SNMP-Based Monitoring

Early versions of the Solaris fault manager reported faults to the system log and console(s). It provided a wealth of status information using fmadm(1M). But these reporting mechanisms leave much to be desired: syslog messages must be parsed, and a busy central log host can easily lose important messages in the noise. Worse still, a privileged user must log into the affected system and run administrative commands to get information they need that is not contained in the message. SNMP is a...

Stateful Packet Filtering

Packet state filtering can be used for any TCP flow to short-cut later filtering. The shortcuts are kept in a table, with no alterations to the list of firewall rules. Subsequent packets, if a matching entry is found in the table, are not passed through the rule list, making packet filtering much more efficient. For TCP flows, the filter follows the ACK sequence numbers of packets and only allows through packets that fall inside the correct window. Keep state for all outgoing telnet connections and...

Tunable Kernel Parameters

The following list describes tunable kernel parameters related to NFS version 4. You can define these parameters in the /etc/system file, which is read during the boot process. You can identify each parameter by the name of the kernel module that it is in and a parameter name that identifies it. Each entry includes a description and suggestions on when you might change the setting. Solaris is a multi-threaded, scalable UNIX OS that runs on SPARC and x86 processors. It is self-adjusting to system...

zfs get checksum tank/ws

The fourth column, SOURCE, indicates where this property value has been set from. You can use the special keyword all to retrieve all dataset properties. The following example uses the all keyword to retrieve all existing dataset properties. The -s option to zfs get enables you to specify, by source value, the type of properties to display. This option takes a comma-separated list indicating the desired source types. Only properties with the specified source type are displayed. The valid source...

Modifying Disk Partition Tables Using a VTOC

This change enables you to preserve and use the system's existing disk slice tables during an installation by selecting Load VTOC. Figure 8-1 shows the Lay Out File Systems screen of the Solaris 10 Installer program. This is where you have the option to load an existing disk slice table for the selected disk by pressing the Load VTOC button. To modify the layout, select a disk and click Modify. Figure 8-1 Lay Out File Systems Screen. A warning is displayed that gives you a chance to cancel your...

Installing Packages in Zones

The standard Solaris package management tools, for example, pkgadd and pkgrm, are used to administer packages on a system with zones installed. The global administrator can use these tools to manage the software on every zone in the system. Package parameters listed in the pkginfo file for a package control how the Solaris package tools can administer the package. These package parameters determine how package content can be distributed and made visible among zones, both global and non-global,...

Saving and Restoring Non-Global Zone Configuration Information

You should create backup files of your non-global zone configurations. You can use these files to re-create zones if necessary. Create the copy of the zone's configuration after you have logged in to the zone for the first time and have responded to the sysidtool questions. This example procedure uses the zone named zone2 to illustrate the process. Creating a Copy of a Non-Global Zone Configuration: To print the configuration of the non-global zone called zone2 to a file called backup...

zonecfg -z work-zone

work-zone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:work-zone> create
zonecfg:work-zone> add fs
zonecfg:work-zone:fs> set type=zfs
zonecfg:work-zone:fs> set special=tank/zone/work-zone
zonecfg:work-zone:fs> set dir=/export/shared

This syntax adds the ZFS file system, tank/zone/work-zone, to the zone work-zone, mounted at /export/shared. The mountpoint property of the file system must be set to legacy, and the file system cannot already be mounted in...

Fault Managed Resource Identifier

An event includes an event data payload comprised of name-value pairs or a similar string; one of the entities included in this is the fault managed resource identifier (FMRI). An FMRI identifies resources that detected an error, are affected by an error, or have had a change of state following fault diagnosis. FMRI specifications describe the detector in error reports and the indicted Automated System Reconfiguration Unit (ASRU), Field Replaceable Unit (FRU), and resource in fault reports. An FMRI...

