In the old days, if you wanted to port a website, you needed to buy at least two hardware servers: one for the database and another for the applications. Now you can buy one well-configured server and partition it using one of the virtualization technologies.
By doing this you save space, power and money. What more could you want?
Oracle offers many virtualization technologies. We will look at the types of virtualization that Oracle offers on Solaris and Sun hardware.
1. Hardware virtualizations.
2. Software virtualizations
HARDWARE VIRTUALIZATION:
Oracle offers two types of hardware virtualization.
1. Dynamic domains
(Supported in Sun M-series servers like M9000, M5000, i.e. sun4u architecture)
2. LDOMS
(Supported in Sun T-series servers like T5240, T5220, i.e. sun4v architecture)
(LDOM is now re-branded as Oracle VM for SPARC)
You can find the architecture type using the uname -m command from the OS.
Dynamic Domains:
They offer electrical separation with different versions of the operating system possible per domain. The
number of domains is limited per system. Dynamic System Domain features include the ability to hot
plug hardware and run different versions of the Oracle Solaris Operating System per domain. Each
domain can be started, stopped and rebooted independently.
Server Model    Domains
                one
M4000           Two
M5000           Four
M8000           Sixteen
M9000-32        Twenty Four
M9000-64        Twenty Four
be started, stopped, and rebooted independently. We can add or remove CPUs, RAM, or I/O devices on the fly without requiring a reboot. We can create 128 logical domains on these servers. Each will act as a global zone.
SOFTWARE VIRTUALIZATION:
Oracle offers two types of software virtualization.
1. Solaris Zones
2. Oracle VM for X86
Solaris Zones: (Containers)
One of the most commonly used virtualization technologies on Solaris. It is very lightweight and easy to use and administer. Oracle renamed zones as containers, and now it has a meaningful name too.
Zones + resource control = containers. Yes, we can control the resources of each zone by using rcap or the dedicated method. In one Solaris global zone we can create more than 8000 zones.
Here a Linux-based operating system needs to be installed as the base OS on the x86 hardware. To manage these Oracle VM servers, you need to install the Oracle VM application on a Linux host. The VM application provides a web-based portal to administer all Oracle VM servers and guest OSes.
Note: The Oracle VM application uses Oracle Database and WebLogic software.
default:3::::
group.staff:10::::
limitedusers:100::linges::process.max-file-descriptor=(privileged,8192,deny)
test:101::::task.max-lwps=(privileged,2,deny)
As a test,
bash-3.00# newtask -p test bash ------------>First lwp process
bash-3.00# id -p
uid=0(root) gid=0(root) projid=101(test)
bash-3.00# ps -o project,taskid -p $$
PROJECT TASKID
   test     98
bash-3.00# bash ------------------------------------>Second lwp process
bash-3.00# bash
bash: fork: Resource temporarily unavailable
bash-3.00# bash
bash: fork: Resource temporarily unavailable
Logging:
Global logging can be enabled by setting syslog=level with rctladm, where level is one of the usual syslog levels: debug, info, notice, warning, err, crit, alert or emerg.
We can enable syslog notice logging using the command below. If the system crosses the limit, it will be logged in the messages file.
bash-3.00# rctladm -e syslog process.max-file-descriptor
bash-3.00# rctladm
process.max-port-events           syslog=off     [ deny count ]
process.max-msg-messages          syslog=off     [ deny count ]
process.max-msg-qbytes            syslog=off     [ deny bytes ]
process.max-sem-ops               syslog=off     [ deny count ]
process.max-sem-nsems             syslog=off     [ deny count ]
process.max-address-space         syslog=off     [ lowerable deny no-signal bytes ]
process.max-file-descriptor       syslog=notice  [ lowerable deny count ]
process.max-core-size             syslog=off     [ lowerable deny no-signal bytes ]
process.max-stack-size            syslog=off     [ lowerable deny no-signal bytes ]
process.max-data-size             syslog=off     [ lowerable deny no-signal bytes ]
process.max-file-size             syslog=off     [ lowerable deny file-size bytes ]
process.max-cpu-time              syslog=off     [ lowerable no-deny cpu-time inf seconds ]
task.max-cpu-time                 syslog=off     [ no-deny cpu-time no-obs inf seconds ]
task.max-lwps                     syslog=off     [ count ]
project.max-contracts             syslog=off     [ no-basic deny count ]
project.max-device-locked-memory  syslog=off     [ no-basic deny bytes ]
project.max-locked-memory         syslog=off     [ no-basic deny bytes ]
project.max-port-ids              syslog=off     [ no-basic deny count ]
project.max-shm-memory            syslog=off     [ no-basic deny bytes ]
project.max-shm-ids               syslog=off     [ no-basic deny count ]
project.max-msg-ids               syslog=off     [ no-basic deny count ]
project.max-sem-ids               syslog=off     [ no-basic deny count ]
project.max-crypto-memory         syslog=off     [ no-basic deny bytes ]
project.max-tasks                 syslog=off     [ no-basic count ]
project.max-lwps                  syslog=off     [ no-basic count ]
project.cpu-cap                   syslog=off     [ no-basic deny no-signal inf count ]
project.cpu-shares                syslog=n/a     [ no-basic no-deny no-signal no-syslog count ]
zone.max-swap                     syslog=off     [ no-basic deny bytes ]
zone.max-locked-memory            syslog=off     [ no-basic deny bytes ]
zone.max-shm-memory               syslog=off     [ no-basic deny bytes ]
zone.max-shm-ids                  syslog=off     [ no-basic deny count ]
zone.max-sem-ids                  syslog=off     [ no-basic deny count ]
zone.max-msg-ids                  syslog=off     [ no-basic deny count ]
zone.max-lwps                     syslog=off     [ no-basic count ]
zone.cpu-cap                      syslog=off     [ no-basic deny no-signal inf count ]
zone.cpu-shares                   syslog=n/a     [ no-basic no-deny no-signal no-syslog count ]
For testing purposes, here I am setting max-lwps to 5 for sshd, so the sshd daemon allows the system to create 5 LWPs. Once it has reached the limit, you cannot connect to the system using ssh.
# prctl -n task.max-lwps -v 5 -t privileged -d all `pgrep sshd`
I tried to ssh to this machine using PuTTY and it allowed 4 sessions; when I tried to open a 5th one, I got the error "connected terminated unexpectedly". It means the system is not allowing the ssh process to create more than 5 LWPs. You can see this error logged in the messages file.
# tail -f /var/adm/messages
Jul 2 07:47:20 sfos e1000g: [ID 801725 kern.info] NOTICE: pci8086,100f e1000g[0] : link up, 1000 Mbps, full duplex
Jul 2 07:47:20 sfos in.routed[1212]: [ID 300549 daemon.warning] interface e1000g0 to 192.168.10.29 restored
Jul 2 09:31:14 sfos genunix: [ID 748619 kern.notice] privileged rctl task.max-lwps (value 5) exceeded by process 28555 in task 71.
^C
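The kernel message shown above has a fixed shape, so denials can be counted per rctl and task to spot a task that keeps hitting its cap. The script below is an added example, not part of the original page; the function names are hypothetical and the sample lines (apart from the task.max-lwps message format) are constructed.

```shell
#!/bin/sh
# Added example: summarise rctl denials recorded by the kernel in syslog.
# On Solaris 10 run the awk parts with nawk or /usr/xpg4/bin/awk.

# Constructed sample input. The task.max-lwps message format is the one
# shown above; times, pids and the file-descriptor event are made up.
sample_messages() {
cat <<'EOF'
Jul 2 07:47:20 sfos in.routed[1212]: [ID 300549 daemon.warning] interface e1000g0 to 192.168.10.29 restored
Jul 2 09:31:14 sfos genunix: [ID 748619 kern.notice] privileged rctl task.max-lwps (value 5) exceeded by process 28555 in task 71.
Jul 2 09:31:15 sfos genunix: [ID 748619 kern.notice] privileged rctl task.max-lwps (value 5) exceeded by process 28555 in task 71.
Jul 2 09:31:19 sfos genunix: [ID 748619 kern.notice] privileged rctl task.max-lwps (value 5) exceeded by process 28601 in task 71.
Jul 2 09:40:02 sfos genunix: [ID 748619 kern.notice] privileged rctl process.max-file-descriptor (value 8192) exceeded by process 29001 in task 98.
EOF
}

# rctl_violations: syslog lines on stdin.
# Prints one line per rctl/task pair: rctl task limit count last_pid
rctl_violations() {
  awk '
    / rctl / && / exceeded by process / {
      # locate the word "rctl"; the fields after it have fixed positions
      for (i = 1; i <= NF; i++) if ($i == "rctl") break
      name  = $(i + 1)
      limit = $(i + 3); gsub(/[()]/, "", limit)   # "5)"  -> "5"
      pid   = $(i + 7)
      task  = $(i + 10); sub(/\.$/, "", task)     # "71." -> "71"
      key = name " " task " " limit
      count[key]++
      last[key] = pid
    }
    END { for (k in count) print k, count[k], last[k] }
  ' | sort
}

# rctl_alerts MIN: keep only rctl/task pairs denied at least MIN times.
rctl_alerts() {
  rctl_violations | awk -v min="$1" '$4 + 0 >= min + 0 {
    print $1 " task=" $2 " limit=" $3 " denials=" $4
  }'
}
```

Run it as `rctl_alerts 3 < /var/adm/messages`; the threshold is a tuning choice, since a single denial can be an ordinary burst while repeated denials in one task point at runaway process creation.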
To disable syslog logging:
bash-3.00# rctladm -d syslog process.max-file-descriptor
bash-3.00# rctladm
process.max-port-events           syslog=off     [ deny count ]
process.max-msg-messages          syslog=off     [ deny count ]
process.max-msg-qbytes            syslog=off     [ deny bytes ]
process.max-sem-ops               syslog=off     [ deny count ]
process.max-sem-nsems             syslog=off     [ deny count ]
process.max-address-space         syslog=off     [ lowerable deny no-signal bytes ]
process.max-file-descriptor       syslog=off     [ lowerable deny count ]
process.max-core-size             syslog=off     [ lowerable deny no-signal bytes ]
process.max-stack-size            syslog=off     [ lowerable deny no-signal bytes ]
process.max-data-size             syslog=off     [ lowerable deny no-signal bytes ]
process.max-file-size             syslog=off     [ lowerable deny file-size bytes ]
process.max-cpu-time              syslog=off     [ lowerable no-deny cpu-time inf seconds ]
task.max-cpu-time                 syslog=off     [ no-deny cpu-time no-obs inf seconds ]
task.max-lwps                     syslog=off     [ count ]
project.max-contracts             syslog=off     [ no-basic deny count ]
project.max-device-locked-memory  syslog=off     [ no-basic deny bytes ]
project.max-locked-memory         syslog=off     [ no-basic deny bytes ]
project.max-port-ids              syslog=off     [ no-basic deny count ]
project.max-shm-memory            syslog=off     [ no-basic deny bytes ]
project.max-shm-ids               syslog=off     [ no-basic deny count ]
project.max-msg-ids               syslog=off     [ no-basic deny count ]
project.max-sem-ids               syslog=off     [ no-basic deny count ]
project.max-crypto-memory         syslog=off     [ no-basic deny bytes ]
project.max-tasks                 syslog=off     [ no-basic count ]
project.max-lwps                  syslog=off     [ no-basic count ]
project.cpu-cap                   syslog=off     [ no-basic deny no-signal inf count ]
project.cpu-shares                syslog=n/a     [ no-basic no-deny no-signal no-syslog count ]
zone.max-swap                     syslog=off     [ no-basic deny bytes ]
zone.max-locked-memory            syslog=off     [ no-basic deny bytes ]
zone.max-shm-memory               syslog=off     [ no-basic deny bytes ]
zone.max-shm-ids                  syslog=off     [ no-basic deny count ]
zone.max-sem-ids                  syslog=off     [ no-basic deny count ]
zone.max-msg-ids                  syslog=off     [ no-basic deny count ]
zone.max-lwps                     syslog=off     [ no-basic count ]
zone.cpu-cap                      syslog=off     [ no-basic deny no-signal inf count ]
zone.cpu-shares                   syslog=n/a     [ no-basic no-deny no-signal no-syslog count ]
We can also check the resource control limits of a process using its PID.
# prctl 29513
process: 29513: /usr/lib/ssh/sshd
NAME    PRIVILEGE       VALUE    FLAG  ACTION            RECIPIENT
process.max-port-events
        privileged      65.5K    -     deny              -
        system          2.15G    max   deny              -
process.max-msg-messages
        privileged      8.19K    -     deny              -
        system          4.29G    max   deny              -
process.max-msg-qbytes
        privileged      64.0KB   -     deny              -
        system          16.0EB   max   deny              -
process.max-sem-ops
        privileged      512      -     deny              -
        system          2.15G    max   deny              -
process.max-sem-nsems
        privileged      512      -     deny              -
        system          32.8K    max   deny              -
process.max-address-space
        privileged      16.0EB   max   deny              -
        system          16.0EB   max   deny              -
process.max-file-descriptor
        basic           256      -     deny              29513
        privileged      65.5K    -     deny              -
        system          2.15G    max   deny              -
process.max-core-size
        privileged      8.00EB   max   deny              -
        system          8.00EB   max   deny              -
process.max-stack-size
        basic           10.0MB   -     deny              29513
        privileged      125TB    -     deny              -
        system          125TB    max   deny              -
process.max-data-size
        privileged      16.0EB   max   deny              -
        system          16.0EB   max   deny              -
process.max-file-size
        privileged      8.00EB   max   deny,signal=XFSZ  -
        system          8.00EB   max   deny              -
process.max-cpu-time
        privileged      18.4Es   inf   signal=XCPU       -
        system          18.4Es   inf   none              -
task.max-cpu-time
        system          18.4Es   inf   none              -
task.max-lwps
        privileged      5        -     deny              -
        privileged      40       -     none              -
        system          2.15G    max   deny              -
project.max-contracts
        privileged      10.0K    -     deny              -
        system          2.15G    max   deny              -
project.max-device-locked-memory
        privileged      63.5MB   -     deny              -
        system          16.0EB   max   deny              -
project.max-locked-memory
        system          16.0EB   max   deny              -
project.max-port-ids
        privileged      8.19K    -     deny              -
        system          65.5K    max   deny              -
project.max-shm-memory
        privileged      254MB    -     deny              -
        system          16.0EB   max   deny              -
project.max-shm-ids
        privileged      128      -     deny              -
        system          16.8M    max   deny              -
project.max-msg-ids
        privileged      128      -     deny              -
        system          16.8M    max   deny              -
project.max-sem-ids
        privileged      128      -     deny              -
        system          16.8M    max   deny              -
project.max-crypto-memory
        privileged      254MB    -     deny              -
        system          16.0EB   max   deny              -
project.max-tasks
        system          2.15G    max   deny              -
project.max-lwps
        system          2.15G    max   deny              -
project.cpu-cap
        system          4.29G    inf   deny              -
project.cpu-shares
        privileged      1        -     none              -
        system          65.5K    max   none              -
zone.max-swap
        system          16.0EB   max   deny              -
zone.max-locked-memory
        system          16.0EB   max   deny              -
zone.max-shm-memory
        system          16.0EB   max   deny              -
zone.max-shm-ids
        system          16.8M    max   deny              -
zone.max-sem-ids
        system          16.8M    max   deny              -
zone.max-msg-ids
        system          16.8M    max   deny              -
zone.max-lwps
        system          2.15G    max   deny              -
zone.cpu-cap
        system          4.29G    inf   deny              -
zone.cpu-shares
        privileged               -     none              -
        system          65.5K    max   none              -
Resource Management:
Resource controls are identified by the following prefixes:
1. zone (Ex: zone.cpu-shares)
2. project (Ex: project.max-shm-memory)
3. task (Ex: task.max-lwps)
4. process (Ex: process.max-stack-size)
Resource controls can be observed on a system-wide basis, and it is possible to update resource control values on a running system. On older systems we had to deal with the ulimit command, and most of the time we set it in the /etc/profile file so that it took effect for all users. But in Solaris 10, we can easily manage shell limits using the simple prctl command.
Levels:
Each resource control threshold needs to be associated with one of the following privilege
levels:
Actions:
It is possible to use rctladm to specify one of the following actions on a process that violates
the control:
        PRIVILEGE       VALUE    FLAG  ACTION  RECIPIENT
process.max-file-descriptor
        basic           8.19K          deny
        privileged      61.9K          deny    > 61.9K is the hard limit (privileged). Only root can modify this.
        system          2.15G    max   deny    > max value.
Experiment:
I am creating a new user called linges and setting the resource control on the fly using project control.
bash-3.00# useradd -m -d /export/home/linges -s /bin/bash linges
64 blocks
bash-3.00# cat /etc/project
system:0::::
user.root:1::::
noproject:2::::
default:3::::
group.staff:10::::
Here I am setting the maximum open files soft limit to 8192 and the maximum hard limit to 61921 using the command below.
bash-3.00# projmod -s -K 'process.max-file-descriptor=(basic,8192,deny),(privileged,61921,deny)' limitedusers
unlimited unlimited unlimited 61921 10 unlimited unlimited 16245 unlimited
unlimited unlimited unlimited 8192 10 1347 unlimited 16245 unlimited
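The project entries used in this experiment follow the name:id:comment:users:groups:attributes layout, so the stored thresholds can be listed and checked with a short script. This is an added example, not from the original page; the function names are hypothetical, the sample entries are assembled from the lines shown on this page, and the check for a missing LWP cap is an illustrative policy.

```shell
#!/bin/sh
# Added example: list rctl thresholds stored in /etc/project-style entries.
# On Solaris 10 run the awk parts with nawk or /usr/xpg4/bin/awk.

# Sample input assembled from the entries shown on this page.
sample_project() {
cat <<'EOF'
system:0::::
user.root:1::::
noproject:2::::
default:3::::
group.staff:10::::
limitedusers:100::linges::process.max-file-descriptor=(basic,8192,deny),(privileged,61921,deny)
test:101::::task.max-lwps=(privileged,2,deny)
EOF
}

# project_rctls: project entries on stdin.
# Prints one line per threshold: project rctl privilege value action
project_rctls() {
  awk -F: '
    /^#/ || NF < 6 { next }
    {
      n = split($6, attrs, ";")                 # attributes are ;-separated
      for (a = 1; a <= n; a++) {
        eq = index(attrs[a], "=")
        if (eq == 0) continue                   # attribute without a value
        name = substr(attrs[a], 1, eq - 1)
        rest = substr(attrs[a], eq + 1)
        while (match(rest, /\([^)]*\)/)) {      # each (privilege,value,action)
          split(substr(rest, RSTART + 1, RLENGTH - 2), t, ",")
          print $1, name, t[1], t[2], t[3]
          rest = substr(rest, RSTART + RLENGTH)
        }
      }
    }'
}

# uncapped_projects: names of projects with no deny threshold on the LWP
# count (task.max-lwps or project.max-lwps).
uncapped_projects() {
  entries=$(cat)
  capped=$(printf '%s\n' "$entries" | project_rctls |
    awk '($2 == "task.max-lwps" || $2 == "project.max-lwps") && $5 == "deny" { print $1 }')
  printf '%s\n' "$entries" | awk -F: '!/^#/ && NF >= 6 { print $1 }' |
    while read -r name; do
      printf '%s\n' "$capped" | grep -Fqx -- "$name" || echo "$name"
    done
}
```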
Setting Unlimited:
January 2005
In the old days we used to set the value unlimited for shell limits. But in Resource Management you can't use the word unlimited, as resource controls have no concept of unlimited. Instead, you just need to set the value to the maximum allowed system value.
For example, to see the maximum stack size, use:
bash-3.00# prctl -P -t system -n process.max-stack-size $$
process: 29525: bash
process.max-stack-size system 137988707188736 max deny -
ulimit -Ha
(blocks, -c) unlimited
(kbytes, -d) unlimited
(blocks, -f) unlimited
(-n) 61921
(512 bytes, -p) 10
(kbytes, -s) unlimited
(seconds, -t) unlimited
(-u) 16245
(kbytes, -v) unlimited
ulimit -Sa
(blocks, -c) unlimited
(kbytes, -d) unlimited
(blocks, -f) unlimited
(-n) 8192
(512 bytes, -p) 10
(kbytes, -s) 10240
(seconds, -t) unlimited
(-u) 16245
(kbytes, -v) unlimited
Here I tried to set a value that is higher than the system value and it ended up with the error "exceeds system limit", which means you can't set a value higher than the system value.
bash-3.00# projmod -s -K "process.max-stack-size=(privileged,9223372036854775807,deny)" limitedusers
projmod: rctl "process.max-stack-size" value "9223372036854775807" exceeds system limit
We can also verify this from the root account by gaining access via newtask:
bash-3.00# newtask -p limitedusers bash
bash-3.00# id -p
uid=0(root) gid=0(root) projid=100(limitedusers)
-bash-3.00# ulimit -Ss
10240
-bash-3.00# ulimit -Hs
unlimited
project.max-shm-ids
project.max-sem-ids
project.max-msg-ids
project.max-shm-memory
process.max-sem-nsems
process.max-sem-ops
process.max-msg-messages
process.max-msg-qbytes
If you are planning to use zones in production, keep a dedicated zpool for them and make sure the zone root path is under a ZFS dataset, not directly under the zpool, i.e. not in /lzpool1 but in /lzpool1/rpool. Otherwise you cannot use the Live Upgrade feature.
For example, if you have more than 2 to 3 physical servers in your environment, make sure that you provision the LUNs to all three physical servers. If one of your physical servers fails, you can import the zpool on another global zone and start the zone there. But make sure you have a copy of the zone configuration files on the other global zones. You can use the command below to export the configuration file.
The setup described below eliminates Solaris bug CR: 6867013 (Zones residing on top level of the pool dataset).
Creating new zpool for localzone
bash-3.00# zpool create lzpool1 c1t4d0
21K  /lzpool1
21K  /lzpool1/rpool
Testing Liveupgrade:
bash-3.00#
bash-3.00# lustatus
ERROR: No boot environments are configured on this system
ERROR: cannot determine list of all boot environment names
bash-3.00# lucreate -c oldbe -n newbe
Checking GRUB menu...
Analyzing system configuration.
No name for current boot environment.
Current boot environment is named .
Creating initial configuration for primary boot environment .
The device is not a root device for any boot environment; cannot get BE ID.
PBE configuration successful: PBE name PBE Boot Device .
Comparing source boot environment file systems with the file
system(s) you specified for the new boot environment. Determining which
file systems should be in the new boot environment.
Updating boot environment description database on all BEs.
Updating system configuration files.
Creating configuration for boot environment .
Source boot environment is .
Creating boot environment .
Cloning file systems from boot environment to create boot environment .
Creating snapshot for on .
Creating clone for on .
Setting canmount=noauto for </> in zone on .
Creating snapshot for on .
Creating clone for on .
Setting canmount=noauto for in zone on .
Creating snapshot for on .
Creating clone for on .
Saving existing file in top level dataset for BE as
//boot/grub/menu.lst.prev.
File propagation successful
Copied GRUB menu from PBE to ABE
No entry for BE in GRUB menu
Population of boot environment successful.
Creation of boot environment successful.
From the above output you can see that Live Upgrade keeps a snapshot of the zone root and creates a new dataset for the BE. So even if patching fails, you can easily roll back. You will see an error similar to the one below if you have not followed the above procedure while creating the boot environment.
Creating snapshot for on .
cannot create '.': missing dataset name
Creating clone for on .
ERROR: cannot create 'lzpool1-SOL_2012Q1': missing dataset name
ERROR: Unable to clone <> on <>.
/usr/lib/lu/luclonefs: lzpool1@SOL_2012Q1: not found
cannot open 'lzpool1-SOL_2012Q1': dataset does not exist
cannot open 'lzpool1-SOL_2012Q1': dataset does not exist
cannot open 'lzpool1-SOL_2012Q1': dataset does not exist
cannot open 'lzpool1-SOL_2012Q1': dataset does not exist