[zones-discuss] Annoying zone boot failure
After a recent system panic, the zones service failed to start due to the first zone failing to boot. The boot fails with

    ERROR: could not open master side of zone console for wiki to acquire slave handle: Device busy

I tried detaching and reattaching the zone but this didn't change anything.

Can this be fixed by removing the /dev/zcons/wiki symlinks or the underlying pseudo devices? When are the pseudo devices created?

Thanks.

--
Ian.
___
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] Run user script when start zone
On 03/21/12 01:50 AM, skeletor wrote:
> 20.03.2012 14:41, casper@oracle.com wrote:
>> Have you tried making the zone into a zone with exclusive IP stack?
>> (Using a vnic, etc) Then the zone can add the routes as needed
>>
>> Casper
>
> No, I haven't. I use share IP stack.

For what you are trying to do, exclusive IP is the best option.

--
Ian.
Re: [zones-discuss] how to unset a publisher in a zone?
On 02/20/12 10:06 PM, gerard henry wrote:
> hello all,
> after upgrading from S11X to S11, i'm unable to attach a zone due to a missing publisher. I'm trying to remove the old publisher but i have this:
>
> root@electre:~# pkg -R /zones/test_bd/root/ publisher
> PUBLISHER            TYPE     STATUS   URI
> solaris (syspub)     origin   online   file:///mnt/repo/
> solaris (syspub)     origin   online   proxy://http://localhost:1/
> latp                 origin   online   http://electre:1/
> root@electre:~# pkg -R /zones/test_bd/root/ unset-publisher solaris
> pkg unset-publisher: Removal failed for 'solaris': solaris is a system publisher and cannot be unset.
>
> there are 2 publishers with the same name, how can i correct this problem?

I had the same problem a while back and I think I used set-publisher with -g to add the correct publisher and -G to remove the bad one.

It won't let you remove the one with the queer URI (where does that come from I wonder?), but it doesn't appear to do any harm.

--
Ian.
Re: [zones-discuss] 7116113 bug in zone, what is the workaround?
On 02/20/12 10:48 PM, gerard henry wrote:
> hello,

snip

> Enter user name for system maintenance (control-d to bypass):
>
> the bug ID 7116113 gives the following workaround:
> Increase the system/name-service/upgrade start method timeout_seconds to a value larger than 60 seconds. Say 300 seconds (5min).
>
> i tried:
> root@www2:~# svccfg -s svc:/system/name-service/upgrade:default start/timeout_seconds = 300
> svccfg: Syntax error.

Shouldn't you be using the setprop sub-command within svccfg?

--
Ian.
Re: [zones-discuss] how to unset a publisher in a zone?
On 02/21/12 03:31 PM, Edward Pilatowicz wrote:
> On Mon, Feb 20, 2012 at 02:56:23AM -0800, Ian Collins wrote:
>> It won't let you remove the one with the queer URI (where does that come from I wonder?), but it doesn't appear to do any harm.
>
> assuming that the queer uri is the proxy:// one, that one is automatically added into zones via the system-repository service. basically, every publisher and origin accessible in the gz is accessible to a ngz via these type special proxy origins. this ensures that ngz can install software that is in compatible with the gz.

Thanks for the explanation Ed, that one had me somewhat baffled!

--
Ian.
Re: [zones-discuss] need help with zonecfg and networking
On 02/ 9/12 02:13 PM, Will Fiveash wrote:
> I used to be able to configure zones a while back but now I'm stumped (using released S11). What I want is a set of zones, each with a unique IP address such that they can ping each other and the global zone. I used to use a zonecfg of:
>
> create
> set zonepath=/zone/newzone
> set limitpriv=default,dtrace_proc,dtrace_user
> add net
> set physical=nge0
> set address=10.0.0.2/8
> end
> commit
> exit
>
> and that did what I want. Now I see:
>
> n line 19 of /tmp/createzone.qEaOyF:
> net: address cannot be specified if ip-type = exclusive
> ip-type is set to 'exclusive' by default.
> Zone master failed to verify
> master: Invalid argument

You either need to set ip-type=shared in the config, or remove the address setting and give the zone a dedicated (v)nic.

I don't use shared ip zones on 11, it's easy to create a vnic and give it to the zone.

--
Ian.
Re: [zones-discuss] need help with zonecfg and networking
On 02/ 9/12 02:24 PM, Will Fiveash wrote:
On Wed, Feb 08, 2012 at 07:13:10PM -0600, Will Fiveash wrote:
I used to be able to configure zones a while back but now I'm stumped (using released S11). What I want is a set of zones, each with a unique IP address such that they can ping each other and the global zone. I used to use a zonecfg of:

    create
    set zonepath=/zone/newzone
    set limitpriv=default,dtrace_proc,dtrace_user
    add net
    set physical=nge0
    set address=10.0.0.2/8
    end
    commit
    exit

and that did what I want. Now I see:

BTW, when I look at the man page I see this similar example:

Example 3 Creating a Shared-IP Zone

The following example creates a zone that shares an IP stack with the global zone, and is assigned a single IP address and default router.

    example# zonecfg -b -z shared
    zonecfg:shared create

You probably want create -b

    zonecfg:shared set zonepath=/export/zones/shared
    zonecfg:shared set ip-type=shared
    zonecfg:shared add net
    zonecfg:shared:net set physical=nge0
    zonecfg:shared:net set address=192.168.0.3/24
    zonecfg:shared:net set defrouter=192.168.0.1
    zonecfg:shared:net end
    zonecfg:shared exit

I don't see a 'commit' in there before the exit.

