Solaris 11

Resources Solaris 11

NWAM (Network Auto Magic) Cheat Sheet

Solaris 11 Express

NWAM (Network Automagic) allows to draw IP addresses dynamically through different and manage them through a nice GUI.

It's however not needed to a system with a static, manually configured network configuration.

The following command sequence will allow to move back to the old Solaris 10 world if needed:

# svcadm disable svc:/network/physical:nwam
# svcadm enable svc:/network/physical:default

Solaris 11 11/11

The nwam service has been retired. It's still there. Use:

# netadm enable -p ncp defaultfixed

 

Solaris 11: Packages and Files

This page describes how to map in Solaris 11  installed files to packages and vice versa.

OpenSolaris has a quite powerful package management system called IPS (Image Packaging System) which is very different from it's predecessor teh SOlaris 10 SVR4 packaging system.

Search queries may be accelerated by rebuilding the package index.

user@opensolaris:~# pkg rebuild-index

Example: Which is the package /usr/bin/pidgin belongs to an vice versa?

How to find the OpenSolaris Package which belongs to a given File?

You are looking for the package which belongs to the file /usr/bin/pidgin:

user@opensolaris:~# pkg search -l /usr/bin/pidgin 
INDEX ACTION VALUE PACKAGE path file usr/bin/pidgin pkg:/communication/im/pidgin@0.5.11-0.134

 The -l option performs a local search. Omitting it will allow you to search for files in packages which aren't yet installed.

How to find the Files which belong to an OpenSolaris Package?

The pkg command is doing the trick:

user@opensolaris:~# pkg contents -t file,link,hardlink -o action.name,mode,pkg.size,path,target \
   communication/im/pidgin

ACTION.NAME MODE PKG.SIZE PATH
TARGET
file 0644 314519 etc/gconf/schemas/purple.schemas
file 0755 18232 usr/bin/otr_mackey
file 0755 18688 usr/bin/otr_modify
file 0755 19460 usr/bin/otr_parse
file 0755 35452 usr/bin/otr_readforge
file 0755 17612 usr/bin/otr_remac
file 0755 19104 usr/bin/otr_sesskeys
file 0755 1011364 usr/bin/pidgin
file 0755 7965 usr/bin/purple-remote
...

 

FOSS for Solaris 11

Solaris 11 ships many Open Source Applications through it's repository. Research for the existing FOSS packages can be done by interactively quering the pkg.oracle.com repository. Solaris 11 users can do the same on the command line. All it takes is a command like:

$ pkg search gmake

to find the GNU-make package. The installation then happens through an IPS command like:

$ pkg install gnu-make

Below a list of other popular FOSS software which can be installed on Solaris 11:

Drupal 6 and 7 on Oracle Solaris 11

Drupal 6 and 7 is an AMP application which works seemless on Solaris 10 and 11 no matter which processor architecture is being provided.

Drupal is known to work in all kinds of Solaris zones.

The application can be operated in a number of different configurations. The simplest configuration requires:

  • PHP
  • Apache webserver 2.2
  • MySQL

All these components are available in Oracle Solaris 10 and 11.

A simple installation on Oracle Solaris 11 installation has been tested with Drupal 7 patch level 23.

Installation of required Solaris 11 Packages

Solaris 11 comes by default with a relatively small OS nucleus. The required AMP stack is an optional package which needs to be installed with root privileges. Solaris 11 package installations are idempotent. This means that they are simple. You can launch the installation command multiple times. The system will install the required packages if needed only. No package will be installed multiple times. Nothing will happen in the case that the stack was already installed...

The installation of the AMP stack happens with the command:

sudo pkg install amp

This command will install an Apache 2.2 web server and a MySQL version 5.1

Starting the required Services

Drupal requires the Apache web server and MySQL to run. 

All following commands will require root privileges which have the potential to damage the system when not being applied correctly!

Both services can be configured in the common platform independent way. A simple Drupal installation doesn't require any custom configuration.

The Drupal instance will work out of the box. Please consult the Drupal System requirements before you start your services. It may make sense to increase parameter for Php, Apache web server and the MySQL database for productive systems. These parameter changes will not be adopted automatically. They will be read when the service starts or restarts.

