Professional Documents
Culture Documents
Copyright 2005 Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.
This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and
decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of
Sun and its licensors, if any.
Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.
Sun, Sun Microsystems, the Sun logo, Solaris, JumpStart, Web Start, Solstice DiskSuite, SunBlade, SunSolve, Ultra, OpenBoot, Java, Sun
Ray, Java Card and iPlanet are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and
other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.
UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd.
The OPEN LOOK and Sun Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges
the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry.
Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Suns licensees who
implement OPEN LOOK GUIs and otherwise comply with Suns written license agreements.
Federal Acquisitions: Commercial Software Government Users Subject to Standard License Terms and Conditions
Export Laws. Products, Services, and technical data delivered by Sun may be subject to U.S. export controls or the trade laws of other
countries. You will comply with all such laws and obtain all licenses to export, re-export, or import as may be required after delivery to
You. You will not export or re-export to entities on the most current U.S. export exclusions lists or to any country subject to U.S. embargo
or terrorist controls as specified in the U.S. export laws. You will not use or provide Products, Services, or technical data for nuclear, missile,
or chemical biological weaponry end uses.
DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND
WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE
LEGALLY INVALID.
THIS MANUAL IS DESIGNED TO SUPPORT AN INSTRUCTOR-LED TRAINING (ILT) COURSE AND IS INTENDED TO BE
USED FOR REFERENCE PURPOSES IN CONJUNCTION WITH THE ILT COURSE. THE MANUAL IS NOT A STANDALONE
TRAINING TOOL. USE OF THE MANUAL FOR SELF-STUDY WITHOUT CLASS ATTENDANCE IS NOT RECOMMENDED.
Export Commodity Classification Number (ECCN) assigned: 12 December 2001
Please
Recycle
Copyright 2005 Sun Microsystems Inc. 4150 Network Circle, Santa Clara, California 95054, Etats-Unis. Tous droits rservs.
Ce produit ou document est protg par un copyright et distribu avec des licences qui en restreignent lutilisation, la copie, la distribution,
et la dcompilation. Aucune partie de ce produit ou document ne peut tre reproduite sous aucune forme, par quelque moyen que ce soit,
sans lautorisation pralable et crite de Sun et de ses bailleurs de licence, sil y en a.
Le logiciel dtenu par des tiers, et qui comprend la technologie relative aux polices de caractres, est protg par un copyright et licenci
par des fournisseurs de Sun.
Sun, Sun Microsystems, le logo Sun, Solaris, JumpStart, Web Start, Solstice DiskSuite, SunBlade, SunSolve, Ultra, OpenBoot, Java, Sun Ray,
Java Card, et iPlanet sont des marques de fabrique ou des marques dposes de Sun Microsystems, Inc. aux Etats-Unis et dans dautres
pays.
Toutes les marques SPARC sont utilises sous licence sont des marques de fabrique ou des marques dposes de SPARC International, Inc.
aux Etats-Unis et dans dautres pays. Les produits portant les marques SPARC sont bass sur une architecture dveloppe par Sun
Microsystems, Inc.
UNIX est une marques dpose aux Etats-Unis et dans dautres pays et licencie exclusivement par X/Open Company, Ltd.
Linterfaces dutilisation graphique OPEN LOOK et Sun a t dveloppe par Sun Microsystems, Inc. pour ses utilisateurs et licencis.
Sun reconnat les efforts de pionniers de Xerox pour larecherche et le dveloppement du concept des interfaces dutilisation visuelle ou
graphique pour lindustrie de linformatique. Sun dtient une licence non exclusive de Xerox sur linterface dutilisation graphique Xerox,
cette licence couvrant galement les licencis de Sun qui mettent en place linterface dutilisation graphique OPEN LOOK et qui en outre
se conforment aux licences crites de Sun.
Lgislation en matire dexportations. Les Produits, Services et donnes techniques livrs par Sun peuvent tre soumis aux contrles
amricains sur les exportations, ou la lgislation commerciale dautres pays. Nous nous conformerons lensemble de ces textes et nous
obtiendrons toutes licences dexportation, de r-exportation ou dimportation susceptibles dtre requises aprs livraison Vous. Vous
nexporterez, ni ne r-exporterez en aucun cas des entits figurant sur les listes amricaines dinterdiction dexportation les plus courantes,
ni vers un quelconque pays soumis embargo par les Etats-Unis, ou des contrles anti-terroristes, comme prvu par la lgislation
amricaine en matire dexportations. Vous nutiliserez, ni ne fournirez les Produits, Services ou donnes techniques pour aucune utilisation
finale lie aux armes nuclaires, chimiques ou biologiques ou aux missiles.
LA DOCUMENTATION EST FOURNIE EN LETAT ET TOUTES AUTRES CONDITIONS, DECLARATIONS ET GARANTIES
EXPRESSES OU TACITES SONT FORMELLEMENT EXCLUES, DANS LA MESURE AUTORISEE PAR LA LOI APPLICABLE, Y
COMPRIS NOTAMMENT TOUTE GARANTIE IMPLICITE RELATIVE A LA QUALITE MARCHANDE, A LAPTITUDE A UNE
UTILISATION PARTICULIERE OU A LABSENCE DE CONTREFAON.
CE MANUEL DE RFRENCE DOIT TRE UTILIS DANS LE CADRE DUN COURS DE FORMATION DIRIG PAR UN
INSTRUCTEUR (ILT). IL NE SAGIT PAS DUN OUTIL DE FORMATION INDPENDANT. NOUS VOUS DCONSEILLONS DE
LUTILISER DANS LE CADRE DUNE AUTO-FORMATION.
Please
Recycle
Table of Contents
About This Course ............................................................Preface-xvii
Course Goals....................................................................... Preface-xvii
Course Map........................................................................ Preface-xviii
Topics Not Covered............................................................. Preface-xix
How Prepared Are You?..................................................... Preface-xxi
Introductions .......................................................................Preface-xxii
How to Use Course Materials ..........................................Preface-xxiii
Conventions ........................................................................Preface-xxiv
Icons ............................................................................Preface-xxiv
Typographical Conventions .....................................Preface-xxv
Describing Interface Configuration ................................................1-1
Objectives ........................................................................................... 1-1
Controlling and Monitoring Network Interfaces .......................... 1-2
Displaying the MAC Address................................................. 1-2
Displaying the IP Address...................................................... 1-3
Marking an Ethernet Interface as Down................................ 1-3
Sending ICMP ECHO_REQUEST Packets.................................. 1-4
Capturing and Inspecting Network Packets........................ 1-5
Configuring IPv4 Interfaces at Boot Time ...................................... 1-6
Introducing IPv4 Interface Files.............................................. 1-6
Changing the System Host Name ......................................... 1-9
Performing the Exercises ................................................................ 1-12
Exercise: The Solaris OS Network Commands (Level 1) ........... 1-13
Preparation............................................................................... 1-13
Tasks ......................................................................................... 1-13
Exercise: The Solaris OS Network Commands (Level 2) ........... 1-14
Preparation............................................................................... 1-14
Task Summary......................................................................... 1-14
Tasks ........................................................................................ 1-15
Exercise: The Solaris OS Network Commands (Level 3) ........... 1-17
Preparation............................................................................... 1-17
Task Summary......................................................................... 1-17
Tasks and Solutions ............................................................... 1-18
Exercise Summary............................................................................ 1-20
v
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved.Sun Services, Revision A.1
vi
viii
ix
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
xi
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
xii
xiii
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
xiv
xv
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
xvi
Preface
Preface-xxi
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
Course Map
Course Map
The course map enables you to see what you have accomplished and
where you are going in reference to the course goals.
Customizing
Describing the
Interface
Client-Server
Configuration
Model
the Solaris
Management
Console
Managing
Swap
Crash Dumps
Configuring
Configuring
and
NFS
AutoFS
Configuration
Core Files
Configuring
RAID and
Solaris
Solaris
Volume
Volume
Manager
Manager
Software
Software
Configuring
Role-Based
Access Control
(RBAC)
System
Messaging
Configuring
Name
Name
Services
Service Clients
Configuring
the Network
Information
Service (NIS)
Preface-xxii
Configuring
the Custom
JumpStart
Procedure
Performing a
Flash
Installation
Preface-xxiii
Preface-xxiv
Can you add users to the system using the Solaris Management
Console software?
Preface-xxv
Introductions
Introductions
Now that you have been introduced to the course, introduce yourself to
the other students and the instructor, addressing the following items:
Preface-xxvi
Name
Company affiliation
Visual aids The instructor might use several visual aids to convey a
concept, such as a process, in a visual form. Visual aids commonly
contain graphics, animation, and video.
Preface-xxvii
Conventions
Conventions
The following conventions are used in this course to represent various
training elements and alternative learning resources.
Icons
Note Indicates additional information that can help students but is not
crucial to their understanding of the concept being described. Students
should be able to understand the concept or complete the task without
this information. Examples of notational information include keyword
shortcuts and minor system adjustments.
Caution Indicates that there is a risk of personal injury from a
nonelectrical hazard, or risk of irreversible damage to data, software, or
the operating system. A caution indicates that the possibility of a hazard
(as opposed to certainty) might happen, depending on the action of the
user.
Power user Indicates additional supportive topics, ideas, or other
optional information.
Preface-xxviii
Conventions
Typographical Conventions
Courier is used for the names of commands, files, directories, user
names, host names, programming code, and on-screen computer output;
for example:
Use the ls -al command to list all files.
host1# cd /home
Courier bold is used for characters and numbers that you type; for
example:
To list the files in this directory, type the following:
# ls
Preface-xxix
Module 1
The course map in Figure 1-1 shows how this module fits into the current
instructional goal.
Describing the
Interface
Client-Server
Configuration
Model
Figure 1-1
Customizing
the Solaris
Management
Console
Course Map
1-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
Note The MAC address is displayed only if run as the root user.
# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232
index 1 inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 192.168.30.41 netmask ffffff00 broadcast 192.168.30.255
ether 8:0:20:93:c9:af
The MAC address is listed as 8:0:20:93:c9:af in this example.
You can also retrieve the MAC address from a system that has not yet
been booted by running the banner command at the ok prompt.
ok banner
Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 300MHz), Keyboard Present
OpenBoot 3.31 256 MB (60ns) memory installed, Serial #9685423.
Ethernet address 8:0:20:93:c9:af, Host ID: 8093c9af.
1-2
1-3
For more information on ifconfig and plumbed, see the ifconfig man
page.
Note Configuration of routes is an advanced networking topic. Detailed
network administration concepts are covered in SA300: Network
Administration for the Solaris 10 Operating System.
1-4
Summary output
snoop -V
snoop -v
snoop -o filename
snoop -i filename
1-5
1-6
Interface
/etc/hostname.hme0
/etc/hostname.hme1
/etc/hostname.qfe0
/etc/hostname.eri0
The codes for the interface types are product codes. These codes originate
from varying sources. For example, the qfe code is an abbreviation for
Quad Fast Ethernet.
The /etc/hostname.hme0 file contains either the host name or the IP
address of the system that contains the hme0 interface. The host name
contained in the file must exist in the /etc/inet/hosts file so that it can
be resolved to an IP address at system boot time. You can edit the
/etc/hostname.hme0 file to contain either the host name or the IP
address from the /etc/inet/hosts file.
# cat /etc/hostname.hme0
sys41
or
# cat /etc/hostname.hme0
192.168.30.41
1-7
1-8
Note If crash dump is enabled on the system, the system name needs to
be changed under /var/crash. Older versions of Solaris also had the
hostname in files located under /etc/net/tic*/*.
1-9
1-10
Removes the password set for the root user in the /etc/shadow file.
1-11
1-12
Preparation
To prepare for this exercise, perform the following tasks:
Work with a partner for this exercise, and perform all steps on both
systems, unless noted otherwise.
Tasks
Complete the following steps:
Note Be sure to work closely with your partner during the lab to ensure
you are both working on the same steps.
Use the ping command to contact your partners system, and record
the snoop output. On one system, mark the primary interface as
down. Record the new ifconfig output for this interface. Use the
ping command to contact that host, and record related snoop
output.
1-13
Preparation
To prepare for this exercise, perform the following tasks:
Work with a partner for this exercise, and perform all steps on both
systems, unless noted otherwise.
Task Summary
Perform the following tasks:
1-14
Use the ping command to contact your partners system, and record
the snoop output. On one system, mark the primary interface as
down. Record the new ifconfig output for this interface. Use the
ping command to contact that host, and record related snoop output
including:
Tasks
Complete the following steps using the ifconfig utility, the ping
command, and the snoop utility.
Note Be sure to work closely with your partner during the lab to ensure
you are both working on the same steps.
1.
Value
IP address
Ethernet address
Interface up/down
2.
3.
Use the ping command to verify that your system can contact the
network interface on your partners system.
4.
Observe the output from the snoop command. Which protocol does
the ping command use?
Does the snoop output contain requests and replies (yes or no)?
Requests:
5.
Replies:
1-15
On the system whose interface remains up, attempt to use the ping
command to contact the system whose interface is down.
What does the ping command report?
________________________________________________
7.
Observe the output from the snoop utility on both systems. How
does the snoop output differ from the ping command output before
and after you marked the interface as down?
How many requests does the ping command send by default?
________________________________________________
Does the target system see the ping command requests? If so, how
are these requests handled?
________________________________________________
8.
9.
On the system whose interface remained up, use the ping command
to contact the other system.
What does the ping command report?
________________________________________________
Does the snoop utility report a reply from the target host?
________________________________________________
1-16
Preparation
To prepare for this exercise, perform the following tasks:
Work with a partner for this exercise, and perform all steps on both
systems, unless noted otherwise.
Task Summary
Complete the following steps:
Use the ping command to contact your partners system, and record
the snoop output. On one system, mark the primary interface as
down. Record the new ifconfig output for this interface. Use the
ping command to contact that host, and record related snoop output
including:
1-17
Value
IP address
Ethernet address
Interface up/down
2.
Use the ping command to verify that your system can contact the
network interface on your partners system.
4.
Observe the output from the snoop command. Which protocol does
the ping command use?
# ping host
ICMP
Does the snoop output contain requests and replies (yes or no)?
Requests: Yes
1-18
Replies: Yes
On the system whose interface remains up, attempt to use the ping
command to contact the system whose interface is down.
What does the ping command report?
After a time-out period, the ping command reports no answer from
host.
7.
Observe the output from the snoop utility on both systems. How
does the snoop output differ from the ping command output before
and after you marked the interface as down?
The snoop utility only shows the ping command requestsno replies.
How many requests does the ping command send by default?
Twenty
Does the target system see the ping command requests? If so, how
are these requests handled?
Yes it does, but it does not send a reply.
8.
# ifconfig hme0 up
# ifconfig hme0
9.
On the system whose interface remained up, use the ping command
to contact the other system.
What does the ping command report?
The host is alive.
Does the snoop utility report a reply from the target host?
Yes.
1-19
Exercise Summary
Exercise Summary
!
?
1-20
Experiences
Interpretations
Conclusions
Applications
Module 2
The course map in Figure 2-1 shows how this module fits into the current
instructional goal.
Describing the
Interface
Client-Server
Configuration
Model
Figure 2-1
Customizing
the Solaris
Management
Console
Course Map
2-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
File
Server
Client
Figure 2-2
2-2
Name
Server
Client
Print
Server
Client
Client Processes
For name services, a client is a host system that uses either the NIS+,
NIS, DNS, or LDAP name service lookup provided by the name
service server.
2-3
Client 1
Client 2
Print
Server
Printer A
Printer B
Client 3
Client 4
Storage
Server
Printer C
Storage
Array 1
Storage
Array 2
Figure 2-3
2-4
Server Processes
2-5
SMF Service
A service can be described as an entity which provides a resource or list of
capabilities to applications and other services, both local and remote. A
service is not necessarily a running process, such as a web server. A
service can also be the software state of a device, such as a configured
network device, or a mounted file system.
A system can have more than one occurrence of a service running. For
example, a system can have more than one configured network interface,
or more than one mounted file system.
2-6
Service Identifiers
Each instance of a service within SMF has a name which is referred to as a
Service Identifier. This service identifier is in the form of a Fault
Management Resource Identifier or FMRI. The FMRI indicates the type of
service or category, and the name and instance of the service.
The service categories include the following:
application
device
legacy
milestone
network
platform
site
system
The word default identifies the first, in this case only, instance of
the service
The prefix lrc (Legacy Run Control) indicates that this service
currently is not managed by SMF
2-7
2-8
Service States
The svcs command can be used to list service identifiers and the state of
the service instance. A service can be either enabled or disabled. Service
states can include the following:
online
The service instance is enabled and has successfully started.
offline
The service instance is enabled, but the service is not yet running or
available to run.
disabled
The service instance is not enabled and is not running.
legacy_run
The legacy service is not managed by SMF, but the service can be
observed. This state is only used by legacy services.
uninitialized
This state is the initial state for all services before their configuration
has been read.
maintenance
The service instance has encountered an error that must be resolved
by the administrator.
degraded
The service instance is enabled, but is running at a limited capacity.
2-9
Milestones
A milestone is a special type of service which is made up of a defined set
of other services.
A milestone can be regarded as a system state to reach. This system state
requires a defined set of services to be running. These services depend on
other services being available. Hence, there is a hierarchy of dependency
relationships. This is one of the core features managed by SMF. Currently
there are 6 milestones.
single-user
multi-user
multi-user-server
network
name-services
sysconfig
devices
milestone
network
name-services
net-physical
Figure 2-4
2-10
system
application
filesystem
/usr
/var
X11
multiuser
/var/svc/manifest/milestone/
multi-user-server.xml
dependency list
exec /sbin/rc3
multi-user milestone
var/svc/manifest/milestone/
multi-user.xml
dependency list
name-services milestone
single-user milestone
filesystem
/var/svc/manifest/milestone/
single-user.xml
/var/svc/manifest/system/
filesystem/local-fs.xml
dependency list
method
/lib/svc/method/fs-local
Figure 2-5
2-11
none
single-user
multi-user
multi-user-server
all
2-12
2-13
2-14
Notes:
2-15
Notes:
2-16
svc:/network/telnet:default
svc:/network/telnet:default
svc:/network/telnet:default
2-17
FMRI
svc:/network/rpc/gss:default
svc:/network/rpc/mdcomm:default
svc:/network/rpc/meta:default
svc:/network/rpc/metamed:default
svc:/network/rpc/metamh:default
svc:/network/rpc/rex:default
svc:/network/rpc/rstat:default
svc:/network/rpc/rusers:default
svc:/network/rpc/spray:default
svc:/network/rpc/wall:default
svc:/network/security/ktkt_warn:default
svc:/network/tname:default
svc:/network/telnet:default
svc:/network/nfs/rquota:default
svc:/network/chargen:dgram
svc:/network/chargen:stream
svc:/network/daytime:dgram
svc:/network/daytime:stream
svc:/network/discard:dgram
svc:/network/discard:stream
svc:/network/echo:dgram
svc:/network/echo:stream
svc:/network/time:dgram
svc:/network/time:stream
svc:/network/ftp:default
svc:/network/comsat:default
svc:/network/finger:default
svc:/network/login:eklogin
svc:/network/login:klogin
svc:/network/login:rlogin
svc:/network/rexec:default
svc:/network/shell:default
svc:/network/shell:kshell
svc:/network/talk:default
Note When a network service is affected, any related services are also
affected. By disabling one service, a number of other services may become
unavailable.
2-18
Port Numbers
There are two fundamental approaches to port assignments:
Central authority:
All users must agree to allow the central authority to assign all
port numbers.
Dynamic binding:
2-19
2-20
inetd
telnet sys42
sys41
sys42
(Client)
Time
23
telnet ...in.telnetd
in.telnetd
(port
nnnnn
nnnnn)
23
8
(Server)
in.telnetd
6
7
Traffic
fic on
o
nnnnn
n
Figure 2-6
= port number
2-21
2.
The telnet service is a well-known service. The port for this service
is port 23.
3.
4.
Initially, the inetd daemon listens at port 23 for the telnet service.
The telnet sys42 command on sys41 generates a request to
port 23 that inetd recognizes as a telnet request because of the
configuration entry in the /etc/inet/services file.
5.
6.
7.
Note The inetd daemon continues to listen for new service requests.
2-22
rpcbind
rpcbind
2-23
rpcbind
inetd
spray host2
Host 1 (Client)
Host 2 (Server)
Start
111
nnnnn
nnnnn
spray/1... rpc.sprayd
rpc.sprayd (port nnnnn)
nnnnn
n
Figure 2-7
2-24
nnnnn
= port number
2.
3.
4.
The host1 client sends a second request to the port number of the
sprayd service on the host2 server. The inetd daemon receives the
request.
5.
2-25
[ host ]
For example:
# rpcinfo -p
program vers proto
100000
4
tcp
100000
3
tcp
100000
2
tcp
100000
4
udp
100000
3
udp
100000
2
udp
100232
10
udp
100083
1
tcp
...
<output truncated>
...
port
111
111
111
111
111
111
32772
32771
service
rpcbind
rpcbind
rpcbind
rpcbind
rpcbind
rpcbind
sadmind
Program number
RPC protocol
Port number
RPC service
2-26
2-27
2-28
Preparation
To prepare for this exercise, perform the following tasks:
Check that you have two systems listed in the /etc/hosts file on
each system.
Work with a partner for this exercise, and perform all steps on both
systems, unless noted otherwise.
# inetadm -e svc:/network/rpc/spray:default
Tasks
Perform the following tasks:
2-29
2-30
Check the port number assigned to the rpcbind service to make sure
that it is a well-known port. Record the port number. Check and
record the port number and program number assigned to the sprayd
daemon. Check that your partners system can contact your system
using the sprayd daemon. Unregister the sprayd service. Check that
the service has unregistered.
Check that the sprayd daemon does not function from your
partners system to your system. Restart the sprayd service, and
check that the sprayd service is again a registered service, and that
the sprayd service functions correctly between the two systems.
Check the new port number assigned to the sprayd service and the
program number that it uses.
Preparation
To prepare for this exercise, perform the following tasks:
Check that you have two systems listed in the /etc/hosts file on
each system.
Work with a partner for this exercise, and perform all steps on both
systems, unless noted otherwise.
# inetadm -e svc:/network/rpc/spray:default
Task Summary
Perform the following tasks:
2-31
Check the port number assigned to the rpcbind service to make sure
that it is a well-known port. Record the port number. Check and
record the port number and program number assigned to the sprayd
daemon. Check that your partners system can contact your system
using the sprayd daemon. Unregister the sprayd service. Check that
the service has unregistered.
Check that the sprayd daemon does not function from your
partners system to your system. Restart the sprayd service, and
check that the sprayd service is again a registered service, and that
the sprayd service functions correctly between the two systems.
Check the new port number assigned to the sprayd service and the
program number that it uses.
Tasks
Perform the following tasks.
2.
3.
4.
Note Determine which system acts as the FTP client and which acts as
the FTP server.
2-32
6.
7.
8.
9.
On both the FTP server and client, check for FTP-related daemons
and applications.
What does the pgrep command display?
_____________________________________________________________
10. Observe the output from the snoop utility on both systems. What
FTP-related login information does the snoop command display?
_____________________________________________________________
11. Change the client-server roles of the two systems, and repeat step 4
through step 9.
2-33
2.
3.
4.
5.
2-34
6.
Check that your system will respond to the sprayd service requests.
Have your partner run the spray command, and specify your
system as the target.
7.
Have your partner run the spray command, and specify your
system as the target again.
What message does the spray command return?
_____________________________________________________________
9.
2-35
Preparation
To prepare for this exercise, perform the following tasks:
Check that you have two systems listed in the /etc/hosts file on
each system.
Work with a partner for this exercise, and perform all steps on both
systems, unless noted otherwise.
# inetadm -e svc:/network/rpc/spray:default
Task Summary
Perform the following tasks:
2-36
Check the port number assigned to the rpcbind service to make sure
that it is a well-known port. Record the port number. Check and
record the port number and program number assigned to the sprayd
daemon. Check that your partners system can contact your system
using the sprayd daemon. Unregister the sprayd service. Check that
the service has unregistered.
Check that the sprayd daemon does not function from your
partners system to your system. Restart the sprayd service, and
check that the sprayd service is again a registered service, and that
the sprayd service functions correctly between the two systems.
Check the new port number assigned to the sprayd service and the
program number that it uses.
2-37
# ftp host1
Connected to host1.
220 host1 FTP server ready.
Name (host1:root):root
331 Password required for root.
Password:xxxxxxx
230 User root logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
5.
# pgrep -l ftp
nnn ftp
What does the pgrep command display?
The pgrep command should list the FTP application if the system is acting
as an FTP client.
6.
# pgrep -l ftp
nnnn in.ftpd
What does the pgrep command display?
The pgrep command should list the in.ftpd daemon if the system is
acting as an FTP server.
2-38
8.
On both the FTP server and FTP client, check for FTP-related
daemons and applications.
ftp> bye
# pgrep -l ftp
What does the pgrep command report?
Nothing. Both the FTP application and FTP server daemon have
terminated.
9.
Observe the output from the snoop utility on both systems. What
FTP-related login information does the snoop command display?
The login name and password in clear text.
10. Change the client-server roles of the two systems, and repeat
step 5 through step 9.
rpcbind
rpcbind
rpcbind
rpcbind
rpcbind
rpcbind
rpcbind
rpcbind
Does it?
Yes
2-39
sprayd
spray
Is it listed?
Yes
6.
Check that your system will respond to the sprayd service requests.
Have your partner run the spray command, and specify your
system as the target.
7.
# spray host1
# rpcinfo -d sprayd 1
# rpcinfo -p | grep sprayd
8.
Have your partner run the spray command, and specify your
system as the target again.
What message does the spray command return?
# spray host1
spray: cannot clnt_create host:netpath: RPC: Program not registered
9.
# inetadm -d svc:/network/rpc/spray:default
# inetadm -e svc:/network/rpc/spray:default
2-40
sprayd
2-41
Exercise Summary
Exercise Summary
!
?
2-42
Experiences
Interpretations
Conclusions
Applications
Module 3
The course map in Figure 3-1 shows how this module fits into the current
instructional goal.
Describing the
Interface
Client-Server
Configuration
Model
Figure 3-1
Customizing
the Solaris
Management
Console
Course Map
3-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
The console
3-2
Note You can start Solaris Management Console as a regular user, but
some tools and applications might not load unless you log in to the
Solaris Management Console server as root, or unless you assume a
role-based access control (RBAC) role during Solaris Management
Console server login.
3-3
3-4
3-5
Figure 3-2
3-6
Figure 3-3
Includes
System Status
System Configuration
Services
Scheduled Jobs
Storage
Serial Ports
Terminal
3-7
Figure 3-4
3-8
Figure 3-5
The first tool to be opened in the console requires authentication. Use the
root account details. The System Information window, shown in
Figure 3-5, collects and displays system configuration information.
3-9
Figure 3-6
3-10
Figure 3-7
Menu Bar
The menu bar is at the top of the toolbox editor and includes the
following menus:
Toolbox
Edit
Action
Go
Help
3-11
Open
Save
Save As
Exit
Figure 3-8
3-12
Figure 3-9
3-13
Add Tool
Add Folder
Move Up
Move Down
Properties
3-14
Home Toolbox
3-15
Contents
Index
Search
About Console
3-16
Open the toolbox to which you want to add the toolbox URL.
2.
Select the node in the toolbox to which you want to add the toolbox
URL.
3.
4.
5.
Adding a Tool
Adding access to a specific Solaris Management Console server tool from
other Solaris Management Console servers enables you to configure many
different support scenarios using the Solaris Management Console
toolboxes. In a single toolbox, you can configure all tools from a number
of servers for a particular functionality. This access provides the capability
to configure a single Solaris Management Console server for access, such
as a storage server, across all the Solaris Management Console servers.
To add access to a specific Solaris Management Console server tool from
other Solaris Management Console servers:
1.
2.
Select the node in the toolbox to which you want to add the tool.
3.
4.
5.
3-17
3-18
3-19
3-20
Note These steps follow the prompts from the Toolbox URL Wizard.
The wizard displays a help screen along the left side of each window,
as shown in Figure 3-15.
Note To hide the help information, which expands the usable area
within the wizard windows, click the gray box next to the word Help.
2.
3-21
3.
3-22
3-23
Note If the remote host has not started its SMC service since it booted,
there may be a delay before the toolboxes are displayed.
3-24
7.
Select the This Computer (default) toolbox from the Toolboxes list.
8.
9.
3-25
11. In this example, use the toolbox defaults, as shown in Figure 3-20.
3-26
Note Management scope defines what the tools action will update. For
example, a tool can update local files on a server or a tool can update
information in an NIS database. You can configure a toolbox folder and a
specific tool with a scope of operation. You can create folders and tools
that inherit the scope of operation from their parents, or you can configure
them to override their parents scope of operation.
In the Toolbox URL Wizard Step 6 window, you either:
Select Inherit from Parent to specify that the toolbox inherits its
management scope from the parent node.
13. In this example, click Override, select the file management scope
from the Management Scope pull-down menu, and then type the
name of the server where the file or name service resides (sys44), as
shown in Figure 3-21.
3-27
3-28
3-29
3-30
Saving a Toolbox
Every time you make a change to a toolbox, save the changes to that
toolbox by using the Solaris Management Console toolbox editor, and
then reload that toolbox by using the Solaris Management Console.
To save and reload the toolbox, perform the following steps:
Caution To ensure that you are saving the correct toolbox, select the
toolbox that you want to save.
1.
Select the toolbox that you want to save. In this example, select the
Management Tools item in the Navigation pane, as shown in
Figure 3-25.
3-31
To save the selected toolbox, select Save As from the Toolbox menu,
as shown in Figure 3-26.
3-32
Click Save.
3-33
3-34
Adding a tool
2.
3-35
3-36
3.
4.
Click Open.
3-37
3-38
Adding a Tool
To make the Solaris Management Console Tools visible between Solaris
Management Console servers, use the Add Tool function in the Action
menu.
To make the Solaris Management Console Tools visible to other servers,
follow these steps:
1.
Select Add Tool from the Action menu, as shown in Figure 3-33.
3-39
3-40
You can also specify a tool that is not on the server by entering
the tool class name in the Tool Class Name field. If the tool is
later added to the server, the tool will already be in the toolbox.
5.
Type a description.
6.
3-41
9.
3-42
Select File from the Management Scope pull down menu, and
provide the name of the server where the files are stored.
3-43
Select the Load tool when selected option to load each tool only
when the specified tool is selected in the Solaris Management
Console.
3-44
3-45
Saving a Toolbox
Every time you make a change to a toolbox, you must save the changes to
the toolbox using the Solaris Management Console toolbox editor. Then,
you must re-open the toolbox in the Solaris Management Console before
you can use the new tool. To save the current toolbox, follow these steps:
1.
/var/sadm/smc/toolboxes/this_computer/this_computer.tbx
3-46
3-47
# smc &
The Solaris Management Console window displays the last tool that
the Solaris Management Console accessed, as shown in Figure 3-44.
3-48
3-49
3-50
3-51
3-52
Because the preferences are set to force you to log in when opening a
tool, you must log in as shown in Figure 3-49:
a.
b.
c.
Click OK.
3-53
3-54
3-55
Close the toolbox by clicking on the turner icon next to the This
Computer sys42 entry in the Navigation pane, as shown in
Figure 3-52.
3-56
3-57
Preparation
To prepare for this exercise, refer to your lecture notes as necessary.
You are paired with another student so that, when necessary, the lab
scenarios can send commands between two systems, system1 and
system2. Lab instructions uses the variable names system1 and system2.
Use the translated names as follows:
system1:__________________ system2:__________________
Task Summary
In this exercise, you launch:
3-58
Preparation
To prepare for this exercise, refer to your lecture notes as necessary.
You are paired with another student so that, when necessary, the lab
scenarios can send commands between two systems, system1 and
system2. Lab instructions uses the variable names system1 and system2.
Use the translated names as follows:
system1:__________________ system2:__________________
Task Summary
Launch the following:
3-59
Tasks
Perform the following tasks.
2.
3.
4.
5.
Start the Solaris Management Console toolbox editor and be alert for
the toolbox open failure message.
______________________________________________________
3-60
Start opening the root toolbox on system1 by selecting Open from the
Toolbox menu. Click the Server Toolbox tab and (single) click
Management Tools from the list.
2.
3.
