D73488GC11 Ag

THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY.
COPYING eKIT MATERIALS FROM THIS COMPUTER IS STRICTLY PROHIBITED
D74867
Edition 1.1
D73488GC11
November 2011
Activity Guide
Solaris 11
Transition to Oracle
Oracle University and Knowledge Transfer Centre use only

THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY. COPYING eKIT MATERIALS FROM THIS COMPUTER IS STRICTLY PROHIBITED
Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and
print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way.
Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display,
perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization
of Oracle.
The information contained in this document is subject to change without notice. If you find any problems in the document, please
report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
warranted to be error-free.
Restricted Rights Notice

If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United
States Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS

The U.S. Government’s rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted
by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.
Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective
owners.
Author
David Giroux
Technical Contributors and Reviewers

Alta Elstad, Glenn Faden, Glynn Foster, Dave Miner, John Powell, Gary Riseborough,
Bart Smaalders
This book was published using: Oracle Tutor

Table of Contents
Practices for Lesson 1: Course Introduction.................................................................................................1-1
Practices for Lesson 1....................................................................................................................................1-2
Practices for Lesson 2: Introducing the Oracle Solaris 11 New Features and Enhancements .................2-1
Practices for Lesson 3: Managing Software Updates in Oracle Solaris 11 Express ..................................3-1
Practice 3-1: Configuring a Local IPS Package Repository ...........................................................................3-4
Practice 3-2: Configuring a Network Client to Access the IPS Server ............................................................3-8

Practice 3-3: Updating the Oracle Solaris 11 Image ......................................................................................3-10
Practice 3-4: Managing Software Packages ..................................................................................................3-11
Practice 3-5: Publishing a New Package .......................................................................................................3-21
Practice 3-6: Managing the Boot Environments .............................................................................................3-27
Practice 3-7: Testing Your Skills and Knowledge ...........................................................................................3-32
Practices for Lesson 4: Installing the Oracle Solaris 11 Operating System ...............................................4-1
Practice 4-1: Installing the Oracle Solaris 11 OS by Using the Text Installer .................................................4-4
Practice 4-2: Installing the Oracle Solaris 11 OS by Using the LiveCD Installer ............................................4-6
Practice 4-3: Installing the Oracle Solaris 11 OS by Using the Automated Installer .......................................4-9
Practice 4-4: Configuring Oracle Solaris 11 Instances ...................................................................................4-19
Practice 4-5: Customizing the Automated Installation ....................................................................................4-29
Practice 4-6: Test Your Skills and Knowledge ...............................................................................................4-39
Practices for Lesson 5: Administering Oracle Solaris 11 Zones .................................................................5-1
Practice 5-1: Migrating an Oracle Solaris 10 Zone to Oracle Solaris 11 ........................................................5-4
Practice 5-2: Migrating an Oracle Solaris 10 Global Zone to Oracle Solaris 11 (P2V) ...................................5-10
Practice 5-3: Monitoring Zone Resource Utilization .......................................................................................5-16
Practices for Lesson 6: Oracle Solaris 11 Express Network Enhancements .............................................6-1
Practice 6-1: Managing NWAM ......................................................................................................................6-4
Practice 6-2: Exploring the Capabilities of the ipadm Utility ...........................................................................6-12
Practice 6-3: Configuring Network Virtualization ............................................................................................6-16
Practice 6-4: Configuring IPMP ......................................................................................................................6-30
Practice 6-5: Configuring a Network Bridge ...................................................................................................6-44
Practice 6-6: Configuring a Link Aggregation .................................................................................................6-47
Practice 6-7: Monitoring the Network .............................................................................................................6-49
Practices for Lesson 7: Oracle Solaris 11 Storage Enhancements .............................................................7-1
Practice 7-1: Migrating a ZFS File System .....................................................................................................7-5
Practice 7-2: Splitting a Mirrored ZFS Storage Pool.......................................................................................7-10
Practice 7-3: Identifying ZFS Snapshot Differences .......................................................................................7-14
Practice 7-4: Configuring ZFS Deduplication .................................................................................................7-15
Practice 7-5: Configuring a COMSTAR iSCSI Target ....................................................................................7-17
Practices for Lesson 8: Oracle Solaris 11 Security Enhancements ............................................................8-1
Practice 8-1: Managing Encryption Keys .......................................................................................................8-4

Practice 8-2: Configuring a ZFS Encrypted Storage Pool ..............................................................................8-6
Practice 8-3: Configuring a ZFS Encrypted File System ................................................................................8-9
Practice 8-4: Configuring Read-Only Zones ...................................................................................................8-10
Practice 8-5: Configuring the Basic Audit Reporting Tool (BART) .................................................................8-14

Practices for Lesson 1: Course Introduction

Chapter 1 - Page 1
Chapter 1

Course Introduction
Practices for Lesson 1:

Practices for Lesson 1

Practices Overview
There is no practice for Lesson 1.
Practices for Lesson 1: Course Introduction

Chapter 1 - Page 2

Introducing the Oracle
Solaris 11 New Features and
Enhancements
Chapter 2
Practices for Lesson 2: Introducing the Oracle Solaris 11 New Features and Enhancements
Chapter 2 - Page 1

Practices Overview
There is no practice for Lesson 2.
Practices for Lesson 2: Introducing the Oracle Solaris 11 New Features and Enhancements
Chapter 2 - Page 2

Managing Software Updates
in Oracle Solaris 11 Express
Chapter 3
Practices for Lesson 3: Managing Software Updates in Oracle Solaris 11 Express

Chapter 3 - Page 1

Practices Overview
The managing software updates practices introduce you to the Image Packaging System (IPS).
These practices provide a guided, hands-on experience with managing software packages by
using IPS. During the practices, you apply package management best practices applicable to
the Oracle Solaris 11 operating system.
The key areas explored in the practices are:
• Configuring an IPS package repository

• Configuring network clients to access IPS
• Updating the current OS image (demonstration)
• Managing software updates using IPS
• Publishing a new package
• Managing boot environments
• Testing your skills and knowledge
Assumptions
Your lab environment is based on the Oracle VM VirtualBox virtualization software. VirtualBox is
a cross-platform virtualization application. It extends the capabilities of your existing computer
so that it can run multiple operating systems (inside multiple virtual machines) at the same time.
The following illustration shows the VirtualBox manager interface.
Figure 1: Oracle VM VirtualBox Manager

Chapter 3 - Page 2
The virtual machines (VMs) are configured on a private internal network (192.168.0). Each VM
can communicate with other VMs on the same private network (see Figure 2) but cannot
communicate with the local host machine or other machines on the same network as the local
host machine.

Figure 2: Lab Network Topology
Each virtual machine (VM) plays an import role in your lab as follows:
• Sol11 SuperServer: This VM provides network services, such as DNS, used by the VMs in
the lab.
Note: The Sol11 SuperServer VM must be started before any additional virtual machines
are started. The Sol11 SuperServer must always be running to perform the labs in this
guide.
• Sol11 Server1: This is the server in which you will configure IPS services.
• Sol11 Desktop: This is the IPS client machine.
Note: When performing your labs, power-off any unnecessary virtual machines. This helps
improve overall lab performance.
Note: When launching a virtual machine for the first time, you might see the First Run Wizard
appear. Click the Cancel button to continue.

Chapter 3 - Page 3
Practice 3-1: Configuring a Local IPS Package Repository

Overview
IPS manages software in units of packages. An IPS package is a collection of directories, files,
links, drivers, dependencies, groups, users, and license information in a defined format. This
collection represents the installable objects of a package. Packages have attributes such as a
package name and description. When you install or upgrade to the Oracle Solaris 11 release,
the system initially has one publisher configured: the solaris publisher. The default publisher has
the following repository origin:
http://pkg.oracle.com/solaris/release/

You can create your own local package repository. Having a local package repository is
necessary when your network clients do not have access to the web-based default repository.
Other reasons you might want to have a local copy of a package repository include:
• Performance: Having a local package repository allows clients to access packages at
local network speeds.
• Security: You might not want your clients systems to have access to the Internet.
• Replication: You want to ensure that an installation that you perform next year is
exactly the same as the installation you perform today.
In your lab environment, your virtual machine client cannot access the default publisher for
software update services. So your first task will be to create your own local package repository
and make it the default publisher so that the network client can be serviced by IPS.
Before You Begin

When creating a local package repository, you must first download the Oracle Solaris 11
repository image from the following site:
http://www.oracle.com/technetwork/server-storage/solaris11/downloads/index.html.
The repository image provides you with a complete archive of software packages to allow you to
set up a local network IPS repository that client systems can connect to.
The repository image is provided in two parts that must be concatenated. You use the following
command-line instructions to successfully create a full ISO image that can be burned to a dual-
layer DVD or directly mounted using the lofiadm command. You download parts A and B of
the repository ISO by clicking these links:
• Download Part A SPARC, x86 (2 GB)
• Download Part B SPARC, x86 (2 GB)
The following commands are used to concatenate parts A and B:
$ unzip sol-11-xxx-xxx-repo-full-iso-a.zip
$ unzip sol-11-xxx-xxx-repo-full-iso-b.zip
$ cat sol-11-xxx-xxx-repo-full.iso-a sol-11-xxx-xxx-repo-full.iso-b >
sol-11-xxx-xxx-repo-full.iso
Note: For training purposes, these steps have already been performed for you.
Note: The responses to the commands shown in practice are examples only. The values you
see during your lab experience might vary slightly.

Chapter 3 - Page 4
Task: Configure a Local IPS Package Repository

Perform these steps on the Sol11-Server1 machine to configure a local IPS package repository:
1. Verify that the Sol11-SuperServer and Sol11-Server1 virtual machines are running. This
can be determined by starting the Oracle VM VirtualBox Manager utility (refer to Figure 1)
and checking the run status for each virtual machine. If the virtual machines are not
running, start the Sol11-SuperServer VM first, followed by the Sol11-Server1 virtual
machine.
2. Log in to virtual machine Sol11-Server1 as user oracle. Use the password oracle1.
3. Run the su command to assume primary administrator privileges.

oracle@s11-serv1:~$ su –
Password: oracle1
root@s11-serv1:~#
4. Determine the hostname of this server.
root@s11-serv1:~# hostname
s11-serv1
5. Verify that this server can access DNS services.
root@s11-serv1:~# nslookup s11-serv1
Server: 192.168.0.100
Address: 192.168.0.100#53
Name: s11-serv1.mydomain.com
Address: 192.168.0.112
6. Verify that the /export/IPS file system has been configured on the system.
root@s11-serv1:~# zpool list
NAME SIZE ALLOC FREE CAP DEDUP HEALTH ALTROOT
rpool 32G 9.47G 22.5G 29% 1.00x ONLINE -
root@s11-serv1:~# zfs list
NAME USED AVAIL REFER MOUNTPOINT
rpool 9.54G 22.0G 39K /rpool
rpool/ROOT 1.80G 22.0G 31K legacy
rpool/ROOT/solaris 1.80G 22.0G 1.53G /
rpool/ROOT/solaris/var 217M 22.0G 215M /var
rpool/dump 1.03G 22.0G 1.00G -
rpool/export 5.68G 22.0G 33K /export
rpool/export/IPS 5.68G 22.0G 5.68G /export/IPS
rpool/export/home 66K 22.0G 32K /export/home
rpool/export/home/oracle 34K 22.0G 34K
/export/home/oracle
rpool/swap 1.03G 22.0G 1.00G -
Normally, a local IPS repository has to be manually created on the local server. This
involves creating a ZFS file system on the local server for the IPS repository and copying
the repository files from the repository ISO image to the local repository.

Chapter 3 - Page 5
The following example shows you the steps used to copy the IPS repository from the
ISO image to a local ZFS file system. Do not run these commands in this lab. The
repository has already been installed on the local server for you.
# zfs create -o compression=on rpool/export/IPS
# lofiadm –a sol-11-xxx-xxx-repo-full.iso
# mount –F hsfs /dev/lofi/1 /mnt
# rsync –aP /mnt/repo /export/IPS
The package repository is very large (approximately 4.4 gigabytes). Depending on the
speed of your host machine, the rsync command can take a couple hours to complete.

7. Assess the current IPS configuration on the Sol11-Server1 system:
root@s11-serv1:~# svcs application/pkg/server
STATE STIME FMRI
disabled 17:00:56 svc:/application/pkg/server:default
root@s11-serv1:~# svcprop -p pkg/inst_root application/pkg/server
/var/pkgrepo
This system is not currently configured as an IPS server (the service is disabled). Note
the default location of the IPS repository determined by the pkg/inst_root property.
The /var/pkgrepo directory is not the correct location of your local repository.
8. Determine whether the IPS service is currently available:
root@s11-serv1:~# pkg search entire
pkg: Unable to contact valid package repository
Encountered the following error(s):
This is likely a network configuration problem.
Framework error: code: 6 reason: Couldn’t resolve host
“pkg.oracle.com’
URL: ‘http://pkg.oracle.com/solaris/release’. (happened 4 times)
Searching for a package is quick way of determining whether the IPS service is
available. Based on the results shown here, this system has no access to the IPS
service.
9. Set the application/pkg/server service pkg/inst_root property to the repository
location (/export/IPS/repo).
root@s11-serv1:~# svccfg –s application/pkg/server setprop \
pkg/inst_root=/export/IPS/repo
root@s11-serv1:~#
10. Set the application/pkg/server service pkg/readonly property to true.
pkg/readonly=true
11. Verify the application/pkg/server service inst_root property.
root@s11-serv1:~# svcprop -p pkg/inst_root \
application/pkg/server
/export/IPS/repo
12. Refresh the application/pkg/server service.
root@s11-serv1:~# svcadm refresh application/pkg/server

Chapter 3 - Page 6
13. Enable the application/pkg/server service.

root@s11-serv1:~# svcadm enable application/pkg/server
14. Verify that the application/pkg/server service is enabled.
root@s11-serv1:~# svcs application/pkg/server
STATE STIME FMRI
online 17:00:56 svc:/application/pkg/server:default
15. Use the pkgrepo refresh command to refresh the package repository.
root@s11-serv1:~# pkgrepo refresh –s /export/IPS/repo

Initiating repository refresh.
When you create a new package repository, you must refresh the repository catalog so
that package search operations will work correctly. This might take several minutes to
complete.
16. List the current package publishers.
root@s11-serv1:~# pkg publisher
PUBLISHER TYPE STATUS URI
Solaris origin online http://pkg.oracle.com/solaris/release/
The command output shows the current publisher. A publisher is a forward domain
name that identifies a person, group of persons, or an organization that publishes one or
more packages .The repository type origin is the location of a package repository that
contains both package metadata (package manifests and catalogs) and package content
(package files). The default publisher URI is http://pkg.oracle.com/solaris/release/.
17. Remove the current publisher URI (http://pkg.oracle.com/solaris/release/) and add a new
URI (http://s11-serv1.mydomain.com) to the preferred publisher name solaris. Show the
results.
root@s11-serv1:~# pkg set-publisher –G \
http://pkg.oracle.com/solaris/release/ \
–g http://s11-serv1.mydomain.com/ solaris
solaris origin online http://s11-serv1.mydomain.com
18. Test IPS on the local server by searching for the entire package.
INDEX ACTION VALUE PACKAGE
Pkg.fmri set solaris/entire pkg:/entire@ 0.5.11-0.175.0.0.0.2.0
19. Display the status of the IPS repository.
root@s11-serv1:~# pkgrepo info -s /export/IPS/repo
PUBLISHER PACKAGES STATUS UPDATED
solaris 4292 online 2011-10-23T20:10:52.513193Z
20. Display the IPS repository description.
root@s11-serv1:~# pkgrepo get -s /export/IPS/repo \
repository/description
SECTION PROPERTY VALUE
repository description This\ repository\ serves\ a\ copy\ of\
the\ Oracle\ Solaris\ 11\ Build\ 175b\ Package\ Repository.

Chapter 3 - Page 7
Practice 3-2: Configuring a Network Client to Access the IPS Server

Overview
Now that you have a local package repository setup, you must configure the network clients to
access the new repository. By default, clients are configured to use the publisher
http://pkg.oracle.com/solaris/release/. In this task, you reconfigure the client to access the
http://s11-serv1.mydomain.com/ package publisher.
Task: Configure a Network Client to Access the IPS Server

Perform these steps on the Sol11-Desktop machine to configure a network client to access the
IPS server:
1. Double-click Sol11-Desktop icon to launch the Sol11-Desktop virtual machine.
2. Log in to virtual machine Sol11-Desktop as user oracle. Use the password oracle1.
3. Right-click the desktop background and open a terminal window.
4. In the terminal window, run the su command to assume primary administrator privileges.
oracle@s11-desktop:~$ su –
Password: oracle1
root@s11-desktop:~#
5. Verify that this client can access DNS services by resolving the IPS server hostname.
root@s11-desktop:~# nslookup s11-serv1
Server: 192.168.0.100
Address: 192.168.0.100#53
Address: 192.168.0.112
6. Verify that this client can ping the IPS server.
root@s11-desktop:~# ping s11-serv1
s11-serv1 is alive
7. List the current package publishers.
root@s11-desktop:~# pkg publisher
Solaris origin online http://pkg.oracle.com/solaris/release/
8. Remove the current publisher URI (http://pkg.oracle.com/solaris/release/) and add a new

URI (http://s11-serv1.mydomain.com) to the preferred publisher name solaris.
root@s11-desktop:~# # pkg set-publisher –G \
http://pkg.oracle.com/solaris/release/ \
–g http://s11-serv1.mydomain.com/ solaris
9. Verify that the preferred publisher is http://s11-serv1.mydomain.com/.
root@s11-desktop:~# pkg publisher
solaris origin online http://s11-serv1.mydomain.com/

Chapter 3 - Page 8
10. Test the client access to the IPS server by opening the http://s11-serv1.mydomain.com
URL in the Firefox browser.

11. Using the package repository browser, search for the entire package:
12. Close the Firefox browser.


Chapter 3 - Page 9
Practice 3-3: Updating the Oracle Solaris 11 Image

Overview
IPS allows you to update the OS image to a new version of Oracle Solaris 11. Each package in
the image is updated from the publisher that provided the current installed version. If the original
publisher is non-sticky, then a newer version of the package that is compatible with this image
could be installed from another publisher. If a publisher is non-sticky, then a package that was
installed from this publisher could be updated from another publisher. A newly-added publisher
is sticky by default. You can use the pkg set-publisher command to set a publisher as
sticky or non-sticky.

A new boot environment (BE) is created when a full image update is performed. When the
system creates a new BE for the update, you can edit the default BE name. When you are
satisfied with the BE name, restart your system immediately. You must restart to boot into the
new BE. The new BE will be your default boot choice. Your current BE will be available as an
alternate boot choice.
Demonstration
For this practice, we’ve provided you with two Oracle Solaris 11 image update demonstrations.
The first demonstration shows you how to update an image using the pkg update command.
The second demonstration shows you how to update an image using the Package Manager
GUI.
Demonstration: - Updating an Image Using the pkg update Command
Demonstration: - Updating an Image Using Package Manager
Check with your instructor for demonstration availability.

Chapter 3 - Page 10
Practice 3-4: Managing Software Packages

Overview
After you have made the IPS server available to the network clients, the client system
administrators have the option to manage software updates either by using CLI commands or
by using GUI-based utilities. In this task, you work with the CLI commands and GUI-based
utilities to perform common software update tasks such as adding, removing, and searching for
packages. You also learn how to perform a “dry run” on package installations, which enables
you to see the changes that will occur on the system when a package is installed, without
actually installing the package. To demonstrate the IPS capabilities, you manage the apptrace

software package.
To run this lab, you must be logged in to the Sol11-Desktop virtual machine as the oracle user
and have obtained primary administrator privileges. See Practice 3-2 if you need help.
Task: Manage Software Packages

To begin, you manage client packages using the pkg command.
Perform these steps to manage software packages:
1. In a terminal window on the Sol11-Desktop virtual machine, determine whether the
apptrace software packages are current installed.
root@s11-desktop:~# pkg list apptrace
pkg list: no packages matching ‘apptrace’ installed
2. Search the IPS package repository for the apptrace software package.
root@s11-desktop:~# pkg search apptrace
pkg.description set Apptrace utility for application tracing,
including shared objects pkg:/developer/apptrace@0.5.11-0.175.0.0.0.2.1
pkg.summary set Apptrace Utility
pkg:/developer/apptrace@0.5.11-0.175.0.0.0.2.1
basename file usr/bin/apptrace
pkg.fmri set solaris/developer/apptrace
3. Display detailed information about the apptrace package.
root@s11-desktop:~# pkg info -r apptrace
Name: developer/apptrace
Summary: Apptrace Utility
Description: Apptrace utility for application tracing,
including shared objects
Category: Development/System
State: Not installed
Publisher: solaris
Version: 0.5.11
Build Release: 5.11
Branch: 0.175.0.0.0.2.1

Chapter 3 - Page 11
Packaging Date: October 19 2011 05:30:54 AM

Size: 159.64 kB
FMRI: FMRI:
pkg://solaris/developer/apptrace@0.5.11,5.11-
0.175.0.0.0.2.1:2011019T053054Z
Note that an FMRI is the fault management resource identifier. The FMRI is the identifier
for this package. The FMRI includes the package publisher, package name, and version.
The pkg command uses FMRIs, or portions of FMRIs, to operate on packages.
4. Perform a “dry run” on the apptrace package installation.

root@s11-desktop:~# pkg install -nv apptrace
Creating Plan…
Packages to install: 1
Estimated space available: 25.82 GB
Estimated space to be consumed: 15.78 MB
Create boot environment: No
Create backup boot environment: No
Rebuild boot archive: No
Changed packages:
solaris
developer/apptrace
None -> 0.5.11,5.11-0.175.0.0.0.2.1:2011019T053054Z
The dry run shows that one package will be installed. The package installation will not
impact on the boot environment. No currently install packages will be changed.
5. Install the apptrace package.
root@s11-desktop:~# pkg install apptrace
Creating plan...
DOWNLOAD PKGS FILES XFER (MB)

Completed 1/1 10/10 0.1/0.1
PHASE ACTIONS
Install Phase 29/29
PHASE ITEMS
Package State Update Phase 1/1
Image State Update Phase 2/2
6. Verify the apptrace package installation.
root@s11-desktop:~# pkg verify -v apptrace
PACKAGE STATUS

Chapter 3 - Page 12
pkg://solaris/developer/apptrace OK
7. Remove the apptrace package from the system image.
root@s11-desktop:~# pkg uninstall apptrace
Creating Plan…

PHASE ACTIONS
Removal Phase 26/26
PHASE ITEMS
Package Cache Update Phase 1/1
8. Verify that the apptrace package has been removed.
root@s11-desktop:~# pkg list apptrace
pkg list: no packages matching ‘apptrace’ installed
Now you will manage the apptrace package by using the graphical Package Manager utility.
9. On the desktop background, double-click the Add More Software icon. Select the solaris
publisher.
10. In the File menu, click Manage Publishers.

Chapter 3 - Page 13
11. Verify that the package publisher that you configured in Practice 3-1 is enabled and sticky.
Also, verify that the Origin points to the IPS server. Click OK.

Note: When a publisher is sticky, the client source updates from the same publisher that
provided the package originally.
12. In the Package Manager search field, type apptrace and click Return.
The status icon indicates that the apptrace package is not currently installed on this system.

Chapter 3 - Page 14
13. Select the apptrace package. Note the contents of the general tab at the bottom of the
display. This information is derived from the apptrace manifest.

14. Click the Files tab to view the files called out in the apptrace manifest.

Chapter 3 - Page 15
15. Click the Dependencies tab.

16. Click the Versions tab.

Chapter 3 - Page 16
17. Click the Install/Update button. Then click Proceed in the Install Confirmation dialog box.

18. Verify that the apptrace package installed successfully. Close the Install/Update dialog box.

Chapter 3 - Page 17
19. Select the apptrace package and click the Remove button. Then click Proceed in the
Remove Confirmation dialog box.

20. Verify that the apptrace package was successfully removed. Close the Remove dialog box.
21. Close the Package Manager window.

Chapter 3 - Page 18
Now you will manage the apptrace package by using a web browser.
22. Launch the Firefox browser and open the http://s11-serv1.mydomain.com
URL in the Firefox browser. In the Search Package field, enter apptrace and click Search.

23. Click Install to install the apptrace package and then click OK to open the package with
Package Manager. Then click Proceed in the Install/Update dialog box.

