Resources Solaris 11
Solaris 11 Express
NWAM (Network Automagic) allows to draw IP addresses dynamically through different and manage them through a nice GUI.
It's however not needed to a system with a static, manually configured network configuration.
The following command sequence will allow to move back to the old Solaris 10 world if needed:
# svcadm disable svc:/network/physical:nwam
# svcadm enable svc:/network/physical:default
The nwam service has been retired. It's still there. Use:
# netadm enable -p ncp defaultfixed
This page describes how to map in Solaris 11 installed files to packages and vice versa.
OpenSolaris has a quite powerful package management system called IPS (Image Packaging System) which is very different from it's predecessor teh SOlaris 10 SVR4 packaging system.
Search queries may be accelerated by rebuilding the package index.
user@opensolaris:~# pkg rebuild-index
Example: Which is the package /usr/bin/pidgin belongs to an vice versa?
You are looking for the package which belongs to the file /usr/bin/pidgin:
user@opensolaris:~# pkg search -l /usr/bin/pidgin INDEX ACTION VALUE PACKAGE path file usr/bin/pidgin pkg:/email@example.com
The -l option performs a local search. Omitting it will allow you to search for files in packages which aren't yet installed.
The pkg command is doing the trick:
user@opensolaris:~# pkg contents -t file,link,hardlink -o action.name,mode,pkg.size,path,target \ communication/im/pidgin ACTION.NAME MODE PKG.SIZE PATH TARGET file 0644 314519 etc/gconf/schemas/purple.schemas file 0755 18232 usr/bin/otr_mackey file 0755 18688 usr/bin/otr_modify file 0755 19460 usr/bin/otr_parse file 0755 35452 usr/bin/otr_readforge file 0755 17612 usr/bin/otr_remac file 0755 19104 usr/bin/otr_sesskeys file 0755 1011364 usr/bin/pidgin file 0755 7965 usr/bin/purple-remote ...
Solaris 11 ships many Open Source Applications through it's repository. Research for the existing FOSS packages can be done by interactively quering the pkg.oracle.com repository. Solaris 11 users can do the same on the command line. All it takes is a command like:
$ pkg search gmake
to find the GNU-make package. The installation then happens through an IPS command like:
$ pkg install gnu-make
Below a list of other popular FOSS software which can be installed on Solaris 11:
Drupal 6 and 7 is an AMP application which works seemless on Solaris 10 and 11 no matter which processor architecture is being provided.
Drupal is known to work in all kinds of Solaris zones.
The application can be operated in a number of different configurations. The simplest configuration requires:
All these components are available in Oracle Solaris 10 and 11.
A simple installation on Oracle Solaris 11 installation has been tested with Drupal 7 patch level 23.
Solaris 11 comes by default with a relatively small OS nucleus. The required AMP stack is an optional package which needs to be installed with root privileges. Solaris 11 package installations are idempotent. This means that they are simple. You can launch the installation command multiple times. The system will install the required packages if needed only. No package will be installed multiple times. Nothing will happen in the case that the stack was already installed...
The installation of the AMP stack happens with the command:
sudo pkg install amp
This command will install an Apache 2.2 web server and a MySQL version 5.1
Drupal requires the Apache web server and MySQL to run.
All following commands will require root privileges which have the potential to damage the system when not being applied correctly!
Both services can be configured in the common platform independent way. A simple Drupal installation doesn't require any custom configuration.
The Drupal instance will work out of the box. Please consult the Drupal System requirements before you start your services. It may make sense to increase parameter for Php, Apache web server and the MySQL database for productive systems. These parameter changes will not be adopted automatically. They will be read when the service starts or restarts.
I assume that the Apache web server hasn't been running nor being used for a different purpose!
Having MySQL already being used is not a problem. Drupal will install a new database instance. I assume here that MySQL hasn't been started and used.
Both services need to be started with the following commands:
sudo svcadm enable svc:/application/database/mysql:version_51 sudo svcadm enable svc:/network/http:apache22
Both services should be in the state online after having started them. This can be checked with the following commands
sudo svcs -a | grep mysql sudo svcs -a | grep apache
The Solaris services will take care that the two applications will always run. The will get shutdown when the system will shutdown. They will be automatically be started when the systems gets started.
