11
Student Guide
Oracle University and ORACLE CORPORATION use only
D73819GC10
Edition 1.0
October 2011
D74667
THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY. COPYING eKIT MATERIALS FROM THIS COMPUTER IS STRICTLY PROHIBITED
other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.
The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.
Restricted Rights Notice
The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.
Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Marcus Flieri
Bart Smaalders
Dave Miner
Nicolas Droux
Dan Price
Cindy Swearingen
Glenn Fadden
Liane Praza
Mike Carew
Editor
Malavika Jinka
Publishers
Nita Brozowski
Sumesh Koshy
Contents
Preface
1 Introduction
Oracle Solaris: The Mission Critical OS
Raising the Bar Set by Solaris 10
IPS Implementation
IPS Package
Package Naming
IPS Repository
Creating an AI Service
Creating an IPS Repository
Creating AI Clients
JumpStart to AI Mapping
IPS References
AI References
3 Network Virtualization 1
Feature: Overview
Virtual NICs (VNICs)
Virtual NICs (VNICs) 2
Virtual Switches
Creating Flows
dlstat(1M)
Other Network Observability Enhancements
Rethinking Zones
Other Solaris 11 Enhancements
Deduplication Example - 1
Deduplication Example - 2
Root Pool Mirroring
Snapshot Differences
zfs diff Output
5 Zones
Changes Since Solaris 10 FCS
Design and Features
Storage
Networking: Exclusive IP Zones
Networking: Shared IP Zones
IPMP
Zones Observability
6 Network Virtualization 2
Advanced Network Features
ilbadm: L3/L4 Integrated Load Balancing
Load Balancing Components
ilbadm: Example
Features
Root Implemented as a Role
Preface
Profile
Before You Begin This Course
You should be able to configure and manage a system running the Oracle Solaris Operating System. An understanding of Oracle Solaris features and working knowledge of the Oracle Solaris 10 Operating System is beneficial, but not required.
How This Course Is Organized
What's New in Oracle Solaris 11 is an instructor-led seminar featuring lecture and
Related Publications
System release bulletins
Installation and user's guides
read.me files
Introduction
FMA, SMF
with application isolation and resource management: Containers
Production Safe Observability: DTrace
Scalable to thousands of threads, terabytes of memory
Oracle Solaris 11
The Only Completely Virtualized OS
Availability: Greatly improved with new packaging tools, safe online upgrades, faster reboots
Scalability and Performance
tes of RAM, hundreds of Gbps network bandwidth
Efficiency: Virtualized network, storage and server resources; binary compatibility; advanced power management
Security: On-disk data encryption, secure process execution, HW certification of the OS at boot time
SPARC Enterprise Servers
The Leader in System Scalability
[Figure: "5 Year Trajectory" roadmap, 2010 to 2015, of SPARC M-Series and T-Series systems (socket counts, throughput and single-strand gains) against the Solaris 11 Express, Solaris 11 and Solaris 11 Update releases, with multipliers for cores, threads, memory capacity and database TPM. The individual values did not survive extraction.]
Copyright 2011, Oracle and/or its affiliates. All rights reserved.
[Figure: SPARC T3 server lineup (SPARC T3-1B Blade, SPARC T3-1, SPARC T3-2, SPARC T3-4, "World's First 16 Core Processor") plotted by system throughput against consolidation and virtualization, with core and thread counts from 16 cores / 128 threads up to 64 cores / 512 threads. The per-system labels did not survive extraction.]
