How do I maintain a Solaris 10 branded zone?

I'm not sure whether I should be putting this on the Solaris 10 or the Solaris 11 discussion since Solaris 10 branded zones run on top of Solaris 11, but I decided to put it here. I also apologize if this is clearly documented somewhere, but if it is I've not found it.
Once I've moved a Solaris 10 system or zone to a "Solaris 10 branded zone", how do I maintain it? As far as I can determine, I cannot apply maintenance updates to it (i.e. go from Solaris 10 9/10 to Solaris 10 8/11). Attempts to apply the associated patch bundles seem to fail in the checking out the system code. So it appears that I'm stuck with simple patching. It also appears that you can't use Live Upgrade, which means that you might destabilize the zone during patching, which makes it awkward if you need to maintain uptime. Furthermore, it appears that backing out the kernel patch in the zone (on Intel at least) can clobber libc.so.1, which clobbers the zone (thank heaven for ZFS snapshots - rollback!).
What is the safest way to patch these zones? Yes, I could recreate the zone from a Solaris 10 system but I'm thinking down the road where we're running Solaris 11 and Solaris 10 exists only in zones.

I've not received an answer to this so I've started rolling my own procedure which I hope will work well; however, it seems that there should be some information available from Oracle about this.

Similar Messages

  • [Solved] Arch Linux in a Solaris branded Zone

    Hello,
    After having read this article at the Genunix WiKi, I'd very much like to install Arch Linux (http://204.152.191.100/wiki/index.php/I … anded_zone) in a Solaris branded Zone. However, the Arch Linux file to download is about two years old now, so I'd like to roll one with a bit more recent kernel.
    I just wonder what might be the procedure to do so.
    a) Is it just unpacking the ISO inside the zone and let it enroll whilst booting?, or
    b) is it advisable to install the old package and upgrade from there?
    I am quite curious to learn how this works.
    TIA, Algey
    Last edited by algernonz (2011-11-28 18:42:31)

    Hi,
    it does indeed sound like an interesting little project. You should, however, revert to your procedure (a) and use one of the recent ISO images the Arch team has updated this year.
    Using that old tar will give you numerous headaches when trying to upgrade. Doing a simple upgrade from that old file will most probably break the system, that's why they took the effort to provide the new ones.
    Good luck.

  • Solaris Branded Zones, Unable to reboot/Halt

    Hi People,
    Hoping someone can help. I'm running Solaris 10 on a Sun Workstation Ultra 45. I have two disks. One disk has the default install of Solaris 10 all updated to the latest patches. The second disk is mounted as /zones and holds each of the zones on ZFS. I have then downloaded and installed successfully Solaris 8 and Solaris 9 and Solaris 10 zones. So I have 3 zones.
    The problem I am facing is I can boot up all 3 zones fine and they work great, however when I halt or reboot either Solaris 8 or Solaris 9, they never come back up. I try to zlogin to them and telnet and ssh and they are totally unresponsive and quite literally don't boot. I have tried to pkill -9 -z zonename ; umount /zonesfilesystem; zpool clear and even rebooted the Global zone. Still will not come up. The only way they will boot after being shut down is if I shut down the global zones and turn the server off and back on.
    Solaris 10 Zone boots up and down fine with no issues. I have tried this on both UFS and ZFS thinking it might be a file lock issue. Still unable to reboot or halt a zone and bring it back up.
    Any help please :)
    Thanks in advance.

    When they are unable to come back up, what does 'zoneadm list -cv' say? If the state of the zone is "down" or "shutting_down", you can probably benefit from the fix for:
    7038404 outstanding zone references should not cause zone_destroy(2) to hang
    This is available in 147440-05 (sparc) / 147441-05 (x86) or later.

  • How do I get from Branded Zones to "real" Solaris 10 Zones?

    My head is beginning to spin! I am beginning to think I have been led down a blind alley.
    We have vast numbers of old Solaris 8 systems that we want to consolidate on new hardware in Solaris 10 Zones. We have been bombarded with advice that the way to go is to move it first to Branded Zones, as a stepping stone, and then migrate/upgrade it from there to Solaris 10. So we have started on our journey.
    We now have our first bunch of Solaris 8 containers happily installed and running. And yes, it was relatively easy and painless, and the tool support was good. But now what? What are the steps and tools that will make the second step, from Solaris 8 to Solaris 10?
    Everything out there hints that it is supposed to be easy. But every time I try and spec out the steps for our teams to follow I come unstuck. Does Live Upgrade feature in this anywhere? (And if so, at what point does my zone lose its Brand identity?) Is there some way to use archives? (And if so, how do I only include the bits I need to move?) Is there something magic under the covers of the Zone administration commands? (And if so, what pulls in my Solaris 8 stuff?) Is there at least some tool somewhere that will capture the configuration I need and build me a new one?
    If the answer is that I just define the new Zone by hand and re-install all my applications from scratch, then can somebody explain just what I have achieved so far, and in what way it can be construed as a "stepping stone"?

    Correct. But we have now invested in the time taken to learn about Branded Zones, do the migrations, teach the support teams how to manage them... Plus we are paying the subscription for the Branded Zone software. And we still have pure Solaris 8 applications staring end-of-support in the face. We could have made the same investment to re-install the applications in a real Solaris 10 Zone and make them work "properly". All the publicity tells me I've made my migration to Solaris 10 much easier, but I still can't see how I'm any nearer my end point.
    Here's where you're losing it. There is no real distinction between what you call a normal Solaris 10 zone and a Solaris Branded 8 zone. They could have called it something else and you would still insist that somehow one is normal and one is not. There are a variety of Branded Zones. There are Solaris 8, Solaris 9, and Linux Branded Zones. They differ from what you call "normal" zones in that you basically are adding an OS to the Base OS and are not just copying files from the Base OS. That's the only difference. In all other respects they are the same. The only differentiator is that for a Branded Zone you are adding the files from some other OS, even if it's just an earlier version of Solaris.
    How do you migrate from a Solaris 8 zone to a Solaris 10 zone? The same way that you moved from the Solaris 8 physical box to the Solaris 8 branded zone. The steps should be the same. Implicite_Order pretty much said the same thing.
    You seem to have a hang-up on the words "normal zone." Yea I know, you've spent time and money and educated everyone and now you're looking for the payoff. As I already stated and has been echoed by I_O, contact the vendor to see if they have Solaris 10 support, if they do, create a zone on a dev box, do some testing, and then create the zone on the real box, do the install, migrate the data. Just as you already did from the Solaris 8 box. If they don't have a Solaris 10 specific version you can still set up a test box, create a "normal" zone, install the app and some test data, make sure it works, and then create the "normal" zone, install the app, migrate the data, and relax.
    alan

  • How to unlock Root Account in non-global zone on Solaris 10 Branded Zone

    Hello All,
    I have a physical x86 server running Solaris 11. On top of that, I have 3 Solaris 10 branded zones configured. Due to security policy the root account has been locked by 5 failed login attempts.
    Is there a way by which I can unlock the root account in the non-global zone?
    I have the root access of global zone.
    Pls help as these are production servers.
    Regards

    Hey,
    It worked. Actually I forgot to save the file.
    I changed the /<zonepath>/root/etc/shadow
    Removed *LK* & then from global zone did zlogin -l root zonename
    Thanks a lot.
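
The fix reported in this thread (removing *LK* from /<zonepath>/root/etc/shadow in the global zone), written as a script; this is an added example, not part of the original posts. The function names, the throwaway zone root and the shadow entries are constructed, and the script refuses an entry whose password field is only *LK*, because stripping that would leave an empty password field.

```shell
#!/bin/sh
# Added example (not from the thread): strip the "*LK*" lock marker from one
# user's entry in a zone's shadow file, edited from the global zone.

# Print FILE with "*LK*" removed from USER's password field only.
# Exit status: 0 unlocked, 1 no such user, 2 entry not locked,
# 3 refused: the field is a bare "*LK*", so stripping it would leave an
# empty password field.
unlock_shadow_entry() {   # usage: unlock_shadow_entry USER FILE
    awk -F: -v OFS=: -v user="$1" '
        $1 == user {
            found = 1
            if (substr($2, 1, 4) != "*LK*") { rc = 2 }
            else if ($2 == "*LK*")          { rc = 3 }
            else                            { $2 = substr($2, 5) }
        }
        { print }
        END { if (!found) exit 1; exit rc + 0 }
    ' "$2"
}

# Apply the change under ZONEROOT (the zone's <zonepath>/root), keeping a
# backup and leaving the file untouched unless the entry was unlocked.
unlock_in_zone() {        # usage: unlock_in_zone ZONEROOT USER
    shadow="$1/etc/shadow"
    tmp="$shadow.tmp.$$"
    rc=0
    cp -p "$shadow" "$shadow.bak" || return 4
    ( umask 077; unlock_shadow_entry "$2" "$shadow" > "$tmp" ) || rc=$?
    if [ "$rc" -eq 0 ]; then
        cat "$tmp" > "$shadow"    # cat keeps the file's inode, owner and mode
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample: a throwaway zone root with made-up shadow entries.
make_sample_zone_root() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/etc"
    cat > "$dir/etc/shadow" <<'EOF'
root:*LK*ExampleHash01:15300::::::
daemon:NP:6445::::::
svcacct:*LK*:15000::::::
oracle:ExampleHash02:15200::::::
EOF
    echo "$dir"
}

# Demo run against the constructed sample.
zroot=$(make_sample_zone_root)
unlock_in_zone "$zroot" root && grep '^root:' "$zroot/etc/shadow"
unlock_in_zone "$zroot" svcacct || echo "svcacct: refused (status $?)"
rm -rf "$zroot"
```
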

  • How to migrate Solaris 9 running Oracle DB 9i into Solaris 9 brand zone

    Dear all,
    I am new in Solaris 10 zone. At this moment, my boss wants me to propose how to migrate legacy physical Solaris 9 server running Oracle 9i into container running in Solaris 10 T series machine.
    I have down DB to perform full flar image. And I successfully install this flar image into Solaris 9 container.
    But , oracle mount point such as /u01, /archivelog,... My DB is very simple, file system only, not raw partition...
    May I need to create new DB mountpoints for this container?
    And may I need to perform ufsdump and ufsrestore for these mount point?
    Hope any one of you let me know.
    Thanks,
    Mike

    Thank you!
    Hopefully you also know the solution for my next question tomorrow:
    NullPointerException at oracle.jbo.uicli.jui.JULovButtonBinding.actionPerformed(JULovButtonBinding.java:767)
    ;o)
    bye
    TPD

  • Solaris 8 branded zone and privileges

    Hello,
    I've just installed a Solaris 8 Branded zone to migrate an old server. The migration worked like a charm, and everything seems OK except one thing. The zone must run a Lotus Domino server, so the process needs to bind ports 80, 443 and 389, but it can't.
    I've found things about the limitpriv directive for the zone configuration, and the net_privaddr privilege to allow a process to bind ports under 1024.
    So now, if I run the process in the non global zone as root, it can bind, but if it is launched as the user notes, it can't.
    If I use the ppriv command to see what the privileges of the process are, I see:
    1945:   /opt/lotus/notes/latest/sunspa/server
    flags = <none>
            E: file_link_any,proc_exec,proc_fork,proc_info,proc_session
            I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
            P: file_link_any,proc_exec,proc_fork,proc_info,proc_session
            L: contract_event,contract_observer,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,
            file_dac_write,file_link_any,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,
            net_mac_aware,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_exec,proc_fork,proc_info,proc_lock_memory,
            proc_owner,proc_session,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_mount,sys_nfs,sys_resource
    So, the net_privaddr appears in the limit, but it is not enabled. How can I make it enabled for that process?
    Thanks

    Thanks for the link, good explanations about privileges but they seem unusable in Solaris 8 branded zone. It suggests to create a role with the privileges my process needs, using the "rolemod -K" command, but this option does not exist for the rolemod command in my Solaris 8 zone, it just supports "classic" RBAC.
    Maybe the solution would be to create the good profile for the user running the process, but I'm a little bit lost with RBAC and I can't find an existing profile corresponding to what I want.
    Actually, the limitpriv for my zone is "default,net_rawaccess,net_privaddr,file_dac_read" and that's all. I added net_privaddr and file_dac_read because I saw that a "ppriv -D" on the Lotus server complained about the lack of these privileges, but in fact they are already included in default privileges.
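
Reading the ppriv output quoted in this thread, as an added example that is not part of the original posts: it lists the privileges that appear only in the limit set (L) and not in the effective set (E), which is the situation described for net_privaddr. The sample is a constructed, shortened copy of the posted output, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): read ppriv(1) output and show which
# privileges sit only in the limit set (L) and are not effective (E).

# Constructed sample, shortened from the output quoted in the post; the L:
# line is wrapped the way the forum wrapped it.
sample_ppriv() {
    cat <<'EOF'
1945:   /opt/lotus/notes/latest/sunspa/server
flags = <none>
        E: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        L: file_link_any,net_privaddr,net_rawaccess,proc_exec,
        proc_fork,proc_info,proc_session,sys_mount
EOF
}

# Emit one "SET privilege" pair per line, joining wrapped continuation lines.
ppriv_pairs() {
    awk '
        /^[ \t]*[0-9]+:/ || /^[ \t]*flags/ { set = ""; next }   # process header
        {
            line = $0
            gsub(/[ \t]/, "", line)
            if (line ~ /^[EIPL]:/) { set = substr(line, 1, 1); line = substr(line, 3) }
            if (set == "") next
            n = split(line, p, ",")
            for (i = 1; i <= n; i++) if (p[i] != "") print set, p[i]
        }'
}

# Privileges present in L but not in E, in the order ppriv listed them.
privs_limit_only() {
    ppriv_pairs | awk '
        $1 == "E" { eff[$2] = 1 }
        $1 == "L" { lim[++k] = $2 }
        END { for (i = 1; i <= k; i++) if (!(lim[i] in eff)) print lim[i] }'
}

# Where does one privilege stand for this process?
# Prints: effective, permitted-only, limit-only or absent.
priv_status() {           # usage: priv_status PRIVILEGE < ppriv-output
    ppriv_pairs | awk -v want="$1" '
        $2 == want { has[$1] = 1 }
        END {
            s = "absent"
            if ("L" in has) s = "limit-only"
            if ("P" in has) s = "permitted-only"
            if ("E" in has) s = "effective"
            print s
        }'
}

# Demo run against the constructed sample.
sample_ppriv | privs_limit_only
echo "net_privaddr: $(sample_ppriv | priv_status net_privaddr)"
```
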

  • Solaris 8 graphical logon (CDE) in branded zone

    How do I enable/configure a graphical interface (cde) for my Solaris 8 branded zone in solaris 10?

    1. check if dtlogin is running in S8 BZ:
    # ps -ef | grep dtlogin
    if it's not running start it:
    # /etc/init.d/dtlogin start
    2. from client initiate a XDMCP request using the IP of this S8 BZ.
    From Solaris 10 you can use "Options -> Remote Login".

  • Solaris 10-Branded Zone

    Hi,
    I am trying to establish whether the following configuration is officially supported (and documented):
    "Non-Global zone running a release of Solaris 10 which is older than the release of Solaris 10 running in the Global Zone".
    I'm familiar with the idea of Branded Zones to support Solaris 8, 9 & some Linux kernels, and have seen some forum posts where people have created Solaris 10-branded zones, but haven't really seen anything that puts the official seal of approval on that configuration. Also I'm familiar with LDOMs and appreciate that I could get to where I want to be that way too.
    Any help welcome.
    Thanks,
    Paul.

    This will be supported in Solaris 10 Update 9 to a degree, using p2v. Below is a reply I had to a request I'd put in. You might also want to read this
    http://blogs.sun.com/jerrysblog/entry/zones_p2v
    Hi Sean,
    I got information that p2v project is being backported for S10u9
    This means, that you will be able to install a native zone from a flar.
    I don't have detailed information at the moment, how this will work in terms of
    patching in combination with Global Zone and other sibling NGZ's.
    According to Jerry Jelinek, Solaris10-branded zones will not be backported to Solaris 10,
    Got this info yesterday evening from Jerry.
    I'll provide some more info about the p2v project for native zones in coming Solaris 10_U9,
    once I got more details.
    So, I'd suggest to check, whether the mentioned p2v project with flar on native zones might fit your requirements.
    Thanks,
    Alfred
    Edited by: ftoomsh on Sep 2, 2010 3:02 AM

  • Inetd services (telnet, rlogin ,rsh) in Solaris 9 Branded Zone

    Hi,
    I've got two Solaris 9 Branded Zones running on an M3000. They both use exclusive IP.
    When I try to telnet, rlogin or rsh to either of my Solaris 9 zones from the other I get an error. With the r* commands I get a "Protocol error" message, and telnet just reports a terminated connection. I've tried Mr. Google, the results I get make sense for a physical host - i.e. Protocol Error would occur if the server executable (in.rlogind, etc) was somehow messed up.
    Just to complicate things slightly the exclusive IP NICs are on a physically separate switch from the other NICs.
    I'd forgotten that with the Branded Zones some native features are actually handled by the underlying global zone (i.e. Solaris 10).
    Anyway, has anybody else had this same problem and how did you resolve it?
    Thanks
    Tim Shaw.

    I found out that the services in the Global Zone had been disabled. Simply enabling them fixed the problem :)

  • Solaris 8 branded zone core dump on cssd

    Hi,
    Just migrated my first Sol8 machine to a Solaris 8 branded zone, but on the console I get error messages:
    Nov 8 12:45:42 gent320b cssd: The process "ccv.sh" has been killed by sig#139, core dumped
    Nov 8 12:45:47 gent320b cssd: The process "kkcv.sh" has been killed by sig#139, core dumped
    the netstat -f unix
    Active UNIX domain sockets
    Address Type Vnode Conn Local Addr Remote Addr
    stream-ord 6000ebffad8 00000000 /tmp/jd_sockV6
    output doesn't list any /dev/ccv or /dev/kkcv sockets like the 'real' machine.
    Any ideas?

    These error messages are output by cssd, which is an input method for Japanese.
    If you don't use the Japanese input method cs00, you can stop it with the following method.
    # /etc/init.d/loc.ja.cssd stop
    # mv /etc/rc2.d/S90loc.ja.cssd /etc/rc2.d/_S90loc.ja.cssd

  • Multithreading issue on Solaris 8 branded zone

    Hi,
    We are facing a multithreading problem in Solaris 8 container (branded zone) on Solaris 10.
    The core file shows 2 LWPs for a single thread.
    First LWP
    (dbx) lwp
    current LWP ($lwp) is l@1403
    (dbx) print this->m_ThreadId->m_IdImpl.m_PosixId
    this->m_ThreadId.m_IdImpl.m_PosixId = 1404U
    Second LWP
    (dbx) lwp
    current LWP ($lwp) is l@1404
    (dbx) print this->m_ThreadId->m_IdImpl.m_PosixId
    this->m_ThreadId.m_IdImpl.m_PosixId = 1404U
    Another point to note is that dbx returns 'MT support is disabled' for this program even though it has been built using the -mt option. The dbx version is Sun Dbx Debugger 7.5 2005/10/13.
    As far as I have read, the Solaris 8 branded zone uses the alternate T2 thread library. Note also that this program is linked with the alternate thread library @ /usr/lib/lwp.
    This alternate thread library is supposed to use the 1:1 thread model.
    Can someone explain why we are then seeing 2 LWPs for a single thread?
    Thanks,
    Best regards,
    Raj Iyer

  • Trouble w/installing Solaris 10 branded zone on solaris 11.

    Having issues creating a policy that works installing a Solaris 10 u10 branded NFS zone on sol11 in OpsCenter 12c u1. Maybe I'm just overlooking something basic or it isn't supported in OpsCenter. I'm able to create the policy but seem to get a very non-informative error message when deploying it.
    Error Message:
    "The DeploymentPlan execution job failed because the DeploymentProvider ZoneDeploymentProvider for Step Create Solaris Zones failed to generate tasks for the job: Cannot prepare zone tasks: java.lang.NullPointerException. Contact My Oracle Support if the problem persists. (10445)"
    Here is the OpsCenter Profile:
    Name Prefix: hous
    Starting Number: 1
    Zone Description: solaris 10 update 10
    ZoneType: Branded Zone
    Branded Zone Image: s10-update10-flar
    Automatic Recovery: Yes
    Priority of Recovery: 0
    CPU Shares: 1
    CPU Cap: 0
    Physical Memory Cap: 0
    Locked Memory Cap: 0
    Virtual Memory Cap: 0
    Language: en_US.ISO8859-15
    Time Zone: US/Central
    Terminal Type: xterm
    NFSv4 Domain Name: dynamic
    Automatically boot zone when the global zone is booted: Yes
    Automatically boot zone after creation: Yes
    Storage for the metadata Library: NAS, zone-prod1

    Problem found. To jumpstart last two HP Blades we used the copies of AI templates. When we did it from scratch and re-installed the Solaris 11.0 we have no more errors.

  • Add zfs volume to Solaris 8 branded zone

    Hi,
    I need to add a zfs volume to a Solaris 8 branded zone.
    Basically I've created the zvol and added the following to the zone configuration.
    # zonecfg -z test
    zonecfg:test> add device
    zonecfg:test:device> set match=/dev/zvol/dsk/sol8/vol
    zonecfg:test:device> end
    When I boot the zone it comes up OK but I am unable to see the device, nothing in format, /dev/dsk etc.
    I've also tried to set match to the raw device as well, to no avail.
    Basically I have numerous zvols to add and don't really want a load of mount points from the global zone then lofs back to the local zone.
    Any ideas please?
    Thanks...

    Thanks but that's why I created zfs volumes and newfs'ed them to create UFS and presented those to the zone.
    In the end I just created a script in /etc/rc2.d and mounted the filesystems in there.

  • Creating a Solaris 8 branded zone

    I am in the process of configuring a Solaris 8 branded zone using the SUNWsolaris8 package and the instructions in the Solaris8 Container Guide. Solaris 10 08/07 is installed in the global zone. I have the following kernel patches installed as required: 127111-08 and 128548-08. I get the following error after configuring the zone when I try to verify the zone:
    -bash-3.00# zonecfg -z gfxc-qazone
    gfxc-qazone: No such zone configured
    Use 'create' to begin configuring a new zone.
    zonecfg:gfxc-qazone> create -t SUNWsolaris8
    zonecfg:gfxc-qazone> set autoboot=true
    zonecfg:gfxc-qazone> set zonepath=/export/zones/gfxc-qazone
    zonecfg:gfxc-qazone> add attr
    zonecfg:gfxc-qazone:attr> set name=machine
    zonecfg:gfxc-qazone:attr> set type=string
    zonecfg:gfxc-qazone:attr> set value=sun4u
    zonecfg:gfxc-qazone:attr> end
    zonecfg:gfxc-qazone> verify
    gfxc-qazone: unknown brand.
    gfxc-qazone: Invalid document
    I cannot find any other information anywhere on this error. I am hoping those that have successfully installed a Solaris 8 branded zone can help me out. Thanks.

    I have installed the SUNWs8brand packages before I started the configuration and I also installed the patch. I am not sure what you mean if the package installed in the correct order. I cannot find what I am missing. The original installation for the global zone was using the SUNCreq with other packages added during the installation. I realized after the O/S installation that I needed the zone packages as well as the live upgrade packages. After installing those packages I installed the SUNWs8brand packages. Let me know if there is something else that I am missing. I am thinking of re-installing the O/S with the End User software group.
