SA-225-S10
Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these
intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the
U.S. and in other countries.
U.S. Government Rights - Commercial Software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its
supplements.
Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and in other countries, exclusively
licensed through X/Open Company, Ltd.
Sun, Sun Microsystems, the Sun logo, are trademarks or registered trademarks of Sun Microsystems, Inc., or its subsidiaries, in the U.S. and other countries.
All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC
trademarks are based upon an architecture developed by Sun Microsystems, Inc.
The OPEN LOOK and Sun(TM) Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in
researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User
Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements.
This product is covered and controlled by U.S. Export Control laws and may be subject to the export or import laws in other countries. Nuclear, missile, chemical biological weapons or
nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified on U.S. export
exclusion lists, including, but not limited to, the denied persons and specially designated nationals lists is strictly prohibited.
DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
Managing Scheduling Classes and the Fair Share Scheduler  2-39
Describing CPU Shares  2-41
Combining FSS With Other Scheduling Classes  2-43
Making FSS the Default Scheduling Class  2-48
Manually Move Processes From All User Classes Into the FSS Class  2-49
Setting the Scheduling Class For a Zone  2-50
Monitoring FSS  2-51
Configuring CPU Shares for Zones  2-52
Using the cpu-shares Zone Property  2-53
Using prctl to Configure CPU Shares  2-57
Monitoring the Effect of CPU Shares Using prstat  2-58
Configuring Temporary Resource Pools  2-59
Displaying Temporary Resource Pool Configurations  2-62
Using the capped-cpu Resource  2-65
Configuring Memory Capping for Zones  2-66
How Resource Capping Works  2-67
Resource Capping Guidelines  2-69
Enabling and Disabling the rcap Service  2-70
Using zonecfg to Configure Memory Caps  2-72
Using rcapadm to Configure Memory Caps  2-76
Monitoring the Effect of Memory Caps Using rcapstat  2-77
Setting the Memory Cap Enforcement Threshold  2-78
Preface
Course Goals
• Identify changes to system management features
• Identify the new features of Solaris™ Zones
• Identify the new features of the Solaris™ ZFS file system
• Identify the new features of Sun’s Predictive Self-Healing architecture
• Identify new features of Sun’s DTrace facility
• Identify changes to NFS version 4
• Identify the changes to security
• Identify changes to installation features
Course Map
Course map (diagram): System Management Changes in Solaris 10; Solaris Zones; Solaris ZFS File System; Predictive Self-Healing; Introduce DTrace; Changes to NFS Version 4 in Solaris 10; Security Changes in Solaris 10; Installation Changes in Solaris 10.
Solaris™ 10 Features for Experienced Solaris System Administrators Preface, slide iii of vi
Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. Sun Learning Services, Revision E
Introductions
• Name
• Company affiliation
• Title, function, and job responsibility
• Experience related to topics presented in this course
• Reasons for enrolling in this course
• Expectations for this course
Module 1
Objectives
• Identify the features of Solaris™ Zones
• Understand how and why zone partitioning is used
• Configure zones
• Verify zone configuration
• Export zone configuration
• Install zones
Solaris Zones
• Separate Solaris OS virtual environments on one
physical system
• Server consolidation solutions:
• Hardware Partitioning
• Emulation or Full Virtualization
• Solaris Zones technology is in the Operating System
Partitions category
Zone architecture (diagram): each non-global zone is a virtual platform managed by its own zoneadmd, with a zone console (zcons), virtual network interfaces (for example hme0:2, hme0:3) and file systems such as /usr and /opt/yt. The global zone runs the core services (inetd, rpcbind, ypbind, automountd, snmpd, dtlogin, sendmail, sshd, ...), remote administration and monitoring (SNMP, SunMC, WBEM) and platform administration (syseventd, devfsadmd, ...) on top of the storage complex.
Zone Features
• Security
• Isolation
• Virtualization
• Granularity
• Transparency
Zone Concepts
• Zone types
• Global Zone
• Non Global Zones
• Zone daemons
• Zone file systems
• Sparse Root Model
• Whole Root Model
Zone file system models (diagram). Sparse root model: the zone's own root holds /, /var, /opt and /export (about 100 MB) while /usr, /lib and /platform are shared read-only from the global zone (about 4 GB). Whole root model: the zone root also holds its own copies of /usr, /lib and /platform (about 3 GB, against about 4 GB in the global zone).
Zone States
Zone state transitions (diagram):
Undefined -> (create) -> Configured -> (install) -> Installed -> (ready) -> Ready -> (boot) -> Running
Running -> (halt, via Shutting Down) -> Installed; Running -> (reboot) -> Running
Installed -> (uninstall) -> Configured; Configured -> (delete) -> Undefined
Configuring Zones
Identifying Zone Components
• A zone name
• A path to the zone’s root
• The zone network interfaces
• The file systems mounted in zones
• The configured devices in zones
Module 2
Objectives
• Verify zone configuration
• Install zones
• Boot zones
• Rename, Move and Clone a zone
• Back up and restore non-global zones
• Migrate zones from one machine to another
• Describe system upgrades with non-global zones
installed
• Administer packages in zones
• Remove zones
• Configure resource pools
Booting a Zone
• Booting a zone places the zone in the running state.
• The default autoboot state is false
• Use the zoneadm -z zone_name boot command to
boot a zone.
• Use the zoneadm list -v command to verify boot
status.
Halting a Zone
Use the zoneadm -z zone_name halt command to remove
both the application environment and the virtual platform for
a zone.
• The zone is placed in the installed state.
• Processes are killed.
• Devices are unconfigured.
• Network interfaces are unplumbed.
• File systems are unmounted.
• Kernel data structures are destroyed.
Rebooting a Zone
• Use the zoneadm -z zone_name reboot command
to reboot a zone.
• The zone is halted and then booted again.
Renaming a Zone
Zone renaming is performed using the zonecfg command. You use the set zonename subcommand to change the zonename attribute to a new value not currently assigned to a non-global zone.
# zonecfg -z work-zone
zonecfg:work-zone> set zonename=new-zone
zonecfg:new-zone> commit
zonecfg:new-zone> exit
Moving a Zone
• Relocates a non-global zone from one point on a system
to another point on the same system.
• Works within and across file systems.
• Does not work on an NFS mounted file system.
• When crossing file system boundaries, the data is
copied and the original directory is removed.
• Use the zoneadm -z zone_name move /newpath
command.
• Zone must be halted before moving.
Cloning a Zone
• Allows you to rapidly provision new non-global zones.
• System checks for ZFS snapshot and file systems.
• If non-ZFS, cpio is used.
• Cloning procedure (edit the exported file before creating new-zone so that its zonepath and any network address differ from those of work-zone):
# zoneadm -z work-zone halt
# zonecfg -z work-zone export -f /export/zones/master
# zonecfg -z new-zone -f /export/zones/master
# zoneadm -z new-zone clone work-zone
Migrating a Zone
• Migrate a non-global zone from one system to another.
• The global zone on the target system must be:
• The same release as the original host.
• The same versions of operating system packages
and patches as the original host.
• Zone migration procedure:
On source host:
host1# zoneadm -z work-zone halt
host1# zoneadm -z work-zone detach
host1# cd /export/zones
host1# tar cf work-zone.tar work-zone
host1# sftp host2
Connecting to host2...
Password:
On destination host:
host2# cd /export/zones
host2# tar xf work-zone.tar
host2# zonecfg -z work-zone
work-zone: No such zone configured
zonecfg:work-zone> create -a /export/zones/work-zone
zonecfg:work-zone> commit
zonecfg:work-zone> exit
host2# zoneadm -z work-zone attach
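Before the attach step, a practitioner wants evidence that the destination host really carries the same patches as the source, because zoneadm attach validates the global zone's package and patch level against the detached zone and fails on a mismatch. The script below is an added example, not part of the course material: it compares the Patch: entries of two showrev -p captures and reports the differences in both directions. The two listings embedded in it are constructed sample data with made-up patch ids; on real hosts save the output of showrev -p from each host and pass those two files.

```shell
#!/bin/bash
# Added example, not part of the course: compare the patch lists of the
# source and destination hosts before 'zoneadm attach'.
# Inputs are files holding 'showrev -p' output, one per host, for example:
#   host1# showrev -p > /export/zones/host1.patches
# The two listings below are CONSTRUCTED sample data with made-up patch ids.

SRC_LIST=$(mktemp)
TGT_LIST=$(mktemp)

cat > "$SRC_LIST" <<'EOF'
Patch: 100001-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 100002-05 Obsoletes:  Requires: 100001-02 Incompatibles:  Packages: SUNWcsr
Patch: 100003-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWzoneu
EOF

cat > "$TGT_LIST" <<'EOF'
Patch: 100001-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 100002-03 Obsoletes:  Requires: 100001-02 Incompatibles:  Packages: SUNWcsr
Patch: 100003-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWzoneu
Patch: 100004-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWsshdu
EOF

# Print the patch ids (id-revision) of a showrev -p listing, sorted and unique.
patch_ids() {
    awk '$1 == "Patch:" { print $2 }' "$1" | sort -u
}

# Patch ids found in listing $1 but not in listing $2.
patches_only_in() {
    a=$(mktemp)
    b=$(mktemp)
    patch_ids "$1" > "$a"
    patch_ids "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Patches the source has and the target lacks: attach fails until these are installed.
missing_on_target() { patches_only_in "$1" "$2"; }

# Patches only the target has: also a deviation from the "same patches" requirement.
extra_on_target() { patches_only_in "$2" "$1"; }

# 0 when both hosts carry exactly the same patch ids and revisions, 1 otherwise.
same_patch_level() {
    [ -z "$(missing_on_target "$1" "$2")" ] && [ -z "$(extra_on_target "$1" "$2")" ]
}

echo "Missing on target:"; missing_on_target "$SRC_LIST" "$TGT_LIST"
echo "Only on target:";    extra_on_target   "$SRC_LIST" "$TGT_LIST"
if same_patch_level "$SRC_LIST" "$TGT_LIST"; then
    echo "Patch levels match; safe to run zoneadm attach"
else
    echo "Patch levels differ; align them before zoneadm attach"
fi
```

A revision difference on the same patch id (100002-05 against 100002-03 in the sample) shows up as one id missing and one id extra, which is exactly the case the attach validation rejects, so the verdict function requires both lists to be empty.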
Removing a Zone
• Be sure to back up any files that you want to keep.
• Zone removing procedure:
# zoneadm -z work-zone halt
# zoneadm -z work-zone uninstall
# zonecfg -z work-zone delete
Configuring Pools
• Create the initial configuration:
# svcadm enable system/pools:default
# pooladm -s
# poolcfg -c info
system tester
string system.comment
int system.version 1
...
cpu
int cpu.sys_id 3
string cpu.comment
string cpu.status on-line
cpu
int cpu.sys_id 2
string cpu.comment
string cpu.status on-line
...
# pooladm -c
# pooladm -s /var/tmp/backup-rsrc_pools.conf
Charts: CPU utilization of Database 1 and Database 2 over time (two pairs of panels).
Configuring FSS
• FSS related commands:
Command        Description
priocntl(1)    Displays or sets scheduling parameters of specified processes, moves running processes into a different scheduling class.
ps(1)          Lists information about running processes, identifies in which scheduling classes processor sets are running.
dispadmin(1M)  Sets the default scheduler for the system. Also used to examine and tune the FSS scheduler's time quantum value.
FSS(7)         Describes the fair share scheduler (FSS).
Monitoring FSS
• To monitor the CPU usage of zones on the system, use
the prstat command with the -Z option.
global# prstat -Z
Module 3
Objectives
• Describe the Solaris ZFS file system
• Create new ZFS pools and file systems
• Modify ZFS file system properties
• Mount and unmount ZFS file systems
• Destroy ZFS pools and file systems
• Work with ZFS snapshots and Clones
• Use ZFS datasets with Solaris Zones
What Is ZFS?
• ZFS Snapshots
ZFS snapshots are read-only copies of file systems that initially consume no additional space in a pool.
• Simplified Administration
ZFS uses a simplified command set and a hierarchical file system layout, and supports file system property inheritance and automatic mount points.
ZFS Terminology
• checksum - A 256-bit hash of the data in a file system
block.
• clone - A file system whose initial contents are identical
to the contents of a snapshot.
• dataset - A generic name for the following ZFS entities:
clones, file systems, snapshots, or volumes.
• file system - A dataset that contains a standard POSIX
file system.
• mirror - A virtual device that stores identical copies of
data on two or more disks.
Pool
Storage pool (diagram): a pool is built from whole disks (preferred), disk slices, or files (files for test only); data blocks are striped across the pool's devices (Stripe 1, Stripe 2, Stripe 3).
Some of these errors can be overridden by using the -f option, but most errors
cannot.
ZFS Properties
Two types, native and user defined
Properties provide the main mechanism that you use to
control the behavior of file systems, volumes, snapshots, and
clones.
Properties are either read-only statistics or settable properties.
Most settable properties are also inheritable.
An inheritable property is a property that, when set on a
parent, is propagated to all of its descendants.
Property name (type, default value): description
available (Number, default N/A): Read-only property that identifies the amount of space available to the dataset and all its children, assuming no other activity in the pool.
canmount (Boolean, default on): Controls whether the given file system can be mounted with the zfs mount command.
checksum (String, default on): Controls the checksum used to verify data integrity.
compression (String, default off): Enables or disables compression for this dataset.
compressratio (Number, default N/A): Read-only property that identifies the compression ratio achieved for this dataset.
copies (Number, default 1): Sets the number of copies of user data per file system.
creation (Number, default N/A): Read-only property that identifies the date and time that this dataset was created.
devices (Boolean, default on): Controls whether device nodes found within this file system can be opened.
exec (Boolean, default on): Controls whether programs within this file system are allowed to be executed.
mounted (Boolean, default N/A): Read-only property that indicates whether this file system, clone, or snapshot is currently mounted.
mountpoint (String, default N/A): Controls the mount point used for this file system.
origin (String, default N/A): Read-only property for cloned file systems or volumes that identifies the snapshot from which the clone was created.
quota (Number or none, default none): Limits the amount of space a dataset and its descendants can consume.
readonly (Boolean, default off): Controls whether this dataset can be modified.
recordsize (Number, default 128K): Specifies a suggested block size for files in the file system.
referenced (Number, default N/A): Read-only property that identifies the amount of data accessible by this dataset.
refquota (Number or none, default none): Sets the amount of space that a dataset can consume.
refreservation (Number or none, default none): Sets the minimum amount of space that is guaranteed to a dataset, not including descendants, such as snapshots and clones.
reservation (Number or none, default none): The minimum amount of space guaranteed to a dataset and its descendants.
setuid (Boolean, default on): Controls whether the setuid bit is honored in the file system.
sharenfs (String, default off): Controls whether the file system is available over NFS, and what options are used.
snapdir (String, default hidden): Controls whether the .zfs directory is hidden or visible in the root of the file system.
type (String, default N/A): Read-only property that identifies the dataset type as filesystem (file system or clone), volume, or snapshot.
used (Number, default N/A): Read-only property that identifies the amount of space consumed by the dataset and all its descendants.
volsize (Number, default N/A): For volumes, specifies the logical size of the volume.
volblocksize (Number, default 8 Kbytes): For volumes, specifies the block size of the volume.
zoned (Boolean, default N/A): Indicates whether this dataset has been delegated to a non-global zone.
xattr (Boolean, default on): Indicates whether extended attributes are enabled or disabled for this file system.
If you type the appropriate URL and are unable to reach the ZFS
Administration console, the server might not be started. To start
the server, run the following command:
# /usr/sbin/smcwebserver start
ZFS Snapshots
A snapshot is a read-only copy of a file system or volume.
Snapshots are created almost instantly, and initially consume
no additional disk space within the pool.
ZFS snapshots include the following features:
• Snapshots persist across system reboots.
• The theoretical maximum number of snapshots is 2^64.
• Snapshots use no separate backing store. Snapshots
consume disk space directly from the same storage
pool as the file system from which they were created.
You can list snapshots that were created for a particular file
system as follows:
# zfs list -r -t snapshot -o name,creation pool/home
NAME CREATION
pool/home/anne@monday Mon Mar 13 11:46 2006
pool/home/bob@monday Mon Mar 13 11:46 2006
ZFS Clones
A clone is a writable volume or file system whose initial
contents are the same as the snapshot from which it was
created.
As with snapshots, creating a clone is nearly instantaneous,
and initially consumes no additional disk space.
You can only create clones from a snapshot.
When you clone a snapshot, an implicit dependency is created
between the clone and snapshot.
A clone does not inherit properties from the dataset from
which it was created.
Module 4
Predictive Self-Healing
Objectives
• List the benefits of Predictive Self-Healing
• Determine the relationship of Fault Management
Architecture (FMA) to Sun’s Predictive Self-Healing
capability
• Determine the relationship of Service Management
Facility (SMF) to Sun’s Predictive Self-Healing
capability
• Explore features of the Fault Management Architecture
• Explore features of the Service Management Facility
Error Handler
Software for the following must be written specifically to
work with the fault manager.
• Drivers
• CPU
• Memory
• PCI
The software must detect an error, capture data, and generate
an error event.
Error handling (diagram): error types CE, TO, TPERR, DPERR and UE reported by UltraSPARC1, UltraSPARC2 and UltraSPARC2e processors.
# fmadm faulty
STATE RESOURCE / UUID
------------------------------------------------------------------------
faulted fmd:///module/cpumem-diagnosis
72c443b7-35a3-6779-bf48-fea92b893c36
------------------------------------------------------------------------
degraded mem:///unum=Slot,A:J7900
44d8c0bc-b8da-6a47-c4f2-b7e40c3ca1c3
------------------------------------------------------------------------
SNMP-Based Monitoring
• Information can be:
• Pushed from any device to one or more network
management stations (NMSs).
• Pulled by an administrator or automated utility
from a particular device of interest.
• Managed devices signify events using traps or
notifications.
• MIB provides access to a much greater breadth and
depth of information than is transmitted with a trap or
notification.
• /etc/sma/snmp/mibs/SUN-FM-MIB
• snmp-trapgen: an SNMP Plugin for fmd
SMF Components
SMF Component        Description
svc.startd           Responsible for starting and stopping services as requested
svc.configd          Responsible for accessing the configuration repository
Service repository   The /etc/svc/repository.db file
Delegated restarter  For example: inetd
Service abstraction  An entity which provides a known list of capabilities to other local and remote services.
SMF Initialization
Services
• The fundamental unit of administration in SMF is the
service.
• It provides a known list of capabilities to other local
and remote services.
• Services are represented as instance nodes which are
children of service nodes.
• One service might have many instances such as a Web
server on multiple ports.
• Both service nodes and instance nodes can have
properties.
• If an instance doesn't have property X, the service's
property X is used.
Service Components
• Services are composed of several components, for
example:
• A mechanism to start and stop the service
• A mechanism to monitor and restart services
• A location for configuration data (properties)
• A location for error messages
• SMF organizes service components using profiles and
manifests.
Service Profiles
• A service profile is used to set general settings for a
system as to what services need to run.
• It consists of a group of related services for the purpose
of enabling them in a consistent pattern.
• Profiles are listed in the directory /var/svc/profile.
• The generic_open.xml profile.
• The generic_limited_net.xml profile.
Manifests
• A manifest is used to describe a single service or set of related services.
• The XML-based manifest files are in the /var/svc/manifest directory tree.
• All manifests in the /var/svc/manifest directory tree are read by svc.startd as it starts.
• New services are imported into the /etc/svc/repository.db repository file.
• Error logs are found in the /var/svc/log directory.
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type='manifest' name='SUNWcsr:coreadm'>
<service
    name='system/coreadm'
    type='service'
    version='1'>
    <single_instance />
    <dependency
        name='usr'
        type='service'
        grouping='require_all'
        restart_on='none'>
        <service_fmri value='svc:/system/filesystem/minimal' />
    </dependency>
    <!-- the exec_method and instance elements of the full manifest are not shown -->
</service>
</service_bundle>
SMF Commands
Command       Description
svcs(1)       Show services, their current state, and their dependencies
svcprop(1)    Used to list properties of a service.
svcadm(1M)    Used for service management.
svccfg(1M)    Used to display and manipulate data in the service configuration repository.
inetadm(1M)   Observe or configure inetd-controlled services
# svcs -l system/filesystem/minimal:default
fmri svc:/system/filesystem/minimal:default
enabled true
state online
next_state none
restarter svc:/system/svc/restarter:default
dependency require_all/none svc:/system/device/local (online)
dependency require_all/none svc:/system/filesystem/usr (online)
Module 5
Introduction to DTrace
Objectives
• Describe the features of Solaris™ Dynamic Tracing
(DTrace)
• Write simple D Scripts
• List and enable probes and predicates
• Create action statements
• Explain the use of the pid, syscall, proc, sched,
and io Providers
• Describe the DTrace Toolkit and one-liners
Introduction to DTrace
DTrace enables you to explore your system to understand
how it works, track down performance problems across many
layers of software, or locate the cause of abnormal behavior.
• DTrace dynamically modifies the operating system
kernel and user processes to record data at locations of
interest, called probes.
• DTrace includes a new scripting language called D
which is designed specifically for dynamic tracing.
• With the D language it is easy to write scripts that
dynamically turn on probes, collect the information,
and process it.
DTrace architecture (diagram): the DTrace consumers dtrace(1M), lockstat(1M), intrstat(1M) and plockstat(1M) run in userland and use libdtrace(3LIB) to talk to the DTrace framework in the kernel.
Introduction to D Scripts
The construct of a D script consists of a probe description, a
predicate, and actions as shown in this example:
probe description
/predicate/
{
actions
}
Description of a Probe
The probe is described using four fields:
• provider – Specifies the instrumentation method to
be used. For example, the syscall provider is used to
monitor system calls while the io provider is used to
monitor the disk I/O.
• module – Describes the module you want to observe.
• function – Describes the function you want to
observe.
• name – Typically represents the location in the
function. For example, use entry for name to
instrument when you enter the function.
Describe a Predicate
A predicate can be any D expression.
The action is executed only when the predicate evaluates to
true.
Predicate                 Explanation
cpu == 0                  true if the probe executes on cpu0
pid == 1029               true if the pid of the process that caused the probe to fire is 1029
ppid != 0 && arg0 == 0    true if the parent process id is not 0 and the first argument is 0
Action      Explanation
printf()    print something using a C-style printf() format
ustack()    print the user-level stack
trace()     print the given variable
For example:
@count_table[probefunc] = count() ;
#!/usr/sbin/dtrace -s
pid$1:::entry
{
ts[probefunc] = timestamp;
}
pid$1:::return
{
@func_time[probefunc] = sum(timestamp - ts[probefunc]);
ts[probefunc] = 0;
}
pid$target:libc::entry
{
@[probefunc]=count();
}
sched:::on-cpu
{
    self->on = vtimestamp;
}
sched:::off-cpu
/self->on/
{
    @time["<on cpu>"] = sum(vtimestamp - self->on);
    self->on = 0;
}
The io Provider
The io provider looks into the disk input and output (I/O) subsystem.
Sample D script to trace which files are being accessed on which device and to determine if the task being performed is a read or a write:
#!/usr/sbin/dtrace -qs
BEGIN
{
    printf("%10s %58s %2s\n", "DEVICE", "FILE", "RW");
}
io:::start
{
    printf("%10s %58s %2s\n", args[1]->dev_statname,
        args[2]->fi_pathname, args[0]->b_flags & B_READ ? "R" : "W");
}
The DTraceToolkit
Download the toolkit from:
http://www.opensolaris.org/os/community/dtrace/dtracetoolkit
ultra20:/> vmstat 2
kthr memory page disk faults cpu
r b w swap free re mf pi po fr de sr s0 s1 s2 -- in sy cs us sy id
0 0 0 4167836 2732672 11 121 0 0 0 0 3 4 -0 3 0 481 315 352 0 0 100
0 0 0 4167424 2727600 6 25 0 0 0 0 0 0 0 0 0 462 351 334 0 0 100
0 0 0 4167344 2727568 0 0 0 0 0 0 0 0 0 0 0 458 270 324 0 0 100
0 0 0 4167344 2727568 0 0 0 0 0 0 0 0 0 0 0 455 285 327 0 0 100
ultra20:/> iostat 5
tty sd0 sd1 sd2 nfs1 cpu
tin tout kps tps serv kps tps serv kps tps serv kps tps serv us sy wt id
0 1 32 4 2 0 0 0 32 3 2 0 0 0 0 0 0 100
0 47 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 100
0 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 100
ttymon 1
bash 1
mozilla-bin 36
tar 6661
Module 6
NFS Changes
Objectives
• Describe Network File System (NFS) enhancements
• Describe the enhancements to Network File System
version 4 (NFS version 4)
• Describe NFS hardware and software requirements,
dependencies, and limitations
NFS Version 4
Single Protocol:
• Stateful
• Protocol functionality built into NFS version 4
• MOUNT
• STATD
• NFSLOGD
• Others
Pseudo-File System
Pseudo-file system (diagram). Server exports: /data/car, /data/boat and /backup/system_1. Server file systems: /data/car, /data/boat, /data/buyers, /backup/system_1 and /expenses under /. The NFS version 4 client sees only the exported paths, joined under a single pseudo-root /.
Strong Security
• Remote Procedure Call (RPC) implementation of the
General Security Service framework (GSS)
• New security flavor RPCSEC_GSS
• Other GSS_API applications
Compound Procedures
NFS version 3 (one round trip per operation):
-> LOOKUP "export"
<- OK
-> LOOKUP "testdata"
<- OK
-> ACCESS "testdata"
<- OK
-> READ "testdata"
<- OK (sends data)
NFS version 4 (one compound request):
-> OPEN "export/testdata", READ
<- OPEN OK, READ OK (sends data)
Extended Attributes
• Mandatory – Minimal level of operation
• Recommended – Operating environment dependent
• Named – Byte string, data associated with files or file
system
File Handlers
• File handles are created on the server and contain
information that uniquely identifies files and
directories.
• NFS version 4 protocol permits a server to declare that
its file handles are volatile.
• Clients must support volatile file handles if the server
uses them.
• Upon file handle expiration, the client:
• Flushes the cached information that refers to that file
handle.
• Searches for that file's new file handle.
• Retries the operation.
Delegation
• The server delegates the management of a file to a
client.
• The server alone decides whether to grant a delegation.
• The new nfs4cbd(1M) daemon is used for callbacks.
• The server sends callback to get the updated state of the
file and to revoke the delegation.
• Different NFS client versions behave differently when
a conflict occurs.
• Delegation is enabled by default.
Module 7
Security Changes
Objectives
• Describe the Least Privilege Model
• Examine administration tasks for Solaris OS
Cryptographic Framework
• Examine Secure By Default
• Explain the lock after retries feature in Secure by
Default
• Examine new password encryption methods
• Explain password history, password constraints and password dictionary files
Architecture Overview
Solaris Cryptographic Framework architecture (diagram). User portion: applications and elfsign use libpkcs11.so through the pluggable interface, which loads pkcs11_kernel.so, pkcs11_softtoken.so and third-party hardware and software pluggable tokens; cryptoadm administers the framework, and a kernel module verification library and daemon (private components) check the modules. Kernel portion: IPsec and other kernel consumers call the kernel programmer interface; a scheduler/load balancer dispatches requests through the service provider interface to Sun hardware and software crypto providers and to third-party hardware and software crypto providers.
• Generating a digest:
ultra20:/> digest -a md5 /usr/bin/login
eed532cc83d97d726dbdb577ed85c415
• Generating a MAC:
ultra20:/> mac -a md5_hmac /etc/hosts
Enter key:key_typed_in
2f3b84524c7fa61848c439af487006bc
Secure by Default
This feature changes the default configuration of the Solaris
OS such that ssh is the only network-listening service.
Secure By Default Network Profile
• During installation you can set the default behavior for
network services to run in a much more secured
manner.
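The claim that sshd is the only network-listening service is something to verify on each installed system rather than assume. The script below is an added example, not part of the course material: it parses Solaris netstat -an output, lists every bound listener (TCP sockets in LISTEN, UDP sockets bound in state Idle) and flags those absent from an allowlist. The netstat capture embedded in it is constructed sample data in the Solaris netstat -an layout; on a real host feed it the live output, and under Secure by Default the only expected entry is tcp 22.

```shell
#!/bin/bash
# Added example, not part of the course: audit network listeners against the
# Secure by Default expectation that sshd is the only network-listening service.
# Input is 'netstat -an' output in Solaris format. The capture below is
# CONSTRUCTED sample data; on a real host use:  netstat -an > /var/tmp/netstat.out

NETSTAT=$(mktemp)
ALLOW=$(mktemp)

cat > "$NETSTAT" <<'EOF'
UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- ----------
      *.111                                Idle
      *.514                                Idle
      *.*                                  Unbound

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.111                *.*                0      0 49152      0 LISTEN
      *.*                  *.*                0      0 49152      0 IDLE
192.0.2.10.22        192.0.2.55.40321   49640      0 49640      0 ESTABLISHED

TCP: IPv6
   Local Address                     Remote Address                 Swind Send-Q Rwind Recv-Q   State      If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
      *.*                               *.*                             0      0 49152      0 IDLE
EOF

# Allowlist: one "proto port" per line. Under Secure by Default only sshd listens.
printf 'tcp 22\n' > "$ALLOW"

# Print "proto port" for every bound listener: TCP/SCTP sockets in LISTEN and
# UDP sockets that are bound (state Idle). Unbound and connected sockets are skipped.
listening_ports() {
    awk '
        /^UDP:/  { proto = "udp"; next }
        /^TCP:/  { proto = "tcp"; next }
        /^SCTP:/ { proto = "sctp"; next }
        # data rows start with a local address such as *.22 or 192.0.2.10.514
        $1 ~ /\.[0-9]+$/ {
            if ((proto == "tcp" && $NF == "LISTEN") || (proto == "sctp" && $NF == "LISTEN") ||
                (proto == "udp" && $NF == "Idle")) {
                n = split($1, f, ".")
                print proto, f[n]
            }
        }' "$1" | sort -u
}

# Listeners not covered by the allowlist; each needs a justification or a svcadm disable.
unexpected_listeners() {
    listening_ports "$2" | while read -r proto port; do
        grep -qxF "$proto $port" "$1" || echo "$proto $port"
    done
}

echo "Listeners:";  listening_ports "$NETSTAT"
echo "Unexpected:"; unexpected_listeners "$ALLOW" "$NETSTAT"
```

In the sample, rpcbind (111 on TCP and UDP) and syslog (UDP 514) are reported as unexpected, which is the kind of deviation the limited network profile exists to remove; the allowlist makes deliberate exceptions explicit and reviewable.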
Password hashing policy (/etc/security/policy.conf excerpt):
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=__unix__
Algorithm selection (flowchart): is the algorithm identifier in CRYPT_ALGORITHMS_DEPRECATE? (yes/no); is it in CRYPT_ALGORITHMS_ALLOW? (yes/no).
Dictionary Files
The password must not be based on a dictionary word.
The list of words to be used for the site’s dictionary can be specified with DICTIONLIST, a comma-separated list of file names; each file contains one word per line.
The database that is created from these files is stored in the directory named by DICTIONDBDIR (defaults to /var/passwd).
• If neither DICTIONLIST nor DICTIONDBDIR is specified, no dictionary check is made.
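The last bullet is the failure mode worth checking for: a system with both keywords unset silently performs no dictionary check. The script below is an added example, not part of the course material: it reads DICTIONLIST and DICTIONDBDIR from an /etc/default/passwd-style file, reports when neither is set, and tests a candidate word against the configured word lists with a simplified case-insensitive exact match (a stand-in for the database lookup the PAM password check performs). The configuration and word-list files are constructed in a temporary directory so the script runs anywhere; on a real host, point the functions at /etc/default/passwd and, after changing DICTIONLIST, rebuild the database in DICTIONDBDIR with mkpwdict(1M).

```shell
#!/bin/bash
# Added example, not part of the course: audit the dictionary-check settings of
# /etc/default/passwd and try candidate words against the configured lists.
# Every file used here is CONSTRUCTED in a temporary directory so the script runs
# anywhere; point the functions at the real /etc/default/passwd on a Solaris host.

WORK=$(mktemp -d)
printf 'password\nsolaris\nsunshine\n' > "$WORK/site.words"

# Constructed /etc/default/passwd with the dictionary check configured
cat > "$WORK/passwd.enabled" <<EOF
# other keywords (PASSLENGTH, HISTORY, ...) omitted
DICTIONLIST=$WORK/site.words
DICTIONDBDIR=$WORK/passwd.db
EOF

# Constructed /etc/default/passwd with both keywords commented out: no check is made
cat > "$WORK/passwd.disabled" <<'EOF'
#DICTIONLIST=
#DICTIONDBDIR=/var/passwd
EOF

# Print the value of KEY ($2) from an /etc/default/passwd-style file ($1); comments are ignored.
passwd_setting() {
    awk -F= -v key="$2" '/^[[:space:]]*#/ { next } $1 == key { print $2; exit }' "$1"
}

# 0 when DICTIONLIST or DICTIONDBDIR is set, 1 when neither is (no dictionary check at all).
dictionary_check_enabled() {
    [ -n "$(passwd_setting "$1" DICTIONLIST)" ] || [ -n "$(passwd_setting "$1" DICTIONDBDIR)" ]
}

# 0 when WORD ($2) matches a word, case-insensitively, in any file named by DICTIONLIST.
# Simplified stand-in for the database lookup pam_authtok_check performs at password change.
in_dictionary() {
    list=$(passwd_setting "$1" DICTIONLIST)
    [ -n "$list" ] || return 1
    found=1
    old_ifs=$IFS
    IFS=,
    for f in $list; do
        if grep -qixF -- "$2" "$f"; then
            found=0
            break
        fi
    done
    IFS=$old_ifs
    return $found
}

for cfg in passwd.enabled passwd.disabled; do
    if dictionary_check_enabled "$WORK/$cfg"; then
        echo "$cfg: dictionary check configured"
    else
        echo "$cfg: NO dictionary check (neither DICTIONLIST nor DICTIONDBDIR set)"
    fi
done
for word in Password 'Zx9!qw#'; do
    if in_dictionary "$WORK/passwd.enabled" "$word"; then
        echo "$word: rejected, dictionary word"
    else
        echo "$word: not in dictionary"
    fi
done
```

The match is deliberately case-insensitive, since "Password" is no stronger than "password"; the real check in Solaris works from the compiled database rather than the text files, which is why mkpwdict must be run after the word lists change.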
Module 8
Objectives
• Describe the Solaris SPARC Boot Architecture Redesign
• Describe upgrading the Solaris OS with installed non-global zones
• Configure multiple network interfaces during
installation
• Describe how disk partition tables can be modified
using an existing Volume Table of Contents (VTOC)
• Describe the Reduced Networking Software Group
• Explore changes to the Solaris JumpStart™ software
and configure, enable, and troubleshoot JumpStart
• Identify the changes to Flash archives
Objectives (cont.)
• Identify changes to the Solaris Live Upgrade boot
environment and configure, enable, and troubleshoot
the Live Upgrade boot capability
For example (sysidcfg keywords):
nfs4_domain=example.com
service_profile=open
UDP: IPv4
Local Address Remote Address State
-------------------- -------------------- -------
*.111 Idle
*.* Unbound
*.32772 Idle
*.514 Idle
*.* Unbound
TCP: IPv4
Local Address Remote Address Swind Send-Q Rwind Recv-Q State
-------------------- -------------------- ----- ------ ----- ------ -------
*.* *.* 0 0 49152 0 IDLE
*.111 *.* 0 0 49152 0 LISTEN
*.* *.* 0 0 49152 0 IDLE
TCP: IPv6
Local Address Remote Address Swind Send-Q Rwind Recv-Q State If
--------------------- ---------------------- ----- ------ ----- ------ -----------
*.* *.* 0 0 49152 0 IDLE
SCTP:
Local Address Remote Address Swind Send-Q Rwind Recv-Q StrsI/O State
-------------------- ------------------- ------ ------ ------ ------ ------- --------
0.0.0.0 0.0.0.0 0 0 102400 0 32/32 CLOSED
# init 6