Chapter 3 - Page 19

24. Verify that the apptrace package is installed, click Close.
25. After the apptrace package is installed, click Close.

26. Close the Firefox web browser.

Chapter 3 - Page 20
Practice 3-5: Publishing a New Package

Overview
Now that you have some experience managing software updates with IPS, let’s create a new
package and publish it to your IPS repository. The package you create and publish is called
new_package.
To run this lab you must be logged in to the Sol11-Desktop and So111-Server1 virtual machines
as the oracle user and have obtained primary administrator privileges.
Task: Publish a New Package

Perform these steps to publish a new package:
1. In a terminal window on the Sol11-Server1 virtual machine, enable IPS modification.
root@s11-serv1:~# svcadm disable application/pkg/server
pkg/readonly=false
A best practice is to make the IPS repository read-only when not actively adding
packages. This assumes this practice is being observed.
2. In a terminal window on the Sol11-Desktop virtual machine, create a new directory for the
new package named /var/tmp/new_package. Change directory to
/var/tmp/new_package.
root@s11-desktop:~# mkdir –p /var/tmp/new_package
root@s11-desktop:~# cd /var/tmp/new_package
3. Create a text file named ips_rocks in the /var/tmp/new_package directory.
root@s11-desktop:/var/tmp/new_package# vi ips_rocks
IPS makes software update easy!
4. Open a package publication transaction for your new package.
root@s11-desktop:/var/tmp/new_package# eval 'pkgsend -s \
http://s11-serv1.mydomain.com open new_package@1.0-1'
export
PKG_TRANS_ID=1300392779_pkg%3A%2F%2Fsolaris%2Fnew_package%401.0%2
C5.11-1%3A20110317T201259Z
In this example, the –s points to your IPS publisher. The “new_package” version is 1.0,
sub-version 1.
5. Copy/paste the output of the pkgsend open (in step 4) command and use it as your next
command.
root@s11-desktop:/var/tmp/new_package# export \
PKG_TRANS_ID=1300392779_pkg%3A%2F%2Fsolaris%2Fnew_package%401.0%2
C5.11-1%3A20110317T201259Z
The PKG_TRANS_ID environment variable is required to give context to any additional
pkgsend commands used to build the package.

Chapter 3 - Page 21
6. Add a destination directory for your text file when the package is installed.
root@s11-desktop:/var/tmp/new_package# pkgsend -s \
http://s11-serv1.mydomain.com add dir mode=0555 owner=root \
group=bin path=/export/new_package
7. Add your text file ips_rocks to your package.
http://s11-serv1.mydomain.com add file \
/var/tmp/new_package/ips_rocks mode=0555 owner=root group=bin \

path=/export/new_package/ips_rocks
8. Set a name attribute for your new package.
http://s11-serv1.mydomain.com add set name=description \
value="My first IPS package"
9. Close the package publication transaction for your new package.
http://s11-serv1.mydomain.com close
PUBLISHED
pkg://solaris/new_package@1.0,5.11-1:20110317T201259Z
10. In a terminal window on the Sol11-Serv1 virtual machine, disable IPS modification.
root@s11-serv1:~# svcadm disable application/pkg/server
pkg/readonly=true
11. Use the pkgrepo refresh command to update the repository catalog with your new
package.
root@s11-serv1:~# pkgrepo refresh -s /export/IPS/repo
root@s11-serv1:~#

Chapter 3 - Page 22
12. Open the web browser on the Sol11-Desktop virtual machine and search for your new
package.

13. Click the package link to view the package details.

Chapter 3 - Page 23

14. Using the web browser, display the contents of your package manifest.

Chapter 3 - Page 24

Note that there are four actions defined in the manifest.
15. In a terminal window on the Sol11-Desktop virtual machine, change directory to your home
directory and search the IPS repository for your new package.
root@s11-desktop:/var/tmp/new_package# cd ~
root@s11-desktop:~# pkg search new_package
basename dir export/new_package pkg:/new_package@1.0-1
pkg.fmri set solaris/new_package pkg:/new_package@1.0-1
16. Use the pkg CLI command to install your new package.
root@s11-desktop:~# pkg install new_package
DOWNLOAD PKGS FILES
XFER (MB)
Completed 1/1 1/1
0.0/0.0
PHASE ACTIONS
Install Phase 4/4
PHASE ITEMS
17. Verify that your new package has been installed on the desktop system.
root@s11-desktop:~# pkg list new_package
NAME (PUBLISHER) VERSION STATE UFOXI
new_package 1.0-1 installed -----

Chapter 3 - Page 25
18. Verify that the status of your new package is OK.

root@s11-desktop:~# pkg verify -v new_package
Verifying: PACKAGE STATUS
pkg://solaris/new_package OK
19. Display the contents of you new package.
root@s11-desktop:~# pkg contents new_package
PATH
export/new_package

export/new_package/ips_rocks
20. Verify that your new package performs correctly after installation.
root@s11-desktop:~# cat /export/new_package/ips_rocks
IPS makes software updates easy.

Chapter 3 - Page 26
Practice 3-6: Managing the Boot Environments
Overview
With multiple boot environments (BEs), the process of updating software becomes a low-risk
operation because you can create backup boot environments before making any software
updates to your system. If needed, you have the option of booting to a backup boot
environment.
During this practice, you will create a new full boot environment based on the current BE. The
current BE does not have the diffstat package installed. You make the new BE the active
boot environment and you update it with the diffstat package. You reboot to the original boot

environment to prove that the two BEs are now logically separated.
You also mount and update an inactive BE. You also create a clone and a snapshot of the
current BE.
To run this lab, you must be logged in to the Sol11-Server1 virtual machine as the oracle user
and have obtained root privileges. See Practice 3-2 if you need help.
Task: Manage the Boot Environments

Perform these steps to manage boot environment:
1. In a terminal window on the Sol11-Server1 virtual machine, list the current BEs.
root@s11-serv1:~# beadm list
BE Active Mountpoint Space Policy Created
-- ------ ---------- ----- ------ -------
solaris NR / 2.28G static 2011-08-05 14:13
The Active field indicates whether the boot environment is active now (N) and active on
reboot (R).
2. Clone the current active BE. Name the clone solaris-1.
root@s11-serv1:~# beadm create solaris-1
3. List the current BEs.
-- ------ ---------- ----- ------ -------
solaris-1 - - 161.0K static 2011-08-08 22:14
4. Activate the solaris-1 BE. Display the list of BEs. Note that solaris-1 is pending
activation on reboot.
root@s11-serv1:~# beadm activate solaris-1
-- ------ ---------- ----- ------ -------
solaris N / 460.0M static 2011-08-05 14:13
solaris-1 R - 2.28G static 2011-08-08 14:13

Chapter 3 - Page 27
5. Reboot the Sol11-Server1 virtual machine.

root@s11-serv1:~# init 6
Notice that solaris is now the default boot entry in the GRUB menu.

6. After Sol11-Server1 has rebooted, log in as the oracle user and su to root.
7. In a terminal window, list the current BEs.
-- ------ ---------- ----- ------ -------
solaris - - 3.96M static 2011-05-01 22:14
solaris-1 NR / 2.34G static 2011-08-08 14:13
Note that the solaris-1 image is now active.
8. Verify that the diffstat package is not currently installed on the new active BE.
root@s11-serv1:~# pkg list diffstat
pkg list: no packages matching “diffstat’ installed
9. Install the diffstat package on the new active BE.
root@s11-serv1:~# pkg install diffstat
Creating plan...
Completed 1/1 6/6 0.0/0.0

Chapter 3 - Page 28
PHASE ACTIONS
Install Phase 24/24
PHASE ITEMS
10. Activate the solaris BE. Display the list of BEs. Note that solaris is pending
activation on reboot.
root@s11-serv1:~# beadm activate solaris

-- ------ ---------- ----- ------ -------
solaris R - 2.29G static 2011-08-05 14:13
solaris-1 N / 74.98M static 2011-08-08 14:13
11. Reboot the Sol11-Server1 virtual machine. After Sol11-Server1 has rebooted, log in as the
oracle user and su to root.
12. Verify that the solaris image is now active and that the diffstat package is not
installed.
-- ------ ---------- ----- ------ -------
solaris-1 - - 78.95M static 2011-08-08 14:13
root@s11-serv1:~# pkg list diffstat
13. Mount the inactive BE.
root@s11-serv1:~# beadm mount solaris-1 /solaris-1
-- ------ ---------- ----- ------ -------
solaris-1 - /solaris-1 78.95M static 2011-08-08 14:13
14. Verify that the diffstat package is installed in the inactive package:
root@s11-serv1:~# pkg -R /solaris-1 verify -v diffstat
Verifying: PACKAGE STATUS
pkg://solaris/text/diffstat OK
15. Remove the diffstat package from the mounted inactive BE.
root@s11-serv1:~# pkg -R /solaris-1 uninstall diffstat
Creating Plan…

Chapter 3 - Page 29
PHASE ACTIONS
Removal Phase 19/19
PHASE ITEMS
Package Cache Update Phase 1/1
root@s11-serv1:~# pkg -R /solaris-1 list diffstat

16. Unmount the inactive BE.
root@s11-serv1:~# beadm unmount solaris-1
17. Create a snapshot of the solaris BE. Name the snapshot backup.
root@s11-serv1:~# beadm create solaris@backup
18. Display the list of snapshots associated with the solaris BE.
root@s11-serv1:~# beadm list -a solaris
BE/Dataset/Snapshot Active Mountpoint Space Policy Created
------------------- ------ ---------- ----- ------ -------
solaris
rpool/ROOT/solaris NR / 1.90G static 2011-08-05
22:14
rpool/ROOT/solaris/var NR /var 228.97M static 2011-08-05
22:14
rpool/ROOT/solaris/var@2011... - - 1.08M static 2011-08-08
14:13
rpool/ROOT/solaris/var@backup - - 0 static 2011-08-08
14:19
rpool/ROOT/solaris/var@install - - 144.55M static 2011-08-05
22:33
rpool/ROOT/solaris@2011... - - 1.08M static 2011-08-08
14:13
rpool/ROOT/solaris@backup - - 0 static 2011-08-08
14:19
rpool/ROOT/solaris@install - - 53.19M static 2011-08-05
22:33
19. Create a new boot environment from the solaris@backup snapshot. Name this BE
solaris-2.
root@s11-serv1:~# beadm create -e solaris@backup solaris-2
-- ------ ---------- ----- ------ -------
solaris NR / 2.35M static 2011-08-05 22:14
solaris-1 - - 79.18M static 2011-08-08 14:13
solaris-2 - - 135.0K static 2011-08-08 14:59

Chapter 3 - Page 30
20. Delete the solaris-2 BE and show the results.

root@s11-serv1:~# beadm destroy solaris-2
Are you sure you want to destroy solaris-2? This action cannot
be undone(y/[n]): y
-- ------ ---------- ----- ------ -------
solaris-1 - - 79.18M static 2011-08-08 14:13

21. Rename the original solaris-1 BE to solaris-alt.
root@s11-serv1:~# beadm rename solaris-1 solaris-alt
22. List the boot environments.
-- ------ ---------- ----- ------ -------
Solaris NR / 2.35G static 2011-08-08 14:59
solaris-alt - - 79.18M static 2011-08-05 22:14

Chapter 3 - Page 31
Practice 3-7: Testing Your Skills and Knowledge

Overview
In this practice, you get to apply the skills and knowledge you gained from the lecture and
guided practices. You are challenged with completing the following task(s) without the benefit of
a step-by-step guide.
Hint: Use all the available resources, such as man pages, student guide, activity guide, and
your instructor, to successfully complete each task.

Note: This practice is optional. Check with your instructor to determine if you have enough time
available to complete this practice. If you begin this practice and run out of time, set this practice
aside and return to it if time permits.
Task 1: Manage Software Packages

Perform this task on the Sol11-Server1 VM.
• Determine the current status of the IPS repository.
• Display detailed information about the snort software package.
• Determine if the snort package is currently installed in the system.
• Perform a "dry run" installation of the snort package.
• Install the snort package.
• Verify that the snort package was installed correctly.
• Remove the snort package.
Task 2: Manage the Boot Environment (BE)

• List the current bootable environments (BEs).
• Clone the active BE to a BE named solaris11.
• Activate BE solaris11 and reboot the system.
• Create a snapshot of the active BE (solaris11).
• Create a new boot environment named solaris11-1 from the BE snapshot.
• Activate the original BE (solaris) and reboot the system.
• Destroy the solaris11 and solars11-1 BEs.

Chapter 3 - Page 32

Installing the Oracle Solaris
11 Operating System
Chapter 4
Practices for Lesson 4: Installing the Oracle Solaris 11 Operating System

Chapter 4 - Page 1

Practices Overview
The practices for the lesson titled “Installing the Oracle Solaris 11 Operating System” introduce
you to the operating system installation methods and provide guided, hands-on experience with
both interactive and hands-free operating system installation. During the practices, you apply
Oracle Solaris 11 installation best practices.
The key areas explored in these practices are:
• Installing the Oracle Solaris 11 OS by using the Text installer

• Installing the Oracle Solaris 11 OS by using the LiveCD installer
• Installing the Oracle Solaris 11 OS by using the Automated Installer
Assumptions
As in the lesson titled “Managing Software Packages in Oracle Solaris 11,” your practice
environment is based on the Oracle VM VirtualBox virtualization software.
Remember: The virtual machines (VMs) are configured on a private internal network
(192.168.0). Each VM can communicate with other VMs on the same private network but cannot
communicate with the local host machine or other machines on the same network as the local
host machine.
The virtual machines (VM) you use in the practices are as follows:
• Sol11-SuperServer: This VM provides network services such as DNS used by the VMs
in the practice.
• Sol11-Server1: This is the server that provides IPS and AI services.

Chapter 4 - Page 2
• Sol11-Client1: This is the Automatic Installer network client machine.

• Text-Install: This is the system in which you will use the Text installer to install the OS.
• LiveCD-Install: This is the system in which you will use the LiveCD to install to the OS.
Note: The responses to the commands shown in practice are examples only. The values you
see during your practice experience might vary slightly.
Note: When launching a virtual machine for the first time, you might see the First Run Wizard

appear. Click the Cancel button to continue.

Chapter 4 - Page 3
Practice 4-1: Installing the Oracle Solaris 11 OS by Using the Text

Installer
Overview
When you install the Oracle Solaris 11 OS by using the Text installer, you must first download
the Oracle Solaris 11 Text installer image from the following site:
The Text installation download is in an ISO image format that can be burned to a CD/DVD or

used directly within Oracle VM Server or other virtualization software.
Note: For training purposes, the Text installer ISO has already been downloaded for you.
The ISO image file can be found in the /opt/ora/course_files directory of the
VirtualBox host machine.
Task: Install the Oracle Solaris 11 OS by Using the Text Installer

Perform these steps to install the Oracle Solaris 11 OS by using the Text installer:
1. Log in to the host machine and launch the Oracle VM VirtualBox Manager.
2. In the Oracle VM VirtualBox Manager window, click the Text-Install virtual machine icon (1).
3. Verify that the appropriate ISO image is mounted on the DVD (2). If the Text-Install ISO is
not mounted in the Text-Install virtual machine DVD drive, you can find the ISO file in the
/opt/ora/images directory on the host system.

Chapter 4 - Page 4
4. Click the Start button (3). This will boot the Text-Install virtual machine from the Text
installer on the DVD to begin the OS installation.
5. During the OS installation process, use the configuration data that follows to complete the
Text installation.
Note: The Text installer program may direct you to use the F2 or ESC + 2 keys to move to
the next step in the installation process. If ESC + 2 does not work, try using the F2 key.
• Keyboard layout: Use your local keyboard layout.

• Language: Use your local language.
• Installation menu: Install Oracle Solaris
• Disks: default
• Fdisk Partitions: Use the whole disk.
• Computer name: solaris-text
• Ethernet network configuration: Manually
- IP Address: 192.168.0.88
- Configure DNS: Yes
- DNS Server IP address: 192.168.0.100
- Search domain: mydomain.com
- Alternate Name Service: None
• Time zone: Use your local region.
• Date and time: Set to current date and time.
• Root password: oracle1
• User account:
- Your real name: oracle
- Username: oracle1
- Password: oracle1
6. After the Text installation has completed, use the F8 key to reboot the Oracle Solaris 11 OS
as directed.
7. After the system has successfully booted, log in to the system and verify that the
configuration setup in step 5 is operational.
8. Shut down (power-off) the Text-Install virtual machine.

Chapter 4 - Page 5
Practice 4-2: Installing the Oracle Solaris 11 OS by Using the LiveCD

Installer
Overview
When you install the Oracle Solaris 11 OS by using the LiveCD installer, you must first
download the Oracle Solaris 11 LiveCD install image from the following site:
The LiveCD installation download is in an ISO image format that can be burned to a CD/DVD or

Note: For training purposes, the LiveCD installer ISO has already been downloaded for
you. The ISO image file can be found in the /opt/ora/images directory of the VirtualBox
host machine.
Task: Install the Oracle Solaris 11 OS by Using the LiveCD Installer

Perform these steps to install the Oracle Solaris 11 OS by using the LiveCD installer:
1. Log in to the host machine and launch the Oracle VM VirtualBox Manager.
2. Select the LiveCD-Install virtual machine icon (1).

3. Verify that the appropriate ISO image is mounted on the DVD (2). If the LiveCD-Install ISO
is not mounted in the LiveCD-Install virtual machine DVD drive, you can find the ISO file in
the /opt/ora/images directory on the host system.

Chapter 4 - Page 6
4. Click the Start button (3). This will boot the LiveCD-Install virtual machine from the LiveCD
installer on the DVD to begin the OS installation.
Note: Choose the default boot option in the GRUB menu.
5. During the LiveCD desktop initialization, you are asked to select the keyboard layout and
language. Set these based on your local environment. Note that when navigating through
the installation, F2 usually works and is the hint that is displayed by default in the UI.
ESC + 2 is the fallback.
6. When the LiveCD desktop is initialized, double-click the Install Oracle Solaris icon to begin
the OS installation.

7. During the OS installation process, use the following configuration data to complete the
LiveCD installation:
• Disk: default
• Disk Partition: Use the whole disk.
• Time Zone, Date and Time: Click the city closest to your install location.
• Locale:
- Language: Set to your preference.
- Territory: Set to your preference.
• User account:
- Your real name: Oracle
- Log-in name: oracle1
- User password: oracle1
• Computer name: solaris-live
8. After the LiveCD installation has completed, reboot the Oracle Solaris OS as directed.

Chapter 4 - Page 7
9. After the system has successfully booted, shutdown (power-off) the LiveCD-Install virtual
machine.

Chapter 4 - Page 8
Practice 4-3: Installing the Oracle Solaris 11 OS by Using the

Automated Installer
Overview
Deploying the Oracle Solaris 11 operating system with the Automated Installer (AI) involves
three tasks:
• Verifying that the system meets AI requirements
• Configuring the AI server
• Deploying the OS to network clients

Before you install the Oracle Solaris 11 OS by using AI, you must first download the Oracle
Solaris 11 AI install image from the following site:
The AI installation download is in an ISO image format that can be burned to a CD or a DVD or
Note: For training purposes, the AI ISO has already been downloaded for you. The ISO
image file can be found in the /opt/ora/course_files directory of the Sol11-Server1
virtual machine.
Task 1: Verifying the System AI Requirements

Perform these steps to verify the system requirements for the AI OS installation:
1. Verify that the Sol11-SuperServer and Sol11-Server1 virtual machines are running.
This can be determined by viewing the Oracle VM VirtualBox Manager window (refer to
Figure 1) and checking the run status for each virtual machine. If the virtual machines are
not running, start them at this time.
2. Log in to virtual machine Sol11_Server1 as user oracle. Use the password oracle1.
3. In the terminal window, run the su command to assume primary administrator privileges.
root@s11-serv1:~$ su –
Password: oracle1
root@s11-serv1:~#
4. Determine the build number of the installed operating system.
root@s11-serv1:~# cat /etc/release
Oracle Solaris 11 11/11 X86
Copyright(c) 1983, 2011, Oracle and/or its affiliates. All
rights reserved.
Assembled 18 October 2011

Chapter 4 - Page 9
5. Verify that the operating system is configured with a static IP address.

root@s11-serv1:~# svcs network/physical:default
STATE STIME FMRI
online 15:02:57 svc:/network/physical:default
root@s11-serv1:~# ipadm show-addr
ADDROBJ TYPE STATE ADDR
…
net0/v4 static ok 192.168.0.112/24
…

6. Verify that DNS is operational.
root@s11-serv1:~# nslookup s11-serv1.mydomain.com
Server: 192.168.0.100
Address: 192.168.0.100#53
Address: 192.168.0.112
Task 2: Configuring the AI Server

After you have verified that the server meets the AI requirements, you are now ready to
configure the AI server. In this task, you configure the AI server to automatically install an
Oracle Solaris 11 desktop client using the AI default settings.
Note: Because you are not using the default IPS service, you will need to adjust the default AI
service accordingly.
Perform these steps to configure the AI server:

1. On the Sol11-Server1 virtual machine, enable the svc:/network/dns/multicast
server in the AI server.
root@s11-serv1:~# svcadm enable \
svc:/network/dns/multicast:default
root@s11-serv1:~# svcs | grep dns
online 15:03:05 svc:/network/dns/client:default
online 15:19:27 svc:/network/dns/multicast:default
2. Create a directory for your AI server.
root@s11-serv1:~# mkdir –p /export/ai/basic_ai
3. Verify that the netmasks file is configured appropriately for the DHCP service.
root@s11-serv1:~# getent netmasks 192.168.0.0
Note that DHCP requires that the network mask for the local subnet be configured in the
/etc/netmasks file. If an entry does not exist, update the netmasks file now.
# vi /etc/netmasks
…
192.168.0.0 255.255.255.0

Chapter 4 - Page 10
4. Use the installadm create-service command to create an AI service based on the

following information:
• Service name: basic_ai
• DHCP base IP address: 192.168.0.130
• DHCP IP address range: 5
• AI ISO image location: /opt/ora/course_files/sol-11-dev-175b-ai-x86.iso
• Target directory: /export/ai/basic_ai
root@s11-serv1:~# installadm create-service -n basic_ai \

-s /opt/ora/course_files/sol-11-dev-175b-ai-x86.iso \
-i 192.168.0.130 -c 5 -d /export/ai/basic_ai
Creating service from: /opt/ora/course_files/sol-11-dev-175b-ai-
x86.iso
Setting up the image ...
Creating service: basic_ai
Image path: /export/ai/basic_ai
Adding IP range to local DHCP configuration
Refreshing install services
Creating default-i386 alias.
Setting the default PXE bootfile in the local DHCP configuration
to 'default-i386/boot/grub/pxegrub'
Note: You can remove an AI service and associated clients by using the command
installadm delete-service -r svcname.
5. Use the installadm list command to verify that your AI service is installed.
root@s11-serv1:~# installadm list
Service Name Alias Of Status Arch Image Path
------------ -------- ------ ---- ----------
basic_ai - on x86 /export/ai/basic_ai
default-i386 basic_ai on x86 /export/ai/basic_ai
6. Use the installadm create-client command to add the client MAC addresses for
the Sol11-Client1 and Sol11-Client2 virtual machines to the basic_ai service.
root@s11-serv1:~# installadm create-client -e \
08:00:27:85:C7:D6 -n basic_ai
Adding host entry for 08:00:27:85:C7:D6 to local DHCP
configuration.
08:00:27:85:C7:D7 -n basic_ai
configuration.

