Tuesday Nov 03, 2009

Solaris security feature: ZFS "zoned"

One of the coolest features in Solaris in my opinion is the "zoned" property of the ZFS. 

What does it do?

ZFS datasets can be exported to non-global zones using the "add dataset" property in zonecfg command. Now the user in the non-global zone may set setuid/symbolic links which are o.k. inside the non-global zone but not acceptable in global zone.  So zfs sets the "zoned" property automatically once the dataset is delegated to the non-global zone.   It doesn't get cleared automatically once you remove the delegation.  It has to be manually removed. If the property is not set off, sharing and other operations don't succeed on the global zone!

bash-3.00# zonecfg -z sparse-zone
zonecfg:sparse-zone> add dataset
zonecfg:sparse-zone:dataset> set name=test/testfs
zonecfg:sparse-zone:dataset> end
zonecfg:sparse-zone> exit
bash-3.00# zoneadm -z sparse-zone reboot
bash-3.00# zlogin sparse-zone
[Connected to zone 'sparse-zone' pts/1]
Last login: Tue Nov  3 00:09:04 on pts/1
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
# bash
bash-3.00# zfs list
NAME          USED  AVAIL  REFER  MOUNTPOINT
test          122K  19.6G    23K  /test
test/testfs    22K  19.6G    22K  /global/test
bash-3.00# exit
exit
# exit

[Connection to zone 'sparse-zone' pts/1 closed]
bash-3.00# zonecfg -z sparse-zone
zonecfg:sparse-zone> remove dataset
zonecfg:sparse-zone> exit
bash-3.00# zoneadm -z sparse-zone reboot
bash-3.00# zlogin sparse-zone
[Connected to zone 'sparse-zone' pts/1]
Last login: Tue Nov  3 01:58:01 on pts/1
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
# bash
bash-3.00# zfs list
no datasets available
bash-3.00# exit
# ^D
[Connection to zone 'sparse-zone' pts/1 closed]
bash-3.00# zfs sharenfs=on test/testfs
cannot set property for 'test/testfs': 'sharenfs' cannot be set on dataset in a non-global zone
bash-3.00# zfs set zoned=off test/testfs
bash-3.00# zfs sharenfs=on test/testfs
bash-3.00# dfshares
RESOURCE                                  SERVER ACCESS    TRANSPORT
   xxxxx:/global/test                  xxxxx  -         -

Really 8-)

Posted on: Nov 03, 2009

Posted by: maddy

Category: Sun

Tags:

Permanent link to this entry | Comments [0]

Monday Jul 27, 2009

Support for QFS 4.6 as a failover filesystem in HA Solaris Container

Standalone QFS 4.6 FCS and later is supported as a failover filesystem in Solaris Containers managed by SC HA agent for Solaris Container 
with Solaris Cluster 3.2 2/08 and later.

This configuration is supported with Solaris 10 5/08 and later, on SPARC and x64, with HA Solaris Containers and HAStoragePlus.

Posted on: Jul 27, 2009

Posted by: maddy

Category: SunCluster

Tags:

Permanent link to this entry | Comments [0]

Wednesday Apr 29, 2009

SAMP stack supported with Solaris Container Cluster

Solaris Cluster 3.2 1/09 and later now supports the following application agents in Zone Clusters:

 -- Failover Apache and Scalable Apache versions packaged with Solaris 10u6, and later.

-- MySQL 5.0.77 and later 5.1.x versions as qualified with Solaris Cluster.

note: to deploy MySQL in a Zone Cluster, patch 126032-06 or later is required on SPARC; patch 126033-07 or later is required on x86.

These agents are all supported on SPARC and x86. They can be deployed alone on a cluster, or combined together (any number of each application, each instance in its own Solaris Container Cluster) to deploy one or more SAMP stacks on one physical cluster.

**The SUNW.gds resource type is supported in Zone Clusters. 

It means that you can create your own agent to run the application inside Zone Clusters.