I assume that the Apache web server hasn't been running nor being used for a different purpose!

Having MySQL already being used is not a problem. Drupal will install a new database instance. I assume here that MySQL hasn't been started and used.

Both services need to be started with the following commands:

sudo svcadm enable svc:/application/database/mysql:version_51
sudo svcadm enable svc:/network/http:apache22

Both services should be in the state online after having started them. This can be checked with the following commands

sudo svcs -a | grep mysql
sudo svcs -a | grep apache

The Solaris services will take care that the two applications will always run. The will get shutdown when the system will shutdown. They will be automatically be started when the systems gets started.

Installing the Drupal Files

Download the Drupal installation bundle. Unpack the compressed file. Drupal comes in a directory structure with a top level directory named drupal-7.23 for Drupal 7 patch level 23. This directory has to become the Apache document root directory.

The following commands will do this trick for an Apache web server which has nothing in the default document root directory. It will wipe out the content of the current Apache document root!

The command below assumes that the user is in a directory in which the Drupal download is already unpacked.

sudo rm -rf /var/apache/2.2/htdocs
sudo mv drupal-7.23 /var/apache/2.2/htdocs

The Drupal files should be owned by the user webservd. The following commands change the ownership:

sudo chown -R webservd /var/apache/2.2/htdocs
sudo chgrp -R webservd /var/apache/2.2/htdocs

Drupal specific Installation and Postinstallation Tasks

The Drupal installation itself is platform independent. Direct your browser to the target system. The Drupal installation page should appear.

Follow the installation. The installation will require a few file operations as a postinstallation task. They are operating system independent.

Solaris Support for addon Modules

The Drupal technology is based on an extremely small Drupal core installation (as described here). Drupal has hundreds of contributed modules. The quality of the modules differs quite a bit. I have used several dozen of Drupal 6 and 7 modules and I never saw Solaris specific problems on Solaris 10 or 11.

Please leave a comment if you know about a Solaris specific issues. I'm happy to document them here.

Drupal and Solaris Hosting

Open Source application like Drupal don't come with official support statements. There are hosting companies who offer Drupal on Solaris like Strato. This page is managed by a Drupal 6 system hosted through a Solaris 10 instance (see Netcraft report).

 

Snappy for Solaris 11

 snappy is a fast compressor/decompressor library from Google. The software is available under the new BSD license.

snappy compiles without issues on Solaris 11. The sources for version 1.1.0 can be downloaded from Google.

It can be build the following way with a simple script. The script expects to find a decompressed source code tar bundle with the name snappy-1.1.0.tar .

script build-all.bash Comment
#!/usr/bin/bash
sudo pkg install gcc-45
sudo pkg install make
tar xvf snappy-1.1.0.tar
cd snappy-1.1.0
sh configure --prefix=/usr/local
make
sudo make install
cd ..
tar cvf snappy-1.1.0-bin.tar /usr/local/lib/libsnappy*
gzip snappy-1.1.0-bin.tar
script header
become super user and install gcc 4.5
become super user and install make
unpack the download bundle for version 1.1.0
change directory to the snappy directory
run the configure script. Installation in /usr/local/lib
Build the product
Become super user; install  under /usr/local
change directory back to the original directory
create a tar ball of the installation with all libraries
compress the tar ball with gzip 

 

There are chances that the target system may not have been configured as a development and build system. The two packages (gcc-45, make) will ensure that the build environment will be available.

Both packages are not needed at the run time of snappy. They can be removed if needed with the two commands:

$ pkg uninstall gcc-45
$ pkg uninstall make

 

FX (Fair Share) Scheduler, Cheat Sheet

 The Solaris 10 and 11 Fair Share Scheduler allow to run processes at a higher priority than normal processes and still lower than system processes.

This feature is quite helpful when giving demos if systems under extreme stress. It helps to give user interfaces a slightly higher priority which keeps them snappy.

The priocntl command allows to change the process scheduling classes and priorities. 

The next three commands allow to bump up visualization tools like xorg, jconsole or jvisualvm:

priocntl -s -c FX -m 60 -p 60 -i pid `pgrep Xorg`
priocntl -s -c FX -m 60 -p 60 -i pid `pgrep jconsole`
priocntl -s -c FX -m 60 -p 60 -i pid `pgrep jvisualvm`

It moves the processes in question to priority 60.