Chapter 4 - Page 11
7. Use the installadm list –c command to verify that the client was added to AI server
basic_ai.
root@s11-serv1:~# installadm list -c
Service Name Client Address Arch Image Path
------------ -------------- ---- ----------
basic_ai 08:00:27:85:C7:D6 i386 /export/ai/basic_ai
08:00:27:85:C7:D7 i386 /export/ai/basic_ai
8. Create a directory to store your manifest files.

root@s11-serv1:~# mkdir –p /var/tmp/manifests
Note: Do not place manifest copies under the service directory that was created by the
installadm utility. The service directory structure is private to installadm and must
not be used for storage by users.
9. Copy the default manifest file to the /var/tmp/manifests/basic_ai.xml file.
root@s11-serv1:~# cp \
/export/ai/basic_ai/auto_install/manifest/default.xml \
/var/tmp/manifests/basic_ai.xml
10. Modify the /var/tmp/manifests/basic_ai.xml file XML tag elements by using the
following:
• AI instance name (ai_instance name): basic_ai
• Auto-reboot (auto_reboot): true
• IPS origin URI: http://s11-serv1.mydomain.com
• IPS package: entire@latest
• IPS package: solaris-small-server
11. Use the diff command to view the differences between the basic_ai.xml file and the
default.xml file.
root@s11-serv1:~# diff /var/tmp/manifests/basic_ai.xml \
/export/ai/basic_ai/auto_install/manifest/default.xml
10c10
< <ai_instance name="basic_ai" auto_reboot="true" >
---
> <ai_instance name="default">
48c48
< <origin name="http://s11-serv1.mydomain.com"/>
---
> <origin name="http://pkg.oracle.com/solaris/release"/>
61c61
< <name>pkg:/group/system/solaris-small-server</name>
---
> <name>pkg:/group/system/solaris-large-server</name>
12 Create a MAC address–based criteria manifest named criteria_basic_ai.xml in the
/var/tmp/manifests directory. Use the MAC addresses of the network clients S1ol11-
Client1 and Sol11-Client2.

Chapter 4 - Page 12
root@s11-serv1:~# vi /var/tmp/manifests/criteria_basic_ai.xml
<ai_criteria_manifest>
<ai_criteria name="mac">
<range>
08:00:27:85:C7:D6
08:00:27:85:C7:D7
</range>
</ai_criteria>
</ai_criteria_manifest>

Note: If the AI client does not match the criteria for a service (in this case, a specific
MAC address), the AI service will use the default manifest when installing the OS.
13. Add the manifest_demo manifest and criteria manifest to the basic_ai service.
root@s11-serv1:~# installadm create-manifest –n basic_ai \
-f /var/tmp/manifests/basic_ai.xml \
-C /var/tmp/manifests/criteria_basic_ai.xml
When a custom AI manifest (basic_ai.xml in this example) is defined for this install
service and the client matches the criteria that have been specified (in the
criteria_basic_ai.xml file) for the custom AI manifest, the client will use that
manifest. In a case where the client characteristics match multiple AI manifests, the
client characteristics are evaluated in the order:
mac,ipv4,platform,arch,cpu,mem.
If the client does not match the criteria for any custom AI manifest, the client uses the
default AI manifest.
14. Use the installadm list –m command to verify that your manifests have been added
to the basic_ai service.
root@s11-serv1:~# installadm list -m
Service Name Manifest Status
------------ -------- ------
basic_ai basic_ai
orig_default Default
Default-i386 orig_default Default
root@s11-serv1:~# installadm list -m -n basic_ai
Manifest Status Criteria
-------- ------ --------
basic_ai mac = 08:00:27:85:C7:D6 - 08:00:27:85:C7:D7
orig_default Default none

Chapter 4 - Page 13
Task 3: Deploying the OS to a Network Client

After you have completed AI server configuration, it is time to test your work by deploying the
Oracle Solaris 11 operating system to a network client.
Perform these steps to deploy the OS to a network client:
1. On the host system, launch the Oracle VM VirtualBox Manager.

2. Verify that the Sol11-Server1 virtual machine is running (1).
3. Select the Sol11-Client1 virtual machine icon (2).
4. Click the Start button (3). This will boot the Sol11-Client1 virtual machine. If the AI server is
configured correctly, you should see the OS installation begin.
Note: If the Sol11-Client1 virtual machine fails to boot with a “No bootable medium found”
error, change the virtual machine adapter. To change the adapter type, open the Oracle VM
VirtualBox Manager, select the Sol11-Client1 virtual machine, and click Settings. In the
Settings dialogue box, select Network and click Advanced under Adapter 1. Select another
from the Adapter Type menu. Restart the Sol11-Client1 virtual machine.

Chapter 4 - Page 14
5. When the Sol11-Client1 system starts the GNU GRUB menu, select the Oracle Solaris
11 11/11 Text Installer and command line boot option.

Note: When you choose the “default” boot option, the interactive system configuration
menus you used during the “Text Install” practice will be available to you during this OS
installation. Also, the IPS server is not used.
Note: The OS installation will take a while to complete.
6. During the OS installation process, use the configuration data that follows to complete the
Text installation.
Note: The Text installer program directs you to use the F2 or ESC + 2 keys to move to the
next step in the installation process. If ESC + 2 does not work, try using the F2 key.
• Installation menu: Install Oracle Solaris
• Disks: default
• Fdisk Partitions: Use the whole disk.
• Computer name: s11-client1
• Ethernet network configuration: Automatic
• User account:
- Your real name: Oracle
- Username: oracle
- Password: oracle1
7. After the installation has completed, reboot (F8) the Sol11-Client1 virtual machine.
8. After Sol11-Client1 completes the initial boot, log in as the oracle user and su to root.

Chapter 4 - Page 15
9. Verify that the Sol11-Client1 virtual machine network configuration is setup correctly.
root@s11-client1:~# ipadm show-addr
…
net0/_b static ok 192.168.0.xxx/24
…
root@s11-client1:~# ping 192.168.0.112
192.168.0.112 is alive

10. Shut down (power-off) the Sol11-Client1 virtual machine.
11. Open the VirtualBox Manager window.

11 11/11 Automated Install boot option.

Chapter 4 - Page 16

Note: When you choose this boot option, the interactive system configuration is not
available to you during this OS installation. IPS is used during the OS installation.
Note: The OS installation will take a while to complete.
16. Note that the message traffic indicates that the IPS server is providing the installation
packages.

Chapter 4 - Page 17
17. Note the disk activity icon in the IPS server (Sol11-Server1) virtual machine window.
Green indicates a read operation is being performed.

18. The SCI tool will be invoked during the OS startup. Enter the following system
configuration information:

• Computer name: s11-client2
• Ethernet network configuration: Automatic
• User account:
- Your real name: oracle
- Username: oracle1
- Password: oracle1
19. After Sol11-Client2 completes the initial boot, log in as the oracle user and su to root.
20. Verify that the Sol11-Client2 virtual machine network configuration is setup correctly.
…
net0/_b static ok 192.168.0.xxx/24
…
root@s11-client2:~# ping 192.168.0.112
192.168.0.112 is alive
21. Shut down (power-off) the Sol11-Client2 virtual machine.

Chapter 4 - Page 18
Practice 4-4: Configuring Oracle Solaris 11 Instances

Overview
After the Oracle Solaris 11 operating system is installed, the instance must be configured with
attributes such as: hostname, IP address, naming services, and user credentials. The
sysconfig utility is the interface for configuring, reconfiguring, and unconfiguring the Solaris
instance. A Solaris instance is defined as a boot environment in either a global or a non-global
zone.

There are three operations that are performed using the sysconfig utility:
• Unconfiguration
• Configuration
• System configuration (SC) profile creation
During this practice, you work the sysconfig utility to unconfigure and configure Solaris 11
images. And create SC profiles.
Task 1: Unconfigure an Oracle Solaris 11 Image

Perform these steps to unconfigure a configured Solaris 11 image:
1. Open the Oracle VM VirtualBox Manager and start the Sol11-Client1 VM.
2. Log in to virtual machine Sol11_Server1 as user oracle and su to root.
3. Determine the current host name and IP address.
root@s11-client1:~# hostname
s11-client1
...
net0/_b dhcp ok 192.168.0.130/24
...
Note that the default network interface is net0.
4. Use the sysconfig utility to return the Solaris 11 to an unconfigured (pristine) state.
root@s11-client1:~# sysconfig unconfigure
This program will unconfigure your system.
The system will be reverted to a "pristine" state.
It will not have a name or know about other systems or networks.
Do you want to continue (y/[n])? y
Enter user name for system maintenance (control-d to bypass): root
Enter root password (control-d to bypass): solaris
root@unknown:~#

Chapter 4 - Page 19

root@unknown:~# hostname
unknown
root@unknown:~# ipadm show-addr
lo0/v4 static ok 127.0.0.1/8
lo0/v6 static ok ::1/128
6. Determine if the default user account oracle still exists.

root@unknow:~# logins | grep oracle
root@unknow:~#
At this point, you have a pristine system. The next time the system is booted, the
System Configuration Tool will be run. System Configuration Tool helps you establish a
new system configuration.
7. Reboot the system.
root@unknow:~# init 6
8. When the System Configuration Tool is available, use the following properties to configure
the system:
• Hostname: s11-client1
• Network type: Manually
• Network interface: net0
• Static IP address: 192.168.0.140
• Default route: none
• DNS: Configure DNS
• Name server address: 192.168.0.100
• DNS domain name: mydomain.com
• DNS search: mydomain.com
• Alternate Name Service: None
• Time zone: your local time zone
• Your real name: Oracle
• User login: oracle
• User password: oracle1

Chapter 4 - Page 20
...
Chapter 4 - Page 21
.

Exiting System Configuration Tool. Log is available at:

/var/tmp/install/sysconfig.log
Hostname: s11-client1
s11-client1 console login:
9. Log in to virtual machine Sol11_Client1 as user oracle and su to root.
root@s11-client1:~# hostname
s11-client1

lo0/v4 static ok 127.0.0.1/8
net0/v4 dhcp ok 192.168.0.140/24
net0/_a addrconf ok fe80::a00:27ff:fe85:c7d6/10
Task 2: Configure a Solaris 11 Image Using a System Configuration Profile
The sysconfig utility can be used to generate a system configuration (SC) profile using the
create-profile subcommand. The resulting XML profile can later be used with the
sysconfig configure command to configure systems non-interactively. Valid
SC profile names must include an .xml extension.
Perform these steps to configure a Solaris 11 image using an SC profile:
1. On the Sol11-Client1 virtual machine, create an SC profile using the following system
configuration attributes:
• Hostname: ilovesolaris11
• Network interface: net0
• Default route: none
• Name server address: 192.168.0.100
• Alternate name service: None
• Your real name: Oracle2
• User login: oracle2
root@s11-serv1:~# sysconfig create-profile \
-o /var/tmp/ilovesolaris11_profile.xml

Chapter 4 - Page 22
...
...
Chapter 4 - Page 23
2. Explore the newly created SC profile.

root@s11-client1:~# cd /var/tmp
root@s11-client1:var/tmp# more ilovesolaris11_profile.xml
<!DOCTYPE service_bundle SYSTEM
"/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="profile" name="sysconfig">
<service version="1" type="service" name="system/config-user">
<instance enabled="true" name="default">
<property_group type="application" name="root_account">

<propval type="astring" name="login" value="root"/>
<propval type="astring" name="password"
value="$5$EfU8S/co$6Z2XUtFxzwLBDWOcwQV1xI2IfGMOLbwObxU2rfsqD33"/>
<propval type="astring" name="type" value="role"/>
</property_group>
<property_group type="application" name="user_account">
<propval type="astring" name="login" value="oracle2"/>
value="$5$fJBtjKgl$doJrLWnN2tBx0IEaRJ6y0anM5GpF60O8A5HlaVBW1G."/>
<propval type="astring" name="type" value="normal"/>
<propval type="astring" name="description" value="Oracle2"/>
<propval type="count" name="gid" value="10"/>
<propval type="astring" name="shell" value="/usr/bin/bash"/>
<propval type="astring" name="roles" value="root"/>
<propval type="astring" name="profiles" value="System
Administrator"/>
<propval type="astring" name="sudoers" value="ALL=(ALL) ALL"/>
</property_group>
</instance>
</service>
<service version="1" type="service" name="system/timezone">
<property_group type="application" name="timezone">
<propval type="astring" name="localtime" value="US/Mountain"/>
</property_group>
</instance>
</service>
<service version="1" type="service" name="system/environment">
<instance enabled="true" name="init">
<property_group type="application" name="environment">
<propval type="astring" name="LC_ALL" value="C"/>
</property_group>
</instance>
</service>
<service version="1" type="service" name="system/identity">
<instance enabled="true" name="node">
<property_group type="application" name="config">

Chapter 4 - Page 24
<propval type="astring" name="nodename"

value="ilovesolaris11"/>
</property_group>
</instance>
</service>
<service version="1" type="service" name="system/keymap">
<property_group type="system" name="keymap">
<propval type="astring" name="layout" value="US-English"/>
</property_group>

</instance>
</service>
<service version="1" type="service" name="system/console-login">
<property_group type="application" name="ttymon">
<propval type="astring" name="terminal_type" value="sun-
color"/>
</property_group>
</instance>
</service>
<service version="1" type="service" name="network/physical">
<property_group type="application" name="netcfg">
<propval type="astring" name="active_ncp"
value="DefaultFixed"/>
</property_group>
</instance>
</service>
<service version="1" type="service" name="network/install">
<property_group type="application"
name="install_ipv4_interface">
<propval type="astring" name="address_type" value="static"/>
<propval type="net_address_v4" name="static_address"
value="192.168.0.141/24"/>
<propval type="astring" name="name" value="net0/v4"/>
</property_group>
<property_group type="application"
name="install_ipv6_interface">
<propval type="astring" name="stateful" value="yes"/>
<propval type="astring" name="stateless" value="yes"/>
<propval type="astring" name="address_type" value="addrconf"/>
</property_group>
</instance>
</service>

Chapter 4 - Page 25
<service version="1" type="service" name="system/name-

service/switch">
<propval type="astring" name="default" value="files"/>
<propval type="astring" name="host" value="files dns"/>
<propval type="astring" name="printer" value="user files"/>
</property_group>
<instance enabled="true" name="default"/>
</service>

service/cache">
</service>
<service version="1" type="service" name="network/dns/client">
<property type="net_address" name="nameserver">
<net_address_list>
<value_node value="192.168.0.100"/>
</net_address_list>
</property>
<propval type="astring" name="domain" value="mydomain.com"/>
<property type="astring" name="search">
<astring_list>
<value_node value="mydomain.com"/>
</astring_list>
</property>
</property_group>
</service>
</service_bundle>
root@s11-client1:/var/tmp#
3. Use the ilovesolaris11.xml profile to reconfigure the system.
root@s11-client1:~# sysconfig configure \
-c /var/tmp/ilovesolaris11_profile.xml
This program will re-configure your system.
Do you want to continue (y/[n])? y
...
ilovesolaris11 console login:
4. Log in to the system as user oracle2 and su to root.

Chapter 4 - Page 26
Task 3: Set the Host Name, Time Zone, and Naming Service
The primary repository for all naming services configuration is the SMF repository. You can use
the SMF utilities such as: svccfg , svcprop, and svcadm to set and modify any configuration
parameter for the host name and a naming service.
Perform these steps to reconfigure the host name, time zone, and naming service:
1. On the Sol11-Client1 virtual machine, change the host name to client5.
root@ilovesolaris11:~# svccfg -s svc:/system/identity:node \
setprop config/nodename=client5

root@ilovesolaris11:~# svcadm refresh svc:/system/identity:node
root@ilovesolaris11:~# svcadm restart identity:node
Hostname:client5
root@ilovesolaris11:~# exit
oracle@ilovesolaris11:~$ exit
logout
client5 console login: oracle2
Password: oracle2
oracle@client5:~$ su -
Password: oracle2
root@client5:~#
2. On the Sol11-Client1 virtual machine, change the time zone to US/Central.
root@client5:~# svccfg -s timezone:default \
setprop timezone/localtime=US/Central
root@client5:~# svcadm refresh timezone:default
root@client5:~# date
Wed Oct 26 07:39:32 CDT 2011
3. On the Sol11-Client1 virtual machine, configure the DNS naming service using these
properties.
• Nameserver address: 192.168.0.100
root@client5:~# svccfg
svc:> select dns/client
svc:/network/dns/client> setprop config/search=mydomain.com
svc:/network/dns/client> setprop config/nameserver=192.168.0.100
svc:/network/dns/client> select dns/client:default
svc:/network/dns/client:default> refresh
svc:/network/dns/client:default> validate
svc:/network/dns/client:default> select name-service/switch
svc:/system/name-service/switch> setprop config/host="files dns"
svc:/system/name-service/switch> select system/name-
service/switch:default
svc:/system/name-service/switch:default> refresh
svc:/system/name-service/switch:default> validate

Chapter 4 - Page 27
svc:/system/name-service/switch:default> exit
root@client5:~# svcadm enable dns/client
root@client5:~# svcadm refresh name-service/switch
root@client5:~# grep host /etc/nsswitch.conf
hosts: files dns
root@client5:~# tail -4 /etc/resolv.conf
# DO NOT EDIT THIS FILE. EDITS WILL BE LOST.
search mydomain.com
nameserver 192.168.0.100

root@client5:~# nslookup s11-serv1
Server: 192.168.0.100
Address: 192.168.0.100#53
Address: 192.168.0.112
root@client5:~#
4. Shut down and power-off the Sol11-Client1 virtual machine.

Chapter 4 - Page 28
Practice 4-5: Customizing the Automated Installation

Overview
Automatic Installation allows you to customize your Solaris 11 installations by adding system
configuration (SC) profiles. SC profiles are used to customize the system attributes such as
hostname, IP address, naming services, and use credentials of the AI clients.
Task 1: Customizing an AI Service

Now that you have AI working, you are ready to customize the AI service. In this task, you
configure the AI server to automatically install an Oracle Solaris 11 desktop client using the AI

custom system configuration profile.
Perform these steps to customize the AI service:

1. Disable the basic_ai AI service and show the results.
root@s11-serv1:~# installadm disable basic_ai
Stopping the service basic_ai
------------ -------- ------ ---- ----------
basic_ai - off x86 /export/ai/basic_ai
default-i386 basic_ai on x86 /export/ai/basic_ai
2. Remove the basic_ai AI service and show the results.
root@s11-serv1:~# installadm delete-service -r basic_ai
WARNING: The service you are deleting, or a dependent alias, is
the alias for the default i386 service.Without the default-i386
service, clients will fail to boot unless explicitly assigned to
a service using the create-client command.
Are you sure you want to delete alias, default-i386? [y/N]: y

Removing this service's bootfile from local DHCP configuration
Stopping the service default-i386
The installadm SMF service is being taken offline.
The installadm SMF service is no longer online because the last
install service has been disabled or deleted.
Removing host entry '08:00:27:85:C7:D7' from local DHCP
configuration.
Removing host entry '08:00:27:85:C7:D6' from local DHCP
configuration.
Stopping the service basic_ai
There are no services configured on this server.
3. Create a directory for the custom AI service.
root@s11-serv1:~# mkdir –p /export/ai/custom_ai

Chapter 4 - Page 29
4. Use the installadm create-service command to create another AI service based on

the following information:
• Service name: custom_ai
• DHCP base IP address: 192.168.0.135
• DHCP IP address range: 5
• AI ISO image location: /opt/ora/course_files/sol-11-dev-175b-ai-x86.iso
• Target directory: /export/ai/custom_ai
root@s11-serv1:~# installadm create-service -n custom_ai \

-s /opt/ora/course_files/sol-11-dev-175b-ai-x86.iso \
-i 192.168.0.135 -c 5 -d /export/ai/custom_ai
Creating service from: /opt/ora/course_files/sol-11-dev-175b-ai-
x86.iso
Setting up the image ...
Creating service: custom_ai
Image path: /export/ai/custom_ai
Adding IP range to local DHCP configuration
Creating default-i386 alias.
Setting the default PXE bootfile in the local DHCP configuration
to 'default-i386/boot/grub/pxegrub'
5. Use the installadm list command to verify that your AI service is installed.
------------ -------- ------ ---- ----------
custom_ai - on x86 /export/ai/custom_ai
default-i386 custom_ai on x86 /export/ai/custom_ai
6. Use the installadm create-client command to add the client MAC address
08:00:27:85:C7:D8 to the custom_ai service.
08:00:27:85:C7:D8 -n custom_ai
configuration.
7. Use the installadm list –c command to verify that the client was added to AI server
custom_ai.
root@s11-serv1:~# installadm list -c
------------ -------------- ---- ----------
custom_ai 08:00:27:85:C7:D8 i386 /export/ai/custom_ai

Chapter 4 - Page 30
8. Copy the /var/tmp/manifests/basic_ai.xml file to the

/var/tmp/manifests/custom_ai.xml file.
root@s11-serv1:~# cp /var/tmp/manifests/basic_ai.xml \
/var/tmp/manifests/custom_ai.xml
9. Modify the /var/tmp/manifests/custom_ai.xml file XML tag element by using the
following:
• Auto_install manifest:
• AI instance name (ai_instance name): custom_ai
• Auto-reboot (auto_boot): true

• IPS package: entire
10. Use the diff command to view the differences between the custom_ai.xml file and the
basic_ai.xml file.
root@s11-serv1:~# diff /var/tmp/manifests/custom_ai.xml \
/var/tmp/manifests/basic_ai.xml
27c27
< <ai_instance name="custom_ai" auto_reboot="true">
---
> <ai_instance name="basic_ai" auto_reboot="true">
11. Create a MAC address-based criteria manifest named criteria_custom_ai.xml in the
/var/tmp/manifests directory. Use the MAC addresses of the network client Sol11-
Client3.
root@s11-serv1:~# vi /var/tmp/manifests/criteria_custom_ai.xml
<ai_criteria_manifest>
<ai_criteria name="mac">
<value>
08:00:27:85:C7:D8
</value>
</ai_criteria>
</ai_criteria_manifest>
Note: If the AI client does not match the criteria for a service (in this case, a specific
MAC address), the AI service will use the default manifest when installing the OS.
12. Add the custom_ai manifest and criteria manifest to the custom_ai service and show
the results.
root@s11-serv1:~# installadm create-manifest –n custom_ai \
-f /var/tmp/manifests/custom_ai.xml \
–C /var/tmp/manifests/criteria_custom_ai.xml
root@s11-serv1:~# installadm list -c -m
------------ -------------- ---- ----------

Chapter 4 - Page 31
custom_ai 08:00:27:85:C7:D8 i386 /export/ai/custom_ai

Service Name Manifest Status
------------ -------- ------
custom_ai custom_ai
orig_default Default
default-i386 orig_default Default
13. Use the sysconfig utility to create a profile for Sol11-Client3 using the following
properties:

• IPv4 interface name: net0
• Default route: None
• DNS Server IP address: 192.168.0.100
• Time zone: choose your local time zone
• Your real name: oracle1
• Username: oracle1
-o /var/tmp/manifests/client3_profile.xml
Note: The sysconfig create-profile utility launches a system configuration tool similar to
the System Configuration Tool you used during the Text installation in Practice 4-1.