Posted on: Apr 29, 2009

Posted by: maddy

Category: SunCluster

Tags:

Permanent link to this entry | Comments [1]

Thursday Sep 25, 2008

How to create a zone cluster?

The introduction of the new zone cluster functionality in the SCX 9/08 release opens the door to very creative use of available system resources.  To get started with it, I have created a simple cheat sheet.

Basics:

1.  Zone cluster uses a new zone of brand "cluster".  

2. For the cluster to work properly, you need to edit the /usr/lib/brand/cluster/config.xml file and add the following line:

    <privilege set="default" name="contract_identity" />

before the </brand>.  Make sure that you backup the file before editing it.

3. The clzonecluster (1CL) command creates the zone and configures it. 

4.  You need to have the encrypted password of the root user copied from the /etc/shadow file before starting the configuration along with the nameservice configuration.

5. Exclusive IP zones are not possible.

Steps:

*We'll use NIS for the deployment example.

bash-3.2# clzc configure zone-cluster
zone-cluster: No such zone cluster configured
Use 'create' to begin configuring a new zone cluster.
clzc:zone-cluster> create
clzc:zone-cluster> add capped-memory
clzc:zone-cluster:capped-memory> set physical=512M
clzc:zone-cluster:capped-memory> set swap=4g

clzc:zone-cluster:capped-memory> end

clzc:zone-cluster> set autoboot=true
clzc:zone-cluster> add sysid
clzc:zone-cluster:sysid> set root_password=***********
clzc:zone-cluster:sysid> set name_service="NIS{domain_name=sun.com name_server=nis(1.1.1.1)}"
clzc:zone-cluster:sysid> end
clzc:zone-cluster> add node
clzc:zone-cluster:node> set physical-host=<physical hostname of node you want to add>
clzc:zone-cluster:node> set hostname=<intended hostname of the zone on that node>
clzc:zone-cluster:node> add net
clzc:zone-cluster:node:net> set physical=bge0
clzc:zone-cluster:node:net> set address=<hostname/address of the zone>
clzc:zone-cluster:node:net> end
clzc:zone-cluster:node> end
clzc:zone-cluster> add node
clzc:zone-cluster:node> set physical-host=<hostname of the physical node>
clzc:zone-cluster:node> set hostname=<hostname for zone>
clzc:zone-cluster:node> add net
clzc:zone-cluster:node:net> set physical=bge0
clzc:zone-cluster:node:net> set address=<hostname/address of zone>
clzc:zone-cluster:node:net> end
clzc:zone-cluster:node> end
clzc:zone-cluster> set zonepath=/export/zonecluster
clzc:zone-cluster> verify
clzc:zone-cluster> exit

To verify, you can execute :

clzc verify <zone-cluster name>

To save the configuration for future use,

clzc export -f <file-name> <zone-cluster name>

To install the zone cluster,

clzc install <zone-cluster name>

To boot the zone cluster,

clzc boot <zone-cluster name>

To check the status of the zone cluster,

clzc status <name>

eg)

bash-3.00# clzc status

=== Zone Clusters ===

--- Zone Cluster Status ---

Name         Node Name   Zone HostName   Status   Zone Status
----         ---------   -------------   ------   -----------
virt-ker      ker2     vker2         Online   Running
                 ker1     vker1         Online   Running
                 ker3     vker3         Online   Running
                 ker4    vker4         Online   Running

**After the zone cluster boots for the first time, the clzc status command will take some time for it to show status as online since the configuration has to be done on the zone similar to a native zone.

To halt the zone cluster,

clzc halt <zone-cluster>

Ain't it cool? Hats off to our engineers for designing such a cool feature!

Happy virtual clustering!!

Posted on: Sep 25, 2008

Posted by: maddy

Category: SunCluster

Tags:

Permanent link to this entry | Comments [18]

This blog copyright 2009 by maddy