3-61
On system1, select the Add Toolbox URL from the Action menu. (If
this menu choice is not available, single click the Management Tools
node in the left Navigation pane.)
How does the server toolbox selection differ from the local toolbox
selection?
______________________________________________________
2.
3.
4.
On system1, from the Toolboxes list, select the toolbox that contains
all of the management tools for managing the services and the
configuration of system2, and click Next.
What is the URL for this toolbox?
______________________________________________________
5.
6.
7.
b.
Enter the name of the server where the file or name service
resides (system2), and click Finish.
How has the Solaris Management Console toolbox editor
display changed?
______________________________________________________
3-62
2.
On system1, select the directory and file location of the root toolbox,
and click Save.
What is directory location of the root toolbox?
______________________________________________________
2.
3.
4.
3-63
2.
3.
4.
5.
On system1, enter a tool name and description that will enable you
to differentiate between the Disks tools for the local system and
those tools on the remote system, then click Next.
Where are the name and description fields used?
______________________________________________________
6.
On system1, click Use Tool Defaults, and click Next to use the
default tool icons. Authenticate with root password as appropriate.
7.
8.
9.
10. On system1, enter the name of the server (system2) in the Server
field and click Next.
11. On system1, select Load tool when selected option.
What is the alternative to the loading the tool when selected option?
______________________________________________________
12. On system1, click Finish.
3-64
2.
Caution You must select the This Computer (default) toolbox during the
save operation to prevent writing over the Management Tools (root)
toolbox.
What are the current contents of the Storage folder?
______________________________________________________
3.
Exit the Solaris Management Console editor (using the Exit option
on the Toolbox menu) and start only the Solaris Management
Console from the command line.
2.
3.
4.
5.
3-65
3-66
6.
7.
On system1, close the toolbox by clicking the turner icon next to the
This Computer system1 entry in the Navigation pane.
8.
Select Exit from the Console menu to exit the Solaris Management
Console.
Preparation
To prepare for this exercise, refer to your lecture notes as necessary.
You are paired with another student so that, when necessary, the lab
scenarios can send commands between two systems, system1 and
system2. Lab instructions uses the variable names system1 and system2.
Use the translated names as follows:
system1:__________________ system2:__________________
Task Summary
Launch the following:
3-67
# init 6
What is the current status of the Solaris Management Console
server?
# /etc/init.d/init.wbem status
Solaris Management Console server not running on port 898.
2.
# smc &
1694
#
What is the current status of the Solaris Management Console
server?
# /etc/init.d/init.wbem status
Solaris Management Console server version 2.1.0 running on port 898.
3.
# /etc/init.d/init.wbem status
Solaris Management Console server version 2.1.0 running on port 898.
4.
# /etc/init.d/init.wbem stop
Shutting down Solaris Management Console server on port 898.
What is the current status of the Solaris Management Console
server?
# /etc/init.d/init.wbem status
Solaris Management Console server not running on port 898.
3-68
Start the Solaris Management Console toolbox editor and be alert for
the toolbox open failure message.
# dtterm -C &
# /etc/init.d/init.wbem start
Starting Solaris Management Console server version 2.1.0.
endpoint created: :898
Solaris Management Console server is ready.
What is the current status of the Solaris Management Console
server?
# /etc/init.d/init.wbem status
Solaris Management Console server version 2.1.0 running on port 898.
What happens to the Solaris Management Console server when you
shut down either the Solaris Management Console or the Solaris
Management Console toolbox editor?
Shutting down either the Solaris Management Console or the Solaris
Management Console toolbox editor has no effect on the Solaris
Management Console server.
What happens to the Solaris Management Console or the Solaris
Management Console toolbox editor when you shut down the
Solaris Management Console server?
Shutting down the Solaris Management Console server prevents the Solaris
Management Console or the Solaris Management Console toolbox editor
from starting because you cannot open the toolbox.
3-69
Start opening the root toolbox on system1 by selecting Open from the
Toolbox menu. Click the Server Toolbox tab, and (single) click the
Management Tools from the list.
2.
http://system1:898/toolboxes/smc.tbx.
3.
On system1, select the Add Toolbox URL from the Action menu. (If
this menu choice is not available, single click the Management Tools
node in the left Navigation pane.)
How does the server toolbox selection differ from the local toolbox
selection?
A server toolbox means a computer where the Solaris Management Console
server is running, whereas a local toolbox means the computer from which
you started the Solaris Management Console toolbox editor.
2.
3.
4.
On system1, from the Toolboxes list, select the toolbox that contains
all of the management tools for managing the services and the
configuration of system2, and click Next.
What is the URL for this toolbox?
The URL for this toolbox is
http://system1:898/toolboxes/this_computer.tbx.
5.
3-70
7.
b.
Enter the name of the server where the file or name service
resides (system2), and click Finish.
How has the Solaris Management Console toolbox editor
display changed?
The Toolbox URL for the remote Solaris Management Console server
has been added to the local Solaris Management Console server root
toolbox.
2.
On system1, select the directory and file location of the root toolbox,
and click Save.
What is directory location of the root toolbox?
/var/sadm/smc/toolboxes/smc/smc.tbx
3-71
2.
3.
4.
2.
3.
4.
5.
On system1, enter a tool name and description that will enable you
to differentiate between the Disks tools for the local system and
those tools on the remote system, and click Next.
Where are the name and description fields used?
The name will be displayed in the Navigation pane of the Solaris
Management Console. If the tool is selected in the Navigation pane, it is
also displayed beneath the tools icon in the Information pane. The
description will be displayed in the Information pane if the tool is selected in
the View pane.
6.
3-72
On system1, click Use Tool Defaults, and click Next to use the
default tool icons. Authenticate with root password as appropriate.
8.
9.
10. On system1, enter the name of the server (system2) in the Server:
field and click Next.
11. On system1, select Load tool when selected option
What is the alternative to the Load tool when selected option?
The alternative to loading the tool when selected is to load the tool when the
toolbox is opened.
12. On system1, click Finish.
2.
Caution You must select the This Computer (default) toolbox during the
save operation to prevent writing over the Management Tools (root)
toolbox.
What are the current contents of the Storage folder?
The current contents of the Storage folder are:
Tool (com.sun.admin.fsmgr.client.VFsMgr)
Tool (com.sun.admin.diskmgr.client.VDiskMgr)
Tool (com.sun.admin.volmgr.client.VVolMgr)
Tool (com.sun.admin.diskmgr.client.VDiskMgr)
3.
Exit the Solaris Management Console editor (using the Exit option
on the Toolbox menu) and start only the Solaris Management
Console from the command line.
# smc &
3-73
2.
3.
3-74
4.
5.
On system1, log in because this is the first tool opened since reopening the Home Toolbox.
6.
7.
On system1, close the toolbox by clicking the turner icon next to the
This Computer system1 entry in the Navigation pane.
8.
Select Exit from the Console menu to exit the Solaris Management
Console.
Exercise Summary
Exercise Summary
!
?
Experiences
Interpretations
Conclusions
Applications
3-75
Module 4
The course map in Figure 4-1 shows how this module fits into the current
instructional goal.
Figure 4-1
Managing
Crash Dumps
and
Core Files
Configuring
NFS
Configuring
AutoFS
Course Map
4-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
Physical RAM
Physical memory refers to the actual RAM installed on a computer. When
working with swap space, RAM is the most critical resource in your
system. The amount of physical memory varies depending on the system
that runs the Solaris 10 OS. The code for each active process and any data
required by each process must be mapped into physical memory before
execution can take place.
4-2
Swap Space
While the amount of physical memory in a system is constant, the use of
the physical memory varies. Often processes conflict over which one gets
access to physical memory space. Sometimes a process must give up some
of its memory space allocation to another process. The process has some
of its pages in RAM paged out. Anonymous memory pages are placed in
a swap area, but unchanged file system pages are not placed in swap
areas, because file system data exists as permanent storage on the disk,
and can be removed from physical memory.
Swap Slices
The primary swap space on the system is a disk slice. In the Solaris 10 OS,
the default location for the primary swap space is slice 1 of the boot disk,
which by default, starts at cylinder 0. You can change the default location
during a custom installation. Each time you reboot the system, an entry in
the /etc/vfstab file determines the configuration of the swap partition.
As additional swap space becomes necessary, you can configure
additional swap slices. Plan your swap slice location carefully. If you have
additional storage space outside of the system disk, place the swap slice
on an additional drive to reduce the load on the system disk drive.
Swap Files
It is also possible to provide additional swap space on a system by using
swap files. Swap files are files that reside on a file system, and that have
been created using the mkfile command. These files might be useful in
some cases. For example, swap files are useful when additional swap
space is required, but there are no free disk slices and reslicing a disk to
add more swap is not a practical solution. Swap files can be permanently
included in the swap configuration by creating an entry for the swap file
in the /etc/vfstab file.
4-3
Swap Slice
Swap Space
Swap File
RAM
Figure 4-2
4-4
Swap Space
Paging
Paging is the transfer of selected memory pages between RAM and the
swap areas. When you page private data to swap spaces, physical RAM is
made available for other processes to use. If you need the pages that were
paged out, you can retrieve them (page them in) from swap and map
them back into physical memory. Moving these pages back into RAM
might require more paging (page outs) of other processs pages to make
room. Swapping is the movement of all modified data memory pages
associated with a process, between RAM and a disk.
Use the pagesize command to display the size of a memory page in
bytes. The default page size for the Solaris 10 OS is 8192 bytes.
# pagesize
8192
You can use the Multiple Page Size Support (MPSS) service to run legacy
applications with larger memory page sizes. Using larger page sizes can
significantly improve the performance of programs using large amounts
of memory. Large pages must be mapped to addresses that are multiples
of the page size. Use the pagesize command to display all supported
page sizes.
# pagesize -a
8192
65536
524288
4194304
Swapping does not typically occur in the Solaris OS. However, the
requirement within the Solaris OS to reserve swap space prior to
executing any process, makes it necessary that some amount of swap
space is available. The required amount of swap space varies from system
to system. The amount of available swap space must satisfy two criteria:
4-5
swap -s
Total Swap Allocation
Available
Arrow up:
Arrow down:
Figure 4-3
4-6
# swap -s
total: 41776k bytes allocated + 5312k reserved = 47088k used, 881536k
available
2.
# swap -l
swapfile
/dev/dsk/c0t0d0s1
Note There can be a discrepancy in available and free swap space size
between the swap -s and swap -l outputs. The swap -s output does
not take into account pre-allocated swap space that has not yet been used
by a process.
4-7
# vi /etc/vfstab
#device
device
#to mount
to fsck
...
2.
/dev/dsk/c1t3d0s1
3.
mount
point
FS
type
fsck
pass
mount
at boot
mount
options
swap
no
# swap -a /dev/dsk/c1t3d0s1
Note When the system is subsequently rebooted, the new swap slice
/dev/dsk/c1t3d0s1, is automatically included as part of the swap space
as a result of adding the entry to the /etc/vfstab file.
2.
# mkdir -p /usr/local/swap
3.
4-8
# swap -a /usr/local/swap/swapfile
5.
# swap -l
swapfile
dev swaplo blocks
free
/dev/dsk/c0t0d0s1
136,9
16 1048304 1048304
/usr/local/swap/swapfile 16 40944 40944
6.
# swap -s
total: 41672k bytes allocated + 5416k reserved = 47088k used, 901200k
available
7.
# vi /etc/vfstab
#device
device
#to mount
to fsck
...
/usr/local/swap/swapfile
mount
point
-
FS
type
-
swap
fsck
pass
-
mount
at boot
no
mount
options
-
# swap -d /dev/dsk/c1t3d0s1
2.
To prevent the swap slice from being configured as part of the swap
configuration during a reboot or change of run level, edit the
/etc/vfstab file, and remove the swap slice entry from the file.
4-9
# swap -d /usr/local/swap/swapfile
2.
# rm /usr/local/swap/swapfile
3.
To prevent the swap file from being configured as part of the swap
configuration during a reboot or change of run level, edit the
/etc/vfstab file, and remove the swap file entry.
Note The output of the df -h command shows the space used by the
swap file until it is removed.
4-10
4-11
Preparation
To prepare for this exercise:
All students use disk slice 1 on their systems for this exercise.
4-12
Slice
Size
Use
512 Mbytes
Swap/dump
900 Mbytes
20 Mbytes
20 Mbytes
Size
Use
3000 Mbytes
0 Mbytes
Unassigned
0 Mbytes
Unassigned
Tasks
Perform the following tasks:
4-13
Preparation
To prepare for this exercise:
All students use disk slice 1 on their systems for this exercise.
4-14
Slice
Size
Use
512 Mbytes
Swap/dump
900 Mbytes
20 Mbytes
20 Mbytes
Size
Use
3000 Mbytes
0 Mbytes
Unassigned
0 Mbytes
Unassigned
Task Summary
Perform the following tasks:
Tasks
To determine the amount of disk space used by a swapfs file system,
complete the following steps:
1.
4-15
3.
4.
5.
6.
Use the swap -l command to verify that the new swap space is
available.
_____________________________________________________________
7.
Use the swap -s command to verify that the new swap space is
available.
How does the output differ between the swap -l command and the
swap -s command?
_____________________________________________________________
8.
9.
Use the swap utility to verify that the swap space is no longer
available.
10. Add a disk partition as a swap slice to your existing swap space.
11. Add the new swap partition to the /etc/vfstab file to make the
partition permanent. To verify this change, you must reboot the
system.
12. After the reboot, verify that the additional swap space exists by
using the swap utility.
Is the newly listed swap partition the same as the one you added to
the /etc/vfstab file?
_____________________________________________________________
4-16
4-17
Preparation
To prepare for this exercise:
All students use disk slice 1 on their systems for this exercise.
4-18
Slice
Size
Use
512 Mbytes
Swap/dump
900 Mbytes
20 Mbytes
20 Mbytes
3000 Mbytes
Size
Use
0 Mbytes
Unassigned
0 Mbytes
Unassigned
Task Summary
Perform the following tasks:
# swap -s
total: 57840k bytes allocated + 6680k reserved = 64520k used, 637696k
available
What is the total number of bytes actually allocated and currently in
use?
57,840 Kbytes
What is the number of bytes allocated and not currently in use but
reserved by processes for possible future use?
6,680 Kbytes
What is the total amount of swap space, both allocated and reserved?
64,520 Kbytes
What is the total swap space currently available for future
reservation and allocation?
637,696 Kbytes
4-19
/dev/dsk/c0t0d0s1
How much total swap space is in the listed swap device?
1,049,312 blocks
How much space is available for the listed device?
1,049,312 blocks
3.
# df -h
Filesystem
/dev/dsk/c0t0d0s0
/devices
ctfs
proc
mnttab
swap
objfs
/dev/dsk/c0t0d0s6
fd
/dev/dsk/c0t0d0s3
swap
swap
/dev/dsk/c0t0d0s7
size
883M
0K
0K
0K
0K
623M
0K
3.0G
0K
1.8G
623M
623M
441M
used
109M
0K
0K
0K
0K
368K
0K
2.4G
0K
94M
104K
304K
1.0M
avail capacity
721M
14%
0K
0%
0K
0%
0K
0%
0K
0%
623M
1%
0K
0%
568M
82%
0K
0%
1.7G
6%
623M
1%
623M
1%
396M
1%
Mounted on
/
/devices
/system/contract
/proc
/etc/mnttab
/etc/svc/volatile
/system/object
/usr
/dev/fd
/var
/var/run
/tmp
/export/home
Does the /usr file system have sufficient space to add 20 Mbytes of
swap space?
Yes
4.
# mkdir -p /usr/local/swap
5.
4-20
Use the swap -l command to verify that the new swap space is
available.
# swap -l
swapfile
dev swaplo blocks
free
/dev/dsk/c0t0d0s1
136,9
16 1049312 1049312
/usr/local/swap/swapfile 16 40944 40944
7.
Use the swap -s command to verify that the new swap space is
available.
# swap -s
total: 47336k bytes allocated + 6136k reserved = 53472k used, 660552k
available
How does the output differ between the swap -l command and the
swap -s command?
The swap -l command output is a listing of each space, whereas the
swap -s command output only produces a cumulative report.
8.
# swap -d /usr/local/swap/swapfile
# rm /usr/local/swap/swapfile
9.
Use the swap utility to verify that the swap space is no longer
available.
# swap -l
swapfile
dev swaplo blocks
free
/dev/dsk/c0t0d0s1
136,9
16 1049312 1049312
# swap -s
total: 47408k bytes allocated + 6064k reserved = 53472k used, 640056k
available
10. Add a disk partition as a swap slice to your existing swap space.
# swap -a /dev/dsk/c#t#d#s1
11. Add the new swap partition to the /etc/vfstab file to make the
partition permanent. To verify this change, you must reboot the
system.
# vi /etc/vfstab
(add entry that matches your configuration)
/dev/dsk/c#t#d#s1 - swap - no # init 6
4-21
13. Verify the additional swap space exists using the df -h command.
Why is the newly created swap space listed in the /etc/vfstab file
not listed in the output of the df -h command?
The df -h output does not produce an entry for the additional swap utility
devices, however the added swap space is reflected in the total swap space.
14. To return the system to its initial swap configuration, remove the
additional swap space using the swap -d command.
# swap -d /dev/dsk/c#t#d#s1
15. So that the system maintains its initial swap configuration after
rebooting, remove the additional swap space entry from the
/etc/vfstab file.
# vi /etc/vfstab
16. Verify that the additional swap space was unconfigured using the
swap -l command.
# swap -l
swapfile
/dev/dsk/c0t0d0s1
4-22
Exercise Summary
Exercise Summary
!
?
Experiences
Interpretations
Conclusions
Applications
4-23
Module 5
The course map in Figure 5-1 shows how this module fits into the current
instructional goal.
Figure 5-1
Managing
Crash Dumps
and
Core Files
Configuring
NFS
Configuring
AutoFS
Course Map
5-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
Note Within the crash dump directory, a file named bounds is created.
The bounds file holds a number that is used as a suffix for the next dump
to be saved.
5-2
kernel pages
/dev/dsk/c0t0d0s1 (swap)
/var/crash/sys-02
yes
5-3
-u
-y
-c content-type
-d dump-device
5-4
-m mink
-m minm
-m min%
-s savecore-dir
5-5
Core Files
A core file is a point-in-time copy (snapshot) of the RAM allocated to a
process. The copy is written to a more permanent medium, such as a hard
disk. A core file is useful in analyzing why a particular program crashed.
A core file is also a disk copy of the address space of a process, at a certain
point-in-time. This information identifies items, such as the task name,
task owner, priority, and instruction queue, in execution at the time that
the core file was created.
When a core file occurs, the operating system generates two possible
copies of the core files, one copy known as the global core file and the
other copy known as the per-process core file. Depending on the system
options in effect, one file, both files, or no files can be generated. When
generated, a global core file is created in mode 600 and is owned by the
superuser. Non-privileged users cannot examine files with these
permissions.
Ordinary per-process core files are created in mode 600 under the
credentials of the process. The owner of the process can examine files with
these permissions.
5-6
default
core
default
disabled
enabled
disabled
disabled
disabled
Note The line numbers in the example are not part of the configuration.
They are part of the example only to assist with the following description
of the file.
Line 1 of the output identifies the name to use for core files placed in a
global directory.
Line 2 of the output identifies that the content of core files is the default
setting. The resultant core file contains all the process information
pertinent to debugging.
Line 3 of the output identifies the default name that per-process core files
must use. This name is set for the init process, meaning it is inherited by
all other processes on the system.
Line 4 of the output indicates that the init core file content is the default
content structure.
Line 5 indicates that global core files are disabled.
Line 6 indicates that core file generation in the current working directory
of a process is enabled.
Line 7 indicates that generation of global core files with setuid or setgid
permissions are disabled.
5-7
5-8
5-9
5-10
-i pattern
-e option
-d option
-u
-g pattern
-G content
A core file named pattern is a file system path name with embedded
variables. The embedded variables are specified with a leading percent (%)
character. The operating system expands these variables from values in
effect when the operating system generates a core file. The possible
variables are listed in Table 5-1.
Table 5-1 Pattern Options for the coreadm Command
Option
Meaning
%p
PID
%u
%g
%f
%n
%m
%t
%d
%z
Zonename
%%
Literal %
5-11
Note The $$ variable is the PID of the currently running shell. The
per-process core file name pattern is inherited by all child processes.
Example 2 Dumping a Users Core Files Into a Subdirectory
The following command places all of the users core files into the
corefiles subdirectory of the users home directory, differentiated by
the system node name. This example is useful for users who use many
different systems, but share a single home directory across multiple
systems.
$ coreadm -p $HOME/corefiles/%n.%f.%p $$
Example 3 Enabling and Setting the Core File Global Name Pattern
The following is an example of setting system-wide parameters that add
the executable file name and PID to the name of any core file that is
created:
# coreadm -g /var/core/core.%f.%p -e global
For example, the core file name pattern /var/core/core.%f.%p causes
the xyz program with PID 1234 to generate the core file
/var/core/core.xyz.1234.
Note In the above coreadm examples, the corefiles file and the core
directory must be created manually. The coreadm command does not
create them automatically.
5-12
/var/core/core.%f.%p
default
core
default
enabled
enabled
disabled
disabled
disabled
default
Only the owner of a process or the superuser can query a process by using
the coreadm command with a list of PIDs.
Example 5 Setting up the System to Produce Core Files in the Global
Repository only if the executables were run from /usr/bin or
/usr/sbin
# mkdir -p /var/core/usr/bin
# mkdir -p /var/core/usr/sbin
# coreadm -G all -g /var/core/%d/%f %p %n
When using the all option in the previous command, examples of the
core file content include:
anon = anonymous private maps
data = writable private file mapping
stack = process stack
symtab = symbol table sections for loaded object files
5-13
5-14
Preparation
To prepare for this exercise, refer to the material in the module.
Partitioning of the second disk in the previous module is a prerequisite to
this lab.
Tasks
Perform the following tasks:
5-15
Preparation
To prepare for this exercise, refer to the material in the module.
Partitioning of the second disk in the previous module is a prerequisite to
this lab.
Task Summary
In this exercise, you perform the following tasks:
5-16
Tasks
Perform the following tasks.
2.
3.
4.
5.
Force the kernel to save a live snapshot of the running system and
write out a new set of crash dump files by using the savecore -L
command.
6.
Make sure the crash dump succeeded by using the file command
on the files of the savecore directory.
2.
Create the core file directory, and enable a global core file path.
3.
4.
5-17
6.
7.
Run the ps command to get the PID of the new shell, and send a
SIGFPE signal (Signal 8) to the new shell by using the kill
command. (The SIGFPE signal forces a core file.)
Note The kill -8 command terminates the shell and the terminal
window in which it is executed.
8.
9.
10. Observe the messages generated in the console window and the
/var/adm/messages file due to coreadm logging being enabled.
5-18
Preparation
To prepare for this exercise, refer to the material in the module.
Partitioning of the second disk in the previous module is a prerequisite to
this lab.
Task Summary
Perform the following tasks:
5-19
2.
# dumpadm
Dump content: kernel pages
Dump device: /dev/dsk/c0t0d0s1 (swap)
The savecore directory: /var/crash/sys42
Is savecore enabled? Yes
3.
Use the dumpadm command to change the dump device to the second
disk drive slice 5.
# dumpadm -d /dev/dsk/c#t#d#s5
4.
5.
Force the kernel to save a live snapshot of the running system and
write out a new set of crash dump files by using the savecore -L
command.
6.
Make sure the crash dump succeeded by using the file command
on the files of the savecore directory.
# sync
# savecore -L
5-20
# coreadm
global
global
init
init
default
core
default
disabled
enabled
disabled
disabled
disabled
Create the core file directory, and enable a global core file path.
# mkdir /var/core
# coreadm -e global -g /var/core/core.%f.%p
3.
# coreadm -e log
4.
# coreadm
global
global
init
init
/var/core/core.%f.%p
default
core
default
enabled
enabled
disabled
disabled
enabled
# mkdir /var/tmp/dir
# cd /var/tmp/dir
5-21
7.
Run the ps command to get the PID of the new shell, and send a
SIGFPE signal (Signal 8) to the new shell by using the kill
command. (SIGFPE forces a core file.)
# pwd
/var/tmp/dir
# ps
PID
507
570
# kill
TTY
pts/2
pts/2
-8 PID
TIME CMD
0:00 ksh
0:00 ps
Note The kill -8 command terminates the shell and the terminal
window in which it is executed.
8.
# cd /var/tmp/dir
# ls
core
# file core
core:
ELF 32-bit MSB core file SPARC Version 1, from sh
9.
# ls /var/core
core.ksh.507
10. Observe the messages generated in the console window and the
/var/adm/messages file due to coreadm logging being enabled.
# tail /var/adm/messages
...
Nov 3 21:17:26 sys-02 savecore: [ID 748169 auth.error] saving system
crash dump in /var/crash/sys-02/*.0
Nov 3 21:22:24 sys-02 genunix: [ID 603404 kern.notice] NOTICE: core_log:
ksh[507] core dumped: /var/core/core.ksh.507
5-22
Exercise Summary
Exercise Summary
!
?
Experiences
Interpretations
Conclusions
Applications
5-23
Module 6
Configuring NFS
Objectives
The Network File System (NFS) is a client-server service that lets users
view, store, and update files on a remote computer as though they were
on the their own local computer.
Upon completion of this module, you should be able to:
The course map in Figure 6-1 shows how this module fits into the current
instructional goal.
Figure 6-1
Managing
Crash Dumps
and
Core Files
Configuring
NFS
Configuring
AutoFS
Course Map
6-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
Allows multiple computers to use the same files, because all users on
the network can access the same data
Provides data consistency and reliability, because all users can read
the same set of files
6-2
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-3
NFS server
NFS client
6-4
NFS Server
The NFS server contains file resources shared with other systems on the
network. A computer acts as a server when it makes files and directories
on its hard disk available to the other computers on the network.
NFS Server Configuration shows how files and directories on an NFS
server are made available to NFS clients. The NFS server is sharing the
/export/rdbms directory over NFS, as shown in Figure 6-2.
NFS Server (Host 1)
/
NFS server
shares disk
storage with
NFS client.
export
opt
rdbms
rdbms
Shared
Directories and
Disk Storage
bin
lib
share
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-5
NFS Client
The NFS client system mounts file resources shared over the network and
presents the file resources to users as if they were local files.
NFS Client Configuration shows how an NFS client uses the files and
directories shared by an NFS server. The /export/rdbms directory, shared
by the NFS server, is mounted on the NFS client on the /opt/rdbms
mount point. The resource mount point exists on the NFS client, and the
NFS server shares the file resources with other computers on the network,
as shown in Figure 6-3.
NFS Server (Host 1)
/
NFS server
shares disk
storage with
NFS client.
export
opt
rdbms
rdbms
Shared
Directories and
Disk Storage
bin
lib
share
6-6
NFSv4
The Solaris 10 OS includes NFSv4 in addition to NFSv3 and NFSv2.
NFSv4 includes features that were not in the previous versions of NFS.
These features include the following:
Stateful connections.
Pseudo file systems which ensure the NFS client has seamless access
to all exported objects on the server and that portions of a server file
system that are not explicitly exported are not visible to the client.
Figure 6-4 on page 6-7 shows an example.
Strong security.
Extended attributes
Delegation. In the Solaris 10 NFSv4 release, the NFS server can hand
over delegation of management of a shared file to the client
requesting that file. It is the server that decides whether or not to
apply delegation. By delegating read or write management control to
the client, this can greatly reduce the amount of network traffic that
would otherwise be caused by clients making requests of the server
for the current state of a shared file.
Server exports:
/export_fs/local
/export_fs/projects/nfs4
export_fs
local
projects
nfs4x
Exported directories
export_fs
payroll
local
projects
nfs4
Figure 6-4
nfs4
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-7
6-8
File
Description
/etc/dfs/dfstab
/etc/dfs/sharetab
/etc/dfs/fstypes
/etc/rmtab
/etc/nfs/nfslog.conf
/etc/default/nfslogd
/etc/default/nfs
/usr/local/data
/rdbms_files
ro
Shared data files
ro,root=sys01
Database files
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-9
6-10
Description
NFSv4
mountd
No
nfsd
Yes
statd
No
lockd
No
nfslogd
No
nfsmapid
Yes
In NFSv4, the features provided by the mountd and lockd daemons are
integrated into the NFSv4 protocol. This reduces the number of daemons
required on the server and makes the NFS server implementation and
management easier.
In NFSv2 and NFSv3, the mount protocol is implemented by the separate
mountd daemon which did not use an assigned, well-known port
number. This made it very hard to use NFS through a firewall. INFSv4
includes the mount protocol and uses the well-known port number 2049
which improves support for NFS use through a firewall.
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-11
6-12
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-13
6-14
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-15
6-16
Commands
Description
share
unshare
shareall
unshareall
dfshares
dfmounts
-o options
-d description
pathname
Note Unless you specify an option to the share command, for example,
-F nfs, the system uses the file system type from the first line of the
/etc/dfs/fstypes file.
To share a file resource from the command line, you can use the share
command. For example, to share the /usr/local/data directory as a
read-only shared resource, perform the command:
# share -o ro /usr/local/data
By default, NFS-mounted resources are available with read and write
privileges based on standard Solaris OS file permissions. Access decisions
are based on a comparison of the user ID (UID) of the client and the
owner.
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-17
Definitions
ro
rw
Allows the server to accept read and write requests from the
client
root=client
Informs clients that the root user on the specified client system or
systems can perform superuser-privileged requests on the shared
resource
ro=access-list
rw=access-list
Allows read and write requests from the specified access list, as
shown in Table 6-5
Description
access-list=client:client
access-list=@network
access-list=.domain
access-list=netgroup_name
anon=n
6-18
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-19
# share
-
/usr/local/data
ro
"Shared data files"
/rdbms_files
rw,root=sys01
"Database files"
pathname
SERVER ACCESS
sys-02 -
TRANSPORT
-
SERVER ACCESS
sys-01 -
TRANSPORT
-
SERVER PATHNAME
sys-02 /usr/local/data
CLIENTS
sys-03
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-21
Description
/etc/vfstab
/etc/mnttab
/etc/dfs/fstypes
/etc/default/nfs
6-22
mount
point
/usr/remote_data
FS
fsck
type pass
nfs
mount
mount
at boot options
yes
soft,bg
Description
statd
lockd
nfs4cbd
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-23
6-24
Description
dfshares
mount
umount
mountall
umountall
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-25
SERVER ACCESS
sys-02 sys-02 -
TRANSPORT
-
-o options
server:pathname
mount_point
Use the mount command to access a remote file resource. For example:
# mount sys-02:/rdbms_files /rdbms_files
6-26
umount /rdbms_files
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-27
Note Use the -F FSType with the mountall and umountall commands
to specify FSType as the file system type. You do not have to specify the
-F nfs option, because NFS is listed as the default remote file system
type.
mount
point
/usr/remote_data
FS
fsck
type pass
nfs
mount
mount
at boot options
yes
soft,bg
6-28
device to
mount
The name of the server and the path name of the remote
file resource. The server host name and share name are
separated by a (:).
device to
fsck
mount
point
FS type
fsck pass
mount
options
Note If the /etc/vfstab file contains the file resource, the superuser
can specify either server:pathname or mount_point on the command
line, because the mount command checks the /etc/vfstab file for more
information.
Table 6-9 The mount Command Options
Option
Description
rw|ro
bg|fg
soft|hard
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-29
Description
intr|nointr
6-30
suid|nosuid
timeo=n
retry=n
retrans=n
Converts the raw data from the logging operation into ASCII
records, and stores the raw data in ASCII log files.
Maps the file handles to path names, and records the mappings in a
file-handle-to-path mapping table. Each tag in the
/etc/nfs/nfslog.conf file corresponds to one mapping table.
Note If the nfslogd daemon is not running, changes are not tracked to
the mappings in the file-handle-to-path table.
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-31
defaultdir=/var/nfs \
log=nfslog fhtable=fhtable buffer=nfslog_workbuffer
Use the following parameters with each tag, as needed:
6-32
defaultdir=dir_path
log=logfile_path
fhtable=table_path
buffer=
bufferfile_path
logformat=
basic|extended
Specifies the format when creating userreadable log files. The basic format produces a
log file similar to the FTPdaemon. The
extended format gives a more detailed view.
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-33
Become superuser.
2.
