Is patching Sol 10 machines with zones safe?

Similar Messages

• Deferred patching broken for machines with zones

  For a while I've noticed that Ive had trouble patching a couple of machines.
  I've managed to determine the significant characteristic identifying them.
  All the machines with a non global zone have the problem.
  To confirm, I added a test zone to a machine that was fine. And it immediately it developed the problem.
  Anyway, the symptom is that no deferred patches will install.
  So patches delayed by a "smpatch update" till the reboot fail to install.
  The sunucLog displays the following error
  Sep 17 10:30:05 webdb1 123186-03 [notice] Status Install Begin 123186-03
  Sep 17 10:30:05 webdb1 123186-03 [ALERT] Validating patches...
  Sep 17 10:30:05 webdb1 123186-03 [ALERT] Loading patches installed on the system...
  Sep 17 10:30:05 webdb1 123186-03 [ALERT] Loading patches requested to install.
  Sep 17 10:30:05 webdb1 123186-03 [ALERT] Checking patches that you specified for installation.
  Sep 17 10:30:05 webdb1 123186-03 [ALERT] svcadm: Instance "svc:/system/filesystem/local:default" has been disabled by another entity.
  Sep 17 10:30:05 webdb1 123186-03 [ALERT] ERROR: Enabling filesystem/local service failed.
  Sep 17 10:30:05 webdb1 123186-03 [ALERT] Status Install End 123186-03 Install Update installation failed
  Anyone got any workarounds for this problem.
  Is it a known issue.
  Or should I log a support request.

  Any progress on this? Its been 2 months. And sun has managed to put out an entire new update to Solaris.
  And a 119254-59 has been released. But neither includes a fix for this issue as far as I can tell...
  Its now basically impossible to patch machines with zones up to the latest kernel 137137-09 since that has a dependency on 119254-58.
  And machines with zones can't be patched if a version higher than 119254-53 is installed....

• Entire environment on one machine with zones

  I've been pondering some of what zones can do, and it occurred to me that one could build an entire reasonably secure environment using one machine with multiple zones...
  * Global zone with no network ports active, console only
  * One zone for firewall, heavily ipf'd - mapped to external and internal network ports
  * One zone for webserver - mapped to internal network port
  * One zone for fileserver - mapped to internal network port
  * Other zones as needed - probably all mapped to internal network ports
  * All zones secured with ipf to allow very little access, particularly from firewall zone
  It seems like this would allow a very flexible environment, and would give the security of having multiple boxes.
  Thoughts/Comments?

  I've been pondering some of what zones can do, and it
  occurred to me that one could build an entire
  reasonably secure environment using one machine with
  multiple zones...
  * Global zone with no network ports active,
  ve, console only
  * One zone for firewall, heavily ipf'd - mapped to
  to external and internal network ports
  * One zone for webserver - mapped to internal
  nal network port
  * One zone for fileserver - mapped to internal
  nal network port
  * Other zones as needed - probably all mapped to
  to internal network ports
  * All zones secured with ipf to allow very little
  tle access, particularly from firewall zone
  It seems like this would allow a very flexible
  environment, and would give the security of having
  multiple boxes.
  Thoughts/Comments? You are definately on the right track. If I haven't said it before, I will say it now - All services that can be, should be run in a zone. That means web servers, DNS servers, LDAP, file servers, etc. Between zones and least privilege (you are using least privilege aren't you), you can create a very secure and contained service environment.
  Imagine the surprise of a script kiddie when by pure luck they compromise your zone, but sadly they can't install their favorite rootkit because /dev/kmem, /usr, /devices, etc. are completely off limits no matter how much they scream about having UID 0. Remember, this is even more secure than having multiple boxes; this is like having multiple boxes where root ain't root. The best part is that zones are cheap. You can create them at will without performance impact, and can limit resource usage via a number of different means.
  There is a new paradigm in town and it's name is Zones. Use zones and use them often. This is a no lose proposition.
  Happy zoning.
  Thanks,
  Jarod

• When will updatemanager support system with zones

  Anyone aware when SUN updatemanager will support patching sol 10 systems with multiple zones ?