Download the Drupal installation bundle. Unpack the compressed file. Drupal comes in a directory structure with a top level directory named drupal-7.23 for Drupal 7 patch level 23. This directory has to become the Apache document root directory.
The following commands will do this trick for an Apache web server which has nothing in the default document root directory. It will wipe out the content of the current Apache document root!
The command below assumes that the user is in a directory in which the Drupal download is already unpacked.
sudo rm -rf /var/apache/2.2/htdocs sudo mv drupal-7.23 /var/apache/2.2/htdocs
The Drupal files should be owned by the user webservd. The following commands change the ownership:
sudo chown -R webservd /var/apache/2.2/htdocs sudo chgrp -R webservd /var/apache/2.2/htdocs
The Drupal installation itself is platform independent. Direct your browser to the target system. The Drupal installation page should appear.
Follow the installation. The installation will require a few file operations as a postinstallation task. They are operating system independent.
The Drupal technology is based on an extremely small Drupal core installation (as described here). Drupal has hundreds of contributed modules. The quality of the modules differs quite a bit. I have used several dozen of Drupal 6 and 7 modules and I never saw Solaris specific problems on Solaris 10 or 11.
Please leave a comment if you know about a Solaris specific issues. I'm happy to document them here.
Open Source application like Drupal don't come with official support statements. There are hosting companies who offer Drupal on Solaris like Strato. This page is managed by a Drupal 6 system hosted through a Solaris 10 instance (see Netcraft report).
snappy is a fast compressor/decompressor library from Google. The software is available under the new BSD license.
It can be build the following way with a simple script. The script expects to find a decompressed source code tar bundle with the name snappy-1.1.0.tar .
script header become super user and install gcc 4.5 become super user and install make unpack the download bundle for version 1.1.0 change directory to the snappy directory run the configure script. Installation in /usr/local/lib Build the product Become super user; install under /usr/local change directory back to the original directory create a tar ball of the installation with all libraries compress the tar ball with gzip
There are chances that the target system may not have been configured as a development and build system. The two packages (gcc-45, make) will ensure that the build environment will be available.
Both packages are not needed at the run time of snappy. They can be removed if needed with the two commands:
$ pkg uninstall gcc-45 $ pkg uninstall make
The Solaris 10 and 11 Fair Share Scheduler allow to run processes at a higher priority than normal processes and still lower than system processes.
This feature is quite helpful when giving demos if systems under extreme stress. It helps to give user interfaces a slightly higher priority which keeps them snappy.
The priocntl command allows to change the process scheduling classes and priorities.
The next three commands allow to bump up visualization tools like xorg, jconsole or jvisualvm:
priocntl -s -c FX -m 60 -p 60 -i pid `pgrep Xorg`
priocntl -s -c FX -m 60 -p 60 -i pid `pgrep jconsole`
priocntl -s -c FX -m 60 -p 60 -i pid `pgrep jvisualvm`
It moves the processes in question to priority 60.
Disclaimer: Is very unlikely that this needs to be done on productive systems. Apply on demo systems with care...
Oracle published a tool which allows to figure out if an application which works on Solaris 10 will work in an umodified way on Solaris 11. The "Oracle Solaris 11 Compitibilty Checker" is available as a free download.
The tool comes with a binary cecker which checks Solaris binaries for
It features as well a run time checker which is based on Dtrace. The run time checker will monitor an existing application and figure out if
All this happens in a Solaris 10 run time environment. The tool compares the access profile of the application with the APIs, frameworks and commands which are currently available in Solaris 11 Express. This means that no Solaris 11 or test installations are being needed.
A grain of salt: the total Solaris API is huge and there is a commonly accepted feature creep in all frame works. This leads to the same problem you'll have with an X-ray image: You're seeing things you never knew that they exist. There will be chances that you get some false positives which need to be sorted out by manual inspection. This is the usual problem with you'll see with all diagnostic tools.