Disclaimer: Is very unlikely that this needs to be done on productive systems. Apply on demo systems with care...

Solaris 11 Compatibility Checker available for Download

Oracle published a tool which allows to figure out if an application which works on Solaris 10 will work in an umodified way on Solaris 11. The "Oracle Solaris 11 Compitibilty Checker" is available as a free download.

The tool comes with a binary cecker which checks Solaris binaries for

It features as well a run time checker which is based on Dtrace. The run time checker will monitor an existing application and figure out if

All this happens in a Solaris 10 run time environment. The tool compares the access profile of the application with the APIs, frameworks and commands which are currently available in Solaris 11 Express. This means that no Solaris 11 or test installations are being needed.

A grain of salt: the total Solaris API is huge and there is a commonly accepted feature creep in all frame works. This leads to the same problem you'll have with an X-ray image: You're seeing things you never knew that they exist. There will be chances that you get some false positives which need to be sorted out by manual inspection. This is the usual problem with you'll see with all diagnostic tools.

The folks from ISV Engineering who wrote this tool implemented already the Solaris 10 binary checker and they know the applications of the world. Their checker comes with a build in database which represents the delta between Solaris 10 update 9 and Solaris 11 Express.

Why using it?

It's a good first indicator to make an assessment on the potential changes needed in an application. It will help a release manager to sleep better hence he'll know if an application is likely to need tweaking for Solaris 11.

Solaris 11 Version Schema

Solaris 11 is public available and the IPS package management is setting new standards in Solaris administration and version management.

Everyone who develops software for this platform will want to make sure that the application users are using the optimal Solaris 11 infrastructure. The Oracle binary guarantee warrants that an application will work on any Solaris 11 release no matter which minor revision the kernel has. It's however  a reasonable idea to ask a user to be at same minimum patch level you qualified your application on.

Which Solaris OS am I working on?

There are a number of ways to distinguish Solaris 10 systems from OpenSolaris or Solaris 11 Express systems.

One way is to parse the file /etc/release:

root@solaris:~# more /etc/release
Oracle Solaris 11 11/11 X86
Copyright (c) 1983, 2011, Oracle and/or its affiliates. All rights reserved.
Assembled 18 October 2011

It states that this is a Solaris 11 system being released 11/11. It means it got released in November 2011 by Oracle. This is the final Solaris 11. The version to build professional, long lasting software against.

Another option is the uname command:

root@solaris:~# uname -r
5.11

It'll let you know that you're working on a SunOS 5.11 platform. This is Solaris 11, or may be Solaris 11 Express, or may be Open Solaris. It's not very concise...

the option -v makes things even more confusing:

sschneid@solaris:~$ uname -v
11.0

You will know that you are on Solaris 11.

Being on Solaris 11 is a kind of cool. Oracle improves this product over time and there will be most likely update releases and patch bundles (SRU) as we know them from Solaris 10.

The above commands will allow only to figure out if this is a Solaris 11 and you can learn when it has been released. This date is likely to correlate with the update releases.

Which Solaris Patch Level am I working on?

Solaris 11 isn't using anymore System V packages it uses the new IPS. IPS doesn't distinguish between packages and patches for packages. It deals with packages and their revisions only.

Patches happen to be packages with higher minor version numbers. Oracle is now pursuing a uniform approach. IPS allows to check the concise version number of a package with the command pkg info <package name>

This allows to check the fine grained patch revision for any given package. The individual package granularity will be an overkill for most applications. Most applications will be happy to find a minimum Oracle patch level for the entire system. A check of the kernel package is all it takes. Most other packages of the OS will depend on the kernel revision.

Oracle has a concept of making update revisions freely available through the OTN license. Patch bundles in between update release are available for customers as Support Repository Updates (SRU). These SRUs are what you will want to rely on to operate a high quality Solaris 11 environment.

