Can I import one non-global zone from one machine to another?

Similar Messages

• What is the maximum number of datasets you can use in a non-global zone.

  I have been trying to assign 8 datasets to a non-global zone. Whilst I can create as many as I like using the zonecfg command, when I boot the zone only the first 7 ever get mounted. Running zfs list in the zone also only displays the first 7 datasets.
  Any assitance will be greatly appreciated.
  I am running
  Solaris 10 8/07 s10s_u4wos_12b SPARC
  Chris

  http://download-west.oracle.com/docs/cd/B19306_01/server.102/b14200/expressions014.htm
  A comma-delimited list of expressions can contain no more than 1000 expressions. A comma-delimited list of sets of expressions can contain any number of sets, but each set can contain no more than 1000 expressions.
  The following are some valid expression lists in conditions:
  (10, 20, 40)
  ('SCOTT', 'BLAKE', 'TAYLOR')
  ( ('Guy', 'Himuro', 'GHIMURO'),('Karen', 'Colmenares', 'KCOLMENA') )

• Pkgmap files missing in global zone, can't build non-global zone

  My solaris 10 server is missing the pkgmap files for the packages. As a result, I can't build a non-global zone. Is there a way to recreate the pkgmap files?
  The OS on the Solaris 10 server was installed via jumpstart (initial install). However, the Jumpstart process used a Solaris 9 boot server which seems to have caused the missing pkgmap problem.
  Does anyone know of any other problems which would result from a version mismatch between a boot and installation server during the jumpstart process?

  Hi, i have problems with building transmission from svn too:
  $ versionpkg
  ==> retrieving latest revision number from svn... 3730
  ==> newer revision detected: 3730
  ==> Entering fakeroot environment
  ==> Making package: transmission-svn 3730-1 (Di 6. Nov 08:28:38 CET 2007)
  ==> Checking Runtime Dependencies...
  ==> Checking Buildtime Dependencies...
  ==> Retrieving Sources...
  ==> Validating source files with md5sums
  ==> Extracting Sources...
  ==> Removing existing pkg/ directory...
  ==> Starting build()...
  Fetching external item into 'Transmission/third-party/libevent'
  Checked out external at revision 477.
  Checked out revision 3730.
  ==> SVN checkout done or server timeout
  ==> Starting make...
  ./autogen.sh: line 16: autoreconf: command not found
  Creating aclocal.m4 ...
  Running glib-gettextize...  Ignore non-fatal messages.
  Copying file mkinstalldirs
  Copying file po/Makefile.in.in
  Please add the files
    codeset.m4 gettext.m4 glibc21.m4 iconv.m4 isc-posix.m4 lcmessage.m4
    progtest.m4
  from the /aclocal directory to your autoconf macro directory
  or directly to your aclocal.m4 file.
  You will also need config.guess and config.sub, which you can get from
  ftp://ftp.gnu.org/pub/gnu/config/.
  Making aclocal.m4 writable ...
  Running intltoolize...
  PKGBUILD: line 33: ./configure: No such file or directory
  make: *** No targets specified and no makefile found.  Stop.
  ==> ERROR: Build Failed.  Aborting...
  ==> ERROR: Reverting pkgver...
  i dont know whats up with the autoreconf
  i hope anyone can help me!
  greez

