Unclear on branded solaris 9 zones and ipfilter

Similar Messages

• Which release?? branded solaris 9 and solaris 8.

  Hi people:
  First question using solaris 10u10 and making branded zones;
  which releases of solaris 9 and solaris8 are reported. I mean the printout of cat /etc/release of that branded zones will be...
  Second one.. can I use P2V to put a solaris 10u6 box into a Solaris 10u10 or solaris 11 on a T3-1B box.. I ask because the lowest solaris 10 supported is u9 on the T3-1B.
  Third one.. If question 2 isn't doable with Solaris10u10 could be done with Solaris11? Yes using P2V.
  Thanks for any comment!

  Yes, you'll need the x86 version, not the SPARC version.
  I'd guess you probably need a fairly late version of Solaris 9 too in order to even boot the kernel on the AMD processors.

• LDOMs, Solaris zones and Live Migration

  Hi all,
  If you are planning to use Solaris zones inside a LDOM and using an external zpool as Solaris zone disk, wouldn't this break one of the requirements for being able to do a Live Migration ? If so, do you have any ideas on how to use Solaris zones inside an LDOM and at the same time be able to do a Live Migration or is it impossible ? I know this may sound as a bad idea but I would very much like to know if it is doable.

  Thanks,
  By external pool I am thinking of the way you probably are doing it, separate LUNs mirrored in a zpool for the zones coming from two separate IO/Service domains. So even if this zpool exist inside the LDOM as zone storage this will not prevent LM ? That's good news. The requirement "no zpool if Live Migration" must then only be valid for the LDOM storage itself and not for storage attached to the running LDOM. I am also worried about a possible performance penalty introducing an extra layer of virtualisation. Have you done any tests regarding this ?

• Solaris Zones and NFS mounts

  Hi all,
  Got a customer who wants to seperate his web environments on the same node. The release of apache, Java and PHP are different so kind of makes sense. Seems a perfect opportunity to implement zoning. It seems quite straight forward to setup (I'm sure I'll find out its not). The only concern I have is that all Zones will need access to a single NFS mount from a NAS storage array that we have. Is this going to be a problem to configure and how would I get them to mount automatically on boot.
  Cheers

  Not necessarily, you can create (from Global zone) a /zone/zonename/etc/dfs/dfstab (NOT a /zone/[i[zonename[/i]/root/etc/dfs/dfstab notice you don't use the root dir) and from global do a shareall and the zone will start serving. Check your multi-level ports and make sure they are correct. You will run into some problems if you are running Trusted Extensions or the NFS share is ZFS but they can be overcome rather easily.
  EDIT: I believe you have to be running TX for this to work. I'll double check.
  Message was edited by:
  AdamRichards

• Solaris zone and IBM DB2

  We have a container in T3-1 in which IBM DB2 running it. Recently we migrated the container to T4-1 server. The container is up and running but unable to start DB2. The container configuration is similar as in T3-1. Did anyone faced similar issue while running DB2 on T4-1 server ?

  You can refer
  App Server 9.0 developer guide
  http://docs.sun.com/app/docs/doc/819-3659
  making driver .jar files accessible :
  http://docs.sun.com/app/docs/doc/819-3659/6n5s6m5bk?a=view#beamn
  IBM DB2 8.2 datasource configuration
  http://docs.sun.com/app/docs/doc/819-3658/6n5s5nklk?a=view#beanc
  If you are still not able to setup:
  can you post
  1) con pool configuration from domain.xml
  2) the error message that you get in domains/<domainname>logs/server.log
  Thanks,
  -Jagadish

• Recommendations for Solaris Zones for NW2004S?

  I'm new to Solaris zones and would appreciate any recommendations from you regarding the setup of zones to run NW2004S. I did a scan of SapNet and SDN, but found nothing.
  So, for example, would you insist on running a Prod instance in the global zone?  For an SAP that runs in a zone, which file-systems would you share from the global zone?
  Another tips/traps you have would be greatly appreciated.

  We consolidated already 7 systems:
  root@consbig / >zoneadm list -vi
    ID NAME             STATUS         PATH                         
     0 global           running        /                            
    22 srmtest          running        /zone/srmtest                
    23 nwdi_ext_1       running        /zone/nwdi_ext_1             
    32 bbbcpy           running        /zone/bbbcpy                 
    35 icht             running        /zone/icht                   
    40 osiris           running        /zone/osiris                 
    42 bi_oracle_test   running        /zone/biorat                 
    43 hpvm             running        /zone/hpvm      
  This is a HP DL585 with 4 CPUs and 48 GB RAM (Opteron, not SPARC).

• Solaris 10 Zones and networking..

