On the s11-server1 host.

Why? Because you configured the destination of local0.notice to s11-server1.

12. Switch to the s11-server1 host and view the message.

root@s11-server1:~# tail -f /var/log/local0.log
Dec 20 08:07:58 s11-desktop oracle: [ID 702911 local0.notice] hello from s11-desktop

Use CTRL + C key to exit.

So here it is. Where did this message come from? From s11-desktop.

Task 2: Using TCP Trace to Log a Message

This task covers the following activity:
• Using TCP trace to log a message
• Verifying the message in the log

Note: In this task, you will be working with both the hosts: Sol11-Desktop and Sol11-Server1. You can determine the host by the command prompt in the displays.

1. Verify that the Sol11-Server1 and Sol11-Desktop virtual machines are running. If the virtual machines are not running, start them now.
2. Log in to both virtual machines as the oracle user. Use oracle1 as the password. Assume administrator privileges.

oracle@s11-desktop:~$ su
Password:
Oracle Corporation SunOS 5.11 11.1 September 2012
root@s11-desktop:~#

3. Use the man command to find the facility and the message severity level used by the inetd daemon.
After the man pages are displayed, do a find on tcp_trace, which will take you to the desired information directly.

root@s11-desktop:~# man inetd
…
…
…
/tcp_trace
…
…
…
tcp_trace
    If true, and this is a nowait-type service, inetd logs the client's IP address and TCP port number, along with the name of the service, for each incoming connection, using the syslog(3C) facility. inetd uses the syslog facility code daemon and notice priority level. See syslog.conf(4) for a description of syslog codes and severity levels. This logging is separate from the logging done by the TCP wrappers facility.

What facility code and severity level does inetd use? daemon.notice

4. Using the grep command, display the daemon.notice entry in syslog.

root@s11-desktop:~# grep daemon.notice /etc/syslog.conf
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages

When a daemon needs to send a notice, where would it send it? To the /var/adm/messages file

5. Open another terminal window on S11-Desktop. In the new window, use the tail -f command to monitor the messages file.

oracle@s11-desktop:~$ su
Password:
Oracle Corporation SunOS 5.11 11.1 September 2012
root@s11-desktop:~# tail -f /var/adm/messages
…
…
…
Dec 20 02:48:40 s11-desktop gnome-session[2745]: [ID 702911 daemon.warning] WARNING: IceListenForConnections returned 2 nonlocal listeners: inet/s11-desktop:47263,inet6/s11-desktop:33256
Dec 20 02:48:44 s11-desktop genunix: [ID 127566 kern.info] device pciclass,030000@2(display#0) keeps up device scsiclass,05@1,0(cdrom#1), but the former is not power managed

You will need to monitor this log for any new messages being written when you use the telnet command. Your output may differ.

6. Switch to the s11-server1 host and use the telnet command to connect to the s11-desktop host. Check to see if the telnet service is enabled. If it is not, enable it.

root@s11-server1:~# svcs telnet
STATE          STIME    FMRI
disabled       10:12:24 svc:/network/telnet:default
root@s11-server1:~# svcadm enable telnet
root@s11-server1:~# svcs telnet
STATE          STIME    FMRI
online         11:03:04 svc:/network/telnet:default

root@s11-server1:~# telnet s11-desktop
Trying 192.168.0.111...
Connected to s11-desktop.
Escape character is '^]'.
login: oracle
Password: oracle1
Last login: Sat Oct 22 10:48:48 on rad/0
Oracle Corporation SunOS 5.11 11.1 September 2012
oracle@s11-desktop:~$ ls
Desktop Documents Downloads Public
oracle@s11-desktop:~$ pwd
/home/oracle
oracle@s11-desktop:~$ exit
logout
Connection to s11-desktop closed by foreign host.
root@s11-server1:~#

What is the purpose of this telnet connection to the desktop? To verify that the system writes the connection information in the log

7.
Switch to the s11-desktop host and go to the window that is running the tail command.

root@s11-desktop:~# tail -f /var/adm/messages
…
…
…
Dec 13 22:14:32 s11-desktop pulseaudio[1695]: [ID 295310 user.error] [(null)] module.c: Failed to load module "module-oss" (argument: "device="/dev/dsp" sink_name=output source_name=input"): initialization failed.
Dec 13 22:14:32 s11-desktop pulseaudio[1695]: [ID 295310 user.error] [(null)] main.c: Module load failed.
Dec 13 22:14:32 s11-desktop pulseaudio[1695]: [ID 295310 user.error] [(null)] main.c: Failed to initialize daemon.
Dec 13 22:14:32 s11-desktop pulseaudio[1693]: [ID 295310 user.error] [(null)] main.c: Daemon startup failed.
…

Do you see any new entry being written for the telnet command? No.

8. On the s11-desktop host, in the other window, use the inetadm command to check whether tracing is enabled.

root@s11-desktop:~# inetadm -l telnet
SCOPE    NAME=VALUE
         name="telnet"
         endpoint_type="stream"
…
…
…
default  bind_addr=""
default  bind_fail_max=-1
default  bind_fail_interval=-1
default  max_con_rate=-1
default  max_copies=-1
default  con_rate_offline=-1
default  failrate_cnt=40
default  failrate_interval=60
default  inherit_env=TRUE
default  tcp_trace=FALSE
default  tcp_wrappers=FALSE
default  connection_backlog=10
default  tcp_keepalive=FALSE
root@s11-desktop:~#

Is tcp_trace enabled? No

How can you tell? The tcp_trace is set to FALSE in the display.

9. On the s11-desktop host, use the inetadm command to enable tcp_trace.
    root@s11-desktop:~# inetadm -m telnet tcp_trace=true
    root@s11-desktop:~# inetadm -l telnet
    SCOPE    NAME=VALUE
             name="telnet"
             endpoint_type="stream"
    …
    …
    …
    default  bind_addr=""
    default  bind_fail_max=-1
    default  bind_fail_interval=-1
    default  max_con_rate=-1
    default  max_copies=-1
    default  con_rate_offline=-1
    default  failrate_cnt=40
    default  failrate_interval=60
    default  inherit_env=TRUE
             tcp_trace=TRUE
    default  tcp_wrappers=FALSE
    default  connection_backlog=10
    default  tcp_keepalive=FALSE

Is tcp_trace enabled now? Yes.

10. Switch to s11-server1 and telnet to s11-desktop. Then return to s11-desktop and, in the monitoring window, look for any new message written to the log.

    root@s11-server1:~# telnet s11-desktop
    Trying 192.168.0.111...
    Connected to s11-desktop.
    Escape character is '^]'.
    login: oracle
    Password: oracle1
    Last login: Sat Oct 22 10:48:48 on s11-server1.myd
    Oracle Corporation      SunOS 5.11      11.1    September 2012
    oracle@s11-desktop:~$ ls
    Desktop Documents Downloads Public
    oracle@s11-desktop:~$ pwd
    /home/oracle
    oracle@s11-desktop:~$ exit
    logout
    Connection to s11-desktop closed by foreign host.
    root@s11-server1:~#

Now switch to s11-desktop and look for any new messages regarding telnet.

    root@s11-desktop:~# tail -f /var/adm/messages
    …
    …
    …
    Dec 13 22:14:32 s11-desktop pulseaudio[1695]: [ID 295310 user.error] [(null)] module.c: Failed to load module "module-oss" (argument: "device="/dev/dsp" sink_name=output source_name=input"): initialization failed.
    Dec 13 22:14:32 s11-desktop pulseaudio[1695]: [ID 295310 user.error] [(null)] main.c: Module load failed.
    Dec 13 22:14:32 s11-desktop pulseaudio[1695]: [ID 295310 user.error] [(null)] main.c: Failed to initialize daemon.
    Dec 13 22:14:32 s11-desktop pulseaudio[1693]: [ID 295310 user.error] [(null)] main.c: Daemon startup failed.
    Dec 16 09:44:39 s11-desktop inetd[1018]: [ID 317013 daemon.notice] telnet[2726] from 192.168.0.100 54587
    . . .
    root@s11-desktop:~#

Do you see a new log entry? Yes.
Can you identify the fields in this message? Date/time stamp, local host name, process name (PID), Message ID, facility.level, incoming request, PPID, IP address of the source host, and port number.

11. Return to the other s11-desktop terminal window and, by using the inetadm command, disable tcp_trace.

    root@s11-desktop:~# inetadm -m telnet tcp_trace=FALSE
    root@s11-desktop:~# inetadm -l telnet
    SCOPE    NAME=VALUE
             name="telnet"
             endpoint_type="stream"
    …
    …
    …
    default  bind_addr=""
    default  bind_fail_max=-1
    default  bind_fail_interval=-1
    default  max_con_rate=-1
    default  max_copies=-1
    default  con_rate_offline=-1
    default  failrate_cnt=40
    default  failrate_interval=60
    default  inherit_env=TRUE
             tcp_trace=FALSE
    default  tcp_wrappers=FALSE
    default  connection_backlog=10
    default  tcp_keepalive=FALSE

Is tcp_trace disabled? Yes.

12. Shut down the Sol11-Desktop virtual machine.
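The field breakdown from step 10 of Practice 12-1, as an added example that is not part of the Oracle guide: shell functions that pick the inetd tcp_trace records out of /var/adm/messages-style text and count connections per service and source address. The function names are hypothetical, and every sample line except the telnet[2726] entry is constructed.

```shell
#!/bin/sh
# Added example (not from the guide): extract inetd tcp_trace records from
# syslog text in the format shown in step 10.

# Constructed sample input. Only the pulseaudio line and the telnet[2726]
# line appear in the practice; the later inetd lines are invented here.
sample_messages() {
    cat <<'EOF'
Dec 13 22:14:32 s11-desktop pulseaudio[1693]: [ID 295310 user.error] [(null)] main.c: Daemon startup failed.
Dec 16 09:44:39 s11-desktop inetd[1018]: [ID 317013 daemon.notice] telnet[2726] from 192.168.0.100 54587
Dec 16 09:51:02 s11-desktop inetd[1018]: [ID 317013 daemon.notice] telnet[2801] from 192.168.0.100 54612
Dec 16 10:02:17 s11-desktop inetd[1018]: [ID 317013 daemon.notice] telnet[2850] from 192.168.0.112 40211
EOF
}

# Print one record per traced connection:
#   timestamp|host|facility.level|service|pid|source_ip|source_port
# "pid" is the number in brackets after the service name (the field the
# guide labels PPID). Lines from other daemons, or lines too short to hold
# every field, are skipped rather than guessed at.
tcp_trace_events() {
    awk '
    NF >= 12 && $5 ~ /^inetd\[[0-9]+\]:$/ && $6 == "[ID" &&
    $9 ~ /\[[0-9]+\]$/ && $10 == "from" {
        i = index($9, "[")
        service = substr($9, 1, i - 1)
        pid = substr($9, i + 1, length($9) - i - 1)
        facility = $8
        sub(/\]$/, "", facility)
        printf "%s %s %s|%s|%s|%s|%s|%s|%s\n",
            $1, $2, $3, $4, facility, service, pid, $11, $12
    }'
}

# Summarise the records: connection count per service and source address,
# busiest first, with the time of the most recent connection.
tcp_trace_summary() {
    tcp_trace_events | awk -F'|' '
    { key = $4 " " $6; count[key]++; last[key] = $1 }
    END {
        for (k in count)
            printf "%d %s last=%s\n", count[k], k, last[k]
    }' | sort -k1,1nr -k2
}

sample_messages | tcp_trace_summary
```

On a live system the same functions read the real log, for example `tcp_trace_summary < /var/adm/messages`; records appear only for services that have tcp_trace set to TRUE.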
Practice 12-2: Configuring System and Application Crash Facilities

Overview

In this practice, you work with the configuration of dump facilities. In case of system failures, you need to inspect the system facilities that are causing system crashes. Similarly, if your supported business applications fail, you can check the process that is failing. This information is helpful for an application analyst.

This practice includes the following activities:
• Configuring system crash facilities
• Configuring dump facilities for business application failure

Note: The contents of your display may be different from the displays in this practice.

Task 1: Configuring System Crash Facilities

The following activities are included in this task:
• Displaying system dump configuration
• Determining the location of the dump device
• Changing the dump device
• Creating a system dump
• Analyzing and displaying the dump files
• Resetting the dump device to a ZFS device

1. Verify that the Sol11-Server1 virtual machine is running. If the virtual machine is not running, start it now.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password. Assume administrator privileges.

    oracle@s11-server1:~$ su
    Password:
    Oracle Corporation      SunOS 5.11      11.1    September 2012
    root@s11-server1:~#

3. Use the dumpadm command to display the system dump configuration.

    root@s11-server1:~# dumpadm
          Dump content: kernel pages
           Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
    Savecore directory: /var/crash
      Savecore enabled: yes
       Save compressed: on

Where is the dump device pointing to? The default rpool.
Can you display the device?
Yes, by using the zfs list command.

    root@s11-server1:~# zfs list rpool/dump
    NAME         USED  AVAIL  REFER  MOUNTPOINT
    rpool/dump  1.03G  20.3G  1.00G  -

Which pool does this dump device belong to? It belongs to rpool.
How much space is allocated to the dump device? 1.03 GB.

4. Use the format command to partition c7t5d0 and allocate 800 MB to slice 3.

    root@s11-server1:~# format
    Searching for disks...done
    AVAILABLE DISK SELECTIONS:
           0. c7t0d0 cyl 1022 alt 2 hd 64 sec 32>
              cyl 1022 alt 2 hd 64 sec 32>
              cyl 1022 alt 2 hd 64 sec 32>
              cyl 1022 alt 2 hd 64 sec 32>
              cyl 1022 alt 2 hd 64 sec 32>
              cyl 1022 alt 2 hd 64 sec 32>
              cyl 1022 alt 2 hd 64 sec 32>
              cyl 1022 alt 2 hd 64 sec 32>
    Specify disk (enter its number): 4

Consult your instructor if you need assistance in formatting the disk.

5. Use the dumpadm command to change the dump device to the /dev/dsk/c7t5d0s3 slice that you just formatted.

    root@s11-server1:~# dumpadm -d /dev/dsk/c7t5d0s3
          Dump content: kernel pages
           Dump device: /dev/dsk/c7t5d0s3 (dedicated)
    Savecore directory: /var/crash
      Savecore enabled: yes
       Save compressed: on

What is the purpose of changing the dump device? Because you want to use another location (in this case, slice 3 on the c7t5d0 disk) on a dedicated basis. One reason can be that your existing dump device is running out of space and you have storage space available on another disk or slice.
6. Check whether the specified savecore directory exists. If not, create it by using the mkdir command.

    root@s11-server1:~# ls /var/crash

7. Use the savecore command to dump the current system state, essentially the memory contents.

    root@s11-server1:~# savecore -L
    dumping to /dev/dsk/c7t5d0s3, offset 65536, content: kernel
    0:04 100% done
    100% done: 103879 pages dumped, dump succeeded
    savecore: System dump time: Tue Dec 20 10:23:31 2012
    savecore: Saving compressed system crash dump in /var/crash/vmdump.0
    savecore: Decompress the crash dump with
    'savecore -vf /var/crash/vmdump.0'
    root@s11-server1:~# ls /var/crash
    bounds vmdump.0

Note there are only two files in your directory.
What are the contents of the vmdump.0 file? It contains the recently created dump in compressed format.

8. Uncompress the vmdump.0 file by using the savecore command.

    root@s11-server1:~# savecore -vf /var/crash/vmdump.0
    savecore: System dump time: Tue Dec 20 10:23:31 2012
    savecore: saving system crash dump in /var/crash/{unix,vmcore}.0
    Constructing namelist /var/crash/unix.0
    Constructing corefile /var/crash/vmcore.0
    0:24 100% done: 103879 of 103879 pages saved
    2266 (2%) zero pages were not written
    0:24 dump decompress is done

9. Use the cd command to switch to the crash directory. Analyze the newly created files.
    root@s11-server1:~# cd /var/crash
    root@s11-server1:/var/crash# ls
    bounds unix.0 vmcore.0 vmdump.0

When vmdump.0 was uncompressed, it created the vmcore.0 file.

    root@s11-server1:/var/crash# file bounds
    bounds: ascii text

Because bounds is a text file, you can use the cat command to look at it.

    root@s11-server1:/var/crash# cat bounds
    1

Can you guess what 1 represents? Dump number 1.

    root@s11-server1:/var/crash# file unix.0
    unix.0: ELF 64-bit LSB executable AMD64 Version 1, statically linked, not stripped, no debugging information available

The executable and linking format (ELF) refers to this file as being an executable binary, so you cannot open it with the cat or more commands.

Try the strings command. Sometimes, it can convert the encoding.

    root@s11-server1:/var/crash# strings unix.0

No luck! The strings command cannot convert this binary executable.

10. Now analyze the vmcore dump file.

    root@s11-server1:/var/crash# file vmcore.0
    vmcore.0: SunOS 5.11 11.1 64-bit Intel live dump from 's11-server1'

This is your uncompressed dump file. Use the strings command to display its contents.

    root@s11-server1:/var/crash# strings vmcore.0 | more
    SunOS
    s11-server1
    5.11
    11.1
    i86pc
    i86pc
    aefffed4-f452-6dbc-f11e-cdb35c1bc0a2
    .symtab
    .strtab
    .shstrtab
    _END_
    _START_
    __return_from_main
    __unsupported_cpu
    .dtrace_induced
    dtrace_badflags
    dtrace_badtrap
    _lwp_rtt
    freq_tsc_loop
    freq_tsc_perf_loop
    freq_tsc_increase_count
    freq_tsc_pit_did_not_wrap
    …
    …
    …

What do the contents represent?
The processes that are running in memory currently.

11. Analyze the vmdump file.

    root@s11-server1:/var/crash# file vmdump.0
    vmdump.0: SunOS 5.11 11.1 64-bit Intel compressed live dump from 's11-server1'
    root@s11-server1:/var/crash/s11-server1# strings vmdump.0 | more
    SunOS
    s11-server1
    5.11
    11.1
    i86pc
    i86pc
    aefffed4-f452-6dbc-f11e-cdb35c1bc0a2
    .symtab
    .strtab
    .shstrtab
    _END_
    _START_
    __return_from_main
    __unsupported_cpu
    .dtrace_induced
    dtrace_badflags
    dtrace_badtrap
    _lwp_rtt
    freq_tsc_loop
    freq_tsc_perf_loop
    freq_tsc_increase_count
    freq_tsc_pit_did_not_wrap
    …
    …
    …

Does it look like a copy of the vmcore.0 file? Yes.

12. Now use the dumpadm command to set the dump device back to the ZFS volume.

    root@s11-server1:/var/crash# dumpadm -d /dev/zvol/dsk/rpool/dump
          Dump content: kernel pages
           Dump device: /dev/zvol/dsk/rpool/dump (dedicated)
    Savecore directory: /var/crash
      Savecore enabled: yes
       Save compressed: on

Recommended best practice: Always use the ZFS pool dump device. The reason is that you will have all the system-critical files in one place, in rpool.

    root@s11-server1:/var/crash# cd
    root@s11-server1:~#

Task 2: Configuring Dump Facilities for Business Application Failure

Task 2A: Configuring the Global File Path Pattern

The following activities are covered in this task:
• Displaying the current dump configuration
• Specifying the global file path pattern
• Generating the core dump
• Displaying the core dump

1. Verify that the Sol11-Server1 virtual machine is running. If the virtual machine is not running, start it now.

2. Log in to the Sol11-Server1 system as the oracle user. Use oracle1 as the password. Assume administrator privileges.

    oracle@s11-server1:~$ su
    Password:
    Oracle Corporation      SunOS 5.11      11.1    September 2012
    root@s11-server1:~#

3. Use the coreadm command to display the current default dump configuration for the applications.

    root@s11-server1:~# coreadm
         global core file pattern:
         global core file content: default
           init core file pattern: core
           init core file content: default
                global core dumps: disabled
           per-process core dumps: enabled
          global setid core dumps: disabled
     per-process setid core dumps: disabled
         global core dump logging: disabled
    root@s11-server1:~#

Why is the per-process core dumps option enabled? For business application processes. In case they terminate abnormally, you want to capture the critical information in the core dump.
Why is the global core dumps option disabled? You do not want to create a global dump every time an application process fails.

4. Using the mkdir command, create the /var/core directory.

    root@s11-server1:~# mkdir /var/core

You are creating this directory for the global dump location.

5. Use the coreadm command to enable global logging and configure the global core file pattern. Verify the results.
    root@s11-server1:~# coreadm -e log
    root@s11-server1:~# coreadm -e global -g /var/core/core.%f.%p
    root@s11-server1:~# coreadm
         global core file pattern: /var/core/core.%f.%p
         global core file content: default
           init core file pattern: core
           init core file content: default
                global core dumps: enabled
           per-process core dumps: enabled
          global setid core dumps: disabled
     per-process setid core dumps: disabled
         global core dump logging: enabled

You enabled global core dump logging to generate a message when the system creates a global core file.
How would you interpret the global core file pattern? The directory is specified as /var/core. The dump files will be named core.%f.%p (%f for the file or the program being executed, %p for the process ID).

6. Create a dumpdir in the /var/tmp directory. Then cd to /var/tmp/dumpdir.

    root@s11-server1:~# mkdir /var/tmp/dumpdir
    root@s11-server1:~# cd /var/tmp/dumpdir
    root@s11-server1:/var/tmp/dumpdir#

You are creating this directory for the system to create a core file in it.

7. Using the ps command, display the process ID of the current shell process. Use the kill -8 command to kill the shell process.

    root@s11-server1:/var/tmp/dumpdir# ps
      PID TTY         TIME CMD
     3811 pts/1       0:00 bash
     3833 pts/1       0:00 ps
    root@s11-server1:/var/tmp/dumpdir# kill -8 3811
    Arithmetic Exception (core dumped)

Normally, this would kill your shell process and your terminal window would disappear. However, you are logged in to the root account by using the su command. Therefore, your invoked shell process will be terminated and you will go back to the oracle user.

8. Verify that the system generated a core file in the dumpdir directory.

    oracle@s11-server1:~$ su -
    Password:
    Oracle Corporation      SunOS 5.11      11.1    September 2012
    root@s11-server1:~#

Switch to /var/tmp/dumpdir if the system takes you out of this directory.

    root@s11-server1:~# cd /var/tmp/dumpdir
    root@s11-server1:/var/tmp/dumpdir# ls
    core
    root@s11-server1:/var/tmp/dumpdir# file core
    core: ELF 32-bit LSB core file 80386 Version 1, from 'bash'

The system has created the core file in the "current directory," meaning the current directory at the time of dump creation.

9. Use the cd command to switch to the /var/core directory and examine the dump created when you killed the bash process.

    root@s11-server1:/var/tmp/dumpdir# cd /var/core
    root@s11-server1:/var/core# ls
    core.bash.3811
    root@s11-server1:/var/core# file core*
    core.bash.3811: ELF 32-bit LSB core file 80386 Version 1, from 'bash'
    root@s11-server1:/var/core# strings core.bash.3811 | more
    CORE
    pMNDbash
    -bash
    CORE
    i86pc
    CORE
    CORE
    CORE
    CORE
    pMNDbash
    -bash
    CORE
    CORE
    i86pc
    CORE
    CORE
    SunOS
    s11-server1
    5.11
    11.1

The strings command was able to convert the encoded contents to some extent. However, this file will be analyzed by the dump analyzing utilities. Dump analysis is covered in courses such as Oracle Solaris 11 Workshop.
10. Use the tail command to view the dump creation message in syslog.

    root@s11-server1:~# tail /var/adm/messages
    Dec 20 09:46:56 s11-server1 genunix: [ID 665016 kern.notice] ^M100% done: 102515 pages dumped,
    Dec 20 09:46:56 s11-server1 genunix: [ID 851671 kern.notice] dump succeeded
    Dec 20 09:59:58 s11-server1 genunix: [ID 603404 kern.notice] NOTICE: core_log: bash[3275] core dumped: /var/core/core.bash.3275
    Dec 20 10:18:00 s11-server1 genunix: [ID 454863 kern.info] dump on /dev/dsk/c7t5d0s3 size 800 MB
    Dec 20 10:23:31 s11-server1 genunix: [ID 111219 kern.notice] dumping to /dev/dsk/c7t5d0s3, offset 65536, content: kernel
    Dec 20 10:23:36 s11-server1 genunix: [ID 100000 kern.notice]
    Dec 20 10:23:36 s11-server1 genunix: [ID 665016 kern.notice] ^M100% done: 103879 pages dumped,
    Dec 20 10:23:36 s11-server1 genunix: [ID 851671 kern.notice] dump succeeded
    Dec 20 10:49:28 s11-server1 genunix: [ID 454863 kern.info] dump on /dev/zvol/dsk/rpool/dump size 511 MB
    Dec 20 14:09:34 s11-server1 genunix: [ID 603404 kern.notice] NOTICE: core_log: bash[3811] core dumped: /var/core/core.bash.3811

Did you configure the dump facilities to include this message here? Yes, by using the coreadm -e log command.
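How the %f and %p tokens of the global core file pattern line up with the core_log notices in step 10, as an added example that is not part of the Oracle guide: a shell function that expands the configured pattern for each logged core dump and reports any core written somewhere the current pattern would not put it. Only %f and %p are expanded, because those are the tokens this practice uses; the function names and the bash[4102] line are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): compare core_log notices with the
# global core file pattern that coreadm reports.

# Sample input. The bash[3275], bash[3811] and "dump on" lines are from the
# step 10 output; the bash[4102] line is constructed to show a mismatch.
sample_core_log() {
    cat <<'EOF'
Dec 20 09:59:58 s11-server1 genunix: [ID 603404 kern.notice] NOTICE: core_log: bash[3275] core dumped: /var/core/core.bash.3275
Dec 20 10:49:28 s11-server1 genunix: [ID 454863 kern.info] dump on /dev/zvol/dsk/rpool/dump size 511 MB
Dec 20 14:09:34 s11-server1 genunix: [ID 603404 kern.notice] NOTICE: core_log: bash[3811] core dumped: /var/core/core.bash.3811
Dec 21 03:12:45 s11-server1 genunix: [ID 603404 kern.notice] NOTICE: core_log: bash[4102] core dumped: /var/tmp/core.bash.4102
EOF
}

# Usage: core_log_audit PATTERN < messages
# Prints status|program|pid|logged_path|path_expected_from_pattern
# where status is OK when the logged path equals the expanded pattern and
# UNEXPECTED otherwise (for example, the pattern was different when that
# core was written).
core_log_audit() {
    awk -v pattern="$1" '
    # Expand %f (program name) and %p (process ID) by literal scanning, so
    # characters in the names are never treated as regex or replacement
    # syntax. Any other %x token is passed through unchanged.
    function expand(pat, fname, pid,    out, n, c) {
        out = ""
        while ((n = index(pat, "%")) > 0) {
            c = substr(pat, n + 1, 1)
            out = out substr(pat, 1, n - 1)
            if (c == "f")      out = out fname
            else if (c == "p") out = out pid
            else               out = out "%" c
            pat = substr(pat, n + 2)
        }
        return out pat
    }
    $10 == "core_log:" && $11 ~ /\[[0-9]+\]$/ &&
    $12 == "core" && $13 == "dumped:" {
        i = index($11, "[")
        fname = substr($11, 1, i - 1)
        pid = substr($11, i + 1, length($11) - i - 1)
        # Everything after "core dumped: " is the path, spaces included.
        path = substr($0, index($0, "core dumped: ") + 13)
        want = expand(pattern, fname, pid)
        printf "%s|%s|%s|%s|%s\n",
            (path == want ? "OK" : "UNEXPECTED"), fname, pid, path, want
    }'
}

sample_core_log | core_log_audit '/var/core/core.%f.%p'
```

The notices exist only while global core dump logging is enabled (coreadm -e log), so an empty result on a live system can mean logging is off rather than that no process dumped core.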
Task 2B: Configuring the Per-Process File Path Configuration

The following activities are covered in this task:
• Enabling per-process dump generation
• Specifying per-process generation

1. Verify that the Sol11-Server1 virtual machine is running. If the virtual machine is not running, start it now.

2. Log in to the Sol11-Server1 virtual machine as the oracle user. Use oracle1 as the password. Assume administrator privileges.

    oracle@s11-server1:~$ su
    Password:
    Oracle Corporation      SunOS 5.11      11.1    September 2012
    root@s11-server1:~#

3. Use the coreadm command to display the current dump configuration for the applications.

    root@s11-server1:~# coreadm
         global core file pattern: /var/core/core.%f.%p
         global core file content: default
           init core file pattern: core
           init core file content: default
                global core dumps: enabled
           per-process core dumps: enabled
          global setid core dumps: disabled
     per-process setid core dumps: disabled
         global core dump logging: enabled

If the per-process core dumps option is disabled, perform step 4 to enable it; otherwise, skip step 4. The disable setting means that for individual processes, no dumps will be generated.

4. Using the coreadm command, enable the per-process dump configuration. Verify the results.
    root@s11-server1:~# coreadm -e process
    root@s11-server1:~# coreadm
         global core file pattern: /var/core/core.%f.%p
         global core file content: default
           init core file pattern: core
           init core file content: default
                global core dumps: enabled
           per-process core dumps: enabled
          global setid core dumps: disabled
     per-process setid core dumps: disabled
         global core dump logging: enabled

Is the per-process core dumps option enabled? Yes, it is.

5. Using the su command, log in to John Holt’s account.

    root@s11-server1:~# su - jholt
    Oracle Corporation      SunOS 5.11      11.1    September 2012
    jholt@s11-server1:~$

6. Create a directory called corefiles in your home directory.

    jholt@s11-server1:~$ mkdir corefiles

You are creating this directory for the system to create a core file in it.

7. Using the ps command, display the process ID of the current shell process. Use the coreadm command to display the per-process file for John.

    jholt@s11-server1:~$ ps
      PID TTY         TIME CMD
     3936 pts/1       0:00 bash
     3950 pts/1       0:00 ps
    jholt@s11-server1:~$ coreadm 3936
    3936:   core    default

Currently, if any of the processes created by John are aborted, the default core file will be created.

8. Use the coreadm command to configure the per-process file path.

    jholt@s11-server1:~$ coreadm -p $HOME/corefiles/%f.%p $$
    jholt@s11-server1:~$ coreadm 3936
    3936:   /export/home/jholt/corefiles/%f.%p      default

Has the display changed? Yes, now the new per-process file path pattern has taken effect.

9. Use the kill command to kill the bash process.
    jholt@s11-server1:~$ kill -8 3936
    Arithmetic Exception (core dumped)
    root@s11-server1:/var/core#

Because John’s bash process is killed, you are back to the root role. Log in to John’s account again.

    root@s11-server1:~# su - jholt
    Oracle Corporation      SunOS 5.11      11.1    September 2012
    jholt@s11-server1:~$

10. After switching to the corefiles directory, use the file command to display the type of dump file created for John.

    jholt@s11-server1:~$ cd corefiles
    jholt@s11-server1:~/corefiles$ file bash*
    bash.3936: ELF 32-bit LSB core file 80386 Version 1, from 'bash'

How can you display the contents of this dump file? By using the strings command as in the previous task.

11. Shut down the Sol11-Server1 virtual machine. You have completed this practice and thus the final practice for this course. Congratulations!