• After installing 137137-09 patch OK in global zone, bad in non global zone

  Hi all,
  scratching my head with this one.
  Installed 137137-09 fine on Sun Fire V210. Machine has one non global zone running a proxy server (nothing very exciting there!). non global zone has a local filesystem attached, but don't think this is the issue (on my test V210 I created the same sort of filesystem and was unable to replicate the problem :( ).
  So 137137-09 is fine in the global zone (I had the non global zone halted when patch installed) it is also installed in the non global zone (ie, when zone boots it says it's at rev 137137-09 via uname) in the patch log in the non global zone I get this:
  PKG=SUNWust2.v
  Original package not installed.
  pkgadd: ERROR: ERROR: unable to get zone brand: zonecfg_get_brand: No such zone configured
  This appears to be an attempt to install the same architecture and
  version of a package which is already installed. This installation
  will attempt to overwrite this package.
  /usr/local/zones/cotchin/lu/dev/.SUNW_patches_1000109009-1847556-000000d3e42faa84/137137-09/FJSVcpcu/install/checkinstall: /usr/local/zones/cotchin/lu/dev/.SUNW_patches_1000109009-1847556-000000d3e42faa84/137137-09/FJSVcpcu/install/checkinstall: cannot open
  pkgadd: ERROR: checkinstall script did not complete successfully
  Dryrun complete.
  No changes were made to the system.
  I'm not sure if the branding error is causing the checkinstall postpatch script error or if they are not related. There doesn't seem to be any obvious permissions problems that I can find. I have checked that all the pkg and patch patches are up to date on the system. Searching on the brand error gives me a link to a problem with 127127-11, but that was installed on the system before the local zone was created and all the other seemingly appropriate patches (eg: 119254) are all up to date or at a higher revision than recommended.
  I see the same problem on a M5000 which has two non global zones on it.
  Both machines had the Solaris 10 50/08 update bundle applied when it came out,a nd have had recommended patch sets applied at regular intervals since.
  This issue only came to light when trying the latest bundles with 138888-01/02 in it, and those fail to install on the global zones because the non global zone install dies claiming 137137-09 is not installed (which is plainly wrong).
  I've tried to recreate this on a test server but unfortunately everything works as it should, even though the test server has a similar history in terms of patches and original setup to the others.
  I'm planning to try to detatch the non global zone and try an attach -u to see if it will update the patches properly, but I'm not holding out much hope on that one (I need to wait for a mainteiance window when I can take the zone down in a couple of days).
  Any ideas?

  Well, I am following up to my own post it seems I have determined what is causing the problem, or at least situations where the problem can be reproduced which I have been able to do on my test system.
  It seems that if the zone container's zonepath is in /usr (eg: /usr/zones, /usr/local/zones, or some other path under /usr) the patchadd of 137137-09 will fail with the log similar to posted above, and this will stop further kernel patches (eg: 138888-02) being added.
  The test system had everything patched to current and searching the web I can't find any other instances of this being an issue, but I have reproduced this problem on my test machine (which worked OK because it's test zones were in a filesystem mounted as /zones). When I used zoneadd -z <zonename> move to a zone in /usr/local and applied 137137-09 the same problem came up.
  Not sure what is causing this issue.. I imagine it might have to do with some sort of confusion with the patch utilities and the read-only loopback filesystems in the sparse root zone but I can't bs sure.
  Maybe someone at sun will see this and figure out what the deal is :)
  When I moved my test zone back to /zones the patch applied perfectly so it's definitely having it in /usr or /usr/local (I tried both locations, even though they are seperate ufs filesystems on my test server).
  Oh I am running DiskSuite to mirror filesystems on my V210's which may or may not have anything to do with it.
  Hope this helps someone in the future at least!

• Always install applications into non-global zones?

  I am planning on taking full advantage of Containers and Zones as I migrate servers and applications to Solaris 10. During this migration process, I believe that I will have a need to initially just run just one application on a server. I fear that if I do this in the global zone I will lose flexibility down the road for future projects and workloads. So, should I consider always installing applications in a non-global zone and never install applications in the global zone? This would keep the global zone as the controller of the non-global zones and ensure that I can always add more non-global zones later without having to worry about what is running in the global zone.
  Are there any thoughts or comments on this topic?

