Creating a Solaris 8 branded zone

Similar Messages

• Solaris 8 branded zone and privileges

  Hello,
  I've just installed a Solaris 8 Branded zone to migrate an old server. The migration worked like a charm, and everything seems ok excepted one thing. The zone must run a Lotus Domino server, so the process needs to bind ports 80, 443 and 389, but it can't.
  I've found things about the limitpriv directive for the zone configuration, and the net_privaddr privilege to allow a process to bind ports under 1024.
  So now, if I run the process in the non global zone as root, it can bind, but if it is launched as the user notes, it can't.
  If I use the ppriv command to see what are the privileges of the process, I see :
  1945:   /opt/lotus/notes/latest/sunspa/server
  flags = <none>
          E: file_link_any,proc_exec,proc_fork,proc_info,proc_session
          I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
          P: file_link_any,proc_exec,proc_fork,proc_info,proc_session
          L: contract_event,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,
          file_dac_write,file_link_any,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,
          net_mac_aware,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_exec,proc_fork,proc_info,proc_lock_memory,
          proc_owner,proc_session,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_mount,sys_nfs,sys_resourceSo, the net_privaddr appears in the limit, but it is not enabled. How can I make it enabled for that process?
  Thanks

  Thanks for the link, good explanations about privileges but they seem unusable in Solaris 8 branded zone. It suggests to create a role with the privileges my process needs, using the "rolemod -K" command, but this option does not exist for the rolemod command in my Solaris 8 zone, it just supports "classic" RBAC.
  Maybe the solution would be to create the good profile for the user running the process, but I'm a little bit lost with RBAC and I can't find an existing profile corresponding to what I want.
  Actually, the limitpriv for my zone is "default,net_rawaccess,net_privaddr,file_dac_read" and that's all. I added net_privaddr and file_dac_read because I saw that a "ppriv -D" on the Lotus server complained about the lack of these privileges, but in fact they are already included in default privileges.

• Solaris 10-Branded Zone

  Hi,
  I am trying to establish whether the following configuration is officially supported (and documented):
  "Non-Global zone running a release of Solaris 10 which is older than the release of Solaris 10 running in the Global Zone".
  I'm familiar with the idea of Branded Zones to support Solaris 8, 9 & some Linux kernels, and have seen some forum posts where people have created Solaris 10-branded zones, but haven't really seen anything that puts the official seal of approval on that configuration. Also I'm familiar with LDOMs and appreciate that I could get to where I want to be that way too.
  Any help welcome.
  Thanks,
  Paul.

  This will be supported in Solaris 10 Upate 9 to a degree, using p2v. Below is a reply I had to a request I'd put in. You might also want to read this
  http://blogs.sun.com/jerrysblog/entry/zones_p2v
  Hi Sean,
  I got information that p2v project is being backported for S10u9
  This means, that you will be able to install a native zone from a flar.
  I don't have detailed information at the moment, how this will work in terms of
  patching in combination with Global Zone and other sibling NGZ's.
  +According to Jerry Jelinek, Solaris10-branded zones will not being backported to Solaris 10,+
  Got this info yesterday evening from Jerry.
  I'll provide some more info about the p2v project for native zones in coming Solaris 10_U9,
  once I got more details.
  So, I'd suggest to check, whether the mentioned p2v project with flar on native zones might fit your requirements.
  Thanks,
  Alfred
  Edited by: ftoomsh on Sep 2, 2010 3:02 AM

• Add zfs volume to Solaris 8 branded zone

  Hi,
  I need to add a zfs volume to a Solaris 8 branded zone.
  Basically ive created the zvol and added the following to the zone configuration.
  # zonecfg -z test
  zonecfg:test> add device
  zonecfg:test:device> set match=/dev/zvol/dsk/sol8/vol
  zonecfg:test:device> end
  When I boot the zone it comes up ok but I am unable to see the device, nothing in format, /dev/dsk etc etc
  Ive also tried to setmatch to the raw device as well to no avail.
  Basically I have numerous zvols to add and dont really want a load of mount points from the global zone then lofs back to the local zone
  Any ideas please??
  Thanks...

  Thanks but that's why I created zfs volumes and newfs'ed them to create UFS and presented those to the zone.
  In the end I just create a script in /etc/rc2.d and mounted the filesystems in there.

• Possible to upgrade Solaris 9 branded zone to 10?