Using zonecfg Subcommands

Subcommands within the zonecfg utility are used to configure and provision zones (see Table 1-1). The zonecfg prompt indicates whether the scope is global or is confined to a particular resource. Many subcommands also allow the -f, or force, flag. If this flag is used, the subcommand does not use interactive questioning safeguards. Exits from resource scope back to global scope; partially specified resources are abandoned. Verifies settings and commits proper settings from memory to disk. The revert...

Using the inetadm Command

The inetadm(1M) command allows observation and configuration of inetd-controlled services (services with inetd as the restarter). The capabilities of inetadm are a combination of the svcs command, the svcadm command, and the svccfg command, with some inetd-specific knowledge and validation built in. The inetadm command with no arguments lists all the services under the control of the inetd daemon.
svc:/network/security/ktkt_warn:default ticotsord

WAN Boot Troubleshooting

No OBP support for platform - Is the network-boot-arguments NVRAM variable defined?
OpenBoot PROM cannot download the boot program - Is the boot_file value a URI to the CGI program? Did you check the web server logs?
Boot program cannot create ramdisk - Does the client have 256 Mbytes of RAM?
Boot program cannot download component - Are the values in wanboot.conf correct? Did you run bootconfchk on wanboot.conf? Is the HMAC SHA-1 key installed on the client? Does the client key match the client's key on the...

pkgadm addcert -t -f der /tmp/rootcrt

Keystore Alias: GTE CyberTrust Root
Common Name: GTE CyberTrust Root
Certificate Type: Trusted Certificate
Issuer Common Name: GTE CyberTrust Root
Validity Dates: <Feb 23 23:01:00 1996 GMT> - <Feb 23 23:59:00 2006 GMT>
MD5 Fingerprint:
SHA1 Fingerprint:
Are you sure you want to trust this certificate? y
Trusting certificate <GTE CyberTrust Root>
Type a Keystore protection Password.
Press ENTER for no protection password (not recommended): mypass
For Verification: Type a Keystore protection...

ufsdump 0f /backup/zone2_root_dump /dev/rdsk/c0t0d0s7

DUMP: Date of this level 0 dump: Mon Dec 26 12:37:21 2005
DUMP: Date of last level 0 dump: the epoch
DUMP: Dumping /dev/rdsk/c0t0d0s7 (sys21:/export/zone2) to /backup/zone2_root_dump.
DUMP: Mapping (Pass I) [regular files]
DUMP: Mapping (Pass II) [directories]
DUMP: Writing 32 Kilobyte records
DUMP: Estimated 205872 blocks (100.52MB).
DUMP: Dumping (Pass III) [directories]
DUMP: Dumping (Pass IV) [regular files]
DUMP: 205822 blocks (100.50MB) on 1 volume at 9534 KB/sec
DUMP: DUMP IS DONE

Create the backup of the non-global zone's...

SMF can be put in a debug mode by using the boot -m debug command. This causes

Executing last command: boot -m debug
Boot device: /pci@1f,0/pci@1/scsi@8/disk@0,0:a  File and args: -m debug
SunOS Release 5.10 Version s10_66 64-bit
Copyright 1983-2004 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Sep 3 08:04:00 6 login default.
Initialized restarter protocol
Initialized restarter
Initialized graph
Graph adding svc:/system/console-login:default.
Graph engine: Refreshing svc:/system/console-
Graph adding svc:/system/sysidtool:net.
Graph engine: Refreshing...

New Solaris Live Upgrade Features

New features in Solaris Live Upgrade 2.1 provide the following new functionality. Solaris Live Upgrade uses Solaris Volume Manager technology to create a duplicate boot environment that contains file systems with RAID-1 volumes (mirrors). The mirror provides data redundancy for any file system, including the root file system. With the lucreate command, you can create mirrored file systems that contain up to three submirrors. With the lucreate command, you can now exclude some files and...