Oracle Solaris:
exibility
[Figure: Solaris 8 or 9 zones*, Solaris 10 zones* and Solaris zones running on Oracle SPARC, Oracle x86 and x86 systems]
Built-in scalable, platform-independent virtualization
Consolidation path for older Solaris versions
Native, bare metal performance
Le
a Single Vendor
[Figure: Oracle stack layers (Applications, Fusion Middleware, Database, VM, Solaris/OEL, Server, Storage) grouped into Engineered Systems and Oracle's Optimized Solutions (Compute, Storage, Network, Software), rated on an Efficiency axis up to HIGH]
Topic Outline
Morning
Image Packaging System
Automated Installer
Networking (Crossbow)
Afternoon
Solaris Containers
ZFS
Security
SMF (Application Deployment)
Module Structure
IPS Implementation
IPS Package
publisher
Uses a
f package model
Package Naming
(FMRI)
pkg://solaris/library/libc@5.11,5.11-0.75:20071001T163427Z
Package categories establish a namespace
Similar to SMF service names
Each version has its own tuple
libc@5.11,5.11-0.75:20071001T163427Z
< component
IPS Repository
Starting the packagemanager GUI
or
pkg Subcommands
/usr/bin/pkg
pkg list
List packages installed on the system
pkg search <pkg_name|pattern>
pkg_name>
pkg Subcommands 2
pkg verify
ncftp' installed
# pkg install ncftp
Packages to install: 1
Create boot environment: No
DOWNLOAD                    PKGS  FILES  XFER (MB)
Completed                   1/1   13/13  0.5/0.5
PHASE                       ACTIONS
Install Phase               39/39
PHASE                       ITEMS
Package State Update Phase  1/1
Image State Update Phase    2/2
DOWNLOAD                     PKGS   FILES      XFER (MB)
library/desktop/libgweather  0/24   0/8732     0.0/68.0
...
image/library/gegl           23/24  8714/8732  68.0/68.0
Completed                    24/24  8732/8732  68.0/68.0
PHASE                        ACTIONS
Install Phase                1/10557
...
Install Phase                10557/10557
PHASE                        ITEMS
Package State Update Phase   /24
...
Verifying a Package
-r-xr-xr-x 1 root bin bin/ncftp
# chmod 775 /usr/bin/ncftp
# pkg verify ncftp
Verifying: PACKAGE                 STATUS
pkg://solaris/network/ftp/ncftp    ERROR
        file: usr/bin/ncftp
                Mode: 0775 should be 0555
Fixing a Package
55
Created ZFS snapshot: 2010-12-07-23:29:09
Repairing: pkg://solaris/network/ftp/ncftp
DOWNLOAD      PKGS  FILES  XFER (MB)
Completed     1/1   2/2    0.1/0.1
PHASE         ACTIONS
Update Phase  2/2
PHASE         ITEMS
              1/1
              1/1
              2/2
Removing a Package
# pkg uninstall ncftp
Creating Plan
Packages to remove: 1
Create boot environment: No
PHASE                       ACTIONS
Removal Phase               /33
Removal Phase               33/33
PHASE                       ITEMS
Package State Update Phase  1/1
Package State Update Phase  1/1
Package Cache Update Phase  1/1
Image State Update Phase    1/2
Image State Update Phase    2/2
Image State Update Phase    2/2
PHASE                       ITEMS
Reading Existing Index      1/8
Reading Existing Index      5/8
Reading Existing Index      8/8
Indexing Packages           1/1
Updating a Package
1
795
Yes
DOWNLOAD       PKGS     FILES      XFER (MB)
Completed      796/796  4754/4754  205.2/205.2
PHASE          ACTIONS
Removal Phase  2561/2561
Install Phase  3967/3967
Update Phase   6277/6277
...
