Oracle server-Virtualization Technologies

July 2, 2012 in Solaris 10, Solaris Hardware

OS Virtualization is a hot topic in the IT market.All the operating system developers and OEM are keep
on introducing new virtualization technologies day by day. Have you ever asked why is it so import in
infrastructure management ? Operating system virtualization very important to reduce the hardware
cost and isolates the applications from server.

In older days ,if you want to port the website,you need to buy a minimum two servers hardware.One for
database and another one for applications.But now just buy one good configuration server and
partition it using one of the virtualization technologies
By doing this ,you are saving the space,power,money then what you want ?

Oracle offers many many virtualization technologies. We will see what type virtualization that are
offered by oracle on Solaris and sun hardware.
1. Hardware virtualizations.
2. Software virtualizations

HARDWARE VIRTUALIZATION:
Oracle is offering two type of hardware virtualization.

1. Dynamic domains
(Supported in Sun M series servers like M9000,M5000 i.e sun4u architecture)

2. LDOMS
(Supported in Sun T-series serves like T5240,T5220 i.e sun4v architecture)
(Now LDOM re-branded as Oracle VM for SPARC)
You can find the architecture type using uname m command from OS.
Dynamic Domains:

They offer electrical separation with different versions of the operating system possible per domain. The
number of domains is limited per system. Dynamic System Domain features include the ability to hot
plug hardware and run different versions of the Oracle Solaris Operating System per domain. Each
domain can be started, stopped and rebooted independently.
Server Model

Maximum Dynamic Domain per system

M3000

one
M4000

Two
M5000

Four
M8000

Sixteen
M9000-32

Twenty Four
M9000-64

Twenty Four

LDOM or Oracle VM for SPARC:

The SPARC Hypervisor runs in the Hyper-Privileged execution mode, which was introduced in the sun4v
architecture. In oracle VM each domains is full virtual machine which are configured with different
subset of hardware. These domains can be securely live migrated between servers while running
without any interruption. Like Dynamic domains, Operating systems running inside Logical Domains can

be started, stopped, and rebooted independently. On the fly we can add or remove CPUs, RAM, or I/O
devices without requiring a reboot. We can create 128 logical domains on these servers. Each will act as
global zone.

SOFTWARE VIRTUALIZATION:
Oracle is offering two type of software virtualization.
1. Solaris Zones
2. Oracle VM for X86
Solaris Zones: (Containers)
One of the most commonly using virtualization technologies on Solaris .Its very light weight and easy to
use and administrate. Oracle renamed the zones as containers and now it has meaningful name too.
Zones + resource control = containers. Yes. We can control the resource per zones by using rcap or
dedicated method. In one Solaris global zone we can create more than 8000 zones.

There three type of zones in Solaris.

1. Sparse root zone.
2. Whole root zone.
3. Branded zone.
Sparse root zone
The below mentioned filesystems are mounted from global zone as loop back filesystems on this zones
in read only mode. So that less than 150MB free space is enough to create sparse root zone.
/usr
/lib
/sbin
/platform.
Whole root zone.
A self-contain zone makes copies of from the global zone and it has own /usr, /lib, /sbin and /platform
directories and it will be in read/write mode. To install whole root zone we need minimum 3GB space .
Branded zone:
One of the powerful features of Solaris 10 allows you to run Solaris 8 and 9 environments in zones, but
only on SPARC. These zones are called branded zone.

Oracle VM for X86

Oracle VM is based on the open-source Xen hypervisor technology supports Windows, Linux, and Oracle
Solaris. This is more over like VMware ESX server where you have base OS and to manage ESX server
Vcenter will be installed on windows host.

Here you have Linux base operating system which needs to be installed as base OS on the x86
hardware.To manage these Oracle VM servers, you need to have install oracle VM application on Linux
host. VM application provides a web-based portal to administrate all oracle VM servers and Guest OS.
Note:Oracle VM application uses oracle Database and weblogic software.