Edit the default settings for all file systems by changing the data
corresponding to the global tag.
To share file systems using NFS server logging, you must first enable
NFS server logging. Edit the /etc/dfs/dfstab file to add an entry
for file systems for which you want to enable NFS server logging.
Either:
Specify a tag by entering the tag to use with the log=tag option
in the /etc/dfs/dfstab file.
Use the log option without specifying a tag, which causes the
option to use the global tag as a default. The following
example uses the default settings in the global tag:
Run the share command to verify that the correct options are listed.
/export/sys44_data
6.
ro,log
""
# shareall
6-34
Description
IDLE_TIME
MIN_PROCESSING_SIZE
Sets the minimum number of bytes that the buffer file must
reach before processing and writing to the log file. The default
value is 524,288 bytes. Increasing this number can improve
performance by reducing the number of times that the buffer
file is processed.
The MIN_PROCESSING_SIZE and the IDLE_TIME parameters
determine how often the buffer file is processed.
UMASK
Specifies the permissions for the log files set by the nfslogd
daemon. The default value is 0137.
CYCLE_FREQUENCY
Determines the time that must pass before the log files are
cleared. The default value is 24 hours. Use the
CYCLE_FREQUENCY parameter to prevent the log files from
becoming too large.
MAX_LOGS_PRESERVE
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-35
Managing NFS With the Solaris Management Console Storage Folder Tools
Note The following steps display the contents of the Shared folder
within the Mounts and Shares tool.
2.
Click the turner icon to display the default toolbox called This
Computer (nfs_servername).
3.
Note When you access a tool for the first time, after opening the Solaris
Management Console, log in to the Solaris Management Console to
authenticate your access rights.
4.
6-36
Click the turner icon to display the Mounts and Shares tool.
Managing NFS With the Solaris Management Console Storage Folder Tools
5.
Click the Shares icon to display the currently shared resources from
the Shares folder.
The Shared folder opens. The remaining steps add a shared directory
to the list of shared resources.
6.
7.
8.
9.
2.
b.
b.
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-37
Managing NFS With the Solaris Management Console Storage Folder Tools
Note The following steps display the contents of the Mounts folder
within the Mounts and Shares tool.
2.
Click the turner icon to display the default toolbox that is labeled as
This Computer (nfs_clientname).
3.
4.
Click the Mount and Share icon to display the Mounts and Shares
tool.
5.
Click the turner icon to display the Mounts and Shares tool.
6.
7.
To start the Add NFS Mount wizard, select the Add NFS Mount field
from the Action menu.
8.
To identify the computer sharing the directory, enter the name of the
NFS server in the Computer field.
9.
To specify the mount point, enter the name of the NFS client
directory that will contain the contents of the shared directory.
If the mount point directory does not exist on the NFS client, you
must create it.
6-38
Managing NFS With the Solaris Management Console Storage Folder Tools
12. Review your NFS mount selections:
a.
b.
If you are satisfied with your selections, click Finish to add the
NFS mount point.
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-39
The hosts database file that supports the client has the correct server
node, but the server node temporarily stops due to an overload.
To solve the rpcbind failure error condition when the server node is
operational, determine if the server is out of critical resources (for
example, memory, swap, or disk space).
6-40
The network between the local system and the server is down. To
verify that the network is down, enter the ping command
(ping server2).
To interrupt the failed client node press Stop-A, and boot the client
into single-user mode.
2.
3.
To continue booting to the default run level (normally run level 3),
press Control-D.
4.
5.
After you resolve problems with the NFS servers, remove the
comments from the /etc/vfstab file.
6-41
2.
6-42
1.
2.
3.
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-43
6-44
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-45
Preparation
Choose a partner for this lab. Determine which systems to configure as
the NFS server and the NFS client. Verify that entries for both systems
exist in the /etc/hosts file on both systems. Refer to your lecture notes
as necessary to perform the following steps.
Tasks
Perform the following tasks:
6-46
share
dfshares
dfmounts
On the NFS client, record the default options used for the NFS
mount. Unmount the /usr/share/man file, and verify the list of
remote mounts the server is providing.
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-47
Preparation
Choose a partner for this lab. Determine which systems to configure as
the NFS server and the NFS client. Verify that entries for both systems
exist in the /etc/hosts file on both systems. Refer to your lecture notes
as necessary to perform the following steps.
Task Summary
Perform the following tasks:
6-48
share
dfshares
dfmounts
On the NFS client, record the default options used for the NFS
mount. Verify the list of mounts that the server provides. Unmount
the /usr/share/man file, and verify the list of remote mounts the
server is providing.
Tasks
Complete the following tasks.
2.
3.
2.
3.
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-49
5.
Verify and record the default ro | rw options used for this mount.
_____________________________________________________________
6.
7.
Observe the list of remote mounts from the server. Unmount the
/usr/share/man directory, and verify the list of remote mounts
from the server.
2.
6-50
2.
2.
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-51
Preparation
Choose a partner for this lab. Determine which systems to configure as
the NFS server and the NFS client. Verify that entries for both systems
exist in the /etc/hosts file on both systems. Refer to your lecture notes
as necessary to perform the following steps.
Task Summary
Perform the following tasks:
6-52
share
dfshares
dfmounts
On the NFS client, record the default options used for the NFS
mount. Verify the list of mounts that the server provides. Unmount
the /usr/share/man file, and verify the list of remote mounts the
server is providing.
share -o ro /usr/share/man
2.
svc:/network/nfs/cbd:default
svc:/network/nfs/client:default
svc:/network/nfs/status:default
svc:/network/nfs/nlockmgr:default
svc:/network/nfs/mapid:default
svc:/network/nfs/rquota:default
svc:/network/nfs/server:default
""
# dfshares
RESOURCE
server:/usr/share/man
SERVER
server
ACCESS
-
TRANSPORT
-
# dfmounts
There is no output for the dfmounts command.
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-53
# mv /usr/share/man /usr/share/man.orig
# man ls
What message does the man command report?
No manual entry for ls.
2.
# cd /usr/share
# mkdir man
3.
svc:/network/nfs/rquota:ticlts
svc:/network/nfs/rquota:udp
svc:/network/nfs/server:default
svc:/network/nfs/cbd:default
svc:/network/nfs/mapid:default
svc:/network/nfs/status:default
svc:/network/nfs/nlockmgr:default
svc:/network/nfs/client:default
# man ls
Are the man pages available?
Yes
6.
Verify and record the default ro | rw options used for this mount.
# mount
The ro | rw option for the mount command is read/write (rw) by
default.
6-54
# touch /usr/share/man/test
touch: /usr/share/man/test cannot create
What is the result of trying to write to the NFS-mounted file system?
You cannot write to the file system.
What conclusion can be reached by this exercise?
Even though the file system mount is read/write, by default, the actual
ro | rw permission is read-only, as defined when the directory was shared
on the NFS server.
8.
Observe the list of remote mounts from the server. Unmount the
/usr/share/man directory, and verify the list of remote mounts
from the server.
# dfmounts server
# umount /usr/share/man
# dfmounts server
No output from the dfmounts command indicates that there are no clients
mounting the file systems from the server. (This output still shows the
mount.)
2.
# unshareall
# shareall
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-55
2.
# unshareall
# cd /usr/share
# rmdir man
# mv man.orig man
2.
# man ls
6-56
Exercise Summary
Exercise Summary
!
?
Experiences
Interpretations
Conclusions
Applications
Configuring NFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
6-57
Module 7
Configuring AutoFS
Objectives
The AutoFS file system provides a mechanism for automatically mounting
NFS file systems on demand and for automatically unmounting these file
systems after a predetermined period of inactivity. The mount points are
specified using local or distributed automount maps.
Upon completion of this module, you should be able to:
The course map in Figure 7-1 shows how this module fits into the current
instructional goal.
Figure 7-1
Managing
Crash Dumps
and
Core Files
Configuring
NFS
Configuring
AutoFS
Course Map
7-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
7-2
RAM
AutoFS
automount -v
Automount Maps
automountd
Master map
Direct map
Indirect map
Special map
Figure 7-2
Configuring AutoFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
7-3
7-4
NFS Client
"venues"
etc
auto_master
/net
/home
/-
-hosts
[options]
auto_home
[options]
auto_direct [options]
auto_direct
/opt/moreapps pluto: /export/opt/apps
auto_home
Ernie
Mary
Figure 7-3
mars:/export/home/ernie
mars:/export/home/mary
Master map Lists the other maps used for establishing the AutoFS
file system. The automount command reads this map at boot time.
Direct map Lists the mount points as absolute path names. This
map explicitly indicates the mount point on the client.
Indirect map Lists the mount points as relative path names. This
map uses a relative path to establish the mount point on the client.
Configuring AutoFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
7-5
-nosuid,nobrowse
-nobrowse
The general syntax for each entry in the auto_master map is:
mount point
map name
mount options
where:
mount point
7-6
map name
mount options
Note The plus (+) symbol at the beginning of the +auto_master line in
this file directs the automountd daemon to look at the NIS, NIS+, or
LDAP databases before it reads the rest of the map. If this line is
commented out, only the local files are searched unless the
/etc/nsswitch.conf file specifies that NIS, NIS+, or LDAP should be
searched.
Configuring AutoFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
7-7
The auto_home
map
7-8
-nosuid,nobrowse
-nobrowse
-ro
Configuring AutoFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
7-9
key
The full path name of the mount point for the direct
maps.
mount-options
location
The following direct map entry specifies that the client mounts the
/usr/share/man directory as read-only from the servers server3,
server4, or server5, as available.
/usr/share/man
-ro
server3,server4,server5:/usr/share/man
7-10
-nosuid,nobrowse
-nobrowse
key
[ mount-options ]
location
Configuring AutoFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
7-11
key
mount-options
location
NFS Server
NFS Client
"mars"
"venus"
export
home
etc
mary
auto_home
home
ernie
mary
autofs
Mount on Demand
by
Figure 7-4
automountd
7-12
server1:/export/home/&
Figure 7-5
-v
You can modify the master map entries or add entries for new maps.
However, you must run the automount command to make these changes
effective.
You do not have to stop and restart the automountd daemon after making
changes to existing entries in a direct map, because the daemon is
stateless. You can modify existing entries in the direct map at any time.
The new information is used when the automountd daemon next accesses
the map entry to perform a mount.
Configuring AutoFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
7-13
Automount Map
master map
Yes
Yes
Direct map
Yes
No
Indirect map
No
No
special
mount_point
fstype
options
time
where:
7-14
special
mount_point
fstype
options
time
Configuring AutoFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
7-15
7-16
Configuring AutoFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
7-17
Preparation
Choose a partner for this lab, and determine which system will be
configured as the NFS server and which will serve as the NFS client.
Verify that entries for both systems exist in the /etc/hosts file of each
system. Refer to the lecture notes as necessary to perform the steps listed.
Tasks
Perform the following tasks:
7-18
Create a new, identical user on both the server and client that uses
/export/home/username for the users home directory. On both
systems, make the changes required in the /etc/passwd file to set
the home directory for this new user to the /home/username
directory.
Preparation
Choose a partner for this lab, and determine which system will be
configured as the NFS server and which will serve as the NFS client.
Verify that entries for both systems exist in the /etc/hosts file of each
system. Refer to the lecture notes as necessary to perform the steps listed.
Task Summary
Perform the following tasks:
Create a new, identical user on both the server and client that uses
/export/home/username for the users home directory. On both
systems, make the changes required in the /etc/passwd file to set
the home directory for this new user to the /home/username
directory.
Configuring AutoFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
7-19
Tasks
Complete the following tasks.
Edit the /etc/dfs/dfstab file, and add a line to share the man
pages.
2.
2.
3.
4.
5.
7-20
2.
3.
Primary group: 10
Login shell:/bin/ksh
Configure the password mechanism for usera so that this user must
assign a new password (123pass) at next login. Do this by executing
the passwd -f usera command.
2.
3.
Primary group: 10
Configure the password mechanism for usera so that this user must
assign a new password (123pass) at next login. Do this by executing
the passwd -f usera command.
Configuring AutoFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
7-21
username
1.
Edit the /etc/passwd file, and change the home directory for usera
from the /export/home/usera directory to /home/usera.
2.
server:/export/home/usera
2.
On the server?
________________________________________________________
On the client?
________________________________________________________
7-22
2.
3.
4.
5.
2.
3.
Configuring AutoFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
7-23
Preparation
Choose a partner for this lab, and determine which system will be
configured as the NFS server and which will serve as the NFS client.
Verify that entries for both systems exist in the /etc/hosts file of each
system. Refer to the lecture notes as necessary to perform the steps listed.
Task Summary
Perform the following tasks:
7-24
Create a new, identical user on both the server and client that uses
/export/home/username for the users home directory. On both
systems, make the changes required in the /etc/passwd file to set
the home directory for this new user to the /home/username
directory.
Edit the /etc/dfs/dfstab file, and add a line to share the man
pages.
share -o ro /usr/share/man
2.
# shareall
# cd /usr/share/
# mv man man.orig
Configuring AutoFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
7-25
# cp /etc/auto_master /etc/_auto_master
# vi /etc/auto_master
/auto_direct
3.
# vi /etc/auto_direct
server:/usr/share/man
/usr/share/man
4.
5.
# automount -v
# man ls
<-- output from man command -- >
# mount | grep man
/usr/share/man on sys44:/usr/share/man
remote/read/write/setuid/dev=42c0003 on Thu Jan 6 08:07:26 2005
What did you observe to indicate that the automount operation was
successful?
This operation should automatically mount the directory in which the
manuals are stored. In other words, the man command should work.
# ls /export/home
# mkdir /export/home
7-26
Primary group: 10
Login shell:/bin/ksh
Configure the password mechanism for usera so that this user must
assign a new password (123pass) at next login. Do this by executing
the passwd -f usera command.
Verify that the /export/home directory exists. If it does not, create it.
# ls /export
# mkdir /export/home
2.
Primary group: 10
Configure the password mechanism for usera so that this user must
assign a new password (123pass) at next login. Do this by executing
the passwd -f usera command.
Configuring AutoFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
7-27
Edit the /etc/passwd file, and change the home directory for usera
from the /export/home/usera directory to /home/usera.
# vi /etc/passwd
2.
username
server:/export/home/usera
# cp /etc/auto_home /etc/_auto_home
share /export/home
2.
# shareall
7-28
On the server?
The /home/username directory is mounted on the
/export/home/username directory.
On the client?
The /home/username directory is mounted on the
server:/export/home/username directory.
2.
3.
4.
# init 6
# rmdir /usr/share/man
5.
# mv /usr/share/man.orig /usr/share/man
Configuring AutoFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
7-29
2.
3.
# unshareall
7-30
Exercise Summary
Exercise Summary
!
?
Experiences
Interpretations
Conclusions
Applications
Configuring AutoFS
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
7-31
Module 8
Describe RAID
The course map in Figure 8-1 shows how this module fits into the current
instructional goal.
Figure 8-1
Configuring
Solaris
Volume
Manager
Software
Course Map
8-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
Introducing RAID
Introducing RAID
RAID is a classification of methods to back up and to store data on
multiple disk drives. There are six levels of RAID as well as a
non-redundant array of independent disks (RAID 0). The Solaris Volume
Manager software uses metadevices, which are product-specific
definitions of logical storage volumes, to implement RAID 0, RAID 1,
RAID 1+0 and RAID 5:
RAID 0
RAID-0 volumes, including both stripes and concatenations, are
composed of slices and let you expand disk storage capacity. You can
either use RAID-0 volumes directly or use the volumes as the building
blocks for RAID-1 volumes (mirrors). There are two types of RAID-0
volumes:
8-2
Introducing RAID
Concatenated Volumes
Figure 8-2 shows that in a concatenated RAID 0 volume, data is organized
across disk slices, forming one logical storage unit.
RAID 0
(Concatenation)
Logical Volume
Physical
Slice A
Physical
Solaris Volume
Slice B
Manager
Physical
Slice C
Figure 8-2
RAID-0 Concatenation
8-3
Introducing RAID
The default behavior of concatenated RAID-0 volumes is to fill a physical
component within the volume before beginning to store data on
subsequent components within the concatenated volume. However, the
default behavior of UFS file systems within the Solaris OS is to distribute
the load across devices assigned to the volume containing a file system.
This behavior makes it seem that concatenated RAID-0 volumes distribute
data across the components of the volume in a round-robin, interlaced
fashion.
This interlacing of data is a function of the UFS file system that is
mounted in the concatenated volume and is not a function of the
concatenated volume itself.
You can also use a concatenation to expand any active and mounted UFS
file system without having to bring down the system. The capacity of a
concatenation is the total size of all the slices in the concatenation.
8-4
Introducing RAID
Striped Volumes
Figure 8-3 shows the arrangement of a striped RAID-0 volume. A RAID 0
volume configured as a stripe arranges data across two or more slices.
Striping alternates equally-sized segments of data across two or more
slices, forming one logical storage unit. These segments are interleaved
round-robin, so that the combined space is created alternately from each
slice.
Physical
Physical
Physical
Slice A
Slice B
Slice C
Interlace 1
Interlace 2
Interlace 3
Interlace 4
Interlace 5
Interlace 6
Solaris Volume
Manager
Interlace 1
Interlace 2
Interlace 3
Interlace 4
Interlace 5
Interlace 6
RAID 0
(Stripe)
Logical Volume
Figure 8-3
RAID-0 Stripe
Striping enables parallel data access because data can be retrieved from
multiple disks at the same time. Parallel access increases input/output
(I/O) throughput because multiple disks in the volume are busy servicing
I/O requests simultaneously.
8-5
Introducing RAID
You cannot convert an existing file system directly to a stripe. You must
first back up the file system, create the stripe, and then restore the file
system to the stripe.
For sequential I/O operations on a stripe, the Solaris Volume Manager
software reads all the blocks in an interlace. An interlace is a grouped
segment of blocks on a particular slice. The Solaris Volume Manager
software then reads all the blocks in the interlace on the second slice, and
so on.
An interlace is the size of the logical data chunks on a stripe. Depending
on the application, different interlace values can increase performance for
your configuration. The performance increase comes from several disk
head-arm assemblies (HDAs) concurrently executing I/O operations.
When the I/O request is larger than the interlace size, you might get
better performance.
When you create a stripe, you can set the interlace value. After you create
the stripe, you cannot change the interlace value. You could back up the
data on it, delete the stripe, create a new stripe with a new interlace value,
and then restore the data.
RAID 1
RAID-1 volumes, also known as mirror volumes in the Solaris Volume
Manager software, are typically composed of RAID-0 volumes and
provide the advantage of data redundancy. The disadvantage is the
higher cost incurred by requiring two RAID-1 devices wherever a single
RAID-0 device is mirrored. Typical topics to be considered when
configuring mirrors are:
8-6
RAID 0+1
RAID 1+0
Introducing RAID
8-7
Introducing RAID
Submirror 1
Interlace 1
RAID 1
(Mirror)
Interlace 2
Logical Volume
Interlace 3
Interlace 4
Submirror 1
Submirror 2
Solaris Volume
Interlace 1
Interlace 2
Manager
Submirror 2
Int 1
Int 1
Int 2
Int 2
Int 3
Int 3
Int 4
Int 4
Interlace 3
Interlace 4
Figure 8-4
RAID-1 Mirror
The Solaris Volume Manager software makes duplicate copies of the data
located on multiple physical disks. The Solaris Volume Manager software
presents one virtual disk to the application. All disk writes are duplicated,
and disk reads come from one of the underlying submirrors. If the
submirrors are not of equal size, the total capacity of the mirror is limited
by the size of the smallest submirror.
8-8
Introducing RAID
RAID 0+1
In RAID-0+1 volumes, stripes are mirrored to each other. In a pure
RAID-0+1 configuration, the failure of one slice would cause the failure of
the whole submirror.
Figure 8-5 shows an example of a RAID-0+1 configuration. A failure in
slice A, B, or C causes a failure of the entire Submirror 1. A failure in slice
D, E, or F causes a failure of the entire Submirror 2. One failure in each
submirror of the RAID 0+1 mirror causes a failure of the entire mirror.
Physical
Physical
Physical
Physical
Physical
Physical
Slice A
Slice B
Slice C
Slice D
Slice E
Slice F
RAID 0
RAID 0
(Striped)
(Striped)
Volume
Volume
Submirror 2
Submirror 1
RAID 1
(Mirrored)
Figure 8-5
8-9
Introducing RAID
RAID 1+0
RAID-1+0 volumes consist of multiple mirrors striped together. RAID 1+0
provides greater data security, because a failure of a single physical disk
slice causes a failure for only one half of one of the submirrors, leaving
most of the configurations redundancy intact.
Figure 8-6 shows an example of a RAID-1+0 volume configuration.
This example consists of three slices. Each of these three slices mirrors
itself. The RAID 0 stripe can tolerate three simultaneous physical slice
failures, one in each RAID-1 mirror, before the entire RAID-0 stripe is
considered to have failed. This is a more fault-tolerant configuration, as
compared with the RAID-0+1 mirror. If both submirrors in any one of the
mirrors fail, one third of the data is lost, and the RAID-1+0 volume is also
considered failed.
Physical
Slice A
RAID 1
(Mirror)
Logical
Physical
Slice B
Volume
RAID 1
(Mirror)
Logical
Physical
Slice C
Volume
Physical
Physical
Slice D
Slice E
Slice F
RAID 0
(Striped)
Logical Volume
8-10
Logical
Volume
Physical
Figure 8-6
RAID 1
(Mirror)
Introducing RAID
Mirror Options
Mirror performance can be modified by using the following options:
Note The mirror options listed here are representative of the options
presented when configuring RAID-1 mirrors using the Solaris Volume
Manager software.
You can define mirror options when you initially create the mirror or after
you set up the mirror. You can distribute the load across the submirrors to
improve read performance. Table 8-1 describes the configurable mirror
read policies.
Table 8-1 Mirror Read Policies
Read Policy
Description
Geometric
First
Description
Parallel (Default)
Serial
8-11
Introducing RAID
When a submirror is offline, any writes to the mirror are tracked in a dirty
region log. When the submirror is brought back online, those regions
must be updated or resynchronized.
8-12
Mount the mirror device directly. Do not try and mount a submirror
directly, unless it is offline and mounted as read-only. Do not mount
a slice that is part of a submirror, or you might destroy data and
crash the system.
Introducing RAID
Use the swap -l command to check for all swap devices. Mirror the
slices specified as swap separately.
RAID 5
RAID-5 volumes are striped volumes that use a distributed parity scheme
for data protection. To fully understand RAID-5 volumes, you must
understand each of the following:
8-13
Introducing RAID
Figure 8-7 shows that the first three data interlaces are written to slices A,
B, and C. The next item written is parity to Drive D. The pattern of
writing data and parity results in both data and parity spread across all
disks in the RAID-5 volume. You can read each drive independently. The
parity protects against a single disk failure. In RAID-5 Distributed
Parity, if each disk were 2 Gbytes, the total capacity of the RAID-5
volume would be 6 Gbytes. Parity information occupies the space
equivalent to one drive.
Interlace 1
Physical
Slice A
RAID 5
Logical Volume
P(4-6)
Interlace 7
Interlace 1
Interlace 10
Interlace 2
Interlace 3
Interlace 2
Physical
Slice B
Interlace 4
Interlace 4
Interlace 5
P(7-9)
Interlace 6
Interlace 11
Solaris Volume
Interlace 3
Physical
Slice C
Manager
Interlace 7
Interlace 8
Interlace 5
Interlace 9
Interlace 8
Interlace 10
P(10-12)
Interlace 11
Interlace 12
P(1-3)
Physical
Slice D
Interlace 6
Interlace 9
Interlace 12
Figure 8-7
8-14
Introducing RAID
When you create a RAID-5 volume, you can define the interlace
value. If you do not specify a value, a default value of 16 Kbytes is
assigned.
A RAID-5 volume (with no hot spares) can only handle a single slice
failure.
8-15
Introducing RAID
Hardware Considerations
When planning your storage management configuration, keep in mind
that for any given application there are trade-offs in performance,
availability, and hardware costs. You might need to experiment with the
different variables to determine what works best for your configuration. A
few categories of information that you must address during the storage
planning phase are:
Storage Characteristics
When you classify storage characteristics, you provide guidelines for
working with the Solaris Volume Manager software RAID-0
(concatenation and stripe) volumes, RAID-1 (mirror) volumes, and
RAID-5 (striping with distributed parity) volumes.
While building your storage management plan, decide what types of
storage devices to use. The storage characteristics guidelines help you
compare and contrast the various storage mechanisms and also help you
choose the best storage device.
Note The storage mechanisms listed in Table 8-3 are not mutually
exclusive. You can use them in combination to meet multiple goals. For
example, you could create a RAID-1 volume for redundancy, and then
create soft partitions on it to increase the number of possible discrete file
systems.
Table 8-3 Choosing Storage Mechanisms
Feature
Redundant
data
8-16
RAID-0
Concatenation
RAID-0
Stripe
RAID-1
Mirror
RAID-5
Stripe With
Parity
No
No
Yes
Yes
Introducing RAID
Table 8-3 Choosing Storage Mechanisms (Continued)
RAID-5
Stripe With
Parity
RAID-0
Concatenation
RAID-0
Stripe
RAID-1
Mirror
Improved
read
performance
No
Yes
Depends
on the
underlying
device
Yes
Improved
write
performance
No
Yes
No
No
Feature
RAID 1
(Mirror)
RAID 5
Non-Redundant
Write operations
Faster
Slower
Neutral
Random read
Slower
Faster
Neutral
Hardware cost
Highest
Higher
Lowest
Performance
during failure
Best
Poor
Data loss
Striping performs well for large, sequential I/O and for random I/O
distributions.
8-17
Introducing RAID
RAID 5 writes are not as fast as mirrored writes, and mirrored writes
are not as fast as unprotected writes.
Performance Guidelines
When designing your storage configuration, consider the following
performance guidelines:
8-18
Identify the most frequently accessed data, and increase the access
bandwidth for that data with mirroring or striping.
For raw random I/O reads, the stripe and the RAID-5 volume are
comparable. Both the stripe and RAID-5 volume split the data across
multiple disks, and the RAID-5 volume parity calculations are not a
factor in reads, except after a component failure.
In some instances, the Solaris Volume Manager software can also improve
I/O performance.
Logical Volume
The Solaris Volume Manager software uses virtual disks called logical
volumes to manage physical disks and their associated data. Historically,
a logical volume is functionally identical to a physical slice. However, a
logical volume can span multiple disk members. The Solaris Volume
Manager software converts I/O requests directed at a volume into I/O
requests to the underlying member disks.
You can create the Solaris Volume Manager software volumes from slices
(disk partitions) or from other Solaris Volume Manager software volumes.
An easy way to create volumes is to use the GUI built into the
Solaris Management Console. The Enhanced Storage tool within the
Solaris Management Console lists all the existing volumes. By following
the steps in the tool wizard, you can create any type of Solaris Volume
Manager software volumes or components. You can also build and
modify volumes using command-line utilities in the Solaris Volume
Manager software.
8-19
Soft Partitions
As disks become larger, and disk arrays present larger logical devices to
the Solaris OS, users must be able to subdivide disks or logical volumes
into more than eight sections, often to create manageable file systems or
partition sizes.
Soft partitions provide a mechanism for dividing large storage spaces into
smaller, more manageable, sizes. For example, large storage aggregations
provide redundant storage of many gigabytes, but many scenarios would
not require as much space. Soft partitions allow you to subdivide that
storage space into more manageable sections, each of which can have a
complete file system.
For example, you could create 1000 soft partitions on top of a RAID-1
volume or RAID-5 volume so that each of your users can have a home
directory on a separate file system. If a user needs more space at a later
date, you can grow the soft partition.
Note The Solaris Volume Manager software can support up to
8192 logical volumes per disk set, but is configured for 128 (d0d127) by
default. For instructions on increasing the number of logical volumes,
refer to the Solaris Volume Manager Administration Guide, part number
806-6111-10.
8-20
You can build soft partitions on any slice. Creating a single slice that
occupies the entire disk and then creating soft partitions on that slice
is the most efficient way to use soft partitions at the disk level.
You can grow soft partitions to use any available space on a volume.
8-21
8-22
The system will stay running if at least half of the state database
replicas are available.
The system will panic if fewer than half the state database replicas
are available.
The system will not start the Solaris Volume Manager software
unless a majority (half + 1) of the total number of state database
replicas are available.
You can put replicas on unused slices, and then use them on RAID-0,
RAID-1, or RAID-5 volumes.
For a system with only a single drive: put all three replicas in
one slice.
For a system with two to four drives: put two replicas on each
drive.
For a system with five or more drives: put one replica on each
drive.
Make sure that you have at least two extra replicas per mirror.
You can add additional state database replicas to the system at any
time. The additional state database replicas help to ensure the Solaris
Volume Manager softwares availability.
8-23
Hot Spares
A hot spare is a slice (not a volume) that is functional and available, but
not in use. A hot spare is on reserve to substitute for a failed slice in a
submirror or RAID-5 volume. You cannot use a hot spare to hold data or
state database replicas until the hot spare is assigned as a member. A hot
spare must be ready for immediate use in the event of a slice failure in the
volume with which it is associated. To use hot spares, invest in additional
disks beyond those that the system requires to function.
8-24
Module 9
Build a RAID-1 (mirror) volume for the root (/) file system
The course map in Figure 9-1 shows how this module fits into the current
instructional goal.
Figure 9-1
Configuring
Solaris
Volume
Manager
Software
Course Map
9-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
9-2
Makes sure that the system stays running if at least half of the state
database replicas are available.
Causes the system to panic if fewer than half of the state database
replicas are available.
If insufficient state database replicas are available, you must boot into
single-user mode and delete enough of the corrupt replicas to achieve a
majority consensus.
State database replicas are stored in their own disk slices.
9-3
-f
-c n
-l nnnn
disk_slice
Note The metadb command without options reports the status of all
replicas.
The following example shows the creation of state database replicas:
# metadb -a -f c0t0d0s4 c0t0d0s5 c1t0d0s0 c1t0d0s1
# metadb
flags
first blk
block count
a
u
16
8192
a
u
16
8192
a
u
16
8192
a
u
16
8192
/dev/dsk/c0t0d0s4
/dev/dsk/c0t0d0s5
/dev/dsk/c1t0d0s0
/dev/dsk/c1t0d0s1
This example lists the four replicas that were just created. Each replica
begins at block 16 of the assigned disk slice. Each replica is 8192 blocks, or
4 Mbytes in size. The flags indicate that the replica is active and up to
date. If there are capital letters in the flags field, it is an indication that the
replica is corrupt.
Note The previous example places the state database replicas on disks
on different controllers. This is an appropriate fault tolerant configuration
for a production environment.
9-4
# smc &
The Solaris Management Console appears, as shown in Figure 9-2.
Figure 9-2
2.
3.
4.
Select Storage.
9-5
Figure 9-3
Note After you start the Solaris Management Console, you must log in
after you open the first tool.
6.
9-6
Figure 9-4
9-7
Figure 9-5
Select alternate disk sets when additional disk sets are available, as
shown in Figure 9-6. In this configuration, no additional disk sets
have been configured, so choose the default selection of <none>.
Figure 9-6
9-8
Note A disk set is a set of shared disk drives that contain logical Volume
Manager objects that can be shared exclusively but not concurrently by
one or two hosts. Disk sets are enablers for host fail-over scenarios.
9.
9-9
Figure 9-7
9-10
Figure 9-8
9-11
Figure 9-9
16. Double-check your selections to ensure that they meet the criteria of
your state database replicas.
Note Before you click Finish, click Show Commands to view and,
optionally, log the commands used to accomplish the specified Enhanced
Storage Tool operations.
17. Click Finish to complete the operation.
9-12
9-13
Configuring RAID-0
Configuring RAID-0
RAID-0 volumes allow you to expand disk storage capacity efficiently.
These volumes do not provide data redundancy but can be used to
expand disk storage capacity. If a single slice fails on a RAID-0 volume,
there is a loss of data. RAID-0 comes in two forms, stripes and
concatenations.
