oracle solaris 10 exam 2 reference book


Exam Objectives Reference

The CX-310-202 Sun Certified System Administrator for Solaris 10 (SCSA) exam is the second of two exams required for obtaining the SCSA certification. Candidates can use this book to prepare for the SCSA Part II exam. The CX-310-202 exam tests the knowledge and skills you need to successfully install and manage a Solaris 10 system. The exam includes topics on managing virtual file systems, managing storage volumes, controlling system access, configuring naming services, and advanced installation procedures.

The following topics are general guidelines for the content likely to be included on the Sun Certified System Administrator for Solaris 10 Part II exam. The exam objectives could change at any time, so it is recommended that you visit the www.UnixEd.com website for any updates. Other related topics might also appear on any specific delivery of the exam. To better reflect the contents of the exam and for purposes of clarity, the following guidelines might change at any time without notice.

- Describe Network Basics
  - Control and monitor network interfaces including MAC addresses, IP addresses, network packets, and configure the IPv4 interfaces at boot time.
  - Explain the client-server model and enable/disable server processes.

- Manage Virtual File Systems and Core Dumps
  - Explain virtual memory concepts and given a scenario, configure, and manage swap space.
  - Manage crash dumps and core file behaviors.
  - Explain NFS fundamentals, and configure and manage the NFS server and client including daemons, files, and commands.
  - Troubleshoot various NFS errors.
  - Explain and manage AutoFS and use automount maps (master, direct, and indirect) to configure automounting.
  - Implement patch management using Sun Connection Services including the Update Manager client, the smpatch command line, and Sun Connection hosted Web application.

- Manage Storage Volumes
  - Analyze and explain RAID (0,1,5) and SVM concepts (logical volumes, soft partitions, state databases, hot spares, and hot spare pools).
  - Create the state database, build a mirror, and unmirror the root file system.
  - Describe the Solaris ZFS file system, create new ZFS pools and file systems, modify ZFS file system properties, mount and unmount ZFS file systems, destroy ZFS pools and file systems, work with ZFS snapshots and Clones, and use ZFS datasets with Solaris Zones.

- Control Access and Configure System Messaging
  - Configure role-based access control (RBAC) including assigning rights profiles, roles, and authorizations to users.
  - Analyze RBAC configuration file summaries and manage RBAC using the command line.
  - Explain syslog function fundamentals, and configure and manage the /etc/syslog.conf file and syslog messaging.

- Naming Services
  - Explain naming services (DNS, NIS, NIS+, and LDAP) and the naming service switch file (database sources, status codes, and actions).
  - Configure, stop, and start the Name Service Cache Daemon (nscd) and retrieve naming service information using the getent command.
  - Configure naming service clients during install, configure the DNS client, and set up the LDAP client (client authentication, client profiles, proxy accounts, and LDAP configurations) after installation.
  - Explain NIS and NIS security including NIS namespace information, domains, processes, securenets, and password.adjunct.
  - Configure the NIS domain: build and update NIS maps, manage the NIS master and slave server, configure the NIS client, and troubleshoot NIS for server and client failure messages.

- Perform Advanced Installation Procedures
  - Explain consolidation issues, features of Solaris zones, and decipher between the different zone concepts including zone types, daemons, networking, command scope, and given a scenario, create a Solaris zone.
  - Given a zone configuration scenario, identify zone components and zonecfg resource parameters, allocate file system space, use the zonecfg command, describe the interactive configuration of a zone, and view the zone configuration file.
  - Given a scenario, use the zoneadm command to view, install, boot, halt, reboot, and delete a zone.
  - Explain custom jumpstart configuration including the boot, identification, configuration, and installation services.
  - Configure a Jumpstart including implementing a Jumpstart server, editing the sysidcfg, rules and profile files, and establishing Jumpstart software alternatives (setup, establishing alternatives, troubleshooting, and resolving problems).
  - Explain Flash, create and manipulate the Flash archive and use it for installation.
  - Given a PXE installation scenario, identify requirements and install methods, configure both the install and DHCP server, and boot the x86 client.
  - Configure a WAN Boot Installation and perform a Live Upgrade Installation.

Exam CX-310-203 (Solaris 10 Upgrade Exam)

If you’re already certified on Solaris 2.6, 7, 8, or 9, you’ll only need to take the CX-310-203 upgrade exam to update your certification. As of this writing, here are the objectives for that exam (explained in the preceding section):

- Install software
- Manage file systems
- Perform system boot and shutdown procedures for SPARC-, x64-, and x86-based systems
- Perform user and security administration
- Perform system backups and restores
- Perform advanced installation procedures


Solaris 10 System Administration (Exam CX-310-202), Part II

Bill Calkins


Solaris 10 System Administration Exam Prep (Exam CX-310-202), Part II

Copyright © 2009 by Que Publishing

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-7897-3817-2
ISBN-10: 0-7897-3817-1

Library of Congress Cataloging-in-Publication Data:

Calkins, Bill.
Solaris 10 system administration exam prep (Exam CX-310-200) / Bill Calkins.
p. cm.
ISBN 978-0-7897-3790-8 (pbk. w/cd)
1. Electronic data processing personnel--Certification. 2. Operating systems (Computers)--Examinations--Study guides. 3. Solaris (Computer file) I. Title.
QA76.3.C34346 2008
005.4'32--dc22
2008031592

Printed in the United States of America
First Printing: May 2009

Trademarks

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Que Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer

Every effort has been made to make this book as complete and accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.

Bulk Sales

Que Publishing offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact:

U.S. Corporate and Government [email protected]

For sales outside of the U.S., please contact:

International [email protected]

Associate Publisher: David Dusthimer

Acquisitions Editor: Betsy Brown

Senior Development Editor: Christopher Cleveland

Technical Editor: John Philcox

Managing Editor: Patrick Kanouse

Project Editor: Jennifer Gallant

Copy Editor: Gayle Johnson

Indexer: Lisa Stumpf

Proofreader: Arle Writing and Editing

Publishing Coordinator: Vanessa Evans

Book Designer: Gary Adair

Page Layout: Mark Shirar


Contents at a Glance

Introduction

Study and Exam Prep Tips

Part I: Exam Preparation

CHAPTER 1 The Solaris Network Environment

CHAPTER 2 Virtual File Systems, Swap Space, and Core Dumps

CHAPTER 3 Managing Storage Volumes

CHAPTER 4 Controlling Access and Configuring System Messaging

CHAPTER 5 Naming Services

CHAPTER 6 Solaris Zones

CHAPTER 7 Advanced Installation Procedures: JumpStart, Flash Archive, and PXE

CHAPTER 8 Advanced Installation Procedures: WAN Boot and Live Upgrade

CHAPTER 9 Administering ZFS File Systems

Part II: Final Review

FF Fast Facts

PE Practice Exam

PA Answers to Practice Exam

What’s on the CD-ROM (On the Book’s Website)

Glossary (On the Book’s Website)

Index


Table of Contents

Introduction

Study and Exam Prep Tips

Part I: Exam Preparation

Chapter 1: The Solaris Network Environment

- Introduction
- Client/Server Model
  - Hosts
  - IPv4 Addressing
- Network Interfaces
  - Controlling and Monitoring an IPv4 Network Interface
  - Configuring an IPv4 Network Interface
  - Changing the System Hostname
- Network Services
  - RPC Services
- Network Maintenance
- Summary
  - Key Terms
- Apply Your Knowledge
  - Exercises
  - Exam Questions
  - Answers to Exam Questions
- Suggested Reading and Resources

Chapter 2: Virtual File Systems, Swap Space, and Core Dumps

- Introduction
- The Swap File System
  - Swap Space and TMPFS
  - Sizing Swap Space
  - Monitoring Swap Resources
  - Setting Up Swap Space
- Core File Configuration
- Crash Dump Configuration
- NFS
  - NFS Version 4
  - Servers and Clients


  - NFS Daemons
  - Setting Up NFS
  - Mounting a Remote File System
  - NFS Server Logging
  - Troubleshooting NFS Errors
- AutoFS
  - AutoFS Maps
  - When to Use automount
- Sun Update Connection Service
  - Using the Update Manager
  - Sun Update Manager Proxy
- Summary
  - Key Terms
- Apply Your Knowledge
  - Exercises
  - Exam Questions
  - Answers to Exam Questions
- Suggested Reading and Resources

Chapter 3: Managing Storage Volumes

- Introduction
- RAID
  - RAID 0
  - RAID 1
  - RAID 5
  - RAID 0+1
  - RAID 1+0
- Solaris Volume Manager (SVM)
  - SVM Volumes
  - Planning Your SVM Configuration
  - Metadisk Driver
  - SVM Commands
  - Creating the State Database
  - Monitoring the Status of the State Database
  - Creating a RAID 0 (Concatenated) Volume
  - Creating a RAID 0 (Stripe) Volume
  - Monitoring the Status of a Volume
  - Creating a Soft Partition


  - Expanding an SVM Volume
  - Creating a Mirror
  - Unmirroring a Noncritical File System
  - Placing a Submirror Offline
  - Mirroring the Root File System on a SPARC-Based System
  - Mirroring the Root File System on an x86-Based System
  - Unmirroring the Root File System
- Veritas Volume Manager
- Summary
  - Key Terms
- Apply Your Knowledge
  - Exercise
  - Exam Questions
  - Answers to Exam Questions
- Suggested Reading and Resources

Chapter 4: Controlling Access and Configuring System Messaging

- Introduction
- Role-Based Access Control (RBAC)
  - Using RBAC
  - RBAC Components
- syslog
  - Using the logger Command
- Summary
  - Key Terms
- Apply Your Knowledge
  - Exercise
  - Exam Questions
  - Answers to Exam Questions
- Suggested Reading and Resources

Chapter 5: Naming Services

- Introduction
- Name Services Overview
  - The Name Service Switch File
- /etc Files
- NIS
  - The Structure of the NIS Network
  - Determining How Many NIS Servers You Need


  - Determining Which Hosts Will Be NIS Servers
  - Information Managed by NIS
  - Planning Your NIS Domain
  - Configuring an NIS Master Server
  - Setting Up NIS Clients
  - Setting Up NIS Slave Servers
  - Creating Custom NIS Maps
  - NIS Security
  - Troubleshooting NIS
- NIS+
  - Hierarchical Namespace
  - NIS+ Security
  - Authentication
  - Authorization
- DNS
  - Configuring the DNS Client
- Lightweight Directory Access Protocol (LDAP)
  - Sun Java System Directory Server
- Name Service Cache Daemon (nscd)
- The getent Command
- Summary
  - Key Terms
- Apply Your Knowledge
  - Exercises
  - Exam Questions
  - Answers to Exam Questions
- Suggested Reading and Resources

Chapter 6: Solaris Zones

- Introduction
- Consolidation and Resource Management
  - Consolidation
- Solaris Zones
  - Types of Zones
  - Zone Features
  - Nonglobal Zone Root File System Models
  - Networking in a Zone Environment
  - Zone Daemons


Configuring a Zone
Viewing the Zone Configuration
Installing a Zone
Booting a Zone
Halting a Zone
Rebooting a Zone
Uninstalling a Zone
Deleting a Zone
Zone Login
Creating a Zone
Making Modifications to an Existing Zone
Moving a Zone
Migrating a Zone
Cloning a Zone
Backing Up a Zone

Summary
Key Terms

Apply Your Knowledge
Exercise
Exam Questions
Answers to Exam Questions

Suggested Reading and Resources

Chapter 7: Advanced Installation Procedures: JumpStart, Flash Archive, and PXE

Introduction
Custom JumpStart

Preparing for a Custom JumpStart Installation
What Happens During a Custom JumpStart Installation?
Differences Between SPARC and x86/x64-Based Systems
The Boot Server
The Install Server
The Configuration Server
The Rules File
begin and finish Scripts
Creating class Files
Testing Class Files
sysidcfg File

Setting Up JumpStart in a Name Service Environment
Setting Up Clients
Troubleshooting JumpStart
A Sample JumpStart Installation

Solaris Flash
Creating a Flash Archive
Using the Solaris Installation Program to Install a Flash Archive
Creating a Differential Flash Archive
Solaris Flash and JumpStart

Preboot Execution Environment (PXE)
Preparing for a PXE Boot Client
Booting the x86 Client

Summary
Key Terms

Apply Your Knowledge
Exercise
Exam Questions
Answers to Exam Questions

Suggested Reading and Resources

Chapter 8: Advanced Installation Procedures: WAN Boot and Live Upgrade

Introduction to WAN Boot
WAN Boot Requirements
WAN Boot Components
The WAN Boot Process
The WAN Boot Server
Configure the WAN Boot Server
Configure the WAN Boot and JumpStart Files
The wanboot.conf File
Booting the WAN Boot Client

Solaris Live Upgrade
Live Upgrade Requirements
Solaris Live Upgrade Process
Maintaining Solaris Live Upgrade Boot Environments

Summary
Key Terms

Apply Your Knowledge
Exercises
Exam Questions
Answers to Exam Questions

Suggested Reading and Resources

Chapter 9: Administering ZFS File Systems

Introduction to ZFS
ZFS Storage Pools
ZFS Is Self-Healing
Simplified Administration
ZFS Terms

ZFS Hardware and Software Requirements

ZFS RAID Configurations
Creating a Basic ZFS File System

Renaming a ZFS File System
Listing ZFS File Systems

Removing a ZFS File System
Removing a ZFS Storage Pool
ZFS Components

Using Disks in a ZFS Storage Pool
Using Files in a ZFS Storage Pool

Mirrored Storage Pools
RAID-Z Storage Pools
Displaying ZFS Storage Pool Information
Adding Devices to a ZFS Storage Pool
Attaching and Detaching Devices in a Storage Pool

Converting a Nonredundant Pool to a Mirrored Pool
Detaching a Device from a Mirrored Pool

Taking Devices in a Storage Pool Offline and Online
ZFS History
ZFS Properties

Setting ZFS Properties
Mounting ZFS File Systems

Legacy Mount Points
Sharing ZFS File Systems

ZFS Web-Based Management GUI
ZFS Snapshots

Creating a ZFS Snapshot
Listing ZFS Snapshots
Saving and Restoring a ZFS Snapshot
Destroying a ZFS Snapshot
Renaming a ZFS Snapshot
Rolling Back a ZFS Snapshot

ZFS Clones
Destroying a ZFS Clone
Replacing a ZFS File System with a ZFS Clone

zpool Scrub
Replacing Devices in a Storage Pool
A ZFS Root File System
Using ZFS for Solaris Zones

Adding a ZFS Dataset to a Nonglobal Zone
Delegating a ZFS Dataset to a Nonglobal Zone

Summary
Key Terms

Apply Your Knowledge
Exercise
Exam Questions
Answers to Exam Questions

Suggested Reading and Resources

Part II: Final Review

Fast Facts

Practice Exam

Answers to Practice Exam

What’s on the CD-ROM (On the Book’s Website)

Glossary (On the Book’s Website)

Index

About the Author

Bill Calkins is a Sun Certified System Administrator for the Solaris operating environment. He is owner and president of Pyramid Consulting, Inc., a computer training and consulting firm located near Grand Rapids, Michigan, specializing in the implementation and administration of open systems. He has more than 20 years of experience in UNIX system administration, consulting, and training at more than 150 different companies. He has authored several UNIX textbooks, which are currently best sellers and are used by universities and training organizations worldwide:

. Solaris 2.6 Administrator Certification Training Guide, Part I (New Riders Publishing, ISBN 157870085X)

. Solaris 2.6 Administrator Certification Training Guide, Part II (New Riders Publishing, ISBN 1578700868)

. Solaris 7 Administrator Certification Training Guide, Part I and Part II (New Riders Publishing, ISBN 1578702496)

. Solaris 8 Training Guide (CX-310-011 and CX-310-012): System Administrator Certification (New Riders Publishing, ISBN 1578702593)

. Inside Solaris 9 (New Riders Publishing, ISBN 0735711011)

. Solaris 9 Training Guide (CX-310-014 and CX-310-015): System Administrator Certification (New Riders Publishing, ISBN: 0789729229)

. Solaris 10 System Administration Exam Prep (Que, ISBN 0-7897-3461-3)

. Solaris 10 System Administration Exam Prep, Part I (Que, ISBN 0-7897-3790-6)

Calkins has worked with Sun Press and Prentice Hall as a technical editor and a major contributor to many of their Solaris titles. His professional interests include consulting, writing, teaching, traveling, and developing web-based training materials.

He works as a consultant with the certification group at Sun Microsystems and assists with the development of the Solaris 10 SCSA, SCNA, and SCSECA certification exams. He also consults with Sun Microsystems Professional Services and assists in the development of Solaris training and testing materials for the education division at Sun Microsystems.

Calkins also works as an instructor in government, corporate, and university settings. He has helped thousands of administrators get their certification. Recently he was recognized by the United States Central Command (CENTCOM) as the “technical trainer of choice for the joint war-fighting community.”

His experience covers all varieties of UNIX, including Solaris, HP-UX, AIX, IRIX, and Linux. When he’s not working in the field, he writes UNIX books and conducts training and educational seminars on various system administration topics. He draws on his many years of experience in system administration and training to provide a unique approach to UNIX training.

Acknowledgments

I’d like to thank John Philcox of Mobile Ventures Limited, who once again has helped me get this book together. As always, John, you’ve done a great job. You’ve been a great asset and have become a good friend to have along on all of my books and projects. I want to thank all the editors who have contributed to this book; I value your input greatly. With each book, our tech editors get more refined, and their work is a huge contribution to the quality of this book. It’s been a great team effort, and the book would not be as complete without your help.

Thank you, the reader, for buying my books and providing comments to improve the content with each new release. This book would not be what it is if it were not for your valuable input over the years. May the material in this book help you better your skills, enhance your career, and achieve your goal to become certified. Best of luck!

A lot of people behind the scenes make a book like this happen. After several books, I still don’t have a clue how it all works, but it’s a great team effort. A big thanks to everyone who edits the text, lays out the pages, and ships the book. My efforts would be lost in a closet somewhere if it weren’t for your hard work.

We Want to Hear from You!

As the reader of this book, you are our most important critic and commentator. We value your opinion, and we want to know what we’re doing right, what we could do better, what areas you’d like to see us publish in, and any other words of wisdom you’re willing to pass our way.

As an associate publisher for Que Publishing, I welcome your comments. You can email or write me directly to let me know what you did or didn’t like about this book, as well as what we can do to make our books better.

Please note that I cannot help you with technical problems related to the topic of this book. We do have a User Services group, however, where I will forward specific technical questions related to the book.

When you write, please be sure to include this book’s title and author as well as your name, email address, and phone number. I will carefully review your comments and share them with the author and editors who worked on the book.

Email: [email protected]

Mail: Dave Dusthimer
Associate Publisher
Que Publishing
800 East 96th Street
Indianapolis, IN 46240 USA

Reader Services

Visit our website and register this book at www.quepublishing.com/register for convenient access to any updates, downloads, or errata that might be available for this book.

Introduction

Bill Calkins has been training Solaris system administrators for more than 15 years. This book contains the training material that he uses in his basic and advanced Solaris administration courses that, over the years, have helped thousands of Solaris administrators become certified. This is our second edition of the Solaris 10 System Administration Exam Prep. It covers updates that Sun has made to the Solaris 10 operating environment as of the October 2008 release. It began with the Training Guide for Solaris 2.6, 7, 8, and 9 and is now the Exam Prep for Solaris 10. Instructors from universities and training organizations around the world have used the book as courseware in their Solaris administration courses. In addition, administrators from around the world have used this book for self-study when instruction from a Sun training center is either unavailable or not within their budget. Many of you have written with your success stories, suggestions, and comments. Your suggestions are what keep making this guide more valuable.

The Solaris 10 System Administration Exam Prep books, Parts I and II, provide training materials for anyone interested in becoming a Sun Certified System Administrator (SCSA) for Solaris 10. When used as a study guide, these two books will save you a great deal of time and effort searching for information you will need to know when taking the exam. Each book covers the exam objectives in enough detail for inexperienced administrators to learn the objectives and apply the knowledge to real-life scenarios. Experienced readers will find the material in these books complete and concise, making it a valuable study guide for the Sun Certified System Administrator exams.

This book is not a cheat sheet or cram session for the exam; it is a training manual. In other words, it does not merely give answers to the questions you will be asked on the exam. We have made certain that this book addresses the exam objectives in detail, from start to finish. If you are unsure about the objectives on the exams, this book teaches you what you need to know. After reading each chapter, assess your knowledge of the material covered using the review questions at the end of the chapter. When you have completed reading a section, use the practice exam at the end of the book and the ExamGear test engine on the CD-ROM to assess your knowledge of the objectives covered on each exam. This CD-ROM contains sample questions similar to what you are likely to see on the real exams. More sample questions are available at http://www.UnixEd.com, so make sure you visit this site to find additional training and study materials.

How This Book Helps You

This book teaches you advanced topics in administering the Solaris 10 operating system. It offers you a self-guided training course of all the areas covered on the CX-310-202 certification exam by installing, configuring, and administering the Solaris 10 operating environment. You will learn the specific skills that are required to administer a system and, specifically, to pass the second part of the Sun Certified System Administrator exam for Solaris 10 (CX-310-202). If you are an experienced administrator who is upgrading an existing Solaris certification, you’ll find in-depth coverage of the new topics you need to learn for the CX-310-203 upgrade exam in both the SCSA Solaris 10 OS CX-310-200 and CX-310-202 Exam Prep books.

Throughout the book, we provide helpful tips and real-world examples that we have encountered as system administrators. In addition, we provide useful, real-world exercises to help you practice the material you have learned. This book is set up as follows:

. Organization: This book is organized according to individual exam objectives. Every objective you need to know to install, configure, and administer a Solaris 10 system is in this book. We have attempted to present the objectives in an order that is as close as possible to that listed by Sun. However, we have not hesitated to reorganize them as needed to make the material as easy as possible for you to learn. We have also attempted to make the information accessible in the following ways:

. This book includes the full list of exam topics and objectives.

. Read the “Study and Exam Prep Tips” element early on to help develop study strategies. This element provides you with valuable exam-day tips and information on exam/question formats such as adaptive tests and case study-based questions.

. Each chapter begins with a list of the objectives to be covered, exactly as they are defined by Sun. Throughout each section, material that is directly related to the exam objectives is identified.

. Each chapter also begins with an outline that provides you with an overview of the material and the page numbers where particular topics can be found.

. Instructional features: This book is designed to provide you with multiple ways to learn and reinforce the exam material. The following are some of the helpful methods:

. Objective explanations: As mentioned, each chapter begins with a list of the objectives covered in the chapter.

. Study strategies: The beginning of each chapter also includes strategies for studying and retaining the material in the chapter, particularly as it is addressed on the exam.

. Exam Alerts: Throughout each chapter you’ll find exam tips that will help you prepare for exam day. These tips were written by those who have already taken the Solaris 10 certification exams.

. Key Terms: A list of key terms appears near the end of each chapter.

. Notes: These contain various types of useful information, such as tips on technology or administrative practices, historical background on terms and technologies, or side commentary on industry issues.

. Cautions: When you use sophisticated information technology, mistakes or even catastrophes are always possible because of improper application of the technology. Cautions alert you to such potential problems.

. Step By Steps: These are hands-on lab exercises that walk you through a particular task or function relevant to the exam objectives.

. Exercises: Found near the end of the chapters, exercises are performance-based opportunities for you to learn and assess your knowledge.

. Suggested Reading and Resources: At the end of each chapter is a list of additional resources that you can use if you are interested in going beyond the objectives and learning more about the topics presented in the chapter.

. Extensive practice test options: The book provides numerous opportunities for you to assess your knowledge and practice for the exam. The practice options include the following:

. Exam questions: Each chapter ends with questions. They allow you to quickly assess your comprehension of what you just read in the chapter. Answers to the questions are provided in a separate element titled “Answers to Exam Questions.”

. Practice exam: A practice exam is included in Part II, “Final Review,” for each exam (as discussed in a moment).

. ExamGear: The ExamGear software included on the CD-ROM provides further practice questions.

NOTE

ExamGear software: For a complete description of the ExamGear test engine, see Appendix A, “What’s on the CD-ROM.”

. Final Review: This part of the book provides you with three valuable tools for preparing for the exam:

. Fast Facts: This condensed version of the information contained in the book will prove extremely useful for last-minute review.

. Practice Exam: A full practice exam is included, with questions written in styles similar to those used on the actual exam. Use the practice exam to assess your readiness for the real exam.

. Answers to Practice Exam: This element provides the answers to the full practice exam, with detailed explanations. These should help you assess your strengths and weaknesses.

. Appendixes: The book contains valuable appendixes as well, including a glossary and a description of what is on the CD-ROM (Appendix A).

These and all the other book features mentioned previously will enable you to thoroughly prepare for the exam.

Conventions Used in This Book

. Commands: In the steps and examples, the commands you type are displayed in a special monospace font.

. Arguments, options, and <cr>: In command syntax, command options and arguments are enclosed in < >. The words within the < > stand for what you will actually type. You don’t type the < >. The <cr> that follows the command means to press Enter. You don’t type the <cr>.

lp -d<printer name> <filename> <cr>

. Using the mouse: When using menus and windows, you select items with the mouse. Here is the default mapping for a three-button mouse:

Left button: Select

Middle button: Transfer/adjust

Right button: Menu

You use the Select button to select objects and activate controls. The middle mouse button is configured for either Transfer or Adjust. By default, it is set up for Transfer, which means that you use this button to drag or drop list or text items. You use the left mouse button to highlight text, and then you use the middle button to move the text to another window or to reissue a command. The middle button can also be used to move windows around on the screen. You use the right mouse button, the Menu button, to display and choose options from pop-up menus.

. Menu options: The names of menus and the options that appear on them are separated by a comma. For example, “Select File, Open” means to pull down the File menu and choose the Open option.

. Code continuation character: When a line of code is too long to fit on one line of the book, it is broken and continued to the next line. The continuation is preceded by a backslash.

Audience

This book is the second book in a series designed for anyone who has a basic understanding of UNIX and wants to learn more about Solaris system administration. Whether or not you plan to become certified, the Solaris 10 System Administration Exam Prep books, Part I and Part II, are the starting point to becoming a Solaris System Administrator. It’s the same training material that the author uses in his Solaris 10 Intermediate and Advanced System Administration courses. This book covers advanced system administration topics you need to know before you begin administering the Solaris operating system. Our goal is to present the material in an easy-to-follow format, with text that is easy to read and understand. The only prerequisite is that you have read my Solaris 10 System Administration Exam Prep Part I book.

This book is intended for experienced system administrators who want to become certified, update their current Solaris certification, or simply learn about the features of the Solaris 10 operating environment. To pass the CX-310-202 and CX-310-203 certification exams, you need a solid understanding of the fundamentals of administering Solaris 10. This book helps you review the fundamentals required to pass the certification exam.

The Sun Certified System Administrator Exams

To become a Sun Certified System Administrator, you need to pass two exams: CX-310-200 (Part I) and CX-310-202 (Part II). This book covers the material on the Part II exam. You must pass the CX-310-200 exam before taking the CX-310-202 exam. You will not receive a certificate until you have passed both examinations. Also, if you are already certified in Solaris 2.6, 7, 8, or 9, you need to know the material covered in this book as well as in Solaris 10 System Administration Exam Prep: CX-310-200 Part I to take the upgrade exam, CX-310-203, to become certified on Solaris 10.

Beware of fakes. We have seen some websites promoting their own certification programs, so be sure to evaluate them carefully. Certification programs promoted by these sites are not the same as the Sun certification program. You will not receive a certificate from Sun until you pass Sun’s exams from a certified Sun testing center. Go to my website (www.UnixEd.com) for links to the real exams and information on Sun’s certification program if you are in doubt. In addition, feel free to visit our online Solaris certification discussion forum at www.UnixEd.com, where you can ask me questions directly.


Summary

It’s not uncommon for Sun to change the exam objectives or to shift them around after the exams have been published. We highly recommend that before you begin reading this book, you visit my website at www.UnixEd.com to get the most up-to-date list of exam objectives, the errata for this book, up-to-date sample exam questions, and any other last-minute notes about these exams. We will provide all the information you need to pass the exam—all you need to do is devote the time. Learning the objectives is the first step; the next step is to practice. You need access to both SPARC and x86/x64-based systems running Solaris 10 so that you can practice what you have learned. Unless you have a supernatural memory, it’s difficult to pass the exams without practice.

In the back of this book is the ExamGear software test CD that will prepare you for the questions you might see on the exam. The CD-ROM-based test engine was designed by educational experts to help you learn as you test. It is a preview of the types of questions to expect on the exams and tests your knowledge of all the exam objectives. If you are weak in any area, the sample questions will help you identify that area so that you can go back to the appropriate chapter and study the topic. Each question on the CD-ROM has a flash card to help you in case you get stuck. This flash card contains brief, concise textbook excerpts that explain why each answer is correct so that you can learn as you test.

Also, for an additional cost, you can purchase more questions for the ExamGear test engine from our website. You’ll receive hundreds of questions that will take you deep into each exam objective. This will give you a comprehensive skills assessment and help you evaluate your readiness and retention of the materials.

Advice on Taking the Exam

More extensive tips are found in the “Study and Exam Prep Tips” element and throughout the book, but keep in mind the following advice as you study for the exam:

. Read all the material. This book includes information not reflected in the exam objectives to better prepare you for the exam and for real-world experiences. Read all the material to benefit from this.

. Do the step-by-step lab exercises and complete the exercises in each chapter. This will help you gain experience and prepare you for the scenario-type questions that you will encounter.

. Use the questions to assess your knowledge. Each chapter contains review questions and exam questions. Use these to assess your knowledge and determine where you need to review material.


. Review the exam objectives. Develop your own questions and examples for each topic listed. If you can develop and answer several questions for each topic, you should not find it difficult to pass the exam.

. Relax and sleep before taking the exam. The time for taking the examination is limited. However, if you have prepared and you know Solaris network administration, you will have plenty of time to answer all the questions. Be sure to sleep well the night before the exam because of the stress that the time limitations put on you.

. Review all the material in the “Fast Facts” element the night before or the morning you take the exam.

. If you don’t know the answer to a question, just skip it and don’t waste time. You need to complete the exam in the time allotted. Don’t be lazy during the examination; answer all the questions as quickly as possible. Any unfinished questions will be marked incorrect.

. Visit my website, www.UnixEd.com. It contains the following:

  . Late-breaking changes that Sun might make to the exam or the objectives. You can expect Sun to change the exams frequently. Make sure you check my website before taking the exam.

  . A FAQs page with frequently asked questions and errata regarding this book or the exams.

  . Links to other informative websites.

  . Additional practice questions and sample exams for the ExamGear test engine. The ExamGear test engine has hundreds of questions that you can use to further assess your retention of the material presented in the book. The exams feature electronic flash cards that take the place of those sticky notes that you’ve used as bookmarks throughout the book. Don’t attempt the real exam until you can pass every section of the practice exams with a 95% or better score.

  . An online forum where you can discuss certification-related issues with me and other system administrators, including some who have already taken the exam.

  . Additional study materials, training programs, and online seminars related to Solaris certification.

  . You can also email me directly from this website with questions or comments about this book. I always try to answer each one.

When you feel confident, take the real exams and become certified. Don’t forget to drop me an email and let me know how you did on the exam ([email protected]).


Study and Exam Prep Tips

These study and exam prep tips provide you with some general guidelines to help you prepare for the Sun Certified Security Administrator exam. The information is organized into two sections. The first section addresses your pre-exam preparation activities and covers general study tips. The second section offers some tips and hints for the actual test-taking situation. Before tackling those areas, however, think a little bit about how you learn.

Learning as a Process

To better understand the nature of preparing for the exams, it is important to understand learning as a process. You probably know how you best learn new material. You might find that outlining works best for you, or you might need to “see” things as a visual learner. Whatever your learning style, test preparation takes place over time. Obviously, you cannot start studying for this exam the night before you take it. It is important to understand that learning is a developmental process; as part of that process, you need to focus on what you know and what you have yet to learn.

Learning takes place when we match new information to old. You have some previous experience with computers, and now you are preparing for this certification exam. Using this book, software, and supplementary material will not just add incrementally to what you know. As you study, you will actually change the organization of your knowledge as you integrate this new information into your existing knowledge base. This will lead you to a more comprehensive understanding of the tasks and concepts outlined in the objectives and of computing in general. Again, this happens as a repetitive process rather than a singular event. Keep this model of learning in mind as you prepare for the exam, and you will make better decisions concerning what to study and how much more studying you need to do.

Study Tips

There are many ways to approach studying, just as there are many different types of material to study. The following tips, however, should work well for the type of material covered on the certification exam.


Study Strategies

Although individuals vary in how they learn, some basic principles apply to everyone. You should adopt some study strategies that take advantage of these principles. One of these principles is that learning can be broken into various depths. Recognition (of terms, for example) exemplifies a more surface level of learning in which you rely on a prompt of some sort to elicit recall. Comprehension or understanding (of the concepts behind the terms, for example) represents a deeper level of learning. The ability to analyze a concept and apply your understanding of it in a new way represents an even deeper level of learning.

Your learning strategy should enable you to know the material at a level or two deeper than mere recognition. This will help you do well on the exam. You will know the material so thoroughly that you can easily handle the recognition-level types of questions used in multiple-choice testing. You also will be able to apply your knowledge to solve new problems.

Macro and Micro Study Strategies

One strategy that can lead to this deeper learning includes preparing an outline that covers all the exam objectives. You should delve a bit further into the material and include a level or two of detail beyond the stated exam objectives. Then expand the outline by coming up with a statement of definition or a summary for each point in the outline.

An outline provides two approaches to studying. First, you can study the outline by focusing on the organization of the material. Work your way through the points and subpoints of your outline, with the goal of learning how they relate to one another. Be certain, for example, that you understand how each of the objective areas is similar to and different from the others. Next, you can work through the outline, focusing on learning the details. Memorize and understand terms and their definitions, facts, rules and strategies, advantages and disadvantages, and so on. In this pass through the outline, attempt to learn detail rather than the big picture (the organizational information that you worked on in the first pass through the outline).

Research has shown that attempting to assimilate both types of information at the same time seems to interfere with the overall learning process. To better perform on the exam, separate your studying into these two approaches.

Active Study Strategies

Develop and exercise an active study strategy. Write down and define objectives, terms, facts, and definitions. In human information-processing terms, writing forces you to engage in more active encoding of the information. Just reading over it exemplifies more passive processing.

Next, determine whether you can apply the information you have learned by attempting to create examples and scenarios on your own. Think about how or where you could apply the concepts you are learning. Again, write down this information to process the facts and concepts in a more active fashion.


Commonsense Strategies

Finally, you also should follow commonsense practices when studying. Study when you are alert, reduce or eliminate distractions, take breaks when you become fatigued, and so on.

Pretesting Yourself

Pretesting enables you to assess how well you are learning. One of the most important aspects of learning is what has been called metalearning. Metalearning has to do with realizing when you know something well or when you need to study some more. In other words, you recognize how well or how poorly you have learned the material you are studying.

For most people, this can be difficult to assess objectively on their own. Practice tests are useful because they reveal more objectively what you have learned and what you have not learned. You should use this information to guide review and further study. Developmental learning takes place as you cycle through studying, assessing how well you have learned, reviewing, and assessing again until you think you are ready to take the exam.

You might have noticed the practice exam included in this book. Use it as part of the learning process. The ExamGear software on the CD-ROM also provides a variety of ways to test yourself before you take the actual exam. By using the practice exam, you can take a timed practice test that is quite similar to the actual Solaris exam. Set a goal for your pretesting. A reasonable goal would be to score consistently in the 95% range in all categories.

For a more detailed description of the exam simulation software, see Appendix A, “What’s on the CD-ROM.”

Exam Prep Tips

The Solaris certification exam reflects the knowledge domains established by Sun Microsystems for Solaris OS administrators. The exam is based on a fixed set of exam questions. The individual questions are presented in random order during a test session. If you take the same exam more than once, you will see the same number of questions, but you won’t necessarily see the same questions.

Solaris exams are similar in terms of content coverage, number of questions, and allotted time, but the questions differ. You might notice, however, that some of the same questions appear on, or rather are shared among, different final forms. When questions are shared among multiple final forms of an exam, the percentage of sharing generally is small.

You must complete the CX-310-200 exam before proceeding to the second exam—CX-310-202. You will not receive a certificate until you have successfully passed both exams.

Solaris exams also have a fixed time limit in which you must complete the exam.


Finally, the score you achieve on a fixed-form exam is based on the number of questions you answer correctly. The exam’s passing score is the same for all final forms of a given fixed-form exam.

Table 1 shows the exam’s format.

Table 1 Time, Number of Questions, and Passing Score for the Exam

Exam | Time Limit in Minutes | Number of Questions | Passing %
Sun Certified System Administrator for the Solaris 10 Operating System: Part II | 105 | 60 | 63

Question types on the exam are multiple choice and drag-and-drop. As of this writing, there are no true/false or free-response-type questions.

Remember not to dwell on any one question for too long. Your 105 minutes of exam time can be consumed very quickly, and any unfinished questions are marked as incorrect.

You receive one point for each correctly answered question. Many of the multiple-choice questions are scenarios that have more than one correct answer. The question tells you how many answers to select; however, if you get even one answer wrong, the entire question is marked wrong, and you do not receive a point.

When you finish the exam, you receive the results, with a report outlining your score for each section of the exam. You do not know which questions you answered correctly or incorrectly.

If you fail, you’ll need to purchase another voucher and retake the exam after a two-week waiting period. Every exam contains different questions.

If you feel that you were scored unfairly, you can request a review by sending an email to [email protected]. For other information related to the SCSA exams, refer to Sun Microsystems’ FAQ at www.sun.com/training/certification/faq/index.html.

Putting It All Together

Given all these different pieces of information, the task now is to assemble a set of tips that will help you successfully tackle the Solaris certification exam.

More Pre-Exam Prep Tips

Generic exam-preparation advice is always useful. Here are some tips:

. The certification exams are directed toward experienced Solaris system administrators—typically those who have 6 to 12 months of actual job experience. Although the Sun training courses can help you prepare, some of the material found on the exam is not taught in the Sun training courses; however, every topic on the exam is covered in this book. To pass the exam, you need to retain everything presented in this book. To help you assess your skills, I’ve created the ExamGear test engine, which you will use to assess your retention of the materials. In addition, you can purchase hundreds of additional ExamGear test questions from www.UnixEd.com to assess your knowledge of the material. I don’t recommend taking the Sun certification exams until you consistently pass these practice exams with a 95% or higher in all categories.

. Become familiar with general terminology, commands, and equipment. Hands-on experience is one of the keys to success; it is difficult, but not impossible, to pass the exam without that experience. Review the chapter-specific study tips at the beginning of each chapter for instructions on how to best prepare for the exam.

. Avoid using “brain dumps” available from various websites and newsgroups. Your exam may not match that particular user’s exam, and you’ll obtain a false sense of readiness. In addition, brain dumps do not prepare you for the scenario-type questions you will see on the exam, and they may be illegal. You need to know the objectives, and there is no shortcut for learning the material. Sun goes through a 13-step process to develop these exams and to prevent cheating. You cannot pass these exams without understanding the material. Besides, what good is the certification if you don’t know the material? You’ll never get through the job interview screening.

. Review the current exam-preparation guide on the Sun website. Visit my website, www.UnixEd.com, for late-breaking changes and up-to-date study tips from other administrators who have taken the exam. Use the forum to talk to others who have taken the exam.

. Memorize foundational technical detail, but remember that you need to be able to think your way through questions as well.

. Take any of the available practice tests that assess your knowledge against the stated exam objectives—not the practice exams that cheat and promise to show you actual exam questions and answers. Sun knows that these exams and brain dumps are available. Sun changes the questions too often for these types of practice exams to be useful. Too many users have written me to say that they thought they were prepared because they passed the exam simulators, only to find that the questions and answers were different on the actual exam. I recommend the practice exams included in this book and the exams available using the ExamGear software on the CD-ROM. These are true skill assessment exams with flash cards to help you learn and retain information while taking the exams. The test engine on this CD is designed to complement the material in this book and help you prepare for the real exam by helping you learn and assess your retention of the materials. If you know the material, you can handle any scenario-based question thrown at you. For more sample test questions, you can visit my website, www.UnixEd.com. I keep the questions up to date and relevant to the objectives. In addition, through our Solaris Certification online forum, you can share your experiences with other Solaris administrators who are preparing for the exam, just like you, and learn from those who have gone through the process. In addition, this website provides up-to-date links to the official Sun certification websites.

During the Exam Session

The following generic exam-taking advice that you have heard for years applies when you take this exam:

. Take a deep breath and try to relax when you first sit down for your exam session. It is important to control the pressure you might (naturally) feel when taking exams.

. You will be provided scratch paper. Take a moment to write down any factual information and technical details you committed to short-term memory.

. Many questions are scenarios that require careful reading of all the information and instruction screens. These displays have been put together to give you information relevant to the exam you are taking.

. Read the exam questions carefully. Reread each question to identify all relevant details. You may find that all answers are correct, but you may be asked to choose the best answer for that particular scenario.

. Tackle the questions in the order they are presented. Skipping around will not build your confidence; the clock is always counting down.

. Do not rush, but also do not linger on difficult questions. The questions vary in degree of difficulty. Don’t get flustered by a particularly difficult or verbose question.

. Note the time allotted and the number of questions on the exam you are taking. Make a rough calculation of how many minutes you can spend on each question, and use this to pace yourself through the exam.

. Take advantage of the fact that you can return to and review skipped or previously answered questions. Record the questions you cannot answer confidently, noting the relative difficulty of each question, on the scratch paper provided. After you have made it to the end of the exam, return to the more difficult questions.

. If session time remains after you have completed all the questions (and if you aren’t too fatigued!), review your answers. Pay particular attention to questions that seem to have a lot of detail or that involve graphics.

. As for changing your answers, the general rule of thumb is don’t! If you read the question carefully and completely the first time and you felt like you knew the right answer, you probably did. Do not second-guess yourself. As you check your answers, if one clearly stands out as incorrectly marked, change it. If you are at all unsure, however, go with your first instinct.

If you have done your studying and you follow the preceding suggestions, you should do well. Good luck!


PART I

Exam Preparation

Chapter 1 The Solaris Network Environment

Chapter 2 Virtual File Systems, Swap Space, and Core Dumps

Chapter 3 Managing Storage Volumes

Chapter 4 Controlling Access and Configuring System Messaging

Chapter 5 Naming Services

Chapter 6 Solaris Zones

Chapter 7 Advanced Installation Procedures: JumpStart, Flash Archive, and PXE

Chapter 8 Advanced Installation Procedures: WAN Boot and Live Upgrade

Chapter 9 Administering ZFS File Systems


Chapter 1: The Solaris Network Environment

Objectives

The following test objectives for Exam CX-310-202 are covered in this chapter:

Control and monitor network interfaces including MAC addresses, IP addresses, network packets, and configure the IPv4 interfaces at boot time.

. This chapter describes the files that are used to configure IPv4 network interfaces, how to start and stop these network interfaces, and how to test whether the interfaces are working correctly. It also discusses two methods of changing the system hostname: editing a number of system files and using the sys-unconfig command.

Explain the client/server model; enable/disable server processes.

. The network services are started and managed by the Service Management Facility (SMF). This chapter describes how to manage network services as well as adding new ones to be managed by SMF. It also describes how the client/server model functions in the Solaris 10 environment.


Outline

Introduction

Client/Server Model

Hosts

IPv4 Addressing

Planning for IPv4 Addressing

Network Interfaces

Controlling and Monitoring an IPv4 Network Interface

Configuring an IPv4 Network Interface

The /lib/svc/method/net-physical File

The /etc/hostname.<interface> File

The /etc/inet/hosts File

Changing the System Hostname

Network Services

RPC Services

Network Maintenance

Summary

Key Terms

Apply Your Knowledge

Exercises

Exam Questions

Answers to Exam Questions

Suggested Reading and Resources


Study Strategies

The following study strategies will help you prepare for the test:

. As you study this chapter, it’s important that you practice using each command that is presented on a Solaris system. Practice is very important on these topics, and you should practice until you can repeat the procedure from memory.

. You should understand each command in this chapter and be prepared to match the command to the correct description.

. You should know all the terms listed in the “Key Terms” section near the end of this chapter. You should pay special attention to the section on network services, which has changed with the introduction of Solaris 10, and know how to convert services to use the Service Management Facility (SMF). You should be prepared to match each term presented in this chapter with the correct definition.


Introduction

This chapter covers the basics of the Solaris network environment. It does not go into too much detail because Sun provides a separate certification track for Solaris network administrators, but it does provide you with the fundamental information you need to get started managing a Solaris system in a networked environment. The topics discussed here include an overview of the client/server model, information on setting up IPv4 network interfaces, managing network services, and configuring the services that are started automatically at boot time.

Client/Server Model

Objective

. Explain the client/server model.

The client/server model describes the communication process between computers or programs. When the client makes a service request to the server, the server fulfils that request. Although a system can be both a server and a client, the model is more widely used across a network.

Typical examples of client/server relationships are with DNS and NFS. Both of these topics are described later in this book.

A client is a host or process that uses services from another host or program. A client can also provide services to other client applications.

A server can provide and manage many different services for the client. It is a host or process that provides services to a client. For example, it may provide disk space, windowing, or web services to a client. The later section “RPC Services” describes specifically how the server responds to a client’s request for services.

Hosts

If you are an experienced UNIX/Solaris user, you are no doubt familiar with the term host, which is often used as a synonym for computer or machine. A server and client are both hosts on the network, and each has a hostname. From a TCP/IP perspective, only two types of entities exist on a network: routers and hosts. When a host initiates communication, it is called a sending host, or sender. For example, a host initiates communications when the user uses ping or sends an email message to another user. The host that is the target of the communication is called the receiving host, or recipient.


Each host has an Internet address and a hardware address that identify it to its peers on the network, and usually a hostname. These are described in Table 1.1.

Table 1.1 Host Information

Identity | Description
Hostname | Every system on the network usually has a unique hostname. Hostnames let users refer to any computer on the network by using a short, easily remembered name rather than the host’s network IP address.
Internet address | Each machine on a TCP/IP network has a 32-bit Internet address (or IP address) that identifies the machine to its peers on the network. This address must be unique on the network.
Hardware address | Each host on a network has a unique Ethernet address, also referred to as the media access control (MAC) address. The manufacturer physically assigns this address to the machine’s network interface card(s). This address is unique worldwide—not just for the network to which it is connected.

IPv4 Addressing

In IPv4, each host on a TCP/IP network has a 32-bit network address—called the IP address—that must be unique for each host on the network. If the host will participate on the Internet, this address must also be unique to the Internet. For this reason, IP addresses are assigned by special organizations known as regional Internet registries (RIRs). The IPv4 address space is the responsibility of Internet Corporation for Assigned Names and Numbers (ICANN, www.icann.org). The overall responsibility for IP addresses, including the responsibility for allocation of IP ranges, belongs to the Internet Assigned Numbers Authority (IANA, www.iana.org).

An IPv4 address is a sequence of 4 bytes and is written in the form of four decimal integers separated by periods (for example, 10.11.12.13). Each integer is 8 bits long and ranges from 0 to 255. An IPv4 address consists of two parts: a network ID, which is assigned by an RIR, and a host ID, which is assigned by the local administrator. The first integer of the address (10.0.0.0) determines the address type and is referred to as its class. Five classes of IPv4 addresses exist: A, B, C, D, and E.

NOTE: IPv6. Due to limited address space and other considerations of the IPv4 scheme, a revised IP protocol is gradually being made available. The protocol, named IPv6, has been designed to overcome the major limitations of the current approach. IPv6 is compatible with IPv4, but IPv6 makes it possible to assign many more unique Internet addresses and offers support for improved security and performance.


Planning for IPv4 Addressing

The first step in planning for IPv4 addressing on a network is to determine how many IP addresses you need and whether the network will be connected to the Internet. If the network won’t be connected to the Internet, you could choose addresses in the 10.x.x.x, or 172.16.x.x to 172.31.x.x, or 192.168.x.x range. For networks that will be connected to the Internet—and hence visible to the rest of the world—you need to obtain legal IP addresses. This is necessary because each host on a network must have a unique IP address.

NOTE: Be careful with IP addresses. You should not arbitrarily assign network numbers to a network, even if you do not plan to attach your network to other existing TCP/IP networks. As your network grows, you might decide to connect it to other networks. Changing IP addresses at that time can be a great deal of work and can cause downtime. Instead, you might want to use the specially reserved IPv4 networks 192.168.x.x, or 172.16.x.x to 172.31.x.x, or 10.x.x.x for networks that are not connected to the Internet.
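The planning rule above can be checked mechanically before addresses are handed out. The following is an added example, not code from the book: it reports the class of an address from its first integer and flags every planned host that falls outside the three reserved ranges. The function names (ipv4_scope, audit_plan, sample_plan), the host names and the plan file layout are assumptions made for illustration, the class boundaries are the standard classful ones, and the script needs a POSIX shell (on Solaris 10, /usr/xpg4/bin/sh or ksh rather than the legacy /bin/sh).

```shell
#!/bin/sh
# Added example (not from the book): audit a planned address list against the
# reserved IPv4 ranges 10.x.x.x, 172.16.x.x-172.31.x.x and 192.168.x.x.

# ipv4_scope ADDR
# Prints "<class> <scope>", scope being private, loopback, special or public.
# Prints "invalid" and returns 1 unless ADDR is four decimal integers 0-255.
ipv4_scope() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                     # split the address on its periods
    IFS=$old_ifs
    if [ $# -ne 4 ]; then echo invalid; return 1; fi
    for octet in "$@"; do
        case $octet in
            # More than three digits, or a leading zero (some resolvers
            # read a leading zero as octal, so the value is ambiguous).
            ????*|0?*) echo invalid; return 1 ;;
        esac
        if [ "$octet" -gt 255 ]; then echo invalid; return 1; fi
    done
    a=$1
    b=$2
    # The first integer determines the class.
    if   [ "$a" -le 127 ]; then class=A
    elif [ "$a" -le 191 ]; then class=B
    elif [ "$a" -le 223 ]; then class=C
    elif [ "$a" -le 239 ]; then class=D
    else class=E
    fi
    if [ "$a" -eq 10 ] ||
       { [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; } ||
       { [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; }; then
        scope=private
    elif [ "$a" -eq 127 ]; then scope=loopback
    elif [ "$a" -eq 0 ] || [ "$a" -ge 224 ]; then scope=special
    else scope=public
    fi
    echo "$class $scope"
}

# audit_plan: read "hostname address" lines on stdin and print every entry
# that is NOT in a reserved private range, with the reason.
audit_plan() {
    while read -r host addr _rest; do
        case $host in ''|'#'*) continue ;; esac
        result=$(ipv4_scope "$addr") || result=invalid
        case $result in
            *' private') ;;
            *) echo "$host $addr $result" ;;
        esac
    done
    return 0
}

# Constructed sample plan (host names and addresses are made up).
sample_plan() {
    cat <<'EOF'
# hostname  address
sparc1      192.168.1.106
sparc2      10.11.12.13
dbhost      172.32.0.5
webhost     172.16.4.9
gateway     192.169.1.1
badhost     192.168.1.256
EOF
}

sample_plan | audit_plan
```

Entries reported as public need registered addresses before the network is connected to the Internet; 172.32.0.5 and 192.169.1.1 are the typical near misses, one integer outside the reserved ranges.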

Network InterfacesA Sun system normally contains at least one network interface, to allow it to participate in anetwork environment. When you add a network interface to a system, a number of files needto be configured in order to create the connection between the hardware and the softwareaddress assigned to the interface. The following sections describe how to monitor, control,and configure an IPv4 network interface.

Controlling and Monitoring an IPv4 NetworkInterface

Objective

. Control and monitor network interfaces including MAC addresses, IP addresses, network packets, and configure the IPv4 interfaces at boot time.

As root, you can use the ifconfig -a command to display both the system’s IP and MAC addresses, as in this example:

# ifconfig -a<cr>
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.106 netmask ffffff00 broadcast 192.168.1.255
        ether 0:3:ba:1f:85:7b


You can also retrieve the MAC address from a system by using the banner command at the OpenBoot prompt:

ok banner<cr>
Sun Fire V120 (UltraSPARC-IIe 548MHz), No Keyboard
OpenBoot 4.0, 1024 MB memory installed, Serial #52397435.
Ethernet address 0:3:ba:1f:85:7b, Host ID: 831f857b.

NOTE: Displaying a MAC address. If you enter the /sbin/ifconfig -a command as a nonprivileged user, the MAC address is not displayed. To display the MAC address, the root user must enter the ifconfig -a command.

You can mark an Ethernet interface as up or down by using the ifconfig command. Marking an interface as up allows it to communicate with other systems on the network. For example, to mark the eri0 interface as down, you use the following command:

# ifconfig eri0 down<cr>
# ifconfig -a<cr>
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.106 netmask ffffff00 broadcast 192.168.1.255
        ether 0:3:ba:1f:85:7b

Notice that the up flag is no longer present for the eri0 interface and also that the value of flags has changed to 1000842.

To mark the interface as up, you use the following command:

# ifconfig eri0 up<cr>
# ifconfig -a<cr>
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.106 netmask ffffff00 broadcast 192.168.1.255
        ether 0:3:ba:1f:85:7b

To determine whether another system can be contacted over the network, you use the ping command:

# ping sunfire1<cr>


If host sunfire1 is up, this message is displayed:

sunfire1 is alive


The message indicates that sunfire1 responded to the request and can be contacted. However, if sunfire1 is down or cannot receive the request (perhaps the network interface has been configured as down), you receive the following response:

no answer from sunfire1

In order for a ping request to be successful, the following conditions must be met:

. The interface must be plumbed. This is automatically carried out at boot time by the script /lib/svc/method/net-physical, as discussed in the section “Configuring an IPv4 Network Interface,” later in this chapter.

. The interface must be configured. An address must be assigned to a network interface; this is carried out initially when you install the Solaris operating environment. Configuring the interface is discussed in the section “Configuring an IPv4 Network Interface.”

. The interface must be up. The network interface can communicate only when it is marked as up. This is done via the ifconfig command.

. The interface must be physically connected. The network interface must be connected to the network, using the appropriate cable.

. The interface must have valid routes configured. The routing provides the directions to the destination computer when each computer exists on a different network. This is an advanced networking topic that is not covered on the exam, but it is included here for completeness. A separate Solaris certification exam, “Solaris Network Administrator,” deals with routing in detail.

You can also use the /usr/sbin/snoop command to capture and inspect network packets to observe network communication between systems. For example, to view data transmissions between systemA and system, use the following command:

# snoop systemA system<cr>

NOTE: Names to addresses. The ping command that returns sunfire1 is alive assumes that the host sunfire1 can be resolved either through an entry in the /etc/hosts file or by using DNS. If you do not know the hostname, you can use the ping command with the IP address instead of the hostname.


The system responds with one line of output for each packet on the network:

192.168.1.27 -> sunfire1 TELNET C port=64311
sunfire1 -> 192.168.1.27 TELNET R port=64311 Using device /dev/eri

The snoop command can be run only by the root user. snoop continues to display information until you press Ctrl+C to stop it. Table 1.2 lists some of the more common options used with the snoop command.

EXAM ALERT: Although snoop is more of a networking topic, you should be familiar with its options, because you will see questions on the exam related to the functionality of these options.

Table 1.2 snoop Options

Option            Description
-a                Listens to packets on /dev/audio. This option enables audible clicks, which can notify you of any network traffic.
-v                Detailed verbose mode. Prints packet headers with lots of detail. More than one line is printed for each packet.
-V                Verbose summary mode. The output is less than what is displayed with the -v option.
-o <filename>     Saves the captured packets to a file.
-i <filename>     Displays packets that were previously captured in a file rather than from the network interface.
-d <devicename>   Receives packets from the network using the interface specified by <devicename>.
-q                The packet count is not displayed.

Expressions can also be supplied to the snoop command to filter the information. The following example uses the snoop command to enable audible clicks and to display only DHCP traffic:

# snoop -a dhcp<cr>

The system displays the following:

Using device /dev/eri (promiscuous mode)
192.168.1.250 -> BROADCAST DHCP/BOOTP DHCPDISCOVER
192.168.1.250 -> BROADCAST DHCP/BOOTP DHCPDISCOVER
192.168.1.250 -> BROADCAST DHCP/BOOTP DHCPOFFER


Configuring an IPv4 Network Interface

When you install the Solaris operating environment, you configure a network interface as part of the installation program. You can configure additional interfaces at system boot time, or you can modify the original interface by having an understanding of only three files:

. /lib/svc/method/net-physical

. /etc/hostname.<interface>

. /etc/inet/hosts

Each of these is discussed in the following sections.

The /lib/svc/method/net-physical File

The svc:/network/physical:default service calls the /lib/svc/method/net-physical method script. It is one of the startup scripts that runs each time you boot the system. The /lib/svc/method/net-physical method script uses the ifconfig utility to configure each network interface that has an IP address assigned to it by searching for files named hostname.<interface> in the /etc directory. An example of such a file is /etc/hostname.eri0, which refers to the configuration file for the first eri network interface. (Interface numbering starts with 0, not 1. Hence, eri1 would be the second eri interface on the system.)

For each hostname.<interface> file, the script runs the ifconfig command with the plumb option. This enables the kernel to communicate with the named network interface and sets up the streams needed by IP to use the device.


NOTE: A new startup script. The file /lib/svc/method/net-physical is new in the Solaris 10 operating environment. If you’re familiar with releases prior to Solaris 10, you’ll recognize that this script performs the same functions as the file /etc/rcS.d/S30network.sh in previous releases, but it is now part of the Service Management Facility (SMF).

The /etc/hostname.<interface> File

The /etc/hostname.<interface> file defines the network interfaces on the local host. At least one /etc/hostname.<interface> file should exist on the local machine. The Solaris installation program creates this file for you. In the filename, <interface> is replaced by the device name of the primary network interface.

This file contains only one entry: the hostname or IP address associated with the network interface. For example, suppose eri0 is the primary network interface for a machine called system1. The file would be called /etc/hostname.eri0, and the file would contain the entry system1.


The /etc/inet/hosts File

The hosts database contains details of the machines on your network. This file contains the hostnames and IP addresses of the primary network interface and any other network addresses the machine must know about. You can use the /etc/inet/hosts file with other hosts databases, such as DNS, LDAP, NIS, and NIS+. When a user enters a command such as ping xena, the system needs to know how to get to the host named xena. The /etc/inet/hosts file provides a cross-reference to look up and find xena’s network IP address. For compatibility with Berkeley Software Distribution (BSD)-based UNIX operating systems, the file /etc/hosts is a symbolic link to /etc/inet/hosts.

Each line in the /etc/inet/hosts file uses the following format:

<address> <hostname> <nickname> [#comment]

Each field in this syntax is described in Table 1.3.

Table 1.3 The /etc/inet/hosts File Format

Field          Description
<address>      The IPv4 address for each interface the local host must know about.
<hostname>     The hostname assigned to the machine at setup and the hostnames assigned to additional network interfaces that the local host must know about.
<nickname>     An optional field that contains a nickname or an alias for the host. More than one nickname can exist.
[# comment]    An optional field in which you can include a comment.

When you run the Solaris installation program on a system, it sets up the initial /etc/inet/hosts file. This file contains the minimum entries that the local host requires: its loopback address, its IP address, and its hostname.

For example, the Solaris installation program might create the following entries in the /etc/inet/hosts file for a system called xena:

127.0.0.1      localhost              #loopback address
192.9.200.3    xena       loghost     #hostname

In the /etc/inet/hosts file for the machine xena, the IP address 127.0.0.1 is the loopback address, the reserved network interface used by the local machine to allow interprocess communication so that it sends packets to itself. The operating system, through the ifconfig command, uses the loopback address for configuration and testing. Every machine on a TCP/IP network must have an entry for the localhost and must use the IP address 127.0.0.1.

The following Step By Step demonstrates how to configure a network interface from the command line. In this exercise, we’ll configure the primary network interface (eri0) to achieve connectivity with other systems on the network. The hostname is set to Achilles, with an IP address of 192.168.0.111 and a network mask of 255.255.255.0, and the interface is made operational as well.

STEP BY STEP 1.1 Configuring an IPv4 Network Interface

1. Take the network interface down using the ifconfig command:

# ifconfig eri0 down<cr>

Display the current network interface configuration using the ifconfig command and make sure the interface is down:

# ifconfig -a<cr>
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.30 netmask ffffff00 broadcast 192.168.1.255
        ether 0:3:ba:1f:85:7b

2. Edit the file /etc/inet/hosts and add the following entry:

192.168.0.111 achilles

3. Edit the file /etc/hostname.eri0 to contain the following entry:

achilles

4. Edit the file /etc/inet/netmasks and add the following entry:

192.168.0.0 255.255.255.0

5. The preconfiguration of the interface is now complete. We can now use the ifconfig command to initialize the interface and make it operational:

# ifconfig eri0 achilles netmask + broadcast + up<cr>

6. Verify that the interface is now operational and correctly configured using the ifconfig -a command:

# ifconfig -a<cr>
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.0.111 netmask ffffff00 broadcast 192.168.0.255
        ether 0:3:ba:1f:85:7b
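Step 5 passes + for both netmask and broadcast, so ifconfig takes the mask from /etc/inet/netmasks and derives the broadcast address from it. The script below is an added example, not from the book: it does the same arithmetic by hand on a constructed netmasks-format file, including a subnetted network. The function names and the most-specific-match rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: work out the netmask and broadcast address for an IPv4
# address from a file in /etc/inet/netmasks format (<network> <netmask>).
# Assumption: when several entries contain the address, the one with the
# longest mask wins. This is a simplification, not ifconfig's own code.

NETMASKS=$(mktemp)                 # constructed sample, not a real system file
trap 'rm -f "$NETMASKS"' EXIT
cat > "$NETMASKS" <<'EOF'
# network-number   netmask
192.168.0.0        255.255.255.0
172.16.0.0         255.255.0.0
172.16.5.128       255.255.255.192
EOF

# ip2int <dotted-quad>: print the address as a 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the four octets on "."
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip <integer>: print a 32-bit integer as a dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# lookup_mask <ip> <file>: print the netmask of the most specific entry whose
# network contains <ip>; return 1 if no entry matches
lookup_mask() {
    lm_ip=$(ip2int "$1"); lm_best=""; lm_best_int=-1
    while read -r lm_net lm_mask lm_rest; do
        case $lm_net in ''|'#'*) continue ;; esac     # skip blanks and comments
        lm_m=$(ip2int "$lm_mask")
        if [ $(( $lm_ip & $lm_m )) -eq "$(ip2int "$lm_net")" ] &&
           [ "$lm_m" -gt "$lm_best_int" ]; then
            lm_best=$lm_mask; lm_best_int=$lm_m
        fi
    done < "$2"
    [ -n "$lm_best" ] || return 1
    echo "$lm_best"
}

# broadcast_for <ip> <file>: network bits kept, host bits all set to one
broadcast_for() {
    bf_mask=$(lookup_mask "$1" "$2") || return 1
    bf_ip=$(ip2int "$1"); bf_m=$(ip2int "$bf_mask")
    int2ip $(( ($bf_ip & $bf_m) | (~$bf_m & 4294967295) ))
}

# 192.168.0.111 is the address from Step By Step 1.1; the others are constructed.
for addr in 192.168.0.111 172.16.5.130 172.16.9.1; do
    echo "$addr netmask $(lookup_mask "$addr" "$NETMASKS")" \
         "broadcast $(broadcast_for "$addr" "$NETMASKS")"
done
```

For 192.168.0.111 the result matches the broadcast value in the step 6 output; the 172.16.5.130 case shows why a wrong or missing subnet entry in the netmasks file yields a wrong broadcast address.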


Changing the System Hostname

The system hostname can be changed temporarily or permanently. Use the hostname command with an argument to temporarily change the hostname. For example, the following command changes the system hostname to zeus:

# hostname zeus<cr>

Verify the hostname by typing the hostname command with no argument:

# hostname<cr>

The system responds with the current hostname:

zeus

When the system is rebooted, the system changes back to its original hostname.

There are two methods available for permanently changing the system hostname: The first is to edit the necessary files manually and reboot the system, as described here.

Beginning with Solaris 10 08/07, the system’s hostname is contained within three files on a Solaris system. It is necessary to modify all these files in order to successfully change the hostname of a system manually. These files need to be changed:

. /etc/nodename: This file contains the local source for a system name. In other words, it contains the system’s hostname. The only information contained within this file is the name of the system (for example, sunfire1). This is the location where the system hostname is set. You can change the hostname by running the command uname -S and supplying a new hostname, but if you do so, the change does not persist across reboots. The command uname -n, which prints the system’s node name, looks in this file for the information.

. /etc/hostname.<interface>: This file defines the network interfaces on the local host and is discussed earlier in this chapter, in the section “The /etc/hostname.<interface> File.”

EXAM ALERT: Use the plus (+). Using the + option to the ifconfig command causes a lookup in the /etc/inet/netmasks file to determine the correct values, based on the network mask value that has been inserted for the relevant network. You must make sure the /etc/inet/netmasks file is accurate for this to work correctly. You can always specify the full values to the ifconfig command, but it requires that the broadcast address is calculated manually, which can be difficult when subnetworks are used.


. /etc/inet/hosts: The hosts file contains details of the machines on your network and is discussed earlier in this chapter, in the section “The /etc/inet/hosts File.”

Having changed the contents of the files just listed, the system needs to be rebooted to implement the new hostname.

Before Solaris 10 08/07, you also needed to modify the /etc/inet/ipnodes file when changing the system hostname. This file contained details of the machines on your network and included both IPv4 and IPv6 addresses. Since Solaris 10 08/07, it is not necessary to maintain IPv4 entries in both the /etc/inet/hosts and /etc/inet/ipnodes files. For backward compatibility, the /etc/inet/ipnodes file is replaced with a symbolic link of the same name to /etc/inet/hosts.

The second method for changing the hostname is to use the sys-unconfig command. The result of running this command is the removal of the system identification details, similar to when you initiate a Solaris 10 installation.

When the command completes, the system automatically shuts down. To complete the process, boot the system. You are presented with a number of configuration questions, such as hostname, IP address, subnet mask, default router, time zone, naming service configuration, and the root password—all very similar to when you perform an initial installation of the Solaris 10 Operating Environment.

Table 1.4 lists other network-related files that are worth noting but that are not required for configuring the network interface.

Table 1.4 Miscellaneous Network Configuration Files

File                  Description
/etc/defaultdomain    This file contains one entry: the fully qualified domain name of the administrative domain to which the local host’s network belongs. Without an entry in this file, the sendmail service displays the following message on the console:
                      sunfire console login: Mar 10 18:54:29 sunfire sendmail[530]: My unqualified host name (sunfire) unknown; sleeping for retry
/etc/defaultrouter    This file can contain an entry for each router that is directly connected to the network. The entry should be the name of the network interface that functions as a router between networks. The presence of the /etc/defaultrouter file indicates that the system is configured to support static routing. When hostnames are used as entries in this file, corresponding hostnames need to be present in the /etc/inet/hosts file. This is because no name service is running when the /etc/defaultrouter file is read at boot time.
/etc/inet/netmasks    You need to edit this file only if you have set up subnetting on your network. The netmasks database consists of a list of networks and their associated subnet masks.
/etc/inet/ipnodes     Although this file had a role in previous versions of Solaris 10, /etc/inet/ipnodes is no longer functional in releases after Solaris 10 11/06. It is now simply a link pointing to the /etc/inet/hosts file.

Network Services

Objective

. Enable/disable server processes.

In previous releases of Solaris, the inetd network daemon was responsible for running network services on demand and was configured by editing the file, /etc/inetd.conf. As of Solaris 10, this has all changed. The services that were previously configured using this file are now configured and managed by the Service Management Facility (SMF). This topic is described fully in Chapter 3 of the Solaris 10 System Administration Exam Prep, Part I book. A new command, inetadm, is used to carry out the management of these network services.

The default /etc/inetd.conf file now contains only a few entries, unlike in previous versions of Solaris where all the network services were listed. The /etc/inetd.conf file may still be used as a mechanism for adding new (third-party additional software) services, but in order to make use of these services, they must be converted to run under SMF. This is carried out using the inetconv command. When you run this command with no options, it automatically reads the /etc/inetd.conf file and converts any entries to services that can run under SMF. The inetd daemon can no longer be run manually from the command line, nor can it be instructed to re-read its configuration file, as in previous releases of Solaris. Changes or modifications to the configuration of network services are done using the inetadm or svccfg commands.

NOTE: The /etc/inetd.conf file. You might need to make an entry in the /etc/inetd.conf file. For example, you might have a service that you want to have automatically started by the inetd daemon. Make the entry in /etc/inetd.conf, but make sure that you refresh the inetd daemon after making changes to its configuration file. The following command instructs inetd to reread its configuration data:

svcadm refresh inetd<cr>

If you attempt to run inetd manually, outside of SMF, you receive an error message.


To see the network services being managed by SMF, enter the inetadm command with no options:

# inetadm<cr>
ENABLED   STATE          FMRI
enabled   online         svc:/network/rpc/gss:default
enabled   online         svc:/network/rpc/mdcomm:default
enabled   online         svc:/network/rpc/meta:default
enabled   online         svc:/network/rpc/metamed:default
enabled   online         svc:/network/rpc/metamh:default
disabled  disabled       svc:/network/rpc/rex:default
enabled   online         svc:/network/rpc/rstat:default
enabled   online         svc:/network/rpc/rusers:default
disabled  disabled       svc:/network/rpc/spray:default
disabled  disabled       svc:/network/rpc/wall:default
disabled  disabled       svc:/network/tname:default
enabled   online         svc:/network/security/ktkt_warn:default
enabled   online         svc:/network/telnet:default
enabled   online         svc:/network/nfs/rquota:default
disabled  disabled       svc:/network/chargen:dgram
disabled  disabled       svc:/network/chargen:stream
disabled  disabled       svc:/network/daytime:dgram
disabled  disabled       svc:/network/daytime:stream
disabled  disabled       svc:/network/discard:dgram
disabled  disabled       svc:/network/discard:stream
disabled  disabled       svc:/network/echo:dgram
disabled  disabled       svc:/network/echo:stream
disabled  disabled       svc:/network/time:dgram
disabled  disabled       svc:/network/time:stream
enabled   online         svc:/network/ftp:default
disabled  disabled       svc:/network/comsat:default
enabled   online         svc:/network/finger:default
disabled  disabled       svc:/network/login:eklogin
disabled  disabled       svc:/network/login:klogin
enabled   online         svc:/network/login:rlogin
disabled  disabled       svc:/network/rexec:default
enabled   online         svc:/network/shell:default
disabled  disabled       svc:/network/shell:kshell
disabled  disabled       svc:/network/talk:default
enabled   online         svc:/application/font/stfsloader:default
enabled   online         svc:/application/x11/xfs:default
enabled   online         svc:/network/rpc/smserver:default
disabled  disabled       svc:/network/rpc/ocfserv:default
enabled   offline        svc:/application/print/rfc1179:default
disabled  disabled       svc:/platform/sun4u/dcs:default
disabled  disabled       svc:/network/uucp:default
disabled  disabled       svc:/network/security/krb5_prop:default
disabled  disabled       svc:/network/apocd/udp:default
enabled   online         svc:/network/rpc-100235_1/rpc_ticotsord:default
enabled   online         svc:/network/rpc-100083_1/rpc_tcp:default
enabled   online         svc:/network/rpc-100068_2-5/rpc_udp:default
enabled   online         svc:/network/tftp/udp6:default

The preceding code shows, for example, that the spray service is in the disabled state. To enable this service, use the inetadm command with the -e option:

# inetadm -e spray<cr>

Now you can see that the service has been enabled and is available for use:

# inetadm | grep spray<cr>
enabled   online         svc:/network/rpc/spray:default

To disable the spray service, use the inetadm command with the -d option:

# inetadm -d spray<cr>

Check again to verify that the service is now disabled:

# inetadm | grep spray<cr>
disabled  disabled       svc:/network/rpc/spray:default

NOTE: Other commands work too. You are not limited to the inetadm command to view and control legacy network services. The svcs -a command can also be used to view the status, and the svcadm command can control legacy network services as well.

You can also use the svcadm command to disable network services. For example, you could disable spray by typing svcadm disable svc:/network/rpc/spray:default.
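The inetadm listing above shows telnet, ftp, finger, rlogin and shell enabled alongside many disabled services. As an added example (not from the book), the script below reads inetadm-style output and reports only the enabled services that appear on a watch list, which is a quick way to decide what to pass to inetadm -d. The watch list, the function names and the sample input (a subset of the listing above) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report enabled inetd-managed services that match a watch list.
# WATCH is an assumption (cleartext login/transfer and r-command services);
# adjust it to local policy. An entry is either a service name ("telnet")
# or name:instance ("login:rlogin").
WATCH='telnet ftp finger login:rlogin shell:default rexec tftp'

# On Solaris 10 set AWK=nawk (or /usr/xpg4/bin/awk); the -v option is needed.
AWK=${AWK:-awk}

# Constructed sample: a subset of the inetadm listing shown above.
sample_inetadm() {
cat <<'EOF'
ENABLED   STATE          FMRI
enabled   online         svc:/network/telnet:default
disabled  disabled       svc:/network/rpc/spray:default
enabled   online         svc:/network/ftp:default
enabled   online         svc:/network/finger:default
disabled  disabled       svc:/network/login:klogin
enabled   online         svc:/network/login:rlogin
disabled  disabled       svc:/network/rexec:default
enabled   online         svc:/network/shell:default
disabled  disabled       svc:/network/shell:kshell
enabled   offline        svc:/application/print/rfc1179:default
enabled   online         svc:/network/tftp/udp6:default
EOF
}

# audit_inetadm: read inetadm output on stdin and print "<state> <fmri>"
# for every enabled service whose FMRI matches a WATCH entry.
audit_inetadm() {
    "$AWK" -v watch="$WATCH" '
        BEGIN { n = split(watch, w, " ") }
        $1 != "enabled" { next }          # drops the header and disabled rows
        {
            fmri = $3
            for (i = 1; i <= n; i++) {
                s = "/" w[i]
                tail = substr(fmri, length(fmri) - length(s) + 1)
                # match a whole path component: /name: , /name/ , or .../name:instance
                if (index(fmri, s ":") || index(fmri, s "/") || tail == s) {
                    print $2, fmri
                    break
                }
            }
        }'
}

# Run against the sample; on a live system use:  inetadm | audit_inetadm
sample_inetadm | audit_inetadm
```

Matching on whole path components keeps ftp from matching tftp and shell:default from matching shell:kshell.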

You can also list the properties and values of a selected network service using the -l option to the inetadm command. The following code lists the properties of the spray service:

# inetadm -l spray<cr>
SCOPE    NAME=VALUE
         name="sprayd"
         endpoint_type="tli"
         proto="datagram_v"
         isrpc=TRUE
         rpc_low_version=1
         rpc_high_version=1
         wait=TRUE
         exec="/usr/lib/netsvc/spray/rpc.sprayd"
         user="root"
default  bind_addr=""
default  bind_fail_max=-1
default  bind_fail_interval=-1
default  max_con_rate=-1
default  max_copies=-1
default  con_rate_offline=-1
default  failrate_cnt=40
default  failrate_interval=60
default  inherit_env=TRUE
default  tcp_trace=FALSE
default  tcp_wrappers=FALSE

Each network service uses a port that represents an address space and is reserved for that service. Systems communicate with each other through these ports. Well-known ports are listed in the /etc/services file, which is a symbolic link to /etc/inet/services. The following are a few entries from the /etc/services file:

chargen         19/tcp          ttytst source
chargen         19/udp          ttytst source
ftp-data        20/tcp
ftp             21/tcp

From these entries, you can see that the chargen service uses port 19 and uses both TCP and UDP protocols. It also has aliases assigned.

Each network service uses a well-known port number that is used by all the hosts on the network. Keeping track of these ports can be difficult, especially on a network that supports several network services.

RPC Services


EXAM ALERT: You’ll see several questions related to RPC services on the exam. Make sure that you understand the two types of RPC services and how the client interacts with the server when requesting RPC services. This section summarizes the information you need to know for the exam.

Solaris utilizes a client/server model known as remote procedure calls (RPC). With an RPC service, a client connects to a special server process, rpcbind, which is a “well-known service.” When you boot the Solaris 10 OS, the /lib/svc/method/rpc-bind startup script initializes the rpcbind service. The port number used by the rpcbind daemon is listed in the /etc/inet/services file. After the system starts up, the rpcbind daemon starts listening at port 111.


RPC services are services developed using a set of utilities developed by Sun Microsystems, Inc. The developer assigns them a unique program number when they are written; typically they are not assigned to well-known ports. There are two types of RPC services:

. Services that start by default at system boot time (such as mountd)

. Services that do not start automatically at boot and must start on demand (such as sprayd)

RPC services that are started at bootup are started via their individual startup scripts. An example of an RPC service is the mountd daemon, which is started automatically by the svc:/network/nfs/server service. RPC services are started on available ports above 32768.

Some RPC services are started on demand. When a client requests a service, the rpcbind process returns the port number of the requested service to the client. The client then generates a new request using the port number it just received for the requested service. Here’s how the process takes place:

1. The rpcbind daemon is started via its startup script. The sprayd service is listed in the /etc/rpc file. It registers its current port assignment and program number with the rpcbind process during boot.

2. A user on a remote system, sysA (the client), issues a spray command to sysB (the server). The spray request is initially addressed to port 111 and contains the program number of the sprayd service. When a remote system (client) makes an RPC call to a given program number on a server, it must first contact the rpcbind service on the server to obtain the port address. The client must do this before it can send the RPC requests.

3. The rpcbind daemon on sysB reads the program number and determines that the request is for the sprayd service. The rpcbind daemon returns the current port number of the sprayd service to sysA.

4. sysA sends a second request to the port number of the sprayd service on sysB. The inetd daemon receives the request.

5. This rpc.sprayd daemon takes over the spray session’s communication.

rpcbind registers port numbers associated with each RPC service listed in the /etc/rpc file. The rpcbind process receives all RPC-based client application connection requests and sends the client the appropriate server port number. For example, mountd is listed in the /etc/rpc file as follows:

mountd 100005 mount showmount


The mountd daemon has a program number of 100005 and is also known as mount and showmount.

You use the rpcinfo utility with the -p option to list registered RPC programs running on a system. For example, you can check on processes on another system like this:

# rpcinfo -p 192.168.1.21<cr>

The system responds with a list of all the registered RPC services found running on that system:

program vers proto   port  service
 100005    1   udp  32784  mountd

The output displays the program number, version, protocol, port, and service name. One of them in this example is the mountd service.

You can also use rpcinfo to unregister an RPC program. When you use rpcinfo with the -d option, you can delete registration for a service. For example, if sprayd is running on the local system, you can unregister and disable it:

# rpcinfo -d sprayd 1<cr>

The sprayd service would be unregistered from RPC. You could restart the sprayd service by issuing a restart command using the svcadm command:

# svcadm restart spray<cr>

This causes the spray service to restart and automatically re-register the RPC program associated with the spray service.
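The two-request lookup in steps 1 to 4, and what rpcinfo -d changes, can be followed with a toy registry. The script below is an added example, not rpcbind or code from the book: the registry is a text file, the function names are hypothetical, the sprayd port is a constructed value, and the sprayd line uses the standard /etc/rpc program number 100012. A port of 0 stands for "not registered", as in the portmapper GETPORT call.

```shell
#!/bin/sh
# Added example: a toy model of the rpcbind registry (not rpcbind itself).
AWK=${AWK:-awk}   # on Solaris 10 use nawk or /usr/xpg4/bin/awk

REG=$(mktemp)     # registry lines: <program> <version> <proto> <port>
RPCDB=$(mktemp)   # constructed sample in /etc/rpc format: <name> <number> [aliases]
trap 'rm -f "$REG" "$RPCDB" "$REG.tmp"' EXIT
cat > "$RPCDB" <<'EOF'
mountd   100005  mount showmount
sprayd   100012  spray
EOF

# prog_number <name-or-alias>: resolve a name through the /etc/rpc-format file
prog_number() {
    "$AWK" -v want="$1" '
        /^#/ || NF < 2 { next }
        { for (i = 1; i <= NF; i++) if (i != 2 && $i == want) { print $2; exit } }
    ' "$RPCDB"
}

# rpc_set <program> <version> <proto> <port>: a service registering (step 1)
rpc_set() { echo "$1 $2 $3 $4" >> "$REG"; }

# rpc_unset <program> <version>: the effect of "rpcinfo -d <program> <version>"
rpc_unset() {
    "$AWK" -v p="$1" -v v="$2" '!($1 == p && $2 == v)' "$REG" > "$REG.tmp"
    mv "$REG.tmp" "$REG"
}

# rpc_getport <program> <version> <proto>: the answer given on port 111 (step 3)
rpc_getport() {
    "$AWK" -v p="$1" -v v="$2" -v t="$3" '
        $1 == p && $2 == v && $3 == t { print $4; found = 1; exit }
        END { if (!found) print 0 }
    ' "$REG"
}

# client_call <service> <version> <proto>: steps 2 to 4 seen from the client
client_call() {
    cc_prog=$(prog_number "$1")
    [ -n "$cc_prog" ] || { echo "unknown program $1"; return 2; }
    cc_port=$(rpc_getport "$cc_prog" "$2" "$3")     # first request, to port 111
    [ "$cc_port" -ne 0 ] || { echo "program $cc_prog not registered"; return 1; }
    echo "send call to port $cc_port"               # second request, to the service
}

rpc_set 100005 1 udp 32784            # mountd, as in the rpcinfo -p output above
rpc_set 100012 1 udp 32790            # sprayd; the port is a constructed value
client_call spray 1 udp || true       # lookup succeeds
rpc_unset "$(prog_number sprayd)" 1   # models: rpcinfo -d sprayd 1
client_call spray 1 udp || true       # lookup now fails until sprayd re-registers
```

After the unset, clients cannot locate sprayd through port 111 even though nothing else about the service changed, which is why the restart that re-registers it is needed.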

Network Maintenance

Solaris provides several network commands that you can use to check and troubleshoot a network:

. ping: ping stands for packet Internet groper. As described earlier in this chapter, the ping command sends an ICMP packet to another host to test its network status. The remote system sends an ICMP packet back to the originating host if the ping command succeeds. If no packet is received from the remote system, it is deemed to be down, and a message is returned to the calling host. The options to the command allow continuous packets or a specified number of packets to be sent as well as different sizes of packets.

. snoop: As described earlier in this chapter, the snoop command captures and inspects network packets. Captured packets can be displayed as they are received or saved into a file to be analyzed later. snoop can produce large amounts of information, with each entry being displayed in single-line summary form or multiline verbose form.

EXAM ALERT: You’ll see more than one question on the exam about using the snoop command to troubleshoot network connectivity problems.

. netstat: The netstat command displays network status information. You can see the status of the network interface, monitor how many packets are passing through the interface, and monitor how many errors are occurring. This command is used extensively in identifying overloaded networks where the packet collision rate would be much higher than expected.

Each of the commands listed here is demonstrated in Step By Step 1.2.

STEP BY STEP 1.2 Verifying That a Network Is Operational

1. Check the network connection to another system by typing the following:

# ping <options> <ip-address><cr>

For example, to check the network between systemA and systemB, type ping systemB from systemA. If the check is successful, the remote system replies with this:

systemB is alive

If the network is not active, you get this message:

no answer from systemB

If you get this negative response, check your cable and make sure that both the local system and the remote system are configured properly.

It could also be that the network interface is not marked as up. The ifconfig command can be used as described earlier to check the status of the network interface.

2. Use the snoop utility to determine what information is flowing between systems. The snoop utility can show what actually happens when one system sends a ping to another system. The following example shows network traffic being monitored between two hosts, namely 192.168.1.106 and 192.168.1.21:

# snoop 192.168.1.106 192.168.1.21<cr>


The system responds with one line of output for each packet on the network:

Using device /dev/hme (promiscuous mode)
192.168.1.106 -> 192.168.1.21 ICMP Echo request (ID: 2677 Sequence number: 0)
192.168.1.21 -> 192.168.1.106 ICMP Echo reply (ID: 2677 Sequence number: 0)

When you are finished viewing information from snoop, press Ctrl+C to quit.


NOTE
The -d option: On a system with multiple network interfaces, use the -d option with snoop to specify the network device you want to watch. For example, to watch the eri0 interface only, type

# snoop -d eri0 192.168.1.106 192.168.1.21<cr>

3. Check for network traffic by typing the following:

# netstat -i 5<cr>

The system responds with this:

    input   eri0      output           input  (Total)    output
packets errs  packets errs  colls  packets errs  packets errs  colls
95218   49983 189     1     0      218706  49983 123677  1     0
0       0     0       0     0      3       0     3       0     0
0       0     0       0     0      4       0     4       0     0
1       1     0       0     0      144     1     143     0     0
0       0     0       0     0      256     0     256     0     0
0       0     0       0     0      95      0     95      0     0
0       0     0       0     0      1171    0     1171    0     0

The netstat command is used to monitor the system’s TCP/IP network activity. netstat can provide some basic data about how much and what kind of network activity is happening. You should ignore the first line of output, as this shows the overall activity since the system was last booted. The -i option shows the state of the network interface used for TCP/IP traffic. The last option, 5, reissues the netstat command every 5 seconds to get a good sampling of network activity, with each line showing the activity since the last display, in this case 5 seconds. You can press Ctrl+C to break out of the netstat command.


4. Look in the colls column to see if a large number of collisions occurred. To calculate the network collision rate, divide the number of output collisions (output colls) by the number of output packets. A network-wide collision rate greater than 10% can indicate an overloaded network, a poorly configured network, or hardware problems.

5. Examine the errs column to see if a large number of errors occurred. To calculate the input packet error rate, divide the number of input errors by the total number of input packets. If the input error rate is high—more than 25%—the host might be dropping packets because of transmission problems. Transmission problems can be caused by other hardware on the network and by heavy traffic and low-level hardware problems. Routers can drop packets, forcing retransmissions and causing degraded performance.

6. Type ping -sRv <hostname> from the client to determine how long it takes a packet to make a round-trip on the network. If the round-trip takes more than a few milliseconds, the routers on the network are slow or the network is very busy. Issue the ping command twice, and ignore the first set of results.

The ping -sRv command also displays packet losses. If you suspect a physical problem, you can use ping -sRv to find the response times of several hosts on the network. If the response time (in milliseconds) from one host is not what you expect, you should investigate that host.
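The rate calculations in steps 4 and 5 can be scripted. The following is an added example, not code from the book: it parses netstat -i interval output, skips the since-boot row, and flags each interval against the 10% collision and 25% input-error thresholds. The first sample is the output printed in step 3; the second sample and its hme0 interface are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): per-interval collision and input-error
# rates from netstat -i <interval> output, flagged with the 10% and 25%
# thresholds given in steps 4 and 5.

# Output of "netstat -i 5" as printed in step 3 of this procedure.
SAMPLE_PAGE='    input   eri0      output           input  (Total)    output
packets errs  packets errs  colls  packets errs  packets errs  colls
95218   49983 189     1     0      218706  49983 123677  1     0
0       0     0       0     0      3       0     3       0     0
0       0     0       0     0      4       0     4       0     0
1       1     0       0     0      144     1     143     0     0
0       0     0       0     0      256     0     256     0     0
0       0     0       0     0      95      0     95      0     0
0       0     0       0     0      1171    0     1171    0     0'

# Constructed sample (hypothetical interface hme0) with a busy, lossy segment.
SAMPLE_CONSTRUCTED='    input   hme0      output           input  (Total)    output
packets errs  packets errs  colls  packets errs  packets errs  colls
500000  12    400000  3     9000   500000  12    400000  3     9000
1200    0     1000    0     50     1200    0     1000    0     50
900     300   800     0     120    900     300   800     0     120
1000    2     1000    0     101    1000    2     1000    0     101'

# netstat_rates [iface|total]
# Reads netstat -i interval output on stdin and prints one line per interval:
#   <interval> in_err=<pct> colls=<pct> <ok|HIGH-COLLS|HIGH-ERRS|HIGH-COLLS,HIGH-ERRS>
netstat_rates() {
    awk -v which="${1:-iface}" '
    # A data row has exactly ten unsigned integers; repeated header lines are skipped.
    function data_row(   i) {
        if (NF != 10) return 0
        for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/) return 0
        return 1
    }
    # Percentage with one decimal, or n/a when no packets were counted.
    function pct(num, den) {
        return (den > 0) ? sprintf("%.1f", 100 * num / den) : "n/a"
    }
    data_row() {
        rows++
        if (rows == 1) next                 # first row is the since-boot total
        off = (which == "total") ? 5 : 0    # columns 6-10 hold the all-interface totals
        ipk = $(1 + off) + 0; ierr = $(2 + off) + 0
        opk = $(3 + off) + 0; coll = $(5 + off) + 0
        flag = ""
        if (opk > 0 && 100 * coll / opk > 10) flag = "HIGH-COLLS"
        if (ipk > 0 && 100 * ierr / ipk > 25)
            flag = (flag == "") ? "HIGH-ERRS" : (flag ",HIGH-ERRS")
        printf "%d in_err=%s colls=%s %s\n", rows - 1, pct(ierr, ipk), pct(coll, opk), ((flag == "") ? "ok" : flag)
    }'
}

printf '%s\n' "$SAMPLE_PAGE" | netstat_rates total
printf '%s\n' "$SAMPLE_CONSTRUCTED" | netstat_rates iface
```

On the book's own sample, the eri0 columns flag interval 3 at a 100% input error rate on a single packet, which is why a rate from a near-idle interval should be read alongside the packet count.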


Summary

Although networking is a topic that could consume many chapters in this book, the fundamentals that you need to know to be able to manage a Solaris system on the network are described here. All the concepts that you need to know for the Sun Certified System Administrator for the Solaris 10 Operating Environment exam (CX-310-202) are described.

After reading this chapter, you should understand how to configure and manage network services in Solaris 10. Some new commands were introduced—specifically, inetadm and inetconv.

In addition, this chapter discussed some of the network-related commands and utilities that you can use for monitoring and maintaining the network. In a networked environment, system performance depends on how well you’ve maintained your network. An overloaded network can disguise itself as a slow system and can even cause downtime. You should monitor your network continuously. You need to know how the network looks when things are running well so that you know what to look for when the network is performing poorly. The network commands described in this chapter only report numbers. You’re the one who decides whether these numbers are acceptable for your environment. As stated earlier, practice and experience will help you excel at system administration. The same holds true for network administration.

Chapter 2, “Virtual File Systems, Swap Space, and Core Dumps,” describes how to manage swap space, configure core and crash dump files, and use NFS to share file systems across a network. You’ll also learn how to configure the automounter for use with AutoFS.

Key Terms

. Client/server model

. Host

. Hostname

. ICMP

. IP address

. MAC address

. Network interface

. Network mask

. Network service

. Packet

. Router


. Remote Procedure Calls (RPC)

. Service Management Facility (SMF)

Apply Your Knowledge

Exercises

The following exercises require that you have two hosts connected via an Ethernet network, one named hostA and the other named hostB.

1.1 Obtaining Network Information

In this exercise, you’ll use the various network commands and utilities to obtain information about your system and network.

Estimated time: 15 minutes

1. Log in as root on hostA. Make sure you have an entry in your /etc/inet/hosts file for hostB.

2. As root, use the ifconfig command to display information about your network interface:

# ifconfig -a<cr>
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4>,VIRTUAL mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
        inet 192.168.1.106 netmask ffffff00 broadcast 192.168.1.255
        ether 0:3:ba:1f:85:7b

The ifconfig utility shows that the Ethernet address of the eri0 interface is 0:3:ba:1f:85:7b. The first half of the address is generally specific to the manufacturer. In this case, 0:3:ba is Sun Microsystems. The last half of the address, in this case 1f:85:7b, is unique for every system.

3. Use ping to send ICMP echo requests from hostA to hostB:

# ping hostB<cr>

On hostA, use the rpcinfo utility to list the registered RPC programs:

# rpcinfo<cr>

4. Look for the sprayd service on your system:

# rpcinfo | grep sprayd<cr>


5. Stop the sprayd service on your local system:

# rpcinfo -d sprayd 1<cr>

6. Verify that the sprayd service has been unregistered from RPC:

# rpcinfo | grep sprayd<cr>

7. Restart the sprayd service by issuing the svcadm restart command:

# svcadm restart spray<cr>

8. Verify that the sprayd service is now registered with RPC:

# rpcinfo | grep sprayd<cr>

1.2 Using snoop to Display Network Information

In this exercise, you’ll use the snoop, spray, and ping commands to obtain information from your network.

Estimated time: 10 minutes

1. On hostA, log in to an X Window session (CDE, Gnome, or Java Desktop System [JDS]) as root. In one window, start up the snoop utility:

# snoop hostA hostB<cr>

snoop shows what actually happens when hostA uses the ping command to communicate with hostB.

2. In a second window on hostA, type the following:

# ping hostB<cr>

3. Watch the information that is displayed in the first window that is running snoop.

4. Issue the spray command to send a one-way stream of packets to hostB:

# spray hostB<cr>

5. Watch the information that is displayed in the first window that is running snoop.


Exam Questions

1. What is a name for a unique Ethernet address?

❍ A. IP address

❍ B. MAC address

❍ C. Internet address

❍ D. Hostname

2. When you are setting up at least one network interface, which of the following network configuration files does the Solaris installation program always set up? (Choose three.)

❍ A. /etc/hostname.interface

❍ B. /etc/nodename

❍ C. /etc/inet/hosts

❍ D. /etc/defaultdomain

❍ E. /etc/inet/ipnodes

3. Which command lists the network services and their current state?

❍ A. inetadm

❍ B. inetd

❍ C. rpcinfo

❍ D. nfsd

4. Which of the following statements about IPv4 addresses are true? (Choose all that apply.)

❍ A. IP addresses are written as four sets of numbers separated by periods.

❍ B. IP addresses provide a means of identifying and locating network resources.

❍ C. IP addresses are divided into three unique numbers: network, class, and host.

❍ D. The IP address identifies the machine to its peers on the network.

5. Which of the following statements is true about the /etc/hostname.xxy file?

❍ A. It is a system script file.

❍ B. It is a Sparc executable file.

❍ C. It contains the hostname of the local host.

❍ D. It identifies a network interface on the local host.


6. Which of the following contains the IP addresses and hostnames of machines on a network?

❍ A. /etc/inet/hosts

❍ B. /etc/hostname.xxy

❍ C. /etc/defaultdomain

❍ D. /etc/nodename

7. Which of the following are files that have to be edited when you manually change the hostname on a Solaris system? (Choose two.)

❍ A. /etc/nodename

❍ B. /etc/defaultdomain

❍ C. /etc/networks

❍ D. /etc/inet/hosts

❍ E. /etc/inet/ipnodes

8. Which of the following commands is used to monitor the system’s TCP/IP network activity?

❍ A. iostat

❍ B. vmstat

❍ C. netstat

❍ D. ping

9. Which command is used to determine the information that is flowing between systems across a network?

❍ A. netstat

❍ B. snoop

❍ C. iostat

❍ D. ping

10. Which of the following statements are true of the snoop command? (Choose two.)

❍ A. You press Ctrl+D to stop the command.

❍ B. You press Ctrl+C to stop the command.

❍ C. Each packet on the network produces one line of output.

❍ D. snoop displays the network statistics for the physical interfaces.


11. Which methods can you use to determine the MAC address of a Solaris-based system? (Choose two.)

❍ A. Use the banner command at the ok prompt.

❍ B. ifconfig <interfacename> -m

❍ C. uname -a

❍ D. ifconfig -a

❍ E. netstat -a

❍ F. eeprom

12. Which of the following are correct entries in the /etc/hostname.eri0 file? (Choose two.)

❍ A. 192.168.1.100

❍ B. example.com

❍ C. systemA

❍ D. eri0 192.168.1.100

❍ E. ifconfig 192.168.1.100

13. Your system has four network interfaces: qfe0, qfe1, qfe2, qfe3. When you issue the netstat -i command, you see only information for qfe0 displayed. What is the problem?

❍ A. You must use netstat -a to see all the network interfaces.

❍ B. The interface is not plumbed.

❍ C. The interface is not configured with an IP address.

❍ D. You need to create a file named /etc/hostname.<interfacename> for each network interface.

Answers to Exam Questions

1. B. A host’s unique Ethernet address is also referred to as the MAC address. Answers A and C are wrong because these names refer to the unique Internet address that is assigned to a network interface by the system administrator. Answer D is wrong because the hostname is the alphanumeric system name that is assigned to a system. For more information, see the section “Hosts.”

2. A, B, C. The network configuration files /etc/hostname.interface, /etc/nodename, and /etc/inet/hosts are initially set up by the Solaris installation program. The /etc/defaultdomain file is an optional file and is not set up by the installation program. For more information, see the section “Configuring an IPv4 Network Interface.”


3. A. The inetadm command lists the network services and their current state. This is a new feature in Solaris 10. inetd and nfsd are daemons and do not list anything when they are executed. rpcinfo reports RPC information. For more information, see the section “Network Services” for a full description of the inetadm command.

4. A, B, D. The following are true of IP addresses: IP addresses are written as four sets of numbers separated by periods, IP addresses provide a means of identifying and locating network resources, and IP addresses identify the machines to their peers on the network. Answer C is wrong because IP addresses are not divided into three numbers. For more information, see the section “IPv4 Addressing.”

5. D. The /etc/hostname.xxy file identifies the network interface on the local host. Answers A and B are wrong because this file is neither a script nor an executable file. Answer C is wrong because the /etc/nodename file contains the hostname. For more information, see the section “Configuring an IPv4 Network Interface.”

6. A. The /etc/inet/hosts file contains the IP addresses and hostnames of machines on a network. The /etc/hostname.xxy file contains either an IP address or a hostname, but not both. The /etc/defaultdomain file contains the domain name. The /etc/nodename file contains only the hostname, not an IP address. For more information, see the section “Configuring an IPv4 Network Interface.”

7. A, D. The file /etc/defaultdomain sets the domain name and /etc/networks identifies the different networks. For more information, see the section “Changing the System Hostname.”

8. C. The netstat command is used to monitor the system’s TCP/IP network activity. netstat can provide some basic data about how much and what kind of network activity is happening. You use the iostat command to monitor disk I/O. vmstat is used to monitor virtual memory statistics. ping is used to send ICMP packets to another network host. For more information, see the section “Network Maintenance.”

9. B. The snoop command is used to determine what information is flowing between systems across a network. You use the iostat command to monitor disk I/O. netstat is used to monitor network statistics. ping is used to send ICMP packets to another network host. For more information, see the section “Network Maintenance.”

10. B, C. The snoop command continues to generate output until you press Ctrl+C to exit the command. snoop generates one line of output for each packet on the network. Answer A is wrong because Ctrl+D does not exit the snoop command. Answer D is wrong because snoop does not display the network statistics of a physical interface. Use the netstat -i command. For more information, see the section “Network Maintenance.”


11. A, D. Two methods can be used to obtain the MAC address on a SPARC-based system: the banner command and the ifconfig -a command. For more information, see the section “Controlling and Monitoring an IPv4 Network Interface.”

12. A, C. The /etc/hostname.<interface> file contains one entry: the hostname or IPv4 address that is associated with the network interface. The IPv4 address can be expressed in traditional dotted-decimal format or in CIDR notation. If you use a hostname as the entry for the /etc/hostname.<interface> file, that hostname must also exist in the /etc/inet/hosts file. For more information, see the section “The /etc/hostname.<interface> File.”

13. B. If the network interface is not plumbed, it does not show up with the netstat command. Answer A is wrong because the -a command does not display the interface if it is not plumbed. Answer C is wrong because the netstat command displays information about a network interface even if it does not have an IP address assigned to it. Answer D is wrong because simply creating this file for the interface does not plumb the interface unless the system is also rebooted or the network services restarted. For more information, see the section “Configuring an IPv4 Network Interface.”

Suggested Reading and Resources

Internetworking with TCP/IP: Principles, Protocols and Architecture. Douglas Comer. Prentice Hall, March 2000.

“IP Services” guide in the Solaris 10 documentation CD.

“IP Services” guide in the System Administration Collection of the Solaris 10 documentation set. See http://docs.sun.com.

“Managing Services” section in the “Basic System Administration” guide in the System Administration Collection of the Solaris 10 documentation set. See http://docs.sun.com.

“Managing Services” section in the “Basic System Administration” guide in the Solaris 10 documentation CD.


Chapter 2: Virtual File Systems, Swap Space, and Core Dumps

Objectives

The following test objectives for exam CX 310-202 are covered in this chapter:

Explain virtual memory concepts and, given a scenario, configure and manage swap space.

. The Solaris operating environment can use disk space, called swap areas or swap space, for temporary memory storage when a system does not have enough physical memory to handle currently running processes. A system’s memory requirements change, and you must be knowledgeable in swap space management in order to monitor these resources and make ongoing adjustments, as needed.

Manage crash dumps and core file behaviors.

. You can configure the creation and storage of crash dump and core files, depending on the requirement. You can create application core files on a global or per-process basis. You must be able to customize the configuration according to various circumstances.

Explain NFS fundamentals, and configure and manage the NFS server and client including daemons, files, and commands.

. Network File System (NFS) facilitates the sharing of data between networked systems. NFS servers share resources that are to be used by NFS clients. This chapter describes NFS and the tasks required to administer NFS servers and clients.

Troubleshoot various NFS errors.

. You must have a thorough understanding of the problems that can arise within the NFS client/server process and how to address them. This chapter describes a number of problem areas and what to do in order to rectify them.

Explain and manage AutoFS and use automount maps (master, direct, and indirect) to configure automounting.


. AutoFS allows NFS directories to be mounted and unmounted automatically. It also provides for centralized administration of NFS resources. This chapter describes AutoFS and how to configure the various automount maps.

Implement patch management using Sun Connection Services including the Update Manager client, the smpatch command line, and Sun Connection hosted web application.

. Sun’s Connection Service provides an automated approach to patch management, making it more convenient to keep your operating system up to date with the latest updates from Sun. This chapter describes how to set up and use Sun Connection services.

Outline

Introduction

The Swap File System

Swap Space and TMPFS

Sizing Swap Space

Monitoring Swap Resources

Setting Up Swap Space

Core File Configuration

Crash Dump Configuration

NFS

NFS Version 4

Servers and Clients

NFS Daemons

Setting Up NFS

Mounting a Remote File System

NFS Server Logging

Troubleshooting NFS Errors

The stale NFS file handle Message

The RPC: Program not registered Error

The NFS: service not responding Error

The server not responding Error

The RPC: Unknown host Error

The NFS server not responding, still trying Message

The No such file or directory Error

AutoFS

AutoFS Maps

Master Maps

Direct Maps

Indirect Maps

When to Use automount

Sun Update Connection Service

Using the Update Manager

Sun Update Manager Proxy

Summary

Key Terms

Apply Your Knowledge

Exercises

Exam Questions

Answers to Exam Questions

Suggested Reading and Resources


Study Strategies

The following study strategies will help you prepare for the test:

. As you study this chapter, it’s important that you practice on a Solaris system each Step By Step and each command that is presented. Practice is very important on these topics, so you should practice until you can repeat each procedure from memory.

. You need to understand each command in this chapter and be prepared to match the command to the correct description.

. You need to know all the terms listed in the “Key Terms” section near the end of this chapter.

. You must understand the concept of a virtual file system, including how it works, how to configure additional swap space, and how to use tools to monitor it.


Introduction

Swap space is used to supplement the use of physical memory when a running process requires more resources than are currently available. This chapter describes how to monitor the use of swap space as well as how to add more when necessary and how to delete additional swap space if it is no longer required. Swap space can be allocated either as a dedicated disk slice or in an existing file system as a normal file. The latter option is often only used as an emergency solution. Both of these methods for adding swap space are described in this chapter.

Core files are produced when a process encounters an unexpected error. When this happens, the memory contents of the process are dumped to a file for further analysis. This chapter describes the configuration of core files and how they can be managed effectively. This chapter also describes crash dump files and how to manage and configure them. Crash dump files are produced when a system encounters a failure that it cannot recover from. The contents of kernel memory are dumped to a temporary location (normally the swap device) before the system reboots and subsequently are moved to a permanent location to save them from being overwritten.

Network File System (NFS) is a means of sharing file systems across the network. NFS allows multiple systems to make use of the same physical file system without having to maintain numerous copies of the data, which could cause consistency problems. NFS is discussed in this chapter, as is AutoFS, a method of automatically mounting file systems on demand and unmounting them when a specified amount of time has elapsed during which no activity has occurred. This chapter describes how to configure automount maps and make use of this extremely useful feature. It also describes NFS troubleshooting procedures that can be beneficial when problems occur.

Sun Update Connection Manager is a facility that helps you keep your operating system up to date. You can use it to analyze all your systems for available operating system patches. You also can remotely manage updates on all your systems. The procedure for setting up and using the Sun Update Connection Service is described in this chapter.

The Swap File System

Objective

. Explain virtual memory concepts and, given a scenario, configure and manage swap space.

Physical memory is the random-access memory (RAM) installed in a computer. To view the amount of physical memory installed in your computer, type the following:

# prtconf | grep 'Memory size'<cr>

The system displays a message similar to the following:

Memory size: 1024 Megabytes


Not all physical memory is available for Solaris processes. Some memory is reserved for kernel code and data structures. The remaining memory is referred to as available memory. Processes and applications on a system can use available memory.

Physical memory is supplemented by specially configured space on the physical disk that is known as swap space; together they are referred to as virtual memory. Swap space is configured either on a special disk partition known as a swap partition or on a swap file system (swapfs). In addition to swap partitions, special files called swap files can also be configured in existing UNIX file systems (UFS) to provide additional swap space when needed.

Every process running on a Solaris system requires space in memory. Space is allocated to processes in units known as pages. Some of a process’s pages are used to store the process executable, and other pages are used to store the process’s data.

Physical memory is a finite resource on any computer, and sometimes there are not enough pages in physical memory for all of a system’s processes. When a physical memory shortfall is encountered, the virtual memory system begins moving data from physical memory out to the system’s configured swap areas. When a process requests data that has been sent to a swap area, the virtual memory system brings that data back into physical memory. This process is known as paging.

The Solaris virtual memory system maps the files on disk to virtual addresses in memory. This is referred to as virtual swap space. As data in those files is needed, the virtual memory system maps the virtual addresses in memory to real physical addresses in memory. This mapping process greatly reduces the need for large amounts of physical swap space on systems with large amounts of available memory.

The virtual swap space provided by swapfs reduces the need for configuring large amounts of disk-based swap space on systems with large amounts of physical memory. This is because swapfs provides virtual swap space addresses rather than real physical swap space addresses in response to the requests to reserve swap space.

With the virtual swap space provided by swapfs, real disk-based swap space is required only with the onset of paging, because when paging occurs, processes are contending for memory. In this situation, swapfs must convert the virtual swap space addresses to physical swap space addresses in order for paging to actual disk-based swap space to occur.

Swap Space and TMPFS

The temporary file system (TMPFS) makes use of virtual memory for its storage. This can be either physical RAM or swap space; it is transparent to the user. /tmp is a good example of a TMPFS file system where temporary files and their associated information are stored in memory (in the /tmp directory) rather than on disk. This speeds up access to those files and results in a major performance enhancement for applications such as compilers and database management system (DBMS) products that use /tmp heavily.


TMPFS allocates space in the /tmp directory from the system’s virtual memory resources. This means that as you use up space in /tmp, you are also using up virtual memory space. So if your applications use /tmp heavily and you do not monitor virtual memory usage, your system could run out of this resource.

Sizing Swap Space

The amount of swap space required on a system is based on the following criteria:

. Application programs need a minimum amount of swap space to operate properly. This information is usually contained in the documentation that comes with the application. You should follow the manufacturer’s recommendation for swap space requirements.

. You need to determine whether large applications (such as compilers) will use the /tmp directory. Then you need to allocate additional swap space to be used by TMPFS.

. To prevent any possible panic dumps resulting from fatal system failures, there must be sufficient swap space to hold the necessary kernel memory pages in RAM at the time of a failure. Kernel memory accounts for around 20% of total memory, so if you have 1GB of physical memory, you will need about 256MB of disk-based space for a worst-case crash dump.


NOTE
Movement of swap: Starting with the release of Solaris 9, the installation program allocates swap at the first available cylinder on the disk (this is normally cylinder 0). This practice allows the root file system the maximum space on the disk and allows for expansion of the file system during an upgrade.

The amount of disk-based swap space on a system must be large enough to be able to accommodate a kernel memory dump, plus the requirements of any concurrently running processes, including third-party applications and compilers. Many other factors also contribute to the amount of swap space you need to configure, such as the number of concurrent users and the naming service, Network Information System Plus (NIS+). It is quite rare nowadays to need more swap space than RAM, which used to be a recommendation with older versions of SunOS. In fact, the opposite is often true—you now often need less swap space than physical RAM.

If you are prepared to keep track of your swap space and administer it regularly, you can run with much less swap space than in older versions of SunOS. (How to monitor swap space and how to add additional space to a running system are discussed in the next few sections.)


Monitoring Swap Resources

If you run into a swap shortfall due to heavy demand on memory, you get error messages on your system’s console. The error might look something like this:

<application> is out of memory
malloc error O
messages.1:SJul 18 15:12:47 sunfire genunix: [ID 470503 kern.warning]
WARNING: Sorry, no swap space to grow stack for pid 100295 (myprog)

This error means that an application is trying to get more memory but no swap space is available to accommodate it.

You could fill up a TMPFS file system due to the lack of available swap and get the following error message:

<directory>: File system full, swap space limit exceeded

or this one:

<directory>: File system full, memory allocation failed

This type of message is displayed if a page cannot be allocated when a file is being written. This can occur, for example, when TMPFS tries to write more than it is allowed or when TMPFS runs out of physical memory while attempting to create a new file or directory.

A common problem is when someone uses /tmp as a place to store large temporary files. Be aware that anything in /tmp uses available swap space. By default, available space in the /tmp file system is equal to the size of your swap space. Therefore, you may want to restrict how much space the /tmp file system can consume by specifying the size option in the /etc/vfstab file:

swap - /tmp tmpfs - yes size=4096m

This example limits the /tmp file system to 4096MB of space.

You need to regularly monitor your swap space. This helps you determine whether you are running on the edge and need to increase the resource or maybe you have too much swap space allocated and are wasting disk space. Most commercial performance monitoring tools keep track of swap space or can be configured to generate warnings when it gets low. Besides these commercial tools, you can use the helpful tools that Solaris provides (see Table 2.1). System performance monitoring is not covered on the administrator certification exams, so this chapter describes only the /usr/sbin/swap command.

NOTE

Reducing swap space problems: If the amount of swap space is equal to the amount of physical RAM, you should generally experience no swap space problems, although the type of application being used on the system is a major factor.

Table 2.1 Swap Monitoring Tools

Command Description

/usr/sbin/swap The /usr/sbin/swap utility provides a method for adding, deleting, and monitoring the system swap areas used by the memory manager.

/usr/bin/ps You can use the -al options with the /usr/bin/ps command to report the total size of a process that is currently in virtual memory. The value includes all mapped files and devices, and it is reported in pages. These device mappings do not use swap space.

/usr/ucb/ps You can use this Berkeley version of the ps command with the -alx options to report the total size of a process that is currently in virtual memory. The value includes all mapped files and devices, and it is reported in kilobytes rather than pages.

/usr/bin/vmstat This tool reports virtual memory statistics.

/usr/bin/sar This is a system activity reporter.

/usr/bin/prstat Use the prstat command with the -a option to report swap size information for processes and users. Use the -t option to report a total swap usage summary for each user.

You can use two options with the /usr/sbin/swap command to monitor swap space. You can use the -l option to list swap space and to determine the location of a system’s swap areas:

# swap -l<cr>

The system displays details of the system’s physical swap space. This system has a 512MB swap slice allocated:

swapfile dev swaplo blocks free
/dev/dsk/c0t0d0s1 136,9 16 1049312 1049312

This output is described in Table 2.2.

Table 2.2 Output from the swap -l Command*

Keyword Description

path The pathname for the swap area (for example, /dev/dsk/c0t0d0s1).

dev The major/minor device number for a block special device; this value is zeros otherwise.

swaplo The swaplo value for the area, in 512-byte blocks. swaplo is a kernel parameter that you can modify, and it represents the offset, in 512-byte blocks, where usable swap space begins.

blocks The swaplen value for the area, in 512-byte blocks. swaplen is a kernel parameter that you can modify, and it defines the size of the swap area, in 512-byte blocks.

free The number of 512-byte blocks in this area that are not currently allocated.

*This table does not include swap space in the form of physical memory because that space is not associated with a particular swap area.

You use the -s option to list a summary of the system’s virtual swap space:

# swap -s<cr>

The system displays the following information, which shows the details of the system’s physical swap space and includes physical memory too. This system has 384MB of physical memory and a 512MB swap slice:

total: 191388k bytes allocated + 38676k reserved = 230064k used, 919848k available

This output is described in Table 2.3.

Table 2.3 Output from the swap -s Command

Keyword Description

bytes allocated The total amount of swap space, in 1,024-byte blocks, that is currently allocated as backing store (that is, disk-backed swap space).

reserved The total amount of swap space, in 1,024-byte blocks, that is not currently allocated but is claimed by memory for possible future use.

used The total amount of swap space, in 1,024-byte blocks, that is either allocated or reserved.

available The total amount of swap space, in 1,024-byte blocks, that is currently available for future reservation and allocation.

You can use the amounts of swap space available and used (in the swap -s output) as a way to monitor swap space usage over time. If a system’s performance is good, you can use swap -s to see how much swap space is available. When the performance of a system slows down, you can check the amount of swap space available to see if it has decreased. Then you can identify what changes to the system might have caused swap space usage to increase.

Keep in mind when using the swap command that the amount of physical memory available for swap usage changes dynamically as the kernel and user processes reserve and release physical memory.

NOTE

Swap space calculations: The swap -l command displays swap space in 512-byte blocks, and the swap -s command displays swap space in 1,024-byte blocks. If you add up the blocks from swap -l and convert them to kilobytes, you’ll see that it is less than the swap space used plus available (as shown in the swap -s output) because swap -l does not include physical memory in its calculation of swap space.
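The unit difference between swap -l and swap -s described above is easy to get wrong in a monitoring script. The following is an added example, not code from the book: it parses both outputs, converts them to kilobytes, and warns when available swap drops below a threshold. The function names and the 100MB demo threshold are assumptions; the sample text is the output printed in this section.

```shell
#!/bin/sh
# Added example (not from the book): summarise swap -l / swap -s output.
# The sample text is the output printed in this section, embedded so the
# script runs offline. On a Solaris host, pipe the real commands in instead:
#   swap -s | swap_check 102400

SAMPLE_SWAP_L='swapfile dev swaplo blocks free
/dev/dsk/c0t0d0s1 136,9 16 1049312 1049312'

SAMPLE_SWAP_S='total: 191388k bytes allocated + 38676k reserved = 230064k used, 919848k available'

# swap -l counts 512-byte blocks. Read it on stdin and print
# "<total_kb> <free_kb>" summed over all swap areas (header skipped).
swap_l_kb() {
    awk '$1 != "swapfile" && NF >= 5 { blocks += $4; free += $5 }
         END { printf "%d %d\n", blocks / 2, free / 2 }'
}

# swap -s counts kilobytes. Read it on stdin and print
# "<allocated> <reserved> <used> <available>" with the k suffix removed.
swap_s_kb() {
    awk '$1 == "total:" {
        for (i = 2; i <= NF; i++) sub(/k$/, "", $i)
        print $2, $6, $9, $11
    }'
}

# Share of virtual swap (used + available) already used, as a whole percent.
swap_used_pct() {
    swap_s_kb | awk '($3 + $4) > 0 { printf "%d\n", ($3 * 100) / ($3 + $4) }'
}

# swap -s also counts physical memory, so its used + available is larger
# than the disk total from swap -l. Print that difference in KB.
# $1 = swap -l text, $2 = swap -s text.
swap_gap_kb() {
    disk=$(printf '%s\n' "$1" | swap_l_kb | awk '{ print $1 }')
    virt=$(printf '%s\n' "$2" | swap_s_kb | awk '{ printf "%d\n", $3 + $4 }')
    echo $((virt - disk))
}

# Read swap -s on stdin; succeed when available swap is at least $1 KB,
# otherwise print a warning and return 1 (2 if the input was not understood).
swap_check() {
    avail=$(swap_s_kb | awk '{ print $4 }')
    case $avail in
        ''|*[!0-9]*) echo "ERROR: no swap -s summary found"; return 2 ;;
    esac
    if [ "$avail" -lt "$1" ]; then
        echo "WARNING: ${avail}k swap available, below ${1}k"
        return 1
    fi
    echo "OK: ${avail}k swap available"
}

# Demo on the sample output (the 102400 KB threshold is an example value).
printf '%s\n' "$SAMPLE_SWAP_L" | swap_l_kb
printf '%s\n' "$SAMPLE_SWAP_S" | swap_used_pct
printf '%s\n' "$SAMPLE_SWAP_S" | swap_check 102400
```

Run from cron, the non-zero return of swap_check gives an early signal before applications start failing with the "no swap space" errors shown earlier.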

The software installation program adds entries for swap slices and files in the /etc/vfstab file. These swap areas are activated each time the system is booted by /sbin/swapadd.

As system configurations change, more users are added, and new software packages are installed, you might need to add more swap space. There are two methods for adding more swap to a system:

. Create a secondary swap partition

. Create a swap file in an existing UFS

Creating a secondary swap partition requires additional, unused disk space. You use the format command as described in Solaris 10 System Administration Exam Prep (Exam CX-310-200), Part I to create a new partition on a disk. After you create the swap partition, you make an entry in the /etc/vfstab file so that the swap space is activated at bootup. The process is described in Step By Step 2.1.

STEP BY STEP

2.1 Creating a Secondary Swap Partition

1. Add an additional 512MB of swap space to your system. You don’t have any more room on the disk for more swap space, but the /data directory (currently mounted on slice 4 of disk c0t1d0) is 512MB in size. Move all the data in /data to another server to free up the partition so that you can use it as a swap partition. You can use any of the backup methods described in Solaris 10 System Administration Exam Prep (Exam CX-310-200), Part I.

Setting Up Swap Space

Swap space is initially configured during software installation through the installation program. If you use the installation program’s automatic layout of disk slices and do not manually change the size of the swap slice, the Solaris installation program allocates a default swap slice of 512MB.

NOTE

Crash dumps: As described later in this chapter, a crash dump is a disk copy of the kernel memory of the computer at the time of a fatal system error. When a fatal operating system error occurs, a message describing the error is printed to the console. The operating system then generates a crash dump by writing the contents of kernel memory to a predetermined dump device, which is typically a local disk partition. You can then analyze this crash dump to determine the cause of the system error. By default, the dump device is configured to be an appropriate swap partition. Therefore, it’s necessary to make sure that your swap area is at least as large as about 25% of your physical RAM; otherwise, the system may not have enough room to store the crash dump. Crash dumps and core files are discussed later in this chapter, in the sections “Core File Configuration” and “Crash Dump Configuration.”

2. After freeing up the /data directory and unmounting /dev/dsk/c0t1d0s4, use the format utility to set the tag name to swap and the permission flag to wu (writable and unmountable):

partition> 4
Part Tag Flag Cylinders Size Block
4 unassigned wm 3400 - 4480 512.37MB (1041/0/0) 1049328
Enter partition id tag[unassigned]: swap
Enter partition permission flags[wm]: wu
Enter new starting cyl[3400]: <cr>
Enter partition size[1049328b, 1041c, 1040e, 512.37mb, 0.50gb]: <cr>

The bold text indicates what the user enters.

Label the disk:

Partition> la
Ready to label disk? Y

3. Make an entry to the /etc/vfstab file, where the fields are as follows:

Device to mount: <name of swap block device or swap file>

Device to fsck: -

Mount point: -

FS-type: swap

fsck pass: -

Mount at boot: no

Mount options: -

Here’s an example of an entry for the swap partition just added:

/dev/dsk/c0t1d0s4 - - swap - no -

4. Run the swapadd script to add the swap to your system:

# /sbin/swapadd<cr>

5. Verify that the swap has been added:

# swap -l<cr>

The system responds with this:

swapfile dev swaplo blocks free
/dev/dsk/c0t0d0s1 136,9 16 1049312 1049312
/dev/dsk/c0t1d0s4 136,3 16 1052624 1052624

/dev/dsk/c0t1d0s4 has been added to the list of available swap areas.

The following additional notes apply when adding swap partitions:

. On systems running the 32-bit version of Solaris, swap areas must not exceed 2GB. If you wanted to add a 9GB disk to a swap area, you should slice it up into 2GB chunks. Then, you need to put a separate entry in /etc/vfstab for each slice. On systems running the 64-bit version of Solaris 10, you can use a block device larger than 2GB.

. You get a large performance benefit from having swap partitions spread across separate disks. Swap space is allocated in a round-robin fashion from swap partition to swap partition, and it is not possible to prioritize usage of the various swap areas. Swap space is allocated 1MB at a time from each swap partition in turn, unless one is full.

. It is not worth making a striped metadevice to swap on; that would just add overhead and slow down paging.

The easiest way to add more swap space is to use the mkfile and swap commands to designate a part of an existing UFS file system as a supplementary swap area. You can do this as a temporary or semitemporary solution for a swap shortage. Although you can do this for longer durations as well, it has a few disadvantages:

. A swap file is considered a file within a file system; therefore, when you back up a file system, a rather large swap file (empty file) is also backed up if you don’t specifically exclude it.

. Because a swap file is simply a file in some file system, you cannot unmount that file system while the swap file is in use.

. This method of creating a swap file has a negative effect on system performance because the swap file is slower than a dedicated swap slice.

Step By Step 2.2 explains how to add more swap space without repartitioning a disk.

STEP BY STEP

2.2 Adding Swap Space Without Repartitioning a Disk

1. As root, use the df -h command to locate a file system that has enough room to support a swap file that’s the size that you want to add:

EXAM ALERT

/etc/vfstab syntax: You should be familiar with the entry for swap files in /etc/vfstab. The syntax can be tricky, especially because of the hyphens.

# df -h<cr>
Filesystem size used avail capacity Mounted on
/dev/dsk/c0t0d0s0 4.9G 3.7G 1.2G 77% /
/devices 0K 0K 0K 0% /devices
ctfs 0K 0K 0K 0% /system/contract
proc 0K 0K 0K 0% /proc
mnttab 0K 0K 0K 0% /etc/mnttab
swap 1.2G 1.0M 1.2G 1% /etc/svc/volatile
objfs 0K 0K 0K 0% /system/object
fd 0K 0K 0K 0% /dev/fd
/dev/dsk/c0t0d0s7 4.0G 1.5G 2.4G 40% /var
swap 1.2G 304K 1.2G 1% /tmp
swap 1.2G 48K 1.2G 1% /var/run
/dev/dsk/c0t1d0s0 3.9G 1.7G 2.2G 44% /data1
/dev/dsk/c0t1d0s7 5.2G 7.1M 5.1G 1% /data2

NOTE

Swap permissions: You can create a swap file without root permissions, but it is a good idea for root to be the owner of the swap file to prevent someone from accidentally overwriting it.

2. Use the mkfile command to add a 512MB swap file named swapfile in the /data2 partition:

# mkfile 512m /data2/swapfile<cr>

Use the ls -l /data2 command to verify that the file has been created:

# ls -l /data2/swapfile<cr>
-rw------T 1 root root 536870912 Aug 19 23:31 /data2/swapfile

The system shows the file named swapfile along with the file size. Notice that the sticky bit (which is described in Solaris 10 System Administration Exam Prep (Exam CX-310-200), Part I) has automatically been set.

3. Activate the swap area by using the swap command:

# /usr/sbin/swap -a /data2/swapfile<cr>

You must use the absolute pathname to specify the swap file. The swap file is added and available until the file system is unmounted, the system is rebooted, or the swap file is removed. Keep in mind that you can’t unmount a file system while the swap file is still being used or a process is swapping to the swap file.

4. Verify that the new swap area was added:

# swap -l<cr>

The system should respond with a message such as the following that shows the swap file:

swapfile dev swaplo blocks free
/dev/dsk/c0t0d0s1 136,9 16 1049312 1049312
/data2/swapfile - 16 1048560 1048560

5. If this will be a permanent swap area, add to the /etc/vfstab file an entry for the swap file that specifies the full pathname of the swap file and designate swap as the file system type:

/data2/swapfile - - swap - no -
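Because the hyphens in a swap entry are easy to miscount, and because a /tmp entry without the size option can consume all of swap, it helps to lint /etc/vfstab before rebooting. The following is an added example, not code from the book: it checks swap entries against the field list in Step By Step 2.1 and checks that /tmp carries a size limit. The function name and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): lint the swap-related lines of a vfstab.
# Both samples are constructed; the field rules are the ones listed in
# Step By Step 2.1 and the size= option shown earlier for /tmp.
# On a Solaris host:  audit_vfstab < /etc/vfstab

VFSTAB_GOOD='#device device mount FS fsck mount mount
/dev/dsk/c0t0d0s1 - - swap - no -
/data2/swapfile - - swap - no -
swap - /tmp tmpfs - yes size=4096m'

VFSTAB_BAD='# constructed sample with three mistakes
/dev/dsk/c0t0d0s1 - - swap - no -
/data2/swapfile - swap - no -
swap - /tmp tmpfs - yes -
/dev/dsk/c0t1d0s4 - - swap - yes -'

# Read vfstab text on stdin, print one finding per problem, return 1 if any.
audit_vfstab() {
    awk '
    function bad(msg) { n++; printf "line %d: %s\n", NR, msg }

    /^[ \t]*#/ || NF == 0 { next }

    # /tmp on tmpfs draws on swap; without size= it can use all of it.
    $3 == "/tmp" && $4 == "tmpfs" {
        if ($7 !~ /(^|,)size=[0-9]/) bad("/tmp tmpfs has no size= limit")
        next
    }

    {
        # A swap area names "swap" as its FS type. Look for it in any
        # column so that entries with a missing hyphen are still examined.
        hit = 0
        for (i = 2; i <= NF; i++) if ($i == "swap") hit = 1
        if (!hit || $1 == "swap") next

        if (NF != 7) { bad("swap entry has " NF " fields, expected 7"); next }
        if ($1 !~ /^\//)  bad("device to mount must be an absolute path")
        if ($2 != "-")    bad("device to fsck must be -")
        if ($3 != "-")    bad("mount point must be -")
        if ($4 != "swap") bad("FS type must be swap")
        if ($5 != "-")    bad("fsck pass must be -")
        if ($6 != "no")   bad("mount at boot must be no")
        if ($7 != "-")    bad("mount options must be -")
    }

    END { exit (n > 0) }
    '
}

# Demo: the good sample is silent, the bad sample lists three findings.
printf '%s\n' "$VFSTAB_GOOD" | audit_vfstab && echo "good sample: clean"
printf '%s\n' "$VFSTAB_BAD" | audit_vfstab || echo "bad sample: needs attention"
```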

There is some disagreement about which type of swap area provides the best performance: a swap partition or a swap file. Both scenarios have advantages; however, these are two of the best reasons in favor of swap partitions:

. A partition provides contiguous space and can be positioned between the specific cylinders that will provide the best performance.

. A swap file has to work through the file system when updates are made, whereas a swap partition has data written to it at a lower level, bypassing the interaction with the file system; this makes a swap partition slightly faster than a swap file.

Sun’s official statement, and the general consensus in the user community, is that there will be a performance impact if you go the swap file route rather than the partition route. Sun recommends that you use swap files only as a temporary solution, until you can add a swap partition.

Swap files can be deleted as well as added. For example, you might determine that you have allocated too much swap space and that you need that disk space for other uses. Alternatively, the additional swap space might have been temporarily added to accommodate a one-off large job. The steps involved in removing a swap file are outlined in Step By Step 2.3.

STEP BY STEP

2.3 Removing a Swap File

1. As root, use the swap -d command to remove the swap area. Use the following for a swap partition:

# swap -d /dev/dsk/c0t0d0s4<cr>

or use this for a swap file:

NOTE

Swap files on NFS: In an emergency, when no other local space is available, it’s possible to add a swap file to a networked file system by using NFS; this is described later in this chapter. Using NFS to access swap space on another host is not recommended, however, because it puts an increased load on your network and makes performance unacceptable. If you do need to use NFS for additional swap files, try using the -n option when you run mkfile, because this allocates disk blocks only as they are written.

# swap -d /data2/swapfile<cr>

2. Issue the swap -l command to ensure that the swap area is gone:

# swap -l<cr>
swapfile dev swaplo blocks free
/dev/dsk/c0t0d0s1 136,9 16 1049312 1049312

The swap file filename is removed from the list, so you know it is no longer available for swapping. The file itself is not deleted.

3. In the /etc/vfstab file, delete the entry for the swap file.

4. Remove the swap file to recover the disk space:

# rm /data2/swapfile<cr>

If the swap area was in a partition, you can now allocate this disk space as you would a normal file system.

Core File Configuration

Objective

. Manage crash dumps and core file behaviors.

Core files are created when a program or application terminates abnormally. Not only can software problems cause core dumps, but so can hardware problems. The default location for a core file to be written is the current working directory. However, as the system administrator, you might want to configure the system so that all core files are written to a central location. This would make administration and management of core files much easier because core files can sometimes take up a significant amount of disk space.

You manage core files by using the coreadm command:

coreadm [-g <pattern>] [-G <content>] [-i <pattern>] [-I <content>] \
[-d <option>...] [-e <option>...]
coreadm [-p <pattern>] [-P <content>] [pid]
coreadm -u

The options for the coreadm command are described in Table 2.4.

Table 2.4 coreadm Command Options

Option Description

-g <pattern> Sets the global core file name pattern.

-G <content> Sets the global core file content using one of the description tokens.

-i <pattern> Sets the per-process core file name pattern.

-I <content> Sets the per-process core file name to content.

-d <option> Disables the specified core file option.

-e <option> Enables the specified core file option.

-p <pattern> Sets the per-process core file name pattern for each of the specified pids.

-P <content> Sets the per-process core file content to content.

-u Updates the systemwide core file options from the configuration file /etc/coreadm.conf.

Running coreadm with no options displays the current configuration, which you can determine by reading the file /etc/coreadm.conf.

A core file name pattern consists of a file system pathname, along with embedded variables. These variables are specified with a leading % character. The values are then expanded when a core file is created. Valid pattern variables are described in Table 2.5.

Table 2.5 coreadm Patterns

coreadm Pattern Description

%p Specifies the process ID (PID).

%u Specifies the effective user ID.

%g Specifies the effective group ID.

%d Specifies the executable file directory name.

%f Specifies the executable filename.

%n Specifies the system node name. This is the same as running uname -n.

%m Specifies the machine name. This is the same as running uname -m.

%t Specifies the decimal value of time, as the number of seconds since 00:00:00 January 1, 1970.

%z Specifies the name of the zone in which the process is executed (zonename).

%% Specifies a literal % character.

The -d and -e flags of the coreadm command can take several options. These are listed in Table 2.6.

Table 2.6 coreadm -d and -e Flag Options

Option Description

global Allows core dumps, using the global core pattern.

process Allows core dumps, using the per-process core pattern.

global-setid Allows set-id core dumps, using the global core pattern.

proc-setid Allows set-id core dumps, using the per-process core pattern.

log Produces a syslog message when an attempt is made to generate a global core file.

To modify the core file configuration so that all files are dumped into the directory /cores and named core, followed by the system name and then the name of the program being run, you can follow the procedure described in Step By Step 2.4.

STEP BY STEP

2.4 Configuring Core Files

1. As root, use the coreadm command to display the current coreadm configuration:

# coreadm<cr>
global core file pattern:
global core file content: default
init core file pattern: core
init core file content: default
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled

2. As root, issue the following command to change the core file setup:

# coreadm -i /cores/core.%n.%f<cr>

3. Run coreadm again to verify that the change has been made permanent:

# coreadm<cr>
global core file pattern:
global core file content: default
init core file pattern: /cores/core.%n.%f
init core file content: default
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled

Use the gcore command to manually generate a core dump of a process. This is useful for verifying your coreadm settings or if you need to generate a core dump for analysis purposes. For example, to create a per-process core image of the current shell, type

# gcore -p $$<cr>

The system responds with this:

gcore: /cores/core.sunfire.sh dumped

The -p option produces per-process specific content, and the -g option produces a global core file. Various commands such as dbx, mdb, and pstack can be used to analyze a core dump file, but those commands are beyond the scope of this book.

The coreadm process is configured by the Service Management Facility (SMF) at system boot time. Use the svcs command to check its status. The service name for this process is svc:/system/coreadm:default.
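To see how a name pattern from Table 2.5 turns into a file name, and to review a coreadm listing without reading it line by line, the following added example (not code from the book) expands a pattern from supplied values and audits coreadm output. The function names and the findings it reports are assumptions for illustration; in particular, the set-id finding reflects the fact that a core from a set-id program can hold privileged data. The two listings are the ones shown in Step By Step 2.4.

```shell
#!/bin/sh
# Added example (not from the book): expand a coreadm name pattern and review
# a coreadm listing. The listings are the two shown in Step By Step 2.4.
# On a Solaris host:  coreadm | audit_coreadm

COREADM_BEFORE='global core file pattern:
global core file content: default
init core file pattern: core
init core file content: default
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled'

COREADM_AFTER='global core file pattern:
global core file content: default
init core file pattern: /cores/core.%n.%f
init core file content: default
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled'

# expand_core_pattern PATTERN key=value ...
# Keys are the letters of Table 2.5 (p u g d f n m t z); %% yields a literal %.
# An unknown or dangling % variable is an error (return 1).
expand_core_pattern() {
    awk 'BEGIN {
        pat = ARGV[1]; val["%"] = "%"
        for (a = 2; a < ARGC; a++) {
            eq = index(ARGV[a], "=")
            val[substr(ARGV[a], 1, eq - 1)] = substr(ARGV[a], eq + 1)
        }
        out = ""
        for (i = 1; i <= length(pat); i++) {
            c = substr(pat, i, 1)
            if (c != "%") { out = out c; continue }
            k = substr(pat, ++i, 1)
            if (!(k in val)) {
                print "no value for %" k | "cat 1>&2"
                exit 1
            }
            out = out val[k]
        }
        print out
    }' "$@"
}

# Read coreadm output on stdin, print findings, return 1 if there are any.
# The checks are this example's own review policy, not coreadm behaviour.
audit_coreadm() {
    awk '
    function note(msg) { n++; print "finding: " msg }
    {
        i = index($0, ":"); if (i == 0) next
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        cfg[k] = v
    }
    END {
        p = cfg["init core file pattern"]
        if (p !~ /^\//)
            note("init pattern \"" p "\" is relative, so cores land in the working directory of each process")
        if (cfg["global core dumps"] == "enabled" && cfg["global core file pattern"] == "")
            note("global core dumps enabled but no global pattern is set")
        if (cfg["global setid core dumps"] == "enabled" || cfg["per-process setid core dumps"] == "enabled")
            note("setid core dumps enabled, keep the core directory readable by root only")
        if (cfg["global core dumps"] == "enabled" && cfg["global core dump logging"] != "enabled")
            note("global core dumps are not logged through syslog")
        exit (n > 0)
    }'
}

# Demo: the pattern set in Step By Step 2.4, with the host and program names
# seen in the gcore output above, then a review of the default listing.
expand_core_pattern '/cores/core.%n.%f' n=sunfire f=sh
printf '%s\n' "$COREADM_BEFORE" | audit_coreadm || true
```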

Crash Dump Configuration

Objective

. Manage crash dumps and core file behaviors.

When a serious error is encountered, the system displays an error message on the console, dumps the entire contents of physical memory to the disk, and then reboots the system. A crash dump is a snapshot of the physical memory, saved on disk, at the time a fatal system error occurs.

Normally, crash dumps are configured to use the swap partition to write the contents of memory. The savecore program runs when the system reboots and saves the image in a predefined location, usually /var/crash/<hostname>, where <hostname> represents the name of the system.

You configure crash dump files by using the dumpadm command. Running this command with no options displays the current configuration, which is obtained from the file /etc/dumpadm.conf:

# dumpadm<cr>

The system responds with this:

Dump content: kernel pages
Dump device: /dev/dsk/c0t0d0s1 (swap)
Savecore directory: /var/crash/sunfire
Savecore enabled: yes

The following is the syntax of the dumpadm command:

/usr/sbin/dumpadm [-nuy] [-c <content-type>] [-d <dump-device>] \
[-m <mink> | <minm> | <min%>] [-s <savecore-dir>] [-r <root-dir>]

The options for the dumpadm command are described in Table 2.7.

Table 2.7 dumpadm Command Syntax

Option Description

-c <content-type> Modifies crash dump content. Valid values are kernel (just kernel pages), all (all memory pages), and curproc (kernel pages and currently executing process pages).

-d <dump-device> Modifies the dump device. This can be specified either as an absolute pathname (such as /dev/dsk/c0t0d0s1) or the word swap, in which case the system identifies the best swap area to use.

-m <mink> | <minm> | <min%> Maintains minimum free space in the current savecore directory, specified either in kilobytes, megabytes, or a percentage of the total current size of the directory.

-n Disables savecore from running on reboot. This is not recommended because with it, any crash dumps would be lost.

-s <savecore-dir> Specifies a savecore directory other than the default /var/crash/hostname.

-u Forcibly update the kernel dump configuration based on the contents of /etc/dumpadm.conf.

-r <root-dir> Specifies a different root directory. If this option is not used, the default / is used.

-y Enables savecore to run on the next reboot. This setting is used by default.

To set up a dedicated disk named c0t2d0s2 for crash dumps, you issue the following command:

# dumpadm -d /dev/dsk/c0t2d0s2<cr>

When you specify s2, the entire disk is used for a crash dump. The system responds with this:

Dump content: kernel pages
Dump device: /dev/dsk/c0t2d0s2 (dedicated)
Savecore directory: /var/crash/sunfire
Savecore enabled: yes

For testing purposes, you may want to generate a system crash dump. You can do this by issuing the reboot -d command or by using the savecore -L command to create a live OS core dump. To use the savecore command, you must first use dumpadm to set a nonswap device as the dump device. Another method is to press Stop+A to get to the OpenBoot PROM and then type the OBP command sync to force a crash dump.

The dumpadm process is now configured by the Service Management Facility (SMF) at system boot time. Use the svcs command to check its status. The service name for this process is svc:/system/dumpadm:default.

NFS

Objective

. Explain NFS fundamentals, and configure and manage the NFS server and client including daemons, files, and commands.

The NFS service lets computers of different architectures, running different operating systems, share file systems across a network. Just as the mount command lets you mount a file system on a local disk, NFS lets you mount a file system that is located on another system anywhere on the network. Furthermore, NFS support has been implemented on many platforms, ranging from Microsoft Windows on personal computers to mainframe operating systems, such as Multiprogramming using Virtual Storage (MVS). Each operating system applies the NFS model to its file system semantics. For example, a Sun system can mount the file system from a Microsoft Windows or Linux system. File system operations, such as reading and writing, function as though they are occurring on local files. Response time might be slower when a file system is physically located on a remote system, but the connection is transparent to the user regardless of the hardware or operating systems.

The NFS service provides the following benefits:

. Lets multiple computers use the same files so that everyone on the network can access the same data. This eliminates the need to have redundant data on several systems.

. Reduces storage costs by having computers share applications and data.

. Provides data consistency and reliability because all users access the same data.

. Makes mounting of file systems transparent to users.

. Makes accessing remote files transparent to users.

. Supports heterogeneous environments.

. Reduces system administration overhead.

The NFS service makes the physical location of the file system irrelevant to the user. You can use NFS to allow users to see all the data, regardless of location. With NFS, instead of placing copies of commonly used files on every system, you can place one copy on one computer’s disk and have all other systems across the network access it. Under NFS operation, remote file systems are almost indistinguishable from local ones.

NFS Version 4

Solaris 10 introduced a new version of the NFS protocol, which has the following features:

. The User ID and Group ID are represented as strings. A new daemon process, nfsmapid, maps these IDs to local numeric IDs. The nfsmapid daemon is described later in this chapter, in the section “NFS Daemons.”

. The default transport for NFS version 4 is the Remote Direct Memory Access (RDMA) protocol, a technology for memory-to-memory transfer over high speed data networks. RDMA improves performance by reducing load on the CPU and I/O. If RDMA is unavailable on both server and client, TCP is used as the transport.

. All state and lock information is destroyed when a file system is unshared. In previous versions of NFS, this information was retained.

. NFS version 4 provides a pseudo file system to give clients access to exported objects on the NFS server.

. NFS version 4 is a stateful protocol in that both the client and the server hold information about current locks and open files. When a crash or failure occurs, the client and the server work together to re-establish the open or locked files.

. NFS version 4 no longer uses the mountd, statd, or nfslogd daemons.

. NFS version 4 supports delegation, a technique where management responsibility of a file can be delegated by the server to the client. Delegation is supported in both the NFS server and the NFS client. A client can be granted a read delegation, which can be granted to multiple clients, or a write delegation, providing exclusive access to a file.

Servers and Clients

With NFS, systems have a client/server relationship. The NFS server is where the file system resides. Any system with a local file system can be an NFS server. As described later in this chapter, in the section “Setting Up NFS,” you can configure the NFS server to make file systems available to other systems and users. The system administrator has complete control over which file systems can be mounted and who can mount them.

An NFS client is a system that mounts a remote file system from an NFS server. You’ll learn later in this chapter, in the section “Mounting a Remote File System,” how you can create a local directory and mount the file system. As you will see, a system can be both an NFS server and an NFS client.

NFS Daemons

NFS uses a number of daemons to handle its services. These services are initialized at startup from the svc:/network/nfs/server:default and svc:/network/nfs/client:default startup service management functions. The most important NFS daemons are described in Table 2.8.

Table 2.8 NFS Daemons

Daemon Description

nfsd An NFS server daemon that handles file system exporting and file access requests from remote systems. An NFS server runs multiple instances of this daemon. This daemon is usually invoked at the multi-user-server milestone and is started by the svc:/network/nfs/server:default service identifier.

mountd An NFS server daemon that handles mount requests from NFS clients. This daemon provides information about which file systems are mounted by which clients. You use the showmount command, described later in this chapter, to view this information. This daemon is usually invoked at the multi-user-server milestone and is started by the svc:/network/nfs/server:default service identifier. This daemon is not used in NFS version 4.

lockd A daemon that runs on the NFS server and NFS client and provides file-locking services in NFS. This daemon is started by the svc:/network/nfs/client service identifier at the multi-user milestone.

statd A daemon that runs on the NFS server and NFS client and interacts with lockd to provide the crash and recovery functions for the locking services on NFS. This daemon is started by the svc:/network/nfs/client service identifier at the multi-user milestone. This daemon is not used in NFS version 4.

rpcbind A daemon that facilitates the initial connection between the client and the server.

nfsmapid A new daemon that maps to and from NFS v4 owner and group identification and UID and GID numbers. It uses entries in the passwd and group files to carry out the mapping, and also references /etc/nsswitch.conf to determine the order of access.

nfs4cbd A new client side daemon that listens on each transport and manages the callback functions to the NFS server.

nfslogd A daemon that provides operational logging to the Solaris NFS server. nfslogd is described later in this chapter, in the section “NFS Server Logging.” The nfslogd daemon is not used in NFS version 4.

Setting Up NFS

Servers let other systems access their file systems by sharing them over the NFS environment. A shared file system is referred to as a shared resource. You specify which file systems are to be shared by entering the information in the file /etc/dfs/dfstab. Entries in this file are shared automatically whenever you start the NFS server operation. You should set up automatic sharing if you need to share the same set of file systems on a regular basis. Most file system sharing should be done automatically; the only time manual sharing should occur is during testing or troubleshooting.

The /etc/dfs/dfstab file lists all the file systems your NFS server shares with its NFS clients. It also controls which clients can mount a file system. If you want to modify /etc/dfs/dfstab to add or delete a file system or to modify the way sharing is done, you edit the file with a text editor, such as vi. The next time the computer enters the multi-user-server milestone, the system reads the updated /etc/dfs/dfstab to determine which file systems should be shared automatically.

NOTE

/etc/dfs/dfstab: The system does not need to be rebooted just to share file systems listed in the /etc/dfs/dfstab file. The system also reads entries in the /etc/dfs/dfstab file when the nfs/server service is enabled:

# svcadm enable nfs/server<cr>

when the nfs/server service is restarted:

# svcadm restart nfs/server<cr>

or when you issue the /usr/sbin/shareall command:

# shareall<cr>

Each line in the dfstab file consists of a share command, as shown in the following example:

# more /etc/dfs/dfstab<cr>

The system responds by displaying the contents of /etc/dfs/dfstab:

# Place share(1M) commands here for automatic execution
# on entering init state 3.
#
# Issue the command 'svcadm enable network/nfs/server' to
# run the NFS daemon processes and the share commands, after adding
# the very first entry to this file.
#
# share [-F fstype] [ -o options] [-d "<text>"] <pathname> [resource]
# .e.g,
# share -F nfs -o rw=engineering -d "home dirs" /export/home2
share -F nfs /export/install/sunfire
share -F nfs /jumpstart

The /usr/sbin/share command exports a resource or makes a resource available for mounting. If it is invoked with no arguments, share displays all shared file systems. The share command can be run at the command line to achieve the same results as the /etc/dfs/dfstab file, but you should use this method only when testing.

This is the syntax for the share command:

share -F <FSType> -o <options> -d <description> <pathname>

where <pathname> is the name of the file system to be shared. Table 2.9 describes the options of the share command.

Table 2.9 share Command Syntax

Option             Description

-F <FSType>        Specifies the file system type, such as NFS. If the -F option is omitted, the first file system type listed in /etc/dfs/fstypes is used as the default (nfs).

-o <options>       One of the following options:

    rw: Makes <pathname> shared read-write to all clients. This is also the default behavior.

    rw=<client>[:<client>]...: Makes <pathname> shared read-write but only to the listed clients. No other systems can access <pathname>.

    ro: Makes <pathname> shared read-only to all clients.

    ro=<client>[:<client>]...: Makes <pathname> shared read-only, but only to the listed clients. No other systems can access <pathname>.

    aclok: Allows the NFS server to do access control for NFS version 2 clients (running Solaris 2.4 or earlier). When aclok is set on the server, maximum access is given to all clients. For example, with aclok set, if anyone has read permissions, everyone does. If aclok is not set, minimal access is given to all clients.

    anon=<uid>: Sets <uid> to be the effective user ID (UID) of unknown users. By default, unknown users are given the effective UID nobody. If <uid> is set to -1, access is denied.

    index=<file>: Loads a file rather than a listing of the directory containing this specific file when the directory is referenced by an NFS uniform resource locator (URL).

    nosub: Prevents clients from mounting subdirectories of shared directories. This only applies to NFS versions 2 and 3 because NFS version 4 does not use the Mount protocol.

    nosuid: Causes the server file system to silently ignore any attempt to enable the setuid or setgid mode bits. By default, clients can create files on the shared file system if the setuid or setgid mode is enabled. See Solaris 10 System Administration Exam Prep (Exam CX-310-200), Part I for a description of setuid and setgid.

    public: Enables NFS browsing of the file system by a WebNFS-enabled browser. Only one file system per server can use this option. The -ro=<list> and -rw=<list> options can be included with this option.

    root=<host>[:<host>]...: Specifies that only root users from the specified hosts have root access. By default, no host has root access, so root users are mapped to an anonymous user ID (see the description of the anon=<uid> option).

    sec=<mode>: Uses one or more of the security modes specified by <mode> to authenticate clients. The <mode> option establishes the security mode of NFS servers. If the NFS connection uses the NFS version 3 protocol, the NFS clients must query the server for the appropriate <mode> to use. If the NFS connection uses the NFS version 2 protocol, the NFS client uses the default security mode, which is currently sys. NFS clients can force the use of a specific security mode by specifying the sec=<mode> option on the command line. However, if the file system on the server is not shared with that security mode, the client may be denied access. The following are valid modes:

        sys: Use AUTH_SYS authentication. The user’s UNIX user ID and group IDs are passed in clear text on the network, unauthenticated by the NFS server.

        dh: Use a Diffie-Hellman public key system.

        krb5: Use the Kerberos version 5 authentication.

        krb5i: Use the Kerberos version 5 authentication with integrity checking to verify that the data has not been compromised.

        krb5p: Use the Kerberos version 5 authentication with integrity checking and privacy protection (encryption). This is the most secure, but also incurs additional overhead.

        none: Use null authentication.

    log=<tag>: Enables NFS server logging for the specified file system. The optional <tag> determines the location of the related log files. The tag is defined in /etc/nfs/nfslog.conf. If no tag is specified, the default values associated with the global tag in /etc/nfs/nfslog.conf are used. NFS logging is described later in this chapter, in the section “NFS Server Logging.” Support for NFS logging is only available for NFS versions 2 and 3.

-d <description>   Describes the resource being shared.

When you execute the share command, the nfs/server service is enabled, and all the required NFS server daemons are started automatically. However, because you did not make an entry in the /etc/dfs/dfstab file, the share is not persistent across reboots.

To share a file system as read-only every time the system is started, you add this line to the /etc/dfs/dfstab file:

share -F nfs -o ro /data1

After you edit the /etc/dfs/dfstab file, restart the NFS server to start the NFS server daemons by either rebooting the system, typing the shareall command, or restarting the nfs/server service as follows:

# svcadm restart nfs/server<cr>

At startup, when the system enters the multi-user-server milestone, mountd and nfsd are not started if the /etc/dfs/dfstab file does not contain a share command. Even when you enable the nfs/server service, if the /etc/dfs/dfstab file does not contain a share command, the service remains disabled.

After you have made an initial entry in the /etc/dfs/dfstab file and have executed either the shareall or svcadm enable nfs/server command, you can add entries to the /etc/dfs/dfstab file without restarting the daemons. You simply execute the shareall command, and any new entries in the /etc/dfs/dfstab file are shared.

You can share additional file systems by typing the share command directly from the command line. Be aware, however, that if you don’t add the entry to the /etc/dfs/dfstab file, the file system is not automatically shared the next time the system is restarted.
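An added example, not from the book: a Python audit of dfstab share lines against the option semantics in Table 2.9. It reports shares open to all clients, root= and anon=0 grants, writable shares without nosuid, and the sys and none security modes. The sample file and the function names are constructed for illustration; options are treated as one flat set, and a share without sec= is assumed to use sys.

```python
import getopt
import shlex

# Constructed sample /etc/dfs/dfstab content (illustrative, not from a real server).
SAMPLE_DFSTAB = """\
# Place share(1M) commands here for automatic execution
share -F nfs /export/install/sunfire
share -F nfs -o ro=apollo:zeus -d "docs" /export/docs
share -F nfs -o rw=engineering,root=thor,anon=0 -d "home dirs" /export/home2
share -F nfs -o rw=engineering,sec=krb5p,nosuid /export/secure
share -F nfs -o ro,sec=none /export/pub
share -F nfs -o "ro /export/broken
"""

WEAK_SEC = {
    "sys": "sec=sys: UIDs and GIDs cross the network in clear text, unauthenticated",
    "none": "sec=none: null authentication",
}


def parse_share(line):
    """Return (pathname, options) for one share command, or None for other lines.

    Raises ValueError on unbalanced quotes and getopt.GetoptError on unknown flags.
    """
    tokens = shlex.split(line, comments=True)  # honours quotes, drops '#' comments
    if not tokens or tokens[0] not in ("share", "/usr/sbin/share"):
        return None
    flags, args = getopt.getopt(tokens[1:], "F:o:d:")
    if not args:
        return None  # share without a pathname only lists current shares
    options = {}
    for flag, value in flags:
        if flag == "-o":
            # Simplification: every option is kept in one flat set.
            for item in value.split(","):
                key, _, val = item.partition("=")
                options[key] = val  # bare options such as "ro" map to ""
    return args[0], options


def audit_share(options):
    """Return the findings for one share's option set."""
    findings = []
    bare_rw = options.get("rw") == ""
    bare_ro = options.get("ro") == ""
    if bare_rw or ("rw" not in options and "ro" not in options):
        findings.append("read-write to all clients (rw is the default)")
    elif bare_ro:
        findings.append("read-only to all clients")
    writable = "rw" in options or "ro" not in options
    if writable and "nosuid" not in options:
        findings.append("no nosuid: clients can create setuid/setgid files")
    if options.get("root"):
        findings.append("root access granted to: " + options["root"])
    if options.get("anon") == "0":
        findings.append("anon=0: unknown users get UID 0")
    # Assumption: a share with no sec= option uses the sys mode.
    for mode in options.get("sec", "sys").split(":"):
        if mode in WEAK_SEC:
            findings.append(WEAK_SEC[mode])
    return findings


def audit_dfstab(text):
    """Return [(line number, pathname or None, findings)] for every share line."""
    report = []
    for number, line in enumerate(text.splitlines(), start=1):
        try:
            parsed = parse_share(line)
        except (ValueError, getopt.GetoptError) as exc:
            report.append((number, None, ["unparsable line: %s" % exc]))
            continue
        if parsed:
            path, options = parsed
            report.append((number, path, audit_share(options)))
    return report


if __name__ == "__main__":
    for number, path, findings in audit_dfstab(SAMPLE_DFSTAB):
        print("line %d %s" % (number, path or "?"))
        for finding in findings:
            print("    " + finding)
```

An entry that comes back with an empty findings list, such as /export/secure in the sample, restricts clients by name, sets nosuid, and uses a Kerberos mode.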

EXAM ALERT

File system sharing: The exam often has at least one question related to the sharing of file systems. Remember that the NFS server daemons must be running in order for a shared resource to be available to the NFS clients.

The dfshares command displays information about the shared resources that are available to the host from an NFS server. Here is the syntax for dfshares:

dfshares <servername>

You can view the shared file systems on a remote NFS server by using the dfshares command, like this:

# dfshares apollo<cr>

If no <servername> is specified, all resources currently being shared on the local host are displayed. Another place to find information on shared resources is in the server’s /etc/dfs/sharetab file. This file contains a list of the resources currently being shared.

Mounting a Remote File System

Solaris 10 System Administration Exam Prep (Exam CX-310-200), Part I describes how to mount a local file system by using the mount command. You can use the same mount command to mount a shared file system on a remote host using NFS. Here is the syntax for mounting NFS file systems:

mount -F NFS <options> <-o specific-options> <-O> <server>:<file-system> <mount-point>

In this syntax, <server> is the name of the NFS server in which the file system is located, <file-system> is the name of the shared file system on the NFS server, and <mount-point> is the name of the local directory that serves as the mount point. As you can see, this is similar to mounting a local file system. The options for the mount command are described in Table 2.10.

Table 2.10 NFS mount Command Syntax

Option                  Description

-F NFS                  Specifies the FSType on which to operate. In this case the value is NFS.

-r                      Mounts the specified file system as read-only.

-m                      Does not append an entry to the /etc/mnttab table of the mounted file systems.

-o <specific-options>   Can be any of the following options, separated by commas:

    rw | ro: The resource is mounted read-write or read-only. The default is rw.

    acdirmax=<n>: The maximum time that cached attributes are held after directory update. The default is 60 seconds.

    acdirmin=<n>: The minimum time that cached attributes are held after directory update. The default is 30 seconds.

    acregmax=<n>: The maximum time that cached attributes are held after file modification. The default is 60 seconds.

    acregmin=<n>: The minimum time that cached attributes are held after file modification. The default is 3 seconds.

    actimeo=<n>: Set minimum and maximum times for directories and regular files, in seconds.

    forcedirectio | noforcedirectio: If the file system is mounted with forcedirectio, data is transferred directly between client and server, with no buffering on the client. Using noforcedirectio causes buffering to be done on the client.

    grpid: The GID of a new file is unconditionally inherited from that of the parent directory, overriding any set-GID options.

    noac: Suppress data and attribute caching.

    nocto: Do not perform the normal close-to-open consistency. This option can be used when only one client is accessing a specified file system. In this case, performance may be improved, but it should be used with caution.

    suid | nosuid: setuid execution is enabled or disabled. The default is suid.

    remount: If a file system is mounted as read-only, this option remounts it as read-write.

    bg | fg: If the first attempt to mount the remote file system fails, this option retries it in the background (bg) or in the foreground (fg). The default is fg.

    quota: This option checks whether the user is over the quota on this file system. If the file system has quotas enabled on the server, quotas are still checked for operations on this file system.

    noquota: This option prevents quota from checking whether the user has exceeded the quota on this file system. If the file system has quotas enabled on the server, quotas are still checked for operations on this file system.

    retry=<n>: This option specifies the number of times to retry the mount operation. The default is 10000.

    vers=<NFS-version-number>: By default, the version of NFS protocol used between the client and the server is the highest one available on both systems. If the NFS server does not support the NFS 4 protocol, the NFS mount uses version 2 or 3.

    port=<n>: This option specifies the server IP port number. The default is NFS_PORT.

    proto=netid | rdma: The default transport is the first rdma protocol supported by both client and server. If no rdma, TCP is used and, failing that, UDP. Note that NFS version 4 does not use UDP, so if you specify proto=udp, NFS version 4 is not used.

    public: Forces the use of the public file handle when connecting to the NFS server.

    sec=mode: Set the security mode for NFS transactions. NFS versions 3 and 4 mounts negotiate a security mode. Version 3 mounts pick the first mode supported, whereas version 4 mounts try each supported mode in turn, until one is successful.

    rsize=<n>: This option sets the read buffer size to <n> bytes. The default value is 32768 with version 3 or 4 of the NFS protocol. The default can be negotiated down if the server prefers a smaller transfer size. With NFS version 2, the default value is 8192.

    wsize=<n>: This option sets the write buffer size to <n> bytes. The default value is 32768 with version 3 or 4 of the NFS protocol. The default can be negotiated down if the server prefers a smaller transfer size. With version 2, the default value is 8192.

    timeo=<n>: This option sets the NFS timeout to <n> tenths of a second. The default value is 11 tenths of a second for connectionless transports and 600 tenths of a second for connection-oriented transports.

    retrans=<n>: This option sets the number of NFS retransmissions to <n>; the default value is 5. For connection-oriented transports, this option has no effect, because it is assumed that the transport will perform retransmissions on behalf of NFS.

    soft | hard: This option returns an error if the server does not respond (soft), or it continues the retry request until the server responds (hard). If you’re using hard, the system appears to hang until the NFS server responds. The default value is hard.

    intr | nointr: This option enables or does not enable keyboard interrupts to kill a process that hangs while waiting for a response on a hard-mounted file system. The default is intr, which makes it possible for clients to interrupt applications that might be waiting for an NFS server to respond.

    xattr | noxattr: Allow or disallow the creation of extended attributes. The default is xattr (allow extended attributes).

-O                      The overlay mount lets the file system be mounted over an existing mount point, making the underlying file system inaccessible. If a mount is attempted on a preexisting mount point and this flag is not set, the mount fails, producing the “device busy” error.

File systems mounted with the bg option indicate that mount is to retry in the background if the server’s mount daemon (mountd) does not respond when, for example, the NFS server is restarted. From the NFS client, mount retries the request up to the count specified in the retry=<n> option. After the file system is mounted, each NFS request made in the kernel waits a specified number of seconds for a response (specified with the timeo=<n> option). If no response arrives, the timeout is multiplied by 2, and the request is retransmitted. If the number of retransmissions has reached the number specified in the retrans=<n> option, a file system mounted with the soft option returns an error, and the file system mounted with the hard option prints a warning message and continues to retry the request. Sun recommends that file systems mounted as read-write or containing executable files should always be mounted with the hard option. If you use soft-mounted file systems, unexpected I/O errors can occur. For example, consider a write request: If the NFS server goes down, the pending write request simply gives up, resulting in a corrupted file on the remote file system. A read-write file system should always be mounted with the specified hard and intr options. This lets users make their own decisions about killing hung processes. You use the following to mount a file system named /data located on a host named thor with the hard and intr options:

# mount -F nfs -o hard,intr thor:/data /data<cr>

If a file system is mounted hard and the intr option is not specified, the process hangs when the NFS server goes down or the network connection is lost. The process continues to hang until the NFS server or network connection becomes operational. For a terminal process, this can be annoying. If intr is specified, sending an interrupt signal to the process kills it. For a terminal process, you can do this by pressing Ctrl+C. For a background process, sending an INT or QUIT signal usually works:

# kill -QUIT 3421<cr>

To mount a file system called /data that is located on an NFS server called thor, you issue the following command, as root, from the NFS client:

# mount -F nfs -o ro thor:/data /thor_data<cr>

In this case, the /data file system from the server thor is mounted read-only on /thor_data on the local system. Mounting from the command line enables temporary viewing of the file system. If the umount command is issued or the client is restarted, the mount is lost. If you would like this file system to be mounted automatically at every startup, you can add the following line to the /etc/vfstab file:

thor:/data - /thor_data nfs - yes ro

NOTE

Overkill won’t work: Sending a KILL signal (-9) does not terminate a hung NFS process.

To view resources that can be mounted on the local or remote system, you use the dfmounts command:

# dfmounts sunfire<cr>

The system responds with a list of file systems currently mounted on sparcserver:

RESOURCE  SERVER   PATHNAME  CLIENTS
-         sunfire  /usr      192.168.1.201
          sunfire  /usr/dt   192.168.1.201

Sometimes you rely on NFS mount points for critical information. If the NFS server were to go down unexpectedly, you would lose the information contained at that mount point. You can address this issue by using client-side failover. With client-side failover, you specify an alternative host to use in case the primary host fails. The primary and alternative hosts should contain equivalent directory structures and identical files. This option is available only on read-only file systems.

To set up client-side failover, on the NFS client, mount the file system using the -ro option. You can do this from the command line or by adding an entry to the /etc/vfstab file that looks like the following:

zeus,thor:/data - /remote_data nfs - no ro

If multiple file systems are named and the first server in the list is down, failover uses the next alternative server to access files. To mount a replicated set of NFS file systems, which might have different paths to the file system, you use the following mount command:

# mount -F nfs -o ro zeus:/usr/local/data,thor:/home/data /usr/local/data<cr>

Replication is discussed further in the “AutoFS” section, later in this chapter.
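An added example, not from the book: a Python check of the NFS entries in /etc/vfstab against the mount guidance in this section (hard for read-write mounts, intr so that hung processes can be interrupted, read-only for client-side failover), plus the suid default from Table 2.10, which it reports for review. The sample file and the function names are constructed for illustration, and the check assumes the seven-field vfstab layout with "-" for an empty options field.

```python
# Constructed sample /etc/vfstab content; hostnames follow the examples in this section.
SAMPLE_VFSTAB = """\
#device to mount  device to fsck  mount point  FS type  fsck pass  mount at boot  options
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 / ufs 1 no -
thor:/data - /thor_data nfs - yes ro
thor:/export/home - /home nfs - yes soft,nosuid
zeus,thor:/data - /remote_data nfs - no rw,hard,nointr,nosuid
zeus:/usr/local/data,thor:/home/data - /usr/local/data nfs - no ro,nosuid
apollo:/export/tools - /opt/tools nfs - yes -
thor:/scratch - /scratch nfs - yes
"""


def parse_vfstab(text):
    """Yield (line number, resource, mount point, options) for NFS entries.

    An entry that does not have exactly seven fields is yielded with
    mount point and options set to None so the caller can report it.
    """
    for number, line in enumerate(text.splitlines(), start=1):
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        if len(fields) != 7:
            yield number, fields[0], None, None
            continue
        resource, _fsck_dev, mount_point, fstype, _fsck_pass, _at_boot, optstr = fields
        if fstype != "nfs":
            continue
        options = {}
        if optstr != "-":                        # "-" means the mount defaults apply
            for item in optstr.split(","):
                key, _, value = item.partition("=")
                options[key] = value
        yield number, resource, mount_point, options


def audit_mount(resource, options):
    """Return findings for one NFS mount, applying the defaults rw, hard, intr, suid."""
    findings = []
    read_only = "ro" in options                  # default is rw
    soft = "soft" in options                     # default is hard
    if soft and not read_only:
        findings.append("soft on a read-write mount: a pending write is abandoned "
                        "if the server goes down")
    if not soft and "nointr" in options:         # default is intr
        findings.append("hard,nointr: a hung process cannot be interrupted")
    if "nosuid" not in options:                  # default is suid
        findings.append("setuid execution enabled (no nosuid)")
    # A comma in the resource names more than one server (client-side failover).
    if "," in resource and not read_only:
        findings.append("client-side failover needs a read-only mount")
    return findings


def audit_vfstab(text):
    """Return {line number: (mount point or resource, findings)} for NFS entries."""
    report = {}
    for number, resource, mount_point, options in parse_vfstab(text):
        if options is None:
            report[number] = (resource, ["malformed entry: expected 7 fields"])
        else:
            report[number] = (mount_point, audit_mount(resource, options))
    return report


if __name__ == "__main__":
    for number, (where, findings) in sorted(audit_vfstab(SAMPLE_VFSTAB).items()):
        print("line %d %s" % (number, where))
        for finding in findings:
            print("    " + finding)
```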

NFS Server Logging

A feature that first appeared in Solaris 8 is NFS server logging. NFS server logging provides event and audit logging functionality to networked file systems. The daemon nfslogd provides NFS logging, and you enable it by using the log=<tag> option in the share command, as described earlier in this chapter, in the section “Setting Up NFS.” When NFS logging is enabled, the kernel records all NFS operations on the file system in a buffer. The data recorded includes a timestamp, the client IP address (or hostname if it can be resolved), the UID of the requestor, the file handle of the resource that is being accessed, and the type of operation that occurred. The nfslogd daemon converts this information into ASCII records that are stored in ASCII log files.

NOTE

mount permissions: The mount and umount commands require root access. The umount command and /etc/vfstab file are described in Solaris 10 System Administration Exam Prep (Exam CX-310-200), Part I.

EXAM ALERT

NFS server logging configuration: You should be familiar with the concept of NFS server logging, especially the location of the configuration file (/etc/nfs/nfslog.conf). The nfs directory in the path can be easily forgotten, and you lose an exam point unnecessarily if you leave it out.

NOTE

Logging pros and cons: NFS server logging is particularly useful for being able to audit operations carried out on a shared file system. The logging can also be extended to audit directory creations and deletions. With logging enabled, however, the logs can become large and consume huge amounts of disk space. It is necessary to configure NFS logging appropriately so that the logs are pruned at regular intervals.

NOTE

No logging in NFS version 4: Remember that NFS logging is not supported in NFS version 4.

To enable NFS server logging, follow the procedure described in Step By Step 2.5.

STEP BY STEP

2.5 Enabling NFS Server Logging

1. As root, share the file system over NFS by typing the following entry at the command prompt:

# share -F nfs -o ro,log=global <file-system-name><cr>

Add this entry to your /etc/dfs/dfstab file if you want it to go into effect every time the server is booted.

2. If the nfslogd daemon is not already running, start it by entering this:

# /usr/lib/nfs/nfslogd<cr>

You can change the configuration settings in the NFS server logging configuration file /etc/nfs/nfslog.conf. This file defines pathnames, filenames, and types of logging to be used by nfslogd. Each definition is associated with a tag. The global tag defines the default values, but you can create new tags and specify them for each file system you share. The NFS operations to be logged by nfslogd are defined in the /etc/default/nfslogd configuration file.

Troubleshooting NFS Errors

Objective

. Troubleshoot various NFS errors

After you configure NFS, it’s not uncommon to encounter various NFS error messages. The following sections describe some of the common errors you may encounter while using NFS.

The stale NFS file handle Message

This message appears when a file was deleted on the NFS server and replaced with a file of the same name. In this case, the NFS server generates a new file handle for the new file. If the client is still using the old file handle, the server returns an error that the file handle is stale. If a file on the NFS server was simply renamed, the file handle remains the same.

A solution to this problem is to unmount and remount the NFS resource on the client.

The RPC: Program not registered Error

You may receive this message while trying to mount a remote NFS resource or during the boot process. This message indicates that the NFS server is not running the mountd daemon.

To solve the problem, log in to the NFS server and type:

# who -r<cr>

Make sure that the server is at run level 3.

Check to verify that the nfsd daemon is running by issuing the following command:

# pgrep -fl mountd<cr>

If nfsd is not running, verify that you have the directory shared in the /etc/dfs/dfstab file, and try starting the nfs/server service:

# svcadm enable svc:/network/nfs/server<cr>

The NFS: service not responding Error

This error message indicates that the NFS server may not be running the required NFS server daemons.

To solve the problem, log in to the NFS server and type:

# who -r<cr>

Make sure that the server is at run level 3.

Check to verify that the mountd daemon is running by issuing the following command:

# pgrep -fl mountd<cr>

If mountd is not running, verify that you have the directory shared in the /etc/dfs/dfstab file, and try starting the nfs/server service:

# svcadm enable svc:/network/nfs/server<cr>

The server not responding Error

This message appears when the NFS server is inaccessible for some reason.

To solve the problem, verify that network connectivity exists between the client and the NFS server.

The RPC: Unknown host Error

This message indicates that the hostname of the NFS server is missing from the hosts table.

To solve the problem, verify that you’ve typed the server name correctly and that the hostname can be resolved properly.

The NFS server not responding, still trying Message

This message appears when the NFS server is inaccessible for some reason; your NFS server might have failed. It’s possible that the NFS server hostname is down or a problem has occurred with the server or the network. It could be that the NFS server is too busy to respond to the NFS request.

To solve the problem, verify that network connectivity exists between the client and the NFS server. You may need to set up a failover server or move the NFS resource to a server that has the capacity to better respond to the NFS requests.

The No such file or directory Error

You may receive this message while trying to mount a remote resource or during the boot process. This error indicates that an unknown file resource is on the NFS server.

To solve the problem, make sure that you are specifying the correct directory name that is shared on the server. Check the spelling on the command line or in the /etc/vfstab file. Execute the dfshares command on the server to verify the name of the shared resource.

AutoFS

Objective

. Explain and manage AutoFS and use automount maps (master, direct, and indirect) to configure automounting.

When a network contains even a moderate number of systems, all trying to mount file systems from each other, managing NFS can quickly become a nightmare. The AutoFS facility, also called the automounter, is designed to handle such situations by providing a method by which remote directories are mounted automatically, only when they are being used. AutoFS, a client-side service, is a file system structure that provides automatic mounting.

When a user or an application accesses an NFS mount point, the mount is established. When the file system is no longer needed or has not been accessed for a certain period, the file system is automatically unmounted. As a result, network overhead is lower, the system boots faster because NFS mounts are done later, and systems can be shut down with fewer ill effects and hung processes.

File systems shared through the NFS service can be mounted via AutoFS. AutoFS is initialized by automount, which is run automatically when a system is started. The automount daemon, automountd, runs continuously, mounting and unmounting remote directories on an as-needed basis.

Mounting does not need to be done at system startup, and the user does not need to know the superuser password to mount a directory (normally file system mounts require superuser privilege). With AutoFS, users do not use the mount and umount commands. The AutoFS service mounts file systems as the user accesses them and unmounts file systems when they are no longer required, without any intervention on the part of the user.

However, some file systems still need to be mounted by using the mount command with root privileges. For example, on a diskless computer you must mount / (root), /usr, and /usr/kvm by using the mount command, and you cannot take advantage of AutoFS.

Two programs support the AutoFS service: automount and automountd. Both are run when a system is started by the svc:/system/filesystem/autofs:default service identifier.

The automount service sets up the AutoFS mount points and associates the information in the /etc/auto_master file with each mount point. The automount command, which is called at system startup time, reads the master map file /etc/auto_master to create the initial set of AutoFS mounts. These mounts are not automatically mounted at startup time. They are trigger points, also called trigger nodes, under which file systems are mounted in the future. The following is the syntax for automount:

automount [-t <duration>] [-v]

Table 2.11 describes the syntax options for the automount command.

Table 2.11 automount Command SyntaxOption Description

-t <duration> Sets the time, in seconds, that a file system is to remain mounted if it is not beingused. The default value is 600 seconds.

-v Selects verbose mode. Running the automount command in verbose modeallows easier troubleshooting.

If it is not specifically set, the value for <duration> of an unused mount is set to 10 minutes.In most circumstances, this value is good; however, on systems that have many automountedfile systems, you might need to decrease the <duration> value. In particular, if a server hasmany users, active checking of the automounted file systems every 10 minutes can be ineffi-cient. Checking AutoFS every 300 seconds (5 minutes) might be better. You can edit the/etc/default/autofs script to change the default values and make them persistent acrossreboots.

If AutoFS receives a request to access a file system that is not currently mounted, AutoFS callsautomountd, which mounts the requested file system under the trigger node.

The automountd daemon handles the mount and unmount requests from the AutoFS service.The syntax of this command is as follows:automountd [-Tnv] [-D <name>=<value>]

Table 2.12 describes the syntax options for the automountd command.

Table 2.12 automountd Command SyntaxOption Description

-T Displays each remote procedure call (RPC) to standard output. You use thisoption for troubleshooting.

-n Disables browsing on all AutoFS nodes.

-v Logs all status messages to the console.

-D <name>=<value> Substitutes value for the automount map variable indicated by <name>. Thedefault <value> for the automount map is /etc/auto_master.

The automountd daemon is completely independent from the automount command. Because of this separation, it is possible to add, delete, or change map information without first having to stop and start the automountd daemon process.


When AutoFS runs, automount and automountd initiate at startup time from the svc:/system/filesystem/autofs service identifier. If a request is made to access a file system at an AutoFS mount point, the system goes through the following steps:

1. AutoFS intercepts the request.

2. AutoFS sends a message to the automountd daemon for the requested file system to be mounted.

3. automountd locates the file system information in a map and performs the mount.

4. AutoFS allows the intercepted request to proceed.

5. AutoFS unmounts the file system after a period of inactivity.


NOTE: Automatic, not manual, mounts. Mounts managed through the AutoFS service should not be manually mounted or unmounted. Even if the operation is successful, the AutoFS service does not check that the object has been unmounted, and this can result in possible inconsistency. A restart clears all AutoFS mount points.

To see who might be using a particular NFS mount, you use the showmount command. The syntax for showmount is shown here:

showmount <options>

The options for the showmount command are described in Table 2.13.

Table 2.13 showmount Command Syntax

Option    Description
-a        Prints all the remote mounts in the format <hostname> : <directory>. <hostname> is the name of the client, and <directory> is the root of the file system that has been mounted.
-d        Lists directories that have been remotely mounted by clients.
-e        Prints the list of shared file systems.

The following example illustrates the use of showmount to display file systems currently mounted from remote systems. On the NFS server named neptune, you could enter the following command:

# showmount -a<cr>


The system would display the following information:

apollo:/export/home/neil

showmount says that the remote host, apollo, is currently mounting /export/home/neil on this server.

AutoFS Maps

The behavior of the automounter is governed by its configuration files, called maps. AutoFS searches maps to navigate its way through the network. Map files contain information, such as the location of other maps to be searched or the location of a user’s home directory, for example.

The three types of automount maps are the master map, the direct map, and the indirect map. Each is described in the following sections.

Master Maps

To start the navigation process, the automount command reads the master map at system startup. This map tells the automounter about map files and mount points. The master map lists all direct and indirect maps and their associated directories.

The master map, which is in the /etc/auto_master file, associates a directory with a map. The master map is a list that specifies all the maps that AutoFS should check. The following example shows what an auto_master file could contain:

# Master map for automounter
#
+auto_master
/net -hosts -nosuid,nobrowse
/home auto_home -nobrowse

This example shows the default auto_master file. The lines that begin with # are comments. The line that contains +auto_master specifies the AutoFS NIS table map, which is explained in Chapter 5, “Naming Services.” Each line thereafter in the master map, /etc/auto_master, has the following syntax:

<mount-point> <map-name> <mount-options>

Each of these fields is described in Table 2.14.


Table 2.14 /etc/auto_master Fields

Field              Description
<mount-point>      The full (absolute) pathname of a directory that is used as the mount point. If the directory does not exist, AutoFS creates it, if possible. If the directory does exist and is not empty, mounting it hides its contents. In that case, AutoFS issues a warning. Using the notation /- as a mount point indicates that a direct map with no particular mount point is associated with the map.
<map-name>         The map that AutoFS uses to find directions to locations or mount information. If the name is preceded by a slash (/), AutoFS interprets the name as a local file. Otherwise, AutoFS searches for the mount information by using the search specified in the name service switch configuration file (/etc/nsswitch.conf). Name service switches are described in Chapter 9, “Administering ZFS File Systems.”
<mount-options>    An optional comma-separated list of options that apply to the mounting of the entries specified in <map-name>, unless the entries list other options. Options for each specific type of file system are listed in Table 2.10. For NFS-specific mount points, the bg (background) and fg (foreground) options do not apply.

NOTE: Map format. A line that begins with a pound sign (#) is a comment, and everything that follows it until the end of the line is ignored. To split long lines into shorter ones, you can put a backslash (\) at the end of the line. The maximum number of characters in an entry is 1,024.

Every Solaris installation comes with a master map, called /etc/auto_master, that has the default entries described earlier. Without any changes to the generic system setup, clients should be able to access remote file systems through the /net mount point. The following entry in /etc/auto_master allows this to happen:

/net -hosts -nosuid,nobrowse

For example, let’s say that you have an NFS server named apollo that has the /export file system shared. Another system, named zeus, exists on the network. This system has the default /etc/auto_master file; by default, it has a directory named /net. If you type the following, the command comes back showing that the directory is empty; nothing is in it:

# ls /net<cr>

Now type this:

# ls /net/apollo<cr>

The system responds with this:

export


Why was the /net directory empty the first time you issued the ls command? When you issued ls /net/apollo, why did it find a subdirectory? This is the automounter in action. When you specified /net with a hostname, automountd looked at the map file (in this case, /etc/hosts) and found apollo and its IP address. It then went to apollo, found the exported file system, and created a local mount point for /net/apollo/export. It also added this entry to the /etc/mnttab table:

-hosts /net/apollo/export autofs nosuid,nobrowse,ignore,nest,dev=2b80005 941812769

This entry in the /etc/mnttab table is referred to as a trigger node (because changing to the specified directory “triggers” the mount of the file system).

If you enter mount, you won’t see anything mounted at this point:

# mount<cr>

The system responds with this:

/ on /dev/dsk/c0t3d0s0 read/write/setuid/largefiles on Mon Aug 11 09:45:21 2008
/usr on /dev/dsk/c0t3d0s6 read/write/setuid/largefiles on Mon Aug 11 09:45:21 2008
/proc on /proc read/write/setuid on Mon Aug 11 09:45:21 2008
/dev/fd on fd read/write/setuid on Mon Aug 11 09:45:21 2008
/export on /dev/dsk/c0t3d0s3 setuid/read/write/largefiles on \
Mon Aug 11 09:45:24 2008
/export/swap on /dev/dsk/c0t3d0s4 setuid/read/write/largefiles on \
Mon Aug 11 09:45:24 2008
/tmp on swap read/write on Mon Aug 11 09:45:24 2008

Now type this:

# ls /net/apollo/export<cr>

You should have a bit of a delay while automountd mounts the file system. The system responds with a list of files located on the mounted file system. For this particular system, it responds with the following:

files lost+found

The files listed are files located on apollo, in the /export directory. If you enter mount, you see a file system mounted on apollo that wasn’t listed before:

# mount<cr>
/ on /dev/dsk/c0t3d0s0 read/write/setuid/largefiles on Mon Aug 11 09:45:21 2008
/usr on /dev/dsk/c0t3d0s6 read/write/setuid/largefiles on Mon Aug 11 09:45:21 2008
/proc on /proc read/write/setuid on Mon Aug 11 09:45:21 2008
/dev/fd on fd read/write/setuid on Mon Aug 11 09:45:21 2008
/export on /dev/dsk/c0t3d0s3 setuid/read/write/largefiles on Mon Aug 11 09:45:24 2008
/export/swap on /dev/dsk/c0t3d0s4 setuid/read/write/largefiles on Mon Aug 11 09:45:24 \
2008
/tmp on swap read/write on Mon Aug 11 09:45:24 2008
/net/apollo/export on apollo:/export nosuid/remote on \
Fri Aug 15 09:48:03 2008

The automounter automatically mounted the /export file system that was located on apollo. Now look at the /etc/mnttab file again, and you will see additional entries:

# more /etc/mnttab<cr>
/dev/dsk/c0t3d0s0 / ufs rw,suid,dev=800018,largefiles 941454346
/dev/dsk/c0t3d0s6 /usr ufs rw,suid,dev=80001e,largefiles 941454346
/proc /proc proc rw,suid,dev=2940000 941454346
fd /dev/fd fd rw,suid,dev=2a00000 941454346
/dev/dsk/c0t3d0s3 /export ufs suid,rw,largefiles,dev=80001b 941454349
/dev/dsk/c0t3d0s4 /export/swap ufs suid,rw,largefiles,\
dev=80001c 941454349
swap /tmp tmpfs dev=1 941454349
-hosts /net autofs ignore,indirect,nosuid,nobrowse,dev=2b80001\
941454394
auto_home /home autofs ignore,indirect,nobrowse,dev=2b80002\
941454394
-xfn /xfn autofs ignore,indirect,dev=2b80003 941454394
sunfire:vold(pid246) /vol nfs ignore,noquota,dev=2b40001\
941454409
-hosts /net/apollo/export autofs nosuid,nobrowse,ignore,nest,\
dev=2b80005 941812769
apollo:/export /net/apollo/export nfs nosuid,dev=2b40003 941813283

If the /net/apollo/export directory is accessed, the AutoFS service completes the process, with these steps:

1. It pings the server’s mount service to see if it’s alive.

2. It mounts the requested file system under /net/apollo/export. Now the /etc/mnttab file contains the following entries:

-hosts /net/apollo/export autofs nosuid,nobrowse,ignore,nest,\
dev=2b80005 941812769
apollo:/export /net/apollo/export nfs nosuid,dev=2b40003 941813283


Because the automounter lets all users mount file systems, root access is not required. AutoFS also provides for automatic unmounting of file systems, so there is no need to unmount them when you are done.

Direct Maps

A direct map lists a set of unrelated mount points that might be spread out across the file system. A complete path (for example, /usr/local/bin, /usr/man) is listed in the map as a mount point. A good example of where to use a direct mount point is for /usr/man. The /usr directory contains many other directories, such as /usr/bin and /usr/local; therefore, it cannot be an indirect mount point. If you used an indirect map for /usr/man, the local /usr file system would be the mount point, and you would cover up the local /usr/bin and /usr/etc directories when you established the mount. A direct map lets the automounter complete mounts on a single directory entry such as /usr/man, and these mounts appear as links with the name of the direct mount point.

A direct map is specified in a configuration file called /etc/auto_direct. With a direct map, there is a direct association between a mount point on the client and a directory on the server. A direct map has a full pathname and indicates the relationship explicitly. This is a typical /etc/auto_direct map:

/usr/local -ro \
    /share ivy:/export/local/share \
    /src ivy:/export/local/src
/usr/man -ro apollo:/usr/man zeus:/usr/man neptune:/usr/man
/usr/game -ro peach:/usr/games
/usr/spool/news -ro jupiter:/usr/spool/news saturn:/var/spool/news

NOTE: Map naming. The direct map name /etc/auto_direct is not a mandatory name; it is used here as an example of a direct map. The name of a direct map must be added to the /etc/auto_master file, but it can be any name you choose, although it should be meaningful to the system administrator.

Lines in direct maps have the following syntax:

<key> <mount-options> <location>

The fields of this syntax are described in Table 2.15.


Table 2.15 Direct Map Fields

Field              Description
<key>              Indicates the pathname of the mount point in a direct map. This pathname specifies the local directory on which to mount the automounted directory.
<mount-options>    Indicates the options you want to apply to this particular mount. These options, which are listed in Table 2.10, are required only if they differ from the map default options specified in the /etc/auto_master file. There is no concatenation of options between the automounter maps. Any options added to an automounter map override all the options listed in previously searched maps. For instance, options included in the auto_master map would be overwritten by corresponding entries in any other map.
<location>         Indicates the remote location of the file system, specified as <server:pathname>. More than one location can be specified. <pathname> should not include an automounted mount point; it should be the actual absolute path to the file system. For instance, the location of a home directory should be listed as server:/export/home/username, not as server:/home/username.

In the previous example of the /etc/auto_direct map file, the mount points, /usr/man and /usr/spool/news, list more than one location:

/usr/man -ro apollo:/usr/man zeus:/usr/man neptune:/usr/man
/usr/spool/news -ro jupiter:/usr/spool/news saturn:/var/spool/news

Multiple locations, such as those shown here, are used for replication, or failover. For the purposes of failover, a file system can be called a replica if each file is the same size and it is the same type of file system. Permissions, creation dates, and other file attributes are not a consideration. If the file size or the file system types are different, the remap fails and the process hangs until the old server becomes available.

Replication makes sense only if you mount a file system that is read-only because you must have some control over the locations of files that you write or modify. You don’t want to modify one server’s files on one occasion and, minutes later, modify the “same” file on another server. The benefit of replication is that the best available server is used automatically, without any effort required by the user.

If the file systems are configured as replicas, the clients have the advantage of using failover. Not only is the best server automatically determined, but, if that server becomes unavailable, the client automatically uses the next-best server.

An example of a good file system to configure as a replica is the manual (man) pages. In a large network, more than one server can export the current set of man pages. Which server you mount them from doesn’t matter, as long as the server is running and sharing its file systems. In the previous example, multiple replicas are expressed as a list of mount locations in the map entry. With multiple mount locations specified, you could mount the man pages from the apollo, zeus, or neptune servers. The best server depends on a number of factors, including the number of servers supporting a particular NFS protocol level, the proximity of the server, and weighting. The process of selecting a server goes like this:

1. During the sorting process, a count of the number of servers supporting the NFS version 2, 3, and 4 protocols is done. The protocol supported on the most servers is the protocol that is supported by default. This provides the client with the maximum number of servers to depend on. If version 3 servers are most abundant, the sorting process becomes more complex, because they will be chosen as long as a version 2 server on the local subnet is not being ignored. Normally servers on the local subnet are given preference over servers on a remote subnet. A version 2 server on the local subnet can complicate matters because it could be closer than the nearest version 3 server. If there is a version 2 server on the local subnet, and the closest version 3 server is on a remote subnet, the version 2 server is given preference. This is checked only if there are more version 3 servers than version 2 servers. If there are more version 2 servers than version 3 servers, only a version 2 server is selected.

2. After the largest subset of servers that have the same protocol version is found, that server list is sorted by proximity. Servers on the local subnet are given preference over servers on a remote subnet. The closest server is given preference, which reduces latency and network traffic. If several servers are supporting the same protocol on the local subnet, the time to connect to each server is determined, and the fastest time is used.

You can influence the selection of servers at the same proximity level by adding a numeric weighting value in parentheses after the server name in the AutoFS map. Here’s an example:

/usr/man -ro apollo,zeus(1),neptune(2):/usr/man

Servers without a weighting have a value of 0, which makes them the most likely servers to be selected. The higher the weighting value is, the less chance the server has of being selected. All other server-selection factors are more important than weighting. Weighting is considered only in selections between servers with the same network proximity.

With failover, the sorting is checked once at mount time, to select one server from which to mount, and again if the mounted server becomes unavailable. Failover is particularly useful in a large network with many subnets. AutoFS chooses the nearest server and therefore confines NFS network traffic to a local network segment. In servers with multiple network interfaces, AutoFS lists the hostname associated with each network interface as if it were a separate server. It then selects the nearest interface to the client.
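The proximity-then-weighting ordering described above can be sketched in Python; this is an added example, not code from the book or from AutoFS itself. It parses both replica notations shown in this section and leaves out protocol-version counting and connect-time measurement; the client subnet, the server addresses, and the function names are constructed assumptions.

```python
"""Order replicated AutoFS locations by subnet proximity, then weighting."""
import ipaddress
import re

# Constructed network layout (assumption): a map holds only server names and
# weights, so where each server sits has to be supplied from elsewhere.
CLIENT_NET = ipaddress.ip_network("192.168.1.0/24")
SERVER_ADDR = {
    "apollo": "10.0.5.20",      # remote subnet, no weighting
    "zeus": "192.168.1.11",     # local subnet, weighting 1
    "neptune": "192.168.1.12",  # local subnet, weighting 2
}

_HOST = re.compile(r"^([A-Za-z0-9._-]+)(?:\((\d+)\))?$")


def parse_locations(text):
    """Expand a <location> field into (host, weight, path) tuples.

    Accepts 'apollo:/usr/man zeus:/usr/man' as well as the compact
    'apollo,zeus(1),neptune(2):/usr/man'; a missing weighting means 0.
    """
    replicas = []
    for field in text.split():
        hosts, sep, path = field.partition(":")
        if not sep or not path.startswith("/"):
            raise ValueError("not a <server:pathname> location: %r" % field)
        for item in hosts.split(","):
            m = _HOST.match(item)
            if m is None:
                raise ValueError("bad server name or weighting: %r" % item)
            replicas.append((m.group(1), int(m.group(2) or 0), path))
    return replicas


def rank(replicas, client_net, addresses):
    """Local-subnet servers first; weighting only breaks ties at equal proximity."""
    def sort_key(replica):
        host, weight, _path = replica
        addr = addresses.get(host)
        local = addr is not None and ipaddress.ip_address(addr) in client_net
        return (0 if local else 1, weight)
    return sorted(replicas, key=sort_key)  # stable: map order breaks exact ties


def next_server(ranked, unavailable):
    """Failover: the best-ranked server that is not marked unavailable."""
    for host, _weight, _path in ranked:
        if host not in unavailable:
            return host
    return None


def replication_is_safe(options, replicas):
    """Replicated entries should be read-only, as the text above explains."""
    return len(replicas) < 2 or "ro" in options


if __name__ == "__main__":
    ranked = rank(parse_locations("apollo,zeus(1),neptune(2):/usr/man"),
                  CLIENT_NET, SERVER_ADDR)
    for host, weight, path in ranked:
        print(host, weight, path)
    print("after zeus fails:", next_server(ranked, {"zeus"}))
```

With this layout apollo sorts last even though its weighting is 0, because it is on a remote subnet and weighting never outranks proximity.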

In the following example, you set up a direct map for /usr/local on zeus. Currently, zeus has a directory called /usr/local with the following directories:

# ls /usr/local<cr>

The following local directories are displayed:

bin etc files programs

If you set up the automount direct map, you can see how the /usr/local directory is overwritten by the NFS mount. Follow the procedure shown in Step By Step 2.6.

STEP BY STEP
2.6 Creating a Direct Map

For this Step By Step, you need two systems: a local system (client) and a remote system named zeus. It does not matter what the local (client) system is named, but if your remote system is not named zeus, be sure to substitute your system’s hostname.

Perform steps 1 and 2 on the remote system, zeus:

1. Create a directory named /usr/local, and share it:

# mkdir /usr/local<cr>
# share -F nfs /usr/local<cr>

2. Create the following files and directories in the /usr/local directory:

# mkdir /usr/local/bin /usr/local/etc<cr>
# touch /usr/local/files /usr/local/programs<cr>

Perform steps 3 through 5 on the local system (client):

3. Add the following entry in the master map file called /etc/auto_master:

/- /etc/auto_direct

4. Create the direct map file called /etc/auto_direct with the following entry:

/usr/local zeus:/usr/local

5. Because you’re modifying a direct map, run automount to reload the AutoFS tables:

# automount<cr>

If you have access to the /usr/local directory, the NFS mount point is established by using the direct map you have set up. The contents of /usr/local have changed because the direct map has covered up the local copy of /usr/local:

# ls /usr/local<cr>

You should see the following directories listed:

fasttrack answerbook

If you enter the mount command, you see that /usr/local is now mounted remotely from zeus:

# mount<cr>
/ on /dev/dsk/c0t3d0s0 read/write/setuid/largefiles on Mon Aug 11 09:45:21 2008
/usr on /dev/dsk/c0t3d0s6 read/write/setuid/largefiles on Mon Aug 11 09:45:21 2008
/proc on /proc read/write/setuid on Mon Aug 11 09:45:21 2008
/dev/fd on fd read/write/setuid on Mon Aug 11 09:45:21 2008
/export on /dev/dsk/c0t3d0s3 setuid/read/write/largefiles on Mon Aug 11 09:45:24 2008
/export/swap on /dev/dsk/c0t3d0s4 setuid/read/write/largefiles on Mon Aug 11 09:45:24 2008
/tmp on swap read/write on Mon Aug 11 09:45:24 2008
/usr/local on zeus:/usr/local read/write/remote on Sat Aug 16 08:06:40 2008

Indirect Maps

Indirect maps are the simplest and most useful AutoFS maps. An indirect map uses a key’s substitution value to establish the association between a mount point on the client and a directory on the server. Indirect maps are useful for accessing specific file systems, such as home directories, from anywhere on the network. The following entry in the /etc/auto_master file is an example of an indirect map:

/share /etc/auto_share

With this entry in the /etc/auto_master file, /etc/auto_share is the name of the indirect map file for the mount point /share. For this entry, you need to create an indirect map file named /etc/auto_share, which would look like this:

# share directory map for automounter
#
ws neptune:/export/share/ws

If the /share/ws directory is accessed, the AutoFS service creates a trigger node for /share/ws, and the following entry is made in the /etc/mnttab file:

-hosts /share/ws autofs nosuid,nobrowse,ignore,nest,dev=###

NOTE: Overlay mounting. The local contents of /usr/local have not been overwritten. After the NFS mount point is unmounted, the original contents of /usr/local are redisplayed.

If the /share/ws directory is accessed, the AutoFS service completes the process with these steps:

1. It pings the server’s mount service to see if it’s alive.

2. It mounts the requested file system under /share. Now the /etc/mnttab file contains the following entries:

-hosts /share/ws autofs nosuid,nobrowse,ignore,nest,dev=###
neptune:/export/share/ws /share/ws nfs nosuid,dev=#### #####

Lines in indirect maps have the following syntax:

<key> <mount-options> <location>

The fields in this syntax are described in Table 2.16.

Table 2.16 Indirect Map Field Syntax

Field              Description
<key>              A simple name (with no slashes) in an indirect map.
<mount-options>    The options you want to apply to this particular mount. These options, which are described in Table 2.10, are required only if they differ from the map default options specified in the /etc/auto_master file.
<location>         The remote location of the file system, specified as <server:pathname>. More than one location can be specified. <pathname> should not include an automounted mount point; it should be the actual absolute path to the file system. For instance, the location of a directory should be listed as server:/usr/local, not as server:/net/server/usr/local.

For example, say an indirect map is being used with user home directories. As users log in to several different systems, their home directories are not always local to the system. It’s convenient for the users to use the automounter to access their home directories, regardless of what system they’re logged in to. To accomplish this, the default /etc/auto_master map file needs to contain the following entry:

/home /etc/auto_home -nobrowse

/etc/auto_home is the name of the indirect map file that contains the entries to be mounted under /home. A typical /etc/auto_home map file might look like this:

# more /etc/auto_home<cr>
dean willow:/export/home/dean
william cypress:/export/home/william
nicole poplar:/export/home/nicole
glenda pine:/export/home/glenda
steve apple:/export/home/steve
burk ivy:/export/home/burk
neil -rw,nosuid peach:/export/home/neil

NOTE: Indirect map names. As with direct maps, the actual name of an indirect map is up to the system administrator, but a corresponding entry must be placed in the /etc/auto_master file, and the name should be meaningful to the system administrator.

Now assume that the /etc/auto_home map is on the host oak. If user neil has an entry in the password database that specifies his home directory as /home/neil, whenever he logs in to computer oak, AutoFS mounts the directory /export/home/neil, which resides on the computer peach. Neil’s home directory is mounted read-write, nosuid. Anyone, including Neil, has access to this path from any computer set up with the master map referring to the /etc/auto_home map in this example. Under these conditions, user neil can run login, or rlogin, on any computer that has the /etc/auto_home map set up, and his home directory is mounted in place for him.

Another example of when to use an indirect map is when you want to make all project-related files available under a directory called /data that is to be common across all workstations at the site. Step By Step 2.7 shows how to do this.

STEP BY STEP
2.7 Setting Up an Indirect Map

1. Add an entry for the /data directory to the /etc/auto_master map file:

/data /etc/auto_data -nosuid

The auto_data map file, named /etc/auto_data, determines the contents of the /data directory.

2. Add the -nosuid option as a precaution. The -nosuid option prevents users from creating files with the setuid or setgid bit set.

3. Create the /etc/auto_data file and add entries to the auto_data map. The auto_data map is organized so that each entry describes a subproject. Edit /etc/auto_data to create a map that looks like the following:

compiler apollo:/export/data/&
window apollo:/export/data/&
files zeus:/export/data/&
drivers apollo:/export/data/&
man zeus:/export/data/&
tools zeus:/export/data/&

Because the servers apollo and zeus view similar AutoFS maps locally, any users who log in to these computers find the /data file system as expected. These users are provided direct access to local files through loopback mounts instead of NFS mounts.

4. Because you changed the /etc/auto_master map, the final step is to reload the AutoFS tables:

# automount<cr>

Now, if a user changes to the /data/compiler directory, the mount point to apollo:/export/data/compiler is created:

# cd /data/compiler<cr>

5. Type mount to see the mount point that was established:

# mount<cr>

The system shows that /data/compiler is mapped to apollo:/export/data/compiler:

/data/compiler on apollo:/export/data/compiler read/write/remote on Fri Aug\
15 17:17:02 2008

If the user changes to /data/tools, the mount point to zeus:/export/data/tools is created under the mount point /data/tools.

NOTE: Using the entry key. The ampersand (&) at the end of each entry is an abbreviation for the entry key. For instance, the first entry is equivalent to compiler apollo:/export/data/compiler.

NOTE: Directory creation. There is no need to create the directory /data/compiler to be used as the mount point. AutoFS creates all the necessary directories before establishing the mount.

You can modify, delete, or add entries to maps to meet the needs of the environment. As applications (and other file systems that users require) change location, the maps must reflect those changes. You can modify AutoFS maps at any time. However, changes do not take place until the file system is unmounted and remounted. If a change is made to the auto_master map or to a direct map, those changes do not take place until the AutoFS tables are reloaded:

# automount<cr>
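The -nosuid precaution in Step By Step 2.7 holds only while no map entry supplies options of its own, because of the override rule given in Table 2.15. The following Python audit is an added example, not part of the book: it parses master, direct, and indirect maps in the format described in this section and lists every mount whose effective options lack nosuid. The map contents are constructed samples, the scratch entry is invented for illustration, and the option resolution follows the rule as this chapter states it.

```python
"""Audit AutoFS maps for mounts whose effective options lack nosuid."""

# Constructed sample maps, modelled on the entries shown in this chapter.
MASTER = """\
# Master map for automounter
+auto_master
/net   -hosts           -nosuid,nobrowse
/home  /etc/auto_home   -nobrowse
/-     /etc/auto_direct
/data  /etc/auto_data   -nosuid
"""
MAPS = {
    "/etc/auto_home": """\
dean  willow:/export/home/dean
neil  -rw,nosuid  peach:/export/home/neil
""",
    "/etc/auto_direct": """\
/usr/man  -ro  apollo:/usr/man zeus:/usr/man \\
               neptune:/usr/man
""",
    "/etc/auto_data": """\
compiler  apollo:/export/data/&
scratch   -rw  zeus:/export/data/&   # constructed entry, not from the chapter
""",
}


def logical_lines(text):
    """Yield map entries: drop # comments, join backslash continuations."""
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if line:
            yield line
    if pending.strip():
        yield pending.strip()


def parse_options(field):
    """'-ro,nosuid' -> ['ro', 'nosuid']."""
    return [opt for opt in field.lstrip("-").split(",") if opt]


def parse_master(text):
    """Return (mount_point, map_name, options) for each master map entry."""
    entries = []
    for line in logical_lines(text):
        fields = line.split()
        if fields[0].startswith("+") or len(fields) < 2:
            continue  # +auto_master names a name-service map, not a local entry
        opts = parse_options(fields[2]) if len(fields) > 2 else []
        entries.append((fields[0], fields[1], opts))
    return entries


def parse_map(text):
    """Return (key, options_or_None, locations) for each map entry."""
    entries = []
    for line in logical_lines(text):
        fields = line.split()
        key, rest = fields[0], fields[1:]
        opts = None
        if rest and rest[0].startswith("-"):
            opts, rest = parse_options(rest[0]), rest[1:]
        # '&' in a location is an abbreviation for the entry key.
        entries.append((key, opts, [loc.replace("&", key) for loc in rest]))
    return entries


def effective_mounts(master_text, maps):
    """Resolve every entry to (path, effective_options, locations)."""
    mounts = []
    for mount_point, map_name, master_opts in parse_master(master_text):
        if map_name.startswith("-"):  # built-in map such as -hosts
            mounts.append((mount_point, master_opts, [map_name]))
            continue
        for key, opts, locations in parse_map(maps.get(map_name, "")):
            # Direct map (/-): the key is the full path; indirect: key under mount point.
            path = key if mount_point == "/-" else mount_point.rstrip("/") + "/" + key
            # Rule as stated in this chapter: options on the entry replace the
            # master map options outright; the two lists are not concatenated.
            mounts.append((path, master_opts if opts is None else opts, locations))
    return mounts


def missing_nosuid(master_text, maps):
    """Paths whose effective options do not include nosuid."""
    return [path for path, opts, _ in effective_mounts(master_text, maps)
            if "nosuid" not in opts]


if __name__ == "__main__":
    for path, opts, locations in effective_mounts(MASTER, MAPS):
        flag = "ok  " if "nosuid" in opts else "WARN"
        print(flag, path, ",".join(opts) or "(defaults)", " ".join(locations))
```

In the sample, /data/scratch is flagged even though /data carries -nosuid in the master map, because the entry's own -rw replaces the inherited list.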


When to Use automount

The most common and advantageous use of automount is for mounting infrequently used file systems on an NFS client, such as online reference man pages. Another common use is accessing user home directories anywhere on the network. This works well for users who do not have a dedicated system and who tend to log in from different locations. Without the AutoFS service, to permit access, a system administrator has to create home directories on every system that the user logs in to. Data has to be duplicated everywhere, and it can easily become out of sync. You certainly don’t want to create permanent NFS mounts for all user home directories on each system, so mounting infrequently used file systems on an NFS client is an excellent use for automount.

You also use automount if a read-only file system exists on more than one server. By using automount instead of conventional NFS mounting, you can configure the NFS client to query all the servers on which the file system exists and mount from the server that responds first.

You should avoid using automount to mount frequently used file systems, such as those that contain user commands or frequently used applications; conventional NFS mounting is more efficient in this situation. It is quite practical and typical to combine the use of automount with conventional NFS mounting on the same NFS client.

EXAM ALERT: Direct versus indirect maps. Remember the difference between direct and indirect maps. The /- entry in /etc/auto_master signifies a direct map because no mount point is specified. This means that an absolute pathname is specified in the map. Indirect maps contain relative addresses, so the starting mount point, such as /home, appears in the /etc/auto_master entry for an indirect map.

Sun Update Connection Service

Objective:

. Implement patch management using Sun Connection Services including the Update Manager client, the smpatch command line, and Sun Connection hosted web application.

Patching the operating system is covered in Solaris 10 System Administration Exam Prep (Exam CX-310-200), Part I, so I won’t explain all the methods used to manage patches. That book describes how to verify, install, and remove OS patches. This section describes how to use the Sun Update Manager to handle the OS patching process.

The Sun Update Connection service has been available in Solaris 10 since the 1/06 release. You’ll use the service to keep your system up to date with all the latest OS patches. The Sun Update Connection services include the following:

. Sun Update Manager: Consists of two interfaces: a graphical and command-line interface that you will use to manage the updates on your system.

. Sun Update Connection: A web application hosted at Sun that allows you to remotely manage the updates on all your Sun systems.

. Sun Update Connection Proxy: A local caching proxy that provides all the OS updates obtained from Sun to the clients inside your network.

. SunSolve Patch and Updates Portal: Provides access to OS patches for manual download.

Using the Update Manager

The Update Manager replaces the Solaris Patch Manager application that was available in previous releases of Solaris. Using an updated version of the PatchPro tool, Update Manager performs the following tasks:

. Analyzes your system for available OS updates

. Displays the list of updates that are available for your system

. Provides details of each available OS update

. Installs selected OS updates

. Removes (backs out) installed OS updates

You begin by starting the Update Manager client software. Choose either the GUI version or the command-line version of Update Manager, but do not use both at the same time. To start the GUI, type

# /usr/bin/updatemanager<cr>

The Sun Update Manager GUI opens, as shown in Figure 2.1.

Chapter 2: Virtual File Systems, Swap Space, and Core Dumps

FIGURE 2.1 Sun Update Manager.

The following examples use the command-line interface, so I’ll type
# /usr/sbin/smpatch<cr>

The command syntax for the smpatch command varies, depending on the mode of operation. The basic syntax is as follows:
/usr/sadm/bin/smpatch <subcommand> [<auth_args>] -- [<subcommand_args>]

The smpatch command uses subcommands for the various modes of operation; each subcommand has its own list of options. The smpatch subcommands are as follows:

. add: Installs patches on single or multiple machines.

. analyze: Analyzes and lists the patches required for a specified machine.

. download: Downloads patches from the SunSolve Online database to the patch directory.

. remove: Removes a single patch from a system.

Refer to the online man pages for a complete set of options for each subcommand.

The advantage of using the command-line version of Update Manager is that you can embed the smpatch commands into shell scripts to increase efficiency.

You need to register your system at Sun before you can use the Update Manager client. If you do not already have a Sun online account, you need to establish one. The types of patches that you can download depend on the type of Sun service contract you have. If you do not have a service contract, you can still register, but you can download only security, hardware driver, and data integrity updates.

Use the sconadm command to register. Its syntax is as follows:
/usr/sbin/sconadm register -a
[-e softwareUpdate | -E softwareUpdate]
[-h <hostname>] [-l <logfile>] [-N]
[-p <proxy_host>[:<proxy_port>]]
[-r <registration_profile>] [-u <username>]
[-x <proxy_username>]

where:

. -a: Is used to accept the Terms of Use and Binary Code License. Absence of this option means that you do not accept the license.

. -e softwareUpdate: Enables the client to be managed at the Sun-hosted Update Connection Service.

. -E softwareUpdate: Disables the client’s ability to be managed at the Sun-hosted Update Connection Service.

. -h <hostname>: Specifies the hostname of the machine you want to register.

. -l <logfile>: Specifies the pathname of a log file.

. -N: Never registers.

. -p <proxy_host>[:<proxy_port>]: Proxy hostname and optional proxy port number.

. -r <registration_profile>: Pathname to a registration profile. The registration profile is described later in this section.

. -u <username>: Specifies the username used to connect to the Sun Online Account.

. -x <proxy_username>: Specifies the username on the proxy host.

Before you use the sconadm command, create a registration profile. Information in this file will be used when you register. For the example in Step By Step 2.8, you’ll use the vi editor to create a profile file named /tmp/regprofile.

STEP BY STEP
2.8 Registering Your System with Sun Connection Services

1. Use the vi editor to open the profile named regprofile:

# vi /tmp/regprofile<cr>

2. Add the following lines to your profile using your Sun Online user account name and password:

userName=<Sun Online account username>
password=<password>
hostName=
subscriptionKey=
portalEnabled=false
proxyHostName=
proxyPort=
proxyUserName=
proxyPassword=

3. Change the permissions on the profile to 400 or 600:

# chmod 600 /tmp/regprofile<cr>

4. Register using the sconadm command:

# sconadm register -a -r /tmp/regprofile<cr>
sconadm is running
Authenticating user ...
finish registration!

The -a option is used to accept the terms of the license, and the -r option specifies the use of a registration profile.
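Steps 1 through 3 leave the profile, which holds the Sun Online password, at whatever permissions the current umask gives it until the chmod runs. The following shell functions are an added example, not from the book: they write the same profile keys with a restrictive umask and check the file before it is passed to sconadm -r. The names write_regprofile and check_regprofile are hypothetical, and a POSIX shell is assumed (on Solaris 10, /usr/xpg4/bin/sh or ksh rather than the legacy /bin/sh).

```shell
#!/bin/sh
# Added example (not from the book): create and verify the registration
# profile that "sconadm register -r" reads. Function names are hypothetical.

# write_regprofile PATH USERNAME
# Reads the password from standard input so it never appears in the argument
# list, and creates the file already restricted to its owner.
write_regprofile() {
    profile=$1
    user=$2
    IFS= read -r pass || return 1
    (
        umask 077            # a newly created file gets mode 600
        set -o noclobber     # fail instead of writing into an existing file
        {
            printf 'userName=%s\n' "$user"
            printf 'password=%s\n' "$pass"
            printf 'hostName=\nsubscriptionKey=\nportalEnabled=false\n'
            printf 'proxyHostName=\nproxyPort=\nproxyUserName=\nproxyPassword=\n'
        } > "$profile"
    )
}

# check_regprofile PATH
# Prints one line per finding and returns 0 only when the profile passes every
# check. Values are never echoed, only line numbers.
check_regprofile() {
    profile=$1
    findings=0
    have_user=0
    have_pass=0
    n=0
    if [ -h "$profile" ] || [ ! -f "$profile" ]; then
        echo "FAIL: $profile is missing, a symlink, or not a regular file"
        return 1
    fi
    if [ ! -O "$profile" ]; then
        echo "FAIL: $profile is not owned by the current user"
        findings=1
    fi
    # The first ten characters of ls -l output are the type and permission bits.
    perms=$(ls -ld "$profile" | cut -c1-10)
    case $perms in
        -r--------|-rw-------) ;;
        *) echo "FAIL: permissions are $perms, expected mode 400 or 600"
           findings=1 ;;
    esac
    # Accept only the keys listed in step 2 of the procedure.
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in
            userName=?*) have_user=1 ;;
            password=?*) have_pass=1 ;;
            ''|userName=|password=|hostName=*|subscriptionKey=*) ;;
            portalEnabled=*|proxyHostName=*|proxyPort=*) ;;
            proxyUserName=*|proxyPassword=*) ;;
            *) echo "FAIL: unexpected content on line $n"
               findings=1 ;;
        esac
    done < "$profile"
    [ "$have_user" -eq 1 ] || { echo "FAIL: userName is empty or missing"; findings=1; }
    [ "$have_pass" -eq 1 ] || { echo "FAIL: password is empty or missing"; findings=1; }
    return "$findings"
}
```

A wrapper would call check_regprofile /tmp/regprofile and run sconadm register -a -r /tmp/regprofile only when it returns 0.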

Now that the system is registered, you can use the smpatch command to analyze your system for patches:
# smpatch analyze<cr>

A list of patches is displayed:
120199-13 SunOS 5.10: sysidtool patch
119252-23 SunOS 5.10: System Administration Applications Patch
124630-17 SunOS 5.10: System Administration Applications, Network, and \
Core Libraries Patch
121430-25 SunOS 5.8 5.9 5.10: Live Upgrade Patch
124628-06 SunOS 5.10: CD-ROM Install Boot Image Patch
119254-57 SunOS 5.10: Install and Patch Utilities Patch
119963-10 SunOS 5.10: Shared library patch for C++
119280-18 CDE 1.6: Runtime library patch for Solaris 10
119278-23 CDE 1.6: dtlogin patch
<output has been truncated>

To download a specific patch using smpatch, type
# smpatch download -i 119278-23<cr>

The system responds with this:
119278-23 has been validated.

The patch is downloaded into the spool directory, which, by default, is /var/sadm/spool. Use the following command to verify that this directory is the default and has not been modified:
# smpatch get<cr>

The system responds with this:
patchpro.backout.directory - ""
patchpro.baseline.directory - /var/sadm/spool
patchpro.download.directory - /var/sadm/spool
patchpro.install.types - rebootafter:reconfigafter:standard
patchpro.patch.source - https://getupdates1.sun.com/
patchpro.patchset - current
patchpro.proxy.host - ""
patchpro.proxy.passwd **** ****
patchpro.proxy.port - 8080
patchpro.proxy.user - ""

Just because the patch has been downloaded doesn’t mean it has been installed. You still need to install the patch using the following command:
# smpatch add -i 119278-23<cr>

The system responds with this:
add patch 119278-23
Transition old-style patching.
Patch 119278-23 has been successfully installed.

As an alternative to performing all the previous steps, you can analyze, download, and install a patch in one step:
# smpatch update -i 119278-23<cr>

The system responds with this:
Installing patches from /var/sadm/spool...
119278-23 has been applied.
/var/sadm/spool/patchpro_dnld_2008.07.17@19:01:35:EDT.txt has been moved \
to /var/sadm/spool/patchproSequester/patchpro_dnld_2008.07.17@19:01:35:EDT.txt
/var/sadm/spool/patchpro_dnld_2008.07.17@19:18:09:EDT.txt has been moved \
to /var/sadm/spool/patchproSequester/patchpro_\
dnld_2008.07.17@19:18:09:EDT.txt

To remove (back out) the 119278-23 patch, issue the following command:
# smpatch remove -i 119278-23<cr>
remove patch 119278-23
Transition old-style patching.
Patch 119278-23 has been backed out.
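Because smpatch can be embedded in scripts, a wrapper can check the client configuration and limit installs to an approved list before anything is applied. The following shell functions are an added example, not from the book: they read captured smpatch get and smpatch analyze output, confirm that the effective patchpro.patch.source is an https URL, and print smpatch update commands only for approved patch IDs. The function names are hypothetical, the samples are constructed from the listings in this section, and the reading of the smpatch get columns (parameter, assigned value with - for unset, default) is an assumption.

```shell
#!/bin/sh
# Added example (not from the book). The functions read captured command
# output on standard input, so they can be exercised without smpatch.

# Constructed sample: "smpatch get" output as listed in this section.
# Assumed column meaning: parameter, assigned value ("-" = unset), default.
SAMPLE_GET='patchpro.backout.directory - ""
patchpro.baseline.directory - /var/sadm/spool
patchpro.download.directory - /var/sadm/spool
patchpro.install.types - rebootafter:reconfigafter:standard
patchpro.patch.source - https://getupdates1.sun.com/
patchpro.patchset - current
patchpro.proxy.host - ""
patchpro.proxy.passwd **** ****
patchpro.proxy.port - 8080
patchpro.proxy.user - ""'

# Constructed sample: part of the "smpatch analyze" listing in this section,
# including the synopsis that is wrapped onto a second line.
SAMPLE_ANALYZE='120199-13 SunOS 5.10: sysidtool patch
119252-23 SunOS 5.10: System Administration Applications Patch
124630-17 SunOS 5.10: System Administration Applications, Network, and \
Core Libraries Patch
119278-23 CDE 1.6: dtlogin patch'

# effective_value PARAM
# Prints the value in effect for PARAM: the assigned column unless it is "-",
# otherwise the default column. Returns 1 if PARAM is not reported.
effective_value() {
    want=$1
    while read -r name assigned dflt; do
        [ "$name" = "$want" ] || continue
        if [ "$assigned" = "-" ]; then
            echo "$dflt"
        else
            echo "$assigned"
        fi
        return 0
    done
    return 1
}

# check_patch_source
# Succeeds only when the effective patchpro.patch.source is an https URL.
check_patch_source() {
    src=$(effective_value patchpro.patch.source) || {
        echo "FAIL: patchpro.patch.source is not reported"
        return 1
    }
    case $src in
        https://?*) echo "OK: patch source is $src" ;;
        *) echo "FAIL: patch source is not https: $src"
           return 1 ;;
    esac
}

# patch_ids
# Prints one patch ID per line. Lines that do not begin with NNNNNN-NN, such as
# the wrapped half of a long synopsis, are skipped.
patch_ids() {
    sed -n 's/^\([0-9]\{6\}-[0-9]\{2\}\) .*/\1/p'
}

# plan_update APPROVED_ID...
# Prints an "smpatch update -i" command for each analyzed patch that is also on
# the approved list, in the order smpatch analyze reported them.
plan_update() {
    patch_ids | while read -r id; do
        for ok in "$@"; do
            if [ "$id" = "$ok" ]; then
                echo "smpatch update -i $id"
            fi
        done
    done
}
```

On a registered system the same functions take live input, for example smpatch get | check_patch_source followed by smpatch analyze | plan_update 119278-23.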

Sun Update Manager Proxy

Many systems cannot be directly connected to the Internet due to security concerns. To address this, use the Sun Update Manager Proxy. When you configure an Update Manager proxy server on your network, the proxy server obtains the updates from Sun via the Internet and serves those updates to your local systems. The Update Manager proxy is an optional feature, available only to those with Sun service contracts.

There is much more to the Sun Update Connection service that I have not covered. I recommend that you refer to the “Sun Update Connection System Administrator Guide” described at the end of this chapter for more information.

Summary

In this chapter, you have learned how a Solaris system utilizes the swapfs file system as virtual memory storage when the system does not have enough physical memory to handle the needs of the currently running processes. You have learned how to add, monitor, and delete swap files and partitions. You have also learned how to manage core files and crash dumps.

This chapter also described what NFS is and how to share resources on an NFS server. Accessing resources on the NFS client from a server was discussed, as was configuring NFS to record all activity via the NFS logging daemon, nfslogd. The troubleshooting section described some of the more common problems and error messages that you may encounter while using NFS.

This chapter also described AutoFS and the many options that are available when you’re mounting NFS resources so that user downtime caused by unplanned system outages and unavailable resources is minimized.

Finally, I described the Sun Update Connection Service for automating the installation of OS patches. You were reintroduced to the smpatch command, which is described in Solaris 10 System Administration Exam Prep (Exam CX-310-200), Part I. There is much more to discuss on this topic. I recommend that you look over the suggested readings at the end of this chapter.

Key Terms

. automount

. Core file

. Crash dump

. Direct map

. Dynamic failover

. Hard mount

. Indirect map

. lockd

. Master map

. mountd

. NFS

. nfs4cbd

. NFS client

. nfsd

. NFS logging

. nfsmapid

. NFS server

. NFS Version 4

. Replication

. Secondary swap partition

. Shared resource

. Soft mount

. Swap file

. Trigger point

. Update Manager

. Update Manager Client

. Update Manager Proxy

. Virtual file system

Apply Your Knowledge

Exercises

2.1 Adding Temporary Swap Space

In this exercise, you’ll create a swap file to add additional, temporary swap space on your system.

Estimated time: 15 minutes

1. As root, use the df -h command to locate a file system that has enough room to support a 512MB swap file.

2. Use the mkfile command to add a 512MB swap file named swapfile in a directory:
# mkfile 512m /<directory>/swapfile<cr>

3. Use the ls -l /<directory> command to verify that the file has been created.

4. Activate the swap area with the swap command:
# /usr/sbin/swap -a /<directory>/swapfile<cr>

5. Use the swap -l command to verify that the new swap area was added:
# swap -l<cr>

6. Use the swap -d command to remove the swap area:
# swap -d /<directory>/swapfile<cr>

7. Issue the swap -l command to verify that the swap area is gone:
# swap -l<cr>

8. Remove the swap file that was created:

# rm /<directory>/swapfile<cr>

The following two exercises require a minimum of two networked Solaris systems. You need to determine in advance which system will serve as the NFS server and which system will be the NFS client. The NFS server must have man pages installed in the /usr/share/man directory.

2.2 NFS Server Setup

In this exercise, you’ll set up an NFS server to share the contents of the /usr/share/man directory for read-only access.

Estimated time: 30 minutes

1. Make the following entry in the /etc/dfs/dfstab file:
share -F nfs -o ro /usr/share/man

2. Restart the NFS server service to start the nfsd and mountd daemons:
# svcadm restart nfs/server<cr>

3. Verify that the NFS server service is online by typing this:
# svcs nfs/server<cr>

4. Verify that the resource is shared by typing this:
# share<cr>

The system displays this:
- /usr/share/man ro ""

5. On the NFS client, rename the /usr/share/man directory so that man pages are no longer accessible:
# cd /usr/share<cr>
# mv man man.bkup<cr>

6. Verify that the manual pages are no longer accessible by typing this:
# man tar<cr>

7. Create a new man directory to be used as a mount point:
# mkdir man<cr>

8. Verify that you can see the shared resource on the NFS server by typing this:
# dfshares <nfs-server-name><cr>

The system should display a message similar to the following:
RESOURCE                     SERVER       ACCESS  TRANSPORT
192.168.0.4:/usr/share/man   192.168.0.4  -

9. Mount the /usr/share/man directory located on the NFS server to the directory you created in step 8:
# mount <nfs-server-name>:/usr/share/man /usr/share/man<cr>

10. See if the man pages are accessible by typing this:
# man tar<cr>

11. Verify the list of mounts that the server is providing by typing this:
# dfmounts <nfs-server-name><cr>

The system should display something like this:
RESOURCE  SERVER       PATHNAME        CLIENTS
-         192.168.0.4  /usr/share/man  192.168.0.21

12. Unmount the directory on the NFS client:
# umountall -r<cr>

The -r option specifies that only remote file system types are to be unmounted.

13. Verify that the file system is no longer mounted by typing this:
# dfmounts <nfs-server-name><cr>

14. On the NFS server, unshare the /usr/share/man directory:
# unshare /usr/share/man<cr>

15. On the NFS client, try to mount the /usr/share/man directory from the NFS server:
# mount <nfs-server-name>:/usr/share/man /usr/share/man<cr>

The NFS server should not allow you to mount the file system.

16. Check the shared resources on the NFS server by typing this:
# dfshares <nfs-server-name><cr>

The file system can no longer be mounted because it is no longer shared.

2.3 Using AutoFS

This exercise demonstrates the use of AutoFS.

Estimated time: 30 minutes

1. The NFS server should already have an entry in the /etc/dfs/dfstab file from the previous exercise. It looks like this:
share -F nfs -o ro /usr/share/man

The nfsd and mountd daemons should also be running on this server. On the NFS client, verify that the man pages are not working by typing this:
# man tar<cr>

2. On the NFS client, remove the directory you created in Exercise 2.2:
# rmdir /usr/share/man<cr>

3. On the NFS client, edit the /etc/auto_master file to add the following line for a direct map:
/- auto_direct

4. On the NFS client, use vi to create a new file named /etc/auto_direct. Add the following line to the new file:
/usr/share/man <nfs-server-name>:/usr/share/man

5. Run the automount command to update the list of directories managed by AutoFS:
# automount -v<cr>

6. See if man pages are working on the NFS client by typing this:
# man tar<cr>

7. On the NFS client, use mount to see whether AutoFS automatically mounted the remote directory on the NFS server:
# mount<cr>

8. On the NFS server, unshare the shared directory by typing this:
# unshareall<cr>

9. On the NFS server, shut down the NFS server daemons:
# svcadm disable nfs/server<cr>

10. On the NFS client, edit the /etc/auto_master file and remove this line:
/- auto_direct

11. On the NFS client, remove the file named /etc/auto_direct:
# rm /etc/auto_direct<cr>

12. On the NFS client, run the automount command to update the list of directories managed by AutoFS:
# automount -v<cr>

13. On the NFS client, return /usr/share/man to its original state, like this:
# cd /usr/share<cr>
# rmdir man<cr>
# mv man.bkup man<cr>

Exam Questions

1. After you create and add additional swap space, what is the correct method to ensure the swap space is available following subsequent reboots?

A. You can add an entry to the /etc/vfstab file.

B. You can modify the startup scripts to include a swapadd command.

C. Swap cannot be added; therefore, you must adjust the size of the swap partition.

D. Additional steps are required because the necessary changes are made to the startup file when the swap space is added.

2. Which command is used to create a swap file?

A. cat

B. touch

C. mkfile

D. swapadd

E. newfs

3. Which command is used to show the available swap space?

A. prtconf

B. iostat

C. swap -s

D. swap -l

E. /usr/bin/ps

4. How are swap areas activated each time the system boots?

A. The entry in the /etc/vfstab file activates them.

B. The /sbin/swapadd script activates them.

C. The /usr/sbin/swap -a command activates them.

D. The swapon command activates them.

5. Which statements are true about swap areas? (Choose three.)

A. An NFS file system can be used for a temporary swap area.

B. A swap file is the preferred method of adding swap space on a permanent basis.

C. A swap file is created in any ordinary file system.

D. You cannot unmount a file system while a swap file is in use.

E. A swap area must not exceed 2GB on a Solaris 10 system.

F. Using a striped metadevice for swap space is very advantageous and improves performance.

6. If you add resources to a particular file, you can then make the resources available and unavailable by using the shareall and unshareall commands. Which file does this describe?

A. /etc/dfs/dfstab

B. /etc/dfs/sharetab

C. /etc/vfstab

D. /etc/mnttab

7. To stop and restart NFS to enable a new share, which of the following do you use?

A. svcadm restart autofs

B. svcadm restart nfs/client

C. svcadm restart nfs/server

D. automount -v

8. In AutoFS, which of the following associates a directory with a map?

A. indirect

B. direct

C. automount

D. automountd

9. Which of the following maps has a full pathname and indicates the relationship explicitly?

A. NIS

B. auto_master

C. indirect

D. direct

10. NFS daemons are started at bootup from which of the following services or files? (Choose two.)

A. svc:/network/nfs/server

B. svc:/network/nfs/client

C. svc:/system/filesystem/autofs

D. /etc/inittab

11. Which of the following is not an NFS daemon?

A. rpcd

B. mountd

C. lockd

D. statd

12. Which NFS daemons are found only on the NFS server? (Choose three.)

A. nfsd

B. lockd

C. mountd

D. nfslogd

13. Which file do you use to specify the file systems that are to be shared?

A. /etc/dfs/sharetab

B. /etc/dfs/dfstab

C. /etc/vfstab

D. /etc/mnttab

14. Which command makes a resource available for mounting?

A. export

B. share

C. exportfs

D. mount

15. Which command displays information about shared resources that are available to the host from an NFS server?

A. shareall

B. share

C. dfshares

D. dfinfo

16. File systems mounted with which of the following options indicate that mount is to retry in the background if the server’s mount daemon (mountd) does not respond?

A. intr

B. fg

C. bg

D. soft

17. Which of the following options to the mount command specifies how long (in seconds) each NFS request made in the kernel should wait for a response?

A. retrans

B. timeo

C. retry

D. remount

18. File systems that are mounted read-write or that contain executable files should always be mounted with which option?

A. hard

B. intr

C. soft

D. nointr

19. From the NFS client, which of the following options makes mount retry the request up to a specified number of times when the NFS server becomes unavailable?

A. retry

B. retrans

C. remount

D. timeo

20. When an NFS server goes down, which of the following options to the mount command allows you to send a kill signal to a hung NFS process?

A. bg

B. nointr

C. intr

D. timeo

21. Which of the following programs support the AutoFS service? (Choose two.)

A. automount

B. automountd

C. mount

D. share

22. From which of the following files does automountd start?

A. /etc/init.d/volmgt

B. svc:/system/filesystem/autofs

C. svc:/network/nfs/server

D. svc:/network/nfs/client

23. Which of the following commands do you use to see who is using a particular NFS mount?

A. nfsstat

B. dfshares

C. showmount

D. ps

24. Which of the following files lists all direct and indirect maps for AutoFS?

A. /etc/auto_master

B. /etc/auto_direct

C. /etc/auto_share

D. /lib/svc/method/svc-autofs

25. Every Solaris installation comes with a default master map with default entries. Without any changes to the generic system setup, clients should be able to access remote file systems through which of the following mount points?

A. /tmp_mnt

B. /net

C. /export

D. /export/home

26. Which of the following is the simplest and most useful AutoFS map?

A. Direct map

B. Indirect map

C. Master map

D. All are equal

27. What is the default time for automountd to unmount a file system that is not in use?

A. 600 seconds

B. 60 seconds

C. 120 seconds

D. 180 seconds

28. What types of maps are available in AutoFS?

A. Direct and indirect

B. Master, direct, and indirect

C. Master and direct

D. Master and indirect

29. Which of the following commands is used to cause a disk resource to be made available to other systems via NFS?

A. mount

B. share

C. export

D. dfshares

30. Which of the following scripts or services starts the NFS log daemon?

A. /usr/lib/nfs/nfslogd

B. /etc/nfs/nfslog.conf

C. /etc/dfs/dfstab

D. /etc/default/nfs

31. Which of the following daemons provides NFS logging?

A. syslogd

B. nfsd

C. statd

D. nfslogd

32. Your company does not have a Sun service contract. When using the smpatch command to analyze your system, which patches will you have access to? (Choose three.)

A. Data integrity patches

B. Recommended patches

C. Driver patches

D. Security patches

E. All patches

33. Which command-line utility allows the system administrator to embed the patch analyze, download, and add commands into shell scripts to increase efficiency?

A. smpatch

B. PatchTool

C. Update Manager

D. Patchadd

34. Which of the following describes how to register your system with Sun Update Connection services?

A. sconadm

B. Update Manager

C. smpatch -u <username> -p <password>

D. Go to http://sunsolve.sun.com and create an account.

Answers to Exam Questions

1. A. After you create and add additional swap space, you can add an entry for that swap space in the /etc/vfstab file to ensure that the swap space is available following subsequent reboots. Answer B is wrong because editing startup scripts directly to add swap is a poor policy. The correct procedure is to add the entry to the vfstab file. For more information, see the section “Setting Up Swap Space.”

2. C. You use the mkfile and swap commands to designate a part of an existing UFS as a supplementary swap area. The cat command does not create a swap file; it’s used to view a file. The touch command is used to change the time and date on a file or to create an empty file when used on a filename that does not exist. The newfs command is used to create a file system, not swap. For more information, see the section “Setting Up Swap Space.”

3. C. The swap -s command is used to display the available swap space on a system. prtconf is used to print the system configuration, but not swap. iostat is used to display I/O statistics. The ps command is used to display process information. For more information, see the section “Setting Up Swap Space.”

4. B. Swap areas are activated by the /sbin/swapadd script each time the system boots. An entry in the vfstab file is used by swapadd, but it does not activate the swap space directly. swap -a is used to add swap space on a running system, but not during the boot process. swapon is not used during the boot process and is not available on Solaris 10. For more information, see the section “Setting Up Swap Space.”

5. A, C, D. These statements are all true of a swap area: An NFS file system can be used for a swap area, but only in emergencies; a swap file is created in any ordinary file system; and you cannot unmount a file system while a swap file is in use. Answer B is wrong because a swap file should be used only on a temporary basis. Answer E is wrong because swap can exceed 2GB. Answer F is wrong because swap should not be put on a striped device. It adds overhead and can slow down paging. For more information, see the section “Setting Up Swap Space.”

6. C is wrong because the vfstab file is used to mount a shared resource, not to share a resource. For more information, see the section “Setting Up NFS.”

7. C. To restart NFS to enable a new share, you type svcadm restart nfs/server. Answer A is wrong because autofs is not used to stop and start NFS server daemons and enable a new share. Answer B is wrong because the service name should be nfs/server, not nfs/client. Answer D is wrong because the automount command is not used to stop and start NFS server daemons or to enable a share. For more information, see the section “NFS Daemons.”

8. C. The automount command, which is called at system startup time, reads the master map file named auto_master to create the initial set of AutoFS mounts. Answers A and B are wrong because indirect and direct are invalid commands. Answer D is wrong because automountd answers file system mount and unmount requests described by the automount command. For more information, see the section “AutoFS.”

9. D. With a direct map, there is a direct association between a mount point on the client and a directory on the server. A direct map has a full pathname and indicates the relationship explicitly. Answer A is wrong because NIS is a name service. Answer B is wrong because auto_master is the master map for automounter. Answer C is wrong because there is not a direct association between a mount point when using indirect maps. For more information, see the section “AutoFS Maps.”

10. A, B. NFS uses a number of daemons to handle its services. These services are initialized at startup from the svc:/network/nfs/server and svc:/network/nfs/client service identifiers. Answers C and D are wrong because neither of these starts the NFS server daemons. For more information, see the section “NFS Daemons.”

11. A. mountd, lockd, and statd are all NFS daemons. rpcd is not an NFS daemon. For more information, see the section “NFS Daemons.”

12. A, C, D. The NFS daemons found only on the NFS server are nfsd, mountd, and nfslogd. lockd is both an NFS server and client daemon. For more information, see the section “NFS Daemons.”

13. B. A shared file system is called a shared resource. You specify which file systems are to be shared by entering the information in the file /etc/dfs/dfstab. The sharetab and mnttab files are not edited directly. The vfstab file contains all the mount points that are to be mounted during the boot process; it is not used to share file systems. For more information, see the section “Setting Up NFS.”

14. B. The share command exports a resource and makes a resource available for mounting. The export command is a shell built-in used to export variables. exportfs is a compatibility script that uses the share command to share file systems. It is part of the BSD compatibility package. The mount command does not share a resource. For more information, see the section “Setting Up NFS.”

15. C. The dfshares command displays information about the shared resources that are available to the host from an NFS server. The share command shares file systems, but it also displays information about shared file systems when used alone, with no arguments on the NFS server. When used from the client, it does not display shared resources on an NFS server. The shareall command is used to share all the file systems listed in the /etc/dfs/dfstab file. dfinfo is an invalid command. For more information, see the section “Setting Up NFS.”

16. C. File systems mounted with the bg option indicate that mount is to retry in the background if the server’s mount daemon (mountd) does not respond when, for example, the NFS server is restarted. The intr option allows keyboard interrupts to kill a process that is waiting for a response from a hard-mounted file system. File systems mounted with the fg option indicate that mount is to retry in the foreground if the server’s mount daemon (mountd) does not respond. The soft option makes the NFS client give up and return an error when the NFS server does not respond. For more information, see the section “Mounting a Remote File System.”

17. B. After the file system is mounted, each NFS request made in the kernel waits a specified numberof seconds for a response (which is specified with the timeo=<n> option). The retrans optionsets the number of retransmission attempts. The retry option sets the number of times to retrythe mount operation. The remount option sets a read-only file system as read-write (using the rwoption). For more information, see the section “Mounting a Remote File System.”

18. A. Sun recommends that file systems that are mounted as read-write or that contain executable files should always be mounted with the hard option. The intr option allows keyboard interrupts to kill a process that is waiting for a response from a hard-mounted file system. The nointr option disallows keyboard interrupts to kill a process that is waiting for a response from a hard-mounted file system. Only file systems that are mounted as read-only should be mounted with the soft option. For more information, see the section “Mounting a Remote File System.”

19. A. From the NFS client, mount retries the request up to the count specified in the retry=<n> option. After the file system is mounted, each NFS request that is made in the kernel waits a specified number of seconds for a response. The retrans option sets the number of retransmission attempts. The remount option sets a read-only file system as read-write (using the rw option). The timeo option sets the NFS timeout value. For more information, see the section “Mounting a Remote File System.”

20. C. If a file system is mounted hard and the intr option is not specified, the process hangs until the remote file system reappears if the NFS server goes down. If intr is specified, sending an interrupt signal to the process kills it. The nointr option disallows keyboard interrupts to kill a process that is waiting for a response from a hard-mounted file system. File systems mounted with the bg option indicate that mount is to retry in the background if the server’s mount daemon (mountd) does not respond. The timeo option sets the NFS timeout value. For more information, see the section “Mounting a Remote File System.”

21. A, B. File systems that are shared through the NFS service can be mounted by using AutoFS. AutoFS, a client-side service, is a file system structure that provides automatic mounting. AutoFS is initialized by automount, which is run automatically when a system is started. The automount daemon, named automountd, runs continuously, mounting and unmounting remote directories on an as-needed basis. The share command is executed on the NFS server to share a resource. The mount command is used to manually mount a file system. For more information, see the section “AutoFS.”

22. B. Two programs support the AutoFS service: automount and automountd. Both are run when a system is started by the svc:/system/filesystem/autofs service identifier. Answers A, C, and D are commands, not files. For more information, see the section “AutoFS.”

23. C. To see who is using a particular NFS mount, you use the showmount command. The dfshares command is used to list available resources. The nfsstat command displays NFS statistics. The ps command displays system process information. For more information, see the section “AutoFS.”

24. A. A master map, which is in the /etc/auto_master file, associates a directory with a map. A master map is a list that specifies all the maps that AutoFS should check. /etc/auto_direct and /etc/auto_share are not master maps and do not list direct and indirect maps. /lib/svc/method/svc-autofs is not a master map. For more information, see the section “AutoFS Maps.”

25. B. Without any changes to the generic system setup, clients should be able to access remote file systems through the /net mount point. /tmp_mnt, /export, and /export/home are not default mount points for NFS file systems. For more information, see the section “AutoFS Maps.”

26. B. Indirect maps are the simplest and most useful maps. Indirect maps are useful for accessing specific file systems, such as home directories, from anywhere on the network. A direct map is a more complex AutoFS map compared to an indirect map. A master map, which is in the /etc/auto_master file, associates a directory with a map. A master map is a list that specifies all the maps that AutoFS should check. For more information, see the section “AutoFS Maps.”

27. A. The -t option to the automount command sets the time, in seconds, that a file system is to remain mounted if it is not being used. The default is 600 seconds. For more information, see the section “AutoFS.”

28. B. The three types of AutoFS maps are master, direct, and indirect maps. For more information, see the section “AutoFS Maps.”

29. B. The share command is used to specify a disk resource that is to be made available to other systems via NFS. share exports a resource or makes a resource available for mounting. The mount command simply connects to the remote resource. export is a shell built-in for exporting shell variables. The dfshares command lists available resources. For more information, see the section “Setting Up NFS.”

30. A. The /usr/lib/nfs/nfslogd script starts the NFS log daemon (nfslogd). nfslog.conf is the NFS server logging configuration file. The dfstab file contains a list of file systems to be shared. The /etc/default/nfs file is used to configure NFS parameters. For more information, see the section “NFS Server Logging.”

31. D. The nfslogd daemon provides NFS logging and is enabled by using the log=<tag> option in the share command. When NFS logging is enabled, all NFS operations on the file system are recorded in a buffer by the kernel. The syslogd daemon logs system messages. The statd daemon works with the lockd daemon to provide crash recovery functions for the NFS lock manager. The nfsd daemon handles client file system requests. For more information, see the section “NFS Server Logging.”

32. A, C, D. The types of patches you can download depend on the type of Sun service contract you have. If you do not have a service contract, you can still register, but you can download only security, hardware driver, and data integrity updates. Recommended patches are provided only to companies that have an active Sun service contract. For more information, see the section “Using the Update Manager.”

33. A. The advantage of using smpatch is that you can embed all the smpatch commands into shell scripts. For more information, see the section “Using the Update Manager.”

34. A. You use the sconadm command to register your system with Sun Update Connection services. For more information, see the section “Using the Update Manager.”


Suggested Reading and Resources

“System Administration Guide: Advanced Administration” and “System Administration Guide: Network Services” manuals from the Solaris 10 documentation CD.

“System Administration Guide: Network Services,” and “System Administration Guide: Advanced Administration” books in the System Administration Collection of the Solaris 10 documentation set. See http://docs.sun.com.

“Sun Update Connection System Administrator Guide,” part number 819-4687-10 at http://docs.sun.com.


Chapter 3

Managing Storage Volumes

Objectives

The following test objectives for Exam CX-310-202 are covered in this chapter:

Analyze and explain RAID (0, 1, 5) and SVM concepts (logical volumes, soft partitions, state databases, hot spares, and hot spare pools).

. A thorough understanding of the most popular RAID levels is essential to any system administrator managing disk storage. This chapter covers all the basic Solaris Volume Manager (SVM) concepts that the system administrator needs to know for the exam.

Create the state database, build a mirror, and unmirror the root file system.

. The system administrator needs to be able to manipulate the state database replicas and create logical volumes, such as mirrors (RAID 1). This chapter details the procedure for creating the state databases as well as mirroring and unmirroring the root file system.


Outline

Introduction

RAID

RAID 0

RAID 1

RAID 5

RAID 0+1

RAID 1+0

Solaris Volume Manager (SVM)

SVM Volumes

Concatenations

Stripes

Concatenated Stripes

Mirrors

RAID 5 Volumes

Planning Your SVM Configuration

Metadisk Driver

SVM Commands

Creating the State Database

Monitoring the Status of the State Database

Recovering from State Database Problems

Creating a RAID 0 (Concatenated) Volume

Creating a RAID 0 (Stripe) Volume

Monitoring the Status of a Volume

Creating a Soft Partition

Expanding an SVM Volume

Creating a Mirror

Unmirroring a Noncritical File System

Placing a Submirror Offline

Mirroring the Root File System on a SPARC-Based System

Mirroring the Root File System on an x86-Based System

Unmirroring the Root File System

Troubleshooting Root File System Mirrors

Veritas Volume Manager

Summary

Key Terms

Apply Your Knowledge

Exercise

Exam Questions

Answers to Exam Questions

Suggested Reading and Resources


Study Strategies

The following strategies will help you prepare for the test:

. As you study this chapter, the main objective is to become comfortable with the terms and concepts that are introduced.

. For this chapter it’s important that you practice each Step By Step example on both Solaris SPARC and x86/x64-based systems (with more than one disk). Practice is very important on these topics, so you should practice until you can repeat each procedure from memory. Questions on SVM will be scenario-based and quite lengthy. They will describe various IT situations, and you will need to choose the best storage solution.

. Be sure that you understand the levels of RAID discussed and the differences between them. You’ll be required to recommend the best storage configuration for a particular “real-life” scenario.

. Be sure that you know all the terms listed in the “Key Terms” section near the end of this chapter. Pay special attention to metadevices and the different types that are available.


Chapter 3: Managing Storage Volumes

Introduction

With standard disk devices, each disk slice has its own physical and logical device. In addition, with standard Solaris file systems, a file system cannot span more than one disk slice. In other words, the maximum size of a file system is limited to the size of a single disk. On a large server with many disk drives, or a SAN connection, standard methods of disk slicing are inadequate and inefficient. This was a limitation in all UNIX systems until the introduction of virtual disks, also called virtual volumes. To eliminate the limitation of one slice per file system, virtual volume management packages can create virtual volume structures in which a single file system can consist of nearly an unlimited number of disks or partitions. The key feature of these virtual volume management packages is that they transparently provide a virtual volume that can consist of many physical disk partitions. In other words, disk partitions are grouped across several disks to appear as a single volume to the operating system.

Each flavor of UNIX has its own method of creating virtual volumes, and Sun has addressed virtual volume management with their Solaris Volume Manager product called SVM, which has always been included as part of the standard Solaris 10 release. New in the Solaris 10 6/06 release is the ZFS file system, another form of creating virtual volumes. Because ZFS is a large topic, I’ve devoted an entire chapter to it. Refer to Chapter 9, “Administering ZFS File Systems,” for more information.

The objectives on the Part II exam have changed so that you are now required to be able to set up virtual disk volumes. This chapter introduces you to SVM and describes SVM in enough depth to meet the objectives of the certification exam. It is by no means a complete reference for SVM.

Also in this chapter, we have included a brief introduction of Veritas Volume Manager, an unbundled product that is purchased separately. Even though this product is not specifically included in the objectives for the exam, it provides some useful background information.

RAID

Objective

. Analyze and explain RAID (Redundant Array of Independent Disks).

When describing SVM volumes, it’s common to describe which level of RAID the volume conforms to. RAID is an acronym for Redundant Array of Inexpensive (or Independent) Disks. Usually these disks are housed together in a cabinet and referred to as an array. Several RAID levels exist, each referring to a method of organizing data while ensuring data resilience or performance. These levels are not ratings, but rather classifications of functionality. Different RAID levels offer dramatic differences in performance, data availability, and data integrity depending on the specific I/O environment. Table 3.1 describes the various levels of RAID supported by Solaris Volume Manager.

Table 3.1 RAID Levels

RAID Level    Description

0    Striped disk array without fault tolerance.

1    Maintains duplicate sets of all data on separate disk drives (mirroring).

2    Data striping and bit interleave. Data is written across each drive in succession one bit at a time. Checksum data is recorded in a separate drive. This method is very slow for disk writes and is seldom used today since Error Checking and Correction (ECC) is embedded in almost all modern disk drives.

3    Data striping with bit interleave and parity checking. Data is striped across a set of disks one byte at a time, and parity is generated and stored on a dedicated disk. The parity information is used to re-create data in the event of a disk failure.

4    This is the same as level 3 RAID except data is striped across a set of disks at a block level. Parity is generated and stored on a dedicated disk.

5    Unlike RAID 3 and 4, where parity is stored on one disk, both parity and data are striped across a set of disks.

6    Similar to RAID 5, but with additional parity information written to recover data if two drives fail.

0+1    Also referred to as a “mirrored stripe” or “mirroring above striping.” First, a stripe is created by spreading data across multiple slices or entire disks. Then, the entire stripe is mirrored for redundancy. For mirroring above striping to be effective, the stripe and its mirrors must be allocated from separate disks.

1+0    Also referred to as a “striped mirror” or “striping above mirroring.” Create a RAID 1+0 device opposite of how you would create a RAID 0+1 device. The slices, or entire disks, are mirrored first. Then the slices are combined into a stripe. If the hardware is properly configured, a RAID 1+0 volume can tolerate a higher percentage of hardware failures than RAID 0+1 without disabling the volume.

RAID level 0 does not provide data redundancy, but is usually included as a RAID classification because it is the basis for the majority of RAID configurations in use. Table 3.1 described some of the more popular RAID levels; however, many are not provided in SVM. The following is a more in-depth description of the RAID levels provided in SVM.

EXAM ALERT

RAID levels: For the exam, you should be familiar with RAID levels 0, 1, 5, 0+1, and 1+0. These are the only levels that can be used with Solaris Volume Manager.


RAID 0

Although they do not provide redundancy, concatenations and stripes are often referred to as RAID 0.

With concatenations, a logical device is created by combining slices from two or more physical disks, as shown in Figure 3.1. More space can easily be added to a concatenation simply by adding more disk slices. With a concatenated device, the size of each individual slice can vary. As data is written to a concatenated device, the first slice is filled first, and then the second is filled, and so on. The process continues until all the slices in the concatenated device are full. Because data is written to one disk at a time, performance is no better than with a single disk.

FIGURE 3.1 RAID 0 concatenated volume.

[Figure: Physical disks 1, 2, and 3 (36GB each) are combined into a 108GB RAID 0 concatenated volume; the segments are labeled Interface 1 through Interface 12.]

With striping, a logical device is created by combining slices from multiple disks. These slices must be of equal size, as shown in Figure 3.2. With striping, I/O is balanced and significantly improved by using parallel data transfer to and from the multiple disks. The I/O data stream is divided into segments called interlaces. The interlaces are spread across relatively small, equally sized fragments that are allocated alternately and evenly across multiple physical disks. If additional space is needed in a striped device, it cannot be added as easily as with the concatenated device. To add more space to a stripe, the logical device must be destroyed and re-created.

FIGURE 3.2 RAID 0 striped volume.

[Figure: Physical disks 1, 2, and 3 (36GB each) form a 108GB RAID 0 striped volume. Disk 1 holds Interface 1, 4, 7, and 10; disk 2 holds Interface 2, 5, 8, and 11; disk 3 holds Interface 3, 6, 9, and 12.]

The advantages of RAID 0 concatenated devices are as follows:

. Read operations on a RAID 0 concatenated device may be improved slightly over that of a standard UNIX partition when read operations are random and the data accessed is spread over multiple disk drives.

. It is quite easy to add space to a RAID 0 concatenated device.

. A RAID 0 striped device has better performance than a concatenated device.

. With both RAID 0 configurations, all the disk drive capacity is available for use.

The disadvantage of a RAID 0 logical device is that it has no redundancy. The loss of a single disk results in the loss of all the data across the entire logical device.

RAID 1

RAID 1 employs data mirroring to achieve redundancy. Two copies of the data are created and maintained on separate disks, each containing a mirror image of the other. RAID 1 provides an opportunity to improve performance for reads, because read requests are directed to the mirrored copy if the primary copy is busy. However, mirroring can degrade performance for write operations, because data must be written on both submirrors. See the following sections on RAID 0+1 and RAID 1+0, where striping is used to improve performance on a mirrored volume.

RAID 1 is the most expensive of the array implementations because the data is duplicated. In the event of a disk failure, RAID 1 provides a high level of availability because the system can switch automatically to the mirrored disk with minimal impact on performance and no need to rebuild lost data.

On the other hand, when a disk in a submirror fails and the disk is replaced, the entire submirror must be resynchronized. Although data remains available during the resync process, performance of the entire mirror is degraded. On a large volume, this resync process can be lengthy.

In Figure 3.3, four drives are used to create a mirrored volume. To begin, two physical disks are concatenated to form each RAID 0 volume—the submirrors. Finally, the two submirrors are mirrored to form a RAID 1 volume.

FIGURE 3.3 RAID 1 volume.

[Figure: a 2GB RAID 1 (mirror) volume over two 2GB RAID 0 (concatenation) submirrors. One submirror joins slice 0 (1GB) of physical disks 1 and 2; the other joins slice 0 (1GB) of physical disks 3 and 4.]

RAID 5

RAID 5 provides data striping with distributed parity. RAID 5 does not have a dedicated parity disk, but instead interleaves both data and parity on all disks, as shown in Figure 3.4. In RAID 5, the disk access arms can move independently of one another. This enables multiple concurrent accesses to the multiple physical disks, thereby satisfying multiple concurrent I/O requests and providing higher transaction throughput. RAID 5 is best suited for random access data in small blocks. A “write penalty” is associated with RAID 5. Every write I/O results in four actual I/O operations—two to read the old data and parity, and two to write the new data and parity. Therefore, volumes with more than approximately 20% writes would not be good candidates for RAID 5. If data redundancy is needed on a write-intensive volume, consider mirroring.

FIGURE 3.4 RAID 5 volume.

[Figure: four 36GB physical disks form a 108GB RAID 5 volume. Disk 1 holds Interface 1, 4, 7, and the parity for 10-12; disk 2 holds Interface 2, 5, the parity for 7-9, and Interface 10; disk 3 holds Interface 3, the parity for 4-6, and Interface 8 and 11; disk 4 holds the parity for 1-3 and Interface 6, 9, and 12.]

A RAID 5 device must consist of at least three components. With no hot spares, it can handle only a single component failure.

In Figure 3.4, four disk drives are being striped. The first three data segments are written to disk 1, disk 2, and disk 3. A parity segment for these is then written to disk 4. The segment consists of an exclusive OR of the first three segments of data. With this scheme, data and parity segments are spread across all the disks, with the parity protecting against a single disk failure. As you can see, approximately 25% of the disk space is used to store parity data. A RAID 5 volume uses storage capacity equivalent to one component in the volume to store parity information. This redundant data contains information about user data stored on the remainder of the RAID 5 volume’s components. Therefore, if the volume has three components, the equivalent of one component is used for the parity information. If the volume has five components, the equivalent of one component is used for parity information. The parity information is distributed across all components in the volume. Similar to a mirror, a RAID 5 volume increases data availability, but with a minimum of cost in terms of hardware and only a moderate penalty for write operations.
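The exclusive-OR parity just described, together with the four-I/O write penalty mentioned at the start of this section, worked through in Python. This is an added example, not code from the book: the layout follows Figure 3.4, while the eight-byte segment size and the segment contents are constructed for illustration.

```python
"""RAID 5 with rotating parity on four disks, following the Figure 3.4 layout."""
from functools import reduce

NDISKS = 4   # components in the volume (Figure 3.4 uses four disks)
SEG = 8      # bytes per segment: a tiny, constructed size for the demo


def xor(*blocks):
    """Bytewise exclusive OR of equal-length byte strings."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def parity_disk(row):
    """Parity rotates: disk 4 for segments 1-3, disk 3 for 4-6, and so on."""
    return (NDISKS - 1 - row) % NDISKS


def data_disks(row):
    """Disks (0-based) that hold data in this row, in segment order."""
    return [d for d in range(NDISKS) if d != parity_disk(row)]


def build(segments):
    """Lay the data segments out row by row and return disks[disk][row]."""
    per_row = NDISKS - 1
    if len(segments) % per_row:
        raise ValueError("segment count must fill whole rows")
    rows = len(segments) // per_row
    disks = [[None] * rows for _ in range(NDISKS)]
    for row in range(rows):
        data = segments[row * per_row:(row + 1) * per_row]
        for disk, seg in zip(data_disks(row), data):
            disks[disk][row] = seg
        disks[parity_disk(row)][row] = xor(*data)
    return disks


def rebuild(disks, failed):
    """Regenerate every segment of one failed disk from the three survivors."""
    return [xor(*(disks[d][row] for d in range(NDISKS) if d != failed))
            for row in range(len(disks[0]))]


def small_write(disks, seg_index, new):
    """Overwrite one data segment (0-based index) and return the I/O count.

    This is the read-modify-write behind the write penalty: the new parity
    is old_parity XOR old_data XOR new_data, so the other data disks in the
    row are never read.
    """
    row, col = divmod(seg_index, NDISKS - 1)
    d, p = data_disks(row)[col], parity_disk(row)
    ios = 0
    old_data = disks[d][row]                         # I/O 1: read old data
    ios += 1
    old_parity = disks[p][row]                       # I/O 2: read old parity
    ios += 1
    disks[d][row] = new                              # I/O 3: write new data
    ios += 1
    disks[p][row] = xor(old_parity, old_data, new)   # I/O 4: write new parity
    ios += 1
    return ios


if __name__ == "__main__":
    # Twelve constructed segments: segment n is the byte n repeated SEG times.
    segments = [bytes([n]) * SEG for n in range(1, 13)]
    disks = build(segments)
    print("I/Os for one small write:", small_write(disks, 4, b"NEWDATA!"))
    print("disk 2 rebuilt from survivors:", rebuild(disks, 1) == disks[1])
```

Losing any one disk leaves every row with three of its four members, which is enough to regenerate the fourth; losing two leaves no row recoverable.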

RAID 0+1

SVM supports RAID 0+1 (stripes that are then mirrored), also called a “mirrored stripe.” As described in the “RAID 1” section, write performance can suffer on a mirrored volume. Therefore, many administrators add striping to the mirrored volume to improve disk I/O. With RAID 0+1, data is striped across multiple disk drives to improve disk I/O and then is mirrored to add redundancy, as shown in Figure 3.5. When a disk fails in a RAID 0+1 volume, the entire submirror fails; however, data is still available from the alternate submirror. Be aware that when the failed disk is replaced, the entire submirror must be resynchronized. This resync process degrades performance and can be lengthy for a large volume.

RAID 1+0

SVM also supports RAID 1+0 (mirrors that are then striped). As with RAID 0+1, this configuration combines the benefits of RAID 1 (mirroring) for redundancy and RAID 0 (striping) for performance. The two levels of RAID differ in how they are constructed. With RAID 0+1, the stripes are created and then mirrored. With RAID 1+0, the slices are first mirrored and then striped, as shown in Figure 3.6. This method enhances redundancy and reduces recovery time after a disk failure. The failure of a single disk in a RAID 1+0 volume affects only the submirror it was located in. All other submirrors remain functional. When the disk is replaced, only the data in that submirror needs to be resynced. Even if a second disk fails in another submirror, the data in the RAID 1+0 volume is still available, so a RAID 1+0 is less vulnerable than a RAID 0+1 volume.
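The difference in fault tolerance between the two constructions can be checked by enumerating every combination of failed disks. The following Python model is an added example, not from the book; it assumes the same even number of equal disks arranged either as two mirrored stripes (RAID 0+1) or as striped two-way mirrors (RAID 1+0), and the disk numbering is hypothetical.

```python
"""Which disk failures do RAID 0+1 and RAID 1+0 survive on the same disks?"""
from itertools import combinations


def layouts(ndisks):
    """Return (stripes, mirrors) for the two ways of combining the disks.

    RAID 0+1: the disks are split into two stripes, which are then mirrored.
    RAID 1+0: the disks are paired into two-way mirrors, which are then striped.
    """
    if ndisks < 4 or ndisks % 2:
        raise ValueError("need an even number of disks, at least four")
    disks = list(range(1, ndisks + 1))
    half = ndisks // 2
    stripes = [set(disks[:half]), set(disks[half:])]
    mirrors = [{disks[i], disks[i + half]} for i in range(half)]
    return stripes, mirrors


def survives_0_plus_1(failed, stripes):
    """One failed disk takes its whole stripe (submirror) offline; the volume
    stays available while at least one stripe has lost no disk."""
    return any(not (stripe & failed) for stripe in stripes)


def survives_1_plus_0(failed, mirrors):
    """Each mirror needs only one working disk; the volume is lost only when
    both disks of the same mirror have failed."""
    return all(mirror - failed for mirror in mirrors)


def survival_counts(ndisks=4):
    """For k = 1..ndisks simultaneous failures, count the failure combinations
    each layout survives. Returns {k: (raid01, raid10, total)}."""
    stripes, mirrors = layouts(ndisks)
    result = {}
    for k in range(1, ndisks + 1):
        combos = [set(c) for c in combinations(range(1, ndisks + 1), k)]
        ok01 = sum(survives_0_plus_1(f, stripes) for f in combos)
        ok10 = sum(survives_1_plus_0(f, mirrors) for f in combos)
        result[k] = (ok01, ok10, len(combos))
    return result


def disks_to_resync(failed_disk, ndisks=4):
    """Number of disks rewritten after one failed disk is replaced.

    RAID 0+1 resynchronizes the whole stripe the disk belonged to;
    RAID 1+0 copies only from the surviving half of that one mirror.
    """
    stripes, mirrors = layouts(ndisks)
    raid01 = next(len(s) for s in stripes if failed_disk in s)
    raid10 = next(len(m) - 1 for m in mirrors if failed_disk in m)
    return raid01, raid10


if __name__ == "__main__":
    for k, (ok01, ok10, total) in survival_counts(4).items():
        print(f"{k} failed: RAID 0+1 survives {ok01}/{total}, "
              f"RAID 1+0 survives {ok10}/{total}")
    print("disks rewritten after replacing disk 1 (0+1, 1+0):",
          disks_to_resync(1))
```

Both layouts survive any single failure; the gap opens at two failures, where RAID 1+0 is lost only if the second failure hits the partner of the first.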

FIGURE 3.5 RAID 0+1 (mirrored stripe).

[Figure: a 2GB mirrored volume (titled “RAID 1+0 Mirrored Volume” in the figure) over two 2GB RAID 0 stripes. One stripe uses slice 0 (1GB) of physical disks 1 and 2; the other uses slice 0 (1GB) of physical disks 3 and 4.]

FIGURE 3.6 RAID 1+0 (striped mirror).

[Figure: a 2GB RAID 1+0 mirrored volume over three 1GB RAID 1 submirrors, built from slice 0 (1GB) of physical disks 1 and 2, 3 and 4, and 5 and 6.]

If a device fails, the entire stripe or concatenation is not taken offline, only the failed device.

Solaris Volume Manager (SVM)

Objective

. Analyze and explain SVM concepts (logical volumes, soft partitions, state databases, hot spares, and hot spare pools).

. Create the state database, build a mirror, and unmirror the root file system.

SVM, formerly called Solstice DiskSuite, comes bundled with the Solaris 10 operating system and uses virtual disks, called volumes, to manage physical disks and their associated data. A volume is functionally identical to a physical disk from the point of view of an application. You may also hear volumes referred to as virtual or pseudo devices.

A recent feature of SVM is soft partitions. This breaks the traditional eight-slices-per-disk barrier by allowing disks, or logical volumes, to be subdivided into many more partitions. One reason for doing this might be to create more manageable file systems, given the ever-increasing capacity of disks.

NOTE

SVM terminology: If you are familiar with Solstice DiskSuite, you’ll remember that virtual disks were called metadevices. SVM uses a special driver, called the metadisk driver, to coordinate I/O to and from physical devices and volumes, enabling applications to treat a volume like a physical device. This type of driver is also called a logical or pseudo driver.

In SVM, volumes are built from standard disk slices that have been created using the format utility. Using either the SVM command-line utilities or the graphical user interface of the Solaris Management Console (SMC), the system administrator creates each device by executing commands or dragging slices onto one of four types of SVM objects: volumes, disk sets, state database replicas, and hot spare pools. These elements are described in Table 3.2.

Table 3.2 SVM Elements

Object    Description

Volume    Also called a metadevice. A group of physical slices that appear to the system as a single, logical device. A volume is used to increase storage capacity and increase data availability. Solaris 10 SVM can support up to 8,192 logical volumes per disk set, but the default is to support 128 logical volumes—namely, d0 through d127. The various types of volumes are described in the next section of this chapter.

State database    A database that stores information about the state of the SVM configuration. Each state database is a collection of multiple, replicated database copies. Each copy is referred to as a state database replica. SVM cannot operate until you have created the state database and its replicas. You should create at least three state database replicas when using SVM because the validation process requires a majority (half + 1) of the state databases to be consistent with each other before the system will start up correctly. Each state database replica should ideally be physically located on a separate disk (and preferably a separate disk controller) for added resilience.

Soft partition    A means of dividing a disk or volume into as many partitions as needed, overcoming the current limitation of eight. This is done by creating logical partitions within physical disk slices or logical volumes.

Disk set    A set of disk drives containing state database replicas, volumes, and hot spares that can be shared exclusively, but not at the same time, by multiple hosts. If one host fails, another host can take over the failed host’s disk set. This type of fail-over configuration is referred to as a clustered environment.

Hot spare    A slice that is reserved for use in case of a slice failure in another volume, such as a submirror or a RAID 5 metadevice. It is used to increase data availability.

Hot spare pool    A collection of hot spares. A hot spare pool can be used to provide a number of hot spares for specific volumes or metadevices. For example, a pool may be used to provide resilience for the rootdisk, while another pool provides resilience for data disks.

SVM Volumes

The types of SVM volumes you can create using Solaris Management Console or the SVM command-line utilities are concatenations, stripes, concatenated stripes, mirrors, and RAID 5 volumes. All the SVM volumes are described in the following sections.

Concatenations

Concatenations work much the same way the UNIX cat command is used to concatenate two or more files to create one larger file. If partitions are concatenated, the addressing of the component blocks is done on the components sequentially. This means that data is written to the first available slice until it is full and then moves to the next available slice. The file system can use the entire concatenation, even though it spreads across multiple disk drives. This type of volume provides no data redundancy, and the entire volume fails if a single slice fails. A concatenation can contain disk slices of different sizes because they are merely joined together.

NOTE

No more transactional volumes: As of Solaris 10, you should note that transactional volumes are no longer available with the Solaris Volume Manager (SVM). Use UFS logging to achieve the same functionality.

Stripes

A stripe is similar to a concatenation, except that the addressing of the component blocks is interlaced on all the slices comprising the stripe rather than sequentially. In other words, all disks are accessed at the same time in parallel. Striping is used to gain performance. When data is striped across disks, multiple controllers can access data simultaneously. An interlace refers to a grouped segment of blocks on a particular slice, the default value being 16K. Different interlace values can increase performance. For example, with a stripe containing five physical disks, if an I/O request is, say, 64K, four chunks of data (16K each because of the interlace size) are read simultaneously due to each sequential chunk residing on a separate slice.

The size of the interlace can be configured when the slice is created and cannot be modified afterward without destroying and recreating the stripe. In determining the size of the interlace, the specific application must be taken into account. For example, if most of the I/O requests are for large amounts of data, such as 10 megabytes, an interlace size of 2 megabytes produces a significant performance increase when using a five disk stripe. You should note that, unlike a concatenation, the components making up a stripe must all be the same size.
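How a logical request is split across components is the whole difference between sequential and interlaced addressing. The Python sketch below is an added example, not from the book; it maps a byte range onto a stripe and onto a concatenation and reproduces the two cases in the text (a 64K request with the default 16K interlace, and a 10-megabyte request with a 2-megabyte interlace, both on five disks). Function names and the 36GB component size are illustrative assumptions.

```python
"""Map a logical I/O request onto stripe and concatenation components."""
KB = 1024
MB = 1024 * KB
GB = 1024 * MB


def stripe_extents(offset, length, ncomponents, interlace=16 * KB):
    """Split a request into (component, component_offset, nbytes) extents.

    Consecutive interlace-sized chunks of the volume are placed on
    consecutive components, wrapping round after the last one.
    """
    extents = []
    while length > 0:
        chunk = offset // interlace          # index of the interlace in the volume
        within = offset % interlace          # position inside that interlace
        component = chunk % ncomponents
        component_offset = (chunk // ncomponents) * interlace + within
        nbytes = min(interlace - within, length)
        extents.append((component, component_offset, nbytes))
        offset += nbytes
        length -= nbytes
    return extents


def concat_extents(offset, length, sizes):
    """The same request against a concatenation: components fill in order,
    and they may have different sizes."""
    extents = []
    start = 0
    for component, size in enumerate(sizes):
        end = start + size
        if length > 0 and offset < end:
            nbytes = min(end - offset, length)
            extents.append((component, offset - start, nbytes))
            offset += nbytes
            length -= nbytes
        start = end
    if length > 0:
        raise ValueError("request runs past the end of the volume")
    return extents


def components_touched(extents):
    """Distinct components that must service the request."""
    return sorted({component for component, _, _ in extents})


if __name__ == "__main__":
    # 64K request, five-disk stripe, default 16K interlace: four disks in parallel.
    print(components_touched(stripe_extents(0, 64 * KB, 5)))
    # Same request on a concatenation of three 36GB slices: one disk only.
    print(components_touched(concat_extents(0, 64 * KB, [36 * GB] * 3)))
    # 10MB request with a 2MB interlace keeps all five disks busy.
    print(components_touched(stripe_extents(0, 10 * MB, 5, interlace=2 * MB)))
```

With the default 16K interlace the same 10-megabyte request would be broken into 640 small extents, which is why the text recommends sizing the interlace to the typical request.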

Concatenated Stripes

A concatenated stripe is a stripe that has been expanded by concatenating additional striped slices.

Mirrors

A mirror is composed of one or more stripes or concatenations. The volumes that are mirrored are called submirrors. SVM makes duplicate copies of the data located on multiple physical disks, and presents one virtual disk to the application. All disk writes are duplicated; disk reads come from one of the underlying submirrors. A mirror replicates all writes to a single logical device (the mirror) and then to multiple devices (the submirrors) while distributing read operations. This provides redundancy of data in the event of a disk or hardware failure.

Some mirror options can be defined when the mirror is initially created, or following the setup. For example, these options can allow all reads to be distributed across the submirror components, improving read performance. Table 3.3 describes the mirror read policies that can be configured.


Table 3.3 Mirror Read Policies

Read Policy    Description

Round Robin    This is the default policy and distributes the reads across submirrors.

Geometric    Reads are divided between the submirrors based on a logical disk block address.

First    This directs all reads to use the first submirror only.

Write performance can also be improved by configuring writes to all submirrors simultaneously. The trade-off with this option, however, is that all submirrors will be in an unknown state if a failure occurs. Table 3.4 describes the write policies that can be configured for mirror volumes.

Table 3.4 Mirror Write Policies

Write Policy    Description

Parallel    This is the default policy and directs the write operation to all submirrors simultaneously.

Serial    This policy specifies that writes to one submirror must complete before writes to the next submirror are started.

If a submirror goes offline, it must be resynchronized when the fault is resolved and it returns to service.

EXAM ALERT

Read and write policies: Make sure you are familiar with the policies for both read and write. There have been exam questions that ask for the valid mirror policies.

RAID 5 Volumes

A RAID 5 volume stripes the data, as described in the “Stripes” section earlier, but in addition to striping, RAID 5 replicates data by using parity information. In the case of missing data, the data can be regenerated using available data and the parity information. A RAID 5 metadevice is composed of multiple slices. Some space is allocated to parity information and is distributed across all slices in the RAID 5 metadevice. The striped metadevice performance is better than the RAID 5 metadevice because the RAID 5 metadevice has a parity overhead, but merely striping doesn’t provide data protection (redundancy).


Planning Your SVM Configuration

EXAM ALERT

You’ll see several questions that describe various data center scenarios. You’ll be given criteria, and you’ll be asked to choose which SVM configuration is best for a given situation. You might need to choose a configuration based on cost constraints, data availability, or performance. Try to memorize the following guidelines so that you understand why one configuration might be chosen over another for a given situation.

When designing your storage configuration, keep in mind the following guidelines:

. RAID 0 striping generally has the best performance, but it offers no data protection. For write-intensive applications, RAID 1 generally has better performance than RAID 5.

. RAID 1 and RAID 5 volumes both increase data availability, but both generally result in lower performance, especially for write operations. Mirroring does improve random read performance, and if the underlying submirror is a stripe, mirroring can improve write operations.

. RAID 5 requires less disk space; therefore, RAID 5 volumes have a lower hardware cost than RAID 1 volumes. RAID 0 volumes have the lowest hardware cost.

. Identify the most frequently accessed data, and increase access bandwidth to that data with mirroring or striping.

. Both RAID 0 stripes and RAID 5 volumes distribute data across multiple disk drives and help balance the I/O load.

. A RAID 0 stripe’s performance is better than that of a RAID 5 volume, but RAID 0 stripes do not provide data protection (redundancy).

. RAID 5 volume performance is lower than a striped RAID 0 performance for write operations because the RAID 5 volume requires multiple I/O operations to calculate and store the parity.

. For raw random I/O reads, the RAID 0 stripe and the RAID 5 volume are comparable. Both the stripe and RAID 5 volume split the data across multiple disks, and the RAID 5 volume parity calculations aren’t a factor in reads except after a slice failure.

. For raw random I/O writes, a RAID 0 stripe is superior to RAID 5 volumes.

EXAM ALERT

RAID solutions: You might get an exam question that describes an application and then asks which RAID solution would be best suited for it. For example, a financial application with mission-critical data would require mirroring to provide the best protection for the data, whereas a video editing application would require striping for the pure performance gain. Make sure you are familiar with the pros and cons of each RAID solution.


Using SVM, you can utilize volumes to provide increased capacity, higher availability, and better performance. In addition, the hot spare capability provided by SVM can provide another level of data availability for mirrors and RAID 5 volumes. Hot spares were described earlier in this chapter.

After you have set up your configuration, you can use Solaris utilities such as iostat, metastat, and metadb to report on its operation. The iostat utility is used to provide information on disk usage and shows you which metadevices are being heavily utilized. The metastat and metadb utilities provide status information on the metadevices and state databases, respectively.

The metastat command displays the current status for each metadevice. Its syntax is as follows:

metastat [<options>] <metadevice>

The options are as follows:

. -a: Displays all disk sets.

. -B: Displays the current status of all the 64-bit metadevices and hot spares.

. -c: Displays concise output.

. -h: Displays the command usage message.

. -i: Checks the status of all active metadevices and hot spares. The inquiry causes all components of each metadevice to be checked for accessibility, starting at the top-level metadevice. When problems are discovered, the metadevice state databases are updated as if an error occurred.

. -p: Displays the active metadevices in the same format as the md.tab file.

. -q: Displays the status of metadevices without the device relocation information.

. -r: Displays whether subdevices are relocatable.

. -s: Specifies the name of the disk set on which metastat works.

. -t: Prints the current status and timestamp for the specified metadevices and hot spare pools. The timestamp provides the date and time of the last state change.

For example, the following output provides information from the metastat utility while two mirror metadevices are being synchronized:

# metastat -i<cr>
d60: Mirror
    Submirror 0: d61
      State: Okay
    Submirror 1: d62
      State: Resyncing
    Resync in progress: 16 % done
    Pass: 1
    Read option: roundrobin (default)
    Write option: parallel (default)
    Size: 10420224 blocks (5.0 GB)

d61: Submirror of d60
    State: Okay
    Size: 10420224 blocks (5.0 GB)
    Stripe 0:
        Device      Start Block  Dbase  State  Reloc  Hot Spare
        c2t4d0s6    0            No     Okay   Yes

d62: Submirror of d60
    State: Resyncing
    Size: 10420224 blocks (5.0 GB)
    Stripe 0:
        Device      Start Block  Dbase  State  Reloc  Hot Spare
        c2t5d0s6    0            No     Okay   Yes

Device Relocation Information:
Device   Reloc  Device ID
c2t5d0   Yes    id1,sd@SATA_____VBOX_HARDDISK____VB62849a49-3829a15b
c2t4d0   Yes    id1,sd@SATA_____VBOX_HARDDISK____VB139b5e81-7e6b7a18
#

Notice from the preceding output that there are two mirror metadevices, each containing two submirror component metadevices. d60 contains submirrors d61 and d62, and d50 contains submirrors d51 and d52. It can be seen that the metadevices d52 and d62 are in the process of resynchronization. Use of this utility is important as there could be a noticeable degradation of service during the resynchronization operation on these volumes, which can be closely monitored as metastat also displays the progress of the operation, in percentage complete terms. Further information on these utilities is available from the online manual pages.
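The following script is an added example, not part of the original book: it reduces metastat output to one line per volume that is not in the Okay state, plus the resync progress of any mirror, so that degraded redundancy can be picked up by a cron job or monitoring agent. The function names are hypothetical, and the embedded sample is the d60 listing shown above.

```shell
#!/bin/sh
# Added example: summarise `metastat` output for monitoring.

# svm_alerts reads metastat output on stdin and prints one line per finding:
#   "<volume> <state>"        for any volume whose State is not Okay
#   "<mirror> resync <pct>%"  for a mirror that reports resync progress
svm_alerts() {
    awk '
        # "d60: Mirror" or "d62: Submirror of d60" starts a new volume block.
        /^d[0-9]+:/ {
            cur = $1
            sub(/:$/, "", cur)
            target = cur
            next
        }
        # Inside a mirror block, "Submirror N: dXX" names the volume that
        # the following State line describes.
        $1 == "Submirror" && $3 ~ /^d[0-9]+$/ { target = $3; next }
        $1 == "State:" {
            state = $0
            sub(/^[ \t]*State:[ \t]*/, "", state)
            sub(/[ \t]+$/, "", state)
            # Report each volume and state once, even though a submirror is
            # listed both under its mirror and in its own block.
            if (state != "Okay" && !((target, state) in seen)) {
                seen[target, state] = 1
                print target, state
            }
            next
        }
        /Resync in progress:/ { print cur, "resync", $4 "%" }
    '
}

# Sample input: the d60 listing from the text above.
sample_metastat() {
cat <<'EOF'
d60: Mirror
    Submirror 0: d61
      State: Okay
    Submirror 1: d62
      State: Resyncing
    Resync in progress: 16 % done
    Pass: 1
    Read option: roundrobin (default)
    Write option: parallel (default)
    Size: 10420224 blocks (5.0 GB)

d61: Submirror of d60
    State: Okay
    Size: 10420224 blocks (5.0 GB)
    Stripe 0:
        Device      Start Block  Dbase  State  Reloc  Hot Spare
        c2t4d0s6    0            No     Okay   Yes

d62: Submirror of d60
    State: Resyncing
    Size: 10420224 blocks (5.0 GB)
    Stripe 0:
        Device      Start Block  Dbase  State  Reloc  Hot Spare
        c2t5d0s6    0            No     Okay   Yes
EOF
}

# Demo on the sample; on a live system use: metastat | svm_alerts
sample_metastat | svm_alerts
```

An empty result means every volume reported Okay and no resync is running.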

You can also use SVM’s Simple Network Management Protocol (SNMP) trap generating daemon to work with a network monitoring console to automatically receive SVM error messages. Configure SVM’s SNMP trap to trap the following instances:

. A RAID 1 or RAID 5 subcomponent goes into “needs maintenance” state. A disk failure or too many errors would cause the software to mark the component as “needs maintenance.”

. A hot spare volume is swapped into service.

. A hot spare volume starts to resynchronize.

. A hot spare volume completes resynchronization.


. A mirror is taken offline.

. A disk set is taken by another host and the current host panics.

The system administrator now can receive, and monitor, messages from SVM when an error condition or notable event occurs. All operations that affect SVM volumes are managed by the metadisk driver, which is described in the next section.

Metadisk Driver

The metadisk driver, the driver used to manage SVM volumes, is implemented as a set of loadable pseudo device drivers. It uses other physical device drivers to pass I/O requests to and from the underlying devices. The metadisk driver operates between the file system and application interfaces and the device driver interface. It interprets information from both the UFS or applications and the physical device drivers. After passing through the metadevice driver, information is received in the expected form by both the file system and the device drivers. The metadevice is a loadable device driver, and it has all the same characteristics as any other disk device driver.

The volume name begins with “d” and is followed by a number. By default, there are 128 unique metadisk devices in the range of 0 to 127. Additional volumes, up to 8192, can be added to the kernel by editing the /kernel/drv/md.conf file. The meta block device accesses the disk using the system’s normal buffering mechanism. There is also a character (or raw) device that provides for direct transmission between the disk and the user’s read or write buffer. The names of the block devices are found in the /dev/md/dsk directory, and the names of the raw devices are found in the /dev/md/rdsk directory. The following is an example of a block and raw logical device name for metadevice d0:

/dev/md/dsk/d0 - block metadevice d0
/dev/md/rdsk/d0 - raw metadevice d0

You must have root access to administer SVM or have equivalent privileges granted through RBAC. (RBAC is described in Chapter 4, “Controlling Access and Configuring System Messaging.”)

SVM Commands

A number of SVM commands help you create, monitor, maintain, and remove metadevices. All the commands are delivered with the standard Solaris 10 Operating Environment distribution. Table 3.5 briefly describes the function of the more frequently used commands that are available to the system administrator.


Table 3.5 Solaris Volume Manager Commands

Command       Description
metaclear     Used to delete metadevices and can also be used to delete hot spare pools.
metadb        Used to create and delete the state database and its replicas. metadb with the -i option is used to monitor the status of the state database and its replicas.
metadetach    Used to detach a metadevice, typically removing one half of a mirror.
metadevadm    Used to update the metadevice information, an example being if a disk device changes its target address (ID).
metahs        Used to manage hot spare devices and hot spare pools.
metainit      Used to configure metadevices. You would use metainit to create concatenations or striped metadevices.
metattach     Used to attach a metadevice, typically used when creating a mirror or adding additional mirrors.
metaoffline   Used to place submirrors in an offline state.
metaonline    Used to place submirrors in an online state.
metareplace   Used to replace components of submirrors or RAID 5 metadevices. You would use metareplace when replacing a failed disk drive.
metarecover   Used to recover soft partition information.
metaroot      Used to set up the system files for the root metadevice. metaroot configures the / (root) file system to use a metadevice. It adds an entry to /etc/system and also updates /etc/vfstab to reflect the new device to use to mount the root (/) file system.
metastat      Used to display the status of a metadevice, all metadevices, or hot spare pools.


NOTE

Where they live: The majority of the SVM commands reside in the /usr/sbin directory, although you should be aware that metainit, metadb, metastat, metadevadm, and metarecover reside in /sbin. /usr/sbin contains links to these commands as well.

NOTE

No more metatool: You should note that the metatool command is no longer available in Solaris 10. Similar functionality—managing metadevices through a graphical utility—can be achieved using the Solaris Management Console (SMC)—specifically, the Enhanced Storage section.


Creating the State Database

The SVM state database contains vital information on the configuration and status of all volumes, hot spares, and disk sets. There are normally multiple copies of the state database, called replicas. It is recommended that state database replicas be located on different physical disks, or even different controllers if possible, to provide added resilience.

The state database, together with its replicas, guarantees the integrity of the state database by using a majority consensus algorithm. The algorithm used by SVM for database replicas is as follows:

. The system will continue to run if at least half of the state database replicas are available.

. The system will panic if fewer than half of the state database replicas are available.

. The system cannot reboot into multiuser mode unless a majority (half + 1) of the total number of state database replicas are available.

. The Solaris operating system continues to function normally if all state database replicas are deleted. However, when the system is rebooted, the system loses all Solaris Volume Manager configuration data when no state database replicas are available on a disk.

NOTE

No automatic problem detection: The SVM software does not detect problems with state database replicas until an existing SVM configuration changes and an update to the database replicas is required. If insufficient state database replicas are available, you need to boot to single-user mode, and delete or replace enough of the corrupted or missing database replicas to achieve a quorum.

If a system crashes and corrupts a state database replica, the majority of the remaining replicas must be available and consistent—that is, half + 1. This is why at least three state database replicas must be created initially to allow for the majority algorithm to work correctly.

You also need to put some thought into the placement of your state database replicas. The following are some guidelines:

. When possible, Sun recommends that you create state database replicas on a dedicated slice that is at least 4MB in size for each database replica it will store. I recommend 10MB per state database replica, because disk space is relatively cheap, and the size of a database replica could be increased if you create more than 128 metadevices. Also, I’ve seen Sun increase the size of a metadb in the past from 1024 blocks to 8192, so I like to be prepared.

. You cannot create state database replicas on slices containing existing file systems or data.

. When possible, place state database replicas on slices that are on separate disk drives. If possible, use drives that are on different host bus adapters.


. When distributing your state database replicas, follow these rules:

    . Create three replicas on one slice for a system with a single disk drive. Realize, however, that if the drive fails, all your database replicas will be unavailable, and your system will crash.

    . Create two replicas on each drive for a system with two to four disk drives.

    . Create one replica on each drive for a system with five or more drives.

The state database and its replicas are managed using the metadb command. The syntax of this command is as follows:

/sbin/metadb -h<cr>

/sbin/metadb [-s <setname>]
/sbin/metadb [-s <setname>] -a [-f] [-k <system-file>] mddbnn
/sbin/metadb [-s <setname>] -a [-f] [-k <system-file>] [-c <number>]\
[-l <length>] slice...
/sbin/metadb [-s <setname>] -d [-f] [-k <system-file>] mddbnn
/sbin/metadb [-s <setname>] -d [-f] [-k <system-file>] slice...
/sbin/metadb [-s <setname>] -i
/sbin/metadb [-s <setname>] -p [-k <system-file>] [mddb.cf-file]

Table 3.6 describes the options available for the metadb command.

Table 3.6 metadb Command Options

Option             Description
-a                 Specifies the creation of a new database replica.
-c <number>        Specifies the number of replicas to be created on each device. The default is 1.
-d                 Deletes all the replicas that are present in the specified slice.
-f                 Forces the creation of the first database replica (when used in conjunction with the -a option) and the deletion of the last remaining database replica (when used in conjunction with the -d option).
-h                 Displays the usage message.
-i                 Displays status information about all database replicas.
-k <system-file>   Specifies the name of the kernel file where the replica information should be written; by default, this is /kernel/drv/md.conf.
-l <length>        Specifies the size (in blocks) of each replica. The default length is 8,192 blocks.
-p                 Specifies that the system file (the default is /kernel/drv/md.conf) should be updated with entries from /etc/lvm/mddb.cf.
-s <setname>       Specifies the name of the disk set on which metadb should run.
slice              Specifies the disk slice to use, such as /dev/dsk/c0t0d0s6.


In the following example, I have reserved a slice (slice 4) on each of two disks to hold the copies of the state database, and I’ll create two copies in each reserved disk slice, giving a total of four state database replicas. In this scenario, the failure of one disk drive will result in the loss of more than half of the operational state database replicas, but the system will continue to function. The system will panic only when more than half of the database replicas are lost. For example, if I had created only three database replicas and the drive containing two of the replicas fails, the system will panic.

To create the state database and its replicas, using the reserved disk slices, enter the following command:

# metadb -a -f -c2 c0t0d0s4 c0t1d0s4<cr>

Here, -a indicates a new database is being added, -f forces the creation of the initial database, -c2 indicates that two copies of the database are to be created, and the two cxtxdxsx entries describe where the state databases are to be physically located. The system returns the prompt; there is no confirmation that the database has been created.

The following example demonstrates how to remove the state database replicas from two disk slices, namely c0t0d0s4 and c0t1d0s4:

# metadb -d c0t0d0s4 c0t1d0s4<cr>

The next section shows how to verify the status of the state database.

Monitoring the Status of the State Database

When the state database and its replicas have been created, you can use the metadb command, with no options, to see the current status. If you use the -i flag, you also see a description of the status flags.

Examine the state database as shown here:

# metadb -i<cr>
        flags           first blk       block count
     a m  p  luo        16              8192            /dev/dsk/c0t0d0s4
     a    p  luo        8208            8192            /dev/dsk/c0t0d0s4
     a    p  luo        16              8192            /dev/dsk/c0t1d0s4
     a    p  luo        8208            8192            /dev/dsk/c0t1d0s4
 r - replica does not have device relocation information
 o - replica active prior to last mddb configuration change
 u - replica is up to date
 l - locator for this replica was read successfully
 c - replica’s location was in /etc/lvm/mddb.cf
 p - replica’s location was patched in kernel
 m - replica is master, this is replica selected as input
 W - replica has device write errors
 a - replica is active, commits are occurring to this replica
 M - replica had problem with master blocks
 D - replica had problem with data blocks
 F - replica had format problems
 S - replica is too small to hold current data base
 R - replica had device read errors

Each line of output is divided into the following fields:

. flags: This field contains one or more state database status letters. A normal status is a “u” and indicates that the database is up-to-date and active. Uppercase status letters indicate a problem and lowercase letters are informational only.

. first blk: The starting block number of the state database replica in its partition. Multiple state database replicas in the same partition will show different starting blocks.

. block count: The size of the replica in disk blocks. The default length is 8192 blocks (4MB), but the size could be increased if you anticipate creating more than 128 metadevices, in which case, you would need to increase the size of all state databases.

The last field in each state database listing is the path to the location of the state database replica.

As the code shows, there is one master replica; all four replicas are active and up to date and have been read successfully.

Recovering from State Database Problems

SVM requires that at least half of the state database replicas must be available for the system to function correctly. When a disk fails or some of the state database replicas become corrupt, they must be removed with the system at the Single User state, to allow the system to boot correctly. When the system is operational again (albeit with fewer state database replicas), additional replicas can again be created.

The following example shows a system with two disks, each with two state database replicas on slices c0t0d0s7 and c0t1d0s7.

If we run metadb -i, we can see that the state database replicas are all present and working correctly:

# metadb -i<cr>
        flags           first blk       block count
     a m  p  luo        16              8192            /dev/dsk/c0t0d0s7
     a    p  luo        8208            8192            /dev/dsk/c0t0d0s7
     a    p  luo        16              8192            /dev/dsk/c0t1d0s7
     a    p  luo        8208            8192            /dev/dsk/c0t1d0s7
 r - replica does not have device relocation information
 o - replica active prior to last mddb configuration change
 u - replica is up to date
 l - locator for this replica was read successfully
 c - replica’s location was in /etc/lvm/mddb.cf
 p - replica’s location was patched in kernel
 m - replica is master, this is replica selected as input
 W - replica has device write errors
 a - replica is active, commits are occurring to this replica
 M - replica had problem with master blocks
 D - replica had problem with data blocks
 F - replica had format problems
 S - replica is too small to hold current data base
 R - replica had device read errors

Subsequently, a disk failure or corruption occurs on the disk c0t1d0 and renders the two replicas unusable. The metadb -i command shows that errors have occurred on the two replicas on c0t1d0s7:

# metadb -i<cr>
        flags           first blk       block count
     a m  p  luo        16              8192            /dev/dsk/c0t0d0s7
     a    p  luo        8208            8192            /dev/dsk/c0t0d0s7
      M   p             16              unknown         /dev/dsk/c0t1d0s7
      M   p             8208            unknown         /dev/dsk/c0t1d0s7
 r - replica does not have device relocation information
 o - replica active prior to last mddb configuration change
 u - replica is up to date
 l - locator for this replica was read successfully
 c - replica’s location was in /etc/lvm/mddb.cf
 p - replica’s location was patched in kernel
 m - replica is master, this is replica selected as input
 W - replica has device write errors
 a - replica is active, commits are occurring to this replica
 M - replica had problem with master blocks
 D - replica had problem with data blocks
 F - replica had format problems
 S - replica is too small to hold current data base
 R - replica had device read errors

When the system is rebooted, the following messages appear:

Insufficient metadevice database replicas located.
Use metadb to delete databases which are broken.
Ignore any Read-only file system error messages.
Reboot the system when finished to reload the metadevice database.
After reboot, repair any broken database replicas which were deleted.

To repair the situation, you need to be in single-user mode, so boot the system with -s and then remove the failed state database replicas on c0t1d0s7:

# metadb -d c0t1d0s7<cr>


Now reboot the system again. It boots with no problems, although you now have fewer state database replicas. This enables you to repair the failed disk and re-create the metadevice state database replicas.
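The following script is an added example, not part of the original book: it applies the majority rules from "Creating the State Database" to metadb output and reports whether the system keeps running, would fail to boot to multiuser mode, or would panic. The function names and verdict strings are hypothetical; the first sample is the failed-disk listing from this section and the second is constructed.

```shell
#!/bin/sh
# Added example: apply the replica majority rules to `metadb` output.

# replica_quorum reads metadb-style output on stdin and prints
# "<total> <healthy> <verdict>".
replica_quorum() {
    awk '
        # Replica lines end in a /dev/ path; header and legend lines do not.
        $NF ~ /^\/dev\// {
            total++
            flags = ""
            # The last three fields are first blk, block count and path;
            # everything before them is the flags column.
            for (i = 1; i <= NF - 3; i++) flags = flags $i
            # Uppercase flags (W M D F S R) report a problem with the replica.
            if (flags !~ /[WMDFSR]/) healthy++
        }
        END {
            if (total == 0)                verdict = "no-replicas"
            else if (healthy * 2 > total)  verdict = "ok"
            else if (healthy * 2 == total) verdict = "runs-but-no-multiuser-boot"
            else                           verdict = "panic"
            printf "%d %d %s\n", total, healthy, verdict
        }
    '
}

# Sample 1: the listing from this section after disk c0t1d0 has failed.
sample_after_disk_failure() {
cat <<'EOF'
        flags           first blk       block count
     a m  p  luo        16              8192            /dev/dsk/c0t0d0s7
     a    p  luo        8208            8192            /dev/dsk/c0t0d0s7
      M   p             16              unknown         /dev/dsk/c0t1d0s7
      M   p             8208            unknown         /dev/dsk/c0t1d0s7
EOF
}

# Sample 2 (constructed): three replicas, two of them on the failed disk.
sample_three_replicas_two_lost() {
cat <<'EOF'
        flags           first blk       block count
     a m  p  luo        16              8192            /dev/dsk/c0t0d0s7
      M   p             16              unknown         /dev/dsk/c0t1d0s7
      M   p             8208            unknown         /dev/dsk/c0t1d0s7
EOF
}

# Demo on the samples; on a live system use: metadb | replica_quorum
echo "2+2 replicas, one disk failed: $(sample_after_disk_failure | replica_quorum)"
echo "1+2 replicas, one disk failed: $(sample_three_replicas_two_lost | replica_quorum)"
```

The first sample yields exactly half of the replicas, which matches the behaviour described above: the system stays up but the next reboot stops with the "Insufficient metadevice database replicas" message.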

Creating a RAID 0 (Concatenated) Volume

A RAID 0 volume is also called a concatenated volume or a simple volume. It provides no redundancy but gives you a method to quickly expand disk storage. The concatenated volume spreads data across all the components in the volume, but it starts with the first available component and uses it until it’s full. When the first component is full, the volume starts to fill the next available component. There is no performance gain over conventional file systems and slices, because the system still writes to only one disk at a time.

You create a concatenated volume when you want to place an existing file system under SVM control. Use the metainit command to create an SVM volume. Use the following syntax when using metainit to create a concatenated volume:

/sbin/metainit <volume-name> <number-of-stripes> <components-per-stripe>\
<component-names> [-i <interlace>]

Table 3.7 describes the metainit options used to create a concatenated volume.

Table 3.7 metainit Command Options

Command Option            Description
<volume-name>             Specifies the name of the volume to create. Use a standard naming convention for your volume names to simplify administration. This is especially true when I describe setting up mirrored volumes. We currently don’t have much flexibility in our volume names. Solaris 10 currently requires that all volume names begin with d followed by a number, such as d0 and d10. This probably will change in the future. In fact, some releases of OpenSolaris allow the use of descriptive names.
<number-of-stripes>       Specifies the number of stripes to create.
<components-per-stripe>   Specifies the number of components each stripe should have.
<component-names>         Specifies the names of the components that are used. If more than one component is used, separate each component with a space. The component name could be a physical disk slice, such as c0t1d0s2, or another volume, such as d1.
-i <interlace>            Specifies the interlace width to use for the stripe. The interlace width is a value, followed by either k for kilobytes, m for megabytes, or b for blocks. The interlace specified cannot be less than 16 blocks or greater than 100 megabytes. The default interlace width is 16 kilobytes.

Generic Command Options That Can Be Used When Creating All Types of SVM Volumes

Generic Command Option    Description
-f                        Forces the metainit command to continue even if one of the slices contains a mounted file system or is being used as swap. This option is useful when you’re configuring mirrors on root (/), swap, and /usr.
-h                        Displays the command usage message.
-n                        Checks the syntax of your command line or md.tab entry without actually setting up the metadevice. If used with -a, all devices are checked but not initialized.
-r                        Used only in a shell script at boot time. Sets up all metadevices that were configured before the system crashed or was shut down.
-s <setname>              Specifies the name of the disk set on which metainit will work. Without this option, metainit operates on your local metadevices and/or hot spares.

In the following example, a concatenated metadevice (simple volume) is created using a single disk slice named /dev/dsk/c0t0d0s5. The metadevice is named d100. The concatenation consists of one stripe (number of stripes = 1), and the stripe is composed of one slice (components per stripe = 1):

# metainit -f d100 1 1 c0t0d0s5<cr>
d100: Concat/Stripe is setup

The -f option is a generic option that forces the metainit command to continue even if one of the slices contains a mounted file system or is being used as swap. This option is necessary if you are configuring mirrors on root (/), swap, or /usr.

View the metadevice with the metastat command as follows:

# metastat -c<cr>
d100 s 2.0GB c0t0d0s5

The -c option to the metastat command displays the output in a concise format.

A metadevice is removed with the metaclear command. The syntax for the metaclear command is as follows:

/sbin/metaclear [<options>] <metadevice>

Table 3.8 lists the options of the metaclear command.


Table 3.8 metaclear Command Options

Option   Description
-a       Deletes all metadevices.
-f       Deletes forcibly. Use this to delete a metadevice or component that is in an error state.
-h       Displays the metaclear usage message.
-p       Purges (deletes) all soft partitions from the specified metadevice or component.
-r       Recursively deletes specified metadevices and hot spares. This option does not delete metadevices on which other metadevices depend.

Remove the metadevice with the metaclear command:

# metaclear d100<cr>
d100: Concat/Stripe is cleared

In this next example, I’ll create a concatenation of three separate disk slices (c2t1d0s6, c2t2d0s6, and c2t3d0s6). The metadevice is named d101. The concatenation consists of three stripes (number of stripes = 3), and each stripe is composed of one slice (components per stripe = 3):

# metainit -f d101 3 1 c2t1d0s6 1 c2t2d0s6 1 c2t3d0s6<cr>
d101: Concat/Stripe is setup

View the metadevice with the metastat command as follows:

# metastat<cr>
d101: Concat/Stripe
    Size: 50135040 blocks (23 GB)
    Stripe 0:
        Device      Start Block  Dbase  Reloc
        c2t1d0s6    0            No     Yes
    Stripe 1:
        Device      Start Block  Dbase  Reloc
        c2t2d0s6    0            No     Yes
    Stripe 2:
        Device      Start Block  Dbase  Reloc
        c2t3d0s6    0            No     Yes

Use the metaclear command to remove an SVM volume. For example, to remove the volume named d101, type the following:

# metaclear d101<cr>
d101: Concat/Stripe is cleared


Creating a RAID 0 (Stripe) Volume

A RAID 0 stripe volume provides better performance than a RAID 0 concatenated volume because all the disks are accessed in parallel rather than sequentially, as with the concatenated stripe.

You create a striped volume using the metainit command that was described earlier when I created a RAID 0 concatenated volume. However, when I create the stripe volume, I’ll specify more than one slice per stripe:

# metainit -f d200 1 3 c2t1d0s6 c2t2d0s6 c2t3d0s6<cr>
d200: Concat/Stripe is setup

The volume named d200 consists of a single stripe (number of stripes = 1), and the stripe is composed of three slices (components per stripe = 3). The slices used are c2t1d0s6, c2t2d0s6, and c2t3d0s6.

Display the metadevice with the metastat command:

# metastat<cr>
d200: Concat/Stripe
    Size: 50135040 blocks (23 GB)
    Stripe 0: (interlace: 32 blocks)
        Device      Start Block  Dbase  Reloc
        c2t1d0s6    0            No     Yes
        c2t2d0s6    0            No     Yes
        c2t3d0s6    0            No     Yes

Notice the difference between this striped metadevice (d200) and the concatenated metadevice (d101) that was created in the previous section.
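The following script is an added example, not part of the original book: it models how a logical block of d101 (concatenation) and d200 (stripe, interlace 32 blocks) lands on the three slices, and counts how many disks a short sequential transfer touches in each layout. It is a simplified model that assumes three equal-sized components (the 50135040-block total divided by three) with data starting at block 0; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: simplified block-address model of d101 (concat) and
# d200 (stripe). Assumes equal-sized components with data at block 0.

DEVICES="c2t1d0s6 c2t2d0s6 c2t3d0s6"  # slices used for d101 and d200
NCOMP=3
COMP_BLOCKS=16711680                  # assumption: 50135040 blocks / 3
INTERLACE=32                          # "interlace: 32 blocks" for d200

# nth_device N: print the Nth (0-based) slice name.
nth_device() {
    n=$1
    set -- $DEVICES
    shift "$n"
    echo "$1"
}

# in_range BLOCK: succeed if BLOCK lies inside the volume.
in_range() {
    [ "$1" -ge 0 ] && [ "$1" -lt $(( COMP_BLOCKS * NCOMP )) ]
}

# concat_map BLOCK: print "<slice> <offset>" for a concatenation, which
# fills the first component completely before using the next one.
concat_map() {
    in_range "$1" || return 1
    echo "$(nth_device $(( $1 / COMP_BLOCKS ))) $(( $1 % COMP_BLOCKS ))"
}

# stripe_map BLOCK: print "<slice> <offset>" for a stripe, which rotates
# across the components one interlace-sized chunk at a time.
stripe_map() {
    in_range "$1" || return 1
    chunk=$(( $1 / INTERLACE ))
    echo "$(nth_device $(( chunk % NCOMP ))) $(( (chunk / NCOMP) * INTERLACE + $1 % INTERLACE ))"
}

# devices_touched LAYOUT START COUNT: number of distinct slices used by a
# sequential transfer of COUNT blocks; LAYOUT is "concat" or "stripe".
devices_touched() {
    layout=$1
    blk=$2
    end=$(( $2 + $3 ))
    while [ "$blk" -lt "$end" ]; do
        "${layout}_map" "$blk"
        blk=$(( blk + 1 ))
    done | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# Demo: where block 100 lives, and how many disks a 96-block transfer uses.
echo "concat block 100 -> $(concat_map 100)"
echo "stripe block 100 -> $(stripe_map 100)"
echo "96 blocks on concat touch $(devices_touched concat 0 96) disk(s)"
echo "96 blocks on stripe touch $(devices_touched stripe 0 96) disk(s)"
```

In this model the 96-block transfer stays on one disk in the concatenation and is spread over all three in the stripe, which is the parallel access the section describes.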

Use the metaclear command to remove an SVM volume. For example, to remove the RAID 0 volume named d200, type the following:

# metaclear d200<cr>
d200: Concat/Stripe is cleared

Monitoring the Status of a Volume

Solaris Volume Manager provides the metastat command to monitor the status of all volumes. The syntax of this command is as follows:

/usr/sbin/metastat -h
/usr/sbin/metastat [-a] [-B] [-c] [-i] [-p] [-q] [-s <setname>] [-t <metadevice>] component


Table 3.9 describes the options for the metastat command.

Table 3.9 metastat Command Options

Option            Description
-a                Displays the metadevices for all disk sets owned by the current host.
-B                Displays the status of all 64-bit metadevices and hot spares.
-c                Displays concise output, only one line per metadevice.
-h                Displays a usage message.
-i                Checks the status of RAID 1 (mirror) volumes as well as RAID 5 and hot spares.
-p                Displays the list of active metadevices and hot spare pools. The output is displayed in the same format as the configuration file md.tab.
-q                Displays the status of metadevices, but without the device relocation information.
-s <setname>      Restricts the status to that of the specified disk set.
-t <metadevice>   Displays the status and timestamp of the specified metadevices and hot spares. The timestamp shows the date and time of the last state change.
component         Specifies the component or metadevice to restrict the output. If this option is omitted, the status of all metadevices is displayed.

In the following example, the metastat command is used to display the status of a single metadevice, d100:

# metastat d100<cr>
d100: Concat/Stripe
    Size: 10489680 blocks (5.0 GB)
    Stripe 0:
        Device     Start Block  Dbase  State  Reloc  Hot Spare
        c0t0d0s5   0            No     Okay   Yes

Device Relocation Information:
Device   Reloc  Device ID
c0t0d0   Yes    id1,dad@ASAMSUNG_SP0411N=S01JJ60X901935

In the next example, the metastat -c command displays the status for the same metadevice (d100), but this time in concise format:

# metastat -c d100<cr>
d100 s 5.0GB c0t0d0s5

Creating a Soft Partition

Soft partitions are used to divide large partitions into smaller areas, or extents, without the limitations imposed by hard slices. The soft partition is created by specifying a start block and a block size. Soft partitions differ from hard slices created using the format command because soft partitions can be noncontiguous, whereas a hard slice is contiguous. Therefore, soft partitions can cause I/O performance degradation.

A soft partition can be built on a disk slice or another SVM volume, such as a concatenated device. For maximum flexibility and high availability, build RAID 1 (mirror) or RAID 5 volumes on disk slices, and then create soft partitions on the mirror or RAID volume.

As when creating other SVM volumes, you create soft partitions using the SVM command metainit. The syntax is as follows:

metainit <soft-partition> -p [-e] <component> <size>

Table 3.10 describes the metainit options used to create a soft partition.

Table 3.10 metainit Command Options

Command Option     Description
<soft-partition>   The name of the metadevice. The name begins with d followed by a number.
<component>        The name of the disk slice or SVM volume that the soft partition will be created on.
<size>             Specifies the size of the soft partition. The size is specified as a number followed by M or m for megabytes, G or g for gigabytes, T or t for terabytes, or B or b for blocks.
-p                 Specifies that the metadevice will be a soft partition.
-e                 Specifies that the entire disk should be reformatted. Formatting the disk creates slice 0, which takes most of the disk. Slice 7 is also created, with a size of 4MB, for storing a state database replica.

For example, let’s say that we have a hard slice named c2t1d0s1 that is 10GB in size and was created using the format command. To create a soft partition named d10 which is 1GB in size, and assuming that you’ve already created the required database replicas, issue the following command:

# metainit d10 -p c2t1d0s1 1g<cr>

The system responds with

d10: Soft Partition is setup

View the soft partition using the metastat command:

# metastat d10<cr>
d10: Soft Partition
    Device: c2t1d0s1
    State: Okay
    Size: 2097152 blocks (1.0 GB)
        Device     Start Block  Dbase  Reloc
        c2t1d0s1   25920        Yes    Yes

        Extent     Start Block  Block count
        0          25921        2097152

Device Relocation Information:
Device   Reloc  Device ID
c2t1d0   Yes    id1,sd@SIBM_____DDRS34560SUN4.2G564442__________

Create a file system on the soft partition using the newfs command:

# newfs /dev/md/rdsk/d10<cr>

It’s good practice to check the new file system using the fsck command:

# fsck /dev/md/rdsk/d10<cr>

Now you can mount a directory named /data onto the soft partition:

# mount /dev/md/dsk/d10 /data<cr>

To remove the soft partition named d10, unmount the file system that is mounted to the soft partition and issue the metaclear command:

# metaclear d10<cr>

The system responds with

d10: Soft Partition is cleared

CAUTION
Removing the soft partition destroys all data that is currently stored on that partition.

You can also create a soft partition on an existing SVM volume, such as a striped or mirrored volume. In the following example, I’ve already created a RAID 0 striped volume named d200. The stripe is built on top of three 2GB slices; therefore, d200 represents a volume that is approximately 6GB. I’ll create two 500MB soft partitions named d40 and d50 on this striped volume:

# metainit d40 -p d200 500m<cr>
d40: Soft Partition is setup
# metainit d50 -p d200 500m<cr>
d50: Soft Partition is setup

Because the soft partitions are built on top of a striped volume, my performance will be improved as a result of the striped volume.

Remove all the metadevices by typing this:

# metaclear -a<cr>
d50: Soft Partition is cleared
d40: Soft Partition is cleared

The -a option deletes all metadevices.

Expanding an SVM Volume

With SVM, you can increase the size of a file system while it is active and without unmounting the file system. The process of expanding a file system consists of first increasing the size of the SVM volume using the metattach command. The metattach command is used to grow soft partitions, metadevices, submirrors, and mirrors. Furthermore, metadevices can be grown without interrupting service. The syntax for using the metattach command to expand a soft partition is as follows:

/sbin/metattach [-s <setname>] <metadevice> <size>

where:

. -s <setname>: Specifies the name of the disk set on which the metattach or metadetach command will work. Using the -s option causes the command to perform its administrative function within the specified disk set. Without this option, the command performs its function on local metadevices.

. <metadevice>: Specifies the metadevice name of the existing soft partition or metadevice.

. <size>: Specifies the amount of space to add to the soft partition in K or k for kilobytes, M or m for megabytes, G or g for gigabytes, T or t for terabytes, or B or b for blocks (sectors).

After increasing the size of the volume with metattach, you grow the file system that has been created on the partition using the growfs command. growfs nondestructively expands a mounted or unmounted UNIX file system (UFS) to the size of the file system’s slice(s). The syntax for the growfs command is as follows:

/sbin/growfs [-M <mountpoint>] [<newfs-options>] [<raw-device>]

where:

. -M <mountpoint>: Specifies that the file system to be expanded is mounted on <mountpoint>. File system locking (lockfs) is used.

. <newfs-options>: See the newfs man pages.

. <raw-device>: Specifies the name of the raw metadevice residing in /dev/md/rdsk or /dev/rdsk.

In Step By Step 3.1, I’ll use metattach to increase the size of a soft partition, and I’ll use growfs to increase the size of the file system mounted on it.

STEP BY STEP
3.1 Increasing the Size of a Mounted File System

1. Check the current size of the /data file system:

# df -h /data<cr>
Filesystem             size   used  avail capacity  Mounted on
/dev/md/dsk/d10        960M   1.0M   901M     1%    /data

Note that the size of /data is currently 960MB.

A metastat -c shows the size as 1.0GB:

# metastat -c d10<cr>
d10 p 1.0GB c2t1d0s1

2. Use the metattach command to increase the SVM volume named d10 from 1GB to 2GB as follows:

# metattach d10 1gb<cr>

Another metastat -c shows that the soft partition is now 2GB, as follows:

# metastat -c d10<cr>
d10 p 2.0GB c2t1d0s1

Check the size of /data again, and note that the size did not change:

# df -h /data<cr>
Filesystem             size   used  avail capacity  Mounted on
/dev/md/dsk/d10        960M   1.0M   901M     1%    /data

3. To increase the mounted file system /data, use the growfs command:

# growfs -M /data /dev/md/rdsk/d10<cr>
Warning: 416 sector(s) in last cylinder unallocated
/dev/md/rdsk/d10: 4194304 sectors in 1942 cylinders of 16 tracks, 135 sectors
2048.0MB in 61 cyl groups (32 c/g, 33.75MB/g, 16768 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
32, 69296, 138560, 207824, 277088, 346352, 415616, 484880, 554144, 623408,
3525584, 3594848, 3664112, 3733376, 3802640, 3871904, 3941168, 4010432,
4079696, 4148960,

Another df -h /data command shows that the /data file system has been increased as follows:

# df -h /data<cr>
Filesystem             size   used  avail capacity  Mounted on
/dev/md/dsk/d10        1.9G   2.0M   1.9G     1%    /data

Soft partitions can be built on top of concatenated devices, and you can increase a soft partition as long as there is room on the underlying metadevice. For example, you can’t increase a 1GB soft partition if the metadevice on which it is currently built is only 1GB in size. However, you could add another slice to the underlying metadevice d9.

In Step By Step 3.2 you will create an SVM device on c2t1d0s1 named d9 that is 4GB in size. You then will create a 3GB soft partition named d10 built on this device. To add more space to d10, you first need to increase the size of d9. The only way to accomplish this is to add more space to d9, as described in the Step by Step.

STEP BY STEP
3.2 Concatenate a New Slice to an Existing Volume

1. Log in as root and create the state database replicas as described earlier in this chapter.

2. Use the metainit command to create a simple SVM volume on c2t1d0s1:

# metainit d9 1 1 c2t1d0s1<cr>
d9: Concat/Stripe is setup

Use the metastat command to view the simple metadevice named d9:

# metastat d9<cr>
d9: Concat/Stripe
    Size: 8311680 blocks (4.0 GB)
    Stripe 0:
        Device     Start Block  Dbase  State  Reloc  Hot Spare
        c2t1d0s1   25920        Yes    Okay   Yes

Device Relocation Information:
Device   Reloc  Device ID
c2t1d0   Yes    id1,sd@SIBM_____DDRS34560SUN4.2G564442__________

3. Create a 3GB soft partition on top of the simple device:

# metainit d10 -p d9 3g<cr>
d10: Soft Partition is setup

4. Before we can add more space to d10, we first need to add more space to the simple volume by concatenating another 3.9GB slice (c2t2d0s1) to d9:

# metattach d9 c2t2d0s1<cr>
d9: component is attached

The metastat command shows the following information about d9:

# metastat d9<cr>
d9: Concat/Stripe
    Size: 16670880 blocks (7.9 GB)
    Stripe 0:
        Device     Start Block  Dbase  State  Reloc  Hot Spare
        c2t1d0s1   25920        Yes    Okay   Yes
    Stripe 1:
        Device     Start Block  Dbase  State  Reloc  Hot Spare
        c2t2d0s1   0            No     Okay   Yes

Device Relocation Information:
Device   Reloc  Device ID
c2t1d0   Yes    id1,sd@SIBM_____DDRS34560SUN4.2G564442__________
c2t2d0   Yes    id1,sd@SIBM_____DDRS34560SUN4.2G3Z1411__________

Notice that the metadevice d9 is made up of two disk slices (c2t1d0s1 and c2t2d0s1) and that the total size of d9 is now 7.9GB.

5. Now we can increase the size of the metadevice d10 using the metattach command described in Step By Step 3.1.

Creating a Mirror

A mirror is a logical volume that consists of more than one metadevice, also called a submirror. You create a mirrored volume using the metainit command used earlier to create a RAID 0 volume. However, the syntax and options are not the same:

/sbin/metainit [<generic options>] <mirror> -m <submirror> [<read_options>]\
[<write_options>] [<pass_num>]

Table 3.11 describes the generic options for the metainit command and the options specific to creating a mirror.

Table 3.11 metainit Mirror Options

Command Option            Description
<mirror> -m <submirror>   <mirror> is the metadevice name of the mirror. The -m option indicates that the configuration being created is a mirror. <submirror> is a metadevice that makes up the initial one-way mirror.
<read_options>            The following read options are available for mirrors:
-g                        Enables the geometric read option, which results in faster performance on sequential reads.
-r                        Directs all reads to the first submirror. This flag cannot be used with the -g option.
<write_options>           The following write options are available for mirrors:
-S                        Performs serial writes to mirrors. The first submirror write completes before the second is started. This may be useful if hardware is susceptible to partial sector failures. If -S is not specified, writes are replicated and dispatched to all mirrors simultaneously.
<pass_num>                A number in the range 0 to 9 at the end of an entry defining a mirror that determines the order in which that mirror is resynced during a reboot. The default is 1. Smaller pass numbers are resynced first. Equal pass numbers are run concurrently. If 0 is used, the resync is skipped. 0 should be used only for mirrors mounted as read-only, or as swap.

This example has two physical disks: c0t0d0 and c0t1d0. Slice 5 is free on both disks, which will comprise the two submirrors, d12 and d22. The logical mirror will be named d2; it is this device that will be used when a file system is created. Step By Step 3.3 details the whole process.

STEP BY STEP
3.3 Creating a Mirror

1. Create the two simple metadevices that will be used as submirrors:

# metainit d12 1 1 c0t0d0s5<cr>
d12: Concat/Stripe is setup
# metainit d22 1 1 c0t1d0s5<cr>
d22: Concat/Stripe is setup

2. Having created the submirrors, now create the actual mirror device, d2, but attach only one of the submirrors. The second submirror will be attached manually.

# metainit d2 -m d12<cr>
d2: Mirror is setup

At this point, a one-way mirror has been created.

3. Attach the second submirror to the mirror device, d2:

# metattach d2 d22<cr>
d2: Submirror d22 is attached

At this point, a two-way mirror has been created. The second submirror will be synchronized with the first submirror to ensure that they are identical.

4. Verify that the mirror has been created successfully and that the two submirrors are being synchronized:

# metastat -q<cr>
d2: Mirror
    Submirror 0: d12
      State: Okay
    Submirror 1: d22
      State: Resyncing
    Resync in progress: 27 % done
    Pass: 1
    Read option: roundrobin (default)
    Write option: parallel (default)
    Size: 4194828 blocks (2.0 GB)

d12: Submirror of d2
    State: Okay
    Size: 4194828 blocks (2.0 GB)
    Stripe 0:
        Device     Start Block  Dbase  State  Reloc  Hot Spare
        c0t0d0s5   0            No     Okay   Yes

d22: Submirror of d2
    State: Resyncing
    Size: 4194828 blocks (2.0 GB)
    Stripe 0:
        Device     Start Block  Dbase  State  Reloc  Hot Spare
        c0t1d0s5   0            No     Okay   Yes

Notice that the status of d12, the first submirror, is Okay, and that the second submirror, d22, is currently Resyncing and is 27% complete. The mirror is now ready for use as a file system.

5. Create a UFS file system on the mirrored device:

# newfs /dev/md/rdsk/d2<cr>
newfs: construct a new file system /dev/md/rdsk/d2: (y/n)? y
Warning: 4016 sector(s) in last cylinder unallocated
/dev/md/rdsk/d2: 4194304 sectors in 1029 cylinders of 16 tracks,\
255 sectors
2048.0MB in 45 cyl groups (23 c/g, 45.82MB/g, 11264 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
32, 94128, 188224, 282320, 376416, 470512, 564608, 658704, 752800, 846896,
3285200, 3379296, 3473392, 3567488, 3661584, 3755680, 3849776, 3943872,
4037968, 4132064,

Note that it is the d2 metadevice that has the file system created on it.

CAUTION
It is not recommended that you create a mirror device and specify both submirrors on the command line. Even though this would work, no resynchronization will occur between the two submirrors, which could lead to data corruption.

6. Run fsck on the newly created file system before attempting to mount it. This step is not absolutely necessary, but is good practice because it verifies the state of a file system before it is mounted for the first time:

# fsck /dev/md/rdsk/d2<cr>
** /dev/md/rdsk/d2
** Last Mounted on
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
2 files, 9 used, 2033046 free (14 frags, 254129 blocks, 0.0% fragmentation)

The file system can now be mounted in the normal way. Remember to edit /etc/vfstab to make the mount permanent. Remember to use the md device; for this example, we’ll mount the file system on /mnt.

# mount /dev/md/dsk/d2 /mnt<cr>
#

Unmirroring a Noncritical File System

This section details the procedure for removing a mirror on a file system that can be removed and remounted without having to reboot the system. The metadetach command is used to detach submirrors from a mirror. When the submirror is detached, it is no longer part of the mirrored volume. You cannot detach the only existing submirror from a mirrored volume. The syntax for the metadetach command is as follows:

/sbin/metadetach <mirror> <metadevice>

where:

. <mirror>: Specifies the name of the mirrored volume that the submirror is being detached from.

. <metadevice>: Specifies the name of the submirror that will be detached from the mirrored volume.

Step By Step 3.4 shows how to detach a submirror and then remove the mirrored volume. This example uses a file system, /test, that is currently mirrored using the metadevice, d2, a mirror that consists of submirrors d12 and d22. To start, /test will be unmounted. Then I will use metadetach to break the submirror d12 (c0t0d0s5) away from the mirrored volume. I’ll use metaclear to remove the mirrored volume and remaining submirror, d22. Finally, I’ll mount /dev/dsk/c0t0d0s5 onto the /test mountpoint in a nonmirrored environment.

STEP BY STEP
3.4 Unmirror a Noncritical File System

1. Unmount the /test file system:

# umount /test<cr>

2. Detach the submirror, d12, that will be used as a UFS file system:

# metadetach d2 d12<cr>
d2: submirror d12 is detached

3. Delete the mirror (d2) and the remaining submirror (d22):

# metaclear -r d2<cr>
d2: Mirror is cleared
d22: Concat/Stripe is cleared

At this point, the file system is no longer mirrored. It is worth noting that the metadevice, d12, still exists and can be used as the device to mount the file system. Alternatively, the full device name, /dev/dsk/c0t0d0s5, can be used if you do not want the disk device to support a volume. For this example, we will mount the full device name (as you would a normal UFS file system), so we will delete the d12 metadevice first.

4. Delete the d12 metadevice:

# metaclear d12<cr>
d12: Concat/Stripe is cleared

5. Edit /etc/vfstab to change this entry:

/dev/md/dsk/d2 /dev/md/rdsk/d2 /test ufs 2 yes -

to this:

/dev/dsk/c0t0d0s5 /dev/rdsk/c0t0d0s5 /test ufs 2 yes -

6. Remount the /test file system:

# mount /test<cr>
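The /etc/vfstab change in step 5, as an added example that is not from the book: a shell function that rewrites only the entry for one mount point and fails if that entry is not on a metadevice. The function name vfstab_unmirror and the sample file content are constructed for illustration; on Solaris 10, substitute nawk for awk, because the legacy /usr/bin/awk has no -v option.

```shell
#!/bin/sh
# Added example (not from the book). vfstab_unmirror reads vfstab text on
# stdin and writes it to stdout with the entry for one mount point moved
# from an SVM metadevice to a physical slice. Every other line is untouched.
#   $1  mount point, e.g. /test
#   $2  slice name,  e.g. c0t0d0s5
# Exit status is 1 if the mount point is missing or is not on /dev/md/dsk.
vfstab_unmirror() {
    awk -v mp="$1" -v slice="$2" '
        BEGIN { OFS = "\t" }
        /^[ \t]*#/ || NF == 0 { print; next }   # comments and blank lines
        $3 == mp {
            if ($1 ~ /^\/dev\/md\/dsk\//) {
                $1 = "/dev/dsk/" slice           # device to mount
                $2 = "/dev/rdsk/" slice          # device to fsck
                found = 1
            } else {
                print "vfstab_unmirror: " mp " is not on a metadevice" | "cat 1>&2"
                bad = 1
            }
        }
        { print }
        END { exit ((bad || !found) ? 1 : 0) }
    '
}

# Constructed sample: the /test entry is the one shown in step 5.
SAMPLE_VFSTAB='#device device mount FS fsck mount mount
/dev/md/dsk/d20 - - swap - no -
/dev/md/dsk/d2 /dev/md/rdsk/d2 /test ufs 2 yes -'

# Typical use: write to a new file, review the diff, then install it.
#   cp /etc/vfstab /etc/vfstab.nosvm
#   vfstab_unmirror /test c0t0d0s5 < /etc/vfstab > /tmp/vfstab.new &&
#       diff /etc/vfstab /tmp/vfstab.new
printf '%s\n' "$SAMPLE_VFSTAB" | vfstab_unmirror /test c0t0d0s5
```

The rewritten entry is tab-separated; the comment line and the swap entry pass through unchanged.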

Placing a Submirror Offline

Taking a submirror offline is preferred to detaching a submirror when you simply want to take a submirror offline temporarily, such as to perform a backup. Use the metaoffline command to take a submirror offline. The metaoffline command differs from the metadetach command in that it does not sever the logical association between the submirror and the mirror. A submirror that has been taken offline remains offline until the metaonline command is invoked or the system is rebooted.

In Step By Step 3.5, I have a mirrored volume named d10. I’ll offline the d12 submirror so that I can back up the submirror. This allows me to back up a read-only image of the data on d10 without backing up a live file system. While I run the backup, read/write operations can still take place on d10, but the mirror is inactive. Data will be out of sync on d12 as soon as data is written to d10.

STEP BY STEP
3.5 Offlining a Submirror

1. Use the metastat command to view the current SVM configuration. The system has a file system named /data that has been created on a mirrored volume named d10. The d10 mirror has two submirrors, d11 and d12:

# metastat -c<cr>
d10 m 2.0GB d11 d12
    d11 s 2.0GB c2t0d0s6
    d12 s 2.0GB c2t1d0s6

2. Take the d12 submirror (c2t1d0s6) offline using the metaoffline command:

# metaoffline d10 d12<cr>
d10: submirror d12 is offlined

A second metastat shows the status as offline:

# metastat -c<cr>
d10 m 2.0GB d11 d12 (offline)
    d11 s 2.0GB c2t0d0s6
    d12 s 2.0GB c2t1d0s6

The /data file system continues to run, and users can read/write to that file system. However, as soon as a write is made to /data, the mirror is out of sync. The writes to d10 are tracked in a dirty region log so that d12 can be resynchronized when it is brought back online with the metaonline command.

3. Mount the offlined submirror (d12) onto a temporary mount point so that you can back up the data on the submirror:

# mkdir /bkup<cr>
# mount -o ro /dev/md/dsk/d12 /bkup<cr>

You can only mount the d12 submirror as read-only. A read-only image of the data (at the time the submirror was offlined) exists in the /bkup file system.

Now you can back up the /bkup file system safely with ufsdump, tar, or cpio.

4. When the backup is complete, umount the submirror, and bring the submirror back online:

# cd /<cr>
# umount /bkup<cr>
# metaonline d10 d12<cr>
d10: submirror d12 is onlined

When the metaonline command is used, read/write operations to the d12 submirror resume. A resync is automatically invoked to resync the regions written while the submirror was offline. Writes are directed to the d12 submirror during resync. Reads, however, come from submirror d11 until d12 is back in sync. When the resync operation completes, reads and writes are performed on submirror d12. The metaonline command is effective only on a submirror of a mirror that has been taken offline.
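A check for the state that Step By Step 3.5 can leave behind, as an added example that is not from the book: it parses metastat -c output and lists submirrors that carry a parenthesized flag such as (offline), so a backup job can confirm that metaonline was run. The function names are hypothetical, the sample text is constructed from the listings in the Step By Step, and treating any parenthesized token as a flag is an assumption that goes beyond the single (offline) case shown there.

```shell
#!/bin/sh
# Added example (not from the book). Reads `metastat -c` output on stdin
# and prints one line per flagged submirror: "<mirror> <submirror> <flag>".
flagged_submirrors() {
    awk '
        # A mirror line has type "m" in the second column, for example:
        #   d10 m 2.0GB d11 d12 (offline)
        $2 == "m" {
            mirror = $1
            last = ""
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^\(.*\)$/) {
                    # The flag belongs to the submirror named just before it.
                    flag = substr($i, 2, length($i) - 2)
                    if (last != "") print mirror, last, flag
                } else {
                    last = $i
                }
            }
        }
    '
}

# Exit status 0 when no submirror is flagged, 1 otherwise, so the function
# can gate the last step of a backup script or a cron check:
#   metastat -c | mirrors_healthy || echo "submirror not online" >&2
mirrors_healthy() {
    [ -z "$(flagged_submirrors)" ]
}

# Constructed samples, copied from the two listings in Step By Step 3.5.
SAMPLE_BEFORE='d10 m 2.0GB d11 d12
    d11 s 2.0GB c2t0d0s6
    d12 s 2.0GB c2t1d0s6'

SAMPLE_OFFLINE='d10 m 2.0GB d11 d12 (offline)
    d11 s 2.0GB c2t0d0s6
    d12 s 2.0GB c2t1d0s6'

printf '%s\n' "$SAMPLE_OFFLINE" | flagged_submirrors
```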

Mirroring the Root File System on a SPARC-Based System

In this section we will create another mirror, but this time it will be the root file system on a SPARC-based system. This is different from Step By Step 3.3 because we are mirroring an existing file system that cannot be unmounted. We can’t do this while the file system is mounted, so we’ll configure the metadevice and a reboot will be necessary to implement the logical volume and to update the system configuration file. The objective is to create a two-way mirror of the root file system, currently residing on /dev/dsk/c0t0d0s0. We will use a spare disk slice of the same size, /dev/dsk/c0t1d0s0, for the second submirror. The mirror will be named d10, and the submirrors will be d11 and d12. Additionally, because this is the root (/) file system, we’ll also configure the second submirror as an alternate boot device, so that this second slice can be used to boot the system if the primary slice becomes unavailable. Step By Step 3.6 shows the procedure to follow for mirroring the boot disk on a SPARC-based system:

STEP BY STEP
3.6 Mirror the Boot Disk on a SPARC-Based System

NOTE
The system that we are mirroring in this Step By Step has a single hard partition for / (root) and a second hard partition for swap. Everything (/var, /opt, /usr, and /export/home) is in the / (root) file system on a single slice. This is the scenario that you will likely see on the certification exam. However, if you have a separate partition for /var and/or /export/home, this procedure must be modified accordingly. If your system has separate disk partitions for /var and/or /export/home, you may want to review Step By Step 3.7, which describes how to mirror a boot disk on an x86-based system that has a separate / (root), /var, and /export/home file system.

1. Verify that the current root file system is mounted from /dev/dsk/c0t0d0s0:

# df -h /<cr>
Filesystem             size   used  avail capacity  Mounted on
/dev/dsk/c0t0d0s0      4.9G   3.7G   1.2G    77%    /

2. Create the state database replicas, specifying the disk slices c0t0d0s4 and c0t1d0s4. We will create two replicas on each slice.

# metadb -a -f -c2 c0t0d0s4 c0t1d0s4<cr>

3. Create the two submirrors for the / (root) file system, d11 and d12:

# metainit -f d11 1 1 c0t0d0s0<cr>
d11: Concat/Stripe is setup
# metainit d12 1 1 c0t1d0s0<cr>
d12: Concat/Stripe is setup

Note that the -f option was used in the first metainit command. This is the option to force the execution of the command, because we are creating a metadevice on an existing, mounted file system. The -f option was not necessary in the second metainit command because the slice is currently unused.

4. Create the two submirrors for swap, d21 and d22:

# metainit d21 1 1 c0t0d0s3<cr>
d21: Concat/Stripe is setup
# metainit d22 1 1 c0t1d0s3<cr>
d22: Concat/Stripe is setup

5. Create a one-way mirror for / (root), d10, specifying d11 as the submirror to attach:

# metainit d10 -m d11<cr>
d10: Mirror is setup

6. Create a one-way mirror for swap, d20, specifying d21 as the submirror to attach:

# metainit d20 -m d21<cr>
d20: Mirror is setup

7. Set up the system files to support the new metadevice, after taking a backup copy of the files that will be affected. It is a good idea to name the copies with a relevant extension, so that they can be easily identified if you later have to revert to the original files because of problems. We will use the .nosvm extension in this Step By Step.

# cp /etc/system /etc/system.nosvm<cr>
# cp /etc/vfstab /etc/vfstab.nosvm<cr>
# metaroot d10<cr>

The metaroot command has added the following lines to the system configuration file, /etc/system, to allow the system to boot with the / file system residing on a logical volume. This command is only necessary for the root device.

* Begin MDD root info (do not edit)
rootdev:/pseudo/md@0:0,0,blk
* End MDD root info (do not edit)

It has also modified the /etc/vfstab entry for the / file system. It now reflects the metadevice to use to mount the file system at boot time:

/dev/md/dsk/d10 /dev/md/rdsk/d10 / ufs 1 no -

You also need to modify swap in the /etc/vfstab file:

/dev/md/dsk/d20 - - swap - no -

8. Synchronize file systems prior to rebooting the system:

# lockfs -fa<cr>

The lockfs command is used to flush all buffers so that when the system is rebooted, the file systems are all up to date. This step is not compulsory, but is good practice.

9. Reboot the system:

# init 6<cr>

10. Verify that the root file system is now being mounted from the metadevice /dev/md/dsk/d10:

# df -h /<cr>
Filesystem             size   used  avail capacity  Mounted on
/dev/md/dsk/d10        4.9G   3.7G   1.2G    77%    /

11. Attach the second submirror for / (root) and verify that a resynchronization operation is carried out:

# metattach d10 d12<cr>
d10: Submirror d12 is attached

Verify the new metadevice:

# metastat -q d10<cr>
d10: Mirror
    Submirror 0: d11
      State: Okay
    Submirror 1: d12
      State: Resyncing
    Resync in progress: 62 % done
    Pass: 1
    Read option: roundrobin (default)
    Write option: parallel (default)
    Size: 10462032 blocks (5.0 GB)

d11: Submirror of d10
    State: Okay
    Size: 10462032 blocks (5.0 GB)
    Stripe 0:
        Device     Start Block  Dbase  State  Reloc  Hot Spare
        c0t0d0s0   0            No     Okay   Yes

d12: Submirror of d10
    State: Resyncing
    Size: 10462032 blocks (5.0 GB)
    Stripe 0:
        Device     Start Block  Dbase  State  Reloc  Hot Spare
        c0t1d0s0   0            No     Okay   Yes

12. Attach the second submirror for swap:

# metattach d20 d22<cr>
d20: Submirror d22 is attached

13. Install a boot block on the second submirror to make this slice bootable. This step is necessary because it is the root (/) file system that is being mirrored.

# installboot /usr/platform/`uname -i`/lib/fs/ufs/bootblk /dev/rdsk/c0t1d0s0<cr>
#

The uname -i command substitutes the system’s platform name.

14. Identify the physical device name of the secondary submirror. This is required to assign an OpenBoot alias for a backup boot device.

# ls -l /dev/dsk/c0t1d0s0<cr>
lrwxrwxrwx 1 root root 46 Mar 12 2008 /dev/dsk/c0t1d0s0 ->\
../../devices/pci@1f,0/pci@1,1/ide@3/dad@1,0:a
#

Record the address starting with /pci... and change the dad string to disk. In this case, this leaves you with /pci@1f,0/pci@1,1/ide@3/disk@1,0:a.

15. The dump device currently points to the physical device, so you need to change the dump device to reflect the metadevice:

# dumpadm -s /var/crash/`hostname` -d /dev/md/dsk/d20<cr>

The system responds with the following:

Dump content: kernel pages
Dump device: /dev/md/dsk/d20 (swap)
Savecore directory: /var/crash/train10
Savecore enabled: yes

16. For this step you need to be at the ok prompt, so enter init 0 to shut down the system:

# init 0<cr>
# svc.startd: The system is coming down. Please wait.
svc.startd: 74 system services are now being stopped.
[ output truncated ]
ok

Enter the nvalias command to create an alias named backup-root, which points to the address recorded in step 14:

ok nvalias backup-root /pci@1f,0/pci@1,1/ide@3/disk@1,0:a<cr>

Inspect the current setting of the boot-device variable and add the name backup-root as the secondary boot path, so that this device is used before going to the network. When this has been done, enter the nvstore command to save the alias created:

ok printenv boot-device<cr>
boot-device = disk net
ok setenv boot-device disk backup-root net<cr>
boot-device = disk backup-root net
ok nvstore<cr>

17. Boot the system from the secondary submirror to prove that it works. This can be done manually from the ok prompt:

ok boot backup-root<cr>
Resetting ...
[... output truncated]

Rebooting with command: boot backup-root
Boot device: /pci@1f,0/pci@1,1/ide@3/disk@1,0 File and args:
SunOS Release 5.10 Version Generic 64-bit
Copyright 1983-2008 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
[.. output truncated]
<hostname> console login:
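The hand edits in steps 14 and 16 (turning the /devices link target into an OpenBoot path and placing the alias ahead of net) are easy to get wrong at the ok prompt, so here they are as an added example that is not from the book. The function names are hypothetical and the sample values are constructed from the listings in those steps; only the dad-to-disk rename the text describes is applied.

```shell
#!/bin/sh
# Added example (not from the book): derive the ok-prompt commands of
# steps 14 and 16 from values read on the running system.

# Convert a /dev/dsk symlink target into the device path used by nvalias.
#   $1  symlink target, e.g. the last field of `ls -l /dev/dsk/c0t1d0s0`
# Only the dad -> disk rename described in step 14 is applied; any other
# driver name in the last path component is left as it is.
obp_path() {
    case "$1" in
        */devices/*) ;;
        *) echo "obp_path: no /devices component in: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$1" |
        sed -e 's|^.*/devices/|/|' -e 's|/dad@\([^/]*\)$|/disk@\1|'
}

# Insert an alias into a boot-device list just ahead of "net", so the
# alias is tried before a network boot. Appends if "net" is not listed.
#   $1  current boot-device value, e.g. "disk net"
#   $2  alias name, e.g. backup-root
boot_device_with_alias() {
    out=""
    added=no
    for dev in $1; do
        if [ "$dev" = "$2" ]; then
            continue                    # drop an existing copy of the alias
        fi
        if [ "$dev" = net ] && [ "$added" = no ]; then
            out="$out $2"
            added=yes
        fi
        out="$out $dev"
    done
    if [ "$added" = no ]; then
        out="$out $2"
    fi
    printf '%s\n' "${out# }"
}

# Print the three commands to type at the ok prompt.
#   $1 alias name, $2 symlink target, $3 current boot-device value
ok_prompt_commands() {
    path=$(obp_path "$2") || return 1
    printf 'nvalias %s %s\n' "$1" "$path"
    printf 'setenv boot-device %s\n' "$(boot_device_with_alias "$3" "$1")"
    printf 'nvstore\n'
}

# Constructed sample values, taken from the listings in steps 14 and 16.
SAMPLE_TARGET='../../devices/pci@1f,0/pci@1,1/ide@3/dad@1,0:a'
SAMPLE_BOOT_DEVICE='disk net'

ok_prompt_commands backup-root "$SAMPLE_TARGET" "$SAMPLE_BOOT_DEVICE"
```

Run it before init 0 and note the three lines it prints; they match the commands entered in step 16.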

Mirroring the Root File System on an x86-BasedSystemIn this section I will describe how to create a mirror of the boot disk on an x86/x64-based sys-tem. The process is similar to mirroring the boot disk on a SPARC-based system, as describedearlier, with the following exceptions:

. Disk device names are different on the x86/x64 platform.

. Run fdisk on a new disk before it is partitioned.

. Execute the installgrub command to install the stage1 and stage2 programs.

. Modify the menu.lst file to set up the alternate boot device.

Chapter 3: Managing Storage Volumes

07_0789738171_03.qxd 4/13/09 7:38 PM Page 166

Page 183: Oracle Solaris 10 Exam 2 Reference Book

Solaris Volume Manager (SVM)167

The x86 system that will be used in the Step By Step is configured as follows:

. Solaris 10 is currently installed on c0d0.

. / (root) is on slice 0.

. /var is on slice 1.

. swap is on slice 3.

. /export/home is on slice 7.

. The alternate boot disk that will be used for the secondary submirror is c0d1.

. Slice 5 is available and will be used to store the state database replicas.

. The format command was used to partition c1d0 exactly like c0d0. Another option is to use the fmthard command to copy the label from c0d0 to c1d0:

# prtvtoc /dev/rdsk/c0d0s2 | fmthard -s - /dev/rdsk/c1d0s2<cr>

Step By Step 3.7 shows the procedure to follow for mirroring the boot disk on an x86/x64-based system.

STEP BY STEP

3.7 Mirror the root File System on an x86/x64-Based System

1. Verify that the current root file system is mounted from /dev/dsk/c0d0s0:

# df -h /<cr>
Filesystem             size   used  avail capacity  Mounted on
/dev/dsk/c0d0s0        4.3G   3.1G   1.1G    74%    /

2. Create the state database replicas on slice 5.

The boot disk does not have an empty partition, so I’ll create one using the format command. I’ll define slice 5 to start at cylinder 3531, and I’ll make it 20MB.

Now, I’ll create two state databases on c0d0s5 and c1d0s5:

# metadb -a -f -c2 c0d0s5 c1d0s5<cr>

Verify the database replicas as follows:

# metadb -i<cr>
        flags           first blk       block count
     a        u         16              8192            /dev/dsk/c0d0s5
     a        u         8208            8192            /dev/dsk/c0d0s5
     a        u         16              8192            /dev/dsk/c1d0s5
     a        u         8208            8192            /dev/dsk/c1d0s5


3. Create the primary submirrors on c0d0 for /, /var, swap, and /export/home. These are RAID 0 simple volumes.

a. Create the primary submirror for / (root):

# metainit -f d11 1 1 c0d0s0<cr>
d11: Concat/Stripe is setup

b. Create the primary submirror for /var:

# metainit -f d21 1 1 c0d0s1<cr>
d21: Concat/Stripe is setup

c. Create the primary submirror for swap:

# metainit -f d31 1 1 c0d0s3<cr>
d31: Concat/Stripe is setup

d. Create the primary submirror for /export/home:

# metainit -f d41 1 1 c0d0s7<cr>
d41: Concat/Stripe is setup

4. Create the secondary submirrors on c1d0 for /, /var, swap, and /export/home. These are also RAID 0 simple volumes.

a. Create the secondary submirror for / (root):

# metainit d12 1 1 c1d0s0<cr>
d12: Concat/Stripe is setup

b. Create the secondary submirror for /var:

# metainit d22 1 1 c1d0s1<cr>
d22: Concat/Stripe is setup

c. Create the secondary submirror for swap:

# metainit d32 1 1 c1d0s3<cr>
d32: Concat/Stripe is setup

d. Create the secondary submirror for /export/home:

# metainit d42 1 1 c1d0s7<cr>
d42: Concat/Stripe is setup

5. Create a RAID 1 volume (a one-way mirror) for each file system on c0d0, specifying the primary submirror as the source. The volume names for the RAID 1 mirrors will be as follows:

d10: / (root)

d20: /var

d30: swap


d40: /export/home

a. Create the RAID 1 volume for /:

# metainit d10 -m d11<cr>
d10: Mirror is setup

b. Create the RAID 1 volume for /var:

# metainit d20 -m d21<cr>
d20: Mirror is setup

c. Create the RAID 1 volume for swap:

# metainit d30 -m d31<cr>
d30: Mirror is setup

d. Create the RAID 1 volume for /export/home:

# metainit d40 -m d41<cr>
d40: Mirror is setup

NOTE

Why mirror swap? If we want to survive the loss of a submirror, we need to have swap mirrored just like any other file system. Also, swap will point to d30 and not a physical device. That way, if a drive fails, we can still boot to the alternate disk, and swap will point to the available submirror, whichever that good submirror may be at that time.

6. Set up the system files to support the new metadevice, after taking a backup copy of the files that will be affected. It is a good idea to name the copies with a relevant extension so that they can be easily identified if problems are encountered and you later have to revert to the original files. We will use the .nosvm extension in this Step By Step.

# cp /etc/system /etc/system.nosvm<cr>
# cp /etc/vfstab /etc/vfstab.nosvm<cr>
# metaroot d10<cr>

The metaroot command has added the following lines to the system configuration file, /etc/system, to allow the system to boot with the / file system residing on a logical volume. This command is only necessary for the root device.

* Begin MDD root info (do not edit)
rootdev:/pseudo/md@0:0,0,blk
* End MDD root info (do not edit)

It has also modified the /etc/vfstab entry for the / file system. The /etc/vfstab file now reflects the metadevice to use to mount the file system at boot time:

/dev/md/dsk/d0 /dev/md/rdsk/d0 / ufs 1 no -


If you look at the /etc/vfstab file, it now looks like this:

# more /etc/vfstab<cr>
#device           device            mount         FS     fsck  mount    mount
#to mount         to fsck           point         type   pass  at boot  options
#
fd                -                 /dev/fd       fd     -     no       -
/proc             -                 /proc         proc   -     no       -
/dev/dsk/c0d0s3   -                 -             swap   -     no       -
/dev/md/dsk/d10   /dev/md/rdsk/d10  /             ufs    1     no       -
/dev/dsk/c0d0s1   /dev/rdsk/c0d0s1  /var          ufs    1     no       -
/dev/dsk/c0d0s7   /dev/rdsk/c0d0s7  /export/home  ufs    2     yes      -
/devices          -                 /devices      devfs  -     no       -
ctfs              -                 /system/contract ctfs -    no       -
objfs             -                 /system/object objfs -     no       -
swap              -                 /tmp          tmpfs  -     yes      -

You still need to make additional modifications to the /etc/vfstab file for the /var, swap, and /export/home file systems:

#device           device            mount         FS     fsck  mount    mount
#to mount         to fsck           point         type   pass  at boot  options
#
fd                -                 /dev/fd       fd     -     no       -
/proc             -                 /proc         proc   -     no       -
/dev/md/dsk/d30   -                 -             swap   -     no       -
/dev/md/dsk/d10   /dev/md/rdsk/d10  /             ufs    1     no       -
/dev/md/dsk/d20   /dev/md/rdsk/d20  /var          ufs    1     no       -
/dev/md/dsk/d40   /dev/md/rdsk/d40  /export/home  ufs    2     yes      -
/devices          -                 /devices      devfs  -     no       -
ctfs              -                 /system/contract ctfs -    no       -
objfs             -                 /system/object objfs -     no       -
swap              -                 /tmp          tmpfs  -     yes      -

7. The dump device currently points to the physical device, so you need to change the dump device to reflect the metadevice:

# dumpadm -s /var/crash/`hostname` -d /dev/md/dsk/d30<cr>

The system responds with this:

Dump content: kernel pages
Dump device: /dev/md/dsk/d30 (swap)
Savecore directory: /var/crash/train10
Savecore enabled: yes

8. Synchronize file systems before rebooting the system:

# lockfs -fa<cr>


The lockfs command is used to flush all buffers so that when the system is rebooted, the file systems are all up to date. This step is not compulsory, but is good practice.

9. Reboot the system:

# init 6<cr>

10. Verify that the file systems are now being mounted from the metadevices:

# df -h<cr>
Filesystem             size   used  avail capacity  Mounted on
/dev/md/dsk/d10        4.3G   3.1G   1.1G    74%    /
/devices                 0K     0K     0K     0%    /devices
ctfs                     0K     0K     0K     0%    /system/contract
proc                     0K     0K     0K     0%    /proc
mnttab                   0K     0K     0K     0%    /etc/mnttab
swap                   702M   908K   701M     1%    /etc/svc/volatile
objfs                    0K     0K     0K     0%    /system/object
/usr/lib/libc/libc_hwcap1.so.1
                       4.3G   3.1G   1.1G    74%    /lib/libc.so.1
fd                       0K     0K     0K     0%    /dev/fd
/dev/md/dsk/d20        940M    72M   812M     9%    /var
swap                   701M    80K   701M     1%    /tmp
swap                   701M    28K   701M     1%    /var/run
/dev/md/dsk/d40        940M   111M   773M    13%    /export/home

Notice that / is mounted on metadevice d10, /var is mounted on d20, and /export/home is mounted on d40.

Now check swap:

# swap -l<cr>
swapfile             dev  swaplo blocks   free
/dev/md/dsk/d30     85,30      8 1208312 1208312

11. Attach the secondary submirrors on c1d0 using metattach:

# metattach d10 d12<cr>
d10: submirror d12 is attached
# metattach d20 d22<cr>
d20: submirror d22 is attached
# metattach d30 d32<cr>
d30: submirror d32 is attached
# metattach d40 d42<cr>
d40: submirror d42 is attached

Verify that a resynchronization operation is carried out:

# metastat -c<cr>
d40              m  2.0GB d41 d42 (resync-0%)
    d41          s  2.0GB c0d0s7
    d42          s  2.0GB c1d0s7
d30              m  590MB d31 d32 (resync-85%)
    d31          s  590MB c0d0s3
    d32          s  590MB c1d0s3
d20              m  1.0GB d21 d22 (resync-65%)
    d21          s  1.0GB c0d0s1
    d22          s  1.0GB c1d0s1
d10              m  4.4GB d11 d12 (resync-15%)
    d11          s  4.4GB c0d0s0
    d12          s  4.4GB c1d0s0

Notice that the secondary submirrors are being synchronized.

12. Use the installgrub command to install the stage1 and stage2 programs onto the Solaris fdisk partition of the secondary disk drive:

# installgrub /boot/grub/stage1 /boot/grub/stage2 /dev/rdsk/c1d0s0<cr>

The system responds with this:

stage1 written to partition 0 sector 0 (abs 4096)
stage2 written to partition 0, 233 sectors starting at 50 (abs 4146)

13. You need to configure your system to boot from the secondary submirror if the primary submirror fails. The secondary submirror will be the alternate boot device.

You need to define the alternate boot path in the /boot/grub/menu.lst GRUB configuration file. Currently, the menu.lst file is configured to boot from the master IDE drive connected to the primary IDE controller (hd0,0,a):

#---------- ADDED BY BOOTADM - DO NOT EDIT ----------
title Solaris 10 5/08 s10x_u5wos_10 X86
kernel /platform/i86pc/multiboot
module /platform/i86pc/boot_archive

I’ll add a new entry to the menu.lst file to allow booting from the alternate boot device, c1d0. This will be the master IDE drive that is connected to the secondary IDE controller; it is referred to as hd1,0,a. The entry to boot from the alternate disk will be added to the end of the /boot/grub/menu.lst file and is as follows:

#---------------------END BOOTADM--------------------
title Solaris 10 5/08 s10x_u5wos_10 X86 (Alternate Boot Path)
root (hd1,0,a)
kernel /platform/i86pc/multiboot
module /platform/i86pc//boot_archive

14. After the submirrors have finished synchronizing, restart the system. At the GRUB menu, select the entry titled “Solaris 10 5/08 s10x_u5wos_10 X86 (Alternate Boot Path),” and make sure that the system boots from the alternate boot device for verification.
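The two things most easily missed in Step By Step 3.7 are a vfstab entry left on a physical slice (step 6) and a test boot attempted before the resync has finished (steps 11 and 14). The following added example, which is not from the book, checks for both. Its sample inputs are constructed in the layout of the listings above, and it assumes that a mirror line in metastat -c output with no parenthesised state is fully synchronized.

```shell
#!/bin/sh
# Added example (not from the book): audit a system after Step By Step 3.7.
# On a live system, feed the functions real data instead of the samples:
#   vfstab_physical_entries < /etc/vfstab
#   metastat -c | mirrors_not_ready

# Constructed sample: only / was converted by metaroot, and the
# /export/home line carries a mistyped raw device (d41 instead of d40).
sample_vfstab() {
cat <<'EOF'
#device           device            mount         FS     fsck  mount    mount
#to mount         to fsck           point         type   pass  at boot  options
#
fd                -                 /dev/fd       fd     -     no       -
/dev/dsk/c0d0s3   -                 -             swap   -     no       -
/dev/md/dsk/d10   /dev/md/rdsk/d10  /             ufs    1     no       -
/dev/dsk/c0d0s1   /dev/rdsk/c0d0s1  /var          ufs    1     no       -
/dev/md/dsk/d40   /dev/md/rdsk/d41  /export/home  ufs    2     yes      -
swap              -                 /tmp          tmpfs  -     yes      -
EOF
}

# Constructed sample: d40 and d10 still resyncing, d30 in sync,
# d20 never had its second submirror attached.
sample_metastat() {
cat <<'EOF'
d40              m  2.0GB d41 d42 (resync-0%)
    d41          s  2.0GB c0d0s7
    d42          s  2.0GB c1d0s7
d30              m  590MB d31 d32
    d31          s  590MB c0d0s3
    d32          s  590MB c1d0s3
d20              m  1.0GB d21
    d21          s  1.0GB c0d0s1
d10              m  4.4GB d11 d12 (resync-15%)
    d11          s  4.4GB c0d0s0
    d12          s  4.4GB c1d0s0
EOF
}

# Print one line per vfstab entry that would defeat the mirror:
#   physical <mount> <device>        still mounted from a plain disk slice
#   mismatch <mount> <device> <raw>  block and raw metadevice differ
vfstab_physical_entries() {
    while read -r dev rdev mnt fstype rest; do
        case $dev in
            /dev/dsk/*)
                # swap has "-" as its mount point; label it by type instead
                if [ "$fstype" = "swap" ]; then mnt=swap; fi
                echo "physical $mnt $dev" ;;
            /dev/md/dsk/*)
                want=/dev/md/rdsk/${dev##*/}
                if [ "$rdev" != "-" ] && [ "$rdev" != "$want" ]; then
                    echo "mismatch $mnt $dev $rdev"
                fi ;;
        esac
    done
    return 0
}

# Print one line per mirror that cannot yet survive the loss of a disk:
# either it has fewer than two submirrors or it reports a state in
# parentheses, such as (resync-15%).
mirrors_not_ready() {
    while read -r name kind size rest; do
        [ "$kind" = "m" ] || continue
        subs=0
        state=""
        for field in $rest; do
            case $field in
                "("*) state=$field ;;
                *)    subs=$((subs + 1)) ;;
            esac
        done
        if [ "$subs" -lt 2 ]; then
            echo "$name one-way"
        elif [ -n "$state" ]; then
            echo "$name $state"
        fi
    done
    return 0
}

echo "vfstab findings:"
sample_vfstab | vfstab_physical_entries
echo "mirror findings:"
sample_metastat | mirrors_not_ready
```

Empty output from both functions means every file system in vfstab is on a metadevice and every mirror has two synchronized submirrors, which is the state step 14 expects before the alternate boot path is tested.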


Unmirroring the Root File System

Unlike Step By Step 3.4, where a file system was unmirrored and remounted without affecting the operation of the system, unmirroring a root file system is different because it cannot be unmounted while the system is running. In this case, it is necessary to perform a reboot to implement the change. Step By Step 3.8 shows how to unmirror the root file system that was successfully mirrored in Step By Step 3.6. This example comprises a mirror of / (root), d10, consisting of two submirrors, d11 and d12. There is also a mirror of swap, d20, consisting of submirrors d21 and d22. The objective is to remount the / file system using its full disk device name, /dev/dsk/c0t0d0s0, instead of using /dev/md/dsk/d10 and remount swap on /dev/dsk/c0t0d0s3.

In this next scenario, the boot disk has two partitions: slice 0 is used for / (root), and slice 3 is used for swap. The primary submirror is on c0t0d0, and the secondary submirror is on c1t0d0. When the file systems have been unmirrored, c1t0d0 will be unused. If your boot disk has separate file systems for /var and/or /export/home, you need to modify this procedure to also unmirror those additional file systems.

STEP BY STEP

3.8 Unmirror the Boot Disk

1. Verify that the current root file system is mounted from the metadevice /dev/md/dsk/d10:

# df -h /<cr>
Filesystem             size   used  avail capacity  Mounted on
/dev/md/dsk/d10        4.9G   3.7G   1.2G    77%    /

2. Detach the submirror that is to be used as the / file system:

# metadetach d10 d11<cr>
d10: Submirror d11 is detached

3. Set up the /etc/system file and /etc/vfstab to revert to the full disk device name, /dev/dsk/c0t0d0s0. If you created backup copies of the /etc/vfstab and /etc/system files before setting up the mirror, you could simply move those backup files back into place. If you don’t have backup copies, issue the following command:

# metaroot /dev/dsk/c0t0d0s0<cr>

Notice that the entry that was added to /etc/system when the file system was mirrored has been removed, and that the /etc/vfstab entry for / has reverted to /dev/dsk/c0t0d0s0. You still need to manually edit the /etc/vfstab file to revert the swap entry to /dev/dsk/c0t0d0s3.

a. Detach the submirror that is being used as swap:

# metadetach d20 d21<cr>
d20: Submirror d21 is detached


b. Remove the submirror named d21 as follows:

# metaclear d21<cr>

c. Change the dump device to the physical slice c0t0d0s3:

# dumpadm -s /var/crash/`hostname` -d /dev/dsk/c0t0d0s3<cr>

4. Reboot the system to make the change take effect:

# init 6<cr>

5. Verify that the root file system is now being mounted from the full disk device, /dev/dsk/c0t0d0s0:

# df -h /<cr>
Filesystem             size   used  avail capacity  Mounted on
/dev/dsk/c0t0d0s0      4.9G   3.7G   1.2G    77%    /

6. Remove the mirror d10, and its remaining submirrors, d11 and d12:

# metaclear -r d10<cr>
d10: Mirror is cleared
d11: Concat/Stripe is cleared
d12: Concat/Stripe is cleared

Remove the mirror d20, and its remaining submirrors:

# metaclear -r d20<cr>
d20: Mirror is cleared
d22: Concat/Stripe is cleared

Troubleshooting Root File System Mirrors

Occasionally, a root mirror fails and recovery action has to be taken. Often, only one side of the mirror fails, in which case it can be detached using the metadetach command. You then replace the faulty disk and reattach it. Sometimes, though, a more serious problem occurs, prohibiting you from booting the system with SVM present. In this case, you have two options. First, temporarily remove the SVM configuration so that you boot from the original c0t0d0s0 device. Second, you can boot from a CD-ROM and recover the root file system manually by carrying out an fsck.

To disable SVM, you must reinstate pre-SVM copies of the files /etc/system and /etc/vfstab. In Step By Step 3.6 we took a copy of these files (step 7). This is good practice and should always be done when editing important system files. Copy these files again, to take a current backup, and then copy the originals back to make them operational, as shown here:

# cp /etc/system /etc/system.svm<cr>
# cp /etc/vfstab /etc/vfstab.svm<cr>
# cp /etc/system.nosvm /etc/system<cr>
# cp /etc/vfstab.nosvm /etc/vfstab<cr>


You should now be able to reboot the system to single-user without SVM and recover any failed file systems.

If the preceding does not work, you might need to repair the root file system manually, requiring you to boot from a DVD or CD-ROM. (On an x86/x64-based system, boot to Failsafe mode from the GRUB menu.) On a SPARC-based system, insert the Solaris 10 DVD disk (or the Solaris 10 CD 1) and shut down the system if it is not already shut down.

On a SPARC system, boot to single-user from the CD-ROM as follows:

ok boot cdrom -s<cr>

When the system prompt is displayed, you can manually run fsck on the root file system. In this example, I assume that a root file system exists on /dev/rdsk/c0t0d0s0:

# fsck /dev/rdsk/c0t0d0s0<cr>
** /dev/rdsk/c0t0d0s0
** Last Mounted on /
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
FREE BLK COUNT(S) WRONG IN SUPERBLK
SALVAGE? y
136955 files, 3732764 used, 1404922 free (201802 frags, 150390 blocks, 3.9% fragmentation)
***** FILE SYSTEM WAS MODIFIED *****

You should now be able to reboot the system using SVM, and you should resynchronize the root mirror as soon as the system is available. This can be achieved easily by detaching the second submirror and then reattaching it. The following example shows a mirror d10 consisting of d11 and d12:

# metadetach d10 d11<cr>
d10: submirror d11 is detached
# metattach d10 d11<cr>
d10: submirror d11 is attached

To demonstrate that the mirror is performing a resynchronization operation, you can issue the metastat command as follows, which shows the progress as a percentage:

# metastat d10<cr>
d10: Mirror
    Submirror 0: d11
      State: Okay
    Submirror 1: d12
      State: Resyncing
    Resync in progress: 37 % done
    Pass: 1
    Read option: roundrobin (default)
    Write option: parallel (default)
    Size: 10462032 blocks (5.0 GB)

d11: Submirror of d10
    State: Okay
    Size: 10462032 blocks (5.0 GB)
    Stripe 0:
        Device     Start Block  Dbase  State  Reloc  Hot Spare
        c0t0d0s0   0            No     Okay   Yes

d12: Submirror of d10
    State: Resyncing
    Size: 10462032 blocks (5.0 GB)
    Stripe 0:
        Device     Start Block  Dbase  State  Reloc  Hot Spare
        c0t1d0s0   0            No     Okay   Yes

Device Relocation Information:
Device   Reloc  Device ID
c0t0d0   Yes    id1,dad@AWDC_AC310200R=WD-WT6750311269
c0t1d0   Yes    id1,dad@ASAMSUNG_SP0411N=S01JJ60X901935

Veritas Volume Manager


EXAM ALERT

Veritas Volume Manager: The exam has no questions on the Veritas Volume Manager. This section has been included solely to provide some additional information for system administrators and to allow comparison between this product and the Solaris Volume Manager. A course is run by Sun Microsystems for administrators using Veritas Volume Manager.

Veritas Volume Manager is an unbundled software package that can be purchased separately via Sun, or direct from Symantec, and does not come as part of the standard Solaris 10 release. This product has traditionally been used for managing SAN connected storage. It is widely used for performing Virtual Volume Management functions on large scale systems such as Sun, Sequent, and HP. Although Veritas Volume Manager also provides the capability to mirror the OS drive, in actual industry practice, you’ll still see SVM used to mirror the OS drive, even on large Sun servers that use Veritas Volume Manager to manage the remaining data. It used to be much more robust than the older Solstice DiskSuite product (the predecessor to the Solaris Volume Manager), providing tools that identify and analyze storage access patterns so that I/O loads can be balanced across complex disk configurations. SVM is now a much more robust product, but the difference is negligible.


Veritas Volume Manager is a complex product that would take much more than this chapter to describe in detail. This chapter introduces you to the Veritas Volume Manager and some of the terms you will find useful.

The Volume Manager builds virtual devices called volumes on top of physical disks. A physical disk is the underlying storage device (media), which may or may not be under Volume Manager control. A physical disk can be accessed using a device name such as /dev/rdsk/c#t#d. The physical disk can be divided into one or more slices.

Volumes are accessed by the Solaris file system, a database, or other applications in the same way physical disk partitions would be accessed. Volumes and their virtual components are referred to as Volume Manager objects.

The Volume Manager uses several Volume Manager objects to perform disk management tasks, as shown in Table 3.12.

Table 3.12 Volume Manager Objects

Object Name    Description

VM disk    A contiguous area of disk space from which the Volume Manager allocates storage. Each VM disk corresponds to at least one partition. A VM disk usually refers to a physical disk in the array.

Disk group    A collection of VM disks that share a common configuration. The default disk group used to be rootdg (the root disk group) in versions prior to version 4, but now no default disk group is assigned. Additional disk groups can be created as necessary. Volumes are created within a disk group; a given volume must be configured from disks belonging to the same disk group. Disk groups allow the administrator to group disks into logical collections for administrative convenience.

Subdisk    A set of contiguous disk blocks; subdisks are the basic units in which the Volume Manager allocates disk space. A VM disk can be divided into one or more subdisks.

Plex    Often referred to as mirrors; a plex consists of one or more subdisks located on one or more disks, forming one side of a mirror configuration. The use of two or more plexes forms a functional mirror.

Volume    A virtual disk device that appears to be a physical disk partition to applications, databases, and file systems, but does not have the physical limitations of a physical disk partition. Volumes are created within a disk group; a given volume must be configured from disks belonging to the same disk group.

NOTE

Plex configuration: A number of plexes (usually two) are associated with a volume to form a working mirror. Also, stripes and concatenations are normally achieved during the creation of the plex.


Volume Manager objects can be manipulated in a variety of ways to optimize performance, provide redundancy of data, and perform backups or other administrative tasks on one or more physical disks without interrupting applications. As a result, data availability and disk subsystem throughput are improved.

Veritas Volume Manager manages disk space by using contiguous sectors. The application formats the disks into only two slices: Slice 3 and Slice 4. Slice 3 is called a private area, and Slice 4 is the public area. Slice 3 maintains information about the virtual to physical device mappings, while Slice 4 provides space to build the virtual devices. The advantage of this approach is that there is almost no limit to the number of subdisks you can create on a single drive. A standard Solaris disk partitioning environment has an eight-partition limit per disk.

The names of the block devices for virtual volumes created using Veritas Volume Manager are found in the /dev/vx/dsk/<disk_group>/<volume_name> directory, and the names of the raw devices are found in the /dev/vx/rdsk/<disk_group>/<volume_name> directory. The following is an example of a block and raw logical device name:

/dev/vx/dsk/apps/vol01 - block device
/dev/vx/rdsk/apps/vol01 - raw device

Summary

This chapter described the basic concepts behind RAID and the Solaris Volume Manager (SVM). This chapter described the various levels of RAID along with the differences between them, as well as the elements of SVM and how they can be used to provide a reliable data storage solution. We also covered the creation and monitoring of the state database replicas and how to mirror and unmirror file systems. Finally, you learned about Veritas Volume Manager, a third-party product used predominantly in larger systems with disk arrays.

Key Terms

. Virtual volume

. Metadevice

. RAID (0, 1, 5, 1+0, 0+1)

. Metadisk

. Soft partition

. Volume

. Concatenation

. Stripe

. Mirror

. Submirror

. Meta state database

. Hot spare pool

. Interlaces

. Veritas Volume Manager objects

. Hot-pluggable

. Hot-swappable


Apply Your Knowledge

Exercise

Along with the exercise in this section, make sure that you can perform all the Step By Steps in this chapter from memory.

3.1 Monitoring Disk Usage

In this exercise, you’ll see how to use the iostat utility to monitor disk usage. You need a Solaris 10 workstation with local disk storage and a file system with at least 50 Megabytes of free space. You also need CDE window sessions. For this exercise, you do not have to make use of metadevices, because the utility displays information on standard disks as well as metadevices. The commands are identical whether or not you are running Solaris Volume Manager. Make sure you have write permission to the file system.

Estimated time: 5 minutes

1. In the first window, start the iostat utility so that extended information about each disk or metadevice can be displayed. Also, you will enter a parameter to produce output every 3 seconds. Enter the following command at the command prompt:

# iostat -xn 3<cr>

2. The output is displayed and is updated every 3 seconds. Watch the %b column, which tells you how busy the disk, or metadevice, is at the moment.

3. In the second window, change to the directory where you have at least 50 Megabytes of free disk space and create an empty file of this size, as shown in the following code. My example directory is /data. The file to be created is called testfile.

# cd /data<cr>
# mkfile 50M testfile<cr>

4. The file will take several seconds to be created, but watch the output being displayed in the first window and notice the increase in the %b column of output. You should see the affected disk slice suddenly become a lot busier. Continue to monitor the output when the command has completed and notice that the disk returns to its normal usage level.

5. Press Ctrl+C to stop the iostat output in the first window and delete the file created when you have finished, as shown here:

# rm testfile<cr>


Exam Questions

1. Which of the following is a device that represents several disks or disk slices?

❍ A. Physical device

❍ B. Volume

❍ C. Pseudo device

❍ D. Instance

2. Which of the following provides redundancy of data in the event of a disk or hardware failure?

❍ A. Mirror

❍ B. Concatenated stripe

❍ C. Stripe

❍ D. Metadevice

3. Which of the following types of addressing interlaces component blocks across all the slices?

❍ A. Metadevice

❍ B. Concatenated stripe

❍ C. Mirror

❍ D. Stripe

4. Which of the following volumes organizes the data sequentially across slices?

❍ A. Mirror

❍ B. Stripe

❍ C. Concatenation

❍ D. Metadevice

5. Which of the following is a collection of slices reserved to be automatically substituted in case of slice failure in either a submirror or RAID 5 metadevice?

❍ A. Hot spare pool

❍ B. Subdisks

❍ C. Plexes

❍ D. Disk group


6. Which of the following replicates data by using parity information, so that in the case of missing data, the missing data can be regenerated using available data and the parity information?

❍ A. Hot spare pool

❍ B. Mirroring

❍ C. Trans

❍ D. RAID 5

7. Which of the following has an eight-partition limit per disk?

❍ A. Solaris Volume Manager

❍ B. Veritas Volume Manager

❍ C. VM disk

❍ D. Standard Solaris SPARC disk

❍ E. Plex

8. Which of the following commands would create 3-state database replicas on slice c0t0d0s3?

❍ A. metadb -i

❍ B. metainit -a -f -c3 c0t0d0s3

❍ C. metadb -a -f -c3 c0t0d0s3

❍ D. metaclear

9. Which of the following commands would create a one-way mirror (d1), using metadevice d14 as the submirror?

❍ A. metaclear -r d1

❍ B. metainit d1 -m d14

❍ C. metainit d1 1 1 d14

❍ D. metadb -i

10. Your supervisor has given you the task of building an array of disks for an application that is very write-intensive. The budget is tight, so he has not requested any redundancy. Which SVM volume would you use?

❍ A. RAID 0 concatenation volume

❍ B. RAID 0 stripe volume

❍ C. RAID 1 volume

❍ D. RAID 5 volume


11. Your client has given you the task of building an array of disks for an application that is read- and write-intensive. Data availability is critical, and cost is not an issue. Which options would you choose? (Choose two.)

❍ A. RAID 0 concatenation volume

❍ B. RAID 0 stripe volume

❍ C. RAID 1 volume

❍ D. RAID 5 volume

❍ E. RAID 0+1

❍ F. RAID 1+0

12. Your server uses SVM volumes to mirror the operating system disks. The server has two physical disks and two state database replicas on slice 7 of each disk. What would happen if one of the disk drives failed? (Choose two.)

❍ A. The system will continue to run.

❍ B. The system will panic.

❍ C. The system cannot reboot to multiuser mode.

❍ D. Nothing will happen with the current number of state database replicas still online.

13. What is the recommended placement of your state database replicas when you have four disk drives?

❍ A. Create three state databases on each disk.

❍ B. Create two state databases on each disk.

❍ C. Create one state database on each disk.

❍ D. Create at least three state database replicas (one per disk).

14. Which entry in the menu.lst file provides an option to boot to the alternate boot device, c1d0 (the master IDE drive on the secondary IDE controller)?

❍ A. root (hd0,1,a)

❍ B. root (hd1,0,a)

❍ C. altbootpath=/eisa/eha@1000,0/cmdk@1,0:a

❍ D. altbootpath=hd1,0,a


Answers to Exam Questions

1. B. A volume (often called a metadevice) is a group of physical slices that appear to the system as a single, logical device. A volume is used to increase storage capacity and increase data availability. For more information, see the “Solaris SVM” section.

2. A. A mirror is composed of one or more simple metadevices called submirrors. A mirror replicates all writes to a single logical device (the mirror) and then to multiple devices (the submirrors) while distributing read operations. This provides redundancy of data in the event of a disk or hardware failure. For more information, see the “Solaris SVM” section.

3. D. A stripe is similar to concatenation, except that the addressing of the component blocks is interlaced on all the slices rather than sequentially. For more information, see the “SVM Volumes” section.

4. C. Concatenations work in much the same way as the UNIX cat command is used to concatenate two or more files to create one larger file. If partitions are concatenated, the addressing of the component blocks is done on the components sequentially. The file system can use the entire concatenation. For more information, see the “SVM Volumes” section.

5. A. A hot spare pool is a collection of slices (hot spares) reserved to be automatically substituted in case of slice failure in either a submirror or RAID 5 metadevice. For more information, see the “Solaris SVM” section.

6. D. RAID 5 replicates data by using parity information. In the case of missing data, the data can be regenerated using available data and the parity information. For more information, see the “RAID” section.

7. D. A standard Solaris SPARC disk-partitioned environment has an eight-partition limit per disk. For more information, see the “Solaris SVM” section.

8. C. The command metadb -a -f -c3 c0t0d0s3 would create the required state database replicas; see the “Creating the State Database” section.

9. B. The command metainit d1 -m d14 would create a one-way mirror; see the “Creating a Mirror” section.

10. B. RAID 0 stripes and concatenations do not provide redundancy. However, a RAID 0 stripe spreads data evenly across multiple physical disks, thus providing high data transfer rates and high I/O throughput. RAID 1 mirrored volumes and RAID 5 striped volumes provide redundancy and therefore require additional disks and money. A RAID 5 stripe performs slower than a RAID 0 stripe. For more information, see the “Planning Your SVM Configuration” section.

11. E, F. A RAID 1+0 and RAID 0+1 volume would provide the best option for redundancy and fast I/O throughput on read/write operations. A RAID 5 stripe provides the best performance for read operations while providing redundancy in the event of a disk failure, but there is a penalty for write operations. For more information, see the “Planning Your SVM Configuration” section.

12. A, C. With two state database replicas on each of two disks, when one disk fails, the server continues to run. At the next reboot, you will need to boot into single-user mode and delete the failed state database replicas before you can boot the system into multiuser mode. For more information, see the “Creating the State Database” section.


13. B. When distributing your state database replicas, create two state database replicas on each drive for a system with two to four disk drives. For more information, see the “Creating the State Database” section.

14. B. Add the following new entry to the menu.lst file to allow booting from the alternate boot device, c1d0:

root (hd1,0,a)

For more information, see the “Mirroring the Root File System on an x86-Based System” section.

Suggested Reading and Resources

Solaris 10 Documentation CD, “Solaris Volume Manager Administration Guide” manual. Also available at http://docs.sun.com, part number 816-4520-12.


Chapter 4: Controlling Access and Configuring System Messaging

Objectives

The following test objectives for Exam CX-310-202 are covered in this chapter:

Configure Role-Based Access Control (RBAC), including assigning rights profiles, roles, and authorizations to users.

. This chapter describes Role-Based Access Control (RBAC), and identifies the four main databases involved with RBAC. The system administrator needs to understand the function and structure of each of these databases and how to apply the RBAC functionality in real-world situations.

Analyze RBAC configuration file summaries and manage RBAC using the command line.

. You will see how to assign a role to a user and use rights profiles by using commands that are described in this chapter. These can greatly assist the system administrator when managing a large number of rights that are to be assigned to a number of users.

Explain syslog function fundamentals, and configure and manage the /etc/syslog.conf file and syslog messaging.

. This chapter describes the basics of system messaging in the Solaris operating environment, introduces the daemon responsible for managing the messaging, and describes the configuration file that determines what information is logged and where it is stored. It also describes the new method of restarting/refreshing the syslog process when changes are made to its configuration file.


Outline

Introduction

Role-Based Access Control (RBAC)
    Using RBAC
    RBAC Components
        Extended User Attributes (user_attr) Database
        Authorizations (auth_attr) Database
        Rights Profiles (prof_attr) Database
        Execution Attributes (exec_attr) Database

syslog
    Using the logger Command

Summary
    Key Terms

Apply Your Knowledge
    Exercise
    Exam Questions
    Answers to Exam Questions

Suggested Reading and Resources

Study Strategies

The following strategies will help you prepare for the test:

. As you study this chapter, it’s important that you practice each exercise and each command that is presented on a Solaris system. Hands-on experience is important when learning these topics, so practice until you can repeat the procedures from memory.

. Be sure you understand each command and be prepared to match the command to the correct description.

. Be sure you know all the terms listed in the “Key Terms” section near the end of this chapter. Pay special attention to the databases used in Role-Based Access Control (RBAC) and the uses and format of each. Be prepared to match the terms presented in this chapter with the correct description.

. Finally, you must understand the concept of system messaging—its purpose, how it works, and how to configure and manage it.


Introduction

This chapter covers two main topics—Role-Based Access Control (RBAC) and system messaging (syslog). These are both related in that they participate in the securing and monitoring of systems in a Solaris environment. The use of Role-Based Access Control makes the delegation of authorizations much easier for the system administrator to manage, as groups of privileges can easily be given to a role through the use of profiles. Also, the use of roles means that a user has to first log in using his or her normal ID and then use the su command to gain access to the role (and therefore assigned privileges). This has the advantage of being logged and therefore helps establish accountability. The system messaging service (syslog) stores important system and security messages and is fully configurable. The system administrator can tune the service so that certain messages are delivered to several places (such as a log file, a message, and the system console), greatly increasing the chances of it being noticed quickly.

Role-Based Access Control (RBAC)

Objectives

. Configure Role-Based Access Control (RBAC) including assigning rights profiles, roles, and authorizations to users.

. Analyze RBAC configuration file summaries and manage RBAC using the command line.

Granting superuser access to nonroot users has always been an issue in UNIX systems. In the past, you had to rely on a third-party package, such as sudo, to provide this functionality. The problem was that sudo was an unsupported piece of freeware that had to be downloaded from the Internet and installed onto your system. In extreme cases, the system administrator had to set the setuid permission bit on the file so that a user could execute the command as root.

With Role-Based Access Control (RBAC) in the Solaris 10 operating environment, administrators can not only assign limited administrative capabilities to nonroot users, they can also provide the mechanism where a user can carry out a specific function as another user (if required). This is achieved through three features:

. Authorizations: User rights that grant access to a restricted function.

. Execution profiles: Bundling mechanisms for grouping authorizations and commands with special attributes; for example, user and group IDs or superuser ID.

. Roles: Special type of user accounts intended for performing a set of administrative tasks.


Using RBAC

To better describe RBAC, it’s easier to first describe how a system administrator would utilize RBAC to delegate an administrative task to a nonroot user in a fictional setting at Acme Corp.

At Acme Corp., the system administrator is overwhelmed with tasks. He decides to delegate some of his responsibility to Neil, a user from the engineering department who helps out sometimes with system administration tasks.

The system administrator first needs to define which tasks he wants Neil to help with. He has identified three tasks:

. Change user passwords, but do not add or remove accounts.

. Mount and share file systems.

. Shut down the system.

In RBAC, when we speak of delegating administrative tasks, it is referred to as a role account. A role account is a special type of user account that is intended for performing a set of administrative tasks. It is like a normal user account in most respects except that users can gain access to it only through the su command after they have logged in to the system with their normal login account. A role account is not accessible for normal logins, for example, through the CDE login window. From a role account, a user can access commands with special attributes, typically the superuser privilege, which are unavailable to users with normal accounts.

At Acme Corp., the system administrator needs to define a role username for the tasks he wants to delegate. Let’s use the role username “adminusr.” After Neil logs in with his normal login name of ncalkins, he then needs to issue the su command and switch to adminusr whenever he wants to perform administrative tasks. In this chapter, you learn how to create a role account using the command line interface, although you should note that the Solaris Management Console can also be used.

CAUTION: Assigning superuser access using RBAC. Most often, you will probably use RBAC to provide superuser access to administrative tasks within the system. Exercise caution and avoid creating security lapses by giving unauthorized users access to administrative functions.

So far we have determined that we want to name the role account adminusr. The system administrator creates the role account using the roleadd command. The roleadd command adds a role account to the /etc/passwd, /etc/shadow, and /etc/user_attr files. The syntax for the roleadd command is as follows:

roleadd [-c comment] [-d dir] [-e expire] [-f inactive] [-g group] \
    [-G group] [-m] [-k skel_dir] [-u uid] [-s shell] \
    [-A authorization] [-P profile] <role username>

You’ll notice that roleadd looks a great deal like the useradd command. Table 4.1 describes the options for the roleadd command.

Table 4.1 roleadd Options

Option    Description

-c <comment>    Any text string to provide a brief description of the role.

-d <dir>    The home directory of the new role account.

-m    Creates the new role’s home directory if it does not already exist.

-e <expire>    Specifies the expiration date for a role. After this date, no user can access this role. The <expire> option argument is a date entered using one of the date formats included in the template file /etc/datemsk. For example, you can enter 10/30/02 or October 30, 2002. A value of “ ” defeats the status of the expired date.

-f <inactive>    Specifies the maximum number of days allowed between uses of a login ID before that login ID is declared invalid. Normal values are positive integers.

-g <group>    Specifies an existing group’s integer ID or character-string name. It redefines the role’s primary group membership.

-G <group>    Specifies an existing group’s integer ID, or character string name. It redefines the role’s supplementary group membership. Duplicates between groups with the -g and -G options are ignored.

-k <skeldir>    A directory that contains skeleton information (such as .profile) that can be copied into a new role’s home directory. This directory must already exist. The system provides the /etc/skel directory that can be used for this purpose.

-s <shell>    Specifies the user’s shell on login. The default is /bin/pfsh.

-A <authorization>, -P <profile>    Both of these options respectively assign authorizations and profiles to the role. Authorizations and profiles are described later in this section.

-u <uid>    Specifies a UID for the new role. It must be a nonnegative decimal integer. The UID associated with the role’s home directory is not modified with this option; a role does not have access to its home directory until the UID is manually reassigned using the chown command.

The other options are the same options that were described for the useradd command, outlined in Solaris 10 System Administration Exam Prep: CX-310-200, Part I.

When creating a role account with the roleadd command, you need to specify an authorization or profile to the role. An authorization is a user right that grants access to a restricted function. It is a unique string that identifies what is being authorized as well as who created the authorization.


Certain privileged programs check the authorizations to determine whether users can execute restricted functionality. Following are the predefined authorizations from the /etc/security/auth_attr file that apply to the tasks to be delegated:

solaris.admin.usermgr.pswd:::Change Password::help=AuthUserMgrPswd.html
solaris.system.shutdown:::Shutdown the System::help=SysShutdown.html
solaris.admin.fsmgr.write:::Mount and Share File Systems::help=AuthFsMgrWrite.html

All authorizations are stored in the auth_attr database, so the system administrator needs to use one or more of the authorizations that are stored in that file. For the Acme Corp. example, the system administrator needs to specify the authorizations shown here:

solaris.admin.usermgr.pswd
solaris.system.shutdown
solaris.admin.fsmgr.write

The system administrator would therefore issue the roleadd command as follows:

# roleadd -m -d /export/home/adminusr -c "Admin Assistant" \
-A solaris.admin.usermgr.pswd,solaris.system.shutdown,\
solaris.admin.fsmgr.write adminusr<cr>

A role account named adminusr with the required directory structures has been created. The next step is to set the password for the adminusr role account by typing the following:

passwd adminusr

You are prompted to type the new password twice.

Now we need to set up Neil’s account so he can access the new role account named adminusr. With the usermod command, we assign the role to the user account using the -R option:

usermod -R adminusr neil

NOTE: No need to be logged out. Previously, you needed to ensure that the user was not logged in at the time of assigning a role; otherwise, you received an error message and the role was not assigned. This is no longer the case. A role can be assigned to a user while the user is still logged in.

To access the administrative functions, Neil needs to first log in using his regular user account named neil. Neil can check which roles he has been granted by typing the following at the command line:

$ roles<cr>

The system responds with the roles that have been granted to the user account neil:

adminusr


Neil then needs to su to the adminusr account by typing the following:

$ su adminusr<cr>

Neil is prompted to type the password for the role account.

Now Neil can modify user passwords, shut down the system, and mount and share file systems. Any other user trying to su to the adminusr account gets this message:

$ su adminusr<cr>
Password:
Roles can only be assumed by authorized users
su: Sorry
$

If the system administrator later wants to assign additional authorizations to the role account named adminusr, he would do so using the rolemod command. The rolemod command modifies a role’s login information on the system. The syntax for the rolemod command is as follows:

rolemod [-u uid] [-o] [-g group] [-G group] [-d dir] [-m] [-s shell] \
    [-c comment] [-l new_name] [-f inactive] [-e expire] [-A Authorization] \
    [-P profile] <role account>

Table 4.2 describes options for the rolemod command where they differ from the roleadd command.

Table 4.2 rolemod Options

Option    Description

-A <authorization>    One or more comma-separated authorizations as defined in the auth_attr database. This replaces any existing authorization setting.

-d <dir>    Specifies the new home directory of the role. It defaults to <base_dir>/<login>, in which <base_dir> is the base directory for new login home directories, and <login> is the new login.

-l <new_logname>    Specifies the new login name for the role. The <new_logname> argument is a string no more than eight bytes consisting of characters from the set of alphabetic characters, numeric characters, period (.), underline (_), and hyphen (-). The first character should be alphabetic and the field should contain at least one lowercase alphabetic character. A warning message is written if these restrictions are not met. A future Solaris release might refuse to accept login fields that do not meet these requirements. The <new_logname> argument must contain at least one character and must not contain a colon (:) or newline (\n).

-m    Moves the role’s home directory to the new directory specified with the -d option. If the directory already exists, it must have permissions read/write/execute by group, in which group is the role’s primary group.

-o    Allows the specified UID to be duplicated (nonunique).

-P <profile>    Replaces any existing profile setting. One or more comma-separated execution profiles are defined in the auth_attr database.

-u <uid>    Specifies a new UID for the role. It must be a nonnegative decimal integer. The UID associated with the role’s home directory is not modified with this option; a role does not have access to its home directory until the UID is manually reassigned using the chown command.

To add the ability to purge log files, you need to add solaris.admin.logsvc.purge to the list of authorizations for adminusr. To do this, issue the rolemod command:

# rolemod -A solaris.admin.usermgr.pswd,solaris.system.shutdown,\
solaris.admin.fsmgr.write,solaris.admin.logsvc.purge adminusr<cr>

You can verify that the new authorizations have been added to the role by typing the auths command at the command line:

# auths adminusr<cr>
solaris.admin.usermgr.pswd,solaris.system.shutdown,solaris.admin.fsmgr.write,solaris.admin.logsvc.purge,...[ output has been truncated]
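Because rolemod -A replaces the role’s authorization list rather than extending it, the full list has to be rebuilt from the role’s existing /etc/user_attr entry every time. The following Python script is an added example, not part of the book: it merges a new authorization into the adminusr entry written by roleadd and reports what a rolemod run dropped. The function names and the AFTER_BAD line are constructed for illustration.

```python
# Added example (not from the book): keep existing authorizations when
# extending a role, because rolemod -A replaces the whole list.
import re

# The adminusr entry that roleadd wrote to /etc/user_attr in this chapter.
BEFORE = ("adminusr::::type=role;auths=solaris.admin.usermgr.pswd,"
          "solaris.system.shutdown,solaris.admin.fsmgr.write;profiles=All")
# Constructed: the entry as it would read after running rolemod -A with
# only the new authorization instead of the full list.
AFTER_BAD = "adminusr::::type=role;auths=solaris.admin.logsvc.purge;profiles=All"

# Characters accepted in a name before it is placed on a command line.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.*-]+")


def role_auths(user_attr_line):
    """Return (role name, list of auths) from one user_attr role entry."""
    fields = user_attr_line.strip().split(":", 4)
    if len(fields) != 5:
        raise ValueError("expected user:qualifier:res1:res2:attr")
    name, attr = fields[0], fields[4]
    pairs = dict(p.split("=", 1) for p in attr.split(";") if "=" in p)
    if pairs.get("type") != "role":
        raise ValueError(name + " is not a role")
    return name, [a for a in pairs.get("auths", "").split(",") if a]


def rolemod_add(user_attr_line, new_auths):
    """Build the rolemod command that adds new_auths and keeps the old ones."""
    role, merged = role_auths(user_attr_line)
    for auth in new_auths:
        if auth not in merged:  # keep the original order, skip duplicates
            merged.append(auth)
    for token in merged + [role]:
        if not SAFE_NAME.fullmatch(token):
            raise ValueError("unexpected characters in " + repr(token))
    return "rolemod -A " + ",".join(merged) + " " + role


def dropped_auths(before_line, after_line):
    """Authorizations the role had before a change but no longer has."""
    _, before = role_auths(before_line)
    _, after = role_auths(after_line)
    return [a for a in before if a not in after]


if __name__ == "__main__":
    print(rolemod_add(BEFORE, ["solaris.admin.logsvc.purge"]))
    print("dropped:", dropped_auths(BEFORE, AFTER_BAD))
```

Saving a copy of the role’s user_attr entry before the change gives dropped_auths something to compare against afterwards.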

If you want to remove a role account, use the roledel command:

roledel [-r] <role account name>

The -r option removes the role’s home directory from the system. For example, to remove the adminusr role account, issue the following command:

# roledel -r adminusr<cr>

The next section discusses each of the RBAC databases in detail, describing the entries made when we executed the roleadd and usermod commands.

CAUTION: rolemod warning. The rolemod command does not add to the existing authorizations; it replaces any existing authorization setting.


RBAC Components

RBAC relies on the following four databases to provide users access to privileged operations:

. /etc/user_attr (extended user attributes database): Associates users and roles with authorizations and profiles.

. /etc/security/auth_attr (authorization attributes database): Defines authorizations and their attributes and identifies the associated help file.

. /etc/security/prof_attr (rights profile attributes database): Defines profiles, lists the profile’s assigned authorizations, and identifies the associated help file.

. /etc/security/exec_attr (profile attributes database): Defines the privileged operations assigned to a profile.

These four databases are logically interconnected.

EXAM ALERT: RBAC database functions. You need to be able to correctly identify the function and location of each RBAC database. A common exam question is to match the description with the relevant RBAC database. Remember that the user_attr database resides in the /etc directory and not in the /etc/security directory.

Extended User Attributes (user_attr) Database

The /etc/user_attr database supplements the passwd and shadow databases. It contains extended user attributes, such as authorizations and profiles. It also allows roles to be assigned to a user. Following is an example of the /etc/user_attr database:

# more /etc/user_attr<cr>
# Copyright 2003 by Sun Microsystems, Inc. All rights reserved.
#
# /etc/user_attr
#
# user attributes. see user_attr(4)
#
#pragma ident "@(#)user_attr 1.1 03/07/09 SMI"
#
adm::::profiles=Log Management
lp::::profiles=Printer Management
root::::auths=solaris.*,solaris.grant;profiles=All
adminusr::::type=role;auths=solaris.admin.usermgr.pswd,solaris.system.shutdown,solaris.admin.fsmgr.write;profiles=All
neil::::type=normal;roles=adminusr


The following fields in the user_attr database are separated by colons:

user:qualifier:res1:res2:attr

Each field is described in Table 4.3.

Table 4.3 user_attr Fields

Field Name    Description

user    Describes the name of the user or role, as specified in the passwd database.

qualifier    Reserved for future use.

res1    Reserved for future use.

res2    Reserved for future use.

attr    Contains an optional list of semicolon-separated (;) key-value pairs that describe the security attributes to be applied when the user runs commands. Eight valid keys exist: auths, profiles, roles, type, project, defaultpriv, limitpriv, and lock_after_retries:

    auths specifies a comma-separated list of authorization names chosen from names defined in the auth_attr database. Authorization names can include the asterisk (*) character as a wildcard. For example, solaris.device.* means all the Solaris device authorizations.

    profiles contains an ordered, comma-separated list of profile names chosen from prof_attr. A profile determines which commands a user can execute and with which command attributes. At a minimum, each user in user_attr should have the All profile, which makes all commands available but without attributes. The order of profiles is important; it works similarly to UNIX search paths. The first profile in the list that contains the command to be executed defines which (if any) attributes are to be applied to the command. Profiles are described in the section titled “Authorizations (auth_attr) Database.”

    roles can be assigned to the user using a comma-separated list of role names. Note that roles are defined in the same user_attr database. They are indicated by setting the type value to role. Roles cannot be assigned to other roles.

    type can be set to normal, if this account is for a normal user, or to role, if this account is for a role. A normal user assumes a role after he has logged in.

    project can be set to a project from the projects database, so that the user is placed in a default project at login time.

    defaultpriv is the list of default privileges the user is assigned.

    limitpriv: The system administrator can limit the set of privileges allowed, and this attribute contains the maximum set of privileges the user can be allowed. Care must be taken when limiting privileges so as to not affect other applications the user might execute.

    lock_after_retries specifies whether an account is locked out following a number of failed logins. The number of failed logins is taken from the RETRIES option in /etc/default/login. The default is no.

In the previous section, we issued the following roleadd command to add a role named adminusr:

# roleadd -m -d /export/home/adminusr -c "Admin Assistant" \
-A solaris.admin.usermgr.pswd,solaris.system.shutdown,\
solaris.admin.fsmgr.write adminusr<cr>

The roleadd command made the following entry in the user_attr database:

adminusr::::type=role;auths=solaris.admin.usermgr.pswd,solaris.system.shutdown,solaris.admin.fsmgr.write;profiles=All

We can then issue the following usermod command to assign the new role to the user neil:

# usermod -R adminusr neil<cr>

The usermod command then makes the following entry in the user_attr database:

neil::::type=normal;roles=adminusr

Authorizations (auth_attr) Database

An authorization is a user right that grants access to a restricted function. In the previous section, the system administrator wanted to delegate some of the system administrative tasks to Neil. Assigning authorizations to the role named adminusr did this. An authorization is a unique string that identifies what is being authorized as well as who created the authorization. Remember that we used the following authorizations to give Neil the ability to modify user passwords, shut down the system, and mount and share file systems:

solaris.admin.usermgr.pswd
solaris.system.shutdown
solaris.admin.fsmgr.write

Certain privileged programs check the authorizations to determine whether users can execute restricted functionality. For example, the solaris.jobs.admin authorization is required for one user to edit another user’s crontab file.

All authorizations are stored in the auth_attr database. If no name service is used, the database is located in a file named /etc/security/auth_attr. Authorizations can be assigned directly to users (or roles), in which case they are entered in the user_attr database. Authorizations can also be assigned to profiles, which in turn are assigned to users. They are described in the “Rights Profiles (prof_attr) Database” section, later in this chapter.

The fields in the auth_attr database are separated by colons, as shown here:

authname:res1:res2:short_desc:long_desc:attr


Each field is described in Table 4.4.

Table 4.4 auth_attr Fields

Field Name    Description

authname    A unique character string used to identify the authorization in the format prefix.[suffix]. Authorizations for the Solaris operating environment use solaris as a prefix. All other authorizations should use a prefix that begins with the reverse-order Internet domain name of the organization that creates the authorization (for example, com.xyzcompany). The suffix indicates what is being authorized—typically, the functional area and operation.
    When no suffix exists (that is, the authname consists of a prefix and functional area and ends with a period), the authname serves as a heading for use by applications in their GUIs rather than as an authorization. The authname solaris.printmgr is an example of a heading.
    When the authname ends with the word grant, the authname serves as a grant authorization and allows the user to delegate related authorizations (that is, authorizations with the same prefix and functional area) to other users. The authname solaris.printmgr.grant is an example of a grant authorization; it gives the user the right to delegate such authorizations as solaris.printmgr.admin and solaris.printmgr.nobanner to other users.

res1    Reserved for future use.

res2    Reserved for future use.

short_desc    A shortened name for the authorization suitable for displaying in user interfaces, such as in a scrolling list in a GUI.

long_desc    A long description. This field identifies the purpose of the authorization, the applications in which it is used, and the type of user interested in using it. The long description can be displayed in the help text of an application.

attr    An optional list of semicolon-separated (;) key-value pairs that describe the attributes of an authorization. Zero or more keys can be specified.
    The keyword help identifies a help file in HTML. Help files can be accessed from the index.html file in the /usr/lib/help/auths/locale/C directory.

The following are some typical values found in the default auth_attr database:

solaris.admin.usermgr.pswd:::Change Password::help=AuthUserMgrPswd.html
solaris.system.shutdown:::Shutdown the System::help=SysShutdown.html
solaris.admin.fsmgr.write:::Mount and Share File Systems::help=AuthFsMgrWrite.html

Look at the relationship between the auth_attr and the user_attr databases for the adminusr role we added earlier:

adminusr::::type=role;auths=solaris.admin.usermgr.pswd,solaris.system.shutdown,solaris.admin.fsmgr.write;profiles=All


Notice the authorization entries that are bold. These authorization entries came out of the auth_attr database, shown previously. The solaris.system.shutdown authorization, which is defined in the auth_attr database, gives the role the right to shut down the system.

Rights Profiles (prof_attr) Database

We referred to rights profiles, or simply profiles, earlier in this chapter. Up until now, we assigned authorization rights to the role account. Defining a role account that has several authorizations can be tedious. In this case, it’s better to define a profile, which is several authorizations bundled together under one name called a profile name. The definition of the profile is stored in the prof_attr database. Following is an example of a profile named Operator, which is in the default prof_attr database. Again, if you are not using a name service, the prof_attr file is located in the /etc/security directory.

Operator:::Can perform simple administrative tasks:profiles=Printer Management,Media Backup,All;help=RtOperator.html

Several other profiles are defined in the prof_attr database. Colons separate the fields in the prof_attr database:

profname:res1:res2:desc:attr

The fields are defined in Table 4.5.

Table 4.5 prof_attr Fields

Field Name    Description

profname    The name of the profile. Profile names are case-sensitive.

res1    A field reserved for future use.

res2    A field reserved for future use.

desc    A long description. This field should explain the purpose of the profile, including what type of user would be interested in using it. The long description should be suitable for displaying in the help text of an application.

attr    An optional list of key-value pairs separated by semicolons (;) that describe the security attributes to apply to the object upon execution. Zero or more keys can be specified. The four valid keys are help, auths, privs, and profiles.
    The keyword help identifies a help file in HTML. Help files can be accessed from the index.html file in the /usr/lib/help/auths/locale/C directory.
    auths specifies a comma-separated list of authorization names chosen from those names defined in the auth_attr database. Authorization names can be specified using the asterisk (*) character as a wildcard.


Perhaps the system administrator wants to create a new role account and delegate the task of printer management and backups. He could look through the auth_attr file for each authorization and assign each one to the new role account using the roleadd command, as described earlier. Or, he could use the Operator profile currently defined in the prof_attr database, which looks like this:

The Operator profile consists of three other profiles:

. Printer Management

. Media Backup

. All

Let’s look at each of these profiles as defined in the prof_attr database:

Printer Management:::Manage printers, daemons, spooling:help=RtPrntAdmin.html;auths=solaris.admin.printer.read,solaris.admin.printer.modify,solaris.admin.printer.delete
Media Backup:::Backup files and file systems:help=RtMediaBkup.html
All:::Execute any command as the user or role:help=RtAll.html

Printer Management has the following authorizations assigned to it:

. solaris.admin.printer.read

. solaris.admin.printer.modify

. solaris.admin.printer.delete

When you look at these three authorizations in the auth_attr database, you see the following entries:

solaris.admin.printer.read:::View Printer Information::help=AuthPrinterRead.html
solaris.admin.printer.modify:::Update Printer Information::help=AuthPrinterModify.html
solaris.admin.printer.delete:::Delete Printer Information::help=AuthPrinterDelete.html

Assigning the Printer Management profile is the same as assigning the three authorizations for viewing, updating, and deleting printer information.
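The chain from a user to a role, from the role to its profiles, and from each profile to its authorizations can be followed mechanically. The following Python script is an added example, not part of the book: it parses the user_attr and prof_attr entries shown in this chapter and lists the authorizations an account holds or can reach by assuming its roles. The function names are illustrative, and wildcard matching is modelled as a simple trailing-asterisk prefix match, which is an assumption based on the solaris.device.* example.

```python
# Added example (not from the book): resolve effective RBAC authorizations.
# The sample entries are the user_attr and prof_attr lines shown in this chapter.

USER_ATTR = """\
root::::auths=solaris.*,solaris.grant;profiles=All
adminusr::::type=role;auths=solaris.admin.usermgr.pswd,solaris.system.shutdown,solaris.admin.fsmgr.write;profiles=All
admin2::::type=role;profiles=Operator
neil::::type=normal;roles=adminusr
"""

PROF_ATTR = """\
Operator:::Can perform simple administrative tasks:profiles=Printer Management,Media Backup,All;help=RtOperator.html
Printer Management:::Manage printers, daemons, spooling:help=RtPrntAdmin.html;auths=solaris.admin.printer.read,solaris.admin.printer.modify,solaris.admin.printer.delete
Media Backup:::Backup files and file systems:help=RtMediaBkup.html
All:::Execute any command as the user or role:help=RtAll.html
"""


def parse_attr(field):
    """Turn 'key=v1,v2;key2=v3' into {'key': ['v1', 'v2'], 'key2': ['v3']}."""
    attrs = {}
    for pair in field.split(";"):
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return attrs


def load_db(text):
    """Parse user_attr or prof_attr text: five colon-separated fields, attr last."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split(":", 4)
        if len(fields) == 5:  # skip malformed entries instead of guessing
            db[fields[0]] = parse_attr(fields[4])
    return db


def expand_profiles(names, prof_db, seen=None):
    """List profiles in order, following nested profiles= entries once each."""
    seen = [] if seen is None else seen
    for name in names:
        if name not in seen:  # also stops a profile that includes itself
            seen.append(name)
            expand_profiles(prof_db.get(name, {}).get("profiles", []), prof_db, seen)
    return seen


def effective_auths(account, user_db, prof_db, assume_roles=False):
    """Authorizations held directly or through profiles; with assume_roles,
    also those reachable by su to each role assigned to the account."""
    entry = user_db.get(account, {})
    auths = set(entry.get("auths", []))
    for prof in expand_profiles(entry.get("profiles", []), prof_db):
        auths.update(prof_db.get(prof, {}).get("auths", []))
    if assume_roles:
        for role in entry.get("roles", []):
            auths.update(effective_auths(role, user_db, prof_db))
    return sorted(auths)


def is_authorized(needed, granted):
    """Assumption: a trailing '*' is a prefix wildcard, as in solaris.device.*."""
    for auth in granted:
        if auth == needed or (auth.endswith("*") and needed.startswith(auth[:-1])):
            return True
    return False


if __name__ == "__main__":
    users, profs = load_db(USER_ATTR), load_db(PROF_ATTR)
    for account in users:
        print(account, effective_auths(account, users, profs, assume_roles=True))
```

Run against copies of the real files, the same functions show which accounts can reach a sensitive authorization such as solaris.system.shutdown, including through a wildcard entry.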

The Media Backup profile provides authorization for backing up data, but not restoring data. The Media Backup profile does not have authorizations associated with it like the Printer Management profile has. I’ll describe how this profile is defined in the next section when I describe execution attributes.


The All profile grants the right for a role account to use any command when working in an administrator’s shell. These shells can only execute commands that have been explicitly assigned to a role account through granted rights. We’ll explore this concept further when I describe execution attributes in the next section.

To create a new role account named admin2 specifying the Operator profile, use the roleadd command with the -P option:

# roleadd -m -d /export/home/admin2 -c "Admin Assistant" -P Operator admin2<cr>

The following entry is added to the user_attr database:

admin2::::type=role;profiles=Operator

At any time, users can check which profiles have been granted to them with the profiles command:

$ profiles<cr>

The system lists the profiles that have been granted to that particular user account.

Execution Attributes (exec_attr) Database

An execution attribute associated with a profile is a command (with any special security attributes) that can be run by those users or roles to which the profile is assigned. For example, in the previous section, we looked at the profile named Media Backup in the prof_attr database. Although no authorizations were assigned to this profile, the Media Backup profile was defined in the exec_attr database as follows:

    Media Backup:solaris:act:::Tar;*;*;*;*:privs=all
    Media Backup:solaris:act:::Tar;*;TAR,MAGTAPE;*;>0:privs=all
    Media Backup:solaris:act:::TarList;*;*;*;*:
    Media Backup:suser:cmd:::/usr/bin/mt:euid=0
    Media Backup:suser:cmd:::/usr/lib/fs/ufs/ufsdump:euid=0;gid=sys
    Media Backup:suser:cmd:::/usr/sbin/tar:euid=0

The fields in the exec_attr database are as follows and are separated by colons:

    name:policy:type:res1:res2:id:attr

The fields are defined in Table 4.6.


Table 4.6 exec_attr Fields

Field Name    Description

name          The name of the profile. Profile names are case-sensitive.

policy        The security policy associated with this entry. Currently, suser (the superuser policy model) and solaris are the only valid policy entries. The solaris policy recognizes privileges, whereas the suser policy does not.

type          The type of entity whose attributes are specified. The two valid types are cmd (command) and act. The cmd type specifies that the ID field is a command that would be executed by a shell. The act type is available only if the system is configured with Trusted Extensions.

res1          This field is reserved for future use.

res2          This field is reserved for future use.

id            A string identifying the entity; the asterisk (*) wildcard can be used. Commands should have the full path or a path with a wildcard. To specify arguments, write a script with the arguments and point the id to the script.

attr          An optional list of semicolon (;) separated key-value pairs that describe the security attributes to apply to the entity upon execution. Zero or more keys can be specified. The list of valid keywords depends on the policy being enforced. Six valid keys exist: euid, uid, egid, gid, privs, and limitprivs.

              euid and uid contain a single username or numeric user ID. Commands designated with euid run with the effective UID indicated, which is similar to setting the setuid bit on an executable file. Commands designated with uid run with both the real and effective UIDs.

              egid and gid contain a single group name or numeric group ID. Commands designated with egid run with the effective GID indicated, which is similar to setting the setgid bit on an executable file. Commands designated with gid run with both the real and effective GIDs.


NOTE: Trusted Solaris. You will see an additional security policy if you are running Trusted Solaris, a special security-enhanced version of the operating environment. The policy tsol is the Trusted Solaris policy model.

Looking back to the Media Backup profile as defined in the exec_attr database, we see that the following commands have an effective UID of 0 (superuser):

    /usr/bin/mt
    /usr/sbin/tar
    /usr/lib/fs/ufs/ufsdump


Therefore, any user that has been granted the Media Backup profile can execute the previous backup commands with an effective user ID of 0 (superuser).

In the prof_attr database, we also saw that the Operator profile consisted of a profile named All. Again, All did not have authorizations associated with it. When we look at the exec_attr database for a definition of the All profile, we get the following entry:

    All:suser:cmd:::*:

Examining each field, we see that All is the profile name, the security policy is suser, and the type of entity is cmd. The attribute field has an *.

It’s common to grant all users the All profile. The * is a wildcard entry that matches every command. In other words, the user has access to any command while working in the shell. Without the All profile, a user would have access to the privileged commands, but no access to normal commands such as ls and cd. Notice that no special process attributes are associated with the wildcard, so the effect is that all commands matching the wildcard run with the UID and GID of the current user (or role).

NOTE: The All profile. Always assign the All profile last in the list of profiles. If it is listed first, no other rights are consulted when you look up command attributes.
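The ordering rule in the note above can be checked mechanically. The following Python is an added example, not code from the book or from Solaris: it parses the cmd entries quoted in this section and models the lookup as first match wins across the role's profile list, with shell-style wildcard matching assumed for the id field; all function names are hypothetical.

```python
from fnmatch import fnmatchcase

# cmd entries quoted in this section (the act entries are left out).
EXEC_ATTR = """\
Media Backup:suser:cmd:::/usr/bin/mt:euid=0
Media Backup:suser:cmd:::/usr/lib/fs/ufs/ufsdump:euid=0;gid=sys
Media Backup:suser:cmd:::/usr/sbin/tar:euid=0
All:suser:cmd:::*:
"""


def parse_exec_attr(text):
    """Parse name:policy:type:res1:res2:id:attr lines into dictionaries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 6)
        if len(fields) != 7:
            raise ValueError(f"expected 7 colon-separated fields: {line!r}")
        name, policy, etype, _res1, _res2, ident, attr = fields
        # attr is a semicolon-separated list of key=value pairs (may be empty).
        attrs = dict(pair.split("=", 1) for pair in attr.split(";") if pair)
        entries.append({"name": name, "policy": policy, "type": etype,
                        "id": ident, "attrs": attrs})
    return entries


def first_match(entries, profiles, command):
    """Walk the profiles in their assigned order; the first entry that matches wins."""
    for profile in profiles:
        for entry in entries:
            if (entry["name"] == profile and entry["type"] == "cmd"
                    and fnmatchcase(command, entry["id"])):
                return entry
    return None


def lookup(entries, profiles, command):
    """Security attributes the command would run with, or None if not permitted."""
    entry = first_match(entries, profiles, command)
    return None if entry is None else entry["attrs"]


def shadowed_entries(entries, profiles):
    """Audit helper: explicit command entries that an earlier profile's match hides.

    Returns (profile, command, hiding_profile) tuples.
    """
    shadowed = []
    for entry in entries:
        if (entry["type"] != "cmd" or "*" in entry["id"]
                or entry["name"] not in profiles):
            continue
        winner = first_match(entries, profiles, entry["id"])
        if winner is not entry:
            shadowed.append((entry["name"], entry["id"], winner["name"]))
    return shadowed


if __name__ == "__main__":
    entries = parse_exec_attr(EXEC_ATTR)
    for order in (["Media Backup", "All"], ["All", "Media Backup"]):
        print(order, "->", lookup(entries, order, "/usr/sbin/tar"),
              "shadowed:", shadowed_entries(entries, order))
```

With All listed first, every Media Backup entry is reported as shadowed and tar runs with no special attributes; with Media Backup alone, ordinary commands such as /usr/bin/ls are not permitted at all.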

syslog

Objective

. Explain syslog function fundamentals and configure and manage the /etc/syslog.conf file and syslog messaging.

A critical part of the system administrator’s job is monitoring the system. Solaris uses the syslog message facility to do this. syslogd is the daemon responsible for capturing system messages. The messages can be warnings, alerts, or simply informational messages. As the system administrator, you customize syslog to specify where and how system messages are to be saved.

The syslogd daemon receives messages from applications on the local host or from remote hosts and then directs messages to a specified log file. To each message that syslog captures, it adds a timestamp, the message type keyword at the beginning of the message, and a newline at the end of the message. For example, the following messages were logged in the /var/adm/messages file:

    July 15 23:06:39 sunfire ufs: [ID 845546 kern.notice] NOTICE: alloc: /var: \
    file system full
    Sep 1 04:57:06 docbert nfs: [ID 563706 kern.notice] NFS server saturn.east ok


syslog enables you to capture messages by facility (the part of the system that generated the message) and by level of importance. Facility is considered to be the service area generating the message or error (such as printing, email, or network), whereas the level can be considered the level of severity (such as notice, warning, error, or emergency). syslog also enables you to forward messages to another machine so that all your messages can be logged in one location.

The syslogd daemon reads and logs messages into a set of files described by the configuration file /etc/syslog.conf. When the syslogd daemon starts up, it preprocesses the /etc/syslog.conf file through the m4 macro processor to get the correct information for specific log files. syslogd does not read the /etc/syslog.conf file directly. syslogd starts m4, which parses the /etc/syslog.conf file for ifdef statements that can be interpreted by m4. The function ifdef is an integral part of m4 and identifies the system designated as LOGHOST. The macro then can evaluate whether log files are to be held locally or on a remote system, or a combination of both.

If m4 doesn’t recognize any m4 commands in the syslog.conf file, output is passed back to syslogd. syslogd then uses this output to route messages to appropriate destinations. When m4 encounters ifdef statements that it can process, the statement is evaluated for a true or false condition and the message is routed relative to the output of the test.


EXAM ALERT: /etc/syslog.conf and ifdef statements. Make sure you become familiar with the facilities and values listed in the tables in this section. An exam question might provide a sample file and ask where a specific type of message, such as a failed login, will be logged. Also watch out for the ifdef statements to see if the logging is being carried out on a remote system.

An entry in the /etc/syslog.conf file is composed of two fields:

    selector action

The selector field contains a semicolon-separated list of priority specifications of this form:

    facility.level [ ; facility.level ]

The action field indicates where to forward the message. Many defined facilities exist.

EXAM ALERT: Separate with tabs. The separator between the two fields must be a tab character. Spaces do not work and give unexpected results. This is a very common mistake.


The facilities are described in Table 4.7.

Table 4.7 Recognized Values for Facilities

Value Description

user Messages generated by user processes. This is the default priority for messages from programs or facilities not listed in this file.

kern Messages generated by the kernel.

mail The mail system.

daemon System daemons, such as in.ftpd.

auth The authorization system, such as login, su, getty, and others.

lpr lpr is the syslogd facility responsible for generating messages from the line printer spooling system (lpr and lpc).

news Reserved for the Usenet network news system.

uucp Reserved for the UUCP system. It does not currently use the syslog mechanism.

cron The cron/at facility, such as crontab, at, cron, and others.

audit The audit facility, such as auditd.

local0-7 Reserved for local use.

mark For timestamp messages produced internally by syslogd.

* Indicates all facilities except the mark facility.

Table 4.8 lists recognized values for the syslog level field. They are listed in descending order of severity.

Table 4.8 Recognized Values for level

Value Description

emerg Panic conditions that would normally be broadcast to all users.

alert Conditions that should be corrected immediately, such as a corrupted system database.

crit Warnings about critical conditions, such as hard device errors.

err Other errors.

warning Warning messages.

notice Conditions that are not error conditions but that might require special handling, such as a failed login attempt. A failed login attempt is considered a notice and not an error.

info Informational messages.

debug Messages that are normally used only when debugging a program.

none Does not send messages from the indicated facility to the selected file. For example, the entry *.debug;mail.none in /etc/syslog.conf sends all messages except mail messages to the selected file.


Values for the action field can have one of four forms:

. A filename, beginning with a leading slash. This indicates that messages specified by the selector are to be written to the specified file. The file is opened in append mode and must already exist. syslog does not create the file if it doesn’t already exist.

. The name of a remote host, prefixed with a @. An example is @server, which indicates that messages specified by the selector are to be forwarded to syslogd on the named host. The hostname loghost is the hostname given to the machine that will log syslogd messages. Every machine is its own loghost by default. This is specified in the local /etc/hosts file. It is also possible to specify one machine on a network to be loghost by making the appropriate host table entries. If the local machine is designated as loghost, syslogd messages are written to the appropriate files. Otherwise, they are sent to the machine loghost on the network.

. A comma-separated list of usernames, which indicates that messages specified by the selector are to be written to the named users if they are logged in.

. An asterisk, which indicates that messages specified by the selector are to be written to all logged-in users.

Blank lines are ignored. Lines in which the first nonwhitespace character is a # are treated as comments.

All of this becomes much clearer when you look at sample entries from an /etc/syslog.conf file:

    *.err	/dev/console
    *.err;daemon,auth.notice;mail.crit	/var/adm/messages
    mail.debug	/var/log/syslog
    *.alert	root
    *.emerg	*
    kern.err	@server
    *.alert;auth.warning	/var/log/auth

In this example, the first line prints all errors on the console.

The second line sends all errors, daemon and authentication system notices, and critical errors from the mail system to the file /var/adm/messages.


NOTE: Levels include all higher levels too. When you specify a syslog level, it means that the specified level and all higher levels. For example, if you specify the err level, this includes crit, alert, and emerg levels as well.


The third line sends mail system debug messages to /var/log/syslog.

The fourth line sends all alert messages to user root.

The fifth line sends all emergency messages to all users.

The sixth line forwards kernel messages of err (error) severity or higher to the machine named server.

The last line logs all alert messages and messages of warning level or higher from the authorization system to the file /var/log/auth.

The level none may be used to disable a facility. This is usually done in the context of eliminating messages. For example:

    *.debug;mail.none	/var/adm/messages

This selects debug messages and above from all facilities except those from mail. In other words, mail messages are disabled. The mail system, sendmail, logs a number of messages. The mail system can produce a large amount of information, so some system administrators disable mail messages or send them to another file that they clean out frequently. Before disabling mail messages, however, remember that sendmail messages come in very handy when you’re diagnosing mail problems or tracking mail forgeries.
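The exam-style question described earlier (given a sample file, where is a particular message logged?) can be answered mechanically. The following Python is an added example, not code from the book or from syslogd: it applies the rules of this section to the sample entries above, assuming that a later specification in a selector overrides an earlier one for the same facility (which is how *.debug;mail.none behaves) and that a line with no tab separator is rejected. It does not run m4, and all function names are hypothetical.

```python
# Levels from Table 4.8, most severe first: a lower index means a higher level.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facilities from Table 4.7.
FACILITIES = (["user", "kern", "mail", "daemon", "auth", "lpr", "news",
               "uucp", "cron", "audit", "mark"]
              + [f"local{n}" for n in range(8)])

# The sample entries from the text; selector and action are separated by a tab.
SAMPLE_CONF = (
    "*.err\t/dev/console\n"
    "*.err;daemon,auth.notice;mail.crit\t/var/adm/messages\n"
    "mail.debug\t/var/log/syslog\n"
    "*.alert\troot\n"
    "*.emerg\t*\n"
    "kern.err\t@server\n"
    "*.alert;auth.warning\t/var/log/auth\n"
)


def parse_selector(selector):
    """Map every facility named by the selector to its threshold level."""
    thresholds = {}
    for spec in selector.split(";"):
        facilities, dot, level = spec.strip().rpartition(".")
        if not dot or level not in LEVELS + ["none"]:
            raise ValueError(f"bad priority specification {spec!r}")
        for name in facilities.split(","):
            if name == "*":
                # The asterisk covers all facilities except mark.
                targets = [f for f in FACILITIES if f != "mark"]
            elif name in FACILITIES:
                targets = [name]
            else:
                raise ValueError(f"unknown facility {name!r}")
            for target in targets:
                thresholds[target] = level  # a later specification overrides
    return thresholds


def parse_conf(text):
    """Return (entries, problems); each entry is (thresholds, action)."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        if "\t" not in line:
            problems.append((lineno, "no tab between selector and action"))
            continue
        selector, action = line.split("\t", 1)
        try:
            entries.append((parse_selector(selector), action.strip()))
        except ValueError as exc:
            problems.append((lineno, str(exc)))
    return entries, problems


def route(entries, facility, level):
    """List the actions that receive a message of the given facility.level."""
    severity = LEVELS.index(level)
    actions = []
    for thresholds, action in entries:
        wanted = thresholds.get(facility)
        if wanted is None or wanted == "none":
            continue
        if severity <= LEVELS.index(wanted):  # the level itself or any higher one
            actions.append(action)
    return actions


if __name__ == "__main__":
    conf, errors = parse_conf(SAMPLE_CONF)
    print("problems:", errors)
    # A failed login attempt is logged as auth.notice.
    print("auth.notice ->", route(conf, "auth", "notice"))
    print("kern.err    ->", route(conf, "kern", "err"))
```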

As of Solaris 10, the mechanism for stopping, starting, and refreshing syslogd has changed. The syslog function is now under the control of the Service Management Facility (SMF), which is described in detail in the book Solaris 10 System Administration Exam Prep: CX-310-200, Part I.

To stop or start syslogd, use the svcadm command with the appropriate parameter, enable or disable:

    # svcadm enable -t system-log<cr>
    # svcadm disable -t system-log<cr>

The syslog facility reads its configuration information from /etc/syslog.conf whenever it receives a refresh command from the service administration command, svcadm, and when the system is booted. You can make your changes to /etc/syslog.conf and then run the following command to cause the file to be reread by the syslogd daemon:

    # svcadm refresh system-log<cr>

EXAM ALERT: No more kill -HUP. Make sure you remember that the kill -HUP facility should no longer be used to try to cause a daemon process to re-read its configuration file, even though it still works. The svcadm refresh command is now the recommended way of achieving this.


The first message in the log file is logged by the syslog daemon itself to show when the process was started.

syslog logs are automatically rotated on a regular basis. In previous Solaris releases, this was achieved by the program newsyslog. A new method of log rotation was introduced with Solaris 9: logadm, a program normally run as a root-owned cron job. A configuration file /etc/logadm.conf is now used to manage log rotation and allows a number of criteria to be specified. See the logadm and logadm.conf manual pages for further details.

Using the logger Command

The logger command provides the means of manually adding one-line entries to the system logs from the command line. This is especially useful in shell scripts.

The syntax for the logger command is as follows:

    logger [-i] [-f file] [-p priority] [-t tag] [message] ...

Options to the logger command are described in Table 4.9.

Table 4.9 logger Options

Option Description

-i Logs the Process ID (PID) of the logger process with each line written to a log file.

-f <file> Use the contents of file as the message to be logged.

-p <priority> The message priority. This can be defined as a numeric value or as a facility.level pair, as described in Tables 4.7 and 4.8. The default priority is user.notice.

-t <tag> Marks each line with the specified tag.

message One or more string arguments, separated by a single space character comprising the text of the message to be logged.

For example, perhaps you have a simple shell script that backs up files:

    #!/bin/ksh
    tar cvf /tmp/backup .
    logger -p user.alert "Backups Completed"

The last line of the script uses the logger command to send a “Backups Completed” message to the default system log (/var/adm/messages). After running the script, I see the following message appended to the log file:

    Jan 23 14:02:52 sunfire root: [ID 702911 user.alert] Backups Completed


Summary

In this chapter you learned about Role-Based Access Control (RBAC), which allows the system administrator to delegate administrative responsibilities to users without having to divulge the root password. A number of profiles allow privileges to be grouped together so that a user can easily be granted a restricted set of additional privileges. Four main RBAC databases interact with each other to provide users with access to privileged operations:

. /etc/security/auth_attr: Defines authorizations and their attributes and identifies the associated help file.

. /etc/security/exec_attr: Defines the privileged operations assigned to a profile.

. /etc/security/prof_attr: Defines the profiles, lists the profile’s assigned authorizations, and identifies the associated help file.

. /etc/user_attr: Associates users and roles with authorizations and execution profiles.

Also in this chapter, you learned about the system logging facility (syslog) and the configuration that facilitates routing of system messages according to specific criteria, as well as determining where the messages are logged. The logger command was covered, which allows the system administrator to enter ad-hoc messages into the system log files.

Key Terms

. Authorization

. Execution profile

. logger

. RBAC

. RBAC databases (know about all four)

. Rights profile

. Role

. syslog

. svcadm command


Apply Your Knowledge

Exercise 4.1 Creating a User and a Role

In this exercise, you’ll create a new role named admin1 and a profile called Shutdown. The Shutdown profile will be added to the role. A user account trng1 will be created and have the admin1 role assigned to it. The user will then assume the role and execute a privileged command to shut down the system.

Estimated time: 20 minutes

To create a user and a role, follow these steps:

1. Create the role named admin1:

    # roleadd -u 2000 -g 10 -d /export/home/admin1 -m admin1<cr>
    # passwd admin1<cr>

You are prompted to enter the password twice.

2. Create a profile to allow the user to shut down a system.

Edit the /etc/security/prof_attr file and enter the following line:

    Shutdown:::Permit system shutdown:

Save and exit the file.

3. Add the Shutdown and All profiles to the role:

    # rolemod -P Shutdown,All admin1<cr>

4. Verify that the changes have been made to the user_attr database:

    # more /etc/user_attr<cr>

5. Create the user account and assign it access to the admin1 role:

    # useradd -u 3000 -g 10 -d /export/home/trng1 -m -s /bin/ksh -R admin1 trng1<cr>

6. Assign a password to the new user account:

    # passwd trng1<cr>

You are prompted to enter the password twice.

7. Verify that the entry has been made to the passwd, shadow, and user_attr files:

    # more /etc/passwd<cr>
    # more /etc/shadow<cr>
    # more /etc/user_attr<cr>


8. Assign commands to the Shutdown profile:

Edit the /etc/security/exec_attr file and add the following line:

    Shutdown:suser:cmd:::/usr/sbin/shutdown:uid=0

Save and exit the file.

9. Test the new role and user account as follows:

a. Log in as trng1.

b. List the roles that are granted to you by typing the following:

    $ roles<cr>

c. Use the su command to assume the role admin1:

    $ su admin1<cr>

You are prompted to enter the password for the role.

d. List the profiles that are granted to you by typing the following:

    $ profiles<cr>

e. Shut down the system:

    $ /usr/sbin/shutdown -i 0 -g 0<cr>

Exam Questions

1. Which of the following commands is used to create a role?

❍ A. useradd

❍ B. makerole

❍ C. roleadd

❍ D. addrole

2. In Role-Based Access Control, which file contains details of the user attributes?

❍ A. /etc/security/prof_attr

❍ B. /etc/user_attr

❍ C. /etc/security/user_attr

❍ D. /etc/shadow


3. Which two statements about the roleadd command are true? (Choose two.)

❍ A. roleadd looks similar to the useradd command.

❍ B. roleadd uses the profile shell (pfsh) as the default shell.

❍ C. The -A option associates an account with a profile.

❍ D. An account created with roleadd is the same as a normal login account.

4. Which component of RBAC associates users and roles with authorizations and profiles?

❍ A. user_attr

❍ B. prof_attr

❍ C. auth_attr

❍ D. exec_attr

5. Which component of RBAC defines the privileged operations assigned to a profile?

❍ A. user_attr

❍ B. prof_attr

❍ C. auth_attr

❍ D. exec_attr

6. In the execution attributes database, which of the following is not a valid value for the attr field?

❍ A. euid

❍ B. uid

❍ C. egid

❍ D. suid

7. After creating an RBAC role, you find that the only commands that can be executed within the role are the privileged commands that you have set up. Ordinary nonprivileged commands are not available. The RBAC setup has a problem. What is the cause of this problem?

❍ A. The role is not associated with a correct profile.

❍ B. The access mechanism to the role is not initializing properly.

❍ C. The role’s profile is not associated with the correct commands.

❍ D. The file identifying the privileged commands has missing entries.

❍ E. The role’s profile is not associated with the correct authorizations.


8. Which of the following are valid RBAC databases? (Choose three.)

❍ A. /etc/usr_attr

❍ B. /etc/user_attr

❍ C. /etc/security/exec_attr

❍ D. /etc/security/prof_attr

9. You want to enable a user to administer all user cron tables. This includes amending entries in any user’s crontab. Given due care to system security, what should you do to enable the user to carry out this duty?

❍ A. Give the user the root password.

❍ B. Set the suid on the crontab command.

❍ C. Use RBAC to authorize the user to administer cron tables.

❍ D. Use RBAC to give the user an ID of root when executing the crontab command.

❍ E. Use the ACL mechanism to give the user RW access to each crontab table.

10. Which command(s) grant a user access to a role account? (Choose two.)

❍ A. roleadd

❍ B. rolemod

❍ C. useradd

❍ D. usermod

11. Which option to the rolemod command appends an authorization to an existing list of authorizations?

❍ A. -A

❍ B. -P

❍ C. -a

❍ D. -o

❍ E. None

12. In which files are profiles defined? Choose all that apply. (Choose two.)

❍ A. /etc/security/prof_attr

❍ B. /etc/user_attr

❍ C. /etc/security/exec_attr

❍ D. /etc/security/auth_attr


13. Which statements are true regarding the following line? (Choose all that apply.)

Media Restore:suser:cmd:::/usr/lib/fs/ufs/ufsrestore:euid=0

❍ A. It represents a profile in the exec_attr database.

❍ B. Any role that has Media Restore as a profile can execute the ufsrestore command with an effective UID of root.

❍ C. It represents a profile in the prof_attr database.

❍ D. It represents a role definition in the user_attr database.

14. In RBAC, which of the following is a bundling mechanism for grouping authorizations and commands with special attributes?

❍ A. Profile

❍ B. Role

❍ C. Authorization

❍ D. Group

Answers to Exam Questions

1. C. Use the roleadd command to create a role account. For more information, see the “Using RBAC” section.

2. B. /etc/user_attr contains details of the extended user attributes. For more information, see the “RBAC Components” section.

3. A, B. The roleadd command looks very similar to the useradd command, but it uses the profile shell as the default shell. For more information, see the “Using RBAC” section.

4. A. user_attr (extended user attributes database) associates users and roles with authorizations and profiles. For more information, see the “RBAC Components” section.

5. D. exec_attr (profile attributes database) defines the privileged operations assigned to a profile. For more information, see the “RBAC Components” section.

6. D. Six valid keys exist: euid, uid, egid, gid, privs, and limitprivs. For more information, see the “RBAC Components” section.

7. A. If a role is not associated with a correct profile, the only commands that can be executed within the role are the privileged commands that you have set up. Ordinary nonprivileged commands are unavailable. For more information, see the “RBAC Components” section.


8. B, C, D. The three valid RBAC databases are /etc/user_attr, /etc/security/exec_attr, and /etc/security/prof_attr. For more information, see the “RBAC Components” section.

9. C. To enable a user to administer all user cron tables, configure RBAC to authorize the user to administer cron tables. For more information, see the “Using RBAC” section.

10. C, D. Use the roleadd command to create a role account. Then, with the usermod command, assign the role to an existing user account using the -R option. If you are creating a new user account, use the useradd command with the -R option to assign the role to the new user account. For more information, see the “Using RBAC” section.

11. E. The rolemod command does not add to the existing authorizations; it replaces any existing authorization setting. For more information, see the “Using RBAC” section.

12. A, C. /etc/security/prof_attr (rights profile attributes database) defines profiles, lists the profile’s assigned authorizations, and identifies the associated help file. /etc/security/exec_attr (profile attributes database) defines the privileged operations assigned to a profile. For more information, see the “RBAC Components” section.

13. A, B. The following entry in the exec_attr database represents a profile named Media Restore:

    Media Restore:suser:cmd:::/usr/lib/fs/ufs/ufsrestore:euid=0

Any role that has Media Restore as a profile can execute the ufsrestore command with an effective UID of root. For more information, see the “RBAC Components” section.

14. A. Execution profiles are bundling mechanisms for grouping authorizations and commands with special attributes. For more information, see the “RBAC Components” section.

Suggested Reading and Resources

Solaris 10 Documentation CD: “Security Services” and “System Administration Guide: Advanced Administration” manuals.

http://docs.sun.com. Solaris 10 documentation set: “Security Services” and “System Administration Guide: Advanced Administration” books in the System Administration collection.


5 FIVE

Naming Services

Objectives

The following test objectives for exam CX-310-202 are covered in this chapter:

Explain naming services (DNS, NIS, NIS+, and LDAP) and the naming service switch file (database sources, status codes, and actions).

. The name services in Solaris help to centralize the shared information on your network. This chapter describes the name services available in Solaris 10 so that you can identify the appropriate name service to use for your network. The name service switch file /etc/nsswitch.conf is used to direct requests to the correct name service in use on the system or network. This chapter describes how to select and configure the correct file for use with the available naming services.

Configure, stop and start the Name Service Cache Daemon (nscd) and retrieve naming service information using the getent command.

. This chapter describes the use of the Name Service Cache Daemon (nscd), which speeds up queries of the most common data and the getent command to retrieve naming service information from specified databases.

Configure naming service clients during install, configure the DNS client, and set up the LDAP client (client authentication, client profiles, proxy accounts, and LDAP configurations) after installation.

. This chapter describes how to configure a DNS client and an LDAP client. It assumes, however, that a DNS server and an LDAP server have already been configured elsewhere.

Explain NIS and NIS security including NIS namespace information, domains, processes, securenets, and password.adjunct.

. The NIS name service is covered along with what a domain is and which processes run to manage the domain from a master server, slave server, and client perspective. This chapter also discusses NIS security.

Configure the NIS domain: Build and update NIS maps, manage the NIS master and slave server, configure the NIS client, and troubleshoot NIS for server and client failure messages.


. This chapter describes how to configure and manage an NIS domain, including setting up an NIS master server, an NIS slave server, and an NIS client. NIS provides a number of default maps, which also are examined, along with the failure messages that can be encountered both on a server and a client.

Outline

Introduction

Name Services Overview

The Name Service Switch File

/etc Files

NIS

The Structure of the NIS Network

Determining How Many NIS Servers You Need

Determining Which Hosts Will Be NIS Servers

Information Managed by NIS

Planning Your NIS Domain

Configuring an NIS Master Server

Creating the Master passwd File

Creating the Master Group File

Creating the Master hosts File

Creating Other Master Files

Preparing the Makefile

Setting Up the Master Server with ypinit

Starting and Stopping NIS on the Master Server

Setting Up NIS Clients

Setting Up NIS Slave Servers

Creating Custom NIS Maps

NIS Security

The passwd.adjunct Map

The securenets File

Troubleshooting NIS

Binding Problems

Server Problems

NIS+

Hierarchical Namespace

NIS+ Security

Authentication

Authorization

DNS

Configuring the DNS Client

Lightweight Directory Access Protocol (LDAP)

Sun Java System Directory Server

Setting Up the LDAP Client

Modifying the LDAP Client

Listing the LDAP Client Properties

Uninitializing the LDAP Client

Name Service Cache Daemon (nscd)

The getent Command

Summary

Key Terms

Apply Your Knowledge

Exercises

Exam Questions

Answers to Exam Questions

Suggested Reading and Resources


Study Strategies

The following strategies will help you prepare for the test:

. As you study this chapter, be prepared to state the purpose of a name service and the type of information it manages. You’ll need at least two networked Solaris systems to practice the examples and step-by-step exercises. We highly recommend that you practice the tasks until you can perform them from memory.

. NIS is covered in depth as the main naming service, although you have to know how to configure LDAP and DNS clients. See if you can make use of an existing LDAP or DNS server to practice client commands. The exam focuses mainly on NIS with only a few questions on the other name services. Be sure that you understand how to configure NIS master servers, slave servers, and clients. You’ll need to understand entries in the NIS name service switch file.

. Be prepared to describe the characteristics of each naming service, compare their functionality, and identify the correct name service switch file associated with a naming service.

. Finally, study the terms provided near the end of this chapter in the “Key Terms” section. Also, be sure you can describe each command we’ve covered in this chapter, specifically the ones we’ve used as examples. On the exam you will be asked to match a command or term with the appropriate description.


Chapter 5: Naming Services

Introduction

This chapter concentrates mainly on how to configure and administer the servers and clients in an NIS (Network Information Service) domain. NIS is a huge topic that could potentially span several volumes. The purpose of this chapter is to prepare you for questions regarding NIS that might appear on the exam. We also want to provide an overview of NIS, complete enough so that you are equipped to set up a basic NIS network and understand its use. A brief overview of NIS+, originally designed as a replacement for NIS, is included in this chapter, but you should note that Sun does not intend to support this name service in future releases of the Solaris operating environment. It is included here for background information and comprehensiveness, as it is not specifically tested in the exam other than to explain what it is.

DNS and LDAP are also introduced in this chapter (LDAP is expected to replace NIS and NIS+ in the future). This chapter shows how to set up a client using the LDAP and DNS Naming Services.

Name Services Overview

Name services store information in a central location that users, systems, and applications must be able to access to communicate across the network. Information is stored in files, maps, or database tables. Without a central name service, each system would have to maintain its own copy of this information. Therefore, centrally locating this data makes it easier to administer large networks.

NOTE
DNS exception: The DNS name service can be thought of as an exception when considering its global nature because information is stored in hierarchical root servers and in many other servers around the world. The examples provided in this book relate to local area networks, where a DNS server would contain host information relating to the local environment, and is therefore centrally located. The exception applies when the DNS server is connected to the Internet and is part of the global DNS namespace.


The information handled by a name service includes, but is not limited to, the following:

. System (host) names and addresses

. User names

. Passwords

. Groups

. Automounter configuration files (auto.master, auto.home)

. Access permissions and RBAC database files

The Solaris 10 release provides the name services listed in Table 5.1.

Table 5.1 Solaris 10 Name Services

Name Service    Description
/etc files      The original UNIX naming system
NIS             The Network Information Service
NIS+            The Network Information Service Plus (NIS+ is being dropped from future Solaris releases; NIS+ users are recommended to migrate to LDAP)
DNS             The Domain Name System
LDAP            Lightweight Directory Access Protocol

A name service enables centralized management of host files so that systems can be identified by common names instead of by numeric addresses. This simplifies communication because users do not have to remember to enter cumbersome numeric addresses such as 129.44.3.1.

Addresses are not the only network information that systems need to store. They also need to store security information, email addresses, information about their Ethernet interfaces, network services, groups of users allowed to use the network, services offered on the network, and so on. As networks offer more services, the list grows. As a result, each system might need to keep an entire set of files similar to /etc/hosts.

As this information changes, without a name service, administrators must keep it current on every system in the network. In a small network, this is simply tedious, but on a medium or large network, the job becomes not only time-consuming but also nearly unmanageable.

A name service solves this problem. It stores network information on servers and provides the information to clients that ask for it.


The Name Service Switch File

The name service switch file controls how a client machine (or application) obtains network information. The name service switch file coordinates the usage of the different naming services and has the following roles:

. It contains the information that the client system needs to locate user authorizations and profiles.

. It determines which sources will be used to resolve names of other hosts on the network. This can be a single source or multiple sources. All sources are searched until the information is found.

. It is used to determine how user logins and passwords are resolved at login.

The name service switch is often simply referred to as “the switch.” The switch determines which naming services an application uses to obtain naming information, and in what order. It is a file called nsswitch.conf, which is stored in each system’s /etc directory. Also, in every system’s /etc directory, you’ll find templates that can be used as the nsswitch.conf file, as described in Table 5.2. Whatever name service you choose, select the appropriate name service switch template, copy it to nsswitch.conf, and customize it as required.

Table 5.2 Name Service Switch File Templates

Name                Description
nsswitch.files      Use this template when local files in the /etc directory are to be used and no name service exists.
nsswitch.nis        Uses the NIS database as the primary source of all information except the passwd, group, automount, auth_attr, prof_attr, project, services, and aliases maps. These are directed to use the local /etc files first and then the NIS databases. The printers map searches local user files first, and then /etc files, and the NIS database last.
nsswitch.nisplus    Uses the NIS+ database as the primary source of all information except the passwd, group, automount, auth_attr, prof_attr, project, and aliases tables. These are directed to use the local /etc files first and then the NIS+ databases. The printers map searches local user files first, and then the NIS+ database, and the /etc local files last.
nsswitch.dns        Sets up the name service to search the local /etc files for all entries. If, for example, a host entry is not located in the /etc/hosts file, the hosts entry is directed to use DNS for lookup.
nsswitch.ldap       Uses LDAP as the primary source of all information except the passwd, group, automount, auth_attr, prof_attr, project, and aliases tables. These are directed to use the local /etc files first and then the LDAP databases. The search sequence for the tnrhtp and tnrhdb databases is local /etc files first and the LDAP databases last.

When you install Solaris 10, the correct template file is copied to /etc/nsswitch.conf. This template file contains the default switch configurations used by the chosen naming service. If, during software installation, you select “none” as the default name service, the local /etc files are used. In this case, /etc/nsswitch.conf is created from nsswitch.files, which looks like this:

# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

passwd: files
group: files
hosts: files
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: files
automount: files
aliases: files
services: files
sendmailvars: files
printers: user files
auth_attr: files
prof_attr: files
project: files

If you decide to use a different name service after software installation, you can move the correct switch file into place manually. For example, if you start using NIS, copy /etc/nsswitch.nis as follows:

# cp /etc/nsswitch.nis /etc/nsswitch.conf<cr>

The default /etc/nsswitch.nis file looks like this:

# /etc/nsswitch.nis:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses NIS (YP) in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# NIS service requires that svc:/network/nis/client:default be enabled
# and online.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files nis
group: files nis

# consult /etc "files" only if nis is down.
hosts: nis [NOTFOUND=return] files

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes: nis [NOTFOUND=return] files

networks: nis [NOTFOUND=return] files
protocols: nis [NOTFOUND=return] files
rpc: nis [NOTFOUND=return] files
ethers: nis [NOTFOUND=return] files
netmasks: nis [NOTFOUND=return] files
bootparams: nis [NOTFOUND=return] files
publickey: nis [NOTFOUND=return] files

netgroup: nis

automount: files nis
aliases: files nis

# for efficient getservbyname() avoid nis
services: files nis
printers: user files nis

auth_attr: files nis
prof_attr: files nis
project: files nis

Each line of the /etc/nsswitch.nis file identifies a particular type of network information, such as host, password, and group, followed by one or more sources, such as NIS maps, the DNS hosts table, or the local /etc files. The source is where the client looks for the network information. For example, the system should first look for the passwd information in the /etc/passwd file. Then, if it does not find the login name there, it needs to query the NIS server.

The name service switch file lists many types of network information, called databases, with their name service sources for resolution, and the order in which the sources are to be searched. Table 5.3 lists valid sources that can be specified in this file.

Table 5.3 Name Service Sources

Source     Description
files      Refers to the client’s local /etc files.
nisplus    Refers to an NIS+ table.
nis        Refers to an NIS table.
user       Refers to the ${HOME}/.printers file.
dns        Applies only to the hosts entry.
ldap       Refers to the LDAP directory.
compat     Supports an old-style + syntax that used to be used in the passwd and group information.

As shown in the previous nsswitch.nis template file, the name service switch file can contain action values for several of the entries. When the naming service searches a specified source, such as local files or NIS, the source returns a status code. These status codes are described in Table 5.4.

Table 5.4 Name Service Source Status Codes

Status Code    Description
SUCCESS        The requested entry was found.
UNAVAIL        The source was unavailable.
NOTFOUND       The source contains no such entry.
TRYAGAIN       The source returned an “I am busy, try later” message.


For each status code, two actions are possible:

. Continue: Try the next source.

. Return: Stop looking for an entry.

The default actions are as follows:

SUCCESS = return

UNAVAIL = continue

NOTFOUND = continue

TRYAGAIN = continue

Normally, a success indicates that the search is over and an unsuccessful result indicates that the next source should be queried. But sometimes you want to stop searching when an unsuccessful search result is returned. For example, the following entry in the nsswitch.nis template states that only the NIS hosts table in the NIS map is searched:

hosts: nis [NOTFOUND=return] files

If the NIS map has no entry for the host lookup, the system would not reference the local /etc/hosts file. Remove the [NOTFOUND=return] entry if you want to search the NIS hosts table and the local /etc/hosts file.

NOTE
NOTFOUND=return: The next source in the list is searched only if NIS is down or has been disabled.
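The status codes and actions described above can be traced with a small Python model, added here as an illustration (it is not code from the book or from Solaris). The function names, the dictionary-backed sources and the host data are assumptions constructed for the example; TRYAGAIN is accepted by the parser but never produced by the simulated sources.

```python
"""Model of how the switch walks the sources on one nsswitch.conf line."""
import re

# Default action for each status code, as listed in the text.
DEFAULT_ACTIONS = {
    "SUCCESS": "return",
    "UNAVAIL": "continue",
    "NOTFOUND": "continue",
    "TRYAGAIN": "continue",
}


def parse_switch_line(line):
    """Parse 'hosts: nis [NOTFOUND=return] files' into
    ('hosts', [('nis', actions), ('files', actions)])."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None                      # blank line or comment
    if ":" not in line:
        raise ValueError("missing database name: " + line)
    database, _, rest = line.partition(":")
    sources = []
    for token in re.findall(r"\[[^\]]*\]|\S+", rest):
        if not token.startswith("["):
            sources.append((token, dict(DEFAULT_ACTIONS)))
            continue
        if not sources:
            raise ValueError("criteria with no preceding source: " + token)
        # A bracketed list overrides the defaults of the source before it.
        for criterion in token[1:-1].split():
            status, _, action = criterion.partition("=")
            status, action = status.upper(), action.lower()
            if status not in DEFAULT_ACTIONS or action not in ("return", "continue"):
                raise ValueError("unrecognized criterion: " + criterion)
            sources[-1][1][status] = action
    return database.strip(), sources


def lookup(sources, key, backends):
    """Walk the sources in order and return (value, trace).

    backends maps a source name to a dict, or to None when the source is
    down or disabled; a source name missing from backends is also UNAVAIL.
    """
    trace = []
    for name, actions in sources:
        table = backends.get(name)
        if table is None:
            status, value = "UNAVAIL", None
        elif key in table:
            status, value = "SUCCESS", table[key]
        else:
            status, value = "NOTFOUND", None
        trace.append((name, status, actions[status]))
        if actions[status] == "return":
            return value, trace
    return None, trace


# Constructed sample data: labbox exists only in the local /etc/hosts.
NIS_HOSTS = {"sunfire": "192.168.1.10"}
LOCAL_HOSTS = {"sunfire": "192.168.1.10", "labbox": "192.168.1.77"}


def resolve(line, key, nis_up=True):
    """Resolve key through one switch line against the sample sources."""
    _, sources = parse_switch_line(line)
    backends = {"nis": NIS_HOSTS if nis_up else None, "files": LOCAL_HOSTS}
    return lookup(sources, key, backends)


if __name__ == "__main__":
    template = "hosts: nis [NOTFOUND=return] files"
    for line, up in [(template, True), (template, False), ("hosts: nis files", True)]:
        value, trace = resolve(line, "labbox", up)
        print(f"{line!r} nis_up={up}: {value} via {trace}")
```

With the template entry, a host that exists only in the local file resolves only while NIS is unavailable, which is the behavior the note describes.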

/etc Files

/etc files are the traditional UNIX way of maintaining information about hosts, users, passwords, groups, and automount maps, to name just a few. These files are text files located on each individual system that can be edited using the vi editor or the text editor within CDE.

Each file needs to be individually maintained and on a large network, this can be a difficult task. As IP addresses change, and users’ accounts are added and deleted, it can become difficult to maintain all these files and keep them in sync between each system. On a large changing network, the traditional approach to maintaining this information had to change; therefore, the following name services were introduced.


NIS

NIS, formerly called the Yellow Pages (YP), is a distributed database system that lets the system administrator administer the configuration of many hosts from a central location. Common configuration information, which would have to be maintained separately on each host in a network without NIS, can be stored and maintained in a central location and then propagated to all the nodes in the network. NIS stores information about workstation names and addresses, users, the network itself, and network services. This collection of network information is referred to as the NIS namespace.

NOTE
YP to NIS: As stated, NIS was formerly known as Sun Yellow Pages (YP). The functionality of the two remains the same; only the name has changed.

Before beginning the discussion of the structure of NIS, you need to be aware that the NIS administration databases are called maps. An NIS domain is a collection of systems that share a common set of NIS maps.

The Structure of the NIS Network

The systems within an NIS network are configured in the following ways:

. Master server

. Slave servers

. Clients of NIS servers

The center of the NIS network is the NIS master server. The system designated as master server contains the set of maps that you, the NIS administrator, create and update as necessary. After the NIS network is set up, any changes to the maps must be made on the master server. Each NIS domain must have one, and only one, master server. The master server should be a system that can handle the additional load of propagating NIS updates with minimal performance degradation.


In addition to the master server, you can create backup servers, called NIS slave servers, to take some of the load off the master server and to substitute for the master server if it goes down. If you create an NIS slave server, the maps on the master server are copied to the slave server. A slave server has a complete copy of the master set of NIS maps. If a change is made to a map on the master server, the updates are propagated among the slave servers. The existence of slave servers lets the system administrator evenly distribute the load that results from answering NIS requests. It also minimizes the impact of a server becoming unavailable.

Typically, all the hosts in the network, including the master and slave servers, are NIS clients. If a process on an NIS client requests configuration information, it calls NIS instead of looking in its local configuration files. For group and password information and mail aliases, the /etc files might be consulted first, and then NIS might be consulted if the requested information is not found in the /etc files. Doing this, for example, allows each physical system to have a separate root account password.

Any system can be an NIS client, but only systems with disks should be NIS servers, whether master or slave. Servers are also clients of themselves.

As mentioned earlier, the set of maps shared by the servers and clients is called the NIS domain. The master copies of the maps are located on the NIS master server, in the directory /var/yp/<domainname>, in which <domainname> is the chosen name for your own domain. Under the <domainname> directory, each map is stored as two files: <mapname>.dir and <mapname>.pag. Each slave server has an identical directory containing the same set of maps.

When a client starts up, it broadcasts a request for a server that serves its domain. Any server that has the set of maps for the client’s domain, whether it’s a master or a slave server, can answer the request. The client “binds” to the first server that answers its request, and that server then answers all its NIS queries.

Normally, an NIS master server supports only one NIS domain, but it can be configured to support multiple domains. However, a master server for one domain might be a slave server for another domain. A host can be a slave server for multiple domains. A client, however, belongs to only one domain.

Determining How Many NIS Servers You Need

The following guidelines can be used to determine how many NIS servers you need in your domain:

. You should put at least one server on each subnet in your domain, depending on the total number of clients. When a client starts up, it broadcasts a message to find the nearest server. Solaris 10 does not require the server to be on the same subnet, but it is faster and more resilient to do so.


. In general, the number of NIS clients a server can handle is limited by the physical hardware specification and current load of the server. A fast, lightly loaded server can easily support hundreds of NIS clients, while a slower, heavily loaded database server, for example, would struggle to support 50 clients. You might even see situations where the master and slave servers are running in Solaris zones sharing the hardware with other virtual servers, but this is a topic for another time.

Determining Which Hosts Will Be NIS Servers

Determine which systems on your network will be NIS servers as follows:

. Choose servers that are reliable and highly available.

. Choose fast servers that are not used for CPU-intensive applications. Do not use gateways or terminal servers as NIS servers.

. Although it isn’t a requirement, it’s a good idea to distribute servers appropriately among client networks. In other words, each subnet should have enough servers to accommodate the clients on that subnet.

Information Managed by NIS

As discussed, NIS stores information in a set of files called maps. Maps were designed to replace UNIX /etc files, as well as other configuration files.

NIS maps are two-column tables. One column is the key, and the other column is the information value related to the key. NIS finds information for a client by searching through the keys. Some information is stored in several maps because each map uses a different key. For example, the names and addresses of systems are stored in two maps: hosts.byname and hosts.byaddr. If a server has a system’s name and needs to find its address, it looks in the hosts.byname map. If it has the address and needs to find the name, it looks in the hosts.byaddr map.

Maps for a domain are located in each server’s /var/yp/<domainname> directory. For example, the maps that belong to the domain pyramid.com are located in each server’s /var/yp/pyramid.com directory.
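The key/value layout described above, with the same host data stored once per key, is modeled below in Python as an added example (it is not the book's code and does not reproduce the ndbm files that makedbm writes). The sample hosts text, the function names and the rule that the first entry wins on a duplicate key are assumptions made for the example.

```python
"""Simplified model of the hosts.byname / hosts.byaddr pair of NIS maps."""

# Constructed sample input in /etc/hosts format.
HOSTS_TEXT = """\
# address       name      aliases
127.0.0.1       localhost
192.168.1.10    sunfire   sunfire.pdesigninc.com   # NIS master
192.168.1.11    ultra5    printhost
192.168.1.12    ultra5                             # duplicate name
"""


def build_host_maps(text):
    """Return (byname, byaddr, conflicts).

    Each map is a two-column table held as a dict: key -> full host entry.
    conflicts lists every key that appeared more than once; the first entry
    is kept (a choice made for this example).
    """
    byname, byaddr, conflicts = {}, {}, []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                     # blank, comment, or address with no name
        address, names = fields[0], fields[1:]
        entry = " ".join(fields)
        if address in byaddr:
            conflicts.append(("hosts.byaddr", address))
        else:
            byaddr[address] = entry
        for name in names:               # the official name and every alias is a key
            if name in byname:
                conflicts.append(("hosts.byname", name))
            else:
                byname[name] = entry
    return byname, byaddr, conflicts


def match(key, table):
    """Look up one key in one map, as a client query would; None if absent."""
    return table.get(key)


if __name__ == "__main__":
    byname, byaddr, conflicts = build_host_maps(HOSTS_TEXT)
    print("name -> entry:", match("sunfire", byname))
    print("addr -> entry:", match("192.168.1.10", byaddr))
    print("addr in byname:", match("192.168.1.10", byname))   # wrong map for this key
    print("duplicate keys to fix before building maps:", conflicts)
```

Checking the input file for duplicate keys before the maps are rebuilt avoids clients receiving an entry other than the one the administrator intended.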


Creating NIS maps is described in more detail later in this chapter in the “Configuring an NIS Master Server” section.

Solaris provides a default set of NIS maps. They are described in Table 5.5, including the corresponding file that is used to create each of them. You might want to use all or only some of these maps. NIS can also use whatever maps you create or add, if you install other software products.

Table 5.5 Default NIS Maps

Map Name               Admin File                   Description
ageing.byname          /etc/shadow                  Contains password aging information.
audit_user             /etc/security/audit_user     Contains per user auditing preselection data.
auth_attr              /etc/security/auth_attr      Contains the authorization description database, part of RBAC.
auto.home              /etc/auto_home               Automounter file for home directories.
auto.master            /etc/auto_master             Master automounter map.
bootparams             /etc/bootparams              Contains the pathnames that clients need during startup: root, swap, and possibly others.
ethers.byaddr          /etc/ethers                  Contains system names and Ethernet addresses. The Ethernet address is the key in the map.
ethers.byname          /etc/ethers                  Contains system names and Ethernet addresses. The system name is the key.

NOTE
Generate maps on the master server only: Always make the maps on the master server and never on a slave server. If you run make on a slave server, the maps are generated from data in the slave server’s local files and are inconsistent with the rest of the domain. Additionally, NIS clients that are bound to the slave server will query inconsistent data and receive unexpected results.

An NIS Makefile is stored in the /var/yp directory of the NIS server at installation time. If you run the /usr/ccs/bin/make command in that directory, makedbm creates or modifies the default NIS maps from the input files. For example, an input file might be /etc/hosts. Issue the following command to create the NIS map files:

# cd /var/yp<cr>
# /usr/ccs/bin/make<cr>


Table 5.5 Default NIS Maps (continued)

Map Name               Admin File                   Description
exec_attr              /etc/security/exec_attr      Contains execution profiles, part of RBAC.
group.adjunct.byname   /etc/group                   C2 security option for group files that use passwords.
group.bygid            /etc/group                   Contains group security information. The GID (group ID) is the key.
group.byname           /etc/group                   Contains group security information. The group name is the key.
hosts.byaddr           /etc/hosts                   Contains the system name and IP address. The IP address is the key.
hosts.byname           /etc/hosts                   Contains the system name and IP address. The system (host) name is the key.
ipnodes.byaddr         /etc/inet/ipnodes            Contains the system name and IP address. The IP address is the key.
ipnodes.byname         /etc/inet/ipnodes            Contains the system name and IP address. The system (host) name is the key.
mail.aliases           /etc/mail/aliases            Contains aliases and mail addresses. The alias is the key.
mail.byaddr            /etc/mail/aliases            Contains mail addresses and aliases. The mail address is the key.
netgroup               /etc/netgroup                Contains the group name, username, and system name. The group name is the key.
netgroup.byhost        /etc/netgroup                Contains the group name, username, and system name. The system name is the key.
netgroup.byuser        /etc/netgroup                Contains the group name, username, and system name. The username is the key.
netid.byname           /etc/passwd                  Used for UNIX-style hosts and group authentication. It contains the system name and mail address (including domain name). If a netid file is available, it is consulted in addition to the data available through the other files.
netmasks.byaddr        /etc/netmasks                Contains the network masks to be used with IP subnetting. The address is the key.
networks.byaddr        /etc/networks                Contains names of networks known to your system and their IP addresses. The address is the key.
networks.byname        /etc/networks                Contains names of networks known to your system and their IP addresses. The name of the network is the key.
passwd.adjunct.byname  /etc/passwd and /etc/shadow  Contains auditing shadow information and the hidden password information for C2 clients.
passwd.byname          /etc/passwd and /etc/shadow  Contains password and shadow information. The username is the key.
passwd.byuid           /etc/passwd and /etc/shadow  Contains password and shadow information. The user ID is the key.
prof_attr              /etc/security/prof_attr      Contains profile descriptions, part of RBAC.
project.byname         /etc/project                 Contains the projects in use on the network. The project name is the key.
project.bynumber       /etc/project                 Contains the projects in use on the network. The project number (ID) is the key.
protocols.byname       /etc/protocols               Contains the network protocols known to your network. The protocol is the key.
protocols.bynumber     /etc/protocols               Contains the network protocols known to your network. The protocol number is the key.
publickey.byname       /etc/publickey               Contains public or secret keys. The username is the key.
rpc.bynumber           /etc/rpc                     Contains the program number and the name of Remote Procedure Calls (RPCs) known to your system. The program number is the key.
services.byname        /etc/services                Lists Internet services known to your network. The key port or protocol is the key.
services.byservice     /etc/services                Lists Internet services known to your network. The service name is the key.
timezone.byname        /etc/timezone                Contains the default timezone database. The timezone name is the key.
user_attr              /etc/user_attr               Contains the extended user attributes database, part of RBAC.
ypservers              N/A                          Lists the NIS servers known to your network. It’s a single-column table with the system name as the key.


The information in these files is put into NIS databases automatically when you create an NIS master server. Other system files can also be managed by NIS if you want to customize your configuration.

NIS makes updating network databases much simpler than with the /etc file system. You no longer have to change the administrative /etc files on every system each time you modify the network environment. For example, if you add a new system to a network running NIS, you only have to update the input file on the master server and run /usr/ccs/bin/make from the /var/yp directory. This process automatically updates the hosts.byname and hosts.byaddr maps. These maps are then transferred to any slave servers and made available to all the domain’s client systems and their programs.

Just as you use the cat command to display the contents of a text file, you can use the ypcat command to display the values in a map. Here is the basic ypcat syntax:

ypcat [-k] <mapname>

If a map is composed only of keys, as in the case of ypservers, use ypcat -k. Otherwise, ypcat prints blank lines.

In this case, mapname is the name of the map you want to examine.

You can use the ypwhich command to determine which server is the master of a particular map:

ypwhich -m <mapname>

In this case, mapname is the name of the map whose master you want to find. ypwhich responds by displaying the name of the master server.

These and other NIS commands are covered in the following sections.

Planning Your NIS Domain

Before you configure systems as NIS servers or clients, you must plan the NIS domain. Each domain has a domain name, and each system shares the common set of maps belonging to that domain. Step By Step 5.1 outlines the steps for planning an NIS domain.

STEP BY STEP
5.1 Planning Your NIS Domain

1. Decide which systems will be in your NIS domain.

2. Choose an NIS domain name. An NIS domain name can be up to 256 characters long, although much shorter names are more practical. A good practice is to limit domain names to no more than 32 characters. Domain names are case-sensitive. For convenience, you can use your Internet domain name as the basis for your NIS domain name. For example, if your Internet domain name is pdesigninc.com, you can name your NIS domain pdesigninc.com.


3. Before a system can use NIS, the correct NIS domain name and system name must be set. This must be done on the NIS servers as well as the clients. A system’s hostname is set by the system’s /etc/nodename file, and the system’s domain name is set by the system’s /etc/defaultdomain file. These files are read at startup, and the contents are used by the uname -s and domainname commands, respectively. A sample /etc/nodename file would look like this:

# more /etc/nodename<cr>

The system responds with this:

sunfire

A sample /etc/defaultdomain file would look like this:

# more /etc/defaultdomain<cr>

The system responds with this:

pdesigninc.com

To set the domain name, you would either have to run the domainname command, entering your domain name as the argument to the command, or reboot if you have edited /etc/defaultdomain. Whichever way you choose, you are now ready to configure your NIS master server.

Configuring an NIS Master Server

Before configuring an NIS master server, be sure the NIS software cluster is installed. The package names are SUNWypu and SUNWypr. Use the pkginfo command to check for these packages. Both packages are part of the standard Solaris 10 release. The daemons that support the NIS are described in Table 5.6.

Table 5.6 NIS Daemons

Daemon           Description
ypserv           This daemon is the NIS database lookup server. The ypserv daemon’s primary function is to look up information in its local database of NIS maps. If the /var/yp/ypserv.log file exists when ypserv starts up, log information is written to it (if error conditions arise). At least one ypserv daemon must be present on the network for the NIS service to function.
ypbind           This daemon is the NIS binding process that runs on all client systems that are set up to use NIS. The function of ypbind is to remember information that lets all NIS client processes on a node communicate with some NIS server process.
ypxfrd           This daemon provides the high-speed map transfer. ypxfrd moves an NIS map in the default domain to the local host. It creates a temporary map in the directory /var/yp/ypdomain.
rpc.yppasswdd    This daemon handles password change requests from the yppasswd command. It changes a password entry in the passwd, shadow, and security/passwd.adjunct files.
rpc.ypupdated    This daemon updates NIS information. ypupdated consults the updaters file in the /var/yp directory to determine which NIS maps should be updated and how to change them.


NIS

The commands that you use to manage NIS are shown in Table 5.7. We describe some of these commands in more detail later when we show examples of setting up NIS.

Table 5.7 NIS Management Commands

Utility  Description

make  This command updates NIS maps by reading the Makefile (if run in the /var/yp directory). You can use make to update all maps based on the input files or to update individual maps.

makedbm  This command creates a dbm file for an NIS map. The makedbm command takes an input file and converts it to a pair of files in ndbm format. When you run make in the /var/yp directory, makedbm creates or modifies the default NIS maps from the input files.

ypcat  This command lists data in an NIS map.

ypinit  This command builds and installs an NIS database and initializes the NIS client’s (and server’s) ypservers list. ypinit is used to set up an NIS client system. You must be the superuser to run this command.

yppoll  This command gets a map order number from a server. The yppoll command asks a ypserv process what the order number is and which host is the master NIS server for the named map.

yppush  This command propagates a new version of an NIS map from the NIS master server to NIS slave servers.

ypset  This command sets binding to a particular server. ypset is useful for binding a client node that is on a different broadcast network.

ypstart  This command is used to start NIS. After the host has been configured using the ypinit command, ypstart automatically determines the machine’s NIS status and starts the appropriate daemons. This command, although still available, is not the recommended way to start NIS and might even have unpredictable results. NIS should be started via the Service Management Facility (SMF).

ypstop  This command is used to stop the NIS processes. This command, although still available, is not the recommended way to stop the NIS processes and might even have unpredictable results. NIS should be stopped via the Service Management Facility (SMF).

ypwhich  This command returns the name of the NIS server that supplies the NIS name services to an NIS client, or it returns the name of the master for a map.

EXAM ALERT
Identifying daemons versus commands: Make sure you are familiar with what each daemon and command does. Exam questions are frequently presented by describing the daemon or command and asking you to identify it correctly.

An NIS master server holds the source files for all the NIS maps in the domain. Any changes to the NIS maps must be made on the NIS master server. The NIS master server delivers information to NIS clients and supplies the NIS slave servers with up-to-date maps. Before the NIS master server is started, some of the NIS source files need to be created.


The basic steps for setting up an NIS master server are as follows:

. Creating the master passwd file

. Creating the master group file

. Creating the master hosts file

. Creating other master files

. Preparing the Makefile

. Setting up the master server with ypinit

. Starting and stopping NIS on the master server

. Setting up the name service switch

Each of these tasks is described in the following subsections.

Creating the Master passwd File

The first task in setting up an NIS master server is to prepare the source file for the passwd map. However, be careful with this source file. The source files can be located either in the /etc directory on the master server or in some other directory. Locating the source files in /etc is undesirable because the contents of the maps are then the same as the contents of the local files on the master server. This is a special problem for passwd and shadow files because all users would have access to the master server maps, and because the root password would be passed to all YP clients through the passwd map.

Sun recommends that for security reasons, and to prevent unauthorized root access, the files used to build the NIS password maps should not contain an entry for root. Therefore, the password maps should not be built from the files located in the master server’s /etc directory. The password files used to build the passwd maps should have the root entry removed from them, and they should be located in a directory that can be protected from unauthorized access.

For this exercise, copy all the source files from the /etc directory into the /var/yp directory. Because the source files are located in a directory other than /etc, modify the Makefile in /var/yp by changing the DIR=/etc line to DIR=/var/yp. Also, modify the PWDIR password macro in the Makefile to refer to the directory in which the passwd and shadow files reside by changing the line PWDIR=/etc to PWDIR=/var/yp.

Now, to create the passwd source file, use a copy of the /etc/passwd file on the system that becomes the master NIS server. Create a passwd file that has all the logins in it. This file is used to create the NIS map. Step By Step 5.2 shows you how to create the passwd source file.

Chapter 5: Naming Services


STEP BY STEP
5.2 Creating the Password Source File

1. Copy the /etc/passwd file from each host in your network to the /var/yp directory on the host that will be the master server. Name each copy /var/yp/passwd.<hostname>, in which <hostname> is the name of the host it came from.

2. Concatenate all the passwd files into a temporary passwd file:

# cd /var/yp<cr>
# cat passwd passwd.hostname1 passwd.hostname2 ... > passwd.temp<cr>

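3. Issue the sort command to sort the temporary passwd file by username, and then pipe it to the uniq command to remove duplicate entries. Write the result to an intermediate file and then move it back, because redirecting the output onto the file that sort is still reading would truncate it:

# sort -t : -k 1,1 /var/yp/passwd.temp | uniq > /var/yp/passwd.sorted<cr>
# mv /var/yp/passwd.sorted /var/yp/passwd.temp<cr>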

NOTE
Sorting the passwd file: NIS does not require that the passwd file be sorted in any particular way. Sorting the passwd file simply makes it easier to find duplicate entries.

4. Examine /var/yp/passwd.temp for duplicate usernames that were not caught by the previous uniq command. This could happen if a user login occurs twice, but the lines are not exactly the same. If you find multiple entries for the same user, edit the file to remove redundant ones. Be sure each user in your network has a unique username and UID (user ID).

5. Issue the following command to sort the temporary passwd file by UID:

# sort -o /var/yp/passwd.temp -t: -k 3n,3 /var/yp/passwd.temp<cr>

6. Examine /var/yp/passwd.temp for duplicate UIDs once more. If you find multiple entries with the same UID, edit the file to change the UIDs so that no two users have the same UID.

NOTE
Duplicate UIDs and usernames: You have to resolve duplicate UIDs (where the same UID has been used on more than one system) and usernames (where a user has previously had home directories on each system). The NIS-managed UID has ownership of any duplicated UIDs’ files unless they are changed accordingly to match modifications made to this file.

7. Remove the root login from the /var/yp/passwd.temp file. If you notice that the root login occurs more than once, remove all entries.

8. After you have a complete passwd file with no duplicates, move /var/yp/passwd.temp (the sorted, edited file) to /var/yp/passwd. This file is used to generate the passwd map for your NIS domain. Remove all the /var/yp/passwd.<hostname> files from the master server.
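The manual checks in steps 4 through 7 can be scripted so that nothing slips into the passwd map unnoticed. The following is an added example, not taken from the book: audit_passwd and make_sample are hypothetical names and the sample entries are constructed. It reports duplicate usernames, UIDs shared by different users, root or UID 0 entries, and malformed lines in a merged passwd source file.

```shell
#!/bin/sh
# Added example (not from the book): audit a merged passwd source file
# such as /var/yp/passwd.temp before it is used to build the NIS passwd map.

# audit_passwd FILE
# Prints one finding per line (sorted); prints nothing when the file is clean.
audit_passwd() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }            # ignore blank and comment lines
        NF != 7 {
            printf "MALFORMED line %d: expected 7 fields, got %d\n", NR, NF
            next
        }
        {
            name_count[$1]++
            # Count distinct usernames per UID, so the same user merged from
            # two hosts is reported once as DUP_NAME and not also as DUP_UID.
            if (!(($3, $1) in seen)) {
                seen[$3, $1] = 1
                uid_count[$3]++
                uid_users[$3] = (uid_users[$3] == "") ? $1 : (uid_users[$3] "," $1)
            }
            # Step 7: no root entry. Any other UID 0 account is equally privileged.
            if ($1 == "root" || $3 ~ /^0+$/)
                printf "ROOT_ENTRY %s (uid %s)\n", $1, $3
        }
        END {
            for (n in name_count)
                if (name_count[n] > 1)
                    printf "DUP_NAME %s appears %d times\n", n, name_count[n]
            for (u in uid_count)
                if (uid_count[u] > 1)
                    printf "DUP_UID %s shared by %s\n", u, uid_users[u]
        }
    ' "$1" | LC_ALL=C sort
}

# make_sample: constructed passwd entries merged from several hosts.
make_sample() {
    cat <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
alice:x:1001:10:Alice A:/export/home/alice:/bin/ksh
alice:x:1001:10:Alice A:/home/alice:/bin/ksh
bob:x:1002:10:Bob B:/export/home/bob:/bin/ksh
carol:x:1002:10:Carol C:/export/home/carol:/bin/ksh
toor:x:0:0:Second root:/:/sbin/sh
dave:x:1003:10:broken line
EOF
}

# Demo run on the constructed sample.
demo_file=$(mktemp)
make_sample > "$demo_file"
audit_passwd "$demo_file"
rm -f "$demo_file"
```

Run it against /var/yp/passwd.temp after step 7; an empty result means the file is ready to be moved to /var/yp/passwd.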


Creating the Master Group File

Just like creating a master /var/yp/passwd file, the next task is to prepare one master /var/yp/group file to be used to create an NIS map. Step By Step 5.3 shows you how to create the master group file.

STEP BY STEP
5.3 Creating the Master Group File

1. Copy the /etc/group file from each host in your NIS domain to the /var/yp directory on the host that will be the master server. Name each copy /var/yp/group.<hostname>, in which <hostname> is the name of the host it came from.

2. Concatenate all the group files, including the master server’s group file, into a temporary group file:

# cd /var/yp<cr>
# cat group group.hostname1 group.hostname2 ... > group.temp<cr>

3. Issue the following command to sort the temporary group file by group name:

# sort -o /var/yp/group.temp -t: -k1,1 /var/yp/group.temp<cr>

NIS does not require that the group file be sorted in any particular way. Sorting the group file simply makes it easier to find duplicate entries.

4. Examine /var/yp/group.temp for duplicate group names. If a group name appears more than once, merge the groups that have the same name into one group and remove the duplicate entries.

5. Issue the following command to sort the temporary group file by GID:

# sort -o /var/yp/group.temp -t: -k 3n,3 /var/yp/group.temp<cr>

6. Examine /var/yp/group.temp for duplicate GIDs. If you find multiple entries with the same GID, edit the file to change the GIDs so that no two groups have the same GID.

7. Move /var/yp/group.temp (the sorted, edited file) to /var/yp/group. This file is used to generate the group map for your NIS domain. Remove the /var/yp/group.<hostname> files from the master server.

NOTE
Duplicate GIDs: You have to resolve duplicate GIDs (where the same GID has been used on more than one system) and group names (where a group has previously existed on each system). The NIS-managed GID will have group ownership of any duplicated GIDs’ files unless they are changed accordingly to match modifications made to this file.


Creating the Master hosts File

Now create the master /etc/hosts file the same way you created the master /var/yp/passwd and /var/yp/group files (see Step By Step 5.4).

STEP BY STEP
5.4 Creating the Master hosts File

1. Copy the /etc/hosts file from each host in your NIS domain to the /var/yp directory on the host that will be the master server. Name each copy /var/yp/hosts.<hostname>, in which <hostname> is the name of the host from which it came.

2. Concatenate all the host files, including the master server’s host file, into a temporary hosts file:

# cd /var/yp<cr>
# cat hosts hosts.hostname1 hosts.hostname2 ... > hosts.temp<cr>

3. Issue the following command to sort the temporary hosts file so that duplicate IP addresses are on adjacent lines:

# sort -o /var/yp/hosts.temp /var/yp/hosts.temp<cr>

4. Examine /var/yp/hosts.temp for duplicate IP addresses. If you need to map an IP address to multiple hostnames, include them as aliases in a single entry.

5. Issue the following command to sort the temporary hosts file by hostname:

# sort -o /var/yp/hosts.temp -b -k 2,2 /var/yp/hosts.temp<cr>

6. Examine /var/yp/hosts.temp for duplicate hostnames. A hostname can be mapped to multiple IP addresses only if the IP addresses belong to different LAN cards on the same host. If a hostname appears in multiple entries that are mapped to IP addresses on different hosts, remove all the entries but one.

7. Examine the /var/yp/hosts.temp file for duplicate aliases. No alias should appear in more than one entry.

8. Move /var/yp/hosts.temp (the sorted, edited file) to /var/yp/hosts. This file is used to generate the hosts map for your NIS domain. Remove the /var/yp/hosts.<hostname> files from the master server.


Creating Other Master Files

The following files, which were described in Table 5.2, can also be copied to the /var/yp directory to be used as source files for NIS maps. But first be sure that they reflect an up-to-date picture of your system environment:

. /etc/security/audit_user

. /etc/security/auth_attr

. /etc/auto_home

. /etc/auto_master

. /etc/bootparams

. /etc/ethers

. /etc/security/exec_attr

. /etc/inet/ipnodes

. /etc/netgroup

. /etc/netmasks

. /etc/networks

. /etc/security/prof_attr

. /etc/project

. /etc/protocols

. /etc/publickey

. /etc/rpc

. /etc/services

. /etc/shadow

. /etc/timezone

. /etc/user_attr

Unlike other source files, the /etc/mail/aliases file cannot be moved to another directory. This file must reside in the /etc/mail directory. Be sure that the /etc/mail/aliases source file is complete by verifying that it contains all the mail aliases that you want to have available throughout the domain.


Preparing the Makefile

After checking the source files and copying them into the source file directory, you need to convert those source files into the ndbm format maps that NIS uses. This is done automatically for you by ypinit. We describe how to use ypinit in the next section.

The ypinit script calls the program make, which uses the file Makefile located in the /var/yp directory. A default Makefile is provided for you in this directory. It contains the commands needed to transform the source files into the desired ndbm format maps.

The function of the Makefile is to create the appropriate NIS maps for each of the databases listed under “all.” After passing through makedbm, the data is collected in two files, mapname.dir and mapname.pag. Both files are located in the /var/yp/<domainname> directory on the master server.

The Makefile builds passwd maps from the $PWDIR/passwd, $PWDIR/shadow, and $PWDIR/security/passwd.adjunct files, as appropriate.

Setting Up the Master Server with ypinit

The /usr/sbin/ypinit shell script sets up master and slave servers and clients to use NIS. It also initially runs make to create the maps on the master server. Step By Step 5.5 shows you how to set up a master server using ypinit.

STEP BY STEP
5.5 Using ypinit to Set Up the Master Server

1. Become root on the master server and ensure that the name service receives its information from the /etc files, not from NIS, by typing the following:

# cp /etc/nsswitch.files /etc/nsswitch.conf<cr>

2. Edit the /etc/hosts file to add the name and IP address of each of the NIS servers.

3. To build new maps on the master server, type

# /usr/sbin/ypinit -m<cr>

ypinit prompts you for a list of other systems to become NIS slave servers. Type the name of the server you are working on, along with the names of your NIS slave servers. Enter the server name, and then press Enter. Do this for each server. Enter each server on a separate line. Press Ctrl+D when you’re finished. At this point, the entered list of servers is displayed and you are asked if it is correct. Type y if it is correct. If the list is incorrect, type n; you are returned to the list of servers to add extra entries.

4. ypinit asks whether you want the procedure to terminate at the first nonfatal error or to continue despite nonfatal errors. Type y.


If you typed y, ypinit exits upon encountering the first problem; you can then fix the problem and restart ypinit. This procedure is recommended if you are running ypinit for the first time. If you prefer to continue, you can manually try to fix all the problems that might occur, and then restart ypinit.

NOTE
Nonfatal errors: A nonfatal error might be displayed if some of the map files are not present. These errors do not affect the functionality of NIS.

5. ypinit asks whether the existing files in the /var/yp/<domainname> directory can be destroyed.

This message is displayed only if NIS was previously installed. You must answer yes to install the new version of NIS.

6. After ypinit has constructed the list of servers, it invokes make.

The make command uses the instructions contained in the Makefile located in /var/yp. It cleans any remaining comment lines from the files you designated and then runs makedbm on them, creating the appropriate maps and establishing the name of the master server for each map.

7. To enable NIS as the naming service, type

# cp /etc/nsswitch.nis /etc/nsswitch.conf<cr>

This command replaces the current switch file with the default NIS-oriented one. You can edit this file as necessary. The name service switch file /etc/nsswitch.conf is described later in this chapter.

Now that the master maps are created, you can start the NIS daemons on the master server.

EXAM ALERT
Selecting the correct command option: Exam questions are often based on the syntax of the ypinit command. You might be given a scenario where you are asked to select the correct command option to initialize either a master server, a slave server, or a client. Ensure that you are completely familiar with what each command option achieves.

Starting and Stopping NIS on the Master Server

To start up NIS on the master server, you need to start the ypserv process on the server and run ypbind. The daemon ypserv answers information requests from clients after looking them up in the NIS maps. You can start up NIS manually on the server by running the svcadm enable nis/server command from the command line, followed by svcadm enable nis/client. After you configure the NIS master server by running ypinit, the NIS server is automatically invoked to start ypserv whenever the system is started. This is accomplished via SMF.


To manually stop the NIS server processes, run the svcadm disable nis/server command on the server as follows:

# svcadm disable nis/server<cr>
# svcadm disable nis/client<cr>

NOTE
NIS and SMF: You should note that the NIS service is now managed via the Service Management Facility (SMF) and can be stopped and started using the svcadm command. You can still use the ypstop and ypstart commands, but you might get unexpected results, especially as SMF could automatically restart the service if you stop it manually. The recommended way to start and stop NIS is via SMF.

Setting Up NIS Clients

As root, you must perform four tasks to set up a system as an NIS client:

. Ensure that user account information from the /etc/passwd and /etc/group files on the client has already been taken into account in the master passwd and group files. If not, refer to the earlier sections “Setting Up the Master passwd File” and “Creating the Master Group File” for details on how to merge existing account information into the NIS-managed maps.

NOTE
Client home directories: Home directories that have previously existed on separate systems need to be taken into account when NIS is introduced. Without correct handling, a user’s files might come under the ownership of another user, unless they are dealt with at the time of any passwd and group modifications.

. Set the domain name on the client.

. Set up the nsswitch.conf file on the client, as described earlier in this chapter.

. Configure the client to use NIS, as explained next.

The first step is to remove from the /etc/passwd file all the user entries that are managed by the NIS server. Don’t forget to update the /etc/shadow file. Also, remove entries from /etc/group, /etc/hosts, and any other network files that are now managed by NIS.

After setting up the nsswitch.conf file and setting your domain name as described in the section titled “Planning Your NIS Domain,” you configure each client system to use NIS by logging in as root and running the /usr/sbin/ypinit command:

# ypinit -c<cr>


You are asked to identify the NIS servers from which the client can obtain name service information. Enter each server name, followed by a carriage return. You can list one master and as many slave servers as you want. The servers that you list can be located anywhere in the domain. It is good practice to first list the servers closest (in network terms) to the system, followed by the more distant servers on the network because the client attempts to bind to the first server on the list.

When you enter a server name during the client setup, the file /var/yp/<domainname>/ypservers is populated with the list of servers you enter. This list is used each time the client is rebooted, to establish a “binding” with an NIS server. An alternative method is to rename the previously mentioned file and restart NIS. This causes the client to “broadcast” over the local subnet to try to find an NIS server to bind to. If no server responds, the client is unable to use the name service until either an NIS slave server is configured on the same subnet, or the list of servers is reinstated.

Test the NIS client by logging out and logging back in using a login name that is no longer in the /etc/passwd file and is managed by NIS. Test the hosts map by pinging a system that is not identified in the local /etc/hosts file.

Setting Up NIS Slave Servers

Before setting up the NIS slave server, you must set it up as an NIS client. After you’ve verified that the NIS master server is functioning properly by testing the NIS on this system, you can set up the system as a slave server. Your network can have one or more slave servers. Having slave servers ensures the continuity of NIS if the master server is unavailable. Before actually running ypinit to create the slave servers, you should run the domainname command on each NIS slave to be sure that the domain name is consistent with the master server. Remember, the domain name is set by adding the domain name to the /etc/defaultdomain file.

To set up an NIS slave server, see Step By Step 5.6.

STEP BY STEP
5.6 Setting Up the NIS Slave Server

1. As root, edit the /etc/hosts file on the slave server to add the name and IP address of the NIS master server. At this point, we are assuming that you’re not using DNS to manage hostnames (DNS is covered later in this chapter). Step 3 prompts you for the hostname of the NIS master server. You need an entry for this hostname in the local /etc/hosts file; otherwise, you need to specify the IP address of the NIS server.

2. Change directories to /var/yp on the slave server.

3. To initialize the slave server as a client, type the following:

# /usr/sbin/ypinit -c<cr>


The ypinit command prompts you for a list of NIS servers. Enter the name of the local slave you are working on first and then the master server, followed by the other NIS slave servers in your domain, in order, from the physically closest to the farthest (in network terms).

4. You need to determine whether ypbind is already running. If it is running, you need to stop and restart it. Check to see if ypbind is running by typing this:

# pgrep -l ypbind<cr>

If a listing is displayed, ypbind is running. If ypbind is running, stop it by typing this:

# svcadm disable nis/client<cr>

5. Type the following to restart ypbind:

# svcadm enable nis/client<cr>

6. To initialize this system as a slave, type the following:

# /usr/sbin/ypinit -s <master><cr>

In this example, <master> is the system name of the existing NIS master server.

Repeat the procedures described in these steps for each system that you want configured as an NIS slave server.

7. Now you can start daemons on the slave server and begin the NIS. First, you must stop all existing yp processes by typing the following:

# svcadm disable nis/server<cr>

To start ypserv on the slave server and run ypbind, you can either reboot the server or type the following:

# svcadm enable nis/server<cr>

Creating Custom NIS Maps

NIS provides a number of default maps, as we have already seen earlier in this chapter. You can also add your own map to be managed by NIS. This is a simple process where you first create the file with a normal text editor such as vi and then create the map. The following example shows how to create a fictional address book map called abook from the text file /etc/abook. We assume here that the domain being used is pdesigninc.com:

# cd /var/yp<cr>
# makedbm /etc/abook pdesigninc.com/abook<cr>

The map is now created and exists in the master server’s directory. You can now run such commands as ypcat to list the contents of the map. To distribute it to other slave servers, use the ypxfr command.


If you want to verify the contents of an NIS map, you can use the makedbm command with the -u flag. This writes the contents of the map to the screen, so redirect the output to another file if it will produce a large amount of text.

To make a new NIS map permanent, you have to add the details of the new map to the Makefile in /var/yp. Have a look at the Makefile to see how to modify it to add a new entry. When this has been done, any further changes to the new map are automatically propagated to all other NIS servers when the make command is run.

NIS Security

NIS has been traditionally insecure because the passwd map contains the encrypted passwords for all user accounts. Any user can list the contents of the passwd map, so a potential attacker could easily gather the encrypted passwords for use with a password cracking program. This issue is partially addressed in two ways: by using the passwd.adjunct file to remove encrypted passwords from the passwd map, and using the securenets file to restrict the hosts, or networks, that can access the NIS maps.

The passwd.adjunct Map

If you copy the contents of your shadow file to passwd.adjunct in the same directory as your passwd and shadow files (/var/yp in the examples used in this chapter), a separate map, passwd.adjunct.byname, is created. This map is accessible only by the root user; it protects the encrypted passwords from unauthorized users. In addition to creating the file, you also have to modify the NIS Makefile (held in /var/yp) to add the passwd.adjunct entry to the “all” section. This ensures that the map is updated when changes are made.

NOTE
Extra editing: The only downside of using this option is that when a new user is created or an existing user modified, the passwd.adjunct file must be amended to correctly reflect the current shadow file. This is an overhead for the system administrator, but should be offset against the increased security that is achieved by doing this.

The securenets File

A further enhancement to NIS security is to restrict the hosts, or networks, that can access the NIS namespace. The file /var/yp/securenets achieves this.

Entries in this file consist of two fields, a netmask and a network.

An example securenets file is shown here:

255.255.255.0 210.100.35.0
255.255.255.0 210.100.36.0
255.255.255.0 210.100.37.0


This code shows that only hosts with IP addresses in the specified networks can access the NIS namespace.

You can also add entries for specific hosts. The following modified securenets file was created by adding two individual hosts:

host 10.48.76.3
host 10.48.76.4
255.255.255.0 210.100.35.0
255.255.255.0 210.100.36.0
255.255.255.0 210.100.37.0

NOTE
securenets: Don’t fall into the trap of not allowing your own NIS servers to access the NIS namespace. You should make sure that all NIS servers are covered by the network entries in the securenets file; otherwise they might not be authorized. If any servers are not on these networks, you need to add individual host entries.

The securenets file is read by the ypserv and ypxfrd processes on startup. If you make any modifications to the securenets file, you must also restart the NIS daemons to allow the changes to take effect.
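One way to confirm that every NIS server is covered by the securenets file before restarting the daemons. This is an added example, not taken from the book: ip_to_int, securenets_allows, uncovered_servers and make_securenets are hypothetical names, the rules are the modified sample file shown above, and the server addresses checked are constructed. It assumes an address is admitted when it equals the listed network after both are masked with the netmask, and that a host entry matches one address exactly.

```shell
#!/bin/sh
# Added example (not from the book): evaluate addresses against securenets rules.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer; returns 1 if malformed.
ip_to_int() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;      # only digits and single dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac # reject leading zeros (octal ambiguity)
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# securenets_allows FILE IP -> exit 0 if some entry admits IP, 1 if none does,
# 2 if IP itself is malformed. Malformed rule lines are skipped.
securenets_allows() {
    sn_ip=$(ip_to_int "$2") || return 2
    while read -r sn_f1 sn_f2 sn_rest; do
        case "$sn_f1" in ''|'#'*) continue ;; esac
        if [ "$sn_f1" = host ]; then
            sn_mask=4294967295                 # host entry: all 32 bits must match
        else
            sn_mask=$(ip_to_int "$sn_f1") || continue
        fi
        sn_net=$(ip_to_int "$sn_f2") || continue
        [ $(( sn_ip & sn_mask )) -eq $(( sn_net & sn_mask )) ] && return 0
    done < "$1"
    return 1
}

# uncovered_servers FILE IP... -> prints each address that FILE would refuse.
uncovered_servers() {
    us_file=$1; shift
    for us_ip in "$@"; do
        securenets_allows "$us_file" "$us_ip" || echo "$us_ip"
    done
}

# make_securenets: the modified sample securenets file from the text above.
make_securenets() {
    cat <<'EOF'
host 10.48.76.3
host 10.48.76.4
255.255.255.0 210.100.35.0
255.255.255.0 210.100.36.0
255.255.255.0 210.100.37.0
EOF
}

# Demo: constructed NIS server addresses; the last two are not covered.
sn_demo=$(mktemp)
make_securenets > "$sn_demo"
uncovered_servers "$sn_demo" 210.100.35.10 10.48.76.3 10.48.76.5 210.100.38.1
rm -f "$sn_demo"
```

Any address it prints needs a network or host entry added before ypserv and ypxfrd are restarted.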

Troubleshooting NIS

This section provides some details of how to troubleshoot NIS when problems occur, and the actions to take. It looks briefly at some of the errors seen on the server as well as some of the errors seen on a client.

Binding Problems

Normally, when a client fails to bind with an NIS server, one of the following has occurred:

. ypbind isn’t running on the client: In this case enter svcadm enable network/nis/client to start the process.

. The domain name is set incorrectly or not set at all: Check the contents of /etc/defaultdomain or run the domainname command. Frequently, this problem occurs because the domain name has been set manually, but not entered into the file /etc/defaultdomain, so when the system is rebooted, the domain name is lost.

. No NIS server is available: This would point to a possible network problem, particularly if you have several NIS servers configured in the domain. Check that the client has network connectivity. If only a single NIS server is present, you should check that the ypserv daemon is running. Also, check that the client’s /etc/nsswitch.conf is configured correctly.


Server Problems

Problems encountered in an NIS environment normally point to network or hardware problems, especially when several NIS servers are available. If you find that you cannot connect to an NIS server, or if you are not getting any response to NIS commands, try the following:

. ping the server to make sure it is accessible across the network.

. Run ypwhich to verify which server you are meant to be bound to.

. Check that the NIS daemons are running on the server and restart the service if necessary. You can restart the NIS server by executing svcadm restart network/nis/server.

. Check that the server isn’t busy or overloaded. Use commands such as vmstat, iostat, and netstat to monitor the server for possible performance issues.

NIS+

NIS+ is similar to NIS, but with more features. NIS+ is not an extension of NIS, but a new system. It was designed to replace NIS.

NIS addresses the administrative requirements of small-to-medium client/server computing networks—those with less than a few hundred clients. Some sites with thousands of users find NIS adequate as well. NIS+ is designed for the now-prevalent larger networks in which systems are spread across remote sites in various time zones and in which clients number in the thousands. In addition, the information stored in networks today changes much more frequently, and NIS had to be updated to handle this environment. Last but not least, systems today require a higher level of security than provided by NIS, and NIS+ addresses many security issues that NIS did not.

NOTE
End of life for NIS+: It is important to note that Sun Microsystems issued an end of support notice for NIS+ with the release of Solaris 9, and again with the release of Solaris 10. It is likely that Solaris 10 will be the last release to contain NIS+ as a naming service. Sun recommends that users of NIS+ migrate to LDAP using the Sun Java System Directory Server. To this end, and because NIS+ is not mentioned as an objective for this exam, it is covered only briefly in this chapter.


Hierarchical Namespace

NIS+ lets you store information about workstation addresses, security, mail, Ethernet interfaces, and network services in central locations where all workstations on a network can access it. This configuration of network information is referred to as the NIS+ namespace.

The NIS+ namespace is the arrangement of information stored by NIS+. The namespace can be arranged in a variety of ways to fit an organization’s needs. NIS+ can be arranged to manage large networks with more than one domain. Although the arrangement of an NIS+ namespace can vary from site to site, all sites use the same structural components: directories, tables, and groups. These components are called objects, and they can be arranged into a hierarchy that resembles a UNIX file system.

Directory objects form the skeleton of the namespace. When arranged in a treelike structure, they divide the namespace into separate parts, much like UNIX directories and subdirectories. The topmost directory in a namespace is the root directory. If a namespace is flat, it has only one directory: the root directory. The directory objects beneath the root directory are called directories.

A namespace can have several levels of directories. When identifying the relation of one directory to another, the directory beneath is called the child directory, and the directory above is the parent.

Although UNIX directories are designed to hold UNIX files, NIS+ directories are designed to hold NIS+ objects: other directories, tables, and groups. Any NIS+ directory that stores NIS+ groups is named groups_dir, and any directory that stores NIS+ system tables is named org_dir.

NIS+ Security

NIS+ security is enhanced in two ways. First, it can authenticate access to the service, so it can discriminate between access that is enabled to members of the community and other network entities. Second, it includes an authorization model that allows specific rights to be granted or denied based on this authentication.

Authentication

Authentication is used to identify NIS+ principals. An NIS+ principal might be someone who is logged in to a client system as a regular user, someone who is logged in as superuser, or any process that runs with superuser permission on an NIS+ client system. Thus, an NIS+ principal can be a client user or a client workstation. Every time a principal (user or system) tries to access an NIS+ object, the user’s identity and password are confirmed and validated.


Authorization

Authorization is used to specify access rights. Every time NIS+ principals try to access NIS+ objects, they are placed in one of four authorization classes, or categories:

. Owner: A single NIS+ principal

. Group: A collection of NIS+ principals

. World: All principals authenticated by NIS+

. Nobody: Unauthenticated principals

The NIS+ server finds out what access rights are assigned to that principal by that particular object. If the access rights match, the server answers the request. If they do not match, the server denies the request and returns an error message.

NIS+ authorization is the process of granting NIS+ principals access rights to an NIS+ object. Access rights are similar to file permissions. Four types of access rights exist:

. Read: The principal can read the contents of the object.

. Modify: The principal can modify the contents of the object.

. Create: The principal can create new objects in a table or directory.

. Destroy: The principal can destroy objects in a table or directory.

Access rights are displayed as 16 characters. They can be displayed with the command nisls -l and can be changed with the command nischmod.

The NIS+ security system lets NIS+ administrators specify different read, modify, create, and destroy rights to NIS+ objects for each class. For example, a given class could be permitted to modify a particular column in the passwd table but not read that column, or a different class could be allowed to read some entries of a table but not others.
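The 16-character rights string combines the four classes and four access rights listed above. The decoder below is an added example, not from the book; the function name is hypothetical, and the class order (nobody, owner, group, world, four characters each in the order r, m, c, d) is taken from the Solaris NIS+ documentation rather than from this chapter.

```shell
#!/bin/sh
# Added example: decode a 16-character NIS+ access-rights string.
# Assumption: the four 4-character groups are nobody, owner, group, world,
# as in the Solaris NIS+ documentation. decode_nisplus_rights is a
# hypothetical name, not a Solaris command.
decode_nisplus_rights() {
    printf '%s\n' "$1" | awk '
    length($0) != 16 || $0 !~ /^([r-][m-][c-][d-])+$/ {
        print "invalid: expected 16 characters of r, m, c, d or -"
        exit 1
    }
    {
        split("nobody owner group world", class, " ")
        for (i = 1; i <= 4; i++) {
            bits = substr($0, (i - 1) * 4 + 1, 4)
            printf "%s=%s\n", class[i], bits
            # Unauthenticated requests land in nobody, and world covers
            # every authenticated principal, so modify, create or destroy
            # in either class is worth a second look.
            if (i == 1 && bits ~ /[mcd]/)
                print "review: nobody (unauthenticated) can change objects"
            if (i == 4 && bits ~ /[mcd]/)
                print "review: world can change objects"
        }
    }'
}

# Constructed sample value: owner has full rights, group and world read only.
decode_nisplus_rights '----rmcdr---r---'
```

A string that is not exactly 16 characters of r, m, c, d and - is rejected with a non-zero exit status, so the function can gate a script that reviews many objects.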

The implementation of the authorization scheme just described is determined by the domain’s level of security. An NIS+ server can operate at one of three security levels, summarized in Table 5.8.


Table 5.8 NIS+ Server Security Levels

Security Level    Description

0    Security level 0 is designed for testing and setting up the initial NIS+ namespace. An NIS+ server running at security level 0 grants any NIS+ principal full access rights to all NIS+ objects in the domain. Level 0 is for setup purposes only, and administrators should use it only for that purpose. Regular users should not use level 0 on networks in normal operation.

1    Security level 1 uses AUTH_SYS security. This level is not supported by NIS+, and it should not be used.

2    Security level 2 is the default. It is the highest level of security currently provided by NIS+ and is the default level assigned to an NIS+ server. It authenticates only requests that use Data Encryption Standard (DES) credentials. Requests with no credentials are assigned to the nobody class and have whatever access rights have been granted to that class. Requests that use invalid DES credentials are retried. After repeated failures to obtain a valid DES credential, requests with invalid credentials fail with an authentication error. (A credential might be invalid for a variety of reasons. The principal making the request might not be logged in on that system, the clocks might be out of sync, there might be a key mismatch, and so forth.)

DNS

DNS is the name service used by the Internet and other Transmission Control Protocol/Internet Protocol (TCP/IP) networks. It was developed so that workstations on the network can be identified by common names instead of Internet addresses. DNS is a system that converts domain names to their IP addresses and vice versa. Without it, users would have to remember numbers instead of words to get around the Internet. The process of finding a computer’s IP address by using its hostname as an index is referred to as name-to-address resolution, or mapping. DNS duplicates some of the information stored in the NIS or NIS+ tables, but DNS information is available to all hosts on the network.

The collection of networked systems that use DNS is referred to as the DNS namespace. The DNS namespace can be divided into a hierarchy of domains. A DNS domain is simply a group of systems. Two or more name servers support each domain: the primary, secondary, or cache-only server. Each domain must have one primary server and should have at least one secondary server to provide backup.


Configuring the DNS Client

On the client side, DNS is implemented through a set of dynamic library routines, collectively called the resolver. The resolver’s function is to resolve users’ queries. The resolver is neither a daemon nor a single program; instead, it is a set of dynamic library routines used by applications that need to find IP addresses given the domain names.

The resolver library uses the file /etc/resolv.conf, which lists the addresses of DNS servers where it can obtain its information. The resolver reads this /etc/resolv.conf file to find the name of the local domain and the location of domain name servers. It sets the local domain name and instructs the resolver routines to query the listed name servers for information. Normally, each DNS client system on your network has a resolv.conf file in its /etc directory. (If a client does not have a resolv.conf file, it defaults to using a server at IP address 127.0.0.1, which is the local host.) Here’s an example of the /etc/resolv.conf file:

; Sample resolv.conf file for the machine server1
domain example.com
; try local name server
nameserver 127.0.0.1
; if local name server down, try these servers
nameserver 123.45.6.1
nameserver 111.22.3.5

The first line of the /etc/resolv.conf file lists the domain name in this form:

domain <domainname>

<domainname> is the name registered with the Internet’s domain name servers.

NOTE

Domain name format: No spaces or tabs are permitted at the end of the domain name. Make sure that you enter a hard carriage return immediately after the last character of the domain name.

The second line identifies the loopback name server in the following form:

nameserver 127.0.0.1

The remaining lines list the IP addresses of up to three DNS master, secondary, or cache-only name servers that the resolver should consult to resolve queries. (Do not list more than three primary or secondary servers.) Name server entries have the following form:

nameserver <IP_address>

<IP_address> is the IP address of a DNS name server. The resolver queries these name servers in the order they are listed until it obtains the information it needs.
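The format rules above (domain entry first, nothing after the domain name, well-formed nameserver addresses, no more than three nameserver lines) can be checked before a resolv.conf is put in place. The linter below is an added example, not from the book; the function name and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a resolv.conf against the rules described in the text.
# lint_resolv_conf (hypothetical name) reads the file on stdin and prints one
# finding per line; no output means every check passed.
lint_resolv_conf() {
    awk '
    # Skip blank lines and comment lines (first character ; or #).
    NF == 0 || index(";#", substr($1, 1, 1)) { next }
    { directives++ }
    $1 == "domain" {
        domains++
        if (directives != 1)
            printf "line %d: domain is not the first entry\n", NR
        if ($0 ~ /[ \t]$/)
            printf "line %d: space or tab after the domain name\n", NR
        if (NF != 2)
            printf "line %d: expected \"domain <domainname>\"\n", NR
    }
    $1 == "nameserver" {
        servers++
        ok = (NF == 2 && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
        if (ok) {
            split($2, octet, ".")
            for (i = 1; i <= 4; i++)
                if (octet[i] + 0 > 255) ok = 0
        }
        if (!ok)
            printf "line %d: nameserver needs one IPv4 address\n", NR
        if (servers == 4)
            printf "line %d: more than three nameserver entries\n", NR
    }
    END {
        if (domains == 0)
            print "no domain entry found"
        if (servers == 0)
            print "no nameserver entry: resolver falls back to 127.0.0.1"
    }'
}

# Constructed sample: a tab after the domain name, one out-of-range address,
# and a fourth nameserver line.
printf 'domain example.com\t\nnameserver 127.0.0.1\nnameserver 123.45.6.1\nnameserver 111.22.3.555\nnameserver 111.22.3.5\n' |
    lint_resolv_conf
```

On a live system the same function can be fed the real file with lint_resolv_conf < /etc/resolv.conf.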


Whenever the resolver must find the IP address of a host (or the hostname corresponding to an address), it builds a query package and sends it to the name servers listed in /etc/resolv.conf. The servers either answer the query locally or contact other servers known to them, ultimately returning the answer to the resolver.

After the resolver is configured, a system can request DNS service from a name server. If a system’s /etc/nsswitch.conf file specifies hosts: dns, the resolver libraries are automatically used. If the nsswitch.conf file specifies some other name service before DNS, such as NIS, that name service is consulted first for host information. Only if that name service does not find the host in question are the resolver libraries used.

For example, if the hosts line in the nsswitch.conf file specifies hosts: nis dns, the NIS name service is first searched for host information. If the information is not found in NIS, the DNS resolver is used. Because name services such as NIS and NIS+ contain only information about hosts in their own network, the effect of a hosts: nis dns line in a switch file is to specify the use of NIS for local host information and DNS for information on remote hosts on the Internet. If the resolver queries a name server, the server returns either the requested information or a referral to another server.

Name-to-address mapping occurs if a program running on your local system needs to contact a remote computer. The program most likely knows the hostname of the remote computer but might not know how to locate it, particularly if the remote system is in another network. To obtain the remote system’s address, the program requests assistance from the DNS software running on your local system, which is considered a DNS client.

The DNS client sends a request to a DNS name server, which maintains the distributed DNS database. Each DNS server implements DNS by running a daemon called in.named. When run without any arguments, in.named reads the default configuration file /etc/named.conf, loads DNS zones it is responsible for, and listens for queries from the DNS clients.

The files in the DNS database bear little resemblance to the NIS+ host table or even to the local /etc/hosts file, although they maintain similar information: the hostnames, IP addresses, and other information about a particular group of computers. The name server uses the hostname that your system sent as part of its request to find or “resolve” the IP address of the remote system. It then returns this IP address to your local system if the hostname is in its DNS database.

If the hostname is not in that name server’s DNS database, this indicates that the system is outside its authority—or, to use DNS terminology, outside the local administrative domain. If your network is connected to the Internet, external servers are consulted to try and resolve the hostname.

Because maintaining a central list of domain name/IP address correspondences would be impractical, the lists of domain names and IP addresses are distributed throughout the Internet in a hierarchy of authority. A DNS server maps the domain names in your Internet requests or forwards them to other servers on the Internet. It is probably provided by your Internet access provider.

Lightweight Directory Access Protocol (LDAP)

LDAP is the latest name-lookup service to be added to Solaris. It can be used in conjunction with or in place of NIS+ or DNS. Specifically, LDAP is a directory service. A directory service is like a database, but it contains more descriptive, attribute-based information. The information in a directory is generally read, not written.

LDAP is used as a resource locator, but it is practical only in read-intensive environments in which you do not need frequent updates. LDAP can be used to store the same information that is stored in NIS or NIS+. Use LDAP as a resource locator for an online phone directory to eliminate the need for a printed phone directory. This application is mainly read-intensive, but authorized users can update the contents to maintain its accuracy.

LDAP provides a hierarchical structure that more closely resembles the internal structure of an organization and can access multiple domains, similar to DNS or NIS+. NIS provides only a flat structure and is accessible by only one domain. In LDAP, directory entries are arranged in a hierarchical, tree-like structure that reflects political, geographic, or organizational boundaries. Entries representing countries appear at the top of the tree. Below them are entries representing states or national organizations. Below them might be entries representing people, organizational units, printers, documents, or just about anything else you can think of.

LDAP has provisions for adding and deleting an entry from the directory, changing an existing entry, and changing the name of an entry. Most of the time, though, LDAP is used to search for information in the directory.

NOTE

LDAP information: LDAP is a protocol that email programs can use to look up contact information from a server. For instance, every email program has a personal address book, but how do you look up an address for someone who has never sent you email? Client programs can ask LDAP servers to look up entries in a variety of ways. The LDAP search operation allows some portion of the directory to be searched for entries that match some criteria specified by a search filter.

LDAP servers index all the data in their entries, and filters may be used to select just the person or group you want and return just the information you want to see. Information can be requested from each entry that matches the criteria. For example, here’s an LDAP search translated into plain English: “Search people located in Hudsonville whose names contain ‘Bill’ and who have an email address. Return their full name and email address.”

Perhaps you want to search the entire directory subtree below the University of Michigan for people with the name Bill Calkins, retrieving the email address of each entry found. LDAP lets you do this easily. Or, you might want to search the entries directly below the U.S. entry for organizations with the string “Pyramid” in their names and that have a fax number. LDAP lets you do this.

Some directory services provide no protection, allowing anyone to see the information. LDAP provides a method for a client to authenticate, or prove, its identity to a directory server, paving the way for rich access control to protect the information the server contains.

LDAP was designed at the University of Michigan to adapt a complex enterprise directory system, called X.500, to the modern Internet. A directory server runs on a host computer on the Internet, and various client programs that understand the protocol can log in to the server and look up entries. X.500 is too complex to support on desktops and over the Internet, so LDAP was created to provide this service to general users.

Sun Java System Directory Server

Sun Java System Directory Server is a Sun product that provides a centralized directory service for your network and is used to manage an enterprise-wide directory of information, including the following:

. Physical device information, such as data about the printers in your organization. This could include information on where they are located, whether they support color or duplexing, the manufacturer and serial number, company asset tag information, and so on.

. Public employee information, such as name, phone number, email address, and department.

. Logins and passwords.

. Private employee information, such as salary, employee identification numbers, phone numbers, emergency contact information, and pay grade.

. Customer information, such as the name of a client, bidding information, contract numbers, and project dates.

Sun Java System Directory Server meets the needs of many applications. It provides a standard protocol and a common application programming interface (API) that client applications and servers need to communicate with each other.

As discussed earlier, Java System Directory Server provides a hierarchical namespace that can be used to manage anything that has previously been managed by the NIS and NIS+ name services. The advantages of the Java System Directory Server over NIS and NIS+ are listed here:

. It gives you the capability to consolidate information by replacing application-specific databases. It also reduces the number of distinct databases to be managed.

. It allows for more frequent data synchronization between masters and replicas.

. It is compatible with multiple platforms and vendors.

. It is more secure.

Because LDAP is platform-independent, it very likely will eventually replace NIS and NIS+, providing all the functionality once provided by these name services.

The Java System Directory Server runs as the ns-slapd process on your directory server. The server manages the directory databases and responds to all client requests. Each host in the domain that uses resources from the LDAP server is referred to as an LDAP client.

Setting Up the LDAP Client

It’s not within the scope of this chapter to describe how to set up an LDAP server; this requires an in-depth working knowledge of LDAP. For background information on LDAP and Java System Directory Server, refer to the System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) Guide available at http://docs.sun.com.

It’s assumed that the LDAP server has already been configured as a naming service with the appropriate client profiles in place. The scope of this chapter is to describe how to set up the LDAP client.

Before setting up the LDAP client, a few things must already be in place:

. The client’s domain name must be served by the LDAP server.

. The nsswitch.conf file must point to LDAP for the required services. This would be achieved by copying the file /etc/nsswitch.ldap to /etc/nsswitch.conf.

. At least one server for which a client is configured must be up and running.

The ldapclient utility is used to set up the LDAP client. ldapclient assumes that the server has already been configured with the appropriate client profiles. The LDAP client profile consists of configuration information that the client uses to access the LDAP information on the LDAP server. You must install and configure the LDAP server with the appropriate profiles before you can set up any clients.

To initialize a client using a profile, log in as root.

Run the ldapclient command as follows:

# ldapclient init -a profileName=new -a domainName=east.example.com 192.168.0.1<cr>


Whereas init initializes the host as an LDAP client, profileName refers to an existing profile on the LDAP server. domainName refers to the domain for which the LDAP server is configured.

The system responds with this:

System successfully configured

To initialize a client using a proxy account, run the ldapclient command as follows:

# ldapclient init -a proxyDN=proxyagent \
-a profileName=new \
-a domainName=east.example.com \
-a proxyPassword=test0000 \
192.168.0.1<cr>

The proxyDN and proxyPassword parameters are necessary if the profile is to be used as a proxy. The proxy information is stored in the file /var/ldap_client_cred. The remaining LDAP client information is stored in the file /var/ldap_client_file.

Modifying the LDAP Client

After the LDAP client has been set up, it can be modified using the ldapclient mod command. One of the things you can change here is the authentication mechanism used by the client. If no particular encryption service is being used, set this to simple, as shown here:

# ldapclient mod -a authenticationMethod=simple<cr>

Listing the LDAP Client Properties

To list the properties of the LDAP client, use the ldapclient list command as shown here:

# ldapclient list<cr>
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent
NS_LDAP_BINDPASSWD= <encrypted password>
NS_LDAP_SERVERS= 192.168.0.1
NS_LDAP_AUTH= simple
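The ldapclient list output is also the quickest place to see how a client binds to the directory: with simple and no TLS, the proxy account's password crosses the network unencrypted. The review script below is an added example, not from the book; the function name and the WEAK/OK/INFO labels are hypothetical, and the tls:-prefixed authenticationMethod values it recognizes come from the ldapclient(1M) manual page rather than from this chapter.

```shell
#!/bin/sh
# Added example: review "ldapclient list" output for weak bind settings.
# audit_ldapclient (hypothetical name) reads the listing on stdin and prints
# one finding per line.
audit_ldapclient() {
    awk '
    {
        eq = index($0, "=")              # split at the first "=" only
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        conf[key] = val
    }
    END {
        # NS_LDAP_AUTH may list several methods separated by ";".
        n = split(conf["NS_LDAP_AUTH"], method, ";")
        if (n == 0)
            print "INFO: no NS_LDAP_AUTH value in the listing"
        for (i = 1; i <= n; i++) {
            m = method[i]
            if (m == "none")
                print "WEAK: none binds anonymously"
            else if (m == "simple")
                print "WEAK: simple sends the bind password unencrypted"
            else if (m ~ /^tls:/)
                print "OK: " m " protects the bind with TLS"
            else
                print "INFO: " m " is neither simple nor wrapped in TLS"
        }
        if ("NS_LDAP_BINDDN" in conf)
            print "INFO: proxy account " conf["NS_LDAP_BINDDN"] " is configured on this client"
        if ("NS_LDAP_BINDPASSWD" in conf)
            print "INFO: proxy password is stored locally; confirm only root can read the credential file"
    }'
}

# Listing copied from the example above.
audit_ldapclient <<'EOF'
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent
NS_LDAP_BINDPASSWD= <encrypted password>
NS_LDAP_SERVERS= 192.168.0.1
NS_LDAP_AUTH= simple
EOF
```

On a configured client the function can be run as ldapclient list | audit_ldapclient.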

Uninitializing the LDAP Client

To remove an LDAP client and restore the name service that was in use prior to initializing this client, use the ldapclient uninit command as follows:

# ldapclient uninit<cr>

The system responds with this:

System successfully recovered


Name Service Cache Daemon (nscd)

nscd is a daemon that runs on a Solaris system and provides a caching mechanism for the most common name service requests. It is automatically started when the system boots to a multiuser state. nscd provides caching for the following name service databases:

. passwd

. group

. hosts

. ipnodes

. exec_attr

. prof_attr

. user_attr

Because nscd is running all the time as a daemon, any nscd commands that are entered are passed to the already running daemon transparently. The behavior of nscd is managed via a configuration file /etc/nscd.conf. This file lists a number of tunable parameters for each of the supported databases just listed. The following is an example of the /etc/nscd.conf file:

debug-level 0

positive-time-to-live audit_user 3600
negative-time-to-live audit_user 5
keep-hot-count audit_user 20
check-files audit_user yes

positive-time-to-live auth_attr 3600
negative-time-to-live auth_attr 5
keep-hot-count auth_attr 20
check-files auth_attr yes

<output has been truncated>

Each line in this file specifies an attribute and a value. The attributes are described in Table 5.9.

Table 5.9 /etc/nscd.conf Attributes

Attribute    Description

logfile <debug-file-name>    Specifies the name of the file where debug info should be written. /dev/tty is used for standard output.

debug-level <value>    Sets the desired debug level, 0 to 10. The default is 0.

enable-cache <cachename> <value>    Enables or disables the specified cache. <value> may be either yes or no.

positive-time-to-live <cachename> <value>    Sets the time-to-live for positive entries (successful queries) in the specified <cachename>. <value> is in integer seconds. Larger values can be specified to increase the cache hit rates and reduce mean response times, but this can increase problems with cache coherence.

negative-time-to-live <cachename> <value>    Sets the time-to-live for negative entries (unsuccessful queries) in the specified <cachename>. <value> is in integer seconds. This attribute can be adjusted to significantly improve performance if there are several files owned by UIDs not found in the system databases. The <value> should be kept small to reduce cache coherency problems.

The syntax for the nscd command is as follows:

nscd [-f configuration-file] [-g] [-e cachename , yes | no] [-i cachename]

The options for the nscd command are described in Table 5.10.

Table 5.10 nscd Command Options

Option    Description

-f <configuration-file>    Causes nscd to read its configuration data from the specified file.

-g    Displays current configuration and statistical data.

-e <cachename>, yes|no    Enables or disables the specified cache.

-i <cachename>    Invalidates the specified cache.

Whenever a change is made to the name service switch file, /etc/nsswitch.conf, the nscd daemon must be stopped and started so that the changes take effect. The commands to stop and start nscd have changed because the cache daemon is now managed by the Service Management Facility (SMF). The commands to use are as follows:

# svcadm restart system/name-service-cache<cr>

Restarting nscd restarts the nscd daemon, forces the nscd daemon to reread its configuration file, /etc/nscd.conf, and clears out any information that the nscd daemon may have stored in its cache.

Statistics can be obtained from nscd by running the command with the -g flag. This is the only option that can be run by a nonprivileged user. The truncated output that follows shows the results of the cache statistics for the hosts database:


# nscd -g
[...output truncated...]
hosts cache:

Yes cache is enabled
44 cache hits on positive entries
0 cache hits on negative entries
3 cache misses on positive entries
1 cache misses on negative entries
91.7% cache hit rate
0 queries deferred
4 total entries
211 suggested size
3600 seconds time to live for positive entries
5 seconds time to live for negative entries
20 most active entries to be kept valid
Yes check /etc/{passwd, group, hosts, inet/ipnodes} file for changes
No use possibly stale data rather than waiting for refresh

[...output truncated...]

The getent Command

The getent command is a generic user interface that is used to get a list of entries from any of the name service databases. getent consults each name service database in the order listed in the /etc/nsswitch.conf file.

The syntax for the getent command is shown in the following code:

getent database [key...]

The options for the getent command are described in Table 5.11.

Table 5.11 getent Command Options

Option    Description

database    The name of the database to be examined. This can be hosts, group, passwd, ipnodes, services, protocols, ethers, networks, or netmasks.

Key ...    An appropriate key for the specified database. For example, hostname or IP address for the hosts database. Multiple keys can be specified.

The getent command displays the entries of the specified database that match each of the keys. If no key is specified, all entries are printed. The following example looks at the root entry of the passwd database:

# getent passwd root<cr>
root:x:0:1:Super-User:/:/sbin/sh


Summary

This chapter covered all the name service topics that are included in the Solaris 10 System Administrator exams. This includes the local files in the /etc directory, NIS, NIS+, DNS, and LDAP.

This chapter described how to configure the master server, slave servers, and clients for the most commonly used name service, NIS. Configuring clients for DNS and LDAP was also covered briefly. The name service switch file used by the operating system for any network information lookups was covered.

In addition, this chapter described the Sun Java System Directory Server that could soon replace NIS+, and eventually NIS. If you will be migrating from NIS+, you can refer to the section titled “Transitioning from NIS+ to LDAP” in the Solaris 10 System Administration Guide: Naming and Directory Services (NIS+), which is available on the Solaris Documentation CD and the online documentation site, http://docs.sun.com.

Finally in this chapter, we described the Name Service Cache Daemon used to speed up requests for the most common name service requests, and also the getent command, which is used to retrieve entries from specified name service databases.

Of course, better understanding of the naming services will come as you use the systems described and become experienced over time. Many large networks that use a name service are heterogeneous, meaning that they have more than just Solaris systems connected to the network. Refer to the vendor’s documentation for each particular system to understand how each different operating system implements name services. You will see that most are similar in their implementation, with only subtle differences.

Key Terms

. DNS

. DNS resolver

. Hierarchical namespace

. LDAP

. Makefile

. Master NIS server

. Name service

. Name service switch

. NIS


. NIS client

. NIS map

. NIS security (passwd.adjunct)

. NIS source file

. NIS+

. NIS+ authorization (four classes and four types of access rights)

. NIS+ objects

. NIS+ security levels (three levels)

. nscd (Name Service Cache Daemon)

. /var/yp/securenets file

. Slave NIS server

Apply Your Knowledge

Exercises

For these exercises, you’ll need two Solaris systems attached to a network. One system will be configured as the NIS master server, and the other will be the NIS client.

5.1 Setting Up the NIS Master Server

In this exercise, you’ll go through the steps to set up your NIS master server.

Estimated time: 20 minutes

1. Log in as root.

2. Set your domain name if it is not already set:

# domainname <yourname>.com<cr>

Populate the /etc/defaultdomain file with your domain name:

# domainname > /etc/defaultdomain<cr>

3. On the system that will become your master NIS server, create the master /var/yp/passwd, /var/yp/group, and /var/yp/hosts files. Follow the instructions described in this chapter to create these files.


4. Change entries for /etc to /var/yp in /var/yp/Makefile as follows:

Change this:

DIR = /etc
PWDIR = /etc

to this:

DIR = /var/yp
PWDIR = /var/yp

5. Create the name service switch file by copying the NIS template file as follows:

# cp /etc/nsswitch.nis /etc/nsswitch.conf<cr>

6. Run the ypinit command as follows to set up this system as the NIS master:

# ypinit -m<cr>

When asked for the next host to add as an NIS slave server, press Ctrl+D. For this exercise, we will not add an NIS slave server.

Indicate you do not want ypinit to quit on nonfatal errors by typing N when asked.

You’ll know the process was successful when you get the message indicating that the current system was set up as a master server without any errors.

7. Start up the NIS service on the master server by running

# svcadm enable network/nis/server<cr>

8. Verify that the NIS master server is up by typing

# ypwhich -m<cr>

5.2 Setting Up the NIS Client

In this exercise, you’ll go through the steps to set up your NIS client.

Estimated time: 10 minutes

1. Log in as root.

2. Set your domain name if it is not already set:

# domainname <yourname>.com<cr>

Populate the /etc/defaultdomain file with your domain name:

# domainname > /etc/defaultdomain<cr>

3. Create the name service switch file by copying the NIS template file as follows:

# cp /etc/nsswitch.nis /etc/nsswitch.conf<cr>


4. Configure the client system to use NIS by running the ypinit command:

# ypinit -c<cr>

You are asked to identify the NIS server from which the client can obtain name service information. Type the NIS master server name, followed by a carriage return.

When asked for the next host to add, press Ctrl+D.

5. Start the NIS daemons by executing the following script:

# svcadm enable network/nis/server<cr>

6. Verify that the NIS client is bound to the NIS master by typing

# ypwhich<cr>

The master server name should be displayed.

7. Test the NIS client by logging out and logging back in using a login name that is no longer in thelocal /etc/passwd file and is managed by NIS.

Exam Questions

1. Which of the following services stores information that users, systems, and applications must have access to in order to communicate across the network, in a central location?

❍ A. NIS

❍ B. NFS service

❍ C. Automount

❍ D. AutoFS

2. Which of the following is not a Solaris name service?

❍ A. DES

❍ B. /etc

❍ C. NIS+

❍ D. DNS

3. Which of the following is the traditional UNIX way of maintaining information about hosts, users, passwords, groups, and automount maps?

❍ A. DNS

❍ B. NIS

❍ C. NIS+

❍ D. /etc

4. What are the NIS administration databases called?

❍ A. Files

❍ B. Tables

❍ C. Maps

❍ D. Objects

5. What is the set of maps shared by the servers and clients called?

❍ A. A table

❍ B. An object

❍ C. The NIS Namespace

❍ D. None of the above

6. When you add a new system to a network running NIS, you have to update the input file in the master server and run which of the following?

❍ A. makedbm

❍ B. make

❍ C. yppush

❍ D. ypinit

7. Which of the following commands is used to display the values in an NIS map?

❍ A. ypcat

❍ B. ypwhich

❍ C. ypserv

❍ D. ypbind

8. Which of the following commands can be used to determine which server is the master of a particular map?

❍ A. ypbind

❍ B. ypcat

❍ C. ypserv

❍ D. ypwhich -m

9. Which of the following propagates a new version of an NIS map from the NIS master server to NIS slave servers?

❍ A. ypinit

❍ B. yppush

❍ C. make

❍ D. yppoll

10. Which of the following sets up master and slave servers and clients to use NIS?

❍ A. makedbm

❍ B. make

❍ C. ypinit

❍ D. yppush

11. Which of the following is the configuration file for the name service switch?

❍ A. nsswitch.conf

❍ B. resolve.conf

❍ C. /etc/netconfig

❍ D. nsswitch.nis

12. Each line of which of the following files identifies a particular type of network information, such as host, password, and group, followed by one or more sources, such as NIS+ tables, NIS maps, the DNS hosts table, or local /etc?

❍ A. resolve.conf

❍ B. nsswitch.conf

❍ C. /etc/netconfig

❍ D. nsswitch.nis

13. In the name service switch file, what does the following entry mean if the NIS naming service is being used?

hosts: nis [NOTFOUND=return] files

❍ A. Search the NIS map and then the local /etc/hosts file.

❍ B. Search only the NIS hosts table in the NIS map.

❍ C. Search only the /etc/hosts file.

❍ D. Do not search the NIS hosts table or the local /etc/hosts file.

14. Which name service switch template files are found in Solaris 10? (Choose two.)

❍ A. nsswitch.files

❍ B. nsswitch.nis+

❍ C. nsswitch.nisplus

❍ D. nsswitch.fns

15. What are the four types of NIS+ access rights?

❍ A. Read, write, create, modify

❍ B. Read, write, execute, no access

❍ C. Read, write, delete, modify

❍ D. Read, modify, create, destroy

16. Which of the following is the name service provided by the Internet for TCP/IP networks?

❍ A. DNS

❍ B. NIS

❍ C. NIS+

❍ D. None of the above

17. Each server implements DNS by running a daemon called what?

❍ A. named

❍ B. in.named

❍ C. nfsd

❍ D. dnsd

18. The primary task of DNS is to provide what?

❍ A. Security service

❍ B. Name-to-address resolution

❍ C. Name service

❍ D. Namespace services

19. Which of the following describes the difference between NIS+ authentication and authorization?

❍ A. Authentication is checking whether the information requester is a valid user on the network, and authorization determines whether the particular user is allowed to have or modify the information.

❍ B. Authorization is checking whether the information requester is a valid user on the network, and authentication determines whether the particular user is allowed to have or modify the information.

20. This file determines how a particular type of information is obtained and in which order the naming services should be queried. Which file is being described?

❍ A. /etc/nsswitch.conf

❍ B. /etc/resolve.conf

❍ C. /etc/nsswitch.nis

❍ D. /etc/nsswitch.nisplus

21. How many name services does Solaris 10 support?

❍ A. Three

❍ B. Four

❍ C. Five

❍ D. Six

22. Which of the following is the name service used by the Internet?

❍ A. DNS

❍ B. NIS

❍ C. NIS+

❍ D. DES

23. Which of the following commands is used to set up an NIS master server?

❍ A. ypserver -m

❍ B. nisinit -m

❍ C. nisserver -m

❍ D. ypinit -m

Answers to Exam Questions

1. A. NIS stores information about workstation names, addresses, users, the network itself, and network services. For more information, see the “Name Services Overview” section.

2. A. DES is not a Solaris name service. For more information, see the “Name Services Overview” section.

3. D. /etc files are the traditional UNIX way of maintaining information about hosts, users, passwords, groups, and automount maps. For more information, see the “Name Services Overview” section.

4. C. The NIS administration databases are called maps. For more information, see the “Name Services Overview” section.

5. C. The set of maps shared by the servers and clients is called the NIS Namespace. For more information, see the “Name Services Overview” section.

6. B. To update the input file in the master server with a new system name, you execute the /usr/ccs/bin/make command. For more information, see the “Configuring an NIS Master Server” section.

7. A. Just as you use the cat command to display the contents of a text file, you can use the ypcat command to display the values in a map. For more information, see the “Configuring an NIS Master Server” section.

8. D. You can use the ypwhich -m command to determine which server is the master of a particular map. For more information, see the “Configuring an NIS Master Server” section.

9. B. The command yppush propagates a new version of an NIS map from the NIS master server to NIS slave servers. For more information, see the “Configuring an NIS Master Server” section.

10. C. The ypinit command builds and installs an NIS database and initializes the NIS client’s (and server’s) ypservers list. For more information, see the “Configuring an NIS Master Server” section.

11. A. In setting up the NIS, set up the name service switch, which involves editing the /etc/nsswitch.conf file. For more information, see the “The Name Service Switch” section.

12. B. Each line of the /etc/nsswitch.conf file identifies a particular type of network information, such as host, password, and group, followed by one or more sources, such as NIS+ tables, NIS maps, the DNS hosts table, or the local /etc. For more information, see the “The Name Service Switch” section.

13. B. The following entry in the nsswitch.nis template states that only the NIS hosts table in the NIS map is searched:

hosts: nis [NOTFOUND=return] files

For more information, see the “The Name Service Switch” section.

14. A, C. The following template files are available: nsswitch.files, nsswitch.nisplus, nsswitch.nis, nsswitch.dns, and nsswitch.ldap. For more information, see the “The Name Service Switch” section.

15. D. Access rights are similar to file permissions. The four types of access rights are read, modify, create, and destroy. For more information, see the “NIS+ Security” section.

16. A. DNS is the name service provided by the Internet for Transmission Control Protocol/Internet Protocol (TCP/IP) networks. For more information, see the “DNS” section.

17. B. Each server implements DNS by running a daemon called in.named. For more information, see the “DNS” section.

18. B. The process of finding a computer’s IP address by using its hostname as an index is referred to as name-to-address resolution, or mapping. The primary task of DNS is to provide name-to-address resolution. For more information, see the “DNS” section.

19. A. Authentication is used to identify NIS+ principals. An NIS+ principal can be a client user or a client workstation. Every time a principal (user or system) tries to access an NIS+ object, the user’s identity and secure RPC password are confirmed and validated. Authorization is used to specify access rights. For more information, see the “NIS+ Security” section.

20. A. The /etc/nsswitch.conf file determines how a particular type of information is obtained and in which order the naming services should be queried. For more information, see the “The Name Service Switch” section.

21. C. Solaris 10 supports five name services: /etc files, NIS, NIS+, DNS, and LDAP. For more information, see the “Name Services Overview” section.

22. A. DNS is the name service used by the Internet. For more information, see the “DNS” section.

23. D. To build new maps on the master server, type /usr/sbin/ypinit -m. For more information, see the “Configuring an NIS Master Server” section.
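The switch entry discussed in questions 12, 13, and 20 can be traced with a short simulation. The following Python sketch is an added example, not code from the book; it applies the default status actions documented in nsswitch.conf(4) (SUCCESS=return; NOTFOUND, UNAVAIL, and TRYAGAIN=continue), and the host tables, the host name oldbox, and the function names are constructed for illustration.

```python
import re

# Default action for each status code, as documented in nsswitch.conf(4).
DEFAULT_ACTIONS = {
    "SUCCESS": "return",
    "NOTFOUND": "continue",
    "UNAVAIL": "continue",
    "TRYAGAIN": "continue",
}


def parse_entry(line):
    """Parse 'database: source [STATUS=action] source ...'.

    Returns (database, [(source, {status: action}), ...]).
    """
    line = line.split("#", 1)[0].strip()
    database, sep, rest = line.partition(":")
    if not sep or not database.strip():
        raise ValueError("not an nsswitch.conf entry: %r" % line)
    sources = []
    for token in re.findall(r"\[[^\]]*\]|[^\s\[\]]+", rest):
        if not token.startswith("["):
            sources.append((token, dict(DEFAULT_ACTIONS)))
            continue
        if not sources:
            raise ValueError("criterion appears before any source")
        for criterion in token[1:-1].split():
            status, _, action = criterion.partition("=")
            status, action = status.upper(), action.lower()
            if status not in DEFAULT_ACTIONS or action not in ("return", "continue"):
                raise ValueError("bad criterion: %r" % criterion)
            # A criterion overrides the default for the source before it.
            sources[-1][1][status] = action
    if not sources:
        raise ValueError("entry lists no sources")
    return database.strip(), sources


def lookup(sources, tables, key):
    """Walk the sources in order and return (value, trace).

    tables maps a source name to a dict of entries, or to None when the
    source cannot be reached (status UNAVAIL).
    """
    trace = []
    for name, actions in sources:
        table = tables.get(name)
        if table is None:
            status = "UNAVAIL"
        elif key in table:
            status = "SUCCESS"
        else:
            status = "NOTFOUND"
        trace.append((name, status))
        if actions[status] == "return":
            value = table[key] if status == "SUCCESS" else None
            return value, trace
    return None, trace


# Constructed sample data: the NIS hosts map, and a local /etc/hosts that
# still carries an entry (oldbox) the NIS map does not have.
NIS_HOSTS = {"sparc1": "192.168.1.10"}
LOCAL_HOSTS = {"sparc1": "192.168.1.10", "oldbox": "192.168.1.99"}


def demo():
    """Resolve 'oldbox' under three conditions and return the outcomes."""
    _, strict = parse_entry("hosts: nis [NOTFOUND=return] files")
    _, relaxed = parse_entry("hosts: nis files")
    nis_up = {"nis": NIS_HOSTS, "files": LOCAL_HOSTS}
    nis_down = {"nis": None, "files": LOCAL_HOSTS}
    return {
        "strict, NIS answering": lookup(strict, nis_up, "oldbox"),
        "strict, NIS unreachable": lookup(strict, nis_down, "oldbox"),
        "no criterion, NIS answering": lookup(relaxed, nis_up, "oldbox"),
    }


if __name__ == "__main__":
    for label, (value, trace) in demo().items():
        print("%-28s -> %s via %s" % (label, value, trace))
```

With the criterion in place, the local file is consulted only when NIS cannot be reached, so a stale /etc/hosts entry is ignored in normal operation but becomes the answer during an NIS outage.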

Suggested Reading and Resources

Solaris 10 Documentation CD: System Administration Guide: Advanced Administration and System Administration Guide: Naming and Directory Services manuals.

http://docs.sun.com. Solaris 10 documentation set. System Administration Guide: Advanced Administration and System Administration Guide: Naming and Directory Services books in the System Administration collection.

Chapter 6: Solaris Zones

Objectives

The following test objectives for exam CX-310-202 are covered in this chapter:

. Explain consolidation issues, features of Solaris zones, and decipher between the different zone concepts, including zone types, daemons, networking, command scope and, given a scenario, create a Solaris zone.

This chapter helps you understand the components of the new zones feature, first introduced in Solaris 10. It describes the zone concepts and how they fit into the overall container structure.

. Given a zone configuration scenario, identify zone components and zonecfg resource parameters, allocate file system space, use the zonecfg command, describe the interactive configuration of a zone, and view the zone configuration file.

This chapter explains the different components of a zone and how to carry out zone configuration. It also describes the zone configuration and the mechanism to verify that a zone has been configured correctly.

. Given a scenario, use the zoneadm command to view, install, boot, halt, and reboot a zone.

In this chapter, we create a zone. You’ll see how to install zones, check the status of installed zones, boot and reboot, as well as uninstall and remove zones. We also show how zones are viewed from a global zone.

Outline

Introduction

Consolidation and Resource Management

Consolidation

Solaris Zones

Types of Zones

Zone States

Zone Features

Nonglobal Zone Root File System Models

Sparse Root Zones

Whole Root Zones

Networking in a Zone Environment

Zone Daemons

Configuring a Zone

The zonecfg Command

Viewing the Zone Configuration

Installing a Zone

Booting a Zone

Halting a Zone

Rebooting a Zone

Uninstalling a Zone

Deleting a Zone

Zone Login

Initial Zone Login

Using a sysidcfg File

Logging in to the Zone Console

Logging in to a Zone

Running a Command in a Zone

Creating a Zone

Making Modifications to an Existing Zone

Moving a Zone

Migrating a Zone

Cloning a Zone

Backing Up a Zone

Summary

Key Terms

Apply Your Knowledge

Exercise

Exam Questions

Answers to Exam Questions

Suggested Reading and Resources

Study Strategies

The following strategies will help you prepare for the test:

. Make sure you are familiar with all the concepts introduced in this chapter, particularly the types of zones and the commands used to create, manipulate, and manage them.

. Practice the step-by-step examples provided in this chapter on a Solaris system. Be sure that you understand each step and can describe the process of setting up a zone, installing and booting a zone, as well as uninstalling and deleting a zone.

. You need to know all the terms listed in the “Key Terms” section near the end of this chapter.

. Understand each of the commands described in this chapter. Get familiar with all the options, especially the ones used in the examples. You’ll see questions on the exam related to the zonecfg, zoneadm, and zlogin commands.

Introduction

Solaris zones is a major new feature of Solaris 10 and provides additional facilities that were not available in previous releases of the Operating Environment. Zones allow virtual environments to run on the same physical system. Previously, the only way of compartmenting an environment was to purchase a separate server, or use an expensive high-end server capable of physical partitioning, such as the Starfire servers. Now you can create virtual environments on any machine capable of running the Solaris 10 Operating Environment.

Zones provide a virtual operating system environment within a single physical instance of Solaris 10. Applications can run in an isolated and secure environment. This isolation prevents an application running in one zone from monitoring or affecting an application running in a different zone. A further important aspect of zones is that a failing application, such as one that would traditionally have leaked all available memory, or exhausted all CPU resources, can be limited to affect only the zone in which it is running. This is achieved by limiting the amount of physical resources on the system that the zone can use.

The following are features provided by zones:

. Security: When a process is created in a zone, that process (and any of its children) cannot change zones or affect other zones.

Network services can be isolated to each zone so that if a network service is compromised in a zone, activities using that service affect only that zone.

. Isolation: Multiple applications can be deployed on the same machine, each in different zones. An application in one zone does not affect applications in another zone on the same system.

Each zone has its own set of user accounts, root account, and passwords.

. Network isolation: Allows the zone to have an exclusive IP, allowing the zone to run on a different LAN or VLAN (when used on an exclusive NIC) than the global zone.

. Virtualization: In a virtualized environment, each zone is administered separately. Details about the system’s physical devices and primary IP address are hidden from the applications in each zone.

. Granularity: Hardware resources can be shared between several zones or allocated on a per-zone basis using Solaris resource management tools.

. Environment: Zones provide the same standard Solaris interfaces and application environment that applications expect on a Solaris 10 system. In fact, with branded zones, it is possible to run a different operating environment inside a nonglobal zone, such as a Solaris 8, Solaris 9, or Linux environment.

You might be familiar with VMware, which is available on x86-compatible computers. It is used to host multiple OS instances on a single computer. Zones differ from VMware in that VMware uses large amounts of the system’s CPU capacity to manage the VMware environments. With zones, the system overhead is negligible. In most cases, several dozen zones can take up less than 1% of the system’s resources. The best comparison of zones to existing technology would be FreeBSD Jails.

This chapter looks at the whole concept of Solaris zones and how to configure and create a zone, make it operational, and then remove it. Resource management is not an objective for exam CX-310-202, but a brief introduction is included in this chapter to help put the zones feature in the correct context.

CAUTION

Zones and containers: Some people refer to zones and containers interchangeably, as if they are the same thing. This is incorrect. Containers are a technology that combines a zone with the operating system’s Resource Management (RSM) features. With containers, a system administrator can use the resource management facility to allocate resources such as memory and CPU to applications and services within each zone. Therefore, Solaris zones is a subset of containers, so the two terms should not be used interchangeably.

Consolidation and Resource Management

Resource management (RSM) is one of the components of the Solaris 10 containers technology. It allows you to do the following:

. Allocate specific computer resources, such as CPU time and memory.

. Monitor how resource allocations are being used, and adjust the allocations when required.

. Generate more detailed accounting information. The extended accounting feature of Solaris 10 provides this facility.

. A new resource capping daemon (rcapd) allows you to regulate how much physical memory is used by a project by “capping” the overall amount that can be used. Remember that a project can be a number of processes or users, so it provides a useful control mechanism for a number of functions.

Using the resource management facility is beyond the scope of this book and is not covered on the CX-310-202 certification exam. For more information on RSM, refer to the Sun Microsystems “Solaris Containers—Resource Management and Solaris Zones” administration guide, described at the end of this chapter.

Consolidation

The resource management feature of Solaris containers is extremely useful when you want to consolidate a number of applications to run on a single server.

Consolidation has become more popular in recent years because it reduces the cost and complexity of having to manage numerous separate systems. You can consolidate applications onto fewer, larger, more scalable servers, and also segregate the workload to restrict the resources that each can use.

Previously, a number of applications would run on separate servers, with each application having full access to the system on which it is running. Using the resource management feature, multiple workloads can now be run on a single server, providing an isolated environment for each, so that one workload cannot affect the performance of another.

Resource pools can be utilized to group applications, or functions, together and control their resource usage globally, such as the maximum amount of CPU resource or memory. Additionally, the resource management feature can tailor the behavior of the Fair Share Scheduler (FSS) to give priority to specific applications. This is very useful if you need to allocate additional resources to a group of resources for a limited period of time. An example of this would be when a company runs end-of-month reports. Before resource management was introduced, this would have meant that a larger server would be needed to accommodate the resource requirement, even though it would be used to its capacity only once a month. Now the resources can be allocated according to priority, allowing the server to be more efficiently utilized.

Solaris Zones

Objectives

. Explain consolidation issues and features of Solaris zones, and decipher between the different zone concepts including zone types, daemons, networking, command scope, and given a scenario, create a Solaris zone.

. Given a zone configuration scenario, identify zone components and zonecfg resource parameters, allocate file system space, use the zonecfg command, describe the interactive configuration of a zone, and view the zone configuration file.

. Given a scenario, use the zoneadm command to view, install, boot, halt, and reboot a zone.

The zones technology provides virtual operating system services to allow applications to run in an isolated and secure environment. A zone is a virtual environment that is created within a single running instance of the Solaris Operating Environment. Applications running in a zone environment cannot affect applications running in a different zone, even though they exist and run on the same physical server. Even a privileged user in a zone cannot monitor or access processes running in a different zone.

Types of Zones

The two types of zones are global and nonglobal. Think of a global zone as the server itself, the traditional view of a Solaris system as we all know it, where you can log in as root and have full control of the entire system. The global zone is the default zone and is used for system-wide configuration and control. Every system contains a global zone and there can only be one global zone on a physical Solaris server.

A nonglobal zone is created from the global zone and also managed by it. You can have up to 8,192 nonglobal zones on a single physical system. The only real limitation is the capability of the server itself. Applications that run in a nonglobal zone are isolated from applications running in a separate non-global zone, allowing multiple versions of the same application to run on the same physical server.

By default, a nonglobal zone has the same operating system and characteristics of the global zone, because they share the same kernel. Beginning with Solaris 10 version 08/07, it is possible to run a different operating environment inside a nonglobal zone. This is called a branded zone (BrandZ). It allows the creation of brands, which allow an alternative runtime configuration within each zone. This brand could be used to “emulate” Solaris 8, Solaris 9, or even Linux. For example, the lx brand provides a Linux environment for the x86/x64-based platforms. The zone does not actually run the Linux OS. It enables binary applications designed for specific distributions of Linux to run unmodified within the Solaris zone.

In branded zones, the brand defines the operating environment to be installed and how the system will behave within the zone.

Zone States

Nonglobal zones are referred to simply as zones and can be in a number of states depending on the current state of configuration or readiness for operation. You should note that zone states refer only to nonglobal zones, because the global zone is always running and represents the system itself. The only time the global zone is not running is when the server has been shut down.

Table 6.1 describes the six states that a zone can be in.

Table 6.1 Zone States

| State | Description |
| --- | --- |
| Configured | A zone is in this state when the configuration has been completed and storage has been committed. Additional configuration that must be done after the initial reboot has yet to be done. |
| Incomplete | A zone is set to this state during an install or uninstall operation. Upon completion of the operation, it changes to the correct state. |
| Installed | A zone in this state has a confirmed configuration. The zoneadm command is used to verify that the zone will run on the designated Solaris system. Packages have been installed under the zone’s root path. Even though the zone is installed, it still has no virtual platform associated with it. |
| Ready | The zone’s virtual platform is established. The kernel creates the zsched process, the network interfaces are plumbed and file systems are mounted. The system also assigns a zone ID at this state, but no processes are associated with this zone. |
| Running | A zone enters this state when the first user process is created. This is the normal state for an operational zone. |
| Shutting Down + Down | Transitional states that are visible only while a zone is in the process of being halted. If a zone cannot shut down for any reason, it also displays this state. |

EXAM ALERT

Know your zone states: The exam often has at least one question about the different zone states. Pay particular attention to the differences between the configured, installed, ready, and running states. You may get a question that asks you to match the correct state to the correct description.

Zone Features

This section describes the features of both the global zone and nonglobal zones.

EXAM ALERT

Be very familiar with the characteristics of the global zone and the nonglobal zone. Several questions on the exam will require you to thoroughly understand these characteristics.

The global zone has the following features:

. The global zone is assigned zone ID 0 by the system.

. It provides the single bootable instance of the Solaris Operating Environment that runs on the system.

. It contains a full installation of Solaris system packages.

. It can contain additional software, packages, files, or data that was not installed through the packages mechanism.

. It contains a complete product database of all installed software components.

. It holds configuration information specific to the global zone, such as the global zone hostname and the file system table.

. It is the only zone that is aware of all file systems and devices on the system.

. It is the only zone that is aware of nonglobal zones and their configuration.

. It is the only zone from which a nonglobal zone can be configured, installed, managed, and uninstalled.

Nonglobal zones have the following features:

. The nonglobal zone is assigned a zone ID by the system when it is booted.

. It shares the Solaris kernel that is booted from the global zone.

. It contains a subset of the installed Solaris system packages.

. It can contain additional software packages, shared from the global zone.

. It can contain additional software packages that are not shared from the global zone.

. It can contain additional software, files, or data that was not installed using the package mechanism, or shared from the global zone.

. It contains a complete product database of all software components that are installed in the zone. This includes software that was installed independently of the global zone as well as software shared from the global zone.

. It is unaware of the existence of other zones.

. It cannot install, manage, or uninstall other zones, including itself.

. It contains configuration information specific to itself, the nonglobal zone, such as the nonglobal zone hostname and file system table, domain name, and NIS server.

. A nonglobal zone cannot be an NFS server.

NOTE

Zones: Only one kernel is running on the system, and it is running on the global zone. The nonglobal zones share this kernel. Therefore, all nonglobal zones are at the same kernel patch level as the global zone. However, for middleware applications such as Java Enterprise System, each zone can be patched on a per-zone basis.

Nonglobal Zone Root File System Models

A nonglobal zone contains its own root (/) file system. The size and contents of this file system depend on how you configure the global zone and the amount of configuration flexibility that is required.

There is no limit on how much disk space a zone can use, but the zone administrator, normally the system administrator, must ensure that sufficient local storage exists to accommodate the requirements of all nonglobal zones being created on the system.

The system administrator can restrict the overall size of the nonglobal zone file system by using any of the following:

. Standard disk partitions on a disk can be used to provide a separate file system for each nonglobal zone.

. Soft partitions can be used to divide disk slices or logical volumes into a number of partitions. Soft partitions are covered in Chapter 3, “Managing Storage Volumes.”

. Use a lofi-mounted file system to place the zone on. For further information on the loopback device driver, see the manual pages for lofi and lofiadm.

Sparse Root Zones

When you create a nonglobal zone, you have to decide how much of the global zone file system you want to be inherited from the global zone. A sparse root zone optimizes sharing by implementing read-only loopback file systems from the global zone and installing only a subset of the system root packages locally. The majority of the root file system is shared (inherited) from the global zone. Generally this model would require about 100MB of disk space when the global zone has all the standard Solaris packages installed. A sparse root zone uses the inherit-pkg-dir resource, where a list of inherited directories from the global zone is specified.

Whole Root Zones

This model provides the greatest configuration flexibility because all the required (and any other selected) Solaris packages are copied to the zone’s private file system, unlike the sparse root model, where loopback file systems are used. The disk space requirement for this model is considerably greater and is determined by evaluating the space used by the packages currently installed in the global zone.

Networking in a Zone Environment

On a system supporting zones, the zones can communicate with each other over the network, but even though the zones reside on the same physical system, network traffic is restricted so that applications running on a specified zone cannot interfere with applications running on a different zone.

Each zone has its own set of bindings and zones can all run their own network daemons. As an example, consider three zones all providing web server facilities using the apache package. Using zones, all three zones can host websites on port 80, the default port for http traffic, without any interference between them. This is because the IP stack on a system supporting zones implements the separation of network traffic between zones.

The only interaction allowed is for ICMP traffic to resolve problems, so that commands such as ping can be used to check connectivity.

Of course, when a zone is running, it behaves like any other Solaris system on the network in that you can telnet or ftp to the zone as if it were any other system, assuming that the zone has configured these network services for use.

When a zone is created, a dedicated IP address is configured that identifies the host associated with the zone. In reality, though, the zone’s IP address is configured as a logical interface on the network interface specified in the zone’s configuration parameters. Only the global zone has visibility of all zones on the system and can also inspect network traffic, using, for example, snoop.
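The logical-interface arrangement described above can be inventoried from the global zone. The following Python sketch is an added example, not code from the book; it assumes the `zone <name>` line that Solaris 10 `ifconfig -a` prints under a logical interface assigned to a zone, and the interface names, zone names, and addresses in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `ifconfig -a` output as seen from the global zone.
SAMPLE_IFCONFIG = """\
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        zone apps
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.0.10 netmask ffffff00 broadcast 192.168.0.255
bge0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone apps
        inet 192.168.0.43 netmask ffffff00 broadcast 192.168.0.255
bge0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone web
        inet 192.168.0.44 netmask ffffff00 broadcast 192.168.0.255
"""

# An interface stanza starts in column 0: "bge0:1: flags=..."
HEADER = re.compile(r"^(\S+): flags=")


def parse_ifconfig(text):
    """Return one dict per interface stanza: name, nic, zone, inet."""
    interfaces = []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            name = header.group(1)
            interfaces.append({
                "name": name,
                "nic": name.split(":")[0],   # physical interface part
                "zone": "global",            # no zone line means global zone
                "inet": None,
            })
            continue
        words = line.split()
        if interfaces and len(words) >= 2 and words[0] in ("zone", "inet"):
            interfaces[-1][words[0]] = words[1]
    return interfaces


def addresses_by_zone(text):
    """Map each zone to the (interface, address) pairs assigned to it."""
    result = defaultdict(list)
    for itf in parse_ifconfig(text):
        if itf["inet"]:
            result[itf["zone"]].append((itf["name"], itf["inet"]))
    return dict(result)


def zones_per_nic(text):
    """Map each physical interface to the sorted zones that share it."""
    result = defaultdict(set)
    for itf in parse_ifconfig(text):
        result[itf["nic"]].add(itf["zone"])
    return {nic: sorted(zones) for nic, zones in result.items()}


if __name__ == "__main__":
    for zone, pairs in sorted(addresses_by_zone(SAMPLE_IFCONFIG).items()):
        print(zone, pairs)
    print(zones_per_nic(SAMPLE_IFCONFIG))
```

The per-NIC view shows which zones ride on the same physical interface as the global zone, which is the set whose traffic an administrator in the global zone can observe with snoop on that interface.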

Zone Daemons

The zone management service is managed through the Service Management Facility (SMF); the service identifier is called svc:/system/zones:default.

Two daemon processes are associated with zones—zoneadmd and zsched.

The zoneadmd daemon starts when a zone needs to be managed. An instance of zoneadmd is started for each zone, so it is not uncommon to have multiple instances of this daemon running on a single server. It is started automatically by SMF and is also shut down automatically when no longer required. The zoneadmd daemon carries out the following actions:

. Allocates the zone ID and starts the zsched process

. Sets system-wide resource controls

. Prepares the zone’s devices if any are specified in the zone configuration

. Plumbs the virtual network interface

. Mounts any loopback or conventional file systems

The zsched process is started by zoneadmd and exists for each active zone (a zone is said to be active when in the ready, running, or shutting down state). The job of zsched is to keep track of kernel threads running within the zone. It is also known as the zone scheduler.

Configuring a Zone

Before a zone can be installed and booted, it has to be created and configured. This section deals with the initial configuration of a zone and describes the zone components.

A zone is configured using the zonecfg command. The zonecfg command is also used to verify that the resources and properties that are specified during configuration are valid for use on a Solaris system. zonecfg checks that a zone path has been specified and that for each resource, all the required properties have been specified.

The zonecfg Command

Objective

. Given a zone configuration scenario, identify zone components and zonecfg resource parameters, allocate file system space, use the zonecfg command, describe the interactive configuration of a zone, and view the zone configuration file.


The zonecfg command is used to configure a zone. It can run interactively, on the command line, or using a command file. A command file is created by using the export subcommand of zonecfg. zonecfg carries out the following operations:

. Create, or delete, a zone configuration

. Add, or remove, resources in a configuration

. Set the properties for a resource in the configuration

. Query and verify a configuration

. Commit (save) a configuration

. Revert to a previous configuration

. Exit from a zonecfg session

When you enter zonecfg in interactive mode, the prompt changes to show that you are in a zonecfg session. If you are configuring a zone called apps, the prompt changes:
# zonecfg -z apps<cr>
zonecfg:apps>

This is known as the global scope of zonecfg. When you configure a specific resource, the prompt changes to include the resource being configured. The command scope also changes so that you are limited to entering commands relevant to the current scope. You have to enter an end command to return to the global scope.

Table 6.2 describes the subcommands that are available with the interactive mode of zonecfg.

Table 6.2 zonecfg Subcommands

Subcommand  Description
help        Prints general help, or help about a specific resource.
create      Begins configuring a zone. This starts a configuration in memory for a new zone.
export      Prints the configuration to stdout, or to a specified file name, which can be used as a command file.
add         In the global scope, this command takes you to the specified resource scope. In the resource scope, it adds the specified property to the resource type.
set         Sets a specified property name to a specified property value.
select      This is applicable only in the global scope; it selects the resource of the specified type. The scope changes to the resource, but you have to enter sufficient property name-value pairs to uniquely identify the required resource.
remove      In the global scope, removes the specified resource type. You have to enter sufficient property name-value pairs to uniquely identify the required resource.
end         This is available only in the resource scope and ends the current resource specification.
cancel      This is available only in the resource scope. It ends the resource specification and returns to the global scope. Any partially specified resources are discarded.
delete      Destroys the specified configuration. You need to use the -F option to force deletion with this option.
info        Displays information about the current configuration. If a resource type is specified, it displays information about the resource type.
verify      Verifies the current configuration to ensure that all resources have the required properties specified.
commit      Commits the current configuration from memory to disk. A configuration must be committed before it can be used by the zoneadm command, described later in this chapter.
revert      Reverts the configuration to the last committed state.
exit -F     Exits the zonecfg session. You can use the -F option with this subcommand to force the command to execute.

Table 6.3 lists the resource types that are applicable to the zonecfg command.

Table 6.3 zonecfg Resource Types

Resource Type    Description
zonename         Identifies the zone and must be unique. It can’t be longer than 64 characters. It’s case-sensitive and must begin with an alphanumeric character. It can also contain underscores (_), hyphens (-), and periods (.). The name global and all names beginning with SUNW are reserved and not allowed.
zonepath         The path to the zone root in relation to the global zone’s root directory (/). To restrict visibility to nonprivileged users in the global zone, the permissions on the zonepath directory should be set to 700.
fs               Each zone can mount file systems. This resource specifies the path to the file system mount point.
inherit-pkg-dir  Specifies directories that contain software packages that are shared with the global zone, or inherited from the global zone. The nonglobal zone inherits only read-only access. Four default inherit-pkg-dir resources are included in the configuration—/lib, /sbin, /platform, and /usr. The packages associated with these directories are inherited (in a read-only loopback file system mount) by the nonglobal zone.
net              Each zone can have network interfaces that are plumbed when the zone transitions from the installed state to the ready state. Network interfaces are implemented as virtual interfaces.
device           Each zone can have devices that are configured when the zone transitions from the installed state to the ready state.
rctl             Used for zone-wide resource controls. The controls are enabled when the zone transitions from the installed state to the ready state. The zone-wide resource controls implemented in Solaris 10 are zone.cpu-shares and zone.max-lwps.
attr             A generic type most often used for comments.

Some of the resource types described in Table 6.3 also have properties that need to be configured if the resource type is to be used. The following list describes the properties and the parameters, along with examples of usage:

. fs: dir, special, raw, type, options

The following code gives an example of how these properties are used. The text in bold type indicates what the user enters.
zonecfg:apps> add fs
zonecfg:apps:fs> set dir=/testmount
zonecfg:apps:fs> set special=/dev/dsk/c0t1d0s0
zonecfg:apps:fs> set raw=/dev/rdsk/c0t1d0s0
zonecfg:apps:fs> set type=ufs
zonecfg:apps:fs> add options [logging, nosuid]
zonecfg:apps:fs> end

This code example specifies that /dev/dsk/c0t1d0s0 in the global zone is to be mounted on directory /testmount in the nonglobal zone and that the raw device /dev/rdsk/c0t1d0s0 is the device to fsck before attempting the mount. The file system is of type ufs, and a couple of mount options have been added.

. inherit-pkg-dir: dir

This specifies the directory that is to be loopback-mounted from the global zone. The following example shows that /opt/sfw is to be mounted:
zonecfg:apps> add inherit-pkg-dir
zonecfg:apps:inherit-pkg-dir> set dir=/opt/sfw
zonecfg:apps:inherit-pkg-dir> end


. net: address, physical

This specifies the setup of the network interface for the zone. The following code example specifies an IP address of 192.168.0.42 and that the physical interface to be used is eri0:
zonecfg:apps> add net
zonecfg:apps:net> set physical=eri0
zonecfg:apps:net> set address=192.168.0.42
zonecfg:apps:net> end

. device: match

This specifies a device to be included in the zone. The following code example includes a tape drive, /dev/rmt/0:
zonecfg:apps> add device
zonecfg:apps:device> set match=/dev/rmt/0
zonecfg:apps:device> end

. rctl: name, value

. attr: name, type, value

The attr resource type is mainly used for adding a comment to a zone. The following example adds a comment for the zone apps:

zonecfg:apps> add attr
zonecfg:apps:attr> set name=comment
zonecfg:apps:attr> set type=string
zonecfg:apps:attr> set value="The Application Zone"
zonecfg:apps:attr> end

There are several zone-wide resource controls:

. zone.cpu-shares: The number of fair share scheduler (FSS) CPU shares for this zone.

. zone.max-locked-memory: The total amount of physical locked memory available to a zone.

. zone.max-lwps: The maximum number of LWPs simultaneously available to this zone.

. zone.max-swap: The total amount of swap that can be consumed by user process address space mappings and tmpfs mounts for this zone.

The zone.cpu-shares and zone.max-lwps controls prevent the zone from exhausting resources that could affect the performance or operation of other zones.


The following example allocates 20 CPU shares to the zone. This demonstrates the use of the Solaris Containers feature to manage a resource within a zone. The resource manager in Solaris 10 is based on a Fair Share Scheduler (FSS). FSS ensures that processes get their fair share of the processing power as opposed to a percentage. If nothing else is using the processor, this zone gets 100% of the CPU power. If other zones are contending for CPU power, the shares determine who gets what.
zonecfg:apps> add rctl
zonecfg:apps:rctl> set name=zone.cpu-shares
zonecfg:apps:rctl> add value (priv=privileged,limit=20,action=none)
zonecfg:apps:rctl> end

There are no known methods of breaking into a zone from another zone. However, it is possible for an attacker to try to use up all the PIDs in a system by issuing a denial-of-service (DOS) attack on one zone. Using up all the PIDs in a zone could essentially use up all the PIDs and virtual memory on the entire system, including the global zone. To prevent this type of attack, you could limit the number of lightweight processes (LWPs) that can be run simultaneously within a given zone:
zonecfg:apps> add rctl
zonecfg:apps:rctl> set name=zone.max-lwps
zonecfg:apps:rctl> add value (priv=privileged,limit=1000,action=deny)
zonecfg:apps:rctl> end

This prevents a zone’s processes from having more than 1,000 simultaneous LWPs.

For an overview of CPU shares and the Fair Share Scheduler (FSS), refer to the Sun Microsystems “Solaris Containers—Resource Management and Solaris Zones” administration guide, described at the end of this chapter.

Viewing the Zone Configuration

Objective:

. Given a scenario, use the zoneadm command to view a zone.

The zone configuration data can be viewed in two ways:

. By viewing a file

. By using the export option of zonecfg

Both of these methods are described next.

The zone configuration file is held in the /etc/zones directory and is stored as an XML file. To view the configuration for a zone named testzone, you would enter
# cat /etc/zones/testzone.xml<cr>


The alternative method of viewing the configuration is to use the zonecfg command with the export option. The following example shows how to export the configuration data for zone testzone:
# zonecfg -z testzone export<cr>

By default, the output goes to stdout, but you can change this by entering a filename instead. If you save the configuration to a file, it can be used later, if required, as a command file input to the zonecfg command. This option is useful if you have to re-create the zone for any reason.

You can also view the zone configuration by using the info option with the zonecfg command:
# zonecfg -z testzone info<cr>
The system displays the following information about the zone:
zonename: testzone
zonepath: /export/zones/testzone
brand: native
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: shared
inherit-pkg-dir:
        dir: /lib
inherit-pkg-dir:
        dir: /platform
inherit-pkg-dir:
        dir: /sbin
inherit-pkg-dir:
        dir: /usr
fs:
        dir: /data
        special: /dev/dsk/c0t1d0s7
        raw: /dev/rdsk/c0t1d0s7
        type: ufs
        options: []
net:
        address: 192.168.0.43
        physical: eri0
attr:
        name: comment
        type: string
        value: "first zone - testzone"


View all zones installed on a system by issuing the following command:
# zoneadm list -iv<cr>
ID  NAME       STATUS     PATH                     BRAND   IP
0   global     running    /                        native  shared
-   testzone   installed  /export/zones/testzone   native  shared
-   clonezone  installed  /export/zones/clonezone  native  shared

Installing a Zone

Objective:

. Given a scenario, use the zoneadm command to install a zone.

When a zone has been configured, the next step in its creation is to install it. This has the effect of copying the necessary files from the global zone and populating the product database for the zone. You should verify a configuration before it is installed to ensure that everything is set up correctly.

To verify the zone configuration for a zone named testzone, enter the following command:
# zoneadm -z testzone verify<cr>

If, for example, the zonepath does not exist, or it does not have the correct permissions set, the verify operation generates a suitable error message.

When the zone has been successfully verified, it can be installed:
# zoneadm -z testzone install<cr>

A number of status and progress messages are displayed on the screen as the files are copied and the package database is updated.

Notice that while the zone is installing, its state changes from configured to incomplete. The state changes to installed when the install operation has completed.

Booting a Zone

Objective:

. Given a scenario, use the zoneadm command to boot a zone.

Before the boot command is issued, a zone needs to be transitioned to the ready state. This can be done using the zoneadm command:
# zoneadm -z testzone ready<cr>


The effect of the ready command is to establish the virtual platform, plumb the network interface, and mount any file systems. At this point, though, no processes are running.

To boot the zone testzone, issue the following command:
# zoneadm -z testzone boot<cr>

Confirm that the zone has booted successfully by listing the zone using the zoneadm command:
# zoneadm -z testzone list -v<cr>

The state of the zone will have changed to running if the boot operation was successful.


NOTE

No need to ready: If you want to boot a zone, there is no need to transition to the ready state. The boot operation does this automatically before booting the zone.

You can also supply other boot arguments when booting a zone:

. To boot the zone into single-user mode, issue the following command:
# zoneadm -z testzone boot -s<cr>

. To boot a zone using the verbose option, issue the following command:
# zoneadm -z testzone boot -- -m verbose<cr>

. Boot a zone into the single-user milestone as follows:

# zoneadm -z testzone boot -- -m milestone=single-user<cr>

Halting a Zone

Objective:

. Given a scenario, use the zoneadm command to halt a zone.

To shut down a zone, issue the halt option of the zoneadm command:
# zoneadm -z testzone halt<cr>

The zone state changes from running to installed when a zone is halted.


Rebooting a Zone

Objective:

. Given a scenario, use the zoneadm command to reboot a zone.

A zone can be rebooted at any time without affecting any other zone on the system. The reboot option of the zoneadm command is used to reboot a zone. To reboot the zone testzone:
# zoneadm -z testzone reboot<cr>

The state of the zone should be running when the reboot operation has completed.

You can also use the zlogin command to reboot a zone:
# zlogin <zone> reboot<cr>

zlogin is described later, in the “Zone Login” section.

Uninstalling a Zone

When a zone is no longer required, it should be uninstalled before it is deleted. In order to uninstall a zone, it must first be halted. When this has been done, issue the uninstall command to uninstall the zone testzone2:
# zoneadm -z testzone2 uninstall -F<cr>

The -F option forces the command to execute without confirmation. If you omit this option, you are asked to confirm that you want to uninstall the zone.

List the zones on the system to verify that the zone has been uninstalled:
# zoneadm list -iv<cr>
ID  NAME       STATUS     PATH                    BRAND   IP
0   global     running    /                       native  shared
-   testzone1  installed  /export/zones/testzone  native  shared

The zone is not listed because the -i option displays only zones in the installed state. To view all configured zones, regardless of their state, type the following:
# zoneadm list -cv<cr>
ID  NAME       STATUS      PATH                     BRAND   IP
0   global     running     /                        native  shared
-   testzone1  installed   /export/zones/testzone1  native  shared
-   testzone2  configured  /export/zones/testzone2  native  shared


Deleting a Zone

Objective:

. Given a scenario, use the zonecfg command to delete a zone.

When a zone has been successfully uninstalled, its configuration can be deleted from the system. Enter the zonecfg command to delete the zone testzone from the system:
# zonecfg -z testzone delete -F<cr>

The -F option forces the command to execute without confirmation. If you omit this option, you are asked to confirm that you want to delete the zone configuration.


EXAM ALERT

Remember the force: Unlike most other UNIX commands, zoneadm and zonecfg use an uppercase letter F to force the command to be executed without prompting you for confirmation. All other commands, such as mv, rm, and umount, for example, always use a lowercase letter f. Make sure you are aware of this anomaly when you take the exam.

Zone Login

When a zone is operational and running, the normal network access commands can be used to access it, such as telnet, rlogin, and ssh, but a nonglobal zone can also be accessed from the global zone using zlogin. This is necessary for administration purposes and to be able to access the console session for a zone. Only the superuser (root), or a role with the RBAC profile “Zone Management,” can use the zlogin command from the global zone.

The syntax for the zlogin command is as follows:
zlogin [-CE] [-e c] [-l <username>] <zonename>
zlogin [-ES] [-e c] [-l <username>] <zonename> <utility> [argument...]

zlogin works in three modes:

. Interactive: A login session is established from the global zone.

. Noninteractive: A single command or utility can be executed. Upon completion of the command (or utility), the session is automatically closed.

. Console: A console session is established for administration purposes.

Table 6.4 describes the various options for zlogin.


Table 6.4 zlogin Options

Option         Description
-C             A connection is made to the zone’s console device, and zlogin operates in console mode.
-e c           Changes the escape sequence to exit from the console session. The default is the tilde dot (~.).
-E             Disables the use of extended functions and also prohibits the use of the Escape sequence to disconnect from the session.
-l <username>  Specifies a different user for the zone login. User root is used when this option is omitted. This option cannot be used when using zlogin in console mode.
-S             “Safe” login mode. This option is used to recover a damaged zone when other login forms do not work. This option cannot be used in console mode.
<zonename>     Specifies the zone to connect to.
<utility>      Specifies the utility, or command, to run in the zone.
<argument>     This option allows arguments to be specified and passed to the utility or command being executed.

Initial Zone Login

When a zone has been installed and is booted for the first time, it is still not fully operational, because the internal zone configuration needs to be completed. This includes setting the following:

. Language

. Terminal type

. Hostname

. Security policy

. Name service

. Time zone

. Root password

These settings are configured interactively the first time you use zlogin to connect to the zone console, similar to when you first install the Solaris 10 Operating Environment. The zone then reboots to implement the changes. When this reboot completes, the zone is fully operational.

NOTE

Initial console login: You must complete the configuration by establishing a console connection. If this is not completed, the zone will not be operational, and users will be unable to connect to the zone across the network.


Using a sysidcfg File

Instead of completing the zone configuration interactively, you can preconfigure the required options in a sysidcfg file. This enables the zone configuration to be completed without intervention. The sysidcfg file needs to be placed in the /etc directory of the zone’s root. For a zone named testzone with a zonepath of /export/zones/testzone, the sysidcfg file would be placed in /export/zones/testzone/root/etc.

The following example of a sysidcfg file sets the required parameters for a SPARC based system but doesn’t use a naming service, or a security policy. Note that the root password entry needs to include the encrypted password:
lang=C
system_locale=en_GB
terminal=vt100
network_interface=primary {
        hostname=testzone
}
security_policy=NONE
name_service=NONE
timezone=GB
nfs4_domain=dynamic
root_password=dKsw26jNk2CCE

In previous releases of Solaris 10, you could suppress the prompt for an NFSv4 domain name during the installation by creating the following file in the zone’s root /etc directory:
# touch /export/zones/testzone/root/etc/.NFS4inst_state.domain<cr>

Since Solaris 10 08/07, this file is no longer created and has been replaced by the nfs4_domain keyword in the sysidcfg file.


NOTE

Install sysidcfg before boot: You need to install the sysidcfg file and create the .NFS4inst_state.domain file before the initial boot of the zone. Otherwise, the files will be ignored, and you will have to complete the zone setup interactively.

Logging in to the Zone Console

You can access the console of a zone by using the zlogin -C <zonename> command. If you are completing a hands-off configuration, connect to the console before the initial boot. You will see the boot messages appear in the console as well as the reboot after the sysidcfg file has been referenced. The zone console is available as soon as the zone is in the installed state.

The following session shows what happens when the zone testzone is booted for the first time, using a sysidcfg file:
# zlogin -C testzone<cr>


[NOTICE: Zone readied]

[NOTICE: Zone booting up]

SunOS Release 5.10 Version Generic 64-bit
Copyright 1983-2008 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Hostname: testzone
Loading smf(5) service descriptions: 100/100
Creating new rsa public/private host key pair
Creating new dsa public/private host key pair
Configuring network interface addresses: eri0.

rebooting system due to change(s) in /etc/default/init

[NOTICE: Zone rebooting]

SunOS Release 5.10 Version Generic 64-bit
Copyright 1983-2008 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Hostname: testzone

testzone console login:

Connections to the console persist even when the zone is rebooted. To disconnect from the zone console, type ~. to break the connection. Be aware that breaking the connection to the zone’s console is not the same as logging out.

Logging in to a Zone

The superuser (root), or a role with the RBAC profile “Zone Management,” can log directly into a zone from the global zone, without having to supply a password. The system administrator uses the zlogin command. The following example shows a zone login to the testzone zone. The command zonename is run to display the name of the current zone, and then the connection is closed:
# zlogin testzone<cr>
[Connected to zone 'testzone' pts/6]
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
# zonename<cr>
testzone
# exit<cr>

[Connection to zone 'testzone' pts/6 closed]


Running a Command in a Zone

In the previous section an interactive login to a zone was achieved. Here, a noninteractive login is initiated and a single command is executed. The connection is automatically disconnected as soon as the command has completed. The following example shows how this works. First, the hostname command is run, demonstrating that we are on the host called global. Then a noninteractive login to the testzone zone runs, which runs the zonename command and then exits automatically. Finally, the same hostname command is run, which shows we are back on the host called global:
# hostname<cr>
global
# zlogin testzone zonename<cr>
testzone
# hostname<cr>
global


EXAM ALERT

No -z in zlogin: Be careful not to include the -z option when answering exam questions on zlogin. It’s easy to get confused with the zoneadm command, where the -z option is used.

Creating a Zone

Now that we have seen the technicalities of configuring a zone, let’s put it all together and create a zone. Step By Step 6.1 configures the zone named testzone, installs it, and boots it. Finally, we will list the zone configuration data.

STEP BY STEP
6.1 Creating a Zone

1. Perform the initial configuration on a zone named testzone. The zonepath will be /export/zones/testzone, and the IP address will be 192.168.0.43. This zone will be a sparse root zone with no additional file systems being mounted from the global zone. Create the zonepath, and assign the correct permission (700) to the directory. The text in bold indicates what the user enters:
# mkdir -p /export/zones/testzone<cr>
# chmod 700 /export/zones/testzone<cr>

2. Enter the zonecfg command to configure the new zone:
# zonecfg -z testzone<cr>
testzone: No such zone configured
Use 'create' to begin configuring a new zone.


zonecfg:testzone> create
zonecfg:testzone> set zonepath=/export/zones/testzone
zonecfg:testzone> set autoboot=true
zonecfg:testzone> add net
zonecfg:testzone:net> set physical=eri0
zonecfg:testzone:net> set address=192.168.0.43
zonecfg:testzone:net> end
zonecfg:testzone> add rctl
zonecfg:testzone:rctl> set name=zone.cpu-shares
zonecfg:testzone:rctl> add value (priv=privileged,limit=20,action=none)
zonecfg:testzone:rctl> end
zonecfg:testzone> add attr
zonecfg:testzone:attr> set name=comment
zonecfg:testzone:attr> set type=string
zonecfg:testzone:attr> set value="First zone - Testzone"
zonecfg:testzone:attr> end

3. Having entered the initial configuration information, use a separate login session to check to see if the zone exists using the zoneadm command:
# zoneadm -z testzone list -v<cr>
zoneadm: testzone: No such zone configured

At this point the zone configuration has not been committed and saved to disk, so it exists only in memory.

4. Verify and save the zone configuration. Exit zonecfg, and then check to see if the zone exists using the zoneadm command.
zonecfg:testzone> verify
zonecfg:testzone> commit
zonecfg:testzone> exit
# zoneadm -z testzone list -v<cr>
ID  NAME      STATUS      PATH
-   testzone  configured  /export/zones/testzone

Notice that the zone now exists and that it has been placed in the configured state.

If you do not verify the zone prior to installing it, the verification is performed automatically when the zone is installed.

5. Use the zoneadm command to verify that the zone is correctly configured and ready to be installed:
# zoneadm -z testzone verify<cr>

6. Install the zone:
# zoneadm -z testzone install<cr>
Preparing to install zone <testzone>.


Creating list of files to copy from the global zone.
Copying <77108> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <1141> packages on the zone.
Initialized <1141> packages on zone.
Zone <testzone> is initialized.
The file </export/zones/testzone/root/var/sadm/system/logs/\
install_log> contains a log of the zone installation.

7. The zone is now ready to be used operationally. Change the state to ready and verify that it has changed, and then boot the zone and check that the state has changed to running:
# zoneadm -z testzone ready<cr>
# zoneadm -z testzone list -v<cr>
ID  NAME      STATUS   PATH
7   testzone  ready    /export/zones/testzone
# zoneadm -z testzone boot<cr>
# zoneadm -z testzone list -v<cr>
ID  NAME      STATUS   PATH
7   testzone  running  /export/zones/testzone

8. Connect to the console to watch the system boot and to finish the configuration:
# zlogin -C testzone<cr>
[Connected to zone 'testzone' console]

After the system initializes, you’re prompted to enter the system identification information, such as hostname, network information, time zone, and root password.

9. View the configuration data by exporting the configuration to stdout:
# zonecfg -z testzone export<cr>
The system displays the following information:
create -b
set zonepath=/export/zones/testzone
set autoboot=true
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr


end
add net
set address=192.168.0.43
set physical=eri0
end
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=20,action=none)
end
add attr
set name=comment
set type=string
set value="First zone - Testzone"
end

Notice the four default inherit-pkg-dir entries showing that this is a sparse root zone.
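The export output in step 9 can be checked for the controls this chapter describes: a zone.max-lwps control with action=deny, a zone.cpu-shares allocation, and a zonepath with mode 700. The script below is an added example, not part of the book; the function names and the sample files are assumptions, and the constructed sample places its zonepath under a scratch directory so that it runs anywhere.

```shell
# Added example, not from the book: audit the text printed by
# `zonecfg -z <zone> export`. Written for a POSIX sh and awk.

# rctl_value FILE NAME -> prints "<limit> <action>" for resource control
# NAME, or nothing when the configuration has no such rctl resource.
rctl_value() {
    awk -v want="$2" '
        $1 == "add" && $2 == "rctl" { in_rctl = 1; name = ""; next }
        in_rctl && $1 == "end"      { in_rctl = 0; next }
        in_rctl && $1 == "set" && $2 ~ /^name=/ { name = substr($2, 6); next }
        in_rctl && name == want && $1 == "add" && $2 == "value" {
            v = $0
            sub(/^[^(]*[(]/, "", v)   # drop everything up to "("
            sub(/[)].*$/, "", v)      # drop ")" and what follows
            n = split(v, kv, ",")
            for (i = 1; i <= n; i++) {
                split(kv[i], p, "=")
                if (p[1] == "limit")  limit  = p[2]
                if (p[1] == "action") action = p[2]
            }
            print limit, action
            exit
        }
    ' "$1"
}

# zonepath_of FILE -> prints the zonepath property
zonepath_of() { sed -n 's/^set zonepath=//p' "$1"; }

# is_mode_700 DIR -> true when DIR is a directory with mode rwx------
is_mode_700() {
    case $(ls -ld "$1" 2>/dev/null) in
        drwx------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# audit_zone FILE -> one line per check; exit status = number of failures
audit_zone() {
    failed=0
    lwps=$(rctl_value "$1" zone.max-lwps)
    case $lwps in
        "")       echo "FAIL zone.max-lwps: not set"; failed=$((failed + 1)) ;;
        *" deny") echo "ok   zone.max-lwps: limit ${lwps% deny}, action deny" ;;
        *)        echo "FAIL zone.max-lwps: action '${lwps#* }' is not deny"
                  failed=$((failed + 1)) ;;
    esac
    shares=$(rctl_value "$1" zone.cpu-shares)
    if [ -n "$shares" ]; then
        echo "ok   zone.cpu-shares: ${shares% *} shares"
    else
        echo "FAIL zone.cpu-shares: not set"; failed=$((failed + 1))
    fi
    zp=$(zonepath_of "$1")
    if is_mode_700 "$zp"; then
        echo "ok   zonepath $zp: mode 700"
    else
        echo "FAIL zonepath $zp: mode is not 700"; failed=$((failed + 1))
    fi
    return "$failed"
}

# make_sample DIR -> constructed input: step9.cfg follows the step 9 export
# (zonepath moved under DIR); capped.cfg adds the zone.max-lwps control.
make_sample() {
    mkdir -p "$1/zones/testzone"
    chmod 700 "$1/zones/testzone"
    cat > "$1/step9.cfg" <<EOF
create -b
set zonepath=$1/zones/testzone
set autoboot=true
add net
set address=192.168.0.43
set physical=eri0
end
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=20,action=none)
end
EOF
    cp "$1/step9.cfg" "$1/capped.cfg"
    cat >> "$1/capped.cfg" <<EOF
add rctl
set name=zone.max-lwps
add value (priv=privileged,limit=1000,action=deny)
end
EOF
}

# Stand-alone run on the constructed sample
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
for f in step9 capped; do
    echo "== $f.cfg"; audit_zone "$demo_dir/$f.cfg" || echo "-> $? failed"
done
rm -rf "$demo_dir"
```

The zone built in Step By Step 6.1 sets zone.cpu-shares but no zone.max-lwps control, so its export fails the first check. On Solaris 10 itself, run the script with ksh or /usr/xpg4/bin/sh and a POSIX awk such as nawk.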

EXAM ALERT

Zone configuration file: You can also view the configuration file directly by viewing the /etc/zones/<zonename>.xml file from the global zone. This file is created when you save the configuration using zonecfg. You might be asked this location on the exam.

Making Modifications to an Existing Zone

After a zone has been installed, you can still reconfigure it. For example, suppose you want to add a file system to an existing zone. Let’s say that you have a file system named /data in the global zone, and you want to add it to the nonglobal zone named testzone. This task is performed from the global zone:

Halt the zone:
# zoneadm -z testzone halt<cr>

After the zone has been halted, use the zonecfg command to edit the zone configuration:
# zonecfg -z testzone<cr>
zonecfg:testzone> add fs
zonecfg:testzone:fs> set dir=/data
zonecfg:testzone:fs> set special=/dev/dsk/c0t1d0s7
zonecfg:testzone:fs> set raw=/dev/rdsk/c0t1d0s7
zonecfg:testzone:fs> set type=ufs
zonecfg:testzone:fs> end
zonecfg:testzone> exit


View the entire zone configuration using the following command:
# zonecfg -z testzone info<cr>

All the information about the zone configuration is displayed. The following is the information displayed from the zonecfg command related to the file system that was just added:
<output has been truncated>
fs:
        dir: /data
        special: /dev/dsk/c0t1d0s7
        raw: /dev/rdsk/c0t1d0s7
        type: ufs
        options: []
<output has been truncated>

Boot the nonglobal zone. The /data file system will be mounted during the boot process.

Many operations can be performed on a running zone without a reboot, such as adding a network controller, storage device, or file system. But this would require additional steps.

Moving a Zone

You will move a zone when you simply want to relocate a nonglobal zone from one point on a system to another point. Typically, it’s when you want to move a zone’s path on a system from one directory to another. The new directory can be on an alternate file system, but it cannot be on an NFS mounted file system. When the zone is moved to a different file system, the data is copied, and the original directory is removed. All data is copied using cpio to preserve all data within the zone.

The zoneadm command is used to halt and then move a zone, as demonstrated in the following example. I move the zone named testzone from /export/zones/testzone to the /testzone file system:
# zoneadm -z testzone halt<cr>
# zoneadm -z testzone move /testzone<cr>

Migrating a Zone

You migrate a zone when you want to move a zone from one system to another. The following rules apply when migrating a zone:

. Starting with the Solaris 10/08 release, if the new host has the same or later versions of the zone-dependent packages and associated patches, using zoneadm attach with the -u option updates those packages within the zone to match the new host. If the new host has a mixture of higher and lower version patches as compared to the source host, an update during the attach operation is not allowed.

. Beginning with the Solaris 10/08 release, zoneadm attach with the -u option also enables migration between machine classes, such as from sun4u to sun4v.

During this procedure, you halt the zone, detach the zone, copy the zone configuration to the new system, reconfigure the zone on the new system, and finally attach the zone and boot it. Step By Step 6.2 describes the process of migrating a zone from systemA to systemB.

STEP BY STEP

6.2 Migrating a Zone

A zone named “testzone” already exists and is currently running on systemA. The zone’s path is /export/zones/testzone.

1. Halt the zone:
# zoneadm -z testzone halt<cr>

2. Detach the zone. Detaching a zone leaves the zone in a configured state on the original system. An XML file, called the manifest, is generated and stored in the zone’s path. The manifest describes the versions of installed packages and patches installed on the host. The manifest contains information required to verify that the zone can be successfully attached to systemB. The following command detaches the testzone:
# zoneadm -z testzone detach<cr>

3. Gather the data from the zone path on the original system, and copy it to systemB. I’ll use the tar command to create a tar file of the data:
# cd /export/zones<cr>
# tar cf testzone.tar testzone<cr>

4. I’ll use sftp to transfer the tar file to systemB:
# sftp systemB<cr>
Connecting to systemB . .
Password:
sftp> cd /export/zones
sftp> put testzone.tar
Uploading testzone.tar to /export/zones/testzone.tar
sftp> bye

5. Log into systemB, and change to the /export/zones directory:
# cd /export/zones<cr>


6. Extract the tar file:
# tar xf testzone.tar<cr>

7. Use the zonecfg command to create the zone configuration:
# zonecfg -z testzone<cr>
testzone: No such zone configured

8. The system displays the zonecfg:testzone> prompt. Use the create subcommand to begin configuring a new zone:
zonecfg:testzone> create -a /export/zones/testzone

The -a option instructs zonecfg to use the XML description of the detached zone.

9. Now is the time to make any changes to the zone configuration. For example, if systemB has a different network interface than what was installed on systemA, you need to make this modification. Let’s assume that systemA has an hme interface and systemB has an eri interface. I would make this change to the network interface:
zonecfg:testzone> select net physical=hme0
zonecfg:testzone:net> set physical=eri0

10. Now that the configuration is correct, you can attach the zone:

# zoneadm -z testzone attach<cr>

Cloning a Zone

You clone a zone when it is copied from its current zone path to a new zone path. The objective is to have two identical nonglobal zones running on the same global zone. The process to clone a zone is outlined in Step By Step 6.3.

STEP BY STEP

6.3 Cloning a Zone

A zone named “testzone” already exists and is currently running on systemA. The zone’s path is /export/zones/testzone. You want to create a clone of this zone and name it “clonezone.” Its zone path will be /export/zones/clonezone.

1. As root (on the global zone), halt the testzone:
# zoneadm -z testzone halt<cr>


2. Configure the new zone, clonezone, by exporting the configuration from testzone. The procedure will create a configuration file named /export/zones/master:
# zonecfg -z testzone export -f /export/zones/master<cr>

3. Use the vi editor to edit the master file that was created in the previous step. Modify the zone properties, such as zonepath.

The following output is a sample master file that was created in the previous step. The items in bold have been modified for the new zone, clonezone.
# more /export/zones/master<cr>
The system displays the following information:
create -b
set zonepath=/export/zones/clonezone
set autoboot=true
set ip-type=shared
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add fs
set dir=/data
set special=/dev/dsk/c0t2d0s7
set raw=/dev/rdsk/c0t2d0s7
set type=ufs
end
add net
set address=192.168.0.44
set physical=eri0
end
add attr
set name=comment
set type=string
set value="first zone - clonezone"

4. Create a directory for the new zone, and set the permissions:
# mkdir /export/zones/clonezone<cr>
# chmod 700 /export/zones/clonezone<cr>


5. Create the new zone, clonezone:
# zonecfg -z clonezone -f /export/zones/master<cr>

6. Install the new zone by cloning testzone:
# zoneadm -z clonezone clone testzone<cr>
Cloning zonepath /export/zones/testzone...

7. List the zones on the system, and verify that both zones are installed:
# zoneadm list -iv<cr>
ID NAME      STATUS    PATH                    BRAND  IP
0  global    running   /                       native shared
-  testzone  installed /export/zones/testzone  native shared
-  clonezone installed /export/zones/clonezone native shared
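The following script is an added example, not code from the book. It parses zonecfg export text to report the root model (sparse or whole), the net physical interfaces that a migration target lacks (step 9 of Step By Step 6.2), and the settings a clone master file still shares with its source (step 3 of Step By Step 6.3). The function names, the UNIQUE_KEYS list, and the sample configurations are assumptions constructed for this example.

```shell
# Added example: pre-flight checks on "zonecfg export" text. No zone commands are run.

# Constructed sample: the testzone export shown on the page plus the /data fs
# added later (the attr comment block is left out).
SRC_CFG='create -b
set zonepath=/export/zones/testzone
set autoboot=true
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add fs
set dir=/data
set special=/dev/dsk/c0t1d0s7
set raw=/dev/rdsk/c0t1d0s7
set type=ufs
end
add net
set address=192.168.0.43
set physical=eri0
end
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=20,action=none)
end'

# Constructed variants: a master file with only zonepath edited, one with the
# address and disk slice edited as well, and one without inherit-pkg-dir.
CLONE_BAD=$(printf '%s\n' "$SRC_CFG" | sed 's|zones/testzone|zones/clonezone|')
CLONE_OK=$(printf '%s\n' "$CLONE_BAD" |
    sed -e 's|c0t1d0s7|c0t2d0s7|' -e 's|192\.168\.0\.43|192.168.0.44|')
WHOLE_CFG=$(printf '%s\n' "$SRC_CFG" | sed '/^add inherit-pkg-dir$/,/^end$/d')

# Settings this example treats as exclusive to one zone on a host (assumption).
UNIQUE_KEYS='global.zonepath net.address fs.special fs.raw'

# Flatten an export into "scope.property=value" lines, one per "set".
zone_props() {
    printf '%s\n' "$1" | awk '
        $1 == "add" && $2 != "value" { scope = $2; next }
        $1 == "end"                  { scope = ""; next }
        $1 == "set" {
            sub(/^[ \t]*set[ \t]+/, "")
            name = (scope == "" ? "global" : scope)
            print name "." $0
        }'
}

# "sparse" if any inherit-pkg-dir resource is present, otherwise "whole".
root_model() {
    if zone_props "$1" | grep '^inherit-pkg-dir\.dir=' >/dev/null; then
        echo sparse
    else
        echo whole
    fi
}

# Print every exclusive setting that the new config ($2) shares with the source ($1).
clone_conflicts() {
    src_props=$(zone_props "$1")
    zone_props "$2" | while IFS= read -r line; do
        case " $UNIQUE_KEYS " in
            *" ${line%%=*} "*)
                if printf '%s\n' "$src_props" | grep -Fx -- "$line" >/dev/null; then
                    printf '%s\n' "$line"
                fi ;;
        esac
    done
}

# Print net "physical" values in the config ($1) that are not among the
# interface names given as the remaining arguments (the target host's NICs).
missing_nics() {
    cfg=$1; shift
    zone_props "$cfg" | while IFS= read -r line; do
        case "$line" in
            net.physical=*)
                nic=${line#net.physical=}
                case " $* " in
                    *" $nic "*) ;;
                    *) printf '%s\n' "$nic" ;;
                esac ;;
        esac
    done
}

echo "testzone root model: $(root_model "$SRC_CFG")"
echo "conflicts in the zonepath-only master:"
clone_conflicts "$SRC_CFG" "$CLONE_BAD"
echo "NICs missing on a host with lo0 and hme0: $(missing_nics "$SRC_CFG" lo0 hme0)"
```

On a live system the first argument would be the text produced by zonecfg -z <zonename> export, and the interface list would come from the target host.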

Backing Up a Zone

To make a backup of a zone from the global zone, follow the steps outlined in Step By Step 6.4.

STEP BY STEP

6.4 Backing Up a Zone

A zone named testzone already exists and is currently running on systemA. The zone’s path is /export/zones/testzone. Follow these steps to back up this zone using ufsdump. The backup will be saved in /backup/testzonebkup.dmp.

1. Halt the zone:
# zoneadm -z testzone halt<cr>

2. Perform the backup:
# ufsdump 0f /backup/testzonebkup.dmp /export/zones/testzone<cr>

3. After the ufsdump is complete, boot the zone:

# zoneadm -z testzone boot<cr>

You could also back up a zone while it is running by first creating a UFS snapshot of the zone’s path using fssnap and then backing up the snapshot using ufsdump. UFS snapshot is described in the Solaris 10 System Administration Part 1 book.


Summary

The Solaris zones facility is a major step forward in the Solaris Operating Environment. It allows virtualization of operating system services so that applications can run in an isolated and secure environment. Previously, this functionality has been available only on high-end, extremely expensive servers. One of the advantages of zones is that multiple versions of the same application can be run on the same physical system, but independently of each other. Solaris zones also protects the user from having a single application that can exhaust the CPU or memory resources when it encounters an error.

This chapter has described the concepts of Solaris zones and the zone components as well as the types of zone that can be configured.

You have seen how to configure a zone from scratch and install and boot a zone. You’ve learned how to list, view, uninstall, remove, move, migrate, and clone a zone configuration.

You’ve also learned how to access the zone console and log in to a zone for system administration purposes.

Key Terms

. Branded zone

. Consolidation

. Container

. Global zone

. Isolation

. Nonglobal zone

. Resource management

. Sparse root zone

. Virtualization

. Whole root zone

. zlogin

. zone

. zoneadm

. zoneadmd

. zonecfg

. zsched


Apply Your Knowledge

Exercise

6.1 Creating a Whole Root Zone

In this exercise, you’ll see how to create a nonglobal zone, which copies the Solaris packages to the zone’s private file system. You will need a Solaris 10 workstation with approximately 3.5GB of free disk space. Make sure you are logged in as root and are running a window system (either CDE or Gnome). The zone you will create will be called zone1, and its IP address will be 192.168.0.28.

Estimated time: 1 hour

1. Open a terminal window, and identify a file system with at least 3.5GB of free disk space. For this example, we have used the /export file system. Create the zone directory. You also need to set the permissions on the directory. Enter the following commands at the command prompt:
# mkdir -p /export/zones/zone1<cr>
# chmod 700 /export/zones/zone1<cr>

2. Start creating the zone using the zonecfg command. In this exercise, only the basic setup is required, but in order to create a whole root zone, the default inherited file systems must be removed. This is necessary to ensure that the entire Solaris package collection is copied to the zone. Enter the commands shown in bold:
# zonecfg -z zone1<cr>
zone1: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:zone1> create
zonecfg:zone1> set zonepath=/export/zones/zone1
zonecfg:zone1> set autoboot=true
zonecfg:zone1> add net
zonecfg:zone1:net> set address=192.168.0.28
zonecfg:zone1:net> set physical=eri0
zonecfg:zone1:net> end
zonecfg:zone1> add rctl
zonecfg:zone1:rctl> set name=zone.cpu-shares
zonecfg:zone1:rctl> add value (priv=privileged,limit=20,action=none)
zonecfg:zone1:rctl> end
zonecfg:zone1> add attr
zonecfg:zone1:attr> set name=comment
zonecfg:zone1:attr> set type=string
zonecfg:zone1:attr> set value="This is a whole root zone"
zonecfg:zone1:attr> end
zonecfg:zone1> remove inherit-pkg-dir dir=/lib
zonecfg:zone1> remove inherit-pkg-dir dir=/platform
zonecfg:zone1> remove inherit-pkg-dir dir=/sbin
zonecfg:zone1> remove inherit-pkg-dir dir=/usr
zonecfg:zone1> verify
zonecfg:zone1> commit
zonecfg:zone1> exit

3. The zone has now been created and should be in the configured state. You can view the state by entering the following command:
# zoneadm -z zone1 list -v<cr>

4. Verify the zone, and then enter the command to install the files from the global zone:
# zoneadm -z zone1 verify<cr>
# zoneadm -z zone1 install<cr>

5. Several messages inform you of the progress of the installation. When it has completed, verify that the zone state has now changed to installed by re-entering the following command:
# zoneadm -z zone1 list -v<cr>

6. The next thing to do is to make the zone ready and boot it so that it is running:
# zoneadm -z zone1 ready<cr>
# zoneadm -z zone1 boot<cr>

7. Add an entry to the global zone /etc/hosts file, and try to connect to the hostname for the zone using telnet. This will fail, because the internal configuration of the zone has yet to be completed. Complete the installation by logging in to the console of the newly created zone:
# zlogin -C zone1<cr>

8. A console session is established with the new zone. A number of questions need to be answered before the zone is fully operational. Enter the language, locale, terminal, the hostname for the zone, a security policy (if required), a naming service (choose “none” if a naming service is not being used), and a time zone. Finally, you will be asked to enter a root password.

9. When you have entered all the required information, a final prompt appears concerning the NFSv4 domain name. Answer this question (“no” is the default).

10. The zone reboots to implement the configuration you have just specified. The reboot takes only a few seconds. When it’s complete, you will be able to telnet to the zone as if it were any other remote system.


Exam Questions

1. Which of the following is the correct command to install the zone called appzone1?

❍ A. zonecfg -z appzone1 install

❍ B. zoneadm appzone1 install

❍ C. zoneadm -z appzone1 install

❍ D. zonecfg appzone1 install

2. Which of the following would uninstall the zone called appzone1 automatically, without requesting confirmation from the system administrator?

❍ A. zonecfg appzone1 uninstall

❍ B. zoneadm -z appzone1 uninstall -F

❍ C. zoneadm -z appzone1 install -U

❍ D. zoneadm -z appzone1 uninstall

3. Which of the following are valid types of Root File System types for a nonglobal zone? (Choose two.)

❍ A. Whole Root

❍ B. Zone Root

❍ C. Part Root

❍ D. Sparse Root

4. You are the system administrator, and you need to administer a zone called testzone. Which command will perform an interactive administration login to the zone directly from the global zone?

❍ A. zlogin -z testzone

❍ B. zlogin testzone

❍ C. zoneadm testzone

❍ D. zoneadm -z testzone


5. You are the system administrator, and you need to see if the user account testuser has been created in the zone testzone. Which command from the global zone will achieve this using a noninteractive login to the zone?

❍ A. zoneadm testzone grep testuser /etc/passwd

❍ B. zlogin -z testzone grep testuser /etc/passwd

❍ C. grep testuser /etc/passwd

❍ D. zlogin testzone grep testuser /etc/passwd

6. You are creating a new nonglobal zone. Which of the following zone names is invalid?

❍ A. zone1

❍ B. sunzone

❍ C. SUNWzone

❍ D. sun-zone

7. Which of the following are features of the global zone? (Choose three.)

❍ A. The global zone is not aware of the existence of other zones.

❍ B. The global zone is always assigned Zone ID 0.

❍ C. It contains a full installation of Solaris system packages.

❍ D. It contains a subset of the installed Solaris system packages.

❍ E. It provides the single bootable instance of the Solaris Operating Environment that runs on the system.

8. Which of the following describes how networking in a nonglobal zone is implemented in Solaris zones?

❍ A. Each nonglobal zone requires its own physical network interface.

❍ B. All nonglobal zones must use the same IP address.

❍ C. Each nonglobal zone uses a logical interface and is assigned a unique IP address.

❍ D. Nonglobal zones must use unique port numbers to avoid conflict.

9. Which command displays the current state of the zone testzone?

❍ A. zoneadm list

❍ B. zoneadm -z testzone list -v

❍ C. zonecfg -z testzone list

❍ D. zlogin testzone zonename


10. Which daemon process allocates the zone ID for a nonglobal zone, plumbs the virtual network interface, and mounts any loopback or conventional file systems?

❍ A. zoneadmd

❍ B. zsched

❍ C. init

❍ D. inetd

11. You are configuring a nonglobal zone called zone1, which has a zonepath of /export/zones/zone1. You have preconfigured the zone configuration by creating a sysidcfg file, and you need to install it in the correct location so that when you log in following the initial boot of the zone, the configuration will complete automatically. Where will you install the sysidcfg file?

❍ A. /export/zones/zone1

❍ B. /etc

❍ C. /export/zones/zone1/etc

❍ D. /export/zones/zone1/root/etc

12. Which transitional zone state can be seen when a nonglobal zone is being installed or uninstalled?

❍ A. Ready

❍ B. Incomplete

❍ C. Configured

❍ D. Installed

13. You have a nonglobal zone called tempzone that is no longer required. The zone has already been halted and uninstalled. Which command deletes the zone configuration for this zone without asking for confirmation?

❍ A. zonecfg delete tempzone

❍ B. zoneadm -z tempzone delete -F

❍ C. zonecfg -z tempzone delete -F

❍ D. zoneadm delete tempzone

14. Which option of the zlogin command would be used to gain access to a damaged zone for recovery purposes when other forms of login are not working?

❍ A. -C

❍ B. -S


❍ C. -l

❍ D. -E

15. Which of the following are valid states for a nonglobal zone? (Choose three.)

❍ A. Configured

❍ B. Prepared

❍ C. Uninstalled

❍ D. Ready

❍ E. Booting

❍ F. Running

16. Which of the following are features of a nonglobal zone? (Choose two.)

❍ A. It provides the single bootable instance of the Solaris Operating Environment that runs on a system.

❍ B. It contains a full installation of Solaris system packages.

❍ C. It contains a subset of the installed Solaris system packages.

❍ D. Its zone ID is assigned when it is booted.

❍ E. It is always assigned Zone ID 0.

17. You have created a new nonglobal zone called newzone, and you want to view the zone configuration data. Which of the following will display the required information? (Choose two.)

❍ A. cat /etc/zones/newzone.xml

❍ B. cat /export/zones/newzone/root/etc/zones/newzone.xml

❍ C. zoneadm -z newzone list -v

❍ D. zonecfg -z newzone export

18. Which commands can be used to boot a zone into single-user mode or into the single-user milestone? (Choose two.)

❍ A. zoneadm -zs testzone boot

❍ B. zoneadm -z testzone boot -s

❍ C. zoneadm -z testzone -s boot

❍ D. zoneadm -z testzone boot -- -m single-user

❍ E. zoneadm -z testzone boot -- -m milestone=single-user


Answers to Exam Questions

1. C. The command zoneadm -z appzone1 install will successfully install the zone called appzone1. For more information, see the section “Installing a Zone.”

2. B. The command zoneadm -z appzone1 uninstall -F will successfully uninstall the zone called appzone1 without asking the administrator for confirmation. For more information, see the section “Uninstalling a Zone.”

3. A, D. Whole Root and Sparse Root are valid types of Root File System in the nonglobal zone. For more information, see the section “Nonglobal Zone Root File System Models.”

4. B. The command zlogin testzone will initiate an interactive login to the zone from the global zone. For more information, see the section “Logging in to a Zone.”

5. D. The command zlogin testzone grep testuser /etc/passwd will run the command grep testuser /etc/passwd in the testzone zone, in a noninteractive login from the global zone. For more information, see the section “Running a Command in a Zone.”

6. C. The zone name “SUNWzone” is invalid because all zone names beginning with “SUNW” are reserved. For more information, see the section “The zonecfg Command.”

7. B, C, E. The global zone is always assigned Zone ID 0, it contains a full installation of Solaris system packages, and it also provides the single bootable instance of the Solaris Operating Environment that runs on the system. For more information, see the section “Zone Features.”

8. C. Networking in nonglobal zones is implemented by using a logical network interface and the zone is assigned a unique IP address. For more information, see the section “Networking in a Zone Environment.”

9. B. The command zoneadm -z testzone list -v displays the current state of the zone called testzone. For more information, see the section “Booting a Zone.”

10. A. The zoneadmd daemon process assigns the zone ID to a nonglobal zone; it also plumbs the virtual network interface and mounts any loopback or conventional file systems. For more information, see the section “Zone Daemons.”

11. D. In order to get the nonglobal zone zone1 to automatically complete the zone configuration, the sysidcfg would be installed in the /export/zones/zone1/root/etc directory. For more information, see the section “Using a sysidcfg File.”

12. B. The zone state being described is incomplete, because it is a transitional state that is displayed when a nonglobal zone is being installed or uninstalled.

13. C. The command zonecfg -z tempzone delete -F will successfully delete the configuration for zone tempzone.

14. B. The zlogin -S command is used to gain access to a damaged zone for recovery purposes when other forms of login are not working. For more information, see the section “Zone Login.”


15. A, D, F. The valid zone states are configured, ready, and running. For more information, see the section “Zone States.”

16. C, D. The nonglobal zone contains a subset of the installed Solaris system packages and its zone ID is assigned by the system when it boots.

17. A, D. The two ways of displaying the zone configuration data for the zone newzone are cat /etc/zones/newzone.xml and zonecfg -z newzone export. For more information, see the section “Viewing the Zone Configuration.”

18. B, E. Boot a zone into single-user mode using zoneadm -z testzone boot -s. You can also boot into the single-user milestone using the following command: zoneadm -z testzone boot -- -m milestone=single-user. For more information, see the section “Booting a Zone.”

Suggested Reading and Resources

“System Administration Guide: Solaris Containers—Resource Management and Solaris Zones” manual from the Solaris 10 Documentation CD.

“System Administration Guide: Solaris Containers—Resource Management and Solaris Zones” book in the System Administration Collection of the Solaris 10 documentation set, part number 817-1592-15, available at http://docs.sun.com.


7 SEVEN

Advanced Installation Procedures: JumpStart, Flash Archive, and PXE

Objectives

The following test objectives for exam CX-310-202 are covered in this chapter:

Explain custom JumpStart configuration, including the boot, identification, configuration, and installation services.

. This chapter helps you understand the components of a JumpStart network installation. You’ll learn about setting up servers and clients to support a JumpStart installation, including JumpStart related commands, configuration files, and services.

Configure a JumpStart including implementing a JumpStart server; editing the sysidcfg, rules, and profile files; and establishing JumpStart software alternatives (setup, establishing alternatives, troubleshooting, and resolving problems).

. This chapter shows you how to implement a JumpStart installation, as well as the files and scripts that are modified and used.

Explain Flash, create and manipulate the Flash archive, and use it for installation.

. The Solaris Flash feature takes a snapshot of a Solaris operating environment, complete with patches and applications, if desired. It can be used only in initial installations, however, not upgrades.

Given a Preboot Execution Environment (PXE) installation scenario, identify requirements and install methods, configure both the install and DHCP server, and boot the x86 client.

. This chapter shows you how to use the PXE to boot and install an x86 client across the network.


Outline

Introduction
Custom JumpStart
Preparing for a Custom JumpStart Installation
What Happens During a Custom JumpStart Installation?
Differences Between SPARC and x86/x64-Based Systems
JumpStart Stages: SPARC System
JumpStart Stages: x86/x64 System
The Boot Server
/etc/ethers
/etc/hosts
/etc/dfs/dfstab
/etc/bootparams
/tftpboot
Setting Up the Boot Server
The Install Server
The Configuration Server
Setting Up a Profile Diskette
The Rules File
Rules File Requirements
Rules File Matches
Validating the Rules File
begin and finish Scripts
Creating class Files
archive_location
backup_media
boot_device
bootenv_createbe
client_arch
client_root
client_swap
cluster
dontuse
filesys
forced_deployment
install_type
geo
layout_constraint
local_customization
locale
metadb
no_content_check
no_master_check
num_clients
package
partitioning
pool
root_device
system_type
usedisk
Testing Class Files
sysidcfg File
Name Service, Domain Name, and Name Server Keywords
Network-Related Keywords
Setting the Root Password
Setting the System Locale, Terminal, Time Zone, and Time Server
Setting Up JumpStart in a Name Service Environment
Setting Up Clients
Troubleshooting JumpStart
Installation Setup
Client Boot Problems
A Sample JumpStart Installation
Setting Up the Install Server
Creating the JumpStart Directory
Setting Up a Configuration Server
Setting Up Clients
Starting Up the Clients
Solaris Flash
Creating a Flash Archive
Using the Solaris Installation Program to Install a Flash Archive
Creating a Differential Flash Archive
Solaris Flash and JumpStart
Preboot Execution Environment (PXE)
Preparing for a PXE Boot Client
Configuring the DHCP Server
Adding an x86 Client to Use DHCP
Booting the x86 Client
Summary
Key Terms
Apply Your Knowledge
Exercise
Exam Questions
Answers to Exam Questions
Suggested Reading and Resources


Study Strategies

The following strategies will help you prepare for the test:

. Practice the Step By Step examples provided in this chapter on a Solaris system. Be sure that you understand each step and can describe the process of setting up a boot server, an install server, and a configuration server. You should also be able to identify the events that occur during the JumpStart client boot sequence.

. Understand each of the commands described in this chapter. Get familiar with all the options, especially the ones used in the examples. You’ll see questions on the exam related to the add_install_client and add_to_install_server scripts.

. State the purpose of the sysidcfg file, the class file, and the rules file. Given the appropriate software source, be prepared to explain how to create a configuration server with a customized rules file and class files.

. State the purpose of the JumpStart server and identify the main components of each type of server. Learn the terms listed in the “Key Terms” section near the end of this chapter. Be prepared to define each term.

. State the features and limitations of Solaris Flash and be able to implement a Flash Archive. Practice the Flash Archive example in this chapter using two Solaris systems. Make sure you are comfortable with the concepts being introduced, as well as the procedures to successfully use this powerful feature.

. Become familiar with the Preboot Execution Environment (PXE) features, the requirements, and the procedures to follow in order to get an x86 client to successfully boot across the network. Also, make sure you understand what the DHCP symbols represent, and be prepared for a question in the exam that asks you to match a symbol with its corresponding description.


Introduction

There are six ways to install the Solaris software on a system. The first two interactive methods of installation, GUI and command-line, are described in Solaris 10 System Administration Exam Prep (Exam CX-310-200), Part I. The more advanced installation methods—custom JumpStart, WAN boot, Solaris Flash, and Live Upgrade—are described in this book. The topics are quite lengthy, so I divided them into two chapters.

In this chapter, I describe how to use custom JumpStart to install the operating system onto SPARC-based clients across the network. Custom JumpStart is used to install groups of similar systems automatically and identically.

Also in this chapter, I describe the Solaris Flash Archive method of installation. With a Flash Archive, you can take a complete snapshot of the Solaris operating environment on a running system, including patches and applications, and create an archive that can be used to install other systems. This method effectively creates a clone.

Finally, I describe the Preboot Execution Environment (PXE). PXE is a direct form of network boot that can be used to install the Solaris Operating Environment onto x86/x64-based systems across the network using DHCP. It does not require the client to have any form of local boot media.

Custom JumpStart

Objectives

. Explain custom JumpStart configuration, including the boot, identification, configuration, and installation services.

. Configure a JumpStart including implementing a JumpStart server; editing the sysidcfg, rules, and profile files; and establishing JumpStart software alternatives (setup, establishing alternatives, troubleshooting, and resolving problems).

The custom JumpStart method of installing the operating system provides a way to install groups of similar systems automatically and identically. If you use the interactive method to install the operating system, you must interact with the installation program by answering various questions. At a large site with several systems that are to be configured exactly the same, this task can be monotonous and time-consuming. In addition, there is no guarantee that each system is set up the same. Custom JumpStart solves this problem by providing a method to create sets of configuration files beforehand so that the installation process can use them to configure each system automatically.


Custom JumpStart requires up-front work, creating custom configuration files before the systems can be installed, but it’s the most efficient way to centralize and automate the operating system installation at large enterprise sites. Custom JumpStart can be set up to be completely hands-off.

The custom configuration files that need to be created for JumpStart are the rules and class files. Both of these files consist of several keywords and values and are described in this chapter.

Another file that is introduced in this chapter is the sysidcfg file, which can be used to preconfigure the system identification information and achieve a fully hands-off installation.

Table 7.1 lists the various commands that are introduced in this chapter.

Table 7.1 JumpStart Commands

| Command | Description |
|---|---|
| setup_install_server | Sets up an install server to provide the operating system to the client during a JumpStart installation. This command is also used to set up a boot-only server when the -b option is specified. |
| add_to_install_server | A script that copies additional packages within a product tree on the Solaris 10 Software and Solaris 10 Languages CDs to the local disk on an existing install server. This option is not necessary when creating an install server from a DVD. |
| add_install_client | A command that adds network installation information about a system to an install or boot server’s /etc files so that the system can install over the network. |
| rm_install_client | Removes JumpStart clients that were previously set up for network installation. |
| check | Validates the information in the rules file. |
| pfinstall | Performs a dry run installation to test the class file. |
| patchadd -C | A command to add patches to the files in the miniroot (located in the Solaris_10/Tools/Boot directory) of an installation image created by setup_install_server. This facility enables you to patch Solaris installation commands and other miniroot-specific commands. |

JumpStart has three main components:

. Boot and Client Identification Services: These services typically are provided by a networked boot server and provide the information that a JumpStart client needs to boot using the network. Alternatively, the identification service can be provided by any network server configured to provide this service.

. Installation Services: These are provided by a networked install server, which provides an image of the Solaris operating environment the JumpStart client uses as its source of data to install.

. Configuration Services: These are provided by a networked configuration server and provide information that a JumpStart client uses to partition disks and create file systems, add or remove Solaris packages, and perform other configuration tasks.

Chapter 7: Advanced Installation Procedures: JumpStart, Flash Archive, and PXE

Each of these components is described in this chapter. If any of these three components is improperly configured, the JumpStart clients can

. Fail to boot.

. Fail to find a Solaris Operating Environment to load.

. Ask questions interactively for configuration.

. Fail to partition disks, create file systems, and load the operating environment.

Preparing for a Custom JumpStart Installation

The first step in preparing a custom JumpStart installation is to decide how you want the systems at your site to be installed. Here are some questions you should answer before you begin:

. Will the installation be an initial installation or an upgrade?

. What applications will the system support?

. Who will use the system?

. How much swap space is required?

These questions will help you group the systems when you create the class and rules files later in this chapter.

Additional concerns to be addressed include what software packages need to be installed and what size the disk partitions need to be in order to accommodate the software. After you answer these questions, group systems according to their configuration (as shown in the example of a custom JumpStart near the end of this chapter).

NOTE: Server configurations. At times we describe the boot server, the install server, and the configuration server as though they are three separate systems. The reality, however, is that most sites have one system that performs all three functions. This topic is discussed in more detail in the section “The Install Server.”

The next step in preparing a custom JumpStart installation is to create the configuration files that will be used during the installation: the rules.ok file (a validated rules file) and a class file for each group of systems. The rules.ok file is a file that should contain a rule for each group of systems you want to install. Each rule distinguishes a group of systems based on one or more system attributes. The rule links each group to a class file, which is a text file that defines how the Solaris software is to be installed on each system in the group. Both the rules.ok file and the class files must be located in a JumpStart directory you define.

The custom JumpStart configuration files that you need to set up can be located on either a diskette (called a configuration diskette) or a server (called a configuration server). Use a configuration diskette when you want to perform custom JumpStart installations on nonnetworked standalone systems. Use a configuration server when you want to perform custom JumpStart installations on networked systems that have access to the server. This chapter covers both procedures.

What Happens During a Custom JumpStart Installation?

This section provides a quick overview of what takes place during a custom JumpStart installation. Each step is described in detail in this chapter.

To prepare for the installation, you create a set of JumpStart configuration files, the rules and class files, on a server that is located on the same network as the client you are installing. Next, you set up the server to provide a startup kernel that is passed to the client across the network. This is called the boot server (or sometimes it is called the startup server).

After the client starts up, the boot server directs the client to the JumpStart directory, which is usually located on the boot server. The configuration files in the JumpStart directory direct and automate the entire Solaris installation on the client.

To be able to start up and install the operating system on a client, you need to set up three servers: a boot server, an install server, and a configuration server. These can be three separate servers; however, in most cases, one server provides all these services.

Differences Between SPARC and x86/x64-Based Systems

SPARC and x86/x64-based systems differ in how they perform a network boot. SPARC systems initiate a network boot by executing the boot net command from the OpenBoot prompt. On the other hand, most x86/x64-based systems can boot directly from a network interface card using the Preboot Execution Environment (PXE). These differences affect the JumpStart process and are worth noting.

JumpStart Stages: SPARC System

The JumpStart stages for a SPARC-based system are as follows:

1. Boot the client from the OpenBoot PROM:

ok> boot net - install<cr>

2. The client broadcasts a reverse address resolution protocol (RARP) request over the network requesting an IP address.

3. A rarpd daemon, running on a boot server, responds to the RARP request with an IP address for the boot client.

4. The client issues a TFTP request to the boot server to send over the bootstrap loader.

5. At the boot server, the inetd daemon receives the TFTP request and starts the in.tftpd daemon. The in.tftpd daemon locates an IP address along with the boot client’s architecture in the /tftpboot directory. The boot server sends a JumpStart mini-root kernel to the client via TFTP.

6. The boot client boots to the mini-root kernel that was sent from the boot server.

7. The boot client broadcasts another RARP request, asking for an IP address.

8. The boot server searches the ethers and hosts databases to map the client’s Ethernet MAC address to an IP address. The boot server responds to the RARP request with an IP address.

9. The client sends a BOOTPARAMS request to the boot server to get its hostname.

10. The boot server returns a hostname obtained from its bootparams table.

11. The client sends a BOOTPARAMS request to the boot server to get a root (/) file system.

12. The boot server locates the information in the bootparams table and sends the root file system information to the client.

13. Using the bootparams information just received, the client uses NFS to mount the root (/) file system from the boot server and starts the init program.

14. After the boot server is finished bootstrapping the client, it locates the client’s configuration server in the bootparams table. It sends this information to the client.

15. The client uses the BOOTPARAMS information to search for the configuration server.

16. The client mounts the OS image from the install server and executes sysidtool to obtain system identification information.

17. The client mounts the OS image on the install server.

18. The client runs install-solaris and installs the OS.

JumpStart Stages: x86/x64 System

The JumpStart stages for an x86/x64-based system are as follows:

1. A network boot is configured in the system’s BIOS (or in the network interface utility), or the user can press the appropriate key at boot time to display a menu of boot options. Typically, this key is F12.

2. During the network boot, the PXE client broadcasts a DHCPDISCOVER message containing an extension that identifies the request as coming from a client that implements the PXE protocol.

3. The boot server sends the PXE client a list of appropriate boot servers.

4. The client then discovers the boot server and receives the name of an executable file on the chosen boot server. The client issues a TFTP request based on the BootSrvA and BootFile parameters it received from the DHCP server and requests a download of the executable from the boot server.

The BootFile parameter specifies the file that the PXE client will use to boot through the network.

The BootSrvA parameter specifies the IP address of the boot server.

5. At the boot server, the inetd daemon receives the TFTP request and starts the in.tftpd daemon. The in.tftpd daemon locates an IP address along with the boot client’s architecture in the /tftpboot directory. The boot server sends a JumpStart mini-root kernel to the client via TFTP.

6. The PXE client downloads the executable file using either standard TFTP or MTFTP (Multisource File Transfer Protocol).

7. The PXE client initiates execution of the downloaded image.

8. After obtaining the boot image, the PXE client issues another DHCPDISCOVER request message, requesting a new IP address. The boot server responds with a network bootstrap program filename.

NOTE: Configuring a DHCP server. For SPARC-based clients, you have the option of using RARP or DHCP to supply the identity information they require to boot and begin the system identification and installation process. But x86/x64 clients that use the PXE use only DHCP for their configuration. Therefore, you must configure a DHCP server to support the boot and identification operations of x86/x64-based JumpStart clients. The same boot server may provide ARP/RARP services for SPARC clients and DHCP services for x86/x64 clients, or both SPARC and x86/x64 clients could use DHCP.

Setting up a DHCP server to support PXE clients is described later in this chapter.

9. The DHCP server responds with a DHCPACK, also called DHCPOFFERACK, which includes the following:

. SrootNM and SrootIP4: Hostname and IP address of the boot server

. SrootPTH: Path to the exported mini-root file system on the boot server

. SinstNM and SinstIP4: Hostname and IP address of the install server

. SrootPTH: Path to the exported Solaris distribution on the install server

. SjumpsCF: Path to the Jumpstart configuration

. SsysidCF: Path to the sysidcfg

10. Using this DHCP information received from the DHCP server, the PXE client uses NFS to mount the root (/) file system from the boot server and to locate the configuration server.

11. The client mounts the configuration server and executes sysidtool to obtain system identification information.

12. The client mounts the OS image on the install server.

13. The client runs install-solaris and installs the OS.

The Boot Server

The boot server, also called the startup server, is where the client systems access the startup files. This server must be on the local subnet (not across routers). Although it is possible to install systems over the network that are not on the same subnet as the install server, there must be a boot server that resides on the same subnet as the client.

When a client is first turned on, it does not have an operating system installed or an IP address assigned; therefore, when the client is first started, the boot server provides this information. The boot server running the RARP (Reverse Address Resolution Protocol) daemon, in.rarpd, looks up the Ethernet address in the /etc/ethers file, checks for a corresponding name in its /etc/hosts file, and passes the Internet address back to the client.

NOTE: Check the rarpd daemon. rarpd is a daemon that is not always running. The in.rarpd service is managed by the service management facility under the FMRI svc:/network/rarp. Make sure that this service is enabled by issuing the following command:

svcadm enable svc:/network/rarp

RARP is a method by which a client is assigned an IP address based on a lookup of its Ethernet address. After supplying an IP address, the server searches the /tftpboot directory for a symbolic link named for the client’s IP address expressed in hexadecimal format. This link points to a boot program for a particular Solaris release and client architecture. For SPARC systems, the filename is <hex-IP address.architecture>. For example:

C009C864.SUN4U -> inetboot.sun4u.Solaris_10-1

The boot server uses the in.tftpd daemon to transmit the boot program to the client via Trivial File Transfer Protocol (TFTP). The client runs this boot program to start up.

Make sure that the in.tftpd daemon is enabled on your boot server by typing:

# svcs -a|grep tftp<cr>

If nothing is displayed, the in.tftpd daemon is not enabled. Although the service is managed by SMF under the FMRI svc:/network/tftp/udp6:default, you enable it by uncommenting the following line in the /etc/inetd.conf file:

tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot

After uncommenting the line, run the following command:

# /usr/sbin/inetconv<cr>

Check that the service is running by typing:

# svcs -a|grep tftp<cr>

The system displays this:

online 10:02:35 svc:/network/tftp/udp6:default

The boot program tries to mount the root file system. To do so, it issues the whoami request to discover the client’s hostname. The boot server running the boot parameter daemon, rpc.bootparamd, looks up the hostname and responds to the client. The boot program then issues a getfile request to obtain the location of the client’s root and swap space. The boot server responds with the information obtained from the /etc/bootparams file.

As soon as the client has its boot parameters, the boot program on the client mounts the / (root) file system from the boot server. The client loads its kernel and starts the init program. When the boot server is finished bootstrapping the client, it redirects the client to the configuration server.

The client searches for the configuration server using the bootparams information. The client mounts the configuration directory and runs sysidtool, which is a suite of tools used to configure the system identification information. Typically, all the system identification information is stored in the sysidcfg file, described later in this chapter. The client then uses the bootparams information to locate and mount the installation directory where the Solaris image resides. The client then runs the install-solaris program and installs the operating system.

For boot operations to proceed, the following files, directories, and services must be properly configured on the boot server:

. /etc/ethers

. /etc/hosts

. /etc/dfs/dfstab

. /etc/bootparams

. /tftpboot

. The TFTP service in SMF

. The rarpd service in SMF

The following sections describe each file.

/etc/ethers

This file is required on the boot server. It supports RARP requests sent from the SPARC-based JumpStart client. When the JumpStart client boots, it has no IP address, so it broadcasts its Ethernet address to the network using RARP. The boot server receives this request and attempts to match the client’s Ethernet address with an entry in the local /etc/ethers file.

If a match is found, the client name is matched to an entry in the /etc/hosts file. In response to the RARP request from the client, the boot server sends the IP address from the /etc/hosts file back to the client. The client continues the boot process using the assigned IP address.

An entry for the JumpStart client must be created by editing the /etc/ethers file or using the add_install_client script described later in this chapter in the section “Setting Up Clients.”

/etc/hosts

The /etc/hosts file was described in Chapter 1, “The Solaris Network Environment.” The /etc/hosts file is the local file that associates the names of hosts with their IP addresses. The boot server references this file when trying to match an entry from the local /etc/ethers file in response to a RARP request from a client. In a name service environment, this file would be controlled by NIS. See Chapter 5, “Naming Services,” for more information on how this file can be managed by NIS.

/etc/dfs/dfstab

The /etc/dfs/dfstab file lists local file systems to be shared to the network. This file is described in detail in Chapter 2, “Virtual File Systems, Swap Space, and Core Dumps.”

/etc/bootparams

The /etc/bootparams file contains entries that network clients use for booting. JumpStart clients retrieve the information from this file by issuing requests to a server running the rpc.bootparamd program. See the section “Setting Up Clients” later in this chapter for more information on how this file is configured.

/tftpboot

/tftpboot is a directory that contains the inetboot.SUN4x.Solaris_10-1 file that is created for each JumpStart client when the add_install_client script is run.

The client’s IP address is expressed in hexadecimal format. This link points to a boot program for a particular Solaris release and client architecture.

When booting over the network, the JumpStart client’s boot PROM makes a RARP request, and when it receives a reply, the PROM broadcasts a TFTP request to fetch the inetboot file from any server that responds and executes it. See how this directory is configured in the section “Setting Up Clients.”
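The lookups described in the sections above can be traced for a single client before it is ever booted. The following shell script is an added example, not part of the book: it follows one MAC address through ethers, hosts, the hexadecimal /tftpboot link name, and bootparams, run here against constructed sample files. The helper names and the bootparams keys it checks (root, install, install_config) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the book's code: follow one SPARC client through the
# boot server's lookups. All sample file contents below are constructed.

# Dotted-quad IPv4 address -> the 8 hex digits that name the /tftpboot link.
ip_to_hex() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac   # digits only, no leading zero
        [ "$o" -le 255 ] || return 1
    done
    printf '%02X%02X%02X%02X\n' "$1" "$2" "$3" "$4"
}

# ethers entries often drop leading zeros (8:0:20:...), so compare normalized.
norm_mac() {
    echo "$1" | tr 'A-F' 'a-f' | awk -F: '{
        for (i = 1; i <= NF; i++) {
            sub(/^0+/, "", $i); if ($i == "") $i = "0"
            printf "%s%s", $i, (i < NF ? ":" : "\n")
        } }'
}

# ethers file: MAC -> hostname (the first lookup made for a RARP request).
ethers_name() {   # $1 = ethers file, $2 = MAC
    want=$(norm_mac "$2")
    while read -r mac name rest; do
        case $mac in ''|\#*) continue ;; esac
        if [ "$(norm_mac "$mac")" = "$want" ]; then echo "$name"; return 0; fi
    done < "$1"
    return 1
}

# hosts file: hostname -> IP address (first match wins, comments ignored).
hosts_ip() {      # $1 = hosts file, $2 = hostname
    awk -v h="$2" '
        /^[ \t]*#/ { next }
        { for (i = 2; i <= NF; i++) {
              if ($i ~ /^#/) break
              if ($i == h) { print $1; found = 1; exit }
          } }
        END { exit !found }' "$1"
}

# Walk the chain for one client. $1 is a directory holding ethers, hosts,
# bootparams and tftpboot/ (copies of /etc/ethers, /etc/hosts, and so on).
# Return codes: 1 ethers, 2 hosts, 3 tftpboot link, 4 bootparams.
check_boot_client() {   # $1 = dir, $2 = MAC, $3 = architecture suffix, e.g. SUN4U
    dir=$1; arch=$3
    name=$(ethers_name "$dir/ethers" "$2") ||
        { echo "FAIL ethers: no entry for $2 (RARP request goes unanswered)"; return 1; }
    ip=$(hosts_ip "$dir/hosts" "$name") && hex=$(ip_to_hex "$ip") ||
        { echo "FAIL hosts: no usable IPv4 address for $name"; return 2; }
    link=$dir/tftpboot/$hex.$arch
    [ -L "$link" ] && [ -e "$link" ] ||
        { echo "FAIL tftpboot: $hex.$arch is missing or dangling"; return 3; }
    bp=$(grep "^$name[[:space:]]" "$dir/bootparams") ||
        { echo "FAIL bootparams: no entry for $name"; return 4; }
    bp=" $(echo "$bp" | tr '\t' ' ') "
    for key in root install install_config; do
        case $bp in
            *" $key="*) ;;
            *) echo "FAIL bootparams: $name has no $key= value"; return 4 ;;
        esac
    done
    echo "OK $name $ip $hex.$arch"
}

# Build a constructed sample tree in a temporary directory and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/tftpboot"
    echo '8:0:20:21:49:25 client1' > "$d/ethers"
    printf '127.0.0.1 localhost\n192.9.200.100 client1 # constructed\n' > "$d/hosts"
    echo 'client1 root=server1:/export/install/sparc_10/Solaris_10/Tools/Boot install=server1:/export/install/sparc_10 boottype=:in install_config=server1:/export/jumpstart' > "$d/bootparams"
    : > "$d/tftpboot/inetboot.sun4u.Solaris_10-1"
    ln -s inetboot.sun4u.Solaris_10-1 "$d/tftpboot/C009C864.SUN4U"
    echo "$d"
}

sample=$(make_sample) && check_boot_client "$sample" 08:00:20:21:49:25 SUN4U
rm -rf "$sample"
```

Each return code corresponds to one stage of the boot sequence, so the first failure reported is the stage at which the client would stall.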

Setting Up the Boot Server

The boot server is set up to answer RARP, TFTP, and BOOTPARAMS requests from clients using the add_install_client command. Before a client can start up from a boot server, the setup_install_server command is used to set up the boot server. If the same server will be used as a boot server and an install server, proceed to the next section, “The Install Server.”

To set up the boot server, follow the steps in Step By Step 8.1.

NOTE: DHCP services on the boot server can be used as an alternate method of providing boot and identification information to the JumpStart client. In fact, DHCP is used to support x86/x64-based JumpStart clients. It is described later in this chapter.

NOTE: Booting on a separate subnet. Normally, the install server also provides the boot program for booting clients. However, the Solaris network booting architecture requires you to set up a separate boot server when the install client is on a different subnet than the install server. Here’s the reason: SPARC install clients require a boot server when they exist on different subnets because the network booting architecture uses Reverse Address Resolution Protocol (RARP). When a client boots, it issues a RARP request to obtain its IP address. RARP, however, does not acquire the netmask number, which is required to communicate across a router on a network. If the boot server exists across a router, the boot fails, because the network traffic cannot be routed correctly without a netmask.

STEP BY STEP

8.1 Setting Up the Boot Server

1. On the system that is the boot server, log in as root. Ensure the system has an empty directory with approximately 350MB of available disk space.

2. Insert the Solaris 10 DVD or Software CD 1 into the DVD/CD-ROM drive, allowing vold to automatically mount the media. Change the directory to the mounted media. Here is an example:

# cd /cdrom/cdrom0/s0/Solaris_10/Tools<cr>

3. Use the setup_install_server command to set up the boot server. The -b option copies just the startup software from the Solaris media to the local disk. Enter this command:

# ./setup_install_server -b <boot_dir_path><cr>

where -b specifies that the system is set up as a boot server and <boot_dir_path> specifies the directory where the Solaris image is to be copied. You can substitute any directory path, as long as that path is shared across the network.

For example, the following command copies the kernel architecture information into the /export/jumpstart directory:

# ./setup_install_server -b /export/jumpstart<cr>

The system responds with this:

Verifying target directory...
Calculating space required for the installation boot image
Copying Solaris_10 Tools hierarchy...
Copying Install Boot Image hierarchy...
Install Server setup complete

NOTE: Insufficient disk space. The following error indicates that there is not enough room in the directory to install the necessary files. You need to either clean up files in that file system to make more room or choose a different file system:

ERROR: Insufficient space to copy Install Boot image
362978 necessary -69372 available.

If no errors are displayed, the boot server is now set up. This boot server will handle all boot requests on this subnet. A client can only boot to a boot server located on its subnet. If you have JumpStart clients on other subnets, you need to create a boot server for each of those subnets. The installation program creates a subdirectory named Solaris_10 in the <boot_dir_path> directory.

The Install Server

As explained in the previous section, the boot server and the install server are typically the same system. The exception is when the client on which Solaris 10 is to be installed is located on a different subnet than the install server. Then a boot server is required on that subnet.

The install server is a networked system that provides the Solaris 10 operating system image.This can be any of the following:

. A shared CD-ROM or DVD-ROM drive with the Solaris OE media inserted

. A spooled image from either CD or DVD media

. A Flash installation image

Typically, we create an install server by copying the images from the Solaris installation media onto the server’s hard disk. This chapter focuses on using CD images, but you should be aware that Solaris 10 is also available on a single DVD.

By copying these CD images (or single DVD image) to the server’s hard disk, you enable a single install server to provide Solaris 10 CD images for multiple releases, including Solaris 10 CD images for different platforms. For example, a SPARC install server could provide the following:

. Solaris 10 Software CD 1 CD image

. Solaris 10 Software CD 2 CD image

. Solaris 10 Software CD 3 CD image

. Solaris 10 Software CD 4 CD image

. Solaris 10 Languages CD image (this CD is optional)

NOTE: Destination must be empty. The location in which you are trying to create the boot server must be empty. You see the following error if the target directory is not empty:

The target directory /export/jumpstart is not empty. Please
choose an empty directory or remove all files from the
specified directory and run this program again.

To set up a server as a boot and install server, complete Step By Step 8.2. This Step By Step assumes that all systems are on the same subnet, and the boot and install server are to be on the same system.

STEP BY STEP

8.2 Setting Up a Server as a Boot and Install Server

1. The first step is to copy the Solaris 10 Software CD images to the server:

Insert the CD labeled “Solaris 10 Software CD 1” into the CD-ROM, and allow vold to automatically mount the CD. Change to the Tools directory on the CD:

# cd /cdrom/cdrom0/s0/Solaris_10/Tools<cr>

2. Use the setup_install_server command to install the software onto the hard drive:

# ./setup_install_server <install_dir_path><cr>

<install_dir_path> is the path to which the CD images will be copied. This directory must be empty, and it must be shared so that the JumpStart client can access it across the network during the JumpStart installation. Many system administrators like to put the CD images for the boot server and install server into /export/install and create a directory for each architecture being installed, such as sparc_10, or x86_10. This is because the install server could be used to hold multiple versions and multiple architectures. It’s a personal preference; just be sure that the target directory is empty, shared, and has approximately 3GB of space available, if all four CD images and the Language CD image are to be copied.

To install the operating environment software into the /export/install/sparc_10 directory, issue the following command:

# ./setup_install_server /export/install/sparc_10<cr>

The system responds with this:

Verifying target directory...
Calculating the required disk space for the Solaris_10 Product
Calculating space required for the installation boot image
Copying the CD image to disk...
Copying Install boot image hierarchy...
Install Server setup complete

3. Eject the CD, and insert the CD labeled “Solaris 10 Software CD 2” into the CD-ROM, allowing vold to automatically mount the CD.

Change to the Tools directory on the mounted CD:

# cd /cdrom/cdrom0/Solaris_10/Tools<cr>

4. Run the add_to_install_server script to install the additional software into the <install_dir_path> directory:

# ./add_to_install_server <install_dir_path><cr>

For example, to copy the software into the /export/install/sparc_10 directory, issue the following command:

# ./add_to_install_server /export/install/sparc_10<cr>

The system responds with the following messages:

The following Products will be copied to /export/install/sparc_10/Solaris_10/Product:

Solaris_2

If only a subset of products is needed enter Control-C \
and invoke ./add_to_install_server with the -s option.

Checking required disk space...

Copying Top Level Installer...
131008 blocks

Copying Tools Directory...
4256 blocks

Processing completed successfully.

After checking for the required disk space, the image is copied from CD to disk. When it’s finished installing, repeat the process with the remaining CDs and then with the Solaris 10 Languages CD if you are planning to support multiple languages. When using a DVD, these additional steps are not required.

After copying the Solaris CDs, you can use the patchadd -C command to patch the Solaris miniroot image on the install server’s hard disk. This option patches only the miniroot. Systems that are installed still have to apply recommended patches if they are required.

The Configuration Server

If you are setting up custom JumpStart installations for systems on the network, you have to create a directory on a server called a configuration directory. This directory contains all the essential custom JumpStart configuration files, such as the rules file, the rules.ok file, the class file, the check script, and the optional begin and finish scripts.

The server that contains a JumpStart configuration directory is called a configuration server. It is usually the same system as the install and boot server, although it can be a completely different server. The configuration directory on the configuration server should be owned by root and should have permissions set to 755.

To set up the configuration server, follow Step By Step 8.3.

STEP BY STEP

8.3 Setting Up a Configuration Server

1. Choose the system that acts as the server, and log in as root.

2. Create the configuration directory anywhere on the server (such as /export/jumpstart).

3. To be certain that this directory is shared across the network, edit the /etc/dfs/dfstab file and add the following entry:

share -F nfs -o ro,anon=0 /export/jumpstart

4. Execute the svcadm enable network/nfs/server command. If the system is already an NFSserver, you only need to type shareall and press Enter.

5. Place the JumpStart files (that is, rules, rules.ok, and class files) in the /export/jumpstart directory. The rules, rules.ok, and class files are covered later in this section. Sample copies of these files can be found in the Misc/jumpstart_sample subdirectory of the location where you installed the JumpStart install server.

You can also use the add_install_client script, which makes an entry into the /etc/dfs/dfstab file as part of the script. The add_install_client script is described in the section “Setting Up Clients.”
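Because the configuration directory holds the files that drive every client's installation, the share options and permissions stated above are worth checking after setup. The script below is an added example, not part of the book: it parses a dfstab file for the directory's share line and compares the directory against the root-owned, mode 755, read-only layout described in this section. The function names and the sample tree are constructed for the example, and the expected owner is a parameter so the demo can run unprivileged.

```shell
#!/bin/sh
# Added example, not the book's code: audit a JumpStart configuration directory.
# anon=0 maps unauthenticated NFS clients to UID 0, so the read-only share
# option and the on-disk modes are what stop the rules and scripts being altered.

# Print the -o option string of the dfstab share line for a directory.
# Prints "(none)" if it is shared with no -o, nothing if it is not shared.
share_opts() {    # $1 = dfstab file, $2 = directory
    awk -v d="$2" '
        $1 == "share" && $NF == d {
            o = "(none)"
            for (i = 2; i < NF; i++) if ($i == "-o") o = $(i + 1)
            print o; exit
        }' "$1"
}

# Report every finding on its own line; return 0 only if there are none.
audit_jumpstart_dir() {   # $1 = dfstab, $2 = directory, $3 = expected owner (default root)
    dfstab=$1; dir=$2; owner=${3:-root}; rc=0
    opts=$(share_opts "$dfstab" "$dir")
    if [ -z "$opts" ]; then
        echo "FAIL: $dir has no share entry in $dfstab"; rc=1
    else
        case ",$opts," in
            *,rw,*|*,rw=*) echo "FAIL: $dir is not shared read-only (options: $opts)"; rc=1 ;;
            *,ro,*|*,ro=*) ;;
            *) echo "FAIL: $dir is not shared read-only (options: $opts)"; rc=1 ;;
        esac
    fi
    set -- $(ls -ld "$dir")          # $1 = mode string, $3 = owner
    case $1 in
        drwxr-xr-x*) ;;              # 755; a trailing . or + is an ACL/label marker
        *) echo "FAIL: $dir mode is $1, expected drwxr-xr-x (755)"; rc=1 ;;
    esac
    [ "$3" = "$owner" ] || { echo "FAIL: $dir is owned by $3, expected $owner"; rc=1; }
    # Anything group- or world-writable inside the tree can be changed by a
    # non-root local user and is then served to every installing client.
    loose=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/FAIL: writable by group or other: /'; rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: $dir"
    return $rc
}

# Constructed sample: the dfstab line has the same options as step 3 above.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/jumpstart"; chmod 755 "$t/jumpstart"
    echo "share -F nfs -o ro,anon=0 $t/jumpstart" > "$t/dfstab"
    : > "$t/jumpstart/rules.ok"; chmod 644 "$t/jumpstart/rules.ok"
    me=$(ls -ld "$t" | awk '{ print $3 }')   # sample tree is not root-owned
    audit_jumpstart_dir "$t/dfstab" "$t/jumpstart" "$me"
    status=$?
    rm -rf "$t"
    return $status
}
demo
```

On a real configuration server the call would be audit_jumpstart_dir /etc/dfs/dfstab /export/jumpstart, leaving the owner at its default of root.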

Setting Up a Profile Diskette

An alternative to setting up a configuration server is to create a profile diskette, also called a configuration diskette (provided that the systems that are to be installed have diskette drives). If you use a diskette for custom JumpStart installations, the essential custom JumpStart files (the rules file, the rules.ok file, and the class files) must reside in the root directory on the diskette. The diskette that contains JumpStart files is called a profile diskette. The custom JumpStart files on the diskette should be owned by root and should have permissions set to 755. See Step By Step 8.4 to set up a profile diskette.

STEP BY STEP

8.4 Setting Up a Profile Disk

1. Format the disk by typing the following:

# fdformat -U<cr>

2. If your system uses Volume Manager, insert the disk. It will be mounted automatically.

3. Create a file system on the disk by issuing the newfs command:

# newfs /vol/dev/aliases/floppy0<cr>

4. Eject the disk by typing the following:

# eject floppy<cr>

5. Insert the formatted disk into the disk drive.

You have completed the creation of a diskette that can be used as a profile diskette. Now you can create the rules file and create class files on the configuration diskette to perform custom JumpStart installations.

The Rules File

The rules file is a text file that should contain a rule for each group of systems you want to install automatically. Each rule distinguishes a group of systems based on one or more system attributes and links each group to a class file, which is a text file that defines how the Solaris software is installed on each system in the group.

After deciding how you want each group of systems at your site to be installed, you need to create a rules file for each specific group of systems to be installed. The rules.ok file is a validated version of the rules file that the Solaris installation program uses to perform a custom JumpStart installation.

After you create the rules file, validate it with the check script by changing to the /export/jumpstart directory and issuing the check command. If the check script runs successfully, it creates the rules.ok file. During a custom JumpStart installation, the Solaris installation program reads the rules.ok file and tries to find the first rule that has a system attribute matching the system being installed. If a match occurs, the installation program uses the class file specified in the rule to install the system.

A sample rules file for a Sun Ultra is shown next. You’ll find a sample rules file on the install server located in the <install_dir_path>/Solaris_10/Misc/jumpstart_sample directory, where <install_dir_path> is the directory that was specified using the setup_install_server script when the install server was set up. For the examples in this chapter, the install directory is /export/install/sparc_10.

Notice that almost all the lines in the sample rules file are commented out. These are simply instructions and sample entries to help the system administrator make the correct entry. The last, uncommented line is the rule we added for the example. The syntax is discussed later in this chapter. Each line in the code table has a rule keyword and a valid value for that keyword.


The Solaris installation program scans the rules.ok file from top to bottom. If the program matches a rule keyword and value with a known system, it installs the Solaris software specified by the class file listed in the class file field.

#
# @(#)rules 1.12 94/07/27 SMI
#
# The rules file is a text file used to create the rules.ok file for
# a custom JumpStart installation. The rules file is a lookup table
# consisting of one or more rules that define matches between system
# attributes and profiles.
#
# This example rules file contains:
# o syntax of a rule used in the rules file
# o rule_keyword and rule_value descriptions
# o rule examples
#
# See the installation manual for a complete description of the rules file
#
##########################################################################
#
# RULE SYNTAX:
#
# [!]rule_keyword rule_value [&& [!]rule_keyword rule_value]...
# begin profile finish
#
# "[ ]" indicates an optional expression or field
# "..." indicates the preceding expression may be repeated
# "&&" used to "logically AND" rule_keyword and rule_value pairs
# together
# "!" indicates negation of the following rule_keyword
#
# rule_keyword a predefined keyword that describes a general system
# attribute. It is used with the rule_value to match a
# system with the same attribute to a profile.
#
# rule_value a value that provides the specific system attribute
# for the corresponding rule_keyword. A rule_value can
# be text or a range of values (NN-MM).
# To match a range of values, a system's value must be
# greater than or equal to NN and less than or equal
# to MM.
#
# begin a file name of an optional Bourne shell script
# that will be executed before the installation begins.
# If no begin script exists, you must enter a minus sign (-)
# in this field.
#


# profile a file name of a text file used as a template by the
# custom JumpStart installation software that defines how
# to install Solaris on a system.
#
# finish a file name of an optional Bourne shell script
# that will be executed after the installation completes.
# If no finish script exists, you must enter a minus sign (-)
# in this field.
#
# Notes:
# 1. You can add comments after the pound sign (#) anywhere on a
# line.
# 2. Rules are matched in descending order: first rule through
# the last rule.
# 3. Rules can be continued to a new line by using the backslash
# (\) before the carriage return.
# 4. Don't use the "*" character or other shell wildcards,
# because the rules file is interpreted by a Bourne shell script.
#
##########################################################################
#
# RULE_KEYWORD AND RULE_VALUE DESCRIPTIONS
#
#
# rule_keyword   rule_value Type   rule_value Description
# ------------   ---------------   ----------------------
# any            minus sign (-)    always matches
# arch           text              system's architecture type
# domainname     text              system's domain name
# disksize       text range        system's disk size
#                                  disk device name (text)
#                                  disk size (MBytes range)
# hostname       text              system's host name
# installed      text text         system's installed version of Solaris
#                                  disk device name (text)
#                                  OS release (text)
# karch          text              system's kernel architecture
# memsize        range             system's memory size (MBytes range)
# model          text              system's model number
# network        text              system's IP address
# totaldisk      range             system's total disk size (MBytes range)
#
##########################################################################
#
# RULE EXAMPLES
#
# The following rule matches only one system:


#
#hostname sample_host - host_class set_root_pw

# The following rule matches any system that is on the 924.222.43.0
# network and has the sun4u kernel architecture:
# Note: The backslash (\) is used to continue the rule to a new line.

#network 924.222.43.0 && \
# karch sun4c - net924_sun4u -

# The following rule matches any sparc system with a c0t3d0 disk that is
# between 400 to 600 MBytes and has Solaris 2.1 installed on it:

#arch sparc && \
# disksize c0t3d0 400-600 && \
# installed c0t3d0s0 solaris_2.1 - upgrade -

#
# The following rule matches all x86 systems:

#arch i386 x86-begin x86-class -

#
# The following rule matches any system:

#any - - any_machine -
#
# END RULE EXAMPLES
#
#
karch sun4u - basic_prof -

Table 7.2 describes the syntax that the rules file must follow.

Table 7.2 Rule Syntax

Field    Description

!    Use this before a rule keyword to indicate negation.

[ ]    Use this to indicate an optional expression or field.

...    Use this to indicate that the preceding expression might be repeated.

rule_keyword    A predefined keyword that describes a general system attribute, such as a hostname (hostname) or the memory size (memsize). It is used with rule_value to match a system with the same attribute to a profile. The complete list of rule_keywords is described in Table 7.3.

rule_value    Provides the specific system attribute value for the corresponding rule_keyword. See Table 7.3 for the list of rule_values.

&&    Use this to join rule keyword and rule value pairs in the same rule (a logical AND). During a custom JumpStart installation, a system must match every pair in the rule before the rule matches.

<begin>    A name of an optional Bourne shell script that can be executed before the installation begins. If no begin script exists, you must enter a minus sign (-) in this field. All begin scripts must reside in the JumpStart directory. See the section “begin and finish Scripts” for more information.

<profile>    The name of the class file, a text file that defines how the Solaris software is installed on the system if a system matches the rule. The information in a class file consists of class file keywords and their corresponding class file values. All class files must reside in the JumpStart directory. Class files are described in the section “Creating Class Files.”

<finish>    The name of an optional Bourne shell script that can be executed after the installation completes. If no finish script exists, you must enter a minus sign (-) in this field. All finish scripts must reside in the JumpStart directory. See the section “begin and finish Scripts” for more information.

Rules File Requirements

The rules file must have the following:

. At least one rule

. The name “rules”

. At least a rule keyword, a rule value, and a corresponding profile

. A minus sign (-) in the begin and finish fields if there is no entry

The rules file should be saved in the JumpStart directory, should be owned by root, and should have permissions set to 644.

The rules file can contain any of the following:

. A comment after the pound sign (#) anywhere on a line. If a line begins with a #, the entire line is a comment. If a # is specified in the middle of a line, everything after the # is considered a comment.

. Blank lines.

. Rules that span multiple lines. You can let a rule wrap to a new line, or you can continue a rule on a new line by using a backslash (\) before pressing Enter.


Table 7.3 describes the rule_keywords and rule_values that were mentioned in Table 7.2.

Table 7.3 rule_keyword and rule_value Descriptions

Rule Keyword    Rule Value    Description

any    Minus sign (-)    The match always succeeds.

arch    <processor_type>    The system’s architecture processor type as reported by the arch or the uname -i commands. For example, i86pc or sparc.

disksize    <disk_name> <size_range>    Matches a system’s disk (in MB), such as disksize c0t0d0 32768 to 65536. This example tries to match a system with a c0t0d0 disk that is between 32768 and 65536MB (32 to 64GB). Note: When calculating size_range, remember that a megabyte equals 1,048,576 bytes.
    <disk_name>: A disk name in the form c?t?d?, such as c0t0d0, or the special word rootdisk. If rootdisk is used, the disk to be matched is determined in the following order:
    1. The disk that contains the preinstalled boot image (a new SPARC-based system with factory JumpStart installed).
    2. The c0t0d0s0 disk, if it exists.
    3. The first available disk (searched in kernel probe order).
    <size_range>: The size of disk, which must be specified as a range of MB (xx to xx).

domainname    <domain_name>    Matches a system’s domain name, which controls how a name service determines information. If you have a system already installed, the domainname command reports the system’s domain name.

hostaddress    <IP_address>    Matches a system’s IP address.

hostname    <host_name>    Matches a system’s hostname. If you have a system already installed, the uname -n command reports the system’s hostname.

installed    <slice> <version>    Matches a disk that has a root file system corresponding to a particular version of Solaris software. Example: installed c0t0d0s0 Solaris_9. This example tries to match a system that has a Solaris 9 root file system on c0t0d0s0.
    <slice>: A disk slice name in the form c?t?d?s?, such as c0t0d0s5, or the special words any or rootdisk. If any is used, all the system’s disks will try to be matched (in kernel probe order). If rootdisk is used, the disk to be matched is determined in the following order:
    1. The disk that contains the preinstalled boot image (a new SPARC-based system with factory JumpStart installed).
    2. The disk c0t0d0s0, if it exists.
    3. The first available disk (searched in kernel probe order).
    <version>: A version name, Solaris_2.x, or the special words any or upgrade. If any is used, any Solaris or SunOS release is matched. If upgrade is used, any upgradeable Solaris 2.1 or greater release is matched.

karch    <platform_group>    Matches a system’s platform group. If you have a system already installed, the arch -k command or the uname -m command reports the system’s platform group.
    <platform_group>: Valid values are sun4m, sun4u, i86pc, and prep (the name for PowerPC systems).

memsize    <physical_mem>    Matches a system’s physical memory size (in MB). Example: memsize 256-1024. The example tries to match a system with a physical memory size between 256 and 1GB. If you have a system already installed, the output of the prtconf command (line 2) reports the system’s physical memory size.
    <physical_mem>: The value must be a range of MB (xx to xx) or a single MB value.

model    <platform_name>    Matches a system’s platform name. Any valid platform name will work. To find the platform name of an installed system, use the uname -i command or the output of the prtconf command (line 5). Note: If the <platform_name> contains spaces, you must enclose it in single quotes ('). Example: 'SUNW,Ultra-5_10'.

network    <network_num>    Matches a system’s network number, which the Solaris installation program determines by performing a logical AND between the system’s IP address and the subnet mask. Example: network 193.144.2.1. This example tries to match a system with a 193.144.2.0 IP address (if the subnet mask were 255.255.255.0).

osname    <solaris_2.x>    Matches a version of Solaris software already installed on a system. Example: osname Solaris_9. This example tries to match a system with Solaris 9 already installed.

probe    <probe_keyword>    Use the probe keyword to return a value from a system. For example, probe disks returns the size of the system’s disks in megabytes and in kernel probe order.

totaldisk    <size_range>    Matches the total disk space on a system (in MB). The total disk space includes all the operational disks attached to a system. Example: totaldisk 32768-65536. This example tries to match a system with a total disk space between 32GB and 64GB.
    <size_range>: The value must be specified as a range of MB (xx to xx).

During a custom JumpStart installation, the Solaris installation program attempts to match the system being installed to the rules in the rules.ok file in order, the first rule through the last rule.

Rules File Matches

A rule match occurs when the system being installed matches all the system attributes defined in the rule. As soon as a system matches a rule, the Solaris installation program stops reading the rules.ok file and begins installing the software based on the matched rule’s class file.

Here are a few sample rules:

karch sun4u - basic_prof -

The preceding example specifies that the Solaris installation program should automatically install any system with the sun4u platform group based on the information in the basic_prof class file. There is no begin or finish script.

hostname pyramid2 - ultra_class -

The rule matches a system on the network called pyramid2. The class file to be used is named ultra_class. No begin or finish script is specified.

network 192.168.0.0 && !model 'SUNW,Ultra-5_10' - net_class set_root_passwd

The third rule matches any system on the network that is not an Ultra 5 or Ultra 10. The class file to be used is named net_class, and the finish script to be run is named set_root_passwd.

any - - generic_class -

The last example matches any system. The class file to be used is named generic_class, located in the /export/jumpstart directory. There is no begin or finish script.
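The first-match behavior described above, as an added example (not code from the book or from the Solaris installation program): a small Python matcher that parses rules in the syntax of Table 7.2 and evaluates them against a system's attributes. The facts dictionary, its key names (ip, netmask) and the host values are constructed for illustration, and only a subset of the Table 7.3 keywords is modelled.

```python
import ipaddress
import shlex

# The four sample rules from the text, in order, written with the comment and
# line-continuation syntax the rules file allows (constructed sample input).
SAMPLE_RULES = r"""
# sample rules file
karch sun4u - basic_prof -
hostname pyramid2 - ultra_class -        # trailing comment
network 192.168.0.0 && \
    !model 'SUNW,Ultra-5_10' - net_class set_root_passwd
any - - generic_class -
"""

TEXT_KEYWORDS = ("arch", "karch", "hostname", "hostaddress", "domainname",
                 "model", "osname")
RANGE_KEYWORDS = ("memsize", "totaldisk")


def parse_rules(text):
    """Parse rules text into (conditions, begin, profile, finish) tuples."""
    rules, logical = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):            # backslash continues the rule
            logical += stripped[:-1] + " "
            continue
        # shlex drops everything after '#' and keeps quoted values whole.
        tokens = shlex.split(logical + raw, comments=True)
        logical = ""
        if not tokens:
            continue                           # blank or comment-only line
        if len(tokens) < 5:
            raise ValueError("incomplete rule: %r" % (tokens,))
        *cond_tokens, begin, profile, finish = tokens
        conditions, current = [], []
        for tok in cond_tokens + ["&&"]:       # sentinel closes the last pair
            if tok != "&&":
                current.append(tok)
                continue
            if len(current) < 2:
                raise ValueError("keyword without value: %r" % (tokens,))
            negate = current[0].startswith("!")
            conditions.append((negate, current[0].lstrip("!"), current[1:]))
            current = []
        rules.append((conditions, begin, profile, finish))
    return rules


def _in_range(spec, value):
    """True if value lies in 'NN-MM' (inclusive) or equals a single 'NN'."""
    low, _, high = spec.partition("-")
    return int(low) <= value <= int(high or low)


def condition_matches(keyword, values, facts):
    """Evaluate one rule_keyword/rule_value pair against a system's facts."""
    if keyword == "any":
        return True
    if keyword == "network":
        # Network number = IP address AND subnet mask, as the text describes.
        ip = int(ipaddress.IPv4Address(facts["ip"]))
        mask = int(ipaddress.IPv4Address(facts["netmask"]))
        return (ip & mask) == int(ipaddress.IPv4Address(values[0]))
    if keyword in RANGE_KEYWORDS:
        return _in_range(values[0], facts[keyword])
    if keyword in TEXT_KEYWORDS:
        return facts.get(keyword) == values[0]
    raise ValueError("keyword not modelled in this example: " + keyword)


def first_match(rules, facts):
    """Return begin/profile/finish of the first rule whose pairs all match."""
    for conditions, begin, profile, finish in rules:
        if all(condition_matches(kw, vals, facts) != negate
               for negate, kw, vals in conditions):
            return {"begin": begin, "profile": profile, "finish": finish}
    return None


if __name__ == "__main__":
    # Constructed host: a sun4u machine that is also named pyramid2.
    host = {"hostname": "pyramid2", "karch": "sun4u",
            "model": "SUNW,Ultra-5_10",
            "ip": "192.168.0.25", "netmask": "255.255.255.0"}
    print(first_match(parse_rules(SAMPLE_RULES), host))
```

Because matching stops at the first rule that fits, the sun4u host named pyramid2 receives basic_prof and never reaches the hostname rule; rule order in the file decides which class file and finish script a system gets.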


Validating the Rules File

Before the rules file can be used, you must run the check script to validate that this file is set up correctly. If all the rules are valid, the rules.ok file is created.

To validate the rules file, use the check script provided in the <install_dir_path>/Solaris_10/Misc/jumpstart_sample directory on the install server.

Copy the check script to the directory containing your rules file and run the check script to validate the rules file:

# cd /export/jumpstart<cr>
./check [-p <path>] [-r <file_name>]

<install_dir_path> is the directory that was specified using the setup_install_server script when the install server was set up.

The check script options are described in Table 7.4.

Table 7.4 Check Script Options

Option    Description

-p <path>    Validates the rules file by using the check script from a specified Solaris 10 CD image, instead of the check script from the system you are using. <path> is the pathname to a Solaris installation image on a local disk or a mounted Solaris CD. Use this option to run the most recent version of check if your system is running a previous version of Solaris.

-r <file_name>    Specifies a rules file other than a file named “rules.” Using this option, you can test the validity of a rule before integrating it into the rules file. With this option, a rules.ok file is not created.

When you use check to validate a rules file, the following things happen:

1. The rules file is checked for syntax. check makes sure that the rule keywords are legitimate, and the <begin>, <class>, and <finish> fields are specified for each rule.

2. If no errors are found in the rules file, each class file specified in the rules file is checked for syntax. The class file must exist in the JumpStart installation directory and is covered in the next section.

3. If no errors are found, check creates the rules.ok file from the rules file, removing all comments and blank lines, retaining all the rules, and adding the following comment line to the end:

version=2 checksum=<num>


As the check script runs, it reports that it is checking the validity of the rules file and the validity of each class file. If no errors are encountered, it reports the following:

The custom JumpStart configuration is ok.

The following is a sample session that uses check to validate a rules and class file. I named the rules file “rulestest” temporarily, the class file is named “basic_prof” and I am using the -r option. With -r, the rules.ok file is not created, and only the rulestest file is checked.

# /export/install/Solaris_10/Misc/jumpstart_sample/check -r /tmp/rulestest<cr>
Validating /tmp/rulestest...
Validating profile basic_prof...

Error in file "/tmp/rulestest", line 113
any - - any_maine -

ERROR: Profile missing: any_maine

In this example, the check script found a bad option. any_machine was incorrectly entered as any_maine. The check script reported this error.

In the next example, the error has been fixed, we copied the file from rulestest to /export/jumpstart/rules, and reran the check script:

# cp rulestest /export/jumpstart/rules<cr>
# cd /export/jumpstart<cr>
# /export/install/Solaris_10/Misc/jumpstart_sample/check<cr>
Validating rules...
Validating profile basic_prof...
Validating profile any_machine...
The custom JumpStart configuration is ok.

As the check script runs, it reports that it is checking the validity of the rules file and the validity of each class file. If no errors are encountered, it reports The custom JumpStart configuration is ok. The rules file is now validated.

After the rules.ok file is created, verify that it is owned by root and that it has permissions set to 644.

begin and finish Scripts

A begin script is a user-defined Bourne shell script, located in the JumpStart configuration directory on the configuration server, specified within the rules file, that performs tasks before the Solaris software is installed on the system. You can set up begin scripts to perform the following tasks:

. Backing up a file system before upgrading

. Saving files to a safe location

. Loading other applications


Output from the begin script goes to /var/sadm/system/logs/begin.log.

CAUTION

Beware of /a: Be careful not to specify something in the script that would prevent the mounting of file systems to the /a directory during an initial or upgrade installation. If the Solaris installation program cannot mount the file systems to /a, an error occurs, and the installation fails.

begin scripts should be owned by root and should have permissions set to 744.

In addition to begin scripts, you can also have finish scripts. A finish script is a user-defined Bourne shell script, specified within the rules file, that performs tasks after the Solaris software is installed on the system but before the system restarts. finish scripts can be used only with custom JumpStart installations. You can set up finish scripts to perform the following tasks:

. Move saved files back into place.

. Add packages or patches.

. Set the system’s root password.

Output from the finish script goes to /var/sadm/system/logs/finish.log.

When used to add patches and software packages, begin and finish scripts can ensure that the installation is consistent between all systems.
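The ownership and permission requirements stated in this chapter (rules and rules.ok owned by root with mode 644, begin scripts owned by root with mode 744, and every begin script, finish script and class file residing in the JumpStart directory) can be checked mechanically. The following Python audit is an added example, not part of the book or of the Solaris check script; the function names and the owner_uid parameter are assumptions made for illustration.

```python
import os
import stat

# Modes stated in the text: rules and rules.ok 644, begin scripts 744.
EXPECTED_MODES = {"rules": 0o644, "rules.ok": 0o644}
BEGIN_MODE = 0o744


def _check_file(path, expected_mode, owner_uid, findings):
    """Record problems with one file; expected_mode=None checks existence only."""
    name = os.path.basename(path)
    try:
        st = os.lstat(path)                    # lstat: do not follow symlinks
    except FileNotFoundError:
        findings.append((name, "missing from JumpStart directory"))
        return
    if not stat.S_ISREG(st.st_mode):
        findings.append((name, "not a regular file"))
        return
    if expected_mode is None:
        return
    if st.st_uid != owner_uid:
        findings.append((name, "owner uid %d, expected %d"
                         % (st.st_uid, owner_uid)))
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        findings.append((name, "mode %o, expected %o" % (mode, expected_mode)))


def audit_jumpstart_dir(jumpstart_dir, owner_uid=0):
    """Return a list of (file name, problem) tuples for a JumpStart directory.

    owner_uid defaults to 0 (root), the owner the text requires.
    """
    findings = []
    for name, mode in EXPECTED_MODES.items():
        _check_file(os.path.join(jumpstart_dir, name), mode, owner_uid, findings)

    rules_ok = os.path.join(jumpstart_dir, "rules.ok")
    if not os.path.isfile(rules_ok):
        return findings

    seen = set()
    with open(rules_ok) as fh:
        for line in fh:
            fields = line.split("#", 1)[0].split()
            if len(fields) < 5:
                continue                       # comment or checksum line
            begin, profile, finish = fields[-3:]
            for name, mode in ((begin, BEGIN_MODE), (profile, None),
                               (finish, None)):
                if name == "-" or name in seen:
                    continue
                seen.add(name)
                if os.sep in name:
                    findings.append((name,
                                     "must reside in the JumpStart directory"))
                    continue
                _check_file(os.path.join(jumpstart_dir, name), mode,
                            owner_uid, findings)
    return findings


if __name__ == "__main__":
    # /export/jumpstart is the JumpStart directory used in this chapter.
    for name, problem in audit_jumpstart_dir("/export/jumpstart"):
        print("%s: %s" % (name, problem))
```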

Creating class Files

A class file is a text file that defines how to install the Solaris software on a system. Every rule in the rules file specifies a class file that defines how a system is installed when the rule is matched. You usually create a different class file for every rule; however, the same class file can be used in more than one rule.

EXAM ALERT

Terminology warning: You’ll see the class file referred to as the profile in many Sun documents, scripts, and programs that relate to JumpStart. In Sun System Administration training classes, however, it is sometimes called a class file. That’s how we refer to it throughout this chapter. On the exams, it is also called both a profile and a class file. The same is true of the configuration server. Sometimes Sun calls this server a profile server.

A class file consists of one or more class file keywords (they are described in the following sections). Each class file keyword is a command that controls one aspect of how the Solaris installation program installs the Solaris software on a system. Use the vi editor (or any other text editor) to create a class file in the JumpStart configuration directory on the configuration server. You can create a new class file or edit one of the sample profiles located in /cdrom/cdrom0/s0/Solaris_10/Misc/jumpstart_sample on the Solaris 10 Software CD 1. The class file can be named anything, but it should reflect the way in which it installs the Solaris software on a system. Sample names are basic_install, eng_profile, and accntg_profile.

A class file must have the following:

. The install_type keyword as the first entry

. Only one keyword on a line

. The root_device keyword if the systems being upgraded by the class file have more than one root file system that can be upgraded

A class file can contain either of the following:

. A comment after the pound sign (#) anywhere on a line. If a line begins with a #, the entire line is a comment. If a # is specified in the middle of a line, everything after the # is considered a comment.

. Blank lines.

The class file is made up of keywords and their values. The class file keywords and their respective values are described in the following sections.

archive_location

This keyword is used when installing a Solaris Flash Archive and specifies the source of the Flash Archive. The syntax for this option is shown here:

archive_location retrieval_type location

The retrieval_type parameter can be one of the following:

. NFS

. HTTP or HTTPS

. FTP

. Local tape

. Local device

. Local file


The syntax for a Flash Archive located on an NFS server is as follows:

archive_location nfs server_name:/path/filename <retry n>

where <retry n> specifies the maximum number of attempts to mount the archive.

The syntax for a Flash Archive located on an HTTP or HTTPS server is as follows:

archive_location http://server_name:port/path/filename <optional keywords>

archive_location https://server_name:port/path/filename <optional keywords>

Table 7.5 lists the optional keywords that can be used with this option.

Table 7.5 HTTP Server Optional Keywords

Keyword    Description

auth basic user <password>    If the HTTP server is password-protected, a username and password must be supplied to access the archive.

timeout <min>    Specifies the maximum time, in minutes, that is allowed to elapse without receiving data from the HTTP server.

proxy <host>:<port>    Specifies a proxy host and port. The proxy option can be used when you need to access an archive from the other side of a firewall. The <port> value must be supplied.

The syntax for a Flash Archive located on an FTP server is as follows:

archive_location ftp://username:password@server_name:port/path/filename <optional keywords>

Table 7.6 lists the optional keywords that can be used with this option.

Table 7.6 FTP Server Optional Keywords

Keyword    Description

timeout <min>    Specifies the maximum time, in minutes, that is allowed to elapse without receiving data from the FTP server.

proxy <host>:<port>    Specifies a proxy host and port. The proxy option can be used when you need to access an archive from the other side of a firewall. The <port> value must be supplied.

The syntax for a Flash Archive located on local tape is as follows:

archive_location local_tape <device> <position>

where <device> specifies the device path of the tape drive and <position> specifies the file number on the tape where the archive is located. The <position> parameter is useful because you can store a begin script or a sysidcfg file on the tape prior to the actual archive.


The syntax for a Flash Archive located on a local device is as follows:

archive_location local_device device path/filename file_system_type

The syntax for a Flash Archive located in a local file is as follows:

archive_location local_file path/filename

All that is needed for this option is to specify the full pathname to the Flash Archive file.

backup_media

backup_media defines the medium that is used to back up file systems if they need to be reallocated during an upgrade because of space problems. If multiple tapes or disks are required for the backup, you are prompted to insert these during the upgrade. Here is the backup_media syntax:

backup_media <type> <path>

<type> can be one of the keywords listed in Table 7.7.

Table 7.7 backup_media Keywords

Keyword    Description

local_tape    Specifies a local tape drive on the system being upgraded. The <path> must be the character (raw) device path for the tape drive, such as /dev/rmt/0.

local_diskette    Specifies a local diskette drive on the system being upgraded. The <path> is the local diskette, such as /dev/rdiskette0. The diskette must be formatted.

local_filesystem    Specifies a local file system on the system being upgraded. The <path> can be a block device path for a disk slice or the absolute <path> to a file system mounted by the /etc/vfstab file. Examples of <path> are /dev/dsk/c0t0d0s7 and /home.

remote_filesystem    Specifies an NFS file system on a remote system. The <path> must include the name or IP address of the remote system (host) and the absolute <path> to the file system. The file system must have read/write access. A sample <path> is sparc1:/home.

remote_system    Specifies a directory on a remote system that can be reached by a remote shell (rsh). The system being upgraded must have access to the remote system. The <path> must include the name of the remote system and the absolute path to the directory. If a user login is not specified, the login is tried as root. A sample <path> is bcalkins@sparc1:/home.

Here are some examples of class file keywords being used:

backup_media local_tape /dev/rmt/0
backup_media local_diskette /dev/rdiskette0
backup_media local_filesystem /dev/dsk/c0t3d0s7
backup_media local_filesystem /export
backup_media remote_filesystem sparc1:/export/temp
backup_media remote_system bcalkins@sparc1:/export/temp

backup_media must be used with the upgrade option only when disk space reallocation is necessary.

boot_device

boot_device designates the device where the installation program installs the root file system and consequently what the system’s startup device is. The boot_device keyword can be used when you install either a UFS file system or ZFS root pool. The eeprom value also lets you update the system’s EEPROM if you change its current startup device so that the system can automatically start up from the new startup device.

Here’s the boot_device syntax:

boot_device <device> <eeprom>

Table 7.8 describes the <device> and <eeprom> values.

Table 7.8 boot_device Keywords

Keyword    Description

<device>    Specifies the startup device by specifying a disk slice, such as c0t1d0s0 (c0d1 for x86 systems). It can be the keyword existing, which places the root file system on the existing startup device, or the keyword any, which lets the installation program choose where to put the root file system.

<eeprom>    Specifies whether you want to update the system’s EEPROM to the specified startup device. <eeprom> specifies the value update, which tells the installation program to update the system’s EEPROM to the specified startup device, or preserve, which leaves the startup device value in the system’s EEPROM unchanged. An example for a SPARC system is boot_device c0t1d0s0 update.

NOTE

x86 preserve only: For x86 systems, the <eeprom> parameter must be preserve.

The installation program installs the root file system on c0t1d0s0 and updates the EEPROM to start up automatically from the new startup device. For more information on the boot device, see Chapter 3, “Perform System Boot and Shutdown Procedures,” in Solaris 10 System Administration Exam Prep (Exam CX-310-200), Part I.


bootenv_createbe

bootenv_createbe enables an empty, inactive boot environment to be created at the same time the Solaris OS is installed. The bootenv keyword can be used when you install either a UFS file system or ZFS root pool. You only need to create a / file system; other file system slices are reserved, but not populated. This kind of boot environment is installed with a Solaris Flash Archive, at which time the other reserved file system slices are created.

Here’s the bootenv createbe syntax:

bootenv createbe bename <new_BE_name> filesystem <mountpoint:device:fs_options>

The bename and filesystem values are described in Table 7.9.

Table 7.9 bootenv createbe Keywords

Keyword    Description

bename <new_BE_name>    Specifies the name of the new boot environment to be created. It can be no longer than 30 characters, all alphanumeric, and must be unique on the system.

filesystem <mountpoint:device:fs_options>    Specifies the type and number of file systems to be created in the new boot environment. The mountpoint can be any valid mount point, or a hyphen (-) for swap, and fs_options can be swap or ufs. You cannot use Solaris Volume Manager volumes or Veritas Volume Manager objects. The device must be in the form /dev/dsk/cwtxdysz.

For a ZFS root pool, the bootenv keyword changes the characteristics of the default boot environment that is created at install time. This new boot environment is a copy of the root file system you are installing. The following options can be used when creating a ZFS root pool:

. installbe: Used to change the characteristics of the default boot environment that gets created during the installation.

. bename <name>: Specifies the name of the new boot environment.

. dataset <mountpoint>: Identifies a /var dataset that is separate from the ROOTdataset. The <mountpoint> value is limited to /var.

For example, to create a ZFS root pool with a boot environment named “zfsroot” and a sepa-rate /var dataset, use the following syntax:bootenv installbe bename zfsroot dataset /var

client_arch

client_arch indicates that the operating system server supports a platform group other than its own. If you do not specify client_arch, any diskless client that uses the operating system server must have the same platform group as the server. client_arch can be used only when system_type is specified as server. You must specify each platform group that you want the operating system server to support.

Here’s the client_arch syntax:

    client_arch karch_value [karch_value...]

Valid values for <karch_value> are sun4u and i86pc.

Here’s an example:

    client_arch sun4u

client_root

client_root defines the amount of root space, in MB, to allocate for each diskless client. If you do not specify client_root in a server’s profile, the installation software automatically allocates 15MB of root space per client. The size of the client root area is used in combination with the num_clients keyword to determine how much space to reserve for the /export/root file system. You can use the client_root keyword only when system_type is specified as server.

Here’s the syntax:

    client_root <root_size>

where <root_size> is specified in MB. Here’s an example:

    client_root 20

NOTE: Don’t waste space. When allocating root space, 20MB is an adequate size. 15MB is the minimum size required. Any more than 20MB is just wasting disk space.

client_swap

client_swap defines the amount of swap space, in MB, to allocate for each diskless client. If you do not specify client_swap, 32MB of swap space is allocated. Physical memory plus swap space must be a minimum of 32MB. If a class file does not explicitly specify the size of swap, the Solaris installation program determines the maximum size that the swap file can be, based on the system’s physical memory. The Solaris installation program makes the size of swap no more than 20% of the disk where it resides, unless free space is left on the disk after the other file systems are laid out.

Here’s the syntax:

    client_swap <swap_size>

where <swap_size> is specified in MB.

Here’s an example:

    client_swap 64

This example specifies that each diskless client has a swap space of 64MB.

cluster

cluster designates which software group to add to the system. Table 7.10 lists the software groups.

Table 7.10 Software Groups
Software Group                          group_name
Reduced network support                 SUNWCrnet
Core                                    SUNWCreq
End-user system support                 SUNWCuser
Developer system support                SUNWCprog
Entire distribution                     SUNWCall
Entire distribution plus OEM support    SUNWCXall

You can specify only one software group in a profile, and it must be specified before other cluster and package entries. If you do not specify a software group with cluster, the end-user software group, SUNWCuser, is installed on the system by default.

Here is cluster’s syntax:

    cluster <group_name>

Here’s an example:

    cluster SUNWCall

This example specifies that the Entire Distribution group should be installed.

The cluster keyword can also be used to designate whether a cluster should be added to or deleted from the software group that was installed on the system. add and delete indicate whether the cluster should be added or deleted. If you do not specify add or delete, add is set by default.

Here’s the syntax:

    cluster <cluster_name> [add | delete]

<cluster_name> must be in the form SUNWCname.


dontuse

dontuse designates one or more disks that you don’t want the Solaris installation program to use. By default, the installation program uses all the operational disks on the system. <disk_name> must be specified in the form c?t?d? or c?d?, such as c0t0d0.

Here’s the syntax:

    dontuse disk_name [disk_name...]

Here’s an example:

    dontuse c0t0d0 c0t1d0

NOTE: dontuse and usedisk. You cannot specify the usedisk keyword and the dontuse keyword in the same class file, because they are mutually exclusive.

filesys

filesys can be used to create local file systems during the installation by using this syntax:

    filesys <slice> <size> [file_system] [optional_parameters]

The values listed in Table 7.11 can be used for <slice>.

Table 7.11 <slice> Values
Value                 Description
any                   This variable tells the installation program to place the file system on any disk.
c?t?d?s? or c?d?s?    The disk slice where the Solaris installation program places the file system, such as c0t0d0s0.
rootdisk.sn           The variable that contains the value for the system’s root disk, which is determined by the Solaris installation program. The sn suffix indicates a specific slice on the disk.

The values listed in Table 7.12 can be used for <size>.

Table 7.12 <size> Values
Value             Description
num               The size of the file system in MB.
existing          The current size of the existing file system.
auto              The size of the file system is determined automatically, depending on the selected software.
all               The specified slice uses the entire disk for the file system. When you specify this value, no other file systems can reside on the specified disk.
free              The remaining unused space on the disk is used for the file system.
<start>:<size>    The file system is explicitly partitioned. <start> is the cylinder where the slice begins, and <size> is the number of cylinders for the slice.

file_system is an optional field when slice is specified as any or c?t?d?s?. If file_system is not specified, unnamed is set by default, but you can’t specify the optional_parameters value.

The values listed in Table 7.13 can be used for file_system.

Table 7.13 file_system Values
Value              Description
<mount_pt_name>    The file system’s mount point name, such as /opt.
<swap>             The specified slice is used as swap.
<overlap>          The specified slice is defined as a representation of the whole disk. overlap can be specified only when <size> is existing, all, or start:size.
<unnamed>          The specified slice is defined as a raw slice, so the slice does not have a mount point name. If file_system is not specified, unnamed is set by default.
<ignore>           The specified slice is not used or recognized by the Solaris installation program. This can be used to ignore a file system on a disk during an installation so that the Solaris installation program can create a new file system on the same disk with the same name. ignore can be used only when existing partitioning is specified.

In the following example, the size of swap is set to 512MB, and it is installed on c0t0d0s1:

    filesys c0t0d0s1 512 swap

In the next example, /usr is based on the selected software, and the installation program determines what disk to put it on when you specify the any value:

    filesys any auto /usr

The optional_parameters field can be one of the options listed in Table 7.14.

Table 7.14 optional_parameters Options
Option             Description
preserve           The file system on the specified slice is preserved. preserve can be specified only when size is existing and slice is c?t?d?s?.
<mount_options>    One or more mount options that are added to the /etc/vfstab entry for the specified <mount_pt_name>.


A new option to the filesys keyword in Solaris 10 is mirror, which facilitates the creation of RAID-1 volumes as part of the custom JumpStart installation. This facility allows the creation of mirrored file systems. You can issue this keyword more than once to create mirrors for different file systems.

NOTE: Only on initial install. The filesys mirror keyword is supported for only initial installations.

The syntax for the filesys mirror keyword is as follows:

    filesys mirror[:<name>] slice [<slice>] <size> <file_system> <optional_parameters>

Table 7.15 details the available options for the filesys mirror keyword.

Table 7.15 filesys mirror Options
Option                   Description
<name>                   An optional keyword allowing you to name the mirror. The naming convention follows metadevices in Solaris Volume Manager, in the format dxxx (where xxx is a number between 0 and 127); for example, d50. If a name is not specified, the custom JumpStart program assigns one for you.
<slice>                  Specifies the disk slice where the custom JumpStart program places the file system you want to duplicate with the mirror.
<size>                   The size of the file system in megabytes.
<file_system>            Specifies the file system you are mirroring. This can be any file system, including root (/) or swap.
<optional_parameters>    One or more mount options that are added to the /etc/vfstab entry for the specified <mount_pt_name>.

filesys can also be used to set up the installed system to mount remote file systems automatically when it starts up. You can specify filesys more than once. The following syntax describes using filesys to set up mounts to remote systems:

    filesys <server>:<path> <server_address> <mount_pt_name> [mount_options]

The filesys keywords are described in Table 7.16.


Table 7.16 filesys Remote Mount Keywords
Keyword             Description
<server>:           The name of the server where the remote file system resides. Don’t forget to include the colon (:).
<path>              The remote file system’s mount point name.
<server_address>    The IP address of the server specified in <server>:<path>. If you don’t have a name service running on the network, this value can be used to populate the /etc/hosts file with the server’s IP address, but you must specify a minus sign (-).
<mount_pt_name>     The name of the mount point where the remote file system will be mounted.
[mount_options]     One or more mount options that are added to the /etc/vfstab entry for the specified <mount_pt_name>. If you need to specify more than one mount option, the mount options must be separated by commas and no spaces. An example is ro,quota.

Here’s an example:

    filesys zeus:/export/home/user1 192.9.200.1 /home ro,bg,intr

forced_deployment

This keyword forces a Solaris Flash differential archive to be installed on a clone system even though the clone system is different from what the software expects. This option deletes files to bring the clone system to an expected state, so it should be used with caution.

install_type

install_type specifies whether to perform the initial installation option or the upgrade option on the system. install_type must be the first class file keyword in every profile.

Here is the syntax:

    install_type [initial_install | upgrade]

Select one of initial_install, upgrade, flash_install, or flash_update.

For a ZFS installation, only the initial_install keyword can be used.

Here’s an example:

    install_type initial_install

geo

The geo keyword followed by a <locale> designates the regional locale or locales you want to install on a system (or to add when upgrading a system). The syntax is:

    geo <locale>


Values you can specify for <locale> are listed in Table 7.17.

Table 7.17 <locale> Values
Value        Description
N_Africa     Northern Africa, including Egypt
C_America    Central America, including Costa Rica, El Salvador, Guatemala, Mexico, Nicaragua, and Panama
N_America    North America, including Canada and the United States
S_America    South America, including Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Paraguay, Peru, Uruguay, and Venezuela
Asia         Asia, including Japan, Republic of China, Republic of Korea, Taiwan, and Thailand
Ausi         Australasia, including Australia and New Zealand
C_Europe     Central Europe, including Austria, Czech Republic, Germany, Hungary, Poland, Slovakia, and Switzerland
E_Europe     Eastern Europe, including Albania, Bosnia, Bulgaria, Croatia, Estonia, Latvia, Lithuania, Macedonia, Romania, Russia, Serbia, Slovenia, and Turkey
N_Europe     Northern Europe, including Denmark, Finland, Iceland, Norway, and Sweden
S_Europe     Southern Europe, including Greece, Italy, Portugal, and Spain
W_Europe     Western Europe, including Belgium, France, Great Britain, Ireland, and the Netherlands
M_East       Middle East, including Israel

Refer to the “International Language Environments Guide” in the “Solaris 10 International Language Support Collection” for a complete listing of <locale> values. This guide is available on the Solaris 10 documentation CD, or online at http://docs.sun.com.

Here’s an example where the locale specified is S_America:

    geo S_America

layout_constraint

layout_constraint designates the constraint that auto-layout has on a file system if it needs to be reallocated during an upgrade because of space problems. layout_constraint can be used for the upgrade option only when disk space reallocation is required.

With layout_constraint, you specify the file system and the constraint you want to put on it.

Here’s the syntax:

    layout_constraint <slice> <constraint> [minimum_size]

The <slice> field specifies the file system disk slice on which to specify the constraint. It must be specified in the form c?t?d?s? or c?d?s?.


Table 7.18 describes the options for layout_constraint.

Table 7.18 layout_constraint Options
Option          Description
changeable      Auto-layout can move the file system to another location and can change its size. You can change the file system’s size by specifying the minimum_size value. When you mark a file system as changeable and minimum_size is not specified, the file system’s minimum size is set to 10% greater than the minimum size required. For example, if the minimum size for a file system is 1000MB, the changed size would be 1010MB. If minimum_size is specified, any free space left over (the original size minus the minimum size) is used for other file systems.
movable         Auto-layout can move the file system to another slice on the same disk or on a different disk, and its size stays the same.
available       Auto-layout can use all the space on the file system to reallocate space. All the data in the file system is then lost. This constraint can be specified only on file systems that are not mounted by the /etc/vfstab file.
collapse        Auto-layout moves (collapses) the specified file system into its parent file system. You can use this option to reduce the number of file systems on a system as part of the upgrade. For example, if the system has the /usr and /usr/openwin file systems, collapsing the /usr/openwin file system would move it into /usr (its parent).
minimum_size    This value lets you change the size of a file system by specifying the size you want it to be after auto-layout reallocates. The size of the file system might end up being more if unallocated space is added to it, but the size is never less than the value you specify. You can use this optional value only if you have marked a file system as changeable. The minimum_size cannot be less than the file system needs for its existing contents.

The following are some examples:

    layout_constraint c0t0d0s3 changeable 1200

The file system c0t0d0s3 can be moved to another location, and its size can be changed to more than 1200MB but no less than 1200MB.

    layout_constraint c0t0d0s4 movable

The file system on slice c0t0d0s4 can move to another disk slice, but its size stays the same.

    layout_constraint c0t2d0s1 collapse

c0t2d0s1 is moved into its parent directory to reduce the number of file systems.


local_customization

This keyword is used when installing Solaris Flash Archives and can be used to create custom scripts to preserve local configurations on a clone system before installing a Solaris Flash Archive. The syntax for this option is:

    local_customization local_directory

The local_directory parameter specifies the directory on the clone system where any scripts are held.

locale

locale designates which language or locale packages should be installed for the specified locale_name. A locale determines how online information is displayed for a specific language or region, such as date, time, spelling, and monetary value. Therefore, if you want English as your language but you also want to use the monetary values for Australia, you would choose the Australia locale value (en_AU) instead of the English language value (.

The English language packages are installed by default. You can specify a locale keyword for each language or locale you need to add to a system.

Following is the locale syntax:

    locale <locale_name>

Here’s an example:

    locale es

This example specifies Spanish as the language package you want installed.

metadb

The metadb keyword allows you to create Solaris Volume Manager state database replicas as part of the custom JumpStart installation. You can use this keyword more than once to create state database replicas on several disk slices.

The syntax for this keyword is shown here:

    metadb slice [size <size-in-blocks>] [count <number-of-replicas>]

Table 7.19 describes the options for metadb.


Table 7.19 metadb Options
Option                        Description
slice                         The disk slice on which you want to place the state database replica. It must be in the format cwtxdysz.
size <size-in-blocks>         The number of blocks specifying the size of the replica. If this option is omitted, a default size of 8192 is allocated.
count <number-of-replicas>    The number of replicas to create. If this option is omitted, three replicas are created by default.

no_content_check

This keyword is used when installing Solaris Flash Archives. When specified, it ignores file-by-file validation, which is used to ensure that a clone system is a duplicate of the master system. Use this option only if you are sure the clone is a duplicate of the master system, because files are deleted to bring the clone to an expected state if discrepancies are found.

no_master_check

This keyword is used when installing Solaris Flash Archives. When specified, it ignores the check to verify that a clone system was built from the original master system. Use this option only if you are sure the clone is a duplicate of the original master system.

num_clients

When a server is installed, space is allocated for each diskless client’s root (/) and swap file systems. num_clients defines the number of diskless clients that a server supports. If you do not specify num_clients, five diskless clients are allocated. You can use this option only when system_type is set to server.

Following is the syntax:

    num_clients client_num

Here’s an example:

    num_clients 10

In this example, space is allocated for 10 diskless clients.

package

package designates whether a package should be added to or deleted from the software group that is installed on the system. add or delete indicates the action required. If you do not specify add or delete, add is set by default.

Following is the syntax:

    package <package_name> [add [<retrieval_type> location] | delete]


The <package_name> must be in the form SUNWname.

The <retrieval_type> parameter can be one of the following:

. NFS

. HTTP or HTTPS

. Local device

. Local file

The syntax for a package located on an NFS server is as follows:

    package <package_name> add nfs server_name:/path <retry n>

where <retry n> specifies the maximum number of attempts to mount the directory.

The syntax for a package located on an HTTP or HTTPS server is as follows:

    package <package_name> add http://server_name:port/path <optional keywords>
    package <package_name> add https://server_name:port/path <optional keywords>

Table 7.20 lists the optional keywords that can be used with this option.

Table 7.20 HTTP package Optional Keywords
Keyword                Description
timeout <min>          Specifies the maximum time, in minutes, that is allowed to elapse without receiving data from the HTTP server.
proxy <host>:<port>    Specifies a proxy host and port. The proxy option can be used when you need to access a package from the other side of a firewall. The <port> value must be supplied.

The syntax for a package located on a local device is as follows:

    package <package_name> add <local_device> <device> <path> <file_system_type>

The syntax for a package located in a local file is as follows:

    package <package_name> add <local_file> <path>

All that is needed for this option is to specify the full pathname to the directory containing the package.

Here’s an example:

    package SUNWxwman add nfs server1:/var/spool/packages retry 5

In this example, SUNWxwman (X Window online man pages) is being installed on the system from a location on a remote NFS server.


partitioning

partitioning defines how the disks are divided into slices for file systems during the installation. If you do not specify partitioning, the default is set.

Following is the syntax:

    partitioning default|existing|explicit

The partitioning options are described in Table 7.21.

Table 7.21 partitioning Options
Option      Description
default     The Solaris installation program selects the disks and creates the file systems where the specified software is installed. Except for any file systems specified by the filesys keyword, rootdisk is selected first. Additional disks are used if the specified software does not fit on rootdisk.
existing    The Solaris installation program uses the existing file systems on the system’s disks. All file systems except /, /usr, /usr/openwin, /opt, and /var are preserved. The installation program uses the last mount point field from the file system superblock to determine which file system mount point the slice represents. When you specify the filesys class file keyword with partitioning, existing must be specified.
explicit    The Solaris installation program uses the disks and creates the file systems specified by the filesys keywords. If you specify only the root (/) file system with the filesys keyword, all the Solaris software is installed in the root file system. When you use the explicit class file value, you must use the filesys class file keyword to specify which disks to use and what file systems to create.

pool

The pool keyword is used for ZFS only and defines the new root pool to be created. The syntax for this keyword is as follows:

    pool <poolname> <poolsize> <swapsize> <dumpsize> <vdevlist>

where <poolname> is the name of the new ZFS pool to be created.

The <poolsize>, <swapsize>, <dumpsize>, and <vdevlist> options, described in the following list, are required:

. <poolsize>: A value specifying the size of the new pool to be created. The size is assumed to be in megabytes unless g or auto is specified. auto allocates the largest possible pool size on the device.

. <swapsize>: A value specifying the size of the swap volume (zvol). The options are auto and size. When using auto, the swap area is automatically sized. The default size is one half the size of physical memory, but no less than 512MB and no greater than 2GB. You can set the size outside this range by using the size option. size is assumed to be in megabytes, unless specified by g (gigabytes).

. <dumpsize>: Specifies the size of the dump volume that will be created within the new root pool. Use the auto option to use the default swap size, or specify a custom size using the size option.

. <vdevlist>: Specifies the devices used to create the pool. Devices in the vdevlist must be slices for the root pool. vdevlist can be either a <single-device-name> in the form c#t#d#s#, or mirror or any option:

  . <single-device-name>: A disk slice in the form c#t#d#s#, such as c0t0d0s0.

  . mirror <device-names>: Specifies the mirroring of the disk. The device names are in the form of c#t#d#s#.

  . mirror any: Enables the installer to select a suitable device.

The following example creates a new 20GB root pool on device c0t0d0s0; the swap and dump volumes are 4GB each:

    pool rpool 20G 4G 4G c0t0d0s0

The following example installs a mirrored ZFS root pool. The root pool is named “rootpool,” the disk slice is 80GB, and the swap and dump volumes are 2GB each. The root pool will be mirrored and will use any two available devices that are large enough to create an 80GB pool:

    pool rootpool 80g 2g 2g mirror any any

This example is the same as the previous one, except that the disk devices are specified:

    pool rootpool 80g 2g 2g mirror c0t0d0s0 c1t0d0s0

This example creates a new root pool named “rootpool.” The size of the pool is determined automatically by the size of the disks, the swap is sized automatically (half of physical memory), the dump device is sized automatically, and the mirror is set up on devices c0t0d0s0 and c1t0d0s0:

    pool rootpool auto auto auto mirror c0t0d0s0 c0t1d0s0

patch

patch specifies the patch ID numbers that are to be installed. The list should be a list of comma-separated Solaris patch IDs (no spaces). The patches are installed in the order specified in the list. The syntax for this keyword is as follows:

    patch <patchid_list>

or

    patch <patch_file> <patch_location> <optional_keywords>

where:

. <patchid_list>: Specifies the patch ID numbers that are to be installed.

. <patch_file>: A file that contains a list of patches that are found in the <patch_location>.

. <patch_location>: Specifies the location where the patches are found. This location can be an NFS server, HTTP server, local device, or local file.

. <optional_keywords>: Optional keywords that depend on where the patches are stored. Refer to “Solaris 10 Installation Guide: JumpStart and Advanced Installations” for a list of keywords.

root_device

root_device designates the system’s root disk.

Following is the syntax:

    root_device <slice>

Here’s an example:

    root_device c0t0d0s0

system_type

system_type defines the type of system being installed. If you do not specify system_type in a class file, standalone is set by default.

Following is the syntax:

    system_type [standalone | server]

Here’s an example:

    system_type server

NOTE: Specifying mirrors. If you are upgrading a RAID-1 (mirror) volume, the slice you specify should be one side of the mirror. The other side will be upgraded automatically.


usedisk

usedisk designates one or more disks that you want the Solaris installation program to use when the partitioning default is specified. By default, the installation program uses all the operational disks on the system. disk_name must be specified in the form c?t?d? or c?d?, such as c0t0d0. If you specify the usedisk class file keyword in a class file, the Solaris installation program uses only the disks that you specify.

Following is the syntax:

    usedisk <disk_name> [<disk_name>]

Here’s an example:

    usedisk c0t0d0 c0t1d0

NOTE: dontuse and usedisk. You cannot specify the usedisk keyword and the dontuse keyword in the same class file, because they are mutually exclusive.
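Several of the keyword descriptions above state ordering and exclusivity rules (install_type first, one software group before other cluster and package entries, server-only keywords, usedisk versus dontuse, filesys required with partitioning explicit). The following Python linter is an added example, not code from the book or from Sun; it checks only those stated rules, assumes # starts a comment in a profile, and both sample profiles are constructed.

```python
"""Static checks for a custom JumpStart class file (profile)."""

SOFTWARE_GROUPS = {"SUNWCrnet", "SUNWCreq", "SUNWCuser",
                   "SUNWCprog", "SUNWCall", "SUNWCXall"}  # Table 7.10
INSTALL_TYPES = {"initial_install", "upgrade", "flash_install", "flash_update"}
SERVER_ONLY = {"client_arch", "client_root", "num_clients"}
# Flash keywords described as forcing an install or skipping clone checks.
CAUTION = {"forced_deployment", "no_content_check", "no_master_check"}


def parse_profile(text):
    """Return [(line_no, keyword, args)]; skips blank lines and # comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # assumption: # begins a comment
        if fields:
            entries.append((line_no, fields[0], fields[1:]))
    return entries


def lint_profile(text):
    """Return a sorted list of (line_no, severity, message) findings."""
    entries = parse_profile(text)
    if not entries:
        return [(0, "error", "profile contains no keywords")]
    findings = []
    keywords = [kw for _, kw, _ in entries]

    def value_of(keyword, default=None):
        # First argument of the first occurrence of a keyword.
        return next((a[0] for _, k, a in entries if k == keyword and a), default)

    first_line, first_kw, _ = entries[0]
    if first_kw != "install_type":
        findings.append((first_line, "error", "install_type must be the first keyword"))
    install_type = value_of("install_type")
    if install_type not in INSTALL_TYPES:
        findings.append((first_line, "error", "install_type missing or not a listed value"))
    system_type = value_of("system_type", "standalone")  # stated default

    group_seen = other_software_seen = False
    for line_no, kw, args in entries:
        if kw in SERVER_ONLY and system_type != "server":
            findings.append((line_no, "error", kw + " requires system_type server"))
        elif kw in CAUTION:
            findings.append((line_no, "warning",
                             kw + " bypasses a Flash clone safety check; confirm it is intended"))
        elif kw == "cluster" and args and args[0] in SOFTWARE_GROUPS:
            if group_seen:
                findings.append((line_no, "error", "only one software group is allowed"))
            if other_software_seen:
                findings.append((line_no, "error",
                                 "software group must precede other cluster and package entries"))
            group_seen = True
        elif kw in ("cluster", "package"):
            other_software_seen = True
        elif kw == "filesys" and args and args[0].split(":")[0] == "mirror":
            if install_type != "initial_install":
                findings.append((line_no, "error",
                                 "filesys mirror needs install_type initial_install"))
        elif kw == "layout_constraint" and install_type != "upgrade":
            findings.append((line_no, "error", "layout_constraint is for upgrade only"))
        elif kw == "bootenv" and args[:1] == ["createbe"] and "bename" in args[1:-1]:
            name = args[args.index("bename") + 1]
            if len(name) > 30 or not name.isalnum():
                findings.append((line_no, "error",
                                 "bename must be alphanumeric, at most 30 characters"))

    if "usedisk" in keywords and "dontuse" in keywords:
        line_no = max(n for n, k, _ in entries if k in ("usedisk", "dontuse"))
        findings.append((line_no, "error", "usedisk and dontuse are mutually exclusive"))
    if value_of("partitioning") == "explicit" and "filesys" not in keywords:
        line_no = next(n for n, k, _ in entries if k == "partitioning")
        findings.append((line_no, "error", "partitioning explicit requires filesys entries"))
    return sorted(findings)


# Constructed sample profiles (not from the book).
BAD_PROFILE = """\
# deliberately breaks several rules
partitioning explicit
install_type flash_update
client_root 20
package SUNWxwman add
cluster SUNWCuser
usedisk c0t0d0
dontuse c0t1d0
no_content_check
filesys mirror:d10 c0t0d0s0 c0t1d0s0 4096 /
"""

GOOD_PROFILE = """\
install_type initial_install
system_type server
num_clients 10
client_root 20
cluster SUNWCall
package SUNWxwman add nfs server1:/var/spool/packages retry 5
partitioning explicit
filesys c0t0d0s1 512 swap
filesys c0t0d0s0 free /
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_PROFILE), ("good", GOOD_PROFILE)):
        for line_no, severity, message in lint_profile(text):
            print("%s:%d: %s: %s" % (name, line_no, severity, message))
```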

Testing Class Files

After you create a class file, you can use the pfinstall command to test it. Testing a class file is sometimes called a dry run installation. By looking at the installation output generated by pfinstall, you can quickly determine whether a class file will do what you expect. For example, you can determine whether a system has enough disk space to upgrade to a new release of Solaris before you actually perform the upgrade.

To test a class file for a particular Solaris release, you must test it within the Solaris environment of the same release. For example, if you want to test a class file for Solaris 10, you have to run the pfinstall command on a system running Solaris 10.

To test the class file, change to the JumpStart directory that contains the class file, and type the following:

    # /usr/sbin/install.d/pfinstall -d <disk_config><cr>

or type the following:

    # /usr/sbin/install.d/pfinstall -D<cr>

NOTE: Install or test? Without the -d or -D option, pfinstall actually installs the Solaris software on the system by using the specified class file, and the data on the system is overwritten.


Following is the syntax for pfinstall:

    /usr/sbin/install.d/pfinstall [-D|-d] <disk_config> [-c <path>] <profile>

The pfinstall options are described in Table 7.22.

Table 7.22 pfinstall Options
Option              Description
-D                  Tells pfinstall to use the current system’s disk configuration to test the class file against.
-d <disk_config>    Tells pfinstall to use a disk configuration file, <disk_config>, to test the class file against. If the <disk_config> file is not in the directory where pfinstall is run, you must specify the path. This option cannot be used with an upgrade class file (an install-type upgrade). You must always test an upgrade class file against a system’s disk configuration using the -D option. A disk configuration file represents a disk’s structure. It describes a disk’s bytes per sector, flags, and slices. See the example following this table of how to create the <disk_config> file.
-c <path>           Specifies the path to the Solaris CD image. This is required if the Solaris CD is not mounted on /cdrom. For example, use this option if the system is using Volume Manager to mount the Solaris CD.
<profile>           Specifies the name of the class file to test. If the class file is not in the directory where pfinstall is being run, you must specify the path.

You can create a <disk_config> file by issuing the following command:

    prtvtoc /dev/rdsk/<device_name> > <disk_config>

where /dev/rdsk/<device_name> is the device name of the system’s disk. <device_name> must be in the form c?t?d?s2 or c?d?s2. <disk_config> is the name of the disk configuration file to contain the redirected output.


Identifying disks c?t?d?s2 designates a specific target for a SCSI disk, and c?d?s2 designates anon-SCSI disk.

NOTE

Here’s an example:# prtvtoc /dev/rdsk/c0t0d0s2 > test<cr>

The file named “test” created by this example would be your <disk_config> file, and it wouldlook like this:* /dev/rdsk/c0t0d0s2 partition map*


* Dimensions:
*     512 bytes/sector
*     126 sectors/track
*       4 tracks/cylinder
*     504 sectors/cylinder
*    4106 cylinders
*    4104 accessible cylinders
*
* Flags:
*   1: unmountable
*  10: read-only
*
*                          First     Sector    Last
* Partition  Tag  Flags    Sector     Count    Sector  Mount Directory
       0      2    00          0    268632    268631   /
       1      3    01     268632    193032    461663
       2      5    00          0   2068416   2068415
       3      0    00     461664    152712    614375   /export
       4      0    00     614376    141624    755999   /export/swap
       6      4    00     756000   1312416    068415   /usr

The following example tests the ultra_class class file against the disk configuration on a Solaris 10 system on which pfinstall is being run. The ultra_class class file is located in the /export/jumpstart directory, and the path to the Solaris CD image is specified because Volume Management is being used.

In addition, if you want to test the class file for a system with a specific system memory size, set SYS_MEMSIZE to the specific memory size in MB. For this example, I’ll set SYS_MEMSIZE to 512MB:

# SYS_MEMSIZE=512<cr>
# export SYS_MEMSIZE<cr>
# cd /export/jumpstart<cr>
# /usr/sbin/install.d/pfinstall -D -c /cdrom/cdrom0/s0 ultra_class<cr>

The system tests the class file and displays several pages of results. Look for the following message, which indicates that the test was successful:

Installation complete
Test run complete. Exit status 0.

NOTE

Multiple disks: If you want to test installing Solaris software on multiple disks, concatenate single disk configuration files and save the output to a new file.


sysidcfg File

When a SPARC-based JumpStart client boots for the first time, the booting software first tries to obtain the system identification information from either the sysidcfg file or a name service. The identification information and the configurable sources are described in Table 7.23.

Table 7.23 JumpStart Client Identification Information

JumpStart Client        Configurable Using     Configurable Using
Identification Item     the sysidcfg File?     a Name Service?

Name service            Yes                    Yes
Domain name             Yes                    No
Name server             Yes                    No
Network interface       Yes                    No
Hostname                Yes                    Yes
IP address              Yes                    Yes
Netmask                 Yes                    Yes
DHCP                    Yes                    No
IPv6                    Yes                    No
Default router          Yes                    No
Root password           Yes                    Yes if NIS or NIS+
Security policy         Yes                    No if DNS or LDAP
Locale                  Yes                    No
Terminal type           Yes                    Yes
Time zone               Yes                    Yes
Date and time           Yes                    No
Power management        No                     No
Service profile         Yes                    No
Terminal type           Yes                    No
Date and time           Yes                    Yes
Timeserver              Yes                    No
Keyboard                Yes                    No
NFS4 domain             Yes                    No

The JumpStart client determines the location of the sysidcfg file from the BOOTPARAMS information provided by the boot server. The location of the sysidcfg file was specified when you set up the JumpStart client on the boot server using the add_install_client script. If you’re not using a name service, you’ll use the sysidcfg file to answer system identification questions during the initial part of the installation. If you’re using a name service, you’ll want to look over the section “Setting Up JumpStart in a Name Service Environment.”

You’ll use the sysidcfg file to answer system identification questions during the initial part of the installation. If the JumpStart server provides this information, the client bypasses the initial system identification portion of the Solaris 10 installation process. Without the sysidcfg file, the client displays the appropriate interactive dialog to request system identification information. You must create a unique sysidcfg file for every system that requires different configuration information.

The sysidcfg file can reside on a shared NFS directory or the root (/) directory on a UFS file system. It can also reside on a PCFS file system located on a diskette. Only one sysidcfg file can reside in a directory or on a diskette. The location of the sysidcfg file is specified by the -p argument to the add_install_client script used to create a JumpStart client information file.

Creating a sysidcfg file requires the system administrator to specify a set of keywords in the sysidcfg file to preconfigure a system. You use two types of keywords in the sysidcfg file: independent and dependent. Here’s an example illustrating independent and dependent keywords:

name_service=NIS {domain_name=pyramid.com name_server=server(192.168.0.1)}

In this example, name_service is the independent keyword, and domain_name and name_server are the dependent keywords.

To help explain sysidcfg keywords, we’ll group them in categories and describe each of them in detail.

Name Service, Domain Name, and Name Server Keywords

The following keywords are related to the name service you will be using.

The name_service=<value> keyword is assigned one of five values that specify the name service to be used: NIS, NIS+, LDAP, DNS, and NONE:

. NIS or NIS+: If you are using NIS as your name service, for example, specify the following:

name_service=NIS

For the NIS and NIS+ values, additional keywords are specified:

domain_name=<value>

The domain <value> in the previous line is the domain name, such as pyramid.com.

name_server=<value>

The name_server <value> is the hostname or IP address for the name server. For the name_server <value>, you can specify up to three IP addresses for the name_server. For example:

name_server=192.168.0.1,192.168.0.2,192.168.0.3

NOTE

Dependent keywords: Enclose all dependent keywords in curly braces ({ }) to tie them to their associated independent keyword. Values can optionally be enclosed in single quotes (') or double quotes (").

. DNS: If you are using DNS for the name_service <value>, specify the following:

name_service=DNS

Then you need to specify the following additional dependent keywords:

domain_name=<value>

Enter the domain name for the domain_name <value>. For example, if the domain name is pyramid.com, specify it as follows:

domain_name=pyramid.com

For the name_server <value>, you can specify up to three IP addresses for the name_server. For example:

name_server=192.168.0.1,192.168.0.2,192.168.0.3

The search option adds the values to the search path to use for DNS queries. Specify the following:

search=<value>

where <value> is the search entry, which cannot exceed 250 characters. Here’s a sample DNS search entry:

search=pyramid.com,east.pyramid.com,west.pyramid.com

. LDAP: If you are using LDAP for the name_service <value>, specify the following:

name_service=LDAP

Then you need to specify the following additional dependent keywords:

domain_name=<value>

Enter the domain name for the domain_name <value>. For example, if the domain name is pyramid.com, specify it as follows:

domain_name=pyramid.com


The profile parameter can also be specified to identify an LDAP profile to use. Specify this as follows:

profile=<value>

where <value> is the profile name.

The profile server identifies the IP address of the profile server from which the LDAP profile can be obtained. Specify this as follows:

profile_server=<value>

where <value> is the IP address of the profile server.

Here’s an example LDAP entry with its dependent keywords:

name_service=LDAP
{domain_name=west.pyramid.com
profile=default
profile_server=192.168.0.100}

Network-Related Keywords

Network-related keywords relate to the network interface to be used. Specify this item as follows:

network_interface=<value>

Specify a <value> for the interface to be configured. You can enter a specific interface, such as eri0, or you can enter NONE (if there are no interfaces to configure) or PRIMARY (to select the primary interface):

network_interface=eri0

If you are not using DHCP, the dependent keywords for a PRIMARY interface are as follows:

hostname=<hostname>
ip_address=<ip_address>
netmask=<netmask value>
default_route=<ip_address>
protocol_ipv6=<yes or no>

For example, if your primary network interface is named eri0, here’s a sample sysidcfg file:

network_interface=eri0
{primary hostname=client1
ip_address=192.168.0.10
netmask=255.255.255.0
default_route=192.168.0.1
protocol_ipv6=no}


If you are using DHCP, the only keywords available are the following:

dhcp protocol_ipv6=<yes or no>

For example, here’s a sample entry:

network_interface=eri0
{primary dhcp protocol_ipv6=no}

Whether using DHCP or not, the protocol_ipv6 keyword is optional.


NOTE

Multiple interfaces allowed: You can now enter multiple network interfaces into the sysidcfg file; just specify a separate network_interface entry for each one to be included.

Setting the Root Password

The root password keyword is

root_password=<encrypted passwd>

The value for <encrypted passwd> is taken from the /etc/shadow file. For example, an entry might look like this:

root_password=XbcjeAgl8jLeI

The following is the security related keyword:

security_policy=<value>

where <value> is either KERBEROS or NONE.

When specifying the KERBEROS value, you also need to specify the following dependent keywords:

default_realm=<fully qualified domain name>
admin_server=<fully qualified domain name>
kdc=<value>

where <value> can list a maximum of three key distribution centers (KDCs) for a security_policy keyword. At least one is required. Here’s an example using the security_policy keyword:

security_policy=kerberos
{default_realm=pyramid.com
admin_server=krbadmin.pyramid.com
kdc=kdc1.pyramid.com,kdc2.pyramid.com}


Setting the System Locale, Terminal, Time Zone, and Time Server

The keyword used to set the system locale is

system_locale=<value>

where <value> is an entry from the /usr/lib/locale directory. The following example sets the value to English:

system_locale=en_US

The keyword to set the terminal type is as follows:

terminal=<terminal_type>

where <terminal_type> is an entry from the /usr/share/lib/terminfo database. The following example sets the terminal type to vt100:

terminal=vt100

The keyword to set the time zone is as follows:

timezone=<timezone>

where <timezone> is an entry from the /usr/share/lib/zoneinfo directory. The following entry sets the time zone to Eastern Standard Time:

timezone=EST

The keyword to set the time server is as follows:

timeserver=<value>

where <value> can be LOCALHOST, HOSTNAME, or IP_ADDRESS. The following example sets the time server to be the localhost:

timeserver=localhost

The following rules apply to keywords in the sysidcfg file:

. Keywords can be in any order.

. Keywords are not case-sensitive.

. Keyword values can be optionally enclosed in single quotes (').

. Only the first instance of a keyword is valid; if you specify the same keyword more than once, the first keyword specified is used.

The following is a sample sysidcfg file, located in the configuration directory named /export/jumpstart:


system_locale=en_US
timezone=EST
timeserver=localhost
terminal=vt100
name_service=NONE
security_policy=none
root_password=XbcjeAgl8jLeI
nfs4_domain=dynamic
network_interface=eri0 {primary hostname=sunfire ip_address=192.168.1.10\
protocol_ipv6=no netmask=255.255.255.0}
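The keyword rules above (case-insensitive keywords, optional quotes, dependent keywords in braces, first instance wins, one network_interface entry per interface) and the stated limits can be checked before a client ever boots. The following Python sketch is an added example, not part of the book or of Solaris; the function names and the sample input are assumptions made for illustration, and the root_password check relies on the fact that a 13-character value such as the one shown is a traditional DES crypt hash that sits in clear in a file served to install clients.

```python
import re

# Constructed sample: the page's sysidcfg keywords, with a repeated timezone,
# a fourth name server and a dhcp/static mix added so the checks have work to do.
SAMPLE = """\
system_locale=en_US
timezone=EST
timezone=PST
name_service=DNS {domain_name=pyramid.com
    name_server=192.168.0.1,192.168.0.2,192.168.0.3,192.168.0.4
    search=pyramid.com,east.pyramid.com}
security_policy=none
root_password=XbcjeAgl8jLeI
network_interface=eri0 {primary hostname=sunfire ip_address=192.168.1.10
    protocol_ipv6=no netmask=255.255.255.0}
network_interface=eri1 {dhcp ip_address=192.168.2.10}
"""

# A brace, a keyword=value pair (value optionally quoted), or a bare flag.
TOKEN = re.compile(r"""[{}]|[^\s{}=]+=(?:'[^']*'|"[^"]*"|[^\s{}]*)|[^\s{}]+""")
REPEATABLE = {"network_interface"}      # one entry per interface is allowed
NAME_SERVICES = {"NIS", "NIS+", "LDAP", "DNS", "NONE"}
STATIC_KEYS = {"hostname", "ip_address", "netmask", "default_route"}
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")   # traditional crypt(3) format


def _pair(token):
    """Split keyword=value; keywords are case-insensitive, quotes optional."""
    key, sep, value = token.partition("=")
    if not sep:
        return key.lower(), True            # bare flag such as primary or dhcp
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]
    return key.lower(), value


def parse_sysidcfg(text):
    """Return (config, ignored). config maps keyword -> [(value, dependents)]."""
    tokens, config, ignored, i = TOKEN.findall(text), {}, [], 0
    while i < len(tokens):
        if tokens[i] in ("{", "}") or "=" not in tokens[i]:
            raise ValueError(f"expected keyword=value, got {tokens[i]!r}")
        key, value = _pair(tokens[i])
        i += 1
        deps = {}
        if i < len(tokens) and tokens[i] == "{":
            i += 1
            while i < len(tokens) and tokens[i] != "}":
                if tokens[i] == "{":
                    raise ValueError(f"nested brace under {key}")
                dkey, dval = _pair(tokens[i])
                deps.setdefault(dkey, dval)
                i += 1
            if i == len(tokens):
                raise ValueError(f"unclosed brace under {key}")
            i += 1                           # skip the closing brace
        if key in config and key not in REPEATABLE:
            ignored.append(key)              # only the first instance is used
        else:
            config.setdefault(key, []).append((value, deps))
    return config, ignored


def _csv(value):
    return [item for item in str(value or "").split(",") if item]


def audit(config, ignored):
    """Apply the limits the page states; return a list of findings."""
    out = [f"{key}: repeated, later instance ignored" for key in ignored]
    ns, ns_deps = config.get("name_service", [("", {})])[0]
    if ns and ns.upper() not in NAME_SERVICES:
        out.append(f"name_service: unknown value {ns}")
    if len(_csv(ns_deps.get("name_server"))) > 3:
        out.append("name_server: more than three addresses")
    if len(str(ns_deps.get("search", ""))) > 250:
        out.append("search: longer than 250 characters")
    policy, pol_deps = config.get("security_policy", [("", {})])[0]
    if policy.upper() == "KERBEROS":
        if not 1 <= len(_csv(pol_deps.get("kdc"))) <= 3:
            out.append("kdc: one to three KDCs are required")
    elif policy and policy.upper() != "NONE":
        out.append(f"security_policy: unknown value {policy}")
    for iface, deps in config.get("network_interface", []):
        clash = sorted(STATIC_KEYS & deps.keys())
        if "dhcp" in deps and clash:
            out.append(f"{iface}: dhcp set together with {', '.join(clash)}")
    if "root_password" not in config:
        out.append("root_password: not set in this file")
    elif DES_CRYPT.fullmatch(str(config["root_password"][0][0])):
        out.append("root_password: 13-character DES crypt hash, "
                   "limit who can read this file")
    return out


if __name__ == "__main__":
    for finding in audit(*parse_sysidcfg(SAMPLE)):
        print(finding)
```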

Setting Up JumpStart in a Name Service Environment

As stated in the previous section, you can use the sysidcfg file to answer system identification questions during the initial part of installation regardless of whether a name service is used. When the sysidcfg file is used with the NIS naming service, identification parameters such as locale and time zone can be provided from the name service. The sysidcfg file necessary for installing a JumpStart client on a network running the NIS name service is typically much shorter, and a separate sysidcfg file for each client is unnecessary.

You’ll use the /etc/locale, /etc/timezone, /etc/hosts, /etc/ethers, and /etc/netmasks files as the source for creating NIS databases to support JumpStart client installations. See Chapter 5 for more information on NIS and how to create NIS maps.

Setting Up Clients

Now you need to set up the clients to install over the network. After setting up the /export/jumpstart directory and the appropriate files, use the add_install_client command on the install server to set up remote workstations to install Solaris from the install server. The command syntax for the add_install_client command is as follows:

add_install_client [-e <ethernet_addr>] [-i <ip_addr>] \
[-s <install_svr:/dist>] [-c <config_svr:/config_dir>] \
[-p <sysidcfg_svr/sysid_config_dir>] <host_name> <platform group>

add_install_client -d [-s <install_svr:/dist>] [-c \
<config_svr:/config_dir>] [-p <sysidcfg_svr/sysid_config_dir>] \
[-t install_boot_image_path] <platform_name> <platform group>

The add_install_client options are described in Table 7.24.


Table 7.24 add_install_client Options

Option                                 Description

-d                                     Specifies that the client is to use DHCP to obtain the network install parameters. This option must be used for PXE clients to boot from the network.

-e <ethernet_addr>                     Specifies the Ethernet address of the install client and is necessary if the client is not defined in the name service.

-i <ip_addr>                           Specifies the IP address of the install client and is necessary if the client is not defined in the name service.

-s <install_svr:/dist>                 Specifies the name of the install server (install_svr) and the path to the Solaris 10 operating environment distribution (/dist). This option is necessary if the client is being added to a boot server.

-p <sysidcfg_svr/sysid_config_dir>     Specifies the configuration server (sysidcfg_svr) and the path to the sysidcfg file (/sysidcfg_dir).

-t <install_boot_image_path>           Allows you to specify an alternate miniroot.

<host_name>                            The hostname for the install client.

-c <config_svr:/config_dir>            Specifies the configuration server (config_svr) and path (/config_dir) to the configuration directory.

<platform_name>                        Specifies the platform group to be used. Determine the platform group of the client by running uname -i. For a Sunfire box, this would be set to SUNW, UltraAX-i2.

<platform_group>                       Specifies the client’s architecture of the systems that use <servername> as an install server.

For additional options to the add_install_client command, see the Solaris online manual pages.

In Step By Step 8.5, you’ll create a JumpStart client that will boot from a system that is configured as both the boot and install server. In addition, the entire Solaris 10 media is copied to the local disk.


STEP BY STEP 8.5 Creating a JumpStart Client


NOTE

Sample setup: In the following steps, the following associations have been made in the examples:

Install server name: sunserver
Distribution directory: /export/jumpstart/install
Configuration server name: sunserver
Configuration directory: /export/jumpstart/config
Boot server name: sunserver
Install client: client1
Install client’s MAC address: 8:0:20:21:49:25
Client architecture: sun4u

1. On the install server, change to the directory that contains the installed Solaris 10 Operating Environment image:

# cd /export/jumpstart/install/Solaris_10/Tools<cr>

2. Create the JumpStart client using the add_install_client script found in the local directory:

# ./add_install_client -s sunfire:/export/jumpstart/install -c \
sunfire:/export/jumpstart/config -p sunfire:/export/jumpstart -e \
8:0:20:21:49:25 -i 192.168.1.106 client1 sun4u<cr>

The system responds with this:

Adding Ethernet number for client1 to /etc/ethers
Adding "share -F nfs -o ro,anon=0 /export/jumpstart/install" to \
/etc/dfs/dfstab
making /tftpboot
enabling tftp in /etc/inetd.conf
updating /etc/bootparams
copying inetboot to /tftpboot

The add_install_client script automatically made entries into the following files and directory:

/etc/ethers

8:0:20:21:49:25 client1

/etc/dfs/dfstab

share -F nfs -o ro,anon=0 /export/jumpstart/install

/etc/bootparams

client1 root=sunfire:/export/jumpstart/Solaris_10/Tools/Boot \
install=sunfire:/export/jumpstart/install boottype=:in sysid_\
config=sunfire:/export/jumpstart/config
install_config=sunfire:/export/jumpstart rootopts=:rsize=32768

/tftpboot directory

lrwxrwxrwx 1 root other 26 Jun 19 16:11 C0A8016A -> \
inetboot.SUN4U.Solaris_10-1
lrwxrwxrwx 1 root other 26 Jun 19 16:11 C0A8016A.SUN4U ->\
inetboot.SUN4U.Solaris_10-1
-rwxr-xr-x 1 root other 158592 Jun 19 16:11 \
inetboot.SUN4U.Solaris_10-1
-rw-r--r-- 1 root other 317 Jun 19 16:11 rm.192.168.1.106\
lrwxrwxrwx 1 root other 1 Jun 19 16:11 tftpboot -> .

3. Use the rm_install_client command to remove a JumpStart client’s entries and configuration information from the boot server:

# ./rm_install_client client1<cr>

The system responds with this:

removing client1 from bootparams
removing /etc/bootparams, since it is empty
removing /tftpboot/inetboot.SUN4U.Solaris_10-1
removing /tftpboot
disabling tftp in /etc/inetd.conf

TIP

Know your config files: Make sure you are familiar with the differences between the rules file, a class file, and the sysidcfg file. It is quite common to get an exam question that displays the contents of one of them and asks you to identify which one it is.

Troubleshooting JumpStart

The most common problems encountered with custom JumpStart involve the setting up of the network installation, or booting the client. This section describes briefly some of the more popular errors and what to do if you are faced with them.

Installation Setup

When running the add_install_client command to set up a new JumpStart client, you might get the following message:

Unknown client "hostname"

The probable cause of this error message is that the client does not have an entry in the hosts file (or table if using a name service).


Make sure the client has an entry in the hosts file, or table, and rerun the add_install_client command.

When you have set up the JumpStart Install server, make sure the relevant directories are shared correctly. It is a common problem to share the file systems at the wrong level so that the table of contents file cannot be found when the client tries to mount the remote file system.

Client Boot Problems

The following error message can appear if the Ethernet address of the JumpStart client has been specified incorrectly:

Timeout waiting for ARP/RARP packet...

Check the /etc/ethers file on the JumpStart server, and verify that the client’s Ethernet address has been specified correctly.

When booting the client from the network, to initiate a custom JumpStart installation, you might get the following error message if more than one server attempts to respond to the boot request:

WARNING: getfile: RPC failed: error 5 (RPC Timed out).

This error indicates that more than one server has an entry for the client in its /etc/bootparams file. To rectify this problem, you need to check the servers on the subnet to find any duplicate entries and remove them, leaving only the entry required on the JumpStart server.

When booting the client from the network, you could get the following error message if the system cannot find the correct media required for booting:

The file just loaded does not appear to be executable

You need to verify that the custom JumpStart server has been correctly set up as a boot and install server. Additionally, make sure you specified the correct platform group for the client when you ran add_install_client to set up the client to be able to use JumpStart.
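The boot-time checks above (the client's Ethernet address in /etc/ethers, a single /etc/bootparams entry on the subnet, the boot file in /tftpboot) can be run against copies of the files collected from each server. The following Python sketch is an added example, not part of the book or of Solaris; the function names, the second server "oldboot" and the file contents are constructed for illustration. It uses the fact, visible in the Step By Step 8.5 listing, that the /tftpboot link name C0A8016A is the client address 192.168.1.106 written as eight hexadecimal digits.

```python
import ipaddress

# Constructed sample: what two servers on the subnet hold for client1. The first
# mirrors the Step By Step 8.5 files but with two MAC digits transposed;
# "oldboot" is a hypothetical second server with a stale bootparams entry.
SERVERS = {
    "sunfire": {
        "ethers": "8:0:20:21:49:52 client1\n",
        "bootparams": (
            "client1 root=sunfire:/export/jumpstart/Solaris_10/Tools/Boot \\\n"
            "install=sunfire:/export/jumpstart/install boottype=:in\n"
        ),
        "tftpboot": ["C0A8016A", "C0A8016A.SUN4U", "inetboot.SUN4U.Solaris_10-1"],
    },
    "oldboot": {
        "ethers": "",
        "bootparams": "client1 root=oldboot:/export/install/Solaris_10/Tools/Boot\n",
        "tftpboot": [],
    },
}


def norm_mac(mac):
    """08:00:20:21:49:25 and 8:0:20:21:49:25 name the same interface."""
    octets = [int(part, 16) for part in mac.strip().split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an Ethernet address: {mac!r}")
    return ":".join(f"{o:02x}" for o in octets)


def tftp_name(ip):
    """The IPv4 address as eight hex digits, e.g. C0A8016A for 192.168.1.106."""
    return f"{int(ipaddress.IPv4Address(ip)):08X}"


def ethers_map(text):
    """Parse /etc/ethers lines of the form '<mac> <hostname>'."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return {row[1]: norm_mac(row[0]) for row in rows if len(row) >= 2}


def bootparams_hosts(text):
    """Host names with an entry; a trailing backslash continues the entry."""
    joined = text.replace("\\\n", " ")
    return {line.split()[0] for line in joined.splitlines() if line.strip()}


def check_client(name, mac, ip, servers):
    """Compare each server's files with the client's real MAC and IP address."""
    problems = []
    answering = sorted(server for server, files in servers.items()
                       if name in bootparams_hosts(files["bootparams"]))
    if not answering:
        problems.append(f"no server has a bootparams entry for {name}")
    if len(answering) > 1:
        # The page's cause for "RPC failed: error 5 (RPC Timed out)".
        problems.append("bootparams entry on " + ", ".join(answering)
                        + ": remove all but the JumpStart server's")
    for server in answering:
        known = ethers_map(servers[server]["ethers"]).get(name)
        if known != norm_mac(mac):
            # The page's cause for "Timeout waiting for ARP/RARP packet".
            problems.append(f"{server}: /etc/ethers maps {name} to {known}, "
                            f"client has {norm_mac(mac)}")
        if tftp_name(ip) not in servers[server]["tftpboot"]:
            problems.append(f"{server}: /tftpboot/{tftp_name(ip)} is missing")
    return problems


if __name__ == "__main__":
    for line in check_client("client1", "8:0:20:21:49:25", "192.168.1.106", SERVERS):
        print(line)
```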

A Sample JumpStart Installation

The following example shows how you would set up a custom JumpStart installation for a fictitious site. The network consists of an Enterprise 3000 server and five Ultra workstations. The next section details how to start the JumpStart installation process by creating the install server.

Setting Up the Install Server

The first step is to set up the install server (see Step By Step 8.6). You’ll choose the Enterprise server. This is where the contents of the Solaris CD are located. The contents of the CD can be made available by either loading the CD in the CD-ROM drive or copying the CD to the server’s local hard drive. For this example, you will copy the files to the local hard drive. Use the setup_install_server command to copy the contents of the Solaris CD to the server’s local disk. Files are copied to the /export/install directory.

STEP BY STEP 8.6 Setting Up the Install Server

1. Insert the Solaris Software CD 1 into the server’s CD-ROM drive.

2. Type the following:

# cd /cdrom/cdrom0/s0/Solaris_10/Tools<cr>
# ./setup_install_server /export/install<cr>

The system responds with this:

Verifying target directory...
Calculating the required disk space for the Solaris_10 Product
Calculating space required for the installation boot image
Copying the CD image to disk...
Copying Install boot image hierarchy...
Install Server setup complete

3. Eject the Solaris 10 Software CD 1, and put in the Solaris 10 Software CD 2. Let vold automatically mount the CD.

4. Change to the Tools directory on the CD:

# cd /cdrom/cdrom0/Solaris_10/Tools<cr>

5. Execute the add_to_install_server script as follows to copy the images from the CD to the /export/install directory:

# ./add_to_install_server /export/install<cr>

6. Repeat steps 3, 4, and 5 for the remaining CDs.

Creating the JumpStart Directory

After you install the install server, you need to set up a JumpStart configuration directory on the server. This directory holds the files necessary for a custom JumpStart installation of the Solaris software. You set up this directory by copying the sample directory from one of the Solaris CD images that has been put in /export/install. Do this by typing the following:

# mkdir /export/jumpstart<cr>
# cp -r /export/install/Solaris_10/Misc/jumpstart_sample/* /export/jumpstart<cr>


Any directory name can be used. You’ll use /export/jumpstart for this example.

Setting Up a Configuration Server

Follow the procedure in Step By Step 8.7 to set up a configuration server.

STEP BY STEP 8.7 Setting Up a Configuration Server

1. Log in as root on the server where you want the JumpStart configuration directory to reside.

2. Edit the /etc/dfs/dfstab file. Add the following entry:

# share -F nfs -o ro,anon=0 /export/jumpstart<cr>


NOTE

NFS server: It may be necessary to run the svcadm enable nfs/server command if the NFS server daemons are not running.

3. Type shareall and press Enter. This makes the contents of the /export/jumpstart directory accessible to systems on the network.

4. Working with the sample class file and rules files that were copied into the JumpStart directory earlier, use them to create configuration files that represent your network. For this example, I create a class file named engrg_prof. It looks like this:

#Specifies that the installation will be treated as an initial
#installation, as opposed to an upgrade.
install_type initial_install
#Specifies that the engineering systems are standalone systems.
system_type standalone
#Specifies that the JumpStart software uses default disk
#partitioning for installing Solaris software on the engineering
#systems.
partitioning default
#Specifies that the developer’s software group will be installed.
cluster SUNWCprog
#Specifies that each system in the engineering group will have 2048
#Mbytes of swap space.
filesys any 2048 swap

The rules file contains the following rule:

network 192.9.200.0 - engrg_prof -

This rules file states that systems on the 192.9.200.0 network are installed using the engrg_prof class file.


5. Validate the rules and class files:

# cd /export/jumpstart<cr>
# ./check<cr>
Validating rules...
Validating profile eng_prof...
The custom JumpStart configuration is ok.
# /usr/sbin/install.d/pfinstall -D -c /export/install engrg_prof<cr>

If check doesn’t find any errors, it creates the rules.ok file. Look for the following message, which indicates that the pfinstall test was successful:

Installation complete
Test run complete. Exit status 0.

You are finished creating the configuration server.

Setting Up Clients

Now, on the install server, set up each client:

# cd /export/install/Solaris_10/Tools<cr>

# ./add_install_client -s sparcserver:/export/install -c sparcserver:\
/export/jumpstart -p sparcserver:/export/jumpstart -e 8:0:20:21:49:25 \
-i 192.9.200.106 sun1 sun4u<cr>

# ./add_install_client -s sparcserver:/export/install -c sparcserver:\
/export/jumpstart -p sparcserver:/export/jumpstart -e 8:0:20:21:49:24 \
-i 192.9.200.107 sun2 sun4u<cr>

This example sets up two engineering workstations, sun1 and sun2, so that they can be installed over the network from the install server named sparcserver. It is assumed that a sysidcfg file is located in the /export/jumpstart directory on “sparcserver” and that both clients will use the same sysidcfg file.

Starting Up the Clients

After the setup is complete, you can start up the engineering systems by using the following startup command at the OK (PROM) prompt of each system:

# boot net - install<cr>

You see the following:

Rebooting with command: net - install
Boot device: /pci@1f,0/pci@1,1/network@1,1 File and args: - install
20800
SunOS Release 5.10 Version Generic_127127-11_64-bit
Copyright 1983-2008 Sun Microsystems, Inc. All rights reserved.


whoami: no domain name
Configuring /dev and /devices
Using RPC Bootparams for network configuration information.
Configured interface eri0
Using sysid configuration file 192.9.200.101:/export/jumpstart/sysidcfg
The system is coming up. Please wait.
Starting remote procedure call (RPC) services: sysidns done.
Starting Solaris installation program...
Searching for JumpStart directory...
Using rules.ok from 192.9.200.101:/export/jumpstart.
Checking rules.ok file...
Using profile: engrg_prof
Executing JumpStart preinstall phase...
Searching for SolStart directory...
Checking rules.ok file...
Using begin script: install_begin
Using finish script: patch_finish
Executing SolStart preinstall phase...
Executing begin script "install_begin"...
Begin script install_begin execution completed.
Processing default locales
    - Specifying default locale (en_US)
Processing profile
    - Selecting cluster (SUNWCprog)
WARNING: Unknown cluster ignored (SUNWCxgl)
    - Selecting package (SUNWaudmo)
    - Selecting locale (en_US)
Installing 64 Bit Solaris Packages
    - Selecting all disks
    - Configuring boot device
    - Configuring swap (any)
    - Configuring /opt (any)
    - Automatically configuring disks for Solaris operating environment
Verifying disk configuration
Verifying space allocation
    - Total software size: 3771.46 Mbytes
Preparing system for Solaris install
Configuring disk (c0t0d0)
    - Creating Solaris disk label (VTOC)
Creating and checking UFS file systems
    - Creating / (c0t0d0s0)
    - Creating /opt (c0t0d0s5)
Beginning Solaris software installation
Starting software installation


SUNWxwrtl...done. 3756.31 Mbytes remaining.
<output truncated>
Completed software installation
Solaris 10 software installation succeeded
Customizing system files
    - Mount points table (/etc/vfstab)
    - Network host addresses (/etc/hosts)
Customizing system devices
    - Physical devices (/devices)
    - Logical devices (/dev)
Installing boot information
    - Installing boot blocks (c0t0d0s0)
Installation log location
    - /a/var/sadm/system/logs/install_log (before reboot)
    - /var/sadm/system/logs/install_log (after reboot)
Installation complete
Executing SolStart postinstall phase...
Executing finish script "patch_finish"...
Finish script patch_finish execution completed.
Executing JumpStart postinstall phase...
The begin script log 'begin.log'
is located in /var/sadm/system/logs after reboot.
The finish script log 'finish.log'
is located in /var/sadm/system/logs after reboot.
syncing file systems... done
rebooting...

The client reads the sysidcfg file, and then the class file, and then the rules.ok file on the server. If any system identification information is missing in the sysidcfg file, the client displays the appropriate dialog requesting identification information. The system then automatically installs the Solaris operating environment.

This completes the JumpStart configuration.


Solaris Flash

Objective

. Explain Flash, create and manipulate the Flash Archive, and use it for installation.

The main feature of Solaris Flash is to provide a method to store a snapshot of the Solaris operating environment, complete with all installed patches and applications. This snapshot is called the Flash Archive, and the system that the archive is taken from is called the master machine. This archive can be stored on disk, CD-ROM, or tape media. You can use this archive for disaster recovery purposes or to replicate (clone) an environment on one or more other systems. When using a Flash Archive to install the Solaris environment onto a system, the target system we are installing the environment on is called the installation client.

When you’re ready to install the Solaris environment using the Flash Archive, you can access the archive on either local media or across the network. The Flash Archive is made available across the network by using FTP, NFS, HTTP, or HTTPS. Furthermore, when installing from a Flash Archive onto the installation client, the install can be modified from the original archive to accommodate things such as kernel architecture, device differences, and partitioning schemes between the master machine and the installation client.

A few limitations of the Flash Archive are worth noting:

. Flash does not support metadevices or non-UFS file systems.

. The archive can only be generated using packages that are currently installed and available on the master server.

You can also initiate pre- and post-installation scripts to further customize the system before or after the installation of the Flash Archive. These standard shell scripts can be run during creation, installation, post-installation, and the first reboot. Specifically, you could use these scripts to perform the following tasks:

. Configure applications on the clone.

. Validate the installation on the clone.

. Protect local customizations from being overwritten by the Solaris Flash software.

This section describes how to create the Flash Archive using the flarcreate command, how to obtain information from an existing Flash Archive using the flar command, and how to install the operating system on an installation client from a Flash Archive.

Chapter 7: Advanced Installation Procedures: JumpStart, Flash Archive, and PXE


Creating a Flash Archive

The first step is to identify the master machine. This system will serve as the template for the archive. All software and data on the master machine, unless specifically excluded, will become part of the Flash Archive that will be installed on the installation client.

Next, make sure that the master machine is completely installed, patched, and has all its applications installed. Depending on the application, you may want to create the archive before the application is configured, however. This will allow you to configure the application specifically for each system it is running on. To ensure that the archive is clean, it’s recommended that the archive be created before the master machine has ever gone into production and while the system is in a quiescent state.

Finally, determine where the archive will be stored. You can store the archive onto a disk, a CD-ROM, or a tape. After the archive has been stored, you can even compress it so that it takes up less space. Because these archives can be used for disaster recovery, store the archive somewhere offsite.

You’ll use the flarcreate command to create the archive. The syntax for the command is as follows:

flarcreate -n <name> [-R <root>] [-A <system_image>] [-H] [-I] [-L <archiver>] \
[-M] [-S] [-c] [-t [-p <posn>] [-b <blocksize>]] [-i <date>] \
[-u <section>...] [-m <master>] [-f [<filelist> | -] [-F]] [-a <author>] \
[-e <descr> | -E <descr_file>] [-T <type>] [-U key=value...] \
[-x <exclude>...] [-y <include>...] [-z <filelist>...] [-X <filelist>...] \
<archive>

The options to the flarcreate command are described in Table 7.25. In this command syntax, <archive> is the name of the archive file to be created. If you do not specify a path, flarcreate saves the archive file in the current directory.

NOTE: Flash install enhancement. A Flash installation can now be used to update a system, using a differential Flash Archive. Previously, a Flash Install could only be used to perform an initial installation. A new <install_type> of flash_update is available with Solaris 10.


Table 7.25 Command-Line Options for flarcreate

Option              Description

The Following Option Is Required

-n <name>           The value of this flag is the name of the archive. This is a name stored internally in the archive and should not be confused with the filename used when storing the archive.

The Following General Options Are Available

-A <system_image>   Creates a differential Flash Archive by comparing a new system image with the image specified by system_image.

-f <filelist>       Uses the contents of <filelist> as a list of files to include in the archive.

-F                  Uses only files listed in <filelist>, making this an absolute list of files, instead of an addition to the normal file list.

-c                  Compresses the archive by using the compress command.

-H                  Does not generate a hash identifier.

-I                  Ignores the integrity check.

-L <archiver>       The value for the file_archived_method field in the identification section. cpio is the default method used, but you could specify -L pax to use the pax utility to create an archive without a 4GB limitation on individual file sizes.

-M                  Used only when you are creating a differential Flash Archive (described in the next section). When creating a differential archive, flarcreate creates a long list of the files in the system that remain the same, are changed, and are to be deleted on clone systems. This list is stored in the manifest section of the archive. When the differential archive is deployed, the Flash software uses this list to perform a file-by-file check, ensuring the integrity of the clone system. Use of this option avoids this check and saves the space used by the manifest section in a differential archive. However, you must weigh the savings in time and disk space against the loss of an integrity check upon deployment. Because of this loss, use of this option is not recommended.

-R <root>           Creates the archive from the file system tree that is rooted at root. If you do not specify this option, flarcreate creates an archive from a file system that is rooted at /.

-S                  Skips the disk space check and doesn’t write archive size data to the archive.

-s                  Does not include sizing information in the archive.

-x <exclude>        Excludes the file or directory from the archive. If you specify a file system with -R <root>, the path to the directory to exclude is assumed to be relative to <root>.

-y <include>        Includes the file or directory in the archive. This option can be used in conjunction with the -x option to include a specific file or directory within an excluded directory.


-X <filelist>       Uses the contents of filelist as a list of files or directories to exclude from the archive.

-z <filelist>       The filelist argument contains filenames, or directory names, prefixed with either a plus (+), to include in the archive, or minus (-), to exclude from the archive.

Options for Archive Identification

-i <date>           If you do not specify a date, flarcreate uses the current system time and date.

-m <master>         If you do not specify a master, flarcreate uses the system name that is reported by uname -n.

-e <descr>          Specifies a description.

-E <descr_file>     Specifies that a description is contained in the file <descr_file>.

-T <type>           Specifies the archive’s content type.

-t                  Creates an archive on a tape device.

-a <author>         Allows you to specify the archive’s author.

Additional options are available, such as for creating the archive on tape and adding some user-defined options. Information on these options is found in the online manual pages and in the Solaris 10 Installation Guide in the Solaris 10 Release and Installation Collection.

The following example shows how to use the flarcreate command to create the Flash Archive:

# flarcreate -n "Solaris 10 Ultra Archive" -a "WS Calkins" -R / /u01/ultra.flar<cr>

In the previous example, we are creating a Flash Archive named “Solaris 10 Ultra Archive.” We are specifying the author (creator) to be labeled as “WS Calkins.” The -R option tells flarcreate to recursively descend from the specified directory (here, /). The last part of the command specifies which directory to store the archive in and what to name the archive.

After you enter the command and press Enter, the flarcreate command displays the status of the operation:

Full Flash
Checking integrity...
Integrity OK.
Running precreation scripts...
Precreation scripts done.
Determining the size of the archive...
8172587 blocks
The archive will be approximately 3.89GB.
Creating the archive...
8172587 blocks
Archive creation complete.
Running postcreation scripts...
Postcreation scripts done.

Running pre-exit scripts...
Pre-exit scripts done.

When the operation is complete, you can see the archive file by issuing the ls command:

# ls -l /u01/ultra.flar<cr>
-rw-r--r-- 1 root other 3820943938 Sep 3 11:12 ultra.flar

The flar command is used to administer Flash Archives. With the flar command, you can

. Extract information from an archive

. Split archives

. Combine archives

To use the flar command to extract information from an archive, use the following command:

# flar -i /u01/ultra.flar<cr>

The system displays the following information about the Flash Archive:

archive_id=fb2cfa3c51d3af4a10ce6e804243fe19
files_archived_method=cpio
creation_date=20090217003131
creation_master=ultra
content_name=Solaris 10 Ultra Archive
creation_node=ultra10
creation_hardware_class=sun4u
creation_platform=SUNW, UltraAX-i2
creation_processor=sparc
creation_release=5.10
creation_os_name=SunOS
creation_os_version=Generic_137137-09
files_compressed_method=none
files_archived_size=4184375301
files_unarchived_size=4184375301
content_author=WS Calkins
content_architectures=sun4u
type=FULL

For additional information on the flarcreate or flar commands, refer to the online manual pages or the “Solaris 10 Installation Guide: Solaris Flash Archive (Creation and Installation)” in the Solaris 10 Release and Installation Collection.
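One way to use the flar -i listing as a pre-deployment gate, as an added example that is not from the book: the listing is compared with values recorded when the archive was created, so a replaced or wrong archive on the share is caught before an install. The function names, the practice of recording archive_id at creation time, and the second listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the book): check the identification section that
# `flar -i <archive>` prints before the archive is used for an install.
# Save the listing first, for example: flar -i /u01/ultra.flar > ultra.ident

# Print the value of one key from a saved listing (empty if the key is absent).
flar_field() {    # usage: flar_field <ident-file> <key>
    awk -F= -v key="$2" '$1 == key { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# Compare a listing with the values recorded at creation time.
# Prints one line per mismatch; the return status is the number of mismatches.
check_flar_ident() {    # usage: check_flar_ident <ident-file> <archive_id> <master> <type>
    ident=$1
    problems=0
    id=$(flar_field "$ident" archive_id)
    if [ -z "$id" ]; then
        # Assumption: an archive built with flarcreate -H carries no archive_id.
        echo "archive_id missing: archive has no hash identifier"
        problems=$((problems + 1))
    elif [ "$id" != "$2" ]; then
        echo "archive_id $id does not match recorded value $2"
        problems=$((problems + 1))
    fi
    master=$(flar_field "$ident" creation_master)
    if [ "$master" != "$3" ]; then
        echo "creation_master is '$master', expected '$3'"
        problems=$((problems + 1))
    fi
    atype=$(flar_field "$ident" type)
    if [ "$atype" != "$4" ]; then
        echo "type is '$atype', expected '$4'"
        problems=$((problems + 1))
    fi
    return "$problems"
}

WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT

# Listing from the flar -i output shown above (abridged).
cat > "$WORK/ultra.ident" <<'EOF'
archive_id=fb2cfa3c51d3af4a10ce6e804243fe19
files_archived_method=cpio
creation_date=20090217003131
creation_master=ultra
content_name=Solaris 10 Ultra Archive
creation_node=ultra10
content_author=WS Calkins
type=FULL
EOF

# Constructed listing: no archive_id and an unexpected master.
cat > "$WORK/other.ident" <<'EOF'
files_archived_method=cpio
creation_master=testbox
content_name=Solaris 10 Ultra Archive
type=FULL
EOF

RECORDED_ID=fb2cfa3c51d3af4a10ce6e804243fe19   # noted when the archive was created

for f in ultra other; do
    if check_flar_ident "$WORK/$f.ident" "$RECORDED_ID" ultra FULL; then
        echo "$f: identification matches the recorded values"
    else
        echo "$f: do not deploy"
    fi
done
```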


Using the Solaris Installation Program to Install a Flash Archive

In the previous section we described how to create a Flash Archive. In this section, you learn how to install this archive on an installation client using the GUI-based Solaris installation program.

The Flash Archive was created on a system named ultra10 with the IP address of 192.168.0.110 and placed into a file system named /u01. On ultra10 we need to share the /u01 file system so that the archive is available to other systems on the network via NFS. You use the share command to do this. NFS and the share command are described in Chapter 2.

Initiate a Solaris installation from CD-ROM. When prompted to select the Installation Media, as shown in Figure 7.1, select Network File System.

FIGURE 7.1 Specify Media window.

Click the Next button. You’re prompted to enter the path to the network file system that contains the Flash Archive, as shown in Figure 7.2.


FIGURE 7.2 Specify Network file system path window.

After entering the path, click the Next button. The Flash Archive Summary window appears, as shown in Figure 7.3.


FIGURE 7.3 Flash Archive Summary window.

The selected archive is listed. Verify that it is correct, and then click the Next button. You’re prompted to enter any additional archives you want to install, as shown in Figure 7.4.


FIGURE 7.4 Additional Flash Archives window.

You have no additional archives to install, so click the Next button. The system is initialized, as shown in Figure 7.5.

FIGURE 7.5 Initialization window.

After the system initialization is finished, you see the Disk Selection window displayed as with a normal GUI-based installation. From this point forward, the installation continues as a normal GUI-based installation. The difference is that you are not asked to select the software you want to install. Instead, the entire Flash Archive is installed. When the installation is complete, the system reboots (if you selected this option during the earlier dialog), and the login message appears. The final step is to log in as root, configure your applications, and make system-specific customizations. The system is now ready for production use.


Creating a Differential Flash Archive

If you created a clone system using a Flash Archive, you can update that clone using a differential archive. For example, let’s say you have already created a Flash Archive on a master server using the flarcreate command, and you used that archive to install a clone system. Later, on the master server, you install updates and make other changes to the OS, and you want to apply these changes to the clone system. You’ll use a differential archive to accomplish the task. When installing the differential archive on the clone, using custom JumpStart or Live Upgrade, only the files that are in the differential archive are changed.


When creating a differential archive on the master server, the original master Flash Archive must still be present and untouched. After updating or making changes to the master server’s OS, you’ll create a differential archive by comparing the current OS to the original master Flash Archive. The differential archive is created and contains the differences between the two archives.

Step By Step 7.8 describes the process of creating a differential archive.

STEP BY STEP 7.8 Creating a Differential Archive

1. Create your original Flash Archive on the master server:

# flarcreate -n "Archive" /u01/original.flar <cr>

This is the archive that was initially used to create the clone.

2. After modifying the master server (adding/removing packages, patches, and so on), create a differential archive by comparing the original Flash Archive with the current OS image that is installed in (/):

# flarcreate -n "differential archive" -A /u01/original.flar /u01/diff_archive <cr>

where -A specifies the location of the original, unchanged master Flash Archive.

The name of the new differential archive is /u01/diff_archive.

Now you can install the differential archive on the clone system with custom JumpStart. Or you can use Solaris Live Upgrade to install the differential archive on an inactive boot environment.

NOTE: Differential update failure. If the clone has been manually updated after it was originally created from the master server’s archive, the differential update fails.


Solaris Flash and JumpStart

Earlier in this chapter, I described how to set up a JumpStart installation. If you recall, we set up a boot server, which provided the information that a JumpStart client needed to boot across the network. We also set up an install server, which supplied the Solaris image, and we created the profile and rules configuration files which provided additional setup information such as disk partitions and software packages.

You can utilize a Solaris Flash Archive in a JumpStart installation, but first you need to add the installation client to the JumpStart boot server as described earlier in this chapter.

The next step is to create a profile for the installation client. This was also described earlier in this chapter. However, when using JumpStart to install from a Flash Archive, only the following keywords can be used in the profile:

. archive_location

. install_type: For a full flash archive install, specify this option as flash_install. For a differential flash archive, specify flash_update.

. partitioning: Only the keyword values of explicit or existing must be used.

. filesys: The keyword value auto must not be used.

. forced_deployment

. local_customization

. no_content_check: Used only for a differential flash archive.

. no_master_check: Used only for a differential flash archive.

. package: Used only for a full flash installation; cannot be used with a differential flash archive.

. root_device

Here’s a sample profile for an installation client using a Flash Archive:

install_type flash_install
archive_location nfs://192.168.0.110/u01/ultra.flar
partitioning explicit
#
#8 GB / and 1GB swap on a 9GB Disk
#
filesys rootdisk.s0 free /
filesys rootdisk.s1 1:449 swap
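A lint for the profile restrictions listed above, as an added example rather than part of the book or of JumpStart itself: check_flash_profile is a hypothetical helper, the first profile is the sample from the text, and the second is constructed to trip each rule.

```shell
#!/bin/sh
# Added example (not from the book): lint a JumpStart profile against the
# keyword restrictions that apply to Flash Archive installs.
# Uses POSIX awk; on Solaris 10 run it with nawk or /usr/xpg4/bin/awk.

# Prints one line per violation; the return status is the number of violations.
check_flash_profile() {    # usage: check_flash_profile <profile-file>
    awk '
    function bad(line, msg) { printf "line %d: %s\n", line, msg; n++ }
    BEGIN {
        list = "archive_location install_type partitioning filesys forced_deployment"
        list = list " local_customization no_content_check no_master_check package root_device"
        count = split(list, kw, " ")
        for (i = 1; i <= count; i++) allowed[kw[i]] = 1
    }
    /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
    {
        if (!($1 in allowed)) {
            bad(NR, $1 " is not permitted in a Flash profile")
            next
        }
        if ($1 == "install_type") itype = $2
        if ($1 == "partitioning" && $2 != "explicit" && $2 != "existing")
            bad(NR, "partitioning must be explicit or existing, not " $2)
        if ($1 == "filesys")
            for (i = 2; i <= NF; i++)
                if ($i == "auto") bad(NR, "filesys must not use the value auto")
        if ($1 == "package") pkg_line = NR
        if ($1 == "no_content_check" || $1 == "no_master_check") diff_line = NR
    }
    END {
        if (itype != "flash_install" && itype != "flash_update")
            bad(NR, "install_type must be flash_install or flash_update")
        if (itype == "flash_install" && diff_line)
            bad(diff_line, "no_content_check and no_master_check apply only to flash_update")
        if (itype == "flash_update" && pkg_line)
            bad(pkg_line, "package cannot be used with a differential archive")
        exit n + 0
    }' "$1"
}

WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT

# The sample profile from the text.
cat > "$WORK/flash.profile" <<'EOF'
install_type flash_install
archive_location nfs://192.168.0.110/u01/ultra.flar
partitioning explicit
#
#8 GB / and 1GB swap on a 9GB Disk
#
filesys rootdisk.s0 free /
filesys rootdisk.s1 1:449 swap
EOF

# Constructed profile that breaks four of the rules.
cat > "$WORK/bad.profile" <<'EOF'
install_type flash_update
archive_location nfs://192.168.0.110/u01/diff_archive
partitioning default
filesys rootdisk.s0 auto /
package SUNWman add
cluster SUNWCreq
EOF

for p in flash bad; do
    if check_flash_profile "$WORK/$p.profile"; then
        echo "$p.profile: OK"
    else
        echo "$p.profile: rejected"
    fi
done
```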


The rules and sysidcfg files for the Flash installation client would be the same as described earlier in this chapter.

When finished configuring the profile, rules, and sysidcfg files, and assuming the Flash Archive is available on the install server in a shared file system, you can boot the installation client using this:

ok boot net - install<cr>

The automated installation proceeds without further intervention, and the system will be installed using the Flash Archive.

Preboot Execution Environment (PXE)

The Preboot Execution Environment (PXE) is a direct form of network boot that can be used to install the Solaris Operating Environment over the network using DHCP. It does not require the client to have any form of local boot media. With PXE, x86/x64-based clients can boot consistently and in an interoperable manner, regardless of the sources or vendors of the software and the hardware of both client and server machines. This is accomplished via a uniform and consistent set of preboot protocol services within the client. They ensure that network-based booting is accomplished through industry-standard protocols used to communicate with the server. In addition, to ensure interoperability, the downloaded Network Bootstrap Program (NBP) is presented with a uniform and consistent preboot operating environment within the booting client, so it can accomplish its task independent of the type of network adapter implemented in the system.

PXE is available only to x86/x64-based systems that implement the Intel Preboot Execution Environment specification. Depending on your system, PXE may be implemented in the system’s BIOS or might be configurable via the network adapter’s configuration utility. You need to consult the hardware documentation for your system to determine whether it supports the PXE network boot.

To use PXE, you need three systems:

. A configured install server containing the Solaris boot image and images of the Solaris CDs

. A configured DHCP server from which to boot successfully

. An x86 client that supports the PXE network boot


NOTE: Only one DHCP server. You must make sure that only one DHCP server is on the same subnet as the PXE client, because the PXE network boot does not work properly on a subnet containing multiple DHCP servers.


Preparing for a PXE Boot Client

As you saw in the previous section, three systems are required in order to be able to make use of the PXE network boot. The first of these is the install server. Setting up the install server was described earlier in this chapter, in the section “The Install Server.” The procedure for an x86 install server is the same, but you store x86 CD images instead of SPARC.

NOTE: You can still use SPARC. Even though you are setting up an x86 installation, you can still use a SPARC system as your install server if you want to. All it does is share the CD images over the network, and a single install server can serve both SPARC and x86 clients. Remember that you cannot run setup_install_server on a SPARC system using an x86 CD, or vice versa, but you can from a DVD.

The third system is also very straightforward, because you have to consult your hardware documentation to verify whether PXE network boot is supported by the BIOS. It is worth investigating whether an upgrade to the BIOS firmware is necessary as well.

It is the second of these systems that requires the most work. Configuring a DHCP server is beyond the scope of this exam and is covered completely in the Solaris 10 Network Administrator Exam (Exam 310-302). It is necessary, however, to create some vendor class macros so that the correct configuration information is passed to the client when booting across the network.

Configuring the DHCP Server

A few parameters need to be configured to ensure that the client, when booted, has all the information it requires in order to boot successfully and then access the install server containing the correct CD images, required for the installation of the Solaris Operating Environment. Table 7.26 lists some of the most common parameters.

NOTE: DHCP already configured. You should note that a working DHCP server should already be configured. The details described in this section merely configure some parameters within the DHCP server.

Table 7.26 Vendor Client Class Options

Symbol Name  Code  Type        Granularity  Max  Description
SrootIP4     2     IP Address  1            1    The root server’s IP address
SrootNM      3     ASCII Text  1            0    The root server’s hostname
SrootPTH     4     ASCII Text  1            0    The path to the client’s root directory on the root server
SinstIP4     10    IP Address  1            1    The JumpStart install server’s IP address
SinstNM      11    ASCII Text  1            0    The JumpStart install server’s hostname
SinstPTH     12    ASCII Text  1            0    The path to the installation image on the JumpStart install server
SrootOpt     1     ASCII Text  1            0    NFS mount options for the client’s root file system
SbootFIL     7     ASCII Text  1            0    Path to the client’s boot file
SbootRS      9     Number      2            1    NFS read size used by standalone boot program when loading the kernel
SsysidCF     13    ASCII Text  1            0    Path to the sysidcfg file, in the format <server>:</path>
SjumpsCF     14    ASCII Text  1            0    Path to the JumpStart configuration file, in the format <server>:</path>

The fields are described here:

. Symbol Name: The name of the symbol.

. Code: A unique code number.

. Type: The data type of the entry.

. Granularity: The number of instances. For example, a symbol with a data type of IP Address and a Granularity of 2 means that the entry must contain two IP addresses.

. Max: The maximum number of values. For example, a symbol with a data type of IP Address, a Granularity of 2, and a Max of 2 means that the symbol can contain a maximum of two pairs of IP addresses.

. Description: A textual description of the symbol.

You can add these symbols to the DHCP server by using the dhtadm command:

dhtadm -A -s <symbol> -d <definition>

or by using the GUI-based dhcpmgr command. The following example shows how to add a symbol (SrootIP4) and Vendor Client Class (SUNW.i86pc) to the achilles macro using the GUI-based dhcpmgr:

1. Start dhcpmgr by entering /usr/sadm/admin/bin/dhcpmgr & from any CDE window. The DHCP manager window appears, as shown in Figure 7.6.

Note that the DHCP server is already configured to support 10 IP addresses and that the DHCP server name is achilles.


FIGURE 7.6 DHCP Manager window.

2. Select the Options tab; the Options window appears. Select Edit, Create, as shown in Figure 7.7.

FIGURE 7.7 DHCP Options window.


3. A subwindow appears to create the option. Enter the name SrootIP4 in the Name field. The next field is a pull-down menu; select Vendor from this menu, as shown in Figure 7.8.


FIGURE 7.8 DHCP Create Options window.

4. Refer to Table 7.26, which lists the valid values for the symbols to be added. In this case, the code value for the symbol SrootIP4 is 2. The type is currently set to IP Address, which is correct. Table 7.26 also states the values for Granularity and Maximum; enter these accordingly into their correct locations.

5. On the right side of the window is the Vendor Client Classes box. This is where you specify which class of systems the option applies to. For example, if an x86 client is being used, the client class is SUNW.i86pc. Enter this in the box provided and click Add. The class now appears in the list, as shown in Figure 7.9.

6. Make sure the box titled Notify DHCP server of change is checked, and click OK to complete the operation.

7. You are returned to the Options window, which now includes the symbol just created, as shown in Figure 7.10.


FIGURE 7.9 DHCP completed Create Options window.

FIGURE 7.10 DHCP Options window with a symbol defined.

8. The remaining symbols can be added by repeating the previous steps.

9. To add the symbol SrootIP4 to the achilles macro, select the Macro tab and the achilles macro from the list on the left. Figure 7.11 shows the current contents of this macro.


FIGURE 7.11 The achilles macro.

10. Select Edit, Properties. Figure 7.12 shows the Properties window.


FIGURE 7.12 The Properties window.

11. You need to locate the symbol that you want to add, so click Select to the right of the Option Name field. The Select Option window appears, as shown in Figure 7.13.


FIGURE 7.13 The Select Option (Standard) window.

12. The symbol just created is a Vendor class symbol, and the options being displayed are standard symbols. The selector field is a pull-down menu, so click the menu and choose Vendor. The symbol SrootIP4 appears, as shown in Figure 7.14.

FIGURE 7.14 The Select Option (Vendor) window.


13. Click the symbol SrootIP4, and then click OK to display the Macro Properties window. This symbol identifies the IP Address of the JumpStart root server, which is 192.168.0.110 for this example. Enter this in the Option Value field, as shown in Figure 7.15.


FIGURE 7.15 The Macro Properties window.

14. Click Add to insert the symbol and value into the macro properties. Figure 7.16 shows that the symbol SrootIP4 has been added to the macro.

FIGURE 7.16 The Macro Properties window with symbol added.

15. When you click OK to complete the operation, you are returned to the macro window, showing the contents of the achilles macro. Figure 7.17 shows the completed operation.


FIGURE 7.17 The achilles macro with symbol added.

16. Repeat this operation for the other symbols that the DHCP server requires to properly support the PXE network boot.

When the macro and symbols have been configured, the DHCP server is ready to handle the client correctly when it boots across the network.
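The same symbol definitions and macro entry from the command line, as an added example that is not from the book: the script prints the dhtadm commands for the Table 7.26 symbols instead of running them. The Vendor=<class>,<code>,<type>,<granularity>,<max> definition string, the type keywords IP, ASCII and NUMBER, the -M -m ... -e form and the quoting of string values follow dhtadm(1M) and dhcptab(4) rather than this page, and the SsysidCF value is constructed.

```shell
#!/bin/sh
# Added example (not from the book): print, without running them, the dhtadm
# commands equivalent to the dhcpmgr steps above. Review the output, then run
# it on the DHCP server.

CLIENT_CLASS=SUNW.i86pc    # vendor client class used in the text
MACRO=achilles             # macro used in the text

# Table 7.26 as symbol|code|type|granularity|max (dhtadm type keywords).
VENDOR_SYMBOLS='SrootOpt|1|ASCII|1|0
SrootIP4|2|IP|1|1
SrootNM|3|ASCII|1|0
SrootPTH|4|ASCII|1|0
SbootFIL|7|ASCII|1|0
SbootRS|9|NUMBER|2|1
SinstIP4|10|IP|1|1
SinstNM|11|ASCII|1|0
SinstPTH|12|ASCII|1|0
SsysidCF|13|ASCII|1|0
SjumpsCF|14|ASCII|1|0'

# Print one column (2=code 3=type 4=granularity 5=max) of a symbol row.
symbol_col() {    # usage: symbol_col <symbol> <column>
    printf '%s\n' "$VENDOR_SYMBOLS" |
        awk -F'|' -v s="$1" -v c="$2" '$1 == s { print $c; ok = 1 } END { exit !ok }'
}

# Command that defines one vendor symbol for CLIENT_CLASS.
symbol_cmd() {    # usage: symbol_cmd <symbol>
    code=$(symbol_col "$1" 2) || { echo "unknown symbol: $1" >&2; return 1; }
    printf "dhtadm -A -s %s -d 'Vendor=%s,%s,%s,%s,%s'\n" "$1" "$CLIENT_CLASS" \
        "$code" "$(symbol_col "$1" 3)" "$(symbol_col "$1" 4)" "$(symbol_col "$1" 5)"
}

is_ipv4() {       # succeeds only for a dotted quad with octets 0-255
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# Command that sets a symbol in MACRO, after checking the value against the
# type the table gives for that symbol.
macro_cmd() {     # usage: macro_cmd <symbol> <value>
    stype=$(symbol_col "$1" 3) || { echo "unknown symbol: $1" >&2; return 1; }
    case $stype in
        IP)     is_ipv4 "$2" || { echo "$1 needs an IPv4 address" >&2; return 1; }
                value=$2 ;;
        NUMBER) case $2 in
                    ''|*[!0-9]*) echo "$1 needs a number" >&2; return 1 ;;
                esac
                value=$2 ;;
        *)      value="\"$2\"" ;;   # strings with colons or spaces must be double-quoted
    esac
    printf "dhtadm -M -m %s -e '%s=%s'\n" "$MACRO" "$1" "$value"
}

# One definition command per row of the table.
all_symbol_cmds() {
    printf '%s\n' "$VENDOR_SYMBOLS" | while IFS='|' read -r sym _rest; do
        symbol_cmd "$sym"
    done
}

all_symbol_cmds
macro_cmd SrootIP4 192.168.0.110                        # value from the text
macro_cmd SsysidCF 192.168.0.110:/export/jumpstart      # constructed value
```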

Adding an x86 Client to Use DHCP

Having configured the DHCP server, the next task is to add the client to the install server. This is carried out using the add_install_client command, virtually the same as for a custom JumpStart, but this time the majority of the configuration information is supplied by the DHCP server. The following command adds support for the SUNW.i86pc class of system:

# cd /export/install/x86pc/Tools<cr>
# ./add_install_client -d SUNW.i86pc i86pc<cr>

This add_install_client example configures DHCP to PXE boot a class of machines. The next example configures DHCP to PXE boot one specific machine based on its MAC address of 00:21:9b:33:c0:d7:

# ./add_install_client -d -e 00:21:9b:33:c0:d7<cr>


Booting the x86 Client

When the install server and the DHCP server have been configured correctly and the x86 client has been added, the only remaining thing to do is to boot the x86 client to install over the network. The way in which this is done depends on the hardware that you have, but usually one of the following will have the desired effect:

. Enter the system BIOS using the appropriate keystrokes.

. Configure the BIOS to boot from the network.

. Adjust the boot device priority list, if present, so that a network boot is attempted first.

. Exit the system BIOS.

The system should start booting from the network and should prompt you for the type of installation you want to run. The remainder of the installation process depends on which installation type you choose.


NOTE: Set back boot options. Remember, when the installation finishes and the system reboots, to re-enter the system BIOS and restore the original boot configuration.


Summary

It’s been my experience that JumpStart is not widely used, mainly because of its complexity. Many system administrators would rather go through an interactive installation for each system than automate the process. Many of the popular UNIX systems have installation programs similar to JumpStart, and most are underutilized. System administrators could save a great deal of time if they would only learn more about this type of installation.

The key to using JumpStart is whether it will benefit you to spend the time learning and understanding what is required; and then creating the necessary class files, an install server, and a configuration server; and editing a rules file to ensure that all systems are accommodated. For system administrators managing large numbers of systems—say, more than 100—it is probably worth the effort, especially if the JumpStart installation is to be used more than once. A good example of this is in a test environment, where systems might have to be regularly reinstalled to a particular specification. On the other hand, if the system administrator manages only three or four systems, and they need to be installed only once, it is questionable as to whether the time is worth investing. It might be more efficient to carry out interactive installations.

I described the entire process of installing a networked system via JumpStart, including how to set up the boot server, the install server, and the configuration files located on the configuration server. I also described the necessary procedures that need to be performed for each client that you plan to install.

You also learned how to use the Solaris Flash Archive feature to create an exact image of a particular Solaris environment and replicate this environment across many systems, or simply store it away in case you need to rebuild the system as a result of a system failure. You also learned how to create a differential Flash Archive by comparing a new root (/) image to an existing Flash Archive. You learned how the Flash Archive can be used in a JumpStart session for a completely automated installation.

Finally, you learned about a new facility, the Preboot Execution Environment (PXE), which facilitates the installing of x86 clients across the network using a DHCP server to provide the boot configuration information. You also learned how to configure a DHCP server to add the required symbols to properly support a booting x86 client.

Key Terms

. Boot server

. Class file

. Clone system


. Configuration server

. Custom JumpStart

. DHCP server

. Differential archive

. Flash Archive

. Flash installation

. Install server

. JumpStart client

. JumpStart directory

. JumpStart server

. MTFTP

. NBP

. Preboot Execution Environment (PXE)

. Profile

. RARP

. Rules file

. Solaris Flash

. TFTP

Apply Your Knowledge

Exercise 8.1 Creating JumpStart Servers

In this exercise, you’ll create a JumpStart boot server, install server, configuration server, configuration files, and configure a JumpStart client to automatically install the Solaris 10 operating environment across the network.

For this exercise, you’ll need two systems connected on a network. One system will serve as the boot/install/configuration server, so it needs about 5GB of free disk space. The second system will be the client and will have the entire disk destroyed and the operating system reloaded.


Estimated time: 1 hour

1. On the system that will be used as the boot and install server, log in as root.

2. Edit the /etc/hosts file, and make an entry for the JumpStart client.

3. Create the boot server:

a. Insert the Solaris DVD (or CD labeled Solaris 10 CD 1), and let vold automatically mount the DVD/CD.

b. Change to the Tools directory on the CD:

# cd /cdrom/cdrom0/s0/Solaris_10/Tools<cr>

c. Run the setup_install_server script, and specify the location for the Solaris image. Be sure you have about 5GB of free space and that the target directory is empty. In the following example, I use /export/install as the install directory:

# ./setup_install_server /export/install<cr>

4. Add the additional software:

a. Eject the Solaris 10 CD 1, and put in the Solaris 10 CD 2. Let vold automatically mount the CD.

b. Change to the Tools directory on the CD:

# cd /cdrom/cdrom0/Solaris_10/Tools<cr>

c. Execute the add_to_install_server script as follows to copy the images from the CD to the /export/install directory:

# ./add_to_install_server /export/install<cr>

d. Repeat the procedure with the remaining CDs.

5. Create the JumpStart configuration directory:

# mkdir /export/jumpstart<cr>

6. Add the following entry in the /etc/dfs/dfstab file for this directory to share it across the network:

share -F nfs -o ro,anon=0 /export/jumpstart<cr>

CAUTION: Destructive process. This procedure destroys data on the disk. Be sure you have proper backups if you want to save any data on these systems.


7. Start the NFS server as follows if the nfsd daemon is not already running:

# svcadm enable nfs/server<cr>

8. In the /export/jumpstart directory, use the vi editor to create a class file named basic_class with the following entries:

#Specifies that the installation will be treated as an initial
#installation, as opposed to an upgrade.
install_type initial_install
#Specifies that the engineering systems are standalone
#systems.
system_type standalone
#Specifies that the JumpStart software uses default disk
#partitioning for installing Solaris software on the
#engineering systems.
partitioning default
#Specifies that the developer’s software group will be installed
cluster SUNWCprog
#Specifies that each system in the engineering group will have
#2048 Mbytes of swap space.
filesys any 2048 swap

9. In the /export/jumpstart directory, use the vi editor to create a rules file named rules with the following entry:

hostname sun1 - basic_class -

10. Validate the class and rules files with the check and pfinstall commands:

# cd /export/jumpstart<cr>
# /export/install/Solaris_10/Misc/export/jumpstart_sample/check<cr>
# /usr/sbin/install.d/pfinstall -D -c /export/install basic_class<cr>

11. Set up the JumpStart client:

# cd /export/install/Solaris_10/Tools<cr>
# ./add_install_client -s <SERVERNAME>:/export/install \
-c <SERVERNAME>:/export/jumpstart -p <SERVERNAME>:/export/jumpstart \
-e <MAC ADDRESS> <CLIENTNAME> <PLATFORM><cr>

where SERVERNAME is the hostname of your boot/install server, MAC ADDRESS is your client’s Ethernet address, CLIENTNAME is your client’s hostname, and PLATFORM is your client’s architecture (such as sun4u).

For example:

# ./add_install_client -s sparcserver:/export/install \
-c sparcserver:/export/jumpstart -p sparcserver:/export/jumpstart \
-e 8:0:20:21:49:24 sun1 sun4u<cr>


12. Go to the client and turn on the power. At the boot PROM, issue the following command:

ok boot net - install<cr>

The JumpStart installation executes.

Exam Questions

1. Which of the following is a method to automatically install Solaris on a new SPARC system by inserting the Solaris Operating System DVD in the drive and powering on the system?

❍ A. JumpStart

❍ B. WAN boot installation

❍ C. Interactive installation

❍ D. Custom JumpStart

2. Which of the following is a method to automatically install groups of identical systems?

❍ A. Custom JumpStart

❍ B. JumpStart

❍ C. Network Installation

❍ D. Interactive installation

3. Which of the following sets up an install server to provide the operating system to the client during a JumpStart installation?

❍ A. add_install_client

❍ B. add_install_server

❍ C. pfinstall

❍ D. setup_install_server

4. For a JumpStart installation, which of the following files should contain a rule for each group of systems that you want to install?

❍ A. sysidcfg

❍ B. rules.ok

❍ C. profile

❍ D. check


5. For a JumpStart installation, which of the following servers is set up to answer RARP requests from clients?

❍ A. Boot server

❍ B. Install server

❍ C. Configuration server

❍ D. JumpStart server

6. Which of the following is used as an alternative to setting up a configuration directory?

❍ A. Boot server

❍ B. Install server

❍ C. Configuration diskette

❍ D. rules.ok file

7. For a JumpStart installation, which of the following files contains the name of a finish script?

❍ A. check

❍ B. profile

❍ C. rules.ok

❍ D. profile diskette

8. Which of the following is a user-defined Bourne shell script, specified within the rules file?

❍ A. add_install_client script

❍ B. class file

❍ C. check script

❍ D. begin script

9. In JumpStart, which of the following files defines how to install the Solaris software on a system?

❍ A. class file

❍ B. rules

❍ C. rules.ok

❍ D. install.log


10. Which of the following is used to test a JumpStart class file?

❍ A. check

❍ B. pfinstall

❍ C. rules

❍ D. add_install_client

11. When working with JumpStart, which of the following files is not used to provide information about clients?

❍ A. rules

❍ B. sysidcfg

❍ C. check

❍ D. class

12. Which of the following is not a valid entry in the first field in the rules file?

❍ A. karch

❍ B. any

❍ C. hostname

❍ D. ip_address

13. Which of the following files is the JumpStart file that can use any name and still work properly?

❍ A. class

❍ B. rules

❍ C. sysidcfg

❍ D. pfinstall

14. Which of the following scripts updates or creates the rules.ok file?

❍ A. pfinstall

❍ B. check

❍ C. setup_install_server

❍ D. install_type


15. Which of the following supplies the operating system during a JumpStart installation?

❍ A. Setup server

❍ B. Install server

❍ C. Profile server

❍ D. /jumpstart directory

16. Which of the following contains the JumpStart directory and configuration files such as the class file and the rules file?

❍ A. Profile diskette

❍ B. Setup server

❍ C. Install server

❍ D. Configuration server

17. Which of the following commands is issued on the install server to set up remote workstations to install Solaris from the install server?

❍ A. add_install_client

❍ B. add_install_server

❍ C. setup_install_client

❍ D. setup_client

18. Which of the following commands sets up a system as a boot server only?

❍ A. setup_install_server

❍ B. add_install_server -b

❍ C. setup_install_server -b

❍ D. setup_boot_server

19. Which of the following commands is used on a JumpStart client to start the installation?

❍ A. boot net - install

❍ B. boot net

❍ C. boot - jumpstart

❍ D. boot net - jumpstart


20. Which script copies additional packages within a product tree to the local disk on an existing install server?

❍ A. add_install_server -a

❍ B. add_to_install_server

❍ C. setup_install_server

❍ D. _server -a

21. Which of the following class file keywords is valid only for a Solaris Flash Install using JumpStart?

❍ A. archive_location

❍ B. install_type

❍ C. locale

❍ D. system_type

22. Which of the following are required to be able to boot an x86 client using the PXE network boot and install method? (Choose three.)

❍ A. A system with more than 1 GB of physical memory

❍ B. An x86 client with a system BIOS that supports the Intel Preboot Execution Environment specification

❍ C. A configured DHCP server

❍ D. A server running either NIS or NIS+ naming service

❍ E. An install server

23. Which of the following symbols would you configure in a DHCP server to correctly specify the Hostname of the JumpStart Install server so that a PXE network client would be passed the correct configuration information at boot time?

❍ A. SinstIP4

❍ B. SinstNM

❍ C. SrootNM

❍ D. SrootIP4


24. Which option is used to create a differential Flash Archive?

❍ A. -D

❍ B. -A

❍ C. -C

❍ D. -M

Answers to Exam Questions

1. A. JumpStart lets you automatically install the Solaris software on a SPARC-based system just by inserting the Solaris CD and powering on the system. You do not need to specify the boot command at the ok prompt. For more information, see the section “JumpStart.”

2. A. The custom JumpStart method of installing the operating system provides a way to install groups of similar systems automatically and identically. For more information, see the section “JumpStart.”

3. D. The setup_install_server script sets up an install server to provide the operating system to the client during a JumpStart installation. For more information, see the section “The Install Server.”

4. B. The rules.ok file is a file that should contain a rule for each group of systems you want to install. For more information, see the section “The Rules File.”

5. A. The boot server is set up to answer RARP requests from a JumpStart client. For more information, see the section “Setting Up the Boot Server.”

6. C. A configuration disk is used as an alternative to setting up a configuration directory. For more information, see the section “Setting Up a Configuration Diskette.”

7. C. The rules.ok file contains the name of a finish script. For more information, see the section “The Rules File.”

8. D. A begin script is a user-defined Bourne shell script, located in the JumpStart configuration directory on the configuration server, specified within the rules file, that performs tasks before the Solaris software is installed on the system. For more information, see the section “begin and finish Scripts.”

9. A. A class file is a text file that defines how to install the Solaris software on a system. For more information, see the section “Creating Class Files.”

10. B. After you create a class file, you can use the pfinstall command to test it. For more information, see the section “Testing Class Files.”


11. C. The sysidcfg, rules, and class files all provide information about the JumpStart client. The check script is used to validate the rules file. For more information, see the section “JumpStart.”

12. D. any, hostname, and karch are all valid keywords that can be used in the rules file. For more information, see the section “The Rules File.”

13. A. The class file can be named anything, but it should reflect the way in which it installs the Solaris software on a system. For more information, see the section “Creating Class Files.”

14. B. The check script updates or creates the rules.ok file. For more information, see the section “Validating the Rules File.”

15. B. The install server supplies the operating system during a JumpStart installation. For more information, see the section “The Install Server.”

16. D. The configuration server contains all the essential custom JumpStart configuration files, such as the rules file, the rules.ok file, the class file, the check script, and the optional begin and finish scripts. For more information, see the section “Configuration Server.”

17. A. Use the add_install_client command on the install server to set up remote workstations to install Solaris from the install server. For more information, see the section “Setting Up Clients.”

18. C. setup_install_server -b sets up a system as a boot server only. For more information, see the section “Setting Up the Boot Server.”

19. A. boot net - install is used on a JumpStart client to start the installation. For more information, see the section “Starting Up the Clients.”

20. B. The add_to_install_server script copies additional packages within a product tree to the local disk on an existing install server. For more information, see the section “The Install Server.”

21. A. The archive_location option is a valid class file keyword that is used only when installing a Flash Archive using JumpStart. For more information, see the section “Creating Class Files.”

22. B, C, E. The requirements for a PXE network boot are an install server, a configured DHCP server, and an x86 client that supports the Intel Preboot Execution Environment specification. For more information, see the section “Preboot Execution Environment.”

23. B. The DHCP symbol SinstNM specifies the hostname of the JumpStart Install server. For more information, see the section “Configuring the DHCP Server.”

24. B. The -A option is used to create a differential Flash Archive by comparing a new system image to the original Flash Archive image. For more information, see the section “Creating a Flash Archive.”


Suggested Reading and Resources

Solaris 10 Documentation CD. “Solaris 10 Installation Guide: Custom JumpStart and Advanced Installations” manual.

http://docs.sun.com. Solaris 10 documentation set. “Solaris 10 Installation Guide: Custom JumpStart and Advanced Installations” book in the Solaris 10 Release and Installation collection.

Solaris 10 Documentation CD. “Solaris 10 Installation Guide: Solaris Flash Archives (Creation and Installation)” manual.

http://docs.sun.com. Solaris 10 documentation set. “Solaris 10 Installation Guide: Solaris Flash Archives (Creation and Installation)” book in the Solaris 10 Release and Installation collection.

Solaris 10 Documentation CD. “Solaris 10 Installation Guide: Network Based Installations” manual.

http://docs.sun.com. Solaris 10 documentation set. “Solaris 10 Installation Guide: Network Based Installations” book in the Solaris 10 Release and Installation collection.


Chapter 8: Advanced Installation Procedures: WAN Boot and Live Upgrade

Objectives

The following test objectives for exam CX-310-202 are covered in this chapter:

Configure a WAN boot installation and perform a Live Upgrade installation.

. You’ll understand the differences between a WAN boot installation and a custom JumpStart installation.

. You’ll learn the requirements for a WAN boot installation.

. You’ll learn how to configure and perform a secure WAN boot installation across a wide area network.

. You’ll learn how to perform an operating system upgrade while the system is running.


Outline

Introduction to WAN Boot

WAN Boot Requirements

WAN Boot Components

The WAN Boot Process

The WAN Boot Server

Configure the WAN Boot Server

Configure the WAN Boot and JumpStart Files

The wanboot.conf File

Booting the WAN Boot Client

Boot the Client from the Local CD/DVD

Boot the Client Interactively from the OBP

Boot the Client Noninteractively from the OBP

Boot the Client with a DHCP Server

Solaris Live Upgrade

Live Upgrade Requirements

Solaris Live Upgrade Process

Creating a New Boot Environment

Displaying the Status of the New Boot Environment

Upgrading the New Boot Environment

Activating the New Boot Environment

luactivate on the x86/x64 Platform

lucreate on the SPARC Platform

Maintaining Solaris Live Upgrade Boot Environments

Removing Software Packages from a Boot Environment

Adding Software Packages from a Boot Environment

Removing Patches on an OS Installed on a Boot Environment

Adding Patches to an OS Installed on a New Boot Environment

Deleting an Inactive Boot Environment

Changing the Name of a Boot Environment

Changing the Description of a Boot Environment

Viewing the Configuration of a Boot Environment

Summary

Key Terms

Apply Your Knowledge

Exercises

Exam Questions

Answers to Exam Questions

Suggested Reading and Resources


Study Strategies

The following strategies will help you prepare for the test:

. Practice the step-by-step examples provided in this chapter on a Solaris system. Because WAN boot is built on JumpStart, be sure you thoroughly understand how to set up a custom JumpStart installation, as described in Chapter 7, “Advanced Installation Procedures: JumpStart, Flash Archive, and PXE.”

. Understand how to configure a WAN boot server.

. Understand how to initiate a WAN boot installation from the client.

. Be familiar with all the configuration files and scripts that are associated with a WAN boot installation.

. Know the requirements for performing a Solaris Live Upgrade.

. Understand how to perform a Live Upgrade on a system, including a system that has limited disk space.


Introduction to WAN Boot

Objective:

. Configure a WAN boot installation

A WAN boot installation enables a system administrator to boot and install software over a wide area network (WAN) by using HTTP. WAN boot is used to install the Solaris OS on SPARC-based systems over a large public network where the network infrastructure might be untrustworthy. x86/x64-based systems currently cannot be installed using a WAN boot installation. You can use WAN boot with security features to protect data confidentiality and installation image integrity.

Chapter 7 describes how to perform a custom JumpStart installation. A WAN boot installation performs a custom JumpStart installation, but it goes beyond a custom JumpStart installation in that it provides the following advantages:

. JumpStart boot services are not required to be on the same subnet as the installation client.

. WAN boot provides a scalable process for the automated installation of systems anywhere over the Internet or other WANs.

. A WAN boot installation is more secure than a custom JumpStart installation for the following reasons:

  . The WAN boot client and server can authenticate using SHA hash algorithms.

  . The Solaris 10 OS can be downloaded to the WAN boot client using HTTPS.


EXAM ALERT: Understand the advantages of a WAN boot installation over a JumpStart installation.

WAN Boot Requirements

EXAM ALERT: Understand all the requirements of a WAN boot installation.

Before you can perform a WAN boot installation, you need to make sure that your system meets the minimum requirements for a WAN boot. It’s best if the WAN boot client system’s OpenBoot PROM (OBP) supports WAN boot, which requires a minimum of OpenBoot firmware version 4.14. You can check your PROM version as follows:

# prtconf -V<cr>
OBP 4.0.12 2002/01/08 13:01

Or you can check it as follows:

# eeprom | grep network-boot-arguments<cr>

If the variable network-boot-arguments is displayed, or if the preceding command returns the output network-boot-arguments: data not available, the OBP supports a WAN boot installation.

If the client’s OBP does not support WAN boot, you can still perform a WAN boot installation by utilizing WAN boot programs from a local CD/DVD.
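The two checks above can be folded into one decision when you are surveying many clients. The script below is an added example, not code from the book: the function names are hypothetical, the version comparison assumes OpenBoot versions order field by field as numbers (so 4.2 is older than 4.14), and the demo input is the prtconf line printed above with a constructed empty eeprom listing.

```shell
#!/bin/sh
# Added example (not from the book): decide whether a client can WAN boot
# from its OBP or needs the wanboot program from the local CD/DVD.
MIN_OBP=4.14    # minimum OpenBoot firmware version stated in the text

# obp_version "PRTCONF_OUTPUT": print the dotted version from `prtconf -V`.
obp_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OBP[[:space:]]\{1,\}\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge A B: succeed when dotted version A >= B. Fields are compared
# as numbers, because a plain string comparison would rank 4.2 above 4.14.
version_ge() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa=${va%%.*}; fb=${vb%%.*}              # leading field of each side
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
        fa=${fa:-0}; fb=${fb:-0}                # a missing field counts as 0
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# wanboot_support "PRTCONF_OUTPUT" "EEPROM_OUTPUT": print "obp" when either
# check from the text passes, otherwise "media" (boot wanboot from CD/DVD).
wanboot_support() {
    # Any line starting with the variable name counts, including
    # "network-boot-arguments: data not available".
    if printf '%s\n' "$2" | grep '^network-boot-arguments' >/dev/null; then
        echo obp
        return 0
    fi
    ver=$(obp_version "$1")
    if [ -n "$ver" ] && version_ge "$ver" "$MIN_OBP"; then
        echo obp
    else
        echo media
    fi
}

# Demo with the prtconf line from the text and a constructed eeprom listing
# that lacks the variable.
wanboot_support "OBP 4.0.12 2002/01/08 13:01" ""
```

On a live client the call would be wanboot_support "$(prtconf -V)" "$(eeprom)".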

The WAN boot client must have

. A minimum of 512MB of RAM

. An UltraSPARC II processor or newer

. At least 2GB of hard drive space

For clients with OpenBoot firmware that does not support WAN boot, perform the WAN boot installation from the Solaris Software CD1 or DVD. This option works in all cases when the current OBP does not provide WAN boot support.

WAN boot requires a web server configured to respond to WAN boot client requests. If you want to use HTTPS in your WAN boot installation, the web server software must support SSL. In addition, Flash Archives must be available to the web server. Traditional JumpStart images, such as a spooled image of the CD/DVD that performed a pkgadd-style install, do not work with WAN boot. Flash Archives are the only format supported.

In addition, the WAN boot server must meet these requirements:

. Must be a SPARC or x86-based system running Solaris 9 release 12/03 or higher.

. Must be configured as a web server and must support HTTP 1.1 minimum. If you want to use HTTPS in your WAN boot installation, the web server software must support SSL version 3.

. Must have enough disk space to hold the Flash Archive.

. Must have a local CD or DVD.

. Must be running Solaris 9 release 12/03 or higher.

. Must be configured as a web server, and must support HTTP 1.1 minimum.


WAN Boot Components

To perform a WAN boot installation, you must first configure the WAN boot server. This involves configuring the web server, an optional DHCP server, and a JumpStart server. Configuring the WAN boot server is described later in this chapter.

Before describing the WAN boot process, it’s necessary to define some of the WAN boot files and components that you’ll see used throughout this chapter:

. wanboot program: A second-level boot program that is used to load the miniroot, installation, and configuration files onto the WAN boot client. The wanboot program performs tasks similar to those that are performed by the ufsboot and inetboot second-level boot programs.

. wanboot-cgi: A Common Gateway Interface (CGI) program on the web server that services all client requests. It parses the WAN boot server files and client configuration files into a format that the WAN boot client expects.

. bootlog-cgi: A CGI program on the web server that creates a log of all client activity in the /tmp/bootlog.client file.

. wanboot.conf: A text file in which you specify the configuration information and security settings that are required to perform a WAN boot installation.

. WAN boot file system: Files used to configure and retrieve data for the WAN boot client installation are stored on the web server in /etc/netboot. The information in this directory is transferred to the client via the wanboot-cgi program as a file system, referred to as the WAN boot file system.

. WAN boot miniroot: A version of the Solaris miniroot that has been modified to perform a WAN boot installation. The WAN boot miniroot, like the Solaris miniroot, contains a kernel and just enough software to install the Solaris environment. The WAN boot miniroot contains a subset of the software found in the Solaris miniroot.

. JumpStart and JumpStart configuration files: These terms are described fully in Chapter 7.

. Install server: Provides the Solaris Flash Archive and custom JumpStart files that are required to install the client.

. WAN boot server: A web server that provides the wanboot program, the configuration and security files, and the WAN boot miniroot. The WAN boot server is described later in this chapter.

NOTE: Solaris 10 version. This chapter was written using Solaris 10 05/08. If you are installing a more recent version of Solaris 10, be sure to read the Solaris 10 release notes that accompany that release. Review any new installation issues or requirements associated with a Solaris Live Upgrade before beginning the upgrade.

EXAM ALERT: Understand all the WAN boot components. Pay special attention to the wanboot-cgi program.
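wanboot.conf, defined in the component list above, is where the hashing, encryption, and authentication features of WAN boot are switched on or off, so it is the file to review before exposing a WAN boot server to an untrusted network. The script below is an added example, not code from the book or from Sun: the function names are hypothetical, the dependency rules between keys are an assumption based on wanboot.conf(4), and both sample files are constructed (the first uses the values of this chapter's unsecure configuration, the second uses the made-up host wanserver.example.com).

```shell
#!/bin/sh
# Added example (not from the book): audit the security keys of a wanboot.conf.
# Dependency rules between keys are an assumption based on wanboot.conf(4).

# conf_value FILE KEY: print the value assigned to KEY (last assignment wins).
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '\r' |
        sed 's/[[:space:]]*$//'
}

# audit_wanboot_conf FILE: print one finding per line.
#   WEAK  = a protection is switched off
#   ERROR = a value or combination the dependency rules do not allow
# Returns 0 with no findings, 1 with findings, 2 if FILE cannot be read.
audit_wanboot_conf() {
    wb_conf=$1
    if [ ! -r "$wb_conf" ]; then
        echo "ERROR file: cannot read $wb_conf"
        return 2
    fi
    wb_sig=$(conf_value "$wb_conf" signature_type)
    wb_enc=$(conf_value "$wb_conf" encryption_type)
    wb_sauth=$(conf_value "$wb_conf" server_authentication)
    wb_cauth=$(conf_value "$wb_conf" client_authentication)
    wb_root=$(conf_value "$wb_conf" root_server)
    wb_logger=$(conf_value "$wb_conf" boot_logger)
    wb_rc=0

    case $wb_sig in
        sha1) ;;
        '') echo "WEAK signature_type: empty, data sent to the client is not checked with a hashing key"; wb_rc=1 ;;
        *)  echo "ERROR signature_type: '$wb_sig' is not sha1 or empty"; wb_rc=1 ;;
    esac
    case $wb_enc in
        3des|aes)
            if [ "$wb_sig" != sha1 ]; then
                echo "ERROR encryption_type: set without signature_type=sha1"; wb_rc=1
            fi ;;
        '') echo "WEAK encryption_type: empty, data sent to the client is not encrypted"; wb_rc=1 ;;
        *)  echo "ERROR encryption_type: '$wb_enc' is not 3des, aes or empty"; wb_rc=1 ;;
    esac
    case $wb_root in
        https://*) wb_https=yes ;;
        *) wb_https=no
           echo "WEAK root_server: not an https URL, boot data travels over plain HTTP"; wb_rc=1 ;;
    esac
    if [ "$wb_sauth" = yes ]; then
        if [ "$wb_sig" != sha1 ] || [ -z "$wb_enc" ] || [ "$wb_https" = no ]; then
            echo "ERROR server_authentication: yes needs signature_type=sha1, an encryption_type and an https root_server"; wb_rc=1
        fi
    else
        echo "WEAK server_authentication: the client does not verify the server"; wb_rc=1
    fi
    if [ "$wb_cauth" = yes ]; then
        if [ "$wb_sauth" != yes ]; then
            echo "ERROR client_authentication: yes needs server_authentication=yes"; wb_rc=1
        fi
    else
        echo "WEAK client_authentication: the server does not verify the client"; wb_rc=1
    fi
    case $wb_logger in
        http://*) echo "WEAK boot_logger: client boot log is sent over plain HTTP"; wb_rc=1 ;;
    esac
    return $wb_rc
}

# Constructed sample 1: the values of this chapter's unsecure wanboot.conf.
write_book_sample() {
    cat > "$1" <<'EOF'
boot_file=/wanboot/wanboot.s10_sparc
root_server=http://192.168.1.109/cgi-bin/wanboot-cgi
root_file=/wanboot/miniroot
signature_type=
encryption_type=
server_authentication=no
client_authentication=no
resolve_hosts=
boot_logger=http://192.168.1.109/cgi-bin/bootlog-cgi
system_conf=system.conf
EOF
}

# Constructed sample 2: the same file with every protection enabled.
write_hardened_sample() {
    cat > "$1" <<'EOF'
boot_file=/wanboot/wanboot.s10_sparc
root_server=https://wanserver.example.com/cgi-bin/wanboot-cgi
root_file=/wanboot/miniroot
signature_type=sha1
encryption_type=aes
server_authentication=yes
client_authentication=yes
resolve_hosts=
boot_logger=https://wanserver.example.com/cgi-bin/bootlog-cgi
system_conf=system.conf
EOF
}

wb_tmp=$(mktemp)
write_book_sample "$wb_tmp"
echo "== unsecure sample =="
audit_wanboot_conf "$wb_tmp" || true
write_hardened_sample "$wb_tmp"
echo "== hardened sample =="
audit_wanboot_conf "$wb_tmp" && echo "no findings"
rm -f "$wb_tmp"
```

On a WAN boot server, run audit_wanboot_conf against each wanboot.conf under /etc/netboot.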

The WAN Boot Process

When the WAN boot client is booted, OpenBoot uses configuration information to communicate with the wanboot-cgi program on the WAN boot server and request a download of the wanboot program from the server. Alternatively, the client can request the wanboot program from the local CD/DVD.

After the download, the client executes the wanboot program. The wanboot program performs the following functions on the client:

. wanboot requests a download of authentication and configuration information from the WAN boot server. The information gets transmitted to the client by the server’s wanboot-cgi program using HTTP or HTTPS.

. wanboot requests a download of the miniroot from the WAN boot server, and the information is transmitted using either HTTP or HTTPS.

. wanboot loads the UNIX kernel into RAM and executes the kernel.

The kernel loads and mounts the WAN boot file system and begins the installation program.

The installation program requests a download of the Flash Archive and custom JumpStart files from the install server and installs the Solaris Flash Archive. The archive and files are transmitted using either HTTP or HTTPS.

The installation program begins a custom JumpStart installation to install the Solaris Flash Archive on the client.

The WAN Boot Server

The WAN boot server provides the boot and configuration data during the WAN boot installation. The WAN boot server can be a single server, or the functions can be spread across several servers.

. Single server: Centralize the WAN boot data and files on one system by hosting all the servers on the same machine. You can administer all your different servers on one system, and you need to configure only one system as a web server.

. Multiple servers: If you want to distribute the installation data and files across your network, you can host these servers on multiple machines. You could set up a central WAN boot server and configure one or more install servers to host the Solaris Flash Archives.

For the examples in this book, I’ll use the single-server method.

You will configure three components on the WAN boot server:

. The web server

. The optional DHCP server

. The JumpStart server

Before beginning the WAN boot setup, I recommend that you gather all the information you will need, as provided in the following lists:

WAN boot server information:

. Path to the WAN boot miniroot

. Path to the custom JumpStart files

. Path to the wanboot program

. URL of the wanboot-cgi program

. Path to the client’s subdirectory in the /etc/netboot hierarchy

WAN boot client information:

. IP address for the client’s router

. The client’s IP address

. The client’s subnet mask

. The client’s hostname

. The client’s MAC address

Configure the WAN Boot Server

The first step of setting up the WAN boot server is to configure it as a web server, as described in Step By Step 8.1. In this example, you configure the Apache version 2 web server for an unsecure WAN boot installation.

STEP BY STEP

8.1 Configuring the Apache Web Server

1. Move the unused index files from the Apache document root directory:

# cd /var/apache2/htdocs<cr>
# cp index.html.en index.html<cr>
# mkdir INDEX<cr>
# mv index.html.* INDEX<cr>

2. Update the primary Apache configuration file with the WAN boot server’s IP address:

# cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf<cr>
# vi /etc/apache2/httpd.conf<cr>

Edit the following line:

ServerName 127.0.0.1

Replace the IP address with the hostname of the WAN boot server. My server is named “sunfire,” so I’ll change the line to the following:

ServerName sunfire

Save and exit the file.

3. Start the Apache web server:

# svcadm enable apache2<cr>

4. Verify that the web server is running on port 80 by issuing the following command:

# netstat -an|grep 80<cr>
*.32780 *.* 0 0 49152 0 LISTEN
*.80 *.* 0 0 49152 0 LISTEN
*.80 *.* 0 0 49152 0 LISTEN

Configure the WAN Boot and JumpStart Files

After configuring the web server, you are ready to set up the files necessary to perform a WAN boot. These files must be made accessible to the web server by storing them in the WAN boot server’s document root directory, which in our example will be the /var/apache2/htdocs directory. Step By Step 8.2 describes the process of setting up these files.

STEP BY STEP

8.2 Configuring the WAN Boot and JumpStart Files for an Unsecure WAN Boot Installation

1. Place the Solaris 10 DVD into the DVD drive. If you are using a CD, place CD #1 into the CD-ROM drive.

2. Create the directories needed for the WAN boot configuration in the /var/apache2/htdocs directory:

# cd /var/apache2/htdocs<cr>

a. Create the wanboot directory. This directory will contain the WAN boot miniroot image needed to start the JumpStart process over HTTP.

# mkdir wanboot<cr>

b. Create the install directory. This directory will contain the remote root file system.

# mkdir install<cr>

c. Create the miniroot directory. This directory will contain the ramdisk image used to start the client boot process.

# mkdir miniroot<cr>

d. Create the config directory. This directory will contain the WAN boot JumpStart configuration files.

# mkdir config<cr>

3. Create the /var/apache2/htdocs/flash directory, and place your Flash Archive file in it.

4. Set up the WAN boot install server using the setup_install_server command. Because I will be using a Flash Archive for the installation, it is not necessary to spool the entire contents of the DVD/CD onto the server.

Use the -b option to install the boot image only into the /var/apache2/htdocs/install directory and the -w option to copy the WAN boot miniroot image into the /var/apache2/htdocs/wanboot directory:

# cd /cdrom/sol_10_508_sparc/s0/Solaris_10/Tools<cr>
# ./setup_install_server -b -w /var/apache2/htdocs/wanboot/ /var/apache2/htdocs/install<cr>

The system responds with the following:

Verifying target directory...
Calculating space required for the installation boot image
Copying Solaris_10 Tools hierarchy...
Copying Install Boot Image hierarchy...
Starting WAN boot Image build
Calculating space required for WAN boot Image
Copying WAN boot Image hierarchy...
686800 blocks
Removing unneeded packages from WAN boot Image hierarchy
Creating the WAN boot Image file
Image size is 288128000 bytes
Copying WAN boot to Image file...
567008 blocks
WAN boot Image creation complete

The WAN boot Image file has been placed in
/var/apache2/htdocs/wanboot/miniroot

Ensure that you move this file to a location
accessible to the web server, and that the
WAN boot configuration file wanboot.conf(4)
for each WAN boot client contains the entries:

root_server=<URL>
where <URL> is an HTTP or HTTPS URL
scheme pointing to the location of the
WAN boot CGI program

root_file=<miniroot>
where <miniroot> is the path and filename, relative to the web server
document directory, of ‘miniroot’

You should also make sure you have initialized
the key generation process by issuing (once):

# /usr/sbin/wanbootutil keygen -m

Install Server setup complete

5. Copy the architecture-specific wanboot program from the CD/DVD to the wanboot directory on the WAN server:

# cd /cdrom/cdrom0/s0/Solaris_10/Tools/Boot/platform/sun4u/<cr>
# cp wanboot /var/apache2/htdocs/wanboot/wanboot.s10_sparc<cr>

6. Copy the CGI scripts into the web server software directory, and set the file permissions:

# cp /usr/lib/inet/wanboot/wanboot-cgi /var/apache2/cgi-bin/wanboot-cgi<cr>

# chmod 755 /var/apache2/cgi-bin/wanboot-cgi<cr>
# cp /usr/lib/inet/wanboot/bootlog-cgi /var/apache2/cgi-bin/bootlog-cgi<cr>


# chmod 755 /var/apache2/cgi-bin/bootlog-cgi<cr>

7. Create the /etc/netboot hierarchy. The WAN boot installation programs will retrieve configuration and security information from this directory during the installation. Create the /etc/netboot directory, and set the permissions:

# mkdir /etc/netboot<cr>
# chmod 700 /etc/netboot<cr>
# chown webservd:webservd /etc/netboot<cr>

8. Configure the install server WAN boot parameters in the /etc/netboot/wanboot.conf file. Open the file using the vi editor:

# vi /etc/netboot/wanboot.conf<cr>

Make the following entries, and save the file:

boot_file=/wanboot/wanboot.s10_sparc
root_server=http://192.168.1.109/cgi-bin/wanboot-cgi
root_file=/wanboot/miniroot
signature_type=
encryption_type=
server_authentication=no
client_authentication=no
resolve_hosts=
boot_logger=http://192.168.1.109/cgi-bin/bootlog-cgi
system_conf=system.conf

In the sample wanboot.conf file, my web server’s IP address is 192.168.1.109. Substitute your web server’s IP address for the root_server and boot_logger entries.

Also in the example, the boot_logger is set to log all messages to the WAN boot server in the /tmp directory. If you leave this line blank, all log messages will be displayed on the WAN boot client’s console.

The wanboot.conf file parameters and syntax are described in the next section.

9. Configure the client configuration file pointer parameters in the /etc/netboot/system.conf file. Open the file using the vi editor:

# vi /etc/netboot/system.conf<cr>

Make the following entries, and save the file:

SsysidCF=http://192.168.1.109/config
SjumpsCF=http://192.168.1.109/config

In the sample system.conf file, my web server’s IP address is 192.168.1.109. Substitute your web server’s IP address in both lines.


10. Change to the /var/apache2/htdocs/config directory, and configure the client installation parameters by creating a profile. Configuring the profile for a JumpStart installation is covered in detail in Chapter 7. Refer to that chapter for instructions. You will configure the profile for a WAN boot client the same as you would for a JumpStart installation. You could also use a template supplied on the CD/DVD in the /cdrom/cdrom0/s0/Solaris_10/Misc/jumpstart_sample directory. For this example, I made the following entries in the profile, and I named the file profile:

# cd /var/apache2/htdocs/config<cr>
# more /var/apache2/htdocs/config/profile<cr>
install_type flash_install
archive_location http://192.168.1.109/flash/archive.flar
partitioning explicit
filesys c0t0d0s0 free /
filesys c0t0d0s1 512 swap

I placed the Flash Archive in the /var/apache2/htdocs/flash directory and named the file archive.flar.

11. In the /var/apache2/htdocs/config directory, create the sysidcfg file. Configuring the sysidcfg file for a JumpStart installation is covered in detail in Chapter 7. Refer to that chapter for instructions. You will configure the sysidcfg file for a WAN boot client the same as you would for a JumpStart installation. For this example, I made the following entries in the sysidcfg file, and I named the file sysidcfg:

# more /var/apache2/htdocs/config/sysidcfg<cr>
timeserver=localhost
system_locale=C
network_interface=eri0 { default_route=none netmask=255.255.255.0
protocol_ipv6=no }
timezone=US/Central
nfs4_domain=dynamic
terminal=vt100
name_service=NONE
security_policy=NONE
root_password=dT/6kwp5bQJIo

NOTE

File ownership: Set the file ownership on the following files so that they are owned by the web server:

# chown webservd:webservd /var/apache2/cgi-bin/wanboot-cgi \
/etc/netboot/wanboot.conf /etc/netboot/system.conf<cr>

Your system may be different, so be sure to verify the web server ownership. You can check by running the following command:

# ps -ef |grep httpd<cr>
webservd 5298 5297 0 Sep 18 ? 0:00 /usr/apache2/bin/httpd -k start


In the sample sysidcfg file, the eri0 network interface and encrypted root password are unique for the system. Substitute the values used in this example with the network device and root password (cut and pasted from your system’s /etc/shadow file) that are specific to your system.

12. Copy the sample rules file from the CD/DVD:

# cd /var/apache2/htdocs/config<cr>
# cp /cdrom/sol_10_508_sparc/s0/Solaris_10/Misc/jumpstart_sample/rules .<cr>

Configuring the rules file for a JumpStart installation is covered in detail in Chapter 7. Refer to that chapter for instructions. You will configure the rules file for a WAN boot client the same as you would for a JumpStart installation. For this example, I made the following entry in the rules file:

# more rules<cr>
any - - profile -

After creating the rules file, check it using the check script, as described in Chapter 7:

# ./check<cr>
Validating rules...
Validating profile profile...
The custom JumpStart configuration is ok.

If the check script is not in the /var/apache2/htdocs/config directory, copy it there from the CD/DVD:

# cp /cdrom/sol_10_508_sparc/s0/Solaris_10/Misc/jumpstart_sample/\
check /var/apache2/htdocs/config<cr>

13. Verify the configuration of the WAN boot server:

# bootconfchk /etc/netboot/wanboot.conf<cr>
#

No output appears if the server has been configured successfully.

The wanboot.conf File


EXAM ALERT

Understand the purpose of the wanboot.conf file and the configuration information it contains.

The wanboot.conf file is a plain-text configuration file that is stored in the client’s subdirectory located in the /etc/netboot directory. It is the repository for WAN boot configuration data (file paths, encryption type, signing policies). The following WAN boot installation programs and files use it to perform the WAN boot installation:


. wanboot-cgi program

. WAN boot file system

. WAN boot miniroot

Each line in the wanboot.conf file has the following syntax:

<parameter>=<value>

Parameter entries cannot span lines. You can include comments in the file by preceding the comments with the # character.

Table 8.1 describes each wanboot.conf parameter.

Table 8.1 wanboot.conf File Parameters

Parameter: boot_file=<wanboot-path>
Description: Specifies the path to the wanboot program. The value specifies the path to the document root directory on the WAN boot server. For example:
boot_file=/wanboot/wanboot.s10_sparc

Parameter: root_server=<wanboot/CGI-URL>/wanboot-cgi
Description: Specifies the URL of the wanboot-cgi program on the WAN boot server. The following is a sample setting used for an unsecure WAN boot installation:
root_server=http://www.example.com/cgi-bin/wanboot-cgi
The following example is for a secure installation:
root_server=https://www.example.com/cgi-bin/wanboot-cgi

Parameter: root_file=<miniroot-path>
Description: Specifies the path to the WAN boot miniroot on the WAN boot server. The value is a path relative to the document root directory on the WAN boot server. For example:
root_file=/miniroot/miniroot.s10

Parameter: signature_type=sha1 | <empty>
Description: Specifies the type of hashing key used to check the integrity of the data and files that are transmitted during a WAN boot installation. For secure WAN boot installations that use a hashing key to protect the wanboot program, set this value to sha1. For example:
signature_type=sha1
For an insecure WAN boot installation that does not use a hashing key, leave this value blank:
signature_type=

Parameter: encryption_type=3des | aes | <empty>
Description: Specifies the type of encryption used to encrypt the wanboot program and WAN boot file system. For WAN boot installations that use HTTPS, set this value to 3des or aes to match the key formats you use. For example:
encryption_type=3des
When setting the encryption type to 3des or aes, you must also set the signature_type keyword value to sha1. For an unsecure WAN boot installation that does not use an encryption key, you may leave this value blank:
encryption_type=

Parameter: server_authentication=yes | no
Description: Specifies if the server is authenticated during the WAN boot installation. When using server authentication, or server and client authentication, set this value to yes:
server_authentication=yes
When the value is set to yes, you must also set the value of signature_type to sha1, set encryption_type to 3des or aes, and set the URL of root_server to an HTTPS value. For an unsecure WAN boot installation that does not use authentication, set this value to no. You can also leave the value blank:
server_authentication=

Parameter: client_authentication=yes | no
Description: Specifies if the client should be authenticated during a WAN boot installation. When using server and client authentication, set this value to yes:
client_authentication=yes
When the value is set to yes, you must also set the value of signature_type to sha1, set encryption_type to 3des or aes, and set the URL of root_server to an HTTPS value. For an unsecure WAN boot installation that does not use authentication, set this value to no. You can also leave the value blank:
client_authentication=

Parameter: resolve_hosts=<hostname> | <empty>
Description: Specifies additional hosts that need to be resolved for the wanboot-cgi program during the installation. Set the value to the hostnames of systems that have not already been specified in the wanboot.conf file or in a client certificate. If all the required hosts are listed in the wanboot.conf file or the client certificate, leave this value blank:
resolve_hosts=
When specifying hostnames, use this syntax:
resolve_hosts=sysA,sysB

Parameter: boot_logger=<bootlog-cgi-path> | <empty>
Description: Specifies the URL to the bootlog-cgi script on the logging server. To send WAN boot log messages to a dedicated log server, use the following syntax:
boot_logger=http://www.example.com/cgi-bin/bootlog-cgi
To display WAN boot and installation messages on the client console, leave the value of this parameter blank:
boot_logger=

Parameter: system_conf=system.conf | <custom-system-conf>
Description: Specifies the path to the system configuration file. The value of this parameter is the path to the sysidcfg and custom JumpStart files on the web server. For example:
system_conf=sys.conf
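The dependency rules in Table 8.1 can be checked mechanically before a file is deployed. The following audit script is an added example, not part of the book or of Sun's tooling (bootconfchk remains the supplied checker); the function names and the MISCONFIGURED and HARDENED samples are constructed, while PAGE_SAMPLE is the file from step 8 above.

```python
from urllib.parse import urlparse

# Values Table 8.1 allows for the keyword-style parameters. Paths, URLs and
# host lists are free-form and are not validated here.
ENUMS = {
    "signature_type": ("", "sha1"),
    "encryption_type": ("", "3des", "aes"),
    "server_authentication": ("", "yes", "no"),
    "client_authentication": ("", "yes", "no"),
}
# Assumption: Table 8.1 lists every parameter, so other names are flagged.
KNOWN = set(ENUMS) | {"boot_file", "root_server", "root_file",
                      "resolve_hosts", "boot_logger", "system_conf"}

# The wanboot.conf from step 8 of the procedure (unsecured installation).
PAGE_SAMPLE = """\
boot_file=/wanboot/wanboot.s10_sparc
root_server=http://192.168.1.109/cgi-bin/wanboot-cgi
root_file=/wanboot/miniroot
signature_type=
encryption_type=
server_authentication=no
client_authentication=no
resolve_hosts=
boot_logger=http://192.168.1.109/cgi-bin/bootlog-cgi
system_conf=system.conf
"""

# Constructed sample: authentication and encryption switched on without
# the settings Table 8.1 says must accompany them, plus a malformed line.
MISCONFIGURED = """\
# constructed sample
root_server=http://192.168.1.109/cgi-bin/wanboot-cgi
signature_type=
encryption_type=3des
server_authentication=yes
boot_logger
"""

# Constructed sample: a consistent secure configuration.
HARDENED = """\
root_server=https://www.example.com/cgi-bin/wanboot-cgi
signature_type=sha1
encryption_type=3des
server_authentication=yes
client_authentication=yes
"""


def parse(text):
    """Parse wanboot.conf text into (params, errors)."""
    params, errors = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        name, sep, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if not sep:
            errors.append("line %d: expected <parameter>=<value>" % n)
        elif name not in KNOWN:
            errors.append("line %d: unknown parameter %s" % (n, name))
        elif name in ENUMS and value not in ENUMS[name]:
            errors.append("line %d: bad value for %s: %s" % (n, name, value))
        else:
            params[name] = value
    return params, errors


def audit(text):
    """Return (errors, warnings): rule violations and disabled protections."""
    params, errors = parse(text)
    sig = params.get("signature_type", "")
    enc = params.get("encryption_type", "")
    https = urlparse(params.get("root_server", "")).scheme == "https"

    # Cross-parameter rules stated in Table 8.1.
    if enc and sig != "sha1":
        errors.append("encryption_type=%s requires signature_type=sha1" % enc)
    for auth in ("server_authentication", "client_authentication"):
        if params.get(auth, "") != "yes":
            continue
        if sig != "sha1":
            errors.append("%s=yes requires signature_type=sha1" % auth)
        if not enc:
            errors.append("%s=yes requires encryption_type=3des or aes" % auth)
        if not https:
            errors.append("%s=yes requires an HTTPS root_server" % auth)

    # Protections that a valid but unsecured file leaves switched off.
    warnings = []
    if not sig:
        warnings.append("signature_type empty: no integrity check on transfers")
    if not enc:
        warnings.append("encryption_type empty: wanboot data sent unencrypted")
    if params.get("server_authentication", "") != "yes":
        warnings.append("server_authentication off: client cannot verify server")
    if not https:
        warnings.append("root_server is not an HTTPS URL")
    return errors, warnings


if __name__ == "__main__":
    for label, conf in (("page", PAGE_SAMPLE), ("bad", MISCONFIGURED),
                        ("hardened", HARDENED)):
        print(label, audit(conf))
```

The step 8 file passes the consistency rules but reports every protection as disabled, which is the expected result for the unsecured installation the procedure describes.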


Booting the WAN Boot Client

EXAM ALERT

Understand the OBP commands used to initiate the four types of WAN boot installation methods described in this section.

You have four options when booting and installing the WAN boot client:

. Installing with local CD/DVD media: If your client’s OBP does not support a WAN boot, this method allows you to boot the client from a local CD/DVD and then continue the installation via the WAN boot server.

. Interactive installation: Use this method if you want to be prompted for the client configuration information during the boot process, before the OS is installed.

. Noninteractive installation: Hands-off installation. All the client information is configured on the WAN boot server so that no questions are asked during the installation process.

. Installing with a DHCP server: Configure the network DHCP server to provide the client configuration information during the installation.

The following sections describe how to boot a client using the various methods.

Boot the Client from the Local CD/DVD

Some older SPARC stations have OpenBoot PROM versions that do not support a WAN boot. It’s still possible to use WAN boot to install the OS on these systems, but you need to perform the WAN boot from CD/DVD rather than directly from the OpenBoot PROM. When you use a local CD/DVD, the client retrieves the wanboot program from the local media, rather than from the WAN boot server. The instructions to boot from a CD/DVD are described in Step By Step 8.3. They can be performed on any SPARC-based client.

STEP BY STEP

8.3 Booting a SPARC System from a Local CD/DVD

1. Power on the system, and insert the Solaris software DVD or the Solaris Software #1 CD in the CD-ROM/DVD drive. From the OpenBoot ok prompt, type

ok boot cdrom -o prompt -F wanboot - install<cr>


The following options are used with the boot command:

. cdrom: Instructs the OBP to boot from the local CD-ROM.

. -o prompt: Instructs the wanboot program to prompt the user to enter client configuration information.

. -F wanboot: Instructs the OBP to load the wanboot program from the CD-ROM.

. - install: Instructs the client to perform a WAN boot installation.

After you enter the boot command, the system responds with the following:

Boot device: /pci@1f,0/pci@1,1/ide@d/cdrom@0,0:f File and args:\
-o prompt -F wanboot - install
<time unavailable> wanboot info: WAN boot messages->console
<time unavailable> wanboot info: Default net-config-strategy: manual

The boot prompt appears:

boot>

2. At the boot> prompt, issue the prompt command:

boot> prompt<cr>

3. The system prompts you for the client’s network interface settings and encryption keys to be entered. Each prompt is described next:

Enter the client’s IP address:

host-ip? 192.168.1.102<cr>

Enter the client’s subnet mask value:

subnet-mask? 255.255.255.0<cr>

Enter the IP address of the network router:

router-ip? 192.168.1.1<cr>

Enter the client’s hostname:

hostname? client1<cr>

You may leave the remaining prompts blank by just pressing Enter. They are not needed for an unsecure installation.

http-proxy?<cr>
client-id?<cr>
aes?<cr>
3des?<cr>
sha1?<cr>


Enter the information for the WAN boot server (use the IP address of the WAN boot server):

bootserver? http://192.168.1.109/cgi-bin/wanboot-cgi<cr>

The system responds with the following error, which you can ignore:

Unknown variable ‘/192.168.1.109/cgi-bin/wanboot-cgi’; ignored
boot>

4. At the boot> prompt, use the list command to display and verify the settings:

boot> list<cr>

The system responds with a summary of the information you entered:

host-ip: 192.168.1.102
subnet-mask: 255.255.255.0
router-ip: 192.168.1.1
hostname: client1
http-proxy: UNSET
client-id: UNSET
aes: *HIDDEN*
3des: *HIDDEN*
sha1: *HIDDEN*
bootserver: http://192.168.1.109/cgi-bin/wanboot-cgi

5. Initiate the WAN boot installation with the go command:

boot> go<cr>

The system begins to boot from the WAN boot server, and the following information is displayed:

<time unavailable> wanboot progress: wanbootfs: Read 72 of 368 kB (19%)
<time unavailable> wanboot progress: wanbootfs: Read 152 of 368 kB (41%)
<time unavailable> wanboot progress: wanbootfs: Read 368 of 368 kB (100%)
<time unavailable> wanboot info: wanbootfs: Download complete

After downloading the WAN boot miniroot, the system reboots:

Mon Sep 22 18:35:10 wanboot info: WAN boot messages->192.168.1.109:80

SunOS Release 5.10 Version Generic_127127-11 64-bit
Copyright 1983-2008 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Configuring devices.
Network interface was configured manually.
192.168.1.102
Beginning system identification...
syslogd: line 24: WARNING: loghost could not be resolved
Searching for configuration file(s)...
Sep 22 11:28:01 client eri: SUNW,eri0 : 100 Mbps full duplex link up
Using sysid configuration file http://192.168.1.109/config/sysidcfg
Search complete.
Discovering additional network configuration...
Completing system identification...
Starting remote procedure call (RPC) services: done.

At this point, the Solaris installation program begins the boot process and installation over the WAN. The client is configured according to the configuration files on the WAN boot server, and the Flash Archive is extracted and installed. If the WAN boot programs do not find all the necessary installation information, the wanboot program prompts you to provide the missing information.

Boot the Client Interactively from the OBP

Use the interactive installation method, as described in Step By Step 8.4, if you want to install keys and set client configuration information from the command line during the installation. Your OBP must support WAN boot to perform this type of installation.

STEP BY STEP

8.4 Booting the Client Interactively from the OBP

At the ok prompt on the client system, begin by setting the network-boot-arguments variable in OBP.

1. At the ok prompt on the client system, set the network-boot-arguments variable in OBP:

ok setenv network-boot-arguments host-ip=<client-IP>,\
router-ip=<router-ip>,subnet-mask=<value>,hostname=<client-name>,\
http-proxy=<proxy-ip:port>,bootserver=<wanbootCGI-URL><cr>

The network-boot-arguments variable instructs the OBP to set the following boot arguments:

. host-ip=<client>: Specifies the client’s IP address.

. router-ip=<router-ip>: Specifies the network router’s IP address.

. subnet-mask=<value>: Specifies the subnet mask value.

. hostname=<client-name>: Specifies the client’s hostname.

. http-proxy=<proxy-ip:port>: An optional variable used to specify the IP address and port of the network’s proxy server.

. bootserver=<wanbootCGI-URL>: Specifies the URL of the web server’s wanboot-cgi program. The URL value for the bootserver variable must not be an HTTPS URL. The URL must start with http://.

2. Boot the client from the network using the network boot argument variables:

ok boot net -o prompt - install<cr>
Resetting . . . .


net -o prompt - install instructs the client to boot from the network. It also instructs the wanboot program to prompt the user to set the key values for the client system at the boot> prompt. If you are performing an insecure installation that does not use keys, go directly to step 3. For a secure WAN boot installation using HTTPS, the information entered at the boot> prompt is as follows:

boot> 3des=<key-value><cr>

where 3des=<key-value> specifies the hexadecimal string of the 3DES key.

If you use an AES encryption key, use the following format for this command:

boot> aes=<key-value><cr>

At the next boot> prompt, type the hashing key value:

boot> sha1=<key-value><cr>

where sha1=<key-value> specifies the hashing key value.

Obtain the client’s SHA1 key value on the WAN boot server by using the wanbootutil command. The wanbootutil keygen command is used to create and display client and server HMAC, SHA1, 3DES, and AES keys by typing the following:

# wanbootutil keygen -d -c -o net=<network-IP>,cid=<client-ID>,type=sha1<cr>

where:

. -d: Generates and stores per-client 3DES/AES encryption keys, avoiding any DES weak keys.

. -c: Displays a key of the type specified by the key type, which must be either 3des, aes, or sha1.

. -o: Specifies the WAN boot client and/or key type.

. net=<network-IP>: The IP address of the client’s subnet.

. cid=<client-ID>: The ID of the client you want to install. The client ID can be a user-defined ID or the DHCP client ID.

. type=<key-type>: The key type that you want to install on the client. Valid key types are 3des, aes, and sha1.

The hexadecimal value for the key is displayed:

b482aaab82cb8d5631e16d51478c90079cc1d463

Obtain the client’s 3DES key value on the WAN boot server by typing the following:

# wanbootutil keygen -d -c -o net=<network-IP>,cid=<client-ID>,type=3des<cr>

The hexadecimal value for the key is displayed:

9ebc7a57f240e97c9b9401e9d3ae9b292943d3c143d07f04


3. After you enter the client key values, start the boot process by typing go:

boot> go<cr>

The system begins the boot process and installation over the WAN. If the WAN boot programs do not find all the necessary installation information, the wanboot program prompts you to provide the missing information.

Boot the Client Noninteractively from the OBP

Use this installation method to boot the client without any interaction after entering the initial boot command. For you to perform this type of interactive boot, your system’s OpenBoot PROM must support WAN boot. After setting up the WAN boot server, follow these instructions to boot the client:

1. At the ok prompt on the client system, set the network-boot-arguments variable in OBP:

ok setenv network-boot-arguments host-ip=<client-IP>,\
router-ip=<router-ip>,subnet-mask=<value>,hostname=<client-name>,\
http-proxy=<proxy-ip:port>,bootserver=<wanbootCGI-URL><cr>

2. Boot the client from the network using the network boot argument variables:

ok boot net - install<cr>
Resetting . . . .

The system begins the boot process and installation over the WAN. If the WAN boot programs do not find all the necessary installation information, the wanboot program prompts you to provide the missing information.

Boot the Client with a DHCP Server

If you configured a DHCP server to support WAN boot options, you can use the DHCP server to provide client configuration information during bootup and installation. Before you try to boot with a DHCP server, make sure your client’s OBP supports a WAN boot installation, as described earlier in this chapter.

To boot a client using a DHCP server, you must first configure your DHCP server to supply the following information:

. The Proxy server’s IP address: Specified using the SHTTPproxy option on your DHCP server.

. The location of the wanboot-cgi program: Specified using the SbootURI option on your DHCP server.


I won’t go into the details of setting up a DHCP server on the network. This topic is covered in the Solaris Installation Guide published by Sun Microsystems for each version of the Solaris 10 operating system.

After you’ve configured the DHCP server, follow these instructions to boot the client:

1. At the ok prompt, set the network-boot-arguments variable:

ok setenv network-boot-arguments dhcp,hostname=<client-name><cr>

The network-boot-arguments variable instructs the OBP to set the following boot arguments:

. dhcp: Instructs the OBP to use the DHCP server to configure the client.

. hostname=<client-name>: Specifies the hostname that you want assigned to the client.

2. Boot the client from the network using the network boot argument variables:

ok boot net - install<cr>
Resetting . . . .

The system begins the boot process and installation over the WAN. If the WAN boot programs do not find all the necessary installation information, the wanboot program prompts you to provide the missing information.

Solaris Live Upgrade

Objective:

. Perform a Live Upgrade installation

Solaris Live Upgrade significantly reduces downtime caused by an operating system upgrade by allowing the system administrator to upgrade the operating system, or install a Flash Archive, while the system is in operation. The Live Upgrade process involves creating a duplicate of the running environment and upgrading that duplicate. The current running environment remains untouched and unaffected by the upgrade. The upgrade does not necessarily need to be a complete OS upgrade; it could simply consist of adding a few OS patches. In addition, you could use Solaris Live Upgrade to clone an active boot environment for purposes other than an OS upgrade. It’s a great way to simply create a backup of the current boot disk.

When the upgrade is complete, the upgrade is activated with the luactivate command and a system reboot. If, after testing, you want to go back to the old operating environment, you can reboot to the old environment anytime.


Solaris Live Upgrade enables you to perform the following tasks on a running system:

. Upgrade the operating system to a new OS release or new patch level. In fact, this is the recommended way to do all patching and OS upgrades.

. Resize the boot disk configuration, such as changing file system types, sizes, and layouts on the new boot environment.

. Maintain numerous boot images, such as images with different patch levels, or a different OS release.

Live Upgrade Requirements

Solaris Live Upgrade is included in the Solaris 10 operating environment. However, you must ensure that the system meets current patch requirements before attempting to install and use the Solaris Live Upgrade software on your system. For the Solaris 10 05/08 release, these patches are listed in the Sun Microsystems info doc 206844, which can be found on Sun’s website. You can also locate the list of patches by searching for “Live Upgrade Patch” at http://sunsolve.sun.com.


TIP

An important point about the Live Upgrade software: The release of the Live Upgrade software packages must match the release of the OS you are upgrading to. For example, if your current OS is the Solaris 9 release, and you want to upgrade to the Solaris 10 10/08 release, you need to install the Solaris Live Upgrade packages from the Solaris 10 10/08 release. Therefore, you probably will install a more current version of the Solaris Live Upgrade software than what is currently on your system.

Step By Step 8.5 describes the process of installing the required Solaris Live Upgrade packages.

STEP BY STEP

8.5 Installing the Solaris Live Upgrade Packages

1. Insert the CD/DVD from the version of Solaris OS that you will be upgrading to.

2. Remove the existing Live Upgrade packages:

# pkgrm SUNWlucfg SUNWlur SUNWluu<cr>

3. Install the packages in the following order:

# pkgadd -d <path_to_packages> SUNWlucfg SUNWlur SUNWluu<cr>


where <path_to_packages> specifies the absolute path to the software packages on the CD/DVD. Currently (as of the Solaris 10 05/08 release), the Live Upgrade packages are located on CD #2 using the following path:

/cdrom/sol_10_508_sparc_2/Solaris_10/Product

4. Verify that the packages have been installed successfully:

# pkginfo | grep -i "live upgrade"<cr>
application SUNWlucfg Live Upgrade Configuration
application SUNWlur Live Upgrade (root)
application SUNWluu Live Upgrade (usr)
application SUNWluzone Live Upgrade (zones support)

The disk on the new boot environment must be able to serve as a boot device. The disk might need to be prepared with format or fdisk before you create the new boot environment. Check that the disk is formatted properly, and verify that the disk slices are large enough to hold the file systems to be copied.

When you create a new inactive boot environment, the root (/) file system does not need to be on the same physical disk as the currently active root (/) file system, as long as the disk can be used as a boot device. In fact, it’s preferable that the new boot environment be put on a separate disk if your system has one available.

Disk space requirements for the new boot environment vary, depending on which software packages are currently installed and what version of the OS you are upgrading to. Therefore, to estimate the file system size that is needed to create the new boot environment, start the creation of a new boot environment, as described in the upcoming section “Creating a New Boot Environment.” The size is calculated. You can then abort the process.

Solaris Live Upgrade Process

After installing the necessary patches and software packages to support Solaris Live Upgrade, you need to create a new boot environment. Creating the new boot environment involves copying the critical file systems from an active boot environment to the new boot environment. This task is covered in the next section.

After you have created a new boot environment, you perform an upgrade on that boot environment. When upgrading the inactive boot environment, you do not affect the active boot environment. The new files merge with the inactive boot environment critical file systems, but shareable file systems are not changed. The following list describes critical and shareable file systems:

. Critical file systems are required by the Solaris OS. These file systems are separate mount points in the /etc/vfstab file of the active and new (inactive) boot environments. These file systems are always copied from the source to the new boot environment. Critical file systems are sometimes called nonshareable file systems. Examples of critical file systems are root (/), /usr, /var, and /opt.

. Shareable file systems are user-defined files such as /export that contain the same mount point in the /etc/vfstab file in both the active and inactive boot environments. Like a shareable file system, all swap slices are shared by default. Shareable file systems are not copied, but they are shared. Updating shared files in the active boot environment also updates data in the inactive boot environment.

Rather than upgrading the new boot environment, you could install a Flash Archive on the new boot environment. When you install the Solaris Flash Archive, the archive replaces all the files on the existing boot environment as if you performed an initial installation.

The final step in the Live Upgrade process is to activate the new boot environment. Activating a boot environment makes it bootable on the next reboot of the system. You can also switch back quickly to the original boot environment if a failure occurs on booting the newly active boot environment or if you simply want to go back to the older version of the OS.

Solaris Live Upgrade is performed from the command line using the commands listed in Table 8.2.

Table 8.2 Solaris Live Upgrade Commands

Command      Description

luactivate   Activates an inactive boot environment.

lucancel     Cancels a scheduled copy or create job.

lucompare    Compares an active boot environment with an inactive boot environment.

lumake       Recopies file systems to update an inactive boot environment.

lucreate     Creates a boot environment.

lucurr       Names the active boot environment.

ludelete     Deletes a boot environment.

ludesc       Adds a description to a boot environment name.

lufslist     Lists critical file systems for each boot environment.

lumount      Enables a mount of all the file systems in a boot environment. This command enables you to modify the files in a boot environment while that boot environment is inactive.

luupgrade    Enables you to install software on a specified boot environment.

lurename     Renames a boot environment.

You can also use the lu command to get into the Live Upgrade utility to perform any of the Live Upgrade functions. A bitmapped terminal is not required; the menu will be displayed on any ASCII terminal. Sun Microsystems no longer recommends the use of the lu utility. Sun recommends that you issue the Live Upgrade commands from the command line, as done in this chapter.

Creating a New Boot Environment

Creating a new, inactive boot environment involves copying critical file systems from the active environment to the new boot environment using the lucreate command. The syntax for the lucreate command is as follows, along with some of its more common options:

lucreate [-A '<description>'] [-c <name>] [-x <file>] \
-m <mountpoint>:<device>:<ufstype> [-m ...] -n <name>

where:

. -A <description>: (optional) Assigns a description to the boot environment.

. -c <name>: (optional) Assigns a name to the active boot environment. If you do not specify a name, the system assigns one.

. -m <mountpoint>:<device>:<ufstype>: Specifies the /etc/vfstab information for the new boot environment. The file systems that are specified as arguments to -m can be on the same disk, or they can be spread across multiple disks. Use this option as many times as necessary to create the number of file systems that are needed to support the new boot environment.

<mountpoint> can be any valid mount point. A - (hyphen) indicates a swap partition.

<device> can be any of the following:

. The name of a disk device

. An SVM volume (such as /dev/md/dsk/<devicename>)

. A Veritas volume (such as /dev/md/vxfs/dsk/<devicename>)

. The keyword merged can be used in the <device> field, indicating that the file system at the specified mount point is to be merged with its parent.

<ufstype> can be one or more of the following keywords: ufs, vxfs, preserve, mirror, attach, detach, swap.

. -n <name>: The name of the boot environment to be created. The name must be unique for the system.

. -x <file>: (optional) Excludes the file or directory from the new boot environment.
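The -m format described above can be checked before lucreate ever touches a disk. The following shell functions are an added example, not from the book: they validate each <mountpoint>:<device>:<fstype> argument and, given a copy of the active /etc/vfstab, flag a target slice that already holds a mounted file system. Assumptions: fstype keywords are comma-separated, swap requires the - mount point, and the function names and the VFSTAB and AWK variables are hypothetical.

```shell
#!/bin/sh
# Added example (not from the book): lint lucreate -m arguments of the form
# <mountpoint>:<device>:<fstype> before they are passed to lucreate.
# Assumption: multiple <fstype> keywords are comma-separated (ufs,mirror).
AWK=${AWK:-awk}    # on Solaris 10 use nawk or /usr/xpg4/bin/awk (needs -v)
FS_KEYWORDS="ufs vxfs preserve mirror attach detach swap"

# check_m_arg ARG
# Validates one argument and leaves mnt, dev, fst and has_swap set for the
# caller. Prints the reason and returns 1 when the argument is rejected.
check_m_arg() {
    arg=$1
    case $arg in
        *" "*)   echo "$arg: contains a space"; return 1 ;;
        *:*:*:*) echo "$arg: too many fields"; return 1 ;;
        *:*:*)   ;;
        *)       echo "$arg: expected <mountpoint>:<device>:<fstype>"; return 1 ;;
    esac
    mnt=${arg%%:*}; rest=${arg#*:}; dev=${rest%%:*}; fst=${rest#*:}

    case $mnt in
        -|/*) ;;                      # "-" marks a swap partition
        *) echo "$arg: mount point must be an absolute path or -"; return 1 ;;
    esac
    case $dev in
        merged|/dev/?*) ;;            # disk slice, SVM/Veritas volume, or merged
        *) echo "$arg: device must be a /dev path or the keyword merged"; return 1 ;;
    esac
    if [ -z "$fst" ]; then echo "$arg: missing fstype"; return 1; fi

    has_swap=no; unknown=no
    old_ifs=$IFS; IFS=,
    for kw in $fst; do                # split the keyword list on commas
        case " $FS_KEYWORDS " in
            *" $kw "*) if [ "$kw" = swap ]; then has_swap=yes; fi ;;
            *) unknown=yes ;;
        esac
    done
    IFS=$old_ifs

    if [ "$unknown" = yes ]; then
        echo "$arg: fstype may only use: $FS_KEYWORDS"; return 1
    fi
    if [ "$mnt" = - ] && [ "$has_swap" = no ]; then
        echo "$arg: mount point - requires fstype swap"; return 1
    fi
    if [ "$mnt" != - ] && [ "$has_swap" = yes ]; then
        echo "$arg: fstype swap requires mount point -"; return 1
    fi
    if [ "$dev" = merged ] && { [ "$mnt" = / ] || [ "$mnt" = - ]; }; then
        echo "$arg: $mnt has no parent file system to merge into"; return 1
    fi
    return 0
}

# check_m_args ARG...
# Validates every -m argument of one lucreate call. Also rejects a device that
# is named twice and, when VFSTAB names a copy of the active /etc/vfstab, a
# device for a fresh ufs/vxfs file system that is already mounted there.
check_m_args() {
    seen=" "; rc=0
    for a in "$@"; do
        if ! check_m_arg "$a"; then rc=1; continue; fi
        if [ "$dev" = merged ]; then continue; fi
        case $seen in
            *" $dev "*) echo "$a: device $dev is used twice"; rc=1 ;;
        esac
        seen="$seen$dev "
        case $fst in
            ufs|vxfs)
                if [ -n "${VFSTAB:-}" ] && "$AWK" -v d="$dev" \
                    '$1 == d && $3 != "-" { found = 1 } END { exit !found }' "$VFSTAB"
                then
                    echo "$a: $dev is mounted in the active boot environment"; rc=1
                fi ;;
        esac
    done
    return $rc
}

# Demo: a root-plus-swap layout on the second disk (constructed call).
check_m_args "/:/dev/dsk/c0t1d0s0:ufs" "-:/dev/dsk/c0t1d0s1:swap" &&
    echo "arguments are consistent"
```

Run it with VFSTAB=/etc/vfstab on the system being upgraded so that a slice in use by the active boot environment is caught before lucreate is invoked.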

First, you need to select an unused disk slice where the new boot environment will be created. It must be on a bootable disk drive. If a slice is not available, you need to create one. If your system has only a single disk, you can still perform a Solaris Live Upgrade, but you need enough space on the disk to create an empty slice large enough to hold the new boot environment.

In Solaris 10 10/08, for a bootable ZFS root pool, the disks in the pool must contain slices. The simplest configuration is to put the entire disk capacity in slice 0 and then use that slice for the root pool. This process is described later in this section. Migrating a UFS root (/) file system to a ZFS root pool is beyond the scope of this chapter. Refer to “Solaris 10 10/08 Installation Guide: Solaris Live Upgrade and Upgrade Planning” for information on migrating from a UFS file system to a ZFS root pool.

Every system configuration varies, so covering all the possible various disk scenarios is not possible. For simplicity, and to cover the topics that you will encounter on the exam, I’ll describe a very common configuration.

In my example, I have a system with two 36GB hard drives: c0t0d0 and c0t1d0. The current boot drive is c0t0d0, and I want to upgrade the OS to Solaris 10 05/08.

To create the new boot environment on c0t1d0, I’ll use the lucreate command:

# lucreate -A 'My first boot environment' -c active_boot \
-m /:/dev/dsk/c0t1d0s0:ufs -n new_BE<cr>

Several lines of output are displayed as the new boot environment is being created and copied. The following messages appear when the operation is complete:

<output truncated>
Population of boot environment <new_BE> successful.
Creation of boot environment <new_BE> successful.
#

The previous command created a new boot environment with the following characteristics:

. The description of the new boot environment is “My first boot environment.”

. The current (Active) boot environment is named “active_boot.”

. A file system is created on the secondary disk (c0t1d0) for root (/).

. The new boot environment is named “new_BE.”

Optionally, I could create a new boot environment where root (/) and /usr are split into two separate file systems. To split the root (/) file system into two file systems, issue the following command:

# lucreate -A 'My first boot environment' -c active_boot -m \
/:/dev/dsk/c0t1d0s0:ufs -m /usr:/dev/dsk/c0t1d0s3:ufs -n new_BE<cr>


In the previous examples, swap slices are shared between boot environments. Because I did not specify swap with the -m option, the current and new boot environment share the same swap slice. In the following example, I’ll use the -m option to add a swap slice in the new boot environment, which is recommended:

# lucreate -A 'My first boot environment' -c active_boot -m \
/:/dev/dsk/c0t1d0s0:ufs -m -:/dev/dsk/c0t1d0s1:swap -n new_BE<cr>

If you want a shareable file system to be copied to the new boot environment, specify the mount point of the file system to be copied using the -m option. Otherwise, shareable file systems are shared by default, and they maintain the same mount point in the /etc/vfstab file. Any change or update made to the shareable file system is available to both boot environments. For example, to copy the /data file system to the new boot environment, issue the following command:

# lucreate -A 'My first boot environment' -c active_boot -m \
/:/dev/dsk/c0t1d0s0:ufs -m /data:/dev/dsk/c0t1d0s4:ufs -n new_BE<cr>

You can also create a new boot environment and merge file systems in the new BE. For example, in the current boot environment (active_boot) we have root (/), /usr and /opt. The /opt file system is combined with its parent file system /usr. The new boot environment is named new_BE. The command to create this new boot environment is as follows:

# lucreate -A 'My first boot environment' -c active_boot -m \
/:/dev/dsk/c0t1d0s0:ufs -m /usr:/dev/dsk/c0t1d0s1:ufs \
-m /usr/opt:merged:ufs -n new_BE<cr>

In some cases, you might want to create an empty boot environment. When you use the lucreate command with the -s - option, lucreate creates an empty boot environment. The slices are reserved for the file systems that are specified, but no file systems are copied. The boot environment is named, but it is not actually created until it is installed with a Solaris Flash Archive. The following example creates an empty boot environment:

# lucreate -A 'My first boot environment' -s - -c active_boot -m \
/:/dev/dsk/c0t1d0s0:ufs -n new_BE<cr>

If you are running Solaris 10 10/08 and are currently using a ZFS root pool, you can either create a new ZFS boot environment within the same root pool or create the new boot environment on a new root pool. The quickest method is to create a new boot environment with the same ZFS root pool. The lucreate command creates a snapshot from the source boot environment, and then a clone is built from the snapshot. The amount of space required varies; it depends on how many files are replaced as part of the upgrade process.

To create a new boot environment within the same root pool, issue the following command:

# lucreate -c current_zfsBE -n new_zfsBE<cr>


The system displays the following output (the entire process took less than a minute):

Analyzing system configuration.
No name for current boot environment.
Current boot environment is named <current_zfsBE>.
Creating initial configuration for primary boot environment <current_zfsBE>.
The device </dev/dsk/c1t0d0s0> is not a root device for any boot environment; cannot get BE ID.
PBE configuration successful: PBE name <current_zfsBE> PBE Boot Device </dev/dsk/c1t0d0s0>.
Comparing source boot environment <current_zfsBE> file systems with the file system(s) you specified for the new boot environment. Determining which file systems should be in the new boot environment.
Updating boot environment description database on all BEs.
Updating system configuration files.
Creating configuration for boot environment <new_zfsBE>.
Source boot environment is <current_zfsBE>.
Creating boot environment <new_zfsBE>.
Cloning file systems from boot environment <current_zfsBE> to create boot environment <new_zfsBE>.
Creating snapshot for <rpool/ROOT/s10s_u6wos_07b> on <rpool/ROOT/s10s_u6wos_07b@new_zfsBE>.
Creating clone for <rpool/ROOT/s10s_u6wos_07b@new_zfsBE> on <rpool/ROOT/new_zfsBE>.
Setting canmount=noauto for </> in zone <global> on <rpool/ROOT/new_zfsBE>.
Creating snapshot for <rpool/ROOT/s10s_u6wos_07b/var> on <rpool/ROOT/s10s_u6wos_07b/var@new_zfsBE>.
Creating clone for <rpool/ROOT/s10s_u6wos_07b/var@new_zfsBE> on <rpool/ROOT/new_zfsBE/var>.
Setting canmount=noauto for </var> in zone <global> on <rpool/ROOT/new_zfsBE/var>.
Population of boot environment <new_zfsBE> successful.
Creation of boot environment <new_zfsBE> successful.
#

A second option when creating a new boot environment from a ZFS root pool is to create the new boot environment on another root pool. You need to be aware of a few requirements for the new root pool:

. The ZFS storage pool must be created with slices rather than whole disks. The pool must have an SMI label. An EFI-labeled disk cannot be booted.

. On the x86 platform only, the ZFS pool must be in a slice with an fdisk partition.

. If you mirror the boot disk later, make sure you specify a bootable slice and not the whole disk, because the latter may try to install an EFI label.


. You cannot use a RAID-Z configuration for a root pool. Only single-disk pools or pools with mirrored disks are supported. You will see the following message if you attempt to use an unsupported pool for the root pool:

ERROR: ZFS pool <pool-name> does not support boot environments

The process of creating a new boot environment on another root pool is described in Step By Step 8.6.

STEP BY STEP
8.6 Creating a New Boot Environment in Another Root Pool

1. Create a new ZFS pool on a slice located on a secondary disk. You must create the root pool on a disk slice. For the example, I’ll be performing the steps on an x86-based Solaris system. I’ve already used the format command to put the entire disk capacity of c1d1 in slice 0. I’ll use that slice when I create the root pool:

# zpool create rpool2 c1d1s0<cr>

Creating a ZFS pool is described in Chapter 9, “Administering ZFS File Systems.”

2. Create the new boot environment on rpool2:

# lucreate -n new_zfsBE -p rpool2<cr>

The new boot environment is named new_zfsBE. Because I didn’t use the -c option to name the current boot environment, it is given a default name, as shown in the following output:

Checking GRUB menu...
Analyzing system configuration.
No name for current boot environment.
INFORMATION: The current boot environment is not named - assigning name <s10x_u6wos_07b>.
Current boot environment is named <s10x_u6wos_07b>.
Creating initial configuration for primary boot environment <s10x_u6wos_07b>.
The device </dev/dsk/c0d0s0> is not a root device for any boot environment; cannot get BE ID.
PBE configuration successful: PBE name <s10x_u6wos_07b> PBE Boot Device </dev/dsk/c0d0s0>.
Comparing source boot environment <s10x_u6wos_07b> file systems with the file system(s) you specified for the new boot environment. Determining which file systems should be in the new boot environment.
Updating boot environment description database on all BEs.
Updating system configuration files.
The device </dev/dsk/c1d1s0> is not a root device for any boot environment; cannot get BE ID.
Creating configuration for boot environment <new_xfsBE>.
Source boot environment is <s10x_u6wos_07b>.
Creating boot environment <new_xfsBE>.
Creating file systems on boot environment <new_xfsBE>.
Creating <zfs> file system for </> in zone <global> on <rpool2/ROOT/new_xfsBE>.
Creating <zfs> file system for </var> in zone <global> on <rpool2/ROOT/new_xfsBE/var>.
Populating file systems on boot environment <new_xfsBE>.
Checking selection integrity.
Integrity check OK.
Populating contents of mount point </>.
Populating contents of mount point </var>.
Copying.
Creating shared file system mount points.
Copying root of zone <testzone>.
zoneadm: zone 'testzone': illegal UUID value specified
Copying root of zone <testzone2>.
Creating compare databases for boot environment <new_xfsBE>.
Creating compare database for file system </var>.
Creating compare database for file system </rpool2/ROOT>.
Creating compare database for file system </>.
Updating compare databases on boot environment <new_xfsBE>.
Making boot environment <new_xfsBE> bootable.
Updating bootenv.rc on ABE <new_xfsBE>.
File </boot/grub/menu.lst> propagation successful
Copied GRUB menu from PBE to ABE
No entry for BE <new_xfsBE> in GRUB menu
Population of boot environment <new_xfsBE> successful.
Creation of boot environment <new_xfsBE> successful.
#

You have several other options when creating a new boot environment:

. Creating a boot environment from a different source (other than the active boot environment)

. Merging file systems in the new boot environment

. Reconfiguring swap in the new boot environment

. Creating a boot environment with RAID-1 (mirrored) volumes

. Migrating a UFS root (/) file system to a ZFS root pool

NOTE

Creating a boot environment: Refer to the Sun Microsystems “Solaris 10 5/08 Installation Guide: Solaris Live Upgrade and Upgrade Planning” for more information.

Displaying the Status of the New Boot Environment

Verify the status of the new boot environment using the lustatus command:

# lustatus<cr>
Boot Environment           Is       Active Active    Can    Copy
Name                       Complete Now    On Reboot Delete Status
-------------------------- -------- ------ --------- ------ ----------
active_boot                yes      yes    yes       no     -
new_BE                     yes      no     no        yes    -

Table 8.3 describes the columns of information that are displayed.

Table 8.3 lustatus Information

Boot Environment Status   Description
Boot Environment Name     The name of the active and inactive boot environments.
Is Complete               Specifies whether a boot environment can be booted. Complete indicates that the environment is bootable.
Active Now                Indicates which environment is currently active.
Active On Reboot          Indicates which boot environment will be active on the next system boot.
Can Delete                Indicates that no copy, compare, or upgrade operations are being performed on a boot environment. Also, none of that boot environment’s file systems are currently mounted. With all these conditions in place, the boot environment can be deleted.
Copy Status               Indicates whether the creation or repopulation of a boot environment is scheduled or active. A status of ACTIVE, COMPARING, UPGRADING, or SCHEDULED prevents a Live Upgrade copy, rename, or upgrade operation.

At this point, the new boot environment is set up. You can even test it by booting to c0t1d0 from the OBP.

Upgrading the New Boot Environment

After creating the new boot environment, you will use the luupgrade command to upgrade the new boot environment.

The luupgrade command enables you to install software in a specified boot environment. Specifically, luupgrade performs the following functions:

. Upgrades an operating system image on a boot environment. The source of the image can be any valid Solaris installation medium.

. Runs an installer program to install software from an installation medium.

. Extracts a Solaris Flash Archive onto a boot environment.


. Adds or removes a package to or from a boot environment.

. Adds or removes a patch to or from a boot environment.

. Checks or obtains information about software packages.

. Checks an operating system installation medium.

The syntax is

luupgrade [-iIufpPtTcC] [<options>]

where the options are as follows:

. -l <logfile>: Error and status messages are sent to <logfile>, in addition to where they are sent in your current environment.

. -o <outfile>: All command output is sent to <outfile>, in addition to where it is sent in your current environment.

. -N: Dry-run mode. Enables you to determine whether your command arguments are correctly formed.

. -X: Enables XML output.

. -f: Extracts a Solaris Flash Archive onto a boot environment.

The following luupgrade options apply when you’re upgrading an operating system:

. -u: Upgrades an OS.

. -n <BE_name>: Specifies the name of the boot environment to receive the OS upgrade.

. -s <os_path>: Specifies the pathname of a directory containing an OS image. This can be a directory, CD-ROM, or an NFS mount point.

The following luupgrade options apply when you’re upgrading from a Solaris Flash Archive:

. -n <BE_name>: Specifies the name of the boot environment to receive the OS upgrade.

. -s <os_path>: Specifies the pathname of a directory containing an OS image. This can be a directory on an installation medium such as a CD-ROM, or it can be an NFS or UFS directory.

. -a <archive>: Specifies the path to the Flash Archive.

The following luupgrade options apply when you add or remove software packages:

. -p: Adds software packages.


. -P: Removes software packages.

. -n <BE_name>: Specifies the name of the boot environment to receive the OS upgrade.

. -s <pkgs_path>: Specifies the pathname of a directory containing software packages to add.

. -O: Used to pass options to the pkgadd and pkgrm commands.

I’ll describe how to upgrade the new boot environment using both a Solaris CD/DVD (Step By Step 8.7) and a Flash Archive (Step By Step 8.8).

In the first example, I have a Solaris x86-based system with two disk drives and running Solaris 10 release 08/07. I’ve created the new boot environment, which is as follows:

# lustatus<cr>
Boot Environment           Is       Active Active    Can    Copy
Name                       Complete Now    On Reboot Delete Status
-------------------------- -------- ------ --------- ------ ----------
active_boot                yes      yes    yes       no     -
new_BE                     yes      no     no        yes    -

Step By Step 8.7 describes how to update the new boot environment named new_BE on c0d1. In the example, I’ll update the system to Solaris 10 release 05/08 from the local DVD. I’ve already installed the Live Upgrade packages and patches from the Solaris 10 05/08 release as described earlier in this chapter.

STEP BY STEP
8.7 Performing a Solaris Live Upgrade from a Local DVD

1. Insert the Solaris 10 05/08 DVD into the DVD-ROM.

2. Issue the luupgrade command:

# luupgrade -u -n new_BE -s /cdrom/cdrom0<cr>

Several lines of output are displayed as the new boot environment is being upgraded. The following messages are displayed when the operation is complete:

Upgrading Solaris: 100% completed...
<output has been truncated>
The Solaris upgrade of the boot environment <new_BE> is complete.
Installing failsafe
Failsafe install is complete
#


When using Live Upgrade to install a Flash Archive, use the lucreate command with the -s option, as described earlier in this chapter. When the empty boot environment is complete, a Flash Archive can be installed on the boot environment, as described in Step By Step 8.8.

STEP BY STEP
8.8 Upgrading from a Flash Archive from a DVD

1. Insert the Solaris 10 05/08 DVD into the DVD-ROM.

2. Issue the luupgrade command:

# luupgrade -f -n new_BE -s /cdrom/cdrom0 -a /export/home/flash.flar<cr>

where -a /export/home/flash.flar is the name of the Flash Archive.

Several lines of output are displayed as the new boot environment is being upgraded. The following messages are displayed when the operation is complete:

<output has been truncated>
Upgrading Solaris: 100% completed...
<output has been truncated>
The Solaris upgrade of the boot environment <new_BE> is complete.
Installing failsafe
Failsafe install is complete
#

Activating the New Boot Environment

Activating the upgraded boot environment with the luactivate command will make it bootable at the next reboot. In addition, you can use the luactivate command to switch back to the old boot environment if necessary. To activate a boot environment, the following requirements must be met:

. The boot environment must have a status of “complete.”

. If the boot environment is not the current boot environment, you cannot have mounted the partitions of that boot environment using the luumount or mount commands.

. The boot environment that you want to activate cannot be involved in a comparison operation (lucompare).

. If you want to reconfigure swap, make this change prior to booting the inactive boot environment. By default, all boot environments share the same swap devices.
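The first three requirements can be read straight from the lustatus columns in Table 8.3. The following shell function is an added example, not from the book: it parses lustatus output and refuses activation when the boot environment is incomplete, has a copy or compare job pending, or appears to have file systems mounted. The function names, the AWK variable and the sample table are hypothetical and constructed for the example; the mounted-file-system test is a heuristic based on the Can Delete column.

```shell
#!/bin/sh
# Added example (not from the book): gate luactivate on the lustatus columns
# described in Table 8.3. The sample table below is constructed.
AWK=${AWK:-awk}    # on Solaris 10 use nawk or /usr/xpg4/bin/awk (needs -v)

# be_activation_check BE_NAME   (reads lustatus output on stdin)
# Returns 0 when BE_NAME may be activated, 1 when a requirement is not met,
# and 2 when the boot environment is not listed. Reasons go to stdout.
be_activation_check() {
    "$AWK" -v be="$1" '
        # Data rows have six fields: name, complete, now, on-reboot, delete, copy.
        NF == 6 && $1 == be && $2 ~ /^(yes|no)$/ {
            seen = 1
            if ($2 != "yes") {
                print be ": Is Complete is " $2 ", the BE is not bootable"; bad = 1
            }
            if ($6 != "-") {
                print be ": Copy Status is " $6 ", a job is scheduled or running"; bad = 1
            }
            # Heuristic from Table 8.3: an idle, inactive BE that still cannot be
            # deleted probably has file systems mounted (lumount or mount).
            if ($3 == "no" && $4 == "no" && $5 == "no" && $6 == "-") {
                print be ": Can Delete is no, check for mounted file systems"; bad = 1
            }
            if ($4 == "yes") print be ": already active on reboot"
        }
        END {
            if (!seen) { print be ": not listed by lustatus"; exit 2 }
            if (!bad) print be ": requirements met"
            exit bad + 0
        }'
}

# Constructed lustatus output used for the demonstration.
sample_lustatus() {
    cat <<'EOF'
Boot Environment           Is       Active Active    Can    Copy
Name                       Complete Now    On Reboot Delete Status
-------------------------- -------- ------ --------- ------ ----------
active_boot                yes      yes    yes       no     -
new_BE                     yes      no     no        yes    -
flash_BE                   no       no     no        yes    -
cmp_BE                     yes      no     no        no     COMPARING
mnt_BE                     yes      no     no        no     -
EOF
}

# On a Live Upgrade host: activate only when the check passes (not run here).
safe_luactivate() {
    lustatus | be_activation_check "$1" && luactivate "$1"
}

# Demo against the constructed table.
sample_lustatus | be_activation_check new_BE
```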

In the previous section, I upgraded the OS on an x86/x64-based system. Before I activate the new boot environment, I’ll check the status again:

# lustatus<cr>
Boot Environment           Is       Active Active    Can    Copy
Name                       Complete Now    On Reboot Delete Status
-------------------------- -------- ------ --------- ------ ----------
active_boot                yes      yes    yes       no     -
new_BE                     yes      no     no        yes    -

The status shows “Complete,” so I’m ready to issue the luactivate command. The syntax for the luactivate command is as follows:

# luactivate [-s] [-l] [-o] <new_BE><cr>

where:

. <new_BE>: Specifies the name of the upgraded boot environment you want to activate.

. -o <out_file>: All output is sent to the <out_file> file in addition to your current environment.

. -l <errlog>: Error and status messages are sent to the <errlog> file in addition to your current environment.

. -s: Forces a synchronization of files between the last-active boot environment and the new boot environment. The first time a boot environment is activated, the files between the boot environments are synchronized. With subsequent activations, the files are not synchronized unless you use the -s option. “Synchronize” means that certain critical system files and directories are copied from the last-active boot environment to the boot environment being booted.

The luactivate command performs the following tasks:

. The first time you boot to a new boot environment (BE), the Solaris Live Upgrade software synchronizes this BE with the BE that was last active.

. If luactivate detects conflicts between files that are subject to synchronization, it issues a warning and does not perform the synchronization for those files. However, activation can still complete successfully, in spite of such a conflict. A conflict can occur if you make changes to the same file on both the new boot environment and the active boot environment. For example, you make changes to the /etc/vfstab file in the original boot environment. Then you make other changes to the /etc/vfstab file in the new boot environment. The synchronization process cannot choose which file to copy for the synchronization.

. luactivate checks to see whether upgrade problems occurred. For example, important software packages might be missing. This package check is done for the global zone as well as all nonglobal zones inside the BE. The command can issue a warning or, if a BE is incomplete, can refuse to activate the BE.


. On a SPARC system, luactivate determines whether the bootstrap program requires updating and takes steps to update if necessary. If a bootstrap program changed from one operating release to another, an incorrect bootstrap program might render an upgraded BE unbootable.

. luactivate modifies the root partition ID on a Solaris x86/x64-based disk to enable multiple BEs to reside on a single disk. In this configuration, if you do not run luactivate, booting of the BE will fail.

luactivate on the x86/x64 Platform

To activate the upgraded boot environment on the x86/x64-based platform, issue the luactivate command:

# luactivate -s new_BE<cr>

The system displays the steps to be taken for fallback in case problems are encountered on the next reboot. Make note of these instructions, and follow them exactly if it becomes necessary to fall back to the previous boot environment:

System has findroot enabled GRUB
Generating boot-sign, partition and slice information for PBE <active_BE>
A Live Upgrade Sync operation will be performed on startup of boot environment <new_BE>.

Generating boot-sign for ABE <new_BE>
Generating partition and slice information for ABE <new_BE>
Boot menu exists.
Generating multiboot menu entries for PBE.
Generating multiboot menu entries for ABE.
Disabling splashimage
Re-enabling splashimage
No more bootadm entries. Deletion of bootadm entries is complete.
GRUB menu default setting is unaffected
Done eliding bootadm entries.

**********************************************************************

The target boot environment has been activated. It will be used when you reboot. NOTE: You MUST NOT USE the reboot, halt, or uadmin commands. You MUST USE either the init or the shutdown command when you reboot. If you do not use either init or shutdown, the system will not boot using the target BE.

**********************************************************************

In case of a failure while booting to the target BE, the following process needs to be followed to fallback to the currently working boot environment:

1. Boot from the Solaris failsafe or boot in Single User mode from Solaris Install CD or Network.

2. Mount the Parent boot environment root slice to some directory (like /mnt). You can use the following command to mount:

mount -Fufs /dev/dsk/c0d0s0 /mnt

3. Run <luactivate> utility with out any arguments from the Parent boot environment root slice, as shown below:

/mnt/sbin/luactivate

4. luactivate, activates the previous working boot environment and indicates the result.

5. Exit Single User mode and reboot the machine.

**********************************************************************

Modifying boot archive service
Propagating findroot GRUB for menu conversion.
File </etc/lu/installgrub.findroot> propagation successful
File </etc/lu/stage1.findroot> propagation successful
File </etc/lu/stage2.findroot> propagation successful
File </etc/lu/GRUB_capability> propagation successful
Deleting stale GRUB loader from all BEs.
File </etc/lu/installgrub.latest> deletion successful
File </etc/lu/stage1.latest> deletion successful
File </etc/lu/stage2.latest> deletion successful
Activation of boot environment <new_BE> successful.

In addition, when you activate a boot environment on an x86/x64-based system, the luactivate command modifies the menu.lst file (GRUB boot menu), as shown in Figure 8.1.


FIGURE 8.1

Modifying the menu.lst file.

The next time you boot, you can choose the boot environment directly from the GRUB menu without using the luactivate command. However, when you switch between boot environments with the GRUB menu, files are not synchronized. If a boot environment was created with the Solaris 8, 9, or 10 3/05 release, the boot environment must always be activated with the luactivate command. These older boot environments do not appear on the GRUB menu.

Keep in mind a couple of cautions when using the GRUB menu to boot to an alternate boot environment:

. The GRUB menu is stored on the primary boot disk, not necessarily on the active boot environment disk. Be careful if you change the disk order in the BIOS. Changing the order might cause the GRUB menu to become invalid. If this problem occurs, changing the disk order back to the original state fixes the GRUB menu.

. The menu.lst file contains the information that is displayed in the GRUB menu. Do not use the GRUB menu.lst file to modify Solaris Live Upgrade entries. Modifications could cause Solaris Live Upgrade to fail. The preferred method for customization is to use the eeprom command when possible.

For more information on booting x86/x64-based systems and the GRUB menu, refer to Solaris 10 System Administration Exam Prep (Exam CX-310-200), Part I.

After you run the luactivate command on an x86/x64-based system and then shut down for a reboot, you must use the shutdown or init command. This is necessary only when you’re performing the first reboot after running the lucreate command. The reboot, halt, and uadmin commands do not switch boot environments, and the system boots to the last-active boot environment.


luactivate on the SPARC Platform

To activate the upgraded boot environment on the SPARC platform, issue the following command:

# luactivate new_BE<cr>

The system displays the steps to be taken for fallback in case problems are encountered on the next reboot. Make note of these instructions, and follow them exactly if it becomes necessary to fall back to the previous boot environment:

****************************************************************
The target boot environment has been activated. It will be used when you reboot. NOTE: You MUST NOT USE the reboot, halt, or uadmin commands. You MUST USE either the init or the shutdown command when you reboot. If you do not use either init or shutdown, the system will not boot using the target BE.
****************************************************************
In case of a failure while booting to the target BE, the following process needs to be followed to fallback to the currently working boot environment:

1. Enter the PROM monitor (ok prompt).

2. Change the boot device back to the original boot environment by typing:

setenv boot-device /pci@1f,0/pci@1/scsi@8/disk@0,0:a

3. Boot to the original boot environment by typing:

boot

****************************************************************
Activation of boot environment <new_BE> successful.
#

After running the luactivate command on a SPARC system, when you shut down for a reboot, you must use the shutdown or init command. This is because it’s important to run the shutdown scripts necessary to perform the upgrade. The reboot and halt commands do not switch boot environments, and the system boots to the last-active boot environment.

During the first boot of a new boot environment, data is copied from the source boot environment. This list of files copied is maintained in /etc/lu/synclist.

Verify that the OS has been upgraded to the Solaris 10 05/08 release with the following command:

# cat /etc/release<cr>
Solaris 10 5/08 s10s_u5wos_10 SPARC
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 24 March 2008


Maintaining Solaris Live Upgrade Boot Environments

You can perform various administrative tasks on an inactive boot environment:

. Adding and removing packages for an OS installed on a new boot environment

. Removing patches on an OS installed on a boot environment

. Adding patches to an OS installed on a new boot environment

. Updating the contents of a previously configured boot environment

. Checking for differences between the active boot environment and other boot environments

. Deleting an inactive boot environment

. Changing the name or description of a boot environment

. Viewing the configuration of a boot environment

These administrative tasks are described in the following sections.

Removing Software Packages from a Boot Environment

The following example uses the luupgrade command with the -P option to remove the SUNWgzip software package from the OS image on an inactive boot environment named new_BE:

# luupgrade -P -n new_BE SUNWgzip<cr>

where:

. -P: Used to remove the named software packages from the boot environment.

. -n <BE_name>: Specifies the name of the boot environment where the package is to be removed.

The system responds with the following output:

Mounting the BE <new_BE>.
Removing packages from the BE <new_BE>.
The following package is currently installed:
   SUNWgzip The GNU Zip (gzip) compression utility
            (sparc) 11.10.0,REV=2005.01.08.05.16

Do you want to remove this package? [y,n,?,q] y<cr>

## Removing installed package instance <SUNWgzip>
## Verifying package <SUNWgzip> dependencies in global zone
WARNING:
    The <SUNWdtdte> package depends on the package
    currently being removed.
WARNING:
    The <SUNWfppd> package depends on the package currently
    being removed.


Dependency checking failed.

Do you want to continue with the removal of this package [y,n,?,q] y<cr>
## Processing package information.
## Removing pathnames in class <none>
/a/usr/bin/gznew
/a/usr/bin/gzmore
/a/usr/bin/gzless
/a/usr/bin/gzip
/a/usr/bin/gzgrep
/a/usr/bin/gzforce
/a/usr/bin/gzfgrep
/a/usr/bin/gzexe
/a/usr/bin/gzegrep
/a/usr/bin/gzdiff
/a/usr/bin/gzcmp
/a/usr/bin/gzcat
/a/usr/bin/gunzip
/a/usr/bin <shared pathname not removed>
/a/usr <shared pathname not removed>
## Updating system information.

Removal of <SUNWgzip> was successful.
Unmounting the BE <new_BE>.
The package remove from the BE <new_BE> completed.
#

Adding Software Packages to a Boot Environment

The following example uses the luupgrade command with the -p option to add the SUNWgzip software package to the OS image on an inactive boot environment named new_BE:

# luupgrade -p -n new_BE -s /cdrom/sol_10_508_sparc_2/Solaris_10/Product SUNWgzip<cr>

where:

. -p: Used to add the named software packages to the boot environment.

. -s <path-to-pkg>: Specifies the path to a directory containing the package or packages to be installed.

. -n <BE_name>: Specifies the name of the boot environment where the package is to be added.

The system responds with the following output:

Validating the contents of the media </cdrom/sol_10_508_sparc_2/Solaris_10/Product>.
Mounting the BE <new_BE>.
Adding packages to the BE <new_BE>.


Processing package instance <SUNWgzip> from </cdrom/sol_10_508_sparc_2/Solaris_10/Product>

The GNU Zip (gzip) compression utility(sparc) 11.10.0,REV=2005.01.08.05.16

Copyright 1992-1993 Jean-loup Gailly
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

Using </a> as the package base directory.
## Processing package information.
## Processing system information.
   2 package pathnames are already properly installed.
## Verifying package dependencies.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <SUNWgzip> [y,n,?] y<cr>

Installing The GNU Zip (gzip) compression utility as <SUNWgzip>

## Installing part 1 of 1.
160 blocks

Installation of <SUNWgzip> was successful.
Unmounting the BE <new_BE>.
The package add to the BE <new_BE> completed.
#

Removing Patches on an OS Installed on a Boot Environment

The following example uses the luupgrade command to remove a software patch named 119317-01 from the OS image on an inactive boot environment named new_BE:

# luupgrade -T -n new_BE 119317-01<cr>

where -T is used to remove a patch from the named boot environment.


Adding Patches to an OS Installed on a New Boot Environment

The following example uses the luupgrade command to add a software patch named 119317-01 to the OS image on an inactive boot environment named new_BE:

# luupgrade -t -n 'new_BE' -s /tmp/119317-01 119317-01<cr>

where:

. -t: Adds a patch or patches to an inactive boot environment.

. -s: Specifies the path to the directory containing the patch.

Other tasks, such as updating an existing boot environment and checking for differences between boot environments, are beyond the scope of the CX-310-202 exam and this book. If you would like more information on these topics, refer to Sun Microsystems’ Solaris 10 5/08 Installation Guide.

Deleting an Inactive Boot Environment

Use the ludelete command to delete an inactive boot environment. The following limitations apply to the ludelete command:

. You cannot delete the active boot environment or the boot environment that is activated on the next reboot.

. You cannot delete a boot environment that has file systems mounted with lumount.

. You can only delete a boot environment that has a status of complete.

. x86/x64-based systems: Starting with the Solaris 10 1/06 release, you cannot delete a boot environment that contains the active GRUB menu.

The following boot environments are available on the system:

# lustatus<cr>
Boot Environment           Is       Active Active    Can    Copy
Name                       Complete Now    On Reboot Delete Status
-------------------------- -------- ------ --------- ------ ----------
active_boot                yes      yes    yes       no     -
new_BE                     yes      no     no        yes    -

Notice that the “Can Delete” field is marked yes for the new_BE boot environment. To remove the new_BE boot environment, issue the following command:

# ludelete new_BE<cr>

The system responds with this:

Determining the devices to be marked free.
Updating boot environment configuration database.


Updating boot environment description database on all BEs.
Updating all boot environment configuration databases.
Boot environment <new_BE> deleted.
#
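The “Can Delete” check can be scripted so that ludelete is only attempted when the limitations listed above are met. The following is an added example, not taken from the book: it parses text in the lustatus layout shown above; the function names and the half_built row are assumptions made for illustration, and the lumount limitation is not covered because it is not shown in these columns.

```shell
#!/bin/sh
# Added example: gate ludelete on the lustatus columns shown above.

# Constructed sample in the lustatus layout; half_built is an invented row.
lustatus_sample() {
cat <<'EOF'
Boot Environment           Is       Active Active    Can    Copy
Name                       Complete Now    On Reboot Delete Status
-------------------------- -------- ------ --------- ------ ----------
active_boot                yes      yes    yes       no     -
new_BE                     yes      no     no        yes    -
half_built                 no       no     no        no     -
EOF
}

# be_delete_check NAME
# Reads lustatus-format text on stdin, prints a one-word verdict and
# returns 0 only when the verdict is "ok".
be_delete_check() {
    awk -v be="$1" '
        /^-+ / { body = 1; next }    # separator row ends the two header rows
        !body  { next }
        $1 == be {
            found = 1
            if      ($2 != "yes") verdict = "incomplete"        # status must be complete
            else if ($3 == "yes") verdict = "active-now"        # active BE
            else if ($4 == "yes") verdict = "active-on-reboot"  # BE activated on next reboot
            else if ($5 != "yes") verdict = "not-deletable"     # Can Delete column
            else                  verdict = "ok"
        }
        END {
            if (!found) verdict = "unknown-be"
            print verdict
            exit (verdict == "ok" ? 0 : 1)
        }'
}

# plan_delete NAME
# Dry run: prints the ludelete command only when the check passes,
# otherwise prints the reason the boot environment is skipped.
plan_delete() {
    if verdict=$(be_delete_check "$1"); then
        echo "ludelete $1"
    else
        echo "skip $1: $verdict"
    fi
}

# On a live system, pipe the real lustatus output in place of lustatus_sample.
for be in active_boot new_BE half_built; do
    lustatus_sample | plan_delete "$be"
done
```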

Changing the Name of a Boot Environment

You can rename a boot environment using the lurename command. In the following example, I rename the boot environment from new_BE to solaris10_0508_BE:

# lurename -e new_BE -n solaris10_0508_BE<cr>

where:

. -e <name>: Specifies the inactive boot environment name to be changed.

. -n <newname>: Specifies the new name of the inactive boot environment.

The system responds with this:

Renaming boot environment <new_BE> to <solaris10_0508_BE>.

Changing the name of BE in the BE definition file.
Changing the name of BE in configuration file.
Updating compare databases on boot environment <solaris10_0508_BE>.
Changing the name of BE in Internal Configuration Files.
Propagating the boot environment name change to all BEs.
Boot environment <new_BE> renamed to <solaris10_0508_BE>.
#

Verify that the name was changed with the lustatus command:

# lustatus<cr>
Boot Environment           Is       Active Active    Can    Copy
Name                       Complete Now    On Reboot Delete Status
-------------------------- -------- ------ --------- ------ ----------
active_boot                yes      yes    yes       no     -
solaris10_0508_BE          yes      no     no        yes    -

Changing the Description of a Boot Environment

It’s a good idea to have a description associated with each boot environment on your system. You can create a description when you create the boot environment using the lucreate -A option or after the boot environment has been created using the ludesc command.

In the following example, I add a description to an existing boot environment:

# ludesc -n solaris10_0508_BE "Solaris 10 05/08 upgrade" <cr>


where -n <BEname> specifies the boot environment name, followed by the description enclosed in double quotes (" ").

The system responds with this:

Setting description for boot environment <solaris10_0508_BE>.
Updating boot environment description database on all BEs.

Issuing the lustatus command displays the following information:

# lustatus<cr>
Boot Environment           Is       Active Active    Can    Copy
Name                       Complete Now    On Reboot Delete Status
-------------------------- -------- ------ --------- ------ ----------
active_boot                yes      yes    yes       no     -
solaris10_0508_BE          yes      no     no        yes    -

I can view the description by using the ludesc command with the -n option followed by the boot environment’s name:

# ludesc -n solaris10_0508_BE<cr>

The system responds with this:

.Solaris 10 05/08 upgrade.#

In the output, ludesc does not append a newline to the display of the BE description text string.

Viewing the Configuration of a Boot Environment

Use the lufslist command to display the configuration of a particular boot environment. Where the lustatus command is used to display the status of a boot environment, the lufslist command displays the disk slice, file system type, and file system size of each boot environment mount point:

# lufslist -n solaris10_0508_BE<cr>

boot environment name: solaris10_0508_BE
This boot environment will be active on next system boot.

Filesystem              fstype    device size Mounted on          Mount Options
----------------------- -------- ------------ ------------------- --------------
/dev/dsk/c0t0d0s3       swap       2097460224 -                   -
/dev/dsk/c0t1d0s0       ufs       10738759680 /                   -
/dev/dsk/c0t0d0s7       ufs       10485821952 /export/home        -
#


Summary

This chapter has described how to configure a WAN boot installation and perform a Solaris Live Upgrade installation.

You read about how to use a WAN boot installation to install the operating system securely and insecurely over a WAN and how to use a Solaris Live Upgrade to copy and update an existing OS.

For the certification exam, you need to understand the advantages of a WAN boot installation over other methods used to install the OS. Understand the requirements for a WAN boot installation, and know which types of media you can use with a WAN boot install. Finally, know how to perform a WAN boot installation. Go back and perform the steps I’ve outlined in this chapter to become familiar with the process and the files that are associated with a WAN boot installation.

For the Solaris Live Upgrade portion of the certification exam, you should know the system requirements and the various Live Upgrade commands described in this chapter. Understand the use and, in some cases, limitations associated with each command.

The next chapter describes ZFS file systems and how they’ve revolutionized disk storage. As of the Solaris 10 05/08 release, Solaris Live Upgrade cannot be performed on a ZFS file system. New in the Solaris 10 10/08 release, administrators can migrate from a UFS file system to a ZFS file system during a Solaris Live Upgrade.

Key Terms

. Boot environment

. bootlog-cgi

. CGI

. DES

. DHCP

. Document root directory

. Encryption

. Fallback

. Flash Archive

. GRUB

. Hashing

. HMAC


. HTTP

. HTTPS

. Key

. SHA1

. Solaris Live Upgrade

. SSL

. sysidcfg file

. URL

. WAN

. wanboot-cgi

. wanboot.conf

. WAN boot installation

. WAN boot miniroot

. wanboot program

. WAN boot server

Apply Your Knowledge

Exercises

Perform Step By Steps 8.2, 8.3, and 8.7.

Exam Questions

1. Which of the following describe the advantages of a WAN boot installation over a JumpStart installation? (Choose four.)

❍ A. Boot services are not required to be on the same subnet as the installation client.

❍ B. A WAN boot installation is more secure than a custom JumpStart installation.

❍ C. A WAN boot provides a scalable process for the automated installation of systems.

❍ D. A WAN boot supports all SPARC-based systems.

❍ E. A WAN boot supports all x86-based systems.


2. Before you can perform a WAN boot installation, you need to make sure that the WAN boot client meets the minimum requirements for a WAN boot installation. Which of the following are requirements that your system must meet before it can be used as a client in a WAN boot installation? (Choose two.)

❍ A. A minimum OpenBoot firmware version of 4.14

❍ B. The WAN boot client must have a minimum of 512MB of RAM.

❍ C. The WAN boot client must have a SPARC II processor or newer.

❍ D. x86 systems must support a PXE boot.

3. Before you can perform a WAN boot installation, you need to make sure that your server meets the minimum requirements for a WAN boot installation. Which of the following are requirements that your server must meet before it can be used as a WAN boot server?

❍ A. The WAN boot server must be a SPARC or x86-based system running Solaris 9 release 12/03 or higher.

❍ B. The WAN boot server must be a SPARC system running Solaris 9 release 12/03 or higher.

❍ C. The WAN boot server must be a SPARC or x86-based system running Solaris 10 or higher.

❍ D. A WAN boot requires a web server to be configured, and it must support SSL version 3.

4. Which of the following is a second-level boot program that is used to load the miniroot, installation, and configuration files onto the WAN boot client?

❍ A. ufsboot

❍ B. wanboot-cgi

❍ C. bootlog-cgi

❍ D. wanboot program

❍ E. wan boot miniroot

5. OpenBoot uses configuration information to communicate with this program on the WAN boot server and request a download of the wanboot program from the server. Which of the following services all WAN boot client requests and parses the WAN boot server files and client configuration files into a format that the WAN boot client expects?

❍ A. wanboot program

❍ B. wanboot-cgi

❍ C. bootlog-cgi

❍ D. HTTP


6. On the WAN boot server, where does the wanboot program reside?

❍ A. In an NFS shared (exported) directory on the WAN boot server

❍ B. Either in an NFS shared (exported) directory on the WAN boot server or on the client’s local CD or DVD

❍ C. In the WAN boot server’s document root directory

❍ D. In /etc/netboot on the WAN boot server

7. Which of the following is a file in which you specify the configuration information and security settings (file paths, encryption type, signing policies) that are required to perform a WAN boot installation?

❍ A. wanboot

❍ B. wanboot.conf

❍ C. bootlog.conf

❍ D. /etc/netboot

8. Which of the following can be used to supply the operating system during a WAN boot installation?

❍ A. Local CD/DVD

❍ B. A spooled image of the DVD or CDs

❍ C. Flash Archive

❍ D. Any image supported by JumpStart is also supported by WAN boot.

9. Which commands (issued on the WAN boot client) can be used to initiate the WAN boot installation? (Choose two.)

❍ A. ok boot net - install

❍ B. ok boot cdrom -o prompt -F wanboot - install

❍ C. ok boot net - wanboot

❍ D. ok boot net

❍ E. ok boot -F wanboot - install

10. In terms of a Solaris Live Upgrade, which of the following are examples of shareable file systems? (Choose two.)

❍ A. /

❍ B. /usr

❍ C. swap

❍ D. /export


11. Which of the following are requirements for performing a Solaris Live Upgrade? (Choose two.)

❍ A. Ensure that the system meets current patch requirements.

❍ B. The release of the Live Upgrade software packages must match the release of the OS you are upgrading to.

❍ C. Only SPARC-based systems can use Solaris Live Upgrade.

❍ D. The root (/) file system of the new inactive boot environment must be on the same physical disk as the currently active root (/) file system.

12. Creating a new, inactive boot environment involves copying critical file systems from the active environment to the new boot environment. Which command is used to accomplish this?

❍ A. luactivate

❍ B. lumake

❍ C. lucopy

❍ D. lucreate

❍ E. luupgrade

Answers to Exam Questions

1. A, B, C, D. All the answers describe advantages of a WAN boot installation over a JumpStart installation except answer E. x86/x64-based systems cannot be installed using a WAN boot installation. For more information, see the section “Introduction to WAN Boot.”

2. B, C. Although it’s best if the WAN boot client system’s OpenBoot PROM (OBP) supports WAN boot, it is not a requirement. You can still perform a WAN boot installation by utilizing WAN boot programs from a local CD/DVD. The WAN boot client must have a minimum of 512MB of RAM, and the WAN boot client must have a SPARC II processor or newer. x86/x64-based systems cannot be installed using a WAN boot installation. For more information, see the section “WAN Boot Requirements.”

3. A. The WAN boot server must be running Solaris 9 release 12/03 or higher, it must be configured as a web server, and it must support HTTP 1.1 minimum. The server can be a SPARC or x86-based system. For more information, see the section “WAN Boot Requirements.”

4. D. The wanboot program is a second-level boot program that is used to load the miniroot, installation, and configuration files onto the WAN boot client. The wanboot program performs tasks similar to those that are performed by the ufsboot or inetboot second-level boot programs. For more information, see the section “Understanding the WAN Boot Process.”

5. B. When the WAN boot client is booted, OpenBoot uses configuration information to communicate with the wanboot-cgi program on the WAN boot server and to request a download of the wanboot program from the server. wanboot-cgi is a Common Gateway Interface (CGI) program on the web server that services all client requests. It parses the WAN boot server files and client configuration files into a format that the WAN boot client expects. For more information, see the section “Understanding the WAN Boot Process.”

6. C. The files necessary to perform a WAN boot must be made accessible to the web server by storing them in the WAN boot server’s document root directory. For more information, see the section “Configure the WAN Boot and JumpStart Files.”

7. B. The wanboot.conf file is a text file in which you specify the configuration information and security settings that are required to perform a WAN boot installation. For more information, see the section “The wanboot.conf File.”

8. C. Traditional JumpStart images, such as a spooled image of the CD/DVD that performed a pkgadd-style install, or a local DVD/CD, do not work with WAN boot. Flash Archives are the only format supported. For more information, see the section “WAN Boot Requirements.”

9. A, B. When the OBP supports WAN boot, you use the boot net - install command to boot the WAN boot client. If the OBP does not support WAN boot, you can still boot using the WAN boot programs located on the local CD/DVD as follows: boot cdrom -o prompt -F wanboot - install. For more information, see the section “Booting the WAN Boot Client.”

10. C, D. Shareable file systems are user-defined files such as /export that contain the same mount point in the /etc/vfstab file in both the active and inactive boot environments. Like a shareable file system, all swap slices are shared by default. Shareable file systems are not copied, but they are shared. For more information, see the section “Solaris Live Upgrade Process.”

11. A, B. You must ensure that the system meets current patch requirements before attempting to install and use the Solaris Live Upgrade software on your system. In addition, the release of the Live Upgrade software packages must match the release of the OS you are upgrading to. The disk on the new boot environment must be able to serve as a boot device. However, when you create a new inactive boot environment, the root (/) file system does not need to be on the same physical disk as the currently active root (/) file system, as long as the disk can be used as a boot device. For more information, see the section “Live Upgrade Requirements.”

12. D. Creating a new, inactive boot environment involves copying critical file systems from the active environment to the new boot environment using the lucreate command. For more information, see the section “Creating a New Boot Environment.”

Suggested Reading and Resources

“Solaris Installation Guide: Solaris Live Upgrade and Upgrade Planning,” Sun Microsystems part number 820-4041-11, available at http://docs.sun.com.

“Solaris Installation Guide: Network-Based Installations,” Sun Microsystems part number 820-4040-10, available at http://docs.sun.com.


Chapter 9

Administering ZFS File Systems

Objectives

The following test objectives for exam CX-310-202 are covered in this chapter:

. Describe the Solaris ZFS file system, create new ZFS pools and file systems, modify ZFS file system properties, mount and unmount ZFS file systems, destroy ZFS pools and file systems, work with ZFS snapshots and Clones, and use ZFS datasets with Solaris Zones. In addition, you’ll learn the following about ZFS file systems:

. Why the Solaris ZFS file system is a revolutionary file system when compared to traditional Solaris file systems. You’ll also learn about the features and benefits of ZFS and how ZFS file systems differ from traditional Solaris file systems.

. How to create and remove ZFS pools and ZFS file systems.

. How to view and modify ZFS file system properties.

. Mounting and unmounting ZFS file systems.

. Creating ZFS snapshots.

. Cloning ZFS file systems.

. How to set up a bootable ZFS root file system during the installation of the operating system.

. Using ZFS datasets with Solaris Zones.


Outline

Introduction to ZFS
ZFS Storage Pools
ZFS Is Self-Healing
Simplified Administration
ZFS Terms
ZFS Hardware and Software Requirements
ZFS RAID Configurations
Creating a Basic ZFS File System
Renaming a ZFS File System
Listing ZFS File Systems
Removing a ZFS File System
Removing a ZFS Storage Pool
ZFS Components
Using Disks in a ZFS Storage Pool
Using Files in a ZFS Storage Pool
Mirrored Storage Pools
RAID-Z Storage Pools
Displaying ZFS Storage Pool Information
Adding Devices to a ZFS Storage Pool
Attaching and Detaching Devices in a Storage Pool
Converting a Nonredundant Pool to a Mirrored Pool
Detaching a Device from a Mirrored Pool
Taking Devices in a Storage Pool Offline and Online
ZFS History
ZFS Properties
Setting ZFS Properties
Mounting ZFS File Systems
Legacy Mount Points
Sharing ZFS File Systems
ZFS Web-Based Management GUI
ZFS Snapshots
Creating a ZFS Snapshot
Listing ZFS Snapshots
Saving and Restoring a ZFS Snapshot
Destroying a ZFS Snapshot
Renaming a ZFS Snapshot
Rolling Back a ZFS Snapshot
ZFS Clones
Destroying a ZFS Clone
Replacing a ZFS File System with a ZFS Clone
zpool Scrub
Replacing Devices in a Storage Pool
A ZFS Root File System
Using ZFS for Solaris Zones
Adding a ZFS Dataset to a Nonglobal Zone
Delegating a ZFS Dataset to a Nonglobal Zone
Summary
Key Terms
Apply Your Knowledge
Exercise
Exam Questions
Answers to Exam Questions
Suggested Reading and Resources


Study Strategies

The following strategies will help you prepare for the test:

. Practice the Step By Step examples provided in this chapter on either a SPARC-based or x86-based Solaris system. It is recommended that your Solaris system have at least three spare disks.

. Understand all the ZFS terms described in this chapter, as well as system requirements that are outlined.


Chapter 9: Administering ZFS File Systems

Introduction to ZFS

ZFS is a 128-bit file system that was introduced in the 6/06 update of Solaris 10 in June 2006. ZFS comes from the acronym for “Zettabyte File System,” mainly because “Zetta” was one of the largest SI prefixes. The name referred to the fact that ZFS could store 256 quadrillion zettabytes of data. Since then, we simply call it ZFS, and it is no longer an acronym for anything.

ZFS represents an entirely new approach to managing disk storage space. It revolutionizes the traditional Solaris file systems described in Solaris 10 System Administration Exam Prep (Exam CX-310-200), Part I. ZFS does not replace those traditional file systems, nor is it an improvement on that existing technology, but it is a fundamental new approach to data management. ZFS was designed to be more robust, more scalable, and easier to administer than traditional Solaris file systems.

ZFS allows for 256 quadrillion zettabytes of storage. All metadata is allocated dynamically, so there is no need to preallocate I-nodes or otherwise limit the scalability of the file system when it is first created. All the algorithms were written with scalability in mind. Directories can have up to 256 trillion entries, and no limit exists on the number of file systems or number of files that can be contained within a ZFS file system.

As you learn about ZFS, it’s best to try to forget everything you know about traditional file systems and volume management. ZFS is quite different and much easier to administer.

ZFS Storage Pools

With conventional file systems, we add disks to the system and then divide those disks into one or more file systems. As we add data to a file system, the file system begins to fill up. If we need more space, we manually allocate more space to that file system. Sometimes we allocate too much space to one file system while another file system fills up. To get more free disk space, we either add another disk or take away space from another file system. Taking away space from an existing file system typically requires backing up, destroying, and rebuilding the existing file system.

With ZFS, disk space is not allocated to a file system, much as we do not worry about allocating physical memory when we add DIMMs (dual inline memory modules) to a server. When I add RAM to a server, I don’t partition it and allocate the RAM to each application one chip at a time. I simply install the DIMMs and let the kernel manage it all. That is precisely what ZFS does to the disks installed on a server. ZFS has no slices, no file system consistency checks, no initialization or mount procedures. There is just a pool of disks, and ZFS manages how the storage gets allocated.


ZFS uses storage pools, called “zpools,” to manage physical storage. Block devices (disks or disk slices) make up the zpool. Your server may have one or more zpools.

When I create a ZFS file system, I specify which zpool the file system belongs to. I do not, however, specify the size of the file system. The file system takes data blocks from the zpool as it needs the storage space. I can limit how much space the ZFS file system takes from the zpool, or I simply let ZFS use as much as it needs. When I run out of space in the zpool, I add another block device to increase the size of the zpool. ZFS allocates the space as it is needed. As with the Solaris Volume Manager (SVM), described in Chapter 3, “Managing Storage Volumes,” ZFS file systems can span multiple devices. However, ZFS differs from SVM in that we do not need to allocate blocks of storage to each file system as it is created.

ZFS Is Self-Healing

ZFS is a transactional file system that ensures that data is always consistent. Traditional file systems simply overwrite old data as data changes. ZFS uses copy-on-write semantics, in which live data is never overwritten, and any sequence of operations is either entirely committed or entirely ignored. This mechanism ensures that the ZFS file system can never be corrupted through loss of power or a system crash. In addition, there is no need for an fsck equivalent. The most recently written pieces of data might be lost, but the file system itself is always consistent.

NOTE

ZFS file system: The ZFS transactional file system should not be confused with file system journaling, described in previous chapters. The journaling process, which is used on traditional file systems, records an action in a separate journal. The journal can be replayed if a system crash occurs. The journaling process introduces unnecessary overhead, however, because the data needs to be written twice. This often results in a new set of problems, such as when the journal can’t be replayed properly.

In a ZFS file system, every block is checksummed to prevent silent data corruption.

NOTE

What is a checksum? A checksum is a value used to ensure that data is stored without error. It is derived by calculating the binary value in a block of data using a particular algorithm and storing the calculated results with the data. When data is retrieved, the checksum is recalculated and matched against the stored checksum. If the checksums are the same, the data has not changed. If the checksums are different, the data has been changed, corrupted, or tampered with.

Furthermore, in a replicated (mirrored or RAID) configuration, if one copy is damaged, ZFS detects it and uses another copy to repair it. In a mirrored ZFS file system, ZFS checksums each block as it is returned from disk. If there’s a disparity between the 256-bit checksum and the block, ZFS terminates the request and pulls the block from the other member of the mirror set, matching the checksums and delivering the valid data to the application. In a subsequent operation, the bad block seen on the first disk is replaced with a good copy of the data from the redundant copy, essentially providing a continuous file system check-and-repair operation. Performance is not negatively affected on newer systems, because performance is maintained by delegating a single core of a multicore CPU to perform the checksums.
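The read, verify, and repair cycle described above, as an added shell simulation that is not ZFS code and not part of the original text. Two directories stand in for the two sides of a mirror, SHA-256 stands in for the 256-bit checksum, and every function name is hypothetical.

```shell
#!/bin/sh
# Added illustration, not ZFS code: two directories play the two sides of a
# mirror and SHA-256 plays the 256-bit block checksum. All names are hypothetical.

sha256_of() {                      # print the hex SHA-256 of file $1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

mirror_init() {                    # lay out the toy mirror under directory $1
    SIDE_A=$1/diskA
    SIDE_B=$1/diskB
    SUMS=$1/sums                   # one stored checksum per block
    REPAIRS=$1/repairs.log         # record of every self-healing write
    mkdir -p "$SIDE_A" "$SIDE_B" "$SUMS"
    : > "$REPAIRS"
}

mirror_write() {                   # mirror_write BLOCK DATA
    printf '%s' "$2" > "$SIDE_A/$1"
    cp "$SIDE_A/$1" "$SIDE_B/$1"
    sha256_of "$SIDE_A/$1" > "$SUMS/$1"
}

# mirror_read BLOCK: print the block only after its checksum matches. Any side
# whose copy fails the check is rewritten from the side that passed.
mirror_read() {
    want=$(cat "$SUMS/$1") || return 2
    good=
    for side in "$SIDE_A" "$SIDE_B"; do
        if [ "$(sha256_of "$side/$1" 2>/dev/null)" = "$want" ]; then
            good=$side
            break
        fi
    done
    if [ -z "$good" ]; then        # no redundancy left: fail rather than return bad data
        echo "block $1: no copy matches its checksum" >&2
        return 1
    fi
    for side in "$SIDE_A" "$SIDE_B"; do
        if [ "$(sha256_of "$side/$1" 2>/dev/null)" != "$want" ]; then
            cp "$good/$1" "$side/$1"
            echo "$1 repaired on ${side##*/}" >> "$REPAIRS"
        fi
    done
    cat "$good/$1"
}

demo() {
    d=$(mktemp -d) || return 1
    mirror_init "$d"
    mirror_write b0 'payroll record 42'
    printf 'payroll record 43' > "$SIDE_A/b0"   # constructed silent corruption, one side only
    mirror_read b0; echo
    cat "$REPAIRS"
    rm -rf "$d"
}
demo
```

When both copies fail the check, mirror_read returns an error instead of data, which is the case a nonredundant pool faces on any checksum mismatch.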

Simplified Administration

ZFS greatly simplifies file system administration as compared to traditional file systems. The system administrator will find it easy to create and manage file systems without issuing multiple commands or editing configuration files. You’ll find it easy to mount file systems, set disk quotas, enable file compression, and manage numerous file systems with a single command. All these tasks are described in this chapter.

ZFS Terms

Before I describe how to manage ZFS, Table 9.1 defines some terms that you will need to understand for this chapter.

Table 9.1 ZFS Terminology

Term                  Definition
Checksum              A 256-bit hash of the data in a file system block.
Clone                 A file system with contents that are identical to the contents of a ZFS snapshot.
Dataset               A generic name for the following ZFS entities: clones, file systems, snapshots, and volumes. Each dataset is identified by a unique name in the ZFS namespace. Datasets are identified using the following format: <pool>/<path>[@<snapshot>]. <pool> is the name of the storage pool that contains the dataset. <path> is a slash-delimited pathname for the dataset object. [<snapshot>] is an optional component that identifies a snapshot of a dataset.
Default file system   A file system that is created by default when using Solaris Live Upgrade to migrate from UFS to a ZFS root file system. The current set of default file systems is /, /usr, /opt, and /var.
ZFS file system       A ZFS dataset that is mounted within the standard system namespace and behaves like other traditional file systems.
Mirror                A virtual device, also called a RAID-1 device, that stores identical copies of data on two or more disks.
Pool                  A logical group of block devices describing the layout and physical characteristics of the available storage. Space for datasets is allocated from a pool. Also called a storage pool or simply a pool.
RAID-Z                A virtual device that stores data and parity on multiple disks, similar to RAID-5.
Resilvering           The process of transferring data from one device to another. For example, when a mirror component is taken offline and then later is put back online, the data from the up-to-date mirror component is copied to the newly restored mirror component. The process is also called mirror resynchronization in traditional volume management products.
Shared file systems   The set of file systems that are shared between the alternate boot environment and the primary boot environment. This set includes file systems, such as /export, and the area reserved for swap. Shared file systems might also contain zone roots.
Snapshot              A read-only image of a file system or volume at a given point in time.
Virtual device        A logical device in a pool, which can be a physical device, a file, or a collection of devices.
Volume                A dataset used to emulate a physical device. For example, you can create a ZFS volume as a swap device.

ZFS Hardware and Software Requirements

The system must meet the following requirements before ZFS can be utilized:

. The machine must be a SPARC or x86/x64 system that is running Solaris 10 6/06 release or newer.

. The minimum disk size that can be used in a ZFS environment is 128MB. The minimum amount of disk space for a storage pool is approximately 64MB.

. For good ZFS performance, at least 1GB or more of memory is recommended.

. Multiple controllers are recommended for a mirrored disk configuration, but this is not a requirement.


ZFS RAID Configurations

ZFS supports the following RAID (Redundant Array of Inexpensive Disks) configurations:

. RAID-0: Data is distributed across one or more disks with no redundancy. If a single disk fails, all data is lost.

. RAID-1: Mirrored disks where two or more disks store exactly the same data, at the same time. Data is not lost as long as one mirror set survives.

. RAID-Z: A ZFS redundancy scheme using a copy-on-write policy, rather than writing over old data. Using a dynamic stripe width, every block of data is its own RAID-Z stripe so that every write is a full stripe write. RAID-Z is similar to RAID-5, but RAID-Z eliminates a flaw in the RAID-5 scheme called the RAID-5 write hole.

Creating a Basic ZFS File System

The easiest way to create a basic ZFS file system on a single disk is by using the zpool create command:

# zpool create pool1 c1t1d0<cr>

NOTE

Pool terminology: The terms storage pool, zpool, and pool are used interchangeably. All three terms refer to a logical group of block devices describing the layout and physical characteristics of the available storage in a ZFS file system.

In the previous example, I created a RAID-0 zpool named “pool1” on a 36GB disk named “c1t1d0.” Notice that I did not specify a slice, so the entire 36GB disk is assigned to the zpool.

If the disk has an existing file system, you receive the following error:

invalid vdev specification
use ‘-f’ to override the following errors:
/dev/dsk/c1t1d0s0 contains a ufs filesystem.
/dev/dsk/c1t1d0s2 contains a ufs filesystem.

To force the system to overwrite the file system, type this:

# zpool create -f pool1 c1t1d0<cr>
#

The system returns to the prompt if successful.


When I issue the df -h command, I see that the following /pool1 file system is ready for data:

# df -h<cr>
Filesystem             size   used  avail capacity  Mounted on
rpool/ROOT/s10s_u6wos_07b
                        33G   4.2G    27G    14%    /
/devices                 0K     0K     0K     0%    /devices
ctfs                     0K     0K     0K     0%    /system/contract
proc                     0K     0K     0K     0%    /proc
mnttab                   0K     0K     0K     0%    /etc/mnttab
swap                   985M   1.4M   983M     1%    /etc/svc/volatile
objfs                    0K     0K     0K     0%    /system/object
sharefs                  0K     0K     0K     0%    /etc/dfs/sharetab
fd                       0K     0K     0K     0%    /dev/fd
rpool/ROOT/s10s_u6wos_07b/var
                        33G    67M    27G     1%    /var
swap                   983M     0K   983M     0%    /tmp
swap                   984M    40K   983M     1%    /var/run
rpool/export            33G    20K    27G     1%    /export
rpool/export/home       33G    18K    27G     1%    /export/home
rpool                   33G    94K    27G     1%    /rpool
pool1                   33G    18K    33G     1%    /pool1

The previous zpool create command created a zpool named “pool1” and a ZFS file system in that pool, also named “pool1.” The /pool1 directory should be empty or, better yet, must not exist before the storage pool is created. ZFS creates this directory automatically when the pool is created. As you can see, the ZFS file system is mounted automatically after it is created.

The pool1 pool is 33GB, the entire size of my disk (minus 3GB for overhead). The /pool1 file system has 33GB available. Now, I’ll create another ZFS file system in the same zpool:

# zfs create pool1/data<cr>

I’ve just created a ZFS file system named /pool1/data in the pool1 zpool. The new file system is called a descendant of the pool1 storage pool; pool1 is its parent file system.

A df -h command shows the following information:

<df output has been truncated>
pool1                   33G    18K    33G     1%    /pool1
pool1/data              33G    18K    33G     1%    /pool1/data

Again, the /pool1/data file system has 33GB available. Each of the file systems has access to all the space in the zpool. Now, I’ll create a 1GB file in the /pool1/data file system:

# mkfile 1g /pool1/data/largefile<cr>

The df -h command displays the following storage information for each of the ZFS file systems:

<df output has been truncated>
pool1                   33G    19K    32G     1%    /pool1
pool1/data              33G   925M    32G     3%    /pool1/data


Notice how the available space has decreased for each file system.

The example I’ve shown is a quick and easy way to create a ZFS file system. However, you may want more control over the hierarchy of the file systems, which I’ll describe later.

Renaming a ZFS File System

You can rename a ZFS file system using the zfs rename command. In the following example, the zfs rename command is used to rename the pool1/data file system to pool1/documents:

# zfs rename pool1/data pool1/documents<cr>

Listing ZFS File Systems

List all the active ZFS file systems and volumes on a machine using the zfs list command:

# zfs list<cr>

All the file systems and volumes on this particular system are displayed:

NAME                            USED  AVAIL  REFER  MOUNTPOINT
pool1                           106K  4.89G    18K  /pool1
pool2                           150K  4.89G    18K  none
pool2/data                       18K  4.89G    18K  /export/data
rpool                          4.72G  12.9G  35.5K  /rpool
rpool/ROOT                     3.44G  12.9G    18K  legacy
rpool/ROOT/s10x_u6wos_07b      3.44G  12.9G  3.38G  /
rpool/ROOT/s10x_u6wos_07b/var  67.9M  12.9G  67.9M  /var
rpool/dump                      788M  12.9G   788M  -
rpool/export                     39K  12.9G    21K  /export
rpool/export/home                18K  12.9G    18K  /export/home
rpool/swap                      512M  13.3G  59.5M  -

The information displayed includes the following:

. NAME: The name of the dataset.

. USED: The amount of space consumed by the dataset and all its descendents.

. AVAIL: The amount of space available to the dataset and all its children. This space is shared with all the datasets within that pool. The space can be limited by quotas and other datasets within that pool.

. REFER: The amount of data accessible by this dataset, which might or might not be shared with other datasets in the pool.

. MOUNTPOINT: The mount point used by this file system. If the value is legacy, the file system is mounted manually using the mount command.


To recursively list only the datasets in the pool2 storage pool, use the -r option followed by the pool name:

# zfs list -r pool2<cr>
NAME         USED  AVAIL  REFER  MOUNTPOINT
pool2        150K  4.89G    18K  none
pool2/data    18K  4.89G    18K  /export/data

Removing a ZFS File System

Use the zfs destroy command to remove a ZFS file system.

CAUTION

Destroying data: The zfs destroy and zpool destroy commands destroy data. You receive no confirmation prompt after the command is executed. Make certain that you are destroying the correct file system or storage pool. If you accidentally destroy the wrong file system or pool, you’ll lose data. You can attempt to recover the pool using zpool import, but you risk losing all the data in that pool.

I’ll use the zfs destroy command to remove the /pool1/data file system created earlier:

# zfs destroy pool1/data<cr>

Destroying a file system can fail for the following reasons:

. The file system could be in use and busy.

When a file system is busy, you can forcibly remove it using the -f option. In the following example, I forcibly remove the pool1/data file system:

# zfs destroy -f pool1/data<cr>

CAUTION

The -f option: Use the -f option with caution, because it will unmount, unshare, and destroy active file systems, causing unexpected application behavior.

. The file system has children. In other words, it is a parent file system, and other ZFS file systems are created under it:

pool1              33G   20K   33G   1%   /pool1
pool1/data         33G   19K   33G   1%   /pool1/data
pool1/data/app1    33G   18K   33G   1%   /pool1/data/app1
pool1/data/app2    33G   18K   33G   1%   /pool1/data/app2

For a ZFS file system with children, use the -r option to recursively destroy the parent file system named pool1/data and all its descendants:

# zfs destroy -r pool1/data<cr>

. The ZFS file system has indirect dependents such as clones or snapshots associated with it.

Use the -R option to destroy a file system and all its dependents, but use extreme caution when using this option. You receive no confirmation prompt, and you could remove dependents that you did not know existed. In the following example, I’ll remove the file system named pool1/data and all its dependents:

# zfs destroy -R pool1/data<cr>

NOTE

Object sets: ZFS supports hierarchically structured object sets—object sets within other object sets. A child dataset is dependent on the existence of its parent. A parent cannot be destroyed without first destroying all children. The -R option to the zfs destroy command overrides this and automatically removes the parent and its children.

You can view a dataset’s dependencies by looking at the properties for that particular dataset. For example, the origin property for a ZFS clone displays a dependency between the clone and the snapshot. The zfs destroy command lists any dependencies, as shown in the example when I try to destroy the pool1/data@today snapshot:

# zfs destroy pool1/data@today<cr>
cannot destroy ‘pool1/data@today’: snapshot has dependent clones
use ‘-R’ to destroy the following datasets:
pool1/clone
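Because -R gives no confirmation prompt, it helps to see every dependent before the command runs. The following added example (not from the original text; destroy_closure is a hypothetical helper and the listing is constructed) works out what zfs destroy -R would remove from a name and origin listing, following children, snapshots, and clones.

```shell
#!/bin/sh
# Added example. destroy_closure is a hypothetical helper: it only reads a
# listing and never calls zfs destroy.
# Live input (on the ZFS host):
#   zfs list -H -o name,origin -t filesystem,snapshot,volume | destroy_closure pool1/data
# On Solaris 10 use nawk or /usr/xpg4/bin/awk; /usr/bin/awk lacks functions and -v.

destroy_closure() {    # stdin: "name<TAB>origin" lines; $1: dataset to be destroyed
    awk -F '\t' -v target="$1" '
        # A dataset sits under root if it is root, a child (root/...) or a
        # snapshot (root@...). The separator keeps pool1/database out of pool1/data.
        function under(n, root) {
            return n == root || index(n, root "/") == 1 || index(n, root "@") == 1
        }
        { name[NR] = $1; origin[NR] = $2 }
        END {
            doomed[target] = 1
            do {                       # repeat until no new dependent turns up
                changed = 0
                for (i = 1; i <= NR; i++) {
                    if (name[i] in doomed) continue
                    hit = (origin[i] in doomed)      # clone of a doomed snapshot
                    for (d in doomed) if (under(name[i], d)) hit = 1
                    if (hit) { doomed[name[i]] = 1; changed = 1 }
                }
            } while (changed)
            for (i = 1; i <= NR; i++) if (name[i] in doomed) print name[i]
        }'
}

sample_listing() {     # constructed sample, modelled on the datasets used above
    printf '%s\t%s\n' \
        pool1                    - \
        pool1/data               - \
        pool1/data@today         - \
        pool1/data/app1          - \
        pool1/data/app1@nightly  - \
        pool1/data/app2          - \
        pool1/database           - \
        pool1/clone              pool1/data@today \
        pool1/clone/work         - \
        pool1/scratch            pool1/data/app1@nightly
}

# Everything that "zfs destroy -R pool1/data" would take with it in the sample:
sample_listing | destroy_closure pool1/data
```

In the sample, pool1/scratch lives outside pool1/data but is a clone of one of its snapshots, so it appears in the list; that is the kind of dependent the caution above refers to.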

Removing a ZFS Storage Pool

Use the zpool destroy command to remove an entire storage pool and all the file systems it contains. Earlier in this chapter, I created a storage pool named pool1. I’ll remove pool1 using the following command:

# cd /<cr>
# zpool destroy pool1<cr>

When I destroy the storage pool, everything in that pool is also destroyed. In this example, the /pool1 and /pool1/data ZFS file systems that I created earlier have been removed.

If you accidentally destroy a pool, you can attempt to recover it by using the zpool import command. When you destroy a pool, ZFS marks that pool as destroyed, but nothing is actually erased. This space will get used over time, so the amount of time that this destroyed pool remains available for recovery will vary. List your destroyed pools using the zpool import command with the -D option:

# zpool import -D<cr>

The system responds with this:

  pool: pool1
    id: 11755426293844032183
 state: ONLINE (DESTROYED)
action: The pool can be imported using its name or numeric identifier.
config:

        pool1     ONLINE
          c1t1d0  ONLINE

In the output produced from zpool import, you can identify the pool1 pool that was destroyed earlier. To recover the pool, issue the zpool import command again using the -D and -f options, and specify the name of the pool to be recovered:

# zpool import -Df pool1<cr>

The -f option forces the import of the pool, even if the pool has been destroyed.

Now, list the pool:

# zpool list pool1<cr>
NAME    SIZE   USED  AVAIL  CAP  HEALTH  ALTROOT
pool1  33.8G  50.2M  33.7G   0%  ONLINE  -

The pool has been recovered, and all the data is accessible.

ZFS Components

The following are considered ZFS components:

. Disks

. Files

. Virtual devices

Follow these rules when naming ZFS components:

. Empty components are not permitted.

. Each component can contain only alphanumeric characters in addition to the following:

. Underscore (_)

. Hyphen (-)


. Colon (:)

. Period (.)

. Pool names must begin with a letter, except for the following restrictions:

. The beginning sequence c[0-9] is not allowed.

. The name “log” is reserved and cannot be used.

. A name that begins with “mirror,” “raidz,” or “spare” is not allowed, because these names are reserved.

. Pool names cannot begin with a percent sign (%).

. Dataset names must begin with an alphanumeric character.

. Dataset names must not contain a percent sign (%).
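The naming rules above, written as an added validation routine for scripts that build pool or dataset names from input. It is not from the original text; the function names are hypothetical, and checking the first component of a dataset name against the pool rules is an assumption based on the <pool>/<path>[@<snapshot>] format.

```shell
#!/bin/sh
# Added example: checks names against the naming rules listed above before a
# script hands them to zpool or zfs. Function names are hypothetical.
LC_ALL=C; export LC_ALL            # keep A-Z, a-z, 0-9 ranges strictly ASCII

# valid_component NAME: non-empty, only alphanumerics plus _ - : .
valid_component() {
    case $1 in
        '') return 1 ;;
        *[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    return 0
}

# valid_pool_name NAME: component rules plus the pool-specific restrictions
valid_pool_name() {
    valid_component "$1" || return 1
    case $1 in
        [!A-Za-z]*) return 1 ;;                  # must begin with a letter
        c[0-9]*) return 1 ;;                     # looks like a disk name (c1t1d0)
        log) return 1 ;;                         # reserved
        mirror*|raidz*|spare*) return 1 ;;       # reserved prefixes
    esac
    return 0
}

# valid_dataset_name NAME: <pool>/<path>[@<snapshot>]
# Assumption: the first component is the pool, so it must pass valid_pool_name.
valid_dataset_name() {
    name=$1
    case $name in
        *@*@*) return 1 ;;                       # at most one snapshot suffix
        *@*) snap=${name#*@}
             name=${name%%@*}
             valid_component "$snap" || return 1 ;;
    esac
    case $name in
        ''|/*|*/|*//*) return 1 ;;               # empty components
    esac
    pool=${name%%/*}
    valid_pool_name "$pool" || return 1
    rest=${name#"$pool"}                         # "" or "/a/b/..."
    while [ -n "$rest" ]; do
        rest=${rest#/}
        comp=${rest%%/*}
        valid_component "$comp" || return 1
        rest=${rest#"$comp"}
    done
    return 0
}

# Constructed sample names
for n in pool1 logs log c1pool mirror2 'pool1/data@today' 'pool1//data' 'pool1/da%ta'; do
    if valid_dataset_name "$n"; then echo "ok      $n"; else echo "reject  $n"; fi
done
```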

Using Disks in a ZFS Storage Pool

The most basic element in a storage pool is a physical storage device, which can be either a disk or a slice on a disk. The only requirement is that the device must be at least 128MB in size.

It is recommended that an entire disk be allocated to a storage pool. Although disk slices can be used in storage pools, it makes administration more difficult, and performance could be adversely affected. When using an entire disk for ZFS, there is no need to format the disk. ZFS formats the disk for you using an EFI disk label, and slice 0 encompasses the entire disk. For more information on disk slices and EFI disk labels, refer to Solaris 10 System Administration Exam Prep (Exam CX-310-200), Part I.

Using Files in a ZFS Storage Pool

You can use UFS files as virtual devices in your ZFS storage pool. Use this feature for testing purposes only, because any use of files relies on the underlying file system for consistency. If you create a ZFS pool backed by files on a UFS file system, you are relying on UFS to guarantee correctness and synchronous semantics and not fully utilizing the benefits of ZFS.

I’ll create a ZFS pool on a file located in a UFS file system when I don’t have any physical devices; I’ll do this strictly for testing purposes. The example in Step By Step 9.1 creates a ZFS pool in a UFS file.

STEP BY STEP

9.1 Using a UFS File for a ZFS Storage Pool

1. Use the mkfile command to create an empty file in the /export/home file system. I’ll use the -n option, which only “reserves” the space and does not actually allocate disk blocks to the file system until data is written to the file:

# mkfile -n 200m /export/home/zfsfile<cr>

2. Create a ZFS pool and file system named “tempzfs” on the UFS file:

# zpool create tempzfs /export/home/zfsfile<cr>

3. Verify the status of the new pool:

# zpool status -v tempzfs<cr>

The system displays the following information:

  pool: tempzfs
 state: ONLINE
 scrub: none requested
config:

        NAME                    STATE     READ WRITE CKSUM
        tempzfs                 ONLINE       0     0     0
          /export/home/zfsfile  ONLINE       0     0     0

errors: No known data errors

Mirrored Storage Pools

At least two disks are required for a mirrored storage pool. It’s recommended that each of these disks be connected to separate disk controllers. A storage pool can contain more than one mirror. A two-way mirror consists of two disks, and a three-way mirror consists of three disks.

When creating a mirrored pool, a separate top-level device is created. Use the following command to create a two-way mirror device:

# zpool create pool2 mirror c2t2d0 c2t3d0<cr>

This pool was created using two 5GB disks. The df -h command shows that the following file system has been created:

pool2    4.9G    1K    4.9G    1%    /pool2


RAID-Z Storage Pools

RAID-Z provides a mirrored storage pool, but it also provides single or double parity fault tolerance. Single parity is similar to RAID-5, and double-parity RAID-Z is similar to RAID-6. Like RAID-5, RAID-Z can handle a whole-disk failure, but it can also be more proactive and actually detect and correct any corruption it encounters. When ZFS reads a RAID-Z block, ZFS compares it against its checksum. If the data disks didn’t return the right answer, ZFS reads the parity and then does reconstruction to figure out which disk returned the bad data. It then repairs the damaged disk and returns good data to the application. ZFS also reports the incident through Solaris FMA (Fault Management Architecture) so that the system administrator knows that one of the disks is silently failing.

Use the zpool create command to create a single RAID-Z (single-parity) device that consists of three disks:

# zpool create pool3 raidz c2t2d0 c2t3d0 c2t4d0<cr>

This RAID-Z pool is created from three 5GB disks. The df -h command shows the following information:

pool3    9.8G    24K    9.8G    1%    /pool3

You need at least two disks for a single-parity RAID-Z configuration and at least three disks for a double-parity RAID-Z configuration. Create a double-parity RAID-Z configuration by using the raidz2 keyword:

# zpool create pool3 raidz2 c2t2d0 c2t3d0 c2t4d0<cr>

Displaying ZFS Storage Pool Information

You can display status information about the usage, I/O statistics, and health of your ZFS pools using the zpool list command. To display basic status information about all the storage pools installed on the system, type the following command:

# zpool list<cr>

The system displays this:

NAME    SIZE   USED  AVAIL  CAP  HEALTH  ALTROOT
pool1  9.94G   112K  9.94G   0%  ONLINE  -
pool2  4.97G   111K  4.97G   0%  ONLINE  -
rpool  17.9G  4.27G  13.6G  23%  ONLINE  -

To display information about a specific pool, specify the pool name:

# zpool list pool1<cr>
NAME    SIZE   USED  AVAIL  CAP  HEALTH  ALTROOT
pool1  9.94G   112K  9.94G   0%  ONLINE  -


The information displayed includes the following:

. NAME: The pool’s name.

. SIZE: The pool’s total size. The size represents the total size of all top-level virtual devices.

. USED: The amount of space allocated by all the datasets.

. AVAILABLE: The unallocated space in the pool.

. CAPACITY: The space used, calculated as a percentage of total space.

. HEALTH: The pool’s current health status.

. ALTROOT: The alternate root of the pool if an alternate exists. Alternate root pools are used with removable media, where users typically want a single file system and they want it mounted wherever they choose. An alternate root pool is created using the -R option, as shown in the example where I create a new pool named pool2 using /mnt as the alternate root path.

zpool list shows the following information:

# zpool list<cr>
NAME    SIZE   USED  AVAIL  CAP  HEALTH  ALTROOT
pool2   195M   103K   195M   0%  ONLINE  /mnt
rpool  33.8G  5.30G  28.4G  15%  ONLINE  -
#

In addition, pools can be imported using an alternate root. An example is a recovery situation, where the mount point must not be interpreted in the context of the current root directory, but under some temporary directory where repairs can be made.

Instruct the system to display only specific information about the pool:

# zpool list -o name,size pool1<cr>

The system displays only the name and the total size for pool1:

NAME    SIZE
pool1  9.94G
pool2  4.97G
rpool  17.9G

The following storage pool I/O statistics can also be displayed for each pool:

. USED CAPACITY: The amount of data currently stored in the pool or device.

. AVAILABLE CAPACITY: The amount of space available in the pool or device.


. READ OPERATIONS: The number of read I/O operations sent to the pool or device.

. WRITE OPERATIONS: The number of write I/O operations sent to the pool or device.

. READ BANDWIDTH: The bandwidth of all read operations (including metadata), expressed as units per second.

. WRITE BANDWIDTH: The bandwidth of all write operations, expressed as units per second.

Use the following command to list all the I/O statistics for each storage pool:

# zpool iostat<cr>

The system displays the following:

               capacity     operations    bandwidth
pool         used  avail   read  write   read  write
----------  -----  -----  -----  -----  -----  -----
pool1        112K  9.94G      0      0    240  2.23K
pool2        111K  4.97G      0      0      0    270
rpool       4.27G  13.6G      2      1   183K  16.9K
----------  -----  -----  -----  -----  -----  -----

All the statistics displayed are cumulative since the system was booted. It’s best to specify an interval with the zpool command, where the first line of output is cumulative and the next lines represent activity since the previous stat. The following command displays current stats every 2 seconds until Ctrl+C is pressed:

# zpool iostat pool1 2<cr>

The system displays the following:

               capacity     operations    bandwidth
pool         used  avail   read  write   read  write
----------  -----  -----  -----  -----  -----  -----
pool1        112K  9.94G      0      0    204  1.90K
pool1        112K  9.94G      0      0      0      0
pool1        112K  9.94G      0      0      0      0
pool1        112K  9.94G      0      0      0      0
<Ctrl+C>
#

Last, view the health of the storage pools and devices using the zpool status command. The health of the storage pool is determined by the health of the devices that make up the pool. Use the zpool status command to obtain the health information:

# zpool status <cr>


The system displays the following:

  pool: pool1
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        pool1       ONLINE       0     0     0
          c2t2d0    ONLINE       0     0     0
          c2t3d0    ONLINE       0     0     0

errors: No known data errors

The following two options are available with the zpool status command:

. The -v option displays verbose output. The default is to display verbose output.

. The -x option can be used to display only the status of pools that are exhibiting errors or are otherwise unavailable:

# zpool status -x<cr>
all pools are healthy

The health status of each device falls into one of the following states:

. ONLINE: The device is normal and in good working order. In this state, it’s possible for some transient errors to still occur.

. DEGRADED: The virtual device has experienced a failure, but the device can still function. This state is most common when a mirror or RAID-Z device has lost one or more constituent devices. The pool’s fault tolerance might be compromised, because a subsequent fault in another device might be unrecoverable.

. FAULTED: The virtual device is inaccessible due to a total failure. ZFS is incapable of sending data to it or receiving data from it. If a top-level virtual device is in this state, the pool is inaccessible.

. OFFLINE: The administrator has taken the virtual device offline.

. UNAVAILABLE: The device or virtual device cannot be opened. In some cases, pools with UNAVAILABLE devices appear in DEGRADED mode. If a top-level virtual device is UNAVAILABLE, nothing in the pool can be accessed.

. REMOVED: The device was physically removed while the system was running. Device removal detection is hardware-dependent and might not be supported on all platforms.

The health of the storage pool is determined by the health of all its top-level virtual devices. If all virtual devices are ONLINE, the storage pool is ONLINE. If a virtual device is FAULTED, the pool is also FAULTED.


The following example displays the health status of a pool with a failed disk drive:

# zpool status -x<cr>
  pool: pool1
 state: DEGRADED
status: One or more devices could not be opened. Sufficient replicas exist
        for the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using ‘zpool online’.
   see: http://www.sun.com/msg/ZFS-8000-2Q
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        pool1       DEGRADED     0     0     0
          c2t2d0    ONLINE       0     0     0
          c2t3d0    UNAVAIL      0     0     0  cannot open

errors: No known data errors

Notice the link displayed in the output. This link (http://www.sun.com/msg/ZFS-8000-2Q) points to an online article to visit for more information. It provides up-to-date information on the problem and describes the best recovery procedure.
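The device states above can be checked mechanically from zpool status output. This added example (not from the original text; zpool_findings is a hypothetical helper and the sample output is constructed) flags every device that is not ONLINE and, going one step further, ONLINE devices whose READ, WRITE, or CKSUM counters are nonzero.

```shell
#!/bin/sh
# Added example. zpool_findings is a hypothetical helper: it reads
# "zpool status" text on stdin and prints one line per device needing attention.
#   zpool status | zpool_findings

zpool_findings() {
    awk '
        $1 == "pool:"                  { pool = $2; in_cfg = 0; next }
        $1 == "NAME" && $2 == "STATE"  { in_cfg = 1; next }    # config table starts
        $1 == "errors:" || NF == 0     { in_cfg = 0; next }    # config table ends
        in_cfg && NF >= 5 {
            if ($2 != "ONLINE")
                printf "%s %s state=%s\n", pool, $1, $2
            else if ($3 + $4 + $5 > 0)     # ONLINE but accumulating errors
                printf "%s %s errors read=%s write=%s cksum=%s\n", pool, $1, $3, $4, $5
        }'
}

sample_status() {      # constructed sample, modelled on the output shown above
    cat <<'EOF'
  pool: pool1
 state: DEGRADED
status: One or more devices could not be opened.  Sufficient replicas exist
        for the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        pool1       DEGRADED     0     0     0
          mirror    DEGRADED     0     0     0
            c2t2d0  ONLINE       0     0     0
            c2t3d0  UNAVAIL      0     0     0  cannot open

errors: No known data errors

  pool: pool2
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        pool2       ONLINE       0     0     0
          mirror    ONLINE       0     0     0
            c2t4d0  ONLINE       0     0     3
            c2t5d0  ONLINE       0     0     0

errors: No known data errors
EOF
}

sample_status | zpool_findings
```

The pool2 finding is the case zpool status -x can leave unreported: the pool is healthy by state, yet one disk has returned blocks that failed their checksums.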

Adding Devices to a ZFS Storage Pool

Add more space to a storage pool using the zpool add command. The additional space becomes available immediately to all datasets within the pool.

The following example shows a storage pool named pool1 with a dataset named /pool1/data:

# zfs list -r pool1<cr>
NAME         USED  AVAIL  REFER  MOUNTPOINT
pool1       3.96G   949M    19K  /pool1
pool1/data  3.96G   949M  3.96G  /pool1/data

Storage pool1 currently has a single 5GB disk (c2t2d0).

Add another 5GB disk drive (c2t3d0) to the pool:

# zpool add pool1 c2t3d0<cr>

Another check of the storage pool shows that the size has been increased:

# zfs list -r pool1<cr>
NAME         USED  AVAIL  REFER  MOUNTPOINT
pool1       4.00G  5.78G    19K  /pool1
pool1/data  4.00G  5.78G  4.00G  /pool1/data


A check of the storage pool shows the status of the two disk drives:

# zpool status pool1<cr>
  pool: pool1
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        pool1       ONLINE       0     0     0
          c2t2d0    ONLINE       0     0     0
          c2t3d0    ONLINE       0     0     0

errors: No known data errors

Attaching and Detaching Devices in a Storage Pool

Add another device to a mirrored storage pool using the zpool attach command. The following example shows a two-way mirrored storage pool named pool2 with a dataset named /pool2/docs:

# zfs list -r pool2<cr>
NAME         USED  AVAIL  REFER  MOUNTPOINT
pool2        132K  4.89G    19K  /pool2
pool2/docs    18K  4.89G    18K  /pool2/docs

A check of the storage pool shows the mirror’s status:

# zfs list -r pool2<cr>
NAME         USED  AVAIL  REFER  MOUNTPOINT
pool2        132K  4.89G    19K  /pool2
pool2/docs    18K  4.89G    18K  /pool2/docs
# zpool status pool2<cr>
  pool: pool2
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        pool2       ONLINE       0     0     0
          mirror    ONLINE       0     0     0
            c2t2d0  ONLINE       0     0     0
            c2t3d0  ONLINE       0     0     0

errors: No known data errors


To convert this pool to a three-way mirror, attach another 5GB disk (c2t4d0) to the pool:

# zpool attach pool2 c2t3d0 c2t4d0<cr>

A check of the storage pool shows the mirror’s status:

# zpool status pool2<cr>
  pool: pool2
 state: ONLINE
 scrub: resilver completed after 0h0m with 0 errors on Thu Dec 11 09:26:01 2008
config:

        NAME        STATE     READ WRITE CKSUM
        pool2       ONLINE       0     0     0
          mirror    ONLINE       0     0     0
            c2t2d0  ONLINE       0     0     0
            c2t3d0  ONLINE       0     0     0
            c2t4d0  ONLINE       0     0     0

errors: No known data errors

The three-way mirror is online, and resilvering is complete.

Converting a Nonredundant Pool to a Mirrored Pool

Use the zpool attach command to convert a nonredundant pool into a mirrored (redundant) storage pool. Step By Step 9.2 describes the process.

STEP BY STEP

9.2 Convert a Nonredundant Pool to a Mirrored Storage Pool

1. Create a nonredundant storage pool:

# zpool create mypool c2t2d0<cr>

Verify the pool:

# zpool status mypool<cr>

The system displays this:

  pool: mypool
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        mypool      ONLINE       0     0     0
          c2t2d0    ONLINE       0     0     0

errors: No known data errors

2. Attach a second disk to the pool to create a mirrored (redundant) pool:

# zpool attach mypool c2t2d0 c2t3d0<cr>

Verify the creation of the redundant pool:

# zpool status mypool<cr>
  pool: mypool
 state: ONLINE
 scrub: resilver completed after 0h0m with 0 errors on Thu Dec 11\
09:37:23 2008
config:

        NAME        STATE     READ WRITE CKSUM
        mypool      ONLINE       0     0     0
          mirror    ONLINE       0     0     0
            c2t2d0  ONLINE       0     0     0
            c2t3d0  ONLINE       0     0     0

errors: No known data errors

Notice that the STATE is ONLINE and resilvering is complete.

Detaching a Device from a Mirrored Pool

Use the zpool detach command to detach a device from a mirrored storage pool. For example, in the previous section we created a redundant pool named mypool. The current status is as follows:

# zpool status mypool<cr>
  pool: mypool
 state: ONLINE
 scrub: resilver completed after 0h0m with 0 errors on Thu Dec 11\
        09:37:23 2008
config:

        NAME        STATE     READ WRITE CKSUM
        mypool      ONLINE       0     0     0
          mirror    ONLINE       0     0     0
            c2t2d0  ONLINE       0     0     0
            c2t3d0  ONLINE       0     0     0

errors: No known data errors

To detach the device c2t3d0 and convert the mirror back to a nonredundant pool, issue the zpool detach command:

# zpool detach mypool c2t3d0<cr>

A check of the storage pool shows the status:

# zpool status mypool<cr>
  pool: mypool
 state: ONLINE
 scrub: resilver completed after 0h0m with 0 errors on Thu Dec 11\
        09:37:23 2008
config:

        NAME        STATE     READ WRITE CKSUM
        mypool      ONLINE       0     0     0
          c2t2d0    ONLINE       0     0     0

errors: No known data errors

Notice that the zpool status output shows that a resilvering operation was performed. ZFS did not perform a resilvering operation when the c2t3d0 device was detached. The message refers to the previous resilver operation that was performed when the pool was originally mirrored. The scrub message gets updated only when a ZFS scrub or resilvering operation completes. That message remains until the next operation. Because the detach operation did not perform a scrub, the old message still appears.

NOTE: A device cannot be detached from a nonredundant pool.

Taking Devices in a Storage Pool Offline and Online

To temporarily disconnect a device from a storage pool for maintenance purposes, ZFS allows a device to be taken offline using the zpool offline command. Taking a device offline is not the same as detaching a device, which was described earlier. Offlining a device is meant to be a temporary state, whereas detaching a device is a permanent state.

In the following example, a redundant storage pool named mypool is set up on a server. A check of the status shows the following information about that pool:

# zpool status mypool<cr>
  pool: mypool
 state: ONLINE
 scrub: resilver completed after 0h0m with 0 errors on Thu Dec 11 10:58:07 2008
config:

        NAME        STATE     READ WRITE CKSUM
        mypool      ONLINE       0     0     0
          mirror    ONLINE       0     0     0
            c2t2d0  ONLINE       0     0     0
            c2t3d0  ONLINE       0     0     0

errors: No known data errors

Take the c2t2d0 device offline using the following command:

# zpool offline mypool c2t2d0<cr>

The pool’s status has changed, as displayed by the following zpool status command:

# zpool status mypool<cr>
  pool: mypool
 state: DEGRADED
status: One or more devices has been taken offline by the administrator.
        Sufficient replicas exist for the pool to continue functioning in a degraded state.
action: Online the device using 'zpool online' or replace the device with\
        'zpool replace'.
 scrub: resilver completed after 0h0m with 0 errors on Thu Dec 11\
        10:58:07 2008
config:

        NAME        STATE     READ WRITE CKSUM
        mypool      DEGRADED     0     0     0
          mirror    DEGRADED     0     0     0
            c2t2d0  OFFLINE      0     0     0
            c2t3d0  ONLINE       0     0     0

errors: No known data errors

The offline state is persistent, and this device remains offline even after the system has been rebooted.

While the device is offline, data can still be written to the mypool storage pool. All the data gets written to the c2t3d0 device, and there is no redundancy.

To bring the c2t2d0 device back online, issue the following command:

# zpool online mypool c2t2d0<cr>

A device can be brought back online while the file system is active. When a device is brought back online, any information that was previously written to the storage pool is resynchronized to the newly available device.

NOTE (Offlining a device): Note that you cannot use device onlining to replace a disk. If you offline a device, replace the drive, and try to bring it online, the device remains in a faulted state.
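The following added example (not from the book) turns the zpool status output discussed above into a check a monitoring job can run: it reports mirrors left with a single online member, devices that are not ONLINE, and pools built on a single disk. The sample text is constructed from the output shown above, and the function names are this example's own.

```python
import re

# Constructed sample: the DEGRADED mypool status shown above, re-aligned.
SAMPLE = """\
  pool: mypool
 state: DEGRADED
status: One or more devices has been taken offline by the administrator.
 scrub: resilver completed after 0h0m with 0 errors on Thu Dec 11 10:58:07 2008
config:

        NAME        STATE     READ WRITE CKSUM
        mypool      DEGRADED     0     0     0
          mirror    DEGRADED     0     0     0
            c2t2d0  OFFLINE      0     0     0
            c2t3d0  ONLINE       0     0     0

errors: No known data errors
"""

# One config row: indentation, name, state, then READ/WRITE/CKSUM counters.
ROW = re.compile(r"^(\s*)(\S+)\s+([A-Z]+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_zpool_status(text):
    """Return {pool: {"state": str, "rows": [row, ...]}} from zpool status text."""
    pools, pool, in_config = {}, None, False
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "pool":
            pool = pools.setdefault(value.strip(), {"state": None, "rows": []})
            in_config = False
        elif key == "state" and pool is not None and not in_config:
            pool["state"] = value.strip()
        elif key == "config":
            in_config = True
        elif key == "errors":
            in_config = False
        elif in_config and pool is not None:
            m = ROW.match(line)
            if m and m.group(2) != "NAME":      # skip the column header
                pool["rows"].append({
                    "name": m.group(2), "state": m.group(3),
                    "indent": len(m.group(1)),
                    "errors": any(c != "0" for c in m.group(4, 5, 6)),
                })
    # Indentation encodes the hierarchy: pool -> mirror -> member disks.
    for pool in pools.values():
        stack = []  # indexes of the rows that enclose the current row
        for i, row in enumerate(pool["rows"]):
            while stack and pool["rows"][stack[-1]]["indent"] >= row["indent"]:
                stack.pop()
            row["parent"] = stack[-1] if stack else None
            stack.append(i)
    return pools


def redundancy_findings(text):
    """List (pool, issue, device) tuples for anything that weakens the pool."""
    findings = []
    for pname, pool in parse_zpool_status(text).items():
        rows = pool["rows"]
        for i, row in enumerate(rows):
            kids = [r for r in rows if r["parent"] == i]
            if kids:  # the pool row itself or a grouping vdev such as "mirror"
                if row["parent"] is not None and row["name"].startswith("mirror"):
                    online = [k["name"] for k in kids if k["state"] == "ONLINE"]
                    if len(online) < 2:
                        findings.append((pname, "mirror-without-redundancy",
                                         ",".join(online)))
                continue
            if row["state"] != "ONLINE":
                findings.append((pname, "device-" + row["state"].lower(),
                                 row["name"]))
            if row["errors"]:
                findings.append((pname, "device-errors", row["name"]))
            if row["parent"] == 0:  # disk directly under the pool: no mirror
                findings.append((pname, "single-disk-vdev", row["name"]))
    return findings


if __name__ == "__main__":
    for finding in redundancy_findings(SAMPLE):
        print(*finding)
```

Because the offline state persists across reboots, a check like this keeps reporting the pool until the device is brought back online.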

ZFS History

The system administrator can view all the operations that have been performed on a ZFS pool by viewing the history. Use the zpool history command:

# zpool history pool2<cr>

The system displays all the history for that pool:

History for 'pool2':
2009-02-22.13:33:34 zpool create -R /mnt pool2 /export/home/zfsfile
2009-02-22.15:49:28 zpool attach pool2 /export/home/zfsfile /export/home/mirror
2009-02-22.15:50:29 zpool detach pool2 /export/home/mirror
2009-02-22.15:55:34 zpool scrub pool2
2009-02-22.15:56:24 zpool attach pool2 /export/home/zfsfile /export/home/mirror
2009-02-22.15:56:47 zpool detach pool2 /export/home/mirror
2009-02-22.15:59:13 zpool scrub pool2

Use the -l option to display the log records in long format:

# zpool history -l pool2<cr>
History for 'pool2':
2009-02-22.13:33:34 zpool create -R /mnt pool2 /export/home/zfsfile [user\
root on server:global]
2009-02-22.15:49:28 zpool attach pool2 /export/home/zfsfile\
/export/home/mirror [user root on server:global]
2009-02-22.15:50:29 zpool detach pool2 /export/home/mirror [user root on\
server:global]
2009-02-22.15:55:34 zpool scrub pool2 [user root on server:global]
2009-02-22.15:56:24 zpool attach pool2 /export/home/zfsfile\
/export/home/mirror [user root on server:global]
2009-02-22.15:56:47 zpool detach pool2 /export/home/mirror [user root on\
server:global]
2009-02-22.15:59:13 zpool scrub pool2 [user root on server:global]

The -i option displays internally logged ZFS events in addition to user-initiated events.
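As an added example (not part of the book), the script below parses zpool history -l records into timestamp, command, user, host, and zone, lists the operations that remove redundancy or discard data, and measures how long the pool ran after each zpool detach before the next zpool attach. The sample records are the ones shown above with the wrapped lines joined; which subcommands to flag is an assumption of the example, and the timing logic assumes a single two-way mirror.

```python
import re
from datetime import datetime

# Constructed sample: the `zpool history -l pool2` records shown above,
# with the book's wrapped lines joined back together.
SAMPLE = """\
History for 'pool2':
2009-02-22.13:33:34 zpool create -R /mnt pool2 /export/home/zfsfile [user root on server:global]
2009-02-22.15:49:28 zpool attach pool2 /export/home/zfsfile /export/home/mirror [user root on server:global]
2009-02-22.15:50:29 zpool detach pool2 /export/home/mirror [user root on server:global]
2009-02-22.15:55:34 zpool scrub pool2 [user root on server:global]
2009-02-22.15:56:24 zpool attach pool2 /export/home/zfsfile /export/home/mirror [user root on server:global]
2009-02-22.15:56:47 zpool detach pool2 /export/home/mirror [user root on server:global]
2009-02-22.15:59:13 zpool scrub pool2 [user root on server:global]
"""

# timestamp, command line, then "[user <name> on <host>:<zone>]"
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}\.\d{2}:\d{2}:\d{2}) (?P<cmd>.+?)"
    r" \[user (?P<user>\S+) on (?P<host>[^:\]]+):(?P<zone>[^\]]+)\]$")

# Assumption of this example: the subcommands worth a reviewer's attention.
# All four are commands described in this chapter.
SENSITIVE = {("zpool", "detach"), ("zpool", "offline"),
             ("zfs", "destroy"), ("zfs", "rollback")}


def parse_history(text):
    """Return one dict per long-format record; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # "History for ..." header or a line in another layout
        records.append({
            "time": datetime.strptime(m.group("ts"), "%Y-%m-%d.%H:%M:%S"),
            "argv": m.group("cmd").split(),
            "user": m.group("user"),
            "host": m.group("host"),
            "zone": m.group("zone"),
        })
    return records


def sensitive_events(records):
    """Records whose command and subcommand are in SENSITIVE."""
    return [r for r in records if tuple(r["argv"][:2]) in SENSITIVE]


def unmirrored_seconds(records):
    """Seconds from each `zpool detach` to the next `zpool attach`.

    A trailing None means the log ends with the device still detached.
    """
    gaps, detached_at = [], None
    for r in records:
        verb = tuple(r["argv"][:2])
        if verb == ("zpool", "detach") and detached_at is None:
            detached_at = r["time"]
        elif verb == ("zpool", "attach") and detached_at is not None:
            gaps.append(int((r["time"] - detached_at).total_seconds()))
            detached_at = None
    if detached_at is not None:
        gaps.append(None)
    return gaps


if __name__ == "__main__":
    history = parse_history(SAMPLE)
    for r in sensitive_events(history):
        print(r["time"], r["user"], r["host"], r["zone"], " ".join(r["argv"]))
    print("unmirrored windows (s):", unmirrored_seconds(history))
```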

ZFS Properties

When you create ZFS file systems, a default set of properties control the behavior of the file systems and volumes. These properties are divided into two types: native and user-defined.

Native properties either export internal statistics or control ZFS file system behavior. In addition, native properties are either read-only or settable. User properties have no effect on ZFS file system behavior, but you can use them to annotate datasets in a way that is meaningful in your environment.

Many settable properties are inherited from the parent and are propagated to its descendants. All inheritable properties have an associated source indicating how the property was obtained. The source can have the following values:

. default: A value of default means that the property setting was not inherited or set locally. This source is a result of no ancestor’s having the property as source local.

. local: A local source indicates that the property was explicitly set on the dataset by using the zfs set command.

. inherited from <dataset-name>: <dataset-name> specifies where that property was inherited.

ZFS dataset properties are managed using the zfs set, zfs inherit, and zfs get commands. Use the zfs get command with the all keyword to view all the dataset properties for the storage pool named pool1:

# zfs get all pool1<cr>

The system displays the list of properties:

NAME   PROPERTY       VALUE                 SOURCE
pool1  type           filesystem            -
pool1  creation       Mon Dec 8 14:39 2008  -
pool1  used           136K                  -
pool1  available      9.78G                 -
pool1  referenced     20K                   -
pool1  compressratio  1.00x                 -
pool1  mounted        yes                   -
pool1  quota          none                  default
<the list has been truncated>

Table 9.2 lists some of the more common native read-only ZFS file system properties. These properties cannot be set, nor are they inherited. For a complete set of ZFS properties, see the ZFS man pages by typing man zfs at the command prompt.

Table 9.2 Native Read-Only ZFS Properties

Property Name   Description
available       The amount of space available to the dataset and all its children, assuming no other activity in the pool.
compressratio   A read-only property that identifies the compression ratio achieved for this dataset.
creation        The time when the dataset was created.
mounted         For file systems, indicates whether the file system is currently mounted. This property can be either yes or no.
origin          For cloned file systems or volumes, the snapshot from which the clone was created.
type            The type of dataset: filesystem, volume, snapshot, or clone.
used            The amount of space consumed by this dataset and all its descendents.

Table 9.3 lists the settable ZFS properties. These are properties whose values can be both retrieved and set. These properties are set using the zfs set command, described later in this section. Most of these properties are inherited from the parent, with the exception of “quota” and “reservation.”

Table 9.3 Settable ZFS Properties

Property Name   Default Value   Description
aclinherit      secure          Controls how ACL entries are inherited when files and directories are created.
aclmode         groupmask       Controls how an ACL is modified during chmod.
atime           on              Controls whether the access time for files is updated when they are read.
canmount        on              If this property is set to off, the file system cannot be mounted by using the zfs mount or zfs mount -a command.
checksum        on              Controls the checksum used to verify data integrity.
compression     off             Controls the compression algorithm used for this dataset.
devices         on              Controls whether device nodes can be opened on this file system.
exec            on              Controls whether processes can be executed from within this file system.
mountpoint      N/A             Controls the mount point used for this file system.
quota           none            Limits the amount of space a dataset and its descendents can consume. This property enforces a hard limit on the amount of space used.
readonly        off             Controls whether this dataset can be modified.
recordsize      128K            Specifies a suggested block size for files in the file system.
reservation     none            The minimum amount of space guaranteed to a dataset and its descendents.
setuid          on              Controls whether the set-UID bit is respected for the file system.
sharenfs        off             Controls whether the file system is shared via NFS, and what options are used. A file system with a sharenfs property of off is managed through traditional tools such as share, unshare, and dfstab.
snapdir         hidden          Controls whether the .zfs directory is hidden or visible in the root of the file system, as discussed in the “ZFS Snapshots” section.
volsize         8Kbytes         For volumes, specifies the volume’s logical size.
zoned           off             Controls whether the dataset is managed from a nonglobal zone.

In addition to the native properties that have been described, ZFS supports arbitrary user properties. The user properties have no effect on the ZFS behavior, but they can be used to annotate datasets with meaningful information. The user properties must conform to the following rules:

. Contain a colon (:) character to distinguish them from native properties.

. Contain lowercase letters, numbers, and the following punctuation characters: :, +, ., _.

. The maximum user property name is 256 characters.

Typically, the property name is divided into the following two components, but this namespace is not enforced by ZFS:

<module>:<property>

. Arbitrary strings that are always inherited and are never validated.

. The maximum user property value is 1,024 characters.

Here are two examples of user properties:

dept:users=finance
backup:frequency=daily

Setting ZFS Properties

You can modify any of the ZFS settable properties using the zfs set command. The syntax is as follows:

zfs set <property>=<value>

Only one property can be set or modified during each zfs set invocation.

The following command sets the file system quota to 25GB. This prevents the pool1/data file system from using all the space in the pool:

# zfs set quota=25G pool1/data<cr>

View a specific property using the following command:

# zfs get quota pool1/documents<cr>

The system displays the following:

NAME             PROPERTY  VALUE  SOURCE
pool1/documents  quota     25G    local

In this example, I’ll create a user-definable property named backup:frequency and set the value to daily:

# zfs set backup:frequency=daily pool1/documents<cr>

Now I’ll use the -s option to list the properties by source type. The valid source types are local, default, inherited, temporary, and none. The following example uses the -s option to list only properties that were set locally on pool1:

# zfs get -s local all pool1/documents<cr>

The system displays this:

NAME             PROPERTY          VALUE  SOURCE
pool1/documents  quota             25G    local
pool1/documents  backup:frequency  daily  local

The following illustrates how properties are inherited. In this example, I have a storage pool named pool1 and a ZFS file system in that pool named pool1/documents. I’ll start by setting the compression property on the storage pool named pool1:

# zfs set compression=on pool1<cr>

NOTE (Compression): In addition to reducing space usage by two to three times, compression reduces the amount of I/O by two to three times. For this reason, enabling compression actually makes some workloads go faster.

Use the -r option to recursively display the compression property for all the children of the pool1 dataset:

# zfs get -r compression pool1<cr>

The system displays only the compression property:

NAME             PROPERTY     VALUE  SOURCE
pool1            compression  on     local
pool1/documents  compression  off    local

Notice that compression is set to on for pool1 but is set to off for pool1/documents, which was a previously created dataset.

Now, I’ll create two new file systems in pool1:

# zfs create pool1/bill<cr>
# zfs create pool1/data<cr>

Check the compression property for all the datasets in pool1:

# zfs get -r compression pool1<cr>

The system displays the following information. Notice that compression in pool1/bill and pool1/data was automatically set to on:

NAME             PROPERTY     VALUE  SOURCE
pool1            compression  on     local
pool1/bill       compression  on     inherited from pool1
pool1/data       compression  on     inherited from pool1
pool1/documents  compression  off    local

The compression property for both datasets was inherited from pool1.

When you issue the zfs inherit command, the compression property goes back to its default value for all the datasets:

# zfs inherit compression pool1<cr>
# zfs get -r compression pool1<cr>

The system displays the following:

NAME             PROPERTY     VALUE  SOURCE
pool1            compression  off    default
pool1/bill       compression  off    default
pool1/data       compression  off    default
pool1/documents  compression  off    local

Notice that compression=off for all the datasets in pool1. The use of the -r option clears the current property setting for all descendant datasets. Therefore, you can use the zfs inherit command to clear a property setting for all the datasets in a pool.

Setting the compression property again automatically sets it for all the datasets except pool1/documents:

# zfs set compression=on pool1<cr>
# zfs get -r compression pool1<cr>

The system displays the following:

NAME             PROPERTY     VALUE  SOURCE
pool1            compression  on     local
pool1/bill       compression  on     inherited from pool1
pool1/data       compression  on     inherited from pool1
pool1/documents  compression  off    local

Mounting ZFS File Systems

As you can see by now, a ZFS file system is automatically mounted when it is created. It is not necessary to manually mount a ZFS file system, as was required with traditional file systems. At boot time, ZFS file systems are automatically mounted by SMF via the svc://system/filesystem/local service. It is not necessary to make an entry in the /etc/vfstab file for a ZFS file system to be mounted at boot time.

Use the zfs mount command to list all currently mounted file systems that are managed by ZFS:

# zfs mount<cr>
rpool/ROOT/s10x_u6wos_07b      /
rpool/ROOT/s10x_u6wos_07b/var  /var
rpool/export                   /export
rpool/export/home              /export/home
rpool                          /rpool
pool2/data                     /export/data
pool1                          /mnt

ZFS uses the value of the mountpoint property when mounting a ZFS file system. For example, the mountpoint property for the pool2/data file system can be displayed as follows:

# zfs get mountpoint pool2/data<cr>
NAME        PROPERTY    VALUE        SOURCE
pool2/data  mountpoint  /pool2/data  default

The ZFS file system is automatically mounted on /pool2/data, as shown in the output from the following df -h command:

pool2/data 4.9G 18K 4.9G 1% /pool2/data

When the pool2/data file system was created, the mountpoint property was inherited. However, a file system’s mount point can be changed simply by changing the mountpoint property. For example, change the mount point on pool2/data to /export/data:

# zfs set mountpoint=/export/data pool2/data<cr>

Whenever the mountpoint property is changed, the file system is automatically unmounted from the old mount point and remounted to the new mount point.

Now the df -h command shows the following information:

pool2/data 5128704 18 5128563 1% /export/data

Notice how I was able to change the mount point to /export/data without creating the /export/data directory. ZFS creates the mount point directories as needed and removes them when they are no longer needed.

Mounted ZFS file systems can be unmounted manually using the zfs umount command. For example, to unmount the /export/data file system, issue the following command:

# zfs umount /export/data<cr>

The file system can be mounted as follows:

# zfs mount pool2/data<cr>

Notice how the dataset name is specified (pool2/data) rather than the mountpoint property value /export/data.

The mountpoint property could be set to none, preventing the file system from being mounted:

# zfs set mountpoint=none pool2<cr>

Now, /pool2 does not show up when the df -h command is executed. This can be useful for the following reason. When I create a ZFS file system using the following command:

# zpool create pool1<cr>
# zfs create pool1/data<cr>

Two file systems are created: /pool1 and /pool1/data. I typically don’t want users putting files directly into the top-level file system named /pool1. Therefore, I simply don’t mount /pool1 by setting the mountpoint property to none. With the mountpoint property set to none, the /pool1 file system does not get mounted. A listing of the system’s file systems shows the following:

# df -h<cr>
Filesystem             size   used  avail capacity  Mounted on
rpool/ROOT/s10x_u6wos_07b
                        18G   3.4G    13G    22%    /
/devices                 0K     0K     0K     0%    /devices
ctfs                     0K     0K     0K     0%    /system/contract
proc                     0K     0K     0K     0%    /proc
mnttab                   0K     0K     0K     0%    /etc/mnttab
swap                   862M   924K   861M     1%    /etc/svc/volatile
objfs                    0K     0K     0K     0%    /system/object
sharefs                  0K     0K     0K     0%    /etc/dfs/sharetab
fd                       0K     0K     0K     0%    /dev/fd
rpool/ROOT/\
s10x_u6wos_07b/var
                        18G    70M    13G     1%    /var
swap                   861M    84K   861M     1%    /tmp
swap                   861M    28K   861M     1%    /var/run
rpool/export            18G    21K    13G     1%    /export
rpool/export/home       18G    18K    13G     1%    /export/home
rpool                   18G    35K    13G     1%    /rpool

The descendants of pool1 inherited the mountpoint property, so /pool1/data also was set to none:

# zfs get -r mountpoint pool1<cr>
NAME        PROPERTY    VALUE  SOURCE
pool1       mountpoint  none   local
pool1/data  mountpoint  none   inherited from pool1

Therefore, I’ll change the pool1/data mountpoint property to /pool1/data:

# zfs set mountpoint=/pool1/data pool1/data<cr>

Now, /pool1 is not mounted and /pool1/data is mounted:

# df -h<cr>
Filesystem  size  used  avail  capacity  Mounted on
<output has been truncated>
pool1/data  4.9G  18K   4.9G   1%        /pool1/data

ZFS mount properties can be changed temporarily. Temporary properties revert to their original settings when the file system is unmounted. In the following example, the readonly property is temporarily changed to on for a file system that is currently mounted:

# zfs mount -o remount,ro pool2/data<cr>

To temporarily change a property on a file system that is currently mounted, you must use the special remount option.

Display the readonly property using the following command:

# zfs get readonly pool2/data<cr>

The readonly value is displayed:

NAME        PROPERTY  VALUE  SOURCE
pool2/data  readonly  on     temporary

Legacy Mount Points

File systems can also be managed through the legacy mount command and the /etc/vfstab file. If you set the file system’s mountpoint property to legacy, ZFS will not automatically mount and manage this file system. The file system must be managed using the legacy commands mount and umount and the /etc/vfstab file. Step By Step 9.3 describes how to set up a ZFS file system using a legacy mount point.

STEP BY STEP
9.3 Set up a Legacy Mount Point for a ZFS File System

1. Find an unused disk that is available for use in a ZFS storage pool.

a. Use the format command to find all the available disks on your system:

# format<cr>
Searching for disks-done

AVAILABLE DISK SELECTIONS:
       1. c0d0 <DEFAULT cyl 2346 alt 2 hd 255 sec 63>
          /pci@0,0/pci-ide@1,1/ide@0/cmdk@0,0
       2. c0d1 <DEFAULT cyl 2557 alt 2 hd 128 sec 32>
          /pci@0,0/pci-ide@1,1/ide@0/cmdk@1,0
       3. c1d1 <DEFAULT cyl 2347 alt 2 hd 255 sec 63>
          /pci@0,0/pci-ide@1,1/ide@1/cmdk@1,0
       4. c2t2d0 <ATA-VBOX HARDDISK-1.0-5.00GB>
          /pci@0,0/pci8086,2829@d/disk@2,0
       5. c2t3d0 <ATA-VBOX HARDDISK-1.0-5.00GB>
          /pci@0,0/pci8086,2829@d/disk@3,0
       6. c2t4d0 <ATA-VBOX HARDDISK-1.0-5.00GB>
          /pci@0,0/pci8086,2829@d/disk@4,0
       7. c2t5d0 <ATA-VBOX HARDDISK-1.0-5.00GB>
          /pci@0,0/pci8086,2829@d/disk@5,0
Specify disk (enter its number):

All the available disks are listed.

b. Check which disks ZFS is using:

# zpool status<cr>
  pool: pool2
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        pool2       ONLINE       0     0     0
          mirror    ONLINE       0     0     0
            c2t4d0  ONLINE       0     0     0
            c2t5d0  ONLINE       0     0     0

errors: No known data errors

  pool: rpool
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        rpool       ONLINE       0     0     0
          c0d0s0    ONLINE       0     0     0

errors: No known data errors

In the output, notice that c2t4d0 and c2t5d0 are in use for the pool2 mirror and that c0d0s0 is in use for rpool.

c. Make sure that none of the disks are being used for traditional file systems by issuing the df -h command and checking for mounted slices, SVM, or Veritas volumes.

2. After verifying that the disk was not being used, I chose c2t2d0. Create a ZFS pool and file system on that disk:

# zpool create pool1 c2t2d0<cr>

Verify that /pool1 is mounted by issuing the df -h command.

3. Change the mountpoint property to legacy:

# zfs set mountpoint=legacy pool1<cr>

The df -h command verifies that the /pool1 file system is no longer mounted.

4. Create a directory for the mount point:

# mkdir /data<cr>

5. Mount the ZFS file system:

# mount -F zfs pool1 /data<cr>

Use the df -h command to verify that the file system is mounted as /data.

6. To automatically mount the ZFS file system at bootup, make the following entry in the /etc/vfstab file:

pool1 - /data zfs - yes -

Legacy mount points must be managed through legacy tools. Any attempt to use ZFS tools will result in an error. Any mount point properties are set explicitly using the mount -o command and by specifying the required mount options.

Sharing ZFS File Systems

ZFS can automatically share file systems as an NFS resource by setting the sharenfs property to on. Using this method, ZFS file systems do not need to be shared using the /etc/dfs/dfstab file or the share command. The sharenfs property is a comma-separated list of options that are passed to the share command. When the sharenfs property is set to off, the file system is not managed by ZFS and can be shared using traditional methods, such as the /etc/dfs/dfstab file. All ZFS file systems whose sharenfs property is not off are shared during boot.

The default is to set all ZFS file systems as unshared. Share a file system using the zfs set command:

# zfs set sharenfs=on pool2/data<cr>

Issue the share command, and you’ll see that the file system is now shared:

# share<cr>

The system displays all active shares:

-               /pool2/data   rw   ""

The sharenfs property is inherited, and file systems are automatically shared on creation if their inherited property is not off. For example, create a new file system:

# zpool create pool2 c2t3d0<cr>

Turn on sharenfs for pool2:

# zfs set sharenfs=on pool2<cr>

Create a new file system under pool2:

# zfs create pool2/data<cr>

List the sharenfs property for pool2 and its descendants:

# zfs get -r sharenfs pool2<cr>

The sharenfs property is inherited, as shown in the output:

NAME        PROPERTY  VALUE  SOURCE
pool2       sharenfs  on     local
pool2/data  sharenfs  on     inherited from pool2

File systems are initially shared writeable. To set them as readonly, change the sharenfs property to readonly:

# zfs set sharenfs=ro pool2/data<cr>

The share command shows the following active shares:

# share<cr>
-               /pool2        rw           ""
-               /pool2/data   sec=sys,ro   ""

ZFS file systems can be unshared using the zfs unshare command:

# zfs unshare pool2/data<cr>

The command unshares the /pool2/data file system.

If the sharenfs property is off, ZFS does not attempt to share or unshare the file system at any time. This setting enables you to administer the NFS resource through traditional means such as the /etc/dfs/dfstab file. For more information on administering NFS, refer to Chapter 2, “Virtual File Systems, Swap Space, and Core Dumps.”
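Because sharenfs and the other settable properties are inherited, a dataset can end up exported over NFS without anyone having set the property on it. The added example below (not from the book) reads zfs get -r output, reports exports and property values that differ from a site policy, and groups them by the dataset whose setting produces them. The policy values, the pool2/scratch dataset, and the setuid and devices rows in the sample are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the layout printed by
#   zfs get -r sharenfs,setuid,devices pool2
# The pool2 and pool2/data sharenfs rows match the output shown above;
# every other row is invented for the example.
SAMPLE = """\
NAME           PROPERTY  VALUE  SOURCE
pool2          sharenfs  on     local
pool2          setuid    on     default
pool2          devices   on     default
pool2/data     sharenfs  on     inherited from pool2
pool2/data     setuid    on     default
pool2/data     devices   on     default
pool2/scratch  sharenfs  on     inherited from pool2
pool2/scratch  setuid    off    local
pool2/scratch  devices   on     default
"""

# Hypothetical site policy: the only dataset meant to be exported, and the
# values expected on data-only file systems.
INTENDED_EXPORTS = {"pool2/data"}
EXPECTED = {"setuid": "off", "devices": "off"}


def parse_zfs_get(text):
    """Parse NAME PROPERTY VALUE SOURCE rows (values without spaces only)."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)  # SOURCE keeps "inherited from <dataset>"
        if len(parts) == 4 and parts[0] != "NAME":
            rows.append(dict(zip(("name", "property", "value", "source"),
                                 (p.strip() for p in parts))))
    return rows


def set_on(row):
    """Dataset on which the effective value was set, or None for a default."""
    source = row["source"]
    if source == "local":
        return row["name"]
    if source.startswith("inherited from "):
        return source[len("inherited from "):]
    return None


def audit(rows):
    """Return (dataset, issue, dataset-where-set) for each policy deviation."""
    findings = []
    for row in rows:
        name, prop, value = row["name"], row["property"], row["value"]
        where = set_on(row)
        if prop == "sharenfs" and value != "off":
            if name not in INTENDED_EXPORTS:
                findings.append((name, "unintended-export", where))
            elif where != name:
                # Turning sharenfs off on the ancestor would unshare this too.
                findings.append((name, "export-relies-on-ancestor", where))
        elif prop in EXPECTED and value != EXPECTED[prop]:
            findings.append((name, prop + "-not-" + EXPECTED[prop], where))
    return findings


def fix_points(findings):
    """Group affected datasets by the dataset where one zfs set covers them.

    Values that come from the default have no owning dataset, so they are
    grouped under the top-level dataset of the pool.
    """
    grouped = defaultdict(list)
    for name, issue, where in findings:
        grouped[(where or name.split("/")[0], issue)].append(name)
    return dict(grouped)


if __name__ == "__main__":
    for (dataset, issue), affected in fix_points(audit(parse_zfs_get(SAMPLE))).items():
        print(f"{issue}: set on {dataset}, affects {', '.join(affected)}")
```

In the sample, pool2/data is an intended export that exists only through inheritance, so sharenfs has to be set locally on it before the property is turned off on pool2.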

ZFS Web-Based Management GUI

Throughout this chapter I’ve described how to manage ZFS from the command line. If you prefer a GUI interface, you can use the ZFS web-based interface to manage ZFS. Use this GUI to perform the following tasks:

. Create a new storage pool

. Add capacity to an existing pool

. Move (export) a storage pool to another system

. Import a previously exported storage pool to make it available on another system

. View information about storage pools

. Create a file system

. Create a volume

. Take a snapshot of a file system or volume

. Roll back a file system to a previous snapshot

You first need to start the SMC web server by executing the following command:

# /usr/sbin/smcwebserver start<cr>

You can set the server to start automatically at bootup by enabling the SMF service:

# /usr/sbin/smcwebserver enable<cr>

Access the Administration console by opening a web browser and entering the following URL:

https://localhost:6789/zfs

The Java Web Console login screen appears, as shown in Figure 9.1.

FIGURE 9.1 Web Console login screen.

At the Java Web Console screen, enter the administrator login and password and then click the Log In button to proceed. The ZFS Administration window appears, as shown in Figure 9.2.

FIGURE 9.2 ZFS administration window.

ZFS Snapshots

A ZFS snapshot is a read-only copy of a ZFS file system. A snapshot can be created quickly, and it initially consumes no space within the pool. The snapshot simply references the data in the file system from which it was created. As the file system from which the snapshot was created changes, the snapshot grows and consumes space in the storage pool. Use the snapshot feature to create backups of live file systems.

ZFS snapshots provide the following features:

. The snapshot persists across reboots.

. The snapshot does not use a separate backing store. However, the snapshot consumes space from the same storage pool as the file system from which it was created.

. Snapshots are created almost instantly.

. Any snapshot can be used to generate a full backup, and any pair of snapshots can be used to generate an incremental backup.

. The number of snapshots that can be taken is virtually unlimited. The theoretical maximum is 2^64.

As you’ll see, snapshots are a great tool for backing up live file systems.

Creating a ZFS Snapshot

Create a snapshot using the zfs snapshot command followed by the name of the snapshot. The snapshot name follows this format:

<filesystem>@<snapname>

or

<volume>@<snapname>

For example, to take a snapshot of the pool2/data file system, the name of the snapshot could be pool2/data@tues_snapshot.

Issue the following command to create the snapshot of the /pool2/data file system:

# zfs snapshot pool2/data@tues_snapshot<cr>

Listing ZFS Snapshots

After creating the snapshot, list all the snapshots on the system by issuing the following command:

# zfs list -t snapshot<cr>
NAME                      USED  AVAIL  REFER  MOUNTPOINT
pool2/data@tues_snapshot     0      -    22K  -

The snapshot is stored in the /pool2/data file system, but you can’t see it because the snapdir property is set to hidden. Change that property to visible:

# zfs set snapdir=visible pool2/data<cr>

Now, when you list the contents of the /pool2/data file system, you see the snapshot directory named .zfs:

# ls -la /pool2/data<cr>
total 15
drwxr-xr-x 6 root root 5 Dec 10 13:01 .
drwxr-xr-x 3 root root 3 Dec 9 20:14 ..
dr-xr-xr-x 3 root root 3 Dec 9 20:14 .zfs
drwxr-xr-x 2 root root 2 Dec 10 12:22 dir1

Change into the snapshot directory:

# cd /pool2/data/.zfs/snapshot/tues_snapshot<cr>

Issue the ls -la command. You see a read-only copy of the /pool2/data file system:

# ls -l<cr>
total 13
drwxr-xr-x 2 root root 2 Dec 10 12:22 dir1
drwxr-xr-x 2 root root 2 Dec 10 12:22 dir2
drwxr-xr-x 2 root root 2 Dec 10 12:22 dir3
-rw-r--r-- 1 root root 0 Dec 10 12:22 foo
-rw-r--r-- 1 root root 0 Dec 10 12:22 foo1
-rw-r--r-- 1 root root 0 Dec 10 12:22 foo2
-rw-r--r-- 1 root root 0 Dec 10 12:22 foo3

This is an exact duplicate of the /pool2/data file system, as it looked when the snapshot was taken earlier. As data is added to and changed in the /pool2/data file system, this snapshot does not change or update. Because it’s a read-only snapshot, you can copy data from this directory, but you cannot modify it.

Saving and Restoring a ZFS Snapshot

A snapshot can be saved to tape or to a disk on the local system or a remote system. Use the zfs send command to save the snapshot to tape:

# zfs send pool2/data@tues_snapshot > /dev/rmt/0<cr>

To retrieve the files from tape, use the zfs recv command:

# zfs recv pool2/data@tues_snapshot < /dev/rmt/0<cr>

This restores the snapshot to the storage pool it came from.

Rather than saving the snapshot to tape, you can save the snapshot to disk on a remote system:

# zfs send pool2/data@tues_snapshot | ssh host2 zfs recv newpool/data<cr>

The snapshot is sent to the remote host named “host2” and is saved in the /newpool/data file system.

Compress a ZFS snapshot stream using the following command:

# zfs send pool2/data@tues_snapshot | gzip > backupfile.gz<cr>

Now the backupfile.gz file can be sent via FTP to another system for a remote backup.

Destroying a ZFS Snapshot

To remove the snapshot from the system, use the zfs destroy command:

# zfs destroy pool2/data@tues_snapshot<cr>

NOTE (Destruction): A dataset cannot be destroyed if snapshots of the dataset exist. In addition, if clones have been created from a snapshot, they must be destroyed before the snapshot can be destroyed.

Renaming a ZFS Snapshot

You can rename a snapshot within the pool and the dataset from which it came using the zfs rename command:

# zfs rename pool2/data@tues_snapshot pool2/data@backup<cr>

List the snapshots on the system to verify the name change:

# zfs list -t snapshot<cr>
NAME               USED  AVAIL  REFER  MOUNTPOINT
pool2/data@backup     0      -    22K  -

Rolling Back a ZFS Snapshot

Roll back a ZFS snapshot to discard all changes made to a file system since a specific snapshot was created. Using the zfs rollback command, the file system reverts to the state at the time the snapshot was taken.

Step By Step 9.4 describes how to revert the /pool2/data file system to the most recent snapshot.

STEP BY STEP

9.4 Roll Back a Snapshot and ZFS File System

In this exercise, we’ll use the zfs rollback command to revert the /pool2/data file system to the most recent snapshot.

1. List the snapshots currently available on the system:

# zfs list -t snapshot<cr>
NAME                       USED  AVAIL  REFER  MOUNTPOINT
pool1/docs@tues_snapshot      0      -    18K  -
pool2/data@backup             0      -    22K  -
pool2/data@tues_snapshot      0      -    22K  -
pool2/data@weds_snapshot      0      -    22K  -

Four snapshots are listed.

2. List the contents of the /pool2/data file system:

# ls -la /pool2/data<cr>
total 12
drwxr-xr-x 5 root root 4 Dec 10 14:31 .
drwxr-xr-x 3 root root 3 Dec 9 20:14 ..
dr-xr-xr-x 3 root root 3 Dec 9 20:14 .zfs
drwxr-xr-x 2 root root 2 Dec 10 12:22 dir1
drwxr-xr-x 2 root root 2 Dec 10 12:22 dir2

3. Roll back the /pool2/data file system to the tues_snapshot:

# zfs rollback pool2/data@tues_snapshot<cr>
cannot rollback to 'pool2/data@tues_snapshot': more recent snapshots exist
use '-r' to force deletion of the following snapshots:
pool2/data@weds_snapshot

The error indicates that there is a more recent backup named weds_snapshot. You can only revert a file system to the most recent snapshot. To use the older tues_snapshot, you need to force ZFS to use the tues_snapshot and remove the weds_snapshot. You do this using the -r option:

# zfs rollback -r pool2/data@tues_snapshot<cr>

4. The zfs list command shows that the weds_snapshot was removed:

# zfs list -t snapshot<cr>
NAME                       USED  AVAIL  REFER  MOUNTPOINT
pool1/docs@tues_snapshot      0      -    18K  -
pool2/data@backup             0      -    22K  -
pool2/data@tues_snapshot      0      -    22K  -

5. List the contents of the /pool2/data file system, and you’ll see that the file system has changed:

# ls -la /pool2/data<cr>
total 15
drwxr-xr-x 6 root root 5 Dec 10 13:01 .
drwxr-xr-x 3 root root 3 Dec 9 20:14 ..
dr-xr-xr-x 3 root root 3 Dec 9 20:14 .zfs
drwxr-xr-x 2 root root 2 Dec 10 12:22 dir1
drwxr-xr-x 2 root root 2 Dec 10 12:22 dir2
drwxr-xr-x 2 root root 2 Dec 10 12:22 dir3

The dir3 directory, which was missing, has been restored.
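zfs rollback -r deletes every snapshot newer than the target without further prompting, so it is worth listing what will be lost before running step 3. The following is an added example, not from the book: rollback_impact reads the output of zfs list -H -t snapshot,filesystem -o name,origin -s creation (oldest first) and reports the snapshots that -r would destroy, plus any clones of them, which would require -R instead. The function name and the sample listing (including the pool2/scratch clone) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report what "zfs rollback -r TARGET" would delete.
#
# On a ZFS host, feed it the real listing (oldest first):
#   zfs list -H -t snapshot,filesystem -o name,origin -s creation \
#       | rollback_impact pool2/data@tues_snapshot

# rollback_impact TARGET
# stdin : lines of "name<TAB>origin", sorted by creation time, oldest first
# stdout: "snapshot<TAB>NAME" for each newer snapshot of the same dataset
#         "clone<TAB>NAME"    for each dataset cloned from one of those
# exit 1 when TARGET does not appear in the listing
rollback_impact() {
    awk -F'\t' -v target="$1" '
        BEGIN { ds = target; sub(/@.*/, "", ds) }   # dataset part of TARGET
        { name[NR] = $1; origin[NR] = $2 }
        $1 == target { at = NR }
        END {
            if (!at) exit 1
            # Snapshots of the same dataset created after the target.
            for (i = at + 1; i <= NR; i++)
                if (index(name[i], ds "@") == 1) {
                    lost[name[i]] = 1
                    print "snapshot\t" name[i]
                }
            # Clones whose origin is one of the snapshots listed above.
            for (i = 1; i <= NR; i++)
                if (origin[i] in lost) print "clone\t" name[i]
        }
    '
}

# Constructed sample listing; pool2/scratch is a hypothetical clone.
sample_listing() {
    printf '%s\t%s\n' \
        pool1/docs@tues_snapshot - \
        pool2/data - \
        pool2/data@backup - \
        pool2/data@tues_snapshot - \
        pool2/data@weds_snapshot - \
        pool2/scratch pool2/data@weds_snapshot
}

# Demonstration on the constructed listing.
sample_listing | rollback_impact pool2/data@tues_snapshot
```

An empty report means the target is already the most recent snapshot and a plain zfs rollback is sufficient.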

ZFS Clones

A snapshot is a read-only point-in-time copy of a file system, and a clone is a writable copy of a snapshot. Clones provide an extremely space-efficient way to store many copies of mostly shared data such as workspaces, software installations, and diskless clients.

A clone is related to the snapshot from which it originated. After a clone is created, the snapshot from which it originated cannot be deleted unless the clone is deleted first.

The zfs clone command is used to specify the snapshot from which to create the clone. In the following example, a clone is created from the snapshot named pool2/data@tues_snapshot:

# zfs clone pool2/data@tues_snapshot pool2/docs<cr>

The zfs list command shows that a new ZFS file system named /pool2/docs has been created:

# zfs list<cr>
NAME                       USED  AVAIL  REFER  MOUNTPOINT
pool1                      133K  4.89G    19K  /pool1
pool1/docs                  18K  4.89G    18K  /pool1/docs
pool1/docs@tues_snapshot      0      -    18K  -
pool2                      168K  4.89G    21K  /pool2
pool2/data                  22K  4.89G    22K  /pool2/data
pool2/data@backup             0      -    22K  -
pool2/data@tues_snapshot      0      -    22K  -
pool2/docs                    0  4.89G    22K  /pool2/docs

The contents are exactly the same as /pool2/data:

# ls -la /pool2/docs<cr>
total 15
drwxr-xr-x 5 root root 5 Dec 10 13:01 .
drwxr-xr-x 4 root root 4 Dec 10 14:46 ..
drwxr-xr-x 2 root root 2 Dec 10 12:22 dir1
drwxr-xr-x 2 root root 2 Dec 10 12:22 dir2
drwxr-xr-x 2 root root 2 Dec 10 12:22 dir3

The clone must be created in the same storage pool that the snapshot is in. When you try to create the clone outside the pool2 storage pool, the following error is reported:

# zfs clone pool2/data@tues_snapshot pool1/data1<cr>
cannot create 'pool1/data1': source and target pools differ

Destroying a ZFS Clone

Destroy a ZFS cloned file system just like you would destroy any other ZFS file system—by using the zfs destroy command:

# zfs destroy pool2/docs<cr>

Clones must be destroyed before the parent snapshot can be destroyed. In the following example, I’ll try to destroy the tues_snapshot before I destroy the file system that was cloned from that snapshot:

# zfs destroy pool2/data@tues_snapshot<cr>
cannot destroy 'pool2/data@tues_snapshot': snapshot has dependent clones
use '-R' to destroy the following datasets: pool2/docs

Replacing a ZFS File System with a ZFS Clone

An active ZFS file system can be replaced by a clone of that file system using the zfs promote command. This feature makes it possible to destroy the “original” file system—the file system that the clone was originally created from. Without clone promotion, you cannot destroy the “original” file system of an active clone.

In the preceding section, I created a clone named /pool2/docs. This clone was created from a snapshot of the /pool2/data file system. To replace the /pool2/data file system with the clone named /pool2/docs, follow the steps described in Step By Step 9.5.

STEP BY STEP

9.5 Replace a ZFS File System with a ZFS Clone

In this exercise, the /pool2/data file system will be replaced by its clone, /pool2/docs.

1. Create a snapshot of the /pool2/data file system:

# zfs snapshot pool2/data@tues_snapshot<cr>

2. Create a clone of the snapshot:

# zfs clone pool2/data@tues_snapshot pool2/docs<cr>

3. Promote the cloned file system:

# zfs promote pool2/docs<cr>

4. Rename the /pool2/data file system:

# zfs rename pool2/data pool2/data_old<cr>

5. Rename the cloned file system:

# zfs rename pool2/docs pool2/data<cr>

6. Remove the original file system:

# zfs destroy pool2/data_old<cr>

zpool Scrub

Cheap disks can fail, so ZFS provides disk scrubbing. Like ECC memory scrubbing, the idea is to read all data to detect latent errors while they’re still correctable. A scrub traverses the entire storage pool to read every copy of every block, validate it against its 256-bit checksum, and repair it if necessary.

The simplest way to check your data integrity is to initiate an explicit scrubbing of all data within the pool. This operation traverses all the data in the pool once and verifies that all blocks can be read. Scrubbing proceeds as fast as the devices allow, although the priority of any I/O remains below that of normal operations. This operation might negatively impact performance, but the file system should remain usable and nearly as responsive while the scrubbing occurs. To initiate an explicit scrub, use the zpool scrub command:

# zpool scrub pool1<cr>

You can stop a scrub that is in progress by using the -s option:

# zpool scrub -s pool1<cr>

Replacing Devices in a Storage Pool

If a disk in a storage pool fails and needs to be replaced, swap out the disk and use the zpool replace command to replace the disk within ZFS.

In the following example, a zpool status shows that mypool is in a DEGRADED state:

# zpool status -x mypool<cr>
  pool: mypool
 state: DEGRADED
status: One or more devices could not be opened. Sufficient replicas exist
        for the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
   see: http://www.sun.com/msg/ZFS-8000-2Q
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        mypool      DEGRADED     0     0     0
          mirror    DEGRADED     0     0     0
            c2t2d0  UNAVAIL      0     0     0  cannot open
            c2t3d0  ONLINE       0     0     0

errors: No known data errors

Notice in the output that the storage pool is a mirror but is in a DEGRADED state. This means that the virtual device has experienced failure but still can function. The zpool status output shows that c2t2d0 is in an UNAVAIL state, which means that the device cannot be opened. The physical disk is either disconnected or has failed. The mirror continues to operate.

The steps for replacing a failed disk in a ZFS pool are as follows:

1. Offline the disk using the zpool offline command.

2. Remove the disk to be replaced.

3. Insert the replacement disk.

4. Run the zpool replace command.

Step By Step 9.6 describes the process of replacing a failed disk in a mirrored storage pool with another disk.

STEP BY STEP

9.6 Replace a Disk in a Mirrored Storage Pool

A mirrored storage pool named mypool has a failing disk drive (c2t2d0). A spare disk (c2t4d0) that is already connected to the system can be used as a replacement. Follow these steps to replace the failing disk with the replacement disk:

1. Take the failed disk offline:

# zpool offline mypool c2t2d0<cr>

2. Replace the failed disk with the good disk:

# zpool replace mypool c2t2d0 c2t4d0<cr>

3. Check the pool’s status:

# zpool status mypool<cr>
  pool: mypool
 state: DEGRADED
 scrub: resilver completed after 0h0m with 0 errors on Fri Dec 12 10:28:51 2008
config:

        NAME           STATE     READ WRITE CKSUM
        mypool         DEGRADED     0     0     0
          mirror       DEGRADED     0     0     0
            replacing  DEGRADED     0     0     0
              c2t2d0   OFFLINE      0     0     1
              c2t4d0   ONLINE       0     0     0
            c2t3d0     ONLINE       0     0     0

errors: No known data errors

Note that the preceding zpool status output might show both the new and old disks under a replacing heading. This text means that the replacement process is in progress and the new disk is being resilvered.

After a few minutes, the zpool status command displays the following:

# zpool status mypool<cr>
  pool: mypool
 state: ONLINE
 scrub: resilver completed after 0h0m with 0 errors on Fri Dec 12 10:28:51 2008
config:

        NAME        STATE     READ WRITE CKSUM
        mypool      ONLINE       0     0     0
          mirror    ONLINE       0     0     0
            c2t4d0  ONLINE       0     0     0
            c2t3d0  ONLINE       0     0     0

errors: No known data errors

Now that the c2t2d0 disk has been offlined and replaced, the physical disk can be removed from the system and replaced.

A ZFS Root File System

New in the Solaris 10 10/08 release is the ability to install and boot from a ZFS root file system. Here are the new features:

. The ability to perform an initial installation where ZFS is selected as the root file system.

. You can use the Solaris Live Upgrade feature to migrate a UFS root file system to a ZFS root file system. In addition, you can use Solaris Live Upgrade to perform the following tasks:

. Create a new boot environment within an existing ZFS root pool.

. Create a new boot environment within a new ZFS root pool.

During the initial installation of the Solaris OS, you’re given the option to install on a UFS or ZFS root file system. Select a ZFS file system, and everything is set up automatically.

The entire installation program is the same as previous releases, with the following exception: A screen prompts you to select either a UFS or ZFS file system:

Choose Filesystem Type

Select the filesystem to use for your Solaris installation

[ ] UFS
[ ] ZFS

After you select the software to be installed, you are prompted to select the disks to create your ZFS storage pool. This screen is similar to those in previous Solaris releases, except for the following text:

For ZFS, multiple disks will be configured as mirrors, so the disk you
choose, or the slice within the disk must exceed the Suggested Minimum value.

You can select the disk or disks to be used for your ZFS root pool. If you select two disks, a mirrored two-disk configuration is set up for your root pool.

After you have selected a disk or disks for your ZFS storage pool, the following screen is displayed:

Configure ZFS Settings

Specify the name of the pool to be created from the disk(s) you have
chosen. Also specify the name of the dataset to be created within the
pool that is to be used as the root directory for the filesystem.

ZFS Pool Name: rpool
ZFS Root Dataset Name: s10s_u6wos_nightly
ZFS Pool Size (in MB): 34731
Size of Swap Area (in MB): 512
Size of Dump Area (in MB): 512
(Pool size must be between 6413 MB and 34731 MB)

[ ] Keep / and /var combined
[X] Put /var on a separate dataset

From this screen you can make changes such as the name of the ZFS pool, dataset names, and pool size. You also can size your swap and dump devices. In addition, you can choose how you want the /var file system created and mounted.

The following is an example of a ZFS root pool after the OS has been installed:

# zfs list<cr>
NAME                            USED  AVAIL  REFER  MOUNTPOINT
rpool                          4.72G  12.9G  35.5K  /rpool
rpool/ROOT                     3.45G  12.9G    18K  legacy
rpool/ROOT/s10x_u6wos_07b      3.45G  12.9G  3.38G  /
rpool/ROOT/s10x_u6wos_07b/var  68.7M  12.9G  68.7M  /var
rpool/dump                      788M  12.9G   788M  -
rpool/export                     39K  12.9G    21K  /export
rpool/export/home                18K  12.9G    18K  /export/home
rpool/swap                      512M  13.3G  59.5M  -

Using ZFS for Solaris Zones

ZFS can be used with Solaris zones, but keep in mind a few points:

. The root file system of a nonglobal zone can reside on ZFS starting with the Solaris 10 10/08 release. Prior to this release, the zonepath of a nonglobal zone should not reside on a ZFS file system.

. The global administrator can add a ZFS file system or a ZFS clone to a nonglobal zone with or without delegating administrative control.

. You can add a ZFS volume as a device to nonglobal zones.

. You cannot associate ZFS snapshots with zones at this time.

. A ZFS file system that is added to a nonglobal zone must have its mountpoint property set to legacy.

. ZFS storage pools cannot be created or modified from within a nonglobal zone.

. Currently you should not add a ZFS dataset to a nonglobal zone when the nonglobal zone is configured. This is due to an existing software bug, 6449301. Instead, add a ZFS dataset after the zone is installed.

Adding a ZFS Dataset to a Nonglobal Zone

A ZFS dataset that has been created in the global zone using the zfs create command can be added as a legacy file system to a nonglobal zone. Step By Step 9.7 describes how to do this.

STEP BY STEP

9.7 Adding a ZFS Dataset to a Nonglobal Zone

1. From the global zone, create a ZFS file system named /pool1/zone1. This dataset will be used as the zonepath for the nonglobal zone that will be created in step 2.

global-zone# zpool create pool1 c2t2d0<cr>
global-zone# zfs create pool1/zone1<cr>
global-zone# chmod 700 /pool1/zone1<cr>

2. Create a nonglobal zone named “testzone”:

global-zone# zonecfg -z testzone<cr>
testzone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:testzone> create<cr>
zonecfg:testzone> set zonepath=/pool1/zone1<cr>
zonecfg:testzone> set autoboot=true<cr>
zonecfg:testzone> add net<cr>
zonecfg:testzone:net> set physical=e1000g1<cr>
zonecfg:testzone:net> set address=192.168.1.196<cr>
zonecfg:testzone:net> end<cr>
zonecfg:testzone> verify<cr>
zonecfg:testzone> commit<cr>
zonecfg:testzone> exit<cr>
global-zone#
global-zone# zoneadm -z testzone verify<cr>
global-zone# zoneadm -z testzone install<cr>

The system responds with this:

Preparing to install zone <testzone>.
Creating list of files to copy from the global zone.
Copying <7505> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <1091> packages on the zone.
Initialized <1091> packages on zone.
Zone <testzone> is initialized.
Installation of these packages generated warnings: <SUNWvboxguest>
The file </pool1/zone1/root/var/sadm/system/logs/install_log> contains a log of the zone installation.
#

3. Make the zone ready, and boot it so that it is running:

global-zone# zoneadm -z testzone ready<cr>
global-zone# zoneadm -z testzone boot<cr>

4. Log in to the zone console, and finalize the installation by completing the system identification phase:

global-zone# zlogin -C testzone<cr>

5. Create a second ZFS file system in the global zone, to be used for the testzone:

global-zone# zfs create pool1/test_data<cr>

6. Set the mountpoint property to legacy:

global-zone# zfs set mountpoint=legacy pool1/test_data<cr>

7. Halt the zone, and add the new ZFS file system to the nonglobal zone:

global-zone# zoneadm -z testzone halt<cr>
global-zone# zonecfg -z testzone<cr>
zonecfg:testzone> add fs<cr>
zonecfg:testzone:fs> set type=zfs<cr>
zonecfg:testzone:fs> set special=pool1/test_data<cr>
zonecfg:testzone:fs> set dir=/export/shared<cr>
zonecfg:testzone:fs> end<cr>
zonecfg:testzone> exit<cr>
#

The pool1/test_data file system has been added and will be mounted in the nonglobal zone as /export/shared.

8. Boot the zone:

global-zone# zoneadm -z testzone boot<cr>

9. Log into the nonglobal zone (testzone), and verify that the file system has been added with the df -h command:

# df -h<cr>
Filesystem        size  used  avail  capacity  Mounted on
/                   0K  494M   4.4G       10%  /
/dev              4.9G  494M   4.4G       10%  /dev
pool1/test_data     0K   18K   4.4G        1%  /export/shared
<output has been truncated>

10. The ZFS file system has been added as a legacy file system mounted as /export/shared. Therefore, when the zfs list command is executed, the nonglobal zone reports that no ZFS datasets are available:

# zfs list<cr>
no datasets available
#

Delegating a ZFS Dataset to a Nonglobal Zone

In the preceding section, a ZFS file system was added to the nonglobal zone as a legacy file system. In that scenario, the global zone administrator is responsible for setting and controlling the properties of that file system. The nonglobal zone administrator has no control over the ZFS properties of that dataset. In fact, to the nonglobal zone administrator, the dataset appears to be a traditional UFS file system.

To add a ZFS file system to a nonglobal zone that can then be administered within the nonglobal zone, the ZFS file system must be delegated to the nonglobal zone. The administrator of the global zone delegates the file system to the nonglobal zone. When the ZFS file system has been delegated, it is visible within the nonglobal zone via the zfs list command. The zone administrator can set ZFS file system properties, as well as create children. In addition, the zone administrator can take snapshots, create clones, and otherwise control the entire file system hierarchy.

To delegate a ZFS dataset to a nonglobal zone, follow the procedure described in Step By Step 9.8.

STEP BY STEP

9.8 Delegate a ZFS Dataset to a Nonglobal Zone

1. Halt the nonglobal zone:

globalzone# zoneadm -z testzone halt<cr>

2. Create the ZFS dataset named /pool1/docs:

global-zone# zfs create pool1/docs<cr>

3. Delegate the ZFS file system to the zone:

# zonecfg -z testzone<cr>
zonecfg:testzone> add dataset<cr>
zonecfg:testzone:dataset> set name=pool1/docs<cr>
zonecfg:testzone:dataset> end<cr>
zonecfg:testzone> exit<cr>

4. Boot the testzone:

global-zone# zoneadm -z testzone boot<cr>

5. Log into the nonglobal zone console, and verify that the ZFS dataset is visible within that zone:

global-zone# zlogin -C testzone<cr>
# zfs list<cr>
NAME         USED  AVAIL  REFER  MOUNTPOINT
pool1        494M  4.41G    19K  /pool1
pool1/docs    19K  4.41G    19K  /pool1/docs

ZFS storage pools cannot be created or modified within a nonglobal zone. For example, in the preceding Step By Step, you cannot set the quota property on the pool1/docs dataset. However, you can create a ZFS file system under the pool1/docs dataset and set the quota property on that file system:

# zfs create pool1/docs/personal<cr>
# zfs set quota=50m pool1/docs/personal<cr>

A pool-level dataset can be added to a zone, but any command that modifies the pool’s physical characteristics is not allowed. This includes adding devices to or removing devices from the pool.

When a dataset is added to a nonglobal zone under the control of a zone administrator, its contents can no longer be trusted. setuid binaries or other questionable contents could compromise the security of the global zone. To address this issue, ZFS uses the zoned property to indicate that the dataset has been delegated to a nonglobal zone. By listing this property on the pool1/docs dataset, we can see that the zoned property was turned on:

# zfs list -o zoned pool1/docs<cr>
ZONED
on

The zoned property is set when the nonglobal zone containing the ZFS dataset is first booted. When the zoned property is set to on, the dataset cannot be mounted or shared in the global zone. When the dataset is removed from the nonglobal zone, or if the zone is destroyed, the zoned property does not get reset to off. The zoned property must be manually cleared by the global administrator if you want to reuse the dataset in any way. Change this property only when you are sure that this dataset is no longer in use by a nonglobal zone.
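Because zoned stays on after a zone is removed, the global administrator needs a way to tell datasets that are still delegated from leftovers whose contents were last written by a zone administrator. The following added example (not from the book) compares zfs list -H -o name,zoned output with the dataset resources reported by zonecfg -z ZONE info dataset and prints the zoned datasets that no configured zone claims. The function names and the sample data, including pool1/old_zone_data, are constructed, and the "name:" line layout of the zonecfg output is assumed.

```shell
#!/bin/sh
# Added example: find datasets with zoned=on that no configured zone uses.
#
# On a global zone the inputs would be gathered like this:
#   deleg=$(for z in $(zoneadm list -c | grep -v '^global$'); do
#               zonecfg -z "$z" info dataset
#           done | delegated_names)
#   zfs list -H -o name,zoned | stale_zoned "$deleg"

# delegated_names
# stdin : concatenated "zonecfg -z ZONE info dataset" output
# stdout: one delegated dataset name per line
delegated_names() {
    awk '$1 == "name:" { print $2 }'
}

# stale_zoned DELEGATED_LIST
# DELEGATED_LIST: newline-separated dataset names still delegated to a zone
# stdin : "name<TAB>zoned" lines from zfs list -H -o name,zoned
# stdout: datasets with zoned=on that are neither delegated nor a
#         descendant of a delegated dataset
stale_zoned() {
    DELEGATED="$1" awk -F'\t' '
        BEGIN { n = split(ENVIRON["DELEGATED"], d, "\n") }
        $2 == "on" {
            covered = 0
            for (i = 1; i <= n; i++)
                if (d[i] != "" && ($1 == d[i] || index($1, d[i] "/") == 1))
                    covered = 1
            if (!covered) print $1
        }
    '
}

# Constructed sample: pool1/old_zone_data belonged to a zone that was
# destroyed; pool1/docs is still delegated to testzone.
sample_zfs_list() {
    printf '%s\t%s\n' \
        pool1 off \
        pool1/docs on \
        pool1/docs/personal on \
        pool1/old_zone_data on \
        pool1/test_data off
}

sample_zonecfg_info() {
    printf 'dataset:\n\tname: pool1/docs\n'
}

# Demonstration on the constructed data.
sample_zfs_list | stale_zoned "$(sample_zonecfg_info | delegated_names)"
```

A reported dataset is one to inspect before it is reused: setting the setuid and exec properties to off before mounting it in the global zone keeps untrusted binaries inert while its contents are reviewed.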

Summary

This chapter has described how to administer ZFS datasets. After reading this chapter, you should understand the advantages of a ZFS file system over traditional file systems. You also should understand how to create and remove a ZFS storage pool and file system.

You learned about the various ZFS configurations: RAID-0, mirrored, and RAID-Z storage pools. You should understand the advantages and disadvantages of each, and you should know how to create each type of storage pool.

You should understand how to display the ZFS datasets installed on your system and be able to identify which types of storage pools have been configured. You should also be able to identify all the components of a ZFS file system.

I also described the various health states of a ZFS dataset. You should know how to view the current state of ZFS datasets on your system, identify problems, and understand how to recover from problems such as a disk failure.

You learned about the properties that are associated with ZFS datasets. You should understand the purpose of these properties, and you should understand how to manage them.

ZFS snapshots were described. You should understand their purpose and how to create a ZFS snapshot, back up and restore a snapshot, list a snapshot, roll back a snapshot, and remove a snapshot. In addition, you should understand how to create a read-only clone and how to promote a clone to make it a writeable ZFS file system.

I described how to install a bootable root (/) ZFS file system during the installation of the OS.

Lastly, the chapter described how to utilize ZFS datasets in nonglobal zones.

There are many more topics to explore with ZFS file systems, but the topics I have covered in this chapter will get you off to a good start. Later, you may want to learn more about troubleshooting and recovering ZFS file systems.

This chapter concludes the study material for the CX-310-202 SCSA exam. I encourage you to use the practice exams on the enclosed CD-ROM to test your knowledge. If you fully understand all the material covered in this book, you should have no problem passing the exam. If you don’t score well on the practice tests, go back and review the topics you are weak in.

Before taking the exam, visit www.UnixEd.com and read up-to-date information about the exams, comments from others who have taken the exams, and test-taking tips. You’ll also find links to additional study materials. You want to be sure you are adequately prepared before spending $300 for the exam.

Key Terms

. Checksum

. Clone

. Dataset

. File system (ZFS)

. Global zone

. Mirror

. NFS

. Nonglobal zone

. Primary boot environment

. RAID-Z

. Resilvering

. Rollback

. Root pool

. Snapshot

. Storage pool

. Virtual device

. Volume

. zpool

Apply Your Knowledge

Exercise

In this exercise, you’ll create a mirrored ZFS file system. In addition, you’ll modify the mountpoint properties to override the default mount point. For this exercise, you’ll need a SPARC or x86-based Solaris system with two additional spare disk drives.

CAUTION

Destructive process: This procedure destroys data on the disk. Be sure you have proper backups if you want to save any data on this system.

Estimated time: 10 minutes

1. Use the format command to identify two spare disk drives. Write down the device names. On my system, I’ve identified spare disks. I’ll use c2t3d0 and c2t4d0 for this exercise.

2. Create the storage pool, and name it mypool:

# zpool create mypool mirror c2t3d0 c2t4d0<cr>

3. Verify that the storage pool has been created and is online:

# zpool status mypool<cr>

4. Create two ZFS file systems in that pool—data1 and data2:

# zfs create mypool/data1<cr>
# zfs create mypool/data2<cr>

5. Set the quota property so that each file system has 50MB of space:

# zfs set quota=50m mypool/data1<cr>
# zfs set quota=50m mypool/data2<cr>

6. Verify that the property has been set on each dataset:

# zfs get quota mypool/data1 mypool/data2<cr>

7. Remove the pool and datasets from the system:

# zpool destroy mypool<cr>

Exam Questions

1. Before you can implement ZFS, you need to make sure that your system meets the requirements for supporting ZFS. Which of the following describe the hardware and software requirements your system must meet before you can implement ZFS? (Choose three.)

❍ A. The minimum disk size is 128MB.

❍ B. The minimum amount of disk space for a storage pool is 64MB.

❍ C. For a mirrored storage pool, the system must have multiple disk controllers.

❍ D. 1GB of RAM is recommended for ZFS.

❍ E. 1GB of RAM is required for ZFS.

2. Which of the following statements are true of Solaris ZFS file systems? (Choose two.)

❍ A. ZFS replaces traditional Solaris file systems.

❍ B. You cannot use ZFS on a bootable root (/) file system.

❍ C. There is no limit on the number of file systems or files that can be contained within a ZFS file system.

❍ D. ZFS can be used on a Solaris 10 system beginning with release 6/06.

3. You have been instructed to create a ZFS file system that meets the following specifications:

. The storage pool is to be named pool1.

. The storage pool will be a nonredundant device and will use c2t2d0 as a device.

. The ZFS file system is to be named docs.

. The ZFS file system must be mounted automatically at each boot.

Which of the following is the correct procedure to create a ZFS file system that meets these specifications?

❍ A. zpool create pool1 c2t2d0; zfs create pool1/docs

❍ B. zfs create pool1/docs c2t2d0

❍ C. zpool create pool1/docs c2t2d0

Make an entry in the /etc/vfstab file.

❍ D. zpool create pool1/docs c2t2d0

4. You have the following ZFS datasets on your system:

NAME         USED  AVAIL  REFER  MOUNTPOINT
pool1        133K  4.89G    19K  /pool1
pool1/docs    18K  4.89G    18K  /pool1/docs

Which command would you use to remove the /pool1/docs dataset?

❍ A. zpool destroy pool1

❍ B. zpool destroy pool1/docs

❍ C. zfs destroy pool1/docs

❍ D. zfs remove pool1/docs

5. When you check the status of your pool, the following information is displayed:

NAME        STATE     READ WRITE CKSUM
mypool      DEGRADED     0     0     0
  mirror    DEGRADED     0     0     0
    c2t2d0  UNAVAIL      0     0     0  cannot open
    c2t3d0  ONLINE       0     0     0

Which of the following describes the most likely problem?

❍ A. The mypool storage pool is unavailable.

❍ B. c2t2d0 has been taken offline.

❍ C. c2t2d0 has failed, but the storage pool is still available.

❍ D. c2t2d0 experienced a failure but still can function.

6. What is the correct sequence of steps required to replace a failed disk in a ZFS storage pool?

❍ A. Insert the replacement disk.

Run the zpool replace command.

❍ B. Offline the disk using the zpool offline command.

Remove the disk to be replaced.

Insert the replacement disk.

Run the zpool replace command.

❍ C. Run the zpool replace command.

Offline the disk using the zpool offline command.

Remove the disk to be replaced.

Insert the replacement disk.

❍ D. Remove the disk to be replaced.

Insert the replacement disk.

7. The following ZFS datasets are available on your system:

NAME         USED  AVAIL  REFER  MOUNTPOINT
pool2        150K  4.89G    18K  none
pool2/data    18K  4.89G    18K  /export/data

Which command would you use to create a ZFS file system named /pool2/docs?

❍ A. zpool create pool2/docs

❍ B. zfs create docs

❍ C. zfs create pool2/docs

❍ D. zfs set mountpoint=/pools/docs pool2

8. You have been instructed to create a three-way mirrored storage pool on a server. The specifications are as follows:

. The following spare devices are available: c1t1d0, c2t1d0, c3t1d0, c4t1d0, c3t2d0, and c3t2d0.

. The storage pool is to be named mypool.

. Create two ZFS file systems in the mirrored storage pool named data and docs.

Which of the following describes the sequence of steps to be taken to create this storage pool?

❍ A. zpool create mypool mirror c1t1d0 c2t1d0 mirror c3t1d0 c3t2d0

zfs create mypool/data

zfs create mypool/docs

❍ B. zpool create mypool mirror c1t1d0 c2t1d0 mirror c3t1d0 c3t2d0

zfs create mirror mypool/data

zfs create mirror mypool/docs

❍ C. zpool create mypool -m3 c1t1d0 c2t1d0 c3t2d0

zfs create mypool/data

zfs create mypool/docs

❍ D. zfs create mypool/data mirror c1t1d0 c2t1d0 mirror c3t1d0 c3t2d0

zfs create mypool/docs mirror c1t1d0 c2t1d0 mirror c3t1d0 c3t2d0

9. The following ZFS datasets exist on your server:

NAME         USED  AVAIL  REFER  MOUNTPOINT
pool1        133K  4.89G    19K  /pool1
pool1/docs    18K  4.89G    18K  /pool1/docs
pool1/data    18K  4.89G    18K  /pool1/data

You need to restrict the amount of storage space that the files in /pool1/docs can consume, and you want to limit the file system to a maximum of 5GB. Which command would you execute?

❍ A. zfs create 5g pool1/docs

❍ B. zfs set reservation=5g pool1/docs

❍ C. zfs create quota=5g mypool/bill

❍ D. zfs set quota=5g mypool/docs

10. The following ZFS datasets exist on your server:

NAME         USED  AVAIL  REFER  MOUNTPOINT
pool1        133K  4.89G    19K  /pool1
pool1/docs    18K  4.89G    18K  /pool1/docs
pool1/data    18K  4.89G    18K  /pool1/data

You want to change the /pool1/docs file system so that the mount point is named /export/docs, and you want this name to be persistent across reboots. Which of the following describes how to make this happen?

❍ A. zfs rename pool1/data /export/docs

❍ B. Change the /etc/vfstab file so that the mount point is set to /export/docs for the pool1/docs dataset.

❍ C. zfs set mountpoint=/export/docs pool1/data

❍ D. The name of the ZFS storage pool (pool1) cannot be changed to /export without destroying the pool and re-creating it with the new name.

11. The following ZFS datasets exist on your server:

NAME         USED  AVAIL  REFER  MOUNTPOINT
pool1        133K  4.89G    19K  /pool1
pool1/docs    18K  4.89G    18K  /pool1/docs
pool1/data    18K  4.89G    18K  /pool1/data

You want to make /pool1 invisible to the users, but you want pool1/docs and pool1/data to be available and visible. Which of the following describes how to make this happen?

❍ A. umount /pool1

❍ B. zfs umount /pool1

❍ C. zfs set mountpoint=none pool1

zfs set mountpoint=/pool1/data pool1/data

❍ D. zfs set mountpoint=none pool1

12. The following ZFS datasets exist on your server:

NAME         USED  AVAIL  REFER  MOUNTPOINT
pool1        133K  4.89G    19K  /pool1
pool1/docs    18K  4.89G    18K  /pool1/docs
pool1/data    18K  4.89G    18K  /pool1/data

The /pool1/data file system contains an active database that must remain operational 24 hours a day, seven days a week. Which of the following is the best way to back up this data on a daily basis without taking down the database?


❍ A. fssnap -F zfs -o bs=/var/tmp /pool1/data

ufsdump 0ucf /dev/rmt/0 /dev/fssnap/0

❍ B. zfs snapshot pool1/data@tues_snapshot

zfs send pool1/data@tues_snapshot > /dev/rmt/0

❍ C. zfs snapshot pool1/data@tues_snapshot

ufsdump 0ucf /dev/rmt/0 pool2/data@tues_snapshot

❍ D. zfs snapshot pool1/data@tues_snapshot

zfs recv pool1/data@tues_snapshot > /dev/rmt/0

13. You’ve been instructed to create a ZFS file system and have been given the following specifications:

. Create the file system on the following devices: c1t1d0, c3t1d0, c4t1d0.

. Name the storage pool “mypool” and the file system “data.”

. Use a RAID-Z dataset.

Which of the following is the correct command to issue?

❍ A. zpool create raidz mypool c1t1d0 c3t1d0 c4t1d0

zfs create mypool/data

❍ B. zpool create mypool/data raidz c1t1d0 c3t1d0 c4t1d0

❍ C. zpool create mypool raidz c1t1d0 c3t1d0 c4t1d0

zfs create mypool/data

❍ D. zpool create mypool c1t1d0 c3t1d0 c4t1d0

zfs create raidz mypool/data

14. Which command displays only the status of pools that are exhibiting errors or are otherwise unavailable?

❍ A. zpool status -x

❍ B. zfs list

❍ C. zfs list -x

❍ D. zpool status -v


15. The following ZFS datasets exist on your server:

NAME         USED  AVAIL  REFER  MOUNTPOINT
pool2        132K  4.89G    19K  /pool2
pool2/docs    18K  4.89G    18K  /pool2/docs

# zpool status pool2<cr>
  pool: pool2
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        pool2       ONLINE       0     0     0
          mirror    ONLINE       0     0     0
            c2t2d0  ONLINE       0     0     0
            c2t3d0  ONLINE       0     0     0

Which command is used to take c2t3d0 out of the storage pool temporarily for maintenance?

❍ A. zfs offline mypool c2t3d0

❍ B. zpool demote mypool c2t3d0

❍ C. zpool detach mypool c2t3d0

❍ D. zpool offline mypool c2t3d0

16. You have been given a snapshot of the pool2/data file system (pool2/data@tues_snapshot), and you have been instructed to create a new file system from this snapshot. The snapshot must be writable, and the new file system must be named /pool2/docs. Which of the following is the command sequence used to build this new file system?

❍ A. zfs rollback pool2/data@tues_snapshot pool2/docs

❍ B. zfs clone pool2/data@tues_snapshot pool2/docs

❍ C. zfs send pool2/data@tues_snapshot

zfs recv pool2/docs

❍ D. zfs clone pool2/data@tues_snapshot pool2/docs

zfs promote pool2/docs


Answers to Exam Questions

1. A, B, D. The minimum disk size that can be used in a ZFS environment is 128MB. The minimum amount of disk space for a storage pool is approximately 64MB. Answer C is incorrect because although multiple controllers are recommended, this is not a requirement. Answer D is correct because 1GB of RAM is recommended. Answer E is incorrect because 1GB of RAM is not required. For more information, see the section “ZFS Hardware and Software Requirements.”

2. C, D. Directories can have up to 2^48 (256 trillion) entries, and no limit exists on the number of file systems or number of files that can be contained within a ZFS file system. Answer D is correct because ZFS was not implemented in Solaris 10 until release 6/06. Answer A is incorrect because ZFS does not replace traditional Solaris file systems. They can be used together. Answer B is incorrect because with Solaris 10 release 10/08, ZFS supports bootable, root (/) file systems. For more information, see the section “Introduction to ZFS.”

3. A. Use the zpool create command to create the storage pool, and use the zfs create command to create the ZFS file system in the storage pool. Answer B is incorrect because zfs create is not used to create a storage pool. Answers C and D are incorrect because you cannot use the zpool command to create both the pool and a dataset in that pool. For more information, see the section “Creating a Basic ZFS file System.”

4. C. Use the zfs destroy command to remove a ZFS file system. Answers A and B are incorrect because the zpool destroy command destroys the entire storage pool. Answer D is incorrect because zfs remove is an invalid command. For more information, see the section “Destroy a ZFS File System.”

5. C. c2t2d0 cannot be opened and has failed. The pool is still available but is no longer fault-tolerant. Answer A is wrong because the pool is still available, but in a degraded state. Answer B is wrong because if the disk was taken offline, it would be marked as offline. Answer D is wrong because the disk, c2t2d0, cannot be opened and cannot function. For more information, see the section “Displaying ZFS Storage Pool Information.”

6. B. Answers A, C, and D do not describe the proper sequence of steps required to replace a failed disk. For more information, see the section “Replacing Devices in a Storage Pool.”

7. C. Use the zfs create command to create a ZFS file system in an existing pool. Answer B is incorrect because it does not specify the pool. Answer A is wrong because the zpool create command is used only to create the initial pool. Answer D is wrong because the zfs set command is used to set a property on an existing file system. For more information, see the section “Creating a Basic ZFS File System.”

8. A. Use the following command to create the three-way mirror: zpool create mypool mirror c1t1d0 c2t1d0 mirror c3t1d0 c3t2d0. Answer B is wrong because zfs create mirror is invalid syntax. Answer C is wrong because -m3 is an invalid option for the zpool command. Answer D is wrong because mirror is an invalid option for the zfs create command. For more information, see the section “Attaching and Detaching Devices in a Storage Pool.”


9. D. Use the zfs set quota=5g command to set the maximum size on a ZFS file system. Answer B is wrong because the reservation property specifies the minimum amount of space guaranteed to a dataset and its descendents and is not used to limit the size of the file system. Answer C is wrong because the file system is already created. For more information, see the section “Setting ZFS Properties.”

10. C. Change a ZFS file system’s mount point by changing the mountpoint property using the zfs set command. Answer A is wrong because you cannot change the name of a storage pool using the zfs rename command. Answer B is wrong because you cannot use the /etc/vfstab file to set a mount point for a ZFS file system that is not set up as a legacy file system. Answer D is wrong because the mount point can be changed using the zfs set command; the pool does not need to be renamed. For more information, see the section “Mounting ZFS File Systems.”

11. C. Answer C is correct because when you set the mountpoint property to none for pool1, all the descendants also become invisible. You then must set the mountpoint property for the descendant to make it visible again. Answer A is wrong because you cannot unmount a ZFS storage pool. Answer B is wrong because if you unmount /pool1, /pool1/data will also be unmounted. Answer D is wrong because if you set the mountpoint to none on pool1, the descendant pool1/data will also be unmounted. For more information, see the section “Mounting ZFS File Systems.”

12. B. Answer A is wrong because the fssnap command syntax is incorrect, and a ZFS snapshot should be used to take a snapshot of a live ZFS file system. Answer C is wrong because the ufsdump command is not used to back up a ZFS snapshot to tape. Answer D is wrong because the zfs send command should be used to save a snapshot to tape, not zfs recv. For more information, see the section “ZFS Snapshots.”

13. C. Answers A and B are wrong because the zpool create command syntax is incorrect. Answer D is wrong because the raidz pool is created with the zpool create command, not the zfs create command. For more information, see the section “RAID-Z Storage Pools.”

14. A. The -x option can be used with the zpool status command to display only the status of pools that are exhibiting errors or are otherwise unavailable. Answers B and C are wrong because the zfs list command does not display the health status of a storage pool. Answer D is wrong because the -v option displays verbose output and displays all the pools, whether or not they are exhibiting errors. For more information, see the section “Displaying ZFS Storage Pool Information.”

15. D. Use the zpool offline command to temporarily disconnect a device from a storage pool for maintenance purposes. Answers A and B are invalid commands. Answer C is wrong because the zpool detach command is used to permanently remove a disk from a storage pool. For more information, see the section “Offlining and Onlining Devices in a Storage Pool.”

16. B. Answer A is wrong because the zfs rollback command is not used to clone a file system. Answer C is wrong because the zfs send and zfs recv commands are not used to create a clone of a ZFS file system. Answer D is wrong because the zfs promote command is not required. For more information, see the section “ZFS Clones.”


Suggested Reading and Resources

Solaris ZFS Administration Guide by Sun Microsystems, available at http://docs.sun.com, part number 819-5461-14.


PART II

Final Review

FF Fast Facts

PE Practice Exam

PA Answers to Practice Exam


Fast Facts

The Fast Facts are designed as a refresher of key points, topics, and knowledge that are required to be successful on the Sun Certified System Administrator for the Solaris 10 Operating Environment, Part II exam (CX-310-202). By using these summaries of key points, you can spend an hour prior to your exam refreshing your understanding of key topics. The Fast Facts will help ensure that you have a solid understanding of the objectives and the information required to succeed in each major area of the exam.

The Fast Facts are designed as a quick study aid that you can use just before taking the exam. You should be able to review the Fast Facts for this exam in less than an hour. They cannot serve as a substitute for knowing the material supplied in these chapters. However, these key points should refresh your memory on critical topics. In addition to this information, remember to review the glossary terms, because they are intentionally not covered here.

The Solaris Network Environment

In the ISO/OSI model, services that are required for communication are arranged in seven layers that build on one another. Think of the layers as steps that must be completed before you can move on to the next step and ultimately communicate between systems. Table FF.1 describes the function of each layer.

Table FF.1 ISO/OSI Network Layers

Layer Name  Layer Number  Description

Physical 1 Describes the network hardware, including electrical and mechanical connections to the network.

Data link 2 Splits data into frames for sending on to the physical layer and receives acknowledgment frames. Performs error checking and retransmits frames not received correctly.

Network 3 Manages the delivery of data via the data link layer and is used by the transport layer. The most common network layer protocol is IP.

Transport 4 Determines how to use the network layer to provide a virtual, error-free, point-to-point connection so that host A can send data to host B and it will arrive uncorrupted and in the correct order.


Session 5 Uses the transport layer to establish a connection between processes on different hosts. It handles security and creation of the session.

Presentation 6 Performs functions such as text compression and code or format conversion to try to smooth out differences between hosts. Allows incompatible processes in the application layer to communicate via the session layer.

Application 7 Concerned with the user’s and applications’ view of the network. The presentation layer provides the application layer with a familiar local representation of data independent of the format used on the network.

Network Definitions and Hardware

Following are some network definitions and descriptions of networking hardware components:

. Packet: The unit of data to be transferred over the network, typically 1,500 bytes for Ethernet.

. Ethernet: A set of standards that define the physical components and protocol that a machine uses to access the network, and the speed at which the network runs. It includes specifications for cabling, connectors, and computer interface components. Furthermore, the Ethernet standards include data link layer protocols that run on Ethernet hardware.

. NIC: The computer hardware that lets you connect the computer to a network is known as a Network Interface Card (NIC) or network adapter. Most computers nowadays come with a NIC already installed.

. Host: If you are an experienced Solaris user, you are no doubt familiar with the term host, often used as a synonym for computer or machine. From a TCP/IP perspective, only two types of entities exist on a network: routers and hosts.

. Switch: A multiport device that connects a number of systems on a network. Unlike the hub, the switch reduces network collisions by only sending packets to the intended destination, instead of sending them to all connected systems. Switches are now used more commonly than hubs.

. Hubs and cabling: Ethernet cabling is run to each system from a hub or switch. The hub does nothing more than connect all the Ethernet cables so that the computers can connect to one another. It does not boost the signal or route packets from one network to another.

. Router: A machine that forwards packets from one network to another. In other words, the router connects networks, and the hub connects hosts.

Solaris 10 System Administration Exam Prep (Exam CX-310-202), Part II


Network Classes

There are five classes of IP addresses: A, B, C, D, and E. The following is a brief description of each class.

Class A Networks

Class A networks are used for large networks with millions of hosts, such as large multinational businesses with offices around the world. A Class A network number uses the first 8 bits of the IP address as its network ID. The remaining 24 bits comprise the host part of the IP address. The values assigned to the first byte of Class A network numbers fall within the range 0 to 127. For example, consider the IP address 75.4.10.4. The value 75 in the first byte indicates that the host is on a Class A network. The remaining bytes, 4.10.4, establish the host address. The Internet registries assign only the first byte of a Class A number. Use of the remaining 3 bytes is left to the discretion of the owner of the network number. Only 127 Class A networks can exist; each of these networks can accommodate up to 16,777,214 hosts.

Class B Networks

Class B networks are medium-sized networks, such as universities and large businesses with many hosts. A Class B network number uses 16 bits for the network number and 16 bits for host numbers. The first byte of a Class B network number is in the range 128 to 191. In the number 129.144.50.56, the first 2 bytes, 129.144, are assigned by the Internet registries and comprise the network address. The last 2 bytes, 50.56, make up the host address and are assigned at the discretion of the network’s owner. A Class B network can accommodate a maximum of 65,534 hosts.

Class C Networks

Class C networks are used for small networks containing fewer than 254 hosts. Class C network numbers use 24 bits for the network number and 8 bits for host numbers. A Class C network number occupies the first 3 bytes of an IP address; only the fourth byte is assigned at the discretion of the network’s owner. The first byte of a Class C network number covers the range 192 to 223. The second and third bytes each cover the range 0 to 255. A typical Class C address might be 192.5.2.5, with the first 3 bytes, 192.5.2, forming the network number. The final byte in this example, 5, is the host number. A Class C network can accommodate a maximum of 254 hosts.

Class D and E Networks

Class D addresses cover the range 224 to 239 and are used for IP multicasting as defined in RFC 988. Class E addresses cover the range 240 to 255 and are reserved for experimental use.


Classless Internet and Classless Interdomain Routing (CIDR)

CIDR, also called supernetting, uses (typically) the first 18 bits of an IPv4 address as the network portion, leaving 14 bits to be used for the host. This implementation has meant that networks can be aggregated by routers for ease of delivery, in the same way as the telephone system uses area codes to route telephone calls. The Internet now operates in a classless mode, and has greatly increased the number of IPv4 addresses that are available. There will not be any questions on the exam about CIDR. This is included for information only.

Configuring Network Interfaces

You can configure additional interfaces at system boot or modify the original interface by having an understanding of only three files: /etc/hostname.<interface>, /etc/inet/hosts, and /etc/inet/ipnodes.

/etc/hostname.<interface>

This file defines the network interfaces on the local host. At least one /etc/hostname.<interface> file should exist on the local machine. The Solaris installation program creates this file for you. In the filename, <interface> is replaced by the device name of the primary network interface.

The file contains only one entry: the hostname or IP address associated with the network interface. For example, suppose eri1 is the primary network interface for a machine called system1. The file would be called /etc/hostname.eri1, and the file would contain the entry system1. An entry for system1 should also exist in the /etc/inet/hosts file.

/etc/inet/hosts

The hosts database contains details of the machines on your network. This file contains the hostnames and IPv4 addresses of the primary network interface and any other network addresses the machine must know about. When a user enters a command such as ping xena, the system needs to know how to get to the host named xena. The /etc/inet/hosts file provides a cross-reference to look up and find xena’s network IP address. For compatibility with BSD-based operating systems, the file /etc/hosts is a symbolic link to /etc/inet/hosts.

Each line in the /etc/inet/hosts file uses the following format:

<address> <hostname> [nickname] [#comment]

Each field in this syntax is described in Table FF.2.


Table FF.2 /etc/inet/hosts File Format Fields

Field  Description

<address> The IP address for each interface the local host must know about.

<hostname> The hostname assigned to the machine at setup and the hostnames assigned to additional network interfaces that the local host must know about.

[nickname] An optional field containing a nickname or alias for the host. More than one nickname can exist.

[#comment] An optional field where you can include a comment.
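
The following added example (not from the book) parses text in the <address> <hostname> [nickname] [#comment] format described above and reports any name that is bound to more than one address, a quick consistency check when auditing a hosts or ipnodes file. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit hosts-format text for names bound to several addresses.
# Function names are hypothetical; nothing here is part of Solaris itself.

# Constructed sample in the format: <address> <hostname> [nickname] [#comment]
sample_hosts() {
cat <<'EOF'
# constructed sample data, not taken from a real system
127.0.0.1      localhost
192.168.1.10   system1   loghost      # primary interface (eri1)
192.168.1.20   xena      x  fileserv  # two nicknames
192.168.1.99   xena                   # second, conflicting entry for xena
10.0.0.5       db1       # comment directly after the hostname

EOF
}

# parse_hosts: read hosts-format text on stdin and print one line per name:
#   <name> <address> <hostname|nickname>
parse_hosts() {
    awk '
    {
        sub(/#.*/, "")        # drop the optional [#comment] field
        if (NF < 2) next      # blank, comment-only, or address without a name
        print $2, $1, "hostname"
        for (i = 3; i <= NF; i++) print $i, $1, "nickname"
    }'
}

# find_conflicts: print "<name> <addr1>,<addr2>,..." for every name that
# appears with more than one distinct address, sorted by name.
find_conflicts() {
    parse_hosts | awk '
    {
        key = $1 SUBSEP $2
        if (!(key in seen)) {
            seen[key] = 1
            count[$1]++
            addrs[$1] = addrs[$1] (addrs[$1] != "" ? "," : "") $2
        }
    }
    END { for (n in count) if (count[n] > 1) print n, addrs[n] }' | sort
}

# lookup: print the address of the first entry, in file order, whose
# hostname or nickname equals $1.
lookup() {
    parse_hosts | awk -v want="$1" '$1 == want && !found { print $2; found = 1 }'
}

# Stand-alone demonstration on the constructed sample.
sample_hosts | find_conflicts
```

To check a live file instead of the sample, feed it on standard input, for example `find_conflicts < /etc/inet/hosts`.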

/etc/inet/ipnodes

The ipnodes database also contains details of the machines on your network. This file contains the hostnames and IPv4 or IPv6 addresses of the primary network interface and any other network addresses the machine must know about. You should note that, unlike the /etc/hosts file, which is a link to /etc/inet/hosts, there is no /etc/ipnodes link. The syntax for the ipnodes file is the same as the hosts file.

Changing the System Hostname

To manually change a system’s hostname, modify the following four files and reboot:

. /etc/nodename: This file contains the official name when referring to a system; this is the hostname of the system.

. /etc/hostname.<interface>: This file defines the network interfaces on the local host.

. /etc/inet/hosts: The hosts file contains details of the machines on your network. This file contains only the IPv4 address for a host.

You can also use the sys-unconfig command to change the system hostname. This method actually requires you to re-enter most of the system identification that was entered when the Solaris Operating Environment was initially installed. When you run sys-unconfig, the system automatically shuts down. When it is next started, you are prompted to enter the information for IP address, hostname, network mask, time zone, name service, and the root password.


Virtual File Systems, Swap Space, and Core Dumps

Physical memory is supplemented by specially configured space on the physical disk known as swap. Swap is configured either on a special disk partition known as a swap partition or on a swap file system. In addition to swap partitions, special files called swap files can also be configured in existing UFSs to provide additional swap space when needed. The Solaris virtual memory system provides transparent access to physical memory, swap, and memory-mapped objects.

Swap Space

The swap command is used to add, delete, and monitor swap files. The options for swap are shown in Table FF.3.

Table FF.3 swap Command Options

Option  Description

-a Adds a specified swap area. You can also use the script /sbin/swapadd to add a new swap file.

-d Deletes a specified swap area.

-l Displays the location of your system’s swap areas.

-s Displays a summary of the system’s swap space.

The Solaris installation program automatically allocates 512MB of swap if a specific value is not specified.

Core File and Crash Dump Configuration

Core files are created when a program, or application, terminates abnormally. The default location for a core file to be written is the current working directory.

Core files are managed using the coreadm command. When entered with no options, coreadm displays the current configuration, as specified by /etc/coreadm.conf. The options are shown in Table FF.4.


Table FF.4 coreadm Syntax

Option  Description

-g pattern Sets the global core file name pattern.

-G content Sets the global core file content using one of the description tokens.

-i pattern Sets the per-process core file name pattern.

-I content Sets the per-process core file name to content.

-d option Disables the specified core file option.

-e option Enables the specified core file option.

-p <pattern> Sets the per-process core file name pattern for each of the specified pids.

-P <content> Sets the per-process core file content to content.

-u Updates the systemwide core file options from the configuration file /etc/coreadm.conf.

Core file names can be customized using a number of embedded variables. Table FF.5 lists the possible patterns.

Table FF.5 coreadm Patterns

coreadm Pattern  Description

%p Process ID (PID)

%u Effective User ID

%g Effective Group ID

%d Specifies the executable file directory name.

%f Executable filename

%n System node name (same as running uname -n)

%m Machine name (same as running uname -m)

%t Decimal value of time (number of seconds since 00:00:00 January 1, 1970)

%z Specifies the name of the zone in which the process executed (zonename)

%% A literal % character
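
The following added example (not from the book, and not coreadm's own code) expands a core file name pattern using the embedded variables in Table FF.5, so you can preview where a given pattern would place a core file before setting it. The function name, the token=value argument convention, and all sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: preview how a coreadm-style name pattern expands.
# expand_core_pattern is a hypothetical helper, not a Solaris command.
#
# Usage: expand_core_pattern PATTERN token=value ...
#   tokens: p (PID), u (effective UID), g (effective GID), d (executable
#   directory), f (executable filename), n (node name), m (machine name),
#   t (seconds since 1970-01-01), z (zone name); "%%" yields a literal "%".
# Returns status 2 for an unknown token, a token with no value supplied,
# a trailing "%", or a malformed token=value argument.
expand_core_pattern() {
    pattern=$1
    shift
    printf '%s\n' "$pattern" "$@" | awk '
    NR == 1 { pat = $0; next }          # first line is the pattern itself
    {
        eq = index($0, "=")
        if (eq < 2) { bad = 1; next }   # argument is not token=value
        val[substr($0, 1, eq - 1)] = substr($0, eq + 1)
    }
    END {
        if (bad) exit 2
        valid = "pugdfnmtz"             # single-letter tokens from Table FF.5
        out = ""
        for (i = 1; i <= length(pat); i++) {
            c = substr(pat, i, 1)
            if (c != "%") { out = out c; continue }
            i++
            t = substr(pat, i, 1)       # character following the "%"
            if (t == "%") { out = out "%"; continue }
            if (t == "" || index(valid, t) == 0 || !(t in val)) exit 2
            out = out val[t]
        }
        print out
    }'
}

# Stand-alone demonstration with constructed values.
expand_core_pattern '/var/core/%n/core.%f.%p.%u' n=system1 f=sshd p=1234 u=0
expand_core_pattern 'core.%z.%t' z=global t=1239652260
```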

A crash dump is a snapshot of the kernel memory, saved on disk, at the time a fatal system error occurred. When a serious error is encountered, the system displays an error message on the console, dumps the contents of kernel memory by default, and then reboots the system.

Normally, crash dumps are configured to use the swap partition to write the contents of memory. The savecore program runs when the system reboots and saves the image in a predefined location, usually /var/crash/<hostname>, where <hostname> represents the name of your system.


Configuration of crash dump files is carried out with the dumpadm command. Running this command with no options displays the current configuration by reading the file /etc/dumpadm.conf.

dumpadm options are shown in Table FF.6.

Table FF.6 dumpadm Options

Option  Description

-c content-type Modifies crash dump content. Valid values are kernel (just kernel pages), all (all memory pages), and curproc (kernel pages and currently executing process pages).

-d dump-device Modifies the dump device. This can be specified either as an absolute pathname (such as /dev/dsk/c0t0d0s3) or the word swap when the system identifies the best swap area to use.

-m mink|minm|min% Maintains minimum free space in the current savecore directory, specified either in kilobytes, megabytes, or a percentage of the total current size of the directory.

-n Disables savecore from running on reboot. This is not recommended, because any crash dumps would be lost.

-r root-dir Specifies a different root directory. If this option is not used, the default / is used.

-s savecore-dir Specifies a different savecore directory, instead of the default /var/crash/hostname.

-y Enables savecore to run on the next reboot. This setting is used by default.

The gcore command can be used to create a core image of a specified running process. By default, the resulting file is named core.<pid>, where <pid> is the pid of the running process.

gcore options are shown in Table FF.7.

Table FF.7 gcore Options

Option  Description

-c content-type Produces image files with the specified content. This uses the same tokens as coreadm, but it cannot be used with the -p or -g options.

-F Force. This option grabs the specified process even if another process has control.

-g Produces core image files in the global core file repository, using the global content that was configured with coreadm.

-o filename Specifies filename to be used instead of core as the first part of the name of the core image files.

-p Produces process-specific core image files, with process-specific content, as specified by coreadm.


Network File System (NFS)

The NFS service allows computers of different architectures, running different operating systems, to share file systems across a network. Just as the mount command lets you mount a file system on a local disk, NFS lets you mount a file system that is located on another system anywhere on the network. The NFS service provides the following benefits:

. It lets multiple computers use the same files so that everyone on the network can access the same data. This eliminates the need to have redundant data on several systems.

. It reduces storage costs by having computers share applications and data.

. It provides data consistency and reliability, because all users can read the same set of files.

. It makes mounting of file systems transparent to users.

. It makes accessing remote files transparent to users.

. It supports heterogeneous environments.

. It reduces system administration overhead.

Solaris 10 introduced NFS version 4, which has the following features:

. The UID and GID are represented as strings, and a new daemon, nfsmapid, provides the mapping to numeric IDs.

. The default transport for NFS version 4 is the Remote Direct Memory Access (RDMA) protocol, a technology for memory-to-memory transfer over high-speed data networks.

. All state and lock information is destroyed when a file system is unshared. In previous versions of NFS, this information was retained.

. NFS4 provides a pseudo file system to give clients access to exported objects on the NFS server.

. NFS4 is a stateful protocol, in which both the client and server hold information about current locks and open files. When a failure occurs, the two work together to re-establish the open or locked files.

. NFS4 no longer uses the mountd, statd, or nfslogd daemons.


. NFS4 supports delegation, which allows a file’s management responsibility to be delegated to the client. Both the server and client support delegation. A client can be granted a read delegation, which can be granted to multiple clients, or a write delegation, providing exclusive access to a file.

NFS uses a number of daemons to handle its services. These services are initialized at startup from the svc:/network/nfs/server:default and svc:/network/nfs/client:default startup service management functions. The most important NFS daemons are outlined in Table FF.8.

Table FF.8 NFS Daemons

Daemon  Description

nfsd This daemon handles file system exporting and file access requests from remote systems. An NFS server runs multiple instances of this daemon. This daemon is usually invoked at the multi-user-server milestone and is started by the svc:/network/nfs/server:default service identifier.

mountd This daemon handles mount requests from NFS clients. This daemon also provides information about which file systems are mounted by which clients. Use the showmount command to view this information. This daemon is usually invoked at the multi-user-server milestone and is started by the svc:/network/nfs/server:default service identifier. This daemon is not used in NFS version 4.

lockd This daemon runs on the NFS server and NFS client, and provides file-locking services in NFS. This daemon is started by the svc:/network/nfs/client service identifier at the multi-user milestone.

statd This daemon runs on the NFS server and NFS client, and interacts with lockd to provide the crash and recovery functions for the locking services on NFS. This daemon is started by the svc:/network/nfs/client service identifier at the multi-user milestone. This daemon is not used in NFS version 4.

rpcbind This daemon facilitates the initial connection between the client and the server.

nfsmapid A new daemon that maps to and from NFS v4 owner and group identification and UID and GID numbers. It uses entries in the passwd and group files to carry out the mapping, and also references /etc/nsswitch.conf to determine the order of access.

nfs4cbd A new client side daemon that listens on each transport and manages the callback functions to the NFS server.

nfslogd This daemon provides operational logging to the Solaris NFS server. NFS logging uses the configuration file /etc/nfs/nfslog.conf. The nfslogd daemon is not used in NFS version 4.


Autofs

When a network contains even a moderate number of systems, all trying to mount file systems from each other, managing NFS can quickly become a nightmare. The Autofs facility, also called the automounter, is designed to handle such situations by providing a method in which remote directories are mounted only when they are being used.

When a request is made to access a file system at an Autofs mount point, the system goes through the following steps:

1. Autofs intercepts the request.

2. Autofs sends a message to the automountd daemon for the requested file system to be mounted.

3. automountd locates the file system information in a map and performs the mount.

4. Autofs allows the intercepted request to proceed.

5. Autofs unmounts the file system after a period of inactivity.

Managing Storage Volumes

Solaris Volume Manager (SVM), formerly called Solstice DiskSuite, comes bundled with the Solaris 10 operating system and uses virtual disks, called volumes, to manage physical disks and their associated data. A volume is functionally identical to a physical disk in the view of an application. You may also hear volumes called virtual or pseudo devices. SVM uses metadevice objects, of which there are four main types: metadevices, state database replicas, disk sets, and hot spare pools. These are described in Table FF.9.

Table FF.9 SVM Objects

| Object | Description |
|---|---|
| Volume | A group of physical slices that appear to the system as a single, logical device. A volume is used to increase storage capacity and increase data availability. The various types of volumes are described next. |
| State database | Stores information about the state of the SVM configuration. Each state database is a collection of multiple, replicated database copies. Each copy is called a state database replica. SVM cannot operate until you have created the state database and its replicas. |
| Disk sets | A set of disk drives containing state database replicas, volumes, and hot spares that multiple hosts can share exclusively, but not at the same time. If one host fails, another host can take over the failed host’s disk set. This type of failover configuration is called a clustered environment. |
| Hot spare pool | A collection of slices (hot spares) reserved for automatic substitution in case of slice failure in either a submirror or RAID 5 metadevice. Hot spares are used to increase data availability. |


The types of SVM volumes you can create using Solaris Management Console or the SVM command-line utilities are concatenations, stripes, concatenated stripes, mirrors, and RAID5 volumes. SVM volumes can be any of the following:

. Concatenation: Works much like the UNIX cat command is used to concatenate two or more files to create one larger file. If partitions are concatenated, the addressing of the component blocks is done on the components sequentially. This means that data is written to the first available stripe until it is full and then moves to the next available stripe. The file system can use the entire concatenation, even though it spreads across multiple disk drives. This type of volume provides no data redundancy and the entire volume fails if a single slice fails.

. Stripe: Similar to concatenation, except that the addressing of the component blocks is interlaced on the slices rather than sequentially. In other words, all disks are accessed at the same time in parallel. Striping is used to gain performance. When data is striped across disks, multiple disk heads and possibly multiple controllers can access data simultaneously. Interlace refers to the size of the logical data chunks on a stripe. Different interlace values can increase performance.

. Concatenated stripe: A stripe that has been expanded by concatenating additional striped slices.

. Mirror: Composed of one or more stripes or concatenations. The volumes that are mirrored are called submirrors. SVM makes duplicate copies of the data located on multiple physical disks and presents one virtual disk to the application. All disk writes are duplicated; disk reads come from one of the underlying submirrors. A mirror replicates all writes to a single logical device (the mirror) and then to multiple devices (the submirrors) while distributing read operations. This provides redundancy of data in the event of a disk or hardware failure.

. RAID 5: Stripes the data across multiple disks to achieve better performance. In addition to striping, RAID 5 replicates data by using parity information. In the case of missing data, the data can be regenerated using available data and the parity information. A RAID 5 metadevice is composed of multiple slices. Some space is allocated to parity information and is distributed across all slices in the RAID5 metadevice. The striped metadevice performance is better than the RAID 5 metadevice, but it doesn’t provide data protection (redundancy).

RAID (Redundant Array of Inexpensive Disks)

When describing SVM volumes, it’s common to describe which level of RAID the volume conforms to. Usually these disks are housed together in a cabinet and are called an array. There are several RAID levels, each referring to a method of distributing data while ensuring data redundancy. These levels are not ratings, but rather classifications of functionality. Different RAID levels offer dramatic differences in performance, data availability, and data integrity depending on the specific I/O environment. Table FF.10 describes the various levels of RAID.

Table FF.10 RAID Levels

| RAID Level | Description |
|---|---|
| 0 | Striped disk array without fault tolerance. |
| 1 | Maintains duplicate sets of all data on separate disk drives. Commonly called mirroring. |
| 2 | Data striping and bit interleave. Data is written across each drive in succession 1 bit at a time. Checksum data is recorded in a separate drive. This method is very slow for disk writes and is seldom used today because ECC is embedded in almost all modern disk drives. |
| 3 | Data striping with bit interleave and parity checking. Data is striped across a set of disks 1 byte at a time, and parity is generated and stored on a dedicated disk. The parity information is used to re-create data in the event of a disk failure. |
| 4 | The same as level 3, except that data is striped across a set of disks at a block level. Parity is generated and stored on a dedicated disk. |
| 5 | Unlike RAID 3 and 4, where parity is stored on one disk, both parity and data are striped across a set of disks. |
| 6 | Similar to RAID 5, but with additional parity information written to recover data if two drives fail. |
| 1+0 | A combination of RAID 1 (mirror) for resilience and RAID 0 for performance. The benefit of this RAID level is that a failed disk renders only the unit unavailable, not the entire stripe. |

The State Database

The SVM state database contains vital information on the configuration and status of all volumes, hot spares, and disk sets. There are normally multiple copies of the state database, called replicas, and it is recommended that state database replicas be located on different physical disks, or even controllers if possible, to provide added resilience.

The state database, together with its replicas, guarantees the integrity of the state database by using a majority consensus algorithm.

The state database is created and managed using the metadb command. Table FF.11 shows the metadb options.


Table FF.11 metadb Options

| Option | Description |
|---|---|
| -a | Attaches a new database device. |
| -c number | Specifies the number of state database replicas to be placed on each device. The default is 1. |
| -d | Deletes all replicas on the specified disk slice. |
| -f | Used to create the initial state database. It is also used to force the deletion of the last replica. |
| -h | Displays a usage message. |
| -i | Inquires about the status of the replicas. |
| -k system-file | Specifies a different file where replica information should be written. The default is /kernel/drv/md.conf. |
| -l length | Specifies the length of each replica. The default is 8192 blocks. |
| -p | Specifies that the system file (default /kernel/drv/md.conf) is updated with entries from /etc/lvm/mddb.cf. |
| -s setname | Specifies the name of the diskset to which the metadb command applies. |

Administering ZFS File Systems

ZFS represents an entirely new approach to managing disk storage space. It revolutionizes the traditional Solaris file systems. It was introduced in Solaris 10 06/06. ZFS is a transactional file system that ensures that data is always consistent. ZFS greatly simplifies file system administration as compared to traditional file systems. The system administrator will find it easy to create and manage file systems without issuing multiple commands or editing configuration files.

ZFS Storage Pools

ZFS uses storage pools, called zpools, to manage physical storage. Block devices (disks or disk slices) make up the zpool.

Create ZFS basic storage pools using the zpool create command. Monitor the health of ZFS storage pools using the zpool status command.

You can display status information about the usage, I/O statistics, and health of your ZFS pools using the zpool list command.

Use the following command to create a two-way mirror device:
# zpool create pool2 mirror c2t2d0 c2t3d0<cr>


Use the zpool create command to create a single RAID-Z (single-parity) device that consists of three disks:
# zpool create pool3 raidz c2t2d0 c2t3d0 c2t4d0<cr>

Add more space to a storage pool using the zpool add command. For example, you would add another 5GB disk drive (c2t3d0) to the pool as follows:
# zpool add pool1 c2t3d0<cr>

Add another device to a mirrored storage pool using the zpool attach command. For example, to convert this pool to a three-way mirror, attach another 5GB disk (c2t4d0) to the pool:
# zpool attach pool2 c2t3d0 c2t4d0<cr>

Use the zpool detach command to detach a device from a mirrored storage pool. To detach the device c2t3d0 and convert the mirror back to a nonredundant pool, issue the zpool detach command:
# zpool detach mypool c2t3d0<cr>

To temporarily disconnect a device from a storage pool for maintenance purposes, ZFS allows a device to be taken offline using the zpool offline command. For example, take the c2t2d0 device offline using the following command:
# zpool offline mypool c2t2d0<cr>

Use the zfs get command with the all keyword to view all the dataset properties for the storage pool named pool1:
# zfs get all pool1<cr>

You can modify any of the ZFS settable properties using the zfs set command. The following command sets the file system quota to 25GB. This prevents the pool1/data file system from using all the space in the pool:
# zfs set quota=25G pool1/data<cr>

By setting the file system’s mountpoint property to legacy, ZFS does not automatically mount and manage this file system. The file system must be managed using the legacy commands mount and umount and the /etc/vfstab file.

Remove ZFS pools using the zpool destroy command:
# zpool destroy pool1<cr>


ZFS Terms

. Clone: A file system with contents that are identical to the contents of a ZFS snapshot.

. Dataset: A generic name for the following ZFS entities: clones, file systems, snapshots, and volumes.

. ZFS file system: A ZFS dataset that is mounted within the standard system namespace and behaves like other traditional file systems.

. Mirror: A virtual device, also called a RAID-1 device, that stores identical copies of data on two or more disks.

. Pool: A logical group of block devices describing the layout and physical characteristics of the available storage. Space for datasets is allocated from a pool. Also called a storage pool or simply a pool.

. RAID-Z: A virtual device that stores data and parity on multiple disks, similar to RAID-5.

. Resilvering: The process of transferring data from one device to another. In SVM, this was called syncing.

. Snapshot: A read-only image of a file system or volume at a given point in time.

. Virtual device: A logical device in a pool, which can be a physical device, a file, or a collection of devices.

. Volume: A dataset used to emulate a physical device.

ZFS States

. ONLINE: The device is normal and in good working order. In this state, it’s possible for some transient errors to still occur.

. DEGRADED: The virtual device has experienced a failure, but the device still can function. This state is most common when a mirror or RAID-Z device has lost one or more constituent devices. The pool’s fault tolerance might be compromised, because a subsequent fault in another device might be unrecoverable.

. FAULTED: The virtual device is inaccessible due to a total failure. ZFS is incapable of sending data to it or receiving data from it. If a top-level virtual device is in this state, the pool is completely inaccessible.

. OFFLINE: The administrator has taken the virtual device offline.


. UNAVAILABLE: The device or virtual device cannot be opened. In some cases, pools with UNAVAILABLE devices appear in DEGRADED mode. If a top-level virtual device is UNAVAILABLE, nothing in the pool can be accessed.

. REMOVED: The device was physically removed while the system was running. Device removal detection is hardware-dependent and might not be supported on all platforms.

ZFS Hardware and Software Requirements

. The machine must be a SPARC or x86/x64 system that is running Solaris 10 6/06 or newer.

. The minimum disk size that can be used in a ZFS environment is 128MB. The minimum amount of disk space for a storage pool is approximately 64MB.

. For good ZFS performance, at least 1GB or more of memory is recommended.

. Multiple controllers are recommended for a mirrored disk configuration, but this is not a requirement.

Managing ZFS File Systems

Create a pool and file system named pool1 on device c2t2d0:
# zpool create pool1 c2t2d0<cr>

Create a ZFS file system named /pool1/data on an existing storage pool:
# zfs create pool1/data<cr>

You can rename a ZFS file system using the zfs rename command. Rename the pool1/data file system to pool1/documents:
# zfs rename pool1/data pool1/documents<cr>

List all the active ZFS file systems and volumes on a machine using the zfs list command:
# zfs list<cr>

Use the zfs destroy command to remove a ZFS file system. Use the command to remove the /pool1/data file system that was created:
# zfs destroy pool1/data<cr>


Create a snapshot using the zfs snapshot command followed by the name of the snapshot. For example, to take a snapshot of the pool2/data file system, issue the following command:
# zfs snapshot pool2/data@tues_snapshot<cr>

Use the zfs send command to save the snapshot and zfs recv to restore a snapshot.

To remove the snapshot from the system, use the zfs destroy command:
# zfs destroy pool2/data@tues_snapshot<cr>

Roll back a ZFS snapshot to discard all changes made to a file system since a specific snapshot was created. Using the zfs rollback command, the file system reverts to the state at the time the snapshot was taken.

A snapshot is a read-only point-in-time copy of a file system, and a clone is a writable copy of a snapshot. The zfs clone command is used to specify the snapshot from which to create the clone. In the following example, a clone is created from the snapshot named pool2/data@tues_snapshot:
# zfs clone pool2/data@tues_snapshot pool2/docs<cr>

Destroy a ZFS cloned file system just like you would destroy any other ZFS file system, by using the zfs destroy command:
# zfs destroy pool2/docs<cr>

The steps for replacing a failed disk in a ZFS pool are as follows:

1. Offline the disk using the zpool offline command.

2. Remove the disk to be replaced.

3. Insert the replacement disk.

4. Run the zpool replace command.
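The following added example (not from the book) ties the ZFS device states to the four replacement steps above: it reads zpool status output, lists every leaf device that is not ONLINE, and prints the offline and replace commands for review. The sample status text is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage `zpool status` output and print a replacement plan.
# Nothing is executed against a pool; the commands are only printed.

# Constructed sample of `zpool status` output (not captured from a real system).
sample_zpool_status() {
cat <<'EOF'
  pool: pool2
 state: DEGRADED
status: One or more devices could not be opened.  Sufficient replicas exist for
        the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        pool2       DEGRADED     0     0     0
          mirror    DEGRADED     0     0     0
            c2t2d0  ONLINE       0     0     0
            c2t3d0  UNAVAIL      0     0     0  cannot open

errors: No known data errors

  pool: pool3
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        pool3       ONLINE       0     0     0
          raidz1    ONLINE       0     0     0
            c3t2d0  ONLINE       0     0     0
            c3t3d0  ONLINE       0     0     0
            c3t4d0  ONLINE       0     0     0

errors: No known data errors
EOF
}

# Print "pool device state" for every leaf device that is not ONLINE.
# Reads zpool status text from stdin or from the files given as arguments.
unhealthy_devices() {
    awk '
        $1 == "pool:"   { pool = $2; in_cfg = 0; next }
        $1 == "config:" { in_cfg = 1; next }
        $1 == "errors:" { in_cfg = 0; next }
        in_cfg && NF >= 2 && $1 != "NAME" {
            # Skip the pool row and grouping vdevs; only leaf devices are swapped.
            if ($1 == pool || $1 ~ /^(mirror|raidz|spares|logs|cache)/) next
            if ($2 != "ONLINE") print pool, $1, $2
        }
    ' "$@"
}

# Map each finding onto the four-step procedure from the text.
replacement_plan() {
    unhealthy_devices "$@" | while read -r pool dev state; do
        echo "# $pool: $dev is $state"
        # Step 1: offline the disk unless the administrator already did.
        [ "$state" = "OFFLINE" ] || echo "zpool offline $pool $dev"
        # Steps 2 and 3 are physical: remove the disk, insert the replacement.
        echo "# swap the physical disk in the slot for $dev"
        # Step 4: have ZFS resilver onto the new disk in the same slot.
        echo "zpool replace $pool $dev"
    done
}

# Demo run on the constructed sample.
sample_zpool_status | replacement_plan
```

On a live system the same functions can be fed with `zpool status | replacement_plan`; follow the swap with zpool status to watch the resilver finish.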

Controlling Access and Configuring System Messaging

Role-Based Access Control (RBAC) and system logging are related in that they are involved in securing and monitoring systems in a Solaris environment.


Role-Based Access Control (RBAC)

With RBAC in the Solaris 10 operating environment, administrators can assign limited administrative capabilities to nonroot users. This is achieved through three features:

. Authorizations: User rights that grant access to a restricted function.

. Execution profiles: Bundling mechanisms for grouping authorizations and commands with special attributes, such as user and group IDs or superuser ID.

. Roles: Special types of user accounts intended for performing a set of administrative tasks.

RBAC relies on the following four databases to give users access to privileged operations:

. user_attr (extended user attributes database): Associates users and roles with authorizations and profiles.

. auth_attr (authorization attributes database): Defines authorizations and their attributes and identifies the associated help file.

. prof_attr (rights profile attributes database): Defines profiles, lists the profile’s assigned authorizations, and identifies the associated help file.

. exec_attr (profile attributes database): Defines the privileged operations assigned to a profile.
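As an added example (not from the book), the script below audits a user_attr file for least privilege: it reports login accounts that hold root-equivalent rights directly and resolves which users reach them through a role. The sample entries are constructed, the function names are hypothetical, and treating solaris.*, solaris.grant and the Primary Administrator profile as "role only" is an assumed site policy.

```shell
#!/bin/sh
# Added example: audit user_attr (user:qualifier:res1:res2:attr) entries.

# Constructed sample entries, not copied from a real system.
sample_user_attr() {
cat <<'EOF'
# constructed sample
root::::auths=solaris.*,solaris.grant;profiles=All
adm::::profiles=Log Management
bill::::type=normal;roles=sysadmin;profiles=All
opsrole::::type=role;profiles=Primary Administrator
jdoe::::type=normal;auths=solaris.*;profiles=Primary Administrator
mary::::type=normal;roles=opsrole
EOF
}

# Output lines:
#   DIRECT user item            powerful right assigned to a login account
#   VIA_ROLE user role item     powerful right reachable by assuming a role
#   UNRESOLVED_ROLE user role   role not defined as type=role in this file
#                               (it may live in a naming service)
audit_user_attr() {
    awk '
        # Return the comma-separated entries of list that the assumed
        # policy treats as root-equivalent.
        function risky(list,    n, a, i, out) {
            out = ""
            n = split(list, a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] == "solaris.*" || a[i] == "solaris.grant" ||
                    a[i] == "Primary Administrator")
                    out = (out == "" ? a[i] : out "," a[i])
            return out
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            n = split($0, f, ":")
            if (n < 5) next
            name = f[1]
            attrs = f[5]
            for (i = 6; i <= n; i++) attrs = attrs ":" f[i]
            order[++count] = name
            kind[name] = "normal"          # type defaults to a normal user
            m = split(attrs, kv, ";")
            for (i = 1; i <= m; i++) {
                eq = index(kv[i], "=")
                if (eq == 0) continue
                key = substr(kv[i], 1, eq - 1)
                val[name, key] = substr(kv[i], eq + 1)
                if (key == "type") kind[name] = val[name, key]
            }
        }
        END {
            for (c = 1; c <= count; c++) {
                u = order[c]
                # Roles are where power should live; root is exempt by policy.
                if (kind[u] != "normal" || u == "root") continue
                if ((r = risky(val[u, "auths"])) != "")
                    print "DIRECT", u, "auths=" r
                if ((r = risky(val[u, "profiles"])) != "")
                    print "DIRECT", u, "profiles=" r
                nr = split(val[u, "roles"], role, ",")
                for (j = 1; j <= nr; j++) {
                    ro = role[j]
                    if (kind[ro] != "role") {
                        print "UNRESOLVED_ROLE", u, ro
                        continue
                    }
                    if ((r = risky(val[ro, "auths"])) != "")
                        print "VIA_ROLE", u, ro, "auths=" r
                    if ((r = risky(val[ro, "profiles"])) != "")
                        print "VIA_ROLE", u, ro, "profiles=" r
                }
            }
        }
    ' "$@"
}

# Demo run on the constructed sample.
sample_user_attr | audit_user_attr
```

DIRECT findings are the ones to move into a role; VIA_ROLE lines give the list of people who can become root-equivalent after authenticating to the role.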

Naming Services

The information handled by a name service includes the following:

. System (host) names and addresses

. Usernames

. Passwords

. Access permissions

Table FF.12 describes the name services available in Solaris 10.


Table FF.12 Name Services

| Name Service | Description |
|---|---|
| /etc files | The original UNIX naming system |
| NIS | Network Information Service |
| NIS+ | Network Information Service Plus |
| DNS | Domain Name System |
| LDAP | Lightweight Directory Access Protocol |

/etc Files

/etc files are the traditional UNIX way of maintaining information about hosts, users, passwords, groups, and automount maps, to name just a few. These files are text files located on each individual system that can be edited using the vi editor or the text editor within CDE.

NIS

The NIS, formerly called the Yellow Pages (YP), is a distributed database system that allows the system administrator to administer the configuration of many hosts from a central location. Common configuration information, which would have to be maintained separately on each host in a network without NIS, can be stored and maintained in a central location and then propagated to all the nodes in the network. NIS stores information about workstation names and addresses, users, the network itself, and network services.

The systems within an NIS network are configured in the following ways:

. Master server

. Slave servers

. Clients of NIS servers

The name service switch controls how a client workstation or application obtains network information. Each workstation has a name service switch file in its /etc directory. In every system’s /etc directory, you’ll find templates for the nsswitch.conf file. These templates are described in Table FF.13.


Table FF.13 Name Service Switch Template Files

| Name | Description |
|---|---|
| nsswitch.files | Used when local files in the /etc directory are to be used and no name service exists. |
| nsswitch.nis | Uses the NIS database as the primary source of all information except the passwd, group, automount, and aliases maps. These are directed to use the local /etc files first and then the NIS databases. |
| nsswitch.nisplus | Uses the NIS+ database as the primary source of all information except the passwd, group, automount, and aliases tables. These are directed to use the local /etc files first and then the NIS+ databases. |
| nsswitch.dns | Searches the local /etc files for all entries except the hosts entry. The hosts entry is directed to use DNS for lookup. |
| nsswitch.ldap | Uses LDAP as the primary source of all information except the passwd, group, automount, and aliases tables. These are directed to use the local /etc files first and then the LDAP databases. |

The name service switch file contains a list of more than 19 types of network information, called databases, with their name service sources for resolution and the order in which the sources are to be searched. Table FF.14 lists valid sources that can be specified in this file.

Table FF.14 Database Sources for Services in /etc/nsswitch.conf

| Source | Description |
|---|---|
| files | Refers to the client’s local /etc files. |
| nisplus | Refers to an NIS+ table. |
| nis | Refers to an NIS table. |
| user | Applies to printers only and specifies that printer information be obtained from the ${HOME}/.printers file. |
| dns | Applies only to the hosts entry. |
| ldap | Refers to a directory information tree (DIT). |
| compat | Supports an old-style [+] syntax that was used in the passwd and group information. |

NIS+

NIS+ is similar to NIS, but with more features. NIS+ is not an extension of NIS, but a new system. It was designed to replace NIS.

NIS addresses the administrative requirements of small-to-medium client/server computing networks, those with fewer than a few hundred clients. Some sites with thousands of users find NIS adequate as well. NIS+ is designed for the now-prevalent larger networks in which systems are spread across remote sites in various time zones and in which clients number in the thousands. In addition, the information stored in networks today changes much more frequently, and NIS had to be updated to handle this environment. Last, systems today require a high level of security, and NIS+ addresses many security issues that NIS did not.

Remember that NIS+ is being discontinued and will not be part of a future Solaris release.

DNS

DNS is the name service used by the Internet and other Transmission Control Protocol/Internet Protocol (TCP/IP) networks. It was developed so that workstations on the network could be identified by common names instead of numeric Internet addresses. DNS is a program that converts domain names to their IP addresses. Without it, users have to remember numbers instead of words to get around the Internet. The process of finding a computer’s IP address by using its hostname as an index is called name-to-address resolution, or mapping.

Lightweight Directory Access Protocol (LDAP)

LDAP is the latest name-lookup service to be added to Solaris and is expected to replace NIS and NIS+ in the future. Specifically, LDAP is a directory service. A directory service is like a database, but it tends to contain more descriptive, attribute-based information. The information in a directory is generally read, not written.

Solaris Zones

Zones provide a virtual operating system environment within a single physical instance of Solaris 10. Applications can run in an isolated and secure environment. This isolation prevents an application running in one zone from monitoring or affecting an application running in a different zone.

The two types of zones are global and nonglobal. Think of a global zone as the server itself, the traditional view of a Solaris system as you know it. On the other hand, a nonglobal zone is created from the global zone and also is managed by it. You can have up to 8,192 nonglobal zones on a single physical system. Applications running in a nonglobal zone are isolated from applications running in a different nonglobal zone, allowing multiple versions of the same application to run on the same physical server.

A zone is created using the zonecfg command. With this command you can do the following:

. Create or delete a zone configuration

. Add or remove resources in a configuration

. Set the properties for a resource in the configuration


. Query and verify a configuration

. Commit (save) a configuration

. Revert to a previous configuration

. Exit from a zonecfg session

Advanced Installation Procedures

This section concentrates on two facilities that make it easier to install the Solaris operating environment on multiple systems. JumpStart and Solaris Flash allow identical systems to be installed automatically without the need for manual intervention. Each of these is covered in the following sections.

JumpStart

JumpStart has three main components:

. Boot and Client Identification Services: Provided by a networked boot server, these services provide the information that a JumpStart client needs to boot using the network.

. Installation Services: Provided by a networked install server, Installation Services provide an image of the Solaris operating environment that a JumpStart client uses as its media source. The image is normally a disk file located on the install server.

. Configuration Services: Provided by a networked configuration server, these services provide information that a JumpStart client uses to partition disks and create file systems, add or remove Solaris packages, and perform other configuration tasks.

Table FF.15 lists and describes some JumpStart commands.

Table FF.15 JumpStart Commands

| Command | Description |
|---|---|
| setup_install_server | Sets up an install server to provide the operating system to the client during a JumpStart installation. |
| add_to_install_server | Copies additional packages within a product tree on the Solaris 10 Software and Solaris 10 Languages CDs to the local disk on an existing install server. |
| add_install_client | Adds network installation information about a system to an install or boot server’s /etc files so that the system can install over the network. |
| rm_install_client | Removes JumpStart clients that were previously set up for network installation. |
| check | Validates the information in the rules file. |
| pfinstall | Performs a “dry run” installation to test the profile. |
| patchadd -C | Adds patches to the files located in the miniroot (that is, Solaris_10/Tools/Boot) on an installation CD image created by setup_install_server. This facility enables you to patch Solaris installation commands and other miniroot-specific commands. |

Solaris Flash

The main feature of Solaris Flash is to provide a method to store a snapshot of the Solaris operating environment complete with all installed patches and applications. This snapshot is called the Flash Archive, and the system that the archive is taken from is called the master machine.

A Flash installation can be used to perform an initial installation or to update an existing installation.

A Flash Archive is created with the flarcreate command. You can create a Flash Archive that contains a full snapshot of the system, or a differential archive containing only the changes that have been applied when compared to an existing Flash Archive. Flash Archives are administered with the flar command.

With the flar command, you can

. Extract information from an archive.

. Split archives.

. Combine archives.

When using JumpStart to install from a Flash Archive, only the following keywords can be used in the profile:

. archive_location

. install_type: For a full Flash Archive install, specify this option as flash_install. For a differential Flash Archive, specify flash_update.

. partitioning: Only the keyword values of explicit or existing must be used.

. filesys: The keyword value auto must not be used.

. forced_deployment


. local_customization

. no_content_check: Used only for a differential Flash Archive.

. no_master_check: Used only for a differential Flash Archive.

. package: Only used for a full Flash installation; cannot be used with a differential Flash Archive.

. root_device
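The keyword restrictions above can be checked mechanically before a profile reaches the install server. This added example (not from the book) validates a JumpStart profile against exactly those rules; the two sample profiles, the host name installserver and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a JumpStart profile that installs from a Flash Archive.

# Constructed full-archive profile that follows the rules.
sample_full_profile() {
cat <<'EOF'
# constructed full Flash Archive profile
install_type     flash_install
archive_location nfs installserver:/export/flash/master.flar
partitioning     explicit
filesys          c0t0d0s0 10000 /
filesys          c0t0d0s1 1024 swap
EOF
}

# Constructed differential profile with deliberate mistakes.
sample_diff_profile() {
cat <<'EOF'
# constructed differential profile with deliberate mistakes
install_type     flash_update
archive_location nfs installserver:/export/flash/diff.flar
partitioning     default
filesys          any auto /
cluster          SUNWCreq
package          SUNWman add
no_master_check
EOF
}

# Prints one line per violation. Exit status: 0 clean, 1 violations found,
# 2 the profile is not a Flash Archive profile at all.
validate_flash_profile() {
    awk '
        function report(i, msg) { print "line " lineno[i] ": " msg; bad = 1 }
        BEGIN {
            kw = "archive_location install_type partitioning filesys"
            kw = kw " forced_deployment local_customization no_content_check"
            kw = kw " no_master_check package root_device"
            split(kw, names, " ")
            for (i in names) allowed[names[i]] = 1
        }
        { sub(/#.*/, "") }                 # drop comments
        NF == 0 { next }
        {
            n++; lineno[n] = NR; key[n] = $1; arg[n] = $2; auto[n] = 0
            for (i = 2; i <= NF; i++) if ($i == "auto") auto[n] = 1
            if ($1 == "install_type") mode = $2
        }
        END {
            if (mode != "flash_install" && mode != "flash_update") {
                print "profile: install_type is not flash_install or flash_update"
                exit 2
            }
            for (i = 1; i <= n; i++) {
                k = key[i]
                if (!(k in allowed)) {
                    report(i, "keyword " k " is not allowed when installing from a Flash Archive")
                    continue
                }
                if (k == "partitioning" && arg[i] != "explicit" && arg[i] != "existing")
                    report(i, "partitioning must be explicit or existing, not " arg[i])
                if (k == "filesys" && auto[i])
                    report(i, "filesys must not use the value auto")
                if ((k == "no_content_check" || k == "no_master_check") && mode != "flash_update")
                    report(i, k " is valid only for a differential archive (flash_update)")
                if (k == "package" && mode != "flash_install")
                    report(i, "package is valid only for a full install (flash_install)")
            }
            exit (bad + 0)
        }
    ' "$@"
}

# Demo run on the constructed profiles.
sample_full_profile | validate_flash_profile && echo "full profile: ok"
sample_diff_profile | validate_flash_profile || true
```

This complements the check and pfinstall commands from Table FF.15 rather than replacing them.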

WAN Boot

A WAN boot installation enables a system administrator to boot and install software over a wide area network (WAN) by using HTTP. You can use WAN boot with security features to protect data confidentiality and installation image integrity.

Advantages of a WAN boot installation over a JumpStart installation include the following:

. JumpStart boot services are not required to be on the same subnet as the installation client.

. WAN boot provides a scalable process for the automated installation of systems anywhere over the Internet or other WANs.

. A WAN boot installation is more secure than a Custom JumpStart installation for the following reasons:

  . The WAN boot client and server can authenticate using SHA hash algorithms.

  . The Solaris 10 OS can be downloaded to the WAN boot client using HTTPS.

WAN Boot Requirements

. A minimum of OpenBoot firmware version 4.14.

. The WAN boot client must have a minimum of 512MB of RAM, an UltraSPARC II processor or newer, and at least 2GB of hard drive space.

. The WAN boot server must be a SPARC or x86-based system running Solaris 9 release 12/03 or higher, it must be configured as a web server, and it must support HTTP 1.1 minimum.

. The WAN boot install server must have enough disk space to hold the Flash Archive. It must have a local CD or DVD, it must be running Solaris 9 release 12/03 or higher, it must be configured as a web server, and it must support HTTP 1.1 minimum.


WAN Boot Components. wanboot program: A second-level boot program that is used to load the miniroot,

installation, and configuration files onto the WAN boot client. The wanboot programperforms tasks similar to those that are performed by the ufsboot and inetboot sec-ond-level boot programs.

. wanboot-cgi: A Common Gateway Interface (CGI) program on the web server that services all client requests. It parses the WAN boot server files and client configuration files into a format that the WAN boot client expects.

. bootlog-cgi: A Common Gateway Interface (CGI) program on the web server that creates a log of all client activity in the /tmp/bootlog.client file.

. wanboot.conf: A text file in which you specify the configuration information and security settings that are required to perform a WAN boot installation.

. WAN boot file system: Files used to configure and retrieve data for the WAN boot client installation are stored on the web server in /etc/netboot. The information in this directory is transferred to the client via the wanboot-cgi program as a file system, called the WAN boot file system.

. WAN boot miniroot: A version of the Solaris miniroot that has been modified to perform a WAN boot installation. The WAN boot miniroot, like the Solaris miniroot, contains a kernel and just enough software to install the Solaris environment. The WAN boot miniroot contains a subset of the software found in the Solaris miniroot.

. JumpStart and JumpStart configuration files: These terms are described fully in Chapter 7.

. Install Server: Provides the Solaris Flash Archive and custom JumpStart files that are required to install the client.

. WAN Boot Server: A web server that provides the wanboot program, the configuration and security files, and the WAN boot miniroot.
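The security settings that wanboot.conf carries can be checked before a client ever boots from it. The linter below is an added example, not code from the book or from Sun's tools: the parameter names follow the Solaris wanboot.conf file format, while the sample files, the host names, and the dependency rules it encodes are assumptions based on the Solaris installation documentation.

```python
from urllib.parse import urlparse

# Constructed sample files (not from the book); hosts and paths are placeholders.
WEAK_CONF = """\
boot_file=/wanboot/wanboot.s10_sparc
root_server=http://wanserver.example.com/cgi-bin/wanboot-cgi
root_file=/miniroot/miniroot.s10_sparc
signature_type=
encryption_type=
server_authentication=no
client_authentication=no
system_conf=system.conf
"""

HARDENED_CONF = """\
boot_file=/wanboot/wanboot.s10_sparc
root_server=https://wanserver.example.com/cgi-bin/wanboot-cgi
root_file=/miniroot/miniroot.s10_sparc
signature_type=sha1
encryption_type=3des
server_authentication=yes
client_authentication=no
system_conf=system.conf
"""

# Accepted values per security parameter. The first value is what this example
# assumes when the parameter is missing (feature off).
ALLOWED = {
    "signature_type": ("", "sha1"),
    "encryption_type": ("", "3des", "aes"),
    "server_authentication": ("no", "yes"),
    "client_authentication": ("no", "yes"),
}


def parse_wanboot_conf(text):
    """Parse name=value lines into a dict; blank lines and '#' lines are skipped."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected name=value, got {raw!r}")
        conf[name.strip()] = value.strip()
    return conf


def lint(conf):
    """Return (severity, parameter, message) tuples; an empty list means clean."""
    findings, values = [], {}
    for name, allowed in ALLOWED.items():
        values[name] = conf.get(name, allowed[0])
        if values[name] not in allowed:
            findings.append(("error", name, f"unsupported value {values[name]!r}"))
    if findings:
        return findings  # dependency checks are meaningless on invalid values

    sig, enc = values["signature_type"], values["encryption_type"]
    srv, cli = values["server_authentication"], values["client_authentication"]

    if sig != "sha1":
        findings.append(("weak", "signature_type",
                         "data sent to the client is not signed with a SHA1 hashing key"))
    if not enc:
        findings.append(("weak", "encryption_type",
                         "data sent to the client is not encrypted"))
    elif sig != "sha1":
        findings.append(("error", "encryption_type",
                         "encryption requires signature_type=sha1"))
    if srv != "yes":
        findings.append(("weak", "server_authentication",
                         "client does not authenticate the WAN boot server"))
    else:
        if sig != "sha1" or not enc:
            findings.append(("error", "server_authentication",
                             "requires signature_type=sha1 and an encryption_type"))
        if urlparse(conf.get("root_server", "")).scheme != "https":
            findings.append(("error", "root_server",
                             "server authentication needs an https:// URL"))
    if cli == "yes" and srv != "yes":
        findings.append(("error", "client_authentication",
                         "requires server_authentication=yes"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for finding in lint(parse_wanboot_conf(text)) or [("ok", "-", "no findings")]:
            print("  %-5s %-22s %s" % finding)
```

The weak file is syntactically valid and would install a client, which is why the linter reports it as "weak" rather than "error": it is the JumpStart-equivalent posture, with none of the protections listed above enabled.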

The WAN Boot Client

Boot the WAN boot client from a CD-ROM at the OpenBoot ok prompt:

ok boot cdrom -o prompt -F wanboot - install<cr>

To perform a noninteractive boot, your system’s OpenBoot PROM must support WAN boot. After setting up the WAN boot server, follow these instructions to boot the client:

1. At the ok prompt on the client system, set the network-boot-arguments variable in OBP:

ok setenv network-boot-arguments host-ip=<client-IP>,\
router-ip=<router-ip>,subnet-mask=<value>,hostname=<client-name>,\
http-proxy=<proxy-ip:port>,bootserver=<wanbootCGI-URL><cr>

2. Boot the client from the network using the network boot argument variables:

ok boot net - install<cr>

Solaris Live Upgrade

The Live Upgrade process involves creating a duplicate of the running environment and upgrading that duplicate. The current running environment remains untouched and unaffected by the upgrade. When the upgrade is complete, the upgrade is activated with the luactivate command and a system reboot.

Creating a new, inactive boot environment involves copying critical file systems from the active environment to the new boot environment using the lucreate command. To create the new boot environment on c0t1d0, use the lucreate command:

# lucreate -A "My first boot environment" -c active_boot \
-m /:/dev/dsk/c0t1d0s0:ufs -n new_BE <cr>

Verify the status of the new boot environment using the lustatus command:

# lustatus<cr>

After creating the new boot environment, you use the luupgrade command to upgrade the new boot environment:

# luupgrade -u -n new_BE -s /cdrom/cdrom0<cr>

Activating the upgraded boot environment with the luactivate command makes it bootable at the next reboot. In addition, you can use the luactivate command to switch back to the old boot environment if necessary. To activate a boot environment, the following requirements must be met:

. The boot environment must have a status of “complete.”

. If the boot environment is not the current boot environment, you cannot have mounted the partitions of that boot environment using the luumount or mount commands.

. The boot environment that you want to activate cannot be involved in a comparison operation (lucompare).

. If you want to reconfigure swap, make this change before booting the inactive boot environment. By default, all boot environments share the same swap devices.

Use the lufslist command to display the configuration of a particular boot environment. Use the ludelete command to delete an inactive boot environment.

Practice Exam

This exam consists of 60 questions reflecting the material covered in this book. The questions are representative of the types of questions you should expect to see on the CX-310-202 Solaris exam; however, they are not intended to match exactly what is on the exam.

Some of the questions require that you choose the best possible answer. Often, you are asked to identify the best course of action to take in a given situation. The questions require that you read them carefully and thoroughly before you attempt to answer them. It is strongly recommended that you treat this practice exam as if you were taking the actual exam. Time yourself, read carefully, and answer all the questions to the best of your ability.

The answers appear in the “Answers to Practice Exam Questions.” Check your answers against those in the “Answers at a Glance” section, and then read the explanations provided. You may also want to return to the appropriate chapters to review the material associated with your incorrect answers.

Practice Exam Questions

1. Which of the following is a direct form of network boot, available only on the x86 platform, that can be used to install the Solaris Operating Environment over the network using DHCP?

❍ A. OpenBoot

❍ B. GRUB

❍ C. BIOS

❍ D. PXE

2. You want to use JumpStart to install Solaris on an x86-based system. Which of the following are requirements for performing a network boot on an x86-based system? (Choose three.)

❍ A. An x86 Solaris system configured as an install server containing the Solaris x86 boot image and images of the Solaris CDs. This server cannot be a SPARC server.

❍ B. A configured DHCP server from which to boot successfully

❍ C. An x86 client that supports a PXE network boot

❍ D. A configured boot server, in addition to a DHCP server, to provide the boot image

❍ E. An x86- or SPARC-based Solaris system configured as an install server containing the Solaris x86 boot image and images of the Solaris CDs.

3. On the Solaris x86 platform, which of the following is used to answer system identification questions during the initial part of the JumpStart installation?

❍ A. rules.ok

❍ B. profile

❍ C. sysidcfg

❍ D. DHCP server provides this function.

4. What are the minimum entries that the local host requires in its /etc/inet/hosts file? (Choose three.)

❍ A. Its IP address

❍ B. Its hostname

❍ C. Its MAC address

❍ D. Its network interface

❍ E. Its loopback address

5. Which file contains the default gateway information?

❍ A. /etc/defaultdomain

❍ B. /etc/defaultrouter

❍ C. /etc/inet/netmasks

❍ D. /etc/inet/ipnodes

6. How many IP addresses are available to be assigned within a Class C network?

❍ A. 254

❍ B. 24

❍ C. 65,534

❍ D. None

7. Which pseudo file system resides on a physical disk?

❍ A. procfs

❍ B. swapfs

❍ C. tmpfs

❍ D. fdfs

8. Which command is used to create an install server for use with a custom JumpStart installation?

❍ A. check

❍ B. setup_install_server

❍ C. add_install_client

❍ D. setup_install_server -b

9. Network file systems that are mounted read-write or that contain executable files should always be mounted with which of the following options? (Choose all that apply.)

❍ A. hard

❍ B. intr

❍ C. soft

❍ D. nointr

10. When you share a file system across the network for the first time, the NFS server must be started. Which command achieves this?

❍ A. share

❍ B. svcadm enable nfs/server

❍ C. mountall

❍ D. svcs -l nfs/server

11. Which of the following provide a means for selective access to administrative capabilities? (Choose two.)

❍ A. Giving a user the root password

❍ B. Use of the sudo command

❍ C. RBAC

❍ D. usermod

12. You have created a metadevice, d30, that is a mirror of the root file system. Which command carries out the necessary setup to complete the operation by editing /etc/vfstab and /etc/system?

❍ A. metadb

❍ B. metainit

❍ C. metaroot

❍ D. metaclear

13. How would you determine the NIS server used by a given machine?

❍ A. Use ypwhich.

❍ B. Use ypcat.

❍ C. Look in the /etc/nsswitch.conf file.

❍ D. Use nisls.

14. What file would you edit to make the local /etc/hosts file take precedence over DNS or NIS host lookups?

❍ A. /etc/inetd.conf

❍ B. /etc/resolv.conf

❍ C. /etc/defaultrouter

❍ D. /etc/nsswitch.conf

15. Which of the following are ways to automatically install groups of identical systems without any manual intervention? (Choose two.)

❍ A. JumpStart

❍ B. Custom JumpStart

❍ C. Interactive installation

❍ D. WAN boot install

16. Which command would you use to do a dry-run installation to test a JumpStart profile?

❍ A. check

❍ B. patchadd -C

❍ C. fsck

❍ D. pfinstall

17. Which of the following files would not be used to manually change the hostname of a Solaris 10 system? (Choose two.)

❍ A. /etc/inet/hosts

❍ B. /etc/defaultrouter

❍ C. /etc/nodename

❍ D. /etc/net/ticlts/hosts

18. Which command would you use to configure the behavior of core files?

❍ A. savecore

❍ B. svcadm restart svc:/system/coreadm:default

❍ C. coreadm

❍ D. admcore

19. Which command would you use to modify the default crash dump device?

❍ A. crashadm

❍ B. dumpadm

❍ C. /var/crash

❍ D. gcore

20. Which of the following assigns the role adminusr to the user bill?

❍ A. rolemod adminusr -u bill

❍ B. moduser bill -R adminusr

❍ C. usermod -R adminusr bill

❍ D. modrole -u bill -r adminusr

21. You have created a new zone called apps, and you need to check on its current state. Which command displays the state of this zone?

❍ A. zoneadm -z apps list -v

❍ B. zlogin apps

❍ C. zlogin -C apps

❍ D. zoneadm -z apps install

22. Which of the following is not an RBAC database?

❍ A. /etc/security/prof_attr

❍ B. /etc/security/exec_attr

❍ C. /etc/security/user_attr

❍ D. /etc/security/auth_attr

23. Where does the configuration file reside that handles NFS logging?

❍ A. /etc/nfslog

❍ B. /etc/nfs/nfslog.conf

❍ C. /etc/inetd.conf

❍ D. /etc/default/nfs

24. Which RAID configuration maintains duplicate sets of all data on separate disk drives?

❍ A. RAID 0

❍ B. RAID 1

❍ C. RAID 5

❍ D. RAID 53

25. Which RAID configuration stripes data and parity across a set of disks?

❍ A. RAID 0

❍ B. RAID 1

❍ C. RAID 5

❍ D. RAID 10

26. Which command is used to add a client to the LDAP naming service?

❍ A. add_ldap

❍ B. ldapclient

❍ C. add_client ldap

❍ D. ldapinstall

27. You have modified your syslog configuration to allow extra messages to be logged. Which command forces the syslogd daemon to reread the configuration file and make the change active?

❍ A. svcs -l system/system-log

❍ B. svcadm disable system/system-log

❍ C. svcadm refresh system/system-log

❍ D. syslogd -HUP

28. You have inherited a system, and you are examining the custom JumpStart file to provide a hands-off installation. One of the parameters specifies archive_location and lists an NFS mount as its parameter. What does this tell you about the custom JumpStart process?

❍ A. The system being installed is being used as a file server and will share the specified file system.

❍ B. The installation will use a Solaris Flash Archive, and the location of the Flash Archive is contained in the parameter.

❍ C. The system being installed will use this location to back up its existing file system before the installation commences.

❍ D. This points to the install server where the Solaris CD images can be found.

29. Your system currently has four state database replicas installed, two on each disk. What happens to a running system if one of the disk drives fails and you lose two of the state database replicas? (Choose two.)

❍ A. The system keeps running.

❍ B. The system panics.

❍ C. The system will not start SVM the next time it boots and must be booted into single-user mode.

❍ D. The system hangs.

30. Which of the following describe the main differences between WAN boot and JumpStart? (Choose four.)

❍ A. WAN boot is supported only on the SPARC platform.

❍ B. With WAN boot, boot services are not required to be on the same subnet as the installation client.

❍ C. WAN boot provides a scalable process for the automated installation of systems anywhere over the Internet.

❍ D. A WAN boot installation is more secure than a Custom JumpStart installation.

❍ E. A WAN boot mini-root can be served only from a SPARC-based server.

31. Which WAN boot component is a file in which you specify the configuration information and security settings that are required to perform a WAN boot installation?

❍ A. wanboot-cgi

❍ B. wanboot program

❍ C. wanboot.conf

❍ D. /etc/netboot

32. Which of the following are required in a single-server WAN boot server configuration? (Choose two.)

❍ A. Web server

❍ B. DHCP server

❍ C. JumpStart server

❍ D. Flash Archive file

33. In terms of a Solaris Live Upgrade, which of the following represent a critical file system? (Choose three.)

❍ A. /usr

❍ B. /export

❍ C. /var

❍ D. /opt

❍ E. swap

34. When you perform a Solaris Live Upgrade, which command is used to install software on a boot environment?

❍ A. luactivate

❍ B. luinstall

❍ C. luupgrade

❍ D. lucreate

35. Which of the following requirements must be met before activating a boot environment during a Solaris Live Upgrade? (Choose two.)

❍ A. The boot environment must have a status of “complete.”

❍ B. The boot environment you want to activate cannot be involved in a comparison operation.

❍ C. The boot environment must have a status of “Active on Reboot.”

❍ D. The boot environment must have a status of “Active Now.”

36. Which of the following are functions of the luupgrade command? (Choose four.)

❍ A. Upgrading an operating system image on a boot environment

❍ B. Merging file systems in the new boot environment

❍ C. Running an installer program to install software from an installation medium

❍ D. Checking or obtaining information about software packages

❍ E. Adding a package to or removing a package from a boot environment

37. Which of the following NFS daemons run on both the NFS server and the NFS clients? (Choose two.)

❍ A. nfsd

❍ B. statd

❍ C. mountd

❍ D. lockd

38. Which configuration option is used to create a whole root zone?

❍ A. inherit-pkg-dir dir=/usr

❍ B. remove inherit-pkg-dir dir=/usr

❍ C. inherit-pkg-dir dir=/

❍ D. add fs

set dir=/

39. Which of the following describes the configuration steps necessary to add the /data file system, as a read-write file system, to a nonglobal zone?

❍ A. add fs

set dir=/data

set special=/dev/dsk/c0t1d0s0

set raw=/dev/rdsk/c0t1d0s0

add options [rw, logging,nosuid]

end

❍ B. add fs

set dir=/data

set options=rw

set special=/dev/dsk/c0t1d0s0

set raw=/dev/rdsk/c0t1d0s0

end

❍ C. add fs

set dir=/data

set raw=/dev/rdsk/c0t1d0s0

set type=ufs

add options=[rw,logging, nosuid]

end

❍ D. add fs

set dir=/data

set special=/dev/dsk/c0t1d0s0

set raw=/dev/rdsk/c0t1d0s0

set type=ufs

add options [logging, nosuid]

end

40. Which of the following describes the configuration steps required to share the /data file system between the global zone and a nonglobal zone?

❍ A. add fs

set dir=/export

set special=/export

set type=lofs

add options shared

❍ B. inherit-pkg-dir=/data

❍ C. add fs

set dir=/export

set special=/export

set type=lofs

add options rw

end

❍ D. add inherit-pkg-dir=/data

41. Which of the following statements are true of a nonglobal zone? (Choose two.)

❍ A. A nonglobal zone cannot be patched differently from the global zone.

❍ B. A nonglobal zone shares the kernel with the global zone.

❍ C. A nonglobal zone has its own kernel, separate from the global zone.

❍ D. A nonglobal zone can have its own set of software packages installed—different packages than what are installed in the global zone.

42. After a zone is configured and installed, which modifications can be made to it without requiring the zone to be reinstalled? (Choose two.)

❍ A. fs

❍ B. zonepath

❍ C. zone name

❍ D. inherit-pkg-dir

❍ E. device

43. The following information is reported on your system:

ID NAME       STATUS      PATH
0  global     running     /
-  testzone1  incomplete  /export/zones/testzone1
-  testzone2  installed   /export/zones/testzone2

Which of the following statements about the zones on this system are true? (Choose two.)

❍ A. One zone is in use.

❍ B. testzone2 is ready to be configured.

❍ C. testzone1 is not configured.

❍ D. testzone2 is ready to be booted.

44. When cloning a zone, you create a configuration file from the current zone. Which of the following describes how this configuration file is created?

❍ A. zoneadm -z testzone export -f <filename>

❍ B. zonecfg -z testzone migrate -f <filename>

❍ C. zonecfg -z testzone create -f <filename>

❍ D. zonecfg -z testzone export -f <filename>

45. Which of the following statements about the snoop command are true? (Choose two.)

❍ A. You can stop snoop by pressing Ctrl+C.

❍ B. Pressing Ctrl+Q stops the snoop command.

❍ C. snoop does not display packets sent using the secure shell.

❍ D. snoop produces one line of output for each packet sent on the network.

46. Changes or modifications to the configuration of network services are done using which commands? (Choose two.)

❍ A. inetadm

❍ B. svccfg

❍ C. svcconf

❍ D. inetcfg

47. You are using Solaris Volume Manager to mirror your boot drives. Your server has two internal disks that will be mirrored for this purpose. In addition, your system has two external disk drives. How should your metadbs be configured on this server?

❍ A. Create three replicas on one slice.

❍ B. Create two replicas on each drive.

❍ C. Create one replica on each drive.

❍ D. Create two replicas on each of the internal drives that will be mirrored.

48. In Solaris Volume Manager, which RAID level is called a striped mirror, in which the slices, or entire disks, are mirrored first, and then the slices are combined into a stripe?

❍ A. 0+1

❍ B. 5

❍ C. 1+0

❍ D. 1

49. Before using ZFS, you need to make sure that your system meets the minimum requirements for supporting ZFS. Which of the following statements describe the hardware and software requirements that your system must meet? (Choose two.)

❍ A. The system must be a SPARC-based machine.

❍ B. 1GB of RAM is recommended.

❍ C. The minimum amount of disk space for a storage pool is 64MB.

❍ D. The minimum amount of disk space for a storage pool is 128MB.

❍ E. A storage pool requires a minimum of 12GB.

50. Your system has a spare disk drive, c1t0d0. Your task is to create a ZFS dataset on that entire drive. The storage pool is to be named pool1, and the ZFS file system is to be named /data. Which command would you issue to create the dataset?

❍ A. zpool create pool1; zfs create /data pool1

❍ B. zfs create -f pool1/data

❍ C. zpool create -f pool1/data

❍ D. zpool create -f pool1;zfs create pool1/data

51. Your system has the following ZFS file systems:

pool1            33G  20K  33G  1%  /pool1
pool1/data       33G  19K  33G  1%  /pool1/data
pool1/data/app1  33G  18K  33G  1%  /pool1/data/app1
pool1/data/app2  33G  18K  33G  1%  /pool1/data/app2

Which command can you use to remove the pool1 storage pool and all the ZFS file systems in that pool?

❍ A. zfs destroy -R pool1/data

❍ B. zfs destroy pool1

❍ C. zpool destroy pool1

❍ D. zpool destroy pool1/data

52. Your system has two disk drives available for a ZFS storage pool—c2t2d0 and c3t2d0. You want to create a RAID1 ZFS storage pool named data and a ZFS file system in that storage pool named /data that uses these drives. Which command would you use?

❍ A. zpool create data c2t2d0 c3t2d0

❍ B. zpool mirror data c2t2d0 c3t2d0

❍ C. zpool create data; zfs create /data c2t2d0 c3t2d0

❍ D. zpool create data mirror c2t2d0 c3t2d0

53. Your system already has a storage pool named pool1. You need to create a new ZFS file system in that pool named /data. Which command would you use?

❍ A. zpool create pool1/data

❍ B. zfs create /pool1/data

❍ C. zfs create pool1/data

❍ D. zpool create -f /pool1/data

54. For training purposes, you want to create a mirrored ZFS storage pool, but you don’t have any spare disks to practice with. In fact, there are no spare slices either. Which of the following describes how you could create a storage pool and ZFS file system on this machine?

❍ A. mkfile -n 200m /export/home/zfs1; mkfile -n 200m /export/home/zfs2

zpool create data mirror /export/home/zfs1 /export/home/zfs2

❍ B. You cannot create a ZFS storage pool.

❍ C. zpool create data mirror /export/home/zfs1; zpool create data mirror /export/home/zfs1

❍ D. mkfile -n 200m /export/home/zfs1; mkfile -n 200m /export/home/zfs2

zfs create data mirror /export/home/zfs1 /export/home/zfs2

55. Your system has a RAID0 ZFS file system named /pool1/data created on c1t1d0. You want to mirror this file system onto c2t1d0. Which command would you use?

❍ A. zpool create pool1 mirror c1t1d0 c2t1d0

❍ B. zpool destroy -f pool1; zpool create pool1 mirror c1t1d0 c2t1d0

❍ C. zpool attach pool1 c2t1d0

❍ D. zpool attach pool1 c1t1d0 c2t1d0

56. You create a ZFS file system on a 36GB disk using the following command:

zpool create pool1 c1t1d0

Now you want to make sure that the /pool1 file system can only use 1GB of the storage pool. Which command would you use to limit this file system to 1GB?

❍ A. quota pool1 1G

❍ B. zpool set quota=1g pool1

❍ C. zfs set quota=1g pool1

❍ D. zfs set quota=1g /pool1

57. You have a storage pool named pool1. In that storage pool, you have a ZFS file system named data (pool1/data). When you list the file systems with df -h, you see the following output:

pool1       100M  18K  100M  1%  /pool1
pool1/data  100M  18K  100M  1%  /pool1/data

You want to make pool1 invisible to users so that they see only the pool1/data file system when issuing the df -h command. Which command would you use?

❍ A. zfs set mountpoint=none pool1

❍ B. zpool set mountpoint=none pool1

❍ C. umount /pool1

❍ D. zfs set mountpoint=legacy pool1

58. Which of the following syslogd severity levels is the highest?

❍ A. emerg

❍ B. crit

❍ C. warning

❍ D. alert

59. Which of the following are valid entries for the /etc/hostname.eri0 file? (Choose two.)

❍ A. systemA

❍ B. 192.168.1.100

❍ C. eri0 dhcp

❍ D. ifconfig dhcp

60. You cannot access the server named sysA using Telnet. The following information is displayed on sysA when you issue the ifconfig command:

lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.30 netmask ffffff00 broadcast 192.168.1.255
        ether 0:3:ba:1f:85:7b

Which command should you issue?

❍ A. ifconfig eri0 plumb

❍ B. dladm eri0

❍ C. ifconfig eri0 up

❍ D. route add

Answers to Practice Exam

Answers at a Glance to the Practice Exam

1. D

2. B, C, E

3. D

4. A, B, E

5. B

6. A

7. B

8. B

9. A, B

10. B

11. B, C

12. C

13. A

14. D

15. B, D

16. D

17. B, D

18. C

19. B

20. C

21. A

22. C

23. B

24. B

25. C

26. B

27. C

28. B

29. A, C

30. A, B, C, D

31. C

32. A, C

33. A, C, D

34. C

35. A, B

36. A, C, D, E

37. B, D

38. B

39. D

40. C

41. B, D

42. A, E

43. A, D

44. D

45. A, D

46. A, B

47. B

48. C

49. B, C

50. D

51. C

52. D

53. C

54. A

55. D

56. C

57. A

58. A

59. A, B

60. C

Answers with Explanations

1. D. Answer A is wrong because OpenBoot is not available on the x86 platform. Answer B is the bootloader that appears on the x86 platform, but GRUB does not perform the network boot operation. Answer C is available on every x86 platform and can be used to configure PXE, but the BIOS does not perform the network boot operation. For more information, see Chapter 7, “Advanced Installation Procedures: JumpStart, Flash Archive, and PXE.”

2. B, C, E. Answer D is wrong because the DHCP server performs the function of the boot server. Answer A is wrong because, even though you are setting up an x86 installation, you can still use a SPARC system as your install server. All it does is share the CD images over the network, and a single install server can serve both SPARC and x86 clients. For more information, see Chapter 7.

3. D. You must configure a DHCP server to support the boot and identification operations of x86/x64-based JumpStart clients. For more information, see Chapter 7.

4. A, B, E. Answer C is wrong because the MAC address is not entered in the hosts file. Answer D is wrong because the network interface is not required in this file. For more information, see Chapter 1, “The Solaris Network Environment.”

5. B. Answer A is wrong because the /etc/defaultdomain file contains the fully qualified domain name of the administrative domain to which the local host’s network belongs. Answer C is wrong because the netmasks file consists of a list of networks and their associated subnet masks. Answer D is wrong because the ipnodes file is no longer used in Solaris 10. For more information, see Chapter 1.

6. A. Class C network numbers use 24 bits for the network number and 8 bits for host numbers. A Class C network number occupies the first 3 bytes of an IP address; only the fourth byte is assigned at the discretion of the network’s owner. The first and last addresses on a network are reserved for the network number and broadcast address. Therefore, a Class C network can accommodate a maximum of 254 hosts. For more information, see Chapter 1.

7. B. The swapfs pseudo file system is either a swap partition on a disk or a swap file residing in another file system on a disk. The procfs, tmpfs, and fdfs file systems all reside in memory. For more information, see Chapter 2, “Virtual File Systems, Swap Space, and Core Dumps.”

8. B. The setup_install_server command is used to create an install server for use within a custom JumpStart environment. Answer A is the command to verify the rules file and create the rules.ok file. Answer C is used to set up a client to be able to boot across the network and install using custom JumpStart. Answer D is the command to set up a boot-only server, which would not contain the Solaris images. For more information, see Chapter 7.

9. A, B. Sun recommends that file systems mounted as read-write, or containing executable files, should always be mounted with the hard option. If you use soft-mounted file systems, unexpected I/O errors can occur. For example, consider a write request. If the NFS server goes down, the pending write request simply gives up, resulting in a corrupted file on the remote file system. A read-write file system should always be mounted with the specified hard and intr options. This lets users make their own decisions about killing hung processes. For more information, see Chapter 2.

10. B. The correct command to start the NFS server service after the initial share has been configured is svcadm enable nfs/server. Answer A is the command that is entered into /etc/dfs/dfstab to define the share. Answer C is the command to mount all file systems listed in /etc/vfstab. Answer D is the command to list the details and dependencies of the NFS server service. For more information, see Chapter 2.

11. B, C. Both sudo and Role-Based Access Control (RBAC) allow the system administrator to assign limited administrative capabilities to nonroot users, albeit in different ways. Answer A is wrong because giving out the root password would give a user full access to all the powers of root, making for very poor security. Answer D is wrong because the usermod command is used to modify a user’s login information. For more information, see Chapter 4, “Controlling Access and Configuring System Messaging.”

12. C. The metaroot command is used to carry out the necessary setup for putting a root file system under SVM control. Answer A is the command for creating and managing the state database, Answer B is the command for creating new metadevices, and Answer D is the command for clearing or removing metadevices. For more information, see Chapter 3, “Managing Storage Volumes.”

13. A. With no arguments, the ypwhich command displays the server currently providing NIS services—that is, the server that the client is bound to. The current NIS master server is determined by running ypwhich -m, which lists all the maps and the master server for each map. The ypcat command is used to display the contents of a NIS map. /etc/nsswitch.conf is used to determine the order in which data is obtained, and the nisls command is used in NIS+ to display the contents of an object. For more information, see Chapter 5, “Naming Services.”

14. D. The name service switch, /etc/nsswitch.conf, controls how a client workstation or application obtains network information. In this case, you would edit the /etc/nsswitch.conf file and change the hosts line to read hosts: files dns nis. The file /etc/inetd.conf is used to configure legacy network services. DNS uses /etc/resolv.conf to identify the DNS lookup servers. /etc/defaultrouter is used to identify the default route address. For more information, see Chapter 5.

15. B, D. The Custom JumpStart and WAN boot (with a Flash Archive) methods of installing the operating system provide a way to install groups of similar systems automatically and identically. If you use the JumpStart or interactive install methods to install the operating system, you must carry on a dialog with the installation program by answering various questions. For more information, see Chapter 7 and Chapter 8, “Advanced Installation Procedures: WAN Boot and Solaris Live Upgrade.”

16. D. After you create a profile, you can use the pfinstall command to test it. Testing a class file is sometimes called a dry run installation. By looking at the installation output generated by pfinstall, you can quickly determine whether a class file will do what you expect. The check command is used to verify the rules file. patchadd is used to install operating environment patches to the system. fsck is used to check the consistency of file systems. For more information, see Chapter 7.

17. B, D. In Solaris 10, the files /etc/defaultrouter and /etc/net/ticlts/hosts are not used to change the hostname of a Solaris system. For more information, see Chapter 1.

18. C. The coreadm command is used to configure core file behavior. The savecore command is used to save a memory dump following a reboot of the system. This is because the memory dump normally is stored temporarily in the system swap space and would be overwritten. The command svcadm restart svc:/system/coreadm:default would restart the coreadm process. admcore is a nonexistent command. For more information, see Chapter 2.

19. B. dumpadm is used to change the default crash dump device. The crashadm command does not exist. The /var/crash directory normally is used to store crash dumps. The gcore command is used to create core files from a running process without damaging that process. For more information, see Chapter 2.

20. C. The usermod command with the -R flag is used to add role privileges to a user. usermod -R adminusr bill is the correct answer. The commands modrole and moduser do not exist. The rolemod command is used to modify the specification of a role. For more information, see Chapter 4.

21. A. The command zoneadm -z apps list -v displays the current status of the zone called apps. Answer B would be used to log in to the apps zone from the global zone. Answer C would be used to log in to the console of zone apps from the global zone. Answer D is the command that would carry out the installation of zone apps. For more information, see Chapter 6, “Solaris Zones.”

22. C. The correct path for this RBAC database is /etc/user_attr. The other files are valid RBAC database names. For more information, see Chapter 4.

23. B. /etc/nfs/nfslog.conf is the file that manages NFS logging behavior, although NFS logging is not supported in NFS Version 4. The file /etc/nfslog does not exist. /etc/inetd.conf is a legacy file used to configure the inetd daemon, but it is no longer used and has been replaced by SMF. /etc/default/nfs is the file used to configure default parameters for NFS operation. For more information, see Chapter 2.

24. B. RAID 1 maintains duplicate sets of all data on separate disk drives. This is also known as mirroring. Answers A, C, and D do not provide redundancy. For more information, see Chapter 3.

25. C. RAID 5 is where both parity and data are striped across a set of disks. Answers A, B, and D are wrong because they do not use parity and do not stripe data. For more information, see Chapter 3.

26. B. ldapclient is used to add a client to the LDAP naming service. The other answers are all nonexistent commands. For more information, see Chapter 5.

27. C. The command svcadm refresh system/system-log forces the syslogd daemon to reread its configuration file after a change is made to the file /etc/syslog.conf. Answer A would list the details and dependencies of the system-log service. Answer B would disable the system-log service. Answer D is an invalid option to the syslogd command. For more information, see Chapter 4.

28. B. The archive_location option indicates that a Solaris Flash Archive is being used to install the system, and the parameter specifies the network location of the Flash Archive to use for the installation. For more information, see Chapter 7.

29. A, C. Answer B is wrong because your system still has 50% of the state database replicas intact, therefore it keeps running. The system does not panic unless more than 50% of the metadbs are unavailable. Answer D is wrong because 50% of the metadbs are still available, so the system continues to run. For more information, see Chapter 3.

30. A, B, C, D. Answer E is wrong because a WAN boot mini-root can be served from an x86-based server. For more information, see Chapter 8.

31. C. Answer A is wrong because wanboot-cgi is a Common Gateway Interface (CGI) program on the web server that services all client requests. It parses the WAN boot server files and client configuration files into a format that the WAN boot client expects. Answer B is wrong because the wanboot program is a second-level boot program that is used to load the miniroot, installation, and configuration files onto the WAN boot client. Answer D is wrong because /etc/netboot is a directory where files used to configure and retrieve data for the WAN boot client installation are stored. For more information, see Chapter 8.

32. A, C. Answer B is wrong because the DHCP server is optional. Answer D is wrong because the Flash Archive can be located on a different installation server and is not required to be located on the WAN boot server. For more information, see Chapter 8.

33. A, C, D. Answers B and E are wrong because /export and swap are shareable file systems. For more information, see Chapter 8.

34. C. Answer A is wrong because luactivate is used to activate an inactive boot environment. Answer B is wrong because luinstall is an invalid command. Answer D is wrong because lucreate is used to create a boot environment. For more information, see Chapter 8.

35. A, B. Answers C and D are wrong because the boot environment must have a status of “complete” before it can be activated. For more information, see Chapter 8.

36. A, C, D, E. Answer B is wrong because the lucreate command is used to merge file systems in the new boot environment. For more information, see Chapter 8.

37. B, D. Two NFS daemons, statd and lockd, run on NFS servers and the NFS clients. Both the statd and lockd daemons provide crash recovery and locking services for NFS version 2 and 3. For more information, see Chapter 2.

38. B. Answer A creates a loopback file system for /usr where the file system is shared with the global zone. Answer C is wrong because the root file system is already copied to the nonglobal zone. Answer D is wrong because add fs is used to add a file system to a nonglobal zone; it is not used to set up a whole root zone. For more information, see Chapter 7.

39. D. Answer A is wrong because the set type command is missing. Answer B is wrong because the set options command is not used to mount the read-write mount option. Answer C is wrong because the = sign is not required with the add options command, and the set special command is missing. For more information, see Chapter 7.

40. C. Answer A is wrong because shared is not a valid option for the add options command. Answer B is wrong because the inherit-pkg-dir command is used to specify directories that contain software packages that are shared with the global zone—/lib, /bin, /platform, and /usr. Answer D is wrong because add inherit-pkg-dir is an invalid command. For more information, see Chapter 7.

41. B, D. Answer A is wrong because a nonglobal zone can have a different set of patches installed. Answer C is wrong because a nonglobal zone shares the kernel with the global zone. For more information, see Chapter 7.

42. A, E. Answers B, C, and D are wrong because these resources require the zone to be reinstalled. For more information, see Chapter 7.

43. A, D. Answer B is wrong because the installed state comes after the configured state. Answer C is wrong because the incomplete state is displayed after a zone is configured and is being installed or uninstalled. For more information, see Chapter 7.

44. D. Answer A is wrong because zoneadm does not export a zone’s configuration. Answers B and C are wrong because migrate and create are invalid options to the zonecfg command. For more information, see Chapter 7.

45. A, D. Answer B is wrong because you stop snoop manually by pressing Ctrl+C. Answer C is wrong because snoop displays SSH packets, but the packets are encrypted. For more information, see Chapter 1.

46. A, B. Answers C and D are wrong because these are invalid commands. For more information, see Chapter 1.

47. B. Answers A, C, and D are wrong because the recommendation for a system with two to four disks is to create two replicas on each drive. For more information, see Chapter 3.

48. C. Answer A is wrong because, with this level of RAID, a stripe is created by spreading data across multiple slices or entire disks. Then the entire stripe is mirrored for redundancy. Answer B is wrong because, with this level of RAID, both parity and data are striped across a set of disks. Answer D is wrong because RAID 1 is mirroring with no striping. For more information, see Chapter 3.

49. B, C. Answer A is wrong because ZFS is supported on the SPARC and x86 platforms. Answers D and E are wrong because the minimum amount of disk space for a storage pool is approximately 64MB. For more information, see Chapter 9, “Administering ZFS File Systems.”

50. D. Answer A is wrong because the zfs create command does not use the proper syntax. Answer B is wrong because zfs create cannot be used to create a ZFS pool. Answer C is wrong because zpool create cannot create both a pool named pool1 and a ZFS file system named /data. For more information, see Chapter 9.

51. C. Answer A is wrong because this command will not remove the pool1 storage pool. Answer B is wrong because the zfs command is not used to remove storage pools. Answer D is wrong because you cannot specify a storage pool and file system as an argument with the zpool command. Only the storage pool is specified as an argument. For more information, see Chapter 9.

52. D. Answer A is wrong because this command would create a RAID0 device. Answers B and C are wrong because they have invalid syntax. For more information, see Chapter 9.

53. C. Answers A and D are wrong because the zpool command cannot be used to create a ZFS file system in an existing storage pool. Answer B is wrong because the command syntax is invalid. There should not be a leading slash (/) in the file system name. For more information, see Chapter 9.

54. A. Answer B is wrong because you can create a ZFS storage pool on a disk, a disk slice, a virtual device, or a file. Answer C is wrong because you first need to create the zfs1 and zfs2 files. Secondly, you would not create the mirror using two separate zpool create commands. Answer D is wrong because the zfs create command is not used to create a mirror. For more information, see Chapter 9.

55. D. Answer A is wrong because you cannot use the zpool create command on an existing storage pool. Answer B is wrong because you would destroy all the data in the /data file system. Secondly, you would only create a new storage pool and ZFS file system named pool1. Answer C is wrong because you need to specify both devices with the zpool attach command. For more information, see Chapter 9.

56. C. Answers A and B are wrong because they are invalid commands. Answer D is wrong because /pool1 is an invalid dataset name. For more information, see Chapter 9.

57. A. Answer B is wrong because you cannot use the zpool command to set the mountpoint property. Answer C is wrong because only a ZFS file system, with the mountpoint property set to legacy, can be unmounted. Answer D is wrong because this would make pool1 and pool1/data invisible. For more information, see Chapter 9.

58. A. syslogd severity levels are as follows (listed from highest to lowest): emerg, alert, crit, err, warning, notice, info, and debug. For more information, see Chapter 4.

59. A, B. Answers C and D are invalid entries in the /etc/hostname.eri0 file. For more information, see Chapter 1.

60. C. Answer A is wrong because if eri0 were not plumbed, it would not show up with the ifconfig command. Answer B is wrong because the dladm command is used to configure data links. Answer D is wrong because route add is used to add a route, and that is not the issue.

Solaris 10 System Administration Exam Prep (Exam CX-310-202), Part II

17_0789738171_pa1.qxd 4/13/09 7:55 PM Page 590

Page 607: Oracle Solaris 10 Exam 2 Reference Book

Index

Aaction field (syslog), 206activating, new boot environments, 450-452active study strategies, 10add install client, options, 372adding

devices to ZFS storage pools, 488-489patches on OS installed boot environments, 459software packages to boot environments,

457-458ZFS datasets to non-global zones, 519-521

addresses, displaying MAC addresses, 23administration, ZFS, 474all profiles, 203answers to practice exam, 583-590archive_location keyword (class files), 344-346attributes, /etc/nscd.conf, 258-259auth attr database, 198authentication (NIS+), 249authorization

NIS+, 250-251roleadd, 191-192

authorizations (auth attr) database, RBAC, 197auths command, 194autofs, 547AutoFS, 97. See also automount command

exam question answers, 116-119exam questions, 109-114exercises, 108-109maps

direct maps, 89-93, 97indirect maps, 93-97master maps, 85-89naming, 89overview, 85

overview, 82-85automount command. See also AutoFS

overview, 82-85when to use, 97

automountd command, 83

18_0789738171_Index.qxd 4/13/09 8:13 PM Page 591

Page 608: Oracle Solaris 10 Exam 2 Reference Book

592

Bbacking up, zones, 304backup_media keyword (class files), 346-347begin scripts, JumpStart, 342-343binding problems (NIS), 247block devices

Solaris Volume Manager, 139Zpools, 473

boot environments, maintaining with Solaris LiveUpgrade, 456

addingpatches on OS installed boot environments, 459software packages, 457-458

changingdescriptions of, 460-461names, 460

deleting inactive boot environments, 459-460removing

patches on OS installed boot environments, 458software packages, 456-457

viewing configuration of, 461boot servers, JumpStart, 324-329

/etc/bootparams, 327/etc/dfs/dfstab, 327/etc/ethers, 326/etc/hosts, 326/tftpboot, 327

bootingWAN boot client, 431

from local CD/DVD, 431-434from the OBP interactively, 434-436from the OBP non-interactively, 436with DHCP servers, 436-437

zones, 289-291booting x86 clients, 402bootlog-cgi, 420boot_createbe keyword (class files), 348boot_device keyword (class files), 347

CCalkins, Bill, 1certification programs, 5character devices, Solaris Volume Manager, 139check script (rules files), 341-342check script options, 341checksum, ZFS, 473

child directories, 249CIDR (classless inter domain routing), description of, 540class A networks, 539class B networks, 539class C networks, 539class D networks, 539class files (JumpStart)

archive_location, 344-346backup_media, 346-347boot_createbe, 348boot_device, 347client_arch, 348-349client_root, 349client_swap, 349-350cluster, 350dontuse, 351, 363filesys, 351-354forced_deployment, 354geo, 354-355install_type, 354layout_constraint, 355-356locale, 355-357local_customization, 357metadb, 357-358no_content_check, 358no_master_check, 358num_clients, 358overview, 343-344package, 358-359partitioning, 360patch, 361-362pool, 360-361root_device, 362system_type, 362testing class files, 363-365usedisk, 351, 363

client boot problems, troubleshooting JumpStart, 376client-side failovers, 78client/server model, 20

hosts, 20-21IPv4, 21-22

clients, 20DNS, 252-254JumpStart

sample installation, 379-381setting up, 372-376

LDAP (Lightweight Directory Access Protocol),256-257

NFS, 69-70

backing up, zones

18_0789738171_Index.qxd 4/13/09 8:13 PM Page 592

Page 609: Oracle Solaris 10 Exam 2 Reference Book

devices593

NIS, 243-244WAN boot, 563WAN boot clients, booting, 431

with DHCP servers, 436-437from local CD/DVD, 431-434interactively from OBP, 434-436noninteractively from OBP, 436

client_arch keyword (class files), 348-349client_root keyword (class files), 349client_swap keyword (class files), 349-350clones, ZFS, 512-513, 552

destroying, 513replacing ZFS file systems, 513-514

cloning zones, 302-304Cluster keyword (class files), 350Clustered environments, 133commands

metastat, 137running in zones, 296

common sense study strategies, 11components

of WAN boot, 420-421, 562of ZFS, 481-482

disks in storage pools, 482files in storage pools, 482-483

concatenated stripes, 134, 548concatenated volumes, creating, 146-147concatenations, 126-127, 548

SVM, 133-134configuration diskettes, JumpStart, 332-333configuration servers, JumpStart, 331-332

configuration diskettes, 332-333sample installation, 378-379

configuringJumpStart files, 423-428SVM, 136WAN boot files, 423-428WAN boot servers, 422-423

consolidation (containers), overview, 276containers

consolidation, 276resource management, 275-276versus zones, 275. See also zones

copy-on-write semantics, ZFS, 473-474core dumps, 542. See also virtual memorycore files

definition of, 542

overview, 63-66coreadm command, 63, 66, 542-543

-d and –e flag options, 65options, 64patterns, 543

coreadm patterns, 64crash dumps, 543-544

configuring, 66, 68exam question answers, 116-119exam questions, 109-114swap spaces for, 58

critical file systems, Solaris Live Upgrade, 439custom installations. See JumpStartCX-310-202 exam, i

objectives reference, i-iiCX-310-203 exam, ii

Ddaemons. See individual daemon namesdata, destroying in ZFS, 479data mirroring, 128data striping, 134-136

concatenated stripes, 134data striping (RAID 0), 126-127databases

state databases (SVM)creating, 141-143monitoring, 143-144recovering from problems, 144-146

state databases, SVM, 133datasets, ZFS, 552

adding to non-global zones, 519-521delegating to non-global zones, 521-522

delegating ZFS datasets to non-global zones, 521-522deleting

inactive boot environments, 459-460zones, 292

dependent keywords, 367descriptions, changing in boot environments, 460-461destroying

ZFS clones, 513ZFS data, 479ZFS snapshots, 510

detaching devices from mirrored pools, 491-492devices

adding to ZFS storage pools, 488-489

How can we make this index more useful? Email us at [email protected]

18_0789738171_Index.qxd 4/13/09 8:13 PM Page 593

Page 610: Oracle Solaris 10 Exam 2 Reference Book

594

detaching from mirrored pools, 491-492replacing in storage pools (ZFS), 515-517storage pools, 489-490

taking offline and online, 492-493dfmounts command, 78dfshares command, 74DHCP

PXE (Preboot Execution Environment), 392configuring the server, 393-401preparing for, 393

PXE clients, 392X86 clients, 401

DHCP serversbooting WAN boot clients, 436-437configuring for SPARC-based clients, 323

differential Flash Archives, creating, 390direct map fields, 90direct maps, 89-93, 97

naming, 89disk reads, 134-135disk scrubbing, ZFS, 514disk sets, 133disk storage, SVM volumes, 124, 133. See also SVMdisk writes, 134-135disks in ZFS storage pools, 482displaying

MAC addresses, 23network information with snoop, 42ZFS storage pool information, 484-488

DNS, 254. See also NISclients, configuring, 252-254name service exception, 220overview, 251, 558

domain name keywords (JumpStart), 367-369domains, NIS (planning), 233-234dontuse keyword (class files), 351, 363drivers, Metadisk driver, 132, 139dry run installations, 363dumpadm command, 66-68, 544

options, 544duration values, 83

Ee flags

coreadm, 65r option, 194

errorsNFS: service not responding error, 80No such file or directory error, 81RPC: Program not registered error, 80RPC: Unknown host error, 81Server not responding error, 81

etc files, 556overview, 226

etc/auth_attr databases, 197-199etc/auto master, 85-86etc/bootparams, JumpStart, 327etc/defaultdomain, 30etc/defaultrouter, 30etc/dfs/dfstab, 71-74

JumpStart, 327etc/ethers, JumpStart, 326etc/exec_attr databases, 201-203etc/hostname.*interface* files, 26etc/hostname.interface, 540etc/hosts, JumpStart, 326etc/inet/hosts, 27, 540-541etc/inet/ipnodes, 31, 541etc/inet/netmasks, 29-31etc/inetd.conf file, 31etc/mnttab, 87-89etc/nscd.conf, attributes, 258-259etc/nsswitch.conf, 223-225, 557etc/prof_attr databases, 199-201etc/services files, 34etc/syslog.conf, 204etc/user_attr databases, 195-197etc/vfstab, swap spaces, 60exam question answers, 116-119

crash dumps, 116-119Flash Archives, 412-413JumpStart, 412-413name services, 269-270networks, 46NFS, 116-119PXE (Preboot Execution Environment), 412-413RBAC (Role-Based Access Control), 214-215SVM, 184swap spaces, 116-119syslog, 214-215zones, 312-313

exam questionsautoFS, 109-114crash dumps, 109-114

dfmounts command

18_0789738171_Index.qxd 4/13/09 8:13 PM Page 594

Page 611: Oracle Solaris 10 Exam 2 Reference Book

hot spares595

Flash Archives, 407, 411JumpStart, 407, 411name services, 264-268networks, 43-44NFS, 109-114PXE (Preboot Execution Environment), 407-411RBAC (Role-Based Access Control), 211-213SVM, 181-182swap spaces, 109-114syslog, 211-213WAN boot, 463-466

answers to, 466-467for ZFS, 525-529, 531-533zones, 308-310

examsadvice for taking, 6-7CX-310-202, objectives reference, i-iiCX-310-203, iipractice exams, 565-581preparing for, 11-12

exec attr database, 201execution attributes database, RBAC, 201exercises

autoFS, 108-109JumpStart, 404-407name services, 262-264networks, 41-42NFS, 106-108RBAC, 210-211SVM, 180swap spaces, 105-106for ZFS, 524-525

Ff versus f, 292facilities (syslog), 205file ownership, WAN boot files, 427file systems. See also remote file systems

expanding with SVM, 153-156mirroring, 162-166, 169

troubleshooting, 174-176unmirroring, 159-160, 173-174ZFS, 550

managing, 553-554files

wanboot.conf file, 428-430in ZFS storage pools, 482-483

filesys mirror options, 353finish scripts, JumpStart, 343flags, Coreadm, 65flar command, 560flarcreate command, 383-386, 390, 560Flash Archives, 560-561. See also Solaris Flash

creating, 383, 385-386differential Flash Archives, 390

exam question answers, 412-413exam questions, 407, 411installing with Solaris installation, 387-389JumpStart, 391-392overview, 382

forced_deployment keyword (class files), 354

Ggcore command, 544geo keyword (class files), 354-355getent command, 260GIDs, resolving duplicates, 238global zones, 558

description of, 277. See also zonesfeatures of, 279

group files, creating, 238GRUB menu, Alternate boot environments, 454

Hhalting zones, 290hardware, networks, 21hardware addresses, 21hardware requirements, for ZFS, 475hierarchical namespaces, NIS+, 249history of ZFS, 494host files, creating, 239hostnames, 21

changing, 541hosts

client/server model, 20-21names, changing, 29-30overview, 20-21

hosts databases, 27hot spare pools, 133, 137hot spares, 133

How can we make this index more useful? Email us at [email protected]

18_0789738171_Index.qxd 4/13/09 8:13 PM Page 595

Page 612: Oracle Solaris 10 Exam 2 Reference Book

596

Iifconfig utility. See also network interfaces

configuring, 26ifdef statements, 204. See also syslogindirect maps, 93-97inetadm command, 31-33inetconv command, 31initial zone login, 293install servers (JumpStart), 329-331

sample installation, 376-377installation setup (JumpStart), troubleshooting, 375installations, JumpStart. See JumpStartinstalling

Solaris Live Upgrade, 438-439zones, 289

install_type keyword (class files), 354interfaces (network), configuring, 540-541interlaces, 134internet addresses, 21iostat command, 137IP addresses, 22ipnodes databases, 541IPv4, client/server model, 21-22IPv4 addresses

cautions, 22overview, 21planning for, 22

IPv4 network interfaces. See also network interfacesconfiguring, 26-28

/etc/hostname.*interface* file, 26/etc/inet/hosts file, 27-28/lib/svc/method/net-physical file, 26

Jjournaling process, ZFS file system, 473JumpStart

begin scripts, 342-343boot servers, 324-329

/etc/bootparams, 327/etc/dfs/dfstab, 327/etc/ethers, 326/etc/hosts, 326/tftpboot, 327

class filesarchive_location, 344, 346backup_media, 346-347

boot_createbe, 348boot_device, 347client_arch, 348-349client_root, 349client_swap, 349-350cluster, 350dontuse, 351, 363filesys, 351-354forced_deployment, 354geo, 354-355install_type, 354layout_constraint, 355-356locale, 355-357local_customization, 357metadb, 357-358no_content_check, 358no_master_check, 358num_clients, 358overview, 343-344package, 358-359partitioning, 360patch, 361-362pool, 360-361root_device, 362system_type, 362testing class files, 363-365usedisk, 351, 363

clients, setting up, 372-376commands, list of, 319components of, 319-320, 559-560configuration servers, 331-332

configuration diskettes, 332-333custom installation process, 321/etc/bootparams, 327exam question answers, 412-413exam questions, 407, 411exercises, 404-407files, configuring, 423-428finish scripts, 343Flash Archives, 391-392install servers, 329-331name service environments, 372overview, 318-319preparing for, 320-321rules files

check script, 341-342matches, 340overview, 333-334, 336requirements of, 337syntax of, 336-337

ifconfig utility

18_0789738171_Index.qxd 4/13/09 8:13 PM Page 596

Page 613: Oracle Solaris 10 Exam 2 Reference Book

maps597

rules keywords, 338-340rules values, 338-340sample installation

clients, setting up, 379-381configuration servers, setting up, 378-379install servers, setting up, 376-377JumpStart directories, creating, 377-378

SPARC, 322sysidcfg files, 366-367

name service keywords, 367, 369network keywords, 369-370root passwords, setting, 370time servers, setting, 371

/tftpboot, 327troubleshooting, 375-376

client boot problems, 376installation setup, 375

X86/x64 systems, 323-324

Kkeywords, dependent keywords, 367Kill –HUP, 207

Llayers, network layers, 537-538layout_constraint keyword (class files), 355-356LDAP (Lightweight Directory Access Protocol)

clients, 256-257listing client properties, 257modifying clients, 257overview, 254-255, 558. See also DNSSun Java System Directory Server, 255-256uninitializing clients, 257

learning processes, 9legacy mount points, ZFS file systems, 502-504level field (syslog), 205levels of RAID, 125lib/svc/method/net-physical files, 26listing LDAP client properties, 257live Upgrade Patch, 438locale keyword (class files), 355-357local_customization keyword (class files), 357lockfs command, 164, 171logger command, 208logical driver. See metadisk driver

logins, zones. See zloginlu command, 440luactivate, 440

activating new boot environments, 450-452SPARC platforms, 455X86/x64 platforms, 452-454

lucancel, 440lucompare, 440lucreate, 440

creating new boot environments, 441-445in another root pool, 445-446

lucurr, 440ludelete, 440ludesc, 440, 461lufslist, 440lumake, 440lumount, 440lurename, 440lustatus command, 447luupgrade, 440

upgrading new boot environments, 447-449

MMAC addresses

displaying, 23monitoring, 22

macro/micro study strategies, 10maintaining boot environments (Solaris Live Upgrade), 456

addingpatches on OS installed boot environments, 459software packages, 457-458

changingdescriptions of, 460-461names, 460

deleting inactive boot environments, 459-460removing

patches on OS installed boot environments, 458software packages, 456-457

viewing configuration of, 461makefiles, preparing, 241management commands, NIS, 235mapping, description of, 251maps. See also NIS

AutoFSdirect maps, 89-93, 97indirect maps, 93-97

How can we make this index more useful? Email us at [email protected]

18_0789738171_Index.qxd 4/13/09 8:13 PM Page 597

Page 614: Oracle Solaris 10 Exam 2 Reference Book

598

master maps, 85-89overview, 85

naming, 89NIS, 229, 231-233

creating custom maps, 245-246passwd maps, 246where to generate, 230

master files, creating, 240master group files, creating, 238master host files, creating, 239master maps, 85-89master passwd files, creating, 236-237master servers

NISconfiguring, 234-236ypinit, 241-242

starting/stopping NIS, 242-243menu.lst file, 454metaclear command, options, 147metadb command, 137, 357, 549-550

options, 142state databases, creating, 142

metadb keyword (class files), 357-358Metadisk driver, 132, 139Metainit command, 146-147

options, 146-147for creating soft partitions, 151mirrors, creating, 156-157

metastat command, 137-138, 149-150options, 150

migrating zones, 300-302mirrored storage pools, 483

converting from nonredundant pools, 490-491detaching devices, 491-492replacing disks in, 516-517

mirroring, 128root file systems, 162-166, 169

on x86-based systems, 166-172unmirroring, 173-174

unmirroring systems, 159-160mirrors, 134-135, 548

creating, 156-159root file systems, troubleshooting, 174-176submirrors, placing offline, 160-162ZFS, 552

mkfile command, swap spaces, 60-62

modifyingexisting zones, 299-300LDAP clients, 257

monitoring swap resources, 55-57mount command, NFS, 74-78mounting ZFS file systems, 500-502

legacy mount points, 502-504moving zones, 300

Nname Service Cache Daemon. See nscdname service keywords (JumpStart), 367-369name services. See also LDAP

DNS exception, 220exam question answers, 269-270exam questions, 264-268exercises, 262-264getent command, 260JumpStart, setting up, 372overview, 220-221source status codes, 225sources, 225switch files, 222-226Switch template files, 557

name-to-address resolutions. See mappingnames, changing in boot environments, 460naming

ZFS file system, 478ZFS snapshots, 510

naming servicesDNS, 558/etc files, 556LDAP, 558NIS, 556-557NIS+, 557-558overview, 555-556

native read-only ZFS properties, 495-496netstat command, 37-38network File System, 52network hardware, overview, 21network information, displaying with snoop, 42network Interface Card (NIC), 538network interfaces, 22

configuring, 28, 540-541/etc/hostname.[lt]interface[gt] files, 26/etc/inet/hosts files, 27/etc/inet/netmasks files, 29

master files, creating

18_0789738171_Index.qxd 4/13/09 8:13 PM Page 598

Page 615: Oracle Solaris 10 Exam 2 Reference Book

no_master_check keyword (class files)599

    /lib/svc/method/net-physical files, 26
    overview, 26
    system hostnames, 29-30
  controlling, 22-25
network keywords (JumpStart), 369-370
network layers, list of, 537-538
network maintenance
  overview, 36-39
  verifying operation of, 37-39
network services
  overview, 31-34
  RPC services, 34-36
networking zones, 281
networks
  CIDR, 540
  class A networks, 539
  class B networks, 539
  class C networks, 539
  class D networks, 539
  components of, 538
  exam question answers, 46
  exam questions, 43-44
  exercises, 41-42
  NFS services, 545-546
NFS (Network File System), 69
  AutoFS, 547
    overview, 82-85
  automount command. See automount command
  clients/servers, 69
  daemons, 70
  exam question answers, 116-119
  exam questions, 109-114
  exercises, 106-108
  mount command, 75
  overview, 68-69
  remote file systems, mounting, 74-78
  server logging, 78-79
  servers and clients, 70
  setting up, 71-74
  swap spaces, 62
  troubleshooting errors, 80
    NFS server not responding, still trying message, 81
    NFS: service not responding error, 80
    No such file or directory error, 81
    RPC: Program not registered error, 80
    RPC: Unknown host error, 81
    Server not responding error, 81
    Stale NFS file handle message, 80
  version 4, 69
NFS daemons, list of, 546
NFS server not responding, still trying message, 81
NFS services, 545-546
NFS: service not responding error, 80
NIC (Network Interface Card), 538
NIS (Network Information Service)
  binding problems, 247
  clients, setting up, 243-244
  daemons, 234
  determining hosts as servers, 229
  determining servers needed, 228-229
  domains, planning, 233-234
  makefiles, preparing, 241
  maps. See maps
  master files, creating, 240
  master group files, creating, 238
  master host files, creating, 239
  master passwd files, creating, 236-237
  master servers, configuring, 234-236
  overview, 227, 556-557
  security, 246-247
  server problems, 248
  slave servers, 244-245
  SMF, 243
  starting/stopping, 242-243
  structure of, 227-228
  Ypinit, 241-242
NIS commands, 235
NIS daemons, 234
NIS+
  authorization, 250-251
  hierarchical namespaces, 249
  overview, 248, 557-558
  principals, 249
  security, 249
No such file or directory error, 81
nonglobal zones, 558
  description of, 277. See also zones
  features of, 279-280
  root file system models, 280-281
nonredundant pools, converting to mirrored pools, 490-491
no_content_check keyword (class files), 358
no_master_check keyword (class files), 358


nscd (Name Service Cache Daemon). See also name services
  command options, 259
  overview, 258-260
num_clients keyword (class files), 358
nvalias command, 166

O
object sets, ZFS file systems, 480
objects, Volume Manager objects, 177
OBP (OpenBoot PROM), 419
  interactively booting WAN boot client, 434-436
  noninteractively booting WAN boot client, 436
offlining devices, 493
optional parameters field (filesys), 352
optional parameters options (file sys), 352
options
  coreadm command, 64
  logger command, 208
  metaclear command, 147
  metadb command, 142
  metainit command, 146-147
    mirrors, creating, 156-157
    soft partitions, creating, 151
  metastat command, 150
  nscd command options, 259
  roleadd command, 191
  rolemod command, 193
OS installed boot environments
  adding patches, 459
  removing patches from, 458

P
package keyword (class files), 358-359
pages, space allocation, 53
paging, description of, 53
parameters, wanboot.conf, 429
partitioning keyword (class files), 360
partitions, creating soft partitions, 150-152
passwd files, creating, 236-237
passwd maps, 246
patch keyword (class files), 361-362
performing Solaris Live Upgrade from local DVDs, 449
pfinstall command
  class files (testing), 363-365
  options, 364
physical memory, description of, 52-53. See also RAM
ping, 36
  conditions for success, 24
ping success, conditions for, 24
pool keyword (class files), 360-361
pool1 command, 477
pools, ZFS, 552
practice exam, 565-581
  answers to, 583-590
preparing for exam, 11-12
pretesting, importance of, 11
principals, NIS+, 249
processes, Solaris Live Upgrade, 439-440
  activating new boot environments, 450-452
  creating new boot environments, 441-446
  displaying the status of new boot environments, 447
  luactivate
    on SPARC platforms, 455
    on x86/x64 platforms, 452-454
  upgrading new boot environments, 447-449
prof attr database, 199
profile diskettes. See configuration diskettes
profile names, 199. See also /etc/prof_attr databases
properties
  listing LDAP client properties, 257
  ZFS, 494-497
    native read-only ZFS properties, 495-496
    settable ZFS properties, 496-497
    setting, 497-500
pseudo driver. See metadisk driver
PXE (Preboot Execution Environment)
  configuring DHCP servers, 393-401
  exam question answers, 412-413
  exam questions, 407-411
  overview, 392
  preparing for, 393

R
RAID (Redundant Array of Inexpensive Disks), 124-125
  levels of, 125
  overview, 125
  RAID 0, 126-127, 136
  RAID 0+1 (mirrored stripe), 130
  RAID 1, 128, 136
  RAID 1+0, 130
  RAID 5, 129-130, 135-136


  SVM, 548-549
  ZFS, 476
RAID 0 (concatenated), creating volumes, 146-149
RAID 0+1 (mirrored stripe), 130
RAID 5, 548
RAID-Z, 476
  storage pools, 484
  ZFS, 552
RAM (random-access memory), 52
RARP (reverse address resolution protocol), 327
  JumpStart, 325
raw devices, Solaris Volume Manager, 139
RBAC (Role-Based Access Control), 189
  authorizations databases, 197-199
  components of, 195
  exam question answers, 214-215
  exam questions, 211-213
  execution attributes databases, 201-203
  exercises, 210-211
  extended user attributes databases, 195-197
  overview, 189, 555
  rights profiles databases, 199-201
  utilizing, 190-194
read policies, 134-135
ready state, zones (transitioning to), 289-290
rebooting zones, 291
recipients (hosts), 20
Redundant Array of Inexpensive Disks. See RAID
Regional Internet registries (RIRs), 21
registering Sun Connection Services, 101
remote file systems, mounting, 74-78
removing
  patches on OS installed boot environments, 458
  software packages from boot environments, 456-457
  ZFS file systems, 479-480
  ZFS storage pools, 480-481
renaming
  ZFS file system, 478
  ZFS snapshots, 510
replacing
  devices in storage pools (ZFS), 515-517
  ZFS file systems with ZFS clones, 513-514
replicas, 90
requirements
  for Solaris Live Upgrade, 438
  for WAN boot, 418-419, 561
  for ZFS, 553
  hardware and software requirements, 475
resilvering ZFS, 552
resource management (containers), 275-276
restoring ZFS snapshots, 510
review exercises, zones, 306-307
rights profiles (prof attr) database, RBAC, 199
RIRs (regional Internet registries), 21
Role-Based Access Control. See RBAC
roleadd command, 190-192
roledel command, 194
rolemod command, 193-194
rolling back ZFS snapshots, 511-512
root file system models (zones)
  overview, 280
  sparse root zones, 281
  whole root zones, 281
root file systems
  mirroring, 162-166, 169
    on x86-based systems, 166-172
  mirrors, troubleshooting, 174-176
  unmirroring, 173-174
  ZFS, 517-518
root passwords (JumpStart), setting, 370
root pools, creating new boot environments, 445-446
root_device keyword (class files), 362
RPC (remote procedure calls), 34-36
RPC services, 34-36
RPC: Program not registered error, 80
RPC: Unknown host error, 81
rules files (JumpStart)
  check script, 341-342
  matches, 340
  overview, 333-336
  requirements of, 337
  syntax of, 336-337
rules keywords (JumpStart), 338-340
rules values (JumpStart), 338-340

S
saving ZFS snapshots, 510
scores, 12
secure nets files, 246-247
security
  NIS, 246-247
  NIS+, 249


senders (hosts), 20
server logging (NFS), 78-79
Server not responding error, NFS, 81
server problems (NIS), 248
servers, 20
  DHCP servers, Booting WAN boot clients, 436-437
  NFS, 69-70
  WAN boot servers, 421-422
    configuring, 422-423
services (network)
  overview, 31-34
  RPC services, 34-36
settable ZFS properties, 496-497
share command, 72-74, 504
  NFS, 71-73
shareable file systems, Solaris Live Upgrade, 440
shared resources, 71. See also NFS
sharenfs property, 505
sharing ZFS file systems, 504-506
showmount command, 84-85
<size> values (filesys), 351-352
Sizing swap space, 4
Slave servers (NIS), 244-245
<slice> values (filesys), 351
SMC (Solaris Management Console), 140
SMF, NIS, 243
snapshots, ZFS, 508, 552
  creating, 508
  destroying, 510
  listing, 509
  renaming, 510
  rolling back, 511-512
  saving and restoring, 510
SNMP (Simple Network Management Protocol), trap generating daemon, 138-139
snoop, 25, 36
  displaying network information, 42
soft partitions, 32-133
  creating, 150-152
software packages
  adding to boot environments, 457-458
  removing from boot environments, 456-457
software requirements for ZFS, 475
Solaris Flash, 560-561. See also Flash Archives
Solaris Live Upgrade, 437-438, 563-564
  commands, 440
  installing, 438-439
  maintaining boot environments, 456
    adding patches on OS installed boot environments, 459
    adding software packages, 457-458
    changing descriptions of, 460-461
    changing names, 460
    deleting inactive boot environments, 459-460
    removing patches on OS installed boot environments, 458
    removing software packages, 456-457
    viewing configuration of, 461
  performing from local DVDs, 449
  processes, 439-440
    activating new boot environments, 450-452
    creating new boot environments, 441-446
    displaying the status of new boot environments, 447
    luactivate on SPARC platforms, 455
    luactivate on x86/x64 platforms, 452-454
    upgrading new boot environments, 447-449
  requirements for, 438
  upgrading from Flash Archive from a DVD, 450
Solaris Management Console (SMC), 140
Solaris Volume Manager. See SVM
Solaris zones. See also zones
  ZFS, 518-519
    adding ZFS datasets to nonglobal zones, 519-521
    delegating ZFS datasets to nonglobal zones, 521-522
source status codes, name services, 225
sources, name services, 225
SPARC, JumpStart, 322
SPARC platform, luactivate, 455
SPARC systems, as install servers, 393
Sparse root zones, 281
Spray services, enabling/disabling, 33
stale NFS file handle message, troubleshooting NFS errors, 80
state databases (SVM), 133, 549-550
  creating, 141-143
  monitoring, 143-144
  recovering from problems, 144-146
statements, ifdef, 204
states
  ZFS, 552-553
  zones, 278


storage pools
  mirrored storage pools, 483
  RAID-Z, 484
  ZFS, 472-473, 550-551
    adding devices to, 488-489
    converting nonredundant pools to mirrored pools, 490-491
    devices, 489-490
    removing, 480-481
    replacing devices, 515-517
    taking devices offline and online, 492-493
storage volumes, 124, 133. See also SVM
stripes, 126-127, 134-136, 548
  concatenated stripes, 134
striping
  with distributed parity (RAID 5), 129-130
  with parity (RAID 5), 135
study strategies
  active strategies, 10
  commonsense strategies, 11
  macro/micro strategies, 10
  overview, 10
su command (RBAC), 190, 193
submirrors, 134-135, 548. See also mirrors
  placing offline, 160-162
subnets, booting on, 327
Sun Connection Services, registering, 101
Sun Java System Directory Server, 256. See also LDAP (Lightweight Directory Access Protocol)
Sun Update Connection, 98
Sun Update Connection Proxy, 98
Sun Update Connection service, 97
  Update Manager, 98-103
  Update Manager Proxy, 103
Sun Update Manager, 98-103
Sun Update Manager Proxy, 103
SunSolve Patch and Updates Portal, 98
supernetting. See CIDR
Superuser access, assigning with RBAC (Role-Based Access Control), 190
Svcadm command, 207
Svccfg command, 31
SVM (Solaris Volume Manager), 130-132
  commands, 139-140
  concatenated volumes, creating, 146-147
  configurations planning, 136-139
  disk sets, 133
  exam question answers, 184
  exam questions, 181-182
  exercises, 180
  hot spare pool, 137
  metadisk driver, 132, 139
  mirroring root file systems, 162-166, 169
  mirrors
    creating, 156, 158-159
    troubleshooting, 174-176
  objects, 547
  overview, 132, 547-548
  placing submirror offline, 160-162
  RAIDs, 548-549
  SNMP trap generating daemon, 138-139
  soft partitions, 132
    creating, 150-152
  state databases, 133, 549-550
    creating, 141-143
    monitoring, 143-144
    recovering from problems, 144-146
  unmirroring systems, 159-160
    root file systems, 173-174
  volume statuses, monitoring, 149-150
  volumes, 132
    concatenated stripes, 134
    concatenations, 133-134
    expanding, 153-156
    mirrors, 134-135
    overview, 133
    RAID 5, 135
    stripes, 134-136
swap -l command, 56
swap -s command, 57
swap command, 542
swap files, 542. See also core dumps
swap monitoring tools, 56
swap spaces
  calculations, 57
  crash dump space, 58
  deleting, 62-63
  /etc/vfstab, 60
  exam question answers, 116-119
  exam questions, 109-114
  exercises, 105-106
  monitoring resources, 55-57
  NFS, 62
  overview, 52-53
  permissions, 61
  setting up, 58-62


  sizing, 54
  TMPFS, 53-54
  troubleshooting, 55
swapfs, 53. See also swap spaces
swaps, definition of, 542
switch files, name services, 222-226
switch template files (name services), 557
sys-unconfig command, 541
sysidcfg files
  installing, 294
  JumpStart, 366-367
    name service keywords, 367-369
    name services, 372
    network keywords, 369-370
    root passwords, setting, 370
    time servers, setting, 371
  zones, configuring, 294
syslog
  exam question answers, 214-215
  exam questions, 211-213
  logger command, 208
  overview, 203-208
syslogd daemon, 203-204
system hostnames, changing, 29-30
system_type keyword (class files), 362

T
tftpboot, JumpStart, 327
time limits, 11
time servers (JumpStart), setting, 371
tips for success, 12-14
TMPFS (temporary file system), 53-54. See also swap spaces
tools, swap monitoring tools, 56
trigger nodes, 87
troubleshooting
  JumpStart, 375
    client boot problems, 376
    installation setup, 375
  NFS errors, 80
    NFS server not responding, still trying message, 81
    NFS: service not responding error, 80
    No such file or directory error, 81
    RPC: Program not registered error, 80
    RPC: Unknown host error, 81
    Server not responding error, 81
    Stale NFS file handle message, 80
Trusted Solaris, 202

U
UFS (UNIX file systems), 53
UFS files, in ZFS storage pools, 482-483
UIDs, resolving duplicates, 237
umount command, 78. See also mount command
uname command, 165
uninitializing LDAP clients, 257
uninstalling zones, 291
UNIX file systems (UFS), 53
UnixEd.com, 7
unmirroring root file systems, 173-174
Update Manager, Sun Update Connection service, 98-103
Update Manager Proxy, Sun Update Connection service, 103
upgrading
  Flash Archive from DVD, Solaris Live Update, 450
  new boot environments, 447-449
usedisk keyword (class files), 351, 363
user attr database, 196
usermod command, 192
usernames, resolving duplicates, 237

V
validating rules files, 341-342
verifying operation of networks, 37-39
Veritas Volume Manager, overview, 176-178
viewing configurations of boot environments, 461
virtual devices, ZFS, 552
virtual memory, 53, 542. See also swap files; swap spaces
virtual swap spaces, description of, 53
virtual volume management, SVM, 133
virtual volumes, 124. See also SVM
volume Manager objects, 177-178
volumes
  defined, 132
  managing. See SVM
  RAID 0 (concatenated), creating, 146-148
  RAID 0 (stripe), creating, 149
  Veritas Volume Manager, 176-178
  ZFS, 552


W
WAN boot, 418, 561
  clients, 563
  components of, 420-421, 562
  exam questions, 463-466
    answers, 466-467
  files, configuring, 423-428
  processes, 421
  requirements for, 418-419, 561
  wanboot.conf file, 428-430
WAN boot client, booting, 431
  with DHCP servers, 436-437
  from local CD/DVD, 431-434
  interactively from OBP, 434-436
  noninteractively from OBP, 436
WAN boot file system, 420
WAN boot miniroot, 420
WAN boot servers, 421-422
  configuring, 422-423
wanboot program, 420
wanboot-cgi, 420
wanboot.conf, 420
wanboot.conf file, 428-430
WANs (wide area networks), 418
Web-based interfaces, ZFS, 506-507
whole root zones, 281
wide area networks. See WANs
write policies, 135

X
X64 systems, JumpStart, 323-324
X86 clients
  booting, 402
  DHCP, 401
X86 systems
  JumpStart, 323-324
  Preserve, 347
X86-based systems, mirroring root file systems, 166-172
X86/x64 platform, luactivate, 452-454

Y
Yellow Pages, 556
ypcat command, 233
ypinit, 241-242
ypserv, 242

Z
z option
  zlogin, 296
etc files, 556
  overview, 226
etc/auth_attr databases, 197-199
etc/auto master, 85-86
ZFS (Zettabyte File System), 472
  administration, 474
  basic file systems, creating, 476-478
  clones, 512-513
    destroying, 513
    replacing ZFS file systems, 513-514
  components of, 481-482
    disks in storage pools, 482
    files in storage pools, 482-483
  copy-on-write semantics, 473-474
  disk scrubbing, 514
  exam questions, 525-533
  exercises for, 524-525
  file systems, 550
    managing, 553-554
  hardware and software requirements, 475
  history of, 494
  mirrored storage pools, 483
  object sets, 480
  overview, 472
  properties, 494-497
    native read-only ZFS properties, 495-496
    settable ZFS properties, 496-497
    setting, 497-500
  RAID configurations, 476
  requirements for, 553
  root pool, 518
  snapshots, 508
    creating, 508
    destroying, 510
    listing, 509
    renaming, 510
    rolling back, 511-512
    saving and restoring, 510
  Solaris zones, 518-519
    adding ZFS datasets to nonglobal zones, 519-521
    delegating ZFS datasets to nonglobal zones, 521-522


  states, 552-553
  storage pools, 472-473, 550-551
    adding devices to, 488-489
    attaching devices, 489-490
    converting nonredundant pools to mirrored pools, 490-491
    detaching devices from mirrored pools, 491-492
    displaying information, 484-488
    removing, 480-481
    replacing devices, 515-517
    taking devices offline and online, 492-493
  terminology for, 474-475
  terms for, 552
  Web-based management GUI, 506-507
zfs destroy command, 513
ZFS file systems, 473
  listing, 478-479
  mounting, 500-502
    legacy mount points, 502-504
  removing, 479-480
  renaming, 478
  sharing, 504-506
zfs mount command, 500
zfs rename command, 510
zfs rollback command, 511
ZFS root file system, 517-518
zfs set command, 497
zlogin
  z option, 296
  initial logins, 293
  overview, 292-293
  zone console, logging in, 294-295
zone console, logging in, 294-295
zoneadm command, 300
zoneadmd, description of, 282
zonecfg command, 558
  overview, 283-287
  properties/parameters, 285-286
  resource types, 284-285
  subcommands, 283-284
zones
  backing up, 304
  booting, 289-290
  cloning, 302-304
  commands, running in zones, 296
  configuration files, viewing, 299
  configurations, viewing, 287-289
  configuring. See zonecfg command
  versus containers, 275. See also containers
  creating, 296-299
  daemons, 282
  deleting, 292
  exam question answers, 312-313
  exam questions, 308-310
  f versus f, 292
  global zones
    description of, 277
    features of, 279
  halting, 290
  installing, 289
  logging in, 295. See also zlogin
  migrating, 300-302
  modifying existing, 299-300
  moving, 300
  networking, 281
  non-global zones
    description of, 277
    features of, 279-280
  overview, 274-275, 558-559
  practice exercises, 306-307
  rebooting, 291
  root file system models
    overview, 280
    sparse root zones, 281
    whole root zones, 281
  sysidcfg files, utilizing, 294
  uninstalling, 291
  zone states, 278
zpool attach command, 489
zpool create command, 477, 484
zpool destroy command, 480
zpool detach command, 491
zpool history command, 494
zpool offline command, 492
zpool replace command, 515
zpool scrub command, 514
zpool status command, 516
zpools, 473, 550
zsched, description of, 282


Your purchase of Solaris 10 System Administration Exam Prep: Exam CX-310-202 Part II includes access to a free online edition for 45 days through the Safari Books Online subscription service. Nearly every Que book is available online through Safari Books Online, along with more than 5,000 other technical books and videos from publishers such as Cisco Press, Exam Cram, IBM Press, O’Reilly, Prentice Hall, and Sams.

SAFARI BOOKS ONLINE allows you to search for a specific answer, cut and paste code, download chapters, and stay current with emerging technologies.

Activate your FREE Online Edition at

www.informit.com/safarifree

STEP 1: Enter the coupon code: HJFUQGA.

STEP 2: New Safari users, complete the brief registration form. Safari subscribers, just log in.

If you have difficulty registering on Safari or accessing the online edition, please e-mail [email protected]

FREE Online Edition