Creating a Package
>
$ pkgsend -s file:/tmp/test-repo import ~/ilb_demo
$ pkgsend -s file:/tmp/test-repo close
pkg://michael.oow.com/ilb_demo@1.0,5.11:20110912T012101Z
PUBLISHED
Or emit a manifest
$ pkgsend generate ~/fu
file gnome_terminal_fu group=bin mode=0644 owner=root path=gnome_terminal_fu pkg.size=326
file netbeans_fu group=bin mode=0644 owner=root path=netbeans_fu pkg.size=283
file awk_fu group=bin mode=0644 owner=root path=awk_fu pkg.size=110
Group Packages
installs lim_install
is LiveCD content
babel_install
to manage
slim_install
Remove
slim_install
ges
The automated installer will do this for you
Other pkg(5) utilities
pkg publisher
pkg set-publisher
pkgrepo(1)
pkgsend(1)
pkgrecv(1)
pkgdepend(1)
pkg.depotd(1M)
pkgmogrify(1M)
To make updating/patching:
Faster
More reliable
Easily reversible
To leverage current technology
Integrate with ZFS
Leverage the IPS repository
Apply SMF naming scheme
To separate client and server dependencies
Make the installer platform-neutral
Let clients select their software repository
Solaris 10                        Solaris 11
SVR4 Packages                     IPS (SVR4 still supported)
Install media St, Update Manager  pkg
JumpStart                         Automated Installer (AI)
JumpStart Profiles                AI Manifests
Flash Install replication         No equivalent yet
Blueprints for custom DVDs        Distribution Constructor
Configure with
Observe clients using
Manage image with
livessh
install parameter
beadm(1M)
AI is WAN Boot-ready
AI Terminology
Criteria
appropriate manifest
Creating an AI Service
svc:/network/physical:default (Not nwam)
svc:/network/dns/multicast:default
/etc/netmasks entry exists
Creating an AI Service
# pkg verify installadm
# installadm create-service -a sparc -n solaris_11 \
> -i 192.168.1.10 -c 3 -s ai_sparc_image.iso \
> /export/ai/sparc/solaris_11
# installadm list
-n name
-i IP>
-c count
>
Burn it to media
Or, mount it by using lofiadm(1M)
rsync(1)
Creating AI Clients
JumpStart to AI Mapping
JumpStart               AI
setup_install_server    installadm create-service
add_install_client      installadm create-client
begin script            Manifests, driver updates, custom image from Distribution Constructor
Client profiles, rules  Manifests with client criteria
finish script           pkg actuators (before reboot), First-boot SMF services
sysidcfg file           SMF profile
IPS References
AI References
http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=CMBEA
Installing Oracle Solaris 11 Systems
http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=IOSUI
Network Virtualization 1
Feature: Overview
, and so on
Virtual Switches
etherstub :
[Figure: a physical network (Client, Router, Host 1 and Host 2 attached to numbered ports on Switch 1 and Switch 3 over 100 Mbps and 1 Gbps links) shown beside its virtual equivalent, "Virtual Wire, Virtual Machines" (Client, Virtual Router, Host 1 and Host 2 attached through VNIC1, VNIC2, VNIC3, VNIC6 and VNIC9 to Etherstub 1 and Etherstub 3 with the same addresses and link speeds)]
p maxbw=100M
LINK
vswitch1
dladm create-vnic -l vswitch1 -p maxbw=1000M -p cpus=4,5,6 vnic3
dladm show-vnic
LINK   OVER      MACTYPE  MACVALUE     BANDWIDTH  CPUS
vnic1  bge1      factory  0:1:2:3:4:5  -
vnic2  bge1      random   2:5:6:7:8:9  max=100M
vnic3  vswitch1  random   4:3:4:7:0:1  max=1000M  4,5,6