Solaris 10s Resource

Management:Controlling process using
projects
July 2, 2012 in Resource Management, Solaris 10
in older days we use to set the kernel tuneable parameters through /etc/system
in Solaris Boxes.But from Solaris 10 on-wards,we set those parameters using resource
control mechanism.The rctladm command allows you to make runtime interrogations
of and modifications to the resource controls facility, with global scope. The prctl
command allows you to make runtime interrogations of and modifications to the
resource controls facility, with local scope.
Many kernel parameters have been replaced by so called resource controls in Solaris
10. It is possible to change resource controls using the prctl command. All shared
memory and semaphore settings are now handled via resource controls, so any entries
regarding shared memory or semaphores (shm & sem) in /etc/system will be ignored.
Here we will see how to control the resource for process by using project and
newtask.
For example, I am creating the new project called test and setting maximum lwps
process to 2.So from this project, system cannot generate more than two lwp process.
bash-3.00# projadd -K 'task.max-lwps=(privileged,2,deny)' test
bash-3.00# cat /etc/project
system:0::::
user.root:1::::
noproject:2::::

default:3::::
group.staff:10::::
limitedusers:100::linges::process.max-file-descriptor=(privileged,8192,deny)
test:101::::task.max-lwps=(privileged,2,deny)

As a test,
bash-3.00# newtask -p test bash ------------>First lwp process
bash-3.00# id -p
uid=0(root) gid=0(root) projid=101(test)
bash-3.00# ps -o project,taskid -p $$
PROJECT TASKID
test
98
bash-3.00# bash
------------------------------------>Second lwp process
bash-3.00# bash
bash: fork: Resource temporarily unavailable
bash-3.00# bash
bash: fork: Resource temporarily unavailable

Logging:
Global logging can be enabled by setting syslog=level with rctladm, where
level is one of the usual syslog levels: debug, info, notice, warning, err, crit,
alert or emerge.
We can enable syslog notice using the below command.If the system is
crossed the limit ,it will log in messages file.
bash-3.00# rctladm -e syslog process.max-file-descriptor
bash-3.00# rctladm
process.max-port-events
syslog=off
[ deny count ]process.max-msgmessages
syslog=off
[ deny count ]process.max-msg-qbytes
syslog=off
[ deny bytes ]process.max-sem-ops
syslog=off
[
deny count ]process.max-sem-nsems
syslog=off
[ deny count
]process.max-address-space
syslog=off
[ lowerable deny no-signal bytes
]process.max-file-descriptor syslog=notice [ lowerable deny count
]process.max-core-size
syslog=off
[ lowerable deny no-signal bytes
]process.max-stack-size
syslog=off
[ lowerable deny no-signal bytes
]process.max-data-size
syslog=off
[ lowerable deny no-signal bytes
]process.max-file-size
syslog=off
[ lowerable deny file-size bytes
]process.max-cpu-time
syslog=off
[ lowerable no-deny cpu-time inf
seconds ]task.max-cpu-time
syslog=off
[ no-deny cpu-time no-obs
inf seconds ]task.max-lwps
syslog=off
[ count ]project.maxcontracts
syslog=off
[ no-basic deny count ]project.max-devicelocked-memory syslog=off
[ no-basic deny bytes ]project.max-locked-memory
syslog=off
[ no-basic deny bytes ]project.max-port-ids
syslog=off
[ no-basic deny count ]project.max-shm-memory
syslog=off
[ no-basic
deny bytes ]project.max-shm-ids
syslog=off
[ no-basic deny count
]project.max-msg-ids
syslog=off
[ no-basic deny count
]project.max-sem-ids
syslog=off
[ no-basic deny count
]project.max-crypto-memory
syslog=off
[ no-basic deny bytes
]project.max-tasks
syslog=off
[ no-basic count ]project.maxlwps
syslog=off
[ no-basic count ]project.cpu-cap
syslog=off
[ no-basic deny no-signal inf count ]project.cpu-shares
syslog=n/a
[ no-basic no-deny no-signal no-syslog count ]zone.max-swap
syslog=off
[ no-basic deny bytes ]zone.max-locked-memory
syslog=off
[ no-basic deny bytes ]zone.max-shm-memory
syslog=off
[ no-basic
deny bytes ]zone.max-shm-ids
syslog=off
[ no-basic deny count
]zone.max-sem-ids
syslog=off
[ no-basic deny count ]zone.maxmsg-ids
syslog=off
[ no-basic deny count ]zone.max-lwps
syslog=off
[ no-basic count ]zone.cpu-cap
syslog=off
[

no-basic deny no-signal inf count ]zone.cpu-shares

[ no-basic no-deny no-signal no-syslog count ]

syslog=n/a

By default syslog,will be enabled as notice. If you want to set the syslog

level to debug ,you can use below command.
bash-3.00# rctladm -e syslog=debug task.max-lwps
bash-3.00# rctladm |grep task.max-lwps
task.max-lwps
syslog=debug
[ count ]

