
UnixCBT feat.

Solaris 10 Edition
Training Notes 20060801.01

Table of Contents
Apache Web Server - Notes ... 3
BIND DNS Implementation - Notes ... 6
System Scheduler Cron - Notes ... 8
File System Management - Notes ... 10
Volume Management - Notes ... 12
File Transfer Protocol Daemon (FTPD) Implementation - Notes ... 15
GNU Privacy Guard (GPG) - Notes ... 17
MySQL Implementation - Notes ... 18
NETSTAT - Notes ... 19
Network Configuration Overview - Notes ... 20
Network File System (NFS) - Notes ... 22
AutoFS - Notes ... 23
Network Mapper Nmap - Notes ... 23
Network Time Protocol (NTP) - Notes ... 24
Quota Implementation & Management - Notes ... 25
Samba Windows Integration - Notes ... 25
Remote Desktop Installation - Notes ... 26
Samba Server Configuration - Notes ... 26
System Security Overview - Notes ... 27
Sendmail MTA Features - Notes ... 27
Snoop Network Sniffer - Notes ... 30
TCPDump Network Sniffer - Notes ... 30
Snort Network Intrusion Detection System (NIDS) - Notes ... 31
SYSLOG Implementation - Notes ... 32
Log Rotation using logadm - Notes ... 32
Zettabyte File System (ZFS) - Notes ... 33
Solaris Zones - Notes ... 34

Apache Web Server - Notes


SAMP - Solaris Apache MySQL PHP/Perl
LAMP - Linux Apache MySQL PHP/Perl/Python
Modular & Reliable
2 Versions (1.3.33 & 2.0.50) are included with Solaris 10
svcs -a | grep -i apache
Note: Apache2 documentation is available @: http://localhost/manual
Steps to invoke Apache on Solaris 10:
1. cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
2. update ServerName & ServerAdmin directives for main server
3. svcadm enable apache2
4. netstat -anP tcp | grep 80 && http://localhost/manual
Note: Typical classes of web server response codes:
200 - OK
300 - Redirect
400 - client error
500 - server errors

Note: Apache ALWAYS maintains a DEFAULT HOST. Config is in httpd.conf and outside of ANY and ALL virtual host containers
Note: Apache requires the following info. for the DEFAULT HOST:
1. ServerName linuxcbtsun1.linuxcbt.internal
2. ServerAdmin
3. DocumentRoot - where to serve content from
4. IP Address:Port to bind to - optional
5. Logging information - custom/combined & error logs
Note: Listen directive controls IPs and ports that Apache binds to
Note: specify 'Listen' directive(s) in the DEFAULT HOST (httpd.conf)
Note: You can specify multiple Listen directives
Note: Apache binds to ALL IP addresses when 'Listen' is specified without an IP address
DEFAULT HOST (IP:PORT)
  - Virtual Host 1
  - Virtual Host 2

<Directory "/var/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/var/apache2/htdocs/temp">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Note: <Directory "/var/apache2/htdocs"> - applies to all sub-directories
###Order, Allow, Deny Rules###
Note: Order is specified and Deny or Allow or combination follows
Note: Allow|Deny supports the following attributes:
1. IP Address - 127.0.0.1
2. IP Address range
3. IP Subnet Mask using CIDR or Class notation - 192.168.1.0/24 or 192.168.1.0/255.255.255.0
4. Partial IP address - 192.168.1
5. ALL
6. Environment variables - referrer, user agents
Used to influence default doc: DirectoryIndex index.html index.html.var
LogFormat is used to define logging keywords that can be referenced
Apache can log to multiple log files, with various keywords, simultaneously
###Alias Directive###
Maps webspace location to file system location, usually outside the document root
###Files Directive###
Facilitates restrictions on matching files regardless of location on server
<Files noaccess.html>
    Order allow,deny
    Deny from all
</Files>
Note: When applied OUTSIDE of <Directory> block, applies to all instances of named file throughout the web server
Task: Create web-accessible directory, but restrict access to certain IPs
Steps:
1. mkdir /var/apache2/private
2. Create appropriate Alias - Alias /private/ /var/apache2/private/
3. Create appropriate <Directory> block
###Virtual Hosts Support###
2 Types of Virtual Hosts are supported:
1. IP-based - Each virtual host is associated with a distinct address
2. Name-based - All or a group of Virtual Hosts share a distinct address
###IP-based Virtual Hosting###
Note: System requires multiple IP addresses
Note: Default Apache Host binds to ALL IP addresses on port 80
Steps:
1. Implement appropriate 'Listen' directive
2. Configure Virtual Hosts
3. Restart Apache
4. Test configuration

Listen 192.168.1.50:80
<VirtualHost 192.168.1.50:80>
    ServerName linuxcbtsun1.linuxcbt.internal
    ServerAdmin unixcbt@linuxcbtsun1.linuxcbt.internal
    DocumentRoot /var/apache2/ipvhost1
    ErrorLog /var/apache2/logs/ipvhost1.error.log
    CustomLog /var/apache2/logs/ipvhost1.access.log combined
</VirtualHost>
Note: Apache will serve content from the DocumentRoot of DEFAULT HOST if a request does NOT match any of the Virtual Hosts

Listen 192.168.1.51:80
<VirtualHost 192.168.1.51:80>
    ServerName linuxcbtsun3.linuxcbt.internal
    ServerAdmin unixcbt@linuxcbtsun1.linuxcbt.internal
    DocumentRoot /var/apache2/ipvhost2
    ErrorLog /var/apache2/logs/ipvhost2.error.log
    CustomLog /var/apache2/logs/ipvhost2.access.log combined
</VirtualHost>
###Name-based Virtual Hosting###
Facilitates the sharing of 1 IP address by a group of web sites
Steps:
1. Define appropriate Listen directive(s)
2. Define appropriate NameVirtualHost directive(s)
3. Define Virtual Hosts
4. Restart Apache
5. Confirm configuration

Listen 80
NameVirtualHost *:80 - means to permit Name-based Virtual Hosts on ALL IPs
Note: NameVirtualHost directive MUST match VirtualHost directive
<VirtualHost *:80>
    ServerName linuxcbtsun1.linuxcbt.internal
    ServerAdmin unixcbt@linuxcbtsun1.linuxcbt.internal
    DocumentRoot /var/apache2/namevhost1
    ErrorLog /var/apache2/logs/namevhost1.error.log
    CustomLog /var/apache2/logs/namevhost2.access.log combined
</VirtualHost>
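The Order/Allow/Deny rules above are easy to get backwards (Order allow,deny denies by default and a matching Deny always wins), so here is an added checker, not code from the UnixCBT notes or from Apache, that evaluates a <Directory> block for a given client address. It handles the IP argument forms listed in the notes (all, full IP, partial IP, CIDR, dotted netmask); host names and env= arguments are assumed out of scope, and the <Directory> blocks and client addresses are constructed for the /private/ task.

```python
"""Check which client IPs a <Directory> block admits under Order/Allow/Deny.

Added example (not code from the UnixCBT notes).  It models the mod_access
semantics of Apache 1.3/2.0 for the argument forms 'all', a full IP, a
partial IP (192.168.1), CIDR (192.168.1.0/24) and class notation
(192.168.1.0/255.255.255.0).  Host names and env= forms are deliberately
not handled (assumption: IP rules only).
"""
import ipaddress


def _covers(spec, ip):
    """True when one Allow/Deny argument covers the client address."""
    spec = spec.strip()
    if spec.lower() == "all":
        return True
    if "/" in spec:
        # CIDR or dotted-netmask notation; strict=False tolerates host bits set
        return ip in ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if len(octets) < 4:
        # partial address: "192.168.1" covers every 192.168.1.x client
        return str(ip).split(".")[:len(octets)] == octets
    return ip == ipaddress.ip_address(spec)


def parse_rules(block):
    """Collect (keyword, argument) pairs from the Order/Allow/Deny lines of a block."""
    rules = []
    for line in block.splitlines():
        parts = line.strip().split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            rules.append(("order", parts[1].lower()))
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            for arg in parts[2:]:          # "Allow from a b c" lists several hosts
                rules.append((key, arg))
    return rules


def client_allowed(rules, client):
    """Apply the evaluation order mod_access uses.

    Order allow,deny: an Allow must match AND no Deny may match (default: deny).
    Order deny,allow: denied only if a Deny matches and no Allow matches
                      (default: allow).
    """
    ip = ipaddress.ip_address(client)
    order = "deny,allow"                   # Apache's default when no Order is given
    allowed = denied = False
    for key, arg in rules:
        if key == "order":
            order = arg
        elif key == "allow":
            allowed = allowed or _covers(arg, ip)
        elif key == "deny":
            denied = denied or _covers(arg, ip)
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError("unsupported Order value: " + order)


# Constructed <Directory> block for the Alias /private/ task in the notes.
PRIVATE_BLOCK = """
<Directory "/var/apache2/private">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from 192.168.1 127.0.0.1
    Deny from 192.168.1.102
</Directory>
"""

# Constructed variant using Order deny,allow with CIDR notation.
OPEN_LAN_BLOCK = """
<Directory "/var/apache2/htdocs/temp">
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Directory>
"""

if __name__ == "__main__":
    for client in ("192.168.1.50", "192.168.1.102", "127.0.0.1", "172.16.20.11"):
        print(client, "private:", client_allowed(parse_rules(PRIVATE_BLOCK), client))
```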

BIND DNS Implementation - Notes


BIND 9.x - SUNWbind (client & server utilities) & SUNWbindr (SMF)
Steps to configure DNS:
1. Create /etc/named.conf - primary named/BIND/DNS configuration file

options {
    directory "/var/named";
};
###Special zone indicating the root of the DNS hierarchy###
###Downloaded named.root from: ftp://ftp.rs.internic.net/domain/named.root###
zone "." {
    type hint;
    file "db.cache";
};
###Reverse Zones###
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "db.192.168.1";
};
zone "20.16.172.in-addr.arpa" {
    type master;
    file "db.172.20.16";
};
###Forward Zones###
zone "unixcbt.internal" {
    type master;
    file "db.unixcbt.internal";
};

###Zone File Syntax###
Note: @ is a variable which indicates the name of the zone as configured in /etc/named.conf
svcadm enable dns/server
Note: With or without master domains, BIND functions as a caching-only NS
Our server is configured to be:
1. Caching-Only Server
2. Authoritative Server
###Mail Exchanger (MX) Record Setup###
Note: Implement MX via 2 records:
1. IN MX 10 mail.unixcbt.internal
2. mail IN A 192.168.1.197

###Slave DNS Server Configuration###
Note: There really isn't a Slave DNS Server with BIND, however, there is a SLAVE ZONE
Steps:
1. copy the following files to slave server:
   a. db.127.0.0 - houses reverse, loopback zone info.
   b. db.cache - houses root hints
   c. named.conf - primary DNS BIND configuration file
Note: DNS BIND server can also be a slave server in addition to caching-only and authoritative server.

System Scheduler Cron - Notes


Features:
1. Permits scheduling of scripts (shell/perl/python/ruby/PHP/etc.)/tasks on a per-user basis via individual cron tables
2. Permits recurring execution of tasks
3. Permits one-time execution of tasks via 'at'
4. Logs results (exit status, but can be full output) of executed tasks
5. Facilitates restrictions/permissions via cron.deny, cron.allow, at.*
Directory layout for Cron daemon:
/var/spool/cron - and sub-directories thereof store cron & at entries
/var/spool/cron/atjobs - houses one-off at jobs - 787546321.a - corresponds to a user's at job
/var/spool/cron/crontabs - houses recurring jobs for users - one file per username; these files house the recurring tasks for each user
Cron command:
crontab - facilitates the management of cron table files
crontab -l - lists the cron table for current user - reads /var/spool/cron/crontabs/root
###Cron table format###
m(0-59) h(0-23) dom(1-31) m(1-12) dow(0-6) command
10 3 * * * /usr/sbin/logadm - 3:10AM - every day
15 3 * * 0 /usr/lib/fs/nfs/nfsfind - 3:15 - every Sunday
30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1
Note: (date/time/command) MUST be on 1 line
m = minute (0-59)
h = hour (0-23)
dom = day of the month (1-31)
m = month (1-12)
dow = day of the week (0-6) - 0=Sunday
Note: each line contains 6 fields/columns - 5 pertain to date & time of execution, and the 6th pertains to the command to execute
#m h dom m dow command
10 3 * * * /usr/sbin/logadm - 3:10AM - every day
* * * * * /usr/sbin/logadm - every minute, hour, dom, m, dow
*/5 * * * * /usr/sbin/logadm - every 5 minutes (0,5,10,15...)
1 0-4 * * * /usr/sbin/logadm - 1 minute after the hours 0-4
0 0,2,4,6,9 * * * /usr/sbin/logadm - top of the hours 0,2,4,6,9
1-9 0,2,4,6,9 * * * /usr/sbin/logadm - minutes 1-9 of hours 0,2,4,6,9
Note: Separate columns/fields using whitespace or tabs
###Create crontabs for root & unixcbt###
Note: ALWAYS test commands prior to crontab/at submission

11 * * * * repquota -va >> /reports/`date +%F`.quota.report
Note: set EDITOR variable to desired editor - export EDITOR=vim
###unixcbt - execute quota -v###
#!/usr/bin/bash
HOME=/export/home/unixcbt
quota -v >> $HOME/`date +%F`.unixcbt.quota.report
#END
Note: aim to reference scripts (shell/perl/python/ruby/PHP, etc.) instead of the various characters
Note: Default Solaris install creates 'at.deny' & 'cron.deny'
You MUST NOT be included in either file to be able to submit at & cron entries
Conversely, if cron.allow and at.allow files exist, you MUST belong to the respective file to submit at or cron entries
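The field forms in the cron table examples above and the cron.allow/cron.deny precedence rule are both easy to test on paper; the following added example (not code from the UnixCBT notes or from Solaris cron) expands the time fields, decides whether an entry fires at a given time, and encodes the allow/deny decision. The allow/deny contents are passed in as Python sets instead of being read from /etc/cron.d (an assumption so it runs offline), and the "neither file exists" case is assumed to admit root only.

```python
"""Expand Solaris crontab time fields and apply the cron.allow/cron.deny rule.

Added example (not code from the UnixCBT notes).  It interprets the field
forms the notes show (*, */5, 0-4, 0,2,4,6,9, 1-9), decides whether an entry
fires at a given time, and encodes the allow/deny precedence the notes
describe.  Allow/deny lists are plain sets (assumption: not read from
/etc/cron.d) and the no-file case is assumed to admit root only.
"""

FIELD_RANGES = (
    ("minute", 0, 59),
    ("hour", 0, 23),
    ("day_of_month", 1, 31),
    ("month", 1, 12),
    ("day_of_week", 0, 6),      # 0 = Sunday
)


def expand_field(spec, low, high):
    """Return the sorted list of values one crontab field selects."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:                       # */5 -> every 5th value
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = low, high
        elif "-" in part:                     # 0-4 -> inclusive range
            first, last = part.split("-", 1)
            start, end = int(first), int(last)
        else:
            start = end = int(part)
        if not (low <= start <= end <= high) or step < 1:
            raise ValueError("bad field %r (range %d-%d)" % (spec, low, high))
        values.update(range(start, end + 1, step))
    return sorted(values)


class CronEntry:
    """One crontab line: 5 whitespace-separated time fields, then the command."""

    def __init__(self, line):
        parts = line.split(None, 5)
        if len(parts) != 6:
            raise ValueError("entry needs 5 time fields and a command on ONE line")
        self.specs, self.command = parts[:5], parts[5]
        self.fields = {name: expand_field(spec, low, high)
                       for spec, (name, low, high) in zip(self.specs, FIELD_RANGES)}
        # crontab(1): when both day fields are restricted, either may match;
        # when one of them is '*', the other alone decides.
        self.day_or = self.specs[2] != "*" and self.specs[4] != "*"

    def fires_at(self, minute, hour, dom, month, dow):
        f = self.fields
        dom_ok = dom in f["day_of_month"]
        dow_ok = dow in f["day_of_week"]
        day_ok = (dom_ok or dow_ok) if self.day_or else (dom_ok and dow_ok)
        return (minute in f["minute"] and hour in f["hour"]
                and month in f["month"] and day_ok)


def may_submit(user, allow=None, deny=None):
    """Decide crontab/at access from cron.allow / cron.deny contents.

    allow/deny are None when that file does not exist, else a set of names.
    cron.allow wins when present; otherwise cron.deny is consulted.
    """
    if allow is not None:
        return user in allow
    if deny is not None:
        return user not in deny
    return user == "root"                     # assumption for the no-file case


if __name__ == "__main__":
    # Constructed entries copied in shape from the notes' root crontab.
    for line in ("10 3 * * * /usr/sbin/logadm",
                 "15 3 * * 0 /usr/lib/fs/nfs/nfsfind",
                 "*/5 * * * * /usr/sbin/logadm"):
        entry = CronEntry(line)
        print(line, "-> fires 03:15 on Sunday 1 Jan?", entry.fires_at(15, 3, 1, 1, 0))
```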

File System Management - Notes


###Recap of steps necessary to partition/slice & create file systems###
Steps:
1. unmount existing file systems - umount /data2 /data3
2. confirm fdisk partitions via 'format' utility - format - select disk - select fdisk
3. use partition - modify to create slices on desired drives
   DISK1 - slice 0 - /dev/dsk/c0t1d0s0
   DISK2 - slice 0 - /dev/dsk/c0t2d0s0
4. Create file system using 'newfs /dev/rdsk/c0t0d0s0'
5. Use 'fsck /dev/rdsk/c0t1d0s0' to verify the consistency of the file system
6. Mount file systems at various mount points: mount /dev/dsk/c0t1d0s0 /data2 && mount /dev/dsk/c0t2d0s0 /data3
7. create entries in Virtual File System Table (/etc/vfstab) file
###How to determine file system associated with device###
1. fstyp /dev/dsk/c0t0d0s0 - returns file system type
2. grep mount point from /etc/vfstab - returns matching line: grep /var /etc/vfstab
3. cat /etc/mnttab - displays currently mounted file systems
###Temporary File System (TEMPFS) Implementation###
TempFS provides in-memory (RAM), very fast, storage and boosts application performance
Steps:
1. Determine available memory and the amount you can spare for TEMPFS - prtconf - allocate 100MB
2. Execute mount command: mkdir /tempdata && chmod 777 /tempdata && mount -F tmpfs -osize=100m swap /tempdata
Note: TEMPFS data does NOT persist/survive across reboots
Note: TEMPFS data is lost when the following occurs:
1. TEMPFS mount point is unmounted: i.e. umount /tempdata
2. System reboot
Modify /etc/vfstab to include the TEMPFS mount point for reboots:
swap - /tempdata tmpfs - yes -
###Swap File/Partition Creation###
swap -l | -s - to display swap information
mkfile size location_of_file - to create swap file
mkfile 512m /data2/swap2

swap -a /data2/swap2 - activates swap file
To remove swap file:
swap -d /data2/swap2 - removes swap space from kernel. Does NOT remove file
rm -rf /data2/swap2
###Swap Partition Creation###
format - select disk - partition - select slice/modify
swap -a /dev/dsk/c0t2d0s1
Modify /etc/vfstab

Volume Management - Notes


Solaris Volume Management permits the creation of 5 object types:
1. Volumes (RAID 0 (concatenation or stripe) / 1 (mirroring) / 5 (striping with parity))
2. Soft partitions - permits the creation of very large storage devices
3. Hot spare pools - facilitates provisioning of spare storage for use when a RAID 1/5 volume has failed
   i.e. MIRROR
     - DISK1
     - DISK2
     - DISK3 - spare
4. State database replica - MUST be created prior to volumes - Contains configuration & status of ALL managed objects (volumes/hot spare pools/soft partitions/etc.)
5. Disk sets - used when clustering Solaris in failover mode
Note: Volume Management facilitates the creation of virtual disks
Note: Virtual disks are accessible via: /dev/md/dsk & /dev/md/rdsk
Rules regarding Volumes:
1. State database replicas are required
2. Volumes can be created using dedicated slices
3. Volumes can be created on slices with state database replicas
4. Volumes created by volume manager CANNOT be managed using 'format', however, can be managed using CLI tools (metadb, metainit) and GUI tool (SMC)
5. You may use tools such as 'mkfs', 'newfs', 'growfs'
6. You may grow volumes using 'growfs'
###State Database Replicas###
Note: At least 3 replicas are required for a consistent, functional, multi-user Solaris system. 3 yields at least 2 replicas in the event of a failure
Note: if replicas are on the same slice or media and are lost, then Volume Management will fail, causing loss of data
Note: place replicas on as many distinct controllers/disks as possible
Note: Max of 50 replicas per disk set
Note: Volume Management relies upon the Majority Consensus Algorithm (MCA) to determine the consistency of the volume information
3 replicas = 1.5 (half) = 1 rounded down + 1 = 2 = MCA (half + 1)
Note: try to create an even amount of replicas
4 replicas = 2 (half) + 1 = 3
State database replica is approximately 4MB by default - for local storage
Rules regarding storage location of state database replicas:
1. dedicated partition/slice - c0t1d0s3
2. local partition that is to be used in a volume (RAID 0/1/5)
3. UFS logging devices
4. '/', '/usr', 'swap', and other UFS partitions CANNOT be used to store state database replicas

###Configure slices to accommodate State Database Replicas###
c0t1d0s0
c0t2d0s0
RAID 0 (STRIPE) - 60GB
###Create RAID 0 (STRIPE) - NOT REDUNDANT###
c0t1d0s0 + c0t2d0s0 -> RAID 0 (STRIPE) - 60GB - /dev/md/dsk/d0
Note: Volumes can be created using slices from a single or multiple disks
Note: State database replicas serve for ALL volumes managed by Volume Manager
Note: RAID 0 Concatenation - exhausts DISK1 before writing to DISK2
Note: RAID 0 Stripe - distributes data evenly across members
Note: Use the same size slices when using RAID 0 with Striping
Note: after defining volume, create file system: newfs /dev/md/rdsk/d0
###Suggested layout for creating volumes using volume manager###
SERVER
  - DISK0 - SYSTEM DISK
  VOLUME MANAGE SECONDARY DISKS
  - DISK1 - SECONDARY DISK
  - DISK2 - SECONDARY DISK
###RAID-1 Configuration###
Note: RAID-1 relies upon submirrors or existing RAID-0 volumes
c0t1d0s0 - /dev/md/dsk/d0 - d0 - source sub-mirror
c0t2d0s0 - /dev/md/dsk/d1 - d1 - destination sub-mirror
/dev/md/dsk/d2 - mirrored volume
Create file system on mirrored volume '/dev/md/dsk/d2': newfs /dev/md/rdsk/d2
###RAID-5 Configuration###
Steps:
1. Ensure that 3 components (slices/disks) are available for configuration
2. Ensure that components are identical in size
Slices for RAID-5:
c0t1d0s0 - 10GB
c0t1d0s0 - 10GB
c0t2d0s0 - 10GB

/dev/md/dsk/d0 = RAID-5 = 20GB
Note: You may attach components to a RAID-5 volume, but they will not store parity information; however, their data will be protected
###Using growfs to extend volumes###
growfs extends mounted/unmounted volumes (UFS/ZFS)

Steps to grow a mounted/unmounted file system:
1. Find free slice(s) to add as component(s) to volume using SMC or metattach CLI
2. Add component slice - wait for initialization (concatenation) to complete
3. execute 'growfs -M /d0 /dev/md/rdsk/d0'
Note: Once you've extended a volume, you CANNOT decrease it in size
Note: Concatenation of RAID-1/5 volumes yields an untrue RAID-1/5 volume
SLICE1 SLICE2 SLICE3 | SLICE4 - Concatenated - NOT a true RAID-1/5 member (no parity is stored)
Note: When extending RAID-1 volumes, extend each sub-mirror first, and then Solaris will automatically extend the RAID-1 volume. Then run 'growfs'
###Soft Partitions###
1. Provides an abstracted, extensible partition object
2. Permits virtually unlimited segmentation of disk - c0t1d0 - s0-9 (0-7 except 2, usable)
3. Permits creation of partitions on top of 1 or more slices
Steps:
1. Clean up partitions on existing disks: c0t1d0 & c0t2d0

File Transfer Protocol Daemon (FTPD) Implementation - Notes


wu-ftpd
FTPD binds to TCP port 21 and is running by default
SMF controls service configuration
svcs -l ftp - returns configuration
pkginfo -x | grep -i ftp - returns SUNWftpu|r packages
SUNWftpu - includes useful user packages:
  ftpcount - dumps count per class
  ftpwho - returns connected users & process information
  ftpconfig - used to setup anonymous/guest FTP
SUNWftpr - includes server-side configuration files in /etc/ftpd:
  - ftpaccess - primary configuration file for wu-ftpd
  - ftphosts - allow|deny access to users from hosts
  - ftpservers - allows admin to define virtual hosts
  - ftpusers - users listed may NOT access the server via FTP
  - ftpconversions - facilitates tar, compress, gzip support
wu-ftpd supports both types of FTP connections:
1. PORT - Active FTP
   - Client -> TCP:21 (Server-Control-Connection)
   - Client executes 'ls' -> results in server initiating a connection back to the client, usually on TCP:20 (ftp-data)
2. PASV - Passive FTP
   - Client -> TCP:21 (Server-Control-Connection)
   - Client executes 'ls' -> results in server opening a high port and instructing the client to source (initiate) a connection to the server
   - Client sources data connection to high port on server
###Anonymous FTP configuration###
use 'ftpconfig' to provision anonymous access
Note: Guest connections are jailed using chroot()
###FTPD Class Support###
Facilitates the grouping of users for the purpose of assigning directives
3 Default Classes:
1. realusers - CAN login using shell (SSH/Telnet) - CAN browse the entire directory tree
2. guestusers - Temporary users - see chrooted environment
3. anonusers - General public - primarily for download capability
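The PORT/PASV distinction above decides which side opens the data connection and therefore which direction a firewall must permit; this added example (not code from the UnixCBT notes or from wu-ftpd) decodes the RFC 959 "h1,h2,h3,h4,p1,p2" form both modes use, reports who initiates the data channel, and flags an advertised address that differs from the control-connection peer, which neither side should follow. The sample strings and addresses are constructed.

```python
"""Decode the data-connection set-up used by the two FTP modes above.

Added example (not code from the UnixCBT notes or wu-ftpd).  PORT (active)
and PASV (passive) both carry the data-channel endpoint as
'h1,h2,h3,h4,p1,p2' with port = p1*256 + p2 (RFC 959).  All sample strings
and addresses are constructed.
"""
import re

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """'PORT 192,168,1,102,4,1' or '227 ... (192,168,1,50,195,80)' -> (ip, port)."""
    match = _HOSTPORT.search(text)
    if match is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 sequence in: %r" % text)
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in: %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport: build the h1,...,p2 argument for a PORT command."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def data_channel(mode, client_ip, server_ip, wire_text):
    """Describe the data connection that follows a PORT command or a 227 reply.

    Returns the initiating side, the target address/port and
    'address_matches_peer': True when the advertised address is the control
    connection's peer (the client for PORT, the server for PASV).  A mismatch
    is the case a server or client should refuse rather than connect to.
    """
    ip, port = decode_hostport(wire_text)
    if mode == "PORT":        # active: server connects from tcp/20 to the client
        return {"initiator": "server", "source_port": 20,
                "target": ip, "target_port": port,
                "address_matches_peer": ip == client_ip}
    if mode == "PASV":        # passive: client connects to the server's high port
        return {"initiator": "client", "source_port": None,
                "target": ip, "target_port": port,
                "address_matches_peer": ip == server_ip}
    raise ValueError("mode must be PORT or PASV")


if __name__ == "__main__":
    # Constructed exchange: client 192.168.1.102, wu-ftpd server 192.168.1.50
    print(data_channel("PASV", "192.168.1.102", "192.168.1.50",
                       "227 Entering Passive Mode (192,168,1,50,195,80)"))
    print(data_channel("PORT", "192.168.1.102", "192.168.1.50",
                       "PORT " + encode_hostport("192.168.1.102", 1025)))
```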

###Guest User Support###
Jailed/chrooted environment
Steps:
1. useradd -d /home/guests/unixcbt4 -s /bin/true unixcbt4
2. mkdir /export/home/guests/unixcbt4
3. chown unixcbt4 /export/home/guests/unixcbt4
4. ftpconfig -d /export/home/guests/unixcbt4 - sets up chrooted environment
5. update /etc/ftpd/ftpaccess - config file: guestuser unixcbt4
6. restart ftp using svcadm restart ftp

Note: Guest users are similar to real users except guest users are chrooted/jailed
###Virtual Hosts###
wu-ftpd supports 2 forms of virtual hosts:
1. Limited - relies upon primary config files /etc/ftpd/{ftpaccess,ftpusers...}
   Admin. may define unique attributes including the following:
   a. banner
   b. logfile
   c. hostname
   d. email
   e. distinct IP address
2. Full - relies upon distinct config files in specified directory
   a. offers everything included with limited virtual hosts mode
   b. also adds distinct config files
   c. Note: Full mode will use default config files in /etc/ftpd if the full virtual host instance is unable to find a distinct file
###Limited Virtual Hosts Configuration###
/etc/ftpd/ftpaccess
virtual 192.168.1.51 root /var/ftp2
virtual 192.168.1.51 hostname linuxcbtdb1.linuxcbt.internal
virtual 192.168.1.51 banner /var/ftp2/.welcome_message.msg
virtual 192.168.1.51 logfile /var/log/ftp2/xferlog
virtual 192.168.1.51 allow unixcbt3

Note: Virtual hosts do not allow real & guest users access by default
###Full Virtual Hosts Configuration###
/etc/ftpd/ftpservers
address configuration_directory
192.168.1.51 /etc/ftpd/ftp2
192.168.1.52 /etc/ftpd/ftp3

GNU Privacy Guard (GPG) - Notes


Features:
1. Public key pair stored in ~/.gnupg - generation & maintenance for all users on system. Keys are files
2. Encrypt/Decrypt files - based on communication partner's public key
3. Encrypt/Decrypt e-mails - based on recipient's public key
4. Generate/Manage digital signatures (means of proving identity)

###Install GPG###
1. www.sunfreeware.com
2. gunzip gnupg-1.2.6-sol10-intel-local.gz && pkgadd -d gnupg-1.2.6-sol10-intel-local
Note: GPG manages, by default, 2 key chains:
1. Public - your public key, and potentially others
   a. use 'gpg --list-keys' to enumerate public keys
2. Private - your private key(s)
Note: gpg uses recipient's public key to encrypt communications (e-mail/files)
###Create Public/Private Key-Pair###
gpg --gen-key
Note: 'gpg --gen-key' functions similarly to 'ssh-keygen' utility
Note: passphrase is associated with 'private key' of pub/priv pair
Note: GPG is compatible with PGP
###Import other's public keys###

MySQL Implementation - Notes


Included with the Software Companion DVD
pkginfo -x | grep -i mysql
Note: Current version of MySQL is NOT managed by SMF
Steps to initialize MySQL:
1. /usr/sfw/bin/mysql_install_db - initializes default DBs & tables
   /usr/sfw/bin/mysqladmin -u root password 'abc123'
2. groupadd mysql && useradd -g mysql mysql && echo $?
3. chgrp -R mysql /var/mysql && chmod -R 770 /var/mysql && echo $?
4. installf SUNWmysqlr /var/mysql d 770 root mysql
5. cp /usr/sfw/share/mysql/my-medium.cnf /etc/my.cnf (global configuration)
6. /usr/sfw/sbin/mysqld_safe --user=mysql & - starts MySQL
7. symlink:
   ln /etc/sfw/mysql/mysql.server /etc/rc3.d/S99mysql
   ln /etc/sfw/mysql/mysql.server /etc/rc0.d/K00mysql
   ln /etc/sfw/mysql/mysql.server /etc/rc1.d/K00mysql
   ln /etc/sfw/mysql/mysql.server /etc/rc2.d/K00mysql
   ln /etc/sfw/mysql/mysql.server /etc/rcS.d/K00mysql
Note: MyISAM tables usually contain at least 3 files:
1. .MYI - Index file
2. .MYD - Data file
3. .FRM - Form file (describes table structure)
Note: Client options specified on the command line override all other instances of the option
Order of options/directives to be processed usually resembles the following:
1. /etc/my.cnf - global config file
2. /var/mysql/my.cnf - data-server specific config file
3. ~/my.cnf - user-specific config file
4. command line options
Note: Drop test database using the following syntax: 'drop database test;'
Note: You CANNOT drop the 'mysql' database because it contains the following critical information:
1. list of databases to manage
2. user table
3. privileges table
Note: MySQL creates 2 default users: 'root' & anonymous
Note: The anonymous user matches all unmatched users
Create MySQL user using the following command:
grant all privileges on *.* to 'unixcbt'@'localhost' IDENTIFIED BY 'abc123';
Note: After altering privileges, flush them to take effect using: flush privileges;

NETSTAT - Notes
Lists connections for ALL protocols & address families to and from machine
Address Families (AF) include:
INET - ipv4
INET6 - ipv6
UNIX - Unix Domain Sockets (Solaris/FreeBSD/Linux/etc.)
Protocols supported in INET/INET6 include: TCP, IP, ICMP (PING (echo/echo-reply)), IGMP, RAWIP, UDP (DHCP, TFTP, etc.)
Lists routing table
Lists DHCP status for various interfaces
Lists net-to-media table - network to MAC (network card) table
###NETSTAT Usage###
netstat - returns sockets by protocol using /etc/services for lookup
/etc/nsswitch.conf is consulted by netstat to resolve names for IPs
netstat -a - returns ALL protocols for ALL address families (TCP/UDP/UNIX)
netstat -an - -n option disables name resolution of hosts & ports
netstat -i - returns the state of interfaces. Pay attention to errors/collisions/queue columns when troubleshooting performance
netstat -m - returns streams (TCP) statistics
netstat -p - returns net-to-media info (MAC/layer-2 info.) i.e. arp
netstat -P protocol (ip|ipv6|icmp|icmpv6|tcp|udp|rawip|raw|igmp) - returns active sockets for selected protocol
netstat -r - returns routing table
netstat -D - returns DHCP configuration (lease duration/renewal/etc.)
netstat -an -f address_family
netstat -an -f inet|inet6|unix
netstat -an -f inet - returns ipv4 only information
netstat -n -f inet
netstat -anf inet -P tcp
netstat -anf inet -P udp
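The last invocation above, 'netstat -anf inet -P tcp', is the one to survey for unexpected listeners; this added example (not code from the UnixCBT notes) parses that output, compares the LISTEN sockets with an expected baseline, and lists the established peers of a given local port. The sample output is constructed and its column layout (Local Address, Remote Address, Swind, Send-Q, Rwind, Recv-Q, State, with address and port joined by a dot) is an assumption modelled on Solaris 10.

```python
"""Spot unexpected TCP listeners in 'netstat -anf inet -P tcp' output.

Added example (not code from the UnixCBT notes).  The sample output is
constructed; its column layout is assumed to follow Solaris 10, where the
address and port are joined by a dot ('*.22', '192.168.1.50.80').
"""

SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.80                 *.*                0      0 49152      0 LISTEN
192.168.1.50.80      192.168.1.102.3456   49640      0 49640      0 ESTABLISHED
192.168.1.50.22      172.16.20.11.40112   49640      0 49640      0 ESTABLISHED
      *.3306               *.*                0      0 49152      0 LISTEN
127.0.0.1.25              *.*                0      0 49152      0 LISTEN
"""


def split_endpoint(endpoint):
    """'192.168.1.50.80' -> ('192.168.1.50', 80); '*.22' -> ('*', 22); '*.*' -> ('*', 0)."""
    host, _, port = endpoint.rpartition(".")
    return host, (int(port) if port != "*" else 0)


def parse_tcp(text):
    """Return (local_host, local_port, remote_host, remote_port, state) rows."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        # data rows have exactly 7 columns ending in an upper-case state;
        # the header, the dashed separator and 'TCP: IPv4' do not
        if len(cols) != 7 or not cols[-1].isupper():
            continue
        local_host, local_port = split_endpoint(cols[0])
        remote_host, remote_port = split_endpoint(cols[1])
        rows.append((local_host, local_port, remote_host, remote_port, cols[-1]))
    return rows


def listeners(text):
    """Set of (bind_address, port) for sockets in LISTEN state."""
    return {(lh, lp) for lh, lp, _, _, state in parse_tcp(text) if state == "LISTEN"}


def unexpected_listeners(text, baseline):
    """Listeners absent from the expected baseline, sorted by port.

    baseline holds (bind_address, port) pairs.  The bind address is part of
    the key on purpose: a daemon expected on 127.0.0.1 that actually binds
    to '*' (all interfaces) is reported as unexpected.
    """
    return sorted(listeners(text) - set(baseline), key=lambda sock: sock[1])


def peers_by_local_port(text, port):
    """Remote hosts holding an ESTABLISHED connection to the given local port."""
    return sorted({rh for _, lp, rh, _, state in parse_tcp(text)
                   if lp == port and state == "ESTABLISHED"})


if __name__ == "__main__":
    EXPECTED = {("*", 22), ("*", 80), ("127.0.0.1", 25)}   # constructed baseline
    print("unexpected listeners:", unexpected_listeners(SAMPLE_NETSTAT, EXPECTED))
    print("peers on tcp/22:", peers_by_local_port(SAMPLE_NETSTAT, 22))
```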

Network Configuration Overview - Notes


2 Modes:
1. Local Files Mode - config is defined statically via key files
2. Network Client Mode - DHCP is used to auto-config interface(s)
Current Dell PE server has 3 NICs:
1. e1000g0 - plumbed (configured for network client mode)
2. iprb0 - unplumbed
3. iprb1 - unplumbed
1 Virtual mandatory interface: lo0 - loopback
Determine physical interfaces using 'dladm show-dev | show-link'
Determine plumbed and loopback interfaces using 'ifconfig -a'
NIC naming within Solaris OS: i.e. e1000g0 - e1000g (driver name) 0 (instance)
Layers 2 & 3 info. - ifconfig -a, or ifconfig e1000g0
Layer 1 info. - dladm show-dev | show-link
###Key network configuration files###
svcs -a | grep physical
svcs -a | grep loopback
1. IP Address - /etc/hostname.e1000g0, /etc/hostname.iprb0 | iprb1
2. Domain name - /etc/defaultdomain - linuxcbt.internal
3. Netmask - /etc/inet/netmasks - 192.168.1.0 255.255.255.0
4. Hosts database - /etc/hosts, /etc/inet/hosts - loopback & ALL interfaces
5. Client DNS resolver file - /etc/resolv.conf
6. Default Gateway - /etc/defaultrouter - 192.168.1.1, 172.16.20.1, 10.0.0.1
7. Node name - /etc/nodename
Name service configuration file - /etc/nsswitch.conf
netstat -D - returns DHCP configuration for ALL interfaces
ifconfig -a - returns configuration for ALL interfaces
Reboot system after transitioning from network client (DHCP) mode to local files (static) mode
mv dhcp.e1000g0 to some other name or remove the file so that the DHCP agent is NOT invoked
echo "linuxcbtsun1" > /etc/nodename
###Plumb/enable the iprb0 100Mb/s interface###
Plumbing interfaces is analogous to enabling interfaces
Note: 172.16.20.11 is a Linux host waiting to communicate with iprb0 interface
Steps:
1. ifconfig iprb0 plumb up - this will enable iprb0 interface
2. ifconfig iprb0 172.16.20.10 netmask 255.255.255.0 - this will enable layer-3 IPv4 address
Steps to unplumb an interface:
1. ifconfig iprb0 unplumb down

###Ensure that newly-plumbed interface settings persist across reboots###
Steps include updating/creating the following files:
1. echo "172.16.20.10" > /etc/hostname.iprb0
2. create entry in /etc/hosts - 172.16.20.10 linuxcbtsun1
3. echo "172.16.20.0 255.255.255.0" >> /etc/inet/netmasks
Note: To down interface, execute: ifconfig interface_name down
ifconfig iprb0 down && ifconfig iprb0
###Sub-interfaces/Logical Interfaces###
e1000g0 (physical interface)
  - 192.168.1.50 (Primary Apache website)
  - 192.168.1.51 (Secondary Apache website)
  - 192.168.1.52 (Used for SSH)
iprb0 - 172.16.20.10
iprb1
Use 'ifconfig interface_name addif ip_address <netmask>'
ifconfig e1000g0 addif 192.168.1.51 (RFC-1918 - defaults /24)
Note: This will automatically create an 'e1000g0:1' logical interface
Note: Solaris places new logical interface in DOWN mode by default
Note: use 'ifconfig e1000g0:1 up' to bring the interface up
Note: logical/sub-interfaces are contingent upon physical interfaces
Note: if physical interface is down, so will be the logical interface(s)
Note: connections are sourced using IP address of physical interface
###Save logical/sub-interface configuration for persistence across reboots###
1. gedit /etc/hostname.e1000g0:1 - 192.168.1.51
2. gedit /etc/hostname.e1000g0:2 - 192.168.1.52
3. Optionally update /etc/hosts - /etc/inet/hosts
4. Optionally update /etc/inet/netmasks - when subnetting

Note: To remove logical interface execute the following: ifconfig physical_interface_name removeif ip_address
ifconfig iprb0 removeif 172.16.20.20
###/etc/nsswitch.conf - name service configuration information###
functions as a policy/rules file for various resolution:
1. DNS
2. passwd (/etc/passwd, /etc/shadow), group (/etc/group)
3. protocols (/etc/inet/protocols)
4. ethers or MAC-to-IP mappings
5. hosts - where to look for hostname resolution: files (/etc/hosts), dns (/etc/resolv.conf)

Network File System(NFS) - Notes


Implemented by most if not all *nix-type OSs (Solaris/AIX/Linux/FreeBSD)
NFS seamlessly mounts remote file systems locally
NFS components include:
1. NFS Client (mount (temporary access), /etc/vfstab)
2. NFS Server
3. AutoFS

NFS versions 3 & higher support large files (>2GB)
NFS major versions:
2 - original
3 - improved upon version 2
4 - current version

Note: Solaris 10 simultaneously supports ALL NFS versions
/etc/default/nfs - contains defaults for NFS server & client
Note: client->server NFS connection involves negotiation of NFS version to use
###Steps for mounting remote file systems###
1. ensure that a local mount point exists & is empty
   Note: local mount points with files and/or directories will be unavailable while a remote file system is locally mounted
2. ensure that NFS server is available and sharing directories
3. mount locally the remote file system: mount -F nfs -o ro linuxcbtmedia:/tempnfs1 /tempnfs1
   Note: use 'man mount' to determine mount options for various FSs
4. setup persistent mounts in /etc/vfstab file
###Steps for sharing local file system locations###
1. ensure that NFS is running: svcs -a | grep -i nfs
   Note: you may enable the NFS server and update share information independently
   Start using: svcadm enable svc:/network/nfs/server
   Note: NFS Server will NOT start if there are NO directories to share
2. share -F nfs -d test_share /tempnfssun1 - exports for current session. Does NOT persist across reboots
3. Configure NFS sharing for persistence, using share command:
   share -F nfs -d test_share /tempnfssun1
   shareall
Note: consult 'man share_nfs' for permissions info.

AutoFS - Notes
Features:
1. Just-in-time mounting of file systems
2. Controlled by the 'automountd' daemon
3. Managed via the autofs service
4. References map files to determine which file systems to mount
5. Obviates the need to distribute the root password to non-privileged users
/etc/default/autofs - contains configuration directives for autofs

###AutoFS Maps###
3 Types:
1. Master map - /etc/auto_master
2. Direct map - /etc/auto_direct - facilitates direct mappings
3. Indirect map - /etc/auto_* - referenced from /etc/auto_master

###/etc/auto_master###
Note: /etc/auto_master is always read by autofs (the automountd daemon)
/etc/nsswitch.conf - used to determine the lookup location for automount maps
-hosts - references hosts defined in /etc/hosts & those hosts MUST export shares using NFS
Note: changes to /etc/auto_master (the primary autofs policy file) usually require a service restart: svcadm restart autofs
Note: AutoFS defaults to permitting clients to browse potential mount points

###Direct mapping example###
Note: Direct mappings seamlessly merge remote exports with local directories
Steps:
1. create an auto_direct mapping in /etc/auto_master: /- auto_direct -vers=3

Network Mapper Nmap - Notes


Performs network reconnaissance/vulnerability testing
www.insecure.org
Compilation Instructions:
1. export PATH=$PATH:/usr/ccs/bin
2. ./configure
3. make || gmake
4. gmake install - copies nmap to /usr/local/bin
Note: nmap can be run by any user on the system; however, only root may perform the scan types that need raw sockets, e.g. SYN-based (half-open) scans
###Check ports of hosts###
nmap -v 192.168.1.102
Run as root, this causes a SYN-based scan (-sS) to occur: SYN -> SYN-ACK -> RST (the handshake is never completed)
Run as a normal user, a full TCP connect scan (-sT) is performed: SYN -> SYN-ACK -> ACK (a complete handshake, which the target application sees and may log)

Nmap can export to the following file types:
1. Normal (-oN file)
2. XML (-oX file)
3. Greppable (-oG file)

Network Time Protocol (NTP) - Notes


Synchronizes the local system clock and can be configured to synch any NTP-aware host
Hierarchical in design - strata 1 through 16
Lower stratum values are more accurate time sources; stratum 16 means unsynchronized
Stratum 1 servers are connected to external, more accurate time sources such as GPS
Note: Less latency usually results in more accurate time
External Time Source (GPS/Radio/etc.) -> NTP Stratum 1 -> NTP Stratum 2 (Solaris Client/Server) -> ...
Note: A Solaris 10 NTP system can be both client & server
Note: configure NTP clients to synch to 3 or more clocks (time sources)
###Client configuration###
xntpd (the ntp service) reads /etc/inet/ntp.conf
Note: NTP uses UDP 123 as both source & destination port
ntpdate ntp_server - synchronizes the local clock, one-off
Note: ntpdate does NOT update the local clock if xntpd is running locally
rdate - relies upon the older time service
ntpq - NTP query utility; queries local or remote NTP servers, runs interactively & non-interactively
ntpq -np - lists peers without name resolution - non-interactive invocation
ntpq - invokes interactive mode
ntptrace - traces the path to the external time source
/etc/inet/ntp.conf - (server server_ip)
svcadm enable ntp - starts NTP (Server and/or Client)
NTP Pool Site: www.pool.ntp.org (derive NTP public servers from their lists)
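'svcadm enable ntp' only proves that xntpd is running; whether the host is actually synchronized is visible in 'ntpq -np' output, where a leading '*' marks the selected system peer, '+' a candidate and a blank a discarded peer. The following is an added example (not from the original notes) that reads that output and answers the question. The peer table is constructed: the addresses and values are invented, but the column layout is the standard ntpq peers listing.

```shell
#!/bin/sh
# Added example, not from the original notes: decide from 'ntpq -np' output
# whether this host is synchronized. Sample peer table is constructed (invented
# peers); columns are: tally+remote refid st t when poll reach delay offset jitter

write_sample_ntpq() {
    cat > "$1" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.10    .GPS.            1 u   34   64  377    0.345    0.012   0.004
+192.168.1.11    192.168.1.10     2 u   30   64  377    0.512   -0.230   0.110
 192.168.1.12    .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

# ntp_sync_status [FILE] - prints the system peer and its stratum; exit 1 if no
# peer carries the '*' tally (reads stdin if FILE is omitted)
ntp_sync_status() {
    awk '
        /^ *remote/ || /^=+$/ { next }                    # skip header lines
        /^\*/ { peer = substr($1, 2); st = $3 }           # tally "*" = system peer
        END {
            if (peer == "") { print "NOT SYNCHRONIZED: no system peer (*) selected"; exit 1 }
            print "synchronized to " peer " stratum " st
        }
    ' ${1:+"$1"}
}

# ntp_unreachable_peers [FILE] - lists peers whose reach register is 0, i.e. that
# never answered; a stuck refid of .INIT. is the usual companion symptom
ntp_unreachable_peers() {
    awk '
        /^ *remote/ || /^=+$/ { next }
        $7 == 0 { r = $1; sub(/^[*+#x.o-]/, "", r); print r }
    ' ${1:+"$1"}
}

# Run against the constructed sample; on a live host use:  ntpq -np | ntp_sync_status
tmp=$(mktemp)
write_sample_ntpq "$tmp"
ntp_sync_status "$tmp" || echo "check /etc/inet/ntp.conf server lines and UDP 123 reachability"
echo "unreachable peers:"
ntp_unreachable_peers "$tmp"
rm -f "$tmp"
```

On the sample the host is synchronized to 192.168.1.10 at stratum 1, and 192.168.1.12 is reported as unreachable. Remove the '*' line and the status function exits non-zero, which is the condition a monitoring job should alert on.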

Quota Implementation & Management - Notes


Features:
Soft Limits - function as the stage-1 or warning stage
- if the user exceeds the soft limit (i.e. 100MB), a timer is invoked (default 7 days)
- if the user remains over the soft limit beyond the timer, the soft limit is enforced as a hard limit
Hard Limits - function as a storage ceiling - CANNOT be exceeded
- if the user meets the hard limit, the system will not allocate additional storage
File-system perspective of quotas: 2 objects are monitored:
1. BLOCKS
2. INODES
FILE (test.txt) -> 1 INODE -> 1 or more data BLOCKS (counted in 1K units)
Quota Tools:
1. edquota - facilitates the creation of quotas for users
2. quotacheck - checks for consistency between actual usage and the quota records
3. quotaon - enables quotas on a file system
4. repquota - displays quota information
###Steps to enable quota support###
1. modify /etc/vfstab - enable quotas per file system: "Mount Options" column - 'rq'
2. create an empty 'quotas' file in the root of the desired file system
touch /export/home/quotas && chmod 600 /export/home/quotas
3. edquota unixcbt
edquota -p unixcbt unixcbt2 unixcbt3 unixcbt4 - copies unixcbt's quota policy to users unixcbt2, unixcbt3 and unixcbt4
4. quotacheck -va
5. quota -v unixcbt
6. quotaon -v /dev/dsk/c0t0d0s7 - enables quota support

Samba Windows Integration - Notes


Integrates Unix-type systems with Windows
SMB (TCP 139) / CIFS (TCP 445) - 2 protocols used to communicate with Windows/Samba servers
Key Client Utilities:
1. smbtree - network neighborhood text utility; it enumerates workgroups, hosts & shares
smbtree -b - relies upon broadcasts for resolving workgroups/hosts
smbtree -D - echoes discovered workgroups using broadcasts/master browser
2. smbclient - provides an FTP-like interface to SMB/CIFS servers
smbclient service_name (//LINUXCBTWIN1/LinuxCBT)
Note: Most, if not all, Samba clients operate in case-insensitive mode
smbclient //linuxcbtwin1/linuxcbt
Note: when in smbclient interactive mode, prefix commands with '!' to execute them locally on the client; otherwise commands run on the server
smbclient -L linuxcbtwin1 - enumerates the shares on the server

smbclient -A ./.smbpaswd //linuxcbtwin1/solaris10 - reads credentials from the named file instead of prompting
.smbpaswd contents:
username=unixcbt
password=abc123
Note: the credentials file holds a clear-text password; keep it mode 600 and owned by the invoking user
3. smbtar - facilitates backups of remote shares
smbtar -s linuxcbtwin1 -x solaris10 -t solaris10.tar - backup
smbtar -s linuxcbtwin1 -x solaris10 -r -t solaris10.tar - restore

Remote Desktop Installation - Notes


Requirements - www.sunfreeware.com:
1. libiconv
2. libgcc 3.3.2 or higher
3. libopenssl 0.9.7
4. rdesktop-1.4.1
Features: rdesktop supports Remote Desktop Protocol (RDP) versions 4 & 5
Connects to:
1. Windows XP - RDP-5
2. Windows 2000 - RDP-5
3. Windows 2003 - RDP-5
4. Windows NT Server 4 - Terminal Services Edition - RDP-4
###usage###
rdesktop -g 700x500 -a 16 server_name (192.168.1.102)
-g sets the window geometry; -a sets the colour depth in bits

Samba Server Configuration - Notes


/etc/sfw/smb.conf-example - modify & save as /etc/sfw/smb.conf
smb.conf - is the main configuration file for the Samba server, & many of the Samba clients read key directives from it
Features:
1. File & Print sharing
2. Implemented as 2 daemons (smbd & nmbd)
smbd - file & print sharing - connections based on the SMB/CIFS protocols
SMB - TCP 139
CIFS - TCP 445
nmbd - handles NetBIOS names, primarily using UDP
Browse list (act as master browser, or derive the current list from the master browser)
Names of servers - derived using broadcast or WINS - UDP 137 & 138
3. Legacy service - does not currently benefit from SMF
4. Service is located in /etc/init.d & referenced via run-levels
5. Configuration changes to /etc/sfw/smb.conf are read automatically (no restart needed)
###Samba Security Modes###
Default = security = user - relies upon the local Unix accounts database & the Samba

database to grant or deny access to shared resources
1. /etc/passwd
2. /etc/sfw/smbpasswd - handles translation of Windows auth to Unix auth
3. /etc/sfw/smbusers - provides translation between Unix & Windows users, i.e. translation of Windows' 'guest' user to Unix's 'nobody' user
###User Authentication Mode###
Note: NetBIOS names are restricted to 16 characters; however, only 15 are configurable (the 16th byte is reserved for the service suffix)
linuxcbtsun1.linuxcbt.internal = FQDN
Note: smbpasswd -a unixcbt - creates permitted Samba users in the /etc/sfw/private/smbpasswd file; otherwise, access will be denied
###Samba Web Administration Tool (SWAT)###
Steps to enable SWAT:
1. create an /etc/services entry for SWAT - TCP:901
2. create an /etc/inetd.conf entry for SWAT
swat stream tcp nowait root /usr/sfw/sbin/swat swat
3. Convert the inetd entry for SWAT to SMF using 'inetconv'
Note: SWAT runs as root and authenticates over plain HTTP, so the root password crosses the network in clear text; reach it only from localhost or through an encrypted tunnel, and disable the service when it is not in use

System Security Overview - Notes


/var/adm/sulog - houses su attempts
Format: SU DATE TIME +|- TTY From_User-To_User ('+' = success, '-' = failure)
SU 06/17 11:13 + pts/4 root-unixcbt
/var/adm/loginlog - Does NOT exist by default
Note: houses failed logins once the threshold (default of 5 consecutive failures, RETRIES in /etc/default/login) is reached
touch /var/adm/loginlog
/etc/default/login
logins command
logins -x -l unixcbt - returns info from /etc/{passwd,shadow}
logins -p - lists users without passwords
###Password Generation Encryption Algorithm###
Note: the default in Solaris 10 is the legacy UNIX crypt(3c) (DES-based) algorithm - the weakest; it uses only the first 8 characters of the password
/etc/security/policy.conf - man policy.conf(4); CRYPT_DEFAULT selects the algorithm, and the available algorithms are listed in /etc/security/crypt.conf
Note: password encryption changes take effect at the user's next password change
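The sulog format above is simple enough to mine directly. The following is an added example (not part of the original notes) that summarizes failed su-to-root attempts per user and lists who actually obtained root. The sulog lines are constructed; the users, ttys and times are invented, but the record layout is the one shown above.

```shell
#!/bin/sh
# Added example, not from the original notes: mine /var/adm/sulog for failed and
# successful su-to-root attempts. Record layout, as in the notes:
#   SU <MM/DD> <HH:MM> <+|-> <tty> <from_user>-<to_user>
# The sample below is constructed; the users and times are invented.

write_sample_sulog() {
    cat > "$1" <<'EOF'
SU 06/17 11:13 + pts/4 root-unixcbt
SU 06/17 11:20 - pts/4 unixcbt-root
SU 06/17 11:21 - pts/4 unixcbt-root
SU 06/17 11:22 + pts/4 unixcbt-root
SU 06/17 12:05 - pts/2 guest-root
SU 06/17 12:06 - pts/2 guest-root
SU 06/17 12:07 - pts/2 guest-root
SU 06/17 13:00 + pts/3 unixcbt-oracle
EOF
}

# failed_su_to_root FILE [THRESHOLD]
# prints "<failures> <user> <last tty>" for every user whose failed su-to-root
# count reaches THRESHOLD (default 1), most failures first
failed_su_to_root() {
    awk -v thr="${2:-1}" '
        $1 == "SU" && $4 == "-" && $6 ~ /-root$/ {
            u = $6; sub(/-root$/, "", u)          # strip the "-root" target
            n[u]++; tty[u] = $5
        }
        END { for (u in n) if (n[u] >= thr) print n[u], u, tty[u] }
    ' "$1" | sort -rn
}

# su_to_root_success FILE - "<MM/DD> <HH:MM> <tty> <user>" per successful su to root
su_to_root_success() {
    awk '$1 == "SU" && $4 == "+" && $6 ~ /-root$/ {
        u = $6; sub(/-root$/, "", u); print $2, $3, $5, u
    }' "$1"
}

# Run against the constructed sample; on a live host pass /var/adm/sulog
tmp=$(mktemp)
write_sample_sulog "$tmp"
echo "users with 3 or more failed su-to-root attempts:"
failed_su_to_root "$tmp" 3
echo "successful su to root:"
su_to_root_success "$tmp"
rm -f "$tmp"
```

On the sample, 'guest' accumulates three failures from pts/2 and is the only user over a threshold of 3; unixcbt fails twice and then succeeds, which is the one successful su to root and the line worth correlating with the rest of that session.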

Sendmail MTA Features - Notes


The default configuration runs Sendmail as 2 daemons:
1. MSP/client queue runner - accepts jobs submitted locally (PHP script/mailx/sendmail/etc.)
a. it runs as a non-privileged user called 'smmsp'
b. places messages into the client queue directory, /var/spool/clientmqueue, from which they are handed to the MTA
c. the mailq command dumps the current status of the MTA queue (/var/spool/mqueue); mailq -Ac shows the client queue
2. MTA mode - message delivery to local/remote recipients
a. it runs as root - to bind to the well-known TCP:25
Note: Sendmail works with SMF

svcadm restart sendmail
svcs -l sendmail
Typical Mail Components in distributed mail environments:
1. MTA - Message Transfer Agent (Sendmail/Postfix/qmail)
2. MUA - Mail User Agent (mail, mutt, mailx, MS Outlook, Eudora, etc.)
3. MDA - Mail Delivery Agent (mail.local, procmail, etc.)

Config files:
1. /etc/mail/sendmail.cf - primary config file for the Sendmail MTA
2. /etc/mail/submit.cf - primary config file for the Sendmail MSP (smmsp)
Config file macros using the m4 language:
1. /etc/mail/cf/cf/sendmail.mc
2. /etc/mail/cf/cf/submit.mc
Note: Sendmail does NOT understand m4 files. Use m4 to generate updated .cf files if necessary
###/etc/aliases - used for local mail delivery###
Contains key aliases for 'postmaster' & system daemons
unixcbt: unixcbt@linuxcbtsun1
Local addresses for the same user: unixcbt@localhost, unixcbt@linuxcbtsun1, unixcbt@linuxcbtsun1.linuxcbt.internal
/etc/mail/local-host-names - additional domains accepted as local, e.g.:
unixcbt.internal
(makes unixcbt@linuxcbtsun1.unixcbt.internal deliverable locally)
newaliases - generates the updated DB for aliases
###per-user mail###
1. Sendmail stores mail using the older mbox format, which stores all of a user's mail in 1 potentially huge ASCII text file
2. /var/mail/username - the /var/mail directory is flagged with the STICKY bit
###Mail delivery using local tools###
sendmail is monolithic - 1 program does it all (client/server/MSP/MTA)
sendmail -v unixcbt
Note: the MSP submits to: /var/spool/clientmqueue
###Virtual Domains/Users Support###
/etc/mail/relay-domains
/etc/mail/local-host-names
unixcbt.internal
Virtual Users:
Create: /etc/mail/virtusertable
Populate with mappings: virtual_email_address local_mailbox|remote_email
unixcbt@unixcbt.internal unixcbt
Configure /etc/mail/sendmail.cf via /etc/mail/cf/cf/sendmail.mc

- FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')
makemap hash virtusertable < virtusertable - creates the DB file: /etc/mail/virtusertable.db (makemap reads the text map from stdin)
###Relay Domains###
/etc/mail/relay-domains
Houses domains and/or hosts for which sendmail should relay; local and/or remote
linuxcbt.com
192.168.1.100
Note: anything listed here may send mail through this server to any destination; list only networks you control, or the host becomes an open relay for them
###IMAP/POP2|3 Support###
Differences between IMAP & POP
1. IMAP stores messages on the server
2. POP downloads messages to the client
Note: the IMAP server must support the mbox mail storage format and, optionally, the Maildir mail storage format
Download IMAP2004g from sunfreeware.com
###Configure INETD control of IMAP & POP3 services###
/etc/inetd.conf
pop3 stream tcp nowait root /usr/local/sbin/ipop3d ipop3d
imap stream tcp nowait root /usr/local/sbin/imapd imapd
Note: use 'inetconv' to convert INETD entries in /etc/inetd.conf to SMF
Note: on the plain imap (TCP 143) and pop3 (TCP 110) ports user passwords cross the network in clear text; since the daemons were built against OpenSSL, prefer the TLS ports imaps (TCP 993) and pop3s (TCP 995)
###Evolution MUA - Connect to POP3 & IMAP Service###
Installed openssl-0.9.8 to support IMAP2004g
Configure Evolution
Note: Retrieving & Sending messages are distinct functions
1. SMTP - Sending
2. IMAP/POP3/MS Exchange/etc. - Retrieval

Snoop Network Sniffer - Notes


Features:
1. Packet capturing facilities (ALL layers of the OSI model, minus physical)
2. Packet playback/replay facility
3. Sniffs on the first detected, non-loopback interface - output to STDOUT
4. MUST be executed as root
Note: Prefer writing snoop output to a file rather than STDOUT, for performance reasons (to minimize packet loss)
snoop
snoop -o snoop1.out - redirects captured traffic to a file named 'snoop1.out' and returns a packet count to STDOUT
Note: If connected to a switched environment, MIRROR the traffic to the Sun box in order for the traffic to be available to snoop
snoop -i snoop1.out - reads the captured file
Note: snoop captures packets until killed with CTRL-C or the disk runs out of space
snoop -i snoop1.out -p 11573,11577 - extracts the packet range 11573-11577
snoop -v -i snoop1.out - VERBOSE (ALL OSI layers, 2-7, every header field)
snoop -V -i snoop1.out - verbose SUMMARY (one line per protocol layer)
Note: snoop supports Boolean primitives (host, tcp, udp, ip, port) & Boolean operators (and, or, not)
snoop -i snoop1.out tcp port 80
Note: snoop -o output_file - captures layers 2-7, full payload included, so capture files hold any clear-text credentials that crossed the wire; protect them accordingly
snoop -o snoop1.out udp
snoop -o snoop1.out 192.168.1.50 192.168.1.102
###FTP Traffic Snoop###
snoop -o snoop_ftp_traffic.out host 192.168.1.102 linuxcbtsun1 and tcp and port 21

TCPDump Network Sniffer - Notes


www.tcpdump.org
Packet Capturing - captures packets from network interfaces
Note: 2 major utilities supporting TCPDump's file format include:
1. Ethereal - GUI protocol analyzer/sniffer
2. Snort NIDS - sniffer/logger/NIDS
TCPDump supports 3 qualifiers to assist in creating expressions:
1. Type - host|net|port, i.e. host 192.168.1.102
2. Direction - src|dst|src or dst|src and dst
3. Protocol - tcp|udp|ip
Syntax:

tcpdump options expression
tcpdump -D - returns available interfaces
tcpdump -i interface_name - binds to a specific interface
tcpdump -q - suppresses some packet header information
tcpdump -n - avoids name resolution - improves performance

Snort Network Intrusion Detection System (NIDS) - Notes


Features:
1. Packet Capturing - libpcap.a (tcpdump.org)
2. Packet Logging - captures are stored to disk (ASCII/TCPDump formats)
3. Network Intrusion Detection Mode
Note: the Software Companion DVD includes Snort 2.0 (older version)
Requirements:
1. libpcap
2. libpcre
###Configuring Snort###
./configure --with-libpcap-libraries=/opt/sfw/lib --with-libpcre-includes=/opt/sfw/include --with-libpcre-libraries=/opt/sfw/lib
Appended to PATH: /usr/sfw/bin:/usr/ccs/bin
make
make install
###Snort as a Sniffer###
snort -v - dumps IP & TCP/UDP/ICMP headers (Layers 3 (IPs) & 4 (Ports) of the OSI Model)
snort -v -i e1000g0
snort -vd -i e1000g0 - also dumps the application-layer payload (Layer 7 of the OSI Model)
snort -ve -i e1000g0 - also dumps the data-link layer (Layer 2 of the OSI Model)
snort -vde -i e1000g0 - dumps Layers 2, 3, 4 & 7 of the OSI Model
###Snort as a Packet Logger###
Note: identical to sniffer mode, except that data is directed to a file instead of the terminal, which costs far less than printing every packet
snort -L snortlog.1
Note: Snort defaults to '/var/log/snort' to store the binary log and alert file
snort -L snortlog.1 -l ./log
Note: Snort accepts the same filter expressions as TCPDump (primitives and Boolean operators); this syntax is the Berkeley Packet Filter (BPF) language, and the expression goes after the options
snort options BPF_expression

SYSLOG Implementation - Notes


Note: Syslog is the default logging handler/router in Solaris
Note: Defaults to UDP:514
Note: Segment your Syslog host(s) on a distinct subnet, protected by ACLs
pkgchk -lP /usr/sbin/syslogd
Syslog can log to the following locations:
1. remote host (@hostname)
2. local file (suggested destination because of I/O performance)
3. console
4. specific users
5. * (all logged-in users)
Note: Syslog processes 3 pieces of information represented by 2 fields:
/etc/syslog.conf - primary configuration file for Syslog
man syslog.conf
1: selector (*.emerg)
2: action (/dev/console)
*.emerg	/dev/console
Selector = facility(user).severity_level(debug)
Action = target for the log entry (file, console, remote host, users)
Note: the selector and action fields MUST be separated by one or more TAB characters; a line that uses spaces instead is silently ignored by syslogd
Note: LOG_FROM_REMOTE in /etc/default/syslogd controls whether syslogd accepts messages from the network; set it to NO on hosts that are not log collectors
###Syslog Recognized Facilities###
USER, KERN, MAIL (Postfix, Sendmail), DAEMON (programs), AUTH, LPR, NEWS, CRON, AUDIT, LOCAL0-7 (provides 8 usable facilities), MARK, *
###8 Syslog Recognized Severity Levels###
1. EMERG - yields least output
2. ALERT
3. CRIT
4. ERROR
5. WARNING
6. NOTICE
7. INFO
8. DEBUG - yields most output
Note: a selector matches its level and every level more severe than it; restart syslog after changing /etc/syslog.conf
local0.info	/var/log/ciscofirewall1.log
touch /var/log/ciscofirewall1.log
svcadm restart system-log
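The TAB requirement is the usual reason a new syslog.conf line such as the firewall entry above produces an empty file. The following is an added example (not from the original notes) that checks a syslog.conf for active lines whose selector and action are not separated by a TAB. The configuration it tests is constructed, with two deliberately broken lines.

```shell
#!/bin/sh
# Added example, not from the original notes: catch /etc/syslog.conf lines whose
# selector and action are separated by spaces instead of TABs. Solaris syslogd
# requires a TAB between the two fields and silently ignores a line without one.
# The sample config is constructed; lines 4 and 6 are broken on purpose.

write_sample_syslog_conf() {
    : > "$1"
    printf '# constructed sample syslog.conf, not from a real host\n' >> "$1"
    printf '*.err;kern.notice;auth.notice\t/dev/sysmsg\n' >> "$1"
    printf '*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n' >> "$1"
    printf 'local0.info    /var/log/ciscofirewall1.log\n' >> "$1"   # spaces only: broken
    printf 'auth.info\t@loghost\n' >> "$1"
    printf 'mail.debug  /var/log/syslog\n' >> "$1"                  # spaces only: broken
}

# check_syslog_conf FILE - prints each active line lacking a TAB separator;
# exit status 1 if any were found, 0 if the file is clean
check_syslog_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
        $0 !~ /^[^ \t]+[ \t]*\t[ \t]*[^ \t]/ {            # selector, TAB, action
            bad++
            printf "%s:%d: no TAB between selector and action: %s\n", FILENAME, NR, $0
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Run against the constructed sample; on a live host pass /etc/syslog.conf
tmp=$(mktemp)
write_sample_syslog_conf "$tmp"
check_syslog_conf "$tmp" || echo "fix the lines above, then: svcadm restart system-log"
rm -f "$tmp"
```

The check reports lines 4 and 6 of the sample and exits non-zero; a file whose active lines all carry a TAB passes cleanly, so the function can gate a configuration push.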

Log Rotation using logadm - Notes


which logadm
pkgchk -lP /usr/sbin/logadm - member of SUNWcsu
logadm is configured to run daily in root's crontab
crontab -l

/etc/logadm.conf - default configuration file
Note: don't memorize all parameters. Execute 'logadm -h'
Note: command-line directives override /etc/logadm.conf directives
Note: logadm preserves 10 backups of log files, named logname.0 through logname.9 (override with -C count)
Note: logadm supports the shell wildcards '*' and '?'

Zettabyte File System (ZFS) - Notes


Features:
1. 256 quadrillion zettabytes of capacity (Terabytes - Petabytes - Exabytes - Zettabytes (1024 Exabytes))
2. RAID-0/1 & RAID-Z (RAID-5 with enhancements) (2 virtual devices required)
3. Snapshots - read-only copies of file systems or volumes
4. Creates volumes
5. Uses storage pools to manage storage - aggregates virtual devices
6. File systems attached to pools grow dynamically as storage is added
7. File systems may span multiple physical disks
8. ZFS is transactional
9. Pools & file systems are auto-mounted. No need to maintain /etc/vfstab
10. Supports file system hierarchies: /pool1/{home(5GB),var(10GB),etc.}
11. Supports reservation of storage: /pool1/{home(10GB),var}
12. Provides a secure web-based management tool - https://localhost:6789/zfs
###ZFS - CLI###
zpool list - lists known pools
zpool create pool_name (alphanumeric, _, -, :, .)
Pool Name Constraints (DO NOT USE THESE NAMES FOR YOUR POOL NAMES):
1. mirror
2. raidz
zpool create pool_name device_name1 device_name2 device_name3 ... (space-separated, no commas)
zpool create pool1 c0t1d0 (or /dev/dsk/c0t1d0)
ZFS Pool Statuses:
1. ONLINE
2. DEGRADED
3. FAULTED
4. OFFLINE
5. UNAVAILABLE

zfs list - returns ZFS dataset info
zfs mount - returns pools and mount points
zpool status - returns the virtual devices that constitute the pools
Note: ZFS requires a minimum 128MB virtual device to create a pool
zpool destroy pool1 - destroys the pool and its associated file systems
###Create file systems within pool1###
zfs create pool1/home - creates a file system named 'home' in pool1
Note: by default 'zfs create pool1/home' sets no quota, so 'pool1/home' may consume all storage available to 'pool1' (shared with every other dataset in the pool)
###Set quota on existing file system###

zfs set quota=10G pool1/home
###Create user-based file system beneath pool1/home###
zfs create pool1/home/unixcbt
Note: ZFS datasets inherit properties from the immediate ancestor
zfs get -r compression pool1 - returns the compression property for the file systems associated with 'pool1'
###Rename File System###
zfs rename pool1/home/unixcbt pool1/home/unixcbt2
###Extending pool storage dynamically###
zpool add pool1 c0t2d0
Note: zpool add appends a new top-level virtual device; adding a single disk to a mirrored pool adds a non-redundant device on which the whole pool then depends, so add a 'mirror' pair instead
###ZFS Redundancy/Replication###
1. Mirroring - RAID-1
2. RAID-5 - RAID-Z
Virtual Devices:
1. c0t1d0 - 36GB
2. c0t2d0 - 36GB
Note: Redundancy/Replication is associated directly with the pool
zpool create poolmirror1 mirror c0t1d0 c0t2d0
###ZFS Snapshots###
Features:
1. Read-only copies of volumes or file systems
2. Use no additional space, initially
zfs list -t snapshot - returns available snapshots

Solaris Zones - Notes


Features:
1. Virtualization - OS-level, compare VMware
2. Solaris Zones can host only instances of Solaris, not other OSs
3. Limit of 8192 zones per Solaris host
4. The primary zone (global) has access to ALL zones
5. Non-global zones do NOT have access to other non-global zones
6. By default non-global zones derive packages from the global zone
7. Program isolation - zone1 (Apache), zone2 (MySQL)
8. Provides 'z' commands to manage zones: zlogin, zonename, zoneadm, zonecfg
###Features of GLOBAL zone###
1. Solaris ALWAYS boots (cold/warm) to the global zone
2. Knows about ALL hardware devices attached to the system
3. Knows about ALL non-global zones
###Features of NON-GLOBAL zones###
1. Installed at a location on the file system of the GLOBAL zone, the 'zone root path': /export/home/zones/{zone1,zone2,zone3,...}
2. Share packages with the GLOBAL zone

3. Manage distinct hostname and tables files
4. Cannot communicate with other non-global zones by default; a network interface must be used, i.e. they talk over the standard network API (TCP/IP) as separate hosts would
5. The GLOBAL zone admin can delegate non-global zone administration
###Zone Configuration###
Use: zonecfg - to configure zones
Note: zonecfg can be run in interactive, non-interactive and command-file modes
Requirements for non-global zones:
1. hostname
2. zone root path, i.e. /export/home/zones/testzone1
3. IP address - bound to a logical or physical interface
Zone Types:
1. Sparse Root Zones - share key files with the global zone
2. Whole Root Zones - require more storage
Steps for configuring a non-global zone:
1. mkdir /export/home/zones/testzone1 && chmod 700 /export/home/zones/testzone1
2. zonecfg -z testzone1
3. create
4. set zonepath=/export/home/zones/testzone1 - sets the root of the zone
5. add net ; set address=192.168.1.60
6. set physical=e1000g0 ; end - 'end' closes the net resource
7. (optional) set autoboot=true - testzone1 will be started when the system boots
8. (optional) add attr ; set name=comment; set type=string; set value="TestZone1" ; end
9. verify - checks the zone configuration for errors
10. commit - commits the changes
11. Zone Installation - zoneadm -z testzone1 install - places zone 'testzone1' into the 'installed' state. NOT ready for production
12. zoneadm -z testzone1 boot - boots the zone, changing its state
Note: zoneadm requires the zonepath to be mode 700 and owned by root, hence the chmod in step 1
###zlogin - is used to login to zones###
Note: each non-global zone maintains a console. Use 'zlogin -C zonename' after installing the zone to complete the zone configuration
Note: zlogin permits login to a non-global zone via the following:
1. Interactive - i.e. zlogin -l username zonename
2. Non-interactive - zlogin options command
3. Console mode - zlogin -C zonename
4. Safe mode - zlogin -S zonename
zoneadm -z testzone1 reboot - reboots the zone
zlogin testzone1 shutdown
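Steps 3 through 10 above are typed interactively; the same steps can be fed to zonecfg in command-file mode ('zonecfg -z zonename -f file'), which is how a zone build is made repeatable. The following is an added example (not from the original notes) that generates such a command file from the parameters the notes require, refusing a relative zonepath or a malformed IPv4 address before anything reaches zonecfg. The zone name, path, address and interface below are the ones used in the notes; zonecfg itself is not invoked, so the generator runs on any host.

```shell
#!/bin/sh
# Added example, not from the original notes: emit a zonecfg command file for a
# non-global zone from validated inputs. Usage:
#   zone_cmdfile NAME ZONEPATH IPV4 NIC [autoboot] > /tmp/NAME.cfg
#   zonecfg -z NAME -f /tmp/NAME.cfg        # on the Solaris global zone

# valid_ipv4 ADDR - dotted quad with each octet in 0..255
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# zone_cmdfile NAME ZONEPATH IPV4 NIC [autoboot] - prints the zonecfg commands;
# note the 'end' after each resource, which closes the net/attr scope
zone_cmdfile() {
    name=$1 zpath=$2 ip=$3 nic=$4 autoboot=${5:-false}
    case "$zpath" in
        /*) ;;
        *) echo "zonepath must be absolute: $zpath" >&2; return 1 ;;
    esac
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    case "$autoboot" in
        true|false) ;;
        *) echo "autoboot must be true or false: $autoboot" >&2; return 1 ;;
    esac
    cat <<EOF
create
set zonepath=$zpath
set autoboot=$autoboot
add net
set address=$ip
set physical=$nic
end
add attr
set name=comment
set type=string
set value="$name"
end
verify
commit
EOF
}

# Generate the file for the zone described in the notes (output only; no zonecfg call)
zone_cmdfile testzone1 /export/home/zones/testzone1 192.168.1.60 e1000g0
```

Before running the generated file, create the zonepath with mode 700 as in step 1; zoneadm refuses a zone root that is more permissive than that.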