  We have an application running in a Solaris 9 branded zone. The application version is not compatible with Solaris 10, however, the next version of the application is compatible with Solaris 10.
  So the plan is to upgrade the application in the branded zone, then upgrade the branded zone to Solaris 10.
  All the reading I have found so far indicates that it is not possible to upgrade a Solaris 9 branded zone to !0.
  Can it be done, and if so, pointers to a documented process would be helpful.

  fog-on-the-tyne wrote:
  We have an application running in a Solaris 9 branded zone. The application version is not compatible with Solaris 10, however, the next version of the application is compatible with Solaris 10.
  So the plan is to upgrade the application in the branded zone, then upgrade the branded zone to Solaris 10.If the next version is compatible with Solaris 10 then backup the data,
  create a new Solaris 10 zone
  install the new version into the zone
  migrate the data
  test
  destroy the now unnecessary Solaris 9 branded zone.
  For something like this play in a dev environment first.
  alan

• Solaris 8 branded zone core dump on cssd

  Hi,
  Just migrated my first Sol8 machine to a solaris 8 branded zone. but on the console I get error messages:
  Nov 8 12:45:42 gent320b cssd: The process "ccv.sh" has been killed by sig#139, core dumped
  Nov 8 12:45:47 gent320b cssd: The process "kkcv.sh" has been killed by sig#139, core dumped
  the netstat -f unix
  Active UNIX domain sockets
  Address Type Vnode Conn Local Addr Remote Addr
  stream-ord 6000ebffad8 00000000 /tmp/jd_sockV6
  output doesn't list any /dev/ccv or /dev/kkcv sockets like to 'real' machine.
  Any ideas?

  This error messages are output by
  cssd which is a input method of Japanese.
  If you don't use Japanese input method cs00, you can stop it by following method.
  # /etc/init.d/loc.ja.cssd stop
  # mv /etc/rc2.d/S90loc.ja.cssd /etc/rc2.d/_S90loc.ja.cssd

• Multithreading issue on Solaris 8 branded zone

  Hi,
  We are facing a multithreading problem in Solaris 8 container (branded zone) on Solaris 10.
  The core file shows 2 LWPs for a single thread.
  First LWP
  (dbx) lwp
  current LWP ($lwp) is l@1403
  (dbx) print this->m_ThreadId->m_IdImpl.m_PosixId
  this->m_ThreadId.m_IdImpl.m_PosixId = 1404U
  Second LWP
  (dbx) lwp
  current LWP ($lwp) is l@1404
  (dbx) print this->m_ThreadId->m_IdImpl.m_PosixId
  this->m_ThreadId.m_IdImpl.m_PosixId = 1404U
  Another point to note is that dbx returns 'MT support is disabled' for this program even though it has been built using the -mt option. The dbx version is Sun Dbx Debugger 7.5 2005/10/13.
  As far as I have read, the Solaris 8 branded zone uses the alternate T2 thread library. Note also that this program is linked with the alternate thread library @ /usr/lib/lwp.
  This alternate thread library is supposed to use the 1:1 thread model.
  Can someone explain why are we then seeing 2 LWPs for a single thread ?
  Thanks,
  Best regards,
  Raj Iyer

  This error messages are output by
  cssd which is a input method of Japanese.
  If you don't use Japanese input method cs00, you can stop it by following method.
  # /etc/init.d/loc.ja.cssd stop
  # mv /etc/rc2.d/S90loc.ja.cssd /etc/rc2.d/_S90loc.ja.cssd

• How to unlock Root Account in non-global zone on Solaris 10 Branded Zone

  Hello All,
  I have a phsical x86 server running Solaris 11. On top of that, I have 3 Solaris 10 branded zones configured. Due to security policy the root account has been locked by 5 failed login attempts.
  Is there a way by which I can unlock root account in non-global zone.
  I have the root access of global zone.
  Pls help as these are production servers.
  Regards

  Hey,
  It worked. Actually i forgot to save the file.
  I changed the /<zonepath>/root/etc/shadow
  Removed *LK* & then from global zone did zlogin -l root zonename
  Thanks  lot.

