Friday Mar 16, 2012

Great Solaris 10 features paving the way to Solaris 11

Karoly Vegh writes on the Oracle Systems Blog Austria about what you can do with Solaris 10 today that will get you ready for Solaris 11.

Even today, many people still use Solaris 10 as if it were a patch update to Solaris 8 or 9, missing out on the power behind Live Upgrade, Zones, resource management, and ZFS. Learning more about these will help set your feet on the road to the even more sophisticated capabilities of Oracle Solaris 11.

[Read More]

Monday Aug 29, 2011

Running GNOME Terminal From a Zone

As I've mentioned before, I VPN into the Oracle Intranet from within a zone. Once I establish the VPN connection, I'm no longer able to SSH into the zone, which is a slight drag if I'd like to open a new terminal window. The solution is to launch a new GNOME terminal window from within the zone. However, this wasn't without some minor hurdles to clear, so I'm documenting the process for future reference.

I'm assuming your zone already has a user account and the X authority file utility installed so you can launch X applications. If not, follow Steps 2 and 3 from the entry Running Firefox From a Zone.

Of course, GNOME Terminal needs to be installed:

bleonard@myzone:~$ sudo pkg install gnome-terminal
               Packages to install:     1
           Create boot environment:    No
               Services to restart:     2
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  1/1       80/80      2.1/2.1

PHASE                                        ACTIONS
Install Phase                                160/160 

PHASE                                          ITEMS
Package State Update Phase                       1/1 
Image State Update Phase                         2/2  

At this point, you'd like to think you could just launch gnome-terminal, but alas:

bleonard@myzone:~$ gnome-terminal
**
ERROR:terminal-app.c:1450:terminal_app_init: assertion failed: (app->default_profile_id != NULL)
Abort (core dumped)

It turns out you also need to install the SMF services responsible for updating the GNOME desktop caches (I've already filed an issue for this):

bleonard@myzone:~$ sudo pkg install desktop-cache
               Packages to install:     8
           Create boot environment:    No
               Services to restart:     5
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  8/8   3125/3125    13.5/13.5

PHASE                                        ACTIONS
Install Phase                              3566/3566 

PHASE                                          ITEMS
Package State Update Phase                       8/8 
Image State Update Phase                         2/2 

After installing the package, wait a few seconds while the cache is built. You can verify it's complete when the GNOME Gconf Cache Builder service state changes to online:

bleonard@myzone:~$ svcs -l gconf-cache
fmri         svc:/application/desktop-cache/gconf-cache:default
name         GNOME Gconf Cache Builder
enabled      true
state        online
next_state   none
state_time   August 29, 2011 04:50:45 PM EDT
logfile      /var/svc/log/application-desktop-cache-gconf-cache:default.log
restarter    svc:/system/svc/restarter:default
dependency   require_all/none svc:/system/filesystem/local (online)

After which, gnome-terminal should start successfully:

bleonard@myzone:~$ gnome-terminal &


If for some reason you still run into a problem, try refreshing the GNOME Gconf Cache Service:

bleonard@myzone:~$ sudo svcadm refresh gconf-cache
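The procedure above hinges on waiting for the gconf-cache service to reach online before launching gnome-terminal. The following is an added example, not code from the original post: a small POSIX sh helper that reads the state field out of `svcs -l` output (the sample embedded below is the page's own output) and polls a service until it is online, giving up early if the restarter has put it into maintenance, since polling longer will not help in that case. The `probe_state` function is the one assumption: it wraps `svcs -l FMRI` and can be redefined to simulate a host.

```shell
#!/bin/sh
# Added example, not from the original post. The sample below is the
# `svcs -l gconf-cache` output shown on the page.
SVCS_L_SAMPLE='fmri         svc:/application/desktop-cache/gconf-cache:default
name         GNOME Gconf Cache Builder
enabled      true
state        online
next_state   none
state_time   August 29, 2011 04:50:45 PM EDT
logfile      /var/svc/log/application-desktop-cache-gconf-cache:default.log
restarter    svc:/system/svc/restarter:default
dependency   require_all/none svc:/system/filesystem/local (online)'

# Extract the "state" field from `svcs -l` text passed on stdin.
svcs_l_state() {
    awk '$1 == "state" { print $2; exit }'
}

# Probe the live service. Redefine this function to simulate a host
# (the accompanying checks do exactly that).
probe_state() {
    svcs -l "$1" 2>/dev/null | svcs_l_state
}

# Poll until FMRI reaches the wanted state or the attempt budget runs out.
# $3 = number of attempts (default 30), $4 = seconds between attempts (default 1).
# Returns 0 when the state is reached, 1 on timeout or maintenance.
wait_for_state() {
    fmri=$1; want=$2; attempts=${3:-30}; delay=${4:-1}
    while [ "$attempts" -gt 0 ]; do
        state=$(probe_state "$fmri")
        if [ "$state" = "$want" ]; then
            return 0
        fi
        case $state in
            maintenance)
                # The restarter gave up; the service log explains why.
                echo "$fmri is in maintenance, check its logfile" >&2
                return 1 ;;
        esac
        attempts=$((attempts - 1))
        sleep "$delay"
    done
    echo "timed out waiting for $fmri to be $want" >&2
    return 1
}

# Typical use inside the zone, mirroring the page's steps:
#   wait_for_state svc:/application/desktop-cache/gconf-cache:default online 60 1 \
#       && gnome-terminal &
```

If the wait times out rather than reaching online, `svcadm refresh gconf-cache` (as the post suggests) and rerunning the wait is the next step; a maintenance state means the log file named in the `svcs -l` output should be read first.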

Thursday Jun 23, 2011

Giving a Zone "More Power"

In addition to the traditional virtualization benefits that Solaris zones offer, applications running in zones are also running in a more secure environment. One way to quantify this is to compare the privileges available to the global zone with those of a local zone.

For example, there are 82 distinct privileges available to the global zone:

bleonard@solaris:~$ ppriv -l | wc -l 
82

You can view the descriptions for each of those privileges as follows:

bleonard@solaris:~$ ppriv -lv
contract_event
	Allows a process to request critical events without limitation.
	Allows a process to request reliable delivery of all events on
	any event queue.
contract_identity
	Allows a process to set the service FMRI value of a process
	contract template.
...

Or for just one or more privileges:

bleonard@solaris:~$ ppriv -lv file_dac_read file_dac_write
file_dac_read
	Allows a process to read a file or directory whose permission
	bits or ACL do not allow the process read permission.
file_dac_write
	Allows a process to write a file or directory whose permission
	bits or ACL do not allow the process write permission.
	In order to write files owned by uid 0 in the absence of an
	effective uid of 0 ALL privileges are required.

However, in a non-global zone, only 43 of the 83 privileges are available by default:

root@myzone:~# ppriv -l zone | wc -l      
43

The missing privileges are:

cpc_cpu
dtrace_kernel
dtrace_proc
dtrace_user
file_downgrade_sl
file_flag_set
file_upgrade_sl
graphics_access
graphics_map
net_mac_implicit
proc_clock_highres
proc_priocntl
proc_zone
sys_config
sys_devices
sys_ipc_config
sys_linkdir
sys_dl_config
sys_net_config
sys_res_bind
sys_res_config
sys_smb
sys_suser_compat
sys_time
sys_trans_label
virt_manage
win_colormap
win_config
win_dac_read
win_dac_write
win_devices
win_dga
win_downgrade_sl
win_fontpath
win_mac_read
win_mac_write
win_selection
win_upgrade_sl
xvm_control

However, just like Tim Taylor, it is possible to give your zones more power. For example, a zone by default doesn't have the privileges to support DTrace:

root@myzone:~# dtrace -l
   ID   PROVIDER            MODULE                          FUNCTION NAME

The DTrace privileges can be added, however, as follows:

bleonard@solaris:~$ sudo zonecfg -z myzone
Password:
zonecfg:myzone> set limitpriv="default,dtrace_proc,dtrace_user"
zonecfg:myzone> verify
zonecfg:myzone> exit
bleonard@solaris:~$ sudo zoneadm -z myzone reboot

Now I can run DTrace from within the zone:

root@myzone:~# dtrace -l | more
   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
    2     dtrace                                                     END
    3     dtrace                                                     ERROR
 7115    syscall                                               nosys entry
 7116    syscall                                               nosys return
...

Note, certain privileges are never allowed to be assigned to a zone. You'll be notified on boot if you attempt to assign a prohibited privilege to a zone:

bleonard@solaris:~$ sudo zoneadm -z myzone reboot
privilege "dtrace_kernel" is not permitted within the zone's privilege set
zoneadm: zone myzone failed to verify

Here's a nice listing of all the privileges and their zone status (default, optional, prohibited): Privileges in a Non-Global Zone.
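Two of the checks above are worth scripting: computing which privileges a zone is missing relative to the global zone, and catching a prohibited privilege in limitpriv before the reboot fails verification. The following is an added example, not code from the original post. On a live system the two privilege lists would come from `ppriv -l` and `ppriv -l zone`; here they are a constructed subset so the script runs anywhere. The prohibited list is likewise constructed: dtrace_kernel is the one privilege the page shows being rejected, and the rest should be filled in from the Privileges in a Non-Global Zone table for your release.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed subset of
# `ppriv -l` (global zone) and `ppriv -l zone` output.
GLOBAL_PRIVS='contract_event
contract_identity
dtrace_kernel
dtrace_proc
dtrace_user
file_dac_read
file_dac_write
proc_zone
sys_time'

ZONE_PRIVS='contract_event
contract_identity
file_dac_read
file_dac_write'

# Privileges zoneadm refuses at boot. Constructed list: dtrace_kernel is the
# one the page shows being rejected; extend it from the documentation table.
PROHIBITED_PRIVS='dtrace_kernel'

# Print every name in list $1 that does not appear in list $2
# (both newline-separated).
withheld_privs() {
    for p in $1; do
        printf '%s\n' "$2" | grep -qx -- "$p" || printf '%s\n' "$p"
    done
}

# Check a zonecfg limitpriv value before rebooting the zone. Entries are
# comma-separated; a leading - or ! removes a privilege and is skipped, since
# removing a prohibited privilege is harmless. "all" would grant every
# privilege, prohibited ones included, so it is rejected outright.
# Returns 1 and names the offenders on stderr when the set is not bootable.
check_limitpriv() {
    rc=0
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        case $p in
            default|basic|none|-*|!*) continue ;;
            all)
                echo "limitpriv 'all' includes prohibited privileges" >&2
                rc=1
                continue ;;
        esac
        if printf '%s\n' "$PROHIBITED_PRIVS" | grep -qx -- "$p"; then
            echo "limitpriv would grant prohibited privilege: $p" >&2
            rc=1
        fi
    done
    return $rc
}

# Typical use from the global zone, mirroring the page's DTrace step:
#   withheld_privs "$(ppriv -l)" "$(ppriv -l zone)"
#   check_limitpriv "default,dtrace_proc,dtrace_user" \
#       && sudo zonecfg -z myzone 'set limitpriv="default,dtrace_proc,dtrace_user"'
```

Running the check before `zoneadm reboot` turns the "failed to verify" message at boot into an earlier, scripted refusal, and the withheld list is a quick way to document exactly what a zone cannot do relative to the global zone.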

Tuesday Jun 01, 2010

Zones and the Package Manager GUI

After getting a basic GUI to run from a zone, of course I was curious if I could run something more substantial. I don't normally use the Package Manager GUI, but I thought it would be a nice visual way to see what limited packages are installed in a zone.

[Read More]

Thursday May 27, 2010

Zones, X and Roles

My last two blog entries were actually written to set up this entry. What if I'm logged into the zone, assumed a role and need to run a GUI? An example use case here would be assuming the role of oracle and wanting to run something like the Oracle Database Configuration Assistant (DBCA). For the purposes of this entry, however, I'll stick to the simple Python GUI I used in my previous entry.

[Read More]

Friday Jul 17, 2009

Cloning Zones

Installing a zone in OpenSolaris requires a network connection and some patience as a little over 70MB of data is downloaded. Fortunately, after you've got the first zone installed, future zones can be cloned.

[Read More]

Tuesday Jul 14, 2009

Zones and Network Virtualization

If you're like me and working with zones on your laptop and/or desktop, you probably only have one network interface card to work with. Therefore, the zones I've created share the single network interface with the global zone (ip-type=shared).

Behind the scenes, Solaris creates a logical interface for the zone to use. The logical interface appears in ifconfig as your physical interface with an instance number. For example:

bleonard@solaris:~$ ifconfig -au4
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
	inet 127.0.0.1 netmask ff000000 
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
	zone myzone
	inet 127.0.0.1 netmask ff000000 
e1000g0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
	inet 10.0.1.10 netmask ffffff00 broadcast 10.0.1.255
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
	zone myzone
	inet 10.0.1.25 netmask ffffff00 broadcast 10.0.1.255

You can see both the loopback (lo0) and physical (e1000g0) interfaces have an instance (lo0:1 and e1000g0:1) that was created for the zone myzone. These logical interfaces only exist when the zone is running. If you halt the zone, they disappear.

From inside the zone, I only see the logical interfaces:

root@myzone:~# ifconfig -au4
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000 
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.0.1.25 netmask ffffff00 broadcast 10.0.1.255

However, I have no control over them. For example, if I try to bring down e1000g0:1:

root@myzone:~# ifconfig e1000g0:1 inet down
ifconfig: setifflags: SIOCSLIFFLAGS: e1000g0:1: permission denied 

The global zone is responsible for managing the local zone's network configuration.
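Since the global zone owns the shared-IP configuration, it is also the place to audit which addresses each zone has been lent. The following is an added example, not code from the original post: a POSIX sh/awk parser for the `ifconfig -au4` layout shown above that maps every logical interface to the zone that owns it. The sample text is the page's own global-zone output; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Sample is the page's own
# `ifconfig -au4` output from the global zone.
IFCONFIG_SAMPLE='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        zone myzone
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
        inet 10.0.1.10 netmask ffffff00 broadcast 10.0.1.255
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone myzone
        inet 10.0.1.25 netmask ffffff00 broadcast 10.0.1.255'

# Read ifconfig text on stdin; print "interface zone address" per inet line.
# Interface headers start in column 1 and end with a colon; an indented
# "zone NAME" line marks the logical interface as belonging to that
# non-global zone, otherwise the address belongs to the global zone.
iface_owners() {
    awk '
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface); zone = "global" }
        $1 == "zone" { zone = $2 }
        $1 == "inet" { print iface, zone, $2 }
    '
}

# Addresses currently lent to one non-global zone, e.g. to confirm what a
# zone can reach before it is halted (the zone cannot change them itself).
zone_addrs() {
    iface_owners | awk -v z="$1" '$2 == z { print $3 }'
}

# Live use from the global zone:
#   ifconfig -au4 | iface_owners
#   ifconfig -au4 | zone_addrs myzone
```

Because the logical interfaces vanish when the zone is halted, running `iface_owners` against a halted zone's name simply yields nothing, which is itself a useful liveness check.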

Network Virtualization

Oracle Solaris 11 introduces network virtualization technology. For example, I can create a virtual network interface card (vnic) that has all the properties of a physical nic.

bleonard@solaris:~$ sudo dladm create-vnic -l e1000g0 myzone0
bleonard@solaris:~$ dladm show-link 
LINK        CLASS    MTU    STATE    OVER
e1000g0     phys     1500   up       --
iwh0        phys     1500   down     --
vboxnet0    phys     1500   unknown  --
myzone0     vnic     1500   up       e1000g0

Now it's as if my laptop has 2 physical network interface cards. Using this "new" card, I can create a zone with an exclusive IP stack. My zone config would look something like the following:

bleonard@solaris:~$ cat myzone.config
create
set zonepath=/zones/myzone
set ip-type=exclusive	
add net
set physical=myzone0
end

Note there's no longer an IP address associated with the zone configuration. With a dedicated IP stack the zone will be able to manage its own IP.

Create the zone:

bleonard@solaris:~$ sudo zonecfg -z myzone -f myzone.config

Install the zone:

bleonard@solaris:~$ sudo zoneadm -z myzone install
A ZFS file system has been created for this zone.
   Publisher: Using solaris (https://pkg.oracle.com/solaris/support/ ).
       Image: Preparing at /zones/myzone/root.
 Credentials: Propagating Oracle_Solaris_11_Express_Support.key.pem
 Credentials: Propagating Oracle_Solaris_11_Express_Support.certificate.pem
       Cache: Using /var/pkg/download.
Sanity Check: Looking for 'entire' incorporation.
  Installing: Core System (output follows)
               Packages to install:     1
           Create boot environment:    No
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  1/1         1/1      0.0/0.0

PHASE                                        ACTIONS
Install Phase                                  11/11 

PHASE                                          ITEMS
Package State Update Phase                       1/1 
Image State Update Phase                         2/2 
               Packages to install:    45
           Create boot environment:    No
               Services to restart:     3
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                45/45 12511/12511    89.1/89.1

PHASE                                        ACTIONS
Install Phase                            17958/17958 

PHASE                                          ITEMS
Package State Update Phase                     45/45 
Image State Update Phase                         2/2 
  Installing: Additional Packages (output follows)
               Packages to install:    46
           Create boot environment:    No
               Services to restart:     2
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                46/46   4498/4498    26.5/26.5

PHASE                                        ACTIONS
Install Phase                              6143/6143 

PHASE                                          ITEMS
Package State Update Phase                     46/46 
Image State Update Phase                         2/2 

        Note: Man pages can be obtained by installing SUNWman
 Postinstall: Copying SMF seed repository ... done.
 Postinstall: Applying workarounds.
        Done: Installation completed in 486.420 seconds.

  Next Steps: Boot the zone, then log into the zone console (zlogin -C)
              to complete the configuration process.

Create a configuration file for the zone. Note, here we can define the zone's IP configuration (or we could do it later):

bleonard@solaris:~$ cat sysidcfg
system_locale=C
terminal=xterms
network_interface=myzone0 {
	hostname=myzone
	ip_address=10.0.1.25
        default_route=NONE
	netmask=255.255.255.0
 	protocol_ipv6=no}
security_policy=none
name_service=NONE
nfs4_domain=dynamic
timezone=US/Eastern
root_password=fto/dU8MKwQRI

Copy the sysidcfg file to the zone:

bleonard@solaris:~$ sudo cp sysidcfg /zones/myzone/root/etc/.

Boot the zone:

bleonard@solaris:~$ sudo zoneadm -z myzone boot

Log into the zone. The first login will take some time as the zone completes its system configuration:

bleonard@solaris:~$ sudo zlogin -C myzone
[Connected to zone 'myzone' console]
100/100
Hostname: myzone
Loading smf(5) service descriptions: 3/3
 network_interface=myzone0 {
myzone0 is not a valid network interface  line 3 position 19
Creating new rsa public/private host key pair
Creating new dsa public/private host key pair
Configuring network interface addresses: myzone0.

Note the message about myzone0 being an invalid network interface. This appears to be benign, as a few lines down we see myzone0 getting configured. If you used the root_password setting from above, you can log in as root/abc123:

myzone console login: root
Password: abc123
May 31 08:30:02 myzone login: ROOT LOGIN /dev/console
Oracle Corporation      SunOS 5.11      snv_151a        April 2011
root@myzone:~#

As with shared IP, you can see the interface using ifconfig:

root@myzone:~# ifconfig -au4
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000 
myzone0: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.0.1.25 netmask ffffff00 broadcast 10.0.1.255
        ether 2:8:20:59:0:b5 

However, now you can also manage it. For example:

root@myzone:~# ifconfig myzone0 down
root@myzone:~# ifconfig -au4
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000 

And back in the global zone, there are no more logical interfaces cluttering up the ifconfig output:

bleonard@solaris:~$ ifconfig -au4
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
	inet 127.0.0.1 netmask ff000000 
e1000g0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
	inet 10.0.1.10 netmask ffffff00 broadcast 10.0.1.255

In addition to this, virtual NICs provide a whole bunch of control over the data passing through the network interface. For a brief introduction to that, see Fun with Crossbow.

Monday Jul 13, 2009

Zones and DNS

If you've preconfigured your zone as I did, you will probably be frustrated that there's no DNS. This is easy enough to fix.

[Read More]

Preconfiguring Zones

In the Zones blog I posted a few weeks back, a couple of the steps required interactive configuration. In this entry I'm going to create the same zone, however in a much streamlined manner.

[Read More]

Tuesday May 19, 2009

Zones

The installation of a zone in OpenSolaris is a bit different than in Solaris 10 (or SXCE) and it's due to IPS, which is unique to OpenSolaris.

[Read More]

About

The Observatory is a blog for users of Oracle Solaris. Tune in here for tips, tricks and more as we explore the Solaris operating system from Oracle.