  Yes we've found it's best to run the applications in non-global zones. Here are a few benefits, basically we only put an application in the global zone if it requires it (like Oracle RAC). Note non-RAC instances of Oracle will run in a non-global zone just fine.
  Reasons to put applications in non-global zones
  o Increased security (self contained environment)
  o Increased flexibility for provisioning resources (CPU, memory, etc) when/if we decide to run multiple applications on the same hardware
  o Increased flexibility in starting up temporary environments to debug issues in parallel to the primary environment (i.e. in another non-global zone on the same server)
  o Works well with Sun Cluster (i.e. we cluster the non-global zones so that they can run across several hosts)
  o Improved trouble shooting and performance diagnosis as the applications are isolated to a non-global zone
  o Simplified environment for the application admins as the environment can be fine tuned for their needs (i.e. only let them see what they need)
  o Disaster recovery is much faster for a non-global zone

• NFS and non global zones

  Hi,
  Ive read numerous threads about mounting NFS shares to non global zones but have still not been able to successfully resolve my issue.
  I have 5 T3-2's which are being used as standalone SAP servers running Solaris 10u9 and numerous sparse non global zones. Basically I have a 1Tb HDS LUN presented to 1 T3-2 and have NFS shared this out as /stage to the remaining 4 global zones which works as expected.
  However I am unable to mount the shared NFS filesystem to the non global zones.
  When I try to mount the NFS share from the non global zone itself I receive RPC errors, I have also tried configuring the non global zone with the NFS mount (from the global zone) as lofs but the zone wont boot and also manually mounting the NFS mount from the global zone which looks like it works but when I do a df on the non global zone I receive stat erros.
  Ive even tried linking the NFS share on the global zone to the non global zone directory but that produces a strange linkage when the zone is booted.
  Numerous threads say this is not supported but I cant believe Oracle after ~6/7 years of zones and numerous threads on the subject wouldnt have resolved this issue.
  I could easily locally mount the storage locally and lofs it to the non global zone but unfortunately dont have the storage capacity available which is why I thought NFS mounting to the non global zone would work!!
  Any suggestions would be gratefully received!
  Thanks.

  If you are trying to mount NFS file system on non-global zone from global zone of the same server, use lofs instead.
  You can mount the same file system to all non-global zones using lofs and all non-global zones have read/write access to it.
  If it is global zone of some other server then you can use NFS. But before that check the way it is exported on NFS server whether the client from which you are trying to mount it has permissions to do so.

• Zfs package difference in Global and Non-Global zones

  I have a T2000 hosting many zones. The Global zone and all but one Non-Global zone has 3 zfs packages installed SUNWzfskr, SUNWzfsr, SUNWzfsu). Becuase this one non-global zone is missing the zfs packages, kernel patch 120011-14 also didn't install on that single non-global zone.
  I am curious, can i install SUNWzfskr, SUNWzfsr, SUNWzfsu on the non-global zone that is missing the packages?
  Any ideas how to resolve the kernel patch descrepancy between the global and non-global zone?

  patch 122640-05 installs the SUNWzfskr SUNWzfsr SUNWzfsu packages if they are not already installed on the system.

• Running commands across global and non-global zones

  Other than using ssh and public key access, is there better way to run a command in both the global and non-global zone? I need to disable some services (svcadm disable ... ) in both the global and non-global zones.
  Thanks,
  Roger S.

  You can run commands in the non-global zone with the "zlogin" command from the global zone.
  Running commands in a non-global zone from a non global zone works only with ssh, (or any other method using network)

• Ssh to non-global zone slow

  I'm running b60 on X86 with 1 zone. ssh into the global zone is fine with almost instant response. SSH into the non-global zone takes about 10-15 seconds to produce the password prompt. I've tried this with and without rctl limits, same behaviour.
  Any help is appreciated
  Thanks
  Suresh

  I'm using b63 on opteron with about a dozen zones and have no delay when
  ssh'ing to the global or non-global zones. One common thing to check is that your nameservice for
  performing reverse lookups is quick.
  Once you have logged in, try doing:
  time getent hosts <IP_YOU_LOGGED_IN_FROM>
  and see how long that takes to come back.
  Also check your /etc/hosts.allow & /etc/hosts.deny in case you are using identd or some other tweak
  to libwrap (tcpwrappers) that may trigger a delay.
  I'm running b60 on X86 with 1 zone. ssh into the
  global zone is fine with almost instant response. SSH
  into the non-global zone takes about 10-15 seconds to
  produce the password prompt. I've tried this with and
  without rctl limits, same behaviour.
  Any help is appreciated
  Thanks
  Suresh

• Non-global zones on a SAN???