# dladm create-vnic -l ixgbe0 -v 1055 -p maxbw=500M -p cpus=1,2 vnic9
dladm [set,reset,show]-linkprop
Alternative to ndd(1M) utility
Single, stable interface for network property consumers
Changes can be made temporary or persistent
$
LINK     PROPERTY    PERM  VALUE  DEFAULT  POSSIBLE
e1000g0  speed       r-    1000   1000     --
e1000g0  duplex      r-    full   full     half,full
e1000g0  state       r-    up     up       up,down
e1000g0  flowctrl    rw    no     bi       no,tx,rx,bi
e1000g0  maxbw       rw    --     --       --
e1000g0  priority    rw    high   high     low,medium,high
e1000g0  protection  rw    --     --       mac-nospoof,restricted,ip-nospoof,dhcp-nospoof
e1000g0  rxrings     rw    --     --
Virtual Bridges
Connects NICs, etherstubs, link aggregations
Lets you move a VNIC
Transparent Interconnect of Lots of Links)
[Figure: bridge diagram with the labels VNIC, VNIC, etherstub, Bridge, NIC, NIC]
Manages with
dladm
ipadm
Consolidates management of
Network interface state
IP address assignment
TCP/IP protocol properties
Uses action-object subcommands like dladm: create-if, show-if, disable-addr, and so on
Supersedes various commands and files
ifconfig
/etc/hostname.<interface>
ndd
IFNAME  STATE  CURRENT       PERSISTENT
lo0     ok
bge0    ok
play1   down   bm--------46  -46
# ipadm show-addr
ADDROBJ          TYPE    STATE  ADDR
play1/v4static2  static  down   10.2.3.5/24
#
# ipadm up-addr play1/v4static2
# ipadm show-addr play1/v4static2
ADDROBJ          TYPE    STATE  ADDR
play1/v4static2  static  ok     10.2.3.5/24
Managing Interface Properties
[Table: interface property listing for play1 with columns ending in PERSISTENT, DEFAULT and POSSIBLE. Properties listed for ipv4: arp, forwarding, metric, mtu (possible 68-1500), exchange_routes, usesrc. Properties listed for ipv6: forwarding, metric, mtu (possible 1280-1500), nud, exchange_routes, usesrc. All are read-write (rw); the remaining cell values did not survive extraction.]
Creating Flows
flowstat(1M)
Vanity naming
Set desired name via dladm(1M)
List device interfaces in /dev/net
Supports alternative to so-called PPA hack
PPA: Physical Point of Attachment
Name calculated with (VID*1000 + instance)
Example: bge + (487 * 1000 + 1) = bge487001
knickknack@os11e:/dev/net$ ls -l
total 0
crw-rw-rw- 1 root sys 58, 1001 2010-12-19 17:37 beatnic0
crw-rw-rw- 1 root sys 20,    1 2010-12-19 14:22 e1000g0
Resource Pools
Configured through pools data link property
# dladm show-linkprop -p pool <datalink>
Alternative to manual setting (cpus property)
dlstat(1M)
       25.89K  16.90M  18.23K  4.42M
play0  5.64K   1.51M   226     15.61K
play1  5.55K   1.49M   131     .63K
bge0   81      13.29K  19      7.13K
play0  62      9.37K
play1  62      9.37K   0       0
IP-layer observability
Snoop loopback traffic between zones using shared-IP
# snoop -I lo0
Network DTrace providers
udp: send, receive probes
ip: send, receive, drop-in, drop-out
tcp: send, receive, state-change, connect[request|refused|established], accept[refused|established] probes
tcpdump and wireshark
Observe flows with flowstat
Observe IPMP groups with ipmpstat
Rethinking Zones
exclusive-IP
property)
Per-NIC in Solaris 10, per-VNIC in Solaris 11
One example: the Immutable Service Container
http://blogs.sun.com/video/entry/immutable_service_containers
dladm(1M)
Enhancements
Boot Environments
ZFS is required.
A BE is a special-purpose ZFS snapshot.
beadm(1M) replaces lu* commands.