  My machine has only one NIC card (rtls0) and also only one public ipv4 IP. I am at the moment unable to get more than one public IP. I've also created a few zones on the machine which I have assigned an internal IP. Now, I can connect (say SSH for example) internally to these zones just fine using their internal IP from the global zone. However, obviously the outside world would not be able to do so. So I decided to simply use the built in firewall/nat tech in Solaris in order to port forward certain ports to internal zones. (Like say set up port 2223 on the global level to forward ssh to one of my created zones' ssh) I looked up and down everywhere with the ipf and ipv4 port forwarding down to enabling it via routeadm and also setting the value of /dev/tcp ip_forwarding to 1. Then when I add the following rule to ipnat:
  rdr rtls0 PUBLIC_IP/32 port 2223 -> 192.168.1.2 port 22 tcp
  It still has zero effect on the forwarding. It fails to forward, and nothing I've done works. I'm on my last leg here with this issue. Am I doing something wrong with ipfilter or is there a better way to go about doing this with Solaris Zones? (I mean surely there must be an easier way to create self contained zones with applications that still run services without having to resort to assigning it its own IP, no?) Any help is appreciated, thanks.

  First thing to check is if your zone can access the global zone (try pinging). If this isn't the case you probably need to setup a routing entry allowing the non-global zone some access.
  For example, say the global is 10.0.0.1 and the non-global 192.168.0.1 on eri0 you'd use something like:
  route add 10.0.0.1 192.168.0.1 -iface
  This tells your non-global zone that it can reach the global zone through the eri0 interface. Ofcourse you can also expand this to networks and such.
  Another very important factor to keep in mind when dealing with internet is trying to access it from the non-global zone (as a test). Your ipnat.conf entry should be enough, my guess for to the reason for not routing the data is a non-static arp entry of your internet gateway. Now, this is a mere guess but if you have a default route in your routing table setup for Internet access (netstat -rn) make sure that the host to which the default route is pointing also has a static arp entry (man arp). If this is indeed the case you may also need to setup a routing entry as mentioned above to allow your zone access to this remote gateway.
  After that things should work as usual. Hope this helps.

• Dedicating physical CPUs to a zone and migrating a Solaris 8 box to a zone?

  If I have a machine with a large number of cores (say 24), and dedicate 4 of the CPUs to the zone, psrinfo shows the number of CPU's dedicated to that zone as 4, however, the global zone still shows 24.
  Does this mean that if there's enough stuff running in global that it can preempt the stuff running inside the zone? The concern here is that the stuff we want to run in the zone is a bit more critical than in global, so we wouldn't want global to eat up CPU resources of the zone. (I suppose we could repurpose the stuff running inside global and the zone, but then we'd get the reverse isolation issue at some other point.)
  The other questions is that there's an old E450 running Solaris 8 and it's got a bunch of stuff installed on it. Would it be possible to somehow convert all the software and data of that E450 into a container or zone and run that on a more modern machine - say a T5420 which runs Solaris 10 (without upgrading the stuff running under the E450 to Solaris 10?)

  you can create a flar archive of the entire system and then import it as a solaris 8 zone. if you are doing this on a cool threads system, beware of the processor. it does well with threads. if what you run on the 450 is mostly single threaded or needs a decent cpu, the coolthreads servers are not a good fit.

• Global swap is not reflected in branded solaris 8 zone

  I have 32 GB in my global zone
  root@Z21-AP-02 # swap -s
  total: 5753912k bytes allocated + 511136k reserved = 6265048k used, 32257984k available
  when I look in my branded solaris 8 zone I see a much smaller value
  root@txpwrsrv07-2:/ # swap -s
  total: 3202696k bytes allocated + 0k reserved = 3202696k used, 2040184k available
  Tried
  zonecfg -z txpwrsrv07-2
  select capped-memory
  set swap=32g
  end
  exit
  no difference.
  Any help would be appreciated.

  Thanks for the reply
  did the following
  prctl -n project.max-shm-memory $$
  project.max-shm-memory
  privileged 7.71GB - deny -
  system 16.0EB max deny
  prctl -n project.max-shm-memory -r -v 32G -i project 3
  prctl -n project.max-shm-memory $$
  project.max-shm-memory
  privileged 7.71GB - deny -
  system 16.0EB max deny
  no change. Is there something else restricting this?