Chapter 4 - Page 32
The System Configuration Summary should look similar to the following:

14. View the contents of the Sol11-Client3 profile.
root@s11-serv1:~# more /var/tmp/manifests/client3_profile.xml
<!DOCTYPE service_bundle SYSTEM
"/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="profile" name="sysconfig">
<service version="1" type="service" name="system/config-user">
<property_group type="application" name="root_account">
<propval type="astring" name="login" value="root"/>
value="$5$bypT4oRp$Dsy3J0FhJNBXqlxDtCJjlqk3k3ZHAg8cb98bPLs3kI9"/>
<propval type="astring" name="type" value="role"/>
</property_group>
<property_group type="application" name="user_account">
<propval type="astring" name="login" value="oracle1"/>
value="$5$LuaMBnZg$m2YIULH2KoMJeTIm2ahxm08rsKEmMQxYtK8KHMKwFr6"/>
<propval type="astring" name="type" value="normal"/>
<propval type="astring" name="description" value="Oracle"/>
<propval type="count" name="gid" value="10"/>
<propval type="astring" name="shell" value="/usr/bin/bash"/>
<propval type="astring" name="roles" value="root"/>

Chapter 4 - Page 33
<propval type="astring" name="profiles" value="System

Administrator"/>
<propval type="astring" name="sudoers" value="ALL=(ALL) ALL"/>
</property_group>
</instance>
</service>
<service version="1" type="service" name="system/timezone">
<property_group type="application" name="timezone">
<propval type="astring" name="localtime" value="US/Mountain"/>

</property_group>
</instance>
</service>
<service version="1" type="service" name="system/identity">
<instance enabled="true" name="node">
<propval type="astring" name="nodename" value="s11-client3"/>
</property_group>
</instance>
</service>
<service version="1" type="service" name="system/keymap">
<property_group type="system" name="keymap">
<propval type="astring" name="layout" value="US-English"/>
</property_group>
</instance>
</service>
<service version="1" type="service" name="system/console-login">
<property_group type="application" name="ttymon">
<propval type="astring" name="terminal_type" value="sun-color"/>
</property_group>
</service>
<service version="1" type="service" name="network/physical">
<property_group type="application" name="netcfg">
<propval type="astring" name="active_ncp"
value="DefaultFixed"/>
</property_group>
</instance>
</service>
<service version="1" type="service" name="network/install">
<property_group type="application" name="install_ipv4_interface">
<propval type="astring" name="address_type" value="static"/>
<propval type="net_address_v4" name="static_address"
value="192.168.0.142/24"/>

Chapter 4 - Page 34

</property_group>
<property_group type="application" name="install_ipv6_interface">
<propval type="astring" name="stateful" value="yes"/>
<propval type="astring" name="stateless" value="yes"/>
<propval type="astring" name="address_type" value="addrconf"/>
</property_group>
</instance>

</service>
service/switch">
<propval type="astring" name="default" value="files"/>
<propval type="astring" name="host" value="files dns"/>
<propval type="astring" name="printer" value="user files"/>
</property_group>
</service>
<service version="1" type="service" name="system/name-service/cache">
</service>
<service version="1" type="service" name="network/dns/client">
<property type="net_address" name="nameserver">
<net_address_list>
<value_node value="192.168.0.100"/>
</net_address_list>
</property>
<propval type="astring" name="domain" value="mydomain.com"/>
<property type="astring" name="search">
<astring_list>
<value_node value="mydomain.com"/>
</astring_list>
</property>
</property_group>
</service>
</service_bundle>
15. Add the system configuration profile manifest custom_ai service and show the results.
root@s11-serv1:~# installadm create-profile –n custom_ai \
-f /var/tmp/manifests/client3_profile.xml –p client3_profile \
-C /var/tmp/manifests/criteria_custom_ai.xml
Profile client3_profile.xml added to database.
root@s11-serv1:~# installadm list -p -n custom_ai

Chapter 4 - Page 35
Profile Criteria
------- --------
client3_profile mac = 08:00:27:85:C7:D8
16. Validate the system configuration profile.
root@s11-serv1:~# installadm validate -n custom_ai \
-p client3_profile
Validating static profile client3_profile...
Passed

Task 2: Deploying the OS to a Network Client
Oracle Solaris 11 operating system to a network client.
Perform these steps to deploy the OS to a network client:
1. On the host system, launch the Oracle VM VirtualBox Manager.

Note: Perform the next step as soon as possible.

Chapter 4 - Page 36
11 11/11 Automated Install boot option.

Note: When you choose this boot option, the interactive system configuration is not
available to you during this OS installation. IPS is used during the OS installation.
6. Note that the message traffic indicates that the IPS server is providing the installation
package. When the AI installation completes, you should see messages similar to these.

Chapter 4 - Page 37
7. After the OS installation is complete, reboot from the hard disk and log in as oracle1.
Check the system configuration to verify that the OS if configured according to the profile.
8. Shut down and power-off the Sol11-Client3 virtual machine.

Chapter 4 - Page 38
Practice 4-6: Test Your Skills and Knowledge

Overview
guided practices. You are challenged with completing the following task(s) without the benefit of
a step-by-step guide.

Task 1 : Remove an AI Service

• Determine the name of the current AI service.
• Remove the current AI service from the system.
Task 2: Manage the Boot Environment

Perform this task on the Sol11-Server1 VM. Add new AI service to the system using these AI
service configuration properties:
• AI service name: my_ai
• Source AI ISO image: /opt/ora/course_files/sol-11-dev-ai-175b.x86.iso
• DHCP base address: 192.168.0.160
• DHCP address count: 10
• Target directory: /export/ai/my_ai
Task 3: Add a Client to the AI Service

Perform this task on the Sol11-Server1 VM. Add a client to the my_ai AI service using these
properties:
• Client virtual machine: Sol11-Client4
• Client MAC address: 08:00:27:85:C7:D9
Task 4: Create a Manifest for the New AI Service

Perform this task on the Sol11-Server1 VM. Create a manifest for the my_ai service using the
manifest configuration properties:
• AI instance name (ai_instance name): my_ai
• Auto-reboot (auto_reboot): true
• IPS package: entire
• Criteria: MAC address 08:00:27:85:C7:D9

Chapter 4 - Page 39
Task 5: Create a System Configuration Profile for the AI Client

Perform this task on the Sol11-Server1 VM. Create a system configuration profile for AI client
Sol11-Client4 using the manifest configuration properties:
• IPv4 interface name: net0
• Default route: None

• DNS Server IP address: 192.168.0.100
• Time zone: choose your local time zone
• Your real name: oracle1
Task 6: Install the Oracle Solaris 11 OS on the AI Client

Oracle Solaris 11 operating system to the network client. Open the Oracle VM VirtualBox
Manager and start the Sol11-Client4 VM. Monitor the installation of the Oracle Solaris 11 OS on
the network client.

Chapter 4 - Page 40

Administering Oracle Solaris
11 Zones
Chapter 5
Practices for Lesson 5: Administering Oracle Solaris 11 Zones

Chapter 5 - Page 1

Practices Overview
The practices for the lesson titled “Administering Oracle Solaris 11 Zones” introduce you to the
virtual-to-virtual (V2V) and physical-to-virtual (P2V) methods for migrating Oracle Solaris 10
zones to solaris10 zones. These practices provide guided, hands-on experience with
migrating zones. During the practices, you apply Solaris 10 zone migration best practices
applicable to the Oracle Solaris 11 operating system.
The key areas explored in this practice are:

• Migrating Oracle Solaris 10 zones to Oracle Solaris 11 (V2V)
• Migrating Oracle Solaris 10 global zones to Oracle Solaris 11 (P2V)
• Monitoring zone resource utilization
Assumptions
As in the lessons titled “Managing Software Packages in Oracle Solaris 11” and “Installing the
Oracle Solaris 11 Operating System,” your practice environment is based on the Oracle VM
VirtualBox virtualization software.
(192.168.0). Each VM can communicate with other VMs on the same private network but not
with the local host machine or other machines on the same network as the local host machine.
The VMs you use in this practice are as follows:
• Sol11- SuperServer: This VM provides network services such as DNS and NFS used
by the VMs in the practice.

Chapter 5 - Page 2
• Sol10-Server1: This is the system you use as the source of the zone migration
practices.
• Sol11-Server1: This is the system you use as the target of the zone migration
practices.
Note: You will also need an IPS server running on the same subnet as the AI clients for this
practice. Be sure to have started the Sol11-Server1 VM before you begin the lab.
Note: The responses to the commands shown in these practices are examples only. The values
you see during your practice experience might vary slightly.

Chapter 5 - Page 3
Practice 5-1: Migrating an Oracle Solaris 10 Zone to Oracle Solaris 11

Overview
Oracle Solaris BrandZ technology provides the framework to create zones that are used to run
applications that cannot be run in an Oracle Solaris 11 environment. In the lab, you experience
working with the Oracle Solaris 10 zones. Oracle Solaris 10 Zone workloads running within
these Oracle Solaris 10 zones can take advantage of the enhancements made to the Oracle
Solaris kernel and utilize some of the innovative technologies available only on the Oracle
Solaris 11 release.
In this practice, you explore the virtual-to-virtual (V2V) process for migrating an Oracle Solaris

10 native zone to an Oracle Solaris 11 environment. To do this, you perform four key tasks:
• Assess the source Solaris 10 Zone
• Prepare the source system for migration
• Prepare the target system for migration
• Migrate from the Solaris 10 zone
Task 1: Assess the Source Solaris 10 Zone

Perform these steps to assess the source Solaris 10 zone:
1. Verify that the Sol11-SuperServer, Sol11-Server1, and Sol10-Server1 virtual machines are
running. This can be determined by viewing the Oracle VM VirtualBox Manager window
(refer to Figure 1) and checking the run status for each virtual machine. If the virtual
machines are not running, start them at this time.
2. Log in to virtual machine Sol10-Server1 as user root. Use the password cangetin.
3. In the terminal window, run the zoneadm list command to determine the state of the
zones currently configured on the system.
# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / native shared
- zone1 installed /export/zones/1 native shared
Note that zone1 is in the installed state.
4. Boot zone zone1.
# zoneadm –z zone1 boot
5. Log in to zone zone1.
# zlogin zone1
[Connected to zone 'zone1' pts/6]
Last login: Mon Mar 28 13:31:10 on console
Oracle Corporation SunOS 5.10 Generic Patch January
2005
#
6. Determine the zone’s hostname.
# hostname
zone1

Chapter 5 - Page 4
7. Determine the zone’s host ID.

# hostid
34dcc40c
8. Determine the zone’s domain.
# domainname
mydomain.com
9. Determine the zone’s network interface and IP configuration.
# ifconfig -a
lo0:1:

flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu
8232 index 1
inet 127.0.0.1 netmask ff000000
net0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu
1500 index 2
inet 192.168.0.116 netmask ffffff00 broadcast 192.168.0.255
10. Determine the zone’s disk usage.
# df -k
Filesystem kbytes used avail capacity Mounted on
/ 12221960 7965682 4134059 66% /
/dev 12221960 7965682 4134059 66% /dev
/lib 12221960 7965682 4134059 66% /lib
/platform 12221960 7965682 4134059 66% /platform
/sbin 12221960 7965682 4134059 66% /sbin
/usr 12221960 7965682 4134059 66% /usr
proc 0 0 0 0% /proc
ctfs 0 0 0 0% /system/contract
mnttab 0 0 0 0% /etc/mnttab
objfs 0 0 0 0% /system/object
swap 484308 328 483980 1%
/etc/svc/volatile
fd 0 0 0 0% /dev/fd
swap 484016 36 483980 1% /tmp
swap 484004 24 483980 1% /var/run
11. Exit from zone1 to the global zone.
# ~.
[Connection to zone ‘zone1’ pts/4 closed]
12. In the global zone, determine how zone1 is configured.
# zonecfg -z zone1 info
zonename: zone1
zonepath: /export/zones/1
brand: native
autoboot: false
bootargs:
pool:
limitpriv:

Chapter 5 - Page 5
scheduling-class:
ip-type: shared
hostid:
inherit-pkg-dir:
dir: /lib
inherit-pkg-dir:
dir: /platform
inherit-pkg-dir:
dir: /sbin

inherit-pkg-dir:
dir: /usr
net:
address: 192.168.0.116
physical: net0
defrouter not specified
Task 2: Prepare the Source Solaris 10 Zone for Migration

Perform these steps to prepare the source Solaris 10 zone for migration:
1. Halt zone1.
# zoneadm –z zone1 halt
2. Place zone1 in the ready state.
# zoneadm -z zone1 ready
# zoneadm list -cv
1 zone1 ready /export/zones/1 native shared
When in the ready state, the zone is established. The kernel creates a "zsched"
process, the network interface is ready, file systems are mounted, and devices are
configured. The zone has unique ID. However, processes are not started. The zone
must be in the ready state for the migration to succeed.
3. Run the showmount –e command to determine whether the source system is configured
as an NFS server.
# showmount –e
export list for s10-serv1:
/export/share (everyone)
4. Create a gzip compressed cpio archive named 1.cpio.gz for zone1, which will still be
named zone1 on the target system.
# cd /export/zones/1
# find . -print | cpio -oP@ | gzip > /export/share/1.cpio.gz
7139590 blocks
Note: This will take awhile to complete. Perform the next task while the archive is being
built.

Chapter 5 - Page 6
Task 3: Prepare the Target System for Migration

Perform these steps to prepare the target system for migration:
1. Log in to virtual machine Sol11-Server1 as user oracle and su to root.
2. Mount the NFS share directory from the source system to the /export/share directory.
root@s11-serv1:~# showmount -e s10-serv1
root@s11- serv1:~# mkdir /export/share

root@s11- serv1:~# mount -F nfs s10-serv1:/export/share \
/export/share
3. List the contents of the /export/share directory.
root@s11-serv1:~# ls /export/share
1.cpio.gz
4. Check to see whether your IPS server is currently running. If not, start it now. Make sure
the IPS server is completely started before performing the next step.
5. Create an Oracle Solaris 10 Zone suitable for the migration.
root@s11-serv1:~# zonecfg -z zone1
zone1: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:zone1> create -t SYSsolaris10
zonecfg:zone1> set zonepath=/zones/zone1
zonecfg:zone1> set autoboot=true
zonecfg:zone1> select anet linkname=net0
zonecfg:zone1:anet> set allowed-address=192.168.0.116/24
zonecfg:zone1:anet> set configure-allowed-address=true
zonecfg:zone1:anet> end
zonecfg:zone1> set hostid=34dcc40c
zonecfg:zone1> verify
zonecfg:zone1> commit
zonecfg:zone1> exit
6. Verify that the zone1 configuration meets the Oracle Solaris 10 Zone migration
requirements.
root@s11-serv1:~# zonecfg -z zone1 info
zonename: zone1
zonepath: /zones/zone1
brand: solaris10
autoboot: true
bootargs:
file-mac-profile:
pool:
limitpriv:
scheduling-class:

Chapter 5 - Page 7
ip-type: exclusive
hostid: 34dcc40c
fs-allowed:
anet:
linkname: net0
lower-link: auto
allowed-address: 192.168.0.116/24
configure-allowed-address: true

allowed-dhcp-cids not specified
link-protection: "mac-nospoof, ip-nospoof"
mac-address: random
mac-prefix not specified
mac-slot not specified
vlan-id not specified
priority not specified
rxrings not specified
txrings not specified
mtu not specified
maxbw not specified
rxfanout not specified
Task 4: Migrate from the Solaris 10 Zone

Perform these steps to migrate the Solaris 10 zone:
1. After the zone1 archiving has completed (in Task 2), use the zoneadm attach
subcommand to attach the gzip image to zone1.
1.cpio.gz
root@s11-serv1:~# zoneadm -z zone1 attach -a \
/export/share/1.cpio.gz
Progress being logged to
/var/log/zones/zoneadm.20111026T145954Z.zone1.attach
Log File: /var/log/zones/zoneadm.20111026T145954Z.zone1.attach
Attaching...
Installing: This may take several minutes...
Attach complete.
Log saved in non-global zone as
/zones/zone1/root/var/log/zones/zoneadm.20111026T145954Z.zone1.at
tach
root@s11-serv1:~#
Note: This will take several minutes to complete.

Chapter 5 - Page 8
2. List the zones currently configured on the system.

root@s11-serv1:~# zoneadm list -cv
0 global running / solaris shared
- zone1 installed /zones/zone1 solaris10 excl
3 Boot the newly migrated zone.
root@s11-serv1:~# zoneadm –z zone1 boot
...
4. List the zones to verify that zone1 has successfully booted.

1 zone1 running /zones/zone1 solaris10 excl

Chapter 5 - Page 9
Practice 5-2: Migrating an Oracle Solaris 10 Global Zone to Oracle

Solaris 11 (P2V)
Overview
In this practice, you explore the physical-to-virtual (P2V) process for migrating an Oracle Solaris
10 global zone to an Oracle Solaris 11 environment. To do this, you perform four key tasks:
• Assess the source Solaris 10 global zone
• Prepare the source global zone for migration
• Prepare the target global zone for migration

• Migrate from the Solaris 10 global zone
Task 1: Assess the Source Solaris 10 Global Zone

Perform these steps to assess the source Solaris 10 global zone:
1. Verify that the Sol11-SuperServer, Sol10-Server1, and Sol11-Serv1 virtual machines are
2. Log in to virtual machine Sol10-Server1 as user root. Use the password cangetin.
3. In the terminal window, verify that the release of the Oracle Solaris 10 OS meets migration
requirements.
# cat /etc/release
Oracle Solaris 10 9/10 s10x_u9wos_14a X86
Copyright (c) 2010, Oracle and/or its affiliates. All rights
reserved.
Assembled 11 August 2010
4. Determine the global zone’s hostname.
# hostname
s10-serv1
5. Determine the global zone’s host ID.
# hostid
34dcc40c
6. Determine the global zone’s domain.
# domainname
mydomain.com
7. Determine the zone’s network interface and IP configuration.
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL>
mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
net0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500
index 2
inet 192.168.0.115 netmask ffffff00 broadcast 192.168.0.255
ether 8:0:27:5e:d9:55

Chapter 5 - Page 10
8. Determine the zone’s disk usage.

# df -k
Filesystem kbytes used avail capacity Mounted on
/dev/dsk/c0t0d0s0 12221960 4049892 8049849 34% /
/devices 0 0 0 0% /devices
ctfs 0 0 0 0% /system/contract
proc 0 0 0 0% /proc
mnttab 0 0 0 0% /etc/mnttab
swap 726248 996 725252 1% /etc/svc/volatile
objfs 0 0 0 0% /system/object

sharefs 0 0 0 0% /etc/dfs/sharetab
fd 0 0 0 0% /dev/fd
swap 725336 84 725252 1% /tmp
swap 725288 36 725252 1% /var/run
/dev/dsk/c0t0d0s7 3741322 3729 3700180 1% /export/home
ora 1953261564 224403328 172885823612% /opt/ora
Task 2: Prepare the Source Global Zone for Migration

Perform these steps to prepare the source global zone for migration:
1. In the terminal window, run the zoneadm list command to determine the state of the
zones currently configured on the system.
# zoneadm list -cv
1 zone1 ready /export/zones/1 native shared
2. Halt the non-global zones.
# zoneadm –z zone1 boot
# zoneadm –z zone1 halt
3. Determine the NFS share directory.
# showmount -e
4. Create a flar image of the global zone in the NFS share directory.
# flarcreate -S -n s10-serv1 -x /export/zones \
-x /export/share -L cpio /export/share/s10-serv1.flar
Full Flash
Checking integrity...
Integrity OK.
Running precreation scripts...
Precreation scripts done.
Creating the archive...
10520784 blocks
Archive creation complete.
Running postcreation scripts...

Chapter 5 - Page 11
Postcreation scripts done.

Running pre-exit scripts...
Pre-exit scripts done.
Note: This will take awhile to complete. Perform the next task while the archive is being
built.
Task 3: Prepare the Target System for Migration

Perform these steps to prepare the target system for migration:
1. Verify that the s10-serv1 NFS share directory is mounted on the s11-serv1 machine.

root@s11- serv1:~# mount|grep /export/share
/export/share on s10-serv1:/export/share
remote/read/write/setuid/devices/rstchown/xattr/dev=8d80001 on
Sat Aug 13 04:58:40 2011
2. List the contents of the /export/share directory.
1.cpio.gz s10-serv1.flar
3. Create a Solaris 10 zone suitable for the global zone migration.
zonecfg:zone2> create -t SYSsolaris10
zonecfg:zone2> select anet linkname=net0
zonecfg:zone2:anet> set allowed-address=192.168.0.117/24
zonecfg:zone2:anet> set configure-allowed-address=true
zonecfg:zone2:anet> end
zonecfg:zone2> set hostid=34dcc40c
zonecfg:zone2> exit
4. Verify that the zone2 configuration meets the Solaris 10 global zone migration
requirements.
root@s11-serv1:~# zonecfg -z zone2 info
zonename: zone2
brand: solaris10
autoboot: true
bootargs:
file-mac-profile:
pool:
limitpriv:
scheduling-class:
ip-type: exclusive

Chapter 5 - Page 12
hostid: 34dcc40c
fs-allowed:
anet:
linkname: net0
lower-link: auto
allowed-address: 192.168.0.117/24
configure-allowed-address: true

link-protection: "mac-nospoof, ip-nospoof"
mac-address: random
mtu not specified
maxbw not specified

Chapter 5 - Page 13
Task 4: Migrate from the Solaris 10 Global Zone

Now that the target system is prepared, it is time to migrate from the Solaris 10 global zone.
Perform these tasks to migrate the Solaris 10 global zone:
1. After the global zone flar image has completed building (in Task 2), use the zoneadm
install subcommand to install the flar image in zone2.
root@s11- serv1:~# zoneadm -z zone2 install -a \
/export/share/s10-serv1.flar -u
A ZFS file system has been created for this zone.

/var/log/zones/zoneadm.20111026T154122Z.zone2.install
Installing: This may take several minutes...
Postprocessing: This may take a while...
Postprocess: The following zones in this image will be
unusable: zone1
Postprocess: These zonepaths could be removed from this image:
Postprocess: /export/zones/1
Postprocess: Updating the image to run within a zone
Postprocess: Migrating data
from: rpool/zones/zone2/rpool/ROOT/zbe-0
to: rpool/zones/zone2/rpool/export
Postprocess: A backup copy of /export is stored at
/export.backup.20111026T155332Z.
It can be deleted after verifying it was migrated correctly.
Result: Installation completed successfully.

/zones/zone2/root/var/log/zones/zoneadm.20111026T154122Z.zone2.in
stall
Note: This will take awhile to complete.
2. List the zones currently configured on the system.

3. Boot the newly migrated zone.

root@s11-serv1:~# zoneadm –z zone2 boot
zone 'zone2': WARNING: net0:2: no matching subnet found in
netmasks(4): 192.168.0.117; using default of 255.255.255.0.

Chapter 5 - Page 14
4. List the zones to verify that zone2 has successfully booted.

root@s11- serv1:~# zoneadm list -cv
5. Power-off the Sol10-Server1 virtual machine.

Chapter 5 - Page 15
Practice 5-3: Monitoring Zone Resource Utilization

Overview
Oracle Solaris 11 provides a powerful new zone monitoring utility: zonestat. The zonestat
utility allows you to gather reports on CPU, memory, and resource control utilization of the
currently running zones. Each zone’s utilization is reported as a percentage of both system
resources and the zone’s configured limits.
The zonestat utility prints a series of reports at the specified interval. It optionally also prints
one or more summary reports at a specified interval.

Task: Monitor Zone Resource Utilization
Perform the following steps to monitor zone resource utilization:
1. Use the zonestat utility to display a summary of memory utilization every five seconds.
root@s11-serv1:~# zonestat -z global -r physical-memory 5
Collecting data for first interval...
Interval: 1, Duration: 0:00:05
PHYSICAL-MEMORY SYSTEM MEMORY
mem_default 767M
ZONE USED PCT CAP %CAP
[total] 631M 82.2% - -
[system] 215M 28.1% - -
global 14.9M 1.94% - -
zone1 123M 15.8% - -
zone2 137M 18.3% - -
…
Use Control + C to escape the zonestat command.
2. Use the zonestat utility to report on the default processor set (pset) once a second for
one minute.
root@s11-serv1:~# zonestat -r default-pset 1 1m
Interval: 8, Duration: 0:00:08
PROCESSOR_SET TYPE ONLINE/CPUS MIN/MAX
pset_default default-pset 1/1 1/1
ZONE USED PCT CAP %CAP SHRS %SHR %SHRU
[total] 0.11 11.0% - - - - -
[system] 0.03 3.11% - - - - -
global 0.06 6.01% - - - - -
zone1 0.01 1.11% - - - - -
zone2 0.00 0.82% - - - - -
…

Chapter 5 - Page 16
3. Use the zonestat utility to monitor silently at 10-second intervals for one minute and then
produce a report on the total and high utilizations.
root@s11-serv1:~# zonestat -q -R total,high 10s 1m
Report: Total Usage
Start: Sat Oct 1 11:24:35 MDT 2011
End: Sat Oct 1 11:25:35 MDT 2011
Intervals: 6, Duration: 0:01:00
SUMMARY Cpus/Online: 1/1 Physical: 767M Virtual: 2000M
---------CPU---------- ----PHYSICAL----- -----VIRTUAL-----

ZONE USED %PART %CAP %SHRU USED PCT %CAP USED PCT %CAP
[total] 0.05 5.14% - - 635M 82.8% - 882M 44.0% -
[system]0.02 2.28% - - 213M 27.8% - 324M 16.2% -
global 0.02 2.31% - - 15.1M 1.97% - 355M 17.7% -
zone1 0.00 0.47% - - 122M 15.9% - 184M 9.20% -
zone2 0.00 0.06% - - 0 0.00% - 17.6M 0.88% -
Report: High Usage

Start: Sat Apr 2 11:24:35 MDT 2011
End: Sat Apr 2 11:25:35 MDT 2011
Intervals: 6, Duration: 0:01:00
SUMMARY Cpus/Online: 1/1 Physical: 767M Virtual: 2000M
---------CPU---------- ----PHYSICAL----- -----VIRTUAL-----
ZONE USED %PART %CAP %SHRU USED PCT %CAP USED PCT %CAP
[total] 0.06 6.53% - - 636M 82.8% - 882M 44.1% -
[system]0.02 2.42% - - 213M 27.8% - 325M 16.2% -
global 0.03 3.64% - - 15.1M 1.97% - 355M 17.7% -
zone1 0.00 0.67% - - 122M 15.9% - 184M 9.20% -
zone2 0.00 0.09% - - 0 0.00% - 17.6M 0.88% -

Chapter 5 - Page 17

Chapter 5 - Page 18

Oracle Solaris 11 Express
Network Enhancements
Chapter 6
Practices for Lesson 6: Oracle Solaris 11 Express Network Enhancements

Chapter 6 - Page 1

Practices Overview
The practices for the lesson titled “Oracle Solaris 11 Network Enhancements” introduce you to
the important new networking features found in Oracle Solaris 11. These practices provide
guided, hands-on experience in working with these new features. During the practices, you
apply network administration best practices applicable to the Oracle Solaris 11 operating
system.