For testing purpose,Here i am setting the max-lwps to 5 for sshd .so your
sshd daemon allow the system to create 5lwps.once its reached the limit,you
cannot to the system using ssh.
# prctl -n task.max-lwps -v 5 -t privileged -d all `pgrep sshd`

I tried to ssh this machine using putty and it allowed 4 session,when try to
take a 5th one, got error connected terminated unexpectedly .It means
,system is not allowing ssh process to create more than 5lwp process.You
can see this error is logged in messages file.
# tail -f /var/adm/messages
Jul 2 07:47:20 sfos e1000g: [ID 801725 kern.info] NOTICE: pci8086,100f e1000g[0] : link up, 1000 Mbps, full duplex
Jul 2 07:47:20 sfos in.routed[1212]: [ID 300549 daemon.warning] interface
e1000g0 to 192.168.10.29 restored
Jul 2 09:31:14 sfos genunix: [ID 748619 kern.notice] privileged rctl
task.max-lwps (value 5) exceeded by process 28555 in task 71.
^C

To Disable to syslog ,
bash-3.00# rctladm -d syslog process.max-file-descriptor
bash-3.00# rctladm
process.max-port-events
syslog=off
[ deny count ]process.max-msgmessages
syslog=off
[ deny count ]process.max-msg-qbytes
syslog=off
[ deny bytes ]process.max-sem-ops
syslog=off
[
deny count ]process.max-sem-nsems
syslog=off
[ deny count
]process.max-address-space
syslog=off
[ lowerable deny no-signal bytes
]process.max-file-descriptor syslog=off
[ lowerable deny count
]process.max-core-size
syslog=off
[ lowerable deny no-signal bytes
]process.max-stack-size
syslog=off
[ lowerable deny no-signal bytes
]process.max-data-size
syslog=off
[ lowerable deny no-signal bytes
]process.max-file-size
syslog=off
[ lowerable deny file-size bytes
]process.max-cpu-time
syslog=off
[ lowerable no-deny cpu-time inf
seconds ]task.max-cpu-time
syslog=off
[ no-deny cpu-time no-obs
inf seconds ]task.max-lwps
syslog=off
[ count ]project.maxcontracts
syslog=off
[ no-basic deny count ]project.max-devicelocked-memory syslog=off
[ no-basic deny bytes ]project.max-locked-memory
syslog=off
[ no-basic deny bytes ]project.max-port-ids
syslog=off
[ no-basic deny count ]project.max-shm-memory
syslog=off
[ no-basic
deny bytes ]project.max-shm-ids
syslog=off
[ no-basic deny count

]project.max-msg-ids
syslog=off
[ no-basic deny count
]project.max-sem-ids
syslog=off
[ no-basic deny count
]project.max-crypto-memory
syslog=off
[ no-basic deny bytes
]project.max-tasks
syslog=off
[ no-basic count ]project.maxlwps
syslog=off
[ no-basic count ]project.cpu-cap
syslog=off
[ no-basic deny no-signal inf count ]project.cpu-shares
syslog=n/a
[ no-basic no-deny no-signal no-syslog count ]zone.max-swap
syslog=off
[ no-basic deny bytes ]zone.max-locked-memory
syslog=off
[ no-basic deny bytes ]zone.max-shm-memory
syslog=off
[ no-basic
deny bytes ]zone.max-shm-ids
syslog=off
[ no-basic deny count
]zone.max-sem-ids
syslog=off
[ no-basic deny count ]zone.maxmsg-ids
syslog=off
[ no-basic deny count ]zone.max-lwps
syslog=off
[ no-basic count ]zone.cpu-cap
syslog=off
[
no-basic deny no-signal inf count ]zone.cpu-shares
syslog=n/a
[ no-basic no-deny no-signal no-syslog count ]