It happens that Oracle has been shipping the first SRU and the pkg info commands allows to understand versioning scheme:

schneid@solaris:~$ pkg info kernel
Name: system/kernel
Summary: Core Kernel
Description: Core operating system kernel, device drivers and other modules.
Category: System/Core
State: Installed
Publisher: solaris
Version: 0.5.11
Build Release: 5.11
Branch: 0.175.0.1.0.3.1
Packaging Date: November 10, 2011 06:49:35 PM
Size: 32.33 MB
FMRI: pkg://solaris/system/kernel@0.5.11,5.11-0.175.0.1.0.3.1:20111110T184935Z

The relevant information can be found in the Branch or in the FMRI attribute:

It can be deciphered as follows:

Higher SRUs levels shouldn't break anything. They're supposed to fix bugs. Higher update levels aren't supposed to break anything either. They may add new functionality without breaking old APIs.

Oracle is updating the support repositories on demand in between SRUs. Every update in the support repositories will lead to an increased version number of the package "entire".

Any software being implemented on a given Solaris 11 release will want to make sure that it requests the minimum version which is required but not more than needed.

MyOracle support discusses this topic in great detail in document 1378134.1 (The Oracle Solaris 11 Package Branch Version Scheme).

Where do I get which Software from?

Oracle offers a free (OTN license) access to Solaris 11 through http://pkg.oracle.com.  Directing the browser to this URL reveils the concise version which can be provisioned:

 

The public repository offers as well a Solaris 11 at build 151 level:

This product has been marketed by Oracle as Solaris 11 Express. It's a developer focused Solaris 11 snapshot from November 2010. It's of little interest for everyone who wants to invest into Solaris 11 after November 2011.

Solaris Binary Application Guarantee extended to Solaris 11

The Oracle Solaris Binary Application Guarantee is now covering Oracle Solaris 10 as well as 11. Oracle extended the program through 2013. The program covers a source code guarantee as well as a binary guarantee. Details can be found in the program description.

 

Solaris 11 Repository and Server Configuration

The creation of a Solaris 11 repository is straight forward. Finding the related documentation isn't (status April 2011). The product name and domain names changed in the last year.

Step 1: Provide a Location in your File System for a IPS Repository

A simple and professional way is to create a new ZFS file system for a repository:

# zfs create /export/repo

We need super user privileges anyhow. The root of the repository will be in /export/repo.

Step 2: Configure the SMF Services for the pkg Server

2.1 Enable the SMF Service for the Server

This is a one time operation. The server will stay up on it's own since it get's managed through SMF. Reboots of the system will not make a difference.

# svcadm enable application/pkg/server

2.2 Configure Properties of the Server

Set the port of the server to 10000 (in this case). The following command configures the SMF property of the service

# svccfg -s application/pkg/server setprop pkg/port=10000

Configure the root file system (here /export/repo) in SMF for the server:

# svccfg -s application/pkg/server setprop pkg/inst_root=/export/repo

The server is by default in read-only mode. Setting the following SMF property allows to post packages:

# svccfg -s application/pkg/server setprop pkg/readonly=false

2.3 Configure a Name for the Repository

It is common to pick the domain name of the server as publisher (here repo.scalingbits.com)

# pkgrepo set -s /export/repo publisher/prefix=repo.scalingbits.com

2.4 Restart the entire Server

Refresh and restart the server for the repository with the hep of SMF:

# svcadm refresh application/pkg/server
# svcadm restart application/pkg/server

Step 3: Check the Configuration

Point the browser to your configured hostname and port. The following page should appear:

The root directory of the repository /export/repo should have a sub directory (here repo.scalingbits.com) as well.

The pkgrepo info command allows to check the state of the repository:

nsschneid@solarisB163:~# pkgrepo info -s http://repo.scalingbits.com:10000
PUBLISHER PACKAGES STATUS UPDATED
repo.scalingbits.com 0 online 2011-04-18T13:43:04.374125Z

... shows a healthy repository without any packages installed.

Other Resources

Some more pointers I found:

 

 

Oracle posts "Oracle Solaris 11 Preflight Checker for Applications"

Oracle just updated their "Oracle Solaris 11 Preflight Checker for Applications". The tool is taking a multi pronged approach to figure out if a Solaris 10 application will work without any hick ups in Solaris 11.

The information listed above can be found in the User Guide which ships with the tool.