  Its my understanding that the first official release should support zones as well.
  Note that it seems that you can use the update manager together with the regular tools, they only suggest that you shouldn't use them at the same time. In other words; in theory you should be able to use your current tools for supporting the zones, and the update manager to do the rest.
  Personally I wouldn't take the risk and wait for the official release.

• Cloning Solaris 10 with zones

  What is the best method to use when cloning a Solaris machine with zones, to ensure all software is included and can be easily installed
  on new hardware?
  Thank you!

  If you use UFS, then ufsdump/ufsrestore
  If you use ZFS, then zfs send/zfs receive
  But, if you are using hardware or software RAID, you can also try to move one disk to an another machine.
  You can see with these simple examples, that you have several methods and it depends how you configured your machine, Solaris and the zones. And finally, it depends too what is the source machine and what is the target machine, and how they are configured.

• Kernel Patching with zones

  I have a T2000 installed with the Solaris 10 1/06 release with several zones created on it. 4 zones are "sparse" root, and one (zone-5) is a "whole root" zone.
  In order to apply and certify (internally) the latest sendmail patch, Solaris 10 needs a later kernel patch than I had installed (this is a subject for another discussion...). So I downloaded the latest patch cluster (4/6 Recommended cluster) to apply it.
  I shut down the non-global zones, and took the machine to single user mode, and installed the cluster. It seemed to go in fine, except for the following error:
  Zone zone-5
  Rejected patches:
  122856-01
  Patches that passed the dependency check:
  None.
  Fatal failure occurred - impossible to install any patches.
  zone-5: For patch 122856-01, required patch 118822-30 does not exist.
  Fatal failure occurred - impossible to install any patches.Now, 118822-30 is a kernel patch series that is prerequisite for the latest kernel patch (118833-03). Zone-5 is my only whole-root zone. I then looked at the patch cluster log, and discovered that a handful of patches (including 118822-30) had also failed:
  titan15n> grep failed /var/sadm/install_data/Solaris_10_Recommended_Patch_Cluster_log
  Pkgadd failed. See /var/tmp/119254-19.log.6615 for details
  Pkgadd failed. See /var/tmp/118712-09.log.9307 for details
  Pkgadd failed. See /var/tmp/119578-18.log.15160 for details
  Pkgadd failed. See /var/tmp/121308-03.log.18339 for details
  Pkgadd failed. See /var/tmp/119689-07.log.22068 for details
  Pkgadd failed. See /var/tmp/118822-30.log.9404 for details
  Pkgadd failed. See /var/tmp/119059-11.log.29911 for details
  Pkgadd failed. See /var/tmp/119596-03.log.4724 for details
  Pkgadd failed. See /var/tmp/119985-02.log.8349 for details
  Pkgadd failed. See /var/tmp/122032-02.log.13334 for details
  Pkgadd failed. See /var/tmp/118918-14.log.27743 for detailsLooking at any of these logs (in the non-global zone-5's /var/tmp directory shows failures like the following snippet:
  pkgadd: ERROR: unable to create unique temporary file </usr/platform/sun4us/include/sys/cheetahregs.h6HaG8w>: (30) Read-only file sy
  stem
  pkgadd: ERROR: unable to create unique temporary file </usr/platform/sun4us/include/sys/clock.h7HaG8w>: (30) Read-only file system
  pkgadd: ERROR: unable to create unique temporary file </usr/platform/sun4us/include/sys/dvma.h8HaG8w>: (30) Read-only file systemQuestion(s):
  Why would there be read-only file systems where tmp files are getting written? Possibly a timing issue?
  Is there a "best practice" on applying patch clusters, and specifically, the kernel patch? Did I make a mistake in taking the zones down first? It seems like the zones were being booted up as the patches were getting applied, but I may be misinterpreting the output.
  Even though the patches failed to apply to zone-5, the uname -a output in the zone show the latest kernel patch, but does NOT show 118822-30 (118822-25 is what showrev -p in the non-global zone-5 shows -- which is the level I was at before attempting to patch).
  Any solutions?
  Thanks.