To check the task value,

bash-3.00# prctl -n task.max-lwps $$
process: 29525: bash
NAME
PRIVILEGE
VALUE
FLAG
RECIPIENT
task.max-lwps
privileged
5
privileged
40
system
2.15G
max
-

ACTION

deny
none
deny

Using pid also we can check the resource control limit for that process.
# prctl 29513
process: 29513: /usr/lib/ssh/sshd
NAME
PRIVILEGE
VALUE
FLAG
RECIPIENT
process.max-port-events
privileged
65.5K
system
2.15G
max
process.max-msg-messages
privileged
8.19K
system
4.29G
max
process.max-msg-qbytes
privileged
64.0KB
system
16.0EB
max
process.max-sem-ops
privileged
512
system
2.15G
max

ACTION

deny
deny

deny
deny

deny
deny

deny
deny

process.max-sem-nsems
privileged
512
system
32.8K
process.max-address-space
privileged
16.0EB
system
16.0EB
process.max-file-descriptor
basic
256
29513
privileged
65.5K
system
2.15G
process.max-core-size
privileged
8.00EB
system
8.00EB
process.max-stack-size
basic
10.0MB
29513
privileged
125TB
system
125TB
process.max-data-size
privileged
16.0EB
system
16.0EB
process.max-file-size
privileged
8.00EB
system
8.00EB
process.max-cpu-time
privileged
18.4Es
system
18.4Es
task.max-cpu-time
system
18.4Es
task.max-lwps
privileged
5
privileged
40
system
2.15G
project.max-contracts
privileged
10.0K

deny

max

deny

max

deny

max

deny

deny

deny

max

deny

max

deny

max

deny

deny

deny

max

deny

max

deny

max

deny

max

deny,signal=XFSZ

max

deny

inf

signal=XCPU

inf

none

inf

none

deny

none

max

deny

deny

system
2.15G
project.max-device-locked-memory
privileged
63.5MB
system
16.0EB
project.max-locked-memory
system
16.0EB
project.max-port-ids
privileged
8.19K
system
65.5K
project.max-shm-memory
privileged
254MB
system
16.0EB
project.max-shm-ids
privileged
128
system
16.8M
project.max-msg-ids
privileged
128
system
16.8M
project.max-sem-ids
privileged
128
system
16.8M
project.max-crypto-memory
privileged
254MB
system
16.0EB
project.max-tasks
system
2.15G
project.max-lwps
system
2.15G
project.cpu-cap
system
4.29G
project.cpu-shares
privileged
1
system
65.5K
zone.max-swap
system
16.0EB

max

deny

deny

max

deny

max

deny

deny

max

deny

deny

max

deny

deny

max

deny

deny

max

deny

deny

max

deny

deny

max

deny

max

deny

max

deny

inf

deny

none

max

none

max

deny

zone.max-locked-memory
system
zone.max-shm-memory
system
zone.max-shm-ids
system
zone.max-sem-ids
system
zone.max-msg-ids
system
zone.max-lwps
system
zone.cpu-cap
system
zone.cpu-shares
privileged
system

16.0EB

max

deny

16.0EB

max

deny

16.8M

max

deny

16.8M

max

deny

16.8M

max

deny

2.15G

max

deny

4.29G

inf

deny

none

65.5K

max

none

Solaris 10s Resource Management and Shell

Limit(ulimit)
July 2, 2012 in Resource Management, Solaris 10
Solaris 10s Resource Management
One of the best known features in Solaris is Resource management. This mechanism allows
controlling resource for each and every process which is big advantage in system
administration.System precious resources like CPU & memory also can be controlled by using
projects and newtask feature.

Resource Management:
A resource controls are identified by following prefix
1. zone (Ex:zone.cpu-shares)
2. project (Ex:project.max-shm-memory)
3. task (Ex:task.max-lwps)
4. process (Ex:process.max-stack-size)
Resource controls can be observed on a system-wide basis and possible to update
resource control values on a running system. In older system we need to deal with

ulimit command and most of the time we use to set in /etc/profile file to take effect
for all users. But in Solaris 10, we can easily manage shell limits using simple prctl
command.
Levels:
Each resource control threshold needs to be associated with one of the following privilege
levels:

basic: Can be modified by owner of calling process.