There are two remarkable features of the tool:

Building a Private Virtual Network (PVN) with Solaris Zones

This page describes step by step how to build a private virtual network with Solaris 11 zones.

Solaris 11 zones which operate in a private virtual network have the following advantage

The required resources are

This step-by-step tutorial will show how to configure an internal network with zones as shown in the diagram below:

You will learn how to...

To summarize it: This is your personal private lab in a box. Some call it a cloud.

All required operations can be performed with a few scripts as root from the global zone. There are no extra licenses required to operate your cloud in a box...

References:

The three sections of the how-to guide:

Preparation and Configuration of the global Zone

Disclaimer: All commands executed need root privileges and they make major changes to your system. Have a backup or a boot environment before you start experimenting.

1. Create a virtual Switch

The command:

$ dladm create-etherstub gbswitch0

Will create an internal virtual switch as shown in the diagram below:

You can control the success of this operation with the command

$ dladm show-etherstub
LINK
gbswitch0

The swith can de deleted with the command

$ dladm delete-etherstub gbswitch0

This virtual switch will be needed to operate our internal network.

2. Create a virtual Network Interface which connects the global Zone to the virtual Switch

The sequence of commands below will create a virtual network interface for the switch.

The idea is to operate an internal network in the IP range 192.168.0.0.

The name of the virtual network interface is vgb0. The IP address is 192.168.0.1

$ dladm create-vnic -l gbswitch0 vgb0
$ ipadm create-ip vgb0
$ ipadm create-addr -T static -a 192.168.0.1/24 vgb0/addr0

This result will be a Solaris global zone with a second network interface which isn't visible to the outside (the intranet):

virtual switch with virtual network interface

 

 The successful creation of a vnic (virtual network address) can be checked with the following command.

$ dladm show-vnic
LINK                OVER         SPEED  MACADDRESS        MACADDRTYPE       VID
vgb0 gbswitch0 40000 2:8:20:51:c8:5f random 0

and

$ ipadm show-addr vgb0
ADDROBJ           TYPE     STATE        ADDR
vgb0/addr0 static ok 192.168.0.1/24

You may need to delete the vnic. This can be achieved through the command:

$ dladm delete-vnic vgb0

3. Enable the IP Forwarding

I assume that the current system has a public network interface with the name net0.  I assumeas well that this is the only network interface. IP-forwarding is most likely disabled in this case. It needs to be enabled. The following command enables the IP forwarding through the interfaces net0 and vgb0:

$ ipadm set-ifprop -p forwarding=on -m ipv4 net0
$ ipadm set-ifprop -p forwarding=on -m ipv4 vgb0

The IP-forwarding can be disable after the private virtual network isn't needed anymore. This happens with the following commands:

$ ipadm set-ifprop -p forwarding=on -m ipv4 net0
$ ipadm set-ifprop -p forwarding=on -m ipv4 vgb0

4. Enable the Network Address Translation

The zones which will work through the private virtual network will find their way out of the system as well without NAT. The problem arises for IP packets on their back. Systems outside of the PVN will not know about this sub-net and they will not have routes to communicate back. The public interface of the global zone has to act as a proxy and it will have to know how to relay packets back. This is being done by the ipfilter service which is disabled by default.

The Network Address Translation is a service which needs to be configured first by creating the file /etc/ipf/ipnat.conf. The commands below enable the network address translation for the internal network 192.168.0.0.

$ echo "map $MyPublicNic 192.168.0.0/24 -> 0/32  portmap tcp/udp auto" > /etc/ipf/ipnat.conf
$ echo "map $MyPublicNic 192.168.0.0/24 -> 0/32" >> /etc/ipf/ipnat.conf

The last step is to start the ipfilter service

$ svcadm enable network/ipfilter

The diagram below demonstrates the configured components:

There are chances that you will have to stop the ipfilter service one day. The service can be stopped with this command:

$ svcadm disable network/ipfilter

5. Scripts

Enjoy the two scripts. Use them with caution.

5.1 Preparation of the global Zone

Change the variables at the beginning as needed.

The script will not check if certain files already exist nor if required services are already running  and network objects already exist!