• Solaris 8 branded zone not booting after server reboot hangs at ready state

  Hi,
  For ipchange/hostname change we rebooted the physical server...once rebooting the Solaris brand 8 zone stucks at ready state.
  I have run the truss with zoneadm in the log process sleep and wait
  Will post the log soon..any help to troubleshoot the issue
  Both global zone and Ng zone having same hostid..
  dmesg::
  Apr 30 13:08:50 xyz zoneadmd[992]: [ID 702911 daemon.error] [zone 'abc'] WARNING: console /devices//pseudo/zconsnex@1/zcons@0 found, but it could not be removed.: I/O error
  bash-3.00# ps -ef|grep -i abc
  root 1441 1429 0 13:10:56 ? 0:00 /bin/ksh -p /usr/lib/brand/solaris8/s8_boot abc /abc
  root 1429 1 0 13:10:55 ? 0:00 zoneadmd -z abc
  root 1427 1397 0 13:10:54 pts/3 0:00 zoneadm -z abc boot -f -s
  root 1542 1441 0 13:10:56 ? 0:00 /bin/ksh -p /usr/lib/brand/solaris8/s8_boot abc /abc
  zoneadm list -cv
  2 abc ready /abc solaris8 shared
  Thanks
  Edited by: muvvas on Apr 30, 2012 2:25 PM

  moved the solaris 8 branded zone to other server.their its working fine.sorry for late reply.

• Inetd services (telnet, rlogin ,rsh) in Solaris 9 Branded Zone

  Hi,
  I've got two Solaris 9 Branded Zones running on an M3000. They both use exclusive IP.
  When I try and telnet, rlogin or rsh to either of my Solaris 9 zones from the other I get an error. With the r* commands I get a "Protocol error" message, and telnet just reports a terminated connection. I've tried Mr. Google, the results I get make sense for a physical host - i.e Protocol Error would occur if the server executable (in.rlogind, etc) was somehow messed up.
  Just to complicate things slightly the exclusive IP NICs are on a physically separate switch from the other NICs.
  I'd forgotten that with the Branded Zones some native features are actually handled by the underlying global zone (i.e. Solaris 10).
  Anyway, has anybody else had this same problem and how did you resolve it?
  Thanks
  Tim Shaw.

  I found out that the services in the Global Zone had been disabled. Simply enabling them fixed the problem :)

• How do I maintain a Solaris 10 branded zone?

  I'm not sure whether I should be putting this on the Solaris 10 or the Solaris 11 discussion since Solaris 10 branded zones run on top of Solaris 11 but I decided to put it here. I also apologize is this is clearly documented somewhere but if it is I've not found it.
  Once I've moved a Solaris 10 system or zone to a "Solaris 10 branded zone" how do I maintain it. As far as I can determine, I cannot apply maintenance updates to it (ie. go from Solaris 10 9/10 to Solaris 10 8/11). Attempts to apply the associated patch bundles seem to fail in the checking out the system code. So it appears that I'm stuck with simple patching. It also appears that you can't use Live Upgrade which means that you might destabilize the zone during patching which makes it awkward if you need to maintain uptime. Furthermore, if appears that backing out the kernel patch in the zone (on Intel at least) can clobber libc.so.1 which clobbers the zone (thank heaven for ZFS snapshots - rollback!).
  What is the safest way to patch these zones? Yes, I could recreate the zone from a Solaris 10 system but I'm thinking down the road where we're running Solaris 11 and Solaris 10 exists only in zones.

  I've not received an answer to this so I've started rolling my own procedure which I hope will work well; however, it seems that there should be some information available from Oracle about this.

• CREATING SOLARIS 8 BRANDED ZONE

  Attempting to configure a Solaris8 branded zone on a SunFireV125 (running Sol10_10/09). Got to the "zoneadm -z s8-zone boot" step and configuring for NIS when I received the following error:
  "The following error occurred while trying to set the netmask 255.255.248.0 on the network interface bge0:1: ioctl: Not owner"
  Running ifconfig -a on the global zone, bge0:1 shows up but with only the IP address. Any ideas out there in Sun land? I've tried a few things (even google) but to no affect.
  Btw, it is created as a shared-ip zone.
  Thanks,

  I would suggest setting the interface's netmask in the zone configuration.
  As an example:
  address=192.168.0.5/22
  Cheers,

• Trouble w/installing Solaris 10 branded zone on solaris 11.

  Having issues creating a policy that works installing solaris 10 u10 branded nfs zone on sol11 in opscenter 12c u1. Maybe i'm just overlooking something basic or it isn't supported in opscenter. I'm able to create the policy but seem to get a very non-informative error message when deploying it.
  Error Message:
  "The DeploymentPlan execution job failed because the DeploymentProvider ZoneDeploymentProvider for Step Create Solaris Zones failed to generate tasks for the job: Cannot prepare zone tasks: java.lang.NullPointerException. Contact My Oracle Support if the problem persists. (10445)"
  Here is the OpsCenter Profile:
  Name Prefix:      hous
  Starting Number:      1
  Zone Description:      solaris 10 update 10
  ZoneType:      
  Branded Zone
  Branded Zone Image:      
  s10-update10-flar
  Automatic Recovery:      
  Yes
  Priority of Recovery:      0
  CPU Shares:      1
  CPU Cap:      0
  Physical Memory Cap:      0
  Locked Memory Cap:      0
  Virtual Memory Cap:      0
  Language:      en_US.ISO8859-15
  Time Zone:      US/Central
  Terminal Type:      xterm
  NFSv4 Domain Name:      dynamic
  Automatically boot zone when the global zone is booted:      
  Yes
  Automatically boot zone after creation:      
  Yes
  Storage for the metadata Library:      NAS, zone-prod1