The folks from ISV Engineering who wrote this tool implemented already the Solaris 10 binary checker and they know the applications of the world. Their checker comes with a build in database which represents the delta between Solaris 10 update 9 and Solaris 11 Express.
It's a good first indicator to make an assessment on the potential changes needed in an application. It will help a release manager to sleep better hence he'll know if an application is likely to need tweaking for Solaris 11.
Solaris 11 is public available and the IPS package management is setting new standards in Solaris administration and version management.
Everyone who develops software for this platform will want to make sure that the application users are using the optimal Solaris 11 infrastructure. The Oracle binary guarantee warrants that an application will work on any Solaris 11 release no matter which minor revision the kernel has. It's however a reasonable idea to ask a user to be at same minimum patch level you qualified your application on.
There are a number of ways to distinguish Solaris 10 systems from OpenSolaris or Solaris 11 Express systems.
One way is to parse the file /etc/release:
root@solaris:~# more /etc/release
Oracle Solaris 11 11/11 X86
Copyright (c) 1983, 2011, Oracle and/or its affiliates. All rights reserved.
Assembled 18 October 2011
It states that this is a Solaris 11 system being released 11/11. It means it got released in November 2011 by Oracle. This is the final Solaris 11. The version to build professional, long lasting software against.
Another option is the uname command:
root@solaris:~# uname -r
It'll let you know that you're working on a SunOS 5.11 platform. This is Solaris 11, or may be Solaris 11 Express, or may be Open Solaris. It's not very concise...
the option -v makes things even more confusing:
sschneid@solaris:~$ uname -v
You will know that you are on Solaris 11.
Being on Solaris 11 is a kind of cool. Oracle improves this product over time and there will be most likely update releases and patch bundles (SRU) as we know them from Solaris 10.
The above commands will allow only to figure out if this is a Solaris 11 and you can learn when it has been released. This date is likely to correlate with the update releases.
Solaris 11 isn't using anymore System V packages it uses the new IPS. IPS doesn't distinguish between packages and patches for packages. It deals with packages and their revisions only.
Patches happen to be packages with higher minor version numbers. Oracle is now pursuing a uniform approach. IPS allows to check the concise version number of a package with the command pkg info <package name>.
This allows to check the fine grained patch revision for any given package. The individual package granularity will be an overkill for most applications. Most applications will be happy to find a minimum Oracle patch level for the entire system. A check of the kernel package is all it takes. Most other packages of the OS will depend on the kernel revision.
Oracle has a concept of making update revisions freely available through the OTN license. Patch bundles in between update release are available for customers as Support Repository Updates (SRU). These SRUs are what you will want to rely on to operate a high quality Solaris 11 environment.
It happens that Oracle has been shipping the first SRU and the pkg info commands allows to understand versioning scheme:
schneid@solaris:~$ pkg info kernel
Summary: Core Kernel
Description: Core operating system kernel, device drivers and other modules.
Build Release: 5.11
Packaging Date: November 10, 2011 06:49:35 PM
Size: 32.33 MB
The relevant information can be found in the Branch or in the FMRI attribute:
It can be deciphered as follows:
Higher SRUs levels shouldn't break anything. They're supposed to fix bugs. Higher update levels aren't supposed to break anything either. They may add new functionality without breaking old APIs.
Oracle is updating the support repositories on demand in between SRUs. Every update in the support repositories will lead to an increased version number of the package "entire".
Any software being implemented on a given Solaris 11 release will want to make sure that it requests the minimum version which is required but not more than needed.
MyOracle support discusses this topic in great detail in document 1378134.1 (The Oracle Solaris 11 Package Branch Version Scheme).
Oracle offers a free (OTN license) access to Solaris 11 through http://pkg.oracle.com. Directing the browser to this URL reveils the concise version which can be provisioned:
The public repository offers as well a Solaris 11 at build 151 level:
This product has been marketed by Oracle as Solaris 11 Express. It's a developer focused Solaris 11 snapshot from November 2010. It's of little interest for everyone who wants to invest into Solaris 11 after November 2011.