  Hi everyone, i have a question that's probably been asked before and i'm sure many others are interested in knowing the answer.
  Is it possible to store non-global zone(s) on a SAN? The idea being that if the server hosting the non-global zone(s) dies, the non-global zone(s) can be brought up on another server that also has access to the same SAN. This is sort of what vmware can do. It would be great if Solaris 10 non-global zones could also do it.
  Stewart

  Yes it is possible to do this. In fact if you use Sun Cluster (now free) it can be setup so that the zones automatically start on another node within the cluster. Basically any application that can run in a non-global zone can be clustered.
  This also helps greatly with resource balancing as you can move zones between servers as needed. Note the zone does have to shutdown as start again but that usually takes less than a minute.

• Can I upgrade patches to non-global zones separate from a global zone?

  Normally, one would assume that you want to keep global and non-global zones in sync. However, at the software company I work for we could potentially want to test on different patch levels of Solaris10 simultaneously. I can't bring down the global zone and change it's patch set everytime I would need this. My only option would be to have separate hardware and separate global zone for each patch set which kinda defeats the purpose IMHO.
  Anybody out there know if this is possible?

  Whole root zones allow you to have different levels of an application installed in different zones.
  But they don't really provide a good mechanism for testing different patch levels of solaris itself.
  Since theres really only one copy of solaris running, its just providing different views of itself.
  If you want to actually test solaris patch levels you need to do "real" virtualisation rather than para virtualisation provided by zones.
  So either somethig like ldoms on sparc hardware, or vmware or equivalent on x86.

• SFTP chroot from non-global zone to zfs pool

  Hi,
  I am unable to create an SFTP chroot inside a zone to a shared folder on the global zone.
  Inside the global zone:
  I have created a zfs pool (rpool/data) and then mounted it to /data.
  I then created some shared folders: /data/sftp/ipl/import and /data/sftp/ipl/export
  I then created a non-global zone and added a file system that loops back to /data.
  Inside the zone:
  I then did the ususal stuff to create a chroot sftp user, similar to: http://nixinfra.blogspot.com.au/2012/12/openssh-chroot-sftp-setup-in-linux.html
  I modifed the /etc/ssh/sshd_config file and hard wired the ChrootDirectory to /data/sftp/ipl.
  When I attempt to sftp into the zone an error message is displayed in the zone -> fatal: bad ownership or modes for chroot directory /data/
  Multiple web sites warn that folder ownership and access privileges is important. However, issuing chown -R root:iplgroup /data made no difference. Perhaps it is something todo with the fact the folders were created in the global zone?
  If I create a simple shared folder inside the zone it works, e.g. /data3/ftp/ipl......ChrootDirectory => /data3/ftp/ipl
  If I use the users home directory it works. eg /export/home/sftpuser......ChrootDirectory => %h
  FYI. The reason for having a ZFS shared folder is to allow separate SFTP and FTP zones and a common/shared data repository for FTP and SFTP exchanges with remote systems. e.g. One remote client pushes data to the FTP server. A second remote client pulls the data via SFTP. Having separate zones increases security?
  Any help would be appreciated to solve this issue.
  Regards John

  sanjaykumarfromsymantec wrote:
  Hi,
  I want to do IPC between inter-zones ( commnication between processes running two different zones). So what are the different techniques can be used. I am not interested in TCP/IP ( AF_INET) sockets.Zones are designed to prevent most visibility between non-global zones and other zones. So network communication (like you might use between two physical machines) are the most common method.
  You could mount a global zone filesystem into multiple non-global zones (via lofs) and have your programs push data there. But you'll probably have to poll for updates. I'm not certain that's easier or better than network communication.
  Darren