or pkg update
solaris NR
48
------ ------S11-BE-1 -
110.0K
NR
2-06 03:48
Active flags
N = Active now
------ ------S11-BE-1 R
2.81G s
06 03:48
After reboot
# beadm list
BE
Active Mountpoint Space Policy Created
-S11-BE-1 NR
solaris
3
atic 2010-12-06 03:48
7.37M st
# beadm list
BE
Active Mountpoint Space Policy Created
-S11-BE-1 NR
:23
S11-BE-2 -
45.0K
------ ------S11-BE-1 NR
4:23
S11-BE-2 -
/mnt
11.67M
------ ------S11-BE-1 NR
4:23
S11-BE-2 -
12.08M
------ ------S11-BE-1 NR
4:23
S11-BE-2 -
12.08M
DOWNLOAD                    PKGS  FILES  XFER (MB)
Completed                   1/1   13/13  0.5/0.5
PHASE                       ACTIONS
Install Phase               39/39
PHASE                       ITEMS
Package State Update Phase  1/1
Image State Update Phase    2/2
PHASE                   ITEMS
Reading Existing Index  8/8
Indexing Packages       1/1
------ ------S11-BE-1 N
23
S11-BE-2 -
12.08M s
2.85G s
BE Upgrade with pkg-update
------ ------zfsBE
9.38M s
Deduplication
dedup
property
compressratio
zpool status
operations have pool scope.
Deduplication Example - 1
bayle@os11e:~$ ls -l /usr/java/src.zip
cp /usr/java/src.zip /home/deirdre/src1.zip
<copy in src[23456].zip>
bayle@os11e:~$ zfs list rpool1/home/deirdre
NAME                 USED
rpool1/home/deirdre  110M  /home/deirdre
Deduplication Example - 2
bayle@os11e:~$ zpool list
NAME    SIZE   ALLOC  FREE   CAP  DEDUP  HEALTH  ALTROOT
rpool1  15.9G  6.61G  9.27G  41%  6.00x  ONLINE
bayle@os11e:~$ rm /home/deirdre/*zip
bayle@os11e:~$ zpool list
NAME    SIZE   ALLOC  FREE   CAP  DEDUP  HEALTH  ALTROOT
rpool1  15.9G  6.61G  9.27G  41%  1.00x  ONLINE
bayle@os11e:~$
NAME
rpool1/home/deirdre  1K  /home/deirdre
Snapshot Differences
The
zfs diff
n two
snapshots.
ls /home/timh
fileA
zfs snapshot tank/home/timh@old
<Create fileB>
ls /home/timh
fileA fileB
zfs snapshot tank/home/timh@new
zfs diff tank/home/timh@old tank/home/timh@new
M       /tank/home/timh/
+       /tank/home/timh/fileB
zfs diff Output
ta
bpool/data
tank/da
SOURCE
PROPERTY
bpool/data compression on
off
local
The
-b
rty source.
# zfs send -b bpool/data@snap1 | zfs recv -d restorepool
# zfs get -o all compression restorepool/data
NAME              PROPERTY     VALUE  RECEIVED  SOURCE
restorepool/data  compression  off    off       received
The
receive -x
y settings.
Applies recursively to contained file systems
For example: Ignore quota property setting:
# zfs send -R tank/home@1020 | zfs recv -x quota bpool/home
# zfs get -r quota bpool/home
NAME PROPERTY VALUE SOURCE
bpool/home
quota
none
bpool/home@1020
quota
default
bpool/home/cindys
quota
none
local
bpool/home/cindys@1020 quota
bpool/home/tom
bpool/home/tom@1020
none
-
quota
quota
local
zpool clear
to resolve errors.
-m ).
                        STATE     READ WRITE CKSUM
dozer                   DEGRADED  0    0
  mirror-0              ONLINE    0
    c3t1d0              ONLINE
    c3t2d0              ONLINE
logs
  14685044587769991702  UNAVAIL   0    0  was c3t3d0
The
Replaces the zil_disable tunable parameter
standard
Possible Values for sync Property
standard
fsync(3C) calls, open(2) O_DSYNC, O_SYNC
always
Write and flush all transactions to stable
tter.
A sync property value of disabled on the active BE or /var may produce undefined behavior.
Increases vulnerability to replay attacks
Understand all the risks before using this value
Processes that rely on synchronous behavior can lose data with the disabled value.
RAIDZ/Mirror Performance
data
fsstat(1M)
zfs diff to monitor changes.