(In older term, we call it as Soft limit.These settings can be viewed using ulimit -Sa )
privileged: Only modifiable by superuser
(In older term, we call it as Hard limit.These settings can be viewed using ulimit -Ha )
system:Fixed for the duration of the operating system instance
(Systems maximum value.You cant set the privileged more than system value)

Actions:
It is possible to use rctladm to specify one of the following actions on a process that violates
the control:

none: No action taken. (Useful for monitoring.)

deny: Denies a request.

signal: Enable a signal.(i.e SIGTERM,SIGKILL)

To check current soft shell limits, enter the following command:
$ ulimit -Sa
Ex:To find the Maximum open files soft limit
bash-3.00# ulimit -Sn
8192

To check maximum hard limits, enter the following command:

$ ulimit -Ha
Ex:To find the Maximum open files hard limit.
bash-3.00# ulimit -Hn
61921

We can find the same using prctl,

bash-3.00# prctl -n process.max-file-descriptor $$

process: 6414: bash
NAME

PRIVILEGE

VALUE

FLAG ACTION

RECIPIENT

process.max-file-descriptor
basic

8.19K

deny

6414>8.19K is soft limit(Basic).It can be increased by user.

privileged 61.9K deny >61.9k is hard limit(privileged). Only Root modify this.
system
2.15G max deny
max value.

>2.15G is system maximum limit. Otherwords privileged

To Display default resource control value:

bash-3.2# prctl -n process.max-file-descriptor $$
process: 12372: bash
NAME
PRIVILEGE
VALUE
FLAG
ACTION
RECIPIENT
process.max-file-descriptor
basic
256
deny
12372
privileged
65.5K
deny
system
2.15G
max
deny
bash-3.2# prctl -n process.max-stack-size $$
process: 12372: bash
NAME
PRIVILEGE
VALUE
FLAG
ACTION
RECIPIENT
process.max-stack-size
basic
8.00MB
deny
12372
privileged
8.00EB
deny
system
8.00EB
max
deny
-

Experiment:
I am creating the new user called linges and setting the resource control on fly using project
control.
bash-3.00# useradd -m -d /export/home/linges -s /bin/bash linges
64 blocks
bash-3.00# cat /etc/project
system:0::::
user.root:1::::
noproject:2::::
default:3::::
group.staff:10::::

Creating the new project called limitedusers

bash-3.00# projadd limitedusers
bash-3.00# cat /etc/project
system:0::::
user.root:1::::
noproject:2::::
default:3::::
group.staff:10::::
limitedusers:100::::

Adding the newly created user to in to limitedusers project.

bash-3.00# projmod -U linges limitedusers
bash-3.00# cat /etc/project
system:0::::
user.root:1::::
noproject:2::::
default:3::::
group.staff:10::::
limitedusers:100::linges::

Here i am setting maximum openfiles softlimit to 8192 and maximum hard limit to
61921 using below command.
bash-3.00# projmod -s -K 'process.max-filedescriptor=(basic,8192,deny),(privileged,61921,deny)' limitedusers

Method :1 to verify the new values

To check the current project.
bash-3.00# id -p
uid=0(root) gid=0(root) projid=1(user.root)

We can gain new project using below command.

bash-3.00# newtask -p limitedusers bash
bash-3.00# id -p
uid=0(root) gid=0(root) projid=100(limitedusers)

Now we can check new values using prctl command.

bash-3.00# prctl -n process.max-file-descriptor $$
process: 6414: bash
NAME
PRIVILEGE
VALUE
FLAG
ACTION
RECIPIENT
process.max-file-descriptor
basic
8.19K
deny
6414
privileged
61.9K
deny
system
2.15G
max
deny
-

you can verify Using ulimit ,

bash-3.00# ulimit -Ha
core file size
(blocks, -c)
data seg size
(kbytes, -d)
file size
(blocks, -f)
open files
(-n)
pipe size
(512 bytes, -p)
stack size
(kbytes, -s)
cpu time
(seconds, -t)
max user processes
(-u)
virtual memory
(kbytes, -v)
bash-3.00# ulimit -Sa
core file size
(blocks, -c)
data seg size
(kbytes, -d)
file size
(blocks, -f)
open files
(-n)
pipe size
(512 bytes, -p)
stack size
(kbytes, -s)
cpu time
(seconds, -t)
max user processes
(-u)
virtual memory
(kbytes, -v)
bash-3.00# ulimit -Sn
8192
bash-3.00# ulimit -Hn
61921

unlimited
unlimited
unlimited
61921
10
unlimited
unlimited
16245
unlimited
unlimited
unlimited
unlimited
8192
10
1347
unlimited
16245
unlimited