The Oracle Solaris Binary Application Guarantee is now covering Oracle Solaris 10 as well as 11. Oracle extended the program through 2013. The program covers a source code guarantee as well as a binary guarantee. Details can be found in the program description.
The creation of a Solaris 11 repository is straight forward. Finding the related documentation isn't (status April 2011). The product name and domain names changed in the last year.
A simple and professional way is to create a new ZFS file system for a repository:
# zfs create /export/repo
We need super user privileges anyhow. The root of the repository will be in /export/repo.
This is a one time operation. The server will stay up on it's own since it get's managed through SMF. Reboots of the system will not make a difference.
# svcadm enable application/pkg/server
Set the port of the server to 10000 (in this case). The following command configures the SMF property of the service
# svccfg -s application/pkg/server setprop pkg/port=10000
Configure the root file system (here /export/repo) in SMF for the server:
# svccfg -s application/pkg/server setprop pkg/inst_root=/export/repo
The server is by default in read-only mode. Setting the following SMF property allows to post packages:
# svccfg -s application/pkg/server setprop pkg/readonly=false
It is common to pick the domain name of the server as publisher (here repo.scalingbits.com)
# pkgrepo set -s /export/repo publisher/prefix=repo.scalingbits.com
Refresh and restart the server for the repository with the hep of SMF:
# svcadm refresh application/pkg/server # svcadm restart application/pkg/server
Point the browser to your configured hostname and port. The following page should appear:
The root directory of the repository /export/repo should have a sub directory (here repo.scalingbits.com) as well.
The pkgrepo info command allows to check the state of the repository:
nsschneid@solarisB163:~# pkgrepo info -s http://repo.scalingbits.com:10000
PUBLISHER PACKAGES STATUS UPDATED
repo.scalingbits.com 0 online 2011-04-18T13:43:04.374125Z
... shows a healthy repository without any packages installed.
Some more pointers I found:
Oracle just updated their "Oracle Solaris 11 Preflight Checker for Applications". The tool is taking a multi pronged approach to figure out if a Solaris 10 application will work without any hick ups in Solaris 11.
The information listed above can be found in the User Guide which ships with the tool.
There are two remarkable features of the tool:
This page describes step by step how to build a private virtual network with Solaris 11 zones.
Solaris 11 zones which operate in a private virtual network have the following advantage
The required resources are
This step-by-step tutorial will show how to configure an internal network with zones as shown in the diagram below:
You will learn how to...
To summarize it: This is your personal private lab in a box. Some call it a cloud.
All required operations can be performed with a few scripts as root from the global zone. There are no extra licenses required to operate your cloud in a box...
The three sections of the how-to guide:
Disclaimer: All commands executed need root privileges and they make major changes to your system. Have a backup or a boot environment before you start experimenting.
$ dladm create-etherstub gbswitch0
Will create an internal virtual switch as shown in the diagram below:
You can control the success of this operation with the command
$ dladm show-etherstub LINK
The swith can de deleted with the command
$ dladm delete-etherstub gbswitch0
This virtual switch will be needed to operate our internal network.
The sequence of commands below will create a virtual network interface for the switch.
The idea is to operate an internal network in the IP range 192.168.0.0.
The name of the virtual network interface is vgb0. The IP address is 192.168.0.1
$ dladm create-vnic -l gbswitch0 vgb0 $ ipadm create-ip vgb0
$ ipadm create-addr -T static -a 192.168.0.1/24 vgb0/addr0
This result will be a Solaris global zone with a second network interface which isn't visible to the outside (the intranet):
The successful creation of a vnic (virtual network address) can be checked with the following command.