Performance Notes
sync property.
property
auto-snapshot
and groupspace subcommands
ZFS References
Zones
Core
Configurable privileges (limitpriv
Supports DTrace inside a zone
bootargs )
Packaging
Parallel patching, turbo SVR4 packaging
Live Upgrade support
Resource management
Overhauled and simplified (zone.*
Networking
ip-type
defrouter
Brands
Oracle Solaris 8 Containers
Oracle Solaris 9 Containers
Trusted extensions
Sun Cluster integration
Oracle Enterprise Manager Ops Center 2.5 Integration
location
Changes in Oracle Solaris 11
lofiadm
support
ip-type
Storage
lofiadm(1M) lofi(7D) supported
New resource control to limit lofi devices
zone.max-lofi
zonecfg:zone1> add rctl
zonecfg:zone1:rctl> set name=zone.max-lofi
zonecfg:zone1:rctl> add value (priv=privileged, limit=10, action=none)
zonecfg:zone1:rctl> end
zonecfg:zone1>
Exclusive-IP options
allowed-address
prop
property supports
.
ip-type=exclusive
# zonecfg -z zone1
zonecfg:zone1> set ip-type=exclusive
zonecfg:zone1> add net
zonecfg:zone1:net> set allowed-address=192.168.1.10/32
zonecfg:zone1:net> set physical=vnic1
zonecfg:zone1:net> set defrouter=192.168.1.1
zonecfg:zone1:net> end
IPMP
ce1:1
the next
Zone admin has no control
Solaris 11 IPMP
Zone retains same interface
ipmp0:2 remains ipmp0:2
Zones Observability
zonestat
zonestatd
Command
Nonroot users and nonglobal zone users can see (some of)
the information
zonestat
can monitor:
zonestat Interval: Example
Cpus/Online: 32/32 Physical: 32.0G Virtual: 47.9G
----------CPU---------- ----PHYSICAL----- -----VIRTUAL-----
ZONE USED %PART %CAP %SHRU USED PCT %CAP USED PCT %CAP
- 5660M 17.2%
- 5086M 15.5%
kodiak-dp
100% 46.0M 0.14% 4.49% 36.2M 0.07% 1.17%
1.00 100%
0%
2%
- 62.4M 0.12%
kodiak-rie
0.00 0.00%
zonestat by Resource: Example
SYSTEM LIMIT 292K
ZONE      USED  PCT    CAP   %CAP
[total]   191   0.63%  -
[system]  0     0.00%
global    167   0.55%  -
foo       24    0.08%  300   8.00%
LWPS system-limit
SYSTEM LIMIT 2047M
ZONE      USED  PCT    CAP   %CAP
[total]   713   0.00%  -
[system]  0     0.00%
global    618   0.00%  -
foo       95    0.00%  1000  9.50%
Resource Management
New max-processes resource control
# zonecfg -z zone1
zonecfg:zone1> set max-processes=300
prctl
VALUE
FLAG
ACTION
system
18.4E
max
usage
privileged
28.3MB
3.00GB
system
16.0EB
max
deny
zone.max-swap
deny
deny
Zones Security
Delegated administration
Authorizations can be configured directly in zonecfg
login, manage, clonefrom
zonecfg -z zone1
zonecfg:zone1> add admin
zonecfg:zone1:admin> set user=jack
zonecfg:zone1:admin> set auths=login,manage
zonecfg:zone1:admin> end
zonecfg:zone1> commit
by zonecf
Solaris 10 Containers
solaris brand settings on
Solaris 10
Promote adoption and compatibility of Oracle Solaris 11
Leverage existing investment in Solaris 10
Infrastructure, training, support
Allow new technology to support Oracle Solaris 10 context
Virtualized networking among Solaris 10 instances
Application recertification for Solaris 11 unnecessary
Use p2v installation process
Or v2v for moving the existing Solaris 10 zones
Support instances on Solaris 10 10/09 or later
[Figure: zone db27-prod on a Solaris 10 system redeployed through p2v as a Solaris10 Brand zone, db27-prod, on Solaris 11]
References
Network Virtualization 2
ilbadm
IP Filtering, forwarding in a zone
Hardware Lanes and dynamic polling
ipmpstat
Fiber Channel over Ethernet (FCoE)
VRRP support
NUMA I/O
Public GLDv3 APIs
ilbadm
Operational modes
Stateless Direct Server Return (DSR)
Half or Full NAT
Algorithms supported
Round robin
IP hashing: Source address or source address + port
Health-checking built-ins
TCP, UDP, ICMP probes
Apply as parameters to user-scripted tests
Performance comparable to IP forwarding
pkg://solaris/service/network/loadbalancer/ilb@0.5.11,5.11-0.148:
To configure:
Server group: list of host+port addresses
Virtual IP (aka logical host )
Algorithm, operational type
subcommands follow
rul.