9-14
Physical
Physical
Slice A
Slice B
Slice C
Interlace 1
Interlace 2
Interlace 3
Interlace 4
Interlace 5
Interlace 6
Solaris Volume
Manager
Interlace 1
Interlace 2
Interlace 3
Interlace 4
Interlace 5
Interlace 6
RAID 0
(Stripe)
Logical Volume
9-15
size
470M
used
395M
avail capacity
28M
94%
Mounted on
/export/home
block count
8192
8192
8192
8192
/dev/dsk/c3t2d0s7
/dev/dsk/c3t2d0s7
/dev/dsk/c3t3d0s7
/dev/dsk/c3t3d0s7
9-16
-f
concat/stripe
numstripes
width
component
Note The metastat command does not show information about soft
partitioning.
The metastat command is used to check the configuration:
# metastat
d0: Concat/Stripe
Size: 3118752 blocks (1.5 GB)
Stripe 0:
Device
Start Block Dbase
c0t0d0s7
0
No
Stripe 1:
Device
Start Block Dbase
c3t2d0s0
2160
No
Reloc
Yes
Reloc
Yes
sys
85,
0 Oct 25 12:35 d0
9-17
sys
85,
0 Oct 25 12:35 d0
The new metadevice (d0) has been created but is not being used yet. The
/export/home file system is still mounted as a regular disk slice:
# df -h /export/home
Filesystem
/dev/dsk/c0t0d0s7
size
470M
used
395M
avail capacity
28M
94%
Mounted on
/export/home
ufs
yes
Then un-mount and re-mount the file system using the new device files:
# umount /export/home
# mount /export/home
# df -h /export/home
Filesystem
/dev/md/dsk/d0
size
470M
used
395M
avail capacity
28M
94%
Mounted on
/export/home
The file system is now mounted using the metadevice device file. Notice
that the file system does not appear to be any bigger, and the capacity is
still at 94%. The existing file system needs to be grown into the new space.
This is done with the growfs command. Use the option -M to specify a
mount point:
# growfs -M /export/home /dev/md/rdsk/d0
/dev/md/rdsk/d0: 3118752 sectors in 3094 cylinders of 16 tracks, 63
sectors
1522.8MB in 194 cyl groups (16 c/g, 7.88MB/g, 3776 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
32, 16224, 32416, 48608, 64800, 80992, 97184, 113376, 129568, 145760,
2968096, 2984288, 3000480, 3016672, 3032864, 3049056, 3065248, 3081440,
3096608, 3112800,
The file system now occupies all the space in the d0 metadevice:
# df -h /export/home
Filesystem
/dev/md/dsk/d0
9-18
size
1.4G
used
395M
avail capacity
988M
29%
Mounted on
/export/home
2.
Select the Volumes tool and Create Volume from the Action menu, as
shown in Figure 9-12.
# smc &
9-19
9-20
9-21
9-22
9-23
Select the existing slice and click Add to move it to the Selected list.
9.
Select an unused slice and click Add to move it to the Selected list.
9-24
9-25
9-26
9-27
ufs
yes
# mount /export/home
# growfs -M /export/home /dev/md/rdsk/d0
/dev/md/rdsk/d0: 3118752 sectors in 3094 cylinders of 16 tracks, 63
sectors
1522.8MB in 194 cyl groups (16 c/g, 7.88MB/g, 3776 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
32, 16224, 32416, 48608, 64800, 80992, 97184, 113376, 129568, 145760,
2968096, 2984288, 3000480, 3016672, 3032864, 3049056, 3065248, 3081440,
3096608, 3112800,
# df -h /export/home
Filesystem
size
used avail capacity Mounted on
/dev/md/dsk/d0
1.4G
395M
988M
29%
/export/home
9-28
Configuring RAID-1
Configuring RAID-1
RAID-1 volumes are also known as mirrors and provide data redundancy.
In a two-way mirror, the data is written to two disk slices of the same size.
If one disk fails, the other will have an up-to-date copy of the data.
A RAID-1 volume maintains identical copies of the data in several
RAID-0 volumes. Mirroring requires more disks. You need at least twice
as much disk space as the amount of data to be mirrored.
After configuring a mirror, you can use it as if it were a physical slice.
With multiple copies of data available, and correctly configured read and
write policies, data access time is reduced.
You can mirror any file system, including existing file systems.
Mirror Options
Mirror performance can be modified by using the following options:
9-29
Configuring RAID-1
Note The mirror options listed here are representative of the options
presented when configuring RAID-1 mirrors using the Solaris Volume
Manager software.
You can define mirror options when you initially create the mirror or after
you set up the mirror. You can distribute the load across the submirrors to
improve read performance. Table 9-1 describes the configurable mirror
read policies.
Table 9-1 Mirror Read Policies
Read Policy
Description
Geometric
First
Description
Parallel (Default)
Serial
When a submirror is offline, any writes to the mirror are tracked in a dirty
region log. When the submirror is brought back online, those regions
must be updated or resynchronized.
9-30
Create a RAID-0 volume for the file system you want to mirror.
2.
3.
Create a one-way mirror using the RAID-0 volume that contains the
file system to be mirrored.
4.
5.
6.
7.
Record the alternate boot path that is used in the event of a failure of
the primary submirror, as this is a mirror of the root (/) file system.
9-31
The Scenario
The scenario assumes the root (/) file system is on disk slice c0t0d0s0.
1.
2.
3.
d10
d11
d12
RAID 0
Volume
RAID 0
Volume
9-32
9-33
Select Create Volume from the Action menu, as shown in Figure 9-24.
9-34
9-35
9-36
6.
If only one disk set exists on the system, select the default of <none>.
7.
9.
9-37
9-38
9-39
Note When mirroring root (/), you cannot span multiple slices.
15. Click Next to continue.
9-40
9-41
9-42
9-43
mirror -m
submirror
read_options
write_options
pass_num
Note If neither the -g nor -r options are specified, reads are made in a
round-robin order from all submirrors in the mirror. This process enables
load balancing across the submirrors.
The following command-line example creates a mirrored volume named
d10, and attaches a one-way mirror using volume d11. Volume d11 is a
submirror of the mirror named d10.
# /usr/sbin/metainit d10 -m d11
d10: Mirror is setup
9-44
9-45
Select Create Volume from the Action menu, as shown in Figure 9-35.
9-46
9-47
If only one disk set exists on the system, select the default of <none>,
as shown in Figure 9-37.
Note When you are mirroring root, you must use the local disk set.
9-48
8.
9-49
9-50
9-51
When building a mirror that does not already contain data, you
can select the secondary submirror, as shown in Figure 9-41.
9-52
9-53
9-54
9-55
ufs
no
In addition to modifying the /etc/vfstab file to update the root (/) file
system pointer, the metaroot command updates the /etc/system file to
support the logical volumes. For example:
# tail /etc/system
rootdev:/pseudo/md@0:0,10,blk
You must reboot the system before attaching the secondary submirror.
When the system boots, it mounts the root file system using the
metadevice device file. Enter the init command to reboot the system:
# init 6
After the reboot is complete, the root file system is mounted through the
d10 metadevice:
# df -h /
Filesystem
/dev/md/dsk/d10
9-56
size
141M
used
111M
avail capacity
15M
88%
Mounted on
/
9-57
ok printenv boot-device
boot-device= disk net
ok setenv boot-device disk backup_root net
boot-device= disk backup_root net
In the event of primary root disk failure, the system automatically boots
from the secondary submirror. To test the secondary submirror, boot the
system manually, as follows:
ok boot backup_root
9-59
# metastat d10
d10: Mirror
Submirror 0: d11
State: Okay
Submirror 1: d12
State: Okay
Pass: 1
Read option: roundrobin (default)
Write option: parallel (default)
Size: 307440 blocks (150 MB)
d11: Submirror of d10
State: Okay
Size: 307440 blocks (150 MB)
Stripe 0:
Device
Start Block Dbase
c0t0d0s0
0
No
9-60
Because this is a root (/) file system mirror, run the metaroot
command to update the /etc/vfstab and etc/system files.
# metaroot /dev/dsk/c0t0d0s0
# grep c0t0d0s0 /etc/vfstab
/dev/dsk/c0t0d0s0/dev/rdsk/c0t0d0s0/ufs1no4.
5.
# init 6
# metaclear -r d10
d10: Mirror is cleared
d11: Concat/Stripe is cleared
# metaclear d12
d12: Concat/Stripe is cleared
6.
9-61
9-62
Preparation
This exercise mirrors the root (/) file system of the system disk.
This exercise mirrors the root (/) file system of the system disk.
As a setup requirement, the second disk on your system must be
partitioned with one slice that is equal to or larger than the root (/)
partition of the system disk. You must also partition space for the state
database replicas on the second disk. You can choose how the remaining
slices of the second disk must be partitioned.
This exercise is performed on each individual system, so there is no need
to work with a partner for this exercise. Most steps in these procedures
are executable by using either the Enhanced Storage Tool within the
Solaris Volume Manager software or by using the command line.
For this exercise, the solution to each step is presented using the
command-line equivalent. The Enhanced Storage Tool within the Solaris
Volume Manager software is open and used to display a visual record of
the Solaris Volume Manager softwares activities.
9-63
Tasks
Perform the following tasks:
9-64
Map the available disk slices to the requirements for state database
replicas and root (/) file system submirrors.
Reboot the system using the secondary root (/) submirror to test the
mirror.
Preparation
This exercise mirrors the root (/) file system of the system disk.
As a setup requirement, the second disk on your system must be
partitioned with one slice that is equal to or larger than the root (/)
partition of the system disk. You must also partition space for the state
database replicas on the second disk. You can choose how the remaining
slices of the second disk must be partitioned.
This exercise is performed on each individual system, so there is no need
to work with a partner for this exercise. Most steps in these procedures
are executable by using either the Enhanced Storage Tool within the
Solaris Volume Manager Software or by using the command line.
For this exercise, the solution to each step is presented using the
command-line equivalent. The Enhanced Storage Tool within the Solaris
Volume Manager is open and used to display a visual record of the Solaris
Volume Manager softwares activities.
9-65
Task Summary
Perform the following tasks:
Map the available disk slices to the requirements for state database
replicas and root (/) file system submirrors.
Reboot the system using the secondary root (/) submirror to test the
mirror.
Tasks
Complete the following steps:
9-66
1.
2.
3.
Disk slice for the root (/) file system secondary submirror:
________________________________________________________
4.
Create a RAID-0 volume to use as the root (/) file systems primary
submirror.
5.
Create a RAID-0 volume on the secondary drive to use as the root (/)
file systems secondary submirror.
6.
Create a RAID-1 volume as a one-way mirror using the root (/) file
system primary submirror as the source of the mirrors data.
7.
8.
9.
Attach the RAID-0 volume used as the root (/) file systems
secondary submirror to the RAID-1 volume, and allow the mirror
synchronization to complete before continuing.
What is the primary reason for using the command line to attach a
secondary submirror to a mirror?
_____________________________________________________________
9-67
9-68
Preparation
This exercise mirrors the root (/) file system of the system disk.
As a setup requirement, the second disk on your system must be
partitioned with one slice that is equal to or larger than the root (/)
partition of the system disk. You must also partition space for the state
database replicas on the second disk. You can choose how the remaining
slices of the second disk must be partitioned.
This exercise is performed on each individual system, so there is no need
to work with a partner for this exercise. Most steps in these procedures
are executable by using either the Enhanced Storage Tool within the
Solaris Volume Manager or by using the command line.
For this exercise, the solution to each step is presented using the
command-line equivalent. The Enhanced Storage Tool within the Solaris
Volume Manager is open and used to display a visual record of the Solaris
Volume Manager softwares activities.
9-69
Task Summary
Perform the following tasks:
Map the available disk slices to the requirements for state database
replicas and root (/) file system submirrors.
Reboot the system using the secondary root (/) submirror to test the
mirror.
# smc &
9-70
#
#
#
#
/usr/sbin/metadb
/usr/sbin/metadb
/usr/sbin/metadb
/usr/sbin/metadb
-a
-a
-a
-a
-f c#t#d#s0
c#t#d#s1
c#t#d#s4
c#t#d#s5
Create a RAID-0 volume to use as the root (/) file systems primary
submirror.
Create a RAID 0 volume on the secondary drive to use as the root (/)
file systems secondary submirror.
9-71
Create a RAID-1 volume as a one-way mirror using the root (/) file
system primary submirror as the source of the mirrors data.
# /usr/sbin/metaroot d10
# cat /etc/vfstab
# cat /etc/system
8.
9.
Attach the RAID-0 volume used as the root (/) file systems
secondary submirror to the RAID-1 volume, and allow the mirror
synchronization to complete before continuing.
# init 6
9-72
9-73
Exercise Summary
Exercise Summary
!
?
9-74
Experiences
Interpretations
Conclusions
Applications
Module 10
The course map in Figure 10-1 shows how this module fits into the
current instructional goal.
Control System Access and Configure System Messaging
Configure
Role-based
Access
Control
(RBAC)
Configure
ste
essaging
10-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
Roles
A role is a special identity, similar to a user account, for running
privileged applications or commands that can be assumed by assigned
users only.
While no predefined roles are shipped with the Solaris 10 OS, predefined
rights profiles, or collections of privileges, can be associated with roles. To
define a role, you assign the rights profiles to the role, as shown in
Figure 10-2.
Rights Profile
right
right
User
John
Role
Operator
Rights Profile
right
right
Note You can also set up the root user as a role through a manual
process. This approach prevents users from logging in directly as the root
user. Therefore, they must log in as themselves first, and then use the su
command to assume the role.
10-3
Rights Profile
right
right
User
John
Rights Profile
right
right
10-4
10-5
10-6
10-7
Rights Profile
right
right
User
John
Role
level 1
Rights Profile
right
right
Creating a Role
The roleadd command creates a role entry in the /etc/passwd,
/etc/shadow, and /etc/user_attr files. Some common options include:
-c comment
-d dir
-m
-P profile
10-8
Modifying a Role
To modify the login information of a role on a system, use the rolemod
command. The rolemod command changes the definition of the specified
role and makes the appropriate login-related changes to the system file
and file system. The fields in the rolemod command are:
-e expire
-l new_logname
-P profile
10-9
10-10
10-11
Using Roles
As it is not possible to log in to a role account, log in as a regular user
first. The roles command shows the roles available to your account.
$ id
uid=103(paul) gid=1(other)
$ roles
level1
Switch the user to the role account with the su command.
$ su level1
Password: level1
$ id
uid=102(level1) gid=1(other)
The level1 role has the two default rights profiles and was configured
with three extra rights profiles.
$ profiles
Printer Management
Media Backup
Media Restore
Basic Solaris User
All
The Printer Management rights profile has a right which allows the
cancel command to be run as the lp user.
$ lpstat -t
scheduler is running
system default destination: laser
system for _default: host1 (as printer laser)
device for laser: /dev/null
_default accepting requests since Fri Oct 22 13:59:24 2004
laser accepting requests since Fri Oct 22 13:59:24 2004
printer laser disabled since Fri Oct 22 13:59:34 2004. available.
Changing Toner
laser-8
root
479
Oct 22 14:12
$ cancel laser-8
laser-8: cancelled
10-12
Authorizations
Authorizations
An authorization grants access to restricted functions in RBAC compliant
applications. Some applications and commands in the Solaris 10 OS are
written to check the authorizations of the user calling them. You cannot
create new authorizations, however, you can create and assign
authorizations to new applications.
The predefined authorizations are listed in the authorization attributes
configuration file named /etc/security/auth_attr.
# cat /etc/security/auth_attr
(output omitted)
solaris.jobs.:::Job Scheduler::help=JobHeader.html
solaris.jobs.admin:::Manage All Jobs::help=AuthJobsAdmin.html
solaris.jobs.grant:::Delegate Cron & At Administration::help=JobsGrant.html
solaris.jobs.user:::Manage Owned Jobs::help=AuthJobsUser.html
(output omitted)
Action
solaris.admin.usermgr.read
solaris.admin.usermgr.read
Provides read and write access to
solaris.admin.usermgr.write user configuration files. Cannot
change passwords.
solaris.admin.usermgr.read
Provides read, write, and password
solaris.admin.usermgr.write access to user configuration files.
solaris.admin.usermgr.pswd
Caution An authorization that ends with the suffix grant permits a user
to delegate any assigned authorizations that begin with the same prefix to
other users.
10-13
Authorizations
For example, a role with the authorizations:
solaris.admin.usermgr.grant
solaris.admin.usermgr.read
Can delegate the solaris.admin.usermgr.read authorization to
another user.
A role with the authorizations:
solaris.admin.usermgr.grant
solaris.admin.usermgr.*
Can delegate any of the authorizations with the solaris.admin.usermgr
prefix to other users.
Default Authorizations
All users have the Basic Solaris User profile by default.
# profiles chris
Printer Management
Basic Solaris User
All
The Basic Solaris User profile grants users access to all listed
authorizations. The profiles=All field grants unrestricted access to all
Solaris OS commands that have not been restricted by a definition in a
previously listed authorization.
# grep Basic Solaris User /etc/security/prof_attr
Basic Solaris User:::Automatically assigned rights:
auths=solaris.profmgr.read,solaris.jobs.users,solaris.mail.
mailq,
solaris.admin.usermgr.read,solaris.admin.logsvc.read,
solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,
solaris.admin.diskmgr.read,solaris.admin.procmgr.user,
solaris.compsys.read,solaris.admin.printer.read,
solaris.admin.prodreg.read,solaris.admin.dcmgr.read,
solaris.snmp.read,solaris.project.read,solaris.admin.patchm
gr.read,
solaris.network.hosts.read,solaris.admin.volmgr.read;profil
es=All; help=RtDefault.html
10-14
Authorizations
Other default authorizations for every user can be defined in the
/etc/security/policy.conf file:
# grep 'AUTHS' /etc/security/policy.conf
AUTHS_GRANTED=solaris.device.cdrw
This authorization is in the default /etc/security/policy.conf file
as installed with the Solaris 10 OS.
Assigning Authorizations
Authorizations can be assigned to user accounts. Authorizations can also
be assigned to roles or embedded in a rights profile which can be assigned
to a user or role.
Figure 10-5 shows the authorization assignment permutations.
Authorization
User
John
Authorization
User
Role
John
Operator
Rights Profile
Authorization
User
John
Rights Profile
Authorization
User
John
Role
Operator
10-15
Authorizations
10-16
Authorizations
With this authorization, he can view or modify other users crontab files:
# su - chris
Sun Microsystems Inc.
SunOS 5.10
s10_68 Sep. 20, 2004
$ crontab -l root
#ident "@(#)root
1.21
04/03/23 SMI"
#
# The root crontab should be used to perform accounting data collection.
#
#
(output omitted)
$ exit
# profiles level2
Mail Management
Basic Solaris User
All
# auths level2
solaris.admin.usermgr.*
(output omitted)
10-17
Authorizations
10-18
auth_attr
Authorization
user_attr
Users
Roles
prof_attr
exec_attr
Profiles
Privileges
auth_attr
Authorization
user_attr
Users
Roles
prof_attr
exec_attr
Profiles
Privileges
10-19
root::::type=normal;auth=solaris.*,solaris.grant
sysadmin::::type=role;profiles=Device Management,Filesystem
Management,Printer Management
johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin
auth_attr
Authorization
user_attr
Users
Roles
prof_attr
exec_attr
Profiles
Privileges
10-20
/etc/security/prof_attr database:
/etc/user_attr database:
root::::type=normal;auth=solaris.*,solaris.grant
sysadmin::::type=role;profile=Device Management,Printer Management
...
Figure 10-10 User and Profile Association
10-21
/etc/security/prof_attr database:
/etc/security/auth_attr database:
auth_attr
Authorization
user_attr
Users
Roles
prof_attr
exec_attr
Profiles
Privileges
10-22
/etc/security/prof_attr database:
Printer
Printer
Printer
Printer
Printer
Printer
Printer
Printer
Printer
Printer
Printer
Printer
Printer
Printer
Printer
Printer
Printer
Printer
/etc/security/exec_attr database:
Management:suser:cmd:::/usr/sbin/accept:euid=lp
Management:suser:cmd:::/usr/ucb/lpq:euid=0
Management:suser:cmd:::/etc/init.d/lp:euid=0
Management:suser:cmd:::/usr/bin/lpstat:euid=0
Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0
Management:suser:cmd:::/usr/sbin/lpfilter:euid=lp
Management:suser:cmd:::/usr/bin/lpset:egid=14
Management:suser:cmd:::/usr/sbin/lpadmin:egid=14
Management:suser:cmd:::/usr/sbin/lpsystem:uid=0
Management:suser:cmd:::/usr/sbin/lpmove:euid=lp
Management:suser:cmd:::/usr/sbin/lpshut:euid=lp
Management:suser:cmd:::/usr/bin/cancel:euid=0
Management:suser:cmd:::/usr/bin/disable:euid=lp
Management:suser:cmd:::/usr/sbin/lpforms:euid=lp
Management:suser:cmd:::/usr/sbin/reject:euid=lp
Management:suser:cmd:::/usr/ucb/lprm:euid=0
Management:suser:cmd:::/usr/bin/enable:euid=lp
Management:suser:cmd:::/usr/sbin/lpusers:euid=lp
Figure 10-13 Profile and Execution Association
The Printer Management rights profile lists commands with the
appropriate security attributes assigned in the
/etc/security/exec_attr file.
10-23
auth_attr
Authorization
user_attr
Users
Roles
prof_attr
exec_attr
Profiles
Privileges
10-24
/etc/security/auth_attr database:
solaris.*:::Primary Administrator::help=PriAdmin.html
...
solaris.system.date:::Set Date & Time::help=SysDate.html
...
From the
/etc/user_attr database:
johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin
Figure 10-15 User, Role, and Authorization Association
Figure 10-16 shows how the fields of the four files are related.
From the
/etc/security/auth_attr database:
/etc/user_attr database:
sysadmin::::type=role;profiles=Device Management,Filesystem
Management,Printer Management,All
johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin
From the
/etc/security/prof_attr database:
Printer
Printer
Printer
Printer
Printer
/etc/security/exec_attr database:
Management:suser:cmd:::/usr/sbin/accept:euid=lp
Management:suser:cmd:::/usr/ucb/lpq:euid=0
Management:suser:cmd:::/etc/init.d/lp:euid=0
Management:suser:cmd:::/usr/bin/lpstat:euid=0
Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0
Figure 10-16 Relationship Between the Four RBAC Files
Configuring Role-Based Access Control (RBAC)
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
10-25
Build the user accounts that will be assigned the RBAC rights
profiles and roles.
Note step 1 is not required if the designated rights profiles and roles are
being made available to existing users.
10-26
2.
3.
Build the role that will provide access to the rights profiles for
designated users.
2.
3.
4.
10-27
10-28
Description
User Accounts
User Templates
Rights
(Rights Profiles)
Administrative
Roles
10-29
Description
Groups
Mailing Lists
Add a new mailing list. You can also use this tool
to view, add, or delete recipients in a mailing list.
6.
10-30
Select Add User from the Action menu, as shown in Figure 10-21.
10-31
Note The Add User Wizard works the same as the useradd command
and earlier GUI tools, such as AdminTool.
The Add User Wizard Step 1 window appears, as shown in
Figure 10-22.
4.
Full Name
Description
10-32
10-33
10-34
7.
8.
When prompted with a choice for the new users primary group
membership, accept the default group assignment, as shown in
Figure 10-25.
10-35
10-36
10-37
10-38
Note The host name in this example is sys44, and the user name is
user1.
# telnet sys44
Trying 127.0.0.1...
Connected to sys44.
Escape character is ^].
login: user1
Password:
Sun Microsystems Inc.
SunOS 5.10 s10_68
2.
$ who
root
console
Oct 22 13:45
(:0)
10-39
pts/4
Oct 22 09:29
(:0.0)
pts/5 Oct 22 14:32
(sys44)
$ id
uid=4001(user1) gid=10(staff)
$ ls -a
.
..
.cshrc
.login
$
3.
$ pkginfo -l
PKGINST:
NAME:
CATEGORY:
ARCH:
VERSION:
BASEDIR:
VENDOR:
DESC:
PSTAMP:
INSTDATE:
HOTLINE:
STATUS:
FILES:
.profile
Now that you have verified that the basic Solaris OS commands are
functioning within the new user account, try executing more
specialized commands within this account. Use the pkginfo
(package information) command and the pkgrm (package removal)
command. These examples use the SUNWpppg package.
SUNWpppg
SUNWpppg
GNU utilities for PPP
system
sparc
11.10.0,REV=2004.09.20.13.52
/
Sun Microsystems, Inc.
Optional GNU utilities for use with PPP
gaget20040920135926
Oct 15 2004 18:15
Please contact your local service provider
completely installed
12 installed pathnames
8 shared pathnames
8 directories
3 executables
190 blocks used (approx)
$ pkgrm SUNWpppg
pkgrm: not found
10-40
In the earlier example, user1 required access permissions to the full set of
package administration commands. You can create a rights profile called
Package Administration to add to the default rights profiles supplied with
the Solaris 10 OS release.
10-41
10-42
Select Add Right from the Action menu, as shown in Figure 10-31.
10-43
10-44
Description
Help File
Name
Note You should create the help file before referencing the help file in
this window.
4.
Select the Commands tab, as shown in Figure 10-33, and select the
commands that your rights profile will include as follows:
For each command that you want the rights profile to be able to
run, select it, and click Add.
The command moves to the Commands Permitted list.
b.
10-45
Note The online man pages do not always define the required execution
permissions. However, the /etc/security/exec_attr file is a good
source for the proper execution permissions for most commands.
10-46
5.
6.
Click OK to continue.
10-47
Note By default, the Solaris 10 OS does not have any roles defined.
10-48
10-49
10-50
Full Name
Description
Role ID
Number
Role Shell
6.
10-51
To build the administrative rights for this role, click the Package
Administrator rights profile in the left column, as shown in the Add
Administrative Role Step 3 window in Figure 10-40.
Click Add.
The rights are added to the Granted Rights in the right column.
Note The help that is available on this screen is derived from the help
files that are indicated in the Right Properties: Package Administration
window.
9.
10-52
10-53
To delete a user, click on the users name in the lower box, and
click Delete.
10-54
10-55
Log in as user1.
# telnet sys44
Trying 127.0.0.1...
Connected to sys44.
Escape character is ^].
login: user1
Password:
Sun Microsystems Inc.
SunOS 5.10 s10_68
2.
$ who
root
console Oct 28 13:45
(:0)
root
pts/6 Oct 2214:49
(:0.0)
user1
pts/7 Oct 2215:47
(sys44)
$ id
uid=4001(user1) gid=10(staff)
$ ls
$ ls -a
.
..
.cshrc
.login
.profile
10-56
$ /usr/sbin/pkgrm SUNWpppg
pkgrm: ERROR: You must be "root" for pkgrm to execute properly.
4.
5.
$ su - pkguser
Password:
$ /usr/ucb/whoami
pkguser
$ id
uid=5001(pkguser) gid=14(sysadmin)
$ echo $SHELL
/bin/pfsh
$
6.
$ /usr/sbin/pkgrm SUNWpppg
The following package is currently installed:
SUNWpppg
GNU utilities for PPP
(sparc) 11.9.0,REV=2002.02.12.18.33
Do you want to remove this package? [y,n,?,q] y
## Removing installed package instance <SUNWpppg>
## Verifying package dependencies.
## Processing package information.
## Removing pathnames in class <none>
/usr/share/man/man1m <shared pathname not removed>
/usr/share/man <shared pathname not removed>
/usr/share <shared pathname not removed>
/usr/lib/inet/ppp/passprompt.so
/usr/lib/inet/ppp/minconn.so
/usr/lib/inet/ppp <shared pathname not removed>
/usr/lib/inet <shared pathname not removed>
/usr/lib <shared pathname not removed>
/usr/bin/pppdump
/usr/bin <shared pathname not removed>
/usr <shared pathname not removed>
## Updating system information.
10-57
$ date
Fri Oct 22 16:02:57 BST 2004
8.
$ date
Fri Oct 22 16:02:57 BST 2004
$ date 10221600
date: Not owner
usage: date [-u] mmddHHMM[[cc]yy][.SS]
date [-u] [+format]
date -a [-]sss[.fff]
In summary, you built a regular user account named user1. This account
has access to perform regular user commands. However, when it is
necessary to perform a software package removal that requires root
access, user1 must switch to a role that is configured with the required
execution profile.
In the role of pkguser and using the Package Administrator rights profile,
user1 acquires the rights to remove a software package. However, it is the
pkguser role that has the rights to remove the software package.
This pkguser role is not configured with full superuser access. Therefore,
when you attempt to change the system date using this role, you are
unsuccessful. The inability to access all superuser commands
demonstrates the advantage of using RBAC instead of granting this access
through the superuser. You can configure each administrator to perform
only those tasks required in their job, and access to other tasks can remain
secure.
10-58
10-59
Preparation
During the lab, you are directed to execute commands that do not work to
demonstrate how the RBAC facility must be used by logged in users.
Discuss how to use the auths, profiles, and roles RBAC commands to
determine user privileges.
Task Summary
Perform the following tasks:
Using the command-line tools, create a role that can shut down the
system, and create a user named user9. Assign the role to user9 to
enable user9 to shut down the system.
If you have any problems that you cannot fix, see your instructor.
10-60
Preparation
During the lab, you are directed to execute commands that do not work to
demonstrate how the RBAC facility must be used by logged in users.
Discuss how to use the auths, profiles, and roles RBAC commands to
determine user privileges.
Task Summary
Perform the following tasks:
Using the command-line tools, create a role that can shut down the
system, and create a user named user9. Assign the role to user9 to
enable user9 to shut down the system.
If you have any problems that you cannot fix, see your instructor.
Tasks
Perform the following tasks.
2.
10-61
4.
5.
Create a user named user9 and assign it access to the sdown role.
Give this user a user ID of 4009 and a group ID of 10.
6.
7.
8.
9.
10-62
Name: user11
2.
3.
From the command line, check for user11 in the /etc/passwd file.
Why does user11 appear in the /etc/passwd file, but not in the
/etc/user_attr file?
_____________________________________________________________
4.
Name: tarback
Password: abc123
Rights: As appropriate
5.
10-63
From the command line, check for user and role creation.
Why does user11 now appear in the /etc/user_attr file?
_____________________________________________________________
Does the tarback role appear in both the /etc/passwd file and the
/etc/user_attr file?
_____________________________________________________________
7.
8.
9.
10-64
Preparation
During the lab, you are directed to execute commands that do not work to
demonstrate how the RBAC facility must be used by logged in users.
Discuss how to use the auths, profiles, and roles RBAC commands to
determine user privileges.
Task Summary
Perform the following tasks:
Using the command-line tools, create a role that can shut down the
system, and create a user named user9. Assign the role to user9to
enable user9 to shut down the system.
If you have any problems that you cannot fix, see your instructor.
10-65
# vi /etc/security/prof_attr
(output omitted for brevity)
Shut:::Able to shutdown the system:
3.
# more /etc/user_attr
5.
Create a user named user9 and assign it access to the sdown role.
Give this user a user ID of 4009 and a group ID of 10.
# vi /etc/security/exec_attr
Shut:suser:cmd:::/usr/sbin/shutdown:uid=0
8.
# su user9
10-66
As user9, without assuming the new role, shut down the system.
$ /usr/sbin/shutdown -i 6 -g 0
/usr/sbin/shutdown: Only root can run /usr/sbin/shutdown
What is the result of this shutdown attempt, and why?
This shutdown attempt fails because user9 has not assumed the sdown
role yet, and as a regular user, does not have the rights profile to execute the
shutdown command.
10. Execute the profiles command to determine which RBAC profiles
are associated with user9.
$ profiles
Basic Solaris User
All
11. Execute the roles command to determine which RBAC roles are
associated with user9.
$ roles
sdown
12. Assume the role sdown.
$ su sdown
Password:
$
13. Shut down the system by using the init command.
$ /usr/sbin/init 0
Insufficient privileges.
Depending on the users preferred shell, the message may also be "Must be
super-user".
What is the result of this shutdown attempt? Why?
This shut down attempt fails because, even after assuming the sdown role,
user9 does not have the execution attribute to execute the init
command.Depending on the users preferred shell, the message may also be
"Must be super-user" .
14. List the commands that the sdown profile can execute.
$ profiles -l
Shut:
/usr/sbin/shutdown
All:
*
uid=0
10-67
2.
10-68
Name: user11
From the command line, check for user11 in the /etc/passwd file.
Name: tarback
Password: abc123
5.
10-69
From the command line, check for user and role creation.
$ telnet localhost
Trying ...
Connected to localhost.