• EM 12c and Solaris Zone Monitoring

  Hi all,
  I am using Oracle EM 12c to monitor Oracle database server which run on Solaris zone, which is capped to run using only 4 cores.
  BUT the Host management home page is still showing "Total Cores" of 8 (I am using Sun T4-1).
  Is there some configuration which required to be done to reflect the number of capped CPU.
  Also is there a way to isolate the CPU, Memory, Filesystem and Network utilization to only look at the local zone?
  I suspect what I see now represent the resource utilization of the physical machine.
  Thank you.
  -Joel

  Loc,
  I've opened quite a few SRs, some handled well, some not. My biggest issue perhaps is that SRs are needed at all. We are a small shop that relied on OEM 10.2 for a long time, skipped over 11G and went right to 12R2. It was a culture shock, and I'm not sure if skipping the version added to our woes.
  There are 3 DBAs here, with Oracle experience between 13 and 18 years, we are not newbies. I took the em12c class from Oracle.
  But still, acceptance of its use has not been high, mostly because it's no longer the quick, targeted place we 'go to'. It's a huge product now, with much built-in. We are finding we need a mind adjustment to use it and the transition period related to how much time we can spend on that. Our intent, though, was to make things easier, not harder.
  Case in point is our implementation of DataGuard. This project was new to us and I made EM12C upgrade as a predecessor project because I needed its help. I ultimately abandoned it, we hired a consultant, we learned manual steps, and that's what we use today. Everything is homegrown.
  I feel as through the purpose for EM moved from a DBA monitoring tool. Remember OEM 10.2 and its initial summary page that showed the overall health of everything on one shot? I can't do that in em12c, or at least haven't found that.
  Here are some SRs:
  SR 3-6392247151
  Sr 3-7159111371
  SR 3-6645421051
  * SR 3-6608820051
  SR 3-6667182071
  * Covers "invalid objects" missing, something we previously relied on.
  Back to the original question of this post - I understand now that if we use EM to switch our databases, the role reversal will show. We would have loved to rely on EM for everything. Now that we must do everything manually, I have to then manually drop the target being monitored and re-add it. Again, something that should make our jobs easier is now harder.
  Thanks for listening. Am I really the only DBA that says EM12C is harder to use for basic functionality?
  Sherrie

• SAP Java and Solaris Zones SolMan 4.0

  May require Solaris Zones experience to continue.
  I have three SAP database instances/central instances running in three sparse Solaris zones with no problem.
  I have created a new sparse zone for a new SAP installation (Solution Manager 4.0) and started the installation. SAP requires a 1.4.2 SDK even though Java 1.5 comes with Solaris 10. The 1.4.2 SDK is in /usr/j2se. The installation in the sparse zone errors out because it can't get "write" rights to /usr/j2se/jre/lib/security/local_policy.jar as it is trying to install some security encryption JCE component.
  I have thought about creating a /usr/j2se_zonename file system, copying the contents of /usr/j2se into it and then mounting /usr/j2se_zonename in the zone as a lofs with the name /usr/j2se. However when I do the copy of /usr/j2se I get some recursion errors.
  Any thoughts about how to add a writable /usr/j2se into the sparse zone with the least amount of effort ? Otherwise plan B would be to create a "large" zone with a writable /usr directory.
  Received a great answer, that while it may not be architecturally "pure" it may get the job done.
  You might just download the relevant JDK tarball and unpack that
  somewhere in your zone (anywhere you like), and point SAP at it...
  http://java.sun.com/j2se/1.4.2/download.html
  Get the one called "self extracting file"-- you can unpack that anywhere
  you want.
  Message was edited by: Atis Purins

  Hi Russ,
  no you only have to generate two RFCs to your R/3 and assign them in SMSY to for system monitoring
  Then you need a Solution, assign your R/3 to the Solution, setup the system monitoring.
  Regards,
  uDo

• Resource Management and Solaris Zones Developer Guide

  Solaris Information Products ("Pubs") is creating a
  developer guide for resource management and Solaris Zones.
  The department is seeking input on content from application
  developers and ISVs.
  We plan to discuss the different categories of applications
  that can take advantage of Solaris resource management
  features, and provide implementation examples that discuss
  the particular RM features that can be used.
  Although running in a zone poses no differences to most
  applications, we will describe any possible limitations and
  offer appropriate workarounds. We will also provide
  information needed by the ISV, such as determining
  the appropriate system calls to use in a non-global zone.
  We plan to use case studies to document the zones material.
  We would like to know the sorts of topics that you would
  like to see covered. We want to be sure that we address
  your specific development concerns with regard to these
  features.
  Thank you for your comments and suggestions.