dladm
model.
ilbadm: Example
# ilbadm create-servergroup \
> -s servers=apache-zone1:80,apache-zone2:80 \
> apache_group
# ilbadm create-rule -e -p -i vip=10.1.2.3,port=80 \
> -m lbalg=rr,type=HALF-NAT \
> -h hc-name=/var/hc/apache_check \
> -o servergroup=apache_group \
> apacheload_rrobin
See /usr/share/ipfilter/examples directory
mtx
srw
srw
69 0 12
mtx
57 0 27
Hardware Lanes
igE NICs
= linear scaling
Integrated with virtualization and Q
oS controls
Dynamic polling, packet chaining boo
st efficiency
Physical Machine
Physical NIC
C
Hardware
Virtual
VNIC
L
Rings/DMA
Machine/Zone
Kernel Threads
and Queues
A
S
Hardware Lane
Virtual
Rings/DMA
Machine/Zone
NIC
Kernel Threads
and Queues
Switch
S
I
VLAN
F
Separated
I
E
Hardware
Kernel Threads
Rings/DMA
Application
Flow
R
and Queues
Copyrig
ht 2011, Oracle and/or its affiliates. All rights reserved.
ipmpstat
in.mpathd
ipmpstat: Example
STATE GROUP
INBO
OUTBOUND
play1 play0
play1 play0
fe80::897f:b644:ae41:e0b up
-10.2.3.5
up
blut0
--
blut0
play
10.9.8.7
blut0
play
STATE GROUP
INBO
up
OUTBOUND
play1
play1
fe80::897f:b644:ae41:e0b up
--
blut0
--
10.2.3.5
up
blut0
play
10.9.8.7
up
blut0
play
for both Network Stack and FCoE
[Figure labels: App, Network Stack, Virtual NIC, FCoE, Glue, MAC Client, MAC Layer, Rx/Tx Ring, DMA Channel, FCoE Port]
dladm(1M)
Consumer-transparent process
[Figure labels: Admin Interface, I/O topology, Core NUMA I/O Framework, NUMA I/O Subsystem, NUMA lgrp sub-system, Device Driver, PCI/DDI Framework]
Dynamic polling
Packet chaining
Hardware checksumming offload
Large Send Offload (LSO)
Revamped driver property interface
Simplify driver development
Extensibility for future releases
First supported in Solaris 10 U9 (09/10 release)
See Chapter 19, Document #816-4854
Security
Features
Root as a role
On-disk file encryption
Network spoofing protection
Delegated administration
Zones, SMF services
In-kernel pfexec
installer@os11e:~$ roles
root
installer@os11e:~$ profiles
Console User
Suspend To RAM
Suspend To Disk
Brightness
CPU Power Management
zfs(1M)
export/home/fng
fir@os11e:/$
grep key
ssphrase,prompt
ailable
rpool1/home/fng
local
rpool1/home/fng
keysource
pa
keystatus
av
rpool1/home/fng
rekeydate
Fr
ile path
Encryption policy is inherited and read-only
# pktool genkey keystore=file outkey=/dmkey.file keytype=aes keylen=256
# zfs create -o encryption=aes-256-ccm -o keysource=raw,file:///dmkey.file rpool1/home/fng
# zfs clone rpool1/home/fng@final rpool1/home/delivered
Enter passphrase for 'rpool1/home/delivered':
Enter again:
# zfs set encryption=off rpool1/home/delivered
cannot set property for 'rpool1/home/delivered': 'encryption' is readonly
(1M)
lofiadm
marty@os11e:/$
marty@os11e:/$
/var/tmp/setec
Enter passphrase:
Re-enter passphrase:
/dev/lofi/1
marty@os11e:/$
newfs /dev/rlofi/1
lofiadm
File
/var/tmp/setec
mac-nospoof
restricted
ip-nospoof
ips property
dhcp-nospoof
dladm(1M)
DEFAULT POSSIBLE
play0 protection rw -- -- mac-nospoof,restricted,ip-nospoof,dhcp-nospoof
dladm set-linkprop -p protection=mac-nospoof play0
zonecfg(1)
file.