Escape character is ^].
login: user11
Password:
Last login: Thu May 2 14:56:46 from sys44
Sun Microsystems Inc.
SunOS 5.10 s10_68 Sep. 20, 2004
8.
$ id -a
uid=4011(user11) gid=10(staff) groups=10(staff)
$ pwd
/home/user11
9.
10-70
10-71
Exercise Summary
Exercise Summary
!
?
10-72
Experiences
Interpretations
Conclusions
Applications
Module 11
The course map in Figure 11-1 shows how this module fits into the current
instructional goal.
Control System Access and Configure System Messaging
Configure
Role-based
Access
Control
(RBAC)
Configure
ste
essaging
11-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
Messages
Destination
Daemon
Log File
kernel
User Processes
syslogd
daemon
logger Command
Console
User
Central Log Host
m4 reads /etc/syslog.conf
Figure 11-2 The syslog Structure
11-2
/var/adm/messages
where:
*.err
/var/adm/messages
11-3
Selector Field
The selector field is a semicolon-separated list of priority specifications in
the following format:
facility.level;facility.level
In the selector field syntax, facility is a system facility. Table 11-1 shows
values that the selector field (facility) can contain.
Table 11-1 Selector Field (facility) Options
11-4
Field
Description
kern
user
daemon
auth
syslog
lpr
news
uucp
cron
local0-7
mark
Note You can use the asterisk (*) to select all facilities (for example
*.err); however, you cannot use * to select all levels of a facility (for
example, kern.*)
In the selector field syntax, level is the severity or importance of the
message. Each level includes all the levels above (of a higher severity).
Table 11-2 shows the levels in descending order of severity.
Table 11-2 Selector Field (level) Options
Level
Priority
Description
emerg
alert
crit
err
warning
Warning messages
notice
info
Informational messages
debug
none
Note Not all levels of severity are implemented for all facilities in the
same way. For more information, refer to the online manual pages.
11-5
Action Field
The action field defines where to forward the message. This field can have
any one of the following entries:
/pathname
@host
user1, user2
Note You must manually create the /pathname full path and file name if
it does not already exist.
11-6
operator
root
*.emerg
ifdef(LOGHOST,/var/log/syslog, @loghost)
#
# Non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(LOGHOST,,
user.err
/dev/sysmsg
user.err
/var/adm/messages
user.alert
root, operator
user.emerg
*
)
11-7
Process
These conceptual phases are described as:
1.
2.
3.
syslog.conf
m4
Selector Action
Field
Field
syslogd
Figure 11-3 The m4 Macro Processor
11-8
2.
3.
Operation Phase 1
In the following examples, the syslogd daemon is running on the host1
system. This section contains two examples of the host1 systems
/etc/hosts file.
These /etc/hosts file examples are excerpts of the /etc/hosts/ file.
Example A /etc/hosts:
192.9.200.1 host1 loghost
192.9.200.2 host2
Example B /etc/hosts:
192.9.200.1 host1
192.9.200.2 host2 loghost
When the syslogd daemon starts at system boot, the syslogd daemon
evaluates the /etc/hosts file, and checks the Internet Protocol (IP)
address associated with the hostname as compared to the IP address
associated with loghost.
In Example A, host1 and loghost are both associated with IP address
192.9.200.1. Therefore, the syslogd daemon runs the first command
line: /usr/ccs/bin/m4 -D LOGHOST, causing the m4 LOGHOST variable to
be defined as TRUE during the parsing of the /etc/syslog.conf file.
11-9
Operation Phase 2
In the phase 2, the m4 macro processor parses the /etc/syslog.conf file.
For each line that is parsed, the m4 processor searches the line for m4
statements, such as an ifdef statement. If no ifdef statement is
encountered on the line, the m4 processor passes the line to the syslogd
daemon.
If the m4 processor finds a line with an ifdef statement, the line is
evaluated as follows:
For example:
mail.debug
mail.debug
/var/log/syslog
If the LOGHOST variable was evaluated as FALSE in phase 1, then the m4
processor returns:
mail.debug
@loghost
In either case, the output has an entry in the selector field and an entry in
the action field. The m4 processor then passes the output to the syslogd
daemon.
11-10
Operation Phase 3
For each line parsed in the /etc/syslog.conf file from phase 2, the m4
processor produces output in a two-column field: a selector field and an
action field. The output is sent to the syslogd daemon, which uses the
information to route messages to their appropriate destinations. After the
information is configured, the syslogd daemon continues to run with this
configuration.
11-11
Message Routing
The following excerpt from the /etc/syslog.conf file shows how
various events are logged by the system.
1
2
3
4
5
*.err;kern.notice;auth.notice
*.err;kern.debug;daemon.notice;mail.crit
*.alert;kern.err;daemon.err
*.alert
*.emerg
/dev/sysmsg
/var/adm/messages
operator
root
*
11-12
11-13
Note The Internet daemon inetd provides services for many network
protocols, including the Telnet and File Transfer Protocol (FTP) protocols.
You can enable the trace option for each inetd-managed service to send
messages to the syslogd daemon. Use the inetadm command to modify
the settings of the service to enable TCP tracing. When you enable the
trace option, it uses the daemon.notice to log the clients IP address and
TCP port number, and the name of the service. To enable tracing TCP
connections automatically, each service may have its trace capability
enabled separately.
For example, to allow tracing of telnet sessions, the following command
is issued:
# inetadm -m telnet tcp_trace=TRUE
# inetadm -l telnet
SCOPE
NAME=VALUE
name="telnet"
endpoint_type="stream"
proto="tcp6"
isrpc=FALSE
wait=FALSE
exec="/usr/sbin/in.telnetd"
user="root"
default bind_addr=""
default bind_fail_max=-1
default bind_fail_interval=-1
default max_con_rate=-1
default max_copies=-1
default con_rate_offline=-1
default failrate_cnt=40
default failrate_interval=60
default inherit_env=TRUE
tcp_trace=TRUE
default tcp_wrappers=FALSEgrep inetd /etc/init.d/inetsvc
/var/adm/messages
11-15
11-16
Number
Field
Result
Date/time
Jun 14 13:15:39
host1
Field
Result
Process name/PID
number
inetd[2359]
MsgID number/
selector
facility.level
Incoming request
telnet
PPID number
[2361]
IP address
192.9.200.1
Port number
45800
11-17
-f file
-p priority
-t tag
Marks each line added to the log file with the specified
tag
message
11-18
11-19
# smc &
The Solaris Management Console application launches.
2.
3.
4.
11-20
Click the down arrow icon in the Log Files selection box.
2.
Note You cannot manipulate the syslog message logs. You can only
view them chronologically as they were created.
11-21
Note You can sort and filter the message logs by using command-line
sorting and filtering tools, such as the sort and grep commands.
11-22
11-23
11-24
The date and time that the log entries start and stop
Log properties:
11-25
11-26
11-27
11-28
11-29
Select Log File Settings from the Action menu to modify the
automatic backup configuration setting on any selected log file, as
shown in Figure 11-18.
11-30
b.
c.
d.
b.
11-31
To exit the Log Viewer application window, select Exit from the
Console menu, as shown in Figure 11-20.
11-32
11-33
Preparation
This exercise requires installed manual (man) pages and two systems that
list each other in the /etc/hosts file. Verify that the CONSOLE variable is
commented out in the /etc/default/login file on both systems. Except
as noted otherwise, perform all steps on both systems. Refer to the lecture
notes as necessary to perform the steps listed.
Tasks
Perform the following tasks:
11-34
11-35
Preparation
This exercise requires installed manual (man) pages and two systems that
list each other in the /etc/hosts file. Verify that the CONSOLE variable is
commented out in the /etc/default/login file on both systems. Except
as noted otherwise, perform all steps on both systems. Refer to the lecture
notes as necessary to perform the steps listed.
Task Summary
Complete the following steps:
11-36
Tasks
Perform the following tasks.
2.
Display the man page for the inetd process, and verify the
facility and level used by the inetd process when you run the
process with the -t option.
Which facility and level pair is the inetd daemon using?
________________________________________________
11-37
4.
Open a new terminal window, and use the tail command to view
new entries as they are recorded in the /var/adm/messages file.
5.
6.
Observe the window in which you are running the tail command.
Do any new telnet-related messages appear in the
/var/adm/messages file (yes or no)?
________________________________________________
7.
# inetadm -p
NAME=VALUE
bind_addr=""
bind_fail_max=-1
bind_fail_interval=-1
max_con_rate=-1
max_copies=-1
con_rate_offline=-1
failrate_cnt=40
failrate_interval=60
inherit_env=TRUE
tcp_trace=FALSE
tcp_wrappers=FALS
8.
# inetadm -M tcp_trace=TRUE
9.
11-38
local0.notice<TAB>/var/log/local0.log
2.
3.
4.
5.
6.
7.
Run the logger command from step 5 three times. Examine the
output from the tail command in the other window. How many
new messages appear in the /var/log/local0.log file?
8.
9.
11-39
local0.notice<TAB>@system2
2.
3.
4.
5.
6.
11-40
2.
3.
6.
7.
8.
9.
11-41
11-42
1.
2.
3.
4.
Preparation
This exercise requires installed manual (man) pages and two systems that
list each other in the /etc/hosts file. Verify that the CONSOLE variable is
commented out in the /etc/default/login file on both systems. Except
as noted otherwise, perform all steps on both systems. Refer to the lecture
notes as necessary to perform the steps listed.
Task Summary
Perform the following tasks:
11-43
# cd /etc
# cp syslog.conf syslog.conf.bak
2.
Display the man page for the inetd process, and verify the
facility and level used by the inetd process when you run the
process with the -tcptrace option.
# man inetd
Which facility and level pair is the inetd daemon using?
daemon.notice
11-44
4.
Open a new terminal window, and use the tail command to view
new entries as they are recorded in the /var/adm/messages file.
# tail -f /var/adm/messages
5.
# telnet host
Trying nnn.nnn.nnn.nnn...
Connected to host.
Escape character is '^]'.
login: root
Password:
Last login: Sat Nov 6 11:25:21 from sys-03
Sun Microsystems Inc.
SunOS 5.10
s10_68
SunOS gk 2004-09-20 [on10_68]
# exit
6.
Observe the window in which you are running the tail command.
Do any new telnet-related messages appear in the
/var/adm/messages file (yes or no)?
Before starting the inetd service with telnet tracing, no.
7.
Modify the inetd service, and change the default value of the
tcp_trace option to TRUE:
# inetadm -M tcp_trace=TRUE
11-45
Verify that the inetd daemon is running with the tracing option
enabled.
# inetadm -p
NAME=VALUE
bind_addr=""
bind_fail_max=-1
bind_fail_interval=-1
max_con_rate=-1
max_copies=-1
con_rate_offline=-1
failrate_cnt=40
failrate_interval=60
inherit_env=TRUE
tcp_trace=TRUE
tcp_wrappers=FALSE
9.
# touch /var/log/local0.log
3.
# tail -f /var/log/local0.log
11-46
Run the logger command from step 5 three times. Examine the
output from the tail command in the other window. How many
new messages appear in the /var/log/local0.log file?
One. The syslogd daemon will not report multiple instances of the same
message until a different message is logged, or the syslogd mark
interval is reached.
8.
Run the logger command with the crit level message instead of
the notice level message.
Which new messages appear in the /var/log/local0.log file?
A message indicating that the previous message was repeated a number of
times, and the new message, for example:
11-47
local0.notice<TAB>@system2
2.
# touch /var/log/local0.log
3.
Note If you did not already edit the /etc/syslog.conf file on the
system designated system2 from the previous task, do so now.
# tail -f /var/log/local0.log
5.
11-48
2.
3.
# tail -f /var/log/authlog
11-49
# rlogin system2
Password: xxxxxx
...
# exit
On system2, which message is displayed in the window running the
tail command?
A message similar to the following displays:
Mar 31 09:15:23 system2 login: [ID 254462 auth.notice] ROOT LOGIN
/dev/pts/7 FROM system2
On system1, does a new message display in the window running
the tail command (yes or no)?
No.
7.
# cd /etc/inet
# cp hosts hosts.bak
# vi hosts
8.
# rlogin system2
Password: xxxxxx
...
# exit
On system2, does a new message display in the window running
the tail command (yes or no)?
No.
On system1, which message is displayed in the window running the
tail command?
A message similar to the following displays:
Nov 06 09:34:46 system2 login: [ID 254462 auth.notice] ROOT LOGIN
/dev/pts/7 FROM system2
11-50
2.
3.
4.
11-51
Exercise Summary
Exercise Summary
!
?
11-52
Experiences
Interpretations
Conclusions
Applications
Module 12
The course map in Figure 12-1 shows how this module fits into the
current instructional goal.
Configuring
Name
Name
Services
Service Clients
Configuring
the Network
Information
Service (NIS)
12-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
Name
Server
Client
5
3
1
/etc/nsswitch.conf
Database
4
Local
File
/etc/hosts
Figure 12-2 Name Service Scenario
12-2
2.
The name service switch file instructs the client to first search the
local file for the information.
3.
When the information is not located in the local files, the clients
name service switch file redirects the search to a network name
server.
4.
The name server searches its database and locates the information.
5.
12-3
Nameless root
edu
com
acme
aus
mil
sun
eng
uk
corp
solaris
solaris.corp.sun.com
12-5
hosts.byaddr
hosts.byname
Note You can obtain a list of the full set of maps from an NIS-configured
system by running the ypwhich -m command.
NIS uses domains to define who can access the host names, user
information, and other administrative data in its namespace. However,
NIS does not use a domain hierarchy to store its data; therefore, the NIS
namespace is flat.
You cannot look up addresses on the Internet by using just NIS. However,
organizations that want to use NIS and also want to look up addresses on
the Internet can combine NIS with DNS. You can use NIS to manage all
local information and use DNS for Internet host lookup. The Solaris OS
also allows you to set up the /etc/nsswitch.conf file so that lookup
requests for hosts do the following:
Query DNS
Query DNS and then NIS, if the requests are not found by DNS
Query NIS and then DNS, if the requests are not found by NIS
12-6
12-7
12-8
Directory Entries
A directory server stores information in a Directory Information Tree
(DIT). Clients can query the directory server for information or make
changes to the information stored on the server.
The hierarchy of the directory tree structure is similar to that of the UNIX
file system. Entries are named according to their position in this tree
structure by a distinguished name (DN). The DN is similar to an absolute
path name in UNIX. A Relative Distinguished Name (RDN) is similar to a
relative path name in UNIX. As in the UNIX file system, sibling directory
entries must have unique RDNs.
A directory entry is composed of attributes that have a type and one or
more values. The syntax for each attribute defines the allowed values, or
the allowed data type of the attribute values, such as American Standard
Code for Information Interchange (ASCII) characters or a numerical data.
LDAP also defines how those values are interpreted during a directory
operation, for example, determining if a search or compare is case
sensitive.
Like the DNS namespace, LDAP names start with the least significant
component and proceed to the most significant; in other words, those just
below root. The DN is constructed by concatenating the sequence of
components up to the root of the tree.
Figure 12-4 shows an example of a Solaris LDAP Directory Information
Tree.
Directory Root
dc=suned, dc=com
ou = People
ou = Hosts
cn = John Jones
cn = mailserver
ou = Services
cn = telnet
12-9
DNS
NIS
NIS+
LDAP
Namespace
Hierarchical
Flat
Hierarchical
Hierarchical
Data storage
Files/resource
records
Two column
maps
Multicolumn tables
Directories
(varied)
Server types
Master/
slave/
caching only/
forwarding
Master/
slave
Root master/
non-root master/
replica
Master/
replica
Transport
IP
IP
IP
IP
Scale
Wide area
network (WAN)
Local area
network (LAN)
LAN
WAN
12-10
Local files
/etc/nsswitch.files
DNS
/etc/nsswitch.dns
NIS
/etc/nsswitch.nis
NIS+
/etc/nsswitch.nisplus
LDAP
/etc/nsswitch.ldap
/etc/nsswitch.nis:
An example file that could be copied over to /etc/nsswitch.conf; it
uses NIS (YP) in conjunction with files.
"hosts:" and "services:" in this file are used only if the
/etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
12-11
networks:
protocols:
rpc:
ethers:
netmasks:
bootparams:
publickey:
nis
nis
nis
nis
nis
nis
nis
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
netgroup:
nis
automount:
aliases:
files nis
files nis
files
files
files
files
files
files
files
files nis
files nis
files nis
The /etc/nsswitch.conf file includes a list of databases that are sources
of information about IP addresses, users, and groups. Data for these can
come from a variety of sources. For example, host names and host
addresses, are located in the /etc/inet/hosts file, NIS, NIS+, LDAP, or
DNS. Each database has zero or more sources; the sources and their
lookup order are specified in the /etc/nsswitch.conf file.
12-12
Database Sources
There is an entry in the /etc/nsswitch.conf file for each database. Some
typical examples of these entries are:
ipnodes: files
The information sources are listed in the order that they are searched, and
these sources are defined in Table 12-3.
Table 12-3 Information Sources
Information
Sources
Description
files
nisplus
nis
dns
ldap
user
There might be a single information source listed, in which case the search
terminates if the information is not found. If two or more sources are
listed, the first listed source is searched before moving on to the next
listed source. The relationships between these name service keywords,
when found in the nsswitch.conf file, is further explained in Table 12-4
on page 12-14 and Table 12-5 on page 12-14.
12-13
Status Codes
When multiple information sources are specified, it is sometimes
necessary to define precisely the circumstances under which each source
is searched. When a name service is referenced, the attempt to search this
source can return one of the following status codes, as shown in
Table 12-4.
Table 12-4 Status Message Codes
Status
Message
Meaning of Message
SUCCESS
UNAVAIL
NOTFOUND
TRYAGAIN
Actions
For each status code, two actions are possible, as shown in Table 12-5.
Table 12-5 Status Code Actions
12-14
Action
Meaning of Action
return
continue
SUCCESS = return
UNAVAIL = continue
NOTFOUND = continue
TRYAGAIN = continue
For example:
ipnodes:
files
In this example, the /etc/inet/ipnodes file is searched for the first entry
that matches the requested host name. If no matches are found, an
appropriate error is returned, and no further information sources are
searched.
Another example:
12-15
/var/adm/nscd.log
An example of an attribute, a cache name, and a value is:
enable-cache
hosts
no
# cat /etc/nscd.conf
#
# Copyright (c) 1994-2001 by Sun Microsystems, Inc.
12-16
1.6
01/01/26 SMI"
#
#
#
#
#
#
logfile
enable-cache
/var/adm/nscd.log
hosts
no
debug-level
positive-time-to-live
negative-time-to-live
suggested-size
keep-hot-count
old-data-ok
check-files
passwd
passwd
passwd
passwd
passwd
passwd
600
5
211
20
no
yes
positive-time-to-live
negative-time-to-live
suggested-size
keep-hot-count
old-data-ok
check-files
group
group
group
group
group
group
3600
5
211
20
no
yes
positive-time-to-live
negative-time-to-live
suggested-size
keep-hot-count
old-data-ok
check-files
hosts
hosts
hosts
hosts
hosts
hosts
3600
5
211
20
no
yes
positive-time-to-live
negative-time-to-live
suggested-size
keep-hot-count
old-data-ok
check-files
ipnodes
ipnodes
ipnodes
ipnodes
ipnodes
ipnodes
3600
5
211
20
no
yes
positive-time-to-live
negative-time-to-live
suggested-size
exec_attr
exec_attr
exec_attr
3600
300
211
12-17
exec_attr
exec_attr
exec_attr
20
no
yes
positive-time-to-live
negative-time-to-live
suggested-size
keep-hot-count
old-data-ok
check-files
prof_attr
prof_attr
prof_attr
prof_attr
prof_attr
prof_attr
3600
5
211
20
no
yes
positive-time-to-live
negative-time-to-live
suggested-size
keep-hot-count
old-data-ok
check-files
user_attr
user_attr
user_attr
user_attr
user_attr
user_attr
3600
5
211
20
no
yes
12-18
12-19
12-20
database
key
12-21
Preparation
If necessary, refer to your lecture notes to answer these exercise questions.
Tasks
Answer the following questions:
1.
2.
3.
4.
5.
Which file is referred to as the name service switch file, and why?
_________________________________________________________
_________________________________________________________
6.
If you decide to use the LDAP for name service resolution, which
template file would you use to create the name service switch file?
_________________________________________________________
_________________________________________________________
12-22
8.
12-23
Task Solutions
1.
2.
3.
4.
5.
Which file is referred to as the name service switch file, and why?
The /etc/nsswitch.conf file is referred to as the name service switch
file because the operating system uses it to determine where to go for any
information lookups. This file indicates whether DNS, NIS, NIS+, LDAP,
or local files are to be used for name service resolution. If more than one
name service is to be used, this file indicates the order in which these
services should be accessed.
6.
If you decide to use the LDAP for name service resolution, which
template file would you use to create the name service switch file?
/etc/nsswitch.ldap
7.
12-24
Exercise Summary
Exercise Summary
!
?
Experiences
Interpretations
Conclusions
Applications
12-25
Module 13
The course map in Figure 13-1 shows how this module fits into the
current instructional goal.
Configuring
Name
Name
Services
Service Clients
Configuring
the Network
Information
Service (NIS)
13-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
/etc/nsswitch.conf
13-2
In the Name Service window, select DNS as the name service, then
press Esc-2 to continue.
--Name Service---------On this screen you must provide name service information. Select the
name service that will be used by this system, or None if your system
will either not use a name service at all, or if it will use a name
service not listed here.
> To make a selection, use the arrow keys to highlight the option
and press Return to mark it [X].
Name service
[ ]
[ ]
[X]
[ ]
[ ]
NIS+
NIS
DNS
LDAP
None
Esc-2_Continue
2.
Esc-6_Help
In the Domain Name window, enter the DNS domain name to which
the client will belong and press Esc-2 to continue.
--Domain Name---------On this screen you must specify the domain where this system resides.
Make sure you enter the name correctly including capitalization and
punctuation.
Esc-2_Continue
Esc-6_Help
13-3
--DNS Server Addresses---------On this screen you must enter the IP address of your DNS server(s). You
must enter at least one address. IP addresses must contain four sets of
numbers separated by periods (for example 129.200.9.1).
Esc-2_Continue
4.
Esc-6_Help
In the DNS Search List window, enter search suffixes that will
supplement searches for names that are not fully qualified (names
that do not include a complete domain name), then press Esc-2 to
continue.
--DNS Search List---------On this screen you can enter a list of domains that will be searched when
a DNS query is made. If you do not enter any domains, DNS will only
search the DNS domain chosen for this system. The domains entered, when
concatenated, may not be longer than 250 characters.
Search
Search
Search
Search
Search
Search
domain: suned.sun.com
domain: training.sun.com
domain: classroom.sun.com
domain:
domain:
domain:
Esc-2_Continue
13-4
Esc-6_Help
Name service:
Domain name:
Server address(es):
Search domain(s):
Esc-2_Continue
DNS
suned.sun.com
192.168.30.61
suned.sun.com
training.sun.com
classroom.sun.com
Esc-4_Change
Esc-6_Help
domain
search
13-5
13-6
Client Authentication
An LDAP client must establish a session with an LDAP server. This
authentication process is known as binding. After a client is authenticated,
it can then perform operations, such as search and modify, on the data.
Authorization is the granting of access to controlled system resources.
Solaris OS LDAP clients have read-only access to name service data, such
as host names, email aliases, and net groups. Users have read-write access
to certain data, such as their own passwords. Privileged administrator
accounts have read-write access to other data. When finished, the client
unbinds, or closes, the session.
Details on how the client is authenticated and what data the client is
authorized to access is maintained on the LDAP server. To simplify
Solaris OS client setup and to avoid having to reenter the same
information for each and every client, a single client profile is created on
the directory server.
13-7
Client Initialization
The client profile and proxy account are created as part of the Sun Java
Directory Server setup procedures on the Solaris 10 OS. By default, the
client profile named default and the proxy account proxyagent are
created under a special profile directory entry.
When the Solaris LDAP client is initialized, a copy of the client profile is
retrieved from the server and stored on disk. On the LDAP client, the
ldap_cachemgr daemon is responsible for maintaining and updating the
changes to the client profile information. The ldap_cachemgr daemon
keeps a copy of the profile in memory and uses it when binding to the
server.
13-8
In the Name Service window, select LDAP as the name service, and
press Esc-2 to continue.
--Name Service---------On this screen you must provide name service information. Select the
name service that will be used by this system, or None if your system
will either not use a name service at all, or if it will use a name
service not listed here.
> To make a selection, use the arrow keys to highlight the option
and press Return to mark it [X].
Name service
[ ]
[ ]
[ ]
[X]
[ ]
NIS+
NIS
DNS
LDAP
None
Esc-2_Continue
Esc-6_Help
Note When you specify LDAP as the name service, the client host name
must exist in the ou=hosts container on the LDAP server.
2.
In the Domain Name window, enter the domain name where the
system is located and press Esc-2 to continue.
--Domain Name---------On this screen you must specify the domain where this system resides.
Make sure you enter the name correctly including capitalization and
punctuation.
Esc-2_Continue
Esc-6_Help
13-9
In the LDAP Profile window, enter the profile name and server IP
address, and press Esc-2 to continue.
--LDAP Profile---------On this screen you must specify the name of the LDAP profile to be used
to configure this system, as well as the IP address of the server that
contains the profile.
Esc-2_Continue
4.
Esc-6_Help
--Provide LDAP Proxy Bind Information---------If the profile you are using specifies a proxy credential level and the
authentication method is NOT none, provide LDAP proxy bind information.
> Use the arrow keys to select the option and press Return to
mark it [X].
Esc-2_Continue
13-10
Esc-6_Help
Name service:
Domain name:
Profile name:
Profile server IP address:
Specify LDAP Proxy Bind Information:
Esc-2_Continue
Esc-4_Change
LDAP
suned.sun.com
sunedprofile
192.168.0.1
No
Esc-6_Help
13-11
proxyPassword
proxyDN
domainname
192.168.0.100
13-12
13-13
more nsswitch.conf
An example file that could be copied over to /etc/nsswitch.conf; it
uses LDAP in conjunction with files.
"hosts:" and "services:" in this file are used only if the
/etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
ldap
ldap
ldap
ldap
ldap
ldap
ldap
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
netgroup:
ldap
automount:
aliases:
files ldap
files ldap
files
files
files
files
files
files
files
printers:
files ldap
13-15
13-16
13-17
Preparation
Refer to the lecture notes to perform the tasks listed. The instructors
system is configured as a DNS server and as an LDAP server for the
classroom network, using a domain name of suned.sun.com.
Tasks
Perform the following tasks:
13-18
Configure your system to use DNS, and verify that you can resolve
other systems in your domain.
Configure the system to be an LDAP client, and verify that you can
resolve other systems in the classroom network.
Preparation
Refer to the lecture notes to perform the tasks listed. The instructors
system is configured as a DNS server and as an LDAP server for the
classroom network, using a domain name of suned.sun.com.
Task Summary
Perform the following tasks:
Configure your system to use DNS and verify that you can resolve
other systems in your domain.
Configure the system to be an LDAP client and verify that you can
resolve other systems in the classroom network.
Tasks
Complete the following steps:
1.
2.
3.
a.
b.
Verify that you can access another system in the classroom by using
the ping command. First, use only the host name, and then use the
fully qualified domain name hostname.suned.sun.com.
13-19
5.
Verify the name service switch file has been updated with the LDAP
configuration.
6.
Verify that you can access another system in the classroom by using
the ping command.
7.
8.
9.
10. Verify the LDAP configuration has been removed from the name
service switch file.
13-20
Preparation
Refer to the lecture notes to perform the tasks listed. The instructors
system is configured as a DNS server and as an LDAP server for the
classroom network, using a domain name of suned.sun.com.
Task Summary
Perform the following tasks:
Configure your system to use DNS and verify that you can resolve
other systems in your domain.
Configure the system to be an LDAP client and verify that you can
resolve other systems in the classroom network.
13-21
# cp /etc/nsswitch.dns /etc/nsswitch.conf
2.
b.
# vi /etc/resolv.conf
Use vi to create the /etc/resolv.conf file, and insert the
following lines:
nameserver 192.168.30.30
domain suned.sun.com
3.
Verify that you can access another system in the classroom by using
the ping command. First, use only the host name, and then use the
fully qualified domain name, hostname.suned.sun.com.
# ping sys43
sys43 is alive
# ping sys43.suned.sun.com
sys43.suned.sun.com is alive
4.
Verify the name service switch file has been updated with the LDAP
configuration.
# more /etc/nsswitch.conf
6.
Verify that you can access another system in the classroom by using
the ping command.
7.
# ping sys43
sys43 is alive
# ldaplist
13-22
# ldaplist hosts
9.
# ldapclient -v uninit
10. Verify the LDAP configuration has been removed from the name
service switch file.
# more /etc/nsswitch.conf
13-23
Exercise Summary
Exercise Summary
!
?
13-24
Experiences
Interpretations
Conclusions
Applications
Module 14
Troubleshoot NIS
The course map in Figure 14-1 shows how this module fits into the
current instructional goal.
Configuring
Name
Name
Services
Service Clients
Configuring
the Network
Information
Service (NIS)
14-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
Master
Server
Maps
Slave
Server
Maps
Push
make
ASCII
Files
Lookup
Client
Client
Lookup
Client
Client
14-2
map
key
pag
dir
Sometimes searches are made using names. At other times, searches may
be performed using an ID number. It is worth noting that searches can be
forced to occur on the appropriate NIS map file. For example:
# ypmatch -k chris passwd.byname
chris: chris:MWnTvQ5PGuiYo:100:1::/export/home/chris:/usr/bin/ksh
# ypmatch -k chris passwd.byuid
Cant match key chris in map passwd.byuid. Reason: no such key in map.
# ypmatch -k 100 passwd.byuid
100: chris:MWnTvQ5PGuiYo:100:1::/export/home/chris:/usr/bin/ksh
14-3
# ypcat hosts
192.168.30.30
192.168.30.30
127.0.0.1
192.168.30.30
192.168.30.41
192.168.30.34
NIS Domains
An NIS domain is a collection of hosts and interconnecting networks that
are organized into a single administrative authority. NIS uses domains to
arrange the hosts, users, and networks in its namespace. An NIS
namespace does not use a domain hierarchy. Each NIS domain contains:
NIS clients
14-4
Contains the original source ASCII files used to build the NIS maps
Do not contain the original source ASCII files used to build the NIS
maps
Contain copies of the NIS maps copied from the NIS master server
NIS Clients
Within each domain, the NIS clients:
Do not contain the original source ASCII files used to build the NIS
maps
Note All hosts in the NIS environment are clients. All NIS clients that
are configured as NIS master server and NIS slave servers contain copies
of the NIS maps to support the server function.
14-5
NIS Processes
The main daemons involved in the running of an NIS domain are:
Daemons
ypserv
ypbind
rpc.yppasswdd
ypxfrd
rpc.ypupdated
Daemons
ypserv
ypbind
Master
Server
Slave
Server
Maps
Maps
Push
make
ASCII
Files
Lookup
Client
ypbind
Lookup
Client
Client
ypbind ypbind
14-6
Client
ypbind
14-7
14-8
cat /etc/nsswitch.nis
/etc/nsswitch.nis:
An example file that could be copied over to /etc/nsswitch.conf; it
uses NIS (YP) in conjunction with files.
"hosts:" and "services:" in this file are used only if the
/etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# the following two lines obviate the "+" entry in /etc/passwd and
/etc/group.
passwd:
files nis
group:
files nis
# consult /etc "files" only if nis is down.
hosts:
nis [NOTFOUND=return] files
# Note that IPv4 addresses are searched for in all of the ipnodes
databases
# before searching the hosts databases.
ipnodes:
nis [NOTFOUND=return] files
networks:
protocols:
rpc:
ethers:
netmasks:
bootparams:
publickey:
nis
nis
nis
nis
nis
nis
nis
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
netgroup:
nis
automount:
aliases:
files nis
files nis
files
files
files
files
files
files
files
14-9
files nis
user files nis
auth_attr:
prof_attr:
project:
files nis
files nis
files nis
The name service switch file is a database list. Each entry is followed by
ordered lists of information that help locate specific information from the
respective databases. Although you can customize the nsswitch.conf
file to specify any search order, the most common search orders are:
files
files
files
files
files
files
files
files
nis
nis
nis
nis
nis
nis
nis
nis
Using the passwd database as an example, the entry states that user
information lookup is performed first by using the /etc/passwd and
/etc/shadow files. If the information does not exist in these local files,
then the password lookup requests search the NIS maps on the NIS
server.
