Transition to Oracle Solaris 11
Student Guide
D73488GC30
Edition 3.0 | November 2014 | D89085
Technical Contributors and Reviewers
Juanita Heieck
Kathy Slattery
Alta Estad
Alissa Bader Clark
Sharon Veach
Maheshwari Krishnamurthy

Editors
Aju Kumar
Anwesha Ray
Raj Kumar

Publishers
Sumesh Koshy
Syed Ali
Srividya Rameshkumar

This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.

The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS
The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Unauthorized reproduction or distribution prohibited. Copyright © 2015, Oracle and/or its affiliates.
Contents

1 Introduction
Overview 1-2
Course Goals 1-3
Agenda 1-4
Introductions 1-6
Your Lab Environment 1-7
Practice 1 Overview: Course Introduction 1-8

2 Introducing Oracle Solaris 11 New Features and Enhancements
Job Workflow 2-2
Objectives 2-3
Agenda 2-4
Oracle Solaris 11 Operating System: Overview 2-5
Oracle Solaris 11: Features and Enhancements 2-6
Installation Methods 2-8
Software Management Features 2-9
Networking Features and Enhancements 2-10
Oracle Solaris Zones Enhancements 2-13
Storage and File System Enhancements 2-15
User Environment Feature Changes 2-16
Desktop Environment Enhancements 2-17
System Security Enhancements 2-18
Agenda 2-20
Key Features of Oracle Solaris 10 and Oracle Solaris 11: Comparison 2-21
Agenda 2-22
Transitioning Strategy 2-23
Summary 2-24

Agenda 3-9
Local Package Repository 3-10
Creating a Local Repository 3-11
Enabling Users to Retrieve Packages Using an HTTP Interface 3-13

4 Installing the Oracle Solaris 11 Operating System
Job Workflow 4-2
Objectives 4-3
Agenda 4-4

Agenda 4-57
Comparing JumpStart with AI 4-58
Comparing Rules Keywords and Criteria Directives 4-59
Converting a JumpStart Profile to an AI Manifest 4-62
Agenda 4-65
Distribution Constructor 4-66
Distribution Constructor Manifest Files 4-67
Building an OS Image 4-68
Quiz 4-69
Summary 4-75
Practices 4-3, 4-4, 4-5 and 4-6: Overview 4-76

5 Oracle Solaris 11 Network Administration Enhancements
Job Workflow 5-2
Objectives 5-3
Agenda 5-4
Introducing Oracle Solaris 11 Network 5-5
Oracle Solaris 10 Network Protocol Stack 5-6
Oracle Solaris 11 Network Protocol Stack 5-7
Network Configuration During Installation 5-8
Agenda 5-9
Oracle Solaris 11 Network Administration 5-10
Network Administration Commands 5-11
Comparing Network Administration Commands 5-12
Administering Datalinks 5-13
Configuring IP Interfaces and IP Addresses 5-14
Configuring Persistent Routes 5-15
Configuring Reactive Profiles 5-16
Practice 5-1: Overview 5-18
Practice 5-2: Overview 5-19
Agenda 5-20
Transitioning to Virtual Networking 5-21
Virtual Network Building Blocks 5-22
Building a Simple Virtual Network 5-23
Configuring a Private Virtual Network 5-24
Creating a Datalink in Non-Global Zone from the Global Zone 5-25
Accessing a Virtual Network Configuration 5-26
Bandwidth Management 5-27
Managing Bandwidth 5-28
Practice 5-3: Overview 5-30
Agenda 5-31
Elastic Virtual Switch (EVS): Overview 5-32
Elastic Virtual Switch: Example 5-33
Installing the Mandatory EVS Packages 5-34
Setting Up SSH Authentication 5-35

Viewing IP Traffic Statistics 5-80
Viewing TCP and UDP Traffic Statistics 5-81
Viewing User and Process Information 5-82
Analyzing Network Traffic 5-83

Monitoring Zone Memory Consumption 6-39
Monitoring Zone CPU Consumption 6-40
Monitor Total and High Zone Resource Consumption 6-41
Monitoring File System Statistics 6-42
Quiz 6-43
Summary 6-45
Practice 6: Overview 6-46

Oracle Solaris 11 Security Enhancements 8-5
Agenda 8-9
Oracle Solaris Cryptographic Framework 8-10
Administrative Command: Examples 8-12
Introduction

Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
Overview
• Course goals
• Agenda
• Practices
• Introductions
• Your learning center
Welcome to the Transition to Oracle Solaris 11 course. This is an advanced course that builds on the Oracle Solaris 10 system administration courses. It is focused on the skills and knowledge required for transitioning from the Oracle Solaris 10 operating environment to the Oracle Solaris 11 operating environment.
This course highlights the new features in Oracle Solaris 11, including the Automated
Installer (AI), the Image Packaging System (IPS), and network virtualization. Throughout the
course, you learn how to transition to the Oracle Solaris 11 operating environment by
performing a series of guided hands-on practices that walk you through the critical tasks
associated with operating system migration activities. These practices include case studies
that illustrate the best practices when transitioning from Oracle Solaris 10 to Oracle
Solaris 11.
This course does not address the system administration tasks that are currently supported in
Oracle Solaris 10 (or other) operating systems. Rather, it focuses on the new and enhanced
features found in the Oracle Solaris 11 operating system. It is assumed that you already have
the skills and knowledge that are necessary for administering the Oracle Solaris 10 operating
system.
Agenda
• Day 1
– Lesson 1: Introduction
– Lesson 2: Introducing Oracle Solaris 11 New Features and Enhancements
– Lesson 3: Managing Software Packages in Oracle Solaris 11
• Day 2
– Lesson 3: Managing Software Packages in Oracle Solaris 11
– Lesson 4: Installing the Oracle Solaris 11 Operating Systems
• Day 3
– Lesson 5: Oracle Solaris 11 Network Enhancements
– Lesson 6: Administering Oracle Solaris 11 Zones

The Transition to Oracle Solaris 11 course consists of five days of lectures and practice activities. This course also covers the latest Oracle Solaris 11.2 features and enhancements.
• Lesson 2 provides a brief overview of all the key features and enhancements of Oracle Solaris 11 OS that are discussed in this course.
• Lesson 3 explains how to work with IPS, its main features, and components; and also
how to manage software packages using IPS.
• Lesson 4 explains how to install Oracle Solaris 11 OS using the text installer, Live CD,
and Automated Installer.
• Lesson 5 briefly lists and explains the network enhancements of Oracle Solaris 11 OS.
• Lesson 6 explains how Oracle Solaris 11 Zones are different from Oracle Solaris 10
Zones. It also explains how to migrate Oracle Solaris 10 Zones to Oracle Solaris 11
Zones.
• Lesson 7 briefly lists and explains the ZFS enhancements of Oracle Solaris 11 OS.
• Lesson 8 briefly lists and explains the security enhancements of Oracle Solaris 11 OS.
• Day 4
Introductions
• Name
• Company affiliation
• Title, function, and job responsibility
• Experience related to topics in this course
• Reasons for enrolling in this course
• Expectations from this course
Your Lab Environment

Oracle VM VirtualBox is a cross-platform virtualization application. It extends the capabilities of your existing computer so that you can run multiple operating systems inside multiple virtual machines at the same time.
As part of each lesson, you will be given the opportunity to practice in a lab environment. The lab environment used in this course is based on the Oracle VM VirtualBox virtualization software, the interface of which is shown in the slide.
Practice 1 Overview: Course Introduction

Open your Activity Guide to the practices for Lesson 1. Your instructor will walk you through the material, and you will have a chance to familiarize yourself with the lab environment configuration and setup.
Introducing Oracle Solaris 11 New Features and Enhancements
Job Workflow
[Slide diagram: job workflow with the stages Managing Software Packages, Installing, Network Administration Enhancements, Administering Zones, ZFS Enhancements, and Security Enhancements]

The Transition to Oracle Solaris 11 course presents each of the system administration tasks in the context of a workflow. Before you begin a lesson, take a look at the job workflow in the slide diagram at the beginning of each lesson.
As indicated in the workflow, you start with an introduction to the new features and enhancements in the Oracle Solaris 11 OS.
Objectives

This lesson introduces you to the new features and enhancements in the Oracle Solaris 11 operating system. The lesson begins with a description of Oracle Solaris 11 and continues with a high-level description of each new feature and enhancement.
It also provides a comparison of the features in Oracle Solaris 10 with those of Oracle Solaris 11. This is followed by a description of a strategy for transitioning from Oracle Solaris 10 to Oracle Solaris 11.

Agenda
• Features comparison
• Strategy for transitioning to Oracle Solaris 11
Oracle Solaris 11: Features and Enhancements
• Installation methods

Oracle Solaris 11:
• Introduces a new, modern software installation architecture, offering several installation choices. This includes a completely hands-free automated network installation experience, a graphical Live Media installer (x86 only), and an interactive text-based installation for systems without a graphical display.
• Introduces Image Packaging System (IPS) as the next-generation packaging system that provides safe system updates and upgrades
• Provides significant enhancements to networking, including several new network virtualization features for high availability, improved performance, and resource management. The key building blocks of network virtualization are VNICs, virtual switching, aggregations, bridging, virtual local area networks (VLANs), and Elastic Virtual Switch (EVS).
• Enhances its virtualization solution with Oracle Solaris 10 Zones (also known as solaris10 branded zones). Oracle Solaris 10 Zones provide a seamless method for migrating to Oracle Solaris 11. Additional features such as delegated zone administration, boot environment (BE) for zones, configuration and installation of nonglobal zones as part of an AI client installation, and enhanced zone monitoring are also included.
Installation Methods
• Unattended installation

Oracle Solaris 11 offers several installation options:
• Unattended installation: An improved, hands-free, automated installation of networked systems. This process replaces the Oracle Solaris JumpStart functionality available in Oracle Solaris 10 and earlier releases.
• Interactive installation: Interactive installation by using a text-based user interface
(because most servers use a text-based console for installation), and interactive
installation for x86 desktop and notebook systems by using the Oracle Solaris 11 Live
Media for x86
Oracle Solaris 11 does not support the following installation features:
• Oracle Solaris Flash Archive installation: Instead, use the Oracle Solaris Unified
Archive feature to perform cloning and recovery operations.
• Oracle Solaris JumpStart feature: Instead, use the AI feature.
• Oracle Solaris Live Upgrade feature: Instead, use the beadm utility.
Note: You can use the js2ai utility to convert Oracle Solaris 10 JumpStart rules, profiles,
and system identification files to AI criteria files, AI manifests, and AI configuration files,
respectively.
Software Management Features
– Software installation
– Software updates
– Operating system upgrades
– Removal of software packages
• Software management components include:
– IPS command-line utilities, such as pkg install, pkg update, pkg list, and pkg uninstall
– IPS repositories as storage location for software packages
Oracle Solaris 11 introduces the Image Packaging System (IPS) feature, which is a completely redesigned software packaging model. IPS is a comprehensive delivery framework that spans the complete software life cycle, addressing software installation, updates, operating system upgrades, and the removal of software packages.
In contrast to the SVR4 packaging model used in earlier Oracle Solaris releases, IPS eliminates the need for patching. Relying on the use of network repositories of software packages, IPS dramatically changes how an administrator updates system and application software. IPS packages can be installed into nonglobal zones in addition to the global zone.
Note: There is no upgrade path from Oracle Solaris 10 to Oracle Solaris 11. You must perform a fresh installation.
Networking Features and Enhancements

Oracle Solaris 11 supports generic names for each datalink on a system by using the net0, net1, … netN naming convention.
Oracle Solaris 11 introduces the following three commands to manage persistent network configuration:
• ipadm: Creates persistent configuration of interfaces, addresses, and TCP/IP
properties. This command replaces the ifconfig command of Oracle Solaris 10.
• dladm: Manages datalink configuration. This command replaces the ndd command and the driver.conf file of Oracle Solaris 10 for configuration of certain network parameters.
• route: Configures persistent routes. This command replaces the use of the
/etc/defaultrouter file in Oracle Solaris 10 to manage a system route
configuration.
Oracle Solaris 11 uses Service Management Facility (SMF) to manage the naming and
directory services configuration. In Oracle Solaris 10, you edited the various files in the /etc
directory to configure the naming and directory services.
priority, and flow control of multiple traffic types that share the same network link (for example, when sharing a datalink between networking and storage protocols)
• ILB: Refers to the L3 and L4 technology that enables a system to spread the load of network processing amongst available resources. ILB can be used to improve reliability and scalability, and to minimize the response time of network services. Load balancing involves using multiple systems to deal with high demands of a network by balancing the load between multiple systems.
Oracle Solaris 11 provides resource management capabilities through the following features:
• Flows: Refers to a subset of data packets that are identified by common attributes. These attributes consist of packet header information, such as IP addresses, protocol type, and transport port numbers. You can observe flows individually, as well as assign flows their own SLAs (for example, bandwidth control and priority). You administer flows at the L2, L3, and L4 layers of the Oracle Solaris network protocol stack.
• LLDP: Refers to the L2 technology that is used by systems in a local area network (LAN) to exchange configuration and management information with each other. LLDP enables a system to advertise connectivity and management information to other systems on the network.
Oracle Solaris 11 improves the network sockets implementation by no longer using the STREAMS module. This enhancement results in performance improvements and also provides a new, simplified developer interface for adding new socket types. The new network socket architecture also monitors network traffic volume, allowing it to shift from interrupt-driven to polling mode, which is much more efficient when dealing with high network traffic volumes.
Oracle Solaris 11 provides the following commands to observe network traffic:
• tcpstat: Enables you to observe network traffic at the transport layer, specifically for TCP and UDP
• ipstat: Enables you to observe network traffic at the IP layer, aggregated on source, destination, higher-layer protocol, and interface
Additionally, Oracle Solaris 11 supports the use of the Wireshark GUI to troubleshoot networking issues and to perform packet analysis. The Wireshark utility and its command-line equivalent, TShark, enable you to capture packet data from a live network or read packets from a previously saved capture file.
Oracle Solaris Zones Enhancements

Oracle Solaris 11 includes significant enhancements to zone administration and monitoring, which help administrators manage consolidated and virtualized workloads more efficiently.
For users running applications either in zones or on bare metal on Oracle Solaris 10 systems, virtual-to-virtual (V2V) and physical-to-virtual (P2V) tools are provided to help the transition to an Oracle Solaris 10 zone running in Oracle Solaris 11. An Oracle Solaris 10 zone can have a shared IP stack with the global zone or an exclusive IP stack. Oracle Solaris 10 Zones provide a proven and fully supported option for quick adoption of Oracle Solaris 11, which allows administrators to benefit immediately from all the new features available while providing an easy application migration path.
Oracle Solaris 11.2 supports a fully independent and isolated environment called Oracle Solaris Kernel Zones (also known as solaris-kz branded zones). Kernel zones use an independent kernel and user environment within the zone. Each kernel zone can run at a different kernel version from the global zone and can be updated separately without requiring a reboot of the global zone.
Note: The following legacy branded zone features are supported only in Oracle Solaris 10:
• Linux brand (lx)
• Oracle Solaris 8 Containers (solaris8)
• Oracle Solaris 9 Containers (solaris9)
Oracle Solaris 11 greatly enhances your ability to monitor zone resource consumption with the introduction of the zonestat command. With zonestat, you can observe memory and CPU utilization, utilization of resource control limits, total utilization, and per-zone utilization breakdowns over specified time periods.
In Oracle Solaris 11, you can delegate specific zone administration tasks to different administrators using Role-Based Access Control (RBAC). With delegated administration, standard users are identified with the permissions to log in to, manage, or clone that zone.
In the Oracle Solaris 11.1 release, you can configure, install, and run Oracle Solaris Zones hosted directly on arbitrary storage device objects such as Fibre Channel and iSCSI targets. Another new enhancement of this release is the support for NFS servers in nonglobal zones. A new unavailable zone state has been added in the Oracle Solaris 11.1 release to indicate that the zone has been installed, but cannot be verified, made ready, booted, attached, or moved.
Starting from the Oracle Solaris 11.2 release, you can make configuration changes, such as changing network configuration and resource controls, in a running zone without the need to reboot. In the earlier releases of Oracle Solaris, administrators had to reboot a zone for a configuration change to take effect. Live Zone Reconfiguration eliminates down time in service availability within the zone when configuration changes are made.
Storage and File System Enhancements
• ZFS enhancements
ZFS is the default root file system in Oracle Solaris 11. UFS is still available for nonroot file systems. Oracle Solaris 11 has added ZFS deduplication, which detects and removes redundant data from ZFS file systems. If a ZFS file system has the dedup property enabled,
duplicate data blocks are removed synchronously. As a result, the file system stores only
unique data. Support for listing the differences between ZFS snapshots (zfs diff) has
been added with Oracle Solaris 11. Also, now you can use the shadow migration feature to
migrate data from an old file system to a new one while simultaneously allowing access and
modification of the new file system during the migration process.
The Common Multiprotocol SCSI Target (COMSTAR) technology, introduced in Oracle Solaris 11, enables network file sharing, similar to NFS and CIFS, but for raw block-device access via iSCSI or SAN. This technology enables any Oracle Solaris 11 host to become a
SCSI target, allowing it to be accessed over a storage network by a variety of initiator hosts.
COMSTAR supplies a software framework that makes it possible for all SCSI device types to
connect to a transport protocol and provide network device access. In this way, virtual
machines can share image files or access to a database.
Oracle Solaris 11 provides in-kernel CIFS support for seamless file sharing with Windows environments. The CIFS service also includes new features, such as host-based access
control (which allows a CIFS server to restrict access to specific clients according to IP
addresses), access control lists (ACLs) on shares, and client-side caching of offline files with
synchronization on reconnect.
User Environment Feature Changes
In Oracle Solaris 11, the administrative commands are located in the /usr/sbin directory, compared to /sbin in the previous release. In addition, the /sbin directory has been replaced by an /sbin → /usr/sbin symbolic link.
In Oracle Solaris 10, the default scripting shell (/bin/sh) is the Bourne shell. Starting with Oracle Solaris 11, the bash shell is the default interactive shell, and ksh93 replaces ksh as the default system shell.
There are other changes in Oracle Solaris 11 that affect user experience. The default user path is /usr/bin. The default path for the root role is /usr/bin:/usr/sbin. The developer tools that were previously located in the /usr/ccs/bin directory have been moved to the /usr/bin directory. The /usr/ccs/bin directory is replaced by a /usr/ccs/bin → /usr/bin symbolic link.
Although most of the user and group management commands remain almost the same, with some enhancements, Oracle Solaris 11 replaces the Solaris Management Console graphical tool and its associated command-line interface of Oracle Solaris 10 with the User Manager GUI.
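The command and path changes listed in this lesson (ifconfig, ndd and driver.conf, /etc/defaultrouter, /sbin, /usr/ccs/bin, netservices limited, the /bin/sh shell) are exactly what breaks old administration scripts during a migration. The following scanner is an added example, not code from the course guide or from Oracle: it reads a shell script written for Oracle Solaris 10, flags each legacy usage, and names the Oracle Solaris 11 replacement this lesson gives for it. The sample script is constructed for the example; the regular expressions and the replacement wording are this example's own.

```python
"""Migration-readiness scanner for Oracle Solaris 10 era shell scripts.

Added example, not part of the course guide. It flags only the legacy usages
whose Oracle Solaris 11 replacements this lesson names.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    line_no: int
    legacy: str        # the Oracle Solaris 10 usage that was matched
    replacement: str   # the Oracle Solaris 11 replacement named in the lesson
    text: str          # the offending script line, stripped


# (regex, legacy label, replacement). The /sbin pattern deliberately refuses to
# match inside /usr/sbin, which is the Oracle Solaris 11 location.
LEGACY_PATTERNS = [
    (r"\bifconfig\b", "ifconfig", "ipadm: persistent interface and address configuration"),
    (r"\bndd\b", "ndd", "dladm: datalink and protocol property configuration"),
    (r"\bdriver\.conf\b", "driver.conf", "dladm: datalink property configuration"),
    (r"/etc/defaultrouter\b", "/etc/defaultrouter", "route: persistent route configuration"),
    (r"/usr/ccs/bin\b", "/usr/ccs/bin", "/usr/bin: /usr/ccs/bin is now only a symbolic link"),
    (r"(?<![\w/])/sbin(?=[/:\s;'\"]|$)", "/sbin", "/usr/sbin: /sbin is now only a symbolic link"),
    (r"\bnetservices\s+limited\b", "netservices limited",
     "not needed: Oracle Solaris 11 is secure by default"),
]
_COMPILED = [(re.compile(rx), legacy, repl) for rx, legacy, repl in LEGACY_PATTERNS]
_SH_SHEBANG = re.compile(r"^#!\s*/bin/sh\b")


def scan_line(line_no: int, line: str) -> List[Finding]:
    """Return every legacy usage found on one script line."""
    stripped = line.strip()
    if line_no == 1 and _SH_SHEBANG.match(stripped):
        # ksh93 is the default system shell on Oracle Solaris 11, so a script
        # that assumes Bourne-shell-only behaviour deserves a review.
        return [Finding(line_no, "#!/bin/sh",
                        "ksh93 is the default system shell; review Bourne-shell assumptions",
                        stripped)]
    if stripped.startswith("#"):
        return []  # a comment cannot execute a legacy command
    return [Finding(line_no, legacy, repl, stripped)
            for rx, legacy, repl in _COMPILED if rx.search(line)]


def scan_script(text: str) -> List[Finding]:
    """Scan a whole script, returning findings in line order."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(n, line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per legacy usage, e.g. {'ifconfig': 2, ...}."""
    return dict(Counter(f.legacy for f in findings))


def format_report(findings: List[Finding]) -> str:
    """Render one finding per line with the replacement to move to."""
    lines = [f"line {f.line_no}: {f.legacy} -> {f.replacement}\n    {f.text}"
             for f in findings]
    return "\n".join(lines) if lines else "no legacy Oracle Solaris 10 usages found"


# Constructed sample of an Oracle Solaris 10 era network setup script.
SAMPLE_SCRIPT = """#!/bin/sh
# Constructed sample: bring up bge0 and set the default route, Solaris 10 style
PATH=/usr/ccs/bin:/usr/bin:/sbin; export PATH
/sbin/ifconfig bge0 plumb
ifconfig bge0 192.0.2.10 netmask 255.255.255.0 up
ndd -set /dev/ip ip_forwarding 1
echo 192.0.2.1 > /etc/defaultrouter
netservices limited
/usr/sbin/svcadm restart network/physical
"""

if __name__ == "__main__":
    print(format_report(scan_script(SAMPLE_SCRIPT)))
```

Running the block on the sample reports nine findings; the /usr/sbin/svcadm line and the comment line are correctly left alone.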
Desktop Environment Enhancements

For desktop users, Oracle Solaris 11 offers a state-of-the-art GNOME desktop with the GNOME graphical desktop manager (GDM) as the only graphical login option. Oracle Solaris 10 supports the use of both Common Desktop Environment (CDE) and GDM for login.
The Oracle Solaris 11 desktop includes the innovative Time Slider tool. Integrated with the
File Browser, Time Slider supports file and directory recovery, which is made possible through
native snapshot and clone capabilities in ZFS. A user can click in Time Slider to snapshot a
home directory and later revert to it if necessary.
The Oracle Solaris 11 desktop also includes a network administration GUI to manage network
connections from the desktop.
The Common UNIX Printing System (CUPS) is the default print service on Oracle Solaris 11,
replacing the LP print service used in Oracle Solaris 10. CUPS support includes a web and
graphical interface to manage your printing environment. A system that is running CUPS
becomes a host that can accept print requests from client systems, process those requests,
and then send them to the appropriate printer.
System Security Enhancements
• Secure by default

Oracle Solaris 11 provides a fully secure-by-default environment. With automatic secure-by-default, all network services are disabled except for SSH, or set to listen for local system communications only. In Oracle Solaris 10, the Secure by default feature is available but disabled by default, and had to be enabled during the OS installation or by running the netservices limited command.
In Oracle Solaris 11, root is treated as a role rather than a user. During system installation, an initial user is defined. After an initial user login, a user with the appropriate privileges can subsequently assume the role of root by using su or by performing administrative tasks after authentication using sudo or pfexec. You can use the pfexec command to directly assign a rights profile or directly assign more roles to a user account.
Oracle Solaris 11 supports a robust mechanism for your data protection by implementing
on-disk encryption/decryption support and key management for ZFS datasets. In the event of
theft or in the case of untrusted paths to networked storage, encrypted ZFS datasets can help
to safeguard data and prevent unauthorized access. The kernel implements raw
encryption/decryption functions that are applied to all data and file system metadata.
password for each label. This password is in addition to the session login password, thus
allowing administrators to set a per-zone encryption key for each label of every user’s home
directory.
The auditing service of Oracle Solaris 11 is enabled by default. When compared to Oracle
Solaris 10, you do not need to reboot the system when enabling or disabling the auditing
service. Further, you can use the auditconfig command to view and edit audit policy.
Agenda
• Features comparison
• Strategy for transitioning to Oracle Solaris 11
Agenda
• Features comparison
• Strategy for transitioning to Oracle Solaris 11
Administrators should have a sound understanding of the key features of Oracle Solaris 10, including Oracle Solaris Zones and ZFS (especially to support root file systems), before preparing for transitioning to Oracle Solaris 11. Oracle Solaris 11 builds upon these features.
Oracle continues the Solaris commitment to binary compatibility across hardware
architectures. This simplifies migrations between major Oracle Solaris releases and allows
applications to take advantage of performance gains from Oracle’s newest SPARC and x86
hardware systems. Oracle guarantees source code compatibility across different machine
architectures, allowing software providers to simply recompile applications across hardware
architectures.
Oracle Solaris 11 supports a migration path for ZFS and UFS file systems by using the ZFS shadow migration feature. You can migrate data from an old file system to a new file system while simultaneously allowing access and modification of the new file system during the migration process.
Oracle offers multiple migration paths for transitioning applications to Oracle Solaris 11.
Applications can run directly on Oracle Solaris 11 in global or nonglobal zones. The release
also supports Oracle Solaris 10 Zones hosted within an Oracle Solaris 11 global zone. Just as
Oracle Solaris 8 and 9 branded zones helped to transition applications to Oracle Solaris 10,
Oracle Solaris 10 branded zones in Oracle Solaris 11 enable a more gradual, step-by-step
approach to an OS migration.
Managing Software Packages in Oracle Solaris 11
Job Workflow
Unauthorized reproduction or distribution prohibited. Copyright © 2015, Oracle and/or its affiliates.
[Job workflow diagram: Managing Software Packages, Installing, Network Administration Enhancements, Administering Zones, ZFS Enhancements, Security Enhancements]
Before you begin the lesson, take a look at the job workflow in the slide diagram. So far, you have learned about the new features and enhancements of the Oracle Solaris 11 OS. You will now learn how to manage software packages with the help of an IPS repository.
[Slide diagram: Oracle Network Repositories, Firewall, Custom Repository; Operating System with Active Boot Environment and Inactive Boot Environment; Oracle Solaris Image Packaging System]
The Image Packaging System (IPS) is a framework that enables software lifecycle management, such as installation, upgrade, and removal of packages. IPS also enables users to create their own packages, create and manage package repositories, and copy and mirror existing software package repositories. Packages can be installed only into file systems that are part of a boot environment (BE). For example, on a default Oracle Solaris 11 installation, only datasets under rpool/ROOT/BEname/ are supported for package operations.
Using IPS, you can perform the following tasks:
• Create and manage images.
• Search the IPS packages on your system and in IPS repositories.
• Copy, mirror, create, and administer package repositories.
• Create and publish IPS packages to a package repository.
IPS is the packaging system for the Oracle Solaris 11 operating systems, just as SVR4 is the packaging system for the Oracle Solaris 10 operating systems. A key component of IPS is the package repository. A package repository is a location where software packages are stored and from where packages are retrieved by client systems. You can even clone an entire package repository, such that any package repository that the client can access has everything it needs to proceed.
[Slide diagram: Package Repository Server, Cloned Repository, and Client using the pkg command]
i ( sha ense
IPS is Q av up of thelicfollowing key components. Each component has a role to play.
made
h d
•i Package: A package in IPS is a collection of actions defined by a set of key-value pairs
a
Sh tthat
at represent
ep ese t metadata,
etadata, such
suc as classification,
c ass cat o , descriptions,
desc pt o s, o or ot
other
e att
attributes
butes suc
such as
path and alias. The key-value pair can also represent a data payload. These actions can
represent items, such as directories, links, drivers, and services. Each IPS package is
represented by a Fault Management Resource Identifier (FMRI), which is used with the
pkg(1) command to indicate the packages on which to perform operations.
• Repository: A repository is a location where clients publish and retrieve packages. The
location is described by a uniform resource identifier (URI), such as
http://pkg.oracle.com/solaris/release. A repository can contain packages
from any number of publishers, such as solaris and ha-cluster. A publisher can
publish to multiple repositories. A repository has an origin and zero or more cloned
repositories. The repository origin is the location of a package repository that contains
both package metadata (package manifests and catalogs) and package content
(package files).
- Category: developer
- Package Name: apptrace
- Component Version: 0.5.11
- Build Version: 5.11
- Branch Version: 0.175.2.0.0.42.2
- Time Stamp (when the package was published): 20140624T183919Z
• Manifest: A manifest describes the components and attributes that make up a package.
• Client package management utility: pkg(1) is a command-line utility that you can use to create and manage images; search package data; and perform software installation, upgrade, and removal.
• Boot environment (not shown): A boot environment (BE) is a bootable image of an Oracle Solaris 11 operating system plus any other application software packages installed in that image. System administrators can maintain multiple BEs in their systems, and each BE can have different software versions installed.
http://pkg.oracle.com/solaris/release/
• Reasons for creating a local repository:
– Default repository not available to clients
– Performance
– Security
– Replication
The default system installation manifest installs the Oracle Solaris 11 operating system from the public repository at http://pkg.oracle.com/solaris/release/. If you have an Oracle support contract, after the installation you can change the default manifest to use the Oracle support repository. You can also add additional publishers and repositories, such as those for Oracle Exadata, Oracle Solaris Cluster, and Oracle Solaris Studio.
You can create your own local package repository. Having a local package repository is
necessary when your network clients do not have access to the web-based default repository.
Other reasons you might want to have a local copy of a package repository include:
• Performance: Having a local package repository allows clients access to packages at
local network speeds.
• Security: You might not want your client systems to have access to the Internet.
• Replication: You want to ensure that an installation that you perform next year is
exactly the same as the installation you perform today.
To create a local repository, you perform the following steps:
1. Obtain the repository files.
When creating a local package repository, you first download the Oracle Solaris 11 repository files from:
http://www.oracle.com/technetwork/server-storage/solaris11/downloads/index.html
The repository files provide you with a complete archive of software packages, which
allow you to set up a local network IPS repository to which client systems can connect.
Download the following repository files:
- README file (README-zipped-repo.txt)
- Repository assembly script (install-repo.ksh)
- MD5 checksum file
- Four IPS repository parts (zip files)
2. Make the installation script file executable.
# cd /opt/ora/repodir (download directory)
# chmod +x install-repo.ksh
# ./install-repo.ksh -d /export/IPSpkgrepos/Solaris -c -v -I
Comparing checksums of downloaded files...done. Checksums match.
Uncompressing sol-11_2-repo-1of4.zip...done.
Uncompressing sol-11_2-repo-2of4.zip...done.
Uncompressing sol-11_2-repo-3of4.zip...done.
Uncompressing sol-11_2-repo-4of4.zip...done.
Repository can be found in /export/IPSpkgrepos/Solaris.
Initiating repository verification.
Building ISO image...done.
ISO image and instructions for using the ISO image are at:
/opt/ora/repodir/sol-11_2-repo.iso
/opt/ora/repodir/README-repo-iso.txt
5. Configure the publisher.
The publisher for the Oracle Solaris 11 operating system is solaris and the default origin for that publisher is http://pkg.oracle.com/solaris/release. If you want your clients to get packages from your local repository, you must reset the origin for the solaris publisher as shown in the section “Configuring the IPS Clients” later in this lesson.
After creating a local IPS repository, you need to create a depot server instance to provide network access to the data contained within a package repository. You could configure the default instance of the service.
To create and configure a new depot server instance, perform the following steps:
1. Create a depot server instance of the pkg/server service, named solaris:
# svccfg -s pkg/server add solaris
2. Set the path where the pkg/server:solaris instance can find the repository data:
# svccfg -s pkg/server:solaris setprop \
pkg/inst_root=/export/IPSpkgrepos/Solaris
3. Set the port number on which the depot server instance should listen for incoming
package requests (optional):
# svccfg -s pkg/server:solaris setprop pkg/port=81
4. Restart the package depot server service:
# svcadm refresh pkg/server:solaris
# svcadm enable pkg/server:solaris
5. Test whether the repository server is working by opening a browser window on the
localhost location.
# pkg publisher
PUBLISHER TYPE STATUS P URI
solaris origin online F http://pkg.oracle.com/solaris/release/
# pkg publisher
PUBLISHER TYPE STATUS P URI
solaris origin online F http://s11-server1.mydomain.com/
For client systems to access a local repository, you must set the publisher to the local IPS publisher as shown in the example in the slide. Here, s11-server1.mydomain.com is the FQDN name of the Oracle Solaris 11 system on which you configured a depot server instance.
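A small check for the client-side configuration just described, written as an added example for this guide (it is not Oracle's code): it reads pkg publisher output and confirms that the solaris publisher's origin is on the local depot host rather than the public repository. The two sample outputs are constructed in the slide's column layout, and s11-server1.mydomain.com is the example host from the text.

```shell
#!/bin/sh
# Added example for this guide, not Oracle's code: confirm that a client's
# "solaris" publisher points at the local depot rather than the public
# repository. Assumes the pkg publisher column layout shown on the slide:
#   PUBLISHER TYPE STATUS P URI

# Constructed sample outputs in the slide's layout (not captured live).
PUBLIC_SAMPLE='PUBLISHER TYPE STATUS P URI
solaris origin online F http://pkg.oracle.com/solaris/release/'
LOCAL_SAMPLE='PUBLISHER TYPE STATUS P URI
solaris origin online F http://s11-server1.mydomain.com/'

# publisher_origin PUBLISHER   reads pkg publisher output on stdin and prints
# the first origin URI configured for PUBLISHER (nothing if it has none).
publisher_origin() {
    awk -v pub="$1" 'NR > 1 && $1 == pub && $2 == "origin" { print $5; exit }'
}

# origin_host URI   prints the host part of an http(s) origin URI.
origin_host() {
    printf '%s\n' "$1" | sed -e 's,^[a-z]*://,,' -e 's,[:/].*$,,'
}

# check_publisher PUBLISHER EXPECTED_HOST   reads pkg publisher output on
# stdin; exit 0 when the publisher's origin is on EXPECTED_HOST, 1 otherwise.
check_publisher() {
    origin=$(publisher_origin "$1")
    if [ -z "$origin" ]; then
        echo "no origin configured for publisher $1" >&2
        return 1
    fi
    host=$(origin_host "$origin")
    if [ "$host" = "$2" ]; then
        echo "OK: publisher $1 uses $origin"
        return 0
    fi
    echo "MISMATCH: publisher $1 uses $origin (expected host $2)" >&2
    return 1
}

# On a live Oracle Solaris 11 client (not run here):
#   pkg publisher | check_publisher solaris s11-server1.mydomain.com
# and, if it reports a mismatch, repoint the publisher at the local depot:
#   pkg set-publisher -G '*' -g http://s11-server1.mydomain.com/ solaris

printf '%s\n' "$LOCAL_SAMPLE" | check_publisher solaris s11-server1.mydomain.com
printf '%s\n' "$PUBLIC_SAMPLE" | check_publisher solaris s11-server1.mydomain.com \
    || echo "client still fetches from the public repository"
```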
[Slide table: Oracle Solaris 10 Package Management Task and IPS Command Equivalent]
# pkg search -o pkg.name basename:apptrace
PKG.NAME
developer/apptrace
This slide shows examples of searching for a package (apptrace).
Name: developer/apptrace
Summary: Apptrace Utility
Description: Apptrace utility for application tracing, including shared objects
Category: Development/System
State: Not installed
Publisher: solaris
Version: 0.5.11
Build Release: 5.11
Branch: 0.175.2.0.0.42.2
Packaging Date: June 24, 2014 06:39:19 PM
Size: 162.04 kB
FMRI: pkg://solaris/developer/apptrace@0.5.11,5.11-0.175.2.0.0.42.2:20140624T183919Z
This slide shows an example of displaying package information. The -r option retrieves the information data from the repositories of the image’s configured publishers.
Changed packages:
solaris
  developer/apptrace
    None -> 0.5.11,5.11-0.175.2.0.0.42.2:20140624T183919Z

# pkg install apptrace
           Packages to install:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         10/10      0.1/0.1  81.7k/s

PHASE                                          ITEMS
Installing new actions                         29/29
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           1/1
This slide shows examples of performing a package (apptrace) installation dry run (-n) and a real package installation.
Note: Starting from Oracle Solaris 11.2, you can use the -r option with the pkg install command to run package operations recursively across multiple nonglobal zones along with the named nonglobal zones, from the global zone.
This slide shows examples of listing an installed package (apptrace), verifying package status, and displaying the contents of a package. The pkg contents command with no option just lists the directory, file, and link content. You can use the pkg contents command to find dependencies between packages.
Packages to remove: 1
Create boot environment: No
Create backup boot environment: No
PHASE ITEMS
Removing old actions 25/25
Updating package state database Done
Updating package cache 1/1
Updating image state Done
Creating fast lookup database Done
Updating package cache 1/1
This slide shows an example of uninstalling a package (apptrace).
The Package Manager GUI provides most package and publisher operations and some BE operations. If you are new to the Oracle Solaris 11 and IPS technologies, use the Package Manager GUI to quickly download and install packages.
IPS allows you to access the package repository by using a web browser. With a web browser, you can search for and install packages, and view the contents of a package manifest.
Another important feature of IPS is the Update Manager. Update Manager updates all installed packages to the newest version allowed by the constraints imposed on the system by installed packages and publisher configuration.
The Update Manager feature can be invoked in one of the three following ways:
• In the Package Manager GUI, click the Updates button.
• In the Package Manager GUI, select the Package > Updates menu option.
• Use pm-launch with the packagemanager subcommand:
$ /usr/lib/pm-launch packagemanager --update-all
Note: Starting from Oracle Solaris 11.1, you can use the -C option with the pkg update command to install packages in nonglobal zones concurrently with the global zone. For an example on using the -C option, refer to http://docs.oracle.com/cd/E36784_01/html/E36802/gmhap.html#scrolltoc.
If the system created a new BE for the update, you edit the default BE name. Click the Restart Now button to restart your system immediately or the Restart Later button to restart your system at a later time. You must restart to boot into the new BE. The new BE will become your active BE. Your current BE will be available as an alternate boot choice.
Oracle uses the Image Packaging System (IPS) to manage software updates. The Oracle Solaris 11 product engineering group releases software updates for the operating system on a regular basis. These updates are published as Support Repository Updates (SRUs) to a web-based Oracle repository and to My Oracle Support (MOS) for distribution. SRUs contain a number of bug fixes and critical security fixes that, when applied to existing Oracle Solaris 11 systems, help to ensure that the systems run without any issues.
Oracle customers with an active Oracle Support Agreement will have access to the SRUs to routinely update their Oracle Solaris 11 systems. Oracle’s web-based support repository is located at http://pkg.oracle.com/solaris/support. With the support contract, you can also download them from My Oracle Support (https://support.oracle.com/).
If you do not have an Oracle Support Agreement, then download the Oracle Solaris 11.2 zip files from http://www.oracle.com/technetwork/server-storage/solaris11/downloads/beta-2182939.html.
To understand how to create an Oracle SSO account and to access the SRUs by using My Oracle Support, refer to the tutorial available at:
http://supportweb.siebel.com/crmondemand/videos/Customer_Support/UITraining/MOS2010/registration/registration.htm
point.
• Identify which repository is in use on your system.
• Identify which OS release your system is running.
• Verify which SRU your system is running.
• Identify to which release you want to update.
• For a system with Oracle Support Agreement, and using the Oracle Solaris support repository, you will see the following output:
# pkg publisher
PUBLISHER TYPE STATUS P LOCATION
solaris origin online F http://pkg.oracle.com/solaris/support
http://pkg.oracle.com/solaris/release.
2. Review the licenses of the Oracle Solaris 11.1 preupgrade repository (0.5.11-0.175.0.10.1.0.0).
3. Update the system packages. A new boot environment is created.
4. Reboot the system to use the new updated boot environment.
5. On a SPARC system only, for each zone, remove the ldomsmanager package.
6. Update the IPS package.
7. Review the update’s license.
8. Update the system packages. A new boot environment is created.
9. Reboot the system to use the new updated boot environment.
To update a system running Oracle Solaris 11 11/11 to Oracle Solaris 11.2, perform the following steps:
1. Ensure that your package repository is set to use http://pkg.oracle.com/solaris/release.
# pkg publisher
PUBLISHER TYPE STATUS P LOCATION
solaris origin online F http://pkg.oracle.com/solaris/release
2. Review the licenses of the Oracle Solaris 11.1 preupgrade repository (0.5.11-0.175.0.10.1.0.0).
# pkg update --licenses | less
3. Update the system packages. A new boot environment is created.
# pkg update --be-name Solaris11Upgraded --accept \
entire@0.5.11-0.175.0.10.1.0.0
Note: For systems that cannot directly connect to Oracle’s hosted package repositories, download the Oracle Solaris 11.1 Pre-Upgrade Repository Image from http://www.oracle.com/technetwork/server-storage/solaris11/downloads/index.html. This image contains packages that you must update before updating to Oracle Solaris 11.2.
In Practice 3-1, you will watch a demonstration on how to update your system running Oracle Solaris 11 to Oracle Solaris 11.2 OS by using a local repository.
http://pkg.oracle.com/solaris/support.
2. If your system is installed with an SRU that is earlier than SRU #10.5, update the system to SRU #10.5 (0.5.11,5.11-0.175.0.10), and then reboot.
If your system is already installed with an SRU #10.5 or later, continue updating the system to Oracle Solaris 11.2.
3. On a SPARC system only, for each zone, remove the ldomsmanager package.
4. Update the IPS packages.
5. Review the licenses of Oracle Solaris 11.2 update.
6. Update the system to Oracle Solaris 11.2 OS.
7. Reboot the system to use the new updated boot environment.
To update a system running Oracle Solaris 11 11/11 with an SRU to Oracle Solaris 11.2 OS, perform the following steps:
1. Ensure that your package repository is set to use http://pkg.oracle.com/solaris/support.
# pkg publisher
PUBLISHER TYPE STATUS P LOCATION
solaris origin online F http://pkg.oracle.com/solaris/support
2. If your system is installed with an SRU that is earlier than SRU #10.5, update the system to SRU #10.5 (0.5.11,5.11-0.175.0.10), and then reboot.
# pkg update --be-name S11SRU10.5 --accept entire@0.5.11,5.11-0.175.0.10
# init 6
If your system is already installed with an SRU #10.5 or later, continue updating the system to Oracle Solaris 11.2.
3. On a SPARC system only, for each zone, remove the pkg:/system/ldoms/ldomsmanager package.
4. Update the IPS packages.
5. Review the licenses and update the system to Oracle Solaris 11.2 OS. Reboot the system to use the new updated boot environment.
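The following added example (not part of the course material) pulls an IPS FMRI apart into the fields listed earlier in this lesson (publisher, package name, component version, build version, branch version, time stamp) and uses the branch version of the installed entire package to choose between the update paths described above. It assumes the branch fields read 0.175.<update>.<SRU>..., which is what the lesson's own values imply (0.175.0.10 is Oracle Solaris 11 11/11 SRU 10.5, 0.175.2.0 is Oracle Solaris 11.2); the entire versions in the demonstration other than 0.175.0.10.1.0.0 are constructed.

```shell
#!/bin/sh
# Added example for this guide, not Oracle's code: split an IPS FMRI into its
# fields and pick the lesson's update path from the installed "entire" version.
# Assumption: branch version = 0.175.<update>.<SRU>..., as the lesson's own
# values imply (0.175.0.10 = 11 11/11 SRU 10.5, 0.175.2.0 = 11.2).

# fmri_field FMRI FIELD   FIELD is one of: publisher name release build branch timestamp
# Accepts pkg://publisher/name@version, pkg:/name@version, or name@version.
fmri_field() {
    fmri=$1
    publisher=''
    case "$fmri" in
        pkg://*) rest=${fmri#pkg://}; publisher=${rest%%/*}; rest=${rest#*/} ;;
        pkg:/*)  rest=${fmri#pkg:/} ;;
        *)       rest=$fmri ;;
    esac
    name=${rest%%@*}
    version=''
    case "$rest" in *@*) version=${rest#*@} ;; esac
    # version = release[,build][-branch][:timestamp]
    timestamp=''; branch=''; build=''
    case "$version" in *:*) timestamp=${version#*:}; version=${version%%:*} ;; esac
    case "$version" in *-*) branch=${version#*-};    version=${version%%-*} ;; esac
    case "$version" in *,*) build=${version#*,};     version=${version%%,*} ;; esac
    release=$version
    case "$2" in
        publisher) printf '%s\n' "$publisher" ;;
        name)      printf '%s\n' "$name" ;;
        release)   printf '%s\n' "$release" ;;
        build)     printf '%s\n' "$build" ;;
        branch)    printf '%s\n' "$branch" ;;
        timestamp) printf '%s\n' "$timestamp" ;;
        *) echo "fmri_field: unknown field '$2'" >&2; return 1 ;;
    esac
}

# update_path ENTIRE_FMRI   prints which path of the lesson applies:
#   release    11 11/11 GA (no SRU): follow the release-repository steps
#   sru-first  11 11/11 below SRU 10.5: update to SRU 10.5, reboot, then continue
#   support    11 11/11 at SRU 10.5 or later: continue to 11.2 via the support repository
#   direct     11.1 or later: no intermediate state (see the state table)
update_path() {
    branch=$(fmri_field "$1" branch)
    if [ -z "$branch" ]; then
        echo "update_path: no branch version in $1" >&2
        return 1
    fi
    # fields 3 and 4 of the branch version are the update and SRU numbers
    set -- $(printf '%s\n' "$branch" | awk -F. '{ print $3 + 0, $4 + 0 }')
    upd=$1; sru=$2
    if [ "$upd" -ge 1 ]; then
        echo direct
    elif [ "$sru" -eq 0 ]; then
        echo release
    elif [ "$sru" -lt 10 ]; then
        echo sru-first
    else
        echo support
    fi
}

# On a live system the installed entire FMRI comes from:  pkg list -Hv entire
# (not run here). Constructed entire versions, apart from the lesson's
# 0.175.0.10.1.0.0, to show each path:
for f in 'entire@0.5.11,5.11-0.175.0.0.0.2.0' \
         'entire@0.5.11,5.11-0.175.0.8.0.4.0' \
         'entire@0.5.11,5.11-0.175.0.10.1.0.0' \
         'entire@0.5.11,5.11-0.175.1.0.0.24.2'; do
    printf '%-40s -> %s\n' "$f" "$(update_path "$f")"
done
```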
Start State of the System | Intermediate State of the System | End State of the System
Oracle Solaris 11 11/11 (General Availability) | Updated to Oracle Solaris 11.1 pre-upgrade repository; removed some of the non-relevant packages by updating package/pkg; on SPARC systems only, uninstalled ldomsmanager package | Oracle Solaris 11.2
Oracle Solaris 11 (at an SRU lower than SRU #10.5) | Updated to Oracle Solaris 11 SRU 10.5; removed some of the bad packages by updating package/pkg; on SPARC systems only, uninstalled ldomsmanager package | Oracle Solaris 11.2
Oracle Solaris 11 (at SRU #10.5 and later) | Removed some of the bad packages by updating package/pkg; on SPARC systems only, uninstalled ldomsmanager package | Oracle Solaris 11.2
Oracle Solaris 11.1 at any SRU | None | Oracle Solaris 11.2
Oracle Solaris 11.1 (General Availability) | None | Oracle Solaris 11.2
operating system.
• Multiple BEs can be maintained on a system.
• BEs can have different software versions installed.
• BEs make updating software a low-risk operation.
• BE management utilities include:
– The beadm command
– The Package Manager GUI
A BE is a bootable instance of an Oracle Solaris 11 operating system plus any other application software packages installed into that image. System administrators can maintain multiple BEs on their systems, and each BE can have different software versions installed.
With multiple BEs, the process of updating software becomes a low-risk operation because system administrators can create backup BEs before making any software updates to their system. If needed, they have the option of booting a backup BE.
You do not have to create a backup BE as a separate step if you are updating IPS packages. When you use the pkg install or pkg update command, use the --require-backup-be, --backup-be-name, --be-name, or --require-new-be option to make the changes in a new boot environment, not in the current boot environment.
After the initial installation of Oracle Solaris 11 onto a system, a BE is created. Use the beadm
utility or the pkg command to administer additional BEs on your system.
Note: The time to reboot Oracle Solaris 11 is significantly faster when compared to the reboot
time taken by Oracle Solaris 10. The faster reboot helps in minimizing system down time.
Administrators can decide whether to configure fast reboot by default or not by setting a
Boolean value for the config/fastreboot_default SMF property in the
svc:/system/boot-config:default SMF service, allowing certain system and firmware
checks to be bypassed both for SPARC and x86 systems.
The beadm utility is the primary BE management tool. The beadm utility aggregates all datasets in a BE and performs actions on the entire BE at once. You no longer need to perform ZFS commands to modify each dataset individually. It manages the dataset structures within BEs. For example, when the beadm utility clones a BE that has shared datasets, the utility automatically recognizes and manages those shared datasets for the new BE.
The beadm utility enables you to perform administrative tasks on your BEs. These tasks can be performed without upgrading your system. It automatically manages and updates the GRUB menu for x86 systems, or the boot menu for SPARC systems. For example, when you use the beadm utility to create a new BE, that environment is automatically added to the GRUB menu or boot menu.
• Activate an existing, inactive BE.
• Mount a BE.
• Unmount a BE.
• Destroy a BE.
• Destroy a snapshot of a BE.
• Rename an existing, inactive BE.
• Display information about your BE snapshots and datasets.
# beadm list
BE Active Mountpoint Space Policy Created
-- ------ ---------- ----- ------ -------
solaris NR / 3.47G static 2014-07-07 01:05
solaris-1 - - 94.03M static 2014-07-09 03:52
This slide shows examples of listing boot environments and associated snapshots. N means that the BE is currently active, and R means that it will be the BE that will be active on reboot as well.
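As an added example (not from the course), the following script reads beadm list output and reports whether the BE flagged R differs from the one flagged N, that is, whether an activated or freshly updated BE is still waiting for its reboot; it also lists the BEs that are active neither now nor on reboot. Both sample listings are constructed in the slide's column layout.

```shell
#!/bin/sh
# Added example for this guide, not Oracle's code: read "beadm list" output
# and tell whether the BE active now (N) differs from the BE active on
# reboot (R). Assumes the column layout shown in the lesson's beadm list output.

# Constructed samples in the slide's layout (not captured from a live system).
# BEFORE is the slide's listing; AFTER is what a listing looks like once
# "beadm activate solaris-1" has run but the system has not yet rebooted.
BEFORE='BE        Active Mountpoint Space  Policy Created
--        ------ ---------- -----  ------ -------
solaris   NR     /          3.47G  static 2014-07-07 01:05
solaris-1 -      -          94.03M static 2014-07-09 03:52'
AFTER='BE        Active Mountpoint Space  Policy Created
--        ------ ---------- -----  ------ -------
solaris   N      /          3.47G  static 2014-07-07 01:05
solaris-1 R      -          94.03M static 2014-07-09 03:52'

# be_with_flag LETTER   prints the BE whose Active column carries LETTER (N or R)
be_with_flag() {
    awk -v f="$1" 'NR > 2 && index($2, f) > 0 { print $1 }'
}

# inactive_bes   prints name and space of BEs that are active neither now nor on reboot
inactive_bes() {
    awk 'NR > 2 && $2 == "-" { print $1, $4 }'
}

# reboot_pending   reads beadm list output on stdin; exit 0 when a reboot is
# pending, 1 when the running BE is also the one for the next boot, 2 on bad input
reboot_pending() {
    out=$(cat)
    now=$(printf '%s\n' "$out" | be_with_flag N)
    next=$(printf '%s\n' "$out" | be_with_flag R)
    if [ -z "$now" ] || [ -z "$next" ]; then
        echo "reboot_pending: could not determine the active BEs" >&2
        return 2
    fi
    if [ "$now" != "$next" ]; then
        echo "reboot pending: running $now, next boot will use $next"
        return 0
    fi
    echo "no reboot pending: $now is active now and on reboot"
    return 1
}

# On a live Oracle Solaris 11 system (not run here):  beadm list | reboot_pending
printf '%s\n' "$BEFORE" | reboot_pending || true
printf '%s\n' "$AFTER"  | reboot_pending || true
echo "inactive BEs (candidates for beadm destroy):"
printf '%s\n' "$BEFORE" | inactive_bes
```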
This slide shows examples of creating a new BE and a clone.
• The first command creates a new BE.
• The second command creates a snapshot of the new BE.
• The third command creates a BE clone from a snapshot.
This slide shows examples of activating, renaming, and destroying BEs.
This slide shows examples of mounting and unmounting inactive BEs.
The Package Manager is a GUI that enables you to install, update, and manage packages on your installed system. If you use the Package Manager to update all the packages on your system, a clone of the active BE is created. During this process, any update happens to the cloned BE, not the active BE. You do not actually update until you choose to boot the new BE. After you boot the new BE, you can change your mind and boot back to the original. You do not have to reboot to get to your preupdate state if you have not yet rebooted to the new, updated BE.
You can use the Package Manager to manage your BEs as follows:
• Delete old and unused BEs to make disk space available.
• Change the default BE on your system.
• Activate a BE.
Answer: a, c
a. Live Upgrade
b. beadm
c. BE Manager
Answer: b
Answer: d
Answer: a
boot environment?
a. activate -v solaris-alt
b. beadm solaris-alt boot
c. beadm activate solaris-alt
d. activate -d solaris-alt
Answer: c
Installing the Oracle Solaris 11 Operating System
Job Workflow
[Job workflow diagram: Managing Software Packages, Installing, Network Administration Enhancements, Administering Zones, ZFS Enhancements, Security Enhancements]
i ( sha ense
BeforeQ avbegin theliclesson, take a look at the job workflow in the slide diagram. So far, you
you
a h id learned how to manage software packages by using the IPS repository.
have
Sh You will now learn how to install the Oracle Solaris 11 OS using Text Installer, Live Media,
and AI.
This lesson introduces you to the new Oracle Solaris 11 operating system installation methods. You explore both interactive and automated installations. Then you compare Oracle Solaris 10 JumpStart installation with Oracle Solaris 11 installation and convert an Oracle Solaris 10 JumpStart installation to an Oracle Solaris 11 installation. The lesson also shows you how to configure and work with automated installation features. Finally, you are introduced to the distribution constructor.
installation options
• Performing interactive installations of the Oracle Solaris 11 operating system
• Configuring an AI Server and clients
• Comparing and converting JumpStart to AI
• Working with the distribution constructor
• GUI installation
Recommended
This slide shows the hardware requirements needed for installing Oracle Solaris 11.
Note: Oracle Solaris 11.1 now supports installation to x86 systems with UEFI firmware. GRUB 2 has been added as the default x86 boot loader, which supports not only UEFI-specified GPT partitioning schemes but also disks larger than 2 TB. Note that UEFI 2.1+ is required and that this feature is not currently available on SPARC platforms. For information about GRUB 2 and how to upgrade your GRUB Legacy system to a release that supports GRUB 2, see the following websites:
• http://docs.oracle.com/cd/E36784_01/html/E36801/gkvif.html#scrolltoc
• http://docs.oracle.com/cd/E36784_01/html/E36801/gluae.html#scrolltoc
Starting with Oracle Solaris 11.2, a new group package, solaris-minimal-server, installs the smallest possible set of Oracle Solaris packages. Fewer packages reduce potential system vulnerabilities (there is less installed code to patch and expose) and provide faster system updates, faster system cloning, and faster backup in the cloud.
When starting the Oracle Solaris 11 Text installer, you are provided with a menu of keyboard layouts, as shown in this slide. The default is US-English.
The screen shown in the slide provides the language options. The default is English.
The installation menu provides you with options, such as installing additional device drivers and changing the terminal type. The default is "Install Oracle Solaris" (option 1).
Starting from the Oracle Solaris 11.1 release, the ability to install to iSCSI target LUNs has been included in the Text installer. Administrators can choose between installing on local disks or iSCSI disks.
• Local Disks: This is the default option for disks that are attached to the computer, including internal and external hard disks.
• iSCSI: If you want the installer to search for remote disks that are accessible over a network by using the iSCSI standard, select this option. You can connect to a remote iSCSI disk by using DHCP auto-discovery or by manually specifying a target IP address, an iSCSI target name and LUN, and an initiator name.
For more information, refer to http://docs.oracle.com/cd/E36784_01/html/E36800/texttask.html#scrolltoc.
During the Oracle Solaris 11 Text installation, you must choose the disk on which to install the OS.
You are required to assign a name to the installation system. This is the network host name. Also, you must decide how the installation system network is to be configured:
• Automatically: Also known as reactive network, this configures the network automatically using a combination of Network Configuration Profile and Location profile files. You can configure multiple Network Configuration Profile files and Location profile files by using the reactive network. A network configuration file can have a static IP or an IP obtained from the DHCP server.
• Manually: Enables you to configure the network interface manually by assigning the desired IP address, subnet mask, and router.
• None: Disables reactive network. When selecting this option, you must configure the network manually.
In Oracle Solaris 11, by default, root is configured as a role rather than as a user. During system installation, the Text installer helps you to set up the root password and initial user account. You use the initial user account to log in to the system. After the initial user login, a user with the appropriate privileges can subsequently assume the role of root by using su, or perform administrative tasks after authentication by using sudo or pfexec.
Note: If user information is not specified on this page, root becomes a normal account and can directly log in to the system.
The Oracle Solaris 11.1 installers now provide the ability to automatically connect to Oracle support services through the integration of Oracle Configuration Manager and Oracle Auto Service Request. By providing My Oracle Support credentials to take advantage of Oracle's support services, administrators can get systems online and in service faster.
The Oracle Solaris 11 Live Media for x86 provides a GUI-based interactive installation that steps through the process of configuring the system for the OS installation. The Live Media then installs a software payload that includes a full desktop operating environment. The Live Media also provides additional utilities, such as the Device Driver Utility and partition editor, to help ensure a successful installation.
The Device Driver Utility helps you to decide whether Oracle Solaris 11 can be installed on your x86 system. When started, it runs a quick device compatibility check on your system. If a device driver problem is detected, it provides the tools for installing the appropriate device driver packages from a file, the web, or the IPS repository.
The GParted Partition Editor enables you to customize the installation disk layout before you begin the OS installation. Note that GParted is usually used only if you are attempting to set up a disk to boot multiple operating systems.
Starting from the Oracle Solaris 11.1 release, the ability to install to iSCSI target LUNs has been included in the Live Media installer. Administrators can choose between installing on local disks or iSCSI disks.
• Local Disks: This is the default option for disks that are attached to the computer, including internal and external hard disks.
• iSCSI: If you want the installer to search for remote disks that are accessible over a network using the iSCSI standard, select this option. You can connect to a remote iSCSI disk using DHCP auto-discovery or by manually specifying a target IP address, an iSCSI target name and LUN, and an initiator name.
For more information, refer to http://docs.oracle.com/cd/E36784_01/html/E36800/guitask.html#scrolltoc.
The Oracle Solaris 11 Live Media installer helps you to choose the target installation disk or partition.
The Oracle Solaris 11 Live Media installer provides a point-and-click time zone configuration interface. Simply click the city nearest to your installation location.
Similar to the Text installer, in Oracle Solaris 11, root is configured by default as a role rather than as a user. During system installation, the Live Media installer helps you to set up the root password and initial user account. You use the initial user account to log in to the system. After the initial user login, you can assume the role of root by using su, or perform administrative tasks after authentication by using sudo or pfexec. Note that the root password will be the same as the user account password entered here.
In addition to the initial user configuration, the Users dialog box enables you to set the host name for your system. The network configuration method is automatically set to reactive network.
The Oracle Solaris 11.1 installers now support the ability to automatically connect to Oracle support services through the integration of Oracle Configuration Manager and Oracle Auto Service Request. By providing My Oracle Support credentials to take advantage of Oracle's support services, administrators can get systems online and in service faster.
In these practices, you perform interactive installations of the Oracle Solaris 11 operating system.
nsswitch.conf, /var/yp/*, and /var/ldap/ are regenerated from the SMF data when an appropriate service is started or refreshed. You do not edit these files directly. The /etc/nsswitch.conf configuration is now handled by the svc:/system/name-service/switch service, and the /etc/resolv.conf configuration is handled by svc:/network/dns/client. A new utility, nscfg(1), has been provided to import and export name service configuration into and out of the SMF repository, and it allows legacy files such as /etc/nsswitch.conf and /etc/resolv.conf to be regenerated from the SMF configuration for backward compatibility.
• Domain name: The system's domain name is now handled by the svc:/system/identity/domain service. The /etc/defaultdomain file is no longer relevant.
• Environment variables: The system's environment variables are now handled by the svc:/system/environment:init service. The /etc/default/init file is now read-only. To use the svc:/system/environment:init SMF service, the skip_init_upgrade property must be set to true.
Note: Starting from the Oracle Solaris 11.1 release, new options to svccfg(1M), the extract and delcust commands, have been introduced. They help administrators to better understand the administrative customizations that have been made on a system and to apply those changes to other systems. The svccfg editprop command has also been improved to enable administrators to easily change the service configuration by using a text editor. Some of the infrastructural properties that are typically less interesting to administrators are now hidden.
sysidtool.
• Unconfigure the system:
  – sysconfig unconfigure -g system
• Configure the system:
  – sysconfig configure
• System configuration profile creation:
  – sysconfig create-profile
• Configure a functional grouping interactively:
  – sysconfig configure -g network,naming_services
• Configure a functional grouping non-interactively:
  – sysconfig create-profile \
      -g network,naming_services \
      -o /var/tmp/sysconfig_dir
The sysconfig utility is used in Oracle Solaris 11 to unconfigure and reconfigure an existing Oracle Solaris 11 system or its subsystems. The subsystems of a system that are configurable are referred to as "functional groupings." A functional grouping is a service or collection of services that are configured or unconfigured when the utility is executed.
The sysconfig utility replaces the sysunconfig and sysidtool utilities. The sysconfig utility launches the System Configuration tool. You use the System Configuration tool to interactively unconfigure and configure the OS image.
You can perform the following three operations by using the sysconfig utility:
• Unconfiguration of the system: Brings the OS image to a pristine (unconfigured) state.
• Configuration of the system: Enables you to reconfigure the OS image. It helps you to change the host name, IP address, name service, time zone, initial user account, and root password.
• System configuration profile creation: Helps you to create a system configuration profile. The system configuration profile is an XML-based file that contains the host name, IP address, name service, time zone, initial user account, and root password configuration properties. The system configuration profile can be used with the sysconfig configure command or with Automatic Installation (AI) to configure an OS image.
Automated Installations Over the Network

Slide diagram: the AI server hosts an installation service with its manifests (M, M, ..., M) and a boot image; the client contacts the DHCP server (1), the installation service (2), and the IPS repository (3).
The automated installer is used to automate the installation of the Oracle Solaris 11 OS on one or more SPARC and x86 systems over a network. The installations can differ in architecture, packages installed, disk capacity, network configuration, and other parameters.
An automated installation can be run in a "serverless" mode, where the client boots from the ISO image and uses a manifest that is either located on the media or obtained from a network location to which you have access. Client access to an IPS repository and a DHCP service are required.
An automated installation over the network to a client system, as shown in the slide, involves the following core steps:
1. A client system boots and gets IP information from the DHCP server.
2. The client contacts an installation service on the AI server and accesses the boot image and the AI manifest containing the installation specifications.
3. The client is installed with the operating system, pulling packages from the IPS repository specified in the AI manifest.
• Network

profiles for the installation service. The different system configuration profiles can specify different network or locale setup, or a unique host name and IP address.
Note: Starting from the Oracle Solaris 11.1 release, a new set of Role-Based Access Control (RBAC) profiles and authorizations is available for managing the Automated Installation service, including the Install Service Management profile.
The Automated Installer command-line utility, installadm, now supports three new options, update-service, update-profile, and set-service, to improve flexibility for administrators maintaining a set of installation services. Oracle Solaris 11.1 also supports the ability to specify a manifest location with a system boot argument.
AI Service Components from the installadm Package

Slide diagram: the DHCP server directs the client to the installation server; the AI installation service holds the default client provisioning manifest.
The minimum you have to do to use AI is create one installation service. In this minimal scenario, all clients have the same architecture and are installed with the same version of the Oracle Solaris OS. The installations use the default AI manifest, which specifies the most recent version of the OS available from the default IPS package repository on the Internet.
1. Make sure that the installation server has a static IP address and default route.
2. Install the installation tools package, install/installadm.
3. Run the installadm create-service command.
4. Make sure that the clients can access a DHCP server.
5. Make sure that the necessary information is available in the DHCP configuration to boot the service.
6. Make sure that the clients can access an IPS software package repository. To use the default IPS package repository, the clients must be able to access the Internet.
7. Network boot the client.

network.
4. When the client boots after installation, an interactive tool prompts for system configuration information because no system configuration profile is provided.
AI Service Components from the installadm Package

Slide diagram: the DHCP server directs the client to the installation server; the AI installation service holds a custom client provisioning manifest.
To specify the installation parameters, such as a local IPS publisher, the target disk for installation, partition or mirror configuration, or additional software packages to install, provide a customized AI manifest. Perform the following steps before you boot the client, in addition to the minimum required steps:
1. Create a new AI manifest, or write a script that dynamically creates a custom AI manifest at client installation time.
2. Run the installadm create-manifest command to add the new manifest or script to the installation service. Specify criteria for the client to select this manifest or script, or use the -d option to make this manifest or script the default manifest specification for this service.

service.
4. The client is provisioned according to the selected manifest.
5. When the client boots after installation, an interactive tool prompts for system configuration information because no system configuration profile is provided.
AI Service Components from the installadm Package

Slide diagram: the DHCP server directs the client to the installation server; the AI installation service holds the default client provisioning manifest together with a configuration profile.
To specify system configuration parameters, such as time zone, user accounts, and networking, provide a Service Management Facility (SMF) system configuration profile. Perform the following steps before you boot the client, in addition to the minimum required steps:
1. Create a system configuration profile by using the sysconfig create-profile utility.
2. Run the installadm create-profile command to validate the profile, add the profile to the installation service, and specify criteria to select which clients should use this system configuration profile.
When you network boot the client, the following steps are performed:
1. The client gets a temporary IP address for itself, along with the address of the installation server, from the DHCP server.
2. Because the installation server has only one installation service, the client uses that service if the architecture matches.
3. Because the installation service has only one AI manifest, the client uses that default AI manifest, installing software packages from the IPS package repository over the network.
4. The client is directed to the correct system configuration profile by the criteria specified to create-profile.
5. The client is configured according to the selected configuration profile. If no configuration profile is selected because the criteria do not match, the interactive configuration tool starts.
Use Case: Multiple AI Services

Slide diagram: AI Service Components from the installadm package. The DHCP server directs the client to the installation server, which hosts one AI installation service for Oracle Solaris 11 version m and another for Oracle Solaris 11 version n.
To install different versions of the Oracle Solaris 11 OS, create additional AI installation services. Perform the following steps before you boot the client, in addition to the minimum required steps:
1. Run the installadm create-service command and specify a different net image.
2. Run the installadm create-client command to direct the client to this new installation service.
3. Create custom manifests and system configuration profiles (if required) and associate them with the appropriate AI service.
When you network boot the client, the following steps are performed:
1. The client gets a temporary IP address for itself, along with the address of the installation server, from the DHCP server.
2. The client is directed to this new installation service by create-client.
3. The client is provisioned according to the default provisioning manifest for this service.
4. When the client boots after installation, an interactive tool prompts for system configuration information because no system configuration profile is provided.
– Installation images
– DHCP server
• Set up or remove clients.
• Add or delete manifest files.
• Add or delete system configuration profiles.
• Administer installation services by using the AI SMF service.

This slide provides an overview of the tasks that you must perform when configuring your AI server.
• Default manifest
• Derived manifest
• Custom manifest
• Criteria manifest

AI manifests are XML files that are used to specify multiple sets of installation and system configuration instructions for each installation service.
AI has four types of manifests:
• Default manifest: A default manifest is an installation manifest that has no criteria associated with it. The default manifest is used by clients when no other installation manifest's criteria match the client.
• Derived manifest: The default AI manifest for an installation service is a derived manifest. When you create an installation service, a default manifest called orig_default is created for the service. A derived manifest enables the AI process to use existing system configuration data to simplify AI configuration steps.
• Custom manifest: To perform different installations on different clients by using the same installation image, you need to provide customized AI manifests for that installation service. Clients that do not match the criteria specific to any custom manifest are installed using the instructions in the default manifest.
• Criteria manifest: The criteria manifest allows you to associate client-specific installation instructions with AI services. When the client matches the criteria that have been specified for a criteria manifest, the client uses the associated manifest.
<software type="IPS">
  <source>
    <publisher name="solaris">
      <origin name="http://pkg.oracle.com/solaris/release"/>
    </publisher>
  </source>
  <software_data action="install">
    <name>pkg:/entire</name>
    <name>pkg:/group/system/solaris-large-server</name>
  </software_data>
</software>
</ai_instance>
</auto_install>

This slide shows the IPS and packages sections of the default manifest file. The <software> element defines the location of the IPS origin and which software packages to install and uninstall. The entire package is recommended so that the system will be updated coherently when patching or upgrading in the future. The solaris-large-server package is suitable for a server installation.
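The following added example is not part of the course material or of Oracle's installadm package. It parses the <software> section of a manifest like the one above and reports two things an administrator would want to confirm before publishing the manifest to an installation service: that pkg:/entire is in the install list (the coherence point made in the notes) and whether the origin is a plain http:// URL, in which case package data travels unprotected unless IPS signature checking is enforced. The sample manifest is constructed from the slide fragment, with the enclosing <auto_install> and <ai_instance> elements supplied; the function names parse_software and check_manifest are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the IPS/package portion of a default AI manifest as shown
# on the slide, wrapped in the <auto_install>/<ai_instance> elements it omits.
SAMPLE_MANIFEST = """<auto_install>
  <ai_instance name="default">
    <software type="IPS">
      <source>
        <publisher name="solaris">
          <origin name="http://pkg.oracle.com/solaris/release"/>
        </publisher>
      </source>
      <software_data action="install">
        <name>pkg:/entire</name>
        <name>pkg:/group/system/solaris-large-server</name>
      </software_data>
    </software>
  </ai_instance>
</auto_install>
"""


def parse_software(manifest_xml):
    """Return (origins, install_pkgs, uninstall_pkgs) from the IPS <software> element.

    Only the elements that appear in the course's manifest fragment are read;
    this function is the example's own, not an installadm API."""
    root = ET.fromstring(manifest_xml)
    software = root.find("./ai_instance/software[@type='IPS']")
    if software is None:
        raise ValueError("manifest has no IPS <software> section")
    origins = [o.get("name") for o in software.iterfind("./source/publisher/origin")]
    install = [n.text.strip()
               for n in software.iterfind("./software_data[@action='install']/name")]
    uninstall = [n.text.strip()
                 for n in software.iterfind("./software_data[@action='uninstall']/name")]
    return origins, install, uninstall


def check_manifest(manifest_xml):
    """Lint the software section; return a list of findings (empty means clean).

    Checks: pkg:/entire must be installed so later pkg updates stay coherent,
    and an http:// origin is reported because packages would be fetched without
    transport protection (use https or make sure signature checking is enforced)."""
    origins, install, _ = parse_software(manifest_xml)
    findings = []
    if "pkg:/entire" not in install:
        findings.append("pkg:/entire is not installed; future updates cannot be kept coherent")
    for origin in origins:
        if origin.startswith("http://"):
            findings.append(f"origin {origin} uses plain HTTP")
    return findings


if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Run against the slide's manifest, the checker passes the entire test and reports only the plain-HTTP origin; removing the pkg:/entire line produces a second finding.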
services
• Uses an AI manifest selection algorithm
• Uses multiple non-overlapping criteria
• Can be added using the installadm create-manifest command:

# installadm create-manifest -f /export/manifests/manifest_x86.xml \
    -n s11-x86 -C /export/manifests/criteria_x86.xml

The criteria manifest allows you to associate client-specific installation instructions with AI services. When the client matches the criteria that have been specified for a criteria manifest, the client uses that manifest.
An AI manifest is selected for a client according to the following algorithm:
• If custom manifests are defined for this installation service but the client does not match the criteria for any custom manifest, the client uses the default manifest.
• If the client matches the criteria that have been specified for a custom manifest, the client uses the associated manifest.
If the client characteristics match multiple manifests, the client characteristics are evaluated in the following order:
• mac
• ipv4
• platform
• arch
• cpu
• mem
<ai_criteria_manifest>
  <ai_criteria name="arch">
    <value>i86pc</value>
  </ai_criteria>
</ai_criteria_manifest>
• mac criteria manifest file:
<ai_criteria_manifest>
  <ai_criteria name="mac">
    <value>0:14:4F:20:53:94</value>
  </ai_criteria>
</ai_criteria_manifest>
• ipv4 criteria manifest file:
<ai_criteria_manifest>
  <ai_criteria name="ipv4">
    <value>192.168.0.114/24</value>
  </ai_criteria>
</ai_criteria_manifest>

This slide shows examples of arch, mac, and ipv4 criteria files.
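The selection rules described above and the three criteria files on this slide, as an added example that is neither course code nor installadm's own implementation: it parses criteria manifests like the ones shown, matches a constructed client against each of them, ranks the matching manifests by the evaluation order the course lists (mac first, mem last), and falls back to the service's default manifest when nothing matches. The criteria file names, the client dictionary, the rule that the manifest with the most significant matching criterion wins, and the treatment of platform, arch, cpu and mem as exact values are the example's own assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Evaluation order from the course notes. When several manifests match a
# client, this example lets the manifest whose most significant criterion
# comes earliest in this list win (an assumption about how ties resolve).
CRITERIA_ORDER = ["mac", "ipv4", "platform", "arch", "cpu", "mem"]

# Constructed criteria manifests, modelled on the three files on the slide.
# The file names are this example's own.
CRITERIA_FILES = {
    "manifest_x86.xml": """<ai_criteria_manifest>
  <ai_criteria name="arch"><value>i86pc</value></ai_criteria>
</ai_criteria_manifest>""",
    "manifest_lab_net.xml": """<ai_criteria_manifest>
  <ai_criteria name="ipv4"><value>192.168.0.114/24</value></ai_criteria>
</ai_criteria_manifest>""",
    "manifest_host42.xml": """<ai_criteria_manifest>
  <ai_criteria name="mac"><value>0:14:4F:20:53:94</value></ai_criteria>
</ai_criteria_manifest>""",
}


def parse_criteria(xml_text):
    """Return {criterion: [values]} from an <ai_criteria_manifest> document."""
    root = ET.fromstring(xml_text)
    criteria = {}
    for elem in root.iterfind("ai_criteria"):
        name = elem.get("name")
        if name not in CRITERIA_ORDER:
            raise ValueError(f"unknown criterion {name!r}")
        criteria[name] = [v.text.strip() for v in elem.iterfind("value")]
    return criteria


def norm_mac(mac):
    """Canonicalise a MAC so 0:14:4F:20:53:94 and 00:14:4f:20:53:94 compare equal."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))


def value_matches(name, value, client):
    """Compare one criterion value with the attribute the client reported."""
    actual = client.get(name)
    if actual is None:
        return False
    if name == "mac":
        return norm_mac(value) == norm_mac(actual)
    if name == "ipv4":
        # The slide's value is a CIDR range; a bare address also works here.
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    # platform/arch/cpu/mem: exact match (range forms for cpu/mem are not modelled).
    return str(value) == str(actual)


def manifest_matches(criteria, client):
    """Every criterion in the manifest must match (any one of its listed values)."""
    return all(any(value_matches(n, v, client) for v in values)
               for n, values in criteria.items())


def select_manifest(criteria_files, client, default="orig_default"):
    """Return the manifest name a client receives, or the service default.

    Manifests without criteria are skipped: that is the default-manifest case,
    which the fallback covers."""
    ranked = []
    for name, xml_text in criteria_files.items():
        criteria = parse_criteria(xml_text)
        if criteria and manifest_matches(criteria, client):
            rank = min(CRITERIA_ORDER.index(n) for n in criteria)
            ranked.append((rank, name))
    if not ranked:
        return default
    ranked.sort()
    return ranked[0][1]


if __name__ == "__main__":
    # Constructed client that matches all three files; the mac file wins.
    client = {"mac": "00:14:4f:20:53:94", "ipv4": "192.168.0.50", "arch": "i86pc"}
    print(select_manifest(CRITERIA_FILES, client))
```

The MAC normalisation matters in practice: the slide writes the address as 0:14:4F:20:53:94 while a client typically reports zero-padded lower-case octets, and a naive string comparison would silently send that client to the default manifest instead of its own.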
In the Oracle Solaris 11.2 release, a new interactive browser interface enables you to easily create AI manifests, which can be used on an AI server. By stepping through a series of screens, you can quickly create a new manifest that describes the disk layout and ZFS datasets, the IPS repository and software packages, and the zones to be installed. You can then save this manifest to the AI server, where it can be associated with a client installation later by using the installadm(1M) command.
You can use the AI Manifest Wizard to create manifest files for AI without having to edit XML files. The AI Manifest Wizard web application is served from the AI server's web server, which is controlled via the svc:/system/install/server SMF service. By default, this runs on port 5555, but the port can be modified via the SMF service's all_services/port property.
You can access the AI Manifest Wizard by using the URL for the AI server. For example, the URL for an AI server named ai-server would be http://ai-server.domain:5555. Additionally, you can also start the AI Manifest Wizard by running the /usr/bin/ai-wizard command on the AI server.
For more information about the AI Manifest Wizard, refer to the installadm(1M) and ai_manifest(4) man pages.
<service version="1" type="service" name="network/physical">
<instance enabled="true" name="default">
# mkdir -p /export/ai/custom_ai
# vi /var/tmp/manifests/custom_manifest.xml
<software_data action="install">
  <name>pkg:/entire</name>
  <name>pkg:/group/system/solaris-large-server</name>
</software_data>
</software>
</ai_instance>
</auto_install>
# vi /var/tmp/manifests/criteria_custom_ai.xml
<ai_criteria_manifest>
  <ai_criteria name="mac">
    <value>08:00:27:85:C7:D8</value>
  </ai_criteria>
</ai_criteria_manifest>
This slide continues the custom_manifest edit. Here, you identify which software packages are to be loaded on the client system from the IPS server.
After the custom manifest build is completed, you create a criteria manifest for the client system. In this case, you use the client's MAC address as the criteria.
-f /var/tmp/manifests/custom_manifest.xml \
-C /var/tmp/manifests/criteria_custom_ai.xml
# sysconfig create-profile \
-o /var/tmp/manifests/client_profile.xml
options
• Performing interactive installations of the Oracle Solaris 11 operating system
• Configuring an AI Server and clients
• Comparing and converting JumpStart to AI
• Working with the distribution constructor
Task | JumpStart Profile (Class) File Keywords | AI Manifest Directives

JumpStart: boot_device c0t0d0s0 update
AI:
<target>
  <disk whole_disk="true">
    <disk_name name="c0t0d0" name_type="ctd"/>
  </disk>
  <logical nodump="true" noswap="false"/>
</target>

JumpStart: bootenv
AI: A boot environment is automatically created on the Oracle Solaris OS.

JumpStart: cluster SUNWCXall
AI:
<software_data action="install">
  <name>pkg:/entire</name>
  <name>pkg:/group/system/solaris-desktop</name>
</software_data>

The tables in this slide and the following slides show how to convert Oracle Solaris 10 JumpStart rules file keywords to Oracle Solaris 11 AI manifest directives.
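Added example, not Oracle's tooling: a small converter that applies the table's mappings to a constructed JumpStart profile and emits the corresponding AI manifest directives. The ai_instance name, the <software type="IPS"> wrapper, and the cluster-to-group-package table (only SUNWCXall, the one row the table gives) are assumptions.

```python
import xml.etree.ElementTree as ET

# Only the cluster row given in the table above is known; anything else is rejected, not guessed.
CLUSTER_TO_GROUP_PACKAGE = {"SUNWCXall": "pkg:/group/system/solaris-desktop"}

# Constructed sample JumpStart profile using the keywords from the table.
SAMPLE_PROFILE = """\
# JumpStart profile (constructed sample)
boot_device c0t0d0s0 update
bootenv installbe bename s10be
cluster SUNWCXall
"""


def parse_profile(text):
    """Return [(keyword, [args...])] for each non-comment line of a JumpStart profile."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            entries.append((fields[0], fields[1:]))
    return entries


def whole_disk_name(device):
    """c0t0d0s0 -> c0t0d0: the AI <disk_name> names the whole disk, not a slice."""
    idx = device.rfind("s")
    if idx > 0 and device[idx + 1:].isdigit():
        return device[:idx]
    return device


def convert_profile(entries):
    """Build an auto_install manifest tree from JumpStart entries; returns (root, notes)."""
    root = ET.Element("auto_install")
    instance = ET.SubElement(root, "ai_instance", name="converted")  # instance name is assumed
    software_data = None
    notes = []
    for keyword, args in entries:
        if keyword == "boot_device":
            if not args:
                raise ValueError("boot_device needs a device argument")
            target = ET.SubElement(instance, "target")
            disk = ET.SubElement(target, "disk", whole_disk="true")
            ET.SubElement(disk, "disk_name", name=whole_disk_name(args[0]), name_type="ctd")
            ET.SubElement(target, "logical", nodump="true", noswap="false")
        elif keyword == "bootenv":
            # The table says AI creates the boot environment itself, so nothing is emitted.
            notes.append("bootenv: AI creates the boot environment automatically; no directive emitted")
        elif keyword == "cluster":
            if not args or args[0] not in CLUSTER_TO_GROUP_PACKAGE:
                raise ValueError("no known AI group package for cluster %r" % (args[:1],))
            if software_data is None:
                software = ET.SubElement(instance, "software", type="IPS")  # wrapper element assumed
                software_data = ET.SubElement(software, "software_data", action="install")
                ET.SubElement(software_data, "name").text = "pkg:/entire"
            ET.SubElement(software_data, "name").text = CLUSTER_TO_GROUP_PACKAGE[args[0]]
        else:
            notes.append("%s: no conversion rule in this example" % keyword)
    return root, notes


def target_disk(root):
    """Name of the disk selected by the generated <target>, or None."""
    node = root.find("./ai_instance/target/disk/disk_name")
    return None if node is None else node.get("name")


def install_names(root):
    """Package names listed under the generated install software_data."""
    return [n.text for n in root.findall("./ai_instance/software/software_data[@action='install']/name")]


def to_xml(root):
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    tree, notes = convert_profile(parse_profile(SAMPLE_PROFILE))
    print(to_xml(tree))
    for note in notes:
        print("note:", note)
```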
JumpStart Profile
options
• Performing interactive installations of the Oracle Solaris 11 operating system
• Configuring an AI Server and clients
• Converting JumpStart to AI
• Working with the distribution constructor
• x86 or SPARC ISO image for Automated Installations
• The distribution-constructor package contains:
  – The distro_const command-line utility
  – Manifest files
You use the distribution constructor to build custom Oracle Solaris images. These images can be used to install the Oracle Solaris software on individual systems or on multiple systems that run the Oracle Solaris 11 operating system. The distribution constructor takes an XML manifest file as input and builds an ISO image or a Virtual Machine image that is based on the parameters specified in the manifest file.
Using the distribution constructor, you can build customized versions of the following types of Oracle Solaris 11 images:
• x86 or SPARC Oracle Solaris Text installer image
• Oracle Solaris x86 Live Media image
• x86 or SPARC ISO image for Automated Installations
The distribution constructor is distributed in the distribution-constructor package. The distribution-constructor package contains the distro_const command-line utility for building custom Oracle Solaris images. It also contains the default manifest files that are used to describe the various image types.
dc_livecd.xml (x86 Live Media ISO image): Used to create an x86 ISO image that is comparable with the Oracle Solaris Live Media image
dc_text_x86.xml (x86 text installation image): Used to create an x86 ISO image that can be used to perform a text installation of the x86 Oracle Solaris operating system
dc_text_sparc.xml (SPARC text installation image): Used to create a SPARC ISO image that can be used to perform a text installation of the SPARC Oracle Solaris operating system
dc_ai_x86.xml (x86 AI ISO image): Used to create an x86 Automated Installation ISO image for automated installations of the Oracle Solaris OS on x86 clients
dc_ai_sparc.xml (SPARC AI ISO image): Used to create a SPARC Automated Installation ISO image for automated installations of the Oracle Solaris OS on SPARC clients
The table in the slide lists the default manifest files shipped with the distribution-constructor package. After you install the distribution-constructor package, you can locate these manifest files in the /usr/share/distro_const directory.
Answer: a
Answer: b
pristine state?
a. sysconfig -d image-name
b. sysconfig -u image-name
c. sysconfig unconfigure
d. sysconfig deconfigure
Answer: c
profile?
a. screate -o /var/tmp/output_file.xml
b. sysconfig create-sc -f /var/tmp/output_file.xml
c. screate -f /var/tmp/output_file.xml
d. sysconfig create-profile -o /var/tmp/output_file.xml
Answer: d
step?
a. distro_const
b. distro_const build
c. distro_const build manifest
Answer: c
In this lesson, you were presented with the Oracle Solaris 11 installation options. You were shown how to install the operating system by using the interactive options (Text installer and Live Media), as well as how to perform an automated installation. You then spent some time looking at how to configure an AI server and client. You also had the opportunity to compare a JumpStart OS installation with an AI OS installation and see how to perform the conversion. Finally, you were introduced to the distribution constructor and shown how to build an OS image.
Oracle Solaris 11 Network Administration Enhancements
Job Workflow
Figure (slide diagram): Managing Software Packages, Installing, Network Administration Enhancements, Administering Zones, ZFS Enhancements, Security Enhancements.
Before you begin the lesson, take a look at the job workflow in the slide diagram. So far, you have learned how to administer Oracle Solaris Zones.
You will now learn about the enhancements made to networking features of the Oracle Solaris 11 OS.
Network configuration in Oracle Solaris 11 has changed significantly from that of Oracle Solaris 10. In addition, Oracle Solaris 11 supports several new networking features, including some key network virtualization technologies.
Figure (Oracle Solaris 10 network stack): Transport Layer (TCP, UDP, SCTP; netstat -p) 192.168.222.5:53426; Network Layer (IPv4, IPv6; ifconfig) e1000g0 192.168.222.5, e1000g0:1 192.168.222.6, nxge0 192.168.222.7; Datalink Layer (dladm show-dev) e1000g0, nxge0, nxge1; Physical NICs / Hardware (dladm show-phys) e1000g, nxge.
In the Oracle Solaris 10 implementation of the network protocol stack, interfaces and links on the software layer were built on the devices in the hardware layer. More specifically, a hardware device instance in the hardware layer had a corresponding link on the datalink layer and a configured interface on the interface layer. The graphic in the slide depicts a typical one-to-one relationship between the network device, its datalink, and its IP interface in Oracle Solaris 10 releases.
Further, there is limited support for virtual devices in the datalink layer in Oracle Solaris 10, wherein only link aggregations are supported.
You use the ifconfig command to manage logical interface names, where each logical interface corresponds to an IP address on the interface. Therefore, it is not always obvious which managed features apply to the interface and which apply to individual addresses.
Figure (Oracle Solaris 11 network stack): Transport Layer (TCP, UDP, SCTP; netstat -p) 192.168.222.5:53428; Datalink Layer (dladm show-link) etherstub0, net0, net1; Hardware ixgbe0, nxge0.
In Oracle Solaris 11, you will still find the one-to-one relationship between the hardware, datalink, and interface layers, as shown in the graphic in the slide. However, the new network design of Oracle Solaris 11 decouples the software layer from the hardware layer. With this separation, network configuration on the software layer is no longer bound to the chipset or the network topology in the hardware layer. With this decoupling, you can create customized link names in the datalink layer. Further, with the abstraction of the datalink layer, multiple networking abstractions or configurations, such as virtual local area networks (VLANs), virtual network interface cards (VNICs), physical devices, link aggregations, and IP tunnels, are unified into a common administrative entity, which is the datalink.
• GUI installation:
• Administering datalinks
• Configuring IP interfaces and IP addresses
• Configuring persistent routes
• Working with reactive profiles
Network configuration in Oracle Solaris 11 has changed significantly from how you configured the network in Oracle Solaris 10. In addition, Oracle Solaris 11 supports several new networking features, including some key network virtualization technologies.
# dladm show-phys
LINK   MEDIA      STATE    SPEED  DUPLEX  DEVICE
net1   Ethernet   unknown  1000   full    e1000g1
net2   Ethernet   unknown  1000   full    e1000g2
net0   Ethernet   up       1000   full    e1000g0
net3   Ethernet   unknown  1000   full    e1000g3
Note: There are two steps to configure an IP in Oracle Solaris 11: First, you create the interface, and then you configure an IP address for the interface. However, in Oracle Solaris 10, you configure an IP in a single step by using the ifconfig command.
You use the route command to manually manipulate the network routing tables. The use of the -p option with the route command makes the changes persistent across reboots. You cannot manage routes by using the /etc/defaultrouter file because it is deprecated in Oracle Solaris 11.
# netadm list
# netcfg
netcfg> create ncp oracle_profile
netcfg:ncp:oracle_profile> create ncu phys net0
Created ncu 'net0'. Walking properties …
...
The network profile and configuration object types are:
• Network Configuration Profiles (NCPs): An NCP specifies the configuration of network links and interfaces. There are two types of NCPs:
- Automatic NCP: It is a system-defined profile that is made up of one link NCU and one interface NCU for each physical link that is present on the system. The content of the Automatic NCP changes if network devices are added or removed.
- User-defined NCPs: They are profiles that you create to meet the needs of your particular network configuration. A user-defined NCP can be modified and removed by the user.
• Network Configuration Units (NCUs): They are the individual configuration objects (or profiles) that contain all of the properties that define an NCP. Each NCU represents a physical link or an interface and contains properties that define the configuration for that link or interface.
• Location Profiles: It is one of the two primary profile types that define the system's network configuration and specifies the systemwide network configuration (for example, the naming services, domain, IP Filter, and IPsec configuration). There are both system- and user-defined locations.
Figure (Network virtualization): a physical Network with Physical Link 1 on the left; on the right, Oracle Solaris 11 hosting Webserver 1 Zone and Webserver 2 Zone (one vnic each) on a Virtual Switch (Etherstub), a Router Zone with vnics, and db1, db2, and db3 Server Zones on a second Virtual Switch (Etherstub).
Network virtualization is the process of combining hardware network resources and software network resources into a single administrative unit. The goal of network virtualization is to provide systems and users with efficient, controlled, and secure sharing of the networking resources. The end product of network virtualization is the virtual network.
With server virtualization becoming more mainstream in the IT industry, the focus is shifting to a deployment model that uses network virtualization to support the sharing of network traffic amongst multiple virtual machines (VMs) or zones. Along with a rise in the adoption of cloud architectures that rely upon virtualization for deploying workloads, network virtualization is playing an even more critical role in the overall network administration strategy in Oracle Solaris.
Using virtual infrastructure (shown on the right in the graphic in the slide) to consolidate physical systems in the data center, enterprises can experience the following:
• Lower total cost of ownership of servers
• Higher server utilization
• Increased operational efficiency
• Tighter security
Components and descriptions:
Virtual NIC (VNIC): A VNIC is a virtual network device with the same datalink functionality as the physical interface.
Virtual switch: A virtual switch is an entity that facilitates communication between virtual machines (VMs). The virtual switch loops traffic between virtual machines (inter-VM traffic) within the physical machine and does not send this traffic out on the wire.
Elastic Virtual Switch (EVS): An EVS enables direct management of virtual switches. You can create EVS switches to deploy multiple virtual networks that span multiple hosts, within either a multi-tenant cloud environment or a datacenter. Additionally, you can connect any Oracle Solaris VNIC to an EVS switch or a virtual port. Such VNICs automatically inherit their network configuration from EVS.
Note: You will learn more about the EVS feature later in this lesson.
Figure (slide graphic): Global Zone containing Zone 1 (vnic 1) and Zone 2 (vnic 2) attached to a Virtual Switch over net0, which connects to the Network.
# dladm create-vnic -l net0 vnic1
# dladm create-vnic -l net0 vnic2
The graphic in the slide shows a simple virtual network with two Solaris zones. Whenever you create two or more VNICs on the same physical port, a virtual switch will be created at the MAC layer. The effect of the creation of the virtual switch is that traffic between Zone 1 and Zone 2 is switched at the MAC layer. As long as the VNICs share the same physical NIC and are on the same VLAN, this MAC layer virtual switch can be employed.
This slide shows you how to create two VNICs on the physical interface.
Figure (slide graphic): Global Zone containing Zone 3 (vnic 1) and Zone 4 (vnic 2) on Stub 0 (the 192.168.1 Network); vnic 0 in the global zone also sits on Stub 0, and net0 connects the global zone to the 192.168.0 Network.
# dladm create-etherstub stub0
# dladm create-vnic -l stub0 vnic0
# dladm create-vnic -l stub0 vnic1
# dladm create-vnic -l stub0 vnic2
This slide shows a simple, isolated private virtual network with two Solaris zones. This virtual network consists of the following:
• GLDv3 network interface net0: This interface connects the global zone to the public network.
• Etherstub stub0: You use etherstubs to isolate the virtual network from the rest of the virtual networks in the system as well as the external network to which the system is connected. You cannot use an etherstub just by itself. Instead, you use VNICs with an etherstub to create the private or isolated virtual networks. You can create as many etherstubs as you require. You can also create as many VNICs over each etherstub as required.
• Three VNICs: vnic0 is created over etherstub stub0. This interface can be configured in the global zone to provide a route between the private virtual network (192.168.1.0) and the public network. Technologies such as IP forwarding, IP filtering, and Network Address Translation (NAT) can be used to customize the relationship between the private and public networks. VNICs vnic1 and vnic2 are also created over etherstub stub0 and are used to attach the nonglobal zones to stub0.
• Two exclusive IP zones: Each of the two exclusive IP zones has a VNIC assigned. vnic1 is assigned to Zone 3 and vnic2 is assigned to Zone 4.
# dladm show-link -Z
LINK        ZONE    CLASS  MTU   STATE    OVER
net1        global  phys   1500  unknown  --
net0        global  phys   1500  up       --
zone1/net0  zone1   vnic   1500  up       net0
zone2/net0  zone2   vnic   1500  up       net0
zone1/v1    zone1   vnic   1500  up       net1
zone2/v1    zone2   vnic   1500  up       net1
Starting from Oracle Solaris 11.2, you can create datalinks in nonglobal zones from the global zone. This feature enables administrators to dynamically create VNICs, VLANs, and IP-over-InfiniBand partitions directly in the nonglobal zone's namespace from the global zone. Link names are specified as <zonename>/<linkname> and the links are created directly in the specified nonglobal zone.
The example in the slide shows how to create a VNIC v1 in nonglobal zones zone1 and zone2 from the global zone. The zone1/net0 and zone2/net0 are automatically created VNICs for zone1 and zone2, respectively.
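As an added example (not part of the course material), the following parses a constructed dladm show-link -Z listing in the format shown above and follows each link's OVER chain down to its physical NIC or etherstub, so that an administrator can verify which zones share a MAC-layer segment and which private networks (like the stub0 one built earlier) have no direct path to the wire. VLAN tags are not part of this listing, so every link over one root is treated as a single segment.

```python
# Constructed sample in the format of `dladm show-link -Z`: the rows shown above plus an
# etherstub-backed private network (stub0) like the one built with dladm create-etherstub.
SAMPLE_SHOW_LINK_Z = """\
LINK        ZONE    CLASS      MTU   STATE    OVER
net1        global  phys       1500  unknown  --
net0        global  phys       1500  up       --
stub0       global  etherstub  9000  unknown  --
vnic0       global  vnic       9000  up       stub0
zone1/net0  zone1   vnic       1500  up       net0
zone2/net0  zone2   vnic       1500  up       net0
zone1/v1    zone1   vnic       1500  up       net1
zone2/v1    zone2   vnic       1500  up       net1
zone3/net0  zone3   vnic       9000  up       stub0
zone4/net0  zone4   vnic       9000  up       stub0
"""


def parse_show_link_z(text):
    """Parse the whitespace-separated table into {link: {column: value}}."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    links = {}
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError("malformed row: %r" % line)
        row = dict(zip(header, fields))
        links[row["LINK"]] = row
    return links


def segment_root(links, name):
    """Follow OVER until a link that is layered over nothing (a phys NIC or an etherstub)."""
    seen = set()
    while links[name]["OVER"] != "--":
        if name in seen:
            raise ValueError("cycle in OVER chain at %r" % name)
        seen.add(name)
        below = links[name]["OVER"]
        if below not in links:
            raise ValueError("%r is over unknown link %r" % (name, below))
        name = below
    return name


def l2_segments(links):
    """Map each root link to the zones attached to it and whether it reaches the wire."""
    segments = {}
    for name, row in links.items():
        root = segment_root(links, name)
        seg = segments.setdefault(root, {"external": links[root]["CLASS"] == "phys", "zones": set()})
        seg["zones"].add(row["ZONE"])
    return segments


def zones_sharing_segment(links, zone_a, zone_b):
    """Root links over which two zones are switched at the MAC layer (same NIC or etherstub)."""
    return sorted(root for root, seg in l2_segments(links).items()
                  if zone_a in seg["zones"] and zone_b in seg["zones"])


def isolated_zones(links):
    """Non-global zones all of whose datalinks sit on etherstubs, i.e. no direct path to a NIC."""
    segments = l2_segments(links)
    all_zones, external = set(), set()
    for name, row in links.items():
        if row["ZONE"] == "global":
            continue
        all_zones.add(row["ZONE"])
        if segments[segment_root(links, name)]["external"]:
            external.add(row["ZONE"])
    return sorted(all_zones - external)


if __name__ == "__main__":
    table = parse_show_link_z(SAMPLE_SHOW_LINK_Z)
    for root, seg in l2_segments(table).items():
        kind = "external" if seg["external"] else "private"
        print("%-6s %-9s zones=%s" % (root, kind, ",".join(sorted(seg["zones"]))))
    print("isolated:", isolated_zones(table))  # ['zone3', 'zone4']
```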
# dladm show-link
# dladm show-etherstub
LINK
stub0
This slide shows useful commands for accessing your virtual network configuration. The first command (dladm show-link) shows you how to list all the links configured in your system. This includes VNICs and etherstubs. The next command (dladm show-vnic) shows you how to list the VNIC links. The last command (dladm show-etherstub) shows you how to list the etherstubs.
Bandwidth management enables you to assign a portion of the available bandwidth of a NIC to a consumer, such as an application or a customer. You can control bandwidth on a per-application, per-port, per-protocol, and per-address basis. Bandwidth management ensures efficient use of the large amount of bandwidth available from the new GLDv3 network interfaces. Resource control features enable you to implement a series of controls on an interface's available bandwidth.
The allocated portion of bandwidth is known as a share. By setting up shares, you can allocate enough bandwidth for applications that cannot function properly without a certain amount of bandwidth. For example, streaming media and Voice over IP consume a great deal of bandwidth. You can use the resource control features to guarantee that these two applications have enough bandwidth to successfully run. You can also set a limit on the share. The limit is the maximum allocation of bandwidth that the share can consume. Using limits, you can contain noncritical services from taking away bandwidth from critical services.
You can prioritize among the various shares allotted to consumers. You can give highest priority to critical traffic, such as heartbeat packets for a cluster, and lower priority for less critical applications.
You can control bandwidth usage through the management of flows (by using the flowadm command) and link utilization (by using the dladm command).
Figure (slide graphic): Global Zone containing Zone 3 (vnic 1) and Zone 4 (vnic 2) on Stub 0 (the 192.168.1 Network); vnic 0 carries a Firewall with a 100Mb/s limit and Priority=Low; net0 connects to the 192.168.0 Network.
This slide shows you how to restrict flows and lower priority on a VNIC. Flows consist of network packets that are organized according to an attribute. Flows enable you to further allocate network resources.
# dladm set-linkprop -p priority=low vnic2
# dladm show-linkprop -p priority vnic2
LINK   PROPERTY  PERM  VALUE  EFFECTIVE  DEFAULT  POSSIBLE
vnic2  priority  rw    low    low        medium   low,medium,high
In the example in this slide, a flow named http1 is created by using the flowadm command. This user-designed flow (http1) restricts vnic2 bandwidth to 100 Mbits/s and sets the link priority to low.
virtualization:
• Configure two zones on a private virtual network.
• Configure the virtual network for public access.
• Secure the virtual network behind a firewall.
• Control network traffic flow.
Today's data centers include multiple physical servers hosting several virtual machines (VMs) that are connected by a network fabric. Provisioning networking for VMs in a data center is a challenge for administrators, because it includes virtual networking between VMs, managing the MAC address and IP address, and administering VLANs and VXLANs. The additional challenge, apart from ensuring internal and external network connectivity for VMs, is to provision and enforce service-level agreements (SLAs). These SLAs might include bandwidth limits and priorities. Data center administrators also need to provide isolation between multiple tenants sharing a common network infrastructure. To meet these requirements, Oracle Solaris network virtualization capabilities enable administrators to manage virtual switches across a data center. The virtual switches are exposed as first-class operating system abstractions. These virtual switches, also known as elastic virtual switches, span multiple physical servers and enable system administrators to manage them as a single virtual switch.
Starting with the Oracle Solaris 11.2 release, you can use the Oracle Solaris Elastic Virtual Switch (EVS) feature to manage multiple virtual switches that are spread across several physical machines. An elastic virtual switch represents an isolated L2 segment, and the isolation is implemented through VLANs or VXLANs. Every elastic virtual switch is associated with a name, virtual ports, and a block of IP addresses. You can create, monitor, and control the virtual switch resources.
The graphic in the slide shows an example of two elastic virtual switches (EVS1 and EVS2) between two compute nodes. The VMs that are provisioned on these compute nodes are connected through the elastic virtual switches that span across the two compute nodes. Each compute node connects to the same network fabric through a datalink. The datalink is also known as an uplink port. The datalinks on these compute nodes connect the virtual switch to the external network. The VNIC is connected to the elastic virtual switch through a virtual port (VPort). The VNICs inherit properties that are associated with the virtual ports, such as MAC address, IP address, and SLAs.
In the graphic in the slide, the VMs VM1, VM2, and VM6 can communicate with each other through the elastic virtual switch EVS1. The VMs VM3, VM4, and VM5 can communicate with each other through the elastic virtual switch EVS2.
Note: The limitation of EVS is that you can connect only temporary VNICs to an elastic virtual switch.
Packages and descriptions:
pkg:/service/network/evs: You need to install this core package on the EVS manager, EVS controller, and EVS nodes. This package contains the following components:
• evsadm
• evsstat
• svc:/network/evs:default
pkg:/system/management/rad/module/rad-evs-controller: You need to install this package only on the system that acts as an EVS controller. This package contains the SMF service svc:/network/evs-controller:default.
Note:
• The svc:/network/evs:default SMF service has the controller property that holds the host name or the IP address of the EVS controller. The EVS client uses the host name or the IP address to communicate with the EVS controller. You use the evsadm set-prop command to manage the controller property.
• The svc:/network/evs-controller:default SMF service has properties that capture information that is necessary for implementing L2 segments across physical machines. You use the evsadm set-controlprop command to manage the controller properties.
Figure (EVS Controller access): the administrator's $HOME/.ssh/id_rsa.pub public key is placed under /var/user/evsuser/.ssh/ for the evsuser account on the EVS Controller; the resulting controller property reads "controller rw ssh://s11-server --".
# evsadm set-controlprop -p l2-type=vxlan
# evsadm set-controlprop -p vxlan-range=10000-20000
# evsadm set
set-controlprop
controlprop -p
p vxlan
vxlan-addr=192.168.10.0/24
addr 192.168.10.0/24
# evsadm set-controlprop -h s11-server -p uplink-port=net3
# evsadm set-controlprop -h s11-client -p uplink-port=net4
# evsadm show-controlprop
PROPERTY            PERM  VALUE            DEFAULT  HOST
l2-type             rw    vxlan            vlan     --
uplink-port         rw    --               --       --
uplink-port         rw    net3             --       s11-server
uplink-port         rw    net4             --       s11-client
vlan-range          rw    --               --       --
vlan-range-avail    r-    --               --       --
vxlan-addr          rw    192.168.10.0/24  0.0.0.0  --
vxlan-ipvers        rw    v4               v4       --
vxlan-mgroup        rw    0.0.0.0          0.0.0.0  --
vxlan-range         rw    10000-20000      --       --
vxlan-range-avail   r-    10000-20000      --       --
In this example, the vxlan-range-avail property displays the VXLAN IDs (10000-20000) that are available for implementing elastic virtual switches. An IP interface that is part of the subnet 192.168.10.0/24 is used to create the VXLAN links on the EVS nodes.
When you plan to configure an elastic virtual switch, you need to understand your virtual network topology. Determine how many L2 segments you need and the IPnet information for each network, including the subnet and the default router. In addition, you might need to determine the number of virtual ports that you need to configure for the elastic virtual switch and the properties that you need to specify for virtual ports.
The following example shows how to create the elastic virtual switch ORA with the tenant tenantA, add an IPnet ora_ipnet, and add a VPort vport0 to the elastic virtual switch:
# evsadm create-evs -T tenantA ORA
# evsadm add-ipnet -T tenantA -p subnet=192.168.10.0/24 ORA/ora_ipnet
# evsadm add-vport -T tenantA ORA/vport0
# evsadm
NAME      TENANT   STATUS  VNIC  IP               HOST
ORA       tenantA  idle    --    ora_ipnet        --
   vport0 --       free    --    192.168.10.2/24  --
Note: In the example in the slide, when evszone boots, the VNIC anet evszone/net1 is associated with the MAC address, IP address, and SLA properties of the VPort ORA/vport0.
You can use the enhanced zonecfg command to configure a zone’s VNIC anet resource for an elastic virtual switch.
You can set the following properties for the anet resource when you are configuring a zone:
• tenant: Specifies the name of the tenant. If a value is not specified when configuring a
zone, the system assigns the default value, sys-global tenant.
• vport: Specifies the name of the VPort. If a value is not specified when configuring a zone, a system VPort is automatically generated for the elastic virtual switch and the VPort inherits the elastic virtual switch properties.
• evs: Specifies the name of an elastic virtual switch to which you must connect the anet resource.
A VPort in a data center is uniquely identified by the tenant name, elastic virtual switch name,
and VPort name.
For more information about EVS, refer to
http://docs.oracle.com/cd/E36784_01/html/E36813/index.html.
[Figure: link aggregation aggr1 consisting of the datalinks net0, net1, and net2]
Link aggregations enable you to pool multiple datalink resources that you administer as a single unit. By combining the resources of the multiple datalinks and dedicating them to serving the system’s network operations, the system’s performance is greatly improved.
The graphic in the slide shows an example of a link aggregation configured on a system, in
which an aggregation aggr1 consists of three underlying datalinks, net0 through net2.
These datalinks are dedicated to serving the traffic that traverses the system through the
aggregation. The underlying links are hidden from external applications. Instead, the logical
datalink aggr1 is accessible.
Link aggregation has the following features:
• Increased bandwidth: The capacity of multiple links is combined into one logical link.
• Automatic failover and failback: By supporting link-based failure detection, traffic from
a failed link is failed over to other working links in the aggregation.
• Improved administration: All underlying links are administered as a single unit.
• Less drain on the network address pool: The entire aggregation can be assigned one
IP address.
• Link protection: You can configure the datalink property that enables link protection for
packets flowing through the aggregation.
• Trunk aggregations:
– Support aggregation over multiple switches; require switch configuration and switch-vendor proprietary extensions
– Provide unique features such as policies and load balancing, aggregation of Link Aggregation Control Protocol (LACP) mode and switches
• Datalink multipathing (DLMP) aggregations:
– Are created by specifying dlmp as the link aggregation mode
– Support failover between multiple switches; do not require vendor proprietary extensions
– Enable use of link layer features, such as link protection, user-defined flows, and the ability to customize link properties, such as bandwidth
Trunk Aggregations
Trunk aggregations benefit a variety of networks with different traffic loads. For example, if a system in the network runs applications with distributed heavy traffic, you can dedicate a trunk aggregation to that application’s traffic to take advantage of the increased bandwidth. For sites with limited IP address space that nevertheless require large amounts of bandwidth, you need only one IP address for a large aggregation of interfaces. For sites that need to hide the existence of internal interfaces, the IP address of the aggregation hides its interfaces from external applications.
In Oracle Solaris, when you create a link aggregation, the aggregation is by default created in trunk mode. Typically, systems that are configured with link aggregations also use an external switch to connect to other systems.
Trunk aggregations also support back-to-back configuration. Instead of using a switch, two
systems are directly connected together to run parallel aggregations. The most common
application for back-to-back link aggregations is the configuration of mirrored database
servers.
aggregation.
You can switch between a trunk aggregation and a DLMP aggregation by using the dladm modify-aggr command, provided that you use only the options supported by the specific type.
Note: If you switch from a trunk aggregation to a DLMP aggregation, you must remove the
switch configuration that was previously created for the trunk aggregation.
DLMP aggregation supports link-based and probe-based failure detection to ensure continuous availability of the network to send and receive traffic. For more information about the failure detection, refer to http://docs.oracle.com/cd/E36784_01/html/E37516/gnant.html#scrolltoc.
# ipadm show-if
The example in the slide shows the commands to create a link aggregation with two underlying datalinks, net0 and net1. The aggregation is also configured to transmit LACP packets. The example begins with the removal of existing IP interfaces over the underlying datalinks.
# dladm show-link
LINK        CLASS  MTU   STATE  OVER
net0        phys   1500  up     --
net1        phys   1500  up     --
net2        phys   1500  up     --
net3        phys   1500  up     --
speedway0   aggr   1500  up     net0 net1 net2 net3
# dladm show-aggr
LINK        MODE   POLICY  ADDRPOLICY  LACPACTIVITY  LACPTIMER
speedway0   DLMP   --      --          --            --
The example in the slide shows how to create a DLMP aggregation. The aggregation has four underlying datalinks.
The example in the slide shows how to configure probe-based failure detection for a DLMP aggregation.
[Figure: IPMP group on a server attached to a LAN with a client: net0 (active), net1 (active), net2 (standby)]
In production environments, it is important to eliminate any single point of failure. IP network multipathing (IPMP) provides a mechanism for building redundant network interfaces to guard against failures with network interfaces, cables, switches, or other networking hardware. In addition to eliminating any single point of failure, the IPMP load spreading feature increases the machine’s bandwidth by spreading the outbound load among all the cards in the same IPMP group.
When compared with the IPMP configuration in Oracle Solaris 10, Oracle Solaris 11 groups
the IP interfaces into a virtual IP interface (for example, ipmp0). The virtual IP interface
serves all of the data IP addresses, while test addresses that are used for probe-based failure
detection are assigned to an underlying interface, such as net0.
With IPMP, you can assign two or more NICs to a failover group. Each interface is assigned a
static test IP address, which is used by Solaris to verify the operational state of the interface.
The interfaces with the static test IP addresses are used to periodically send an Internet
Control Message Protocol (ICMP) echo request to a target system and listen for the response.
If no response occurs within a given number of tries, the link is marked as failed. IPMP will fail
over all application IP addresses currently configured on that physical interface to another
physical interface within the IPMP group. In this way, network outages due to failed network hardware are eliminated.
IPMP consists of the following software components:
• IPMP daemon: Detects failure by sending ICMP echo probes through the interface and also monitors the RUNNING flag on the interface. If a failure is detected from one of these methods, the daemon chooses the standby IP address or the next appropriate IP address and failover occurs.
• IPMP service: Manages the IPMP daemon. The IPMP service also sets IPMP
properties, such as enabling or disabling transitive probing.
• Configuration file: Specifies the daemon’s default behavior. This file can be used to set parameters, such as specifying the interfaces to probe for failure and the duration. This file can also be used to specify what the status of a failed interface should be after it is repaired, or whether to monitor all interfaces, including those that do not belong to an IPMP group.
• IPMP administration command: Administers the IP interfaces of the IPMP group
• IPMP display information command: Provides information about the status of IPMP
An IPMP configuration typically consists of two or more physical interfaces on the same system that are attached to the same LAN. These interfaces can belong to an IPMP group in either of the following configurations:
• Active-active: In this configuration, all underlying interfaces are active. An active
interface is an IP interface that is currently available for use by the IPMP group. By
default, an underlying interface becomes active when you configure the interface to
become part of an IPMP group.
• Active-standby: In this configuration, at least one interface is administratively
configured as a reserve. The reserve interface is called the standby interface. Although
idle, the standby IP interface is monitored by the multipathing daemon to track the
interface’s availability, depending on how the interface is configured. If link-failure
notification is supported by the interface, link-based failure detection is used. If the
interface is configured with a test address, probe-based failure detection is also used. If
an active interface fails, the standby interface is automatically deployed as needed. You
can configure as many standby interfaces as you want for an IPMP group.
This slide shows you the steps to configure an active-active IPMP configuration with flexible datalink names. Here, you rename the datalinks net0 and net1 to link0_ipmp0 and link1_ipmp0, respectively. Before these datalinks can be used by IPMP, you must create an IP interface for each one.
Now you are ready to create the IPMP group. This involves two steps. You first create the
IPMP group (ipmp0 in this example), and then you add the underlying interfaces
(link0_ipmp0 and link1_ipmp0) to the group. Note that this example shows vanity
naming of the network interfaces. You use vanity naming to label network components. This
helps you clarify complex network topologies.
Next, assign the data IP addresses to the IPMP interface (ipmp0) in the form of IP address objects (ipmp0/v4add1 and ipmp0/v4add2).
Finally, assign the test IP addresses to each underlying interface in the form of IP address
objects (link0_ipmp0/test and link1_ipmp0/test).
# ipadm add-ipmp -i link0_ipmp0 -i link1_ipmp0 -i link2_ipmp0 ipmp0
# ipadm create-addr -a 192.168.0.112/24 ipmp0/v4add1
# ipadm create-addr -a 192.168.0.113/24 ipmp0/v4add2
# ipadm create-addr -a 192.168.0.142/24 link0_ipmp0/test
# ipadm create-addr -a 192.168.0.143/24 link1_ipmp0/test
# ipadm create-addr -a 192.168.0.144/24 link2_ipmp0/test
# ipadm set-ifprop -p standby=on -m ip link2_ipmp0
This slide shows you the steps to configure an active-standby IPMP configuration with flexible datalink names. The steps are similar to those shown in the previous slide.
Here, you rename the datalinks net0, net1, and net2 to link0_ipmp0, link1_ipmp0, and link2_ipmp0, respectively. You then create an IP interface for each one.
Now you create the IPMP group. This involves two steps. You first create the IPMP group (ipmp0 in this example), and then you add the underlying interfaces (link0_ipmp0, link1_ipmp0, and link2_ipmp0) to the group.
After the IPMP group is created, you set the standby property in one of the underlying interfaces (link2_ipmp0 in this example) to on.
Next, assign the data IP addresses to the IPMP interface (ipmp0) in the form of IP address objects (ipmp0/v4add1 and ipmp0/v4add2).
Finally, assign the test IP addresses to each underlying interface in the form of IP address objects (link0_ipmp0/test, link1_ipmp0/test, and link2_ipmp0/test).
— Test addresses are configured.
– Link-based failure detection, if supported by the NIC driver.
To ensure continuous availability of the network to send or receive traffic, IPMP performs failure detection on the IPMP group’s underlying IP interfaces. Failed interfaces remain unusable until they are repaired. Remaining active interfaces continue to function while any existing standby interfaces are deployed as needed.
# ipmpstat -g
GROUP GROUPNAME STATE FDT INTERFACES
ipmp0 ipmp0 degraded 10.00s link2_ipmp0 link1_ipmp0 [link0_ipmp0]
# ipmpstat -i
INTERFACE ACTIVE GROUP FLAGS LINK PROBE STATE
link2_ipmp0 yes ipmp0 -s----- up ok ok
link1_ipmp0 yes ipmp0 --mbM-- up ok ok
link0_ipmp0 no ipmp0 ------- up failed failed
# ipmpstat -an
ADDRESS        STATE  GROUP  INBOUND      OUTBOUND
::             down   ipmp0  --           --
192.168.0.113  up     ipmp0  link1_ipmp0  link2_ipmp0 link1_ipmp0
192.168.0.112  up     ipmp0  link2_ipmp0  link2_ipmp0 link1_ipmp0
You use the ipmpstat command to monitor IPMP group activity and health.
This slide shows three examples of ipmpstat usage. The examples that you see here are taken from an IPMP active-standby configuration created by the procedure shown in the previous slide. Here, one of the underlying interfaces has failed.
The first example (ipmpstat -g) displays information about the IPMP group. The IPMP group is named ipmp0. It has three underlying interfaces: link0_ipmp0, link1_ipmp0, and link2_ipmp0. Note that the state of the IPMP group is degraded and the underlying interface link0_ipmp0 has brackets around it (boxed), indicating that it has failed.
The second example (ipmpstat -i) displays information about the IP interfaces. Here, link2_ipmp0 is in the Active state and link0_ipmp0 is in the Failed state.
The third example (ipmpstat -an) displays information about the IPMP data addresses. IP address 192.168.0.112 is currently assigned to the standby interface (link2_ipmp0) and 192.168.0.113 is assigned to link1_ipmp0 for all INBOUND data traffic. OUTBOUND data traffic is spread across both active interfaces for each IP address.
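The ipmpstat output above is what an operator polls to catch a silent loss of redundancy. As an added example (not from the guide), the POSIX shell functions below parse ipmpstat -g and ipmpstat -i output of that shape and report the group state, the still-active members, and the bracketed (failed) interfaces; the sample text is constructed from the slide and the function names are my own.

```shell
#!/bin/sh
# Added example: parse ipmpstat output to flag failed IPMP interfaces.
# The samples below are constructed from the slide (one interface failed);
# on a live system feed in "$(ipmpstat -g)" and "$(ipmpstat -i)" instead.
IPMPSTAT_G_SAMPLE='GROUP       GROUPNAME   STATE     FDT       INTERFACES
ipmp0       ipmp0       degraded  10.00s    link2_ipmp0 link1_ipmp0 [link0_ipmp0]'

IPMPSTAT_I_SAMPLE='INTERFACE   ACTIVE  GROUP       FLAGS     LINK      PROBE     STATE
link2_ipmp0 yes     ipmp0       -s-----   up        ok        ok
link1_ipmp0 yes     ipmp0       --mbM--   up        ok        ok
link0_ipmp0 no      ipmp0       -------   up        failed    failed'

# ipmp_group_state GROUP GOUT: STATE column of GROUP in "ipmpstat -g" output.
ipmp_group_state() {
    printf '%s\n' "$2" | awk -v g="$1" 'NR > 1 && $1 == g { print $3 }'
}

# ipmp_failed_ifaces GROUP GOUT: interfaces that "ipmpstat -g" shows in
# brackets for GROUP, which is how it marks a failed interface; one per line.
ipmp_failed_ifaces() {
    printf '%s\n' "$2" | awk -v g="$1" 'NR > 1 && $1 == g {
        for (i = 5; i <= NF; i++)
            if ($i ~ /^\[.*\]$/) { gsub(/\[|\]/, "", $i); print $i }
    }'
}

# ipmp_active_count GROUP IOUT: interfaces of GROUP that "ipmpstat -i"
# reports as ACTIVE=yes with STATE=ok, i.e. still carrying traffic.
ipmp_active_count() {
    printf '%s\n' "$2" | awk -v g="$1" \
        'NR > 1 && $3 == g && $2 == "yes" && $7 == "ok" { n++ } END { print n + 0 }'
}

# ipmp_check GROUP GOUT IOUT: one-line summary on stdout; exit status 0 when
# the group is ok, 1 when degraded (a member failed but traffic still flows),
# 2 when the group is failed or unknown. Suitable as a cron or SMF health probe.
ipmp_check() {
    state=$(ipmp_group_state "$1" "$2")
    active=$(ipmp_active_count "$1" "$3")
    failed=$(ipmp_failed_ifaces "$1" "$2" | tr '\n' ' ')
    printf 'group %s: state=%s active=%s failed=[%s]\n' \
        "$1" "${state:-unknown}" "$active" "${failed% }"
    case "$state" in
        ok)       return 0 ;;
        degraded) return 1 ;;
        *)        return 2 ;;
    esac
}

if ipmp_check ipmp0 "$IPMPSTAT_G_SAMPLE" "$IPMPSTAT_I_SAMPLE"; then
    echo "IPMP group healthy"
else
    echo "IPMP group needs attention"
fi
```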
# ipmpstat -pn
TIME INTERFACE PROBE NETRTT RTT RTTAVG TARGET
The example in the slide (ipmpstat -pn) shows information about the IPMP probe. For IPMP probing to work correctly, the IPMP group must be connected to the local area network and at least one other host (the probe target) must also be connected to the same network. Here, the link2_ipmp0 (standby) and link1_ipmp0 interfaces are actively probing target 192.168.0.100. Interface link0_ipmp0 probing is failing.
Forwarding
Bridging:
• Is used to connect separate network segments
• Simplifies network administration
• Uses a packet-forwarding mechanism
• Supports STP, TRILL, EVB, and DCB
Network bridges are used to connect separate network segments. When connected by a bridge, the attached network segments communicate as if they were a single network segment. Bridging is implemented at the datalink layer (L2) of the networking stack to connect subnetworks together.
Using a bridge configuration simplifies the administration of the various nodes in the network by connecting them to a single network. By connecting these segments through a bridge, all the nodes share a single broadcast network. Thus, each node can reach the other nodes by using network protocols such as IP rather than by using routers to forward traffic across network segments. If you do not use a bridge, you must configure IP routing to permit the forwarding of IP traffic between nodes.
To forward packets to their destinations, bridges must listen in promiscuous mode on every
link that is attached to the bridge. Listening in promiscuous mode causes bridges to become
vulnerable to the occurrences of forwarding loops, in which packets circle forever at full line
rate. To prevent this, bridging uses the Spanning Tree Protocol (STP) to prevent network
loops that would render the subnetworks unusable. In addition to STP, Oracle Solaris 11
supports the Transparent Interconnect of Lots of Links (TRILL) protocol.
while traversing the Ethernet network. It enables peers to distinguish traffic based on
priorities. Support for enhanced transmission selection (ETS) based on IEEE 802.1Qaz has
been added to the DCB functionality introduced in Oracle Solaris 11 11/11. This will provide
guaranteed bandwidth and lossless Ethernet transport for converged network environments
where storage protocols share the same fabric as regular network traffic.
For more information about DCB, refer to http://docs.oracle.com/cd/E36784_01/html/E37516/glahx.html#NWDLKglahx.
EVB is an IEEE standard that defines new protocols and mechanisms for exchanging information about virtual links between hosts/stations and a switch/bridge. With EVB, more information about virtual link configurations can be advertised on the network beyond, for example, bandwidth share or priority definitions for physical links that DCB features provide. In general, EVB can be used to enable reflective relay on the external bridge port and automate virtual port configuration on the bridge. Support for EVB, the Virtual Station Interface (VSI) Discovery and Configuration Protocol (VDP), and the Edge Control Protocol (ECP) are new in the Oracle Solaris 11.1 release. Using EVB, properties (such as the bandwidth limit) of the Oracle Solaris Virtual NIC (VNIC) can be exchanged with the switch so that the switch can be configured accordingly for the VNIC. The standard is defined in the IEEE 802.1Qbg specification. Additional information can be obtained from evb(7P), vdpd(1M), dladm(1M), and http://docs.oracle.com/cd/E36784_01/html/E36813/gmhgg.html#scrolltoc.
With the introduction of network virtualization, inter-VM traffic is sent through an internal software switch without being sent through the physical network infrastructure. This process aids organizations that have networking policies that require all network traffic to be routed through an external network so that access control lists (ACL), packet monitoring, and so on can be configured on the external switch. In this release, you can enable reflective relay to ensure that this inter-VM traffic is also subjected to these same policies. For more information, see http://docs.oracle.com/cd/E36784_01/html/E36813/index.html.
# dladm show-bridge
BRIDGE     PROTECT  ADDRESS               PRIORITY  DESROOT
tonowhere  stp      32768/8:0:27:15:2:19  32768     32768/8:0:27:15:2:19
# dladm delete-bridge tonowhere
The example in the slide shows you how to create, display, and remove a network bridge.
interfaces.
• Practice 5-7 covers creating a link aggregation.
[Figure: ILB in DSR mode. Internet → Segment or VLAN (IP: 129.146.86.x) → ILB (VIP: 10.0.0.20, IP: 192.168.1.21) → Server 1 (VIP: 10.0.0.20, IP: 192.168.1.50, GW: 192.168.1.31 (Default Gateway)) and Server 2 (VIP: 10.0.0.20, IP: 192.168.1.60, GW: 192.168.1.31 (Default Gateway))]
In DSR mode, ILB balances incoming requests to the back-end servers, but allows the return traffic from the servers to the clients to bypass it. However, you can also set up ILB to be used as a router for the back-end server. In this case, the response from the back-end server to the client is routed through the machine that is running ILB.
With stateless DSR, ILB does not save any state information of the processed packets,
except basic statistics. Because ILB does not save any state in this mode, the performance is
comparable to the normal IP-forwarding performance. This mode is best suited for
connectionless protocols.
[Figure: ILB in NAT mode. Internet → Segment or VLAN (IP: 129.146.86.x) → ILB → Ethernet Switch → Segment or VLAN → Server 1 (IP: 192.168.1.50, GW: 192.168.1.21 (Default Gateway))]
In stand-alone mode, ILB uses NAT strictly for load balancing. In this mode, ILB rewrites the header information and handles incoming as well as outgoing traffic. ILB operates in both half-NAT and full-NAT modes.
In the half-NAT and full-NAT modes, ILB matches the response from the back-end server to
the incoming request, and replaces the changed IP address and the transport protocol port
number with that of the original incoming request. ILB then forwards the response to the
client. Essentially, both modes rewrite the destination IP address. However, full-NAT also
rewrites the source IP address, making it appear to the server that all connections are from
the load balancer.
Note: NAT mode provides additional security, and is best suited for HTTP or secure sockets layer (SSL) traffic.
Before you enable ILB, make sure that the system’s Role-Based Access Control (RBAC) attribute files have the following entries. If the entries are not present, add them manually:
• File name: /etc/security/auth_attr
- solaris.network.ilb.config:::Network ILB Configuration::help=NetworkILBconf.html
- solaris.network.ilb.enable:::Network ILB Enable Configuration::help=NetworkILBenable.html
- solaris.smf.manage.ilb:::Manage Integrated Load Balancer Service States::help=SmfILBStates.html
• File name: /etc/security/prof_attr
- Network ILB:::Manage ILB configuration via ilbadm:auths=solaris.network.ilb.config,solaris.network.ilb.enable;help=RtNetILB.html
- The Network Management entry in the file must include solaris.smf.manage.ilb.
• File name: /etc/user_attr
- daemon::::auths=solaris.smf.manage.ilb,solaris.smf.modify.application
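As an added example (not from the guide), the shell script below checks the three attribute files for exactly these entries, treating the files as the colon-delimited RBAC databases they are rather than grepping for substrings; the function names and the constructed sample files are my own, and the Network Management line in the sample is a minimal stand-in for the system’s real profile.

```shell
#!/bin/sh
# Added example: verify the ILB RBAC entries the slide lists. Files are read
# below a root directory argument so the check can run against constructed
# copies; pass nothing for a live system (/etc/security/auth_attr,
# /etc/security/prof_attr and /etc/user_attr).

# has_key FILE KEY: true when some line's first colon-separated field is KEY.
has_key() {
    awk -F: -v k="$2" '$1 == k { found = 1 } END { exit !found }' "$1" 2>/dev/null
}

# key_has_auth FILE KEY AUTH: true when KEY's attr field (key=value pairs
# separated by ";") lists AUTH in its comma-separated auths= value.
key_has_auth() {
    awk -F: -v k="$2" -v a="$3" '
    $1 == k {
        for (i = 2; i <= NF; i++) {
            n = split($i, kv, ";")
            for (j = 1; j <= n; j++) if (kv[j] ~ /^auths=/) {
                m = split(substr(kv[j], 7), list, ",")
                for (l = 1; l <= m; l++) if (list[l] == a) found = 1
            }
        }
    }
    END { exit !found }' "$1" 2>/dev/null
}

# ilb_rbac_check [ROOT]: report each missing entry; exit status = count missing.
ilb_rbac_check() {
    root="${1:-}"
    auth="$root/etc/security/auth_attr"
    prof="$root/etc/security/prof_attr"
    user="$root/etc/user_attr"
    missing=0
    for a in solaris.network.ilb.config solaris.network.ilb.enable solaris.smf.manage.ilb; do
        has_key "$auth" "$a" || { echo "auth_attr: missing $a"; missing=$((missing + 1)); }
    done
    for a in solaris.network.ilb.config solaris.network.ilb.enable; do
        key_has_auth "$prof" "Network ILB" "$a" \
            || { echo "prof_attr: Network ILB profile lacks $a"; missing=$((missing + 1)); }
    done
    key_has_auth "$prof" "Network Management" solaris.smf.manage.ilb \
        || { echo "prof_attr: Network Management profile lacks solaris.smf.manage.ilb"; missing=$((missing + 1)); }
    key_has_auth "$user" daemon solaris.smf.manage.ilb \
        || { echo "user_attr: daemon lacks solaris.smf.manage.ilb"; missing=$((missing + 1)); }
    [ "$missing" -eq 0 ] && echo "all ILB RBAC entries present"
    return "$missing"
}

# make_sample_rbac DIR: constructed copies of the three files carrying the
# entries from the slide (the Network Management line is a minimal stand-in).
make_sample_rbac() {
    mkdir -p "$1/etc/security"
    cat > "$1/etc/security/auth_attr" <<'EOF'
solaris.network.ilb.config:::Network ILB Configuration::help=NetworkILBconf.html
solaris.network.ilb.enable:::Network ILB Enable Configuration::help=NetworkILBenable.html
solaris.smf.manage.ilb:::Manage Integrated Load Balancer Service States::help=SmfILBStates.html
EOF
    cat > "$1/etc/security/prof_attr" <<'EOF'
Network ILB:::Manage ILB configuration via ilbadm:auths=solaris.network.ilb.config,solaris.network.ilb.enable;help=RtNetILB.html
Network Management:::Manage the host and network configuration:auths=solaris.smf.manage.ilb;help=RtNetMngmnt.html
EOF
    cat > "$1/etc/user_attr" <<'EOF'
daemon::::auths=solaris.smf.manage.ilb,solaris.smf.modify.application
EOF
}

SAMPLE_ROOT=$(mktemp -d)
make_sample_rbac "$SAMPLE_ROOT"
ilb_rbac_check "$SAMPLE_ROOT"
rm -r "$SAMPLE_ROOT"
```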
The dlstat command reports runtime statistics about datalinks. The output is sorted in descending order of link utilization. The slide lists what you can do using dlstat.
# dlstat
# dlstat show-phys
LINK   IPKTS   RBYTES   OPKTS   OBYTES
net1   2.90K   501.69K  9.02K   5.03M
net2   4.78K   627.83K  16.47K  20.59M
net3   10.73K  1.34M    26.00K  32.64M
net0   49.49K  4.45M    70.83K  90.65M
The slide shows examples of dlstat usage.
In the first example, running dlstat without subcommands displays a summary of statistics for all the links. The report shows incoming traffic (IPKTS and RBYTES) and outgoing traffic (OPKTS and OBYTES).
In the second example, the show-phys subcommand reports network traffic statistics for each physical network device. Note that if link aggregations (speedway0) are present, they are also displayed.
# dlstat show-link
# dlstat show-aggr
LINK        PORT   IPKTS   RBYTES   OPKTS    OBYTES
speedway0   --     68.08K  6.93M    122.66K  148.92M
speedway0   net0   49.59K  4.46M    70.84K   90.65M
speedway0   net1   2.92K   505.13K  9.05K    5.03M
speedway0   net2   4.81K   631.91K  16.76K   20.59M
speedway0   net3   10.76K  1.34M    26.01K   32.64M
# dlstat show-bridge
BRIDGE     LINK  IPKTS  RBYTES  OPKTS  OBYTES  DROPS  FORWARDS
tonowhere  --    2      191     9      702     0      0
tonowhere  net0  2      191     6      447     0      --
tonowhere  net3  0      0       3      255     0      --
The show-link subcommand reports network traffic statistics for each network link, whereas the show-aggr subcommand reports incoming and outgoing network traffic statistics for aggregated links. The PORT field indicates the devices that make up the link aggregation.
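The per-port rows of dlstat show-aggr should add up to the aggregate row, which makes the report a cheap sanity check on an aggregation’s members. As an added example (not from the guide), the shell function below performs that check on output of this shape; the sample is constructed from the slide, and the 1000-based K/M/G scale is an assumption.

```shell
#!/bin/sh
# Added example: cross-check a dlstat show-aggr report. The aggregate row
# (PORT "--") should equal the sum of its per-port rows; a gap points at a
# port whose counters were reset, or at output collected mid-update. The
# sample is constructed from the slide; the 1% tolerance absorbs the K/M
# rounding that dlstat applies when it prints.
DLSTAT_AGGR_SAMPLE='LINK        PORT   IPKTS   RBYTES   OPKTS    OBYTES
speedway0   --     68.08K  6.93M    122.66K  148.92M
speedway0   net0   49.59K  4.46M    70.84K   90.65M
speedway0   net1   2.92K   505.13K  9.05K    5.03M
speedway0   net2   4.81K   631.91K  16.76K   20.59M
speedway0   net3   10.76K  1.34M    26.01K   32.64M'

# dlstat_aggr_check AGGR OUTPUT: prints one MISMATCH line per counter whose
# per-port sum disagrees with the aggregate row, then a summary line. Exit
# status is the number of mismatched counters (2 if AGGR has no aggregate row).
dlstat_aggr_check() {
    printf '%s\n' "$2" | awk -v aggr="$1" -v tol=0.01 '
    # num: turn a dlstat value such as 4.46M into a plain number. The scale
    # (1000) is an assumption; the check is a ratio, so 1024 would work too.
    function num(v,    m) {
        m = 1
        if (v ~ /K$/) m = 1000
        else if (v ~ /M$/) m = 1000000
        else if (v ~ /G$/) m = 1000000000
        sub(/[KMG]$/, "", v)
        return v * m
    }
    NR == 1 { for (i = 3; i <= NF; i++) name[i] = $i; next }
    $1 != aggr { next }
    $2 == "--" { for (i = 3; i <= NF; i++) total[i] = num($i); seen = 1; next }
    { for (i = 3; i <= NF; i++) sum[i] += num($i); ports++ }
    END {
        if (!seen) { print "no aggregate row for " aggr; exit 2 }
        bad = 0
        for (i = 3; i in total; i++) {
            diff = total[i] - sum[i]
            if (diff < 0) diff = -diff
            if (diff > tol * total[i]) {
                printf "MISMATCH %s: aggregate=%.0f ports=%.0f\n", name[i], total[i], sum[i]
                bad++
            }
        }
        printf "%s: %d ports checked, %d mismatched counters\n", aggr, ports, bad
        exit bad
    }'
}

dlstat_aggr_check speedway0 "$DLSTAT_AGGR_SAMPLE"
```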
flows
• Using flowstat, you can:
– Display receive-side statistics only (includes bytes)
– Display transmit-side statistics only
– Specify an interval in seconds at which statistics are refreshed along with a count value. The default interval is one second.
– Display statistics for all flows on the specified link or statistics for the specified flow
Flows consist of network packets that are organized according to an attribute. Flows enable you to further allocate network resources. Packets traverse a path when they flow into or out of a system. On a granular level, packets are received and transmitted through receive (Rx) and transmit (Tx) rings of an NIC. From these rings, received packets are passed up the network stack for further processing while outbound packets are sent to the network.
# flowstat 1 1
FLOW IPKTS RBYTES IDROPS OPKTS OBYTES ODROPS
http1 430.45K 910.46M 0 398.22K 44.09M 0
# flowstat -r
FLOW IPKTS RBYTES IDROPS
http1 2.95M 3.44M 0
# flowstat -t
FLOW OPKTS OBYTES ODROPS
http1 17.89M 987.22M 0
The first example in the slide shows information every second about incoming and outgoing traffic on all configured flows on the system.
The second example shows receive-side statistics for all flows.
The third example shows transmit-side statistics for all flows.
Starting with the Oracle Solaris 11.2 release, you can use the ipstat(1M) command to report statistics about IP traffic. ipstat provides options to gather and report statistics only on IP traffic matching specified source or destination address, interface, and higher layer protocol. For more information, refer to the ipstat(1M) man page.
on the selected output mode and sort order, use the tcpstat command.
# tcpstat -l 5
ZONE    PID  PROTO  SADDR             SPORT  DADDR             DPORT  BYTES
global  795  UDP    s11-server1.mydo  53     s11-desktop.mydo  42857  20.0
global  795  UDP    s11-desktop.mydo  42857  s11-server1.mydo  53     9.0
global  795  UDP    s11-desktop.mydo  59127  s11-server1.mydo  53     7.0
global  795  UDP    s11-desktop.mydo  38509  s11-server1.mydo  53     7.0
global  795  UDP    s11-server1.mydo  53     s11-desktop.mydo  59127  7.0
Total: bytes in: 34.0 bytes out: 23.0
Starting with the Oracle Solaris 11.2 release, you can use the tcpstat(1M) command to report statistics on TCP and UDP traffic. tcpstat provides options to gather and report statistics only on traffic matching specified source or destination address, interface, process ID, source or destination port, and zone name. For more information, refer to the tcpstat(1M) man page.
To list the user, process ID, and the program that originally
*.36871 daemon 539 Idle /usr/sbin/rpcbind
*.* root 585 Unbound /usr/lib/inet/in.ndpd
. . .
(output truncated)
Starting with the Oracle Solaris 11.2 release, the netstat command provides the -u option to
view information about processes and users in the netstat output. In the example in the
slide:
• -a: Displays the state of all sockets, all routing table entries, or all interfaces, both
physical and logical
• -n: Displays network addresses as numbers. netstat normally displays addresses as
symbols.
• -v: Provides verbose information
In the example, the output includes details of both IPv4 and IPv6, and all active UNIX domain
sockets.
analyzers:
– TShark: Command-line network traffic analyzer:
— Captures packet data from a live network
— Reads packet data from a previously saved capture file
– Wireshark: Third-party graphical user interface (GUI) network
protocol analyzer:
— Interactively dumps and analyzes network traffic
• Both TShark and Wireshark analyzers:
– Assemble all of the packet data in a TCP conversation and
display the data in ASCII, EBCDIC, or hex format
– Contain many filterable fields
You can use Wireshark to capture and interactively browse the traffic running on a computer
network. Because of its rich and powerful feature set, system administrators, security experts,
developers, and educators around the world use it regularly. It is freely available as open
source and is released under the GNU General Public License version 2.
Using Wireshark, you can:
• Capture live packet data from a network interface
• Display packets with very detailed protocol information
• Open and save captured packet data
• Import packet data from and export packet data to many other capture programs
• Filter packets by using many criteria
• Search for packets by using many criteria
• Colorize packet display based on filters
• View various statistics
This slide shows the Wireshark packet analyzer interface.
# fmadm config
• Enable the network-monitor module:
...
# enable
#
# Enable/disable the network-monitor.
#
setprop enable true
...
You can use the fmadm command to report the current status of the network-monitor
module, which is displayed as active when it is performing fault monitoring, as shown in the
first example in the slide.
You control the state of the network-monitor module by setting the enable property to
true in the /usr/lib/fm/fmd/plugins/network-monitor.conf configuration file, as
shown in the second example in the slide. The monitor will be active upon reboot.
nvlist version: 0
class = ireport.os.sunos.net.datalink.mtu_mismatch
version = 0x0
uuid = f3832064-e83b-6ce8-9545-8588db76493d
pri = high
detector = fmd:///module/network-monitor
attr = (embedded nvlist)
nvlist version: 0
linkname = net0
linkid = 0x3
mtu = 0x1b58
(end attr)
__ttl = 0x1
__tod = 0x513a4f2e 0x279ba218
If a problem with your network occurs, or if you suspect degraded network performance, you
can retrieve the ireports that are generated by the network-monitor module by using the
fmdump command. These reports include the name of the datalink for which a potential
problem was detected.
The fmstat command reports fault management module statistics. You can also use the
fmstat command to view statistics for diagnosis engines and agents that are currently
participating in fault management, which includes the network-monitor transport module
utility.
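The following is an added example, not part of the Oracle course material, showing how the fmdump nvlist records described above can be reduced to one line per ireport for a log pipeline or alert rule. The sample records are constructed from the fields shown in the slide (the second record, with a zero uuid and net1, is invented), and the functions summarize_ireports and reports_for_link are this example's own, not a Solaris tool.

```shell
#!/bin/sh
# Added example (not from the Oracle course): reduce fmdump -V style
# network-monitor ireports to one line each for a log pipeline or alert rule.
# SAMPLE_IREPORTS is constructed from the fields shown in the slide; the second
# record (uuid of zeros, net1) is invented to show more than one report.
SAMPLE_IREPORTS='nvlist version: 0
    class = ireport.os.sunos.net.datalink.mtu_mismatch
    version = 0x0
    uuid = f3832064-e83b-6ce8-9545-8588db76493d
    pri = high
    detector = fmd:///module/network-monitor
    attr = (embedded nvlist)
        nvlist version: 0
            linkname = net0
            linkid = 0x3
            mtu = 0x1b58
        (end attr)
    __ttl = 0x1
    __tod = 0x513a4f2e 0x279ba218

nvlist version: 0
    class = ireport.os.sunos.net.datalink.mtu_mismatch
    version = 0x0
    uuid = 00000000-0000-0000-0000-000000000001
    pri = high
    detector = fmd:///module/network-monitor
    attr = (embedded nvlist)
        nvlist version: 0
            linkname = net1
            linkid = 0x4
            mtu = 0x5dc
        (end attr)
    __ttl = 0x1
    __tod = 0x513a4f2f 0x00000001'

# Read ireport nvlists on stdin and print "uuid class linkname mtu pri" per
# report. Only the leaf of the class name is kept (mtu_mismatch) and the mtu
# is converted from the hex that fmdump prints to decimal. The __tod line is
# the last field of a record, so the collected fields are emitted and cleared
# there.
summarize_ireports() {
    awk '
        function hex2dec(h,    i, n) {
            sub(/^0x/, "", h); n = 0
            for (i = 1; i <= length(h); i++)
                n = n * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
            return n
        }
        $1 == "class"    { cls = $3; sub(/.*\./, "", cls) }
        $1 == "uuid"     { uuid = $3 }
        $1 == "pri"      { pri = $3 }
        $1 == "linkname" { link = $3 }
        $1 == "mtu"      { mtu = hex2dec($3) }
        $1 == "__tod"    { print uuid, cls, link, mtu, pri
                           uuid = cls = link = mtu = pri = "" }
    '
}

# Keep only the reports for one datalink (for example the link that carries
# production traffic) so a watcher can alert on that link specifically.
reports_for_link() {
    summarize_ireports | awk -v want="$1" '$3 == want'
}

# Demonstration on the constructed sample; on a live system the input would be
# fmdump output instead of the embedded string.
printf '%s\n' "$SAMPLE_IREPORTS" | summarize_ireports
```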
Answer: a
address?
a. ipadm show-ip interface
b. ipadm show-if interface
c. ipadm show-all interface
d. ipadm show-addr interface
Answer: d
Answer: d
a. ipmpstat -g
b. ipmpadm -g
c. ipmpcfg -g
d. ipmpconf -g
Answer: a
Answer: a
a. speed
b. maxbw
c. threshold
d. maximum
Answer: b
a. Shared-IP
b. Exclusive-IP
c. Either shared or exclusive
Answer: b
support?
a. STP only
b. TRILL only
c. STP and TRILL
Answer: c
a. dladm
b. dlmon
c. dlstat
d. dlcfg
Answer: c
Administering Oracle Solaris 11 Zones
Job Workflow
[Job workflow diagram: Installing; Managing Software Packages; Network Administration Enhancements; Administering Zones; ZFS Enhancements; Security Enhancements]
Before you begin the lesson, take a look at the job workflow in the slide diagram. So far, you
have learned how to install Oracle Solaris 11 OS using Text Installers, Live Media installers,
and AI.
You will now learn how to administer Oracle Solaris Zones.
[Diagram: Before Consolidation, three separate systems with 1 Gb, 1 Gb, and 100 Mb network links. After Consolidation, ZONE 1, ZONE 2, and ZONE 3 each use a VNIC (1 Gb, 300 Mb, and 100 Mb) over a single Physical NIC port (10 Gb).]
i ( sha ense
OracleQ av Zoneslicis an OS virtualization feature in Oracle Solaris with a long and
Solaris
a h id
distinguished pedigree. One of the most highly adopted, highly used, mature virtualization
h
S Oracle SolarisOracle
technologies, Solaris Zones was first introduced as a core part of Oracle Solaris 10. In
11, Oracle Solaris Zones become even more central to both the application
and the end user. Enhancements and new features include:
• Integration into the new packaging system (IPS)
• Support for Oracle Solaris 10 Zones
• Integration with the new Oracle Solaris 11 network stack architecture
• Improved observability
• Increased control over administration
• Tight integration with ZFS
Live zone reconfiguration: This enables configuration changes in a running zone without
the need to reboot, eliminating down time in service availability
within the zone when configuration changes are made.
Datalinks creation in nonglobal zones from the global zone: This feature enables administrators to dynamically create
VNICs, VLANs, and IP-over-InfiniBand partitions directly in the
nonglobal zone’s namespace from the global zone.
Live Zone Reconfiguration
Starting from the Oracle Solaris 11.2 release, you can make configuration changes in a running
zone without the need to reboot. Previously, administrators had to reboot a zone for a
configuration change to take effect. Live Zone Reconfiguration eliminates down time in
service availability within the zone when configuration changes are made. You can use this
feature to make the following changes in running nonglobal zones:
• Change resource controls
• Change network configuration
• Change the CPU resource pool
• Add or remove file systems
• Add or remove virtual and physical devices
Create Datalinks in Nonglobal Zones from the Global Zone
Starting from Oracle Solaris 11.2, you can create datalinks in nonglobal zones from the global
zone. This feature enables administrators to dynamically create VNICs, VLANs, and
IP-over-InfiniBand partitions directly in the nonglobal zone’s namespace from the global zone.
Link names are specified as <zonename>/<linkname> and the links are created directly in
the specified non-global zone.
systemA# zfs snapshot -r rpool/zones/zone1@send-to-nfs
systemA# zfs send -rc rpool/zones/zone1@send-to-nfs > /net/nfssrv/export/scratch/zone1.zfs
systemB# zfs create tank/zones
Multiple Boot Environments for Oracle Solaris 10 Zones
Starting with the Oracle Solaris 11.2 release, Oracle Solaris 10 Zones support multiple boot
environments. Administrators have a greater degree of flexibility and safety when performing
patching operations within an Oracle Solaris 10 environment running on an Oracle Solaris 11
system. For more information, see the zones(5) and solaris10(5) man page.
To activate a boot environment, set the com.oracle.zones.solaris10:activebe
property on the zone’s ROOT dataset as shown in the following:
# zfs set com.oracle.zones.solaris10:activebe=be_name zone/root/dataset
An installed Solaris 10 zone with more than one boot environment is required to have the
activebe property set. If the property is not set, or is set to a missing or invalid boot
environment name, the zone will transition to unavailable state on next zone or system boot.
To resolve this, the activebe property must be corrected, and the zone must be attached
with zoneadm attach.
To migrate an Oracle Solaris 10 zone to Oracle Solaris 11, perform the following steps:
1. Assess the Oracle Solaris 10 zone to be migrated. An existing Oracle Solaris 10 8/11
system (or later released Solaris 10 update) can be directly migrated into an Oracle
Solaris 10 zone on an Oracle Solaris 11 system. Depending on the services performed
by the original system, you might need to manually customize the zone after it has been
installed. For example, the privileges assigned to the zone might need to be modified or
the network interface is different. It is critical that you examine the source system and
collect the following information:
- Host name
- Host ID
- Domain name
- Running applications
- Networking
- Storage
- Zone configuration
To migrate an Oracle Solaris 10 global zone to Oracle Solaris 11, perform the following steps:
1. Assess the global zone to be migrated. An existing Oracle Solaris 10 9/10 system (or a
Solaris 10 update released later) can be directly migrated into an Oracle Solaris 10 zone
on an Oracle Solaris 11 system. Depending on the services performed by the original
system, you might need to manually customize the zone after it has been installed. For
example, the privileges assigned to the zone might need to be modified or the network
interface is different. It is critical that you examine the source system and collect the
following information:
- Host name
- Host ID
- Domain name
- Root password
- Running applications
- Networking
- Storage
4. Migrate the Oracle Solaris 10 global zone. After performing the previous task, use the
zoneadm attach subcommand to migrate the Oracle Solaris 10 global zone. Finally,
after completing the migration, you can perform the post-migration configuration based
on the information that you gathered when assessing the source system.
• AI manifest
• The configuration element
• The zone’s self-assembly SMF service
Oracle Solaris 11 supports nonglobal zone installation by using the Automated Installer (AI).
Nonglobal zones are installed and configured on first reboot after the global zone is installed.
When a system is installed by using AI, nonglobal zones can be installed on that system by
using the configuration element in the AI manifest.
When the system first boots after the global zone installation, the zone’s self-assembly SMF
service (svc:/system/zones-install:default) configures and installs each nonglobal
zone defined in the global zone AI manifest.
...
</software>
<configuration type="zone" name="zone5" source="http://s11-server1.mydomain.com/zone_configs/zone5.cfg"/>
</ai_instance>
</auto_install>
The example in the slide shows an excerpt from an AI manifest file. The configuration
element is highlighted. You use the configuration element in the AI manifest for the client
system to specify nonglobal zones. Use the name attribute of the configuration element
to specify the name of the zone. Use the source attribute to specify the location of the
configuration file for the zone. The zone configuration file must be in the zonecfg export
format. AI copies this configuration file onto the installed client system to be used to configure
the zone. The source location can be any http:// or file:// location that the client can access
during installation.
• AI manifest
– zonename criteria keyword
• System configuration profile
– zonename criteria keyword
The following files are used to configure and install nonglobal zones:
• Zone configuration file: The zone configuration file is the zone’s configuration in file
form from the output of the zonecfg export command. The location of the zone
configuration file is specified by the source attribute of the configuration element in the
AI manifest. AI copies this zone configuration file onto the installed client system to be
used to configure the zone.
• AI manifest (optional): This AI manifest for zone installation specifies the packages to
be installed in the zone, along with publisher information and certificate and key files as
necessary. To provide a custom AI manifest for a zone, you add the manifest to the
installation service that is installing the global zone. In the create-manifest
command, specify the zonename criteria keyword with the names of all zones that
should use this AI manifest. If you do not provide a custom AI manifest for a nonglobal
zone, the default AI manifest for zones is used.
• System configuration profile (optional): You can provide zero or more configuration
files for a nonglobal zone. These system configuration profiles are similar to the system
configuration profiles for configuring the global zone. You might want to provide system
configuration profile files to specify zone configuration such as users and the root
password for the zone administrator. To provide system configuration profile files for a
zone, add the configuration profiles to the installation service that is installing the global
zone. In the create-profile command, specify the zonename criteria keyword with
the names of all zones that should use this system configuration profile.
Adding a Nonglobal Zone Manifest and Profile
— Extended/Nested Page Table support, also referred to as EPT, NPT,
or Rapid Virtualization Indexing (RVI)
• Minimum of 8 GB of RAM
• Kernel zone brand package, brand/brand-solaris-kz
• ZFS ARC cache tuning on the host
Before configuring a kernel zone, you must verify that the kernel zone host hardware supports
the Oracle Solaris Kernel Zones feature. You can ensure kernel zone host hardware support
by performing the following steps:
1. Ensure that the hardware is optimized to run kernel zones.
2. Run the virtinfo command on the kernel zone host.
# virtinfo
NAME CLASS
logical-domain current
non-global-zone supported
kernel-zone supported
For example, if you want ZFS to use <2 GB of memory, you should set ARC cache to 1 GB.
global# echo "set zfs:zfs_arc_max=0x40000000" >> /etc/system
global# reboot
For more information about ZFS ARC tuning, refer to:
http://docs.oracle.com/cd/E36784_01/html/E36845/chapterzfs-1.html#scrolltoc
1. Install and verify that kernel zone packages are installed on the
global zone:
# pkg install brand/brand-solaris-kz
# pkg list brand/brand-solaris-kz
(continued...)
bootpri: 0
device:
match: /dev/rdsk/c9t0d0
storage not specified
id: 4
bootpri not specified
zonecfg:kzone1> select capped-memory
zonecfg:kzone1:capped-memory> set physical=2048m
zonecfg:kzone1:capped-memory> end
zonecfg:kzone1> add anet
zonecfg:kzone1:anet> set id=3
zonecfg:kzone1:anet> end
zonecfg:kzone1> verify
zonecfg:kzone1> commit
zonecfg:kzone1> exit
# zoneadm -z kzone1 verify
After a kernel zone is configured, you can verify to ensure the following:
• The system has all the required properties for each resource
• The configured zone meets all its brand requirements
– Text install
global# zoneadm -z kzone1 install -b \
/root/Oracle_Solaris_Text_X86.iso
– AI Install
global# zoneadm -z kzone1 install -m /root/aimanifest.xml \
-c /root/sysconfig.xml -b /root/Oracle_Solaris_AI_X86.iso
Note: Live media installation is not supported for kernel zones.
• Alternate AI manifest or alternate sysconfig profile: To install multiple kernel
zones with specific resource and package configurations separate from that of the global
zone.
– Use the zoneadm install command with the -m option to specify an alternate AI
manifest:
# zoneadm -z kzone1 install -m manifest
– Use the -c option to specify an alternate system configuration profile:
# zoneadm -z kzone1 install -c sysconfig-profile
3. Clone the zone by using the zoneadm clone command.
global# zoneadm -z kzone2 clone kzone1
In the example in the slide, the kzone1 kernel zone is cloned to the kzone2 kernel zone on
the global host. After the zone cloning process is complete, you can configure and install
the zone with the zonecfg and zoneadm commands, respectively.
3. Export the zone configuration and transfer the file onto the
new host.
global# zonecfg -z kzone1 export | ssh root@global2 \
zonecfg -z kzone1 -f -
The zoneadm command allows migration of a kernel zone to other hosts using the
suspend and resume options, as illustrated in the example in the slide. Note that the suspend
resource is configured to use Zones on Shared Storage (ZOSS), and both the host system and
the remote system can reach it.
Note that for step 3, you cannot ssh to root directly. So when you run the command, you will
get an error saying, “zonecfg command not found.” You need to permit ssh root login
first and make root a regular user in the user_attr file. Restart the ssh service for the
changes to take effect, and then the command will work.
# zonestat -r physical-memory 5
Collecting data for first interval...
Interval: 1, Duration: 0:00:05
PHYSICAL-MEMORY SYSTEM MEMORY
mem_default 767M
ZONE USED %USED CAP %CAP
[total] 631M 82.2% - -
[system] 215M 28.1% - -
global 14.9M 1.94% - -
zone1 123M 15.8% - -
zone2 137M 18.3% - -
In the slide, you see a zonestat utility report on zone memory consumption. This example
shows a summary of utilization every five seconds.
# zonestat -r default-pset 1 1m
ZONE USED %PART USED %USED USED %USED PBYTE %PUSE
[total] 0.06 6.19% 622M 39.6% 789M 30.4% 126 0.00%
[system] 0.01 1.74% 453M 28.9% 631M 24.3% - -
global 0.04 4.15% 120M 7.70% 113M 4.38% 0 0.00%
zone1 0.00 0.25% 21.7M 1.38% 22.3M 0.86% 0 0.00%
zone2 0.00 0.19% 25.8M 1.65% 22.3M 0.86% 0 0.00%
You can use the zonestat utility to report total and high zone resource utilization. In this
example, the zonestat utility silently monitors at 10-second intervals for one minute, and
then produces a report on the total and high utilizations.
new name name attr attr lookup rddir read read write write
file remov chng get set ops ops ops bytes ops bytes
93 82 6 163K 110 507K 148 69.7K 67.9M 4.62K 13.7M zfs:s10
248 237 158 188K 101 612K 283 70.6K 68.6M 4.71K 15.2M zfs:s10u9
12.0K 1.90K 10.1K 35.4K 12 60.3K 4 25.7K 29.8M 36.6K 31.0M tmpfs:s10
12.0K 1.90K 10.1K 35.6K 14 60.2K 2 28.4K 32.1M 36.5K 30.9M tmpfs:S10u9
resource utilization?
a. zoneadm
b. zonestat
c. zoneprt
d. ztop
Answer: b
Oracle Solaris 11 ZFS Enhancements
Job Workflow
[Job workflow diagram: Installing; Managing Software Packages; Network Administration Enhancements; Administering Zones; ZFS Enhancements; Security Enhancements]
This lesson introduces you to the ZFS enhancements in Oracle Solaris 11. You learn how to
migrate data from a UFS file system to a ZFS file system. The lesson shows you how to split
a mirrored ZFS storage pool. You then learn how to identify ZFS snapshot differences and
how to use the Time Slider feature. You then learn to configure the ZFS deduplication feature.
Finally, you learn how to configure COMSTAR.
provides file sharing and MS-RPC administration services required for Windows-like
behavior for interoperability with CIFS clients, including many new features such as
host-based access control, which allows a CIFS server to restrict access to specific
clients by IP address, access control lists (ACLs) on shares, and synchronization of
client-side offline file caching during reconnection. Microsoft ACLs are also supported in
ZFS.
- Consider using the BYTES XFRD and the ELAPSED TIME information to estimate
the length of the migration process.
storage pool.
• Splitting detaches a disk from a mirrored pool to create a
new pool.
• The new pool contents are identical to the original mirror
pool.
• By default, zpool split detaches the last disk.
• After splitting, the new pool must be imported to be
accessible.
A mirrored ZFS storage pool can be quickly cloned as a backup pool by using the zpool
split command. Currently, this feature cannot be used to split a mirrored root pool.
Sh You use the zpool split command to detach disks from a mirrored ZFS storage pool to
create a new pool with one of the detached disks. The new pool will have identical contents to
the original mirrored ZFS storage pool. By default, a zpool split operation on a mirrored
pool detaches the last disk for the newly created pool. After the split operation, the new pool
must be imported to be accessible.
The slide shows an example of splitting a ZFS mirrored storage pool.
In this example, you create a mirrored pool (newpool). Then you run the zpool split -n
command to perform a “dry run” on the split operation. Next, you split the mirror to create the
newpool1 pool. Finally, you import the newpool1 pool and check ZFS pool status. The
status shows that the newpool and newpool1 pools each contain one disk from the original
mirrored ZFS pool.
# touch /newpool/mydata/newfile
# zfs snapshot newpool/mydata@after
# zfs list -r -t snapshot -o name,creation
NAME CREATION
newpool/mydata@before Thu Oct 11 7:05 2012
newpool/mydata@after Thu Oct 11 7:05 2012
rpool/ROOT/solaris@install Mon Sep 10 14:49 2012
rpool/ROOT/solaris/var@install Mon Sep 10 14:49 2012
# zfs diff newpool/mydata@before newpool/mydata@after
M /newpool/mydata/
+ /newpool/mydata/newfile
This slide shows an example of identifying ZFS snapshot differences.
In the example, you take a before snapshot of the newpool/mydata ZFS file system. Then
you create a new file (newfile) in /newpool/mydata. You take another snapshot (after)
of the same ZFS file system and list the snapshots based on name and creation date. Finally,
you compare the before and after snapshots to determine the differences. Note that in the
zfs diff command output, “M” indicates that /newpool/mydata/ was modified and “+”
indicates that a file (/newpool/mydata/newfile) was added to the dataset later.
Note: The zfs snapshot command has a snap alias that provides abbreviated syntax for
the zfs snapshot command, as in the following example:
# zfs snap -r users/home@snap1
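The following is an added example, not part of the Oracle course material, that triages zfs diff output of the kind shown above: it counts changes by type and lists any change that falls outside an expected set of paths, which is a practical way to review what changed on a data set or zone root between two snapshots. SAMPLE_DIFF is a constructed listing in zfs diff's default tab-separated format (only the first two entries come from the slide; the rest are invented), and diff_counts and unexpected_changes are this example's own functions.

```shell
#!/bin/sh
# Added example (not from the Oracle course): triage the output of
# "zfs diff <before> <after>". SAMPLE_DIFF is a constructed listing in the
# default tab-separated format; the first two entries are from the slide,
# the remaining three are invented to exercise the "-" and "R" change types.
SAMPLE_DIFF="$(printf 'M\t/newpool/mydata/\n+\t/newpool/mydata/newfile\n-\t/newpool/mydata/old.log\nM\t/newpool/mydata/etc/passwd\nR\t/newpool/mydata/tmp/a -> /newpool/mydata/tmp/b\n')"

# Summarize a diff read on stdin as "added removed modified renamed" counts.
diff_counts() {
    awk -F'\t' '
        $1 == "+" { a++ }
        $1 == "-" { r++ }
        $1 == "M" { m++ }
        $1 == "R" { n++ }
        END { printf "%d %d %d %d\n", a, r, m, n }
    '
}

# Print every change whose path is not under one of the expected prefixes
# given as arguments (prefixes must not contain spaces). A directory that is
# only marked modified because a child changed is skipped, and for a rename
# the old path decides. Exit status is 1 if anything unexpected was found,
# so the function can gate a script or raise an alert.
unexpected_changes() {
    awk -F'\t' -v allow="$*" '
        BEGIN { n = split(allow, ok, " ") }
        {
            path = $2; sub(/ -> .*/, "", path)
            if ($1 == "M" && path ~ /\/$/) next
            for (i = 1; i <= n; i++)
                if (index(path, ok[i]) == 1) next
            print $1, $2; found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Demonstration on the constructed sample: the new file and the rename under
# tmp/ are expected, the deleted log and the modified passwd file are not.
printf '%s\n' "$SAMPLE_DIFF" | unexpected_changes /newpool/mydata/newfile /newpool/mydata/tmp/ \
    || echo "unexpected changes found"
printf '%s\n' "$SAMPLE_DIFF" | diff_counts
```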
3. Deselect the Enable Time Slider check box to disable the
Time Slider.
4. Click OK.
necessary.
• File servers: When users collaborate on projects, they might end up storing many
documents multiple times.
• Virtualization storage: Server virtualization, such as Solaris zones, is another area with
much duplicate data. Multiple installations of the same virtualized operating system
share the same kernel, libraries, system files, and applications.
When you run these types of applications on deduplication-enabled ZFS file systems, data is
stored only once.
To support the deduplication feature, Oracle Solaris 11 adds new properties to ZFS.
ZFS has a new ZFS file system property, dedup, to support deduplication. You use the
Sh deduplication (dedup) property to remove redundant data from your ZFS file systems. If a file
system has the dedup property enabled, duplicate data blocks are removed synchronously.
The result is that only unique data is stored and common components are shared between
files. When dedup is enabled, the dedup checksum algorithm overrides the checksum
property. Setting the value to verify is equivalent to specifying sha256 for the checksum
property. If the property is set to verify and two blocks have the same signature, ZFS does
a byte-for-byte comparison with the existing block to ensure that the contents are identical.
ZFS has two new ZFS pool properties to support deduplication: dedupratio
d d ti and
dedupditto. The dedupratio property is a read-only value used as a multiplier that
indicates the deduplication ratio achieved for a ZFS pool. The dedupditto property sets a
deduplication copy threshold. If the reference count for a deduped block goes above this
threshold, another ditto copy of the block is stored automatically.
By telling ZFS to store an additional copy after a specific number of references, you build in
some redundancyy just
j in case the original
g block g
gets checksum errors.
# zpool list
NAME SIZE ALLOC FREE CAP DEDUP HEALTH ALTROOT
# zpool get all newpool|grep dedup
newpool dedupditto 0 default
newpool dedupratio 3.00x -
In the example in this slide, you check the ZFS properties to determine whether deduplication has been enabled. The properties show that deduplication is currently disabled. Next, you enable deduplication. You copy the same file to three different directories in the file system that has deduplication enabled. Finally, you recheck the ZFS properties and find that the deduped file system has a deduplication factor of 3.
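The following is an added simulation (not Oracle's code, and not the real ZFS on-disk logic) of the dedup semantics just described: blocks are keyed by checksum, dedup=verify adds the byte-for-byte comparison before a block is shared, dedupditto adds a copy above the reference threshold, and dedupratio is computed the way the pool property reports it. The "toy" checksum and the single-extra-copy simplification of dedupditto are assumptions made so the collision and ditto cases can be exercised offline.

```python
"""Constructed simulation of ZFS deduplication semantics (not Oracle's code):
blocks are keyed by a checksum, dedup=verify compares bytes before sharing a
block, dedupditto stores an extra physical copy once a block's reference count
crosses the threshold, and dedupratio is logical blocks / physical blocks."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class DedupEntry:
    data: bytes
    refcount: int = 0
    copies: int = 1                 # physical copies of this block on disk


@dataclass
class DedupPool:
    dedup: str = "on"               # "off", "on" (checksum match only) or "verify"
    dedupditto: int = 0             # 0 means no extra copies, as in the slide's output
    checksum: str = "sha256"        # "sha256" (what verify implies) or "toy" (see below)
    table: dict = field(default_factory=dict)
    logical_blocks: int = 0
    physical_blocks: int = 0

    def _checksum(self, data: bytes) -> str:
        if self.checksum == "sha256":
            return hashlib.sha256(data).hexdigest()
        # deliberately weak checksum (sum of bytes), an assumption made only so that
        # collisions are easy to produce in tests; it is not a real ZFS checksum
        return f"toy-{sum(data) % 256}"

    def write_block(self, data: bytes) -> str:
        """Store one block; return the dedup-table key it ended up under."""
        self.logical_blocks += 1
        if self.dedup == "off":
            self.physical_blocks += 1            # no table: every write costs a block
            return f"unique-{self.logical_blocks}"
        key = base = self._checksum(data)
        n = 0
        # with verify, a checksum match alone is not enough: compare the bytes and keep
        # colliding blocks apart; with plain "on" a collision silently shares the block
        while self.dedup == "verify" and key in self.table and self.table[key].data != data:
            n += 1
            key = f"{base}#{n}"
        entry = self.table.get(key)
        if entry is None:
            entry = self.table[key] = DedupEntry(data=data)
            self.physical_blocks += 1
        entry.refcount += 1
        # dedupditto (simplified here to one extra copy): a heavily shared block gets
        # redundancy so that a checksum error in the original copy is survivable
        if self.dedupditto and entry.copies == 1 and entry.refcount > self.dedupditto:
            entry.copies += 1
            self.physical_blocks += 1
        return key

    def dedupratio(self) -> float:
        """Counterpart of the read-only pool property, e.g. 3.0 for the slide's 3.00x."""
        if self.physical_blocks == 0:
            return 1.0
        return round(self.logical_blocks / self.physical_blocks, 2)


def copy_file_n_times(pool: DedupPool, content: bytes, n: int, blocksize: int = 8) -> float:
    """Replay the slide: the same file copied into n directories of a dedup file system."""
    blocks = [content[i:i + blocksize] for i in range(0, len(content), blocksize)]
    for _ in range(n):
        for block in blocks:
            pool.write_block(block)
    return pool.dedupratio()
```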
Initiator Hosts
Although the iSCSI target in COMSTAR is a functional replacement for the iSCSI target daemon, no upgrade or update path exists to convert your iSCSI LUNs to COMSTAR LUNs. Neither the iSCSI target daemon nor the shareiscsi property is available in Oracle Solaris 11. The following commands are used to manage iSCSI targets and LUNs.
• The itadm command manages SCSI targets.
• The srptadm command manages SCSI RDMA Protocol (SRP) target ports.
• The stmfadm command manages SCSI LUNs. Rather than setting a special iSCSI property on the ZFS volume, create the volume and use stmfadm to create the LUN.
• Benefits:
migration?
a. shadow
b. shadow-migration
c. zfs-shadow
d. zfs-migration
Answer: b
progress?
a. shadowadm
b. shadow
c. shadowstat
d. migrationstat
Answer: c
Answer: a
a. dedupratio
b. dedupmax
c. maxdedup
d. dedupditto
Answer: d
Solaris 11?
a. comstar
b. iscsi
c. storage-server
d. iscsi-storage
Answer: c
a. iscsi
b. stmf
c. comstar
d. iscsitgt
Answer: b
a. iscsiadm
b. stmf
c. itadm
d. stmfadm
Answer: c
Oracle Solaris 11 Security Enhancements
Job Workflow
Installing
Managing Software Packages
Network Administration Enhancements
Administering Zones
ZFS Enhancements
Security Enhancements
Before you begin the lesson, take a look at the job workflow in the slide diagram. So far, you have learned about ZFS enhancements. You will now learn about the enhancements made to security features of the Oracle Solaris 11 OS.
• Cryptographic Framework
• Increase security for automated installations
• ZFS dataset encryption
• Managing read-only zones
• BART, the file verification and reporting tool
• Monitoring the audit service
• Secure by Default
Several important security features and enhancements have been introduced with the release of the Oracle Solaris 11 operating system, including the following:
• Secure by Default: Oracle Solaris 11 provides a fully Secure by Default environment. Oracle Solaris Secure by Default reduces the attack surface of the Oracle Solaris OS by disabling as many network services as possible while still leaving a useful system. In this way, the number of exposed network services is dramatically reduced. With automatic Secure by Default, network services are disabled by default or set to listen for local system communications only.
• Root account as a role: Oracle Solaris 11 implements a role for root. The root as a role option was first delivered in Solaris 8 (1998). In Oracle Solaris 11, this option is enabled by default during installation. The advantage of root as a role is that it ensures that administrative actions done by the root account are attributable to a real (unique) person. Because you must have at least one user who is authorized to assume the root role, a standard user account (which can assume that role) is automatically created during the installation process. If you do not want this feature, you can revert to Oracle Solaris 10 behavior by running the following command:
# rolemod -K type=normal root
• Trusted Extensions enhancements:
- The IPv6 CALIPSO protocol option has been implemented alongside the current Trusted Extensions IPv6 CIPSO option. By default, IPv6 will be enabled on Trusted Extensions systems using Common Architecture Label IPv6 Security Option (CALIPSO) as the security labeling protocol. This integration allows Oracle Solaris to use the IETF's CALIPSO standard for passing MAC labels in IPv6 for Trusted Extensions.
- When Trusted Extensions is enabled, every zone is assigned a label. Previously, the label for each zone had to be unique. Now it is possible for labeled zones to share a common label. However, for backward compatibility, zones that previously had unique labels are referred to as primary labeled zones. Additional zones that are sharing the label of a primary labeled zone are called secondary labeled zones. This feature provides greater flexibility when configuring the security policy for labeled zones.
- Support for Oracle Solaris Trusted Extensions label policy specification to include networking interfaces has been added using the Trusted Networking Extended policy. It allows you to assign labels to network interfaces in the same manner as the host label specification. It also helps to ensure that systems on the same network use the same label policy. It also greatly increases the flexibility and scalability of trusted network deployment.
• Auditing enhancements: Auditing is the collecting of data about the use of system resources. The audit data provides a record of security-related system events. This data can then be used to assign responsibility for actions that take place on a system. Auditing is a basic requirement for security evaluation, validation, and certification bodies. Auditing can also provide a deterrent to potential intruders.
• PAM enhancements: This new feature will allow better interoperability with operating systems that use OpenPAM and Linux-PAM as well as better integration with IPS for self-assembly and delivery.
- Per-user authentication policy via PAM: This feature adds the ability to configure the PAM [see pam(3PAM)] stack on a per-user basis rather than the current system-wide option provided by pam.conf(4). The path to the alternate PAM policy can be specified either in a user's extended attributes [see user_attr(4)] or in a profile assigned to the user [see prof_attr(4) and policy.conf(4)] using the new pam_policy keyword and a new PAM service module named pam_user_policy(5). When pam_user_policy(5) is configured in pam.conf(4), the PAM stack can be configured on a per-user basis.
The new user_attr(4) key named pam_policy can be set using the RBAC utilities useradd(1M), usermod(1M), and profiles(1) to pam.conf(4)-formatted files supplied by administrators with an absolute path, or one of the default policies in /usr/lib/security/pam_policy can be chosen.
• Kerberos enhancements: Oracle Solaris Kerberos now supports multiple master Key Distribution Centers (KDCs), such as Active Directory, when changing a Kerberos principal's password. This provides more reliability if there is more than one master KDC and one of them is down. Now, the password-changing logic will try all the master KDCs until the change succeeds or it fails with all of them. See the krb5.conf(4) man page sections describing admin_server and kpasswd_server for more information.
data.
• Oracle Solaris Cryptographic Framework command scope:
– Administrator commands
– User commands
– Binary signatures for third-party software
Cryptographic services provide authentication and encryption mechanisms to applications and users.
Note: Oracle Solaris Cryptographic Framework now supports the NSA Suite B algorithms and Intel Advanced Encryption Standard – New Instructions (AES-NI). Starting from Oracle Solaris 11.1, Cryptographic Framework also supports SHA-224, which is the SHA-2 hash algorithm variant for 224-bit digests. SHA-224 is available as a stand-alone hash algorithm and as part of the PKCS#11 cryptographic library implementation.
• Administrator commands: The framework provides commands for administrators, for users, and for developers who supply providers. The cryptoadm command administers a running Cryptographic Framework. The command is part of the Crypto Management rights profile. This profile can be assigned to a role for secure administration of the Cryptographic Framework. The cryptoadm command allows you to:
- Display cryptographic provider information
- Disable or enable provider mechanisms
- Disable or enable the metaslot
enables a receiver to verify that the message came from the sender and that the message has not been tampered with. The sha1_mac and md5_hmac mechanisms can compute a MAC.
- encrypt command: Encrypts files or stdin with a symmetric cipher. The encrypt -l command lists the algorithms that are available. Mechanisms that are listed under a user-level library are available to the encrypt command. The framework provides AES, DES, 3DES (Triple-DES), and ARCFOUR mechanisms for user encryption.
- decrypt command: Decrypts files or stdin that were encrypted with the encrypt command. The decrypt command uses the identical key and mechanism that were used to encrypt the original file.
- pktool command: Enables you to manage the certificates and keys on multiple keystores, including PKCS#11 tokens, Netscape Security Services (NSS) tokens, and the standard file-based keystore for OpenSSL.
• Binary signatures for third-party software: The elfsign command provides a means to sign providers to be used with the Oracle Solaris Cryptographic Framework. Typically, this command is run by the developer of a provider. The elfsign command has subcommands to request a certificate from Oracle and to sign binaries. Another subcommand verifies the signature. Unsigned binaries cannot be used by the Oracle Solaris Cryptographic Framework. Signing one or more providers requires the certificate from Oracle and the private key that was used to request the certificate.
# cryptoadm list
User-level providers:
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
Provider: /usr/lib/security/$ISA/pkcs11_tpm.so
The cryptoadm list command displays a list of the providers currently installed in the system. Providers are cryptographic services that consumers use. Because providers plug in to the framework, they are also called "plug-ins." The cryptoadm list command separates the providers into three categories: user-level providers, kernel software providers, and kernel hardware providers.
The cryptoadm list metaslots command displays the system-wide configuration for a metaslot. A metaslot is a single slot that presents a union of the capabilities of other slots that are loaded in the framework. The metaslot eases the work of dealing with all of the capabilities of the providers that are available through the framework. When an application that uses the metaslot requests an operation, the metaslot figures out which actual slot should perform the operation. Metaslot capabilities are configurable, but configuration is not required. The metaslot is enabled by default.
The cryptoadm list -m command displays a list of mechanisms that can be used with the installed providers or metaslot. A mechanism is the application of a mode of an algorithm for a particular purpose. Cryptographic algorithms are established, recursive, computational procedures that encrypt or hash input. Encryption algorithms can be symmetric or asymmetric. Symmetric algorithms use the same key for encryption and decryption. Asymmetric algorithms, which are used in public-key cryptography, require two keys. Hashing functions are also algorithms. If a provider is specified, the command displays the name of the specified provider and the mechanism list that can be used with that provider. If the metaslot keyword is specified, it displays the list of mechanisms that can be used with the metaslot.
# digest -l
sha1
md5
sha224
sha256
sha384
sha512
# digest -a sha1 /etc/release
e64eb9c537f90f6cba0cfd1e6b39fe9dd33cf552
# mac -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
des_mac                    64    64
sha1_hmac                   8   512
md5_hmac                    8   512
sha224_hmac                 8   512
sha256_hmac                 8   512
sha384_hmac                 8  1024
sha512_hmac                 8  1024
# mac -v -k mykey -a sha1_hmac /etc/release
sha1_hmac (/etc/release) = 913ced311df10f1708d9848641ca8992f4718057
This slide shows the use of the digest and mac commands.
Note: The md5, des_mac, and md5_hmac cryptographic algorithms are not considered safe in today's computer environment. They are provided here only for backward compatibility.
# pktool setpin
Enter token passphrase: changeme
Create new passphrase: cangetin
Re-enter new passphrase: cangetin
Passphrase changed.
# pktool genkey label=myaeskey keytype=aes keylen=256
Enter PIN for Sun Software PKCS#11 softtoken: cangetin
# pktool list objtype=key
Enter PIN for Sun Software PKCS#11 softtoken: cangetin
No. Key Type Key Len. Key Label
----------------------------------------------------
Symmetric keys:
1) AES 256 myaeskey
# cat /newpool/mydata/newfile
This is a test.
# encrypt -a aes -K myaeskey -i newfile -o newfile
# cat /newpool/mydata/newfile
Enter PIN for Sun Software PKCS#11 softtoken : cangetin
<some encrypted data>
# decrypt -a aes -K myaeskey -i newfile -o newfile
# cat /newpool/mydata/newfile
This is a test.
This slide shows the use of the pktool, encrypt, and decrypt commands.
The pktool command enables you to manage the softtoken object store. The setpin subcommand changes the passphrase used to authenticate a user to the softtoken object store. setpin prompts you for the old passphrase. If the old passphrase matches, pktool prompts for the new passphrase twice. If the two entries of the new passphrase match, it becomes the current passphrase for the token. The default passphrase is changeme.
The pktool genkey command generates a symmetric key in the specified keystore. The genkey subcommand prompts the user to enter a PIN for a token-based keystore.
Next, the example in the slide shows the contents of the /newpool/mydata/newfile text file. The encrypt command is used with the new key to encrypt this file. The next command shows that the file is now encrypted. Finally, the file is decrypted by using the same key.
To configure security for automated installations, perform the following steps:
1. Generate security credentials for the AI server:
# installadm set-security -s -g
The root CA certificate has been generated.
The CA signing certificate request has been generated.
The signing CA certificate has been generated.
Generating server credentials...
A new certificate key has been generated.
A new certificate has been generated.
Generating new encryption key...
To set the OBP encryption key for server authentication only, enter this OBP command:
set-security-key wanboot-aes 8d210964e95f2a333c5e749790633273
Generating new hashing key (HMAC)...
protect against:
– Theft of physical storage
– Man-in-the-middle attacks on the SAN
– Dataset-level secured deletion
• Data is encrypted at the dataset level.
• Benefits of ZFS encryption include the following:
– ZFS encryption is integrated with the ZFS command set.
– You can use your existing storage pools.
– ZFS encryption is inheritable to descendant file systems.
– Data is encrypted by using AES, by default.
– ZFS encryption uses the Cryptographic Framework.
Benefits of ZFS encryption include the following:
• ZFS encryption is integrated with the ZFS command set. Like other ZFS operations, encryption operations, such as key changes and rekey, are performed online.
• You can use your existing storage pools as long as they are upgraded. You have the flexibility of encrypting specific file systems.
• ZFS encryption is inheritable to descendent file systems. Key management can be delegated through ZFS-delegated administration.
• Data is encrypted by using Advanced Encryption Standard (AES) with key lengths of 128, 192, and 256 in the CCM and GCM operation modes.
• ZFS encryption uses the Cryptographic Framework of Oracle Solaris, which automatically gives it access to any available hardware acceleration or optimized software implementations of the encryption algorithms.
# zfs get keysource encryptedpool/mysecrets
NAME PROPERTY VALUE SOURCE
encryptedpool/mysecrets keysource passphrase,prompt inherited from encryptedpool
# zfs set encryption=off encryptedpool/mysecrets
Cannot set property for 'encryptedpool/mysecrets': 'encryption' is readonly
This slide shows an example of encrypting a ZFS pool.
In this example, first you create a ZFS pool named encryptedpool with the encryption property set to on. Then, you create a ZFS file system named mysecrets in the encrypted pool. The keysource property of the mysecrets file system shows that encryption (passphrase,prompt) was inherited from the encrypted ZFS pool.
Note: A file system's encryption policy is inherited by descendent file systems and cannot be removed.
# zfs get encryption newpool/mysecretdata
NAME PROPERTY VALUE SOURCE
newpool/mysecretdata encryption aes-256-ccm local
This slide shows an example of encrypting a ZFS file system within a pool.
In this example, first you generate a keystore file named /myfskey. Then you create a ZFS file system named mysecretdata with the /myfskey keystore file. The keysource property of the mysecretdata file system shows that the encryption key source comes from the /myfskey keystore file.
zone.
• Read-only zones preserve a zone's integrity by using read-only root file systems.
• Modifications to system binaries or system configurations are blocked.
• The file-mac-profile property is used to configure a read-only zone root.
– The zonecfg utility is used to set the file-mac-profile property.
– By default, the file-mac-profile property is not set.
A zone with a read-only zone root is called a read-only zone. An Oracle Solaris read-only zone preserves the zone's configuration by implementing read-only root file systems for nonglobal zones. This zone extends the zone's secure runtime boundary by adding additional restrictions to the runtime environment. Unless performed as specific maintenance operations, modifications to system binaries or system configurations are blocked.
The mandatory write access control (MWAC) kernel policy is used to enforce file system write privilege through a zonecfg file-mac-profile property. Because the global zone is not subject to the MWAC policy, the global zone can write to a nonglobal zone's file system for installation, image updates, and maintenance. The MWAC policy is downloaded when the zone enters the ready state. The policy is enabled at zone boot. To perform post-installation assembly and configuration, a temporary writable root-file system boot sequence is used. Modifications to the zone's MWAC configuration take effect only with a zone reboot.
read-only policy
• Four possible values:
– none
– strict
– fixed-configuration
– flexible-configuration
The file-mac-profile property allows you to define which parts of the file system are exempted from the read-only policy (that is, which parts of the file system the zone is allowed to write to).
There are currently four supported values for this property:
• none: This value makes the zone exactly the same as a normal, read/write zone. Setting the value to none is equivalent to not setting the file-mac-profile property.
• strict: This value allows no exceptions to the read-only policy.
• fixed-configuration: This value allows the zone to write to files in and below /var, except directories containing configuration files:
- /var/ld
- /var/lib/postrun
- /var/pkg
- /var/spool/cron
- /var/spool/postrun
- /var/svc/manifest
- /var/svc/profiles
• flexible-configuration: This is similar to fixed-configuration, but allows writing to files in /etc too.
This slide shows examples of configuring and viewing read-only zones.
• strict: Read-only file system, no exceptions
- IPS packages cannot be installed.
- Persistently enabled SMF services are fixed.
- SMF manifests cannot be added from the default locations.
- Logging and auditing configuration files are fixed. Data can be logged only remotely.
• fixed-configuration: Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
- IPS packages, including new packages, cannot be installed.
- Persistently enabled SMF services are fixed.
- SMF manifests cannot be added from the default locations.
- Logging and auditing configuration files can be local. syslog and audit configuration are fixed.
• flexible-configuration: Similar to fixed-configuration, but also permits writing to files in /etc.
- Logging and auditing configuration files can be local. syslog and audit configuration can be changed.
• none: Standard, read/write, nonglobal zone, with no additional protection beyond the existing zones boundaries. Setting the value to none is equivalent to not setting the file-mac-profile property.
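As an added illustration (not Oracle's MWAC implementation) of the four file-mac-profile values described above, the following model decides whether a write to a given path inside a nonglobal zone would be allowed under each profile; the exempted /var directories are the ones listed on this page, and the helper names are assumptions.

```python
"""Constructed model of the read-only zone write policy (not Oracle's MWAC code):
decide whether a nonglobal zone with a given file-mac-profile may write to a path."""
from pathlib import PurePosixPath

# directories under /var that stay read-only even under fixed-configuration
# (the list given for the property above)
CONFIG_DIRS_UNDER_VAR = (
    "/var/ld",
    "/var/lib/postrun",
    "/var/pkg",
    "/var/spool/cron",
    "/var/spool/postrun",
    "/var/svc/manifest",
    "/var/svc/profiles",
)

PROFILES = ("none", "strict", "fixed-configuration", "flexible-configuration")


def _under(path: str, prefix: str) -> bool:
    """True when path equals prefix or lies below it (pure path arithmetic, no I/O)."""
    p, q = PurePosixPath(path), PurePosixPath(prefix)
    return p == q or q in p.parents


def write_allowed(profile: str, path: str) -> bool:
    """Return True if a zone configured with this file-mac-profile may write to path.
    An unset property behaves like "none"."""
    if profile not in PROFILES:
        raise ValueError(f"unknown file-mac-profile value: {profile!r}")
    if not path.startswith("/"):
        raise ValueError("path must be absolute within the zone root")
    if profile == "none":
        return True                      # ordinary read/write zone
    if profile == "strict":
        return False                     # no exceptions to the read-only policy
    # fixed-configuration and flexible-configuration: /var is writable ...
    if _under(path, "/var"):
        # ... except the directories holding configuration components
        return not any(_under(path, d) for d in CONFIG_DIRS_UNDER_VAR)
    # flexible-configuration additionally opens /etc
    if profile == "flexible-configuration" and _under(path, "/etc"):
        return True
    return False                         # system binaries and everything else stay fixed


def audit_paths(profile: str, paths) -> dict:
    """Summarise which of several paths a zone could modify: {path: allowed}."""
    return {p: write_allowed(profile, p) for p in paths}
```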
BART is a tool that performs a file-level check of the software contents of a system. BART enables you to quickly, easily, and reliably gather information about the components of the software stack that is installed on deployed systems. Using BART can greatly reduce the costs of administering a network of systems by simplifying time-consuming administrative tasks.
BART enables you to determine what file-level changes have occurred on a system, relative to a known baseline. You use BART to create a baseline or control manifest from a fully installed and configured system. You can then compare this baseline with a snapshot of the system at a later time, generating a report that lists file-level changes that have occurred on the system since it was installed.
# vi bartrules
IGNORE all
/export/home/oracle
CHECK all
# touch /export/home/oracle/newfile
# bart create -r bartrules > bart-`hostname`-`date '+%d%m%Y-%H:%M:%S'`
# ls bart*
bart-s11-server1-15072014-07:35:24 bartrules
bart-s11-server1-15072014-07:36:38
# bart compare -r bartrules bart-s11-server1-15072014-07:35:24 \
bart-s11-server1-15072014-07:36:38
/export/home/oracle:
size control:5 test:6
dirmtime control:53ba0c5a test:53c4d9f5
/export/home/oracle/newfile:
add
The slide shows an example of using BART.
In this example, first you create a BART rules file. In this case, BART ignores all file changes on the system except for the file changes in the /export/home/oracle directory. Then you run the BART report by using the BART rules file to create a comparison baseline. In a bart compare report, the baseline is indicated by the "control" field.
Next, a new file is created in the /export/home/oracle directory and a second BART report is generated. The second BART report is used to compare against the baseline report created earlier. In a bart compare report, the BART report to be compared against the baseline is indicated by the "test" field.
Finally, bart compare is run by using the baseline (control) and test BART reports. The results show that the /export/home/oracle directory size was changed and /export/home/oracle/newfile was added.
# vi /export/home/oracle/newfile
This is a test.
# ls bart*
bart-s11-server1-15072014-07:35:24 bart-s11-server1-15072014-07:39:25
bart-s11-server1-15072014-07:36:38 bartrules
Next, a text message is added to the /export/home/oracle/newfile file and a third
BART report is run. The second BART report is then used as the new baseline and compared
against the third BART report. The results show that in the test report,
/export/home/oracle/newfile has grown by 16 bytes. The modified time stamp and file
contents have changed.
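To make the control/test vocabulary of a bart compare report concrete, here is an added example (written for this page, not code from the Oracle course or from BART itself) that replays the three-step sequence above on a constructed temporary directory: create a baseline manifest, add an empty file, then write "This is a test." into it. The attribute set, the SHA-256 content hash, and the pinned timestamps are assumptions of this illustration; a real bart manifest records its own set of attributes and checksum.

```python
# Added example (not from the Oracle course): a minimal BART-style
# baseline/compare over one subtree. Real bart manifests record different
# attributes and their own checksum; SHA-256 is used here for illustration.
import hashlib
import os
import stat
import tempfile


def _entry(path):
    """Attributes recorded per path: type, size, mode, mtime and, for files, a content hash."""
    st = os.lstat(path)
    entry = {
        "type": "D" if stat.S_ISDIR(st.st_mode) else "F",
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "mtime": int(st.st_mtime),
    }
    if entry["type"] == "F":
        digest = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
        entry["contents"] = digest.hexdigest()
    return entry


def create_manifest(root):
    """Like 'bart create' restricted to one subtree; keys are paths relative to root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        manifest[os.path.relpath(dirpath, root)] = _entry(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root)] = _entry(path)
    return manifest


def compare_manifests(control, test):
    """Like 'bart compare': {path: {attribute: (control_value, test_value)}}.
    Paths present on only one side map to {"add": None} or {"delete": None}."""
    report = {}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report[path] = {"add": None}
        elif path not in test:
            report[path] = {"delete": None}
        else:
            diffs = {}
            for attr, c_val in control[path].items():
                t_val = test[path].get(attr)
                if c_val != t_val:
                    # bart names a directory's modification time "dirmtime"
                    is_dir = control[path]["type"] == "D"
                    diffs["dirmtime" if attr == "mtime" and is_dir else attr] = (c_val, t_val)
            if diffs:
                report[path] = diffs
    return report


def format_report(report):
    """Render in the layout bart compare prints; times are shown in hex as on the slide."""
    lines = []
    for path, diffs in report.items():
        lines.append(f"{path}:")
        for attr, vals in diffs.items():
            if vals is None:
                lines.append(f"  {attr}")
            elif attr in ("mtime", "dirmtime"):
                lines.append(f"  {attr}  control:{vals[0]:x}  test:{vals[1]:x}")
            else:
                lines.append(f"  {attr}  control:{vals[0]}  test:{vals[1]}")
    return "\n".join(lines)


def demo():
    """Replay the slide's sequence on a constructed tree. Timestamps are pinned with
    os.utime so the result does not depend on the wall clock."""
    with tempfile.TemporaryDirectory() as home:
        with open(os.path.join(home, "profile"), "w") as f:
            f.write("export EDITOR=vi\n")
        os.utime(home, (1405000000, 1405000000))
        baseline = create_manifest(home)               # first 'bart create'

        newfile = os.path.join(home, "newfile")
        open(newfile, "w").close()                     # touch newfile
        os.utime(newfile, (1405000100, 1405000100))
        os.utime(home, (1405000100, 1405000100))
        second = create_manifest(home)                 # second 'bart create'
        first_compare = compare_manifests(baseline, second)

        with open(newfile, "w") as f:
            f.write("This is a test.\n")                # 16 bytes, as on the slide
        os.utime(newfile, (1405000200, 1405000200))
        third = create_manifest(home)                  # third 'bart create'
        second_compare = compare_manifests(second, third)
    return first_compare, second_compare


if __name__ == "__main__":
    first, second = demo()
    print(format_report(first))
    print("---")
    print(format_report(second))
```

The first comparison reports the directory's dirmtime change and the added newfile; the second, taken against the later manifest, reports the 16-byte size change together with the mtime and contents attributes, which is the same shape of result the slide notes describe.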
• Cryptographic Framework
• Increase security for automated installations
• ZFS dataset encryption
• Managing read-only zones
• BART, the file verification and reporting tool
• Monitoring the audit service
During system configuration, you set audit policies and preselect which classes of audit
events to monitor. You can fine-tune the degree of auditing that is done for individual users.
After the audit data is collected, post-selection tools enable you to reduce and examine the
audit trail. Systems that install nonglobal zones can audit all zones identically from the global
zone. You can also configure systems with nonglobal zones to collect different records for
each zone.
Auditing generates audit records when specified events occur, such as:
• System startup and system shutdown
• Login and logout
• Process creation or destruction, or thread creation or destruction
• Opening, closing, creating, destroying, renaming objects
• Use of Role-Based Access Control (RBAC)
• Permission changes by a process or user
• Administrative actions, such as installing a package
• Use of site-specific applications
Audit records are generated from three sources:
• By an application
• As a result of an asynchronous event
• As a result of a system call
Oracle Solaris provides rights profiles for configuring the audit service, for enabling and
disabling the service, and for analyzing the audit trail. Editing an audit configuration file
requires the privileges of the root role.
• Audit Configuration: Enables an administrator to configure the parameters of the audit
service and to run the auditconfig command
• Audit Control: Enables an administrator to start, refresh, and disable the audit service
and to run the audit command to start, refresh, or stop the service
• Audit Review: Enables an administrator to analyze audit records. This rights profile
grants authorization to read audit records with the praudit and auditreduce
commands. This administrator can also run the auditstat command.
• System Administrator: Includes the Audit Review rights profile. An administrator
with the System Administrator rights profile can analyze audit records.
For more information, refer to http://docs.oracle.com/cd/E36784_01/html/E37127/auditref-1.html#scrolltoc.
• By using the Audit Control rights profile, you can control the Oracle Solaris audit service
with audit(1M) to refresh, change audit files, disable, and re-enable. Refer to the
audit(1M) man page for more information.
• Global zone auditing need not be enabled for per-zone auditing.
# auditconfig -getpolicy
configured audit policies = argv,cnt
active audit policies = argv,cnt
# cd /var/audit
# ls
...
20140718053501.not_terminated.s11-server1
20140722022941.not_terminated.s11-server1
20140723075705.20140724072749.s11-server1
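The listing of /var/audit above is easier to use during an investigation once the file names are decoded. Oracle Solaris names each audit trail file start.end.hostname, with both stamps as YYYYMMDDhhmmss in UTC and the literal not_terminated in place of the end stamp while the audit daemon is still writing the file. The following added example (written for this page, not code from the Oracle course) parses those names, lists the files still open, and selects the files whose span overlaps a time window of interest, which is the usual first step before running auditreduce and praudit over them. The helper names are hypothetical; the three file names come from the listing above. An older not_terminated file alongside a newer one is worth a closer look, since the daemon normally closes a file when it rolls to the next, so a leftover open file usually reflects an unclean stop.

```python
# Added example (not from the Oracle course): decode /var/audit file names
# of the form <start>.<end>.<hostname>, where <end> is "not_terminated"
# while the file is still being written. Stamps are YYYYMMDDhhmmss (UTC).
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional

STAMP_FORMAT = "%Y%m%d%H%M%S"


class AuditFile(NamedTuple):
    name: str
    start: datetime
    end: Optional[datetime]   # None while the audit daemon still writes the file
    host: str


def _stamp(text: str) -> datetime:
    return datetime.strptime(text, STAMP_FORMAT).replace(tzinfo=timezone.utc)


def parse_audit_filename(name: str) -> AuditFile:
    """Split an audit trail file name into start, end and host.
    Raises ValueError for names that do not follow the convention."""
    parts = name.split(".", 2)      # maxsplit keeps dotted host names intact
    if len(parts) != 3:
        raise ValueError(f"not an audit trail file name: {name}")
    start, end, host = parts
    return AuditFile(name, _stamp(start),
                     None if end == "not_terminated" else _stamp(end), host)


def open_files(names: List[str]) -> List[AuditFile]:
    """Audit files that are still open (no end stamp), in listing order."""
    result = []
    for name in names:
        try:
            af = parse_audit_filename(name)
        except ValueError:
            continue                # skip stray files, e.g. editor backups
        if af.end is None:
            result.append(af)
    return result


def files_covering(names: List[str], window_start: str, window_end: str,
                   now: str) -> List[AuditFile]:
    """Audit files whose span overlaps [window_start, window_end], all given as
    YYYYMMDDhhmmss strings. An open file is treated as extending to `now`."""
    w_start, w_end, w_now = _stamp(window_start), _stamp(window_end), _stamp(now)
    hits = []
    for name in names:
        try:
            af = parse_audit_filename(name)
        except ValueError:
            continue
        file_end = af.end if af.end is not None else w_now
        if af.start <= w_end and file_end >= w_start:
            hits.append(af)
    return hits


if __name__ == "__main__":
    # Constructed input: the three names shown in the slide's ls output.
    listing = [
        "20140718053501.not_terminated.s11-server1",
        "20140722022941.not_terminated.s11-server1",
        "20140723075705.20140724072749.s11-server1",
    ]
    for af in open_files(listing):
        print("still open:", af.name, "since", af.start.isoformat())
    for af in files_covering(listing, "20140724100000", "20140724110000",
                             now="20140725000000"):
        print("covers window:", af.name)
```

With the listing above, the closed file ends at 07:27:49 on 24 July 2014, so a window later that morning is covered only by the two open files, and both of those being open at once is the condition the lead-in flags.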
a. True
b. False
Answer: a
Answer: d
Answer: b
Answer: a