The -l option of the inetadm command allows you to see all the properties for a

exec="/usr/sbin/in.telnetd"
user="root"
default  bind_addr=""
default  bind_fail_max=-1
default  bind_fail_interval=-1
default  max_con_rate=-1
default  max_copies=-1
default  con_rate_offline=-1
default  failrate_cnt=40
default  failrate_interval=60
default  inherit_env=TRUE
default  tcp_trace=FALSE
default  tcp_wrappers=FALSE

The cryptoadm(1M) Utility

The cryptoadm utility displays cryptographic provider information for a system, configures the mechanism policy for each provider, and installs or uninstalls a cryptographic provider. For kernel-level software providers, the cryptoadm utility provides two subcommands. The unload subcommand instructs the kernel to unload a kernel software provider's module. The refresh subcommand resynchronizes the kernel-level cryptographic framework with the current kernel-level configuration. For the...

The ppriv(1) Utility

Process privilege sets and their attributes are viewed and modified by the program ppriv(1). The ppriv utility examines processes and core files and prints or changes their privilege sets. ppriv can run commands with privilege debugging on or off, or with fewer privileges than the invoking process. When executing a sub-process, the only sets that can be modified are L and I. Privileges can only be removed from L and I, as ppriv starts with P = E = I. ppriv can also be used to remove privileges from...

Command Line Tools

The Trusted Extensions software includes a number of user and administration commands. It also modifies some of the standard Solaris commands. Table 7-5 lists Trusted Extensions specific user and administration commands. Table 7-5 User and Administration Trusted Extensions Commands. Enables a device to be allocated by adding the device to device allocation databases. By default, removable devices are allocatable. Translates a label...

fmadm faulty

faulted mem:///component=Slot%20B%3A%20J3000

FMA keeps a resource database which contains the state of any resource which has occurred in an event. The possible states of a resource are as follows:
ok - The resource is present and in use and FMA detects no known problems.
unknown - The resource is not present or not usable but has no known problems. This might indicate the resource has been disabled or unconfigured by an administrator.
degraded - The resource is present and usable, but FMA has...

ppriv Command Examples

To list all currently defined privileges
To show a specific privilege's details:
Allows a process to change a file's owner user ID. Allows a process to change a file's group ID to one other than the process' effective group ID or one of the process' supplemental group IDs.
To list the privileges that are available to your shell's process:
,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac n_upgrade_sl
To show a verbose listing of a process's privileges:
ppriv -v 441
441: /usr/sbin/vold...

bootconfchk /etc/netboot/129.156.198.0/010003BA152A42/wanboot.conf

The CGI program /usr/lib/inet/wanboot/wanboot-cgi fulfills client download requests for wanboot and the root file system. The wanboot-cgi file must be copied to the web server's cgi-bin directory. The CGI program /usr/lib/inet/wanboot/bootlog-cgi fulfills client requests for logging WAN Boot messages. It must be copied to the web server's cgi-bin directory. The driver /usr/sbin/wanbootutil serves as the driver for wanboot_keygen(1M), wanboot_keymgmt(1M), and wanboot_p12split(1M). It is executed by the...

Using zonecfg Resource Parameters

Resource types within the zonecfg utility include the following:
zonename - Defines the zone name and identifies the zone to the configuration utility.
zonepath - Defines the zone path resource and is the path to the zone root.
autoboot - Determines if the zone will reboot when the system reboots.
pool - Associates the zone with a specific resource pool.
dataset - The name of a ZFS dataset to be accessed from within the zone.
fs - Assigns resource parameters for file systems. Use of the special...

Settable ZFS Properties

Settable properties are properties whose values can be both retrieved and set. Settable properties are set by using the zfs set command. With the exceptions of quotas and reservations, settable properties are inherited. Some settable properties are specific to a particular type of dataset. In such cases, the particular dataset type is mentioned in the description in the previous table. If not specifically mentioned, a property applies to all dataset types (file systems, volumes, clones, and...