$ dladm show-vnic
LINK OVER SPEED MACADDRESS MACADDRTYPE VID
vgb0 gbswitch0 40000 2:8:20:51:c8:5f random 0
$ ipadm show-addr vgb0
ADDROBJ TYPE STATE ADDR
vgb0/addr0 static ok 192.168.0.1/24
You may need to delete the vnic. This can be achieved through the command:
$ dladm delete-vnic vgb0
I assume that the current system has a public network interface with the name net0. I assumeas well that this is the only network interface. IP-forwarding is most likely disabled in this case. It needs to be enabled. The following command enables the IP forwarding through the interfaces net0 and vgb0:
The IP-forwarding can be disable after the private virtual network isn't needed anymore. This happens with the following commands:
The zones which will work through the private virtual network will find their way out of the system as well without NAT. The problem arises for IP packets on their back. Systems outside of the PVN will not know about this sub-net and they will not have routes to communicate back. The public interface of the global zone has to act as a proxy and it will have to know how to relay packets back. This is being done by the ipfilter service which is disabled by default.
The Network Address Translation is a service which needs to be configured first by creating the file /etc/ipf/ipnat.conf. The commands below enable the network address translation for the internal network 192.168.0.0.
$ echo "map $MyPublicNic 192.168.0.0/24 -> 0/32 portmap tcp/udp auto" > /etc/ipf/ipnat.conf
$ echo "map $MyPublicNic 192.168.0.0/24 -> 0/32" >> /etc/ipf/ipnat.conf
The last step is to start the ipfilter service
$ svcadm enable network/ipfilter
The diagram below demonstrates the configured components:
There are chances that you will have to stop the ipfilter service one day. The service can be stopped with this command:
$ svcadm disable network/ipfilter
Enjoy the two scripts. Use them with caution.
Change the variables at the beginning as needed.
The script will not check if certain files already exist nor if required services are already running and network objects already exist!
echo "** create a switch with name $MySwitch "
dladm create-etherstub $MySwitch
echo "* create a vnic with name $MyRootZoneNic "
dladm create-vnic -l $MySwitch $MyRootZoneNic
echo "* create ip for $MyRootZoneNic"
ipadm create-ip $MyRootZoneNic
echo "* create ip addr $MyRootZoneIp for $MyRootZoneNic"
ipadm create-addr -T static -a $MyRootZoneIp/24 $MyRootZoneNic/addr0
#echo "* enable ipv4 forwarding in root zone "
#routeadm -u -e ipv4-forwarding
echo "* Status check network plumbing:"
echo "** create NAT configuration with ipf, enable forwarding"
ipadm set-ifprop -p forwarding=on -m ipv4 $MyPublicNic
ipadm set-ifprop -p forwarding=on -m ipv4 $MyRootZoneNic
cp /etc/ipf/ipnat.conf /etc/ipf/ipnat.conf.orig
echo "map $MyPublicNic $MyInternalNet/24 -> 0/32 portmap tcp/udp auto" > /etc/ipf/ipnat.conf
echo "map $MyPublicNic $MyInternalNet/24 -> 0/32" >> /etc/ipf/ipnat.conf
svcadm enable network/ipfilter
This script will swipe out the configuration which has been configured. It's simple and brutal...
echo "* disable ipv4 forwarding in root zone"
routeadm -u -d ipv4-forwarding
echo "* delete addr: $MyRootZoneNic"
ipadm delete-addr $MyRootZoneNic/addr0
ipadm delete-ip $MyRootZoneNic
echo "* delete vnic: $MyRootZoneNic"
dladm delete-vnic $MyRootZoneNic
echo "* delete a switch with name $MySwitch "
dladm delete-etherstub $MySwitch
echo "** delete NAT configuration with ipf"
ipadm set-ifprop -p forwarding=off -m ipv4 $MyPublicNic
ipadm set-ifprop -p forwarding=off -m ipv4 $MyRootZoneNic
svcadm disable network/ipfilter
I expect the virtual switch and the global zone configuration steps already being solved at this point of time. See below:
This means that a virtual switch with the name gbswitch0 already exists.