14-10
nis
nis
nis
nis
nis
nis
nis
nis
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
files
files
files
files
files
files
files
files
Using the hosts database as an example, the entry states that hosts
lookup requests first search the NIS maps on the NIS server. If these maps
do not contain the information, then the hosts lookup requests search the
/etc/inet/hosts file on the client system.
To further define this search, use a status message and a name service
switch action option. The [NOTFOUND=return] condition works as
follows:
If you get a no such entry response from the NIS maps, it indicates
that the NOTFOUND condition is configured with the return action,
which causes the system to stop looking for the information.
Therefore, when the entry is not found in the NIS map file, stop the
search.
The NIS client requests information from the NIS server as usual. If the
information is not found, the NIS client requests the information from the
DNS server directly. The NIS client is configured as a DNS client so that it
can request the information directly from the DNS server. Therefore, you
do not need to configure the Makefile file. Using this method, you can
configure the hosts database information source in the
/etc/nsswitch.conf file to recognize both NIS and DNS.
14-11
nis dns
Figure 14-4 shows the process of searching NIS and DNS namespaces. If
the information is not located in the NIS namespace, the NIS server
returns a status of NOTFOUND. In the name service switch, the default
action for the NOTFOUND status is to continue the search with the next
listed information source. In this case, the next information source is DNS;
therefore, the client requests the information from the DNS namespace.
NIS Client
NIS Server
DNS Server
Time
1
2
3
4
14-12
127.0.0.1
The following example describes a securenets file
where:
14-13
14-14
14-15
where your-choice is the name of the directory that you are using to
store the source files. This process enables you to keep the local files on
the server separate from those files used for NIS.
Caution Before you make any modifications to the /var/yp/Makefile
file, save a copy of the original Makefile file.
14-16
/
etc
hosts
passwd
shadow
defaultdomain
...
yp_dir
hosts
passwd
shadow
...
14-17
/
var
yp
*.time
Makefile
...
domainname
hosts.byaddr.dir
hosts.byaddr.pag
.
.
.
NIS Maps
binding
domainname
ypservers
Figure 14-6 Important Files on the NIS Master (Part 2)
The /var/yp directory contains a subdirectory named after the NIS
domain name. This domainname directory is the repository for the NIS
maps created by the ypinit script. The /var/yp/binding/domainname
directory contains the ypservers file where the names of the NIS master
server and NIS slave servers are stored.
14-18
/
usr
lib
netsvc
yp
ypstop
ypstart
Figure 14-7 Important Files on the NIS Master (Part 3)
14-19
14-20
1.
2.
# domainname domainname
For example:
# domainname classroom.Central.Sun.COM
4.
5.
If the files do not already exist, use the touch command to create
zero-length files with the following names: /etc/ethers,
/etc/bootparams, /etc/locale, /etc/timezone, /etc/netgroup,
and /etc/netmasks. These files are necessary for the creation of the
complete set of NIS maps as directed in the Makefile file. When you
initialize NIS, you receive error messages for each of these files if
they do not exist.
6.
Note The lab at the end of this module shows you how to create the
updated Makefile file.
7.
domainname
Create or populate the /etc/locale file, and make an entry for each
domain on your network using the following format:
locale
For example:
classroom.Central.Sun.COM
en_US
14-21
Initialize the master server by using the local /etc files. Enter the
ypinit -m command.
# ypinit -m
9.
a.
When the program prompts you for a list of slave servers and
after you complete your list, press Control-D. You can make
entries for all slaves now, or you can rerun the ypinit -m
command after you determine whether you need more or less
slave servers.
b.
# ypinit -m
In order for NIS to operate successfully, we have to construct a list of
the NIS servers. Please continue to add the names for YP servers in order
of preference, one per line. When you are done with the list, type a
<control D> or a return on a line by itself.
next host to add: server1
next host to add: <Control-D>
The current list of yp servers looks like this:
server1
Is this correct? [y/n: y] y
Installing the YP database will require that you answer a few questions.
Questions will all be asked at the beginning of the procedure.
Do you want this procedure to quit on non-fatal errors? [y/n: n] n
OK, please remember to go back and redo manually whatever fails. If you
don't, some part of the system (perhaps the yp itself) won't work.
Note If you have to restart the ypinit program, you are prompted to
destroy the /var/yp/domainname directory. Answer y.
10. Start the NIS daemons on the master server with the following
command:
# svcadm enable svc:/network/nis/server:default
11. If you want to stop the NIS service running on the NIS master,
perform the command:
# svcadm disable svc:/network/nis/server:default
14-22
ypmatch
ypwhich
14-23
Edit the /etc/inet/hosts file to ensure that the NIS master server
and all slave servers have been defined.
2.
# domainname domainname
For example:
# domainname classroom.Central.Sun.COM
14-24
4.
5.
When the system prompts you for a list of NIS servers, enter the
names of the NIS master and all slave servers.
6.
# ypinit -c
Note To exit the ypinit command without building a specific list of NIS
servers, press Control-D. The client then broadcasts to bind the first
available server during subsequent ypbind operations. When not
operating in broadcast mode, clients can only bind to servers that are
listed in their /var/yp/binding/domainname/ypservers file.
7.
# ypwhich -m
The output shows a list of maps together with the NIS master server
for each map.
Edit the /etc/inet/hosts file to ensure that the NIS master and all
NIS slave servers have been defined.
2.
# domainname domainname
For example:
# domainname classroom.Central.Sun.COM
3.
4.
# ypinit -c
Configuring the Network Information Service (NIS)
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
14-25
When the system prompts for a list of NIS servers, enter the NIS
master host followed by the name of the local host and all other NIS
slave servers on the local network.
6.
7.
Return to the proposed NIS slave system, and enter the ypstart
command to start the ypbind daemon.
# ypinit -s master
where master is the name of the NIS master.
Note If you did not add the name of the NIS slave server when you
initially configured the NIS master server using the ypinit command,
enter the ypinit -m command once more on the NIS master server. In the
process of updating the NIS master, the script prompts you for
confirmation when it is about to destroy the existing domain database.
Confirm by entering y.
10. Before starting the ypserv daemon on the slave server, stop the
client with the command:
# svcadm disable svc:/network/nis/client:default
11. When the NIS server is started, it also starts the ypbind client
daemon.
# svcadm enable svc:/network/nis/server:default
12. To test NIS client functionality on the newly configured NIS slave
server, perform the command:
# ypwhich -m
The output shows a list of maps together with the NIS master server
for each map.
14-26
Update the text files in your source directory (typically, /etc, unless
it was changed in the Makefile file).
2.
3.
# cd /var/yp
# /usr/ccs/bin/make
Slave
Server
Master
Server
Maps
Maps
Push
Update
ASCII
Files
Lookup
Client
yppasswd
Lookup
Client
Client
Client
passwd
14-27
$ passwd
Changing NIS password for user1 on server1.
Old password:
New password:
Retype new password:
NIS entry changed on server1
# vi /etc/timezone
2.
# cd /var/yp; /usr/ccs/bin/make
a.
If the push from the master server fails, the following command
runs on the slave server and manually pulls only the
timezone map from the master server.
# /usr/lib/netsvc/yp/ypxfr timezone.byname
b.
To pull all of the maps from the master server at once, perform
the command:
# ypinit -s nis_master
14-28
/usr/lib/netsvc/yp/ypxfr_1perhour
Slave
Server
Master
Server
Maps
Maps
Pull
Lookup
Client
Client
Lookup
Client
Client
14-29
-xv
group.byname
group.bygid
protocols.byname
protocols.bynumber
networks.byname
networks.byaddr
services.byname
ypservers
Advanced System Administration for the Solaris 10 Operating System
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
-xv
hosts.byname
hosts.byaddr
ethers.byaddr
ethers.byname
netgroup
netgroup.byuser
netgroup.byhost
mail.aliases
14-31
Building Targets
The make utility receives its instructions from the Makefile file. The
Makefile file uses variable definitions (called macros), targets, and
dependencies.
You can use macros as variables, similar to those used in a shell script.
You must define a macro at the beginning of the Makefile file. Prefix the
name of the macro with a dollar sign ($) when using it throughout the
Makefile file.
The make utility builds targets. Targets need dependencies. Dependencies
can represent other targets that must be completely built before the
original target is considered made. This structure enables you to nest
the target and dependency pairs to an arbitrary depth, letting you build
complex hierarchical code structures.
When making NIS maps, you should keep the target and dependency
relationship very basic.
14-32
14-33
Note The fourth section of the Makefile file is covered before the third
section, because the fourth section continues the dependency thread
introduced by the all target.
The entry in the fourth section of the Makefile file for each of the
dependencies in the all target is:
passwd: passwd.time
group: group.time
project: project.time
hosts: hosts.time
ipnodes: ipnodes.time
ethers: ethers.time
networks: networks.time
rpc: rpc.time
services: services.time
protocols: protocols.time
netgroup: netgroup.time
bootparams: bootparams.time
aliases: aliases.time
publickey: publickey.time
netid: netid.time
passwd.adjunct: passwd.adjunct.time
group.adjunct: group.adjunct.time
netmasks: netmasks.time
timezone: timezone.time
auto.master: auto.master.time
14-34
14-35
14-36
Instructions that begin with the at (@) sign are not echoed to the
terminal screen. Removing the @ sign is useful for debugging new
instructions.
14-37
Troubleshooting NIS
Troubleshooting NIS
If only one or two clients are experiencing symptoms that indicate NIS
binding difficulty, the problems are probably on those clients. If many NIS
clients are failing to bind properly, the problem probably exists on one or
more of the NIS servers.
No Server Available
If your domain name is set correctly, the ypbind daemon is running, and
you get messages indicating that the client cannot communicate with a
server, it can indicate a number of different problems:
14-38
Troubleshooting NIS
If the client does not have a server on the subnet or have a route
to one, install a new slave server on that subnet.
14-39
Troubleshooting NIS
Server Malfunction
Make sure the servers are up and running. If you are not physically near
the servers, use the ping NIS_server command.
Note Do not use the -f option with the ps command, because this
option attempts to translate user IDs into names, which causes more name
service lookup requests that might not succeed.
If either the ypbind or ypserv daemons are not running, stop and then
restart the NIS services by performing the commands:
# svcadm disable network/nis/server:default
# svcadm enable network/nis/server:default
14-40
Troubleshooting NIS
If both the ypserv and ypbind processes are running on the NIS server,
and the ypwhich command does not respond, the ypserv process has
probably hung. You must restart the process. Log in as root on the server,
and kill the ypserv process.
# pkill ypserv
Start the ypserv process by restarting the NIS services. Perform the
commands:
# svcadm disable network/nis/server:default
# svcadm enable network/nis/server:default
14-41
Troubleshooting NIS
If the domain name returned by running the domainname command on a
client is not the same as the server domain name listed as a directory in
the /var/yp directory, the domain name specified in the clients
/etc/defaultdomain file is incorrect. Log in as superuser, and correct the
clients domain name in the clients /etc/defaultdomain file to ensure
that the domain name is correct every time the machine boots. Then
reboot the machine.
Note The domain name is case sensitive.
14-42
14-43
An NIS client
Preparation
Choose two partners for this lab, and determine which systems to
configure as the NIS master server, the NIS slave server, and the NIS
client.
NIS_master: ____________________________________
NIS_slave: _____________________________________
NIS_client: _____________________________________
domainname: _____________________________________
On all systems, verify that the entries for all three hosts exist in the
/etc/hosts file. Refer to your lecture notes as necessary to perform the
steps listed.
14-44
Tasks
Perform the following tasks:
Create and configure an NIS slave server. Set the NIS domain name
to be the same as in the NIS master. Use the ypinit -c command to
configure the system as an NIS client. Configure the
/etc/nsswitch.conf file for NIS, and start the NIS client daemons.
Use the ypinit -s command to configure the system as an NIS
slave server. Stop and restart the NIS daemons. Verify the list of
servers found in the ypservers map.
Create and configure an NIS client system. Set the NIS domain name
to be the same as in the NIS master. Use the ypinit -c command to
configure the system as an NIS client. Configure the
/etc/nsswitch.conf file for NIS, and start the NIS client daemons.
Test the configuration with the ypwhich command.
Test the dynamic rebind feature by stopping the NIS services on the
NIS master server. Monitor the NIS client with the ypwhich
command, and observe when the client binds to the slave server.
Start the NIS services on the NIS master.
Test if the new users can log in on all three systems. Verify that their
home directories automatically mount. Verify that the man pages are
available through the automount service on all three systems.
14-45
An NIS client
Preparation
Choose two partners for this lab, and determine which systems to
configure as the NIS master server, the NIS slave server, and the NIS
client.
NIS_master: ____________________________________
NIS_slave: _____________________________________
NIS_client: _____________________________________
domainname: _____________________________________
On all systems, verify that entries for all three hosts exist in the
/etc/hosts file. Refer to your lecture notes as necessary to perform the
steps listed.
14-46
Task Summary
Perform the following tasks:
Create and configure an NIS slave server. Set the NIS domain name
to be the same as in the NIS master. Use the ypinit -c command to
configure the system as an NIS client. Configure the
/etc/nsswitch.conf file for NIS and start the NIS client daemons.
Use the ypinit -s command to configure the system as an NIS
slave server. Stop and restart the NIS daemons. Verify the list of
servers found in the ypservers map.
Create and configure an NIS client system. Set the NIS domain name
to be the same as in the NIS master. Use the ypinit -c command to
configure the system as an NIS client. Configure the
/etc/nsswitch.conf file for NIS, and start the NIS client daemons.
Test the configuration with the ypwhich command.
Test the dynamic rebind feature by stopping the NIS services on the
NIS master server. Monitor the NIS client with the ypwhich
command, and observe when the client binds to the slave server.
Start the NIS services on the NIS master.
Test if the new users can log in on all three systems. Verify that their
home directories automatically mount. Verify that the man pages are
available through the automount service on all three systems.
14-47
Tasks
This section describes how to create and test the NIS master server, slave
server, and client. Perform the following tasks.
2.
3.
Verify that the /etc/hosts file contains entries for the systems that
will become the NIS slave server and the NIS client.
4.
Select a name to use as your NIS domain name. Set it by using the
domainname command.
5.
6.
7.
8.
9.
14-48
a.
b.
Check if the mountd and nfsd NFS server daemons are running.
c.
If the NFS server daemons are not running, start them. The
directory listed in /etc/dfs/dfstab will be automatically
shared.
d.
b.
Enter the name of the system that you want to use as an NIS
slave server. Press Control-D when the list is complete.
c.
14-49
Verify that the /etc/hosts file contains entries for the NIS master
server and that the system that will become the NIS client.
2.
Set the NIS domain for this system by using the domainname
command.
3.
4.
b.
When prompted for a list of NIS servers, enter the name of the
NIS master server followed by the name of the local host (which
subsequently becomes a slave server). Press ControlD to
terminate the list.
5.
6.
7.
Verify that this system is using NIS and is bound to the NIS master
by using the ypwhich command.
8.
Initialize the system as an NIS slave. Indicate that you do not want
the ypinit command to quit on nonfatal errors.
The ypinit command then proceeds to retrieve the required maps
from the master server.
If the initialization process is successful, the ypinit command
displays a message that indicates that the NIS database was set up
without any errors.
Note If you did not add the name of the NIS slave server when you
initially configured the NIS master, this process might fail. To correct the
problem, enter the ypinit -m command once more on the NIS master,
and add the slave servers host name. In the process of updating the NIS
master, the script prompts you for confirmation when it is about to
destroy the existing domain database. Confirm by typing y. Then,
initialize the slave server again.
9.
14-50
Note The output of the ypwhich command should include the name of
each map it provides to the NIS domain and include the name of the
master server that controls the maps.
11. List the ypservers map known to the local domain. The output
should include the names of the master and slave servers.
Verify that the /etc/hosts file contains entries for the NIS master
and slave servers.
2.
Set the NIS domain for this system using the domainname command.
3.
4.
b.
Enter the name of the NIS master server and the NIS slave
server (in order of preference), and press Control-D to terminate
the list.
5.
6.
7.
Verify that this system is using NIS by using the ypwhich command.
14-51
Confirm that the NIS client is bound to the NIS master server by
using the ypwhich command.
Note The output should list the name of the NIS master server.
2.
Test the clients ability to bind to the NIS slave server when the
master becomes unavailable:
Note This process only works if you entered the names of both the NIS
master and the NIS slave servers when you set up the client system by
using the ypinit -c command. The NIS client searches only for servers
listed in the /var/yp/binding/domainname/ypservers file, which the
ypinit -c command creates.
a.
b.
3.
14-52
On the NIS master server, edit the /var/yp/Makefile file, and make
the following changes:
a.
all: passwd group hosts ipnodes ethers networks rpc services protocols
netgroup bootparams aliases publickey netid netmasks c2secure
timezone auto.master auto.home
auth.attr exec.attr prof.attr user.attr audit.user auto.direct
b.
Add entries for the new map in the fourth section of the
/var/yp/Makefile file. Place a corresponding entry for
auto.direct and auto_direct below the entries for
auto.home and auto_home; for example:
auto.master: auto.master.time
auto.home: auto.home.time
auto.direct: auto.direct.time
$(DIR)/auto_master:
$(DIR)/auto_home:
$(DIR)/auto_direct:
c.
In the third section of the Makefile file, add the code required
to build the auto_direct map. Duplicate the lines associated
with auto.home, and substitute auto.direct or auto_direct
for each instance of auto.home or auto_home in that code. The
result should look like this:
auto.direct.time: $(DIR)/auto_direct
-@if [ -f $(DIR)/auto_direct ]; then \
sed -e "/^#/d" -e s/#.*$$// $(DIR)/auto_direct \
| $(MAKEDBM) - $(YPDBDIR)/$(DOM)/auto.direct; \
touch auto.direct.time; \
echo "updated auto.direct"; \
if [ ! $(NOPUSH) ]; then \
$(YPPUSH) auto.direct; \
echo "pushed auto.direct"; \
else \
: ; \
fi \
else \
echo "couldn't find $(DIR)/auto_direct"; \
fi
d.
14-53
3.
/usr/share/man
-nosuid
master_server:/usr/share/man2
4.
5.
6.
7.
9.
10. On the NIS slave server, use the ypxfr command to transfer the
auto.direct map for the first time.
11. On the NIS master server, update the NIS maps again by running the
make command. This time the make command should complete
successfully.
12. On all three hosts, use the init 6 command to reboot.
13. Verify that you can use the user accounts you created earlier to log in
to the NIS slave server and in to the NIS client.
14. On the NIS slave and NIS client, verify that your home directory
automatically mounts from the NIS master server.
15. On all systems, attempt to access the /usr/share/man directory by
using the man command.
If the content of the man page for the ls command is displayed,
your configuration of the direct map in NIS is correct.
14-54
An NIS client
Preparation
Choose two partners for this lab, and determine which systems to
configure as the NIS master server, the NIS slave server, and the NIS
client.
NIS_master: ____________________________________
NIS_slave: _____________________________________
NIS_client: _____________________________________
domainname: _____________________________________
On all systems, verify that entries for all three hosts exist in the
/etc/hosts file. Refer to your lecture notes as necessary to perform the
steps listed.
14-55
Task Summary
Perform the following tasks:
14-56
Create and configure an NIS slave server. Set the NIS domain name
to be the same as in the NIS master. Use the ypinit -c command to
configure the system as an NIS client. Configure the
/etc/nsswitch.conf file for NIS and start the NIS client daemons.
Use the ypinit -s command to configure the system as an NIS
slave server. Stop and restart the NIS daemons. Verify the list of
servers found in the ypservers map.
Create and configure an NIS client system. Set the NIS domain name
to be the same as in the NIS master. Use the ypinit -c command to
configure the system as an NIS client. Configure the
/etc/nsswitch.conf file for NIS, and start the NIS client daemons.
Test the configuration with the ypwhich command.
Test the dynamic rebind feature by stopping the NIS services on the
NIS master server. Monitor the NIS client with the ypwhich
command, and observe when the client binds to the slave server.
Start the NIS services on the NIS master.
Test if the new users can log in on all three systems. Verify that their
home directories automatically mount. Verify that the man pages are
available through the automount service on all three systems.
# cd /var/yp
# cp Makefile Makefile.orig
2.
3.
Verify that the /etc/hosts file contains entries for the systems that
will become the NIS slave server and the NIS client.
4.
Select a name to use as your NIS domain name. Set it by using the
domainname command.
# domainname yourdomain
# cd /etc
# domainname > defaultdomain
6.
14-57
your_timezone
yourdomain
Note Replace your_timezone time zone with your local time zone and
yourdomain with your own domain name. To see an example of a time
zone entry, cat the /etc/TIMEZONE file.
# cat /etc/timezone
US/Mountain
suned.sun.com
8.
-nosuid,nobrowse
-nobrowse
14-58
Check if the mountd and nfsd NFS server daemons are running.
If the NFS server daemons are not running, start them. The
directory listed in /etc/dfs/dfstab will be automatically
shared.
# shareall
11. Create one user account for each member of your lab team.
Note Create their respective home directories in /export/home; for
example: /export/home/user1 for user1, /export/home/user2 for
user2, and so on. If you use the Solaris Management Console application
to create the user accounts, the account is configured to use the
automount command, and the /export/home/user1 directory is
translated to the /home/user1 directory.
# mkdir -p /export/home/user1
# useradd -d /export/home/user1 user1
# chown -R user1 /export/home/user1
12. Create a password for each new user account.
# passwd user1
New Password:
Re-enter new Password:
passwd: password successfully changed for user1
14-59
# ypinit -m
The ypinit command lists the current system as an NIS server,
and then prompts you for the next host to add as an NIS slave
server.
b.
Enter the name of the system that you want to use as an NIS
slave server. Press Control-D when the list is complete.
14-60
Verify that the /etc/hosts file contains entries for the NIS master
server and that the system that will become the NIS client.
2.
Set the NIS domain for this system by using the domainname
command.
# domainname yourdomain
Note Replace yourdomain with the NIS domain name you used to set
up the NIS master server.
3.
# cd /etc
# domainname > defaultdomain
4.
b.
When prompted for a list of NIS servers, enter the name of the
NIS master server followed by the name of the local host (which
subsequently becomes a slave server). Press ControlD to
terminate the list.
# ypinit -c
14-61
Start the NIS server and client daemons if they were not running.
Verify that this system is using NIS and is bound to the NIS master
by using the ypwhich command.
9.
# ypwhich
# ypinit -s master_server
Indicate that you do not want the ypinit command to quit on
nonfatal errors.
...quit on nonfatal errors? [y/n: n] n
The ypinit command then proceeds to retrieve the required maps
from the master server.
Transferring
Transferring
Transferring
Transferring
...
...
audit_user...
user_attr...
prof_attr...
exec_attr...
14-62
Note If you did not add the name of the NIS slave server when you
initially configured the NIS master, this process might fail. To correct the
problem, enter the ypinit -m command once more on the NIS master,
and add the slave servers host name. In the process of updating the NIS
master, the script prompts you for confirmation when it is about to
destroy the existing domain database. Confirm by typing y. Then,
initialize the slave server again.
10. Stop and restart the NIS daemons on the slave server.
# svcadm disable network/nis/server:default
# svcadm enable network/nis/server:default
11. On the newly configured NIS slave server, test the NIS functionality
by entering the following commands:
# ypwhich -m
# ypcat hosts
Note The output of the ypwhich command should include the name of
each map it provides to the NIS domain and include the name of the
master server that controls the maps.
12. List the ypservers map known to the local domain. The output
should include the names of the master and slave servers.
# ypcat -k ypservers
master_server
slave_server
Verify that the /etc/hosts file contains entries for the NIS master
and slave servers.
2.
Set the NIS domain for this system using the domainname command.
# domainname yourdomain
Note Replace yourdomain with the NIS domain name you used to set
up the NIS master server.
14-63
# cd /etc
# domainname > defaultdomain
4.
b.
Enter the name of the NIS master server and the NIS slave
server (in order of preference), and press Control-D to terminate
the list.
# ypinit -c
# cd /etc
# cp nsswitch.nis nsswitch.conf
6.
Verify that this system is using NIS by using the ypwhich command.
# ypwhich -m
Confirm that the NIS client is bound to the NIS master server by
using the ypwhich command.
# ypwhich
master_server
Note The output should list the name of the NIS master server.
14-64
Test the clients ability to bind to the NIS slave server when the
master becomes unavailable:
Note This process only works if you entered the names of both the NIS
master and the NIS slave servers when you set up the client system by
using the ypinit -c command. The NIS client searches only for servers
listed in the /var/yp/binding/domainname/ypservers file, which the
ypinit -c command creates.
a.
# ypwhich
3.
14-65
On the NIS master server, edit the /var/yp/Makefile file, and make
the following changes:
a.
all: passwd group hosts ipnodes ethers networks rpc services protocols \
netgroup bootparams aliases publickey netid netmasks c2secure \
timezone auto.master auto.home \
auth.attr exec.attr prof.attr user.attr audit.user auto.direct
b.
Add entries for the new map in the fourth section of the
/var/yp/Makefile file. Place a corresponding entry for
auto.direct and auto_direct below the entries for
auto.home and auto_home; for example:
auto.master: auto.master.time
auto.home: auto.home.time
auto.direct: auto.direct.time
$(DIR)/auto_master:
$(DIR)/auto_home:
$(DIR)/auto_direct:
c.
In the third section of the Makefile file, add the code required
to build the auto_direct map. Duplicate the lines associated
with auto.home, and substitute auto.direct or auto_direct
for each instance of auto.home or auto_home in that code. The
result should look like this:
auto.direct.time: $(DIR)/auto_direct
-@if [ -f $(DIR)/auto_direct ]; then \
sed -e "/^#/d" -e s/#.*$$// $(DIR)/auto_direct \
| $(MAKEDBM) - $(YPDBDIR)/$(DOM)/auto.direct; \
touch auto.direct.time; \
echo "updated auto.direct"; \
if [ ! $(NOPUSH) ]; then \
$(YPPUSH) auto.direct; \
echo "pushed auto.direct"; \
else \
: ; \
fi \
else \
echo "couldn't find $(DIR)/auto_direct"; \
fi
d.
14-66
3.
/usr/share/man
4.
-nosuid
master_server:/usr/share/man2
# mv /usr/share/man /usr/share/man2
5.
# vi /etc/dfs/dfstab
share -o ro /usr/share/man2
6.
7.
# shareall
Note If the daemons are already running, perform the svcadm command
to stop them.
9.
# cd /var/yp
# /usr/ccs/bin/make
updated netid
pushed netid
updated auto.master
pushed auto.master
updated auto.direct
<Control-C>
*** auto.direct.time removed.
#
The make command hangs when it tries to push the new
auto.direct map to the slave server. Press Control-C to stop the
make command when this happens.
14-67
14-68
Exercise Summary
Exercise Summary
!
?
Experiences
Interpretations
Conclusions
Applications
14-69
Module 15
Introduction to Zones
Objectives
This module introduces the zones software partitioning technology, a new
feature included in the Solaris 10 Operating System (Solaris 10 OS).
Upon completion of this module, you should be able to:
Configure zones
Install zones
Boot zones
The following course map shows how this module fits into the current
instructional goal.
Configure
Custom
JumpStart
Perform a
Flash
Installation
15-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
15-2
Resource Sharing
Zones allow the root user of the global zone to dedicate system resources
to individual zones. Each zone maintains their own root password and
user information, separate from other zones and the global system. Each
zone exists with separate process and file system space, and can only
monitor and interact with local processes. A single processor and single
disk system can support several zones, each with separate resources,
users, and process space as shown in Figure 15-2.
Introduction to Zones
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
15-3
Zone Features
15-4
Zone Concepts
Zone Concepts
You must understand the following concepts to understand the Solaris
Zones software partitioning technology:
Zone types
Zone daemons
Zone networking
Zone states
Zone Types
The Solaris Operating System supports two types of zones:
Global zone
Non-global zone
Global Zones
Every Solaris system contains a global zone (Figure 15-2 on page 15-3).
The global zone has two functions. The global zone is both the default
zone for the system and the zone used for system-wide administrative
control. The global zone is the only zone from which a non-global zone
can be configured, installed, managed, or uninstalled. All processes run in
the global zone if no non-global zones are created by the global
administrator.
Only the global zone is bootable from the system hardware.
Administration of the system infrastructure, such as physical devices,
routing, or dynamic reconfiguration (DR), is only possible in the global
zone. Additionally, the global zone contains a complete installation of the
Solaris system software packages. It can contain additional software not
installed through packages.
Introduction to Zones
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
15-5
Zone Concepts
The global zone is the only zone from which a non-global zone can be
configured, installed, managed, or uninstalled. Appropriately privileged
processes running in the global zone can access objects associated with
other zones. Unprivileged processes in the global zone might be able to
perform operations not allowed to privileged processes in a non-global
zone. For example, users in the global zone can view information about
every process in the system. If this capability presents a problem for your
site, you can restrict access to the global zone.
The global zone provides a complete database containing information
about all installed components. It holds configuration information specific
to the global zone only, such as the global zone host name and file system
table. The global zone is the only zone that is aware of all devices and all
file systems.
Each zone, including the global zone, is assigned a zone name. The global
zone always has the name global. Each zone is also given a unique
numeric identifier, which is assigned by the system when the zone is
booted. The global zone is always mapped to zone ID 0.
Non-Global Zone
The non-global zones contain an installed subset of the complete Solaris
Operating System software packages. They can also contain Solaris
software packages shared from the global zone and additional installed
software packages not shared from the global zone. Non-global zones can
contain additional software created on the non-global zone that are not
installed through packages or shared from the global zone.
The non-global zones share operation under the Solaris kernel booted
from the global zone. They are assigned a non-zero zone ID by the system
when the zone is booted and must have a user defined name.
The non-global zone is not aware of the existence of any other zones. It
cannot install, manage, or uninstall itself or any other zones.
15-6
Zone Concepts
Zone Daemons
The system uses two daemons to control zone operation: zoneadmd and
zsched.
The zoneadmd daemon is the primary process for managing the zones
virtual platform. There is one zoneadmd process running for each active
(ready, running, or shutting down) zone on the system.
The zoneadmd daemon is responsible for:
Introduction to Zones
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
15-7
Zone Concepts
By default, the directories /lib, /platform, /sbin, and /usr are
mounted in this manner. An example of shared file systems is shown in
Figure 15-3.
/
sbin
usr
export
etc
var
zones
sbin
usr
zonea
zoneb
zonec
etc
sbin
var
usr
sbin
usr
etc
var
etc
var
15-8
Zone Concepts
After it is installed a zone behaves as if it were separate from the global
zone. If an application or patch is to be added to the global zone it does
not become available to zones, unless the file system the application is
added too is mounted by the zones. Even if the file system is mounted,
there might be libraries, header files and other necessary installed files
that are not available to the zone. If an application or patch is added to a
zone a similar issue may take place. A zone is not able to write back to
mounted file systems, which may be necessary for the proper installation
of an application or patch. Currently, an application or patch being added
to the global zone requires each zone to be reinstalled.
Zone Networking
Each non-global zone that requires network connectivity has one or more
dedicated IP addresses. These addresses are associated with logical
network interfaces that can be placed in a zone by using the ifconfig
command. For example, if the primary network interface in the global
zone is ce0, then the non-globals logical network interface is ce0:1.
Zone interfaces configured by zonecfg will automatically be plumbed
and placed in the zone when it is booted. The ifconfig command can be
used to add or remove logical interfaces when the zone is running. Only
the global zone administrator can modify the interface configuration and
the network routes.
You can configure IPMP in the global zone, then extend the functionality
to non-global zones. The functionality is extended by placing the zones IP
address in an IPMP group when you configure the zone. Then, if one of
the interfaces in the global zone fails, the non-global zone addresses will
migrate to another network interface card.
Introduction to Zones
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
15-9
Zone Concepts
Zone States
To understand the operability of a zone we need to understand its state.
Zones behave like typical Solaris 10 OS installations, but do not have
resources such as power-on self-test (POST) or OpenBoot Programmable
Read-only Memory (OBP). Instead, theses settings and tests are managed
by the global zone. As a zone is configured, enabled, and used, its status
field in the zoneadm command output changes. Figure 15-4 shows the
zone states.
