
THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY.

COPYING eKIT MATERIALS FROM THIS COMPUTER IS STRICTLY PROHIBITED

D74866
Edition 1.1
D73488GC11

November 2011
Student Guide
Transition to Oracle Solaris 11

Oracle University and Knowledge Transfer Centre use only



Author
Dave Giroux

Technical Contributors and Reviewers
Alta Elstad
Glenn Faden
Glynn Foster
Dave Miner
John Powell
Gary Riseborough
Bart Smaalders

Editors
Aju Kumar
Raj Kumar

Graphic Designer
Seema M. Bopaiah

Publishers
Nita Brozowski
Jobi Varghese

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Disclaimer
This document contains proprietary information and is protected by copyright and
other intellectual property laws. You may copy and print this document solely for your
own use in an Oracle training course. The document may not be modified or altered
in any way. Except where your use constitutes "fair use" under copyright law, you
may not use, share, download, upload, copy, print, display, perform, reproduce,
publish, license, post, transmit, or distribute this document in whole or in part without
the express authorization of Oracle.

The information contained in this document is subject to change without notice. If you
find any problems in the document, please report them in writing to: Oracle University,
500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
warranted to be error-free.

Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using
the documentation on behalf of the United States Government, the following notice is
applicable:

U.S. GOVERNMENT RIGHTS
The U.S. Government’s rights to use, modify, reproduce, release, perform, display, or
disclose these training materials are restricted by the terms of the applicable Oracle
license agreement and/or the applicable U.S. Government contract.

Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names
may be trademarks of their respective owners.

Contents

1 Introduction
Overview
Course Goals
Agenda
Practices
Introductions
Your Learning Center

2 Introducing the Oracle Solaris 11 New Features and Enhancements
Objectives
Agenda
Oracle Solaris 11 New Features and Enhancements
Oracle Solaris 11 Features and Enhancements
Image Packaging System (IPS)
Operating System Installation
Oracle Solaris 11 Zones
Networking Features and Enhancements
Storage Enhancements
User Environment Enhancements
System Security Enhancements
Lesson Agenda
Comparing Key Features: Then and Now
Lesson Agenda
Transitioning Strategy
Summary

3 Managing Software Packages in Oracle Solaris 11
Objectives
Agenda
What Is IPS?
Planning for IPS
IPS Components
Agenda
Local Package Repository
Creating a Local Repository
Configuring the IPS Clients
Configuring a Repository Mirror
Practices 3-1 and 3-2: Overview
Agenda
Package Management: pkg(1)
pkg Command Examples: search and info
pkg Command Examples: install
pkg Command Examples: list, verify, and contents
pkg Command Examples: uninstall
Package Manager
Managing Packages by Using a Web Browser
Update Manager
Practices 3-3 and 3-4: Overview
Agenda
Publishing a Package in IPS
Practice 3-5: Overview
Agenda
Boot Environment (BE)
The beadm Utility
beadm Command Examples: list
beadm Command Examples: create
beadm Command Examples: activate, rename, and destroy
beadm Command Examples: mount and unmount
Package Manager BE Features
Quiz
Summary
Practice 3-6: Overview

4 Installing the Oracle Solaris 11 Operating System
Objectives
Agenda
Oracle Solaris 11 Installation Options
Oracle Solaris 11 System Requirements
Agenda
Oracle Solaris 11 Text Installer
Oracle Solaris 11 Text Installation: Disks
Oracle Solaris 11 Text Installation: Network
Oracle Solaris 11 Text Install: Users
Oracle Solaris 11 LiveCD
Oracle Solaris 11 LiveCD: Device Driver Utility
Oracle Solaris 11 LiveCD: Partition Editor
Oracle Solaris 11 LiveCD Installer: Disk
Oracle Solaris 11 LiveCD Installer: Time Zone
Oracle Solaris 11 LiveCD Installer: Users
Practices 4-1 and 4-2: Overview
SMF-Based System and Network Configuration
Configuring an Oracle Solaris 11 Image
Agenda
Oracle Solaris 11 Automated Installation
How Automated Installation Works
AI Environmental Requirements
IPS Case: Using Default Manifest
IPS Case: Using Custom Manifest
IPS Case: Using an SC Profile
IPS Case: Multiple AI Services
Configuring the AI Server
Setting Up the AI Server
AI Manifests
The default.xml File
The Criteria Manifest
Criteria Manifest: Examples
System Configuration Profiles
SC Profile: Example
Administering the AI SMF Service
AI Server Configuration Walkthrough
Agenda
Comparing JumpStart to AI
Comparing Rules Keywords and Criteria Directives
Converting a JumpStart Profile to an AI Manifest
Agenda
Distribution Constructor
Distribution Constructor Manifest Files
Building an OS Image
Quiz
Summary
Practices 4-3, 4-4, and 4-5: Overview

5 Administering Oracle Solaris 11 Zones
Objectives
Agenda
Oracle Solaris 11 Zones
New Zones Features
Agenda
Oracle Solaris 10 Zones
Migrating Solaris 10 Zones (V2V)
Migrating Solaris 10 Global Zones (P2V)
Agenda
Configuring Non-Global Zones by Using the Automated Installer (AI)
Specifying a Non-Global Zone in the AI Manifest
Non-Global Zone Configuration Files
Adding a Non-Global Zone Manifest and Profile
Agenda
Delegating Zone Administration
Monitoring Zone Resource Consumption
Monitoring Zone Memory Consumption
Monitoring Zone CPU Consumption
Total and High Zone Resource Consumption
Quiz
Summary
Practice 5 Overview: Migrating Oracle Solaris 10 Zones to Oracle Solaris 11
Practice Environment

6 Oracle Solaris 11 Network Enhancements
Objectives
Agenda
Introducing Oracle Solaris 11 Network Enhancements
Agenda
Network Auto-Magic (NWAM)
How NWAM Works
Interaction with Other Oracle Solaris Technologies
The netcfg Command
The netadm Command
Configuring NWAM
Practice 6-1: Overview
Agenda
The ipadm Utility
dladm Enhancements
Practice 6-2: Overview
Agenda
Transitioning to Virtual Networking
Virtual Network Components
Building a Simple Virtual Network
Configuring a Private Virtual Network
Accessing a Virtual Network Configuration
Bandwidth Management
Managing Bandwidth
Practice 6-3: Overview
Agenda
IP Multipathing (IPMP)
IPMP Configurations
How IPMP Works: Active-Active
How IPMP Works: Active-Standby
Configuring IPMP: Active-Active
Configuring IPMP: Active-Standby
Monitoring IPMP
Practice 6-4: Overview
Agenda
Network Bridging
Configuring a Network Bridge
Practices 6-5 and 6-6: Overview
Agenda
The wireshark Utility
The dlstat Utility
dlstat: Examples
The flowstat Utility
flowstat Examples
Quiz
Summary
Practice 6-7: Overview

7 Oracle Solaris 11 Storage Enhancements
Objectives
Agenda
Introducing Oracle Solaris 11 Storage Enhancements
Agenda
ZFS Shadow Data Migration
Shadow Migration Considerations
Configuring ZFS Shadow Data Migration
Agenda
Splitting a Mirrored ZFS Storage Pool
Splitting a ZFS Mirrored Pool: Example
Agenda
Identifying ZFS Snapshot Differences
Identifying ZFS Snapshot Differences: Example
Agenda
ZFS Deduplication
ZFS Deduplication Properties
ZFS Deduplication: Example
Agenda
Common Multiprotocol SCSI Target (COMSTAR)
COMSTAR Benefits and Limitations
Configuring COMSTAR
Quiz
Summary
Practice 7 Overview: Oracle Solaris 11 Storage Enhancements

8 Oracle Solaris 11 Security Enhancements
Objectives
Agenda
Oracle Solaris 11 Security Enhancements
Agenda
Oracle Solaris Cryptographic Framework
Administrative Command: Examples
User Command: Examples
Agenda
ZFS Dataset Encryption
ZFS Pool Encryption: Example
ZFS File System Encryption: Example
Agenda
Read-Only (Immutable) Zones
The file-mac-profile Property
Administering Read-Only Zones
Agenda
Basic Audit Reporting Tool (BART)
BART: Example
Quiz
Summary
Practice 8 Overview: Oracle Solaris 11 Security Enhancements

Introduction


Overview

• Course goals
• Agenda
• Practices
• Introductions
• Your learning center


Welcome to the Transition to Oracle Solaris 11 course. This is an advanced course that builds
on Oracle Solaris 10 system administration courses. It is focused on the skills and knowledge
required for transitioning from the Oracle Solaris 10 operating environment to the Oracle
Solaris 11 operating environment.
This course highlights the new features delivered with Oracle Solaris 11, including the
Automated Installer (AI), the Image Packaging System (IPS), and network virtualization.
Throughout the course, you learn how to transition to the Oracle Solaris 11 operating
environment by performing a series of guided hands-on practices that walk you through the
critical tasks associated with operating system migration activities. These practices include
case studies that illustrate best practices when transitioning from Oracle Solaris 10 to Oracle
Solaris 11.
This course does not address system administration tasks currently supported in Oracle
Solaris 10 (or other) operating systems. Rather, it focuses on the new and enhanced features
found in the Oracle Solaris 11 operating system. It is assumed that you already have the skills
and knowledge necessary for administering Oracle Solaris 10.


Course Goals

The goals of this course are to:


• Familiarize you with the Oracle Solaris 11 new features
and enhancements:
– Image Packaging System (IPS)
– Automated Installer (AI)
– Oracle Solaris containers
– Network virtualization
– Security
• Provide you with the skills necessary for a successful
transition from Oracle Solaris 10 to Oracle Solaris 11


Goals
Transitioning to a new operating system can be a very daunting task. It involves working with
a wide range of complex technologies and procedures, many of which are new to the
personnel participating in the project.


Agenda

Day 1
• Lesson 1: Introduction
• Lesson 2: Introducing the Oracle Solaris 11 New Features and
Enhancements
• Lesson 3: Managing Software Packages in Oracle Solaris 11
Day 2
• Lesson 3: Managing Software Packages in Oracle Solaris 11
• Lesson 4: Installing the Oracle Solaris 11 OS
Day 3
• Lesson 5: Administering Oracle Solaris 11 Containers
• Lesson 6: Oracle Solaris 11 Networking Enhancements
Day 4
• Lesson 6: Oracle Solaris 11 Networking Enhancements
Day 5
• Lesson 7: Oracle Solaris 11 Storage Enhancements
• Lesson 8: Oracle Solaris 11 Security Enhancements


Practices

• Practices are run in a virtual environment.
• Practice exercises reinforce critical Solaris 11 OS features.
• Each practice contains guided, step-by-step exercises.
• Exercises are based on best practices.

Starting with the lesson titled “Managing Software Packages in Oracle Solaris 11,” each
lesson in this course has an associated practice. Within each practice, you are provided with
a virtual environment that contains all the resources needed to install the Oracle Solaris 11
operating system and configure the new features and enhancements.


Introductions

• Name
• Company affiliation
• Title, function, and job responsibility
• Experience related to topics in this course
• Reasons for enrolling in this course
• Expectations from this course


Your Learning Center

• Logistics
– Restrooms
– Break rooms and designated smoking areas
– Local cafeterias and restaurants
• Emergency evacuation procedures
• Instructor contact information
• Cell phone usage
• Online course attendance confirmation form


Introducing the Oracle Solaris 11
New Features and Enhancements

Objectives
After completing this lesson, you should be able to:
• Describe the Oracle Solaris 11 operating system
• List new features and enhancements of Oracle Solaris 11
• Describe the new operating system installation features
• Describe the new software updating features
• Describe the new Oracle Solaris zone features
• Describe the new networking features and enhancements
• Describe the new storage enhancements
• Describe the new user environment enhancements
• Describe the new system security enhancements
• Compare the features of Oracle Solaris 10 and Oracle
Solaris 11
• Describe a strategy for transitioning from Oracle Solaris 10
to Oracle Solaris 11

This lesson introduces you to the new features and enhancements found in the Oracle Solaris
11 operating system. The lesson begins with a description of Oracle Solaris 11 and continues
with a high-level description of each new feature and enhancement.
Next, the lesson provides a comparison of the features found in Oracle Solaris 10 with those
of Oracle Solaris 11. This is followed by a description of a strategy for transitioning from
Oracle Solaris 10 to Oracle Solaris 11.


Agenda

• Oracle Solaris 11 new features and enhancements
• Features comparison
• Strategy for transitioning to Oracle Solaris 11

Oracle Solaris 11 New Features and Enhancements

Oracle Solaris 11:
• Builds on the proven technologies of Oracle Solaris 10
• Provides access to the latest Oracle Solaris 11 technology
• Has been tested and optimized for Oracle hardware and
software
• Offers state-of-the-art reliability, availability, and
serviceability
• Is an integrated component of Oracle's Exadata and
Exalogic systems

Oracle Solaris is the industry-leading operating system for the enterprise. Oracle Solaris 11
raises the bar for the innovation introduced in Oracle Solaris 10 with a unique feature set that
few other operating systems can offer. Oracle Solaris 11 has been tested and optimized for
Oracle hardware and software and is an integral part of Oracle’s combined hardware and
software portfolio.
Oracle Solaris 11 provides customers with the latest access to Oracle Solaris 11 technology,
allowing developers, architects, and administrators to test and deploy applications within large
data centers, which greatly simplifies their day-to-day operations. Oracle Solaris 11 is
characterized by the reliability, availability, and serviceability that you expect from a leading
enterprise operating system.
Oracle Solaris 11 provides new optimizations and features designed to deliver proven
scalability and reliability as an integrated component of Oracle’s Exadata and Exalogic
systems.


Oracle Solaris 11 Features and Enhancements

• New operating system installation features
• New software packages updating feature
• Oracle Solaris 10 zone features
• New networking features and enhancements
• Storage enhancements
• User environment enhancements
• System security enhancements

Oracle Solaris 11 introduces a new, modern software installation architecture, offering a
number of installation choices. This includes a completely hands-free automated network
installation experience, a graphical LiveCD installer, and an interactive text-based installation
for systems without a graphical display.
Oracle Solaris 11 introduces the Image Packaging System (IPS). IPS is the next-generation
packaging system that provides safe system updates and upgrades.
Oracle Solaris 11 enhances its virtualization solution with Oracle Solaris 10 zones (also
known as solaris10 branded zones). Oracle Solaris 10 zones provide a seamless method
for migrating to Oracle Solaris 11. Additional features such as delegated zone administration,
boot environment (BE) for zones, and enhanced zone monitoring are also included.
Oracle Solaris 11 brings significant enhancements to networking. Features such as virtual
networks, Network Auto-Magic (NWAM), and improved IP multipathing (IPMP) provide
enhanced security, availability, and management.


Oracle Solaris 11 expands support for Oracle Solaris 10 storage technologies. The ZFS file
system includes a number of enhancements, including ZFS as the root file system,
deduplication, and ZFS snapshot differences. Additional enhancements include Common
Multiprotocol SCSI Target (COMSTAR) technology and Common Internet File System (CIFS)
support for seamless file sharing with Windows environments.
Oracle Solaris 11 includes GNOME 2.30, an intuitive, easy-to-use desktop environment, and
the Firefox 3.6.10 web browser, among a variety of other software included in the network
package repository. GNU (not UNIX) commands and a default bash shell environment are
also available.
Oracle Solaris 11 continues to optimize security controls. This release supplies a number of
security-related enhancements: root as a role, encrypted ZFS datasets, Trusted Platform
Module (TPM) support, and enhancements to Oracle Solaris Trusted Extensions.


Image Packaging System (IPS)

• Completely redesigned software packaging system
• Comprehensive delivery framework for software life cycle:
– Software installation
– Software updates
– Operating system upgrades
– Removal of software packages
• Intelligent package management

Oracle Solaris 11 provides a completely redesigned software packaging model: the Image
Packaging System (IPS). IPS is a comprehensive delivery framework that spans the complete
software life cycle, addressing software installation, updates, operating system upgrades, and
the removal of software packages.
In contrast to the SVR4 packaging model used in earlier Oracle Solaris releases, IPS
eliminates the need for patching. Relying on the use of network repositories of software
packages, IPS dramatically changes how an administrator updates system and application
software. IPS packages can be installed into nonglobal zones in addition to the global zone.


Operating System Installation

• Unattended installation
– Oracle Solaris 11 Automated Installer (AI)
— Network installation
— Installation manifest
— Client profiles
• Interactive installation
– Oracle Solaris 11 LiveCD installation
— Suited for desktops and notebooks
— GUI interface
– Interactive text install
— Suited for server deployments
— Text-based interface

Oracle Solaris 11 offers a number of installation options:
• Unattended installation: An improved “hands-off” automated installation process that
goes beyond Oracle Solaris JumpStart functionality in Oracle Solaris 10 and earlier
releases
• Interactive installation: Interactive installation using a text-based user interface
(because most servers use a text-based console for installation), and interactive
installation for x86 desktop and notebook systems using the Oracle Solaris 11 LiveCD
for x86


Oracle Solaris 11 Zones

• Support for Oracle Solaris 10 Zones
• New boot environment for zones
• Zone resource monitoring
• Delegated administration

Oracle Solaris 11 includes significant enhancements to zone administration and monitoring,
helping administrators more efficiently manage consolidated and virtualized workloads.
For users running applications either in zones or on bare metal on Oracle Solaris 10 systems,
virtual-to-virtual (v2v) and physical-to-virtual (p2v) tools are provided to help this transition to
an Oracle Solaris 10 zone running in Oracle Solaris 11. An Oracle Solaris 10 zone can have a
shared IP stack with the global zone or an exclusive IP stack. Oracle Solaris 10 Zones
provide a proven and fully supported option for quick adoption of Oracle Solaris 11, allowing
administrators to benefit immediately from all the new features available while providing an
easy application migration path.
Another enhancement to zone technology is that the distinction in Oracle Solaris 10 between
whole root and sparse root is irrelevant. In Oracle Solaris 10, sparse root zones conserve disk
space and permit fast zone creation by sharing a single instance of key file systems among
multiple zones. In Oracle Solaris 11, the root file system is ZFS and zone creation leverages
ZFS clones for similar space and time savings. When a new boot environment is created by
cloning an existing one, the base boot environment’s zones are also cloned into the new boot
environment. As a result, you no longer have to choose between different zone types.


Oracle Solaris 11 greatly enhances your ability to monitor zone resource consumption with
the introduction of zonestat. With zonestat, you can observe memory and CPU
utilization, utilization of resource control limits, total utilization, and per-zone utilization
breakdowns over specified time periods.
With Oracle Solaris 11, you can delegate specific zone administration tasks to different
administrators using Role-Based Access Control (RBAC). With delegated administration
standard, users are identified with the permissions to log in, manage, or clone that zone.


Networking Features and Enhancements

• Network virtualization
• Network Auto-Magic (NWAM)
• Improved IP multipathing (IPMP)
• New sockets architecture
• Load balancing
• Bridging and tunneling
• The ipadm command

Oracle Solaris 11 introduces built-in network virtualization and resource management,
providing more effective sharing of network resources and enhancing the ability to consolidate
server workloads.
In Oracle Solaris 11, Network Auto-Magic (NWAM) automates network configuration and
connection. NWAM enables users to automatically discover and connect to networks
depending on their network conditions and profiles. NWAM is the default network
configuration behavior on all installations of Oracle Solaris 11.
In Oracle Solaris 11, IP multipathing (IPMP) has been redesigned to enhance the
administrative model and improve monitoring. An IPMP group (which has a set of associated
IP addresses that are dynamically bound to a set of underlying physical interfaces) is
represented by an IPMP interface. All IP administrative tasks take effect on the IPMP group
simply by referencing the IPMP interface. The new ipmpstat utility provides visibility to the
IPMP subsystem.


Network sockets implementation has been improved and no longer uses the STREAMS
module. This not only means performance improvements but also a new, simplified developer
interface for adding new socket types. The architecture also keeps an eye on network traffic
volume, allowing it to shift from interrupt driven to polling mode, which is much more efficient
when dealing with high network traffic volumes.
Oracle Solaris 11 includes an integrated L3/L4 load balancer. This addition includes stateless
Direct Server Return (DSR) and Network Address Translation (NAT) operation modes on a
variety of load-balancing algorithms, and a command-line and configuration API to configure
various features as well as view statistics and other configuration details.
Ethernet bridging is supported in Oracle Solaris 11 with the addition of the Spanning Tree and
Transport Interconnect of Lots of Links (TRILL) protocols. Also, IP tunneling functionality has
been reimplemented, delivering a generic LAN driver (iptun) that implements IP tunnel links
on which IP interfaces can be plumbed and managed using the dladm utility.
In addition to the important network features, Oracle Solaris 11 introduces the ipadm
command. The ipadm command provides a set of subcommands that can be used to
manage interfaces, addresses, and TCP/IP protocol properties. Over time, the ipadm
command will replace traditional network management commands such as ifconfig.


Storage Enhancements

• ZFS enhancements
– Default file system
– Deduplication
– ZFS snapshot differences (zfs diff)
– ZFS shadow migration
• COMSTAR
• CIFS support

ZFS is the default root file system in Oracle Solaris 11. UFS is still available for nonroot file
systems. Oracle Solaris 11 has added ZFS deduplication, which detects and removes
redundant data from ZFS file systems. If a ZFS file system has the dedup property enabled,
duplicate data blocks are removed synchronously. As a result, the file system stores only
unique data. Support for listing the differences between ZFS snapshots (zfs diff) has
been added with Oracle Solaris 11. Also, now you can use the shadow migration feature to
migrate data from an old file system to a new one while simultaneously allowing access and
modification of the new file system during the migration process.
COMSTAR (Common Multiprotocol SCSI Target) technology, introduced in Oracle Solaris 11,
allows network file sharing, similar to NFS and CIFS, but for raw block-device access via
iSCSI or SAN. This technology enables any Oracle Solaris 11 host to become a SCSI target,
allowing it to be accessed over a storage network by a variety of initiator hosts. COMSTAR
supplies a software framework that makes it possible for all SCSI device types to connect to a
transport protocol and provide network device access. In this way, virtual machines can share
image files or access to a database.


Oracle Solaris 11 provides in-kernel CIFS support for seamless file sharing with Windows
environments. The CIFS service also includes new features, such as host-based access
control (allowing a CIFS server to restrict access to specific clients according to IP
addresses), access control lists (ACLs) on shares, and client-side caching of offline files with
synchronization on reconnect.


User Environment Enhancements

• Enhanced desktop environment
• Time Slider snapshot management
• Command-line familiarity
• CUPS printing

For desktop users, Oracle Solaris 11 offers a state-of-the-art GNOME desktop. The desktop
includes the innovative Time Slider tool. Integrated with the File Browser, Time Slider
supports file and directory recovery, which is made possible through native snapshot and
clone capabilities in ZFS. A user can click in Time Slider to snapshot a home directory and
later revert to it if necessary.
There are other changes in Oracle Solaris 11 that affect the user experience. The default user
path places /usr/gnu/bin before /usr/bin, giving users a familiar GNU-like environment
by default. The bash shell is now the default interactive shell, and ksh93 replaces ksh as the
default system shell.
The Common UNIX Printing System (CUPS) has been selected as the default print service on
Oracle Solaris 11, replacing the LP print service. CUPS support includes a web and graphical
interface to manage your printing environment. A system that is running CUPS becomes a
host that can accept print requests from client systems, process those requests, and then
send them to the appropriate printer.


System Security Enhancements

• Secure by default
• Root treated as a role
• Robust data encryption
• Driver support for Trusted Platform Module (TPM)
• Trusted Extensions enhancements

Oracle Solaris 11 provides a fully secure-by-default environment. With automatic secure by
default, network services are disabled by default, or set to listen for local system
communications only.
In Oracle Solaris 11, root is treated as a role rather than a user. During system installation, an
initial user is defined. After an initial user login, a user with the appropriate privileges can
subsequently assume the role of root by using su or by performing administrative tasks after
authentication using sudo or pfexec. pfexec is a new feature that allows you to assign
a rights profile or more roles directly to a user account.
Oracle Solaris 11 supports a robust mechanism for your data protection by implementing on-disk
encryption/decryption support and key management for ZFS datasets. In the event of
theft or in the case of untrusted paths to networked storage, encrypted ZFS datasets can help
to safeguard data and prevent unauthorized access. The kernel implements raw
encryption/decryption functions that are applied to all data and file system metadata.
Oracle Solaris 11 includes driver support for Trusted Platform Module (TPM) hardware. TPM
devices are often embedded in systems to securely store certificates or encryption keys that
help to perform platform authentication and/or attestation. Attestation is a process that
determines whether a server is trustworthy and has not been breached.


Oracle Solaris 11 enhances Oracle Solaris Trusted Extensions by introducing labeled IPsec
and labeled ZFS datasets. Additionally, Trusted Extensions now enables per-label and per-
user credentials, allowing administrators to require a unique password for each label. This
password is in addition to the session login password, thus allowing administrators to set a
per-zone encryption key for each label of every user’s home directory.


Lesson Agenda

• Oracle Solaris 11 new features and enhancements
• Features comparison
• Strategy for transitioning to Oracle Solaris 11

Comparing Key Features: Then and Now

Feature | Oracle Solaris 10 | Oracle Solaris 11
Packaging model | SVR4 packaging | Image Packaging System (IPS)
Maintaining system software | SVR4 Patching | Image Packaging System (IPS)
OS installation | Interactive: Install DVD; Automated: Oracle Solaris JumpStart | Interactive: Install CD and package repositories; Automated: Automated Installer and package repositories
Building a customized distribution image | Blueprints for custom DVDs | Distribution Constructor to create ISO and virtual machine images
Virtual Networking | N/A | Network virtualization and resource management
User environment | Ksh and SVR4 commands | Bash, GNU, and SVR4 commands

This table shows the major changes made to some of the key features of Oracle Solaris 10 in
Oracle Solaris 11.


Lesson Agenda

• Oracle Solaris 11 new features and enhancements
• Features comparison
• Strategy for transitioning to Oracle Solaris 11

Transitioning Strategy

• A sound understanding of the key features for Oracle Solaris 10 is critical.
• Solaris is binary compatible across hardware architectures.
• Source code is compatible across different machine architectures.
• Migration path for ZFS and UFS file systems
• Multiple migration paths for transitioning applications:
– Applications can run directly on Oracle Solaris 11.
– Applications can run in Oracle Solaris 10 zones.

Administrators can prepare for transitioning to Solaris 11 by having a sound understanding of
the key features in Oracle Solaris 10, including Oracle Solaris Zones and ZFS (especially to
support root file systems). Oracle Solaris 11 builds upon these features, so having a solid
working knowledge of them can help to prepare for a transition.
Oracle continues the Solaris commitment to binary compatibility across hardware
architectures. This simplifies migrations between major Oracle Solaris releases and allows
applications to take advantage of performance gains from Oracle’s newest SPARC and x86
hardware systems. Oracle guarantees source code compatibility across different machine
architectures, allowing software providers to simply recompile applications across hardware
architectures.
Oracle Solaris 11 supports a migration path for ZFS and UFS file systems using the ZFS
shadow migration feature. You can migrate data from an old file system to a new file system
while simultaneously allowing access and modification of the new file system during the
migration process.
Oracle offers multiple migration paths for transitioning applications to Oracle Solaris 11.
Applications can run directly on Oracle Solaris 11 in global or nonglobal zones. The release
also supports Oracle Solaris 10 zones hosted within an Oracle Solaris 11 global zone. Just as
Oracle Solaris 8 and 9 branded zones helped to transition applications to Oracle Solaris 10,
Oracle Solaris 10 branded zones in Oracle Solaris 11 enable a more gradual, step-by-step
approach to an OS migration.

Summary

In this lesson, you should have learned how to:


• Identify the new Oracle Solaris 11 features and enhancements
• Identify the key differences between Oracle Solaris 10 and the Oracle Solaris 11 features
• Strategically prepare to transition to Oracle Solaris 11


Managing Software Packages in Oracle Solaris 11

Objectives

After completing this lesson, you should be able to:


• Describe the Image Packaging System (IPS)
• Plan for moving to IPS
• Configure a local package repository
• Configure network client systems to use IPS
• Search for software packages by using IPS
• Install software packages by using IPS
• Remove software packages by using IPS
• Update the OS image by using IPS
• Publish a software package by using IPS
• Manage boot environments

This lesson introduces you to the new Oracle Solaris 11 software packaging feature: Image
Packaging System (IPS). The lesson begins with a description of IPS and later compares IPS
to package management in the Oracle Solaris 10 operating system.
Next, the lesson shows you how to configure and work with the IPS features. This is followed
by a description of the method of publishing your own packages in IPS and creating IPS
images.


Agenda

• Introducing the Image Packaging System (IPS)
• Configuring a local IPS repository
• Managing software packages by using IPS
• Publishing a software package in IPS
• Managing boot environments

What Is IPS?


The Image Packaging System (IPS) is a framework that provides for software lifecycle
management, such as installation, upgrade, and removal of packages. IPS also allows users
to create their own software packages, create and manage package repositories, and copy
and mirror existing package repositories. An image is a bootable instance of the Oracle
Solaris 11 operating system.
With IPS, you can perform the following tasks:
• Create and manage images.
• Search the IPS packages on your system and in IPS repositories.
• Copy, mirror, create, and administer package repositories.
• Create and publish IPS packages to a package repository.
• Republish the content of an existing package in a package repository.


Planning for IPS

• Oracle Solaris 11 2010_11 or later
• SPARC and x86 architectures
• Web-based or local package repository
• Repository mirroring
• Client access to IPS server

To use IPS for software package management, you must be running the Oracle Solaris 11
2010_11 (or later) operating system. IPS is not compatible with Oracle Solaris 10 (or earlier)
operating systems. IPS is compatible with both SPARC (sun4v) and x86 (64-bit-based)
systems.
A key component of IPS is the package repository. A package repository is a location where
software packages are stored and from where packages are retrieved by client systems.
An important feature of IPS is that it enables users to mirror the package repository to another
server. IPS can retrieve content from mirrored servers. A mirror provides a complete copy of a
repository’s catalog of packages. Using a nearby mirror can speed up system updates,
distribution construction, zone creation, and other packaging-intensive operations.
Providing the appropriate network infrastructure that allows client systems to access the IPS
server is crucial to making the IPS package scheme work. Clients rely heavily on network
services, such as DNS, for finding their way to the package repository.


IPS Components

[Diagram labels: Original Repository, Mirror Repository, Server, Repository, Catalog, Package Payload, Client, CLI – pkg (1), Desktop – Package Manager, Web Browser]

IPS is made up of key components. Each component has a role to play. These components
include:
• Package: A package in IPS is a collection of actions defined by a set of key-value pairs
that represent metadata such as classification, descriptions, or other attributes such as
path and alias. The key-value pair could also represent a data payload. These actions
can represent items such as files found in a file system or installable objects, such as
drivers, services, groups, and users. Each IPS package is represented by a Fault
Management Resource Identifier (FMRI). FMRIs are used with the pkg (1) command
to indicate which packages to perform operations on.


• Fault Management Resource Identifier (FMRI): The FMRI includes descriptive
information about the package, such as the package name, version information, and
date. For example, the FMRI pkg://solaris/developer/apptrace@0.5.11,5.11-0.151.0.1:20101104T230706Z
consists of the following information:
- Scheme: pkg
- Publisher: solaris
- Category: developer
- Package Name: apptrace
- Component Version: 0.5.11
- Build Version: 5.11
- Branch Version: 0.151.0.1
- Timestamp (when the package was published): 20101104T230706Z
• Repository: A repository is a location where clients publish and retrieve packages. The
location is described by a uniform resource identifier (URI) such as
http://pkg.oracle.com/solaris/release. A repository is also called a depot server. A
repository contains packages from a single publisher (for example, Solaris). A publisher
can publish to multiple repositories. A repository has an origin and zero or more mirrors.
The repository origin is the location of a package repository that contains both package
metadata (package manifests and catalogs) and package content (package files). A
mirror is a location of a package repository that contains only package content.
• Catalog: A catalog consists of all the packages in an IPS package repository. The
packages in a catalog are associated with a specific publisher.
• Manifest: A manifest describes the components and attributes that make up a package.
• Mirror: A mirror provides a subset of the data that origins provide. Mirrors can be used
only for downloading package files. Package metadata is downloaded from the origin.
IPS clients access the origin to obtain a publisher's catalog, even when the clients
download package content from a mirror.
• Client package management utilities:
- pkg (1): A command-line command that can be used to create and manage
images, search package data, and perform software installation, upgrade, and
removal
- Package Manager: The Package Manager application provides a graphical user
interface (GUI) for IPS. It also provides a subset of the functionality offered by the
command-line commands provided with IPS.
- Web browser: A web browser can be used to search for and install software
packages from an IPS repository.
• Boot environment (not shown): A boot environment is a bootable instance of an
Oracle Solaris 11 operating system image plus any other application software packages
installed into that image. System administrators can maintain multiple boot
environments in their systems, and each boot environment can have different software
versions installed.
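
The FMRI layout described in the component list above, as an added example that is not part of the course material and not IPS's own parser: a POSIX shell function that splits an FMRI into the fields the guide names. It goes beyond the single FMRI quoted above by also accepting the shorter forms that appear in this guide's pkg search and pkg info output (no publisher, no build version, no timestamp); the names fmri_field and fullname and the accepted character set are assumptions.

```shell
#!/bin/sh
# Added example: split an IPS package FMRI into the fields the guide lists.
# Usage: fmri_field FMRI FIELD
# FIELD: scheme publisher category name fullname component build branch timestamp
# Absent optional parts print as an empty line; malformed input returns non-zero,
# so the result can be checked before it is passed on to another command.

_fmri_bad() {
    echo "fmri_field: malformed FMRI: $1" >&2
    exit 1
}

fmri_field() (
    fmri=$1
    want=$2

    # Scheme: only pkg FMRIs are handled.
    case $fmri in
        pkg:/*) rest=${fmri#pkg:} ;;
        *) _fmri_bad "$fmri" ;;
    esac

    # Publisher: follows "//"; it is omitted when the FMRI starts with "pkg:/".
    publisher=
    case $rest in
        //*/*) rest=${rest#//}
               publisher=${rest%%/*}
               rest=${rest#*/} ;;
        //*)   _fmri_bad "$fmri" ;;
        /*)    rest=${rest#/} ;;
    esac

    # Package name and version are separated by the first "@".
    case $rest in
        *@)  _fmri_bad "$fmri" ;;
        *@*) fullname=${rest%%@*}; version=${rest#*@} ;;
        *)   fullname=$rest; version= ;;
    esac
    case $fullname in
        ''|*[!A-Za-z0-9/_.+-]*) _fmri_bad "$fmri" ;;   # assumed name alphabet
    esac
    case $fullname in
        */*) category=${fullname%%/*}; name=${fullname##*/} ;;
        *)   category=; name=$fullname ;;
    esac

    # Version layout: component[,build][-branch][:timestamp]
    timestamp= branch= build=
    case $version in
        *:*) timestamp=${version##*:}; version=${version%:*} ;;
    esac
    case $version in
        *-*) branch=${version#*-}; version=${version%%-*} ;;
    esac
    case $version in
        *,*) build=${version#*,}; version=${version%%,*} ;;
    esac
    component=$version

    # Version parts are dotted numbers; the timestamp is YYYYMMDDTHHMMSSZ.
    case $component$build$branch in
        *[!0-9.]*) _fmri_bad "$fmri" ;;
    esac
    case $timestamp in
        ''|[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]T[0-9][0-9][0-9][0-9][0-9][0-9]Z) ;;
        *) _fmri_bad "$fmri" ;;
    esac

    case $want in
        scheme)    printf '%s\n' pkg ;;
        publisher) printf '%s\n' "$publisher" ;;
        category)  printf '%s\n' "$category" ;;
        name)      printf '%s\n' "$name" ;;
        fullname)  printf '%s\n' "$fullname" ;;
        component) printf '%s\n' "$component" ;;
        build)     printf '%s\n' "$build" ;;
        branch)    printf '%s\n' "$branch" ;;
        timestamp) printf '%s\n' "$timestamp" ;;
        *) echo "fmri_field: unknown field: $want" >&2; exit 2 ;;
    esac
)

# Demo on the FMRI quoted in the guide.
example='pkg://solaris/developer/apptrace@0.5.11,5.11-0.151.0.1:20101104T230706Z'
for f in scheme publisher category name component build branch timestamp; do
    printf '%-10s %s\n' "$f" "$(fmri_field "$example" "$f")"
done
```

The fullname field returns developer/apptrace, which is the form pkg info prints in its Name line, while category and name follow the guide's own breakdown.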


Agenda

• Introducing the Image Packaging System (IPS)
• Configuring a local IPS repository
• Managing software packages by using IPS
• Publishing a software package in IPS
• Managing boot environments

Local Package Repository

• Default package repository: http://pkg.oracle.com/solaris/release/
• Reasons for creating a local repository:
– Default repository not available to clients
– Performance
– Security
– Replication

IPS manages software in units of packages. An IPS package is a collection of directories,
files, links, drivers, dependencies, groups, users, and license information in a defined format.
This collection represents the installable objects of a package. Packages have attributes such
as package name and description. When you install or upgrade to the Oracle Solaris 11
release, the system initially has one publisher configured: the Solaris publisher. The default
publisher has the following repository origin: http://pkg.oracle.com/solaris/release/.
You can create your own local package repository. Having a local package repository is
necessary when your network clients do not have access to the web-based default repository.
Other reasons you might want to have a local copy of a package repository include:
• Performance: Having a local package repository allows clients access to packages at
local network speeds.
• Security: You might not want your client systems to have access to the Internet.
• Replication: You want to ensure that an installation that you perform next year is
exactly the same as the installation you perform today.


Creating a Local Repository

1. Obtain software packages:
– Download ISO image.
– Copy from the default package repository.
2. Create a ZFS file system for the repository.
3. Copy the packages to the repository.
4. Set the appropriate pkg.depotd properties.
5. Set the preferred publisher.
6. Refresh the repository catalog.

When you create a local repository, you must perform these steps:
1. Obtain software packages: When creating a local package repository, you must first
download the Oracle Solaris 11 repository image from:
http://www.oracle.com/technetwork/server-storage/solaris11/downloads/index.html
The repository image provides you with a complete archive of software packages to
allow you to set up a local network IPS repository that client systems can connect to.
The repository image is provided in two parts that must be concatenated. You use the
following command-line instructions to successfully create a full ISO image that can be
burned to a dual-layer DVD or directly mounted using the lofiadm command. You
download parts A and B of the repository ISO by clicking these links:
- Download Part A SPARC, x86 (2 GB)
- Download Part B SPARC, x86 (2 GB)


The following commands are used to concatenate parts A and B:


• $ unzip sol-11-exp-201011-repo-full-iso-a.zip
• $ unzip sol-11-exp-201011-repo-full-iso-b.zip
• $ cat sol-11-exp-201011-repo-full.iso-a sol-11-exp-201011-repo-full.iso-b > sol-11-exp-201011-repo-full.iso
Alternatively, you can copy the packages directory from the default image repository.
2. Create a ZFS file system for the repository: A good practice is to store the repository
in a separate ZFS file system with compression enabled.
3. Copy the packages to the repository: If you copy from an ISO image, use the rsync
command. If you copy directly from another repository, use the pkgrecv command.
Note that when copying from another repository, you should have already obtained a
key and certificate and installed them on your system.
4. Set the appropriate pkg.depotd properties: Make sure that the pkg/inst_root
and pkg/readonly properties are set appropriately.
5. Set the preferred publisher: The default preferred publisher for Oracle Solaris 11
systems is Solaris and the default origin for that publisher is
http://pkg.oracle.com/solaris/release. If you want your clients to get packages from your
local repository, you must reset the origin for the Solaris publisher as shown in the next
slide.
6. Refresh the repository catalog: Be sure to use the pkgrepo refresh command to
update the repository catalogs and any new packages found in the repository.
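
The six steps above put together as one script, added here as an example and not taken from the course material. The dataset name, the mount points, the ISO directory and the ISO's top-level repo directory are assumptions; by default the script only prints the commands (DRY_RUN=1) so the plan can be reviewed before it is run as root on the repository server.

```shell
#!/bin/sh
# Added example: the repository-creation steps in order.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes them and must be
# run as root on the Oracle Solaris 11 system that will serve the repository.

DRY_RUN=${DRY_RUN:-1}
ISO=${ISO:-/export/iso/sol-11-exp-201011-repo-full.iso}  # file name from the guide, directory assumed
DATASET=${DATASET:-rpool/export/repo}                     # assumed ZFS dataset name
REPO_FS=${REPO_FS:-/export/repo}                          # assumed mount point of that dataset
MNT=${MNT:-/mnt}                                          # assumed temporary mount point for the ISO
SERVER_URL=${SERVER_URL:-http://s11-serv1.mydomain.com/}  # host name from the guide's client slide

# run CMD ARGS...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

create_local_repo() {
    # Step 1: join parts A and B into one ISO image (uses a redirection, so it
    # is handled here instead of going through run).
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "cat ${ISO}-a ${ISO}-b > $ISO"
    else
        cat "${ISO}-a" "${ISO}-b" > "$ISO" || return 1
    fi

    # Step 2: a separate ZFS file system with compression enabled.
    run zfs create -o compression=on -o mountpoint="$REPO_FS" "$DATASET" || return 1

    # Step 3: attach the ISO as a lofi device, mount it and copy the packages.
    if [ "$DRY_RUN" = 1 ]; then
        lofi_dev=/dev/lofi/1          # placeholder; lofiadm prints the real device
        printf '%s\n' "lofiadm -a $ISO"
    else
        lofi_dev=$(lofiadm -a "$ISO") || return 1
    fi
    run mount -F hsfs "$lofi_dev" "$MNT" || return 1
    run rsync -a "$MNT/repo" "$REPO_FS" || return 1
    run umount "$MNT"
    run lofiadm -d "$lofi_dev"

    # Step 4: point pkg.depotd at the copy and serve it read-only.
    run svccfg -s application/pkg/server setprop pkg/inst_root="$REPO_FS/repo" || return 1
    run svccfg -s application/pkg/server setprop pkg/readonly=true || return 1

    # Step 6: refresh the repository catalog, then reload and start the service.
    run pkgrepo refresh -s "$REPO_FS/repo" || return 1
    run svcadm refresh application/pkg/server || return 1
    run svcadm enable application/pkg/server || return 1
}

# Step 5 runs on each client, not on the server: swap the default origin for
# the local one (the command shown on the guide's client slide).
client_publisher_command() {
    printf '%s\n' "pkg set-publisher -G http://pkg.oracle.com/solaris/release/ -g $SERVER_URL solaris"
}

create_local_repo && client_publisher_command
```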


Configuring the IPS Clients

Set the local IPS publisher.

root@s11-desktop:~# pkg publisher
PUBLISHER TYPE STATUS URI
Solaris (preferred) origin online http://pkg.oracle.com/solaris/release/
root@s11-desktop:~# pkg set-publisher -G \
http://pkg.oracle.com/solaris/release/ -g \
http://s11-serv1.mydomain.com/ solaris
root@s11-desktop:~# pkg publisher
PUBLISHER TYPE STATUS URI
solaris (preferred) origin online http://s11-serv1.mydomain.com/

For client systems to access a local repository, you must set the preferred publisher to the
local IPS publisher as shown in the example in the slide.


Configuring a Repository Mirror

To configure a repository mirror:


1. Import the SMF service manifest.
2. Prepare a location on your mirror server.
3. Create the appropriate directory structures.
4. Deploy a second instance of the packaging server to run as a read-only mirror.
5. Refresh the mirror.
6. Enable the mirror.
7. Mount the file system that contains your repository with the noatime attribute.
8. Add a mirror to the configuration.

A mirror provides a complete copy of a repository's catalog of packages. Using a nearby
mirror can speed up system updates, distribution construction, zone creation, and other
packaging-intensive operations.
The following example demonstrates how to configure a repository mirror:
# svccfg import /var/svc/manifest/application/pkg-server.xml
# mkdir /export/pkg
# /usr/lib/pkg.depotd -d /export/pkg -p 8009
# svccfg -s pkg/server
svc:/application/pkg/server> add mirror
svc:/application/pkg/server> select mirror
svc:/application/pkg/server> addpg pkg application
svc:/application/pkg/server> addpg start method
svc:/application/pkg/server> setprop start/exec = astring: \
"/usr/lib/pkg.depotd --mirror -p %{pkg/port} -d %{pkg/inst_root} \
-t %{pkg/socket_timeout} -s %{pkg/threads} \
--proxy-base=%{pkg/proxy_base} --log-access=%{pkg/log_access} \
--log-errors=%{pkg/log_errors}"
svc:/application/pkg/server> setprop pkg/inst_root = astring: \
"/export/pkg"
svc:/application/pkg/server> setprop pkg/threads = count: 50
svc:/application/pkg/server> setprop
exit
# svcadm refresh pkg/server:mirror
# svcadm enable pkg/server:mirror
# zfs set atime=off filesystem_name
# pkg set-publisher -m http://s11-serv2.com solaris


Practices 3-1 and 3-2: Overview

• Practice 3-1 covers the following topics:
– Creating a ZFS file system for the package repository
– Copying the package repository from an ISO image to local storage
– Configuring the IPS service with the new repository location
– Updating the repository catalog
– Testing the new repository
• Practice 3-2 covers configuring a network client to access the local IPS repository.


Agenda

• Introducing the Image Packaging System (IPS)
• Configuring a local IPS repository
• Managing software packages by using IPS
• Publishing a software package in IPS
• Managing boot environments

Package Management: pkg (1)

Package Management Task | IPS Command | Solaris 10 Equivalent
Install package. | pkg install | pkgadd -a
Display package state and version information. | pkg list | pkginfo
Verify package installation. | pkg verify | pkgchk -v
Display package information. | pkg info | pkginfo -v
Display the contents of a package. | pkg contents | pkgchk -l
Search for a package. | pkg search | pkgchk -l -p
Uninstall a package. | pkg uninstall | pkgrm
Install package updates. | pkg update | pkgadd

The pkg command is used to interact with the Image Packaging System. With a valid
configuration, pkg can be invoked to create locations for packages to be installed (as what
are called “images”) and manage packages in those images.
The table in this slide shows which pkg commands are used to perform common package
management tasks. It compares these commands to equivalent commands used in Oracle
Solaris 10.


pkg Command Examples: search and info

root@s11-desktop:~# pkg search apptrace
INDEX ACTION VALUE PACKAGE
pkg.description set Apptrace processor specific shared objects
pkg:/developer/apptrace/platform@0.5.11-0.171.0.1

root@s11-desktop:~# pkg info -r apptrace
Name: developer/apptrace
Summary: Apptrace Utility
Description: Apptrace utility for application tracing, including shared objects
Category: Development/System
State: Installed
Publisher: solaris
Version: 0.5.11
Build Release: 5.11
Branch: 0.151.0.1
Packaging Date: November 4, 2010 11:07:06 PM
Size: 122.41 kB
FMRI: pkg://solaris/developer/apptrace@0.5.11,5.11-0.171

This slide shows examples of searching for a package (apptrace) and displaying package
information.
The -r option retrieves the information data from the repositories of the image's configured
publishers.


pkg Command Examples: install


root@s11-desktop:~# pkg install -nv apptrace
Packages to install: 1
Create boot environment: No
Rebuild boot archive: No
Changed fmris:
None -> pkg://solaris/developer/apptrace@0.5.11,5.11-0.171:20101104T230706Z
Services:
None

root@s11-desktop:~# pkg install apptrace
Creating plan...
Packages to install: 1
Create boot environment: No
DOWNLOAD PKGS FILES XFER (MB)
Completed 1/1 4/4 0.1/0.1

PHASE ACTIONS
Install Phase 19/19

PHASE ITEMS
Package State Update Phase 1/1
Image State Update Phase 2/2

This slide shows examples of performing a package (apptrace) installation dry-run (-nv)
and a real package installation.
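
The dry-run plan names the publisher of every package it would change, so it can be checked before anything is installed. The script below is an added example, not part of the course material: it parses the `pkg install -nv` output shown in this slide and reports any package that would come from a publisher outside an allowlist. The function names and the allowlist values are assumptions.

```shell
#!/bin/sh
# Added example: gate an install on the publishers named in a dry-run plan.
# SAMPLE_PLAN reproduces the `pkg install -nv apptrace` output from the slide.
# On a live system, pipe the real command into the functions instead:
#   pkg install -nv apptrace | plan_check solaris

SAMPLE_PLAN='           Packages to install:     1
       Create boot environment:    No
          Rebuild boot archive:    No
Changed fmris:
  None -> pkg://solaris/developer/apptrace@0.5.11,5.11-0.171:20101104T230706Z
Services:
  None'

# plan_fmris: print the target FMRI (right-hand side of "->") of every
# changed package in a plan read from stdin. Works for new installs
# ("None -> pkg://...") and for updates ("pkg://old -> pkg://new").
plan_fmris() {
    awk '$2 == "->" && $3 ~ /^pkg:\/\// { print $3 }'
}

# plan_publishers: print the unique publisher names found in those FMRIs.
# pkg://solaris/developer/apptrace@...  ->  solaris
plan_publishers() {
    plan_fmris | sed -e 's|^pkg://||' -e 's|/.*$||' | sort -u
}

# plan_field LABEL: print the value of a "Label: value" summary line,
# for example "Create boot environment" or "Packages to install".
plan_field() {
    awk -F: -v label="$1" '
        { key = $1; sub(/^[ \t]+/, "", key) }
        key == label {
            val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val
            exit
        }'
}

# plan_check ALLOWED...: read a plan from stdin, print each publisher that is
# not in the allowlist, and return 1 if any was found (0 otherwise).
plan_check() {
    plan=$(cat)
    status=0
    for pub in $(printf '%s\n' "$plan" | plan_publishers); do
        ok=no
        for allowed in "$@"; do
            if [ "$pub" = "$allowed" ]; then
                ok=yes
            fi
        done
        if [ "$ok" = no ]; then
            echo "unexpected publisher: $pub"
            status=1
        fi
    done
    return $status
}
```
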


pkg Command Examples: list, verify, and contents

root@s11-desktop:~# pkg list apptrace
NAME (PUBLISHER) VERSION STATE UFOXI
developer/apptrace 0.5.11-0.171 installed -----

root@s11-desktop:~# pkg verify -v apptrace
Verifying: PACKAGE STATUS
pkg://solaris/developer/apptrace OK

root@s11-desktop:~# pkg contents apptrace
PATH
usr
usr/bin
usr/bin/apptrace
usr/lib
usr/lib/abi
usr/lib/abi/amd64
usr/lib/abi/amd64/apptrace.so.1
usr/lib/abi/apptrace.so.1
root@s11-desktop:~#

This slide shows examples of listing an installed package (apptrace), verifying package
status, and displaying the contents of a package.


pkg Command Examples: uninstall

root@s11-desktop:~# pkg uninstall apptrace
Packages to remove: 1
Create boot environment: No
PHASE ACTIONS
Removal Phase 17/17

PHASE ITEMS
Package State Update Phase 1/1
Package Cache Update Phase 1/1
Image State Update Phase 2/2

This slide shows an example of uninstalling a package (apptrace).


Package Manager


The Package Manager provides most package and publisher operations and some boot
environment (BE) operations. If you are new to the Oracle Solaris 11 and IPS technologies,
use the Package Manager to quickly download and install packages.


Managing Packages by Using a Web Browser


IPS allows you to access the package repository by using a web browser. With a web
browser, you can search for and install packages, and view the contents of a package
manifest.


Update Manager

• Updates all installed packages to the newest version
• Can be invoked in one of the following three ways:
– In the Package Manager GUI, click the Updates button or
select the Package > Updates menu option.
– pm-launch with packagemanager sub-command:
$ /usr/lib/pm-launch packagemanager --update-all
– pkg CLI command:
# pkg update

Another important feature of IPS is the Update Manager. Update Manager updates all
installed packages to the newest version allowed by the constraints imposed on the system
by installed packages and publisher configuration.
The Update Manager feature can be invoked in one of the three following ways:
• In the Package Manager GUI, click the Updates button or select the Package > Updates
menu option.
• Use pm-launch with the packagemanager sub-command:
$ /usr/lib/pm-launch packagemanager --update-all
• Use the pkg CLI command:
# pkg update
If the system created a new boot environment (BE) for the update, you can edit the default BE
name. Click the Restart Now button to restart your system immediately or the Restart Later
button to restart your system at a later time. You must restart to boot into the new BE. The
new BE will become your default boot environment. Your current BE will be available as an
alternate boot choice.


Practices 3-3 and 3-4: Overview

• Practice 3-3 provides demonstrations showing how to update an image by using:
– The pkg update command
– Package Manager
• Practice 3-4 covers managing software packages by using:
– The pkg utility
– The Package Manager GUI
– A web browser


Agenda

• Introducing the Image Packaging System (IPS)
• Configuring a local IPS repository
• Managing software packages by using IPS
• Publishing a software package in IPS
• Managing boot environments


Publishing a Package in IPS

To publish a package in IPS:
1. Enable package repository modification.
2. Use the pkgsend command to publish packages.
3. Open a package publication transaction.
4. Export the PKG_TRANS_ID variable.
5. Use pkgsend to add the package actions.
6. Close the transaction.
7. Disable package repository modification.

You can create several different types of IPS packages. The package is then published to the
repository by using the pkgsend command. You must perform the steps shown in the slide to
publish a package in IPS.


Practice 3-5: Overview

This practice covers the following topics:
• Creating a new software package
• Publishing the new software package
• Testing the new software package

In this practice, you work with the IPS package publishing feature. During this practice, you
create a simple software package and deploy it by using IPS.


Boot Environment (BE)

• A boot environment (BE) is a bootable instance of an Oracle Solaris 11 operating system image.
• Multiple boot environments can be maintained on a system.
• BEs can have different software versions installed.
• BEs make updating software a low-risk operation.
• BE management utilities include:
– The beadm command
– Package Manager GUI

A boot environment (BE) is a bootable instance of an Oracle Solaris 11 operating system
image plus any other application software packages installed into that image.
System administrators can maintain multiple boot environments on their systems, and each
boot environment can have different software versions installed.
With multiple boot environments, the process of updating software becomes a low-risk
operation because system administrators can create backup boot environments before
making any software updates to their system. If needed, they have the option of booting a
backup boot environment.
Upon the initial installation of Oracle Solaris 11 onto a system, a boot environment is created.
Use the beadm utility or the Package Manager to administer additional boot environments on
your system.


The beadm Utility

• Primary BE management tool
• Enables you to:
– Create a new boot environment
– Create a snapshot of an existing boot environment
– Create a boot environment based on a snapshot
– Activate an existing, inactive boot environment
– Mount and unmount a boot environment
– Destroy boot environments and snapshots
– Rename boot environments
– Display boot environment information

The beadm utility is the primary BE management tool. The beadm utility aggregates all
datasets in a boot environment and performs actions on the entire boot environment at once.
You no longer need to perform ZFS commands to modify each dataset individually. It
manages the dataset structures within boot environments. For example, when the beadm
utility clones a boot environment that has shared datasets, the utility automatically recognizes
and manages those shared datasets for the new boot environment.
The beadm utility enables you to perform administrative tasks on your boot environments.
These tasks can be performed without upgrading your system. It automatically manages and
updates the GRUB menu for x86 systems, or the boot menu for SPARC systems. For
example, when you use the beadm utility to create a new boot environment, that environment
is automatically added to the GRUB menu or boot menu.


The beadm utility enables you to perform the following tasks:
• Create a new boot environment based on the active boot environment.
• Create a new boot environment based on an inactive boot environment.
• Create a snapshot of an existing boot environment.
• Create a new boot environment based on an existing snapshot.
• Create a new boot environment and add a custom title to the x86 GRUB menu or the
SPARC boot menu.
• Activate an existing, inactive boot environment.
• Mount a boot environment.
• Unmount a boot environment.
• Destroy a boot environment.
• Destroy a snapshot of a boot environment.
• Rename an existing, inactive boot environment.
• Display information about your boot environment snapshots and datasets.


beadm Command Examples: list

root@s11-desktop:~# beadm list
BE Active Mountpoint Space Policy Created
-- ------ ------- --- ----- -------------
solaris NR / 3.82G static 2011-03-04 22:14
solaris-1 - - 41.02M static 2011-03-18 14:13
solaris-2 - - 60.0K static 2011-03-20 10:59

root@s11-desktop:~# beadm list -a solaris
BE/Dataset/Snapshot Active Mountpoint Space Policy Created
------------------- ------ ---------- ----- ------ -------
solaris
rpool/ROOT/solaris NR / 3.67G static 2011-03-04 22:14
rpool/ROOT/solaris@2011... - - 35.78M static 2011-03-18 14:13
rpool/ROOT/solaris@2011... - - 43.0K static 2011-03-20 10:59
rpool/ROOT/solaris@backup - - 42.0K static 2011-03-20 11:03
rpool/ROOT/solaris@install - - 115.97M static 2011-03-04 22:33

This slide shows examples of listing boot environments and associated snapshots.
N means that the boot environment is currently active, and R means that it will be the boot
environment that will be active on reboot as well.
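
The N and R flags can be read by a script to confirm which boot environment the next restart will use, for example after an update or before destroying an old BE. The script below is an added example, not part of the course material: it parses the plain `beadm list` table (not the `-a` dataset listing), and the function names are assumptions.

```shell
#!/bin/sh
# Added example: read the Active column of `beadm list`.
# SAMPLE_BEFORE reproduces the rows of the listing on the slide.
# SAMPLE_AFTER is constructed: the same system after `beadm activate solaris-1`
# but before the reboot, so N and R sit on different boot environments.
# On a live system:  beadm list | be_reboot_report

SAMPLE_BEFORE='BE        Active Mountpoint Space  Policy Created
--        ------ ---------- -----  ------ -------
solaris   NR     /          3.82G  static 2011-03-04 22:14
solaris-1 -      -          41.02M static 2011-03-18 14:13
solaris-2 -      -          60.0K  static 2011-03-20 10:59'

SAMPLE_AFTER='BE        Active Mountpoint Space  Policy Created
--        ------ ---------- -----  ------ -------
solaris   N      /          3.82G  static 2011-03-04 22:14
solaris-1 R      -          41.02M static 2011-03-18 14:13
solaris-2 -      -          60.0K  static 2011-03-20 10:59'

# be_with_flag FLAG: print the name of each BE whose Active column contains
# FLAG (N = active now, R = active on reboot). Reads a listing from stdin.
be_with_flag() {
    awk -v flag="$1" '
        NF < 2 { next }                       # blank lines
        $1 == "BE" || $1 ~ /^-+$/ { next }    # header and ruler lines
        index($2, flag) > 0 { print $1 }'
}

# be_inactive: print the BEs that carry neither flag, that is, the ones that
# remain available as alternate boot choices.
be_inactive() {
    awk '
        NF < 2 { next }
        $1 == "BE" || $1 ~ /^-+$/ { next }
        $2 == "-" { print $1 }'
}

# be_reboot_report: print "running=<BE> next=<BE>" for a listing on stdin.
# Returns 0 when the next boot uses the BE that is running now, 1 when the
# next boot switches to a different BE, 2 when the flags cannot be found.
be_reboot_report() {
    listing=$(cat)
    running=$(printf '%s\n' "$listing" | be_with_flag N)
    next=$(printf '%s\n' "$listing" | be_with_flag R)
    if [ -z "$running" ] || [ -z "$next" ]; then
        echo "could not find N and R flags in listing"
        return 2
    fi
    echo "running=$running next=$next"
    [ "$running" = "$next" ]
}
```

A return value of 1 is expected between an activation or update and the following reboot; at any other time it means the default BE was changed and should be accounted for before restarting.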


beadm Command Examples: create

root@s11-desktop:~# beadm create solaris-2
root@s11-desktop:~# beadm create solaris-2@backup
root@s11-desktop:~# beadm create -e solaris-2@backup solaris-3

This slide shows examples of creating a new boot environment and a clone.
• The first command creates a new boot environment.
• The second command creates a snapshot of the new boot environment.
• The third command creates a boot environment clone from a snapshot.


beadm Command Examples: activate, rename, and destroy

root@s11-desktop:~# beadm activate solaris-3
root@s11-desktop:~# beadm rename solaris-2 solaris-old
root@s11-desktop:~# beadm destroy solaris

This slide shows examples of activating, renaming, and destroying boot environments.


beadm Command Examples: mount and unmount

root@s11-desktop:~# beadm mount solaris-1 /solaris-1
root@s11-desktop:~# beadm unmount solaris-1

This slide shows examples of mounting and unmounting inactive boot environments.


Package Manager BE Features


The Package Manager is a graphical user interface that enables you to install, update, and
manage packages on your installed system. If you use the Package Manager to update all the
packages on your system, a clone of the active boot environment is created. This clone
enables you to, if necessary, boot into the boot environment state that existed before the
update process was started.
You can use the Package Manager to manage your boot environments as follows:
• You can delete old and unused boot environments to make the disk space available.
• You can change the default boot environment on your system.
• You can activate a boot environment.


Quiz

What benefits does a local IPS repository provide?
a. Greater capacity for more packages in the repository
b. Automatically created backup BEs
c. Increased performance for package retrieval

Answer: c


Quiz

Which utility is used to manage BEs in Oracle Solaris 11?
a. Live Upgrade
b. beadm
c. BE Manager

Answer: b


Quiz

Which command enables you to configure your current image
to ensure that all manifests with signatures are validly signed?
a. # pkg set-property signature-policy verify
b. # pkg set-property signature-policy require-names
c. # pkg set-property signature-policy require-signature

Answer: a


Quiz

What pkg subcommand or option of the set-publisher
subcommand is used to configure publisher properties for
signed packages?
a. set-property
b. set-publisher
c. set-publisher property
d. --set-publisher

Answer: b


Quiz
You have three publishers listed in this order:
mypublisher.com, which is the highest ranked publisher,
solaris, and whoisit. For search order purposes, you want
to move the whoisit publisher before the solaris publisher.
Which command would you use to execute this task?
a. pkg set-publisher --search-before solaris whoisit
b. pkg set-publisher --search-after solaris whoisit
c. pkg set-publisher --search-before whoisit solaris
d. pkg set-publisher --search-after whoisit solaris

Answer: d


Quiz

You want to gather installation information on a new application
without actually installing the software. Which command is most
appropriate for this task?
a. pkg install -dry new_app
b. pkg install -noinstall new_app
c. pkg install -dv new_app
d. pkg install -nv new_app

Answer: d


Quiz

Which command is used to verify a package installation?
a. pkg verify new_package
b. pkg status new_package
c. pkg -v new_package
d. pkg validate new_package

Answer: a


Quiz

Which command is used to set solaris-alt as the default boot
environment?
a. activate -v solaris-alt
b. beadm solaris-alt boot
c. beadm activate solaris-alt
d. activate -d solaris-alt

Answer: c


Quiz

Nonactive boot environments can be manually mounted in an
active boot environment.
a. True
b. False

Answer: a


Summary

In this lesson, you should have learned how to:
• Describe the Image Packaging System (IPS)
• Plan for moving to IPS
• Configure a local package repository
• Configure network client systems to use IPS
• Search for software packages by using IPS
• Install software packages by using IPS
• Remove software packages by using IPS
• Update the OS image by using IPS
• Publish a software package by using IPS
• Manage boot environments


Practice 3-6: Overview

This practice covers the following topics:
• Displaying boot environments
• Creating boot environments
• Selecting boot environments
• Removing boot environments


Installing the Oracle Solaris 11 Operating System

Objectives

After completing this lesson, you should be able to:
• Describe Oracle Solaris 11 installation options
• Plan for an Oracle Solaris 11 installation
• Describe an Oracle Solaris 11 LiveCD installation
• Describe an Oracle Solaris 11 Text installation
• Describe an Oracle Solaris 11 Automated installation
• Configure a system image
• Configure an AI server
• Configure an AI client
• Install Oracle Solaris 11 by using AI
• Compare a JumpStart OS installation to an AI OS installation
• Convert a JumpStart configuration to an AI configuration
• Describe the distribution constructor

This lesson introduces you to the new Oracle Solaris 11 operating system installation
methods. You explore both interactive and automated installations. Next, you compare and
convert Oracle Solaris 10 JumpStart installation to Oracle Solaris 11 installation. The lesson
also shows you how to configure and work with automated installation features. Finally, you
are introduced to the distribution constructor.


Agenda

• Introducing Oracle Solaris 11 Operating System installation options
• Performing interactive installations of the Oracle Solaris 11 Operating System
• Configuring an AI Server and clients
• Comparing and converting JumpStart to AI
• Working with the distribution constructor


Oracle Solaris 11 Installation Options

• Oracle Solaris 11 Text installation
• Oracle Solaris 11 LiveCD installation
• Oracle Solaris 11 Automated installation
• Installation images can be downloaded from:
http://www.oracle.com/technetwork/server-storage/solaris11/downloads

Oracle Solaris 11 can be installed in the following three ways:
• Oracle Solaris 11 Text installation: You use the Oracle Solaris 11 Text installation for
x86- or SPARC-based systems. This method is used for systems that do not have a
graphic display. It contains software packages normally found in server environments.
• Oracle Solaris 11 LiveCD: You use the Oracle Solaris 11 LiveCD install for x86-based
systems. This method is used for systems that have a graphic display. It contains
software packages normally found in workstation and notebook environments.
• Oracle Solaris 11 Automated installation: The Oracle Solaris 11 Automated
installation provides a “hands-free” network installation for multiple client systems,
allowing administrators to create and manage customized installation profiles for
different systems.
The Oracle Solaris 11 ISO images can be downloaded from
http://www.oracle.com/technetwork/server-storage/solaris11/downloads.
All installation downloads are in an ISO image format that can be burned to a CD or a DVD, or
used directly within Oracle VM Server or other virtualization software.


Oracle Solaris 11 System Requirements

Hardware        Requirement
Disk space      Recommended size is 7 GB. A minimum of 3 GB is required.
Memory          The minimum requirement is 512 MB. Recommended size is 768 MB.
Architectures   SPARC* and x86 (64 bits only)

*Supported on sun4v- and M-Series sun4u based systems with OBP (Open Boot PROM) level 4.17 or higher

This slide shows the hardware requirements needed for installing Oracle Solaris 11.


Oracle Solaris 11 Text Installer


When starting the Oracle Solaris 11 Text installer, you are provided with a menu of keyboard
layouts as shown in this slide. The default is US English.


Oracle Solaris 11 Text Installer


This screen provides language options. The default is English.


Oracle Solaris 11 Text Installer


The installation menu provides you with options such as installing additional device drivers
and changing the terminal type. The default is “Install Oracle Solaris” (option 1).


Oracle Solaris 11 Text Installation: Disks


During the Oracle Solaris 11 Text installation, you must choose the disk on which to install the
OS.


Oracle Solaris 11 Text Installation: Network


You are required to assign a name to the install system. This is the network hostname. Also,
you must decide how the installation system network is to be configured:
• Automatically: This option uses the Network Auto-Magic (NWAM) feature. NWAM is a
daemon that takes care of the connection to the network. As the name suggests, the
network connection should work auto-magically, which means that most of the time, you
do not need to care about your connection.
• None: This option disables NWAM. When selecting this option, you must configure the
network manually.


Oracle Solaris 11 Text Install: Users


In Oracle Solaris 11, root is configured by default as a role rather than a user. During system
installation, the Text installer helps you to set up the root password and initial user account.
You use the initial user account to log in to the system. After initial user login, a user with the
appropriate privileges can subsequently assume the role of root using su or perform
administrative tasks after authentication using sudo or pfexec.


Oracle Solaris 11 LiveCD


The Oracle Solaris 11 LiveCD for x86 provides a GUI-based interactive installation that steps
through the process of configuring the system for the OS installation. The LiveCD then installs
a software payload that includes a full desktop operating environment. The LiveCD also
provides additional utilities, such as the Device Driver Utility and partition editor, to help
ensure successful installations.


Oracle Solaris 11 LiveCD: Device Driver Utility

Oracle University and Knowledge Transfer Centre use only


Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

The Device Driver Utility helps you to detect whether Oracle Solaris 11 can be installed on
your x86 system. When started, it runs a quick device compatibility check on your system. If a
device driver problem is detected, it provides the tools for installing the appropriate device
driver packages from a file, web, or IPS repository.

Oracle Solaris 11 LiveCD: Partition Editor

The GParted Partition Editor allows you to customize the installation disk layout before you
begin the OS installation. Note that GParted is usually used only if you are attempting to set
up a disk to boot multiple operating systems.

Oracle Solaris 11 LiveCD Installer: Disk

An Oracle Solaris 11 LiveCD installer helps you choose the target installation disk or partition.

Oracle Solaris 11 LiveCD Installer: Time Zone

The Oracle Solaris 11 LiveCD installer provides a point-and-click time zone configuration
interface. Simply click the city nearest to your installation location.

Oracle Solaris 11 LiveCD Installer: Users

As we saw with the Text installer, in Oracle Solaris 11 root is configured by default as a role
rather than a user. As with the Text installer, during system installation, the LiveCD installer
helps you set up the root password and initial user account. You use the initial user account to
log in to the system. After initial user login, a user with the appropriate privileges can
subsequently assume the role of root using su or perform administrative tasks after
authentication using sudo or pfexec. Note that the root password will be the same as the
user account password entered here.
In addition to the initial user configuration, the Users dialog box allows you to set the
hostname for your system. The network configuration method is automatically set to NWAM.

Practices 4-1 and 4-2: Overview

• Practice 4-1 covers installing Oracle Solaris 11 using the Text installer.
• Practice 4-2 covers installing Oracle Solaris 11 using the LiveCD installer.

In these practices, you perform interactive installations of the Oracle Solaris 11 operating
system.

SMF-Based System and Network Configuration

• System and network configuration files moved from /etc to SMF repository
• System and network configuration changes:
– File system sharing
– Network configuration
– The system host name
– Power management
– Time zone
– Naming services
– Domain name
– Environment variables

In Oracle Solaris 11, system and network configuration that was previously stored in the /etc
directory is now stored in an SMF repository. Moving configuration data to SMF service
properties enables the delivery of a uniform, extensible architecture for system configuration
that provides you with more complete capability to manage the system configuration.
The following network configuration features have changed in Oracle Solaris 11:
• File system sharing: Sharing a file system is managed through SMF and administered
by using the zfs command. The /etc/dfs/dfstab file is only meaningful for legacy
file systems.
• Network configuration: Persisting network configuration by editing files is no longer
necessary. You use commands such as svccfg, svcprop, ipadm, and dladm to manage
this type of network configuration. Files such as /etc/hostname, /etc/dhcp, and
/etc/hostname.ip*.tun* are no longer relevant.
• The system host name: A system's host name is now set by configuring the
config/nodename service property of the svc:/system/identity:node SMF
service. The /etc/nodename file is no longer relevant.
• Power management: Power management is now administered by using the poweradm
command. The /etc/power.conf file and the pmconfig command are no longer
relevant.
• Time zone: A new svc:/system/timezone:default SMF service enables you to
set the time zone on an Oracle Solaris 11 system.
• Naming services: The primary repository for all naming services configuration is the
SMF repository. All legacy configuration files, such as resolv.conf,
nsswitch.conf, /var/yp/*, and /var/ldap/, are regenerated from the SMF
data when an appropriate service is started or refreshed. You do not edit these files
directly.
• Domain name: The system’s domain name is now handled by the
svc:/system/identity:domain service. The /etc/defaultdomain file is no longer
relevant.
• Environment variables: The system’s environment variables are now being handled by
the svc:/system/environment service. The /etc/default/init file is no longer
relevant.

Configuring an Oracle Solaris 11 Image

• The sysconfig utility
– Replaces sysunconfig and sysidtool
• Unconfigure the system
– sysconfig unconfigure
– The unconfigure operation
• Configure the system
– sysconfig configure
• System configuration (SC) profile creation
– sysconfig create-profile

The sysconfig utility is used in Oracle Solaris 11 to unconfigure and reconfigure an existing
Oracle Solaris 11 system. This tool replaces the sysunconfig and sysidtool utilities.
The sysconfig utility launches the System Configuration (SC) tool. You use the System
Configuration (SC) tool to interactively unconfigure and configure the OS image.
There are three operations that you can perform using the sysconfig utility:
• Unconfiguration of the system: This operation brings the OS image to a pristine
(unconfigured) state.
• Configuration of the system: This operation allows you to reconfigure the OS image. It
helps you change the host name, IP address, name service, time zone, initial user
account, and root password.
• System configuration (SC) profile creation: This operation helps you create an SC
profile. The SC profile is an XML-based file that contains the host name, IP address,
name service, time zone, initial user account, and root password configuration
properties. The SC profile can be used with the sysconfig configure command or
with Automatic Installation (AI) to configure an OS image.

Agenda

• Introducing Oracle Solaris 11 Operating System installation options
• Performing interactive installations of the Oracle Solaris 11 Operating System
• Configuring an AI Server and clients
• Comparing and converting JumpStart to AI
• Working with the distribution constructor

Oracle Solaris 11 Automated Installation

[Figure: Automated Installations Over the Network. The diagram shows a DHCP server, an AI server hosting install services (each with manifests and a boot image), and an IPS repository.]

The automated installer is used to automate the installation of the Oracle Solaris 11 OS on
one or more SPARC and x86 systems over a network. The installations can differ in
architecture, packages installed, disk capacity, network configuration, and other parameters.
Automated installation can be run in a “serverless” mode where the client boots from the ISO
and uses a manifest that is either located on the media or obtained from a network location
that you have access to. Client access to an IPS original repository and DHCP service are
required.
An automated installation over the network to a client system, as shown in the slide, performs
the following core steps:
1. A client system boots and gets IP information from the DHCP server.
2. The client contacts an install service on the AI server and accesses the boot image and
the AI manifest containing the installation specifications.
3. The client is installed with the operating system, pulling packages from the IPS original
repository specified in the AI manifest.

How Automated Installation Works

Assume that you have set up an installation server with one or more install services. You've
customized the installation specifications for the installation services to suit your needs. Now,
you are ready to install the Oracle Solaris 11 OS to client systems on the network. You need
only to boot the client, and the process runs to completion without further input from you.
This flowchart illustrates how a client system is installed. The client browses for available
installation services, seeking a service where the installation criteria in the service's manifest
file match the characteristics of the client system. When a match is found, the installation is
performed on the client system, using a boot image and manifest specifications provided by
the installation service.

AI Environmental Requirements

• The network
• Client access to AI service and IPS repository
• AI service storage location
• Manifests and system configuration profiles
• Custom manifest and profile storage location

To use AI to install client systems over the network, you must set up DHCP and also an AI
install service on an install server. AI uses DHCP to provide the IP address, subnet mask,
router, DNS server, and the location of the install server to the client machine to be installed.
The DHCP server and AI install server can be the same machine or two different machines.
The client machines you want to install must be able to access an Oracle Solaris Image
Packaging System (IPS) software package repository. The IPS package repository can be on
the install server, on another server on the local network, or on the Internet. An AI install
service is associated with a SPARC or x86 network boot image (net image), one or more
installation instruction files (AI manifests), and zero or more system configuration instruction
files (SC profiles). The net image is not a complete installation. Client machines must access
an IPS package repository to complete their installations. The AI manifest specifies one or
more IPS package repositories where the client retrieves the packages needed to complete
the installation. The AI manifest also includes the names of additional packages to install and
information such as target device and partition information. You can also specify instructions
for configuring the client.
AI does not support storing the AI service in a dedicated ZFS file system. When creating the
AI service, store the service in a standard directory.


If two client machines have different architectures or need to be installed with different
versions of the Oracle Solaris 11 OS, you create two AI install services and associate each
install service with a different net image. If two client machines need to be installed with the
same version of the Oracle Solaris 11 OS but need to be installed differently in other ways,
you create two AI manifests for the AI install service. The different AI manifests can specify
different packages to install or a different slice as the install target. If client systems need to
have different configurations applied, create multiple SC profiles for the install service. The
different system configuration (SC) profiles can specify different network or locale setup or
unique host name and IP address.
AI stores the default manifest files in ../auto_install/manifest. Custom manifests and
profiles should never be stored inside the AI service directory structure.

IPS Case: Using Default Manifest

The minimum you have to do to use AI is create one install service. In this minimal scenario,
all clients have the same architecture and are installed with the same version of the Oracle
Solaris OS. The installations use the default AI manifest, which specifies the most recent
version of the OS available from the default IPS package repository on the Internet.
1. Make sure the install server has a static IP address and default route.
2. Install the installation tools package, install/installadm.
3. Run the installadm create-service command.
4. Make sure the clients can access a DHCP server.
5. Make sure the necessary information is available in the DHCP configuration to boot the
service.
6. Make sure the clients can access an IPS software package repository. To use the
default IPS package repository, the clients must be able to access the Internet.
7. Network boot the client.


When you network boot the client, the following steps are performed:
1. The client gets the install server address from the DHCP server.
2. Because the install server has only one install service, the client uses that service if the
architecture matches.
3. Because the install service has only one AI manifest, the client uses that default AI
manifest, installing software packages from the IPS package repository over the
network.
4. When the client boots after installation, an interactive tool prompts for system
configuration information because no system configuration profile is provided.

IPS Case: Using Custom Manifest

To specify installation parameters such as a local IPS publisher, the target disk for installation,
partition or mirror configuration, or additional software packages to install, provide a
customized AI manifest. Perform the following steps before you boot the client, in addition to
the minimum required steps:
1. Create a new AI manifest, or write a script that dynamically creates a custom AI
manifest at client installation time.
2. Run the installadm create-manifest command to add the new manifest or
script to the install service. Specify criteria for the client to select this manifest or script,
or use the -d option to make this manifest or script the default manifest specification for
this service.


When you network boot the client, the following steps are performed:
1. The client gets the install server address from the DHCP server.
2. Since the install server has only one install service, the client uses that service if the
architecture matches.
3. The client is directed to the correct provisioning manifest by criteria specified to
create-manifest. If no criteria match, the client uses the default manifest for this
service.
4. The client is provisioned according to the selected manifest.
5. When the client boots after installation, an interactive tool prompts for system
configuration information because no system configuration profile is provided.

IPS Case: Using an SC Profile

To specify system configuration parameters such as time zone, user accounts, and networking,
provide a Service Management Facility (SMF) system configuration profile (SC profile).
Perform the following steps before you boot the client, in addition to the minimum required
steps:
1. Create an SC profile using the sysconfig create-profile utility.
2. Run the installadm create-profile command to validate the profile, add the
profile to the install service, and specify criteria to select which clients should use this SC
profile.
When you network boot the client, the following steps are performed:
1. The client gets the install server address from the DHCP server.
2. Since the install server has only one install service, the client uses that service if the
architecture matches.
3. Since the install service has only one AI manifest, the client uses that default AI manifest,
installing software packages from the IPS package repository over the network.
4. The client is directed to the correct system configuration profile by criteria specified to
create-profile.
5. The client is configured according to the selected configuration profile. If no configuration
profile is selected because the criteria do not match, the interactive configuration tool
starts.

IPS Case: Multiple AI Services

To install different versions of the Oracle Solaris 11 OS, create additional AI install services.
Perform the following steps before you boot the client, in addition to the minimum required steps:
1. Run the installadm create-service command and specify a different net image.
2. Run the installadm create-client command to direct the client to this new
install service.
3. Create custom manifests and SC profiles (if required) and associate them with the
appropriate AI service.
When you network boot the client, the following steps are performed:
1. The client gets the install server address from the DHCP server.
2. The client is directed to this new install service by create-client.
3. The client is provisioned according to the default provisioning manifest for this service.
4. When the client boots after installation, an interactive tool prompts for system
configuration information because no system configuration profile is provided.

Configuring the AI Server

• Set up the AI service:
– Installation images
– DHCP server
• Set up or remove clients.
• Add or delete manifest files.
• Add or delete system configuration profiles.
• Enable or disable install services.
• Administer install services by using the AI SMF service.

This slide provides an overview of the tasks you must perform when configuring your AI
server.

Setting Up the AI Server

• Enable DNS multicast on the AI server:
– svcadm enable svc:/network/dns/multicast:default
• Install the installadm package:
– pkg list installadm
pkg list: no packages matching 'installadm' installed
– pkg install installadm
• Create the AI service by using installadm create-service:
– installadm create-service -n x86_clients \
-i 192.168.0.100 -c 50 \
-s /export/images/sol-11-exp-201011-ai-x86.iso \
-d /rpool/ai/x86_clients
• Add AI clients by using installadm create-client:
– installadm create-client -e 08:00:27:85:C7:D6 \
-n x86_clients

Setting up the AI server involves the four key tasks shown in the slide.
Note that create-service automatically enables the AI service in SMF.
Also note that create-client is needed only if more than one service for a particular
architecture (SPARC or x86) is provided on the AI server. When there is only one, all clients
use that service by default and do not need to be specifically configured with create-client.

AI Manifests

• Default manifest
• Custom manifest
• Criteria manifest

AI manifests are XML files used to specify multiple sets of installation and system
configuration instructions for each install service.
AI has three types of manifests:
• Default manifest: A default manifest is an installation manifest that has no criteria
associated with it. The default manifest is used by clients when no other installation
manifest’s criteria match the client.
• Custom manifest: To perform different installations on different clients by using the
same install image, you need to provide customized AI manifests for that install service.
Clients that do not match the criteria specific to any custom manifest are installed using
the instructions in the default manifest.
• Criteria manifest: The criteria manifest allows you to associate client-specific
installation instructions with AI services. When the client matches the criteria that have
been specified for a criteria manifest, the client uses the associated manifest.

The default.xml File

<!DOCTYPE auto_install SYSTEM "file:///usr/share/install/ai.dtd">
<auto_install>
  <ai_instance name="default">
    <target>
      <logical>
        <zpool name="rpool" is_root="true">
          <filesystem name="export" mountpoint="/export"/>
          <filesystem name="export/home"/>
          <be name="solaris"/>
        </zpool>
      </logical>
    </target>

The default.xml manifest file provides a generic configuration applicable to most clients.
You can change the AI defaults by copying the default.xml file to a new file and editing the
new file as desired. You can then apply the new manifest by using the installadm
create-manifest -f command, as in this example:
installadm create-manifest -f new_manifest -n AI_service_name
The <target> element is used to configure the disk drive used for the OS installation.

The default.xml File

    <software type="IPS">
      <source>
        <publisher name="solaris">
          <origin name="http://pkg.oracle.com/solaris/release"/>
        </publisher>
      </source>
      <software_data action="install">
        <name>pkg:/entire</name>
        <name>pkg:/group/system/solaris-large-server</name>
      </software_data>
    </software>
  </ai_instance>
</auto_install>

This slide shows the IPS and packages sections of the default manifest file. The
<software> element defines the location of the IPS origin and which software packages to
install and uninstall. The entire package is recommended so that the system will be
updated coherently when patching or upgrading in the future. The solaris-large-server
package is suitable for a server installation.
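Because the AI manifest decides which repository a client pulls its packages from, a custom manifest is worth reviewing before it is added to an install service. The following is an added example, not part of the course material: it reads the <software> section of a manifest and reports origins that are not on an approved list, and whether pkg:/entire is missing from the install list. The approved-origin list, the finding names, and the second sample manifest (including its host name) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET


def read_software(manifest_xml):
    """Return (origins, packages) from the <software> sections of an AI manifest.

    origins  -> list of (publisher name, origin URL)
    packages -> {action: [package names]}
    """
    root = ET.fromstring(manifest_xml)
    origins, packages = [], {}
    for software in root.iter("software"):
        for publisher in software.findall("source/publisher"):
            for origin in publisher.findall("origin"):
                url = origin.get("name", "").rstrip("/")
                origins.append((publisher.get("name"), url))
        for data in software.findall("software_data"):
            names = [n.text.strip() for n in data.findall("name") if n.text]
            # Assumption: a software_data element without an action means install.
            packages.setdefault(data.get("action", "install"), []).extend(names)
    return origins, packages


def review_manifest(manifest_xml, approved_origins):
    """Return a list of (finding, detail) tuples; an empty list means no findings."""
    approved = {url.rstrip("/") for url in approved_origins}
    origins, packages = read_software(manifest_xml)
    findings = []
    if not origins:
        findings.append(("no-origin", ""))
    for publisher, url in origins:
        # The comparison covers scheme, host and path, so http:// and
        # https:// variants of the same repository count as different origins.
        if url not in approved:
            findings.append(("unapproved-origin", f"{publisher}={url}"))
    # The course text recommends installing the entire package.
    if "pkg:/entire" not in packages.get("install", []):
        findings.append(("entire-not-installed", ""))
    return findings


# Software section of the default manifest shown on the slides (DOCTYPE omitted).
DEFAULT_MANIFEST = """
<auto_install>
  <ai_instance name="default">
    <software type="IPS">
      <source>
        <publisher name="solaris">
          <origin name="http://pkg.oracle.com/solaris/release"/>
        </publisher>
      </source>
      <software_data action="install">
        <name>pkg:/entire</name>
        <name>pkg:/group/system/solaris-large-server</name>
      </software_data>
    </software>
  </ai_instance>
</auto_install>
"""

# Constructed custom manifest: hypothetical internal origin, no pkg:/entire.
CUSTOM_MANIFEST = """
<auto_install>
  <ai_instance name="custom">
    <software type="IPS">
      <source>
        <publisher name="solaris">
          <origin name="http://repo.example.internal/solaris"/>
        </publisher>
      </source>
      <software_data action="install">
        <name>pkg:/group/system/solaris-large-server</name>
      </software_data>
    </software>
  </ai_instance>
</auto_install>
"""

APPROVED_ORIGINS = ["http://pkg.oracle.com/solaris/release"]  # site policy (assumption)

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_MANIFEST), ("custom", CUSTOM_MANIFEST)):
        print(label, review_manifest(text, APPROVED_ORIGINS))
```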

The Criteria Manifest

• Associates client-specific installation instructions with AI services
• Uses an AI manifest selection algorithm
• Uses multiple non-overlapping criteria
• Can be added using the installadm create-manifest command:
installadm create-manifest \
-f /export/manifests/manifest_x86.xml \
-n s11-x86 \
-C /export/manifests/criteria_x86.xml

The criteria manifest allows you to associate client-specific installation instructions with AI
services. When the client matches the criteria that have been specified for a criteria manifest,
the client uses that manifest.
An AI manifest is selected for a client according to the following algorithm:
• If custom manifests are defined for this install service but the client does not match
criteria for any custom manifest, the client uses the default manifest.
• If the client matches criteria that have been specified for a custom manifest, the client
uses the associated manifest.


If client characteristics match multiple manifests, the client characteristics are evaluated in the
following order:
• mac
• ipv4
• platform
• arch
• cpu
• mem
For example, if one criteria specification matches the client’s MAC address and another
criteria specification matches the same client’s IP address, the manifest associated with the
MAC address criteria specification is used, because mac is higher priority for selection than
ipv4.
You use the installadm create-manifest command to add a criteria manifest to a
service, as in this example:
pfexec installadm create-manifest -f /export/manifests/manifest_x86.xml -n s11-x86 \
-C /export/manifests/criteria_x86.xml
In this case, when a client meets the criteria identified in the criteria_x86.xml criteria file,
the manifest_x86.xml will be applied to that client.

Criteria Manifest: Examples

• arch criteria manifest file:

<ai_criteria_manifest>
  <ai_criteria name="arch">
    <value>i86pc</value>
  </ai_criteria>
</ai_criteria_manifest>

• mac criteria manifest file:

<ai_criteria_manifest>
  <ai_criteria name="mac">
    <value>0:14:4F:20:53:94</value>
  </ai_criteria>
</ai_criteria_manifest>

• ipv4 criteria manifest file:

<ai_criteria_manifest>
  <ai_criteria name="ipv4">
    <value>192.168.0.114</value>
  </ai_criteria>
</ai_criteria_manifest>

This slide shows examples of arch, mac, and ipv4 criteria files.
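The selection rule described above (mac before ipv4 before platform, arch, cpu, and mem) can be modelled in a few lines. This is an added example, not installadm's own code: it parses criteria files in the format shown on the slide and picks the manifest whose matching criterion ranks highest. It assumes single-value criteria only, that every criterion in a file must match the client, and hypothetical manifest names.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Evaluation order from the course text: earlier entries win.
PRIORITY = ["mac", "ipv4", "platform", "arch", "cpu", "mem"]


def normalize(name, value):
    """Canonicalise a value so '0:14:4F:20:53:94' equals '00:14:4f:20:53:94'."""
    value = value.strip()
    if name == "mac":
        parts = value.replace("-", ":").split(":")
        if len(parts) != 6:
            raise ValueError(f"not a MAC address: {value!r}")
        return ":".join(f"{int(p, 16):02x}" for p in parts)
    if name == "ipv4":
        return str(ipaddress.IPv4Address(value))
    return value.lower()


def parse_criteria(xml_text):
    """Return {criterion name: normalised value} from an <ai_criteria_manifest>."""
    root = ET.fromstring(xml_text)
    if root.tag != "ai_criteria_manifest":
        raise ValueError(f"unexpected root element <{root.tag}>")
    criteria = {}
    for crit in root.findall("ai_criteria"):
        name, value = crit.get("name"), crit.findtext("value")
        if name not in PRIORITY or value is None:
            raise ValueError(f"unsupported criterion: {name!r}")
        criteria[name] = normalize(name, value)
    return criteria


def select_manifest(client, manifests, default="default"):
    """Pick the manifest for a client.

    client    -> {"mac": ..., "ipv4": ..., "arch": ...} (string values)
    manifests -> list of (manifest name, criteria XML text)
    """
    facts = {k: normalize(k, v) for k, v in client.items()}
    best = None  # (rank, manifest name); a lower rank is a higher priority
    for manifest_name, criteria_xml in manifests:
        criteria = parse_criteria(criteria_xml)
        # Assumption: every criterion in a specification must match the client.
        if not criteria or any(facts.get(k) != v for k, v in criteria.items()):
            continue
        rank = min(PRIORITY.index(k) for k in criteria)
        if best and best[0] == rank:
            # The slide calls for non-overlapping criteria; treat a tie as an error.
            raise ValueError(
                f"{manifest_name} and {best[1]} overlap on {PRIORITY[rank]}")
        if best is None or rank < best[0]:
            best = (rank, manifest_name)
    return best[1] if best else default


def criteria_file(name, value):
    """Build a criteria file in the slide's format."""
    return (f'<ai_criteria_manifest><ai_criteria name="{name}">'
            f"<value>{value}</value></ai_criteria></ai_criteria_manifest>")


# Criteria values come from the slide; the manifest names are hypothetical.
MANIFESTS = [
    ("manifest_arch", criteria_file("arch", "i86pc")),
    ("manifest_mac", criteria_file("mac", "0:14:4F:20:53:94")),
    ("manifest_ipv4", criteria_file("ipv4", "192.168.0.114")),
]

if __name__ == "__main__":
    client = {"mac": "00:14:4f:20:53:94", "ipv4": "192.168.0.114", "arch": "i86pc"}
    print(select_manifest(client, MANIFESTS))
```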

System Configuration Profiles

• SC profiles specify client configuration.
• SC profiles set SMF properties for appropriate SMF services.
• SC profiles are applied during the first client boot after installation.
• AI clients have multiple SC profiles.
• If no SC profile is specified, the interactive system configuration tool is used at first client boot.
• SC profiles are created using the sysconfig create-profile utility.

The System configuration profiles (SC profiles) specify client system configuration as a set of
configuration parameters in the form of a Service Management Facility (SMF) profile. The SC
profile sets SMF properties for appropriate SMF services.
SC profiles are applied during the first boot of the system after AI installation. SMF services
responsible for particular configuration areas process SMF properties and configure the
system accordingly.
Each client can use any number of SC profiles. For example, a client might be assigned one
profile that provides only the hostname and IP address for that client. The same client and
many other clients might be assigned other profiles that set more broadly applicable property
values. If no SC profile is provided for a particular client, the interactive configuration tool is
started on that client.
The SC profiles can be created using the sysconfig create-profile utility or using a
text editor.


SC Profile: Example

<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="profile" name="sysconfig">
  <service version="1" type="service" name="system/config-user">
    <instance enabled="true" name="default">
      <property_group type="application" name="root_account">
        <propval type="astring" name="login" value="root"/>
        <propval type="astring" name="password"
                 value="$5$bypT4oRp$Dsy3J0FhJNBXqlxDtCJjlqk3k3ZHAg8cb98bPLs3kI9"/>
        <propval type="astring" name="type" value="role"/>
      </property_group>
      <property_group type="application" name="user_account">
        <propval type="astring" name="login" value="oracle1"/>
        <propval type="astring" name="password"
                 value="$5$LuaMBnZg$m2YIULH2KoMJeTIm2ahxm08rsKEmMQxYtK8KHMKwFr6"/>
        <propval type="astring" name="type" value="normal"/>
        <propval type="astring" name="description" value="Oracle"/>
        <propval type="count" name="gid" value="10"/>
        <propval type="astring" name="shell" value="/usr/bin/bash"/>
        <propval type="astring" name="roles" value="root"/>
        <propval type="astring" name="profiles" value="System Administrator"/>

The SC profile is used to configure client systems. This slide shows entries for configuring the
initial standard user and root role.


SC Profile: Example

        <propval type="astring" name="sudoers" value="ALL=(ALL) ALL"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/timezone">
    <instance enabled="true" name="default">
      <property_group type="application" name="timezone">
        <propval type="astring" name="localtime" value="US/Mountain"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/identity">
    <instance enabled="true" name="node">
      <property_group type="application" name="config">
        <propval type="astring" name="nodename" value="s11-client3"/>
      </property_group>
    </instance>
  </service>

This slide shows the entries for setting up the time zone and node host name.


SC Profile: Example

  <service version="1" type="service" name="system/keymap">
    <instance enabled="true" name="default">
      <property_group type="system" name="keymap">
        <propval type="astring" name="layout" value="US-English"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/console-login">
    <property_group type="application" name="ttymon">
      <propval type="astring" name="terminal_type" value="sun-color"/>
    </property_group>
  </service>
  <service version="1" type="service" name="network/physical">
    <instance enabled="true" name="default">
      <property_group type="application" name="netcfg">
        <propval type="astring" name="active_ncp" value="DefaultFixed"/>
      </property_group>
    </instance>
  </service>

This slide shows entries for setting up the system keymap, terminal type, and network type.


SC Profile: Example

  <service version="1" type="service" name="network/install">
    <instance enabled="true" name="default">
      <property_group type="application" name="install_ipv4_interface">
        <propval type="astring" name="address_type" value="static"/>
        <propval type="net_address_v4" name="static_address"
                 value="192.168.0.140/24"/>
        <propval type="astring" name="name" value="net0/v4"/>
      </property_group>
      <property_group type="application" name="install_ipv6_interface">
        <propval type="astring" name="stateful" value="yes"/>
        <propval type="astring" name="stateless" value="yes"/>
        <propval type="astring" name="address_type" value="addrconf"/>
        <propval type="astring" name="name" value="net0/v6"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/name-service/switch">
    <property_group type="application" name="config">
      <propval type="astring" name="default" value="files"/>
      <propval type="astring" name="host" value="files dns"/>
      <propval type="astring" name="printer" value="user files"/>
    </property_group>
    <instance enabled="true" name="default"/>
  </service>

This slide shows entries for configuring an IP address and the name-service switch.


SC Profile: Example

  <service version="1" type="service" name="network/dns/client">
    <property_group type="application" name="config">
      <property type="net_address" name="nameserver">
        <net_address_list>
          <value_node value="192.168.0.100"/>
        </net_address_list>
      </property>
      <property type="astring" name="search">
        <astring_list>
          <value_node value="mydomain.com"/>
        </astring_list>
      </property>
    </property_group>
    <instance enabled="true" name="default"/>
  </service>
</service_bundle>

This slide shows entries for configuring DNS.
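
An SC profile carries account password hashes and privilege assignments, so it is worth reviewing before it is attached to an install service. The following is an added example, not part of the course material or Oracle's tooling: it parses a profile in the layout shown above and reports the account-related properties. The sample profile, its placeholder hashes, and the accepted-scheme policy are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a shortened SC profile in the layout shown above.
# The password values are placeholders, not real crypt(3) output.
SAMPLE_PROFILE = """<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="profile" name="sysconfig">
  <service version="1" type="service" name="system/config-user">
    <instance enabled="true" name="default">
      <property_group type="application" name="root_account">
        <propval type="astring" name="login" value="root"/>
        <propval type="astring" name="password" value="$5$EXAMPLESALT$PLACEHOLDERHASH"/>
        <propval type="astring" name="type" value="role"/>
      </property_group>
      <property_group type="application" name="user_account">
        <propval type="astring" name="login" value="oracle1"/>
        <propval type="astring" name="password" value="$1$EXAMPLESALT$PLACEHOLDERHASH"/>
        <propval type="astring" name="roles" value="root"/>
        <propval type="astring" name="sudoers" value="ALL=(ALL) ALL"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="network/dns/client">
    <property_group type="application" name="config">
      <property type="net_address" name="nameserver">
        <net_address_list>
          <value_node value="192.168.0.100"/>
        </net_address_list>
      </property>
    </property_group>
    <instance enabled="true" name="default"/>
  </service>
</service_bundle>
"""

# crypt(3) scheme identifiers and the schemes this example accepts.
CRYPT_SCHEMES = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}
ACCEPTED_SCHEMES = {"5", "6"}  # assumption: site policy for new installs


def load_properties(xml_text):
    """Return {(service, property_group, property): [values]} for an SC profile."""
    root = ET.fromstring(xml_text)
    if root.tag != "service_bundle" or root.get("type") != "profile":
        raise ValueError("not an SMF profile bundle")
    props = {}
    for service in root.iter("service"):
        # Property groups may sit directly under the service or under an instance.
        for group in service.iter("property_group"):
            base = (service.get("name", "?"), group.get("name", "?"))
            for propval in group.findall("propval"):
                props[base + (propval.get("name", "?"),)] = [propval.get("value", "")]
            for prop in group.findall("property"):
                props[base + (prop.get("name", "?"),)] = [
                    node.get("value", "") for node in prop.iter("value_node")]
    return props


def hash_scheme(value):
    """Return the scheme id of a '$id$salt$hash' string, or None."""
    parts = value.split("$")
    if len(parts) >= 4 and parts[0] == "" and parts[1]:
        return parts[1]
    return None


def audit_profile(xml_text):
    """Return (level, location, message) findings for account settings."""
    findings = []
    for (service, group, name), values in sorted(load_properties(xml_text).items()):
        where = f"{service}/{group}/{name}"
        value = values[0] if values else ""
        if name == "password":
            scheme = hash_scheme(value)
            label = CRYPT_SCHEMES.get(scheme, "unrecognised")
            if scheme in ACCEPTED_SCHEMES:
                findings.append(("info", where,
                                 f"{label} hash stored in profile; keep the file access-restricted"))
            else:
                findings.append(("warn", where, f"{label} password format is outside policy"))
        elif name == "roles" and "root" in [r.strip() for r in value.split(",")]:
            findings.append(("info", where, "account can assume the root role"))
        elif name == "sudoers":
            compact = "".join(value.split()).upper()
            if compact.startswith("ALL=(ALL") and compact.endswith("ALL"):
                findings.append(("warn", where, "unrestricted sudo rule"))
    return findings


if __name__ == "__main__":
    for level, where, message in audit_profile(SAMPLE_PROFILE):
        print(f"{level:5} {where}: {message}")
```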


Administering the AI SMF Service

• Enable the AI SMF service:

svcadm enable svc:/system/install/server:default

• Disable the AI SMF service:

svcadm disable svc:/system/install/server:default

This slide shows how to enable and disable the AI SMF service.


AI Server Configuration Walkthrough

root@s11-serv1:~# mkdir -p /export/ai/custom_ai
root@s11-serv1:~# installadm create-service -n custom_ai \
    -s /opt/ora/course_files/sol-11-dev-171-ai-x86.iso \
    -i 192.168.0.130 -c 5 -d /export/ai/custom_ai
root@s11-serv1:~# installadm create-client -e \
    08:00:27:85:C7:D8 -n custom_ai

This slide begins a step-by-step walkthrough for configuring an AI service. This walkthrough
includes:
• Creating the AI service
• Adding a client to the AI service
• Creating a custom manifest
• Creating a criteria manifest
• Adding manifests to the AI service
• Creating an SC profile
• Adding the profile to the AI service
• Validating the SC profile
In this slide, you create a new AI service named custom_ai in the
/export/ai/custom_ai directory. The AI image used in this service is
sol-11-dev-171-ai-x86.iso (Oracle Solaris 11 Build 171). Next, you add client
08:00:27:85:C7:D8 to the custom_ai AI service.


AI Server Configuration Walkthrough

root@s11-serv1:~# vi /var/tmp/manifests/custom_manifest.xml
<!DOCTYPE auto_install SYSTEM "file:///usr/share/install/ai.dtd">
<auto_install>
  <ai_instance name="custom_ai" auto_reboot="true">
    <target>
      <logical>
        <zpool name="rpool" is_root="true">
          <filesystem name="export" mountpoint="/export"/>
          <filesystem name="export/home"/>
          <be name="solaris"/>
        </zpool>
      </logical>
    </target>
    <software type="IPS">
      <source>
        <publisher name="solaris">
          <origin name="http://s11-serv1.mydomain.com"/>
        </publisher>
      </source>

Now that the custom_ai service exists, you create a custom manifest file named
custom_manifest.xml. Here, you set the image name to custom_ai. This results in a
manifest name (identifier) that is used to manage the manifest. Next, the target element
configures the client default boot disk using Oracle Solaris 11 standard conventions. Then,
you set the IPS publisher to a local origin (http://s11-serv1.mydomain.com).


AI Server Configuration Walkthrough

      <software_data action="install">
        <name>pkg:/entire</name>
        <name>pkg:/group/system/solaris-large-server</name>
      </software_data>
    </software>
  </ai_instance>
</auto_install>
root@s11-serv1:~# vi /var/tmp/manifests/criteria_custom_ai.xml
<ai_criteria_manifest>
  <ai_criteria name="mac">
    <value>
      08:00:27:85:C7:D8
    </value>
  </ai_criteria>
</ai_criteria_manifest>

This slide continues the custom_manifest.xml edit. Here, you identify which software packages
are to be loaded on the client system from the IPS server.
After the custom manifest build is completed, you create a criteria manifest for the client
system. In this case, you use the client’s MAC address as the criteria.


AI Server Configuration Walkthrough

root@s11-serv1:~# installadm add-manifest -n custom_ai \
    -f /var/tmp/manifests/custom_manifest.xml \
    -C /var/tmp/manifests/criteria_custom_ai.xml
root@s11-serv1:~# sysconfig create-profile \
    -o /var/tmp/manifests/client_profile.xml
root@s11-serv1:~# installadm create-profile -n custom_ai \
    -f /var/tmp/manifests/client_profile.xml -p client_profile \
    -C /var/tmp/manifests/criteria_custom_ai.xml
root@s11-serv1:~# installadm validate -n custom_ai \
    -p client_profile

Now that the custom manifest and criteria manifest are built, you associate them with the
custom_ai AI service using the installadm add-manifest command.
Next, you use the sysconfig create-profile utility to create a system configuration
profile named client_profile for the AI client. The sysconfig create-profile
utility starts the interactive system configuration tool, which guides you through the SC profile
design.
After the SC profile is completed, you use the installadm create-profile command to
associate the new SC profile with the custom_ai AI service and the client criteria manifest.
Finally, you validate the SC profile. If the SC profile passes validation checks, the AI service is
completed and available.


Agenda

• Introducing Oracle Solaris 11 Operating System installation options
• Performing interactive installations of the Oracle Solaris 11 Operating System
• Configuring an AI Server and clients
• Comparing and converting JumpStart to AI
• Working with the distribution constructor


Comparing JumpStart to AI

| Task | JumpStart | AI |
| --- | --- | --- |
| Set up an install server. | Use the setup_install_server command. | Use the installadm create-service command. |
| Add clients to the installation. | Use the add_install_client command. | Use the installadm create-client command. |
| Specify installation instructions. | Use profile files. | Use AI manifest files. |
| Specify client customization. | Use rules files to associate clients with profile files. | Use the installadm set-criteria command. |
| Specify post-installation client configuration. | Use finish scripts and sysidcfg files. | Use sc-profile files. |

This table in the slide compares the methods used to accomplish JumpStart tasks and AI
tasks.


Comparing Rules Keywords and Criteria Directives

JumpStart Rules File Keyword: any
AI Criteria File Directives:
  For client systems that do not match any selection criteria, the AI install
  service provides a default AI manifest.

JumpStart Rules File Keyword: arch sparc
AI Criteria File Directives:
  Command option: -c cpu=sparc
  Criteria file:
  <ai_criteria name="cpu">
    <value>sparc</value>
  </ai_criteria>

JumpStart Rules File Keyword: karch i86pc
AI Criteria File Directives:
  Command option: -c arch=i86pc
  Criteria file:
  <ai_criteria name="arch">
    <value>i86pc</value>
  </ai_criteria>

This table compares Oracle Solaris 10 JumpStart rules file keywords to Oracle Solaris 11 AI
criteria file directives.


Comparing Rules Keywords and Criteria Directives

JumpStart Rules File Keyword: hostaddress xx.xx.xx.xx
AI Criteria File Directives:
  Command option: -c ipv4=xx.xx.xx.xx
  Criteria file:
  <ai_criteria name="ipv4">
    <value>xx.xx.xx.xx</value>
  </ai_criteria>

JumpStart Rules File Keyword: network xx.xx.xx.xx
AI Criteria File Directives:
  Use ipv4 with a range.
  Command option: -c ipv4=xx.xx.xx.xx-yy.yy.yy.yy
  Criteria file:
  <ai_criteria name="ipv4">
    <range>xx.xx.xx.xx yy.yy.yy.yy</range>
  </ai_criteria>

JumpStart Rules File Keyword: hostname xxxxxx
AI Criteria File Directives:
  To uniquely identify a host in AI, use either the IP address or the MAC address.

This table continues the comparison of Oracle Solaris 10 JumpStart rules file keywords to
Oracle Solaris 11 AI criteria file directives.


Comparing Rules Keywords and Criteria Directives

JumpStart Rules File Keyword: memsize xxxx
AI Criteria File Directives:
  Command option: -c mem=xxxx
  Criteria file:
  <ai_criteria name="mem">
    <value>xxxx</value>
  </ai_criteria>

JumpStart Rules File Keyword: model 123-xyz
AI Criteria File Directives:
  Use ipv4 with a range.
  Command option: -c platform=123-xyz
  Criteria file:
  <ai_criteria name="platform">
    <range>123-xyz</range>
  </ai_criteria>

This table continues the comparison of Oracle Solaris 10 JumpStart rules file keywords to
Oracle Solaris 11 AI criteria file directives.
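
The keyword mapping in the tables above, as an added example (not from the course material or Oracle's tooling): it converts a JumpStart rules line into an AI criteria manifest for the arch, karch, hostaddress, network and memsize rows, and reports hostname and any as manual actions. The rules-line layout (match pairs joined by &&, followed by begin, profile and finish fields), the sample rules, and the prefix length used to turn a network number into an ipv4 range are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# JumpStart keyword -> AI criteria name, as in the comparison tables above.
VALUE_KEYWORDS = {"arch": "cpu", "karch": "arch",
                  "hostaddress": "ipv4", "memsize": "mem"}

# Keywords the tables resolve without a criteria element.
MANUAL_NOTES = {
    "any": "no criteria needed: unmatched clients get the default AI manifest",
    "hostname": "no hostname criteria: identify the host by ipv4 or mac",
}

# Constructed sample rules lines (profile names are hypothetical).
SAMPLE_RULES = [
    "karch i86pc && network 192.168.0.0 - x86_prof -",
    "hostaddress 192.168.0.114 - host_prof -",
    "hostname s11-client3 - name_prof -",
    "any - - any_prof -",
]


def convert_rule(keyword, value, prefix=24):
    """Return (kind, criteria_name, text); kind is 'value', 'range' or 'manual'."""
    if keyword in MANUAL_NOTES:
        return ("manual", None, MANUAL_NOTES[keyword])
    if keyword == "hostaddress":
        value = str(ipaddress.IPv4Address(value))  # rejects malformed addresses
    if keyword in VALUE_KEYWORDS:
        return ("value", VALUE_KEYWORDS[keyword], value)
    if keyword == "network":
        # Assumption: the caller supplies the prefix length. strict=True rejects
        # a network number that has host bits set for that prefix.
        net = ipaddress.IPv4Network(f"{value}/{prefix}", strict=True)
        return ("range", "ipv4", f"{net.network_address} {net.broadcast_address}")
    raise ValueError(f"keyword {keyword!r} is not handled by this example")


def parse_rules_line(line):
    """Split 'kw val [&& kw val]... begin profile finish' into (pairs, profile)."""
    tokens = line.split()
    if len(tokens) < 5:
        raise ValueError("expected: keyword value ... begin profile finish")
    match, (begin, profile, finish) = tokens[:-3], tokens[-3:]
    pairs = []
    for chunk in " ".join(match).split("&&"):
        fields = chunk.split()
        if len(fields) != 2 or fields[0].startswith("!"):
            raise ValueError(f"unsupported rule expression: {chunk.strip()!r}")
        pairs.append((fields[0], fields[1]))
    return pairs, profile


def rules_line_to_criteria(line, prefix=24):
    """Return (criteria manifest XML, profile name, manual-action notes)."""
    pairs, profile = parse_rules_line(line)
    root = ET.Element("ai_criteria_manifest")
    notes, seen = [], set()
    for keyword, value in pairs:
        kind, name, text = convert_rule(keyword, value, prefix)
        if kind == "manual":
            notes.append(f"{keyword}: {text}")
            continue
        if name in seen:
            # e.g. hostaddress and network both map to the ipv4 criteria
            raise ValueError(f"criteria {name!r} would be set twice")
        seen.add(name)
        criteria = ET.SubElement(root, "ai_criteria", name=name)
        ET.SubElement(criteria, kind).text = text
    ET.indent(root)  # Python 3.9+
    return ET.tostring(root, encoding="unicode"), profile, notes


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        xml_text, profile, notes = rules_line_to_criteria(rule)
        print(f"# {rule}  (profile: {profile})")
        print(xml_text)
        for note in notes:
            print(f"# manual: {note}")
```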


Converting a JumpStart Profile to an AI Manifest

JumpStart Rules File Keyword: boot_device c0t0d0s0 update
AI Manifest Directives:
  <target>
    <target_device>
      <disk>
        <disk_name name="c0t0d0" name_type="ctd"/>
        <slice name="0" is_root="true" force="true"/>
      </disk>
    </target_device>
  </target>

JumpStart Rules File Keyword: bootenv
AI Manifest Directives:
  A boot environment is automatically created on the Oracle Solaris OS.

JumpStart Rules File Keyword: cluster SUNWCXall
AI Manifest Directives:
  <software_data action="install" type="IPS">
    <name>pkg:/entire</name>
    <name>pkg:/group/system/solaris-desktop</name>
  </software_data>

This table shows how to convert Oracle Solaris 10 JumpStart rules file keywords to Oracle
Solaris 11 AI manifest directives.


Converting a JumpStart Profile to an AI Manifest

JumpStart Rules File Keyword: fdisk c0t3d0 solaris maxfree
AI Manifest Directives:
  <target>
    <target_device>
      <disk>
        <disk_name name="c0t3d0" name_type="ctd"/>
        <partition name="1" part_type="SOLARIS"/>
      </disk>
    </target_device>
  </target>

JumpStart Rules File Keyword: filesys
AI Manifest Directives:
  AI creates ZFS file systems, not UFS file systems.

JumpStart Rules File Keyword: geo
AI Manifest Directives:
  Geographic regions for language support are specified through pkg group packages.

JumpStart Rules File Keyword: locale
AI Manifest Directives:
  Locale support is specified through pkg group packages.

This table shows how to convert Oracle Solaris 10 JumpStart rules file keywords to Oracle
Solaris 11 AI manifest directives.


Converting a JumpStart Profile to an AI Manifest

JumpStart Rules File Keyword: package 123xyz add
AI Manifest Directives:
  <software name="IPS">
    <software_data action="install" type="IPS">
      <name>pkg:/entire</name>
      <name>pkg:/solaris-small-server</name>
      <name>pkg:/xxxxxx/123xyz</name>
    </software_data>
  </software>

JumpStart Rules File Keyword: package 123xyz delete
AI Manifest Directives:
  <software_data action="uninstall" type="IPS">
    <name>pkg:/xxxxxx/123xyz</name>
  </software_data>

This table shows how to convert Oracle Solaris 10 JumpStart rules file keywords to Oracle
Solaris 11 AI manifest directives.


Agenda

• Introducing Oracle Solaris 11 Operating System installation options
• Performing interactive installations of the Oracle Solaris 11 Operating System
• Configuring an AI Server and clients
• Converting JumpStart to AI
• Working with the distribution constructor


Distribution Constructor

• Is used to build custom Oracle Solaris images
• Builds an ISO image or Virtual Machine
• Allows customized versions of the following Oracle Solaris 11 image types:
  – x86 or SPARC Oracle Solaris text installer image
  – Oracle Solaris x86 LiveCD image
  – x86 or SPARC ISO image for Automated Installations
  – x86 Oracle Solaris Virtual Machine
• The distribution-constructor package contains:
  – The distro_const command-line utility
  – Manifest files

You use the distribution constructor to build custom Oracle Solaris images. These images can
be used to install the Oracle Solaris software on individual systems, multiple systems, or
Virtual Machines (VMs) that run the Oracle Solaris 11 operating system. The distribution
constructor takes an XML manifest file as input and builds an ISO image or Virtual Machine
image that is based on the parameters specified in the manifest file.
Using the distribution constructor, you can build customized versions of the following types of
Oracle Solaris 11 images:
• x86 or SPARC Oracle Solaris Text installer image
• Oracle Solaris x86 LiveCD image
• x86 or SPARC ISO image for Automated Installations
• x86 Oracle Solaris Virtual Machine
The distribution constructor is distributed in the distribution-constructor package. The
distribution-constructor package contains the distro_const command-line utility for
building custom Oracle Solaris images and Virtual Machine images. It also contains default
manifest files that are used to describe the various image types.


Distribution Constructor Manifest Files

| Manifest File | Manifest Type | Description |
| --- | --- | --- |
| text_mode_x86.xml | x86 Text installer ISO image | Used to create an ISO image that you can boot to initiate a Text installation of the Oracle Solaris OS on x86 machines |
| text_mode_sparc.xml | SPARC Text installer ISO image | Used to create an ISO image that you can boot to initiate a Text installation of the Oracle Solaris OS on SPARC machines |
| all_lang_slim_cd_x86.xml | x86 LiveCD ISO image | Used to create an ISO image comparable to the Oracle Solaris LiveCD |
| ai_sparc_image.xml | SPARC AI ISO image | Used to create a SPARC AI ISO image for automated installations of the Oracle Solaris OS to SPARC clients |
| ai_x86_image.xml | x86 AI ISO image | Used to create an x86 AI ISO image for automated installations of the Oracle Solaris OS to x86 clients |
| vmc_image.xml | x86 Virtual Machine | Used to create a Virtual Machine image |

This table lists the default manifest files shipped with the distribution-constructor package.
After you install the distribution-constructor package, you can locate these manifest files in the
/usr/share/distro_const/image_type directory.
The distribution-constructor package also contains additional “finalizer” scripts that can be
used to make installation customizations based on the type of image that you are building.
The manifest files point to the finalizer scripts, and the finalizer scripts transform the generic
image into a media-specific distribution. You can create your own finalizer scripts. If you do
create new scripts, edit the manifest files to point to these new scripts.
Note: See the Oracle Solaris 11 Distribution Constructor Guide for more information about
creating custom finalizer scripts.


Building an OS Image

• The build process can be performed in one step:
  distro_const build manifest
• Checkpointing is enabled by default.
• The build process can be stopped and resumed at a specific checkpoint (step):
  distro_const build -p step manifest
  distro_const build -r step manifest
• Checkpointing can be disabled by setting checkpoint_enable to false.

Building an OS image can be done in one step by using the distro_const command
without options. You use the options provided in the distro_const command to stop and
restart the build process at various stages in the image-generation process, in order to check
and debug your selection of files, packages, and scripts for the image that is being built. This
process of stopping and restarting during the build process is called checkpointing.
Checkpointing supports the process of developing and debugging images. You can start
building an image, pause at any stage you want and examine the contents of the image, and
then resume building the image. Checkpointing is optional. The checkpointing feature is
enabled by default in the manifest file. A ZFS dataset, or a mount point that correlates to a
ZFS dataset, must be specified as the build area.
Checkpointing allows you to stop and resume at a specific checkpoint (step).
Example:
• distro_const build -p step manifest
• distro_const build -r step manifest
Alternatively, you can disable checkpointing in the manifest file by setting the
checkpoint_enable parameter to false.
Checkpointing should not be disabled, because it makes debugging problems very difficult.


Quiz

Which of the following best describes the components that make up the AI service?
a. AI server, IPS server, and DNS server
b. AI server, DHCP server, and IPS server
c. AI server, DHCP server, and DNS server
d. AI server, DHCP server, IPS server, and DNS server

Answer: b


Quiz

Which of the following AI components provides installation instructions to the client system?
a. AI server
b. DHCP server
c. IPS repository

Answer: a


Quiz

During an automated installation, the client system that is being installed always requires access to an IPS repository.
a. True
b. False

Answer: b


Quiz

Which command is used to reconfigure a Solaris 11 image to a pristine state?
a. sysconfig -d image-name
b. sysconfig -u image-name
c. sysconfig unconfigure
d. sysconfig deconfigure

Answer: c


Quiz

Which command is used to create a system configuration (SC) profile?
a. screate -o /var/tmp/output_file.xml
b. sysconfig create-sc -f /var/tmp/output_file.xml
c. screate -f /var/tmp/output_file.xml
d. sysconfig create-profile -o /var/tmp/output_file.xml

Answer: d


Quiz

Which command enables you to build an OS image in one step?
a. distro_const
b. distro_const build
c. distro_const build manifest

Answer: c


Summary
In this lesson, you should have learned how to:
• Describe Oracle Solaris 11 installation options
• Plan for an Oracle Solaris 11 installation
• Describe an Oracle Solaris 11 LiveCD installation
• Describe an Oracle Solaris 11 Text installation
• Describe an Oracle Solaris 11 Automated installation
• Configure a system image
• Configure an AI server
• Configure an AI client
• Install Oracle Solaris 11 by using AI
• Compare a JumpStart OS installation to an AI OS installation
• Convert a JumpStart configuration to an AI configuration
• Describe the distribution constructor

In this lesson, you were presented with the Oracle Solaris 11 installation options. You were
shown how to install the operating system using the interactive options (text installer and
LiveCD) as well as automated installation. You then spent some time looking at how to
configure an AI server and client. You also had the opportunity to compare a JumpStart OS
installation to an AI OS installation and see how to perform the conversion. Finally, you were
introduced to the distribution constructor and shown how to build an OS image.


Practices 4-3, 4-4, and 4-5: Overview

These practices cover the following topics:
• Installing Oracle Solaris 11 network clients by using the Automated Installer (AI)
• Verifying that the system meets AI requirements
• Configuring the AI server
• Deploying the OS to network clients
• Configuring an OS image


Administering Oracle Solaris 11 Zones

Objectives

After completing this lesson, you should be able to:
• Describe the new zone features and enhancements
• Configure a Solaris 10 zone
• Perform a virtual-to-virtual migration of zones present in the source system (V2V)
• Migrate a physical Solaris 10 system to a Solaris 10 zone (P2V)
• Configure a non-global zone by using AI
• Monitor zone resource consumption
• Describe how to delegate zone administration

This lesson introduces you to the new Oracle Solaris 11 zones features and enhancements.
You learn how to configure a Solaris 10 zone in Oracle Solaris 11 and migrate Solaris 10
zones from Oracle Solaris 10. Finally, you monitor zone resource consumption and delegate
zone administration.


Agenda

• Introducing Oracle Solaris 11 zones
• Migrating Solaris 10 zones
• Configuring zones by using AI
• Monitoring zone resource consumption

Oracle Solaris 11 Zones


Oracle Solaris Zones is a built-in OS virtualization technology with a long and distinguished pedigree.
One of the most highly adopted, highly used, mature virtualization technologies, Oracle
Solaris Zones was first introduced as a core part of Oracle Solaris 10. As of Oracle Solaris 11,
Oracle Solaris Zones becomes even more central to both the application and the end user.
Enhancements and new features include:
• Integration into the new packaging system (IPS)
• Support for Oracle Solaris 10 Zones
• Integration with the new Oracle Solaris 11 network stack architecture
• Improved observability
• Increased control over administration
• Tight integration with ZFS


New Zones Features

Zones Feature | Description
Solaris 10 zones | Solaris 10 zones host Solaris 10 user environments inside zones on Oracle Solaris 11.
Boot environments for zones | Boot environments are integrated with Oracle Solaris Zones.
IPS integration | Oracle Solaris Zones have been integrated with the new IPS package management tools in Oracle Solaris 11.
Zone resource monitoring | Oracle Solaris 11 features a robust zones resource monitoring utility, zonestat.
Delegated administration | Delegate common zone administration tasks for specific zones to different administrators by using Role-Based Access Control (RBAC).

This slide shows the new Oracle Solaris 11 Zones features.


Oracle Solaris 10 Zones host Solaris 10 (S10) user environments inside zones on Oracle
Solaris 11. They are meant to help maintainers of Solaris 10 systems consolidate their
production environments onto systems running Oracle Solaris 11. Workloads running within
Solaris 10 zones can take advantage of the performance improvements made to the Oracle
Solaris 11 kernel and use some of the innovative technologies available only on Oracle
Solaris 11 (such as virtualized NICs). The Solaris 10 zones support x86 and SPARC Solaris
10 9/10 (or later released Oracle Solaris 10 update) zones. Note that it is possible to use an
earlier update release if you first install the kernel patch 142909-17 (SPARC) or 142909-17
(x86/x64), or later version.


Boot Environments for Zones


Boot environments are integrated with Oracle Solaris Zones. Zone root file systems use Zone
Boot Environment (ZBE) datasets. When a new boot environment is created by cloning an
existing one, the base boot environment’s zones are also cloned into the new boot
environment.
IPS Integration
Oracle Solaris Zones have been integrated with the new IPS package management tools in
Oracle Solaris 11. Zones require an active network connection for their creation and must be
manually updated (by using zoneadm attach -u) to stay in sync with the global zone.
Sparse root zones are not supported in Oracle Solaris 11.



Zone Resource Monitoring
Oracle Solaris 11 features a robust zones resource monitoring utility, zonestat. The
zonestat utility greatly enhances the observation of system resources consumed by Oracle
Solaris Zones. You can observe memory and CPU utilization, utilization of resource control
limits, and total utilization and per-zone utilization breakdowns over specified time periods.
Delegated Administration
With Oracle Solaris 11, you can delegate common zone administration tasks for specific
zones to different administrators by using Role-Based Access Control (RBAC). With
delegated administration, for each zone, a user or set of users may be identified with the
permissions to log in, manage, or clone that zone. These specific authorizations are
interpreted by the appropriate commands running in the global zone to allow access at the
correct authorization level to the correct user.


Oracle Solaris 10 Zones

• A complete runtime environment for Oracle Solaris 10
– Oracle Solaris 10 9/10 or later
• Supported on SPARC and x86 architectures
• Supports 32-bit and 64-bit applications
• Virtual-to-virtual (V2V)
• Physical-to-virtual (P2V)
• Supports only ZFS
• Limitations

The Oracle Solaris 10 zone is a complete run-time environment for Oracle Solaris 10
applications on SPARC and x86 machines running the Oracle Solaris 10 9/10 operating
system or later. You must install the s10 patch before you create the archive that will be used
to install the zone. The Oracle Solaris 10 zones are supported on all SPARC and x86
architecture machines that the Oracle Solaris 11 release has defined as supported platforms.
The Oracle Solaris 10 zone supports the execution of 32-bit and 64-bit Oracle Solaris 10
applications. Oracle Solaris 10 zones include the tools required to install an Oracle Solaris 10
system image into a zone.
You cannot install a Solaris 10 zone directly from Oracle Solaris 10 media. A physical-to-
virtual (P2V) capability is used to directly migrate an existing system to a zone on a target
system. The Oracle Solaris 10 zone also supports the tools used to migrate a Solaris 10 zone
to an Oracle Solaris 10 zone. The virtual-to-virtual (V2V) process for migrating a Solaris 10
zone into an Oracle Solaris 10 zone supports the same archive formats as P2V. The Oracle
Solaris 10 zone supports the whole root zone model. All of the required Oracle Solaris 10
software and any additional packages are installed into the private file systems of the zone.


The zone must reside on its own ZFS dataset; only ZFS is supported. The ZFS dataset will be
created automatically when the zone is installed or attached. If a ZFS dataset cannot be
created, the zone will not install or attach. Note that the parent directory of the zone path must
also be a ZFS dataset or the file system creation will fail. Any script or program that executes
in an Oracle Solaris 10 zone should also work in a Solaris 10 zone.
A /dev/sound device cannot be configured into the Solaris 10 zone.


Migrating Solaris 10 Zones (V2V)

1. Assess the Solaris 10 zone to be migrated.
2. Create an archive of the Solaris 10 zone to be migrated.
3. Prepare the Oracle Solaris 11 target system.
4. Migrate Solaris 10.

There are four key tasks to migrating an Oracle Solaris 10 zone to Oracle Solaris 11:
1. Assess the Solaris 10 zone to be migrated. An existing Oracle Solaris 10 9/10 system
(or later released Solaris 10 update) can be directly migrated into a Solaris 10 zone on
an Oracle Solaris 11 system. Depending on the services performed by the original
system, you might need to manually customize the zone after it has been installed. For
example, the privileges assigned to the zone might need to be modified or the network
interface might be different. It is critical that you examine the source system and collect the
following information:
- Host name
- Host ID
- Domain name
- Root password
- Running applications
- Networking
- Storage
- Zone configuration


2. Create an archive of the Solaris 10 zone to be migrated. You have a variety of methods
available for creating the archive. The installer can accept the following archive formats:
- flar image
- cpio archives
- gzip compressed cpio archives
- bzip2 compressed cpio archives
- pax archives created with the -x xustar (XUSTAR) format
- ufsdump level zero (full) backups
After you have created an archive, you must provide a method (such as NFS) of
transporting it to the target system.
3. Prepare the Oracle Solaris 11 target system. Before you can migrate the Solaris 10
zone, you must first prepare the target system. This normally involves:
- Configuring the client side of the image transport
- Installing the SUNWs10brand package
- Configuring the Solaris 10 zone
4. Migrate the Solaris 10 zone. After performing the previous task, use the zoneadm
attach subcommand to migrate the Solaris 10 zone. Finally, after completing the
migration, you can perform the post-migration configuration based on the information
that you gathered when assessing the source system.


Migrating Solaris 10 Global Zones (P2V)

1. Assess the global zone to be migrated.
2. Create an archive of the global zone to be migrated.
3. Prepare the Oracle Solaris 11 target system.
4. Migrate the Solaris 10 global zone.

There are four key tasks to migrating an Oracle Solaris 10 global zone to Oracle Solaris 11:
1. Assess the global zone to be migrated. An existing Oracle Solaris 10 9/10 system (or
later released Solaris 10 update) can be directly migrated into a Solaris 10 zone on an
Oracle Solaris 11 system. Depending on the services performed by the original system,
you might need to manually customize the zone after it has been installed. For example,
the privileges assigned to the zone might need to be modified or the network interface
might be different. It is critical that you examine the source system and collect the following
information:
- Host name
- Host ID
- Domain name
- Root password
- Running applications
- Networking
- Storage


2. Create an archive of the global zone to be migrated. You have a variety of methods
available for creating the archive. The installer can accept the following archive formats:
- flar image
- cpio archives
- gzip compressed cpio archives
- bzip2 compressed cpio archives
- pax archives created with the -x xustar (XUSTAR) format
- ufsdump level zero (full) backups
After you have created an archive, you must provide a method (such as NFS) of
transporting it to the target system.
3. Prepare the Oracle Solaris 11 target system. Before you can migrate the global zone,
you must first prepare the target system. This normally involves:
- Configuring the client side of the image transport
- Configuring the Solaris 10 zone
4. Migrate the Solaris 10 global zone. After performing the previous task, use the zoneadm
attach subcommand to migrate the Solaris 10 global zone. Finally, after completing
the migration, you can perform the post-migration configuration based on the information
that you gathered when assessing the source system.


Configuring Non-Global Zones by Using the Automated Installer (AI)

• AI supports non-global zone installation.
• AI manifest
• The configuration element
• The zone’s self-assembly SMF service

Oracle Solaris 11 supports non-global zone installation by using the Automated Installer (AI).
Non-global zones are installed and configured on the first reboot after the global zone is
installed. When a system is installed by using AI, non-global zones can be installed on that
system by using the configuration element in the AI manifest.
When the system first boots after the global zone installation, the zone’s self-assembly SMF
service (svc:/system/zones-install:default) configures and installs each non-
global zone defined in the global zone AI manifest.


Specifying a Non-Global Zone in the AI Manifest


</software>
<configuration type="zone" name="zone5" source="http://s11-ss.mydomain.com/zone_configs/zone5.cfg"/>
</ai_instance>
</auto_install>

This example shows an excerpt from an AI manifest file. The configuration element is
highlighted. You use the configuration element in the AI manifest for the client system to
specify non-global zones. Use the name attribute of the configuration element to specify
the name of the zone. Use the source attribute to specify the location of the configuration file
for the zone. The zone configuration file must be in zonecfg export format. AI copies this
configuration file onto the installed client system to be used to configure the zone. The source
location can be any http:// or file:// location that the client can access during installation.


Non-Global Zone Configuration Files

• Zone configuration file
• AI manifest
– zonename criteria keyword
• SC profile
– zonename criteria keyword

The following files are used to configure and install non-global zones:
• Zone configuration file: The zone configuration file is the zone's configuration in file form
from the output of the zonecfg export command. The location of the zone configuration
file is specified by the source attribute of the configuration element in the AI manifest. AI
copies this zone configuration file onto the installed client system to be used to configure the
zone.
• AI manifest (optional): This AI manifest for zone installation specifies packages to be
installed in the zone, along with publisher information and certificate and key files as
necessary. To provide a custom AI manifest for a zone, you add the manifest to the install
service that is installing the global zone. In the create-manifest command, specify the
zonename criteria keyword with the names of all zones that should use this AI manifest. If
you do not provide a custom AI manifest for a non-global zone, the default AI manifest for
zones is used.
• SC profile (optional): You can provide zero or more configuration files for a non-global zone.
These SC profiles are similar to the SC profiles for configuring the global zone. You might
want to provide SC profile files to specify zone configuration such as users and the root
password for the zone administrator. To provide SC profile files for a zone, add the
configuration profiles to the install service that is installing the global zone. In the create-
profile command, specify the zonename criteria keyword with the names of all zones
that should use this SC profile.


Adding a Non-Global Zone Manifest and Profile


# installadm create-manifest -n custom_ai -f /manifests/zone_ai \
-c zonename="zone5"
# installadm create-profile -n custom_ai \
-f /manifests/zone5_profile.xml -p zone5_profile \
-c zonename="zone5"
# installadm list -c -m -p -n custom_ai

Service Name  Client Address     Arch  Image Path
------------  --------------     ----  ----------
custom_ai     08:00:27:85:C7:D9  i386  /export/ai/custom_ai

Manifest   Status  Criteria
--------   ------  --------
custom_ai          mac = 08:00:27:85:C7:D9
zone_ai            zonename = zone5

Profile          Criteria
-------          --------
client4_profile  mac = 08:00:27:85:C7:D9
zone5_profile    zonename = zone5

This slide shows an example of adding a non-global zone manifest and a profile to an existing
AI service named custom_ai.


Delegating Zone Administration

• Delegate zones administration to different users.
• The auth property
– login (solaris.zone.login)
– manage (solaris.zone.manage)
– clone (solaris.zone.clonefrom)
• The admin zone property
– zonecfg:zone1> add admin
– zonecfg:zone1:admin> set user=oracle
– zonecfg:zone1:admin> set auths=login,manage
– zonecfg:zone1:admin> end

With Oracle Solaris 11, you can delegate common zone administration tasks for specific
zones to different administrators by using Role-Based Access Control (RBAC). With
delegated administration, for each zone, a user or set of users may be identified with the
permissions to log in, manage, or clone that zone. These specific authorizations associated
with the auth property are interpreted by the appropriate commands running in the global
zone to allow access at the correct authorization level to the correct user.
The admin zone property defines the username and the authorizations for that user for a
given zone (as shown in the example in the slide).
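
One way to review the admin delegations described above before a zone configuration is deployed, as an added example that is not part of the course material: the script parses zonecfg export text and reports every auths value a user holds beyond an approved set. The sample export, the user backupop, and the APPROVED policy are constructed for illustration.

```python
"""Audit delegated zone administration in `zonecfg export` text."""

# Authorization behind each auths value, as listed on the slide.
AUTH_NAMES = {
    "login": "solaris.zone.login",
    "manage": "solaris.zone.manage",
    "clone": "solaris.zone.clonefrom",
}

# Constructed sample of `zonecfg -z zone1 export` output with two admin
# resources; it is not taken from the course material.
SAMPLE_EXPORT = """\
create -b
set brand=solaris
set zonepath=/zones/zone1
set autoboot=false
add admin
set user=oracle
set auths=login,manage
end
add admin
set user=backupop
set auths=login,manage,clone
end
"""

# Hypothetical site policy: the most each user may hold on this zone.
APPROVED = {
    "oracle": {"login", "manage"},
    "backupop": {"login"},
}


def parse_admins(export_text):
    """Return {user: set(auths)} for every `add admin` ... `end` resource."""
    admins = {}
    in_admin = False
    current = {}
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "add admin":
            in_admin, current = True, {}
        elif line == "end":
            # `end` also closes other resource types; only admin is recorded.
            if in_admin:
                user = current.get("user")
                if user is None:
                    raise ValueError("admin resource without a user property")
                auths = {a.strip() for a in current.get("auths", "").split(",")}
                admins.setdefault(user, set()).update(a for a in auths if a)
            in_admin = False
        elif in_admin and line.startswith("set "):
            name, _, value = line[4:].partition("=")
            # Tolerate quoted or parenthesised values.
            current[name.strip()] = value.strip().strip('"()')
    if in_admin:
        raise ValueError("unterminated admin resource")
    return admins


def audit(export_text, approved):
    """List (user, auth, detail) for every delegation outside the policy."""
    findings = []
    for user, auths in sorted(parse_admins(export_text).items()):
        for auth in sorted(auths):
            if auth not in AUTH_NAMES:
                findings.append((user, auth, "unknown auths value"))
            elif auth not in approved.get(user, set()):
                findings.append((user, auth, AUTH_NAMES[auth]))
    return findings


if __name__ == "__main__":
    for user, auth, detail in audit(SAMPLE_EXPORT, APPROVED):
        print(f"{user}: {auth} ({detail}) is not approved for this zone")
```

A user missing from the policy is treated as having no approved authorizations, so every delegation to that user is reported.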


Monitoring Zone Resource Consumption

• The zonestat utility monitors zone resources:
– CPU consumption
– Memory consumption
– Resource control utilization
• The utility can print:
– A series of reports at specified intervals
– One or more summary reports
• The utility runs as a service in the global zone.

The zonestat utility reports on the CPU, memory, and resource control utilization of the
currently running zones. Each zone’s utilization is reported as a percentage of both system
resources and the zone’s configured limits.
The zonestat utility prints a series of reports at specified intervals. It can print one or more
summary reports. When run from within a zone, only processor sets visible to that zone are
reported. The zone output will include all of the memory resources and the limits resource.
The zonestat service in the global zone must be online to use the zonestat service in the
zone. The zonestat service in each zone reads system configuration and utilization data
from the zonestat service in the global zone. The zonestatd system daemon is started
during system boot. The daemon monitors the utilization of system resources by zones as
well as zone and system configuration information, such as psrset processor sets, pool
processor sets, and resource control settings. There are no configurable components.


Monitoring Zone Memory Consumption

root@s11-desktop:~# zonestat -z global -r physical-memory 5
Collecting data for first interval...
Interval: 1, Duration: 0:00:05
PHYSICAL-MEMORY SYSTEM MEMORY
mem_default 767M
ZONE USED PCT CAP %CAP
[total] 631M 82.2% - -
[system] 215M 28.1% - -
global 14.9M 1.94% - -
zone1 123M 15.8% - -
zone2 137M 18.3% - -

In the slide you see a zonestat utility report on zone memory consumption. This example
shows a summary of utilization every five seconds.


Monitoring Zone CPU Consumption

root@s11-desktop:~# zonestat -r default-pset 1 1m
Interval: 8, Duration: 0:00:08
PROCESSOR_SET TYPE ONLINE/CPUS MIN/MAX
pset_default default-pset 1/1 1/1
ZONE USED PCT CAP %CAP SHRS %SHR %SHRU
[total] 0.11 11.0% - - - - -
[system] 0.03 3.11% - - - - -
Global 0.06 6.01% - - - - -
Zone1 0.01 1.11% - - - - -
Zone2 0.00 0.82% - - - - -

In the slide you see a zonestat utility report on zone CPU (processor sets) consumption.
This example shows a report on the default processor set (pset) once a second for one
minute.


Total and High Zone Resource Consumption

root@s11-desktop:~# zonestat -q -R total,high 10s 1m 1m
Report: Total Usage
Start: Sat Apr 2 11:24:35 MDT 2011
End: Sat Apr 2 11:25:35 MDT 2011
Intervals: 6, Duration: 0:01:00
SUMMARY Cpus/Online: 1/1 Physical: 767M Virtual: 2000M
----------CPU---------- ----PHYSICAL----- -----VIRTUAL-----
ZONE USED %PART %CAP %SHRU USED PCT %CAP USED PCT %CAP
[total] 0.05 5.14% - - 635M 82.8% - 882M 44.0% -
[system] 0.02 2.28% - - 213M 27.8% - 324M 16.2% -
global 0.02 2.31% - - 15.1M 1.97% - 355M 17.7% -
zone1 0.00 0.47% - - 122M 15.9% - 184M 9.20% -
zone2 0.00 0.06% - - 0 0.00% - 17.6M 0.88% -

Report: High Usage
Start: Sat Apr 2 11:24:35 MDT 2011
End: Sat Apr 2 11:25:35 MDT 2011
Intervals: 6, Duration: 0:01:00
SUMMARY Cpus/Online: 1/1 Physical: 767M Virtual: 2000M
----------CPU---------- ----PHYSICAL----- -----VIRTUAL-----
ZONE USED %PART %CAP %SHRU USED PCT %CAP USED PCT %CAP
[total] 0.06 6.53% - - 636M 82.8% - 882M 44.1% -
[system] 0.02 2.42% - - 213M 27.8% - 325M 16.2% -
global 0.03 3.64% - - 15.1M 1.97% - 355M 17.7% -
zone1 0.00 0.67% - - 122M 15.9% - 184M 9.20% -
zone2 0.00 0.09% - - 0 0.00% - 17.6M 0.88% -

You can use the zonestat utility to report total and high zone resource utilization. In this
example, the zonestat utility silently monitors at 10-second intervals for one minute, and
then produces a report on the total and high utilizations.
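
An added example, not part of the course material, that turns the total and high reports shown on the slide into per-zone records and lists the zones at or above a utilization threshold, which helps when watching for a zone that is exhausting shared resources. The function names and threshold values are assumptions, and the parser expects the human-readable layout shown above.

```python
"""Parse `zonestat -q -R total,high` reports and flag heavily loaded zones."""

# Report text as shown on the slide (zonestat -q -R total,high 10s 1m 1m).
SAMPLE = """\
Report: Total Usage
Start: Sat Apr 2 11:24:35 MDT 2011
End: Sat Apr 2 11:25:35 MDT 2011
Intervals: 6, Duration: 0:01:00
SUMMARY Cpus/Online: 1/1 Physical: 767M Virtual: 2000M
----------CPU---------- ----PHYSICAL----- -----VIRTUAL-----
ZONE USED %PART %CAP %SHRU USED PCT %CAP USED PCT %CAP
[total] 0.05 5.14% - - 635M 82.8% - 882M 44.0% -
[system] 0.02 2.28% - - 213M 27.8% - 324M 16.2% -
global 0.02 2.31% - - 15.1M 1.97% - 355M 17.7% -
zone1 0.00 0.47% - - 122M 15.9% - 184M 9.20% -
zone2 0.00 0.06% - - 0 0.00% - 17.6M 0.88% -

Report: High Usage
Start: Sat Apr 2 11:24:35 MDT 2011
End: Sat Apr 2 11:25:35 MDT 2011
Intervals: 6, Duration: 0:01:00
SUMMARY Cpus/Online: 1/1 Physical: 767M Virtual: 2000M
----------CPU---------- ----PHYSICAL----- -----VIRTUAL-----
ZONE USED %PART %CAP %SHRU USED PCT %CAP USED PCT %CAP
[total] 0.06 6.53% - - 636M 82.8% - 882M 44.1% -
[system] 0.02 2.42% - - 213M 27.8% - 325M 16.2% -
global 0.03 3.64% - - 15.1M 1.97% - 355M 17.7% -
zone1 0.00 0.67% - - 122M 15.9% - 184M 9.20% -
zone2 0.00 0.09% - - 0 0.00% - 17.6M 0.88% -
"""

# Column names for the ten values that follow the zone name in each row.
COLUMNS = ("cpu_used", "cpu_part", "cpu_cap", "cpu_shru",
           "phys_used", "phys_pct", "phys_cap",
           "virt_used", "virt_pct", "virt_cap")
UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def to_number(token):
    """'-' -> None, '82.8%' -> 82.8, '636M' -> bytes, '0.06' -> 0.06."""
    if token == "-":
        return None
    if token.endswith("%"):
        return float(token[:-1])
    if token[-1] in UNITS:
        return float(token[:-1]) * UNITS[token[-1]]
    return float(token)


def parse_reports(text):
    """Return {report name: {zone: {column: value}}}."""
    reports, rows, in_table = {}, None, False
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            in_table = False          # a blank line ends the current table
        elif line.startswith("Report:"):
            rows = reports.setdefault(line.split(":", 1)[1].strip(), {})
            in_table = False
        elif fields[0] == "ZONE":
            in_table = True           # data rows follow the column header
        elif in_table and rows is not None:
            if len(fields) != len(COLUMNS) + 1:
                raise ValueError(f"unexpected row layout: {line!r}")
            rows[fields[0]] = dict(zip(COLUMNS, map(to_number, fields[1:])))
    return reports


def heavy_zones(reports, report="High Usage", phys_pct=15.0, cpu_part=50.0):
    """Zones at or above either threshold, skipping [total] and [system]."""
    flagged = []
    for zone, row in reports[report].items():
        if zone.startswith("["):
            continue
        if (row["phys_pct"] or 0) >= phys_pct or (row["cpu_part"] or 0) >= cpu_part:
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    for zone in heavy_zones(parse_reports(SAMPLE)):
        print(f"{zone}: at or above threshold in the high-usage report")
```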


Quiz

When creating an archive of the Solaris 10 zone to be migrated
to a Solaris 11 system, which of the following archive formats is
not supported?
a. zip
b. flar
c. gzip
d. cpio

Answer: a


Quiz

Which command is used to report zone CPU and memory
resource utilization?
a. zoneadm
b. zonestat
c. zoneprt
d. ztop

Answer: b


Summary

In this lesson, you should have learned how to:


• Describe the new zone features and enhancements
• Configure a Solaris 10 zone
• Perform a virtual-to-virtual migration of Solaris 10 zones present in the source system (V2V)
• Migrate a physical Solaris 10 system to a Solaris 10 zone (P2V)
• Configure a non-global zone by using AI
• Monitor zone resource consumption
• Describe how to delegate zone administration

In this lesson, you were presented with the new Oracle Solaris 11 zones features. You were
also shown the tasks involved in migrating Oracle Solaris 10 zones to Oracle Solaris 11. You
learned that non-global zones can be installed by using the AI service. Finally, you learned
how to monitor zone resource consumption and delegate zone administration.


Practice 5 Overview: Migrating Oracle Solaris 10 Zones to Oracle Solaris 11

This practice covers the following topics:
• Migrating Oracle Solaris 10 zones to Oracle Solaris 11 (V2V)
• Migrating Oracle Solaris 10 global zones to Oracle Solaris 11 (P2V)
• Monitoring zone resource utilization


Practice Environment


Recall from the lessons titled “Managing Software Packages in Oracle Solaris 11” and
“Installing the Oracle Solaris 11 Operating System” that your practice environment is based
on the Oracle VM VirtualBox virtualization software.
The following four virtual machines (VMs) play an important role in this lesson’s practice:
• Sol11X-SuperServer: This VM provides network services such as DNS and NFS used
by the VMs in the practice.
• Sol11X-Server1: This is the IPS server used to install the SUNWs10brand package.
• Sol10-Server1: This is the source system for the zone migration practice.
• Sol11X-Desktop: This is the target system for the zone migration practice.


Oracle Solaris 11 Network Enhancements

Objectives

After completing this lesson, you should be able to:


• Describe the new network features and enhancements
• List the new and enhanced network management utilities
• Configure Network Auto-Magic (NWAM)
• Configure network virtualization
• Configure IPMP
• Configure a network bridge
• List new network monitoring utilities

This lesson introduces you to the new Oracle Solaris 11 network features and enhancements.
You will learn how to set up and manage NWAM, configure IPMP, configure a virtual network,
configure a network bridge, and configure network link aggregation.


Agenda

• Introducing Oracle Solaris 11 network enhancements
• Managing NWAM
• New and enhanced network utilities
• Configuring network virtualization
• Configuring IPMP
• Configuring network bridges
• New network monitoring utilities


Introducing Oracle Solaris 11 Network Enhancements

• Network management and observability
– The ipadm utility
– The dladm utility
– The dlstat command
– Wireshark
• Network Auto-Magic (NWAM)
• Network virtualization
• Network bridging
• Enhanced IPMP

The networking stack has been redesigned to unify, simplify, and enhance the observability
and interoperability of network interfaces and features. A new GLDv3 network driver
framework has been added to provide support for Virtual LANs (VLANs), bridging, and link
aggregation. The GLDv3 framework also provides the ability to support MAC layers other than
Ethernet.
Here are the key network enhancements:
• Network management and observability: Oracle Solaris 11 adds a variety of robust
new network utilities. For network management, the ipadm command provides a
set of subcommands that can be used to manage interfaces (interface creation and
deletion, modifying interface properties, and displaying interface configuration), manage
addresses (address creation and deletion, modifying address properties, and displaying
address configuration), and manage TCP/IP protocol properties (modifying and
displaying them). The ipadm command replaces the traditional ifconfig command.
The dladm command has been enhanced to manage new network devices such as
virtual NICs and bridges. For network observability, the new wireshark and dlstat
utilities have been added. Wireshark is a powerful network protocol analyzer that
allows you to capture and interactively browse the traffic running on a computer network.
By using dlstat, you can generate reports containing runtime statistics about the
network data links.

• Network Auto-Magic (NWAM): NWAM simplifies and automates network configuration
on Oracle Solaris 11. Using NWAM, users can automatically discover and connect to
networks depending on their network conditions and profiles (that is, whether the users
are connected through an Ethernet cable or connected wirelessly). NWAM is the default
behavior on all installations of Oracle Solaris 11.
• Network virtualization: Network virtualization takes server virtualization to the next
level with the ability to virtualize entire network topologies of servers, routers, switches,
and firewalls, all running on a single platform and requiring no additional investment in
networking hardware. Using the basic building blocks of Virtual Network Interface
Controllers (VNICs), virtual switches and interconnects, Virtual LANs (VLANs), and
routing and firewall functionality, network virtualization can be used for a variety of
purposes: from prototyping, to developing and testing, to network service deployment.
• Bridging: Bridging is a general layer two (L2 or data link) technology that is used to
connect separate L2 subnetworks, allowing communication between
attached nodes as if only a single subnetwork were in use. Basic Ethernet bridging
support has been added to Oracle Solaris 11 by using the Spanning
Tree Protocol (STP, IEEE 802.1D-1998) and TRILL protocol.
• Enhanced IPMP: The following features differentiate the current IPMP implementation
from the previous implementation:
- An IPMP group is represented as an IPMP IP interface. This interface is treated
just like any other interface on the IP layer of the networking stack. All IP
administrative tasks, routing tables, Address Resolution Protocol (ARP) tables,
firewall rules, and other IP-related procedures work with an IPMP group by
referring to the IPMP interface.
- The system becomes responsible for the distribution of data addresses among
underlying active interfaces. In the previous IPMP implementation, the
administrator initially determined the binding of data addresses to corresponding
interfaces when the IPMP group was created. In the current implementation, when
the IPMP group is created, data addresses belong to the IPMP interface as an
address pool. The kernel then automatically and randomly binds the data
addresses to the underlying active interfaces of the group.
- The ipmpstat tool is introduced as the principal tool to obtain information about
IPMP groups. This command provides information about all aspects of the IPMP
configuration, such as the underlying IP interfaces of the group, test and data
addresses, types of failure detection being used, and the interfaces that have
failed.
- The IPMP interface can be assigned a customized name to identify the IPMP
group more easily within your network setup.
- In Oracle Solaris 11, IPMP has the ability to use virtual network interfaces.


Network Auto-Magic (NWAM)

• NWAM automatically configures Ethernet and Wi-Fi connections.
• The primary focus of NWAM is mobility.
• NWAM automatically manages network configuration by
storing information in the form of profiles on the system.
• You use the netcfg and netadm commands to create
and customize new profiles.
• NWAM configuration components consist of:
  – Network Configuration Profiles (NCPs)
  – Location profile
  – Network Configuration Units (NCUs)
  – External Network Modifiers (ENMs)
  – Known WLANs

The Network Auto-Magic (NWAM) feature simplifies basic network configuration by
automatically addressing basic Ethernet and Wi-Fi configurations, such as connecting to your
wired or wireless network at startup and displaying notifications about the status of your
currently active network connection from the desktop. With its primary focus on mobility,
NWAM is capable of dynamically changing a system's configuration in response to different
network events or at a user's request.
You use NWAM to set up user-defined profiles that enable you to connect to networks in a
variety of settings, such as in the office, at home, or at your local coffee shop. NWAM is an
essential tool if you have a laptop or other system that requires frequent changes in network
environments.
NWAM automatically manages network configuration by storing information in the form of
profiles on the system. NWAM then determines which profile should be activated, depending
on current network conditions (that is, whether a system is connected through a wired
Ethernet cable or a wireless connection on a laptop), and subsequently activates that profile.
The use of profiles is a primary component of NWAM.
You use the netcfg command to create new profiles and customize them, and you use the
netadm command to display information about existing profiles and to manage user-defined
profiles.


The profile and configuration object types are:


• Network Configuration Profiles (NCPs): An NCP specifies the configuration of
network links and interfaces. This profile is one of the primary profile types that compose
the NWAM configuration. The second primary profile type is the Location profile. There
are two NCP types:
- Automatic: The Automatic NCP is a system-defined profile that is automatically
created by NWAM. The Automatic NCP is a representation of all of the links and
interfaces that are currently in the system. The content of the Automatic NCP
changes if network devices are added or removed. However, the configuration
preferences that are associated with the Automatic NCP cannot be edited. The
Automatic NCP is created to provide access to a profile that utilizes DHCP and
address auto-configuration that make it possible to obtain IP addresses for the
system. This profile also implements a link selection policy that favors wired links
over wireless links. If the specification of an alternate IP configuration policy, or an
alternate link selection policy is required, you would create additional user-defined
NCPs on your system.
- User-defined: User-defined NCPs are profiles that you create to meet the needs
of your particular network configuration. A user-defined NCP can be modified and
removed by the user.
• Location Profile: The Location profile specifies the system-wide network configuration.
The name services, domain, the IP Filter, and IPsec configuration are examples. The
information consists of a set of properties that defines the system-wide network
configuration. There are both system-defined and user-defined locations.
• Network Configuration Units (NCUs): NCUs are the individual configuration objects
(or profiles) that contain all of the properties that make up an NCP. The NCP is
essentially a container that stores the NCUs that define it. Each NCU correlates to an
individual link or interface in the system. There are two types of NCUs:
- Link NCUs: Link NCUs, for example, physical devices, are Layer 2 entities in the
Open Systems Interconnection (OSI) model. Link NCUs represent data links.
There are several different classes of data links:
• Physical links (Ethernet or WiFi)
• Tunnels
• Aggregations
• Virtual local area networks (VLANs)
• Virtual network interface cards (VNICs)
- Interface NCUs: Interface NCUs, specifically, IP interfaces, are Layer 3 entities in
the OSI model.
• External Network Modifiers (ENMs): ENMs are profiles that are used to manage
applications that are external to NWAM, such as a VPN application. These applications
can modify and create a network configuration. The nwamd daemon activates or
deactivates an ENM, depending on the conditions that are specified as part of the ENM.
• Known Wireless Local Area Networks (WLANs): Known WLANs are configuration
objects that NWAM uses to monitor and store information about wireless networks that
are known to your system. NWAM maintains a list of all such wireless networks and then
refers to this list to determine the order in which connections to available wireless
networks are attempted.

How NWAM Works

• One NCP and one Location profile must be active.
• At boot time, nwamd performs these steps:
  1. Consults the profile repository for the currently active NCP
  2. Proceeds until one or more IP addresses have been configured
  3. Checks the conditions of the Location profiles
  4. Activates the Location profile that is specified by the policy engine
  5. Configures the network, or networks, accordingly
• When an event triggers a change:
  1. As an event handler, nwamd detects each event as it occurs.
  2. As a profile daemon, nwamd consults the active profile.
  3. Depending on the change, nwamd might reconfigure the network, or networks, accordingly.

At all times, one NCP and one Location profile must be active on the system. During a system
boot, the profile daemon (nwamd) performs the first set of steps presented in the slide.
When an event triggers a change in the network configuration, the NWAM daemon (nwamd)
functions in various roles and performs the second set of steps presented in the slide.
The following are some of the event triggers:
• Connecting or disconnecting an Ethernet cable
• Connecting or disconnecting a WLAN card
• Booting a system when a wired interface, a wireless interface, or both are available
• Resuming from suspend when a wired interface, a wireless interface, or both are
available (if supported)
• Acquiring or losing a DHCP lease


Interaction with Other Oracle Solaris Technologies

• IP Multipathing (IPMP)
• Virtualization
  – Oracle VM Server for SPARC
  – VirtualBox
  – Solaris zones
  – Virtual networks
• Bridging
• Service Management Facility (SMF)
• Networking utilities

Consider the following when using NWAM with other Oracle Solaris technologies:
• IP Multipathing (IPMP): Before configuring your network by using IPMP, you must
disable the network/physical:nwam SMF service.
• Oracle VM Server for SPARC and VirtualBox: NWAM is supported in both Oracle
Solaris hosts and guests. NWAM manages only the interfaces that belong to the
specified virtual machines and does not interfere with other virtual machines.
• Solaris zones: NWAM works in global zones or in an exclusive stack non-global zone.
NWAM does not work in a shared stack non-global zone.
• Virtual networks: NWAM currently does not manage VNICs and etherstubs.
• Bridging: NWAM implementation does not actively support network configurations that
use the bridging technology. You do not need to disable the
network/physical:nwam service before using this technology on your system.

• Service Management Facility (SMF): At any given time, either the
network/physical:default service or the network/physical:nwam service
must be enabled on your system. If the network/physical:default service is
enabled, the traditional network configuration is used. If the network/physical:nwam
service is enabled, the traditional configuration files are ignored, and NWAM manages
the network configuration according to the policy that is specified by the profiles that are
enabled on the system.
• Networking utilities: When the network/physical:nwam service is enabled, you
can still use command-line networking utilities (such as dlstat, dladm, and ipadm) to
monitor the components of your current network configuration.
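
The SMF and IPMP rules above can be checked before a change is made. The following is an added example, not part of the Oracle course material: it reads "STATE FMRI" lines in the form printed by svcs -H -o state,fmri network/physical, reports which configuration mode is in effect, and applies the interaction rules from this list. The function names and sample lines are constructed for illustration, and treating every state other than "disabled" as enabled is an assumption of the example.

```shell
#!/bin/sh
# Added example (not Oracle course code).
# Input format: "STATE FMRI" lines, as printed by
#   svcs -H -o state,fmri network/physical
# Assumption: any state other than "disabled" counts as enabled.

# Constructed sample inputs.
SAMPLE_NWAM='disabled svc:/network/physical:default
online svc:/network/physical:nwam'
SAMPLE_TRADITIONAL='online svc:/network/physical:default
disabled svc:/network/physical:nwam'
SAMPLE_BOTH='online svc:/network/physical:default
online svc:/network/physical:nwam'

# network_mode: read svcs lines on stdin and print one of
#   nwam, traditional, invalid (both or neither enabled),
#   unknown (one of the two instances is missing from the input).
network_mode() {
    awk '
        $2 ~ /network\/physical:default$/ { seen_d = 1; d = ($1 != "disabled") }
        $2 ~ /network\/physical:nwam$/    { seen_n = 1; n = ($1 != "disabled") }
        END {
            if (!seen_d || !seen_n) print "unknown"
            else if (n && !d)       print "nwam"
            else if (d && !n)       print "traditional"
            else                    print "invalid"
        }'
}

# preflight MODE FEATURE: apply the interaction rules from the lesson.
# Returns 0 = proceed, 1 = disable NWAM first,
#         2 = fix the SMF state first, 3 = feature not covered here.
preflight() {
    case "$1" in
        nwam|traditional) ;;
        *)
            echo "blocked: exactly one of network/physical:default and network/physical:nwam must be enabled"
            return 2 ;;
    esac
    case "$2:$1" in
        ipmp:nwam)
            echo "blocked: disable network/physical:nwam before configuring IPMP"
            return 1 ;;
        vnic:nwam|etherstub:nwam)
            echo "ok: NWAM does not manage VNICs and etherstubs" ;;
        bridge:nwam)
            echo "ok: NWAM need not be disabled, but it does not actively support bridging" ;;
        ipmp:*|vnic:*|etherstub:*|bridge:*)
            echo "ok: traditional network configuration is in use" ;;
        *)
            echo "unknown feature: $2"
            return 3 ;;
    esac
    return 0
}

# Demonstration on the constructed NWAM sample.
mode=$(printf '%s\n' "$SAMPLE_NWAM" | network_mode)
for feature in ipmp bridge vnic; do
    printf '%s under %s: ' "$feature" "$mode"
    preflight "$mode" "$feature" || true
done
```

On a live system the input would come from svcs -H -o state,fmri network/physical piped into network_mode.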


The netcfg Command

netcfg Subcommand
    Description

create
    Create an in-memory profile of the specified type.
select
    Open an existing profile.
walkprop
    Walk each property associated with the current profile. For each property, the name
    and current value are displayed, and a prompt is given to allow the user to change
    the current value.
set prop-name=value1
    Set the current (in-memory) value of the specified property. If performed in
    noninteractive mode, the change is also committed to persistent storage.
list
    List all profiles, property-value pairs, and resources that exist at the current or
    specified scope.
verify
    Verify that the current in-memory object has a valid configuration.
commit
    Commit the current in-memory profile to persistent storage.
end
    End the current profile specification, and pop up to the next higher scope.
exit
    Exit the netcfg session. The current profile is verified and committed before
    ending.
destroy
    Remove the specified profile from memory and persistent storage.

The netcfg command is used to create and modify NWAM profiles. Using the netcfg
command, you can perform the following tasks:
• Create or destroy a user-defined profile.
• Open an existing profile for viewing and/or editing.
• List all of the profiles that exist on a system and their property values.
• List all of the property values and resources for a specified profile.
• Display each property that is associated with a profile.
• Set or modify one or all of the properties of a specified profile.
• Export the current configuration for a user-defined profile to standard output or a file.
• Delete any changes that were made to a profile and revert to the previous configuration
for that profile.
• Verify that a profile has a valid configuration.
This slide shows the netcfg subcommands.


The netadm Command

netadm Subcommand
    Description

enable
    Enable the specified profile. If the profile name is not unique, the profile type must
    be specified to identify the profile to be enabled.
disable
    Disable the specified profile. If the profile name is not unique, the profile type must
    be specified to identify the profile to be disabled.
list
    List all available profiles and their current state. If a specific profile is specified by
    name, list only the current state of that profile.
show-events
    Listen for a stream of events from the NWAM daemon and display them.
scan-wifi
    Initiate a wireless scan on link linkname.
select-wifi
    Select a wireless network to connect to from scan results on link linkname. Prompts
    for selection, Wi-Fi key, and so forth, if necessary.
help
    Display a usage message with short descriptions for each subcommand.

The netadm command is used to administer NWAM profiles and interact with the NWAM
daemon.
The subcommands supported by the netadm command are shown in this slide.


Configuring NWAM

• Enable NWAM.
# svcadm disable network/physical:default
# svcadm enable network/physical:nwam
• View current NWAM NCPs, NCUs, and locations.
# netadm list
• Create an NCP and NCU.
# netcfg
netcfg> create ncp oracle_profile
netcfg:ncp:oracle_profile> create ncu phys net0
• Enable an NWAM profile.
# netadm enable -p loc classroom
# netadm enable -p ncp oracle_profile

Here are the tasks involved in configuring NWAM:
• Enable NWAM: The NWAM service must be enabled before you can configure it. If the
NWAM service is not currently enabled, first disable standard network configuration, and
then enable NWAM.
Example:
# svcadm disable network/physical:default
# svcadm enable network/physical:nwam
• View current NWAM profiles: You can display information on the NCP, NCU, and
location profiles currently configured on the system.
# netadm list
• Create an NCP and NCU: Using the netcfg utility, you can create custom NCPs.
NCPs have associated NCUs, which describe the network interface configuration.
# netcfg
netcfg> create ncp oracle_profile
netcfg:ncp:oracle_profile> create ncu phys net0


• Enable the NWAM profile: Once you have created the NWAM profiles, you use
netadm to enable locations and Network Configuration Profiles (NCPs).
Example:
- To enable the classroom location, use:
# netadm enable -p loc classroom
- To enable the oracle_profile ncp, use:
# netadm enable -p ncp oracle_profile


Practice 6-1: Overview

This practice covers the following topics:
• Enabling NWAM
• Creating and deploying an NWAM profile
• Disabling NWAM

The ipadm Utility


ipadm Subcommand
    Description

create-if, delete-if, show-if
    Create or delete an IP interface that handles both IPv4 and IPv6 packets.
    show-if displays IP interface information.
enable-if, disable-if
    Enable or disable the given interface by reading the configuration from the
    persistent store.
set-ifprop, reset-ifprop, show-ifprop
    set-ifprop modifies an interface property to the value specified by the
    user. reset-ifprop resets an interface property to its default value.
    show-ifprop displays the current value of an interface property.
create-addr, delete-addr, show-addr
    Create or delete an IPv4 or IPv6 address on the interface address object. The
    address type can be specified as static, DHCP, or auto-configured in the case
    of IPv6. show-addr shows IP address information.
up-addr, down-addr
    Mark an IP address as up or down.
refresh-addr
    If the address is of the type "static," DAD (Duplicate Address Detection) will be
    restarted (if necessary) on the address identified by the address object. If the
    address is of the type "dhcp," the lease duration obtained on the address will be
    extended by the DHCP client daemon.
enable-addr, disable-addr
    Create, delete, and show a virtual switch between the VNICs.
set-prop, reset-prop, show-prop
    set-prop sets the protocol property to a specific value. reset-prop resets
    a protocol property to its default value. show-prop displays the current value
    of a protocol property.
set-addrprop, reset-addrprop, show-addrprop
    set-addrprop modifies the value of a property on an address object.
    reset-addrprop resets an address property to its default value.
    show-addrprop displays the current value of an address property.

Advances in Oracle Solaris have surpassed the capabilities of traditional tools to efficiently
administer various aspects of network configuration. The ifconfig command, for example,
has been the customary tool to configure network interfaces. However, this command does
not implement persistent configuration settings. Over time, ifconfig has undergone
enhancements for added capabilities in network administration. However, as a consequence,
the command has become complex and confusing to use. Another issue with interface
configuration and administration is the absence of simple tools to administer TCP/IP Internet
protocol properties or tunables. The ndd command has been the prescribed customization
tool for this purpose. However, like the ifconfig command, ndd does not implement
persistent configuration settings. Previously, persistent settings could be simulated for a
network scenario by editing the boot scripts. With the introduction of the Service Management
Facility (SMF), using such workarounds can become risky because of the complexities of
managing SMF dependencies, particularly in the light of upgrades to the Oracle Solaris
installation.


The ipadm command has been introduced to eventually replace the ifconfig command for
interface configuration. The command also replaces the ndd command to configure protocol
properties. As a tool for configuring interfaces, the ipadm command offers the following
advantages:
• It manages IP interfaces and IP addresses more efficiently by being the tool uniquely
designed for IP interface administration, unlike the ifconfig command that is used for
purposes other than interface configuration.
• It provides an option to implement persistent interface and address configuration
settings.
As a tool to set protocol properties, the ipadm command provides the following benefits:
• It can set temporary or persistent protocol properties for IP, Address Resolution Protocol
(ARP), Stream Control Transmission Protocol (SCTP), and Internet Control Message
Protocol (ICMP), as well as upper-layer protocols, such as TCP and User Datagram
Protocol (UDP).
• It provides information about each TCP/IP parameter, such as a property’s current and
default setting, as well as the range of possible settings. Thus, debugging information is
more easily obtained.
• The ipadm command also follows a consistent command syntax and, therefore, is
easier to use.
The slide shows the subcommands currently supported by the ipadm utility.


dladm Enhancements

dladm Subcommand
    Description

rename-link
    Give a link a meaningful name.
delete-phys
    Delete the persistent configuration of a link associated with physical
    hardware that has been removed from the system.
show-phys
    Show the physical device and attributes of all physical links.
create-vlan, delete-vlan, show-vlan
    Create, delete, and show a tagged VLAN link with an ID of vid over
    Ethernet link ether-link.
scan-wifi, show-wifi, connect-wifi, disconnect-wifi
    Scan for, show, connect to, and disconnect from one or more Wi-Fi
    networks.
show-ether
    Show state information for all physical Ethernet links.
create-secobj, delete-secobj, show-secobj
    Create, delete, and show a secure object in the specified class to be
    used as a WEP or WPA key in connecting to an encrypted network.
create-vnic, delete-vnic, show-vnic
    Create, delete, and show a VNIC over the specified link.
create-etherstub, delete-etherstub, show-etherstub
    Create, delete, and show a virtual switch between the VNICs.
show-ib
    Display InfiniBand (IB) link information.

The dladm command is used to configure data links. This slide shows the new capabilities of
the dladm utility.


dladm Enhancements

dladm Subcommand
    Description

create-iptun, modify-iptun, remove-iptun, show-iptun
    Create, delete, modify, and show an IP tunnel.
create-bridge, modify-bridge, remove-bridge, show-bridge
    Create, delete, modify, and show a layer two bridge.

Practice 6-2: Overview

This practice covers exploring the new capabilities of the ipadm and dladm utilities:
• Manage data links by using dladm.
• Manage IP configuration by using ipadm.

Transitioning to Virtual Networking


[Figure: Transitioning to virtual networking. Left: separate physical systems (Webserver 1, Webserver 2, a router, and db servers) joined by physical networks. Right: a single Oracle Solaris 11 system in which Webserver 1 and Webserver 2 zones, a Router zone, and db1, db2, and db3 Server zones are connected through VNICs and virtual switch etherstubs, with Physical Link 1 to the external network.]

Network virtualization is the process of combining hardware network resources and software
network resources into a single administrative unit. The goal of network virtualization is to
provide systems and users with efficient, controlled, and secure sharing of the networking
resources. The end product of network virtualization is the virtual network.
Virtual networks are classified into two broad types: external and internal. External virtual
networks consist of several local networks that are administered by software as a single
entity. The building blocks of classic external virtual networks are switch hardware and VLAN
software technology.


Today’s IT organizations face the costly management of server sprawl (shown on the left in
the slide diagram). This includes the hardware, maintenance, and personnel resources
needed to manage, operate, and administer those servers on a daily basis. Oracle’s network
virtualization solution allows enterprises to enable workload isolation and granular resource
control for all of the system’s computing and I/O resources. Using virtual infrastructure (shown
on the right in the slide diagram) to consolidate physical systems in the data center,
enterprises can experience the following:
• Lower total cost of ownership of servers
• Higher server utilization
• Increased operational efficiency
• Tighter security


Virtual Network Components

Component
    Description

Solaris zone
    A Solaris zone is the combination of system resource controls
    and the boundary separation provided by zones.
Virtual NIC (VNIC)
    A VNIC is a virtual network device with the same data link
    functionality as a physical interface.
Virtual switch
    The virtual switch provides the same connectivity between
    VNICs on a virtual network that switch hardware provides for
    the systems connected to a switch's ports.
Etherstub
    An etherstub is a pseudo-network interface that provides an
    unmanaged virtual Ethernet switch for virtual interfaces.
Flows
    A flow is a stream of packets all having the same
    characteristics, such as the port number or destination
    address.
Physical network interface
    A physical network interface (phys) is an interface controlled
    by a hardware driver.

This table shows the key components that make up a virtual network.
• Solaris zone: A Solaris zone is the combination of system resource controls and the
boundary separation provided by zones. Zones act as completely isolated virtual servers
within a single operating system instance. The Solaris zone is the basic server building
block of a virtual network.
• Virtual NIC (VNIC): A VNIC is a virtual network device with the same data link
functionality as a physical interface. You configure VNICs on top of a physical interface or
etherstub. You configure VNICs as you configure any physical port, using the same
commands with the same syntax.
• Virtual switch: The virtual switch provides the same connectivity between VNICs on a
virtual network that switch hardware provides for the systems connected to a switch’s
ports. Each VNIC is implicitly connected to a virtual switch that corresponds to the
physical interface. You create VNICs on top of a physical NIC or an etherstub.

• Etherstub: An etherstub is a pseudo-network interface that provides an unmanaged
virtual Ethernet switch for virtual interfaces. You use etherstubs to isolate the virtual
network from the rest of the virtual networks in the system as well as from the external
network to which the system is connected. Network traffic originating from virtual links
connected to the etherstub is directed to other virtual interfaces connected to the same
etherstub.
• Flows: A flow is a stream of packets all having the same characteristics, such as the
port number or destination address. These flows are managed by transport, service, or
virtual machine, including zones. Flows cannot exceed the amount of bandwidth that is
guaranteed to the application or to the customer’s purchased share.

• Physical network interface: A physical network interface (phys) is an interface
controlled by a hardware driver. You need at least one physical network interface.


Building a Simple Virtual Network

[Slide diagram labels: Global Zone; Zone 1 (vnic 1); Zone 2 (vnic 2); Virtual Switch; net0; Network]

root@s11-serv1:~# dladm create-vnic -l net0 vnic1
root@s11-serv1:~# dladm create-vnic -l net0 vnic2

This slide shows a simple virtual network with two Solaris zones. Whenever you create two or
more VNICs on the same physical port, a virtual switch is created at the MAC layer. The
effect of the creation of the virtual switch is that traffic between Zone 1 and Zone 2 is switched
at the MAC layer. The traffic does not need to pass out through the physical NIC (net0) to be
switched by some external piece of hardware. As long as the VNICs share the same physical
NIC and are on the same VLAN, this MAC layer virtual switch can be employed.
This slide shows you how to create two VNICs on the physical interface.


Configuring a Private Virtual Network

[Slide diagram labels: Global Zone; Zone 3 (vnic 1); Zone 4 (vnic 2); Stub 0, 192.168.1 Network; vnic 0; net0; 192.168.0 Network]

root@s11-serv1:~# dladm create-etherstub stub0
root@s11-serv1:~# dladm create-vnic -l stub0 vnic0
root@s11-serv1:~# dladm create-vnic -l stub0 vnic1
root@s11-serv1:~# dladm create-vnic -l stub0 vnic2

This slide shows a simple isolated private virtual network with two Solaris zones. This virtual
network consists of the following:
• GLDv3 network interface net0: This interface connects the global zone to the public
network.
• Etherstub stub0: You use etherstubs to isolate the virtual network from the rest of the
virtual networks in the system as well as the external network to which the system is
connected. You cannot use an etherstub just by itself. Instead, you use VNICs with an
etherstub to create the private or isolated virtual networks. You can create as many
etherstubs as you require. You can also create as many VNICs over each etherstub as
required.
• Three VNICs: vnic0 is created over etherstub stub0. This interface can be configured
in the global zone to provide a route between the private virtual network (192.168.1.0)
and the public network. Technologies, such as IP forwarding, IP filtering, and Network
Address Translation (NAT), can be used to customize the relationship between the
private and public networks. VNICs vnic1 and vnic2 are also created over etherstub
stub0 and are used to attach the non-global zones to stub0.
• Two exclusive IP zones: The two exclusive IP zones each have a VNIC assigned.
vnic1 is assigned to Zone 3, and vnic2 is assigned to Zone 4.


Accessing a Virtual Network Configuration

root@s11-serv1:~# dladm show-link
LINK    CLASS      MTU   STATE    BRIDGE  OVER
net0    phys       1500  up       --      --
net1    phys       1500  unknown  --      --
net2    phys       1500  unknown  --      --
net3    phys       1500  unknown  --      --
stub0   etherstub  9000  unknown  --      --
vnic0   vnic       9000  up       --      stub0
vnic1   vnic       9000  up       --      stub0
vnic2   vnic       9000  up       --      stub0
root@s11-serv1:~# dladm show-vnic
LINK    OVER   SPEED  MACADDRESS       MACADDRTYPE  VID
vnic0   stub0  0      2:8:20:70:d0:f8  random       0
vnic1   stub0  0      2:8:20:80:65:0   random       0
vnic2   stub0  0      2:8:20:1f:c5:bd  random       0
root@s11-serv1:~# dladm show-etherstub
LINK
stub0

This slide shows useful commands for accessing your virtual network configuration. The first
command (dladm show-link) lists all the links configured on your system, including VNICs
and etherstubs. The next command (dladm show-vnic) lists the VNIC links. The last
command (dladm show-etherstub) lists the etherstubs.
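
The isolation described for the private virtual network depends on each zone VNIC being created over the etherstub and not over a physical link. The following script is an added example, not part of the course material: it reads output in the dladm show-link layout shown above and reports any named VNIC that is not on an etherstub. The sample listing, the extra link vnic3, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which VNICs sit on an isolated etherstub.
# On a live system the input would come from `dladm show-link`; the sample
# below is constructed in the same column layout so the script runs offline.
sample_show_link() {
cat <<'EOF'
LINK   CLASS      MTU   STATE    BRIDGE  OVER
net0   phys       1500  up       --      --
net1   phys       1500  unknown  --      --
stub0  etherstub  9000  unknown  --      --
vnic0  vnic       9000  up       --      stub0
vnic1  vnic       9000  up       --      stub0
vnic2  vnic       9000  up       --      stub0
vnic3  vnic       1500  up       --      net0
EOF
}

# classify_vnics: read show-link output on stdin and print, for every VNIC,
# "<vnic> <lower-link> <kind>", where kind is
#   private  - lower link is an etherstub (traffic stays inside the host)
#   external - lower link is a physical NIC (shares the external network)
#   unknown  - lower link is missing from the listing or of another class
classify_vnics() {
    awk '
        $1 == "LINK" || NF < 6 { next }          # header, blank or short lines
        { class[$1] = $2 }
        $2 == "vnic" { order[++n] = $1; over[$1] = $6 }
        END {
            for (i = 1; i <= n; i++) {
                v = order[i]; l = over[v]
                kind = "unknown"
                if (class[l] == "etherstub") kind = "private"
                else if (class[l] == "phys") kind = "external"
                print v, l, kind
            }
        }'
}

# check_isolated VNIC...: read show-link output on stdin and verify that each
# named VNIC exists and is private. Prints one line per problem and returns
# non-zero if any problem is found.
check_isolated() {
    wanted=" $* "
    classify_vnics | awk -v wanted="$wanted" '
        index(wanted, " " $1 " ") {
            seen[$1] = 1
            if ($3 != "private") {
                print "NOT ISOLATED: " $1 " is over " $2 " (" $3 ")"
                bad = 1
            }
        }
        END {
            n = split(wanted, w, " ")
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen)) { print "MISSING: " w[i]; bad = 1 }
            exit bad + 0
        }'
}

# Demonstration on the constructed sample: the zone VNICs vnic1 and vnic2 pass,
# and the constructed vnic3 (created directly over net0) is reported.
sample_show_link | classify_vnics
sample_show_link | check_isolated vnic1 vnic2 && echo "vnic1 vnic2: isolated"
sample_show_link | check_isolated vnic3 || true
```
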


Bandwidth Management

• Enables assignment of a portion of the available bandwidth of a NIC
• The allocated portion of bandwidth is known as a share.
– The limit is the maximum allocation of bandwidth that the share can consume.

Bandwidth management enables you to assign a portion of the available bandwidth of an NIC
to a consumer, such as an application or customer. You can control bandwidth on a per-
application, per-port, per-protocol, and per-address basis. Bandwidth management ensures
efficient use of the large amount of bandwidth available from the new GLDv3 network
interfaces. Resource control features enable you to implement a series of controls on an
interface's available bandwidth.
The allocated portion of bandwidth is known as a share. By setting up shares, you can
allocate enough bandwidth for applications that cannot function properly without a certain
amount of bandwidth. For example, streaming media and Voice-over IP consume a great deal
of bandwidth. You can use the resource control features to guarantee that these two
applications have enough bandwidth to run successfully. You can also set a limit on the
share. The limit is the maximum allocation of bandwidth that the share can consume. Using
limits, you can keep noncritical services from taking bandwidth away from critical services.
You can prioritize among the various shares allotted to consumers. You can give highest
priority to critical traffic, such as heartbeat packets for a cluster, and lower priority for less
critical applications.
You can control bandwidth usage through the management of flows (by using the flowadm
command) and link utilization (by using the dladm command).


Managing Bandwidth

[Slide diagram labels: Global Zone; Zone 3 (vnic 1); Zone 4 (vnic 2); Stub 0, 192.168.1 Network; vnic 0; Firewall; 100Mb/s, Priority = Low; net0; 192.168.0 Network]

root@s11-serv1:~# flowadm add-flow -l vnic2 -a transport=tcp,local_port=80 http1
root@s11-serv1:~# flowadm set-flowprop -p maxbw=100M http1
root@s11-serv1:~# flowadm show-flowprop http1
FLOW   PROPERTY  VALUE  DEFAULT  POSSIBLE
http1  maxbw     100    --       --
root@s11-serv1:~# dladm set-linkprop -p priority=low vnic2
root@s11-serv1:~# dladm show-linkprop -p priority vnic2
LINK   PROPERTY  PERM  VALUE  DEFAULT  POSSIBLE
vnic2  priority  rw    low    high     low, medium, high

This slide shows you how to restrict flows and lower priority on a VNIC. Flows consist of
network packets that are organized according to an attribute. Flows enable you to further
allocate network resources.
In this example, a flow named http1 is created on vnic2 by using the flowadm command. This
user-designed flow (http1) matches TCP traffic on local port 80 and restricts its bandwidth to
100 Mbits/s. The dladm set-linkprop command then sets the priority of the vnic2 link to low.


Practice 6-3: Overview

This practice covers exploring Oracle Solaris 11 network virtualization:
• Configure two zones on a private virtual network.
• Configure the virtual network for public access.
• Secure the virtual network behind a firewall.
• Control network traffic flow.


Agenda

• Introducing the Oracle Solaris 11 network enhancements
• Managing NWAM
• New and enhanced network management utilities
• Configuring network virtualization
• Configuring IPMP
• Configuring network bridges
• New network monitoring utilities


IP Multipathing (IPMP)


In production environments, it is important to eliminate any single point of failure. IP
multipathing (IPMP) provides a mechanism for building redundant network interfaces to guard
against failures with network interfaces, cables, switches, or other networking hardware. In
addition to eliminating any single point of failure, the IPMP load spreading feature increases
the machine's bandwidth by spreading the outbound load among all the cards in the same
IPMP group.
With IPMP, you can assign two or more NICs to a failover group. Each interface is assigned a
static test IP address, which is used by Solaris to verify the operational state of the interface.
These IP links will be used to periodically send an Internet Control Message Protocol (ICMP)
echo request to a target system and listen for the response. If no response occurs within a
given number of tries, the link is marked as failed. IPMP will fail over all application IP
addresses currently configured on that physical interface to another physical interface within
the IPMP group. In this way, network outages due to failed network hardware are eliminated.


IPMP Configurations

• Two or more physical interfaces are assigned to an IPMP group.
• IPMP group configurations:
– Active-active configuration
– Active-standby configuration

An IPMP configuration typically consists of two or more physical interfaces on the same
system that are attached to the same LAN. These interfaces can belong to an IPMP group in
either of the following configurations:
Active-active configuration: In this configuration, all underlying interfaces are active. An
active interface is an IP interface that is currently available for use by the IPMP group. By
default, an underlying interface becomes active when you configure the interface to become
part of an IPMP group.
Active-standby configuration: In this configuration, at least one interface is administratively
configured as a reserve. The reserve interface is called the standby interface. Although idle,
the standby IP interface is monitored by the multipathing daemon to track the interface's
availability, depending on how the interface is configured. If link-failure notification is
supported by the interface, link-based failure detection is used. If the interface is configured
with a test address, probe-based failure detection is also used. If an active interface fails, the
standby interface is automatically deployed as needed. You can configure as many standby
interfaces as you want for an IPMP group.


How IPMP Works: Active-Active


This slide shows an IPMP active-active configuration. In this configuration, all underlying
interfaces are active. No underlying interfaces are reserved for replacement in the event of an
active interface failure.
IPMP failure detection can be link-based, probe-based, or both to determine the availability of
a specific underlying IP interface in the group. If IPMP determines that an underlying interface
has failed, that interface is flagged as failed and is no longer usable. The data IP address that
was associated with the failed interface is then redistributed to another functioning interface in
the group. If available, a standby interface is also deployed to maintain the original number of
active interfaces.


This slide shows a two-interface IPMP group ipmp0 with an active-active configuration.
• Two data addresses are assigned to the group: 192.168.10.112 and 192.168.10.113.
• Two underlying interfaces are configured as active interfaces and are assigned flexible
link names: link0_ipmp0 and link1_ipmp0.
Probe-based failure detection is used, and thus the active interfaces are configured with test
addresses, as follows:
• link0_ipmp0: 192.168.0.142
• link1_ipmp0: 192.168.0.143
The Active and Failed areas in the diagram indicate only the status of underlying interfaces,
and not physical locations. No physical movement of interfaces or addresses, and no transfer
of IP interfaces, occurs within this IPMP implementation. The areas serve to show only how
an underlying interface changes status as a result of either failure or repair.


How IPMP Works: Active-Active


Here, IPMP determines that an underlying interface link0_ipmp0 has failed. The failed
interface is flagged as Failed and is no longer usable. The data IP address that was
associated with the failed interface is then redistributed to the remaining functioning interface
in the group. The IPMP group has been reduced to one active interface and thus a single-
point-of-failure.


How IPMP Works: Active-Active


IPMP continues to probe the failed underlying interface (link0_ipmp0) to determine if it has
been repaired. When IPMP determines that an underlying interface has been repaired, it flags
the interface as Active. The data IP address that was associated with the failed interface is
then redistributed to the repaired interface.


How IPMP Works: Active-Standby


IPMP maintains network availability by attempting to preserve the original number of active
and standby interfaces when the group was created.
IPMP failure detection can be link-based, probe-based, or both to determine the availability of
a specific underlying IP interface in the group. If IPMP determines that an underlying interface
has failed, that interface is flagged as Failed and is no longer usable. The data IP address
that was associated with the failed interface is then redistributed to another functioning
interface in the group. If available, a standby interface is also deployed to maintain the original
number of active interfaces.


This slide shows a three-interface IPMP group ipmp0 with an active-standby configuration.
• Two data addresses are assigned to the group: 192.168.10.112 and 192.168.10.113.
• Two underlying interfaces are configured as active interfaces and are assigned flexible
link names: link0_ipmp0 and link1_ipmp0.
• The group has one standby interface, also with a flexible link name: link2_ipmp0.
Probe-based failure detection is used, and thus the active and standby interfaces are
configured with test addresses, as follows:
• link0_ipmp0: 192.168.0.142
• link1_ipmp0: 192.168.0.143
• link2_ipmp0: 192.168.0.144
The Active, Offline, Reserve, and Failed areas in the figures indicate only the status of
underlying interfaces, and not physical locations. No physical movement of interfaces or
addresses, and no transfer of IP interfaces, occurs within this IPMP implementation. The
areas serve to show only how an underlying interface changes status as a result of either
failure or repair.


How IPMP Works: Active-Standby


Here, IPMP determines that an underlying interface link0_ipmp0 has failed. The failed
interface is flagged as Failed and is no longer usable. The data IP address that was
associated with the failed interface is then redistributed to another functioning interface in the
group. The available standby interface link2_ipmp0 is moved to an active state to maintain
the original number of active interfaces.


How IPMP Works: Active-Standby


IPMP continues to probe the failed underlying interface (link0_ipmp0) to determine if it has
been repaired. When IPMP determines that an underlying interface has been repaired, it flags
the interface as Active and the standby interface (link2_ipmp0) is moved back to a standby
state. The data IP address that was associated with the failed interface is then redistributed to
the repaired interface.


How IPMP Works: Active-Standby


In the case where the administrator offlines an underlying interface (link1_ipmp0 in the
example in the slide), IPMP flags the interface as Offline and it is no longer usable. The data
IP address that was associated with the failed interface is then redistributed to another
functioning interface in the group. The available standby interface link2_ipmp0 is moved to
an active state to maintain the original number of active interfaces.


Configuring IPMP: Active-Active

root@s11-serv1:~# dladm rename-link net0 link0_ipmp0
root@s11-serv1:~# dladm rename-link net1 link1_ipmp0
root@s11-serv1:~# ipadm create-ip link0_ipmp0
root@s11-serv1:~# ipadm create-ip link1_ipmp0
root@s11-serv1:~# ipadm create-ipmp ipmp0
root@s11-serv1:~# ipadm add-ipmp -i link0_ipmp0 \
-i link1_ipmp0 ipmp0

root@s11-serv1:~# ipadm create-addr -T static \
-a 192.168.0.112/24 ipmp0/v4add1
root@s11-serv1:~# ipadm create-addr -T static \
-a 192.168.0.113/24 ipmp0/v4add2

root@s11-serv1:~# ipadm create-addr -T static \
-a 192.168.0.142/24 link0_ipmp0/test
root@s11-serv1:~# ipadm create-addr -T static \
-a 192.168.0.143/24 link1_ipmp0/test

This slide shows you the steps to configure an active-active IPMP configuration with flexible
data link names as shown in the diagram in the earlier slide titled “How IPMP Works: Active-
Active.” Here, you rename the data links net0 and net1 to link0_ipmp0 and
link1_ipmp0, respectively. Before these data links can be used by IPMP, you must create
an IP interface for each one.
Now you are ready to create the IPMP group. This involves two steps. You first create the
IPMP group (ipmp0 in this example), and then you add the underlying interfaces
(link0_ipmp0 and link1_ipmp0) to the group. Note that this example shows vanity
naming of the network interfaces. You use vanity naming to label network components. This
helps you clarify complex network topologies.
Next, assign the data IP addresses to the IPMP interface (ipmp0) in the form of IP address
objects (ipmp0/v4add1 and ipmp0/v4add2).
Finally, assign the test IP addresses to each underlying interface in the form of IP address
objects (link0_ipmp0/test and link1_ipmp0/test).


Configuring IPMP: Active-Standby


root@s11-serv1:~# dladm rename-link net0 link0_ipmp0
root@s11-serv1:~# dladm rename-link net1 link1_ipmp0
root@s11-serv1:~# dladm rename-link net2 link2_ipmp0
root@s11-serv1:~# ipadm create-ip link0_ipmp0
root@s11-serv1:~# ipadm create-ip link1_ipmp0
root@s11-serv1:~# ipadm create-ip link2_ipmp0
root@s11-serv1:~# ipadm create-ipmp ipmp0
root@s11-serv1:~# ipadm add-ipmp -i link0_ipmp0 \
-i link1_ipmp0 -i link2_ipmp0 ipmp0
root@s11-serv1:~# ipadm set-ifprop -p standby=on -m ip link2_ipmp0
root@s11-serv1:~# ipadm create-addr -T static \
-a 192.168.0.112/24 ipmp0/v4add1
root@s11-serv1:~# ipadm create-addr -T static \
-a 192.168.0.113/24 ipmp0/v4add2
root@s11-serv1:~# ipadm create-addr -T static \
-a 192.168.0.142/24 link0_ipmp0/test
root@s11-serv1:~# ipadm create-addr -T static \
-a 192.168.0.143/24 link1_ipmp0/test
root@s11-serv1:~# ipadm create-addr -T static \
-a 192.168.0.144/24 link2_ipmp0/test

This slide shows you the steps to configure an active-standby IPMP configuration with flexible
data link names as shown in the diagram in the earlier slide titled “How IPMP Works: Active-
Active.” The steps are similar to those shown on the previous slide.
Here, you rename the data links net0, net1, and net2 to link0_ipmp0, link1_ipmp0,
and link2_ipmp0, respectively. You then create an IP interface for each one.
Now you create the IPMP group. This involves two steps. You first create the IPMP group
(ipmp0 in this example), and then you add the underlying interfaces (link0_ipmp0,
link1_ipmp0, and link2_ipmp0) to the group.
Once the IPMP group is created, you set the standby property in one of the underlying
interfaces (link2_ipmp0 in this example) to on.
Next, assign the data IP addresses to the IPMP interface (ipmp0) in the form of IP address
objects (ipmp0/v4add1 and ipmp0/v4add2).
Finally, assign the test IP addresses to each underlying interface in the form of IP address
objects (link0_ipmp0/test, link1_ipmp0/test, and link2_ipmp0/test).


Monitoring IPMP

root@s11-serv1:~# ipmpstat -g
GROUP  GROUPNAME  STATE     FDT     INTERFACES
ipmp0  ipmp0      degraded  10.00s  link2_ipmp0 link1_ipmp0 [link0_ipmp0]

root@s11-serv1:~# ipmpstat -i
INTERFACE    ACTIVE  GROUP  FLAGS    LINK  PROBE   STATE
link2_ipmp0  yes     ipmp0  -s-----  up    ok      ok
link1_ipmp0  yes     ipmp0  --mbM--  up    ok      ok
link0_ipmp0  no      ipmp0  -------  up    failed  failed

root@s11-serv1:~# ipmpstat -an
ADDRESS        STATE  GROUP  INBOUND      OUTBOUND
::             down   ipmp0  --           --
192.168.0.113  up     ipmp0  link1_ipmp0  link2_ipmp0 link1_ipmp0
192.168.0.112  up     ipmp0  link2_ipmp0  link2_ipmp0 link1_ipmp0

You use the ipmpstat command to monitor IPMP group activity and health.
This slide shows three examples of ipmpstat usage. The examples that you see here are
taken from an IPMP active-standby configuration created by the procedure shown in the
previous slide. Here, one of the underlying interfaces has failed.
The first example (ipmpstat -g) displays information about the IPMP group. The IPMP
group is named ipmp0. It has three underlying interfaces: link0_ipmp0, link1_ipmp0,
and link2_ipmp0. Note that the state of the IPMP group is degraded and the underlying
interface link0_ipmp0 has brackets around it (boxed) indicating that it has failed.
The second example (ipmpstat -i) displays information about the IP interfaces. Here,
link2_ipmp0 is in the Active state and link0_ipmp0 is in the Failed state.


Note the FLAGS field. The interface flags are defined as:
• i = Unusable due to being INACTIVE
• s = Masked STANDBY
• m = Nominated to send/receive IPv4 multicast for its IPMP group
• b = Nominated to send/receive IPv4 broadcast for its IPMP group
• M = Nominated to send/receive IPv6 multicast for its IPMP group
• d = Unusable due to being down
• H = Unusable due to being brought OFFLINE by in.mpathd (IPMP daemon) because
of a duplicate hardware address

The third example (ipmpstat -an) displays information about the IPMP data addresses. IP
address 192.168.0.112 is currently assigned to the standby interface (link2_ipmp0) and
192.168.0.113 is assigned to link1_ipmp0 for all INBOUND data traffic.
OUTBOUND data traffic is spread across both active interfaces for each IP address.


Monitoring IPMP

root@s11-serv1:~# ipmpstat -pn
TIME    INTERFACE    PROBE  NETRTT  RTT     RTTAVG  TARGET
0.06s   link2_ipmp0  i163   0.26ms  0.49ms  0.33ms  192.168.0.100
0.90s   link1_ipmp0  i162   0.26ms  0.39ms  0.31ms  192.168.0.100
0.92s   link2_ipmp0  i164   0.19ms  0.36ms  0.34ms  192.168.0.100
0.49s   link0_ipmp0  i161   --      --      --      192.168.0.100
-0.49s  link0_ipmp0  i160   --      --      --      192.168.0.100
2.52s   link2_ipmp0  i165   0.23ms  0.39ms  0.34ms  192.168.0.100
2.74s   link1_ipmp0  i163   0.24ms  0.38ms  0.32ms  192.168.0.100
3.69s   link1_ipmp0  i164   0.25ms  0.45ms  0.34ms  192.168.0.100
2.31s   link0_ipmp0  i162   --      --      --      192.168.0.100
...

This example (ipmpstat -pn) displays information about the IPMP probe. For IPMP
probing to work correctly, the IPMP group must be connected to the local area network and at
least one other host (the probe target) must also be connected to the same network.
Here, interfaces link2_ipmp0 (standby) and link1_ipmp0 are actively probing target
192.168.0.100. Interface link0_ipmp0 probing is failing.
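
The two monitoring slides can be turned into an automated check. The following script is an added example, not part of the course material: it decodes the FLAGS column with the legend given above, summarizes each IPMP group from ipmpstat -i output (including the case where a group is down to one active interface), and counts unanswered probes in ipmpstat -pn output. The sample listings are constructed in the layouts shown on the slides, and the function names and status labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example. The samples are constructed in the column layouts shown on the
# slides; on a live system pipe `ipmpstat -i` and `ipmpstat -pn` in instead.
sample_ipmpstat_i() {
cat <<'EOF'
INTERFACE    ACTIVE  GROUP  FLAGS    LINK  PROBE   STATE
link2_ipmp0  yes     ipmp0  -s-----  up    ok      ok
link1_ipmp0  yes     ipmp0  --mbM--  up    ok      ok
link0_ipmp0  no      ipmp0  -------  up    failed  failed
EOF
}

sample_ipmpstat_pn() {
cat <<'EOF'
TIME    INTERFACE    PROBE  NETRTT  RTT     RTTAVG  TARGET
0.06s   link2_ipmp0  i163   0.26ms  0.49ms  0.33ms  192.168.0.100
0.90s   link1_ipmp0  i162   0.26ms  0.39ms  0.31ms  192.168.0.100
0.49s   link0_ipmp0  i161   --      --      --      192.168.0.100
-0.49s  link0_ipmp0  i160   --      --      --      192.168.0.100
2.52s   link2_ipmp0  i165   0.23ms  0.39ms  0.34ms  192.168.0.100
EOF
}

# decode_flags FLAGS: expand a FLAGS string using the legend from the notes.
decode_flags() {
    awk -v f="$1" 'BEGIN {
        d["i"] = "inactive";       d["s"] = "standby"
        d["m"] = "ipv4-multicast"; d["b"] = "ipv4-broadcast"
        d["M"] = "ipv6-multicast"; d["d"] = "down"
        d["H"] = "offline-duplicate-hwaddr"
        out = ""
        for (k = 1; k <= length(f); k++) {
            c = substr(f, k, 1)
            if (c in d) { sep = (out == "" ? "" : ","); out = out sep d[c] }
        }
        print (out == "" ? "none" : out)
    }'
}

# ipmp_health: read `ipmpstat -i` output on stdin, print one line per group.
# An interface counts as active when ACTIVE is yes and STATE is ok; an idle
# standby (ACTIVE no, STATE ok) is neither active nor unusable.
ipmp_health() {
    awk '
        $1 == "INTERFACE" || NF < 7 { next }
        {
            g = $3
            if (!(g in active)) { order[++n] = g; active[g] = 0 }
            if ($7 != "ok") {
                unusable[g] = unusable[g] " " $1
            } else if ($2 == "yes") {
                active[g]++
                if (index($4, "s")) promoted[g] = promoted[g] " " $1
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                g = order[i]
                if (active[g] == 0)          st = "DOWN"
                else if (active[g] == 1)     st = "NO-REDUNDANCY"
                else if (unusable[g] != "")  st = "DEGRADED"
                else                         st = "OK"
                printf "%s status=%s active=%d unusable=[%s] standby_in_use=[%s]\n",
                    g, st, active[g], substr(unusable[g], 2), substr(promoted[g], 2)
            }
        }'
}

# probe_loss: read `ipmpstat -pn` output on stdin and print
# "<interface> <probes-seen> <probes-without-reply>" per interface.
probe_loss() {
    awk '
        $1 == "TIME" || NF < 7 { next }
        {
            if (!($2 in sent)) { order[++n] = $2; sent[$2] = 0; lost[$2] = 0 }
            sent[$2]++
            if ($5 == "--") lost[$2]++
        }
        END { for (i = 1; i <= n; i++) print order[i], sent[order[i]], lost[order[i]] }'
}

# Demonstration on the constructed samples.
sample_ipmpstat_i | ipmp_health
sample_ipmpstat_pn | probe_loss
```
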


Practice 6-4: Overview

This practice covers exploring IP network multipathing (IPMP):
• Create an IPMP active-active configuration.
• Create an IPMP active-standby configuration.

Transition to Oracle Solaris 11 6 - 51


THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY. COPYING eKIT MATERIALS FROM THIS COMPUTER IS STRICTLY PROHIBITED

Agenda

• Introducing the Oracle Solaris 11 network enhancements
• Managing NWAM
• New and enhanced network management utilities
• Configuring network virtualization
• Configuring IPMP
• Configuring network bridges
• New network monitoring utilities


Network Bridging

• Bridging is used to connect separate network segments.
• Bridging simplifies network administration.
• Bridges use a packet-forwarding mechanism.
• Bridging supports Spanning Tree Protocol (STP) and TRILL.

Network bridges are used to connect separate network segments. When connected by a
bridge, the attached network segments communicate as if they were a single network
segment. Bridging is implemented at the data link layer (L2) of the networking stack to
connect subnetworks together.
Using a bridge configuration simplifies the administration of the various nodes in the network
by connecting them to a single network. By connecting these segments through a bridge, all
the nodes share a single broadcast network. Thus, each node can reach the others by using
network protocols such as IP rather than by using routers to forward traffic across network
segments. If you do not use a bridge, you must configure IP routing to permit the forwarding of
IP traffic between nodes.
To forward packets to their destinations, bridges must listen in promiscuous mode on every
link that is attached to the bridge. Listening in promiscuous mode makes bridges
vulnerable to forwarding loops, in which packets circle forever at full line
rate. Bridging uses the Spanning Tree Protocol (STP) to prevent network
loops that would render the subnetworks unusable. In addition to STP, Oracle Solaris 11
supports the Transparent Interconnect of Lots of Links (TRILL) protocol.


Unlike STP and RSTP, TRILL does not shut down physical links to prevent loops. Instead,
TRILL computes the shortest-path information for each TRILL node in the network and uses
that information to forward packets to individual destinations. As a result, TRILL enables the
system to leave all links in use at all times.


Configuring a Network Bridge

root@s11-serv1:~# dladm create-bridge -l net0 -l net3 tonowhere
root@s11-serv1:~# dladm show-bridge
BRIDGE PROTECT ADDRESS PRIORITY DESROOT
tonowhere stp 32768/8:0:27:15:2:19 32768 32768/8:0:27:15:2:19
root@s11-serv1:~# dladm show-bridge -l tonowhere
LINK STATE UPTIME DESROOT
net0 forwarding 90 32768/8:0:27:15:2:19
net3 discarding 90 32768/8:0:27:15:2:19
root@s11-serv1:~# dladm remove-bridge -l net0 -l net3 tonowhere
root@s11-serv1:~# dladm delete-bridge tonowhere

This slide shows you how to create, display, and remove a network bridge.


Practices 6-5 and 6-6: Overview

• Practice 6-5 covers creating a bridge between two network interfaces.
• Practice 6-6 covers creating a link aggregation.

Agenda

• Introducing the Oracle Solaris 11 network enhancements
• New network utilities
• Managing NWAM
• Configuring network virtualization
• Configuring network bridges
• New network monitoring utilities

The wireshark Utility


Wireshark is a network protocol analyzer. You can use it to capture and interactively browse
the traffic running on a computer network. Because of its rich and powerful feature set, system
administrators, security experts, developers, and educators around the world use it regularly.
It is freely available as open source and is released under the GNU General Public License
version 2.
With Wireshark you can:
• Capture live packet data from a network interface
• Display packets with very detailed protocol information
• Open and save captured packet data
• Import and export packet data from and to many other capture programs
• Filter packets by using many criteria
• Search for packets by using many criteria
• Colorize packet display based on filters
• View various statistics
This slide shows the Wireshark packet analyzer interface.

The dlstat Utility

• Reports runtime statistics about data links
• dlstat allows you to:
– Examine all links and report statistics
– Examine a specific link and report statistics
– Examine physical network devices and report statistics
– Examine link aggregations and report statistics
– Specify a sampling interval

The dlstat command reports runtime statistics about data links. The output is sorted in the
descending order of link utilization. The slide lists what you can do using dlstat.


dlstat: Examples

root@s11-serv1:~# dlstat
LINK IPKTS RBYTES OPKTS OBYTES
vnic0 222 9.42K 1.50K 118.00K
vnic1 1.10K 82.73K 168 7.15K
vnic2 1.10K 82.73K 168 7.15K
speedway0 8.95K 713.56K 17.69K 20.80M

root@s11-serv1:~# dlstat show-phys
LINK TYPE INDEX PKTS BYTES
net0 rx 0 5.25K 464.55K
net1 rx 0 1.32K 93.89K
net2 rx 0 1.32K 93.89K
net3 rx 0 1.32K 93.89K
speedway0 rx 0 5.25K 464.55K
speedway0 rx 1 1.32K 93.89K
speedway0 rx 2 1.32K 93.89K
speedway0 rx 3 1.32K 93.89K
speedway0 tx 0 4.86K 3.46M
speedway0 tx 1 885 831.00K
speedway0 tx 2 1.79K 1.88M
speedway0 tx 3 10.21K 14.64M

The slide shows examples of dlstat usage.


In the first example, running dlstat without subcommands displays a summary of statistics
for all the links. The report shows incoming traffic (IPKTS and RBYTES) and outgoing traffic
(OPKTS and OBYTES).
In the second example, the show-phys subcommand reports network traffic statistics for
each physical network device. The INDEX field identifies the ring queue associated with a
device. The report includes statistics for data received (rx) and data transmitted (tx). Note
that link aggregations (speedway0 here), if present, are also displayed.


dlstat: Examples

root@s11-serv1:~# dlstat show-link
LINK TYPE ID INDEX PKTS BYTES
vnic0 rx local -- 114 4.84K
vnic0 rx bcast -- 112 4.75K
vnic0 rx sw -- 0 0
vnic0 tx bcast -- 1.01K 79.68K
vnic0 tx sw -- 514 40.38K

speedway0 rx hw 0 5.22K 458.88K
speedway0 rx hw 1 1.28K 87.51K
speedway0 rx hw 2 1.28K 87.51K
speedway0 rx hw 3 1.28K 87.51K
root@s11-serv1:~# dlstat show-aggr
LINK PORT IPKTS RBYTES OPKTS OBYTES
speedway0 -- 9.26K 751.05K 17.78K 20.82M
speedway0 net0 5.28K 466.74K 4.89K 3.46M
speedway0 net1 1.33K 94.77K 885 831.00K
speedway0 net2 1.33K 94.77K 1.79K 1.88M
speedway0 net3 1.33K 94.77K 10.22K 14.64M

The show-link subcommand reports network traffic statistics for each network link. In the
output, the ID field indicates whether hardware rings are exclusively assigned (indicated by
hw) or shared (indicated by sw) among clients. rx rings are shared if other clients, such as
VNICs, are configured over the link as well. In the example shown in the slide, sharing is
indicated by the vnic0 sw value in the ID column.
The show-aggr subcommand reports incoming and outgoing network traffic statistics for
aggregated links. The PORT field indicates the devices that make up the link aggregation.
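
The per-port rows of show-aggr can be turned into a traffic distribution, which shows how evenly an aggregation spreads load over its member devices. The following is an added example, not part of the course material: the function names are hypothetical, the sample input is constructed from the listing above, and the K/M/G suffixes are assumed to be decimal multipliers.

```shell
#!/bin/sh
# Added example: per-port byte share of a link aggregation,
# computed from `dlstat show-aggr` output.

# Constructed sample input: the show-aggr listing shown above.
sample_aggr_output() {
    cat <<'EOF'
LINK PORT IPKTS RBYTES OPKTS OBYTES
speedway0 -- 9.26K 751.05K 17.78K 20.82M
speedway0 net0 5.28K 466.74K 4.89K 3.46M
speedway0 net1 1.33K 94.77K 885 831.00K
speedway0 net2 1.33K 94.77K 1.79K 1.88M
speedway0 net3 1.33K 94.77K 10.22K 14.64M
EOF
}

# Reads show-aggr output on stdin; $1 is the aggregation name.
# Prints "port rx_percent tx_percent" for each member port, based on
# RBYTES and OBYTES. The "--" row is the aggregation total and is skipped.
aggr_port_share() {
    awk -v aggr="$1" '
        # Convert "831.00K" / "3.46M" / "885" to a plain number.
        # Assumption: suffixes are decimal (K = 1000, M = 1000000, ...).
        function bytes(s,    n, u) {
            u = substr(s, length(s))
            n = s + 0
            if (u == "K") return n * 1000
            if (u == "M") return n * 1000000
            if (u == "G") return n * 1000000000
            return n
        }
        $1 == aggr && $2 != "--" {
            rx[$2] = bytes($4); tx[$2] = bytes($6)
            rxsum += rx[$2];    txsum += tx[$2]
        }
        END {
            for (p in rx)
                printf "%s %.0f %.0f\n", p,
                    (rxsum ? 100 * rx[p] / rxsum : 0),
                    (txsum ? 100 * tx[p] / txsum : 0)
        }
    ' | sort
}

# Prints member ports of aggregation $1 that carry more than $2 percent
# of the transmitted bytes.
tx_heavy_ports() {
    aggr_port_share "$1" | awk -v limit="$2" '$3 > limit { print $1 }'
}

# Run against the constructed sample; on a real host, pipe the output of
# `dlstat show-aggr` into aggr_port_share instead.
sample_aggr_output | aggr_port_share speedway0
```

On the sample, net3 carries about 70 percent of the transmitted bytes while net0 receives about 62 percent of the inbound bytes.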


The flowstat Utility

• Enables you to gather run-time statistics on user-defined flows
• Using flowstat, you can:
– Display receive-side statistics only (includes bytes)
– Display transmit-side statistics only
– Specify an interval in seconds at which statistics are
refreshed. The default interval is one second.
– Display statistics for all flows on the specified link or statistics
for the specified flow


Flows consist of network packets that are organized according to an attribute. Flows enable
you to further allocate network resources. Packets traverse a path when they flow into or out
of a system. On a granular level, packets are received and transmitted through receive (Rx)
rings and transmit (Tx) rings of an NIC. From these rings, received packets are passed up the
network stack for further processing while outbound packets are sent to the network.
The flowstat command allows you to gather reports on run-time statistics about
user-defined flows.
Using flowstat, you can:
• Display receive-side statistics only (includes bytes)
• Display transmit-side statistics only
• Specify an interval in seconds at which statistics are refreshed. The default interval is
one second.
• Display statistics for all flows on the specified link or statistics for the specified flow


flowstat Examples

root@s11-serv1:~# flowstat -i 1
FLOW IPKTS RBYTES IDROPS OPKTS OBYTES ODROPS
http1 430.45K 910.46M 0 398.22K 44.09M 0
root@s11-serv1:~# flowstat -r
FLOW IPKTS RBYTES IDROPS
http1 2.95M 3.44M 0
root@s11-serv1:~# flowstat -t
FLOW OPKTS OBYTES ODROPS
http1 17.89M 987.22M 0

The first example shows information every second about incoming and outgoing traffic on all
configured flows on the system.
The second example shows receive-side statistics for all flows.
The third example shows transmit-side statistics for all flows.


Quiz

Which command is used to enable an NWAM profile?
a. nwamadm enable profile_name
b. nwamadm -p profile_name
c. netadm enable profile_name
d. netadm -e profile_name

Answer: c


Quiz

Which command is used to display a network interface IP address?
a. ipadm show-ip interface
b. ipadm show-if interface
c. ipadm show-all interface
d. ipadm show-addr interface

Answer: d


Quiz

IPMP can be configured for both IPv4 and IPv6.
a. True
b. False

Answer: a

Quiz

Which IPMP component is responsible for detecting failures?
a. IPMP daemon
b. IPMP service
c. DHCP

Answer: a


Quiz

Which command is used to create an IPMP group?
a. dladm create-ipmp ipmp_name
b. ipadm create-group ipmp_name
c. dladm create-group ipmp_name
d. ipadm create-ipmp ipmp_name

Answer: d


Quiz

Which command is used to display IPMP group information?
a. ipmpstat -g
b. ipmpadm -g
c. ipmpcfg -g
d. ipmpconf -g

Answer: a


Quiz

A VNIC is a virtual network device with the same datalink
interface as a physical interface.
a. True
b. False

Answer: a


Quiz

In which order is a virtual network created?
a. Virtual switch, VNICs, zones
b. Zones, VNICs, virtual switch
c. VNICs, virtual switch, zones

Answer: a


Quiz

Which property controls maximum flow bandwidth?
a. speed
b. maxbw
c. threshold
d. maximum

Answer: b


Quiz

What utility is used to create virtual switches and VNICs?
a. lnkadm
b. dladm
c. vniccfg
d. dlcfg

Answer: b


Quiz

To use VNICs, a zone must be configured as what IP type?
a. Shared-IP
b. Exclusive-IP
c. Either shared or exclusive

Answer: b


Quiz

You have created an etherstub called stub2. You now want to
create vnic1 and attach it to stub2. Which command(s)
would you use to do this?
a. # dladm create-vnic1
b. # dladm create-vnic -l vnic1
c. # dladm create-vnic -l stub2 vnic0
d. # dladm create-vnic -l stub2 vnic1

Answer: c


Quiz

Solaris 11 network bridges support which bridging protocols?
a. STP only
b. TRILL only
c. STP and TRILL

Answer: c


Quiz

Which command is used to display data link statistics?
a. dladm
b. dlmon
c. dlstat
d. dlcfg

Answer: c


Summary

In this lesson, you should have learned how to:
• Describe the new network features and enhancements
• List the new and enhanced network management utilities
• Configure Network Auto-Magic (NWAM)
• Configure IPMP
• Configure network virtualization
• Configure a network bridge
• List the new network monitoring utilities

In this lesson, you were presented with the new Oracle Solaris 11 network features. You were
also shown the tasks involved in managing NWAM and configuring virtual networks. Finally,
you learned how to configure a network bridge.


Practice 6-7: Overview

This practice covers using the new Oracle Solaris 11 utilities to
monitor the network:
• Install and explore the wireshark utility.
• Install and explore the dlstat utility.

Oracle Solaris 11 Storage Enhancements

Objectives

After completing this lesson, you should be able to:
• Describe the new storage features and enhancements
• Split a mirrored ZFS storage pool
• Identify ZFS snapshot differences
• Configure ZFS deduplication
• Configure COMSTAR

Agenda

• Introducing the Oracle Solaris 11 storage enhancements
• Migrating UFS and ZFS file systems
• Splitting a mirrored ZFS storage pool
• Identifying ZFS snapshot differences
• Configuring ZFS deduplication
• Configuring COMSTAR

Introducing Oracle Solaris 11 Storage Enhancements

• ZFS is the default root file system.
• You can migrate UFS and ZFS file systems.
• You can split a mirrored ZFS storage pool.
• You can determine ZFS snapshot differences.
• You can use deduplication in ZFS to save storage space.
• COMSTAR targets for iSER, SRP, and FCoE are now supported.
• There is greater Microsoft interoperability with fully
integrated CIFS support.

A number of important storage features and enhancements have been introduced with the
release of the Oracle Solaris 11 operating system. These features and enhancements
include:
• ZFS default root file system: ZFS is the default root file system for the Oracle Solaris
11 operating system. With a ZFS root pool, you do not have to worry about calculating
slice sizes for /, /var, /export, and so on only to find out you did not create them with
enough space (or with too much). With ZFS, they consume only as much space as they
need. ZFS reduces complexity by eliminating the need for multiple volume management
tools. Another benefit to having a ZFS root pool is that you can mirror your root file
system with very little effort.
• Migrating UFS and ZFS file systems: You can use the ZFS Shadow Migration feature
to migrate data from old UFS and ZFS file systems to new file systems while
simultaneously allowing access and modification of the new file systems during the
migration process.
• Splitting mirrored ZFS storage pools: A mirrored ZFS storage pool can be quickly
cloned as a backup pool.
• ZFS snapshot differences: A very useful feature has been implemented for ZFS in
Oracle Solaris 11, which allows you to list all file changes between two snapshots of a
ZFS file system.

• ZFS deduplication: Deduplication is the process of eliminating duplicate copies of data.
ZFS deduplication saves space and unnecessary I/O, which can lower storage costs
and improve performance. ZFS deduplication automatically avoids writing the same data
twice on your drive by detecting duplicate data blocks and keeping track of the multiple
places where the same block is needed.
• COMSTAR targets for iSER, SRP, and FCoE: COMSTAR (Common Multiprotocol
SCSI Target) is the software framework that enables you to turn any Oracle
Solaris host into a target device that can be accessed over a storage network. The
COMSTAR framework makes it possible for all SCSI device types (tape, disk, and the
like) to connect to a transport (such as Fibre Channel) with concurrent access to all
logical unit numbers (LUN) and a single point of management. Support for a number of
protocols has been added: iSCSI Extensions for RDMA (iSER) and SCSI RDMA
Protocol (SRP) for hosts that include an InfiniBand Host Channel Adapter, iSCSI, and
Fibre Channel over Ethernet (FCoE). Oracle Solaris DTrace probes have also been
added to COMSTAR in the SCSI Target Mode Framework (STMF) and SCSI Block
Device (SBD).
• Greater Microsoft interoperability with fully integrated CIFS: Oracle Solaris 11
includes fully integrated CIFS. The Common Internet File System (CIFS), also known as
SMB, is the standard for Microsoft file-sharing services. The Oracle Solaris CIFS service
provides file sharing and MS-RPC administration services required for Windows-like
behavior for interoperability with CIFS clients, including many new features such as
host-based access control, which allows a CIFS server to restrict access to specific
clients by IP address, ACLs (access control lists) on shares, and synchronization of
client-side offline file caching during reconnection. Microsoft ACLs are also supported in
ZFS.

Agenda

• Introducing the Oracle Solaris 11 storage enhancements
• Migrating UFS and ZFS file systems
• Splitting a mirrored ZFS storage pool
• Identifying ZFS snapshot differences
• Configuring ZFS deduplication
• Configuring COMSTAR

ZFS Shadow Data Migration

• Used for migrating data from one system to another
• Supported file system types:
– A local or remote ZFS file system to a target ZFS file system
– A local or remote UFS file system to a target ZFS file system
• Shadow migration method:
– Create an empty ZFS file system.
– Set the shadow property on an empty ZFS file system to
point to the file system to be migrated.
– Data from source file system is copied to the shadow file
system.


A common task for administrators is to migrate data from one system to another. In the most
abstract sense, this problem encompasses a large number of use cases, from replicating data
between servers to keeping user data on laptops in sync with servers. The ZFS Shadow Data
Migration feature in Oracle Solaris 11 OS provides a simple-to-use solution for moving data
quickly and safely between systems.
You can use the shadow migration feature to migrate file systems as follows:
• A local or remote ZFS file system to a target ZFS file system
• A local or remote UFS file system to a target ZFS file system
ZFS Shadow Data Migration uses a simple method that pulls the data to be migrated:
• Create an empty ZFS file system.
• Set the shadow property on an empty ZFS file system, which is the target (or shadow)
file system, to point to the file system to be migrated.
• Data from the file system to be migrated is copied over to the shadow file system.


Shadow Migration Considerations

• Source file system must be set to read-only.
• The target file system must be completely empty.
• Migration continues across reboots.
• Determine whether UID, GID, and ACL information is to be
migrated.
• Be patient.
• Use the shadowstat command to monitor shadow
migration activity.


When planning your shadow migration configuration, consider the following:
• The file system to be migrated must be set to read-only. If the file system is not set to
read-only, in-progress changes might not be migrated.
• The target file system must be completely empty.
• If the system is rebooted during a migration, the migration continues after the system is
booted.
• Access to directory content that is not completely migrated or access to file content that
is not completely migrated is blocked until the entire content is migrated.
• If you want the UID, GID, and ACL information to be migrated to the shadow file system
during an NFS migration, make sure that the name service information is accessible
between the local and remote systems. You might consider copying a subset of the file
system data to be migrated for a test migration to see that all the information is migrated
properly before completing a large migration of data over NFS.
• Migrating file system data over NFS can be slow, depending on your network
bandwidth. Be patient.


• You can use the shadowstat command to monitor a file system migration, which
provides the following data:
- The BYTES XFRD column identifies how many bytes have been transferred to the
shadow file system.
- The BYTES LEFT column fluctuates continuously until the migration is almost
complete. ZFS does not identify how much data needs to be migrated at the
beginning of the migration because this process might be too time-consuming.
- Consider using the BYTES XFRD and the ELAPSED TIME information to estimate
the length of the migration process.


Configuring ZFS Shadow Data Migration


root@s11-source:~# share -F nfs -o ro /export/UFS_data
root@s11-source:~# share -F nfs -o ro /export/ZFS_data
root@s11-target:~# pkg install shadow-migration
root@s11-target:~# svcadm enable shadowd
root@s11-target:~# zfs create -o \
shadow=nfs://s11-source/export/UFS_data \
rpool/export/shadow_UFS_data
root@s11-target:~# zfs create -o \
shadow=nfs://s11-source/export/ZFS_data \
rpool/export/shadow_ZFS_data
root@s11-target:~# shadowstat
                                  EST
                        BYTES     BYTES             ELAPSED
DATASET                 XFRD      LEFT      ERRORS  TIME
rpool/export/UFS_shadow 85.7M     77.75M    -       00:05:11
rpool/export/ZFS_shadow -         -         -       00:05:12

No migrations in progress

Splitting a ZFS Mirrored Pool: Example


The slide shows an example of setting up ZFS shadow data migration on a remote host
containing the file system to be migrated and the target host containing the shadow file
system.
Here, two remote file systems (one UFS, one ZFS) are exported as read-only NFS file
systems.
On the target host, you must first install the shadow-migration software package. After the
package is installed, enable the shadowd service.
Finally, create an empty ZFS file system for each exported file system on the remote host. On
each ZFS shadow file system, set the shadow option to
nfs://remote_system/exported_file_system.
Run the shadowstat command on the target host to monitor shadow migration activity.


Agenda

• Introducing the Oracle Solaris 11 storage enhancements
• Migrating UFS and ZFS file systems
• Splitting a mirrored ZFS storage pool
• Identifying ZFS snapshot differences
• Configuring ZFS deduplication
• Configuring COMSTAR


Splitting a Mirrored ZFS Storage Pool

• Use the zpool split command to split a mirrored ZFS
storage pool.
• Splitting detaches a disk from a mirrored pool to create a
new pool.
• The new pool contents are identical to the original mirror
pool.
• By default, zpool split detaches the last disk.
• After splitting, the new pool must be imported to be
accessible.

A mirrored ZFS storage pool can be quickly cloned as a backup pool by using the zpool
split command. Currently, this feature cannot be used to split a mirrored root pool.
You use the zpool split command to detach disks from a mirrored ZFS storage pool to
create a new pool with one of the detached disks. The new pool will have identical contents to
the original mirrored ZFS storage pool. By default, a zpool split operation on a mirrored
pool detaches the last disk for the newly created pool. After the split operation, the new pool
must be imported to be accessible.


Splitting a ZFS Mirrored Pool: Example


root@s11-serv1:~# zpool create newpool mirror c7t2d0 c7t3d0
root@s11-serv1:~# zpool split -n newpool newpool1
would create 'newpool1' with the following layout:
    newpool1
      c7t3d0
root@s11-serv1:~# zpool split newpool newpool1
root@s11-serv1:~# zpool import newpool1
root@s11-serv1:~# zpool status
  pool: newpool
 state: ONLINE
  scan: none requested
config:
        NAME        STATE     READ WRITE CKSUM
        newpool     ONLINE       0     0     0
          c7t2d0    ONLINE       0     0     0

  pool: newpool1
 state: ONLINE
  scan: none requested
config:
        NAME        STATE     READ WRITE CKSUM
        newpool1    ONLINE       0     0     0
          c7t3d0    ONLINE       0     0     0

The slide shows an example of splitting a ZFS mirrored storage pool.


In this example, you create a mirrored pool (newpool). Then you run the zpool split -n
command to perform a “dry run” of the split operation. Next, you split the mirror to create the
newpool1 pool. Finally, you import the newpool1 pool and check ZFS pool status. The
status shows that the newpool and newpool1 pools each contain one disk from the original
mirrored ZFS pool.


Identifying ZFS Snapshot Differences

• You can determine ZFS snapshot differences by using the
zfs diff command.
• The zfs diff command gives a high-level description of
the differences between a snapshot and a descendent
dataset.
• The type of change is described along with the name of
the file:
– + indicates that the file was added in the later dataset.
– - indicates that the file was removed in the later dataset.
– M indicates that the file was modified in the later dataset.
– R indicates that the file was renamed in the later dataset.

In Oracle Solaris 11, you can determine ZFS snapshot differences by using the zfs diff
command. The zfs diff command gives a high-level description of the differences between
a snapshot and a descendent dataset. The descendent can be either a snapshot of the
dataset or the current dataset.
For each file that has undergone a change between the original snapshot and the
descendent, the type of change is described along with the name of the file. In the case of a
rename, both the old and new names are shown. The type of change follows any timestamp
displayed and is described with a single character (as listed in the slide).


Identifying ZFS Snapshot Differences: Example

root@s11-serv1:~# zfs snapshot newpool/mydata@before
root@s11-serv1:~# touch /newpool/mydata/newfile
root@s11-serv1:~# zfs snapshot newpool/mydata@after
root@s11-serv1:~# zfs list -r -t snapshot -o name,creation
NAME                         CREATION
newpool/mydata@before        Mon Apr 6 14:54 2011
newpool/mydata@after         Mon Apr 6 14:59 2011
rpool/ROOT/solaris@install   Fri Mar 4 22:33 2011
root@s11-serv1:~# zfs diff newpool/mydata@before newpool/mydata@after
M       /newpool/mydata/
+       /newpool/mydata/newfile
root@s11-serv1:~#

This slide shows an example of identifying ZFS snapshot differences.


In the example, you take a before snapshot of the newpool/mydata ZFS file system. Then
you create a new file (newfile) in /newpool/mydata. You take another snapshot (after)
of the same ZFS file system and list the snapshots based on name and creation date. Finally,
you compare the before and after snapshots to determine the differences. Note that in the
zfs diff command output, M indicates that /newpool/mydata/ was modified and +
indicates that a file (/newpool/mydata/newfile) was added to the later dataset.
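
The following is an added example, not part of the Oracle course material: a Python parser for the zfs diff record format described above that counts changes by type, flags changes under watched directories, and reports paths that were removed or renamed away and then re-created. The sample records beyond the two on the slide, the watch list, the timestamp value used in testing, and all function names are constructed; it assumes whitespace-separated fields and renames printed as "old -> new".

```python
"""Parse `zfs diff` output and flag changes under watched paths (added example)."""
from collections import Counter

CHANGE_TYPES = {"+": "added", "-": "removed", "M": "modified", "R": "renamed"}


def parse_zfs_diff(text):
    """Return one dict per record: type, path, new_path (renames), timestamp."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.strip().split(None, 1)
        timestamp = None
        # The change character follows any timestamp column, so skip one if present.
        if fields[0] not in CHANGE_TYPES and len(fields) == 2:
            timestamp = fields[0]
            fields = fields[1].split(None, 1)
        if len(fields) != 2 or fields[0] not in CHANGE_TYPES:
            raise ValueError(f"line {lineno}: not a zfs diff record: {raw!r}")
        change, path, new_path = fields[0], fields[1].strip(), None
        if change == "R":
            # Assumption: a rename is printed as "old -> new".
            path, arrow, new_path = path.partition(" -> ")
            if not arrow:
                raise ValueError(f"line {lineno}: rename without new name: {raw!r}")
        records.append({"type": CHANGE_TYPES[change], "path": path,
                        "new_path": new_path, "timestamp": timestamp})
    return records


def is_under(path, prefix):
    """True if path equals prefix or lies below it (whole path components only)."""
    path, prefix = path.rstrip("/"), prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def flag_watched(records, watched):
    """Records whose old or new path falls under any watched directory."""
    hits = []
    for rec in records:
        paths = [p for p in (rec["path"], rec["new_path"]) if p]
        if any(is_under(p, w) for p in paths for w in watched):
            hits.append(rec)
    return hits


def replaced_in_place(records):
    """Paths removed or renamed away and then added again in the same diff."""
    gone = {r["path"] for r in records if r["type"] in ("removed", "renamed")}
    added = {r["path"] for r in records if r["type"] == "added"}
    return sorted(gone & added)


def summarize(records):
    """Count records per change type."""
    return dict(Counter(r["type"] for r in records))


# Constructed sample; only the first two records appear on the slide.
SAMPLE = "\n".join([
    "M\t/newpool/mydata/",
    "+\t/newpool/mydata/newfile",
    "M\t/newpool/mydata/etc/sudoers",
    "R\t/newpool/mydata/bin/tool -> /newpool/mydata/bin/tool.bak",
    "+\t/newpool/mydata/bin/tool",
    "-\t/newpool/mydata/logs/auth.log",
    "+\t/newpool/mydata/etcetera/readme",
])
# Hypothetical watch list: directories whose changes deserve a second look.
WATCHED = ["/newpool/mydata/etc", "/newpool/mydata/bin", "/newpool/mydata/logs"]

if __name__ == "__main__":
    recs = parse_zfs_diff(SAMPLE)
    print(summarize(recs))
    for rec in flag_watched(recs, WATCHED):
        print("REVIEW", rec["type"], rec["path"], rec["new_path"] or "")
    print("replaced in place:", replaced_in_place(recs))
```

Prefix matching is done on whole path components, so /newpool/mydata/etcetera is not treated as part of /newpool/mydata/etc.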


ZFS Deduplication

• Is the process of identifying redundancies within a data set
and eliminating them
• Significantly shrinks storage requirements and improves
bandwidth efficiency
• Enables data deduplication at the level of files, blocks, or
bytes
• Is synchronous
• Benefits these applications:
– Backup to disk storage
– Mail servers
– File servers
– Virtualization storage

Deduplication is the process of identifying redundancies within a data set and eliminating
them. Eliminating redundant data can significantly shrink storage requirements and improve
bandwidth efficiency. Because primary storage has become cheaper over time, enterprises
typically store many versions of the same information so that new work can reuse old work.
Some operations, such as backup, store extremely redundant information. Deduplication
lowers storage costs because fewer disks are needed, and shortens backup/recovery times
because there can be far less data to transfer.
In Oracle Solaris 11, ZFS deduplication automatically avoids writing the same data twice on
your drive by detecting duplicate data blocks and keeping track of the multiple places where
the same block is needed. With ZFS deduplication, data can be deduplicated at the level of
files, blocks, or bytes. ZFS deduplication is synchronous. It instantly removes redundant data
during writes, without the need for background deduplication processes.


Here are some applications that typically benefit from ZFS deduplication:
• Backup to disk storage: On systems with many users, backing up user files to disk
storage has a potential for multiple copies of the same data, such as applications,
system files, documents, images, and videos.
• Mail servers: Mail servers are classic examples of data duplication. When a user sends
a mail attachment to a mailing list on the network, the mail server maintains a copy of
the same attachment for each recipient. Only one copy of the attachment is really
necessary.
• File servers: When users collaborate on projects, the chances are good that they will
end up storing many documents multiple times.

• Virtualization storage: Server virtualization, such as Solaris zones, is another area with
much duplicate data. Multiple installations of the same virtualized operating system
share the same kernel, libraries, system files, and applications.
When you run these types of applications on deduplication-enabled ZFS file systems, data is
stored only once.


ZFS Deduplication Properties

• One new ZFS file system property: dedup
• Two new ZFS pool properties
– dedupratio
– dedupditto

To support the deduplication feature, Oracle Solaris 11 adds new properties to ZFS.
ZFS has one new ZFS file system property to support deduplication, dedup. You use the
deduplication (dedup) property to remove redundant data from your ZFS file systems. If a file
system has the dedup property enabled, duplicate data blocks are removed synchronously.
The result is that only unique data is stored and common components are shared between
files. When dedup is enabled, the dedup checksum algorithm overrides the checksum
property. Setting the value to verify is equivalent to specifying sha256 for the checksum
property. If the property is set to verify and two blocks have the same signature, ZFS does a
byte-for-byte comparison with the existing block to ensure that the contents are identical.
ZFS has two new ZFS pool properties to support deduplication: dedupratio and
dedupditto. The dedupratio property is a read-only value used as a multiplier that
indicates the deduplication ratio achieved for a ZFS pool. The dedupditto property sets a
deduplication copy threshold. If the reference count for a deduped block goes above this
threshold, another ditto copy of the block is stored automatically.
By telling ZFS to store an additional copy after a specific number of references, you build in
some redundancy just in case the original block gets checksum errors.


ZFS Deduplication: Example


root@s11-serv1:~# zpool list
NAME      SIZE   ALLOC  FREE   CAP  DEDUP  HEALTH  ALTROOT
newpool   1.07G  169K   1.07G  0%   1.00x  ONLINE  -
newpool1  1.07G  130K   1.07G  0%   1.00x  ONLINE  -
rpool     15.9G  4.12G  11.8G  25%  1.00x  ONLINE  -
root@s11-serv1:~# zpool get all newpool|grep dedup
newpool  dedupditto  0      default
newpool  dedupratio  1.00x  -
root@s11-serv1:~# zfs get all newpool/mydata|grep dedup
newpool/mydata  dedup  off  default
root@s11-serv1:~# zfs set dedup=on newpool/mydata
root@s11-serv1:~# zfs get all newpool/mydata|grep dedup
newpool/mydata  dedup  on  local
root@s11-serv1:~# cp /opt/ora/course_files/bigfile.zip /newpool/mydata/dir1
root@s11-serv1:~# cp /opt/ora/course_files/bigfile.zip /newpool/mydata/dir2
root@s11-serv1:~# cp /opt/ora/course_files/bigfile.zip /newpool/mydata/dir3
root@s11-serv1:~# zpool list
NAME      SIZE   ALLOC  FREE   CAP  DEDUP  HEALTH  ALTROOT
newpool   1.07G  302M   794M   27%  3.00x  ONLINE  -
newpool1  1.07G  130K   1.07G  0%   1.00x  ONLINE  -
rpool     15.9G  4.12G  11.8G  25%  1.00x  ONLINE  -
root@s11-serv1:~# zpool get all newpool|grep dedup
newpool  dedupditto  0      default
newpool  dedupratio  3.00x  -

In this example, you check the ZFS properties to determine whether deduplication has been
enabled. The properties show that deduplication is currently disabled. Next, you enable
deduplication. You copy the same file to the three different directories in the file system that
has deduplication enabled. Finally, you recheck the ZFS properties and find that the deduped
file system has a deduplication factor of 3.
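
The following is an added example, not Oracle's code and not how ZFS is implemented: a small Python model of the behaviour described in the ZFS Deduplication Properties notes and in the example above. It shows three copies of one file yielding a 3.00x ratio, a ditto copy being kept once a block's reference count passes the dedupditto threshold, and why the verify setting matters when two different blocks share a checksum. The 8-byte block size, the threshold of 2, the deliberately weak one-byte checksum used to force a collision, and all names are assumptions made for the demonstration.

```python
"""Toy model of block dedup with verify and dedupditto (added example)."""
import hashlib

BLOCK_SIZE = 8  # tiny blocks keep the constructed samples readable


def sha256(block):
    return hashlib.sha256(block).digest()


def weak_checksum(block):
    """Deliberately weak 1-byte checksum, used here only to force a collision."""
    return bytes([sum(block) % 256])


class DedupStore:
    """In-memory dedup table; no overwrite or free path is modelled."""

    def __init__(self, checksum=sha256, verify=False, dedupditto=0):
        self.checksum = checksum
        self.verify = verify
        self.dedupditto = dedupditto  # 0 disables ditto copies
        self.table = {}               # checksum -> list of block entries
        self.files = {}               # file name -> list of (checksum, index)

    def write(self, name, data):
        self.files[name] = [self._store(data[off:off + BLOCK_SIZE])
                            for off in range(0, len(data), BLOCK_SIZE)]

    def _store(self, block):
        key = self.checksum(block)
        chain = self.table.setdefault(key, [])
        for index, entry in enumerate(chain):
            # Without verify, a checksum match alone is trusted as "same data".
            if not self.verify or entry["data"] == block:
                entry["refs"] += 1
                if self.dedupditto and entry["refs"] > self.dedupditto:
                    entry["copies"] = 2  # keep one extra ditto copy
                return key, index
        chain.append({"data": block, "refs": 1, "copies": 1})
        return key, len(chain) - 1

    def read(self, name):
        return b"".join(self.table[k][i]["data"] for k, i in self.files[name])

    def _entries(self):
        return [e for chain in self.table.values() for e in chain]

    def dedupratio(self):
        """Referenced blocks divided by unique stored blocks (ditto copies ignored)."""
        entries = self._entries()
        return sum(e["refs"] for e in entries) / len(entries) if entries else 1.0

    def ditto_blocks(self):
        return sum(1 for e in self._entries() if e["copies"] > 1)


def three_copies_demo():
    """Copy one file into three directories, as in the slide's cp commands."""
    store = DedupStore(verify=True, dedupditto=2)
    bigfile = bytes(range(32))  # constructed: four distinct 8-byte blocks
    for directory in ("dir1", "dir2", "dir3"):
        store.write(directory + "/bigfile.zip", bigfile)
    return store.dedupratio(), store.ditto_blocks()


def collision_demo(verify):
    """Write two different blocks that share a weak checksum; read back the second."""
    first, second = b"AAAAAAAB", b"AAAAAABA"  # constructed: same byte sum
    store = DedupStore(checksum=weak_checksum, verify=verify)
    store.write("first", first)
    store.write("second", second)
    return store.read("second")


if __name__ == "__main__":
    print("ratio, ditto blocks:", three_copies_demo())
    print("verify off:", collision_demo(False))
    print("verify on: ", collision_demo(True))
```

With verify off, the colliding second block is silently replaced by the first block's contents on read; with verify on, the byte-for-byte comparison keeps both blocks intact.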


Common Multiprotocol SCSI Target (COMSTAR)



Common Multiprotocol SCSI Target, or COMSTAR, is a software framework that provides
support for the iSCSI protocol. iSCSI is an Internet Protocol (IP)-based storage networking
standard for linking data storage subsystems. By carrying SCSI commands over IP networks,
the iSCSI protocol enables you to mount disk devices from across the network onto your local
system. On your local system, you can use the devices like block devices.
COMSTAR enables you to convert any Oracle Solaris 11 host into a SCSI target device that
can be accessed over a storage network by initiator hosts by using a SCSI Target Mode
Framework (STMF) to manage target storage devices. STMF provides the following
components:
• Port providers (or plug-ins): Implement protocols, such as Fibre Channel (FC) and
iSCSI
• Logical unit providers: Emulate various SCSI devices, such as disk and tape devices
• The management library (libstmf): Provides the COMSTAR management interface


COMSTAR Benefits and Limitations

• Benefits:
– The iSCSI protocol runs across existing Ethernet networks.
– Existing Fibre Channel devices can be connected to clients
without the cost of Fibre Channel HBAs.
– Systems with dedicated arrays can export replicated storage.
– There is no upper limit on the maximum number of
configured iSCSI target devices.
– You can connect to Fibre Channel or SAN environments.
• Limitations:
– Does not support iSCSI devices that use SLP.
– iSCSI targets cannot be configured as dump devices.
– Transferring large amounts of data over your existing
network can affect performance.

Benefits of using Solaris iSCSI targets and initiators include the following:
• The iSCSI protocol runs across existing Ethernet networks.
- You can use any supported network interface card (NIC), Ethernet hub, or
Ethernet switch.
- One IP port can handle multiple iSCSI target devices.
- You can use existing infrastructure and management tools for IP networks.
• Existing Fibre Channel devices can be connected to clients without the cost of Fibre
Channel HBAs.
• Systems with dedicated arrays can now export replicated storage with ZFS or UFS file
systems.
• There is no upper limit on the maximum number of configured iSCSI target devices.
• The protocol can be used to connect to Fibre Channel or iSCSI Storage Area Network
(SAN) environments with the appropriate hardware.


Current limitations or restrictions on using the Solaris iSCSI initiator software include the
following:
• Support for iSCSI devices that use service locator protocol (SLP) is not currently
available.
• iSCSI targets cannot be configured as dump devices.
• Transferring large amounts of data over your existing network can adversely affect
performance.


Configuring COMSTAR

• Install the storage-server software package.
• Create an iSCSI LUN.
– Enable the stmf service.
– Identify a disk volume to serve as the SCSI target.
– Run the stmfadm utility to create a LUN.
– Make the LUN viewable to the initiators.
• Create the iSCSI target.
– Enable the target service.
– Run the itadm utility to create an iSCSI target.
• Configure an iSCSI initiator.
– Enable initiator service.
– Configure the target device discovery method.
– Reconfigure the /dev namespace to recognize the iSCSI
disk.
• Access the iSCSI disk.
– Use the format utility to identify the iSCSI LUN information.
– Create a ZFS file system on the iSCSI LUN.

Tasks required for configuring COMSTAR:
• Install the storage-server software package: This package contains all the software
required to configure SCSI targets. The storage-server software package is installed on
the system that provides the storage devices.
• Create an iSCSI LUN: This task is performed on the system that provides the disk
volumes. The disk volume provided by the server is referred to as the target. When the
LUN is associated with an iSCSI target, it can be accessed by an iSCSI initiator. This
task involves:
- Enabling the stmf service
- Identifying a disk volume to serve as the SCSI target
- Running the stmfadm utility to create a LUN
- Making the LUN viewable to the initiators
• Create the iSCSI target: This task is performed on the system that provides the disk
volumes. This task involves:
- Enabling the target service
- Running the itadm utility to create an iSCSI target


• Configure an iSCSI initiator: This task is performed on the initiator client host. This
task involves:
- Enabling initiator service
- Configuring the target device discovery method
- Reconfiguring the /dev namespace to recognize the iSCSI disk
• Access the iSCSI disk: This task is performed on the initiator client host. This task
involves:
- Using the format utility to identify the iSCSI LUN information
- Creating a ZFS file system on the iSCSI LUN


Quiz

Which software package provides support for ZFS shadow data
migration?
a. shadow
b. shadow-migration
c. zfs-shadow
d. zfs-migration

Answer: b


Quiz

Which command is used to monitor ZFS shadow data migration
progress?
a. shadowadm
b. shadow
c. shadowstat
d. migrationstat

Answer: c


Quiz

ZFS deduplication is the process of identifying redundancies
within a data set and eliminating them.
a. True
b. False

Answer: a


Quiz

Which property sets the deduplication copy threshold?
a. dedupratio
b. dedupmax
c. maxdedup
d. dedupditto

Answer: d


Quiz

Which software package provides support for iSCSI devices in
Solaris 11?
a. comstar
b. iscsi
c. storage-server
d. iscsi-storage

Answer: c


Quiz

Which service must be enabled to create an iSCSI LUN?
a. iscsi
b. stmf
c. comstar
d. iscsitgt

Answer: b


Quiz

Which utility is used to create an iSCSI target?
a. iscsiadm
b. stmf
c. itadm
d. stmfadm

Answer: c


Summary

In this lesson, you should have learned how to:
• Describe the new storage features and enhancements
• Split a mirrored ZFS storage pool
• Identify ZFS snapshot differences
• Configure ZFS deduplication
• Configure COMSTAR


Practice 7 Overview:
Oracle Solaris 11 Storage Enhancements
This practice covers the following topics:
• Migrating UFS and ZFS file systems
• Splitting a mirrored ZFS storage pool
• Identifying ZFS snapshot differences
• Configuring ZFS deduplication
• Configuring COMSTAR


Oracle Solaris 11 Security Enhancements

Objectives

After completing this lesson, you should be able to:
• Describe the new security features and enhancements
• Explore the Oracle Solaris cryptographic framework
• Encrypt ZFS data
• Manage read-only zones
• Use the Basic Audit Reporting Tool (BART) to audit
system files


Agenda

• Oracle Solaris 11 security enhancements
• Oracle Solaris Cryptographic Framework
• ZFS dataset encryption
• Managing read-only zones
• Basic Audit Reporting Tool (BART)


Oracle Solaris 11 Security Enhancements

• Secure by Default
• Root account as a role
• RBAC kernel enhancements
• Oracle Solaris Cryptographic Framework
• ZFS dataset encryption
• Read-only zones
• Basic Audit Reporting Tool (BART)
• Labeled IPsec
• Trusted Extension enhancements

A number of important security features and enhancements have been introduced with the
release of the Oracle Solaris 11 operating system, including the following:
• Secure by Default: Oracle Solaris 11 provides a fully Secure by Default environment.
Oracle Solaris Secure by Default reduces the attack surface of the Oracle Solaris OS by
disabling as many network services as possible while still leaving a useful system. In
this way, the number of exposed network services is dramatically reduced. With
automatic Secure by Default, network services are disabled by default or set to listen for
local system communications only.
• Root account as a role: Oracle Solaris 11 implements a role for root. The root as a role
option was first delivered in Solaris 8 (1998). What is different in Oracle Solaris 11 is that
this option is enabled by default during installation. The advantage of root as a role is
that it ensures that administrative actions done by the root account are attributable to a
real (unique) person. Because you must have at least one user who is authorized to
assume the root role, a standard user account (which can assume that role) is
automatically created during the installation process. If you do not want this feature, you
can revert to Solaris 10 behavior by running the following command:
# rolemod -K type=normal root


• RBAC kernel enhancements: In Oracle Solaris 11, an in-kernel pfexec
implementation is used to execute administrative commands requiring a higher privilege
level. Unlike in Solaris 10, in Oracle Solaris 11 the pfexec program is no longer a
privileged program, so it cannot pass any privileges to other programs. Instead, it sets a
process execution mode flag that specifies that all subsequent executions are subject to
the RBAC policy specified in rights profiles. You use the usermod -P command to
delegate administrative privileges to trusted users.
Unlike in Solaris 10, the process privileges of setuid-to-root binaries are also specified
by using RBAC. A new rights profile, Forced Privileges, specifies the required privilege
set for these applications, instead of granting all privileges. This significantly reduces the
potential to be an attack vector against the system.
Oracle Solaris 11 adds new privileges: file read, file write, and net access. These
privileges restrict read, write, and outbound network access. Additionally, a new rights
profile, Stop, removes default authorizations and execution rights from specific users,
facilitating the creation of restricted execution environments.
• Oracle Solaris Cryptographic Framework: Cryptography is the science of encrypting
and decrypting data. Cryptographic services provide authentication and encryption
mechanisms to applications and users. Central to the Oracle Solaris Cryptographic
Framework is the pktool command. The pktool command allows you to manage the
certificates and keys on multiple keystores including PKCS#11 tokens, Netscape
Security Services (NSS) tokens, and standard file-based keystores for OpenSSL. Oracle
Solaris Cryptographic Framework now supports the NSA Suite B algorithms.
• ZFS Dataset Encryption: When using ZFS dataset encryption, the ZFS dataset at rest
is encrypted, and can only be mounted by a user who can supply the cryptographic key
that is associated with the ZFS dataset. When the file system is mounted, it is no longer
cryptographically protected. Instead, normal Solaris access controls (ACLs, permission
bits, containment) apply. Encryption can be specified at the pool or dataset level
(per-mount point), and each dataset can have a unique encryption key. This is in contrast to
systems that do whole-disk.
• Basic Audit Reporting Tool: The Basic Audit Reporting Tool (BART) enables you to
comprehensively validate systems by performing file-level checks of one or more
systems over time. Changes in a BART manifest across systems, or for one system over
time, can validate the integrity of your systems. BART provides manifest creation,
manifest comparison, and rules for scripting reports.


• Labeled IPsec: When labeled processes in a multilevel secure operating system, such
as Oracle Solaris Trusted Extensions, communicate across system boundaries, their
network traffic needs to be labeled and protected. Traditionally, this requirement is met
by using a physically separate network infrastructure to ensure that data belonging to
different labeled domains stays in separate physical infrastructures. Labeled IPsec/IKE,
which is new in Oracle Solaris 11, enables customers to reuse the same physical
network infrastructure for labeled communications by transferring labeled data within
separate labeled IPsec security associations, removing the need for a redundant and
expensive physical network infrastructure.
• Trusted Extension enhancements: To enable greater flexibility and security, Trusted
Extensions now enables per-label and per-user credentials, allowing administrators to
require a unique password for each label. This password is in addition to the session
login password, thereby allowing administrators to set a per-zone encryption key for
each label of every user’s home directory. Trusted Extensions has now also added
support to explicitly set security labels on ZFS datasets, ensuring that ZFS file systems
for a specific security label cannot be mounted on a zone of a different label, and thus
cannot inadvertently upgrade or downgrade the classification of data.


Agenda

• Oracle Solaris 11 security enhancements
• Oracle Solaris Cryptographic Framework
• ZFS dataset encryption
• Managing read-only zones
• Basic Audit Reporting Tool (BART)


Oracle Solaris Cryptographic Framework

• Cryptography is the science of encrypting and decrypting data.
• Oracle Solaris Cryptographic Framework command scope:
– Administrator commands
– User commands
– Binary signatures for third-party software


Cryptographic services provide authentication and encryption mechanisms to applications
and users.
• Administrator commands: The framework provides commands for administrators, for
users, and for developers who supply providers. The cryptoadm command administers
a running cryptographic framework. The command is part of the CryptoManagement
rights profile. This profile can be assigned to a role for secure administration of the
cryptographic framework. The cryptoadm command allows you to:
- Display cryptographic provider information
- Disable or enable provider mechanisms
- Disable or enable the metaslot


• User commands: The Oracle Solaris Cryptographic Framework provides user-level
commands to check the integrity of files, to encrypt files, and to decrypt files.
– digest command: Computes a message digest for one or more files or for
stdin. A digest is useful for verifying the integrity of a file. SHA1 and MD5 are
examples of digest functions.
– mac command: Computes a message authentication code (MAC) for one or more
files or for stdin. A MAC associates data with an authenticated message. A MAC
enables a receiver to verify that the message came from the sender and that the
message has not been tampered with. The sha1_hmac and md5_hmac
mechanisms can compute a MAC.
– encrypt command: Encrypts files or stdin with a symmetric cipher. The
encrypt -l command lists the algorithms that are available. Mechanisms that
are listed under a user-level library are available to the encrypt command. The
framework provides AES, DES, 3DES (Triple-DES), and ARCFOUR mechanisms
for user encryption.
– decrypt command: Decrypts files or stdin that were encrypted with the
encrypt command. The decrypt command uses the identical key and
mechanism that were used to encrypt the original file.
– pktool command: Allows you to manage the certificates and keys on multiple
keystores, including PKCS#11 tokens, Netscape Security Services (NSS) tokens,
and standard file-based keystores for OpenSSL.
• Binary signatures for third-party software: The elfsign command provides a
means to sign providers to be used with the Oracle Solaris Cryptographic Framework.
Typically, this command is run by the developer of a provider. The elfsign command
has subcommands to request a certificate from Oracle and to sign binaries. Another
subcommand verifies the signature. Unsigned binaries cannot be used by the Oracle
Solaris Cryptographic Framework. Signing one or more providers requires the certificate
from Oracle and the private key that was used to request the certificate.


Administrative Command: Examples

root@s11-serv1:~# cryptoadm list

User-level providers:
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
Provider: /usr/lib/security/$ISA/pkcs11_tpm.so

Kernel software providers:
des
aes
arcfour
blowfish
ecc
sha1
sha2
md4
md5
rsa
swrand

Kernel hardware providers:


The cryptoadm list command displays a list of the providers currently installed in the
system. Providers are cryptographic services that consumers use. Because providers plug in
to the framework, they are also called “plugins.” The cryptoadm list command separates
the providers into three categories: user-level providers, kernel software providers, and kernel
hardware providers.


Administrative Command: Examples

root@s11-serv1:~# cryptoadm list metaslot
System-wide Meta Slot Configuration:
------------------------------------
Status: enabled
Sensitive Token Object Automatic Migrate: enabled
Persistent object store slot: Sun Crypto Softtoken
Persistent object store token: Sun Software PKCS#11 softtoken
root@s11-serv1:~# cryptoadm list -m provider=aes
aes:
CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,CKM_AES_CCM,CKM_AES_GCM,CKM_AES_GMAC
root@s11-serv1:~# cryptoadm list -p provider=aes
aes: all mechanisms are enabled.
root@s11-serv1:~# cryptoadm disable provider=aes mechanism=CKM_AES_GMAC
root@s11-serv1:~# cryptoadm list -p provider=aes
aes: all mechanisms are enabled, except CKM_AES_GMAC.
root@s11-serv1:~# cryptoadm enable provider=aes mechanism=CKM_AES_GMAC
root@s11-serv1:~# cryptoadm list -p provider=aes
aes: all mechanisms are enabled.


The cryptoadm list metaslot command displays the system-wide configuration for the
metaslot. A metaslot is a single slot that presents a union of the capabilities of other slots that
are loaded in the framework. The metaslot eases the work of dealing with all of the
capabilities of the providers that are available through the framework. When an application
that uses the metaslot requests an operation, the metaslot determines which actual slot should
perform the operation. Metaslot capabilities are configurable, but configuration is not required.
The metaslot is on by default.
The cryptoadm list -m command displays a list of mechanisms that can be used with the
installed providers or metaslot.
A mechanism is the application of a mode of an algorithm for a particular purpose.
Cryptographic algorithms are established, recursive computational procedures that encrypt or
hash input. Encryption algorithms can be symmetric or asymmetric. Symmetric algorithms use
the same key for encryption and decryption. Asymmetric algorithms, which are used in public-
key cryptography, require two keys. Hashing functions are also algorithms. If a provider is
specified, the command displays the name of the specified provider and the mechanism list
that can be used with that provider. If the metaslot keyword is specified, the command
displays the list of mechanisms that can be used with the metaslot.


The cryptoadm list -p command displays the mechanism policy (that is, which
mechanisms are available and which are not) for the installed providers.
The cryptoadm disable and cryptoadm enable commands allow you to disable or
enable provider mechanisms.
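One way to confirm that a mechanism disabled with cryptoadm disable stays disabled, as an added example that is not part of the original course material. It reads saved cryptoadm list -p output in the line format shown on the slide; the function names, the sample text, and the comma-separated form of a multi-mechanism list are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle's code): confirm that mechanisms a site has chosen
# to disable are still disabled, using saved `cryptoadm list -p` output.

# Constructed sample. The aes line is the one shown on the slide; the des line
# is a constructed multi-mechanism case (assumed comma-separated list).
sample_policy() {
cat <<'EOF'
Kernel software providers:
des: all mechanisms are enabled, except CKM_DES_ECB,CKM_DES3_ECB.
aes: all mechanisms are enabled, except CKM_AES_GMAC.
sha1: all mechanisms are enabled.
EOF
}

# disabled_mechs: read policy text on stdin and print one
# "provider mechanism" pair per disabled mechanism.
disabled_mechs() {
  awk '
    / all mechanisms are enabled, except / {
      prov = $1
      sub(/:$/, "", prov)
      list = $0
      sub(/^.* except /, "", list)   # keep what follows "except"
      sub(/\..*$/, "", list)         # drop the closing period and any trailer
      n = split(list, mech, /,[ \t]*/)
      for (i = 1; i <= n; i++)
        if (mech[i] != "") print prov, mech[i]
    }'
}

# policy_drift provider=mechanism ...: each argument names a mechanism that
# must be disabled. Prints a DRIFT line for each one that is enabled again
# and returns 1 if any drift was found.
policy_drift() {
  current=$(disabled_mechs)
  drift=0
  for want in "$@"; do
    prov=${want%%=*}
    mech=${want#*=}
    if ! printf '%s\n' "$current" | grep -qxF "$prov $mech"; then
      echo "DRIFT $prov $mech"
      drift=1
    fi
  done
  return "$drift"
}

# Demo on the constructed sample: CKM_DES_CBC was never disabled, so it is
# reported as drift.
sample_policy | policy_drift aes=CKM_AES_GMAC des=CKM_DES_CBC || true
```

On a live system the input would come from cryptoadm list -p itself, run under a role that holds the CryptoManagement rights profile.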


User Command: Examples

root@s11-serv1:~# digest -l
sha1
md5
sha256
sha384
sha512
root@s11-serv1:~# digest -a sha1 /etc/release
e64eb9c537f90f6cba0cfd1e6b39fe9dd33cf552
root@s11-serv1:~# mac -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
des_mac                    64    64
sha1_hmac                   8   512
md5_hmac                    8   512
sha256_hmac                 8   512
sha384_hmac                 8  1024
sha512_hmac                 8  1024
root@s11-serv1:~# mac -v -k mykey -a sha1_hmac /etc/release
sha1_hmac (/etc/release) = 913ced311df10f1708d9848641ca8992f4718057


This slide shows digest and mac command usage.


User Command: Examples

root@s11-serv1:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: cangetin
Re-enter new passphrase: cangetin
Passphrase changed.
root@s11-serv1:~# pktool genkey label=myaeskey keytype=aes keylen=256
Enter PIN for Sun Software PKCS#11 softtoken: cangetin
root@s11-serv1:~# pktool list objtype=key
Enter PIN for Sun Software PKCS#11 softtoken: cangetin
Found 1 symmetric keys.
Key #1 - AES: myaeskey (256 bits)
root@s11-serv1:~# cat /newpool/mydata/newfile
This is a test.
root@s11-serv1:~# encrypt -a aes -K myaeskey -i /newpool/mydata/newfile \
-o /newpool/mydata/newfile
Enter PIN for Sun Software PKCS#11 softtoken: cangetin
root@s11-serv1:~# cat /newpool/mydata/newfile
��_Zt��<<@��ÃÂ�6��y^ï¿
root@s11-serv1:~# decrypt -a aes -K myaeskey -i /newpool/mydata/newfile \
-o /newpool/mydata/newfile
root@s11-serv1:~# cat /newpool/mydata/newfile
This is a test.


This slide shows pktool, encrypt, and decrypt command usage.


The pktool command allows users to manage the softtoken object store. The setpin
subcommand changes the passphrase used to authenticate a user to the softtoken object
store. setpin prompts you for the old passphrase. If the old passphrase matches, pktool
prompts for the new passphrase twice. If the two entries of the new passphrase match, it will
become the current passphrase for the token. The default passphrase is changeme.
The pktool genkey command generates a symmetric key in the specified keystore. The
genkey subcommand prompts the user to enter a PIN for a token-based keystore.
Next, the slide display shows the contents of the /newpool/mydata/newfile text file. The
encrypt command is used with the new key to encrypt this file. The next command shows
that the file is now encrypted. Finally, the file is decrypted by using the same key.


ZFS Dataset Encryption

• Encrypted dataset support has been added to ZFS to protect against:
– Theft of physical storage
– Man-in-the-middle attacks on the SAN
– Dataset-level secured deletion
• Data is encrypted at the dataset level.
• Benefits of ZFS encryption include the following:
– ZFS encryption is integrated with the ZFS command set.
– You can use your existing storage pools.
– ZFS encryption is inheritable to descendent file systems.
– Data is encrypted by using AES.
– ZFS encryption uses the Oracle Solaris Cryptographic Framework.


Benefits of ZFS encryption include the following:
• ZFS encryption is integrated with the ZFS command set. Like other ZFS operations,
encryption operations, such as key changes and rekey, are performed online.
• You can use your existing storage pools as long as they are upgraded. You have the
flexibility of encrypting specific file systems.
• ZFS encryption is inheritable to descendent file systems. Key management can be
delegated through ZFS-delegated administration.
• Data is encrypted by using AES (Advanced Encryption Standard) with key lengths of
128, 192, and 256 in the CCM and GCM operation modes.
• ZFS encryption uses the Oracle Solaris Cryptographic Framework, which automatically
gives it access to any available hardware acceleration or optimized software
implementations of the encryption algorithms.


ZFS Pool Encryption: Example

root@s11-serv1:~# zpool create -O encryption=on encryptedpool \
c7t4d0 c7t5d0
Enter passphrase for 'encryptedpool': cangetin
Enter again: cangetin
root@s11-serv1:~# zfs create encryptedpool/mysecrets
root@s11-serv1:~# zfs get encryption encryptedpool/mysecrets
NAME                     PROPERTY    VALUE  SOURCE
encryptedpool/mysecrets  encryption  on     local
root@s11-serv1:~# zfs get keysource encryptedpool/mysecrets
NAME                     PROPERTY   VALUE              SOURCE
encryptedpool/mysecrets  keysource  passphrase,prompt  inherited from encryptedpool


This slide shows an example of encrypting a ZFS pool.
In this example, first we create a ZFS pool named encryptedpool with the encryption
property set to on. Then we create a ZFS file system named mysecrets in the encrypted
pool. The keysource property of the mysecrets file system shows that its key source
(passphrase,prompt) was inherited from the encrypted ZFS pool.


ZFS File System Encryption: Example

root@s11-serv1:~# pktool genkey keystore=file \
outkey=/myzfskey keytype=aes keylen=256
Enter PIN for Sun Software PKCS#11 softtoken: cangetin
root@s11-serv1:~# zfs create -o encryption=aes-256-ccm \
-o keysource=raw,file:///myzfskey newpool/mysecretdata
root@s11-serv1:~# zfs get encryption newpool/mysecretdata
NAME                  PROPERTY    VALUE        SOURCE
newpool/mysecretdata  encryption  aes-256-ccm  local
root@s11-serv1:~# zfs get keysource newpool/mysecretdata
NAME                  PROPERTY   VALUE                 SOURCE
newpool/mysecretdata  keysource  raw,file:///myzfskey  local


This slide shows an example of encrypting a ZFS file system within a pool.
In this example, first we generate a keystore file named /myzfskey. Then we create a ZFS file
system named mysecretdata with the /myzfskey keystore file. The keysource property of
the mysecretdata file system shows that the encryption key source comes from the
/myzfskey keystore file.
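A review of the two settings these slides configure, as an added example that is not part of the original course material. It reads the tab-separated output of zfs get -H -r -o name,property,value,source encryption,keysource and lists datasets that are not encrypted and datasets whose key is read from a local file; the function names and the sample rows for the plain newpool dataset are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle's code): review ZFS encryption settings from
#   zfs get -H -r -o name,property,value,source encryption,keysource <pool>
# -H prints tab-separated fields without a header line.

# Constructed sample built from the dataset names and values on the slides;
# the rows for newpool itself are assumed.
sample_zfs_get() {
  printf '%s\t%s\t%s\t%s\n' \
    encryptedpool encryption on local \
    encryptedpool keysource passphrase,prompt local \
    encryptedpool/mysecrets encryption on local \
    encryptedpool/mysecrets keysource passphrase,prompt 'inherited from encryptedpool' \
    newpool encryption off default \
    newpool keysource none default \
    newpool/mysecretdata encryption aes-256-ccm local \
    newpool/mysecretdata keysource raw,file:///myzfskey local
}

# zfs_crypto_review: print one finding per line and return 1 if there are any.
#   UNENCRYPTED <dataset>               encryption is off
#   KEYFILE <dataset> <format> <path>   wrapping key is read from a file
zfs_crypto_review() {
  awk -F '\t' '
    BEGIN { findings = 0 }
    $2 == "encryption" && $3 == "off" {
      print "UNENCRYPTED", $1
      findings++
    }
    # keysource is "format,locator". Only locally set values are reported so
    # that an inherited file locator is listed once, at the dataset that set it.
    $2 == "keysource" && $4 == "local" {
      comma = index($3, ",")
      fmt = substr($3, 1, comma - 1)
      loc = substr($3, comma + 1)
      if (loc ~ /^file:\/\//) {
        sub(/^file:\/\//, "", loc)
        print "KEYFILE", $1, fmt, loc
        findings++
      }
    }
    END { exit (findings > 0) }'
}

# Demo on the constructed sample.
sample_zfs_get | zfs_crypto_review || true
```

A KEYFILE finding is a prompt to check where that file lives and who can read it: a raw key stored on the same system's unencrypted disk travels with the disks it is meant to protect.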


Read-Only (Immutable) Zones

• A zone with a read-only zone root is called a read-only zone.
• Read-only zones preserve a zone's integrity by using a read-only root file system.
• Modifications to system binaries or system configurations are blocked.
• The file-mac-profile property:
– It is used to configure a read-only zone root.
– The zonecfg utility is used to set the file-mac-profile property.
– By default, the file-mac-profile property is not set.


Read-Only Zones
A zone with a read-only zone root is called a read-only zone. An Oracle Solaris read-only
zone preserves the zone's configuration by implementing read-only root file systems for
non-global zones. A read-only zone extends the zone's secure run-time boundary by adding
restrictions to the run-time environment. Unless performed as specific maintenance
operations, modifications to system binaries or system configurations are blocked.
The mandatory write access control (MWAC) kernel policy is used to enforce file system write
privilege through a zonecfg file-mac-profile property. Because the global zone is not
subject to MWAC policy, the global zone can write to a non-global zone's file system for
installation, image updates, and maintenance. The MWAC policy is downloaded when the
zone enters the ready state. The policy is enabled at zone boot. To perform post-install
assembly and configuration, a temporary writable root-file system boot sequence is used.
Modifications to the zone's MWAC configuration only take effect with a zone reboot.


The file-mac-profile Property

• Defines which part of the file system is exempt from the read-only policy
• Four possible values:
– none
– strict
– fixed-configuration
– flexible-configuration


The file-mac-profile Property


The file-mac-profile property allows you to define which parts of the file system are
exempted from the read-only policy, that is, which parts of the file system the zone is allowed
to write to.
There are currently four supported values for this property:
• none: This value makes the zone exactly the same as a normal, r/w zone. Setting the
value to none is equivalent to not setting the file-mac-profile property.
• strict: This value allows no exceptions to the read-only policy.
• fixed-configuration: The fixed-configuration value allows the zone to write to
files in and below /var, except directories containing configuration files:
- /var/ld
- /var/lib/postrun
- /var/pkg
- /var/spool/cron
- /var/spool/postrun
- /var/svc/manifest
- /var/svc/profiles
• flexible-configuration: This is similar to fixed-configuration, but allows
writing to files in /etc too.


Administering Read-Only Zones


• Setting a strict read-only zone.
zonecfg:zone1> set file-mac-profile=strict

• Setting a fixed-configuration read-only zone.
zonecfg:zone2> set file-mac-profile=fixed-configuration

• Setting a flexible-configuration read-only zone.
zonecfg:zone3> set file-mac-profile=flexible-configuration

• Displaying zone properties.
root@s11-serv1:~# zoneadm list -p
0:global:running:/:UUID:solaris:shared:-:none
1:zone1:running:/export/zones/zone1:UUID:solaris:shared:R:strict
2:zone2:running:/export/zones/zone2:UUID:solaris:shared:R:fixed-configuration
3:zone3:running:/export/zones/zone3:UUID:solaris:shared:R:flexible-configuration


Administering Read-Only Zones


This slide shows examples of configuring and viewing read-only zones.
• strict: Read-only file system, no exceptions.
- IPS packages cannot be installed.
- Persistently enabled SMF services are fixed.
- SMF manifests cannot be added from the default locations.
- Logging and auditing configuration files are fixed. Data can only be logged
remotely.
• fixed-configuration: Permits updates to /var/* directories, with the exception of
directories that contain system configuration components.
- IPS packages, including new packages, cannot be installed.
- Persistently enabled SMF services are fixed.
- SMF manifests cannot be added from the default locations.
- Logging and auditing configuration files can be local. syslog and audit
configuration are fixed.


• flexible-configuration: Permits modification of files in /etc/* directories, changes to
root's home directory, and updates to /var/* directories. This configuration provides the
closest functionality to the Oracle Solaris 10 native sparse root zone.
- IPS packages, including new packages, cannot be installed.
- Persistently enabled SMF services are fixed.
- SMF manifests cannot be added from the default locations.
- Logging and auditing configuration files can be local. syslog and audit
configuration can be changed.
• none: Standard, read-write, non-global zone, with no additional protection beyond the
existing zone boundaries. Setting the value to none is equivalent to not setting the
file-mac-profile property.
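An audit of the zoneadm list -p output shown above, as an added example that is not part of the original course material. It ranks the four profiles from most to least permissive as the notes describe them and reports zones below a chosen minimum; the function names, the placeholder UUIDs, the zone4 and zone5 rows, and the reading of a W in the eighth field as "root currently writable" are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit `zoneadm list -p` output against a
# minimum file-mac-profile. Fields are colon-separated; the last field is the
# profile and the one before it is R on the read-only zones in the slide.

# Constructed sample: zone1 to zone3 follow the slide, zone4 and zone5 are
# added cases, and the UUIDs are placeholders.
sample_zoneadm() {
cat <<'EOF'
0:global:running:/:00000000-0000-0000-0000-000000000000:solaris:shared:-:none
1:zone1:running:/export/zones/zone1:00000000-0000-0000-0000-000000000001:solaris:shared:R:strict
2:zone2:running:/export/zones/zone2:00000000-0000-0000-0000-000000000002:solaris:shared:R:fixed-configuration
3:zone3:running:/export/zones/zone3:00000000-0000-0000-0000-000000000003:solaris:shared:R:flexible-configuration
4:zone4:running:/export/zones/zone4:00000000-0000-0000-0000-000000000004:solaris:shared:W:none
5:zone5:running:/export/zones/zone5:00000000-0000-0000-0000-000000000005:solaris:shared:W:strict
EOF
}

# zone_profile_audit MIN: MIN is the least strict profile that is acceptable.
#   WEAK <zone> <profile>      profile is more permissive than MIN
#   WRITABLE <zone> <profile>  profile is set but the zone is not marked R
#                              (assumed to mean a writable maintenance boot)
# Returns 0 when clean, 1 with findings, 2 when MIN is not a known profile.
zone_profile_audit() {
  awk -F: -v min="$1" '
    BEGIN {
      rank["none"] = 0
      rank["flexible-configuration"] = 1
      rank["fixed-configuration"] = 2
      rank["strict"] = 3
      if (!(min in rank)) { print "ERROR unknown profile " min; fatal = 1; exit 2 }
    }
    NF == 0 { next }
    $2 == "global" { next }        # the global zone is not subject to MWAC
    NF < 9 { print "MALFORMED", $0; findings++; next }
    {
      # Count from the end so an escaped colon in the zonepath cannot shift
      # the two fields that matter here.
      zone = $2; rw = $(NF - 1); prof = $NF
      if (!(prof in rank)) { print "UNKNOWN", zone, prof; findings++; next }
      if (rank[prof] < rank[min]) { print "WEAK", zone, prof; findings++ }
      if (prof != "none" && rw != "R") { print "WRITABLE", zone, prof; findings++ }
    }
    END { if (fatal) exit 2; exit (findings > 0) }'
}

# Demo on the constructed sample.
sample_zoneadm | zone_profile_audit fixed-configuration || true
```

Because MWAC configuration changes take effect only at zone reboot, a zone can show an older profile here until it has been rebooted.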


Basic Audit Reporting Tool (BART)

BART:
• Is a tool that performs a file-level check of the software contents of a system
• Enables you to determine what file-level changes have occurred on a system
• Compares changes to a known baseline


BART is a tool that performs a file-level check of the software contents of a system. BART
allows you to quickly, easily, and reliably gather information about the components of the
software stack that is installed on deployed systems. Using BART can greatly reduce the
costs of administering a network of systems by simplifying time-consuming administrative
tasks.
BART enables you to determine what file-level changes have occurred on a system, relative
to a known baseline. You use BART to create a baseline or control manifest from a fully
installed and configured system. You can then compare this baseline with a snapshot of the
system at a later time, generating a report that lists file-level changes that have occurred on
the system since it was installed.


BART: Example

root@s11-serv1:/var/tmp# vi bartrules
IGNORE all
/export/home/oracle
CHECK all
root@s11-serv1:/var/tmp# bart create -r bartrules > \
bart-`hostname`-`date '+%d%m%Y-%H:%M:%S'`
root@s11-serv1:/var/tmp# ls bart*
bart-s11-serv1-12042011-17:04:35 bartrules
root@s11-serv1:/var/tmp# touch /export/home/oracle/newfile
root@s11-serv1:/var/tmp# bart create -r bartrules > \
bart-`hostname`-`date '+%d%m%Y-%H:%M:%S'`
root@s11-serv1:/var/tmp# ls bart*
bart-s11-serv1-12042011-17:04:35 bartrules
bart-s11-serv1-12042011-17:08:34
root@s11-serv1:/var/tmp# bart compare \
bart-s11-serv1-12042011-17:04:35 \
bart-s11-serv1-12042011-17:08:34
/export/home/oracle:
  size control:38 test:39
/export/home/oracle/newfile:
  add


The slide shows an example of using BART.


In this example, first you create a BART rules file. In this case, BART ignores all file changes
on the system except for the file changes in the /export/home/oracle directory. Then you
run the BART report by using the BART rules file to create a comparison baseline. In a bart
compare report, the baseline is indicated by the “control” field.
Next, a new file is created in the /export/home/oracle directory and a second BART
report is generated. The second BART report is used to compare against the baseline report
created earlier. In a bart compare report, the BART report to be compared against the
baseline is indicated by the “test” field.
Finally, bart compare is run by using the baseline (control) and test BART report. The
results show that /export/home/oracle directory size was changed and
/export/home/oracle/newfile was added.


BART: Example

root@s11-serv1:/var/tmp# vi /export/home/oracle/newfile
This is a test.
root@s11-serv1:/var/tmp# bart create -r bartrules > \
bart-`hostname`-`date '+%d%m%Y-%H:%M:%S'`
root@s11-serv1:/var/tmp# ls bart*
bart-s11-serv1-12042011-17:04:35 bart-s11-serv1-12042011-17:11:50
bart-s11-serv1-12042011-17:08:34 bartrules
root@s11-serv1:/var/tmp# bart compare bart-s11-serv1-12042011-17:08:34 \
bart-s11-serv1-12042011-17:11:50
/export/home/oracle/newfile:
  size control:0 test:16
  mtime control:4da4db66 test:4da4dc11
  contents control:d41d8cd98f00b204e9800998ecf8427e test:02bcabffffd16fe0fc250f08cad95e0c


Next, a text message is added to the /export/home/oracle/newfile file and a third
BART report is run. The second BART report is then used as the new baseline and is
compared against the third BART report. The results show that in the “test” report,
/export/home/oracle/newfile has grown by 16 bytes. The modified timestamp and file
contents have changed.
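A triage pass over bart compare output, as an added example that is not part of the original course material. It groups the attribute lines under each path and separates content and permission changes from metadata-only differences such as the directory size change above; the function names, the classification labels, and the .profile record are assumptions, and the other sample records are the two compare results from the slides.

```shell
#!/bin/sh
# Added example (not Oracle's code): triage `bart compare` output so that
# content and permission changes stand out from metadata-only differences.

# First compare run from the slide, verbatim.
sample_compare_1() {
cat <<'EOF'
/export/home/oracle:
  size control:38 test:39
/export/home/oracle/newfile:
  add
EOF
}

# Second compare run from the slide, with its wrapped contents line kept as
# printed there, plus one constructed mode change.
sample_compare_2() {
cat <<'EOF'
/export/home/oracle/newfile:
  size control:0 test:16
  mtime control:4da4db66 test:4da4dc11
  contents control:d41d8cd98f00b204e9800998ecf8427e
  test:02bcabffffd16fe0fc250f08cad95e0c
/export/home/oracle/.profile:
  mode control:100644 test:100666
EOF
}

# bart_triage: print "<KIND> <path> <attributes>" for every reported path.
#   ADDED / DELETED  path exists in only one manifest
#   CONTENT          the contents checksum differs
#   PERM             mode, uid, gid or acl differs, contents do not
#   META             anything else (size of a directory, mtime, ...)
# Returns 1 if any path is not META.
bart_triage() {
  awk '
    function emit() {
      if (file == "") return
      if (kind == "") kind = "META"
      print kind, file, (attrs == "" ? "-" : attrs)
      if (kind != "META") alerts++
    }
    {
      sub(/^[ \t]+/, "")
      sub(/[ \t\r]+$/, "")
    }
    $0 == "" { next }
    /^\/.*:$/ {                      # a path line opens a new record
      emit()
      file = substr($0, 1, length($0) - 1)
      kind = ""; attrs = ""
      next
    }
    file == "" { next }
    $1 == "add" { kind = "ADDED"; next }
    $1 == "delete" { kind = "DELETED"; next }
    $1 ~ /^test:/ { next }           # wrapped tail of the previous attribute
    {
      attrs = (attrs == "" ? $1 : attrs "," $1)
      if ($1 == "contents") kind = "CONTENT"
      else if (kind != "CONTENT" && ($1 == "mode" || $1 == "uid" || $1 == "gid" || $1 == "acl")) kind = "PERM"
    }
    END { emit(); exit (alerts > 0) }'
}

# Demo on the second sample.
sample_compare_2 | bart_triage || true
```

The control value d41d8cd98f00b204e9800998ecf8427e in the second run is the MD5 digest of empty input, which matches the zero-byte file that touch created.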


Quiz

ZFS encryption is not inherited by descendent file systems.
a. True
b. False


Answer: b


Quiz

When configuring a read-only zone, which file-mac-profile property value provides the
closest functionality to the Oracle Solaris 10 native sparse root zone?
a. none
b. strict
c. fixed-configuration
d. flexible-configuration


Answer: d


Quiz

Which command is used to display the zone file-mac-profile property value?
a. zonestat
b. zoneadm list -p
c. zoneadm -z zone_name info
d. zonestat -p file-mac-profile


Answer: b


Quiz

Basic Audit Reporting Tool (BART) is a tool that performs a file-level check of the software
contents of a system and enables you to determine what file-level changes have occurred
on a system.
a. True
b. False


Answer: a


Summary

In this lesson, you should have learned how to:
• Describe the new security features and enhancements
• Explore the Oracle Solaris cryptographic framework
• Encrypt ZFS data
• Manage read-only zones
• Use the Basic Audit Reporting Tool (BART) to audit system files


Practice 8 Overview:
Oracle Solaris 11 Security Enhancements
This practice covers the following topics:
• Managing encryption keys
• Configuring a ZFS-encrypted pool
• Configuring a ZFS-encrypted file system
• Exploring the Basic Audit Reporting Tool