• Managing NWAM
• Exploring the capabilities of the ipadm utility
• Creating IPMP configurations
• Configuring network virtualization
• Configuring a network bridge
• Configuring link aggregation
• Monitoring the network
Assumptions
As in previous lessons, your practice environment is based on the Oracle VM VirtualBox
virtualization software.

(192.168.0). Each VM can communicate with other VMs on the same private network (see
Figure 2) but cannot communicate with the local host machine or other machines on the same
network as the local host machine.

Chapter 6 - Page 2

Figure 2: Practice Network Topology
The virtual machines (VMs) you use in these practices are as follows:
• Sol11-SuperServer: This VM provides network services such as DNS and NFS used by
the VMs in the practice.
• Sol11-Server1: This is the system that you use to perform the network configuration
practices.
• Sol11-Desktop: This is the system that you use to perform the NWAM practice. You
also use this system to verify the results of the network configuration practices
performed on the Sol11-Server1 system.

Chapter 6 - Page 3
Practice 6-1: Managing NWAM

Overview
Network Auto-Magic (NWAM) is a technology that simplifies and automates network
configuration on Solaris 11. The key NWAM components are the Network Profiles, which allow
you to specify various network configurations to be created depending on the current network
conditions. The Network Profiles component is often commonly referred to as NWAM.
In this practice, you perform these tasks:
• Assess the current NWAM configuration.

• Create and deploy an NWAM profile.
Task 1: Assessing the Current NWAM Configuration

Note: For NWAM to configure the host’s network interface “auto-magically”, DHCP service must
be available. During the practice for Lesson 4, you configured DHCP by using the installadm
utility.
Perform these steps to configure an NWAM profile:
1. Verify that the Sol11-SuperServer and Sol11-Desktop virtual machines are running. This
can be determined by viewing the Oracle VM VirtualBox Manager window (refer to Figure
1) and checking the run status for each virtual machine. If the virtual machines are not
running, start them at this time.
2. Log in to virtual machine Sol11-Desktop system as user oracle.
3. Click the Network Preferences icon to determine which NCPs and network interfaces
(NCUs) are currently enabled by NWAM.
4. Open a terminal window, su to root.

Chapter 6 - Page 4
5. Display the current network configuration for this system.

root@s11-desktop:~# ipadm show-addr
lo0/v4 static ok 127.0.0.1/8
net0/_a static ok 192.168.0.111/24
6. List all available NWAM profiles and their current states.
root@s11-desktop:~# netadm list

TYPE PROFILE STATE
ncp Automatic disabled
ncp start_state online
ncu:phys net0 online
ncu:ip net0 online
loc aces online
loc Automatic offline
loc NoNet offline
loc User disabled
7. List the NWAM Automatic profile.
root@s11-desktop:~# netadm list Automatic
TYPE PROFILE STATE
ncp Automatic disabled
8. List the NWAM start_state profile.
root@s11-desktop:~# netadm list start_state
TYPE PROFILE STATE
ncp start_state online
ncu:ip net0 online
9. List the NWAM location profiles.
root@s11-desktop:~# netadm list -p loc
TYPE PROFILE STATE
loc aces online
loc NoNet offline
loc User disabled
10. Lists all the phys and ip network configuration units (NCUs) in the active network
configuration profiles (NCPs).
root@s11-desktop:~# netadm list -c phys
TYPE PROFILE STATE
root@s11-desktop:~# netadm list -c ip
TYPE PROFILE STATE

Chapter 6 - Page 5
ncu:ip net0 online

11. List all NWAM profiles and their auxiliary states.
root@s11-desktop:~# netadm list -x
TYPE PROFILE STATE AUXILIARY STATE
ncp Automatic disabled disabled by administrator
ncp start_state online active
ncu:phys net0 online interface/link is up
ncu:ip net0 online interface/link is up
loc aces online active

loc Automatic offline conditions for activation are unmet
loc NoNet offline conditions for activation are unmet
loc User disabled disabled by administrator
12. Use the netcfg export command to create backups of the start_state and aces
profiles.
root@s11-desktop:~# netcfg export -f start_state_ncp_backup ncp \
start_state
root@s11-desktop:~# netcfg export -f aces_loc_backup \
loc aces
root@s11-desktop:~# ls *backup
aces_loc_backup start_state_ncp_backup
13. Use the netcfg utility to select the start_state profile and list its NCUs.
root@s11-desktop:~# netcfg
netcfg> select ncp start_state
netcfg:ncp:start_state> list
NCUs:
phys net0
ip net0
14. Select the phys NCU and display its properties.
netcfg:ncp:start_state> select ncu phys net0
netcfg:ncp:start_state:ncu:net0> list
ncu:net0
type link
class phys
parent "start_state"
activation-mode manual
enabled true
netcfg:ncp:start_state:ncu:net0> end
15. Select the ip NCU and display its properties.
netcfg:ncp:start_state> select ncu ip net0
netcfg:ncp:start_state:ncu:net0> list
ncu:net0
type interface
class ip

Chapter 6 - Page 6
parent "start_state"
enabled true
ip-version ipv4
ipv4-addrsrc static
ipv4-addr "192.168.0.111"
netcfg:ncp:start_state:ncu:net0> end
netcfg:ncp:start_state> end
netcfg>
16. Select the aces location profile and list its properties.

netcfg> select loc aces
netcfg:loc:aces> list
loc:aces
enabled true
nameservices dns
nameservices-config-file "/etc/nsswitch.dns"
dns-nameservice-configsrc manual
dns-nameservice-domain "mydomain.com"
dns-nameservice-servers "192.168.0.100"
netcfg:loc:aces> end
netcfg> exit
root@s11-desktop:~#
Task 2: Create and Deploy an NWAM Profile

Perform these steps to configure an NWAM profile:
1. Create an NCP named oracle_profile.
root@s11-desktop:~# netcfg
netcfg> create ncp oracle_profile
2. Create a phys NCU for data link net1.
netcfg:ncp:oracle_profile> create ncu phys net1
Created ncu 'net1'. Walking properties ...
activation-mode (manual) [manual|prioritized]> manual
link-mac-addr> Press Return
link-autopush> Press Return
link-mtu> Press Return
netcfg:ncp:oracle_profile:ncu:net1> list
ncu:net1
type link
class phys
parent "oracle_profile"
enabled true

Chapter 6 - Page 7
netcfg:ncp:oracle_profile:ncu:net1> end
Committed changes
netcfg:ncp:oracle_profile> list
NCUs:
phys net1
3. Create an ip NCU for data link net1.
netcfg:ncp:oracle_profile> create ncu ip net1
Created ncu 'net1'. Walking properties ...
ip-version (ipv4,ipv6) [ipv4|ipv6]> ipv4

ipv4-addrsrc (dhcp) [dhcp|static]> static
ipv4-addr> 192.168.0.111
ipv4-default-route> Press Return
netcfg:ncp:oracle_profile:ncu:net1> list
ncu:net1
type interface
class ip
enabled true
ip-version ipv4
ipv4-addrsrc static
ipv4-addr "192.168.0.111"
ipv6-addrsrc dhcp,autoconf
netcfg:ncp:oracle_profile:ncu:net1> verify
All properties verified
netcfg:ncp:oracle_profile:ncu:net1> commit
Committed changes
netcfg:ncp:oracle_profile:ncu:net1> end
netcfg:ncp:oracle_profile> list ncu ip net1
ncu:net1
type interface
class ip
enabled true
ip-version ipv4
ipv4-addrsrc static
ipv4-addr "192.168.0.111"
ipv6-addrsrc dhcp,autoconf
netcfg:ncp:oracle_profile> end
netcfg>
4. Create a location (loc) NCP named classroom.
netcfg> create loc classroom

Chapter 6 - Page 8
activation-mode (manual) [manual|conditional-any|conditional-

all]> conditional-all
conditions> "system-domain is mydomain.com"
nameservices (dns) [dns|files|nis|ldap]> dns
nameservices-config-file ("/etc/nsswitch.dns")> Press Return
dns-nameservice-configsrc (dhcp) [manual|dhcp]> manual
dns-nameservice-domain> "mydomain.com"
dns-nameservice-servers> "192.168.0.100"
dns-nameservice-search> Press Return

dns-nameservice-sortlist> Press Return
dns-nameservice-options> Press Return
nfsv4-domain> Press Return
ipfilter-config-file> Press Return
ipfilter-v6-config-file> Press Return
ipnat-config-file> Press Return
ippool-config-file> Press Return
ike-config-file> Press Return
ipsecpolicy-config-file> Press Return
netcfg:loc:classroom> list
loc:classroom
activation-mode conditional-all
conditions "system-domain is mydomain.com"
enabled false
nameservices dns
nameservices-config-file "/etc/nsswitch.dns"
dns-nameservice-configsrc manual
dns-nameservice-domain "mydomain.com"
dns-nameservice-servers "192.168.0.100"
netcfg:loc:classroom> verify
All properties verified
netcfg:loc:classroom> commit
Committed changes
netcfg:loc:classroom> end
netcfg> exit
5. Use the netcfg list command to display all profiles that exist at the current scope.
root@s11-desktop:~# netcfg list
NCPs:
Automatic
oracle_profile
start_state
Locations:
aces
Automatic

Chapter 6 - Page 9
classroom
NoNet
User
6. Use the netcfg export command to create backups of your oracle_profile and
classroom profiles.
root@s11-desktop:~# netcfg export -f oracle_ncp_backup ncp \
oracle_profile
root@s11-desktop:~# netcfg export -f classroom_loc_backup \
loc classroom

7. Destroy the classroom profile and show the results.
root@s11-desktop:~# netcfg destroy loc classroom
NCPs:
Automatic
oracle_profile
start_state
Locations:
aces
Automatic
NoNet
User
8. Recover the classroom profile from your backup and show the results.
root@s11-desktop:~# netcfg -f classroom_loc_backup
Configuration read.
NCPs:
Automatic
oracle_profile
start_state
Locations:
aces
Automatic
classroom
NoNet
User
9. Use the netcfg enable command to enable classroom and oracle_profile
profiles.
root@s11-desktop:~# netadm enable classroom
Enabling loc 'classroom'
root@s11-desktop:~# netadm enable oracle_profile
Enabling ncp 'oracle_profile'
10. Reboot the system to verify that oracle_profile and classroom are the default NWAM
profiles.

Chapter 6 - Page 10
root@s11-desktop:~# init 6
11. After the system reboots, log in as oracle and su to root.
12. Open the Network Preferences dialog box.

Note that network interface net1 is now connected to the network.
13. Use the ping command to verify communication with a remote host.
root@s11-desktop:~# ping s11-ss
s11-ss is alive

Chapter 6 - Page 11
Practice 6-2: Exploring the Capabilities of the ipadm Utility
Overview
The ipadm command provides a set of subcommands that you use to manage network
interfaces, manage IP addresses, and manage TCP/IP protocol properties. The ipadm utility
replaces some of the ifconfig command functionality for IP interface-related tasks.
Task: Exploring the Capabilities of the ipadm Utility

Perform these steps to explore the capabilities of the ipadm utility:

2. Log in to virtual machine Sol11-Server1 system as user oracle and su to root.
3. In a terminal window, run the dladm show-phys command to determine the state of the
physical network interfaces currently configured in the system.
root@s11-serv1:~# dladm show-phys
LINK MEDIA STATE SPEED DUPLEX DEVICE
net0 Ethernet up 1000 full e1000g0
net1 Ethernet unknown 1000 full e1000g1
net3 Ethernet unknown 0 unknown e1000g3
4. Run the dladm show-link command to determine the state of each network link
currently configured in the system.
root@s11-serv1:~# dladm show-link
LINK CLASS MTU STATE OVER
net0 phys 1500 up --
net1 phys 1500 unknown --
zone1/net0 vnic 1500 up net0
5. Run the ipadm show-if command to show network interface configuration information.
root@s11-serv1:~# ipadm show-if
IFNAME CLASS STATE ACTIVE OVER
lo0 loopback ok yes --
net0 ip ok yes --

Chapter 6 - Page 12
6. Rename link net1 to training1 and show the results.

root@s11-serv1:~# dladm rename-link net1 training1
net0 Ethernet up 1000 full e1000g0
training1 Ethernet unknown 1000 full e1000g1

training0 phys 1500 unknown --
7. Run the ipadm command to create an IP interface for link training1 and show the
results.
root@s11-serv1:~# ipadm create-ip training1
net0 ip ok yes --
training1 ip down no --
8. Run the ipadm command to create the static IPv4 address 192.168.0.113/24 on the
interface training1 and show the results.
root@s11-serv1:~# ipadm create-addr -T static -a \
192.168.0.113/24 training1/v4
lo0/v4 static ok 127.0.0.1/8
net0/v4 static ok 192.168.0.112/24
training1/v4 static ok 192.168.0.113/24
net0/v6 addrconf ok fe80::a00:27ff:febb:669c/10
9. Run the ipadm command to show the current and persistent values of the IP address
properties for interface training1.
root@s11-serv1:~# ipadm show-addrprop training1/v4
ADDROBJ PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
training1/v4 broadcast r- 192.168.0.255 -- 192.168.0.255 --
training1/v4 deprecated rw off -- off on,off
training1/v4 prefixlen rw 24 24 24 1-30,32
training1/v4 private rw off -- off on,off

Chapter 6 - Page 13
training1/v4 reqhost r- -- -- -- --
training1/v4 transmit rw on -- on on,off
training1/v4 zone rw global -- global --
10. Run the ipadm command to show the interface properties for interface training1.
root@s11-serv1:~# ipadm show-ifprop training1
IFNAME PROPERTY PROTO PERM CURRENT PERSISTENT DEFAULT POSSIBLE
training1 arp ipv4 rw on -- on on,off
training1 forwarding ipv4 rw off -- off on,off
training1 metric ipv4 rw 0 -- 0 --

training1 mtu ipv4 rw 1500 -- 1500 68-1500
training1 exchange_routes ipv4 rw on -- on on,off
training1 usesrc ipv4 rw none -- none --
training1 forwarding ipv6 rw off -- off on,off
training1 metric ipv6 rw 0 -- 0 --
training1 mtu ipv6 rw 1500 -- 1500 1280-1500
training1 nud ipv6 rw on -- on on,off
training1 exchange_routes ipv6 rw on -- on on,off
training1 usesrc ipv6 rw none -- none --
training1 group ip rw -- -- -- --
training1 standby ip rw off -- off on,off
11. Run the ipadm command to show the TCP protocol properties.
root@s11-serv1:~# ipadm show-prop tcp
PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
tcp ecn rw passive -- passive never,passive,
active
tcp extra_priv_ports rw 2049,4045 -- 2049,4045 1-65535
tcp largest_anon_port rw 65535 -- 65535 32768-65535
tcp max_buf rw 1048576 -- 1048576 128000-
1073741824
tcp recv_buf rw 128000 -- 128000 2048-1048576
tcp sack rw active -- active never,passive,
active
tcp send_buf rw 49152 -- 49152 4096-1048576
tcp smallest_anon_port rw 32768 -- 32768 1024-65535
tcp smallest_nonpriv_port rw 1024 -- 1024 1024-32768
12. Run the ipadm command to enable ipv4 forwarding and show the results.
root@s11-serv1:~# ipadm set-prop -p forwarding=on ipv4
root@s11-serv1:~# ipadm show-prop ip
ipv4 forwarding rw on on off on,off
ipv4 ttl rw 255 -- 255 1-255
ipv6 forwarding rw off -- off on,off
ipv6 hoplimit rw 255 -- 255 1-255
ipv6 hostmodel rw weak -- weak strong,
src-priority,
weak
src-priority,

Chapter 6 - Page 14
weak
13. Run the ipadm command to disable ipv4 forwarding.
root@s11-serv1:~# ipadm set-prop -p forwarding=off ipv4
14. Run the ipadm command to disable the training1 network interface and show the
results.
root@s11-serv1:~# ipadm disable-if -t training1

net0 ip ok yes --
training1 ip disabled no --
Note that the –t option makes the operation temporary.
15. Verify that the IP address object for the training1 interface is also disabled.
lo0/v4 static ok 127.0.0.1/8
net0/v4 static ok 192.168.0.112/24
training1/v4 static disabled 192.168.0.113/24
16. Delete the training1 network interface and show the results.
root@s11-serv1:~# ipadm delete-ip training1
net0 ip ok yes --
17. Rename the training1 data link to net1 and show the results.
root@s11-serv1:~# dladm rename-link training1 net1

Chapter 6 - Page 15
Practice 6-3: Configuring Network Virtualization

Overview
Network virtualization is the process of combining hardware network resources and software
network resources into a single administrative unit. The goal of network virtualization is to
provide systems and users with efficient, controlled, and secure sharing of the networking
resources. The end product of network virtualization is the virtual network. An internal virtual
network consists of one system using Solaris zones that are configured over at least one
pseudo-network interface. These containers can communicate with each other as though on the
same local network, providing a virtual network on a single host. The building blocks of the

virtual network are virtual network interface cards or virtual NICs (VNICs) and virtual switches
(etherstubs). Oracle Solaris network virtualization provides the internal virtual network solution.
In this practice, you explore Oracle Solaris 11 network virtualization. To do this, you perform
these key tasks:
• Configure two zones on a private virtual network.
• Configure the virtual network for public access.
• Secure the virtual network behind a firewall.
• Control network traffic flow.
Task 1: Configure Two Zones on a Private Virtual Network
The following illustration shows the topology of the virtual network that you create in this task.
Perform these steps to configure two zones on a private virtual network:


Chapter 6 - Page 16
3. In the terminal window, verify that the IPS publisher is configured correctly and is
operational.
solaris (preferred) origin online http://s11-serv1.mydomain.com/
pkg.fmri set solaris/entire pkg:/entire@0.5.11-0.175.0.0.0.2.0
4. Verify that an rpool/zones ZFS file system exits and is mounted as /zones.

root@s11-serv1:~# zfs list rpool/zones
rpool/zones 7.45G 14.5G 33K /zones
If the rpool/zones ZFS file system does not exist, run this command:
root@s11-serv1:~# zfs create -o mountpoint=/zones \
rpool/zones
5. Run the dladm utility to create an etherstub named stub0 and show the results.
root@s11-serv1:~# dladm create-etherstub stub0
root@s11-serv1:~# dladm show-etherstub
LINK
stub0
6. Use the dladm utility to create VNICs vnic0, vnic1, and vnic2. Attach these VNICs to
etherstub stub0.
root@s11-serv1:~# dladm create-vnic -l stub0 vnic0
7. Show the results of the previous step.
root@s11-serv1:~# dladm show-vnic
LINK OVER SPEED MACADDRESS MACADDRTYPE VID
zone1/net0 net0 1000 2:8:20:31:4f:75 random 0
zone2/net0 net0 1000 2:8:20:61:49:15 random 0
vnic0 stub0 0 2:8:20:4e:eb:76 random 0
vnic1 stub0 0 2:8:20:63:72:ff random 0
vnic2 stub0 0 2:8:20:a3:19:a2 random 0
8. Configure zone3 and display the results.
zonecfg:zone3> create
zonecfg:zone3> set ip-type=exclusive
zonecfg:zone3> add net

Chapter 6 - Page 17
zonecfg:zone3:net> set physical=vnic1

zonecfg:zone3:net> end
zonecfg:zone3> exit
root@s11-serv1:~# zonecfg -z zone3 info | more
zonename: zone3
brand: ipkg

autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: exclusive
hostid:
fs-allowed:
net:
address not specified
allowed-address not specified
physical: vnic1
anet:
linkname: net0
lower-link: auto
link-protection: mac-nospoof
mac-address: random
mtu not specified
maxbw not specified
9. Configure zone4 and display the results.

Chapter 6 - Page 18


zonecfg:zone4> exit
root@s11-serv1:~# zonecfg -z zone4 info | more
zonename: zone4
brand: ipkg
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: exclusive
hostid:
fs-allowed:
net:
address not specified
physical: vnic2
anet:
linkname: net0
lower-link: auto
link-protection: mac-nospoof
mac-address: random

Chapter 6 - Page 19
mtu not specified

maxbw not specified
10. Install zone3.
root@s11-serv1:~# zoneadm -z zone3 install
Image: Preparing at /zones/zone3/root.

Install Log: /system/volatile/install.15667/install_log
AI Manifest: /tmp/manifest.xml.GWaiLE
SC Profile: /usr/share/auto_install/sc_profiles/enable_sci.xml
Zonename: zone3
Installation: Starting ...
Creating IPS image

Installing packages from:
solaris
origin: http://s11-serv1.mydomain.com/
Completed 167/167 32062/32062 175.8/175.8
PHASE ACTIONS
Install Phase 44313/44313
PHASE ITEMS
Installation: Succeeded
Note: Man pages can be obtained by installing pkg:/system/manual

done.
Done: Installation completed in 663.629 seconds.
Next Steps: Boot the zone, then log into the zone console (zlogin -C)to
complete the configuration process.
/zones/zone3/root/var/log/zones/zoneadm.20111027T100036Z.zone3.install
Note that this step normally takes several minutes to complete.
11. Boot zone zone3 and show the results.
root@s11-serv1:~# zoneadm -z zone3 boot

Chapter 6 - Page 20

4 zone3 running /zones/zone3 solaris excl
12. Log in to zone3 and complete the system configuration.
root@s11-serv1:~# zlogin -C zone3
[Connected to zone 'zone3' console]
Use this configuration parameter:
• Computer name: zone3

• Network Interface: vnic1
• IP Address: 192.168.1.100
• DNS: Do not configure
• User account:
• Username: oracle
• Password: oracle1
When the system configuration is completed, use the ~. escape sequence to exit back
to the global zone.
13. Install zone4.
root@s11-serv1:~# zoneadm -z zone4 install

AI Manifest: /tmp/manifest.xml.Iia49J
SC Profile: /usr/share/auto_install/sc_profiles/enable_sci.xml
Zonename: zone4
Creating IPS image

solaris
Completed 167/167 32062/32062 175.8/175.8
PHASE ACTIONS

Chapter 6 - Page 21
PHASE ITEMS
Installation: Succeeded
Note: Man pages can be obtained by installing pkg:/system/manual

done.

Done: Installation completed in 659.419 seconds.
Next Steps: Boot the zone, then log into the zone console (zlogin -C)to
complete the configuration process.

/zones/zone4/root/var/log/zones/zoneadm.20111027T102236Z.zone4.install
Note that this step normally takes several minutes to complete.
14. Boot zone zone4 and show the results.
15. Log in to zone4 and complete the sysid configuration.
root@s11-serv1:~# zlogin -C zone4
[Connected to zone 'zone4' console]
Use this configuration parameter:
• Computer name: zone4
• Network Interface: vnic2
• IP Address: 192.168.1.101
• DNS: Do not configure
• User account:
• Username: oracle
• Password: oracle1

Chapter 6 - Page 22
When the system configuration is completed, use the ~. escape sequence to exit back
to the global zone.
16. Log in to zone3 and use the ping command to verify that the virtual network connecting
zone3 and zone4 is operational.
root@s11-serv1:~# zlogin zone3
root@zone3:~# ping 192.168.1.101
192.168.1.101 is alive
17. Exit back to the global zone.