  The kernel config and patch are irrelevant - I have tried to compile the stock arch kernel just to make sure that it WASN'T the patch - I simple copied the folder from ABS, did makepkg and installed - no lucky. The problem seems to be that all of the kernels I compile end up with the folder in /lib/modules having -dirty on the end of them. How do I stop this '-dirty'?
  I notice in the build I get this message -
  ==> Building the kernel
  fatal: cannot describe '604d205b49b9a478cbda542c65bacb9e1fa4c840'
    CHK     include/linux/version.h

• PWA site template with warning "Your Local Machine Time Zone does not match your current Sharepoint Regional Settings"

  SharePoint 2010 (SP2010 SP1+ AU CU 2011) site built with Project Web Access template shows message in yellow "Your Local Machine Time Zone does not match your current Sharepoint Regional Settings."
  KB Article http://support.microsoft.com/kb/2749599/en-us suggests applying Windows and SharePoint updates, but does not points to a specific update. Also suggests to enable "Always follow
  web settings" for affected users who are in different time zone than the server time zone, but it does not work either.
  Manjeet Singh

  Hi,
  According to your post, my understanding is that SharePoint 2010 (SP2010 SP1+ AU CU 2011) site built with Project Web Access template shows warning "Your Local Machine Time Zone does not match your current Sharepoint Regional Settings".
  Users are getting this message even after correctly specifying and changing the timezone in their Sharepoint Settings. This is a common problem across the net, but we've found a workaround
  that will eliminate this problem.
  Step 1: Open your Web Database in your Browser
  Step 2: Click the Arrow Under the Login ID (upper right corner)
  Step 3: Choose My Settings
  Step 4: Click the My Regional Settings Link
  Step 5: Uncheck the 'Always Follow Web Settings' check and specify your time zone.
  Step 6: Click OK
  For more information, you can refer to:
  Warning Message about time zone difference between your computer and the regional settings
  of Sha...
  Thanks & Regards,
  Jason Guo
  Jason Guo
  TechNet Community Support

• Problem with zone installation on solaris 08/07

  Hello :)
  I need some help
  I install solaris 10 08/07 on my x2100 M2.Everything is ok.
  Then I try to install non-global zone named web-zone with the following commands:
  # mkdir /export/web-zone
  # chmod 700 /export/web-zone
  # zonecfg -z web-zone
  web-zone: No such zone configured
  Use 'create' to begin configuring a new zone.
  zonecfg:web-zone> create
  zonecfg:web-zone> set autoboot=true
  zonecfg:web-zone> set zonepath=/export/web-zone
  zonecfg:web-zone> add net
  zonecfg:web-zone:net> set address=192.168.0.3
  zonecfg:web-zone:net> set physical=bge1
  zonecfg:web-zone:net> end
  zonecfg:web-zone> info
  zonepath: /export/web-zone
  autoboot: true
  pool:
  inherit-pkg-dir:
  dir: /lib
  inherit-pkg-dir:
  dir: /platform
  inherit-pkg-dir:
  dir: /sbin
  inherit-pkg-dir:
  dir: /usr
  net:
  address: 192.168.0.3
  physical: bge1
  zonecfg:web-zone> verify
  zonecfg:web-zone> commit
  zonecfg:web-zone> exit
  # zoneadm -z web-zone verify
  # zoneadm -z web-zone install
  # zoneadm list -cv
  # zoneadm -z web-zone boot
  When I zlogin into zone configuration stack with:
  Fatal internal error: prompt_error called before prompt_open!
  The IP address previously set on the network interface
  is no longer available. The system state is corrupted. System identification
  can no longer continue.
  Press Return to continue
  And that�s it :)
  On interface bge1 I have 2 ip addresses, one for management processor (192.168.0.254) and one for global zone (192.168.0.2)
  The output from ifconfig �a is :
  # ifconfig -a
  lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
  inet 127.0.0.1 netmask ff000000
  lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
  zone web-zone
  inet 127.0.0.1 netmask ff000000
  bge1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  inet 192.168.0.2 netmask ffffff00 broadcast 192.168.0.255
  ether 0:1b:24:5:4f:6f
  bge1:1: flags=4001000842<BROADCAST,RUNNING,MULTICAST,IPv4,DUPLICATE> mtu 1500 index 2
  zone web-zone
  inet 192.168.0.3 netmask ffffff00 broadcast 192.168.0.255
  Any Ideas ?? :)
  Thaks
  pp Sory for my baad english :)