  Hi there, i'm using solaris resource management in a
  server with more thant 2thousand acounts.
  Created profiles for users, defaul, staff, root and
  services.Seeing the contents of your /etc/project file could be helpful.
  But while using rctladm to enable syslog'ing, I set up
  global flags of "deny" and "no-local-action" in almos
  everything.The flags on the right hand side of the rctladm(1M) output are read-only:
  they are telling you the characteristics of the resource control in question (what
  operations the system will allow the resource control to take).
  Now, many aplications don't work because they are
  denied enough process.max-stack-size and
  process.max-file-descriptor for them to work.
  Applications such has prstat.If prstat(1) is failing due to the process.max-file-descriptor control value, that's
  probably a bug. prstat(1) is more likely bumping into the limit to assess how many file
  descriptors are available, and then carrying on--you're just seeing a log message since
  prstat(1) tested the file descriptor limit, and you've enabled syslog for that control. Please
  post the prstat(1) output, and we'll figure out if something's breaking.
  I don't find a way to disable the global flags. You can't. I would disable the syslog action on the process.max-stack-size control first;
  there is an outstanding bug on this control, in that it will report a false triggering event--
  no actual effect to the process. (If you send me some mail, I will add you as a call record
  on the bug.)
  Can anyone tell me:
  how to disable global flags?
  how to disable and enable solaris resource management
  all together?You could raise all of the control values, but the resource control facility (like the resource
  limit facility it superseded) is always active. Let's figure out if you're hitting the bug I mentioned,
  and then figure out how to proceed.
  - Stephen
  Stephen Hahn, PhD Solaris Kernel Development, Sun Microsystems
  [email protected]

• Solaris 11 - zones and repos

  Hi,
  We're customers with support and pointed our servers to access the SRU repo as per http://www.oracle.com/technetwork/articles/servers-storage-admin/o11-018-howto-update-s11-1572261.html
  Now we want to get started with zones for which Oracle recommends having a local IPS repo. All the docs seem to point to the public release repo as source for this local IPS repo.
  How does this work together then with the SRU? Syncing the SRU seems to result in HTTP 401 unauthorized errors.

  The way zones work with IPS is that they will communicate through the global zone. This means that whatever IPS publishers have been configured in the global zone, they get exposed within each of the non-global zones though what we call a 'system proxy'. You can compare this by typing 'pkg publisher' in both the global zone and any non-global zones.
  I'm not sure what problems you're experiencing, but if you have configured the support repository in the global zone, you should be able to provision (and install other software) within a non-global zone. Also, once one zone has been provisioned on the system, all the package data is cached in the global zone so that additional zone installs (rather than clones) are much faster.
  We use the release repository in many examples simply because it also allows administrators to evaluate the OS even if they don't have a current support contract through Oracle, but the same will work for those who do have a support contract and wish to the use the Oracle Solaris support repository.
  In terms of creating a local IPS repository, it depends on how your environment looks and how many systems you are needing to update. If this number is relatively low, you may consider just updating that system directly from the Oracle hosted repositories. However, if that number is large, you may be better off creating a local repository. This not only provides faster access for local clients, but also provides another level of change control - you can control how often you sync with the master Oracle repository. To synchronize the Oracle SRU repository, don't forget that you will need to use the key and cert options to pkgrecv to ensure that you have the appropriate credentials to access that repository.
  Good luck!

• OSB and Solaris Zones

  Hi,
  Does anybody have any experience of running OSB inside a Solaris zone?
  I'm experimenting with this at the moment and would like to share the OSB installation with the global zone, but keep the /usr/etc and /usr/tmp directories where the host-specific stuff is stored private.
  Thanks.

  I following Oracle® Secure Backup Installation and Configuration Guide
  Release 10.3 :
  - To Viewing SCSI Bus Name-Instance Parameter Values in Solaris :
  # cd /usr/local/oracle/backup/install
  # installdriver
  bash: installdriver: command not found
  # ./installdriver
  case: Too many arguments
  How could i can run the installdriver script for SCSI information
  Best Regards
  Ch

• Jumbo Frames within Solaris 10 zones and multiple interfaces...

  We have Jumbo Frames working in the Global Zone, and have the MaxFrameSize=3,3,3 etc...
  We also have our AGGR's built correctly and defined aggr1:1 and aggr1:2
  the problem is on boot-up, if all the name files (hostname.aggr1 and hostname.aggr1:1) are defined in the /etc directory, then you can't start the zones....?
  and if you place the files in the /export/zones/<machinename>/root/etc/ directory, than the interfaces do not start-up automatically..... ?
  So If I want all the interfaces in the global zone to be seen by the other zones, and for the interfaces to come live when the zones are booted.... where do the hostname.interface files live....???

  Darren:
  I understand where you're coming from from a technical perspective. But there is a way you could work around it.
  For argument's sake, zones a+b with e1000g0 - e1000g3
  From an implementation perspective, what's to stop you from:
  e1000g0 / e1000g1 shared between all
  e1000g2 plumbed at global, only assigned to zone a.
  e1000g3 plumbed at global, only assigned to zone b.
  You can certainly have an empty interface file (i.e. cp /dev/null /etc/hostname.e1000g2 ; cp /dev/null /etc/hostname.e1000g3). The interface will plumb but have no IP information configured.
  This doesn't give truly exclusive interfaces to either zone, but it operates effectively as though it were.
  Warning: I haven't actually tested this, but I see no reason that it wouldn't work.