A bit of planning is required in order to have all data for configure the zone. The following information is needed. The names which I'm going to use in my commands are already entered:
|zones home directory||mandatory||/zones|
|zone virtual network interface||mandatory||vnz1|
|ip address in private network||mandatory||192.168.0.2|
|default router for private network||mandatory||192.168.0.1|
|IP address of DNS server||optional|
|user name, full user name, user password||optional|
|time zone information||optional|
The zone will have one interface. The interface will be virtual network interface vnz1 which will be attached to the virtual switch gbswitch0 The following commands will have to be executed in the global zone:
dladm create-vnic -l gbswitch0 vnz1
The commands below will configure a zone with the name zone1 and a network interface vnz1
$ zonecfg -z zone1 "create; set zonepath=/zones/zone1;set ip-type=exclusive; commit"
$ zoneadm -z zone1 install $ zonecfg -z zone1 "add net; set physical=vnz1;end"
The zone is now ready to be booted:
zoneadm -z zone1 boot
The zone is now running. The network configuration isn't complete and it takes a login through the zones console with a sys-config dialog. Enter
$ zlogin -C zone1
This will lead you into a sysconfig dialog. Choose a manual network configuration and provide the remaining information from the table above and configure the IP address and the default router. The configuration of name services and NIS is optional.
The zone should be ready for usage after these steps.
The zone is
The zone is otherwise private for the outside intranet.
Repeat the same steps for a second zone and you end up with a private virtual network with multiple zones.
echo "** create VNIC $MyZoneNic in global zone"# Configure and install the zone zonecfg -z $MyZone "create; set zonepath=/zones/$MyZone;set ip-type=exclusive; com
dladm create-vnic -l $MySwitch $MyZoneNic
echo "** starting creation of zone: $MyZone"
zoneadm -z $MyZone verify
zoneadm -z $MyZone install
zonecfg -z $MyZone "add net; set physical=$MyZoneNic;end"
echo "** Booting zone $MyZone "
zoneadm -z $MyZone boot
echo "** sleep for 30 seconds and hope for the zone to come for post config "
zoneadm list -v
Kick off the sys-config by logging into the zlogin
$ zlogin -C zone1
This script is a kind of brutal. It wipes out the entire zone...
zoneadm list -v
zoneadm -z $MyZone halt
zoneadm -z $MyZone uninstall -F
zonecfg -z $MyZone delete -F
zoneadm list -v
dladm delete-vnic $MyZoneNic
Accessing the private virtual network is no different to access any lab network through a gate way system
The global zone can be configured to run an Apache web server as reverse proxy. This allows to direct a browser to web port of the global zone public network interface and work with a specific web server of the internal private virtual network.
The following example assumes that zone1 offers a http service through port 80 at the internal IP address 192.168.0.2.
It will be made available to 126.96.36.199
The proxy server gets configured through the httpd.conf file with the following directives:
ProxyPass / http://192.168.0.2/
ProxyPassReverse / http://192.168.0.2/
The three directives avoid that the Apache server acts as a regular proxy (ProxyRequests Off). The ProxyPass and ProxyPassReverse directives teach the server to relay all http requests ( / ) to 192.168.0.2/ and the responses back. The ending slashes matter!
Start or restart the server with the following priviledged Solaris command in the global zone:
$ svcadm restart svc:/network/http:apache22
The svcadm command starts the Apache server on Solaris as a service. This command assures that the service is up even after a reboot of the system. This is all it takes on the proxy side!
This setup of the reverse proxy does the job for pretty much every simple web server behind it.
Warning: The web server in the private network may have to know that it's http service is getting exposed by a reverse proxy. Some web applications generate URLs on the fly. This post configuration is however completly application specific
A more ad-hoc and very safe way to access a port in your private virtual network is a ssh tunnel.
The user on system admin will need an account in the global zone of the Solaris 11 system (IP address: 188.8.131.52). The account name being used in this example is guest.
ssh tunnels allow to plumb a port of a remote system to your local system. The following command will plumb the port 80 of zone1 to port 7777 of the desktop the user admin is using:
$ ssh -L 7777:192.168.0.2:80 firstname.lastname@example.org
The command will lead to a shell session of user guest in the global zone. Besides this you will get the tunnel to be established. The user on system admin can now direct a browser to http://localhost:7777 a use the web server from zone1. The diagram below shows the interactions of the three systems.
The -L can be used multiple times in a single command. It'll tunnel any number of ports needed.