Thursday Mar 21, 2013

How to Protect Your Oracle Solaris Zone Cluster


We just published an article by Subarna Ganguly that describes how to build a secure zone cluster. In other words, a zone cluster with trusted extensions. If you want to go straight to the article, scroll down to the bottom of this blog. If you're new to zones, clustering, or trusted extensions, I'll try to explain what's interesting about this article.

Vanilla Solaris

In the beginning there was root and user. Root could do anything anywhere; an ordinary user could do very little. Oracle Solaris improved on that with role-based access control (RBAC). Individual rights (authorizations and fine-grained process privileges) are bundled into rights profiles, rights profiles are assigned to roles rather than to users, and individual users are permitted to assume one or more roles. A role cannot log in directly; an authorized user logs in first and then assumes it, so every privileged action stays traceable to a person. Access control lists (ACLs) on files and directories refine discretionary access beyond the owner/group/other bits, but they are a separate mechanism from roles.

Oracle Solaris 11 ships with roughly 80 predefined rights profiles (Zone Management and Service Operator, for example); a freshly installed system has only the root role, and you create further roles as you need them. The profile definitions live in fragment files under /etc/security/prof_attr.d and /etc/security/exec_attr.d, while /etc/user_attr.d records which users may assume which roles and profiles. The profiles(1) command lists the profiles on the system and shows the authorizations, privileges and commands each one grants.

Trusted Extensions

Trusted Extensions adds mandatory access control (MAC) on top of RBAC, in the form of "sensitivity" labels. A label looks like a military classification (confidential, secret, top secret, and so on), optionally refined by compartments that split one classification into need-to-know groups. With Trusted Extensions you label data, processes, file systems, peripherals, network interfaces, and pretty much everything a user or process can access; each user is assigned a clearance and works in a session (a labeled zone) at a label that clearance dominates, so every process the user starts carries that label. The rule the kernel enforces is "read down, write equal": a process can read an object whose label its own label dominates (an equal or lower classification, and no compartment the process lacks), can write only to objects at exactly its own label, and never sees anything labeled above it. The owner of a file cannot override this with chmod or an ACL, which is what makes the control mandatory rather than discretionary.

"Trusted extensions ... is not something that can be just 'turned on' like a firewall. Trusted extensions fits into a framework where there's a formal security policy, possibly an LDAP server where users and their clearances are defined, as well as network access points that are labeled."
- Book: Oracle Solaris 11 System Administration, Chapter 18

Solaris Zones

Zones are virtual instances of the Solaris environment that are created, booted and controlled from the base OS instance, known as the global zone; the zones themselves are non-global zones, and a process inside one cannot see or affect processes, file systems or network configuration outside it.

"Oracle Solaris Zones let you isolate one application from others on the same OS, allowing users to log in and do what they want from inside one zone without affecting anything outside that zone. In addition, Oracle Solaris Zones are secure from external attacks and internal malicious programs. Each Oracle Solaris Zone contains a complete resource-controlled environment that allows you to allocate resources such as CPU, memory, networking, and storage."
- OTN Article: How to Get Started Creating Zones in Oracle Solaris 11

Solaris Cluster

Oracle Solaris Cluster lets you run an application across several servers as one highly available system. If the server in your Barbados data center gets washed away by a hurricane that hates you and dropped off in West Africa, the other servers pick up the load, and the application continues to operate without interruption.

"Oracle Solaris Cluster delivers the high availability and disaster recovery capabilities of Oracle Solaris 11 and extends, with version 4.1, its built-in support for the Oracle software and hardware stack, to protect business critical application deployments in virtualized and traditional environments."
- White Paper: Oracle Solaris and Oracle Solaris Cluster

Zone Clusters

A zone cluster is a cluster whose nodes are Solaris zones, each hosted on a different physical server. That's similar to a regular cluster, but the nodes are zones instead of entire OS instances, so several zone clusters can share one physical cluster while staying isolated from each other.

"Such large amounts of idle processing capacity present an almost irresistible opportunity for better system utilization. Organizations seek ways to reclaim this unused capacity, and thus are moving to host multiple applications on a single cluster. However, concerns about interactions between applications, especially in the areas of security and resource management, make people wary. Virtualization technologies address these security concerns and provide safe ways to host multiple applications in different clusters on a single hardware configuration."
- White Paper: How to Deploy Virtual Clusters and Why

Trusted Zone Clusters and Subarna's How-To Article

Oracle Solaris trusted zone clusters became available in Oracle Solaris Cluster 4.1. They are zone clusters whose nodes are labeled zones, so the mandatory access control (MAC) that Trusted Extensions provides applies to the whole cluster. The zones are labeled in the same way as any other object in a Trusted Extensions system, and the same dominance rule governs them: a process can read data held in a zone whose label its own label dominates (the same label or a lower one) and can write only at its own label, so applications in zone clusters at different labels are kept apart without any cooperation from the applications themselves. Subarna Ganguly walks you through the steps required to set one up:

OTN Article: How to Build a Trusted Zone Cluster with Oracle Solaris Cluster 4.1
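The "read down, write equal" rule explained under Trusted Extensions above, and applied to the labeled zones of a trusted zone cluster here, as an added illustration that is not code from the article or from Oracle. Everything in it is constructed: the classification ladder, the compartment names (HR, FIN) and the hypothetical zone names stand in for what a real site defines in its label_encodings file.

```python
"""Sensitivity-label dominance in the style of Oracle Solaris Trusted Extensions.

Added example, not code from the article or from Oracle.  The classification
ladder, compartment names and zone names are constructed for illustration;
a real site defines its own in label_encodings(4).
"""
from dataclasses import dataclass

# Constructed hierarchy; a higher index means more sensitive.
CLASSIFICATIONS = ("PUBLIC", "CONFIDENTIAL", "SECRET", "TOP SECRET")


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = frozenset()

    def __post_init__(self):
        if self.classification not in CLASSIFICATIONS:
            raise ValueError("unknown classification: %r" % self.classification)

    @property
    def level(self) -> int:
        return CLASSIFICATIONS.index(self.classification)

    def dominates(self, other: "Label") -> bool:
        # Dominance is a partial order: classification at least as high AND
        # every compartment of the other label present.  Two labels at the
        # same classification but with different compartments are incomparable.
        return self.level >= other.level and self.compartments >= other.compartments

    def __str__(self) -> str:
        return " ".join([self.classification, *sorted(self.compartments)])


def parse_label(text: str) -> Label:
    """Parse 'SECRET A B' into Label('SECRET', {'A', 'B'}).

    Classifications may contain a space ('TOP SECRET'), so match the longest
    classification name first and treat the remaining words as compartments.
    """
    upper = text.strip().upper()
    for cls in sorted(CLASSIFICATIONS, key=len, reverse=True):
        if upper == cls or upper.startswith(cls + " "):
            return Label(cls, frozenset(upper[len(cls):].split()))
    raise ValueError("no known classification in %r" % text)


def can_read(subject: Label, obj: Label) -> bool:
    """Read-down: a process may read an object it dominates, never one above it."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Write-equal: a process may modify only objects at exactly its own label.
    Writing down would leak data to a lower label; writing up would be a blind
    write the subject can never read back.  Trusted Extensions allows neither."""
    return subject == obj


def session_allowed(clearance: Label, session: Label) -> bool:
    """A user may work at a label only if the clearance assigned to the user
    (the per-user clearance the quoted book mentions) dominates that label."""
    return clearance.dominates(session)


def zones_readable_from(zone: str, zones: dict) -> list:
    """Names of labeled zones whose data a process running in `zone` could
    read, i.e. every zone at a label the process's own zone label dominates."""
    mine = zones[zone]
    return sorted(name for name, lbl in zones.items() if mine.dominates(lbl))


if __name__ == "__main__":
    # Constructed sample: four labeled zones that might be members of trusted
    # zone clusters on one physical cluster (hypothetical names).
    zones = {
        "public-zone": parse_label("PUBLIC"),
        "hr-zone": parse_label("SECRET HR"),
        "fin-zone": parse_label("SECRET FIN"),
        "audit-zone": parse_label("TOP SECRET HR FIN"),
    }
    for name in zones:
        readable = ", ".join(zones_readable_from(name, zones))
        print("%-12s %-20s can read: %s" % (name, zones[name], readable))
```

Run it and hr-zone can read only itself and public-zone: fin-zone sits at the same classification but in a different compartment, so the two labels are incomparable and neither dominates the other, which is exactly the property that keeps two zone clusters at the same classification apart. Note that can_write is stricter than "same or higher": allowing a higher-labeled process to write down would let it leak data into the lower zone.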

More Cluster Resources

Note: Get big discounts on Safari Books online by subscribing to the OTN Systems Community Newsletter

- Rick

Follow me on:
Blog | Facebook | Twitter | YouTube | The Great Peruvian Novel

Friday Jan 18, 2013

Once Upon a Time in the Kingdom of Serv

If you're the type of person who has no time to read fairy tales, scroll to the very bottom for a link to the article.

Once upon a time there was a very happy Kingdom called Serv. It was ruled by inventors called engineers. Most of the engineers were clever, kind, and handsome. They had beautiful wives who cooked them tasty and nutritious meals.

A few of the engineers, however, had wives with big, hairy, purple moles, who sat around all day watching reruns of Bridezilla while chomping loudly on pork rinds. They never served their engineer husbands any meals and instead, screamed at them to get them another bag of pork rinds. And they hated sysadmins.

Sysadmins were the workers of the Kingdom. They were very playful, and they had big strong hands. They spent their days tossing servers back and forth to each other, or playing hacky sack.

The Kingdom was a happy place because the clever, kind, and handsome engineers had long ago invented a wonderful contraption called, as you would expect, a "server." Servers were loved throughout the Serv kingdom and all the surrounding kingdoms. They came in shiny metal boxes and had blinking lights. Best of all, they had straight edges so that sysadmins could toss them back and forth to each other. Sysadmins loved tossing servers back and forth to each other, and at lunch time it was not uncommon for several servers to be in the air at once. But when a sysadmin dropped a server, it usually broke. And when a server broke, it was called a "failure." And a failure always woke up The Boss.

The Boss was a hairy ugly giant with one eye. He did only two things. He slept. And he fired sysadmins for waking him up. Naturally, everybody preferred to keep the boss asleep. Especially sysadmins.

Polite people in the Kingdom never mentioned the word "failure" at dinner parties, not even in a whisper, lest they unwittingly awaken The Boss. But everybody knew that if sysadmins began to appear on their sofas in the middle of the night, somewhere in the Kingdom a failure had occurred.

The wives of the clever, kind, and handsome engineers begged their husbands to do something about the plight of the playful sysadmins. And so the clever, kind, and handsome engineers invented the cluster. A cluster was an enchanted cable that connected groups of servers in a magical way. When one server was dropped by a sysadmin, the cable moved that server's applications to another server so fast that nobody had time to even think of saying "failure," much less say it loud enough to wake The Boss. When the dropped server was fixed, the enchanted cable moved that server's applications back.

And so the Kingdom was full of happy sysadmins tossing servers back and forth during lunch, and sleeping in their very own beds at night.

This turn of events, of course, made the pork rind and Bridezilla wives jealous. During the commercials they screeched at their browbeaten husbands until they invented a curse to get the sysadmins fired again and back on the sofas of the beautiful wives who cooked their engineer husbands tasty and nutritious food.

It was an unspeakable curse, and polite people at dinner parties didn't dare to even whisper its name. When this curse was unleashed upon the Kingdom, all the beautiful metal servers disappeared. Except one. And inside that one server were trapped the spirits of all the other servers. The sysadmins stood around staring at it, wondering of what use their big strong hands were when the servers no longer had bodies.

One by one the sysadmins grew sad and left, and in no time at all, almost all the clever, kind, and handsome engineers had sysadmins sleeping on their sofas again.

The Kingdom was not a happy place.

Until one day, it occurred to the cleverest, kindest, and most handsome of the clever, kind, and handsome engineers to put a spell on the enchanted cable so that it could do the same thing for the spirit servers that it once did for the physical servers.

It was a wonderful invention, and the sysadmins jumped off their sofas to learn how to use it. And to keep the pork rind-chomping, Bridezilla-watching wives of the browbeaten engineers guessing, the enchanted cable could be used in two different ways:

Two Ways to Create a Cluster from Logical Domains

  • Configure logical domains within Oracle Solaris Cluster
  • Configure Oracle Solaris Cluster within Oracle VM Server for SPARC

The first approach is fairly obvious. Each guest domain runs Oracle Solaris and the cluster software and acts as a cluster node; you put one or more applications inside each domain and create a cluster from all the domains. When a particular domain goes down, the applications running inside it get moved to a working domain. The domains are controlled individually through Oracle VM Server for SPARC, and the cluster is controlled by Oracle Solaris Cluster.

The second approach is more involved, but it provides significant benefits. It consists of setting up Oracle Solaris Cluster inside the control domain of Oracle VM Server for SPARC, so that the control domains are the cluster nodes and each guest domain becomes a failover resource. When deployed this way, Oracle Solaris Cluster can manage guest domains as "black boxes," which allows a site to isolate the administration of guest domains from each other: the cluster restarts or migrates a whole guest domain without needing any access to what runs inside it. With this approach, from within Oracle Solaris Cluster you can:

  • Create guest domains
  • Live- and warm-migrate the guest domains
  • And manage individual applications like you can with the first approach

The second approach is well documented. In fact, Venkat Chennuru, a sysadmin with big strong hands who was elevated to the rank of clever, kind, and handsome engineer, took the trouble to write it down for us. You can find his article on OTN:

How to Configure a Failover Guest Domain in an Oracle Solaris Cluster

Read it, learn how to do it. Because as you know, evil never rests.

- Rick


Monday Oct 29, 2012

Is This Your Idea of Disaster Recovery?

Don't just make do with less.

Protect what you've got.

By, for instance, deploying Oracle Solaris 10 inside a zone cluster.

"Wait," you say, "what is a zone cluster?"

It is a cluster whose nodes are zones, one on each of several physical servers, managed as a single virtual cluster.

"Who would do that!" you ask in a mild panic.

Why, an upstanding sysadmin citizen interested in protecting his or her employer's investment with appropriate high availability and disaster recovery. If one server gets wiped out by Hurricane Sandy along with pretty much the entire East Coast of the USA, the zone-cluster node on the other server(s) takes over your applications. Provided you set them up in Edinburgh. This white paper (pdf) explains what a zone cluster is and how to use it. If a white paper reminds you of having to read War and Peace in school, just use this Oracle RAC and Solaris Cluster Cheat Sheet instead.

"But wait!" you exclaim. "I didn't realize Solaris 10 offered zone clusters!"

I didn't, either! And in an earlier version of this blog post I said that zone clusters were only available with Oracle Solaris 11. But Karoly Vegh pointed me to the documentation for Oracle Solaris Cluster 3.3, which explains how to manage zone clusters in Oracle Solaris 10. Bite my fist!

So, the point I was trying to make is not just that you can run Oracle Solaris 10 zone clusters, but that you can run them in an Oracle Solaris 11 environment. Now let's return to our conversation and pick up where we left off ...

"Oh no! Whatever shall I do?"

Fear not. Remember how Oracle Solaris 11 lets you create a Solaris 10 branded zone inside a system running Oracle Solaris 11? Well, the Solaris Cluster engineers thought that was a bang-up idea, and decided to extend Oracle Solaris Cluster so that you could run your Solaris 10 applications inside the protective cocoon of an Oracle Solaris 11 zone cluster. Take advantage of the installation improvements and network virtualization capabilities of Oracle Solaris 11 while still running your application on Oracle Solaris 10. You Luddite, you.

That capability is in the latest release of Oracle Solaris Cluster, version 4.1, which became available last Friday.

"Last Friday! Is it too late to get a copy?"

You can still get a free copy from our download center (see below). And, if you'd like to know what other goodies the 4.1 release of Oracle Solaris Cluster provides, see:

As always, you can get the latest information about Oracle Solaris Cluster, plus technical how-to articles, documentation, and more from Oracle Solaris Cluster Resource Page for Sysadmins and Developers.

And don't forget about the online launch of Oracle Solaris 11.1 and Oracle Solaris Cluster 4.1, scheduled for Nov 7.

"I feel so much better, now!"

Think nothing of it. That's what we're here for.

- Rick

Thursday Sep 20, 2012

Focus On Systems Admins and Developers

Even if you're not going to Oracle Open World, you might find it interesting to hear what the different technology groups at Oracle are going to be talking about. And if you are going, here's your Systems schedule:

Note: all links go to PDF files.

Focus On: Oracle Linux

Focus On: Oracle Solaris

Focus On: Oracle Solaris Cluster

Focus On: Oracle Solaris Studio

Focus On: Desktop Virtualization

Focus On: Oracle VM Server Virtualization

Focus On: SPARC Servers

Focus On: Storage


Wednesday Sep 12, 2012

Reaping the Benefits of the Image Packaging System


One of the promises made about Oracle Solaris 11 was easier installation. Remember?

Do you also remember how involved installing Oracle Solaris Cluster used to be? It was so involved, in fact, that we (when we were Sun Microsystems) wouldn't even let you do it yourself.

How times have changed.

New - How to Automate The Installation of Oracle Solaris Cluster 4.0

Thanks to the Image Packaging System (IPS) and the Automated Installer (AI) in Oracle Solaris 11, you can now automate the installation of Oracle Solaris Cluster 4.0. Why is that such a big deal? As Lucia Lai explains it:

"Without the AI, you would have to manually install the cluster components on the cluster nodes, and then run the scinstall tool to add the nodes to the cluster. If, instead, you use the AI, both the Oracle Solaris 11 and the Oracle Solaris Cluster 4.0 packages are installed onto the cluster nodes directly from Image Packaging System (IPS) repositories, and the nodes are booted into a new cluster with minimum user intervention."

Lucia goes on to explain how to set up and configure the AI server, how to plan your cluster configuration for the automated installation, how to use the scinstall utility, how to set up the DHCP server, and more. A thorough, well-written article.

- Rick


Friday Aug 03, 2012

My Oracle RAC and Oracle Solaris Cluster Cheat Sheet

This gets complicated, so stop watching MotoGP crash compilation videos for a sec.

We have Oracle Real Application Clusters (RAC). RAC lets you deploy a single Oracle Database across different servers. If the server in your Des Moines data center gets picked up by a tornado that hates you and dropped off in East Texas, the other servers pick up the load, and the database continues to operate without interruption. That's easy to understand.

We also have Oracle Solaris Cluster. It lets you deploy the Oracle Solaris operating system across different servers. If the server in your Barbados data center gets washed away by a hurricane that hates you and dropped off in West Africa, the other servers pick up the load, and the operating system continues to operate without interruption. A good quote:

White Paper: Extending Oracle Solaris for Business Continuity
"Oracle Solaris Cluster offers comprehensive and robust capabilities for keeping your business IT, including those running Oracle Database and Applications, up and running in the face of nearly every conceivable situation."

That's easy to understand, as well.

So why would somebody complicate our sysadmin lives by suggesting we install Oracle RAC on Oracle Solaris Cluster? What would that be, highly-available high availability?

Turns out that's not what they're suggesting. They're suggesting we install Oracle RAC not on Solaris Clusters, but on zone clusters. What's a zone cluster, you ask?

A zone cluster is a cluster created from Solaris zones that are physically located on different servers. That's similar to a regular cluster, but it uses zones instead of entire OS instances. Don't confuse a zone cluster with a failover cluster. Instead, read this white paper:

White Paper: Zone Clusters: How to Deploy Virtual Clusters and Why
This paper introduces the zone cluster, a virtual cluster in which an Oracle Solaris Zone is configured as a virtual node. The zone cluster supports the consolidation of multiple cluster applications on a single cluster.

That's all very interesting, but what about our original question:

Why would someone want to complicate our sysadmin lives by suggesting we install Oracle RAC on a zone cluster?

Turns out there are two good reasons:

  • It's a better high-availability solution for a multi-tier application environment
  • It lets you isolate your database development, test, and deployment environments from each other.

How the Oracle RAC/Zone Cluster Combo Is Better For Multi-Tier Applications

Let's say that you are using your Oracle database as one tier in two different application environments. The first one is an HR application, the second is an e-business suite. Both access the same database. Oracle RAC would give you high availability for that database, but only for the database: the applications would not be highly available. However, if you installed the database with Oracle RAC inside one zone cluster, and each application inside its own zone cluster, you'd make both application environments highly available. And because a zone cluster's administrator can manage only the resources inside that zone cluster, you'd get administrative isolation as well: the HR administrator cannot touch the e-business suite or the database.

How the Oracle RAC/Zone Cluster Combo Is Safer for Deployment

You've probably heard by now about Knight Capital Group's trading glitch that dropped the company's value by 50% in one day. I don't know exactly what happened, but I wonder if they didn't deploy either their development or their test environment instead of the one that was ready for prime time.

I suppose it's a sysadmin's duty to learn from another sysadmin's misfortune. So, if you divide your zone clusters into development, test, and deployment environments, you might have a better shot at avoiding a similar catastrophe. For example, install Oracle RAC with an Oracle DB into your development zone cluster, and keep it isolated from your test and deployment zone clusters. One sysadmin controls the development cluster. Another the test cluster. And the biggest, baddest sysadmin controls the deployment cluster. When the development environment is ready for testing, the test admin must OK the migration. That goes double for the deployment environment. And all the while, each environment remains highly available.

Resources

Turns out that Oracle and the portion of Oracle that was once Sun Microsystems have been collaborating on Oracle RAC/Solaris Cluster solutions for a long time. Customers like this approach so much that we just published three articles explaining how to do it. Each article covers a different version of the software:

Article                                                               RAC version   Solaris version   Cluster version
How to Deploy Oracle RAC 11.2.0.2 on Oracle Solaris Zone Clusters     11.2.0.2      10                3.3
How to Deploy Oracle RAC 11.2.0.3 on Oracle Solaris Zone Clusters     11.2.0.3      10                3.3
How to Deploy Oracle RAC 11.2.0.3 on Oracle Solaris 11 Zone Clusters  11.2.0.3      11                4.0

And if you want more, we also have a page full of links to all our Solaris Cluster how-to articles and background white papers:

Where to find everything Solaris Cluster-related

Don't be the sysadmin who bankrupts your company in one day. Get educated.

- Rick


Thursday Jun 28, 2012

Similar But Not The Same

A few weeks ago we published an article that explained how to use Oracle Solaris Cluster 3.3 5/11 to provide a virtual, multitiered architecture for Oracle Real Application Clusters (Oracle RAC) 11.2.0.2. We called it ...

How to Deploy Oracle RAC on Zone Clusters

Welllllll ... we just published another article just like it. Except that it's different. The earlier article was for Oracle RAC 11.2.0.2. This one is for Oracle RAC 11.2.0.3. It describes how to do the same thing as the earlier one (create an Oracle Solaris zone cluster, install and configure Oracle Grid Infrastructure and Oracle RAC in the zone cluster, and create an Oracle Solaris Cluster resource for Oracle RAC), but for version 11.2.0.3 of Oracle RAC. Even though the objective is the same, and the version is only a dot-dot-dot release away, the process is quite different. So we decided to call it:

How to Deploy Oracle RAC 11.2.0.3 on Zone Clusters

Hope you can keep the different versions clear in your head. If not, let me know, and I'll try to make them easier to distinguish.

- Rick

About

Contributors:
Rick Ramsey
Kemer Thomson
and members of the OTN community
