
EMC Power Path Solaris

Basically Multipathing is a fault-tolerance & performance enhancement technique where there is more than one physical path between the computer and its storage devices through the buses, controllers & switches. The product/software released by EMC for this purpose is EMC PowerPath.

First of all, to use this software it needs to be installed, and it can be downloaded from the Powerlink website. Once it is installed and configured, below are some of the commands for administration purposes.

* When new LUNs are added, to check the newly added LUNs:

  # /etc/powermt display
  # /etc/powermt display dev=all

  If it does not recognize them, then run # devfsadm - this takes the LUNs into OS control.

* To make the configuration changes: # /etc/powermt config

* To save the changes: # /etc/powermt save

* To see all the devices and the logical device IDs of the disk: # /etc/powermt display dev=all | more

* To remove failed devices & all the old device entries: # /etc/powermt check
  It shows the failed devices and asks whether to delete the failed ones. For example:
  Warning: ------- device path c/0t1d2 is currently dead. Do you want to remove it (y/n/a/q)? y enter.

11) What happens if vxconfigd is disabled?

Ans:- Basically vxconfigd is the Veritas Volume Manager configuration daemon. It maintains disk configuration and disk groups in Veritas Volume Manager. Whenever this (vxconfigd) is disabled it stops taking requests from other Veritas Volume Manager utilities for configuration changes and also stops updating the changes to the kernel and the configuration information stored on disk. So whenever this is disabled, we cannot work under Veritas Volume Manager.

Q) What is HA?

ANSWER: HA (High Availability) is a technology to achieve failover with very little latency. It's a practical requirement of data centers these days, when customers expect the servers to be running 24 hours on all 7 days around the whole 365 days a year, usually referred to as 24x7x365. So to achieve this, a redundant infrastructure is created to make sure that if one database server or one app server fails there is a replica Database or Appserver ready to take over the operations. The end customer never experiences any outage when there is a HA network infrastructure.

Array

Q) What is Array?

A) Array is a group of independent physical disks to configure any Volumes or RAID volumes.

SAN

Q) What is the highest and lowest priority of SCSI?

A) There are 16 different IDs which can be assigned to SCSI devices: 7, 6, 5, 4, 3, 2, 1, 0, 15, 14, 13, 12, 11, 10, 9, 8. Highest priority of SCSI is ID 7 and lowest ID is 8.

Q) How to find the WWN (World Wide Name) in Solaris?

A) # fcinfo hba-port | grep

To see the model and firmware details: # fcinfo hba-port

Note:
* World Wide Names (WWN) are unique 8 byte identifiers in fibre channel which are similar to the MAC Addresses on a Network Interface Card (NIC).
* World Wide port Name (WWpN) - It is a WWN assigned to a port on a Fabric.
* World Wide node Name (WWnN) - It is a WWN assigned to a node/device on a Fibre Channel fabric.

SAN

Q) Which one is the Default ID for SCSI HBA?

A) Generally the default ID for SCSI HBA is 7. SCSI - Small Computer System Interface; HBA - Host Bus Adaptor.

Q) How is a SAN managed?

A) There are many management software packages used for managing SANs, to name a few:
- SANtricity
- IBM Tivoli Storage Manager
- CA Unicenter
- Veritas Volume Manager

Q) Can you briefly explain each of these Storage Area components?

A) Fabric Switch: It's a device which interconnects multiple network devices. There are switches starting from 16 ports to 32 ports which connect 16 or 32 machine nodes etc. Vendors who manufacture these kinds of switches are Brocade, McData.

Q) What does a typical storage area network consist of if we consider it for implementation in a small business setup? If we consider any small business, the following are the essential components of a SAN.

ANS) Fabric Switch & FC Controllers & JBODs

Q) What is a HBA?

A) Host bus adapters (HBAs) are needed to connect the server (host) to the storage.

Q) What are the advantages of SAN?

A)
- Massively extended scalability
- Greatly enhanced device connectivity
- Storage consolidation
- LAN-free backup
- Server-less (active-fabric) backup
- Server clustering
- Heterogeneous data sharing
- Disaster recovery
- Remote mirroring

While answering, people do NOT portray clearly what they mean & what advantages each of them have, which are cost effective & which are to be used for the client's requirements.

Q) What is the difference b/w SAN and NAS?

A) The basic difference between SAN and NAS: SAN is Fabric based and NAS is Ethernet based.

SAN (Storage Area Network): It accesses data on block level and provides space to the host in the form of a disk.

NAS (Network Attached Storage): It accesses data on file level and provides space to the host in the form of a shared network folder.

main.cf (VCS)

Q) Which two ways can the syntax of the main.cf file be verified?

Answer) 1) Can check manually 2) At VCS startup

Jeopardy (VCS)

Q) There are three heartbeat connections, two private and one low priority, that are configured and operational in a VCS cluster. What happens if both of the private heartbeat connections are unplugged?

Answer) The cluster enters Jeopardy state.

Display Locked User Accounts

Q) I have 200 user accounts. How can I get the list of locked user accounts?

A) Can use the following command: cat /etc/shadow | grep "*LK*"

Q) What is SCSI target ID on the gauss disk?

Ans: 5

Q: What is a zone?

A: A zone is a virtual operating system abstraction that provides a protected environment in which applications run. The applications are protected from each other to provide software fault isolation. To ease the labor of managing multiple applications and their environments, they co-exist within one operating system instance, and are usually managed as one entity.

Q: What is a container?

A: A zone which also uses the operating system's resource management facility is then called a container. Many people use the two words "zone" and "container" interchangeably.

Q: What types of zones are available?
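As an added example (not code from the original page), here is a POSIX shell version of the locked-account check above that tests the password field of each shadow(4) entry instead of grepping the whole line, and separately reports accounts that have no password at all; the shadow lines are constructed sample data and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: list locked accounts from
# /etc/shadow-format input (Solaris shadow(4) layout) read on stdin.
# An account is locked when its password field (field 2) starts with "*LK*".
# Entries with "NP" / "*NP*" / an empty field have no password; they are not
# locked, so they are reported by a separate function rather than mixed in.

# Print the login names of locked accounts, one per line.
locked_accounts() {
    awk -F: '
        NF < 2 { next }                      # skip blank or malformed lines
        index($2, "*LK*") == 1 { print $1 }  # marker must open the password field
    '
}

# Print login names whose password field is empty or marked "no password".
no_password_accounts() {
    awk -F: '
        NF < 2 { next }
        $2 == "" || $2 == "NP" || $2 == "*NP*" { print $1 }
    '
}

# Constructed sample shadow file (no real hashes):
# name:password:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW='root:$5$saltA$constructedhash1:18000::::::
daemon:NP:6445::::::
guest:*LK*:18000::::::
backup:*LK*$5$saltB$constructedhash2:18100::::::
svcuser:*NP*:18000::::::
alice:$5$saltC$constructedhash3:18200:7:90:14:::
bob::18200::::::'

printf 'Locked accounts:\n'
printf '%s\n' "$SAMPLE_SHADOW" | locked_accounts
printf 'Accounts without a password (not locked, but review them):\n'
printf '%s\n' "$SAMPLE_SHADOW" | no_password_accounts
```

On a real system, run it as root with `locked_accounts < /etc/shadow`; an account whose hash was locked by `passwd -l` keeps the old hash after the `*LK*` prefix, which the field test still catches.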

A: It is possible to create non-global zones that run the same OS as the global zone, which is the OS running on the system. It is also possible to create a non-global zone that runs a different operating environment from the global zone. The branded zone (BrandZ) framework extends the Solaris Zones infrastructure to include the creation of brands that contain alternative sets of runtime behaviors. The following types of non-global zones are available:

native: The default SXCE and Solaris 10 non-global zone is the native zone. It has the same characteristics as the Solaris 10 Operating System or SX release that is running in the global zone. If you have configured your system with Solaris Trusted Extensions, each non-global zone is associated with a level of security, or label. Labeled zones can be configured starting with the Solaris 10 11/06 release. For more information, see Solaris Trusted Extensions Installation and Configuration.

ipkg: The ipkg non-global zone is the default on the OpenSolaris release. It has the same characteristics as the OpenSolaris release that is running in the global zone.

Branded zones that run an environment different from the OS release on the system:
o The lx branded zone, introduced in the SXDE and Solaris 10 8/07 releases, provides a Linux environment for your applications and runs on x86 and x64 machines. For more information, visit the OpenSolaris Community: BrandZ.
o The solaris8 and solaris9 branded zones enable you to migrate a Solaris 8 or Solaris 9 system to a Solaris 8 or Solaris 9 container on a host running the Solaris 10 8/07 Operating System or later S10 release. The solaris8 zone is an environment for Solaris 8 applications on SPARC machines. The solaris9 zone is an environment for Solaris 9 applications on SPARC machines.

Q: What is a global zone? Sparse-root zone? Whole-root zone? Local zone?

A: After installing Solaris 10 on a system, but before creating any zones, all processes run in the global zone. After you create a zone, it has processes that are associated with that zone and no other zone. Any process created by a process in a non-global zone is also associated with that non-global zone. Any zone which is not the global zone is called a non-global zone. Some people call non-global zones simply "zones." Others call them "local zones" but this is discouraged.

The default native zone filesystem model is called "sparse-root." This model emphasizes efficiency at the cost of some configuration flexibility. Sparse-root zones optimize physical memory and disk space usage by sharing some directories, like /usr and /lib. Sparse-root zones have their own private file areas for directories like /etc and /var.

Whole-root zones increase configuration flexibility but increase resource usage. They do not use shared filesystems for /usr, /lib, and a few others. There is no supported way to convert an existing sparse-root zone to a whole-root zone. Creating a new zone is required.

Q: Can I create a zone which shares ("inherits") some, but not all of /usr, /lib, /platform, /sbin?

A: The original design of Solaris Containers assumes that those four directories are either all shared ("inherited") or all not shared. Sharing some and not others will lead to undefined and/or unpredictable behavior.

Q: How do I get zones or containers?

A: Operating systems based on the OpenSolaris code base may elect to include support for zones. Sun provides Solaris 10 and Solaris Express, each of which include complete support for Zones.

Q: What hardware can utilize zones or containers?

A: Zones and resource management are all software features of OpenSolaris, and by extension, Solaris and other operating systems based on OpenSolaris. As software features, they do not depend upon any specific hardware platform. Any hardware that runs OpenSolaris or one of its distros, e.g. Solaris 10, will be able to have these features.

Q: Will my software run in a zone or container?

A: Most Solaris software will run unmodified in a zone, without needing to re-compile. Unprivileged software (programs that do not run as root nor with specific privileges) typically run unmodified in a zone once they can be successfully installed. Installation software must not assume that it can write into shared, read-only filesystems, e.g. /usr. This can be circumvented by adding a writable filesystem to the zone (e.g. at /usr/local) or using a whole-root zone. However, there are a few applications which need non-default privileges to run, privileges not normally available in a zone, such as the ability to set the system's time-of-day clock. For these situations, the feature named "configurable privileges" has been added. This feature allows the global zone administrator, the person who manages zones on a system, to assign additional, non-default privileges to a zone. The zone's administrator can then allow individual users to use those non-default privileges. An application that requires privileges which cannot be added to a zone may need modification to run properly in a zone. Here are some guidelines:

- An application that accesses the network and files, and performs no other I/O, should work correctly.

- Applications which require direct access to certain devices, e.g., a disk partition, will usually work if the zone is configured correctly. However, in some cases this may increase security risks. Applications which require direct access to these devices must be modified to work correctly:
  o /dev/kmem
  o a network device
    1. Starting with OpenSolaris build 37 and Solaris 10 8/07, a zone can be configured as an "exclusive-IP zone" which gives it exclusive access to the NIC(s) that the zone has been assigned. Applications in such a zone can communicate directly with the NIC(s) available to the zone.
    2. Applications running in shared-IP zones should instead use one of the many IP services.

For more details, read the white paper "Bringing Your Application Into the Zone". Note that changes have been made to privileges, IP types, and other areas used with zones since this paper was published. For current information, also see the administration guide.

Q: What features are new in Solaris 10 10/08?

A: New features include the following:

1. Support has been added for using ZFS clones when cloning a zone. If the source and the target zonepaths reside on ZFS and both are in the same pool, a snapshot of the source zonepath is taken and zoneadm clone uses ZFS to clone the zone. You can still specify that a ZFS zonepath be copied instead. If neither the source nor the target zonepath is on ZFS, or if one is on ZFS and the other is not on ZFS, the clone process uses the existing copy technique. In all cases, the system copies the data from a source zonepath to a target zonepath if using a ZFS clone is not possible.

2. A new -b option to zoneadm attach has also been added. Use this option to specify official or Interim Diagnostics Relief (IDR) patches to be backed out of a zone during the attach. This option applies only to zone brands that use SVr4 packaging.

Q: How "big" is a zone?

A: If configured with default parameters, a zone requires about 85MB of free disk space per zone when the global zone has been installed with the "All" metacluster of Solaris packages. Additional packages installed in the global zone will require additional space in the non-global zones. SVM soft partitions can be used to divide disk slices and enforce per-zone disk space constraints. When performing capacity planning, 40MB of additional RAM per zone is suggested. Applications do not use any "extra" RAM because they are running in a zone. A zone installed using the "full-root model" will take up as much space as the initial Solaris 10 installation, which will be more than 500MB in most cases.

Q: How many containers can one copy of Solaris have?

A: While the theoretical limit is over 8,000, the practical limit depends on:
- The amount of hardware resources used by the applications versus the amount available in the system. This includes the number and processing power of CPUs, memory size, NICs, HBAs, etc.
- What portion of the installed zones are actually in use. For example, you can create 100 zones, each ready to offer a web service, but only boot the 10 that you need this month. The unbooted zones take up disk space, but do not cause the use of any extra CPU power, RAM, or I/O.

Consider these examples which worked:

40 zones, each running five copies of the Apache web service, on an E250 with two 300MHz CPUs, 512MB RAM, and three hard disk drives totalling 40GB. With all zones running and a load consisting of multiple simultaneous HTTP requests to each zone, the overhead of using zones was so small it wasn't measurable (<5%).

Q: Can each zone run a different Solaris version?

A: No. All of the zones use a single underlying kernel. The version of the kernel determines the version of every container in that domain.

Q: What types of re-configurations require a non-global zone re-boot?

A:
- Adding a device to a non-global zone.
- Binding a zone to a pool.

Q: Can containers be clustered?

A: Yes, but not without adding additional cluster management software. As of this writing, Sun is developing extensions to its Sun Cluster software, so that Resource Groups can be placed within non-global zones. Veritas/Symantec has also announced support for Zones in the Veritas Cluster product.

Q: Can I use SysV shared memory between containers?

A: No. This would violate several security principles.

Q: Can a zone include multiple zones (aka "is the containment model hierarchical")?

A: No, the model is strictly two-level: one global zone and one or more non-global zones. Only the global zone can create non-global zones, and each non-global zone must be contained within the global zone.

Q: Can I automate the process of entering system information, e.g. with sysidcfg?

A: Yes, after a zone has been installed, copy a sysidcfg(4) file to the zone's /etc/sysidcfg before the first boot of that zone.

Q: Can some local zones be in different time zones?

A: Yes. Each non-global zone has its own copy of /etc/default/init, which contains the timezone setting. You can change the line starting with "TZ=". The recognized names of timezones are in /usr/share/lib/zoneinfo. For example, Eastern Standard Time in the USA is defined in the file /usr/share/lib/zoneinfo/US/Eastern. To set a non-global zone's timezone to that timezone, the line in /etc/default/init would look like this:

  TZ=US/Eastern

Q: Can some non-global zones have different date and/or time settings (i.e. different clocks)?

A: Although different zones can 'be' in different time zones, each zone gets its date and time clock from the same source. This means that the time zone setting gets applied after the current time data is obtained from the kernel. If you would like the ability to have different clock sources per zone, please add a call record to RFE 5033497. [August 2005]

Q: Can I label my terminal windows with the name of the zone I'm logged into?

A: Yes. After logging into the zone, enter this command:

  zone% /bin/echo "\033]0;Zone `/bin/zonename`\007\c"

Q: How can I add a filesystem to an existing zone?

A: There are four methods. The following list uses UFS examples, but other types of file systems, such as HSFS and VxFS, can be used in the zonecfg "fs" resource type property or attached by mount(1M).

1. Create and mount the filesystem in the global zone and use LOFS to mount it into the non-global zone (very safe)

2. Create the filesystem in the global zone and use zonecfg to mount the filesystem into the zone as a UFS filesystem (very safe)

3. Export the device associated with the disk partition to the non-global zone, create the filesystem in the non-global zone and mount it. Security consideration: If a 'block' device is present in the zone, a malicious user could create a corrupt filesystem image on that device, and mount a filesystem. This might cause the system to panic. The problem is less acute with raw (character) devices. Disk devices should only be placed into a zone that is part of a relatively trusted infrastructure.

4. Mount a UFS filesystem directly into the non-global zone's directory structure (allows dynamic modifications to the mount without rebooting the non-global zone)

Q: How can I make a writeable /usr/local in a sparse-root zone?

A: Use one of the methods above, for example:

  global# mkdir -p /path/to/some/storage/local/twilight
  global# zonecfg -z twilight
  zonecfg:twilight> add fs
  zonecfg:twilight:fs> set dir=/usr/local
  zonecfg:twilight:fs> set special=/path/to/some/storage/local/twilight
  zonecfg:twilight:fs> set type=lofs
  zonecfg:twilight:fs> end
  zonecfg:twilight> commit
  zonecfg:twilight> exit
  global#

Q: Can I assign an SVM meta-device, or a Veritas Volume, to a non-global zone?

A: With Solaris 10 1/06, you can directly assign an SVM meta-device into a non-global zone, using the same method you would with most other devices. Symantec supports the assignment of a Veritas Volume into a non-global zone.
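To turn the security consideration in method 3 above (and the raw-device discussion that follows) into a check, here is an added POSIX shell example, not code from the original page or from Sun: it reads a `zonecfg -z NAME export` listing, flags each device resource by whether it hands the zone a block or a raw device, and lists fs resources with their type; the export text is constructed sample input and the severity labels are this example's own convention.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a "zonecfg -z NAME export"
# listing for the resources the answers above single out. Block disk devices
# (/dev/dsk/...) handed to a zone with "add device" are flagged HIGH, because a
# corrupt filesystem image mounted from one can panic the whole system; raw
# (/dev/rdsk/...) devices are flagged MEDIUM; everything else is INFO.
# The export text below is constructed sample input, not from a real system.

# Read a zonecfg export on stdin; print one "SEVERITY resource detail" line
# per device or fs resource.
audit_zone_export() {
    awk '
        $1 == "add" && ($2 == "device" || $2 == "fs") {
            res = $2; type = ""; special = ""; path = ""; next
        }
        res == "device" && $1 == "set" && sub(/^match=/, "", $2)   { path = $2 }
        res == "fs"     && $1 == "set" && sub(/^type=/, "", $2)    { type = $2 }
        res == "fs"     && $1 == "set" && sub(/^special=/, "", $2) { special = $2 }
        $1 == "end" {
            if (res == "device") {
                if (path ~ /^\/dev\/dsk\//)       print "HIGH device block device exported: " path
                else if (path ~ /^\/dev\/rdsk\//) print "MEDIUM device raw device exported: " path
                else                              print "INFO device " path
            } else if (res == "fs") {
                # fs resources are mounted by the global zone (methods 1 and 2)
                print "INFO fs " type " mount of " special
            }
            res = ""
        }
    '
}

# Count the findings of one severity (HIGH, MEDIUM or INFO) in a report on stdin.
count_severity() {
    grep -c "^$1 " || true
}

# Constructed sample export: a lofs /usr/local (method 1), a UFS fs resource
# (method 2), the sound device from the training example, and a block disk
# device (method 3, the risky case).
ZONE_EXPORT='create -b
set zonepath=/zones/twilight
set autoboot=true
add inherit-pkg-dir
set dir=/usr
end
add fs
set dir=/usr/local
set special=/path/to/some/storage/local/twilight
set type=lofs
end
add fs
set dir=/data
set special=/dev/dsk/c1t1d0s6
set raw=/dev/rdsk/c1t1d0s6
set type=ufs
end
add device
set match=/dev/sound/*
end
add device
set match=/dev/dsk/c1t2d0s0
end
add net
set address=192.168.200.202
set physical=bge0
end'

printf '%s\n' "$ZONE_EXPORT" | audit_zone_export
```

Against a live system, feed it `zonecfg -z NAME export | audit_zone_export`; any HIGH line is a zone that should only exist inside the "relatively trusted infrastructure" the answer describes.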

Q: Can I, and should I, import raw devices into a non-global zone?

A: The Solaris Zones feature set provides the global zone administrator with the ability to allow a non-global zone to access a raw device. There are many situations where this will be the best approach to solve a problem. There are even situations which require such use. First, however, it is important to stress that there are usually other solutions that do not require direct device access. Let's discuss this first.

With regard to importing VxVM devices into a zone, this is possible with VxVM 5.0MP3 and up. For earlier versions, your options depend on the goal. If the goal is to make a filesystem available in the zone, the solution is to create the filesystem in the global zone, and LOFS or direct mount the filesystem in the zone. On the other hand, if the goal is to make a mirrored block device available in the zone, the only solution is to upgrade to VxVM 5.0MP3 or higher.

If you want to make a filesystem available in the zone, create the filesystem in the global zone, and use LOFS to make the filesystem available in the zone. On the other hand, if the goal is to make a mirrored block device available in the zone, another solution must be found.

In any situation, if direct device access is required within a zone, you must perform careful failure analysis and evaluation of the possible outcomes of "catastrophic application failure." If the non-global zone will use COTS software, and will be managed by trustworthy people, then the risks will be small. Fortunately, in most cases there are also other solutions which do not use direct device access from a zone. Here are two extreme examples:

1. A zone will be created for the purpose of training students on basic Unix commands. The root account will only be used by the global zone administrator. The system will be attached to a LAN which is not connected to any other networks. The instructor needs access to the sound device. There are very few risks associated with such access: it would be very difficult for the sound device to suffer a failure, and even if it did it would be unlikely to affect other zones. The zone can be given access to this via the zonecfg sub-commands:

  global# zonecfg -z zonename
  zonecfg:zonename> add device
  zonecfg:zonename:device> set match=/dev/sound/*
  zonecfg:zonename:device> end
  zonecfg:zonename> exit

The zone will have access to sound devices, but will not have access to any other devices.

2. A zone will be created for the purpose of teaching students about a database program that requires access to raw disk partitions. The instructor knows how to use Unix, but does not have a background in Unix system administration. Further, the instructor will require use of the root account to assist students. It is possible that the instructor could make a mistake, or a malicious student could abuse the raw disk access, leading to a crash of the kernel. This would also stop all of the other non-global zones, as well as the global zone. If the other zones are running production software, this request for raw disk access in a zone should not be fulfilled. Other solutions should be pursued, such as creating an RBAC role for the instructor which only gives the necessary privileges to the instructor's Unix account.

Other examples must be judged by their particulars, e.g. a production database program which needs raw access. Factors to consider include:
- Who will login to the zone? How trustworthy are they?
- Is this system protected from unauthorized access by a firewall?
- What level of availability is required by applications running in this zone and in other zones?

Q: Can I share an I/O resource (e.g. NIC, HBA) between containers?

A: Yes, in fact, that is the default model. Each container is assigned its own IP address, but usually multiple containers will share one NIC. Further, multiple zones may be assigned separate filesystems accessed through one HBA.

Q: Can zones in one computer communicate via the network?

A: Both shared-IP and exclusive-IP zones can communicate via the network. In general, a zone is assigned to use one or more network ports (aka NICs), and network traffic to or from other computers uses the assigned NIC(s), following standard IP rules. Network traffic between two zones on the same system may require extra planning.

If a zone is an "exclusive-IP" zone, its network packets will always leave the computer, and inbound packets will always come from outside the computer. Further, an exclusive-IP zone performs all of its own network configuration, including routing and IP filtering.

Before Solaris 10 10/08, network traffic between two shared-IP zones always stayed in the computer, i.e. it didn't traverse the physical network. This provided very high bandwidth, low latency transmission. However, starting with Solaris 10 10/08, traffic between two shared-IP zones stays in the computer unless a default router is used for one or both zones. Traffic from a zone with a default router will go out to the router before coming back to the destination zone. For more information on default routers for zones, see the documentation and Steffen's blog.

Full IP-level functionality is available in an exclusive-IP zone. Exclusive-IP zones always communicate with each other over the physical network. That communication can be restricted using IP Filter from within such zones, just as it can for a separate system.

For shared-IP zones in one computer that communicate using IP networking, the following applies:
- Inter-zone network latency is extremely small, and bandwidth is extremely high.
- Solaris IP Filter can be enabled in non-global zones by turning on loopback filtering as described in System Administration Guide: IP Services. Filter rules are still configured in the global zone.
- It is possible to configure routing to block traffic between specific zones completely.

Q: How do I modify the network configuration of a running zone?

A: For shared-IP zones, the ifconfig(1M) command can be used in the global zone to modify that zone's existing network configuration or to add new logical interfaces to a zone. Here are some examples that add, and then delete, a logical interface assigned to a zone:

  global# ifconfig bge0 addif 192.168.200.202 zone myzone
  global# ifconfig bge0 removeif 192.168.200.202

Q: Can IP Multipathing (IPMP) be used with zones?

A: Yes. Exclusive-IP zones can use IPMP. IPMP is configured the same way in an exclusive-IP zone as it is on a system not using zones. For shared-IP zones, IPMP can be configured in the global zone. Failover of a network link (e.g. hme0) that is protected by IPMP will bring the associated logical interfaces (e.g. hme0:3) for the zones over to the secondary link (e.g. bge0). For more information, see the section "Using IP Network Multipathing on a Solaris System With Zones Installed" in System Administration Guide: Solaris Containers-Resource Management and Solaris Zones.

Q: Can IP Filter be used with zones?

A: You have the same IP Filter functionality that you have in the global zone in an exclusive-IP zone. IP Filter is also configured the same way in exclusive-IP zones and the global zone. For shared-IP zones, the IPFilter features in Solaris 10 can be used to filter traffic passing between one non-global zone and other computers on the network. This includes the ability to use NAT features, i.e., redirect traffic destined for the global zone to non-global zones.

Q: Can I prevent a zone from using the network?

A: Yes. A zone does not need a network interface in order to operate. If you don't specify a network interface when you create the zone, it will still boot correctly. If an existing zone has been given access to a network interface, you can use zonecfg(1M) to remove that access, but if the zone is running you must also either re-boot the zone or use ifconfig(1M) to remove access until the next re-boot.

It is also possible to allow a shared-IP zone to access the network, but not communicate with other zones on the same system. One method is to set up a pair of routes using the "-reject" argument to the route(1) command. For example, if one zone has an IP address of <Addr1> and the second zone has an address of <Addr2>, then the following commands will prevent network traffic from passing between the two zones. [July 2005]

  global# route add <Addr1> <Addr2> -interface -reject
  global# route add <Addr2> <Addr1> -interface -reject

Q: Are VLANs supported in zones?

A: Yes. For a shared-IP zone, the VLAN interface must be plumbed in the global zone. LAN and VLAN separation are available in an exclusive-IP non-global zone.

Q: How do I configure a default route in a container?

A: For a shared-IP configuration: All routes, including default routes, must be configured by the global zone administrator. By default, such zones use the global zone's default router. Starting with Solaris 10 10/08, each shared-IP zone can be assigned its own default router with the "defrouter" setting. For more information on default routers for zones, see the documentation and Steffen's blog.

For an exclusive-IP configuration: The zone administrator can configure IP on those data-links with the same flexibility and options as in the global zone.

Q: How can I restrict a zone (or a few zones) to one NIC (network connector)?

A: The global zone administrator configures each zone's access to zero or more NICs. A shared-IP zone can be the only zone using a NIC. Exclusive-IP zones have more separation which reaches down to the data-link layer. One or more data-link names, which can be a NIC or a VLAN on a NIC, are assigned to an exclusive-IP zone by the global administrator. The zone administrator can configure IP on those data-links with the same options as in the global zone.

Q: When I tried to mount a file system into a non-global zone, an error message displayed stating that the mount point was busy. Why?

A: All accesses to entries in lofs mounted file systems map to their underlying file system. Therefore, if a mount point is made available in multiple locations via lofs and it is in use in any of those locations (as a mount point, a current working directory, etc.), an attempt to mount a file system at that mount point will fail unless the overlay flag has been specified.

Q: How can I mount a filesystem into two or more different zones safely?

A: Create a directory in the global zone, and remount it into each non-global zone using lofs. This will allow reading and writing from both zones without corrupting. It's the same mechanism used by the automounter in certain cases.

Q: How can I create a zone with its own /usr or root file system (a 'whole root file system')?

A: By default a zone shares /usr and a few other directories with the global zone. If a zone needs its own separate copy of /usr, et al., you must tell zonecfg to not use the default configuration. To do this, use the "-b" option on the "create" sub-command of the zonecfg(2) command. If you do this, you must specify each existing file system that you do want to share with this new zone.

Q: How can I restrict a zone (or a few zones) to one HBA (storage connector)?

A: Each zone uses space in at least one disk partition: its root directory and several others (e.g. /etc) live there. All of these files are part of Solaris. In addition, each zone can be given access to one or more file systems and/or one or more raw disks. By planning carefully, you can configure one zone so that all of its files and devices are accessible through one HBA, and all of the storage of another zone is accessible through a different HBA.

Q: Can a non-global zone NFS-mount a file system that has been shared from its own global zone?

A: No. This may be addressed in the future. However, the filesystem can be LOFS-mounted into the local zone, and, if necessary, the global zone can export the same filesystem via NFS so that other computers can also access those files.

Q: Can a zone's root directory be on a ZFS file system?

A: Solaris 10 release: Placing a zone's root directory (i.e. its PATHNAME) on ZFS is supported starting with Solaris 10 10/08, and you can then upgrade with Live Upgrade going forward. There are still issues with placing a zone on ZFS on a release prior to Solaris 10 10/08 and then trying to upgrade.

Solaris Express release:

Q: Can a zone be an NFS server?

A: A global zone can be an NFS server. A non-global zone cannot use the Solaris NFS server features. This issue may be addressed in the future. See RFE 5102011. However, non-Solaris NFS server software (i.e. "userland" NFS server software) has been shown to work correctly in a non-global zone. Such software works because it does not run in the kernel, unlike the Solaris NFS server software which runs in the Solaris kernel.

Q: Can a zone be a DHCP server?

A: A global zone can be a DHCP server. Starting with Solaris 10 11/06, a non-global zone can be a DHCP server. This ability became more flexible with Solaris 10 8/07, which added a feature called IP Instances.

Q: Can a zone be a DNS server?

A: Yes.

Q: Can a zone be an NTP client or server?

A1: A zone can be an NTP server.

A2: The NTP client software sets the system time clock shared by all zones, including the global zone. By default, non-global zones cannot do this. However, the global zone administrator can give a zone the ability to change the system time clock with the "sys_time" privilege. Be aware that this changes the time clock for all zones.

Q: Can a zone be a NIS (aka yp), NIS+, or LDAP server?

A: Yes, yes, and yes.

Q: Can a zone provide network login via telnet, rlogin, rsh or ssh?

$% Oes6 yes6 and yes, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: !an a zone be an ftp server? $% $ Kone can "e an ftp server6 "/t it is not possi"le to /se ftpconfig?:M( to set /p a Kone to "e an anonymo's ftp server, 9his is "eca/se ftpconfig attempts to set /p certain device special files6 and a Kone does not have the necessary privileges, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: !an a zone r'n sendmail? $% Oes, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: !an " 'se @ #indo#s in a zone? $% 9here are a few different methods to /se M windows with Kones%

6. Cn the system console% at the login screen6 yo/ can choose G+emote )ostJ and enter
the hostname of the Kone, 9he M windows login screen sho/ld "e replaced with an M windows remote login screen, 0, $t the console6 logged into the glo"al Kone% yo/ can tell M to allow remote connections from the non&glo"al Kone6 telnet to that Kone6 and set the appropriate environment varia"le so that M sessions go to the glo"al Kone;s M windows session6 e,g, Gsetenv 7-SPE$O my&glo"al&KoneJ, 3, $t another system6 yo/ can login directly to the non&glo"al Kone6 and perform steps similar to the previo/s method, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: )o# can " prevent one container from cons'ming all of the !7A po#er? $% Nse the reso/rce management feat/res of Containers, 9his re./ires /sing some com"ination of the @air Share Sched/ler6 CPN caps6 assigned ?;dedicated;( CPNs6 and/or S7ynamicT +eso/rce Pools feat/res, e" Einks% *on&Dlo"al Lone Config/ration ?Cverview( @air Share Sched/ler ?Cverview( CPN Caps 7ynamic +eso/rce Pools ?Cverview( HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: What is the reso'rce gran'larity for !7A assignment to a container?

$% @air Share Sched/ler% $r"itrary, @SS g/arantees a minim'm amo/nt of CPN /tiliKation6 so it doesn;t waste CPN cycles, E!cessive CPN /se is only prevented if there is contention for CPN reso/rces, Minima are specified "y GsharesJ and enforced "y the @air Share Sched/ler, @or e!ample6 CPN share assignments co/ld "e :6 :<<<6 ===6 res/lting in /tiliKation minima of <,<5Q6 5<Q6 and ?practically speaking( 5<Q, CPN Cap% n/m"er of CPNs6 in h/ndredths of a CPN, Cne Kone can "e capped at 1,<: CPNs6 and another can "e capped at 1,<0 CPNs, 7edicated CPN% !C? range, in integer number of !C?s. $n an -:2 system, *olaris considers every !C? core to be a D!C?.E $n *C8F! !MT systems, every hardware thread is a D!C?E so a four-soc#et T0BBG has /02 D!C?s.E $n other *C8F! systems, every !C? core is a D!C?.E HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: )o# can " limit (cap) the !7A 'sage of an application? $% -n CpenSolaris6 and starting with Solaris :< 5/<>6 /se the capped&cp/ reso/rce type, -n CpenSolaris and starting with Solaris :< >/<26 yo/ can /se the dedicated&cp/ reso/rce type to a/tomatically create a temporary pool when the Kone "oots, See *on&Dlo"al Lone Config/ration ?Cverview(, $lternatively6 yo/ can create a processor set with one or more CPNs and "ind it to a reso/rce pool, 9hen create a Kone and "ind it to the same reso/rce pool, +/n the application in that Kone, 9he application will only GseeJ that set of processors, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: )o# can " limit the memory 'sed by a container? 
$% Oo/ can /se the +eso/rce Capping 7aemon ?rcapd( for all releases, -n CpenSolaris6 and starting with Solaris :< >/<26 yo/ can /se the capped&memory reso/rce to set limits for physical6 swap6 and locked memory, 7etermine val/es for this reso/rce if yo/ plan to cap memory for the Kone "y /sing rcapd from the glo"al Kone, 9he physical property of the capped&memory reso/rce is /sed "y rcapd as the ma!&rss val/e for the Kone, e" Einks% *on&Dlo"al Lone Config/ration ?Cverview( $dministering the +eso/rce Capping 7aemon HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: !an " dynamically change the -'antity of a reso'rce (!7A& memory& net#or/ band#idth) assigned to a container? $% 9o change the n/m"er of CPN shares associated with a container witho/t re&"ooting it6 /se the prctl command6 e,g, prctl &n Kone,cp/&shares &r &v ZS)$+ES Vpgrep &K ZLC*E*$ME initV

where ZS)$+ES is the new n/m"er of shares and ZLC*E*$ME is the name of the Kone, -n CpenSolaris and Solaris :< ?starting with 5/<>( similar methods can "e /sed to change the CPN cap6 +$M cap6 8M cap and shared memory cap, e" Einks% +eso/rce Controls Nsing the prctl Command @air Share Sched/ler ?Cverview( prctl?:( HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: !an s#ap space 'sage be managed? $% 9he entire swap partition is treated as a single glo"al reso/rce to processes r/nning in "oth glo"al and non&glo"al Kones, Aefore Solaris :< >/<26 yo/ co/ldn;t limit the amo/nt of swap /sed "y a Kone on a per&Kone "asis, Oo/ can glo"ally limit the siKe of the swap&"ased filesystems ?e,g, /tmp( "y /sing the GsiKeJ mo/nt option in the container;s /etc/vfsta" file6 e,g, GsiKe=0<<mJ, 9his allows yo/ to decrease the effect of many and/or large files created in /tmp, Starting with Solaris :< >/<26 yo/ can /se the capped&memory reso/rce to cap the amo/nt of virt/al memory ?8M( that a Kone /ses, 9his can also "e set dynamically with the reso/rce control Kone,ma!&swap, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: !an " limit the net#or/ band#idth 'sed by a zone? $% Oes6 /se the -P'oS feat/res in Solaris :<, Oo/ m/st manage this from the glo"al Kone for the containers, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: =o containers 'se 'p alot of !7A po#er? $% CPN overhead of containers is hardly meas/ra"le ?i,e, P:Q( for a few Kones or even doKens of Kones6 depending somewhat on the applications, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: !an the share val'e for a r'nning proBect or zone be changed? $% Oes, )ere is an e!ample% prctl &n proYect,cp/&shares &v :< &r &i proYect gro/p,staff 9he prctl /tility allows the e!amination and modification of the reso/rce controls associated with an active process6 task or proYect on the system, -t allows access to the "asic and privileged limits on the specified entity,

&n specifies the name of the reso/rce to get or set &r specifies a replace operation &v specifies the new val/e for the reso/rce &i specifies the owning process6 task or proYect of the reso/rce, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: !an " bind a zone to a pool? $% Oes6 "/t in CpenSolaris and Solaris :< >/<2 and later6 it;s m/ch easier to /se the ;dedicated&cp/s; feat/re, 9o "ind a Kone;s processes to a pool6 first create the pool6 then /se Konecfg?:M( to "ind a Kone to it,

6. Ena"le reso/rce pools on yo/r system /sing either svcadm or pooladm &e,
0, Nse pooladm &s to create the pool config/ration, 3, Nse pooladm &c to commit the config/ration at /etc/pooladm,conf, 1, Nse poolcfg &c to modify the config/ration, poolcfg &c ;create pset psetXKone ?/int pset,min = 3U /int pset,ma! = 3(; poolcfg &c ;create pool poolXKone ?string pool,sched/ler=J@SSJ(; poolcfg &c ;associate pool poolXKone ?pset psetXKone(; 5, Nse pooladm &c to commit the config/ration at /etc/pooladm,conf, See the administration g/ide, 9he command to perform the "inding6 from the glo"al Kone6 wo/ld "e% Konecfg &K Kone: set pool=poolXKone -f the Kone was r/nning6 yo/ m/st re&"oot it for the "inding to take effect6 /nless yo/ also dynamically assign the Kone to the pool HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: !an proBects(zones be reassigned to a different reso'rce pool #hile they are r'nning? $% Oes, )ere is an e!ample% pool"ind &p we"Xapp &i Koneid myKone 9he pool"ind command "inds Kones6 proYects6 tasks and processes to a pool, &p is the name of the pool to "ind &i specifies the process id6 Kone id6 task id or proYect id to "e "o/nd to the pool, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: !an yo' move processors bet#een processor sets #hile the system is r'nning?

$% Oes6 yo/ can, )ere is the command?s( yo/ wo/ld /se%

-f yo/ don;t care which CPNs yo/ move from a processor set the command wo/ld "e% poolcfg &dc Gtransfer 0 from pset pset: to pset0[ which will move any two processors from pset: to pset0 &d operate directly on the kernel state &c this signifies the command

-f yo/ want to move a specific CPN?s( here is the command% poolcfg &dc Gtransfer to pset pset0 ?CPN <6 CPN :(J which will move CPNs < and : to pset0, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: )o# can " prevent one zone from 'sing all the s#ap space by filling 'p (tmp? $% @or man/al mo/nts6 /se the option G&o siKe=sKJ where sK is the siKe limit yo/ want, Ending the siKe in ;k; means kilo"ytes6 ending it in ;m; means mega"ytes, E!ample% G&o siKe=5<<mJ, 9his option can also "e added into /etc/vfsta", @or more details6 view the man pages for mo/ntXtmpfs?:M( and vfsta"?1(, ith Solaris :< >/<26 yo/ can /se the reso/rce control6 Kone,ma!&swap, ?9he swap property of the capped&memory reso/rce is the preferred way to set this control,( $lso6 note that +@E ::220<= will give the glo"al Kone administrator the a"ility to control the amo/nt of swap space /sed "y one Kone, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: =o " need to set a loc/ed memory cap for a zone? "f so& #hat val'e sho'ld " set? $% $ locked memory cap in a Kone can "e set /sing the Konecfg capped&memory reso/rce, $pplications generally do not lock significant amo/nts of memory6 "/t yo/ might decide to set locked memory if the Kone;s applications are known to lock memory, -f the Kone administrator is less than tr/sted or if 7CS e!ploits are of concern6 yo/ can also consider setting the locked memory cap to :<Q of the system;s physical memory or to the Kone;s physical memory cap, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: What soft#are can manage zones? $% )ere are Y/st a few of the software tools some free6 some not free which will help yo/ manage Solaris Lones%

S/nMC ?S/n Management Center( DNe"Min DN- has a Solaris Lones mod/le

Mone Control DN9he Lone Manager Command Lonestat command reports on reso/rce /sage and caps

HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: )o# do " create a zone? $% @irst gather some information6 then /se the Solaris Container Manager DN- or the commands shown "elow, 9his is the simplest possi"le creation of a Kone that has network access, Oo/ will need this information ?e!ample val/es in parentheses%

6. *ame that yo/ choose for the Kone ?my&Kone(

0, )ostname that choose for the Kone ?my&Kone( 3, *ame of the directory in the glo"al Kone where all of the Kone;s operating system files will "e ?/Kones/KoneXroots/my&Kone( 1, -P address of the Kone ?:<,:,:,:( 5, *ame of the network device that the Kone sho/ld /se ?hme<( Nsing the sample information in the appropriate commands6 which will take a"o/t :< min/tes on a small system with a new installation of CpenSolaris or Solaris :<% glo"al# Konecfg &K my&Kone Konecfg%my&KoneR create Konecfg%my&KoneR set Konepath=/Kones/KoneXroots/my&Kone Konecfg%my&KoneR add net Konecfg%my&Kone%netR set address=:<,:,:,: Konecfg%my&Kone%netR set physical=hm< Konecfg%my&Kone%netR end Konecfg%my&KoneR commit Konecfg%my&KoneR e!it glo"al# Koneadm &K my&Kone install glo"al# Koneadm &K my&Kone "oot HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: )o# do " remove a zone? $% Nse these commands6 s/"stit/ting the correct names for P"racketedR te!t,

glo"al# Koneadm &K PKonenameR /ninstall glo"al# Konecfg &K PKonenameR delete HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: "s the ma2im'm n'mber of e2cl'sive-"7 zones limited to the n'mber of physical ethernet ports? $% *o6 if yo/ /se 8E$*s yo/ can have one per 8E$* per port, 9o /se the same "ase ;"ge<; for m/ltiple dhcp Kones6 in the case of 8E$*s yo/ wo/ld assign "ge:<<< to Kone$6 "ge0<<< to KoneA6 etc, 9he 8*-C component of Cross"ow allows m/ltiple virt/al *-Cs on a port witho/t any 8E$*s, Oo/ can try this o/t at Cross"ow proYect, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: 6re there any recent changes for e2cl'sive-"7 zones in 4penSolaris? $% Prior to "/ild >36 the data&link /sed with e!cl/sive&-P Kones m/st "e DE7v3, *ote that there is a patch Spatch -7 ::>222&:0T that allows the legacy ce device to "e /sed with e!cl/sive&-P Kones with "/ild ><&>0, -n CpenSolaris "/ild >3 and later6 the data&link /sed with e!cl/sive&-P Kones need not "e DE7v3 since the *emo /nification provides a way to present legacy device drivers as DE7v3 /sing a shim mod/le, )ence6 no patch to ce is necessary, Q: !an each container be a different Solaris patch level& so " can test patches in a $test% container before applying them to a $prod'ction% container? $% 9here are two parts to the answer% :( 9here is only one kernel r/nning on the system6 so all Kones m/st "e at the same patch level with respect to the kernel and core system components, S/ch patches can only "e applied from the glo"al Kone6 and they affect the glo"al and all local Kones e./ally, 9he IN is an e!ample of s/ch a patch, 0( Middleware s/ch as Bava Enterprise System can "e patched on a per&Kone "asis, -f the software can "e installed in the local Kone then it m/st "e patcha"le from the local Kone as well6 regardless of the Kone type6 whole&root or sparse&root, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: !an " move a zone from one comp'ter(domain to another? 
$% Oes, See Migrating a *on&Dlo"al Lone to a 7ifferent Machine, @or information on migrating a Solaris > or Solaris = container6 see System $dministration D/ide% Solaris > Containers and System $dministration D/ide% Solaris = Containers, Q: "s there a #ay to correlate a'dit records from m'ltiple containers? $% Oes6 the glo"al Kone sees all a/dit records, Each non&glo"al Kone only sees its own a/dit records,

HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: " created a zone and booted it& b't it doesn1t #or/0 What sho'ld " do? $% 9he most common pro"lem is that the Kone doesn;t have its system identification information yet, Oo/ can determine if this is the pro"lem "y r/nning Gps &fK J in the glo"al Kone, -f the o/tp/t only shows Ksched6 init6 and a ?3&4( processes related to SM@ ?/li"/svc/ \6 //sr/s"in/svccfg( then system identification is not complete, 9o complete this6 attach to the Kone;s console "y r/nning GKlogin &C J in the glo"al Kone6 pressing once6 and following the instr/ctions, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: !an " add pac/ages to B'st the global zone (for e2ample& SCS net!onnect)? $% Oes6 /se pgkadd &D, *ote that if the SN* XPIDX9)-SLC*E package parameter is set to tr/e6 yo/ do not have to /se the &D option HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: =o zones boot a'tomatically& or m'st " boot each one man'ally every time the system (re)boots? $% 9he Kones a/to"oot property determines whether the Kone is "ooted when the system "oots, 9he glo"al Kone adminstrator can set the a/to"oot property to Gtr/eJ or Gfalse,J 9he Kones service svc%/system/Kones%defa/lt m/st also "e ena"led, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: Sho'ld " halt a system1s zones before applying patches? $% 9here is no need to do this, -n fact6 the package and patch tools will perform their operations on all Kones that are r/nning6 as well as all Kones that are not c/rrently r/nning "/t are capa"le of "eing "ooted ?e,g, they are at least in the GinstalledJ state(, 9he r/nning Kones are operated on first6 and then for each Kone that is not r/nning "/t can "e "ooted6 the Kone is "ooted6 the operation is performed6 and the Kone is then halted, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: Where does a zone1s syslog o'tp't go? 
$% Ay defa/lt the syslog o/tp/t from a Kone goes only into the Kone;s syslog file, -f yo/ wo/ld like the o/tp/t to also appear in the glo"al Kone;s log files6 config/re the non&glo"al Kone;s loghost to "e the glo"al Kone, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: " removed a device from a zone& b't it1s still there0 Why& and ho# do " get rid of it?

$% 9his is "/g 1=4334>, 9he c/rrent ?@e" 0<<5( workaro/nd is% after /sing Konecfg to remove the device6 man/ally remove the corresponding entry in ]LC*EP$9)^/dev, -f yo/;re r/nning Solaris E!press6 this "/g is corrected in "/ilds 14 and higher, -f yo/ are r/nning Solaris :<6 this "/g is corrected in Solaris :< >/<2, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: 6re there any special g'idelines for 'sing ive Apgrade #ith zones? $% 9here are a n/m"er of considerations when /sing Eive Npgrade ?EN( on a system with Kones installed, -t is critical to avoid Kone state transitions d/ring l/create and l/mo/nt operations,

hen yo/ l/create an alternate "oot environment ?$AE(6 if a Kone is not r/nning6 then it cannot "e "ooted /ntil the l/create has completed, hen yo/ l/create an $AE6 if a Kone is r/nning6 it sho/ld not "e halted or re"ooted /ntil the l/create has completed, hen an $AE is l/mo/nted6 yo/ cannot "oot Kones or re"oot them6 altho/gh Kones that were r/nning "efore the l/mo/nt can contin/e to r/n,

Aeca/se a non&glo"al Kone can "e controlled "y a non&glo"al Kone administrator as well as the glo"al Kone administrator6 it is "est to have all Kones halted d/ring l/create or l/mo/nt, -t is important to note that when EN operations are /nderway6 non&glo"al Kone administrator involvement is critical, 9he /pgrade affects their work as administrators6 and they will "e dealing with the changes that occ/r as a res/lt of the /pgrade, 9hey sho/ld make s/re that any local packages are sta"le thro/gho/t the se./ence6 handle any post& /pgrade tasks ?s/ch as config/ration file tweaking(6 and generally sched/le aro/nd the system o/tage, )ere is an e!ample of a pro"lem that co/ld occ/r if these g/idelines are not followed, -f this se./ence of actions takes place%

6. -n glo"al Kone% l/create &n new

0, -n non&glo"al Kone% pkgadd @ooAar 3, -n glo"al Kone% l//pgrade &n new6 l/activate &n new6 init 4 hen the system comes "ack /p6 the non&glo"al Kone /sers will notice that they no longer have the @ooAar feat/re added "y the package, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: 6re Solaris *+ zones config'red on <8S prior to the Solaris *+ *+(+, release 'pgradeable 'sing ive Apgrade? $% *ot yet6 "/t it is "eing investigated, Eive Npgrade can "e /sed on Solaris :< :</<> systems that have Kones config/red with the Konepath on L@S, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH

Q: What is the defa'lt net#or/ing service config'ration of a non-global zone #hen it is installed? $% Cn Solaris :< systems6 the traditional open config/ration is installed, Cn SM systems6 the limited networking config/ration is installed, Oo/ can switch the Kone to either networking config/ration "y /sing the netservices command6 or ena"le and disa"le specific services "y /sing SM@ commands, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: )o# do " clear a h'ng non-global zone? $% +e"oot the glo"al Kone, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: !an " access one zone from another zone? $% Cnly thro/gh -P connections6 e,g, telnet6 rlogin, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: !an " 1s'1 from one zone to another? $% *o6 this wo/ld violate the sec/rity implementation of Kones, -n this conte!t6 think of Kones as separate comp/ters yo/ can;t ;s/; from one Nni! comp/ter to another, Oo/ can /se the Klogin?:( command to login to a non&glo"al Kone from the glo"al Kone, Oo/ m/st have all privileges?5( to /se Klogin, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: !an " prevent the root acco'nt in one zone from affecting other zones? $% Aeca/se each container has its own namespace6 each container has its own root acco/nt, Each Kone;s root acco/nt is /na"le to access other containers in any way, HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Q: !an programs r'nning in one zone change the operation of programs r'nning in another container? $% $ great deal of design work was done to prevent containers from affecting each other, Ay defa/lt it is very diffic/lt for one local Kone to affect another Kone6 "/t it is possi"le, -t is also easy for the glo"al Kone administer to config/re containers /nsafely, Consider these factors%

@irst6 there are no known methods for one /ser ?even root( in one local Kone to ;"reak into; another Kone ?glo"al or non&glo"al(, )owever6 a modern comp/ter has many reso/rces6 some of them real6 some virt/al, 7enial of Service attacks often attempt to /se all of the instances of a virt/al

reso/rce, Cne early attack on Nni! systems was creating so many processes that all of the P-7s were in /se6 preventing the creation of new processes, 9here are now methods to prevent those attacks6 and those methods a/tomatically apply6 or have "een applied to6 Kones, -n some cases the method of prevention incl/des the man/al /se of Solaris feat/res6 e,g, proYects, Ay defa/lt it is diffic/lt to disr/pt operation of Kones, )owever6 the glo"al Kone administrator can make it easier for a non&glo"al Kone /ser to impact operation of one or more other Kones6 even the glo"al Kone, 9ry to avoid assigning disk devices directly to non&glo"al Kones% the root /ser of that Kone might "e a"le to take advantage of this to ca/se a SCS- "/s reset or even panic the kernel, $lso6 avoid assigning the same device or file system to m/ltiple Kones /nless needed to achieve a specific goal, -f that is necessary6 ens/re that all of the software in those two Kones will o"ey a synchroniKation mechanism when /sing the device or file system,

Q: How do I prevent a 'fork bomb' from affecting all of the zones?

A: A 'fork bomb' is a process which creates (forks) as many child processes as possible, attempting to use up all of the virtual memory or PIDs in a system, resulting in a Denial of Service to other users. If you would like to prevent someone from doing this in a non-global zone, add this to a zone's configuration, using zonecfg(1M):

    add rctl
    set name=zone.max-lwps
    add value (priv=privileged,limit=1000,action=deny)
    end

That will prevent a zone's processes from having a total of more than 1000 LWPs simultaneously.

Q: Can Oracle use shared memory in a Container?

A: In Solaris, Oracle uses ISM (Intimate Shared Memory) or DISM (Dynamic ISM). DISM is preferred because it provides more flexibility. ISM can be used in a Solaris Container, for any release of Solaris 10. Because we keep improving Containers, there are slightly different answers to the question "can DISM be used," depending on the particular release of Solaris 10.
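The zone.max-lwps rctl above, the locked-memory and swap caps discussed earlier, and the caution against assigning raw disk devices directly to a zone can all be checked against a zone's own zonecfg export. The following Python script is an added example, not part of the original FAQ: it parses constructed `zonecfg -z <zone> export` output and flags a zone that lacks those safeguards (zone names, paths, addresses and limits are made up).

```python
"""Audit zonecfg(1M) export output for the DoS-related safeguards the FAQ recommends."""

# Constructed sample: export of a zone with no resource caps and a raw disk
# assigned directly (hypothetical zone name, path and device).
WEAK_ZONE_EXPORT = """\
create -b
set zonepath=/zones/zone_roots/weak-zone
set autoboot=true
add net
set address=10.1.1.2
set physical=hme0
end
add device
set match=/dev/rdsk/c1t0d0s0
end
"""

# Constructed sample: the same kind of zone after applying the FAQ's safeguards
# (zone.max-lwps rctl plus capped-memory with physical, swap and locked limits).
HARDENED_ZONE_EXPORT = """\
create -b
set zonepath=/zones/zone_roots/hard-zone
set autoboot=true
add net
set address=10.1.1.3
set physical=hme0
end
add rctl
set name=zone.max-lwps
add value (priv=privileged,limit=1000,action=deny)
end
add capped-memory
set physical=2g
set swap=4g
set locked=1g
end
"""


def parse_zonecfg_export(text):
    """Split export output into (global settings, list of resources).

    Each resource is a dict with its type under '_type' plus every 'set x=y'
    property inside it; 'add value (...)' lines of an rctl go under 'values'.
    """
    settings, resources, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("create"):
            continue
        if line.startswith("add value"):
            if current is not None:
                current.setdefault("values", []).append(line[len("add value"):].strip())
        elif line.startswith("add "):
            current = {"_type": line[4:].strip()}
        elif line == "end":
            if current is not None:
                resources.append(current)
            current = None
        elif line.startswith("set "):
            key, _, value = line[4:].partition("=")
            (settings if current is None else current)[key.strip()] = value.strip()
    return settings, resources


def audit_zone_config(text):
    """Return a list of findings; an empty list means every checked safeguard is present."""
    settings, resources = parse_zonecfg_export(text)
    rctls = {r.get("name") for r in resources if r["_type"] == "rctl"}
    caps = [r for r in resources if r["_type"] == "capped-memory"]
    findings = []
    # Fork bomb: zone.max-lwps bounds the total LWPs the zone's processes may hold.
    if "zone.max-lwps" not in rctls:
        findings.append("no zone.max-lwps rctl: a fork bomb can exhaust system LWPs/PIDs")
    # Locked memory: proc_lock_memory is in the default privilege set since 10 8/07,
    # so either capped-memory 'locked' or the older max-locked-memory should be set.
    if not any("locked" in c for c in caps) and "max-locked-memory" not in settings:
        findings.append("no locked-memory cap: zone can pin RAM the global zone needs")
    # Swap: the swap partition is shared, so cap it via capped-memory or zone.max-swap.
    if not any("swap" in c for c in caps) and "zone.max-swap" not in rctls:
        findings.append("no swap cap: zone can fill the shared swap partition via /tmp")
    # Direct device assignment: the FAQ warns this can allow a SCSI bus reset or panic.
    for dev in (r for r in resources if r["_type"] == "device"):
        findings.append("raw device assigned directly: %s" % dev.get("match", "?"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak-zone", WEAK_ZONE_EXPORT), ("hard-zone", HARDENED_ZONE_EXPORT)):
        print(name, audit_zone_config(cfg) or ["ok"])
```

On a real system the input would be the output of `zonecfg -z <zone> export` run from the global zone, one zone at a time.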

1. Solaris 10 8/07 and newer: Yes, Oracle can use DISM in a Container. Because the Solaris privilege 'proc_lock_memory' is in a zone's default set of privileges, you should limit the amount of RAM that a particular zone can lock. If you don't do this, that zone could lock down enough memory that the global zone (including platform management tools) cannot function properly. In Solaris 10 5/08 and later, you should set that limit with the following command:

    global# zonecfg -z myzone
    add capped-memory
    set locked=4g
    end
    exit

Note that common memory-size suffixes can be used: k or K (kilobytes), m or M (MB), g or G (GB), etc. See zonecfg(1M) for more details. In Solaris 10 8/07 you should set that limit with the following command:

    global# zonecfg -z myzone
    set max-locked-memory=4g
    exit

2. Solaris 10 11/06: Yes, Oracle can use DISM in a Container. To enable the use of DISM, the global zone administrator must add the privilege "proc_lock_memory" to the Container. To do this, use zonecfg(1M) to add the line

    set limitpriv=default,proc_lock_memory

to the Container's configuration.
3. Solaris 10, releases 3/05, 1/06, 6/06: A Container can only use ISM. It cannot use DISM. This is a side-effect of the implementation of the security boundary which protects zones from each other.

Q: Can I use the Solaris 10 FSS (Fair Share Scheduler) with Oracle in a Solaris Container?

A: There are currently (June 2006) two distinct concerns regarding the use of FSS in a Container when running Oracle databases:

1. In testing, Oracle processes use internal methods to prioritize themselves to improve efficiency. It is possible that these methods might not work well in conjunction with the Solaris FSS. Although there are no known problems with non-RAC configurations, Sun and Oracle are testing this type of configuration to discover any negative interactions. This testing should be completed soon.
2. It is not possible to use the Solaris FSS with Oracle RAC in a Container. A Solaris patch is being tested that fixes this problem.

Q: What are zones' strengths compared to other server virtualization solutions?

A: Solaris Zones have many strengths relative to other server virtualization solutions, including:

Cost: Zones are a feature of the operating system. There is no extra charge for using them.
Integration: Zones are integrated into the operating system, providing seamless functionality and a smooth upgrade path.
Portability: Zones are not tied to any one hardware platform. As a device-independent feature set of OpenSolaris, their functionality is exactly the same on all hardware to which OpenSolaris has been ported.
Observability: The Global Zone has visibility into all activity in all zones, including viewing process and network activity, system-wide accounting and auditing, etc. This makes it possible to find performance problems and resolve inter-zone conflicts, both of which are extremely difficult problems on most other SV solutions. It is even possible to re-host applications typically found on different systems (e.g. web server and app server) in different zones on the same system, and then use DTrace to analyze their interactions.
Manageability: You can manage all of the zones on one system as one collection, rather than as separate servers. This includes adding packages and patches once per system, not once per zone.
Sun Dynamic System Domains

Q: Are containers like VMware?

A: They are only vaguely similar. Both technologies are very useful for consolidating servers. However, the basic model is different: Containers form isolated application environments that share one OS instance, while VMware hosts multiple OS instances. The differences also include:

Containers are only available for Solaris 10 and SX Nevada. VMware supports Solaris, Microsoft Windows and Linux clients, simultaneously.
VMware uses a great deal of CPU capacity managing the multiple environments. CPU overhead of containers is hardly measurable (typically <1%) for a few zones or even dozens of zones, depending somewhat on the applications.
Containers do not have any financial cost beyond Solaris license and/or support costs. VMware for production environments costs thousands of dollars, and a license is necessary for each Windows or RH instance hosted on top of VMware.

Q) How to find the Global zone name from a local Zone?

A) From the Local Zone run the following command:

    # arp -a | grep SP