  Hi
  Thank you for replay
  This is happened exactly when I zlogin for first time to complete installation.
  The installation procedure flow flawless.I set terminal type 13 (dt terminal) and everything is OK, but when I try to setup hostname I�ve got this error.
  I try this with 3 different zones on this machine with same result
  I have old x86 machines with solaris 11/06 zones installed , everything works fine (1 year uptime)
  This is not the first zone in my life :)
  Best Regards
  DJ JAM

• Can not register a new machine with Updatemanager

  Hi,
  I just install a new machine with Solaris 10 using a Flash image and Live Upgrade. The original machine from we create the Flash image was registered succesfull using Update Manager.
  Now, when I try to register the new machine, the applications ask me the user and password, but do not makes anything. The dialog freeze. The only way to stop the Update Manager is killing them (at the end is the full java error stack).
  I try with sconadm,
  sconadm register -a -r /var/tmp/registration.profile
  Unsuccessfull too, with the same stack error (Caused by: javax.management.InstanceNotFoundException: ).
  I'm bored with the Solaris patch system: all the weekend was saying error 500 for all my other registered machines, and now I can not register a new machine....
  This system fails all the time.. Is runing under W2K3 server???
  Any Idea?
  Thanks in advance.
  H.
  P.S: Error stack output:
  Exception occurred during event dispatching:
  java.lang.reflect.UndeclaredThrowableException
          at $Proxy1.getInstanceName(Unknown Source)
          at com.sun.scn.client.SCNClientSession.login(SCNClientSession.java:371)
          at com.sun.cns.basicreg.cacao.ClientLoginCacaoAdapter.loginAccount(ClientLoginCacaoAdapter.java:209)
          at com.sun.cns.basicreg.wizard.cli.CmdLineWizard.outCall(CmdLineWizard.java:1109)
          at com.sun.cns.basicreg.wizard.cli.CmdLineWizard.output(CmdLineWizard.java:773)
          at com.sun.cns.basicreg.wizard.swing.WizardPanel.isNavigationAllowed(WizardPanel.java:1337)
          at com.sun.cns.basicreg.wizard.swing.WizardDialog.okByNavigationListener(WizardDialog.java:583)
          at com.sun.cns.basicreg.wizard.swing.WizardDialog.access$100(WizardDialog.java:64)
          at com.sun.cns.basicreg.wizard.swing.WizardDialog$NextButtonActionListener.actionPerformed(WizardDialog.java:404)
          at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1849)
          at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2169)
          at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:420)
          at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:258)
          at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:236)
          at java.awt.Component.processMouseEvent(Component.java:5517)
          at javax.swing.JComponent.processMouseEvent(JComponent.java:3135)
          at java.awt.Component.processEvent(Component.java:5282)
          at java.awt.Container.processEvent(Container.java:1966)
          at java.awt.Component.dispatchEventImpl(Component.java:3984)
          at java.awt.Container.dispatchEventImpl(Container.java:2024)
          at java.awt.Component.dispatchEvent(Component.java:3819)
          at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4212)
          at java.awt.LightweightDispatcher.processMouseEvent(Container.java:3892)
          at java.awt.LightweightDispatcher.dispatchEvent(Container.java:3822)
          at java.awt.Container.dispatchEventImpl(Container.java:2010)
          at java.awt.Window.dispatchEventImpl(Window.java:1791)
          at java.awt.Component.dispatchEvent(Component.java:3819)
          at java.awt.EventQueue.dispatchEvent(EventQueue.java:463)
          at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchThread.java:242)
          at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:163)
          at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:153)
          at java.awt.Dialog$1.run(Dialog.java:535)
          at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:209)
          at java.awt.EventQueue.dispatchEvent(EventQueue.java:461)
          at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchThread.java:242)
          at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:163)
          at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:157)
          at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:149)
          at java.awt.EventDispatchThread.run(EventDispatchThread.java:110)
  Caused by: javax.management.InstanceNotFoundException: com.sun.scn:name=SCNBaseServiceFactory,assetSubProfile=Factory,host=alcaudon.tsc.uc3m.es,assetProfile=Factory,scnType=ServiceFactory,Vendor=Sun Microsystems Inc
          at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getMBean(DefaultMBeanServerInterceptor.java:1010)
          at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getClassLoaderFor(DefaultMBeanServerInterceptor.java:1349)
          at com.sun.jmx.mbeanserver.JmxMBeanServer.getClassLoaderFor(JmxMBeanServer.java:1300)
          at com.sun.jdmk.interceptor.DefaultMBeanServerInterceptor.getClassLoaderFor(DefaultMBeanServerInterceptor.java:285)
          at com.sun.cacao.agent.DispatchInterceptor.getClassLoaderFor(DispatchInterceptor.java:548)
          at com.sun.cacao.agent.auth.impl.AccessControlInterceptor.getClassLoaderFor(AccessControlInterceptor.java:427)
          at com.sun.jdmk.JdmkMBeanServerImpl.getClassLoaderFor(JdmkMBeanServerImpl.java:1130)
          at com.sun.cacao.common.instrum.impl.InstrumDefaultForwarder.getClassLoaderFor(InstrumDefaultForwarder.java:153)
          at javax.management.remote.rmi.RMIConnectionImpl$4.run(RMIConnectionImpl.java:1308)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.management.remote.rmi.RMIConnectionImpl.getClassLoaderFor(RMIConnectionImpl.java:1305)
          at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:768)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:585)
          at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
          at sun.rmi.transport.Transport$1.run(Transport.java:153)
          at java.security.AccessController.doPrivileged(Native Method)
          at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
          at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:466)
          at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:707)
          at java.lang.Thread.run(Thread.java:595)
          at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:247)
          at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:223)
          at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:126)
          at com.sun.jmx.remote.internal.PRef.invoke(Unknown Source)
          at javax.management.remote.rmi.RMIConnectionImpl_Stub.invoke(Unknown Source)
          at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:972)
          at javax.management.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:201)
          ... 39 more