Task 2: Configure the Virtual Network for Public Access
Now that you have constructed a virtual network connecting two zones, you attach it to the
global zone using vnic0 and then set up IPv4 forwarding to allow public access. The following
illustration shows the network topology that you build in this task.
Perform these steps to configure the virtual network for public access:
1. Use the dladm command to determine the VNICs that are currently configured in the
system.
root@s11-serv1:~# dladm show-vnic
LINK OVER SPEED MACADDRESS MACADDRTYPE VID
vnic0 stub0 0 2:8:20:31:6b:54 random 0
vnic1 stub0 0 2:8:20:81:cb:a1 random 0
zone3/vnic1 stub0 0 2:8:20:81:cb:a1 random 0
vnic2 stub0 0 2:8:20:71:27:b random 0
zone4/vnic2 stub0 0 2:8:20:71:27:b random 0
zone1/net0 net0 1000 2:8:20:31:4f:71 random 0
zone2/net0 net0 1000 2:8:20:91:ab:b1 random 0
zone3/net0 net0 1000 2:8:20:6f:62:db random 0
zone4/net0 net0 1000 2:8:20:4b:92:ea random 0

Chapter 6 - Page 23
2. Create an IP interface for vnic0 and show the results.

root@s11-serv1:~# ipadm create-ip vnic0
net0 ip ok yes --
vnic0 ip down no --
3. Run the ipadm command to create the static IPv4 address 192.168.1.102/24 on the
interface vnic0 and show the results.

192.168.1.102/24 vnic0/v4
lo0/v4 static ok 127.0.0.1/8
net0/v4 static ok 192.168.0.112/24
vnic0/v4 static ok 192.168.1.102/24
4. Run the ipadm command to enable IPv4 forwarding and show the results.
root@s11-serv1:~# ipadm set-prop -p forwarding=on ipv4
root@s11-serv1:~# ipadm show-prop ip
ipv4 forwarding rw on on off on,off
ipv4 ttl rw 255 -- 255 1-255
ipv6 forwarding rw off -- off on,off
ipv6 hoplimit rw 255 -- 255 1-255
src-priority,
weak
src-priority,
weak
5. Log in to the Sol11-Desktop system and use the ping command to verify access to a non-
global zone on the virtual network.
root@s11-desktop:~# ping 192.168.1.100
192.168.1.100 is alive
6. On the Sol11-Server1 virtual machine, log in to the zones in the virtual network and verify
that the zone can access a remote system.
…
root@zone3:~# ping 192.168.0.111
192.168.0.111 is alive
7. Move back to the global zone.

Chapter 6 - Page 24
Task 3: Secure the Virtual Network Behind a Firewall

Now that your virtual network can be accessed from remote systems, secure the virtual network
by placing it behind a firewall. The following illustration shows the network topology you build in
this task.

Perform these steps to secure the virtual network behind a firewall:
1. Create an IP filter configuration file that blocks all outgoing and incoming traffic except for
outgoing ICMP (ping) packets.
root@s11-serv1:~# vi /etc/ipf/ipf.conf
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
block out on net0 all
pass out quick on net0 proto icmp from any to any keep state
block in on net0 all
2. Enable IP filtering.
root@s11-serv1:~# ipf -E
3. Import the IP filter configuration from the IP file configuration file.
root@s11-serv1:~# ipf -f /etc/ipf/ipf.conf
4. Verify the IP filter configuration.
root@s11-serv1:~# ipfstat -io
block out on net0 all
pass out quick on net0 proto icmp from any to any keep state
block in on net0 all
5. Log in to the Sol11-Desktop system and use the ping command to verify that the virtual
network is secure.

Chapter 6 - Page 25

no answer from 192.168.1.100
6. Log in to zone3 in the virtual network and verify that the zone can access a remote system.
…
root@zone3:~# ping 192.168.0.111
192.168.0.111 is alive
7. Move back to the global zone.

Task 4: Control network Interface Data Flow
Now that you have some experience in working with virtual networks, let us take a look at
controlling data flow on a network interface. In this task, you create a policy for inbound HTTP
traffic. You do this by restricting HTTP data flow on vnic3.
Perform these steps to control virtual network data flow:
1. Display the status of the data links.
stub0 etherstub 9000 unknown --
vnic0 vnic 9000 up stub0
zone3/vnic1 vnic 9000 up stub0
zone4/vnic2 vnic 9000 up stub0
2. Create interface vnic3 and use the flowadm command to control HTTP data on vnic3.
root@s11-serv1:~# flowadm add-flow -l vnic3 \
-a transport=tcp,local_port=80 http1
3. Use the flowadm show-flow command to display the flow controls currently configured
in the system.
root@s11-serv1:~# flowadm show-flow
FLOW LINK IPADDR PROTO LPORT RPORT DSFLD
http1 vnic3 -- tcp 80 -- --
4. Throttle HTTP traffic across the vnic3 VNIC to 100 Mb/s.

root@s11-serv1:~# flowadm set-flowprop –p maxbw=100M \
http1

Chapter 6 - Page 26
5. Set the priority on vnic3 to low.

root@s11-serv1:~# dladm set-linkprop –p priority=low vnic3
6 Display the flow controls properties.
root@s11-serv1:~# flowadm show-flowprop http1
FLOW PROPERTY VALUE DEFAULT POSSIBLE
vnic2-throttle maxbw 100 -- --
root@s11-serv1:~# dladm show-linkprop –p priority vnic3
LINK PROPERTY PERM VALUE DEFAULT POSSIBLE
vnic3 priority rw low high low, medium, high

Now, network interface vnic3 can be used to enforce the HTTP policy.
Task 5: Remove the Virtual Network

In this task, you remove the zones and the virtual network from the system.
Perform these steps to remove the virtual network:
1. Disable the IP filter.
root@s11-serv1:~# ipf -D
root@s11-serv1:~# ipfstat -io
empty list for ipfilter (out)
empty list for ipfilter (in)
2. Halt zones zone1, zone2, zone3, and zone4.

root@s11-serv1:~# zoneadm –z zone1 halt
root@s11-serv1:~# zoneadm list –cv
…
- zone3 installed /zones/zone3 solaris excl
- zone4 installed /zones/zone4 solaris excl
3. Uninstall zones zone1, zone2, zone3, and zone4.

root@s11-serv1:~# zoneadm –z zone1 uninstall
Are you sure you want to uninstall zone zone1 (y/[n])? y
/var/log/zones/zoneadm.20111027T102736Z.zone1.uninstall
oot@s11-serv1:~# zoneadm –z zone3 uninstall

Chapter 6 - Page 27

4. Delete zones zone1, zone2, zone3, and zone4.

root@s11-serv1:~# zonecfg –z zone1 delete
Are you sure you want to delete zone zone1 (y/[n])? y

5. Display the current IP interfaces.

net0 ip ok yes --
vnic0 ip ok yes --
6. Remove the IP interface from data link vnic0 and show the results.
root@s11-serv1:~# ipadm delete-ip vnic0
net0 ip ok yes --
7. Check to see whether there are any flows associated with vnic3. If a flow is present,
remove it.
FLOW LINK IPADDR PROTO LPORT RPORT DSFLD
vnic2-throttle vnic2 -- tcp 80 -- --
root@s11-serv1:~# flowadm remove-flow –l vnic3
root@s11-serv1:~#
8 Remove all the VNIC data links from the system.

root@s11-serv1:~# dladm delete-vnic vnic0
9. Remove the etherstub from the system.

root@s11-serv1:~# dladm delete-etherstub stub0

Chapter 6 - Page 28
10. Display the remaining data links.


Chapter 6 - Page 29
Practice 6-4: Configuring IPMP

Overview
IP network multipathing (IPMP) provides physical interface failure detection, transparent
network access failover, and packet load spreading for systems with multiple interfaces that are
connected to a particular local area network or LAN.
An IPMP configuration typically consists of two or more physical interfaces on the same system
that are attached to the same LAN. These interfaces can belong to an IPMP group in either of
the following configurations:

• Active-active configuration: In this configuration, all underlying interfaces are active.
An active interface is an IP interface that is currently available for use by the IPMP
group. By default, an underlying interface becomes active when you configure the
interface to become part of an IPMP group.
• Active-standby configuration: In this configuration, at least one interface is
administratively configured as a reserve. The reserve interface is called the standby
interface. Although idle, the standby IP interface is monitored by the multipathing
daemon to track the interface's availability, depending on how the interface is configured.
If link-failure notification is supported by the interface, link-based failure detection is
used. If the interface is configured with a test address, probe-based failure detection is
also used. If an active interface fails, the standby interface is automatically deployed as
needed. You can configure as many standby interfaces as you want for an IPMP group.
In this practice, you configure both active-active and active-standby configurations.
Task 1: Create an Active-Active IPMP Configuration

In this task you configure an active-active IPMP group consisting of two network interfaces
(net0 and net1).
Perform these steps to configure IPMP:
3. In a terminal window, use the ipadm command to display the IP network interfaces
currently configured in the system.
net0 ip ok yes --
4. Delete the net0 network interface and display the results.
root@s11-serv1:~# ipadm delete-ip net0
Aug 19 10:29:27 s11-serv1 in.ndpd[799]: Interface net0 has been
removed from kernel. In.ndpd will no longer use it

Chapter 6 - Page 30
When configuring IPMP, you must assign all network interfaces attached to the same
LAN to an IPMP group. In this step, you delete the net0 interface in preparation for
configuring it in an IPMP group.
5. Rename data link net0 to link1_ipmp0 and data link net1 to link1_ipmp0 and show
the results.
root@s11-serv1:~# dladm rename-link net0 link0_ipmp0

link0_ipmp0 phys 1500 unknown --
6. Create IP interfaces for data links link0_ipmp0 and link1_ipmp0. Show the results.
root@s11-serv1:~# ipadm create-ip link0_ipmp0
link0_ipmp0 ip down no --
7. Create an IPMP group named ipmp0.
root@s11-serv1:~# ipadm create-ipmp ipmp0
8. Add IP interfaces link0_ipmp0 and link1_ipmp0 to IPMP group ipmp0 and show the
results.
root@s11-serv1:~# ipadm add-ipmp –i link0_ipmp0 –i link1_ipmp0 \
ipmp0
root@s11-serv1:~# ipmpstat –g
GROUP GROUPNAME STATE FDT INTERFACES
ipmp0 ipmp0 ok -- link1_ipmp0 link0_ipmp0
9. Assign two static IP addresses to the IPMP interface to be used for data access.
root@s11-serv1:~# ipadm create-addr –T static \
–a 192.168.0.112/24 ipmp0/v4add1
–a 192.168.0.113/24 ipmp0/v4add2
10. Assign a static IP address to each IPMP subinterface to be used for link testing.
–a 192.168.0.142/24 link0_ipmp0/test
–a 192.168.0.143/24 link1_ipmp0/test
11. Display the data and test IP addresses.

Chapter 6 - Page 31
lo0/v4 static ok 127.0.0.1/8

link0_ipmp0/test static ok 192.168.0.142/24
ipmp0/v4add1 static ok 192.168.0.112/24
link0_ipmp0/_a static ok fe80::a00:27ff:fe36:a51c/10
link1_ipmp0/_a static ok fe80::a00:27ff:fe05:424a/10
12. Use the ipmpstat command to display IPMP address information.

root@s11-serv1:~# ipmpstat -an
ADDRESS STATE GROUP INBOUND OUTBOUND
:: down ipmp0 -- --
192.168.0.113 up ipmp0 link1_ipmp0 link1_ipmp0 link0_ipmp0
Note that the INBOUND traffic is restricted to one interface depending on which IP
address is used. The OUTBOUND traffic is spread across both interfaces.
13. Use the ipmpstat command to display IP interface information.
root@s11-serv1:~# ipmpstat -i
INTERFACE ACTIVE GROUP FLAGS LINK PROBE STATE
link1_ipmp0 yes ipmp0 ------- up ok ok
link0_ipmp0 yes ipmp0 --mbM-- up ok ok
The interface FLAGS are defined as:

i = Unusable due to being INACTIVE.
s = Masked STANDBY.
m = Nominated to send/receive IPv4 multicast for its IPMP group.
b = Nominated to send/receive IPv4 broadcast for its IPMP group.
M = Nominated to send/receive IPv6 multicast for its IPMP group.
d = Unusable due to being down.
h = Unusable due to being brought OFFLINE by in.mpathd (IPMP daemon) because
of a duplicate hardware address.
14. Use the ipmpstat command to display information about test address targets.
root@s11-serv1:~# ipmpstat -nt
INTERFACE MODE TESTADDR TARGETS
link1_ipmp0 multicast 192.168.0.143 192.168.0.100 192.168.0.111
link0_ipmp0 multicast 192.168.0.142 192.168.0.100 192.168.0.111
15. Use the ipmpstat command to display current probe information.
root@s11-serv1:~# ipmpstat -pn
TIME INTERFACE PROBE NETRTT RTT RTTAVG TARGET
1.07s link0_ipmp0 i2182 0.55ms 0.92ms 0.61ms 192.168.0.100

Chapter 6 - Page 32


^C
Task 2: Test the Active-Active IPMP Configuration

In this task you test the active-active IPMP configuration by causing one of the
subinterfaces to fail. Then you verify that the system is still accessible by using the
remaining interface.
Perform these steps to test the IPMP configuration:
1. Shut down the Sol11-Server1 virtual machine.
2. Open the VirtualBox Manager GUI and click the Settings utility for the Sol11-Server1 virtual
machine.

Chapter 6 - Page 33

3. Under the Network settings, select Adapter 2 and set the Attached to: field to Not
attached.
4. Start the Sol11-Server1 virtual machine.


Chapter 6 - Page 34
6. Use the ipmpstat command to display IPMP group information.

root@s11-serv1:~# ipmpstat -g
ipmp0 ipmp0 degraded 10.00s link1_ipmp0 [link0_ipmp0]
Note that link0_ipmp0 has been boxed ([link0_ipmp0]) indicated that it has failed.

link0_ipmp0 no ipmp0 ------- up failed failed
Interface link0_ipmp0 is no longer active.

-1.99s link0_ipmp0 i504 -- -- -- 192.168.0.100
0.25s link0_ipmp0 i506 -- -- -- 192.168.0.100
-1.02s link0_ipmp0 i505 -- -- -- 192.168.0.100
2.85s link1_ipmp0 i507 0.56ms 0.70m 0.70ms 192.168.0.100
^C
Note that link0_ipmp0 is failing probe tests.

9. Move to Sol11-Desktop virtual machine and ping the IPMP data IP addresses.
192.168.0.112 is alive
192.168.0.113 is alive
machine.
12. Under the Network settings, select Adapter 2 and set the Attached to: field to
Internal network.

Chapter 6 - Page 35

15. Use the ipmpstat command to verify that the IPMP group ipmp0 STATE is ok.
ipmp0 ipmp0 ok -- link1_ipmp0 link0_ipmp0
Task 3: Create an Active-Standby IPMP Configuration

In this task you reconfigure the IPMP group ipmp0 from an active-active configuration to active-
standby configuration.
Perform these steps to configure an active-standby IPMP configuration:
1. On the Sol11-Server1 virtual machine, display the data links.
link0_ipmp0 phys 1500 up --
2. Rename data link net2 to link2_ipmp0 and show the results.

Chapter 6 - Page 36

3. Create IP interfaces for data links link2_ipmp0 and show the results.
ipmp0 ipmp ok yes link0_ipmp0 link1_ipmp0

link0_ipmp0 ip ok yes --
link1_ipmp0 ip ok yes --
4. Add IP interfaces link2_ipmp0 to IPMP group ipmp0 and show the results.
root@s11-serv1:~# ipadm add-ipmp –i link2_ipmp0 ipmp0
ipmp0 ipmp0 ok 10.00s link2_ipmp0 link1_ipmp0 link0_ipmp0
5. Assign a static IP address to IPMP subinterface link2_ipmp0 to be used for link testing
and show the results.
–a 192.168.0.144/24 link2_ipmp0/test
lo0/v4 static ok 127.0.0.1/8
link0_ipmp0/_a static ok fe80::a00:27ff:fe36:a51c/10
link1_ipmp0/_a static ok fe80::a00:27ff:fe05:424a/10
link1_ipmp0/_a static ok fe80::a00:27ff:fe92:67eb/10
6. Show the current setting of the standby property for the link2_ipmp0 interface.
root@s11-serv1:~# ipadm show-ifprop –p standby link2_ipmp0
link2_ipmp0 standby ip rw off -- off on,off
Note that standby is currently turned off.

7. Set the standby property for the link2_ipmp0 interface to on and show the results.
root@s11-serv1:~# ipadm set-ifprop -p standby=on -m ip \
link2_ipmp0

Chapter 6 - Page 37
root@s11-serv1:~# ipadm show-ifprop -p standby link2_ipmp0

link2_ipmp0 standby ip rw on on off on,off
ipmp0 ipmp0 ok 10.00s link1_ipmp0 link0_ipmp0 (link2_ipmp0)
Note that interface link2_ipmp0 is enclosed in parenthesis. This indicates that the

interface is set to standby.
:: down ipmp0 -- --
Note that interface link2_ipmp0 is not actively used for INBOUND and OUTBOUND
traffic.
10. Use the ipmpstat command to display IPMP interface information.
link2_ipmp0 no ipmp0 is----- up ok ok
Note the flags for interface link2_ipmp0. This indicates that the interface is inactive
and set to standby.
Task 4: Test the Active-Standby IPMP Configuration

In this task, you test the active-standby IPMP configuration by causing one of the subinterfaces
to fail. Then you verify that the system is still accessible by using the remaining interface.
Perform these steps to test the IPMP configuration:

Chapter 6 - Page 38

machine.
3. Under the Network settings, select Adapter 2 and set the Attached to: field to Not
attached.

Chapter 6 - Page 39

ipmp0 ipmp0 degraded 10.00s link2_ipmp0 link1_ipmp0 [link0_ipmp0]
Note that link1_ipmp0 has been boxed ([link1_ipmp0]) indicated that it has failed.
Link2_ipmp0 yes ipmp0 -s----- up ok ok
link0_ipmp0 no ipmp0 ------- up failed failed
Interface link1_ipmp0 is no longer active but link2_ipmp0 is now active.

:: down ipmp0 -- --
Note that interface link2_ipmp0 is being used for INBOUND and OUTBOUND traffic.

Chapter 6 - Page 40

0.49s link0_ipmp0 i161 -- -- -- 192.168.0.100
-0.49s link0_ipmp0 i160 -- -- -- 192.168.0.100

2.31s link0_ipmp0 i162 -- -- -- 192.168.0.100
...
Note that interface link2_ipmp0 is actively probing targets.

10. Move to Sol11-Desktop virtual machine and ping the IPMP data IP addresses.
192.168.0.112 is alive
192.168.0.113 is alive
machine.
13. Under the Network settings, select Adapter 2 and set the Attached to: field to
Internal Network.

Chapter 6 - Page 41

ipmp0 ipmp0 ok 10.00s link1_ipmp0 link0_ipmp0 (link2_ipmp0)
Note that interface link2_ipmp0 has been placed backup in to standby and is
inactive. This indicates that the failed interface has been repaired.

17. Use the ipmpstat command to display IPMP interface information.
link2_ipmp0 no ipmp0 is----- up ok ok
Task 5: Remove the IPMP Configuration

In this task, you remove the IPMP group ipmp0 and return the network to its original
configuration.
Perform these steps to remove the IPMP configuration:
1. Remove all the subinterfaces from the IPMP group ipmp0 and show the results.
root@s11-serv1:~# ipadm remove-ipmp –i link0_ipmp0 \
–i link1_ipmp0 –i link2_ipmp0 ipmp0
ipmp0 ipmp0 failed -- --
2. Delete the IPMP group ipmp0.
root@s11-serv1:~# ipadm delete-ipmp ipmp0
root@s11-serv1:~#
3. Display the IP address that is currently configured in the system.
lo0/v4 static ok 127.0.0.1/8
ipmp0/v4add1 static inaccessible 192.168.0.112/24
ipmp0/v4add2 static inaccessible 192.168.0.113/24
link0_ipmp0/_a static ok fe80::a00:27ff:fe21:acc9/10
link1_ipmp0/_a static ok fe80::a00:27ff:fe9b:d7a6/10
link2_ipmp0/_a static ok fe80::a00:27ff:fec2:b659/10

Chapter 6 - Page 42
4. Delete the IP addresses and show the results.

root@s11-serv1:~# ipadm delete-addr ipmp0/v4add1
root@s11-serv1:~# ipadm delete-addr ipmp0/v4add2
root@s11-serv1:~# ipadm delete-addr link0_ipmp0/test

lo0/v4 static ok 127.0.0.1/8
link0_ipmp0/_a static ok fe80::a00:27ff:fe21:acc9/10
link1_ipmp0/_a static ok fe80::a00:27ff:fe9b:d7a6/10
link2_ipmp0/_a static ok fe80::a00:27ff:fec2:b659/10
5. Delete IP interfaces link0_ipmp0, link1_ipmp0, and link2_ipmp0. Show the results.
root@s11-serv1:~# ipadm delete-ip link0_ipmp0
6. Rename the data links to their original names and show the results.
root@s11-serv1:~# dladm rename-link link0_ipmp0 net0
7. Restart the svc:/network/physical:default service.
root@s11-serv1:~# svcadm restart svc:/network/physical:default
8. Verify that the net0 network interface has been configured correctly.
lo0/v4 static ok 127.0.0.1/8

Chapter 6 - Page 43
Practice 6-5: Configuring a Network Bridge

Overview
Bridges are used to connect separate network segments. When connected by a bridge, the
attached network segments communicate as if they were a single network segment. Bridging is
implemented at the data link layer (L2) of the networking stack. Bridges use a packet-forwarding
mechanism to connect subnetworks together.
In this practice, you create a bridge between two network interfaces (net0 and net3).
Task: Configure a Network Bridge

Perform these steps to configure a network bridge:
1. In a terminal window, display the bridges currently configured in the system.
root@s11-serv1:~# dladm show-bridge
root@s11-serv1:~#
No bridging devices are currently configured in the system.
2. List the network interfaces currently configured in the system.
3. List the network interfaces currently configured in the system.
4. Create an IP interface for data links net0 and net3 and show the results.
root@s11-serv1:~# ipadm create-ip net0
root@s11-serv1:~# ipadm create-ip net3
net0 ip down no --
net3 ip down no --
5. Use the ipadm command assign IP address 192.168.0.112 to network interface net0.
192.168.0.112/24 net0/v4
6. Use the ipadm command assign IP address 192.168.2.100 to network interface net3 and
show the results.
192.168.2.100/24 net3/v4

Chapter 6 - Page 44

net0 ip ok yes --
net3 ip ok yes --
lo0/v4 static ok 127.0.0.1/8
net0/v4 static ok 192.168.0.112/24
net3/v4 static ok 192.168.2.100/24

7. Create a bridge named tonowhere between interfaces net0 (forwarding) and net3
(discarding) and show the results.
root@s11-serv1:~# dladm create-bridge -l net0 -l \
net3 tonowhere
BRIDGE PROTECT ADDRESS PRIORITY DESROOT
tonowhere stp 32768/8:0:27:15:2:19 32768 32768/8:0:27:15:2:19
8. Display detailed information about the bridge tonowhere.
root@s11-serv1:~# dladm show-bridge -l tonowhere
LINK STATE UPTIME DESROOT
net0 forwarding 90 32768/8:0:27:15:2:19
net3 discarding 90 32768/8:0:27:15:2:19
9. Remove interface net3 from the bridge tonowhere and show the results.
root@s11-serv1:~# dladm remove-bridge -l net3 tonowhere
LINK STATE UPTIME DESROOT
net0 forwarding 319 32768/8:0:27:15:2:19
10. Try to remove the bridge tonowhere.
root@s11-serv1:~# dladm delete-bridge tonowhere
dladm: delete operation failed: link busy
11. Remove interface net0 from the bridge tonowhere and show the results.
root@s11-serv1:~# dladm remove-bridge -l net0 tonowhere
root@s11-serv1:~#
12. Remove the bridge tonowhere and show the results.
root@s11-serv1:~# dladm delete-bridge tonowhere
root@s11-serv1:~#
13 Delete the IP interface for data link net3.