Method :2 to verify the new values

Otherwise, we can login to user which is part of project limitedusers to verify the settings.
bash-3.00# su - linges
Oracle Corporation
SunOS 5.10
Generic Patch
-bash-3.00$ prctl -n process.max-file-descriptor $$
process: 7369: -bash
NAME
PRIVILEGE
VALUE
FLAG
ACTION
RECIPIENT
process.max-file-descriptor
basic
8.19K
deny
7369
privileged
61.9K
deny
system
2.15G
max
deny
-bash-3.00$ ulimit -Sn
8192
-bash-3.00$ ulimit -Hn
61921

Setting Unlimited:

January 2005

In older days we use to set value unlimited for shell limits. But in Resource Management
you cant use the word unlimited as the resource controls have no concept of unlimited.
Instead, you just need to set the value to the maximum allowed system value.
For example, to see the maximum stack size, use:
bash-3.00# prctl -P -t system -n process.max-stack-size $$
process: 29525: bash
process.max-stack-size system 137988707188736 max deny -

Here i am setting stack size hardlimit as systems stack size.(Which is equal to

unlimited value)
bash-3.00# projmod -s -K "process.max-stacksize=(basic,10MB,deny),(privileged,137988707188736,deny)" limitedusers
-bash-3.00$ prctl -n process.max-stack-size $$
process: 7605: -bash
NAME
PRIVILEGE
VALUE
FLAG
ACTION
RECIPIENT
process.max-stack-size
basic
10.0MB
deny
7605--------------->Soft Limit
privileged
125TB
deny
- -------------->Hard Limit
system
125TB
max
deny
----------->Maximum System Limit
-bash-3.00$ ulimit
core file size
data seg size
file size
open files
pipe size
stack size
cpu time
max user processes
virtual memory
-bash-3.00$ ulimit
core file size
data seg size
file size
open files
pipe size
stack size
cpu time
max user processes
virtual memory

-Ha
(blocks, -c)
(kbytes, -d)
(blocks, -f)
(-n)
(512 bytes, -p)
(kbytes, -s)
(seconds, -t)
(-u)
(kbytes, -v)
-Sa
(blocks, -c)
(kbytes, -d)
(blocks, -f)
(-n)
(512 bytes, -p)
(kbytes, -s)
(seconds, -t)
(-u)
(kbytes, -v)

-bash-3.00$ ulimit -Ss

10240
-bash-3.00$ ulimit -Hs
unlimited

unlimited
unlimited
unlimited
61921
10
unlimited
unlimited
16245
unlimited
unlimited
unlimited
unlimited
8192
10
10240
unlimited
16245
unlimited

- ---

Here I tried to set value which is higher that than the system value and its end up
with error exceeds system limit.Which means you cant set value higher than the
system value.
bash-3.00# projmod -s -K "process.max-stacksize=(privileged,9223372036854775807,deny)" limitedusers
projmod: rctl "process.max-stack-size" value "9223372036854775807" exceeds
system limit

We can verify using root account also by gaining access via newtask
bash-3.00# newtask -p limitedusers bash
bash-3.00# id -p
uid=0(root) gid=0(root) projid=100(limitedusers)
-bash-3.00# ulimit -Ss
10240
-bash-3.00# ulimit -Hs
unlimited

Important parameters in IPC in solaris

project.max-shm-ids

: Maximum shared memory IDs for a project.

project.max-sem-ids

: Maximum semaphore IDs for a project.

project.max-msg-ids

: Maximum message queue IDs for a project.

project.max-shm-memory

: Total amount of shared memory allowed for a project.

process.max-sem-nsems

: Maximum number of semaphores allowed per semaphore set.

process.max-sem-ops

: Maximum number of semaphore operations allowed per semop.

process.max-msg-messages

: Maximum number of messages on a message queue.

process.max-msg-qbytes

: Maximum number of bytes of messages on a message queue.