The next example shows you how to trace a SCSI disk driver. You replace the sd

dtrace: description 'fbt:sd::' matched 513 probes
CPU     ID                    FUNCTION:NAME
                  sd_media_watch_cb:entry
                  sd_media_watch_cb:return
                  sd_media_watch_cb:entry
                  sd_media_watch_cb:return

The next example shows you how to trace a higher level kernel event:
dtrace -n vminfo:::zfod
dtrace: description 'vminfo:::zfod' matched 3 probes
CPU     ID                    FUNCTION:NAME

The next example shows you how to trace all system calls:
dtrace -n syscall:::
dtrace: description 'syscall:::' matched 456 probes
CPU     ID                    FUNCTION:NAME

To enable probes provided...

WAN Boot Changes

Previously, JumpStart functioned with the RARP, TFTP, and NFS protocols, which do not scale for WAN use. These protocols also do not have the ability to secure the installation process. WAN Boot utilizes advanced OBP or CD-ROM capabilities to scale and secure the installation process. In addition, WAN Boot uses standard HTTP or HTTPS protocols, SHA-1 signatures, and 3DES or AES encryption to scale and secure the installation process in all scales of network environments, including the Internet. By...

JumpStart Installation Package and Patch Enhancements

When installing and upgrading the Solaris OS by using the custom JumpStart installation method, new package and patch customizations enable the following:
A Solaris Flash installation with additional packages - The custom JumpStart profile package keyword has been enhanced to enable installing a Solaris Flash archive with additional packages. For example, you can install the same base archive on two machines, but add a different set of packages to each machine. These packages do not have to be a...

IP Pools

IP pools are a method to group IP addresses that Solaris IP Filter rules use. Configuration and use of IP pools is not required in most instances of a host-based firewall. The pools are configured in a manually edited configuration file, /etc/ipf/ippool.conf. This file is read at boot time. Two types of pools are supported: a table type, which can be a hash structure or a tree structure, and a group-map type. The group-map pool is used by using the ipf call function mechanism in the rule set, and...

poolcfg -c info /etc/pooladm.conf

Note - The /etc/pooladm.conf file does not exist by default. You can create it using the pooladm -s /etc/pooladm.conf command. The pooladm -c command reads /etc/pooladm.conf by default. Table 2-4 lists the properties for this example. Table 2-4 Pool Configuration File Properties. Comment string describing the system. libpool version required to manipulate this configuration. If the specified pool is not found, bind to the pool with the pool.default property set to...

Debugging a System Hang During Boot

To debug a system hang during boot, use the -m option of the boot command. For this type of problem, specify milestone=none as the -m option (see kernel(1M)).

screen not found.
Can't open input device.
Keyboard not present.  Using ttya for input and output.

Sun Enterprise 420R (3 X UltraSPARC-II 450MHz), No Keyboard
OpenBoot 3.29, 1024 MB memory installed, Serial #16241000.
Ethernet address 8:0:20:f7:d1:68, Host ID: 80f7d168.

Rebooting with command: boot -m milestone=none
Boot device: /pci@1f,4000/scsi@3...

Filtering IP Security Classes

For users who have packets which contain IP security bits, filtering on the defined classes and authority levels is supported. Currently, filtering on 16-bit authority flags is not supported. As with ipopts and other IP options, it is possible to say that the packet only matches if a certain class is not present. The following are examples of filtering on IP security options:
drop all packets without IP security options
only allow packets in and out on le0 which are top secret
pass out on le1...

Using NFS Over RDMA

The Remote Direct Memory Access (RDMA) protocol is a technology for memory-to-memory transfer of data over high-speed networks. The InfiniBand Architecture (IBA) is an industry standard that defines a new high-speed switched fabric subsystem. Solaris 10 OS supports Internet Protocol (IP) over InfiniBand (IPoIB). IPoIB is compatible with existing TCP, UDP, IPv4, and IPv6. Support for IB has been added to the IP utilities netstat, ifconfig, and snoop. RDMA provides remote data transfer directly to and from...

Examining Performance Problems Using the vminfo Provider

The vminfo provider makes available probes from the virtual memory (vm) kernel statistics (kstat) kept by the kernel kstat facility. You can examine any unexplainable behavior observed in the vm-specific output of the vmstat(1M) command using this DTrace provider. A probe provided by the vminfo provider fires immediately before the corresponding vm kstat value is incremented. To display both the names and the current values (counts) of the vm named kstat, you can use the kstat(1M) command as shown in...