Chapter 6 - Page 45

net0 ip ok yes --

Chapter 6 - Page 46
Practice 6-6: Configuring a Link Aggregation

Overview
Link aggregation allows you to enhance the network availability and performance by combining
multiple network interfaces together to form an aggregation of those interfaces, which acts as a
single network interface with greatly enhanced availability and performance. When you
aggregate multiple network interfaces, you create a new network interface on top of the
aggregated physical interfaces combined in the link layer.
Link aggregation requires at least two network interfaces. The network interfaces must be
unplumbed before they can be aggregated. In this practice, you aggregate four network

interfaces on the Sol11-Server1 system as the persistent network interface.
Note: Link aggregation is not a new technology in Oracle Solaris 11. This practice was added
so that in the “Monitoring the Network” practice (Practice 6-6) you have more robust examples
to work with when using the dlstat command.
Task: Configure a Link Aggregation

Perform these steps to configure a link aggregation:
1. Delete the IP interface for data link net0.
2. List the network links currently configured in the system.
3. Create a link aggregation named speedway0 consisting of network interfaces net0, net1,
net2, and net3, and show the results.
root@s11-serv1:~# dladm create-aggr -l net0 -l net1 \
-l net2 -l net3 speedway0
speedway0 aggr 1500 up net0 net1 net2 net3
root@s11-serv1:~# dladm show-aggr
LINK POLICY ADDRPOLICY LACPACTIVITY LACPTIMER FLAGS
speedway0 L4 auto off short -----

Chapter 6 - Page 47
4. Create an IP interface for data link speedway0 and show the results.
root@s11-serv1:~# ipadm create-ip speedway0
speedway0 ip down no --
5 Run the ipadm command to create the static IPv4 address for system s11-serv1 on the
interface speedway0, and show the results.
root@s11-serv1:~# ipadm create-addr -T static \

-a 192.168.0.112/24 speedway0/v4
lo0/v4 static ok 127.0.0.1/8
speedway0/v4 static ok 192.168.0.112/24
6. Log in to the Sol11-Desktop system and use the ping command to verify connectivity to
the Sol11-Serv1 server.
root@s11-desktop:~# ping s11-serv1
s11-serv1 is alive

Chapter 6 - Page 48
Practice 6-7: Monitoring the Network

Overview
Oracle Solaris 11 adds a variety of robust network utilities. For network observability, the new
wireshark and dlstat utilities have been added. Wireshark is a powerful network protocol
analyzer that lets you to capture and interactively browse the traffic running on a computer
network. dlstat lets you to generate reports containing runtime statistics about data links.
In this practice, you are presented with two tasks. In the first task you install and explore the
wireshark utility. In the second task, you install and explore the dlstat utility.

Task 1: Monitor the Network by Using Wireshark
Perform these steps to monitor the network by using Wireshark:
1. Verify that the Sol11-SuperServer, Sol11-Server1, and Sol11-Desktop virtual machines are
2. Log in to virtual machine Sol11-Desktop as user oracle and su to root.
3. On the Sol11-Desktop system, double-click the Add More Software icon to launch the
Package Manager service.
4. Use Package Manager to install the wireshark packages.

Chapter 6 - Page 49
5. To start Wireshark, open the Applications menu and select System Tools. Click the
Wireshark icon.

Chapter 6 - Page 50
6. Click the List Available Capture Interfaces icon to begin your capture:

7. Click the Options button for interface net1 and set the Capture Filter value to host
192.168.0.112 and the Capture File to /var/tmp/192.168.0.112.cap. Then click
the Start button.

Chapter 6 - Page 51
8. To generate network traffic between this system and 192.168.0.112, click the Package
Manager Refresh button. Now, using the Package Manager, install a new package.
9. After the package installation has completed, click the Stop The Running Live Capture
button to stop your capture.
10. Click the Close This Capture File button to close and save your capture.

11. From the Files menu in the Wireshark main screen, select Open and browse to the
/var/tmp directory. Select the 192.168.0.112.cap file and click Open.
12. Take a few minutes and read through the packet trace.

Chapter 6 - Page 52
13. Click the Statistics tab and select Summary.

Chapter 6 - Page 53
14. Click the Statistics tab and select Protocol Hierarchy.

15. Click the Statistics tab and select Endpoints.

Chapter 6 - Page 54
16. Click the Statistics tab and select IO Graphs.

17. Click the Close This Capture File button to close and save your capture.
18. In the Wireshark main screen, click File and then click Quit to close Wireshark.
Task 2: Monitor the Network by Using dlstat

Perform these steps to monitor the network by using the dlstat command:
1. Move back to the Sol11-Serv1 server.
2. Display statistics for all the network links.

root@s11-serv1:~# dlstat
LINK IPKTS RBYTES OPKTS OBYTES
net0 0 0 0 0
net1 0 0 0 0
net2 0 0 0 0
net3 0 0 0 0
speedway0 4.86K 464.59K 17.17K 24.14M
3. Display statistics for all physical network devices.
root@s11-serv1:~# dlstat show-phys
LINK TYPE INDEX PKTS BYTES
net0 rx 0 5.25K 464.55K
net1 rx 0 1.32K 93.89K
net2 rx 0 1.32K 93.89K

Chapter 6 - Page 55
net3 rx 0 1.32K 93.89K

speedway0 rx 0 5.25K 464.55K
speedway0 tx 0 4.86K 3.46M
speedway0 tx 1 885 831.00K

4. Display statistics for all network links.
root@s11-serv1:~# dlstat show-link
LINK TYPE ID INDEX PKTS BYTES
net0 rx local -- 0 0
net0 rx other -- 0 0
net0 rx sw -- 0 0
net0 tx local -- 0 0
net0 tx other -- 0 0
net0 tx sw -- 0 0
net1 rx sw -- 0 0
net1 tx sw -- 0 0
net2 rx sw -- 0 0
net2 tx sw -- 0 0
net3 rx sw -- 0 0
LINK TYPE ID INDEX PKTS BYTES
net3 tx sw -- 0 0
speedway0 rx local -- 0 0
speedway0 rx other -- 0 0
speedway0 rx hw 0 4.09K 373.20K
speedway0 rx hw 1 265 31.71K

Chapter 6 - Page 56

speedway0 tx local -- 0 0
speedway0 tx other -- 0 0
speedway0 tx hw 0 3.49K 4.94M
speedway0 tx hw 1 814 835.50K
5. Display statistics for all network link aggregation.
root@s11-serv1:~# dlstat show-aggr

LINK PORT IPKTS RBYTES OPKTS OBYTES
speedway0 -- 9.26K 751.05K 17.78K 20.82M
speedway0 net0 5.28K 466.74K 4.89K 3.46M
speedway0 net1 1.33K 94.77K 885 831.00K

Chapter 6 - Page 57

Overview
guided practices. You are challenged with completing the following tasks without the benefit of a
step-by-step guide.

Task 1: Configure NWAM

Perform this task on the Sol11-Desktop VM.
• Enable the start_state and aces profiles.
• Remove the current NCU for network interface net0.
• Create a new NCU for network interface net3. Assign IP address 192.168.0.111 to
net3.
• Test the new NWAM configuration.
Task 2: Configure a virtual network

• Create a private virtual network consisting of one etherstub and two virtual NICs.
o Create the etherstub and virtual NIC devices.
o Configure two non-global zones on the virtual network.
o Verify that the non-global zones on the virtual network can communicate with
each other.
• Remove the private virtual network.
o Remove the two non-global zones.
o Remove the virtual NIC and etherstub devices.
Task 3: Configure IPMP

• Create an Active-Standby IPMP configuration.
o Prepare network interfaces net0, net1, and net2 for using in an IPMP group.
o Create an IPMP group consisting of network interfaces net0, net1, and net2.
Make net2 the standby sublink.
o Test the new IPMP group.
• Remove the IPMP group.
o Restore network interface net0 to the original configuration (static IP address
192.168.0.112).
o Verify that network interface net0 is operational.

Chapter 6 - Page 58

Oracle Solaris 11 Storage
Enhancements
Chapter 7
Practices for Lesson 7: Oracle Solaris 11 Storage Enhancements

Chapter 7 - Page 1

Overview
The default file system for Oracle Solaris 11 is ZFS. ZFS is the root file system on Oracle
Solaris 11, and it offers a superior experience in terms of manageability, scalability, and data
integrity. ZFS presents a pooled storage model that completely eliminates the concept of
volumes and the associated problems of partitions, provisioning, wasted bandwidth, and
stranded storage. Thousands of file systems can draw from a common storage pool, each one
consuming only as much space as it actually needs. All operations are copy-on-write
transactions ensuring that the on-disk state is always valid. Additionally, blocks are

checksummed to prevent silent data corruption, allowing data to self-heal itself in replicated
(mirrored or RAIDZ) configurations. If one copy is damaged, ZFS detects it and uses another
copy to repair it. ZFS is also at the heart of Oracle Solaris 11 software installation and
management with the IPS packaging system, greatly reducing planned and unplanned
downtime with safe system upgrade capability. UFS is no longer supported as a root file system.
COMSTAR (Common Multiprotocol SCSI Target) is a software framework that enables you to
turn any Oracle Solaris 11 host into a SCSI target that can be accessed over the network by
initiator hosts. COMSTAR breaks down the huge task of handling a SCSI target subsystem into
independent functional modules. These modules are then glued together by the SCSI Target
Mode Framework (STMF).
These practices provide a guided, hands-on experience in working with the new ZFS
enhancements and with COMSTAR.
• Migrating UFS and ZFS file systems
• Splitting a mirrored ZFS storage pool
• Identifying ZFS snapshot differences
• Configuring ZFS deduplication
• Configuring an iSCSI target and an iSCSI initiator
Assumptions
virtualization software. Figure 1 shows the VirtualBox manager interface.

Chapter 7 - Page 2


The virtual machines (VM) you use in the practices are as follows:
• Sol11 SuperServer: This VM provides network services such as DNS used by the VMs
in the practices.
• Sol11-Server1: This is the system that you use to perform the storage enhancement
practices such as creating an iSCSI target and working with ZFS enhancements.
• Sol11-Desktop: You configure this system as an iSCSI initiator.

Chapter 7 - Page 3

Chapter 7 - Page 4
Practice 7-1: Migrating a ZFS File System

Overview
Oracle Solaris 11 features ZFS shadow migration. Using shadow migration, you can migrate
data from an old file system to a new file system while simultaneously allowing access and
modification of the new file system. ZFS shadow migration allows you to migrate file systems as
follows:
• Migrate a local or remote ZFS file system to a target ZFS file system.
• Migrate a local or remote UFS file system to a target ZFS file system.

Task 1: Prepare the Source File Systems
In this task, you create ZFS and UFS file systems on the Sol11-Server1 virtual machine. These
will be the source file systems used in the ZFS shadow migration.
Perform these steps to prepare the source file systems:
1. Verify that the Sol11-SuperServer, Sol11-Server1, and Sol11-Desktop virtual machines
are running. This can be determined by viewing the Oracle VM VirtualBox Manager window
machines are not running, start them now.
3. Determine the hostname and domain of this server.
root@s11-serv1:~# hostname
s11-serv1
root@s11-serv1:~# domainname
mydomain.com
root@s11-serv1:~# nslookup s11-serv1
Server: 192.168.0.100
Address: 192.168.0.100#53
Address: 192.168.0.112
5. List the disk drives currently configured in the system.
root@s11-serv1:~# format
AVAILABLE DISK SELECTIONS:
0. c3t0d0 <ATA-VBOX HARDDISK-1.0 cyl 2085 alt 2 hd 255 sec 63>
/pci@0,0/pci8086,2829@d/disk@0,0
/pci@0,0/pci8086,2829@d/disk@2,0
/pci@0,0/pci8086,2829@d/disk@3,0
/pci@0,0/pci8086,2829@d/disk@4,0
/pci@0,0/pci8086,2829@d/disk@5,0

Chapter 7 - Page 5

/pci@0,0/pci8086,2829@d/disk@6,0
/pci@0,0/pci8086,2829@d/disk@7,0
/pci@0,0/pci8086,2829@d/disk@8,0
/pci@0,0/pci8086,2829@d/disk@9,0
6. Create a UFS file system on disk drive 6.

specify disk (enter its number): 6
selecting c3t7d0
[disk formatted]
No Solaris fdisk partition found.
…
format> fdisk
No fdisk table exists. The default partition for the disk is: a
100% "SOLARIS System" partition
Type "y" to accept the default partition, otherwise type "n" to
edit the partition table.
y
format> partition
…
partition> modify
Select partitioning base:
0. Current partition table (Shadow)
1. All Free Hog
Choose base (enter number) [0]? 1
…
Do you wish to continue creating a new partition
table based on above table[yes]?
Free Hog partition[6]?
Enter size of partition '0' [0b, 0c, 0.00mb, 0.00gb]: 0
…
Okay to make this the current partition table[yes]?
Enter table name (remember quotes): "shadow"
Ready to label disk, continue? y
partition> quit
…

Chapter 7 - Page 6
format> quit
root@s11-serv1:~# newfs /dev/rdsk/c3t7d0s6
newfs: construct a new file system /dev/rdsk/c3t7d0s6: (y/n)? y
mkfs: bad value for rps: 1056 must be between 1 and 1000
mkfs: rps reset to default 60
/dev/rdsk/c3t7d0s6: 2101248 sectors in 513 cylinders of 128
tracks, 32 sectors
1026.0MB in 23 cyl groups (23 c/g, 46.00MB/g, 11264 i/g)
super-block backups (for fsck -F ufs -o b=#) at:

32, 94272, 188512, 282752, 376992, 471232, 565472, 659712,
753952, 848192,
1225152, 1319392, 1413632, 1507872, 1602112, 1696352, 1790592,
1884832,
1979072, 2073312
root@s11-serv1:~#
7. Mount the UFS file system.
root@s11-serv1:~# mkdir /export/UFS_data
root@s11-serv1:~# mount /dev/dsk/c3t7d0s6 /export/UFS_data
Note that the UFS file system contains a lost+found directory. This directory has no
meaning for ZFS and shadow migration might have problems with it. You can
temporarily remove this directory and recreate it later with fsck.
root@s11-serv1:~# rmdir /export/UFS_data/lost+found
8 Create a read-only ZFS file system.
root@s11-serv1:~# zfs create rpool/export/ZFS_data
9. Share the UFS and ZDS file systems as read-only and show the results.
root@s11-serv1:~# share –F nfs –o ro /export/UFS_data
root@s11-serv1:~# share –F nfs –o ro /export/ZFS_data
root@s11-serv1:~# showmount –e
/export/UFS_data (everyone)
/export/UFS_data (everyone)
10. Store some data in the UFS and ZFS file systems.
root@s11-serv1:~# cp /opt/ora/course_files/*iso \
/export/UFS_data
root@s11-serv1:~# cp /opt/ora/course_files/*iso \
/export/ZFS_data
Task 2: Migrate the File Systems

In this task, you migrate the ZFS and UFS file systems on the Sol11-Server1 virtual machine to
the Sol11-Desktop virtual machine.
Perform these steps to migrate file systems:
1. Log in to virtual machine Sol11-Desktop system as user oracle and su to root.

Chapter 7 - Page 7

root@s11-desktop:~# nslookup s11-serv1
Server: 192.168.0.100
Address: 192.168.0.100#53
Address: 192.168.0.112
3. Search for the shadow-migration package in the IPS repository.

root@s11-desktop:~# pkg search shadow-migration
pkg.fmri set solaris/system/file-system/shadow-migration pkg:/system/file-
system/shadow-migration@0.5.11-0.175.0.0.2.1
4. Display detailed information about the shadow-migration package.
root@s11-desktop:~# pkg info -r shadow-migration
Name: system/file-system/shadow-migration
Summary: Shadow Migration
Description: Shadow migration libraries and commands
Category: System/File System
State: Not installed
Publisher: solaris
Version: 0.5.11
Build Release: 5.11
Branch: 0.175.0.0.2.1
Packaging Date: October 19, 07:22:38 AM
Size: 498.15 kB
FMRI: pkg://solaris/system/file-system/shadow-
migration@0.5.11,5.11-0.171:20111019T072238Z
5. Install the shadow-migration package and show the results.
root@s11-desktop:~# pkg install shadow-migration
Services to restart: 1
Completed 1/1 14/14 0.2/0.2
PHASE ACTIONS
Install Phase 39/39
PHASE ITEMS

Chapter 7 - Page 8
root@s11-desktop:~# pkg list shadow-migration

NAME (PUBLISHER) VERSION IFO
system/file-system/shadow-migration 0.5.11-0.175.0.0.2.1 i--
6. Enable the shadow migration service and show the results.
root@s11-desktop:~# svcadm enable shadowd
root@s11-desktop:~# svcs shadowd
STATE STIME FMRI
online 16:39:35 svc:/system/filesystem/shadowd:default
7. Create the ZFS shadow migration file system for the UFS and ZFS file system exports.

root@s11-desktop:~# zfs create -o \
shadow=nfs://s11-serv1/export/UFS_data \
rpool/export/shadow_UFS_data
root@s11-desktop:~# zfs create -o \
shadow=nfs://s11-serv1/export/ZFS_data \
rpool/export/shadow_ZFS_data
8. Display statistics on in-progress shadow migrations until the migrations have completed.
root@s11-desktop:~# shadowstat
EST
BYTES BYTES ELAPSED
DATASET XFRD LEFT ERRORS TIME
…
9. After the shadow migrations have completed, list the contents of the shadow migration
directories.
root@s11-desktop:~# ls –l /export/shadow_UFS_data
total 557461
-rwxr-xr-x 1 root root 285511680 Oct 27 07:46 sol-11-dev-175b-ai-
x86.iso
root@s11-desktop:~# ls –l /export/shadow_ZFS_data
total 557461
-rwxr-xr-x 1 root root 285511680 Oct 27 07:46 sol-11-dev-175b-ai-
x86.iso

Chapter 7 - Page 9
Practice 7-2: Splitting a Mirrored ZFS Storage Pool

Overview
In Oracle Solaris 11, you can split a mirrored storage pool, which detaches a disk or disks in the
original mirrored pool to create another identical pool. In this practice, you configure a mirrored
ZFS pool. You then split the pool.
Task: Split a Mirrored ZFS Storage Pool

Perform these steps to split a mirrored ZFS storage pool:

1. Verify that the Sol11-SuperServer and Sol11-Server1 virtual machines
3. Run the zpool list command to display the ZFS pools currently configured in the
system.
rpool 32G 10G 22.0G 31% 1.00x ONLINE -
4. Run the zpool status command to determine which disks are currently configured in the
ZFS rpool.
root@s11-serv1:~# zpool status rpool
pool: rpool
state: ONLINE
scan: none requested
config:
NAME STATE READ WRITE CKSUM

rpool ONLINE 0 0 0
c3t0d0s0 ONLINE 0 0 0
errors: No known data errors

5. Run the format command to identify any additional disks configured in the system.
/pci@0,0/pci8086,2829@d/disk@0,0
/pci@0,0/pci8086,2829@d/disk@2,0
/pci@0,0/pci8086,2829@d/disk@3,0
/pci@0,0/pci8086,2829@d/disk@4,0

Chapter 7 - Page 10

/pci@0,0/pci8086,2829@d/disk@5,0
/pci@0,0/pci8086,2829@d/disk@6,0
/pci@0,0/pci8086,2829@d/disk@7,0
/pci@0,0/pci8086,2829@d/disk@8,0

/pci@0,0/pci8086,2829@d/disk@9,0
Specify disk (enter its number):
^D
root@s11-serv1:~#
6. Create a mirrored ZFS pool named newpool consisting of disks c3t2d0 and c3t3d0.
Show the results.
root@s11-serv1:~# zpool create newpool mirror c3t2d0 c3t3d0
newpool 1.02G 112K 1.02G 0% 1.00x ONLINE -
rpool 30.5G 8.35G 22.2G 27% 1.00x ONLINE -
root@s11-desktop:~# zpool status
pool: newpool
state: ONLINE
config:

newpool ONLINE 0 0 0
mirror-0 ONLINE 0 0 0
c3t2d0 ONLINE 0 0 0
c3t3d0 ONLINE 0 0 0
pool: rpool
state: ONLINE
config:

rpool ONLINE 0 0 0

Chapter 7 - Page 11

7. Create a file system named mydata in the newpool pool.
root@s11-serv1:~# zfs create newpool/mydata
8. Perform a “dry run” on splitting the newpool pool in to newpool and newpool1.
root@s11-serv1:~# zpool split -n newpool newpool1
would create 'newpool1' with the following layout:

newpool1
c3t3d0
root@s11-serv1:~#
9. Split the newpool pool in to newpool and newpool1 and show the results.
root@s11-serv1:~# zpool split newpool newpool1
root@s11-serv1:~# zpool status
pool: newpool
state: ONLINE
config:

c3t2d0 ONLINE 0 0 0
pool: rpool
state: ONLINE
config:

rpool ONLINE 0 0 0

10. Import the newpool1 pool and show the results.
root@s11-serv1:~# zpool import newpool1
pool: newpool
state: ONLINE

Chapter 7 - Page 12
config:

c3t2d0 ONLINE 0 0 0
pool: newpool1

state: ONLINE
config:

newpool1 ONLINE 0 0 0
c3t3d0 ONLINE 0 0 0
pool: rpool
state: ONLINE
config:

rpool ONLINE 0 0 0

11. Run the zfs list command to determine whether the mydata file system has been
replicated in the newpool1 pool.
newpool 126K 1016M 32K /newpool
newpool/mydata 31K 1016M 31K /newpool/mydata
newpool1 129K 1016M 32K /newpool1
newpool1/mydata 31K 1016M 31K /newpool1/mydata
...
root@s11-serv1:~#

Chapter 7 - Page 13
Practice 7-3: Identifying ZFS Snapshot Differences

Overview
In Oracle Solaris 11, you can determine ZFS snapshot differences by using the zfs diff
command. In this practice, you identify the differences between two file system snapshots.
Task: Identify ZFS Snapshot Differences

Perform these steps to identify ZFS snapshot differences:
1. Take a snapshot named before of the newpool/mydata file system.

root@s11-serv1:~# zfs snapshot newpool/mydata@before
2. Create a new file named newfile in the newpool/mydata file system.
root@s11-serv1:~# touch /newpool/mydata/newfile
3. Take another snapshot named after of the newpool/mydata file system:
root@s11-serv1:~# zfs snapshot newpool/mydata@after
4. List the ZFS snapshots by name and creation date.
root@s11-serv1:~# zfs list -r -t snapshot -o name,creation
NAME CREATION
newpool/mydata@before Mon Apr 6 14:54 2011
newpool/mydata@after Mon Apr 6 14:59 2011
rpool/ROOT/solaris@install Fri Mar 4 22:33 2011
5. Display the differences between the before and after snapshots.
root@s11-serv1:~# zfs diff newpool/mydata@before \
newpool/mydata@after
M /newpool/mydata/
+ /newpool/mydata/newfile
root@s11-serv1:~#

Chapter 7 - Page 14
Practice 7-4: Configuring ZFS Deduplication

Overview
In Oracle Solaris 11, you can use the deduplication property to remove redundant data from
your ZFS file systems. If a file system has the dedup property enabled, duplicate data blocks
are removed synchronously. The result is that only unique data is stored and common
components are shared between files. In this practice, you configure and test ZFS
deduplication.
Task: Configure ZFS Deduplication

Perform these steps to configure ZFS deduplication:
1. List all the ZFS pools currently configured in the system.
newpool 1.07G 169K 1.07G 0% 1.00x ONLINE -
newpool1 1.07G 130K 1.07G 0% 1.00x ONLINE -
2. Determine the current deduplication settings for the newpool pool.
root@s11-serv1:~# zpool get all newpool|grep dedup
newpool dedupditto 0 default
newpool dedupratio 1.00x -
root@s11-serv1:~#
3. Determine the current deduplication settings for the newpool/mydata file system.
root@s11-serv1:~# zfs get all newpool/mydata|grep dedup
newpool/mydata dedup off default
4. Enable deduplication on the newpool/mydata file system and show the results.
root@s11-serv1:~# zfs set dedup=on newpool/mydata
root@s11-serv1:~# zfs get all newpool/mydata|grep dedup
newpool/mydata dedup on local
5. Create directories dir1, dir2, and dir3 in the newpool/mydata file system.
root@s11-serv1:~# mkdir /newpool/mydata/dir1
6. Copy the /opt/ora/course_files/*.iso file to directories dir1, dir2, and dir3.
root@s11-serv1:~# cp /opt/ora/course_files/*.iso \
/newpool/mydata/dir1

Chapter 7 - Page 15
7. List all the ZFS pools in the system.

newpool 1.07G 302M 794M 27% 3.00x ONLINE -
newpool1 1.07G 130K 1.07G 0% 1.00x ONLINE -
8. Determine the current deduplication settings for the newpool pool.
root@s11-serv1:~# zpool get all newpool|grep dedup

newpool dedupditto 0 default
newpool dedupratio 3.00x -
root@s11-serv1:~#

Chapter 7 - Page 16
Practice 7-5: Configuring a COMSTAR iSCSI Target

Overview
Using COMSTAR, you can configure iSCSI target devices on Oracle Solaris 11 hosts. In this
practice, you create an iSCSI target on virtual machine Sol11-Server1. You then configure
Sol11-Desktop as the target initiator and test the iSCSI target access.
Task 1: Create an iSCSI Logical Unit Number (LUN)

Perform these steps on the Sol11-Server1 machine to create an iSCSI LUN:

1. Verify that the Sol11-SuperServer, Sol11-Server1, and Sol11-Desktop virtual machines
2. Log in to virtual machine Sol11-Server1 system as user oracle. Use the password
cangetin. Assume primary administrator privileges.
3. Determine the preferred IPS publisher.
solaris (preferred) origin online http://s11-serv1.mydomain.com/
4. Search the IPS repository for the storage-server package.
root@s11-serv1:~# pkg search storage-server
incorporate depend pkg:/storage-server@0.1,5.11-0.133
pkg:/consolidation/osnet/osnet-incorporation@0.5.11-0.175.0.0.2.1
pkg.fmri set solaris/storage-server
pkg:/storage-server@0.1-0.133
pkg.fmri set solaris/storage/storage-server
pkg:/storage/storage-server@0.1-0.175.0.0.2.1
5. Install the storage-server package on Sol11-Server1.
root@s11-serv1:~# pkg install \
pkg://solaris/storage/storage-server
Create backup boot environment: Yes
Services to restart: 4
Completed 49/49 6808/6848 118.7/118.7
PHASE ACTIONS
PHASE ITEMS
Loading smf(5)service descriptions: 35/35

Chapter 7 - Page 17
6. Enable the stmf service and verify that the service is in the online state.
root@s11-serv1:~# svcadm enable stmf
root@s11-serv1:~# svcs stmf
STATE STIME FMRI
online 9:38:37 svc:/system/stmf:default
7. List the disks currently configured in the system.
Searching for disks...done

/pci@0,0/pci8086,2829@d/disk@0,0
/pci@0,0/pci8086,2829@d/disk@2,0
/pci@0,0/pci8086,2829@d/disk@3,0
/pci@0,0/pci8086,2829@d/disk@4,0
/pci@0,0/pci8086,2829@d/disk@5,0
/pci@0,0/pci8086,2829@d/disk@6,0
/pci@0,0/pci8086,2829@d/disk@7,0
/pci@0,0/pci8086,2829@d/disk@8,0
/pci@0,0/pci8086,2829@d/disk@9,0
Specify disk (enter its number): ^D
8. Create a ZFS pool named iscsi using disk c3t4d0 and show the results.
root@s11-serv1:~# zpool create iscsi c3t4d0
root@s11-serv1:~# zpool list iscsi
iscsi 1.02G 112K 1.02G 0% 1.00x ONLINE -
9. Create a 500 MB ZFS volume named target in the iscsi zpool and show the results.
root@s11-serv1:~# zfs create -V 500m iscsi/target
iscsi 516M 500M 31K /iscsi
iscsi/target 516M 1016M 16K -
...

