
Sun Learning Services

Solaris™ 10 Features for Experienced Solaris System Administrators

SA-225-S10

Copyright © 2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.

Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these
intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the
U.S. and in other countries.

U.S. Government Rights - Commercial Software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its
supplements.

This distribution may include materials developed by third parties.

Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and in other countries, exclusively
licensed through X/Open Company, Ltd.

Sun, Sun Microsystems, the Sun logo, are trademarks or registered trademarks of Sun Microsystems, Inc., or its subsidiaries, in the U.S. and other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC
trademarks are based upon an architecture developed by Sun Microsystems, Inc.

The OPEN LOOK and Sun(TM) Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in
researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User
Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements.

This product is covered and controlled by U.S. Export Control laws and may be subject to the export or import laws in other countries. Nuclear, missile, chemical biological weapons or
nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified on U.S. export
exclusion lists, including, but not limited to, the denied persons and specially designated nationals lists is strictly prohibited.

DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. Sun Learning Services, Revision E


Course Contents

About This Course

Course Goals
Course Map
Topics Not Covered
How Prepared Are You?
Introductions

Solaris™ Zones Configuration

Objectives
Solaris Zones
Typical System with Zones Installed
Zone Features
Solaris Zones and Solaris Containers
Zone Concepts
Shared File System Example
Sparse Root Model File System Structure
Whole Root Model File System Structure
Zone States
Configuring Zones
Using zonecfg to Configure Zones
Zone Configuration Walk-Through
Adding ZFS File Systems to a Non-Global Zone
Delegating Datasets to a Non-Global Zone
Viewing the Zone Configuration
Verifying a Configured Zone
Exporting the Zone Configuration
Installing a Configured Zone

Solaris™ Zones Administration

Objectives
Using the zoneadm Command
Verifying a Configured Zone
Installing a Configured Zone
Booting a Zone
Logging In to the Zone’s Virtual Console – First Time
Halting a Zone
Rebooting a Zone
Using the init Command
Renaming a Zone
Moving a Zone
Cloning a Zone
Migrating a Zone
Update an Attached Zone
Removing a Zone
Installing Packages in Zones
Adding Patches in Zones
Using patchadd in the Global Zone
Using patchadd in a Non-Global Zone
Removing Packages from Zones
Creating Backups on Systems With Zones Installed
Using fssnap and ufsdump to Back Up a Non-Global Zone
Configuring Resource Pools
Enabling and Disabling the Resource Pools Service
Configuring Pools
Introducing Resource Management With Zones
Managing Scheduling Classes and the Fair Share Scheduler
Describing CPU Shares
Combining FSS With Other Scheduling Classes
Making FSS the Default Scheduling Class
Manually Move Processes From All User Classes Into the FSS Class
Setting the Scheduling Class For a Zone
Monitoring FSS
Configuring CPU Shares for Zones
Using the cpu-shares Zone Property
Using prctl to Configure CPU Shares
Monitoring the Effect of CPU Shares Using prstat
Configuring Temporary Resource Pools
Displaying Temporary Resource Pool Configurations
Using the capped-cpu Resource
Configuring Memory Capping for Zones
How Resource Capping Works
Resource Capping Guidelines
Enabling and Disabling the rcap Service
Using zonecfg to Configure Memory Caps
Using rcapadm to Configure Memory Caps
Monitoring the Effect of Memory Caps Using rcapstat
Setting the Memory Cap Enforcement Threshold

Introduction to the Solaris™ ZFS File System

Objectives
What Is Solaris ZFS?
What Is ZFS?
ZFS Terminology
ZFS Component Naming Requirements
ZFS Hardware and Software Requirements and Recommendations
Creating Basic ZFS File Systems
Components of a ZFS Storage Pool
Replication Features of a ZFS Storage Pool
Creating and Destroying ZFS Storage Pools
Querying ZFS Storage Pool Status
Creating and Destroying ZFS File Systems
ZFS Properties
Querying ZFS File System
Managing ZFS Properties
Mounting ZFS File Systems
ZFS Web-Based Management
ZFS Snapshots
ZFS Clones
Using ZFS on a Solaris System With Zones Installed

Predictive Self-Healing

Objectives
What is Predictive Self-Healing?
Fault Management Architecture
Fault Management Activities
Error Handler
Event Naming Scheme
FMRI (URL and URI)
Fault Manager Daemon (fmd)
Looking at FMA Data
Using the fmadm Utility
Using the fmstat Utility
Using the fmdump Utility
Information Recorded by syslog
SNMP-Based Monitoring
Interacting with Service Management Facility
Service Management Facility
SMF Components
SMF Initialization
Services
Service and Instance Nodes
Service/Instance FMRI Syntax
Service Components
Service Profiles
Manifests
A Manifest File Example
Writing a Service Manifest
SMF Commands
Using the svcs Command
Using the svcprop Command
Using the svcadm Command
Using the svccfg Command
Using the inetadm Command
A Service That Fails to Start

Introduction to DTrace

Objectives
Introduction to DTrace
Introduction to D Scripts
Simple D Script Example
Description of a Probe
Describe a Predicate
Describe Action Commands
DTrace for Developers
The pid Provider
Other Useful Scripts
DTrace for System Administrators
The proc Provider
The sched Provider
The io Provider
The DTraceToolkit
Troubleshooting Performance Problems

NFS Changes

Objectives
NFS Version 4 Features
NFS Version 4
Pseudo-File System
Strong Security
Compound Procedures
Extended Attributes
File Handlers
Identities and Mapping
Delegation
New Solaris ACL Modes
Configuring an NFS Server and Client
Enabling and Disabling NFS
NFS Over RDMA

Security Changes

Objectives
The Least Privilege Model
Process Privilege Sets
Files Containing Privilege Information
The ppriv Utility Actions
ppriv Command Examples
Privileges and Role Based Access Control (RBAC)
Solaris OS Cryptographic Framework (SCF)
Terms and Definitions
Architecture Overview
SCF Architectural Components
The pkcs11_softtoken.so Library
Solaris OS Kernel Framework
The cryptoadm Utility
The digest Utility
The mac Utility
The encrypt Utility
Secure by Default
Using Stronger Algorithms
SHA256/SHA512 crypt(3C) Plug-in
Specify an Algorithm for Password Encryption
Specify a New Password Algorithm for an NIS+ Domain
Specify a New Password Algorithm for an LDAP Domain
Install a Password Encryption Module From a Third Party
Implementing Password Strength, Syntax Checking, History, and Aging Improvements
Using Password History Checking
Configuring Password Complexity Constraints
Dictionary Files
Configuring Account Locking

Solaris™ 10 Operating System Installation Changes

Objectives
Solaris SPARC Boot Architecture Redesign
Solaris Installation Media Changes
Configuring Multiple Network Interfaces During Installation
Supporting LDAP Version 2 Profiles
NFS version 4 Default Domain Name
The sysidcfg File Keywords
Enhanced Security Using Limited Networking
Modifying Disk Partition Tables Using a VTOC
The Reduced Networking Software Group
Changes to Solaris JumpStart™
New JumpStart Profile Keywords
RAID 1 (Mirrors) Support
Limiting Profile Keywords When Upgrading With Non-Global Zones
Changes to Flash Archives
New Flash Archive Features
Changed Packages and Files
Changes to Solaris Live Upgrade
New Features of Live Upgrade
New Keywords for the lucreate Command
Changed Packages and Files
Configuring a ZFS Root File System with Zones Root on ZFS
Upgrading the Solaris OS When Non-Global Zones Are Installed
Live Upgrade with ZFS root File System
Using Signed Packages and Patches
Changed Packages and Files
Support for x86-Based Systems
Support for x86-Based Systems

Preface

About This Course


Course Goals
• Identify changes to system management features
• Identify the new features of Solaris™ Zones
• Identify the new features of the Solaris™ ZFS file
system
• Identify the new features of Sun’s Predictive Self-
Healing architecture
• Identify new features of Sun’s DTrace facility
• Identify changes to NFS version 4
• Identify the changes to security
• Identify changes to installation features


Course Map

[Figure: course map covering Solaris Zones, the ZFS file system, Predictive Self-Healing, DTrace, system management changes, changes to NFS version 4, security changes, and installation changes in Solaris 10.]

Topics Not Covered


• Concepts involving desktop changes
• Concepts relating to Sun™ Enterprise Volume
Manager software


How Prepared Are You?


• Can you administer the Solaris 10 Operating System?
• Do you understand how network protocols such as
NFS and SSH work?
• Can you configure remote installation methods such as
JumpStart?
• Do you understand security protection methods
commonly employed in computer environments?


Introductions
• Name
• Company affiliation
• Title, function, and job responsibility
• Experience related to topics presented in this course
• Reasons for enrolling in this course
• Expectations for this course


Module 1

Solaris™ Zones Configuration


Objectives
• Identify the features of Solaris™ Zones
• Understand how and why zone partitioning is used
• Configure zones
• Verify zone configuration
• Export zone configuration
• Install zones


Solaris Zones
• Separate Solaris OS virtual environments on one
physical system
• Server consolidation solutions:
• Hardware Partitioning
• Emulation or Full Virtualization
• Solaris Zones technology is in the Operating System
Partitions category


Typical System with Zones Installed

[Figure: a global zone (serviceprovider.com) hosting three non-global zones: Apps Zone (apps.com, zone root /aux0/apps), Users Zone (users.net, zone root /aux0/users), and Work Zone (work.org, zone root /aux0/work). Each non-global zone runs its own application, network, and core services on a virtual platform made up of zoneadmd, zcons, a logical network interface (hme0:1, hme0:2, hme0:3), /usr, and /opt/yt. The global zone holds zone management (zonecfg(1M), zoneadm(1M), zlogin(1)), its own core services, remote administration and monitoring (SNMP, SunMC, WBEM), platform administration (syseventd, devfsadmd), the network devices hme0 and ce0, and the storage complex.]

Zone Features
• Security
• Isolation
• Virtualization
• Granularity
• Transparency


Solaris Zones and Solaris Containers

Solaris Containers provide isolation between software
applications or services using flexible, software-defined
boundaries.
Solaris Containers create an execution environment within a
single instance of the Solaris OS and provide:
• Full resource containment and control for more
predictable service levels
• Software fault isolation to minimize fault propagation
and unplanned downtime
• Security isolation to prevent unauthorized access as
well as unintentional intrusions

Solaris Containers can be built using one or more of the
following technologies. These technologies can be combined
to create Containers tailored for a specific server
consolidation project.
• Solaris Resource Manager, for workload resource
management
• Resource Pools, for partitioning
• Zones, for isolation, security and virtualization

• It is important to note that a Solaris Container is not
equivalent to a Solaris Zone.
• Zones technology can be used to create a Container
with certain characteristics.
• While a Zone is a Container, a Container is not
necessarily a Zone.

Zone Concepts
• Zone types
• Global Zone
• Non-Global Zones
• Zone daemons
• Zone file systems
• Sparse Root Model
• Whole Root Model


Shared File System Example

[Figure: directory tree of a global zone root (/) containing sbin, usr, export, etc, and var, with the root file systems of zonea, zoneb, and zonec under a zones directory.]

Sparse Root Model File System Structure

[Figure: global zone and sparse zone compared. /sbin, /usr, /lib, and /platform are shared into the sparse zone as read-only LOFS mounts; /, /var, and /opt exist separately in each; /export is shown for the global zone. Sizes shown: sparse zone (~100 MB), global zone (~4 GB).]

Whole Root Model File System Structure

[Figure: global zone and whole zone compared. /sbin, /usr, /lib, /platform, /, /var, and /opt exist separately in each; /export is shown for the global zone. Sizes shown: whole zone (~3 GB), global zone (~4 GB).]

Zone Concepts (cont.)


• Zone Networking
• Shared-IP Non-Global Zones
• Exclusive-IP Non-Global Zones


Zone Concepts (cont.)


• Zone states
• Undefined
• Configured
• Incomplete
• Installed
• Ready
• Running
• Mounting
• Shutting Down, and Down


Zone States

[Figure: zone state diagram. Create moves a zone from Undefined to Configured and Delete moves it back; Install moves it from Configured to Installed and Uninstall moves it back. The Installed, Ready, Running, and Shutting Down states are connected by the Ready, Halt, and Reboot transitions.]

Configuring Zones
Identifying Zone Components
• A zone name
• A path to the zone’s root
• The zone network interfaces
• The file systems mounted in zones
• The configured devices in zones


Using zonecfg to Configure Zones


• Identifying the zonecfg Command Scope
• Using zonecfg Sub-commands
• Using zonecfg Resource Parameters


Zone Configuration Walk-Through

chaos:/> zonecfg -z work-zone
zonecfg:work-zone> create
zonecfg:work-zone> set zonepath=/export/work-zone
zonecfg:work-zone> set autoboot=true
zonecfg:work-zone> set limitpriv="default,dtrace_user,!sys_acct"
zonecfg:work-zone> set bootargs="-m verbose"
zonecfg:work-zone> set cpu-shares=30
zonecfg:work-zone> set scheduling-class=FSS
zonecfg:work-zone> add inherit-pkg-dir
zonecfg:work-zone:inherit-pkg-dir> set dir=/opt/local/sfw
zonecfg:work-zone:inherit-pkg-dir> end
zonecfg:work-zone> add net
zonecfg:work-zone:net> set physical=ce0
zonecfg:work-zone:net> set address=192.168.0.1/24
zonecfg:work-zone:net> set defrouter=192.168.0.254
zonecfg:work-zone:net> end
zonecfg:work-zone> add device
zonecfg:work-zone:device> set match=/dev/zvol/dsk/mpool/vol/vol1
zonecfg:work-zone:device> end
zonecfg:work-zone> add device
zonecfg:work-zone:device> set match=/dev/zvol/rdsk/mpool/vol/vol1
zonecfg:work-zone:device> end
zonecfg:work-zone> add dataset
zonecfg:work-zone:dataset> set name=mpool/zones/export/datastor
zonecfg:work-zone:dataset> end
zonecfg:work-zone> add fs
zonecfg:work-zone:fs> set dir=/app/data
zonecfg:work-zone:fs> set special=/dev/dsk/c0t0d0s7
zonecfg:work-zone:fs> set raw=/dev/rdsk/c0t0d0s7
zonecfg:work-zone:fs> set type=ufs
zonecfg:work-zone:fs> add options [nosetuid]
zonecfg:work-zone:fs> end
zonecfg:work-zone> add capped-memory
zonecfg:work-zone:capped-memory> set physical=2g
zonecfg:work-zone:capped-memory> set swap=512m
zonecfg:work-zone:capped-memory> end
zonecfg:work-zone> add attr
zonecfg:work-zone:attr> set name=comment
zonecfg:work-zone:attr> set type=string
zonecfg:work-zone:attr> set value="The Work Zone"
zonecfg:work-zone:attr> end
zonecfg:work-zone> verify
zonecfg:work-zone> commit
zonecfg:work-zone> exit

Adding ZFS File Systems to a Non-Global Zone

# zonecfg -z work-zone
work-zone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:work-zone> create
zonecfg:work-zone> add fs
zonecfg:work-zone:fs> set type=zfs
zonecfg:work-zone:fs> set special=tank/zone/work-zone
zonecfg:work-zone:fs> set dir=/export/shared
zonecfg:work-zone:fs> end

Delegating Datasets to a Non-Global Zone

# zonecfg -z work-zone
work-zone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:work-zone> create
zonecfg:work-zone> add dataset
zonecfg:work-zone:dataset> set name=tank/zone/work-zone
zonecfg:work-zone:dataset> end

Viewing the Zone Configuration

You can use the zonecfg command to view the zone
configuration.
# zonecfg -z work-zone info
zonepath: /export/work-zone
autoboot: true
pool: pool_default
inherit-pkg-dir:
    dir: /lib
inherit-pkg-dir:
    dir: /platform
inherit-pkg-dir:
    dir: /sbin
inherit-pkg-dir:
    dir: /usr
inherit-pkg-dir:
    dir: /opt/sfw
fs:
    dir: /mnt
    special: /dev/dsk/c0t0d0s7
    raw: /dev/rdsk/c0t0d0s7
    type: ufs
    options: [logging]
net:
    address: 192.168.0.1
    physical: ce0
device:
    match: /dev/sound/*
rctl:
    name: zone.cpu-shares
    value: (priv=privileged,limit=20,action=none)
attr:
    name: comment
    type: string
    value: "The work zone."
#
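
The info output is also the place to review settings that widen what a non-global zone can do. The following is an added example, not part of the course material: it parses zonecfg info output and reports privileges added through limitpriv, file systems mounted without nosetuid, and disk or ZFS volume device nodes matched into the zone. The function names, the three rules, and the sample configuration (constructed from values used on these slides) are assumptions of the example; it needs a POSIX shell and awk (on Solaris 10, the /usr/xpg4/bin versions).

```shell
#!/bin/sh
# Added example, not part of the course material.
# Reviews `zonecfg -z ZONE info` output for three settings that widen what a
# non-global zone can do. The rules are an illustrative policy (an assumption
# of this example), not a Sun recommendation.

# audit_zone_info: reads info output on stdin, prints one finding per line.
audit_zone_info() {
    awk '
    BEGIN {
        n = split("fs net device rctl attr dataset inherit-pkg-dir capped-memory", r, " ")
        for (i = 1; i <= n; i++) isres[r[i]] = 1
    }
    # Report the fs resource just completed if it lacks a no-setuid option.
    function flush_fs() {
        if (res == "fs" && fsdir != "" && fsopts !~ /nosetuid|nosuid/)
            printf "fs %s: mounted without nosetuid (options: %s)\n", fsdir, (fsopts == "" ? "none" : fsopts)
        fsdir = ""; fsopts = ""
    }
    {
        line = $0
        gsub(/^[ \t]+|[ \t]+$/, "", line)      # indentation varies; ignore it
        if (line == "") next
        p = index(line, ":")
        key = (p ? substr(line, 1, p - 1) : line)
        val = (p ? substr(line, p + 1) : "")
        sub(/^[ \t]+/, "", val)

        # A bare resource name opens a new resource block.
        if (val == "" && (key in isres)) { flush_fs(); res = key; next }

        # Rule 1: privileges added on top of the default set.
        if (key == "limitpriv") {
            m = split(val, pr, ",")
            for (i = 1; i <= m; i++)
                if (pr[i] != "" && pr[i] != "default" && pr[i] !~ /^!/)
                    printf "limitpriv: adds %s to the default privilege set\n", pr[i]
            next
        }
        # Rule 2 bookkeeping: remember each fs mount point and its options.
        if (res == "fs" && key == "dir")     fsdir = val
        if (res == "fs" && key == "options") fsopts = val
        # Rule 3: disk or ZFS volume device nodes exposed inside the zone.
        if (res == "device" && key == "match" && val ~ /^\/dev\/(r?dsk|zvol)\//)
            printf "device %s: storage device node visible in the zone\n", val
    }
    END { flush_fs() }
    '
}

# Constructed sample: values taken from the slides, plus one made-up slice
# (c0t0d0s6) so that a compliant fs entry sits next to a non-compliant one.
sample_zone_info() {
    cat <<'EOF'
zonepath: /export/work-zone
autoboot: true
limitpriv: default,dtrace_user,!sys_acct
inherit-pkg-dir:
    dir: /usr
fs:
    dir: /mnt
    special: /dev/dsk/c0t0d0s7
    raw: /dev/rdsk/c0t0d0s7
    type: ufs
    options: [logging]
fs:
    dir: /app/data
    special: /dev/dsk/c0t0d0s6
    raw: /dev/rdsk/c0t0d0s6
    type: ufs
    options: [nosetuid]
net:
    address: 192.168.0.1
    physical: ce0
device:
    match: /dev/zvol/rdsk/mpool/vol/vol1
device:
    match: /dev/sound/*
EOF
}

# On a live system: zonecfg -z work-zone info | audit_zone_info
sample_zone_info | audit_zone_info
```

Entries prefixed with ! in limitpriv remove privileges, so the example does not report them.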


Verifying a Configured Zone


• Verify a zone before you install it
• The zoneadm -z zone_name verify command
• Zone configuration verification example:
global# zoneadm -z work-zone verify
Warning: /export/work-zone does not exist, so it cannot be
verified. When zoneadm install is run, install will try to create
/export/work-zone, and verify will be tried again, but the verify
may fail if: the parent directory of /export/work-zone is group-
or other-writable or /export/work-zone overlaps with any other
installed zones.
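
The two conditions named in this warning can be checked before zoneadm install runs. The following is an added example, not part of the course material: it inspects the mode of the zonepath's parent directory and compares the new zonepath, component by component, with the PATH column of zoneadm list output. The function names and the sample zone table are constructed for the example, and the overlap rule (equal paths, or one path inside the other) is this example's reading of the warning; it needs a POSIX shell (on Solaris 10, /usr/xpg4/bin/sh).

```shell
#!/bin/sh
# Added example, not part of the course material.
# Pre-checks the two conditions named in the zoneadm verify warning for a
# zonepath that does not exist yet. Function names are this example's own.

# parent_is_loose PATH
# Returns 0 when PATH's parent directory is group- or other-writable,
# 1 when it is not, 2 when the parent cannot be examined.
parent_is_loose() {
    parent=$(dirname "$1")
    mode=$(ls -ldL "$parent" 2>/dev/null | awk '{ print $1 }')
    [ -n "$mode" ] || return 2
    gw=$(printf '%s' "$mode" | cut -c6)    # group write position of drwxrwxrwx
    ow=$(printf '%s' "$mode" | cut -c9)    # other write position
    [ "$gw" = "w" ] || [ "$ow" = "w" ]
}

# paths_overlap A B
# Returns 0 when the paths are equal or one lies inside the other. A trailing
# slash is added first, so /export/work does not overlap /export/work-zone.
paths_overlap() {
    a=${1%/}/
    b=${2%/}/
    case "$a" in "$b"*) return 0 ;; esac
    case "$b" in "$a"*) return 0 ;; esac
    return 1
}

# check_zonepath NEWPATH   (zoneadm list -v style table on stdin)
# Prints one finding per line and nothing when both checks pass.
check_zonepath() {
    new=$1
    if parent_is_loose "$new"; then
        echo "parent of $new is group- or other-writable"
    fi
    # Columns: ID NAME STATUS PATH BRAND IP. The global zone (/) is skipped
    # because every path lies under it.
    awk 'NR > 1 && $2 != "global" { print $2, $4 }' |
    while read -r name path; do
        if paths_overlap "$new" "$path"; then
            echo "$new overlaps zone $name ($path)"
        fi
    done
}

# Constructed sample in the column layout of zoneadm list -v.
zone_table() {
    cat <<'EOF'
  ID NAME       STATUS      PATH               BRAND   IP
   0 global     running     /                  native  shared
   - work-zone  installed   /export/work-zone  native  shared
   - web-zone   configured  /export/zones/web  native  shared
EOF
}

# On a live system: zoneadm list -cv | check_zonepath /export/new-zone
zone_table | check_zonepath "${1:-/export/zones}"
```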


Exporting the Zone Configuration


• Export the zone’s configuration to a command file
• It is required for future cloning of a zone
• You use the zonecfg -z zonename export -f filename
command


Installing a Configured Zone


• The zone must first be configured
• Use the zoneadm -z zone_name install command
to install
• Zone installation takes time to complete
• Use the zoneadm list -iv command to verify
installation


Module 2

Solaris™ Zones Administration


Objectives
• Verify zone configuration
• Install zones
• Boot zones
• Rename, Move and Clone a zone
• Back up and restore non-global zones
• Migrate zones from one machine to another
• Describe system upgrades with non-global zones
installed
• Administer packages in zones
• Remove zones
• Configure resource pools


Using the zoneadm Command


• Verify a configured zone
• Install a zone
• Boot a zone
• Reboot a zone
• Display information about a running zone
• Move a zone
• Clone a zone
• Uninstall a zone


Verifying a Configured Zone


• Verify a zone before you install it.
• The zoneadm -z zone_name verify command.
• Zone configuration verification example:
global# zoneadm -z work-zone verify
Warning: /export/work-zone does not exist, so it cannot be
verified. When zoneadm install is run, install will try to create
/export/work-zone, and verify will be tried again, but the verify
may fail if: the parent directory of /export/work-zone is group-
or other-writable or /export/work-zone overlaps with any other
installed zones.


Installing a Configured Zone


• The zone must first be configured.
• Use the zoneadm -z zone_name install command
to install.
• Zone installation takes time to complete.
• Use the zoneadm list -iv command to verify
installation.


Booting a Zone
• Booting a zone places the zone in the running state.
• The default autoboot state is false
• Use the zoneadm -z zone_name boot command to
boot a zone.
• Use the zoneadm list -v command to verify boot
status.


Logging In to the Zone’s Virtual Console – First Time
• Connect to the zone’s virtual console and complete the
zone’s system identification.
• Use the zlogin -C zone_name command to open a
virtual console.
• Identification process starts automatically.
• Use ~. to break console connection.


Halting a Zone
Use the zoneadm -z zone_name halt command to remove
both the application environment and the virtual platform for
a zone.
• The zone is placed in the installed state.
• Processes are killed.
• Devices are unconfigured.
• Network interfaces are unplumbed.
• File systems are unmounted.
• Kernel data structures are destroyed.


Rebooting a Zone
• Use the zoneadm -z zone_name reboot command
to reboot a zone.
• The zone is halted and then booted again.


Using the init Command


• Used to cleanly transition a zone between run-levels.
• Run the init command as an argument to the
zlogin command.
global# zlogin work-zone init 0
global# zoneadm list -v
  ID NAME       STATUS     PATH               BRAND   IP
   0 global     running    /                  native  shared
   - work-zone  installed  /export/work-zone  native  shared


Renaming a Zone
Zone renaming is performed using the zonecfg command.
You use the set zonename subcommand to change
the zonename attribute to a new value not currently
assigned to a non-global zone.
$ zonecfg -z work-zone
zonecfg:work-zone> set zonename=new-zone
zonecfg:new-zone> commit
zonecfg:new-zone> exit


Moving a Zone
• Relocates a non-global zone from one point on a system
to another point on the same system.
• Works within and across file systems.
• Does not work on an NFS mounted file system.
• When crossing file system boundaries, the data is
copied and the original directory is removed.
• Use the zoneadm -z zone_name move /newpath
command.
• Zone must be halted before moving.


Cloning a Zone
• Allows you to rapidly provision new non-global zones.
• System checks for ZFS snapshot and file systems.
• If non-ZFS, cpio is used.
• Cloning procedure:
# zoneadm -z work-zone halt
# zonecfg -z work-zone export -f /export/zones/master
# zonecfg -z new-zone -f /export/zones/master
# zoneadm -z new-zone clone work-zone


Migrating a Zone
• Migrate a non-global zone from one system to another.
• The global zone on the target system must be running:
• The same release as the original host.
• The same versions of operating system packages
and patches as the original host.
• Zone migration procedure:
On source host:
host1# zoneadm -z work-zone halt
host1# zoneadm -z work-zone detach
host1# cd /export/zones
host1# tar cf work-zone.tar work-zone
host1# sftp host2
Connecting to host2...
Password:
sftp> cd /export/zones
sftp> put work-zone.tar
Uploading work-zone.tar to /export/zones/work-zone.tar
sftp> quit

On destination host:
host2# cd /export/zones
host2# tar xf work-zone.tar
host2# zonecfg -z work-zone
work-zone: No such zone configured
zonecfg:work-zone> create -a /export/zones/work-zone
zonecfg:work-zone> commit
zonecfg:work-zone> exit
host2# zoneadm -z work-zone attach

Update an Attached Zone


The attach subcommand takes a zone that has been
detached from one system and attaches the zone onto a new
system.
By default, zoneadm checks package and patch levels on the
machine to which the zone is to be attached.
With -u, as in the default behavior, zoneadm does
not perform an attach if outdated packages/patches
are found on the target system.
To update an attached zone:
host2# zoneadm -z work-zone attach -u


Removing a Zone
• Be sure to back up any files that you want to keep.
• Zone removal procedure:
# zoneadm -z work-zone halt
# zoneadm -z work-zone uninstall
# zonecfg -z work-zone delete


Installing Packages in Zones


• Package operations possible in the global zone.
• Package operations possible in a non-global zone.
• Zone package parameters:
• SUNW_PKG_ALLZONES
• SUNW_PKG_HOLLOW
• SUNW_PKG_THISZONE


Adding Patches in Zones


• The patchadd utility is used to add patches on a
Solaris system with zones installed.
• Patch information is used to determine whether the
patch is applicable to the currently running system.
• Each package contained in the patch is checked.
• If all dependencies are satisfied, the packages inside the
patch are used to patch the system.
• The package and patch databases are also updated.


Using patchadd in the Global Zone


• The patchadd utility can be used from the global zone,
to apply patches to previously installed packages.
• The package parameter settings still influence the behavior
of the patchadd operation.
• Verify the state of the patch.
global# patchadd -p | grep 120544
Patch: 120544-09 Obsoletes: Requires: 119043-09, 121902-01
Incompatibles: Packages: SUNWapch2r, SUNWapch2u, SUNWapch2d
global# zlogin work-zone patchadd -p | grep 120544
Patch: 120544-09 Obsoletes: Requires: 119043-09, 121902-01
Incompatibles: Packages: SUNWapch2r, SUNWapch2u, SUNWapch2d

• Apply the patch to all zones, from the global zone.


global# patchadd 120544-11
Validating patches...


Using patchadd in the Global Zone (cont.)
• Using the -G Option With patchadd
• Logged into global zone, -G specified
• Logged into global zone, -G not specified
• Logged into non-global zone, -G specified or not
specified


Using patchadd in a Non-Global Zone


• When used in a non-global zone by the zone
administrator, patchadd can only be used to add
patches to that zone.
• A patch can be added to a non-global zone in the
following cases:
• The patch does not affect any area of a sparse root
zone that is shared from the global zone.
• All packages in the patch have
SUNW_PKG_ALLZONES=false set.
• The following steps are performed by the patchadd
utility:
• The patch is added to the non-global zone only.


Removing Packages from Zones


• The pkgrm utility is used to remove packages on a
Solaris system with zones installed.
• Removing packages while logged into the global zone:
• Use pkgparam to identify zone parameters.
global# pkgparam -v SUNWaclg

• Use pkginfo to identify where packages are installed.
global# pkginfo SUNWaclg
system SUNWaclg Apache Common Logging
global# zlogin work-zone pkginfo SUNWaclg
system SUNWaclg Apache Common Logging
global# zlogin test-zone pkginfo SUNWaclg
system SUNWaclg Apache Common Logging


Removing Packages from Zones (cont.)


• Use pkgrm to remove packages from all zones.
global# pkgrm SUNWaclg


Creating Backups on Systems With Zones Installed
• Relating Non-Global Zone Configurations to Backup
and Recovery Requirements
• Example 1: Backing Up One Root File System
• Example 2: Backing Up Separate Root File Systems
and Data File Systems
• Making Zone Backups from the Global Zone
• Using ufsdump to Back Up a Non-Global Zone
• Using fssnap and ufsdump to Back Up a Non-
Global Zone


Creating Backups on Systems With Zones Installed (cont.)
• Making Backups from Within a Non-Global Zone
• Backing Up Loopback File System Directories
• Saving and Restoring Non-Global Zone Configuration
Information
• Creating a Copy of a Non-Global Zone
Configuration
• Restoring an Individual Non-Global Zone
Configuration
• Recovering Individual Non-Global Zones


Using fssnap and ufsdump to Back Up a Non-Global Zone
The following example illustrates the use of fssnap and
ufsdump to back up a non-global zone.
global# fssnap -o bs=/var /export/zone2
/dev/fssnap/0
global# mount -o ro /dev/fssnap/0 /mnt
global# ufsdump 0f /backup/zone2_root_snap_dump /mnt
DUMP: Date of this level 0 dump: Mon Dec 26 13:44:01 2005
DUMP: Date of last level 0 dump: the epoch
DUMP: Dumping /dev/rfssnap/0 (sys21:/mnt) to
/backup/zone2_root_snap_dump.
...
DUMP: DUMP IS DONE
global# umount /mnt
global# fssnap -d /dev/fssnap/0
Deleted snapshot 0.


Configuring Resource Pools


Use these commands to perform various resource pool
configuration tasks:
• The pooladm(1M) command – The pooladm command
provides administrative operations on pools.
• The poolbind(1M) command – The poolbind
command allows an authorized user to bind zones,
projects, tasks, and processes to pools.
• The poolcfg(1M) command – Provides configuration
operations on pools.
• The poolstat(1M) command – Displays statistics for
pool-related resources.


Enabling and Disabling the Resource Pools Service
• You can enable and disable the resource pools and
dynamic resource pools services on your system using
the svcadm command.
• Display the current state of both resource pools
services.
# svcs '*pool*'
STATE STIME FMRI
disabled 10:32:26 svc:/system/pools/dynamic:default
disabled 10:32:26 svc:/system/pools:default

• Enable the resource pools service.


# svcadm enable system/pools:default


Enabling and Disabling the Resource Pools Service (cont.)
• Enable the dynamic resource pools (DRP) service.
# svcadm enable system/pools/dynamic:default

• Re-display the state of resource pools services.


# svcs '*pool*'
STATE STIME FMRI
online 10:40:27 svc:/system/pools:default
online 10:40:27 svc:/system/pools/dynamic:default

• If you attempt to enable the DRP service prior to the
resource pools service, the state of the SMF services
reports as follows:
# svcs -a | grep pool
disabled 10:39:00 svc:/system/pools:default
offline 10:39:12 svc:/system/pools/dynamic:default


Enabling and Disabling the Resource Pools Service (cont.)
• Use the -x option of the svcs command to determine
why the DRP service is offline:
# svcs -x '*pool*'
svc:/system/pools:default (resource pools framework)
State: disabled since Wed 25 Jan 2006 10:39:00 AM GMT
Reason: Disabled by an administrator.
(content omitted)
State: offline since Wed 25 Jan 2006 10:39:12 AM GMT
Reason: Service svc:/system/pools:default is disabled.
(content omitted)
Impact: This service is not running.

• To correct the SMF service state problem, enable the
resource pools service so that the DRP service can run:
# svcadm enable svc:/system/pools:default


Configuring Pools
• Create the initial configuration:
# svcadm enable system/pools:default
# pooladm -s
# poolcfg -c info
system tester
string system.comment
int system.version 1
...
cpu
int cpu.sys_id 3
string cpu.comment
string cpu.status on-line
cpu
int cpu.sys_id 2
string cpu.comment
string cpu.status on-line
...
# pooladm -c
# pooladm -s /var/tmp/backup-rsrc_pools.conf


Configuring Pools (cont.)


• Modify the configuration
The following example creates a processor set named
pset_batch and a pool named pool_batch. Then it
joins the pool and the processor set with an
association.
# poolcfg -c 'create pset pset_batch (uint pset.min = 2; uint pset.max = 4)'
# poolcfg -c 'create pool pool_batch'
# poolcfg -c 'associate pool pool_batch (pset pset_batch)'
# poolcfg -c info
# pooladm -c


Configuring Pools (cont.)


• Associate a pool with a scheduling class:
# poolcfg -c 'modify pool pool_batch (string pool.scheduler="FSS")'
# poolcfg -c info
...
string pool.comment
string pool.scheduler FSS
pset batch
...
# pooladm -c


Configuring Pools (cont.)


• Set configuration constraints
The following example shows how to set the
cpu.pinned property in the static or dynamic
configuration.
• Modify the boot-time (static) configuration:
# poolcfg -c 'modify cpu cpuid (boolean cpu.pinned = true)'

• Modify the running (dynamic) configuration
without modifying the boot-time configuration:
# poolcfg -dc 'modify cpu cpuid (boolean cpu.pinned = true)'


Configuring Pools (cont.)


• Define the wt-load and locality configuration
objectives (type each command on one line):
# poolcfg -c 'modify system tester (string system.poold.objectives="wt-load")'
# poolcfg -c 'modify pset pset_default (string pset.poold.objectives="locality none")'
# poolcfg -c 'modify pset pset_batch (string pset.poold.objectives="locality none")'
# poolcfg -c info
...
string system.poold.objectives wt-load
...
string pset.poold.objectives locality none
...
string pset.poold.objectives locality none
...


Configuring Pools (cont.)


• Set the poold logging level
Set the logging level by using the poold command
with the -l option and a parameter, for example,
DEBUG.
# /usr/lib/pool/poold -l DEBUG

• The default poold log file is /var/log/pool/poold


Introducing Resource Management With Zones
• Resource management capabilities are bundled within
the Solaris OS.
• Resource management capabilities provide various
levels of control over CPUs and memory.
• Many resource management controls in support of
zones can now be achieved within zone configurations
and not as a separate task.


Managing Scheduling Classes and the Fair Share Scheduler
• The Fair Share Scheduler (FSS) gives you the ability to
specify that certain workloads be given more resources
than others.
• FSS can be used on:
• Individual resources
• Resources within a persistent or temporary resource
pool
• CPU resources are allocated on a per-project or per-
zone basis.
• The relative importance of applications is expressed by
allocating CPU resources based on shares.


Managing Scheduling Classes and the Fair Share Scheduler (cont.)
• FSS guarantees the fair dispersion of CPU resources.
• With FSS, you can keep rogue processes from
consuming all available processing power.


Describing CPU Shares


• The Fair Share Scheduler controls allocation of CPU
resources using CPU shares.
• The importance of a workload is expressed by the
number of shares.
• A CPU share defines a relative entitlement of the CPU
resources available to a project or zone.
• CPU shares are not the same as CPU percentages.
• Shares define the relative importance of projects or
zones with respect to other projects or zones
respectively.
• The actual number of shares assigned is largely
irrelevant.


Describing CPU Shares (cont.)


[Figure: two pairs of charts, "Without Fair Share Scheduler" and "With Fair Share Scheduler", each plotting CPU Utilization (up to 100%) against Time for Database 1 and Database 2.]


Combining FSS With Other Scheduling Classes
• The FSS scheduling class uses the same range of
priorities (0 to 59) as the timesharing (TS), interactive
(IA), and fixed priority (FX) scheduling classes.
• With the use of processor sets, you can mix TS, IA, and
FX with FSS in one system.
• Do not use the FX scheduler in conjunction with the
FSS scheduling class unless processor sets are used.
• You can mix processes in the TS and IA classes in the
same processor set.
• FSS can coexist with the RT scheduling class within
the same processor set.


Combining FSS With Other Scheduling Classes (cont.)
• To find out which scheduling classes the processor sets
are running in, type:
$ ps -ef -o pset,class | grep -v CLS | sort | uniq
1 FSS
1 SYS
2 TS
2 RT
3 FX


Combining FSS With Other Scheduling Classes (cont.)
• To view process information for all zones and include scheduling class
information, type:
global# ps -efcZ | sort -k1 | more
ZONE UID PID PPID CLS PRI STIME TTY TIME CMD
zone1 root 16840 1 SYS 60 Feb 27 ? 0:00 zsched
zone1 root 16853 16840 TS 59 Feb 27 ? 0:00 /sbin/init
(output omitted)
zone2 root 17386 1 SYS 60 Feb 27 ? 0:00 zsched
zone2 root 17399 17386 TS 59 Feb 27 ? 0:00 /sbin/init
(output omitted)
global root 0 0 SYS 96 Jan 17 ? 0:55 sched
global root 1 0 TS 59 Jan 17 ? 0:04 /sbin/init
(output omitted)
global root 595 587 TS 59 Jan 17 ? 0:00 /usr/openwin/bin/fbconsole -n -d :0
global root 596 587 IA 59 Jan 17 ? 8:44 /usr/X11/bin/Xorg :0 -depth 24 -nobanner -auth /var/dt/A:0-wQayjb
(output omitted)
global daemon 302 1 TS 59 Jan 17 ? 0:03 /usr/lib/nfs/nfsmapid
global daemon 303 1 TS 59 Jan 17 ? 0:00 /usr/lib/nfs/statd
global daemon 309 1 FX 60 Jan 17 ? 0:00 /usr/lib/nfs/lockd
global noaccess 828 1 TS 59 Jan 17 ? 23:53 /usr/java/bin/java -server -Xmx128m -XX:+BackgroundCompilation -XX:PermSize=32m


Combining FSS With Other Scheduling Classes (cont.)
• The preferred way to use FSS is to set FSS to be the system default
scheduling class using dispadmin.


Configuring FSS
• FSS related commands:
Command          Description
priocntl(1)      Displays or sets scheduling parameters of specified processes, moves running processes into a different scheduling class.
ps(1)            Lists information about running processes, identifies in which scheduling classes processor sets are running.
dispadmin(1M)    Sets the default scheduler for the system. Also used to examine and tune the FSS scheduler's time quantum value.
FSS(7)           Describes the fair share scheduler (FSS).


Making FSS the Default Scheduling Class


• Set the default scheduling class for the system to be
FSS.
# dispadmin -d FSS

• Make this configuration take effect immediately,
without rebooting.
# priocntl -s -c FSS


Manually Move Processes From All User Classes Into the FSS Class
• Move the init process (pid 1) into the FSS scheduling
class.
# priocntl -s -c FSS -i pid 1

• Move all processes from their current scheduling
classes into the FSS scheduling class.
# priocntl -s -c FSS -i all


Setting the Scheduling Class For a Zone


• One method: Use the scheduling-class property in
zonecfg to set the scheduling class for the zone.
global# zonecfg -z work-zone
zonecfg:work-zone> set scheduling-class=FSS
zonecfg:work-zone> verify
zonecfg:work-zone> commit
zonecfg:work-zone> exit

• Alternate method: Set the scheduling class for a zone
through the resource pools facility.
global# poolcfg -c 'modify pool pool_batch (string pool.scheduler="FSS")'

• If the zone’s cpu-shares rctl is set and FSS is not
already set as the scheduling class for the zone in some
other manner, the zone’s zoneadmd daemon sets the
scheduling class to FSS when the zone boots.

Monitoring FSS
• To monitor the CPU usage of zones on the system, use
the prstat command with the -Z option.
global# prstat -Z

• To monitor the CPU usage of projects that run on the
system, use the prstat command with the -J option.
work-zone# prstat -J


Configuring CPU Shares for Zones


• A commonly used method to prevent “CPU hogs”
from impacting other workloads is to assign CPU
shares to the zone or project associated with the
workload.
• The relative number of shares assigned per zone
guarantees a relative minimum amount of CPU
resources for the zone.
• This method of using shares is less wasteful than
dedicating one or more CPUs to a zone.


Using the cpu-shares Zone Property


• The cpu-shares property represents a relative minimum
amount of CPU resource compared to other zones.
• To set a zone rctl to 30 shares for the work-zone using
the cpu-shares property, type:
global# zonecfg -z work-zone
zonecfg:work-zone> set cpu-shares=30
zonecfg:work-zone> info
zonename: work-zone
brand: native
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: shared


Using the cpu-shares Zone Property (cont.)
[cpu-shares: 30]
inherit-pkg-dir:
dir: /lib
inherit-pkg-dir:
dir: /platform
inherit-pkg-dir:
dir: /sbin
inherit-pkg-dir:
dir: /usr
net:
address: 192.168.100.137
physical: bge0


Using the cpu-shares Zone Property (cont.)
attr:
name: comment
type: string
value: "The work-zone"
rctl:
name: zone.cpu-shares
value: (priv=privileged,limit=30,action=none)
zonecfg:work-zone> verify
zonecfg:work-zone> commit
zonecfg:work-zone> exit


Using the cpu-shares Zone Property (cont.)
• Use of cpu-shares in a zone configuration requires
use of FSS as the scheduling class.
• Zone boot messages with cpu-shares property set:
global# zoneadm -z work-zone boot
zoneadm: zone 'work-zone': WARNING: The zone.cpu-shares rctl is set but
zoneadm: zone 'work-zone': FSS is not the default scheduling class for
zoneadm: zone 'work-zone': this zone. FSS will be used for processes in
zoneadm: zone 'work-zone': the zone but to get the full benefit of FSS,
zoneadm: zone 'work-zone': it should be the default scheduling class.
zoneadm: zone 'work-zone': See dispadmin(1M) for more details.

• To remove a cpu-shares zone property from a zone
configuration, use the rctl alias with the clear
subcommand.
global# zonecfg -z work-zone clear cpu-shares


Using prctl to Configure CPU Shares


• To display the zone.cpu-shares currently active for
the work-zone, type:
global# prctl -n zone.cpu-shares -P -i zone work-zone
zone: 6: work-zone
zone.cpu-shares privileged 30 - none -
zone.cpu-shares system 65535 max none -

• To replace the current zone.cpu-shares value with a
new value, type:
global# prctl -n zone.cpu-shares -v 55 -r -i zone work-zone


Monitoring the Effect of CPU Shares Using prstat
• To monitor the CPU usage of zones on the system, use
the prstat command with the -Z option.
global# prstat -Z
PID USERNAME SIZE RSS STATE PRI NICE TIME CPU PROCESS/NLWP
9695 root 3428K 2888K cpu2 59 0 0:00:00 0.1% prstat/1
(output omitted)
275 daemon 2452K 1560K sleep 59 0 0:00:00 0.0% statd/1
329 root 1740K 688K sleep 59 0 0:00:00 0.0% smcboot/1
9 root 10M 9728K sleep 59 0 0:00:09 0.0% svc.configd/16

ZONEID NPROC SWAP RSS MEMORY TIME CPU ZONE
0 54 184M 263M 3.2% 0:05:27 3.1% global
6 32 183M 247M 3.0% 0:00:18 12.8% work-zone
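
The zone summary rows of prstat -Z can be read against the configured shares to see why shares are not percentages. The following is an added example, not part of the course material: fss_share_report is a hypothetical helper, the prstat rows are the ones shown on this slide, and the share values passed to it (including a single share for the global zone) are assumptions.

```shell
#!/bin/sh
# Added example (not from the course): compare each zone's FSS entitlement,
# derived from its shares, with the CPU column of the `prstat -Z` zone summary.

# fss_share_report "zone=shares zone=shares ..." < prstat-Z-output
# Hypothetical helper. The argument lists the zones competing in one
# processor set together with their zone.cpu-shares values.
fss_share_report() {
    awk -v pairs="$1" '
        BEGIN {
            n = split(pairs, p, " ")
            for (i = 1; i <= n; i++) {
                split(p[i], kv, "=")
                share[kv[1]] = kv[2]
                total += kv[2]
            }
        }
        # Zone summary rows: ZONEID NPROC SWAP RSS MEMORY TIME CPU ZONE
        total > 0 && NF == 8 && $1 ~ /^[0-9]+$/ && $7 ~ /%$/ && ($8 in share) {
            used = $7
            sub(/%$/, "", used)
            # Entitlement is the zone share over the sum of competing shares.
            printf "%s shares=%d entitled=%.1f%% used=%.1f%%\n", $8, share[$8], 100 * share[$8] / total, used
        }'
}

# prstat -Z rows copied from the slide above.
sample_prstat_z() {
    cat <<'EOF'
PID USERNAME SIZE RSS STATE PRI NICE TIME CPU PROCESS/NLWP
9695 root 3428K 2888K cpu2 59 0 0:00:00 0.1% prstat/1
275 daemon 2452K 1560K sleep 59 0 0:00:00 0.0% statd/1
ZONEID NPROC SWAP RSS MEMORY TIME CPU ZONE
0 54 184M 263M 3.2% 0:05:27 3.1% global
6 32 183M 247M 3.0% 0:00:18 12.8% work-zone
EOF
}

# 30 shares against 1 share and 60 shares against 2 give the same entitlement.
sample_prstat_z | fss_share_report "global=1 work-zone=30"
sample_prstat_z | fss_share_report "global=2 work-zone=60"
```

A zone running below its entitlement is simply not busy; the shares only decide the split when the listed zones compete for the same CPUs.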


Configuring Temporary Resource Pools


• Temporary resource pools provide an alternative to the
persistent resource pool configurations and binding a
zone to a persistent pool.
• Temporary resource pools only exist in support of a
specific zone and only exist while that zone is booted.
• These pools are designed to simplify the association
between a zone and the amount of CPU resources
desired for a zone.


Configuring Temporary Resource Pools (cont.)
• The dedicated-cpu resource specifies that a subset of
the system’s processors should be dedicated to a non-
global zone while the zone is running.
• The dedicated-cpu resource has two properties:
• The ncpus property and the importance property.
• To configure a zone with a range of 2 to 4 CPUs defined
and an importance of 10, type:
global# zonecfg -z work-zone
zonecfg:work-zone> add dedicated-cpu
zonecfg:work-zone:dedicated-cpu> set ncpus=2-4
zonecfg:work-zone:dedicated-cpu> set importance=10
zonecfg:work-zone:dedicated-cpu> end
...


Configuring Temporary Resource Pools (cont.)
• The cpu-shares global property is not compatible
with the dedicated-cpu resource, within a zone
configuration.
• The cpu-shares global property is compatible with
the pool global property, within a zone configuration.


Displaying Temporary Resource Pool Configurations
• Use the zonecfg command with the info
subcommand to examine the configuration.
global# zonecfg -z work-zone info
zonename: work-zone
(output omitted)
dedicated-cpu:
ncpus: 2-4
importance: 10
(output omitted)


Displaying Temporary Resource Pool Configurations (cont.)
• Use the pooladm command to see the configuration effect:
global# pooladm
(output omitted)
pool SUNWtmp_work-zone
int pool.sys_id 3
boolean pool.active true
boolean pool.default false
int pool.importance 10
string pool.comment
boolean pool.temporary true
pset SUNWtmp_work-zone
(output omitted)
pset SUNWtmp_work-zone
int pset.sys_id 1
boolean pset.default false
uint pset.min 2
uint pset.max 4
string pset.units population


Displaying Temporary Resource Pool Configurations (cont.)
uint pset.load 11
uint pset.size 2
string pset.comment
boolean pset.temporary true
cpu
int cpu.sys_id 1
string cpu.comment
string cpu.status on-line
cpu
int cpu.sys_id 0
string cpu.comment
string cpu.status on-line


Using the capped-cpu Resource


The capped-cpu resource provides an absolute fine-grained
limit on the amount of CPU resources that can be consumed
by a project or a zone.
The capped-cpu resource has a single ncpus property that
is a positive decimal with two digits to the right of the
decimal.
• This property corresponds to units of CPUs.
To use the capped-cpu resource from a zone configuration:
zonecfg:workzone> add capped-cpu
zonecfg:workzone:capped-cpu> set ncpus=1.5
zonecfg:workzone:capped-cpu> end
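
The CPU-control rules stated on the preceding slides (cpu-shares requires FSS, and cpu-shares is not compatible with dedicated-cpu) can be checked on a zonecfg command file, such as the exported master used in the cloning procedure, before it is applied with zonecfg -f. The following is an added example, not part of the course material; lint_zonecfg_commands and the two sample command files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the course): check a zonecfg command file against the
# CPU-control rules stated on the slides before applying it with `zonecfg -f`.

# lint_zonecfg_commands < command-file
# Hypothetical helper. Prints one finding per line; returns 1 on a CONFLICT.
lint_zonecfg_commands() {
    awk '
        { sub(/^[ \t]+/, "") }                       # tolerate indented files
        /^set cpu-shares=/           { shares = 1 }  # alias form used on the slides
        /^set name=zone\.cpu-shares/ { shares = 1 }  # rctl form of the same control
        /^set scheduling-class=/     { sched = substr($0, index($0, "=") + 1) }
        /^add dedicated-cpu/         { dedicated = 1 }
        /^add capped-cpu/            { capped = 1 }
        END {
            if (shares && dedicated) {
                print "CONFLICT: cpu-shares cannot be combined with dedicated-cpu"
                rc = 1
            }
            if (shares && sched != "FSS")
                print "WARN: cpu-shares is set but scheduling-class is " (sched == "" ? "unset" : sched)
            if (!shares && !dedicated && !capped)
                print "NOTE: no cpu-shares, dedicated-cpu or capped-cpu control is configured"
            exit rc + 0
        }'
}

# Constructed sample: shares set through the alias, no scheduling class.
sample_shares_only() {
    cat <<'EOF'
create -b
set zonepath=/export/zones/work-zone
set autoboot=true
set cpu-shares=30
add net
set address=192.168.100.137
set physical=bge0
end
EOF
}

# Constructed sample: shares as an rctl plus a dedicated-cpu resource.
sample_conflict() {
    cat <<'EOF'
create -b
set zonepath=/export/zones/new-zone
set scheduling-class=FSS
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=30,action=none)
end
add dedicated-cpu
set ncpus=2-4
set importance=10
end
EOF
}

sample_shares_only | lint_zonecfg_commands
sample_conflict | lint_zonecfg_commands || echo "do not apply this file"
```

The WARN case corresponds to the boot-time warning shown earlier: the zone still runs under FSS, but FSS is not the default scheduling class.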


Configuring Memory Capping for Zones


• A resource cap is an upper bound placed on the
consumption of a resource, such as physical memory.
• Per-zone and per-project physical memory caps are
supported.
• The resource capping daemon rcapd and its associated
utilities provide mechanisms for physical memory
resource cap enforcement and administration.


How Resource Capping Works


• The rcapd daemon repeatedly samples the resource
utilization of projects that have physical memory caps.
• When physical memory utilization exceeds the
threshold for cap enforcement, rcapd takes action to
reduce the resource consumption of zones and projects
with memory caps to levels at or below the caps.
• The rcapd daemon manages physical memory by
regulating the size of a zone or project workload's
resident set relative to the size of its working set.
• The resident set is the set of pages that are resident
in physical memory.
• The working set is the set of pages that the workload
actively uses during its processing cycle.


How Resource Capping Works (cont.)


• The working set changes over time, depending on the
process's mode of operation and the type of data being
processed.
• The working set can also include the use of secondary
disk storage to hold the memory that does not fit in
physical memory.
• Only one instance of rcapd can run at any given time.


Resource Capping Guidelines


• For zones: use the capped-memory resource and the
physical property within the zone’s configuration.
• For projects: change the rcap.max-rss value for the project
and then use the svcadm restart rcap command.
• Consider the total amount of memory in the system, the
needs of all processes in the project, and the needs of all
applications which will run on the system, in all zones.
• Profile the memory usage of applications that use a lot of
shared memory.
• Set a memory cap enforcement threshold greater than zero
to ensure paging does not occur when RAM is available.
• The use of resource capping can impact performance.
• Do not kill the rcapd daemon.


Enabling and Disabling the rcap Service


• Three ways to enable resource capping:
• Turn on resource capping using the svcadm
command.
# svcadm enable rcap

• Enable the resource capping daemon so that it will
be started now and also be started each time the
system is booted:
# rcapadm -E

• Enable the resource capping daemon at boot
without starting it now by also specifying the -n
option:
# rcapadm -n -E


Enabling and Disabling the rcap Service (cont.)

• Three ways to disable resource capping:
• Turn off resource capping using the svcadm
command.
# svcadm disable rcap

• To disable the resource capping daemon so that it
will be stopped now and not be started when the
system is booted:
# rcapadm -D

• To disable the resource capping daemon without
stopping it, also specify the -n option:
# rcapadm -n -D


Using zonecfg to Configure Memory Caps

• To set a Resident Set Size (RSS) memory cap for a zone,
type:
global# zonecfg -z work-zone
zonecfg:work-zone> add capped-memory
zonecfg:work-zone:capped-memory> set physical=1024m
zonecfg:work-zone:capped-memory> end
zonecfg:work-zone> verify
zonecfg:work-zone> commit
zonecfg:work-zone> exit
global# zlogin work-zone init 6


Using zonecfg to Configure Memory Caps (cont.)

• To set a swap space cap for a zone, type:
global# zonecfg -z work-zone
zonecfg:work-zone> add capped-memory
zonecfg:work-zone:capped-memory> set swap=1g
zonecfg:work-zone:capped-memory> end
zonecfg:work-zone> verify
zonecfg:work-zone> commit
zonecfg:work-zone> exit
global# zlogin work-zone init 6


Using zonecfg to Configure Memory Caps (cont.)

• To set the amount of physical memory (RSS) that a zone
can lock down, type:
global# zonecfg -z work-zone
zonecfg:work-zone> add capped-memory
zonecfg:work-zone:capped-memory> set locked=256m
zonecfg:work-zone:capped-memory> end
zonecfg:work-zone> verify
zonecfg:work-zone> commit
zonecfg:work-zone> exit
global# zlogin work-zone init 6


Using zonecfg to Configure Memory Caps (cont.)

• To remove a capped-memory resource from a zone
configuration, type:
global# zonecfg -z work-zone
zonecfg:work-zone> remove capped-memory
zonecfg:work-zone> verify
zonecfg:work-zone> commit
zonecfg:work-zone> exit


Using rcapadm to Configure Memory Caps

• The rcapadm command may be used to establish
various memory caps for the zone, without rebooting
the zone.
• To set a Resident Set Size (RSS) memory cap for a
running zone:
global# rcapadm -z work-zone -m 1024m

• Resource caps remain in effect until the zone is
rebooted.


Monitoring the Effect of Memory Caps Using rcapstat

• To monitor the memory caps in effect for all zones on
your system, using a limited count of 3 and sampling
duration of 5 seconds, type:
global# rcapstat -z 5 3
id zone       nproc    vm   rss   cap    at avgat    pg avgpg
 7 work-zone      -  161M  203M 1024M    0K    0K    0K    0K
 9 user-zone      -  148M  201M 2048M    0K    0K    0K    0K
id zone       nproc    vm   rss   cap    at avgat    pg avgpg
 7 work-zone      -  163M  209M 1024M    0K    0K    0K    0K
 9 user-zone      -  148M  201M 2048M    0K    0K    0K    0K
id zone       nproc    vm   rss   cap    at avgat    pg avgpg
 7 work-zone      -  163M  213M 1024M    0K    0K    0K    0K
 9 user-zone      -  150M  202M 2048M    0K    0K    0K    0K
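
The rcapstat columns shown above can be checked mechanically so that a zone running over its cap, or one that rcapd is actively paging, is noticed early. The script below is an added example, not part of the course material; the function names, the 90 percent default warning level, and the second sample interval are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag capped zones from `rcapstat -z` output.
# Columns, as on the slide: id zone nproc vm rss cap at avgat pg avgpg
#   at = memory rcapd attempted to page out during the interval
#   pg = estimate of memory actually paged out during the interval

# Constructed sample: the slide's format, with work-zone pushed over its cap
# in the second interval.
rcapstat_sample() {
cat <<'EOF'
id zone       nproc    vm   rss   cap    at avgat    pg avgpg
 7 work-zone      -  161M  203M 1024M    0K    0K    0K    0K
 9 user-zone      -  148M  201M 2048M    0K    0K    0K    0K
id zone       nproc    vm   rss   cap    at avgat    pg avgpg
 7 work-zone      -  963M 1100M 1024M  120M   60M   76M   38M
 9 user-zone      -  150M  202M 2048M    0K    0K    0K    0K
EOF
}

# rcap_check [warn_percent]
# Reads rcapstat -z output on stdin and prints one line per finding:
#   OVER   zone ...  rss is above the cap
#   NEAR   zone ...  rss is at or above warn_percent of the cap
#   PAGING zone ...  rcapd attempted to page the zone out (at > 0)
rcap_check() {
    awk -v warn="${1:-90}" '
    # Convert a size such as 203M, 0K or 2G to kilobytes.
    function kb(s,   n, u) {
        u = substr(s, length(s), 1)
        n = substr(s, 1, length(s) - 1) + 0
        if (u == "K") return n
        if (u == "M") return n * 1024
        if (u == "G") return n * 1024 * 1024
        return s / 1024          # no suffix: treated as bytes (assumption)
    }
    $1 == "id" { next }          # header repeated for every interval
    NF < 10    { next }          # not a data row
    {
        rss = kb($5); cap = kb($6); at = kb($7)
        if (cap <= 0) next
        pct = int(rss * 100 / cap)
        if (rss > cap)
            printf "OVER %s rss=%s cap=%s pct=%d\n", $2, $5, $6, pct
        else if (pct >= warn)
            printf "NEAR %s rss=%s cap=%s pct=%d\n", $2, $5, $6, pct
        if (at > 0)
            printf "PAGING %s at=%s pg=%s\n", $2, $7, $9
    }'
}

# On a live system: rcapstat -z 5 3 | rcap_check
rcapstat_sample | rcap_check
```
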


Setting the Memory Cap Enforcement Threshold

• Caps can be configured so that they will not be
enforced until the physical memory available to
processes is low.
• Use the -c option of rcapadm to set a different physical
memory utilization value for memory cap
enforcement.
global# rcapadm -c percent

• The percent value is in the range 0 to 100.
• Higher values are less restrictive.


Module 3

Introduction to the Solaris™ ZFS File System


Objectives
• Describe the Solaris ZFS file system
• Create new ZFS pools and file systems
• Modify ZFS file system properties
• Mount and unmount ZFS file systems
• Destroy ZFS pools and file systems
• Work with ZFS snapshots and clones
• Use ZFS datasets with Solaris Zones


What Is Solaris ZFS?


• ZFS Pooled Storage
ZFS aggregates devices into storage pools.
• Transactional Semantics
Any sequence of operations is either entirely
committed or entirely ignored.
• Checksums and Self-Healing Data
All data and metadata is checksummed, and
detected errors are corrected using replicated data.
• Unparalleled Scalability
Solaris ZFS is a 128-bit file system, allowing for 256
quadrillion zettabytes of storage.


What Is ZFS?
• ZFS Snapshots
ZFS snapshots are read-only copies of file systems
that initially consume no additional space in a pool.
• Simplified Administration
ZFS uses a simplified command set and a hierarchical
file system layout, and supports file system
property inheritance and automatic mount points.


ZFS Terminology
• checksum - A 256-bit hash of the data in a file system
block.
• clone - A file system whose initial contents are identical
to the contents of a snapshot.
• dataset - A generic name for the following ZFS entities:
clones, file systems, snapshots, or volumes.
• file system - A dataset that contains a standard POSIX
file system.
• mirror - A virtual device that stores identical copies of
data on two or more disks.


ZFS Terminology (cont.)


• pool - A logical group of devices describing the layout
and physical characteristics of the available storage.
• RAID-Z - A virtual device that stores data and parity
on multiple disks, similar to RAID-5.
• resilvering - The process of transferring data from one
device to another device.
• snapshot - A read-only image of a file system or
volume at a given point in time.
• virtual device - A logical device in a pool, which can be
a physical device, a file, or a collection of devices.
• volume - A dataset used to emulate a physical device.


ZFS Component Naming Requirements


Empty components are not allowed.
Each component can only contain alphanumeric characters in
addition to the following four special characters:
• Underscore (_)
• Hyphen (-)
• Colon (:)
• Period (.)


ZFS Component Naming Requirements (cont.)

Pool names must begin with a letter, except that the beginning
sequence c[0-9] is not allowed. In addition, pool names that
begin with mirror, raidz, or spare are not allowed because these
names are reserved.
Dataset names must begin with an alphanumeric character.
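
When pool or dataset names reach a provisioning script from a ticket, a form, or another program, the naming rules above can be enforced before the value is ever placed on a zpool or zfs command line. The functions below are an added example, not part of the course material; the function names and test inputs are constructed, and snapshot names are outside their scope.

```shell
#!/bin/sh
# Added example: validate names against the naming rules on the slides.
LC_ALL=C; export LC_ALL      # keep [A-Za-z] ranges byte-exact

# zfs_pool_name_ok NAME: returns 0 if NAME is acceptable as a pool name.
zfs_pool_name_ok() {
    name=$1
    # Not empty; only alphanumerics plus underscore, hyphen, colon, period.
    case $name in
        ''|*[!A-Za-z0-9_:.-]*) return 1 ;;
    esac
    # Must begin with a letter (this also rejects a leading hyphen,
    # which a command would otherwise read as an option).
    case $name in
        [A-Za-z]*) ;;
        *) return 1 ;;
    esac
    # The beginning sequence c[0-9] and the reserved prefixes are refused.
    case $name in
        c[0-9]*|mirror*|raidz*|spare*) return 1 ;;
    esac
    return 0
}

# zfs_dataset_name_ok PATH: returns 0 if PATH (pool/fs/fs...) is acceptable.
zfs_dataset_name_ok() {
    path=$1
    # A leading, trailing or doubled slash would create an empty component.
    case $path in
        ''|/*|*/|*//*) return 1 ;;
    esac
    pool=${path%%/*}
    zfs_pool_name_ok "$pool" || return 1
    rest=${path#"$pool"}                 # "" or "/a/b/..."
    while [ -n "$rest" ]; do
        rest=${rest#/}
        comp=${rest%%/*}
        case $comp in
            ''|*[!A-Za-z0-9_:.-]*) return 1 ;;   # empty or illegal character
            [A-Za-z0-9]*) ;;                     # begins with an alphanumeric
            *) return 1 ;;
        esac
        rest=${rest#"$comp"}
    done
    return 0
}

# Constructed inputs, one per rule.
zfs_name_report() {
    for n in tank datab c0pool mirrorpool 2tank -f 'tank;id'; do
        if zfs_pool_name_ok "$n"; then printf 'pool ok:       %s\n' "$n"
        else printf 'pool rejected: %s\n' "$n"; fi
    done
    for n in tank/home/bonwick tank//ws tank/_tmp 'tank/home/../x'; do
        if zfs_dataset_name_ok "$n"; then printf 'dataset ok:       %s\n' "$n"
        else printf 'dataset rejected: %s\n' "$n"; fi
    done
}
zfs_name_report
```
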


ZFS Hardware and Software Requirements and Recommendations

A SPARC® or x86 system that is running the Solaris 10 6/06
release.
The minimum disk size is 128 Mbytes. The minimum amount
of disk space required for a storage pool is approximately 64
Mbytes.
For good ZFS performance, at least one Gbyte of
memory is recommended.
If you create a mirrored disk configuration, multiple
controllers are recommended.


Creating Basic ZFS File Systems


One goal of the ZFS design is to reduce the number of
commands needed to create a usable file system.
When you create a new pool, a new ZFS file system is created
and mounted automatically.
Within a pool, you will probably want to create additional file
systems.
In most cases, you will probably want to create and organize
a hierarchy of file systems that matches your organizational
needs.


Components of a ZFS Storage Pool


Using Disks in a ZFS Storage Pool
Physical storage can be any block device of at least 128 Mbytes
in size.
Typically, this device is a hard drive that is visible to the
system in the /dev/dsk directory.
A storage device can be a whole disk (c1t0d0) or an
individual slice (c0t0d0s7).
The recommended mode of operation is to use an entire disk.
ZFS applies an EFI label when you create a storage pool with
whole disks.


Components of a ZFS Storage Pool (cont.)


Using Disks in a ZFS Storage Pool (continued)
Disks can be specified by using either the full path, such as
/dev/dsk/c1t0d0, or a shorthand name.
For example, the following are valid disk names:
• c1t0d0
• /dev/dsk/c1t0d0
• c0t0d6s2
ZFS works best when given whole physical disks.


Components of a ZFS Storage Pool (cont.)


Using Files in a ZFS Storage Pool
ZFS also allows you to use UFS files as virtual devices in your
storage pool.
This feature is aimed primarily at testing and enabling simple
experimentation, not for production use.
The reason is that any use of files relies on the underlying file
system for consistency.
All files must be specified as complete paths and must be at
least 128 Mbytes in size.


Components of a ZFS Storage Pool (cont.)


ZFS pools can consist of whole disks, disk slices, or files.

[Figure: a pool built from a whole disk (preferred), a disk slice, or a file (for test only).]


Components of a ZFS Storage Pool (cont.)


Virtual Devices in a Storage Pool
Each storage pool is comprised of one or more virtual devices.
Two top-level virtual devices provide data redundancy:
mirror and RAID-Z virtual devices. These virtual devices
consist of disks, disk slices, or files.
Disks, disk slices, or files that are used in pools outside of
mirrors and RAID-Z virtual devices function as top-level
virtual devices themselves.
Storage pools typically contain multiple top-level virtual
devices. ZFS dynamically stripes data among all of the
top-level virtual devices in a pool.


Components of a ZFS Storage Pool (cont.)


A ZFS pool that uses disks as top-level virtual devices
provides no data replication.

[Figure: data written as Stripe 1, Stripe 2, and Stripe 3 across the disks in the pool.]


Replication Features of a ZFS Storage Pool


Mirrored Storage Pool Configuration
A mirrored storage pool configuration requires at least two
disks, preferably on separate controllers.
You can create more than one mirror in each pool.
A simple mirrored configuration would look similar to the
following:
mirror c1t0d0 c2t0d0

A more complex mirrored configuration would look similar
to the following:
mirror c1t0d0 c2t0d0 c3t0d0 mirror c4t0d0 c5t0d0 c6t0d0


Replication Features of a ZFS Storage Pool (cont.)

ZFS stripes data among mirror virtual devices in a pool, and
data is replicated within each mirror.
[Figure: data written as Stripe 1 and Stripe 2 across two mirror devices.]


Replication Features of a ZFS Storage Pool (cont.)

RAID-Z Storage Pool Configuration
RAID-Z is similar to RAID-5.
In RAID-Z, ZFS uses variable-width RAID stripes so that all
writes are full-stripe writes.
You need at least two disks for a RAID-Z configuration.
Conceptually, RAID-Z configuration with three disks would
look similar to the following:
raidz c1t0d0 c2t0d0 c3t0d0


Replication Features of a ZFS Storage Pool (cont.)

RAID-Z Storage Pool Configuration (continued)
A more complex conceptual RAID-Z configuration would
look similar to the following:
raidz c1t0d0 c2t0d0 c3t0d0 c4t0d0 c5t0d0 c6t0d0 c7t0d0 raidz
c8t0d0 c9t0d0 c10t0d0 c11t0d0 c12t0d0 c13t0d0 c14t0d0

If you are creating a RAID-Z configuration with many disks,
as in this example, a RAID-Z configuration with 14 disks is
better split into two 7-disk groupings.
RAID-Z configurations with single-digit groupings of disks
should perform better.


Replication Features of a ZFS Storage Pool (cont.)

ZFS uses variable-width stripes within RAID-Z devices.

[Figure: data written to a RAID-Z device.]


Replication Features of a ZFS Storage Pool (cont.)

Self-Healing Data in a Replicated Configuration
ZFS provides for self-healing data in a mirrored or RAID-Z
configuration.
When a bad data block is detected, not only does ZFS fetch the
correct data from another replicated copy, but it also repairs the bad
data by replacing it with the good copy.
Dynamic Striping in a Storage Pool
For each virtual device that is added to the pool, ZFS dynamically
stripes data across all available devices.
No fixed width stripes are created at allocation time.


Replication Features of a ZFS Storage Pool (cont.)

ZFS dynamically stripes data across all virtual devices in a
pool.
[Figure: data written as Stripe 1 and Stripe 2 across two RAID-Z devices.]


Replication Features of a ZFS Storage Pool (cont.)

Dynamic Striping in a Storage Pool (continued)
When virtual devices are added to a pool, ZFS gradually
allocates data to the new device in order to maintain
performance and space allocation policies.
While ZFS supports combining different types of virtual
devices within the same pool, this practice is not
recommended.


Creating and Destroying ZFS Storage Pools


By design, creating and destroying pools is fast and easy.
However, be cautious when doing these operations.
Creating a ZFS Storage Pool
To create a storage pool, use the zpool create command.
This command takes a pool name and any number of virtual
devices as arguments.
Creating a Basic Storage Pool
The following command creates a new pool named tank that
consists of the disks c1t0d0 and c1t1d0:
# zpool create tank c1t0d0 c1t1d0


Creating and Destroying ZFS Storage Pools (cont.)

Creating a Mirrored Storage Pool
To create a mirrored pool, use the mirror keyword, followed
by any number of storage devices that will comprise the
mirror.
# zpool create tank mirror c1d0 c2d0 mirror c3d0 c4d0

Creating a Single-Parity RAID-Z Storage Pool


Creating a RAID-Z pool is identical to creating a mirrored
pool, except that the raidz keyword is used instead of
mirror.
# zpool create tank raidz c1t0d0 c2t0d0 c3t0d0 c4t0d0 /dev/dsk/c5t0d0


Creating and Destroying ZFS Storage Pools (cont.)

Creating a Double-Parity RAID-Z Storage Pool
You can create a double-parity RAID-Z configuration by
using the raidz2 keyword when the pool is created. For
example:
# zpool create tank raidz2 c1t0d0 c2t0d0 c3t0d0


Creating and Destroying ZFS Storage Pools (cont.)

Detecting In-Use Devices
Before formatting a device, ZFS first determines if the disk is in use
by ZFS or some other part of the operating system.
If the disk is in use, you might see errors such as the following:
# zpool create tank c1t0d0 c1t1d0
invalid vdev specification
use '-f' to override the following errors:
/dev/dsk/c1t0d0s0 is currently mounted on /
/dev/dsk/c1t0d0s1 is currently mounted on swap
/dev/dsk/c1t1d0s0 is part of active ZFS pool 'zeepool'
Please see zpool(1M)

Some of these errors can be overridden by using the -f option, but most errors
cannot.


Creating and Destroying ZFS Storage Pools (cont.)

Mismatched Replication Levels
Creating pools with virtual devices of different replication
levels is not recommended.
The zpool command tries to prevent you from accidentally
creating a pool with mismatched replication levels.
Doing a Dry Run of Storage Pool Creation
The zpool create command with the -n option simulates
creating the pool without actually writing data to disk.


Creating and Destroying ZFS Storage Pools (cont.)

Destroying ZFS Storage Pools
Pools are destroyed by using the zpool destroy command.
# zpool destroy tank


Querying ZFS Storage Pool Status


The zpool list command provides a number of ways to
request information regarding pool status.
Listing Information About All Storage Pools
With no arguments, the zpool list command displays all
the fields for all pools on the system. For example:
# zpool list
NAME    SIZE    USED   AVAIL    CAP  HEALTH  ALTROOT
tank   80.0G   22.3G   47.7G    28%  ONLINE  -
dozer   1.2T    384G    816G    32%  ONLINE  -


Querying ZFS Storage Pool Status (cont.)


Listing Specific Storage Pool Statistics
You can request specific statistics by using the -o option.
For example, to list only the name and size of each pool, you
use the following syntax:
# zpool list -o name,size
NAME SIZE
tank 80.0G
dozer 1.2T


Querying ZFS Storage Pool Status (cont.)


Display Command History of Pools
The zpool history command enables you to identify the
exact set of ZFS commands that were executed.
# zpool history
History for 'bpool':
2008-09-19.05:59:46 zpool create -f bpool c1t1d0
2008-09-19.06:00:25 zpool attach -f bpool c1t1d0 c1t2d0
2008-09-19.06:00:56 zpool add bpool mirror c1t3d0 c1t4d0
2008-09-19.06:01:23 zpool add bpool spare c1t6d0
2008-09-19.06:03:16 zfs create bpool/users
2008-09-19.06:03:23 zfs create bpool/users/larry
2008-09-19.06:03:30 zfs create bpool/users/curly
2008-09-19.06:03:36 zfs create bpool/users/moe
2008-09-19.06:04:21 zfs create bpool/zonepool
2008-09-19.06:04:46 zfs rename bpool/zonepool bpool/zonep
2008-09-19.06:05:03 zfs create bpool/zonep/dset
2008-09-19.06:05:09 zfs create bpool/zonep/fixed
2008-09-19.06:38:40 zfs set com.suned:backup=10/15/08 bpool/users
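
Because zpool history records each command exactly as it was run, it can serve as an audit trail for forced or destructive operations. The filter below is an added example, not part of the course material; the function names are constructed, and the sample reuses history lines from the slide plus one constructed zfs destroy entry.

```shell
#!/bin/sh
# Added example: pick forced (-f) and destroy operations out of
# `zpool history` output.

# Sample input: lines from the slide, plus one constructed destroy entry.
zpool_history_sample() {
cat <<'EOF'
History for 'bpool':
2008-09-19.05:59:46 zpool create -f bpool c1t1d0
2008-09-19.06:00:25 zpool attach -f bpool c1t1d0 c1t2d0
2008-09-19.06:00:56 zpool add bpool mirror c1t3d0 c1t4d0
2008-09-19.06:03:16 zfs create bpool/users
2008-09-19.06:03:36 zfs create bpool/users/moe
2008-09-19.07:10:02 zfs destroy -f bpool/users/moe
EOF
}

# zpool_history_audit: reads `zpool history` output on stdin and prints
#   timestamp pool REASON: command
# for every entry that used -f or the destroy subcommand.
zpool_history_audit() {
    awk '
    /^History for / {
        pool = $3
        sub(/:$/, "", pool)                    # trailing colon
        gsub(/[^A-Za-z0-9_:.-]/, "", pool)     # surrounding quotes
        next
    }
    $1 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\./ &&
    ($2 == "zpool" || $2 == "zfs") {
        forced = 0
        for (i = 4; i <= NF; i++)
            if ($i == "-f") { forced = 1; break }
        why = ""
        if ($3 == "destroy") why = "DESTROY"
        if (forced) why = (why == "" ? "FORCED" : why "+FORCED")
        if (why == "") next
        cmd = $2
        for (i = 3; i <= NF; i++) cmd = cmd " " $i
        printf "%s %s %s: %s\n", $1, pool, why, cmd
    }'
}

# On a live system: zpool history | zpool_history_audit
zpool_history_sample | zpool_history_audit
```
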


Querying ZFS Storage Pool Status (cont.)


ZFS Storage Pool Properties
# zpool get all rpool
NAME   PROPERTY     VALUE                        SOURCE
rpool  size         148G                         -
rpool  used         7.75G                        -
rpool  available    140G                         -
rpool  capacity     5%                           -
rpool  altroot      -                            default
rpool  health       ONLINE                       -
rpool  guid         11081266947880784355         -
rpool  version      10                           default
rpool  bootfs       rpool/ROOT/s10x_u6wos_07b    local
rpool  delegation   on                           default
rpool  autoreplace  off                          default
rpool  cachefile    -                            default
rpool  failmode     continue                     local


Querying ZFS Storage Pool Status (cont.)


Health Status of ZFS Storage Pools
ZFS provides an integrated method of examining pool and
device health. The health of a pool is determined from the
state of all its devices.
This state information is displayed by using the zpool
status command.
Each device can fall into one of the following states:
• ONLINE
• DEGRADED
• FAULTED


Querying ZFS Storage Pool Status (cont.)


Health Status of ZFS Storage Pools (continued)
• OFFLINE
• UNAVAILABLE
Basic Storage Pool Health Status
The simplest way to request a quick overview of pool health
status is to use the zpool status command:
# zpool status -x
all pools are healthy


Querying ZFS Storage Pool Status (cont.)


Detailed Health Status
You can request a more detailed health summary by using the
-v option. For example:
# zpool status -v tank
  pool: tank
 state: DEGRADED
status: One or more devices could not be opened. Sufficient replicas exist
        for the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
   see: http://www.sun.com/msg/ZFS-8000-2Q
 scrub: none requested
config:
        NAME        STATE     READ WRITE CKSUM
        tank        DEGRADED     0     0     0
          mirror    DEGRADED     0     0     0
            c1t0d0  FAULTED      0     0     0  cannot open
            c1t1d0  ONLINE       0     0     0
errors: No known data errors
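
For unattended monitoring, the config section of zpool status can be reduced to the devices that need attention: anything not ONLINE, and ONLINE devices whose error counters are no longer zero. The parser below is an added example, not part of the course material; the function names are constructed, and the dozer pool with a non-zero CKSUM counter is constructed sample data alongside the slide's tank output.

```shell
#!/bin/sh
# Added example: list devices from `zpool status` output that are not
# ONLINE or that show read, write or checksum errors.

# Sample input: the slide's tank pool plus a constructed dozer pool.
zpool_status_sample() {
cat <<'EOF'
  pool: tank
 state: DEGRADED
status: One or more devices could not be opened. Sufficient replicas exist
        for the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        tank        DEGRADED     0     0     0
          mirror    DEGRADED     0     0     0
            c1t0d0  FAULTED      0     0     0  cannot open
            c1t1d0  ONLINE       0     0     0

errors: No known data errors

  pool: dozer
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        dozer       ONLINE       0     0     0
          c2t0d0    ONLINE       0     0     3
          c3t0d0    ONLINE       0     0     0

errors: No known data errors
EOF
}

# zpool_unhealthy: reads `zpool status` output on stdin and prints
#   pool device state read=N write=N cksum=N [(note)]
# for each config row that is not ONLINE or has a non-zero counter.
zpool_unhealthy() {
    awk '
    $1 == "pool:"   { pool = $2; in_cfg = 0; next }
    $1 == "config:" { in_cfg = 1; next }
    $1 == "errors:" { in_cfg = 0; next }
    in_cfg && $1 == "NAME" { next }          # column header
    in_cfg && NF >= 5 {
        if ($2 == "ONLINE" && $3 + $4 + $5 == 0) next
        note = ""
        for (i = 6; i <= NF; i++) note = note (i > 6 ? " " : "") $i
        printf "%s %s %s read=%s write=%s cksum=%s%s\n",
               pool, $1, $2, $3, $4, $5, (note != "" ? " (" note ")" : "")
    }'
}

# On a live system: zpool status | zpool_unhealthy
zpool_status_sample | zpool_unhealthy
```
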


Creating and Destroying ZFS File Systems


Creating a ZFS File System
You use the zfs create command to create ZFS file
systems. The create subcommand takes a single argument:
the name of the file system to create.
Specify the file system name as a path name starting from the
name of the pool:
pool-name/[filesystem-name/]filesystem-name
The pool name and initial file system names in the path
identify the location in the hierarchy where the new file
system will be created. All the intermediate file system names
must already exist in the pool.


Creating and Destroying ZFS File Systems (cont.)

Creating Intermediate Datasets
You can use the -p option with the zfs create, zfs clone,
and zfs rename commands to quickly create an intermediate
dataset if it does not already exist.
• Create ZFS datasets: users/area2 in the datab
storage pool.
# zfs list
NAME USED AVAIL REFER MOUNTPOINT
datab 106K 16.5G 18K /datab
# zfs create -p -o compression=on datab/users/area2


Creating and Destroying ZFS File Systems (cont.)

Creating a ZFS File System (cont.)
In the following example, a file system named bonwick is
created in the tank/home file system.
# zfs create tank/home/bonwick

ZFS automatically mounts the newly created file system if it is
created successfully.


Creating and Destroying ZFS File Systems (cont.)

Destroying a ZFS File System
You use the zfs destroy command to destroy ZFS file
systems. The destroyed file system is automatically
unmounted and unshared.
In the following example, the tabriz file system is
destroyed.
# zfs destroy tank/home/tabriz

If the file system to be destroyed is busy and so cannot be
unmounted, the zfs destroy command fails. The zfs
destroy command also fails if a file system has children.


Creating and Destroying ZFS File Systems (cont.)
Renaming a ZFS File System
You use the zfs rename command to rename ZFS file
systems.
The rename subcommand can perform the following
operations:
• Change the name of a file system.
• Relocate the file system to a new location within the
ZFS hierarchy.
• Change the name of a file system and relocate it within
the ZFS hierarchy.


Creating and Destroying ZFS File Systems (cont.)
Renaming a ZFS File System (cont.)
The following example uses the rename subcommand to
simply rename a file system:
# zfs rename tank/home/kustarz tank/home/kustarz_old

The following example shows how to use zfs rename to
relocate a file system.
# zfs rename tank/home/maybee tank/ws/maybee


ZFS Properties
Two types, native and user defined
Properties provide the main mechanism that you use to
control the behavior of file systems, volumes, snapshots, and
clones.
Properties are either read-only statistics or settable properties.
Most settable properties are also inheritable.
An inheritable property is a property that, when set on a
parent, is propagated to all of its descendants.


ZFS Properties (cont.)


All inheritable properties have an associated source.
The source indicates how a property was obtained. The source
of a property can have the following values:
• default
• local
• inherited from dataset-name
• temporary
• - (none)


ZFS Properties (cont.)


Property Name   Type              Default Value  Description
aclinherit      String            secure         Controls how ACL entries are inherited when files and directories are created.
aclmode         String            groupmask      Controls how an ACL entry is modified during a chmod operation.
atime           Boolean           on             Controls whether the access time for files is updated when they are read.
available       Number            N/A            Read-only property that identifies the amount of space available to the dataset and all its children, assuming no other activity in the pool.
canmount        Boolean           on             Controls whether the given file system can be mounted with the zfs mount command.
checksum        String            on             Controls the checksum used to verify data integrity.
compression     String            off            Enables or disables compression for this dataset.
compressratio   Number            N/A            Read-only property that identifies the compression ratio achieved for this dataset.
copies          Number            1              Sets the number of copies of user data per file system.
creation        Number            N/A            Read-only property that identifies the date and time that this dataset was created.
devices         Boolean           on             Controls whether device nodes found within this file system can be opened.
exec            Boolean           on             Controls whether programs within this file system are allowed to be executed.
mounted         Boolean           N/A            Read-only property that indicates whether this file system, clone, or snapshot is currently mounted.
mountpoint      String            N/A            Controls the mount point used for this file system.
origin          String            N/A            Read-only property for cloned file systems or volumes that identifies the snapshot from which the clone was created.
quota           Number (or none)  none           Limits the amount of space a dataset and its descendants can consume.
readonly        Boolean           off            Controls whether this dataset can be modified.
recordsize      Number            128K           Specifies a suggested block size for files in the file system.
referenced      Number            N/A            Read-only property that identifies the amount of data accessible by this dataset.
refquota        Number (or none)  none           Sets the amount of space that a dataset can consume.
refreservation  Number (or none)  none           Sets the minimum amount of space that is guaranteed to a dataset, not including descendants, such as snapshots and clones.
reservation     Number (or none)  none           The minimum amount of space guaranteed to a dataset and its descendants.
setuid          Boolean           on             Controls whether the setuid bit is honored in the file system.
sharenfs        String            off            Controls whether the file system is available over NFS, and what options are used.
snapdir         String            hidden         Controls whether the .zfs directory is hidden or visible in the root of the file system.
type            String            N/A            Read-only property that identifies the dataset type as filesystem (file system or clone), volume, or snapshot.
used            Number            N/A            Read-only property that identifies the amount of space consumed by the dataset and all its descendants.
volsize         Number            N/A            For volumes, specifies the logical size of the volume.
volblocksize    Number            8 Kbytes       For volumes, specifies the block size of the volume.
zoned           Boolean           N/A            Indicates whether this dataset has been delegated to a non-global zone.
xattr           Boolean           on             Indicates whether extended attributes are enabled or disabled for this file system.


ZFS Properties (cont.)


ZFS Read-Only Properties
• Read-only properties are properties that you can
retrieve, but not set. Read-only properties are not
inherited.
Settable ZFS Properties
• Settable properties are properties whose values you
can both retrieve and set.
• Settable properties are set by using the zfs set
command.
• With the exception of quotas and reservations,
settable properties are inherited.


ZFS Properties (cont.)


ZFS User Properties
• User properties have no effect on ZFS behavior, but
you can use them to annotate datasets with information
that is meaningful in your environment.
• User property names must contain a colon (":")
character, to distinguish them from native
properties.


Querying ZFS File System


The zfs list command provides an extensible mechanism
for viewing and querying dataset information.
Listing Basic ZFS Information
You can list basic dataset information by using the zfs list
command with no options. For example:
# zfs list
NAME USED AVAIL REFER MOUNTPOINT
pool 84.0K 33.5G - /pool
pool/clone 0 33.5G 8.50K /pool/clone
pool/test 8K 33.5G 8K /test
pool/home 17.5K 33.5G 9.00K /pool/home
pool/home/marks 8.50K 33.5G 8.50K /pool/home/marks
pool/home/marks@snap 0 - 8.50K /pool/home/marks@snap


Querying ZFS File System (cont.)


Listing Basic ZFS Information (cont.)
You can also use the zfs list command to display specific
datasets by providing the dataset name on the command line.
Use the -r option to recursively display all descendants
of a dataset.
Creating Complex ZFS Queries
The zfs list output can be customized by using the
-o, -t, and -H options. For example:
# zfs list -o name,sharenfs,mountpoint
NAME SHARENFS MOUNTPOINT
tank rw /export


Querying ZFS File System (cont.)


Creating Complex ZFS Queries (cont.)
You can use the -t option to specify the types of datasets to
display. The valid types are:
• filesystem
• volume
• snapshot
You can use the -H option to omit the zfs list header from
the generated output.
With the -H option, all white space is output as tabs. This
option can be useful when you need parsable output.


Managing ZFS Properties


Dataset properties are managed through the zfs command’s
set, inherit, and get subcommands.
Setting ZFS Properties
You can use the zfs set command to modify any settable
dataset property.
Only one property at a time can be set or modified using zfs
set.
The following example sets the atime property to off for
tank/home.
# zfs set atime=off tank/home


Managing ZFS Properties (cont.)


Inheriting ZFS Properties
All settable properties, with the exception of quotas and
reservations, inherit their value from their parent.
If no ancestor has an explicit value set for an inherited
property, the default value for the property is used.
You can use the zfs inherit command to clear a property
setting, thus causing the setting to be inherited from the
parent.
The inherit subcommand applies recursively when you
specify the -r option.


Managing ZFS Properties (cont.)


Querying ZFS Properties
The simplest way to query property values is by using the
zfs list command.
For more complex queries and for scripting, you can use the
zfs get command to obtain more detailed information in a
customized format.
You can use the zfs get command to retrieve any dataset
property. For example:
# zfs get checksum tank/ws
NAME PROPERTY VALUE SOURCE
tank/ws checksum on default


Managing ZFS Properties (cont.)


Querying ZFS Properties (cont.)
The fourth column in zfs get output, SOURCE, indicates
how a property value has been set. The possible source values
are:
• default
• inherited from dataset-name
• local
• temporary
• - (none)


Managing ZFS Properties (cont.)


Querying ZFS Properties (cont.)
You can use the special keyword all to retrieve all dataset
properties. The following example uses the all keyword to
retrieve all existing dataset properties:
# zfs get all pool
NAME PROPERTY VALUE SOURCE
pool type filesystem -
pool creation Mon Mar 13 11:41 2006 -
pool used 2.62M -
<output omitted>

The -s option to zfs get enables you to specify, by source
value, the type of properties to display.
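
The SOURCE column decides where a weak setting has to be corrected: on the dataset itself when the source is local, on the named ancestor when it is inherited. The following script is an added example, not part of the course material; it reads tab-separated zfs get -H -o name,property,value,source output and prints the findings and the zfs set commands that would correct them. The baseline (setuid, devices, and sharenfs all off), the function names, and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit ZFS properties from parsable zfs get output.
# Assumed hardening baseline (not from the course material).
BASELINE='setuid=off devices=off sharenfs=off'

# Constructed sample, shaped like the output of:
#   zfs get -H -o name,property,value,source setuid,sharenfs <datasets>
# Fields are separated by tabs, as the -H option emits them.
sample_zfs_get() {
    printf 'tank/home\tsetuid\toff\tlocal\n'
    printf 'tank/home\tsharenfs\toff\tdefault\n'
    printf 'tank/home/bonwick\tsetuid\toff\tinherited from tank/home\n'
    printf 'tank/home/bonwick\tsharenfs\trw\tlocal\n'
    printf 'tank/ws\tsetuid\ton\tdefault\n'
    printf 'tank/ws\tsharenfs\trw\tlocal\n'
    printf 'tank/ws/maybee\tsetuid\ton\tdefault\n'
    printf 'tank/ws/maybee\tsharenfs\trw\tinherited from tank/ws\n'
}

# Shared awk prologue: load "prop=value" pairs from BASELINE into want[].
AWK_LOAD='BEGIN { n = split(baseline, kv, " ")
    for (i = 1; i <= n; i++) { split(kv[i], p, "="); want[p[1]] = p[2] } }'

# audit_props: print one finding per property value that differs from the
# baseline, together with the source that explains where the value came from.
audit_props() {
    awk -F '\t' -v baseline="$BASELINE" "$AWK_LOAD"'
        ($2 in want) && $3 != want[$2] {
            printf "%s: %s=%s (source: %s)\n", $1, $2, $3, $4
        }'
}

# plan_fixes: print the smallest set of zfs set commands for the findings.
#   local                -> fix on the dataset itself
#   inherited from X     -> fix on X, which propagates to its descendants
#   default (or other)   -> fix on the dataset, unless an ancestor is already
#                           being fixed (the child will then inherit the fix)
# Input must list parents before children, as zfs get -r does.
plan_fixes() {
    awk -F '\t' -v baseline="$BASELINE" "$AWK_LOAD"'
        function covered(prop, ds,    p) {
            p = ds
            while (sub("/[^/]*$", "", p)) {
                if ((prop, p) in planned) return 1
            }
            return 0
        }
        !($2 in want) || $3 == want[$2] { next }
        {
            target = $1
            if ($4 ~ /^inherited from /) target = substr($4, 16)
            else if ($4 != "local" && covered($2, $1)) next
            if ((($2, target) in planned)) next
            planned[$2, target] = 1
            print "zfs set " $2 "=" want[$2] " " target
        }'
}

# Demonstration on the constructed sample; nothing is executed against a pool.
sample_zfs_get | audit_props
sample_zfs_get | plan_fixes
```

The script only prints commands; review them before running any against a pool, because turning sharenfs off on a parent unshares every descendant that inherits the value.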


Mounting ZFS File Systems


Managing ZFS Mount Points
By default, all ZFS file systems are mounted by ZFS at boot by
using SMF’s svc://system/filesystem/local service.
File systems are mounted under /path, where path is the
name of the file system.
You can override the default mount point by using the zfs
set command to set the mountpoint property to a specific
path.
ZFS automatically creates this mount point, if needed.
The mountpoint property is inherited.


Mounting ZFS File Systems (cont.)


Managing ZFS Mount Points (cont.)
You can set the mountpoint property to none to prevent a
file system from being mounted.
If desired, you can explicitly manage file systems through
legacy mount interfaces by setting the mountpoint property
to legacy.


Mounting ZFS File Systems (cont.)


Automatic Mount Points
When you create a pool, you can set the default mount point
for the root dataset by using zpool create -m.
Any dataset whose mountpoint property is not legacy is
managed by ZFS.
When you change the mountpoint property, the file system
is automatically unmounted from the old mount point and
remounted to the new mount point.
Mount point directories are created as needed.


Mounting ZFS File Systems (cont.)


Legacy Mount Points
You can manage ZFS file systems with legacy tools by setting
the mountpoint property to legacy.
Legacy file systems must be managed through the mount and
umount commands and the /etc/vfstab file.
The following examples show how to set up and manage a
ZFS dataset in legacy mode:
# zfs set mountpoint=legacy tank/home/eschrock
# mount -F zfs tank/home/eschrock /mnt


Mounting ZFS File Systems (cont.)


Mounting ZFS File Systems
ZFS automatically mounts file systems when file systems are
created or when the system boots.
The zfs mount command is only necessary when changing
mount options, or explicitly mounting or unmounting file
systems.
The zfs mount command with no argument shows all
currently mounted file systems that are managed by ZFS.
# zfs mount
tank /tank
tank/home /tank/home
tank/home/bonwick /tank/home/bonwick


Mounting ZFS File Systems (cont.)


Mounting ZFS File Systems (cont.)
You can use the -a option to mount all ZFS managed file
systems. For example:
# zfs mount -a

This command does not mount legacy managed file systems.


When a file system mounts, it uses a set of mount options
based on the property values associated with the dataset.


Mounting ZFS File Systems (cont.)


The canmount Property
Use the canmount property to specify whether a dataset can
be mounted by using the zfs mount command.
The example shows an existing directory in /export/home
on a system. The canmount property adds the ZFS home
directory file systems to the existing UFS file system. This
existing UFS file system contains a home directory.
# ls -F /export/home
tim/
# df -h /export/home/tim
Filesystem size used avail capacity Mounted on
/dev/dsk/c0t0d0s0 13G 5.9G 7.3G 45% /


Mounting ZFS File Systems (cont.)


Temporary Mount Properties
If you explicitly set mount options by using the -o option
with the zfs mount command, the corresponding property
value is temporarily overridden.
In the following example, the read-only mount option is
temporarily set on the tank/home/perrin file system:
# zfs mount -o ro tank/home/perrin

To temporarily change a property on a file system that is
currently mounted, you must use the special remount
option.


Mounting ZFS File Systems (cont.)


Unmounting ZFS File Systems
You can unmount file systems by using the zfs unmount
subcommand. The unmount command accepts either the
mount point or the file system name as an argument.
In the following example, a file system is unmounted by
specifying its file system name:
# zfs unmount tank/home/tabriz

In the following example, the file system is unmounted by
specifying its mount point:
# zfs unmount /export/home/tabriz


ZFS Web-Based Management


A web-based ZFS management tool is available to perform many
administrative actions. You can access the ZFS Administration
console through a secure web browser at the following URL:
https://system-name:6789/zfs

If you type the appropriate URL and are unable to reach the ZFS
Administration console, the server might not be started. To start
the server, run the following command:
# /usr/sbin/smcwebserver start

If you want the server to run automatically when the system
boots, run the following command:
# /usr/sbin/smcwebserver enable


ZFS Snapshots
A snapshot is a read-only copy of a file system or volume.
Snapshots are created almost instantly, and initially consume
no additional disk space within the pool.
ZFS snapshots include the following features:
• Snapshots persist across system reboots.
• The theoretical maximum number of snapshots is 2^64.
• Snapshots use no separate backing store. Snapshots
consume disk space directly from the same storage
pool as the file system from which they were created.


ZFS Snapshots (cont.)


Creating and Destroying ZFS Snapshots
You use the zfs snapshot command to create ZFS
snapshots. The zfs snapshot command takes the name of
the snapshot to create as its only argument.
Snapshot names use the following format:
filesystem@snapname
volume@snapname

The following example creates a snapshot of
tank/home/ahrens that is named friday.
# zfs snapshot tank/home/ahrens@friday


ZFS Snapshots (cont.)


Creating and Destroying ZFS Snapshots
Snapshots have no modifiable properties. Dataset properties
cannot be applied to a snapshot.
You use the zfs destroy command to destroy a ZFS
snapshot. For example:
# zfs destroy tank/home/ahrens@friday

A dataset cannot be destroyed if snapshots of the dataset exist.


In addition, if clones have been created from a snapshot, then
they must be destroyed before the snapshot can be destroyed.


ZFS Snapshots (cont.)


Renaming ZFS Snapshots
You can rename snapshots, but they must remain within the
pool and dataset from which they were created. For example:
# zfs rename tank/home/cindys@031306 tank/home/cindys@today

Displaying and Accessing ZFS Snapshots


Snapshots of file systems are accessible in the .zfs/snapshot
directory within the root of the containing file
system. For example:
# ls /home/ahrens/.zfs/snapshot
tuesday wednesday thursday


ZFS Snapshots (cont.)


Displaying and Accessing ZFS Snapshots (cont.)
You can list all snapshots as follows:
# zfs list -t snapshot
NAME USED AVAIL REFER MOUNTPOINT
pool/home/anne@monday 0 - 780K -
pool/home/bob@monday 0 - 1.01M -
<output omitted>

You can list snapshots that were created for a particular file
system as follows:
# zfs list -r -t snapshot -o name,creation pool/home
NAME CREATION
pool/home/anne@monday Mon Mar 13 11:46 2006
pool/home/bob@monday Mon Mar 13 11:46 2006


ZFS Snapshots (cont.)


Snapshot Space Accounting
When you create a snapshot, its space is initially shared
between the snapshot and the file system, and possibly with
previous snapshots.
As the file system changes, space that was previously shared
becomes unique to the snapshot, and thus is counted in the
snapshot’s used property.
Additionally, deleting snapshots can increase the amount of
space unique to (and thus used by) other snapshots.


ZFS Snapshots (cont.)


ZFS Quotas and Reservations for File System Data Only
• The refquota property limits the amount of space a dataset
can consume.
• The refreservation property sets the minimum
amount of space that is guaranteed to a dataset.
You can set a 10-Gbyte refquota for studentA, which places a
10-Gbyte hard limit on referenced space. For additional flexibility,
you can set a 20-Gbyte quota that allows you to manage
studentA’s snapshots.
# zfs set refquota=10g tank/studentA
# zfs set quota=20g tank/studentA


ZFS Snapshots (cont.)


Rolling Back to a ZFS Snapshot
You can use the zfs rollback command to discard all
changes made since a specific snapshot.
The zfs rollback command causes the file system to revert
to its state at the time the snapshot was taken.
By default, the zfs rollback command cannot roll back to
a snapshot other than the most recent snapshot.
To roll back to an earlier snapshot, you must destroy all
intermediate snapshots. You can destroy more recent
snapshots by specifying the -r option.


ZFS Clones
A clone is a writable volume or file system whose initial
contents are the same as the snapshot from which it was
created.
As with snapshots, creating a clone is nearly instantaneous,
and initially consumes no additional disk space.
You can only create clones from a snapshot.
When you clone a snapshot, an implicit dependency is created
between the clone and snapshot.
A clone does not inherit properties from the dataset from
which it was created.


ZFS Clones (cont.)


Creating a ZFS Clone
To create a clone, use the zfs clone command. Specify the
snapshot from which to create the clone, and the name of the
new file system or volume.
The new file system or volume can be located anywhere in the
ZFS hierarchy within the same pool.
The following example creates a new clone named
tank/home/ahrens/bug123, with the same initial contents as
the snapshot tank/ws/gate@yesterday.
# zfs snapshot tank/ws/gate@yesterday
# zfs clone tank/ws/gate@yesterday tank/home/ahrens/bug123


ZFS Clones (cont.)


Destroying a ZFS Clone
You use the zfs destroy command to destroy ZFS clones.
For example:
# zfs destroy tank/home/ahrens/bug123

Clones must be destroyed before the parent snapshot can be
destroyed.


ZFS Clones (cont.)


Replacing a ZFS File System With a ZFS Clone
You can use the zfs promote command to replace an active
ZFS file system with a clone of that file system.
This feature makes it possible to clone and replace file
systems so that the ’origin’ file system becomes the clone of the
specified file system.
In addition, this feature makes it possible to destroy the file
system from which the clone was originally created.
Without clone promotion, you cannot destroy an ’origin’ file
system of active clones.


ZFS Clones (cont.)


Replacing a ZFS File System With a ZFS Clone
In the following example, the tank/test/productA file
system is cloned and then the clone file system,
tank/test/productAbeta, becomes the tank/test/productA file
system.
# zfs create tank/test
# zfs create tank/test/productA
# zfs snapshot tank/test/productA@today
# zfs clone tank/test/productA@today tank/test/productAbeta
# zfs list -r tank/test
NAME USED AVAIL REFER MOUNTPOINT
tank/test 314K 8.24G 25.5K /tank/test
tank/test/productA 288K 8.24G 288K /tank/test/productA
tank/test/productA@today 0 - 288K -
tank/test/productAbeta 0 8.24G 288K /tank/test/productAbeta


ZFS Clones (cont.)


Replacing a ZFS File System With a ZFS Clone
# zfs promote tank/test/productAbeta
# zfs list -r tank/test
NAME USED AVAIL REFER MOUNTPOINT
tank/test 316K 8.24G 27.5K /tank/test
tank/test/productA 0 8.24G 288K /tank/test/productA
tank/test/productAbeta 288K 8.24G 288K /tank/test/productAbeta
tank/test/productAbeta@today 0 - 288K -


ZFS Clones (cont.)


Replacing a ZFS File System With a ZFS Clone
Complete the clone replacement process by renaming the file
systems. For example:
# zfs rename tank/test/productA tank/test/productAlegacy
# zfs rename tank/test/productAbeta tank/test/productA
# zfs list -r tank/test
NAME USED AVAIL REFER MOUNTPOINT
tank/test 316K 8.24G 27.5K /tank/test
tank/test/productA 288K 8.24G 288K /tank/test/productA
tank/test/productA@today 0 - 288K -
tank/test/productAlegacy 0 8.24G 288K /tank/test/productAlegacy


Using ZFS on a Solaris System With Zones Installed
You can associate ZFS datasets with non-global zones either
by adding them to the zones, or delegating them to the zones.
Typically you would associate ZFS file systems or volumes
with non-global zones.
For example, adding a file system to a non-global zone allows
the non-global zone to share space with the global zone. When
a file system is added in this way, the non-global zone
administrator cannot control properties of the file system, or
create new ZFS file systems below the added file system.


Using ZFS on a Solaris System With Zones Installed (cont.)
When you delegate a dataset to a non-global zone, you give
complete control over the dataset and all its children to the
zone administrator.
For example, if you delegate a file system to a non-global
zone, the zone administrator can create and destroy file
systems within that dataset, and modify their properties.
The zone administrator cannot affect datasets that have not
been delegated to the zone, and cannot exceed any top-level
quotas set on the delegated dataset.


Using ZFS on a Solaris System With Zones Installed (cont.)
Adding ZFS File Systems to a Non-Global Zone
You can add a ZFS file system as a generic file system when
the goal is solely to share space with the global zone. A ZFS
file system that is added to a non-global zone must have its
mountpoint property set to legacy.
You can add a ZFS file system to a non-global zone by using
the add fs subcommand in zonecfg. For example:
zonecfg:zone1> add fs
zonecfg:zone1:fs> set type=zfs
zonecfg:zone1:fs> set special=tank/zone/zone1
zonecfg:zone1:fs> set dir=/export/shared
zonecfg:zone1:fs> end

Using ZFS on a Solaris System With Zones Installed (cont.)
Delegating Datasets to a Non-Global Zone
If the primary goal is to delegate the administration of storage
to a zone, then ZFS supports adding datasets to a non-global
zone through use of the add dataset subcommand in
zonecfg. For example:
zonecfg:zone1> add dataset
zonecfg:zone1:dataset> set name=tank/zone/zone1
zonecfg:zone1:dataset> end

Using ZFS on a Solaris System With Zones Installed (cont.)
Delegating Datasets to a Non-Global Zone (cont.)
The zone administrator can set file system properties, and
create new file systems below the delegated file system.
In addition, the zone administrator can take snapshots, create
clones, and otherwise control the entire file system hierarchy
from the delegated file system down.

Using ZFS on a Solaris System With Zones Installed (cont.)
Adding ZFS Volumes to a Non-Global Zone
You can add emulated volumes to a non-global zone by using
the add device subcommand in zonecfg.
In the following example, a ZFS emulated volume is added to
a non-global zone by the administrator in the global zone:
zonecfg:zone1> add device
zonecfg:zone1:device> set match=/dev/zvol/dsk/tank/vol
zonecfg:zone1:device> end

Using ZFS on a Solaris System With Zones Installed (cont.)
Using ZFS Storage Pools Within a Zone
You cannot create or modify ZFS storage pools from within a
non-global zone.
The delegated administration model centralizes control of
physical storage devices within the global zone, and delegates
control of virtual storage to non-global zones.
While a pool-level dataset can be added to a non-global zone,
any command that modifies the physical characteristics of the
pool, such as creating, adding, or removing devices, is not
allowed from within a non-global zone.

Using ZFS on a Solaris System With Zones Installed (cont.)
Property Management Within a Non-Global Zone
Once a dataset is delegated to a zone, the zone administrator can
control specific dataset properties.
When a dataset is delegated to a zone, its ancestors are visible to
zfs list in the non-global zone, but their content remains
inaccessible. The delegated dataset itself is writable, as are all its
children.
The zone administrator cannot change the sharenfs property,
because non-global zones cannot act as NFS servers.
Neither can the zone administrator change the zoned property.

Using ZFS on a Solaris System With Zones Installed (cont.)
Understanding the zoned Property
When a dataset is added to a non-global zone, the dataset
must be specially marked so that certain properties are not
interpreted within the context of the global zone.
Once a dataset has been added to a non-global zone under the
control of a zone administrator, its contents can no longer be
trusted.
ZFS uses the zoned property to indicate that a dataset has
been delegated to a non-global zone at one point in time.

Using ZFS on a Solaris System With Zones Installed (cont.)
Understanding the zoned Property
The zoned property is a boolean value that is automatically
turned on when a zone containing a ZFS dataset is first
booted.
If the zoned property is set, the dataset cannot be mounted or
shared in the global zone.
When a dataset is removed from a zone or a zone is destroyed,
the zoned property is not automatically cleared.

Using ZFS on a Solaris System With Zones Installed (cont.)
Understanding the zoned Property
To prevent accidental security risks, the zoned property must be
manually cleared by the global administrator if you want to
reuse the dataset in any way.
Before setting the zoned property to off, make sure that the
mountpoint property for the dataset and all its children is set
to reasonable values and that no setuid binaries exist, or turn off
the setuid property.
Once you have verified that no security vulnerabilities are left,
the zoned property can be turned off by using the zfs set or
zfs inherit commands.
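
The pre-clear check described above can be scripted. The following is an added example, not part of the original course material: it audits the tab-separated output of zfs get for mountpoints that would land outside an approved directory tree and for datasets that still have setuid=on. The function names, the /export/reclaim prefix, the definition of a "reasonable" mountpoint, and the sample property listing are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a dataset that was delegated to a zone before the
# global administrator clears its zoned property.
#
# Real input would come from the global zone:
#   zfs get -r -H -o name,property,value mountpoint,setuid tank/zone/zone1
# On Solaris 10, run with AWK=nawk (the default /usr/bin/awk lacks -v).

AWK=${AWK:-awk}

# audit_zoned_dataset PREFIX
# Reads "name<TAB>property<TAB>value" lines on stdin.
# Assumption: a mountpoint is acceptable only if it is legacy, none, or a
# path at or below PREFIX with no ".." component. Anything else could be
# mounted over a global-zone path once zoned is turned off.
# Returns 0 when nothing needs attention, 1 otherwise.
audit_zoned_dataset() {
    "$AWK" -F'\t' -v prefix="$1" '
        $2 == "mountpoint" {
            mp = $3
            if (mp == "legacy" || mp == "none") next
            inside = (mp == prefix || index(mp, prefix "/") == 1)
            dotdot = (mp ~ /(^|\/)\.\.(\/|$)/)
            if (!inside || dotdot) {
                printf "UNSAFE mountpoint %s on %s\n", mp, $1
                bad++
            }
            next
        }
        # setuid=on means any setuid binary left by the zone administrator
        # keeps its privilege when the dataset is mounted in the global zone.
        $2 == "setuid" && $3 == "on" {
            printf "REVIEW setuid=on on %s\n", $1
            bad++
        }
        END { exit(bad ? 1 : 0) }
    '
}

# Constructed sample listing (not captured from a real system).
sample_zfs_get() {
    printf 'tank/zone/zone1\tmountpoint\t/export/reclaim\n'
    printf 'tank/zone/zone1\tsetuid\ton\n'
    printf 'tank/zone/zone1/data\tmountpoint\t/export/reclaim/data\n'
    printf 'tank/zone/zone1/data\tsetuid\toff\n'
    printf 'tank/zone/zone1/tools\tmountpoint\t/usr/bin\n'
    printf 'tank/zone/zone1/tools\tsetuid\toff\n'
    printf 'tank/zone/zone1/trav\tmountpoint\t/export/reclaim/../../etc\n'
    printf 'tank/zone/zone1/trav\tsetuid\toff\n'
    printf 'tank/zone/zone1/old\tmountpoint\tlegacy\n'
    printf 'tank/zone/zone1/old\tsetuid\toff\n'
}

# Demo run: only after the audit is clean would the administrator run
#   zfs set zoned=off tank/zone/zone1
sample_zfs_get | audit_zoned_dataset /export/reclaim ||
    echo "Findings above: leave zoned=on until they are resolved"
```

Fix each UNSAFE line with zfs set mountpoint=... and each REVIEW line with zfs set setuid=off (or inspect the dataset for setuid binaries) before clearing zoned.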


Module 4

Predictive Self-Healing


Objectives
• List the benefits of Predictive Self-Healing
• Determine the relationship of Fault Management
Architecture (FMA) to Sun’s Predictive Self-Healing
capability
• Determine the relationship of Service Management
Facility (SMF) to Sun’s Predictive Self-Healing
capability
• Explore features of the Fault Management Architecture
• Explore features of the Service Management Facility


What is Predictive Self-Healing?


• Self-healing technology enables Sun systems and
services to maximize availability in the face of software
and hardware faults.
• Self-healing technology facilitates a simpler and more
effective end-to-end experience for system
administrators, which can reduce cost of ownership.
• Predictive Self-Healing benefits.
• Predictive Self-Healing features:
• Fault Management Architecture
• Service Management Facility


Fault Management Architecture


• Fault Management Architecture (FMA) is a fault
detection and action methodology built into the Solaris
10 OS.
• Error Handling – Detect an error.
• Fault Diagnosing – Identify the cause of the error.
• Response – What action should be taken to correct the
error?


Fault Management Activities


Error Handler
Software for the following must be written specifically to
work with the fault manager.
• Drivers
• CPU
• Memory
• PCI
The software must detect an error, capture data, and generate
an error event.


Event Naming Scheme


Naming scheme for a CPU (UltraSPARC2e) event:
ereport.cpu.UltraSparc2e.DPERR

[Figure: event class hierarchy, one level per line]
Level 1: ereport, fault, list
Level 2: asic, cpu, i/o, solaris
Level 3: UltraSPARC1, UltraSPARC2, UltraSPARC2e
Level 4: CE, TO, TPERR, DPERR, UE


FMRI (URL and URI)


• All FMRIs are composed of:
fmri-scheme://authority/path
• Current schemes include:
• cpu – Central Processing Unit
• mem – System main memory
• mod – Modules
• pkg – Packages
• hc – Hardware component managed by FMA
• legacy-hc – Legacy hardware component
• fmd – Diagnosis engine which is part of FMA
• dev – Solaris device path status and properties
• svc – Application service managed by the Service Management
Facility
• zfs – ZFS file system


Fault Manager Daemon (fmd)


• Fault Manager Daemon contains:
• Diagnosis engines
• Agents
• Schemes


Fault Manager Daemon (fmd) (cont.)


• Solaris fault management architecture


Fault Manager Daemon (fmd) (cont.)


• The fault engine generates an event (FMRI) to the FMA
Agent.
• The FMA Agent will take action on the error:
• Restart a daemon
• Dynamically reconfigure a device
• Generate an error
• Take some other action of self-healing


Fault Manager Daemon (fmd) (cont.)


• /usr/platform/`uname -m`/lib/fm/fmd/plugins
• /usr/lib/fm/fmd/plugins
• All plug-ins will have a .conf file
• Configuration and logging:
• /etc/fm/fmd/fmd.conf
• /usr/lib/fm/fmd
• /var/fm/fmd


Looking at FMA Data


Using the fmadm Utility


# fmadm config
MODULE VERSION STATUS DESCRIPTION
USII-io-diagnosis 1.0 active UltraSPARC-II I/O Diagnosis
cpumem-retire 1.1 active CPU/Memory Retire Agent
disk-transport 1.0 active Disk Transport Agent
eft 1.16 active eft diagnosis engine
fabric-xlate 1.0 active Fabric Ereport Translater
fmd-self-diagnosis 1.0 active Fault Manager Self-Diagnosis
io-retire 1.0 active I/O Retire Agent
snmp-trapgen 1.0 active SNMP Trap Generation Agent
sysevent-transport 1.0 active SysEvent Transport Agent
syslog-msgs 1.0 active Syslog Messaging Agent
zfs-diagnosis 1.0 active ZFS Diagnosis Engine
zfs-retire 1.0 active ZFS Retire Agent

# fmadm faulty
STATE RESOURCE / UUID
------------------------------------------------------------------------
faulted fmd:///module/cpumem-diagnosis
72c443b7-35a3-6779-bf48-fea92b893c36
------------------------------------------------------------------------
degraded mem:///unum=Slot,A:J7900
44d8c0bc-b8da-6a47-c4f2-b7e40c3ca1c3
------------------------------------------------------------------------


Using the fmadm Utility (cont.)


The fmadm repair process is as follows:
• Identify the faulty device with the fmadm faulty -a
command.
# fmadm faulty
STATE RESOURCE / UUID
------------------------------------------------------
faulty <fmri>

• Clear the fault by using the fmadm repair command.
# fmadm repair <fmri>

• Run the fmadm faulty command again to be sure the
fault is cleared.
# fmadm faulty -a
STATE RESOURCE / UUID

Using the fmstat Utility


# fmstat
module ev_recv ev_acpt wait svc_t %w %b open solve memsz bufsz
cpumem-retire 0 0 0.0 0.8 0 0 0 0 0 0
disk-transport 0 0 0.0 143.0 0 0 0 0 32b 0
eft 0 0 0.0 1.0 0 0 0 0 1.4M 0
fabric-xlate 0 0 0.0 0.9 0 0 0 0 0 0
fmd-self-diagnosis 0 0 0.0 0.2 0 0 0 0 0 0
io-retire 0 0 0.0 0.1 0 0 0 0 0 0
snmp-trapgen 0 0 0.0 0.2 0 0 0 0 32b 0
sysevent-transport 0 0 0.0 199.3 0 0 0 0 0 0
syslog-msgs 0 0 0.0 0.0 0 0 0 0 0 0
zfs-diagnosis 8 0 0.0 0.7 0 0 0 0 0 0
zfs-retire 0 0 0.0 0.9 0 0 0 0 0 0
# fmstat -m cpumem-retire
NAME VALUE DESCRIPTION
auto_flts 0 auto-close faults received
bad_flts 0 invalid fault events received
cpu_blfails 0 failed cpu blacklists
cpu_blsupp 0 cpu blacklists suppressed
cpu_fails 0 cpu faults unresolveable
cpu_flts 0 cpu faults resolved
cpu_supp 0 cpu offlines suppressed
nop_flts 0 inapplicable fault events received
page_fails 0 page faults unresolveable
page_flts 0 page faults resolved
page_nonent 0 retires for non-existent fmris
page_supp 0 page retires suppressed


Using the fmstat Utility (cont.)


# fmstat -s -m cpumem-diagnosis
NAME >N T CNT DELTA STAT
0f353373-67f0-6585-bd01-a405f6d9cdec >2 3d 1 43597245900ns pend
# fmstat -s -m cpumem-diagnosis
NAME >N T CNT DELTA STAT
0f353373-67f0-6585-bd01-a405f6d9cdec >2 3d 3 200606494100ns fire


Using the fmdump Utility


# fmdump -e
TIME CLASS
Jul 26 12:49:27.6137 ereport.cpu.ultraSPARC-IIIplus.ce
# fmdump -Ve
TIME CLASS
Jul 26 12:49:27.613793750 ereport.cpu.ultraSPARC-IIIplus.ce
nvlist version: 0
class = ereport.cpu.ultraSPARC-IIIplus.ce
...
syndrome-status = 0x1
syndrome = 0x3e
error-type = Persistent
l2-cache-ways = 0x1
l2-cache-data = 0xec0106f1a6 0x39c000 0x0 0x2c7c6000002 0xb9 0xeccf00df1b9c000
0xeccf00df1b9c000 0xeccf00df1b9c000 0xeccf00df1b9c000 0x2c361 0xeccf00df1b9c000 0xeccf00df1b9c000
0xeccf00df1b9c000 0xeccf00df1b9c000 0x2c361
dcache-ways = 0x0
icache-ways = 0x0
resource = (embedded nvlist)
nvlist version: 0
version = 0x0
scheme = mem
unum = Slot B: J3000
(end resource)


Using the fmdump Utility (cont.)


# fmdump
TIME UUID SUNW-MSG-ID
Jul 26 12:52:10.6786 dbdc7f15-848c-cbdc-b47f-deb9d9fff5c9 SUN4U-8000-1A

The -v option of fmdump provides extra information about the fault.


# fmdump -v -u dbdc7f15-848c-cbdc-b47f-deb9d9fff5c9
TIME UUID SUNW-MSG-ID
Jul 26 12:52:10.6786 dbdc7f15-848c-cbdc-b47f-deb9d9fff5c9 SUN4U-8000-1A
100% fault.memory.page
FRU: mem:///component=Slot B: J3000
rsrc: mem:///component=Slot B: J3000


Information Recorded by syslog


SUNW-MSG-ID: SUNOS-8000-0G, TYPE: Error, VER: 1, SEVERITY: Major
EVENT-TIME: 0x40c5f5b8.0x1017d044 (0x69e2a9b6e4)
PLATFORM: SUNW,Sun-Fire-880, CSN: -, HOSTNAME: s12y-lab
SOURCE: SunOS, REV: 5.10 s10_56
DESC: Errors have been detected that require a reboot to ensure system
integrity. See http://www.sun.com/msg/SUNOS-8000-0G for more information.
AUTO-RESPONSE: Solaris will attempt to save and diagnose the error telemetry
IMPACT: The system will sync files, save a crash dump if needed, and reboot
REC-ACTION: Save the error summary below in case telemetry cannot be saved

ereport.io.pci.master-abort ena=69e2a5c19c00005 detector=[ version=0 scheme=
"dev" device-path="/pci@9,600000" ] pci-status=22a0 pci-command=146 pci-pa=0
ereport.io.pci.master-abort ena=69e2a5c19c00009 detector=[ version=0 scheme=
"dev" device-path="/pci@8,700000" ] pci-status=2280 pci-command=146 pci-pa=0
ereport.io.pci.master-abort ena=69e2a5c19c0000d detector=[ version=0 scheme=
"dev" device-path="/pci@9,700000" ] pci-status=2280 pci-command=146 pci-pa=0
ereport.cpu.ultraSPARC-IIIplus.ue ena=69e2a5c19c00001 detector=[ version=0
scheme="cpu" cpuid=0 cpumask=b1 serial=12e1df824e1 ] afsr=1000040000000a
afar-status=1 afar=a1fe4a4020 pc=7b602a00 tl=0 tt=32 privileged=1 multiple=0
syndrome-status=1 syndrome=a error-type="Unknown" l2-cache-ways=1
l2-cache-data=[...] dcache-ways=0 icache-ways=0 resource=[ version=0 scheme=
"mem" unum="Slot A: J2900 J2901 J3001 J3000" ]


Information Recorded by syslog (cont.)


SUNW-MSG-ID: SUN4U-8000-35, TYPE: Fault, VER: 1, SEVERITY: Minor
EVENT-TIME: Tue Jun 8 13:24:12 EDT 2004
PLATFORM: SUNW,Sun-Fire-880, CSN: -, HOSTNAME: s12y-lab
SOURCE: cpumem-diagnosis, REV: 1.0
EVENT-ID: 7a67763c-08f0-672e-ceee-ad6ab7065113
DESC: The number of errors associated with this memory module has exceeded acceptable levels.
Refer to http://sun.com/msg/SUN4U-8000-35 for more information.
AUTO-RESPONSE: Pages of memory associated with this memory module are being removed from service
as errors are reported.
IMPACT: Total system memory capacity will be reduced as pages are retired.
REC-ACTION: Schedule a repair procedure to replace the affected memory module.
Use fmdump -v -u <EVENT_ID> to identify the module.


SNMP-Based Monitoring
• Information can be:
• Pushed from any device to one or more network
management stations (NMSs).
• Pulled by an administrator or automated utility
from a particular device of interest.
• Managed devices signify events using traps or
notifications.
• MIB provides access to a much greater breadth and
depth of information than is transmitted with a trap or
notification.
• /etc/sma/snmp/mibs/SUN-FM-MIB
• snmp-trapgen: an SNMP Plugin for fmd


SNMP-Based Monitoring (cont.)


• SNMPv2 notification example:
2006-02-07 16:36:34 stomper [192.xx.xx.xx]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2266748911) 262 days, 8:31:29.11
SNMPv2-MIB::snmpTrapOID.0 = OID: SUN-FM-MIB::sunFmProblemTrap
SUN-FM-MIB::sunFmProblemUUID."a58aa105-4fab-6e16-8557-ab7687113de7" = STRING: "a58aa105-4fab-6e16-8557-ab7687113de7"
SUN-FM-MIB::sunFmProblemCode."a58aa105-4fab-6e16-8557-ab7687113de7" = STRING: SUN4U-8000-KA
SUN-FM-MIB::sunFmProblemURL."a58aa105-4fab-6e16-8557-ab7687113de7" = STRING: http://sun.com/msg/SUN4U-8000-KA

• libfmd_snmp: a MIB Plugin for the SMA
• Add the architecture-dependent line dlmod sunFM
/usr/lib/fm/sparcv9/libfmd_snmp.so.1 to
/etc/sma/snmp/snmpd.conf
• Use the snmpwalk utility to view devices in a degraded or
faulted state:
snmpwalk -c public -v 2c stomper sunFmResourceTable
SUN-FM-MIB::sunFmResourceFMRI.1 = STRING: cpu:///cpuid=4/serial=23EBEC1505
SUN-FM-MIB::sunFmResourceStatus.1 = INTEGER: degraded(3)
SUN-FM-MIB::sunFmResourceDiagnosisUUID.1 = STRING:
"a58aa105-4fab-6e16-8557-ab7687113de7"


Interacting with Service Management Facility
Service Management Facility is used to restart a service that was
necessarily terminated in response to a hardware error caught
by FMA.


Service Management Facility


SMF is designed to provide a unified Solaris configuration
infrastructure.
SMF speeds up the boot process:
• Processes are started in parallel, not sequentially.
• Processes are maintained in a database repository.
• Processes are prioritized for prerequisite
sequencing.
• The rc and init.d scripts become legacy.
• The /etc/inittab is becoming legacy.
• The /etc/inetd.conf becomes legacy.


Service Management Facility (cont.)


Previously, the operation of inittab performed three tasks.
These tasks have been moved under the control of the Service
Management Facility.
• Milestones – were Single-User, Multi-User, and
Multi-User-Server
• Events – were tasks like init5 and init6.
• Processes – were processes like starting the Service
Access Controller for the Portmonitor and starting a
ttymon process that controlled the console login
service. There were also many third-party applications
started in inittab (for example, UPS services).


Service Management Facility (cont.)


Services normally started in /etc/inittab and
/etc/inetd.conf are now organized into:
• Manifests – List of things pertaining to each service.
• Profiles – A service profile is a group of related services
for the purpose of enabling them in a consistent
pattern.


SMF Components
SMF Component        Description
svc.startd           Responsible for starting and stopping services as requested
svc.configd          Responsible for accessing the configuration repository
Service repository   The /etc/svc/repository.db file
Delegated restarter  For example: inetd
Service abstraction  An entity which provides a known list of capabilities to other local and remote services.


SMF Initialization


Services
• The fundamental unit of administration in SMF is the
service.
• It provides a known list of capabilities to other local
and remote services.
• Services are represented as instance nodes which are
children of service nodes.
• One service might have many instances such as a Web
server on multiple ports.
• Both service nodes and instance nodes can have
properties.
• If an instance doesn't have property X, the service's
property X is used.


Service and Instance Nodes


Service/Instance FMRI Syntax


Service Components
• Services are composed of several components, for
example:
• A mechanism to start and stop the service
• A mechanism to monitor and restart services
• A location for configuration data (properties)
• A location for error messages
• SMF organizes service components using profiles and
manifests.


Service Profiles
• A service profile is used to set general settings for a
system as to what services need to run.
• It consists of a group of related services for the purpose
of enabling them in a consistent pattern.
• Profiles are listed in the directory /var/svc/profile.
• The generic_open.xml profile.
• The generic_limited_net.xml profile.


Manifests
• A manifest is used to describe a single service or set of
related services.
• The XML-based manifest files are in the
/var/svc/manifest directory tree.
• All manifests in the /var/svc/manifest directory
tree are read by svc.startd as it starts.
• New services are imported into the
/etc/svc/repository.db repository file.
• Error logs are found in the /var/svc/log directory.


A Manifest File Example


The system/coreadm.xml manifest:
<service_bundle type='manifest' name='SUNWcsr:coreadm'>

<service
    name='system/coreadm'
    type='service'
    version='1'>

    <create_default_instance enabled='false' />

    <single_instance />

    <dependency
        name='usr'
        type='service'
        grouping='require_all'
        restart_on='none'>
        <service_fmri value='svc:/system/filesystem/minimal' />
    </dependency>


A Manifest File Example (cont.)


    <exec_method
        type='method'
        name='start'
        exec='/usr/bin/coreadm -u'
        timeout_seconds='3' />

    <exec_method
        type='method'
        name='stop'
        exec=':true'
        timeout_seconds='0' />

    <property_group name='startd' type='framework'>
        <propval name='duration' type='astring'
            value='transient' />
    </property_group>

    <stability value='Unstable' />


A Manifest File Example (cont.)


    <template>
        <common_name>
            <loctext xml:lang='C'>
                System-wide core file configuration service
            </loctext>
        </common_name>
        <documentation>
            <manpage
                title='coreadm'
                section='1M'
                manpath='/usr/share/man' />
        </documentation>
    </template>
</service>

</service_bundle>


Writing a Service Manifest


• Name your service
• Identify multiple instances
• Identify your service model
• Identify start and stop methods
• Determine faults to be ignored
• Identify dependencies
• Identify dependents
• Insert your service into a milestone
• Create default instance
• Create template information


SMF Commands
Command       Description
svcs(1)       Show services, their current state, and their dependencies
svcprop(1)    Used to list properties of a service.
svcadm(1M)    Used for service management.
svccfg(1M)    Used to display and manipulate data in the service configuration repository.
inetadm(1M)   Observe or configure inetd-controlled services


Using the svcs Command


# svcs -a
STATE STIME FMRI
legacy_run Aug_31 lrc:/etc/rcS_d/S10pfil
legacy_run Aug_31 lrc:/etc/rcS_d/S29wrsmcfg
legacy_run Aug_31 lrc:/etc/rcS_d/S35cacheos_sh
. . .
disabled Aug_31 svc:/platform/sun4u/mpxio-upgrade:default
disabled Aug_31 svc:/network/dns/client:default
disabled Aug_31 svc:/network/ldap/client:default
. . .
online Aug_31 svc:/system/svc/restarter:default
online Aug_31 svc:/milestone/name-services:default
online Aug_31 svc:/network/loopback:default
. . .
offline Aug_31 svc:/application/print/ipp-listener:default
# svcs -p "*nfs*"
STATE STIME FMRI
disabled Aug_31 svc:/network/nfs/rquota:ticlts
disabled Aug_31 svc:/network/nfs/rquota:udp
online 8:52:05 svc:/network/nfs/server:default
8:52:03 2389 statd
8:52:03 2391 lockd
8:52:03 2393 mountd
8:52:03 2395 nfsd
8:52:04 2397 nfsmapid
online 8:53:48 svc:/network/nfs/client:default


Using the svcs Command (cont.)


# svcs -d /system/filesystem/minimal:default
STATE STIME FMRI
online Aug_31 svc:/system/cryptosvc:default
online Aug_31 svc:/system/sysidtool:net
online Aug_31 svc:/system/sysidtool:system
...
# svcs -D /system/filesystem/minimal:default
STATE STIME FMRI
online Aug_31 svc:/system/device/local:default
online Aug_31 svc:/system/filesystem/usr:default

# svcs -l system/filesystem/minimal:default
fmri svc:/system/filesystem/minimal:default
enabled true
state online
next_state none
restarter svc:/system/svc/restarter:default
dependency require_all/none svc:/system/device/local (online)
dependency require_all/none svc:/system/filesystem/usr (online)


Using the svcprop Command


# svcprop svc:/system/system-log:default
general/package astring SUNWcsr
general/enabled boolean true
restarter/contract count 41
restarter/start_pid count 593
restarter/auxiliary_state astring none
restarter/next_state astring none
restarter/state astring online
restarter/state_timestamp time 1093965480.562821000
restarter_actions/refresh integer


Using the svcprop Command (cont.)


# svcprop system/system-log
milestone/entities fmri svc:/milestone/single-user
milestone/grouping astring require_all
milestone/restart_on astring none
milestone/type astring service
dependents/system-log_single-user astring svc:/milestone/multi-user
general/entity_stability astring Unstable
general/single_instance boolean true
stop/exec astring :kill
stop/timeout_seconds count 3
stop/type astring method
start/exec astring /lib/svc/method/system-log
start/timeout_seconds count 3
start/type astring method
tm_man_syslogd/manpath astring /usr/share/man
tm_man_syslogd/section astring 1M
tm_man_syslogd/title astring syslogd
tm_common_name/C ustring system log


Using the svcprop Command (cont.)


# svcprop -p general network/rpc/spray
general/entity_stability astring Unstable
general/restarter fmri svc:/network/inetd:default
# svcprop svc:/system/svc/restarter:default | grep milestone


Using the svcadm Command


# svcadm disable internet/http:apache
# svcadm enable system/sar
# svcs -l system/sar:default
fmri svc:/system/sar:default
enabled true
state online
next_state none
restarter svc:/system/svc/restarter:default
dependency require_all/none svc:/system/filesystem/minimal (online)
# svcadm milestone all


Using the svccfg Command


# svccfg
svc:> list
system/console-login
milestone/devices
system/device/local
system/identity
system/filesystem/local
system/manifest-import
system/filesystem/minimal
milestone/multi-user-server
milestone/multi-user
milestone/name-services
network/initial
network/loopback
network/physical
system/svc/restarter
system/filesystem/root
milestone/single-user
system/filesystem/usr
network/rpc/bind
network/inetd-upgrade
system/utmp
system/metainit
system/mdmonitor
smf/manifest
...


Using the svccfg Command (cont.)


svc:> select system/name-service-cache
svc:/system/name-service-cache> list
:properties
default
svc:/system/name-service-cache> listprop
usr dependency
usr/entities fmri svc:/system/filesystem/usr
usr/grouping astring require_all
usr/restart_on astring none
usr/type astring service
config_data dependency
config_data/entities fmri file://localhost/etc/nscd.conf file://localhost/etc/nsswitch.conf
config_data/grouping astring require_all
config_data/restart_on astring restart
config_data/type astring path
general framework
general/entity_stability astring Unstable
general/single_instance boolean true


Using the svccfg Command (cont.)


stop method
stop/exec astring :kill
stop/timeout_seconds count 3
stop/type astring method
start method
start/exec astring /lib/svc/method/svc-nscd
start/timeout_seconds count 30
start/type astring method
...
svc:/system/name-service-cache> setprop start/timeout_seconds = 15
svc:/system/name-service-cache> select default
svc:/system/name-service-cache:default> listsnap
initial
running
start


Using the inetadm Command


# inetadm
ENABLED STATE FMRI
disabled disabled svc:/network/rpc/ocfserv:default
disabled disabled svc:/network/lp:default
enabled online svc:/network/rpc/mdcomm:tcp
disabled disabled svc:/network/rpc/mdcomm:tcp6
enabled online svc:/network/rpc/meta:tcp
disabled disabled svc:/network/rpc/meta:tcp6
enabled online svc:/network/rpc/metamed:tcp
...
# inetadm -l network/telnet:default
SCOPE NAME=VALUE
name="telnet"
endpoint_type="stream"
proto="tcp6"
isrpc=FALSE
wait=FALSE
exec="/usr/sbin/in.telnetd"
user="root"
default bind_addr=""
default bind_fail_max=-1
default bind_fail_interval=-1
default max_con_rate=-1
default max_copies=-1
default con_rate_offline=-1
...


Using the inetadm Command (cont.)


# rdate localhost
rdate: connect: Connection refused
# inetadm -e network/time:dgram
# inetadm -e network/time:stream
# rdate localhost
Thu Sep 2 16:18:59 2004
# inetadm -p
NAME=VALUE
bind_addr=""
bind_fail_max=-1
bind_fail_interval=-1
max_con_rate=-1
max_copies=-1
con_rate_offline=-1
failrate_cnt=40
failrate_interval=60
inherit_env=TRUE
tcp_trace=FALSE
tcp_wrappers=FALSE


A Service That Fails to Start


1. Attempt to boot in single-user mode.
2. Run init2, init3 and so on.
3. Now to boot in single-user mode, you actually boot
to milestones.
Example – To boot in single-user mode, you would use the
command:
ok> boot -m milestone=single-user

Note that the kernel man page lists the milestones that the
boot process accepts.


A Service That Fails to Start (cont.)


4. You can manually start services and see where things
stop.
# svcadm enable fmri
5. To start all services while logged in in single-user mode,
use the following command:
system console> svcadm milestone all


A Service That Fails to Start (cont.)


Example – Troubleshooting the lpsched service where it fails
to start:
# svcadm enable /application/print/server

After running the previous command, the service still shows
as disabled.
sys-02# svcs /application/print/server
STATE STIME FMRI
disabled 11:14:24 svc:/application/print/server:default
sys-02#


A Service That Fails to Start (cont.)


First, determine if all the dependencies are met. To do this, use
the command:
sys-02# svcs -D /application/print/server:default
STATE STIME FMRI
sys-02#

Because the command returned no dependencies, there is no
need to check for services that the print-server service might
require.
This also means that the root of the problem lies with
svc.startd not starting the service.


A Service That Fails to Start (cont.)


If someone had made incorrect changes to
/application/print/server, we can revert to the last known
good running state.
sys-02# svccfg
svc:> select /application/print/server:default
svc:/application/print/server:default> listsnap
initial
running
svc:/application/print/server:default>


A Service That Fails to Start (cont.)


This shows us that we could revert to the initial configuration
for this service.
svc:/application/print/server:default> revert initial
svc:/application/print/server:default> listsnap
initial
running
previous
svc:/application/print/server:default>


A Service That Fails to Start (cont.)


Now start the service:
sys-02# svcadm -v enable /application/print/server
/application/print/server enabled.

sys-02# svcs /application/print/server
STATE STIME FMRI
online 11:43:50 svc:/application/print/server:default
sys-02#

The svcs command now shows that the service is running.


A Service That Fails to Start (cont.)


If the print-server still had not started, the problem could be
with a corrupt /etc/svc/repository.db file. The error logs
should report such problems.
sys-02# more /var/svc/log/application-print-server:default.log
Aug 25 11:43:50 Executing start method ("/lib/svc/method/print-server start")
Print services started.
sys-02#


A Service That Fails to Start (cont.)


You can also use the following command to check for
additional errors. The -l option to svcs lists the status of the
FMRI. Any errors from svc.startd are reported here.
sys-02# svcs -l /application/print/server:default
fmri svc:/application/print/server:default
enabled true
state online
next_state none
restarter svc:/system/svc/restarter:default
contract_id 122
sys-02#


A Service That Fails to Start (cont.)


If SMF or the /etc/svc/repository.db file gets confused, you can
restore /etc/svc/repository.db from a backup, or copy in a
new one (a seed), and reboot.
Usually in this state, the root partition becomes read-only.
To recover, do the following in single-user mode:
# mount -o remount /
sys-02# cp /lib/svc/seed/global.db /etc/svc/repository.db
# reboot


Module 5

Introduction to DTrace

Solaris™ 10 Features for Experienced Solaris System Administrators


Sun Learning Services

Objectives
• Describe the features of Solaris™ Dynamic Tracing
(DTrace)
• Write simple D Scripts
• List and enable probes and predicates
• Create action statements
• Explain the use of the pid, syscall, proc, sched,
and io Providers
• Describe the DTrace Toolkit and one-liners


Introduction to DTrace
DTrace enables you to explore your system to understand
how it works, track down performance problems across many
layers of software, or locate the cause of abnormal behavior.
• DTrace dynamically modifies the operating system
kernel and user processes to record data at locations of
interest, called probes.
• DTrace includes a new scripting language called D
which is designed specifically for dynamic tracing.
• With the D language it is easy to write scripts that
dynamically turn on probes, collect the information,
and process it.


Introduction to DTrace (cont.)


DTrace Architectural Components
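[Figure: DTrace architectural components. In userland, D program
source files (a.d, b.d) are passed to the DTrace consumers
(intrstat(1M), plockstat(1M), dtrace(1M), lockstat(1M)), which are
built on libdtrace(3LIB). In the kernel, DTrace sits above the
DTrace providers (sysinfo, vminfo, io, syscall, profile, fbt,
sched, ...).]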


Introduction to D Scripts
A D script consists of a probe description, a predicate, and
actions, as shown in this example:
probe description
/predicate/
{
actions
}


Simple D Script Example


In this example, the probe description is
syscall::write:entry, which describes the write system
call.
The predicate is /execname == "bash"/
syscall::write:entry
/execname == "bash"/
{
printf("bash with pid %d called write system call\n", pid);
}

The predicate checks whether the executable that is calling
the write system call is the bash shell.


Description of a Probe
The probe is described using four fields:
• provider – Specifies the instrumentation method to
be used. For example, the syscall provider is used to
monitor system calls while the io provider is used to
monitor the disk I/O.
• module – Describes the module you want to observe.
• function – Describes the function you want to
observe.
• name – Typically represents the location in the
function. For example, use entry for name to
instrument when you enter the function.


Description of a Probe (cont.)


Probe Description       Explanation
syscall::open:entry     entry into the open system call
syscall::open*:entry    entry into any system call whose name starts with open (open and open64)
syscall:::entry         entry into any system call
syscall:::              all probes published by the system call provider


Describe a Predicate
A predicate can be any D expression.
The action is executed only when the predicate evaluates to
true.

Predicate                Explanation
cpu == 0                 true if the probe executes on cpu0
pid == 1029              true if the pid of the process that caused the probe to fire is 1029
execname != "sched"      true if the process is not the scheduler (sched)
ppid != 0 && arg0 == 0   true if the parent process id is not 0 and the first argument is 0


Describe Action Commands


The action section can contain a series of action commands
separated by semicolons (;).

Actions     Explanation
printf()    print something using the C-style printf() command
ustack()    print the user-level stack
trace()     print the given variable


DTrace for Developers


The types of information application developers are
particularly interested in can be obtained by using the
following providers: syscall, proc, pid, sdt, vminfo.
Developers can use these to look at running processes as well
as process creation and termination, LWP creation and
termination, and signal handling.


The pid Provider


The pid provider instruments the entry and return from
any user level function in a running process.
• With the pid provider you can trace any instruction in
any process on the system.
Example                     Explanation
pid2439:libc:malloc:entry   entry into the malloc function in libc for process id 2439
pid1234:a.out:main:return   return from main for process id 1234
pid1234:a.out::entry        entry into any function in the main executable of process id 1234
pid1234:::entry             entry into any function in any library for process id 1234


The pid Provider (cont.)


Here is the command you can run to print all the functions
that process id 1234 calls:
# dtrace -n pid1234:::entry

This same command can be used in a script as shown below:


#!/usr/sbin/dtrace -s
/* The above line means that the script that follows needs to be
interpreted using dtrace. D uses C-style comments.
*/
pid1234:::entry
{}


The pid Provider (cont.)


The D language has a construct called an aggregation that
collects all the detail in memory and prints out a summary.
• Aggregations allow you to collect tables of information
in memory.
Aggregations have the following construct:
@name[table index(es)] = aggregate_function()

For example:
@count_table[probefunc] = count();


The pid Provider (cont.)


The following example adds aggregates into a script, to see a
summary table of user functions:
#!/usr/sbin/dtrace -s
pid$1:::entry
{
@count_table[probefunc]=count();
}

This script collects information into a table and continues
to run until you press Control-C.


The pid Provider (cont.)


The timestamp Variable
You can find out how much time is spent in each function
by using the built-in variable timestamp.
• This variable reports time in nanoseconds.

#!/usr/sbin/dtrace -s
pid$1:::entry
{
ts[probefunc] = timestamp;
}
pid$1:::return
{
@func_time[probefunc] = sum(timestamp - ts[probefunc]);
ts[probefunc] = 0;
}


The pid Provider (cont.)


The D Script to Handle Corner-Cases
• Exception 1 – Monitor function entry and return
If you are creating the probes on a live running
application, it is likely that a function was already
executing when you ran the D script. Therefore, it is
possible to see the return for a function for which
you did not see an entry.
This case is easily handled by adding a predicate
/ts[probefunc] != 0/
to the return probe section.


The pid Provider (cont.)


The D Script to Handle Corner-Cases
• Exception 2 – Multi-threaded applications
There is a condition where two threads could
execute the same function at the same time. In this
case you need one copy of the ts[] for each thread.
• DTrace addresses this using the self variable.
• If you add anything to the self variable it will be
made thread local.


The pid Provider (cont.)


D script modified to handle the two corner-cases
#!/usr/sbin/dtrace -s
pid$1:::entry
{
self->ts[probefunc] = timestamp;
}
pid$1:::return
/self->ts[probefunc]/
{
@func_time[probefunc] = sum(timestamp - self->ts[probefunc]);
self->ts[probefunc] = 0;
}
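
The script above still mis-times recursive functions: a nested call overwrites the outer call's timestamp, so the outer return fails the predicate and its time is lost. The following added example (not from the course material) goes one step beyond the two corner cases on the slides by keeping one timestamp per recursion level; the a.out restriction, the use of $target (set by dtrace -p or -c) and the aggregation names are choices made for this example.

```d
#!/usr/sbin/dtrace -qs
/*
 * Added example, not from the course material.
 * Per-function elapsed time that is thread-safe, ignores returns whose
 * entry was never seen, and survives recursion.
 * Run with -p PID to attach, or -c command to start the program.
 */

pid$target:a.out::entry
{
	/* One timestamp slot per thread, per function, per recursion level. */
	self->depth[probefunc] = self->depth[probefunc] + 1;
	self->ts[probefunc, self->depth[probefunc]] = timestamp;
}

pid$target:a.out::return
/self->depth[probefunc] > 0 &&
    self->ts[probefunc, self->depth[probefunc]] != 0/
{
	this->elapsed = timestamp - self->ts[probefunc, self->depth[probefunc]];

	/*
	 * Elapsed time includes time spent in callees, so an outer
	 * recursive call also contains the time of its inner calls.
	 */
	@calls[probefunc] = count();
	@total_ns[probefunc] = sum(this->elapsed);
	@dist_ns[probefunc] = quantize(this->elapsed);

	/* Assigning 0 releases the dynamic variable storage. */
	self->ts[probefunc, self->depth[probefunc]] = 0;
	self->depth[probefunc] = self->depth[probefunc] - 1;
}

END
{
	printf("%-32s %10s\n", "FUNCTION", "CALLS");
	printa("%-32s %@10d\n", @calls);
	printf("\n%-32s %16s\n", "FUNCTION", "TOTAL ns");
	printa("%-32s %@16d\n", @total_ns);
	printf("\nElapsed time distribution (ns) per function:\n");
	printa(@dist_ns);
}
```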


The pid Provider (cont.)


Limit the Number of Probes Enabled
You can limit the number of probes enabled by modifying the
probe description.

Probe Description         Explanation
pid$1:libc::entry         Limit to only a given library
pid$1:a.out::entry        Limit probes to non-library functions
pid$1:libc:printf:entry   Limit probes to just one function


The pid Provider (cont.)


Monitor a Process
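You can monitor a process from the time it starts until it
ends. The $target macro variable expands to the process id of
the command started with the dtrace -c option, or of the
process named with the -p option.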
• This script will count the number of times libc
functions are called from a given application.
#!/usr/sbin/dtrace -s

pid$target:libc::entry
{
@[probefunc]=count();
}


Other Useful Scripts


The following is a script to find the stack trace when the
program makes the write system call.
#!/usr/sbin/dtrace -s
syscall::write:entry
{
@[ustack()]=count();
}


Other Useful Scripts (cont.)


This script counts the number of times various processes get
to run on the CPU.
#!/usr/sbin/dtrace -s
sysinfo:::pswitch
{
@[execname] = count();
}


Other Useful Scripts (cont.)


This particular script prints out the process name, pid and
uid when a new process is started in the system.
#!/usr/sbin/dtrace -qs
proc:::exec-success
{
printf("%s(pid=%d) started by uid - %d\n",execname, pid,
uid);
}


DTrace for System Administrators


Among the tasks that every system administrator faces are
those related to the behavior or misbehavior of the
applications running on a pre-determined environment.
• This type of information can be obtained through the
following providers: syscall, proc, io, sched,
sysinfo, vminfo, lockstat and profile.
• Of these providers, syscall, proc, io and sched are
the easiest starting points.
By using these providers, you can get information related to
processes, threads, stack status, and many other kernel
metrics.


DTrace for System Administrators (cont.)


The syscall Provider
Knowing which system calls are being used, among other
information, establishes metrics of system usage and identifies
possible misbehavior.
• With the syscall provider you can easily identify
who executes what and how much time a certain
operation takes, helping you to identify the root cause
of system misbehavior.


DTrace for System Administrators (cont.)


The syscall Provider
1. To list every occurrence of the probe firing, with
information about each entry into the close(2)
system call, you can use the following command:
# dtrace -n syscall::close:entry


DTrace for System Administrators (cont.)


The syscall Provider
2. To start to identify the process which sent a kill(2)
signal to a particular process, use the following
script:
#!/usr/sbin/dtrace -s
syscall::kill:entry
{ trace(pid);
trace(execname);
}


DTrace for System Administrators (cont.)


The syscall Provider
3. To determine how much time your web server is
spending at read(2), use the following script.
#!/usr/sbin/dtrace -qs
BEGIN
{ printf("size\ttime\n");
}
syscall::read:entry
/execname == "httpd"/
{ self->start = timestamp;
}
syscall::read:return
/self->start/
{ /* arg0 is the read(2) return value; the time is in nanoseconds */
printf("%d\t%d\n", arg0, timestamp - self->start);
self->start = 0;
}


The proc Provider


The proc provider fires at process and thread creation and
termination as well as signals.
• You can trace all the signals sent to all the processes
currently running on the system with this script:
#!/usr/sbin/dtrace -wqs
proc:::signal-send
{ printf("%d was sent to %s by ", args[2], args[1]->pr_fname);
system("getent passwd %d | cut -d: -f5", uid);
}


The proc Provider (cont.)


You can add the conditional statement
(/args[2] == SIGKILL/)
into the script and send SIGKILL signals to different
processes from different users.
#!/usr/sbin/dtrace -wqs
proc:::signal-send
/args[2] == SIGKILL/
{ printf("SIGKILL was sent to %s by ", args[1]->pr_fname);
system("getent passwd %d | cut -d: -f5", uid);
}
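
The kill(2) script in the syscall provider section and the proc:::signal-send scripts above, combined into one audit script, as an added example that is not part of the course material. It records the target as well as the sender and avoids system(), so it does not need the -w option; the set of signals in the predicate and the output layout are assumptions made for this example.

```d
#!/usr/sbin/dtrace -qs
/*
 * Added example, not from the course material.
 * Audit trail of termination-type signals: who sent what to whom.
 * No system() call, so destructive actions (-w) are not required.
 */

BEGIN
{
	printf("%-20s %-6s %-6s %-16s %-4s %-6s %s\n",
	    "TIME", "UID", "PID", "SENDER", "SIG", "TPID", "TARGET");
}

/*
 * signal-send fires in the context of the sender, so uid, pid and
 * execname describe the sender; args[1] describes the receiving
 * process and args[2] is the signal number.
 */
proc:::signal-send
/args[2] == SIGKILL || args[2] == SIGTERM || args[2] == SIGSTOP/
{
	printf("%-20Y %-6d %-6d %-16s %-4d %-6d %s\n",
	    walltimestamp, uid, pid, execname,
	    args[2], args[1]->pr_pid, args[1]->pr_fname);

	/* Summary table keyed by sender uid, sender name and signal. */
	@sent[uid, execname, args[2]] = count();
}

END
{
	printf("\n%-6s %-16s %-4s %s\n", "UID", "SENDER", "SIG", "COUNT");
	printa("%-6d %-16s %-4d %@d\n", @sent);
}
```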


The sched Provider


This provider dynamically traces scheduling events. Use it to
understand when and why threads sleep, run, change
priority, or wake other threads.
The following script determines the amount of time
the CPU spends on I/O wait and working.
#!/usr/sbin/dtrace -qs
sched:::on-cpu
/execname == "soffice.bin"/
{ self->on = vtimestamp;
}

sched:::off-cpu
/self->on/
{ @time["<on cpu>"] = sum(vtimestamp - self->on);
self->on = 0;
}


The io Provider
The io provider looks into the disk input and output (I/O)
subsystem.
Sample D script to trace which files are being
accessed on which device and to determine if the
task being performed is a read or a write:
#!/usr/sbin/dtrace -qs
BEGIN
{ printf("%10s %58s %2s\n", "DEVICE", "FILE", "RW");
}
io:::start
{ printf("%10s %58s %2s\n", args[1]->dev_statname,
args[2]->fi_pathname, args[0]->b_flags & B_READ ? "R" :
"W");
}


The DTraceToolkit
Download the toolkit from:
http://www.opensolaris.org/os/community/dtrace/dtracetoolkit

The DTraceToolkit is an open source collection of:
• Scripts
• Man pages in the Man directory
• Example files in the Docs/Examples directory
• One-liners in the Docs/oneliners.txt file
The DTraceToolkit is a product of the OpenSolaris
community; it is not written by nor is it supported by Sun
Microsystems.


The DTraceToolkit (cont.)


The one-liners file contains a list of short and useful DTrace
commands. The following is an extract of this file:
# New processes with arguments,
dtrace -n 'proc:::exec-success { trace(curpsinfo->pr_psargs); }'
# Files opened by process name,
dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); }'
# Read bytes by process name,
dtrace -n 'sysinfo:::readch { @bytes[execname] = sum(arg0); }'
# Write bytes by process name,
dtrace -n 'sysinfo:::writech { @bytes[execname] = sum(arg0); }'
# Read size distribution by process name,
dtrace -n 'sysinfo:::readch { @dist[execname] = quantize(arg0); }'
# Write size distribution by process name,
dtrace -n 'sysinfo:::writech { @dist[execname] = quantize(arg0); }'


The DTraceToolkit (cont.)


# Disk size by process ID,
dtrace -n 'io:::start { printf("%d %s %d",pid,execname,args[0]->b_bcount); }'
# Disk size aggregation
dtrace -n 'io:::start { @size[execname] = quantize(args[0]->b_bcount); }'
# Pages paged in by process name,
dtrace -n 'vminfo:::pgpgin { @pg[execname] = sum(arg0); }'
# Minor faults by process name,
dtrace -n 'vminfo:::as_fault { @mem[execname] = sum(arg0); }'
# CPU cross calls by process name,
dtrace -n 'sysinfo:::xcalls { @num[execname] = count(); }'


Troubleshooting Performance Problems


To troubleshoot performance problems, system
administrators often rely on system utilities such as the mpstat,
vmstat, or iostat commands.
• While these commands give system-wide
information, they do not show you what is causing the
problem.


Troubleshooting Performance Problems (cont.)
ultra20:/> mpstat
CPU minf mjf xcal intr ithr csw icsw migr smtx srw syscl usr sys wt idl
0 61 0 17 383 176 172 1 17 6 0 166 0 0 0 99
1 60 0 3 97 6 180 2 17 6 0 151 0 0 0 100

ultra20:/> vmstat 2
kthr memory page disk faults cpu
r b w swap free re mf pi po fr de sr s0 s1 s2 -- in sy cs us sy id
0 0 0 4167836 2732672 11 121 0 0 0 0 3 4 -0 3 0 481 315 352 0 0 100
0 0 0 4167424 2727600 6 25 0 0 0 0 0 0 0 0 0 462 351 334 0 0 100
0 0 0 4167344 2727568 0 0 0 0 0 0 0 0 0 0 0 458 270 324 0 0 100
0 0 0 4167344 2727568 0 0 0 0 0 0 0 0 0 0 0 455 285 327 0 0 100

ultra20:/> iostat 5
tty sd0 sd1 sd2 nfs1 cpu
tin tout kps tps serv kps tps serv kps tps serv kps tps serv us sy wt id
0 1 32 4 2 0 0 0 32 3 2 0 0 0 0 0 0 100
0 47 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 100
0 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 100


Troubleshooting Performance Problems (cont.)
The following is output from the DTrace one-liner Minor faults by
process, which displays minor page faults.
• These are the mf field of the vmstat command and the
minf field of the mpstat command.


Troubleshooting Performance Problems (cont.)
ultra20:/> dtrace -n 'vminfo:::as_fault { @mem[execname] = sum(arg0); }'
dtrace: description 'vminfo:::as_fault ' matched 1 probe
^C
gconfd-2 1
wnck-applet 12
Xvnc 22
metacity 26
basename 43
dirname 43
staroffice 63
domainname 64
dtrace 91
uname 110
lpget 125
sh 288
nautilus 341
javaldx 549
soffice 619
pagein 10398
soffice.bin 10457


Troubleshooting Performance Problems (cont.)
The one-liner Pages paged in by process uses the
vminfo provider and displays the information reported in the pi
field of the vmstat command.
# dtrace -n 'vminfo:::pgpgin { @pg[execname] = sum(arg0); }'
dtrace: description 'vminfo:::pgpgin ' matched 1 probe
^C

ttymon 1
bash 1
mozilla-bin 36
tar 6661


Troubleshooting Performance Problems (cont.)
The DTraceToolkit xcallsbypid.d script displays
information about cross-calls as might be reported in the
xcal field of the mpstat command.
# xcallsbypid.d
Tracing... Hit Ctrl-C to end.
^C
PID CMD XCALLS
215 utmpd 3
6350 bash 3
6351 bash 3
6350 ls 24
0 sched 48
6349 dtrace 93
6351 find 5718


Module 6

NFS Changes


Objectives
• Describe Network File System (NFS) enhancements
• Describe the enhancements to Network File System
version 4 (NFS version 4)
• Describe NFS hardware and software requirements,
dependencies, and limitations


NFS Version 4 Features


• Single protocol
• Strong security
• Compound procedures
• Extended attributes
• Universal Multiple-Octet Coded Character Set
Transformation Format 8 (UTF-8)
• Delegation
• Support for Windows NT style ACLs


NFS Version 4
Single Protocol:
• Stateful
• Protocol functionality built into NFS version 4
  • MOUNT
  • STATD
  • NFSLOGD
  • Others


Pseudo-File System
Server exports:
/data/car
/data/boat
/backup/system_1

Server file systems:
/data/car
/data/boat
/data/buyers
/backup/system_1
/expenses

Server file system:
/
  data
    boat
    car
    buyers
  expenses
  backup
    system_1

Client’s view:
/
  data
    boat
    car
  backup
    system_1


Strong Security
• Remote Procedure Call (RPC) implementation of the
General Security Service framework (GSS)
• New security flavor RPCSEC_GSS
• Other GSS_API applications


Compound Procedures
NFS version 3:
-> LOOKUP "export"
<- OK
-> LOOKUP "testdata"
<- OK
-> ACCESS "testdata"
<- OK
-> READ "testdata"
<- OK
(sends data)

NFS version 4:
-> OPEN "export/testdata"
   READ
<- OPEN OK
   READ OK
(sends data)


Extended Attributes
• Mandatory – Minimal level of operation
• Recommended – Operating environment dependent
• Named – Byte string, data associated with files or file
system


File Handles
• File handles are created on the server and contain
information that uniquely identifies files and
directories.
• NFS version 4 protocol permits a server to declare that
its file handles are volatile.
• Clients must support volatile file handles if the server
uses them.
• Upon file handle expiration, the client:
  • Flushes the cached information that refers to that file
    handle.
  • Searches for that file's new file handle.
  • Retries the operation.


Identities and Mapping


• File and directory names are UTF-8 encoded.
• Supports internationalization (I18N).
• Owner and owner_group are UTF-8 encoded strings of the form
user@dns_domain.
• The nfsmapid(1M) daemon maps these strings to user
identification (UID) and group identification (GID) in
the Solaris OS.


Delegation
• The server delegates the management of a file to a
client.
• The server alone decides whether to grant a delegation.
• The new nfs4cbd(1M) daemon is used for callbacks.
• The server sends a callback to get the updated state of the
file and to revoke the delegation.
• Different NFS client versions behave differently when
a conflict occurs.
• Delegation is enabled by default.


New Solaris ACL Modes


A new model that is based on the NFSv4 specification is used
to protect Solaris ZFS files.
The new ACL model:
• Is based on the NFSv4 specification; the new
ACLs are similar to NT-style ACLs.
• Provides a more granular set of access privileges.
• Uses the chmod and ls commands rather than the
setfacl and getfacl commands to set and
display ACLs.
• Provides richer inheritance semantics for
designating how access privileges are applied from
directory to subdirectories, and so on.


Configuring an NFS Server and Client


• nfs(4) configuration file:
/etc/default/nfs
• Enabling NFS versions on server:
NFS_SERVER_VERSMIN=num
NFS_SERVER_VERSMAX=num
• Enabling NFS versions on client:
NFS_CLIENT_VERSMIN=num
NFS_CLIENT_VERSMAX=num
num=version 2, 3 or 4
• Other options in nfs(4)


Enabling and Disabling NFS


NFS uses the Service Management Facility (SMF).
• To check the current state:
# svcs /network/nfs/server
# svcs /network/nfs/client

• To enable and disable the NFS server:
# svcadm enable network/nfs/server
# svcadm disable network/nfs/server

• To enable and disable the NFS client (enabled by default):
# svcadm enable network/nfs/client
# svcadm disable network/nfs/client


NFS Over RDMA


• RDMA protocol
• Fast memory-to-memory data transfer
• NFS over InfiniBand Architecture (IBA)
• Default if IBA hardware is present
• Designed for in-room network configurations
• mount(1M) command option to use only RDMA
  • proto=rdma


Module 7

Security Changes


Objectives
• Describe the Least Privilege Model
• Examine administration tasks for Solaris OS
Cryptographic Framework
• Examine Secure By Default
• Explain the lock after retries feature in Secure by
Default
• Examine new password encryption methods
• Explain password history, password constraints, and
password dictionary files


The Least Privilege Model


• It gives a specified process a subset of the superuser
powers and not full access to all privileges.
• It enables normal users to perform privileged tasks
such as mounting file systems, starting daemon processes that
bind to lower-numbered ports, and changing the
ownership of files.
• Damage due to programming errors like buffer
overflows can be contained to a non-root user.


Process Privilege Sets


• Effective privilege set, or E – Is the set of privileges that
is currently in effect.
• Permitted privilege set, or P – Is the set of privileges
that is available for use.
• Inheritable privilege set, or I – Is the set of privileges
that a process can inherit across a call to exec.
• Limit privilege set, or L – Is the outside limit of what
privileges are available to a process and its children.


Files Containing Privilege Information


• The /etc/security/policy.conf file
• The /etc/user_attr file
• The /etc/security/exec_attr file
• The syslog.conf file


The ppriv Utility Actions


Action                                 Command
Examine process privileges             ppriv -v pid
Set process privileges                 ppriv -s spec
List the privileges on the system      ppriv -l
List a privilege and its description   ppriv -lv priv
Debug privilege failure                ppriv -e -D failed-operation


ppriv Command Examples


• To list all currently defined privileges:
$ ppriv -l
contract_event
contract_observer
cpc_cpu
dtrace_kernel
dtrace_proc
dtrace_user
file_chown
file_chown_self
file_dac_execute
file_dac_read
file_dac_search
file_dac_write
file_downgrade_sl

...


ppriv Command Examples (cont.)


• To show the details of a specific privilege:
$ ppriv -lv file_chown
file_chown
Allows a process to change a file's owner user ID.
Allows a process to change a file's group ID to one other than
the process' effective group ID or one of the process'
supplemental group IDs.

• To list the privileges that are available to your shell's process:
$ ppriv $$
738: ksh
flags = <none>
E: basic
I: basic
P: basic
L: all


ppriv Command Examples (cont.)


$ ppriv -v $$
738: ksh
flags = <none>
E: file_link_any,proc_exec,proc_fork,proc_info,proc_session
I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
P: file_link_any,proc_exec,proc_fork,proc_info,proc_session
L: contract_event,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,
   file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,
   file_downgrade_sl,file_link_any,file_owner,file_setid,file_upgrade_sl,graphics_access,
   graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,
   net_mac_aware,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,
   proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,
   proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,
   sys_ipc_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_res_config,sys_resource,
   sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,
   win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,
   win_mac_write,win_selection,win_upgrade_sl


ppriv Command Examples (cont.)


• To show a verbose listing of a process’s privileges:
# ppriv -v 441
441: /usr/sbin/vold -f /etc/vold.conf
flags = <none>
E: contract_event,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,
   file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,
   file_dac_write,file_downgrade_sl,file_link_any,file_owner,file_setid,
   file_upgrade_sl,...
I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
P: contract_event,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,
   file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,
   file_dac_write,file_downgrade_sl,...
L: contract_event,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,
   file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,
   file_dac_write,file_downgrade_sl,file_link_any,...
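
The verbose listings above are easier to review once reduced to what a process holds beyond the basic set. The following is an added example, not part of the course material: it pulls one privilege set out of ppriv -v output, rejoining lines that were wrapped mid-name, and lists the effective privileges outside the five basic ones shown for the ksh process. The function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: list what a process holds beyond the basic privilege set.

# Basic set as expanded by `ppriv -v $$` on the slide above.
BASIC_PRIVS="file_link_any proc_exec proc_fork proc_info proc_session"

# priv_set NAME   (NAME is E, I, P or L; reads `ppriv -v` output for one
# process on stdin). Prints the privileges of that set, one per line.
# Lines that do not start with a set label are treated as continuations of
# the previous set, so output wrapped in the middle of a name is rejoined
# before it is split on commas.
priv_set() {
    awk -v want="$1" '
        /^[0-9]+:/ || /^[ \t]*flags[ \t]*=/ { name = ""; next }
        /^[ \t]*[EIPL]:/ {
            sub(/^[ \t]*/, "")
            name = substr($0, 1, 1)
            $0 = substr($0, 3)
        }
        name == want { gsub(/[ \t\r]/, ""); buf = buf $0 }
        END {
            n = split(buf, privs, ",")
            for (i = 1; i <= n; i++) if (privs[i] != "") print privs[i]
        }'
}

# beyond_basic   (reads `ppriv -v` output on stdin)
# Prints each effective privilege that is not in BASIC_PRIVS.
beyond_basic() {
    priv_set E | while read -r priv; do
        case " $BASIC_PRIVS " in
            *" $priv "*) ;;
            *) printf '%s\n' "$priv" ;;
        esac
    done
}

# Constructed sample modelled on the slide listings: a hypothetical daemon
# that keeps the basic set plus two extra privileges, wrapped mid-name.
sample_ppriv() {
    cat <<'EOF'
1234:   /usr/local/sbin/exampled
flags = <none>
        E: file_link_any,net_priva
ddr,proc_exec,proc_fork,proc_info,proc_session,sys_n
fs
        I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,net_privaddr,proc_exec,proc_fork,proc_info,
proc_session,sys_nfs
        L: all
EOF
}

sample_ppriv | beyond_basic
```

On a live system the same filter is fed from the command itself, for example ppriv -v 441 | beyond_basic.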


ppriv Command Examples (cont.)


• To run a process with the privilege debugger:
$ ppriv -e -D cat /etc/shadow
cat[418]: missing privilege "file_dac_read" (euid = 21782), needed at ufs_access+0x3c
cat: cannot open /etc/shadow


Privileges and Role Based Access Control (RBAC)
• The RBAC facility is used to assign specific privileges
to roles or users.
• Solaris RBAC configuration is controlled through four
files:
  • The /etc/security/exec_attr file
  • The /etc/security/prof_attr file
  • The /etc/security/auth_attr file
  • The /etc/user_attr file


Solaris OS Cryptographic Framework (SCF)
• Provides cryptographic services to applications and
kernel modules in a manner seamless to the end user
• Brings direct cryptographic services, like encryption
and decryption for files, to the end user through the
following:
  • Commands
  • A user-level programming interface
  • A kernel programming interface
  • User-level and kernel-level frameworks


Terms and Definitions


• Mechanism – A process for implementing a
cryptographic operation.
• Provider – A cryptographic service: a user-level provider
is a PKCS#11 library, a kernel software provider is a
loadable kernel software module, and a kernel hardware
provider is a cryptographic hardware device.
• PKCS#11 – RSA Data Security, Inc.'s Cryptographic Token
Interface Standard.
• Reader – The means by which information is exchanged
with a device.
• Slot – A logical reader that potentially contains a token.
• Token – The logical view of a cryptographic device that
Cryptoki defines.


Architecture Overview
[Figure: Solaris OS Cryptographic Framework architecture. Labels recovered from the diagram:]
Userland: Application; elfsign; module verification library; kernel crypto daemon; cryptoadm; libpkcs11.so; pluggable interface; pkcs11_kernel.so; pkcs11_softtoken.so; third-party hardware and software pluggable tokens
Userland/kernel boundary: /dev/crypto pseudo-device driver; /dev/cryptoadm pseudo-device driver
Kernel: scheduler/load balancer; kernel programmer interface; service provider interface; IPsec; Kerberos GSS mechanism; other kernel crypto consumers; Sun hardware and software crypto providers; third-party hardware crypto providers; third-party software crypto providers
Legend: private components; user portion of cryptographic framework; kernel portion of cryptographic framework


SCF Architectural Components


• Applications provide key material, if needed, and
specify which algorithm to use.
• SCF provides the following:
  • Encryption (Data Encryption Standard [DES], 3DES,
    Advanced Encryption Standard [AES], Blowfish,
    ARCFOUR)
  • Message digests (MD5, Secure Hash Algorithm
    [SHA])
  • Signing (RSA, Digital Signature Algorithm [DSA],
    Diffie-Hellman key agreement protocol [DH])


SCF Architectural Components (cont.)


• Random number generation
• PKCS#11 is also used as the Service Provider Interface
(SPI)
• The framework does not limit the functionality of
providers plugged in through the SPI
• The library uses a local policy file and internal metrics to
decide which implementation of a given algorithm to
use. For example, the library determines whether 3DES is
available in both hardware and software.


The pkcs11_softtoken.so Library


• Software-only implementation of PKCS#11.
• DES3, DES, AES, Blowfish, and ARCFOUR encryption.
• MD5, SHA1, and SHA2 message digest and keyed
Hash Message Authentication Codes (HMAC).
• RSA, DSA, DH key exchange and signing
authentication algorithms.
• The pkcs11_softtoken.extra.so library is available
in Solaris OS.


Solaris OS Kernel Framework


• Programming interface for kernel-level consumers.
• System call interface for user-level libraries.
• SPI for plug-in modules.
• SPI uses PKCS#11 standard that all current
cryptographic hardware providers support.
• Kernel presents an ordered list of slots through the
/dev/crypto interface.
• Virtual slots to present groups of providers that offer
the same mechanisms.
• Slots that correspond to specific hardware providers.


The cryptoadm Utility


The cryptoadm(1M) utility is used to list providers, install
providers, and uninstall providers.
• Can be used for both kernel- and user-level providers.
• Can be used to enable or disable specific mechanisms.


The digest Utility


The digest(1M) user utility generates a cryptographic hash.
• Listing available mechanisms:
ultra20:/> digest -l
sha1
md5
sha256
sha384
sha512

• Generating a digest:
ultra20:/> digest -a md5 /usr/bin/login
eed532cc83d97d726dbdb577ed85c415

• Generating multiple digests:
ultra20:/> digest -v -a sha1 ~/docs/* > ~/digest.docs.legal
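
A saved digest listing such as the one written by the last command is useful only when it is later compared with a fresh one. The following is an added example, not part of the course material, that reports files changed, added or removed between two listings. It assumes the "alg (file) = hash" line format for digest -v output; the function name and the manifest contents are constructed.

```sh
#!/bin/sh
# Added example: compare two `digest -v` listings (baseline vs. current).

# manifest_diff BASELINE CURRENT
# Prints one line per difference, sorted:
#   ADDED path           only in CURRENT
#   CHANGED path         hash or algorithm differs between the listings
#   REMOVED path         only in BASELINE
#   UNPARSED file:line   line is not in "alg (path) = hash" form
manifest_diff() {
    awk '
    # Split on the first " (" and the last ") = " so that paths containing
    # spaces or parentheses survive. Sets the globals alg, path and hash.
    function parse(line,    start, stop, off, i) {
        start = index(line, " (")
        stop = 0; off = 0
        while ((i = index(substr(line, off + 1), ") = ")) > 0) {
            stop = off + i; off = stop
        }
        if (start == 0 || stop <= start) return 0
        alg  = substr(line, 1, start - 1)
        path = substr(line, start + 2, stop - start - 2)
        hash = tolower(substr(line, stop + 4))
        return (hash ~ /^[0-9a-f]+$/)
    }
    /^[ \t]*$/  { next }
    !parse($0)  { print "UNPARSED " FILENAME ":" FNR; next }
    phase != 2  { base[path] = alg ":" hash; next }     # first listing
    {
        seen[path] = 1
        if (!(path in base))                 print "ADDED " path
        else if (base[path] != alg ":" hash) print "CHANGED " path
    }
    END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" phase=2 "$2" | sort
}

# Constructed manifests (hash values are placeholders, not real digests).
mdemo=$(mktemp -d)
cat > "$mdemo/baseline" <<'EOF'
sha1 (/export/docs/contract.txt) = 1111111111111111111111111111111111111111
sha1 (/export/docs/notes (draft).txt) = 2222222222222222222222222222222222222222
sha1 (/export/docs/old.txt) = 3333333333333333333333333333333333333333
EOF
cat > "$mdemo/current" <<'EOF'
sha1 (/export/docs/contract.txt) = 1111111111111111111111111111111111111111
sha1 (/export/docs/notes (draft).txt) = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
sha1 (/export/docs/new.txt) = 4444444444444444444444444444444444444444
EOF

manifest_diff "$mdemo/baseline" "$mdemo/current"
```

An empty result means the two listings agree; the baseline itself should be kept where the files it covers cannot overwrite it.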


The mac Utility


The mac(1M) utility calculates a keyed message
authentication code (MAC).
• Listing available mechanisms:
ultra20:/> mac -l
Algorithm Keysize: Min Max (bits)
-----------------------------------
des_mac 64 64
sha1_hmac 8 512
md5_hmac 8 512
sha256_hmac 8 512
sha384_hmac 8 1024
sha512_hmac 8 1024

• Generating a MAC:
ultra20:/> mac -a md5_hmac /etc/hosts
Enter key:key_typed_in
2f3b84524c7fa61848c439af487006bc


The encrypt Utility


The encrypt(1M) utility encrypts or decrypts a given file.
• Listing mechanisms:
The following example lists the available algorithms and key
lengths:
ultra20:/> encrypt -l
Algorithm Keysize: Min Max (bits)
-----------------------------------
aes 128 256
arcfour 8 248
des 64 64
3des 192 192


The encrypt Utility (cont.)


Using the encrypt(1M) utility to encrypt and decrypt a tape
backup:
• Creating the backup
ultra20:/> ufsdump 0f - /var | encrypt -a arcfour -k \
/etc/mykeys/backup.k | dd of=/dev/rmt/0

• Restoring the preceding backup
ultra20:/> decrypt -a arcfour -k /etc/mykeys/backup.k \
-i /dev/rmt/0 | ufsrestore xf -


Secure by Default
This feature changes the default configuration of the Solaris
OS such that ssh is the only network-listening service.
Secure By Default Network Profile
• During installation, you can set the default behavior for
network services to run in a much more secure
manner.


Using Stronger Algorithms


Solaris 10 OS supports a pluggable crypt framework for
password hashing functions.
The OS includes three cryptographic password hashing plug-in
modules and the traditional UNIX crypt(3C) algorithm.
• The modules are configured in the /etc/security/crypt.conf
file.
• The default entries in the crypt.conf file are:
1 crypt_bsdmd5.so.1
2a crypt_bsdbf.so.1
md5 crypt_sunmd5.so.1


Using Stronger Algorithms (cont.)


Each entry in the crypt.conf file has three fields:
• The first field is used to identify the algorithm when
configuring password hashing algorithms in the
policy.conf file and to identify the algorithm in the
salt of the stored hash.
• The second field is the shared library that implements
the password hashing algorithm and contains an
absolute path to the shared library. If the path is not
present, the default path, /usr/lib/security/$ISA,
is used.
• The last field is optional and can contain a value pair
that defines module-specific parameters.


Using Stronger Algorithms (cont.)


• The password hash algorithm is configured in the
/etc/security/policy.conf file.
• The following excerpt shows the default algorithms
configuration in the policy.conf file:
CRYPT_ALGORITHMS_ALLOW=1,2a,md5

#CRYPT_ALGORITHMS_DEPRECATE=__unix__

CRYPT_DEFAULT=__unix__


SHA256/SHA512 crypt(3C) Plug-in


This new feature provides an additional pair of crypt(3C)
plug-ins based on the SHA256 and SHA512 digest algorithms.
This plug-in provides a crypt(3C) hash that uses
FIPS 140-2 approved algorithms and discontinues
using MD5-based hashes.


Using Stronger Algorithms (cont.)


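[Flowchart: choosing the algorithm used to hash a password]
1. Is this a new password?
   Yes: Generate hash using CRYPT_DEFAULT.
   No: Go to question 2.
2. Is ID null in old password?
   Yes: Generate hash using CRYPT_DEFAULT.
   No: Go to question 3.
3. Is ID in CRYPT_ALGORITHMS_DEPRECATE?
   Yes: Generate hash using CRYPT_DEFAULT.
   No: Go to question 4.
4. Is ID in CRYPT_ALGORITHMS_ALLOW?
   No: Generate hash using CRYPT_DEFAULT.
   Yes: Generate hash using current password algorithm ID.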


Specify an Algorithm for Password Encryption
# cat /etc/security/policy.conf
...
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
#
# Use the version of MD5 that works with Linux and BSD systems.
# Passwords previously encrypted with __unix__ will be encrypted with MD5
# when users change their passwords.
#
#
#CRYPT_DEFAULT=__unix__
CRYPT_DEFAULT=1
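
The flowchart and the policy.conf settings above can be turned into an audit of which accounts will move to a new algorithm at their next password change. The following is an added example, not part of the course material: for each account in a shadow-format file it prints the algorithm ID of the stored hash and the ID the next change would use. It assumes that every "Yes" exit of the first three flowchart questions leads to CRYPT_DEFAULT; the function names, accounts and hashes are constructed.

```sh
#!/bin/sh
# Added example: predict the crypt(3C) algorithm ID used at the next
# password change, following the flowchart on the slide.

# policy_value FILE KEY -> value of the last uncommented KEY= line
policy_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# hash_alg_id HASH -> algorithm ID embedded in a stored hash.
# A hash of the form $id$salt$hash carries its ID between the first two
# '$' characters; anything after a comma in that field is treated as a
# module parameter and dropped (assumption). A hash without the prefix has
# a null ID, printed as an empty line.
hash_alg_id() {
    case "$1" in
        '$'*'$'*) printf '%s\n' "$1" | cut -d'$' -f2 | cut -d, -f1 ;;
        *)        printf '\n' ;;
    esac
}

# in_list ID LIST -> success when ID is one of the comma-separated items
in_list() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# next_alg POLICY_FILE OLD_HASH -> ID used for the next hash.
# Pass an empty OLD_HASH for a new password.
next_alg() {
    default=$(policy_value "$1" CRYPT_DEFAULT)
    allow=$(policy_value "$1" CRYPT_ALGORITHMS_ALLOW)
    deprecate=$(policy_value "$1" CRYPT_ALGORITHMS_DEPRECATE)
    [ -n "$default" ] || default=__unix__      # assumption: unset means __unix__
    id=$(hash_alg_id "$2")
    if [ -z "$2" ] || [ -z "$id" ]; then       # questions 1 and 2
        printf '%s\n' "$default"
    elif in_list "$id" "$deprecate"; then      # question 3
        printf '%s\n' "$default"
    elif [ -n "$allow" ] && ! in_list "$id" "$allow"; then   # question 4
        # An unset ALLOW list is treated as "no restriction" (assumption;
        # the flowchart does not cover that case).
        printf '%s\n' "$default"
    else
        printf '%s\n' "$id"
    fi
}

# audit_shadow POLICY_FILE SHADOW_FILE -> "user current_id next_id" lines.
# Entries with no password, NP, or a *LK* lock marker are skipped.
audit_shadow() {
    while IFS=: read -r user hash rest; do
        case "$hash" in ''|NP|'*LK*'*) continue ;; esac
        cur=$(hash_alg_id "$hash")
        [ -n "$cur" ] || cur=__unix__
        printf '%s %s %s\n' "$user" "$cur" "$(next_alg "$1" "$hash")"
    done < "$2"
}

# Constructed sample input (not real accounts or hashes).
pdemo=$(mktemp -d)
cat > "$pdemo/policy.conf" <<'EOF'
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
#CRYPT_DEFAULT=__unix__
CRYPT_DEFAULT=1
EOF
cat > "$pdemo/shadow" <<'EOF'
alice:AbCdEfGhIjKlM:14000::::::
bob:$1$constructed$constructedhashvalue00:14000::::::
carol:$2a$04$constructedconstructedconstructed:14000::::::
dave:$md5,rounds=904$constructed$constructedhash:14000::::::
erin:$rot13$constructed$constructedhash:14000::::::
frank:*LK*:14000::::::
EOF

audit_shadow "$pdemo/policy.conf" "$pdemo/shadow"
```

In the sample, alice (null ID) and erin (an ID outside CRYPT_ALGORITHMS_ALLOW) both move to ID 1 at their next change, while bob, carol and dave keep their current algorithm.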


Specify a New Password Algorithm for an NIS Domain
1. Specify the password encryption algorithm in the
/etc/security/policy.conf file on the NIS
client.
2. Copy the modified /etc/security/policy.conf
file to every client machine in the NIS domain.
3. To minimize confusion, copy the modified
/etc/security/policy.conf file to the NIS root
server and to the slave servers.


Specify a New Password Algorithm for an NIS+ Domain
When users in an NIS+ domain change their passwords, the
NIS+ name service consults the algorithms configuration in
the /etc/security/policy.conf file on the NIS+ master.
The NIS+ master, which is running the rpc.nispasswd
daemon, creates the encrypted password.
1. Specify the password encryption algorithm in the
/etc/security/policy.conf file on the NIS+
master.
2. To minimize confusion, copy the NIS+ master’s
/etc/security/policy.conf file to every host in
the NIS+ domain.


Specify a New Password Algorithm for an LDAP Domain
When the LDAP client is properly configured, the LDAP
client can use the new password algorithms.
1. Specify a password encryption algorithm in the
/etc/security/policy.conf file on the LDAP
client.
2. Copy the modified policy.conf file to every client
machine in the LDAP domain.
3. Ensure that the client’s /etc/pam.conf file does
not use a pam_ldap module.


Install a Password Encryption Module From a Third Party
1. Add the software by using the pkgadd command.
2. Confirm that the new module and module identifier
have been added.
# crypt.conf
#
md5 /usr/lib/security/$ISA/crypt_md5.so
rot13 /usr/lib/security/$ISA/crypt_rot13.so

# For *BSD - Linux compatibility
# 1 is MD5, 2a is Blowfish
1 /usr/lib/security/$ISA/crypt_bsdmd5.so
2a /usr/lib/security/$ISA/crypt_bsdbf.so


Install a Password Encryption Module From a Third Party (cont.)
3. Add the identifier of the newly installed algorithm to
the /etc/security/policy.conf file.
# Copyright 1999-2002 Sun Microsystems, Inc. All rights reserved.
# ...
#ident "@(#)policy.conf 1.6 02/06/07 SMI"
# ...
# crypt(3c) Algorithms Configuration
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,rot13
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=md5
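
The two files above have to agree with each other, and a changed CRYPT_DEFAULT only takes effect when a user next changes a password. The following check is an added example, not part of the course material: it cross-checks the crypt.conf and policy.conf entries shown above and lists accounts whose stored hash uses a different algorithm than the current default. The REVIEWED set, the function names, and the shadow entries are assumptions made for the illustration.

```python
import re

BUILTIN = "__unix__"  # traditional crypt(3C): built into libc, no crypt.conf entry

# Constructed copies of the crypt.conf and policy.conf entries shown above.
CRYPT_CONF = """\
md5   /usr/lib/security/$ISA/crypt_md5.so
rot13 /usr/lib/security/$ISA/crypt_rot13.so
# 1 is MD5, 2a is Blowfish
1     /usr/lib/security/$ISA/crypt_bsdmd5.so
2a    /usr/lib/security/$ISA/crypt_bsdbf.so
"""
POLICY_CONF = """\
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,rot13
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=md5
"""
# Constructed shadow entries; the hash bodies are placeholders, not real hashes.
SHADOW = """\
root:$md5$SALT$$HASHPLACEHOLDER:14000::::::
alice:$2a$04$SALTANDHASHPLACEHOLDER:14100::::::
bob:PLACEHOLDER13:12000::::::
carol:*LK*:14100::::::
"""
# Assumption: identifiers this site has reviewed and accepts for new passwords.
REVIEWED = {"1", "2a", "md5"}


def parse_crypt_conf(text):
    """Map each algorithm identifier to its module path."""
    modules = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            modules[fields[0]] = fields[1]
    return modules


def parse_policy(text):
    """Return the uncommented KEY=VALUE settings of policy.conf."""
    return dict(re.findall(r"^[ \t]*([A-Z_]+)=(\S*)", text, re.M))


def audit(crypt_conf_text, policy_text, reviewed=REVIEWED):
    """Return (finding, identifier) pairs for the password-algorithm policy."""
    modules = parse_crypt_conf(crypt_conf_text)
    policy = parse_policy(policy_text)
    allow = [a for a in policy.get("CRYPT_ALGORITHMS_ALLOW", "").split(",") if a]
    default = policy.get("CRYPT_DEFAULT", BUILTIN)
    findings = []
    for alg in dict.fromkeys(allow + [default]):  # keeps order, drops repeats
        if alg != BUILTIN and alg not in modules:
            findings.append(("no-module-in-crypt.conf", alg))
        if alg not in reviewed:
            findings.append(("not-on-reviewed-list", alg))
    if allow and default not in allow:
        findings.append(("default-not-allowed", default))
    return findings


def hash_id(pw_field):
    """Identify the algorithm of a shadow password field, or None if no hash."""
    if pw_field.startswith("*LK*"):  # prefix of a locked account
        pw_field = pw_field[4:]
    if pw_field.startswith("$"):
        # Layout is $id$salt$hash; the id may carry parameters after a comma.
        return pw_field.split("$")[1].split(",")[0]
    # A traditional crypt hash is 13 characters and has no $id$ prefix.
    return BUILTIN if len(pw_field) == 13 else None


def accounts_off_default(shadow_text, policy_text):
    """List (user, algorithm) for hashes not made with the current default."""
    default = parse_policy(policy_text).get("CRYPT_DEFAULT", BUILTIN)
    result = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        alg = hash_id(fields[1])
        if alg is not None and alg != default:
            result.append((fields[0], alg))
    return result


if __name__ == "__main__":
    for finding in audit(CRYPT_CONF, POLICY_CONF):
        print("policy:", finding)
    for user, alg in accounts_off_default(SHADOW, POLICY_CONF):
        print("account %s still uses %s" % (user, alg))
```

With the slide's configuration, the only policy finding is that rot13 is allowed although it is not on the reviewed list.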

Implementing Password Strength, Syntax Checking, History, and Aging Improvements
• The Solaris 10 OS delivers new flexible and commonly
requested authentication features
• Local passwords have strong password encryption
options, including MD5 and Blowfish, as well as
account lockout, and syntax checking

Using Password History Checking


• When activated, the password history checking feature
retains up to 26 prior passwords for each user.
• Setting the HISTORY flag in the /etc/default/passwd
file to a non-zero value activates this feature.
• If the HISTORY flag in the /etc/default/passwd
file is set to a non-zero value, /etc/security/passhistory
is automatically created when the next
password change occurs.

Configuring Password Complexity Constraints
• Password constraints allow the administrator to
configure how the user’s password is formed.
• When a user changes passwords, the new password is
checked by the pam_authtok_check PAM module.
• The complexity constraints are specified in the
/etc/default/passwd file.

Dictionary Files
The password must not be based on a dictionary word.
The list of words to be used for the site’s dictionary can be
specified with DICTIONLIST.
DICTIONLIST should contain a comma-separated list of
file names; each file contains one word per line.
The database that is created from these files is stored in the
directory named by DICTIONDBDIR (defaults to /var/passwd).
• If neither DICTIONLIST nor DICTIONDBDIR is
specified, no dictionary check is made.

Configuring Account Locking


• The number of attempts before the account is locked is
defined by the RETRIES variable found in the
/etc/default/login file.
• To enable account locking for the system, remove the
comment from the LOCK_AFTER_RETRIES variable in
the /etc/security/policy.conf file and set the variable to
YES.
• Account locking can be defined for individual users by
adding a lock_after_retries= entry to the attr
field of the /etc/security/user_attr database.
• The system stores the count of failed login attempts in
the last field of the /etc/shadow database entry for
each account.
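
The four files named above combine into one effective policy per account. The following report is an added example, not part of the course material: it resolves the system-wide setting against the per-user lock_after_retries entries and reads the failed-login count from the last shadow field. All file contents are constructed; the fallback values (RETRIES of 5, LOCK_AFTER_RETRIES of NO) and the *LK* locked-account prefix are taken from the Solaris login(1), policy.conf(4), and passwd(1) documentation rather than from this page.

```python
import re

# Constructed sample files; values are illustrative, hashes are placeholders.
LOGIN_DEFAULTS = "#RETRIES=5\nRETRIES=3\n"                        # /etc/default/login
POLICY_CONF = "#LOCK_AFTER_RETRIES=NO\nLOCK_AFTER_RETRIES=YES\n"  # policy.conf
USER_ATTR = """\
root::::type=normal;auths=solaris.*;lock_after_retries=no
svcacct::::type=normal;lock_after_retries=no
"""
SHADOW = """\
root:HASH:14000::::::1
alice:HASH:14100:7:90:14:::2
bob:*LK*HASH:14100:7:90:14:::3
svcacct:HASH:14100::::::
"""


def settings(text):
    """Return the uncommented KEY=VALUE settings of a defaults-style file."""
    return dict(re.findall(r"^[ \t]*([A-Z_]+)=(\S*)", text, re.M))


def user_overrides(user_attr_text):
    """Per-user lock_after_retries values from the attr (fifth) field."""
    overrides = {}
    for line in user_attr_text.splitlines():
        fields = line.split(":", 4)
        if line.startswith("#") or len(fields) < 5:
            continue
        attrs = dict(kv.split("=", 1) for kv in fields[4].split(";") if "=" in kv)
        if "lock_after_retries" in attrs:
            overrides[fields[0]] = attrs["lock_after_retries"].lower() == "yes"
    return overrides


def lock_report(login_text, policy_text, user_attr_text, shadow_text):
    """Return (user, state, failed_count, attempts_left) for each account.

    state is "locked" (password field starts with *LK*), "exempt" (locking
    does not apply to this account) or "armed" (locking applies).
    attempts_left is only set for armed accounts.
    """
    retries = int(settings(login_text).get("RETRIES", 5))
    system_wide = settings(policy_text).get("LOCK_AFTER_RETRIES", "NO").upper() == "YES"
    overrides = user_overrides(user_attr_text)
    report = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 9:
            continue
        user = fields[0]
        failed = int(fields[8] or 0)  # last field: failed-login count
        if fields[1].startswith("*LK*"):
            report.append((user, "locked", failed, None))
        elif not overrides.get(user, system_wide):
            report.append((user, "exempt", failed, None))
        else:
            report.append((user, "armed", failed, max(retries - failed, 0)))
    return report


if __name__ == "__main__":
    for row in lock_report(LOGIN_DEFAULTS, POLICY_CONF, USER_ATTR, SHADOW):
        print("%-8s %-7s failed=%d left=%s" % row)
```

Accounts reported as exempt are the ones to review: failed logins against them accumulate without ever locking the account.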

Module 8

Solaris™ 10 Operating System Installation Changes

Objectives
• Describe the Solaris SPARC Boot Architecture
Redesign
• Describe upgrading the Solaris OS with installed non-
global zones
• Configure multiple network interfaces during
installation
• Describe how disk partition tables can be modified
using an existing Volume Table of Contents (VTOC)
• Describe the Reduced Networking Software Group
• Explore changes to the Solaris JumpStart™ software
and configure, enable, and troubleshoot JumpStart
• Identify the changes to Flash archives

Objectives (cont.)
• Identify changes to the Solaris Live Upgrade boot
environment and configure, enable, and troubleshoot
the Live Upgrade boot capability

Solaris SPARC Boot Architecture Redesign


The Solaris SPARC bootstrap process has been redesigned to
increase commonality with the Solaris x86 boot architecture.
The improved Solaris boot architecture brings direct boot,
ramdisk-based booting, and the ramdisk miniroot to the
SPARC platform. These enabling technologies support the
following functions:
• Booting a system from additional file system types,
for example, a ZFS file system
• Booting a single miniroot for software installation from
DVD, NFS, or HTTP

Solaris Installation Media Changes


• The Solaris Installation CD has been eliminated.
• Solaris Software 1 CD is the only bootable CD.
• Use the boot cdrom command to use the GUI installer.
• Use boot cdrom - text to use the text-based installer
in a windowing environment.
• Use boot cdrom - nowin to use the text-based
installer in a console session.

Configuring Multiple Network Interfaces During Installation
• Use the network_interface keyword of the
sysidcfg file.
• Use one keyword for each configured interface.
• Example:
network_interface=eri0 {primary
hostname=host1
ip_address=192.168.2.7
netmask=255.255.255.0
protocol_ipv6=no
default_route=192.168.2.1}
network_interface=eri1 {hostname=host1-b
ip_address=192.168.3.8
netmask=255.255.255.0
protocol_ipv6=no
default_route=NONE}

Supporting LDAP Version 2 Profiles


This feature enables users to use LDAP version 2 profiles to
set a proxy credential level during the installation.
Specify the LDAP proxy-bind distinguished name and
proxy-bind password using the proxy_dn and proxy_password
keywords within the name_service keyword in the sysidcfg file.
Example:
name_service=LDAP {domain_name=west.example.com
                   profile=default
                   profile_server=172.31.2.1
                   proxy_dn="cn=proxyagent,ou=profile,dc=west,dc=example,dc=com"
                   proxy_password=password}

NFS version 4 Default Domain Name


There is a new sysidcfg file keyword for specifying the
NFSv4 default domain name:
nfs4_domain=dynamic, value

For example:
nfs4_domain=example.com

The sysidcfg File Keywords


Configuration Information                          Keyword
-------------------------------------------------  -----------------
Keyboard layout and language                       keyboard
Naming service, domain name, name server           name_service
Network interface, host name, Internet Protocol    network_interface
(IP) address, netmask, DHCP, IPv6
Domain name definition for NFSv4                   nfs4_domain
Root password                                      root_password
Security policy                                    security_policy
Network security profile                           service_profile
Language in which to display the                   system_locale
install program and desktop
Terminal type                                      terminal
Time zone                                          timezone
Date and time                                      timeserver

Enhanced Security Using Limited Networking
During installation, you can set the default behavior for
network services so that they run in a more secure manner.
For automated JumpStart installations, you can select a
limited network profile by using a new service_profile
keyword in the sysidcfg file.
Use one of the following syntax examples to set this keyword.
service_profile=limited_net

service_profile=open

Modifying Disk Partition Tables Using a VTOC
This change enables you to preserve and use the system's
existing disk slice tables during installation by selecting Load
VTOC.

The Reduced Networking Software Group


• Creates a more secure system with fewer enabled
network services.
• Sample JumpStart profile:
install_type initial_install
cluster SUNWCrnet
partitioning explicit
filesys rootdisk.s1 768 swap
filesys rootdisk.s0 free /
system_type standalone

The Reduced Networking Software Group (cont.)
# ps -aef
UID PID PPID C STIME TTY TIME CMD
root 0 0 0 21:52:19 ? 0:06 sched
root 1 0 0 21:52:22 ? 0:00 /sbin/init
root 2 0 0 21:52:22 ? 0:00 pageout
root 3 0 0 21:52:22 ? 0:01 fsflush
root 432 376 0 22:31:05 console 0:00 ps -aef
root 7 1 0 21:52:24 ? 0:03 /lib/svc/bin/svc.startd
root 9 1 0 21:52:24 ? 0:16 svc.configd
root 394 385 0 22:00:00 ? 0:00 /usr/lib/saf/ttymon
daemon 335 1 0 21:53:40 ? 0:00 /usr/sbin/rpcbind
root 340 1 0 21:53:40 ? 0:00 /usr/sbin/keyserv
daemon 279 1 0 21:53:27 ? 0:00 /usr/lib/crypto/kcfd
root 376 7 0 21:59:59 console 0:00 -sh
root 278 1 0 21:53:26 ? 0:00 /usr/sbin/nscd
root 79 1 0 21:52:46 ? 0:00 /usr/lib/sysevent/syseventd
root 411 1 0 22:00:03 ? 0:00 /usr/lib/fm/fmd/fmd
root 367 1 0 21:59:58 ? 0:00 /usr/lib/utmpd
root 385 7 0 22:00:00 ? 0:00 /usr/lib/saf/sac -t 300
root 389 1 0 22:00:00 ? 0:00 /usr/sbin/syslogd
root 395 1 0 22:00:00 ? 0:00 /usr/lib/inet/inetd start
root 397 1 0 22:00:00 ? 0:00 /usr/sbin/cron

The Reduced Networking Software Group (cont.)


# netstat -an

UDP: IPv4
Local Address Remote Address State
-------------------- -------------------- -------
*.111 Idle
*.* Unbound
*.32772 Idle
*.514 Idle
*.* Unbound

TCP: IPv4
Local Address Remote Address Swind Send-Q Rwind Recv-Q State
-------------------- -------------------- ----- ------ ----- ------ -------
*.* *.* 0 0 49152 0 IDLE
*.111 *.* 0 0 49152 0 LISTEN
*.* *.* 0 0 49152 0 IDLE

TCP: IPv6
Local Address Remote Address Swind Send-Q Rwind Recv-Q State If
--------------------- ---------------------- ----- ------ ----- ------ -----------
*.* *.* 0 0 49152 0 IDLE

SCTP:
Local Address Remote Address Swind Send-Q Rwind Recv-Q StrsI/O State
-------------------- ------------------- ------ ------ ------ ------ ------- --------
0.0.0.0 0.0.0.0 0 0 102400 0 32/32 CLOSED

Active UNIX domain sockets


Address Type Vnode Conn Local Addr Remote Addr
30001307e08 stream-ord 30001292a80 00000000 /var/run/.inetd.uds
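
The netstat -an listing above is the evidence that a SUNWCrnet installation exposes few network services, and the same output can be checked mechanically after each install. The following parser is an added example, not part of the course material: it extracts the bound UDP ports and listening TCP ports from Solaris netstat -an output and reports anything outside an expected baseline. The BASELINE contents and the function names are assumptions; the sample input is the UDP and TCP portion of the output shown above.

```python
import re

# UDP and TCP sections of the netstat -an output shown above, as sample input.
NETSTAT = """\
UDP: IPv4
Local Address Remote Address State
-------------------- -------------------- -------
*.111 Idle
*.* Unbound
*.32772 Idle
*.514 Idle
*.* Unbound

TCP: IPv4
Local Address Remote Address Swind Send-Q Rwind Recv-Q State
-------------------- -------------------- ----- ------ ----- ------ -------
*.* *.* 0 0 49152 0 IDLE
*.111 *.* 0 0 49152 0 LISTEN
*.* *.* 0 0 49152 0 IDLE

TCP: IPv6
Local Address Remote Address Swind Send-Q Rwind Recv-Q State If
--------------------- ---------------------- ----- ------ ----- ------ -----------
*.* *.* 0 0 49152 0 IDLE
"""

# Assumption: the listeners this site expects on a reduced-networking host.
BASELINE = {
    ("tcp", "*", 111): "rpcbind",
    ("udp", "*", 111): "rpcbind",
    ("udp", "*", 514): "syslogd",
}


def listeners(netstat_text):
    """Return {(proto, bind_address, port)} for bound UDP and listening TCP."""
    proto = None
    found = set()
    for line in netstat_text.splitlines():
        header = re.match(r"^(UDP|TCP|SCTP):", line)
        if header:
            proto = header.group(1).lower()
            continue
        if line.startswith("Active UNIX"):
            proto = None  # UNIX domain sockets are not network listeners
            continue
        fields = line.split()
        if proto not in ("udp", "tcp") or len(fields) < 2:
            continue
        # Solaris prints address and port joined by a dot: *.111, 127.0.0.1.25
        addr, _, port = fields[0].rpartition(".")
        if not port.isdigit():
            continue  # column headers, separators, and unbound *.* entries
        state = fields[-1]
        if (proto == "tcp" and state == "LISTEN") or (proto == "udp" and state == "Idle"):
            found.add((proto, addr, int(port)))
    return found


def unexpected(netstat_text, baseline=BASELINE):
    """Return the listeners that are not in the baseline, sorted."""
    return sorted(listeners(netstat_text) - set(baseline))


if __name__ == "__main__":
    for proto, addr, port in unexpected(NETSTAT):
        print("not in baseline: %s %s.%d" % (proto, addr, port))
```

Run against the slide's output, the check reports UDP port 32772, which is bound on all addresses and is not in the assumed baseline.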

Changes to Solaris JumpStart™


• Solaris JumpStart™ has a new DHCP vendor option
that lets you specify the tftpboot server as a Universal
Resource Identifier (URI).
• The URI can specify either a tftp or an http resource.
• Traditional inetboot JumpStart installations and the
new WAN Boot installations use http resources.
• Only traditional inetboot JumpStart installations use
tftp resources.
• The new metacluster SUNWCrnet creates a more secure
installation option.

New JumpStart Features (cont.)


• SUNWCrnet provides core operating system
functionality, including the following:
• libm and generic device driver modules
• Installation and patch utilities, including utilities
commonly used in packaging scripts such as Perl
and gzip
• System localization and keyboard configuration
tables
• Elements for supporting sysidcfg options,
specifically name services and Kerberos

New JumpStart Profile Keywords


New JumpStart profile keywords let you create Solaris
Volume Manager mirrored metadevices and metastate
databases during the JumpStart process.
• The mirror qualifier has been added to the filesys
keyword.
The mirror qualifier instructs the system to
construct a mirror using the slices and sizes listed on
the command line.

New JumpStart Profile Keywords (cont.)


• The metadb keyword has been added.
The metadb keyword lets the system administrator
specify the size and number of metastate databases
that will reside on a mirrored slice.

RAID 1 (Mirrors) Support


The custom JumpStart installation method now enables you
to create RAID-1 volumes during a Solaris OS installation.
By mirroring file systems, you can protect your
system by duplicating data over two physical disks.
In JumpStart, the following new custom profile keywords and
values enable you to create mirrored file systems.
• The new filesys keyword value mirror creates a
mirror. Then you can designate specific slices as single-
slice concatenations to attach to the mirror.
• The new metadb profile keyword enables you to create
the required state database replicas.

Limiting Profile Keywords When Upgrading With Non-Global Zones
• Only two profile keywords should be used in the
profile:
• install_type
• root_device
• Some keywords cannot be included in a profile:
• backup_media
• cluster
• geo
• layout_constraint
• locale
• package
• patch

Changes to Flash Archives


• The flarcreate command creates an archive image
that can be used to reinstall the target system where the
archive was created or to install a clone system.
• Archive images are commonly used with JumpStart.
• Large file support.
• Differential archives.

New Flash Archive Features


• Enhancements to the -x option and the new -X, -y, and
-z options increase the flexibility and granularity with
which archives can be created.
• The flarcreate command now can create differential
archives.

Changed Packages and Files


• SUNWinst
• flarcreate
• flar

Changes to Solaris Live Upgrade


• The lucreate command creates a new boot
environment while the system continues to run on the
existing boot environment.
• The system can then be upgraded to the new operating
system boot environment with just a reboot.

New Features of Live Upgrade


• Changes to the lucreate command let the system
administrator work with a limited set of operations on
logical storage devices, including:
• Creating mirrors
• Removing devices from mirrors
• Attaching devices to mirrors
• The JumpStart interface now supports the creation of
empty boot environments during installation that are
immediately available for use.

New Keywords for the lucreate Command


• preserve
• mirror
• attach
• detach

Changed Packages and Files


• SUNWluu
• /usr/sbin/lucreate

Configuring a ZFS Root File System with Zones Root on ZFS
To set up a ZFS root file system and ZFS zone root
configuration that can be upgraded or patched:
1. Install the system with a ZFS root, either by using
the interactive initial installation method or the
Solaris JumpStart installation method.
2. Boot the system from the newly-created root pool.
3. Create a dataset for grouping the zone roots. For
example:
# zfs create -o canmount=noauto rpool/ROOT/S10be/zones

Configuring a ZFS Root File System with Zones Root on ZFS (cont.)
4. Mount the newly-created zones container dataset.
# zfs mount rpool/ROOT/S10be/zones

5. Create and mount a dataset for each zone root.
# zfs create -o canmount=noauto rpool/ROOT/S10be/zones/zonerootA

# zfs mount rpool/ROOT/S10be/zones/zonerootA

6. Set the appropriate permissions on the zonerootA directory.
# chmod 700 /zones/zonerootA

Configuring a ZFS Root File System with Zones Root on ZFS (cont.)
7. Configure the zone, setting the zone path as follows:
# zonecfg -z zoneA

8. Install the zone.


# zoneadm -z zoneA install

9. Boot the zone.


# zoneadm -z zoneA boot

Upgrading the Solaris OS When Non-Global Zones Are Installed
You can upgrade or patch a system that contains non-global
zones with Solaris Live Upgrade.
Solaris Live Upgrade is the recommended program
to upgrade and to add patches.
The following list summarizes changes to accommodate
systems that have non-global zones installed.
• A new package: SUNWlucfg
• When creating a new boot environment, you can now specify
a destination disk slice for a shared file system within a
non-global zone.

Upgrading the Solaris OS When Non-Global Zones Are Installed (cont.)
• The lumount command provides non-global zones
with access to their corresponding file systems that
exist on inactive boot environments.
• Comparing boot environments is enhanced with the
lucompare command.
• Listing file systems with the lufslist command is enhanced.

Upgrading the Solaris OS When Non-Global Zones Are Installed (cont.)
To upgrade a system with non-global zones installed:
1. Install required patches.
# patchadd /net/server/export/patches
# init 6

2. Remove the Solaris Live Upgrade packages from the
current boot environment.
# pkgrm SUNWlucfg SUNWluu SUNWlur

3. Insert the Solaris DVD or CD and install the
replacement Solaris Live Upgrade packages from the
target release.
# pkgadd -d /cdrom/cdrom0/Solaris_10/Product SUNWlucfg SUNWlur SUNWluu

Upgrading the Solaris OS When Non-Global Zones Are Installed (cont.)
4. Create a boot environment.
# lucreate -n newbe -m /:/dev/dsk/c0t1d0s4:ufs -m \
/export:/dev/dsk/c0t1d0s1:ufs:zone1

5. Upgrade the new boot environment.
# luupgrade -n newbe -u -s \
/net/server/export/Solaris_10/combined.solaris_wos

6. (Optional) Verify that the boot environment is bootable.
# lustatus
boot environment   Is        Active  Active    Can     Copy
Name               Complete  Now     OnReboot  Delete  Status
-----------------------------------------------------------------
c0t1d0s0           yes       yes     yes       no      -
newbe              yes       no      no        yes     -

Upgrading the Solaris OS When Non-Global Zones Are Installed (cont.)
7. Activate the new boot environment.
# luactivate newbe

# init 6

Live Upgrade with ZFS root File System


Solaris Live Upgrade can be used to create and upgrade an
inactive boot environment on ZFS storage pools, and you can
now migrate your UFS root (/) file system to a ZFS root pool.
• The lucreate command has been enhanced with the
-p option
• The -p option specifies the ZFS pool in which a new
boot environment resides.
• The lucreate command -m option is not supported
with ZFS

Live Upgrade with ZFS root File System (cont.)
Migrating From a UFS root (/) File System to ZFS Root Pool
The following commands create a ZFS root pool and a new
boot environment from a UFS root (/) file system in the ZFS
root pool.
# zpool create rpool c0t1d0s5
# zfs list
NAME USED AVAIL REFER MOUNTPOINT
rpool 9.29G 57.6G 20K /rpool

# lucreate -c c0t0d0 -n new-zfsBE -p rpool


# zfs list
NAME USED AVAIL REFER MOUNTPOINT
rpool 9.29G 57.6G 20K /rpool
rpool/ROOT 5.38G 57.6G 18K /rpool/ROOT
rpool/ROOT/new-zfsBE 5.38G 57.6G 551M /tmp/.alt.luupdall.110034
rpool/dump 1.95G - 1.95G -
rpool/swap 1.95G - 1.95G -

Live Upgrade with ZFS root File System (cont.)
Migrating a UFS File System With Solaris Volume Manager
Volumes Configured to a ZFS Root File System
You can migrate your UFS file system if your system has
Solaris Volume Manager (SVM) volumes.
# lucreate -n ufsBE -m /:/dev/md/dsk/d104:ufs

# zpool create rpool mirror c0t0d0s0 c0t1d0s0

# lucreate -n c0t0d0s0 -s ufsBE -p rpool

Live Upgrade with ZFS root File System (cont.)
Creating a New Boot Environment From a ZFS Root Pool
You can either create a new ZFS boot environment within the
same root pool or on a new root pool.
To create a new boot environment in the same root pool:
# lucreate -c zfsBE -n new-zfsBE
# zfs list
NAME USED AVAIL REFER MOUNTPOINT
rpool 9.29G 57.6G 20K /rpool
rpool/ROOT 5.38G 57.6G 18K /rpool/ROOT
rpool/ROOT/zfsBE 5.38G 57.6G 551M
rpool/ROOT/zfsBE@new-zfsBE 66.5K - 551M -
rpool/ROOT/new-zfsBE 5.38G 57.6G 551M /tmp/.alt.luupdall.110034
rpool/dump 1.95G - 1.95G -
rpool/swap 1.95G - 1.95G -

Live Upgrade with ZFS root File System (cont.)
Patching a Zone With Live Upgrade
You can patch a system that contains non-global zones with
Solaris Live Upgrade.
• If you have a system that contains non-global zones,
Solaris Live Upgrade is the recommended program to
add patches.
• If you are patching a system with Solaris Live Upgrade,
you do not have to take the system to single-user mode
and you can maximize your system’s uptime.

Using Signed Packages and Patches


• Web Installation for Packages and Patches provides the
ability to sign, download, verify, and install Solaris
packages and patches over the web.
• Web Installation for Packages and Patches lets you
deploy Solaris streamed packages and patches through
HTTP or HTTPS protocols.
• Web Installation for Packages and Patches lets you
digitally sign packages and patches and verify
signatures during or after download so that the
authenticity and integrity of signed packages and
patches can be guaranteed.

Changed Packages and Files


• SUNWcsr
• /var/sadm/security
• /usr/bin/pkgadm
• /usr/sbin/pkgadd
• /usr/bin/pkgtrans
• SUNWswmt
• /usr/sbin/patchadd
• /usr/lib/patch/patchutil

Support for x86-Based Systems


New GRUB findroot Command
All Solaris installation methods, including Solaris Live
Upgrade, now use the findroot command for specifying
which disk slice to boot on an x86 based system.
This information is located in the menu.lst file that is used
by GRUB. The most common form of the entry in the
menu.lst file is:
findroot (rootfs0,0,a)
kernel$ /platform/i86pc/kernel/$ISADIR/unix
module$ /platform/i86pc/$ISADIR/boot_archive

Support for x86-Based Systems


GRUB-Based Booting
• GNU GRand Unified Boot Loader (GRUB) has been adopted
in the Solaris OS for x86 based systems.
• The GRUB based boot feature provides the following
improvements:
• Faster boot times
• Installation from USB CD or DVD drives
• Ability to boot from USB storage devices
• Simplified DHCP setup for PXE boot (no vendor-specific
options)
• Elimination of all realmode drivers
• Ability to use Solaris Live Upgrade and the GRUB menu
to quickly activate and fall back to boot environments

Support for x86-Based Systems


Default Boot-Disk Partition Layout on X86 Systems
The new default includes the following partitions:
• First partition – Service partition (existing size on
system)
• Second partition – x86 boot partition (approximately 11
Mbytes)
• Third partition – Solaris Operating System partition
(remaining space on the boot disk)