#!/bin/bash

MySwitch=gbswitch0
MyRootZoneNic=vgb0
MyRootZoneIp=192.168.0.1
MyInternalNet=192.168.0.0
MyPublicNic=net0

echo "** create a switch with name $MySwitch "
dladm create-etherstub $MySwitch
echo "* create a vnic with name $MyRootZoneNic "
dladm create-vnic -l $MySwitch $MyRootZoneNic
echo "* create ip for $MyRootZoneNic"
ipadm create-ip $MyRootZoneNic
echo "* create ip addr $MyRootZoneIp for $MyRootZoneNic"
ipadm create-addr -T static -a $MyRootZoneIp/24 $MyRootZoneNic/addr0
#echo "* enable ipv4 forwarding in root zone "
#routeadm -u -e ipv4-forwarding
echo "* Status check network plumbing:"
dladm show-vnic
echo "** create NAT configuration with ipf, enable forwarding"
ipadm set-ifprop -p forwarding=on -m ipv4 $MyPublicNic
ipadm set-ifprop -p forwarding=on -m ipv4 $MyRootZoneNic
cp /etc/ipf/ipnat.conf /etc/ipf/ipnat.conf.orig
echo "map $MyPublicNic $MyInternalNet/24 -> 0/32 portmap tcp/udp auto" > /etc/ipf/ipnat.conf
echo "map $MyPublicNic $MyInternalNet/24 -> 0/32" >> /etc/ipf/ipnat.conf
svcadm enable network/ipfilter

5.2 Cleanup, undo, deletion 

This script will swipe out the configuration which has been configured. It's simple and brutal...

#!/bin/bash

MySwitch=gbswitch0
MyRootZoneNic=vgb0
MyRootZoneIp=192.168.0.1
MyPublicNic=net0

echo "* disable ipv4 forwarding in root zone"
routeadm -u -d ipv4-forwarding
echo "* delete addr: $MyRootZoneNic"
ipadm delete-addr $MyRootZoneNic/addr0
ipadm delete-ip $MyRootZoneNic
echo "* delete vnic: $MyRootZoneNic"
dladm show-vnic
dladm delete-vnic $MyRootZoneNic
dladm show-vnic
echo "* delete a switch with name $MySwitch "
dladm show-etherstub
dladm delete-etherstub $MySwitch
dladm show-etherstub
echo "** delete NAT configuration with ipf"
ipadm set-ifprop -p forwarding=off -m ipv4 $MyPublicNic
ipadm set-ifprop -p forwarding=off -m ipv4 $MyRootZoneNic
svcadm disable network/ipfilter

Creating and Configuring the Zones

I expect the virtual switch and the global zone configuration steps already being solved at this point of time. See below:

This means that a virtual switch with the name gbswitch0 already exists.

A bit of planning is required in order to have all data for configure the zone. The following information is needed. The names which I'm going to use in my commands are already entered:

Configuration Information
Information optional Value
zone name mandatory zone1
zones home directory mandatory /zones
zone virtual network interface mandatory vnz1
ip address in private network mandatory 192.168.0.2
default router for private network mandatory 192.168.0.1
IP address of DNS server optional  
root password mandatory  
user name, full user name, user password optional  
time zone information optional  

1. Create a Virtual Network Interface for the Zones

The zone will have one interface. The interface will be virtual network interface vnz1 which will be attached to the virtual switch gbswitch0 The following commands will have to be executed in the global zone:

dladm create-vnic -l gbswitch0 vnz1

2. Declare the Zone

The commands below will configure a zone with the name zone1 and a network interface vnz1

$ zonecfg -z zone1 "create; set zonepath=/zones/zone1;set ip-type=exclusive; commit"
$ zoneadm -z zone1 install $ zonecfg -z zone1 "add net; set physical=vnz1;end"

3. Boot and Configure the Zone

The zone is now ready to be booted:

zoneadm -z zone1 boot

The zone is now running. The network configuration isn't complete and it takes a login through the zones console with a sys-config dialog. Enter

$ zlogin -C zone1

This will lead you into a sysconfig dialog. Choose a manual network configuration and provide the remaining information from the table above and configure the IP address and the default router. The configuration of name services and NIS is optional.

The zone should be ready for usage after these steps.