Chapter 7 - Page 18
10. Create a logical unit number (LUN) for the target volume and show the results.
root@s11-serv1:~# stmfadm create-lu \
/dev/zvol/rdsk/iscsi/target
Logical unit created: 600144F00419C10000004E43CD2D0001
root@s11-serv1:~# stmfadm list-lu
LU Name: 600144F00419C10000004E43CD2D0001
Note: Your LUN will be different from the one shown in this example.
11. Allow all systems to access the LUN by making it viewable. Show the results.
root@s11-serv1:~# stmfadm add-view \

600144F08372430000004DF6308F0001
root@s11-serv1:~# stmfadm list-view -l \
600144F08372430000004DF6308F0001
View Entry: 0
Host group : All
Target group : All
LUN : 0
Task 2: Create an iSCSI Target

Perform these steps on the Sol11-Server1 machine to create an iSCSI target:
1. Enable the target service and verify that the service is in the online state.
root@s11-serv1:~# svcadm enable svc:/network/iscsi/target:default
root@s11-serv1:~# svcs iscsi/target
STATE STIME FMRI
online 9:50:50 svc:/network/iscsi/target:default
2. Create the iSCSI target and show the results.
root@s11-serv1:~# itadm create-target
Target iqn.1986-03.com.sun:02:12bffc2f-49f9-cab1-9a7b-
84fae994aa2e successfully created
root@s11-serv1:~# itadm list-target -v
TARGET NAME
STATE SESSIONS
iqn.1986-03.com.sun:02:12bffc2f-49f9-cab1-9a7b-84fae994aa2e
online 0
alias: -
auth: none (defaults)
targetchapuser: -
targetchapsecret: unset
tpg-tags: default
Task 3: Configure an iSCSI Initiator

Perform these steps on the Sol11-Desktop machine to configure an iSCSI initiator:
1. Log in to virtual machine Sol11-Desktop system as user oracle. Use the password
cangetin. Assume primary administrator privileges.

Chapter 7 - Page 19
2. Enable the initiator service and verify that the service is in the online state.
root@s11-desktop:~# svcadm enable network/iscsi/initiator
root@s11-desktop:~# svcs network/iscsi/initiator
STATE STIME FMRI
online 9:29:00 svc:/network/iscsi/initiator:default
3. Open a second terminal window and use ssh to log in to the Sol11-Server1 machine and
su to root.
4. In the Sol11-Server1 terminal window, determine the host IP address (for network interface
net0) and iSCSI target identifier.

...
speedway0/v4 static ok 192.168.0.112/24
...
root@s11-serv1:~# itadm list-target
TARGET NAME STATE
SESSIONS
iqn.1986-03.com.sun:02:12bffc2f-49f9-cab1-9a7b-84fae994aa2e online 0
5. Move back to the Sol11-Desktop terminal window. Configure the iSCSI initiator for static
discovery of the iSCSI target on the Sol11-Server1 machine and show the results.
root@s11-desktop:~# iscsiadm add static-config \
iqn.1986-03.com.sun:02:12bffc2f-49f9-cab1-9a7b-
84fae994aa2e,192.168.0.112
root@s11-desktop:~# iscsiadm list static-config
Static Configuration Target: iqn.1986-03.com.sun:02:12bffc2f-
49f9-cab1-9a7b-84fae994aa2e,192.168.0.112:3260
6. Enable the static discovery method and show the results.
root@s11-desktop:~# iscsiadm modify discovery --static enable
root@s11-desktop:~# iscsiadm list discovery
Discovery:
Static: enabled
Send Targets: disabled
iSNS: disabled
7. Verify that the iSCSI target on Sol11-Server1 can be discovered.
root@s11-desktop:~# iscsiadm list target
Target: iqn.1986-03.com.sun:02:12bffc2f-49f9-cab1-9a7b-
84fae994aa2e
Alias: -
TPGT: 1
ISID: 4000002a0000
Connections: 1

Chapter 7 - Page 20
8. Run the devfsadm command to reconfigure the /dev namespace to recognize the iSCSI
disk.
root@s11-desktop:~# devfsadm -i iscsi
9. Use the format utility to verify that the iSCSI disk is configured in the system.
root@s11-desktop:~# format
0. c0t600144F08372430000004DF6308F0001d0 <SUN -COMSTAR -1.0
cyl 498 alt 2 hd 64 sec 32>

/scsi_vhci/disk@g600144f08372430000004df6308f0001
...
Specify disk (enter its number): ^D
10. Create a new ZFS pool named iscsi using the iSCSI disk and show the results.
root@s11-desktop:~# zpool create iscsi \
c0t600144F08372430000004DF6308F0001d0
root@s11-desktop:~# zpool status iscsi
pool: iscsi
state: ONLINE
config:

iscsi ONLINE 0 0 0
c0t600144F08372430000004DF6308F0001d0 ONLINE 0 0 0
11. Create a new ZFS volume named storage using the iscsi zpool and show the results.
root@s11-desktop:~# zfs create iscsi/storage
root@s11-desktop:~# zfs list
iscsi 124K 452M 32K /iscsi
iscsi/storage 31K 452M 31K /iscsi/storage
...

Chapter 7 - Page 21

Overview
guided practices. You are challenged with completing the following tasks without the benefit of a
step-by-step guide.

Task 1: Configure an iSCSI Target

• Create an iSCSI Logical Unit Number (LUN). Use disk 7 (c3t8d0).
• Create an iSCSI Target.
Task 2: Configure an iSCSI Initiator

Perform this task on the Sol11-Desktop VM.
• Configure iSCSI initiator
• Test the iSCSI device.

Chapter 7 - Page 22

Oracle Solaris 11 Security
Enhancements
Chapter 8
Practices for Lesson 8: Oracle Solaris 11 Security Enhancements

Chapter 8 - Page 1

Practices Overview
The Oracle Solaris 11 operating system features powerful new security enhancements such as
ZFS data encryption, a new cryptographic framework, Secure by Default, and the Basic Audit
Reporting Tool (BART). The cryptographic framework and Secure by Default are not new
technologies but have been enhanced in Oracle Solaris 11.
The practices for Lesson 8 provide a guided, hands-on experience in working with the new
security enhancements found in the Oracle Solaris 11 operating system. The key areas
explored in these practices are:

• Encryption keys
• ZFS data encryption
• Read-only zones
• Basic Audit Reporting Tool
Assumptions
virtualization software. Figure 1 shows the VirtualBox manager interface.


Chapter 8 - Page 2

The virtual machines (VM) you use in these practices are as follows:
• Sol11X SuperServer: This VM provides network services such as DNS used by the VMs
in the practices.
• Sol11X-Server1: This is the system you use to perform the security enhancement
practices.

Chapter 8 - Page 3
Practice 8-1: Managing Encryption Keys

Overview
Cryptography is the science of encrypting and decrypting data. Cryptographic services provide
authentication and encryption mechanisms to applications and users. Central to the Oracle
Solaris cryptographic framework is the pktool command. The pktool command allows you to
manage the certificates and keys on multiple keystores including PKCS#11 tokens, Netscape
Security Services (NSS) tokens, and standard file-based keystores for OpenSSL.
Task: Manage Encryption Keys

Perform these steps to manage encryption keys:
1. Verify that the Sol11X-SuperServer and Sol11-Server1 virtual machines are running. This
2. Log in to virtual machine Sol11X-Server1 as user oracle and su to root.
3. Take a few minutes and familiarize yourself with the pktool man page.
root@s11-serv1:~# man pktool
4. Change the default passphrase (changeme) used to authenticate you (the user) to the
PKCS#11 token.
root@s11-serv1:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: oracle1
Re-enter new passphrase: oracle1
Passphrase changed.
5. Generate a 256 bit AES symmetric key labeled myaeskey and show the results.
root@s11-serv1:~# pktool genkey label=myaeskey keytype=aes \
keylen=256
Enter PIN for Sun Software PKCS#11 softtoken: oracle1
root@s11-serv1:~# pktool list objtype=key
Enter PIN for Sun Software PKCS#11 softtoken: oracle1
Found 1 symmetric keys.
Key #1 - AES: myaeskey (256 bits)
6. Edit the /newpool/mydata/newfile file with a simple message.
root@s11-serv1:~# vi /newpool/mydata/newfile
This is a test.
7. Encrypt the /newpool/mydata/newfile file by using your AES key.
root@s11-serv1:~# encrypt -a aes -K myaeskey \
-i /newpool/mydata/newfile -o /newpool/mydata/newfile
Enter PIN for Sun Software PKCS#11 softtoken : oracle1
8. Display the contents of the /newpool/mydata/newfile file.
root@s11-serv1:~# cat /newpool/mydata/newfile
ï¿½ï¿½_Ztï¿½ï¿½<<@ï¿½ï¿½Ã ï¿½6ï¿½ï¿½y^ï¿½.vkï¿½ï¿½ï¿½p

Chapter 8 - Page 4
9. Decrypt the /newpool/mydata/newfile file by using your AES key.

root@s11-serv1:~# decrypt -a aes -K myaeskey \
-i /newpool/mydata/newfile -o /newpool/mydata/newfile
Enter PIN for Sun Software PKCS#11 softtoken : oracle1
10. Display the contents of the /newpool/mydata/newfile file.
root@s11-serv1:~# cat /newpool/mydata/newfile
This is a test.

Chapter 8 - Page 5
Practice 8-2: Configuring a ZFS Encrypted Storage Pool

Overview
In this practice, you create an encrypted ZFS pool with a file system that inherits the encryption
properties.
Task: Configure a ZFS Encrypted Storage Pool

Perform these steps to configure a ZFS encrypted storage pool:
1. Run the format command to identify any additional disks configured in the system.


0. c3t0d0 <ATA -VBOX HARDDISK -1.0 cyl 2085 alt 2 hd 255 sec 63>
/pci@0,0/pci8086,2829@d/disk@0,0
/pci@0,0/pci8086,2829@d/disk@2,0
/pci@0,0/pci8086,2829@d/disk@3,0
/pci@0,0/pci8086,2829@d/disk@4,0
/pci@0,0/pci8086,2829@d/disk@5,0
/pci@0,0/pci8086,2829@d/disk@6,0
/pci@0,0/pci8086,2829@d/disk@7,0
Specify disk (enter its number):
^D
root@s11-serv1:~#
2. Run the zpool status command to determine which disks are currently configured in the
ZFS pools.
pool: iscsi
state: ONLINE
config:

iscsi ONLINE 0 0 0
c3t4d0 ONLINE 0 0 0
pool: newpool

Chapter 8 - Page 6
state: ONLINE
config:

c3t2d0 ONLINE 0 0 0

pool: newpool1
state: ONLINE
config:

newpool1 ONLINE 0 0 0
c3t3d0 ONLINE 0 0 0
pool: rpool
state: ONLINE
config:

rpool ONLINE 0 0 0

3. Use the available disk to create an encrypted ZFS pool named encyptedpool. For the
encryptedpool pool, make the passphrase oracle1.
root@s11-serv1:~# zpool create -O encryption=on \
encryptedpool c3t5d0
Enter passphrase for 'encryptedpool': oracle123
Enter again: oracle123
4. Create a ZFS file system named encryptedpool/mysecrets.
root@s11-serv1:~# zfs create encryptedpool/mysecrets

Chapter 8 - Page 7
5. Display the encryption property of the encryptedpool/mysecrets file system.

root@s11-serv1:~# zfs get encryption encryptedpool/mysecrets
NAME PROPERTY VALUE SOURCE
encryptedpool/mysecrets encryption on inherited from
encryptedpool
6. Display the keysource property of the encryptedpool/mysecrets file system.
root@s11-serv1:~# zfs get keysource encryptedpool/mysecrets
encryptedpool/mysecrets keysource passphrase,prompt inherited from

encryptedpool

Chapter 8 - Page 8
Practice 8-3: Configuring a ZFS Encrypted File System

Overview
In this practice, you create an encrypted ZFS file system using a raw key that you create.
Task: Configure a ZFS Encrypted File System

Perform these steps to configure a ZFS encrypted file system:
1. Generate a 256 bit AES raw key in a keystore file named /myzfskey.
root@s11-serv1:~# pktool genkey keystore=file \

outkey=/myzfskey keytype=aes keylen=256
2. Create an encrypted ZFS file system named newpool/mysecretdata by using the
aes-256-ccm algorithm and the key you generated in the previous step.
root@s11-serv1:~# zfs create -o encryption=aes-256-ccm \
-o keysource=raw,file:///myzfskey newpool/mysecretdata
3. Display the encryption property of the newpool/mysecretdata file system.
root@s11-serv1:~# zfs get encryption newpool/mysecretdata
newpool/mysecretdata encryption aes-256-ccm local
4. Display the keysource property of the newpool/mysecretdata file system.
root@s11-serv1:~# zfs get keysource newpool/mysecretdata
newpool/mysecretdata keysource raw,file:///myzfskey local

Chapter 8 - Page 9
Practice 8-4: Configuring Read-Only Zones

Overview
In this practice, you create and test a new zone that has its root file system protected against
modifications by the zone.
Task: Configure a Read-Only Zone

Perform these steps to create and test a read-only non-global zone:
1. On the Sol11-Server1 VM, display the current data links.

2. Create a virtual NIC over data link speedway0 and show the results.
root@s11-serv1:~# dladm create-vnic -l speedway0 vnic0
vnic0 vnic 1500 up speedway0
3. Create a read-only non-global zone using virtual NIC vnic0. Set the file-mac-profile
property to fixed-configuration.
Use 'create' to begin configuring a new zone
zonecfg:zone6> set brand=solaris
zonecfg:zone6> set zonepath= /zones/zone6
zonecfg:zone6> set file-mac-profile=fixed-configuration

Chapter 8 - Page 10
zonecfg:zone6> exit
Note that the fixed-configuration value permits updates to /var/* directories,
with the exception of directories that contain system configuration components.
- IPS packages, including new packages, cannot be installed.
- Persistently enabled SMF services are fixed.
- SMF manifests cannot be added from the default locations.
- Logging and auditing configuration files can be local. syslog and audit configuration
are fixed.
4. Use the sysconfig create-profile command to create a profile for zone6 using the

following configuration properties:
• Host name: zone6
• Network interface: vnic0
• IP Address: 192.168.0.166
• DNS server IP address: 192.168.0.100
• Domain search: mydomain.com
• User name: Oracle1
-o /var/tmp/zone6_cfg.xml

Chapter 8 - Page 11

5. Install zone6 using the profile created in the previous step.
root@s11-serv1:~# zoneadm -z zone6 install \
-c /var/tmp/zone6_cfg.xml

AI Manifest: /tmp/manifest.xml.B9aGNj
SC Profile: /var/tmp/zone6_cfg.xml
Zonename: zone6
Creating IPS image

solaris
...
6. Boot zone6.
Note: Wait one minute until the zone configuration completes.
7. Display the current value of the zone file-mac-profile property.
root@s11-serv1:~# zonecfg -z zone6 info file-mac-profile
file-mac-profile: fixed-configuration

Chapter 8 - Page 12
8. Log in to zone6.
root@s11-zone6:~#
9. Verify that the zone6 IPS publisher is configured correctly.
root@s11-zone6:~# pkg publisher
solaris (syspub) origin online proxy://http://s11-serv1.mydomain.com/
10. Verify that the apptrace package is not currently installed in the zone.
root@s11-zone6:~# pkg list apptrace

pkg list: no packages matching 'apptrace' installed
11. Attempt to install the apptrace package in the zone.
root@s11-zone6:~# pkg install apptrace
pkg install: Could not complete the operation on /var/pkg/lock:
read-only filesystem.
12. Exit from zone6.
root@s11-zone6:~# exit

Chapter 8 - Page 13
Practice 8-5: Configuring the Basic Audit Reporting Tool (BART)

Overview
In this practice, you create a BART rules file and apply it to a BART report. You then compare
BART reports to determine whether changes occurred in the /export/home/oracle
directory.
Task: Explore BART

Perform these steps to explore BART:

1. Change directory to /var/tmp and create a BART rules file named bartrules that
contains these rules:
IGNORE all
/export/home/oracle
CHECK all
root@s11-serv1:~# cd /var/tmp
root@s11-serv1:~# vi bartrules
IGNORE all
/export/home/oracle
CHECK all
2. Create a BART report by using the rules file that you created in the previous step and
display the results.
root@s11-serv1:/var/tmp# bart create -r bartrules > \
bart-`hostname`-`date '+%d%m%Y-%H:%M:%S'`
root@s11-serv1:/var/tmp# ls bart*
bart-s11-serv1-12042011-17:04:35 bartrules
3. View the contents of the BART report.
root@s11-serv1:/var/tmp# more bart-s11-serv1-12042011-17:04:35
! Version 1.0
! Tuesday, April 12, 2011 (17:04:35)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/export/home/oracle D 38 40755
owner@:list_directory/read_data/add_file/write_data/add_subdirectory/ap
pend_data/read_xattr/write_xattr/execute/read_attributes/write_attribut
es/read_acl/write_acl/write_owner/synchronize:allow,group@:list_directo
ry/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:al
low,everyone@:list_directory/read_data/read_xattr/execute/read_attribut
es/read_acl/synchronize:allow 4da4d977 101 10
/export/home/oracle/.ICEauthority F 2545 10060
owner@:read_data/write_data/append_data/read_xattr/write_xattr/read_att

Chapter 8 - Page 14
ributes/write_attributes/read_acl/write_acl/write_owner/synchronize:all
ow,group@:read_xattr/read_attributes/read_acl/synchronize:allow,everyon
e@:read_xattr/read_attributes/read_acl/synchronize:allow 4da49230 101
10 722a18de3360a057fd9231e184107740
4. Create a file named newfile in the /export/home/oracle directory.
root@s11-serv1:/var/tmp# touch /export/home/oracle/newfile
5. Create another BART report by using the rules file and display the results.

bart-s11-serv1-12042011-17:08:34
6. Compare the two BART reports.
root@s11-serv1:/var/tmp# bart compare \
bart-s11-serv1-12042011-17:04:35 \
bart-s11-serv1-12042011-17:08:34
/export/home/oracle:
size control:5 test:6
7. Edit the /export/home/oracle/newfile file by adding a simple message.
root@s11-serv1:/var/tmp# vi /export/home/oracle/newfile
This is a test.
8. Create another BART report by using the rules file and display the results.
bart-s11-serv1-12042011-17:04:35 bart-s11-serv1-12042011-17:11:50
9. Compare the second and third BART reports.
root@s11-serv1:/var/tmp# bart compare \
bart-s11-serv1-12042011-17:08:34 bart-s11-serv1-12042011-17:11:50
/export/home/oracle/newfile:
size control:0 test:16
mtime control:4da4db66 test:4da4dc11
contents control:d41d8cd98f00b204e9800998ecf8427e
test:02bcabffffd16fe0fc250f08cad95e0c

Chapter 8 - Page 15

Chapter 8 - Page 16

D73488GC11 Ag

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

D73488GC11 Ag

Uploaded by

Copyright:

Available Formats

THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY.

COPYING eKIT MATERIALS FROM THIS COMPUTER IS STRICTLY PROHIBITED

Oracle University and Knowledge Transfer Centre use only

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Restricted Rights Notice

Oracle University and Knowledge Transfer Centre use only

U.S. GOVERNMENT RIGHTS

Technical Contributors and Reviewers

This book was published using: Oracle Tutor

Oracle University and Knowledge Transfer Centre use only

Practice 8-1: Managing Encryption Keys .......................................................................................................8-4

Oracle University and Knowledge Transfer Centre use only

Practices for Lesson 1: Course Introduction

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Oracle University and Knowledge Transfer Centre use only

Practices for Lesson 1

Oracle University and Knowledge Transfer Centre use only

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction

Oracle University and Knowledge Transfer Centre use only

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2

Oracle University and Knowledge Transfer Centre use only

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Oracle University and Knowledge Transfer Centre use only

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Managing Software Updates in Oracle Solaris 11 Express

Practices for Lesson 3

Oracle University and Knowledge Transfer Centre use only

Figure 1: Oracle VM VirtualBox Manager

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Managing Software Updates in Oracle Solaris 11 Express

Oracle University and Knowledge Transfer Centre use only

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Managing Software Updates in Oracle Solaris 11 Express

Practice 3-1: Configuring a Local IPS Package Repository

Oracle University and Knowledge Transfer Centre use only

Before You Begin

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Managing Software Updates in Oracle Solaris 11 Express

Task: Configure a Local IPS Package Repository

Oracle University and Knowledge Transfer Centre use only

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Managing Software Updates in Oracle Solaris 11 Express

Oracle University and Knowledge Transfer Centre use only

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Managing Software Updates in Oracle Solaris 11 Express

13. Enable the application/pkg/server service.

Oracle University and Knowledge Transfer Centre use only

Practices for Lesson 3: Managing Software Updates in Oracle Solaris 11 Express

Practice 3-2: Configuring a Network Client to Access the IPS Server

Task: Configure a Network Client to Access the IPS Server

Oracle University and Knowledge Transfer Centre use only

8. Remove the current publisher URI (http://pkg.oracle.com/solaris/release/) and add a new

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Managing Software Updates in Oracle Solaris 11 Express

Oracle University and Knowledge Transfer Centre use only

12. Close the Firefox browser.

Practices for Lesson 3: Managing Software Updates in Oracle Solaris 11 Express

Practice 3-3: Updating the Oracle Solaris 11 Image

Oracle University and Knowledge Transfer Centre use only

Check with your instructor for demonstration availability.

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.