zonecfg:webber>
syncs with GZ
info
/etc
zonename: webber
zonepath: /home/webber/zone
...
admin:
user: hen3ry
auths: login,manage
zonecfg:webber> verify; exit
value_authorization
action_authorization
Restart/refresh (
)
Modify values in all or select property groups
via rbac(5)
smf_security(5)
Application-specific attributes
$ svcadm enable ipfilter
$ svccfg -s ipfilter:default setprop firewall_config_default/policy = allow
$
low
$ svccfg -s ftp setprop firewall_config/apply_to = network:192.168.1.0/24
svc.ipfd(1M) for more information.
net_priv_addr
proc_fork
proc_exec
In-kernel
New
PRIV_PFEXEC
pfexec
process flag
exec(2)
basic
Read-only process:
Host-only process:
!file_write
!net_access
Software Installation
DTrace Analysis
Developer
Audit Review
File Integrity Verification
Internal Auditor
Dataset Management
Backup Operator
Sys Admin
Sandboxing Enhancements
Kerberos Improvements
Key Management: pkcs11_kms Provider
See http://docs.sun.com/app/docs/doc/316195103AA
Other Enhancements
Need-to-
Internal
know
Use
Public
(MAC)
Zones are classified (labeled)
Multilevel Desktop Services
belled
(Global Zone)
assets
Networks, printers also
Solaris Kernel
labeled
net
net
net
net
tions
Designed for defense and intelligence industry requirements
Meets Common Criteria Certifications at EAL 4+ levels
CLI
Crypto module
Graph-dependent services
Start independent service paths concurrently
Common naming for all services
Not just daemon processes
It is either disabled or some variation of enabled
Service Templates
smf_template(5)
remains for compatibility
manifest-import service reads /lib/svc/manifest, and then /var/svc/manifest.
Fault Notification
svccfg listnotify -g
Event: to-maintenance (source: svc:/system/svc/global:default)
Notification Type: smtp
Active: true
to: admin@domain.com
IPS Actuators
prompts a service restart.
Per-file attribute
Remember that IPS only updates objects as needed.
reboot-needed
indicate
0101109T051058Z
dir group=bin mode=0755 owner=root path=opt/app timestamp=20101109T051110Z
file opt/app/app-bin group=bin mode=0555 owner=root path=opt/app/app-bin pkg.size=48088 reboot-needed=true
file opt/app/app.conf group=bin mode=0644 owner=root path=opt/app/app.conf pkg.size=267
file lib/svc/manifest/application/lianep-app.xml mode=0444 owner=root path=lib/svc/manifest/application/lianep-app.xml restart_fmri=svc:/system/manifest-import:default
FMRI Stored in proc_t Structure
#!/usr/sbin/dtrace
21
svc:/network/physical:nwam
40
svc:/network/ntp:default
50
svc:/system/hal:default
65
svc:/network/datalink-management:default
428
svc:/application/graphical-login/gdm:default
274792