The zone is

  • ready for additional software installation
  • the zone can reach any other zone in the private virtual network
  • the zone can reach out to the intranet when needed through the NAT services of the global zone

 The zone is otherwise private for the outside intranet.

Repeat the same steps for a second zone and you end up with a private virtual network with multiple zones.

 

4. Scripts

4.1 Zone Configuration and installation

#!/bin/bash

MySwitch=gbswitch0
MyZoneNic=vnz1
MyZone=zone1
MyZoneIp=192.168.0.2
MyRootZoneIp=192.168.0.1

echo "** create VNIC $MyZoneNic in global zone"
dladm create-vnic -l $MySwitch $MyZoneNic
echo "** starting creation of zone: $MyZone"

# Configure and install the zone zonecfg -z $MyZone "create; set zonepath=/zones/$MyZone;set ip-type=exclusive; com
mit"
zoneadm -z $MyZone verify
zoneadm -z $MyZone install
zonecfg -z $MyZone "add net; set physical=$MyZoneNic;end"
echo "** Booting zone $MyZone "
zoneadm -z $MyZone boot
echo "** sleep for 30 seconds and hope for the zone to come for post config "
sleep 30
zoneadm list -v

Kick off the sys-config by logging into the zlogin

 $ zlogin -C zone1

4.2 Deletion of the Zone

This script is a kind of brutal. It wipes out the entire zone...

#!/bin/bash

MyZoneNic=vnz1
MyZoneIp=192.168.0.2
MyZone=zone1

zoneadm list -v
zoneadm -z $MyZone halt
zoneadm -z $MyZone uninstall -F
zonecfg -z $MyZone delete -F
zoneadm list -v
dladm show-vnic
dladm delete-vnic $MyZoneNic
dladm show-vnic

 

Accessing the Private Virtual Network

Accessing the private virtual network is no different to access any lab network through a gate way system

1. Accessing internal Web Servers with an Apache Reverse Proxy Server Configuration

The global zone can be configured to run an Apache web server as reverse proxy. This allows to direct a browser to web port of the global zone public network interface and work with a specific web server of the internal private virtual network.

The following example assumes that zone1 offers a http service through port 80 at the internal IP address 192.168.0.2.

digram with reverse proxy and virtual private network

It will be made available to 11.1.2.3

1.1. Configure configuration file of Apache 2.2 in global zone

The proxy server gets configured through the httpd.conf file with the following directives:

/etc/apache2/2.2/httpd.conf:

...

ServerName myglobalZone.public.name.com

...

ProxyRequests Off

ProxyPass / http://192.168.0.2/

ProxyPassReverse / http://192.168.0.2/

...

 

The three directives avoid that the Apache server acts as a regular proxy (ProxyRequests Off). The ProxyPass and ProxyPassReverse directives teach the server to relay all http requests ( / ) to 192.168.0.2/ and the responses back. The ending slashes matter!

1.2. Start the Apache Server in the global zone

Start or restart the server with the following priviledged Solaris command in the global zone:

$ svcadm restart svc:/network/http:apache22

The svcadm command starts the Apache server on Solaris as a service. This command assures that the service is up even after a reboot of the system. This is all it takes on the proxy side!

This setup of the reverse proxy does the job for pretty much every simple web server behind it.

Warning: The web server in the private network may have to know that it's http service is getting exposed by a reverse proxy. Some web applications generate URLs on the fly. This post configuration is however completly application specific

2. ssh Tunnels

A more ad-hoc and very safe way to access a port in your private virtual network is a ssh tunnel.

The user on system admin will need an account in the global zone of the Solaris 11 system (IP address: 11.1.2.3). The account name being used in this example is guest.

ssh tunnels allow to plumb a port of a remote system to your local system. The following command will plumb the port 80 of zone1 to port 7777 of the desktop the user admin is using:

$ ssh -L 7777:192.168.0.2:80 guest@11.1.2.3

The command will lead to a shell session of user guest in the global zone. Besides this you will get the tunnel to be established. The user on system admin can now direct a browser to http://localhost:7777 a use the web server from zone1. The diagram below shows the interactions of the three systems.
 

ssh Tunnel to private virtual network

The -L can be used multiple times in a single command. It'll tunnel any number of ports needed.

References