Configuring an NFS Server

When configuring the NFS server in the Solaris 10, Update 3 environment, the first step is to add the appropriate entries in the /etc/default/nfs file. This file allows NFS to be configured without making changes to the service management facility service properties. You must log in as superuser or assume an equivalent role to edit the file.
1. Edit the /etc/default/nfs file.
2. Make the following entries to configure an NFS version 4-only server:
NFS_SERVER_VERSMAX=4
NFS_SERVER_VERSMIN=4
While...

fmstat -s -m cpumem-diagnosis

0f353373-67f0-6585-bd01-a405f6d9cdec > 2 3d 3 200606494100ns fire

The fmdump command is used to show information from the error and fault logs kept by FMA. These logs are kept in the /var/fm/fmd directory. However, these are binary files and can only be looked at using the fmdump command. When an error event is received by the fmd command, the event is logged to the error log prior to acknowledging receipt of the event to the transport. Initially the event is logged with a header that means...

fmdump -Ve

Jul 26 12:49:27.613793750 ereport.cpu.ultraSPARC-IIIplus.ce
nvlist version: 0
        class = ereport.cpu.ultraSPARC-IIIplus.ce
        ena = 0x1b130dc18000001
        detector = (embedded nvlist)
        nvlist version: 0
                version = 0x0
                scheme = cpu
                cpuid = 0x0
                cpumask = 0xb1
                serial = 0x12e066b4103
        (end detector)

        afsr = 0x20000003e
        afar-status = 0x1
        afar = 0xb1f1b9c000
        pc = 0x7b6029cc
        tl = 0x0
        tt = 0x63
        privileged = 1
        multiple = 0
        syndrome-status = 0x1
        syndrome = 0x3e
        error-type = Persistent
        l2-cache-ways = 0x1
        l2-cache-data = 0xec0106f1a6 0x39c000 0x0 0x2c7c6000002 0xb9...

rcapstat

    id project  nproc    vm   rss   cap    at avgat    pg avgpg
   101 regtool      3 4408K  792K 1000K    0K    0K    0K    0K

In this rcapstat example, the key fields to observe are:
The vm field is the total virtual memory size of the project's processes, including all mapped files and devices.
The rss field is the estimated total memory (RSS) of the project's processes.
The cap field indicates the RSS cap defined for the project.
The at, avgat, pg, and avgpg fields are project page-out indicators.
The value of rss (792K) is less than...

fmdump -v -u dbdc7f15-848c-cbdc-b47f-deb9d9fff5c9

Jul 26 12:52:10.6786 dbdc7f15-848c-cbdc-b47f-deb9d9fff5c9 SUN4U-8000-1A
  100%  fault.memory.page
        FRU: mem:///component=Slot B: J3000
       rsrc: mem:///component=Slot B: J3000

The following is a message recorded by syslog about an error that required a system reboot. Notice the individual ereport information given as a safety for the information not getting replayed properly.

SUNW-MSG-ID: SUNOS-8000-0G, TYPE: Error, VER: 1, SEVERITY: Major
EVENT-TIME: 0x40c5f5b8.0x1017d044 (0x69e2a9b6e4)
PLATFORM: SUNW,Sun-Fire-880, CSN: ...

Example of a Custom Tool Resembling the sar -c Command

The following D script uses the sysinfo provider to implement a tool similar to the sar -c command.
Usage: ./sar-c.d interval count

printf("%10s %10s %10s %10s %10s %10s %10s\n", "scall/s", "sread/s", "swrit/s", "fork/s", "exec/s", "rchar/s", "wchar/s");
rchar = 0;
wchar = 0;

printf("%10d %10d %10d %10d %10d %10d %10d\n", scall/i, sread/i, swrit/i, fork/i, exec/i, rchar/i, wchar/i);

Fragments

IP fragments are bad news, in general. A recent study showed that IP fragments can pose a large threat to Internet firewalls if rules are used that rely on data that might be distributed across fragments. To Solaris IP Filter, the threat is that the TCP flags field of the TCP packet might be in the second or third fragment, or possibly be believed to be in the first, when the field is actually in the second or third fragment. It is possible to get rid of all IP fragments as follows: block in...