  Problem found. To jumpstart last two HP Blades we used the copies of AI templates. When we did it from scratch and re-installed the Solaris 11.0 we have no more errors.

• Build Solaris 8 branded zone with ufs /var  etc

  We have an ancient application which runs on Solaris 8 which we would like to move to a Branded zone. The issue we have is that the application does a fstyp (but within the binary) on any file system that its is writing to and barfs if it doesn't recognise the type. Unfortunately we are limited to basically ufs and vxfs.
  The problem is that I need to have /var configured as a UFS filesystem during the zone build ......
  Now I know all of the methods that can be used to mount a filesystem within a branded zone:
  1) Add FS within zonecfg ... fstype doesn't return UFS
  2) LOFS : Doesn't return UFS
  3) Mounting a file system after zone boot .... Great for non-system filesystems but not for /var
  4) "add device" ... might work BUT I need to build /var during zone configuration .,.....
  Any ideas?
  Edited by: user13012897 on Dec 8, 2010 5:41 AM

  It's not straightforward, but I'd consider writing an interposer library that gets loaded via LD_PRELOAD and gives a different answer than fstyp() would normally give.
  http://www.itworld.com/UIR000929interposers

• Probem in creating Solaris 10 branded zone on Solaris 11.0

  Hello,
  I'm creating a zone on HP Blade with Solaris 11.0 using VM template Solaris 10u10 (x86).
  I haven't /etc/defaultrouter file, my Solaris 11 is 11/11 and not Express version.
  The error shows that variable used for temporary directory is lost. It's very strange because I completed 5 installations in the same way without any problem. But two last just are stopping with this error:
  ./setupSysidcfgStaticIP[50]: America/Montreal/sysidcfg.VL-VM-LD104: cannot create [No such file or directory]
  cp: cannot access America/Montreal/sysidcfg.VL-VM-LD104
  chmod: WARNING: can't access America/Montreal/sysidcfg.VL-VM-LD104
  The "setupSysidcfgStaticIP" script is one of the many in the image which runs the creation of sysidcfg-file for the zone. It has 9 arguments to run:
  CONT=$1
  ZONEPATH=$2
  NIC=$3
  IP_ADDR=$4
  NETMASK=$5
  DEFROUT=$6
  PASSWD=$7
  TZONE=$8
  TMPDIR=$9
  The sysidcfg-filename is calculated as SYSIDCFG=$TMPDIR/sysidcfg.$CONT <- here is the error, the $TMPDIR fails
  After that the script creates the file and renames it:
  /usr/bin/rm -rf $SYSIDCFG
  /usr/bin/sed -e s/RzoneR/$CONT/ $_tktHome/conf/sysidcfgStaticIP |\
  /usr/bin/sed -e s/RnicR/$NIC/ |\
  /usr/bin/sed -e s/RnetmaskR/$NETMASK/ |\
  /usr/bin/sed -e s/RdefaultrouterR/$DEFROUT/ |\
  /usr/bin/sed -e s/Rip_addrR/$IP_ADDR/ |\
  /usr/bin/sed -e s]RtimezoneR]$TZONE] |\
  /usr/bin/sed -e s]RpasswdR]$PASSWD] >> $SYSIDCFG
  /usr/bin/cp $SYSIDCFG $ZONEPATH/root/etc/sysidcfg
  /usr/bin/chmod 777 $SYSIDCFG
  The tmpdir is created and used in main script but it fails in the subroutine. I don't understand why it was used before without any problem and now it fails. I spent yesterday about 6 hours to debug it but still don't have any idea how to fix it.
  I use the image solaris-10u10-x86.bin .
  I cannot use the newer image solaris-10u11-x86.bin (which works perfectly) because it isn't certified for our production and the set of servers needs to be installed with the same patch level.
  Any help will be appreciated!
  Vlad
  Edited by: 919435 on May 24, 2013 5:56 AM

  Problem found. To jumpstart last two HP Blades we used the copies of AI templates. When we did it from scratch and re-installed the Solaris 11.0 we have no more errors.