EIS Installation Checklist for Setting up Non-Global Zones (Containers) on Solaris 11 Servers

Customer:
Sales Order Number:
CASE Number:
Technician:
Version EIS-DVD:
Date:

• It is recommended that the EIS web pages are checked for the latest version of this checklist prior to commencing the installation.
• It is assumed that the installation is carried out with the help of the current EIS-DVD.
• This checklist describes a standardised procedure for zone installation on Solaris 11 for non-clustered systems.
• This document shows a step-by-step procedure for creating one local zone.
• The idea behind this checklist is to help the technician to install zones in a well-defined manner with "NO" system downtime.
• It is assumed that Solaris 11 has been installed on the system according to the EIS Methodology.
• This procedure requires advanced Solaris 11 system administration skills; this checklist is not intended as a replacement for appropriate training and experience!
• Other virtualization concepts (like LDOMs, Xen etc.) might also use the term "containers". In addition, non-global zones can be installed as "branded zones" to host other operating systems (like Linux or Solaris 10).
• It is intended that this checklist is used in conjunction with the appropriate EIS Installation checklist for the server class (available on EIS-web).
• It is not intended that this checklist be handed over to the customer.
• Solaris Containers = Non-Global Zone = Local Zone = Zone
• For further information about the deployment of services within non-global zones (including possible restrictions) see the Zone FAQ.

PREPARATION

Ensure that the Release Notes for the Solaris version used have been read and understood. The Oracle Solaris 11 documentation is available online.

Ensure that zone configuration details are available.
Oracle Internal and Approved Partners Only. Vn 1.1, Created: 7 Feb 2013

VERIFYING THAT THE GLOBAL ZONE IS UP-TO-DATE

If the server has been freshly installed according to the EIS Methodology (including patching), then proceed to the next section, "Saving the Configuration". Examine the file /var/sun/EIS-CD.log to confirm the version of EIS-DVD used and whether patching took place. If in doubt, schedule downtime for patch updating (follow the next steps).

Insert the EIS-DVD and run the following; this ensures that the Explorer package and other EIS items are current:
    cd .../sun/install
    sh setup-standard.sh

Update the OS from the SRU. Refer to the EIS Installation Checklist for Solaris 11 for details on how to update a Solaris 11 OS from the SRU.

Reboot the server.

SAVING THE CONFIGURATION

Ensure that the customer creates a full (not incremental!) tape backup of all system and data volumes. Let the customer back up the global zone and verify this backup!

Run explorer on the server and store the explorer output on the system. Use the latest release of explorer (from the EIS-DVD; it will have been installed by setup-standard above):
    explorer -w default,secure,all

Check /var/adm/messages for error messages, warnings etc. and eliminate all hardware-related issues found there.

GLOBAL ZONE CONFIGURATION

Become superuser or assume a role with zone creation and management privileges. To create and assign a role, refer to the RBAC administration section in the System Administration guide.

If the system has sufficient disks to mirror the root zpool and to provide a second, larger zpool for zone storage, it is recommended that zones are placed on the larger zpool.
To create a zpool called zones which will be mounted at /zones:
    # zpool create zones mirror c4t0d0 c5t0d0 mirror c4t1d0 c5t1d0

It is then suggested that each zone's zonepath is set to /zones/<zonename>.

If zones are expected to be migrated between systems on a regular basis, it is best to store the zones on shared storage that may be accessed by the multiple systems. If all the zones will be migrated together, they may all exist in one zpool and the example above is relevant. If they are expected to migrate independently, each should be created on its own zpool. To create the zpool for a zone named z1:
    # zpool create -m /zones/z1 z1pool mirror c4t0d0 c5t0d0
    # chmod 700 /zones/z1

If zones will be installed into the root pool, no special configuration is required in this step.

It is also worth considering using quotas on each zonepath dataset (if there are multiple zones per pool) so that one zone can't harm other zones by consuming all the storage.

Dynamic Resource Pools: if using resource pools, create a resource pool using data from the worksheet above. You will be using this resource pool in the configuration steps (see next page). You can use the default pool named pool_default or create your own. Example (the pool must be created before it is associated with the processor set):
    # cat pool.host
    create system host
    create pset dev_pset (uint pset.min = 0; uint pset.max = 2)
    create pool dev_pool
    associate pool dev_pool (pset dev_pset)
    # poolcfg -f pool.host
    # pooladm -c

If using capped-memory, as in:
    add capped-memory
    capped-memory> set physical=500m
    capped-memory> set swap=1000m
    capped-memory> end
beware that swap equates to virtual memory, similar to vmstat swap, i.e. it is physical RAM and physical swap combined. If swap is set to less than physical, then the total VM that can be used will be less than the physical memory allocated; this will cause malloc etc. to fail once the swap total is reached.
The preferred way to use FSS is to set FSS to be the system default scheduling class with the dispadmin command. That way, all zones will benefit from getting a fair share of the system CPU resources. Refer to the relevant part of Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 11 Zones and Resource Management.

Based on the information collected in the worksheet above, you can configure zones using 2 methods:
1. Interactive mode using zonecfg
2. zonecfg command-file mode
If using configuration files, you can create one file and duplicate it for multiple zones.

NON-GLOBAL (LOCAL) ZONE CONFIGURATION / INSTALLATION

The following shows a simple configuration file to create a shared-IP zone named zone1. Example:
    # cat zone1.cfg
    create -t SYSdefault-shared-ip
    set zonepath=/export/zones/zone1
    set autoboot=false
    set pool=dev_pool
    add net
    set physical=net0
    set address="192.1.4.7/24"
    set defrouter="192.1.4.0"
    end
    verify
    commit
    exit

Multiple zones can share the resources of one pool. For more information on configuration files, please see the steps below and also refer to the system administration guide. The default zone IP type is exclusive. Using Resource Control pools is optional.

If zones are of type ip-shared and are on a different network than the global zone, and the defrouter property on the net resource is not set, they may not be able to communicate beyond the local subnet. It is recommended to set defrouter in ip-shared zones.

The following shows a simple configuration file to create an IP-Exclusive zone named zone2. Example:
    # cat zone2.cfg
    create
    set zonepath=/export/zones/zone2
    set autoboot=false
    select anet linkname=net0
    set lower-link=net3
    end
    verify
    commit
    exit

In this case you can use the create command without any args, as the default template is ip-exclusive. Here we just select the anet resource created by default and set which physical interface it should use by setting "lower-link" (in this example net3 is the vanity name for the 4th physical network device on the system; the command dladm show-phys can be used on the global zone to view the NIC mappings). This can be configured with an IP address post zoneinstall using ipadm.

It is also worth considering the use of allowed-address so that the zone admin can't configure arbitrary IP addresses. In most cases where the GZ admin and the NGZ admin are the same, this isn't a big benefit. In environments where zones are used for security containment (e.g. DMZs, hosting environments, etc.), it's pretty important.

The following example shows how to add filesystems to the zone using LOFS. The section below can be included in the zone configuration file; it specifies that /opt/local in the global zone will be mounted as /usr/local in the local zone:
    add fs
    set dir=/usr/local
    set special=/opt/local
    set type=lofs
    end

The following example shows how to add filesystems to the zone using ZFS. The section below can be included in the zone configuration file. Let's assume we have a ZFS dataset in the global zone called tank/z1 and we want to delegate it to the non-global zone as an rpool called tank:
    add dataset
    set name=tank/z1
    set alias=tank
    end

Note that if one has an entry like:
    add fs
    set type=zfs
    set special=tank/zone/shared
    set dir=/opt/shared
    end
then the dataset cannot be managed from within the zone: it cannot be snapshotted, have properties set, or have any descendant datasets created. The best way is to use add dataset, as in the example, where tank/z1 appears as an rpool called tank in the non-global zone and can be administered by the non-global zone admin, i.e. properties set, datasets created etc.

Also note that if add fs is used to add a ZFS dataset and it has set dir=/export/shared, it will cause svc:/system/filesystem/local to go into maintenance: when it tries to mount rpool/export it will find /export/shared already mounted and fail, because zfs mount -a fails.

The following example shows how to add filesystems to the zone using UFS. The section below can be included in the zone configuration file:
    add fs
    set dir=/export/home
    set special=/dev/dsk/c1t1d0s0
    set raw=/dev/rdsk/c1t1d0s0
    set type=ufs
    end

The following example shows how to add "devices" to the zone. The section below can be included in the zone configuration file:
    add device
    set match=/dev/sound/*
    end

To add a CD-ROM (adding a CD-ROM has not been tested by EIS):
    add fs
    set dir=/cdrom
    set special=/cdrom
    set type=lofs
    set options=[nodevices]
    end

Ensure that the IPS Publisher is configured correctly.
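The caveats scattered through the configuration steps above (defrouter on the net resource of a shared-IP zone, allowed-address for exclusive-IP zones, swap set below physical in capped-memory, and a ZFS dataset added with add fs under /export) are easy to miss in a hand-written command file. The following Python script is an added example, not part of the EIS checklist and not an Oracle tool: it parses the zonecfg command-file syntax used above (create / set / add or select ... end) and reports which of those caveats a file trips, so it can be run before the file is passed to zonecfg -f. The two sample files are constructed for the example: RISKY_SHARED mirrors zone1.cfg with deliberate defects, RISKY_EXCLUSIVE mirrors zone2.cfg without allowed-address. The mapping of a plain create to ip-type exclusive follows the checklist's statement that the default template is exclusive.

```python
import re

# Suffix multipliers for capped-memory sizes such as 500m or 2g.
_UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30, "t": 1 << 40}


def parse_size(value):
    """Turn '500m', '1000M' or '2g' into a byte count."""
    m = re.fullmatch(r"(\d+)([kmgtKMGT]?)", value.strip())
    if not m:
        raise ValueError("bad size: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def parse_zonecfg(text):
    """Parse a zonecfg command file into (global_props, resources).

    global_props holds top-level `set` pairs plus the ip-type implied by the
    `create` line (plain `create` = exclusive, `-t SYSdefault-shared-ip` = shared).
    resources is a list of (type, props) for each `add`/`select ... end` block.
    """
    props, resources, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(" ")
        if word == "create":
            props["ip-type"] = "shared" if "shared-ip" in rest else "exclusive"
        elif word in ("add", "select"):
            parts = rest.split()
            current = (parts[0], {})
            for kv in parts[1:]:                 # selector, e.g. linkname=net0
                k, _, v = kv.partition("=")
                current[1][k] = v
        elif word == "set":
            k, _, v = rest.partition("=")
            target = current[1] if current is not None else props
            target[k.strip()] = v.strip().strip('"')
        elif word == "end":
            resources.append(current)
            current = None
        # verify / commit / exit carry no configuration
    return props, resources


def lint_zonecfg(text):
    """Return the checklist caveats a command file trips (empty list = clean)."""
    props, resources = parse_zonecfg(text)
    shared = props.get("ip-type") == "shared"
    findings = []
    for rtype, r in resources:
        if rtype == "net" and shared and "defrouter" not in r:
            findings.append("net %s: shared-IP zone without defrouter, may not "
                            "reach beyond the local subnet" % r.get("address", "?"))
        if rtype in ("net", "anet") and not shared and "allowed-address" not in r:
            link = r.get("linkname") or r.get("physical", "?")
            findings.append("%s %s: no allowed-address, zone admin can configure "
                            "arbitrary IP addresses" % (rtype, link))
        if rtype == "fs" and r.get("type") == "zfs" and r.get("dir", "").startswith("/export"):
            findings.append("fs %s: ZFS dataset via add fs under /export collides with "
                            "rpool/export; svc:/system/filesystem/local will go into "
                            "maintenance (use add dataset)" % r["dir"])
        if rtype == "capped-memory" and "physical" in r and "swap" in r:
            if parse_size(r["swap"]) < parse_size(r["physical"]):
                findings.append("capped-memory: swap=%s is below physical=%s, usable "
                                "virtual memory is less than the physical cap"
                                % (r["swap"], r["physical"]))
    return findings


# Constructed samples: a shared-IP zone tripping three caveats, and an
# exclusive-IP zone (zone2 style) whose anet lacks allowed-address.
RISKY_SHARED = """\
create -t SYSdefault-shared-ip
set zonepath=/export/zones/zone1
add net
set physical=net0
set address="192.1.4.7/24"
end
add capped-memory
set physical=500m
set swap=400m
end
add fs
set type=zfs
set special=tank/zone/shared
set dir=/export/shared
end
commit
"""

RISKY_EXCLUSIVE = """\
create
set zonepath=/export/zones/zone2
select anet linkname=net0
set lower-link=net3
end
commit
"""

if __name__ == "__main__":
    for name, cfg in (("zone1", RISKY_SHARED), ("zone2", RISKY_EXCLUSIVE)):
        for f in lint_zonecfg(cfg) or ["clean"]:
            print("%s: %s" % (name, f))
```

The script needs no Solaris commands, so it can be run on the global zone or on the technician's workstation before the configuration is applied. An empty result means only that none of the listed caveats applies; the verify step inside the command file is still what checks the configuration against zonecfg's own rules.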
If using an http_proxy to contact the IPS repository, then ensure that config/http_proxy in svc:/application/pkg/system-repository:default is set, as in:
    svccfg -s svc:/application/pkg/system-repository:default setprop config/http_proxy=astring: "<proxy URL>"
    svcadm refresh svc:/application/pkg/system-repository:default
If the IPS repository is using https then config/https will need to be set as appropriate.

Create a zone configuration:
    zonecfg -z <zonename> -f <zone config file>
Example:
    # zonecfg -z zone1 -f zone1.cfg

Install the zone:
    zoneadm -z <zonename> install -m <manifest.xml> -c <sc-profile>

The default manifest file is available on Solaris 11 systems here: /usr/share/auto_install/manifest/zone_default.xml. The default manifest specifies to the auto installer that solaris-small-server is used to provision the zone and also the set of locales that are installed by default. The -m argument is optional unless one wants to change these defaults. See man solaris(5) for options to zoneadm install for solaris branded zones.

The -c argument is also optional. Sample system configuration profiles are available here: /usr/share/auto_install/sc_profiles. If non-interactive configuration is desired then either the -c arg is needed, or the sysconfig manifest(s) need to be copied to /etc/svc/profile/site/ within the zone before first boot. See man sysconfig(5). All manifests must be valid XML; use xmllint to verify. The -c argument can also be a directory containing more than one XML file. sysconfig create-profile can be used to create a sample profile. Example:
    # zoneadm -z zone1 install -c /tmp/sc_manifest.xml

Boot the new zone:
    zoneadm -z <zonename> boot
Example:
    # zoneadm -z zone1 boot
Booting the zone takes about 5-10 seconds.
Login to the zone console using:
    zlogin -C <zonename>
Example:
    # zlogin -C zone1

Input the system identification information:
• Hostname
• Security Policy
• Name Services
• Superuser password
If you used the -c <sc-profile.xml> flag above, this step is unnecessary; otherwise this information should be available in the worksheet (above).

Check the configuration of your zone:
    zonecfg -z <zonename> info
Example:
    # zonecfg -z zone1 info

IP-Exclusive Zones Only: an anet resource is automatically created for an IP-Exclusive zone. This will be a VNIC on top of a dedicated physical NIC. It defaults to net0, but can be specified via the lower-link setting during zone configuration with zonecfg. After the zone is installed, you can verify that the VNIC is available and configure it with ipadm as follows:
    root@<zonename>:~# dladm show-vnic
    LINK  OVER  SPEED  MACADDRESS      MACADDRTYPE  VID
    net0  ?     1000   2:8:20:1:75:15  random       0
    root@<zonename>:~# ipadm create-ip net0
    root@<zonename>:~# ipadm create-addr -T static -a 192.1.4.7/24 net0/v4static0
    root@<zonename>:~# ipadm show-addr
    ADDROBJ         TYPE    STATE  ADDR
    lo0/v4          static  ok     127.0.0.1/8
    net0/v4static0  static  ok     192.1.4.7/24
    lo0/v6          static  ok     ::1/128

To display the vanity name to physical device mappings on the global zone, use dladm show-phys:
    root@<globalzone># dladm show-phys
    LINK  MEDIA     STATE    SPEED  DUPLEX   DEVICE
    net1  Ethernet  unknown  0      unknown  e1000g1
    net0  Ethernet  up       1000   full     e1000g0

Finally... Once a non-global zone has been set up, the Solaris-specific configuration needs to be applied. Hence the above steps are just the starting point and you will need to continue through the server-specific and Solaris 11 checklists.

EXPLORER & VERIFICATION

Since Oracle Explorer Data Collector can only be installed in the global zone, it cannot be run on the newly-installed local zones. There is no specific ORAS/CLI report for the local zones.

Run explorer in the global zone:
    explorer

Run ORAS/CLI (from the EIS-DVD) locally to analyse the explorer output files:
    cd /cdrom/...sun/tools/ORAS
    sh run-oras.sh

Examine the results. If necessary, repair and repeat the Explorer/ORAS sequence. Examine the resulting report:
    cd /var/tmp/ORAS
    more *EIS.Report.txt

Upload the Explorer file via supportfiles:
1. Connect to the supportfiles site.
2. Select the Explorer file to be uploaded.
3. In the Destination pull-down select one of the following as appropriate:
   AMER: explorer-amer
   APAC: explorer-apac
   EMEA: explorer-emea
4. Upload the file.
The explorer output file is normally in directory /opt/SUNWexplo/output with filename explorer.<hostid>.<hostname>-<date>.tar.gz. If the above is not possible from the customer site, please transport the file to your office and upload it from there.

Copies of the checklists are available on the EIS web pages or on the EIS-DVD. We recommend that you always check the web pages for the latest version.

Comments & RFEs welcome. Oracle staff should mail to [email protected]. Partners should mail to [email protected].