RBAC Example

To allow a group of users to use DTrace, you either create a role that has access to the DTrace privileges or assign the privileges directly to a user. For example, the following commands show how to create a role and assign privileges that allow users to work with DTrace. First, create a debug role and grant it the appropriate privileges using the roleadd and rolemod commands: roleadd -u 201 -d /export/home/debug -P "Process Management" debug. Then add the necessary users to the debug role with...

Using the svccfg Command

The svccfg(1M) command can be used to either browse the SMF repository interactively or run a set of commands from a command file. An example of running the svccfg command interactively follows. After starting the svccfg utility, the list subcommand prints a list of the service identifiers for all services installed on the system. The select subcommand identifies a service on which future svccfg commands should operate, similar to the concept of a shell's current working directory. SMF also...

Looking at FMA Data

FMA provides you with three robust information gathering utilities. These utilities are fmadm(1M), fmstat(1M), and fmdump(1M). Additionally, valuable FMA information may be captured by syslog. Figure 4-4 illustrates the FMA data gathering architecture. Figure 4-4 FMA Data Gathering Architecture. The fmadm and fmstat utilities are used to reconfigure fmd and gather statistics from it. These tools can be used to force repair of faulty resources, load and...

Zone File Systems

There are two models for populating root file system space in non-global zones, the sparse root model and the whole root model. The sparse root model installs a minimal number of files from the global zone when you initialize a non-global zone. In this model, only certain root packages are installed in the non-global zone. These include a subset of the required root packages that are normally installed in the global zone, and additional root packages that the global administrator might have...

Zone States

Solaris Zone States

To understand how zones operate, we need to understand that zones can exist in various states, and what those states mean. Non-global zones behave like typical Solaris 10 OS installations, but they do not have resources such as a power-on self-test (POST) or an OpenBoot Programmable Read-Only Memory (OBP). These resources are managed by the global zone. As you configure a non-global zone, bring it into operation, use the zone, reboot, or shut it down, the state that the zoneadm command reports for...

Configuring Zone Resources

System-wide resources, such as CPUs, physical memory, and file systems, are shared by all zones. Each zone makes its own unique demands on these resources. Some zones will run lower priority workloads, some higher priority workloads. You can set limits on a zone's resource consumption by:
Allocating file system space
Associating zones with resource pools created on your system
Configuring zone-wide resource controls
Capping physical memory in each project entry in each zone
Creating resource...

Zone Networking

Each non-global zone that requires network connectivity has one or more dedicated IP addresses. These addresses are associated with logical network interfaces that can be placed in a zone by using the ifconfig command. For example, if the primary network interface in the global zone is ce0, then the non-global zone's logical network interface might be ce0:1. Logical interfaces are automatically assigned the next available identifier, for example, ce0:2, ce0:3. Zone interfaces configured by zonecfg...

Zone Daemons

The system uses two daemons to control zone operation, zoneadmd and zsched. The zoneadmd daemon is the primary process for managing the zone's virtual platform. There is one zoneadmd process running for each active (ready, running, or shutting down) zone on the system. The zoneadmd daemon is responsible for the following activities:
Managing zone booting and shutting down
Allocating the zone ID and starting the zsched system process
Setting zone-wide resource controls
Preparing the zone's devices...

Solaris Zones and Solaris Containers

Solaris Containers provide isolation between software applications or services using flexible, software-defined boundaries. Applications can be managed independently of each other, even while running in the same instance of the Solaris Operating System. Solaris Containers create an execution environment within a single instance of the Solaris OS and provide:
Full resource containment and control for more predictable service levels
Software fault isolation to minimize fault propagation and...