Oracle Solaris 11 Advanced System Administration Ed 3 (Student Guide Volume 2)

Page Count: 390

Unauthorized reproduction or distribution prohibited. Copyright © 2014, Oracle and/or its affiliates.

Oracle Solaris 11 Advanced System Administration
Student Guide - Volume II
D72965GC30
Edition 3.0
March 2013
D81024

Author
Vijetha M Malkai

Technical Contributors and Reviewers
Tammy Shannon
Anies Rahman
Rosemary Martinak

Editors
Malavika Jinka
Aju Kumar
Smita Kommini

Graphic Designer
Seema Bopaiah

Publishers
Jayanthy Keshavamurthy
Veena Narasimhan

Copyright © 2013, Oracle and/or its affiliates. All rights reserved.

Disclaimer

This document contains proprietary information and is protected by copyright and
other intellectual property laws. You may copy and print this document solely for your
own use in an Oracle training course. The document may not be modified or altered
in any way. Except where your use constitutes "fair use" under copyright law, you
may not use, share, download, upload, copy, print, display, perform, reproduce,
publish, license, post, transmit, or distribute this document in whole or in part without
the express authorization of Oracle.
The information contained in this document is subject to change without notice. If you
find any problems in the document, please report them in writing to: Oracle University,
500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
warranted to be error-free.

Restricted Rights Notice

If this documentation is delivered to the United States Government or anyone using
the documentation on behalf of the United States Government, the following notice is
applicable:

U.S. GOVERNMENT RIGHTS
The U.S. Government’s rights to use, modify, reproduce, release, perform, display, or
disclose these training materials are restricted by the terms of the applicable Oracle
license agreement and/or the applicable U.S. Government contract.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names
may be trademarks of their respective owners.

Contents

Preface

1 Introduction
Overview 1-2
Course Goals 1-3
Course Agenda: Day 1 1-4
Course Agenda: Day 2 1-5
Course Agenda: Day 3 1-6
Course Agenda: Day 4 1-7
Course Agenda: Day 5 1-8
Introductions 1-9
Your Learning Center 1-10
Your Lab Environment 1-11

2 Managing the Image Packaging System (IPS) and Packages
Objectives 2-2
Workflow Orientation 2-3
Lesson Agenda 2-4
Importance of Working with a Plan 2-5
Planning for IPS and Package Management 2-6

Identifying IPS Server System Requirements 2-7
Planning for Boot Environment Management 2-8
Implementing the IPS and Package Management Plan 2-9
Quiz 2-10
Lesson Agenda 2-12
Configuring a Local IPS Package Repository 2-13
Creating a ZFS File System to Hold the Repository 2-14
Obtaining Software Packages from the Oracle Solaris Download Site 2-15
Making the Repository File Contents Available 2-16
Configuring the Repository Server Service 2-18
Starting the Repository Service 2-19
Setting the Local IPS Publisher 2-20
Testing IPS on the Local Server 2-21
Practice 2-1 Overview: Configuring a Local IPS Package Repository 2-22
Lesson Agenda 2-23

Configuring Network Client Access to the Local IPS Server 2-24
Determining the Client Host and Domain Names 2-25
Checking Network Connectivity 2-26
Setting the Local IPS Publisher 2-27
Testing Client Access to the Local IPS Server 2-28
Practice 2-2 Overview: Configuring Network Client Access to the Local IPS Server 2-29
Lesson Agenda 2-30
Introducing Signed Packages 2-31
Installing Signed Packages 2-32
Identifying Image Properties for Signed Packages 2-33
Configuring Image Properties for Signed Packages 2-35
Identifying Publisher Properties for Signed Packages 2-36
Configuring Publisher Properties for Signed Packages 2-37
Quiz 2-38
Introducing Variants and Facets 2-40
Displaying and Changing Variants and Facets 2-41
Managing Package History 2-42
Lesson Agenda 2-43
Managing Package Publishers 2-44
Displaying Publisher Information 2-45
Specifying Publisher Rankings 2-46
Specifying Publisher Stickiness 2-47
Setting the Publisher Search Order 2-48
Disabling and Enabling a Publisher 2-49
Changing a Publisher Origin URI 2-50
Quiz 2-51
Lesson Agenda 2-53
Managing Multiple Boot Environments 2-54
Listing the Boot Environments on the System 2-55
Mounting an Inactive Boot Environment 2-56
Installing a Package on an Inactive, Mounted Boot Environment 2-57
Uninstalling a Package on an Inactive, Mounted Boot Environment 2-58
Unmounting an Inactive Boot Environment 2-59
Creating a Backup of a Boot Environment 2-60
Creating a Boot Environment from an Existing Backup 2-61
Practice 2-3 Overview: Managing Multiple Boot Environments 2-62
Summary 2-63

3 Installing Oracle Solaris 11 on Multiple Hosts
Objectives 3-2
Workflow Orientation 3-3
Lesson Agenda 3-4
Reviewing Your Company’s Plan for an Oracle Solaris 11 Implementation 3-5
Planning for an Oracle Solaris 11 AI Installation 3-6
Automated Installation: Overview 3-7
Automated Installation Process 3-8
How the AI Works 3-9
Quiz 3-10
Lesson Agenda 3-11
Installing Oracle Solaris 11 by Using the AI 3-12
Reviewing AI Installation Server Requirements 3-13
Verifying AI Install Server Software Requirements 3-14
Verifying the Static IP Address 3-15
Verifying That DNS Is Operational 3-16
Verifying That IPS Is Available Locally 3-17
Verifying That the DHCP Server Is Enabled 3-18
Practice 3-1 Overview: Verifying System AI Requirements (Optional) 3-19
Configuring the AI Install Server 3-20
Enabling the DNS Multicast Service 3-21
Installing the AI Installation Tools 3-22
Setting Up the AI Boot Image 3-23
Configuring an AI Install Service 3-24
Verifying the netmasks File Configuration 3-25
Creating an AI Install Service with an ISC DHCP Server Setup 3-26
Creating an AI Install Service Without a DHCP Setup 3-28
Note About the AI SMF Service 3-29
Adding a Client to the AI Install Service 3-30
AI Manifest 3-31
Identifying the Types of AI Manifests 3-32
Reviewing the Default AI Manifest (default.xml) 3-33
System Configuration Profiles (SC Profiles) 3-34
Adding an SC Profile to an Install Service 3-38
Creating a Custom AI Manifest 3-39
Selecting the AI Manifest 3-40
Criteria File: Examples 3-42
Adding Installation Criteria to an AI Manifest 3-43
Practice 3-2 Overview: Configuring the AI Server 3-44
Configuring the Client System 3-45
Identifying Client System Requirements 3-46
Using Secure Shell to Remotely Monitor an Installation 3-47
Implementing the Configuration 3-48

Reviewing Client Installation Messages 3-49
Practice 3-3: Deploying the OS on the Network Client 3-51
Lesson Agenda 3-52
Introducing the Distribution Constructor 3-53
Identifying System Requirements for Using the Distribution Constructor 3-54
Using Distribution Constructor Manifest Files 3-55
Building an Image 3-56
Quiz 3-57
Summary 3-60

4 Managing Business Application Data
Objectives 4-2
Workflow Orientation 4-3
Lesson Agenda 4-4
Planning for Data Storage Configuration and Backup 4-5
Determining Storage Pool Requirements 4-6
Mirrored Storage Pool Data Redundancy Features 4-7
Mirrored Storage Pool Configuration 4-8
Self-Healing Data 4-9
Dynamic Striping 4-10
Dynamic Striping in a Mirrored Pool 4-11
Determining File System Requirements 4-12
Identifying Your Data Backup and Restore Strategy 4-13
Determining Ways to Save Data Storage Space 4-14
Implementing the Data Storage Configuration and Backup Plan 4-15
Quiz 4-16
Lesson Agenda 4-18
Managing Data Redundancy with Mirrored Storage Pools 4-19
Creating a Mirrored Storage Pool 4-20
Adding Log Devices to a Storage Pool 4-21
Adding Cache Devices to a Storage Pool 4-22
Managing Devices in ZFS Storage Pools 4-23
Adding Devices to a Storage Pool 4-24
Attaching Devices to a Storage Pool 4-25
Taking Devices Offline in a Storage Pool 4-27
Detaching Devices from a Storage Pool 4-28
Bringing Devices Online in a Storage Pool 4-29
Replacing Devices in a Storage Pool 4-30
Designating Hot Spares in a Storage Pool 4-31
Removing Hot Spares in a Storage Pool 4-35
Practice 4-1 Overview: Managing Data Redundancy with a ZFS Mirrored Pool 4-36

Lesson Agenda 4-37
Backing Up and Recovering Data with ZFS Snapshots 4-38
Creating and Destroying a ZFS Snapshot 4-39
Holding a ZFS Snapshot 4-40
Renaming a ZFS Snapshot 4-46
Displaying a ZFS Snapshot 4-48
Snapshot Space Accounting 4-51
Rolling Back a ZFS Snapshot 4-53
Identifying ZFS Snapshot Differences 4-54
Creating and Destroying a ZFS Clone 4-56
Replacing a ZFS File System with a ZFS Clone 4-57
Sending ZFS Snapshot Data 4-60
Receiving ZFS Snapshot Data 4-62
Remote Replication of ZFS Snapshot Data 4-65
Practices 4-2 and 4-3 Overview: Using ZFS Snapshots for Backup and Recovery and Using a ZFS Clone 4-66
Lesson Agenda 4-67
Managing Data Storage Space with ZFS File System Properties 4-68
Setting ZFS Properties 4-69
Inheriting ZFS Properties 4-70
Querying ZFS Properties 4-74
Mounting and Sharing ZFS File Systems 4-80
Overriding Default ZFS Mount Points 4-81
Introducing the mountpoint Property 4-82
Automatic Mount Point Behavior 4-83
Legacy Mount Point Behavior 4-84
Managing Legacy Mount Points 4-85
share.nfs Property: Introduction 4-86
Setting the share.nfs Property 4-87
Unsharing ZFS File Systems 4-88
Sharing ZFS File Systems 4-89
Setting ZFS Quotas and Reservations 4-90
Introducing the quota, reservation, refquota, and used Properties 4-91
Setting Quotas for ZFS File Systems 4-92
Setting a User Quota on a ZFS File System 4-94
Setting a Group Quota on a ZFS File System 4-95
Displaying User and Group Space Usage 4-96
Identifying User and Group Space Usage 4-97
Removing User and Group Quotas 4-98
Identifying Reservation Restrictions 4-99
Setting Space Reservation on a Data Set and Snapshot 4-100

Setting Space Reservation on a Data Set 4-101
Displaying Reservation Values 4-102
Practice 4-4 Overview: Configuring ZFS Properties 4-103
Lesson Agenda 4-104
Troubleshooting ZFS Failures 4-105
Identifying Problems in ZFS 4-106
Troubleshooting in ZFS: Overview 4-107
Basic Recovery Process 4-108
Configuring syslog for FMD Messages 4-109
Determining Problems in a ZFS Storage Pool 4-110
Interpreting zpool status Output 4-111
Determining Problems in a ZFS Storage Pool 4-114
Repairing a Damaged ZFS Configuration 4-115
Repairing a Missing Device 4-116
Reattaching a Device 4-118
Repairing a Missing Device 4-119
Repairing a Damaged Device 4-120
Determining the Cause of Device Failure 4-121
Clearing Transient Errors 4-124
Replacing a Device in a ZFS Storage Pool 4-125
Viewing Resilvering Status 4-127
Scrubbing 4-128
Repairing Damaged Data 4-129
Data Corruption: Overview 4-130
Identifying the Type of Data Corruption 4-131
Repairing a Corrupted File or Directory 4-133
Repairing ZFS Storage Pool–Wide Damage 4-134
Practice 4-5 Overview: Troubleshooting ZFS Failures 4-135
Summary 4-136

5 Configuring Network and Traffic Failover
Objectives 5-2
Workflow Orientation 5-3
Lesson Agenda 5-4
Planning for Network and Traffic Failover 5-5
Configuring a Host For TCP/IP 5-6
Configuring Network Services 5-7
Reactive Network Configuration 5-8
Network File System Servers and Clients 5-9
Network Performance Concepts 5-10
Link Aggregation 5-11
Load Balancing and Aggregation Policies 5-12
Aggregation Modes and Switches 5-13
IPMP: Introduction 5-14
IPMP Components 5-16
Comparing Link Aggregation and IPMP 5-18
Implementing the Network and Traffic Failover Plan 5-19
Quiz 5-20
Lesson Agenda 5-24
Configuring Systems on a Local Network 5-25
Configuring a Physical Network Interface Manually 5-26
Configuring a Physical Network Interface Manually: Example 5-27
Deleting a Physical Network Interface Manually 5-28
Deleting a Physical Network Interface Manually: Example 5-29
Displaying TCP/IP Network Information 5-30
Displaying the Status of Network Interfaces 5-31
Displaying the Routing Table 5-32
Capturing Packets from the Network 5-33
Lesson Agenda 5-34
Configuring a Reactive Network 5-35
Creating a Network Configuration Profile 5-36
Creating a Location Profile 5-37
Listing a Location Profile 5-38
Modifying Profiles 5-39
Listing Reactive Network Profiles 5-40
Enabling and Disabling Reactive Network Profiles 5-41
Displaying Profile States 5-42
Displaying Profiles and Their Auxiliary States 5-43
Creating a Backup of a Profile 5-44
Removing Reactive Network Profiles 5-45
Practice 5-1 Overview: Managing a Reactive Network 5-46
Lesson Agenda 5-47
Configuring Network File System (NFS) 5-48
Configuring the NFS Server 5-49
Checking the NFS Services Status 5-50
Configuring the NFS Client 5-51
Selecting a Different Version of NFS on a Server 5-52
Enabling the Automounter 5-53
Displaying NFS Server and Client Statistics 5-54
Practice 5-2 Overview: Configuring the Network File System 5-55
Lesson Agenda 5-56
Preparing for Link Aggregation 5-57

Creating Link Aggregation 5-58
Modifying Link Aggregation 5-59
Deleting Link Aggregation 5-60
Practice 5-3 Overview: Configuring a Link Aggregation 5-61
Lesson Agenda 5-62
Configuring an IPMP Group 5-63
Creating an IPMP Group 5-64
Adding IP Addresses to an IPMP Group 5-65
Moving an Interface from One IPMP Group to Another Group 5-66
Deleting or Disabling an IPMP Group 5-67
Lesson Agenda 5-68
Implementing Link Failover by Using IPMP 5-69
Configuring an Active-Active IPMP Group 5-70
Assigning Test Addresses 5-71
Configuring an Active-Standby IPMP Group 5-72
Lesson Agenda 5-73
Monitoring an IPMP Group 5-74
Displaying IPMP Group Information 5-75
Obtaining IPMP Address Information 5-76
Verifying IPMP Interface Information 5-77
Obtaining Probe Target Information 5-78
Checking Probe Information 5-79
Practice 5-4 Overview: Configuring IPMP 5-80
Summary 5-81

6 Configuring Zones and the Virtual Network
Objectives 6-2
Workflow Orientation 6-3
Lesson Agenda 6-4
Planning for a Virtual Network and Zones 6-5
Network Virtualization and Virtual Networks 6-6
Virtual Network Components 6-7
Introducing Zone Configuration by Using VNICs 6-8
Allocating System Resources to a Zone 6-9
Managing System Resource Allocation to a Zone 6-10
Resource Pool Allocation 6-12
How Resource Pools Work 6-13
Memory Resource Capping 6-14
Specifying Resource Capping Within a Zone 6-15
Implementing Controls on Network Resources 6-16
Managing Virtual Network Resources by Using Flows 6-17
Creating Flows and Selecting Flow Properties 6-18
Implementing the Virtual Network and Zones Plan 6-19
Quiz 6-20
Lesson Agenda 6-23
Creating a Virtual Network 6-24
Creating a Virtual Network Switch 6-25
Creating the Virtual Network Interfaces 6-26
Displaying the Virtual Network Configuration 6-27
The Virtual Network Configuration So Far 6-28
Quiz 6-29
Practice 6-1 Overview: Creating an Oracle Solaris 11 Virtual Network 6-31
Lesson Agenda 6-32
Configuring Zones to Use VNICs 6-33
Zone Configuration Process: Overview 6-34
Planning the Zone Strategy 6-35
Creating a ZFS File System for Zones in rpool 6-36
Configuring the Zone 6-37
Verifying, Committing, and Exiting the New Zone Configuration 6-39
Displaying a Zone Configuration 6-40
Verifying That a Zone Is in configured State 6-42
Gathering Information for the System Configuration Profile 6-43
Creating the System Configuration Profile 6-44
Installing the Zone 6-45
Booting the Zone 6-46
Checking the Virtual Network Configuration in a Zone 6-47
Verifying That a Zone’s Virtual Network Interface Connection Is Operational 6-48
Virtual Network Configuration 6-49
Removing the Virtual Network Without Removing the Zones 6-50
Verifying the State of the Configured Zones 6-51
Halting the Exclusive IP Zones 6-52
Verifying That the Zones Have Been Halted 6-53
Listing the VNICs That Were Configured for the Halted Zones 6-54
Deleting the VNICs 6-55
Quiz 6-56
Practice 6-2: Creating Two Zones by Using VNICs 6-59
Lesson Agenda 6-60
Allocating and Managing System Resources in a Zone 6-61
Allocating and Managing CPU Resources with Resource Pools 6-62
Enabling Services for Resource Pools 6-63
Configuring a Persistent Resource Pool 6-64
Displaying the Resource Pool Configuration File 6-65

Modifying the Resource Pool Configuration File 6-67
Displaying and Committing the Modified Resource Pool Configuration File 6-69
Displaying the Resource Pool Configuration That Is Currently in Use 6-72
Displaying All Active Resource Pools 6-73
Binding the Zone to a Persistent Resource Pool 6-75
Listing the Current State of the Zones 6-76
Allocating the Pool to the Zone and Confirming the Allocation 6-77
Rebooting the Zone to Activate the Resource Pool Binding 6-78
Confirming the Availability of the Resource Pool 6-79
Removing the Resource Pool Configuration 6-81
Removing the Pool Configuration from the Zone 6-82
Rebooting the Zone 6-83
Checking the Resource Pool Configuration for the Zone 6-84
Deleting the Resource Pool 6-86
Displaying All Active Resource Pools 6-87
Allocating and Managing Physical Memory Resources with Resource Capping 6-88
Practice 6-3 Overview: Allocating Resources to Zones 6-89
Lesson Agenda 6-90
Managing Resources on the Virtual Network 6-91
Determining the Configured VNIC States 6-92
Creating and Adding a Flow 6-93
Displaying Flow Controls 6-94
Setting Flow Properties 6-95
Displaying Flow Control Properties 6-96
Setting a Priority Property 6-97
Practices 6-4 and 6-5 Overview: Managing the Virtual Network Data Flow and Removing Part of the Virtual Network 6-98
Summary 6-99

7 Managing Services and Service Properties
Objectives 7-2
Workflow Orientation 7-3
Lesson Agenda 7-4
Planning for Services Configuration 7-5
SMF Advanced Features 7-6
SMF Profiles 7-7
SMF Profile: Example 7-8
When SMF Profiles Are Applied 7-9
SMF Manifests 7-10
SMF Manifest: Example 7-12
Service Configuration Repository 7-16
SMF Administrative Layers 7-17
Introducing SMF Repository Backups 7-19
Introducing SMF Repository Snapshots 7-20
Creating New Service Scripts 7-21
Implementing the Services Administration Plan 7-22
Quiz 7-23
Lesson Agenda 7-27
Configuring SMF Services 7-28
Creating and Exporting a Service 7-29
Creating and Exporting a Service: Example 7-30
Creating and Importing a Service: Example 7-33
Creating and Exporting a Service: Example 7-34
Modifying a Service’s Manifest 7-35
Modifying a Service’s Manifest: Example 7-36
Changing an Environment Variable for a Service 7-37
Changing an Environment Variable for a Service: Example 7-38
Changing a Property for an inetd-Controlled Service 7-39
Changing a Property for an inetd-Controlled Service: Example 7-40
Creating and Applying an SMF Profile 7-43
Creating and Applying an SMF Profile: Example 7-45
Changing Services and Their Configurations by Using the netservices Command 7-46
Practice 7-1 and Practice 7-2 Overview: Configuring SMF Services and Working with Service Profiles 7-47
Lesson Agenda 7-48
Troubleshooting SMF Services 7-49
Debugging a Service That Is Not Starting 7-50
Restoring a Service in Maintenance State 7-52
Restoring a Service in Maintenance State: Example 7-53
Reverting to an SMF Snapshot 7-55
Reverting to an SMF Snapshot: Example 7-56
Configuration Repository Failed Integrity Check Process 7-57
Repairing a Corrupt Repository 7-58
Repairing a Corrupt Repository: Example 7-61
Debugging the Services During a System Boot 7-63
Addressing system/filesystem/local:default Service Failures During Boot 7-64
Practice 7-3 Overview: Restoring and Recovering a Service 7-65
Summary 7-66

8 Configuring Privileges and Role-Based Access Control
Objectives 8-2
Workflow Orientation 8-3
Lesson Agenda 8-4
Planning for User Privileges and Roles Assignments 8-5
Process Rights Management and Privileges 8-6
Displaying Privilege Descriptions 8-7
Implementing Privileges 8-8
Role-Based Access Control (RBAC) 8-10
Roles 8-11
Rights Profile 8-12
Basic Solaris User Rights Profile 8-13
Interpreting the /etc/security/policy.conf File 8-14
Authorizations and Privileges 8-15
Security Attributes 8-16
Key RBAC Files 8-17
Interpreting the user_attr File 8-18
Interpreting the auth_attr File 8-19
Interpreting the exec_attr File 8-21
Interpreting the prof_attr File 8-23
Relationship Among the Four RBAC Files 8-25
Profile Shells 8-27
Implementing the Assigning User Privileges and Roles Plan 8-28
Quiz 8-29
Lesson Agenda 8-33
Configuring and Managing Privileges 8-34
Examining Process Privileges 8-35
Determining the Privileges Available to the Shell 8-36
Determining the Process Privileges to a Shell 8-38
Determining the Privileges on a Process 8-39
Displaying the Description of a Privilege 8-40
Managing User Privileges 8-41
Determining the Privileges Directly Assigned to You 8-42
Determining the Privileged Commands That You Can Use 8-43
Assigning Privileges to a User or Role 8-44
Limiting Privileges of a User or Role 8-45
Determining Privileges Needed by a Program Using the ppriv Debugging Command 8-46
Using the ppriv Debugging Command to Examine Privilege Use in a Profile Shell 8-47
Using the truss Command to Examine Privilege Use in a Regular Shell 8-48
Practice 8-1 Overview: Delegating Privileges to Users and Processes 8-49
Lesson Agenda 8-50

Configuring and Using RBAC 8-51
Creating a Role 8-52
Creating a Rights Profile 8-54
Creating a Rights Profile: Example 8-55
Cloning and Modifying a Rights Profile 8-56
Creating or Changing a Rights Profile: Example 8-57
Assigning a Rights Profile to a Role 8-58
Assigning a Role to a User 8-59
Assigning a Role to a User: Example 8-60
Assuming a Role 8-61
Restricting an Administrator to Explicitly Assigned Rights 8-62
Assigning the Rights Profile to a User 8-63
Delegating an Authorization to a User 8-64
Delegating an Authorization to a User: Example 8-65
Assigning Authorization to a Role 8-66
Modifying a System-wide RBAC Policy 8-67
Practice 8-2 Overview: Configuring Role-Based Access Control 8-68
Summary 8-69

9 Securing System Resources by Using Oracle Solaris Auditing
Objectives 9-2
Workflow Orientation 9-3
Lesson Agenda 9-4
Planning for Oracle Solaris Auditing 9-5
Oracle Solaris Auditing 9-6
Interpreting the /etc/security/audit_event File 9-10
Event Types 9-12
Interpreting the /etc/security/audit_class File 9-13
Displaying the /etc/security/audit_class File 9-15
Audit Class Preselection 9-17
Audit Records and Audit Tokens 9-18
Audit Plug-in Modules 9-20
Storing and Managing the Audit Trail 9-21
Audit Remote Server (ARS) 9-22
Audit Policies 9-23
Implementing the Oracle Solaris Auditing Plan 9-24
Quiz 9-25
Lesson Agenda 9-31
Configuring Oracle Solaris Auditing 9-32
Configuring the Audit Service 9-33
Determining Audit Service Defaults 9-34

Determining Audit Service Defaults: Example 9-35
Preselecting Audit Classes 9-37
Configuring a User’s Audit Characteristics 9-38
Modifying the Audit Policy 9-40
Modifying the Audit Policy: Example 9-41
Specifying the Audit Warning Destination Email 9-42
Adding an Audit Class 9-43
Changing an Audit Event’s Class Membership 9-44
Configuring Audit Logs 9-45
Creating ZFS File Systems for Audit Files 9-46
Allocating Audit Space for the Audit Trail 9-47
Sending Audit Files to a Remote Repository 9-48
Configuring the System Log as the Audit Message Destination 9-49
Configuring the Audit Service in Zones 9-50
Configuring All Zones Identically for Auditing 9-51
Configuring All Zones Identically for Auditing: Example 9-52
Specifying Per-Zone Auditing 9-53
Specifying Per-Zone Auditing: Example 9-54
Lesson Agenda 9-55
Administering the Audit Service 9-56
Enabling the Audit Service 9-57
Disabling the Audit Service 9-58
Refreshing the Audit Service 9-59
Practice 9-1 Overview: Configuring and Administering Oracle Solaris Auditing 9-60
Lesson Agenda 9-61
Managing Audit Records on Local Systems 9-62
Displaying Audit Record Definitions 9-63
Merging Audit Files 9-64
Selecting Audit Events to Examine 9-66
Viewing Contents of Binary Audit Files 9-67
Practice 9-2 Overview: Managing Audit Records on Local Systems 9-68
Summary 9-69

10 Managing Processes and Priorities
Objectives 10-2
Workflow Orientation 10-3
Lesson Agenda 10-4
Planning Process Execution in an Appropriate Scheduling Class 10-5
Process Scheduler 10-6
Process Priority 10-7
Process Scheduling Classes 10-8
Priority Ranges for Scheduling Classes 10-9
Combining FSS with Other Scheduling Classes 10-10
Using CPU Shares with the FSS 10-12
Scheduling Class on a System with Zones Installed 10-14
Implementing the Process Execution in an Appropriate Scheduling Class Plan 10-15
Quiz 10-16
Lesson Agenda 10-20
Managing Process Scheduling Priority 10-21
Displaying Processes with the top Command 10-22
Displaying Process Class Information 10-24
Determining the Global Priority of a Process 10-25
Designating a Process Priority 10-27
Modifying a Process Priority 10-29
Lesson Agenda 10-30
Configuring the Fair Share Scheduler (FSS) 10-31
Making FSS the Default Scheduling Class 10-32
Manually Moving Processes from Other Classes into the FSS Class 10-33
Manually Moving the init Process into the FSS Class 10-35
Manually Moving a Project’s Processes into the FSS Class 10-36
Tuning Scheduler Parameters 10-37
Practice 10-1 Overview: Modifying Process Scheduling Priority 10-38
Lesson Agenda 10-39
Managing the Scheduling Class of Zones 10-40
Configuring CPU Shares Configuration in a Non-Global Zone 10-41
Configuring CPU Shares in a Non-Global Zone: Example 10-42
Measuring CPU Performance in the Zones 10-43
Assigning CPU Shares to the Global Zone 10-44
Removing the CPU Shares Configuration from a Zone 10-45
Removing the CPU Shares Configuration from a Zone: Example 10-46
Practice 10-2 Overview: Configuring FSS in an Oracle Solaris Zone 10-47
Summary 10-48

11 Evaluating System Resources
Objectives 11-2
Workflow Orientation 11-3
Lesson Agenda 11-4
Planning for Resource Allocation and System Performance Evaluation 11-5
Resource Management 11-6
Resource Management Control Mechanisms 11-7
Projects and Tasks 11-9
Project/Task/Process Relationship 11-10
Resource Controls 11-11
Resource Control Values 11-12
Privilege Levels of Resource Controls 11-13
Enforcing Multiple Resource Controls 11-14
Setting Resource Controls 11-15
Default /etc/project File 11-16
Setting Zone-Wide Resource Controls 11-18
Monitoring Resource Consumption 11-19
Implementing the Resource Allocation and System Performance Evaluation Plan 11-20
Quiz 11-21
Lesson Agenda 11-26
Configuring and Administering System Resources 11-27
Administering Projects and Tasks 11-28
Displaying the Default Projects in the System 11-29
Default /etc/project File 11-30
Defining a Project 11-31
Obtaining Project Membership Information 11-32
Modifying a Project 11-33
Adding Attributes and Attribute Values to a Project 11-34
Substituting Attributes and Attribute Values for a Project 11-35
Removing Attributes or Attribute Values from a Project 11-36
Displaying Currently Running Processes and Projects 11-37
Creating a New Task 11-38
Moving a Running Process into a New Task 11-39
Deleting a Project 11-40
Administering Resource Controls and Attributes 11-41
Displaying the Default Resource Controls 11-42
Displaying Current Resource Control Settings 11-43
Displaying Information About a Given Resource Control 11-44
Enabling Global Resource Control Monitoring 11-45
Practice 11-1 Overview: Managing Resource Controls in Global and Non-Global Zones 11-46
Lesson Agenda 11-47
Monitoring System Performance 11-48
Displaying Virtual Memory Statistics and Information 11-49
Displaying Virtual Memory Statistics 11-50
Displaying System Event Information 11-52
Displaying Swapping Statistics 11-53
Displaying Disk Usage Information 11-54

Displaying General Disk Usage Information 11-55
Displaying Disk Space Information 11-56
Monitoring System Activities 11-57
Checking File Access Operation Statistics 11-58
Checking Buffer Activity 11-59
Checking System Call Statistics 11-60
Checking Disk Activity 11-61
Checking Unused Memory 11-62
Setting Up Automatic Data Collection 11-63
System Monitoring Commands: Summary 11-64
Practice 11-2 Overview: Evaluating System Performance Levels 11-65
Summary 11-66

12 Monitoring and Troubleshooting Software Failures
Objectives 12-2
Workflow Orientation 12-3
Lesson Agenda 12-4
Planning System Messaging and Diagnostic Facilities Implementation 12-5
Configuring the /etc/syslog.conf File 12-6
Stopping and Starting the syslogd Daemon 12-8
TCP Tracing 12-9
TCP Tracing: Example 12-10
Logger Command 12-11
/etc/dumpadm.conf File 12-13
/etc/coreadm.conf File 12-15
Core File Paths 12-17
Implementing the System Messaging and Diagnostic Facilities Implementation Plan 12-18
Quiz 12-19
Lesson Agenda 12-23
Configuring System Messaging 12-24
Setting Up Message Routing 12-25
Setting Up Message Routing: Example 12-26
Logging a Message by Using TCP Trace 12-27
Monitoring a syslog File in Real Time 12-28
Practice 12-1 Overview: Setting Up System Messaging 12-29
Lesson Agenda 12-30
Configuring System Crash Facilities 12-31
Displaying the Current Crash Dump Configuration 12-32
Modifying the Crash Dump Configuration 12-33
Saving the Crash Dump File 12-35

Uncompressing the Crash Dump File 12-36
Displaying the Crash Dump File Contents 12-37
Displaying the Crash Dump File Contents: Example 12-38
Lesson Agenda 12-39
Configuring Dump Facilities for Business Application Failure 12-40
Displaying the Current Core Dump Configuration 12-41
Modifying the Core Dump Configuration 12-42
Setting a Core File Name Pattern 12-44
Enabling a Core File Path 12-45
Displaying the Contents of the Core Dump File 12-46
Displaying the Core Dump File Contents: Example 12-47
Practice 12-2 Overview: Configuring System and Application Crash Facilities 12-48
Summary 12-49

Managing Services and Service Properties

Objectives
After completing this lesson, you should be able to:
• Implement a plan to configure services
• Configure SMF services
• Recover a service from a snapshot
• Troubleshoot SMF services

Oracle Solaris 11 Advanced System Administration 7 - 2

Workflow Orientation


[Figure: job workflow diagram showing the areas IPS, AI installation, monitoring, data storage, resource evaluation, processes, enterprise datacenter, network configuration, network virtualization, auditing, privileges, and services]

Before you begin the lesson, take a moment to orient yourself in your job workflow. You have successfully installed the operating system and have updated it. You have configured the data storage environment as well as the physical and virtual networks. In this lesson you manage the SMF services and the service properties. As a system administrator, it is your responsibility to ensure that the system and business processes that are running on the system continue uninterrupted. To do this, you need to know which services are controlling which functions so that you can take down or bring up a service as required.


Lesson Agenda
• Planning Services Configuration
• Configuring SMF Services
• Troubleshooting SMF Services


Planning for Services Configuration
Services configuration planning ensures that:
• The right services are enabled and running
• Existing services can be easily modified
• Downed services can be recovered and restored quickly
• New services can be created to meet emerging business needs

Your company recognizes the importance of ensuring that the right services are enabled and running on the system and that these services can be easily and quickly modified, recovered, and restored. Moreover, the company is interested in being able to have new services created and supported by the SMF to meet emerging business needs.

In this section, you are introduced to the more advanced features of the SMF: manifests, profiles, the service configuration repository, and repository backups using snapshots. You are also introduced to service script creation.

SMF Advanced Features

[Figure: SMF advanced features: SMF manifests, SMF profiles, the svc.configd daemon, the svc.startd daemon, the SMF repository with its snapshots, and the services and dependent services they control]

When a system is booted, the SMF consults the SMF profiles to determine which services should be enabled. The SMF then starts the svc.startd daemon, which in turn consults the SMF manifests to gather property and instance information about each service before starting each service and its associated dependents. The SMF uses the Service Configuration Repository (also known as the SMF Repository) to store state and configuration information about each service instance in addition to per-service snapshots that are taken at the time each service is successfully started and used as backups. The SMF repository is managed by the svc.configd daemon.
You are to look at each feature in more detail next, beginning with the SMF profiles.

SMF Profiles
• An SMF profile is an XML file that allows customization of services and instances delivered by the system.
• Profiles delivered with the operating system include:
– /etc/svc/profile/generic_open.xml: Enables standard services
– /etc/svc/profile/generic_limited_net.xml: Disables many Internet services
– /etc/svc/profile/ns_*.xml: Enables services associated with the name service that is configured to run on the system
– /etc/svc/profile/platform_*.xml: Enables services associated with particular hardware platforms

An SMF profile is an XML file that allows customization of services and instances delivered by the system. Profiles are available for configuration customization using a file rather than a set of scripts, or to customize configuration at deployment or installation time. All configurations may be customized by using a profile, including adding instances for system-supplied services.

Some profiles that are delivered with the operating system release include:
• /etc/svc/profile/generic_open.xml: This profile enables the standard services that have been started by default in earlier releases.
• /etc/svc/profile/generic_limited_net.xml: This profile disables many of the Internet services that have been started by default in earlier releases. The network/ssh service is enabled to provide network connectivity.
• /etc/svc/profile/ns_*.xml: This profile enables services associated with the name service that is configured to run on the system.
• /etc/svc/profile/platform_*.xml: This profile enables services associated with particular hardware platforms.

SMF Profile: Example

This example presents an excerpt from the /etc/svc/profile/generic_open.xml file. As was discussed, this profile enables the standard services that have been started by default in earlier releases. Each service is listed in the same basic format:

You learn how to create and apply your own profile in the next topic.

When SMF Profiles Are Applied
• /etc/svc/profile/generic.xml profile:
– Applied during the first boot after a new installation or an upgrade
– Symbolically linked to generic_open.xml or generic_limited_net.xml
• The contents of site.xml in /etc/svc/profile:
– Applied during first boot
– Added between boots
• Profiles in /etc/svc/profile are applied during early manifest import.
• Profiles in /var/svc/profile are applied during later manifest import.

During the first boot after a new installation or an upgrade, the /etc/svc/profile/generic.xml profile is applied. This file is usually symbolically linked to generic_open.xml or generic_limited_net.xml. Also, if a profile called site.xml is in /etc/svc/profile during the first boot or is added between boots, the contents of this profile are applied.
Note: By using the site.xml profile, the initial set of enabled services may be customized by the administrator.
Similar to manifests, profiles in /etc/svc/profile are applied during the early manifest import. Profiles in /var/svc/profile are applied during the later manifest import.

Note: The generic_xxx profiles are mutually exclusive. Any conflicting definitions between files in /etc/svc/profile/site are treated as conflicts, and the affected service instances are put into the maintenance state.


SMF Manifests
• An SMF manifest is an XML file that describes a service and a set of instances.
• Manifests are imported to load the properties of that service and its instances into the repository.
• The preferred location for manifests is /lib/svc/manifest.
• Manifests are imported and upgraded during the boot process before any services start.
• The site subdirectory is reserved for site-specific use.
• Manifests in the site directory can be modified directly.

An SMF manifest is an XML file that describes a service and a set of instances. Manifests are imported to load the properties of that service and its instances into the repository.

The preferred location for manifests is /lib/svc/manifest. Manifests stored there will be imported and upgraded during the boot process before any services start. Running the import process early ensures that the repository will contain information from the latest manifests before the services are started. At other times, you can import information from these manifests by running this command: svcadm restart manifest-import.
/var/svc/manifest remains available for compatibility purposes, but manifests located there will not be imported or upgraded until the svc:/system/manifest-import:default service runs, which is significantly later in the boot process.
The site subdirectory of /lib/svc/manifest and /var/svc/manifest is reserved for site-specific use. Manifests in the site directory may be modified directly. Other manifests included in the software release should not be modified because those modifications will be lost during software upgrades. If you need to make changes to the set of properties included in the generic manifests, you should either create a profile or use the svccfg command. You learn how to create a profile in the next topic.


With the introduction of svcbundle in Oracle Solaris 11.1, the creation of manifests and profiles is easier. svcbundle enables you to take advantage of the benefits of automatic application restart without requiring you to have full knowledge of the XML file format that is used when integrating with the Service Management Facility (SMF). You can use the svcbundle command to generate SMF manifests and get the manifest validated using the svccfg command. The svcbundle command allows you to create and, optionally, install a manifest or system profile. For more information, refer to http://www.oracle.com/technetwork/articles/servers-storage-admin/howto-svcbundle-manifestprofile-1866525.html, http://docs.oracle.com/cd/E26502_01/html/E29003/eqbrs.html#smft-5 and svcbundle(1M).


SMF Manifest: Example

This example presents an excerpt from the rbac.xml manifest. A manifest file consists of the following basic entries:
• The opening entry, of type manifest and named SUNWcsr:rbac, indicates a simple service rather than a milestone, the package providing the service, and the service name.
• An entry that identifies whether multiple instances of the service will run
• An entry that creates information to describe the service

The rbac.xml manifest is displayed as follows (minus the header and comment content) for you to familiarize yourself with a manifest's layout:

You create your own service manifest in Practice 7.


Service Configuration Repository
• Stores state and configuration information about each service instance
• Is located in /etc/svc/repository.db
• Is managed by the svc.configd daemon
• Provides a consistent and persistent way to enable or disable a service
• Provides a consistent view of service state

SMF stores state and configuration information about each service instance in the service configuration repository. The repository is distributed among local memory and local disk-based files and is stored in /etc/svc/repository.db.
The repository is managed by the svc.configd daemon. This daemon is the interface
between the repository and the user and ensures that a consistent picture of the repository is
presented to the user.
In turn, the repository provides a consistent and persistent way to enable or disable a service,
as well as a consistent view of the service state. This capability helps you debug service
configuration problems.


SMF Administrative Layers
[Figure: the SMF repository shown as four stacked layers: manifest, system-profile, site-profile, and admin]

The SMF repository consists of four layers that can be used to help determine which settings have been customized by an administrator and which settings are delivered by the software. The four layers are as follows:
• manifest: Imported full manifest files that completely define a service or an instance and that are located in a standard location: /lib/svc/manifest or /var/svc/manifest
• system-profile: Specifically named profiles (/etc/svc/profile/generic.xml or /etc/svc/profile/platform.xml) that are applied to the system and delivered by the Solaris consolidations
• site-profile: Profiles that are site specific and are either applied from the /etc/svc/profile/site directory or from the /etc/svc/profile/site.xml or /var/svc/profile/site.xml file
• admin: Administrative customizations to the system done with svccfg add/set/del subcommands as well as through enabling/disabling services through the command line. Manifests and profiles imported and applied from nonstandard locations (that is, outside of /lib/svc/manifest or /var/svc/manifest) are considered customizations and are brought in at the admin layer.

The layers are hierarchical, with the admin layer taking precedence. If a property has a value
in the admin layer, that value will be used by the service. If not, the site-profile layer is
consulted, and then the system-profile layer, and eventually the manifest layer. This
behavior allows for local changes to take precedence over the default settings.
The system automatically manages these layers. Any direct changes that you as the system
administrator make to the repository appear only in the admin layer. Other layers are
changed only by placing or removing files in standard locations. When a property is put into
the repository because of file contents, the information about that property includes the name
of that file.
Note: You can use the svccfg listprop command to explore layers. You can use the svccfg listcust command to list only customizations.
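The layer precedence described here, together with the conflict rule from the earlier profile topic (conflicting site profile definitions put the instance into maintenance), worked through in Python as an added example that is not code from the course: the profile documents, service names and the admin customization are constructed, and the admin layer is modelled as a plain mapping rather than read from the repository.

```python
import xml.etree.ElementTree as ET

# Repository layers from highest to lowest precedence, as the lesson lists them.
LAYER_ORDER = ("admin", "site-profile", "system-profile", "manifest")


def profile_xml(bundle_name, *entries):
    """Build a small profile document from (service, enabled) pairs.

    Constructed for the demonstration; real profiles use this same
    service/instance layout inside a service_bundle of type 'profile'.
    """
    body = "".join(
        f"  <service name='{svc}' version='1' type='service'>\n"
        f"    <instance name='default' enabled='{'true' if on else 'false'}'/>\n"
        f"  </service>\n" for svc, on in entries)
    return (f"<?xml version=\"1.0\"?>\n<service_bundle type='profile' "
            f"name='{bundle_name}'>\n{body}</service_bundle>\n")


# Constructed sample: a system profile plus two site profiles that disagree
# about telnet. Service names and values are made up for the demonstration.
SAMPLE_SOURCES = [
    ("system-profile", "/etc/svc/profile/generic_limited_net.xml",
     profile_xml("generic_limited_net", ("network/ssh", True),
                 ("network/telnet", False), ("network/finger", False))),
    ("site-profile", "/etc/svc/profile/site.xml",
     profile_xml("site", ("network/telnet", True))),
    ("site-profile", "/etc/svc/profile/site/hardening.xml",
     profile_xml("hardening", ("network/telnet", False))),
]
# Admin-layer customizations (svcadm enable/disable, svccfg set), modelled as
# a plain mapping here instead of being read from the repository.
SAMPLE_ADMIN = {"svc:/network/finger:default": True}


def parse_profile(xml_text):
    """Return {fmri: enabled} for every instance element in one profile."""
    root = ET.fromstring(xml_text)
    if root.tag != "service_bundle" or root.get("type") != "profile":
        raise ValueError("not an SMF profile bundle")
    result = {}
    for svc in root.iter("service"):
        for inst in svc.findall("instance"):
            fmri = f"svc:/{svc.get('name')}:{inst.get('name')}"
            result[fmri] = inst.get("enabled") == "true"
    return result


def resolve(sources, admin=None):
    """Work out the effective enabled state of each instance.

    sources: (layer, filename, profile_xml) tuples for the profile layers.
    admin:   {fmri: enabled} customizations, which sit in the admin layer.
    Returns (effective, conflicts): effective maps an FMRI to
    (enabled, layer, origin); conflicts maps an FMRI to (layer, files) when
    two files in one layer disagree, and such an instance is reported with
    origin 'maintenance' instead of an enabled value.
    """
    per_layer = {layer: {} for layer in LAYER_ORDER}
    for fmri, enabled in (admin or {}).items():
        per_layer["admin"][fmri] = (enabled, "svcadm/svccfg")
    conflicts = {}
    for layer, fname, xml_text in sources:
        for fmri, enabled in parse_profile(xml_text).items():
            prior = per_layer[layer].get(fmri)
            if prior is not None and prior[0] != enabled:
                conflicts.setdefault(fmri, (layer, [prior[1]]))[1].append(fname)
            per_layer[layer][fmri] = (enabled, fname)

    effective = {}
    for fmri in {f for entries in per_layer.values() for f in entries}:
        for layer in LAYER_ORDER:  # the highest layer that defines it wins
            if fmri not in per_layer[layer]:
                continue
            if fmri in conflicts and conflicts[fmri][0] == layer:
                effective[fmri] = (None, layer, "maintenance")
            else:
                enabled, origin = per_layer[layer][fmri]
                effective[fmri] = (enabled, layer, origin)
            break
    return effective, conflicts


if __name__ == "__main__":
    eff, conf = resolve(SAMPLE_SOURCES, SAMPLE_ADMIN)
    for fmri in sorted(eff):
        print(fmri, eff[fmri])
    for fmri, (layer, files) in conf.items():
        print("conflict in", layer, "for", fmri, ":", ", ".join(files))
```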


Introducing SMF Repository Backups
• SMF automatically takes these backups:
– Boot backup: Taken immediately before the first change to the repository is made during each system startup
– manifest_import backups: Occur after svc:/system/early-manifest-import:default or svc:/system/manifest-import:default completes
• System maintains four copies of each type.
• Backups are stored as /etc/svc/repository-type-YYYYMMDD_HHMMSS for the date and time when the backup was taken.
• Repository can be restored from these backups.

The SMF automatically takes the following backups of the repository:
• The boot backup is taken immediately before the first change to the repository is made during each system startup.
• The manifest_import backups occur after svc:/system/early-manifest-import:default or svc:/system/manifest-import:default completes, if the service imported any new manifests or ran any upgrade scripts.

Four backups of each type are maintained by the system. The system deletes the oldest backup when necessary. The backups are stored as /etc/svc/repository-type-YYYYMMDD_HHMMSS, where YYYYMMDD (year, month, day) and HHMMSS (hour, minute, second) are the date and time when the backup was taken. Note that the hour format is based on a 24-hour clock.
You can restore the repository from these backups, if an error occurs. You learn how to do this later in the lesson.
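Choosing a restore source from the backup names described above, as an added Python example that is not code from the course: it parses the repository-type-YYYYMMDD_HHMMSS names, applies the four-copies retention, and picks the newest backup taken before a given moment; the directory listing is constructed.

```python
import re
from datetime import datetime

BACKUP_RE = re.compile(r"^repository-(boot|manifest_import)-(\d{8}_\d{6})$")
KEEP = 4  # the system retains four backups of each type

# Constructed /etc/svc listing. repository.db is the live repository and
# must never be mistaken for a backup.
SAMPLE_LISTING = [
    "repository.db",
    "repository-boot-20130311_071502",
    "repository-boot-20130312_071455",
    "repository-boot-20130313_071530",
    "repository-boot-20130314_071448",
    "repository-boot-20130315_071510",
    "repository-manifest_import-20130312_071521",
    "repository-manifest_import-20130315_071544",
]


def parse_backup(name):
    """Return (type, timestamp) for a backup name, or None for anything else."""
    m = BACKUP_RE.match(name)
    if m is None:
        return None
    # %H reads the 24-hour field the lesson's note refers to.
    return m.group(1), datetime.strptime(m.group(2), "%Y%m%d_%H%M%S")


def retained(names, keep=KEEP):
    """Newest `keep` backups of each type, oldest dropped as the system does."""
    by_type = {}
    for name in names:
        parsed = parse_backup(name)
        if parsed is not None:
            by_type.setdefault(parsed[0], []).append((parsed[1], name))
    return {btype: [name for _, name in sorted(stamps, reverse=True)[:keep]]
            for btype, stamps in by_type.items()}


def restore_candidate(names, broken_since, backup_type="boot"):
    """Newest backup of `backup_type` taken strictly before `broken_since`.

    That is the copy to restore when a change after that moment left the
    repository unusable. Returns None if no backup is old enough.
    """
    candidates = []
    for name in names:
        parsed = parse_backup(name)
        if parsed and parsed[0] == backup_type and parsed[1] < broken_since:
            candidates.append((parsed[1], name))
    return max(candidates)[1] if candidates else None
```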


Introducing SMF Repository Snapshots
• Snapshots are taken per service at the time when a service is successfully started.
• Standard snapshots include:
– initial: Taken on the first import of the manifest
– running: Used when the service methods are executed
– start: Taken at the last successful start
• Current property values for a service are incorporated into the running snapshot with the svcadm refresh command.
• Instance configurations can be viewed or reverted to in a previous snapshot by using the svccfg command.

The service configuration repository provides a per-service snapshot at the time each service is successfully started so that fallback is possible. The standard snapshots that are stored in the SMF repository are listed in the slide.
The SMF service always executes with the running snapshot. This snapshot is automatically created if it does not exist.
When you change the property values of a service, the changes are incorporated into the
running snapshot when you execute the svcadm refresh command. You can use the
svccfg command to view or revert to instance configurations in a previous snapshot. You
learn how to revert to a previous snapshot later in this lesson.


Creating New Service Scripts
• Determine the process for starting and stopping your service.
• Establish a name for the service and the category that this service is in.
• Determine whether your service runs multiple instances.
• Identify any dependency relationships between this service and any other services.
• If a script is required to start and stop the process, create the script and place it in a local directory, such as /usr/local/svc/method.
• Create a service manifest file for your service.
• Incorporate the script into the SMF by using the svccfg utility.

You can create new scripts to start and stop additional processes or services to customize a system. For example, to eliminate the requirement for a manual start of a database server, you could create a script to start the database server automatically after the appropriate network services have started. You can then create another script to terminate this service and shut down the database server before the network services are stopped.

The procedure for service script creation is outlined in the steps in the slide. You learn how to
complete these steps in the next topic.


Implementing the Services Administration Plan
Your assignment is to:
• Create a new service and incorporate it into the SMF
• Modify a service configuration
• Restore and recover a service


Quiz
The preferred location for manifests is /lib/svc/manifest.
a. True
b. False

le

s

b
a
r
e
f

an
r
t
n

o

an
s
ha ฺ
)
om uide
c
ฺ
l
ai nt G
m
g ude
@
t
o
S
d
l
s
na thi
o
r
ฺ
se and/or its affiliates. All rights reserved.
o © 2013,uOracle
r
Copyright
e
ic e to
c
(
do icens
l
a
l
Answer:oan
R
ro
ice

C

Oracle Solaris 11 Advanced System Administration 7 - 23

Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ

Quiz
Which of the following profiles is used to enable standard
services?
a. /etc/svc/profile/generic_open.xml
b. /etc/svc/profile/generic_limited_net.xml
c. /etc/svc/profile/ns_*.xml
d. /etc/svc/profile/platform_*.xml


Answer: a

Quiz
Which daemon manages the service configuration repository?
a. svc.ipfd
b. svc.configd
c. svc.startd


Answer: b

Quiz
Which service configuration repository snapshot does the SMF
service always execute with?
a. initial
b. running
c. start


Answer: b

Lesson Agenda
• Planning Services Configuration
• Configuring SMF Services
• Troubleshooting SMF Services


Configuring SMF Services
• Creating and exporting a service
• Modifying a service’s manifest
• Changing an environment variable for a service
• Changing a property for an inetd-controlled service
• Creating and applying an SMF profile
• Changing services and their configurations by using the netservices command


Creating and Exporting a Service
1. Create the script by using the following command:
vi /usr/local/svc/method/servicename
2. Grant the execute permission on the script so it can be executed by using the following command:
chmod 544 /usr/local/svc/method/servicename
3. Change directories to /lib/svc/manifest/site and edit the manifest .xml file for your new service.
4. Import the new service into the SMF by using the following command: svccfg import \
/lib/svc/manifest/site/servicename.xml
5. Verify that the new service is available by using the svcs servicename command.

Notes for step 3: An explanation of each of the entries in the file is provided on the following pages.
Notes for step 4: When using the default manifest location, /lib/svc/manifest, use the import command as shown in this step; otherwise, use the manifest-import command.


Creating and Exporting a Service: Example

# vi /usr/local/svc/method/newservice
#!/sbin/sh
#
# ident "@(#)newservice 1.14 04/08/30 SMI"
case "$1" in
'start')
        /usr/bin/newservice &
        ;;
'stop')
        /usr/bin/pkill -x -u 0 newservice
        ;;
*)
        echo "Usage: $0 { start | stop }"
        ;;
esac
exit 0
# chmod 544 /usr/local/svc/method/newservice


In the example shown in the slide, you are creating a new service called newservice. Here you see the steps for editing the new service's method script and granting execute permission. Because svc.startd runs this script as root, two details matter: the stop branch uses pkill -x -u 0 so that only processes named exactly newservice and owned by root are signalled, and an unrecognized argument should exit nonzero so that svc.startd does not record a successful method call when nothing was done. Mode 544 (r-xr--r--) makes the script executable only by its owner and writable by no one without privilege; it must also be owned by root, because anyone who can modify it controls a process that runs as root.

Oracle Solaris 11 Advanced System Administration 7 - 30


Creating and Exporting a Service: Example
# cd /var/svc/manifest/site
# vi newservice.xml
<service_bundle type='manifest' name='OPTnew:newservice'>
[remaining manifest entries: service name and default instance, single_instance, exec_method start and stop, startd duration; each is described on the following page]


Here you are changing directories to /var/svc/manifest/site and editing the manifest .xml file entries for your new service. Take a closer look at each of the entries in the file. To begin, you have the standard header: the XML declaration and the DOCTYPE line that references the service bundle DTD.

Just below the header is the service_bundle element. Its type (manifest) distinguishes a manifest, which describes a service, from a profile, which only records enabled states, and its name gives the package providing the service and the service name:
<service_bundle type='manifest' name='OPTnew:newservice'>

The next entry names the service (site/newservice) and creates its default instance, and the entry below that specifies whether multiple instances of the service may run at the same time.

Oracle Solaris 11 Advanced System Administration 7 - 31

The next entries define how the service is started and stopped. Each exec_method names the method (start or stop), the command that svc.startd runs, and a timeout_seconds value (30 in the example); a method that has not completed within that many seconds is treated as failed.

Next is the service model to use. The entry shows that the service will be started by svc.startd as a transient service. Transient services are not continuously running services: svc.startd considers the service online once the start method exits and does not track any processes it left behind, so it will not notice if the daemon dies, and the stop method must locate and signal the daemon itself (which is why the example script uses pkill). For a daemon that should be restarted when it fails, use the contract model instead, under which the daemon's processes are tracked in a process contract and the stop method can simply be :kill.

Note: If you need to define dependencies for the service, you can do so with a dependency entry whose service_fmri value is svc:/milestone/multi-user. In this example, the service requires the multi-user milestone, so svc.startd does not start it until that milestone has been reached.

After you have completed editing the manifest file and have reviewed the file to make sure that you have not missed any XML tags or introduced typing errors, it is a good practice to validate the file by running the following command:
# svccfg validate /var/svc/manifest/site/newservice.xml

Oracle Solaris 11 Advanced System Administration 7 - 32

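As an added example, not the manifest from the slide, here is a complete manifest for the same hypothetical svc:/site/newservice written the way a security-minded administrator would deliver it: a dependency on the multi-user milestone, a 30-second method timeout, the contract model so that svc.startd tracks and restarts the daemon, :kill as the stop method, and a method_credential that runs the start method as the daemon account instead of root. The shell wrapper writes it to a file and, where svccfg is available, runs the same validate and import commands the guide shows. The method path, the daemon account, and the package name OPTnew are assumptions carried over from the example.

```sh
#!/bin/sh
# Added example (not the slide's manifest): writes a hardened manifest for the
# hypothetical svc:/site/newservice, then validates and imports it when svccfg
# is present. Method path, daemon account and bundle name are assumptions.

newservice_manifest() {
cat <<'EOF'
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type='manifest' name='OPTnew:newservice'>
  <service name='site/newservice' type='service' version='1'>
    <!-- Create the default instance but leave it disabled until enabled
         explicitly, so importing the manifest does not start it. -->
    <create_default_instance enabled='false' />
    <single_instance />

    <!-- Do not start before the multi-user milestone has been reached. -->
    <dependency name='multi-user' grouping='require_all' restart_on='none'
                type='service'>
      <service_fmri value='svc:/milestone/multi-user' />
    </dependency>

    <!-- Run the start method as an unprivileged account instead of root. -->
    <exec_method type='method' name='start'
                 exec='/usr/local/svc/method/newservice start'
                 timeout_seconds='30'>
      <method_context>
        <method_credential user='daemon' group='daemon' />
      </method_context>
    </exec_method>
    <!-- :kill sends SIGTERM to every process in the service contract. -->
    <exec_method type='method' name='stop' exec=':kill' timeout_seconds='30' />

    <!-- contract: svc.startd tracks the daemon and restarts it if it dies. -->
    <property_group name='startd' type='framework'>
      <propval name='duration' type='astring' value='contract' />
    </property_group>

    <stability value='Unstable' />
    <template>
      <common_name>
        <loctext xml:lang='C'>newservice example daemon</loctext>
      </common_name>
    </template>
  </service>
</service_bundle>
EOF
}

# Write the manifest read-only (it is input to a root-owned framework) and, on
# Solaris, validate it before importing. Returns nonzero on any failure; off
# Solaris it stops after writing the file.
newservice_install_manifest() {
    file=$1
    newservice_manifest > "$file" || return 1
    chmod 444 "$file" || return 1
    if command -v svccfg >/dev/null 2>&1; then
        svccfg validate "$file" || return 1
        svccfg import "$file" || return 1
        svcadm enable site/newservice || return 1
    fi
    return 0
}
```

Because the default instance is created disabled, the import itself changes nothing on the network; the service starts only at the explicit svcadm enable, which is the moment to check svcs -p and the service log. Note that with the method_credential in place the guide's pkill -u 0 stop would no longer match the daemon, which is one more reason to let :kill act on the contract.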


Creating and Importing a Service: Example

# svccfg import /var/svc/manifest/site/newservice.xml
svccfg: Taking "previous" snapshot for svc:/site/newservice:default.
svccfg: Upgrading properties of svc:/site/newservice according to
instance "default".
svccfg: svc:/site/newservice: Deleting property
"general/entity_stability".
svccfg: svc:/site/newservice: Upgrading property "stop/exec".
svccfg: svc:/site/newservice: Deleting property group "tm_common_name".
svccfg: svc:/site/newservice: Deleting property group "tm_man_utmpd1M".
svccfg: svc:/site/newservice: Deleting property group "tm_man_utmpx4".
svccfg: Taking "last-import" snapshot for svc:/site/newservice:default.
svccfg: Refreshed svc:/site/newservice:default.
svccfg: Successful import.
# svcs newservice
STATE          STIME    FMRI
online          8:43:45 svc:/site/newservice:default


Here you are importing the service into the SMF by using the svccfg import command.
Note: SMF takes snapshots of the service (previous, last-import) and stores them in the service configuration repository; they are what svccfg revert can fall back to later.

After the service has been imported into the SMF, your final step is to verify that it is visible to the system by using the svcs command. Note that the service is online: the manifest's default instance was created enabled, so the import started it immediately.

Oracle Solaris 11 Advanced System Administration 7 - 33


Creating and Exporting a Service: Example

# svcadm -v disable site/newservice
site/newservice disabled.
# svcs newservice
STATE STIME FMRI
disabled 9:11:38 svc:/site/newservice:default
# svcadm -v enable site/newservice
site/newservice enabled.
# svcs newservice
STATE STIME FMRI
online 9:11:54 svc:/site/newservice:default
#


It is also good practice to verify that it is possible to disable and enable the service by using the svcadm command, as shown in the example in the slide.

Oracle Solaris 11 Advanced System Administration 7 - 34


Modifying a Service’s Manifest
1. Modify the manifest.
2. Re-import the manifest with svcadm restart manifest-import if it is in a standard location. If it is not in a standard location, run svccfg import.
3. Importing the service refreshes it; however, a restart may be required.


There might be times when you need to modify a service’s manifest due to structural changes that impact the execution method. To change the configuration of a service that is not managed by the inetd service, you use the steps listed in the slide.

Notes for step 1: Many of the services have one or more configuration files that are used to define the startup or other configuration information. These files can be changed while the service is running. The contents of the files are checked only when the service is started.
Notes for step 2: The svcadm utility enables you to perform common service management tasks, such as enabling, disabling, or restarting service instances. manifest-import is itself an SMF service (svc:/system/manifest-import); restarting it rescans the standard manifest directories and imports any manifest that is new or has changed.
Notes for step 3: A refresh makes the new property values visible to the restarter, but the running processes keep the old method and environment; changes to an exec_method, to a method_credential, or to the method's environment take effect only when the service is restarted.

Oracle Solaris 11 Advanced System Administration 7 - 35


Modifying a Service’s Manifest: Example

# vi crmsvc.xml
# grep monitor crmsvc.xml
[the exec_method line, now referring to monitor1.crm, with timeout_seconds='60']
# svcadm restart manifest-import
# svcadm restart crmsvc
# svcadm enable crmsvc
# svcs crmsvc
online         10:27:25 svc:/site/crmsvc:default


In the example shown in the slide, the decision has been made to modify the crmsvc service’s manifest. To make the modification to the service manifest, you use a text editor to change the exec_method entry in crmsvc.xml to refer to monitor1.crm instead of monitor.crm. Because the manifest lives in a standard manifest directory, you import the change with the svcadm restart manifest-import command. After the import, you restart the service so that the new method is used and make sure it is enabled. Finally, you verify that the service is online.

Oracle Solaris 11 Advanced System Administration 7 - 36


Changing an Environment Variable for a Service
1. Verify that the service is running by using svcs FMRI.
2. Set environment variables by using svccfg -s FMRI setenv envvar value.
3. Refresh the service by using svcadm refresh FMRI.
4. Restart the service by using svcadm restart FMRI.
5. Verify that the change has been made by using pargs -e `pgrep -f /usr/sbin/FMRI`.


Notes for step 1: The svcs utility provides detailed views of the service state of all service instances in the service configuration repository.
Notes for step 2: The -s option selects the entity indicated by the fault management resource identifier (FMRI) before executing any subcommands. The modification subcommand setenv searches for the start property group in the currently selected entity and, if an instance is currently selected, its parent is also searched. After the property is located, all values that begin with envvar followed by a "=" are removed, and the value "envvar=value" is added. Because the method runs as root unless a method_credential says otherwise, variables set this way (LD_PRELOAD in particular) are honoured by a privileged process; the ability to set them is limited to root and to accounts holding the solaris.smf.modify authorization, and a variable is removed again with svccfg -s FMRI unsetenv envvar.
Notes for step 3: The svcadm command is used to manipulate service instances. The command issues requests for actions on services executing within the SMF. Actions for a service are carried out by its assigned service restarter agent. The refresh subcommand requests that the assigned restarter update the service's running configuration snapshot with the values from the current configuration. Some of these values take effect immediately (for example, dependency changes). Other values do not take effect until the next service restart.
Notes for step 5: The pargs -e command prints the environment variables that were passed to the process. pgrep -f matches against the full command line, so its argument is the daemon's path (for example /usr/sbin/cron), not an FMRI.

Oracle Solaris 11 Advanced System Administration 7 - 37


Changing an Environment Variable
for a Service: Example
# svcs system/cron
STATE          STIME    FMRI
online         13:02:52 svc:/system/cron:default
# svccfg -s system/cron:default setenv UMEM_DEBUG default
# svccfg -s system/cron:default setenv LD_PRELOAD libumem.so
# svcadm refresh system/cron
# svcadm restart system/cron
# pargs -e `pgrep -f /usr/sbin/cron`
100657: /usr/sbin/cron
envp[0]: LOGNAME=root
envp[1]: LD_PRELOAD=libumem.so
envp[2]: PATH=/usr/sbin:/usr/bin
envp[3]: SMF_FMRI=svc:/network/ssh:default
envp[4]: SMF_METHOD=/lib/svc/method/svc-ssh
envp[5]: SMF_RESTARTER=svc:/network/svc/restarter:default
envp[6]: TZ=GB
envp[7]: UMEM_DEBUG=default
#


In the example shown in the slide, you are setting environment variables for the cron service to help with debugging. First, you verify that the service is up and running, and it is. Next, you set the UMEM_DEBUG and LD_PRELOAD environment variables by using the svccfg -s command with the setenv subcommand. To make the changes effective, you refresh and then restart the service by using the svcadm refresh and svcadm restart commands. Finally, you verify that the change has been made by using the pargs -e command. Here you can see that the two variables are present. The LD_PRELOAD environment variable is envp[1], and the UMEM_DEBUG environment variable is envp[7].
Note: The SMF_FMRI, SMF_METHOD, and SMF_RESTARTER values in this capture do not belong to cron. For a process that svc.startd started for the cron instance, SMF_FMRI is svc:/system/cron:default and SMF_RESTARTER is svc:/system/svc/restarter:default; checking SMF_FMRI is the quickest way to confirm that pgrep -f picked the daemon SMF started rather than some other process whose command line happens to contain the same string. Remove a debugging LD_PRELOAD afterwards (svccfg -s system/cron:default unsetenv LD_PRELOAD, then refresh and restart): it loads the named library into a daemon that runs as root.

Oracle Solaris 11 Advanced System Administration 7 - 38

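The procedure above, as an added example that is not code from the guide: two small parsers make the step-5 verification scriptable, and the wrapper performs steps 2 to 5 against a real instance. It takes the PIDs from svcs -p, which lists the processes in the instance's contract, instead of from pgrep -f, which matches any process whose command line contains the string (an editor open on /usr/sbin/cron would do). The cron FMRI, libumem.so and the pargs lines used in the test come from the slide; svccfg, svcadm, svcs and pargs exist only on Solaris, while the parsers run on any POSIX shell.

```sh
#!/bin/sh
# Added example (not from the guide): set a start-method environment variable
# on an SMF instance and prove it reached the running daemon. svccfg, svcadm,
# svcs and pargs exist only on Solaris; the two parsers run anywhere.

# PIDs of the processes in an instance's contract, from `svcs -Hp FMRI` output.
# Process lines look like "   13:02:52   100657 cron" (STIME PID CMD); the
# instance line carries the state and FMRI instead and is skipped.
svcs_pids() {                  # usage: svcs -Hp FMRI | svcs_pids
    awk 'NF == 3 && $2 ~ /^[0-9]+$/ { print $2 }'
}

# Value of VAR from `pargs -e PID` output, whose lines look like
# "envp[1]: LD_PRELOAD=libumem.so". Exit 1 if VAR is not in the environment.
pargs_env_value() {            # usage: pargs -e PID | pargs_env_value VAR
    awk -v var="$1" '
        $1 ~ /^envp\[[0-9]+\]:$/ {
            kv = substr($0, index($0, ": ") + 2)
            eq = index(kv, "=")
            if (substr(kv, 1, eq - 1) == var) { print substr(kv, eq + 1); found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Steps 2 to 5 of the slide. Refresh pushes the new start/environment value
# into the running snapshot; restart re-executes the method so the daemon
# inherits it; every process in the contract is then checked.
smf_setenv_verify() {          # usage: smf_setenv_verify FMRI VAR VALUE
    fmri=$1 var=$2 value=$3
    svccfg -s "$fmri" setenv "$var" "$value" || return 1
    svcadm refresh "$fmri" || return 1
    svcadm restart "$fmri" || return 1
    sleep 2   # give the restarter time to run the start method
    for pid in $(svcs -Hp "$fmri" | svcs_pids); do
        got=$(pargs -e "$pid" | pargs_env_value "$var") || return 1
        [ "$got" = "$value" ] || return 1
    done
    return 0
}
```

Run as smf_setenv_verify svc:/system/cron:default UMEM_DEBUG default; a nonzero return means either the svccfg or svcadm step failed or a process in the contract is still running with the old environment, which is exactly the case a plain restart hides when the daemon re-execs slowly.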

Changing a Property for an
inetd-Controlled Service
1. List the properties for the specific service by using inetadm -l FMRI.
2. Change the property for the service by using inetadm -m FMRI property-name=value.
3. Verify that the property has changed by using inetadm -l FMRI.
4. Confirm that the change has taken effect.


If you need to impose more access controls on a particular Internet service, you can do so by modifying the service’s property settings.
Notes for step 1: The inetadm command enables you to observe or configure services controlled by inetd, which is the delegated restarter for Internet services for the SMF. Its basic responsibilities are to manage service states in response to administrative requests, system failures, and service failures and, when appropriate, to listen for network requests for services.
The inetadm -l command displays all the properties for the service identified by the FMRI. The properties most relevant to access control are tcp_wrappers (consult /etc/hosts.allow and /etc/hosts.deny before accepting a connection), bind_addr (listen on one address only), max_con_rate and con_rate_offline (take the service offline when the connection rate exceeds a threshold), and tcp_trace (log every accepted connection through syslog).
Notes for step 2: The -m option is used to change the values of the specified properties of the identified service instances. Each property for an inetd-controlled service is defined by a property name and an assigned value. Supplying the property name without a specified value resets the property to the default value. Properties shown with the scope default are inherited from inetd's own defaults (displayed with inetadm -p); -m sets an instance-specific value that overrides the default for that service only.
Notes for step 3: You want to list the properties again to make sure that the appropriate change has occurred.

Oracle Solaris 11 Advanced System Administration 7 - 39


Changing a Property for an
inetd-Controlled Service: Example
# inetadm -l svc:/network/telnet
SCOPE    NAME=VALUE
         name="telnet"
         endpoint_type="stream"
         proto="tcp6"
         isrpc=FALSE
         wait=FALSE
         exec="/usr/sbin/in.telnetd"
         user="root"
default  bind_addr=""
default  bind_fail_max=-1
default  bind_fail_interval=-1
default  max_con_rate=-1
default  max_copies=-1
default  con_rate_offline=-1
default  failrate_cnt=40
default  failrate_interval=60
default  inherit_env=TRUE
default  tcp_trace=FALSE
default  tcp_wrappers=FALSE
default  connection_backlog=10
default  tcp_keepalive=FALSE


In the example shown in the slide, you enable the tcp_trace property for the telnet service. As you can see, currently the tcp_trace property is set to FALSE. Two other values in the listing deserve a look before you go further: user="root" means in.telnetd runs with full privilege, and tcp_wrappers=FALSE means any address that can reach the port is accepted. Because telnet carries credentials in cleartext, the usual choice on a production system is to leave the service disabled and rely on ssh; where it must stay, setting tcp_wrappers=TRUE and restricting the permitted sources in /etc/hosts.allow is the minimum.

Oracle Solaris 11 Advanced System Administration 7 - 40


Changing a Property for an
inetd-Controlled Service: Example
# inetadm -m telnet tcp_trace=TRUE
# inetadm -l telnet
SCOPE    NAME=VALUE
         name="telnet"
         endpoint_type="stream"
         proto="tcp6"
         isrpc=FALSE
         wait=FALSE
         exec="/usr/sbin/in.telnetd"
         user="root"
default  bind_addr=""
default  bind_fail_max=-1
default  bind_fail_interval=-1
default  max_con_rate=-1
default  max_copies=-1
default  con_rate_offline=-1
default  failrate_cnt=40
default  failrate_interval=60
default  inherit_env=TRUE
         tcp_trace=TRUE
default  tcp_wrappers=FALSE
default  connection_backlog=10
default  tcp_keepalive=FALSE


Here you can verify that the property has been changed. Note that tcp_trace no longer carries the default scope: the value is now set on the telnet instance itself and overrides the inetd-wide default.

Oracle Solaris 11 Advanced System Administration 7 - 41


Changing a Property for an
inetd-Controlled Service: Example
# tail -1 /var/adm/messages
Dec 15 08:04:39 client1 inetd[655]: [ID 317013 daemon.notice] telnet[2390] from 192.168.0.100 34098
# grep /var/adm/messages /etc/syslog.conf
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages


The last step is to confirm that the change has taken effect. First, you telnet to your host from another host. You then check the /var/adm/messages file to see if the telnet connection was logged, which as you can see it was: inetd records the service name, the PID it assigned to the server, and the source address and port of the peer at the daemon.notice level. You then confirm the entry in /etc/syslog.conf, which is configured to log daemon.notice messages to that file. You have successfully changed the service property.

Oracle Solaris 11 Advanced System Administration 7 - 42

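The four-step procedure above, as an added example rather than code from the guide: a parser for the inetadm -l listing so that the step-3 verification can be scripted, a hardening function that turns on both tcp_trace and tcp_wrappers for one service, and a parser for the connection records that tcp_trace writes to /var/adm/messages, which is the step-4 confirmation and also the starting point for spotting unexpected sources. inetadm exists only on Solaris; the parsers run anywhere, and the listing and log lines in the test are constructed from the format shown on the slides.

```sh
#!/bin/sh
# Added example (not from the guide): script the inetadm procedure and read
# back the connection records that tcp_trace writes. inetadm exists only on
# Solaris; the two parsers run on any POSIX shell.

# Value of PROP from `inetadm -l FMRI` output. Lines look like
# "default  tcp_trace=FALSE" (inherited default) or "         name="telnet""
# (instance-specific). Quotes are stripped; exit 1 if PROP is absent.
inetadm_prop() {               # usage: inetadm -l FMRI | inetadm_prop PROP
    awk -v prop="$1" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, "default") == 1) {
                line = substr(line, 8)
                sub(/^[ \t]+/, "", line)
            }
            if (index(line, prop "=") == 1) {
                v = substr(line, length(prop) + 2)
                gsub(/^"|"$/, "", v)
                print v
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Steps 2 and 3 for one inetd service: turn on connection logging and TCP
# Wrappers, then confirm both values. With tcp_wrappers=TRUE inetd consults
# /etc/hosts.allow and /etc/hosts.deny before starting the server, so the
# allow file must already list the permitted sources.
inetd_harden() {               # usage: inetd_harden FMRI
    inetadm -m "$1" tcp_trace=TRUE tcp_wrappers=TRUE || return 1
    out=$(inetadm -l "$1") || return 1
    [ "$(printf '%s\n' "$out" | inetadm_prop tcp_trace)" = TRUE ] || return 1
    [ "$(printf '%s\n' "$out" | inetadm_prop tcp_wrappers)" = TRUE ] || return 1
}

# inetd's tcp_trace records, e.g.
#   Dec 15 08:04:39 client1 inetd[655]: [ID 317013 daemon.notice] telnet[2390] from 192.168.0.100 34098
# Prints "service source_ip source_port" per record, optionally for one service.
inetd_connections() {          # usage: inetd_connections [SERVICE] < /var/adm/messages
    awk -v want="$1" '
        /inetd\[[0-9]+\]:/ && / from / {
            for (i = 2; i < NF - 1; i++) {
                if ($i == "from") {
                    svc = $(i - 1)
                    sub(/\[[0-9]+\]$/, "", svc)
                    if (want == "" || svc == want) print svc, $(i + 1), $(i + 2)
                }
            }
        }'
}
```

inetd_connections telnet < /var/adm/messages | sort | uniq -c gives a per-source count of telnet logins; any address outside the ranges you expected in /etc/hosts.allow is worth following up, since tcp_trace only records connections that inetd went on to serve.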

Creating and Applying an SMF Profile
1. Create a profile by using svccfg extract > profile.xml.
2. Edit the profile.xml file to make any required changes.
a. Change the name of the profile in the service_bundle declaration.
b. Remove any services that should not be managed by this profile.
c. Add any services that should be managed by this profile.
d. If necessary, change the enabled flag for selected services.
3. When necessary, apply the new profile by using svccfg apply profile.xml.

You can create an SMF profile that reflects which services you want enabled or disabled on the current system. Not all services need to be listed in a profile. Each profile needs to include only those services that need to be enabled or disabled to make the profile useful.
The steps for how to create an SMF profile are shown in the slide.
Notes for step 1: The svccfg utility enables you to display and manipulate the contents of the service configuration repository. The service profile subcommand extract prints a service profile that represents the enabled status of the service instances in the repository to standard output. You can redirect the output to a file by using extract > profile.xml (as you are doing in step 1).
Notes for step 2b: For each service, remove the three lines that describe the service. Each service description starts with a <service ...> line, is followed by an <instance name='...' enabled='true'/> (or enabled='false') line, and ends with </service>.
Notes for step 3: The apply subcommand takes the properties, including general/enabled, that are specified in the file and modifies them in the SMF repository. Applying a profile is the declarative way to hold a system to a known service baseline: an instance that the profile marks enabled='false' is disabled every time the profile is applied, so re-applying the profile is a simple way to undo services that were switched on outside the baseline.

Oracle Solaris 11 Advanced System Administration 7 - 44


Creating and Applying an SMF Profile: Example

# svccfg extract > profile.xml
# vi profile.xml
# cat profile.xml
...
[service_bundle declaration, with its name changed to profile]
...
[LDAP client service entry added, enabled; sendmail service entry with enabled='false']
...
# svccfg apply profile.xml


In the example shown in the slide, you use the svccfg command to create a profile called profile.xml that reflects which services are enabled or disabled on the current system. The assumption is that you are in your own home directory while performing this task.
Note: It is a best practice to use profile as the default name for your profile. Also, you have the option of making a copy of an existing profile to edit instead of creating a new profile.
In the first line of the profile.xml file, you change the name of the profile in the service_bundle declaration to profile. In the second entry, you add the LDAP client service (svc:/network/ldap/client:default). In the third entry, you disable the sendmail service (svc:/network/smtp:sendmail) by setting its instance to enabled='false'. You then apply the profile.

Oracle Solaris 11 Advanced System Administration 7 - 45

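As an added example, not the guide's profile (the slide's XML did not survive), the following shell generates a profile of the kind step 2 produces from a short list of desired instance states, which for this example is the assumed policy "LDAP client on, sendmail off, telnet off", and then checks live svcs output against that same list so that the profile doubles as a compliance check. The FMRIs are real Oracle Solaris service names; the policy itself and the svcs lines in the test are constructed. Only svccfg apply needs Solaris.

```sh
#!/bin/sh
# Added example (not the guide's profile): generate an SMF profile from a list
# of desired instance states and report drift between that list and the live
# service states. Only svccfg apply needs Solaris; the rest runs anywhere.

# Assumed policy: one "FMRI enabled" pair per line.
DESIRED='svc:/network/ldap/client:default true
svc:/network/smtp:sendmail false
svc:/network/telnet:default false'

# Emit a profile bundle named NAME with one <service> per line on stdin.
# svc:/a/b:inst becomes <service name='a/b'> with <instance name='inst'>.
make_profile() {               # usage: printf '%s\n' "$DESIRED" | make_profile NAME
    printf '%s\n' '<?xml version="1.0"?>'
    printf '%s\n' '<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">'
    printf "<service_bundle type='profile' name='%s'>\n" "$1"
    while read -r fmri enabled; do
        [ -n "$fmri" ] || continue
        svc=${fmri#svc:/}
        inst=${svc##*:}
        svc=${svc%:*}
        printf "  <service name='%s' version='1' type='service'>\n" "$svc"
        printf "    <instance name='%s' enabled='%s'/>\n" "$inst" "$enabled"
        printf '  </service>\n'
    done
    printf '</service_bundle>\n'
}

# Compare live states against DESIRED. Input is `svcs -aH -o state,fmri`
# output ("online  svc:/x:default"). Any state other than disabled counts as
# enabled (a maintenance service is enabled, just broken). Prints one
# "fmri expected actual" line per mismatch and exits 1 if there was any.
profile_drift() {              # usage: svcs -aH -o state,fmri | profile_drift
    awk -v desired="$DESIRED" '
        BEGIN {
            n = split(desired, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                if (kv[1] != "") want[kv[1]] = kv[2]
            }
        }
        NF == 2 { state[$2] = $1 }
        END {
            bad = 0
            for (f in want) {
                if (!(f in state)) actual = "missing"
                else actual = (state[f] == "disabled") ? "false" : "true"
                if (actual != want[f]) { print f, want[f], actual; bad = 1 }
            }
            exit bad
        }'
}

# Apply the generated profile; svccfg apply sets general/enabled for each
# listed instance, so re-applying it restores the baseline after drift.
apply_profile() {              # usage: apply_profile FILE
    command -v svccfg >/dev/null 2>&1 || { echo "svccfg not available" >&2; return 2; }
    svccfg apply "$1"
}
```

A cron job that runs svcs -aH -o state,fmri | profile_drift and applies the profile when it exits 1 turns the slide's one-off procedure into a control that notices (and reverses) a service someone enabled by hand. Keep DESIRED and the generated profile under version control so the baseline itself is reviewable.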

Changing Services and Their Configurations
by Using the netservices Command
Run the netservices command to select either open (traditional) or limited network exposure.
• For open or traditional network exposure, run /usr/sbin/netservices open.
• For limited network exposure, run /usr/sbin/netservices limited.


The netservices command switches system services between minimal network exposure and traditional network exposure. The switch is done with the generic_limited_net.xml and generic_open.xml profiles. In addition, some service properties are changed by the command to limit some services to a local-only mode or to the traditional mode, as appropriate.
Note: The generic_limited_net profile and the local-only-mode service properties are applied by default on Oracle Solaris 11, so a freshly installed system exposes few network listeners, ssh being the main one.
To have open or traditional network exposure, you use the /usr/sbin/netservices open command. This enables the network services listed in generic_open.xml and switches the local-only services back to listening on all interfaces, so run it only on a system that is meant to offer those services.

To have limited network exposure, you use the /usr/sbin/netservices limited command. This command changes properties to run some services in local mode, as well as restricts which services are enabled with the generic_limited_net profile. The command needs to be used only if the generic_open.xml profile has been applied. After either command, svcs -a and inetadm show which services and listeners are now active.

Oracle Solaris 11 Advanced System Administration 7 - 46

Practice 7-1 and Practice 7-2 Overview:
Configuring SMF Services
and Working with Service Profiles
These practices cover the following topics:
• Creating and exporting a service
• Modifying a service configuration
• Creating and applying an SMF profile


The practices for this lesson are designed to reinforce the concepts that have been presented in the lecture portion. These practices cover the following tasks:
• Practice 7-1: Configuring SMF services
• Practice 7-2: Working with service profiles
• Practice 7-3: Restoring and recovering a service

Practices 7-1 and 7-2 should take you a total of about 40 minutes to complete.

Oracle Solaris 11 Advanced System Administration 7 - 47


Lesson Agenda
• Planning Services Configuration
• Configuring SMF Services
• Troubleshooting SMF Services


Oracle Solaris 11 Advanced System Administration 7 - 48


Troubleshooting SMF Services
This section covers the following topics:
• Debugging a service that is not starting
• Restoring a service in maintenance state
• Reverting to an SMF snapshot
• Repairing a corrupt repository
• Debugging the services during a system boot
• Addressing system/filesystem/local:default service failures during boot

Oracle Solaris 11 Advanced System Administration 7 - 49


Debugging a Service That Is Not Starting
1. Request information about the hung service by using svcs -xv servicename.
2. Enable the service by using svcadm enable serviceinstance.
3. Verify that the service is online by using svcs -a servicename.
# svcs -xv
svc:/application/print/server:default (LP Print Service)
 State: disabled since Thu 15 Dec 2011 02:20:37 PM PDT
Reason: Disabled by an administrator.
   See: http://sun.com/msg/SMF-8000-05
   See: man -M /usr/share/man -s 1M lpsched
Impact: 2 services are not running:
        svc:/application/print/rfc1179:default
        svc:/application/print/ipp-listener:default
# svcadm enable application/print/server
# svcs printer
online         11:06:14 svc:/application/print/server:default


If you have a service that is disabled and not starting, you can debug it by using the steps shown in the slide.
Notes for step 1: The -x option explains why a service is not running; adding -v includes the man page references and the full list of affected instances.
In the example, the print service is disabled. To find out more about the problem, you run the svcs -xv command for the service. The output for the svcs -xv command provides the following information:
• State: The state of the service and the date and time stamp
• Reason: Why the service is disabled
• See: The URL to a knowledge article on the issue
• See: Man page references to help resolve the issue
• Impact: What services have been affected by the problem

Oracle Solaris 11 Advanced System Administration 7 - 50


Here you can see that the service was disabled by an administrator. You can also see that
having the printer service disabled is impacting two other services. Because the issue is that
an administrator disabled the service, you try to correct the problem by enabling the service.
To verify that the service is back online, you can use the svcs servicename command.


Oracle Solaris 11 Advanced System Administration 7 - 51


Restoring a Service in Maintenance State
1. Determine if any processes that are dependent on the service have not stopped by using svcs -p FMRI.
2. Kill any remaining processes as required by using kill PID (kill -9 PID only if the process ignores the default signal).
3. If necessary, repair the service configuration after reviewing svcs -x FMRI.
4. Restore the service by using svcadm clear FMRI.


SMF places a service in maintenance mode when it is unable to bring it up. As a system administrator, it is your job to figure out what has caused the problem. The steps for restoring a service in maintenance state are shown in the slide.
Notes for step 1: Normally, when a service instance is in maintenance state, all processes associated with that instance have stopped. However, you should make sure before you proceed. The svcs -p FMRI command lists all the processes that are associated with a service instance as well as the PIDs for those processes.
Notes for step 2: Repeat this step for all processes that are displayed by the svcs command. kill takes a PID, whereas pkill takes a process name pattern, so kill is the right tool once svcs -p has given you the PID. Send SIGTERM first and fall back to kill -9 (SIGKILL) only for a process that does not exit, because SIGKILL gives the daemon no chance to clean up locks or temporary state that may be the very thing preventing a restart.
Notes for step 3: The -x option provides you with details that you might find useful for debugging the issue. You can also examine the appropriate service log file in /var/svc/log for a list of errors; as in the example on the next page, svcs -x names that file on one of its See: lines.
Notes for step 4: svcadm clear tells the restarter that the fault has been fixed; it does not fix anything itself, so if the configuration was not actually repaired the instance returns to maintenance at the next start attempt.

Oracle Solaris 11 Advanced System Administration 7 - 52


Restoring a Service
in Maintenance State: Example
# svcs time-slider:default
STATE          STIME    FMRI
maintenance     8:22:10 svc:/application/time-slider:default
# svcs -p time-slider:default
STATE          STIME    FMRI
maintenance     8:23:06 svc:/application/time-slider:default
# svcs -x time-slider:default
svc:/application/time-slider:default (GNOME Desktop Snapshot Management Service)
 State: maintenance since Dec 15, 2011 08:22:41 AM MDT
Reason: Start method exited with $SMF_EXIT_ERR_FATAL.
   See: http://sun.com/msg/SMF-8000-KS
   See: zfs(1M)
   See: /var/svc/log/application-time-slider:default.log
Impact: This service is not running.
# svccfg delete time-slider:default


In the example shown in the slide, the time-slider:default service is in the maintenance state. Your first step is to determine if any processes that are dependent on the service have not stopped by using the svcs -p command. As you can see, no processes are listed, so your next step is to find out why the service failed by using the svcs -x command. The output from this command indicates that there is an issue with the start method: it exited with $SMF_EXIT_ERR_FATAL.

Note: You can examine the log named on the See: line, /var/svc/log/application-time-slider:default.log, for further details.
Your next step is to determine what in the execution method configuration in the time-slider.xml manifest file is causing the problem. However, before you do that, you are going to delete the faulty service instance by using the svccfg delete command. Be aware that svccfg delete removes the instance together with any administrative customizations made to it in the repository; if those must survive, fix the manifest and re-import it without deleting the instance.

Oracle Solaris 11 Advanced System Administration 7 - 53


Restoring a Service
in Maintenance State: Example
# svcadm refresh time-slider:default
# svcadm enable time-slider:default
# svcadm clear time-slider:default
# svcs time-slider:default
STATE          STIME    FMRI
online          9:37:52 svc:/application/time-slider:default


Assume you opened the time-slider.xml manifest file, found the problem with the start method, fixed it, and imported the file into SMF. You are now ready to bring the service back up. To do this, you first refresh the service by using the svcadm refresh command to make sure SMF is reading the new service manifest file, enable the service, and then restore the service by using the svcadm clear command. You then verify that the service is back online, and it is. You have successfully restored the service.

Oracle Solaris 11 Advanced System Administration 7 - 54

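For both troubleshooting procedures above (svcs -xv for a service that is not starting, and the maintenance-state recovery on this and the previous page), the following is an added example, not code from the guide: a parser that pulls the fields an on-call engineer acts on out of an svcs -x report, and a recovery function that runs the guide's steps in order, refusing to clear an instance that is not actually in maintenance, showing the tail of the log that svcs -x names, and terminating leftover contract processes with SIGTERM before resorting to SIGKILL. svcs and svcadm exist only on Solaris; the parser is exercised on the reports shown in the slides.

```sh
#!/bin/sh
# Added example (not from the guide): parse an `svcs -x FMRI` report and drive
# the maintenance recovery from it. svcs/svcadm exist only on Solaris; the
# parser runs on any POSIX shell.

# One field of an `svcs -x FMRI` report: fmri, state, reason or log (the path
# on the "See: /var/svc/log/..." line). Exit 1 when the field is absent.
svcs_x_field() {               # usage: svcs -x FMRI | svcs_x_field FIELD
    awk -v field="$1" '
        field == "fmri"   && /^svc:\//                  { sub(/ .*/, ""); print; found = 1 }
        field == "state"  && /^ *State:/                { print $2; found = 1 }
        field == "reason" && /^ *Reason:/               { sub(/^ *Reason: */, ""); print; found = 1 }
        field == "log"    && /^ *See: \/var\/svc\/log\// { print $2; found = 1 }
        END { exit found ? 0 : 1 }'
}

# PIDs still attached to the instance, from `svcs -Hp FMRI` (lines "STIME PID CMD").
svcs_pids() {
    awk 'NF == 3 && $2 ~ /^[0-9]+$/ { print $2 }'
}

# Recovery steps for an instance in maintenance. Nothing is cleared unless the
# instance really is in maintenance: `svcadm clear` on a disabled or healthy
# instance only hides the state you were trying to diagnose.
smf_recover() {                # usage: smf_recover FMRI
    fmri=$1
    report=$(svcs -x "$fmri") || return 1
    state=$(printf '%s\n' "$report" | svcs_x_field state)
    if [ "$state" != maintenance ]; then
        echo "$fmri is in state '$state', not maintenance; nothing to clear" >&2
        return 2
    fi
    echo "reason: $(printf '%s\n' "$report" | svcs_x_field reason)"
    if log=$(printf '%s\n' "$report" | svcs_x_field log); then
        echo "last lines of $log:"
        tail -20 "$log"
    fi
    # Step 2: SIGTERM first; SIGKILL only for a process that ignores it.
    for pid in $(svcs -Hp "$fmri" | svcs_pids); do
        kill -TERM "$pid" 2>/dev/null
        sleep 2
        kill -0 "$pid" 2>/dev/null && kill -KILL "$pid"
    done
    # Step 4: tell the restarter the fault is fixed. The cause must already be
    # repaired (step 3) or the instance returns to maintenance immediately.
    svcadm clear "$fmri" && svcs "$fmri"
}
```

Run smf_recover svc:/application/time-slider:default after the manifest has been fixed and re-imported; the reason and log tail it prints are what you want in the incident record, and the state check stops the common mistake of clearing a service that an administrator disabled on purpose.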

Reverting to an SMF Snapshot
1. Run the svccfg command.
a. Select the service instance that you want to fix.
b. Generate a list of available snapshots by using listsnap.
c. Select to revert to the start snapshot by using revert start.
d. Quit svccfg by using quit.
2. Update the information in the service configuration repository by using svcadm refresh FMRI.
3. Restart the service instance by using svcadm restart FMRI.

If the service's administrative customizations are wrong, you can fix the problem by reverting
to the last snapshot that started successfully. The steps for how to revert to a previous SMF
snapshot are shown in the slide.

Notes for step 1a: You must use an FMRI that fully defines the instance. No shortcuts are
allowed.
Notes for step 1c: The start snapshot is the last snapshot in which the service successfully
started.
Notes for step 2: This step updates the repository with the configuration information from the
start snapshot.
Note: None of the file-backed properties (that is, properties delivered via manifests or profiles)
from the snapshot are restored. Instead, all the administrative customizations in the current
configuration are removed, and then all the administrative customizations from the selected
snapshot are propagated forward.


Reverting to an SMF Snapshot: Example

# svccfg
svc:> select system/console-login:default
svc:/system/console-login:default> listsnap
initial
last-import
previous
running
start
svc:/system/console-login:default> revert start
svc:/system/console-login:default> quit
# svcadm refresh system/console-login:default
# svcadm restart system/console-login:default
# svcs console-login:default
online 18:15:32 svc:/system/console-login:default

In the example shown in the slide, it is assumed that the console-login:default service
is in the maintenance state. To resolve the issue, you have decided to revert to a previous
SMF snapshot to bring the service back online. You have selected the start snapshot.
Note: The version of the snapshot you choose to use is based on what you are trying to
accomplish.
When you have selected the type of snapshot you want, you quit the service configuration.
You then refresh and restart the service. Your final step is to verify that the service is back
online.


Configuration Repository
Failed Integrity Check Process
Message is sent to console if integrity check fails:

svc.configd: smf(5) database integrity check of:
/etc/svc/repository.db
failed. The database might be damaged or a media error might have
prevented it from being verified. Additional information useful to
your service provider is in:
/etc/svc/volatile/db_errors
The system will not be able to boot until you have restored a working
database. svc.startd(1M) will provide a sulogin(1M) prompt for
recovery purposes. The command:
/lib/svc/bin/restore_repository
can be run to restore a backup version of your repository. See
http://sun.com/msg/SMF-8000-MY for more information.

When the repository daemon, svc.configd, is started, it does an integrity check of the
configuration repository. If the integrity check fails, the svc.configd daemon writes a
message to the console similar to the one shown in the slide. The svc.startd daemon then
exits and starts sulogin to enable you to perform maintenance as shown on the next page.
Note: The repository can become corrupted due to one of the following reasons:
• Disk failure
• Hardware bug
• Software bug
• Accidental overwrite of the file


Repairing a Corrupt Repository
1. Enter the root password at the sulogin prompt.
2. Run the following command:
/lib/svc/bin/restore_repository
3. Enter the appropriate response.
4. Enter yes to remedy the fault.

Notes for step 1: sulogin enables the root user to enter system maintenance mode to
repair the system.

Notes for step 2: Running this command takes you through the necessary steps to restore a
non-corrupt backup. SMF automatically takes backups of the repository at key system
moments. When started, the /lib/svc/bin/restore_repository command displays a
message similar to the following:
Repository Restore utility
See http://sun.com/msg/SMF-8000-MY for more information on the use of
this script to restore backup copies of the smf(5) repository.
If there are any problems which need human intervention, this script
will give instructions and then exit back to your shell.
Note that upon full completion of this script, the system will be
rebooted using reboot(1M), which will interrupt any active services.


If the system that you are recovering is not a local zone, the script explains how to remount
the / and /usr file systems with read and write permissions to recover the databases. The
script exits after printing these instructions. Follow the instructions, paying special attention to
any errors that might occur.
After the root (/) file system is mounted with write permissions, or if the system is a local
zone, you are prompted to select the repository backup to restore, as follows:
The following backups of /etc/svc/repository.db exists, from oldest to newest:
... list of backups ...

Backups are given names, based on type and the time the backup was taken. Backups
beginning with boot are completed before the first change is made to the repository after
system boot. Backups beginning with manifest_import are completed after
svc:/system/manifest-import:default finishes its process. The time of the backup is
given in YYYYMMDD_HHMMSS format.

Notes for step 3: Typically, you will select the most recent backup option. The list of options
is as follows:
Please enter one of:
1) boot, for the most recent post-boot backup
2) manifest_import, for the most recent manifest_import backup.
3) a specific backup repository from the above list
4) -seed-, the initial starting repository. (All customizations
will be lost.)
5) -quit-, to cancel.
Enter response [boot]:
If you press Enter without specifying a backup to restore, the default response, enclosed in
[ ], is selected. Selecting -quit- exits the restore_repository script, returning you to
your shell prompt.
Selecting -seed- restores the seed repository. This repository is designed for use during
initial installation and upgrades. Using the seed repository for recovery purposes should be a
last resort.
After the backup to restore has been selected, it is validated and its integrity is checked. If
there are any problems, the restore_repository command prints error messages and
prompts you for another selection.


When a valid backup is selected, the following information is printed and you are prompted for
final confirmation.
After confirmation, the following steps will be taken:
svc.startd(1M) and svc.configd(1M) will be quiesced, if running.
/etc/svc/repository.db
-- renamed --> /etc/svc/repository.db_old_YYYYMMDD_HHMMSS
/etc/svc/volatile/db_errors
-- copied --> /etc/svc/repository.db_old_YYYYMMDD_HHMMSS_errors
repository_to_restore
-- copied --> /etc/svc/repository.db
and the system will be rebooted with reboot(1M).
Proceed [yes/no]?

s

an
r
t
n

o

an
s
ha ฺ
)
om uide
c
ฺ
l
ai nt G
m
g ude
@
t
o
S
d
l
s
na thi
o
r
ฺ
se
o
r
u
e
ic e to
c
(
do icens
l
a
l
on

R
o
r
ce

Ci

Oracle Solaris 11 Advanced System Administration 7 - 60

le

b
a
r
e
f

Notes for step 4: The system reboots after the restore_repository command executes
all the listed actions.


Repairing a Corrupt Repository: Example

# cd /lib/svc/bin
#:/lib/svc/bin# ./restore_repository

The following backups of /etc/svc/repository.db exist, from oldest to newest:
manifest_import-20111215_035411
boot-20111214_124026
boot-20111215_150206
Please enter either a specific backup repository from the above list to restore it,
or one of the following choices:

CHOICE            ACTION
---------------   ----------------------------------------
boot              restore the most recent post-boot backup
manifest_import   restore the most recent manifest_import backup
-seed-            restore the initial starting repository (All
                  customizations will be lost, including those
                  made by the install/upgrade process.)
-quit-            cancel script and quit

Enter response [boot]: boot-20111215_150206

In the example shown in the slide, you are restoring the repository by using the most recent
post-boot backup option. The confirmation for this selection is shown on the next page.


Repairing a Corrupt Repository: Example

…
After confirmation, the following steps will be taken:
svc.startd(1M) and svc.configd(1M) will be quiesced, if running.
/etc/svc/repository.db
-- renamed --> /etc/svc/repository.db_old_20111215_060922
/etc/svc/repository-boot-20111215_150206
-- copied --> /etc/svc/repository.db
and the system will be rebooted with reboot(1M).
Proceed [yes/no]? yes

Here you are prompted for the final confirmation. You enter yes to tell the system to remedy
the fault. After the restore_repository command executes all the listed actions, the
system reboots.


Debugging the Services During a System Boot
1. Log in to the system as root.
2. Enable all services by using svcadm milestone all.
3. Determine where the boot process is hanging:
a. Run svcs -a to determine which services are not running.
b. Look for error messages in the log files in /var/svc/log.
4. After fixing the problems, verify that all services have started.
a. Verify that all needed services are online by using svcs -x.
b. Verify that the console-login service dependencies are satisfied by using
svcs -l system/console-login:default.
5. Continue the normal booting process.

If problems with starting services occur, sometimes a system will hang during the boot. You
can use the steps shown in the slide to troubleshoot this problem.
Notes for step 2: There is an additional system state associated with the all milestone.
With the all milestone, all the services with a defined dependency on the multiuser-server
milestone are started, as well as any services that do not have a defined dependency. If you
have added services, such as third-party products, they may not be started automatically
unless you use the boot -m milestone=all command.
Notes for step 4b: This command verifies that the login process on the console will run.


Addressing system/filesystem/local:default
Service Failures During Boot
1. Modify the system/console-login service as follows
by using svccfg -s svc:/system/console-login:

svc:/system/console-login> addpg site,filesystem-local dependency
svc:/system/console-login> setprop site,filesystem-local/entities = fmri: svc:/system/filesystem/local
svc:/system/console-login> setprop site,filesystem-local/grouping = astring: require_all
svc:/system/console-login> setprop site,filesystem-local/restart_on = astring: none
svc:/system/console-login> setprop site,filesystem-local/type = astring: service
svc:/system/console-login> end

2. Refresh the service by using svcadm refresh console-login.

Local file systems that are not required to boot the system are mounted by the
svc:/system/filesystem/local:default service. When any of those file systems are
unable to be mounted, the service enters a maintenance state. System startup continues, and
any services that do not depend on filesystem/local are started. Services that require
filesystem/local to be online before starting through dependencies are not started. To
change the configuration of the system so that a sulogin prompt appears immediately after
the service fails instead of allowing system startup to continue, you can use the steps shown
in the slide.
Note: When a failure occurs with the system/filesystem/local:default service, the
svcs -vx command should be used to identify the failure. After the failure has been fixed,
the following command clears the error state and allows the system boot to continue: svcadm
clear filesystem/local.


Practice 7-3 Overview:
Restoring and Recovering a Service
This practice covers the following topics:
• Restoring a service in maintenance state
• Reverting to a previous SMF snapshot
• Repairing a corrupt repository
• Debugging a service that is not starting

This practice should take you about 20 minutes to complete.

Summary
In this lesson, you should have learned how to:
• Implement a plan to configure services
• Configure SMF services
• Recover a service from a snapshot
• Troubleshoot SMF services

Configuring Privileges and Role-Based Access Control

Objectives
After completing this lesson, you should be able to:
• Implement a plan to configure privileges
• Implement a plan to configure role-based access control
• Configure privileges
• Manage privileges
• Configure role-based access control
• Use role-based access control
Workflow Orientation


[Workflow diagram: IPS, AI Installation, Monitoring, Data Storage, Resource Evaluation, Processes, Enterprise Datacenter, Network Configuration, Privileges, Network Virtualization, Auditing, Services]

Before you begin the lesson, take just a moment to orient yourself in your job workflow. You
have successfully installed the operating system and have updated it. You have configured
the data storage environment as well as the physical and virtual networks. You have also
ensured that all the system services are up and running. In the Oracle Solaris 11 Operating
System, the root, a process, and a non-root user need appropriate privileges to perform their
functions. To protect the integrity of system resources, the system administrator is responsible
for ensuring that both users and processes have been granted the appropriate level of
privilege.


Lesson Agenda
• Planning for User Privileges and Roles Assignments
• Configuring and Managing Privileges
• Configuring and Using RBAC

Planning for User Privileges and Roles Assignments
User privilege and roles assignment planning is required to ensure that:
• Processes and users have the appropriate level of access they need to perform their functions
• Company's process rights management and role-based access control requirements are met

Your company is very security conscious and wants to ensure that processes and users have
only the level of access or privilege to system resources they need to perform their required
functions. The predeployment plan contains activities to investigate what features and
functionality Oracle Solaris 11 offers that would support the company's security policy,
specifically in the area of process rights management and role-based access control.

In this topic, you learn how Oracle Solaris 11 supports process rights management and role-based access control.


Process Rights Management and Privileges
• Process rights management
– Enables processes to be restricted at the command, user, role, or system level
– Is implemented through privileges
• Privileges
– Decrease the security risk associated with one user or one process having full superuser capabilities on a system
– Allow gradation between user capabilities and root capabilities
– Restrict programs and processes to only the capabilities that the program requires (principle of least privilege)

Process rights management enables processes to be restricted at the command, user, role, or
system level. The Oracle Solaris OS implements process rights management through
privileges. Privileges decrease the security risk that is associated with one user or one
process having full superuser capabilities on a system.

A system that enforces policy with privileges allows a gradation between user capabilities and
root capabilities. A user can be granted privileges to perform activities that are beyond the
capabilities of regular users, and root can be limited to fewer privileges than root currently
possesses. With RBAC, a command that runs with privileges can be isolated in a rights profile
and assigned to one user or role.
Privileges, then, can restrict programs and processes to just the capabilities that the program
requires. This capability is called the principle of least privilege. On a system that implements
least privilege, an intruder who captures a process can access only those privileges that the
process has. The rest of the system cannot be compromised.


Displaying Privilege Descriptions
• FILE privileges: Privileges that begin with the string file operate on file system objects.
• IPC privileges: Privileges that begin with the string ipc override IPC object access controls.
• NET privileges: Privileges that begin with the string net give access to specific network functionality.
• PROC privileges: Privileges that begin with the string proc allow processes to modify restricted properties of the process itself.
• SYS privileges: Privileges that begin with the string sys give processes unrestricted access to various system properties.

Privileges are logically grouped on the basis of the area of the privilege. The areas of privilege
are as follows:
• FILE privileges: Privileges that begin with the string file operate on file system
objects. For example, the file_dac_write privilege overrides discretionary access
control when writing to files.
• IPC privileges: Privileges that begin with the string ipc override IPC object access
controls. For example, the ipc_dac_read privilege enables a process to read remote
shared memory that is protected by DAC.
• NET privileges: Privileges that begin with the string net give access to specific
network functionality. For example, the net_rawaccess privilege enables a device to
connect to the network.
• PROC privileges: Privileges that begin with the string proc enable processes to modify
restricted properties of the process itself. PROC privileges include privileges that have a
very limited effect. For example, the proc_clock_highres privilege enables a
process to use high-resolution timers.
• SYS privileges: Privileges that begin with the string sys give processes unrestricted
access to various system properties. For example, the sys_linkdir privilege enables
a process to make and break hard links to directories.

Implementing Privileges
• Effective privilege set, or E: Set of privileges that are currently in effect
• Inheritable privilege set, or I: Set of privileges that a process can inherit across a call to exec
• Permitted privilege set, or P: Set of privileges that are available for use
• Limit privilege set, or L: Outside limit of the privileges that are available to a process and its children. By default, the limit set is all privileges.

E (Effective): basic
I (Inheritable): basic
P (Permitted): basic
L (Limit): all

Every process has four sets of privileges that determine whether a process can use a
particular privilege. The kernel automatically calculates the effective set of privileges. You can
modify the initial inheritable set of privileges. A program that is coded to use privileges can
reduce the program's permitted set of privileges. You can shrink the limit set of privileges.
• Effective privilege set, or E: Is the set of privileges that are currently in effect. A
process can add privileges that are in the permitted set to the effective set. A process
can also remove privileges from E.
• Inheritable privilege set, or I: Is the set of privileges that a process can inherit across a
call to exec. After the call to exec, the permitted and the effective sets are equal, except
in the special case of a setuid program. For a setuid program, after the call to exec,
the inheritable set is first restricted by the limit set. Then, the set of privileges that were
inherited (I), minus any privileges that were in the limit set (L), are assigned to P and E
for that process.

• Permitted privilege set, or P: Is the set of privileges that are available for use.
Privileges can be available to a program from inheritance or through assignment. An
execution profile is one way to assign privileges to a program. The setuid command
assigns all privileges that root has to a program. Privileges can be removed from the
permitted set, but privileges cannot be added to the set. Privileges that are removed
from P are automatically removed from E.
Note: A privilege-aware program removes the privileges that a program never uses from
the program's permitted set. In this way, unnecessary privileges cannot be exploited by
the program or a malicious process.
• Limit privilege set, or L: Is the outside limit of what privileges are available to a
process and its children. By default, the limit set is all privileges. Processes can shrink
the limit set but can never extend the limit set. L is used to restrict I. Consequently, L
restricts P and E at the time of execution.

If a user is assigned a profile with a program that has been assigned privileges, the user can
usually run that program. On an unmodified system, the program's assigned privileges are
within the user's limit set. The privileges that have been assigned to the program become part
of the user's permitted set. To run the program that has been assigned privileges, the user
must run the program from a profile shell.

The kernel recognizes a basic privilege set. On an unmodified system, each user's initial
inheritable set equals the basic set at login. Although you cannot modify the basic set, you
can modify which privileges a user inherits from the basic set. On an unmodified system, a
user's privilege sets at login would appear similar to the example shown in the slide.
Therefore, at login, all users have the basic set in their inheritable set, their permitted set, and
their effective set. A user's limit set is equivalent to the default limit set for the zone, global or
non-global. To put more privileges in the user's effective set, you must assign a rights profile
to the user. The rights profile would include commands to which you have added privileges.
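The rules for the four sets, worked through as an added Python model (not Oracle code): the privilege names are a constructed subset of privileges(5), "basic" stands for the basic set, and exec follows the rule stated above (I restricted by L becomes both P and E).

```python
"""Model of the four Solaris privilege sets E, I, P and L described in the notes.

Added illustration, not Oracle code. ALL_PRIVS and BASIC are a constructed
subset of the real privilege names; the rules are those stated in the notes.
"""
from dataclasses import dataclass

# Constructed universe: five "basic" privileges plus one from each other area.
BASIC = frozenset({"file_link_any", "proc_exec", "proc_fork",
                   "proc_info", "proc_session"})
ALL_PRIVS = BASIC | {"file_dac_write", "ipc_dac_read", "net_rawaccess",
                     "proc_clock_highres", "sys_linkdir"}


@dataclass
class PrivSets:
    E: frozenset  # effective: what the kernel checks right now
    I: frozenset  # inheritable: carried across exec
    P: frozenset  # permitted: may be raised into E
    L: frozenset  # limit: outer bound for this process and its children

    @classmethod
    def at_login(cls, inheritable=BASIC, limit=ALL_PRIVS):
        """Unmodified system: E = I = P = basic, L = all (the slide's example)."""
        return cls(E=inheritable, I=inheritable, P=inheritable, L=limit)

    def add_effective(self, privs):
        """A process may add to E only privileges that are already in P."""
        privs = frozenset(privs)
        if not privs <= self.P:
            raise PermissionError(f"not permitted: {sorted(privs - self.P)}")
        self.E = self.E | privs

    def drop_effective(self, privs):
        """A process can always remove privileges from E."""
        self.E = self.E - frozenset(privs)

    def drop_permitted(self, privs):
        """Removing from P automatically removes from E; P can never grow."""
        privs = frozenset(privs)
        self.P = self.P - privs
        self.E = self.E - privs

    def shrink_limit(self, privs):
        """L can only shrink, never extend; it takes effect through I at exec."""
        self.L = self.L - frozenset(privs)

    def exec_(self):
        """After exec: I is first restricted by L, and the result is assigned
        to P and E of the new image (non-setuid case from the notes)."""
        inherited = self.I & self.L
        return PrivSets(E=inherited, I=inherited, P=inherited, L=self.L)

    def can_use(self, priv):
        """The kernel consults the effective set."""
        return priv in self.E


def least_privilege_walkthrough():
    """A privilege-aware program raises net_rawaccess from a rights profile,
    then drops it from P once it is no longer needed. Returns whether the
    privilege is still usable and whether it could be regained afterwards."""
    proc = PrivSets.at_login()
    proc.P = proc.P | {"net_rawaccess"}      # granted via a rights profile
    proc.add_effective({"net_rawaccess"})    # raised while it is needed
    proc.drop_permitted({"net_rawaccess"})   # dropped for good
    try:
        proc.add_effective({"net_rawaccess"})
        regained = True
    except PermissionError:
        regained = False
    return proc.can_use("net_rawaccess"), regained
```

A process captured after drop_permitted holds nothing more than BASIC, which is the "rest of the system cannot be compromised" point of the notes.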

Role-Based Access Control (RBAC)

[Diagram: Users are assigned Roles; Roles contain Rights Profiles, which can include Supplementary Rights Profiles, Commands with Privileges, Authorizations, and Security Attributes]

RBAC is a security feature for controlling user access to tasks that would normally be
restricted to the superuser. RBAC collects superuser capabilities into rights profiles. Rights
profiles can contain authorizations, privileges, privileged commands, and other supplementary
rights profiles. Privileged commands are commands that execute with security attributes.
Rights profiles are assigned to special user accounts that are called roles. A user can then
assume a role to do a job that requires some of the superuser's capabilities.
Take a closer look at each of the key RBAC concepts, beginning with roles.


Roles
A role:
• Is a special type of user account that performs a set of administrative tasks
• Contains one or more rights profiles
• Provides access to restricted functionality

[Diagram: the user John is assigned the role Operator, which contains rights profiles made up of individual rights]

# roles john
Operator

A role is a special type of user account that performs a set of administrative tasks. Usually, a
role contains one or more rights profiles, and a user is associated with one or more roles to
gain access to restricted functionality. A role can be shared among users. Because of this,
roles are preferred in RBAC as they simplify the management of large numbers of users.

Note: A role cannot log in to the system. A user must be logged in to the system to assume a
role.
The graphic illustrates how the user John is assigned the Operator role, which contains
several rights profiles.
The roles assigned to a user can be displayed by using the roles command. In the code
example, the roles assigned to the user john are displayed. john has one role assigned to
him: the Operator role.


Rights Profile
• Is a collection of rights that can be assigned to a user or role
• Rights are commands or scripts run with special security attributes.

[Diagram: the role Operator holds the rights profiles Operator, Basic, and All; the Operator profile contains rights such as Printer and Job Mgmt]

# profiles john
Operator
Basic Solaris User
All

A rights profile can consist of authorizations, commands with security attributes, and other
rights profiles. Rights profiles offer a convenient way to group security attributes.
New rights profiles can be created by editing this file. You are shown how to do this later in
this lesson.
The graphic illustrates rights profiles being assigned to the user john.
The profiles assigned to a user can be displayed by using the profiles command. In the
code example, the profiles assigned to the user john are displayed. john has three rights
profiles assigned to him: Operator, Basic Solaris User, and ALL.


Basic Solaris User Rights Profile

# getent prof_attr | grep 'Basic Solaris User'
Basic Solaris User:RO::Automatically assigned rights:auths=solaris.mail.mailq,solaris.network.autoconf.read,solaris.admin.wusb.read;profiles=All;help=RtDefault.html

All users have the Basic Solaris User profile by default. This profile grants users access
to all listed authorizations, as indicated by auths=.
Note: An authorization is divided into hierarchies, which are separated by periods. For
example, in the solaris.network.autoconf.read authorization, the first level of the
hierarchy is solaris, followed by the second level, which is network.autoconf (automatic
configuration of the network), and the third level, which is read. Taken together,
this entry is giving the basic user the authority to display the rights profile. The
solaris.mail.mailq authorization enables the basic user to look at the mail queue, and
so on.
Note: Other default authorizations for every user can be defined in the
/etc/security/policy.conf file.
A semicolon in a rights profile means that a different type of information is being specified, an
example of which can be seen just before profiles=All. In this case, the Basic Solaris
User profile is being attached to the All profile. The last field is a help file.
Note: The profiles=All field grants unrestricted access to all Oracle Solaris OS
commands that have not been restricted by a definition in a previously listed authorization.

Oracle Solaris 11 Advanced System Administration 8 - 13


Interpreting the /etc/security/policy.conf File

# cat /etc/security/policy.conf
#
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
CONSOLE_USER=Console User
# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords. This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
#
# LOCK_AFTER_RETRIES specifies the default account locking policy for local
# user accounts (passwd(4)/shadow(4)). The default may be overridden by
# a user's user_attr(4) "lock_after_retries" value.
# YES enables local account locking, NO disables local account locking.
# The default value is NO.
#
#LOCK_AFTER_RETRIES=NO

Rights profiles given to all new user accounts are defined in the /etc/security/policy.conf file. The settings in this file determine the default privileges that users have. If they are not set, the default privileges are taken from the inherited set. There are two different settings: PRIV_DEFAULT determines the default set on login, and PRIV_LIMIT defines the limit set on login. Individual users can have privileges assigned or taken away through user_attr.

Oracle Solaris 11 Advanced System Administration 8 - 14

Authorizations and Privileges

[Graphic: authorizations attached directly to User John, to the Operator role, and to the rights profiles that the Operator role contains.]

# auths john
solaris.admin.wusb.read,solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq,solaris.profmgr.read
An authorization is a name associated with the right to access restricted functionality. Authorizations enforce policy at the user application level. Authorizations can be assigned directly to a role or to a user. Typically, authorizations are included in a rights profile. The rights profile is then included in a role, and the role is assigned to a user. For example, security policy at installation gives regular users the solaris.device.cdrw authorization. This authorization enables users to read and write to a CD-ROM device.
The graphic illustrates that authorizations can be assigned to user accounts, to roles, or embedded in a rights profile, which can be assigned to a user or a role.
The authorizations assigned to a user can be displayed by using the auths command. In the code example, the authorizations assigned to the user john are displayed. john has all Oracle Solaris authorizations assigned to him.
A privilege is a discrete right that can be granted to a command, a user, a role, or a system. Privileges enable a process to succeed. For example, the proc_exec privilege allows a process to call execve(). Regular users have basic privileges.

Oracle Solaris 11 Advanced System Administration 8 - 15

Security Attributes
• Enable a process to perform an operation that is otherwise forbidden to regular users
• Include authorizations and privileges and setuid and setgid programs
• Can be assigned to a user

A security attribute is an attribute that enables a process to perform an operation.
In a typical UNIX environment, a security attribute enables a process to perform an operation that is otherwise forbidden to regular users. For example, as seen in the lesson "Managing Services and Service Properties," the setuid and setgid programs have security attributes. In the RBAC model, authorizations and privileges are security attributes in addition to the setuid and setgid programs. These attributes can be assigned to a user. For example, a user with the solaris.device.allocate authorization can allocate a device for exclusive use. Privileges can be placed on a process. For example, a process with the file_flag_set privilege can set immutable, no-unlink, or append-only file attributes.

Oracle Solaris 11 Advanced System Administration 8 - 16

Key RBAC Files

[Graphic: the four RBAC files and what they hold: auth_attr (authorizations), user_attr (users and roles), prof_attr (profiles), exec_attr (privileges).]

The roles, rights profiles, authorizations, and privileged commands are defined in four files:
• user_attr: Contains the rights profiles and authorizations associated with users and roles that supplement the /etc/passwd and /etc/shadow files
• auth_attr: Contains authorization attributes
• exec_attr: Contains execution attributes
• prof_attr: Contains rights profiles
These files are interrelated as illustrated in the graphic. Take a closer look at the contents of each file, beginning with the user_attr file.
Oracle Solaris 11 Advanced System Administration 8 - 17

Interpreting the user_attr File

# getent user_attr | grep chris
chris::::type=normal;profiles=Printer Management

The user_attr file uses colons (:) to separate the fields on each line. The first field is the username as it appears in the /etc/passwd and /etc/shadow files. The middle fields are reserved for future use, and the last field is a list of semicolon-separated (;) key-value pairs that describe the security attributes to be applied when the user runs commands.

Oracle Solaris 11 Advanced System Administration 8 - 18

Interpreting the auth_attr File

# getent auth_attr | more
solaris.smf.manage.cups:::Manage CUPS service states::help=ManageCUPS.html
solaris.smf.manage.dt.:::Manage Desktop Service States::help=ManageDtHeader.html
solaris.smf.manage.dt.login:::Manage Desktop Login Service States::help=ManageDtLogin.html
solaris.smf.manage.dbus:::Manage D-BUS Service States::help=SmfDBUSStates.html
solaris.smf.value.tcsd:::Change TPM Administation value properties::
solaris.smf.manage.tcsd:::Manage TPM Administration service states::
solaris.smf.manage.servicetags:::Manage Service Tags Service States::help=StStates.html
solaris.smf.value.servicetags:::Change Service Tag Service Property Values::help=StValue.html
solaris.:RO::All Solaris Authorizations::help=AllSolAuthsHeader.html
solaris.account.:RO::Account Management::help=AccountHeader.html
The predefined authorizations are listed in the configuration file for authorization attributes named auth_attr, an example of which is shown here. Each entry in the auth_attr database consists of one line of text containing six fields separated by colons (:). The format of each entry is:
name:res1:res2:short_desc:long_desc:attr
The description for each field is as follows:
• name: Name of the authorization. Authorization names are unique strings.
• res1: The characters RO in this field indicate it is read only and not modifiable by the tools that update this database.
• res2: Reserved for future use
• short_desc: Short description or terse name for the authorization
• long_desc: Reserved for future use
• attr: An optional list of semicolon-separated (;) key-value pairs that describe the attributes of an authorization. Zero or more keys may be specified. The keyword help identifies a help file in HTML.

Oracle Solaris 11 Advanced System Administration 8 - 19

Note: Authorizations can end with various suffixes:
• .read: Provides read access to user configuration files. Example: solaris.admin.usermgr.read
• .write: Provides write access to user configuration files. Example: solaris.admin.usermgr.write
• .pswd: Provides password access to user configuration files. Example: solaris.admin.usermgr.pswd
• .grant: Permits a user to delegate any assigned authorizations that begin with the same prefix to other users.
  Example: solaris.admin.usermgr.grant

Oracle Solaris 11 Advanced System Administration 8 - 20

Interpreting the exec_attr File

# getent exec_attr | grep 'Network Management'
Network Management:solaris:cmd:RO::/usr/sbin/dladm:euid=dladm;egid=netadm;privs=sys_dl_config,net_rawaccess,proc_audit
Network Management:solaris:cmd:RO::/usr/sbin/dlstat:euid=dladm;egid=sys
Network Management:solaris:cmd:RO::/usr/sbin/flowadm:euid=dladm;egid=sys;privs=sys_dl_config,net_rawaccess,proc_audit
Network Management:solaris:cmd:RO::/usr/sbin/flowstat:euid=dladm;egid=sys
Network Management:solaris:cmd:RO::/usr/sbin/ipadm:euid=netadm;egid=netadm;privs=sys_ip_config,net_rawaccess
Network Management:solaris:cmd:RO::/usr/bin/netstat:uid=0
Network Management:solaris:cmd:RO::/usr/bin/rup:euid=0
Network Management:solaris:cmd:RO::/usr/bin/ruptime:euid=0
Network Management:solaris:cmd:RO::/usr/bin/setuname:euid=0
Network Management:solaris:cmd:RO::/usr/sbin/asppp2pppd:euid=0
Network Management:solaris:cmd:RO::/usr/sbin/ifconfig:uid=0
...

An execution attribute is associated with a rights profile name. An execution attribute can be a command with no options or a script that contains a command with options. Each entry in the exec_attr database consists of one line of text containing seven fields separated by colons (:). The basic format of each entry is:
name:policy:type:res1:res2:id:attr
The description for each field is as follows:
• name: Name of the profile. Profile names are case-sensitive.
• policy: Security policy that is associated with the profile entry. The valid policies are suser (standard Solaris superuser) and solaris. The solaris policy recognizes privileges; the suser policy does not.
• type: Type of object defined in the profile. The cmd type specifies that the ID field is a command that would be executed by a shell.

Oracle Solaris 11 Advanced System Administration 8 - 21

• res1: The characters RO in this field indicate it is read only and not modifiable by the tools that update this database.
• res2: Reserved for future use
• id: A string that uniquely identifies the object described by the profile. For a profile of type cmd, the ID is either the full path to the command or the asterisk (*) symbol, which is used to allow all commands. An asterisk that replaces the file name component in a path name indicates all files in a particular directory.
• attr: An optional list of semicolon-separated (;) key-value pairs that describe the security attributes to apply to the object upon execution. Zero or more keys may be specified. The list of valid keywords depends on the policy enforced. The following keywords are valid: euid, uid, egid, gid, privs, and limitprivs.
  - euid and uid: Contain a single user name or a numeric user ID. Commands designated with euid run with the effective UID indicated, which is similar to setting the setuid bit on an executable file. Commands designated with uid run with both the real and effective UIDs.
  - egid and gid: Contain a single group name or a numeric group ID. Commands designated with egid run with the effective GID indicated, which is similar to setting the setgid bit on a file. Commands designated with gid run with both the real and effective GIDs.
  - privs: Contains a privilege set that will be added to the inheritable set before running the command
  - limitprivs: Contains a privilege set that will be assigned to the limit set before running the command
Note: privs and limitprivs are valid only for the solaris policy.
The example in the slide shows the commands and special security attributes for the Printer Management rights profile.

Oracle Solaris 11 Advanced System Administration 8 - 22

Interpreting the prof_attr File

# getent prof_attr | more
NTP Management:RO::Manage the NTP service:auths=solaris.smf.manage.ntp,solaris.smf.value.ntp
TPM Administration:RO::Administer Privileged TPM Operations:auths=solaris.smf.manage.tcsd,solaris.smf.value.tcsd
D-BUS Management:RO::Manage D-BUS:auths=solaris.smf.manage.dbus;help=RtDBUSMngmnt.html
DTrace Toolkit::::
Desktop Removable Media User:RO::Access removable media for desktop user:
Console User:RO::Manage System as the Console User:profiles=Desktop Removable Media User,Suspend To RAM,Suspend To Disk,Brightness,CPU Power Management,Network Autoconf User;auths=solaris.system.shutdown,solaris.device.cdrw,solaris.device.mount.removable,solaris.smf.manage.vbiosd,solaris.smf.value.vbiosd;help=RtConsUser.html
All:RO::Execute any command as the user or role:help=RtAll.html
Administrator Message Edit:RO::Update administrator message files:auths=solaris.admin.edit/etc/issue,solaris.admin.edit/etc/motd;help=RtAdminMsg.html
Audit Configuration:RO::Configure Solaris Audit:auths=solaris.smf.value.audit;help=RtAuditCfg.html
Audit Control:RO::Control Solaris Audit:auths=solaris.smf.manage.audit;help=RtAuditCtrl.html
Audit Review:RO::Review Solaris Auditing logs:help=RtAuditReview.html
Contract Observer:RO::Reliably observe any/all contract events:help=RtContractObserver.html

An execution profile is a mechanism that is used to bundle together the commands and authorizations needed to perform a specific function. Each entry in the prof_attr database consists of one line of text containing five fields separated by colons (:). The format of each entry is:
profname:res1:res2:desc:attr
The description for each field is as follows:
• name: Name of the profile. Profile names are case-sensitive.
• res1: The characters RO in this field indicate it is read only and not modifiable by the tools that update this database.
• res2: Reserved for future use
• desc: A long description that explains the purpose of the profile, including what type of user would be interested in using it

Oracle Solaris 11 Advanced System Administration 8 - 23

• attr: An optional list of semicolon-separated (;) key-value pairs that describe the security attributes to apply to the object upon execution. There are four valid keys: help, profiles, auths, and privs.
  - help: Assigned the name of a file ending in .htm or .html
  - auths: Specifies a comma-separated list of authorization names chosen from those names defined in the auth_attr database.
    Authorization names can be specified using the asterisk (*) character as a wildcard. For example, solaris.printer.* would mean all of the Oracle Solaris authorizations for printing.
  - profiles: Specifies a comma-separated list of profile names chosen from those names defined in the prof_attr database
  - privs: Specifies a comma-separated list of privilege names chosen from those names defined in the priv_names database
Take a look at the profiles for the Auditing feature. Following the profile description, you can see the list of profile attributes that specify what Auditing configurations you can perform.

Oracle Solaris 11 Advanced System Administration 8 - 24

Relationship Among the Four RBAC Files

From the user_attr database:
sysadmin::::type=role;profiles=Device Management,File System Management,Printer Management;roleauth=role
johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin

From the prof_attr database:
Device Management:RO::Control Access to Removable Media:auths=solaris.device.*;help=RtDeviceMngmnt.html

From the auth_attr database:
solaris.device.:RO::Device Allocation::help=DevAllocHeader.html
solaris.device.allocate:RO::Allocate Device::help=DevAllocate.html
solaris.device.config:RO::Configure Device Attributes::help=DevConfig.html
solaris.device.revoke:RO::Revoke or Reclaim Device::help=DevRevoke.html
solaris.device.cdrw:RO::CD-R/RW Recording Authorizations::help=DevCDRW.html

From the exec_attr database:
Device Management:solaris:cmd:RO::/usr/sbin/allocate:uid=0
Device Management:solaris:cmd:RO::/usr/sbin/add_drv:uid=0
Device Management:solaris:cmd:RO::/usr/sbin/deallocate:uid=0
Device Management:solaris:cmd:RO::/usr/sbin/rem_drv:uid=0
Device Management:solaris:cmd:RO::/usr/sbin/update_drv:uid=0

Now that you are familiar with the contents of each of the four RBAC files, look at an example of how the fields in the files are related.
The first section of the graphic shows a portion of a user_attr file. The user johndoe is a normal user account. The user is given the role of sysadmin. The sysadmin role is a role account. When assuming the sysadmin role, johndoe has access to specific rights profiles, defined as the Device Management, File System Management, and Printer Management profiles. From the sysadmin role entry in the first section to the next section, which is the prof_attr file, you can see one relationship between the user_attr file and the prof_attr file. The Device Management rights profile, which is defined in the prof_attr file, is assigned to the sysadmin role in the user_attr file.

Oracle Solaris 11 Advanced System Administration 8 - 25

From the second section containing the prof_attr file example, you can see the relationship between the prof_attr and the auth_attr file, a portion of which is displayed in the third section of the graphic. The Device Management profile is defined in the prof_attr file as having all authorizations beginning with the solaris.device.* string assigned to it. These authorizations are defined in the auth_attr file.
From the second section containing the prof_attr file example, you can see the relationship between the prof_attr and the exec_attr files, a portion of which is displayed in the fourth section.
The Device Management profile is defined in the prof_attr file as having all authorizations beginning with the solaris.device. string assigned to it.

Oracle Solaris 11 Advanced System Administration 8 - 26

Profile Shells
• Enable access to the privileged rights that are assigned to the rights profile
• Are assigned to a specific user as a login shell or through the su command to assume a role
• Users must be assigned one of the profile shells: pfsh for Bourne shell (sh), pfcsh for C shell (csh), or pfksh for Korn shell (ksh).
• When a user executes a command, the profile shell:
  – Searches the role's rights profiles and associated rights
  – Uses the first matching entry if the same command appears in more than one profile
  – Executes the command with the attributes specified in the RBAC configuration files

A profile shell is a special type of shell that enables access to the privileged rights that are assigned to the rights profile. Standard UNIX shells cannot be used because they are not aware of the RBAC files and do not consult them. Administrators can assign a profile shell to a specific user as a login shell, or the profile shell is started when that user runs the su command to assume a role. Users must be assigned one of the following profile shells: pfsh for Bourne shell (sh), pfcsh for C shell (csh), or pfksh for Korn shell (ksh). For the list of profile shells, see the pfexec(1) man page.
When the user executes a command, the profile shell searches the role's rights profiles and associated rights.
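The search just described, from a role's user_attr entry through its rights profiles to the first exec_attr entry that matches the command, can be modelled on the records from the Relationship slide. The script below is an added example and is not part of the course or of Oracle Solaris: its user_attr, prof_attr, auth_attr and exec_attr records are constructed samples adapted from the slides, the careless role and the All entry with id * are added to show why profile order matters, and only profiles listed directly in user_attr are searched (nested profiles= keys are not expanded). It also expands a profile's auths wildcard (solaris.device.*) against auth_attr and reports which of a role's commands still run as UID 0.

```shell
#!/bin/sh
# Added example (not course material): walk user_attr -> prof_attr -> exec_attr
# the way the profile shell does, expand prof_attr auths wildcards against
# auth_attr, and flag which of a role's commands escalate to full root.
# The four databases are constructed samples adapted from the slides; the
# "careless" role and the All entry with id "*" are added to show why profile
# order matters. Only profiles listed directly in user_attr are searched
# (nested profiles= keys in prof_attr are not expanded).
USER_ATTR='sysadmin::::type=role;profiles=Device Management,Network Management,All;roleauth=role
careless::::type=role;profiles=All,Device Management;roleauth=role
johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin'
PROF_ATTR='Device Management:RO::Control Access to Removable Media:auths=solaris.device.*;help=RtDeviceMngmnt.html
All:RO::Execute any command as the user or role:help=RtAll.html'
AUTH_ATTR='solaris.device.:RO::Device Allocation::help=DevAllocHeader.html
solaris.device.allocate:RO::Allocate Device::help=DevAllocate.html
solaris.device.config:RO::Configure Device Attributes::help=DevConfig.html
solaris.device.revoke:RO::Revoke or Reclaim Device::help=DevRevoke.html
solaris.device.cdrw:RO::CD-R/RW Recording Authorizations::help=DevCDRW.html
solaris.system.date:RO::Set Date and Time::help=SysDate.html'
EXEC_ATTR='Device Management:solaris:cmd:RO::/usr/sbin/allocate:uid=0
Device Management:solaris:cmd:RO::/usr/sbin/add_drv:uid=0
Network Management:solaris:cmd:RO::/usr/sbin/dladm:euid=dladm;egid=netadm;privs=sys_dl_config,net_rawaccess,proc_audit
Network Management:solaris:cmd:RO::/usr/bin/netstat:uid=0
All:solaris:cmd:RO::*:'

# Value of key $2 in a semicolon-separated key=value attr field $1.
attr_value() {
    printf '%s\n' "$1" | awk -F';' -v k="$2=" '{ for (i = 1; i <= NF; i++)
        if (index($i, k) == 1) { print substr($i, length(k) + 1); exit } }'
}
# The attr field (last colon-separated field) of the entry named $2 in database $1.
db_attr() {
    printf '%s\n' "$1" | awk -F: -v n="$2" '$1 == n { print $NF; exit }'
}
# Comma-separated rights profiles of a user or role, in user_attr order.
role_profiles() {
    attr_value "$(db_attr "$USER_ATTR" "$1")" profiles
}
# Authorizations granted by profile $1, with wildcards such as solaris.device.*
# expanded against auth_attr; names ending in a period are prefix headings, not
# grantable authorizations, and are skipped.
profile_auths() {
    auths=$(attr_value "$(db_attr "$PROF_ATTR" "$1")" auths)
    printf '%s\n' "$AUTH_ATTR" | awk -F: -v list="$auths" '
        BEGIN { n = split(list, want, ",") }
        $1 ~ /\.$/ { next }
        { for (i = 1; i <= n; i++) { w = want[i]
              if (w == $1 || (sub(/\*$/, "", w) && index($1, w) == 1)) {
                  out = out (out == "" ? "" : ",") $1; break } } }
        END { print out }'
}
# First exec_attr entry a profile shell would apply for command $2 when the
# profiles in comma list $1 are searched in order: exact path, directory
# wildcard such as /usr/sbin/*, or the "*" of All. Prints "profile:attr";
# returns 1 when no profile covers the command.
lookup_cmd() {
    old_ifs=$IFS; IFS=','
    for prof in $1; do
        IFS=$old_ifs
        hit=$(printf '%s\n' "$EXEC_ATTR" | awk -F: -v p="$prof" -v c="$2" '
            function dir(s) { sub("/[^/]*$", "", s); return s }
            $1 == p && $3 == "cmd" && ($6 == c || $6 == "*" || $6 == (dir(c) "/*")) {
                print $1 ":" $7; exit }')
        [ -n "$hit" ] && { printf '%s\n' "$hit"; return 0; }
    done
    IFS=$old_ifs
    return 1
}
# "root" if an attr field runs the command with real or effective UID 0,
# "privs" if it grants discrete privileges instead, "none" otherwise.
classify_attr() {
    printf '%s\n' "$1" | awk -F';' '{ kind = "none"
        for (i = 1; i <= NF; i++) {
            if ($i == "uid=0" || $i == "euid=0") { kind = "root"; break }
            if ($i ~ /^(privs|limitprivs)=/) kind = "privs" }
        print kind }'
}
# "path kind profile" for every command named in exec_attr that role $1 can run.
audit_role() {
    printf '%s\n' "$EXEC_ATTR" | awk -F: '$3 == "cmd" && $6 != "*" { print $6 }' | sort -u |
    while read -r cmd; do
        entry=$(lookup_cmd "$(role_profiles "$1")" "$cmd") || continue
        printf '%s %s %s\n' "$cmd" "$(classify_attr "${entry#*:}")" "${entry%%:*}"
    done
}

audit_role sysadmin                                          # three of four still run as UID 0
profile_auths 'Device Management'
lookup_cmd "$(role_profiles careless)" /usr/sbin/allocate   # All matched first: no uid=0
```

Because the first matching profile wins, a role that lists All before Device Management runs /usr/sbin/allocate as the plain user without the uid=0 attribute, which is why All belongs last in a profile list.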
If the same command appears in more than one profile, the profile shell uses the first matching entry. The profile shell executes the command with the attributes specified in the RBAC configuration files.

Oracle Solaris 11 Advanced System Administration 8 - 27

Implementing the Assigning User Privileges and Roles Plan
Your assignment is to investigate how Oracle Solaris 11:
• Supports process rights management
• Uses RBAC to grant appropriate privileges to users

In accordance with your company's predeployment testing plan, you have been given the task of investigating how Oracle Solaris 11 supports process rights management and uses RBAC to grant appropriate privileges to users.

Oracle Solaris 11 Advanced System Administration 8 - 28

Quiz
The Oracle Solaris OS implements process rights management through privileges.
a. True
b. False

Answer: a

Oracle Solaris 11 Advanced System Administration 8 - 29

Quiz
Which letter indicates a set of privileges being used during a process execution?
a. E
b. I
c. P
d. L
Answer: a

Oracle Solaris 11 Advanced System Administration 8 - 30

Quiz
Which of the following RBAC files contains rights profiles?
a. user_attr
b. auth_attr
c. exec_attr
d. prof_attr

Answer: d

Oracle Solaris 11 Advanced System Administration 8 - 31

Quiz
A profile shell is a special type of shell that enables access to the privileged rights that are assigned to the rights profile.
a. True
b. False

Answer: a

Oracle Solaris 11 Advanced System Administration 8 - 32

Lesson Agenda
• Planning for User Privileges and Roles Assignments
• Configuring and Managing Privileges
• Configuring and Using RBAC
Oracle Solaris 11 Advanced System Administration 8 - 33

Configuring and Managing Privileges
This section covers the following topics:
• Examining process privileges
• Managing user privileges

Oracle Solaris 11 Advanced System Administration 8 - 34

Examining Process Privileges
The following are discussed first:
• Determining the privileges available to the shell
• Determining the privileges on a process
• Displaying the description of a privilege

Oracle Solaris 11 Advanced System Administration 8 - 35

Determining the Privileges Available to the Shell
To determine which privileges are available to your processes, list the process privileges that are available to your shell using ppriv $$.

# ps
  PID TTY         TIME CMD
  990 pts/1       0:00 bash
  993 pts/1       0:00 ps
# ppriv $$
990: bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

The ppriv command is used to inspect or modify process privilege sets and attributes.
The double dollar sign ($$) passes the process number of the parent shell to the command. In the example, you run the ps command to see what processes are currently running and to verify what shell you are using. Here you can see that you are using the bash shell. Next, you run the ppriv $$ command. Again, you see that the shell is bash. There are no flags set, the effective (E), permitted (P), and limit (L) privilege sets are all set to all, and the inherited (I) privilege set is set to basic.

Oracle Solaris 11 Advanced System Administration 8 - 36

Note: The flags field is associated with the getpflags() and setpflags() functions that are used to get or set process flags. The following values are supported.
• PRIV_AWARE: This one-bit flag takes the value of 0 (unset) or 1 (set). Only if this flag is set does the current process become privilege-aware. See privileges(5) for a discussion of this flag.
• PRIV_DEBUG: This one-bit flag takes the value of 0 (unset) or 1 (set). Only if this flag is set does the current process have privilege debugging enabled.
• NET_MAC_AWARE and NET_MAC_AWARE_INHERIT: These flags are available only if the system is configured with Trusted Extensions. These one-bit flags each take the value of 0 (unset) or 1 (set).

Oracle Solaris 11 Advanced System Administration 8 - 37

Determining the Process Privileges to a Shell
To display the names of the privileges in each privilege set, use ppriv -v $$.
# ppriv -v $$
990: bash
flags = <none>
        E: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,
dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,
proc_session
        P: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,
dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,
dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,

Alternatively, you can use the -v option with the ppriv $$ command to display the names of the privileges by privilege set, as shown in this example that contains partial output.
Take a closer look at the privileges in the inheritable (I) privilege set. The privileges listed here indicate that you will be able to link to any file, read any file, and write any file. You will have access to the network, which means you will be able to perform network configuration tasks. In addition, you can execute any process, run a process in another subshell (proc_fork), display information about any processes, and look at any session in the process.

Oracle Solaris 11 Advanced System Administration 8 - 38

Determining the Privileges on a Process
To determine which privileges are available to a process, use ppriv -v pid.
# ppriv -v 476
476: /usr/sbin/cron
flags =
        E: contract_event,contract_identity,contract_observer,cpc_cpu,
           dtrace_kernel,dtrace_proc,dtrace_user,file_chown,
        I: file_link_any,file_read,file_write,net_access,proc_exec,
           proc_fork,proc_info,proc_session
        P: contract_event,contract_identity,contract_observer,
           cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,
        L: contract_event,contract_identity,contract_observer,
           cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,

Use the ppriv -v command with the process ID number (PID). The example presents partial output for the cron process.

Displaying the Description of a Privilege

To display a privilege definition, use ppriv -vl privilege.

# ppriv -vl contract_event
contract_event
        Allows a process to request critical events without limitation.
        Allows a process to request reliable delivery of all events on
        any event queue.
#
# ppriv -vl proc_exec
proc_exec
        Allows a process to call execve().
#

If you need to determine the definition of a privilege that is listed for a process, you can do so by using the ppriv -vl command followed by the privilege name. There are two examples: the first is for the contract_event privilege and the second is for the proc_exec privilege.
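Reading the E, I, P, and L sets by eye is error-prone because ppriv -v wraps each set over several lines. The following shell script is an added example; it is not part of the course material or of the ppriv command itself. It parses saved ppriv -v output into individual privilege names and compares two sets. The input is a constructed, shortened copy of the cron output above, and SAMPLE_PPRIV, priv_set, privs_in, has_priv, set_diff, and count are the example's own names.

```sh
#!/bin/sh
# Added example (not from the course): parse saved `ppriv -v` output so a
# privilege set can be checked mechanically rather than by eye.

# Constructed sample input: a shortened copy of the cron output on the slide.
SAMPLE_PPRIV='476:    /usr/sbin/cron
flags = <none>
        E: contract_event,contract_identity,contract_observer,cpc_cpu,
           dtrace_kernel,dtrace_proc,dtrace_user,file_chown
        I: file_link_any,file_read,file_write,net_access,proc_exec,
           proc_fork,proc_info,proc_session
        P: contract_event,contract_identity,contract_observer,
           cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown
        L: contract_event,contract_identity,contract_observer,
           cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown'

# priv_set SET: read ppriv -v output on stdin, print the members of SET
# (E, I, P or L) one per line.  ppriv wraps long sets, so a line without an
# "X:" prefix belongs to the set that started most recently; the "pid:" and
# "flags" header lines end any set.
priv_set() {
    awk -v want="$1" '
        /^[0-9]+:/ || /^flags/ { cur = ""; next }
        /^[[:space:]]*[EIPL]:/ {
            cur = substr($1, 1, 1)
            sub(/^[[:space:]]*[EIPL]:[[:space:]]*/, "")
        }
        cur == want {
            n = split($0, part, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", part[i])
                if (part[i] != "") print part[i]
            }
        }'
}

# privs_in SET: the members of SET in the sample output.
privs_in() { printf '%s\n' "$SAMPLE_PPRIV" | priv_set "$1"; }

# has_priv SET PRIV: succeed (exit 0) when PRIV is a member of SET.
has_priv() { privs_in "$1" | grep -qx "$2"; }

# set_diff A B: members of A that are not in B.  "set_diff E I" lists what
# the process holds now but will not hand to a child it execs.
set_diff() {
    { privs_in "$2"; echo "--"; privs_in "$1"; } |
    awk '$0 == "--" { second = 1; next }
         !second    { seen[$0] = 1; next }
         !($0 in seen)'
}

# count: number of lines on stdin (used for quick checks).
count() { awk 'END { print NR }'; }

echo "cron: effective privileges that are not inheritable:"
set_diff E I
```

Run against a live system by replacing the sample with `ppriv -v "$pid"` output; the parser only depends on the "E:", "I:", "P:", "L:" prefixes and the indentation of continuation lines.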
Managing User Privileges
• Determining the privileges directly assigned to you
• Determining the privileged commands you can use
• Assigning privileges to a user or role
• Limiting privileges of a user or role
• Determining the privileges needed by a program by using the ppriv debugging command
• Using the ppriv debugging command to examine privilege use in a profile shell
• Using the truss command to examine privilege use in a regular shell

Now that you are more familiar with how to determine what privileges a process has, look at how to manage user privileges, including how to assign privileges, limit privileges, and debug privilege use. The most secure way to manage privileges for users and roles is to confine the use of a privilege to commands in a rights profile. The rights profile is then included in a role. The role is assigned to a user. When the user assumes the assigned role, the privileged commands are available to be run in a profile shell.

Determining the Privileges Directly Assigned to You

To view the privileges that have been directly assigned to your user account, use ppriv -v $$.

$ ppriv -v $$
990: bash
flags =
        E: file_link_any,proc_clock_highres,proc_session
        I: file_link_any,proc_clock_highres,proc_session
        P: file_link_any,proc_clock_highres,proc_session
        L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,sys_time
$ ppriv -vl proc_clock_highres
        Allows a process to use high resolution timers.
Note: The privileges that are listed in the effective set are in effect throughout your session. If you have been directly assigned privileges in addition to the basic set, the privileges are listed in the effective set. In this example, the user always has access to the proc_clock_highres privilege. This privilege allows a process to use high-resolution timers.

Note: To see the privileges that have been directly assigned to a role, you su to the role and then run the ppriv -v $$ command just as you did for the user account.

Determining the Privileged Commands That You Can Use

To determine which rights profiles you have been assigned, use profiles.

$ profiles
Basic Solaris User
All
$ profiles -l
All
        *
Basic Solaris User
        /usr/bin/cdda2wav.bin privs=file_dac_read,sys_devices,proc_priocntl,net_privaddr
        /usr/bin/cdrecord.bin privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
        /usr/bin/readcd.bin privs=file_dac_read,sys_devices,net_privaddr

When a user is not directly assigned privileges, the user obtains access to privileged commands through a rights profile. Commands in a rights profile must be executed in a profile shell. To determine which privileged commands you can use or run, you need to see which rights profiles have been assigned to you. To do this, you use the profiles command. To see more details about the privileges, you can use the profiles -l command.
Note: To see the details of a specific rights profile, you use the profiles -l command with the profile name, as in this example:

$ profiles -l "Basic Solaris User"

To see what roles and authorizations you have, you use the roles and auths commands, respectively, as in this example:

$ roles
No roles
$ auths
solaris.admin.wusb.read,solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq,solaris.profmgr.read

Assigning Privileges to a User or Role

To assign privileges to a user, use usermod -K key=value loginname.

# usermod -K defaultpriv=basic,proc_clock_highres jjones
# getent user_attr | grep jjones
jjones::::type=normal;defaultpriv=basic,proc_clock_highres

To assign privileges to a role, use rolemod -K key=value rolename.

# rolemod -K defaultpriv=basic,proc_clock_highres realtime
# getent user_attr | grep realtime
realtime::::type=role;defaultpriv=proc_clock_highres

You might want to assign a user or role a particular privilege all the time. Very specific privileges that affect a small part of the system are good candidates for assigning to a user or role. To assign privileges to a user, you use the usermod -K command followed by the key=value pair you want to assign and the user's login name.

Note: The -K key=value option is used to replace or add to a user's or role's key=value pair attributes. See user_attr(4) for a list of valid key=value pairs.

In the example, you enable user jjones to use high-resolution timers by assigning the proc_clock_highres privilege in addition to his basic default privileges.
The values for the defaultpriv keyword replace the existing values. Therefore, for the user to retain the basic privileges, the value basic must be specified. In the default configuration, all users have basic privileges. To verify that the privilege has been assigned, you look at the user_attr entry for jjones. Here you can see how the privileges have been modified.

To assign privileges to a role, the same logic applies. You use the rolemod -K command followed by the key=value pair you want to assign and the role name. In the role example, you use the same example, changing the user to a role as appropriate. The role name is realtime.

Limiting Privileges of a User or Role
1. Determine the privileges in a user's or role's basic set and limit set.
2. Remove one of the privileges from the basic set or from the limit set.
3. Test that the user or role can still perform other assigned functions as required.

# usermod -K limitpriv=all,!sys_linkdir jjones
# getent user_attr | grep jjones
jjones::::type=normal;defaultpriv=basic;limitpriv=all,!sys_linkdir

# rolemod -K limitpriv=all,!sys_linkdir realtime
# getent user_attr | grep realtime
realtime::::type=role;defaultpriv=basic;limitpriv=all,!sys_linkdir

There may be circumstances in which you want to limit the privileges that are available to a user or role. You can do this by reducing the basic set or by reducing the limit set. However, you should have a very good reason why you want to limit the privileges, because such limitations can have unintended side effects.
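Because a defaultpriv or limitpriv value replaces whatever was set before, a slip in the usermod -K or rolemod -K value can silently drop the basic set or lock the account out. The following shell script is an added example, not part of the course material or of the usermod and rolemod commands: it checks a proposed key=value pair against the two rules given in this section (basic must be listed in defaultpriv; proc_fork and proc_exec must never be removed from a user or role) and only then prints the command to run. The check_privspec and priv_command functions are the example's own names; the sample values are the ones used on the slides.

```sh
#!/bin/sh
# Added example (not from the course): validate a defaultpriv/limitpriv value
# before it is handed to usermod -K or rolemod -K.

# check_privspec KEY VALUE: KEY is defaultpriv or limitpriv, VALUE is the
# comma-separated privilege spec (e.g. "basic,proc_clock_highres" or
# "all,!sys_linkdir").  Prints "ok", or one "error:" line per problem, and
# returns 1 if any problem was found.
check_privspec() {
    key=$1; spec=$2; rc=0
    case $key in
        defaultpriv|limitpriv) ;;
        *) echo "error: unknown keyword $key"; return 1 ;;
    esac
    # Negating proc_fork or proc_exec leaves the account unable to run commands.
    for p in proc_fork proc_exec; do
        case ",$spec," in
            *",!$p,"*) echo "error: $key=$spec removes $p"; rc=1 ;;
        esac
    done
    case ",$spec," in
        *,basic,*|*,all,*) ;;
        *)
            if [ "$key" = defaultpriv ]; then
                # The new defaultpriv replaces the old one, so a value without
                # "basic" silently takes the basic set away.
                echo "error: $key=$spec does not list basic; the basic set would be lost"
                rc=1
            else
                # A limit set spelled out privilege by privilege must still
                # contain both of the privileges every shell needs.
                for p in proc_fork proc_exec; do
                    case ",$spec," in
                        *",$p,"*) ;;
                        *) echo "error: $key=$spec omits $p"; rc=1 ;;
                    esac
                done
            fi ;;
    esac
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# priv_command KIND NAME KEY VALUE: print the usermod/rolemod command line for
# KIND (user or role) NAME, but only when the value passes check_privspec.
priv_command() {
    kind=$1; name=$2; key=$3; spec=$4
    out=$(check_privspec "$key" "$spec") || { echo "$out" >&2; return 1; }
    case $kind in
        user) echo "usermod -K $key=$spec $name" ;;
        role) echo "rolemod -K $key=$spec $name" ;;
        *)    echo "error: kind must be user or role" >&2; return 1 ;;
    esac
}

# The values used on the slides, plus two that the notes warn against.
check_privspec defaultpriv basic,proc_clock_highres
check_privspec defaultpriv proc_clock_highres || true
priv_command user jjones limitpriv 'all,!sys_linkdir'
priv_command role realtime limitpriv 'all,!proc_fork' || true
```

The check is deliberately conservative: it accepts a value that names all or basic and otherwise insists on the two privileges the notes call out, which is the failure mode that cannot be undone by the user afterwards.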
To limit the privileges of a user or role, follow the steps listed in the slide.

Caution for step 2: Do not remove the proc_fork or the proc_exec privilege. Without these privileges, the user cannot use the system. In fact, these two privileges are only reasonably removed from daemons that do not fork() or exec() other processes.

Notes for step 3: You must thoroughly test any user's or role's capabilities where you have modified the basic set or the limit set for a user or role. It is possible to prevent a user or role from being able to use the system when the basic set is less than the default. When you modify the limit set to be less than all privileges, it is possible for processes that need to run with an effective UID=0 to fail.

In the first example, all sessions that originate from jjones's initial login are prevented from using the sys_linkdir privilege. After this change is implemented, the user jjones will no longer be able to make hard links to directories or unlink directories, even after he runs the su command. The same scenario is used in the second example for a role.

Determining Privileges Needed by a Program Using the ppriv Debugging Command
1. Enter the command that is failing as an argument to the ppriv debugging command.
2. Determine which system call is failing by finding the syscall number in the /etc/name_to_sysnum file.

$ ppriv -eD touch /etc/acct/yearly
touch[5245]: missing privilege "file_dac_write" (euid = 130, syscall = 224) needed at zfs_zaccess+0x258
touch: cannot create /etc/acct/yearly: Permission denied
$ grep 224 /etc/name_to_sysnum
creat64                 224
The Oracle Solaris OS provides two tools to debug privilege failure: the ppriv debugging command (ppriv -eD) and the truss command.

Note: The -e option with the ppriv command interprets the remainder of the arguments as a command line and runs that command line with the specified privilege attributes and sets. The -D option turns on privilege debugging for the process or command supplied.

The steps for using the ppriv debugging command on a failed command or process are listed in the slide. In the example, ppriv -eD touch is being used to determine why the touch /etc/acct/yearly command has failed. The output indicates that the missing privilege is file_dac_write and provides the euid and system call information. To determine which system call is failing, you take the syscall number from the debugging output and locate it in the /etc/name_to_sysnum file. Here you can see that the system call creat64 is failing. When you know the missing privilege, you can assign it to the program as needed.

Using the ppriv Debugging Command to Examine Privilege Use in a Profile Shell

jjones:~$ ls -l useful.script
-rw-r--r--   1 aloe     staff       2303 Dec 15 10:10 useful.script
jjones:~$ chown objadmin useful.script
chown: useful.script: Not owner
jjones:~$ ppriv -eD chown objadmin useful.script
chown[11444]: missing privilege "file_chown" (euid = 130, syscall = 16) needed at zfs_zaccess+0x258
chown: useful.script: Not owner

The ppriv command can debug privilege use in a profile shell.
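The two ppriv -eD messages above (for touch and for chown) carry the same three facts: the missing privilege, the euid, and the syscall number, and the syscall lookup of step 2 is the part usually done by hand. The following shell script is an added example, not part of the course material or of ppriv: it extracts those fields from saved ppriv -eD output and resolves the syscall number against a name_to_sysnum table. The table is a constructed two-line excerpt: creat64 = 224 comes from the slide, while chown = 16 is assumed from the Solaris syscall table rather than taken from the page. The number is matched as its own field, because a plain grep 224 would also match any line that merely contains those digits. SAMPLE_SYSNUM, syscall_name, diagnose, diagnose_touch, and diagnose_chown are the example's own names.

```sh
#!/bin/sh
# Added example (not from the course): turn ppriv -eD failure lines into a
# one-line diagnosis, resolving the syscall number the way step 2 does by hand.

# Constructed name_to_sysnum excerpt.  creat64/224 is the entry shown on the
# slide; chown/16 is assumed from the Solaris syscall table, not from the page.
SAMPLE_SYSNUM='# name                  number
chown                   16
creat64                 224'

# The two debugging outputs shown on the slides (sample input).
SAMPLE_TOUCH='touch[5245]: missing privilege "file_dac_write" (euid = 130, syscall = 224) needed at zfs_zaccess+0x258
touch: cannot create /etc/acct/yearly: Permission denied'

SAMPLE_CHOWN='chown[11444]: missing privilege "file_chown" (euid = 130, syscall = 16) needed at zfs_zaccess+0x258
chown: useful.script: Not owner'

# syscall_name NUMBER: print the name whose number field is exactly NUMBER.
# "grep 224" as on the slide would also match a line that merely contains
# those digits (a name, or a number such as 1224), so compare the field.
syscall_name() {
    printf '%s\n' "$SAMPLE_SYSNUM" |
    awk -v num="$1" '$1 !~ /^#/ && $2 == num { print $1; exit }'
}

# diagnose: read ppriv -eD output on stdin and, for every "missing privilege"
# line, print: PROGRAM PRIVILEGE euid=N syscall=NAME(NUMBER)
diagnose() {
    q='"'
    while IFS= read -r line; do
        case $line in
            *"missing privilege $q"*) ;;
            *) continue ;;
        esac
        prog=${line%%\[*}                  # text before "[pid]"
        rest=${line#*"privilege $q"}       # drop everything up to the opening quote
        priv=${rest%%"$q"*}                # keep up to the closing quote
        euid=${line#*"euid = "}; euid=${euid%%,*}
        num=${line#*"syscall = "}; num=${num%%")"*}
        name=$(syscall_name "$num")
        printf '%s %s euid=%s syscall=%s(%s)\n' \
            "$prog" "$priv" "$euid" "${name:-unknown}" "$num"
    done
}

diagnose_touch() { printf '%s\n' "$SAMPLE_TOUCH" | diagnose; }
diagnose_chown() { printf '%s\n' "$SAMPLE_CHOWN" | diagnose; }

diagnose_touch
diagnose_chown
```

On a live system the same diagnose function can be fed with `ppriv -eD command 2>&1`, and SAMPLE_SYSNUM replaced by the contents of /etc/name_to_sysnum; the output names the privilege that a rights profile or role would need to supply.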
If you assign a rights profile to a user, and the rights profile includes commands with privileges, the commands must be entered in a profile shell. When the privileged commands are entered in a regular shell, the commands do not execute with privilege. In this example, the jjones user can assume the objadmin role. The objadmin role includes the Object Access Management rights profile. This rights profile allows the objadmin role to change permissions on files that objadmin does not own. In the example, jjones's attempt to change the permissions on the useful.script file fails. The user then runs the ppriv debugging command to determine why the command failed and is shown that the file_chown privilege is missing. To fix this issue, you assign the file_chown privilege to the jjones user.

Using the truss Command to Examine Privilege Use in a Regular Shell

$ truss touch /etc/acct/yearly
execve("/usr/bin/touch", 0x08047E74, 0x08047E80)  argc = 2
sysinfo(SI_MACHINE, "i86pc", 257)               = 6
mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFEFB0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFEFA0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFEF90000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFEF80000
memcntl(0xFEFB7000, 32184, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
memcntl(0x08050000, 4216, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
resolvepath("/usr/lib/ld.so.1", "/lib/ld.so.1", 1023) = 12
resolvepath("/usr/bin/touch", "/usr/bin/touch", 1023) = 14
sysconfig(_CONFIG_PAGESIZE)                     = 4096
stat64("/usr/bin/touch", 0x08047A10)            = 0
open("/var/ld/ld.config", O_RDONLY)             Err#2 ENOENT
close(3)
_exit(0)
The truss command can debug privilege use in a regular shell, as shown in the example, where you are using the truss command to debug the failing touch process.

Practice 8-1 Overview: Delegating Privileges to Users and Processes

This practice covers the following topics:
• Examining process privileges
• Managing user privileges

The practices for this lesson are designed to reinforce the concepts that have been presented in the lecture portion. These practices cover the following tasks:
• Practice 8-1: Delegating privileges to users and processes
• Practice 8-2: Configuring role-based access control

Practice 8-1 should take you about 30 minutes to complete.

Lesson Agenda
• Planning for User Privileges and Roles Assignments
• Configuring and Managing Privileges
• Configuring and Using RBAC
Configuring and Using RBAC

This section covers the following topics:
• Creating a role
• Creating, cloning, or changing a rights profile
• Assigning a rights profile to a role
• Assigning a role to a user
• Assuming a role
• Restricting an administrator to explicitly assigned rights
• Assigning a rights profile to a user
• Delegating authorization to a user
• Assigning authorization to a role
• Modifying a system-wide RBAC policy

Creating a Role

To create a role, use roleadd -m -d dir rolename.

# roleadd -u 3000 -g 10 -m -d /export/home/level1 -c "Level 1 Support" \
  -P "Printer Management,Media Backup,Media Restore" level1
64 blocks
# passwd level1
New Password:
Re-enter new Password:
passwd: password successfully changed for level1
# getent passwd | grep level1
level1:x:102:1:Level One Support:/export/home/level1:/bin/pfsh
# grep level1 /etc/shadow
level1:CUs8aQ64vTrZ.:12713::::::
# getent user_attr | grep level1
level1::::type=role;profiles=Printer Management,Media Backup,Media Restore

To create a role, you use the roleadd command combined with one or more options.
The more common options are as follows:
• -u uid: Specifies the user ID of the new role
• -g gid: Specifies an existing group's integer ID or character-string name
• -m: Creates the new role's home directory if it does not already exist
• -d dir: Specifies the home directory of the new role
• -c comment: Text string that provides a short description of the role
• -P profile: Assigns rights profiles to the role. Use commas (,) to separate multiple rights profiles.
• rolename: Name of the new role. For restrictions on acceptable strings, see the roleadd(1M) man page.

Note: To create a role, you must be an administrator with the User Management rights profile. To assign a password to the role, you must be assigned the User Security rights profile.

The roleadd command creates a role entry in the /etc/passwd, /etc/shadow, and user_attr files. In this example, the roleadd command creates a new role called level1, builds the home directory, and assigns the role, with the Printer Management, Media Backup, and Media Restore rights profiles, to user ID 3000 and group ID 10. The role cannot be used until a password is applied to it.

Note: The installation of the Oracle Solaris 11 OS has the Printer Management, Media Backup, and Media Restore rights profiles already defined in the exec_attr and prof_attr files, so there is no need to add an entry for these profiles in these two files. However, if you had created a new rights profile, you would need to make a new entry in the prof_attr file. You will look at how to do that next.

The changes to the /etc/passwd, /etc/shadow, and user_attr files are shown in the example. The type of this account is role (type=role), and it includes the rights profiles Printer Management, Media Backup, and Media Restore.
Creating a Rights Profile
1. Create a rights profile.
2. Use the set subcommand for profile properties that have a single value, such as set desc, and the add subcommand for properties that have more than one value, such as add cmd.

Creating a Rights Profile: Example

# profiles -p -S LDAP "Sun Ray Users"
profiles:Sun Ray Users> set desc="For all users of Sun Rays"
profiles:Sun Ray Users> add profiles="Sun Ray Basic User"
profiles:Sun Ray Users> set defaultpriv="basic,!proc_info"
profiles:Sun Ray Users> set limitpriv="basic,!proc_info"
profiles:Sun Ray Users> end
...
profiles:Sun Ray Users> exit
#
# profiles -p "Sun Ray Users"
Found profile in LDAP repository.
profiles:Sun Ray Users> info
        name=Sun Ray Users
        desc=For all users of Sun Rays
        defaultpriv=basic,!proc_info,
        limitpriv=basic,!proc_info,
        profiles=Sun Ray Basic User

In this example, the administrator creates a rights profile for Sun Ray users in the LDAP repository.
The administrator has already created a Sun Ray version of the Basic Solaris User rights profile, and has removed all rights profiles from the policy.conf file on the Sun Ray server. The administrator verifies the contents.

Cloning and Modifying a Rights Profile
1. Create a new rights profile from an existing profile.
   # profiles -p [-S repository] existing-profile-name
   • To enhance an existing rights profile:
     a. Create a new profile.
     b. Add the existing rights profile as a supplementary rights profile.
     c. Add the enhancements.
   • To remove content from an existing rights profile, clone the profile, rename it, and then modify it.
2. Continue to modify the new rights profile by adding or removing supplementary rights profiles, authorizations, and other security attributes.

The rights profiles that Oracle Solaris provides are read-only. You can clone a provided rights profile for modification if its collection of security attributes is insufficient. For example, you might want to add the solaris.admin.edit/path-to-system-file authorization to a provided rights profile.

Creating or Changing a Rights Profile: Example

# profiles -p "Network IPsec Management"
profiles:Network IPsec Management> add auths="solaris.admin.edit/etc/hosts"
Cannot add.
Profile cannot be modified
#
# profiles -p "Total IPsec Mgt"
Total IPsec Mgt> set desc="Network IPsec Mgt plus edit authorization"
Total IPsec Mgt> add profiles="Network IPsec Management"
Total IPsec Mgt> add auths="solaris.admin.edit/etc/hosts"
Total IPsec Mgt> add auths="solaris.admin.edit/etc/inet/ipsecinit.conf"
Total IPsec Mgt> add auths="solaris.admin.edit/etc/inet/ike/config"
Total IPsec Mgt> add auths="solaris.admin.edit/etc/inet/secret/ipseckeys"
Total IPsec Mgt> end
Total IPsec Mgt> exit
#
# profiles -p "Total IPsec Mgt" info
        name=Total IPsec Mgt
        desc=Network IPsec Mgt plus edit authorization
        auths=solaris.admin.edit/etc/hosts,
              solaris.admin.edit/etc/inet/ipsecinit.conf,
              solaris.admin.edit/etc/inet/ike/config,
              solaris.admin.edit/etc/inet/secret/ipseckeys
        profiles=Network IPsec Management

In this example, the administrator adds several solaris.admin.edit authorizations to a site IPsec Management rights profile. The administrator verifies that the Network IPsec Management rights profile cannot be modified. Then, the administrator creates a rights profile that includes the Network IPsec Management profile. The administrator verifies the contents.

Assigning a Rights Profile to a Role

To assign a rights profile to a role, use rolemod [-P profile] [-s shell] rolename.

# rolemod -P profile1,profile2 -s /usr/bin/pfksh level1

To assign a rights profile to a role, use the rolemod command.
The rolemod command changes the definition of the specified role and makes the appropriate login-related changes to the system file and file system.

Note: The rolemod command modifies the entry for the specified role in the /etc/passwd, /etc/shadow, and user_attr files.

You can use the following options with the rolemod command:
• -e expire: Date a role expires. Use this option to create temporary roles.
• -l new_logname: Specifies the new login name for the role
• -P profile: Specifies one or more comma-separated rights profiles, as defined in the prof_attr file
• -s shell: Login shell for rolename. This shell must be a profile shell.
• rolename: Name of the role you are modifying

In the example, the profile1 and profile2 profiles and the /usr/bin/pfksh profile shell are assigned to the role named level1.

Assigning a Role to a User
1. Assign the role to the user by using usermod -u uid -g gid -m -d dir -R role -c comment loginname.
2. Assign a password to the role by using passwd rolename.
3. Verify that an entry has been made in the user_attr file.

A user can have access to many roles. The useradd command can be used to define which roles a new user has access to. To add roles to an existing user account, you use the usermod command as shown in the steps displayed in the slide.

Notes for step 2: If you are assigned the User Security rights profile, you can create the password. Otherwise, a user who is assigned the role must create it by using the su - rolename command.
Typically, because a role account is assigned to more than one user, the superuser creates a role password and provides the users with the password.

Note: To remove all role access from a user account, you use the usermod command with the -R "" option followed by the user login name.

Assigning a Role to a User: Example

# useradd -u 4009 -g 10 -m -d /export/home/paul \
  -R level1 -c "Paul" paul
64 blocks
# passwd paul
New Password:
Re-enter new Password:
passwd: password successfully changed for paul
# getent user_attr | grep paul
paul::::type=normal;roles=level1
# roles paul
level1
# usermod -R level1 chris
# passwd -r repository level1
Password:
Confirm Password:
# usermod -R "" chris

The example in the slide shows the useradd command being used with the -R option to define the level1 role for the user paul. To verify that the level1 role has been assigned to paul, you view the user_attr file for the user paul. Here you can see that the entry for paul has the level1 role. You can also use the roles command to see the roles that are assigned to the paul user.

Note: The association between the paul user account and the level1 role is defined automatically in the user_attr file.

Next, you assign the level1 role to the existing user account chris by using the usermod -R command. In the last line, you remove all role access from the chris account by using the usermod -R "" command.

Assuming a Role
1. In a terminal window, determine which roles you can assume by using roles.
2. Use the su command to assume a role by using su rolename.
3. Verify that you are now in a role by using /usr/ucb/whoami.
4. View the capabilities of your role by using ppriv $$.

# roles
sysadmin,oper,primaryadm
# su - sysadmin
Password:
$ /usr/ucb/whoami
sysadmin
$ ppriv $$
950: bash
flags =
        E: basic
        I: basic
        P: basic
        L: all

You can use the steps listed in the slide to assume a role.

Notes for step 4: In contrast to the root role, the System Administrator role has the basic set of privileges in its effective (E) set.

In the example shown in the slide, you first determine which roles you can assume. You then assume the role of System Administrator. You then verify that you have assumed the System Administrator role. Your final step is to view the capabilities for your role, which (as you can see) are all basic except for the limit (L) privilege set, which by default is all.

Note: The command prompts displayed might differ based on the shell you are using.

Restricting an Administrator to Explicitly Assigned Rights

You can restrict a role or user to a limited number of administrative actions in two ways:
• You can use the Stop rights profile.
• You can modify the policy.conf file on a system and require the role or user to use that system for administrative tasks.

# rolemod -P "Profile_Name,All,Stop" rolename
You can restrict a role or user to a limited number of administrative actions in two ways.
• You can use the Stop rights profile. The Stop rights profile is the simplest way to create a restricted shell. The authorizations and rights profiles that are assigned in the policy.conf file are not consulted. In the default configuration, the role or user is not assigned the Basic Solaris User rights profile, the Console User rights profile, or the solaris.device.cdrw authorization.
• You can modify the policy.conf file on a system, and require the role or user to use that system for administrative tasks.
The rolemod -P command is used with the Stop rights profile, as shown in the example. This command is especially useful if you have many profiles assigned to a role and you want to limit the role to only a few profiles.
Oracle Solaris 11 Advanced System Administration 8 - 62

Assigning the Rights Profile to a User

    # profiles chris
    Basic Solaris User
    All
    # usermod -P "Printer Management" chris
    # profiles chris
    Printer Management
    Basic Solaris User
    All
    # getent user_attr | grep chris
    chris::::type=normal;profiles=Printer Management
    # profiles -l chris
    Printer Management:
        /etc/init.d/lp              euid=0, uid=0
        /usr/bin/cancel             euid=lp, uid=lp
        /usr/bin/lpset              egid=14
        /usr/bin/lpstat             euid=0
        /usr/lib/lp/local/accept    uid=lp
        /usr/lib/lp/local/lpadmin   uid=lp, gid=8
        /usr/lib/lp/lpsched         uid=0
    All:
        *

The rights profiles assigned to a user can be listed with the profiles command. Every account has the All rights profile. It allows any command to be executed but with special security attributes.
Note: Other rights profiles given to all new user accounts are defined in the /etc/security/policy.conf file.
To assign a rights profile to a user, you use the usermod command. This example shows the Printer Management rights profile being assigned to the chris user account. If you run the profiles command again for the user, you can see that the Printer Management rights profile has been added. The usermod command automatically updates the user_attr file for the specified user, as shown in the example. The new line for the user chris shows the new profile assignment.
You can examine the contents of a rights profile with the -l option of the profiles command. The individual commands in the rights profile can be seen, along with the special security attributes with which they are executed. This example shows the user chris being able to enable and disable a printer.
Oracle Solaris 11 Advanced System Administration 8 - 63

Delegating an Authorization to a User
1. Delegate the authorization to the user by using usermod -A authorization loginname.
2. Verify that an entry has been made in the user_attr file for the user.
3. View the authorizations for the user by using the auths command.

Authorizations can be assigned to user accounts. Authorizations can also be assigned to roles or embedded in a rights profile that can be assigned to a user or role.
To delegate an authorization to a user, you use the usermod command with the -A option, the authorization, and the user login name.
Note: Only a user or role who has grant rights to the authorization can assign it to an account. The roleadd command automatically updates the user_attr file.
To verify that the authorization has been assigned to the user, you can check the user_attr file. You can also use the auths command for the user to see if the authorization is listed in the entry.
Oracle Solaris 11 Advanced System Administration 8 - 64

Delegating an Authorization to a User: Example

    # su - chris
    Oracle Corporation      SunOS 5.11      11.0    November 2011
    chris:~$ crontab -l root
    crontab: you must be super-user to access another user's crontab file
    chris:~$ exit
    # usermod -A solaris.jobs.admin chris
    # getent user_attr | grep chris
    chris::::type=normal;auths=solaris.jobs.admin;profiles=Printer Management
    # auths chris
    solaris.admin.printer.read,solaris.admin.printer.modify,solaris.admin.printer.delete,solaris.device.cdrw,solaris.profmgr.read,solaris.jobs.users,solaris.mail.mailq,solaris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,solaris.network.hosts.read,solaris.admin.volmgr.read
    # su - chris
    Oracle Corporation      SunOS 5.11      11.0    November 2011
    chris:~$ crontab -l root
    #ident  "%Z%%M% %I%     %E% SMI"
    #
    # The root crontab should be used to perform accounting data collection.
    (output omitted)
    chris:~$ exit

In this example, a regular user is not permitted to look at another user's crontab file. To grant the user authorization to manage the other user's crontab file, you use the usermod command with the -A option to add an authorization. The user_attr file is automatically modified with this new information. The chris account is a normal user account (type=normal). You can see in the user_attr file that chris has had the solaris.jobs.admin authorization and the Printer Management rights profile added previously. Next, you use the auths command to see the authorizations assigned to chris. With this authorization, chris can now view or modify other users' crontab files.
Oracle Solaris 11 Advanced System Administration 8 - 65

Assigning Authorization to a Role
1. Assign the authorization to a role by using rolemod -A "authorization" rolename.
2. Verify that an entry has been made in the user_attr file for the role.
3. View the authorizations for the role by using the auths command.

    # rolemod -A "solaris.admin.usermgr.*" level2
    # auths level2
    solaris.admin.usermgr.*

If a large number of user accounts require the same configuration and management of authorizations, it can be easier to assign the authorizations to a role and give the users access to the role. You can assign the authorization to the role by using the rolemod -A command. The steps for completing this task are listed in the slide.
Note: The rolemod command automatically updates the user_attr file.
In the example, the solaris.admin.usermgr.* authorization is being assigned to the level2 role. You use the auths command to verify that the authorization has been assigned to the role.
Oracle Solaris 11 Advanced System Administration 8 - 66

Modifying a System-wide RBAC Policy
1. Determine what privileges you want to comment out for the basic user.
2. Using a text editor, modify the PRIV_DEFAULT=basic default entry and reboot the system.
3. As a user, test the modification.

    # vi /etc/security/policy.conf
    # grep PRIV_DEFAULT /etc/security/policy.conf
    # There are two different settings; PRIV_DEFAULT determines the default
    # Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
    PRIV_DEFAULT=basic,!proc_info,!proc_session
    # init 6
    # su - jjones
    Oracle Corporation      SunOS 5.11      11.0    November 2011
    jjones:~$ ps -A -o user -o pid -o comm | more
        USER   PID COMMAND
      jjones  1941 ps
      jjones  1935 -bash

The /etc/security/policy.conf file establishes a system-wide RBAC policy. There are two different settings for the system-wide policy: PRIV_DEFAULT, which determines the default, and PRIV_DEFAULT=basic,!file_link_any, which can be used to modify the default. The default is set to PRIV_DEFAULT=basic. You can modify this file to deny non-administrative users specific privileges. The steps for performing this task are listed in the slide.
The example shows how to deny a non-administrative user the privilege to look at the processes of other users. You edit the PRIV_DEFAULT=basic entry as follows:

    PRIV_DEFAULT=basic,!proc_info,!proc_session

For the changes to the policy to take place, you reboot the system. After you log back in to the system, you su to the jjones user account and issue the command to access the processes. The only processes the user can display are the user's own processes.
Note: The -A and -o options used in the ps command tell the system to write information for all processes in the specified format, which in the example is by user, pid, and command.
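The user_attr entries and the PRIV_DEFAULT line used throughout this topic are plain colon-, semicolon- and comma-separated text, so the checks you would otherwise do with getent, auths and ppriv can be rehearsed offline. The following script is an added example, not code from this student guide: it parses constructed user_attr and policy.conf lines, looks up a user's roles, profiles and authorizations, matches a requested authorization against a granted name ending in .* (as in the rolemod -A "solaris.admin.usermgr.*" example), and expands PRIV_DEFAULT=basic,!proc_info,!proc_session into the resulting privilege set. The function names are invented for the example, and BASIC_PRIVS is a stand-in list: on a real system the basic set is whatever ppriv -l basic reports.

```shell
#!/bin/sh
# Added example, not from the Oracle student guide: offline checks over the
# user_attr and policy.conf formats shown in this lesson (constructed data).

# Constructed user_attr entries, five colon-separated fields; the fifth is a
# ';'-separated key=value list (type, roles, profiles, auths).
USER_ATTR='paul::::type=normal;roles=level1
chris::::type=normal;auths=solaris.jobs.admin;profiles=Printer Management
level2::::type=role;auths=solaris.admin.usermgr.*;profiles=All'

# Constructed policy.conf excerpt; only the PRIV_DEFAULT line is used.
POLICY_CONF='# There are two different settings; PRIV_DEFAULT determines the default
PRIV_DEFAULT=basic,!proc_info,!proc_session
AUTHS_GRANTED=solaris.device.cdrw'

# Stand-in for the "basic" privilege set (an assumption for this example;
# a real system reports the set with ppriv -l basic).
BASIC_PRIVS='file_link_any file_read file_write net_access proc_exec proc_fork proc_info proc_session'

# user_attr_get <user> <key>: value of one key in the user's attribute field,
# i.e. what getent user_attr | grep shows, reduced to the single value wanted.
user_attr_get() {
    printf '%s\n' "$USER_ATTR" | awk -F: -v u="$1" -v k="$2" '
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                split(kv[i], pair, "=")
                if (pair[1] == k) { print pair[2]; exit }
            }
        }'
}

# has_auth <user> <authorization>: true when the user holds the authorization
# directly in user_attr. A granted name ending in ".*" covers every
# authorization below that prefix, as in rolemod -A "solaris.admin.usermgr.*".
has_auth() {
    want=$2
    auths=$(user_attr_get "$1" auths)
    [ -n "$auths" ] || return 1
    set -f                          # granted names may contain '*': no globbing
    old_ifs=$IFS; IFS=,
    set -- $auths
    IFS=$old_ifs; set +f
    for granted in "$@"; do
        case "$granted" in
            *.\*) prefix=${granted%\*}
                  case "$want" in "$prefix"*) return 0 ;; esac ;;
            *)    [ "$granted" = "$want" ] && return 0 ;;
        esac
    done
    return 1
}

# default_privs: expand the PRIV_DEFAULT setting the way the lesson describes
# it: start from the basic set and remove every privilege written with a
# leading '!'. Prints the resulting set, sorted and space-separated.
default_privs() {
    spec=$(printf '%s\n' "$POLICY_CONF" | awk -F= '/^PRIV_DEFAULT=/ { print $2; exit }')
    privs=""
    old_ifs=$IFS; IFS=,
    set -- $spec
    IFS=$old_ifs
    for item in "$@"; do
        case "$item" in
            basic) privs="$privs $BASIC_PRIVS" ;;
            '!'*)  drop=${item#?}       # strip the leading '!'
                   privs=$(printf '%s\n' $privs | grep -v -x -F -- "$drop" | tr '\n' ' ') ;;
            *)     privs="$privs $item" ;;
        esac
    done
    printf '%s\n' $privs | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# Worked run over the constructed data.
echo "roles of paul:              $(user_attr_get paul roles)"
echo "profiles of chris:          $(user_attr_get chris profiles)"
echo "level2 covers usermgr.read: $(has_auth level2 solaris.admin.usermgr.read && echo yes || echo no)"
echo "default privilege set:      $(default_privs)"
```

Run as a plain sh script. The two lookups that matter for a restriction review are the negative ones: has_auth reports that chris does not hold solaris.admin.usermgr.read even though level2 does, and default_privs shows exactly which privileges a non-administrative login loses after the policy.conf change and reboot described above.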
Oracle Solaris 11 Advanced System Administration 8 - 67

Practice 8-2 Overview: Configuring Role-Based Access Control
This practice covers the following topics:
• Managing roles and profiles
• Configuring a rights profile
• Working with individual authorizations
• Creating a system-wide RBAC policy

This practice should take you about 30 minutes to complete.
Oracle Solaris 11 Advanced System Administration 8 - 68

Summary
In this lesson, you should have learned how to:
• Implement a plan to configure privileges
• Implement a plan to configure role-based access control
• Configure privileges
• Manage privileges
• Configure role-based access control
• Use role-based access control
Oracle Solaris 11 Advanced System Administration 8 - 69

Securing System Resources by Using Oracle Solaris Auditing

Objectives
After completing this lesson, you should be able to:
• Implement a plan for Oracle Solaris auditing
• Configure Oracle Solaris auditing
• Administer the audit service
• Manage audit records
Oracle Solaris 11 Advanced System Administration 9 - 2

Workflow Orientation
(Figure: job workflow diagram. Stages: IPS AI installation, data storage, network configuration, network virtualization, services, privileges, auditing, monitoring, resource evaluation, enterprise datacenter processes.)

Before you begin the lesson, take a moment to orient yourself in your job workflow. You have successfully installed the operating system and have updated it. You have configured the data storage environment as well as the physical and virtual networks. You have also ensured that all the system services are up and running and that both users and processes have been granted the appropriate level of privilege. In order to monitor proper use of business resources and assigned privileges, the Oracle Solaris 11 OS provides several security features, one of which is the Oracle Solaris audit service. It is the system administrator's responsibility to configure, administer, and manage this service.
Oracle Solaris 11 Advanced System Administration 9 - 3

Lesson Agenda
• Planning for Oracle Solaris Auditing
• Configuring Oracle Solaris Auditing
• Administering the Audit Service
• Managing Audit Records on Local Systems
Oracle Solaris 11 Advanced System Administration 9 - 4

Planning for Oracle Solaris Auditing
• Determine if you want a single-system image audit trail.
• Determine the audit policy.
• Determine if you want to modify event-to-class mappings.
• Determine which audit classes to preselect.
• Determine user exceptions to the system-wide preselections.
• Decide how to manage the audit_warn email alias.
• Decide in which format and where to collect audit records.
• Determine when to warn the administrator about shrinking disk space.
• Decide what action to take when all the audit directories are full.
• Determine how much storage space to allocate to auditing.

As with all companies, your company is concerned with ensuring that its system resources are kept secure. As part of investigating ways to keep the system resources secure, your company wants to evaluate the Oracle Solaris auditing service. By using the audit service, your company hopes to be able to monitor and record specific, security-related events. They also want to be able to detect suspicious activities by reviewing patterns of access and access histories, as well as to discover attempts to circumvent the protections that have been put in place to safeguard the system. In short, they want to keep a log of what was done, when it was done, by whom, and what was affected.
Your company recognizes that setting up auditing takes a considerable amount of planning and, as a result, they have put together a plan that addresses each of the requirements listed in the slide. As the system administrator responsible for configuring, administering, and managing the Oracle Solaris audit service, you will need this information to do your job. In this topic you are introduced to Oracle Solaris auditing and shown how the audit service addresses each of these requirements.
Oracle Solaris 11 Advanced System Administration 9 - 5

Oracle Solaris Auditing
Oracle Solaris auditing is:
• A service controlled by the audit daemon, auditd
• Enabled by default
• Configured to provide the following defaults when first enabled:
– All login events are audited.
– All users are audited for login, logout, and role assumption events.
– The audit_binfile plug-in is active.
– The cnt audit policy is set.
– These audit queue controls are set:
— Maximum number of records before records lock: 100
— Maximum number of records before blocked auditing process unblock: 10
— Buffer size: 8192 bytes
— Interval for writing records to the audit trail: 20 seconds
– All zones are audited identically.

Oracle Solaris auditing is a service. The audit service is controlled by the audit daemon, auditd, and is enabled by default.
Note: The audit daemon controls the generation and location of audit trail files and the generation of syslog messages based on its configuration.
When the audit service is first enabled, the following defaults are provided:
• All login events are audited. Both successful and unsuccessful login attempts are audited.
Note: An event is a security-related system action that is audited.
• All users are audited for login, logout, and role assumption events.
• The audit_binfile plug-in is active. The /var/audit directory stores audit records, the size of an audit file is not limited, and the queue size is 100 records.
Note: An audit plug-in is a module that transfers the audit records in the audit queue to a specified location. The audit_binfile plug-in creates binary audit files (the audit trail). The audit trail is a collection of one or more audit files that store the audit data from all systems that run the audit service by using the default plug-in, audit_binfile. You will learn more about the audit plug-ins later in this lesson.
Oracle Solaris 11 Advanced System Administration 9 - 6
• The cnt audit policy is set. This policy has the following effect: When audit records fill the available disk space, the system keeps a count of the number of dropped audit records. No warning is issued.
Note: The audit policy is a set of auditing options that you can enable or disable at your site. The cnt policy is one option. These options include whether to record certain kinds of audit data. The options also include whether to suspend auditable actions when the audit queue is full. You will take a closer look at the audit policy shortly.
• The following audit queue controls are set:
- Maximum number of records in the audit queue before generating the records locks: 100
- Minimum number of records in the audit queue before blocked auditing processes unblock: 10
- Buffer size for the audit queue: 8192 bytes
- Interval between writing audit records to the audit trail: 20 seconds
• By default, all zones are audited identically.
Note: You will be shown how to configure zones for auditing identically and on a per-zone basis later in this lesson.
Rights profiles control who can administer the audit service. There are rights profiles for configuring the audit service, for enabling and disabling the service, and for analyzing the audit trail. The System Administration rights profile includes the Audit Review rights profile. A role with the System Administrator rights profile can analyze audit records.
Oracle Solaris 11 Advanced System Administration 9 - 7

Oracle Solaris Auditing
(Figure: an audit event produces an audit record, which enters the audit queue; from the queue, the audit_binfile plug-in writes audit files to local storage, the audit_remote plug-in sends records to an audit remote server, and the audit_syslog plug-in sends a text summary to syslog.)

The auditing process begins when a specified, security-related audit event occurs that generates an audit record.
Note: The most common audit events are:
• System startup and system shutdown
• Login and logout
• Process creation or process destruction, or thread creation or thread destruction
• Opening, closing, creating, destroying, or renaming of objects
• Use of privilege capabilities or RBAC
• Identification actions and authentication actions
• Permission changes by a process or user
• Administrative actions, such as installing a package
• Site-specific applications
Oracle Solaris 11 Advanced System Administration 9 - 8
Each audit record contains information that identifies the event, what caused the event, the time of the event, and other relevant information. This record is then placed in an audit queue for the active plug-ins to retrieve. The active plug-ins can include the default plug-in, audit_binfile, the audit_remote plug-in, and the audit_syslog plug-in. The audit_binfile plug-in writes the records to audit files. These audit records are stored locally in binary format. The audit_remote plug-in sends these records to an audit remote server, and the audit_syslog plug-in sends text summaries to the syslog utility.
Now that you have a high-level understanding of how Oracle Solaris auditing works, take a closer look at each part of the process, beginning with audit events.
le s b a r e f an r t n o an s ha ฺ ) om uide c ฺ l ai nt G m g ude @ t o S d l s na thi o r ฺ se o r u e ic e to c ( do icens l a l on R o r ce Ci Oracle Solaris 11 Advanced System Administration 9 - 9 Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ Interpreting the /etc/security/audit event File /etc/security/audit_event number:name:description:flags Each entry in the file contains four fields: • number: Event number • name: Event name • description: Event description • flags: Specify classes to which the event is mapped Examples: le b a r e f s an r t n C no a 6153:AUE_logout:logout:lo s a h 6161:AUE_reboot_solaris:reboot(1m):ss ) ฺ e m 6180:AUE_prof_cmd:profile command:ua,as d o i ฺc Gu 6207:AUE_create_user:create user:noail m dent g o@ Stu d l a this n o se and/or its affiliates. All rights reserved. oฺr© 2013,uOracle r Copyright e ic e to c ( do icens l a As discussed, on audit levents represent auditable actions on a system. Audit events are listed in R the ro/etc/security/audit_event file. The /etc/security/audit_event file entry iceformat is shown in the slide. Each entry in the file contains four fields, with a colon separating each field. Each event appears on its own line. The following is the format for an entry: number:name:description:flags The description and requirement for each field are as follows: • number: Event number. Event number ranges are assigned as follows: - • 0: Reserved as an invalid event number 1 – 2047: Reserved for the Solaris Kernel events 2048 – 6143: Reserved for user-level audit events 6000 – 7999: Allocated for Solaris user-level audit events, includes SMF-related, ilbd, netcfgd, TCSD, and hotplugd events - 9035 – 9201: Reserved for the Solaris Trusted Extensions events name: Event name Oracle Solaris 11 Advanced System Administration 9 - 10 • • description: Event description Flags: Flags specifying classes to which the event is mapped. 
Classes are commaseparated, without spaces. Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ Note: In addition to the audit events that are defined by the Oracle Solaris audit service service, thirdthird party applications can generate audit events. Each of the examples is a Solaris user-level audit event. The first event example, AUE_logout, tracks when a user logs out of the system. lo is the audit_class designation for login or logout. The second event example, AUE_reboot_solaris, tracks when a user reboots the operating system. ss is the audit_class designation for a change in the system state. The third event example, AUE_prof_cmd, tracks when a user executes the profile command. d ua and d as are the th audit_class dit l d designations i ti ffor user administration d i i t ti and d systemt wide administration respectively. The last event example, AUE_create_user, tracks when a user executes the user create command. no audit_class designation indicates that this is an invalid class and any event mapped solely to this class will not be audited. s an r t n o an s ha ฺ ) om uide c ฺ l ai nt G m g ude @ t o S d l s na thi o r ฺ se o r u e ic e to c ( do icens l a l on R o r ce Ci Oracle Solaris 11 Advanced System Administration 9 - 11 le b a r e f Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ Event Types • • • • Synchronous: Events associated with a process in the system Asynchronous: Events not associated with any process, so no p process is available to be blocked and later woken up Attributable: Events attributed to a user. All attributable ble events are synchronous events. a r fe s n Non-attributable: Events that occur at the kernel-interrupt a r t level or before a user is authenticated authenticated. Most nonnon on n a attributable events are asynchronous events. as ) h eฺ m co Guid ฺ l i ma dent g o@ Stu d l a this n o se and/or its affiliates. 
All rights reserved. oฺr© 2013,uOracle r Copyright e ic e to c ( do icens l a l handles these types of events: n auditing Oracle o Solaris R r•o Synchronous: Events that are associated with a process in the system. Synchronous ice eevents e ts are a e the t e majority ajo ty of o system syste e events. e ts C • • • Asynchronous: Events that are not associated with any process, so no process is available to be blocked and later woken up. Initial system boot and PROM enter and exit events are examples of asynchronous events. Attributable: Events that can be attributed to a user. The execve()system call can be attributed to a user, so the call is considered an attributable event. All attributable events are synchronous events. Non-attributable: Events that occur at the kernel-interrupt level or before a user is authenticated. The na audit class handles audit events that are non-attributable. For example, booting the system is a non-attributable event. Most non-attributable events are asynchronous events. However, non-attributable events that have associated processes, such as failed login, are synchronous events. Oracle Solaris 11 Advanced System Administration 9 - 12 Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ Interpreting the /etc/security/audit class File /etc/security/audit_class mask:name:description Each entry in the file contains four fields: • mask: Class mask • name: Class name • description: Class description Examples: le b a r e f s an r t n C no a s a h ) ฺ e m d o i ilฺc t Gu a m den g o@ Stu d l a this n o se and/or its affiliates. All rights reserved. oฺr© 2013,uOracle r Copyright e ic e to c ( do icens l a l to an audit class or classes. Audit classes are convenient Each audit on event belongs R containers for large numbers of audit events. Audit classes are defined in the ro ice/etc/security/audit_class file. 
The /etc/security/audit_class file entry format 0x00001000:lo:login or logout 0x00010000:ss:change system state 0x00040000:ua:user administration 0x00020000:as:system-wide administration 0x00000000:no:invalid class 0xffffffff:all:all classes (meta-class) is shown in the slide. Each entry in the file contains three fields, with a colon separating each field. The following is the format for an entry: mask:name:description The description and requirement for each field are as follows: • mask: Class mask • name: Class name • description: Class description Each class is represented as a bit in the class mask, which is an unsigned integer. There are 32 different classes available. Meta-classes can also be defined. You can have supersets composed of multiple base classes, which will have more than 1 bit in the mask. Oracle Solaris 11 Advanced System Administration 9 - 13 Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ Two special meta-classes are also predefined: all and no. • all: Represents a conjunction of all allowed classes and is provided as a shorthand method of specifying all classes • no: Represents an invalid class. Any event mapped solely to this class will not be audited. Turning auditing on to the all meta-class will not cause events mapped solely to the no class to be written to the audit trail. This class is also used to map obsolete events that are no longer generated. Obsolete events are retained to process old audit trails files. The examples show the audit classes that you saw associated with the previous audit event examples: login or logout (lo), change system state (as), user administration (ua), systemwide administration ((as), ) and invalid class ((no). ) An example of the all ll audit class is also included. 
le s b a r e f an r t n o an s ha ฺ ) om uide c ฺ l ai nt G m g ude @ t o S d l s na thi o r ฺ se o r u e ic e to c ( do icens l a l on R o r ce Ci Oracle Solaris 11 Advanced System Administration 9 - 14 Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ Displaying the /etc/security/audit class File /etc/security/audit_class # cat /etc/security/audit_class
0x00000000:no:invalid class 0x00000001:fr:file read 0x00000002:fw:file write 0x00000004:fa:file attribute access 0x00000008:fm:file attribute modify 0x00000010:fc:file create 0x00000020:fd:file delete 0x00000040:cl:file close 0x00000100:nt:network 0x00000200:ip:ipc 0x00000400:na:non-attribute 0x00001000:lo:login or logout 0x00004000:ap:application 0x00008000:cy:cryptographic 0x00010000:ss:change system state le b a r e f s an r t n no a s a h ) ฺ e m d o i ilฺc t Gu a m den g o@ Stu d l a this n o se and/or its affiliates. All rights reserved. oฺr© 2013,uOracle r Copyright e ic e to c ( do icens l a l classes as they appear in the /etc/security/audit_class The default on list of audit R shown ro in the slide. ice C Oracle Solaris 11 Advanced System Administration 9 - 15 file is Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ Displaying the /etc/security/audit class File /etc/security/audit_class 0x00020000:as:system-wide administration 0x00040000:ua:user administration 0x00070000:am:administrative (meta-class) 0x00080000:aa:audit utilization 0x000f0000:ad:old administrative (meta-class) 0x00100000:ps:process start/stop 0x00200000:pm:process modify 0x00300000:pc:process (meta-class) 0x00400000:xp:X - privileged/administrative operations 0x00800000:xc:X - object create/destroy 0x01000000:xs:X - operations that always silently fail, if bad 0 01 00000 0x01c00000:xx:X X - all ll X events t ( (meta-class) t l ) 0x20000000:io:ioctl 0x40000000:ex:exec 0x80000000:ot:other 0xffffffff:all:all classes (meta-class) s an r t n o an s ha ฺ ) om uide c ฺ l ai nt G m g ude @ t o S d l s na thi o r ฺ se and/or its affiliates. All rights reserved. o © 2013,uOracle r Copyright e ic e to c ( do icens l a A continuation on of thel default audit classes is shown in the slide. 
Audit Class Preselection

• Preselection is the choice of which audit classes to monitor.
• Preselected audit class events are collected in the audit queue.
• You can preselect events that specify:
  – System-wide auditing defaults (system-wide audit mask)
  – Exceptions for individual users (user-specific audit mask)
• When combined, these preselections constitute the process preselection mask.

Preselection is the choice of which audit classes to monitor. The audit events of preselected audit classes are collected in the audit queue. Audit classes that are not preselected are not audited, so their events do not appear in the queue. For example, when you preselect the ps and na audit classes, execve() system calls and system boot actions, among other events, are recorded.

You can specify system-wide auditing defaults (referred to as the system-wide audit mask) by preselecting events on a system, and you can specify exceptions to the system-wide auditing defaults for individual users by preselecting events initiated by a particular user (referred to as the user-specific audit mask). When combined, these preselections constitute the process preselection mask.

When a user logs in, the login process combines the preselected classes to establish the process preselection mask for the user's processes. The process preselection mask specifies whether events in each audit class are to generate audit records.

Note: After the audit service is enabled, you can change the preselections. You are shown how to modify the preselection mask later in this lesson.
Audit Records and Audit Tokens

• Audit record:
  – Records the occurrence of a single audited event
  – Includes the following information:
    - Who performed the action
    - Which files were affected
    - What action was attempted
    - Where and when the action occurred
• Audit token:
  – Defines the type of information saved for each audit event
  – Which tokens are recorded is determined by the type of event.

header,69,2,login - local,,example_system,2011-12-16 10:10:10.020 -07:00
subject,root,root,other,root,other,378,378,1234567891 2 example_system
return,success,0

Each audit record records the occurrence of a single audited event. The record includes information such as who did the action, which files were affected, what action was attempted, and where and when the action occurred.

The type of information that is saved for each audit event is defined by a set of audit tokens. Each time an audit record is created for an event, the record contains some or all of the tokens that are defined for the event. The nature of the event determines which tokens are recorded.

An audit record always begins with a header token. The header token indicates where the audit record begins in the audit trail. In the case of attributable events, the subject and the process tokens refer to the values of the process that caused the event. In the case of nonattributable events, the process token refers to the system. Each audit token has a token type identifier, which is followed by data that is specific to the token. Each token type has its own format.
Note: For a listing of the audit token formats, see the "Oracle Solaris Auditing (Reference)" chapter in Oracle Solaris Administration: Security Services.

To display the tokens that comprise an audit record, you use the auditrecord -e event command. The example in the slide shows the login audit record, which comprises the following tokens:
• header, which marks the beginning of the audit record and contains the following:
  - Record byte count (69)
  - Version number (2)
  - Audit event type (login - local)
  - System on which the event occurred (example_system)
  - Date/time stamp (2011-12-16 10:10:10.020 -07:00):
  header,69,2,login - local,,example_system,2011-12-16 10:10:10.020 -07:00
• subject, which describes a user who performs or attempts to perform an operation:
  subject,root,root,other,root,other,378,378,1234567891 2 example_system
• return, which contains the return status of the system call (u_error) and the process return value (u_rval1):
  return,success,0

Note: The return token is always returned as part of kernel-generated audit records for system calls. In application auditing, this token indicates exit status and other return values.

Audit Plug-in Modules

• An audit plug-in transfers an audit record from the audit queue to a specified location.
• The audit service provides these plug-ins:
  – audit_binfile: Delivers audit records from the audit queue to the binary audit files
  – audit_remote: Delivers audit records from the audit queue to a configured remote server
  – audit_syslog: Delivers selected records from the audit queue to the syslog log
• At least one plug-in must be active.
• By default, the audit_binfile plug-in is active.

As discussed earlier, an audit plug-in is a module that transfers an audit record from the audit queue to a specified location. The Oracle Solaris audit service provides the following plug-ins:
• audit_binfile: Handles delivery of an audit record from the audit queue to the binary audit files.
• audit_remote: Handles secure delivery of binary audit records from the audit queue to a configured remote server. The audit_remote plug-in uses the libgss() library to authenticate the server. The transmission is protected for privacy and integrity.
• audit_syslog: Handles delivery of selected records from the audit queue to the syslog log.

You can configure the systems at your site to use binary mode locally, to send binary files to a remote repository, to use syslog mode, or to use any combination of these modules. However, at least one plug-in must be active. By default, the audit_binfile plug-in is active.

Note: You are shown how to configure plug-ins in the next topic.
Storing and Managing the Audit Trail

[Figure: the audit trail, made up of the audit files stored in the primary audit directory and in the secondary audit directories]

Audit records are stored in audit logs (also called audit files). In turn, audit files are stored in audit directories. The contents of all audit directories comprise the audit trail. The audit trail requires dedicated file space. This space must be available and secure. A best practice is to configure several audit directories for audit files. Audit files are stored in audit directories in the following order:
• Primary audit directory: A directory where the audit files for a system are placed under normal conditions. ZFS file systems are used for the primary audit directory. You will be shown how to set this up later in this lesson.
• Secondary audit directories: Directories where the audit files for a system are placed if the primary audit directory is full or not available. A directory is not used until a directory that is earlier in the list is full.

You are shown how to manage the audit files later in this lesson.

Audit Remote Server (ARS)

• ARS receives audit records over a secure link from audited systems and stores the records.
• ARS is delivered as a disabled Oracle Solaris audit component.
• To observe and configure ARS, use the -setremote and -getremote options of the auditconfig command.
Audit Remote Server (ARS) is the counterpart of the audit_remote(5) plug-in. Data sent by the audit_remote plug-in can be captured, processed, and stored by the server according to its configuration.

It is necessary to configure ARS before it can be used to process a remote audit trail. ARS configuration is twofold:
• The underlying security mechanisms used for secure audit data transport have to be configured (a Kerberos realm with specific audit principals and a GSS-API mechanism). See the audit_remote man page.
• The audit remote subsystem has to be configured. The ARS configuration is divided between the configuration of server and group. The server configuration allows changing common ARS parameters, while the group keyword allows configuration of connection groups (sets of hosts sharing the same local storage parameters).

Audit Policies

An audit policy determines the characteristics of the audit records for the local system.
# auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs

By default, most audit policy options are disabled to minimize storage requirements and system processing demands. These options are stored as properties of the audit service and determine the policy options that are in effect at system boot or when the service is restarted. You can display a list of available policy options by running the auditconfig -lspolicy command, as shown in this example.

The following policies add tokens to audit records: arge, argv, group, path, seq, trail, windata_down, windata_up, and zonename. The windata_down and windata_up policies are used by the Trusted Extensions feature of Oracle Solaris. The remaining policies do not add tokens. The ahlt and cnt policies determine what happens when audit records cannot be delivered, the public policy limits auditing of public files, and the perzone policy establishes separate audit queues for non-global zones.
Note: For a description of each policy option and how each option affects the audit service, see the "Determining Audit Policy" section in Oracle Solaris Administration: Security Services.

Implementing the Oracle Solaris Auditing Plan

Your assignment is to:
• Configure the audit service
• Configure audit logs
• Configure the audit service in zones
• Administer the audit service
• Manage audit records on local systems

It is now time to implement the Oracle Solaris auditing plan. Your assignment is to configure the audit service and logs as well as set up the audit service in both the global zone and non-global zones. You will then administer the audit service. Your final task will be to manage the audit records.

Quiz

Oracle Solaris auditing is a service controlled by the audit daemon, auditd.
a. True
b. False

Answer: a

Quiz

Oracle Solaris auditing is enabled by default.
a. True
b. False
Answer: a

Quiz

Which audit plug-in module is active by default?
a. audit_binfile
b. audit_remote
c. audit_syslog

Answer: a

Quiz

Audit classes that are not preselected are not audited.
a. True
b. False

Answer: a

Quiz

Which Oracle Solaris auditing component determines the characteristics of the audit records for the local system?
a. Audit class
b. Audit event
c. Audit profile
d. Audit token

Answer: c

Quiz

Which audit policy is set by default?
a. all
b. cnt
c. none
d. zonename
Answer: b

Lesson Agenda

• Planning for Oracle Solaris Auditing
• Configuring Oracle Solaris Auditing
• Administering the Audit Service
• Managing Audit Records on Local Systems

Configuring Oracle Solaris Auditing

This section covers the following topics:
• Configuring the audit service
• Configuring audit logs
• Configuring the audit service in zones
• Administering the audit service
• Managing audit records on local systems

Configuring the Audit Service

This section covers the following topics:
• Determining audit service defaults
• Preselecting audit classes
• Configuring a user's audit characteristics
• Modifying the audit policy
• Specifying the audit warning destination email alias
• Adding an audit class
• Changing an audit event's class membership
Before you enable auditing on your network, you can modify the defaults to satisfy your site auditing requirements. Best practice is to customize your audit configuration as much as possible before the first users log in.

If you have implemented zones, you can choose to audit all zones from the global zone. Alternatively, to audit non-global zones individually, you can set the perzone policy in the global zone. In the perzone configuration, each non-global zone administrator manages auditing in their non-global zone.

Determining Audit Service Defaults

1. Display the preselected classes for attributable events by using auditconfig -getflags.
2. Display the preselected classes for non-attributable events by using auditconfig -getnaflags.
3. Display the audit policy by using auditconfig -getpolicy.
4. Display information about the audit plug-ins by using auditconfig -getplugin.
5. Display the audit queue controls by using auditconfig -getqctrl.
6. Display the audit_flags for existing users by using userattr audit_flags loginname.

Notes for step 6: By default, users are audited for the system-wide settings only.
Determining Audit Service Defaults: Example

# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
# auditconfig -getplugin
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=0;

Plugin: audit_remote (inactive)
Attributes: p_hosts=;p_retries=3;p_timeout=5;

Plugin: audit_syslog (inactive)
Attributes: p_flags=;

In the example shown in the slide, you are looking at the defaults on an unconfigured system with regard to the audit service configuration. The first thing you do is look at the preselected classes for attributable events.

Note: lo is the flag for the login/logout audit class. The format of the mask output is (success,failure).

Next, you are looking at the preselected classes for non-attributable events.

Note: To see which events are assigned to a class, and therefore which events are being recorded, you can run the auditrecord -c class command.

Your next step is to look at the default policy.

Note: The configured policy is a property of the audit service and is restored when you restart the audit service. The active policy is the policy that is currently used by the kernel, but is not a property of the audit service.

Next, you look at the default settings for the audit plug-ins.
The audit_binfile plug-in is active by default.

Determining Audit Service Defaults: Example

$ auditconfig -getqctrl
no configured audit queue hiwater mark
no configured audit queue lowater mark
no configured audit queue buffer size
no configured audit queue delay
active audit queue hiwater mark (records) = 100
active audit queue lowater mark (records) = 10
active audit queue buffer size (bytes) = 8192
active audit queue delay (ticks) = 20
# who
jjones    pts/1    Dec 15 10:20    (:0.0)
jjones    pts/2    Dec 15 10:20    (:0.0)
tbone     pts/5    Dec 16 12:20    (:0.0)
tbone     pts/6    Dec 16 12:20    (:0.0)
...
# userattr audit_flags jjones
# userattr audit_flags tbone

Next, you look at the audit queue controls. The active settings are the settings that are currently used by the kernel. The string "no configured" indicates that the system is using the default settings.

The final default configuration you look at is the audit_flags setting for existing users. First, you run the who command to see who is on the system, and then you run the userattr audit_flags command for each user. Empty output means that the user has no exceptions to the system-wide preselection.

Preselecting Audit Classes

1. Determine the current preselected classes by using the auditconfig command's -getflags and -getnaflags options.
2. Set the new audit configuration as follows:
   a. Preselect the attributable classes by using auditconfig -setflags lo,ps,fw.
   b. Preselect the non-attributable classes by using auditconfig -setnaflags lo,na.
# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)

To configure systemwide auditing for attributable and non-attributable events, you use the auditconfig command, as shown in the steps in the slide.

Notes for step 1: See steps 1 and 2 from the previous task for how to use these commands to view the current preselected classes.

Notes for step 2b: The auditconfig -set*flags commands do not add classes to the current kernel defaults. These commands replace the kernel defaults, so you must specify all classes that you want to preselect. In the example in the slide, the events in the three classes are being audited for success and for failure. The second command in the example audits the events in the na class, and the login events that are not attributable. lo and na are the only legal arguments to the -setnaflags option.

Configuring a User's Audit Characteristics

1. To set audit flags for a user, use usermod -K audit_flags=fw:no loginname.
2. To set audit flags for a rights profile, use profiles -K audit_flags=fw,as:no "Profile_Name".

# auditconfig -getflags
active user default audit flags = ss,lo(0x11000,0x11000)
configured user default audit flags = ss,lo(0x11000,0x11000)
# usermod -K audit_flags=pf:no jjones
# userattr audit_flags jjones
pf:no
Audit class preselections for each user are specified by the audit_flags keyword and are stored in the user_attr database and the prof_attr database. These definitions, plus the preselected classes for the system, determine the user's audit mask. Follow the steps listed in the slide to configure the audit characteristics for a user.

Notes for step 1: The format of the audit_flags keyword is always-audit:never-audit, as follows:
• always-audit: Lists the audit classes that are exceptions for this user. Exceptions to the system-wide classes are prefixed by a caret (^). Added classes are not prefixed by a caret.
• never-audit: Lists the audit classes that are never audited for the user, even if these audit events are audited system-wide. Exceptions to the system-wide classes are prefixed by a caret (^).
To specify multiple audit classes, you separate the classes with commas.

Notes for step 2: When you assign the rights profile to a user or a role, that user or role is audited for those flags.

The example shows how to change the events that are audited for one user. You begin by displaying the audit preselection mask for all users. You then preselect the pf class for the jjones user. You run the userattr command to show the addition. The audit preselection mask for jjones is a combination of the audit_flags settings with the system default settings.

Modifying the Audit Policy

1.
View the current audit policy by using auditconfig -getpolicy.
2. View the available policy options by using auditconfig -lspolicy.
3. Enable or disable selected audit policy options by using auditconfig [ -t ] -setpolicy [prefix]policy[,policy...].

The audit policy determines the characteristics of the audit records for the local host. You can inspect, change, and temporarily change audit policies with the auditconfig command. Follow the steps listed in the slide to modify the audit policy.

Notes for step 3: The options for the auditconfig [ -t ] -setpolicy command are as follows:
• -t: Creates a temporary, or active, policy. The policy setting is not restored when you restart the audit service. This option is optional.
• prefix: A prefix value of + adds the list of policies to the current policy. A prefix value of - removes the list of policies from the current policy. Without a prefix, the audit policy is reset.
• policy: Selects the policy to be enabled or to be disabled.
A temporary policy is in effect until the audit service is refreshed, or until the policy is modified by the auditconfig -setpolicy command.
Modifying the Audit Policy: Example

$ auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies for the zone
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
# auditconfig -setpolicy -cnt
# auditconfig -setpolicy +ahlt

In the example shown in the slide, you are viewing the available policy options.

Note: The perzone and ahlt policy options can be set only in the global zone.

After reviewing the policy options, it is decided to disable the cnt policy and enable the ahlt policy. With these settings, system use is halted when the audit queues are full and an asynchronous event occurs. When a synchronous event occurs, the process that created the thread hangs. These settings are appropriate when security is more important than availability.
Specifying the Audit Warning Destination Email

To configure the audit_warn email alias, choose one of the following options:
• Option 1: Replace the audit_warn email alias with another email alias in the audit_warn script, as follows:
  ADDRESS=audit_warn    # standard alias for audit alerts
• Option 2:
  – Redirect the audit_warn email to another mail account.
  – Run the newaliases command to rebuild the random access database for the aliases file.
  audit_warn: root
  # newaliases
  /etc/mail/aliases: 14 aliases, longest 10 bytes, 156 bytes total

If you want to be notified if the audit directories are close to filling up or have already filled up, you can set up an email to warn you of this. To send this mail to a valid email address, you can follow one of the options shown in the slide. The /etc/security/audit_warn script generates mail to an email alias that is called audit_warn.

Note: If the perzone policy is set, the non-global zone administrator must configure the audit_warn alias in the non-global zone.

Adding an Audit Class

1. Save a backup copy of the audit_class file as follows:
   # cp /etc/security/audit_class \
   /etc/security/audit_class.orig
2. Add new entries to the audit_class file by using 0xnumber:flag:description.

0x08000000:pf:profile command
When you create your own audit class, you can place into it just those audit events that you want to audit for your site. When you add the class on one system, you copy the change to all systems that are being audited. A best practice is to create audit classes before enabling the audit service.

Note: You must choose free bits. Your choice can be overwritten by a future release of the Oracle Solaris OS.

Notes for step 1: Although not required, it is a good practice to save a backup copy of the audit_class file before you modify it.

Notes for step 2: The entry must be unique in the file. Do not use existing audit class masks. In the example in the slide, a class to hold administrative commands that are executed in a role is being created. The entry creates the new pf audit class.

Note: If you have customized the audit_class file, make sure that any user exceptions to the system audit preselection mask are consistent with the new audit classes. Errors occur when an audit_flags value is not a subset of the audit_class file.

Changing an Audit Event's Class Membership

1. Save a backup copy of the audit_event file as follows:
   # cp /etc/security/audit_event \
        /etc/security/audit_event.orig
2. Change the class membership for an audit event by changing the class_list field in the audit event entry.
3. Verify the change by using auditconfig -setflags class_list.

# grep pf /etc/security/audit_class
0x08000000:pf:profile command
# vi /etc/security/audit_event
116:AUE_PFEXEC:execve(2) with pfexec enabled:pf
# auditconfig -setflags pf
user default audit flags = pf(0x8001000,0x8001000)
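Both procedures above (adding the pf class to audit_class, and moving AUE_PFEXEC into it in audit_event) are hand edits, and the notes warn that a new mask must be a free bit and a flag name must be unique. The following shell functions are an added example, not part of the course, that check a proposed audit_class entry against the file before it is appended, perform the audit_event remapping through a temporary file, and read the result back for verification. They run against constructed excerpts of the two files in a scratch directory, never against /etc/security; the WORK variable, the sample contents and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Oracle course: checks for audit_class and
# audit_event edits, run on constructed copies of the files (never /etc/security).

WORK=${WORK:-$(mktemp -d)}   # scratch directory (hypothetical location)

# write_samples DIR: constructed excerpts of the two files in their real
# formats, mask:flag:description and number:name:description:class_list.
write_samples() {
    cat > "$1/audit_class" <<'EOF'
# constructed excerpt of /etc/security/audit_class
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00001000:lo:login or logout
0x00008000:ua:user administration
0x00010000:as:system-wide administration
0x00100000:ps:process start/stop
0x40000000:ex:exec
0xffffffff:all:all classes (meta-class)
EOF
    cat > "$1/audit_event" <<'EOF'
# constructed excerpt of /etc/security/audit_event
116:AUE_PFEXEC:execve(2) with pfexec enabled:ps,ex,ua,as
6152:AUE_login:login - local:lo
EOF
}

# audit_class_check FILE 'mask:flag:description'
# Returns 0 when the entry's mask is exactly one bit that no existing class
# (other than the all-bits meta-class) uses, and the flag name is unused;
# otherwise prints the reason and returns 1.
audit_class_check() {
    awk -F: -v entry="$2" '
    function hexval(s,  i, n, c) {      # "0x08000000" -> 134217728; -1 if malformed
        n = 0; s = tolower(s); sub(/^0x/, "", s)
        if (length(s) != 8) return -1
        for (i = 1; i <= length(s); i++) {
            c = index("0123456789abcdef", substr(s, i, 1))
            if (c == 0) return -1
            n = n * 16 + (c - 1)
        }
        return n
    }
    BEGIN {
        if (split(entry, f, ":") < 3) { print "malformed entry"; bad = 1; exit }
        mask = hexval(f[1]); flag = f[2]
        if (mask <= 0) { print "mask must be a non-zero 8-digit hex value"; bad = 1; exit }
        bit = mask; while (bit % 2 == 0) bit /= 2      # strip trailing zero bits
        if (bit != 1) { print "mask " f[1] " sets more than one bit"; bad = 1; exit }
    }
    /^#/ || NF < 3 { next }
    {
        m = hexval($1)
        if ($2 == flag) { print "flag " flag " is already defined"; bad = 1; exit }
        if (m != 4294967295 && int(m / mask) % 2 == 1) {
            print "bit " f[1] " is already used by class " $2; bad = 1; exit
        }
    }
    END { exit bad + 0 }' "$1"
}

# audit_class_has FILE FLAG: true when FLAG is defined in the file.
audit_class_has() {
    awk -F: -v f="$2" '!/^#/ && $2 == f { ok = 1 } END { exit !ok }' "$1"
}

# audit_event_set_class FILE EVENT_NAME CLASS_LIST
# Replaces the class_list (last field) of the named event, writing through a
# temporary file; returns 1 and leaves FILE untouched if the event is absent.
audit_event_set_class() {
    tmp="$1.tmp.$$"
    awk -F: -v ev="$2" -v cl="$3" 'BEGIN { OFS = ":" }
        !/^#/ && $2 == ev { $NF = cl; found = 1 }
        { print }
        END { exit !found }' "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$1"
}

# audit_event_get_class FILE EVENT_NAME: print the event's class_list.
audit_event_get_class() {
    awk -F: -v ev="$2" '!/^#/ && $2 == ev { print $NF }' "$1"
}

# Worked run: validate and append the pf class, move AUE_PFEXEC into it, verify.
# On a real system the final check is `auditconfig -setflags pf`, as in the slide.
write_samples "$WORK"
NEW_CLASS='0x08000000:pf:profile command'
if audit_class_check "$WORK/audit_class" "$NEW_CLASS"; then
    printf '%s\n' "$NEW_CLASS" >> "$WORK/audit_class"
    audit_event_set_class "$WORK/audit_event" AUE_PFEXEC pf
    audit_class_has "$WORK/audit_class" "$(audit_event_get_class "$WORK/audit_event" AUE_PFEXEC)" \
        && echo "AUE_PFEXEC now maps to class pf"
fi
```

The bit test avoids bitwise operators, which POSIX awk lacks: because the candidate mask is a single bit, int(existing / mask) % 2 is 1 exactly when that bit is set in an existing class.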
You might want to change an audit event's class membership to reduce the size of an existing audit class or to place the event in a class of its own. When you reconfigure audit event-class mappings on one system, you need to copy the change to all systems that are being audited. A best practice is to change event-class mappings before users log in.

In the example in the slide, an existing audit event is being mapped to the pf audit class. By default, the AUE_PFEXEC audit event is mapped to four classes: ps, ex, ua, and as. Using the vi text editor, you change the mapping for the event to the pf audit class. The new class replaces the existing classes. Replacement enables you to audit for events in the other classes while not generating the records of the AUE_PFEXEC event. With the final command, you verify that the change has been made successfully.

Configuring Audit Logs

This section covers the following topics:
• Creating ZFS file systems for audit files
• Allocating audit space for the audit trail
• Sending audit files to a remote repository
• Configuring the system log as the audit message destination

Creating ZFS File Systems for Audit Files

1. Determine the amount of disk space that is required.
2. Create a mirrored ZFS storage pool.
3. Create a ZFS file system and mount point for the audit files.
4. Create a ZFS file system for the audit files.
5.
Protect the parent audit file system.
6. Compress the audit files in the pool.
7. Set quotas on the audit file system.
8. For a large pool, limit the size of the audit files.

Notes for step 2: Assign at least 200 MB of disk space per host. However, keep in mind that the amount of auditing you require will dictate the disk space requirements. You might find that your disk space requirements are far greater.

Notes for step 4: You might want to create additional file systems for the audit files. If so, repeat this step as many times as necessary.

Notes for step 5: To protect the parent audit file system, you set three ZFS properties to off for all file systems in the pool: devices, exec, and setuid.

Notes for step 6: Typically, compression is set on file systems. However, because all the file systems in this pool contain audit files, compression is set at the pool level.

Notes for step 7: These quotas are used by the audit_warn alias to notify you when the space is filling up.

Notes for step 8: By default, an audit file can grow to the size of the pool.

Allocating Audit Space for the Audit Trail

1. Determine the attributes of the audit_binfile plug-in by using man audit_binfile.
2. To add directories to the audit trail, specify the p_dir attribute by using the following command:
   # auditconfig -setplugin audit_binfile active \
        p_dir=/audit/example1/files,/var/audit
3. Refresh the audit service by using audit -s.
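Steps 5 to 8 of the ZFS procedure above are property settings on the audit pool and its file systems, and nothing in the procedure verifies them afterwards. The following shell function is an added example, not from the course: it reads the output of zfs get -H -o name,property,value for the properties in question and reports every dataset that departs from the intended state (devices, exec and setuid off everywhere; compression not off at the pool level; a quota on every file system below the pool root). The pool and dataset names, the sample output and the reading of step 7 as "every dataset below the root carries a quota" are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the Oracle course: verify the ZFS settings the
# procedure above asks for, from `zfs get -H` output (constructed sample here).

# sample_zfs_get: constructed output of
#   zfs get -r -H -o name,property,value devices,exec,setuid,compression,quota auditpool
# with two deliberate deviations (exec on for host1; no quota for host2).
# Tab-separated, as -H prints it. The pool and dataset names are hypothetical.
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        auditpool               devices     off \
        auditpool               exec        off \
        auditpool               setuid      off \
        auditpool               compression on \
        auditpool               quota       none \
        auditpool/auditfs       devices     off \
        auditpool/auditfs       exec        off \
        auditpool/auditfs       setuid      off \
        auditpool/auditfs       compression on \
        auditpool/auditfs       quota       1T \
        auditpool/auditfs/host1 devices     off \
        auditpool/auditfs/host1 exec        on \
        auditpool/auditfs/host1 setuid      off \
        auditpool/auditfs/host1 compression on \
        auditpool/auditfs/host1 quota       510G \
        auditpool/auditfs/host2 devices     off \
        auditpool/auditfs/host2 exec        off \
        auditpool/auditfs/host2 setuid      off \
        auditpool/auditfs/host2 compression on \
        auditpool/auditfs/host2 quota       none
}

# audit_zfs_check: read `zfs get -H -o name,property,value` lines on stdin and
# print one finding per deviation; exit status is 1 if there is any finding.
# Rules (this example's reading of steps 5 to 7): devices, exec and setuid must
# be off on every dataset; compression must not be off on the pool root
# (a name without "/"); every dataset below the root must carry a quota.
audit_zfs_check() {
    awk -F'\t' '
    $2 == "devices" || $2 == "exec" || $2 == "setuid" {
        if ($3 != "off") { print $1 ": " $2 "=" $3 " (expected off)"; bad++ }
        next
    }
    $2 == "compression" && index($1, "/") == 0 && $3 == "off" {
        print $1 ": compression is off at the pool level"; bad++
    }
    $2 == "quota" && index($1, "/") > 0 && $3 == "none" {
        print $1 ": no quota set"; bad++
    }
    END { exit bad > 0 }'
}

# audit_zfs_findings: number of findings for the input on stdin (0 = compliant).
audit_zfs_findings() {
    audit_zfs_check | wc -l | tr -d ' '
}

# Worked run on the constructed sample; on a real host pipe the zfs get command
# quoted above into audit_zfs_check instead.
if sample_zfs_get | audit_zfs_check; then
    echo "audit pool settings match the procedure"
else
    echo "deviations found; review before enabling the audit service"
fi
```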
# auditconfig -setplugin audit_binfile active \
     p_dir=/audit/client1/files,/var/audit
# audit -s

After you have created ZFS file systems for the audit files, the next task is to allocate audit space for the audit trail. By default, the /var/audit directory holds audit files for the audit_binfile plug-in.

Notes for step 2: The command presented for this step sets the /audit/example1/files directory as the primary directory for audit files, and the default /var/audit directory as the secondary directory.

Notes for step 3: The auditconfig -setplugin command sets the configured value. This value is a property of the audit service, so it is restored when the service is refreshed or restarted. The configured value becomes active when the audit service is refreshed or restarted.

In the example shown in the slide, you are activating the audit_binfile plug-in and setting the storage for auditing. You are setting your ZFS file systems as the primary storage location with /var/audit as the secondary audit file directory. You then refresh the audit service.

Sending Audit Files to a Remote Repository

1. Determine the attributes of the audit_remote plug-in by using man audit_remote.
2. To specify the remote hosts, use the p_hosts attribute as follows:
   # auditconfig -setplugin audit_remote active \
        p_hosts=rhost1:16088:kerberos_v5
3. To specify the number of retries, use the p_retries attribute as follows:
   # auditconfig -setplugin audit_remote active \
        p_retries=5
4.
To specify the length of a connection timeout, use the p_timeout attribute as follows:
   # auditconfig -setplugin audit_remote active \
        p_timeout=3
5. Refresh the audit service by using audit -s.

Notes for step 1: Read the OBJECT ATTRIBUTES section. The default port is the solaris_audit IANA-assigned port, port 16162/tcp. The default mechanism is kerberos_v5. The timeout default is 5 seconds. You can also specify a queue size for the plug-in.

Configuring the System Log as the Audit Message Destination

1. Select classes to be sent to the audit_syslog plug-in and make the plug-in active.
2. Add an audit.notice entry to the syslog.conf file.
3. Create the log file.
4. Refresh the configuration information for the syslog service.
5. Refresh the audit service by using audit -s.
6. Regularly archive the syslog log files.

Notes for step 1: These classes must be preselected as either system defaults, or in a user's audit_flags attribute. Records are not collected for a class that is not preselected.

# auditconfig -setplugin audit_syslog active p_flags=-lo,-ss,+pf
# vi /etc/syslog.conf
# grep audit.notice /etc/syslog.conf
audit.notice    /var/log/auditlog
# touch /var/log/auditlog
# svcadm refresh system/system-log
# audit -s

Notes for step 3: The entry includes the location of the log file.

Notes for step 6: The audit service can generate extensive output.
In the example, the audit_syslog plug-in is being activated and the audit flags that are to be activated for the log are indicated. You want to track failed login and logout attempts, failed changes in the system state, and successful uses of the profile command. Next, you add the audit.notice entry to the syslog.conf file and then create the file by using the touch command. With the final two commands, you refresh the syslog service and the audit service.

Configuring the Audit Service in Zones

• Configuring all zones identically for auditing
  – Single audit service is used.
  – Audit service runs in the global zone.
  – Audit records are collected for both the global zone and all non-global zones.
• Specifying per-zone auditing
  – An audit service is used per zone.
  – An audit service can be disabled on a zone-by-zone basis.
  – Each zone collects its own audit records, which are visible to the non-global zone and the global zone.

The audit service audits the entire system, including activities in zones. A system that has installed non-global zones can run a single audit service to audit all zones identically, or it can run one audit service per zone, including the global zone.

When you audit the non-global zones exactly as the global zone is audited, the audit service runs in the global zone. The service collects audit records from the global zone and all the non-global zones. The non-global zone administrators might not have access to the audit records.
The advantages of per-zone auditing are a customized audit trail for each zone, and the ability to disable auditing on a zone-by-zone basis. Each zone collects its own audit records. The records are visible to the non-global zone and the global zone. These advantages can be offset by the administrative overhead. Each zone administrator must administer auditing. Each zone runs its own audit daemon, and has its own audit queue and audit logs. These audit logs must be managed.

In this section you are shown how to configure the audit service for both situations.

Configuring All Zones Identically for Auditing

1. Configure the global zone for auditing.
2. Copy modified audit configuration files from the global zone to every non-global zone by using one of the following options:
   • Loopback mount the changed audit_class and audit_event files.
     – From the global zone, halt the non-global zone.
     – Create a read-only loopback mount for every audit configuration file that you modified in the global zone.
     – Boot the non-global zone to make the changes effective.
   • Copy the files.
     – From the global zone, list the /etc/security directory in the non-global zone.
     – Copy the changed audit_class and audit_event files to the zone's /etc/security directory.

Notes for step 1: Configuring a zone for auditing is the same as configuring a system, with the following exceptions:
• Do not enable the perzone audit policy.
• Do not enable the audit service. You enable the audit service after you have configured the non-global zones for auditing.
• Set the zonename policy.
This policy adds the name of the zone to every audit record.

Notes for step 2: If you modified the audit_class or audit_event file, copy it. Otherwise, skip this step. You have two options. You can loopback mount the files, or you can copy the files. The non-global zone must be running. The non-global zones are audited when the audit service is enabled in the global zone.

Configuring All Zones Identically for Auditing: Example

# auditconfig -getpolicy
configured audit policies = ahlt,arge,argv
active audit policies = ahlt,arge,argv
# auditconfig -setpolicy +zonename
# auditconfig -getpolicy
configured audit policies = ahlt,arge,argv,zonename
active audit policies = ahlt,arge,argv,zonename
# cp /etc/security/audit_class \
     /zones/zone1/root/etc/security/audit_class
# cp /etc/security/audit_event \
     /zones/zone1/root/etc/security/audit_event
# ls -l /zones/zone1/root/etc/security/audit_*
-rw-r--r--   1 root     sys         2878 2011-12-16 07:04 /zones/zone1/root/etc/security/audit_class
-rw-r--r--   1 root     sys        29472 2011-12-16 07:05 /zones/zone1/root/etc/security/audit_event
-rwxr-----   1 root     sys         7823 2011-12-03 15:24 /zones/zone1/root/etc/security/audit_warn
# audit -s

In the example in the slide, you configure all the zones for auditing. You begin by checking the current audit policy to verify that auditing for the global zone has not been configured. Next, you configure all zones for auditing by setting the zonename policy. You then verify that zones are now part of the audit policy. By adding the zonename policy, the audit records will be tagged with the zone name.
Next, you copy the modified audit_event and audit_class configuration files from the global zone to the non-global zone called zone1. You then verify that the audit configuration files are in the /etc/security directory for zone1, which they are. Your final step is to start the audit service.

Specifying Per-Zone Auditing

1. In the global zone, configure auditing.
2. In each non-global zone, configure the audit files.
   a. Complete each of the tasks for configuring the audit service.
   b. Do not configure system-wide audit settings.
3. If auditing is not enabled in the global zone, enable it.
4. Enable auditing in your zone by using audit -s.

Notes for step 2b: Specifically, do not add the perzone or ahlt policy to the non-global zone.

Notes for step 3: The global zone administrator must enable the audit service for the system.
Specifying Per-Zone Auditing: Example

# zlogin zone1
[Connected to zone 'zone1' pts/2]
Last login: Fri Dec 16 10:42:38 on pts/2
Oracle Corporation      SunOS 5.11      11.0    November 2011
# auditconfig -getcond
audit condition = noaudit
# auditconfig -getflags
active user default audit flags = no(0x0,0x0)
configured user default audit flags = lo(0x1000,0x1000)
# auditconfig -getnaflags
active non-attributable audit flags = no(0x0,0x0)
configured non-attributable audit flags = lo(0x1000,0x1000)
# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt,perzone
# audit -s
# ls /var/audit
20111216141435.not_terminated.zone1
# exit
logout

In the example shown in the slide, auditing is being set up in the non-global zone called zone1. The assumption is that the global zone is already configured. The first step is to log in to the zone. Then the audit files are configured by using the auditconfig command, to include the audit condition, the user default audit flags, the active non-attributable audit flags, and the audit policies. Next, the audit service is enabled. Then it is verified that auditing is occurring in the zone by checking /var/audit, which in this example has been set up as the primary audit directory. You then exit the non-global zone.
Lesson Agenda

• Planning for Oracle Solaris Auditing
• Configuring Oracle Solaris Auditing
• Administering the Audit Service
• Managing Audit Records on Local Systems

Administering the Audit Service

This section covers the following topics:
• Enabling the audit service
• Disabling the audit service
• Refreshing the audit service

Enabling the Audit Service

1. Use the audit -s command to enable the audit service.
2. Verify that auditing is enabled by using auditconfig -getcond.

# audit -s
# auditconfig -getcond
audit condition = auditing

Auditing is an SMF service. You configure the service by using the auditconfig command and enable it with the audit -s command. The steps for enabling the audit service for all zones are listed in the slide. You must be assigned the Audit Control rights profile to perform these tasks.
Note: If the perzone audit policy is set in the global zone, zone administrators can enable, refresh, and disable the service in their non-global zones.

Notes for step 2: The output should reflect that the audit condition is set to auditing, as shown in the example.

Note: Before a zone administrator can enable the audit service in a non-global zone by using the audit -s command, the following actions must be completed:
• The global zone administrator sets the perzone policy in the global zone and enables auditing.
• The zone administrator of the non-global zone configures the audit service and per-user exceptions.

Disabling the Audit Service

To disable the audit service, run audit -t.

# audit -t

The step for disabling the audit service for all zones is shown in the slide. This action returns the system to the state it was in before auditing was enabled.

Note: If the perzone audit policy is not set, auditing is disabled for all zones. If the perz one audit policy is set in the global zone, the policy remains in effect in the non-global zones that have enabled auditing. A non-global zone continues to collect audit records across global zone reboots and non-global zone reboots until the zone administrator disables auditing in that non-global zone by using the audit -t command from within it.

Refreshing the Audit Service

1. Refresh the audit service by using the audit -s command.
2. Update the preselection masks of users who are currently being audited.
   a. Terminate the users' existing sessions.
   b. Use the auditconfig -setflags command to dynamically change each logged-in user's preselection mask.
      – Determine the logged-in user's audit ID and audit session ID by using the who command.
      – Determine the user's audit ID by using the getent passwd loginname command.
      – Change the user's preselection mask by using auditconfig -setumask and auditconfig -setsmask.
      – Verify that the preselection mask has changed by using auditconfig -getpinfo.

Any time you make configuration changes to the audit service after it has been enabled, you will need to refresh the service.

Notes for step 1: When you refresh the audit service, all temporary configuration settings are lost. Audit policy and queue controls enable temporary settings.

Notes for step 2: Audit records are generated based on the audit preselection mask that is associated with each process. Refreshing the audit service does not change the masks of existing processes. To explicitly reset the preselection mask for an existing process, you must update each user's preselection mask. To change the systemwide audit preselection mask, the users must be logged in. You have two ways to complete this task. You can terminate the existing sessions or use the auditconfig command, as shown in steps 2a and 2b in the slide.

Notes for step 2a: Users can log out and log back in, or you can manually terminate (kill) active sessions. The new sessions will inherit the new preselection mask.
Practice 9-1 Overview: Configuring and Administering Oracle Solaris Auditing

This practice covers the following topics:
• Configuring the audit service
• Configuring audit logs
• Configuring the audit service in zones
• Administering the audit service

The practices for this lesson are designed to reinforce the concepts that have been presented in the lecture portion. These practices cover the following tasks:
• Practice 9-1: Configuring and administering Oracle Solaris auditing
• Practice 9-2: Managing audit records on local systems

Practice 9-1 should take you about 45 minutes to complete.

Lesson Agenda

• Planning for Oracle Solaris Auditing
• Configuring Oracle Solaris Auditing
• Administering the Audit Service
• Managing Audit Records on Local Systems
Managing Audit Records on Local Systems

This section covers the following topics:
• Displaying audit record definitions
• Merging audit files
• Selecting audit events to examine
• Viewing contents of binary audit files

Assume that the audit service has been up and running for a while, and you are now ready to collect and analyze the data from the audit trail.

Displaying Audit Record Definitions

To display audit record definitions, use auditrecord -a.

# auditrecord -a
terminal login
  program     /usr/sbin/login       See login(1)
              /usr/dt/bin/dtlogin   See dtlogin
  event ID    6152                  AUE_login
  class       lo                    (0x00001000)
      header
      subject
      [text]                        error message
      return

login: logout
  program     various               See login(1)
  event ID    6153                  AUE_logout
  class       lo                    (0x00001000)
  ---

The audit record definitions provide the audit event number, audit class, selection mask, and record format of an audit event. By viewing the audit record definitions, you can determine the set of audit tokens included in a specific type of audit record. The example in the slide contains the partial audit record format for the login program.
Here you can see that the lo class format has three audit tokens: header, subject, and return, with text being an optional token.

Note: The -a option for the auditrecord command lists all audit event record definitions. You can use the -h option to put the list in an HTML format that can be displayed in a browser. After you have the *.html file displayed in a browser, you can use the browser's Find tool to find specific audit record definitions.

Merging Audit Files

1. Create a directory for storing merged audit files.
2. Merge the audit records in the audit trail as follows:
   a. Change directories to the audit-trail-directory.
   b. Merge the audit records into a file with a named suffix by using the following command:
      # auditreduce -Uppercase-option -O suffix

$ cd /var/audit/audit_summary.dir
$ auditreduce -C -O Complete
$ ls *Complete
20111216183214.20111216214217.Complete

If you need to analyze the contents of the entire audit trail, you can do so more easily by merging all audit files in all the audit directories by using the auditreduce command. The command merges all the records from its input files into a single output file. The input files can then be deleted. If you do not specify a path for your merged file, the auditreduce command uses the /var/audit directory.

Notes for step 1: To complete this step, follow the instructions for creating a ZFS file system for audit files that were covered earlier.

Notes for step 2b: All directories in the audit trail on the local system are merged.
The uppercase options (-Uppercase-option), which are used to manipulate files in the audit trail, include, but are not limited to, the following:
• -A: Selects all of the files in the audit trail.
• -C: Selects complete files only. This option ignores files with the suffix not_terminated.
• -M: Selects files with a particular suffix. The suffix can be a machine name, or it can be a suffix that you have specified for a summary file.
• -O: Creates an audit file with 14-character time stamps for both the start time and the end time, with the suffix suffix in the current directory.

Note: For the full list of options, see the auditreduce(1M) man page.

In the example in the slide, only complete files are copied from the audit trail into a merged file.

Selecting Audit Events to Examine

To select audit events to examine, use auditreduce -lowercase-option argument [optional-file].

$ cd /var/audit/audit_summary.dir
$ auditreduce -c na -O nasumm
$ ls *nasumm
20111216183214.20111216215318.nasumm

You can select specific kinds of records to examine from the audit trail or from a file by using the auditreduce command. Some of the more commonly used options for the auditreduce command are as follows:
• -d: Selects all of the events on a particular date.
The date format for argument is yyyymmdd. Other date options, -b and -a, select events before and after a particular date.
• -u: Selects all of the events attributable to a particular user. The argument is a user name. Another user option, -e, selects all of the events attributable to an effective user ID.
• -c: Selects all of the events in a preselected audit class. The argument is an audit class name.
• -m: Selects all of the instances of a particular audit event. The argument is an audit event.
• argument: Specific argument that a lowercase option requires. For example, the -c option requires an argument of an audit class, such as ua.
• optional-file: The name of an audit file.

Note: For the full list of options, see the auditreduce(1M) man page.

In the example in the slide, all the records of audit events in the na class are collected into one file.

Viewing Contents of Binary Audit Files

To view the contents of binary audit files, use one of the following praudit commands:
• praudit -s: Displays audit records in a short format
• praudit -r: Displays audit records in their raw format
• praudit -x: Displays audit records in XML format

$ auditreduce -c lo | praudit -s
header,69,2,AUE_screenlock,,mach1,2011-12-16 08:02:56.348 -07:00
subject,jjones,root,staff,jjones,staff,856,50036632,82 0 mach1
return,success,0
sequence,1298

The praudit command enables you to view the contents of binary audit files. You can pipe the output from the auditreduce command, or you can read a particular audit file. There are three praudit command options as listed in the slide.
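The short format above is one token per line, so a small parser is enough to turn an auditreduce | praudit -s stream into a table. The following shell functions are an added example, not part of the course: they group praudit -s records by event name, audit user and return status, and flag users whose failed AUE_login count reaches a threshold. The sample records are constructed to match the slide's token layout (header, subject, return, sequence) and are not captured from a real system; the user names and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Oracle course: summarise `praudit -s` output
# (one token per line) into per-event, per-user, per-status counts.

# sample_praudit: constructed records in the praudit -s token layout shown on
# the slide (header, subject, return, sequence). Not real audit data.
sample_praudit() {
    printf '%s\n' \
        'header,69,2,AUE_login,,mach1,2011-12-16 08:00:01.000 -07:00' \
        'subject,jjones,jjones,staff,jjones,staff,851,50036630,82 0 mach1' \
        'return,success,0' \
        'sequence,1290' \
        'header,69,2,AUE_login,,mach1,2011-12-16 08:00:05.000 -07:00' \
        'subject,tsmith,tsmith,staff,tsmith,staff,860,50036633,82 0 mach1' \
        'return,failure: Permission denied,-1' \
        'sequence,1291' \
        'header,69,2,AUE_login,,mach1,2011-12-16 08:00:09.000 -07:00' \
        'subject,tsmith,tsmith,staff,tsmith,staff,861,50036634,82 0 mach1' \
        'return,failure: Permission denied,-1' \
        'sequence,1292' \
        'header,69,2,AUE_login,,mach1,2011-12-16 08:00:14.000 -07:00' \
        'subject,tsmith,tsmith,staff,tsmith,staff,862,50036635,82 0 mach1' \
        'return,failure: Permission denied,-1' \
        'sequence,1293' \
        'header,69,2,AUE_login,,mach1,2011-12-16 08:00:30.000 -07:00' \
        'subject,tsmith,tsmith,staff,tsmith,staff,863,50036636,82 0 mach1' \
        'return,success,0' \
        'sequence,1294' \
        'header,69,2,AUE_screenlock,,mach1,2011-12-16 08:02:56.348 -07:00' \
        'subject,jjones,root,staff,jjones,staff,856,50036632,82 0 mach1' \
        'return,success,0' \
        'sequence,1298'
}

# praudit_summarize: read praudit -s tokens on stdin and print
# event,audit_user,status,count (sorted), one line per distinct triple.
# A record starts at each header token; its event name is the header's fourth
# field and the audit user is the subject's first field. A return token whose
# status starts with "failure" (praudit appends the error text) counts as failure.
praudit_summarize() {
    awk -F, '
    function flush() {
        if (ev != "") count[ev "," user "," status]++
        ev = ""; user = "-"; status = "-"
    }
    $1 == "header"  { flush(); ev = $4 }
    $1 == "subject" { user = $2 }
    $1 == "return"  { status = ($2 ~ /^failure/) ? "failure" : $2 }
    END { flush(); for (k in count) print k "," count[k] }' | sort
}

# praudit_failed_logins THRESHOLD: print the audit users with at least
# THRESHOLD failed AUE_login records in the praudit -s input on stdin.
praudit_failed_logins() {
    praudit_summarize | awk -F, -v t="$1" \
        '$1 == "AUE_login" && $3 == "failure" && $4 + 0 >= t + 0 { print $2 }'
}

# Worked run on the constructed sample; on a live system feed the functions
# with `auditreduce -c lo | praudit -s` instead.
sample_praudit | praudit_summarize
sample_praudit | praudit_failed_logins 3
```

The parser keys on the token names rather than on line positions, so records that carry extra optional tokens (such as text) summarise correctly; only header, subject and return are consulted.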
Note: Each of the praudit commands displays the format in one token per line. For the praudit -s and praudit -r commands, you can use the -l option to place each record on one line. For the praudit -x command, you can use the -l option to place the XML output for one record on one line.
In the example in the slide, the praudit -s command is being used to display audit records in a short format.

Practice 9-2 Overview: Managing Audit Records on Local Systems
This practice covers the following topics:
• Displaying audit record definitions
• Selecting audit events from the audit trail
• Viewing the contents of binary audit files
• Cleaning up an audit file currently in use (named not_terminated)
This practice should take you about 30 minutes to complete.

Summary
In this lesson, you should have learned how to:
• Implement a plan for Oracle Solaris auditing
• Configure Oracle Solaris auditing
• Administer the audit service
• Manage audit records
Managing Processes and Priorities

Objectives
After completing this lesson, you should be able to:
• Implement a plan for executing a process in an appropriate scheduling class
• Manage process scheduling priority
• Manage the scheduling class of zones
• Configure the fair share scheduler
• Monitor the fair share scheduler

Workflow Orientation
[Figure: job workflow map showing IPS, AI installation, monitoring, data storage, resource evaluation, processes, enterprise datacenter, network configuration, network virtualization, auditing, services, and privileges]
Before you begin the lesson, take a moment to orient yourself in your job workflow.
You have successfully installed the operating system and have updated it. You have configured the data storage environment as well as the physical and virtual networks. You have also ensured that all the system services are up and running and that both users and processes have been granted the appropriate level of privilege. You have also set up the Oracle Solaris audit service.
In this lesson, you are shown how to manage the priority and scheduling of system and user processes that the Oracle Solaris 11 operating system uses to run business functions. As the system administrator, you are responsible for controlling and managing these system processes to ensure that the system operates smoothly.

Lesson Agenda
• Planning Process Execution in an Appropriate Scheduling Class
• Managing Process Scheduling Priority
• Configuring the Fair Share Scheduler
• Managing the Scheduling Class of Zones

Planning Process Execution in an Appropriate Scheduling Class
The process execution in an appropriate scheduling class plan ensures that:
• System resources are used appropriately
• Processes are prioritized in accordance with business needs and requirements
• Process workload distribution is controlled
• Processes are assigned to the appropriate scheduling class
Not all processes are created to be equal, and given that there can be hundreds of processes active on the system at any time, it is important for a system administrator to be able to prioritize the processes and control their load distribution. Through these means, the system administrator ensures that the system resources, such as CPU, memory, and network, are not overused to the point where the system becomes bogged down or comes to a complete halt.
Understandably, your company wants to ensure that its business applications run uninterrupted and that they are available when needed. As part of the predeployment activities, your company wants you to test the Oracle Solaris 11 process priority and scheduling class functionality to determine the best approach for distributing process workload.
In this topic, you are introduced to process priorities and the scheduling classes.

Process Scheduler
[Figure: the operating system starts svc:/system/scheduler:default; the process scheduler holds the scheduling classes, each containing processes, which feed the priority queue]
A fundamental job of the operating system is to arbitrate which processes get access to the system's resources. The process scheduler, which is also called the dispatcher, is the portion of the kernel that controls allocation of the CPU to processes. It is managed by the SMF service svc:/system/scheduler:default. The process scheduler supports the concept of scheduling classes.
Each class defines a scheduling policy that is used to schedule processes within the class. The scheduling policy of a process determines its position in the priority queue.

Process Priority
• Global priority:
  – Based on scheduling class
• Designated priority:
  – Affects global priority assignment and position in a priority queue
  – Both scheduling class and user priority can be designated.
  – User priority is based on the assigned priority range of the scheduling class.
Based on scheduling class, each process has a global priority that identifies its position in the priority queue and its access to system resources, specifically CPU resources. The higher the global priority number, the greater the priority.
As a system administrator, you might want to specify that certain processes be given more resources than others. You can do this by designating a priority for a process, thereby impacting its global priority assignment and position in the priority queue. You can designate a scheduling class for the process as well as a user priority. The user priority is based on the process's scheduling class and the priority range assigned to that scheduling class. By designating a priority for a process, you as the system administrator can control how the system should prioritize the running of each process, taking into account those processes that by their nature and their system-assigned scheduling class have a higher priority.
Note: You will take a look at the priority ranges for each scheduling class in just a moment.
Based on changing business needs and requirements, you can always modify the priority of a process. You learn how to designate and modify a process's priority later in this lesson.

Process Scheduling Classes
Scheduling Class: Description
Timesharing (TS): Default class for processes and their associated kernel threads. Priorities in this class are dynamically adjusted in an attempt to allocate processor resources evenly.
Interactive (IA): Enhanced version of the TS class that applies to the in-focus window in the GUI. Its intent is to give extra resources to processes associated with that specific window.
Fair Share Scheduler (FSS): This class is share based rather than priority based. Threads managed by FSS are scheduled based on their associated shares and the processor's utilization.
Fixed-Priority (FX): Priorities for threads associated with this class are fixed. In other words, they do not vary dynamically over the lifetime of the thread.
System (SYS): Used to schedule kernel threads. Threads in this class are "bound" threads, which means that they run until they block or complete.
Real-Time (RT): Threads in the RT class are fixed-priority, with a fixed-time duration called quantum.

The table shown in the slide identifies the process scheduling classes that can be configured on your system. The RT class offers the highest scheduling priorities and can preempt other scheduling class priorities.
Note: By default, any new processes that are created are assigned the TS class.
However, as discussed, you can change the scheduling class designation based on business requirements and the importance of the application. You can also change the default scheduling class for the entire system so that all the processes, including the non-global zones, will run in the same scheduling class. You learn how to do this later in the lesson.
Although the TS scheduling class is the system's default scheduling class, using the fair share scheduler (FSS) as the default scheduling class is highly desirable. The FSS gives you the control to specify that certain processes should be given more resources than others. This is exceptionally beneficial when you are trying to balance workloads for multiple projects or non-global zones. Because the FSS is recommended as the default scheduling class, a good deal of time is spent in this lesson teaching you how to use it.

Priority Ranges for Scheduling Classes
Scheduling Class: Priority Range
Real-time (RT): 100 through 159
System (SYS): 60 through 99
Fair share scheduler (FSS): 0 through 59
Fixed priority (FX): 0 through 59
Interactive (IA): 0 through 59
Timesharing (TS): 0 through 59

The scheduling classes have an assigned range of priorities. The table in the slide presents the ranges. The higher the number, the greater the priority. This means that a real-time process will always run before either a system process or a process that is assigned to any of the other scheduling classes (FSS, FX, IA, TS).
Note: The priority of a process is inherited from the parent process.
Combining FSS with Other Scheduling Classes
• Avoid having the FSS, TS, IA, and FX scheduling classes share the same processor set (pset).
• All processes that run on a processor set must be in the same scheduling class so that they do not compete for the same CPUs.
• To avoid starving applications in the FSS class, use processor sets for FSS class and FX class applications.
• The following classes can be in the same processor sets:
  – TS and IA classes
  – FSS and RT classes
Note: FSS has no control over the RT class processes.
As you just saw, by default, the FSS scheduling class uses the same range of priorities (0 through 59) as the time sharing (TS), interactive (IA), and fixed priority (FX) scheduling classes. Therefore, you should avoid having processes from these scheduling classes share the same processor set. A mix of processes in the FSS, TS, IA, and FX classes could result in unexpected scheduling behavior.
With the use of processor sets, you can mix TS, IA, and FX with FSS in one system. However, all the processes that run on each processor set must be in one scheduling class, so they do not compete for the same CPUs. The FX scheduler in particular should not be used in conjunction with the FSS scheduling class unless processor sets are used. This action prevents applications in the FX class from using priorities high enough to starve applications in the FSS class.
You can mix processes in the TS and IA classes in the same processor set, or on the same system without processor sets.
Because RT and FSS use disjoint, or non-overlapping, ranges of priorities, FSS can coexist with the RT scheduling class within the same processor set. However, the FSS scheduling class does not have any control over processes that run in the RT class.
For example, on a four-processor system, a single-threaded RT process can consume one entire processor if the process is CPU bound. If the system also runs FSS, regular user processes compete for the three remaining CPUs that are not being used by the RT process. Note that the RT process might not use the CPU continuously. When the RT process is idle, FSS uses all four processors.

Using CPU Shares with the FSS
• The FSS uses CPU shares to control the allocation of available CPU resources among workloads.
• Assigning a greater number of CPU shares to a project gives that project more CPU resources from the FSS.
• CPU share allocation and CPU resource usage are not the same.
  – CPU shares define the relative importance of workloads in relation to other workloads.
  – Resource utilization is the percentage of CPU capacity being used.
• When allocating CPU shares, you should know:
  – How many shares the project has in comparison with other projects
  – How many of the other projects are competing for CPU resources
The primary benefit of using the FSS is its ability to enable you to control the allocation of available CPU resources among workloads, based on their importance. This control is achieved by using CPU shares. You identify the importance of each workload by the number of shares of CPU resources that you assign to each workload.
The term "share" is used to define a portion of the system's CPU resources that is allocated to a project. If you assign a greater number of CPU shares to a project, relative to other projects, the project receives more CPU resources from the FSS.
Note: Processes in projects with zero shares always run at the lowest system priority (0). These processes run only when projects with nonzero shares are not using CPU resources.
CPU share allocation is not the same as CPU resource usage. Shares are used to define the relative importance of workloads in relation to other workloads, whereas CPU resource usage is the percentage of CPU capacity being used. A project that is allocated 50 percent of the CPU resources might average only a 20 percent CPU use. Moreover, shares serve to limit CPU usage only when there is competition from other projects. Regardless of how low a project's allocation is, it always receives 100 percent of the processing power if it is running alone on the system.
When allocating CPU shares, it is important to know how many shares the project has in comparison with other projects and how many of the other projects are competing for CPU resources.
Note: The maximum number of shares that can be assigned to any one project is 65535.
You learn how to allocate CPU shares later in this lesson.
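As an added example, not taken from the course, the shell functions below work through the share arithmetic described above: each competing project's entitlement is its shares divided by the shares of all projects that currently compete, a project running alone gets 100 percent, a zero-share project gets nothing while nonzero-share projects compete, and a share count above 65535 is rejected. The project names and share counts are constructed; the even split when only zero-share projects are running is an assumption, since the course does not state how that case is divided.

```shell
# Added example: how the FSS turns shares into CPU entitlement.
# Input lines: "project shares competing", where competing is 1 when the
# project currently has runnable processes.  The values are constructed.
SAMPLE_PROJECTS='db     20 1
web    10 1
batch   5 1
idle   30 0
guest   0 1'

# A share count is valid when it is an integer from 0 through 65535
# (the course gives 65535 as the maximum for one project).
valid_shares() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -le 65535 ]
}

# Print "project percent" for each project: its share of the CPU under
# contention.  Only competing projects are counted in the denominator, so a
# project that runs alone gets 100 percent however few shares it holds, and
# a project with zero shares gets 0 percent while any nonzero-share project
# competes.  Percentages are truncated to whole numbers.
fss_entitlement() {
  awk '
    NF == 3 && $3 == 1 { comp[$1] = $2; total += $2; ncomp++ }
    NF == 3 && $3 == 0 { idle[$1] = $2 }
    END {
      for (p in comp) {
        if (total > 0)  pct = comp[p] * 100 / total
        else            pct = 100 / ncomp   # assumption: only zero-share
                                            # projects run, all at priority
                                            # 0, so they split the CPU evenly
        printf "%s %d\n", p, pct
      }
      # An idle project is not competing, so its shares buy it nothing now;
      # they count again as soon as it has runnable processes.
      for (p in idle) printf "%s 0\n", p
    }
  ' | sort
}

# Stand-alone run: all five projects, then the db project running alone.
printf '%s\n' "$SAMPLE_PROJECTS" | fss_entitlement
printf 'db 20 1\n' | fss_entitlement
```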
Scheduling Class on a System with Zones Installed
• Non-global zones use the system's default scheduling class.
• For a new default scheduling class setting, non-global zones obtain the new setting when booted or rebooted.
• To ensure that all zones get a fair share of the system CPU resources, set the FSS as the system default scheduling class.
Non-global zones use the default scheduling class for the system. If the system is updated with a new default scheduling class setting, non-global zones obtain the new setting when booted or rebooted. As discussed earlier, the recommended scheduler to use with zones is the FSS. The preferred way then is to set the FSS to be the system default scheduling class and then configure CPU shares for the zones. All zones then benefit from getting a fair share of the system CPU resources.
You learn how to configure CPU shares for zones later in this lesson.

Implementing the Process Execution in an Appropriate Scheduling Class Plan
Your assignment is to:
• Determine the scheduling priorities and classes for the processes running on the system
• Modify scheduling priorities
• Set the FSS as the default scheduler
• Configure CPU shares for zones
As part of the predeployment test, you have been given the assignment to learn how to determine, designate, modify, and monitor scheduling priorities and classes for the processes running on the system. You have also been tasked with learning how to make the FSS the default scheduling class for zones, and then how to configure CPU shares for the zones.

Quiz
For the operating system to prioritize processes, all processes must have the same scheduling class.
a. True
b. False
Answer: b

Quiz
Which scheduling class has the highest range of user priority designations?
a. Fair share scheduler (FSS)
b. Real-time (RT)
c. System (SYS)
d. Time sharing (TS)
Answer: b

Quiz
What is the purpose of CPU shares?
a. To control the allocation of available CPU resources among workloads
b. To increase CPU capacity
c. To change the global priority of a project in the priority queue
d. To cap the CPU resource usage of a process
Answer: a

Quiz
Non-global zones use the default system scheduling class for the system.
a. True
b. False
Answer: a

Lesson Agenda
• Planning Process Execution in an Appropriate Scheduling Class
• Managing Process Scheduling Priority
• Configuring the Fair Share Scheduler
• Managing the Scheduling Class of Zones

Managing Process Scheduling Priority
This section covers the following topics:
• Displaying processes with the top command
• Displaying process class information
• Determining the global priority of a process
• Designating a process priority
• Modifying a process priority
Displaying Processes with the top Command
To display the processes that are using the most CPU resources, use top number_of_processes time_interval.

# top 10 -s 10
last pid: 1121;  load avg: 0.20, 0.14, 0.12;  up 0+01:50:30                          14:10:30
87 processes: 83 sleeping, 3 running, 1 on cpu
CPU states: 81.8% idle, 5.1% user, 13.1% kernel, 0.0% iowait, 0.0% swap
Kernel: 609 ctxsw, 9 trap, 327 intr, 1935 syscall, 4 flt
Memory: 1024M phys mem, 84M free mem, 977M total swap, 977M free swap

   PID USERNAME NLWP PRI NICE  SIZE   RES STATE    TIME    CPU COMMAND
   991 oracle      2  59    0   87M   19M sleep    0:11  4.03% gnome-terminal
   733 oracle      3  59    0   65M   53M run      0:23  3.82% Xorg
   929 oracle     20  59    0  160M  140M run      2:01  1.75% java
   934 oracle      1  56    0   12M 5552K run      0:06  1.46% xscreensaver
  1120 root        1  59    0 4296K 2480K cpu      0:00  0.25% top
   917 oracle      1  49    0  107M   36M sleep    0:01  0.22% nautilus
   913 oracle      1  59    0   27M   15M sleep    0:01  0.08% metacity
    11 root       18  59    0   12M   11M sleep    0:41  0.06% svc.configd
   536 root        7  59    0 9420K 1856K sleep    0:03  0.04% VBoxService

A quick and convenient way to view the processes running on the system that are using the most CPU resources is by using the top command. The output of the command is very similar to the prstat command.
Note: The top utility iteratively examines all active processes on the system and reports statistics in descending order based on CPU usage.
The command displays the following information:
• last pid: Last process ID assigned to a process
• load avg: These are the CPU load averages. The averages are based on one-, five-, and 15-minute intervals.
• up: System uptime and current time
• Number of processes currently active on the system and their respective states
• CPU states by percentage: Shows the percentage of CPU time in the following modes: idle, user, kernel, iowait, and swap.
• Kernel: Statistics on the following kernel-related activity: context switches, traps, interrupts, system calls, and page faults.
• Memory: Statistics on memory usage, including physical memory, free memory, total swap, and free swap
• PID: Process ID of the process
• USERNAME: Login name or UID of the owner of the process
• NLWP: Number of lightweight processes (LWPs) in the process
  Note: The kernel and many applications are now multithreaded. A thread is a logical sequence of program instructions written to accomplish a particular task. Each application thread is independently scheduled to run on an LWP, which functions as a virtual CPU. LWPs, in turn, are attached to kernel threads, which are scheduled to run on actual CPUs.
• PRI: Priority of the process. Processes with higher numbers are given precedence.
  Note: The priority of a process is determined by the policies of its scheduling class and by its nice number.
• NICE: Value used in priority computation. Only processes in certain scheduling classes have a nice value.
  Note: The nice numbers range from 0 through +39, with 0 representing the highest priority.
• SIZE: Total virtual memory size of the process
• RES: Resident memory, which represents the amount of physical memory being used by the process, in megabytes (M)
• STATE: State of the process
  - cpuN: Process is running on the CPU.
  - sleep: Process is waiting for an event to complete.
  - run: Process is in the run queue.
  - zombie: Process is terminated, and the parent is not waiting.
  - stop: Process is stopped.
• TIME: Cumulative execution time for the process, given in hours, minutes, and seconds
• CPU: Percentage of recent CPU time used by the process
• COMMAND: Command name of the process

Displaying Process Class Information
To display information about process classes, use priocntl -l.

# priocntl -l
CONFIGURED CLASSES
==================

SYS (System Class)

TS (Time Sharing)
        Configured TS User Priority Range: -60 through 60

SDC (System Duty-Cycle Class)

FSS (Fair Share)
        Configured FSS User Priority Range: -60 through 60

FX (Fixed priority)
        Configured FX User Priority Range: 0 through 60

To display process scheduling classes and priority ranges, you use the priocntl -l command.
Note: The priocntl command is used to display or set scheduling parameters for a specified process. You can also use it to display the current configuration information for the system's process scheduler (as is being done here), or you can use it to execute a command with specified scheduling parameters (which will be looked at in the next few slides).
In the output example, you can see all the classes being used at this time: system class (SYS), time sharing (TS), fixed priority (FX), and interactive (IA). You can also see the priority ranges for the time sharing (-60 through 60), fixed priority (0 through 60), and interactive (-60 through 60) classes.
You need to know these ranges when you designate the priority of a process, which will be looked at in the next few slides.

Determining the Global Priority of a Process
To determine the global priority of a process, use ps -ecl.

$ ps -ecl
 F S   UID   PID  PPID CLS PRI     ADDR  SZ    WCHAN TTY       TIME CMD
19 T     0     0     0 SYS  96 f00d05a8   0          ?         0:03 sched
 8 S     0     1     0  TS  50 ff0f4678 185 ff0f4848 ?        36:51 init
19 S     0     2     0 SYS  98 ff0f4018   0 f00c645c ?         0:01 pageout
19 S     0     3     0 SYS  60 ff0f5998   0 f00d0c68 ?       241:01 fsflush
 8 S     0   269     1  TS  58 ff0f5338 303 ff49837e ?         0:07 sac
 8 S     0   204     1  TS  43 ff2f6008  50 ff2f606e console   0:02 sh

The -e option displays information about every process that is currently running. The -c option displays information about scheduler properties. The -l option generates a long listing.
The command displays the following information:
• F: Flags associated with the process
• S: State of the process. States include:
  - O: Process is running on a processor.
  - S: Sleeping. Process is waiting for an event to complete.
  - R: Runnable. Process is on run queue.
  - Z: Zombie state. Process terminated and parent not waiting.
  - T: Process is stopped, either by a job control signal or because it is being traced.
• UID: Effective user ID number of the process
• PID: Process ID of the process
• CLS: Scheduling class
• PRI: Priority of the process
• ADDR: Memory address of the process
• SZ: Size (in pages) of the swappable process's image in main memory
• WCHAN: Address of an event for which the process is sleeping. If blank, the process is running.
• TTY: Controlling terminal for the process. The message ? is printed when there is no controlling terminal.
• TIME: Cumulative execution time for the process
• CMD: Command name

In the example in the slide, the values in the priority (PRI) column show that the pageout process has the highest priority (98), whereas the sh process has the lowest priority (43).

Designating a Process Priority

1. Start a process with a designated priority by using priocntl -e -c class -m user-limit -p user-priority command-name.
2. Verify the process status by using ps -ecl | grep command-name.

    # priocntl -e -c TS -m 60 -p 60 find . -name core -print
    # ps -ecl | grep find
     0 S     0  2959  2771   TS  60        ? 1865        ? pts/1      0:01 find
    # ps -ecl | grep find
     0 S     0  2959  2771   TS  60        ? 1961        ? pts/1      0:01 find
    # ps -ecl | grep find
     0 R     0  2959  2771   TS  59        ? 1985        ? pts/1      0:02 find

As discussed in the first topic, you can designate the priority of a process.
To do this, you use the priocntl command. The steps listed in the slide show how to designate the scheduling class as well as the user priority.

Notes for step 1: The options that are used with the priocntl command are as follows:
• -e: Executes a specified command with the class and scheduling parameters associated with a set of processes
• -c class: Specifies the class to be set. The valid class arguments are:
  - RT for real-time
  - TS for time sharing
  - IA for interactive
  - FSS for fair-share
  - FX for fixed priority
• -m user-limit: When you use the -p option in conjunction with this option, it specifies the maximum amount by which you can raise or lower the priority.
• -p user-priority: Designates the user priority

In the example, you designate the time sharing (TS) class and the highest possible time-share priority, which is 60, for the find command. You then run the ps -ecl | grep command to verify that the priority is being used at all times, which, as you can see, it is not. Based on workloads and available priorities, the system might not use the designated priority at all times.

Modifying a Process Priority

1. Change the priority of the process by using priocntl -s -p user-priority pid.
2. Verify the process status by using ps -ecl | grep command-name.
    # priocntl -s -p 30 3084
    # ps -ecf | grep myprog
        root  3093  2909  RT 130 09:09:34 pts/3       0:00 /bin/bash /root/myprog
        root  3124  2771  IA  32 09:15:25 pts/1       0:00 grep myprog

Because of changing business priorities, you might need to modify the priority of a running process. To do this, you use the priocntl command. The steps in the slide show how to complete this task.

Notes for step 1: The options that are used with the priocntl command are as follows:
• -s: Sets the scheduling parameters associated with a set of processes
• -p user-priority: Designates the user priority

In the example in the slide, you are changing the current user priority on a process called myprog (PID 3093). You now want the myprog process to have a priority of 30. You then verify the change. Here you can see that the myprog process now has a global priority of 130. The system added 100 to the RT priority of 30 to create the global priority.

Lesson Agenda
• Planning Process Execution in an Appropriate Scheduling Class
• Managing Process Scheduling Priority
• Configuring the Fair Share Scheduler
• Managing the Scheduling Class of Zones
Configuring the Fair Share Scheduler (FSS)

This section covers the following topics:
• Making the FSS the default scheduling class
• Manually moving processes from other classes into the FSS class
• Manually moving a project's processes into the FSS class
• Tuning scheduler parameters

Making FSS the Default Scheduling Class

To set the default scheduler for the system to be FSS, use dispadmin -d FSS.

    # dispadmin -d FSS
    # dispadmin -d
    FSS     (Fair Share)
    # dispadmin -l
    CONFIGURED CLASSES
    ==================
    SYS     (System Class)
    TS      (Time Sharing)
    SDC     (System Duty-Cycle Class)
    FSS     (Fair Share)
    FX      (Fixed Priority)

The fair share scheduling class enables you to allocate CPU time based on shares instead of the priority scheme of the time sharing (TS) scheduling class. To make FSS the default scheduling class for the system, you use the dispadmin -d command, as shown in the slide.

Note: The dispadmin command displays or changes process scheduler parameters while the system is running. The -d option sets or displays the name of the default scheduling class to be used on reboot when starting svc:/system/scheduler:default.
This command does not change the scheduling classes of the currently running processes, which you can see if you run the dispadmin -l command, as shown in the second example. Here you can see all the classes currently being used. The command does, however, affect any new processes that might be created: the new processes will all be assigned the FSS class.

Manually Moving Processes from Other Classes into the FSS Class

To move all processes into the FSS class, use priocntl -s -c FSS -i all.

    # priocntl -s -c FSS -i all
    # ps -ef -o class,zone,fname | grep -v CLS | sort -k2 | more
     FSS   global automoun
     FSS   global bash
     FSS   global bonobo-a
     FSS   global clock-ap
     FSS   global consoleg
     FSS   global cron
     FSS   global fmd
     SYS   global fsflush
      TS   global init

You can manually move all processes into the FSS scheduling class without changing the default scheduling class and rebooting (assuming you have not made the FSS the default scheduling class). To move all the processes from other classes into the FSS class, use the priocntl command as shown in the slide.

Note: This is only a temporary change. After reboot, all processes will again run in the default scheduling class.

The options that are used with the priocntl command are as follows:
• -s: Sets the upper limit on the user priority range and changes the current priority
• -c class: Specifies the class to be set
• -i idtype: Specifies one or more processes to which the priocntl command is to apply. The -i all option specifies that the priocntl command applies to all existing processes.
Note: For a complete list of valid idtype arguments, see the priocntl man page.

To verify that all the processes have been moved into the FSS class, you can use the ps -ef command, as shown in the second example. The -o option is being used to specify the format that is to be displayed. In this case, you want to view the class, zone type, and file name. You use the grep command to specify that you want to view the class (CLS) output, and the sort command to indicate that you want to sort by the second column, which in this case is the zone.

Note: To display all the processes running in a specific class, such as FSS or TS, replace CLS with the class type.

In this partial output, you can see that most but not all of the scheduling classes for the processes have been changed to FSS. Some processes retain their scheduling class based on the nature or scope of the process.

Manually Moving the init Process into the FSS Class

To move the init process into the FSS class, use priocntl -s -c FSS -i pid 1.

    # ps -ecf | grep init
        root     1     0  TS  59 07:42:52 ?           0:00 /sbin/init
    # priocntl -s -c FSS -i pid 1
    # ps -ef -o class,zone,fname | grep init
     FSS   global init

To move the init process into the FSS class, use the priocntl command with the init process ID number (PID 1), as shown in the slide.
Note: Because you are specifying only the init process for the global zone (PID 1), any init processes that are associated with non-global zones are not affected.

In the example in the slide, you begin by displaying the scheduling class for the init process. Notice that the scheduling class is TS. You then run the command to move the init process into the FSS class. Your final step is to verify that the change has been made, and it has.

Note: Again, this is only a temporary change. After reboot, the init process will again run in its default scheduling class.

Manually Moving a Project's Processes into the FSS Class

To move the processes that run in a project to the FSS scheduling class, use priocntl -s -c FSS -i projid projectID_number.

    # ps -o user,pid,uid,projid,project,class
        USER   PID   UID PROJID   PROJECT  CLS
        root  2771     0      1 user.root   TS
        root  3000     0      1 user.root   TS
    # priocntl -s -c FSS -i projid 1
    # ps -o user,pid,uid,projid,project,class
        USER   PID   UID PROJID   PROJECT  CLS
        root  2771     0      1 user.root  FSS
        root  3015     0      1 user.root  FSS

You can also manually move a project's processes from their current scheduling class to the FSS scheduling class. The commands for completing this task are identical to those for moving processes into FSS, with one exception: instead of specifying a process, you specify a project ID number, as shown in the slide. As with the processes, this change is only temporary. After reboot, the project's processes will again run in the default scheduling class.

In the example in the slide, you start by displaying the current scheduling class for the current projects.
As you can see, you have one project (PROJID 1) that has a scheduling class of TS. Using the priocntl command, you move the project's processes into the FSS class. Your last step is to verify the change.

Tuning Scheduler Parameters

To tune the scheduler parameters, use dispadmin -c scheduler -g [-r resolution].

    $ dispadmin -c FSS -g
    #
    # Fair Share Scheduler Configuration
    #
    RES=1000
    #
    # Time Quantum
    #
    QUANTUM=110

    $ dispadmin -c FSS -g -r 100
    #
    # Fair Share Scheduler Configuration
    #
    RES=100
    #
    # Time Quantum
    #
    QUANTUM=11

You can use the dispadmin command to display or change process scheduler parameters while the system is running. For example, you can use dispadmin to examine and tune the FSS scheduler's time quantum value. The time quantum is the amount of time that a thread is allowed to run before it must relinquish the processor.

You can specify the resolution that is used for displaying time quantum values. If no resolution is specified, time quantum values are displayed in milliseconds by default. You might find it easier to work with smaller digits; specifying 10 is much easier than specifying 100000 for quantum values.

In the example in the slide, you are tuning the time quantum parameter for FSS by modifying the resolution. First, you display the current time quantum for the FSS scheduler. As you can see, the quantum values are currently specified in 1/1000th of a second. By using the -r option, you change the resolution so that the time quantum is expressed in 1/100th of a second.
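The checks in this section (reading a process's class and priority from ps -ecl, confirming that a designated priority is in effect, and finding the processes that did not move into FSS) as an added shell example that is not part of the course material. It runs against a constructed ps -ecl sample, so the find and myprog rows, the addresses and the function names are assumptions; on a Solaris host the real ps -ecl output would be piped into the same functions.

```shell
#!/bin/sh
# Added example, not part of the course material: audit helpers that read the
# "ps -ecl" listing used throughout this section. Each function reads ps output
# on stdin, so on a Solaris host you would pipe "ps -ecl" into it; here they
# run against a constructed sample so the checks can be tried anywhere.

# Constructed sample of "ps -ecl" output: the first six rows follow the slide,
# the find and myprog rows are constructed to exercise the checks below.
PS_ECL_SAMPLE=' F S   UID   PID  PPID  CLS PRI     ADDR   SZ    WCHAN TTY        TIME CMD
19 T     0     0     0  SYS  96 f00d05a8    0          ?          0:03 sched
 8 S     0     1     0   TS  50 ff0f4678  185 ff0f4848 ?         36:51 init
19 S     0     2     0  SYS  98 ff0f4018    0 f00c645c ?          0:01 pageout
19 S     0     3     0  SYS  60 ff0f5998    0 f00d0c68 ?        241:01 fsflush
 8 S     0   269     1   TS  58 ff0f5338  303 ff49837e ?          0:07 sac
 8 S     0   204     1   TS  43 ff2f6008   50 ff2f606e console    0:02 sh
 0 R     0  2959  2771   TS  59 ff3a1000 1865 ff3a1a20 pts/1      0:02 find
 0 S     0  3093  2909   RT 130 ff3b2000  210 ff3b2a40 pts/3      0:00 myprog'

# Fields are taken by position from the left (PID=$4, CLS=$6, PRI=$7) and the
# command from the right ($NF): WCHAN is blank for a running process (sched
# above), so counting from the left past it would shift the later columns.

# class_summary: how many processes run in each scheduling class, "CLS COUNT".
class_summary() {
    awk 'NR > 1 { n[$6]++ } END { for (c in n) print c, n[c] }' | sort
}

# not_in_class CLASS: every process not in CLASS, as "PID CLS CMD".
# After "priocntl -s -c FSS -i all" this lists the processes that stayed behind.
not_in_class() {
    awk -v want="$1" 'NR > 1 && $6 != want { print $4, $6, $NF }'
}

# has_priority PID CLS PRI: exit 0 only if PID runs in CLS at exactly PRI.
# This is the verification step from the slides; it fails when the system is
# not applying the designated priority at that moment.
has_priority() {
    awk -v pid="$1" -v cls="$2" -v pri="$3" '
        NR > 1 && $4 == pid { found = 1; ok = ($6 == cls && $7 == pri) }
        END { exit (found && ok) ? 0 : 1 }'
}

# rt_processes: real-time class processes as "PID USERPRI CMD". ps shows the
# global priority, which for RT is the user priority plus 100 (as the myprog
# example shows), so the user priority is recovered by subtracting 100.
# RT processes outrank every TS, IA and FSS process, so an unexpected one is
# worth investigating.
rt_processes() {
    awk 'NR > 1 && $6 == "RT" { print $4, $7 - 100, $NF }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$PS_ECL_SAMPLE" | class_summary
printf '%s\n' "$PS_ECL_SAMPLE" | not_in_class FSS
printf '%s\n' "$PS_ECL_SAMPLE" | rt_processes
if printf '%s\n' "$PS_ECL_SAMPLE" | has_priority 2959 TS 60; then
    echo "find runs at the designated TS 60"
else
    echo "find is not at TS 60: the designated priority is not in effect"
fi
```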
Practice 10-1 Overview: Modifying Process Scheduling Priority

This practice covers the following topics:
• Managing scheduling class and process priorities
• Configuring the fair share scheduler

The practices for this lesson are designed to reinforce the concepts that have been presented in the lecture portion. These practices cover the following tasks:
• Practice 10-1: Modifying the scheduling priority for a process
• Practice 10-2: Configuring CPU shares and FSS in an Oracle Solaris zone

Practice 10-1 should take you about 30 minutes to complete.

Lesson Agenda
• Planning Process Execution in an Appropriate Scheduling Class
• Managing Process Scheduling Priority
• Configuring the Fair Share Scheduler
• Managing the Scheduling Class of Zones
Managing the Scheduling Class of Zones

This section covers the following topics:
• Configuring CPU shares in a non-global zone
• Measuring CPU performance in the zones
• Assigning CPU shares to the global zone
• Removing the CPU shares configuration from a zone

Note: The assumption is that FSS has been made the default scheduling class for the system.

Configuring CPU Shares in a Non-Global Zone

1. Add the CPU shares to the zone by using zonecfg -z zone.
2. Set the number of shares for the global zone by using set cpu-shares=number.
3. Exit zonecfg.
4. Verify the configuration change by using zonecfg -z zone info.
Configuring CPU Shares in a Non-Global Zone: Example

    # zonecfg -z hrzone
    zonecfg:hrzone> set cpu-shares=80
    zonecfg:hrzone> exit
    # zonecfg -z hrzone info
    zonename: hrzone
    zonepath: /zones/hrzone
    brand: solaris
    autoboot: true
    bootargs:
    pool:
    limitpriv:
    scheduling-class:
    ip-type: exclusive
    hostid:
    fs-allowed:
    [cpu-shares: 80]
    net:
        address not specified
        allowed-address not specified
        physical: vnic1
        defrouter not specified
    rctl:
        name: zone.cpu-shares
        value: (priv=privileged,limit=80,action=none)

In the example shown in the slide, you configure the CPU shares for hrzone from the global zone by using the zonecfg -z command. You set the CPU shares to 80, exit, and then confirm the configuration change. Here, you can see that hrzone now has 80 CPU shares.

Measuring CPU Performance in the Zones

To measure CPU performance in the zones, use prstat -Z.

    # prstat -Z
    ...
    ZONEID    NPROC  SWAP   RSS MEMORY      TIME  CPU ZONE
         1       27   34M   43M   4.2%   0:20:09 8.3% hrzone
         2       27   34M   43M   4.2%   0:16:15 2.4% itzone
         0       98  348M  451M    44%   0:00:50 0.3% global

In this mode, prstat displays separate reports about processes and zones at the same time.
The output of the command is as follows:
• ZONEID: ID number of the zone
• NPROC: Number of processes in the zone
• SWAP: Total virtual memory size of the process, including all mapped files and devices, in kilobytes (K), megabytes (M), or gigabytes (G)
• RSS: Resident set size of the process in kilobytes (K), megabytes (M), or gigabytes (G)
• MEMORY: Percentage of memory used by a specified collection of processes
• TIME: Cumulative execution time for the process
• CPU: Percentage of recent CPU time used by the process
• ZONE: Zone name

As the output is dynamically updated, you will notice the percentage of CPU time shifting closer to the ratio you specified. Assuming that you allocated more CPU shares to hrzone, you will see a higher percentage of CPU time being used by that zone.

Assigning CPU Shares to the Global Zone

To assign CPU shares to the global zone, use prctl -n zone.cpu-shares -v number_of_shares -r -i zone global.

    # prctl -n zone.cpu-shares -v 60 -r -i zone global

You can also assign CPU shares to the global zone by using the prctl -n zone.cpu-shares command, as shown in the slide. The options for the prctl -n zone.cpu-shares command are as follows:
• -n: Specifies the name of the resource
• -v value: Specifies the value for the resource control for a set operation
• -r: Replaces the first resource control value with the new value specified through the -v option
• -i idtype: Specifies the type of the id operands. Valid idtypes are process, task, project, and zone.

In the example in the slide, you are assigning 60 CPU shares to the global zone.
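An added example, not from the course material, that turns the prstat -Z measurement above into a check against the configured shares: it computes each zone's entitled fraction of CPU from the zone.cpu-shares values and compares it with the split prstat -Z reports. The hrzone (80) and global (60) share values come from the slides; itzone's 20 shares, the function names and the sample table are assumptions.

```shell
#!/bin/sh
# Added example, not part of the course material: compare the CPU split that
# "prstat -Z" reports with the split the configured zone.cpu-shares values
# entitle each zone to. Under FSS a zone that is competing for CPU is entitled
# to its shares divided by the total shares of all competing zones, so the
# observed percentages should converge on that ratio once every zone is busy.

# Constructed share table, one "zone shares" pair per line. hrzone=80 and
# global=60 are the values set in the slides; itzone=20 is an assumed value.
SHARES='hrzone 80
itzone 20
global 60'

# Constructed "prstat -Z" zone summary, copied from the slide output.
PRSTAT_SAMPLE='ZONEID    NPROC  SWAP   RSS MEMORY      TIME  CPU ZONE
     1       27   34M   43M   4.2%   0:20:09 8.3% hrzone
     2       27   34M   43M   4.2%   0:16:15 2.4% itzone
     0       98  348M  451M    44%   0:00:50 0.3% global'

# entitled_pct ZONE: the share of CPU, in percent, that ZONE's shares entitle
# it to relative to every zone listed in SHARES, printed with one decimal.
entitled_pct() {
    printf '%s\n' "$SHARES" | awk -v z="$1" '
        { total += $2; if ($1 == z) mine = $2 }
        END { printf "%.1f\n", 100 * mine / total }'
}

# observed_pct: read prstat -Z output on stdin and print "ZONE PCT", where PCT
# is the zone's portion of the CPU time the listed zones consumed between
# them. Using that total rather than the whole machine ignores idle CPU,
# which no zone is competing for. Exits 1 if no zone consumed any CPU.
observed_pct() {
    awk 'NR > 1 { v = $(NF - 1); sub(/%/, "", v); cpu[$NF] = v; sum += v }
         END { if (sum == 0) exit 1
               for (z in cpu) printf "%s %.1f\n", z, 100 * cpu[z] / sum }' | sort
}

# share_report: one line per zone with its entitlement, the observed portion
# and the difference. A zone far below its entitlement is usually just idle;
# a zone far above it while the others are busy is worth checking.
share_report() {
    observed_pct | while read -r zone observed; do
        entitled=$(entitled_pct "$zone")
        awk -v z="$zone" -v e="$entitled" -v o="$observed" 'BEGIN {
            printf "%-7s entitled %5.1f%%  observed %5.1f%%  delta %+6.1f\n", z, e, o, o - e }'
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$PRSTAT_SAMPLE" | share_report
```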
Again, you are making the assumption that FSS is the default scheduling class for the global zone.

Removing the CPU Shares Configuration from a Zone

1. Remove the CPU shares configuration from the zone by using zonecfg -z zone clear cpu-shares.
2. Verify the configuration change by using zonecfg -z zone info.
3. Reboot the zone to make the configuration effective.

To remove the CPU shares configuration from either the global zone or a non-global zone, use the zonecfg -z clear cpu-shares command. The steps for completing this task are listed in the slide.

Removing the CPU Shares Configuration from a Zone: Example

    # zonecfg -z hrzone clear cpu-shares
    # zonecfg -z hrzone info
    zonename: hrzone
    zonepath: /zones/hrzone
    brand: solaris
    autoboot: true
    bootargs:
    pool:
    limitpriv:
    scheduling-class:
    ip-type: exclusive
    hostid:
    fs-allowed:
    net:
        address not specified
        allowed-address not specified
        configure-allowed-address: true
        physical: vnic1
        defrouter not specified
    ...
    # zoneadm -z hrzone shutdown -r

In the example shown in the slide, you remove the CPU shares configuration from hrzone by using the zonecfg -z clear cpu-shares command. You then confirm the configuration change. The CPU shares entry is no longer part of the zone's configuration.
Your final step is to reboot the zone by using the shutdown -r command to make the configuration changes effective.

Practice 10-2 Overview: Configuring FSS in an Oracle Solaris Zone

This practice covers the following topics:
• Configuring CPU shares and monitoring FSS in two zones
• Removing the CPU shares configuration

This practice should take you about 30 minutes to complete.

Summary

In this lesson, you should have learned how to:
• Implement a plan for executing a process in an appropriate scheduling class
• Manage process scheduling priority
• Manage the scheduling class of a zone
• Configure the fair share scheduler
• Monitor the fair share scheduler

Evaluating System Resources
Objectives

After completing this lesson, you should be able to:
• Implement a plan to evaluate resource allocation and system performance
• Configure system resources
• Monitor system performance

In this lesson, "Evaluating System Resources," you are introduced to resource controls and shown how to configure system resources to use them. You are also introduced to a number of system utilities that you can use to monitor the usage of these system resources.

Workflow Orientation

[Figure: job workflow diagram with the stages IPS, AI INSTALLATION, MONITORING, DATA STORAGE, RESOURCE EVALUATION, NETWORK CONFIGURATION, PROCESSES, ENTERPRISE DATACENTER, NETWORK VIRTUALIZATION, AUDITING, SERVICES, and PRIVILEGES.]

Before you begin the lesson, take a moment to orient yourself in your job workflow. Up to this point you have been configuring all the pieces of your system to create a fully functional and secure operating environment. In this lesson you are first shown how to optimize the use of your system resources by configuring the resources and then allocating them. You are then shown how to monitor the usage of these resources to ensure that the system resources have been appropriately allocated to the existing processes.
Lesson Agenda
• Planning for Resource Allocation and System Performance Evaluation
• Configuring and Administering System Resources
• Monitoring System Performance

Planning for Resource Allocation and System Performance Evaluation

The resource allocation and system performance evaluation plan ensures that:
• Business applications are being given the appropriate priority in terms of system resource allocation
• Resource allocation is being monitored regularly
• Adjustments are made as necessary to resource controls to ensure continued optimal use of system resources

As part of the predeployment testing activities, your company has put a plan in place that addresses which business application processes should be given priority. The company knows that Oracle Solaris 11 supports resource management, so they are looking to you to create a resource configuration that presents the least compromise to the service goals of the business while working within the limitations of the system's capabilities. The plan also calls for system resources to be monitored on a regular basis and resource controls to be adjusted as necessary to ensure the continued optimal use of the system's resources.
In this topic you are introduced to resource controls as a means of controlling system resource allocation. You are also introduced to a number of tools for monitoring resource usage.

Resource Management
• Resource management enables you to control how applications use available system resources.
• With resource management, you can:
  – Allocate system resources
  – Monitor how the allocations are being used
  – Adjust the allocations as necessary
  – Increase resource usage

You have already learned about resource management in the context of zones, where you controlled your resource allocations through the use of resource pools. In this lesson, you expand your understanding of resource management.

The ability to minimize cross-workload performance compromises, along with the facilities that monitor resource usage, is referred to as resource management. Resource management enables you to control how applications use available system resources. You can allocate system resources, such as processor time and memory, to ensure that your applications have the required response times. You can then monitor how the allocations are being used and adjust the allocations as necessary to address the needs of the business.

You can also use resource management to increase resource usage. By categorizing and prioritizing usage, you can effectively use reserve capacity during off-peak periods, thereby often eliminating the need for additional processing power.
Resource Management Control Mechanisms
• Constraint: Limits the consumption of specific resources for a workload
• Scheduling: Makes a sequence of allocation decisions at specific intervals
• Partitioning: Binds a workload to a subset of the system's available resources

The Oracle Solaris operating system uses three types of resource management control mechanisms: constraints, scheduling, and partitioning.

The constraint mechanism enables you to set bounds on the consumption of specific resources for a workload. You can use bounds to control ill-behaved applications that might negatively compromise system performance or availability through unregulated resource requests. An example of a constraint mechanism is resource capping.

The scheduling mechanism refers to making a sequence of allocation decisions at specific intervals. An application that has had a scheduling mechanism applied to it leaves the resource available for another application's use if it does not need its current allocation. Scheduling-based resource management enables full usage of an undercommitted configuration, while providing controlled allocations in a critically committed or overcommitted situation. An example of a scheduling mechanism is the fair share scheduler (FSS).

A partitioning mechanism is used to bind a workload to a subset of the system's available resources. This binding guarantees that a known amount of resources is always available to the workload. An example of a partitioning mechanism is a resource pool.
You have already had exposure to using the scheduling and partitioning mechanisms as a means of controlling resources. In the previous lesson on managing processes, you learned how to use scheduling classes to control resource allocation to processes in both the global zone and non-global zones. In the lesson on zones, you used resource pools to control resource allocation. In this lesson, you focus on using constraint mechanisms to set resource controls on the processes associated with projects and tasks.

Projects and Tasks

• Project: Provides a network-wide administrative identifier for related work
• Task: Collects a group of processes into a manageable entity that represents a workload component

Projects and tasks are used to separate and identify workloads.

To optimize workload response, you must first be able to identify the workloads that are running on the system you are analyzing. This information can be difficult to obtain by using either a purely process-oriented or a user-oriented method alone. In the Oracle Solaris system, you have two additional facilities that can be used to separate and identify workloads: the project and the task. The project provides a network-wide administrative identifier for related work.
The task collects a group of processes into a manageable entity that represents a workload component.

Project/Task/Process Relationship

[Figure: Project 1 contains Task 1, Task 2, and Task 3; Process 1 through Process 9 are each a member of exactly one of the three tasks.]

A user or group can belong to one or more projects. These projects can be used to represent the workloads in which the user (or group of users) is allowed to participate. This membership can then be the basis of chargeback that is based on, for example, usage or initial resource allocations. Although a user must be assigned to a default project, the processes that the user launches can be associated with any of the projects of which that user is a member. Each successful login into a project creates a new task that contains the login process. The task is a process collective that represents a set of work over time. A task can also be viewed as a workload component. Each task is automatically assigned a task ID. As illustrated by the graphic, each process is a member of one task, and each task is associated with one project.

Resource Controls

• Resource controls can be set at the process, task, project, and zone levels.
• For a list of available resource controls, see resource_controls.
• Example resource controls include:
  – process.max-cpu-time: Maximum CPU time that is available to this process, expressed as a number of seconds
  – task.max-lwps: Maximum number of LWPs simultaneously available to this task's processes, expressed as an integer
  – project.cpu-caps: Maximum amount of CPU resources that a project can use
  – zone.max-processes: Maximum number of processes simultaneously available to a zone, expressed as an integer

You can set resource controls at the process, task, project, and zone levels. You can find a list of the available resource controls for each level on the resource_controls man page. Examples of a few resource controls are provided in the slide.

Resource Control Values

Threshold Value:
• A point at which local or global actions can occur
• Associated with the following local actions:
  – none: Takes no action on resource requests for an amount that is greater than the threshold
  – deny: Denies resource request for an amount that is greater than the threshold
  – signal=: Enables a global signal message action when the resource control is exceeded

You define the constraints for a resource control through threshold values and privilege levels. A threshold value on a resource control constitutes a point at which local actions can be triggered or global actions, such as logging, can occur.
• Must have an associated privilege level

Note: Local actions are taken on a process that attempts to exceed the control value. Global actions apply to resource control values for every resource control on the system.

For each threshold value that is placed on a resource control, you can associate one or more actions. There are three types of local actions: none, deny, and signal=. These are defined in the slide.

Note
• The deny action is useful for monitoring resource usage without affecting the progress of applications.
• Not all of the actions can be applied to every resource control. For example, a process cannot exceed the number of CPU shares assigned to the project of which it is a member. Therefore, a deny action is not allowed on the project.cpu-shares resource control.

Each threshold value on a resource control must be associated with a privilege level. You will look at these privilege levels next.

Privilege Levels of Resource Controls

Privilege levels:
• basic: Can be modified by the owner of the calling process
• privileged: Can be modified by the current process or by prctl(1). Can be abbreviated as priv.
• system: Is fixed for the duration of the operating system instance

Example: task.max-lwps=(priv,1K,deny)

The privilege level for a resource control must be one of these three types: basic, privileged (priv), or system. The definitions for all the types are shown in the slide. A resource control is guaranteed to have one system value, which is defined by the system or resource provider.
The system value represents how much of the resource the current implementation of the operating system is capable of providing. You can define any number of privileged values, and only one basic value is allowed. Operations that are performed without specifying a privilege value are assigned a basic privilege by default. The example shows the task.max-lwps resource control. It has been assigned a privilege level of privileged (priv), which means only the user or current process can modify this limit, a threshold value of 1K, and the deny action.

Enforcing Multiple Resource Controls

[Figure: nested containers Zone > Project > Task > Process, each with its own rctl set.]

More than one resource control can exist on a resource. A resource control can exist at each containment level in the process model. If resource controls are active on the same resource at different container levels, the smallest container's control is enforced first. Thus, action is taken on process.max-cpu-time before task.max-cpu-time if both controls are encountered simultaneously.

Setting Resource Controls

Use the utilities in the following table to set and modify resource controls:

Utility   Description
prctl     Get or set the resource controls of running processes, tasks, and projects.
projadd   Administer a new project on the system, to include specifying resource control attributes.
projmod   Modify a project's information on the system, to include modifying a project's resource control attributes.
rctladm   Display or modify the global state of system resource controls.

You can set and modify the resource controls through the utilities listed in the table shown in the slide. You learn how to configure the resource controls by using each of these utilities later in this lesson.

Default /etc/project File

Format of an /etc/project file entry:

projname:projid:comment:user-list:group-list:attributes

Default /etc/project file:

# cat /etc/project
system:0::::
user.root:1::::
noproject:2::::
default:3::::
group.staff:10::::

The resource controls facility is configured through the project database.

Note: Updates to entries in the project database, whether to the /etc/project file or to a representation of the database in a network naming service, are not applied to currently active projects. The updates are applied to new tasks that join the project when either the login or the newtask command is used.

Each entry in the project database consists of one line of text containing six fields separated by colons (:). The format of each entry is shown in the slide. The description for each field is as follows:
• projname: Name of the project
• projid: Project's unique numerical ID (PROJID) within the system. Project IDs below 100 are reserved for the use of the operating system.
• comment: Description of the project
• user-list: Comma-separated list of users allowed in the project. An empty field indicates no users are allowed. Note: See the project man page for special project exceptions.
• group-list: Comma-separated list of groups of users allowed in the project. An empty field indicates no groups are allowed. Note: As with the user-list, there are exceptions. See the project man page for these exceptions.
• attributes: Semicolon-separated list of name-value pairs, the most frequent use of which is resource controls. See the project man page for a list of accepted name-value pairs.

An example of the default /etc/project file is shown in the slide.

Setting Zone-Wide Resource Controls

• The total resource usage of all process entities in a zone is limited.
• You can specify limits for both the global and non-global zones using either:
  – zonecfg command (limits are persistent)
  – prctl command (limits are not persistent)
• Examples of zone-wide resource controls include:
  – zone.cpu-cap: Limits the amount of CPU resource for the zone
  – zone.cpu-shares: Number of fair share scheduler (FSS) CPU shares for the zone
  – zone.max-locked-memory: Total amount of physical locked memory that is available to a zone
Zone-wide resource controls limit the total resource usage of all process entities within a zone. These limits are specified for both the global and non-global zones by using the zonecfg command.

You can also specify these limits for running processes by using the prctl command. However, the limits you specify through the prctl command are not persistent. They are in effect only until the system is rebooted. Some examples of zone-wide resource controls are shown in the slide. For a complete listing and description of the zone-wide resource controls, see the "Setting Zone-Wide Resource Controls" section of Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management.

Monitoring Resource Consumption

Performance tools enable you to:
• View current resource consumption
• Evaluate the need to:
  – Restrict access to a given resource
  – Isolate particular workloads from other workloads

In this lesson, you learn how to use these utilities:
• vmstat: Reports virtual memory statistics
• iostat: Reports I/O statistics
• df: Displays status of disk space on file systems
• sar: Reports on system activities

Oracle Solaris 11 supports a number of performance tools that enable you to view the current resource consumption of workloads that are running on your system. By using these tools, you can evaluate whether you must restrict access to a given resource or isolate particular workloads from other workloads.
In this lesson you learn how to use the vmstat, iostat, and df utilities to evaluate memory and disk resource usage. You also learn how to use the sar utility to monitor system activities.

Implementing the Resource Allocation and System Performance Evaluation Plan

Your assignment is to:
• Configure system resources
• Put resource controls in place
• Monitor the use of these resources

As part of the predeployment testing effort, you have been assigned the task of configuring system resources, putting resource controls in place, and then monitoring the use of these resources. In the topics that follow, you learn how to complete each of these tasks.

Quiz

Which of the following resource management control mechanisms limits the consumption of specific resources for a workload?
a. Constraint
b. Scheduling
c. Partitioning

Answer: a

Quiz

Resource controls can be set at the process, task, project, and zone levels.
a. True
b. False
Answer: a

Quiz

A resource control threshold value must have an associated privilege level.
a. True
b. False

Answer: a

Quiz

In the following resource control, which value defines a local action?

task.max-lwps=(priv,1K,deny)

a. task.max-lwps=
b. priv
c. 1K
d. deny

Answer: d

Quiz

You can specify limits for both the global and non-global zones by using zonecfg, but the limits are not persistent.
a. True
b. False
Answer: b

Lesson Agenda

• Planning for Resource Allocation and System Performance Evaluation
• Configuring and Administering System Resources
• Monitoring System Performance

Configuring and Administering System Resources

This section covers the following topics:
• Administering projects and tasks
• Administering resource controls and attributes

Administering Projects and Tasks

• Displaying the default projects in a system
• Defining a project
• Obtaining project membership information
• Modifying a project
• Adding attributes and attribute values to a project
• Substituting attributes and attribute values for a project
• Removing attributes or attribute values from a project
• Displaying currently running projects
• Creating a new task
• Moving a running process into a new task
• Deleting a project
Displaying the Default Projects in the System

To display the default projects in a system, use projects -l.

# projects -l
system
        projid : 0
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
user.root
        projid : 1
        comment: ""
        users  : (none)
        groups : (none)
        attribs:

Default /etc/project File

noproject
        projid : 2
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
default
        projid : 3
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
group.staff
        projid : 10
        comment: ""
        users  : (none)
        groups : (none)
        attribs:

The continuation of the default /etc/project file is shown in the example in the slide.

Defining a Project

1. View the default projects on your system by using projects -l.
2. Add a project by using projadd -U username -p projid project.
3. View the projects file again to verify that the new project has been added.
# projects -l
# projadd -U jjones -p 4115 testproj
# projects -l
testproj
        projid : 4115
        comment: ""
        users  : jjones
        groups : (none)
        attribs:

To define a project, you add it by using the projadd command. The steps listed in the slide show how to define a project.

Notes for step 1: Check to see what projects have been defined in the system and determine what project ID number is available for your project.

Notes for step 2: The options that are used with the projadd command are as follows:
• -U user: Specifies a user for the project. Multiple users can be specified by using a comma-separated list.
• -p projid: Sets the project ID for the new project.

Note: The projid should be specified as a non-negative decimal integer below UID_MAX as defined in limits.h. The projid defaults to the next available unique number above the highest number currently assigned. For example, if projids 100, 105, and 200 are assigned, the next default projid is 201. projids between 0 and 99 are reserved by the Oracle Solaris operating system.

For a full list of options, see the projadd man page.

In the example in the slide, after you have checked the project file, you create a new project called testproj with project ID 4115 and assign it to the user jjones. You then verify that your new project has been added to the projects file.

Obtaining Project Membership Information

To obtain information about project membership, use id -p.

# /usr/bin/id -p
uid=0(root) gid=0(root) projid=4015(testproj)
To obtain information about project membership, you use the id -p command. The id command is used to return user identity. The -p option provides information about the current project membership of the invoking process. In the example in the slide, you are displaying the identity of the current user, which in this case is root. You can see that the project you just created, testproj (4015), has been assigned to this user.

Modifying a Project

1. Modify the project by using projmod.
2. View the projects file to verify that the modifications to the project have been added.

# projmod -G testers -c "Oracle Solaris test team" testproj
# projects -l
testproj
        projid : 4115
        comment: "Oracle Solaris test team"
        users  : jjones
        groups : testers
        attribs:

To modify the information associated with a project, such as giving the project a new name or project ID or adding a comment, you use the projmod command, as shown in the steps listed in the slide. For a list of the options you can use with the projmod command, see the projmod man page.

In the example in the slide, you are making several modifications to the testproj project. You are adding a group called testers by using the -G option, and you are adding a short description of the project, "Oracle Solaris test team", by using the -c option. You then verify that your modifications are reflected in the projects file.
Adding Attributes and Attribute Values to a Project

1. Add an attribute to a project by using projmod -a -K name=value project.
2. Add another value to the existing list of values by using the same options.
3. View the projects file to verify that the attribute and attribute values have been added.

# projmod -a -K "task.max-lwps=(priv,100,deny)" testproj
# projmod -a -K "task.max-lwps=(priv,1000,signal=KILL)" testproj
# projects -l
testproj
        projid : 4115
        comment: "Oracle Solaris test team"
        users  : jjones
        groups : testers
        attribs: task.max-lwps=(priv,100,deny),(priv,1000,signal=KILL)

You can also use the projmod command to edit project attributes. The steps for adding an attribute are shown in the slide.

The -K option specifies a replacement list of attributes. Attributes are delimited by semicolons (;). When the -K option is used with the -a option, the attribute or attribute value is added.

Notes for step 1: The value consists of a privilege level, a threshold value, and an action associated with reaching the threshold.

Notes for step 2: Multiple values are separated by commas.

In the example in the slide, you are adding a resource control attribute to the project that will restrict the maximum number of lightweight processes (max-lwps) to 100. You then add another resource control attribute that generates a KILL signal to the project if the number of lightweight processes exceeds 1000. Your last step is to verify that the attribute and attribute values have been added to the projects file, and they have.
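To make the six-field /etc/project entry format and the (privilege,threshold,action) resource control tuples concrete, here is an added Python example that is not part of the course material or of Oracle's tools: it parses entries such as the default file and the testproj entry above, validates each rctl value against the privilege levels and local actions defined earlier, and models which local actions a request would trigger. The sample file contents are constructed, the decimal scaling of K/M/G modifiers is an assumption, and check_request is a simplified model of the local actions, not the kernel's enforcement code.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of an /etc/project file: the five default entries from
# the slide plus the testproj entry as it would look after the two
# 'projmod -a -K' commands (assumed layout, not copied from a real system).
SAMPLE_PROJECT_FILE = """\
system:0::::
user.root:1::::
noproject:2::::
default:3::::
group.staff:10::::
testproj:4115:Oracle Solaris test team:jjones:testers:task.max-lwps=(priv,100,deny),(priv,1000,signal=KILL)
"""

PRIV_LEVELS = {"basic", "priv", "privileged", "system"}
# Assumption: scale modifiers are decimal (1K = 1000), which is what the
# slide's task.max-lwps=(priv,1K,deny) example implies for an LWP count.
SCALE = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}


@dataclass
class RctlValue:
    privilege: str   # basic | priv | privileged | system
    threshold: int   # numeric threshold after scaling
    action: str      # none | deny | signal=<SIG>


@dataclass
class Project:
    name: str
    projid: int
    comment: str
    users: list
    groups: list
    attributes: dict = field(default_factory=dict)  # attribute name -> raw value


def parse_threshold(text):
    """'1K' -> 1000, '100' -> 100; anything else is rejected."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError(f"bad threshold {text!r}")
    return int(m.group(1)) * SCALE[m.group(2)]


def parse_rctl_values(spec):
    """'(priv,100,deny),(priv,1000,signal=KILL)' -> RctlValue list sorted by
    threshold. Rejects a wrong field count, an unknown privilege level or an
    unknown local action."""
    values = []
    for tup in re.findall(r"\(([^()]*)\)", spec):
        parts = [p.strip() for p in tup.split(",")]
        if len(parts) != 3:
            raise ValueError(f"rctl value needs privilege,threshold,action: {tup!r}")
        priv, thr, action = parts
        if priv not in PRIV_LEVELS:
            raise ValueError(f"unknown privilege level {priv!r}")
        if action not in ("none", "deny") and not re.fullmatch(r"signal=\w+", action):
            raise ValueError(f"unknown action {action!r}")
        values.append(RctlValue(priv, parse_threshold(thr), action))
    return sorted(values, key=lambda v: v.threshold)


def parse_project_line(line):
    """One entry: projname:projid:comment:user-list:group-list:attributes."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 6:
        raise ValueError(f"expected 6 colon-separated fields: {line!r}")
    name, projid, comment, users, groups, attrs = fields
    if not projid.isdigit():                 # projid is a non-negative integer
        raise ValueError(f"bad projid {projid!r}")
    proj = Project(name, int(projid), comment,
                   [u for u in users.split(",") if u],
                   [g for g in groups.split(",") if g])
    for attr in filter(None, attrs.split(";")):   # attributes are ;-separated
        key, _, value = attr.partition("=")       # keep '=' inside signal=KILL
        proj.attributes[key] = value
    return proj


def parse_project_file(text):
    """Whole file -> {projname: Project}; blank and '#' lines are skipped."""
    return {p.name: p for p in (parse_project_line(l) for l in text.splitlines()
                                if l.strip() and not l.startswith("#"))}


def check_request(values, requested):
    """Simplified model of the local actions: every value whose threshold the
    request exceeds fires its action. Returns (denied, signals): 'denied' is
    the lowest deny threshold crossed (None if the request is allowed) and
    'signals' lists the signal names of the signal= values crossed."""
    denied, signals = None, []
    for v in values:                          # ascending thresholds
        if requested > v.threshold:
            if v.action == "deny" and denied is None:
                denied = v.threshold
            elif v.action.startswith("signal="):
                signals.append(v.action.split("=", 1)[1])
    return denied, signals


if __name__ == "__main__":
    projects = parse_project_file(SAMPLE_PROJECT_FILE)
    rctl = parse_rctl_values(projects["testproj"].attributes["task.max-lwps"])
    for n in (100, 101, 1001):
        print(n, "LWPs ->", check_request(rctl, n))
```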
Substituting Attributes and Attribute Values for a Project

1. Replace an attribute of a project by using projmod -s -K name=value project.
2. View the projects file to verify that the attribute and attribute values have been replaced.

# projmod -s -K "task.max-lwps=(priv,120,deny),(priv,800,signal=KILL)" testproj
# projects -l
testproj
        projid : 4115
        comment: "Oracle Solaris test team"
        users  : jjones
        groups : testers
        attribs: task.max-lwps=(priv,120,deny),(priv,800,signal=KILL)

You can substitute attributes and attribute values for a project by using the projmod command with the -s and -K options, as shown in the steps in the slide.

Notes for step 1: If the attribute does not exist, it is created.

Notes for step 2: Multiple values are separated by commas.

In the example in the slide, you are replacing the current task.max-lwps values that you defined previously with the new values shown. To verify that the substitution has been made, you view the projects file. You can see here that the substitution for the resource control attribute has been made.

Removing Attributes or Attribute Values from a Project

1. Remove an attribute or attribute value from a project by using projmod -r -K name=value project.
2. View the projects file to verify that the attribute or attribute value has been removed.
# projmod -r -K "task.max-lwps=(priv,120,deny)" testproj
# projects -l
testproj
        projid : 4115
        comment: "Oracle Solaris test team"
        users  : jjones
        groups : testers
        attribs: task.max-lwps=(priv,800,signal=KILL)

# projmod -r -K task.max-lwps testproj

If you want to remove an attribute or attribute value from a project, you use the -r and -K options with the projmod command, as shown in the steps listed in the slide.

In the first example, you are removing the attribute value that restricts the maximum number of lightweight processes (max-lwps) to 120. You then verify that the attribute value has been removed from the project's attribute entry in the projects file, and it has. The second attribute value that you added previously still remains.

In the second example, you are removing the entire resource control attribute. If you were to view the projects file again, you would see nothing listed in the attribs field.

Displaying Currently Running Processes and Projects

To display the processes and projects that are currently running on the system, use prstat -JR.

# prstat -JR
…
PROJID    NPROC  SWAP   RSS    MEMORY      TIME  CPU PROJECT
  4015        2  312K   7328K    0.7%   2:35:44  50% testproj
     1        3  2912K  17M      1.6%   0:00:00 0.3% user.root
     0       99  142M   170M      17%   0:00:47 0.0% system
To display statistical information, such as memory and CPU usage, for the processes and projects that are currently running on the system, you can use the prstat -JR command, as shown in this example. The command displays the following information:
• PROJID: ID number of the project
• NPROC: Number of processes in the project
• SWAP: Total virtual memory size of the process, including all mapped files and devices, in kilobytes (K), megabytes (M), or gigabytes (G)
• RSS: Resident set size of the process in kilobytes (K), megabytes (M), or gigabytes (G)
• MEMORY: Percentage of memory used by a specified collection of processes
• TIME: Cumulative execution time for the process
• CPU: Percentage of recent CPU time used by the process
• PROJECT: Project name

Creating a New Task

To create a new task, use newtask -v -p project.

# newtask -v -p testproj
16

To create a new task and associate it with a project, you use the newtask command, as shown in the slide. You can use the -v option with this command to obtain the system task ID. The -p option specifies the project. The newtask command creates a new task in the specified project and places the user's default shell in this task. For a full list of options, see the newtask man page.

In the example in the slide, you are creating a task for the testproj project. The task ID is 16.
Moving a Running Process into a New Task

1. Determine the process ID by using pgrep process.
2. Associate the process ID with a task ID in a project by using newtask -v -p projid -c pid.
3. Confirm the task to process ID mapping by using pgrep -T taskID.

# pgrep test1
8103
# newtask -v -p testproj -c 8103
15
# pgrep -T 15
8103

If you are handling a critical process that cannot be restarted in order to place it into a new project, you can take a running process and put it into an existing project by creating a new task. To associate a running process with a new task in an existing project, use the newtask command, as shown in the steps in the slide.
Note: To perform this task, you must either be the superuser, have the required rights profile, or be the owner of the process and be a member of the new project.
Notes for step 1: Check to see what projects have been defined in the system and determine what project ID number is available for your project.
Notes for step 2: The options that are used with the newtask command are as follows:
• -p project_name: Specifies the project name
• -c pid: Specifies the process ID of the process that is being mapped to the task
In the example in the slide, you have a running process called test1 that you want to map to a task associated with the testproj project. First, you determine the process ID for test1; it is 8103. You then map the running process's PID to testproj by using the newtask command, which generates a new task with the task ID 15. Your last step is to verify that the new task is mapped to the running process, and it is.
Deleting a Project

1. Remove the project by using projdel project.
2. Display the projects file by using projects -l to verify that the project has been deleted.
3. Log in as a user and enter projects to view the projects that are assigned to this user.

# projdel testproj
# projects -l
# su - jjones
# projects
default

If you no longer need a project, you can delete it by using the projdel command. The steps listed in the slide show how to remove a project from the /etc/project file.
Notes for step 3: You should no longer see the deleted project listed.
In the example in the slide, you are deleting the testproj project by using the projdel command. You then verify that the project no longer appears in the projects file. Next, you log in as the user jjones to again verify that the project is no longer assigned to this user. As you can see, the testproj project is no longer associated with jjones. The only project assigned to jjones is the default project.

Administering Resource Controls and Attributes

• Displaying the default resource controls
• Displaying information about a given resource control
• Displaying current resource control settings
• Monitoring resource control events globally
In this section, you learn how to display the default resource controls for the system; how to display information for a specific resource control; how to display the current resource control settings for a process, task, project, or zone; and how to set up system-wide resource control monitoring.

Displaying the Default Resource Controls

To display the default resource controls, use prctl $$.

# prctl $$
process: 3320: bash
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
process.max-port-events
        privileged      65.5K       -   deny                                 -
        system          2.15G     max   deny                                 -
… … …
task.max-cpu-time
        usage              0s
        system          18.4Es    inf   none                                 -
… … …
project.max-contracts
        privileged      10.0K       -   deny                                 -
        system          2.15G     max   deny                                 -
… … …
zone.max-lofi
        usage               0
        system          18.4E     max   deny                                 -
… … …

To determine what resource controls are available for a process, such as the current shell that is running, you use the prctl $$ command.
Note: $$ refers to the current shell process. This command can be used only on a system on which you have not set or changed the resource controls. There can be no non-default entries in the /etc/system file or in the project database.
Note: The prctl command can be used to get or set the resource controls of running processes, tasks, projects, and zones.
In the example in the slide, which contains only a partial sample, the resource controls that are available for the bash process are listed. They include resource controls for processes, tasks, projects, and zones. The threshold value, flags, actions, and recipient are listed for each resource control attribute.
Note: For a complete list of local flags, global flags, and their definitions, see rctlblk_set_value(3C). You will have a chance to see the full list of available resources during the practice.

Displaying Current Resource Control Settings

To display the current resource control settings, use prctl -i id.

# ps -o taskid -p $$
TASKID
    96
# prctl -i task 96
task: 96
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
task.max-cpu-time
        usage             26s
        system          18.4Es    inf   none                                 -
… … …
project.cpu-shares
        usage               1
        privileged          1       -   none                                 -
        system          65.5K     max   none                                 -
zone.max-lofi
        usage               0
        system          18.4E     max   deny                                 -
… … …

To determine what the resource control settings are for a process, project, task, or zone, you can use the prctl -i command with the process, project, task, or zone ID.
In the example in the slide, you want to display the current resource control settings for a particular task. You run the ps -o command to determine the task ID for the currently running process. The task ID is 96. You then run the prctl command for task 96 to display the current control settings for that task.

Displaying Information About a Given Resource Control

To display information about a specific resource control, use prctl -n control.attribute $$.
# prctl -n task.max-lwps $$
process: 3220: bash
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
task.max-lwps
        usage               3
        privileged          3       -   deny                                 -
        system          2.15G     max   deny                                 -

To display information about a specific resource control, use the prctl command with the -n option to specify the name of the resource control, followed by the resource control attribute and $$.

Enabling Global Resource Control Monitoring

To enable the global resource control monitoring, use rctladm -e syslog control.attribute.

# rctladm -e syslog task.max-lwps
# rctladm
process.max-port-events    syslog=off     [ deny count ]
process.max-msg-messages   syslog=off     [ deny count ]
process.max-msg-qbytes     syslog=off     [ deny bytes ]
process.max-sem-ops        syslog=off     [ deny count ]
… … …
task.max-cpu-time          syslog=off     [ no-deny cpu-time no-obs inf seconds ]
task.max-processes         syslog=off     [ count ]
task.max-lwps              syslog=notice  [ count ]
… … …
zone.max-lofi              syslog=off     [ no-basic deny count ]
zone.max-swap              syslog=off     [ no-basic deny bytes ]
zone.max-locked-memory     syslog=off     [ no-basic deny bytes ]
… … …

After you have set a resource control, you can enable system-wide resource controls to monitor resource consumption and log a notification to syslog when a resource control threshold value is exceeded. To enable the global syslog attribute of a resource control, use the rctladm -e syslog command with the global syslog attribute for the resource control, as shown in the slide.
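The following script is an added example; it is not part of the course material or of Oracle's rctladm. It reads an rctladm listing in the layout shown above and reports which resource controls are actually being logged to syslog and which of a required set are still off. The listing it parses is a constructed excerpt; on a real host you would feed it the output of rctladm itself.

```shell
#!/bin/sh
# Added example, not part of the course or of Oracle's rctladm: audit the
# global syslog state that "rctladm" (no arguments) reports, so that you can
# confirm the controls you expect to be logged really are.
# SAMPLE_RCTLADM is a constructed excerpt in the layout of the listing in
# the slide; on a real host replace it with the output of: rctladm

SAMPLE_RCTLADM='process.max-port-events    syslog=off     [ deny count ]
process.max-msg-messages   syslog=off     [ deny count ]
task.max-cpu-time          syslog=off     [ no-deny cpu-time no-obs inf seconds ]
task.max-processes         syslog=off     [ count ]
task.max-lwps              syslog=notice  [ count ]
zone.max-swap              syslog=off     [ no-basic deny bytes ]
zone.max-locked-memory     syslog=off     [ no-basic deny bytes ]'

# Print every control whose syslog attribute is not "off": the control name,
# a tab, and the syslog level (for example "task.max-lwps<TAB>notice").
monitored_controls() {
    printf '%s\n' "$SAMPLE_RCTLADM" |
    awk 'NF && $2 != "syslog=off" { sub(/^syslog=/, "", $2); print $1 "\t" $2 }'
}

# Given the controls that local policy says must be logged, print the ones
# still at syslog=off; each of those is a gap to close with
#   rctladm -e syslog <control>
unmonitored_required() {
    for ctl in "$@"; do
        printf '%s\n' "$SAMPLE_RCTLADM" |
        awk -v c="$ctl" '$1 == c && $2 == "syslog=off" { print $1 }'
    done
}

echo "controls logged to syslog:"
monitored_controls
echo "required controls still unmonitored:"
unmonitored_required task.max-lwps task.max-processes zone.max-swap
```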
Note: The rctladm command is used to display or modify the global state of system resource controls. For a list of options that can be used with this command, see the rctladm man page.
In the example in the slide, you are enabling the global syslog attribute of task.max-lwps. By using the rctladm command without arguments, you can view the global logging state of each resource control on a system-wide basis, as shown in the second example. In the example in the slide, you can see that because you have enabled global resource control monitoring for the task.max-lwps resource control, syslog messaging for that resource control has been set to notice. When the threshold for this resource control value is exceeded, a log entry will be generated in the /var/adm/messages file.

Practice 11-1 Overview: Managing Resource Controls in Global and Non-Global Zones

This practice covers the following topics:
• Administering projects and tasks
• Configuring resource controls and attributes

The practices for this lesson are designed to reinforce the concepts that have been presented in the lecture portion. These practices cover the following tasks:
• Practice 11-1: Managing resource controls in global and non-global zones
• Practice 11-2: Evaluating system performance levels
Practice 11-1 should take you about 30 minutes to complete.
Lesson Agenda

• Planning for Resource Allocation and System Performance Evaluation
• Configuring and Administering System Resources
• Monitoring System Performance

Monitoring System Performance

This section covers the following topics:
• Displaying virtual memory statistics and information
• Displaying disk usage information
• Monitoring system activities

Displaying Virtual Memory Statistics and Information

• Displaying virtual memory statistics
• Displaying system event information
• Displaying swapping statistics

To obtain virtual memory statistics and information about system events, such as CPU load, paging, number of context switches, device interrupts, and system calls, you can use the vmstat command. You can also use this command to display statistics on swapping, cache flushing, and interrupts.
In this section, you focus on using the vmstat command to display virtual memory statistics, system event information, and swapping statistics.
Note: To see information about how to use vmstat to gather other types of virtual memory-related statistics, see Oracle Solaris Administration: Common Tasks.

Displaying Virtual Memory Statistics

To display virtual memory statistics, use vmstat n.

# vmstat 5
 kthr      memory            page            disk          faults      cpu
 r b w   swap  free  re  mf pi po fr de sr s0 s1 s2 s3   in   sy   cs us sy id
 0 0 0  11456  4120   1  41 19  1  3  0  2  0  4  0  0   48  112  130  4 14 82
 0 0 1  10132  4280   0   4 44  0  0  0  0  0 23  0  0  211  230  144  3 35 62
 0 0 1  10132  4616   0   0 20  0  0  0  0  0 19  0  0  150  172  146  3 33 64
 0 0 1  10132  5292   0   0  9  0  0  0  0  0 21  0  0  165  105  130  1 21 78
 1 1 1  10132  5496   0   0  5  0  0  0  0  0 23  0  0  183   92  134  1 20 79
 1 0 1  10132  5564   0   0 25  0  0  0  0  0 18  0  0  131  231  116  4 34 62
 1 0 1  10124  5412   0   0 37  0  0  0  0  0 22  0  0  166  179  118  1 33 67
 1 0 1  10124  5236   0   0 24  0  0  0  0  0 14  0  0  109  243  113  4 56 39

The vmstat command reports virtual memory statistics regarding kernel thread (kthr), virtual memory (memory), disk (disk), trap (faults), and CPU (cpu) activity. A five-second interval is a good choice for live monitoring.
Note: For a description of each field, see the vmstat man page.
By using this command, you can determine virtual memory performance and identify memory bottlenecks. Turn your attention to the page and cpu fields. In the page field you want to look for po (page outs) and sr (scan rate).
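As an added example that is not part of the course, the following shell function applies the po/sr rule from this slide (both columns above 100 per second at the same time) to vmstat output. The sample rows that exceed the threshold are constructed; the column positions are read from the vmstat header rather than hard-coded.

```shell
#!/bin/sh
# Added example (not from the course): flag vmstat intervals in which both
# po (page-outs) and sr (scan rate) exceed 100 per second, the sign the
# course gives that the page daemon is stealing memory from processes.
# SAMPLE_VMSTAT is a constructed excerpt in the layout of "vmstat 5"; the
# rows with values above 100 are invented so that the check fires. On a
# real host pipe "vmstat 5 12" into paging_pressure instead.

SAMPLE_VMSTAT=' kthr      memory            page            disk          faults      cpu
 r b w   swap  free  re  mf pi po fr de sr s0 s1 s2 s3   in   sy   cs us sy id
 0 0 0  11456  4120   1  41 19  1  3  0  2  0  4  0  0   48  112  130  4 14 82
 0 0 1  10132  4280   0   4 44  0  0  0  0  0 23  0  0  211  230  144  3 35 62
 2 1 1   9800  1200   0   0  5 140 210 0 160 0 25  0  0  300  410  201  9 61 30
 3 1 1   9750  1100   0   0  2 180 250 0 220 0 27  0  0  320  480  215 10 65 25
 1 0 1  10124  5236   0   0 24  0  0  0  0  0 14  0  0  109  243  113  4 56 39'

# Read vmstat output on stdin; print the sample number (1-based, counting
# data rows only) and its po/sr pair for every row over the threshold
# (default 100, override with the first argument). The po and sr column
# numbers are taken from the header line, so the function does not depend
# on which disk columns (s0..s3, dd, f0, ...) the host reports.
paging_pressure() {
    awk -v limit="${1:-100}" '
        /^ *r +b +w / { for (i = 1; i <= NF; i++) { if ($i == "po") po = i; if ($i == "sr") sr = i }; next }
        po && $1 ~ /^[0-9]+$/ && NF >= sr {
            n++
            if ($po + 0 > limit && $sr + 0 > limit) printf "sample %d: po=%s sr=%s\n", n, $po, $sr
        }'
}

# Run the check over the embedded sample (same optional threshold argument).
vmstat_check_sample() {
    printf '%s\n' "$SAMPLE_VMSTAT" | paging_pressure "$@"
}

vmstat_check_sample
```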
When both are consistently high (more than 100 per second) at the same time, the page daemon is being forced to steal free memory from running processes.
Note: The free column (located in the memory section to the right of the swap column) may not be a good indication of the available memory in the system. This is because, after memory pages are used by the file system buffer cache, they are not returned to the free list. When the page daemon detects a memory shortfall, it scans for pages that can be freed. Pages are then freed from the file system buffer cache for the use of applications.
In the cpu field, when the system is consuming less CPU, more memory is available to the system. This usage is reflected in the sy column and by the amount of CPU idle time reflected in the id column.
Note: The us column displays user time.
In the example in the slide, on the last line of the output, you can see that the system is staying on the CPU longer, which means the CPU idle time is lower, which equates to less available memory. However, on the first line of the output, the system is consuming very little CPU time and the idle time is very high, which means more memory is available.

Displaying System Event Information

To display system event information, use vmstat -s.

# vmstat -s
        0 swap ins
        0 swap outs
        0 pages swapped in
        0 pages swapped out
   522586 total address trans. faults taken
    17006 page ins
       25 page outs
    23361 pages paged in
       28 pages paged out
    45594 total reclaims
    45592 reclaims from free list
        0 micro (hat) faults
   522586 minor (as) faults
    16189 major faults
    98241 copy-on-write faults
   137280 zero fill page faults
    45052 pages examined by the clock daemon
        0 revolutions of the clock hand
       26 pages freed by the clock daemon
     2857 forks
       78 vforks

To display system event information (specifically the system events that have occurred since the last reboot), you use the vmstat -s command, as shown in the slide. This command can give you an indication of what is occurring in the system that might be causing a load on the system memory. The number of reclaims from free list is an indication of how quickly the system was running out of memory. Because programs require memory to run, it might explain why there is a load on the system. Other system events that can impact memory are the number of forks that have occurred.
Note: Forks refer to the number of processes launching subprocesses. Each subprocess that is launched creates a workload that requires memory and CPU resources to run.

Displaying Swapping Statistics

To display swapping statistics, use vmstat -S.

# vmstat -S
 kthr      memory            page            disk          faults      cpu
 r b w   swap   free  si  so pi po fr de sr dd f0 s1 --   in   sy   cs us sy id
 0 0 0 862608 364792   0   0  1  0  0  0  0  0  0  0  0  406  394  213  1  0 99
To display swapping statistics, use the vmstat command with the -S option. With this command, you can evaluate the workload created by one job running in the background.

Displaying Disk Usage Information

• Displaying general disk usage information
• Displaying disk space information

If you are specifically interested in monitoring disk usage, you can use the iostat command, in both a normal and an extended format. If you want to find out about disk space, you can use the df command.

Displaying General Disk Usage Information

To display general disk usage information, use iostat n.

# iostat 5
      tty          sd0           sd1           sd2           sd3          cpu
 tin tout kps tps serv  kps tps serv  kps tps serv  kps tps serv   us sy wt id
   0    3 138   4   51    1   0    7    0   0    0    0   0    0    4 10  0 86
   0   47   0   0    0    0   0    0    0   0    0    0   0    0    8 18  0 74
   0   16  50  18    3    0   0    0    0   0    0    0   0    0    8 18  0 74
   0   16   0   0    0    0   0    0    0   0    0    0   0    0    8 18  0 74

The iostat utility provides statistics on terminal, disk, tape I/O, and CPU usage activity. The first line of output shows the statistics from the last time the system was booted. Each subsequent line shows the interval statistics. The default is to show statistics for the terminal (tty), disks (fd and sd), and CPU (cpu).
Note: For a description of each field, see the iostat man page.
With this command, you can determine which disks are taking more time to service transactions by comparing the service times (serv column under each disk) for each disk. In the example in the slide, you can see that the service time for transactions for the sd1 disk is 7 milliseconds as compared to the 51 milliseconds it is taking the sd0 disk to service transactions. Based on this information, you could determine that the sd0 disk is taking longer to service transactions; however, you need to keep in mind the nature of the transactions, which can impact the length of time it takes a disk to service a transaction.

Displaying Disk Space Information

To display disk space information, use df -h.

# df -h | more
Filesystem                        Size  Used  Avail Use% Mounted on
rpool/ROOT/solaris                 14G  3.5G    11G  25% /
swap                              1.2G  388K   1.2G   1% /etc/svc/volatile
/usr/lib/libc/libc_hwcap3.so.1     14G  3.5G    11G  25% /lib/libc.so.1
swap                              1.2G   56K   1.2G   1% /tmp
swap                              1.2G   60K   1.2G   1% /var/run
ora                               202G   60G   142G  30% /opt/ora
rpool/export                       11G   35K    11G   1% /export
rpool/export/home                  11G   34K    11G   1% /export/home
rpool/export/home/jholt            11G   31K    11G   1% /export/home/jholt
rpool/export/home/oracle           11G  5.0M    11G   1% /export/home/oracle
rpool/export/home/tshane           11G   31K    11G   1% /export/home/tshane

To show the amount of disk space occupied by the mounted file systems, the amount of used and available space, and how much of the file system's total capacity has been used, you can use the df -h command, as shown in the slide.
Note: The usable disk space that the df command reports reflects only 90 percent of full capacity. This is because the reporting statistics allow for 10 percent above the total available space. The percentage of disk space actually reported by the df command is used space divided by usable space.
In the example in the slide, you can see that the ZFS file system has used up 3.5 GB out of 14 GB, which equates to 25% of the file system's total capacity.

Monitoring System Activities

• Checking file access operation statistics
• Checking buffer activity
• Checking system call statistics
• Checking disk activity
• Checking unused memory
• Setting up automatic data collection

There are a number of system activities that you can monitor by using the sar utility. In this section, you focus on five: file access operation statistics, buffer activity, system call statistics, disk activity, and unused memory. You conclude this section by learning about how to collect data automatically. For a full list of activities you can monitor with the sar utility, see Oracle Solaris Administration: Common Tasks.

Checking File Access Operation Statistics

To display file access operation statistics, use sar -a.
# sar -a
SunOS s11-desktop 5.11 11.1 i86pc    12/20/2012

00:00:00   iget/s namei/s dirbk/s
01:00:00        0       3       0
02:00:00        0       3       0
03:00:00        0       3       0
04:00:00        0       3       0
05:00:00        0       3       0
06:00:00        0       3       0
07:00:00        0       3       0
08:00:00        0       3       0
08:20:01        0       3       0
08:40:00        0       3       0
09:00:00        0       3       0
09:20:01        0      10       0
09:40:01        0       1       0
10:00:02        0       5       0

Average         0       4       0

To display file access operation statistics, use the sar -a command. The -a option is helpful for viewing how disk-dependent an application is. The output of the command is as follows:
• iget/s: Number of requests made for inodes that were not in the directory name lookup cache (DNLC)
• namei/s: Number of file system path searches per second
• dirbk/s: Number of directory block reads issued per second
Note: You can set the number of displays you want displayed by time intervals in seconds. For example, if you want four displays provided every 10 seconds, you use the command:
# sar -a 10 4
The amount of time reflects how heavily programs and applications are using the file systems. The larger the reported values for these operating system routines, the more time the kernel is spending to access user files. At the system level, if this number is high, then you need to be concerned.

Checking Buffer Activity

To display buffer activity, use sar -b.
# sar -b
SunOS s11-desktop 5.11 11.1 i86pc    12/20/2012

00:00:04  bread/s lread/s %rcache bwrit/s lwrit/s %wcache pread/s pwrit/s
01:00:00        0       0     100       0       0      94       0       0
02:00:01        0       0     100       0       0      94       0       0
03:00:00        0       0     100       0       0      92       0       0
04:00:00        0       1     100       0       1      94       0       0
05:00:00        0       0     100       0       0      93       0       0
06:00:00        0       0     100       0       0      93       0       0
07:00:00        0       0     100       0       0      93       0       0
08:00:00        0       0     100       0       0      93       0       0
08:20:00        0       1     100       0       1      94       0       0
08:40:01        0       1     100       0       1      93       0       0
09:00:00        0       1     100       0       1      93       0       0
09:20:00        0       1     100       0       1      93       0       0
09:40:00        0       2     100       0       1      89       0       0
10:00:00        0       9     100       0       5      92       0       0
10:20:00        0       0     100       0       0      68       0       0
10:40:00        0       1      98       0       1      70       0       0
11:00:00        0       1     100       0       1      75       0       0

Average         0       1     100       0       1      91       0       0

To display buffer activity, use the sar -b command.
Note: The buffer is used to cache metadata. Metadata includes inodes, cylinder group blocks, and indirect blocks.
The most important entries are the cache hit ratios %rcache and %wcache. These entries measure the effectiveness of system buffering. If %rcache falls below 90 percent or if %wcache falls below 65 percent, you might be able to improve performance by increasing the buffer space.
In the example in the slide, the %rcache and %wcache buffers are not causing any slowdowns. All the data is within acceptable limits.

Checking System Call Statistics

To display system call statistics, use sar -c.
# sar -c
SunOS s11-desktop 5.11 11.1 i86pc    12/20/2012

00:00:04  scall/s sread/s swrit/s  fork/s  exec/s  rchar/s  wchar/s
01:00:00       89      14       9    0.01    0.00     2906     2394
02:00:01       89      14       9    0.01    0.00     2905     2393
03:00:00       89      14       9    0.01    0.00     2908     2393
04:00:00       90      14       9    0.01    0.00     2912     2393
05:00:00       89      14       9    0.01    0.00     2905     2393
06:00:00       89      14       9    0.01    0.00     2905     2393
07:00:00       89      14       9    0.01    0.00     2905     2393
08:00:00       89      14       9    0.01    0.00     2906     2393
08:20:00       90      14       9    0.01    0.01     2914     2395
08:40:01       90      14       9    0.01    0.00     2914     2396
09:00:00       90      14       9    0.01    0.01     2915     2396
09:20:00       90      14       9    0.01    0.01     2915     2396
09:40:00      880     207     156    0.08    0.08    26671     9290
10:00:00     2020     530     322    0.14    0.13    57675    36393
10:20:00      853     129      75    0.02    0.01    10500     8594
10:40:00     2061     524     450    0.08    0.08   579217   567072
11:00:00     1658     404     350    0.07    0.06  1152916  1144203

Average       302      66      49    0.02    0.01    57842    55544

To display system call statistics, such as number of system calls, reads, writes, and forks, use the sar -c command. Typically, reads and writes account for about half of the total system calls. However, the percentage varies greatly with the activities that are being performed by the system.
Note: For a description of each field, see the sar man page.
This information is useful when you are developing metrics or want to use dtrace to track down a very high number of system calls.

Checking Disk Activity

To display disk activity, use sar -d.
# sar -d
SunOS s11-desktop 5.11 11.1 i86pc    12/2/2012

12:36:32   device        %busy   avque   r+w/s  blks/s  avwait  avserv
12:40:01   dad1             15     0.7      26     399    18.1    10.0
           dad1,a           15     0.7      26     398    18.1    10.0
           dad1,b            0     0.0       0       1     1.0     3.0
           dad1,c            0     0.0       0       0     0.0     0.0
           dad1,h            0     0.0       0       0     0.0     6.0
           fd0               0     0.0       0       0     0.0     0.0
           nfs1              0     0.0       0       0     0.0     0.0
           nfs2              1     0.0       1      12     0.0    13.2
           nfs3              0     0.0       0       2     0.0     1.9
           nfs4              0     0.0       0       0     0.0     7.0
           nfs5              0     0.0       0       0     0.0    57.1
           nfs6              1     0.0       6     125     4.3     3.2
           nfs7              0     0.0       0       0     0.0     6.0
           sd1               0     0.0       0       0     0.0     5.4
…
…
…

To display disk activity, use the sar -d command. The output will provide you with information about the name of the device that is being monitored (device), the percentage of time the device was busy servicing a transfer request (%busy), the average number of requests (avque), the number of read/write transfers in seconds (r+w/s), the number of block transfers (blks/s), average wait time (avwait), and average time it took for a request to be completed by the device (avserv).
Note: For a description of each field, see the sar man page.
Queue lengths and wait times are measured when something is in the queue. If %busy is small, large queues and service times probably represent the periodic efforts by the system to ensure that altered blocks are promptly written to the disk. If any of these numbers are too high for your application, there could be a disk issue.

Checking Unused Memory

To display unused memory, use sar -r.
# sar -r
SunOS s11-desktop 5.11 11.1 i86pc    12/20/2012

00:00:04  freemem  freeswap
01:00:00    44717   1715062
02:00:01    44733   1715496
03:00:00    44715   1714746
04:00:00    44751   1715403
05:00:00    44784   1714743
06:00:00    44794   1715186
07:00:00    44793   1715159
08:00:00    44786   1714914
08:20:00    44805   1715576
08:40:01    44797   1715347
09:00:00    44761   1713948
09:20:00    44802   1715478
09:40:00    41770   1682239
10:00:00    35401   1610833
10:20:00    34295   1599141
10:40:00    33943   1598425
11:00:00    30500   1561959

Average     43312   1699242

To display unused memory, use the sar -r command. The output will provide you with the number of currently unused memory pages and swap-file disk blocks. The freemem column displays the average number of pages available to user processes. The freeswap column displays the average number of disk blocks available for page swapping. By monitoring these numbers over time to establish a trend, you can determine if you are in danger of running out of memory and then take appropriate action to correct the situation.

Setting Up Automatic Data Collection

1. Run the svcadm enable system/sar:default command (as necessary).
2. Edit the /var/spool/cron/crontabs/sys crontab file by using crontab -e sys.
3. Uncomment the last entry to run the system script sa2.

# svcadm enable system/sar:default
# crontab -e sys
… … …
#0 * * * 0-6 /usr/lib/sa/sa1
#20,40 8-17 * * 1-5 /usr/lib/sa/sa1
5 18 * * 1-5 /usr/lib/sa/sa2 -s 8:00 -e 18:01 -i 1200 -A
oฺr© 2013,uOracle r Copyright e ic e to c ( do icens l a Insteado ofnhaving to lmanually gather system performance information, you can set up R automatic data collection by following the steps listed in the slide. ro ice Notes for step 1: This command writes a special record that marks the time when the counters are reset to zero (boot time). Notes for step 2: You do not edit a crontab file directly. Instead, you use the crontab -e command to make changes to an existing crontab file. Notes for step 3: By uncommenting this entry, the sa2 script will run every day Monday through Friday at 6:05 PM. The monitoring start time is 8 AM and ends at 6:01 PM. The performance data interval is every 1200 seconds (every 20 minutes). The -A option at the end of the entry means that the script will report overall system performance. The data files are placed in the /var/adm/sa directory. Each file is named sadd, where dd is the current date. Note: For other ways to set up automatic data collection, see “Collecting System Activity Data Automatically (sar)” in Oracle Solaris Administration: Common Tasks. Oracle Solaris 11 Advanced System Administration 11 - 63 Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ System Monitoring Commands: Summary Commands Description vmstat n Displays virtual memory statistics vmstat -s Displays system event information vmstat -S S Displays swapping statistics iostat n Displays general disk usage information iostat -xtc Displays extended disk statistics df -h Displays disk space information sar -a Checks file access operation statistics sar -b Checks buffer activity le b a r e f s an r t n no a s a h ) ฺ sar -c Checks system call m statistics e d o i lฺc t Gu iactivity sar -d Checks disk a m den g sar -r @ unused tu memory oChecks S d l s na thi o r ฺ se and/or its affiliates. All rights reserved. 
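Turning the "establish a trend" advice from the Checking Unused Memory page into a check, as an added shell example (not part of the course material): the functions below read sar -r output on standard input, compare the first and last freemem samples, and fail when the latest value is below a page floor or the drop across the period exceeds a percentage. This is the kind of check a cron job could run against the sadd files that sa2 writes. The sample output, the 40000-page floor and the 10% limit are constructed for the example; the thresholds are site policy, not values from the course.

```shell
# Constructed sar -r excerpt in the layout shown on the slide; the numbers are
# illustrative, not measured. On a Solaris host the same functions would read
# `sar -r` or `sar -r -f /var/adm/sa/sadd` instead of this variable.
SAR_R_SAMPLE='SunOS s11-desktop 5.11 11.1 i86pc    12/20/2012

00:00:04  freemem  freeswap
01:00:00    44717   1715062
08:00:00    44786   1714914
09:40:00    41770   1682239
10:00:00    35401   1610833
11:00:00    30500   1561959

Average     43312   1699242'

# freemem_trend: read sar -r output on stdin and print
# "<first freemem> <last freemem> <percent drop>" over the sampled period.
# Only timestamped sample rows count; the headers and the Average row are skipped.
freemem_trend() {
    awk '$1 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ && $2 ~ /^[0-9]+$/ && NF == 3 {
            if (!seen) { first = $2; seen = 1 }
            last = $2
         }
         END {
            if (!seen) { print "no samples"; exit 1 }
            printf "%d %d %.1f\n", first, last, (first - last) * 100 / first
         }'
}

# check_memory_headroom MINPAGES MAXDROP: read sar -r output on stdin; succeed
# only if the latest freemem sample is at least MINPAGES pages and the drop
# across the period is at most MAXDROP percent. Both thresholds are site policy.
check_memory_headroom() {
    minpages=$1; maxdrop=$2
    trend=$(freemem_trend) || return 1
    set -- $trend
    first=$1; last=$2; drop=$3
    if [ "$last" -lt "$minpages" ]; then
        echo "freemem $last pages is below the $minpages page floor"
        return 1
    fi
    # sh arithmetic is integer only, so awk compares the percentages
    if ! awk -v d="$drop" -v m="$maxdrop" 'BEGIN { exit !(d <= m) }'; then
        echo "freemem fell $drop% (from $first to $last pages) within the period"
        return 1
    fi
    echo "ok: freemem $first -> $last pages ($drop% drop)"
}

# Demonstration: the sample falls to 30500 pages, which trips a 40000-page floor.
printf '%s\n' "$SAR_R_SAMPLE" | check_memory_headroom 40000 10 || :
```

The check deliberately looks at the first and last samples rather than the Average row: the slide's own data averages to 43312 pages, which hides the steady fall after 09:40 that the period comparison catches.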
The table displayed in the slide contains a list of the system monitoring commands that you covered in this topic.

Practice 11-2 Overview: Evaluating System Performance Levels

This practice covers the following topics:
• Displaying virtual memory statistics (vmstat)
• Displaying disk usage information
• Monitoring system activities
• Collecting system activity data automatically (sar)
• Setting up automatic data collection (sar)

This practice should take you about 30 minutes to complete.

Summary

In this lesson, you should have learned how to:
• Implement a plan to evaluate resource allocation and system performance
• Configure system resources
• Monitor system performance

Monitoring and Troubleshooting Software Failures

Objectives

After completing this lesson, you should be able to:
• Implement a plan for system messaging and diagnostic facilities implementation
• Configure the following:
  – System messaging
  – System crash facilities
  – Dump facilities for business application failure

Workflow Orientation

[Workflow diagram: ENTERPRISE DATACENTER; stages INSTALLATION (AI, IPS), DATA STORAGE, NETWORK CONFIGURATION, NETWORK VIRTUALIZATION, SERVICES, PRIVILEGES, AUDITING, PROCESSES, RESOURCE EVALUATION, MONITORING]

Before you start the lesson, orient yourself in the job workflow. You have reached the end of the workflow. You have successfully performed all major administrative tasks: installation, software updates, data storage management, network, zones, and services configuration. You have also put system security controls in place with role-based access control (RBAC) and Oracle Solaris auditing. You have ensured that the system resources are being used appropriately with the resource controls that you have set up for the processes running on the system. In this last lesson, you configure the facilities that you will need to monitor and capture issues with the software.

Lesson Agenda

• Planning System Messaging and Diagnostic Facilities Implementation
• Configuring System Messaging
• Configuring System Crash Facilities
• Configuring Dump Facilities for Business Application Failure

Planning System Messaging and Diagnostic Facilities Implementation

The system messaging and diagnostic facilities implementation plan ensures that:
• Controls are in place to monitor system activity so that issues can be addressed quickly and efficiently
• System crashes and core dumps are captured and reported so that major problems can be analyzed and corrected

Knowing what issues the operating system is encountering and what actions to take to correct those issues is an important part of your role as a system administrator. Recognizing this, your company has developed a plan that identifies the system monitoring and diagnostic tools that they want in place to quickly and efficiently identify and resolve issues that might occur within the Oracle Solaris operating system. The plan includes time for you to be trained on how to configure and use these tools.

In addition to system logging, your company wants you to set up crash and core dump files so that any major issues with the operating system or with any processes or applications can be captured and sent to a support engineer for analysis and resolution. In this section, you are introduced to system messaging and crash and core dump file configuration.

Configuring the /etc/syslog.conf File

You configure this file to:
• Define target locations for the syslog message files
• Use a selector level of err to indicate that all events of priority error (and higher) are logged to the target defined in the action field

*.err;kern.notice;auth.notice              /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit   /var/adm/messages
*.alert;kern.err;daemon.err                operator
*.alert                                    root
*.emerg                                    *

Note: Whenever you make changes to this file, you must restart the syslogd daemon.

The first thing that you need to do to set up system messaging is to identify target locations for the syslog message files. The target locations are defined in the /etc/syslog.conf file.

Note: A configuration entry in the /etc/syslog.conf file consists of two tab-separated fields: selector and action. The selector field has two components: a facility and a level, written as facility.level. Facilities represent categories of system processes that can generate messages. Levels represent the severity or importance of the message. The action field determines where to send the message. This is the target location.

Within the /etc/syslog.conf file, you use a selector level of err to indicate that all events of priority error (and higher) are logged to the target defined in the action field. In the example in the slide, partial contents of the /etc/syslog.conf file are displayed. In the first line, every error event (*.err) and all kernel and authorization facility events of level notice, which are not error conditions but might require special handling, write a message to the /dev/sysmsg file.

In the second line, every error event (*.err), all kernel facility events of level debug, all daemon facility events of level notice, and all critical-level mail events record a message in the /var/adm/messages file. Therefore, errors are logged to both files. The third line indicates that all alert-level events, including the kernel error-level and daemon error-level events, are sent to the user operator if this user is logged in. The fourth line indicates that all alert-level events are sent to the root user if the root user is logged in. The fifth line, which is taken from the "log messages to be logged locally" section of the /etc/syslog.conf file, indicates that any event that the system interprets as an emergency will be logged to the terminal of every logged-in user.

Note: You will have the opportunity to examine the /etc/syslog.conf file in full during the practice on setting up system messaging.

To alter the event logging mechanism, edit the /etc/syslog.conf file and restart the syslogd daemon.

Note: You must restart the syslogd daemon whenever you make any changes to the /etc/syslog.conf file.
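To see how the selectors above actually resolve, here is an added shell example (not from the course) that reads the five entries shown on the slide and reports which action fields a message with a given facility and level reaches. It applies the rule the text states: a level names that severity and everything more severe, and * matches any facility. The function name syslog_targets and the embedded configuration text are mine; the example ignores the none level keyword and other extensions of the real syslogd, so it is a teaching aid, not a replacement for the man page.

```shell
# Constructed /etc/syslog.conf fragment: the five entries discussed above.
# On a real host this would be SYSLOG_CONF=$(cat /etc/syslog.conf).
SYSLOG_CONF='*.err;kern.notice;auth.notice              /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit   /var/adm/messages
*.alert;kern.err;daemon.err                operator
*.alert                                    root
*.emerg                                    *'

# syslog_targets FACILITY LEVEL: print, one per line and in file order, every
# action whose selector list matches a message of FACILITY at LEVEL. A selector
# matches when its facility is "*" or equal to FACILITY and its level is the
# same as or less severe than LEVEL ("err" also catches crit, alert and emerg).
syslog_targets() {
    printf '%s\n' "$SYSLOG_CONF" | awk -v fac="$1" -v lvl="$2" '
        BEGIN {
            # syslog severities, most severe first (rank 1 = emerg, 8 = debug)
            n = split("emerg alert crit err warning notice info debug", name, " ")
            for (i = 1; i <= n; i++) rank[name[i]] = i
            if (!(lvl in rank)) { print "unknown level: " lvl > "/dev/stderr"; exit 2 }
        }
        /^[ \t]*#/ || NF < 2 { next }            # comments and blank lines
        {
            # field 1 is the selector list, the last field is the action
            m = split($1, sel, ";")
            for (i = 1; i <= m; i++) {
                split(sel[i], part, ".")
                if ((part[1] == "*" || part[1] == fac) && (part[2] in rank) && rank[lvl] <= rank[part[2]]) {
                    print $NF
                    break                        # one hit per entry is enough
                }
            }
        }'
}

# Demonstration: a message at user.notice reaches no action in this fragment,
# while user.err lands in both /dev/sysmsg and /var/adm/messages.
syslog_targets user notice
syslog_targets user err
```

The user.notice case is worth noticing: it is the default priority of the logger command, so with only these five entries a plain logger message is dropped, and the same lookup shows that raising it to user.err routes it to both files. The quiz question on this lesson's *.err;kern.debug;daemon.notice;mail.crit line is the mail crit case, which the resolver answers with /var/adm/messages (and /dev/sysmsg, because crit is more severe than err).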
Stopping and Starting the syslogd Daemon

• The syslogd daemon can be started:
  – Automatically during boot
  – Manually from the command line
• Each time the syslogd daemon starts, the /etc/syslog.conf configuration file is read.
• After you have modified the configuration file, you can:
  – Manually stop or start the syslogd daemon
  – Send the syslogd daemon a refresh command

# svcadm disable svc:/system/system-log:default
# svcadm enable svc:/system/system-log:default
# svcadm refresh svc:/system/system-log:default

The syslogd daemon can be started automatically during boot, or it can be started manually from the command line. During each system boot, the /lib/svc/method/system-log file starts the syslogd process. The /etc/syslog.conf configuration file is read each time the syslogd daemon starts. If you have modified the configuration file, you can manually stop or start the syslogd daemon, or send it a refresh command, which causes the daemon to reread the /etc/syslog.conf file. The example in the slide shows the commands for stopping, starting, and refreshing the syslogd daemon.

Note: Oracle Solaris 11.1 includes an enhanced version of the syslog daemon called rsyslog for message logging. The rsyslog daemon provides enhanced features, such as failover log destinations, high-precision timestamps, queued operations, and filtering on any message part. These advanced features of rsyslog make it suitable for enterprise-class, encryption-protected applications, while being easy to set up and use. By default, the rsyslog daemon is not enabled. Administrators can switch to this new logging daemon by disabling svc:/system/system-log:default and enabling svc:/system/system-log:rsyslog using SMF administrative utilities.

TCP Tracing

• You can use the inetadm command to enable the trace option on one or more services.
• The inetadm command uses the syslog command to record and log the following:
  – Client's IP address
  – TCP port number
  – Name of the service
• You can configure /etc/syslog.conf so that the syslogd daemon selectively distributes messages sent to it from the inetd daemon.

# grep daemon.notice /etc/syslog.conf
*.err;kern.debug;daemon.notice;mail.crit   /var/adm/messages

Part of setting up system messaging is enabling TCP tracing. Use the inetadm command to modify the settings of a service to enable the trace option. When you enable TCP tracing, the inetd daemon uses the syslog command to record incoming network connection requests made by using TCP. The client's IP address, TCP port number, and the name of the service are logged. You can enable tracing on all services or on each service separately.

Note: The change is immediately recognized. There is no requirement to restart any daemon process.

By default, the /etc/syslog.conf file is configured such that the syslogd daemon selectively distributes the messages that are sent to it from the inetd daemon to the /var/adm/messages file. This message distribution is achieved through the daemon.notice entry in the /etc/syslog.conf file. In the example in the slide, all daemon messages of level notice or higher are sent to the /var/adm/messages file.

Note: The /var/adm/messages file must exist. If it does not exist, create it, and then stop and start the syslogd daemon; otherwise, messages will not be written to the file.

TCP Tracing: Example

# inetadm -m telnet tcp_trace=TRUE
# inetadm -l telnet
SCOPE    NAME=VALUE
         name="telnet"
         endpoint_type="stream"
         proto="tcp6"
         isrpc=FALSE
         wait=FALSE
         exec="/usr/sbin/in.telnetd"
         user="root"
default  bind_addr=""
default  bind_fail_max=-1
default  bind_fail_interval=-1
default  max_con_rate=-1
default  max_copies=-1
default  con_rate_offline=-1
default  failrate_cnt=40
default  failrate_interval=60
default  inherit_env=TRUE
default  tcp_trace=TRUE
default  tcp_wrappers=FALSE

In this example, you are enabling TCP tracing on telnet sessions. You then verify that the tracing option is enabled, and it is.

Note: The -m option changes the values of the specified properties of the identified service instances.

If you want to enable TCP tracing on all services, use the following command:

# inetadm -M tcp_trace=TRUE

Note: The -M option changes the value of the specified inetd default property or properties.

Logger Command

• This command enables you to send messages to the syslogd daemon.
• You can write administrative shell scripts that report the status of backups or other functions.

logger [ -i ] [ -f file ] [ -p priority ] [ -t tag ] [ message ]

# logger System rebooted

# logger -p user.err System rebooted

The logger command enables you to send messages to the syslogd daemon. By using the logger command, you can write administrative shell scripts that report the status of backups or other functions. The slide gives you the syntax for the command. The description for each option is as follows:
• -i: Logs the process ID of the logger command with each line
• -f file: Uses the contents of the file as the message to log (file must exist)
• -p priority: Enters the message with the specified priority
• -t tag: Marks each line that is added to the log file with the specified tag
• message: Concatenates the string arguments of the message in the order specified, separated by single-space characters

You can specify message priority as a facility.level pair. For example, -p local3.info assigns a message priority of info level in the local3 facility. The default priority is user.notice. In the second example, the message System rebooted is logged to the syslogd daemon by using the default priority level notice and facility user. If the user.notice selector field is configured in the /etc/syslog.conf file, the message is logged to the file that is designated for the user.notice selector field. If the user.notice selector field is not configured in the /etc/syslog.conf file, you can either add the user.notice selector field to the /etc/syslog.conf file, or you can prioritize the output as shown in the third example. Changing the priority of the message to user.err routes the message to the /var/adm/messages file as indicated in the /etc/syslog.conf file.

You can also specify a message priority numerically. For example, logger -i -p 2 "crit" creates an entry in the message log that identifies the user.crit facility.level pair as follows:

Nov 3 09:49:34 hostname root[2838]: [ID 702911 user.crit] crit

/etc/dumpadm.conf File

# cat /etc/dumpadm.conf
#
# dumpadm.conf
#
# Configuration parameters for system crash dump.
# Do NOT edit this file by hand -- use dumpadm(1m) instead.
#
DUMPADM_DEVICE=/dev/zvol/dsk/rpool/dump
DUMPADM_SAVDIR=/var/crash/client1
DUMPADM_CONTENT=kernel
DUMPADM_ENABLE=no
DUMPADM_CSAVE=on

Now you focus on configuring the crash and core dump files. You begin with the crash dump. The /etc/dumpadm.conf file contains the crash dump configuration of the current system. As you can see in the example in the slide, the default values are set as follows:
• DUMPADM_DEVICE=/dev/zvol/dsk/rpool/dump: The default dump device is a dedicated ZFS volume. Note: You can choose an unused disk partition to use as a dedicated dump device. The traditional method is to use a swap disk partition. Whichever device you choose, be sure that the dump device is large enough to handle the dump content. A good rule of thumb is 50% of the physical memory.
• DUMPADM_SAVDIR=/var/crash/client1: The directory for the savecore files is set to /var/crash/client1.
• DUMPADM_CONTENT=kernel: The dump content is set to kernel memory pages only.
• DUMPADM_ENABLE=no: The savecore command is not set to run automatically on reboot. This is the default. Note: When it is enabled, the savecore utility saves a crash dump of the kernel (assuming that one was made) and writes a reboot message in the shutdown log. It is invoked by the dumpadm service each time the system boots.
• DUMPADM_CSAVE=on: The compression of the savecore files is enabled. Because crash dump files can be extremely large and require less file system space if they are saved in a compressed format, the default is on. Note: When you configure savecore to save the crash dump data in a compressed format, savecore saves the crash dump data in the file directory/vmcore.N.z, where N in the pathname is replaced by a number, which increments by one each time savecore is run in the directory. The compressed file can be uncompressed in a separate step by using the -f dumpfile option. You will learn how to do this later in this lesson. For the uncompressed format, savecore saves the crash dump data in the file directory/vmcore.N and the kernel's namelist in directory/unix.N.

You should not edit the /etc/dumpadm.conf file directly. Any changes that you want to make to the dump configuration should be made by using the dumpadm command. You learn how to modify the dump configuration later in this lesson.
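As a worked check on these settings, the following shell example (added here; it is not course material) parses the KEY=VALUE lines of the dumpadm.conf shown above and of the coreadm.conf that the next page describes, applies the 50%-of-physical-memory rule of thumb to a given dump device size, and flags the savecore-disabled default and any setid core file setting that has been turned on. The embedded file contents copy the defaults from the text; the 8192 MB memory size and 2048 MB dump volume are constructed inputs, and dumpadm -y is the dumpadm option that enables savecore at boot.

```shell
# Constructed copies of the two configuration files with the default values the
# text describes, embedded so the audit runs offline. A real run would read
# /etc/dumpadm.conf and /etc/coreadm.conf instead (never edit them by hand).
DUMPADM_CONF='# dumpadm.conf -- do NOT edit by hand, use dumpadm(1m)
DUMPADM_DEVICE=/dev/zvol/dsk/rpool/dump
DUMPADM_SAVDIR=/var/crash/client1
DUMPADM_CONTENT=kernel
DUMPADM_ENABLE=no
DUMPADM_CSAVE=on'

COREADM_CONF='# coreadm.conf -- do NOT edit by hand, use coreadm(1)
COREADM_GLOB_PATTERN=
COREADM_GLOB_CONTENT=default
COREADM_INIT_PATTERN=core
COREADM_INIT_CONTENT=default
COREADM_GLOB_ENABLED=no
COREADM_PROC_ENABLED=yes
COREADM_GLOB_SETID_ENABLED=no
COREADM_PROC_SETID_ENABLED=no
COREADM_GLOB_LOG_ENABLED=no'

# conf_get TEXT KEY: print the value of the first KEY=VALUE line in TEXT
# (empty output when the key is present but unset, as COREADM_GLOB_PATTERN is).
conf_get() {
    printf '%s\n' "$1" | awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }'
}

# min_dump_mb PHYSMEM_MB: the 50%-of-physical-memory rule of thumb from the text
min_dump_mb() {
    echo $(( $1 / 2 ))
}

# dump_config_audit DUMPADM_TEXT PHYSMEM_MB DUMPDEV_MB: one finding per line
dump_config_audit() {
    conf=$1; physmem=$2; dumpdev=$3
    if [ "$(conf_get "$conf" DUMPADM_ENABLE)" != "yes" ]; then
        echo "DUMPADM_ENABLE is not yes: savecore will not save a crash dump at boot (dumpadm -y enables it)"
    fi
    need=$(min_dump_mb "$physmem")
    if [ "$dumpdev" -lt "$need" ]; then
        echo "dump device $(conf_get "$conf" DUMPADM_DEVICE) is ${dumpdev} MB; rule of thumb wants at least ${need} MB for ${physmem} MB of RAM"
    fi
    case $(conf_get "$conf" DUMPADM_SAVDIR) in
        /*) ;;
        *) echo "DUMPADM_SAVDIR is not an absolute path" ;;
    esac
}

# core_config_audit COREADM_TEXT: flag settings that weaken the setid protection
# the text's caution describes, plus an enabled global path with no pattern.
core_config_audit() {
    conf=$1
    for key in COREADM_GLOB_SETID_ENABLED COREADM_PROC_SETID_ENABLED; do
        if [ "$(conf_get "$conf" "$key")" = "yes" ]; then
            echo "$key=yes: setuid/setgid processes would dump memory into a core file readable by an unprivileged owner"
        fi
    done
    if [ "$(conf_get "$conf" COREADM_GLOB_ENABLED)" = "yes" ] && [ -z "$(conf_get "$conf" COREADM_GLOB_PATTERN)" ]; then
        echo "COREADM_GLOB_ENABLED=yes but COREADM_GLOB_PATTERN is empty: no global core path is set"
    fi
}

# Demonstration: 8 GB of RAM with a 2 GB dump volume and the default files.
dump_config_audit "$DUMPADM_CONF" 8192 2048
core_config_audit "$COREADM_CONF"
```

With the defaults from the text the core file audit is silent and the dump audit reports two findings: savecore is not enabled, and a 2048 MB device is under the 4096 MB that the rule of thumb asks for with 8192 MB of memory. The device size is a parameter because the dump volume's actual size comes from the storage layer, not from dumpadm.conf.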
o an s ha ฺ ) om uide c ฺ l ai nt G m g ude @ t o S d l s na thi o r ฺ se o r u e ic e to c ( do icens l a l on R o r ce Ci Oracle Solaris 11 Advanced System Administration 12 - 14 le b a r e f Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ /etc/coreadm.conf File # cat /etc/coreadm.conf # # coreadm.conf # # Parameters for system core file configuration. # Do NOT edit this file by hand -- use coreadm(1) instead. # COREADM_GLOB_PATTERN= COREADM_GLOB_CONTENT=default COREADM_INIT_PATTERN=core COREADM_INIT_CONTENT=default COREADM_GLOB_ENABLED=no COREADM_PROC_ENABLED=yes COREADM_GLOB_SETID_ENABLED=no COREADM_PROC_SETID_ENABLED=no COREADM_GLOB_LOG_ENABLED=no le b a r e f s an r t n C no a s a h ) ฺ e m d o i ilฺc t Gu a m den g o@ Stu d l a this n o se and/or its affiliates. All rights reserved. oฺr© 2013,uOracle r Copyright e ic e to c ( do icens l a l The /etc/coreadm.conf file contains the current core dump configuration. on R royou can see in the example in the slide, the default values for the /etc/coreadm.conf As ice file are set as follows: • COREADM_GLOB_PATTERN=: Identifies the name to use for the core files placed in a global directory • COREADM_GLOB_CONTENT=default: Identifies that the content of the core files has the default setting. The resultant core file contains all the process information that is pertinent to debugging. • COREADM_INIT_PATTERN=core: Identifies the default name that the per-process core files must use. This name is set for the init process, meaning that it is inherited by all other processes on the system. • COREADM_INIT_CONTENT=default: Indicates that the init core file content has the default content structure. 
• COREADM_GLOB_ENABLED=no: Indicates that the global core files are disabled Oracle Solaris 11 Advanced System Administration 12 - 15 COREADM_PROC_ENABLED=yes: Indicates that core file generation is enabled in the current working directory of a process • COREADM_GLOB_SETID_ENABLED=no: Indicates that the generation of global core files with setuid or setgid permissions is disabled • COREADM_PROC_SETID_ENABLED=no: Indicates that the generation of per-process core files with setuid or setgid permissions is disabled • COREADM_GLOB_LOG_ENABLED=no: Indicates whether global core dump logging is enabled Caution: A process that has a setuid mode presents security issues with respect to dumping core files. The files may contain sensitive information in their address space to which the current non-privileged owner of the process should not have access. Therefore, by default, setuid core files are not generated because of this security issue. Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ • You should not edit the /etc/coreadm.conf file directly. Any changes that you want to make to the dump configuration should be made by using the coreadm command. You learn how to modify the dump configuration later in this lesson. s an r t n o an s ha ฺ ) om uide c ฺ l ai nt G m g ude @ t o S d l s na thi o r ฺ se o r u e ic e to c ( do icens l a l on R o r ce Ci Oracle Solaris 11 Advanced System Administration 12 - 16 le b a r e f Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ Core File Paths • • Per-process core file path: – Defaults to core – Is enabled by default – If enabled, produces a core file when a process terminates abnormally – Is inherited by a new process from its parent process Per-process files are owned and can be viewed only by the le b a r process owner. 
fe s n a Global core file path: r t – Defaults to core non a s – Is disabled by default a h ) withethe ฺ same mfile – If enabled, produces an additional c core d o i lฺ t Gu content as the per-process coreaifile m den g Global core files are owned by @ Sthe u superuser. Non-privileged t o d l ese files. users use s ca cannot o read ead s nathese hies Cic ฺro use t o r Copyright Oracle and/or its affiliates. All rights reserved. e © t2013, o c i c o ( ense d l lic/etc/coreadm.conf file, there are two configurable core file paths: nasaw in the As you o just R and global. A per-process core file path defaults to core and is enabled by per-process o r e default. If enabled, the per-process core file path causes a core file to be produced when the process terminates abnormally. The per-process path is inherited by a new process from its parent process. When generated, a per-process core file is owned by the owner of the process with read/write permissions for the owner. Only the owning user can view this file. A global core file path also defaults to core but is disabled by default. If it is enabled, an additional core file with the same content as the per-process core file is produced by using the global core file path. When generated, a global core file is owned by the superuser with read/write permissions only for the superuser. superuser Non Non-privileged privileged users cannot view this file file. Oracle Solaris 11 Advanced System Administration 12 - 17 Unauthorized reproduction or distribution prohibitedฺ Copyright© 2014, Oracle and/or its affiliatesฺ Implementing the System Messaging and Diagnostic Facilities Implementation Plan Your assignment is to configure the following: • System messaging • Crash and core dump files le b a r e f s an r t n C no a s a h ) ฺ e m d o i ilฺc t Gu a m den g o@ Stu d l a this n o se and/or its affiliates. All rights reserved. oฺr© 2013,uOracle r Copyright e ic e to c ( do icens l a ltesting effort is nearly at an end. 
Your final testing activities will be to configure system messaging and the crash and core dump files. In this assignment, you learn how to complete each of these tasks.

Oracle Solaris 11 Advanced System Administration 12 - 18

Quiz

What is the default target destination for the following syslog selector?

    *.err;kern.debug;daemon.notice;mail.crit

a. /dev/sysmsg
b. /var/adm/messages
c. operator
d. root

Answer: b

Quiz

You must always restart the syslogd daemon after you modify the /etc/syslog.conf file.

a. True
b. False

Answer: a

Quiz

Saving of the crash dump file is enabled by default.

a. True
b. False

Answer: b

Quiz

You can separately enable or disable two configurable core file paths: per-process and global.

a. True
b. False

Answer: a

Lesson Agenda

• Planning System Messaging and Diagnostic Facilities Implementation
• Configuring System Messaging
• Configuring System Crash Facilities
• Configuring Dump Facilities for Business Application Failure

Configuring System Messaging

This section covers the following topics:
• Setting up message routing
• Restarting the message logging daemon
• Using TCP trace to log a message
• Monitoring message logging in real time
• Adding one-line entries to a system log file

Setting Up Message Routing

1. By using a text editor, edit the /etc/syslog.conf file to append the following entry to the end of the file:

       local0.notice	@hostname

2. Restart the syslogd daemon to activate the new configuration.
3. On the local host, create the /var/log/local0.log file.
4. Modify the /etc/syslog.conf file and add the entry as follows:

       local0.notice	/var/log/local0.log

5. Restart the syslogd daemon to activate the new configuration.

To set up message routing between two hosts (for example, host1 and host2), perform the steps listed in the slide. Steps 1 and 2 are performed on the first host, host1. The remaining steps are performed on the second host, host2.

Note for step 1: Following our example, the @hostname would be host2.

Setting Up Message Routing: Example

    root@host1:~# vi /etc/syslog.conf
    local0.notice	@host2
    root@host1:~# svcadm refresh system/system-log

    root@host2:~# touch /var/log/local0.log
    root@host2:~# vi /etc/syslog.conf
    root@host2:~# grep local0 /etc/syslog.conf
    local0.notice	/var/log/local0.log
    root@host2:~# svcadm refresh system-log

In the example in the slide, the local0.notice entry is added to the /etc/syslog.conf file on host1 so that local0 messages at the notice level or higher are forwarded; the destination of the message is host2. After you have modified the configuration, you activate it with svcadm refresh system/system-log, which signals syslogd to re-read /etc/syslog.conf (this is the "restart" the quiz refers to). Next, you create a log file on host2 for the local0 log messages; syslogd appends only to files that already exist, which is why the touch step comes first. You then edit the /etc/syslog.conf file on host2 to include the local0.notice entry. Notice that the destination of the message is the log file that you created in the previous step. Finally, you refresh the syslog daemon on host2 to activate the configuration change.

Two things must hold for this example to work, neither of which is visible on the slide. First, the selector and action fields of /etc/syslog.conf must be separated by a tab, not by spaces; a space-separated line is silently ignored. Second, host2 must accept remote messages: Oracle Solaris 11 syslogd accepts messages from the network only when the system-log service property config/log_from_remote is true (check with svcprop -p config/log_from_remote system-log on host2). Forwarding uses UDP port 514 with no authentication or encryption, so a sender can be spoofed and the contents read in transit; confine it to a trusted management network.
Now, if any local0 message at notice level or above is generated on host1 (for example, with logger -p local0.notice "routing test"), it is forwarded to host2 and appended to /var/log/local0.log there.

Logging a Message by Using TCP Trace

To enable TCP tracing for all inetd-managed services, use inetadm -M tcp_trace=TRUE.

    # inetadm -M tcp_trace=TRUE
    # inetadm -l telnet
    SCOPE    NAME=VALUE
             name="telnet"
             endpoint_type="stream"
    default  bind_addr=""
    default  bind_fail_max=-1
    default  bind_fail_interval=-1
    default  max_con_rate=-1
    default  max_copies=-1
    default  con_rate_offline=-1
    default  failrate_cnt=40
    default  failrate_interval=60
    default  inherit_env=TRUE
    default  tcp_trace=TRUE
    default  tcp_wrappers=FALSE
    default  connection_backlog=10
    default  tcp_keepalive=FALSE

You enable TCP tracing with the inetadm command, as shown in the slide. The -M option changes the value of the specified inetd default property, so the setting applies to every inetd-managed service that does not override it (to set it for a single service instead, use inetadm -m with the service name). To verify that TCP tracing is enabled, use inetadm -p, which lists all default properties, or inetadm -l service, as in the example, which lists the properties of one service instance. In both cases you can see that tcp_trace is now set to TRUE. With tracing on, inetd writes a daemon.notice message to syslog for every incoming connection, recording the service, the client address and the client port; that is the message you see on the next slide.

Note: To disable TCP tracing, set tcp_trace to FALSE. TCP tracing only records connections; it does not restrict them. Access control is the separate tcp_wrappers property, which the listing shows as FALSE.

Monitoring a syslog File in Real Time

To view the messages sent to the /var/adm/messages file as they arrive, use tail -f /var/adm/messages.

    # tail -f /var/adm/messages
    ...
    Dec 20 06:10:05 client1 inetd[655]: [ID 317013 daemon.notice] ftp[3044] from 192.168.0.100 61017

You can monitor the designated syslog file in the /var/adm directory, in real time, by using the tail -f /var/adm/messages command. The tail -f command holds the file open so that you can view the messages as they are written to the file by the syslogd daemon. To stop following the /var/adm/messages file, press Ctrl + C.

In the example in the slide, you can see that a TCP tracing-related notice message has been logged by the syslog daemon. The message contains the following general information:
• The date and time stamp when the message was generated (Dec 20 06:10:05)
• The local host name (client1)
• The process name and PID of the process that was involved in the action (inetd[655])
• The message ID number (ID 317013)
• The facility that generated the message; for example, the kernel, a system daemon, or the syslogd daemon (daemon)
• The level of severity of the message; for example, emergency, error, warning, notice, or information (notice)
• The problem or event: the service that received the connection and its PID, followed by the client address and port (ftp[3044] from 192.168.0.100 61017)

Practice 12-1 Overview: Setting Up System Messaging

This practice covers the following topics:
• Setting up message routing
• Using TCP trace to log a message

The practices for this lesson are designed to reinforce the concepts that have been presented in the lecture portion. These practices cover the following tasks:
• Practice 12-1: Setting up system messaging
• Practice 12-2: Configuring system and application crash facilities

Practice 12-1 should take about 30 minutes to complete.
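The following Python program is an added example; it is not code from the student guide or from Oracle. It implements the selector semantics of /etc/syslog.conf that the message-routing steps and the first quiz rely on, and it parses a /var/adm/messages line of the layout described under "Monitoring a syslog File in Real Time", so a logged line can be traced to the actions that received it. The configuration text and the log line are constructed copies of what the slides show (plus the stock Oracle Solaris rules), the m4 ifdef() macros of the real file are not handled, and the facility list is an illustrative subset.

```python
"""Route Oracle Solaris syslog messages through /etc/syslog.conf selectors.

Added example, not from the student guide.  Models syslog.conf(4):
  - a rule is "selector<TAB>action";
  - a selector is ";"-separated "facility.level" pairs, facilities may be
    ","-separated and "*" means every facility;
  - a level matches that level and every more severe one; "none" excludes;
  - later pairs on one line override earlier ones for the same facility,
    so "*.err;mail.crit" logs mail only at crit and above.
The ifdef()/m4 macros of the real file are not handled here.
"""
import re

# Severity order from syslog.h: a lower number is more severe.
LEVELS = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3,
          "error": 3, "warning": 4, "warn": 4, "notice": 5, "info": 6,
          "debug": 7}
# Facility names accepted by Solaris syslog.conf (illustrative subset).
FACILITIES = ["user", "kern", "mail", "daemon", "auth", "lpr", "news",
              "uucp", "cron", "audit"] + ["local%d" % i for i in range(8)]

# Constructed sample: the stock Solaris rules plus the host1 routing entry.
SAMPLE_CONF = """\
# constructed syslog.conf sample (the real file also uses m4 ifdef())
*.err;kern.notice;auth.notice\t/dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages
*.alert;kern.err;daemon.err\toperator
*.alert\troot
*.emerg\t*
local0.notice\t@host2
"""

# /var/adm/messages layout shown in the guide:
# "Mon DD HH:MM:SS host proc[pid]: [ID nnnnn facility.level] text"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"\[ID (?P<msgid>\d+) (?P<facility>\w+)\.(?P<level>\w+)\] (?P<text>.*)$")


def parse_conf(text):
    """Return a list of (per-facility threshold dict, action) per rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        selector, _, action = line.partition("\t")
        action = action.strip()
        if not action:  # syslogd requires a tab; reject space-separated lines
            raise ValueError("selector and action must be tab-separated: %r" % raw)
        mask = {}
        for pair in selector.split(";"):
            facs, _, level = pair.rpartition(".")
            level = level.lower()
            if level != "none" and level not in LEVELS:
                raise ValueError("unknown level %r" % level)
            for fac in (FACILITIES if facs == "*" else facs.split(",")):
                if fac not in FACILITIES:
                    raise ValueError("unknown facility %r" % fac)
                mask[fac] = None if level == "none" else LEVELS[level]
        rules.append((mask, action))
    return rules


def route(rules, facility, level):
    """Actions that receive a message logged at facility.level."""
    pri = LEVELS[level]
    return [action for mask, action in rules
            if mask.get(facility) is not None and pri <= mask[facility]]


def parse_line(line):
    """Split a /var/adm/messages line into fields; None if it has no [ID ...] tag."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def destinations_for_line(rules, line):
    """End to end: parse a logged line, then ask where syslog.conf sends it."""
    fields = parse_line(line)
    if fields is None:
        return []
    return route(rules, fields["facility"], fields["level"])


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    # Constructed copy of the line shown on the tail -f slide.
    sample = ("Dec 20 06:10:05 client1 inetd[655]: [ID 317013 daemon.notice] "
              "ftp[3044] from 192.168.0.100 61017")
    print(parse_line(sample))
    print(destinations_for_line(rules, sample))
```

The override rule is the part worth remembering: in the quiz selector, mail.crit comes after *.err, so a mail message at err severity goes to /dev/sysmsg (first rule) but not to /var/adm/messages, while daemon.notice and kern.debug do reach /var/adm/messages.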
Lesson Agenda

• Planning System Messaging and Diagnostic Facilities Implementation
• Configuring System Messaging
• Configuring System Crash Facilities
• Configuring Dump Facilities for Business Application Failure

Now that you know how to configure system messaging, you will next look at how to configure the system crash facilities.

Configuring System Crash Facilities

This section covers the following topics:
• Displaying the current crash dump configuration
• Modifying the crash dump configuration
• Saving the crash dump file
• Uncompressing the crash dump file
• Displaying the crash dump file contents

Displaying the Current Crash Dump Configuration

To display the current crash dump configuration, use dumpadm.

    # dumpadm
          Dump content: kernel pages
           Dump device: /dev/zvol/dsk/rpool/dump
    Savecore directory: /var/crash/client1
      Savecore enabled: no
       Save compressed: on

To view the current dump configuration, use the dumpadm command without arguments, as shown in the slide.

Note: The configuration in the slide example matches the configuration that you saw earlier in the /etc/dumpadm.conf file. Notice that Savecore enabled is "no": a crash dump would be written to the dump device, but nothing would copy it into the savecore directory on the next boot, which is the situation the third quiz question describes.

Modifying the Crash Dump Configuration

To modify the crash dump configuration, use:

    /usr/sbin/dumpadm [-nuy] [-c content] [-d dump-device] [-m mink | minm | min%] [-s savecore-dir] [-r root-dir] [-z on | off]

    # dumpadm -y -d /dev/dsk/c0t1d0s1
          Dump content: kernel pages
           Dump device: /dev/dsk/c0t1d0s1 (dedicated)
    Savecore directory: /var/crash/client1
      Savecore enabled: yes
       Save compressed: on

As discussed in the topic on planning system messaging and diagnostic facilities implementation, if you want to modify the configuration of the crash dump file, you use the dumpadm command. You can use several options with this command, as shown in the slide. The description for each option is as follows:

• -n: Specifies that savecore should not be run when the system reboots. Although this is the default setting, this dump configuration is not recommended. If system crash information is written to the swap device and savecore is not enabled, the crash dump information is overwritten as soon as the system begins to swap.
• -u: Forcibly updates the kernel dump configuration based on the contents of the /etc/dumpadm.conf file. Normally, this option is used only on reboot when starting svc:/system/dumpadm:default, when the dumpadm settings from the previous boot must be restored. Your dump configuration is saved in the configuration file for this purpose.
• -y: Modifies the dump configuration to automatically execute the savecore command on reboot.
• -c content: Specifies the type of data to dump. Use kernel to dump all kernel memory, all to dump all memory, or curproc to dump kernel memory and the memory pages of the process whose thread was executing when the crash occurred. The default dump content is kernel memory.
• -d dump-device: Specifies the device that stores the dump data temporarily when the system crashes. Historically the primary swap device is the default dump device; on an installed Oracle Solaris 11 system the dump device is normally the dedicated ZFS volume rpool/dump, as the dumpadm output on the previous slide shows.
• -m mink | minm | min%: Specifies the minimum free disk space for saving crash dump files by creating a minfree file in the current savecore directory. This parameter can be specified in KB (nnnk), MB (nnnm), or as a percentage of the file system size (nnn%).
• -s savecore-dir: Specifies an alternative directory for storing crash dump files. The default savecore-dir is /var/crash/hostname, where hostname is the output of the uname -n command.
• -r root-dir: Specifies an alternative root directory relative to which the dumpadm command should create files. If the -r argument is not specified, the default root directory "/" is used.
• -z on | off: Controls whether savecore saves the dump in compressed form on reboot. The on setting saves a single compressed vmdump.N file. The off setting saves the uncompressed unix.N and vmcore.N files directly, which needs considerably more space in the savecore directory.

In the example in the slide, the kernel pages are dumped to a different dump device, /dev/dsk/c0t1d0s1, which is labeled as a dedicated device. In addition, the dump configuration is set to automatically execute the savecore command upon reboot by using the -y option.

A crash dump is a copy of kernel memory and can contain credentials, keys and other data that was in kernel buffers at the time of the crash. Keep the savecore directory readable by root only, as the default /var/crash is, and remove saved dumps once they have been sent to support.
Saving the Crash Dump File

To take a crash dump of the running system and save it from the dump device, use savecore -L.

    # savecore -L
    dumping to /dev/dsk/c0t1d0s1, offset 65536, content: kernel
     0:04 100% done
    100% done: 103879 pages dumped, dump succeeded
    savecore: System dump time: Tue Oct 18 10:23:31 2011
    savecore: Saving compressed system crash dump in /var/crash/client1/vmdump.0
    savecore: Decompress the crash dump with
    'savecore -vf /var/crash/client1/vmdump.0'

To save the contents of the crash dump file from the dump device that you have designated, use the savecore -L command. The -L option saves a crash dump of the live, running Oracle Solaris system without rebooting or altering the system in any way. This option forces savecore to write a live snapshot of the system to the dump device, and then immediately to retrieve the data and write it to a new set of crash dump files in the savecore directory. Live system crash dumps can be performed only if you have configured your system to have a dedicated dump device by using the dumpadm command. The vmdump.0 file that you see in the example in the slide contains the recently created dump in compressed format.

Uncompressing the Crash Dump File

To uncompress the crash dump file, use savecore -vf /var/crash/hostname/vmdump.0.

    # savecore -vf /var/crash/client1/vmdump.0
    savecore: System dump time: Tue Dec 20 10:23:31 2011
    savecore: saving system crash dump in /var/crash/client1/{unix,vmcore}.0
    Constructing namelist /var/crash/client1/unix.0
    Constructing corefile /var/crash/client1/vmcore.0
     0:24 100% done: 103879 of 103879 pages saved
    2266 (2%) zero pages were not written
     0:24 dump decompress is done

After you have saved the compressed crash dump, you can uncompress the vmdump.0 file by using the savecore -vf command, as shown in the slide. The -f option tells savecore to read the saved dump file named on the command line instead of the system's dump device, and -v makes it report progress. The result is the pair of files unix.0 (the kernel namelist) and vmcore.0 (the memory image) in the same directory.

Displaying the Crash Dump File Contents

To display the contents of the crash dump file, perform the following steps:
1. Change directories to the /var/crash directory.
2. List the files in the crash directory.
3. Use the file command to identify the crash dump file, either vmcore.0 or vmdump.0.
4. View the printable contents of the file by using the strings command.

To view the contents of the crash dump files, you first need to go to the /var/crash directory. Next, you list the files that are in the directory. You should see these files listed: bounds, unix.0, vmcore.0, and vmdump.0. To view the contents of the vmcore.0 and vmdump.0 files, use the file command, and then the strings command.

From this point, you send the crash dump files to an Oracle Solaris support engineer for analysis to determine what caused the system to crash. If you need a first look yourself, open the uncompressed pair in the modular debugger (mdb unix.0 vmcore.0) and run ::status and ::msgbuf, which show the panic message and the kernel message buffer at the time of the dump; strings only shows printable text with no structure.

Displaying the Crash Dump File Contents: Example

    # cd /var/crash/client1
    root@client1:/var/crash/client1# ls
    bounds  unix.0  vmcore.0  vmdump.0
    root@client1:/var/crash/client1# file vmcore.0
    vmcore.0: SunOS 5.11 11.0 64-bit Intel live dump from 'client1'
    root@client1:/var/crash/client1# strings vmcore.0 | more
    SunOS
    s11-desktop
    5.11
    11.0
    i86pc
    i86pc
    aefffed4-f452-6dbc-f11e-cdb35c1bc0a2
    .symtab
    .strtab
    .shstrtab
    _END_
    _START_
    __return_from_main
    ...

In this example, the contents of the vmcore.0 file are displayed. The strings that appear come from the kernel pages captured at dump time (the dump content was "kernel"), starting with the system identification and the symbol table sections of the kernel image.

To inspect the vmdump.0 file, you use the same set of commands. Because vmdump.0 is the compressed form of the same dump, strings shows little beyond its header; the uncompressed unix.0 and vmcore.0 produced by savecore -vf contain the same data in readable form.

Lesson Agenda

• Planning System Messaging and Diagnostic Facilities Implementation
• Configuring System Messaging
• Configuring System Crash Facilities
• Configuring Dump Facilities for Business Application Failure
Configuring Dump Facilities for Business Application Failure

This section covers the following topics:
• Displaying the current core dump configuration
• Modifying the core dump configuration
• Setting a core file name pattern
• Enabling a core file path
• Displaying the contents of the core dump file

Displaying the Current Core Dump Configuration

To display the current core dump configuration, use coreadm.

    # coreadm
         global core file pattern: /var/core/core.%f.%p
         global core file content: default
           init core file pattern: core
           init core file content: default
                global core dumps: disabled
           per-process core dumps: enabled
          global setid core dumps: disabled
     per-process setid core dumps: disabled
         global core dump logging: disabled

To view the current core dump configuration, use the coreadm command without arguments, as shown in the slide.

Note: The configuration in the slide example matches the configuration that you saw earlier in the /etc/coreadm.conf file.

Modifying the Core Dump Configuration

To modify the core dump configuration, use coreadm [-g pattern] [-i pattern] [-d option ...] [-e option ...].

    # coreadm -e log
    # coreadm
         global core file pattern: /var/core/core.%f.%p
         global core file content: default
           init core file pattern: core
           init core file content: default
                global core dumps: enabled
           per-process core dumps: enabled
          global setid core dumps: disabled
     per-process setid core dumps: disabled
         global core dump logging: enabled

As discussed in the first topic on planning system messaging and diagnostic facilities implementation, if you want to modify the configuration of the core dump file, you use the coreadm command, as shown in the slide. The coreadm command enables you to control the behavior of core file generation. For example, you can use the coreadm command to configure a system such that all process core files are placed in a single system directory. This configuration makes it easier to track problems by examining the core files in a specific directory whenever a process or daemon terminates abnormally. It also makes it easy to locate and remove the core files on a system.

In the example in the slide, assume that you have already configured and enabled the global core file path and now you want to enable global logging. This generates a syslog message whenever the system creates a global core file. To enable global logging, use the coreadm -e command followed by the log core file option. You then verify the change by displaying the current core dump configuration.

Note: You can view the core file creation messages in /var/adm/messages.

You can use several options with the coreadm command. Descriptions for some of the options are as follows. For a full list of options, see the coreadm man page.

• -g pattern: Sets the global core file name pattern to pattern. The pattern must start with a slash (/), and can contain any of the special embedded variables.
  Note: For a list of possible embedded variables, see the coreadm man pages.
• -i pattern: Sets the per-process core file name pattern from init to pattern.
  Note: For a list of pattern options, see the coreadm man pages. This option is the same as the coreadm -p pattern 1 command that is described in the following list, except that the setting is persistent after a reboot.
• -d option: Disables the specified core file option. See the -e option for descriptions of possible options. You can specify multiple -e and -d options on the command line.
• -e option: Enables the specified core file option, where option can be any one of the following:
  - global: Enables core dumps by using the global core pattern
  - process: Enables core dumps by using the per-process core pattern
  - global-setid: Enables setid core dumps by using the global core pattern
  - proc-setid: Enables setid core dumps by using the per-process core pattern
  - log: Generates a syslog(3C) message when an attempt is made to generate a global core file
• -u: Updates system-wide core file options from the contents of the configuration file /etc/coreadm.conf. If the configuration file is missing or contains invalid values, default values are substituted. Following the update, the configuration file is resynchronized with the system core file configuration.
• -p pattern: Sets the per-process core file name pattern to pattern for each of the specified process IDs (PIDs). The pattern can contain any of the special embedded variables and does not have to begin with a slash (/). If pattern does not begin with "/", it is evaluated relative to the current directory that is in effect when the process generates a core file.
• -G content: Sets the global core file content. You can specify content by using the content options listed in the man page.

A core file name pattern is a file system path name with embedded variables. The embedded variables are specified with a leading percent (%) character. The operating system expands these variables from the values that are in effect when it generates a core file.

Note: Only the root user can run the coreadm options that configure system-wide core file settings: coreadm [-g pattern] [-i pattern] [-d option ...] [-e option ...]. Ordinary users can run only coreadm -p, to specify the file name pattern that the operating system uses when generating a per-process core file for their own processes.

Setting a Core File Name Pattern

To set a per-process file name pattern, use coreadm -p $HOME/corefiles/%f.%p $$.

    $ coreadm -p $HOME/corefiles/%f.%p $$

To set a global file name pattern, use coreadm -g /var/core/%f.%p.

    # coreadm -g /var/core/%f.%p

After you determine whether you want to set a per-process or global core file, you can set the core file name pattern. You can set a core file name pattern on a global, zone, or per-process basis. In addition, you can set the per-process defaults that persist across a system reboot.

To set a per-process file name pattern, use the coreadm -p command followed by $HOME/corefiles/%f.%p $$.

Note: This command sets up a per-process core dump that saves core files in the $HOME/corefiles directory, named after the file or program being executed (%f) and the process ID (%p). The $$ symbols are the shell's placeholder for the process ID of the currently running shell, so the pattern is set for that shell and is inherited by all of its child processes. The target directory must already exist; the kernel does not create missing directories, and the core file is simply not written if the path cannot be opened.

To set a global file name pattern, use the coreadm -g command followed by /var/core/%f.%p.

After you have set a per-process or global core file name pattern, you must enable it.

Enabling a Core File Path

• To enable the per-process core file path, use coreadm -e process.
• To enable the global core file path, use coreadm -e global -g /var/core/core.%f.%p.
• To verify the configuration, use coreadm.

    # coreadm
         global core file pattern: /var/core/core.%f.%p
         global core file content: default
           init core file pattern: core
           init core file content: default
                global core dumps: enabled
           per-process core dumps: enabled
          global setid core dumps: disabled
     per-process setid core dumps: disabled
         global core dump logging: enabled

To verify either configuration change, you use the coreadm command to display the current core dump configuration. In the example in the slide, you can see that both core dump paths are enabled.

Note: When a process terminates abnormally, it produces a core file in its current directory by default. If the global core file path is enabled as well, each abnormally terminating process might produce two files: one in the current working directory and one in the global core file location. The two setid options stay disabled in the example; leave them that way unless you are debugging a setuid program, because a core file of a setuid process hands a copy of privileged memory to whoever can read the file.

Displaying the Contents of the Core Dump File

To display the contents of the core dump file:
1. Change directories to the /var/core directory.
2. List the files in the core directory.
3. Use the file command to identify the core file.
4. View the printable contents of the file by using the strings command.

To view the contents of a core dump file, you first need to go to the /var/core directory. Next, you list the files that are in the directory. To view the contents of a file, use the file command, and then the strings command, just as you did to view the contents of the crash dump file. For a quick stack trace of the crashed process, pstack accepts a core file as its argument, and mdb can open the core file for closer inspection.

From this point, you send the core dump files to an Oracle Solaris support engineer for analysis to determine what caused the application to crash.
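The following Python program is an added example, not code from the student guide or from Oracle. Given the coreadm state shown under "Enabling a Core File Path" and a description of a crashing process, it computes the core files that result: it expands the %-variables documented in coreadm(1M) and applies the rules stated on the slides, namely that a per-process pattern without a leading slash is relative to the process's current directory, that a setid process gets a core file only when the matching setid option is enabled, and that with both paths enabled one crash yields two files. The process attributes (PID 3811, /usr/bin/bash, the home directory and so on) are constructed to resemble the core.bash.3811 file shown in the next example.

```python
"""Where will a crashing process leave its core files?

Added example, not from the student guide.  The config dict mirrors the
fields of `coreadm` output; the process dict is constructed so the code
runs offline.
"""
import posixpath


def expand_pattern(pattern, proc):
    """Expand the %-variables of a coreadm(1M) core file name pattern."""
    subst = {
        "p": str(proc["pid"]),            # process ID
        "u": str(proc["euid"]),           # effective user ID
        "g": str(proc["egid"]),           # effective group ID
        "f": proc["exe"].rsplit("/", 1)[-1],   # executable file name
        "d": posixpath.dirname(proc["exe"]),   # executable directory name
        "n": proc["node"],                # system node name (uname -n)
        "m": proc["machine"],             # machine name (uname -m)
        "t": str(proc["time"]),           # decimal time stamp
        "z": proc["zone"],                # zone name
        "%": "%",                         # literal percent sign
    }
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "%" and i + 1 < len(pattern) and pattern[i + 1] in subst:
            out.append(subst[pattern[i + 1]])
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


def core_file_locations(cfg, proc):
    """Return [(kind, path)] for each core file coreadm lets the kernel write.

    A per-process pattern without a leading "/" is relative to the process's
    current directory; a setid process needs the matching *-setid option.
    """
    setid = proc.get("setid", False)
    paths = []
    if cfg["process"] and (not setid or cfg["proc-setid"]):
        p = expand_pattern(cfg["per_process_pattern"], proc)
        if not p.startswith("/"):
            p = posixpath.join(proc["cwd"], p)
        paths.append(("per-process", posixpath.normpath(p)))
    if cfg["global"] and (not setid or cfg["global-setid"]):
        paths.append(("global", expand_pattern(cfg["global_pattern"], proc)))
    return paths


# Constructed state matching the "Enabling a Core File Path" slide.
SLIDE_CONFIG = {
    "global_pattern": "/var/core/core.%f.%p",
    "per_process_pattern": "core",
    "global": True, "process": True,
    "global-setid": False, "proc-setid": False,
}
# Constructed process resembling the core.bash.3811 file in the next example.
BASH_PROC = {"pid": 3811, "euid": 100, "egid": 10, "exe": "/usr/bin/bash",
             "cwd": "/export/home/oracle", "node": "client1",
             "machine": "i86pc", "time": 1324373400, "zone": "global"}

if __name__ == "__main__":
    for kind, path in core_file_locations(SLIDE_CONFIG, BASH_PROC):
        print(kind, path)
    # A setuid program leaves no core at all under the default setid settings.
    print(core_file_locations(SLIDE_CONFIG, dict(BASH_PROC, exe="/usr/bin/su", setid=True)))
```

The setid case is the one to keep in mind when a support engineer asks why a privileged daemon left no core file: nothing is broken, the default configuration deliberately suppresses it.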
Displaying the Core Dump File Contents: Example

    # cd /var/core
    root@client1:/var/core# ls /var/core
    core.bash.3811
    root@client1:/var/core# file core*
    core.bash.3811: ELF 32-bit LSB core file 80386 Version 1, from 'bash'
    root@client1:/var/core# strings core.bash.3811 | more
    CORE
    pMNDbash
    -bash
    CORE
    i86pc
    CORE
    CORE
    CORE
    CORE
    pMNDbash
    -bash
    ...

In the example in the slide, the contents of a core dump file for a bash process that terminated abnormally (PID 3811, as the %p part of the file name shows) are displayed. The file command identifies it as an ELF core file and names the program it came from; the CORE strings are the note sections that the kernel writes to describe the process.

Practice 12-2 Overview: Configuring System and Application Crash Facilities

This practice covers the configuration of:
• System crash facilities
• Dump facilities for business application failure

This practice should take about 30 minutes to complete.

Summary

In this lesson, you should have learned how to:
• Implement a plan for system messaging and diagnostic facilities implementation
• Configure the following:
  - System messaging
  - System crash facilities
  - Dump facilities for business application failure

In this lesson, you were introduced to system logs and learned how to monitor system messages. You also learned how to configure the system to generate crash and core dump files.
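The following Python program is an added example, not code from the student guide or from Oracle. It is a small audit that parses the "label: value" output of dumpadm (see "Displaying the Current Crash Dump Configuration") and coreadm (see "Displaying the Current Core Dump Configuration") and reports the settings a reviewer would query before handing a system over: savecore left disabled, compressed saving switched off, setid core dumps enabled (the reason they are off by default is that a core file of a setuid program can expose privileged memory), a relative per-process pattern, and global core dumps without the logging that "Modifying the Core Dump Configuration" enables. The two outputs below are constructed copies of those slides so the program runs offline; to audit a live system, replace them with the real command output.

```python
"""Audit dumpadm and coreadm settings.  Added example, not from the guide.

DUMPADM_OUT and COREADM_OUT are constructed copies of the slide output,
so the program runs offline; paste real output into them to audit a host.
"""

DUMPADM_OUT = """\
      Dump content: kernel pages
       Dump device: /dev/zvol/dsk/rpool/dump
Savecore directory: /var/crash/client1
  Savecore enabled: no
   Save compressed: on
"""

COREADM_OUT = """\
     global core file pattern: /var/core/core.%f.%p
     global core file content: default
       init core file pattern: core
       init core file content: default
            global core dumps: disabled
       per-process core dumps: enabled
      global setid core dumps: disabled
 per-process setid core dumps: disabled
     global core dump logging: disabled
"""


def parse_settings(text):
    """Turn the 'label: value' lines of dumpadm/coreadm output into a dict."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def audit_dumpadm(settings):
    """Findings for the crash dump configuration."""
    findings = []
    if settings.get("Savecore enabled") != "yes":
        findings.append("savecore disabled: a crash dump reaches the dump device but "
                        "is never copied to %s; run dumpadm -y"
                        % settings.get("Savecore directory", "the savecore directory"))
    if settings.get("Save compressed") != "on":
        findings.append("uncompressed saves (dumpadm -z off) need far more space in "
                        + settings.get("Savecore directory", "the savecore directory"))
    return findings


def audit_coreadm(settings):
    """Findings for the core file configuration."""
    findings = []
    for opt in ("global setid core dumps", "per-process setid core dumps"):
        if settings.get(opt) == "enabled":
            findings.append(opt + " enabled: core files of setuid/setgid programs "
                            "can expose privileged memory to whoever reads them")
    pattern = settings.get("init core file pattern", "")
    if settings.get("per-process core dumps") == "enabled" and not pattern.startswith("/"):
        findings.append("per-process pattern %r is relative: cores land in each "
                        "crashing process's current directory" % pattern)
    if (settings.get("global core dumps") == "enabled"
            and settings.get("global core dump logging") != "enabled"):
        findings.append("global core dumps enabled without logging: no syslog record "
                        "when a core file is written; run coreadm -e log")
    return findings


def audit(dumpadm_text, coreadm_text):
    """Combined report: list of (source, finding) tuples."""
    report = [("dumpadm", f) for f in audit_dumpadm(parse_settings(dumpadm_text))]
    report += [("coreadm", f) for f in audit_coreadm(parse_settings(coreadm_text))]
    return report


if __name__ == "__main__":
    for source, finding in audit(DUMPADM_OUT, COREADM_OUT):
        print("%-8s %s" % (source, finding))
```

Run against the slide output the report flags savecore being disabled and the relative per-process pattern; after the dumpadm -y and coreadm -e log steps from this lesson, both of those disappear and no new finding is raised.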