Delete
Configured
Install
Uninstall
Shutting Down
Reboot
Running
Installed
Ready
Create
Halt
Undefined
Ready
15-10
Zone Concepts
Ready In this state, the virtual platform for the zone is established.
The kernel creates the zsched process, network interfaces are
plumbed, file systems are mounted, and devices are configured. A
unique zone ID is assigned by the system. At this stage, no processes
associated with the zone have been started.
Running In this state, the user processes associated with the zone
application environment are running. The zone enters the running
state as soon as the first user process associated with the application
environment (init) is created.
Shutting down and Down - These states are transitional states that
are visible while the zone is being halted. However, a zone that is
unable to shut down for any reason will stop in one of these states.
Introduction to Zones
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
15-11
Configuring Zones
Configuring Zones
To configure a zone, you must perform these tasks:
A zone name
15-12
Configuring Zones
You can use soft partitions to divide disk slices or logical volumes into
partitions. You can use these partitions as zone roots, and thus limit perzone disk consumption. The soft partition limit is 8192 partitions.
An additional 40 megabytes of RAM per zone are suggested, but not
required on a machine with sufficient swap space.
Note There are many other operations that can be accomplished with
the zonecfg command, but are outside of the scope of this course.
There are several subcommands to configure and provision zones within
the zonecfg utility, as shown in Table 15-1. Several subcommands affect
the environment, depending on the current scope. The zonecfg prompt
indicates if the scope is global or resource scope. Many of the
subcommands also allow the f, or force, flag. If this flag is given, the
subcommand does not use interactive questioning safeguards.
Table 15-1 The zonecfg Subcommands
Command
Description
add
cancel
Introduction to Zones
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
15-13
Configuring Zones
Table 15-1 The zonecfg Subcommands (Continued)
Command
Description
commit
create
delete
end
export
info
remove
select
set
verify
revert
exit
15-14
zone name Defines the zone name and identifies the zone to the
configuration utility.
Configuring Zones
zonepath Defines the zone path resource and is the path to the
zone root.
special
type
options
Introduction to Zones
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
15-15
Configuring Zones
15-16
Configuring Zones
Line 3 - The zone path resource, /export/work-zone in this example, is
the path to the zone root. Each zone has a path to its root directory that is
relative to the global zones root directory. This path must exist at
installation time. The global zone directory is required to have restricted
visibility. It must be owned by root with the mode 700.
Line 4 - This indicates that a zone should be booted automatically at
system boot.
Line 5- This line begins the file system configuration section in this
procedure.
Line 6- Set the mount point for the file system, /mnt in this example.
Line 7- Specify that /dev/dsk/c0t0d0s7 blocked special file in the global
zone is to be mounted as /mnt in the work-zone.
Line 8- Specify that /dev/rdsk/c0t0d0s7 raw special file. The zoneadmd
daemon automatically runs the fsck command in non-interactive check
only mode on this device before it mounts the file system.
Line 9- This line specifies that the file system type is UFS.
Line 10 - This line specifies the file system-specific option, enable file
system logging in this procedure.
Line 11 - This line ends the file system configuration section in this
procedure.
Line 12 - This line begins the configuration of a shared file system that is
loopback-mounted from the global zone.
Line 13 - This line specifies that /usr/sfw is to be loopback mounted from
the global zone.
Line 14 - This line ends the mount loopback section in this procedure.
Line 15 - This line begins the network configuration section in this
procedure.
Line 16 - This line specifies the physical network interface to be used by
this zone is a GigaSwift.
Introduction to Zones
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
15-17
Configuring Zones
Line 17 - This line specifies the IP address for the network interface,
192.168.0.1 in this procedure.
Line 18 - This line ends the network configuration section in this
procedure.
Line 19- This line begins the device configuration section in this
procedure.
Line 20- This line sets the device match, /dev/sound/* in this procedure.
Line 21 - This line ends the device configuration section in this procedure.
Line 22 - This line begins the attribute configuration section in this
procedure.
Line 23 - This line sets the name of the name of the attribute, comment in
this procedure.
Line 24 - This line sets the type of attribute as a string of characters.
Line 25 - This line assigns a value to the string of characters, The work
zone. in this procedure.
Line 26 - This line ends the attribute configuration section in this
procedure.
Line 27- This line verifies the current configuration for correctness. It
ensure that all resources have all of their required properties specified.
Line 28- This line commits the current configuration from memory to
stable storage. Until the in-memory configuration is committed, changes
can be removed with the revert subcommand. A configuration must be
committed to be used by the zoneadm command. This operation is
attempted automatically when you complete a zonecfg session. Because
only a correct configuration can be committed, the commit operation
automatically does a verify.
Line 29- This line exits the zonecfg session. You can use the -F (force)
option with exit.
The zone is now ready to install, boot, and use.
15-18
Configuring Zones
Introduction to Zones
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
15-19
Install a zone
Boot a zone
Reboot a zone
Uninstall a zone
15-20
Booting a Zone
Booting a zone places the zone in the running state. If you set the
autoboot resource property in a zones configuration to true, that zone is
automatically booted when the global zone is booted. The default setting
is false.
A zone can be manually booted from the ready state or from the installed
state. You use the zoneadm -z zone_name boot command to boot a
zone:
global# zoneadm -z work-zone ready
global# zoneadm -z work-zone boot
global# zoneadm list -v
ID NAME
STATE
PATH
0
global
running /
1
work-zone running /export/work-zone
In this example, the work-zone has reached the running state. The zone
ID 1 has been assigned during the zone boot process.
Introduction to Zones
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
15-21
Halting a Zone
The zoneadm halt command is used to remove both the application
environment and the virtual platform for a zone. The zone is then brought
back to the installed state. All processes are killed, devices are
unconfigured, network interfaces are unplumbed, file systems are
unmounted, and the kernel data structures are destroyed.
global# zoneadm -z work-zone halt
global# zoneadm list -v
ID NAME
STATE
PATH
0
global
running
/
work-zone installed /export/work-zone
The halt command does not run any shutdown scripts within the zone.
Rebooting a Zone
The zoneadm reboot command is used to reboot a zone. The zone is
halted and then booted again.
global# zoneadm -z work-zone reboot
global# zoneadm list -v
ID NAME
STATE
PATH
0
global
running
/
2
work-zone running
/export/work-zone
In this example, before rebooting the zone ID is set to 1. After the zone is
rebooted, the zone ID has changed to 2.
15-22
sparc SUNW,Netra-T12
used
avail capacity
69941 547455
12%
69941 547455
12%
1893804 31039106
6%
1893804 31039106
6%
1893804 31039106
6%
1893804 31039106
6%
0
0
0%
0
0
0%
0
0
0%
32 7949008
1%
0 7949008
0%
Mounted on
/
/dev
/lib
/platform
/sbin
/usr
/proc
/etc/mnttab
/dev/fd
/var/run
/tmp
Introduction to Zones
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
15-23
PID
6965
PPID
6965
C
STIME TTY
0 12:35:38 ?
TIME CMD
0:00 zsched
twilight# ifconfig -a
lo0:1: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
ce0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index
2 inet 192.168.0.1 netmask ffffff00 broadcast 192.168.0.255
twilight# ~.
[Connection to zone 'work-zone' console closed]
Note The zone is now up and running. If you add (or delete) resources
to the running zone using the zonecfg command, you must restart the
zone for the changes to take effect.
To remove a resource from a domain, run the zonecfg command and
choose the remove subcommand with a reference to the device and
parameters.
# zonecfg z work-zone
zonecfg:work-zone> remove net physical=ce0
zonecfg:work-zone> commit
zonecfg:work-zone> exit
Deleting a Zone
When deleting a zone, be sure to back up any files that you want to keep.
The first stage in deleting a zone is halting the Solaris 10 OS and freeing
the system memory.
In the following example, the zone is removed from the global system:
Caution This operation is not a graceful or controlled shutdown of the
zone. Data loss is possible to processes running in the zone.
# zoneadm list -cp
0:global:running:/
3:work-zone:running:/export/work-zone
# zoneadm -z work-zone halt
# zoneadm list -cp
0:global:running:/
15-24
Introduction to Zones
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
15-25
Module 16
The following course map shows how this module fits into the current
instructional goal.
Configure
Custom
JumpStart
Perform a
Flash
Installation
16-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
Purpose of JumpStart
System administrators who need to install multiple systems with similar
configurations can use JumpStart to automate the installation process.
JumpStart eliminates the need for operator intervention during the
installation process.
The advantages of using JumpStart include the following:
16-2
Boot services
Identification services
Configuration services
Installation services
JumpStart Client
JumpStart Client
JumpStart
JumpStart Client
Server
JumpStart Client
Boot Server
JumpStart Client
Router
Boot Services
Boot Services
To boot the JumpStart client using the network, clients require support
from a server that can respond to their Reverse Address Resolution
Protocol (RARP), Trivial File Transfer Protocol (TFTP), and
BOOTPARAMS requests. A system that provides these services is called a
boot server. You can configure a boot server to provide any of the other
required JumpStart services, or to only provide boot services.
16-3
16-4
Identification Services
JumpStart clients require support from a server to automatically get the
answers to system identification questions that the client systems issue.
The identification service is often provided by a boot server, but the
service can be provided by any network server configured to provide
identification.
JumpStart clients can obtain identification information from different
sources, including:
16-5
Configurable With
the sysidcfg File?
Name service
Yes
Yes
Domain name
Yes
No
Name server
Yes
No
Network interface
Yes
No
Host name
Yes
Yes
IP address
Yes
Yes
Netmask
Yes
Yes
Yes
No
Yes
No
Default router
Yes
No
Root password
Yes
No
Security policy
Yes
No
Locale
Yes
Terminal Type
Yes
No
Time zone
Yes
Yes
Yes
Yes
No
No
Configuration Services
JumpStart clients require support from a server to obtain answers for
system configuration questions that they issue. A system that provides
this service is called a configuration server.
A configuration server provides information that specifies how the
Solaris Operating System installation proceeds on the JumpStart client.
Configuration information can include:
Installation type
System type
Description
16-7
Description
The profile
(class) files
The check
script
The rules.ok
file
Optional
begin and
finish scripts
Installation Services
JumpStart clients require support from a server to find an image of the
Solaris OS to install. A system that provides this service is called an install
server. An install server shares a Solaris OS image from a CD-ROM, DVD,
or local disk. JumpStart clients use the NFS service to mount the
installation image during the installation process.
16-8
The installation
image
16-9
16-10
2.
3.
4.
5.
6.
16-11
# mkdir /export/install
2.
3.
# cd /cdrom/cdrom0/s0/Solaris_10/Tools
4.
# ./setup_install_server /export/install
5.
# cd /
# eject cdrom
16-12
# cd /cdrom/cdrom0/Solaris_10/Tools
b.
# ./add_to_install_server /export/install
c.
# cd /
# eject cdrom
7.
16-13
16-14
Table 16-3 lists the keywords and arguments used in the construction of
the sysidcfg file.
Table 16-3 Keywords and Arguments Used in Constructing the sysidcfg File
Keywords
Arguments
name_service {domain_name}
16-15
Arguments
network_interface, hostname,
ip_address , netmask
root_password
root_password=root_password
(encrypted password from /etc/shadow)
security_policy
security_policy=kerberos, NONE
Options for kerberos:
{default_realm=FQDN
admin_server=FQDN kdc=FQDN1,FQDN2,FQDN3}
where FQDN is a fully qualified domain name.
You can list a maximum of three key distribution
centers (KDCs), but at least one is required.
system_locale
system_locale=locale
(entry from the /usr/lib/locale file)
terminal
terminal=terminal_type
(entry from the /usr/share/lib/terminfo
database) for the installation.
timezone
timezone=timezone
(entry from /usr/share/lib/zoneinfo file)
timeserver
16-16
# mkdir /export/config
2.
# cd /export/config
# vi sysidcfg
3.
In the sysidcfg file, add the following lines. Substitute values that
are appropriate for your systems, location, and network.
network_interface=hme0 {
primary
protocol_ipv6=no
netmask=netmask_value
default_route=router_IP}
security_policy=none
name_service=none
timezone=timezone
system_locale=locale
timeserver=timeserver_IP
root_password=Hx23475vABDDM
a.
b.
c.
For the timezone value, enter the correct time zone for your
location. Time zones are listed in the directory structure below
the /usr/share/lib/zoneinfo directory. For example, the
US/Mountain time zone refers to the
/usr/share/lib/zoneinfo/US/Mountain directory.
d.
For the locale value, enter the correct system locale for your
location. Locales are listed in the /usr/lib/locale directory.
e.
f.
16-17
16-18
match_key
16-19
match_value
begin
profile
finish
The example
hostname client1 - profile1 causes a JumpStart client called client1 to use a profile file called
profile1. The dash (-) characters before and after the profile1 file
indicate that the client1 system does not run a begin or a finish script.
To configure a simple rules and profile file on a JumpStart server,
complete the following steps:
1.
Create a directory to hold the rules file if this directory does not
already exist. Usually, the /export/config directory holds the
rules file.
# mkdir /export/config
2.
# cd /export/config
# vi rules
3.
16-20
# vi profile1
Add the following lines to the profile1 file:
install_type
system_type
partitioning
filesys
filesys
cluster
initial_install
standalone
explicit
cxtxdxs1 128
cxtxdxs0 free
SUNWCXall
6.
swap
/
a.
b.
For example, a simple profile file can contain the following information:
install_type
system_type
partitioning
filesys
filesys
cluster
package
initial_install
standalone
explicit
c0t0d0s0
free
c0t0d0s1
512
SUNWCXall
SUNWman delete
/
swap
This profile file declares that the JumpStart client performs an initial
installation as a standalone system, uses partitioning that allocates
512 Mbytes to the swap area, allocates the remainder of the disk space to
the root (/) file system, the client installs the Entire Distribution with
OEM support configuration cluster, and then removes the man pages.
16-21
# cd /export/install/Solaris_10/Misc/jumpStart_sample
2.
# cp check /export/config
3.
# cd /export/config
# ./check
Validating rules...
Validating profile profile1...
The custom JumpStart configuration is ok.
#
4.
If the check script reports an error, edit the rules or profile file to
correct the problem indicated. In the following example, the
profile1 file contains a spelling error. For the example, the
misspelling of the keyword, filesys, causes the check script to
report the following output:
Validating rules...
Validating profile profile1...
Error in file "profile1", line 4
fileys c0t0d0s0 free /
ERROR: Invalid keyword
5.
Once the rules or profile file have been edited to correct any errors,
run the check script again.
# cd /export/config
# ./check
Validating rules...
Validating profile profile1...
The custom JumpStart configuration is ok.
#
16-22
client1
An entry for client1 in /etc/ethers could appear as follows:
8:0:20:10c:88:5b client1
The server and path where the rules and profile files are located
(the -c option)
16-23
Edit the /etc/inet/hosts file, and add an entry for the JumpStart
client.
2.
Edit the /etc/ethers file, and add an entry for the JumpStart client.
3.
# cd /export/install/Solaris_10/Tools
The following example supplies the required information for a client
called client1:
# ./add_install_client -c server1:/export/config -p
server1:/export/config client1 sun4u
saving original /etc/dfs/dfstab in /etc/dfs/dfstab.orig
Adding "share -F nfs -o ro,anon=0 /export/install" to /etc/dfs/dfstab
making /tftpboot
enabling tftp in /etc/inetd.conf
starting rarpd
starting bootparamd
starting nfsd's
starting nfs mountd
updating /etc/bootparams
copying inetboot to /tftpboot
#
The add_install_client script automatically makes the changes
required to support RARP, TFTP, the bootparams file, and NFS requests
from the client, but it only causes the server to share the installation
directory. Sharing the installation directory allows the JumpStart client to
mount a root (/) file system during the network boot process, and to gain
access to the installation image.
Note The following example shows that for the client to mount the
configuration directory from the server, you must manually edit the
/etc/dfs/dfstab file and add an entry to share the configuration
directory:
share -o ro /export/config
16-24
Run the svcs command to check that NFS services are enabled.
FMRI
svc:/network/nfs/mapid:default
svc:/network/nfs/cbd:default
svc:/network/nfs/server:default
svc:/network/nfs/status:default
svc:/network/nfs/nlockmgr:default
svc:/network/nfs/client:default
svc:/network/nfs/rquota:ticlts
svc:/network/nfs/rquota:udp
FMRI
svc:/network/nfs/cbd:default
svc:/network/nfs/client:default
svc:/network/nfs/status:default
svc:/network/nfs/nlockmgr:default
svc:/network/nfs/mapid:default
svc:/network/nfs/rquota:ticlts
svc:/network/nfs/server:default
svc:/network/nfs/rquota:udp
ro,anon=0
ro
""
""
16-25
2.
# init 0
Task Preparation
Before beginning this lab, ensure that you have removed NIS from your
/etc/nsswitch.conf file, and unconfigured NIS. This includes the
following steps on the NIS master, as well as a subset of these steps on the
NIS slave and client:
cd /etc
cp nsswitch.files nsswitch.conf
rm /etc/defaultdomain
svcadm disable svc:/network/nis/client:default
svcadm disable svc:/network/nis/server:default
cd /var/yp
rm -r <domainname>
16-26
Task Summary
Perform the following tasks:
16-27
16-28
Tasks
Complete the following steps:
1.
2.
Edit the /etc/ethers file, and add an entry for the JumpStart client,
for example:
# cd /etc
8:0:20:2f:100:3d
3.
client1
Edit the /etc/hosts file, and add an entry for the JumpStart client,
if one does not already exist. Add the timehost alias to the
JumpStart server's entry, for example:
server1
client1
192.10.200.1
192.10.200.100
4.
loghost
timehost
192.10.200.0 255.255.255.0
5.
# mkdir /export/config
6.
# cd /cdrom/cdrom0/s0/Solaris_10/Misc/jumpstart_sample
7.
# cp -r
/export/config
8.
# cd /export/config
# mv rules rules.orig
9.
hostname
client1
Create a new file called rules that contains the following entry.
Enter the name of your JumpStart client instead of client1:
-
host_class
finish_script
16-29
initial_install
standalone
explicit
SUNWCreq
c0t0d0s0 300 /
c0t0d0s1 128 swap
c0t0d0s6 free /usr
11. In the /export/config directory, create a file called finish_script
that contains the following lines.
#!/bin/sh
touch /a/noautoshutdown
This command configures the JumpStart client to avoid using the
autoshutdown power-saving feature.
12. Change the permissions on finish_script to 755.
# chmod 755 finish_script
13. Run the /export/config/check program, and correct any problems
in the rules or host_class files that it reports. Verify that the
rules.ok file exists after the check program completes successfully.
# ./check
14. In the /export/config directory, create a file called sysidcfg that
contains the following lines. The string pVKN72yW0kCMs is a
13-character encrypted string for the password cangetin. You could
replace this string with a different encrypted password string by
copying one from your own /etc/shadow file. Use the netmask
appropriate to your network, as indicated by your instructor.
network_interface=hme0 { primary protocol_ipv6=no
netmask=255.255.255.0
default_route=none }
name_service=none
timezone=US/Mountain
system_locale=C
timeserver=localhost
security_policy=none
root_password=pVKN72yW0kCMs
16-30
share -o ro /export/config
16. Run the svcs command to see if the NFS service is online.
# svcs -a |grep nfs
STATE
STIME
disabled
14:56:34
disabled
14:56:34
disabled
14:56:36
online
14:56:56
online
14:56:57
online
14:57:13
online
14:57:13
online
14:57:13
FMRI
svc:/network/nfs/mapid:default
svc:/network/nfs/cbd:default
svc:/network/nfs/server:default
svc:/network/nfs/status:default
svc:/network/nfs/nlockmgr:default
svc:/network/nfs/client:default
svc:/network/nfs/rquota:ticlts
svc:/network/nfs/rquota:udp
17. If the NFS service is disabled, enable it using the svcadm command.
# svcadm enable network/nfs/server:default
18. Check that the NFS service is now online.
# svcs -a |grep nfs
STATE
STIME
disabled
14:56:34
online
14:57:13
online
16:01:13
online
16:01:13
online
16:01:14
online
16:01:14
online
16:01:15
online
16:01:15
FMRI
svc:/network/nfs/cbd:default
svc:/network/nfs/client:default
svc:/network/nfs/status:default
svc:/network/nfs/nlockmgr:default
svc:/network/nfs/mapid:default
svc:/network/nfs/rquota:ticlts
svc:/network/nfs/server:default
svc:/network/nfs/rquota:udp
19. If the NFS service is already running, run the shareall command:
# shareall
20. Change the directory to /cdrom/cdrom0/s0/Solaris_10/Tools.
# cd /cdrom/cdrom0/s0/Solaris_10/Tools
16-31
Action
/etc/dfs/dfstab file
/etc/inetd.conf file
/etc/nsswitch.conf file
/tftpboot file
in.rarpd daemon
rpc.bootparamd daemon
22. Boot the JumpStart client.
ok boot net - install nowin
16-32
Task Solutions
23. What actions does the add_install_client program report that
it takes regarding the files and daemons in Table 16-5?
Table 16-5 Results of add_install_client Program
File or Daemon
Action
/etc/dfs/dfstab file
/etc/inetd.conf file
Enables tftp
/etc/nsswitch.conf
file
/tftpboot file
rarpd daemon
bootparamd daemon
16-33
The flexibility in server and client configuration lets you build JumpStart
services to meet your specific software installation needs.
16-34
Client
Server
Time
tftp to request
inetboot program
4
Client runs
inetboot program
whoami request
Client sends a
6
7
Server looks up the host name,
and responds to client
8
Client sends a
getfile request
9
Server returns information obtained
from the
/etc/bootparams file
10
The
11
12
13
14
15
mounts the
kernel and
init program
Client uses
sysidtool
bootparams information
suninstall program
16-35
2.
b.
c.
3.
4.
The in.tftpd daemon on the boot server processes the clients TFTP
request. The daemon searches the /tftpboot directory for a file with
a hexadecimal representation of the clients IP address. The
hexadecimal representation is the name of the file. This file is a
symbolic link that points to a network bootstrap program.
5.
6.
7.
8.
9.
10. The server responds with the location of the root (/) file system,
obtained from the appropriate source:
11. After the client obtains its boot parameters, the network bootstrap
program mounts the root (/) file system from the boot server.
12. The client loads its kernel and starts the init program. When the
JumpStart client finishes booting, it attempts to find configuration
information.
16-36
16-37
16-38
and returns the information to the client. The client system uses this
information to mount the directories that it requires using the NFS
service.
The add_install_client script updates the /etc/bootparams file when
you run it to configure boot support for a JumpStart client. The
/etc/bootparams file contains one entry for each JumpStart client that
the boot server supports. Each entry lists the servers and directories that
provide boot, identification, configuration, and installation services.
The options and arguments that you specify when you run the
add_install_client script determine the content of the
/etc/bootparams file. The following example describes an example entry
in the /etc/bootparams file for a JumpStart client named client1:
client1
root=server1:/export/install/Solaris_10/Tools/Boot
install=server1:/export/install
boottype=:in
sysid_config=server1:/export/config
install_config=server1:/export/config
rootopts=:rsize=32768
The add_install_client command that creates the /etc/bootparams
entry in the following example is:
# cd /export/install/Solaris_10/Tools
# ./add_install_client -c server1:/export/config -p
server1:/export/config client1 sun4u
16-39
16-40
Entry
Definition
client1
root=server1:/export/
install/
Solaris_10/Tools/Boot
install=server1:/
export/install
boottype=:in
sysid_config=server1:/
export/config
install_config=server1:/
export/config
rootopts=:rsize=32768
16-41
Subnet Restrictions
JumpStart clients broadcast RARP requests when they attempt to boot
from the network. Broadcast network traffic is normally not forwarded to
networks other than the one where the broadcast traffic originated. This
situation requires that a JumpStart boot server exist on the same subnet to
which JumpStart clients are directly connected.
The initial network requests for boot-related services are the only
JumpStart client requests that are limited by these subnet restrictions.
Identification services can be provided by a sysidcfg file made available
to the client by using NFS or by binding the JumpStart client to a name
service in use. Configuration and installation services are also made
available using the NFS service. The NFS service and name services
generally allow for network traffic to route among subnets, but the
services that depend on them can be provided by servers on different
subnets from the one to which the client is directly attached.
16-42
JumpStart Client
JumpStart Client
JumpStart
JumpStart Client
Server
JumpStart Client
Boot Server
JumpStart Client
Router
Boot Services
16-43
# mkdir /export/install
2.
3.
# cd /cdrom/cdrom0/s0/Solaris_10/Tools
4.
# ./setup_install_server -b /export/install
5.
# cd /
# eject cdrom
16-44
client1
An entry for client1 in the /etc/ethers file could appear as follows:
8:0:20:10c:88:5b client1
If a name service is in use, you must edit the /etc/inet/hosts and
/etc/ethers files on the appropriate name service server, and run the
commands required to update the name service maps or tables.
The /etc/inet/hosts file on the boot server must also contain an entry
for each server you specify when you run the add_install_client
script.
The add_install_client script automatically makes the changes
required for the boot server to support RARP, TFTP, BOOTPARAMS ,
and NFS requests from the client. The add_install_client script
automatically causes the boot server to share the /export/install
directory, if that is where the boot image is spooled. Sharing the
/export/install directory lets the JumpStart client mount the boot
image during the network boot process.
The following procedure assumes that the Solaris 10 OS boot image has
been spooled below the /export/install directory on the boot server. It
also assumes that the JumpStart Server has the sysidcfg file, rules.ok
file, and class file located in the /export/config directory.
To run the add_install_client script on a boot server, complete the
following steps:
1.
2.
16-45
# cd /export/install/Solaris_10/Tools
Run the add_install_client script, and specify server and client
information as follows:
# ./add_install_client -c 192.168.1.1:/export/config -p
192.168.1.1:/export/config -s 192.168.2.1:/export/install clientA
sun4u
saving original /etc/dfs/dfstab in /etc/dfs/dfstab.orig
Adding "share -F nfs -o ro,anon=0 /export/install/Solaris_10/Tools/Boot"
to /etc/dfs/dfstab
making /tftpboot
enabling tftp in /etc/inetd.conf
starting rarpd
starting bootparamd
starting nfsd's
starting nfs mountd
updating /etc/bootparams
copying inetboot to /tftpboot
#
When you complete this procedure, and meet conditions on the other
servers, you can initiate the installation process on a JumpStart client.
16-46
IPv6
Kerberos configuration
Naming service
The sysidcfg file allows you to specify nearly all of the identification
information that a JumpStart client requires. The sysidcfg file can
contain:
16-47
16-48
primary hostname=sys01
ip_address=192.168.2.10
protocol_ipv6=no
netmask=255.255.255.0
default_route=192.168.2.1}
network_interface=qfe0 {
hostname=sys01
ip_address=192.168.2.101
protocol_ipv6=no netmask=255.255.255.0
default_route=192.168.2.1}
network_interface=qfe1 {
hostname=sys02
ip_address=192.168.2.111
protocol_ipv6=no netmask=255.255.255.0
default_route=192.168.2.1}
16-49
16-50
The second rule matches a machine with host name client2. The
class file is class_basic_user.
The fifth rule matches a machine using SPARC architecture and with
a memory size between 64 and 106 Mbytes. The class file is
class_prog_user.
Begin Scripts
Begin scripts are Bourne scripts that JumpStart clients run before installing
the Solaris OS. Begin scripts allow you to perform a variety of tasks on the
JumpStart client. Typically, you would use a begin script to back up data
from the client before proceeding with the Solaris OS installation.
The following example begin script causes the JumpStart client to copy its
existing /etc/passwd and /etc/shadow files to a directory on an NFS
server:
#!/bin/sh
HOSTNAME=`/bin/uname -n`
mount 192.10.10.100:/backup /mnt
if [ ! -d /mnt/${HOSTNAME} ]; then
mkdir /mnt/${HOSTNAME}
fi
if [ -d /mnt/${HOSTNAME} ]; then
mount /dev/dsk/c0t0d0s0 /a
cp /a/etc/passwd /a/etc/shadow /mnt/${HOSTNAME}
umount /a
fi
umount /mnt
This example script works only if the following conditions exist:
The JumpStart client has a previously installed root (/) file system
available as /dev/dsk/c0t0d0s0
This example script shows that a begin script can mount disk resources
from other systems, mount resources from the client itself, and copy files
between those mounted directories. File systems that exist on the client
are available using their standard logical device names. NFS provides
access to shared directories on the network. The mount points /a and
/mnt are available in the root (/)file system when the JumpStart client
mounts from the boot server.
16-51
16-52
Arguments
install_type
initial_install | upgrade |
flash_install | flash_upgrade
system_type
standalone | server
partitioning
cluster cluster_name
add | delete
package package_name
add | delete
usedisk
disk_name
dontuse
disk_name
locale
locale_name
num_clients
number
client_swap
size
client_arch
kernel_architecture
filesys
metadb
patch
patch_id_list | patch_file
patch_location
archive_location
retrieval_type location
16-53
Configuration Cluster
Name
Reduced Network
SUNWCrnet
Core
SUNWCreq
End User
SUNWCuser
Developer
SUNWCprog
Entire Distribution
SUNWCall
SUNWCXall
16-54
initial_install
standalone
explicit
c0t0d0s0 150
/
c0t0d0s1 128
swap
c0t0d0s6 800
/usr
c0t0d0s7 free /var
c0t1d0s7 all
/opt
SUNWCall
SUNWman
delete
16-55
initial_install
SUNWCXall
filesys
filesys
filesys
filesys
metadb
metadb
filesys
filesys
filesys
mirror
c0t0d0s0
mirror:d10 c0t0d0s1
c0t0d0s3
c1t3d0s3
c0t0d0s4
c1t3d0s4
mirror
c0t0d0s6
c0t0d0s7
c1t3d0s7
16-56
c1t3d0s0
c1t3d0s1
count 4
count 4
c1t3d0s6
850
1000
512
512
/
/var
swap
5000 /usr
free /export/home
free
2.
3.
The root (/) file system is created and mirrored on the slices
c0t0d0s0 c1t3d0s0 and is 850 Mbytes in size. The resulting RAID
volumes are automatically assigned names as none is specified.
4.
5.
6.
7.
Four state database replicas are created on slice c0t0d0s4 and slice
c1t3d0s4.
8.
9.
16-57
NFS server
HTTP server
Local device
Local file
The syntax for the entry in the profile varies depending on the location
selected, as shown in Table 16-9.
Table 16-9 Package Syntax
Package Source
Syntax example
NFS
HTTP
local_device
local_file
16-58
NFS server
HTTP server
Local device
Local file
Syntax Example
NFS
HTTP
patch 112233-01,223344-04
http://sys01/solaris10/patches
patch list_file http://sys01/solaris10/patches
local_device
local_file
16-59
Finish Scripts
Finish scripts are Bourne scripts that JumpStart clients run after installing
the Solaris Operating System but before they reboot. Finish scripts allow
you to perform a variety of post-installation tasks on the JumpStart client,
including:
The following example finish script causes the JumpStart client to turn off
automatic shutdown for power management, retrieve its backed-up
/etc/passwd and /etc/shadow files from a directory on an NFS server,
and copy a file from the configuration server to the JumpStart client.
#!/bin/sh
touch /a/noautoshutdown
HOSTNAME=`/bin/uname -n`
mount 192.10.10.100:/backup /mnt
if [ -d /mnt/${HOSTNAME} ]; then
echo "Copying passwd and shadow..."
cp /mnt/${HOSTNAME}/passwd /a/etc/passwd
cp /mnt/${HOSTNAME}/shadow /a/etc/shadow
fi
umount /mnt
mkdir /a/labfiles
cp ${SI_CONFIG_DIR}/files/setup.tar /a/labfiles
This example script works if the following conditions exist:
16-60
The configuration server has the file called setup.tar in the files
directory. The files directory must exist in the directory that this
server shares, and the client uses it as ${SI_CONFIG_DIR}.
16-61
16-62
2.
# cd /cdrom/cdrom0/s0/Solaris_10/Tools
3.
b.
16-63
d.
16-64
Troubleshooting JumpStart
If any of the four main JumpStart services are improperly configured, the
JumpStart clients can:
Fail to boot
Fail to partition disks or create file systems, and fail to load the
Operating System
16-65
Enter the commands required to update the name service in use. Usually,
the messages these commands issue will indicate whether an update for
the /etc/ethers or /etc/inet/hosts files was successful.
