Unauthorized reproduction or distribution prohibited. Copyright © 2015, Oracle and/or its affiliates.

Transition to Oracle Solaris 11
Student Guide
D73488GC30
Edition 3.0 | November 2014 | D89085

Learn more from Oracle University at oracle.com/education/


Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

Author
Venu Poddar

Technical Contributors and Reviewers
Juanita Heieck
Kathy Slattery
Alta Estad
Alissa Bader Clark
Sharon Veach

Graphic Designer
Maheshwari Krishnamurthy

Editors
Aju Kumar
Anwesha Ray
Raj Kumar

Publishers
Sumesh Koshy
Syed Ali
Srividya Rameshkumar

Disclaimer

This document contains proprietary information and is protected by copyright and other
intellectual property laws. You may copy and print this document solely for your own
use in an Oracle training course. The document may not be modified or altered in any
way. Except where your use constitutes "fair use" under copyright law, you may not
use, share, download, upload, copy, print, display, perform, reproduce, publish, license,
post, transmit, or distribute this document in whole or in part without the express
authorization of Oracle.

The information contained in this document is subject to change without notice. If you
find any problems in the document, please report them in writing to: Oracle University,
500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
warranted to be error-free.

Restricted Rights Notice

If this documentation is delivered to the United States Government or anyone using the
documentation on behalf of the United States Government, the following notice is
applicable:

U.S. GOVERNMENT RIGHTS
The U.S. Government’s rights to use, modify, reproduce, release, perform, display, or
disclose these training materials are restricted by the terms of the applicable Oracle
license agreement and/or the applicable U.S. Government contract.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names
may be trademarks of their respective owners.

Contents

1 Introduction
Overview
Course Goals
Agenda
Introductions
Your Lab Environment
Practice 1 Overview: Course Introduction

2 Introducing Oracle Solaris 11 New Features and Enhancements
Job Workflow
Objectives
Agenda
Oracle Solaris 11 Operating System: Overview
Oracle Solaris 11: Features and Enhancements
Installation Methods
Software Management Features
Networking Features and Enhancements
Oracle Solaris Zones Enhancements
Storage and File System Enhancements
User Environment Feature Changes
Desktop Environment Enhancements
System Security Enhancements
Agenda
Key Features of Oracle Solaris 10 and Oracle Solaris 11: Comparison
Agenda
Transitioning Strategy
Summary

3 Managing Software Packages in Oracle Solaris 11
Job Workflow
Objectives
Agenda
IPS: Overview
Planning for IPS
IPS Components
Agenda
Local Package Repository
Creating a Local Repository
Enabling Users to Retrieve Packages Using an HTTP Interface
Configuring the IPS Clients
Updating the Local Master Repository Automatically
Practices 3-1 and 3-2: Overview
Agenda
Package Management: pkg(1)
pkg Command Examples: search
pkg Command Examples: info
pkg Command Examples: install
pkg Command Examples: list, verify, and contents
pkg Command Examples: uninstall
Package Manager
Managing Packages by Using a Web Browser
Update Manager
Agenda
Updating a System to Oracle Solaris 11.2
Determining Your Starting Point
Identifying the Repository in Use
Verifying the SRU Currently Installed
Updating a System Running Oracle Solaris 11 11/11 to Oracle Solaris 11.2
Updating a System Running Oracle Solaris 11 11/11 with an SRU to Oracle Solaris 11.2
Updating a System Running Oracle Solaris 11.1 with or without an SRU to Oracle Solaris 11.2 OS
Updating a System to Oracle Solaris 11.2
Practices 3-3 and 3-4: Overview
Agenda
Boot Environment (BE)
beadm Utility
beadm Command Examples: list
beadm Command Examples: create
beadm Command Examples: activate, rename, and destroy
beadm Command Examples: mount and unmount
Package Manager BE Features
Quiz
Summary
Practice 3-5: Overview

4 Installing the Oracle Solaris 11 Operating System
Job Workflow
Objectives
Agenda
Oracle Solaris 11 Installation Methods
Oracle Solaris 11 System Requirements
Agenda
Oracle Solaris 11 Text Installer
Oracle Solaris 11 Text Installation: Disks
Oracle Solaris 11 Text Installation: Network
Oracle Solaris 11 Text Installation: Users
Oracle Solaris 11 Text Installation: Support
Oracle Solaris 11 Live Media
Oracle Solaris 11 Live Media: Device Driver Utility
Oracle Solaris 11 Live Media: Partition Editor
Oracle Solaris 11 Live Media Installer: Disk
Oracle Solaris 11 Live Media Installer: Time Zone
Oracle Solaris 11 Live Media Installer: Users
Oracle Solaris 11 Live Media Installer: Support
Practices 4-1 and 4-2: Overview
SMF-Based System and Network Configuration
Configuring an Oracle Solaris 11 Image
Agenda
Oracle Solaris 11 Automated Installation
How Automated Installation Works
AI Environmental Requirements
IPS Case: Using Default Manifest
IPS Case: Using Custom Manifest
IPS Case: Using a System Configuration Profile
IPS Case: Multiple AI Services
Configuring the AI Server
Setting Up the AI Server
Creating an Installation Service
AI Manifests
default.xml AI Manifest File
Criteria Manifest
Criteria Manifest: Examples
AI Manifest Wizard
System Configuration Profiles
System Configuration Profile: Example
AI Server Configuration Walkthrough
Agenda
Comparing JumpStart with AI
Comparing Rules Keywords and Criteria Directives
Converting a JumpStart Profile to an AI Manifest
Agenda
Distribution Constructor
Distribution Constructor Manifest Files
Building an OS Image
Quiz
Summary
Practices 4-3, 4-4, 4-5 and 4-6: Overview

5 Oracle Solaris 11 Network Administration Enhancements
Job Workflow
Objectives
Agenda
Introducing Oracle Solaris 11 Network
Oracle Solaris 10 Network Protocol Stack
Oracle Solaris 11 Network Protocol Stack
Network Configuration During Installation
Agenda
Oracle Solaris 11 Network Administration
Network Administration Commands
Comparing Network Administration Commands
Administering Datalinks
Configuring IP Interfaces and IP Addresses
Configuring Persistent Routes
Configuring Reactive Profiles
Practice 5-1: Overview
Practice 5-2: Overview
Agenda
Transitioning to Virtual Networking
Virtual Network Building Blocks
Building a Simple Virtual Network
Configuring a Private Virtual Network
Creating a Datalink in Non-Global Zone from the Global Zone
Accessing a Virtual Network Configuration
Bandwidth Management
Managing Bandwidth
Practice 5-3: Overview
Agenda
Elastic Virtual Switch (EVS): Overview
Elastic Virtual Switch: Example
Installing the Mandatory EVS Packages
Setting Up SSH Authentication
Configuring an EVS Controller
Configuring Elastic Virtual Switches
Creating VNICs for an Elastic Virtual Switch
Creating a VNIC anet Resource for an EVS
Practice 5-4: Overview
Agenda
Link Aggregation
Types of Link Aggregation
Creating a Trunk Aggregation
Creating a DLMP Aggregation
Configuring Probe-Based Failure Detection for DLMP Aggregation
Agenda
IP Network Multipathing
IPMP Components
IPMP Configurations
Configuring IPMP: Active-Active
Configuring IPMP: Active-Standby
Failure Detection in IPMP
Monitoring IPMP
Practice 5-5: Overview
Agenda
Network Bridging
Configuring a Network Bridge
Practices 5-6 and 5-7: Overview
Agenda
Integrated Load Balancer (ILB)
ILB Operation Modes
ILB Operation Modes: DSR
ILB Operation Modes: NAT
Enabling and Disabling ILB
Configuring ILB
Agenda
dlstat Command
dlstat: Examples
flowstat Command
flowstat: Examples
Agenda
Viewing IP Traffic Statistics
Viewing TCP and UDP Traffic Statistics
Viewing User and Process Information
Analyzing Network Traffic
wireshark Utility
Performing Network Diagnostics
Managing the network-monitor Module
Retrieving Reports That Are Generated by the network-monitor Module
Viewing Statistics of the network-monitor Fault Management Module
Quiz
Summary
Practice 5-8: Overview

6 Administering Oracle Solaris 11 Zones
Job Workflow
Objectives
Agenda
Oracle Solaris 11 Zones
Zones: New Features
Agenda
Oracle Solaris 10 Zones
Migrating Oracle Solaris 10 Zones (V2V)
Migrating Oracle Solaris 10 Global Zones (P2V)
Agenda
Configuring Nonglobal Zones by Using the Automated Installer (AI)
Specifying a Nonglobal Zone in the AI Manifest
Nonglobal Zone Configuration Files
Adding a Nonglobal Zone Manifest and Profile
Agenda
Oracle Solaris Zone Brands
Overview of Kernel Zones
System Requirements for Using Oracle Solaris Kernel Zones
Configuring Kernel Zones
Agenda
Installing a Kernel Zone
Booting a Kernel Zone
Cloning by Using zoneadm clone
Suspending and Resuming a Kernel Zone
Migrating a Kernel Zone
Agenda
Monitoring Zone Resource Consumption
Monitoring Zone Memory Consumption
Monitoring Zone CPU Consumption
Monitor Total and High Zone Resource Consumption
Monitoring File System Statistics
Quiz
Summary
Practice 6: Overview

7 Oracle Solaris 11 ZFS Enhancements
Job Workflow
Objectives
Agenda
Introducing Oracle Solaris 11 ZFS Enhancements
Agenda
ZFS Shadow Data Migration
Shadow Migration Considerations
Configuring ZFS Shadow Data Migration
Agenda
Splitting a Mirrored ZFS Storage Pool
Splitting a ZFS Mirrored Pool: Example
Agenda
Identifying ZFS Snapshot Differences
Identifying ZFS Snapshot Differences: Example
Using Time Slider
Enabling and Disabling Time Slider
Agenda
ZFS Deduplication
ZFS Deduplication Properties
ZFS Deduplication: Example
Agenda
Common Multiprotocol SCSI Target (COMSTAR)
COMSTAR: Benefits and Limitations
Configuring COMSTAR
Quiz
Summary
Practice 7 Overview: Oracle Solaris 11 ZFS Enhancements

8 Oracle Solaris 11 Security Enhancements
Job Workflow
Objectives
Agenda
Oracle Solaris 11 Security Enhancements
Agenda
Oracle Solaris Cryptographic Framework
Administrative Command: Examples
User Command: Examples
Agenda
Increasing Security for Automated Installations
Configuring Security for Automated Installations
Configuring Kerberos Clients Using AI
Agenda
ZFS DataSet Encryption
ZFS Pool Encryption: Example
ZFS File System Encryption: Example
Agenda
Read-Only (Immutable) Zones
file-mac-profile Property
Administering Read-Only Zones
Read-Only (Immutable) Global Zone
Agenda
BART
BART: Example
Agenda
Auditing in Oracle Solaris
Displaying Audit Service Defaults
Enabling and Disabling the Audit Service
Viewing Contents of Binary Audit Files
Quiz
Summary
Practice 8 Overview: Oracle Solaris 11 Security Enhancements

Introduction

Overview

• Course goals
• Agenda
• Practices
• Introductions
• Your learning center

Welcome to the Transition to Oracle Solaris 11 course. This is an advanced course that builds
on Oracle Solaris 10 system administration courses. It is focused on the skills and knowledge
required for transitioning from the Oracle Solaris 10 operating environment to the Oracle
Solaris 11 operating environment.
This course highlights the new features in Oracle Solaris 11, including the Automated
Installer (AI), the Image Packaging System (IPS), and network virtualization. Throughout the
course, you learn how to transition to the Oracle Solaris 11 operating environment by
performing a series of guided hands-on practices that walk you through the critical tasks
associated with operating system migration activities. These practices include case studies
that illustrate the best practices when transitioning from Oracle Solaris 10 to Oracle
Solaris 11.
This course does not address the system administration tasks that are currently supported in
Oracle Solaris 10 (or other) operating systems. Rather, it focuses on the new and enhanced
features found in the Oracle Solaris 11 operating system. It is assumed that you already have
the skills and knowledge that are necessary for administering the Oracle Solaris 10 operating
system.

Transition to Oracle Solaris 11 1 - 2


Course Goals

The goals of this course are to:


• Familiarize you with the Oracle Solaris 11 new features and enhancements:
– Image Packaging System (IPS)
– Automated Installer (AI)
– Network virtualization
– Oracle Solaris Zones
– Security
• Provide you with the skills necessary for a successful transition from Oracle Solaris 10 to
Oracle Solaris 11

Transitioning to a new operating system can be a very daunting task. It involves working with
a wide range of complex technologies and procedures, many of which are new to the
personnel participating in the project.



Agenda

• Day 1
– Lesson 1: Introduction
– Lesson 2: Introducing Oracle Solaris 11 New Features and Enhancements
– Lesson 3: Managing Software Packages in Oracle Solaris 11
• Day 2
– Lesson 3: Managing Software Packages in Oracle Solaris 11
– Lesson 4: Installing the Oracle Solaris 11 Operating System
• Day 3
– Lesson 5: Oracle Solaris 11 Network Enhancements
– Lesson 6: Administering Oracle Solaris 11 Zones

The Transition to Oracle Solaris 11 course consists of five days of lectures and practice
activities. This course also covers the latest Oracle Solaris 11.2 features and enhancements.
• Lesson 2 provides a brief overview of all the key features and enhancements of Oracle
Solaris 11 OS that are discussed in this course.
• Lesson 3 explains how to work with IPS, its main features, and components; and also
how to manage software packages using IPS.
• Lesson 4 explains how to install Oracle Solaris 11 OS using the text installer, Live CD,
and Automated Installer.
• Lesson 5 briefly lists and explains the network enhancements of Oracle Solaris 11 OS.
• Lesson 6 explains how Oracle Solaris 11 Zones are different from Oracle Solaris 10
Zones. It also explains how to migrate Oracle Solaris 10 Zones to Oracle Solaris 11
Zones.
• Lesson 7 briefly lists and explains the ZFS enhancements of Oracle Solaris 11 OS.
• Lesson 8 briefly lists and explains the security enhancements of Oracle Solaris 11 OS.



Agenda

• Day 4
– Lesson 6: Administering Oracle Solaris 11 Zones


• Day 5
– Lesson 7: Oracle Solaris 11 ZFS Enhancements
– Lesson 8: Oracle Solaris 11 Security Enhancements



Introductions

• Name
• Company affiliation
• Title, function, and job responsibility
• Experience related to topics in this course
• Reasons for enrolling in this course
• Expectations from this course


Your Lab Environment

Oracle VM VirtualBox is a cross-platform virtualization application. It extends the capabilities
of your existing computer so that you can run multiple operating systems inside multiple
virtual machines at the same time.
As part of each lesson, you will be given the opportunity to practice in a lab environment. The
lab environment used in this course is based on the Oracle VM VirtualBox virtualization
software, the interface of which is shown in the slide.



Practice 1 Overview: Course Introduction

This practice covers how to familiarize yourself with the lab environment.

Open your Activity Guide to the practices for Lesson 1. Your instructor will walk you through
the material, and you will have a chance to familiarize yourself with the lab environment
configuration and setup.

Introducing Oracle Solaris 11 New Features and Enhancements

Job Workflow

• Introducing New Features and Enhancements
• Managing Software Packages
• Installing
• Network Administration Enhancements
• Administering Zones
• ZFS Enhancements
• Security Enhancements

The Transition to Oracle Solaris 11 course presents each of the system administration tasks
in the context of a workflow. Before you begin a lesson, take a look at the job workflow in the
slide diagram at the beginning of each lesson.
As indicated in the workflow, you start with an introduction to the new features and
enhancements in the Oracle Solaris 11 OS.



Objectives

After completing this lesson, you should be able to:


• Describe the Oracle Solaris 11 operating system
• Describe the Oracle Solaris 11 features and enhancements
• Compare the features of Oracle Solaris 10 and Oracle Solaris 11
• Describe a strategy for transitioning from Oracle Solaris 10 to Oracle Solaris 11

This lesson introduces you to the new features and enhancements in the Oracle Solaris 11
operating system. The lesson begins with a description of Oracle Solaris 11 and continues
with a high-level description of each new feature and enhancement.
It also provides a comparison of the features in Oracle Solaris 10 with those of Oracle Solaris
11. This is followed by a description of a strategy for transitioning from Oracle Solaris 10 to
Oracle Solaris 11.



Agenda

• Oracle Solaris 11 new features and enhancements


• Features comparison
• Strategy for transitioning to Oracle Solaris 11



Oracle Solaris 11 Operating System: Overview

Oracle Solaris 11:


• Builds on the proven technologies of Oracle Solaris 10
• Provides access to the latest Oracle Solaris 11 technology
• Has been tested and optimized for Oracle hardware and software
• Offers state-of-the-art reliability, availability, and serviceability
• Is an integrated component of Oracle’s Exadata and Exalogic systems

Oracle Solaris is the industry-leading operating system for the enterprise. Oracle Solaris 11
raises the bar for the innovation introduced in Oracle Solaris 10 with a unique set of features
that few other operating systems can offer. Oracle Solaris 11 has been tested and optimized
for Oracle hardware and software and is an integral part of Oracle’s combined hardware and
software portfolio.
Oracle Solaris 11 provides customers with access to the latest Oracle Solaris technology,
allowing developers, architects, and administrators to test and deploy applications within large
data centers, which greatly simplifies their day-to-day operations. Oracle Solaris 11 is
characterized by the reliability, availability, and serviceability that you expect from a leading
enterprise operating system.
Oracle Solaris 11 provides new optimizations and features designed to deliver proven
scalability and reliability as an integrated component of Oracle’s Exadata and Exalogic
systems.



Oracle Solaris 11: Features and Enhancements

• Installation methods
• Software management features
• Networking features and enhancements
• Oracle Solaris Zones enhancements
• Storage and file system features
• User account management features
• Desktop environment enhancements
• System configuration features
• Security features

Oracle Solaris 11:
• Introduces a new, modern software installation architecture, offering several installation
choices. This includes a completely hands-free automated network installation
experience, a graphical Live Media installer (x86 only), and an interactive text-based
installation for systems without a graphical display.
• Introduces Image Packaging System (IPS) as the next-generation packaging system
that provides safe system updates and upgrades
• Provides significant enhancements to networking, including several new network
virtualization features for high availability, improved performance, and resource
management. The key building blocks of network virtualization are VNICs, virtual
switching, aggregations, bridging, virtual local area networks (VLANs), and Elastic
Virtual Switch (EVS).
• Enhances its virtualization solution with Oracle Solaris 10 Zones (also known as
solaris10 branded zones). Oracle Solaris 10 Zones provide a seamless method for
migrating to Oracle Solaris 11. Additional features such as delegated zone
administration, boot environment (BE) for zones, configuration and installation of
nonglobal zones as part of an AI client installation, and enhanced zone monitoring are
also included.
• Expands support for Oracle Solaris 10 storage technologies. The ZFS file system
includes several enhancements, including ZFS as the root file system, encryption,
deduplication, shadow migration, and ZFS snapshot differences. Additional
enhancements include the Common Multiprotocol SCSI Target (COMSTAR) technology
and Common Internet File System (CIFS) support for seamless file sharing with
Windows environments.
• Introduces the User Manager GUI for creating and managing users apart from providing
the usual command-line interface
• Includes GNOME 2.30, an intuitive, easy-to-use desktop environment, and the Firefox
web browser, among a variety of other software included in the network package
repository. GNU (not UNIX) commands and a default bash shell environment are also
available.
• Provides significant changes to system configuration features and tools apart from
introducing the Oracle Solaris Unified Archives feature for system recovery and cloning
and the Common UNIX Printing System (CUPS) feature as a printing solution
• Continues to optimize security controls. This release supplies several security-related
enhancements: root as a role, encrypted ZFS datasets, Trusted Platform
Module (TPM) support, and enhancements to Oracle Solaris Trusted Extensions.


Installation Methods

• Unattended installation
– Oracle Solaris 11 Automated Installer (AI)
— Network installation: Uses software package repository or an Oracle Solaris Unified Archive
— AI Services: Refer to client architecture and OS to be installed
— AI manifests: Provide client installation instructions
— AI profiles: Provide system configuration information
• Interactive installation
– Oracle Solaris 11 Live Media installation (x86 only)
— Suited for desktops and notebooks
— GUI interface
– Interactive text installer
— Suited for server deployments
— Text-based interface

Oracle Solaris 11 offers several installation options:
• Unattended installation: An improved, hands-free, automated installation of networked
systems. This process replaces the Oracle Solaris JumpStart functionality available in
Oracle Solaris 10 and earlier releases.
• Interactive installation: Interactive installation by using a text-based user interface
(because most servers use a text-based console for installation), and interactive
installation for x86 desktop and notebook systems by using the Oracle Solaris 11 Live
Media for x86.
Oracle Solaris 11 does not support the following installation features:
• Oracle Solaris Flash Archive installation: Instead, use the Oracle Solaris Unified
Archive feature to perform cloning and recovery operations.
• Oracle Solaris JumpStart feature: Instead, use the AI feature.
• Oracle Solaris Live Upgrade feature: Instead, use the beadm utility.
Note: You can use the js2ai utility to convert Oracle Solaris 10 JumpStart rules, profiles,
and system identification files to AI criteria files, AI manifests, and AI configuration files,
respectively.



Software Management Features

• Use IPS to perform software management tasks, such as:



– Software installation
– Software updates
– Operating system upgrades
– Removal of software packages
• Software management components include:
– IPS command-line utilities, such as pkg install, pkg
update, pkg list, and pkg uninstall
– IPS repositories as storage location for software packages

Oracle Solaris 11 introduces the Image Packaging System (IPS) feature, which is a
completely redesigned software packaging model. IPS is a comprehensive delivery
framework that spans the complete software life cycle, addressing software installation,
updates, operating system upgrades, and the removal of software packages.
In contrast to the SVR4 packaging model used in earlier Oracle Solaris releases, IPS
eliminates the need for patching. Relying on the use of network repositories of software
packages, IPS dramatically changes how an administrator updates system and application
software. IPS packages can be installed into nonglobal zones in addition to the global zone.
Note: There is no upgrade path from Oracle Solaris 10 to Oracle Solaris 11. You must
perform a fresh installation.


Networking Features and Enhancements

• Generic datalink names



• Network administration command changes


• Naming and directory services configuration
• Network virtualization features
• Enhanced IPMP feature
• Performance and efficiency enhancements
• Resource management enhancements
• Network security enhancements
• Network observability enhancements

Oracle Solaris 11 supports assigning generic names to each datalink on a system by using the net0,
net1, netN naming convention.
Oracle Solaris 11 introduces the following three commands to manage persistent network
configuration:
• ipadm: Creates persistent configuration of interfaces, addresses, and TCP/IP
properties. This command replaces the ifconfig command of Oracle Solaris 10.
• dladm: Manages datalink configuration. This command replaces the ndd command and
the driver.conf file of Oracle Solaris 10 for configuration of certain network
parameters.
• route: Configures persistent routes. This command replaces the use of the
/etc/defaultrouter file in Oracle Solaris 10 to manage a system route
configuration.
Oracle Solaris 11 uses Service Management Facility (SMF) to manage the naming and
directory services configuration. In Oracle Solaris 10, you edited the various files in the /etc
directory to configure the naming and directory services.



Oracle Solaris 11 provides several network virtualization features that you can use for high
availability, managing network resources, and improving overall network performance. Some
of the key network virtualization features include:
• VNICs: Refers to a pseudo network interface that is configured on top of a physical
network interface of a system. Each VNIC has its own MAC address that you can
configure with additional attributes, thus enabling the VNIC to be easily integrated into
an existing network infrastructure.
• Aggregation: Refers to an L2 entity that ensures continuous access of a system to the
network. Link aggregations increase the availability and reliability of network connectivity
by pooling multiple datalink resources that you administer as a single unit.
- Datalink multipathing (DLMP): Refers to a type of probe-based link aggregation
that detects the loss of connectivity between DLMP-aggregated links and
configured targets. This type of failure detection addresses the limitations of the
link-based failure detection mechanism, which can detect only failures caused by
the loss of direct connection between the datalink and the first-hop switch.
- Trunk aggregation: Refers to a type of link aggregation mode that is based on
the IEEE 802.3ad standard and works by enabling multiple flows of traffic to be
spread across a set of aggregated ports.
• Bridging: Refers to an L2 technology that connects multiple datalinks on a network into
a single network. Ethernet bridging is supported in Oracle Solaris 11 with the addition of
the Spanning Tree and Transparent Interconnect of Lots of Links (TRILL) protocols.
• Virtual switching: Refers to the built-in virtual switching capabilities of Oracle Solaris
11 that simulate a physical network switch. On a single system, you can use virtual
switches to enable zones and virtual machines to communicate with each other.
• EVS feature: Refers to an L2 technology that enables direct management of virtual
switches. You can create EVS switches to deploy multiple virtual networks that span
multiple hosts, within either a multi-tenant cloud environment or a datacenter.
• Virtual eXtensible Local Area Network (VXLAN): Refers to an L2 and L3 technology
that works by overlaying a datalink network on top of an IP network. The VXLAN feature
addresses the 4K limitation of VLAN configuration. Typically, VXLANs are used in a
cloud infrastructure to isolate multiple virtual networks. You can manage VXLANs by
using the EVS feature.
• Edge Virtual Bridging (EVB): Refers to an L2 technology that enables Oracle Solaris
11 systems to exchange virtual link information with an external switch. EVB offloads the
enforcement of traffic service-level agreements (SLAs) to the switch.
• Layer 3 Virtual Router Redundancy Protocol (VRRP): Refers to the proprietary L3
feature that provides high availability of IP addresses, such as those that are used for
routers and load balancers. L3 VRRP removes the need to configure unique VRRP
virtual MAC addresses for VRRP routers, thereby providing better support for VRRP
over IPMP and InfiniBand interfaces, and in zones.


In Oracle Solaris 11, IP network multipathing (IPMP) has been redesigned to enhance the
administrative model and improve monitoring. IP interfaces are grouped into a virtual IP
interface, such as, ipmp0. This virtual IP interface serves all of the data IP addresses, while
test addresses that are used for probe-based failure detection are assigned to an underlying
interface, such as net0. The new ipmpstat utility provides visibility to the IPMP subsystem.
Oracle Solaris 11 provides performance and efficiency enhancements through the following features:
• DCB: Refers to the L2 technology that you can use to manage the bandwidth, relative
priority, and flow control of multiple traffic types that share the same network link (for
example, when sharing a datalink between networking and storage protocols).
• ILB: Refers to the L3 and L4 technology that enables a system to spread the load of
network processing amongst available resources. ILB can be used to improve reliability
and scalability, and to minimize the response time of network services. Load balancing
involves using multiple systems to deal with high demands of a network by balancing
the load between multiple systems.
Oracle Solaris 11 provides resource management capabilities through the following features:
• Flows: Refers to a subset of data packets that are identified by common attributes.
These attributes consist of packet header information, such as IP addresses, protocol
type, and transport port numbers. You can observe flows individually, as well as assign
flows their own SLAs (for example, bandwidth control and priority). You administer flows
at the L2, L3, and L4 layers of the Oracle Solaris network protocol stack.
• LLDP: Refers to the L2 technology that is used by systems in a local area network
(LAN) to exchange configuration and management information with each other. LLDP
enables a system to advertise connectivity and management information to other
systems on the network.
Oracle Solaris 11 improves the network sockets implementation by no longer using the
STREAMS module. This enhancement results in performance improvements and also
provides a new, simplified developer interface for adding new socket types. The new network
socket architecture also monitors network traffic volume, allowing it to shift from interrupt
driven to polling mode, which is much more efficient when dealing with high network traffic
volumes.
Oracle Solaris 11 provides the following commands to observe network traffic:
• tcpstat: Enables you to observe network traffic at the transport layer, specifically for
TCP and UDP
• ipstat: Enables you to observe network traffic at the IP layer, aggregated on source,
destination, higher-layer protocol, and interface
Additionally, Oracle Solaris 11 supports the use of Wireshark GUI to troubleshoot networking
issues and to perform packet analysis. The Wireshark utility and its command-line
equivalent, TShark, enable you to capture packet data from a live network or read packets
from a previously saved capture file.


Oracle Solaris Zones Enhancements

• Oracle Solaris 10 branded zones



• Oracle Solaris kernel zones


• Whole root zones only
• Zone resource monitoring
• Delegated administration
• Zones on shared storage
• NFS server in nonglobal zones

Oracle Solaris 11 includes significant enhancements to zone administration and monitoring,
which help administrators manage consolidated and virtualized workloads more efficiently.
For users running applications either in zones or on bare metal on Oracle Solaris 10 systems,
virtual-to-virtual (v2v) and physical-to-virtual (P2V) tools are provided to help the transition to
an Oracle Solaris 10 zone running in Oracle Solaris 11. An Oracle Solaris 10 zone can have a
shared IP stack with the global zone or an exclusive IP stack. Oracle Solaris 10 Zones
provide a proven and fully supported option for quick adoption of Oracle Solaris 11, which
allows administrators to benefit immediately from all the new features available while
providing an easy application migration path.
Oracle Solaris 11.2 supports a fully independent and isolated environment called Oracle
Solaris Kernel Zones (also known as solaris-kz branded zone). Kernel zones use an
independent kernel and user environment within the zone. Each kernel zone can run at a
different kernel version from the global zone and can be updated separately without requiring
a reboot of the global zone.
Note: The following legacy branded zone features are supported only in Oracle Solaris 10:
• Linux brand (lx)
• Oracle Solaris 8 Containers (solaris8)
• Oracle Solaris 9 Containers (solaris9)



Another enhancement to zone technology is that the distinction in Oracle Solaris 10 between
whole root and sparse root is irrelevant. In Oracle Solaris 10, sparse root zones conserve disk
space and permit fast zone creation by sharing a single instance of key file systems among
multiple zones. In Oracle Solaris 11, the root file system is ZFS and zone creation leverages
ZFS clones for similar space and time savings. When a new boot environment is created by
cloning an existing one, the base boot environment’s zones are also cloned into the new boot
environment. As a result, you no longer have to choose between different zone types.

Oracle Solaris 11 greatly enhances your ability to monitor zone resource consumption with
the introduction of the zonestat command. With zonestat, you can observe memory and
CPU utilization, utilization of resource control limits, total utilization, and per-zone utilization
breakdowns over specified time periods.
In Oracle Solaris 11, you can delegate specific zone administration tasks to different
administrators using Role-Based Access Control (RBAC). With delegated administration
standard, users are identified with the permissions to log in, manage, or clone that zone.
In Oracle Solaris 11.1 release, you can configure, install, and run Oracle Solaris Zones hosted
directly on arbitrary storage device objects such as Fibre Channel and iSCSI targets. Another
enhancement of this release is the support for NFS servers in nonglobal zones. A new
unavailable zone state has been added in Oracle Solaris 11.1 release to indicate that the
zone has been installed, but cannot be verified, made ready, booted, attached, or moved.
Starting from Oracle Solaris 11.2 release, you can make configuration changes, such as
changing network configuration and resource controls, in a running zone without the need to
reboot. In the earlier releases of Oracle Solaris, administrators had to reboot a zone for a
configuration change to take effect. Live Zone Reconfiguration eliminates down time in
service availability within the zone when configuration changes are made.


Storage and File System Enhancements

• ZFS enhancements

– Default file system


– Deduplication
– ZFS snapshot differences (zfs diff)
– ZFS shadow migration
• COMSTAR
• CIFS support

ZFS is the default root file system in Oracle Solaris 11. UFS is still available for nonroot file
systems. Oracle Solaris 11 has added ZFS deduplication, which detects and removes
redundant data from ZFS file systems. If a ZFS file system has the dedup property enabled,
duplicate data blocks are removed synchronously. As a result, the file system stores only
unique data. Support for listing the differences between ZFS snapshots (zfs diff) has
been added with Oracle Solaris 11. Also, now you can use the shadow migration feature to
migrate data from an old file system to a new one while simultaneously allowing access and
modification of the new file system during the migration process.
The Common Multiprotocol SCSI Target (COMSTAR) technology, introduced in Oracle
Solaris 11, enables network file sharing, similar to NFS and CIFS, but for raw block-device
access via iSCSI or SAN. This technology enables any Oracle Solaris 11 host to become a
SCSI target, allowing it to be accessed over a storage network by a variety of initiator hosts.
COMSTAR supplies a software framework that makes it possible for all SCSI device types to
connect to a transport protocol and provide network device access. In this way, virtual
machines can share image files or access to a database.
Oracle Solaris 11 provides in-kernel CIFS support for seamless file sharing with Windows
environments. The CIFS service also includes new features, such as host-based access
control (which allows a CIFS server to restrict access to specific clients according to IP
addresses), access control lists (ACLs) on shares, and client-side caching of offline files with
synchronization on reconnect.
User Environment Feature Changes

• Administrative command locations



• Default user shell and path changes


• Development tools locations
• Creating and managing user accounts

In Oracle Solaris 11, the administrative commands are located in the /usr/sbin directory,
rather than in /sbin as in the previous release. In addition, the /sbin directory has been
replaced by an /sbin → /usr/sbin symbolic link.
In Oracle Solaris 10, the default scripting shell (/bin/sh) is the Bourne shell. Starting with
Oracle Solaris 11, the bash shell is the default interactive shell, and ksh93 replaces ksh as
the default system shell.
There are other changes in Oracle Solaris 11 that affect user experience. The default user
path is /usr/bin. The default path for the root role is /usr/bin:/usr/sbin. The
developer tools that were previously located in the /usr/ccs/bin directory have been moved
to the /usr/bin directory. The /usr/ccs/bin directory is replaced by a /usr/ccs/bin →
/usr/bin symbolic link.
Although most of the user and group management commands remain almost the same, with
some enhancements, Oracle Solaris 11 replaces the Solaris Management Console graphical
tool and its associated command-line interface of Oracle Solaris 10 with the User Manager
GUI.


Desktop Environment Enhancements

• Enhanced desktop environment



• Time Slider snapshot management


• CUPS printing

For desktop users, Oracle Solaris 11 offers a state-of-the-art GNOME desktop with the
GNOME graphical desktop manager (GDM) as the only graphical login option. Oracle Solaris
10 supports the use of both Common Desktop Environment (CDE) and GDM for login.
The Oracle Solaris 11 desktop includes the innovative Time Slider tool. Integrated with the
File Browser, Time Slider supports file and directory recovery, which is made possible through
native snapshot and clone capabilities in ZFS. A user can click in Time Slider to snapshot a
home directory and later revert to it if necessary.
The Oracle Solaris 11 desktop also includes a network administration GUI to manage network
connections from the desktop.
The Common UNIX Printing System (CUPS) is the default print service on Oracle Solaris 11,
replacing the LP print service used in Oracle Solaris 10. CUPS support includes a web and
graphical interface to manage your printing environment. A system that is running CUPS
becomes a host that can accept print requests from client systems, process those requests,
and then send them to the appropriate printer.



System Security Enhancements

• Secure by default

• root treated as a role


• Robust data encryption
• Driver support for TPM
• Trusted Extensions enhancements
• Auditing enhancements

Oracle Solaris 11 provides a fully secure-by-default environment. With automatic
secure-by-default, all network services are disabled except for SSH, or set to listen for local
system communications only. In Oracle Solaris 10, the Secure by default feature is available
but disabled by default and had to be enabled during the OS installation or by running the
netservices limited command.
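The secure-by-default expectation described above can be checked from a listener listing. The following is an added example, not part of the Oracle guide: it parses netstat-style output and reports every TCP listener that is neither SSH nor bound to loopback. The sample text, its column layout, and the names SAMPLE_NETSTAT, parse_listeners, and secure_by_default_violations are assumptions made for this example.

```python
"""Check listening TCP sockets against the secure-by-default expectation:
only SSH may accept remote connections; everything else must be loopback-only."""
import re

# Constructed sample, laid out like Solaris `netstat -an -P tcp` output.
# The layout and all addresses are assumptions made for this example.
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 128000      0 LISTEN
127.0.0.1.25               *.*                0      0 128000      0 LISTEN
127.0.0.1.631              *.*                0      0 128000      0 LISTEN
      *.111                *.*                0      0 128000      0 LISTEN
192.0.2.10.22        192.0.2.50.51234    64240      0 128872      0 ESTABLISHED
192.0.2.10.8080            *.*                0      0 128000      0 LISTEN
"""

# SSH is the only service expected to accept remote connections.
ALLOWED_REMOTE_PORTS = {22}

# Addresses that only accept local system communications.
LOOPBACK = re.compile(r"^(127(\.\d{1,3}){3}|::1)$")


def parse_listeners(netstat_text):
    """Return (address, port) for every socket in the LISTEN state."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Headers, separators and non-listening connections are skipped.
        if len(fields) < 2 or "LISTEN" not in fields[1:]:
            continue
        # Address and port are joined by a dot: "*.22", "127.0.0.1.25".
        addr, sep, port = fields[0].rpartition(".")
        if not sep or not port.isdigit():
            continue
        listeners.append((addr, int(port)))
    return listeners


def secure_by_default_violations(netstat_text, allowed=ALLOWED_REMOTE_PORTS):
    """Return listeners that are reachable remotely and are not allowed."""
    violations = []
    for addr, port in parse_listeners(netstat_text):
        if LOOPBACK.match(addr):
            continue  # local-only service, permitted
        if port in allowed:
            continue  # SSH on a routable or wildcard address, permitted
        violations.append((addr, port))
    return sorted(violations, key=lambda v: (v[1], v[0]))


if __name__ == "__main__":
    for addr, port in secure_by_default_violations(SAMPLE_NETSTAT):
        print(f"unexpected remote listener: {addr} port {port}")
```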
In Oracle Solaris 11, root is treated as a role rather than a user. During system installation,
an initial user is defined. After an initial user login, a user with the appropriate privileges can
subsequently assume the role of root by using su or by performing administrative tasks after
authentication using sudo or pfexec. You can use the pfexec command to directly assign a
rights profile or directly assign more roles to a user account.
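Whether root really is a role, and which users may assume it, can be read from the local user attribute database. The following is an added example, not part of the Oracle guide: it parses entries in the user_attr(4) layout and reports the state of the root role. The sample entries are constructed, and the names SAMPLE_USER_ATTR, parse_user_attr, and root_role_report are assumptions made for this example.

```python
"""Report whether root is a role and which users are assigned the root role."""

# Constructed sample in the user_attr(4) layout: user:qualifier:res1:res2:attr
# where attr is a semicolon-separated list of key=value pairs.
SAMPLE_USER_ATTR = """\
# constructed entries for illustration
root::::type=role
jdoe::::type=normal;roles=root;profiles=Network Management
ops::::profiles=System Administrator
backup::::type=normal;roles=backupadm,root
backupadm::::type=role;profiles=Media Backup
"""


def parse_user_attr(text):
    """Return {account: {key: value}} for every well-formed entry."""
    accounts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 4)
        if len(parts) != 5:
            continue  # malformed entry, ignored
        attrs = {}
        for pair in parts[4].split(";"):
            key, sep, value = pair.partition("=")
            if sep:
                attrs[key.strip()] = value.strip()
        accounts[parts[0]] = attrs
    return accounts


def root_role_report(user_attr_text):
    """Summarize the root account: is it a role, and who may assume it."""
    accounts = parse_user_attr(user_attr_text)
    # Assumption: an account without a type attribute is a normal user.
    root_type = accounts.get("root", {}).get("type", "normal")
    holders = sorted(
        name
        for name, attrs in accounts.items()
        if name != "root"
        and attrs.get("type", "normal") != "role"  # only users assume roles
        and "root" in {r.strip() for r in attrs.get("roles", "").split(",")}
    )
    warnings = []
    if root_type != "role":
        warnings.append("root is a normal account, so it can log in directly")
    elif not holders:
        warnings.append("root is a role but no user is assigned to it")
    return {
        "root_is_role": root_type == "role",
        "may_assume_root": holders,
        "warnings": warnings,
    }


if __name__ == "__main__":
    report = root_role_report(SAMPLE_USER_ATTR)
    print("root is a role:", report["root_is_role"])
    print("users assigned the root role:", ", ".join(report["may_assume_root"]))
    for warning in report["warnings"]:
        print("WARNING:", warning)
```

The report covers only the entries passed in; accounts defined in a naming service are outside what this example reads.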
Oracle Solaris 11 supports a robust mechanism for your data protection by implementing
on-disk encryption/decryption support and key management for ZFS datasets. In the event of
theft or in the case of untrusted paths to networked storage, encrypted ZFS datasets can help
to safeguard data and prevent unauthorized access. The kernel implements raw
encryption/decryption functions that are applied to all data and file system metadata.



Oracle Solaris 11 includes driver support for TPM hardware. TPM devices are often
embedded in systems to securely store certificates or encryption keys that help to perform
platform authentication and/or attestation. Attestation is a process that determines whether a
server is trustworthy and has not been breached.
Oracle Solaris 11 enhances Oracle Solaris Trusted Extensions by introducing labeled IPsec
and labeled ZFS datasets. Additionally, Trusted Extensions now enables per-label and
per-user credentials, which allow administrators to set up a requirement for a unique

password for each label. This password is in addition to the session login password, thus
allowing administrators to set a per-zone encryption key for each label of every user’s home
directory.
The auditing service of Oracle Solaris 11 is enabled by default. Unlike in Oracle
Solaris 10, you do not need to reboot the system when enabling or disabling the auditing
service. Further, you can use the auditconfig command to view and edit audit policy.


Agenda

• Oracle Solaris 11 new features and enhancements



• Features comparison
• Strategy for transitioning to Oracle Solaris 11



Key Features of Oracle Solaris 10
and Oracle Solaris 11: Comparison
Feature | Oracle Solaris 10 | Oracle Solaris 11
Packaging model | SVR4 packaging | Image Packaging System (IPS)
Maintaining system software | SVR4 patching | Image Packaging System (IPS)
OS installation | Interactive: Installation DVD; Automated: Oracle Solaris JumpStart | Interactive: Installation CD and package repositories; Automated: Automated Installer and package repositories
Building a customized distribution image | Blueprints for custom DVDs | Distribution Constructor to create ISO and virtual machine images
Virtual Networking | N/A | Network virtualization and resource management
User environment | ksh and SVR4 commands | Bash, GNU, and SVR4 commands

The table in the slide shows the major changes made to some of the key features of Oracle
Solaris 10 in Oracle Solaris 11.
For more information, refer to the website at
http://docs.oracle.com/cd/E36784_01/html/E39134/compare-1.html.



Agenda

• Oracle Solaris 11 new features and enhancements



• Features comparison
• Strategy for transitioning to Oracle Solaris 11



Transitioning Strategy

• A sound understanding of the key features of
Oracle Solaris 10 is critical.
• Solaris is binary-compatible across hardware
architectures.
• Source code is compatible across different machine
architectures.
• Migration path for ZFS and UFS file systems is supported.
• Multiple migration paths for transitioning applications:
– Applications can run directly on Oracle Solaris 11.
– Applications can run in Oracle Solaris 10 Zones.

Administrators should have a sound understanding of the key features of Oracle Solaris 10,
including Oracle Solaris Zones and ZFS (especially to support root file systems), before
preparing for transitioning to Oracle Solaris 11. Oracle Solaris 11 builds upon these features.
Oracle continues the Solaris commitment to binary compatibility across hardware
architectures. This simplifies migrations between major Oracle Solaris releases and allows
applications to take advantage of performance gains from Oracle’s newest SPARC and x86
hardware systems. Oracle guarantees source code compatibility across different machine
architectures, allowing software providers to simply recompile applications across hardware
architectures.
Oracle Solaris 11 supports a migration path for ZFS and UFS file systems by using the ZFS
shadow migration feature. You can migrate data from an old file system to a new file system
while simultaneously allowing access and modification of the new file system during the
migration process.
Oracle offers multiple migration paths for transitioning applications to Oracle Solaris 11.
Applications can run directly on Oracle Solaris 11 in global or nonglobal zones. The release
also supports Oracle Solaris 10 Zones hosted within an Oracle Solaris 11 global zone. Just as
Oracle Solaris 8 and 9 branded zones helped to transition applications to Oracle Solaris 10,
Oracle Solaris 10 branded zones in Oracle Solaris 11 enable a more gradual, step-by-step
approach to an OS migration.



Summary

In this lesson, you should have learned how to:



• Describe the Oracle Solaris 11 operating system


• Describe the Oracle Solaris 11 features and
enhancements
• Identify the key differences between Oracle Solaris 10 and
the Oracle Solaris 11 features
• Strategically prepare to transition to Oracle Solaris 11

In this lesson, you were presented with the new features and enhancements in the Oracle
Solaris 11 operating system. You had an opportunity to compare the features in Oracle
Solaris 10 with those of Oracle Solaris 11. Finally, you were provided a strategy to transition
from Oracle Solaris 10 to Oracle Solaris 11.


Managing Software Packages
in Oracle Solaris 11

Job Workflow

Introducing New Features and Enhancements
Managing Software Packages
Installing
Network Administration Enhancements
Administering Zones
ZFS Enhancements
Security Enhancements

Before you begin the lesson, take a look at the job workflow in the slide diagram. So far, you
have learned about the new features and enhancements of the Oracle Solaris 11 OS.
You will now learn how to manage software packages with the help of an IPS repository.



Objectives

After completing this lesson, you should be able to:



• Describe the Image Packaging System (IPS)


• Plan for moving to IPS
• Configure a local package repository
• Configure network client systems to use IPS
• Search for software packages by using IPS
• Install software packages by using IPS
• Remove software packages by using IPS
• Update the OS image by using IPS
• Manage boot environments

This lesson introduces you to the new Oracle Solaris 11 software packaging feature: Image
Packaging System (IPS). The lesson begins with a description of IPS and later compares IPS
with package management in the Oracle Solaris 10 operating system.
Next, the lesson shows you how to configure a local IPS repository. It then shows you the
ways to manage software packages by using IPS. The lesson also covers how to update a
system to Oracle Solaris 11.2. Finally, you learn to manage boot environments in the Oracle
Solaris 11 operating system.



Agenda

• Introducing the Image Packaging System (IPS)



• Configuring a local IPS repository


• Managing software packages by using IPS
• Updating a system to Oracle Solaris 11.2
• Managing boot environments


IPS: Overview

[Figure: IPS overview diagram with the labels Oracle Network Repositories, Firewall, Mirrored Network Repository, Custom Repository, Operating System, Active Boot Environment, Inactive Boot Environment, and Oracle Solaris Image Packaging System]

The Image Packaging System (IPS) is a framework that enables software lifecycle
management, such as installation, upgrade, and removal of packages. IPS also enables users
to create their own packages, create and manage package repositories, and copy
and mirror existing software package repositories. Packages can be installed only into file systems that
are part of a boot environment (BE). For example, on a default Oracle Solaris 11 installation,
only datasets under rpool/ROOT/BEname/ are supported for package operations.
Using IPS, you can perform the following tasks:
• Create and manage images.
• Search the IPS packages on your system and in IPS repositories.
• Copy, mirror, create, and administer package repositories.
• Create and publish IPS packages to a package repository.



Planning for IPS

• Oracle Solaris 11 or later
• SPARC and x86 architectures
• Web-based or local package repository
• Repository mirroring
• Client access to IPS server

IPS is the packaging system for the Oracle Solaris 11 operating systems as SVR4 is the
packaging system for the Oracle Solaris 10 operating systems. A key component of IPS is
the package repository. A package repository is a location where software packages are
stored and from where packages are retrieved by client systems. You can even clone an
entire package repository, such that any package repository that the client can access has
everything they need to proceed.



IPS Components
[Figure: IPS components. Labels: Package, Repository, Cloned Repository, Server, Client, pkg Command]

IPS is made up of the following key components. Each component has a role to play.
• Package: A package in IPS is a collection of actions defined by a set of key-value pairs
that represent metadata, such as classification, descriptions, or other attributes such as
path and alias. The key-value pair can also represent a data payload. These actions can
represent items, such as directories, links, drivers, and services. Each IPS package is
represented by a Fault Management Resource Identifier (FMRI), which is used with the
pkg(1) command to indicate the packages on which to perform operations.
• Repository: A repository is a location where clients publish and retrieve packages. The
location is described by a uniform resource identifier (URI), such as
http://pkg.oracle.com/solaris/release. A repository can contain packages
from any number of publishers, such as solaris and ha-cluster. A publisher can
publish to multiple repositories. A repository has an origin and zero or more cloned
repositories. The repository origin is the location of a package repository that contains
both package metadata (package manifests and catalogs) and package content
(package files).

• FMRI: The FMRI includes descriptive information about the package, such as the
package name, version information, and date. For example, the FMRI,
pkg://solaris/developer/apptrace@0.5.11,5.11-0.175.2.0.0.42.2:20140624T183919Z,
consists of the following information:
- Scheme: pkg
- Publisher: solaris
- Category: developer
- Package Name: apptrace
- Component Version: 0.5.11
- Build Version: 5.11
- Branch Version: 0.175.2.0.0.42.2
- Time Stamp (when the package was published): 20140624T183919Z
• Manifest: A manifest describes the components and attributes that make up a package.
• Client package management utility: pkg(1) is a command-line utility that you can
use to create and manage images; search package data; and perform software
installation, upgrade, and removal.
• Boot environment (not shown): A boot environment (BE) is a bootable image of an
Oracle Solaris 11 operating system plus any other application software packages
installed in that image. System administrators can maintain multiple BEs in their
systems, and each BE can have different software versions installed.


Local Package Repository

• The default package repository is available at:
http://pkg.oracle.com/solaris/release/
• Reasons for creating a local repository:
– Default repository not available to clients
– Performance
– Security
– Replication

The default system installation manifest installs the Oracle Solaris 11 operating system from
the public repository at http://pkg.oracle.com/solaris/release/. If you have an Oracle support
contract, post the installation, you can change the default manifest to use the Oracle
support repository. You can also add additional publishers and repositories, such as those
for Oracle Exadata, Oracle Solaris Cluster, and Oracle Solaris Studio.
You can create your own local package repository. Having a local package repository is
necessary when your network clients do not have access to the web-based default repository.
Other reasons you might want to have a local copy of a package repository include:
• Performance: Having a local package repository allows clients access to packages at
local network speeds.
• Security: You might not want your client systems to have access to the Internet.
• Replication: You want to ensure that an installation that you perform next year is
exactly the same as the installation you perform today.



Creating a Local Repository

1. Obtain software packages:
– Download IPS repository zip files.
– Copy from the default package repository.
2. Create a ZFS file system for the repository.
3. Copy the packages to the repository.
4. Set the publisher.

To create a local repository, you perform the following steps:
1. Obtain the repository files.
When creating a local package repository, you first download the Oracle Solaris 11
repository files from:
http://www.oracle.com/technetwork/server-storage/solaris11/downloads/index.html
The repository files provide you with a complete archive of software packages, which
allow you to set up a local network IPS repository to which client systems can connect.
Download the following repository files:
- README file (README-zipped-repo.txt)
- Repository assembly script (install-repo.ksh)
- MD5 checksum file
- Four IPS repository parts (zip files)
2. Make the installation script file executable.
# cd /opt/ora/repodir (download directory)
# chmod +x install-repo.ksh



3. Create a ZFS file system for the repository.
A good practice is to store the repository in a separate ZFS file system with compression
enabled.
# zfs create -o compression=on -o atime=off \
rpool/export/IPSpkgrepos
# zfs create rpool/export/IPSpkgrepos/Solaris
4. Run the repository installation script, install-repo.ksh.
# ./install-repo.ksh -d /export/IPSpkgrepos/Solaris -c -v -I
Comparing checksums of downloaded files...done. Checksums match.
Uncompressing sol-11_2-repo-1of4.zip...done.
Uncompressing sol-11_2-repo-2of4.zip...done.
Uncompressing sol-11_2-repo-3of4.zip...done.
Uncompressing sol-11_2-repo-4of4.zip...done.
Repository can be found in /export/IPSpkgrepos/Solaris.
Initiating repository verification.
Building ISO image...done.
ISO image and instructions for using the ISO image are at:
/opt/ora/repodir/sol-11_2-repo.iso
/opt/ora/repodir/README-repo-iso.txt
5. Configure the publisher.
The publisher for the Oracle Solaris 11 operating system is solaris and the default
origin for that publisher is http://pkg.oracle.com/solaris/release. If you want your clients
to get packages from your local repository, you must reset the origin for the solaris
publisher as shown in the section “Configuring the IPS Clients” later in this lesson.


Enabling Users to Retrieve Packages Using an
HTTP Interface
1. Create a depot server instance (optional).
2. Add a new instance of the pkg/server service.
3. Set the path to the repository.
4. Set the port number (optional).
5. Restart the package depot server service.
6. Test whether the repository server is working.

After creating a local IPS repository, you need to create a depot server instance to provide
network access to the data contained within a package repository. You could configure the
default instance of the service.
To create and configure a new depot server instance, perform the following steps:
1. Create a depot server instance of the pkg/server service, named solaris:
# svccfg -s pkg/server add solaris
2. Set the path where the pkg/server:solaris instance can find the repository data:
# svccfg -s pkg/server:solaris setprop \
pkg/inst_root=/export/IPSpkgrepos/Solaris
3. Set the port number on which the depot server instance should listen for incoming
package requests (optional):
# svccfg -s pkg/server:solaris setprop pkg/port=81
4. Restart the package depot server service:
# svcadm refresh pkg/server:solaris
# svcadm enable pkg/server:solaris
5. Test whether the repository server is working by opening a browser window on the
localhost location.



Configuring the IPS Clients

Set the local IPS publisher.

# pkg publisher
PUBLISHER TYPE STATUS P URI
solaris origin online F http://pkg.oracle.com/solaris/release/

# pkg set-publisher -G http://pkg.oracle.com/solaris/release/ \
-g http://s11-server1.mydomain.com/ solaris

# pkg publisher
PUBLISHER TYPE STATUS P URI
solaris origin online F http://s11-server1.mydomain.com/

For client systems to access a local repository, you must set the publisher to the local IPS
publisher as shown in the example in the slide. Here, s11-server1.mydomain.com is the
FQDN name of the Oracle Solaris 11 system on which you configured a depot server
instance.
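One way to check that a client uses only the local repository, the Security reason given earlier for running one (added example, not Oracle's code): a shell function that reads pkg publisher output and flags every origin that is not on an approved list. The function names and the second sample are constructed for illustration; the column layout is the one shown in this lesson.

```shell
#!/bin/sh
# Added example (not Oracle's code): check `pkg publisher` output against the
# repository URIs that clients are supposed to use.

# audit_publishers APPROVED_URI...
# Reads `pkg publisher` output on stdin and prints one line per publisher row:
#   OK <publisher> <type> <uri>          URI is on the approved list
#   UNAPPROVED <publisher> <type> <uri>  URI is anything else
# Trailing slashes are ignored; scheme, host, port and path must match exactly.
# Exit status: 0 all rows approved, 1 at least one unapproved, 2 no rows read.
audit_publishers() {
    _approved=''
    for _u in "$@"; do
        _approved="$_approved $_u"
    done
    awk -v approved="$_approved" '
        BEGIN {
            n = split(approved, a, " ")
            for (i = 1; i <= n; i++) { sub(/\/+$/, "", a[i]); ok[a[i]] = 1 }
        }
        $1 == "PUBLISHER" { next }           # column header
        NF < 5 { next }                      # blank line or a row without a URI
        {
            # Columns are counted from the right so that an extra marker
            # after the publisher name does not shift the URI column.
            uri = $NF; type = $(NF - 3)
            key = uri; sub(/\/+$/, "", key)
            rows++
            if (key in ok) { print "OK", $1, type, uri }
            else { bad++; print "UNAPPROVED", $1, type, uri }
        }
        END {
            if (rows == 0) exit 2
            exit (bad > 0 ? 1 : 0)
        }
    '
}

# Sample 1: the client output shown in the lesson after set-publisher.
SAMPLE_LOCAL='PUBLISHER TYPE STATUS P URI
solaris origin online F http://s11-server1.mydomain.com/'

# Sample 2 (constructed): one origin still points at the Internet repository
# and one uses a port that is not on the approved list.
SAMPLE_MIXED='PUBLISHER TYPE STATUS P LOCATION
solaris origin online F http://s11-server1.mydomain.com/
solaris origin online F http://pkg.oracle.com/solaris/release/
ha-cluster origin online F http://s11-server1.mydomain.com:81/'

# audit_sample TEXT APPROVED_URI...: run the audit over embedded sample text.
audit_sample() {
    _text=$1; shift
    printf '%s\n' "$_text" | audit_publishers "$@"
}

audit_sample "$SAMPLE_LOCAL" http://s11-server1.mydomain.com/ || echo "review needed"
audit_sample "$SAMPLE_MIXED" http://s11-server1.mydomain.com/ || echo "review needed"
# On a client, the same check reads live output:
#   pkg publisher | audit_publishers http://s11-server1.mydomain.com/
```

Because the match is exact, a depot instance moved to another port (such as the optional port 81 above) must be added to the approved list explicitly.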



Updating the Local Master Repository Automatically

The svc:/application/pkg/mirror SMF service:
• Updates the local master repository from the Oracle
support repository automatically
• Performs a periodic pkgrecv operation from the solaris
publisher origins to
/var/share/pkg/repositories/solaris, which
starts at 2:30 AM one day each month
• Refreshes the repository catalog at the end of each
successful run of the service

You can use the svc:/application/pkg/mirror SMF service to automatically update
the local master repository from the Oracle support repository. By default, the
svc:/application/pkg/mirror SMF service performs a periodic pkgrecv operation
from the solaris publisher origins defined in this image to
/var/share/pkg/repositories/solaris. This pkgrecv operation starts at 2:30 AM
one day each month. Therefore, in a data center environment, only one system needs to have
an Internet publisher origin and run the mirror service to automatically receive updates.
Other systems can set their publisher origin to this repository and then they too will always
have the latest update, at least once a month. For more information, refer to
http://docs.oracle.com/cd/E36784_01/html/E36805/pkgmirror.html#scrolltoc.



Practices 3-1 and 3-2: Overview

• Practice 3-1 covers the following topics:
– Creating a ZFS file system for the package repository
– Downloading the package repository zip files
– Configuring the IPS service with the new repository location
– Updating the repository catalog
– Testing the new repository
• Practice 3-2 covers configuring a network client to access
the local IPS repository.




Package Management: pkg (1)

Package Management Task                         IPS Command     Oracle Solaris 10 Equivalent
Install package.                                pkg install     pkgadd -a
Display package state and version information.  pkg list        pkginfo
Verify package installation.                    pkg verify      pkgchk -v
Display package information.                    pkg info        pkginfo -v
Display the contents of a package.              pkg contents    pkgchk -l
Search for a package.                           pkg search      pkgchk -l -p
Uninstall a package.                            pkg uninstall   pkgrm
Install package updates.                        pkg update      pkgadd

The pkg command is the primary user interface in the Image Packaging System. The table in
this slide shows the pkg commands that are used to perform common package management
tasks. It compares these commands with equivalent commands used in Oracle Solaris 10.


pkg Command Examples: search

# pkg search apptrace
INDEX ACTION VALUE PACKAGE
pkg.description set Apptrace utility for application tracing, including
shared objects pkg:/developer/apptrace@5.11-0.175.2.0.0.42.2
pkg.summary set Apptrace Utility
pkg:/developer/apptrace@5.11-0.175.2.0.0.42.2
basename file usr/bin/apptrace
pkg:/developer/apptrace@5.11-0.175.2.0.0.42.2
pkg.fmri set solaris/developer/apptrace
pkg:/developer/apptrace@5.11-0.175.2.0.0.42.2

# pkg search basename:apptrace
INDEX ACTION VALUE PACKAGE
basename file usr/bin/apptrace pkg:/developer/apptrace@5.11-0.175.2.0.0.42.2

# pkg search -o pkg.name basename:apptrace
PKG.NAME
developer/apptrace

This slide shows examples of searching for a package (apptrace).


pkg Command Examples: info

# pkg info -r apptrace
Name: developer/apptrace
Summary: Apptrace Utility
Description: Apptrace utility for application tracing, including shared
objects
Category: Development/System
State: Not installed
Publisher: solaris
Version: 0.5.11
Build Release: 5.11
Branch: 0.175.2.0.0.42.2
Packaging Date: June 24, 2014 06:39:19 PM
Size: 162.04 kB
FMRI: pkg://solaris/developer/apptrace@0.5.11,5.11-0.175.2.0.0.42.2:20140624T183919Z

This slide shows an example of displaying package information. The -r option retrieves the
information data from the repositories of the image’s configured publishers.


pkg Command Examples: install

# pkg install -nv apptrace
Packages to install: 1
Estimated space available: 36.11 GB
Estimated space to be consumed: 19.83 MB
Create boot environment: No
Create backup boot environment: No
Rebuild boot archive: No

Changed packages:
solaris
developer/apptrace
None -> 0.5.11,5.11-0.175.2.0.0.42.2:20140624T183919Z

# pkg install apptrace
Packages to install: 1
Create boot environment: No
Create backup boot environment: No
DOWNLOAD                          PKGS   FILES   XFER (MB)   SPEED
Completed                         1/1    10/10   0.1/0.1     81.7k/s

PHASE                             ITEMS
Installing new actions            29/29
Updating package state database   Done
Updating package cache            0/0
Updating image state              Done
Creating fast lookup database     Done
Updating package cache            1/1

This slide shows examples of performing a package (apptrace) installation dry run (-n) and
a real package installation.
Note: Starting from Oracle Solaris 11.2, you can use the -rr option with the pkg install
command to run package operations recursively across multiple nonglobal zones along with
the named nonglobal zones, from the global zone.


pkg Command Examples: list, verify, and contents

# pkg list apptrace
NAME (PUBLISHER) VERSION IFO
developer/apptrace 0.5.11-0.175.2.0.0.42.2 i--

# pkg verify -v apptrace
PACKAGE STATUS
pkg://solaris/developer/apptrace OK

# pkg contents apptrace
PATH
usr
usr/bin
usr/bin/apptrace
usr/lib
usr/lib/abi
usr/lib/abi/amd64
usr/lib/abi/amd64/apptrace.so.1
usr/lib/abi/apptrace.so.1
...
#

This slide shows examples of listing an installed package (apptrace), verifying package
status, and displaying the contents of a package. The pkg contents command with no
option just lists the directory, file, and link content. You can use the pkg contents
command to find dependencies between packages.


pkg Command Examples: uninstall

# pkg uninstall apptrace
Packages to remove: 1
Create boot environment: No
Create backup boot environment: No
PHASE ITEMS
Removing old actions 25/25
Updating package state database Done
Updating package cache 1/1
Updating image state Done
Creating fast lookup database Done
Updating package cache 1/1

This slide shows an example of uninstalling a package (apptrace).


Package Manager

The Package Manager GUI provides most package and publisher operations and some BE
operations. If you are new to the Oracle Solaris 11 and IPS technologies, use the Package
Manager GUI to quickly download and install packages.


Managing Packages by Using a Web Browser

IPS allows you to access the package repository by using a web browser. With a web
browser, you can search for and install packages, and view the contents of a package
manifest.


Update Manager

• Updates all installed packages to the newest version
• Can be invoked in one of the following three ways:
– In the Package Manager GUI, click the Updates button.
– In the Package Manager GUI, select the Package > Updates
menu.
– Use pm-launch with the packagemanager subcommand:
$ /usr/lib/pm-launch packagemanager --update-all

Another important feature of IPS is the Update Manager. Update Manager updates all
installed packages to the newest version allowed by the constraints imposed on the system
by installed packages and publisher configuration.
The Update Manager feature can be invoked in one of the three following ways:
• In the Package Manager GUI, click the Updates button.
• In the Package Manager GUI, select the Package > Updates menu option.
• Use pm-launch with the packagemanager subcommand:
$ /usr/lib/pm-launch packagemanager --update-all
Note: Starting from Oracle Solaris 11.1, you can use the -C option with the pkg update
command to install packages in nonglobal zones concurrently with the global zone. For an
example on using the -C option, refer to
http://docs.oracle.com/cd/E36784_01/html/E36802/gmhap.html#scrolltoc.
If the system created a new BE for the update, you edit the default BE name. Click the Restart
Now button to restart your system immediately or the Restart Later button to restart your
system at a later time. You must restart to boot into the new BE. The new BE will become
your active BE. Your current BE will be available as an alternate boot choice.




Updating a System to Oracle Solaris 11.2

You can update your system to Oracle Solaris 11.2 OS by
using one of the following repositories:
• Web-based Oracle Solaris support repository, for those
who have an Oracle Support Agreement:
https://pkg.oracle.com/solaris/support
• Web-based Oracle Solaris release repository, for those
without an Oracle Support Agreement:
http://pkg.oracle.com/solaris/release

Oracle uses the Image Packaging System (IPS) to manage software updates. The Oracle
Solaris 11 product engineering group releases software updates for the operating system on
a regular basis. These updates are published as Support Repository Updates (SRUs) to a
web-based Oracle repository and to My Oracle Support (MOS) for distribution. SRUs contain
a number of bug fixes and critical security fixes that, when applied to existing Oracle
Solaris 11 systems, help to ensure that the systems run without any issues.
Oracle customers with an active Oracle Support Agreement will have access to the SRUs to
routinely update their Oracle Solaris 11 systems. Oracle’s web-based support repository is
located at http://pkg.oracle.com/solaris/support. With the support contract, you can also
download them from My Oracle Support (https://support.oracle.com/).
If you do not have an Oracle Support Agreement, then download the Oracle Solaris 11.2 zip
files from
http://www.oracle.com/technetwork/server-storage/solaris11/downloads/beta-2182939.html.
To understand how to create an Oracle SSO account and to access the SRUs by using My
Oracle Support, refer to the tutorial available at:
http://supportweb.siebel.com/crmondemand/videos/Customer_Support/UITraining/MOS2010/registration/registration.htm


Determining Your Starting Point

Before you start updating your system, determine your starting
point.
• Identify which repository is in use on your system.
• Identify which OS release your system is running.
• Verify which SRU your system is running.
• Identify to which release you want to update.


Identifying the Repository in Use

• For a system without Oracle Support Agreement, and
using the Oracle Solaris release repository, you will see
the following output:
# pkg publisher
PUBLISHER TYPE STATUS P LOCATION
solaris origin online F http://pkg.oracle.com/solaris/release

• For a system with Oracle Support Agreement, and using
the Oracle Solaris support repository, you will see the
following output:
# pkg publisher
PUBLISHER TYPE STATUS P LOCATION
solaris origin online F http://pkg.oracle.com/solaris/support


Verifying the SRU Currently Installed

If your system has Oracle Solaris 11 11/11 installed with an
SRU, the package information appears as the following:

% pkg list -v entire
FMRI IFO
pkg://solaris/entire@0.5.11,5.11-0.175.0.10.0.5.0:20120803T182627Z i--

In this example, SRU #10.5 is installed.


Updating a System Running
Oracle Solaris 11 11/11 to Oracle Solaris 11.2

1. Ensure that your package repository is set to use
http://pkg.oracle.com/solaris/release.
2. Review the licenses of the Oracle Solaris 11.1 preupgrade
repository (0.5.11-0.175.0.10.1.0.0).
3. Update the system packages. A new boot environment is
created.
4. Reboot the system to use the new updated boot environment.
5. On a SPARC system only, for each zone, remove the
ldomsmanager package.
6. Update the IPS package.
7. Review the update’s license.
8. Update the system packages. A new boot environment is
created.
9. Reboot the system to use the new updated boot environment.

To update a system running Oracle Solaris 11 11/11 to Oracle Solaris 11.2, perform the
following steps:
1. Ensure that your package repository is set to use http://pkg.oracle.com/solaris/release.
# pkg publisher
PUBLISHER TYPE STATUS P LOCATION
solaris origin online F http://pkg.oracle.com/solaris/release
2. Review the licenses of the Oracle Solaris 11.1 preupgrade repository
(0.5.11-0.175.0.10.1.0.0).
# pkg update --license | less
3. Update the system packages. A new boot environment is created.
# pkg update --be-name Solaris11Upgraded --accept \
entire@0.5.11-0.175.0.10.1.0.0
Note: For systems that cannot directly connect to Oracle’s hosted package repositories,
download the Oracle Solaris 11.1 Pre-Upgrade Repository Image from
http://www.oracle.com/technetwork/server-storage/solaris11/downloads/index.html. This
image contains packages that you must update before updating to Oracle Solaris 11.2.
In Practice 3-1, you will watch a demonstration on how to update your system running
Oracle Solaris 11 to Oracle Solaris 11.2 OS by using a local repository.


4. Reboot the system to use the new updated boot environment.
# reboot
5. On a SPARC system only, for each zone, remove the pkg:/system/ldoms/ldomsmanager package.
# for z in `zoneadm list`; do zlogin $z pkg uninstall \
ldomsmanager; done
6. Update the IPS packages.
# pkg update package/pkg
Note: Because of earlier bugs in some packages, it was possible to incorrectly install those packages on a system. The pkg update command removes the following bad packages, if they are installed:
• x86: pkg:/consolidation/ldoms/ldoms-incorporation
• SPARC:
- pkg:/consolidation/nvidia/nvidia-incorporation
- pkg:/driver/network/ethernet/elxl
- pkg:/driver/network/ethernet/pcn
- pkg:/driver/network/ethernet/dnet
- pkg:/driver/network/ethernet/iprb
7. Review the licenses of Oracle Solaris 11.2 OS.
# pkg update --license | less
8. Update the system packages. A new boot environment is created.
# pkg update --be-name Solaris11.2 --accept \
entire@0.5.11-0.175.2.0.0.42.2
9. Reboot the system to use the updated boot environment.
# reboot


Updating a System Running Oracle Solaris 11 11/11 with an SRU to Oracle Solaris 11.2

1. Ensure that your package repository is set to use http://pkg.oracle.com/solaris/support.
2. If your system is installed with an SRU that is earlier than SRU #10.5, update the system to SRU #10.5 (0.5.11,5.11-0.175.0.10), and then reboot.
If your system is already installed with an SRU #10.5 or later, continue updating the system to Oracle Solaris 11.2.
3. On a SPARC system only, for each zone, remove the ldomsmanager package.
4. Update the IPS packages.
5. Review the licenses of Oracle Solaris 11.2 update.
6. Update the system to Oracle Solaris 11.2 OS.
7. Reboot the system to use the new updated boot environment.

To update a system running Oracle Solaris 11 11/11 with an SRU to Oracle Solaris 11.2 OS, perform the following steps:
1. Ensure that your package repository is set to use http://pkg.oracle.com/solaris/support.
# pkg publisher
PUBLISHER   TYPE     STATUS   P   LOCATION
solaris     origin   online   F   http://pkg.oracle.com/solaris/support
2. If your system is installed with an SRU that is earlier than SRU #10.5, update the system to SRU #10.5 (0.5.11,5.11-0.175.0.10), and then reboot.
# pkg update --be-name S11SRU10.5 --accept entire@0.5.11,5.11-0.175.0.10
# init 6
If your system is already installed with an SRU #10.5 or later, continue updating the system to Oracle Solaris 11.2.
3. On a SPARC system only, for each zone, remove the pkg:/system/ldoms/ldomsmanager package.
4. Update the IPS packages.
5. Review the licenses and update the system to Oracle Solaris 11.2 OS. Reboot the system to use the new updated boot environment.


Updating a System Running Oracle Solaris 11.1 with or without an SRU to Oracle Solaris 11.2 OS

If Oracle Solaris 11.1 is installed with or without an SRU, no special steps are required to update the system.

1. Based on whether you have an Oracle Support Agreement or not, ensure that your package repository is pointing to the correct repository (support or release).
2. Review the licenses of Oracle Solaris 11.2 OS.
3. Update the system to Oracle Solaris 11.2 OS.
4. Reboot the system to use the new updated boot environment.


Updating a System to Oracle Solaris 11.2

Start State of the System: Oracle Solaris 11 11/11 (General Availability)
Intermediate State of the System:
• Updated to Oracle Solaris 11.1 pre-upgrade repository
• Removed some of the non-relevant packages by updating package/pkg
• On SPARC systems only, uninstalled ldomsmanager package
End State of the System: Oracle Solaris 11.2

Start State of the System: Oracle Solaris 11 (at an SRU lower than SRU #10.5)
Intermediate State of the System:
• Updated to Oracle Solaris 11 SRU 10.5
• Removed some of the bad packages by updating package/pkg
• On SPARC systems only, uninstalled ldomsmanager package
End State of the System: Oracle Solaris 11.2

Start State of the System: Oracle Solaris 11 (at SRU #10.5 and later)
Intermediate State of the System:
• Removed some of the bad packages by updating package/pkg
• On SPARC systems only, uninstalled ldomsmanager package
End State of the System: Oracle Solaris 11.2

Start State of the System: Oracle Solaris 11.1 at any SRU, or Oracle Solaris 11.1 (General Availability)
Intermediate State of the System: None
End State of the System: Oracle Solaris 11.2
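
The start states in this table can be told apart from the FMRI that pkg list -v entire prints. The shell functions below are an added example, not part of the Oracle course material. They assume that the branch version is ordered field by field as integers and that an SRU field of 0 on update 0 marks the General Availability release; the function names and result labels are made up for this example.

```shell
#!/bin/sh
# Added example (not Oracle's code): choose the update path from the table
# above, given the FMRI that `pkg list -v entire` prints.
# Assumption: the branch version after the last "-" is ordered field by field
# as integers (0.175.<update>.<SRU>.<reserved>.<build>.<nightly>), and an SRU
# field of 0 on update 0 means the General Availability release.

SRU_10_5=0.175.0.10.0.5.0   # branch of SRU #10.5, from the pkg list example

# branch_of FMRI -> branch version, e.g. 0.175.0.10.0.5.0
branch_of() {
    b=${1##*-}               # drop everything through the last "-"
    printf '%s\n' "${b%%:*}" # drop the ":<timestamp>" suffix if present
}

# ver_cmp A B -> prints -1, 0 or 1; missing trailing fields count as 0
ver_cmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        [ -n "$fa" ] || fa=0
        [ -n "$fb" ] || fb=0
        if [ "$fa" -lt "$fb" ]; then echo -1; return 0; fi
        if [ "$fa" -gt "$fb" ]; then echo 1; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo 0
}

# update_path FMRI -> one of:
#   preupgrade-repo  11 11/11 GA: update to the 11.1 pre-upgrade repository first
#   sru-10.5-first   11 11/11 below SRU #10.5: update to SRU #10.5 and reboot first
#   pkg-then-11.2    11 11/11 at SRU #10.5 or later: update package/pkg, then 11.2
#   direct           11.1 with or without an SRU: no special steps
#   not-covered      start state is not in the table
#   unknown          (exit status 1) no numeric branch version in the input
update_path() {
    br=$(branch_of "$1")
    case $br in
        ''|*[!0-9.]*) echo unknown; return 1 ;;
    esac
    if [ "$(ver_cmp "$br" 0.175.0)" -lt 0 ] || [ "$(ver_cmp "$br" 0.175.2)" -ge 0 ]; then
        echo not-covered
    elif [ "$(ver_cmp "$br" 0.175.1)" -ge 0 ]; then
        echo direct
    elif [ "$(ver_cmp "$br" 0.175.0.1)" -lt 0 ]; then
        echo preupgrade-repo
    elif [ "$(ver_cmp "$br" "$SRU_10_5")" -lt 0 ]; then
        echo sru-10.5-first
    else
        echo pkg-then-11.2
    fi
}

# On a live system: update_path "$(pkg list -Hv entire | awk '{print $1}')"
```

Because the comparison is field by field, a system already at the pre-upgrade version 0.5.11-0.175.0.10.1.0.0 sorts after SRU #10.5 and lands on the same remaining steps as an SRU #10.5 system.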


Practices 3-3 and 3-4: Overview

• Practice 3-3 provides demonstrations that show how to update from Oracle Solaris 11 to Oracle Solaris 11.2 release by using:
– The pkg update command
• Practice 3-4 covers managing software packages by using:
– The pkg utility
– The Package Manager GUI


Agenda

• Introducing the Image Packaging System (IPS)
• Configuring a local IPS repository
• Managing software packages by using IPS
• Updating a system to Oracle Solaris 11.2
• Managing boot environments


Boot Environment (BE)

• A BE is a bootable instance of an Oracle Solaris 11 operating system.
• Multiple BEs can be maintained on a system.
• BEs can have different software versions installed.
• BEs make updating software a low-risk operation.
• BE management utilities include:
– The beadm command
– The Package Manager GUI

A BE is a bootable instance of an Oracle Solaris 11 operating system plus any other application software packages installed into that image. System administrators can maintain multiple BEs on their systems, and each BE can have different software versions installed.
With multiple BEs, the process of updating software becomes a low-risk operation because system administrators can create backup BEs before making any software updates to their system. If needed, they have the option of booting a backup BE.
You do not have to create a backup BE as a separate step if you are updating IPS packages. When you use the pkg install or pkg update command, use the --require-backup-be, --backup-be-name, --be-name, or --require-new-be option to make the changes in a new boot environment, not in the current boot environment.
After the initial installation of Oracle Solaris 11 onto a system, a BE is created. Use the beadm utility or the pkg command to administer additional BEs on your system.
Note: The time to reboot Oracle Solaris 11 is significantly faster when compared to the reboot time taken by Oracle Solaris 10. The faster reboot helps in minimizing system down time. Administrators can decide whether to configure fast reboot by default or not by setting a Boolean value for the config/fastreboot_default SMF property in the svc:/system/boot-config:default SMF service, allowing certain system and firmware checks to be bypassed both for SPARC and x86 systems.


beadm Utility

• Is the primary BE management tool
• Enables you to:
– Create a new BE
– Create a snapshot of an existing BE
– Create a BE based on a snapshot
– Activate an existing, inactive BE
– Mount and unmount a BE
– Destroy BEs and snapshots
– Rename BEs
– Display BE information

The beadm utility is the primary BE management tool. The beadm utility aggregates all datasets in a BE and performs actions on the entire BE at once. You no longer need to perform ZFS commands to modify each dataset individually. It manages the dataset structures within BEs. For example, when the beadm utility clones a BE that has shared datasets, the utility automatically recognizes and manages those shared datasets for the new BE.
The beadm utility enables you to perform administrative tasks on your BEs. These tasks can be performed without upgrading your system. It automatically manages and updates the GRUB menu for x86 systems, or the boot menu for SPARC systems. For example, when you use the beadm utility to create a new BE, that environment is automatically added to the GRUB menu or boot menu.


The beadm utility enables you to perform the following tasks:
• Create a new BE based on the active BE.
• Create a new BE based on an inactive BE.
• Create a snapshot of an existing BE.
• Create a new BE based on an existing snapshot.
• Create a new BE and add a custom title to the x86 GRUB menu or the SPARC boot menu.
• Activate an existing, inactive BE.
• Mount a BE.
• Unmount a BE.
• Destroy a BE.
• Destroy a snapshot of a BE.
• Rename an existing, inactive BE.
• Display information about your BE snapshots and datasets.


beadm Command Examples: list

# beadm list
BE        Active Mountpoint Space  Policy Created
--        ------ ---------- -----  ------ -------
solaris   NR     /          3.47G  static 2014-07-07 01:05
solaris-1 -      -          94.03M static 2014-07-09 03:52

# beadm list -a solaris
BE/Dataset/Snapshot              Active Mountpoint Space   Policy Created
-------------------              ------ ---------- -----   ------ -------
solaris
   rpool/ROOT/solaris            NR     /          2.88G   static 2014-07-07 01:05
   rpool/ROOT/solaris/var        -      /var       323.72M static 2014-07-07 01:05
   rpool/ROOT/solaris/var@2014.. -      -          748.5K  static 2014-07-09 03:52
...
...

This slide shows examples of listing boot environments and associated snapshots.
N means that the BE is currently active, and R means that it will be the BE that will be active on reboot as well.
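
The Active column can be read from a script, for example to confirm which BE a reboot will land in after an update and which BEs remain to boot back into. The functions below are an added example, not part of the course material; the function names are hypothetical and the second listing is a constructed sample.

```shell
#!/bin/sh
# Added example: read `beadm list` output on stdin and report which BE is
# active now (N), which will be active on reboot (R), and which BEs carry
# neither flag and remain available to boot back into.

# Listing copied from the slide above.
LIST_FROM_SLIDE='BE        Active Mountpoint Space  Policy Created
--        ------ ---------- -----  ------ -------
solaris   NR     /          3.47G  static 2014-07-07 01:05
solaris-1 -      -          94.03M static 2014-07-09 03:52'

# Constructed sample: a different BE has been activated but not yet booted.
LIST_PENDING='BE        Active Mountpoint Space  Policy Created
--        ------ ---------- -----  ------ -------
solaris   N      /          3.47G  static 2014-07-07 01:05
solaris-1 -      -          94.03M static 2014-07-09 03:52
solaris-3 R      -          81.00M static 2014-07-10 09:30'

# be_state: prints "current=<BE> next=<BE> other=<BE>[,<BE>...]"
be_state() {
    awk '
        $1 == "BE" && $2 == "Active" { next }   # column header
        $1 ~ /^-+$/                  { next }   # rule under the header
        NF < 2                       { next }   # blank or malformed line
        {
            if ($2 ~ /N/) cur = $1
            if ($2 ~ /R/) nxt = $1
            if ($2 !~ /[NR]/) other = other (other == "" ? "" : ",") $1
        }
        END { printf "current=%s next=%s other=%s\n", cur, nxt, other }
    '
}

# reboot_pending: exit status 0 when the next boot lands in a different BE
# than the running one.
reboot_pending() {
    state=$(be_state)
    cur=${state#current=};  cur=${cur%% *}
    nxt=${state#* next=};   nxt=${nxt%% *}
    [ -n "$nxt" ] && [ "$cur" != "$nxt" ]
}
```

On a live system the input would come from a pipe, as in beadm list | be_state.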



beadm Command Examples: create

# beadm create solaris-2

# beadm create solaris-2@backup

# beadm create -e solaris-2@backup solaris-3

This slide shows examples of creating a new BE and a clone.
• The first command creates a new BE.
• The second command creates a snapshot of the new BE.
• The third command creates a BE clone from a snapshot.


beadm Command Examples: activate, rename, and destroy

# beadm activate solaris-3

# beadm rename solaris-2 solaris-old

# beadm destroy solaris

This slide shows examples of activating, renaming, and destroying BEs.


beadm Command Examples: mount and unmount

# beadm mount solaris-1 /solaris-1

# beadm unmount solaris-1

This slide shows examples of mounting and unmounting inactive BEs.


Package Manager BE Features

The Package Manager is a GUI that enables you to install, update, and manage packages on your installed system. If you use the Package Manager to update all the packages on your system, a clone of the active BE is created. During this process, any update happens to the cloned BE, not the active BE. You do not actually update until you choose to boot the new BE. After you boot the new BE, you can change your mind and boot back to the original. You do not have to reboot to get to your preupdate state if you have not yet rebooted to the new, updated BE.
You can use the Package Manager to manage your BEs as follows:
• Delete old and unused BEs to make disk space available.
• Change the default BE on your system.
• Activate a BE.


Quiz

What benefits does a local IPS repository provide?
a. Greater capacity for more packages in the repository
b. Automatically created backup BEs
c. Increased performance for package retrieval

Answer: a, c


Quiz

Which utility is used to manage BEs in Oracle Solaris 11?
a. Live Upgrade
b. beadm
c. BE Manager

Answer: b


Quiz

You want to gather installation information about a new application without actually installing the software. Which command is most appropriate for this task?
a. pkg install --dry new_app
b. pkg install --noinstall new_app
c. pkg install -dv new_app
d. pkg install -nv new_app

Answer: d


Quiz

Which command is used to verify a package installation?
a. pkg verify new_package
b. pkg status new_package
c. pkg -v new_package
d. pkg validate new_package

Answer: a


Quiz

Which command is used to set solaris-alt as the default boot environment?
a. activate -v solaris-alt
b. beadm solaris-alt boot
c. beadm activate solaris-alt
d. activate -d solaris-alt

Answer: c


Summary

In this lesson, you should have learned how to:
• Describe the Image Packaging System (IPS)
• Plan for moving to IPS
• Configure a local package repository
• Configure network client systems to use IPS
• Search for software packages by using IPS
• Install software packages by using IPS
• Remove software packages by using IPS
• Update the OS image by using IPS
• Manage boot environments

In this lesson, you were introduced to the new Oracle Solaris 11 software packaging feature: Image Packaging System (IPS). You were then shown how to configure a local IPS repository and how to manage software packages by using IPS. You also had the opportunity to learn how to update a system to Oracle Solaris 11.2. Finally, you were introduced to boot environments and how to manage them.


Practice 3-5: Overview

This practice covers the following topics:
• Displaying boot environments
• Creating boot environments
• Selecting boot environments
• Removing boot environments


Installing the Oracle Solaris 11 Operating System

Job Workflow

• Introducing New Features and Enhancements
• Managing Software Packages
• Installing
• Network Administration Enhancements
• Administering Zones
• ZFS Enhancements
• Security Enhancements

Before you begin the lesson, take a look at the job workflow in the slide diagram. So far, you have learned how to manage software packages by using the IPS repository.
You will now learn how to install the Oracle Solaris 11 OS using Text Installer, Live Media, and AI.


Objectives

After completing this lesson, you should be able to:
• Describe Oracle Solaris 11 installation options
• Describe an Oracle Solaris 11 Live Media installation
• Describe an Oracle Solaris 11 Text installation
• Describe an Oracle Solaris 11 Automated installation
• Configure a system image
• Configure an AI server
• Configure an AI client
• Install Oracle Solaris 11 by using AI
• Compare JumpStart and AI
• Convert a JumpStart configuration to an AI configuration
• Describe the distribution constructor

This lesson introduces you to the new Oracle Solaris 11 operating system installation methods. You explore both interactive and automated installations. Then you compare Oracle Solaris 10 JumpStart installation with Oracle Solaris 11 installation and convert Oracle Solaris 10 JumpStart installation to Oracle Solaris 11 installation. The lesson also shows you how to configure and work with automated installation features. Finally, you are introduced to the distribution constructor.


Agenda

• Introducing Oracle Solaris 11 operating system installation options
• Performing interactive installations of the Oracle Solaris 11 operating system
• Configuring an AI Server and clients
• Comparing and converting JumpStart to AI
• Working with the distribution constructor


Oracle Solaris 11 Installation Methods

• GUI installation
– Live Media (x86 only)
• Text installation
– Text installer
• Automated installation
– Automated installations through media
– Automated installations of multiple clients
• Installation images can be downloaded from: http://www.oracle.com/technetwork/server-storage/solaris11/downloads

Oracle Solaris 11 can be installed in the following ways:
• Oracle Solaris 11 Live Media image: You use the Oracle Solaris 11 Live Media image to install on x86-based systems. This method is used for systems that have a graphic display. It contains software packages that are normally found in workstations and notebook environments.
• Oracle Solaris 11 Text installer: You use the Oracle Solaris 11 Text installation for x86- or SPARC-based systems. This method is used for systems that do not have a graphic display. It contains software packages that are normally found in server environments.
• Automated Installations through media: You can initiate an automated installation of the Oracle Solaris 11 OS on a SPARC or an x86 system by booting an AI Image on media, such as CD, DVD, or USB. This method initiates a hands-free installation of only that system and uses a manifest file to obtain the installation instructions.
• Automated Installations over the network: The Oracle Solaris 11 Automated installation provides a “hands-free” network installation for multiple client systems for x86- or SPARC-based systems. This method enables administrators to create and manage customized installation profiles for different systems.
All installation downloads are in an ISO image format that can be burned to a CD or a DVD, or used directly within Oracle VM Server or other virtualization software.


Oracle Solaris 11 System Requirements

Installer: Text Installer
Minimum Memory: 1.5 GB for x86; 2.0 GB for SPARC
Minimum Disk Space: 4.9 GB for x86; 4.9 GB for SPARC
Recommended Minimum Disk Space: 9 GB for x86; 9 GB for SPARC

Installer: Live Media
Minimum Memory: 1.5 GB for x86
Minimum Disk Space: 6.7 GB
Recommended Minimum Disk Space: 13 GB

Installer: Automated Installer
Minimum Memory: 1.5 GB for x86; 2.0 GB for SPARC
Minimum Disk Space: Varies depending on the number and size of packages included for installation
Recommended Minimum Disk Space:
– 13 GB for solaris-desktop
– 9 GB for solaris-large-server
– 8 GB for solaris-small-server
– 6 GB for solaris-minimal-server

This slide shows the hardware requirements needed for installing Oracle Solaris 11.
Note: Oracle Solaris 11.1 now supports installation to x86 systems with UEFI firmware. GRUB 2 has been added as the default x86 boot loader, which not only supports UEFI-specified, GPT partitioning schemes, but also disks that are larger than 2 TB. You must note that UEFI 2.1+ is required and this feature is not currently available on SPARC platforms. For information about GRUB2 and how to upgrade your GRUB legacy system to a release that supports GRUB2, see the following websites:
• http://docs.oracle.com/cd/E36784_01/html/E36801/gkvif.html#scrolltoc
• http://docs.oracle.com/cd/E36784_01/html/E36801/gluae.html#scrolltoc
Starting with Oracle Solaris 11.2, a new group package, solaris-minimal-server, installs the smallest possible set of Oracle Solaris packages. Fewer packages reduce potential system vulnerabilities, and provide faster system updates, faster system cloning, and faster backup in the cloud.


Agenda

• Introducing Oracle Solaris 11 operating system installation options
• Performing interactive installations of the Oracle Solaris 11 operating system
• Configuring an AI Server and clients
• Comparing and converting JumpStart to AI
• Working with the distribution constructor


Oracle Solaris 11 Text Installer

When starting the Oracle Solaris 11 Text installer, you are provided with a menu of keyboard layouts as shown in this slide. The default is US-English.


Oracle Solaris 11 Text Installer

The screen shown in the slide provides the language options. The default is English.


Oracle Solaris 11 Text Installer

The installation menu provides you with options, such as installing additional device drivers and changing the terminal type. The default is “Install Oracle Solaris” (option 1).


Oracle Solaris 11 Text Installation: Disks

Starting from Oracle Solaris 11.1 release, the ability to install to iSCSI target LUNs has been included in the Text installer. Administrators can choose between installing on local disks or iSCSI disks.
• Local Disks: This is the default option for disks that are attached to the computer, including internal and external hard disks.
• iSCSI: If you want the installer to search for remote disks that are accessible over a network by using the iSCSI standard, select this option. You can connect to a remote iSCSI disk by using DHCP auto-discovery or by manually specifying a target IP address, an iSCSI target name and LUN, and an initiator name.
For more information, refer to http://docs.oracle.com/cd/E36784_01/html/E36800/texttask.html#scrolltoc.


Oracle Solaris 11 Text Installation: Disks

During the Oracle Solaris 11 Text installation, you must choose the disk on which to install the OS.


Oracle Solaris 11 Text Installation: Network
You are required to assign a name to the installation system. This is the network host name.
Also, you must decide how the installation system network is to be configured:
• Automatically: Also known as reactive network, configures the network automatically
using a combination of Network Configuration Profile and Location profile files. You can
configure multiple Network Configuration Profile files and Location profile files by using
the reactive network. A network configuration file can have a static IP or an IP obtained
by the DHCP server.
• Manually: Enables you to configure the network interface manually by assigning the
desired IP address, subnet mask, and router.
• None: Disables reactive network. When selecting this option, you must configure the
network manually.


Oracle Solaris 11 Text Installation: Users
In Oracle Solaris 11, by default, root is configured as a role rather than as a user. During
system installation, the Text installer helps you to set up the root password and initial user
account. You use the initial user account to log in to the system. After the initial user login, a
user with the appropriate privileges can subsequently assume the role of root by using su or
perform administrative tasks after authentication by using sudo or pfexec.
Note: If user information is not specified on this page, root becomes a normal account and
can directly log in to the system.


Oracle Solaris 11 Text Installation: Support
The Oracle Solaris 11.1 installers now provide the ability to automatically connect to Oracle
support services through the integration of Oracle Configuration Manager and Oracle Auto
Service Request. By providing My Oracle Support credentials to take advantage of Oracle’s
support services, administrators can get systems online and in service faster.


Oracle Solaris 11 Live Media
The Oracle Solaris 11 Live Media for x86 provides a GUI-based interactive installation that
steps through the process of configuring the system for the OS installation. The Live Media
then installs a software payload that includes a full desktop operating environment. The Live
Media also provides additional utilities, such as the Device Driver Utility and partition editor, to
help ensure a successful installation.


Oracle Solaris 11 Live Media: Device Driver Utility
The Device Driver Utility helps you to decide whether Oracle Solaris 11 can be installed on
your x86 system. When started, it runs a quick device compatibility check on your system. If a
device driver problem is detected, it provides the tools for installing the appropriate device
driver packages from a file, web, or the IPS repository.


Oracle Solaris 11 Live Media: Partition Editor
The GParted Partition Editor enables you to customize the installation disk layout before you
begin the OS installation. Note that GParted is usually used only if you are attempting to set
up a disk to boot multiple operating systems.


Oracle Solaris 11 Live Media Installer: Disk
Starting from the Oracle Solaris 11.1 release, the ability to install to iSCSI target LUNs has been
included in the Live Media Installer. Administrators can choose between installing on local
disks or iSCSI disks.
• Local Disks: This is the default option for disks that are attached to the computer,
including internal and external hard disks.
• iSCSI: If you want the installer to search for remote disks that are accessible over a
network using the iSCSI standard, select this option. You can connect to a remote iSCSI
disk using DHCP auto-discovery or by manually specifying a target IP address, an iSCSI
target name and LUN, and an initiator name.
For more information, refer to
http://docs.oracle.com/cd/E36784_01/html/E36800/guitask.html#scrolltoc.


Oracle Solaris 11 Live Media Installer: Disk
The Oracle Solaris 11 Live Media installer helps you to choose the target installation disk or
partition.


Oracle Solaris 11 Live Media Installer: Time Zone
The Oracle Solaris 11 Live Media installer provides a point-and-click time zone configuration
interface. Simply click the city nearest to your installation location.


Oracle Solaris 11 Live Media Installer: Users
Similar to the Text installer, in Oracle Solaris 11, root is configured by default as a role rather
than as a user. During system installation, the Live Media installer helps you to set up the root
password and initial user account. You use the initial user account to log in to the system.
After initial user login, you can assume the role of root by using su or perform administrative
tasks after authentication by using sudo or pfexec. Note that the root password will be the
same as the user account password entered here.
In addition to the initial user configuration, the Users dialog box enables you to set the host
name for your system. The network configuration method is automatically set to reactive
network.


Oracle Solaris 11 Live Media Installer: Support
The Oracle Solaris 11.1 installers now support the ability to automatically connect to Oracle
support services through the integration of Oracle Configuration Manager and Oracle Auto
Service Request. By providing My Oracle Support credentials to take advantage of Oracle’s
support services, administrators can get systems online and in service faster.


Practices 4-1 and 4-2: Overview

• Practice 4-1 covers installing Oracle Solaris 11 by using
the Text installer.
• Practice 4-2 covers installing Oracle Solaris 11 by using
the Live Media installer.

In these practices, you perform interactive installations of the Oracle Solaris 11 operating
system.


SMF-Based System and Network Configuration

• System and network configuration files are moved from
/etc to the SMF repository.
• System and network configuration changes:
– File system sharing
– Network configuration
– The system host name
– Power management
– Time zone
– Naming services
– Domain name
– Environment variables

In Oracle Solaris 11, the system and network configuration data that was previously stored in
the /etc directory is now stored in an SMF repository. Moving configuration data to SMF
service properties enables the delivery of a uniform, extensible architecture for system
configuration, which provides you with a more complete capability to manage the system
configuration.
The following network configuration features have changed in Oracle Solaris 11:
• File system sharing: Sharing a file system is managed through SMF and administered
by using the zfs command. The /etc/dfs/dfstab file is meaningful only for legacy
file systems.
• Network configuration: Network configuration persistence through the editing of these
files is no longer necessary. You use commands such as svccfg, svcprop, ipadm,
and dladm to manage this type of network configuration. Files such as
/etc/hostname.<if>, /etc/dhcp.<if>, and /etc/hostname.ip*.tun* are no
longer relevant.
• The system host name: A system’s host name is now set by configuring the
config/nodename service property of the svc:/system/identity:node SMF
service. The /etc/nodename file is no longer relevant.
• Power management: Power management is now administered by using the poweradm
command. The /etc/power.conf file and the pmconfig command are no longer
relevant.
• Time zone: A new svc:/system/timezone:default SMF service enables you to
set the time zone on an Oracle Solaris 11 system.
• Naming services: The primary repository for all naming services configuration is the
SMF repository. All legacy configuration files, such as resolv.conf,
nsswitch.conf, /var/yp/*, and /var/ldap/ are regenerated from the SMF data
when an appropriate service is started or refreshed. You do not edit these files directly.
The /etc/nsswitch.conf configurations are now handled by the
svc:/system/name-service/switch service and /etc/resolv.conf
configurations are handled by svc:/network/dns/client. A new utility, nscfg(1),
has been provided to import and export name service configuration into and out of the
SMF repository and allows legacy files such as /etc/nsswitch.conf and
/etc/resolv.conf to regenerate from SMF configuration for backward compatibility.
• Domain name: The system’s domain name is now handled by the
svc:/system/identity/domain service. The /etc/defaultdomain file is no
longer relevant.
• Environment variables: The system’s environment variables are now being handled by
the svc:/system/environment:init service. The /etc/default/init file is
now read-only. To use the svc:/system/environment:init SMF service, the
skip_init_upgrade property must be set to true.
Note: Starting from the Oracle Solaris 11.1 release, new options to svccfg(1M), extract,
and delcust commands have been introduced, which help administrators to better
understand the administrative customizations that have been made on a system and apply
those changes to other systems. The svccfg editprop command has also been improved
to enable administrators to easily change the service configuration by using a text editor.
Some of the service infrastructural properties that are typically less interesting to
administrators are now hidden.
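
A transition check built from the list above, added here as an example and not part of the course material: the function scans the /etc tree of a system (or of a backup copy) and reports each legacy file named in these notes together with the SMF service or command that now holds the setting. The function names and the ROOT argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the course material): list configuration files under
# ROOT/etc whose role moved to SMF in Oracle Solaris 11, per the notes above.
# Output: one "STATUS<TAB>path<TAB>managed by" line per file found.
#   obsolete  - no longer relevant; the setting lives in SMF or a command
#   generated - regenerated from SMF data; manual edits do not persist
#   legacy    - dfstab with active entries (only legacy file systems use it)
# Exit status: 0 if no obsolete or legacy file was found, 1 otherwise.

emit() {
    # $1 status, $2 path as seen on the audited system, $3 replacement
    printf '%s\t%s\t%s\n' "$1" "$2" "$3"
}

audit_legacy_config() {
    alc_root=${1:-/}
    alc_root=${alc_root%/}      # "/" becomes "" so "$alc_root/etc" stays valid
    alc_rc=0

    # Fixed-name files that Oracle Solaris 11 no longer uses.
    for alc_pair in \
        "nodename|config/nodename in svc:/system/identity:node" \
        "defaultdomain|svc:/system/identity/domain" \
        "power.conf|poweradm"
    do
        alc_file=${alc_pair%%|*}
        if [ -e "$alc_root/etc/$alc_file" ]; then
            emit obsolete "/etc/$alc_file" "${alc_pair#*|}"
            alc_rc=1
        fi
    done

    # Per-interface files: hostname.<if>, dhcp.<if>, hostname.ip*.tun*
    for alc_path in "$alc_root"/etc/hostname.* "$alc_root"/etc/dhcp.*; do
        [ -e "$alc_path" ] || continue   # an unmatched glob stays literal
        emit obsolete "${alc_path#"$alc_root"}" "ipadm and dladm"
        alc_rc=1
    done

    # Still present on Oracle Solaris 11, but written by SMF services.
    for alc_pair in \
        "nsswitch.conf|svc:/system/name-service/switch" \
        "resolv.conf|svc:/network/dns/client"
    do
        alc_file=${alc_pair%%|*}
        if [ -e "$alc_root/etc/$alc_file" ]; then
            emit generated "/etc/$alc_file" "${alc_pair#*|}"
        fi
    done

    # dfstab matters only if it still carries uncommented share entries.
    alc_dfstab=$alc_root/etc/dfs/dfstab
    if [ -f "$alc_dfstab" ] &&
       grep -q '^[[:space:]]*[^#[:space:]]' "$alc_dfstab"; then
        emit legacy /etc/dfs/dfstab "SMF, administered with the zfs command"
        alc_rc=1
    fi

    return "$alc_rc"
}
```

Run it as `audit_legacy_config /path/to/old-root` against a restored copy of the previous system to list the settings that have to be re-created through SMF.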


Configuring an Oracle Solaris 11 Image

• The sysconfig utility replaces sys-unconfig and
sysidtool.
• Unconfigure the system:
– sysconfig unconfigure -g system
• Configure the system:
– sysconfig configure
• System configuration profile creation:
– sysconfig create-profile
• Configure functional grouping interactively:
– sysconfig configure -g network,naming_services
• Configure functional grouping non-interactively:
– sysconfig create-profile \
-g network,naming_services \
-o /var/tmp/sysconfig_dir

The sysconfig utility is used in Oracle Solaris 11 to unconfigure and reconfigure an existing
Oracle Solaris 11 system or its subsystem. The subsystems of a system that are configurable
are referred to as “functional groupings.” A functional grouping is a service or collection of
services that are configured or unconfigured when the utility is executed.
The sysconfig utility replaces the sys-unconfig and sysidtool utilities. The
sysconfig utility launches the System Configuration tool. You use the System Configuration
tool to interactively unconfigure and configure the OS image.
You can perform the following three operations by using the sysconfig utility:
• Unconfiguration of the system: Brings the OS image to a pristine (unconfigured) state
• Configuration of the system: Enables you to reconfigure the OS image. It helps you to
change the host name, IP address, name service, time zone, initial user account, and
root password.
• System configuration profile creation: Helps you to create a system configuration
profile. The system configuration profile is an XML-based file that contains the host
name, IP address, name service, time zone, initial user account, and root password
configuration properties. The system configuration profile can be used with the
sysconfig configure command or with Automatic Installation (AI) to configure an
OS image.


Apart from using sysconfig to perform system configurations, you can also reconfigure and
unconfigure individual functional groups. The functional groupings that can be configured on a
system are date_time, network, naming_services, location, users, identity,
support, and keyboard. The system grouping will configure or unconfigure all functional
groupings. Groupings can also be unconfigured and left in an unconfigured state.
The following command reconfigures the network and naming services functional groupings.
The SCI Tool is invoked and the groupings will be reconfigured interactively.
# sysconfig configure -g network,naming_services

The following sequence of commands creates a profile for the network and naming services,
and then uses the profile to reconfigure the groupings non-interactively:
# sysconfig create-profile -g network,naming_services -o /var/tmp/sysconfig_dir/
# sysconfig configure -g network,naming_services -c /var/tmp/sysconfig_dir/sc_profile.xml
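
A check to run on a generated profile before it is reused, added here as an example and not part of the course material: because a full system configuration profile carries the initial user and root password properties, the functions flag a profile that group or others can access and report whether root is defined as a role, as the installer Users screens set it by default. The function names, the one-element-per-line layout, and the root_account property names in the constructed sample are assumptions; compare them with a profile generated on your own system.

```shell
#!/bin/sh
# Added example (not from the course material). Audits a system configuration
# profile such as /var/tmp/sysconfig_dir/sc_profile.xml before it is reused.
# Assumptions: one XML element per line, and the root account stored in a
# property_group named "root_account" with a "type" property.

write_sample_profile() {
    # $1 = output file, $2 = root account type. Every value is constructed.
    cat > "$1" <<EOF
<?xml version="1.0"?>
<service_bundle type="profile" name="sysconfig">
  <service version="1" type="service" name="system/config-user">
    <instance enabled="true" name="default">
      <property_group type="application" name="user_account">
        <propval type="astring" name="login" value="student"/>
        <propval type="astring" name="type" value="normal"/>
        <propval type="astring" name="roles" value="root"/>
      </property_group>
      <property_group type="application" name="root_account">
        <propval type="astring" name="login" value="root"/>
        <propval type="astring" name="password" value="CONSTRUCTED-HASH"/>
        <propval type="astring" name="type" value="$2"/>
      </property_group>
    </instance>
  </service>
</service_bundle>
EOF
}

profile_is_private() {
    # Succeeds only if the mode string grants nothing to group or others.
    # ACLs are not inspected.
    pip_mode=$(ls -ld -- "$1" | cut -c5-10)
    [ "$pip_mode" = "------" ]
}

profile_root_type() {
    # Prints the value of root_account/type, or "unset" if it is absent.
    awk '
        /<property_group[ >]/ { in_root = ($0 ~ /name="root_account"/) }
        /<\/property_group>/  { in_root = 0 }
        in_root && /<propval / && /name="type"/ {
            if (match($0, /value="[^"]*"/)) {
                print substr($0, RSTART + 7, RLENGTH - 8)
                found = 1
                exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

audit_sc_profile() {
    # Returns 0 when the profile is private and root is a role, 1 otherwise.
    asp_rc=0
    if ! profile_is_private "$1"; then
        echo "WARN: $1 is accessible to group or others and holds password properties"
        asp_rc=1
    fi
    asp_type=$(profile_root_type "$1")
    case $asp_type in
        role)  echo "OK: root is configured as a role" ;;
        unset) echo "NOTE: root account type not found in $1; check the installed system"
               asp_rc=1 ;;
        *)     echo "WARN: root type is '$asp_type'; root can log in directly"
               asp_rc=1 ;;
    esac
    return "$asp_rc"
}
```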


Agenda

• Introducing Oracle Solaris 11 operating system installation
options
• Performing interactive installations of the Oracle Solaris 11
operating system
• Configuring an AI Server and clients
• Comparing and converting JumpStart to AI
• Working with the distribution constructor


Oracle Solaris 11 Automated Installation

[Slide diagram: Automated Installations Over the Network. Labels: AI Server, Installation Service,
Manifests, Boot Image, DHCP Server, IPS Repository; arrows numbered 1, 2, and 3.]

The automated installer is used to automate the installation of the Oracle Solaris 11 OS on
one or more SPARC and x86 systems over a network. The installations can differ in
architecture, packages installed, disk capacity, network configuration, and other parameters.
An automated installation can be run in a “serverless” mode where the client boots from the
ISO image and uses a manifest that is either located on the media or obtained from a network
location to which you have access. Client access to an IPS repository and DHCP service are
required.
An automated installation over the network to a client system, as shown in the slide, involves
the following core steps:
1. A client system boots and gets IP information from the DHCP server.
2. The client contacts an installation service on the AI server and accesses the boot image
and the AI manifest containing the installation specifications.
3. The client is installed with the operating system, pulling packages from the IPS
repository specified in the AI manifest.


How Automated Installation Works

Flowchart:
1. Boot client from network.
2. Client contacts DHCP server, gets IP address and boot program.
3. Client gets boot program and loads it.
4. Client downloads boot archive and loads kernel.
5. Client uses HTTP to download install programs from AI Image.
6. Client identifies installation services and chooses matching service.
7. Client contacts installation service and gets installation Manifest.
8. AI installs and configures the system for use.
9. Install successful?
– No: User examines logs and error messages and determines course of action.
– Yes: Automatic reboot set in manifest?
– No: User can examine logs and reboot Manually.
– Yes: AI client System reboots.

Assume that you have set up an installation server with one or more installation services. You
have customized the installation specifications for the installation services to suit your needs.
Now, you are ready to install the Oracle Solaris 11 OS to client systems on the network. You
need only to boot the client, and the process runs to completion without further input from you.
The flowchart in the slide illustrates how a client system is installed. The client browses for
available installation services, seeking a service where the installation criteria in the service’s
manifest file match the characteristics of the client system. When a match is found, the
installation is performed on the client system, using a boot image and manifest specifications
provided by the installation service.


AI Environmental Requirements

• Network
• Client access to AI service and IPS repository
• AI service storage location
• Manifests and system configuration profiles
• Custom manifest and profile storage location

To use AI to install client systems over the network, you should set up DHCP and also an AI
installation service on an installation server. AI uses DHCP to provide the IP address, subnet
mask, router, DNS server, and the location of the installation server to the client machine to
be installed. The DHCP server and AI installation server can be the same machine or two
different machines.
The client machines that you want to install should be able to access an Oracle Solaris Image
Packaging System (IPS) software package repository. The IPS package repository can be on
the installation server, on another server on the local network, or on the Internet. An AI
installation service is associated with an x86 network boot image (net image), one or more
installation instruction files (AI manifests), and zero or more system configuration instruction
files (system configuration profiles). The net image is not a complete installation. Client
machines must access an IPS package repository to complete their installations. The AI
manifest specifies one or more IPS package repositories where the client retrieves the
packages needed to complete the installation. The AI manifest also includes the names of
additional packages to install and information such as target device and partition information.
You can also specify instructions for configuring the client.


If two client machines have different architectures or need to be installed with different
versions of the Oracle Solaris 11 OS, you create two AI installation services and associate
each installation service with a different net image. If two client machines need to be installed
with the same version of the Oracle Solaris 11 OS but with different configurations applied,
you create two AI manifests for the AI installation service. The different AI manifests can
specify different packages to install or a different slice as the installation target. If client
systems need to have different configurations applied, create multiple system configuration
profiles for the installation service. The different system configuration profiles can specify
different network or locale setup, or unique host name and IP address.
Note: Starting from the Oracle Solaris 11.1 release, a new set of Role-Based Access
Control (RBAC) profiles and authorizations are available for managing the Automated
Installation service, including the Install Service Management profile.
The Automated Installer command-line utility, installadm, now supports three new options,
update-service, update-profile, and set-service, to improve flexibility for
administrators maintaining a set of installation services. Oracle Solaris 11.1 also supports the
ability to specify a manifest location with a system boot argument.


IPS Case: Using Default Manifest
[Slide diagram. Labels: Installation Server (Static IP Address, Default Route;
svc:/network/dns/multicast; AI Service Components from installadm Package; AI Installation
Service; Default Client Provisioning Manifest); DHCP Server (Direct Client to Installation Server);
IPS Software Package Repository (pkg.oracle.com); Client.]

The minimum you have to do to use AI is create one installation service. In this minimal
scenario, all clients have the same architecture and are installed with the same version of the
Oracle Solaris OS. The installations use the default AI manifest, which specifies the most
recent version of the OS available from the default IPS package repository on the Internet.
1. Make sure that the installation server has a static IP address and default route.
2. Install the installation tools package, install/installadm.
3. Run the installadm create-service command.
4. Make sure that the clients can access a DHCP server.
5. Make sure that the necessary information is available in the DHCP configuration to boot
the service.
6. Make sure that the clients can access an IPS software package repository. To use the
default IPS package repository, the clients must be able to access the Internet.
7. Network boot the client.


When you network boot the client, the following steps are performed:
1. The client gets the installation server address from the DHCP server.
2. Because the installation server has only one installation service, the client uses that
service if the architecture matches.
3. Because the installation service has only one AI manifest, the client uses that default AI
manifest, installing software packages from the IPS package repository over the
network.
4. When the client boots after installation, an interactive tool prompts for system
configuration information because no system configuration profile is provided.


IPS Case: Using Custom Manifest
[Slide diagram. Labels: Installation Server (Static IP Address, Default Route;
svc:/network/dns/multicast; AI Service Components from installadm Package; AI Installation
Service; Custom Client Provisioning Manifest); DHCP Server (Direct Client to Installation Server);
Local IPS Software Package Repository; Client.]

To specify the installation parameters, such as a local IPS publisher, the target disk for
installation, partition or mirror configuration, or additional software packages to install, provide
a customized AI manifest. Perform the following steps before you boot the client, in addition to
the minimum required steps:
1. Create a new AI manifest, or write a script that dynamically creates a custom AI
manifest at client installation time.
2. Run the installadm create-manifest command to add the new manifest or script
to the installation service. Specify criteria for the client to select this manifest or script, or
use the -d option to make this manifest or script the default manifest specification for
this service.


When you network boot the client, the following steps are performed:
1. The client gets the installation server address from the DHCP server.
2. Because the installation server has only one installation service, the client uses that
service if the architecture matches.
3. The client is directed to the correct provisioning manifest by criteria specified to
create-manifest. If no criteria match, the client uses the default manifest for this
service.
4. The client is provisioned according to the selected manifest.
5. When the client boots after installation, an interactive tool prompts for system
configuration information because no system configuration profile is provided.


IPS Case: Using a System Configuration Profile
Unauthorized reproduction or distribution prohibitedฺ Copyright© 2015, Oracle and/or its affiliatesฺ

Installation Server IPS Software


Static IP Address, Default Route Package Repository
pkg.oracle.com
svc:/network/dns/multicast

AI Service Components
from installadm Package
Client
bl e
AI Installation Service e r a
a nsf
P
Default Client
Provisioning
i i i Manifest
M if t
DHCP Server
Direct Client too n -tr
n
Installation Server a
a
h eฺ s
Configuration Profile
e )
n e tฺa Guid
t e sฺ ent
m ira Stud
@ e his
a i
v se t
i q
dฺ © t2014,uOracle and/or its affiliates. All rights reserved.
hCopyright
o
i ( sha ense
To specify
Q lic
avsystem configuration parameters, such as time zone, user accounts, and
d
ahi
networking, provide a Service Management Facility (SMF) system configuration profile.
Sh Perform the following steps before you boot the client, in addition to the minimum required
steps:
1. Create a system configuration profile by using the sysconfig create-profile
utility.
2. Run the installadm create-profile command to validate the profile, add the
profile to the installation service, and specify criteria to select which clients should use
this system configuration profile.
When you network boot the client, the following steps are performed:
1 The client gets a temporary IP address for itself along with the address of the installation
1.
server, from the DHCP server.
2. Because the installation server has only one installation service, the client uses that
service if the architecture matches.
3. Because the installation service has only one AI manifest, the client uses that default AI
manifest, installing software packages from the IPS package repository over the
network.
4. The client is directed to the correct system configuration profile by criteria specified to
create-profile.
5. The client is configured according to the selected configuration profile. If no
configuration profile is selected because the criteria do not match, the interactive
configuration tool starts.

IPS Case: Multiple AI Services

[Figure labels: Installation Server (Static IP Address, Default Route,
svc:/network/dns/multicast); Local IPS Software Package Repository (pkg.oracle.com); AI Service
Components from installadm Package; AI Installation Service for Oracle Solaris 11 version m;
AI Installation Service for Oracle Solaris 11 version n; DHCP Server: Direct Client to
Installation Server; Client; Client]

To install different versions of the Oracle Solaris 11 OS, create additional AI installation
services. Perform the following steps before you boot the client, in addition to the minimum
required steps:
1. Run the installadm create-service command and specify a different net image.
2. Run the installadm create-client command to direct the client to this new
installation service.
3. Create custom manifests and system configuration profiles (if required) and associate
them with the appropriate AI service.
When you network boot the client, the following steps are performed:
1. The client gets a temporary IP address for itself along with the address of the installation
server, from the DHCP server.
2. The client is directed to this new installation service by create-client.
3. The client is provisioned according to the default provisioning manifest for this service.
4. When the client boots after installation, an interactive tool prompts for system
configuration information because no system configuration profile is provided.

Configuring the AI Server

• Set up the AI service:
  – Installation images
  – DHCP server
• Set up or remove clients.
• Add or delete manifest files.
• Add or delete system configuration profiles.
• Administer installation services by using the AI SMF service.

This slide provides an overview of the tasks that you must perform when configuring your AI
server.

Setting Up the AI Server

• Install Oracle Solaris 11 OS.
• Set a static IP address for the network interface.
• Install the installadm package:
# pkg install installadm
• Enable DNS multicast on the AI server:
# svcadm enable svc:/network/dns/multicast:default

Creating an Installation Service

• Set up a DHCP server in managed state.
# installadm set-server -i 192.168.0.100 -c 20 -m
• Create the AI service.
# installadm create-service -n x86_clients \
    -s /export/images/sol-11_1-ai-x86.iso \
    -d /rpool/ai/x86_clients
• List the AI services.
# installadm list
• Add AI clients to the AI service.
# installadm create-client -e 08:00:27:85:C7:D6 -n x86_clients

AI Manifests

• Default manifest
• Derived manifest
• Custom manifest
• Criteria manifest

AI manifests are XML files that are used to specify multiple sets of installation and system
configuration instructions for each installation service.
AI has four types of manifests:
• Default manifest: A default manifest is an installation manifest that has no criteria
associated with it. The default manifest is used by clients when no other installation
manifest’s criteria match the client.
• Derived manifest: The default AI manifest for an installation service is a derived
manifest. When you create an installation service, a default manifest called
orig_default is created for the service. A derived manifest enables the AI process to
use existing system configuration data to simplify AI configuration steps.
• Custom manifest: To perform different installations on different clients by using the
same installation image, you need to provide customized AI manifests for that
installation service. Clients that do not match the criteria specific to any custom manifest
are installed using the instructions in the default manifest.
• Criteria manifest: The criteria manifest allows you to associate client-specific
installation instructions with AI services. When the client matches the criteria that have
been specified for a criteria manifest, the client uses the associated manifest.

default.xml AI Manifest File

<!DOCTYPE auto_install SYSTEM "file:///usr/share/install/ai.dtd">
<auto_install>
  <ai_instance name="default">
    <target>
      <logical>
        <zpool name="rpool" is_root="true">
          <filesystem name="export" mountpoint="/export"/>
          <filesystem name="export/home"/>
          <be name="solaris"/>
        </zpool>
      </logical>
    </target>

The default AI manifest file, default.xml, provides a generic configuration applicable to
most clients. You can change the AI defaults by copying the default.xml file to a new file
and editing the new file as desired. You can then apply the new manifest by using the
installadm create-manifest -f command, as in this example:
installadm create-manifest -f new_manifest -n AI_service_name
The <target> element is used to configure the disk drive used for the OS installation.

default.xml AI Manifest File

    <software type="IPS">
      <source>
        <publisher name="solaris">
          <origin name="http://pkg.oracle.com/solaris/release"/>
        </publisher>
      </source>
      <software_data action="install">
        <name>pkg:/entire</name>
        <name>pkg:/group/system/solaris-large-server</name>
      </software_data>
    </software>
  </ai_instance>
</auto_install>

This slide shows the IPS and packages sections of the default manifest file. The
<software> element defines the location of the IPS origin and which software packages to
install and uninstall. The entire package is recommended so that the system will be
updated coherently when patching or upgrading in the future. The solaris-large-server
package is suitable for a server installation.

Criteria Manifest

• Associates client-specific installation instructions with AI services
• Uses an AI manifest selection algorithm
• Uses multiple non-overlapping criteria
• Can be added using the installadm create-manifest command:
# installadm create-manifest -f /export/manifests/manifest_x86.xml \
    -n s11-x86 -C /export/manifests/criteria_x86.xml

The criteria manifest allows you to associate client-specific installation instructions with AI
services. When the client matches the criteria that have been specified for a criteria manifest,
the client uses that manifest.
An AI manifest is selected for a client according to the following algorithm:
• If custom manifests are defined for this installation service but the client does not match
criteria for any custom manifest, the client uses the default manifest.
• If the client matches criteria that have been specified for a custom manifest, the client
uses the associated manifest.
If client characteristics match multiple manifests, the client characteristics are evaluated in the
following order:
• mac
• ipv4
• platform
• arch
• cpu
• mem



For example, if one criteria specification matches the client’s MAC address and another
criteria specification matches the same client’s IP address, the manifest associated with the
MAC address criteria specification is used, because mac is a higher priority for selection than
ipv4.
You use the installadm create-manifest command to add a criteria manifest to a
service, as in the following example:
# pfexec installadm create-manifest -f \
    /export/manifests/manifest_x86.xml -n s11-x86 \
    -C /export/manifests/criteria_x86.xml
In this case, when a client meets the criteria identified in the criteria_x86.xml criteria file,
the manifest_x86.xml manifest will be applied to that client.

Criteria Manifest: Examples

• arch criteria manifest file:
<ai_criteria_manifest>
  <ai_criteria name="arch">
    <value>i86pc</value>
  </ai_criteria>
</ai_criteria_manifest>
• mac criteria manifest file:
<ai_criteria_manifest>
  <ai_criteria name="mac">
    <value>0:14:4F:20:53:94</value>
  </ai_criteria>
</ai_criteria_manifest>
• ipv4 criteria manifest file:
<ai_criteria_manifest>
  <ai_criteria name="ipv4">
    <value>192.168.0.114/24</value>
  </ai_criteria>
</ai_criteria_manifest>

This slide shows examples of arch, mac, and ipv4 criteria files.
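The selection order described for criteria manifests (mac, then ipv4, platform, arch, cpu, mem) can be traced with the following added Python example, which models the documented order and is not installadm's own code. The manifest names, the client dictionaries, and the rule that every criterion in a criteria file must match are assumptions; the <range> form is the one this lesson shows for ipv4 in the JumpStart comparison.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Evaluation order from the text: a match on an earlier name wins.
PRIORITY = ["mac", "ipv4", "platform", "arch", "cpu", "mem"]


def norm_mac(mac):
    """Normalize '0:14:4F:20:53:94' and '00:14:4f:20:53:94' to one form."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.strip().split(":"))


def parse_criteria(xml_text):
    """Return {criterion name: (kind, text)}, kind being 'value' or 'range'."""
    criteria = {}
    for crit in ET.fromstring(xml_text.strip()).iter("ai_criteria"):
        name = crit.get("name")
        if name not in PRIORITY:
            raise ValueError(f"criterion not modelled here: {name!r}")
        for kind in ("value", "range"):
            node = crit.find(kind)
            if node is not None and node.text:
                # Collapse whitespace: a value may be wrapped across lines.
                criteria[name] = (kind, " ".join(node.text.split()))
                break
        else:
            raise ValueError(f"{name}: no <value> or <range> element")
    return criteria


def criterion_matches(name, kind, text, client):
    """Compare one criterion with the characteristic the client reports."""
    have = client.get(name)
    if have is None:
        return False
    if name == "mac":
        return norm_mac(text) == norm_mac(have)
    if name == "ipv4":
        addr = ipaddress.ip_address(have)
        if kind == "range":
            low, high = (ipaddress.ip_address(part) for part in text.split())
            return low <= addr <= high
        # ip_interface accepts 'a.b.c.d' and 'a.b.c.d/24'; ignoring the prefix
        # length is an assumption made for this example.
        return ipaddress.ip_interface(text).ip == addr
    if kind == "range":
        raise ValueError(f"{name}: ranges are only modelled for ipv4")
    return text == str(have)


def select_manifest(manifests, client, default="default"):
    """Pick a manifest for a client; returns (manifest name, deciding criterion)."""
    best = None
    for manifest, criteria_xml in manifests.items():
        criteria = parse_criteria(criteria_xml)
        if not criteria:
            continue
        if not all(criterion_matches(n, k, t, client) for n, (k, t) in criteria.items()):
            continue
        rank = min(PRIORITY.index(n) for n in criteria)
        if best is None or rank < best[0]:
            best = (rank, manifest)
    if best is None:
        return default, None  # no custom manifest matched: default manifest
    return best[1], PRIORITY[best[0]]


def _criteria(name, kind, text):
    """Build a constructed criteria file in the format shown above."""
    return (f'<ai_criteria_manifest><ai_criteria name="{name}">'
            f"<{kind}>{text}</{kind}></ai_criteria></ai_criteria_manifest>")


# Constructed sample: three custom manifests of one installation service.
MANIFESTS = {
    "by_mac": _criteria("mac", "value", "\n 08:00:27:85:C7:D8\n "),
    "by_ip": _criteria("ipv4", "range", "192.168.0.100 192.168.0.200"),
    "by_arch": _criteria("arch", "value", "i86pc"),
}

if __name__ == "__main__":
    for client in (
        {"mac": "8:0:27:85:c7:d8", "ipv4": "192.168.0.140", "arch": "i86pc"},
        {"mac": "08:00:27:00:00:01", "ipv4": "192.168.0.150", "arch": "i86pc"},
        {"mac": "08:00:27:00:00:01", "ipv4": "10.0.0.5", "arch": "sun4v"},
    ):
        print(client, "->", select_manifest(MANIFESTS, client))
```

The first client matches all three criteria files, and the MAC match decides, as in the MAC-versus-IP case described in the text.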

AI Manifest Wizard

In the Oracle Solaris 11.2 release, a new interactive browser interface enables you to easily
create AI manifests, which can be used on an AI server. By stepping through a series of
screens, you can quickly create a new manifest that describes the disk layout and ZFS
datasets, IPS repository and software packages, and zones to be installed. You can then
save this manifest to the AI server, where it can be associated with a client installation later
by using the installadm(1M) command.
You can use the AI Manifest Wizard to create manifest files for AI without having to edit XML
files. The AI Manifest Wizard web application is served from the AI server's web server, which
is controlled via the svc:/system/install/server SMF service. By default, this runs on
port 5555, but can be modified via the SMF service's all_services/port property.
You can access the AI Manifest Wizard by using the URL for the AI server. For example, the
URL for an AI server named ai-server would be http://ai-server.domain:5555. Additionally,
you can also start the AI Manifest Wizard by running the /usr/bin/ai-wizard command
on the AI server.
For more information about the AI Manifest Wizard, refer to installadm(1M) and
ai_manifest(4) man pages.

System Configuration Profiles

• System configuration profiles specify client configuration.
• System configuration profiles set SMF properties for appropriate SMF services.
• System configuration profiles are applied during the first client boot after installation.
• AI clients may have multiple system configuration profiles.
• If no system configuration profile is specified, the interactive system configuration tool is
  used at first client boot.
• System configuration profiles are created using the sysconfig create-profile utility.

The system configuration profiles specify client system configuration as a set of configuration
parameters in the form of a Service Management Facility (SMF) profile. The system
configuration profile sets SMF properties for appropriate SMF services.
System configuration profiles are applied during the first boot of the system after AI
installation. SMF services responsible for particular configuration areas process SMF
properties and configure the system accordingly.
Each client can use any number of system configuration profiles. For example, a client might
be assigned one profile that provides only the host name and IP address for that client. The
same client and many other clients might be assigned other profiles that set more broadly
applicable property values. If no system configuration profile is provided for a particular client,
the interactive configuration tool is started on that client.
The system configuration profiles can be created using the sysconfig create-profile
utility or a text editor.
Note: If multiple system configuration profiles are provided, those profiles must not configure
the same SMF properties, because this will cause conflicts with undefined results.

System Configuration Profile: Example

<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="profile" name="sysconfig">
  <service version="1" type="service" name="system/config-user">
    <instance enabled="true" name="default">
      <property_group type="application" name="root_account">
        <propval type="astring" name="login" value="root"/>
        <propval type="astring" name="password"
          value="$5$bypT4oRp$Dsy3J0FhJNBXqlxDtCJjlqk3k3ZHAg8cb98bPLs3kI9"/>
        <propval type="astring" name="type" value="role"/>
      </property_group>
      <property_group type="application" name="user_account">
        <propval type="astring" name="login" value="oracle1"/>
...
...
        <property type="astring" name="search">
          <astring_list>
            <value_node value="mydomain.com"/>
          </astring_list>
        </property>
      </property_group>
    <instance enabled="true" name="default"/>
  </service>
</service_bundle>

The system configuration profile is used to configure client systems. The following example
shows entries for configuring the initial standard user and root roles:

<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="profile" name="sysconfig">
  <service version="1" type="service" name="system/config-user">
    <instance enabled="true" name="default">
      <property_group type="application" name="root_account">
        <propval type="astring" name="login" value="root"/>
        <propval type="astring" name="password"
          value="$5$bypT4oRp$Dsy3J0FhJNBXqlxDtCJjlqk3k3ZHAg8cb98bPLs3kI9"/>
        <propval type="astring" name="type" value="role"/>
      </property_group>
      <property_group type="application" name="user_account">
        <propval type="astring" name="login" value="oracle1"/>
        <propval type="astring" name="password"
          value="$5$LuaMBnZg$m2YIULH2KoMJeTIm2ahxm08rsKEmMQxYtK8KHMKwFr6"/>
        <propval type="astring" name="type" value="normal"/>
        <propval type="astring" name="description" value="Oracle"/>
        <propval type="count" name="gid" value="10"/>
        <propval type="astring" name="shell" value="/usr/bin/bash"/>
        <propval type="astring" name="roles" value="root"/>
        <propval type="astring" name="profiles" value="System Administrator"/>
        <propval type="astring" name="sudoers" value="ALL=(ALL) ALL"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/timezone">
    <instance enabled="true" name="default">
      <property_group type="application" name="timezone">
        <propval type="astring" name="localtime" value="US/Mountain"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/identity">
    <instance enabled="true" name="node">
      <property_group type="application" name="config">
        <propval type="astring" name="nodename" value="s11-client3"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/keymap">
    <instance enabled="true" name="default">
      <property_group type="system" name="keymap">
        <propval type="astring" name="layout" value="US-English"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/console-login">
    <property_group type="application" name="ttymon">
      <propval type="astring" name="terminal_type" value="sun-color"/>
    </property_group>
  </service>
  <service version="1" type="service" name="network/physical">
    <instance enabled="true" name="default">
      <property_group type="application" name="netcfg">
        <propval type="astring" name="active_ncp" value="DefaultFixed"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="network/install">
    <instance enabled="true" name="default">
      <property_group type="application" name="install_ipv4_interface">
        <propval type="astring" name="address_type" value="static"/>
        <propval type="net_address_v4" name="static_address"
          value="192.168.0.140/24"/>
        <propval type="astring" name="name" value="net0/v4"/>
      </property_group>
      <property_group type="application" name="install_ipv6_interface">
        <propval type="astring" name="stateful" value="yes"/>
        <propval type="astring" name="stateless" value="yes"/>
        <propval type="astring" name="address_type" value="addrconf"/>
        <propval type="astring" name="name" value="net0/v6"/>
      </property_group>
    </instance>
...
...
...
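The note on multiple profiles says that they must not configure the same SMF properties. The following added Python example (not part of the course material) parses profiles in the format shown above and reports any property set by more than one profile, and also lists the accounts, password hash schemes and sudoers entries a profile would create. The two profiles and their password placeholders are constructed; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# crypt(3) scheme tags that can prefix a password value.
CRYPT_SCHEMES = {"1": "md5", "2a": "bcrypt", "5": "sha256", "6": "sha512"}


def smf_properties(profile_xml):
    """Map (service, instance, property group, property) -> value for one profile."""
    props = {}
    for svc in ET.fromstring(profile_xml.strip()).iter("service"):
        # Property groups sit under an <instance> or directly under <service>.
        scopes = [(inst.get("name"), inst) for inst in svc.findall("instance")]
        scopes.append((None, svc))
        for inst_name, scope in scopes:
            for group in scope.findall("property_group"):
                base = (svc.get("name"), inst_name, group.get("name"))
                for pv in group.findall("propval"):
                    props[base + (pv.get("name"),)] = pv.get("value")
                for prop in group.findall("property"):
                    values = [v.get("value") for v in prop.iter("value_node")]
                    props[base + (prop.get("name"),)] = values
    return props


def conflicting_properties(profiles):
    """Return {property path: [profile names]} for paths set by several profiles."""
    setters = defaultdict(list)
    for profile_name, xml_text in profiles.items():
        for path in smf_properties(xml_text):
            setters[path].append(profile_name)
    return {path: names for path, names in setters.items() if len(names) > 1}


def account_summary(profile_xml):
    """Summarize the accounts a profile creates through system/config-user."""
    groups = defaultdict(dict)
    for (svc, _inst, group, name), value in smf_properties(profile_xml).items():
        if svc == "system/config-user":
            groups[group][name] = value
    summary = []
    for group, p in groups.items():
        fields = (p.get("password") or "").split("$")
        scheme = CRYPT_SCHEMES.get(fields[1], "unknown") if len(fields) > 2 else "none"
        summary.append({"group": group, "login": p.get("login"), "type": p.get("type"),
                        "hash": scheme, "sudoers": p.get("sudoers")})
    return summary


# Constructed profiles; the password values are placeholders, not real hashes.
BASE_PROFILE = """
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="profile" name="sysconfig">
  <service version="1" type="service" name="system/config-user">
    <instance enabled="true" name="default">
      <property_group type="application" name="root_account">
        <propval type="astring" name="login" value="root"/>
        <propval type="astring" name="password" value="$5$CONSTRUCTED$PLACEHOLDERHASH"/>
        <propval type="astring" name="type" value="role"/>
      </property_group>
      <property_group type="application" name="user_account">
        <propval type="astring" name="login" value="oracle1"/>
        <propval type="astring" name="password" value="$5$CONSTRUCTED$PLACEHOLDERHASH"/>
        <propval type="astring" name="type" value="normal"/>
        <propval type="astring" name="sudoers" value="ALL=(ALL) ALL"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/timezone">
    <instance enabled="true" name="default">
      <property_group type="application" name="timezone">
        <propval type="astring" name="localtime" value="US/Mountain"/>
      </property_group>
    </instance>
  </service>
</service_bundle>
"""

HOST_PROFILE = """
<service_bundle type="profile" name="sysconfig">
  <service version="1" type="service" name="system/identity">
    <instance enabled="true" name="node">
      <property_group type="application" name="config">
        <propval type="astring" name="nodename" value="s11-client3"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/timezone">
    <instance enabled="true" name="default">
      <property_group type="application" name="timezone">
        <propval type="astring" name="localtime" value="UTC"/>
      </property_group>
    </instance>
  </service>
</service_bundle>
"""
```

Calling conflicting_properties({"base": BASE_PROFILE, "host": HOST_PROFILE}) reports the timezone property that both constructed profiles set; account_summary(BASE_PROFILE) shows which account carries the ALL=(ALL) ALL sudoers entry.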

AI Server Configuration Walkthrough

# mkdir -p /export/ai/custom_ai
# installadm set-server -i 192.168.0.130 -c 5 -m
# installadm create-service -n custom_ai \
    -s /opt/ora/course_files/sol-11_1-ai-x86.iso \
    -d /export/ai/custom_ai
# installadm create-client -e 08:00:27:85:C7:D8 -n custom_ai

This slide begins a step-by-step walkthrough for configuring an AI service. This walkthrough
includes:
• Creating the AI service
• Adding a client to the AI service
• Creating a custom manifest
• Creating a criteria manifest
• Adding manifests to the AI service
• Creating a system configuration profile
• Adding the profile to the AI service
• Validating the system configuration profile
In this slide, you create a new AI service named custom_ai in the
/export/ai/custom_ai directory. The AI image used in this service is
sol-11_1-ai-x86.iso. Next, you add the client 08:00:27:85:C7:D8 to the custom_ai AI service.

AI Server Configuration Walkthrough

# vi /var/tmp/manifests/custom_manifest.xml
<!DOCTYPE auto_install SYSTEM "file:///usr/share/install/ai.dtd">
<auto_install>
  <ai_instance name="custom_ai" auto_reboot="true">
    <target>
      <logical>
        <zpool name="rpool" is_root="true">
          <filesystem name="export" mountpoint="/export"/>
          <filesystem name="export/home"/>
          <be name="solaris"/>
        </zpool>
      </logical>
    </target>
    <software type="IPS">
      <source>
        <publisher name="solaris">
          <origin name="http://s11-server1.mydomain.com"/>
        </publisher>
      </source>

Now that the custom_ai service exists, you create a custom manifest file named
custom_manifest.xml. Here, you set the image name to custom_ai. This results in a
manifest name (identifier) that is used to manage the manifest. Next, the target element
configures the client default boot disk using Oracle Solaris 11 standard conventions. Then
you set the IPS publisher to a local origin (http://s11-server1.mydomain.com).

AI Server Configuration Walkthrough

      <software_data action="install">
        <name>pkg:/entire</name>
        <name>pkg:/group/system/solaris-large-server</name>
      </software_data>
    </software>
  </ai_instance>
</auto_install>

# vi /var/tmp/manifests/criteria_custom_ai.xml
<ai_criteria_manifest>
  <ai_criteria name="mac">
    <value>08:00:27:85:C7:D8</value>
  </ai_criteria>
</ai_criteria_manifest>

This slide continues the custom_manifest edit. Here, you identify which software packages
are to be loaded on the client system from the IPS server.
After the custom manifest build is completed, you create a criteria manifest for the client
system. In this case, you use the client’s MAC address as the criteria.

AI Server Configuration Walkthrough

# installadm create-manifest -n custom_ai \
    -f /var/tmp/manifests/custom_manifest.xml \
    -C /var/tmp/manifests/criteria_custom_ai.xml

# sysconfig create-profile \
    -o /var/tmp/manifests/client_profile.xml

# installadm create-profile -n custom_ai \
    -f /var/tmp/manifests/client_profile.xml \
    -p client_profile \
    -C /var/tmp/manifests/criteria_custom_ai.xml

# installadm validate -n custom_ai -p client_profile

Now that the custom manifest and criteria manifest are built, you associate them with the
custom_ai AI service by using the installadm create-manifest command.
Next, you use the sysconfig create-profile utility to create a system configuration
profile named client_profile for the AI client. The sysconfig create-profile utility
starts the interactive system configuration tool, which guides you through the system
configuration profile design.
After the system configuration profile is completed, you use the installadm create-profile
command to associate the new system configuration profile with the custom_ai AI
service and the client criteria manifest.
Finally, you validate the system configuration profile. If the system configuration profile passes
validation checks, the AI service is completed and available.

Agenda

• Introducing Oracle Solaris 11 operating system installation options
• Performing interactive installations of the Oracle Solaris 11 operating system
• Configuring an AI Server and clients
• Comparing and converting JumpStart to AI
• Working with the distribution constructor

Comparing JumpStart with AI

Task: Set up an installation server.
    JumpStart: Use the setup_install_server command.
    AI: Use the installadm create-service command.
Task: Add clients to the installation.
    JumpStart: Use the add_install_client command.
    AI: Use the installadm create-client command.
Task: Create derived profiles.
    JumpStart: Use a begin script.
    AI: Use the installadm create-manifest command.
Task: Specify installation instructions.
    JumpStart: Use profile files.
    AI: Use the installadm create-profile command.
Task: Specify client customization.
    JumpStart: Use rules files to associate clients with profile files.
    AI: Use the create-manifest or set-criteria subcommands of the installadm command.
Task: Specify client configuration.
    JumpStart: Use finish scripts and sysidcfg files.
    AI: Use the installadm create-profile command.

The table in the slide compares the methods used to accomplish JumpStart tasks and AI
tasks.

Comparing Rules Keywords and Criteria Directives

JumpStart rules file keyword: any
AI criteria file directives:
    For client systems that do not match any selection criteria, the AI
    installation service provides a default AI manifest.
JumpStart rules file keyword: arch sparc
AI criteria file directives:
    Command option: -c cpu=sparc
    Criteria file:
        <ai_criteria name="cpu">
          <value>sparc</value>
        </ai_criteria>
JumpStart rules file keyword: karch i86pc
AI criteria file directives:
    Command option: -c arch=i86pc
    Criteria file:
        <ai_criteria name="arch">
          <value>i86pc</value>
        </ai_criteria>

The table in the slide compares Oracle Solaris 10 JumpStart rules file keywords to Oracle
Solaris 11 AI criteria file directives.
Note: Oracle Solaris 11 introduces the JumpStart Migration utility, which has the ability to
convert Oracle Solaris 10 JumpStart rules and profiles to Automated Installer manifests. This
utility makes a best effort to translate those JumpStart keywords that can be translated to the
AI context and is not intended to create a one-to-one equivalence with JumpStart. To use the
js2ai(1) command-line utility, you must install the pkg:/install/js2ai package.

Comparing Rules Keywords and Criteria Directives

JumpStart rules file keyword: hostaddress xx.xx.xx.xx
AI criteria file directives:
    Command option: -c ipv4=xx.xx.xx.xx
    Criteria file:
        <ai_criteria name="ipv4">
          <value>xx.xx.xx.xx</value>
        </ai_criteria>
JumpStart rules file keyword: network xx.xx.xx.xx
AI criteria file directives:
    Use ipv4 with a range.
    Command option: -c ipv4=xx.xx.xx.xx-yy.yy.yy.yy
    Criteria file:
        <ai_criteria name="ipv4">
          <range>xx.xx.xx.xx yy.yy.yy.yy</range>
        </ai_criteria>
JumpStart rules file keyword: hostname xxxxxx
AI criteria file directives:
    To uniquely identify a host in AI, use either the IP address or the MAC address.

The table in the slide continues the comparison of Oracle Solaris 10 JumpStart rules file
keywords to Oracle Solaris 11 AI criteria file directives.

Comparing Rules Keywords and Criteria Directives

JumpStart profile (class) file keyword: memsize xxxx
AI criteria file directives:
    Command option: -c mem=xxxx
    Criteria file:
        <ai_criteria name="mem">
          <value>xxxx</value>
        </ai_criteria>
JumpStart profile (class) file keyword: model 123-xyz
AI criteria file directives:
    Command option: -c platform=123-xyz
    Criteria file:
        <ai_criteria name="platform">
          <value>123-xyz</value>
        </ai_criteria>

The table in the slide continues the comparison of Oracle Solaris 10 JumpStart rules file
keywords to Oracle Solaris 11 AI criteria file directives.

Converting a JumpStart Profile to an AI Manifest

JumpStart profile (class) file keyword: boot_device c0t0d0s0 update
AI manifest directives:
    <target>
      <disk whole_disk="true">
        <disk_name name="c0t0d0" name_type="ctd"/>
      </disk>
      <logical nodump="true" noswap="false"/>
    </target>
JumpStart profile (class) file keyword: bootenv
AI manifest directives:
    A boot environment is automatically created on the Oracle Solaris OS.
JumpStart profile (class) file keyword: cluster SUNWCXall
AI manifest directives:
    <software_data action="install">
      <name>pkg:/entire</name>
      <name>pkg:/group/system/solaris-desktop</name>
    </software_data>

The tables in this slide and the following slides show how to convert Oracle Solaris 10
JumpStart rules file keywords to Oracle Solaris 11 AI manifest directives.

Transition to Oracle Solaris 11 4 - 62


Converting a JumpStart Profile to an AI Manifest

JumpStart Profile (Class) File Keywords   AI Manifest Directives
fdisk c0t3d0 solaris maxfree              <target>
                                            <disk>
                                              <disk_name name="c0t3d0" name_type="ctd"/>
                                              <partition action="create" name="1"
                                                         part_type="191"/>
                                            </disk>
                                            <logical nodump="true" noswap="false"/>
                                          </target>
filesys                                   AI creates ZFS file systems, not UFS file systems.
geo                                       Geographic regions for language support are specified
                                          through pkg group packages.
locale                                    Locale support is specified through pkg facets.


Converting a JumpStart Profile to an AI Manifest

JumpStart Profile (Class) File Keywords   AI Manifest Directives
package 123xyz add                        <software type="IPS">
                                            <software_data action="install">
                                              <name>pkg:/entire</name>
                                              <name>pkg:/solaris-small-server</name>
                                              <name>pkg:/xxxxxx/123xyz</name>
                                            </software_data>
                                          </software>
package 123xyz delete                     <software type="IPS">
                                            <software_data action="uninstall">
                                              <name>pkg:/to/delete</name>
                                            </software_data>
                                          </software>
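The keyword mappings in the preceding tables, applied by a small converter. This is an added example, not code from the course or from any Oracle tool. The function names, the sample profile, and the caller-supplied `ips_names` mapping are assumptions; every line that cannot be converted is reported so that a package is never dropped silently during migration.

```python
import xml.etree.ElementTree as ET

# Rules-file keyword -> AI criteria name: the two pairs from the comparison table.
RULE_TO_CRITERIA = {"memsize": "mem", "model": "platform"}

# The table's install example lists these before the added package.
BASE_PACKAGES = ["pkg:/entire", "pkg:/solaris-small-server"]

# Constructed sample input. SUNWold and SUNWmystery are made-up names;
# the IPS names are the placeholders used in the table.
SAMPLE_PROFILE = """\
# constructed sample profile
install_type initial_install
package 123xyz add
package SUNWold delete
package SUNWmystery add
"""
SAMPLE_IPS_NAMES = {"123xyz": "pkg:/xxxxxx/123xyz", "SUNWold": "pkg:/to/delete"}


def rule_to_criteria(keyword, value):
    """Return (command_option, criteria_xml) for one rules keyword, or None."""
    name = RULE_TO_CRITERIA.get(keyword)
    if name is None:
        return None
    elem = ET.Element("ai_criteria", {"name": name})
    ET.SubElement(elem, "value").text = value
    return f"-c {name}={value}", ET.tostring(elem, encoding="unicode")


def profile_to_software(profile_text, ips_names):
    """Convert 'package NAME [add|delete]' lines into a <software> element.

    ips_names maps a JumpStart package name to its IPS package name. It is
    supplied by the caller because the two naming schemes do not line up
    mechanically. Returns (xml_string, skipped), where skipped lists every
    line that was NOT converted as (line_number, text, reason).
    """
    install, uninstall, skipped = list(BASE_PACKAGES), [], []
    for lineno, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] != "package" or len(fields) not in (2, 3):
            skipped.append((lineno, line, "keyword not handled"))
            continue
        # Assumption: 'add' is meant when the action is omitted.
        action = fields[2] if len(fields) == 3 else "add"
        fmri = ips_names.get(fields[1])
        if action not in ("add", "delete"):
            skipped.append((lineno, line, "unknown package action"))
        elif fmri is None:
            skipped.append((lineno, line, "no IPS name for package"))
        elif action == "add":
            install.append(fmri)
        else:
            uninstall.append(fmri)

    software = ET.Element("software", {"type": "IPS"})
    for action, names in (("install", install), ("uninstall", uninstall)):
        if not names:
            continue
        block = ET.SubElement(software, "software_data", {"action": action})
        for name in names:
            ET.SubElement(block, "name").text = name
    if hasattr(ET, "indent"):                    # pretty-print on Python 3.9+
        ET.indent(software)
    return ET.tostring(software, encoding="unicode"), skipped


if __name__ == "__main__":
    print(rule_to_criteria("memsize", "2048"))
    xml_out, skipped = profile_to_software(SAMPLE_PROFILE, SAMPLE_IPS_NAMES)
    print(xml_out)
    for lineno, line, reason in skipped:
        print(f"NOT CONVERTED line {lineno}: {line} ({reason})")
```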


Agenda

• Introducing Oracle Solaris 11 operating system installation options
• Performing interactive installations of the Oracle Solaris 11 operating system
• Configuring an AI Server and clients
• Converting JumpStart to AI
• Working with the distribution constructor


Distribution Constructor

• The distribution constructor:
  – Is used to build custom Oracle Solaris images
  – Builds an ISO image or a Virtual Machine image
  – Allows customized versions of the following Oracle Solaris 11 image types:
    - x86 or SPARC Oracle Solaris Text installer image
    - Oracle Solaris x86 Live Media image
    - x86 or SPARC ISO image for Automated Installations
• The distribution-constructor package contains:
  – The distro_const command-line utility
  – Manifest files

You use the distribution constructor to build custom Oracle Solaris images. These images can
be used to install the Oracle Solaris software on individual systems or on multiple systems
that run the Oracle Solaris 11 operating system. The distribution constructor takes an XML
manifest file as input and builds an ISO image or a Virtual Machine image that is based on the
parameters specified in the manifest file.
Using the distribution constructor, you can build customized versions of the following types of
Oracle Solaris 11 images:
• x86 or SPARC Oracle Solaris Text installer image
• Oracle Solaris x86 Live Media image
• x86 or SPARC ISO image for Automated Installations
The distribution constructor is distributed in the distribution-constructor package. The
distribution-constructor package contains the distro_const command-line utility for
building custom Oracle Solaris images. It also contains the default manifest files that are used
to describe the various image types.


Distribution Constructor Manifest Files

Manifest File       Manifest Type                   Description
dc_livecd.xml       x86 Live Media ISO image        Used to create an x86 ISO image that is comparable
                                                    with the Oracle Solaris Live Media image
dc_text_x86.xml     x86 text installation image     Used to create an x86 ISO image that can be used to
                                                    perform a text installation of the x86 Oracle
                                                    Solaris operating system
dc_text_sparc.xml   SPARC text installation image   Used to create a SPARC ISO image that can be used to
                                                    perform a text installation of the SPARC Oracle
                                                    Solaris operating system
dc_ai_x86.xml       x86 AI ISO image                Used to create an x86 Automated Installation ISO
                                                    image for automated installations of the Oracle
                                                    Solaris OS on x86 clients
dc_ai_sparc.xml     SPARC AI ISO image              Used to create a SPARC Automated Installation ISO
                                                    image for automated installations of the Oracle
                                                    Solaris OS on SPARC clients

The table in the slide lists the default manifest files shipped with the distribution-constructor
package. After you install the distribution-constructor package, you can locate these manifest
files in the /usr/share/distro_const directory.


Building an OS Image

• The build process can be performed in one step:
# distro_const build manifest
• Checkpointing is enabled by default.
• The build process can be stopped and resumed at a specific checkpoint:
# distro_const build -p checkpoint manifest
# distro_const build -r checkpoint manifest

You can build an OS image in one step by using the distro_const command without
options. You use the options provided in the distro_const command to stop and restart
the build process at various stages in the image-generation process, to check and debug your
selection of files, packages, and scripts for the image that is being built. This process of
stopping and restarting during the build process is called checkpointing.
Checkpointing supports the process of developing and debugging images. You can start
building an image, pause at any stage you want and examine the contents of the image, and
then resume building the image. Checkpointing is optional. The checkpointing feature is
enabled by default in the manifest file. A ZFS dataset, or a mount point that correlates to a
ZFS dataset, must be specified as the build area.
Checkpointing allows you to stop and resume at a specific checkpoint (step).
Example:
• # distro_const build -p step manifest
• # distro_const build -r step manifest


Quiz

Which servers are often used to support AI installation?
a. AI server, IPS server, and DNS server
b. AI server, DHCP server, and IPS server
c. AI server, DHCP server, and DNS server
d. AI server, DHCP server, IPS server, and DNS server

Answer: b


Quiz

Which of the following AI components provides installation instructions to the client system?
a. AI server
b. DHCP server
c. IPS repository

Answer: a


Quiz

During an automated installation, the client system that is being installed always requires
access to an IPS repository.
a. True
b. False

Answer: b


Quiz

Which command is used to reconfigure a Solaris 11 image to a pristine state?
a. sysconfig -d image-name
b. sysconfig -u image-name
c. sysconfig unconfigure
d. sysconfig deconfigure

Answer: c


Quiz

Which command is used to create a system configuration profile?
a. screate -o /var/tmp/output_file.xml
b. sysconfig create-sc -f /var/tmp/output_file.xml
c. screate -f /var/tmp/output_file.xml
d. sysconfig create-profile -o /var/tmp/output_file.xml

Answer: d


Quiz

Which command enables you to build an OS image in one step?
a. distro_const
b. distro_const build
c. distro_const build manifest

Answer: c


Summary

In this lesson, you should have learned how to:
• Describe Oracle Solaris 11 installation options
• Describe an Oracle Solaris 11 Live Media installation
• Describe an Oracle Solaris 11 Text installation
• Describe an Oracle Solaris 11 Automated installation
• Configure a system image
• Configure an AI server
• Configure an AI client
• Install Oracle Solaris 11 by using AI
• Compare JumpStart and AI
• Convert a JumpStart configuration to an AI configuration
• Describe the distribution constructor

In this lesson, you were presented with the Oracle Solaris 11 installation options. You were
shown how to install the operating system by using the interactive options (Text installer and
Live Media), as well as how to perform an automated installation. You then spent some time
looking at how to configure an AI server and client. You also had the opportunity to compare a
JumpStart OS installation with an AI OS installation and see how to perform the conversion.
Finally, you were introduced to the distribution constructor and shown how to build an OS
image.


Practices 4-3, 4-4, 4-5 and 4-6: Overview

These practices cover the following topics:
• Installing Oracle Solaris 11 network clients by using the Automated Installer (AI)
• Verifying that the system meets AI requirements
• Configuring the AI server
• Customizing the automated installations
• Deploying the OS to network clients
• Configuring an OS image


Oracle Solaris 11 Network Administration Enhancements
Job Workflow

• Introducing New Features and Enhancements
• Managing Software Packages
• Installing
• Network Administration Enhancements
• Administering Zones
• ZFS Enhancements
• Security Enhancements

Before you begin the lesson, take a look at the job workflow in the slide diagram. So far, you
have learned how to administer Oracle Solaris Zones.
You will now learn about the enhancements made to networking features of the Oracle Solaris
11 OS.


Objectives

After completing this lesson, you should be able to:
• Describe the Oracle Solaris 11 network
• Perform basic network administration
• Configure network virtualization features
• Configure Elastic Virtual Switch (EVS)
• Configure link aggregation
• Configure IP network multipathing (IPMP)
• Configure a network bridge
• Configure Integrated Load Balancer (ILB)
• Manage network resources
• Use network monitoring tools

This lesson introduces you to the Oracle Solaris 11 network and then teaches you how to
perform basic network administration. It then covers how to configure the network
virtualization features. The lesson then shows how to configure EVS, link aggregation, IPMP,
network bridges, and ILB. Finally, the lesson shows how to manage network resources and
the use of the various network monitoring tools.


Agenda

• Introducing the Oracle Solaris 11 network
• Performing basic network administration
• Configuring network virtualization features
• Configuring EVS
• Configuring link aggregation
• Configuring IPMP
• Configuring network bridges
• Configuring ILB
• Managing network resources
• Using network monitoring tools


Introducing Oracle Solaris 11 Network

• Revisit the Oracle Solaris 10 network protocol stack
• Explore the Oracle Solaris 11 network protocol stack
• Network configuration during installation

Network configuration in Oracle Solaris 11 has changed significantly from that of Oracle
Solaris 10. In addition, Oracle Solaris 11 supports several new networking features, including
some key network virtualization technologies.


Oracle Solaris 10 Network Protocol Stack

[Figure: the Oracle Solaris 10 network protocol stack, from top to bottom, with the commands
shown beside each layer]
  Application Layer: Program, Naming/directory services (pfiles)
  Transport Layer: TCP, UDP, SCTP; 192.168.222.5:53426 (netstat -p)
  Network Layer: IPv4, IPv6; e1000g0 192.168.222.5, e1000g0:1 192.168.222.6,
    nxge0 192.168.222.7 (ifconfig)
  Datalink Layer: Physical NICs e1000g0, nxge0, nxge1 (dladm show-dev, dladm show-phys)
  Hardware: e1000g, nxge

In the Oracle Solaris 10 implementation of the network protocol stack, interfaces and links on
the software layer were built on the devices in the hardware layer. More specifically, a
hardware device instance in the hardware layer had a corresponding link on the datalink layer
and a configured interface on the interface layer. The graphic in the slide depicts a typical
one-to-one relationship between the network device, its datalink, and its IP interface in Oracle
Solaris 10 releases.
Further, there is limited support for virtual devices in the datalink layer in Oracle Solaris 10,
wherein only link aggregations are supported.
You use the ifconfig command to manage logical interface names, where each logical
interface corresponds to an IP address on the interface. Therefore, it is not always obvious
which managed features apply to the interface and which apply to individual addresses.


Oracle Solaris 11 Network Protocol Stack

[Figure: the Oracle Solaris 11 network protocol stack, from top to bottom, with the commands
shown beside each layer]
  Application Layer: Program, Naming/directory services (pfiles)
  Transport Layer: TCP, UDP, SCTP; 192.168.222.5:53428 (netstat -p)
  Network Layer: net0/v4 192.168.222.5, net0/v4a 192.168.222.6, vnic0/v4 192.168.222.7 on
    interfaces net0 and vnic0 (ipadm show-addr, ipadm show-if)
  Datalink Layer (dladm show-link): VNICs vnic0, vnic1 (dladm show-vnic); Etherstubs
    etherstub0 (dladm show-etherstub); Physical NICs net0, net1 (dladm show-phys)
  Hardware: ixgbe0, nxge0

In Oracle Solaris 11, you will still find the one-to-one relationship between the hardware,
datalink, and interface layers, as shown in the graphic in the slide. However, the new network
design of Oracle Solaris 11 decouples the software layer from the hardware layer. With this
separation, network configuration on the software layer is no longer bound to the chipset or
the network topology in the hardware layer. With this decoupling, you can create customized
link names in the datalink layer. Further, with the abstraction of the datalink layer, multiple
networking abstractions or configurations, such as virtual local area networks (VLANs), virtual
network interface cards (VNICs), physical devices, link aggregations, and IP tunnels, are
unified into a common administrative entity, which is the datalink.


Network Configuration During Installation

• GUI installation:
  – Uses the Automatic profile where the network is automatically configured upon reboot,
    based on the current network conditions
• Text installation:
  – Allows you to choose one of the following options:
    - Automatic: Activates the Automatic profile and the network is automatically
      configured upon reboot
    - Manual: Uses the DefaultFixed profile that enables you to manually configure
      network settings
    - None: Uses the DefaultFixed profile, but you do not perform network configuration
• AI installation:
  – Configures the network based on the profile that you set up before the installation


Agenda

• Introducing Oracle Solaris 11 network
• Performing basic network administration
• Configuring network virtualization features
• Configuring EVS
• Configuring link aggregation
• Configuring IPMP
• Configuring network bridges
• Configuring ILB
• Managing network resources
• Using network monitoring tools


Oracle Solaris 11 Network Administration

• Using the network administration commands
• Administering datalinks
• Configuring IP interfaces and IP addresses
• Configuring persistent routes
• Working with reactive profiles

Network configuration in Oracle Solaris 11 has changed significantly from how you configured
the network in Oracle Solaris 10. In addition, Oracle Solaris 11 supports several new
networking features, including some key network virtualization technologies.


Network Administration Commands

Use the following commands for persistent network configuration in Oracle Solaris 11:
• ipadm: Creates persistent configuration of interfaces, addresses, and TCP/IP properties.
  This command replaces the ifconfig command that is used in Oracle Solaris 10.
• dladm: Manages datalink configuration. This command replaces the ndd command and the
  driver.conf file that are used in Oracle Solaris 10 for configuration of certain network
  parameters.
• route: Configures persistent routes. This command replaces the /etc/defaultrouter file
  that is used in Oracle Solaris 10 to manage a system route configuration.

Note: In Oracle Solaris 11, the /etc/defaultrouter file is not removed, but is deprecated.


Comparing Network Administration Commands

Task                               Oracle Solaris 10                  Oracle Solaris 11
Datalink configuration             dladm command                      dladm command
IP interface and IP address        ifconfig command                   ipadm command
configuration                      Edit the /etc/hostname* file.
System host name configuration     Edit the /etc/nodename file.       hostname command
TCP/IP host name configuration     Edit the /etc/inet/hosts file.     Edit the /etc/inet/hosts file.
Network parameter administration   ndd command                        ipadm command
                                                                      dladm command
Wireless network configuration     wificonfig command                 dladm command
Driver configuration               ndd command                        Set dladm properties.
                                   Edit the /etc/driver.conf file.    Configure driver-private
                                                                      properties.


Administering Datalinks

• Determine the state of physical network interfaces:
# dladm show-phys
LINK    MEDIA       STATE      SPEED   DUPLEX   DEVICE
net1    Ethernet    unknown    1000    full     e1000g1
net2    Ethernet    unknown    1000    full     e1000g2
net0    Ethernet    up         1000    full     e1000g0
net3    Ethernet    unknown    1000    full     e1000g3

• Determine the state of each network link:
# dladm show-link
LINK    CLASS    MTU     STATE      OVER
net1    phys     1500    unknown    --
net2    phys     1500    unknown    --
net0    phys     1500    up         --
net3    phys     1500    unknown    --


Configuring IP Interfaces and IP Addresses

• Configure a static network interface:
# ipadm create-ip net0
# ipadm create-addr -T static -a local=192.168.0.112/24 net0
net0/v4

• Configure an interface with DHCP:
# ipadm create-ip net1
# ipadm create-addr -T dhcp net1/dhcpaddr
net1/dhcpaddr

• Display interface information:
# ipadm interface
# ipadm show-if
# ipadm show-addr

Note: There are two steps to configure an IP in Oracle Solaris 11: First, you create the
interface, and then you configure an IP address for the interface. However, in Oracle Solaris
10, you configure an IP in a single step by using the ifconfig command.


Configuring Persistent Routes

• Add a persistent route to a system:
# route -p add default ip-address

• View all the persistent static routes:
# route -p show

• Display the currently active routes on a system:
# netstat -rn

You use the route command to manually manipulate the network routing tables. The use of
the -p option with the route command makes the changes persistent across reboots. You
cannot manage routes by using the /etc/defaultrouter file because it is deprecated in
Oracle Solaris 11.
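Because ipadm and route -p write configuration that survives a reboot, a mistyped prefix or an off-link gateway persists too. The following added example (not part of the course material) checks the values first and only then emits the two-step ipadm sequence and the persistent default route described above. The function names and the link-name pattern are assumptions, and the address object is named explicitly as link/v4.

```python
import ipaddress
import re

# Assumption: datalink names are lowercase alphanumerics ending in a digit (net0, vnic1).
LINK_RE = re.compile(r"^[a-z][a-z0-9_]*\d$")

# Read-only commands from the slides for checking the result afterwards.
VERIFY = ["ipadm show-if", "ipadm show-addr", "route -p show", "netstat -rn"]


def _check_link(link):
    if not LINK_RE.match(link):
        raise ValueError(f"not a datalink name: {link!r}")


def plan_static(link, cidr, gateway=None):
    """Return the commands for a static IPv4 address and an optional default route.

    Raises ValueError instead of emitting a configuration that would persist
    across reboots in a broken state.
    """
    _check_link(link)
    if "/" not in cidr:
        # Without a prefix the address would be parsed as a /32 host route.
        raise ValueError("prefix length is required, for example 192.168.0.112/24")
    iface = ipaddress.IPv4Interface(cidr)
    net = iface.network
    # /31 and /32 have no separate network or broadcast address to collide with.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")

    commands = [
        f"ipadm create-ip {link}",                                   # step 1: interface
        f"ipadm create-addr -T static -a local={iface.with_prefixlen} {link}/v4",  # step 2
    ]
    if gateway is not None:
        gw = ipaddress.IPv4Address(gateway)
        if gw not in net:
            raise ValueError(f"gateway {gw} is not on the {net} subnet")
        if gw == iface.ip:
            raise ValueError("gateway is the host's own address")
        commands.append(f"route -p add default {gw}")
    return commands


def plan_dhcp(link):
    """Return the two-step sequence for a DHCP-configured interface."""
    _check_link(link)
    return [f"ipadm create-ip {link}", f"ipadm create-addr -T dhcp {link}/dhcpaddr"]


if __name__ == "__main__":
    # Constructed sample values; 192.168.0.1 is an assumed gateway address.
    for cmd in plan_static("net0", "192.168.0.112/24", "192.168.0.1") + VERIFY:
        print("#", cmd)
```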


Configuring Reactive Profiles

• List all profiles and their state:
# netadm list

• List system-defined and user-defined profiles:
# netcfg list

• Create an NCP and NCU:
# netcfg
netcfg> create ncp oracle_profile
netcfg:ncp:oracle_profile> create ncu phys net0

• Enable a profile:
# netadm enable -p loc classroom
# netadm enable -p ncp oracle_profile

You use the netadm list command to display all profile information, including which
profiles are active, even if the currently active profile is DefaultFixed and you are using
fixed network configuration. It is the only command that you can use to determine which
profile is active on a system. Also, you use the netadm list command to check which
profile is active after an installation.
You use the netcfg command to create new profiles and customize them, and you use the
netadm command to display information about existing profiles and to manage user-defined
profiles.


Configuring Reactive Profiles

• Create an NCP and NCU:
# netcfg
netcfg> create ncp oracle_profile
netcfg:ncp:oracle_profile> create ncu phys net0
Created ncu 'net0'. Walking properties ...
...

• Create a location profile:
# netcfg
netcfg> create loc User
Created loc 'User'. Walking properties ...
...

• Enable a profile:
# netadm enable -p loc classroom
# netadm enable -p ncp oracle_profile

The network profile and configuration object types are:
• Network Configuration Profiles (NCPs): An NCP specifies the configuration of
  network links and interfaces. There are two types of NCPs:
  - Automatic NCP: It is a system-defined profile that is made up of one link NCU
    and one interface NCU for each physical link that is present on the system. The
    content of the Automatic NCP changes if network devices are added or
    removed.
  - User-defined NCPs: They are profiles that you create to meet the needs of your
    particular network configuration. A user-defined NCP can be modified and
    removed by the user.
• Network Configuration Units (NCUs): They are the individual configuration objects (or
  profiles) that contain all of the properties that define an NCP. Each NCU represents a
  physical link or an interface and contains properties that define the configuration for that
  link or interface.
• Location Profiles: It is one of the two primary profile types that define the system’s
  network configuration and specifies the systemwide network configuration (for example,
  the naming services, domain, IP Filter, and IPsec configuration). There are both
  system- and user-defined locations.


Practice 5-1: Overview

This practice covers the following topics:
• Accessing the current network profile
• Creating and deploying a network profile


Practice 5-2: Overview

This practice covers exploring the new capabilities of the ipadm and dladm utilities:
• Manage datalinks by using dladm.
• Manage IP configuration by using ipadm.


Agenda

• Introducing the Oracle Solaris 11 network
• Performing basic network administration
• Configuring network virtualization features
• Configuring EVS
• Configuring link aggregation
• Configuring IPMP
• Configuring network bridges
• Configuring ILB
• Managing network resources
• Using network monitoring tools


Transitioning to Virtual Networking

[Figure: a physical network (Webserver 1, Webserver 2, Router, and database servers) on the
left; on the right, its virtual equivalent inside one Oracle Solaris 11 system, with
Webserver 1, Webserver 2, Router, and Server zones (db1, db2, db3) joined by VNICs, virtual
switches (etherstubs), and Physical Link 1.]

Network virtualization is the process of combining hardware network resources and software
network resources into a single administrative unit. The goal of network virtualization is to
provide systems and users with efficient, controlled, and secure sharing of the networking
resources. The end product of network virtualization is the virtual network.
With server virtualization becoming more mainstream in the IT industry, the focus is shifting to
a deployment model that uses network virtualization to support the sharing of network traffic
amongst multiple virtual machines (VMs) or zones. Along with a rise in the adoption of cloud
architectures that rely upon virtualization for deploying workloads, network virtualization is
playing an even more critical role in the overall network administration strategy in Oracle
Solaris.
Using virtual infrastructure (shown on the right in the graphic in the slide) to consolidate
physical systems in the data center, enterprises can experience the following:
• Lower total cost of ownership of servers
• Higher server utilization
• Increased operational efficiency
• Tighter security


Virtual Network Building Blocks

Components and their descriptions:
• Virtual NIC (VNIC): A VNIC is a virtual network device with the same datalink
functionality as the physical interface.
• Virtual switch: A virtual switch is an entity that facilitates communication between
virtual machines (VMs). The virtual switch loops traffic between virtual machines
(inter-VM traffic) within the physical machine and does not send this traffic out on the wire.
• Elastic Virtual Switch (EVS): An EVS enables direct management of virtual switches. You can
create EVS switches to deploy multiple virtual networks that span multiple hosts, within
either a multi-tenant cloud environment or a datacenter. Additionally, you can connect any
Oracle Solaris VNIC to an EVS switch or a virtual port. Such VNICs automatically inherit
their network configuration from EVS.

Note: You will learn more about the EVS feature later in this lesson.


Building a Simple Virtual Network

[Figure: global zone containing Zone 1 (vnic1) and Zone 2 (vnic2), both attached through a
virtual switch to net0, which connects to the network.]

# dladm create-vnic -l net0 vnic1
# dladm create-vnic -l net0 vnic2

The graphic in the slide shows a simple virtual network with two Solaris zones. Whenever you
create two or more VNICs on the same physical port, a virtual switch will be created at the
MAC layer. The effect of the creation of the virtual switch is that traffic between Zone 1 and
Zone 2 is switched at the MAC layer. As long as the VNICs share the same physical NIC and
are on the same VLAN, this MAC layer virtual switch can be employed.
This slide shows you how to create two VNICs on the physical interface.


Configuring a Private Virtual Network

[Figure: global zone containing Zone 3 (vnic1) and Zone 4 (vnic2) on the 192.168.1 network,
both attached to etherstub stub0; vnic0 and net0 are in the global zone, and net0 connects to
the 192.168.0 network.]

# dladm create-etherstub stub0
# dladm create-vnic -l stub0 vnic0
# dladm create-vnic -l stub0 vnic1
# dladm create-vnic -l stub0 vnic2

This slide shows a simple, isolated private virtual network with two Solaris zones. This virtual
network consists of the following:
• GLDv3 network interface net0: This interface connects the global zone to the public
network.
• Etherstub stub0: You use etherstubs to isolate the virtual network from the rest of the
virtual networks in the system as well as the external network to which the system is
connected. You cannot use an etherstub just by itself. Instead, you use VNICs with an
etherstub to create the private or isolated virtual networks. You can create as many
etherstubs as you require. You can also create as many VNICs over each etherstub as
required.
• Three VNICs: vnic0 is created over etherstub stub0. This interface can be configured
in the global zone to provide a route between the private virtual network (192.168.1.0)
and the public network. Technologies such as IP forwarding, IP filtering, and Network
Address Translation (NAT) can be used to customize the relationship between the
private and public networks. VNICs vnic1 and vnic2 are also created over etherstub
stub0 and are used to attach the nonglobal zones to stub0.
• Two exclusive IP zones: Each of the two exclusive IP zones has a VNIC assigned.
vnic1 is assigned to Zone 3 and vnic2 is assigned to Zone 4.


Creating a Datalink in Non-Global Zone from the Global Zone

Create a VNIC v1 in nonglobal zones zone1 and zone2 from the global zone.

# dladm create-vnic -t -l net1 zone1/v1
# dladm create-vnic -t -l net1 zone2/v1
# dladm show-link -Z
LINK        ZONE    CLASS  MTU   STATE    OVER
net1        global  phys   1500  unknown  --
net0        global  phys   1500  up       --
zone1/net0  zone1   vnic   1500  up       net0
zone2/net0  zone2   vnic   1500  up       net0
zone1/v1    zone1   vnic   1500  up       net1
zone2/v1    zone2   vnic   1500  up       net1

Starting from Oracle Solaris 11.2, you can create datalinks in nonglobal zones from the global
zone. This feature enables administrators to dynamically create VNICs, VLANs, and IP-over-
InfiniBand partitions directly in the nonglobal zone’s namespace from the global zone. Link
names are specified as <zonename>/<linkname> and the links are created directly in the
specified nonglobal zone.
The example in the slide shows how to create a VNIC v1 in nonglobal zones zone1 and
zone2 from the global zone. The zone1/net0 and zone2/net0 are automatically created
VNICs for zone1 and zone2, respectively.


Accessing a Virtual Network Configuration

# dladm show-link
LINK   CLASS      MTU   STATE    OVER
net1   phys       1500  unknown  --
net2   phys       1500  unknown  --
net0   phys       1500  up       --
net3   phys       1500  unknown  --
stub0  etherstub  9000  unknown  --
vnic0  vnic       9000  up       stub0
vnic1  vnic       9000  up       stub0
vnic2  vnic       9000  up       stub0

# dladm show-vnic
LINK   OVER   SPEED  MACADDRESS       MACADDRTYPE  VIDS
vnic0  stub0  40000  2:8:20:61:47:f6  random       0
vnic1  stub0  40000  2:8:20:81:e5:95  random       0
vnic2  stub0  40000  2:8:20:e9:10:18  random       0

# dladm show-etherstub
LINK
stub0

This slide shows useful commands for accessing your virtual network configuration. The first
command (dladm show-link) shows you how to list all the links configured in your system.
This includes VNICs and etherstubs. The next command (dladm show-vnic) shows you how
to list the VNIC links. The last command (dladm show-etherstub) shows you how to
list the etherstubs.
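The private-network layout and the dladm show-link listing above can be turned into an isolation check. The following is an added example, not part of the course material: it reads link:class:over records (the shape of dladm show-link -p -o link,class,over) and reports whether each VNIC sits on an etherstub or on a link that reaches the wire. The function names are hypothetical and the sample records are constructed from the slides, with vnic3 added as a VNIC created directly over net0.

```shell
#!/bin/sh
# Added example: audit which VNICs are isolated behind an etherstub.
# Input records are "link:class:over", one per line.

# Constructed sample (not captured output): the private network from the
# slides plus vnic3, a hypothetical VNIC created directly over net0.
sample_links() {
    cat <<'EOF'
net0:phys:
stub0:etherstub:
vnic0:vnic:stub0
vnic1:vnic:stub0
vnic2:vnic:stub0
vnic3:vnic:net0
EOF
}

# classify_vnics: prints "<vnic> <lower-link> <verdict>" for every VNIC.
#   isolated            lower link is an etherstub (no path to the wire)
#   on-wire             lower link is any other known class (phys, aggr, ...)
#   unknown-lower-link  lower link is missing from the input
classify_vnics() {
    awk -F: '
        { class[$1] = $2; over[$1] = $3; order[NR] = $1 }
        END {
            for (i = 1; i <= NR; i++) {
                l = order[i]
                if (class[l] != "vnic") continue
                o = over[l]
                if (!(o in class))                v = "unknown-lower-link"
                else if (class[o] == "etherstub") v = "isolated"
                else                              v = "on-wire"
                print l, o, v
            }
        }'
}

# check_private VNIC...: reads records on stdin and returns non-zero if any
# named VNIC is missing or is not carried by an etherstub.
check_private() {
    records=$(cat)
    rc=0
    for want in "$@"; do
        verdict=$(printf '%s\n' "$records" | classify_vnics |
                  awk -v n="$want" '$1 == n { print $3 }')
        if [ "$verdict" != "isolated" ]; then
            echo "NOT ISOLATED: $want (${verdict:-no such vnic})" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: classify the constructed sample.
sample_links | classify_vnics
```

On a live system, the records would come from dladm instead of sample_links, and the VNIC names passed to check_private would be the ones assigned to the zones that must stay private.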


Bandwidth Management

• This enables the assignment of a portion of the available bandwidth of an NIC by setting
the maxbw option.
• The allocated portion of bandwidth is known as a share.
– The limit is the maximum allocation of bandwidth that the share can consume.

Bandwidth management enables you to assign a portion of the available bandwidth of an NIC
to a consumer, such as an application or a customer. You can control bandwidth on a
per-application, per-port, per-protocol, and per-address basis. Bandwidth management
ensures efficient use of the large amount of bandwidth available from the new GLDv3 network
interfaces. Resource control features enable you to implement a series of controls on an
interface’s available bandwidth.
The allocated portion of bandwidth is known as a share. By setting up shares, you can
allocate enough bandwidth for applications that cannot function properly without a certain
amount of bandwidth. For example, streaming media and Voice over IP consume a great deal
of bandwidth. You can use the resource control features to guarantee that these two
applications have enough bandwidth to successfully run. You can also set a limit on the
share. The limit is the maximum allocation of bandwidth that the share can consume. Using
limits, you can contain noncritical services from taking away bandwidth from critical services.
You can prioritize among the various shares allotted to consumers. You can give highest
priority to critical traffic, such as heartbeat packets for a cluster, and lower priority for less
critical applications.
You can control bandwidth usage through the management of flows (by using the flowadm
command) and link utilization (by using the dladm command).


Managing Bandwidth

[Figure: the private virtual network from the earlier slide (Zone 3 with vnic1 and Zone 4 with
vnic2 on stub0, 192.168.1 network; vnic0 and net0 in the global zone, 192.168.0 network),
annotated with "Firewall", "100Mb/s", and "Priority=Low".]

This slide shows you how to restrict flows and lower priority on a VNIC. Flows consist of
network packets that are organized according to an attribute. Flows enable you to further
allocate network resources.


Managing Bandwidth

# flowadm add-flow -l vnic2 -a transport=tcp,local_port=80 http1
# flowadm set-flowprop -p maxbw=100M http1
# flowadm show-flowprop http1
FLOW   PROPERTY  PERM  VALUE   DEFAULT  POSSIBLE
http1  maxbw     rw    100     --       --
http1  priority  rw    medium  medium   low,medium,high
http1  hwflow    r-    off     --       on,off

# dladm set-linkprop -p priority=low vnic2
# dladm show-linkprop -p priority vnic2
LINK   PROPERTY  PERM  VALUE  EFFECTIVE  DEFAULT  POSSIBLE
vnic2  priority  rw    low    low        medium   low,medium,high

In the example in this slide, a flow named http1 is created by using the flowadm command.
This user-designed flow (http1) matches TCP traffic on local port 80 of vnic2 and restricts
its bandwidth to 100 Mbits/s. The dladm set-linkprop command then sets the link priority of
vnic2 to low.


Practice 5-3: Overview

This practice covers exploring Oracle Solaris 11 network virtualization:
• Configure two zones on a private virtual network.
• Configure the virtual network for public access.
• Secure the virtual network behind a firewall.
• Control network traffic flow.


Agenda

• Introducing the Oracle Solaris 11 network
• Performing basic network administration
• Configuring network virtualization features
• Configuring EVS
• Configuring link aggregation
• Configuring IPMP
• Configuring network bridges
• Configuring ILB
• Managing network resources
• Using network monitoring tools


Elastic Virtual Switch (EVS): Overview

• Is an entity that represents explicitly created virtual switches that belong to the same
Layer 2 (L2) segment
• Enables you to create and administer a virtual switch that spans one or more physical
machines (nodes)
• Provides network connectivity between VMs connected to it from anywhere in the network

[Figure: a compute node hosting VM1 (VNIC1) and VM2 (VNIC2), each VNIC attached to a VPort of
Elastic Virtual Switch EVS0, which sits over the node's datalink.]

Today’s data centers include multiple physical servers hosting several virtual machines (VMs)
that are connected by a network fabric. Provisioning networking for VMs in a data center is a
challenge for administrators, because it includes virtual networking between VMs, managing
the MAC address and IP address, and administering VLANs and VXLANs. The additional
challenge apart from ensuring internal and external network connectivity for VMs is to
provision and enforce service-level agreements (SLAs). These SLAs might include bandwidth
limits and priorities. Data center administrators also need to provide isolation between
multiple tenants sharing a common network infrastructure. To meet these requirements,
Oracle Solaris network virtualization capabilities enable administrators to manage virtual
switches across a data center. The virtual switches are exposed as first-class operating
system abstractions. These virtual switches, also known as elastic virtual switches, span
multiple physical servers and enable system administrators to manage them as a single
virtual switch.
Starting with the Oracle Solaris 11.2 release, you can use the Oracle Solaris Elastic Virtual
Switch (EVS) feature to manage multiple virtual switches that are spread across several
physical machines. An elastic virtual switch represents an isolated L2 segment, and the
isolation is implemented through VLANs or VXLANs. Every elastic virtual switch is associated
with a name, virtual ports, and a block of IP addresses. You can create, monitor, and control
the virtual switch resources.


Elastic Virtual Switch: Example

[Figure: two compute nodes, CN1 and CN2, hosting VM1 through VM6 with VNIC1 through VNIC6.
Each VNIC attaches to a VPort of EVS1 or EVS2; both elastic virtual switches span the two
nodes. Each node has a datalink to the network fabric (VLAN, VXLAN).]

The graphic in the slide shows an example of two elastic virtual switches (EVS1 and EVS2)
between two compute nodes. The VMs that are provisioned on these compute nodes are
connected through the elastic virtual switches that span across the two compute nodes. Each
compute node connects to the same network fabric through a datalink. The datalink is also
known as an uplink port. The datalinks on these compute nodes connect the virtual switch to
the external network. The VNIC is connected to the elastic virtual switch through a virtual port
(VPort). The VNICs inherit properties that are associated with the virtual ports, such as MAC
address, IP address, and SLAs.
In the graphic in the slide, the VMs VM1, VM2, and VM6 can communicate with each other
through the elastic virtual switch EVS1. The VMs VM3, VM4, and VM5 can communicate with
each other through the elastic virtual switch EVS2.
Note: The limitation of EVS is that you can connect only temporary VNICs to an elastic virtual
switch.


Installing the Mandatory EVS Packages

You need to install the following packages before using EVS:
• pkg:/service/network/evs: You need to install this core package on the EVS manager,
EVS controller, and EVS nodes. This package contains the following components:
– evsadm
– evsstat
– svc:/network/evs:default
• pkg:/system/management/rad/module/rad-evs-controller: You need to install this package
only on the system that acts as an EVS controller. This package contains the SMF service,
svc:/network/evs-controller:default.

Note
• The svc:/network/evs:default SMF service has the controller property that
holds the host name or the IP address of the EVS controller. The EVS client uses the
host name or the IP address to communicate with the EVS controller. You use the
evsadm set-prop command to manage the controller property.
• The svc:/network/evs-controller:default SMF service has properties that
capture information that is necessary for implementing L2 segments across physical
machines. You use the evsadm set-controlprop command to manage the
controller properties.


Setting Up SSH Authentication

[Figure: SSH key placement between EVS components. Each EVS node shows the root user's
/root/.ssh/id_rsa.pub and evsuser's /var/user/evsuser/.ssh/authorized_keys. The EVS controller
shows evsuser's /var/user/evsuser/.ssh/id_rsa.pub and /var/user/evsuser/.ssh/authorized_keys.
The EVS manager shows the administrator's $HOME/.ssh/id_rsa.pub.]

Note: It is assumed that the controller property is set to
ssh://evsuser@evs-controller.example.com on each host.

The graphic in the slide shows the setting up of SSH authentication between the EVS
components. You need SSH authentication with the preshared public key for the evsadm
command to communicate with the EVS controller non-interactively and securely. You need to
set up the SSH authentication with the preshared public key for evsuser between the
following components in the EVS setup:
• EVS manager and EVS controller: Append the public key of the administrator or the
user running the evsadm command on the EVS manager to the
/var/user/evsuser/.ssh/authorized_keys file on the EVS controller.
• EVS nodes and EVS controller: Append the public key of the root user on each EVS
node to the /var/user/evsuser/.ssh/authorized_keys file on the EVS
controller. You need to append these public keys because the zoneadmd daemon runs
as root. This daemon connects to the EVS controller and retrieves configuration
information for the VNIC anet resource. For more information, see the zoneadmd(1M)
man page.
• EVS controller and EVS nodes: Append the public key of evsuser on the EVS
controller to the /var/user/evsuser/.ssh/authorized_keys file on each EVS
node because the EVS controller communicates with each of the EVS nodes for setting
VPort properties.
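Each of the three key exchanges above is an append of one public key to an evsuser authorized_keys file. The following is an added example, not part of the course material, of making that append repeatable and strict in POSIX shell: it accepts only a single public-key line, skips a key that is already present, and keeps the directory at 0700 and the file at 0600. The function name authorize_key and the key strings are hypothetical, and the demo writes to a scratch directory instead of /var/user/evsuser.

```shell
#!/bin/sh
# Added example: append a public key to an authorized_keys file exactly once.

# authorize_key PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Prints "added" or "present" (exit 0), or "rejected: ..." (exit 2).
authorize_key() {
    pub=$1
    auth=$2

    # A .pub file holds one line: "<type> <base64-blob> [comment]".
    # Anything else (a private key, several keys, an empty file) is refused.
    line=$(grep -v '^[[:space:]]*$' "$pub") || { echo "rejected: empty file"; return 2; }
    n=$(printf '%s\n' "$line" | awk 'END { print NR }')
    [ "$n" -eq 1 ] || { echo "rejected: expected exactly one key line"; return 2; }

    ktype=$(printf '%s\n' "$line" | awk '{ print $1 }')
    kblob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "rejected: not a public key line"; return 2 ;;
    esac
    [ -n "$kblob" ] || { echo "rejected: key material missing"; return 2; }

    # Keep the directory and file private to the account that owns them.
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir" || return 2
    [ -f "$auth" ] || ( umask 077; : > "$auth" ) || return 2
    chmod 600 "$auth"

    # Compare on the key blob, so a changed comment does not add a duplicate.
    if awk -v b="$kblob" \
        '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 } END { exit !f }' "$auth"
    then
        echo "present"
        return 0
    fi
    printf '%s\n' "$line" >> "$auth"
    echo "added"
}

# Demo in a scratch directory laid out like the EVS controller's evsuser
# account. The key strings are constructed placeholders, not real keys.
demo() {
    root=$(mktemp -d) || return 1
    ctl_auth=$root/var/user/evsuser/.ssh/authorized_keys
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EconstructedNodeKey root@evs-node1' \
        > "$root/node1_root.pub"
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EconstructedMgrKey admin@evs-manager' \
        > "$root/manager_admin.pub"
    authorize_key "$root/node1_root.pub" "$ctl_auth"
    authorize_key "$root/manager_admin.pub" "$ctl_auth"
    authorize_key "$root/node1_root.pub" "$ctl_auth"    # second run adds nothing
    awk 'END { print NR " key(s) authorized" }' "$ctl_auth"
    rm -rf "$root"
}

demo
```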


Configuring an EVS Controller

1. Set the EVS controller.
# evsadm set-prop -p controller=[value[...,]]

2. Display the configured EVS controller.
# evsadm show-prop [[-c] -o field[,...]] [-p prop[,...]]

3. Set the properties for the EVS controller.
# evsadm set-controlprop [-h host] -p prop=[value[...,]]

4. Display the properties of an EVS controller.
# evsadm show-controlprop [[-c] -o field[,...]] [-p prop[,...]]

You must specify only one compute node as an EVS controller in your network, and then set
the EVS controller on each compute node so that the compute nodes can communicate with
the EVS controller. However, you need to set the controller properties only once from any
compute node that can communicate with the EVS controller. You can run the evsadm
command on any machine that can communicate with the EVS controller. You can also
reset the controller properties for an EVS controller.
Before you configure the EVS controller, you must set up SSH authentication with preshared
keys between the host where you run the evsadm command and the EVS controller. You
need SSH authentication so that the evsadm command can communicate with the EVS
controller non-interactively and securely.


The following example shows how to configure the s11-server host as the EVS controller
whose L2 segments are created by using a VXLAN.
# evsadm set-prop -p controller=ssh://s11-server
# evsadm show-prop
PROPERTY    PERM  VALUE             DEFAULT
Controller  rw    ssh://s11-server  --
# evsadm set-controlprop -p l2-type=vxlan
# evsadm set-controlprop -p vxlan-range=10000-20000
# evsadm set-controlprop -p vxlan-addr=192.168.10.0/24
# evsadm set-controlprop -h s11-server -p uplink-port=net3
# evsadm set-controlprop -h s11-client -p uplink-port=net4
# evsadm show-controlprop
PROPERTY           PERM  VALUE            DEFAULT  HOST
l2-type            rw    vxlan            vlan     --
uplink-port        rw    --               --       --
uplink-port        rw    net3             --       s11-server
uplink-port        rw    net4             --       s11-client
vlan-range         rw    --               --       --
vlan-range-avail   r-    --               --       --
vxlan-addr         rw    192.168.10.0/24  0.0.0.0  --
vxlan-ipvers       rw    v4               v4       --
vxlan-mgroup       rw    0.0.0.0          0.0.0.0  --
vxlan-range        rw    10000-20000      --       --
vxlan-range-avail  r-    10000-20000      --       --

In this example, the vxlan-range-avail property displays the VXLAN IDs (10000-20000)
that are available for implementing elastic virtual switches. An IP interface that is part of the
subnet 192.168.10.0/24 is used to create the VXLAN links on the EVS nodes.


Configuring Elastic Virtual Switches

1. Create an elastic virtual switch.
# evsadm create-evs [-T tenant-name] \
[-p {prop=value[,...]}[,...]] EVS-switch-name

2. Add an IPnet to an elastic virtual switch.
# evsadm add-ipnet [-T tenant-name] \
-p subnet=value[{,prop=value[,...]}[,...]] \
EVS-switch-name/IPnet-name

3. Add a VPort to an elastic virtual switch.
# evsadm add-vport [-T tenant-name] [-p {prop=value[,...]}[,...]] \
EVS-switch-name/VPort-name

4. Display the configured elastic virtual switch.
# evsadm

When you plan to configure an elastic virtual switch, you need to understand your virtual
topology. Determine how many L2 segments you need and the IPnet information for each
network including the subnet and the default router. In addition, you might need to determine
the number of virtual ports that you need to configure for the elastic virtual switch and the
properties that you need to specify for virtual ports.
The following example shows how to create the elastic virtual switch ORA with the tenant
tenantA, add an IPnet ora_ipnet, and add a VPort vport0 to the elastic virtual switch:
# evsadm create-evs -T tenantA ORA
# evsadm add-ipnet -T tenantA -p subnet=192.168.10.0/24 ORA/ora_ipnet
# evsadm add-vport -T tenantA ORA/vport0
# evsadm
NAME    TENANT   STATUS  VNIC  IP               HOST
ORA     tenantA  idle    --    ora_ipnet        -
vport0  --       free    --    192.168.10.2/24  --


Creating VNICs for an Elastic Virtual Switch

1. Configure a VNIC for an elastic virtual switch.
# dladm create-vnic -t -c EVS-switch-name[/VPort-name] \
[-T tenant-name] VNIC-name

2. Display information about VNICs connected to an elastic virtual switch.
# dladm show-vnic -c

Note: The -c option displays the information about VNICs connected to an elastic virtual
switch.

The following example shows how to create a temporary VNIC vnic1 and connect the VNIC
to the elastic virtual switch ORA and VPort vport0:
# dladm create-vnic -t -c ORA/vport0 vnic1
# dladm show-vnic -c
LINK   TENANT      EVS  VPORT   OVER            MACADDRESS       VIDS
vnic1  sys-global  ORA  vport0  evs-vxlan10000  2:8:20:b0:6e:63  0


Creating a VNIC anet Resource for an EVS

The following example shows how to create a zone that has a VNIC anet resource
evszone/net1, which is connected to ORA EVS and vport0 of the tenant tenantA.
# zonecfg -z evszone
Use 'create' to begin configuring a new zone
zonecfg:evszone> create
create: Using system default template 'SYSdefault'
zonecfg:evszone> set zonepath=/export/zones/evszone
zonecfg:evszone> set tenant=tenantA
zonecfg:evszone> add anet
zonecfg:evszone:net> set evs=ORA
zonecfg:evszone:net> set vport=vport0
zonecfg:evszone:net> end
zonecfg:evszone> exit
# zoneadm -z evszone install
# zoneadm -z evszone boot
# dladm show-vnic -c
LINK          TENANT   EVS  VPORT   OVER  MACADDRESS       VIDS
evszone/net1  tenantA  ORA  vport0  net2  2:8:20:89:a1:97  200

Note: In the example in the slide, when evszone boots, the VNIC anet evszone/net1 is
associated with the MAC address, IP address, and SLA properties of the VPort ORA/vport0.
You can use the enhanced zonecfg command to configure a zone’s VNIC anet resource for
an elastic virtual switch.
You can set the following properties for the anet resource when you are configuring a zone:
• tenant: Specifies the name of the tenant. If a value is not specified when configuring a
zone, the system assigns the default value, sys-global tenant.
• vport: Specifies the name of the VPort. If a value is not specified when configuring a
zone, a system VPort is automatically generated for the elastic virtual switch and the
VPort inherits the elastic virtual switch properties.
• evs: Specifies the name of an elastic virtual switch to which you must connect the anet
resource.
A VPort in a data center is uniquely identified by the tenant name, elastic virtual switch name,
and VPort name.
For more information about EVS, refer to
http://docs.oracle.com/cd/E36784_01/html/E36813/index.html.


Practice 5-4: Overview

This practice covers how to set up two elastic virtual switches between two compute nodes by
performing the following tasks:
• Configuring two zones on a private virtual network
• Installing the mandatory EVS packages
• Setting up the SSH authentication
• Configuring the EVS controller
• Configuring the EVS across compute nodes
• Configuring compute nodes to use the EVS settings
• Verifying the EVS configuration


Agenda

• Introducing the Oracle Solaris 11 network
• Performing basic network administration
• Configuring network virtualization features
• Configuring EVS
• Configuring link aggregation
• Configuring IPMP
• Configuring network bridges
• Configuring ILB
• Managing network resources
• Using network monitoring tools


Link Aggregation

• Link aggregations enable you to pool multiple datalink resources that you administer as a
single unit.
• Link aggregation consists of several interfaces on a system that are configured together
as a single, logical unit to increase throughput of network traffic.

[Figure: link aggregation aggr1 over the datalinks net0, net1, and net2]

Link aggregations enable you to pool multiple datalink resources that you administer as a
single unit. By combining the resources of the multiple datalinks and dedicating them to
serving the system’s network operations, the system’s performance is greatly improved.
The graphic in the slide shows an example of a link aggregation configured on a system, in
which an aggregation aggr1 consists of three underlying datalinks, net0 through net2.
These datalinks are dedicated to serving the traffic that traverses the system through the
aggregation. The underlying links are hidden from external applications. Instead, the logical
datalink aggr1 is accessible.
Link aggregation has the following features:
• Increased bandwidth: The capacity of multiple links is combined into one logical link.
• Automatic failover and failback: By supporting link-based failure detection, traffic from
a failed link is failed over to other working links in the aggregation.
• Improved administration: All underlying links are administered as a single unit.
• Less drain on the network address pool: The entire aggregation can be assigned one
IP address.
• Link protection: You can configure the datalink property that enables link protection for
packets flowing through the aggregation.
• Resource management: Datalink properties for network resources as well as flow
definitions enable you to regulate applications’ use of network resources.
Note: Link aggregations perform functions similar to those of IP network multipathing (IPMP)
to improve network performance and availability. For more information about Link
Aggregation, refer to
http://docs.oracle.com/cd/E36784_01/html/E37516/gdysx.html#scrolltoc.


Types of Link Aggregation

Oracle Solaris supports two types of link aggregations:
• Trunk aggregations:
– Support aggregation over multiple switches; require switch configuration and
switch-vendor proprietary extensions
– Provide unique features such as policies and load balancing, aggregation of Link
Aggregation Control Protocol (LACP) mode and switches
• Datalink multipathing (DLMP) aggregations:
– Are created by specifying dlmp as the link aggregation mode
– Support failover between multiple switches; do not require vendor proprietary extensions
– Enable use of link layer features, such as link protection, user-defined flows, and the
ability to customize link properties, such as bandwidth

Trunk Aggregations
Trunk aggregations benefit a variety of networks with different traffic loads. For example, if a
system in the network runs applications with distributed heavy traffic, you can dedicate a trunk
aggregation to that application’s traffic to take advantage of the increased bandwidth. For
sites with limited
IP address space that nevertheless require large amounts of bandwidth, you need only one IP
address for a large aggregation of interfaces. For sites that need to hide the existence of
internal interfaces, the IP address of the aggregation hides its interfaces from external
applications.
In Oracle Solaris, when you create a link aggregation, the aggregation is by default created in
trunk mode. Typically, systems that are configured with link aggregations also use an
external switch to connect to other systems.
Trunk aggregations also support back-to-back configuration. Instead of using a switch, two
systems are directly connected together to run parallel aggregations. The most common
application for back-to-back link aggregations is the configuration of mirrored database
servers.



Datalink Multipathing (DLMP) Aggregations
A trunk aggregation generally suffices for the requirements of a network setup. You can span
a trunk aggregation across multiple switches, but this requires switch configuration and
switch-vendor proprietary extensions to work. DLMP aggregations can span over multiple
switches.
In a trunk aggregation, every port is associated with every configured datalink over the
aggregation. In a DLMP aggregation, a port is associated with any of the aggregation's
configured datalinks as well as with the primary interface and VNICs over that
aggregation.
You can switch between a trunk aggregation and a DLMP aggregation by using the dladm
modify-aggr command, provided that you use only the options supported by the specific
type.
Note: If you switch from a trunk aggregation to a DLMP aggregation, you must remove the
switch configuration that was previously created for the trunk aggregation.
DLMP aggregation supports link-based and probe-based failure detection to ensure
continuous availability of the network to send and receive traffic. For more information about
the failure detection, refer to
http://docs.oracle.com/cd/E36784_01/html/E37516/gnant.html#scrolltoc.


Creating a Trunk Aggregation

# ipadm show-if
IFNAME   CLASS      STATE   ACTIVE   OVER
lo0      loopback   ok      yes      --
net0     ip         ok      no       --
net1     ip         ok      no       --

# ipadm delete-ip net0
# ipadm delete-ip net1

# dladm create-aggr -L active -l net0 -l net1 aggr0

# dladm show-aggr
LINK    MODE    POLICY   ADDRPOLICY   LACPACTIVITY   LACPTIMER
aggr0   trunk   L4       auto         active         short

The example in the slide shows the commands to create a link aggregation with two
underlying datalinks, net0 and net1. The aggregation is also configured to transmit LACP
packets. The example begins with the removal of existing IP interfaces over the underlying
datalinks.


Creating a DLMP Aggregation

# dladm create-aggr -m dlmp -l net0 -l net1 -l net2 -l net3 speedway0

# dladm show-link
LINK        CLASS   MTU    STATE   OVER
net0        phys    1500   up      --
net1        phys    1500   up      --
net2        phys    1500   up      --
net3        phys    1500   up      --
speedway0   aggr    1500   up      net0 net1 net2 net3

# dladm show-aggr
LINK        MODE   POLICY   ADDRPOLICY   LACPACTIVITY   LACPTIMER
speedway0   DLMP   --       --           --             --

The example in the slide shows how to create a DLMP aggregation. The aggregation has four
underlying datalinks.


Configuring Probe-Based Failure Detection for
DLMP Aggregation
# dladm show-aggr
LINK        MODE   POLICY   ADDRPOLICY   LACPACTIVITY   LACPTIMER
speedway0   dlmp   --       --           --             --

# dladm set-linkprop -p probe-ip=+ speedway0

# dladm set-linkprop -p probe-fdt=15 speedway0

# dladm show-linkprop -p probe-ip,probe-fdt speedway0
LINK        PROPERTY    PERM   VALUE   EFFECTIVE   DEFAULT   POSSIBLE
speedway0   probe-ip    rw     +       +           --        --
speedway0   probe-fdt   rw     15      15          10        1-600

The example in the slide shows how to configure probe-based failure detection for a DLMP
aggregation.




IP Network Multipathing
[Figure: a server whose IPMP group contains net0 (active), net1 (active), and net2 (standby),
connected over a LAN to a client]

In production environments, it is important to eliminate any single point of failure. IP network
multipathing (IPMP) provides a mechanism for building redundant network interfaces to guard
against failures with network interfaces, cables, switches, or other networking hardware. In
addition to eliminating any single point of failure, the IPMP load spreading feature increases
the machine’s bandwidth by spreading the outbound load among all the cards in the same
IPMP group.
When compared with the IPMP configuration in Oracle Solaris 10, Oracle Solaris 11 groups
the IP interfaces into a virtual IP interface (for example, ipmp0). The virtual IP interface
serves all of the data IP addresses, while test addresses that are used for probe-based failure
detection are assigned to an underlying interface, such as net0.
With IPMP, you can assign two or more NICs to a failover group. Each interface is assigned a
static test IP address, which is used by Solaris to verify the operational state of the interface.
The interfaces with the static test IP addresses are used to periodically send an Internet
Control Message Protocol (ICMP) echo request to a target system and listen for the response.
If no response occurs within a given number of tries, the link is marked as failed. IPMP will fail
over all application IP addresses currently configured on that physical interface to another
physical interface within the IPMP group. In this way, network outages due to failed network
hardware are eliminated.


IPMP Components

IPMP consists of the following software components:
• IPMP daemon: in.mpathd
• IPMP service: svc:/network/ipmp
• Configuration file: /etc/default/mpathd
• IPMP administration command: ipadm
• IPMP display information command: ipmpstat

IPMP consists of the following software components:
• IPMP daemon: Detects failure by sending ICMP echo probes through the interface and
also monitors the RUNNING flag on the interface. If a failure is detected from one of
these methods, the daemon chooses the standby IP address or the next appropriate IP
address and failover occurs.
• IPMP service: Manages the IPMP daemon. The IPMP service also sets IPMP
properties, such as enabling or disabling transitive probing.
• Configuration file: Specifies the daemon’s default behavior. This file can be used to set
parameters, such as specifying the interfaces to probe for failure and the duration. This
file can also be used to specify what the status of a failed interface should be after it is
repaired, or whether to monitor all interfaces, including those that do not belong to an
IPMP group.
• IPMP administration command: Administers the IP interfaces of the IPMP group
• IPMP display information command: Provides information about the status of IPMP


IPMP Configurations

• An IPMP configuration consists of two or more physical interfaces on the same system
that are attached to the same network.
• These interfaces can belong to an IPMP group in either of the following configurations:
– Active-active
– Active-standby

An IPMP configuration typically consists of two or more physical interfaces on the same
system that are attached to the same LAN. These interfaces can belong to an IPMP group in
either of the following configurations:
• Active-active: In this configuration, all underlying interfaces are active. An active
interface is an IP interface that is currently available for use by the IPMP group. By
default, an underlying interface becomes active when you configure the interface to
become part of an IPMP group.
• Active-standby: In this configuration, at least one interface is administratively
configured as a reserve. The reserve interface is called the standby interface. Although
idle, the standby IP interface is monitored by the multipathing daemon to track the
interface’s availability, depending on how the interface is configured. If link-failure
notification is supported by the interface, link-based failure detection is used. If the
interface is configured with a test address, probe-based failure detection is also used. If
an active interface fails, the standby interface is automatically deployed as needed. You
can configure as many standby interfaces as you want for an IPMP group.


Configuring IPMP: Active-Active
# dladm rename-link net0 link0_ipmp0
# dladm rename-link net1 link1_ipmp0

# ipadm create-ip link0_ipmp0
# ipadm create-ip link1_ipmp0

# ipadm create-ipmp ipmp0

# ipadm add-ipmp -i link0_ipmp0 -i link1_ipmp0 ipmp0

# ipadm create-addr -a 192.168.0.112/24 ipmp0/v4add1
# ipadm create-addr -a 192.168.0.113/24 ipmp0/v4add2
# ipadm create-addr -a 192.168.0.142/24 link0_ipmp0/test
# ipadm create-addr -a 192.168.0.143/24 link1_ipmp0/test

This slide shows you the steps to configure an active-active IPMP configuration with flexible
datalink names. Here, you rename the datalinks net0 and net1 to link0_ipmp0 and
link1_ipmp0, respectively. Before these datalinks can be used by IPMP, you must create an
IP interface for each one.
Now you are ready to create the IPMP group. This involves two steps. You first create the
IPMP group (ipmp0 in this example), and then you add the underlying interfaces
(link0_ipmp0 and link1_ipmp0) to the group. Note that this example shows vanity
naming of the network interfaces. You use vanity naming to label network components. This
helps you clarify complex network topologies.
Next, assign the data IP addresses to the IPMP interface (ipmp0) in the form of IP address
objects (ipmp0/v4add1 and ipmp0/v4add2).
Finally, assign the test IP addresses to each underlying interface in the form of IP address
objects (link0_ipmp0/test and link1_ipmp0/test).


Configuring IPMP: Active-Standby

# dladm rename-link net0 link0_ipmp0
# dladm rename-link net1 link1_ipmp0
# dladm rename-link net2 link2_ipmp0

# ipadm create-ip link0_ipmp0
# ipadm create-ip link1_ipmp0
# ipadm create-ip link2_ipmp0

# ipadm create-ipmp ipmp0

# ipadm add-ipmp -i link0_ipmp0 -i link1_ipmp0 -i link2_ipmp0 ipmp0

# ipadm create-addr -a 192.168.0.112/24 ipmp0/v4add1
# ipadm create-addr -a 192.168.0.113/24 ipmp0/v4add2
# ipadm create-addr -a 192.168.0.142/24 link0_ipmp0/test
# ipadm create-addr -a 192.168.0.143/24 link1_ipmp0/test
# ipadm create-addr -a 192.168.0.144/24 link2_ipmp0/test

# ipadm set-ifprop -p standby=on -m ip link2_ipmp0

This slide shows you the steps to configure an active-standby IPMP configuration with flexible
datalink names. The steps are similar to those shown in the previous slide.
Here, you rename the datalinks net0, net1, and net2 to link0_ipmp0, link1_ipmp0,
and link2_ipmp0, respectively. You then create an IP interface for each one.
Now you create the IPMP group. This involves two steps. You first create the IPMP group
(ipmp0 in this example), and then you add the underlying interfaces (link0_ipmp0,
link1_ipmp0, and link2_ipmp0) to the group.
After the IPMP group is created, you set the standby property in one of the underlying
interfaces (link2_ipmp0 in this example) to on.
Next, assign the data IP addresses to the IPMP interface (ipmp0) in the form of IP address
objects (ipmp0/v4add1 and ipmp0/v4add2).
Finally, assign the test IP addresses to each underlying interface in the form of IP address
objects (link0_ipmp0/test, link1_ipmp0/test, and link2_ipmp0/test).


Failure Detection in IPMP

IPMP performs failure detection on the IPMP group’s underlying IP interfaces to ensure
continuous availability of the network to send or receive traffic.
• The in.mpathd daemon handles the following types of failure detection:
– Two types of probe-based failure detection:
— No test addresses are configured.
— Test addresses are configured.
– Link-based failure detection, if supported by the NIC driver.

To ensure continuous availability of the network to send or receive traffic, IPMP performs
failure detection on the IPMP group’s underlying IP interfaces. Failed interfaces remain
unusable until they are repaired. Remaining active interfaces continue to function while any
existing standby interfaces are deployed as needed.


Monitoring IPMP
# ipmpstat -g
GROUP   GROUPNAME   STATE      FDT      INTERFACES
ipmp0   ipmp0       degraded   10.00s   link2_ipmp0 link1_ipmp0 [link0_ipmp0]

# ipmpstat -i
INTERFACE     ACTIVE   GROUP   FLAGS     LINK   PROBE    STATE
link2_ipmp0   yes      ipmp0   -s-----   up     ok       ok
link1_ipmp0   yes      ipmp0   --mbM--   up     ok       ok
link0_ipmp0   no       ipmp0   -------   up     failed   failed

# ipmpstat -an
ADDRESS         STATE   GROUP   INBOUND       OUTBOUND
::              down    ipmp0   --            --
192.168.0.113   up      ipmp0   link1_ipmp0   link2_ipmp0 link1_ipmp0
192.168.0.112   up      ipmp0   link2_ipmp0   link2_ipmp0 link1_ipmp0

You use the ipmpstat command to monitor IPMP group activity and health.
This slide shows three examples of the ipmpstat usage. The examples that you see here
are taken from an IPMP active-standby configuration created by the procedure shown in the
previous slide. Here, one of the underlying interfaces has failed.
The first example (ipmpstat -g) displays information about the IPMP group. The IPMP
group is named ipmp0. It has three underlying interfaces: link0_ipmp0, link1_ipmp0,
and link2_ipmp0. Note that the state of the IPMP group is degraded and the underlying
interface link0_ipmp0 has brackets around it (boxed) indicating that it has failed.
The second example (ipmpstat -i) displays information about the IP interfaces. Here,
link2_ipmp0 is in the Active state and link0_ipmp0 is in the Failed state.
The third example (ipmpstat -an) displays information about the IPMP data addresses. IP
address 192.168.0.112 is currently assigned to the standby interface (link2_ipmp0) and
192.168.0.113 is assigned to link1_ipmp0 for all INBOUND data traffic.
OUTBOUND data traffic is spread across both active interfaces for each IP address.


Monitoring IPMP

# ipmpstat -pn
TIME     INTERFACE     PROBE   NETRTT   RTT      RTTAVG   TARGET
0.06s    link2_ipmp0   i163    0.26ms   0.49ms   0.33ms   192.168.0.100
0.90s    link1_ipmp0   i162    0.26ms   0.39ms   0.31ms   192.168.0.100
0.92s    link2_ipmp0   i164    0.19ms   0.36ms   0.34ms   192.168.0.100
0.49s    link0_ipmp0   i161    --       --       --       192.168.0.100
-0.49s   link0_ipmp0   i160    --       --       --       192.168.0.100
2.52s    link2_ipmp0   i165    0.23ms   0.39ms   0.34ms   192.168.0.100
2.74s    link1_ipmp0   i163    0.24ms   0.38ms   0.32ms   192.168.0.100
3.69s    link1_ipmp0   i164    0.25ms   0.45ms   0.34ms   192.168.0.100
2.31s    link0_ipmp0   i162    --       --       --       192.168.0.100
...

The example in the slide (ipmpstat -pn) shows information about the IPMP probe. For
IPMP probing to work correctly, the IPMP group must be connected to the local area network
and at least one other host (the probe target) must also be connected to the same network.
Here, link2_ipmp0 (standby) and link1_ipmp0 interfaces are actively probing target
192.168.0.100. Interface link0_ipmp0 probing is failing.
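
The readings described on the two Monitoring IPMP slides can be turned into scripted checks. The following is an added example, not part of the Oracle course material: it parses constructed copies of the slides' ipmpstat -g, -i, and -pn output. The function names are hypothetical, and treating an s in the FLAGS column as the standby marker is an assumption taken from the slide's own output.

```shell
#!/bin/sh
# Added example: pass/fail checks over the ipmpstat output shown on the slides.
# Every check reads command output on stdin, so on a live system you would run,
# for example:   ipmpstat -g | degraded_groups

# --- Constructed sample input: the slides' output, realigned into columns ---
sample_groups() {
cat <<'EOF'
GROUP   GROUPNAME  STATE     FDT     INTERFACES
ipmp0   ipmp0      degraded  10.00s  link2_ipmp0 link1_ipmp0 [link0_ipmp0]
EOF
}

sample_ifaces() {
cat <<'EOF'
INTERFACE    ACTIVE  GROUP  FLAGS    LINK  PROBE   STATE
link2_ipmp0  yes     ipmp0  -s-----  up    ok      ok
link1_ipmp0  yes     ipmp0  --mbM--  up    ok      ok
link0_ipmp0  no      ipmp0  -------  up    failed  failed
EOF
}

sample_probes() {
cat <<'EOF'
TIME    INTERFACE    PROBE  NETRTT  RTT     RTTAVG  TARGET
0.06s   link2_ipmp0  i163   0.26ms  0.49ms  0.33ms  192.168.0.100
0.90s   link1_ipmp0  i162   0.26ms  0.39ms  0.31ms  192.168.0.100
0.92s   link2_ipmp0  i164   0.19ms  0.36ms  0.34ms  192.168.0.100
0.49s   link0_ipmp0  i161   --      --      --      192.168.0.100
-0.49s  link0_ipmp0  i160   --      --      --      192.168.0.100
2.52s   link2_ipmp0  i165   0.23ms  0.39ms  0.34ms  192.168.0.100
2.74s   link1_ipmp0  i163   0.24ms  0.38ms  0.32ms  192.168.0.100
3.69s   link1_ipmp0  i164   0.25ms  0.45ms  0.34ms  192.168.0.100
2.31s   link0_ipmp0  i162   --      --      --      192.168.0.100
EOF
}

# `ipmpstat -g` on stdin -> "group state" for each group whose STATE is not ok.
degraded_groups() {
    awk 'NR > 1 && $3 != "ok" { print $1, $3 }'
}

# `ipmpstat -g` on stdin -> interfaces shown in [brackets], which the slide
# notes describe as failed.
bracketed_interfaces() {
    awk 'NR > 1 {
        for (i = 5; i <= NF; i++)
            if ($i ~ /^\[.*\]$/) print substr($i, 2, length($i) - 2)
    }'
}

# `ipmpstat -i` on stdin -> "iface link=.. probe=.." for each interface whose
# STATE is not ok. LINK and PROBE show which detection method reported the
# failure: link-based (LINK) or probe-based (PROBE).
failed_interfaces() {
    awk 'NR > 1 && $7 != "ok" { print $1, "link=" $5, "probe=" $6 }'
}

# `ipmpstat -i` on stdin -> standby interfaces that are currently active.
# Assumption: an "s" in FLAGS marks a standby interface, as it does for
# link2_ipmp0 on the slide. An active standby means no spare is left.
standby_in_use() {
    awk 'NR > 1 && $4 ~ /s/ && $2 == "yes" { print $1 }'
}

# `ipmpstat -pn` on stdin -> "iface lost/sent" per interface, sorted by name.
# A probe row with "--" in the RTT column got no answer from the target.
probe_loss() {
    awk 'NR > 1 && NF >= 7 {
        sent[$2]++
        if ($5 == "--") lost[$2]++
    }
    END { for (i in sent) print i, (lost[i] + 0) "/" sent[i] }' | sort
}

# Print a short report over the sample data; return 1 if a group is not ok.
ipmp_report() {
    bad=$(sample_groups | degraded_groups)
    if [ -z "$bad" ]; then
        echo "IPMP: all groups ok"
        return 0
    fi
    echo "IPMP groups not ok: $bad"
    echo "failed interfaces:";       sample_ifaces | failed_interfaces | sed 's/^/  /'
    echo "standby now in use:";      sample_ifaces | standby_in_use    | sed 's/^/  /'
    echo "probe loss (lost/sent):";  sample_probes | probe_loss        | sed 's/^/  /'
    return 1
}

ipmp_report || echo "action needed: repair the failed interface to restore redundancy"
```

For the slide's data the report names ipmp0 as degraded, link0_ipmp0 as failed by probe-based detection while its link is still up, and link2_ipmp0 as a standby already carrying traffic.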



Practice 5-5: Overview

This practice covers exploring IP network multipathing (IPMP):
• Creating and testing an IPMP active-active configuration
• Creating and testing an IPMP active-standby configuration
• Removing the IPMP configuration




Network Bridging
[Figure: two network segments joined by a bridge, with packet forwarding between them]

Bridging:
• Is used to connect separate network segments
• Simplifies network administration
• Uses a packet-forwarding mechanism
• Supports STP, TRILL, EVB, and DCB

Network bridges are used to connect separate network segments. When connected by a
bridge, the attached network segments communicate as if they were a single network
segment. Bridging is implemented at the datalink layer (L2) of the networking stack to connect
subnetworks together.
Using a bridge configuration simplifies the administration of the various nodes in the network
by connecting them to a single network. By connecting these segments through a bridge, all
the nodes share a single broadcast network. Thus, each node can reach the other nodes by
using network protocols such as IP rather than by using routers to forward traffic across
network segments. If you do not use a bridge, you must configure IP routing to permit the
forwarding of IP traffic between nodes.
To forward packets to their destinations, bridges must listen in promiscuous mode on every
link that is attached to the bridge. Listening in promiscuous mode causes bridges to become
vulnerable to the occurrences of forwarding loops, in which packets circle forever at full line
rate. Bridging uses the Spanning Tree Protocol (STP) to prevent network loops that would
render the subnetworks unusable. In addition to STP, Oracle Solaris 11
supports the Transparent Interconnect of Lots of Links (TRILL) protocol.


Unlike STP and RSTP, TRILL does not shut down physical links to prevent loops. Instead,
TRILL computes the shortest-path information for each TRILL node in the network and uses
that information to forward packets to individual destinations. As a result, TRILL enables the
system to leave all links in use at all times.
Data Center Bridging (DCB) is a set of features that enhance traditional Ethernet networks’
abilities to manage traffic especially in environments where network traffic volume and
transmission rates are high. DCB features address fibre channel’s sensitivity to packet loss
while traversing the Ethernet network. It enables peers to distinguish traffic based on
priorities. Support for enhanced transmission selection (ETS) based on IEEE 802.1Qaz has
been added to the DCB functionality introduced in Oracle Solaris 11 11/11. This will provide
guaranteed bandwidth and lossless Ethernet transport for converged network environments
where storage protocols share the same fabric as regular network traffic.
For more information about DCB, refer to
http://docs.oracle.com/cd/E36784_01/html/E37516/glahx.html#NWDLKglahx.
EVB is an IEEE standard that defines new protocols and mechanisms for exchanging
information about virtual links between hosts/stations and a switch/bridge. With EVB, more
information about virtual link configurations can be advertised on the network beyond, for
example, bandwidth share or priority definitions for physical links that DCB features provide.
In general, EVB can be used to enable reflective relay on the external bridge port and
automate virtual port configuration on the bridge. Support for the EVB Virtual Station Interface
(VSI) Discovery and Configuration Protocol (VDP) and the Edge Control Protocol (ECP) is
new in the Oracle Solaris 11.1 release. Using EVB, properties (such as the bandwidth limit) of the
Oracle Solaris Virtual NIC (VNIC) can be exchanged with the switch so that the switch can be
configured accordingly for the VNIC. The standard is defined in the IEEE 802.1Qbg
specification. Additional information can be obtained from evb(7P), vdpd(1M), dladm(1M),
and http://docs.oracle.com/cd/E36784_01/html/E36813/gmhgg.html#scrolltoc.
With the introduction of network virtualization, inter-VM traffic is sent through an internal
software switch without being sent through the physical network infrastructure. This process
aids organizations that have networking policies that require all network traffic to be routed
through an external network so that access control lists (ACL), packet monitoring, and so on
can be configured on the external switch. In this release, you can enable reflective relay to
ensure that this inter-VM traffic is also subjected to these same policies. For more information,
see http://docs.oracle.com/cd/E36784_01/html/E36813/index.html.


Configuring a Network Bridge

# dladm create-bridge -l net0 -l net3 tonowhere

# dladm show-bridge
BRIDGE      PROTECT   ADDRESS                PRIORITY   DESROOT
tonowhere   stp       32768/8:0:27:15:2:19   32768      32768/8:0:27:15:2:19

# dladm show-bridge -l tonowhere
LINK   STATE        UPTIME   DESROOT
net0   forwarding   90       32768/8:0:27:15:2:19
net3   discarding   90       32768/8:0:27:15:2:19

# dladm remove-bridge -l net0 -l net3 tonowhere

# dladm delete-bridge tonowhere

The example in the slide shows you how to create, display, and remove a network bridge.


Practices 5-6 and 5-7: Overview

• Practice 5-6 covers creating a bridge between two network interfaces.
• Practice 5-7 covers creating a link aggregation.




Integrated Load Balancer (ILB)

• Provides Layer 3 and Layer 4 load-balancing capabilities for Oracle Solaris installed on SPARC and x86-based systems. It is managed by the svc:/network/loadbalancer/ilb:default service.
• Intercepts incoming requests from clients, decides which back-end server should handle the request based on load-balancing rules, and then forwards the request to the selected server
• Performs optional health checks and provides the data for the load-balancing algorithms to verify whether the selected server can handle the incoming request
• Spreads workload directed to the server across multiple servers

The following are the key features of ILB:
• Supports stateless Direct Server Return (DSR) and Network Address Translation (NAT) modes of operation for IPv4 and IPv6
• Enables ILB administration through a command-line interface (CLI)
• Provides server monitoring capabilities through health checks
ILB enables:
• Clients to ping virtual IP (VIP) addresses
• You to add and remove servers from a server group without interrupting service
• You to configure session persistence (stickiness)
• You to perform connection draining
• Load-balancing of TCP and UDP ports
• You to specify independent ports for virtual services within the same server group
• You to load balance a simple port range
• Port range shifting and collapsing
For more information about ILB and its features, refer to
http://docs.oracle.com/cd/E36784_01/html/E37517/gmvhl.html#scrolltoc.



Installing ILB
ILB has two portions, the kernel and the userland. The kernel portion is automatically installed
as part of the Oracle Solaris 11 installation. To obtain the userland portion of ILB, you must
manually install the ilb package by using the pkg install ilb command.


ILB Operation Modes

ILB supports the following modes of operation for IPv4 and IPv6, in single-legged and dual-legged topologies:
• Stateless Direct Server Return (DSR) topology
• Network Address Translation (NAT) mode (full-NAT and half-NAT) topology



ILB Operation Modes: DSR

[Figure: DSR topology. A client (IP: 129.146.86.x) connects through the Internet and an Ethernet switch segment or VLAN to ILB (VIP: 10.0.0.20, IP: 192.168.1.21), Server 1 (VIP: 10.0.0.20, IP: 192.168.1.50, GW: 192.168.1.31, default gateway), and Server 2 (VIP: 10.0.0.20, IP: 192.168.1.60, GW: 192.168.1.31, default gateway).]

In DSR mode, ILB balances incoming requests to the back-end servers, but allows the return traffic from the servers to the clients to bypass it. However, you can also set up ILB to be used as a router for the back-end server. In this case, the response from the back-end server to the client is routed through the machine that is running ILB.
With stateless DSR, ILB does not save any state information of the processed packets,
except basic statistics. Because ILB does not save any state in this mode, the performance is
comparable to the normal IP-forwarding performance. This mode is best suited for
connectionless protocols.



ILB Operation Modes: NAT

[Figure: NAT topology. Labels: Client (IP: 129.146.86.x); Internet; Ethernet switch segment or VLAN (shown twice); Server 1 (IP: 192.168.1.50, GW: 192.168.1.21, default gateway).]

ILB uses NAT in stand-alone mode strictly for load balancing. In this mode, ILB rewrites the header information and handles incoming as well as outgoing traffic. ILB operates in both half-NAT and full-NAT modes.
S
In the half-NAT and full-NAT modes, ILB matches the response from the back-end server to
the incoming request, and replaces the changed IP address and the transport protocol port
number with that of the original incoming request. ILB then forwards the response to the
client. Essentially, both modes rewrite the destination IP address. However, full-NAT also
rewrites the source IP address, making it appear to the server that all connections are from
the load balancer.
Note: NAT mode provides additional security, and is best suited for HTTP or secure sockets layer (SSL) traffic.


Enabling and Disabling ILB

1. Enable the appropriate forwarding service: either IPv4 or IPv6, or both of them. Note that this command produces no output when successful.
# ipadm set-prop -p forwarding=on ipv4
# ipadm set-prop -p forwarding=on ipv6

2. Enable the ILB service.


# svcadm enable ilb

3. Disable the ILB service.
# svcadm disable ilb

4. Verify that the ILB service is enabled or disabled.
# svcs ilb

Before you enable ILB, make sure that the system's Role-Based Access Control (RBAC) attribute files have the following entries. If the entries are not present, add them manually:
• File name: /etc/security/auth_attr
- solaris.network.ilb.config:::Network ILB Configuration::help=NetworkILBconf.html
- solaris.network.ilb.enable:::Network ILB Enable Configuration::help=NetworkILBenable.html
- solaris.smf.manage.ilb:::Manage Integrated Load Balancer Service States::help=SmfILBStates.html
• File name: /etc/security/prof_attr
- Network ILB:::Manage ILB configuration via ilbadm:auths=solaris.network.ilb.config,solaris.network.ilb.enable;help=RtNetILB.html
- The NetworkManagement entry in the file must include solaris.smf.manage.ilb.
• File name: /etc/user_attr
- daemon::::auths=solaris.smf.manage.ilb,solaris.smf.modify.application
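
The RBAC prerequisites listed above can be checked mechanically before the service is enabled. The following is an added example, not part of the course material: the function names, the ROOT prefix argument, and the sample files are assumptions constructed for illustration, and each entry is assumed to sit on one line.

```shell
#!/bin/sh
# Added example: verify the RBAC entries the page lists as ILB prerequisites.
# ROOT is a hypothetical prefix so the check can run against a copy of /etc;
# pass nothing to check the live files.

# find_entry FILE KEY: print the first line of FILE whose first
# colon-separated field equals KEY. Spaces are ignored on both sides because
# the page writes the profile name as "NetworkManagement".
find_entry() {
    [ -r "$1" ] || return 0
    awk -F: -v k="$2" '
        BEGIN { gsub(/ /, "", k) }
        /^#/  { next }
        { f = $1; gsub(/ /, "", f); if (f == k) { print; exit } }
    ' "$1"
}

# check_ilb_rbac [ROOT]: print one "MISSING ..." line per absent entry and
# return the number of problems found (0 means every entry is present).
check_ilb_rbac() {
    root=${1:-}
    problems=0
    # Each row: file | first field of the entry | string the entry must contain
    while IFS='|' read -r file key must; do
        [ -n "$file" ] || continue
        line=$(find_entry "$root$file" "$key")
        case $line in
            "")        echo "MISSING $file: no entry for '$key'" ;;
            *"$must"*) continue ;;
            *)         echo "MISSING $file: '$key' lacks $must" ;;
        esac
        problems=$((problems + 1))
    done <<'EOF'
/etc/security/auth_attr|solaris.network.ilb.config|solaris.network.ilb.config
/etc/security/auth_attr|solaris.network.ilb.enable|solaris.network.ilb.enable
/etc/security/auth_attr|solaris.smf.manage.ilb|solaris.smf.manage.ilb
/etc/security/prof_attr|Network ILB|solaris.network.ilb.config
/etc/security/prof_attr|Network ILB|solaris.network.ilb.enable
/etc/security/prof_attr|NetworkManagement|solaris.smf.manage.ilb
/etc/user_attr|daemon|solaris.smf.manage.ilb
EOF
    return "$problems"
}

# make_sample_root DIR: write constructed sample files holding the entries as
# the page lists them, plus one constructed "Network Management" profile line.
make_sample_root() {
    mkdir -p "$1/etc/security"
    cat > "$1/etc/security/auth_attr" <<'EOF'
solaris.network.ilb.config:::Network ILB Configuration::help=NetworkILBconf.html
solaris.network.ilb.enable:::Network ILB Enable Configuration::help=NetworkILBenable.html
solaris.smf.manage.ilb:::Manage Integrated Load Balancer Service States::help=SmfILBStates.html
EOF
    cat > "$1/etc/security/prof_attr" <<'EOF'
Network ILB:::Manage ILB configuration via ilbadm:auths=solaris.network.ilb.config,solaris.network.ilb.enable;help=RtNetILB.html
Network Management:::Constructed sample line:auths=solaris.smf.manage.ilb
EOF
    cat > "$1/etc/user_attr" <<'EOF'
daemon::::auths=solaris.smf.manage.ilb,solaris.smf.modify.application
EOF
}

# Demo on a constructed tree: check it, then empty user_attr and re-check.
demo() {
    d=$(mktemp -d) || return 1
    make_sample_root "$d"
    check_ilb_rbac "$d" && echo "sample tree: all ILB RBAC entries present"
    : > "$d/etc/user_attr"
    check_ilb_rbac "$d" || echo "problems found: $?"
    rm -rf "$d"
}
demo
```

Because the return value is the count of missing entries, the function can gate a provisioning step so that the ILB service is enabled only when the authorizations are in place.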



Configuring ILB

1. Set up the back-end servers.



# route add -p default 192.168.1.21

2. Set up the server group in ILB.


# ilbadm create-sg -s servers=192.168.1.50,192.168.1.60 srvgrp1

3. Set up the simple health check called hc-srvgrp1.


# ilbadm create-hc -h hc-test=tcp,hc-timeout=3,hc-count=3,hc-interval=60 \
hc-srvgrp1

4. Set up an ILB rule.

# ilbadm create-rule -e -p -i vip=10.0.2.20,port=5000 -m \
lbalg=rr,type=half-nat,pmask=32 -h hc-name=hc-srvgrp1 \
-o servergroup=srvgrp1 rule1_rr


Agenda

• Introducing the Oracle Solaris 11 network



• Performing basic network administration


• Configuring network virtualization features
• Configuring EVS
• Configuring link aggregation
• Configuring IPMP
• Configuring network bridges
• Configuring ILB
• Managing network resources
• Using the network monitoring tools


dlstat Command

• Reports runtime statistics about datalinks



• Enables you to:


– Examine all links and report statistics
– Examine a specific link and report statistics
– Examine physical network devices and report statistics
– Examine link aggregations and report statistics
– Specify the sampling interval and count values

The dlstat command reports runtime statistics about datalinks. The output is sorted in descending order of link utilization. The slide lists what you can do using dlstat.


dlstat: Examples

# dlstat
LINK        IPKTS    RBYTES   OPKTS    OBYTES
net1        0        0        0        0
net2        0        0        0        0
net3        0        0        155      10.43K
net0        0        0        6.73K    765.05K
speedway0   59.02K   5.93K    115.69K  148.09M

# dlstat show-phys
LINK        IPKTS    RBYTES   OPKTS    OBYTES
net1        2.90K    501.69K  9.02K    5.03M
net2        4.78K    627.83K  16.47K   20.59M
net3        10.73K   1.34M    26.00K   32.64M
net0        49.49K   4.45M    70.83K   90.65M

The slide shows examples of dlstat usage.
In the first example, running dlstat without subcommands displays a summary of statistics for all the links. The report shows incoming traffic (IPKTS and RBYTES) and outgoing traffic (OPKTS and OBYTES).
In the second example, the show-phys subcommand reports network traffic statistics for each physical network device. Note that if your link aggregations (speedway0) are present, they are also displayed.


dlstat: Examples

# dlstat show-link
LINK        IPKTS    RBYTES   OPKTS    OBYTES
net1        0        0        0        0
net2        0        0        0        0
net3        0        0        155      10.43K
net0        0        0        6.73K    765.06K
speedway0   59.16K   5.94K    115.75K  148.09M

# dlstat show-aggr
LINK        PORT   IPKTS    RBYTES   OPKTS    OBYTES
speedway0   --     68.08K   6.93M    122.66K  148.92M
speedway0   net0   49.59K   4.46M    70.84K   90.65M
speedway0   net1   2.92K    505.13K  9.05K    5.03M
speedway0   net2   4.81K    631.91K  16.76K   20.59M
speedway0   net3   10.76K   1.34M    26.01K   32.64M

# dlstat show-bridge
BRIDGE      LINK   IPKTS    RBYTES   OPKTS    OBYTES   DROPS    FORWARDS
tonowhere   --     2        191      9        702      0        0
            net0   2        191      6        447      0        --
            net3   0        0        3        255      0        --

The show-link subcommand reports network traffic statistics for each network link, whereas the show-aggr subcommand reports incoming and outgoing network traffic statistics for the aggregated links. The PORT field indicates the devices that make up the link aggregation.


flowstat Command

• Enables you to gather runtime statistics on user-defined flows
• Using flowstat, you can:
– Display receive-side statistics only (includes bytes)
– Display transmit-side statistics only
– Specify an interval in seconds at which statistics are refreshed along with a count value. The default interval is one second.
– Display statistics for all flows on the specified link or statistics for the specified flow

Flows consist of network packets that are organized according to an attribute. Flows enable you to further allocate network resources. Packets traverse a path when they flow into or out of a system. On a granular level, packets are received and transmitted through receive (Rx) rings and transmit (Tx) rings of an NIC. From these rings, received packets are passed up the network stack for further processing while outbound packets are sent to the network.


flowstat: Examples

# flowstat 1 1
FLOW IPKTS RBYTES IDROPS OPKTS OBYTES ODROPS
http1 430.45K 910.46M 0 398.22K 44.09M 0

# flowstat -r
FLOW IPKTS RBYTES IDROPS
http1 2.95M 3.44M 0

# flowstat -t
FLOW OPKTS OBYTES ODROPS
http1 17.89M 987.22M 0

The first example in the slide shows information every second about incoming and outgoing traffic on all configured flows on the system.
The second example shows receive-side statistics for all flows.
The third example shows transmit-side statistics for all flows.


Agenda

• Introducing the Oracle Solaris 11 network



• Performing basic network administration


• Configuring network virtualization features
• Configuring EVS
• Configuring link aggregation
• Configuring IPMP
• Configuring network bridges
• Configuring ILB
• Managing network resources
• Using the network monitoring tools


Viewing IP Traffic Statistics

To gather and report statistics on IP traffic based on the selected output mode and sort order, use the ipstat command.
# ipstat -l 5
SOURCE DEST PROTO INT BYTES
s11-server1.mydomain.com s11-desktop.mydomain.com UDP net0 39.0
s11-desktop.mydomain.com s11-server1.mydomain.com UDP net0 28.0
Total: bytes in: 39.0 bytes out: 28.0

Starting with the Oracle Solaris 11.2 release, you can use the ipstat(1M) command to report statistics about IP traffic. ipstat provides options to gather and report statistics only on IP traffic matching specified source or destination address, interface, and higher layer protocol. For more information, refer to the ipstat(1M) man page.


Viewing TCP and UDP Traffic Statistics

To gather and report statistics on TCP and UDP traffic based on the selected output mode and sort order, use the tcpstat command.
# tcpstat -l 5
ZONE PID PROTO SADDR SPORT DADDR DPORT BYTES
global 795 UDP s11-server1.mydo 53 s11-desktop.mydo 42857 20.0
global 795 UDP s11-desktop.mydo 42857 s11-server1.mydo 53 9.0
global 795 UDP s11-desktop.mydo 59127 s11-server1.mydo 53 7.0
global 795 UDP s11-desktop.mydo 38509 s11-server1.mydo 53 7.0
global 795 UDP s11-server1.mydo 53 s11-desktop.mydo 59127 7.0
Total: bytes in: 34.0 bytes out: 23.0

Starting with the Oracle Solaris 11.2 release, you can use the tcpstat(1M) command to report statistics on TCP and UDP traffic. tcpstat provides options to gather and report statistics only on traffic matching specified source or destination address, interface, process ID, source or destination port, and zone name. For more information, refer to the tcpstat(1M) man page.


Viewing User and Process Information

To list the user, process ID, and the program that originally created the network endpoint or controls it now, use the netstat -u command.
# netstat -nauv
UDP: IPv4
Local Address        Remote Address       User     Pid    State      Command
-------------------- -------------------- -------- ------ ---------- ----------------
*.*                                       root     79     Unbound    /lib/inet/in.mpathd
*.*                                       root     79     Unbound    /lib/inet/in.mpathd
*.*                                       netadm   308    Unbound    /lib/inet/nwamd
*.*                                       netadm   308    Unbound    /lib/inet/nwamd
*.631                                     root     430    Idle       /usr/sbin/cupsd -C /etc/cups/cupsd.conf
127.0.0.1.53                              root     443    Idle       /usr/sbin/named
192.168.0.100.53                          root     443    Idle       /usr/sbin/named
*.111                                     daemon   539    Idle       /usr/sbin/rpcbind
*.*                                       daemon   539    Unbound    /usr/sbin/rpcbind
*.52951                                   daemon   539    Idle       /usr/sbin/rpcbind
*.111                                     daemon   539    Idle       /usr/sbin/rpcbind
*.*                                       daemon   539    Unbound    /usr/sbin/rpcbind
*.36871                                   daemon   539    Idle       /usr/sbin/rpcbind
*.*                                       root     585    Unbound    /usr/lib/inet/in.ndpd
. . .
(output truncated)

Starting with the Oracle Solaris 11.2 release, the netstat command provides the -u option to view information about processes and users in the netstat output. In the example in the slide:
• -a: Displays the state of all sockets, all routing table entries, or all interfaces, both
physical and logical
• -n: Displays network addresses as numbers. netstat normally displays addresses as
symbols.
• -v: Provides verbose information
In the example, the output includes details of both IPv4 and IPv6, and all active UNIX domain
sockets.



Analyzing Network Traffic

• Oracle Solaris 11 provides the following network traffic analyzers:
– TShark: Command-line network traffic analyzer:
— Captures packet data from a live network
— Reads packet data from a previously saved capture file
– Wireshark: Third-party graphical user interface (GUI) network protocol analyzer:
— Interactively dumps and analyzes network traffic
• Both TShark and Wireshark analyzers:
– Assemble all of the packet data in a TCP conversation and display the data in ASCII, EBCDIC, or hex format
– Contain many filterable fields


wireshark Utility

You can use Wireshark to capture and interactively browse the traffic running on a computer network. Because of its rich and powerful feature set, system administrators, security experts, developers, and educators around the world use it regularly. It is freely available as open source and is released under the GNU General Public License version 2.
Using Wireshark, you can:
• Capture live packet data from a network interface
• Display packets with very detailed protocol information
• Open and save captured packet data
• Import packet data from and export packet data to many other capture programs
• Filter packets by using many criteria
• Search for packets by using many criteria
• Colorize packet display based on filters
• View various statistics
This slide shows the Wireshark packet analyzer interface.



Performing Network Diagnostics

• network-monitor is a fault manager daemon (fmd) transport module utility.
– Monitors network resources
– Reports conditions that might lead to limited or degraded network functionality
– Generates an ireport on detecting an abnormal network condition
– Does not diagnose the error condition
– Does not perform any recovery actions
• Use the fmdump command to retrieve ireports.


Managing the network-monitor Module

• View the current status of the network-monitor module:



# fmadm config

MODULE            VERSION   STATUS   DESCRIPTION
cpumem-retire     1.1       active   CPU/Memory Retire Agent
disk-diagnosis    0.1       active   Disk Diagnosis engine
network-monitor   1.0       active   Network monitor

• Enable the network-monitor module:
...
# enable
#
# Enable/disable the network-monitor.
#
setprop enable true
...

You can use the fmadm command to report the current status of the network-monitor module, which is displayed as active when it is performing fault monitoring, as shown in the first example in the slide.
You control the state of the network-monitor module by setting the enable property to true in the /usr/lib/fm/fmd/plugins/network-monitor.conf configuration file, as shown in the second example in the slide. The monitor will be active upon reboot.



Retrieving Reports That Are Generated by the
network-monitor Module
Use the fmdump command to retrieve the ireports:

# fmdump -Ivp -c 'ireport.os.sunos.net.datalink.*'

nvlist version: 0
class = ireport.os.sunos.net.datalink.mtu_mismatch
version = 0x0
uuid = f3832064-e83b-6ce8-9545-8588db76493d
pri = high
detector = fmd:///module/network-monitor
attr = (embedded nvlist)
nvlist version: 0
linkname = net0
linkid = 0x3
mtu = 0x1b58
(end attr)
__ttl = 0x1
__tod = 0x513a4f2e 0x279ba218

If a problem with your network occurs, or if you suspect degraded network performance, you can retrieve the ireports that are generated by the network-monitor module by using the fmdump command. These reports include the name of the datalink for which a potential problem was detected.
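
The nvlist output above carries the datalink name, the MTU, and the timestamp as separate fields, with numbers in hexadecimal. The following is an added example, not part of the course material, that condenses such output to one line per ireport; the function names and the second sample report are constructed, and it assumes that each report runs from its "class =" line to its "__tod =" line and that the first __tod word is seconds since the epoch.

```shell
#!/bin/sh
# Added example: condense fmdump nvlist output (read on stdin) into one line
# per ireport, converting the hexadecimal fields to decimal.

ireport_summary() {
    awk '
    # Portable hex-to-decimal conversion (strtonum is a gawk extension).
    function hex2dec(h,    i, d, n) {
        sub(/^0[xX]/, "", h); h = tolower(h); n = 0
        for (i = 1; i <= length(h); i++) {
            d = index("0123456789abcdef", substr(h, i, 1)) - 1
            if (d < 0) return -1          # not a hex string
            n = n * 16 + d
        }
        return n
    }
    # Fields look like "key = value [value...]"; indentation is ignored.
    $2 == "=" {
        # A class line starts a new report; unknown fields default to "-".
        if ($1 == "class")    { cls = $3; pri = link = "-"; mtu = "-" }
        if ($1 == "pri")      pri  = $3
        if ($1 == "linkname") link = $3
        if ($1 == "mtu")      mtu  = hex2dec($3)
        # __tod closes the report (assumed: first word is epoch seconds).
        if ($1 == "__tod" && cls != "") {
            printf "%s pri=%s link=%s mtu=%s epoch=%d\n", \
                cls, pri, link, mtu, hex2dec($3)
            cls = ""
        }
    }'
}

# The report shown on the page, followed by a constructed report that has no
# mtu field (its class name is a placeholder, not a real event class).
sample_ireports() {
    cat <<'EOF'
nvlist version: 0
class = ireport.os.sunos.net.datalink.mtu_mismatch
version = 0x0
uuid = f3832064-e83b-6ce8-9545-8588db76493d
pri = high
detector = fmd:///module/network-monitor
attr = (embedded nvlist)
nvlist version: 0
linkname = net0
linkid = 0x3
mtu = 0x1b58
(end attr)
__ttl = 0x1
__tod = 0x513a4f2e 0x279ba218
nvlist version: 0
class = ireport.example.constructed
version = 0x0
pri = low
detector = fmd:///module/network-monitor
__ttl = 0x1
__tod = 0x513a4f30 0x0
EOF
}

sample_ireports | ireport_summary
```

On a live system the function would read the output of the fmdump command shown on the slide instead of the embedded sample.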



Viewing Statistics of the network-monitor Fault
Management Module
Use the fmstat command to view statistics that are kept by the network-monitor fault management module:

# fmstat -m network-monitor

NAME                    VALUE   DESCRIPTION
mtu-mismatch.allocerr   0       memory allocation errors
mtu-mismatch.enabled    true    operating status for mtu-mismatch
mtu-mismatch.nprobes    7       number of transmitted ICMP probes
mtu-mismatch.procerr    0       errors processing datalinks
sysev_drop              0       number of dropped sysevents
vlan-mismatch.enabled   true    operating status for vlan-mismatch

The fmstat command reports fault management module statistics. You can also use the fmstat command to view statistics for diagnosis engines and agents that are currently participating in fault management, which includes the network-monitor transport module utility.


Quiz

Which command is used to enable a reactive network profile?


a. netadm enable -p <profile-type> Automatic
b. netadm -p <profile-type> Automatic
c. netadm enable -p <profile-type> DefaultFixed
d. netadm -p <profile-type> DefaultFixed

Answer: a


Quiz

Which command is used to display a network interface IP address?
a. ipadm show-ip interface
b. ipadm show-if interface
c. ipadm show-all interface
d. ipadm show-addr interface

Answer: d


Quiz

Which command is used to create an IPMP group?


a. dladm create-ipmp ipmp_name
b. ipadm create-group ipmp_name
c. dladm create-group ipmp_name
d. ipadm create-ipmp ipmp_name

Answer: d


Quiz

Which command is used to display IPMP group information?


a. ipmpstat -g
b. ipmpadm -g
c. ipmpcfg -g
d. ipmpconf -g

Answer: a


Quiz

A VNIC is a virtual network device with the same datalink interface as a physical interface.
a. True
b. False

Answer: a


Quiz

Which property controls maximum flow bandwidth?


a. speed
b. maxbw
c. threshold
d. maximum

Answer: b


Quiz

To use VNICs, a zone must be configured as what IP type?


a. Shared-IP
b. Exclusive-IP
c. Either shared or exclusive

Answer: b


Quiz

You have created an etherstub called stub2. You now want to create vnic1 and attach it to stub2. Which command(s) would you use to do this?
a. # dladm create-vnic1
b. # dladm create-vnic -l vnic1
c. # dladm create-vnic -l stub2 vnic0
d. # dladm create-vnic -l stub2 vnic1

Answer: d


Quiz

Which bridging protocols does Oracle Solaris 11 network support?
a. STP only
b. TRILL only
c. STP and TRILL

Answer: c


Quiz

Which command is used to display datalink statistics?


a. dladm
b. dlmon
c. dlstat
d. dlcfg

Answer: c


Summary

In this lesson, you should have learned how to:


• Describe the Oracle Solaris 11 network
• Perform basic network administration
• Configure the network virtualization feature
• Configure EVS
• Configure IPMP
• Configure link aggregation
• Configure a network bridge
• Configure ILB
• Manage network resources
• Use network monitoring tools

In this lesson, you were introduced to the Oracle Solaris 11 network, and then how to perform basic network administration. You then learned to configure the network virtualization features. You also had the opportunity to learn how to configure EVS, link aggregation, IPMP, network bridges, and ILB features. Finally, you were shown how to manage network resources and how to use the various network monitoring tools.


Practice 5-8: Overview

This practice covers using the new Oracle Solaris 11 utilities to monitor the network by using:
• The wireshark utility
• The dlstat command


Administering Oracle Solaris 11 Zones

Job Workflow
• Introducing New Features and Enhancements
• Managing Software Packages
• Installing
• Network Administration Enhancements
• Administering Zones
• ZFS Enhancements
• Security Enhancements

Before you begin the lesson, take a look at the job workflow in the slide diagram. So far, you
have learned how to install Oracle Solaris 11 OS using Text Installers, Live Media installers,
and AI.
You will now learn how to administer Oracle Solaris Zones.


Objectives

After completing this lesson, you should be able to:


• Describe the new features and enhancements of Oracle Solaris 11 Zones
• Configure an Oracle Solaris 10 zone
• Perform a virtual-to-virtual (V2V) migration of zones present in the source system
• Migrate a physical Oracle Solaris 10 system to an Oracle Solaris 10 Zone (P2V)
• Configure a nonglobal zone by using AI
• Configure an Oracle Solaris Kernel Zone
• Manage an Oracle Solaris Kernel Zone
• Monitor zone resource consumption

This lesson introduces you to the new features and enhancements of Oracle Solaris 11
Zones. You learn how to configure an Oracle Solaris 10 Zone in Oracle Solaris 11 and
migrate Oracle Solaris 10 Zones from Oracle Solaris 10. You then learn to configure
nonglobal zones by using AI. You also have an opportunity to configure and manage an Oracle
Solaris Kernel Zone. Finally, you learn how to monitor zone resource consumption.


Agenda

• Introducing Oracle Solaris 11 Zones
• Configuring an Oracle Solaris Kernel Zone
• Managing an Oracle Solaris Kernel Zone
• Migrating Oracle Solaris 10 Zones
• Configuring zones by using AI
• Monitoring zone resource consumption


Oracle Solaris 11 Zones

[Figure: Before consolidation, Host 1, Host 2, and Host 3 each run one application (App 1,
App 2, App 3) on its own NIC port (1 Gb, 1 Gb, 100 Mb). After consolidation, ZONE 1, ZONE 2,
and ZONE 3 each use a VNIC (1 Gb, 300 Mb, 100 Mb) on a single 10 Gb physical NIC port.]

Oracle Solaris Zones is an OS virtualization feature in Oracle Solaris with a long and
distinguished pedigree. One of the most highly adopted, highly used, mature virtualization
technologies, Oracle Solaris Zones was first introduced as a core part of Oracle Solaris 10. In
Oracle Solaris 11, Oracle Solaris Zones become even more central to both the application
and the end user. Enhancements and new features include:
• Integration into the new packaging system (IPS)
• Support for Oracle Solaris 10 Zones
• Integration with the new Oracle Solaris 11 network stack architecture
• Improved observability
• Increased control over administration
• Tight integration with ZFS


Zones: New Features

Zones Feature: Description

Solaris 10 Zones: Solaris 10 Zones host Solaris 10 user environments inside zones on
Oracle Solaris 11.
Boot environments for zones: Boot environments are integrated with Oracle Solaris Zones.
IPS integration: Oracle Solaris Zones have been integrated with the new IPS package
management tools in Oracle Solaris 11.
Zone resource monitoring: Oracle Solaris 11 features a robust zones resource monitoring
utility, zonestat.
Delegated administration: Delegate common zone administration tasks for specific zones to
different administrators by using Role-Based Access Control.
Zones on shared storage: Configure, install, and run Oracle Solaris Zones hosted directly on
arbitrary storage device objects, such as Fibre Channel or iSCSI targets.
NFS server in nonglobal zones: Nonglobal zones now support NFS servers.
New unavailable zone state: This state indicates that the zone has been installed, but cannot
be verified, made ready, booted, attached, or moved.

The table in this slide lists the new features of Oracle Solaris 11 Zones.
Oracle Solaris 10 Zones
Oracle Solaris 10 Zones host Oracle Solaris 10 user environments inside zones on Oracle
Solaris 11. They are meant to help maintainers of Oracle Solaris 10 systems consolidate their
production environments onto systems running Oracle Solaris 11. Workloads running within
Oracle Solaris 10 Zones can take advantage of the performance improvements made to the
Oracle Solaris 11 kernel and use some of the innovative technologies available only on
Oracle Solaris 11 (such as virtualized NICs). The Oracle Solaris 10 Zones support x86 and
SPARC Solaris 10 9/10 (or later released Oracle Solaris 10 update) Zones. Note that it is
possible to use an earlier update release if you first install the kernel patch 142909-17
(SPARC) or 142909-17 (x86/x64), or a later version.
Note: Starting with Oracle Solaris 11.1, the IPoIB Datalink Administration feature improves
the usability of zones on Infiniband. With this feature, IP over Infiniband (IPoIB) datalinks can
be configured under anet resources in the same way as VNICs using the zonecfg
command.
Boot Environments for Zones
Boot environments are integrated with Oracle Solaris Zones. Zone root file systems use Zone
Boot Environment (ZBE) datasets. When a new boot environment is created by cloning an
existing one, the base boot environment’s zones are also cloned into the new boot
environment.
IPS Integration
Oracle Solaris Zones have been integrated with the new IPS package management tools in
Oracle Solaris 11. Zones require an active network connection for their creation, and must be
manually updated (by using zoneadm attach -u) to stay in sync with the global zone, if
zones were detached. The pkg update command can also be run from the global zone to
update the nonglobal zones. Sparse root zones are not supported in Oracle Solaris 11.
Zone Resource Monitoring
Oracle Solaris 11 features a robust zones resource monitoring utility, zonestat. The
zonestat utility greatly enhances the observation of system resources consumed by Oracle
Solaris Zones. You can observe memory and CPU utilization, utilization of resource control
limits, and total utilization and per-zone utilization breakdowns over specified time periods.
Delegated Administration
With Oracle Solaris 11, you can delegate common zone administration tasks for specific
zones to different administrators by using Role-Based Access Control (RBAC). With
delegated administration, for each zone, a user or set of users may be identified with the
permissions to log in, manage, or clone that zone. These specific authorizations are
interpreted by the appropriate commands running in the global zone to allow access at the
correct authorization level to the correct user.
Zones on Shared Storage
With Oracle Solaris 11.1, the zones on shared storage feature enables you to configure,
install, and run Oracle Solaris Zones hosted directly on arbitrary storage device objects, such
as Fibre Channel or iSCSI targets. You can specify and configure the path to the device
directly by using the zonecfg(1M) command. The zone is then automatically encapsulated
into its own zpool. The aim is to simplify deployment, administration, and migration of Oracle
Solaris Zones.
NFS Server in Nonglobal Zones
In previous versions of Oracle Solaris, establishing an NFS share was not supported in
nonglobal zones as it required a privilege to be granted that is prohibited by the Oracle Zones
security model. With Oracle Solaris 11, NFS servers are now supported in a nonglobal zone.
If you want to disable shares within a zone, you can add PRIV_SYS_SHARE to the zone's set
of prohibited privileges.
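The delegated administration and NFS share settings described above can be reviewed per zone from its exported configuration. The following Python script is an added example, not part of the course material or Oracle's tooling: the sample text is constructed, and it assumes that zonecfg export writes delegated administrators as admin resources with user and auths properties, that limitpriv excludes a privilege with a leading ! or -, and that the default privilege set permits NFS sharing.

```python
"""Summarise delegated administrators and the NFS-share privilege in zonecfg export text."""

# Constructed sample in zonecfg export format; zone, user and path names are made up.
SAMPLE_EXPORT = """\
create -b
set brand=solaris
set zonepath=/zones/zone5
set autoboot=true
set ip-type=exclusive
set limitpriv=default,!sys_share
add anet
set linkname=net0
set lower-link=auto
end
add admin
set user=zadmin
set auths=login,manage
end
add admin
set user=oper1
set auths=login
end
"""


def parse_zonecfg_export(text):
    """Return (global properties, list of resource dicts) from export text."""
    props, resources, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("create"):
            continue
        if line.startswith("add "):
            if current is None:          # nested "add property" lines are skipped
                current = {"type": line[4:].strip()}
        elif line == "end":
            if current is not None:
                resources.append(current)
            current = None
        elif line.startswith("set "):
            key, _, value = line[4:].partition("=")
            value = value.strip().strip('"').strip("[]()")
            target = props if current is None else current
            target[key.strip()] = value
    return props, resources


def nfs_share_allowed(limitpriv):
    """True if the limitpriv value leaves sys_share available to the zone.

    Assumption: an unset limitpriv means the default set, which permits sharing.
    """
    tokens = [t.strip() for t in (limitpriv or "default").split(",") if t.strip()]
    granted = False
    for tok in tokens:
        name = tok.lstrip("!-").lower()
        # The text writes the privilege as PRIV_SYS_SHARE; zonecfg uses sys_share.
        if name.startswith("priv_"):
            name = name[5:]
        if tok[0] in "!-":
            if name == "sys_share":
                return False             # explicitly prohibited
        elif name in ("default", "all", "sys_share"):
            granted = True
    return granted


def audit_zone(text):
    """Collect the settings a reviewer checks for one zone."""
    props, resources = parse_zonecfg_export(text)
    admins = {}
    for res in resources:
        if res["type"] == "admin" and "user" in res:
            auths = [a.strip() for a in res.get("auths", "").split(",") if a.strip()]
            admins.setdefault(res["user"], []).extend(auths)
    return {
        "brand": props.get("brand"),
        "zonepath": props.get("zonepath"),
        "nfs_share_allowed": nfs_share_allowed(props.get("limitpriv")),
        "admins": admins,
    }


if __name__ == "__main__":
    report = audit_zone(SAMPLE_EXPORT)
    print("zonepath:", report["zonepath"])
    print("NFS sharing allowed:", report["nfs_share_allowed"])
    for user, auths in sorted(report["admins"].items()):
        print(f"delegated admin {user}: {', '.join(auths) or 'no auths'}")
```

To review a live zone, feed the function the text produced by zonecfg -z zonename export instead of the sample.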
unavailable Zone State
This state indicates that the zone has been installed, but cannot be verified, made ready,
booted, attached, or moved. A zone enters the unavailable state at the following times:
• When the zone’s storage is unavailable and svc:/system/zones:default begins,
such as during system boot
• When the zone’s storage is unavailable
• When archive-based installations fail after successful archive extraction
• When the zone’s software is incompatible with the global zone’s software, such as after
an improper -F (force) attach
The unavailable zone state allows pkg operations to work even if a zone’s storage is not
available. It is important for Oracle Solaris Zones on shared storage implementation.



Zones: New Features

Zones Feature: Description

Live zone reconfiguration: This enables configuration changes in a running zone without
the need to reboot, eliminating down time in service availability within the zone when
configuration changes are made.
Datalinks creation in nonglobal zones from the global zone: This feature enables
administrators to dynamically create VNICs, VLANs, and IP-over-InfiniBand partitions directly
in the nonglobal zone’s namespace from the global zone.

Live Zone Reconfiguration
Starting with the Oracle Solaris 11.2 release, you can make configuration changes in a running
zone without the need to reboot. Previously, administrators had to reboot a zone for a
configuration change to take effect. Live Zone Reconfiguration eliminates down time in
service availability within the zone when configuration changes are made. You can use this
feature to make the following changes in running nonglobal zones:
• Change resource controls
• Change network configuration
• Change the CPU resource pool
• Add or remove file systems
• Add or remove virtual and physical devices
Create Datalinks in Nonglobal Zones from the Global Zone
Starting from Oracle Solaris 11.2, you can create datalinks in nonglobal zones from the global
zone. This feature enables administrators to dynamically create VNICs, VLANs, and
IP-over-InfiniBand partitions directly in the nonglobal zone’s namespace from the global zone.
Link names are specified as <zonename>/<linkname> and the links are created directly in
the specified non-global zone.


Agenda

• Introducing Oracle Solaris 11 Zones
• Migrating Oracle Solaris 10 Zones
• Configuring zones by using AI
• Configuring an Oracle Solaris Kernel Zone
• Managing an Oracle Solaris Kernel Zone
• Monitoring zone resource consumption


Oracle Solaris 10 Zones

• A complete runtime environment for Oracle Solaris 10
  – Oracle Solaris 10 9/10 or later
• Supported on SPARC and x86 architectures
• Support 32-bit and 64-bit applications
• Virtual-to-virtual (V2V)
• Physical-to-virtual (P2V)
• Support only ZFS

The Oracle Solaris 10 zone is a complete runtime environment for Solaris 10 applications on
SPARC and x86 machines running the Oracle Solaris 10 9/10 operating system or later. You
must install the patches 119254-75 (SPARC) or 119255-75 (x86/x64), or later versions on
your Oracle Solaris 10 system before you create the archive to be used to install the zone.
The Oracle Solaris 10 Zones are supported on all SPARC and x86 architecture machines
that the Oracle Solaris 11 release has defined as supported platforms. The Solaris 10 zone
supports the execution of 32-bit and 64-bit Solaris 10 applications. Solaris 10 Zones include
the tools required to install an Oracle Solaris 10 system image into a zone.
You cannot install a Solaris 10 zone directly from a Solaris 10 media. A P2V capability is used
to directly migrate an existing system to a zone on a target system. The Oracle Solaris 10
zone also supports the tools used to migrate a Solaris 10 zone to an Oracle Solaris 10 zone.
The V2V process for migrating a Solaris 10 zone into an Oracle Solaris 10 zone supports the
same archive formats as P2V. The Oracle Solaris 10 zone supports the whole root zone
model. All of the required Oracle Solaris 10 software and any additional packages are
installed into the private file systems of the zone.


The zone must reside on its own ZFS dataset; only ZFS is supported. The ZFS dataset will be
created automatically when the zone is installed or attached. If a ZFS dataset cannot be
created, the zone will not be installed or attached. Note that the parent directory of the zone
path must also be a ZFS dataset or the file system creation will fail. Any script or program that
executes in an Oracle Solaris 10 zone should also work in a Solaris 10 zone.
A /dev/sound device cannot be configured into the Solaris 10 zone.

Zone Physical-to-Virtual and Virtual-to-Virtual Preflight Checker


The process of consolidating a system into a zone is referred to as physical-to-virtual (P2V). A
new preflight checker utility, zonep2vchk(1M), has been added to Oracle Solaris 11, which
can be run on the physical system before performing the P2V process to provide information
and identify any issues in advance. This utility can also generate a proposed zone
configuration based on the source system configuration and analyze any applications running
on the source system for potential issues.
Recursive ZFS Send
When you need to migrate one or more zones to another system, consider using the zfs
send and zfs receive commands. Depending on the scenario, it may be best to use
replication streams or recursive streams. A recursive stream package consists of the specified
dataset and its descendants. Similar to a replication stream, a recursive stream does not
include any unneeded intermediate snapshots. Additionally, administrators can now also
create entirely self-contained recursive streams. The following commands might be used to
generate a recursive zfs send stream without worrying about whether the zone is a clone of
another zone.

systemA# zfs snapshot -r rpool/zones/zone1@send-to-nfs
systemA# zfs send -rc rpool/zones/zone1@send-to-nfs > /net/nfssrv/export/scratch/zone1.zfs
systemB# zfs create tank/zones
systemB# zfs receive -d tank/zones < /net/nfssrv/export/scratch/zone1.zfs

Multiple Boot Environments for Oracle Solaris 10 Zones
Starting with the Oracle Solaris 11.2 release, Oracle Solaris 10 Zones support multiple boot
environments. Administrators have a greater degree of flexibility and safety when performing
patching operations within an Oracle Solaris 10 environment running on an Oracle Solaris 11
system. For more information, see the zones(5) and solaris10(5) man pages.
To activate a boot environment, set the com.oracle.zones.solaris10:activebe
property on the zone’s ROOT dataset as shown in the following:
# zfs set com.oracle.zones.solaris10:activebe=be_name zone/root/dataset
An installed Solaris 10 zone with more than one boot environment is required to have the
activebe property set. If the property is not set, or is set to a missing or invalid boot
environment name, the zone will transition to the unavailable state on the next zone or system
boot. To resolve this, the activebe property must be corrected, and the zone must be attached
with zoneadm attach.


Migrating Oracle Solaris 10 Zones (V2V)

1. Assess the Oracle Solaris 10 zone to be migrated.
2. Create an archive of the Oracle Solaris 10 zone to be migrated.
3. Prepare the Oracle Solaris 11 target system.
4. Migrate Solaris 10.

To migrate an Oracle Solaris 10 zone to Oracle Solaris 11, perform the following steps:
1. Assess the Oracle Solaris 10 zone to be migrated. An existing Oracle Solaris 10 8/11
system (or later released Solaris 10 update) can be directly migrated into an Oracle
Solaris 10 zone on an Oracle Solaris 11 system. Depending on the services performed
by the original system, you might need to manually customize the zone after it has been
installed. For example, the privileges assigned to the zone might need to be modified or
the network interface might be different. It is critical that you examine the source system and
collect the following information:
   - Host name
   - Host ID
   - Domain name
   - Running applications
   - Networking
   - Storage
   - Zone configuration


2. Create an archive of the Oracle Solaris 10 zone to be migrated. You have a variety of
methods available for creating the archive. The installer can accept the following archive
formats:
   - flar image
   - cpio archives
   - gzip compressed cpio archives
   - bzip2 compressed cpio archives
   - pax archives created with the -x xustar (XUSTAR) format
   - ufsdump level zero (full) backups
After you have created an archive, you must provide a method (such as NFS) for
transporting it to the target system.
3. Prepare the Oracle Solaris 11 target system. Before you can migrate the Solaris 10
zone, you must first prepare the target system. This normally involves:
   - Configuring the client side of the image transport
   - Configuring the Oracle Solaris 10 zone
4. Migrate the Solaris 10 zone. After performing the previous task, use the zoneadm
attach subcommand to migrate the Solaris 10 zone. Finally, after completing the
migration, you can perform the post-migration configuration based on the information
that you gathered when assessing the source system.


Migrating Oracle Solaris 10 Global Zones (P2V)

1. Assess the global zone to be migrated.
2. Create an archive of the global zone to be migrated.
3. Prepare the Oracle Solaris 11 target system.
4. Migrate the Solaris 10 global zone.

To migrate an Oracle Solaris 10 global zone to Oracle Solaris 11, perform the following steps:
1. Assess the global zone to be migrated. An existing Oracle Solaris 10 9/10 system (or a
Solaris 10 update released later) can be directly migrated into an Oracle Solaris 10 zone
on an Oracle Solaris 11 system. Depending on the services performed by the original
system, you might need to manually customize the zone after it has been installed. For
example, the privileges assigned to the zone might need to be modified or the network
interface might be different. It is critical that you examine the source system and collect the
following information:
   - Host name
   - Host ID
   - Domain name
   - Root password
   - Running applications
   - Networking
   - Storage


2. Create an archive of the global zone to be migrated. You have a variety of methods
available for creating the archive. The installer can accept the following archive formats:
   - flar image
   - cpio archives
   - gzip compressed cpio archives
   - bzip2 compressed cpio archives
   - pax archives created with the -x xustar (XUSTAR) format
   - ufsdump level zero (full) backups
After you have created an archive, you must provide a method (such as NFS) for
transporting it to the target system.
3. Prepare the Oracle Solaris 11 target system. Before you can migrate the global zone,
you must first prepare the target system. This normally involves configuring:
   - The client side of the image transport
   - The Oracle Solaris 10 zone
4. Migrate the Oracle Solaris 10 global zone. After performing the previous task, use the
zoneadm attach subcommand to migrate the Oracle Solaris 10 global zone. Finally,
after completing the migration, you can perform the post-migration configuration based
on the information that you gathered when assessing the source system.


Agenda

• Introducing Oracle Solaris 11 Zones
• Migrating Oracle Solaris 10 Zones
• Configuring zones by using AI
• Configuring an Oracle Solaris Kernel Zone
• Managing an Oracle Solaris Kernel Zone
• Monitoring zone resource consumption


Configuring Nonglobal Zones
by Using the Automated Installer (AI)
• AI supports nonglobal zone installation.
• AI manifest
• The configuration element
• The zone’s self-assembly SMF service

Oracle Solaris 11 supports nonglobal zone installation by using the Automated Installer (AI).
Nonglobal zones are installed and configured on first reboot after the global zone is installed.
When a system is installed by using AI, nonglobal zones can be installed on that system by
using the configuration element in the AI manifest.
When the system first boots after the global zone installation, the zone’s self-assembly SMF
service (svc:/system/zones-install:default) configures and installs each nonglobal
zone defined in the global zone AI manifest.


Specifying a Nonglobal Zone in the AI Manifest

...
</software>
<configuration type="zone" name="zone5" source="http://s11-server1.mydomain.com/zone_configs/zone5.cfg"/>
</ai_instance>
</auto_install>

The example in the slide shows an excerpt from an AI manifest file. The configuration
element is highlighted. You use the configuration element in the AI manifest for the client
system to specify nonglobal zones. Use the name attribute of the configuration element
to specify the name of the zone. Use the source attribute to specify the location of the
configuration file for the zone. The zone configuration file must be in the zonecfg export
format. AI copies this configuration file onto the installed client system to be used to configure
the zone. The source location can be any http:// or file:// location that the client can access
during installation.
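A check that can be run on a manifest before it is added to an install service, covering the configuration element rules described above. This Python script is an added example and not code from the course or from Oracle: the manifest text is constructed (only zone5 and its URL come from the slide), and the function names are hypothetical.

```python
"""List the zones an AI manifest declares and flag malformed configuration elements."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "file"}   # the two source schemes the text names

# Constructed manifest excerpt; only zone5 and its URL come from the slide.
SAMPLE_MANIFEST = """\
<auto_install>
  <ai_instance name="default">
    <software type="IPS"/>
    <configuration type="zone" name="zone5"
      source="http://s11-server1.mydomain.com/zone_configs/zone5.cfg"/>
    <configuration type="zone" name="zone6" source="file:///zone_configs/zone6.cfg"/>
    <configuration type="zone" name="zone6" source="file:///zone_configs/other.cfg"/>
    <configuration type="zone" name="zone8" source="ftp://files.example/zone8.cfg"/>
    <configuration type="zone" source="file:///zone_configs/zone9.cfg"/>
  </ai_instance>
</auto_install>
"""

# Constructed: the same element with typographic quotes, as happens when an
# excerpt is copied out of slides or a word processor.
CURLY_QUOTED = (
    '<auto_install><configuration type="zone" '
    "name=\u201czone5\u201d/></auto_install>"
)


def zone_configurations(manifest_xml):
    """Return (zones, problems); zones is a list of (name, scheme, source)."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError as exc:
        return [], [f"manifest is not well-formed XML: {exc}"]
    zones, problems, seen = [], [], set()
    for elem in root.iter("configuration"):
        if elem.get("type") != "zone":
            continue
        name, source = elem.get("name"), elem.get("source", "")
        scheme = urlparse(source).scheme
        if not name:
            problems.append(f"zone configuration for {source!r} has no name attribute")
        elif name in seen:
            problems.append(f"zone {name!r} is declared more than once")
        elif scheme not in ALLOWED_SCHEMES:
            problems.append(f"zone {name!r}: source {source!r} is not http:// or file://")
        else:
            seen.add(name)
            zones.append((name, scheme, source))
    return zones, problems


def fetched_over_network(zones):
    """Names of zones whose configuration file is retrieved over http at install time."""
    return [name for name, scheme, _ in zones if scheme == "http"]


if __name__ == "__main__":
    found, issues = zone_configurations(SAMPLE_MANIFEST)
    for name, scheme, source in found:
        print(f"{name}: {scheme} source {source}")
    for issue in issues:
        print("PROBLEM:", issue)
    print("fetched over the network:", fetched_over_network(found))
```

The list returned by fetched_over_network identifies the zone configuration files whose hosting server should be reviewed, because AI copies those files onto the client and uses them to configure the zone.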



Nonglobal Zone Configuration Files

• Zone configuration file
• AI manifest
  – zonename criteria keyword
• System configuration profile
  – zonename criteria keyword

The following files are used to configure and install nonglobal zones:
• Zone configuration file: The zone configuration file is the zone’s configuration in file
form from the output of the zonecfg export command. The location of the zone
configuration file is specified by the source attribute of the configuration element in the
AI manifest. AI copies this zone configuration file onto the installed client system to be
used to configure the zone.
• AI manifest (optional): This AI manifest for zone installation specifies the packages to
be installed in the zone, along with publisher information and certificate and key files as
necessary. To provide a custom AI manifest for a zone, you add the manifest to the
installation service that is installing the global zone. In the create-manifest
command, specify the zonename criteria keyword with the names of all zones that
should use this AI manifest. If you do not provide a custom AI manifest for a nonglobal
zone, the default AI manifest for zones is used.
• System configuration profile (optional): You can provide zero or more configuration
files for a nonglobal zone. These system configuration profiles are similar to the system
configuration profiles for configuring the global zone. You might want to provide system
configuration profile files to specify zone configuration such as users and the root
password for the zone administrator. To provide system configuration profile files for a
zone, add the configuration profiles to the installation service that is installing the global
zone. In the create-profile command, specify the zonename criteria keyword with
the names of all zones that should use this system configuration profile.
Adding a Nonglobal Zone Manifest and Profile

# installadm create-manifest -n custom_ai \
-f /manifests/zone_ai -c zonename="zone5"

# installadm create-profile -n custom_ai \
-f /manifests/zone5_profile.xml -p zone5_profile \
-c zonename="zone5"

# installadm list -c -m -p -n custom_ai

Service Name  Client Address     Arch  Image Path
------------  --------------     ----  ----------
custom_ai     08:00:27:85:C7:D9  i386  /export/ai/custom_ai

Manifest   Status  Criteria
--------   ------  --------
custom_ai  active  mac = 08:00:27:85:C7:D9
zone_ai    active  zonename = zone5

Profile          Criteria
-------          --------
client4_profile  mac = 08:00:27:85:C7:D9
zone5_profile    zonename = zone5

This slide shows an example of adding a nonglobal zone manifest and a profile to an existing
AI service named custom_ai.


Agenda

• Introducing Oracle Solaris 11 Zones
• Migrating Oracle Solaris 10 Zones
• Configuring zones by using AI
• Configuring an Oracle Solaris Kernel Zone
• Managing an Oracle Solaris Kernel Zone
• Monitoring zone resource consumption


Oracle Solaris Zone Brands

Oracle Solaris 11.2 supports the following zone brands:


• Oracle Solaris Zones (solaris):
  – Introduced in Oracle Solaris 10
  – Commonly called nonglobal zones or just zones
  – A complete runtime environment for applications
• Oracle Solaris 10 Zones (solaris10):
  – Known as solaris10 branded, nonglobal zones
  – Uses the BrandZ technology to run Oracle Solaris 10 applications on the Oracle
    Solaris 11 OS
• Oracle Solaris Kernel Zones (solaris-kz):
  – Introduced in Oracle Solaris 11.2
  – A feature enhancement that extends the functionality of the existing zones technology

Oracle Solaris 11.2 supports the following zone brands:
• Oracle Solaris Zones
• Oracle Solaris 10 Zones
• Oracle Solaris Kernel Zones


Overview of Kernel Zones

The Oracle Solaris Kernel Zones feature:



• Provides a full kernel and user environment within a zone


• Increases kernel separation between the host and the
global zone
• Provides greater flexibility in configuring and managing the
zone than a default solaris zone
• Requires installing the brand-solaris-kz package
• Enables management from the global zone by using
existing tools, such as zonecfg, zoneadm, and zlogin

The Oracle Solaris Kernel Zones feature provides a full kernel and user environment within a
zone, and also increases kernel separation between the host and the zone. The brand name
is solaris-kz. Kernel zones are managed from the global zone by using the existing tools
such as zonecfg, zoneadm, and zlogin.
As an administrator of a kernel zone, you have greater flexibility in configuring and managing
the zone than a default solaris zone administrator. For example, you can fully update and
modify the zone’s installed packages, including the kernel version, without being limited to the
packages installed in the global zone. You can manage storage private to the zone, create
and destroy ZFS pools, and configure iSCSI and CIFS. You can install solaris and
solaris10 zones within a kernel zone to produce hierarchical (nested) zones.
Kernel zones support suspend and resume operations. Migration is achieved by suspending a
kernel zone on one machine and resuming it on another.
To use Oracle Solaris Kernel Zones, the package brand-solaris-kz must be installed on
your system. To determine whether your machine supports kernel zones, first ensure that you
have installed Oracle Solaris 11.2 OS, and then run the virtinfo command on your
machine. For more information about the virtinfo command, refer to the virtinfo(1M)
man page.



System Requirements for Using
Oracle Solaris Kernel Zones
• Oracle Solaris OS version 11.2 or later
– For SPARC systems:
— SPARC T4 system with System Firmware 8.5.1 or newer
— SPARC T5, SPARC T6, or SPARC M6 systems with System
Firmware 9.2.1 or newer
– For x86 systems:
— Nehalem+ (Intel) or Barcelona+ (AMD) based machines with:
- CPU virtualization (such as VT-x) enabled in the BIOS
- Extended/Nested Page Table support, also referred to as EPT, NPT,
or Rapid Virtualization Indexing (RVI)
• Minimum of 8 GB of RAM
• Kernel zone brand package, brand/brand-solaris-kz
• ZFS ARC cache tuning on the host

Before configuring a kernel zone, you must verify that the kernel zone host hardware supports
the Oracle Solaris Kernel Zones feature. You can ensure kernel zone host hardware support
by performing the following steps:
1. Ensure that the hardware is optimized to run kernel zones.
2. Run the virtinfo command on the kernel zone host.
# virtinfo
NAME CLASS
logical-domain current
non-global-zone supported
kernel-zone supported



To ensure efficient performance, you must configure the kernel zone host to limit the system
ZFS Adaptive Replacement Cache (ARC). This value needs to be set only once on the host
when you are planning your kernel zone configuration.
As with any big memory application, the host should be configured to limit the ZFS ARC cache.
Failure to limit the host ZFS ARC cache can lead to low memory allocation failures. The
suggested value is one-half of what you would like the host ZFS resources to use. You must
reboot the kernel zone host for the changes to take effect.

For example, if you want ZFS to use <2 GB of memory, you should set ARC cache to 1 GB.
global# echo "set zfs:zfs_arc_max=0x40000000" >> /etc/system
global# reboot
For more information about ZFS ARC tuning, refer to:
http://docs.oracle.com/cd/E36784_01/html/E36845/chapterzfs-1.html#scrolltoc
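
The host checks above can be scripted. The following is an added example, not part of the Oracle course material: it checks captured virtinfo output for the kernel-zone class and derives the zfs_arc_max line from a ZFS memory budget by using the one-half rule. The function names, the sample text, and the duplicate-setting check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: preflight helpers for a prospective kernel zone host.
# SAMPLE_VIRTINFO is constructed from the virtinfo output format shown in this lesson.
SAMPLE_VIRTINFO='NAME            CLASS
logical-domain  current
non-global-zone supported
kernel-zone     supported'

# kz_supported TEXT
# Succeeds only when the virtinfo output lists the kernel-zone class as supported.
kz_supported() {
    printf '%s\n' "$1" | awk '
        $1 == "kernel-zone" && $2 == "supported" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# arc_max_hex BUDGET_MB
# Prints zfs_arc_max in bytes (hex) as one-half of the memory, in MB, that the
# host ZFS is meant to use, following the sizing rule in the text.
arc_max_hex() {
    case $1 in
        ''|*[!0-9]*) echo "budget must be a whole number of MB" >&2; return 2 ;;
    esac
    [ "$1" -ge 2 ] || { echo "budget must be at least 2 MB" >&2; return 2; }
    printf '0x%x\n' $(( $1 / 2 * 1024 * 1024 ))
}

# etc_system_line BUDGET_MB
# Prints the tunable line in the form used by the echo command in the text.
etc_system_line() {
    hex=$(arc_max_hex "$1") || return 2
    printf 'set zfs:zfs_arc_max=%s\n' "$hex"
}

# arc_already_set FILE
# Succeeds when FILE already carries an active zfs_arc_max setting, so that a
# repeated ">>" append does not leave two conflicting lines. Lines that start
# with "*" are comments in /etc/system and are not counted.
arc_already_set() {
    grep -Eq '^[[:space:]]*set[[:space:]]+zfs:zfs_arc_max[[:space:]]*=' "$1"
}

# Demonstration on the constructed sample (does not modify /etc/system).
if kz_supported "$SAMPLE_VIRTINFO"; then
    echo "kernel zones supported; line for /etc/system: $(etc_system_line 2048)"
else
    echo "kernel zones not supported on this host" >&2
fi
```

On a real host, pass the output of virtinfo to kz_supported and run arc_already_set against /etc/system before appending the line.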



Configuring Kernel Zones

1. Install the kernel zone packages on the global zone and verify
the installation:
# pkg install brand/brand-solaris-kz
# pkg list brand/brand-solaris-kz

2. Create a new kernel zone configuration.
3. Add any additional kernel zone resources, such as CPUs,
memory, storage devices, and network devices.
4. Install the kernel zone by using the zoneadm -z <zonename>
install command.
5. Boot the kernel zone by using the zoneadm -z <zonename>
boot command.
6. Log in to the zone by using the zlogin -C <zonename>
command.

Kernel zone resources are mechanisms for managing system and CPU resources. Resources
are set when planning a zone configuration. Note that some resources on the kernel zone
differ from what is available in solaris and solaris10 zones. For example, there is no
support for the max-processes, fs-allowed, and ip-type resources in solaris-kz
zones.
• CPU resources: By default, a kernel zone is given one virtual CPU upon creation,
which you can modify by using the virtual-cpu resource. Use the dedicated-cpu
zonecfg resource property to dedicate a host CPU to the kernel zone.
• Kernel zone memory resources: You must allocate a fixed amount of physical RAM to
the kernel zone virtual platform by setting the kernel zone capped-memory resource.
The memory allocated is only for the exclusive use of the kernel zone.
• Kernel zone storage devices: A kernel zone uses a ZFS volume (zvol) in the global
zone’s root zpool as its storage device. By default, the zvol is 16 GB in size. You can add
other storage devices to a kernel zone by using the add device resource.
• Kernel zone network devices and configuration: Kernel zones are given network
access by adding net or anet resources. Exclusive-IP zones must be used for kernel
zones.



Configuring Kernel Zones

globalzone# zonecfg -z kzone1
Use 'create' to begin configuring a new zone.
zonecfg:kzone1> create -t SYSsolaris-kz
zonecfg:kzone1> add virtual-cpu
zonecfg:kzone1:virtual-cpu> set ncpus=8
zonecfg:kzone1:virtual-cpu> end
zonecfg:kzone1> info virtual-cpu
virtual-cpu:
    ncpus: 8
zonecfg:kzone1> add device
zonecfg:kzone1:device> set match=/dev/rdsk/c9t0d0
zonecfg:kzone1:device> set id=4
zonecfg:kzone1:device> end
zonecfg:kzone1> info device
device:
    match not specified
    storage.template: dev:/dev/zvol/dsk/%{global-rootzpool}/VARSHARE/zones/%{zonename}/disk%{id}
    storage: dev:/dev/zvol/dsk/rpool/VARSHARE/zones/kzone1/disk0
    id: 0

You use the SYSsolaris-kz template to create a kernel zone. This template mimics the
SYSdefault template, with an addition of the capped-memory resource.
Note: Unlike in Oracle Solaris Zones, zonepath cannot be set for a kernel zone. As an
implementation detail, it is set to a fixed location using tmpfs (7FS).
As the zone root is contained within the root ZFS volume, it is not mounted in the global zone
under the zone path, unlike traditional zones. Access to the zone root can be done only via
the zone itself (for example, zlogin).



Configuring Kernel Zones

(continued...)
    bootpri: 0
device:
    match: /dev/rdsk/c9t0d0
    storage not specified
    id: 4
    bootpri not specified
zonecfg:kzone1> select capped-memory
zonecfg:kzone1:capped-memory> set physical=2048m
zonecfg:kzone1:capped-memory> end
zonecfg:kzone1> add anet
zonecfg:kzone1:anet> set id=3
zonecfg:kzone1:anet> end
zonecfg:kzone1> verify
zonecfg:kzone1> commit
zonecfg:kzone1> exit

# zoneadm -z kzone1 verify

After a kernel zone is configured, you can verify it to ensure the following:
• The system has all the required properties for each resource
• The configured zone meets all its brand requirements



Agenda

• Introducing Oracle Solaris 11 Zones



• Migrating Oracle Solaris 10 Zones


• Configuring zones by using AI
• Configuring an Oracle Solaris Kernel Zone
• Managing an Oracle Solaris Kernel Zone
• Monitoring zone resource consumption


Installing a Kernel Zone

You install a kernel zone by using the zoneadm install
command through one of the following methods:
• Direct installation
• Media installation
• Alternate AI manifest or an alternate system configuration
profile

You install a kernel zone by using the zoneadm install command. All zones must be
configured before installation. You can install a kernel zone through one of the following
methods:
• Direct installation: A direct installation is the default kernel zone installation method,
where the installer:
- Runs on the host
- Creates and formats the kernel zone’s boot disk
- Installs solaris packages on that disk by using the global zone’s pkg publishers



• Media installation: The benefit of a media installation is that you can install a version of
Oracle Solaris that does not match that of the host. With a media installation, you boot
the kernel zone from the installation media. The kernel zone formats the root disk and
installs the packages.
global# zoneadm -z zonename install -b media-file
For a media installation, you can choose between:

– Text install
global# zoneadm -z kzone1 install -b \
/root/Oracle_Solaris_Text_X86.iso
– AI Install
global# zoneadm -z kzone1 install -m /root/aimanifest.xml \
-c /root/sysconfig.xml -b /root/Oracle_Solaris_AI_X86.iso
Note: Live media installation is not supported for kernel zones.
• Alternate AI manifest or alternate sysconfig profile: Use this method to install multiple
kernel zones with specific resource and package configurations separate from that of the
global zone.
– Use the zoneadm install command with the -m option to specify an alternate AI
manifest:
# zoneadm -z kzone1 install -m manifest
– Use the -c option to specify an alternate system configuration profile:
# zoneadm -z kzone1 install -c sysconfig-profile



Booting a Kernel Zone

To specify an alternative BE in a kernel zone:



1. Log in to the zone console.


# zlogin -C zonename

2. In a separate terminal window, list the available kernel
zone BEs.
# zoneadm -z zonename boot -- -L

3. Boot to a selected BE.
# zoneadm -z zonename boot -- -Z boot-environment



Cloning by Using zoneadm clone

In the following example, the kzone1 kernel zone is cloned to



the kzone2 kernel zone on the global host:


1. To create a clone, you must first halt that zone.
global# zoneadm -z kzone1 halt

2. Create a new zone configuration.
global# zonecfg -z kzone2 create -t kzone1

3. Clone the zone by using the zoneadm clone command.
global# zoneadm -z kzone2 clone kzone1

In the example in the slide, the kzone1 kernel zone is cloned to the kzone2 kernel zone on
the global host. After the zone cloning process is complete, you can configure and install
the zone with the zonecfg and zoneadm commands, respectively.



Suspending and Resuming a Kernel Zone

• The suspend operation is unique to kernel zones.



• You can suspend a kernel zone to disk by using the


zoneadm suspend command.
• The zoneadm suspend command places a kernel zone in
the suspended state.
• You can resume a suspended zone by invoking the
zoneadm boot command.
• Suspend and resume are supported only if a kernel zone
has the suspend resource property in its configuration.

global# zonecfg -z kzone1 info suspend
suspend:
    path: /system/zones/kzone1/suspend
    storage not specified

The suspend operation, which allows you to suspend a kernel zone to disk by using the
zoneadm suspend command, is unique to kernel zones.
You can resume a suspended zone by invoking the zoneadm boot command. Suspend and
resume are supported for a kernel zone only if the kernel zone has a suspend resource
property in its configuration. The kernel zone template, SYSsolaris-kz, provides the
suspend resource property by default. For example, the suspend information for the
kernel zone kzone1 is shown in the code box.



Migrating a Kernel Zone

The following example warm migrates the kzone1 zone onto



the new host:


1. On the global zone, suspend the file system on the kernel
zone to be migrated.
global# zoneadm -z kzone1 suspend

2. Detach the kernel zone file system on the global zone.
global# zoneadm -z kzone1 detach

3. Export the zone configuration and transfer the file onto the
new host.
global# zonecfg -z kzone1 export | ssh root@global2 \
zonecfg -z kzone1 -f -

The zoneadm suspend command allows migration of a kernel zone to other hosts by using the
suspend and resume options, as illustrated in the example in the slide. Note that the suspend
resource is configured to use Zones on Shared Storage (ZOSS), and both the host system and
the remote system can reach it.
Note that for step 3, you cannot ssh to root directly. So when you run the command, you will
get an error saying, “zonecfg command not found.” You need to permit ssh root login
first and make root a regular user in the user_attr file. Restart the ssh service for the
changes to take effect, and then the command will work.



Migrating a Kernel Zone

4. Attach the zone on the new host.



global2# zoneadm -z kzone1 attach

5. Boot the kernel zone on the new host to resume the
migrated zone.
global2# zoneadm -z kzone1 boot

Note that for zone migrations, a zone configuration must be portable across machines. Also, a
zone source and destination must be the same platform for a zone migration. On x86
systems, the vendor as well as the CPU revision must be identical. On SPARC, the hardware
platform must be the same. For example, you cannot migrate a kernel zone from a T4 to a T3
host.



Agenda

• Introducing Oracle Solaris 11 Zones



• Migrating Oracle Solaris 10 Zones


• Configuring zones by using AI
• Configuring an Oracle Solaris Kernel Zone
• Managing an Oracle Solaris Kernel Zone
• Monitoring zone resource consumption


Monitoring Zone Resource Consumption

The zonestat utility:



• Monitors zone resources:


– CPU consumption
– Memory consumption
– Resource control utilization
• Can print:
– A series of reports at specified intervals
– One or more summary reports
• Runs as a service in the global zone

The zonestat utility reports on the CPU, memory, and resource control utilization of the
currently running zones. Each zone’s utilization is reported as a percentage of both system
resources and the zone’s configured limits.
The zonestat utility prints a series of reports at specified intervals. It can print one or more
summary reports. When run from within a zone, only the processor sets that are visible to that
zone are reported. The zone output will include all of the memory resources and the limits
resource.
The zonestat service in the global zone must be online to use the zonestat service in the
zone. The zonestat service in each zone reads system configuration and utilization data
from the zonestat service in the global zone. The zonestatd system daemon is started
during system boot. The daemon monitors the utilization of system resources by zones as
well as zone and system configuration information, such as psrset processor sets, pool
processor sets, and resource control settings. There are no configurable components.



Monitoring Zone Memory Consumption

# zonestat -r physical-memory 5
Collecting data for first interval...
Interval: 1, Duration: 0:00:05
PHYSICAL-MEMORY SYSTEM MEMORY
mem_default 767M
ZONE USED %USED CAP %CAP
[total] 631M 82.2% - -
[system] 215M 28.1% - -
global 14.9M 1.94% - -
zone1 123M 15.8% - -
zone2 137M 18.3% - -

In the slide, you see a zonestat utility report on zone memory consumption. This example
shows a summary of utilization every five seconds.

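
A report like the one above can be screened automatically for zones that take an unusual share of a resource. The following is an added example, not part of the Oracle course material: it reads the text report printed by zonestat -r physical-memory and lists the zones at or above a threshold, and it goes beyond the slide by taking the column name as a parameter and by handling a series of intervals. The function names are assumptions, and the second interval in the sample is constructed.

```shell
#!/bin/sh
# Added example: flag zones whose share of a resource crosses a threshold in
# the text report printed by zonestat.
# Interval 1 is the report shown in this lesson; interval 2 is constructed to
# show how a series of reports is handled.
SAMPLE_REPORT='Collecting data for first interval...
Interval: 1, Duration: 0:00:05
PHYSICAL-MEMORY              SYSTEM MEMORY
mem_default                           767M
                ZONE  USED %USED   CAP  %CAP
             [total]  631M 82.2%     -     -
            [system]  215M 28.1%     -     -
              global 14.9M 1.94%     -     -
               zone1  123M 15.8%     -     -
               zone2  137M 18.3%     -     -
Interval: 2, Duration: 0:00:10
PHYSICAL-MEMORY              SYSTEM MEMORY
mem_default                           767M
                ZONE  USED %USED   CAP  %CAP
             [total]  705M 91.9%     -     -
            [system]  215M 28.1%     -     -
              global 14.9M 1.94%     -     -
               zone1  122M 15.9%     -     -
               zone2  353M 46.0%     -     -'

# zonestat_rows COLUMN TEXT
# Prints "interval zone value" for every row that has a numeric value in
# COLUMN. The column position is taken from each ZONE header line, so the
# same code reads %USED in a memory report or PCT in a processor set report.
zonestat_rows() {
    printf '%s\n' "$2" | awk -v want="$1" '
        BEGIN { n = 0 }
        $1 == "Interval:" { n = $2; sub(/,$/, "", n); in_rows = 0; next }
        $1 == "ZONE" {
            col = 0
            for (i = 2; i <= NF; i++) if ($i == want) col = i
            in_rows = (col > 0)
            next
        }
        in_rows && NF >= col {
            value = $col
            sub(/%$/, "", value)
            # Rows that show "-" (no cap configured) carry no number to compare.
            if (value ~ /^[0-9]+(\.[0-9]+)?$/) print n, $1, value
        }'
}

# zones_over COLUMN THRESHOLD TEXT
# Lists real zones (not the [total] and [system] pseudo rows) at or above
# THRESHOLD, one "interval zone value" line per hit.
zones_over() {
    zonestat_rows "$1" "$3" |
        awk -v limit="$2" '$2 !~ /^\[/ && $3 + 0 >= limit + 0'
}

# peak_total COLUMN TEXT
# Prints the interval and value of the highest [total] reading.
peak_total() {
    zonestat_rows "$1" "$2" | awk '
        $2 == "[total]" && $3 + 0 > max + 0 { max = $3; at = $1 }
        END { if (at != "") print at, max }'
}

# Demonstration on the sample: zones using 40% or more of physical memory.
zones_over '%USED' 40 "$SAMPLE_REPORT"
```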


Monitoring Zone CPU Consumption

# zonestat -r default-pset 1 1m

Interval: 8, Duration: 0:00:08


PROCESSOR_SET TYPE ONLINE/CPUS MIN/MAX
pset_default default-pset 1/1 1/1
ZONE USED PCT CAP %CAP SHRS %SHR %SHRU
[total] 0.35 35.4% - - - - -
[system] 0.02 2.20% - - - - -
global 0.31 31.1% - - - - -
zone1 0.01 1.12% - - - - -
zone2 0.00 1.05% - - - - -

In the slide, you see a zonestat utility report on zone CPU (processor sets) consumption.
This example shows a report on the default processor set (pset) once a second for one
minute.



Monitor Total and High
Zone Resource Consumption
# zonestat -q -R total,high 10s 1m 1m

Report: Total Usage


Start: Friday, August 5, 2014 08:20:53 AM PST
End: Friday, August 5, 2014 08:21:53 AM PST
Intervals: 6, Duration: 0:01:00
SUMMARY Cpus/Online: 1/1 PhysMem: 1568M VirtMem: 2592M
---CPU---- --PhysMem-- --VirtMem-- --PhysNet--
ZONE USED %PART USED %USED USED %USED PBYTE %PUSE
[total] 0.05 5.71% 622M 39.6% 789M 30.4% 2 0.00%
[system] 0.01 1.50% 453M 28.9% 630M 24.3% - -
global 0.03 3.90% 120M 7.70% 113M 4.38% 0 0.00%
zone1 0.00 0.19% 21.7M 1.38% 22.3M 0.86% 0 0.00%
zone2 0.00 0.12% 25.8M 1.65% 22.3M 0.86% 0 0.00%
Report: High Usage
Start: Friday, August 5, 2014 08:20:53 AM PST
End: Friday, August 5, 2014 08:21:53 AM PST
Intervals: 6, Duration: 0:01:00
SUMMARY Cpus/Online: 1/1 PhysMem: 1568M VirtMem: 2592M
---CPU---- --PhysMem-- --VirtMem-- --PhysNet--
ZONE USED %PART USED %USED USED %USED PBYTE %PUSE
[total] 0.06 6.19% 622M 39.6% 789M 30.4% 126 0.00%
[system] 0.01 1.74% 453M 28.9% 631M 24.3% - -
global 0.04 4.15% 120M 7.70% 113M 4.38% 0 0.00%
zone1 0.00 0.25% 21.7M 1.38% 22.3M 0.86% 0 0.00%
zone2 0.00 0.19% 25.8M 1.65% 22.3M 0.86% 0 0.00%

You can use the zonestat utility to report total and high zone resource utilization. In this
example, the zonestat utility silently monitors at 10-second intervals for one minute, and
then produces a report on the total and high utilizations.



Monitoring File System Statistics

# fsstat -z s10 -z s10u9 zfs tmpfs



new name name attr attr lookup rddir read read write write
file remov chng get set ops ops ops bytes ops bytes
93 82 6 163K 110 507K 148 69.7K 67.9M 4.62K 13.7M zfs:s10
248 237 158 188K 101 612K 283 70.6K 68.6M 4.71K 15.2M zfs:s10u9
12.0K 1.90K 10.1K 35.4K 12 60.3K 4 25.7K 29.8M 36.6K 31.0M tmpfs:s10
12.0K 1.90K 10.1K 35.6K 14 60.2K 2 28.4K 32.1M 36.5K 30.9M tmpfs:s10u9

# fsstat -A -Z zfs tmpfs


new name name attr attr lookup rddir read read write write
file remov chng get set ops ops ops bytes ops bytes
360K 1.79K 20.2K 4.20M 1.02M 25.0M 145K 5.42M 2.00G 1.07M 8.10g zfs
359K 1.48K 20.1K 4.04M 1.02M 24.5M 144K 5.31M 1.88G 1.06M 8.08G zfs:global
93 82 6 74.8K 107 250K 144 54.8K 60.5M 4.61K 13.7M zfs:s10
248 237 158 90.2K 101 336K 283 53.0K 58.3M 4.71K 15.2M zfs:s10u9
60.0K 41.9K 17.7K 410K 515 216K 426 1022K 1.02G 343K 330M tmpfs
49.4K 38.1K 11.0K 366K 489 172K 420 968K 979M 283K 273M tmpfs:global
5.28K 1.90K 3.36K 21.9K 12 21.7K 4 25.7K 29.8M 29.9K 28.3M tmpfs:s10
5.25K 1.90K 3.34K 22.1K 14 21.6K 2 28.4K 32.1M 29.8K 28.2M tmpfs:s10u9

Reporting Per-Zone fstype Statistics for All Zones
The fsstat utility collects and prints kstats per zone, including aggregations. By default,
the utility reports an aggregate of all running zones. A per-fstype kstat is produced for
each zone. The global zone kstat reports its exclusive activity. The global zone can see the
kstats of all zones on the system. Nonglobal zones see only the kstats associated with
the zone in which the utility is run. A nonglobal zone cannot monitor file system activity in
other zones.
Use the -z option to report on file system activity per zone. Multiple -z options can be used
to monitor the activity in selected zones. Use the -A option to report aggregate file system
activity for the specified fstypes across all zones. This is the default behavior if neither the -z
nor the -Z option is used. When used with either the -z or the -Z option, the -A option
displays the aggregate for the specified fstypes across all zones on a separate line. Use the
-Z option to report file system activity in all zones on the system. This option has no effect if
used with the -z option. The option has no effect if used to monitor only mount points and not
fstypes.



Quiz

When creating an archive of the Oracle Solaris 10 zone to be
migrated to an Oracle Solaris 11 system, which of the following
archive formats is not supported?
a. zip
b. flar
c. gzip
d. cpio

Answer: a



Quiz

Which command is used to report zone CPU and memory
resource utilization?
a. zoneadm
b. zonestat
c. zoneprt
d. ztop

Answer: b



Summary

In this lesson, you should have learned how to:
• Describe the new zone features and enhancements
• Configure an Oracle Solaris 10 zone
• Perform a virtual-to-virtual migration of Oracle Solaris 10
Zones present in the source system (V2V)
• Migrate a physical Oracle Solaris 10 system to a Solaris 10
zone (P2V)
• Configure a nonglobal zone by using AI
• Configure an Oracle Solaris Kernel Zone
• Manage an Oracle Solaris Kernel Zone
• Monitor zone resource consumption

In this lesson, you were presented with the new features and enhancements of Oracle Solaris
11 Zones. You were shown the tasks to configure an Oracle Solaris 10 Zone in Oracle Solaris
11. You then learned how to migrate Oracle Solaris 10 Zones from Oracle Solaris 10. You
also learned that nonglobal zones can be installed by using AI services. Additionally, you
learned how to configure and manage an Oracle Solaris Kernel Zone. Finally, you learned how to
monitor zone resource consumption.



Practice 6: Overview

This practice covers the following topics:
• Migrating Oracle Solaris 10 Zones to Oracle Solaris 11
(V2V)
• Migrating Oracle Solaris 10 global zones to Oracle Solaris
11 (P2V)
• Configuring an Oracle Solaris Kernel Zone (demonstration)
• Deploying an Oracle Solaris Kernel Zone using unified
archive (demonstration)
• Monitoring zone resource utilization



Oracle Solaris 11 ZFS Enhancements

Job Workflow

Introducing New Features and Enhancements
Managing Software Packages
Installing
Network Administration Enhancements
Administering Zones
ZFS Enhancements
Security Enhancements

This lesson introduces you to the ZFS enhancements in Oracle Solaris 11. You learn how to
migrate data from a UFS file system to a ZFS file system. The lesson shows you how to split
a mirrored ZFS storage pool. You then learn how to identify ZFS snapshot differences and
how to use the Time Slider feature. You then learn to configure the ZFS deduplication feature.
Finally, you learn how to configure COMSTAR.



Objectives

After completing this lesson, you should be able to:



• Describe the new ZFS features and enhancements


• Split a mirrored ZFS storage pool
• Identify ZFS snapshot differences
• Configure ZFS deduplication
• Configure COMSTAR

This lesson introduces you to the ZFS enhancements in Oracle Solaris 11. You learn how to
migrate data from a UFS file system to a ZFS file system. The lesson shows you how to split a
mirrored ZFS storage pool. You then learn how to identify ZFS snapshot differences and how
to use the Time Slider feature. You then learn to configure the ZFS deduplication feature. Finally,
you learn how to configure COMSTAR.



Agenda

• Introducing Oracle Solaris 11 ZFS enhancements



• Migrating UFS and ZFS file systems


• Splitting a mirrored ZFS storage pool
• Identifying ZFS snapshot differences
• Configuring ZFS deduplication
• Configuring COMSTAR ble


Introducing Oracle Solaris 11 ZFS Enhancements

• ZFS is the default root file system.
• You can migrate UFS and ZFS file systems.
• You can split a mirrored ZFS storage pool.
• You can determine ZFS snapshot differences.
• You can use deduplication in ZFS to save storage space.
• COMSTAR targets for iSER, SRP, and FCoE are now supported.
• There is greater Microsoft interoperability with fully integrated CIFS support.
• You can share a ZFS file system by setting the new share.nfs property.
Several important ZFS features and enhancements have been introduced in the Oracle
Solaris 11 operating system.
• ZFS default root file system: ZFS is the default root file system for the Oracle Solaris
11 operating system. With a ZFS root pool, you do not have to worry about calculating
slice sizes for /, /var, /export, and so on only to find out you did not create them with
enough space (or with too much). With ZFS, they consume only as much space as they
need. ZFS reduces complexity by eliminating the need for multiple volume management
tools. Another benefit of having a ZFS root pool is that you can mirror your root file
system with very little effort.
• Migrating UFS and ZFS file systems: You can use the ZFS Shadow Migration feature
to migrate data from old UFS and ZFS file systems to new file systems while
simultaneously allowing access and modification of the new file systems during the
migration process.
• Splitting mirrored ZFS storage pools: A mirrored ZFS storage pool can be quickly
cloned as a backup pool.

• ZFS snapshot differences: A very useful feature has been implemented for ZFS in
Oracle Solaris 11, which allows you to list all file changes between two snapshots of a
ZFS file system.
• ZFS deduplication: Deduplication is the process of eliminating duplicate copies of data.
ZFS deduplication saves space and unnecessary I/O, which can lower storage costs
and improve performance. ZFS deduplication automatically avoids writing the same data
twice on your drive by detecting duplicate data blocks and keeping track of the multiple
places where the same block is needed.
• COMSTAR targets for iSER, SRP, and FCoE: Common Multiprotocol SCSI Target
(COMSTAR) is the software framework that enables the ability to turn any Oracle Solaris
host into a target device that can be accessed over a storage network. The COMSTAR
framework makes it possible for all SCSI device types (tape, disk, and the like) to
connect to a transport (such as Fibre Channel) with concurrent access to all logical unit
numbers (LUN) and a single point of management. Support for several protocols has
been added: iSCSI Extensions for RDMA (iSER) and SCSI RDMA Protocol (SRP) for
hosts that include an InfiniBand Host Channel Adapter, iSCSI, and Fibre Channel over
Ethernet (FCoE). Oracle Solaris DTrace probes have also been added to COMSTAR in
the SCSI Target Mode Framework (STMF) and SCSI Block Device (SBD).
• Greater Microsoft interoperability with fully integrated CIFS: Oracle Solaris 11
includes fully integrated Common Internet File System (CIFS). The CIFS, also known as
SMB, is the standard for Microsoft file-sharing services. The Oracle Solaris CIFS service
provides file sharing and MS-RPC administration services required for Windows-like
behavior for interoperability with CIFS clients, including many new features such as
host-based access control, which allows a CIFS server to restrict access to specific
clients by IP address, access control lists (ACLs) on shares, and synchronization of
client-side offline file caching during reconnection. Microsoft ACLs are also supported in
ZFS.


ZFS Shadow Data Migration

• Used for migrating data from one system to another
• Supported file system types:
– A local or remote ZFS file system to a target ZFS file system
– A local or remote UFS file system to a target ZFS file system
• Shadow migration method:
– Create an empty ZFS file system.
– Set the shadow property on an empty ZFS file system to
point to the file system to be migrated.
– Data from source file system is copied to the shadow file
system.
A common task for administrators is to migrate data from one system to another. In the most
abstract sense, this problem encompasses a large number of use cases, from replicating data
between servers to keeping user data on laptops in sync with servers. The ZFS Shadow Data
Migration feature in Oracle Solaris 11 OS provides a simple-to-use solution for moving data
quickly and safely between systems.
You can use the shadow migration feature to migrate file systems as follows:
• A local or remote ZFS file system to a target ZFS file system
• A local or remote UFS file system to a target ZFS file system
ZFS Shadow Data Migration uses a simple method that pulls the data to be migrated:
• Create an empty ZFS file system.
• Set the shadow property on an empty ZFS file system, which is the target (or shadow)
file system, to point to the file system to be migrated.
• Data from the file system to be migrated is copied over to the shadow file system.



Shadow Migration Considerations

• Source file system must be set to read-only.
• The target file system must be completely empty.
• Migration continues across reboots.
• Determine whether UID, GID, and ACL information is to be
migrated.
• Be patient.
• Use the shadowstat command to monitor shadow
migration activity.
When planning your shadow migration configuration, consider the following:
• The file system to be migrated must be set to read-only. If the file system is not set to
read-only, in-progress changes might not be migrated.
• The target file system must be completely empty.
• If the system is rebooted during a migration, the migration continues after the system is
booted.
• Access to directory content that is not completely migrated or access to file content that
is not completely migrated is blocked until the entire content is migrated.
• If you want the UID, GID, and ACL information to be migrated to the shadow file system
during an NFS migration, make sure that the name service information is accessible
between the local and remote systems. You might consider copying a subset of the file
system data to be migrated for a test migration to see that all the information is migrated
properly before completing a large migration of data over NFS.
• Migrating file system data over NFS can be slow, depending on your network
bandwidth. Be patient.

• You can use the shadowstat command to monitor a file system migration, which
provides the following data:
- The BYTES XFRD column identifies how many bytes have been transferred to the
shadow file system.
- The BYTES LEFT column fluctuates continuously until the migration is almost
complete. ZFS does not identify how much data needs to be migrated at the
beginning of the migration because this process might be too time-consuming.
- Consider using the BYTES XFRD and the ELAPSED TIME information to estimate
the length of the migration process.



Configuring ZFS Shadow Data Migration

# share -F nfs -o ro /export/UFS_data
# share -F nfs -o ro /export/ZFS_data

# pkg install shadow-migration
# svcadm enable shadowd

# zfs create -o shadow=nfs://s11-source/export/UFS_data \
rpool/export/shadow_UFS_data
# zfs create -o shadow=nfs://s11-source/export/ZFS_data \
rpool/export/shadow_ZFS_data
# shadowstat
                                        EST
                          BYTES   BYTES           ELAPSED
DATASET                   XFRD    LEFT    ERRORS  TIME
rpool/export/UFS_shadow   85.7M   77.75M  -       00:05:11
rpool/export/ZFS_shadow   -       -       -       00:05:12
No migrations in progress
The slide shows an example of setting up ZFS shadow data migration on a remote host
containing the file system to be migrated and the target host containing the shadow file
system.
Here, two remote file systems (UFS and ZFS) are exported as read-only NFS file systems.
On the target host, you must first install the shadow-migration software package. After the
package is installed, enable the shadowd service.
Finally, create an empty ZFS file system for each exported file system on the remote host. On
each ZFS shadow file system, set the shadow option to
nfs://remote_system/exported_file_system.
Run the shadowstat command on the target host to monitor shadow migration activity.
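
The estimate suggested earlier (use BYTES XFRD and ELAPSED TIME, because BYTES LEFT fluctuates) can be scripted. The following is an added example, not part of the course material: the shadow_eta function name, the operator-supplied source size in MB, and the sample rows (constructed from the output shown on the slide) are assumptions.

```shell
#!/bin/sh
# Added example: estimate shadow-migration throughput and time remaining.
# shadowstat does not know the total size up front, so the operator supplies
# the source file system size in MB (for example, from df on the source host).

# Constructed sample, modeled on the shadowstat rows shown on the slide.
SAMPLE_SHADOWSTAT='DATASET XFRD LEFT ERRORS TIME
rpool/export/UFS_shadow 85.7M 77.75M - 00:05:11
rpool/export/ZFS_shadow - - - 00:05:12'

# shadow_eta DATASET SOURCE_MB   (shadowstat text on stdin)
shadow_eta() {
    awk -v ds="$1" -v total="$2" '
        # Convert a size such as 512K, 85.7M or 1.2G to megabytes.
        function to_mb(v,    n, u) {
            n = v + 0
            u = substr(v, length(v), 1)
            if (u == "K") return n / 1024
            if (u == "M") return n
            if (u == "G") return n * 1024
            if (u == "T") return n * 1024 * 1024
            return n / 1048576          # no suffix: treated as bytes (assumption)
        }
        $1 == ds {
            found = 1
            split($NF, t, ":")          # ELAPSED TIME is the last column
            secs = t[1] * 3600 + t[2] * 60 + t[3]
            if ($2 == "-" || secs == 0 || to_mb($2) == 0) {
                print ds ": nothing transferred yet, no estimate"
                exit
            }
            xfrd = to_mb($2)
            rate = xfrd / secs          # MB per second so far
            left = total - xfrd
            if (left < 0) left = 0
            eta = int(left / rate)      # seconds remaining at the same rate
            printf "%s: %.2f MB/s, about %02d:%02d:%02d remaining\n", ds, rate, int(eta / 3600), int((eta % 3600) / 60), eta % 60
            exit
        }
        END { if (!found) { print ds ": not listed by shadowstat"; exit 1 } }
    '
}

# Example run against the constructed sample, assuming a 500 MB source.
printf '%s\n' "$SAMPLE_SHADOWSTAT" | shadow_eta rpool/export/UFS_shadow 500
```

On a live system the input would come from the shadowstat command itself; the rate is an average over the elapsed time, so the estimate drifts if throughput over NFS changes.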



Splitting a Mirrored ZFS Storage Pool

• Use the zpool split command to split a mirrored ZFS
storage pool.
• Splitting detaches a disk from a mirrored pool to create a
new pool.
• The new pool contents are identical to the original mirror
pool.
• By default, zpool split detaches the last disk.
• After splitting, the new pool must be imported to be
accessible.
A mirrored ZFS storage pool can be quickly cloned as a backup pool by using the zpool
split command. Currently, this feature cannot be used to split a mirrored root pool.
You use the zpool split command to detach disks from a mirrored ZFS storage pool to
create a new pool with one of the detached disks. The new pool will have identical contents to
the original mirrored ZFS storage pool. By default, a zpool split operation on a mirrored
pool detaches the last disk for the newly created pool. After the split operation, the new pool
must be imported to be accessible.



Splitting a ZFS Mirrored Pool: Example

# zpool create newpool mirror c7t2d0 c7t3d0
# zpool split -n newpool newpool1
would create 'newpool1' with the following layout:

        newpool1
          c7t3d0
# zpool split newpool newpool1
# zpool import newpool1
# zpool status
  pool: newpool
 state: ONLINE
  scan: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        newpool     ONLINE       0     0     0
          c7t2d0    ONLINE       0     0     0

  pool: newpool1
 state: ONLINE
  scan: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        newpool1    ONLINE       0     0     0
          c7t3d0    ONLINE       0     0     0
The slide shows an example of splitting a ZFS mirrored storage pool.
In this example, you create a mirrored pool (newpool). Then you run the zpool split -n
command to perform a “dry run” on the split operation. Next, you split the mirror to create the
newpool1 pool. Finally, you import the newpool1 pool and check ZFS pool status. The
status shows that the newpool and newpool1 pools each contain one disk from the original
mirrored ZFS pool.



Identifying ZFS Snapshot Differences

• You can determine ZFS snapshot differences by using the
zfs diff command.
• The zfs diff command gives a high-level description of
the differences between a snapshot and a descendent
dataset.
• The type of change is described along with the name of
the file:
– “+” indicates that the file was added in the later dataset.
– “-” indicates that the file was removed in the later dataset.
– “M” indicates that the file was modified in the later dataset.
– “R” indicates that the file was renamed in the later dataset.
In Oracle Solaris 11, you can determine ZFS snapshot differences by using the zfs diff
command. The zfs diff command gives a high-level description of the differences between
a snapshot and a descendent dataset. The descendent can be either a snapshot of the
dataset or the current dataset.
For each file that has undergone a change between the original snapshot and the
descendent, the type of change is described along with the name of the file. In the case of a
rename, both the old and new names are shown. The type of change follows any time stamp
displayed and is described with a single character (as listed in the slide).



Identifying ZFS Snapshot Differences: Example

# zfs snapshot newpool/mydata@before
# touch /newpool/mydata/newfile
# zfs snapshot newpool/mydata@after
# zfs list -r -t snapshot -o name,creation
NAME                            CREATION
newpool/mydata@before           Thu Oct 11 7:05 2012
newpool/mydata@after            Thu Oct 11 7:05 2012
rpool/ROOT/solaris@install      Mon Sep 10 14:49 2012
rpool/ROOT/solaris/var@install  Mon Sep 10 14:49 2012
# zfs diff newpool/mydata@before newpool/mydata@after
M       /newpool/mydata/
+       /newpool/mydata/newfile
This slide shows an example of identifying ZFS snapshot differences.
In the example, you take a before snapshot of the newpool/mydata ZFS file system. Then
you create a new file (newfile) in /newpool/mydata. You take another snapshot (after)
of the same ZFS file system and list the snapshots based on name and creation date. Finally,
you compare the before and after snapshots to determine the differences. Note that in the
zfs diff command output, “M” indicates that /newpool/mydata/ was modified and “+”
indicates that a file (/newpool/mydata/newfile) was added to the dataset later.
Note: The zfs snapshot command has a snap alias that provides abbreviated syntax for
the zfs snapshot command, as in the following example:
# zfs snap -r users/home@snap1
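
The change codes described above lend themselves to scripted review, for example to see what changed under a sensitive directory between two snapshots. The following is an added example, not part of the course material: the function names, the watched paths, and the sample output (constructed by extending the slide's output with a removal, a rename, and a second modification) are assumptions, and the output is assumed to be produced without time stamps.

```shell
#!/bin/sh
# Added example: summarize `zfs diff` output and flag changes under a watched path.
# Assumed line format (no time stamps):
#   <type><whitespace><path>     and, for renames:   R <old path> -> <new path>
# A file name that itself contains " -> " would be misread as a rename target.

# Constructed sample; fields are tab-separated.
SAMPLE_DIFF=$(printf '%s\t%s\n' \
    'M' '/newpool/mydata/' \
    '+' '/newpool/mydata/newfile' \
    '-' '/newpool/mydata/old.log' \
    'R' '/newpool/mydata/a.conf -> /newpool/mydata/b.conf' \
    'M' '/newpool/mydata/bin/tool')

# diff_summary: count changes by type (zfs diff text on stdin).
diff_summary() {
    awk '
        { type = substr($0, 1, 1) }
        type == "+" { added++ }
        type == "-" { removed++ }
        type == "M" { modified++ }
        type == "R" { renamed++ }
        END {
            printf "added=%d removed=%d modified=%d renamed=%d\n",
                   added, removed, modified, renamed
        }'
}

# diff_watch PREFIX: print every change whose path (or rename source or
# rename destination) starts with PREFIX.
diff_watch() {
    awk -v prefix="$1" '
        /^[-+MR][ \t]/ {
            type = substr($0, 1, 1)
            rest = $0
            sub(/^[-+MR][ \t]+/, "", rest)
            src = rest
            dst = ""
            if (type == "R" && (i = index(rest, " -> ")) > 0) {
                src = substr(rest, 1, i - 1)
                dst = substr(rest, i + 4)
            }
            if (index(src, prefix) == 1 || (dst != "" && index(dst, prefix) == 1))
                print type, rest
        }'
}

# Example run against the constructed sample.
printf '%s\n' "$SAMPLE_DIFF" | diff_summary
printf '%s\n' "$SAMPLE_DIFF" | diff_watch /newpool/mydata/bin/
```

On a live system the input would be the output of zfs diff for two snapshots, such as the before and after snapshots in the slide.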



Using Time Slider

• Time Slider provides a graphical way for Oracle Solaris
desktop users to restore individual files or directories from
automatically scheduled, incremental snapshots of home
directories.
• After it is activated and set up, Time Slider takes a
snapshot of every ZFS file system every 15 minutes, by
default.
Time Slider provides the ability for users to quickly take ZFS snapshots of their home
directories automatically and manually as required. Snapshots can be viewed graphically over
time with Oracle Solaris ZFS snapshot file manager integration to identify accidentally
modified or deleted files.
The snapshots taken by Time Slider can be deleted again over time, such that only one
snapshot is kept for each of the preceding 24 hours, one for each of the preceding seven
days, and one for each previous week that the Time Slider service was running.
Time Slider snapshot services can automate periodic snapshots for any ZFS file system,
including boot environments, even on nondesktop systems. However, the desktop/time-slider
package does require that the desktop-incorporation package be installed, even if the
Oracle Solaris Desktop will not be used on that machine.



Enabling and Disabling Time Slider

1. Open the Time Slider preferences pane by choosing
System > Administration > Time Slider.
2. Select the Enable Time Slider check box to enable the
Time Slider.
3. Deselect the Enable Time Slider check box to disable the
Time Slider.
4. Click OK.


ZFS Deduplication

• Is the process of identifying redundancies within a dataset
and eliminating them
• Significantly shrinks storage requirements and improves
bandwidth efficiency
• Enables data deduplication at the block level
• Is synchronous
• Benefits these applications:
– Backup to disk storage
– Mail servers
– File servers
– Virtualization storage
Deduplication is the process of identifying redundancies within a dataset and eliminating
them. Eliminating redundant data can significantly shrink storage requirements and improve
bandwidth efficiency. Because primary storage has become cheaper over time, enterprises
typically store many versions of the same information so that new work can reuse old work.
Some operations, such as backup, store extremely redundant information. Deduplication
lowers storage costs because fewer disks are needed, and shortens backup/recovery times
because there can be far less data to transfer.
In Oracle Solaris 11, ZFS deduplication automatically avoids writing the same data twice on
your drive by detecting duplicate data blocks and keeping track of the multiple places where
the same block is needed. With ZFS deduplication, data can be deduplicated at the level of
files, blocks, or bytes. ZFS deduplication is synchronous. It instantly removes redundant data
during writes, without the need for background deduplication processes.



Here are some applications that typically benefit from ZFS deduplication:
• Backup to disk storage: On systems with many users, backing up user files to disk
storage has a potential for multiple copies of the same data, such as applications,
system files, documents, images, and videos.
• Mail servers: Mail servers are classic examples of data duplication. When a user sends
a mail attachment to a mailing list on the network, the mail server maintains a copy of
the same attachment for each recipient. Only one copy of the attachment is really
necessary.
• File servers: When users collaborate on projects, they might end up storing many
documents multiple times.
• Virtualization storage: Server virtualization, such as Solaris zones, is another area with
much duplicate data. Multiple installations of the same virtualized operating system
share the same kernel, libraries, system files, and applications.
When you run these types of applications on deduplication-enabled ZFS file systems, data is
stored only once.



ZFS Deduplication Properties

• One new ZFS file system property: dedup
• Two new ZFS pool properties
– dedupratio
– dedupditto

To support the deduplication feature, Oracle Solaris 11 adds new properties to ZFS.
ZFS has a new ZFS file system property, dedup, to support deduplication. You use the
deduplication (dedup) property to remove redundant data from your ZFS file systems. If a file
system has the dedup property enabled, duplicate data blocks are removed synchronously.
The result is that only unique data is stored and common components are shared between
files. When dedup is enabled, the dedup checksum algorithm overrides the checksum
property. Setting the value to verify is equivalent to specifying sha256 for the checksum
property. If the property is set to verify and two blocks have the same signature, ZFS does
a byte-for-byte comparison with the existing block to ensure that the contents are identical.
ZFS has two new ZFS pool properties to support deduplication: dedupratio and
dedupditto. The dedupratio property is a read-only value used as a multiplier that
indicates the deduplication ratio achieved for a ZFS pool. The dedupditto property sets a
deduplication copy threshold. If the reference count for a deduped block goes above this
threshold, another ditto copy of the block is stored automatically.
By telling ZFS to store an additional copy after a specific number of references, you build in
some redundancy just in case the original block gets checksum errors.



ZFS Deduplication: Example

# zpool list
NAME       SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
newpool   1.07G   169K  1.07G   0%  1.00x  ONLINE  -
newpool1  1.07G   130K  1.07G   0%  1.00x  ONLINE  -
rpool     15.9G  4.12G  11.8G  25%  1.00x  ONLINE  -
# zpool get all newpool|grep dedup
newpool  dedupditto  0      default
newpool  dedupratio  1.00x  -
# zfs get all newpool/mydata|grep dedup
newpool/mydata  dedup  off  default
# zfs set dedup=on newpool/mydata
# zfs get all newpool/mydata|grep dedup
newpool/mydata  dedup  on   local
# cp /opt/ora/iso/sol-11_1-ai-x86.iso /newpool/mydata/dir1
# cp /opt/ora/iso/sol-11_1-ai-x86.iso /newpool/mydata/dir2
# cp /opt/ora/iso/sol-11_1-ai-x86.iso /newpool/mydata/dir3
# zpool list
NAME       SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
newpool   1.07G   302M   794M  27%  3.00x  ONLINE  -
newpool1  1.07G   130K  1.07G   0%  1.00x  ONLINE  -
rpool     15.9G  4.12G  11.8G  25%  1.00x  ONLINE  -
# zpool get all newpool|grep dedup
newpool  dedupditto  0      default
newpool  dedupratio  3.00x  -
In the example in this slide, you check the ZFS properties to determine whether deduplication
has been enabled. The properties show that deduplication is currently disabled. Next, you
enable deduplication. You copy the same file to the three different directories in the file
system that has deduplication enabled. Finally, you recheck the ZFS properties and find that
the deduped file system has a deduplication factor of 3.
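
The 3.00x figure follows from counting block references against unique blocks. The following is an added example, not part of the course material, that models this for a directory tree: the dedup_estimate function name, the fixed block size, the use of sha256sum, and the tiny demo files are assumptions, and real ZFS block sizes vary, so the result is only an estimate.

```shell
#!/bin/sh
# Added example: estimate a block-level deduplication ratio for a directory tree.
# Model (assumptions): every file is cut into fixed-size blocks, each block is
# identified by its SHA-256 checksum, and ratio = block references / unique blocks.
# DITTO_THRESHOLD mirrors the dedupditto idea: it counts the unique blocks whose
# reference count is above the threshold (0 disables the count).

# dedup_estimate DIR [BLOCKSIZE_BYTES] [DITTO_THRESHOLD]
dedup_estimate() {
    dir=$1
    bs=${2:-131072}
    ditto=${3:-0}
    command -v sha256sum >/dev/null 2>&1 || {
        echo "sha256sum not found" >&2
        return 2
    }
    work=$(mktemp -d) || return 1

    # Cut every file into blocks; each file gets its own prefix so that
    # blocks of different files never overwrite each other.
    i=0
    find "$dir" -type f | while IFS= read -r f; do
        i=$((i + 1))
        split -b "$bs" -a 6 "$f" "$work/f$i."
    done

    # Checksum each block, count references per checksum, then total them.
    find "$work" -type f -exec sha256sum {} + |
        awk '{ print $1 }' | sort | uniq -c |
        awk -v ditto="$ditto" '
            {
                total += $1
                unique++
                if (ditto > 0 && $1 > ditto) over++
            }
            END {
                ratio = unique ? total / unique : 1
                printf "total=%d unique=%d ratio=%.2fx ditto_candidates=%d\n",
                       total, unique, ratio, over
            }'
    rm -rf "$work"
}

# Constructed demo: three copies of the same 12-byte file, 4-byte blocks,
# mirroring the three ISO copies in the slide on a very small scale.
demo=$(mktemp -d)
for d in dir1 dir2 dir3; do
    mkdir "$demo/$d"
    printf 'AAAABBBBCCCC' > "$demo/$d/img"
done
dedup_estimate "$demo" 4 2
rm -rf "$demo"
```

The model compares checksums only; the verify setting described earlier adds a byte-for-byte comparison when two checksums match.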



Common Multiprotocol SCSI Target (COMSTAR)

Figure: Initiator Hosts; Storage Network; Oracle Solaris 11 host running COMSTAR; SCSI Targets
Common Multiprotocol SCSI Target (COMSTAR) is a software framework that provides
support for the iSCSI protocol. iSCSI is an Internet Protocol (IP)–based storage networking
standard for linking data storage subsystems. By carrying SCSI commands over IP networks,
the iSCSI protocol enables you to mount disk devices from across the network onto your local
system. On your local system, you can use the devices like block devices.
COMSTAR enables you to convert any Oracle Solaris 11 host into a SCSI target device. This
device can be accessed over a storage network by initiator hosts by using a SCSI Target
Mode Framework (STMF) to manage target storage devices. STMF provides the following
components:
• Port providers (or plug-ins): Implement protocols, such as Fibre Channel (FC) and
iSCSI
• Logical unit providers: Emulate various SCSI devices, such as disk and tape devices
• The management library (libstmf): Provides the COMSTAR management interface



The Oracle Solaris 10 release uses the iSCSI target daemon, the iscsitadm command, and
the ZFS shareiscsi property to configure iSCSI LUNs. In the Oracle Solaris 11 release,
COMSTAR:
• Supports different types of SCSI targets, not just the iSCSI protocol
• Uses ZFS volumes as backing store devices for SCSI targets by using one or more of its
supported protocols
Although the iSCSI target in COMSTAR is a functional replacement for the iSCSI target
daemon, no upgrade or update path exists to convert your iSCSI LUNs to COMSTAR LUNs.
Both the iSCSI target daemon and the shareiscsi property are not available in Oracle
Solaris 11. The following commands are used to manage iSCSI targets and LUNs.
• The itadm command manages SCSI targets.
• The srptadm command manages SCSI RDMA Protocol (SRP) target ports.
• The stmfadm command manages SCSI LUNs. Rather than setting a special iSCSI
property on the ZFS volume, create the volume and use stmfadm to create the LUN.


COMSTAR: Benefits and Limitations

• Benefits:
– The iSCSI protocol runs across existing Ethernet networks.
– Existing Fibre Channel devices can be connected to clients
without the cost of Fibre Channel HBAs.
– Systems with dedicated arrays can export replicated storage.
– There is no upper limit on the maximum number of
configured iSCSI target devices.
– You can connect to Fibre Channel or SAN environments.
• Limitations:
– There is no support for iSCSI devices that use SLP.
– iSCSI targets cannot be configured as dump devices.
– Transferring large amounts of data over your existing
network can affect performance.
Benefits of using COMSTAR include the following:
• The iSCSI protocol runs across existing Ethernet networks.
- You can use any supported network interface card (NIC), Ethernet hub, or
Ethernet switch.
- One IP port can handle multiple iSCSI target devices.
- You can use existing infrastructure and management tools for IP networks.
• Existing Fibre Channel devices can be connected to clients without the cost of Fibre
Channel HBAs.
• Systems with dedicated arrays can now export replicated storage with ZFS or UFS file
systems.
• There is no upper limit on the maximum number of configured iSCSI target devices.
• The protocol can be used to connect to Fibre Channel or iSCSI Storage Area Network
(SAN) environments with the appropriate hardware.
Current limitations or restrictions on using COMSTAR include the following:
• Support for iSCSI devices that use service locator protocol (SLP) is not currently
available.
• iSCSI targets cannot be configured as dump devices.
• Transferring large amounts of data over your existing network can adversely affect
performance.
Configuring COMSTAR

• Install the storage-server software package.



• Create an iSCSI LUN.


– Enable the stmf service.
– Identify a disk volume to serve as the SCSI target.
– Run the stmfadm utility to create a LUN.
– Make the LUN viewable to the initiators.
• Create the iSCSI target.
– Enable the target service.
– Run the itadm utility to create an iSCSI target.

Tasks required for configuring COMSTAR:
• Install the storage-server software package: This package contains all the software
required to configure SCSI targets. The storage-server software package is installed on
the system that provides the storage devices.
• Create an iSCSI LUN: This task is performed on the system that provides the disk
volumes. The disk volume provided by the server is referred to as the target. When the
LUN is associated with an iSCSI target, it can be accessed by an iSCSI initiator. This
task involves:
- Enabling the stmf service
- Identifying a disk volume to serve as the SCSI target
- Running the stmfadm utility to create a LUN
- Making the LUN viewable to the initiators
• Create the iSCSI target: This task is performed on the system that provides the disk
volumes. This task involves:
- Enabling the target service
- Running the itadm utility to create an iSCSI target



Configuring COMSTAR

• Configure an iSCSI initiator.



– Enable initiator service.


– Configure the target device discovery method.
– Reconfigure the /dev namespace to recognize the iSCSI
disk.
• Access the iSCSI disk.
– Use the format utility to identify the iSCSI LUN information.
– Create a ZFS file system on the iSCSI LUN.

• Configure an iSCSI initiator: This task is performed on the initiator client host. This
task involves:
- Enabling initiator service
- Configuring the target device discovery method
- Reconfiguring the /dev namespace to recognize the iSCSI disk
• Access the iSCSI disk: This task is performed on the initiator client host. This task
involves:
- Using the format utility to identify the iSCSI LUN information
- Creating a ZFS file system on the iSCSI LUN
For more information about COMSTAR configurations, refer to Oracle Solaris 11.1
Administration: Devices and File Systems.
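
The target-side and initiator-side tasks above as concrete commands, in an added example that is not part of the guide. The volume name, size, address, host group name and initiator IQN are constructed placeholders; the example also goes one step beyond the slide by binding the LUN view to a host group instead of making it viewable to every initiator.

```shell
#!/bin/sh
# Added example: the COMSTAR tasks as commands. Every value below is a
# constructed placeholder (an assumption), not a value from the guide.
VOL="rpool/export/iscsivol"      # ZFS volume used as the backing store
VOL_SIZE="2g"
TARGET_ADDR="192.0.2.10:3260"    # documentation address of the target host
HOST_GROUP="lab-initiators"      # hypothetical host group name
INITIATOR_IQN="iqn.1986-03.com.sun:01:constructed-example"

# Print each command by default; execute only when APPLY=1 is set.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Extract the GUID from the "stmfadm create-lu" output line
# "Logical unit created: <GUID>". Prints nothing for any other input.
lu_guid() {
    sed -n 's/^Logical unit created: *\([0-9A-Fa-f][0-9A-Fa-f]*\)$/\1/p'
}

# Tasks on the system that provides the disk volume.
target_tasks() {
    run pkg install group/feature/storage-server
    run svcadm enable stmf
    run zfs create -V "$VOL_SIZE" "$VOL"
    if [ "${APPLY:-0}" = "1" ]; then
        guid=$(stmfadm create-lu "/dev/zvol/rdsk/$VOL" | lu_guid)
        [ -n "$guid" ] || { echo "create-lu returned no GUID" >&2; return 1; }
    else
        echo "stmfadm create-lu /dev/zvol/rdsk/$VOL"
        guid="<GUID printed by create-lu>"
    fi
    # "stmfadm add-view GUID" with no options makes the LUN viewable to all
    # initiators. A host group limits the view to the listed initiator names.
    run stmfadm create-hg "$HOST_GROUP"
    run stmfadm add-hg-member -g "$HOST_GROUP" "$INITIATOR_IQN"
    run stmfadm add-view -h "$HOST_GROUP" "$guid"
    run svcadm enable -r svc:/network/iscsi/target:default
    run itadm create-target
}

# Tasks on the initiator client host.
initiator_tasks() {
    run svcadm enable network/iscsi/initiator
    run iscsiadm add discovery-address "$TARGET_ADDR"
    run iscsiadm modify discovery --sendtargets enable
    run devfsadm -i iscsi
    if [ -n "${ISCSI_DISK:-}" ]; then
        # ISCSI_DISK is the device name that format reports for the LUN.
        run zpool create iscsipool "$ISCSI_DISK"
    else
        echo "# run format, note the iSCSI LUN device, then set ISCSI_DISK"
    fi
}

# Usage: script target|initiator   (prefix with APPLY=1 to execute)
case "${1:-}" in
    target)    target_tasks ;;
    initiator) initiator_tasks ;;
esac
```

Run without APPLY=1 first and read the printed plan; the host group must contain the initiator node name of every client that is meant to see the LUN.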



Quiz

Which software package provides support for ZFS shadow data migration?
a. shadow
b. shadow-migration
c. zfs-shadow
d. zfs-migration

Answer: b


Quiz

Which command is used to monitor ZFS shadow data migration progress?
a. shadowadm
b. shadow
c. shadowstat
d. migrationstat

Answer: c


Quiz

ZFS deduplication is the process of identifying redundancies within a dataset and
eliminating them.
a. True
b. False

Answer: a


Quiz

Which property sets the deduplication copy threshold?
a. dedupratio
b. dedupmax
c. maxdedup
d. dedupditto

Answer: d


Quiz

Which software package provides support for iSCSI devices in Solaris 11?
a. comstar
b. iscsi
c. storage-server
d. iscsi-storage

Answer: c


Quiz

Which service must be enabled to create an iSCSI LUN?
a. iscsi
b. stmf
c. comstar
d. iscsitgt

Answer: b


Quiz

Which utility is used to create an iSCSI target?
a. iscsiadm
b. stmf
c. itadm
d. stmfadm

Answer: c


Summary

In this lesson, you should have learned how to:
• Describe the new ZFS features and enhancements
• Split a mirrored ZFS storage pool
• Identify ZFS snapshot differences
• Configure ZFS deduplication
• Configure COMSTAR

In this lesson, you were presented with the enhancements in the Oracle Solaris 11 ZFS file
system. You learned the concept of shadow migration using which you can migrate data from
a UFS file system to a ZFS file system. You then learned how to split a mirrored ZFS storage
pool to create new pools. In addition, you learned how to identify ZFS snapshot differences
and how to use the Time Slider feature to restore files and directories. You then learned to
configure the ZFS deduplication feature to eliminate dataset redundancies. Finally, you
learned how to configure COMSTAR to convert your Oracle Solaris 11 host into a SCSI target
device.


Practice 7 Overview:
Oracle Solaris 11 ZFS Enhancements
This practice covers the following topics:
• Migrating a ZFS file system
• Splitting a mirrored ZFS storage pool
• Identifying ZFS snapshot differences
• Configuring ZFS deduplication
• Configuring COMSTAR iSCSI target

Oracle Solaris 11 Security Enhancements

Job Workflow

[Slide diagram: job workflow. Stages shown: Introducing New Features and Enhancements;
Managing Software Packages; Installing; Network Administration Enhancements;
Administering Zones; ZFS Enhancements; Security Enhancements]

Before you begin the lesson, take a look at the job workflow in the slide diagram. So far, you
have learned about ZFS enhancements.
You will now learn about the enhancements made to security features of the Oracle Solaris 11
OS.


Objectives

After completing this lesson, you should be able to:
• Describe the new security features and enhancements
• Explore the Cryptographic Framework of Oracle Solaris
• Increase security for automated installations
• Encrypt ZFS data
• Manage read-only zones
• Use BART to audit system files
• Monitor the audit service

This lesson introduces you to the security enhancements in Oracle Solaris 11. You then
explore the Cryptographic Framework of Oracle Solaris. The lesson then shows how to
increase security for automated installations. You then learn how to encrypt ZFS data and
manage read-only zones. Additionally, you learn about BART, the file verification and
reporting tool. Finally, you learn how to monitor the audit service.


Agenda

• Oracle Solaris 11 security enhancements
• Cryptographic Framework
• Increase security for automated installations
• ZFS dataset encryption
• Managing read-only zones
• BART, the file verification and reporting tool
• Monitoring the audit service


Oracle Solaris 11 Security Enhancements

• Secure by Default
• Root account as a role
• RBAC kernel enhancements
• Cryptographic Framework
• ZFS dataset encryption
• Read-only zones
• BART, the file verification and reporting tool
• Labeled IPsec
• Trusted Extensions enhancements
• Auditing enhancements
• Pluggable Authentication Module (PAM) enhancements
• Kerberos enhancements
i ( sha ense
Several important security features and enhancements have been introduced with the release
of the Oracle Solaris 11 operating system, including the following:
• Secure by Default: Oracle Solaris 11 provides a fully Secure by Default environment.
Oracle Solaris Secure by Default reduces the attack surface of the Oracle Solaris OS by
disabling as many network services as possible while still leaving a useful system. In
this way, the number of exposed network services is dramatically reduced. With
automatic Secure by Default, network services are disabled by default or set to listen for
local system communications only.
• Root account as a role: Oracle Solaris 11 implements a role for root. The root as a
role option was first delivered in Solaris 8 (1998). In Oracle Solaris 11, this option is
enabled by default during installation. The advantage of root as a role is that it ensures
that administrative actions done by the root account are attributable to a real (unique)
person. Because you must have at least one user who is authorized to assume the
root role, a standard user account (which can assume that role) is automatically
created during the installation process. If you do not want this feature, you can revert to
Oracle Solaris 10 behavior by running the following command:
# rolemod -K type=normal root


• RBAC kernel enhancements: In Oracle Solaris 11, an in-kernel pfexec
implementation is used to execute administrative commands that require a higher
privilege level. Unlike in Oracle Solaris 10, in Oracle Solaris 11, the pfexec program is
no longer a privileged program; therefore, it cannot pass any privileges to other
programs. Instead, it sets a process execution mode flag that specifies that all
subsequent executions are subject to the Role-Based Access Control (RBAC) policy
specified in rights profiles. You use the usermod -P command to delegate
administrative rights to trusted users.
Unlike in Oracle Solaris 10, the process privileges of setuid-to-root binaries are also
specified by using RBAC. A new rights profile, Forced Privileges, specifies the required
privilege set for these applications, instead of granting all privileges. This significantly
reduces their potential to serve as an attack vector against the system.
Oracle Solaris 11 adds new privileges: file read, file write, and net access. These
privileges restrict read, write, and outbound network access. Additionally, a new rights
profile, Stop, removes default authorizations and execution rights from specific users,
facilitating the creation of restricted execution environments.
• Cryptographic Framework of Oracle Solaris: Cryptography is the science of
encrypting and decrypting data. Cryptographic services provide authentication and
encryption mechanisms to applications and users. Central to the Oracle Solaris
Cryptographic Framework is the pktool command. The pktool command enables
you to manage the certificates and keys on multiple keystores including PKCS#11
tokens, Netscape Security Services (NSS) tokens, and standard file-based keystores for
OpenSSL. Cryptographic Framework now supports the NSA Suite B algorithms.
• ZFS dataset encryption: When using ZFS dataset encryption, the ZFS dataset at rest
is encrypted, and can be mounted only by a user who can supply the cryptographic key
that is associated with the ZFS dataset. When the file system is mounted, it is no longer
cryptographically protected. Instead, normal Solaris access controls (ACLs, permission
bits, containment) apply. Encryption can be specified at the pool or dataset level
(per-mount point), and each dataset can have a unique encryption key. This is in contrast to
systems that do whole-disk encryption.
• BART, the file verification and reporting tool: BART is a file integrity scanning and
reporting tool that uses cryptographic-strength checksums and file system metadata to
determine changes. BART can help you detect security breaches or troubleshoot
performance issues on a system by identifying corrupted or unusual files. There is no
change to BART from Oracle Solaris 10 except that the hash used is now SHA256
instead of MD5. However, in addition to SHA256 being the default, you can also select
the hash algorithm.
• Labeled IPsec: When labeled processes in a multilevel secure operating system, such
as Oracle Solaris Trusted Extensions, communicate across system boundaries, their
network traffic needs to be labeled and protected. Traditionally, this requirement is met
by using a physically separate network infrastructure to ensure that data belonging to
different labeled domains stays in separate physical infrastructures. Labeled IPsec/IKE,
which is new in Oracle Solaris 11, enables customers to reuse the same physical
network infrastructure for labeled communications by transferring labeled data within
separate labeled IPsec security associations, removing the need for a redundant and
expensive physical network infrastructure.


• Trusted Extensions enhancements: To enable greater flexibility and security, Trusted
Extensions now enables per-label and per-user credentials allowing administrators to
require a unique password for each label. This password is in addition to the session
login password, thereby allowing administrators to set a per-zone encryption key for
each label of every user’s home directory. Trusted Extensions has now also added
support to explicitly set security labels on ZFS datasets, ensuring that ZFS file systems
for a specific security label cannot be mounted on a zone of a different label, and thus
cannot inadvertently upgrade or downgrade the classification of data. A new command,
tncfg(1M) has been introduced in Trusted Extensions, which allows administrators to
create, modify, and display configuration of networking properties related to Trusted
Extensions and to label network packets received from remote hosts.
In the Oracle Solaris 11.1 release, the following enhancements have been made to
Trusted Extensions:
- Support for multilevel ZFS has been added. It provides the capability for
fine-grained file labeling with Trusted Extensions, allowing a ZFS dataset to
contain files at various labels.
- IPv6 CALIPSO protocol option alongside the current Trusted Extensions IPv6
CIPSO has been implemented. By default, IPv6 will be enabled on Trusted
Extensions systems using Common Architecture Label IPv6 Security Option
(CALIPSO) as the security labeling protocol. This integration allows Oracle Solaris
to use the IETF’s CALIPSO standard for passing MAC labels in IPv6 for Trusted
Extensions.
- When Trusted Extensions is enabled, every zone is assigned a label. Previously,
the label for each zone had to be unique. Now it is possible for labeled zones to
share a common label. However, for backward compatibility, zones that previously
had unique labels are referred to as primary labeled zones. Additional zones that
are sharing the label of a primary labeled zone are called secondary labeled
zones. This feature provides greater flexibility when configuring the security policy
for labeled zones.
- Support for Oracle Solaris Trusted Extensions label policy specification to include
networking interfaces has been added using the Trusted Networking Extended
policy. It allows you to assign labels to network interfaces in the same manner as
the host label specification. It also helps to ensure that systems on the same
network use the same label policy. It also greatly increases the flexibility and
scalability of trusted network deployment.
• Auditing enhancements: Auditing is the collecting of data about the use of system
resources. The audit data provides a record of security-related system events. This data
can then be used to assign responsibility for actions that take place on a system.
Auditing is a basic requirement for security evaluation, validation, and certification
bodies. Auditing can also provide a deterrent to potential intruders.


• Pluggable Authentication Module (PAM) enhancements:
- PAM configuration: There is now support for PAM configuration using per-service
files in /etc/pam.d/ in addition to /etc/pam.conf. See pam.conf(4). This
feature allows configuration of the PAM architecture via per-service files in the
/etc/pam.d/ directory.
The traditional mechanism of configuring PAM via the single /etc/pam.conf configuration
file will still be supported and searched first, so these changes are backward compatible.
This new feature will allow better interoperability with operating systems that use
OpenPAM and Linux-PAM as well as better integration with IPS for self-assembly and
delivery.
- Per-user authentication policy via PAM: This feature adds the ability to
configure the PAM [see pam(3PAM)] stack on a per-user basis rather than the
current system-wide option provided by pam.conf(4). The path to the alternate
PAM policy can be specified either in a user’s extended attributes [see
user_attr(4)] or in a profile assigned to the user [see prof_attr(4) and
policy.conf(4)] using the new pam_policy keyword and a new PAM service
module named pam_user_policy(5). When pam_user_policy(5) is
configured in pam.conf(4), the PAM stack can be configured on a per-user basis.
The new user_attr(4) key named pam_policy can be set using the RBAC
utilities useradd(1M), usermod(1M), and profiles(1) to pam.conf(4)-formatted
files supplied by administrators with an absolute path, or one of the
default policies in /usr/lib/security/pam_policy can be chosen.
• Kerberos enhancements: Oracle Solaris Kerberos now supports multiple master Key
Distribution Centers (KDCs), such as Active Directory, when changing a Kerberos
principal’s password. This provides more reliability if there is more than one master KDC
and one of them is down. Now, the password-changing logic will try all the master KDCs
until the change succeeds or it fails with all of them. See the krb5.conf(4) man page
sections describing admin_server and kpasswd_server for more information.


Agenda

• Oracle Solaris 11 security enhancements
• Cryptographic Framework
• Increase security for automated installations
• ZFS dataset encryption
• Managing read-only zones
• BART, the file verification and reporting tool
• Monitoring the audit service


Oracle Solaris Cryptographic Framework

• Cryptography is the science of encrypting and decrypting data.
• Oracle Solaris Cryptographic Framework command scope:
– Administrator commands
– User commands
– Binary signatures for third-party software

Cryptographic services provide authentication and encryption mechanisms to applications
and users.
Note: Oracle Solaris Cryptographic Framework now supports the NSA Suite B algorithms and
Intel Advanced Encryption Standards – New Instructions (AES-NI). Starting from Oracle
Solaris 11.1, Cryptographic Framework also supports SHA-224, which is the SHA-2 hash
algorithm variant for 224-bit digests. SHA-224 is available as a stand-alone hash algorithm
and as part of the PKCS#11 cryptographic library implementation.
• Administrator commands: The framework provides commands for administrators, for
users, and for developers who supply providers. The cryptoadm command administers
a running Cryptographic Framework. The command is part of the Crypto Management
rights profile. This profile can be assigned to a role for secure administration of the
Cryptographic Framework. The cryptoadm command allows you to:
- Display cryptographic provider information
- Disable or enable provider mechanisms
- Disable or enable the metaslot



• User commands: The Oracle Solaris Cryptographic Framework provides user-level
commands to check the integrity of files, to encrypt files, and to decrypt files.
- digest command: Computes a message digest for one or more files or for
stdin. A digest is useful for verifying the integrity of a file. SHA1 and MD5 are
examples of digest functions.
- mac command: Computes a message authentication code (MAC) for one or more
files or for stdin. A MAC associates data with an authenticated message. A MAC
enables a receiver to verify that the message came from the sender and that the
message has not been tampered with. The sha1_hmac and md5_hmac
mechanisms can compute a MAC.
- encrypt command: Encrypts files or stdin with a symmetric cipher. The
encrypt -l command lists the algorithms that are available. Mechanisms that
are listed under a user-level library are available to the encrypt command. The
framework provides AES, DES, 3DES (Triple-DES), and ARCFOUR mechanisms
for user encryption.
- decrypt command: Decrypts files or stdin that were encrypted with the
encrypt command. The decrypt command uses the identical key and
mechanism that were used to encrypt the original file.
- pktool command: Enables you to manage the certificates and keys on multiple
keystores, including PKCS#11 tokens, Netscape Security Services (NSS) tokens,
and standard file-based keystore for OpenSSL
• Binary signatures for third-party software: The elfsign command provides a
means to sign providers to be used with the Oracle Solaris Cryptographic Framework.
Typically, this command is run by the developer of a provider. The elfsign command
has subcommands to request a certificate from Oracle and to sign binaries. Another
subcommand verifies the signature. Unsigned binaries cannot be used by the Oracle
Solaris Cryptographic Framework. Signing one or more providers requires the certificate
from Oracle and the private key that was used to request the certificate.


Administrative Command: Examples

# cryptoadm list

User-level providers:
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
Provider: /usr/lib/security/$ISA/pkcs11_tpm.so

Kernel software providers:
des
aes
arcfour
blowfish
camellia
ecc
sha1
sha2
md4
md5
rsa
swrand

The cryptoadm list command displays a list of the providers currently installed in the
system. Providers are cryptographic services that consumers use. Because providers plug in
to the framework, they are also called “plug-ins.” The cryptoadm list command separates
the providers into three categories: user-level providers, kernel software providers, and kernel
hardware providers.


Administrative Command: Examples

# cryptoadm list metaslot
System-wide Meta Slot Configuration:
------------------------------------
Status: enabled
Sensitive Token Object Automatic Migrate: enabled
Persistent object store slot: Sun Crypto Softtoken

# cryptoadm list -m provider=aes
aes: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,CKM_AES_CCM,CKM_AES_GCM,CKM_AES_GMAC,CKM_AES_CFB128,CKM_AES_XTS,CKM_AES_XCBC_MAC

# cryptoadm list -p provider=aes
aes: all mechanisms are enabled.

# cryptoadm disable provider=aes mechanism=CKM_AES_GMAC
# cryptoadm list -p provider=aes
aes: all mechanisms are enabled, except CKM_AES_GMAC.

# cryptoadm enable provider=aes mechanism=CKM_AES_GMAC
# cryptoadm list -p provider=aes
aes: all mechanisms are enabled.

The cryptoadm list metaslot command displays the system-wide configuration for a
metaslot. A metaslot is a single slot that presents a union of the capabilities of other slots that
are loaded in the framework. The metaslot eases the work of dealing with all of the
capabilities of the providers that are available through the framework. When an application
that uses the metaslot requests an operation, the metaslot figures out which actual slot should
perform the operation. Metaslot capabilities are configurable, but configuration is not required.
The metaslot is enabled by default.
The cryptoadm list -m command displays a list of mechanisms that can be used with the
installed providers or metaslot.
A mechanism is the application of a mode of an algorithm for a particular purpose.
Cryptographic algorithms are established, recursive, computational procedures that encrypt or
hash input. Encryption algorithms can be symmetric or asymmetric. Symmetric algorithms use
the same key for encryption and decryption. Asymmetric algorithms, which are used in
public-key cryptography, require two keys. Hashing functions are also algorithms. If a provider is
specified, the command displays the name of the specified provider and the mechanism list
that can be used with that provider. If the metaslot keyword is specified, the command
displays the list of mechanisms that can be used with the metaslot.


The cryptoadm list -p command displays the mechanism policy (that is, which
mechanisms are available and which are not) for the installed providers.
The cryptoadm disable and cryptoadm enable commands enable you to disable or
enable provider mechanisms.
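
A mechanism policy listed this way can be checked automatically. The following shell script is an added example, not part of the course material: it parses cryptoadm list -p lines in the two forms shown above and reports which mechanisms that a site wants disabled are still enabled. The sample policy text, the des and md5 provider lines, and the required-disabled list are constructed for illustration.

```shell
#!/bin/sh
# Added example: check `cryptoadm list -p` output against a list of
# mechanisms that must be disabled. Only the two line forms shown above
# are handled:
#   aes: all mechanisms are enabled.
#   aes: all mechanisms are enabled, except CKM_AES_GMAC.

# Constructed sample (not captured from a live system).
sample_policy() {
cat <<'EOF'
aes: all mechanisms are enabled, except CKM_AES_GMAC.
des: all mechanisms are enabled.
md5: all mechanisms are enabled, except CKM_MD5,CKM_MD5_HMAC.
EOF
}

# disabled_mechs PROVIDER
# Reads policy text on stdin; prints each disabled mechanism of PROVIDER.
disabled_mechs() {
    awk -v p="$1" '
        index($0, p ":") == 1 && / except / {
            line = $0
            sub(/^.* except /, "", line)   # keep only the exception list
            sub(/\.[ \t]*$/, "", line)     # drop the trailing period
            n = split(line, m, /[ ,]+/)
            for (i = 1; i <= n; i++)
                if (m[i] != "") print m[i]
        }'
}

# still_enabled "provider:MECHANISM ..."
# Reads policy text on stdin; prints every listed pair that the policy
# does not show as disabled (including providers with no policy line).
still_enabled() {
    policy=$(cat)
    for want in $1; do
        prov=${want%%:*}
        mech=${want#*:}
        if ! printf '%s\n' "$policy" | disabled_mechs "$prov" | grep -qx "$mech"; then
            printf '%s\n' "$want"
        fi
    done
}

# Hypothetical site policy: these mechanisms should be off.
sample_policy | still_enabled "aes:CKM_AES_GMAC md5:CKM_MD5 md5:CKM_MD5_HMAC des:CKM_DES_MAC"
```

On a live system the input would come from cryptoadm list -p instead of sample_policy.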

User Command: Examples

# digest -l
sha1
md5
sha224
sha256
sha384
sha512
# digest -a sha1 /etc/release
e64eb9c537f90f6cba0cfd1e6b39fe9dd33cf552
# mac -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
des_mac                    64    64
sha1_hmac                   8   512
md5_hmac                    8   512
sha224_hmac                 8   512
sha256_hmac                 8   512
sha384_hmac                 8  1024
sha512_hmac                 8  1024
# mac -v -k mykey -a sha1_hmac /etc/release
sha1_hmac (/etc/release) = 913ced311df10f1708d9848641ca8992f4718057

This slide shows the use of digest and mac commands.
Note: The md5, des_mac, and md5_hmac cryptographic algorithms are not considered safe
in today's computer environment. They are provided here only for backward compatibility.


User Command: Examples

# pktool setpin
Enter token passphrase: changeme
Create new passphrase: cangetin
Re-enter new passphrase: cangetin
Passphrase changed.
# pktool genkey label=myaeskey keytype=aes keylen=256
Enter PIN for Sun Software PKCS#11 softtoken: cangetin
# pktool list objtype=key
Enter PIN for Sun Software PKCS#11 softtoken: cangetin
No.      Key Type      Key Len.      Key Label
----------------------------------------------------
Symmetric keys:
1)       AES           256           myaeskey
# cat /newpool/mydata/newfile
This is a test.
# encrypt -a aes -K myaeskey -i newfile -o newfile
# cat /newpool/mydata/newfile
Enter PIN for Sun Software PKCS#11 softtoken : cangetin
<some encrypted data>
# decrypt -a aes -K myaeskey -i newfile -o newfile
# cat /newpool/mydata/newfile
This is a test.

This slide shows the use of pktool, encrypt, and decrypt commands.
The pktool command enables you to manage the softtoken object store. The setpin
subcommand changes the passphrase used to authenticate a user to the softtoken object
store. setpin prompts you for the old passphrase. If the old passphrase matches, pktool
prompts for the new passphrase twice. If the two entries of the new passphrase match, it will
become the current passphrase for the token. The default passphrase is changeme.
The pktool genkey command generates a symmetric key in the specified keystore. The
genkey subcommand prompts the user to enter a PIN for a token-based keystore.
Next, the example in the slide shows the contents of the /newpool/mydata/newfile text
file. The encrypt command is used with the new key to encrypt this file. The next command
shows that the file is now encrypted. Finally, the file is decrypted by using the same key.



Agenda

• Oracle Solaris 11 security enhancements
• Cryptographic Framework
• Increase security for automated installations
• ZFS dataset encryption
• Managing read-only zones
• BART, the file verification and reporting tool
• Monitoring the audit service


Increasing Security for Automated Installations

An automated installation can be secured in the following ways:


• Verify server identity.
• Verify client identity.
• Control access to automated installations.
• Control access to server data.
• Protect client data for all clients or separately for specified clients.
• Encrypt data so that it cannot be read over the network.
• Access secured IPS package repositories.
• Publish user-specified web server directory securely.


Configuring Security for Automated Installations

1. Generate security credentials for the AI server.
2. Set the installation service security policy.
3. Modify the AI manifests.
4. Generate credentials for an AI client.
5. Set OBP keys for SPARC clients.

To configure security for automated installations, perform the following steps:
1. Generate security credentials for the AI server:
# installadm set-security -s -g
The root CA certificate has been generated.
The CA signing certificate request has been generated.
The signing CA certificate has been generated.
Generating server credentials...
A new certificate key has been generated.
A new certificate has been generated.
Generating new encryption key...
To set the OBP encryption key for server authentication only, enter
this OBP command:
set-security-key wanboot-aes 8d210964e95f2a333c5e749790633273
Generating new hashing key (HMAC)...
To set the OBP hashing (HMAC) key for server authentication only,
enter this OBP command:
set-security-key wanboot-hmac-sha1 4088861239fa3f3bed22f8eb885bfa476952fab4
Configuring web server security.
2. Set the installation service security policy:
# installadm set-service -o sec=require-client-auth svcname
3. Generate credentials for an AI client:
$ pfexec installadm set-security -c 02:00:00:00:00:00 -g
Generating credentials for client 02:00:00:00:00:00...
A new certificate key has been generated.
A new certificate has been generated.
Generating new encryption key...
To set the OBP encryption key, enter this OBP command:
set-security-key wanboot-aes 030fd11c98afb3e434576e886a094c1c
Generating new hashing key (HMAC)...
To set the OBP hashing (HMAC) key, enter this OBP command:
set-security-key wanboot-hmac-sha1 e729a742ae4ba977254a2cf89c2060491e7d86eb
4. Set OBP keys for SPARC clients:
ok set-security-key wanboot-aes 030fd11c98afb3e434576e886a094c1c
ok set-security-key wanboot-hmac-sha1 e729a742ae4ba977254a2cf89c2060491e7d86eb


Configuring Kerberos Clients Using AI

1. Create an installation service, if needed.
2. Associate clients with a service.
3. Create credentials for the clients.
4. Create an AI profile that defines the contents of the Kerberos configuration file.
5. (Optional) Convert a client's binary keytab file to an XML profile.
6. Create client profiles to configure the rest of the clients.
7. (Optional) Set security policy for profiles.
8. Associate the client profiles with the client service.
9. Boot the client to start the AI process.

To configure Kerberos clients using AI, perform the following steps:
1. Create a DHCP server, if needed.
# installadm set-server -i ip-addr_ai_server -c numeric_count -m
2. Create an installation service, if needed.
# installadm create-service -n krb-sparc \
-d /export/auto_install/krb-sparc \
-s /export/auto_install/iso/sol-11.2-ai-sparc.iso
3. Associate clients with a service.
# installadm create-client -n krb-sparc -e 11:11:11:11:11:11
4. Create credentials for the clients.
# installadm set-client -c 11:11:11:11:11:11 -g


5. Create an AI profile that defines the contents of the Kerberos configuration file.
# kclient -x /root/krb-sc.xml
Starting client setup
---------------------------------------------------
Is this a client of a non-Solaris KDC ? [y/n]: y
Which type of KDC is the server:
ms_ad: Microsoft Active Directory
mit: MIT KDC server
heimdal: Heimdal KDC server
shishi: Shishi KDC server
Enter required KDC type: mit
Do you want to use DNS for kerberos lookups ? [y/n]: n
No action performed.
Enter the Kerberos realm: EXAMPLE.COM
Specify the master KDCs for the above realm using a comma-separated
list: kdc.example.com
Do you have any slave KDC(s) ? [y/n]: y
Enter a comma-separated list of slave KDC host names:
kdc2.example.com
Do you have multiple domains/hosts to map to a realm ? [y/n]: n
No action performed.
Setting up /root/krb-sc.xml.
6. (Optional) Convert a client's binary keytab file to an XML profile.
# kclient-kt2prof -k ./host1.keytab -p /root/host1.xml
7. Create client profiles to configure the rest of the client.
8. (Optional) Set security policy for profiles.
# installadm set-service -o sec=require-client-auth krb-sparc
9. Associate the client profiles with the client service.
# installadm create-profile -n krb-sparc -f /root/krb-sc.xml
Profile krb-sc.xml added to database.
# installadm create-profile -n krb-sparc -f /root/host1.xml -c mac="11:11:11:11:11:11"
Profile host1.xml added to database.
10. Boot the client to start the AI process.



ZFS DataSet Encryption

• Encrypted dataset support has been added to ZFS to protect against:
– Theft of physical storage
– Man-in-the-middle attacks on the SAN
– Dataset-level secured deletion
• Data is encrypted at the dataset level.
• Benefits of ZFS encryption include the following:
– ZFS encryption is integrated with the ZFS command set.
– You can use your existing storage pools.
– ZFS encryption is inheritable to descendant file systems.
– Data is encrypted by using AES, by default.
– ZFS encryption uses the Cryptographic Framework.

Benefits of ZFS encryption include the following:
• ZFS encryption is integrated with the ZFS command set. Like other ZFS operations,
encryption operations, such as key changes and rekey, are performed online.
• You can use your existing storage pools as long as they are upgraded. You have the
flexibility of encrypting specific file systems.
• ZFS encryption is inheritable to descendent file systems. Key management can be
delegated through ZFS-delegated administration.
• Data is encrypted by using Advanced Encryption Standard (AES) with key lengths of
128, 192, and 256 in the CCM and GCM operation modes.
• ZFS encryption uses the Cryptographic Framework of Oracle Solaris, which
automatically gives it access to any available hardware acceleration or optimized
software implementations of the encryption algorithms.


ZFS Pool Encryption: Example

# zpool create -O encryption=on encryptedpool c7t4d0 c7t5d0
Enter passphrase for 'encryptedpool': cangetin
Enter again: cangetin

# zfs create encryptedpool/mysecrets

# zfs get encryption encryptedpool/mysecrets
NAME                     PROPERTY    VALUE  SOURCE
encryptedpool/mysecrets  encryption  on     inherited from encryptedpool

# zfs get keysource encryptedpool/mysecrets
NAME                     PROPERTY   VALUE              SOURCE
encryptedpool/mysecrets  keysource  passphrase,prompt  inherited from encryptedpool

# zfs set encryption=off encryptedpool/mysecrets
Cannot set property for 'encryptedpool/mysecrets': 'encryption' is readonly

This slide shows an example of encrypting a ZFS pool.
In this example, first you create a ZFS pool named encryptedpool with the encryption
property set to on. Then, you create a ZFS file system named mysecrets in the encrypted
pool. The keysource property of the mysecrets file system shows that encryption
(passphrase,prompt) was inherited from the encrypted ZFS pool.
Note: A file system's encryption policy is inherited by descendent file systems and cannot be
removed.


ZFS File System Encryption: Example

# pktool genkey keystore=file outkey=/myzfskey keytype=aes keylen=256

# zfs create -o encryption=aes-256-ccm -o keysource=raw,file:///myzfskey newpool/mysecretdata

# zfs get encryption newpool/mysecretdata
NAME                  PROPERTY    VALUE        SOURCE
newpool/mysecretdata  encryption  aes-256-ccm  local

# zfs get keysource newpool/mysecretdata
NAME                  PROPERTY   VALUE                 SOURCE
newpool/mysecretdata  keysource  raw,file:///myzfskey  local

This slide shows an example of encrypting a ZFS file system within a pool.
In this example, first you generate a keystore file named /myzfskey. Then you create a ZFS
file system named mysecretdata with the /myzfskey keystore file. The keysource
property of the mysecretdata file system shows that the encryption key source comes from
the /myzfskey keystore file.




Read-Only (Immutable) Zones

• A zone with a read-only zone root is called a read-only zone.
• Read-only zones preserve a zone's integrity by using read-only root file systems.
• Modifications to system binaries or system configurations are blocked.
• The file-mac-profile property is used to configure a read-only zone root.
– The zonecfg utility is used to set the file-mac-profile property.
– By default, the file-mac-profile property is not set.

A zone with a read-only zone root is called a read-only zone. An Oracle Solaris read-only
zone preserves the zone's configuration by implementing read-only root file systems for
nonglobal zones. This zone extends the zone's secure runtime boundary by adding additional
restrictions to the runtime environment. Unless performed as specific maintenance
operations, modifications to system binaries or system configurations are blocked.
The mandatory write access control (MWAC) kernel policy is used to enforce file system write
privilege through a zonecfg file-mac-profile property. Because the global zone is not
subject to the MWAC policy, the global zone can write to a nonglobal zone's file system for
installation, image updates, and maintenance. The MWAC policy is downloaded when the
zone enters the ready state. The policy is enabled at zone boot. To perform post-installation
assembly and configuration, a temporary writable root-file system boot sequence is used.
Modifications to the zone's MWAC configuration take effect only with a zone reboot.


file-mac-profile Property

• Defines which part of the file system is exempt from the read-only policy
• Four possible values:
– none
– strict
– fixed-configuration
– flexible-configuration

The file-mac-profile property allows you to define which parts of the file system are
exempted from the read-only policy (that is, which parts of the file system the zone is allowed
to write to).
There are currently four supported values for this property:
• none: This value makes the zone exactly the same as a normal, read/write zone.
Setting the value to none is equivalent to not setting the file-mac-profile property.
• strict: This value allows no exceptions to the read-only policy.
• fixed-configuration: This value allows the zone to write to files in and below
/var, except directories containing configuration files:
- /var/ld
- /var/lib/postrun
- /var/pkg
- /var/spool/cron
- /var/spool/postrun
- /var/svc/manifest
- /var/svc/profiles
• flexible-configuration: This is similar to fixed-configuration, but allows
writing to files in /etc too.


Administering Read-Only Zones

• Setting a strict read-only zone
zonecfg:zone1: set file-mac-profile=strict
• Setting a fixed-configuration read-only zone
zonecfg:zone2: set file-mac-profile=fixed-configuration
• Setting a flexible-configuration read-only zone
zonecfg:zone3: set file-mac-profile=flexible-configuration
• Displaying zone properties
root@s11-serv1: zoneadm list -p
0:global:running:/::solaris:shared:-:none
1:zone1:running:/zones/zone1:<UUID>:solaris:shared:W:strict
2:zone2:running:/zones/zone2:<UUID>:solaris:shared:W:fixed-configuration
3:zone3:running:/zones/zone3:<UUID>:solaris:excl:W:flexible-configuration

This slide shows examples of configuring and viewing read-only zones.
• strict: Read-only file system, no exceptions
- IPS packages cannot be installed.
- Persistently enabled SMF services are fixed.
- SMF manifests cannot be added from the default locations.
- Logging and auditing configuration files are fixed. Data can be logged only
remotely.
• fixed-configuration: Permits updates to /var/* directories, with the exception of
directories that contain system configuration components.
- IPS packages, including new packages, cannot be installed.
- Persistently enabled SMF services are fixed.
- SMF manifests cannot be added from the default locations.
- Logging and auditing configuration files can be local. syslog and audit
configuration are fixed.


• flexible-configuration: Permits modification of files in /etc/* directories,
changes to root's home directory, and updates to /var/* directories. This configuration
provides closest functionality to the Oracle Solaris 10 native sparse root zone.
- IPS packages, including new packages, cannot be installed.
- Persistently enabled SMF services are fixed.
- SMF manifests cannot be added from the default locations.
- Logging and auditing configuration files can be local. syslog and audit
configuration can be changed.
• none: Standard, read/write, nonglobal zone, with no additional protection beyond the
existing zones boundaries. Setting the value to none is equivalent to not setting the
file-mac-profile property.
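
The zoneadm list -p listing above can be turned into a quick inventory of which zones are actually read-only. The following shell script is an added example, not part of the course material: it reads that colon-separated output, maps each file-mac-profile value to the writable areas described above, and lists nonglobal zones that have no read-only profile. The field order is assumed from the listing on the slide, and the zone4, zone5, and truncated sample lines are constructed.

```shell
#!/bin/sh
# Added example: report the read-only profile of each zone from
# `zoneadm list -p` output. Assumed field order, from the listing above:
#   zoneid:zonename:state:zonepath:uuid:brand:ip-type:r/w:file-mac-profile

# Constructed sample; zone4, zone5 and the last line are hypothetical.
sample_zones() {
cat <<'EOF'
0:global:running:/::solaris:shared:-:none
1:zone1:running:/zones/zone1:<UUID>:solaris:shared:W:strict
2:zone2:running:/zones/zone2:<UUID>:solaris:shared:W:fixed-configuration
3:zone3:running:/zones/zone3:<UUID>:solaris:excl:W:flexible-configuration
4:zone4:installed:/zones/zone4:<UUID>:solaris:excl:W:
5:zone5:running:/zones/zone5:<UUID>:solaris:excl:W:none
truncated:line
EOF
}

# zone_profiles: stdin = zoneadm list -p output.
# Prints "zonename profile writable-areas" for each zone.
zone_profiles() {
    awk -F: '
        NF < 9 { print "line" NR, "malformed", "-"; next }
        {
            prof = $NF
            if (prof == "") prof = "none"    # not set is equivalent to none
            if      (prof == "strict")                 w = "nothing"
            else if (prof == "fixed-configuration")    w = "/var-except-config-dirs"
            else if (prof == "flexible-configuration") w = "/var,/etc,root-home"
            else if (prof == "none")                   w = "everything"
            else                                       w = "unknown"
            print $2, prof, w
        }'
}

# writable_zones: names of nonglobal zones with no read-only profile,
# plus any input line that could not be parsed and needs a manual look.
writable_zones() {
    zone_profiles |
        awk '$1 != "global" && ($2 == "none" || $2 == "malformed") { print $1 }'
}

sample_zones | zone_profiles
```

On a live system, pipe zoneadm list -p (add -c to include zones that are not running) into writable_zones instead of the sample.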



Read-Only (Immutable) Global Zone

A read-only global zone has a read-only root file system.


• Provides a trusted path login to allow system maintenance tasks
• Uses the zonecfg command and its file-mac-profile property to configure
# zonecfg -z global set file-mac-profile=fixed-configuration
• Allows nonglobal zones to run only in unrestricted datasets
• Writes the zonecfg boot information and updates the boot archive

Starting with the Oracle Solaris 11.2 release, immutable global zones support has been added to
extend the immutable zone implementation to the global zone. If a system is configured to
have an immutable global zone, files in the root file system are read-only. A Trusted Path login
is provided to allow maintenance tasks, such as performing system updates.
The global zone is configured through the file-mac-profile property of the zonecfg
command. If the system uses DHCP to set network interfaces, the flexible-configuration
profile must be selected.
The rpool dataset will be restricted, but you can add an unrestricted sub-dataset by using
add dataset. An immutable global zone can run zones only in unrestricted datasets. All the
children of an unrestricted dataset are also unrestricted. After committing the zone
configuration, the zonecfg boot information is written and the boot archive is updated.
Reboot the system to boot with an immutable global zone.
To enable immutable global zones:
# zonecfg -z global set file-mac-profile=fixed-configuration




BART

BART, the file verification and reporting tool:


• Performs a file-level check of the software contents of a system
• Enables you to determine what file-level changes have occurred on a system
• Compares changes to a known baseline

BART is a tool that performs a file-level check of the software contents of a system. BART
enables you to quickly, easily, and reliably gather information about the components of the
software stack that is installed on deployed systems. Using BART can greatly reduce the
costs of administering a network of systems by simplifying time-consuming administrative
tasks.
BART enables you to determine what file-level changes have occurred on a system, relative
to a known baseline. You use BART to create a baseline or control manifest from a fully
installed and configured system. You can then compare this baseline with a snapshot of the
system at a later time, generating a report that lists file-level changes that have occurred on
the system since it was installed.


BART: Example

# vi bartrules
IGNORE all
/export/home/oracle
CHECK all

# bart create -r bartrules > bart-`hostname`-`date '+%d%m%Y-%H:%M:%S'`

# ls bart*
bart-s11-server1-15072014-07:35:24 bartrules

# touch /export/home/oracle/newfile

# bart create -r bartrules > bart-`hostname`-`date '+%d%m%Y-%H:%M:%S'`

# ls bart*
bart-s11-server1-15072014-07:35:24 bartrules
bart-s11-server1-15072014-07:36:38

# bart compare -r bartrules bart-s11-server1-15072014-07:35:24 \
bart-s11-server1-15072014-07:36:38
/export/home/oracle:
size control:5 test:6
dirmtime control:53ba0c5a test:53c4d9f5
/export/home/oracle/newfile:
add

The slide shows an example of using BART.
In this example, first you create a BART rules file. In this case, BART ignores all file changes
on the system except for the file changes in the /export/home/oracle directory. Then you
run the BART report by using the BART rules file to create a comparison baseline. In a bart
compare report, the baseline is indicated by the “control” field.
Next, a new file is created in the /export/home/oracle directory and a second BART
report is generated. The second BART report is used to compare against the baseline report
created earlier. In a bart compare report, the BART report to be compared against the
baseline is indicated by the “test” field.
Finally, bart compare is run by using the baseline (control) and test BART report. The
results show that /export/home/oracle directory size was changed and
/export/home/oracle/newfile was added.


BART: Example

# vi /export/home/oracle/newfile
This is a test.

# bart create -r bartrules > bart-`hostname`-`date '+%d%m%Y-%H:%M:%S'`

# ls bart*
bart-s11-server1-15072014-07:35:24 bart-s11-server1-15072014-07:39:25
bart-s11-server1-15072014-07:36:38 bartrules

# bart compare -r bartrules bart-s11-server1-15072014-07:36:38 \
bart-s11-server1-15072014-07:39:25
/export/home/oracle/newfile:
size control:0 test:16
mtime control:53c4d9f5 test:53c4daa2
contents
control:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
test:11586d2eb43b73e539caa3d158c883336c0e2c904b309c0c5ffe2c9b83d562a1

Next, a text message is added to the /export/home/oracle/newfile file and a third
BART report is run. The second BART report is used as the new baseline and is compared
against the third BART report. The results show that in the test report,
/export/home/oracle/newfile has grown by 16 bytes. The modified time stamp and file
contents have changed.
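
On a busy system a bart compare report is long, and most entries are routine time stamp changes. The following shell script is an added example, not part of the course material: it reads a report in the layout shown on the two slides above, prints one line per changed path, and ranks it by what changed. The ranking (contents, then mode/ownership attributes, then metadata only) is a choice made for this example, and the sample report is constructed from the slide output with hypothetical extra paths and shortened hashes.

```shell
#!/bin/sh
# Added example: triage `bart compare` output, one line per changed path.

# Constructed sample based on the two reports above.
sample_report() {
cat <<'EOF'
/export/home/oracle:
size control:5 test:6
dirmtime control:53ba0c5a test:53c4d9f5
/export/home/oracle/newfile:
add
/export/home/oracle/notes:
size control:0 test:16
mtime control:53c4d9f5 test:53c4daa2
contents
control:e3b0c442 test:11586d2e
/export/home/oracle/.profile:
mode control:100644 test:100666
/export/home/oracle/old.log:
delete
EOF
}

# triage: stdin = bart compare report.
# Prints "CLASS path changed-attributes"; CLASS is one of
# ADDED, DELETED, CONTENT, PERM (mode/owner/type), META (everything else).
triage() {
    awk '
        function emit() {
            if (path == "") return
            if (added)        cls = "ADDED"
            else if (deleted) cls = "DELETED"
            else if (attrs ~ /(^|,)contents(,|$)/) cls = "CONTENT"
            else if (attrs ~ /(^|,)(mode|uid|gid|acl|type|dest)(,|$)/) cls = "PERM"
            else cls = "META"
            print cls, path, (attrs == "" ? "-" : attrs)
        }
        /^\/.*:[ \t]*$/ {                 # "/some/path:" starts a new entry
            emit()
            path = $0
            sub(/:[ \t]*$/, "", path)
            attrs = ""; added = 0; deleted = 0
            next
        }
        {
            # Attribute names may sit on their own line, with the
            # control:/test: values wrapped onto the following lines.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(control|test):/) continue
                if ($i == "add") added = 1
                else if ($i == "delete") deleted = 1
                else attrs = (attrs == "" ? $i : attrs "," $i)
            }
        }
        END { emit() }'
}

# alerts: everything except metadata-only changes.
alerts() {
    triage | awk '$1 != "META" { print $1, $2 }'
}

sample_report | triage
```

In the report on the slide, the control value of contents is the SHA-256 digest of empty input, which agrees with size control:0 for the file that touch had just created.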



Auditing in Oracle Solaris

Auditing is the process of collecting data about the use of system resources. It is enabled by default.
• Records security-related system events
• Records events in a network-wide audit trail
• Detects misuse or unauthorized activity
• Reviews patterns of access and access histories of users and objects
• Discovers attempts to bypass protection mechanisms
• Discovers extended use of privileges

The audit service, svc:/system/auditd:default, is enabled by default.
The audit data that is captured during the auditing provides a record of security-related
system events. This data can then be used to assign responsibility for actions that take place
on a system.
Protecting a computer system, especially a system on a network, requires mechanisms that
monitor activities when system processes start and before user processes begin, and that provide
reports. Most auditing activities involve monitoring current events and reporting those events
that meet the specified, pre-selected parameters.
Auditing cannot prevent malicious users from unauthorized use of the system. However, the
auditing service can record, for example, that a specific user performed specific actions at a
specific time and date. The audit record identifies the user by entry path and username. Such
information can be reported immediately to your terminal and to a file for later analysis. Thus,
the auditing service provides data that helps you determine the loopholes that need to be
closed to ensure the desired level of security.
Successful auditing starts with two security features: identification and authentication. At each
login, after a user supplies a username and PAM authentication succeeds, a unique and
immutable audit user ID is associated with the user, and a unique audit session ID is
generated and associated with the user’s session.


This happens as lo events are the only default configured events. The audit session ID is
inherited by every process that is started during that login session. When a user switches to
another user, all user actions are tracked with the same audit user ID. For more details about
switching identity, see the su(1M) man page.
Note: By default, certain actions such as booting and shutting down the system are always
audited.
During system configuration, you set audit policies and preselect which classes of audit
events to monitor. You can fine-tune the degree of auditing that is done for individual users.
After the audit data is collected, post-selection tools enable you to reduce and examine the
audit trail. Systems that install nonglobal zones can audit all zones identically from the global
zone. You can also configure systems with nonglobal zones to collect different records for
each zone.
Auditing generates audit records when specified events occur, such as:
• System startup and system shutdown
• Login and logout
• Process creation or destruction, or thread creation or destruction
• Opening, closing, creating, destroying, renaming objects
• Use of Role-Based Access Control (RBAC)
• Permission changes by a process or user
• Administrative actions, such as installing a package
• Use of site-specific applications
Audit records are generated from three sources:
• By an application
• As a result of an asynchronous event
• As a result of a system call
Oracle Solaris provides rights profiles for configuring the audit service, for enabling and
disabling the service, and for analyzing the audit trail. Editing an audit configuration file
requires the privileges of the root role.
• Audit Configuration: Enables an administrator to configure the parameters of the audit
service and to run the auditconfig command
• Audit Control: Enables an administrator to start, refresh, and disable the audit service
and to run the audit command to start, refresh, or stop the service
• Audit Review: Enables an administrator to analyze audit records. This rights profile
grants authorization to read audit records with the praudit and auditreduce
commands. This administrator can also run the auditstat command.
• System Administrator: Includes the Audit Review rights profile. An administrator
with the System Administrator rights profile can analyze audit records.
For more information, refer to http://docs.oracle.com/cd/E36784_01/html/E37127/auditref-1.html#scrolltoc.


Following are the changes in the Oracle Solaris Auditing feature in Oracle Solaris 11:
• Oracle Solaris Auditing and Device Allocation replace “BSM.”
• The bsmconv(1M) and bsmunconv(1M) commands, and the need to reboot, have been
removed.
• bsmrecord(1M) is renamed auditrecord(1M).
• The /etc/security/audit directory and symlink no longer exist. /var/audit is now
the official audit directory.
• By default, Oracle Solaris Auditing is configured and enabled. lo events are the default
configured events.
• By using the Audit Configuration rights profile, all global configurations can be
performed by auditconfig(1M). audit_startup(1M) and audit_control(4) no
longer exist. You must use the auditconfig(1M) command instead.
• By using the useradd, roleadd, usermod, and rolemod commands, you can place
the per-user audit_flags security attribute in the user_attr database. Similarly,
you can use the profiles command to place the desired per-user audit flags for the
rights profiles in the prof_attr database. audit_user(4) no longer exists. Refer to
the profiles(1), usermod(1M), prof_attr(4), user_attr(4), and audit_flags(5)
man pages for more information.
• By using the Audit Control rights profile, you can control the Oracle Solaris audit service
with audit(1M) to refresh, change audit files, disable, and re-enable. Refer to the
audit(1M) man page for more information.
• Global zone auditing need not be enabled for per-zone auditing.


Displaying Audit Service Defaults

• Displaying the default audit policy

# auditconfig -getpolicy
configured audit policies = argv,cnt
active audit policies = argv,cnt

• Displaying default class for events

# auditconfig -getflags
audit condition = auditing
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)


Enabling and Disabling the Audit Service

1. Use the audit -s command to enable the audit service if
it is not running or to refresh the service if it is currently
running.
Note: Auditing is enabled by default.
# audit -s

2. Verify that auditing is enabled.

# auditconfig -getcond
audit condition = auditing

3. Use the audit -t command to disable the service.

# audit -t
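The checks from "Displaying Audit Service Defaults" and step 2 above can be scripted. The following is an added example, not part of the course material: it compares captured auditconfig output against an expected baseline and reports any difference between active and configured values. The helper names and the baseline arguments are assumptions; the sample input is the default output shown in this lesson.

```shell
#!/bin/sh
# Added example: check captured auditconfig output against an expected baseline.
# Live input: output of auditconfig -getcond, -getpolicy and -getflags, concatenated.

# Constructed sample input: the default values shown in this lesson.
sample_audit_state() {
    cat <<'EOF'
audit condition = auditing
configured audit policies = argv,cnt
active audit policies = argv,cnt
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
EOF
}

# check_audit_state EXPECTED_POLICIES EXPECTED_FLAGS   (hypothetical helper)
# Reads "key = value" lines on stdin, prints one FAIL line per finding,
# and returns 0 only when there are no findings.
check_audit_state() {
    awk -F' = ' -v want_pol="$1" -v want_flg="$2" '
    # Drop (success,failure) masks and sort the comma list so order is ignored.
    function norm(s,    n, a, i, j, t, out) {
        gsub(/\([^)]*\)/, "", s); gsub(/[ \t]/, "", s)
        n = split(s, a, ",")
        for (i = 2; i <= n; i++) {
            t = a[i]
            for (j = i - 1; j >= 1 && a[j] > t; j--) a[j + 1] = a[j]
            a[j + 1] = t
        }
        out = ""
        for (i = 1; i <= n; i++) out = out (i > 1 ? "," : "") a[i]
        return out
    }
    function fail(msg) { print "FAIL " msg; bad = 1 }
    $1 == "audit condition"                     { cond = $2 }
    $1 == "configured audit policies"           { cpol = norm($2) }
    $1 == "active audit policies"               { apol = norm($2) }
    $1 == "configured user default audit flags" { cflg = norm($2) }
    $1 == "active user default audit flags"     { aflg = norm($2) }
    END {
        if (cond != "auditing") fail("condition: " (cond == "" ? "missing" : cond))
        if (apol != cpol) fail("policy drift: active=" apol " configured=" cpol)
        if (aflg != cflg) fail("flag drift: active=" aflg " configured=" cflg)
        if (apol != norm(want_pol)) fail("policy baseline: active=" apol " expected=" norm(want_pol))
        if (aflg != norm(want_flg)) fail("flag baseline: active=" aflg " expected=" norm(want_flg))
        exit bad + 0
    }'
}
sample_audit_state | check_audit_state "cnt,argv" "lo" && echo "audit state matches baseline"
```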


Viewing Contents of Binary Audit Files

# cd /var/audit
# ls
...
20140718053501.not_terminated.s11-server1
20140722022941.not_terminated.s11-server1
20140723075705.20140724072749.s11-server1

# praudit 20140723075705.20140724072749.s11-server1 | more
...
file,2014-07-23 07:57:05.537 +00:00,header,52,2,system booted,na,
s11-server1,2014-07-23 07:54:31.212 +00:00text,booting
kernelheader,42,2,init(1m),na,s11-server1,2014-07-23 07:57:12.533
+00:00text,bootedreturn,success,0header,61,2,zone state change,na,
s11-server1,2014-07-23 07:59:02.762
+00:00text,bootzone,zone2return,success,0header,61,2,zone state change,na,
s11-server1,2014-07-23 07:59:06.248
+00:00text,bootzone,zone1return,success,0header,61,2,zone state change,na,
s11-server1,2014-07-23 08:00:58.010
+00:00text,bootzone,zone5return,success,0header,49,2,init(1m),na,
s11-server1,2014-07-23 08:11:48.516 +00:00text,booted:
zone5return,success,0header,69,2,login - ssh,,s11-server1,2014-07-24
07:05:35.696
...
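The file names in the listing above follow the pattern start.end.host. A file whose end stamp is not_terminated is either the one currently being written or one that was left open when the audit service stopped abnormally. The following is an added example, not part of the course material, that classifies a directory listing accordingly. The helper names are hypothetical, and the rule that only the most recently started file per host can still be open is an assumption.

```shell
#!/bin/sh
# Added example: classify audit trail files by name (start.end.host).
# Live input would be:  ls /var/audit | classify_audit_files

# Constructed sample input: the three file names listed in this lesson.
sample_listing() {
    cat <<'EOF'
20140718053501.not_terminated.s11-server1
20140722022941.not_terminated.s11-server1
20140723075705.20140724072749.s11-server1
EOF
}

# classify_audit_files (hypothetical helper) prints "STATE START END HOST":
#   closed      both timestamps present
#   active      not_terminated and the most recently started file for its host
#   orphan      not_terminated but a newer file exists, so it is no longer written
#   unexpected  name does not follow start.end.host
classify_audit_files() {
    awk '
    function ts(x) { return length(x) == 14 && x ~ /^[0-9]+$/ }
    $0 == "" { next }
    {
        # Split on the first two dots only; the host part may contain dots.
        p1 = index($0, "."); rest = substr($0, p1 + 1); p2 = index(rest, ".")
        start = substr($0, 1, p1 - 1)
        stop = substr(rest, 1, p2 - 1)
        host = substr(rest, p2 + 1)
        n++
        if (p1 == 0 || p2 == 0 || !ts(start) || host == "" ||
            !(stop == "not_terminated" || ts(stop))) {
            s[n] = "-"; e[n] = "-"; h[n] = $0; bad[n] = 1; next
        }
        s[n] = start; e[n] = stop; h[n] = host
        if (start > newest[host]) newest[host] = start
    }
    END {
        for (i = 1; i <= n; i++) {
            if (bad[i]) state = "unexpected"
            else if (e[i] != "not_terminated") state = "closed"
            else if (s[i] == newest[h[i]]) state = "active"
            else state = "orphan"
            print state, s[i], e[i], h[i]
        }
    }'
}

sample_listing | classify_audit_files
```

On the listing from this lesson, both not_terminated files are reported as orphan because the closed file started after them.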


Quiz

ZFS encryption is inherited by descendant file systems.
a. True
b. False

Answer: a


Quiz

When configuring a read-only zone, which file-mac-profile
property value provides the closest functionality to
the Oracle Solaris 10 native sparse root zone?
a. none
b. strict
c. fixed-configuration
d. flexible-configuration

Answer: d


Quiz

Which command is used to display the zonecfg file-mac-profile
property value?
a. zonestat
b. zoneadm list -p
c. zoneadm -z zone_name info
d. zonestat -p file-mac-profile

Answer: b


Quiz

BART is a tool that performs a file-level check of the software
contents of a system and enables you to determine what
file-level changes have occurred on a system.
a. True
b. False

Answer: a


Summary

In this lesson, you should have learned how to:
• Describe the new security features and enhancements
• Explore the Cryptographic Framework
• Increase security for automated installations
• Encrypt ZFS data
• Manage read-only zones
• Use BART for file verification and reporting
• Monitor the audit service

In this lesson, you were presented with the security enhancements in Oracle Solaris 11. You
explored the Cryptographic Framework of Oracle Solaris. You then learned how to increase
security for automated installations. In addition, you learned how to encrypt ZFS data and
manage read-only zones. You then learned about BART, the file verification and reporting
tool. Finally, you learned how to monitor the audit service.


Practice 8 Overview:
Oracle Solaris 11 Security Enhancements
This practice covers the following topics:
• Managing encryption keys
• Configuring a ZFS-encrypted storage pool
• Configuring a ZFS-encrypted file system
• Configuring read-only zones
• Configuring BART

