
EIS Installation Checklist for Setting up Non-Global Zones (Containers) on Solaris 11 Servers
Customer:
Sales Order Number:
CASE Number:
Technician:
Version EIS-DVD:
Date:

• It is recommended that the EIS web pages are checked for the latest version of this checklist prior to commencing the installation.
• It is assumed that the installation is carried out with the help of the current EIS-DVD.
• This checklist describes a standardised procedure for zone installation on Solaris 11 for non-clustered systems.
• This document shows a step-by-step procedure for creating one local zone.
• The idea behind this checklist is to help the technician to install zones in a well-defined manner with “NO” system downtime.
• It is assumed that Solaris 11 has been installed on the system according to the EIS Methodology.
• This procedure requires advanced Solaris 11 system administration skills. This checklist is not intended as a replacement for appropriate training and experience!
• Other virtualization concepts (like LDOMs, Xen etc.) might also use the term "containers". In addition, non-global zones can be installed as "branded zones" to host other operating systems (like Linux or Solaris 10).
• It is intended that this checklist is used in conjunction with the appropriate EIS Installation checklist for the server class (available on EIS-web).
• It is not intended that this checklist be handed over to the customer.
• Solaris Containers = Non Global Zone = Local Zone = Zone
• For further information about the deployment of services within non-global zones (including possible restrictions) see the Zone FAQ at:
Task Comment Check

PREPARATION

Ensure that the Release Notes for the Solaris version used have been read and understood. The Oracle Solaris 11 documentation is available here:

Ensure that zone configuration details are available.

Oracle Internal and Approved Partners Only Page 1 of 9 Vn 1.1 Created: 7 Feb 2013

VERIFYING THAT GLOBAL ZONE IS UP-TO-DATE
If the server has been freshly installed according to the EIS Methodology (including patching) then proceed to the next section “Saving the Configuration”. Examine the file /var/sun/EIS-CD.log to confirm the version of EIS-DVD used and whether patching took place. If in doubt schedule downtime for patch updating (follow the next steps).

Insert EIS-DVD & run:
    cd .../sun/install
    sh setup-standard.sh
This ensures that the Explorer package and other EIS items are current.

Update the OS from the SRU:
Refer to the EIS Installation Checklist for Solaris 11 for details on how to update a Solaris 11 OS from the SRU.

Reboot the server.

SAVING THE CONFIGURATION
Ensure that the customer creates a full (not incremental!) tape backup of all system and data volumes. Let the customer back up the global zone and verify this backup!

Run explorer on the server and store explorer output on system. Use the latest release of explorer (from EIS-DVD; it will have been installed by setup-standard above).
    explorer -w default, secure, all

Check /var/adm/messages for error messages, warnings etc. and eliminate all hardware related issues found there.

GLOBAL ZONE CONFIGURATION
Become superuser or assume a role with zone creation and management privileges. To create and assign a role, refer to the RBAC administration section in the System Administration guide.

If the system has sufficient disks to mirror the root zpool and to provide a second larger zpool for zone storage, it is recommended that zones are placed on the larger zpool. To create a zpool called zones which will be mounted at /zones:
    # zpool create zones mirror c4t0d0 c5t0d0 mirror c4t1d0 c5t1d0
It is then suggested that each zone's zonepath is set to: /zones/<zonename>

If zones are expected to be migrated between systems on a regular basis, it is best to store the zones on shared storage that may be accessed by the multiple systems. If all the zones will be migrated together, they may all exist in one zpool and the example above is relevant. If they are expected to migrate independently, each should be created on its own zpool. To create the zpool for a zone named z1:
    # zpool create -m /zones/z1 z1pool mirror c4t0d0 c5t0d0
    # chmod 700 /zones/z1

If zones will be installed into the root pool, no special configuration is required in this step.

It is also worth considering using quotas on each zonepath dataset (if there are multiple zones per pool) so that one zone can't harm other zones by consuming all the storage.
Dynamic Resource Pools:
If using resource pools, create a resource pool using data from the worksheet above. You will be using this resource pool in configuration steps (see next page). You can use the default pool named pool_default or create your own.
Example:
    # cat pool.host
    create system host
    create pset dev_pset (uint pset.min = 0; uint pset.max = 2)
    create pool dev_pool
    associate pool dev_pool (pset dev_pset)
    # poolcfg -f pool.host
    # pooladm -c

If using capped-memory, as in:
    add capped-memory
    capped-memory> set physical=500m
    capped-memory> set swap=1000m
    capped-memory> end
beware that swap equates to virtual memory, similar to vmstat swap: it is both physical RAM and physical swap combined. If swap is set to less than physical then the total VM that can be used will be less than the physical memory allocated. This will cause malloc etc. to fail if the swap total is reached.

The preferred way to use FSS is to set FSS to be the system default scheduling class with the dispadmin command. That way, all zones will benefit from getting a fair share of the system CPU resources.
Refer to the relevant part of the Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 11 Zones and Resource Management:
Based on the information collected in the worksheet above, you can configure zones using 2 methods:
1. Interactive mode using zonecfg
2. zonecfg Command-File mode
If using configuration files, you can create one file and duplicate it for multiple zones.

Task Comment Zone 1 2

NON-GLOBAL (LOCAL) ZONE CONFIGURATION / INSTALLATION
The following shows a simple configuration file to create a shared-IP zone named zone1:
Example:
    # cat zone1.cfg
    create -t SYSdefault-shared-ip
    set zonepath=/export/zones/zone1
    set autoboot=false
    set pool=dev_pool
    add net
    set physical=net0
    set address="192.1.4.7/24"
    set defrouter="192.1.4.0"
    end
    verify
    commit
    exit
Multiple zones can share the resources of one pool. For more information on configuration files, please see the steps below and also refer to the system administration guide.
The default zone IP type is exclusive. Using Resource Control pools is optional.
If zones are of type ip-shared and are on a different network than the global zone and if the defrouter property on the net resource is not set, they may not be able to communicate beyond the local subnet. It is recommended to set defrouter in type ip-shared zones.

The following shows a simple configuration file to create an IP-Exclusive zone named zone2:
Example:
    # cat zone2.cfg
    create
    set zonepath=/export/zones/zone2
    set autoboot=false
    select anet linkname=net0
    set lower-link=net3
    end
    verify
    commit
    exit
In this case you can use the create command without any args as the default template is ip-exclusive. Here we just select the anet resource created by default and set which physical interface it should use by setting "lower-link" (see footnote 1). This can be configured with an IP address post zone install using ipadm.
Also it is worth considering use of allowed-address so that the zone admin can't configure arbitrary IP addresses. In most cases where the GZ admin and the NGZ admin are the same, this isn't a big benefit. In environments where zones are used for security containment (e.g. DMZs, hosting environments, etc.), it's pretty important.

Footnote 1: In this example net3 is the vanity name for the 4th physical network device on the system. The command dladm show-phys can be used on the global zone to view the NIC mappings.
The following example shows how to add filesystems to the zone using LOFS. This section can be included in the zone configuration file.
    add fs
    set dir=/usr/local
    set special=/opt/local
    set type=lofs
    end
The set special step specifies that /opt/local in the global zone will be mounted as /usr/local in the local zone.

The following example shows how to add filesystems to the zone using ZFS. This section can be included in the zone configuration file.
Let's assume we have a zfs dataset in the global zone called tank/z1 and we want to delegate it to the non-global zone as an rpool called tank:
    add dataset
    set name=tank/z1
    set alias=tank
    end
Note that if one has an entry like
    add fs
    set type=zfs
    set special=tank/zone/shared
    set dir=/opt/shared
    end
then this means that the dataset cannot be managed: it cannot be snapshotted, have properties set, or have descendant datasets created. The best way is to use add dataset, as in the example, where tank/z1 appears as an rpool called tank in the non-global zone and can be administered by the non-global zone admin, i.e. set properties, create datasets etc.
Also note that if add fs is used to add a ZFS dataset and it has
    set dir=/export/shared
it will cause svc:/system/filesystem/local to go into maintenance: when it tries to mount rpool/export it will find /export/shared already mounted, and zfs mount -a will fail.

The following example shows how to add filesystems to the zone using UFS. This section can be included in the zone configuration file.
    add fs
    set dir=/export/home
    set special=/dev/dsk/c1t1d0s0
    set raw=/dev/rdsk/c1t1d0s0
    set type=ufs
    end
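The caveats raised above for zone configuration files (swap set below physical in capped-memory, a shared-IP net without defrouter, an anet without allowed-address, and a ZFS dataset added with add fs) can be checked before the file is passed to zonecfg -f. The following Python sketch is an added example, not part of the EIS checklist; the function names and the sample file are hypothetical, and it only inspects explicit add/select blocks.

```python
import re

UNITS = {"": 1, "k": 2**10, "m": 2**20, "g": 2**30, "t": 2**40}

def parse_size(value):
    """Convert a zonecfg size such as 500m or 2g to bytes."""
    m = re.fullmatch(r"(\d+)([kmgt]?)", value.lower())
    if not m:
        raise ValueError("unrecognised size: " + value)
    return int(m.group(1)) * UNITS[m.group(2)]

def check(kind, p):
    """Apply the checklist's caveats to one resource block."""
    out = []
    if kind == "capped-memory" and "physical" in p and "swap" in p:
        if parse_size(p["swap"]) < parse_size(p["physical"]):
            out.append("swap cap below physical cap, allocations will fail")
    if kind == "net" and "defrouter" not in p:
        out.append("shared-IP net has no defrouter")
    if kind == "anet" and "allowed-address" not in p:
        out.append("anet has no allowed-address")
    if kind == "fs" and p.get("type") == "zfs":
        out.append("ZFS added with 'add fs', prefer 'add dataset'")
        if (p.get("dir", "") + "/").startswith("/export/"):
            out.append("dir under /export clashes with rpool/export mount")
    return [(kind, msg) for msg in out]

def lint(text):
    """Return (resource, message) findings for a zonecfg command file."""
    findings, kind, props = [], None, {}
    for line in (l.strip() for l in text.splitlines()):
        verb, _, rest = line.partition(" ")
        if verb in ("add", "select") and kind is None and rest:
            kind, props = rest.split()[0], {}   # open a resource scope
        elif verb == "set" and kind and "=" in rest:
            key, _, val = rest.partition("=")
            props[key.strip()] = val.strip().strip('"')
        elif verb == "end" and kind:
            findings += check(kind, props)
            kind = None
    return findings

# Constructed sample command file, not taken from the checklist.
SAMPLE = ("create -t SYSdefault-shared-ip\nadd net\nset physical=net0\nend\n"
          "add capped-memory\nset physical=500m\nset swap=250m\nend\n"
          "add fs\nset type=zfs\nset dir=/export/shared\nend\n")

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```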
The following example shows how to add “devices” to the zone. This section can be included in the zone configuration file.
    add device
    set match=/dev/sound/*
    end

To add a CD-ROM:
    add fs
    set dir=/cdrom
    set special=/cdrom
    set type=lofs
    set options=[nodevices]
    end
Adding a CD-ROM has not been tested by EIS.

Ensure that the IPS Publisher is configured correctly.
If using a http_proxy to contact the IPS repository then ensure that config/http_proxy in svc:/application/pkg/system-repository:default is set as in:
    svccfg -s svc:/application/pkg/system-repository:default setprop config/http_proxy=astring: "<proxy URL>"
    svcadm refresh svc:/application/pkg/system-repository:default
If the IPS repository is using https then config/https will need to be set as appropriate.
Create a zone configuration:
    zonecfg -z <zonename> -f <zone config file>
Example:
    # zonecfg -z zone1 -f zone1.cfg

Install the zone:
    zoneadm -z <zonename> install -m <manifest.xml> -c <sc-profile>

The default manifest file is available on Solaris 11 systems here:
    /usr/share/auto_install/manifest/zone_default.xml
The default manifest specifies to the auto installer that solaris-small-server is used to provision the zone and also the set of locales that are installed by default. The -m argument is optional unless one wants to change these defaults. See man solaris(5) for options to zoneadm install for solaris branded zones.

The -c argument is also optional. Sample system configuration profiles are available here: /usr/share/auto_install/sc_profiles. If non-interactive configuration is desired then either the -c argument is needed, or the sysconfig manifest(s) need to be copied to /etc/svc/profile/site/ within the zone before first boot. See man sysconfig(5). All manifests must be valid XML; use xmllint to verify. The -c argument can also be a directory containing more than one XML file. sysconfig create-profile can be used to create a sample profile.

Example:
    # zoneadm -z zone1 install -c /tmp/sc_manifest.xml
Boot the new zone:
    # zoneadm -z <zonename> boot
Example:
    # zoneadm -z zone1 boot
Booting the zone takes about 5-10 seconds.

Login to the zone console using:
    # zlogin -C <zonename>
Example:
    # zlogin -C zone1

Input system identification information:
• Hostname
• Security Policy
• Name Services
• Superuser password
If you used the -c <sc-profile.xml> flag above this step is unnecessary, otherwise this information should be available in the worksheet (above).

Check the configuration of your zone:
    # zonecfg -z <zonename> info
Example:
    # zonecfg -z zone1 info

IP-Exclusive Zones Only:
An anet resource is automatically created for an IP-Exclusive zone. This will be a VNIC on top of a dedicated physical NIC. It defaults to net0, but can be specified via the lower-link setting during zone configuration with zonecfg.
After the zone is installed, you can verify that the VNIC is available with ipadm as follows:
    # dladm show-vnic
    LINK   OVER   SPEED   MACADDRESS       MACADDRTYPE   VID
    net0   ?      1000    2:8:20:1:75:15   random        0
    # ipadm create-ip net0
    # ipadm create-addr -T static -a 192.1.4.7/24 net0/v4static0
    # ipadm show-addr
    ADDROBJ          TYPE     STATE   ADDR
    lo0/v4           static   ok      127.0.0.1/8
    net0/v4static0   static   ok      192.1.4.7/24
    lo0/v6           static   ok      ::1/12

To display the vanity name to physical device mappings on the global zone, use dladm show-phys:
    # dladm show-phys
    LINK   MEDIA      STATE     SPEED   DUPLEX    DEVICE
    net1   Ethernet   unknown   0       unknown   e1000g1
    net0   Ethernet   up        1000    full      e1000g0

Finally...
Once a non-global zone has been set up the Solaris specific configuration needs to be applied. Hence the above steps are just the starting point and you will need to continue through the server-specific and Solaris 11 checklists.

EXPLORER & VERIFICATION
Since Oracle Explorer Data Collector can only be installed in the global zone, it cannot be run on the newly-installed local zones. There is no specific ORAS/CLI report for the local zones.

Run explorer in the global zone:
    explorer

Run ORAS/CLI (from EIS-DVD) locally to analyse the explorer output files:
    cd /cdrom/...sun/tools/ORAS
    sh run-oras.sh

Examine the results. Examine the resulting report:
    cd /var/tmp/ORAS
    more *EIS.Report.txt
If necessary repair & repeat the Explorer/ORAS sequence.

Upload the Explorer file via supportfiles:
1. Connect to
2. Select the Explorer file to be uploaded.
3. In the Destination pull-down select one of the following as appropriate:
   AMER: explorer-amer
   APAC: explorer-apac
   EMEA: explorer-emea
4. Upload the file.
The explorer output file is normally in directory /opt/SUNWexplo/output with filename explorer.<hostid>.<hostname>-<date>.tar.gz
If the above is not possible from the customer site please transport the file to your office & upload from there.

Copies of the checklists are available on the EIS web pages or on the EIS-DVD. We recommend that you always check the web pages for the latest version.
Comments & RFEs welcome. Oracle staff should mail to [email protected] .
Partners should mail to: [email protected] .