Check all of the physical network connections between the client and the
boot server to eliminate a potential source of the updating problem.
If you specify the incorrect platform group for the client when you run the
add_install_client script, the client might hang, or issue additional
error messages and panic early in the boot process. To solve this problem,
run the rm_install_client script and then the add_install_client
script, and specify the correct platform group.
If the boot server is not configured to allow the in.tftpd daemon to run
on demand, the client hangs. Usually, the add_install_client script
automatically modifies the boot server to provide this service. To correct
this problem, run the following commands to enable the TFTP service.
Check to see if the TFTP service is available:
# inetadm | grep tftp
If the command does produce any output, edit the
/etc/inet/inetd.conf file and ensure the following line is present:
# vi /etc/inet/inetd.conf
# TFTPD - tftp server (primarily used for booting)
tftp dgram
udp6
wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
svc:/network/ftp:default
svc:/network/tftp/udp6:default
16-67
16-68
The previous items can only be provided using the sysidcfg file.
You can use the sysidcfg file to provide information that a name service
could otherwise provide. You must verify the content of the sysidcfg file
or any information that it provides. Information provided in the
sysidcfg file overrides information in name services.
16-69
16-71
16-72
16-73
Preparation
Load the Solaris 10 OS 1 CD-ROM in the CD drive and let the Volume
Manger daemon mount it automatically.
Task Summary
Perform the following tasks:
16-74
16-75
Tasks
Complete the following steps:
1.
2.
Edit the /etc/ethers file, and add an entry for the JumpStart client,
for example:
# cd /etc
8:0:20:2f:100:3d
3.
client1
Edit the /etc/hosts file, and add an entry for the JumpStart client,
if one does not already exist.
server1
client1
192.10.200.1
192.10.200.100
4.
loghost
192.10.200.0 255.255.255.0
5.
6.
# mkdir /export/config
7.
Change directory to
/cdrom/cdrom0/s0/Solaris_10/Misc/jumpstart_sample.
# cd /cdrom/cdrom0/s0/Solaris_10/Misc/jumpstart_sample
8.
# cp -r
/export/config
9.
# cd /export/config
# mv rules rules.orig
10. Create a new file called rules that contains the following entry.
Enter the name of your JumpStart client instead of client1:
hostname
16-76
client1
mirror_class
finish_script
initial_install
explicit
SUNWCreq
metadb
metadb
c0t0d0s5
c1t3d0s5
filesys mirror:d10
filesys
filesys
filesys
filesys
/
/var
swap
/usr
/export/home
16-77
share -o ro /export/config
17. Run the svcs command to see if the NFS service is online.
# svcs -a |grep nfs
STATE
STIME
disabled
14:56:34
disabled
14:56:34
disabled
14:56:36
online
14:56:56
online
14:56:57
online
14:57:13
online
14:57:13
online
14:57:13
FMRI
svc:/network/nfs/mapid:default
svc:/network/nfs/cbd:default
svc:/network/nfs/server:default
svc:/network/nfs/status:default
svc:/network/nfs/nlockmgr:default
svc:/network/nfs/client:default
svc:/network/nfs/rquota:ticlts
svc:/network/nfs/rquota:udp
18. If the NFS service is disabled, enable it using the svcadm command.
# svcadm enable network/nfs/server:default
16-78
FMRI
svc:/network/nfs/cbd:default
svc:/network/nfs/client:default
svc:/network/nfs/status:default
svc:/network/nfs/nlockmgr:default
svc:/network/nfs/mapid:default
svc:/network/nfs/rquota:ticlts
svc:/network/nfs/server:default
svc:/network/nfs/rquota:udp
20. If the NFS service is already running, run the shareall command:
# shareall
21. Change the directory to /export/install/Solaris_10/Tools.
# cd /export/install/Solaris_10/Tools
22. Use the add_install_client program to add support for your
JumpStart client. The following command example is appropriate for
a server that provides access to the operating system using a
mounted Solaris 10 Software 1 CD-ROM. Replace server1 with the
name of your JumpStart server, client1 with the name of your
JumpStart client, and sun4x with the appropriate client architecture,
for example sun4u.
# ./add_install_client -c server1:/export/config
-p server1:/export/config client1 sun4x
What action does the add_install_client program report that it
takes regarding the files and daemons in Table 16-11?
Table 16-11 Results of add_install_client Program
File or Daemon
Action
/etc/dfs/dfstab file
/etc/inetd.conf file
/etc/nsswitch.conf file
/tftpboot directory
in.rarpd daemon
rpc.bootparamd daemon
16-79
Reloc
Yes
16-80
first blk
16
8208
16400
16
8208
16400
block count
8192
8192
8192
8192
8192
8192
/dev/dsk/c0t0d0s5
/dev/dsk/c0t0d0s5
/dev/dsk/c0t0d0s5
/dev/dsk/c1t3d0s5
/dev/dsk/c1t3d0s5
/dev/dsk/c1t3d0s5
Action
/etc/dfs/dfstab file
/etc/inetd.conf file
Enables tftp
/etc/nsswitch.conf
file
/tftpboot directory
in.rarpd daemon
rpc.bootparamd
daemon
16-81
Exercise Summary
Exercise Summary
!
?
16-82
Experiences
Interpretations
Conclusions
Applications
2.
3.
# cd /var/yp
# /usr/ccs/bin/make
16-83
client1
16-84
en_US
An entry for all systems in the NIS domain called Central.Sun.Com in
the /etc/locale file could appear as follows:
Central.Sun.COM
en_US
Note For a list of possible locale entries for this file, run the
locale -a command, or list the locales found in the /usr/lib/locale
directory.
16-85
# cd /var/yp
# vi Makefile
a.
The entry in the Makefile file for the timezone map contains
identical code except for the map name, therefore, duplicate the
timezone entry, and replace timezone with locale.
locale.time: $(DIR)/locale
-@if [ -f $(DIR)/locale ]; then \
sed -e "/^#/d" -e s/#.*$$// $(DIR)/locale \
| awk {for (i = 2; i<=NF; i++) print $$i, $$0} \
| $(MAKEDBM) - $(YPDBDIR)/$(DOM)/locale.byname; \
touch locale.time; \
echo "updated locale"; \
if [ ! $(NOPUSH) ]; then \
$(YPPUSH) locale.byname; \
echo "pushed locale"; \
else \
: ; \
fi \
else \
echo "couldnt find $(DIR)/locale"; \
fi
locale:
c.
Append the word locale to the line beginning with the word
all.
d.
locale.time
e.
2.
# cd /var/yp
# /usr/ccs/bin/make
...
<Control>-C
#
16-86
Note The make command hangs when it tries to push the new locale
map to slave servers. Press Control-C to stop the make command if the
command hangs.
3.
On any slave servers that exist in this NIS domain, run the ypxfr
command to transfer the locale.byname map for the first time.
# /usr/lib/netsvc/yp/ypxfr locale.byname
4.
On the NIS master server, again update the NIS maps by running the
make command.
# cd /var/yp
# /usr/ccs/bin/make
The make command should complete successfully.
client1
An entry for all systems in the NIS domain called Central.Sun.COM in
/etc/timezone could appear as follows:
US/Mountain
Central.Sun.COM
After you have completed the changes to the /etc/timezone file, you
must update the associated NIS map by running the /usr/ccs/bin/make
command.
Note Possible time zone entries for this file exist in the
/usr/share/lib/zoneinfo directory.
16-87
255.255.255.0
to specify that the Class C network 192.10.10.0 should use 24 bits to
identify the network, and 8 bits to identify the host.
Note Refer to the man page for the netmasks syntax for more examples
of subnet masks.
After you complete the changes to the /etc/netmasks file, enter the
/usr/ccs/bin/make command to update the associated NIS map.
16-88
16-89
Module 17
The following course map shows how this module fits into the current
instructional goal.
Configure
Custom
JumpStart
Perform a
Flash
Installation
17-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
17-2
17-3
An interactive install
The interactive method requires you to boot the system to be cloned from
the Solaris 10 OS 1 CD-ROM, or DVD.
To initiate the JumpStart procedure, the required JumpStart services must
be configured on an appropriate server. The Flash archive is extracted on
to the clone, replacing the package-based installation process.
Note Although most files on the master system are configured before
the archives are created, some network files might need re-configuration
after being deployed to the clone systems.
17-4
Hardware Requirements
The recommended system specifications for a Flash installation are:
A SPARC system for the clone and a SPARC system for the master
(or an UltraSPARC system for the clone and an UltraSPARC system
for the master).
The master and the clone must have the same kernel architecture,
such as sun4u.
Before you create the archive, you must install and configure the
master with the exact software, hardware, and peripheral device
package that you want on the clone. For example, to create a clone
that uses an Elite3D framebuffer, (even if the master does not use the
Elite3D card), you must include the necessary Solaris OS software
support in the archive.
Software Requirements
The recommended software specifications for a Flash installation is:
The Flash utility comes with Solaris 10 OS and is installed as part of
the Solaris OS. Flash utilities are also available with the minimum
Solaris software group (SUNWCuser). The Entire Distribution + OEM
software group is recommended for you to be able to include all files
and driver support when creating the Flash archive.
# more /var/sadm/system/admin/CLUSTER
CLUSTER=SUNWCXall
You can only create the archive from material available on the master
system.
17-5
For additional information about the Flash archive process, view the
online man pages.
The next section introduces the various Flash utility commands.
17-6
-R
-A
-i
-S
-c
-t
-m
-M
-a
-e
-x
-X
-y
-z
archive
17-7
Examples
The following example shows the creation of a Flash archive used to
install other systems. The master should be as quiescent as possible:
17-8
Differential Archives
If you have previously installed a clone using a Flash archive, it is now
possible to update that system with changes by using a differential
archive. If the master has been updated, for example, by applying patches,
or packages have been added or removed, these changes cam be applied
as a differential archive. The differential archive only overwrites files
specified in the archive, rather than the entire installation on the clone.
A list of new, changed or deleted files is generated, called a manifest.
A differential archive fails if the clone has been manually updated after it
was Flash installed from the master source.
A differential archive requires two images to compare. A source master
image, such as the original master flash configuration that has been left
untouched, and an updated master image. By default this updated master
image is the updated image, but it can be an image stored elsewhere. The
differential archive is made up of just the differences between the two
images.
The unchanged master image can be:
For more information on using Differential Flash archives see the Solaris
10 Release and Installation Collection, Solaris 10 Installation Guide,
Solaris Flash Archives.
17-9
-c
-s
Splits an archive into one file for each section of the archive
17-10
You can also use additional keywords for administering the archive.
17-11
Interactive Lab
You can perform interactive installation of the Solaris OS by using the
suninstall program. The Solaris suninstall program only installs the
Solaris OS software. After you install the Solaris OS software, you must
use other installation programs to install additional software.
1.
2.
Boot the Flash clone system from the Boot PROM prompt as follows:
17-12
F4_Flash
F5_Exit
F6_Help
17-13
F5_Cancel
5.
F6_Help
Press F2 to continue.
Next, you add a Flash archive. If the NFS file system is mounted and
shared, and if you can locate the Flash archive within the file system,
you are prompted for additional Flash archive names. A Solaris OS
image must exist on a clone system before you can install additional
Flash archives. The first Flash archive you install must also contain a
bootable Solaris OS image.
Name
====================================================================
NFS
build74L1
F2_Continue
17-14
F3_Go Back
F4_Edit
F5_New
F6_Help
Press F2 to continue.
Select Disks
On this screen you must select the disks for installing Solaris software.
Start by looking at the Suggested Minimum field; this value is the
approximate space needed to install the software youve selected. Keep
selecting disks until the Total Selected value exceeds the Suggested
Minimum value.
NOTE: ** denotes current boot disk
Disk Device
Available Space
=========================================================================
[X] ** c0t0d0
19457 MB (F4 to edit)
[ ]
c1t0d0
8633 MB
Total Selected:
Suggested Minimum:
F2_Continue
F3_Go Back
F4_Edit
F5_Exit
19457 MB
2171 MB
F6_Help
The Select Disks window identifies where you want to install the
Flash archive. This disk is now the boot disk for the clone system.
7.
Press F2 to continue.
The system is queried and you are given the opportunity to preserve
any existing data on the target disk. If you decide to preserve data
you then select the file systems to preserve.
17-15
Press F2 to continue.
Disk/Slice
Size
========================================================================
/
c0t0d0s0
5000
MB
swap
c0t0d0s1
512
MB
overlap
c0t0d0s2
19457
MB
/export/home
c0t0d0s7
13945
MB
F2_Continue
F3_Go Back
F4_Customize
F5_Exit
F6_Help
The File System and Disk Layout window appears. This screen
varies according to your disk partition specification in the
preconfigured profile files. Explicit partitioning configures the disk
as specified in the profile file, while existing partitioning specifies
that you should leave the disk as currently configured. The existing
specification brings up the next screen where you are prompted to
customize the existing partitions.
17-16
Press F2 to continue.
The Mount Remote File Systems window appears. If your Flash
archives are stored on the master Flash archive server, press F2 to
continue.
-Profile
The information shown below is your profile for installing Solaris
software.
It reflects the choices youve made on previous screens.
========================================================================
Installation Option: Flash
Boot Device: c0t0d0
Client Services: None
Software: 1 Flash Archive
NFS: build74L1
File System and Disk Layout: /
swap
/export/home
Esc-2_Begin Installation
F4_Change
F5_Exit
c0t0d0s0 3227 MB
c0t0d0s1 512 MB
c0t0d0s7 15718 MB
F6_Help
17-17
17-18
17-19
Network Files
When you use the JumpStart software method to deploy an archive to a
clone, the clone follows a standard network boot process. The boot
process uses Reverse Address Resolution Protocol (RARP) to get its
Internet address and host name that are preconfigured on the master
system files (/etc/ethers and /etc/inet/hosts).
# more /etc/ethers
8:0:20:93:c9:af sys41
8:0:20:9e:dc:04 sys42
8:0:20:b5:98:25 sys43
8:0:20:99:f2:22 sys44
# more /etc/inet/hosts
.
.(output truncated)
.
192.168.30.30
instructor
192.168.30.41
sys41
192.168.30.42
sys42
192.168.30.43
sys43
192.168.30.44
sys44
17-20
JumpStart Keywords
The JumpStart process uses keywords (added to the JumpStart profile
installation file) to determine specific configurations for the JumpStart
process. The Flash keywords new to JumpStart are:
install_type flash_install
where:
install_type
Standard keyword
flash_install
retrieval_type
location
Examples of locations:
archive_location nfs [server_ip:/path/filename]
archive_location http [server_ip:port_path/filename]
archive_location [local_tape_device_position]
Certain JumpStart profile keywords are incompatible with the
deployment of the Flash archives. Because a Flash deployment does not
use the package add process, these keywords are incompatible in a Flash
environment. Other packages are used for upgrades, which are not a part
of Flash. Incompatible keywords are:
cluster
package
isa_bits
geo
backup_media
layout_constraint
The flash_S10 file is a sample profile file for JumpStart using a Flash
archive.
17-21
Note Configuration files, such as the profile file, the rules files, and the
sysidcfg file, are stored in the NFS directory that is invoked by using the
add_install_client command.
Add the host name for the clone, the path to the sysidcfg file, and the
path to the configuration directory using the add_install_client utility
from the Solaris OS Installation CD 1, under the
/cdrom/Solaris_10_sparc/s0/Solaris_10/Tools directory:
# ./add_install_client -p instructor:/export/config \
-c instructor:/export/config sys41 sun4u
making /tftpboot
enabling tftp in /etc/inetd.conf
updating /etc/bootparams
copying inetboot to /tftpboot
17-22
STIME
14:56:34
14:56:34
14:56:36
14:56:56
14:56:57
14:57:13
14:57:13
14:57:13
FMRI
svc:/network/nfs/mapid:default
svc:/network/nfs/cbd:default
svc:/network/nfs/server:default
svc:/network/nfs/status:default
svc:/network/nfs/nlockmgr:default
svc:/network/nfs/client:default
svc:/network/nfs/rquota:ticlts
svc:/network/nfs/rquota:udp
STIME
14:56:34
14:57:13
16:01:13
16:01:13
16:01:14
16:01:14
16:01:15
16:01:15
FMRI
svc:/network/nfs/cbd:default
svc:/network/nfs/client:default
svc:/network/nfs/status:default
svc:/network/nfs/nlockmgr:default
svc:/network/nfs/mapid:default
svc:/network/nfs/rquota:ticlts
svc:/network/nfs/server:default
svc:/network/nfs/rquota:udp
/export
/flash
ro,anon=0
ro,anon=0
""
""
Check the /etc/bootparams file to make sure that the command points
to the correct installation directories:
17-23
17-24
0% of 1670.59 MB archive)
0% of 1670.59 MB archive)
0% of 1670.59 MB archive)
. (output truncated)
Extracted 1670.00 MB ( 99% of 1670.59 MB archive)
Extracted 1670.59 MB (100% of 1670.59 MB archive)
Extraction complete
17-25
Postdeployment processing
No local customization defined
Customizing system files
- Mount points table (/etc/vfstab)
- Unselected disk mount points
(/var/sadm/system/data/vfstab.unselected)
- Network host addresses (/etc/hosts)
- Network host addresses (/etc/hosts)
Cleaning devices
Customizing system devices
- Physical devices (/devices)
- Logical devices (/dev)
Installing boot information
- Installing boot blocks (c0t0d0s0)
Installation log location
- /a/var/sadm/system/logs/install_log (before reboot)
- /var/sadm/system/logs/install_log (after reboot)
Flash installation complete
Executing JumpStart postinstall phase...
The begin script log begin.log
is located in /var/sadm/system/logs after reboot.
syncing file systems... done
rebooting...
Resetting ...
After the clone system has completely rebooted, log in to the clone and
use the ping command to verify connectivity to the master.
17-26
Live Upgrade
Solaris Live Upgrade can be used to upgrade a system. Live Upgrade
creates a copy of the existing OS and this copy can be upgraded. The
system administrator can then boot from the new environment with the
minimum of down time. If any problems or failures occur, it is possible to
revert to the old OS by a single reboot. For more information on Live
Upgrade consult the Solaris 10 OS Release and Installation Collection, Solaris
10 OS Installation Guide, and the Solaris OS Live Upgrade and Installation
Planning Guide.
WANboot
Introducing the Basics of WANboot
WANboot is an automatic installation process. It encompasses the existing
JumpStart framework. WANboot enables automatic installation of
multiple Solaris 10 systems across the WAN. WANboot builds on the
existing JumpStart capabilities and provides enhancements to security
and scalability to enable system administrator to install multiple systems
connected by a WAN such as the Internet.
Advantages of WANboot
The advantages of WANboot over basic JumpStart include:
Limitations of WANboot
17-27
Exercise Summary
Exercise Summary
!
?
17-28
Experiences
Interpretations
Conclusions
Applications
Index
Symbols
# (pound) 2-18
* (asterisk) 11-3
. (period) 11-3
/etc/bootparams file 16-4,
16-37, 16-38, 16-40, 16-41, 16-89
/etc/coreadm.conf file 5-8
/etc/default/nfslogd file 6-9
/etc/defaultdomain file 14-17
/etc/dfs/dfstab file 6-9, 6-10,
6-15, 16-4, 16-38, 16-42
/etc/dfs/fstypes file 6-9, 6-25
/etc/dfs/sharetab file 6-9,
6-10, 6-13
/etc/dumpadm.conf file 5-3, 5-4
/etc/ethers file 16-4, 16-38
/etc/hostname.eri0 file 1-7
/etc/hostname.hme0 file 1-7
/etc/hostname.hme1 file 1-7
/etc/hostname.qfe0 file 1-7
/etc/hostname.xxn file 1-6, 1-7
/etc/hosts file 1-7, 12-2
/etc/inet/hosts file 1-6, 1-8,
16-4, 16-38
/etc/inet/hosts/ file 1-8
/etc/inet/inetd.conf
file 2-16, 2-18
/etc/inet/service file 2-23
/etc/inet/services file 2-25
/etc/mnttab file 6-13, 6-25
/etc/mnttab file system 7-15
/etc/netmasks file 16-88, 16-89
Index-1
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
A
action field 11-3, 11-6
add_install_client script 16-23,
16-40, 16-68, 16-89
addresses
Ethernet 1-2
anonymous memory pages 4-2
AutoFS file system 7-2
automount
maps 7-5
script 7-2
automount command 7-2, 7-14
automount system
starting 7-16
stopping 7-16
automountd daemon 7-2
B
banner command 1-2
begin script 16-52
boot programmable read only memory
See boot PROM
boot PROM 1-2
bounds file 5-2
Index-2
C
canonical host name 1-9
check script 16-21
client 2-3
client processes 2-2
client-server 2-1, 2-4
introducing 2-2
relationship 2-2, 12-8
clone 17-2
commands
/usr/sbin/flar 17-10
/usr/sbin/sys-unconfig 1-10
automount 7-2, 7-14
banner 1-2
coreadm 5-6, 5-9, 5-10, 5-12
dfshares 6-23
dumpadm 5-2, 5-3, 5-4
flarcreate 17-7
ifconfig 1-3
ifconfig -a 1-2, 1-3
make 14-16, 16-87
mount 6-11
pagesize 4-5
ping 1-4, 1-5
rpcbind 2-28
rpcinfo 2-28
savecore 5-2, 5-3
share 6-10, 6-11, 6-17, 6-19
shareall 6-10
swap -a 4-8
swap -l 8-13
sys-unconfig 1-11
uname -n 5-2, 5-5
unshare 6-17, 6-22
ypinit 14-20
ypstop 14-19
ypwhich -m 12-6
core file
definition 5-6
paths 5-9
pattern 5-11
coreadm command 5-6, 5-7, 5-8, 5-9, 5-10,
5-12
crash dump 5-2
daemons
/usr/sbin/in.rarpd 16-37
automountd 7-2
in.tftpd 16-68
inetd 2-16
Internet Service. See inetd
lockd 6-12
mountd 6-11, 6-12
nfsd 6-12, 6-13
nfslogd 6-9, 6-12, 6-14, 6-34
nscd 12-18
rpc.spayd 2-27
rpc.yppasswdd 14-7
rpc.ypupdated 14-8
statd 6-12
syslogd 11-2, 11-8
ypbind 12-7, 14-7
ypserv 14-7
ypxfrd 14-7
databases
/etc/security/auth_attr 10-27
passwd 14-10
delimiter 11-3
dfshares command 6-23
dfstab file 6-10
directories
/tftpboot 16-38, 16-68
/usr/lib/help/auths/locale/C 10-4
DNS 1-8, 2-2, 2-4, 12-7, 13-2
configure 13-3
edit client configuration files 13-6
namespace 12-4
Domain Name System. See DNS
dump device 5-2
dumpadm command 5-2, 5-3, 5-4
Dynamic Host Configuration Protocol
(DHCP) 1-5, 1-9
facility 11-3
file systems
/etc/mnttab 7-15
AutoFS 7-2
mntfs 6-25
swapfs 4-4
UFS 8-4
files
/etc/bootparams 16-4, 16-37, 16-38,
16-40, 16-41, 16-89
/etc/coreadm.conf 5-8
/etc/default/nfslogd 6-9
/etc/defaultdomain 14-17
/etc/dfs/dfstab 6-9, 6-10, 6-15, 16-4,
16-38, 16-42
/etc/dfs/fstypes 6-9, 6-25
/etc/dfs/sharetab 6-9, 6-10, 6-13
/etc/dumpadm.conf 5-3, 5-4
/etc/ethers 16-4, 16-38
/etc/hostname.eri0 1-7
/etc/hostname.hme0 1-7
/etc/hostname.hme1 1-7
/etc/hostname.qfe0 1-7
/etc/hostname.xxn 1-6, 1-7
/etc/hosts 1-7, 12-2
/etc/inet/hosts 1-6, 1-8, 16-4, 16-38
/etc/inet/hosts/ 1-8
/etc/inet/inetd.conf 2-16, 2-18
/etc/inet/service 2-23
/etc/inet/services 2-25
/etc/mnttab 6-13
/etc/netmasks 16-88, 16-89
/etc/nfs/nfslog.conf 6-9
/etc/nodename 1-9
/etc/nsswitch.conf 12-14
/etc/passwd 16-61
/etc/rcS.d/S30network.sh 1-6
/etc/rcS.d/S30rootusr.sh 1-6
/etc/rmtab 6-9, 6-11
/etc/shadow 16-61
/etc/syslog.conf 11-2, 11-3, 11-7
/etc/timezone 16-88
/etc/vfstab 4-3, 4-6, 4-8, 4-9
/tftpboot 16-4
/usr/include/sys/syslog.h 11-3
E
err field 11-3
Ethernet
address 1-2
displaying 1-2
marking interfaces up and down 1-3
Index
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
Index-3
/var/adm/messages 11-3
/var/crash/nodename/unix.X 5-2
/var/crash/nodename/vmcore.X 52
/var/yp/Makefile 16-86
/var/yp/securenets 14-13
bounds 5-2
dfstab 6-10
hostname.xxn 1-6
Makefile 14-19
minfree 5-5
name service switch 14-10
passwd.adjunct 14-14
profile 16-19, 16-53
rules 16-8, 16-19
sysidcfg 16-5, 16-13, 16-43
ypservers 14-18
finish script 16-61
flarcreate command 17-7
flash
deployment 17-3
installation 17-2, 17-3
installation logs 17-26
limitations of 17-5
flash archive
administration 17-10
creation 17-4
extraction 17-3
JumpStart installation 17-19
flash installation
/usr/sbin/flar command 17-6
/usr/sbin/flarcreate
command 17-6
hardware requirements 17-5
folder 3-5
G
GUI 10-30
H
hang-up signal. See HUP signal
hostname.xxn file 1-6
hot spare 8-26
Index-4
I
ICMP ECHO_REQUEST packets 1-4
ifconfig -a command 1-2, 1-3
ifconfig command 1-3
ifconfig utility 1-6
in.ftpd server process 2-18
in.tftpd daemon 16-68
inetd daemon 2-16
init process 5-7
Internet Protocol (IP) address 1-2
Internet service daemon 2-16
IPv4 1-6
IPv4 Interface
describing and configuring 1-6
J
JumpStart
boot problems 16-67
client 16-4
booting 16-26, 16-36
configuration services 16-7
identification items 16-6
installation services 16-9
spooled image 16-10
configuring 16-3
identification services 16-5
procedure 16-2
process 16-37
server
boot services 16-4
component services 16-3
implementing 16-11
troubleshooting 16-67
versus Flash installation 17-2
LAN 1-2
LDAP 2-4, 12-9, 13-8
client 13-8
authentication 13-8
configure 13-10
unconfigure 13-18
legacy application 3-2, 3-5, 3-14, 4-5
local area network
See LAN
lockd daemon 6-12
log host 11-2
logical storage volumes 8-2, 9-2
loopback interface 1-3
M
m4 macro processor 11-8
MAC address 1-2
majority consensus algorithm 8-24
make command 14-16, 16-87
Makefile file 14-19
management scope 3-28
management tools 3-4
master 17-2
media access control (MAC) address 1-2
metadevices 8-2, 9-2
minfree file 5-5
mirror
configuring 8-7, 9-31
one-way 8-26
read policies 8-11, 9-32
write policies 8-11, 9-32
mntfs file system 6-25
mount command 6-11
mountd daemon 6-11, 6-12
MPSS 4-5
Multiple Page Size Support service
(MPSS) 4-5
Index
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
Index-5
P
pagesize command 4-5
paging 4-5
panic routine 5-2
passwd database 14-10
passwd.adjunct file 14-14
physical addresses 4-2
physical memory 4-2
ping command 1-4, 1-5
port assignments 2-21
process
init 5-7
rpcbind 2-25
sendmail 2-22
profile 16-53
profile file 16-19, 16-53
PROM 1-2
protocols
Dynamic Host Configuration Protocol.
See DHCP 1-5
R
RAID 8-13
description of 8-2
levels 8-2, 9-2
RAID 0+1 8-7
RAID 1+0 8-7
RAID 5 8-13
distributed parity 8-14
requirements 8-15
RAID-5 volumes
hardware considerations 8-16
suggestions 8-15
RARP 16-4, 16-43
RBAC 3-3, 10-2
component interaction 10-21
features 10-31
managing
building roles 10-52
building user accounts 10-35
using the GUI 10-30
RBAC databases
/etc/security/exec_attr
database 10-7
Index-6
/etc/security/prof_attr 10-22
/etc/user_attr 10-2
redundant array of independent disks
See RAID
relationships, client-server 12-8
remote procedure calls (RPC) 1-9
Reverse Address Resolution Protocol. See
RARP
right 10-4
role
definition 10-3
modify 10-9
role-based access control.See RBAC
root toolbox 3-4
root user 3-3, 10-3
routine, panic 5-2
RPC 1-9
rpc.spayd daemon 2-27
rpc.yppasswdd daemon 14-7
rpc.ypupdated daemon 14-8
rpcbind command 2-28
rpcbind process 2-25
rpcinfo command 2-28
rules file 16-8, 16-19
S
savecore command 5-2, 5-3
scripts
/etc/rc2.d/S88sendmail 2-22
add_install_client 16-23, 16-40,
16-68, 16-89
automount 7-2
begin 16-52
check 16-21
finish 16-61
ypinit 14-18
SCSI 8-12
SDK 3-4
selector 11-3
selector field, facility.level 11-3
sendmail process 2-22
server 2-1, 2-3, 2-16
services
Multiple Page Size Support serviceSee
MPSS
telnet 2-23
setgid mode 5-7
setuid mode 5-7
share command 6-10, 6-11, 6-17, 6-19
shareall command 6-10
Small Computer System Interface
(SCSI) 8-12
smc & command 3-6
smc edit & command 3-10
smc edit command 3-4
smcregister utility 3-4
snoop
options 1-5
utility 1-5
Solaris 9 Operating Environment (Solaris 9
OE) 11-2
Solaris Management Console
components 3-2
log viewer 11-1
rights tool 10-5
server 3-2
software development kit (SDK) 3-4
start 3-6
toolbox editor 3-2, 3-4
Solaris Management Console Toolbox
add tool 3-17
saving 3-32
Solaris Management Console Toolbox
Editor
start 3-10
uses 3-19
Solaris OE 8-4
Solaris Volume Manager 8-2, 8-6, 8-12, 9-2
Solstice DiskSuite 8-26
sprayd service 2-27
statd daemon 6-12
state database 8-23
state database replicas 8-25
storage volumes
concatenated 8-2, 9-14
striped 8-2, 9-14
submirrors 8-7
suninstall command 16-38
swap 4-6
swap -a command 4-8
swap area, adding 4-8
swap file
adding 4-8
definition 4-3
deleting 4-9
removing 4-9
swap -l command 8-13
swap partition 4-4
swap slices 4-3, 4-8
swap space
adding 4-8
allocation 4-7
definition 4-2
deleting 4-9
physical 4-4
removing 4-9
swap utility 4-6
swapfs file system 4-4
swapping, definition 4-5
switch, /etc/nsswitch.conf 14-9
sysidcfg file 16-5, 16-13, 16-43
syslog concept 11-2
syslog function 11-1, 11-2
syslogd daemon 11-2, 11-8
system console 11-2
system host name
canonical 1-9
changing 1-9
system log 11-2
system messaging 11-1
sys-unconfig command 1-11
T
TCP 2-21
telnet service 2-23
TFTP 16-4, 16-43, 16-68
tool 3-4
toolbox
link 3-4
URL 3-4
transport protocols
TCP 2-21
trivial file transfer protocol See TFTP
Index
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1
Index-7
U
UDP 2-21
UFS file system 8-4
uname -n command 5-2, 5-5
UNIX 10-2, 12-2, 12-8
unshare command 6-17, 6-22
user, regular 3-3
utilities
ifconfig 1-6
smcregister 3-4
snoop 1-5
swap 4-6
V
virtual addresses 4-2
virtual memory 4-2
volumes
concatenated 8-3
striped 8-5, 9-15
W
Web Start 17-2
X
X application 3-5
Y
ypbind daemon 12-7, 14-7
ypinit command 14-20
ypinit script 14-18
ypserv daemon 14-7
ypservers file 14-18
ypstop command 14-19
ypwhich -m command 12-6
ypxfrd daemon 14-7
Index-8