  Well,
  The problem was a Memory problem: The swap file was misconfigured. Once the system reboots with the correct swap configuration I was able to register the machine.
  Anyway, the problem to connect with SunSolve is continous, but it is other point of discussion.
  I hope this solution can help people with similar problems.
  H.

• Why does my bank website load in an old XP machine with 15.0.1 and will not load on win7 now, after I upgraded to 17.0.1

  I upgraded to 17.0.1 on a Win7 machine and now I can't access my bank website. I checked to see if the website was available on my old XP machine with 15.0.1 and I had no problem getting on my bank website. I tried again with my new machine, and I can't even get to the site, much less the sign in page.
  There are now a number of websites that I can no longer access, I get an "Unable to connect" page. I didn't have this problem BEFORE I upgraded to 17.0.1. And, something else is weird, when I do a google search, I usually can't click on the first link in the search results in 17.0.1, and sometimes other links.
  Linda

  Do a malware check with some malware scanning programs on the Windows computer.<br />
  You need to scan with all programs because each program detects different malware.<br />
  Make sure that you update each program to get the latest version of their databases before doing a scan.
  *http://www.malwarebytes.org/mbam.php - Malwarebytes' Anti-Malware
  *http://www.superantispyware.com/ - SuperAntispyware
  *http://www.microsoft.com/security/scanner/en-us/default.aspx - Microsoft Safety Scanner
  *http://www.microsoft.com/windows/products/winfamily/defender/default.mspx - Windows Defender: Home Page
  *http://www.safer-networking.org/en/index.html - Spybot Search & Destroy
  You can also do a check for a rootkit infection with TDSSKiller.
  *http://support.kaspersky.com/viruses/solutions?qid=208280684
  See also:
  *"Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked

• Patching  sol 10  1/06

  downloaded installed sol x86 1/06
  then downloaded and installed latest recommended patch cluster
  not many of the patch cluster loaded correctly
  a typical error is as follows
  ++++++++++++++++++++++++++++++++++++++++++++++++++++
  # cd /var/sadm/patch/118344-11
  # more log
  This appears to be an attempt to install the same architecture and
  version of a package which is already installed. This installation
  will attempt to overwrite this package.
  /export/home/hfxnss/10_x86_Recommended/118344-11/SUNWarc/install/checkinstall: /
  export/home/hfxnss/10_x86_Recommended/118344-11/SUNWarc/install/checkinstall: ca
  nnot open
  pkgadd: ERROR: checkinstall script did not complete successfully
  Dryrun complete.
  No changes were made to the system.
  +++++++++++++++++++++++++++++++++++++++++++++++++++
  yet a showrev -p displays an earlier version of the patch ?
  any suggestions as to why so many of the recommend cluster did not load
  Ran patch cluster in single user mode as root
  ...... any pointers appreciated .....thks ...... andy

  /export/home/hfxnss/10_x86_Recommended/118344-11/SUNWa
  rc/install/checkinstall: /
  export/home/hfxnss/10_x86_Recommended/118344-11/SUNWar
  c/install/checkinstall: ca
  nnot open
  pkgadd: ERROR: checkinstall script did not complete
  successfullySolaris 2 FAQ:
  http://www.science.uva.nl/pub/solaris/solaris2.html#q5.59
  5.59) Patch installation often fails with "checkinstall" errors.
  Try putting the patches in /tmp.
  Darren

• Patching JES  in whole root zone (where JES never installed in global zone)

  We ran into a problem today - we have a server (Solaris 10 x86 on 4150) with two full root zones. JES 5u1 was intsalled in each full root zone at a later date and never installed in the global zone. Now when trying to install the latest JES 5 patch cluster we have run into a problem. The patch cluster has a check that only lets it be run in the global zone. When we run it in the Global Zone - it exits every patch with a return code of 8 (software not installed).
  Is there any way we can run the patch bundle so it applies the patches to the no-global zones in this case? Will now installing teh shared components in the global zone then allow the patch cluster to run sucessfully.
  Thanks for any guidance here....

  Solution was to manually edit the patch cluster installation script and comment out the global zone check - it then installed perfecttly fine in the whole root zone

• Live Upgrade with Zones - still not working ?

  Hi Guys,
  I'm trying to do LiveUpdate from Solaris update 3 to update 4 with non-global zone installed. It's driving me crazy now.
  I did everything as described in documentation, installed SUNWlucfg and supposedly updated SUNWluu and SUNWlur (supposedly because they are exactly the same as were in update 3) both from packages and with script from update 4 DVD, installed all patches mentioned in 72099, but lucreate process still complains about missing patches and I've checked if they're installed five times. They are. It doesn't even allow to create second BE. Once I detached Zone - everything went smooth, but I had an impression that Live Upgrade with Zones will work in Update 4.
  It did create second BE before SUNWlucfg was installed, but failed on update stage with exactly the same message - install patches according to 72099. After installation of SUNWlucfg Live Upgrade process fails instantly, that's a real progress, must admit.
  Is it still "mission impossible" to Live Upgrade with non-global zones installed ? Or am I missed something ?
  Any ideas or success stories are greatly appreciated. Thanks.

