Non-Global Zone Routing

I have a V20z running a global zone on an IANA private network of 172.30.0.x and nic bge0
I also have a non-global zone on a public IP of 207.246.20.169 and nic bge1.
I am unable to ping from one zone to the next via a gateway. Normally the global zone would use a standard gateway for that network and my public network would also use a standard gateway for that network.
What appears to be happening is that despite what is in my /etc/defaultrouter the zone itself is the gateway.
For example, to ping something from either zone which would require the gateway results in:
ICMP Host Unreachable from gateway 'zone name' (zone ip address)
What I want to happen is that the global zone honors the gateway that is normally used in this network and the non-global zone uses/honors the gateway that is normally used in that network.
It doesn't seem to matter if I have the normal internal gateway in my /etc/defaultrouter or if I have the normal public gateway in /etc/defaultrouter or if I have both in /etc/defaultrouter (all in the global zone of course).
Do I need to use routed to achieve this? Am I missing something here?

I hammered the problem out by adding a static route in the global zone:
route add 172.30.0.0 207.246.20.161
Where 207.246.20.161 is my gateway on the public side.
I slapped this into an /etc/init.d script in the global zone and ran it from /etc/rc2.d like the article below suggests:
http://www.sun.com/bigadmin/content/submitted/persistent_routing.html

Similar Messages

  • Route between global and non-global zones

    Hi Folks,
    I haven't been able to find an answer to this question searching the archives, so I'll try here. My global zone gets her IP (10.153.197.n) via DHCP, and I've had to use 192.168.1.n addresses for the non global zones. Is there a simple route statement I can issue to allow communication between the global and non global zones? I'm running Solaris 10 x86 03/2005.
    Thanks very much,
    -Adam vonNieda

    If you're only interested in passing traffic between the global zone and the non-global zones, just add a virtual interface to the global zone.
    For example, in the global zone:
    ifconfig ce0:4 plumb 192.168.1.x netmask + broadcast + up
    Then you will be able to pass traffic between the global and non-global zones.
    If you're looking for the global zone to proxy traffic between the non-global zones and the rest of the network, take a look at http://balance.sf.net

  • Ssh takes me to the global zone instead of the non-global zone

    I have set up my first Solaris 10 server with a new zone. The ce device is set up on the zone as well as the global zone.
    Output from ifconfig on the global zone:
    # ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
    ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    inet 172.16.1.217 netmask ffffff00 broadcast 172.16.1.255
    ether 0:3:ba:f2:a1:54
    ce1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
    inet 172.16.1.199 netmask ffffff00 broadcast 172.16.1.255
    ether 0:3:ba:f2:a1:54
    Output from the non-global zone:
    # ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
    ce1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    inet 172.16.1.199 netmask ffff0000 broadcast 172.16.255.255
    ether 0:3:ba:f2:a1:54
    When I ssh into the non-global zone, I end up in the global zone? Can I ssh straight into the non-global zone? Am I missing something in the zone setup that keeps me from being able to ssh into the non-global zone?
    Any help is appreciated. I have been racking my brain on this for several hours.
    Thanks ahead of time.

    TAdriver wrote:
    The one thing I have found in the documentation is that if you set the network as an exclusive IP, you can only assign the physical name using zonecfg. You can't set the IP address or the default router. In fact, if you try to set either of those, you get an error saying you can't set those using an exclusive IP type.
    Correct. When doing a shared-IP zone, the zone has no privileges to do IP-level things. So the global zone (via the zone configuration) creates the virtual interface and sets the IP address. Then when the zone is booted, the interface is given to it.
    With an exclusive-IP zone, the zone can do all this work itself. From its perspective, it's handed an interface like a regular machine. So the IP settings are done within the zone (/etc/hosts, /etc/hostname.XXX, /etc/netmasks).
    Darren

  • Separate private ip addresses for non-global zones

    I'm testing zones on one of our administrative servers and I'm wondering about the following scenario.
    Zones can easily run away with a lot of ip addresses and I decided to try this. The machine has, in its global zone, a standard private address in the admin (192.168.129.0) segment on hme0. I have also given it another address, 192.168.229.1, configured on hme0:1 which I intend to be the defaultrouter for non-global zones.
    Zone 1 has as its primary address 192.168.229.10, and I have tried to set the default router to 192.168.229.1 by various methods based on what I have read in here, including adding that address to the defaultrouter file in the global zone.
    Zone 2 has 192.168.229.20 as its primary address and is intended to have the same default of 192.168.229.1.
    So far I've not been able to make this work. Am I barking up the wrong tree?
    TIA

    Sorry for the late reply.
    So if I understand correctly, you want to put all your zones in a dedicated IP network (192.168.229.0/24).
    To do this, you don't need to configure the global zone as default gateway for the zones (which doesn't work, as you noticed). You want to indicate to the zones that they can reach the other network (192.168.129.0/24) just by sending packets on hme0. To do so, you need to create interface routes in every zone:
    # route add net 192.168.129.0/24 192.168.229.10 -interface
    (same for Zone 2, etc.)
    The global zone then needs to advertise itself as gateway for the 192.168.229.0/24 network to the other hosts. I think in.routed(1M) can do this using special configuration in the gateways(4) file, but I don't know how. Otherwise, if you can administer the real router that the other hosts use, you can add a static route: destination 192.168.229.0/24, gateway [global zone IP].
    hope this helps,
    Blaise

  • Unexpected behavior: Solaris10 , vlan , ipmp, non-global zones

    I've configured a System with several non-global zones.
    Each of them has ip - connection via a separate vlan (1 vlan for each nonglobal zone). The vlans are established by the global zone. They are additionally brought under control of ipmp.
    I followed the instructions described at:
    http://forum.sun.com/thread.jspa?threadID=21225&messageID=59653#59653
    to create the defaultrouters for the non-global zones.
    In addition to that, I've created the default route for the 2nd ipmp-interface. (to keep the route in the non-global Zone in case of ipmp-failover)
    ie:
    route add default  172.16.3.1 -ifp ce1222000
    route add default  172.16.3.1 -ifp ce1222002
    Furthermore, I've put the 172.16.3.1 in the /etc/defaultrouter of the global zone, to ensure it will be the 1st entry in the routing table (because it's the defaultrouter for the global zone)
    Here the unexpected:
    Tried to reach an ip-target outside the configured subnets, say 172.16.1.3, via icmp. The router 172.16.3.1 knows the proper route to get it. The 1st tries (can't remember the exact number) went through ce1222000 and associated icmp-replies travelled back through ce1222000. But suddenly the outgoing interface changed to ce1322000 or ce1122000! The defaultrouters configured on these vlans are not aware of the 172.16.1.3 (172.16.1.0/24), and there was no answer. The defaultroutes seemed to be "cycled" between the configured.
    Furthermore the connection from the outside to the nonglobal-zones (which do have only 1 defaultrouter configured: the one of the vlan the non-global Zone belongs to) was broken intermittently.
    So, how to get the combination of VLAN ,IPMP, diff. defaultrouters, non-global Zones running?
    Got the following config visible in the global zone:
    (the 172.13.x.y are sc3.1u4 priv. interconnect)
    netstat -rn
    Routing Table: IPv4
      Destination           Gateway           Flags  Ref   Use   Interface
    172.31.193.1         127.0.0.1            UH        1      0  lo0
    172.16.19.0          172.16.19.6          U         1   4474  ce1322000
    172.16.19.0          172.16.19.6          U         1      0  ce1322000:1
    172.16.19.0          172.16.19.6          U         1   1791  ce1322002
    172.31.1.0           172.31.1.2           U         1 271194  ce5
    172.31.0.128         172.31.0.130         U         1 271158  ce1
    172.16.11.0          172.16.11.6          U         1   8715  ce1122000
    172.16.11.0          172.16.11.6          U         1      0  ce1122000:1
    172.16.11.0          172.16.11.6          U         1   7398  ce1122002
    172.16.3.0           172.16.3.6           U         1   4888  ce1222000
    172.16.3.0           172.16.3.6           U         1      0  ce1222000:1
    172.16.3.0           172.16.3.6           U         1   4236  ce1222002
    172.16.27.0          172.16.27.6          U         1      0  ce1411000
    172.16.27.0          172.16.27.6          U         1      0  ce1411000:1
    172.16.27.0          172.16.27.6          U         1      0  ce1411002
    192.168.0.0          192.168.0.62         U         1  24469  ce3
    172.31.193.0         172.31.193.2         U         1    651  clprivnet0
    172.16.11.0          172.16.11.6          U         1      0  ce1122002:1
    224.0.0.0            192.168.0.62         U         1      0  ce3
    default              172.16.3.1           UG        1   1454
    default              172.16.19.1          UG        1      0  ce1322000
    default              172.16.19.1          UG        1      0  ce1322002
    default              172.16.11.1          UG        1      0  ce1122000
    default              172.16.11.1          UG        1      0  ce1122002
    default              172.16.3.1           UG        1      0  ce1222000
    default              172.16.3.1           UG        1      0  ce1222002
    127.0.0.1            127.0.0.1            UH        41048047  lo
    #ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232
    index 1
            inet 127.0.0.1 netmask ff000000
    lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232
    index 1
            zone Z-BTO1-1
            inet 127.0.0.1 netmask ff000000
    lo0:2: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232
    index 1
            zone Z-BTO1-2
            inet 127.0.0.1 netmask ff000000
    lo0:3: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232
    index 1
            zone Z-ITR1-1
            inet 127.0.0.1 netmask ff000000
    lo0:4: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232
    index 1
            zone Z-TDN1-1
            inet 127.0.0.1 netmask ff000000
    lo0:5: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232
    index 1
            zone Z-DRB1-1
            inet 127.0.0.1 netmask ff000000
    ce1: flags=1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500
    index 10
            inet 172.31.0.130 netmask ffffff00 broadcast 172.31.0.255
            ether 0:3:ba:f:63:95
    ce3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 8
            inet 192.168.0.62 netmask ffffff00 broadcast 192.168.0.255
            groupname ipmp0
            ether 0:3:ba:f:68:1
    ce5: flags=1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500
    index 9
            inet 172.31.1.2 netmask ffffff00 broadcast 172.31.1.127
            ether 0:3:ba:d5:b1:44
    ce1122000: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500
    index 2
            inet 172.16.11.6 netmask ffffff00 broadcast 172.16.11.127
            groupname ipmp2
            ether 0:3:ba:f:63:94
    ce1122000:1:
    flags=209040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,CoS>
    mtu 1500 index 2
            inet 172.16.11.7 netmask ffffff00 broadcast 172.16.11.127
    ce1122002:
    flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu
    1500 index 3
            inet 172.16.11.8 netmask ffffff00 broadcast 172.16.11.127
            groupname ipmp2
            ether 0:3:ba:f:68:0
    ce1122002:1: flags=1040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4>
    mtu 1500 index 3
            inet 172.16.11.10 netmask ffffff00 broadcast 172.16.11.255
    ce1122002:2: flags=1040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4>
    mtu 1500 index 3
            zone Z-ITR1-1
            inet 172.16.11.9 netmask ffffff00 broadcast 172.16.11.255
    ce1222000: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500
    index 4
            inet 172.16.3.6 netmask ffffff00 broadcast 172.16.3.127
            groupname ipmp3
            ether 0:3:ba:f:63:94
    ce1222000:1:
    flags=209040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,CoS>
    mtu 1500 index 4
            inet 172.16.3.7 netmask ffffff00 broadcast 172.16.3.127
    ce1222002:
    flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu
    1500 index 5
            inet 172.16.3.8 netmask ffffff00 broadcast 172.16.3.127
            groupname ipmp3
            ether 0:3:ba:f:68:0
    ce1222002:1: flags=1040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4>
    mtu 1500 index 5
            zone Z-BTO1-1
            inet 172.16.3.9 netmask ffffff00 broadcast 172.16.3.255
    ce1222002:2: flags=1040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4>
    mtu 1500 index 5
            zone Z-BTO1-2
            inet 172.16.3.10 netmask ffffff00 broadcast 172.16.3.255
    ce1322000: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500
    index 6
            inet 172.16.19.6 netmask ffffff00 broadcast 172.16.19.127
            groupname ipmp1
            ether 0:3:ba:f:63:94
    ce1322000:1:
    flags=209040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,CoS>
    mtu 1500 index 6
            inet 172.16.19.7 netmask ffffff00 broadcast 172.16.19.127
    ce1322002:
    flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu
    1500 index 7
            inet 172.16.19.8 netmask ffffff00 broadcast 172.16.19.127
            groupname ipmp1
            ether 0:3:ba:f:68:0
    ce1322002:1: flags=1040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4>
    mtu 1500 index 7
            zone Z-TDN1-1
            inet 172.16.19.9 netmask ffffff00 broadcast 172.16.19.255
    ce1411000: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500
    index 12
            inet 172.16.27.6 netmask ffffff00 broadcast 172.16.27.255
            groupname ipmp4
            ether 0:3:ba:f:63:94
    ce1411000:1:
    flags=209040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,CoS>
    mtu 1500 index 12
            inet 172.16.27.7 netmask ffffff00 broadcast 172.16.27.255
    ce1411002:
    flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu
    1500 index 13
            inet 172.16.27.8 netmask ffffff00 broadcast 172.16.27.255
            groupname ipmp4
            ether 0:3:ba:f:68:0
    ce1411002:1: flags=1040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4>
    mtu 1500 index 13
            zone Z-DRB1-1
            inet 172.16.27.9 netmask ffffff00 broadcast 172.16.27.255
    clprivnet0:
    flags=1009843<UP,BROADCAST,RUNNING,MULTICAST,MULTI_BCAST,PRIVATE,IPv4> mtu
    1500 index 11
            inet 172.31.193.2 netmask ffffff00 broadcast 172.31.193.255
            ether 0:0:0:0:0:2
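
The routing table posted above holds default routes through three different gateways. As an added example (not part of the original post), this shell script reads `netstat -rn` output, groups the default routes by gateway and reports when more than one gateway is present; the function names are hypothetical and the sample lines are an excerpt of the table above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Excerpt of the `netstat -rn` output posted above (two interface routes and
# all default routes), embedded so the script runs offline.
sample_netstat() {
    cat <<'EOF'
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
172.16.19.0          172.16.19.6          U         1   4474  ce1322000
172.16.3.0           172.16.3.6           U         1   4888  ce1222000
default              172.16.3.1           UG        1   1454
default              172.16.19.1          UG        1      0  ce1322000
default              172.16.19.1          UG        1      0  ce1322002
default              172.16.11.1          UG        1      0  ce1122000
default              172.16.11.1          UG        1      0  ce1122002
default              172.16.3.1           UG        1      0  ce1222000
default              172.16.3.1           UG        1      0  ce1222002
EOF
}

# default_gateways: read `netstat -rn` text on stdin and print one line per
# distinct default gateway, in order of first appearance:
#   "<gateway> <if1,if2,...>"
# A default route with no Interface column is shown as "-" (it is not bound
# to an interface with -ifp).
default_gateways() {
    awk '
        $1 == "default" && $3 ~ /G/ {
            gw  = $2
            ifc = (NF >= 6) ? $6 : "-"
            if (gw in ifs) ifs[gw] = ifs[gw] "," ifc
            else { order[++n] = gw; ifs[gw] = ifc }
        }
        END { for (i = 1; i <= n; i++) print order[i], ifs[order[i]] }
    '
}

# check_default_routes: print the default routes found on stdin; return 0
# when at most one default gateway is present and 1 when there are several.
check_default_routes() {
    gws=$(default_gateways)
    count=$(printf '%s\n' "$gws" | awk 'NF { c++ } END { print c + 0 }')
    printf '%s\n' "$gws" | awk 'NF { print "default via " $1 " on " $2 }'
    if [ "$count" -gt 1 ]; then
        echo "WARNING: $count distinct default gateways in one routing table"
        return 1
    fi
    return 0
}

# Run the check on the excerpt; on a live host pipe `netstat -rn` into it.
sample_netstat | check_default_routes || true
```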

  • Non-global zones & vlan

    I'm in a zoning frenzy now and have created a zone that connects to a vlan interface "ceXXX000". The zone is reachable from within its subnet but could not route traffic beyond the gateway (which cannot be set). Any ideas? I left the vlan interface as 0.0.0.0 since the global zone does not need to talk in that VLAN.
    Also, while changing the IP of the non-global zone, I missed "zoneadm halt". That resulted in the zone not being able to boot (or do anything). Rebooting recovers the zone(s). Is there any way to work around that? zoneadmd was running for the zone.
    The machine is b63.

    I'm in a zoning frenzy now and have created a zone that
    connects to a vlan interface "ceXXX000". The zone is
    reachable from within its subnet but could not route
    traffic beyond the gateway (which cannot be set). Any
    ideas? I left the vlan interface as 0.0.0.0 since
    the global zone does not need to talk in that VLAN.
    You need to add the default gateway for the zone manually, in the global zone:
    # route add default <gateway> -ifp ceXXX000
    You can only do this when the zone is in the "ready" state. This is not very convenient, we'll try to improve this in the future (not in the initial release of Solaris 10 though).
    Also, while changing the IP of the non-global zone, I
    missed "zoneadm halt". That resulted in the zone not
    being able to boot (or do anything). Rebooting
    recovers the zone(s). Is there any way to work around
    that? zoneadmd was running for the zone.
    Did you change the IP address in the zone configuration (using zonecfg) or directly using ifconfig? There is a known bug when you set the IP address in zonecfg to one that's already configured on another interface (this bug will be fixed in the next Solaris Express release). Otherwise, can you post the output of "pstack" on the zoneadmd process? Thanks.
    Blaise

  • Add tape device to non-global zone

    Hi,
    I have a SCSI attached Ultrium tape device attached and configured against the global zone.
    The /dev/rmt/0* definitions in the global zone are links to ../../devices/pci@2*
    I need to be able to use this tape device from the non-global zones.
    To enable this, I have done the following:
    zonecfg -z <zone name>
    add device
    set match=/dev/rmt/0
    end
    verify
    commit
    exit
    I repeated the above for /dev/rmt/0m and /dev/rmt/0mn
    Then I restarted the zone with the command:
    zoneadm -z <zone name> reboot
    After the reboot, I can see the device when using "mt -f /dev/rmt/0 status", but whenever I try to write a SAP brbackup to the new (initialised and not write protected) tape within the drive I get the following error:
    BR0278E Command output of 'LANG=C cd /oracle/<SID>/sapbackup && /usr/sap/<SID>/SYS/exe/run/brtools -f detach LANG=C cpio -iuvB .tape
    sh: /dev/rmt/0mn: cannot open
    BR0280I BRBACKUP time stamp: 2012-04-04 08.21.41
    BR0279E Return code from 'LANG=C cd /oracle/<SID>/sapbackup && /usr/sap/<SID>/SYS/exe/run/brtools -f detach LANG=C cpio -iuvB .tape.
    BR0359E Restore of /oracle/<SID>/sapbackup/.tape.hdr0 from /dev/rmt/0mn failed due to previous errors
    Have I created the device incorrectly, or does anyone have any ideas what could be the reason the write fails?
    Any help appreciated.
    Edited by: user11329299 on 04-Apr-2012 01:09

    Hi,
    Just to bring you up to speed, I have now fixed the issue.
    The resolution was all within the iniSID.sap file that the backup is using. I have changed a number of parameters within this file:
    1. tape_copy_cmd = dd (was cpio)
    2. rewind = "mt     -f $ rew; sleep 30" (was " mt -f $ rew")
    3. rewind_offline = "mt -f $ offline; sleep 30" (was "mt -f $ offline")
    4. tape_pos_cmd = "mt -f $ fsf $: sleep 30" (was "mt -f $ fsf $")
    5. tape_size = 500G (was 18000M)
    After making those changes, the backup started from within DB13. I believe that the main culprit was the tape_copy_cmd, but the others were changed to allow the tape drive time to become online again after any query.

  • PHP in Solaris 10 and Non-Global Zones: Problem of performance?

    Hi friends
    We are feeling a poor performance with applications developed with PHP in Solaris 10, with non-global and global zones, while Intel platform (Xeon and Pentium), performance is very good. Difference between both platforms is about 200% approx., one second in Intel to 9, 12 or 20 seconds in Solaris depending on model.
    Our tests were developed in:
    1. SF T2000 server Solaris 10 global zone
    2. SF T2000 server Solaris 10 non-global zone
    3. SF280R server Solaris 10 non-global zone
    4. V240 server with 1 GB memory, 1*US III-i 1.0 GHz and Solaris 9 (really this version for test and comparisons)
    5. V240 server with 8GB memory, 2*US III-i 1.5Ghz and Solaris 9 (really this version for test and comparisons too)
    Intel platforms were:
    1. Intel Pentium 4 2GHz 2GB memory, Linux Fedora and PHP 4.4.4
    2. Intel Xeon 2 core, 2.33GHz 2GB memory, Linux Fedora and PHP 4.4.3
    Versions of products are:
    1. Solaris 9 or Solaris 10
    2. PHP 4.4.7 downloaded from http://www.php.net/downloads.php
    3. Apache 2.0.59
    4. MySQL 4.1.15-log
    Our php compilation and installation were:
    ./configure --prefix=/usr/local/php-4.4.7 \
    --with-pear \
    --with-openssl=/usr/local/ssl \
    --with-gettext \
    --with-ldap=/usr/local \
    --with-iconv \
    --enable-ftp \
    --with-dom \
    --with-mime-magic \
    --enable-mbstring \
    --with-zlib \
    --enable-track-vars \
    --enable-sigchild \
    --disable-ctype \
    --disable-overload \
    --disable-tokenizer \
    --disable-posix \
    --with-gd \
    --with-apxs2=/usr/local/apache2.0.53/bin/apxs \
    --with-mysql  \
    --with-pgsql \
    --with-oci8=/oracle/product/9.2.0 \
    --with-oracle=/oracle/product/9.2.0  \
    --with-png-dir=/usr/local \
    --with-zlib-dir=/usr/local \
    --with-freetype-dir=/usr/local \
    --with-jpeg-dir=/usr/local
    make
    make install
    Questions:
    Is there any problem of PHP with SunFire T2000 servers or 64-bits platforms?
    Is there any flag of PHP would be use to compilation PHP in 64-bits or multithread?
    I wait for any comments or suggestions about our problem with PHP compilation and performance in Solaris 10. Thanks a lot.
    Sergio.

    I presume you compiled php on the Sun server, was this done using gcc or the Sun One C compiler.
    If the latter then you can also use the flag: --enable-nonportable-atomics when you run configure

  • Lucreate not working with ZFS and non-global zones

    I replied to this thread: Re: lucreate and non-global zones as to not duplicate content, but for some reason it was locked. So I'll post here... I'm experiencing the exact same issue on my system. Below is the lucreate and zfs list output.
    # lucreate -n patch20130408
    Creating Live Upgrade boot environment...
    Analyzing system configuration.
    No name for current boot environment.
    INFORMATION: The current boot environment is not named - assigning name <s10s_u10wos_17b>.
    Current boot environment is named <s10s_u10wos_17b>.
    Creating initial configuration for primary boot environment <s10s_u10wos_17b>.
    INFORMATION: No BEs are configured on this system.
    The device </dev/dsk/c1t0d0s0> is not a root device for any boot environment; cannot get BE ID.
    PBE configuration successful: PBE name <s10s_u10wos_17b> PBE Boot Device </dev/dsk/c1t0d0s0>.
    Updating boot environment description database on all BEs.
    Updating system configuration files.
    Creating configuration for boot environment <patch20130408>.
    Source boot environment is <s10s_u10wos_17b>.
    Creating file systems on boot environment <patch20130408>.
    Populating file systems on boot environment <patch20130408>.
    Temporarily mounting zones in PBE <s10s_u10wos_17b>.
    Analyzing zones.
    WARNING: Directory </zones/APP> zone <global> lies on a filesystem shared between BEs, remapping path to </zones/APP-patch20130408>.
    WARNING: Device <tank/zones/APP> is shared between BEs, remapping to <tank/zones/APP-patch20130408>.
    WARNING: Directory </zones/DB> zone <global> lies on a filesystem shared between BEs, remapping path to </zones/DB-patch20130408>.
    WARNING: Device <tank/zones/DB> is shared between BEs, remapping to <tank/zones/DB-patch20130408>.
    Duplicating ZFS datasets from PBE to ABE.
    Creating snapshot for <rpool/ROOT/s10s_u10wos_17b> on <rpool/ROOT/s10s_u10wos_17b@patch20130408>.
    Creating clone for <rpool/ROOT/s10s_u10wos_17b@patch20130408> on <rpool/ROOT/patch20130408>.
    Creating snapshot for <rpool/ROOT/s10s_u10wos_17b/var> on <rpool/ROOT/s10s_u10wos_17b/var@patch20130408>.
    Creating clone for <rpool/ROOT/s10s_u10wos_17b/var@patch20130408> on <rpool/ROOT/patch20130408/var>.
    Creating snapshot for <tank/zones/DB> on <tank/zones/DB@patch20130408>.
    Creating clone for <tank/zones/DB@patch20130408> on <tank/zones/DB-patch20130408>.
    Creating snapshot for <tank/zones/APP> on <tank/zones/APP@patch20130408>.
    Creating clone for <tank/zones/APP@patch20130408> on <tank/zones/APP-patch20130408>.
    Mounting ABE <patch20130408>.
    Generating file list.
    Finalizing ABE.
    Fixing zonepaths in ABE.
    Unmounting ABE <patch20130408>.
    Fixing properties on ZFS datasets in ABE.
    Reverting state of zones in PBE <s10s_u10wos_17b>.
    Making boot environment <patch20130408> bootable.
    Population of boot environment <patch20130408> successful.
    Creation of boot environment <patch20130408> successful.
    # zfs list
    NAME USED AVAIL REFER MOUNTPOINT
    rpool 16.6G 257G 106K /rpool
    rpool/ROOT 4.47G 257G 31K legacy
    rpool/ROOT/s10s_u10wos_17b 4.34G 257G 4.23G /
    rpool/ROOT/s10s_u10wos_17b@patch20130408 3.12M - 4.23G -
    rpool/ROOT/s10s_u10wos_17b/var 113M 257G 112M /var
    rpool/ROOT/s10s_u10wos_17b/var@patch20130408 864K - 110M -
    rpool/ROOT/patch20130408 134M 257G 4.22G /.alt.patch20130408
    rpool/ROOT/patch20130408/var 26.0M 257G 118M /.alt.patch20130408/var
    rpool/dump 1.55G 257G 1.50G -
    rpool/export 63K 257G 32K /export
    rpool/export/home 31K 257G 31K /export/home
    rpool/h 2.27G 257G 2.27G /h
    rpool/security1 28.4M 257G 28.4M /security1
    rpool/swap 8.25G 257G 8.00G -
    tank 12.9G 261G 31K /tank
    tank/swap 8.25G 261G 8.00G -
    tank/zones 4.69G 261G 36K /zones
    tank/zones/DB 1.30G 261G 1.30G /zones/DB
    tank/zones/DB@patch20130408 1.75M - 1.30G -
    tank/zones/DB-patch20130408 22.3M 261G 1.30G /.alt.patch20130408/zones/DB-patch20130408
    tank/zones/APP 3.34G 261G 3.34G /zones/APP
    tank/zones/APP@patch20130408 2.39M - 3.34G -
    tank/zones/APP-patch20130408 27.3M 261G 3.33G /.alt.patch20130408/zones/APP-patch20130408

    I replied to this thread: Re: lucreate and non-global zones as to not duplicate content, but for some reason it was locked. So I'll post here...
    The thread was locked because you were not replying to it.
    You were hijacking that other person's discussion from 2012 to ask your own new post.
    You have now properly asked your question and people can pay attention to you and not confuse you with that other person.

  • Non-Global Zones - how can I tell what the Global Zone is

    Hi,
    I have a host that I know is a non-global zone (ngz). I can ssh to the ngz as root or a non-privileged user.
    But once there how do I know what the host name for the global zone is?
    I could probably run a script from all global zones to report all running zones and so I'd know that way but I have a specific need to know from inside the ngz.
    Thanks!
    Brian

    bdunbar wrote:
    That's a built-in security feature; and I know of no way to circumvent this mechanism.
    I had some hope that there was a way to 'see' at least the global-zone information from the zone. From the shell the 'zone' commands are available ..
    :# zoneadm list -cv
    ID NAME             STATUS         PATH                         
    48 hostname_svn   running        /
    So it's at least aware that it is a zone, even if it can't tell me anything else about itself. I can still go the long way around to get the information for my need, thanks.
    The global zone is the only thing that can see everything. The non-global zones can only see information specific to their zone.
    This is by design and it really is a security mechanism. You don't want the zones running outside of their boundaries and information about the global zone (or any other zone) is outside the boundaries of a non-global zone.
    Cheers,

  • How to enable GUI in a non global zone in solaris11?

    How to enable graphical logon in a non global zone in solaris11, so the zone can be login by Xmanager? Thanks!

    This guide will cover how to setup a basic VNC connection to a Solaris 11 machine. There is also an optional step to allow for persistent VNC connections.
    Step 1
    Configure GDM to include ‘[security] DisallowTCP=false’ and ‘[xdmcp] Enable=true’.
    $ sudo gedit /etc/gdm/custom.conf
    # GDM configuration storage
    [daemon]
    [security]
    DisallowTCP=false
    [xdmcp]
    Enable=true
    [greeter]
    [chooser]
    [debug]
    Step 2
    Configure X-Server to accept remote connections.
    # svccfg -s application/x11/x11-server
    svc:/application/x11/x11-server> setprop options/tcp_listen = boolean: true
    svc:/application/x11/x11-server> end
    Step 3
    Configure the VNC service (you could change the ‘-geometry 1280×720’ to whatever resolution you would like).
    # svccfg -s xvnc-inetd
    svc:/application/x11/xvnc-inetd> setprop inetd_start/exec = astring: "/usr/bin/Xvnc -desktop sol11:0 -geometry 1024x768 -inetd -query localhost -once securitytypes=none"
    svc:/application/x11/xvnc-inetd> setprop inetd/wait = boolean: true
    svc:/application/x11/xvnc-inetd> end
    ** The line highlighted red is optional – only do this if you want your VNC connection to persist (as well as any potential security issues)
    or
    # svccfg -s xvnc-inetd
    svc:/application/x11/xvnc-inetd> editprop
    search for # setprop inetd_start/exec = astring: "/usr/bin/Xvnc
    copy the line, uncomment the copy, make the changes above, write the file out.
    svcadm refresh xvnc-inetd
    Step 4
    Disable and then re-enable the GDM and VNC-inetd services for the changes to take effect.
    $ su root
    Password:
    # svcadm disable gdm xvnc-inetd; svcadm enable gdm xvnc-inetd
    If still in maintenance, reboot (I had to, don't know why).
    Step 5
    Point your favourite VNC client at your Solaris server and test if it accepts your VNC connection – you should be presented with a Username/Password login screen.
    If you performed the optional step to make your connections persist – close your favourite VNC client and then reconnect – if you remained logged in you have a persistent connection.
    Greg on said:
    After a fresh text install of Solaris-11 (11/11) both xvnc-inetd and gdm are not present. After installing them (# pkg install xvnc-inetd gdm) I can’t get gdm to start:
    # svcadm enable gdm
    # svcs gdm
    offline 10:24:03 svc:/application/graphical-login/gdm:default
    Any thoughts?
    Ron on said:
    You are missing some X packages. Do the following:
    pkg install slim_install           # installs 400+ packages
    svcadm enable gdm && exit      # gdm now works
    pkg uninstall slim_install           # uninstalls the installer package only
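
An added check, not part of the original post: it reviews a saved copy of the setprop lines from the steps above and reports the settings that matter for exposure. Treating inetd/wait as the optional persistence line is an assumption, and the function and variable names are illustrative.

```shell
#!/bin/sh
# Constructed input: the setprop lines from the steps above, saved as text.
SMF_TRANSCRIPT='svc:/application/x11/x11-server> setprop options/tcp_listen = boolean: true
svc:/application/x11/xvnc-inetd> setprop inetd_start/exec = astring: "/usr/bin/Xvnc -desktop sol11:0 -geometry 1024x768 -inetd -query localhost -once securitytypes=none"
svc:/application/x11/xvnc-inetd> setprop inetd/wait = boolean: true'

# Print one finding per risky setting; print nothing when none is present.
# $1 = text containing svccfg setprop lines (with or without the prompt)
audit_xvnc_props() {
    printf '%s\n' "$1" | awk '
        # Normalise case and drop the "svc:/...> setprop " prefix if present.
        { line = tolower($0); sub(/^.*setprop +/, "", line) }
        # Xvnc accepts "securitytypes=none" as well as "-securitytypes none".
        line ~ /^inetd_start\/exec/ && line ~ /securitytypes[= ]+none/ { noauth = 1 }
        # Assumption: this is the optional line that makes the session persist.
        line ~ /^inetd\/wait[ =]+boolean: *true/ { persist = 1 }
        line ~ /^options\/tcp_listen[ =]+boolean: *true/ { x11tcp = 1 }
        END {
            if (x11tcp)  print "X11_TCP: X server listens on TCP"
            if (noauth)  print "NO_VNC_AUTH: no VNC-layer password, only the GDM login screen"
            if (persist) print "PERSIST: session survives a client disconnect"
            if (noauth && persist)
                print "COMBINED: a reconnecting client reaches the logged-in desktop without credentials"
        }'
}

audit_xvnc_props "$SMF_TRANSCRIPT"
```

The COMBINED finding is the one Step 5 demonstrates: with persistence on and no VNC authentication, reconnecting lands in the session that is already logged in, so reachability of the VNC port should be restricted accordingly.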

  • Make non-global zone svcs persistent across reboots

    Q: Solaris 10 services such as telnet will need to be enabled after installation of non-global zones. Command "svcs enable telnet" did not leave telnet enabled after rebooting a non-global zone. Any suggestions? Thanks.

    Did you do the "svcs enable telnet" while zlogin'ed to the zone?
    If so it should have worked.

  • Is it possible to patch Global Zone and only specific Non-Global Zones?

    Hi Champs,
    Is it possible to patch Global Zone and only specific Non-Global Zones? Idea is to patch DEV-zones only on the system & test applications and then patch only the STG-zones on same server!
    Not sure if it is possible but just throwing a question...
    Cheers,
    Nitin

    M10vir wrote:
    Yes, if you have branded (non-sparse) zone!
    Branded zones and sparse zones don't have the relation that you imply. In Solaris 10, native zones can be sparse or whole-root (non-sparse, as you say). Zones that are not native zones are branded zones. Branded zones on Solaris 10 include Solaris Legacy Containers, previously known as Solaris 8 Containers and Solaris 9 Containers. That add-on product allows you to run Solaris 8 and Solaris 9 application environments under a thin layer of virtualization provided by the brands framework. solaris8 and solaris9 branded zones can be patched independently of each other and of the global zone.
    Solaris 11 has no "native zones" - all zones use the brands framework. The "solaris" brand does no emulation and in that respect is very similar to native zones on Solaris 10. Solaris 11 also provides Solaris 10 Zones via the solaris10 brand. This allows zones or the global zone from a Solaris 10 system to be transferred to a Solaris 11 system and run as solaris10 zones. When running on Solaris 11, solaris10 zones can each be patched independently from each other and the Solaris 11 global zone. Technically, Solaris 11 doesn't have patches - it just has newer versions of packages to which the system is updated.

  • Failing to install pkg on non-global zone

    (root)@syslog1:~# pkgadd -d . SUNWant
    Processing package instance <SUNWant> from </home/iqbala>
    Jakarta ANT(sparc) 11.10.0,REV=2005.01.08.05.16
    WARNING: Stale lock installed for pkgrm, pkg SUNWaspell quit in remove-initial state.
    Removing lock.
    Using </> as the package base directory.
    ## Processing package information.
    ERROR: Cannot allocate memory for package object array.
    pkgadd: ERROR: memory allocation failure
    pkgadd: ERROR: unable to process pkgmap
    Installation of <SUNWant> failed (internal error).
    No changes were made to the system.
    (root)@syslog1:~#
    (root)@syslog1:~# zonename
    syslog
    This non-global zone is capped to 1G phy memory out of 2G total of the T1000
    (root)@syslog-global:~# uname -a
    SunOS syslog-global 5.10 Generic_137137-09 sun4v sparc SUNW,Sun-Fire-T1000
    (root)@syslog-global:~# zoneadm list
    global
    syslog
    (root)@syslog-global:~# zonename
    global
    (root)@syslog-global:~# zonecfg -z syslog info
    zonename: syslog
    zonepath: /syslog
    brand: native
    autoboot: true
    bootargs: -m verbose
    pool:
    limitpriv: default,sys_time
    scheduling-class: FSS
    ip-type: shared
    inherit-pkg-dir:
         dir: /lib
    inherit-pkg-dir:
         dir: /platform
    inherit-pkg-dir:
         dir: /sbin
    inherit-pkg-dir:
         dir: /usr
    fs:
         dir: /var/logs
         special: /var/logs
         raw not specified
         type: lofs
         options: []
    fs:
         dir: /usr/local
         special: /syslog-local/usr/local
         raw not specified
         type: lofs
         options: []
    net:
         address: 192.168.0.114
         physical: aggr1
         defrouter: 192.168.0.1
    dedicated-cpu:
         ncpus: 1-8
         importance: 10
    capped-memory:
         physical: 1G
         [swap: 512M]
    attr:
         name: comment
         type: string
         value: "syslog server"
    rctl:
         name: zone.max-swap
         value: (priv=privileged,limit=536870912,action=deny)
    (root)@syslog-global:~# prstat -Z
    PID USERNAME SIZE RSS STATE PRI NICE TIME CPU PROCESS/NLWP
    13118 root 7184K 5952K sleep 1 0 52:00:54 0.5% nco_p_syslog/10
    11730 root 162M 123M sleep 59 0 38:51:35 0.1% splunkd/22
    7324 root 12M 8280K sleep 59 0 0:58:06 0.0% syslogd/25
    266 root 97M 24M sleep 49 0 31:45:02 0.0% poold/8
    209 daemon 8104K 3080K sleep 59 0 24:39:56 0.0% rcapd/1
    29553 root 2496K 2024K cpu4 59 5 0:00:00 0.0% splunk-optimize/1
    21578 root 38M 36M sleep 59 0 0:01:10 0.0% puppetd/2
    29554 root 6088K 3712K cpu0 49 0 0:00:00 0.0% prstat/1
    24244 root 5760K 3104K sleep 49 0 0:00:00 0.0% bash/1
    1024 noaccess 171M 96M sleep 59 0 8:41:32 0.0% java/18
    27771 noaccess 189M 100M sleep 1 0 4:44:36 0.0% java/18
    274 daemon 3192K 496K sleep 59 0 0:00:00 0.0% statd/1
    279 daemon 2816K 576K sleep 60 -20 0:00:00 0.0% nfs4cbd/2
    326 root 2304K 40K sleep 59 0 0:00:00 0.0% cimomboot/1
    151 root 2576K 344K sleep 59 0 0:00:00 0.0% drd/2
    ZONEID NPROC SWAP RSS MEMORY TIME CPU ZONE
    3 47 465M 513M 25% 99:54:00 0.7% syslog
    0 42 391M 466M 23% 71:04:39 0.1% global
    Total: 89 processes, 386 lwps, load averages: 0.21, 0.26, 0.26
    Am I hitting a bug?

    If your pkg wants to be installed in /usr or another inherit-pkg-dir, it can't because they are shared as read-only.
    Verify where the pkg copies its files.
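
One way to run the check suggested in the reply, as an added example that is not part of the original thread: it lists the pkgmap entries that would land in a read-only inherit-pkg-dir, and goes slightly further by treating an fs resource mounted beneath one (such as the zone's /usr/local lofs mount) as writable, which is an assumption. The pkgmap contents and function names are constructed.

```shell
#!/bin/sh
# Constructed sample: a subset of the `zonecfg -z syslog info` output in the
# post (the /usr/local lofs mount sits inside the inherited /usr).
ZONECFG_INFO='inherit-pkg-dir:
     dir: /sbin
inherit-pkg-dir:
     dir: /usr
fs:
     dir: /usr/local
     special: /syslog-local/usr/local
     type: lofs
     options: []'

# Constructed pkgmap; paths are illustrative, not the real SUNWant contents.
PKGMAP=': 1 2048
1 i pkginfo 329 27545 1105161360
1 f none usr/sfw/bin/ant 0755 root bin 3456 1234 1105161360
1 f none opt/example/README 0644 root bin 120 9876 1105161360
1 f none usr/local/bin/tool 0755 root bin 300 4321 1105161360'

# Emit "ro <dir>" per inherit-pkg-dir and "rw <dir>" per fs resource
# (assumption: fs mounts carry no ro option, as with "options: []" here).
zone_mounts() {
    printf '%s\n' "$1" | awk '
        /^[a-z]/ { kind = ($1 == "inherit-pkg-dir:") ? "ro" : (($1 == "fs:") ? "rw" : ""); next }
        kind != "" && $1 == "dir:" { print kind, $2 }'
}

# Print pkgmap paths whose longest matching mount is a read-only inherited dir.
# $1 = zonecfg info text, $2 = pkgmap text, $3 = package base directory
blocked_paths() {
    mounts=$(zone_mounts "$1" | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v base="$3" -v mounts="$mounts" '
        BEGIN { n = split(mounts, m, " ") }
        $1 == ":" || $2 == "i" { next }          # size header, install files
        {
            p = $4; sub(/=.*/, "", p)            # drop link target if present
            if (p !~ /^\//) p = (base == "/" ? "" : base) "/" p
            best = ""; mode = ""
            for (i = 1; i < n; i += 2) {
                d = m[i + 1]
                if ((p == d || index(p, d "/") == 1) && length(d) > length(best)) {
                    best = d; mode = m[i]
                }
            }
            if (mode == "ro") print p
        }'
}

blocked_paths "$ZONECFG_INFO" "$PKGMAP" /
```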

  • Can I import one non-global zone from one machine to another?

    If I create a non-global zone on one disk on machine A, is it possible to make a copy of that disk, and import the non-global zone to machine B? If yes, how to import the non-global zone?
    Thanks!

    It should be possible if your machines are installed in the same way, because you need the same environment (patches, packages,..).
    If this is true you should export your zone definition on machine A (zonecfg export) and import it on machine B (zonecfg -f ...).
    Then create the new zone on B. If finished get your zonepath with all data on A and copy it to B. That should be all.
    With this solution I hope it would be possible to have a shadow instance on B and the active instance on A. If you have your whole zonepath on external disks like EMC, you only have to mount your disks on B and start your zone.
    harruh