• Non-Global Zones - how can I tell what the Global Zone is

  Hi,
  I have a host that I know is a non-global zone (ngz). I can ssh to the ngz as root or a non-privileged user.
  But once there how do I know what the host name for the global zone is?
  I could probably run a script from all global zones to report all running zones and so I'd know that way but I have a specific need to know from inside the ngz.
  Thanks!
  Brian

  bdunbar wrote:
  That's a built-in security feature; and I know of no way to circumvent this mechanism.
  I had some hope that there was a way to 'see' at least the global-zone information from the zone. From the shell the 'zone' commands are available ..
  :# zoneadm list -cv
  ID NAME             STATUS         PATH                         
  48 hostname_svn   running        /  So it's at least aware that it is a zone, even if it can't tell me anything else about itself. I can still go the long way around to get the information for my need, thanks.
  The global zone is the only thing that can see everything. The non-global zones can only see information specific to their zone.
  This is by design and it really is a security mechanism. You don't want the zones running outside of their boundaries and information about the global zone (or any other zone) is outside the boundaries of a non-global zone.
  Cheers,

• How can 2 non-global zones share a singe ethernet?

  This may be a very basic question. I am new the this board and trying to learn more about the Solaris Zone.
  I am trying to find out whether sharing an ethernet card between two non-global zones is possible.
  Where can I get additional infor on this topic?
  Thanks,

  I just found the answer to my question. Thanks, Can you post a link to where you found the answer?
  Birdman >>I'm not exactly sure what he found, but you might try this link, to the zones documentation:
  http://docs.sun.com/db/doc/817-1592/6mhahuos1?a=view#z.admin.ov-12
  The answer to the question is "yes" you can do this, and in fact it is somewhat trivial. We've long had a feature in Solaris called "logical network interfaces". This allows multiple logical interfaces to be defined atop a single physical one. Zones uses this feature and creates logical interfaces atop a single virtual interface. You can even have multiple network interfaces assigned to the same zone, without any problem.
  -dp

• *Missing utilities in Solaris11 Non global zone.*

  Hi,
  I created Non Global zone in Solaris 11, I found many utilities are missing in Non Global zone machine. For example in non global zone /usr/xpg4/bin contains only 2 utilities where as in global zone I have 68utilities. I copied few utilities from my global zone machine which ever is required for me(ex: id,grep,egrep....). I need to enable rlogin, telnet, ftp in my Solaris 11 non global zone machine. I installed pkg:/service/network/legacy-remote-utilities. But no luck. In some thread i found workaround to enable rlogin.
  rlogin on zones in solaris 11 i found a workaround.
  Need to copy 2 binaries and 2 .xml manifest from GZ to NGZ
  cp /usr/sbin/in.rlogind
  cp /lib/svc/manifest/network/login.xml
  cp /usr/sbin/in.rshd
  cp /lib/svc/manifest/network/shell.xml
  Question1: how about other services?
  Question2: As a concept It has to have all the utilities which is available in Global zone. Why these many utilities are missing? Am I doing any thing wrong or is it zone limitation? we are facing issue in only Solaris 11. where as in Solaris10 every thing works fine.

  What you observed is normal. The basic Solaris 11 zone install gives you a somewhat minimal install. If you want additional packages, you can install them. If you want the zone install to have what you would install from a CD I suppose you could do a the following:
  pkg install slim_install
  pkg uninstall slim_install
  My understanding is that the slim_install package contains dependencies which loads all of the desktop software but doesn't contain any content itself - which is why you can (and should) remove it afterwards.
  That said, normally one uses a zone for a particular purpose. A better approach might be to install only the software in the zone which is needed for that purpose. That would save space, limit security exposure and reduce maintenance overhead. If your purpose is to have a full user environment, that may be to include all the slim_install packages and maybe others as well.
  I would recommend that you not install services by copying files. If you need a service find out what package contains that service and install the package in the zone. That way you won't break maintenance via pkg update.
  So - your questions:
  1. A Solaris 11 zone install is minimal, presumably to make it easy to set up simple single function zones. Additional packages can be added as needed using "pkg install" as needed to provide any necessary services.
  2. Solaris 10 zones work differently and import most packages from the global zone. With Solaris 10 sparse zones, you actually use the same files from the global zone. Solaris 11 zones are different in that they are actually a separate install. The basic install is minimal, presumably to allow for small and simple single function zones. You are not doing anything wrong with respect to the basic install, this is just how things work.