Solaris ZONE + Liveupgrade compatibility

model Solaris 10
July 3, 2012 in Live upgrade, ZFS, Zones
Using ZFS as root filesystems on global zone and local zone is huge advantage for OS patching.
ZFS is very flexible with Liveupgrade, so that rollback action is very simple. Its Just reboot.
Here we will see what type of zone+zfs configuration will support in Solaris 10 for
Liveupgrade.

If you are planning to use zones in production, better keep dedicated zpool and make sure
that you are keeping zone root path under zfs dataset not under zpool .i.e Not in /lzpool1
.keep it in /lzpool1/rpool. Otherwise you cannot use live upgrade feature.

For example, in your environment if you have more than 2 to 3 physical server, make sure
that you are provisioning LUNs to all the three physical serves. In case if your one of physical
server failed, you can import the zpool to other global and you can start the zone .But make
sure you have the copy of zone configuration files copied over to other global zones. You can
use below command to export the configuration file.
The below mentioned setup will eliminate solaris bug CR: 6867013
(Zones residing on top level of the pool dataset)
Creating new zpool for localzone
bash-3.00# zpool create lzpool1 c1t4d0

Creating new dataset:

bash-3.00# zfs create lzpool1/rpool
bash-3.00# zfs list |grep lzpool
lzpool1
104K 3.91G
lzpool1/rpool
21K 3.91G

21K
21K

/lzpool1
/lzpool1/rpool

In zone configuration,set the root directory as below.

zonecfg:zarena> set zonepath=/lzpool1/rpool
Do not set /lzpool1 as local zone root filesystem.Since that mount is sitting on top zpool,it
wont allow to use live upgrade.Its better to create dataset under the zpool and use it as
zones root filesystem.

Testing Liveupgrade:
bash-3.00#
bash-3.00# lustatus
ERROR: No boot environments are configured on this system
ERROR: cannot determine list of all boot environment names
bash-3.00# lucreate -c oldbe -n newbe
Checking GRUB menu...
Analyzing system configuration.
No name for current boot environment.
Current boot environment is named .
Creating initial configuration for primary boot environment .
The device is not a root device for any boot environment; cannot get BE ID.
PBE configuration successful: PBE name PBE Boot Device .
Comparing source boot environment file systems with the file
system(s) you specified for the new boot environment. Determining which
file systems should be in the new boot environment.
Updating boot environment description database on all BEs.
Updating system configuration files.
Creating configuration for boot environment .
Source boot environment is .
Creating boot environment .
Cloning file systems from boot environment to create boot environment .
Creating snapshot for on .
Creating clone for on .
Setting canmount=noauto for </> in zone on .
Creating snapshot for on .
Creating clone for on .
Setting canmount=noauto for in zone on .
Creating snapshot for on .
Creating clone for on .
Saving existing file in top level dataset for BE as
//boot/grub/menu.lst.prev.
File propagation successful
Copied GRUB menu from PBE to ABE
No entry for BE in GRUB menu
Population of boot environment successful.
Creation of boot environment successful.

From the above output you can see Liveupgrade is keeping zones root snapshot and
for BE its creating new dataset. So if patching failed also, you can easily roll back
.You will similar error if you are followed the above procedure while creating boot
environment.
Creating snapshot for on .
cannot create '.': missing dataset name
Creating clone for on .
ERROR: cannot create 'lzpool1-SOL_2012Q1': missing dataset name
ERROR: Unable to clone <> on <>.
/usr/lib/lu/luclonefs: lzpool1@SOL_2012Q1: not found
cannot open 'lzpool1-SOL_2012Q1': dataset does not exist
cannot open 'lzpool1-SOL_2012Q1': dataset does not exist
cannot open 'lzpool1-SOL_2012Q1': dataset does not exist
cannot open 'lzpool1-SOL_2012Q1': dataset does not exist

cannot open 'lzpool1-SOL_2012Q1': dataset does not exist

ERROR: Failed to mount dataset
cannot open 'lzpool1-SOL_2012Q1': dataset does not exist