  I upgraded from u3 to u5.
  The upgrade went fine, the zones boot up but there are problems.
  sshd doesn't work
  svsc -vx prints out this.
  svc:/network/rpc/gss:default (Generic Security Service)
  State: uninitialized since Fri Apr 18 09:54:33 2008
  Reason: Restarter svc:/network/inetd:default is not running.
  See: http://sun.com/msg/SMF-8000-5H
  See: man -M /usr/share/man -s 1M gssd
  Impact: 8 dependent services are not running:
  svc:/network/nfs/client:default
  svc:/system/filesystem/autofs:default
  svc:/system/system-log:default
  svc:/milestone/multi-user:default
  svc:/system/webconsole:console
  svc:/milestone/multi-user-server:default
  svc:/network/smtp:sendmail
  svc:/network/ssh:default
  svc:/network/inetd:default (inetd)
  State: maintenance since Fri Apr 18 09:54:41 2008
  Reason: Restarting too quickly.
  See: http://sun.com/msg/SMF-8000-L5
  See: man -M /usr/share/man -s 1M inetd
  See: /var/svc/log/network-inetd:default.log
  Impact: This service is not running.
  It seems as thought the container is not upgraded.
  more /etc/release in the container shows this
  Solaris 10 11/06 s10s_u3wos_10 SPARC
  Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
  Use is subject to license terms.
  Assembled 14 November 2006
  How do I get it to fix the inetd service?

• Patches for Solaris 9 with incompatible Packages

  I have a Sun Sparc machine with Solaris 9 on it as oracle server. We added two patches (112233-11: SunOS 5.9:Kernel Patch and 111722-04: SunOS 5.9:MathLibrary(libm)patch). When I prepared the server for Oracle installation, I checked patch with command: $/usr/sbin/patchadd -p | grep <patch_number>. Then UNIX told me that these two patches have incompatible packages. 112233 got 12 incompatible packages and 111722 got 3 incompatible patches. My question is: does this incompatible packages affect Solaris 9 operation on the Sparc machine? How serious will it be? Thanks.

  The syntax of ldapclient changed in Solaris 9 (at least by 9 12/03). You now specify it like this:
  # ldapclient -v init -a profileName=cn=myProfile,ou=profile,dc=example,dc=comIf you're using Proxy Authentication add the following:
  -a proxyDN=cn=proxyagent,ou=profile,dc=example,dc=com -a proxyPassword=ClearTextPWYou should have been able to create a profile (storing it in the DIT) when you ran idsconfig. If you took the default name of "default" (cn=default,ou=profile,dc=example,dc=com) you might not even have to specify the profile name to ldapclient.
  To generate a new profile and store it in the DIT use:
  $ ldapclient -vgenprofile -a profileName=cn=myProfile,ou=profile,dc=example,dc=com -a defaultSearchBase=dc=example,dc=com ...With your various attributes for your profile as specified in ldapclient(1M).
  As for pam, you have to decide which you're going to use: pam_unix or pam_ldap. Note that the Solaris pam_ldap is very different from the PADL pam_ldap used under Linux and elsewhere (this makes it easy to find apparently conflicting advice).

• I use Time Machine with an external hard disc which has worked perfectly for some years.  Recently Time Machine has aborted backups if the screen saver starts when back-up is in progress. I use a Maxtor OneTouch4 back-up system.  Any ideas?

  I use Time Machine with an external hard disc which has worked perfectly for some years.  Recently Time Machine has aborted backups if the screen saver starts when back-up is in progress. I use a Maxtor OneTouch4 back-up system.  Any ideas?
  Has Apple recently up-dated my OS (Lion) such that every time the screen saver starts it disables Time Machine.  I have to switch-off the computer and re-start in order to undertake  a back-up.  I have now switched of all screen savers.

  Please read this whole message before doing anything.
  This procedure is a diagnostic test. It’s unlikely to solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.
  The purpose of this exercise is to determine whether the problem is caused by third-party system modifications that load automatically at startup or login. Disconnect all wired peripherals except those needed for the test, and remove all aftermarket expansion cards. Boot in safe mode and log in to the account with the problem. The instructions provided by Apple are as follows:
  Be sure your Mac is shut down.
  Press the power button.
  Immediately after you hear the startup tone, hold the Shift key. The Shift key should be held as soon as possible after the startup tone, but not before the tone.
  Release the Shift key when you see the gray Apple icon and the progress indicator (looks like a spinning gear).
  Safe mode is much slower to boot and run than normal, and some things won’t work at all, including wireless networking on certain Macs.
  The login screen appears even if you usually log in automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin.
  Test while in safe mode. Same problem(s)?
  After testing, reboot as usual (i.e., not in safe mode.)