D78415GC20
Activity Guide
Administration
Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and
print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way.
Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display,
perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization
of Oracle.
The information contained in this document is subject to change without notice. If you find any problems in the document, please
report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
warranted to be error-free.
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United
States Government, the following notice is applicable:
Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective
owners.
Author
Uma Sannasi
Table of Contents
Practices for Lesson 1: Course Introduction
  Practices for Lesson 1: Overview
  Practice 1-1: Getting Familiar with the Practice Environment
  Practice 1-2: Scenario-Based Practices
Practices for Lesson 2: Networking Fundamentals
  Practices for Lesson 2: Overview
  Practice 2-1: Gather Network Information
Practices for Lesson 3: Configuring a Virtual Network
  Practices for Lesson 3: Overview
  Practice 3-1: Configure Virtual Network for the zclient Zone on s11-client
Practices Infrastructure
Your lab environment is based on the Oracle Virtual Machine (VM) VirtualBox (VBox)
virtualization software. The VBox software is a cross-platform virtualization application. The lab
These VMs are further configured to communicate with the Oracle Solaris 10 host machine
through the following shared directories.
Resource              Location                Description
Host share directory  /opt/ora                Shared directory mapped to the host system
Student files         /opt/ora/course_files   Lab bundle content
Zone template files   /opt/ora/zonetemplate   XML files of the zones to be created in the s11-host02 VM
Script directory      /opt/ora/script         Script that automates the creation of resources on the s11-host02 VM
The following are the user credentials for accessing the s11-server, s11-client, s11-host01,
and s11-host02 VMs.
VM          Username  Password
s11-server  oracle    oracle1
s11-client  oracle    oracle1
s11-host01  oracle    oracle1
s11-host02  oracle    oracle1
Note: As an oracle user, use su to switch to the primary administrator (root) role. The
password is oracle1. root is configured as a role by default in Oracle Solaris 11. Note that
the first username created in the system during installation is the initial privileged user who can
assume the primary administrator role. This can be verified in the /etc/user_attr file.
Tasks
1. Power on the VMs.
a. On your host system, start the Oracle VM VirtualBox Manager by double-clicking its
icon on your desktop.
Note: The s11-client VM is configured with 3 GB base memory, whereas the remaining
VMs, s11-server, s11-host01, and s11-host02, are configured with 2 GB base memory.
oracle@s11-server:~$ su
Password: oracle1
Jan 28 05:50:27 s11-server su: su root succeeded for
oracle on /dev/console
Oracle Corporation SunOS 5.11 11.1 September 2012
root@s11-server:~#
c. Start the s11-client VM. If you receive any notice or a warning message or an
Information dialog box, click OK and continue.
f. To open a terminal window, right-click the desktop and select Open Terminal. The
default login prompt will have oracle as the user. Alternatively, you can also open a
terminal window by clicking the terminal icon (highlighted in red) at the top of the
window.
oracle@s11-server:~$
When you establish the ssh connection for the first time, you are asked to verify the host
key of the VM. Check that the fingerprint shown matches the one on that VM (for example,
run ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub on its console), then reply yes to
the question, Are you sure you want to continue connecting (yes/no)? This adds the host
key permanently to the known_hosts file of the oracle user.
b. Run the su command to assume primary administrator privileges.
oracle@s11-server:~$ su
Password: oracle1
root@s11-server:~#
b. In the Set Title dialog box, enter the title name as s11-server and click the OK
button.
c. If a dialog box with the following message appears, ignore the message and continue
by clicking the Shutdown Anyway button.
e. In the Close Virtual Machine dialog box, select Send the shutdown signal option
and click OK. Alternatively, you can also use the Power off the machine option.
g. Now you can practice shutting down the s11-server VM. Click the (X) button at the
extreme right corner of the window, highlighted with a red circle:
h. In the Close Virtual Machine dialog box, select Send the shutdown signal and click
OK.
Overview
The practices in this course are designed around scenarios or situations that give you some of
the right reasons to deploy a particular technology and address a specific requirement. Know
that you are a stakeholder in this setup. Because the scenarios are linked to a larger lab
infrastructure, you will be able to appreciate the interplay of various features and technologies of
Oracle Solaris 11, rather than learn to use them in isolation.
In this practice, you are introduced to the following:
Stakeholders
Requirements and implementations
Topology diagram
Stakeholders
Murraya Inc., a worldwide freight company, is considering phasing Oracle Solaris 11 into its data
center. You are part of a larger team of network administrators at Murraya that is responsible for
configuring a prototype that makes a case for consolidating a vastly distributed network
infrastructure. You need to test the various Oracle Solaris networking features and technologies,
especially the network virtualization and Software Defined Networking (SDN) capabilities, before
migrating to a production environment.
Requirement                                                 Implementation
Network-in-a-box                                            VNICs, Etherstubs, Virtual switch, IP Forwarding
Isolated nodes across hosts                                 VXLAN, EVS
IP failover                                                 IPMP
Link failover                                               Trunk aggregation, DLMP
Router failover                                             L3 VRRP
Load balancing                                              ILB
Centralized database for granting IP addresses              ISC DHCP
Centralized database for host name resolution               DNS
Centralized data store for user authentication              LDAP
Bandwidth regulation on datalinks                           Datalink properties
Traffic control and regulation on specific ports/channels   Flows
Datalink protection                                         dhcp-nospoof, ip-nospoof, mac-nospoof, restricted
Regulate client access to network services (Firewall)       IP Filter
Cloud integration                                           OpenStack (Neutron, Keystone)
Topology Diagram
The topology diagram is a schematic representation of the recommended technology
implementations for the prototype. During the course of the practices, you will reconstruct this
setup piece by piece until you have assembled the whole. Know that you will have clear
instructions in each of the practices to achieve the desired outcomes.
[Topology diagram (target state): s11-server 192.168.0.100 with cloudSwitch (192.168.20.x), Keystone and Neutron; s11-client 192.168.0.111 with zone zclient (192.168.10.11, 192.168.1.2); s11-host01 with zone zgateway1 (192.168.10.22, 192.168.3.2, 192.168.2.4, 192.168.1.3) and 192.168.10.100; etherstubs stub01 and stub02; EVS switches appSwitch (192.168.2.x) and gateSwitch (192.168.1.x); IPMP groups; flows f-ssh and f-http with priority=high and maxbw=7000 MB.]
Copyright 2014, Oracle and/or its affiliates. All rights reserved.
Note of Assurance: Although the setup looks overwhelming at this stage, be assured that you
will be able to implement it in its entirety by the end of the course if you follow the
instructions carefully.
Practices Overview
Now is a good time to understand the base network that you will use for Murraya's prototype.
The base infrastructure consists of four hosts: s11-server, s11-client, s11-host01, and s11-
host02. These hosts are assigned over the 192.168.0.x network. The s11-server system is
configured as the local IPS repository. The s11-client will be the client interface to the other
hosts in the infrastructure.
In this lab, you will gather network information by probing the hosts and their devices.
Below is the schematic representation of the start state of the prototype infrastructure.
[Diagram (start state): s11-server 192.168.0.100, 192.168.20.x.]
Assumptions:
s11-server, s11-client, s11-host01, and s11-host02 VMs are running.
All tasks associated with the s11-server, s11-host01, and s11-host02 VMs are
performed via secure (ssh) login from the s11-client VM.
You perform all tasks in the root role, unless mentioned otherwise. (Assume root
privileges by using the su command and oracle1 as password.)
Some command output or values may vary across systems.
The font size of the output is reduced in a few places, to accommodate complete
command output.
General Instructions:
Overview
Apart from acquainting yourself with the start state of the hosts in the prototype infrastructure,
you will familiarize yourself with some basic network settings and verify that all hosts can ping
each other at this stage.
Tasks
In this practice, you will identify the network configuration of:
The s11-server VM
The s11-client VM
The active NCP is DefaultFixed. You can switch between the profile types. For
example, to switch from a fixed to a reactive profile, you can use the netadm enable
-p ncp Automatic command.
e. Display information about the physical attributes of the datalinks currently on the s11-
server VM.
root@s11-server:~# dladm show-phys
LINK MEDIA STATE SPEED DUPLEX DEVICE
net1 Ethernet unknown 0 unknown e1000g1
net2 Ethernet unknown 0 unknown e1000g2
net0 Ethernet up 1000 full e1000g0
net3 Ethernet unknown 0 unknown e1000g3
f. Find the active network configuration profile by using the netadm command.
root@s11-server:~# netadm list
TYPE PROFILE STATE
e. Display information about the physical attributes of the datalinks on the s11-host01
VM.
root@s11-host01:~# dladm show-phys
LINK MEDIA STATE SPEED DUPLEX DEVICE
net1 Ethernet unknown 0 unknown e1000g1
net2 Ethernet unknown 0 unknown e1000g2
net0 Ethernet up 1000 full e1000g0
net3 Ethernet unknown 0 unknown e1000g3
f. Find the active network configuration profile by using the netadm command.
root@s11-host01:~# netadm list
TYPE PROFILE STATE
e. Display information about the physical attributes of the datalinks on the s11-host02
VM.
root@s11-host02:~# dladm show-phys
LINK MEDIA STATE SPEED DUPLEX DEVICE
net1 Ethernet unknown 0 unknown e1000g1
net2 Ethernet unknown 0 unknown e1000g2
net0 Ethernet up 1000 full e1000g0
net3 Ethernet unknown 0 unknown e1000g3
f. Find the active network configuration profile by using the netadm command.
root@s11-host02:~# netadm list
TYPE PROFILE STATE
Practices Overview
By using the essential building blocks of network virtualization, such as VNICs, virtual switches,
etherstubs, and routing functionality, it is possible to consolidate an entire distributed computing
environment onto a single system for prototyping, testing, and deployment scenarios without the
restriction of the physical network devices attached to the system.
Below is the schematic representation of the setup you will build and test in this lab:
[Diagram (network-in-a-box setup): s11-server 192.168.0.100, 192.168.20.x; s11-client 192.168.0.111 with zclient (192.168.10.11, 192.168.1.2); s11-host01 192.168.0.112 with stub01, zgateway1 (192.168.10.22, 192.168.3.2, 192.168.2.4, 192.168.1.3), pri-services 192.168.3.4, ws1 192.168.3.6, zapp1 192.168.2.2; s11-host02 with stub02, zgateway2 (192.168.10.33, 192.168.3.3, 192.168.1.4), zapp2 192.168.2.3; appSwitch (192.168.2.x); gateSwitch (192.168.1.x).]
Assumptions:
The s11-server, s11-client, s11-host01, and s11-host02 VMs are running.
All tasks associated with the s11-server, s11-host01, and s11-host02 VMs are
performed via secure (ssh) login from the s11-client VM.
You perform all tasks in the root role, unless mentioned otherwise. (Assume root
privileges by using the su command and oracle1 as password.)
Some command output or values may vary across systems.
The font size of the output is reduced in a few places, to accommodate complete
command output.
General Instructions:
Practice 3-1: Configure Virtual Network for the zclient Zone on s11-client
Overview
In this practice, you create a nonglobal zone called zclient on the s11-client system. This
zone needs to be plumbed on the net1 interface and assigned a static IP address,
192.168.10.11. All client requests to the resources on s11-server, s11-host01, and s11-
host02 systems will be initiated from the zclient zone.
[Diagram: zclient 192.168.10.11 on s11-client.]
Tasks:
In this practice, you will configure the virtual network for the zclient zone.
Task 1/1
1. Configure virtual network for the zclient zone.
Because this is a new zone, you will first configure the zclient zone and then configure
the virtual network for the zone.
a. Open the s11-client VM terminal and rename the terminal title as zclient.
b. List zone information by using the zoneadm command.
root@s11-client:~# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
The net1 interface will be used for configuring the 192.168.10.11 IP address.
d. Remove the net0 interface from the zone configuration.
By default, the SYSdefault template adds an automatic network (anet) resource to every new
zone; its VNIC, net0, is created over an automatically selected lower link when the zone
boots and is not persistent. You can verify this by reading the
/etc/zones/zclient.xml file. Because you do not require this interface, remove it for
now.
e. Confirm that the zclient zone is configured and listed.
root@s11-client:~# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
- zclient configured /zones/zclient solaris excl
f. Verify that the s11-client VM can contact the IPS server, before installing the zclient
zone.
root@s11-client:~# pkg publisher
PUBLISHER TYPE STATUS P LOCATION
solaris origin online F http://s11-server.mydomain.com/
g. Install the zclient zone by using the zoneadm install command.
root@s11-client:~# zoneadm -z zclient install
The following ZFS file system(s) have been created:
rpool/zones
rpool/zones/zclient
Progress being logged to
/var/log/zones/zoneadm.20141008T025441Z.zclient.install
Image: Preparing at /zones/zclient/root.
done.
Next Steps: Boot the zone, then log into the zone console
(zlogin -C)
The installation process may take several minutes depending on the network speed.
h. Now check the status of the zclient zone.
root@s11-client:~# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
- zclient installed /zones/zclient solaris excl
Overview
For now, the s11-host01 VM will host three nonglobal zones: zgateway1, pri-services, and
ws1. The zgateway1 zone is the entry point to the pri-services and ws1 zones, which are
configured over an etherstub (a private virtual network). This implies that all communication from
the external network to the zones on the private virtual network passes through
zgateway1. As you configure each zone, the requirement is to ensure that, one by one,
each zone is able to ping the others. They all need to communicate with each other:
within the private virtual network, within the host, and across hosts.
PHASE ITEMS
Installing new actions 71043/71043
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 1/1
Installation: Succeeded
done.
Next Steps: Boot the zone, then log into the zone console (zlogin
-C)
root@s11-host01:~#
The installation process may take several minutes depending on the network speed.
e. Display zone information by using the zoneadm command.
root@s11-host01:~# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
- zimage installed /zones/zimage solaris excl
Do not close this terminal. You can continue with the next task on this terminal.
Observation: The zimage zone has been successfully installed and will be used as a
[Diagram: zgateway1 192.168.10.22 on s11-host01; zclient 192.168.10.11 on s11-client.]
zonecfg:zgateway1> create
create: Using system default template 'SYSdefault'
zonecfg:zgateway1> set zonepath=/zones/zgateway1
zonecfg:zgateway1> add net
zonecfg:zgateway1:net> set physical=net1
zonecfg:zgateway1:net> end
zonecfg:zgateway1> add net
zonecfg:zgateway1:net> set physical=net2
zonecfg:zgateway1:net> end
zonecfg:zgateway1> exit
[Diagram: stub01 on s11-host01; zgateway1 192.168.10.22; zclient 192.168.10.11.]
a. From the s11-client desktop, open another terminal window and set the title of the
window as etherstub.
b. Establish a secure remote connection with the s11-host01 VM by using ssh.
oracle@s11-client:~$ ssh oracle@s11-host01
Password: oracle1
Last login: Wed Oct 8 07:54:59 2014 from 192.168.0.111
Oracle Corporation SunOS 5.11 11.2 June 2014
c. Switch to the root role by using the su command.
oracle@s11-host01:~$ su
Password: oracle1
root@s11-host01:~#
d. Create an etherstub called stub1.
root@s11-host01:~# dladm create-etherstub stub1
e. Verify that the etherstub has been created.
root@s11-host01:~# dladm show-etherstub -Z
LINK ZONE
stub1 global
f. Create three VNICs (vnic2, vnic4, and vnic6) over the stub1 etherstub.
root@s11-host01:~# dladm create-vnic -l stub1 vnic2
root@s11-host01:~# dladm create-vnic -l stub1 vnic4
root@s11-host01:~# dladm create-vnic -l stub1 vnic6
g. Display VNIC details.
root@s11-host01:~# dladm show-vnic
LINK OVER SPEED MACADDRESS MACADDRTYPE VIDS
[Diagram: stub01 on s11-host01; zgateway1 192.168.10.22; zclient 192.168.10.11.]
Task 5/6
5. Reconfigure the zgateway1 zone for a different subnet.
For pri-services to be able to communicate with the external network, it has to go
through zgateway1, which is currently on the 192.168.10.x network. zgateway1 needs
to be additionally assigned to the 192.168.3.x network for zgateway1 and pri-
services to be able to communicate with each other. You will now plumb vnic2 (created
over stub1) on zgateway1 and assign it the 192.168.3.2 IP address.
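The steps of Task 5 (and the matching reconfiguration of zgateway2 with net1 in a later practice) can be driven from one script. The following is an added example, not code from the activity guide: it emits, or with DRYRUN=0 runs, the dladm commands for the stub1 etherstub and its VNICs, then writes a zonecfg command file that attaches vnic2 to zgateway1. Unlike the bare add net in the practice, the net resource sets allowed-address, so the kernel applies ip-nospoof link protection and the zone cannot use any address other than 192.168.3.2 on that VNIC. The script name, the DRYRUN switch and the /var/tmp file location are this example's own choices; live execution assumes the root role on a Solaris 11.1 or later host.

```shell
#!/bin/sh
# Added example, not part of the Oracle activity guide. Builds the private
# virtual network of this practice on s11-host01: the stub1 etherstub, its
# VNICs, and a net resource that plumbs vnic2 into zgateway1 with
# allowed-address set (ip-nospoof protection for the zone's link).
# DRYRUN=1 (default) prints the commands; DRYRUN=0 executes them and
# requires the root role on Solaris 11.1+ (assumption, not tested here).

DRYRUN=${DRYRUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# True when a datalink already exists (live mode only), so reruns are safe.
link_exists() {
    [ "$DRYRUN" = 0 ] && dladm show-link "$1" >/dev/null 2>&1
}

# create_private_vnet STUB VNIC... : the etherstub plus the VNICs over it.
create_private_vnet() {
    stub=$1
    shift
    link_exists "$stub" || run dladm create-etherstub "$stub"
    for v in "$@"; do
        link_exists "$v" || run dladm create-vnic -l "$stub" "$v"
    done
}

# zone_net_cfg VNIC ADDR/PREFIX : zonecfg command file that attaches the VNIC
# to an exclusive-IP zone. allowed-address is the only address the zone may
# use on the link; configure-allowed-address=true plumbs it at zone boot.
zone_net_cfg() {
    printf 'add net\n'
    printf 'set physical=%s\n' "$1"
    printf 'set allowed-address=%s\n' "$2"
    printf 'set configure-allowed-address=true\n'
    printf 'end\nverify\ncommit\nexit\n'
}

# Task 5: vnic2 on zgateway1 with 192.168.3.2/24. The zone is shut down
# while its configuration changes, then booted again. The same sequence
# with net1 and 192.168.10.33/24 covers zgateway2 on s11-host02.
reconfigure_zgateway1() {
    cfg=${TMPDIR:-/var/tmp}/zgateway1.net.cfg
    create_private_vnet stub1 vnic2 vnic4 vnic6
    zone_net_cfg vnic2 192.168.3.2/24 > "$cfg"
    run zoneadm -z zgateway1 shutdown
    run zonecfg -z zgateway1 -f "$cfg"
    run zoneadm -z zgateway1 boot
}

# Usage: sh private_vnet.sh run            (dry run, prints the commands)
#        DRYRUN=0 sh private_vnet.sh run   (apply, as root on s11-host01)
if [ "${1-}" = run ]; then
    reconfigure_zgateway1
fi
```

After the zone boots, dladm show-linkprop -p protection,allowed-ips vnic2 in the global zone shows the ip-nospoof protection and the pinned address, which is the check that the spoofing guard is actually in force.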
[Diagram: stub01 on s11-host01; zgateway1 192.168.10.22 and 192.168.3.2; zclient 192.168.10.11.]
Task 6/6
6. Configure the ws1 zone.
[Diagram: stub01 on s11-host01; zgateway1 192.168.10.22 and 192.168.3.2; zclient 192.168.10.11.]
a. From the s11-client desktop, open another terminal window and set the title of the
window as ws1.
b. Establish a secure remote connection with the s11-host01 VM by using ssh.
oracle@s11-client:~$ ssh oracle@s11-host01
Password: oracle1
Last login: Wed Oct 8 07:54:59 2014 from 192.168.0.111
Oracle Corporation SunOS 5.11 11.2 June 2014
c. Switch to the root role by using the su command.
oracle@s11-host01:~$ su
Password: oracle1
root@s11-host01:~#
d. Display zone information by using the zoneadm command.
root@s11-host01:~# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
5 pri-services running /zones/pri-services solaris excl
6 zgateway1 running /zones/zgateway1 solaris excl
- zimage installed /zones/zimage solaris excl
e. Configure the ws1 zone by using the zonecfg command.
root@s11-host01:~# zonecfg -z ws1
Note: If it takes considerable amount of time for the console to appear, press Enter.
When prompted, provide the following information to set up the ws1 zone.
Item                          Value
Computer name                 ws1
Networking                    Manually
Manual network configuration  vnic6
IP Address                    192.168.3.6
DNS                           Do not configure DNS
vnic6/v6 addrconf ok
fe80::8:20ff:fe30:945d/10
n. Verify that the ws1 zone is able to communicate with the pri-services,
zgateway1, and zclient zones.
root@ws1:~# ping 192.168.3.4
192.168.3.4 is alive
root@ws1:~# ping 192.168.3.2
192.168.3.2 is alive
root@ws1:~# ping 192.168.10.22
192.168.10.22 is alive
root@ws1:~# ping 192.168.10.11
Overview
Just as you created nonglobal zones on the s11-host01 system, you will now create a
similar setup on the s11-host02 system. You will appreciate the usefulness of a
redundant system in the next lab on High Availability (HA). For now, you just create the setup
and ensure that all the zones (zgateway2, sec-services, and ws2) are on the network and
can communicate with each other within the host and across hosts.
To expedite the process, this time you will configure all these resources by running a script.
However, just as you did on the s11-host01 system, you will start by creating a zone called
zimage with the most basic configuration to be used as a clone for configuring other zones in
Tasks
In this practice, you will perform the following tasks:
1. Create the zimage zone for cloning.
2. Run the zcreate.sh script to create resources on s11-host02.
3. Reconfigure the zgateway2 zone for a different subnet.
Task 1/3
1. Create the zimage zone for cloning.
a. From the s11-client desktop, open another terminal window and set the title of the
window as zimage.
b. Establish a secure remote connection with the s11-host02 VM by using ssh.
oracle@s11-client:~$ ssh oracle@s11-host02
Password: oracle1
Last login: Wed Oct 8 07:54:59 2014 from 192.168.0.111
Oracle Corporation SunOS 5.11 11.2 June 2014
c. Switch to the root role by using the su command.
oracle@s11-host02:~$ su
Password: oracle1
root@s11-host02:~#
d. Display zone information by using the zoneadm command.
root@s11-host02:~# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
e. Configure the zimage zone by using the zonecfg command.
root@s11-host02:~# zonecfg -z zimage
Use 'create' to begin configuring a new zone.
zonecfg:zimage> create
create: Using system default template 'SYSdefault'
zonecfg:zimage> set zonepath=/zones/zimage
zonecfg:zimage> exit
f. Install the zimage zone.
root@s11-host02:~# zoneadm -z zimage install
The following ZFS file system(s) have been created:
rpool/zones
rpool/zones/zimage
Progress being logged to
/var/log/zones/zoneadm.20141008T025933Z.zimage.install
Image: Preparing at /zones/zimage/root.
PHASE ITEMS
Installing new actions 71043/71043
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 1/1
Installation: Succeeded
done.
Next Steps: Boot the zone, then log into the zone console
(zlogin -C)
The installation may take a few minutes depending on the network speed.
Task 2/3
2. Run the zcreate.sh script to create resources on s11-host02.
The zcreate.sh script is meant to create the zgateway2, sec-services, and ws2
zones, along with the stub2 etherstub and vnic3, vnic5, and vnic7 VNICs in the s11-
host02 system.
[Diagram: stub01 on s11-host01 with zgateway1 (192.168.10.22, 192.168.3.2); stub02 on s11-host02 with zgateway2 (192.168.3.3); zclient 192.168.10.11.]
Task 3/3
3. Reconfigure the zgateway2 zone for a different subnet.
You will now reconfigure the zgateway2 zone by plumbing it with the net1 interface and
assigning it the 192.168.10.33 IP address to extend communication across subnets.
This will allow the zones on the private virtual network to communicate with the external
network through zgateway2.
[Diagram: stub01 on s11-host01 with zgateway1 (192.168.10.22, 192.168.3.2); stub02 on s11-host02 with zgateway2 (192.168.3.3, 192.168.10.33); zclient 192.168.10.11.]
This is because the zgateway2 zone is not on the 192.168.10.x subnet yet.
e. Shut down the zgateway2 zone.
root@zgateway2:~# shutdown -y -g0 -i5
f. Assign the net1 and net2 interfaces to the zgateway2 zone from the global zone.
root@s11-host02:~# zonecfg -z zgateway2
zonecfg:zgateway2> add net
zonecfg:zgateway2:net> set physical=net1
zonecfg:zgateway2:net> end
zonecfg:zgateway2> add net
zonecfg:zgateway2:net> set physical=net2
zonecfg:zgateway2:net> end
zonecfg:zgateway2> exit
Although you will use the net1 interface to plumb on zgateway2 right away, you will
use the net2 interface later in a subsequent lab to configure IPMP.
g. Boot the zone.
root@s11-host02:~# zoneadm -z zgateway2 boot
h. Log in to the zone.
root@s11-host02:~# zlogin zgateway2
i. Display link details.
root@zgateway2:~# dladm show-link
Overview
EVS enables you to create and administer a virtual switch spanning multiple nodes. In
Murraya's prototype, you need to isolate the application zones (zapp1 and zapp2) across the
hosts s11-host01 and s11-host02. Second, these application zones need to communicate
with another set of isolated zones (zclient, zgateway1, and zgateway2, across three
different hosts) that provide connectivity with the external network.
[Diagram: stub01 on s11-host01 with zgateway1 (192.168.10.22, 192.168.3.2); stub02 on s11-host02 with zgateway2 (192.168.3.3, 192.168.10.33); zclient 192.168.10.11.]
a. Switch to the s11-server terminal and verify that the IPS repository is accessible.
root@s11-server:~# pkg publisher
PUBLISHER TYPE STATUS P LOCATION
solaris origin online F http://s11-server.mydomain.com/
b. Install the mandatory evs package. This package must be installed on all hosts that
participate in an EVS setup.
PHASE ITEMS
Installing new actions 32/32
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 1/1
root@s11-server:~#
d. Restart the rad:local service to load the EVS controller.
root@s11-server:~# svcadm restart rad:local
root@s11-server:~# svcs rad:local
STATE STIME FMRI
online 10:49:58 svc:/system/rad:local
e. Generate an RSA key pair in the local system to set up SSH authentication.
root@s11-server:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): <Enter>
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): <Enter>
Enter same passphrase again: <Enter>
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
0b:b2:0f:f9:68:be:09:dd:ee:37:72:0a:73:33:2d:d2 root@s11-server
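The key pair generated in step e has an empty passphrase, and later steps append each node's public key to evsuser's authorized_keys on the controller with no restrictions, so any host that obtains the private key can reach the controller as evsuser. The following is an added example, not code from the activity guide, showing how a practitioner would tighten that trust in the same shell: it validates the public-key line before it is appended, writes an authorized_keys entry that only the named EVS node's address may use, and compares the host-key fingerprint from the first-connection prompt against one read out of band. The sample key is constructed, the node address is a placeholder, and it is assumed that the controller's sshd honours the standard from= and no-*-forwarding options and that EVS needs only a plain exec channel.

```shell
#!/bin/sh
# Added example, not part of the Oracle activity guide. Helpers for
# hardening the SSH trust between an EVS node and the EVS controller.
# Assumptions: the controller's sshd accepts the standard authorized_keys
# options used below, and EVS needs only a plain exec channel.

# validate_pubkey_line LINE : accept only "ssh-rsa <base64> [comment]".
validate_pubkey_line() {
    set -f                  # no globbing while splitting the line into words
    set -- $1
    set +f
    [ $# -ge 2 ] && [ $# -le 3 ] || return 1
    [ "$1" = ssh-rsa ] || return 1
    case $2 in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    return 0
}

# restrict_authorized_key NODE_IP LINE : the authorized_keys entry to append
# on the controller. Only NODE_IP may authenticate with this key, and the
# session gets no port, agent or X11 forwarding.
restrict_authorized_key() {
    validate_pubkey_line "$2" || return 1
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# fingerprint_matches SEEN EXPECTED : compare the fingerprint printed in the
# "authenticity of host ... can't be established" prompt with the one read
# out-of-band on the controller console (ssh-keygen -l -f
# /etc/ssh/ssh_host_rsa_key.pub). Case and spacing are ignored; an empty
# fingerprint never matches.
fingerprint_matches() {
    seen=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ' ')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' ')
    [ -n "$seen" ] && [ "$seen" = "$expected" ]
}

# Constructed sample key line for illustration (not a real key).
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleonlynotarealkey root@s11-host02'

# Usage on s11-server, as root, after scp of host02.public from the node
# (192.168.0.NNN is a placeholder; the practice does not state the address):
#   restrict_authorized_key 192.168.0.NNN "$(cat /var/tmp/host02.public)" \
#       >> /var/user/evsuser/.ssh/authorized_keys
```

If a key with a passphrase is preferred over the empty one used in the lab, the EVS node would need an agent or a key file readable by RAD at service start; the from= restriction above costs nothing either way and limits the damage if a node's /root/.ssh/id_rsa is copied off the host.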
Task 2/4
2. Configure EVS controller properties.
Because the plan is to use VXLAN as the EVS backbone, you need to set the properties on
the EVS controller accordingly.
a. Display the properties of the EVS controller.
root@s11-server:~# evsadm show-controlprop
PROPERTY PERM VALUE DEFAULT HOST
l2-type rw vlan vlan --
uplink-port rw -- -- --
vlan-range rw -- -- --
vxlan-range rw -- -- --
vxlan-range-avail r- -- -- --
d. Set the VXLAN range.
root@s11-server:~# evsadm set-controlprop -p vxlan-range=200-300
root@s11-server:~# evsadm show-controlprop
PROPERTY PERM VALUE DEFAULT HOST
l2-type rw vxlan vlan --
uplink-port rw -- -- --
vlan-range rw -- -- --
vlan-range-avail r- -- -- --
vxlan-addr rw 192.168.0.0/24 0.0.0.0 --
[Diagram: stub01 on s11-host01 with zgateway1 (192.168.10.22, 192.168.3.2); stub02 on s11-host02 with zgateway2 (192.168.3.3); zclient 192.168.10.11; appSwitch (192.168.2.x).]
Task 4/4
4. Create the gateSwitch EVS on the EVS controller.
The gateSwitch EVS is the second EVS switch that will isolate the zgateway1,
zgateway2, and zclient zones across three different hosts. These zones are the main
channels of communication with the external network. The gateSwitch EVS needs to be
over the 192.168.1.x subnet.
[Diagram: zgateway1 (192.168.10.22, 192.168.3.2); zgateway2 (192.168.3.3); zclient 192.168.10.11; appSwitch (192.168.2.x); gateSwitch (192.168.1.x).]
Overview
The EVS controller, along with the appSwitch and gateSwitch EVSs, has been configured.
You now need to isolate nodes over these EVSs. The zapp1 and zapp2 zones will go over the
appSwitch EVS, whereas the zgateway1, zgateway2, and zclient zones will go over the
gateSwitch EVS. You will be exposed to specific requirements of isolating the zones under
each task, as you perform them.
[Diagram: stub01 on s11-host01 with zgateway1 (192.168.10.22, 192.168.3.2) and zapp1 192.168.2.2; stub02 on s11-host02 with zgateway2 (192.168.3.3); zclient 192.168.10.11; appSwitch (192.168.2.x); gateSwitch (192.168.1.x).]
a. From the s11-client desktop, open a terminal window and set the title of the window as
zapp1.
b. Establish a secure remote connection with the s11-host01 VM by using ssh.
oracle@s11-client:~$ ssh oracle@s11-host01
Password: oracle1
The EVS node has now been authenticated by the EVS controller.
j. Now, switch back to the zapp1 terminal.
k. Set the controller property to use the user, evsuser.
root@s11-host01:~# evsadm set-prop -p controller=ssh://evsuser@s11-server
root@s11-host01:~# evsadm show-prop
PROPERTY PERM VALUE DEFAULT
controller rw ssh://evsuser@s11-server --
l. Log in to the remote system as evsuser from the local system.
root@s11-host01:~# ssh evsuser@s11-server
Last login: Fri Oct 10 04:54:10 2014
Oracle Corporation SunOS 5.11 11.2 June 2014
evsuser@s11-server:~$ exit
m. Display EVS information.
root@s11-host01:~# evsadm
NAME       TENANT      STATUS  VNIC  IP         HOST
appSwitch  sys-global  idle    --    app_ipnet  --
Now that the host has been authenticated with the EVS controller system, you can
configure the zapp1 zone as an EVS node.
n. Configure the zapp1 zone with the appSwitch EVS on the vport0 port.
root@s11-host01:~# zonecfg -z zapp1
Use 'create' to begin configuring a new zone.
zonecfg:zapp1> create
Observe that the 192.168.2.2 IP address for the net1/v4 interface has been
inherited from the EVS controller. Note that the net1/v4 nomenclature has nothing to
do with the physical net1 interface. The net1/v4 interface here has been created
over a vport, vport0.
w. Switch to the s11-server terminal and display EVS details.
root@s11-server:~# evsadm
NAME       TENANT      STATUS  VNIC        IP              HOST
appSwitch  sys-global  busy    --          app_ipnet       s11-host01
  vport0   --          used    zapp1/net1  192.168.2.2/24  s11-host01
  vport1   --          free    --          192.168.2.3/24  --
  vport2   --          free    --          192.168.2.4/24  --
[Diagram: stub01 on s11-host01 with zgateway1 (192.168.10.22, 192.168.3.2) and zapp1 192.168.2.2; stub02 on s11-host02 with zgateway2 (192.168.3.3) and zapp2 192.168.2.3; zclient 192.168.10.11; appSwitch (192.168.2.x); gateSwitch (192.168.1.x).]
a. From the s11-client desktop, open a terminal window and set the title of the window as
zapp2.
b. Establish a secure remote connection with the s11-host02 VM by using ssh.
oracle@s11-client:~$ ssh oracle@s11-host02
Password: oracle1
Last login: Wed Oct 8 07:54:59 2014 from 192.168.0.111
Oracle Corporation SunOS 5.11 11.2 June 2014
c. Switch to the root role by using the su command.
oracle@s11-host02:~$ su
Password: oracle1
root@s11-host02:~#
d. Install the mandatory evs package on the host system.
root@s11-host02:~# pkg install evs
Packages to install: 1
Services to change: 1
Create boot environment: No
Create backup boot environment: No
Planning linked: 0/4 done; 1 working: zone:zimage
Planning linked: 1/4 done; 1 working: zone:sec-services
Planning linked: 2/4 done; 1 working: zone:ws2
Planning linked: 3/4 done; 1 working: zone:zgateway2
Planning linked: 4/4 done
DOWNLOAD PKGS FILES
XFER (MB) SPEED
root@s11-host02:~# ls /root/.ssh
id_rsa id_rsa.pub
f. Append the contents of id_rsa.pub to a host02.public file in the local /var/tmp directory.
root@s11-host02:~# cat /root/.ssh/id_rsa.pub >> /var/tmp/host02.public
g. Copy the host02.public file to the /var/tmp directory on the s11-server system.
root@s11-host02:~# scp /var/tmp/host02.public oracle@s11-server:/var/tmp
The authenticity of host 's11-server (192.168.0.100)' can't be
established.
RSA key fingerprint is
Now that the s11-host02 system has been authenticated by the EVS controller, you
can configure the zapp2 zone to connect with the appSwitch EVS.
n. Configure the zapp2 zone with the appSwitch EVS on the vport1 port.
root@s11-host02:~# zonecfg -z zapp2
Use 'create' to begin configuring a new zone.
zonecfg:zapp2> create
create: Using system default template 'SYSdefault'
zonecfg:zapp2> set zonepath=/zones/zapp2
zonecfg:zapp2> add anet
zonecfg:zapp2:anet> set evs=appSwitch
zonecfg:zapp2:anet> set vport=vport1
controller. Also note that you will not see pages to configure DNS and LDAP, because there is no network interface at all.
Time zone Choose appropriately
Time zone locations Choose appropriately
Root password oracle1
Username oracle
User password oracle1
Hostname: zapp2
zapp2 console login:
t. Log in to the zapp2 zone.
zapp2 console login: oracle
Password: oracle1
Oracle Corporation SunOS 5.11 11.2 June 2014
oracle@zapp2:~$
u. Assume the root role by using the su command.
oracle@zapp2:~$ su
password: oracle1
root@zapp2:~#
v. Verify the IP address of the zapp2 zone.
root@zapp2:~# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
net1/v4 inherited ok 192.168.2.3/24
lo0/v6 static ok ::1/128
Observe that the 192.168.2.3 IP address for the net1/v4 interface has been
inherited from the EVS controller.
w. Verify if the zapp2 zone is able to communicate with the zapp1 zone across hosts.
root@zapp2:~# ping 192.168.2.2
192.168.2.2 is alive
x. Switch to the s11-server terminal and display EVS details.
root@s11-server:~# evsadm
NAME       TENANT     STATUS VNIC       IP             HOST
appSwitch  sys-global busy   --         app_ipnet      s11-host01,s11-host02
  vport0   --         used   zapp1/net1 192.168.2.2/24 s11-host01
  vport1   --         used   zapp2/net1 192.168.2.3/24 s11-host02
Task 3/5
3. Assign the gateSwitch EVS to the zclient zone.
Because the s11-client system has not yet been authenticated by the EVS controller, you
need to perform host authentication with s11-server before assigning the gateSwitch
EVS to the zclient zone.
[Figure: network-in-a-box schematic in VirtualBox: zclient (192.168.10.11, 192.168.1.2) on s11-client, zgateway1 (192.168.10.22, 192.168.3.2) and zapp1 (192.168.2.2) on s11-host01, zgateway2 (192.168.10.33, 192.168.3.3) and zapp2 (192.168.2.3) on s11-host02, over stub01 and stub02 and the appSwitch (192.168.2.x) and gateSwitch (192.168.1.x) EVS networks]
a. Switch to the zclient terminal and shut down the zclient zone, which returns you to the s11-client global zone.
root@zclient:~# shutdown -y -g0 -i5
root@s11-client:~#
b. Install the mandatory evs package on the s11-client host system.
root@s11-client:~# pkg install evs
Packages to install: 1
Services to change: 1
Create boot environment: No
Create backup boot environment: No
Planning linked: 0/1 done; 1 working: zone:zclient
Planning linked: 1/1 done
Task 4/5
4. Assign the gateSwitch EVS to the zgateway1 and zgateway2 zones.
[Figure: network-in-a-box schematic in VirtualBox: zclient (192.168.10.11, 192.168.1.2) on s11-client, zgateway1 (192.168.10.22, 192.168.3.2, 192.168.1.3) and zapp1 (192.168.2.2) on s11-host01, zgateway2 (192.168.10.33, 192.168.3.3, 192.168.1.4) and zapp2 (192.168.2.3) on s11-host02, over stub01 and stub02 and the gateSwitch (192.168.1.x) EVS network]
a. Now, switch to the zgateway1 terminal and shut down the zgateway1 zone.
root@zgateway1:~# shutdown -y -g0 -i5
b. Assign the gateSwitch EVS to zgateway1.
root@s11-host01:~# zonecfg -z zgateway1
zonecfg:zgateway1> add anet
zonecfg:zgateway1:anet> set evs=gateSwitch
zonecfg:zgateway1:anet> set vport=vport1
zonecfg:zgateway1:anet> end
zonecfg:zgateway1> exit
c. Boot the zgateway1 zone.
root@s11-host01:~# zoneadm -z zgateway1 boot
d. Log in to the zone.
root@s11-host01:~# zlogin zgateway1
e. Display the IP address details.
root@zgateway1:~# ipadm show-addr
ADDROBJ   TYPE      STATE  ADDR
lo0/v4    static    ok     127.0.0.1/8
net0/v4   inherited ok     192.168.1.3/24
net1/v4   static    ok     192.168.10.22/24
vnic2/v4  static    ok     192.168.3.2/24
lo0/v6    static    ok     ::1/128
net1/v6   addrconf  ok     fe80::a00:27ff:fe48:25db/10
The 192.168.1.3 IP address has been inherited from the gateSwitch EVS. You
have successfully attached the zgateway1 zone to the gateSwitch EVS.
f. Now, switch to the zgateway2 terminal and shut down the zgateway2 zone.
root@zgateway2:~# shutdown -y -g0 -i5
g. Assign the gateSwitch to zgateway2.
root@s11-host02:~# zonecfg -z zgateway2
zonecfg:zgateway2> add anet
zonecfg:zgateway2:anet> set evs=gateSwitch
The 192.168.1.4 IP address has been inherited from the gateSwitch EVS. You
have successfully attached the zgateway2 zone to the gateSwitch EVS.
k. Now, ping the zgateway1 zone on 192.168.1.3.
root@zgateway2:~# ping 192.168.1.3
192.168.1.3 is alive
l. Switch to the zgateway1 terminal, and ping the zgateway2 zone on 192.168.1.4.
root@zgateway1:~# ping 192.168.1.4
192.168.1.4 is alive
Observation: The zgateway1 and zgateway2 zones can ping each other over the
192.168.1.x VXLAN network. However, they cannot communicate with the zones on
the appSwitch EVS, which is on the 192.168.2.x VXLAN network.
Task 5/5
5. Assign the appSwitch EVS to the zgateway1 and zgateway2 zones.
A zone can belong to two different EVS switches. In this case, the zgateway zones over
the gateSwitch EVS need to be able to communicate with the zapp zones over the
appSwitch EVS.
[Figure: network-in-a-box schematic in VirtualBox showing the zgateway zones attached to both the appSwitch (192.168.2.x) and gateSwitch (192.168.1.x) EVS networks over stub01 and stub02]
a. Switch to the zgateway1 terminal and shut down the zgateway1 zone.
root@zgateway1:~# shutdown -y -g0 -i5
b. Assign the appSwitch EVS to the zgateway1 zone.
root@s11-host01:~# zonecfg -z zgateway1
zonecfg:zgateway1> add anet
zonecfg:zgateway1:anet> set evs=appSwitch
zonecfg:zgateway1:anet> set vport=vport2
zonecfg:zgateway1:anet> end
zonecfg:zgateway1> exit
Recall that vports, vport0 and vport1 have already been taken by zapp1 and zapp2
zones.
c. Boot the zone.
root@s11-host01:~# zoneadm -z zgateway1 boot
d. Log in to the zone.
root@s11-host01:~# zlogin zgateway1
e. Display IP address details.
root@zgateway1:~# ipadm show-addr
ADDROBJ TYPE STATE ADDR
The zgateway1 zone has picked up another IP, 192.168.2.4, this time from the
appSwitch EVS.
The zgateway2 zone has picked up the 192.168.2.5 IP address from the
appSwitch EVS.
n. Now, ping the zapp1 zone.
root@zgateway2:~# ping 192.168.2.2
192.168.2.2 is alive
Notice that you can now ping the zones on the appSwitch EVS from zgateway1
and zgateway2, but not from zclient. That is because the zgateway zones are
also part of the appSwitch EVS, whereas the zclient zone is not.
o. Switch to the s11-server terminal and collect the overall EVS statistics.
Observe how easily zones can be isolated and consolidated by using EVS. You have
successfully tested the EVS setup. You also managed to illustrate that one zone can
belong to two different EVS switches. In this case, the zgateway zones are part of
both the appSwitch and gateSwitch EVSs.
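The vport bookkeeping in this task (vport0 and vport1 taken by zapp1 and zapp2, vport2 the next free one) is easy to get wrong once several hosts share one controller, and zonecfg will happily record a vport that is already in use. The shell script below is an added example and not part of the course: it parses evsadm output in the column layout shown in this practice and picks a free vport before a zone is bound to it. The listing it works on is constructed; the gateSwitch rows, including the gate_ipnet name, are assumed.

```shell
# Added example (not from the Oracle course): find a free vport on an EVS
# switch from `evsadm` output before binding a zone to it with zonecfg.
# Column layout follows the evsadm listings shown in this practice; the
# sample listing below is constructed (gateSwitch rows are assumed).

# Constructed `evsadm` output as it would appear on the controller once
# zapp1 and zapp2 are attached (vport rows follow their switch row).
SAMPLE_EVSADM='NAME       TENANT     STATUS VNIC       IP             HOST
appSwitch  sys-global busy   --         app_ipnet      s11-host01,s11-host02
vport0     --         used   zapp1/net1 192.168.2.2/24 s11-host01
vport1     --         used   zapp2/net1 192.168.2.3/24 s11-host02
vport2     --         free   --         192.168.2.4/24 --
vport3     --         free   --         192.168.2.5/24 --
gateSwitch sys-global idle   --         gate_ipnet     --
vport0     --         free   --         192.168.1.3/24 --'

# Print the STATUS (used/free) of vport $2 on switch $1, or "unknown" if
# the switch or vport does not appear in the evsadm listing read on stdin.
evs_vport_status() {
  awk -v sw="$1" -v vp="$2" '
    $1 !~ /^vport/ { cur = $1; next }      # switch row (or header) starts a group
    cur == sw && $1 == vp { print $3; found = 1; exit }
    END { if (!found) print "unknown" }'
}

# Print the name of the first free vport on switch $1 (nothing if none).
evs_pick_free_vport() {
  awk -v sw="$1" '
    $1 !~ /^vport/ { cur = $1; next }
    cur == sw && $3 == "free" { print $1; exit }'
}

# Exit 0 only when vport $2 on switch $1 is free, so it can guard zonecfg:
#   evsadm | evs_vport_is_free appSwitch vport2 && zonecfg -z zgateway1 ...
evs_vport_is_free() {
  [ "$(evs_vport_status "$1" "$2")" = "free" ]
}

# Demonstration on the constructed listing (no Solaris commands needed).
evs_demo() {
  printf '%s\n' "$SAMPLE_EVSADM" | evs_vport_status appSwitch vport0   # used
  printf '%s\n' "$SAMPLE_EVSADM" | evs_pick_free_vport appSwitch       # vport2
  printf '%s\n' "$SAMPLE_EVSADM" | evs_pick_free_vport gateSwitch      # vport0
}

evs_demo
```

On a real controller, pipe the live listing in: `evsadm | evs_vport_is_free appSwitch vport2 && zonecfg -z zgateway1 ...`. The check only catches a vport that is already marked used; two administrators choosing the same free vport at the same time can still collide, so re-run evsadm after the zone boots and confirm the VNIC column shows the zone you expected.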
Note: Because this is a VBox environment with limited resources, it helps to
unconfigure the zclient, zgateway1, and zgateway2 zones from the EVS switches
for now. The multiple IPs inherited from the EVSs and vports in a VBox setup can
lead to routing conflicts. By unconfiguring the three zones from the EVS setup, you
pre-empt any such disruptions.
p. Switch to the zclient terminal and unconfigure the zclient zone from the
gateSwitch EVS.
root@zclient:~# shutdown -y -g0 -i5
root@s11-client:~# zonecfg -z zclient remove anet evs=gateSwitch
root@s11-client:~# zoneadm -z zclient boot
root@s11-client:~# zlogin zclient
root@zclient:~#
q. Switch to the zgateway1 terminal and unconfigure the zgateway1 zone from the
gateSwitch and appSwitch EVSs.
root@zgateway1:~# shutdown -y -g0 -i5
Practices Overview
Murraya Inc. requires a network that is failure proof. In one of the previous labs, you created a
set of redundant resources on a redundant system, s11-host02. A redundant host ensures that
the network and network services continue to operate on the alternative host, if one of the hosts
fails. Now, within each of these hosts, you will establish network High Availability (HA) at various
levels, such as IPMP for IP failover, link aggregation for higher bandwidth and datalink HA, L3
VRRP for router failover, and ILB for load balancing across nodes.
In this lab, you will perform the following practices:
Configure IPMP
Configure link aggregation
The following is the schematic representation of the setup you will build and test in this lab:
[Figure: network-in-a-box schematic in VirtualBox: zclient, zgateway1, zapp1, zgateway2 and zapp2 over stub01 and stub02 and the appSwitch (192.168.2.x) and gateSwitch (192.168.1.x) EVS networks, with IPMP groups and the 192.168.10.100 VIP on both gateway zones]

Host (management address)    Zone          Zone addresses
s11-server (192.168.0.100)   --            192.168.20.x
s11-client (192.168.0.111)   zclient       192.168.10.11, 192.168.1.2
s11-host01 (192.168.0.112)   zgateway1     192.168.10.22, 192.168.3.2, 192.168.2.4, 192.168.1.3, 192.168.10.100
                             pri-services  192.168.3.4
                             ws1           192.168.3.6
                             zapp1         192.168.2.2
s11-host02                   zgateway2
Assumptions:
The s11-server, s11-client, s11-host01, and s11-host02 VMs are running.
All tasks associated with the s11-server, s11-host01, and s11-host02 VMs are
performed via secure (ssh) login from the s11-client VM.
You perform all tasks in the root role, unless mentioned otherwise. (Assume root
privileges by using the su command and oracle1 as password.)
Some command output or values may vary across systems.
The font size of the output is reduced in a few places, to accommodate complete
command output.
General Instructions:
Overview
The zgateway1 and zgateway2 zones are the entry zones for the network-in-a-box setup.
These zones are configured over the net1 interfaces. This means that if there is network failure
on the net1 interfaces of the zgateway1 or zgateway2 zones, all zones in the internal
network lose network connectivity with the external network. It is therefore critical to configure a
redundant interface so that network continuity is ensured in the event of any one interface
failing.
Tasks
In this practice, you will perform the following tasks:
[Figure: network-in-a-box schematic in VirtualBox: zclient, zgateway1, zapp1, zgateway2 and zapp2 over stub01 and stub02 and the appSwitch (192.168.2.x) and gateSwitch (192.168.1.x) EVS networks, with an IPMP group on zgateway1]
where:
m indicates that the interface is designated for sending and receiving IPv4 multicast
traffic for the IPMP group
b indicates that the interface is designated for receiving broadcast traffic for the IPMP
group
M indicates that the interface is designated for sending and receiving IPv6 multicast
traffic for the IPMP group
l. Verify that zgateway1 is able to communicate with zgateway2 and zclient over
the 192.168.10.x network.
root@zgateway1:~# ping 192.168.10.11
192.168.10.11 is alive
root@zgateway1:~# ping 192.168.10.33
192.168.10.33 is alive
Observation: The zgateway1 zone is plumbed over an IPMP group, ipmp2, with the
192.168.10.22 IP address. This means that even if one of the underlying interfaces,
net1 or net2, were to fail, the other interface would carry the traffic.
Task 2/2
2. Assign an IPMP group to the zgateway2 zone.
To configure an IPMP group on the zgateway2 zone, perform similar steps as you did in
the zgateway1 zone.
[Figure: network-in-a-box schematic in VirtualBox: zgateway1, zapp1, zgateway2 and zapp2 over stub01 and stub02 and the appSwitch (192.168.2.x) and gateSwitch (192.168.1.x) EVS networks, with IPMP groups on both gateway zones]
Overview
Link aggregation allows multiple NICs to be grouped into a single logical interface. Link
aggregations provide cumulative bandwidth as well as HA. The zclient zone would do better
with aggregated bandwidth than just the bandwidth from a single interface.
Tasks
In this practice, you will configure trunk aggregation for the zclient zone.
[Figure: network-in-a-box schematic in VirtualBox: zclient, zgateway1, zapp1, zgateway2 and zapp2 over stub01 and stub02 and the appSwitch (192.168.2.x) and gateSwitch (192.168.1.x) EVS networks, with IPMP groups on both gateway zones]
Task 1/1
1. Configure trunk aggregation for the zclient zone.
To configure trunk aggregation, you again require a minimum of two interfaces. The net1
interface has already been configured on the zclient zone. You, therefore, need to
dismantle and repurpose it along with net2 for creating the aggregation, aggr0.
Note that a trunk aggregation can only be created in the global zone. After
assigning the aggregation to a zone, you assign it an IP address from inside the
non-global zone.
a. Open the zclient terminal and display link information.
root@zclient:~# dladm show-link
LINK CLASS MTU STATE OVER
net1 phys 1500 up --
Apart from adding the aggr0 interface to the zclient zone, you also need to add the
At the first attempt at displaying the IP information, you might see the aggregation
STATE as disabled. Try the ipadm show-addr command again and it should show
OK.
n. Verify that zclient is able to ping the zgateway1 and zgateway2 zones.
root@zclient:~# ping 192.168.10.22
192.168.10.22 is alive
root@zclient:~# ping 192.168.10.33
192.168.10.33 is alive
Observation: You have successfully configured an aggregation, aggr0 and assigned the
collective bandwidth of the aggregation to the zclient zone.
Overview
Oracle Solaris 11 provides a proprietary Layer 3 VRRP implementation that supports
creating VRRP routers over IPMP and InfiniBand interfaces. Configuring L3 VRRP over
the ipmp2 interfaces on zgateway1 and zgateway2 ensures that if either zgateway
zone is down, the VRRP router on the other zgateway zone continues to route packets.
[Figure: network-in-a-box schematic in VirtualBox: zclient, zgateway1, zapp1, zgateway2 and zapp2 over stub01 and stub02 and the appSwitch (192.168.2.x) and gateSwitch (192.168.1.x) EVS networks, with IPMP groups on both gateway zones and the 192.168.10.100 VRRP VIP]
PHASE ITEMS
Installing new actions 42/42
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 1/1
b. Display IP address information.
root@zgateway1:~# ipadm show-addr
ADDROBJ TYPE STATE ADDR
The vrrp2 router at this point is the MASTER router as indicated by its STATE.
e. Display the currently active routes.
root@zgateway1:~# netstat -rm
streams allocation:
                           cumulative  allocation
          current  maximum      total    failures
streams       458      470     104102           0
queues        984      996     119673           0
mblk        11502    11780      73016           0
dblk        11503    12573    1888573           0
linkblk        42       83         77           0
syncq          12       25        199           0
qband           0        0          0           0
[Figure: network-in-a-box schematic in VirtualBox: zclient, zgateway1, zapp1, zgateway2 and zapp2 over stub01 and stub02 and the appSwitch (192.168.2.x) and gateSwitch (192.168.1.x) EVS networks, with IPMP groups and the 192.168.10.100 VRRP VIP on both gateway zones]
It is important that the VIP of the router is the same on both the zgateway1 and
zgateway2 zones; only then is router failover possible.
However, the priority (-p) must differ between the routers. -p 255 on zgateway1
is the priority of the MASTER router; -p 100 on zgateway2 is the priority of the
BACKUP router.
The vrrp2 router on zgateway2 is in the BACKUP state because the VRRP router on
zgateway1 is currently in the MASTER state.
e. Display the currently active routes.
root@zgateway2:~# netstat -rm
streams allocation:
cumulative allocation current maximum total failures
The 192.168.10.100 IP does not appear in the routing list because, the IP is active
on the MASTER router, zgateway1.
f. Now, switch to the zgateway1 terminal and bring down the zgateway1 zone.
root@zgateway1:~# init 5
g. Switch back to the zgateway2 terminal, and watch the state of the VRRP router.
root@zgateway2:~# vrrpadm show-router
NAME VRID TYPE IFNAME AF PRIO ADV_INTV MODE STATE VNIC
vrrp2 1 L3 ipmp2 IPv4 100 1000 e-pa- MASTER --
Observation: As zgateway1 comes down, the state of the VRRP router changes from
BACKUP to MASTER on zgateway2.
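The conditions this task relies on (one MASTER, different priorities, the MASTER holding the higher priority) are better checked from the output of both gateways than by eye, especially after a failover test. The script below is an added example, not part of the course: it reads vrrpadm show-router lines that have been prefixed with the zone name they came from (the prefix and the sample lines are constructed from the output format shown in this practice) and reports a missing or duplicated MASTER, a duplicate priority, or a MASTER that does not hold the highest priority. The VIP itself is not in show-router output, so that part of the check still needs vrrpadm show-router -x or the ipadm listing.

```shell
# Added example (not from the Oracle course): sanity-check a VRRP pair from
# the `vrrpadm show-router` output of both gateway zones. Each input line is
# prefixed with the zone that produced it; the sample lines are constructed
# from the output format shown in this practice.
SAMPLE_VRRP_OK='zgateway1 vrrp2 1 L3 ipmp2 IPv4 255 1000 e-pa- MASTER --
zgateway2 vrrp2 1 L3 ipmp2 IPv4 100 1000 e-pa- BACKUP --'

# Both routers claim MASTER: what you see when the two gateways cannot hear
# each other's advertisements (split brain), here with equal priorities too.
SAMPLE_VRRP_SPLIT='zgateway1 vrrp2 1 L3 ipmp2 IPv4 255 1000 e-pa- MASTER --
zgateway2 vrrp2 1 L3 ipmp2 IPv4 255 1000 e-pa- MASTER --'

# Read "<zone> NAME VRID TYPE IFNAME AF PRIO ADV_INTV MODE STATE VNIC" lines
# on stdin. For every VRID, require exactly one MASTER, distinct priorities,
# and that the MASTER holds the highest priority. Prints "ok" or one line
# per problem found.
vrrp_check() {
  awk '
    $2 == "NAME" { next }                      # header line, if included
    { vrid = $3; prio = $7 + 0; state = $10
      seen[vrid] = 1
      if (state == "MASTER") { masters[vrid]++; mprio[vrid] = prio }
      if (!(vrid in maxp) || prio > maxp[vrid]) maxp[vrid] = prio
      if (used[vrid, prio]++) dup[vrid] = prio }
    END {
      for (v in seen) {
        if (masters[v] + 0 != 1) {
          printf "vrid %s: %d MASTER routers (expected 1)\n", v, masters[v] + 0; bad = 1 }
        if (v in dup) {
          printf "vrid %s: priority %d used by more than one router\n", v, dup[v]; bad = 1 }
        if (masters[v] + 0 == 1 && mprio[v] < maxp[v]) {
          printf "vrid %s: MASTER priority %d is below a BACKUP priority %d\n", v, mprio[v], maxp[v]; bad = 1 }
      }
      if (!bad) print "ok" }'
}

printf '%s\n' "$SAMPLE_VRRP_OK"    | vrrp_check   # ok
printf '%s\n' "$SAMPLE_VRRP_SPLIT" | vrrp_check   # vrid 1: 2 MASTER routers (expected 1) ...
```

To run it against the live zones, collect the lines with something like `for z in zgateway1 zgateway2; do zlogin $z vrrpadm show-router | sed "s/^/$z /"; done | vrrp_check` from the global zone; the two gateways live on different hosts, so gather one file per host and concatenate.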
Overview
Another level of HA implementation is through ILB. ILB provides Layer 3 and Layer 4 load-
balancing capabilities on SPARC and x86-based Oracle Solaris systems. ILB intercepts
incoming requests from clients, decides which back-end server should address the request
based on load-balancing rules, and then forwards the request to the selected server.
You will configure ILB on the zgateway1 and zgateway2 zones to implement load balancing
over the ws1 and ws2 zones that act as web servers across two hosts.
Tasks
[Figure: network-in-a-box schematic in VirtualBox: zclient, zgateway1, zapp1, zgateway2 and zapp2 over stub01 and stub02 and the appSwitch (192.168.2.x) and gateSwitch (192.168.1.x) EVS networks, with IPMP groups and the 192.168.10.100 VRRP VIP on both gateway zones]
A server group is the set of servers across which the load-balancing algorithm
operates. In this case, it consists of the ws1 and ws2 zones, configured across two hosts.
g. Create a health check, hc1 by using the built-in PING probe to monitor the health of
the server group.
root@zgateway1:~# ilbadm create-healthcheck -h hc-test=PING,hc-timeout=2,hc-count=3,hc-interval=10 hc1
root@zgateway1:~# ilbadm show-healthcheck
HCNAME TIMEOUT COUNT INTERVAL DEF_PING TEST
hc1 2 3 10 y PING
PHASE ITEMS
Installing new actions 945/945
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 1/1
l. Make the following entry in the index.html file.
root@ws1:~# echo "WS1 responding..." > /var/apache2/2.2/htdocs/index.html
Depending on which web server responds to the client request, you will see the
respective index.html file being called.
m. Enable the http service.
root@ws1:~# svcadm enable http
n. Finally, add the 192.168.3.2 IP address of zgateway1 as the default route on ws1.
root@ws1:~# route add default 192.168.3.2
Observation: You have successfully configured ILB on the zgateway1 zone and the
Apache web server on the ws1 zone.
Task 2/3
2. Install ILB on the zgateway2 zone.
Because the plan is to test load-balancing implemented over a VRRP setup, you will
configure ILB and Apache web server on the zgateway2 and ws2 zones, respectively.
[Figure: network-in-a-box schematic in VirtualBox: zclient, zgateway1, zapp1, zgateway2 and zapp2 over the appSwitch (192.168.2.x) and gateSwitch (192.168.1.x) EVS networks, with IPMP groups and the 192.168.10.100 VRRP VIP on both gateway zones]
PHASE ITEMS
Installing new actions 56/56
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 1/1
PHASE ITEMS
Installing new actions 945/945
Updating package state database Done
Updating package cache 0/0
Depending on which web server responds to the client request, you will see the
respective index.html file being called.
k. Enable the http service.
root@ws2:~# svcadm enable http
l. Also, add the 192.168.3.3 IP address of zgateway2 as the default route on ws2.
root@ws2:~# route add default 192.168.3.3
Observation: You have successfully configured the redundant ILB on the zgateway2
zone and the Apache web server on the ws2 zone.
Task 3/3
3. Test HTTP request-response activity.
a. Open the zclient terminal.
b. Add the 192.168.10.100 IP address of the VRRP router as the default route.
root@zclient:~# route add default 192.168.10.100
Note that route add default is not persistent. If you reboot the zclient zone
and want to retest the HTTP request-response activity, add the default route
again (or use route -p add default 192.168.10.100 to make it persist across reboots).
c. Make an http request to the web server.
root@zclient:~# wget http://192.168.10.100:80
--2014-09-22 17:50:27-- http://192.168.10.100/
Connecting to 192.168.10.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17 [text/html]
Saving to: index.html
100%[======================================>] 17 --.-
K/s in 0s
This indicates that the http request went to the zgateway1 zone, where ILB routed
the request to the web server on the ws1 zone. This is when both zgateway1 and
zgateway2 zones are up.
e. Now, switch to the zgateway1 terminal and bring down the zgateway1 zone.
root@zgateway1:~# init 5
f. Switch back to the zclient terminal and make an http request to the web server
again.
root@zclient:~# wget http://192.168.10.100:80
--2014-09-22 17:50:27-- http://192.168.10.100/
Connecting to 192.168.10.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17 [text/html]
Saving to: index.html.1
100%[======================================>] 17 --.-
K/s in 0s
The x in the index.html.x file carries an incremental value with every response from
the web server.
g. Output the index.html.1 file to verify which of the web servers responded to your
request.
root@zclient:~# cat index.html.1
WS2 responding
root@zclient:~#
This time the request was answered by the ws2 zone. Because zgateway1 was
down, VRRP router became the MASTER router on the zgateway2 zone. The ILB on
the zgateway2 zone sends the request to the web server on the ws2 zone.
Note: Now that you have understood how a redundant system provides HA to the
infrastructure, you can continue to build redundant resources on the s11-host02 system,
just as you did in this lab. However, for the sake of convenience, and to optimize on
memory resources in a VBox setup, you will only reinforce the s11-host01 system with
network services and resource optimization. Therefore, you can now shut down the s11-
host02 resources.
h. Switch to the zgateway2 terminal and shut down the zones running in the s11-host02
system.
root@zgateway2:~# shutdown -y -g0 -i5
Practices Overview
Murraya Inc. requires a centralized database for leasing IP addresses to clients, a centralized
naming server for host name resolution, and a central data store for user authentication. In
addition, Murraya also requires resource-sharing capabilities between the Oracle Solaris and
Windows platforms. You will, therefore, implement the following solutions to address each of the
above requirements: DHCP, DNS, and LDAP.
In this lab, you will perform the following practices:
Configure ISC DHCP
Configure DNS
The following is the schematic representation of the setup you will build and test in this lab:
[Figure: network-in-a-box schematic in VirtualBox: zclient, zgateway1, zapp1, zgateway2 and zapp2 over stub01 and stub02 and the appSwitch (192.168.2.x) and gateSwitch (192.168.1.x) EVS networks, with IPMP groups and the 192.168.10.100 VIP on both gateway zones]

Host (management address)    Zone          Zone addresses
s11-server (192.168.0.100)   --            192.168.20.x
s11-client (192.168.0.111)   zclient       192.168.10.11, 192.168.1.2
s11-host01 (192.168.0.112)   zgateway1     192.168.10.22, 192.168.3.2, 192.168.2.4, 192.168.1.3, 192.168.10.100
                             pri-services  192.168.3.4
                             ws1           192.168.3.6
                             zapp1         192.168.2.2
s11-host02                   zgateway2
Assumptions:
The s11-server, s11-client, s11-host01, and s11-host02 VMs are running.
All tasks associated with the s11-server, s11-host01, and s11-host02 VMs are
performed via secure (ssh) login from the s11-client VM.
You perform all tasks in the root role, unless mentioned otherwise. (Assume root
privileges by using the su command and oracle1 as password.)
Some command output or values may vary across systems.
The font size of the output is reduced in a few places, to accommodate complete
command output.
General Instructions:
Overview
To address the need for a dedicated and centralized data store for managing IP addresses for
clients within the network, you will configure the DHCP server in the pri-services zone on
the s11-host01 system. The DHCP relay agent will be configured on the zgateway1 zone, and
the zclient zone on the s11-client system will act as the DHCP client.
[Figure: network-in-a-box schematic in VirtualBox: zclient, zgateway1, zapp1, zgateway2 and zapp2 over stub01 and stub02 and the appSwitch (192.168.2.x) and gateSwitch (192.168.1.x) EVS networks, with IPMP groups and the 192.168.10.100 VIP on both gateway zones]
Tasks
In this practice, you will perform the following tasks:
1. Configure the DHCP server on the pri-services zone.
2. Configure the DHCP relay agent on the zgateway1 zone.
3. Request an IP address from the DHCP server.
Task 1/3
1. Configure the DHCP server on the pri-services zone.
a. Switch to the pri-services terminal.
b. Install the isc-dhcp package.
root@pri-services:~# pkg install isc-dhcp
Packages to install: 1
Services to change: 2
Create boot environment: No
Create backup boot environment: No
PHASE ITEMS
Installing new actions 65/65
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
The DHCP server answers both DHCP and BOOTP requests from IPv4 clients.
Task 2/3
2. Configure the DHCP relay agent.
The relay agent forwards both DHCP and BOOTP requests from IPv4 clients to the DHCP
server.
a. Switch to the zgateway1 terminal.
b. Because the zgateway1 zone was shut down in the previous task, boot the zone.
root@s11-host01:~# zoneadm -z zgateway1 boot
c. Log in to the zgateway1 zone.
root@s11-host01:~# zlogin zgateway1
The IP address 192.168.3.4 specified in the command is the IP address of the pri-
services zone that is configured as the DHCP server.
Observation: You have successfully configured both the ISC DHCP server and the DHCP
relay agent. You should now be able to request for IP addresses from the DHCP server.
Task 3/3
3. Request an IP address from the DHCP server.
To verify that the DHCP server is working, request a test IP address for the net3
interface on the zclient zone.
a. Switch to the zclient terminal window and exit from the zclient zone.
root@zclient:~# exit
b. Add the net3 interface to the zclient zone and reboot the zone.
root@s11-client:~# zonecfg -z zclient
zonecfg:zclient> add net
zonecfg:zclient:net> set physical=net3
zonecfg:zclient:net> end
zonecfg:zclient> exit
root@s11-client:~# zoneadm -z zclient reboot
c. Log in to the zclient zone.
root@s11-client:~# zlogin zclient
d. Display IP address and link information.
The IP address granted to the net3 interface is a dynamic address from the range
specified in the dhcpd.conf file in the DHCP server.
g. For now, there is no need for an address on the net3 interface, so delete the address object.
root@zclient:~# ipadm delete-addr net3/v4
root@zclient:~# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
aggr0/v4 static ok 192.168.10.11/24
lo0/v6 static ok ::1/128
Observation: The zclient zone is able to fetch the DHCP address from the DHCP server
configured on the pri-services zone on the s11-host01 system.
Overview
You will once again use the pri-services zone to configure the DNS server and the
zclient zone will be your DNS client. After successfully configuring this setup, zclient
should be able to access any other system (zone) in the network by using host names.
[Figure: network-in-a-box schematic in VirtualBox: zclient, zgateway1, zapp1, zgateway2 and zapp2 over the appSwitch (192.168.2.x) and gateSwitch (192.168.1.x) EVS networks, with IPMP groups and the 192.168.10.100 VIP on both gateway zones]
Tasks
In this practice, you will perform the following tasks:
1. Configure the DNS server.
2. Configure the DNS client.
Task 1/2
1. Configure the DNS server.
a. Switch to the pri-services terminal window.
b. Install the DNS package. Configuring the DNS server involves installing DNS BIND,
which is a DNS server package.
root@pri-services:~# pkg install pkg://solaris/service/network/dns/bind
Packages to install: 1
Services to change: 1
Create boot environment: No
Create backup boot environment: No
DOWNLOAD PKGS FILES
XFER (MB) SPEED
PHASE ITEMS
Installing new actions 71/71
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 1/1
c. Create the main configuration file for the DNS server. Before the named daemon starts,
Do not forget to log back in to the pri-services zone to continue with the procedure.
Or, create the file by using the vi editor and enter the following details about the db
files associated with each subnet.
root@pri-services:~# vi /etc/named.conf
options {
directory "/var/named";
};
Copy the files by first exiting to the s11-host01 system and then using the scp
command.
root@pri-services:~# exit
root@s11-host01:~# scp /opt/ora/course_files/dns/db/* /zones/pri-services/root/var/named/
root@s11-host01:~# zlogin pri-services
root@pri-services:~# cd /var/named
Or, create each of the following individual db files by using the vi editor.
root@pri-services:/var/named# vi db.127.0.0
$TTL 86400
@ SOA pri-services.mydomain.com
root@pri-services:/var/named# vi db.mydomain
$TTL 86400
@ SOA pri-services root (2 10800 3600 604800 600)
NS pri-services
localhost A 127.0.0.1
zgateway1 A 192.168.10.22
zgateway1 A 192.168.3.2
pri-services A 192.168.3.4
ws1 A 192.168.3.6
zgateway2 A 192.168.10.33
zgateway2 A 192.168.3.3
sec-services A 192.168.3.5
ws2 A 192.168.3.7
zclient A 192.168.10.11
s11-server A 192.168.0.100
s11-client A 192.168.0.111
s11-host01 A 192.168.0.112
s11-host02 A 192.168.0.113
:wq
root@pri-services:/var/named# vi db.192.168.0
$TTL 86400
@ SOA pri-services.mydomain.com. root.mydomain.com. (2 10800 3600 604800 600)
NS pri-services.mydomain.com.
100 PTR s11-server.mydomain.com.
111 PTR s11-client.mydomain.com.
root@pri-services:/var/named# vi db.192.168.10
$TTL 86400
@ SOA pri-services.mydomain.com root.mydomain.com (2 10800 3600 604800 600)
NS pri-services.mydomain.com
11 PTR zclient.mydomain.com
22 PTR zgateway1.mydomain.com
33 PTR zgateway2.mydomain.com
root@pri-services:/var/named# vi db.192.168.3
$TTL 86400
@ SOA pri-services.mydomain.com root.mydomain.com (2 10800 3600 604800 600)
NS pri-services.mydomain.com
2 PTR zgateway1.mydomain.com
4 PTR pri-services.mydomain.com
6 PTR ws1.mydomain.com
3 PTR zgateway2.mydomain.com
5 PTR sec-services.mydomain.com
7 PTR ws2.mydomain.com
:wq
f. Check the files in the directory.
root@pri-services:/var/named# ls
db.127.0.0 db.192.168.10 db.mydomain
db.192.168.0 db.192.168.3
All five db files have been created inside the /var/named directory.
g. Check the validity of the /etc/named.conf configuration file.
root@pri-services:/var/named# cd
root@pri-services:~# named-checkconf
You should not see an error message. That indicates that the named.conf file is
correct.
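named-checkconf validates only the syntax of named.conf; it says nothing about whether the forward and reverse zone files agree with each other. The following is an added example, not part of the lab or of the BIND distribution, that cross-checks the A records of a forward zone against the PTR records of the reverse zones and also flags a PTR target written without a trailing dot (BIND treats such a name as relative and appends the reverse zone's origin to it). The zone text is constructed to mirror the layout of the db files above; the forward $ORIGIN of mydomain.com is an assumption.

```python
"""Cross-check a BIND forward zone against its reverse zones.

Added example for this lab, not part of the Oracle course files.  The
zone text below is constructed to mirror the db.* layout used above:
the SOA and NS lines are carried for realism and skipped, and only the
A and PTR record lines are compared.
"""
import re

FORWARD_ORIGIN = "mydomain.com"   # assumed $ORIGIN of db.mydomain

# Constructed forward zone in the layout of db.mydomain (localhost omitted).
FORWARD_ZONE = """\
$TTL 86400
@            SOA pri-services root (2 10800 3600 604800 600)
             NS  pri-services
zgateway1    A   192.168.10.22
zgateway1    A   192.168.3.2
pri-services A   192.168.3.4
ws1          A   192.168.3.6
zclient      A   192.168.10.11
s11-host01   A   192.168.0.112
"""

# Constructed reverse zones keyed by origin.  PTR targets end in a dot:
# BIND appends the zone origin to any target that does not, so a bare
# "ws1.mydomain.com" would become ws1.mydomain.com.3.168.192.in-addr.arpa.
REVERSE_ZONES = {
    "10.168.192.in-addr.arpa": """\
$TTL 86400
@  SOA pri-services.mydomain.com. root.mydomain.com. (2 10800 3600 604800 600)
   NS  pri-services.mydomain.com.
11 PTR zclient.mydomain.com.
22 PTR zgateway1.mydomain.com.
""",
    "3.168.192.in-addr.arpa": """\
$TTL 86400
@  SOA pri-services.mydomain.com. root.mydomain.com. (2 10800 3600 604800 600)
   NS  pri-services.mydomain.com.
2  PTR zgateway1.mydomain.com.
4  PTR pri-services.mydomain.com.
5  PTR sec-services.mydomain.com.
6  PTR ws1.mydomain.com
""",
}

A_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)\s*$")
PTR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?PTR\s+(\S+)\s*$")


def fqdn(name, origin):
    """Qualify a relative owner name the way BIND does."""
    if name == "@":
        return origin
    return name[:-1] if name.endswith(".") else f"{name}.{origin}"


def parse_a_records(text, origin):
    """Return {(fqdn, ip)} for every A record in a forward zone."""
    out = set()
    for line in text.splitlines():
        m = A_RE.match(line)
        if m:
            out.add((fqdn(m.group(1), origin), m.group(2)))
    return out


def parse_ptr_records(zones):
    """Return ({(fqdn, ip)}, [(origin, target)]) across reverse zones.

    A PTR target lacking a trailing dot is reported rather than expanded,
    because the author almost certainly meant the absolute name.
    """
    out, relative = set(), []
    for origin, text in zones.items():
        # "3.168.192.in-addr.arpa" -> "192.168.3"
        prefix = ".".join(reversed(origin.split(".")[:-2]))
        for line in text.splitlines():
            m = PTR_RE.match(line)
            if not m:
                continue
            last_octet, target = m.groups()
            if not target.endswith("."):
                relative.append((origin, target))
            out.add((target.rstrip("."), f"{prefix}.{last_octet}"))
    return out, relative


def check_consistency(forward_text=FORWARD_ZONE, reverse_zones=REVERSE_ZONES,
                      origin=FORWARD_ORIGIN):
    """Report A records without a PTR, PTRs without an A, and relative targets."""
    a_recs = parse_a_records(forward_text, origin)
    ptr_recs, relative = parse_ptr_records(reverse_zones)
    return {
        "missing_ptr": sorted(a_recs - ptr_recs),
        "dangling_ptr": sorted(ptr_recs - a_recs),
        "relative_ptr_targets": relative,
    }


if __name__ == "__main__":
    for key, items in check_consistency().items():
        print(key, items)
```

On the constructed data the report lists s11-host01 as an A record with no PTR (there is no 192.168.0 reverse zone in the sample), sec-services as a PTR with no matching A record, and the ws1 PTR as a relative target. For the syntax of a single zone file, BIND's own named-checkzone (for example named-checkzone mydomain.com /var/named/db.mydomain) is the tool to run alongside named-checkconf.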
h. Now start the DNS server.
root@pri-services:~# svcs -a | grep dns/server
disabled 10:22:44 svc:/network/dns/server:default
root@pri-services:~# svcadm enable dns/server
Task 2/2
1. Configure the DNS client.
a. Switch to the zclient terminal.
b. Update the network/dns/client service.
root@zclient:~# svccfg -s network/dns/client
svc:/network/dns/client> setprop config/search=astring: ("mydomain.com")
Name: zgateway1.mydomain.com
Address: 192.168.3.2
Name: zgateway1.mydomain.com
Address: 192.168.10.22
Name: zgateway1.mydomain.com
Overview
Murraya's next requirement is an LDAP server. The primary function of the LDAP server is to
authenticate users on the network. You will now configure the LDAP server on the
pri-services zone; the zclient zone will act as the LDAP client.
Know that there are two implementations of LDAP in Oracle Solaris 11, Oracle Directory Server
Enterprise Edition (DSEE) and OpenLDAP. For the purpose of this setup, you will use
OpenLDAP, which is the default LDAP server in Oracle Solaris 11.
[Figure: network diagram of the practice environment in VirtualBox. zgateway1 (192.168.10.22, 192.168.3.2, 192.168.2.4, 192.168.1.3) and zgateway2 (192.168.10.33, 192.168.3.3, 192.168.2.5, 192.168.1.4) front stub01 and stub02 through IPMP and share 192.168.10.100; zclient 192.168.10.11 and 192.168.1.2; zapp1 192.168.2.2 and zapp2 192.168.2.3 on appSwitch (192.168.2.x); gateSwitch (192.168.1.x).]
Tasks
In this practice, you will perform the following tasks:
1. Configure the LDAP server.
2. Configure the LDAP client.
3. Verify LDAP client communication with the LDAP server.
Task 1/3
1. Configure the LDAP server.
a. In the pri-services terminal, verify the SMF status of the OpenLDAP server.
root@pri-services:~# svcs network/ldap/server
STATE STIME FMRI
disabled Oct_09 svc:/network/ldap/server:openldap_24
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
pidfile /var/openldap/run/slapd.pid
argsfile /var/openldap/run/slapd.args
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=Manager,dc=mydomain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
A directory schema specifies, among other rules, the types of objects that a directory
may have and the mandatory and optional attributes of each object type.
f. Change the ownership of the openldap directory to the default LDAP user,
openldap.
root@pri-services:~# chown -R openldap:openldap /var/openldap
g. Enable the LDAP server.
root@pri-services:~# svcadm enable ldap/server
root@pri-services:~# svcs ldap/server
STATE STIME FMRI
online 11:18:57 svc:/network/ldap/server:openldap_24
h. The LDAP Data Interchange Format (LDIF) file needs to be created. The LDIF file is a
standard plain text data interchange format for representing LDAP directory content
and update requests. This file contains the user information directory. You can either:
Copy the file from the host system.
root@pri-services:~# exit
root@s11-host01:~# scp /opt/ora/course_files/ldap/data.ldif /zones/pri-services/root/root/
root@s11-host01:~# zlogin pri-services
Or, create the file by using the vi editor.
root@pri-services:~# vi /root/data.ldif
dn: dc=mydomain,dc=com
o: mydomain
objectClass: dcObject
dc: mydomain
objectClass: organization

dn: ou=profile,dc=mydomain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: profile

dn: cn=default,ou=profile,dc=mydomain,dc=com
objectClass: DUAConfigProfile
cn: default
defaultSearchBase: dc=mydomain,dc=com

dn: ou=groups,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: groups

dn: cn=staff,ou=groups,dc=mydomain,dc=com
gidNumber: 10
cn: staff
objectClass: posixGroup
objectClass: top

dn: ou=users,dc=mydomain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

dn: uid=scarter,ou=users,dc=mydomain,dc=com
cn: Sam Carter
sn: Carter
givenName: Sam
uid: scarter
uidNumber: 1002
gidNumber: 10
homeDirectory: /home/scarter
loginShell: /bin/bash
gecos: Normal User
mail: sam.carter@mydomain.com
shadowMax: 45
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount

dn: uid=proxy,dc=mydomain,dc=com
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
userPassword: oracle1
uid: proxy
i. Add the directory content from data.ldif to the LDAP server by using the ldapadd
command.
root@pri-services:~# ldapadd -D "cn=Manager,dc=mydomain,dc=com" -f /root/data.ldif
Enter bind password: secret
adding new entry dc=mydomain,dc=com
root@zclient:~# cd /export/home
root@zclient:/export/home# mkdir scarter
c. Add the user directory information marked in red to the /etc/auto_home file. This
ensures that the home directory is auto-mounted.
root@zclient:/export/home# vi /etc/auto_home
#
# Copyright 2005 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "%Z%%M% %I% %E% SMI"
#
Parsing proxyPassword=oracle1
Parsing defaultServerList=192.168.3.4
Parsing defaultSearchBase=dc=mydomain,dc=com
Parsing serviceSearchDescriptor=passwd:ou=users,dc=mydomain,dc=com?one
Parsing serviceSearchDescriptor=group:ou=groups,dc=mydomain,dc=com?one
Arguments parsed:
authenticationMethod: simple
defaultSearchBase: dc=mydomain,dc=com
credentialLevel: proxy
b. Query the LDAP server by using the ldapsearch command. The ldapsearch utility
connects to the LDAP server, binds, and performs a search using a filter.
root@zclient:~# ldapsearch -h 192.168.3.4 -D 'cn=Manager,dc=mydomain,dc=com' -b 'dc=mydomain,dc=com' objectClass=*
Enter bind password: secret
version: 1
dn: dc=mydomain,dc=com
o: mydomain
objectClass: dcObject
objectClass: organization
dn: ou=profile,dc=mydomain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: profile
dn: cn=default,ou=profile,dc=mydomain,dc=com
objectClass: DUAConfigProfile
cn: default
defaultSearchBase: dc=mydomain,dc=com
credentialLevel: anonymous
authenticationMethod: none
defaultSearchScope: sub
profileTTL: 300
searchTimeLimit: 60
defaultServerList: 192.168.3.4
serviceSearchDescriptor: passwd: ou=users,dc=mydomain,dc=com
serviceSearchDescriptor: shadow: ou=users,dc=mydomain,dc=com
serviceSearchDescriptor: group: ou=groups,dc=mydomain,dc=com
dn: ou=groups,dc=mydomain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups
dn: cn=staff,ou=groups,dc=mydomain,dc=com
gidNumber: 10
cn: staff
objectClass: posixGroup
objectClass: top
dn: ou=users,dc=mydomain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users
dn: uid=scarter,ou=users,dc=mydomain,dc=com
cn: Sam Carter
sn: Carter
givenName: Sam
uid: scarter
dn: uid=proxy,dc=mydomain,dc=com
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
userPassword: oracle1
uid: proxy
c. Retrieve the password database entries by using the getent command. getent returns
entries from the name service databases configured in the name service switch, which now
include LDAP.
root@zclient:~# getent passwd
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
dladm:x:15:65:Datalink Admin:/:
netadm:x:16:65:Network Admin:/:
netcfg:x:17:65:Network Configuration Admin:/:
smmsp:x:25:25:SendMail Message Submission Program:/:
gdm:x:50:50:GDM Reserved UID:/var/lib/gdm:
zfssnap:x:51:12:ZFS Automatic Snapshots Reserved UID:/:/usr/bin/pfsh
upnp:x:52:52:UPnP Server Reserved UID:/var/coherence:/bin/ksh
xvm:x:60:60:xVM User:/:
The information about the LDAP user, scarter, is coming from the LDAP server.
d. Identify the LDAP user group by using the getent command.
root@zclient:~# getent group
root::0:
other::1:root
bin::2:root,daemon
sys::3:root,bin,adm
adm::4:root,daemon
uucp::5:root
mail::6:root
tty::7:root,adm
lp::8:root,adm
nuucp::9:root
staff::10:
daemon::12:root
sysadmin::14:
games::20:
smmsp::25:
gdm::50:
upnp::52:
xvm::60:
netadm::65:
mysql::70:
openldap::75:
webservd::80:
postgres::90:
unknown::96:
dn: ou=groups,dc=mydomain,dc=com
dn: ou=users,dc=mydomain,dc=com
dn: uid=proxy,dc=mydomain,dc=com
root@zclient:~# su - scarter
Oracle Corporation SunOS 5.11 11.2 June 2014
-bash-4.1$ id
uid=1002(scarter) gid=10(staff)
-bash-4.1$ exit
logout
root@zclient:~#
Observation: The naming information for the user, scarter, is coming from the
LDAP server. This indicates that LDAP has been successfully configured.
Summary: Recall the schematic representation of the tasks that you set out to accomplish
at the start of this lab. You have successfully configured ISC DHCP, DNS, and LDAP. In the
next lab, you will secure the network by using IP Filter.
Practices Overview
Given that Murraya's DNS, DHCP, and LDAP servers, along with the web server, would be
high-impact systems, you need to regulate the network resources so that network processes
can proceed without being interrupted or blocked. Network bandwidth is one such resource that
needs to be regulated. The bandwidth limit can be applied either directly to a datalink, such as a
VNIC, or to a user-defined flow.
[Figure: host and zone addresses]
s11-server 192.168.0.100, 192.168.20.x
s11-client 192.168.0.111; zclient 192.168.10.11, 192.168.1.2
s11-host01 192.168.0.112: zgateway1 192.168.10.22, 192.168.3.2, 192.168.2.4, 192.168.1.3, 192.168.10.100; pri-services 192.168.3.4; ws1 192.168.3.6; zapp1 192.168.2.2
s11-host02 192.168.0.113: zgateway2 192.168.10.33, 192.168.3.3, 192.168.2.5, 192.168.1.4, 192.168.10.100; sec-services 192.168.3.5; ws2 192.168.3.7; zapp2 192.168.2.3
Assumptions:
The s11-server, s11-client, s11-host01, and s11-host02 VMs are running.
All tasks associated with the s11-server, s11-host01, and s11-host02 VMs are
performed via secure (ssh) login from the s11-client VM.
You perform all tasks in the root role, unless mentioned otherwise. (Assume root
privileges by using the su command and oracle1 as password.)
Some command output or values may vary across systems.
The font size of the output is reduced in a few places, to accommodate complete
command output.
General Instructions:
Overview
The three VNICs created over stub1 have a maximum bandwidth of 40000 MB. At any given
time, any one zone over these VNICs could consume the entire bandwidth, crowding out the
other channels. It would, therefore, be prudent to assign a fixed quota of bandwidth to each of
these VNICs depending on the load-bearing capacity. Regulate bandwidth among the three
VNICs as follows: vnic2=20000, vnic4=10000, and vnic6=10000.
[Figure: bandwidth allocation on the stub01 VNICs (20000 MB for the zgateway1 VNIC, 10000 MB each for the other two), shown on the same topology as before: stub01, stub02, zgateway1, zgateway2, zapp1, zapp2, appSwitch (192.168.2.x), gateSwitch (192.168.1.x), IPMP, VirtualBox.]
Task 1/1
1. Configure the bandwidth datalink property.
a. From the s11-client desktop, open a terminal window and set the title of the window as
s11-host01.
b. Establish a secure remote connection with the s11-host01 VM by using ssh.
oracle@s11-client:~$ ssh oracle@s11-host01
Password: oracle1
Last login: Wed Oct 8 07:54:59 2014 from 192.168.0.111
Oracle Corporation SunOS 5.11 11.2 June 2014
c. Switch to the root role by using the su command. Password is oracle1.
oracle@s11-host01:~$ su
Password: oracle1
root@s11-host01:~#
d. Display VNIC information on the host.
The maxbw value under Property indicates that the current bandwidth allocation on
the etherstub-based VNICs is set to maximum. That would be 40000 MB. This implies
that at any given time, any one of the VNICs can possibly consume all of the 40000
MB, depriving the other VNICs. Considering the traffic-bearing capacity of each of the
VNICs, you can regulate the bandwidth accordingly.
f. Regulate bandwidth among the three VNICs as follows: vnic2=20000, vnic4=10000,
and vnic6=10000.
root@s11-host01:~# dladm set-linkprop -p maxbw=20000 zgateway1/vnic2
root@s11-host01:~# dladm set-linkprop -p maxbw=10000 pri-services/vnic4
root@s11-host01:~# dladm set-linkprop -p maxbw=10000 ws1/vnic6
g. Now, display details about the datalink properties.
root@s11-host01:~# dladm show-linkprop -p maxbw
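The risk described above is that a VNIC with no maxbw cap can take the whole etherstub, and that caps which add up to more than the link's capacity give no real guarantee. The following is an added example, not part of the lab, that reads output in the shape of dladm show-linkprop -p maxbw, flags uncapped VNICs, checks the committed total against the capacity the lab states, and emits the set-linkprop commands for a plan. The two output samples are constructed (the real command prints the columns LINK PROPERTY PERM VALUE DEFAULT POSSIBLE and shows -- for an unset value); the numbers are in the same units the lab uses.

```python
"""Check per-VNIC maxbw caps against the etherstub's capacity.

Added example, not from the Oracle lab.  The two dladm output samples
are constructed in the column layout of 'dladm show-linkprop -p maxbw';
a VALUE of '--' means the VNIC has no cap.
"""
LINK_CAPACITY = 40000   # capacity of the stub1 VNICs as stated in the lab

# Constructed output before any caps were applied: every VALUE is '--'.
BEFORE = """\
LINK                PROPERTY   PERM  VALUE   DEFAULT  POSSIBLE
zgateway1/vnic2     maxbw      rw    --      --       --
pri-services/vnic4  maxbw      rw    --      --       --
ws1/vnic6           maxbw      rw    --      --       --
"""

# Constructed output after the three set-linkprop commands in step f.
AFTER = """\
LINK                PROPERTY   PERM  VALUE   DEFAULT  POSSIBLE
zgateway1/vnic2     maxbw      rw    20000   --       --
pri-services/vnic4  maxbw      rw    10000   --       --
ws1/vnic6           maxbw      rw    10000   --       --
"""


def parse_maxbw(output):
    """Return {link: cap or None} from show-linkprop -p maxbw output."""
    caps = {}
    for line in output.splitlines()[1:]:        # skip the column header
        fields = line.split()
        if len(fields) < 4 or fields[1] != "maxbw":
            continue
        caps[fields[0]] = None if fields[3] == "--" else int(fields[3])
    return caps


def audit_caps(caps, capacity=LINK_CAPACITY):
    """Flag uncapped VNICs and over-commitment of the shared link."""
    uncapped = sorted(link for link, cap in caps.items() if cap is None)
    committed = sum(cap for cap in caps.values() if cap is not None)
    return {
        "uncapped": uncapped,            # any entry here can starve the rest
        "committed": committed,
        "overcommitted": committed > capacity,
    }


def plan_commands(desired):
    """Emit the dladm commands that apply a {link: cap} plan."""
    return [f"dladm set-linkprop -p maxbw={cap} {link}"
            for link, cap in desired.items()]


if __name__ == "__main__":
    print(audit_caps(parse_maxbw(BEFORE)))
    print(audit_caps(parse_maxbw(AFTER)))
    print("\n".join(plan_commands(parse_maxbw(AFTER))))
```

Run against the constructed "before" output the audit lists all three VNICs as uncapped; against the "after" output it reports 40000 committed, which exactly fills the stated capacity with nothing left over.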
Overview
The zgateway1 zone functions as the gateway for SSH and HTTP request/response traffic to
and from the pri-services and ws1 zones, respectively. The network traffic to ws1 is higher
but not time sensitive, whereas the network traffic to pri-services is low and time sensitive.
Therefore, to process network traffic faster for pri-services, you need to limit the bandwidth
allocated to the network traffic for ws1. If the bandwidth allocated for ws1 is not limited, it could
potentially use up all the available bandwidth, leading to a denial of bandwidth to
pri-services.
[Figure: flows on zgateway1, f-ssh with priority=high and f-http with maxbw=7000 MB, shown on the same topology as before: stub01, stub02, zgateway1, zgateway2, zclient, zapp1, zapp2, appSwitch (192.168.2.x), gateSwitch (192.168.1.x), IPMP, VirtualBox.]
Tasks
In this practice, you will create flows to regulate bandwidth and priority.
Task 1/1
1. Create flows to regulate bandwidth and priority.
a. Switch to the zgateway1 terminal.
b. Create a flow called f-http for the HTTP traffic to ws1 (192.168.3.6). The traffic
here is higher but not time sensitive.
root@zgateway1:~# flowadm add-flow -l vnic2 -a transport=tcp,local_ip=192.168.3.2,remote_ip=192.168.3.6,local_port=80 f-http
c. Create a flow called f-ssh for the SSH traffic to pri-services (192.168.3.4). The
traffic here is low but time sensitive.
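A flow is a set of packet attributes bound to a datalink, and its properties (maxbw, priority) apply only to packets that match every attribute. The following is an added example, not part of the lab, that parses attribute strings in the form passed to flowadm add-flow -a, shows which flow a given packet lands in, and emits the add-flow and set-flowprop commands for both flows. The f-http attributes are the ones shown in step b; the f-ssh attributes are an assumption, because the lab text is cut off before that command; the properties follow the lab diagram (maxbw=7000 for f-http, priority=high for f-ssh).

```python
"""Classify packets against flowadm-style flows and plan the commands.

Added example, not from the Oracle lab.  f-http uses the attributes
shown in step b; the attributes for f-ssh are an assumption, since the
lab text is cut off before that command.  The properties follow the
lab diagram (maxbw=7000 for f-http, priority=high for f-ssh).
"""
FLOWS = [
    # (flow name, link, attributes for -a, properties for -p)
    ("f-http", "vnic2",
     "transport=tcp,local_ip=192.168.3.2,remote_ip=192.168.3.6,local_port=80",
     "maxbw=7000"),
    ("f-ssh", "vnic2",   # attributes assumed, not shown in the lab
     "transport=tcp,local_ip=192.168.3.2,remote_ip=192.168.3.4,local_port=22",
     "priority=high"),
]


def parse_kv(spec):
    """'a=1,b=2' -> {'a': '1', 'b': '2'}, the comma-separated form flowadm takes."""
    return dict(item.split("=", 1) for item in spec.split(","))


def flow_matches(attrs, pkt):
    """Every attribute named in the flow must equal the packet's value."""
    return all(pkt.get(key) == value for key, value in attrs.items())


def classify(pkt, flows=FLOWS):
    """Return (flow name, properties) for the first flow on the packet's link
    whose attributes all match, or None when the packet stays in the link's
    default (unregulated) class."""
    for name, link, attr_spec, prop_spec in flows:
        if pkt["link"] == link and flow_matches(parse_kv(attr_spec), pkt):
            return name, parse_kv(prop_spec)
    return None


def plan_commands(flows=FLOWS):
    """Emit the flowadm commands that create the flows and set their properties."""
    cmds = []
    for name, link, attr_spec, prop_spec in flows:
        cmds.append(f"flowadm add-flow -l {link} -a {attr_spec} {name}")
        cmds.append(f"flowadm set-flowprop -p {prop_spec} {name}")
    return cmds


def packet(link, transport, local_ip, remote_ip, local_port):
    """Constructed packet summary carrying the attributes flowadm classifies on."""
    return {"link": link, "transport": transport, "local_ip": local_ip,
            "remote_ip": remote_ip, "local_port": str(local_port)}


if __name__ == "__main__":
    print(classify(packet("vnic2", "tcp", "192.168.3.2", "192.168.3.6", 80)))
    print(classify(packet("vnic2", "tcp", "192.168.3.2", "192.168.3.4", 22)))
    print("\n".join(plan_commands()))
```

HTTP toward ws1 lands in f-http and inherits the 7000 cap, SSH toward pri-services lands in f-ssh with high priority, and traffic that matches neither (a different port, or the same port on a different link) is left in the link's default class, which is exactly the traffic the maxbw on the VNIC itself still governs.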
Practices Overview
Although a network can be secured in many ways and at many levels, a firewall is one of the
primary mechanisms, and also a robust one. A general implementation of a firewall is to close
the internal network off from the outside world. Then, based on requirements, the internal network
and its resources can be allowed access from the external network and vice versa.
Note: Certain limitations in the VBox environment will not allow you to implement link protection
in the virtual network. You will, therefore, deploy only IP Filter in this lab.
Below is the schematic representation of the setup you will build and test in this lab:
[Figure: the setup for this lab, carried over from the previous one: flows f-ssh (priority=high) and f-http (maxbw=7000 MB) on zgateway1; stub01, stub02, zgateway1, zgateway2, zclient, zapp1, zapp2, appSwitch (192.168.2.x), gateSwitch (192.168.1.x), IPMP, VirtualBox.]
[Figure: host and zone addresses]
s11-server 192.168.0.100, 192.168.20.x
s11-client 192.168.0.111; zclient 192.168.10.11, 192.168.1.2
s11-host01 192.168.0.112: zgateway1 192.168.10.22, 192.168.3.2, 192.168.2.4, 192.168.1.3, 192.168.10.100; pri-services 192.168.3.4; ws1 192.168.3.6; zapp1 192.168.2.2
s11-host02 192.168.0.113: zgateway2 192.168.10.33, 192.168.3.3, 192.168.2.5, 192.168.1.4, 192.168.10.100; sec-services 192.168.3.5; ws2 192.168.3.7; zapp2 192.168.2.3
Assumptions:
The s11-server, s11-client, s11-host01, and s11-host02 VMs are running.
All tasks associated with the s11-server, s11-host01, and s11-host02 VMs are
performed via secure (ssh) login from the s11-client VM.
You perform all tasks in the root role, unless mentioned otherwise. (Assume root
privileges by using the su command and oracle1 as password.)
Some command output or values may vary across systems.
The font size of the output is reduced in a few places, to accommodate complete
command output.
Overview
The zgateway1 zone, being the gateway to the external network, is the most crucial zone in
the box. It is, therefore, a good practice to initially block all access to the internal network and its
resources. Then, use a need-based approach to open up the services one by one, while the rest
of the network continues to remain inaccessible to the outside world.
Task 1/5
1. Check the network services that are running.
Before configuring IP Filter, check whether all the network services are accessible from the
zclient zone.
a. Switch to the zclient terminal and verify that DNS lookup is taking place by running the
nslookup command for the zgateway1 zone.
root@zclient:~# nslookup zgateway1
Server: 192.168.3.4
Address: 192.168.3.4#53
Name: zgateway1.mydomain.com
Address: 192.168.3.2
Name: zgateway1.mydomain.com
Address: 192.168.10.22
b. Check the LDAP client service status. If the service is in the maintenance mode,
disable and enable the service again.
root@zclient:~# svcadm disable ldap/client
root@zclient:~# svcadm enable ldap/client
root@zclient:~# svcs -a | grep ldap/client
online 17:19:06 svc:/network/ldap/client:default
c. Verify that the LDAP server is operational.
root@zclient:~# getent passwd
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
100%[======================================>] 17 --.-K/s in 0s
root@zclient:~#
Task 2/5
2. Block all client requests to the zgateway1 zone.
Because zgateway1 is the access zone for all other zones in the box, you will configure IP
Filter on the zgateway1 zone to block all client requests. Thereafter, you will discerningly
edit the firewall rules to allow specific client requests.
a. Switch to the zgateway1 terminal.
aiuser:x:61:61:AI User:/:
pkg5srv:x:97:97:pkg(5) server UID:/:
oracle:x:100:10:oracle:/export/home/oracle:/usr/bin/bash
Task 3/5
3. Allow ping and ssh communication.
Reconfigure the IP Filter rule to allow ping and ssh communication with the zgateway1
zone.
a. Switch to the zgateway1 terminal.
b. Run the ipfstat -io command to display the I/O statistics for IP Filter.
root@zgateway1:~# ipfstat -io
empty list for ipfilter(out)
block in on ipmp0 all
c. Run the ipfstat command to view the detailed statistics for IP Filter.
root@zgateway1:~# ipfstat
bad packets: in 0 out 0
IPv6 packets: in 0 out 0
input packets: blocked 4 passed 5 nomatch 5 counted 0 short 0
output packets: blocked 0 passed 85 nomatch 85 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0 not fragmented 0
h. Now, switch to the zclient terminal and verify that the IP addresses configured on the
ipmp2 interface of the zgateway1 zone are reachable by using the ping command.
root@zclient:~# ping 192.168.10.22
192.168.10.22 is alive
root@zclient:~# ping 192.168.10.100
192.168.10.100 is alive
i. Verify that the 192.168.10.22 (zgateway1) IP is accessible by using the ssh
command.
root@zclient:~# ssh oracle@192.168.10.22
The authenticity of host '192.168.10.22 (192.168.10.22)' can't be established.
Task 4/5
4. Allow host name resolution.
Reconfigure the IP Filter rule to open the DNS port for host name resolution.
a. Switch to the zgateway1 terminal.
b. Modify the firewall rules to open the DNS port.
root@zgateway1:~# vi /etc/ipf/ipf.conf
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
Name: zgateway1.mydomain.com
Address: 192.168.3.2
Name: zgateway1.mydomain.com
Address: 192.168.10.22
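The rule set built over Tasks 2 to 4 follows the pattern the overview describes: one rule that blocks everything inbound, then narrow pass rules for ping, ssh and DNS. IP Filter evaluates the rules in order, the last matching rule decides, and a rule marked quick stops the scan; a packet that matches no rule at all is passed (those are the nomatch counts in the ipfstat output above). The following is an added example, not part of the lab or of IP Filter, that implements those semantics for the subset of ipf.conf syntax used here and evaluates constructed packets from zclient. The first rule is the lab's own starting rule as shown by ipfstat -io; the three pass rules are assumptions standing in for the ones the later steps add.

```python
"""Evaluate packets against IP Filter rules, last match wins.

Added example for this lab, not part of the Oracle course material.
The first rule is the lab's starting rule from ipfstat -io; the pass
rules are assumptions standing in for the ones the later steps add.
Supported syntax: action, direction, optional 'quick', 'on <iface>',
'proto <p>', then 'all' or 'from <addr> [port = N] to <addr> [port = N]',
with a trailing 'keep state' accepted and ignored.
"""
import ipaddress

RULES = """\
block in on ipmp0 all
pass in quick on ipmp0 proto icmp from any to any
pass in quick on ipmp0 proto tcp from any to any port = 22 keep state
pass in quick on ipmp0 proto udp from any to 192.168.3.4 port = 53
"""


def parse_rule(line):
    """Turn one ipf.conf rule into a dict of match fields."""
    tok = line.split()
    rule = {"action": tok[0], "dir": tok[1], "quick": False, "iface": None,
            "proto": None, "src": "any", "dst": "any", "sport": None, "dport": None}
    i = 2
    if i < len(tok) and tok[i] == "quick":
        rule["quick"] = True
        i += 1
    if i < len(tok) and tok[i] == "on":
        rule["iface"] = tok[i + 1]
        i += 2
    if i < len(tok) and tok[i] == "proto":
        rule["proto"] = tok[i + 1]
        i += 2
    if i < len(tok) and tok[i] == "all":
        return rule
    if tok[i] != "from":
        raise ValueError(f"unsupported rule: {line}")
    rule["src"] = tok[i + 1]
    i += 2
    if i < len(tok) and tok[i] == "port":
        rule["sport"] = int(tok[i + 2])
        i += 3
    if tok[i] != "to":
        raise ValueError(f"unsupported rule: {line}")
    rule["dst"] = tok[i + 1]
    i += 2
    if i < len(tok) and tok[i] == "port":
        rule["dport"] = int(tok[i + 2])
    return rule


def addr_matches(pattern, ip):
    """'any' matches everything; otherwise a host or CIDR pattern."""
    if pattern == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and addr_matches(rule["src"], pkt["src"])
            and addr_matches(rule["dst"], pkt["dst"])
            and rule["sport"] in (None, pkt["sport"])
            and rule["dport"] in (None, pkt["dport"]))


def evaluate(rules, pkt):
    """IP Filter semantics: a packet matching no rule passes; otherwise the
    last matching rule decides, except that a 'quick' match ends the scan."""
    verdict = "pass"
    for rule in rules:
        if rule_matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict


def packet(direction, iface, proto, src, dst, dport=None, sport=None):
    return {"dir": direction, "iface": iface, "proto": proto, "src": src,
            "dst": dst, "sport": sport, "dport": dport}


def sample_verdicts(rules_text=RULES):
    """Constructed traffic from zclient (192.168.10.11) toward zgateway1."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip()]
    cases = {
        "ping_in": packet("in", "ipmp0", "icmp", "192.168.10.11", "192.168.10.22"),
        "ssh_in": packet("in", "ipmp0", "tcp", "192.168.10.11", "192.168.10.22", dport=22),
        "http_in": packet("in", "ipmp0", "tcp", "192.168.10.11", "192.168.10.22", dport=80),
        "dns_in": packet("in", "ipmp0", "udp", "192.168.10.11", "192.168.3.4", dport=53),
        "dns_to_other_host": packet("in", "ipmp0", "udp", "192.168.10.11", "192.168.3.5", dport=53),
        "ssh_in_unfiltered_link": packet("in", "vnic2", "tcp", "192.168.10.11", "192.168.3.2", dport=22),
    }
    return {name: evaluate(rules, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print(f"{name:24s} {verdict}")
```

The last case is the caveat worth keeping in mind: because every rule is scoped with on ipmp0, a packet arriving on another link matches nothing and is passed by default. A rule set meant to deny by default therefore needs its block rule on every interface the zone exposes, or no on clause at all.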
Practices Overview
With Oracle Solaris 11, OpenStack is bundled with the OS. The group package,
pkg:/cloud/openstack installs all components of OpenStack. However, you will specifically
use the Keystone and Neutron packages to configure Neutron in this lab.
Note: The entire OpenStack configuration is beyond the scope of this course. This lab is meant
to expose you to the Neutron component of OpenStack and appreciate its role in configuring
cloud-ready EVS switches that can be assigned to Nova compute instances, in case Nova
should also be configured. Also note that Horizon is not configured in this lab because of
dependencies with other OpenStack components. The Horizon dashboard is a graphic interface
that allows you to manage OpenStack components. You can manage your Neutron entities
[Figure: the setup for this lab, with Keystone and Neutron added and a new cloudSwitch (192.168.20.x) beside appSwitch (192.168.2.x) and gateSwitch (192.168.1.x); flows f-ssh (priority=high) and f-http (maxbw=7000 MB) on zgateway1; stub01, stub02, zgateway1, zgateway2, zclient, zapp1, zapp2, IPMP, VirtualBox.]
[Figure: host and zone addresses]
s11-server 192.168.0.100, 192.168.20.x
s11-client 192.168.0.111; zclient 192.168.10.11, 192.168.1.2
s11-host01 192.168.0.112: zgateway1 192.168.10.22, 192.168.3.2, 192.168.2.4, 192.168.1.3, 192.168.10.100; pri-services 192.168.3.4; ws1 192.168.3.6; zapp1 192.168.2.2
s11-host02: zgateway2
Assumptions:
The s11-server, s11-client, s11-host01, and s11-host02 VMs are running.
All tasks associated with the s11-server, s11-host01, and s11-host02 VMs are
performed via secure (ssh) login from the s11-client VM.
You perform all tasks in the root role, unless mentioned otherwise. (Assume root
privileges by using the su command and oracle1 as password.)
Some command output or values may vary across systems.
The font size of the output is reduced in a few places, to accommodate complete
command output.
General Instructions:
Overview
Recall that in an earlier lab, you have already configured the EVS setup. That EVS setup you
built was for isolating nonglobal zones across hosts. Now, consider scaling up a similar setup
for the cloud.
Oracle Solaris 11 integrates with OpenStack to allow you to set up your infrastructure on the
cloud. You can interface with the Neutron component of OpenStack by using EVS as a
backbone. In this lab, you will work only with the Neutron component. However, the same setup
that you will build and test in this lab can be performed through the Horizon dashboard, where
you can assign Nova instances in the Glance database to the EVS switches created using
Neutron. Because that is beyond the scope of this course, you will work the Neutron component
for now. As you complete the setup, you will appreciate the fact that your existing EVS setup is
Task 1/5
1. Install the packages.
There are multiple ways to install OpenStack. In this instance, you will perform a manual
install of the required packages. Because the s11-server system has already been
configured as an EVS controller, later in the procedure, make note of the steps that you can
skip. If you were to configure Neutron on a new system, then you will need to perform all the
steps listed here.
a. Switch to the s11-server terminal.
b. Install the openstack, rabbitmq, and rad-evs-controller packages.
root@s11-server:~# pkg install openstack rabbitmq rad-evs-controller
Packages to install: 178
Services to change: 3
Create boot environment: No
Create backup boot environment: Yes
DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                            178/178   23165/23165  116.2/116.2  799k/s
PHASE ITEMS
Installing new actions 26486/26486
Updating package state database Done
RabbitMQ provides support for the Advanced Message Queuing Protocol (AMQP),
Task 2/5
2. Authenticate with Keystone.
The Keystone component of OpenStack is the authentication module.
a. Customize the Keystone configuration, by editing the keystone.conf file. In the file,
go to the specific sections and either uncomment the following entries or provide
values as specified.
root@s11-server:~# vi /etc/keystone/keystone.conf
[DEFAULT]
admin_token=ADMIN
[identity]
driver=keystone.identity.backends.sql.Identity
[token]
provider=keystone.token.providers.uuid.Provider
[signing]
token_format=UUID
:wq
Note: The keystone.conf file is a very long file. Be careful not to edit out anything
else in the file.
Tip: To look for a specific entry in the file, use the vi search (/) command: press /,
type the word you are looking for, and press Enter. The cursor moves to the first match.
Repeat the search to move to the next match.
b. Enable the keystone service.
root@s11-server:~# svcadm enable -rs keystone
root@s11-server:~# svcs keystone
STATE STIME FMRI
online 8:18:54 svc:/application/openstack/keystone:default
c. Populate the Keystone database. This can be done manually or by using the
convenience script provided with the OpenStack bundle.
root@s11-server:~# /usr/demo/openstack/keystone/sample_data.sh
+-------------+---------------------------------------+
| Property | Value |
+-------------+---------------------------------------+
| adminurl | http://localhost:$(admin_port)s/v2.0 |
| id | fedef812340ce9779bbbae00ef4c713f |
| internalurl | http://localhost:$(public_port)s/v2.0 |
| publicurl | http://localhost:$(public_port)s/v2.0 |
| region | RegionOne |
| service_id | 3e573eeb029160968f3aff4752e11259 |
+-------------+---------------------------------------+
+-------------+-------------------------------------------------
| id | d59a0a1e92dece5ac223d960fcc0ab56 |
| internalurl | http://localhost:9292 |
| publicurl | http://localhost:9292 |
| region | RegionOne |
| service_id | 4796b084f2cfe2cfe820fc0283d5d655 |
+-------------+----------------------------------+
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| adminurl | http://localhost:8773/services/Admin |
| id | e8fdb8fd7a36ceb2e768f7658379b7f9 |
+----------------------------------+---------+---------+-------+
| id | name | enabled | email |
+----------------------------------+---------+---------+-------+
| b5a99fc19e0a6787f033aaaa96ef88b2 | admin | True | |
| 6d814f10dc066ae2db62d23b648ca75a | cinder | True | |
| 877f67afbe5a4cb8ec65cf5c8a3ff55e | ec2 | True | |
| 0a259f9203596a5bcd7ef4e05407d9fe | glance | True | |
| b46637c20ec046f2c9ffc8c3a324fccc | neutron | True | |
| da0a11518933ce83f55587d838cd1eb1 | nova | True | |
| 4f8b72fc1ea3e627d72b8f702126e004 | swift | True | |
+----------------------------------+---------+---------+-------+
d. For these accounts, verify that SSH connectivity is working correctly by using ssh to
connect as evsuser@localhost.
root@s11-server:~# su - evsuser -c "ssh evsuser@localhost whoami"
The authenticity of host 'localhost (::1)' can't be established.
RSA key fingerprint is bf:5d:9a:4b:60:e8:2f:6b:eb:46:ad:b3:4c:a6:df:22.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
evsuser
root@s11-server:~# su - neutron -c "ssh evsuser@localhost
Task 4/5
4. Configure the EVS controller properties.
If you were to configure EVS on a new system, you would need to perform all the steps
mentioned here. However, because you have already configured the EVS controller
properties in an earlier lab, you can skip the following steps:
root@s11-server:~# evsadm set-prop -p controller=ssh://evsuser@localhost
root@s11-server:~# evsadm set-controlprop -p l2-type=vxlan
root@s11-server:~# evsadm set-controlprop -p vxlan-range=200-300
root@s11-server:~# evsadm
NAME        TENANT      STATUS  VNIC            IP              HOST
appSwitch   sys-global  busy    --              app_ipnet       s11-host01,s11-host02
   vport0   --          used    zapp1/net1      192.168.2.2/24  s11-host01
   vport1   --          used    zapp2/net1      192.168.2.3/24  s11-host02
   vport2   --          used    zgateway1/net4  192.168.2.4/24  s11-host01
   vport3   --          used    zgateway2/net3  192.168.2.5/24  s11-host02
Task 5/5
5. Configure Neutron.
a. Customize the Neutron component by either uncommenting or adding values to
the neutron.conf files.
root@s11-server:~# vi /etc/neutron/neutron.conf
auth_strategy=keystone
rabbit_host=localhost
auth_uri=http://127.0.0.1:5000/v2.0
identity_uri=http://127.0.0.1:35357
admin_tenant_name=service
admin_user=neutron
admin_password=neutron
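The Keystone step above leaves admin_token=ADMIN in keystone.conf, and the Neutron step sets admin_password to the same string as admin_user. Both are bootstrap conveniences that should not survive into a real deployment: the admin token bypasses Keystone authentication entirely, and the sample password is the first thing anyone would try. The following is an added example, not part of the lab or of OpenStack, that reads the two files with Python's configparser and flags those settings, plus any Keystone endpoint reached over plain http on a non-loopback address. The two config texts are constructed from the values the lab has you set; the [keystone_authtoken] section name for the Neutron credentials is an assumption, since the lab does not show the section headers.

```python
"""Audit OpenStack INI files for bootstrap placeholders and cleartext endpoints.

Added example, not from the Oracle lab.  The two config texts are
constructed from the values the lab has you set in keystone.conf and
neutron.conf; the [keystone_authtoken] section name is an assumption.
"""
import configparser
from urllib.parse import urlparse

KEYSTONE_CONF = """\
[DEFAULT]
admin_token=ADMIN
[identity]
driver=keystone.identity.backends.sql.Identity
[token]
provider=keystone.token.providers.uuid.Provider
[signing]
token_format=UUID
"""

NEUTRON_CONF = """\
[DEFAULT]
auth_strategy=keystone
rabbit_host=localhost
[keystone_authtoken]
auth_uri=http://127.0.0.1:5000/v2.0
identity_uri=http://127.0.0.1:35357
admin_tenant_name=service
admin_user=neutron
admin_password=neutron
"""

PLACEHOLDER_SECRETS = {"admin", "secret", "password", "changeme"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit(filename, text):
    """Return (file, section, key, reason) findings for one config file."""
    # default_section is renamed so that [DEFAULT] is read as an ordinary
    # section and its keys are not merged into every other section.
    cp = configparser.ConfigParser(interpolation=None, default_section="__none__")
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        values = dict(cp.items(section))
        for key, value in values.items():
            if key == "admin_token":
                why = "bootstrap admin_token still enabled"
                if value == "ADMIN":
                    why += " with the shipped placeholder value"
                findings.append((filename, section, key, why))
            elif key.endswith("password"):
                if value.lower() in PLACEHOLDER_SECRETS:
                    findings.append((filename, section, key, "placeholder password"))
                elif value == values.get(key.replace("password", "user")):
                    findings.append((filename, section, key, "password equals user name"))
            elif key in ("auth_uri", "identity_uri"):
                url = urlparse(value)
                if url.scheme == "http" and url.hostname not in LOOPBACK:
                    findings.append((filename, section, key,
                                     "cleartext endpoint off loopback"))
    return findings


if __name__ == "__main__":
    for finding in audit("keystone.conf", KEYSTONE_CONF) + audit("neutron.conf", NEUTRON_CONF):
        print(*finding, sep="  ")
```

On the lab's values the audit reports the admin token in keystone.conf and the admin_password in neutron.conf; the loopback http endpoints pass, because they never leave the host, whereas the same URIs pointed at 192.168.0.100 would be flagged.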
Observe that the appSwitch and gateSwitch EVSs configured earlier with the
evsadm command have been picked up in the statistics.
f. Now create another switch called cloudSwitch specifically for any Nova instances that
you might create in the future.
root@s11-server:~# neutron net-create cloudSwitch
Created a new network:
+--------------------------+------------------------------------
--+
| Field | Value
|
+--------------------------+------------------------------------
g. Display EVS details again with the neutron command. Know that you can also use the
evsadm command.
root@s11-server:~# neutron net-list
+--------------------------------------+-------------+----------
-------------------------------------------+
| id | name | subnets
|
+--------------------------------------+-------------+----------
-------------------------------------------+
| 85aa1672-5769-11e4-a20c-bd72f1a7608c | appSwitch | b4b1a1b0-
5769-11e4-a20d-bd72f1a7608c 192.168.2.0/24 |
| 6ac855de-576a-11e4-a212-bd72f1a7608c | gateSwitch | a5e3b5fa-
Observe that cloudSwitch EVS now shows up in the list of configured EVSs.
However, although appSwitch and gateSwitch show subnet details, cloudSwitch
at this point has no subnet assigned to it.
h. Display subnet details.
root@s11-server:~# neutron subnet-list
+--------------------------------------+------------+----------------+--------------------------------------------------+
| id                                   | name       | cidr           | allocation_pools                                 |
+--------------------------------------+------------+----------------+--------------------------------------------------+
| b4b1a1b0-5769-11e4-a20d-bd72f1a7608c | app_ipnet  | 192.168.2.0/24 | {"start": "192.168.2.2", "end": "192.168.2.254"} |
| a5e3b5fa-576a-11e4-a213-bd72f1a7608c | gate_ipnet | 192.168.1.0/24 | {"start": "192.168.1.2", "end": "192.168.1.254"} |
+--------------------------------------+------------+----------------+--------------------------------------------------+
Because there is no subnet for cloudSwitch yet, it does not appear in either output.
i. Assign a subnet to the cloudSwitch EVS.
root@s11-server:~# neutron subnet-create --enable-dhcp=False --name cloudsubnet cloudSwitch 192.168.20.0/24
Created a new subnet:
+------------------+--------------------------------------------
--------+
| Field | Value
|
+------------------+--------------------------------------------
--------+
Observe that the cloudSwitch EVS now appears with its subnet details just as the
other two switches do.
Summary: You have successfully configured the Neutron component of OpenStack. This
is by no means a complete setup for the cloud, but the EVS switch that you just created is
now cloud ready, in the sense that you could assign Nova instances to the cloudSwitch EVS
just as you assigned the zapp1 and zapp2 nonglobal zones to the appSwitch EVS in
your prototype earlier.
Practices Overview
With your background knowledge about the Oracle Solaris 11 networking technology, you will
attempt to resolve some cases in this lab.
In this lab, you will perform the following tasks:
Address host name resolution failure
Address web server failure
Assumptions:
The s11-server, s11-client, s11-host01, and s11-host02 VMs are running.
General Instructions:
Ensure that you set a title to the terminal window for easier recognition. These terminal
windows will be referenced by their titles in the labs. So follow the naming convention
mentioned in the procedures.
Keep the terminal windows open unless specifically asked to close.
If you happen to close a specific terminal window, you can re-establish the
connection:
o Open a new terminal window.
o SSH to the host (global zone) by using the ssh oracle@s11-<host>
command and specifying oracle1 as the password.
o Assume root privileges by using the su command and oracle1 as the password.
There will be occasions where you use the shutdown command to shut down the
nonglobal zones. If your terminal hangs while shutting down, open a new
terminal and re-establish the connection as described in the previous step.
If a zone is not running, boot the zone first by using the zoneadm -z
<zonename> boot command. Then log in to the zone by using the zlogin
<zonename> command.
Overview
Recall that you had successfully configured DNS on the pri-services zone. You also tested
its validity from the zclient zone by pinging various resources. However, now during final
testing, DNS host name resolution is again failing. You need to identify the root cause and
address the gap.
In this practice, you will address host name resolution failure.
Task 1/1
1. Address host name resolution failure.
The zclient zone is unable to resolve zgateway1.
Name: zgateway1.mydomain.com
Address: 192.168.3.2
Name: zgateway1.mydomain.com
Address: 192.168.10.22
While nslookup works, why does ping <hostname> fail to resolve the name? Here is
a clue:
Recall that you configured LDAP after configuring DNS. Configuring the LDAP client
overwrites the name service switch configuration file, /etc/nsswitch.conf. This
removes the dns entry from the /etc/nsswitch.conf file, which breaks DNS host name
resolution for applications such as ping. (nslookup queries the DNS server directly and
does not consult the switch, which is why it still succeeds.) Note that the
/etc/nsswitch.conf file specifies which sources are consulted for information such as
host names, password entries, and group entries.
c. Edit the /etc/nsswitch.conf file and modify the hosts entry to look up the DNS
server. Add dns against hosts and ipnodes as marked in the following file:
root@zclient:~# vi /etc/nsswitch.conf
#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
Copyright 2014, Oracle and/or its affiliates. All rights reserved.
:wq
d. Run the name service configuration command to synchronize the name service switch
configuration with the SMF name-service/switch service.
root@zclient:~# nscfg import -f name-service/switch
e. Ping zgateway1 to verify that host name resolution is now working.
root@zclient:~# ping zgateway1
zgateway1 is alive
f. Verify that DNS lookup is also taking place.
root@zclient:~# nslookup zgateway1
Server: 192.168.3.4
Address: 192.168.3.4#53
Name: zgateway1.mydomain.com
Address: 192.168.3.2
Name: zgateway1.mydomain.com
Address: 192.168.10.22
Observation: DNS service is now operational. zclient is able to resolve zgateway1.
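Because the LDAP client setup rewrites the switch without warning, a check that catches the missing dns source is worth keeping. The following is an added example, not from the Oracle guide: a shell function that audits an nsswitch.conf-style file for dns on the hosts and ipnodes lines, run against constructed before and after samples.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): audit an nsswitch.conf-style file
# for the dns source on the hosts and ipnodes lines, so the entries removed by
# the LDAP client setup are detected before name resolution breaks.
# Exit status 0 when both lines list dns, 1 otherwise. Sample files are constructed.

nsswitch_dns_check() {
    # $1: path of the file to audit; prints each database that lacks dns
    rc=0
    for db in hosts ipnodes; do
        # last definition of the database wins; drop trailing comments, tabs -> spaces
        line=$(grep "^${db}:" "$1" | sed 's/#.*//' | tr '\t' ' ' | tail -n 1)
        if [ -z "$line" ]; then
            echo "$db: no entry in $1"; rc=1; continue
        fi
        # sources follow "db:"; require a stand-alone dns token
        case " ${line#*:} " in
            *" dns "*) ;;
            *) echo "$db: dns missing ($line)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: what the LDAP client setup leaves behind (dns dropped)
broken=$(mktemp)
cat > "$broken" <<'EOF'
# _AUTOGENERATED_FROM_SMF_V1_
passwd:     files ldap
hosts:      files ldap
ipnodes:    files ldap
EOF

# Constructed sample: the repaired file with dns added to hosts and ipnodes
fixed=$(mktemp)
cat > "$fixed" <<'EOF'
passwd:     files ldap
hosts:      files dns ldap
ipnodes:    files dns ldap
EOF

nsswitch_dns_check "$broken" || echo "repair needed: $broken"
nsswitch_dns_check "$fixed" && echo "ok: $fixed"
```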
Overview
In this practice, you will address web server failure.
Task 1/1
1. Address web server failure.
zclient is not receiving a response from the Apache web server.
If it takes very long to connect, or you notice a connection timed out message, it
means that the web server is not reachable.
When you configured ILB earlier, the Apache web server was responding to client
requests. You tested load balancing over VRRP and it was operational then. Here is a
clue:
Recall that while setting up firewall rules in a previous lab, you blocked all network
services. You created an IP Filter rule by adding the line block in on ipmp2 all
in the IP Filter configuration file, /etc/ipf/ipf.conf.
b. Switch to the zgateway1 terminal and modify the configuration file to include an
entry for the Apache web server.
root@zgateway1:~# vi /etc/ipf/ipf.conf
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
block in on ipmp2 all
# adding for ping and SSH
pass in quick on ipmp2 proto ICMP from any to any keep state
pass in quick on ipmp2 proto tcp from any to 192.168.10.2/24 port=22 keep state
# adding for DNS
pass in log proto tcp from any to any port = 53 keep state
pass in log proto udp from any to any port = 53 keep state
# adding for LDAP
pass in proto tcp from any to any port = 389 keep state
# adding for Web Server
pass in proto tcp from any to any port = 80 keep state
:wq
c. Load the configuration file, which also validates it.
root@zgateway1:~# ipf -f /etc/ipf/ipf.conf
9:ioctl(add/insert rule): File exists
10:ioctl(add/insert rule): File exists
13:ioctl(add/insert rule): File exists
A File exists message means that an identical rule is already loaded; those rules are left
as they are and only the new rule is added. From the zclient terminal, the web request
now completes (output truncated):
100%[======================================>] 17 --.-K/s in 0s
root@zclient:~#
Observation: You have successfully unblocked port 80 and restored HTTP request and
response activity from the client.
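The clue above rests on how IP Filter evaluates a ruleset: without quick, the last rule that matches a packet decides, which is why a pass rule placed after block in on ipmp2 all opens a port. The script below is an added example, not part of the Oracle guide: a simplified evaluator (interfaces and addresses are ignored, only the rule forms used in this lab are parsed) run over constructed rulesets that mirror the lab's configuration before and after the web server rule.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): a simplified evaluator of the IP
# Filter semantics the lab relies on. Without "quick", the LAST matching rule
# decides; "quick" stops at the first match; with no matching rule the packet
# passes. Interfaces and addresses are ignored. Rulesets are constructed.

ipf_verdict() {
    # $1 ruleset file, $2 protocol (tcp|udp|icmp), $3 destination port (0 = none)
    awk -v proto="$2" -v port="$3" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                       # comments, blank lines
    $1 != "pass" && $1 != "block" || $2 != "in" { next }    # inbound rules only
    {
        line = tolower($0); gsub(/[ \t]+/, " ", line); gsub(/ = /, "=", line)
        matched = 1
        if (match(line, / proto [a-z]+/) && substr(line, RSTART+7, RLENGTH-7) != proto)
            matched = 0
        if (match(line, / port=[0-9]+/) && substr(line, RSTART+6, RLENGTH-6) + 0 != port)
            matched = 0
        if (matched) { verdict = $1; if (line ~ / quick /) exit }
    }
    END { print (verdict == "" ? "pass" : verdict) }' "$1"
}

before=$(mktemp)   # constructed: the state left by the earlier firewall lab
cat > "$before" <<'EOF'
block in on ipmp2 all
pass in quick on ipmp2 proto ICMP from any to any keep state
pass in quick on ipmp2 proto tcp from any to 192.168.10.2/24 port=22 keep state
pass in log proto tcp from any to any port = 53 keep state
pass in log proto udp from any to any port = 53 keep state
pass in proto tcp from any to any port = 389 keep state
EOF
after=$(mktemp)    # constructed: the same ruleset with the web server rule added
{ cat "$before"; echo 'pass in proto tcp from any to any port = 80 keep state'; } > "$after"

for spec in "tcp 80" "tcp 443" "icmp 0" "udp 53"; do
    set -- $spec
    echo "$1/$2: before=$(ipf_verdict "$before" "$1" "$2") after=$(ipf_verdict "$after" "$1" "$2")"
done
```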
Summary: With this, you have successfully configured the prototype you set out to build
and test. A glance at the topology diagram shows that you have implemented the setup in
its entirety, from the very first interface you plumbed on the zclient zone to the
integration with the Neutron component of OpenStack.
[Topology diagram: zclient, zgateway1, zgateway2, zapp1, zapp2, stub01 and stub02 connected through appSwitch (192.168.2.x), gateSwitch (192.168.1.x) and cloudSwitch (192.168.20.x), with IPMP groups, the f-ssh and f-http flows (priority=high, maxbw=7000 MB) and the OpenStack Keystone and Neutron components, all hosted on VirtualBox]