Did you have an old zone with the same name? Check with zonecfg -z shared export

That fails because -b isn't supported and if I remove that then I see:

Expand fails, that example works fine (with the commit).

--
Ian.
Re: [zones-discuss] Unable to attach a zone sent from Express system to Solaris 11
On 02/ 2/12 09:04 PM, Ian Collins wrote:
> Hello again,
>
> I have just tried sending a zone from an Express system to a Solaris 11 system.

I didn't find the cause on this system, but sending the original datasets to another Solaris 11 box and performing the upgrade attach there worked OK.

Very odd.

--
Ian.
[zones-discuss] Unable to attach a zone sent from Express system to Solaris 11
Hello again,

I have just tried sending a zone from an Express system to a Solaris 11 system.

The original ZFS filesystems were

    fileserver/zones                 1.73G  29.2T   35K  /zones
    fileserver/zones/agdos            731M  29.2T   33K  /zones/agdos
    fileserver/zones/agdos/ROOT       731M  29.2T   31K  legacy
    fileserver/zones/agdos/ROOT/zbe   731M  29.2T  499M  legacy

The dsconvert ran OK (I had to specify zbe as the boot environment).

attach -u fails and the log shows:

    pkg install: No solution was found to satisfy constraints
    maintained incorporations: None
    Plan Creation: dependency error(s) in proposed packages:

followed by 5776 entries like

    No suitable version of required package pkg://solaris/developer/build/onbld@0.5.11,5.11-0.151.0.1.8:20110620T221620Z found:
    Reject: pkg://solaris/developer/build/onbld@0.5.11,5.11-0.151.0.1.8:20110620T221620Z
    Reason: All acceptable versions of 'require' dependency on pkg:/runtime/python-24 are obsolete

It looks like every package is rejected. The zone's publishers look OK:

    pkg -R /zones/agdos/root publisher
    PUBLISHER            TYPE     STATUS   URI
    solaris (syspub)     origin   online   proxy://http://pkg.oracle.com/solaris/release/
    solaris (syspub)     origin   online   https://pkg.oracle.com/solaris/support/

Ideas?

--
Ian.
Re: [zones-discuss] Problem booting Solaris 10 zone imported form Solaris 11 express
On 12/15/11 04:27 AM, Enda O'Connor wrote:
> On 12/14/11 03:30, Ian Collins wrote:
>> Hello,
>>
>> I just tried booting a Solaris 10 branded zone after upgrading its host to Solaris 11 (from Express) and it migrated OK, but won't boot:
>>
>> # zoneadm -z sandpit boot
>> zone 'sandpit': WARNING: vnic3:1: no matching subnet found in netmasks(4): 172.25.48.101; using default of 255.255.0.0.
>> zone 'sandpit': Error: The installed version of Solaris 10 is not supported.
>> zone 'sandpit': SPARC systems require patch 142909-17
>> zone 'sandpit': x86/x64 systems require patch 142910-17
>> zone 'sandpit': exec /usr/lib/brand/solaris10/s10_boot sandpit /zoneRoot/sandpit failed
>> zone 'sandpit': ERROR: unable to unmount /zoneRoot/sandpit/root.
>>
>> The zone originally came from a Solaris 10 update 9 system. How do I go about patching it?
>
> actually, further to Mike's reply on how to reverse dsconvert, the message above should not have happened if zone was at update 9 level, as update 9 has 142909-17/142910-17, are you sure the zone was at update 9 kernel?

Pretty sure, yes. The zone was exported from an older version (update 8) and attached (with -u) into an update 9 VM before conversion to a branded zone. I've probably still got the VM, so I'll fire it up and have a look.

I believe update 9 was required for a branded zone in 11 Express.

--
Ian.
Re: [zones-discuss] Problem booting Solaris 10 zone imported form Solaris 11 express
On 12/15/11 07:38 AM, Hung-Sheng Tsao (Lao Tsao 老曹) Ph.D. wrote:
> On 12/14/2011 1:27 PM, Ian Collins wrote:
>> On 12/15/11 04:27 AM, Enda O'Connor wrote:
>>> On 12/14/11 03:30, Ian Collins wrote:
>>>> Hello,
>>>>
>>>> I just tried booting a Solaris 10 branded zone after upgrading its host to Solaris 11 (from Express) and it migrated OK, but won't boot:
>>>>
>>>> # zoneadm -z sandpit boot
>>>> zone 'sandpit': WARNING: vnic3:1: no matching subnet found in netmasks(4): 172.25.48.101; using default of 255.255.0.0.
>>>> zone 'sandpit': Error: The installed version of Solaris 10 is not supported.
>>>> zone 'sandpit': SPARC systems require patch 142909-17
>>>> zone 'sandpit': x86/x64 systems require patch 142910-17
>>>> zone 'sandpit': exec /usr/lib/brand/solaris10/s10_boot sandpit /zoneRoot/sandpit failed
>>>> zone 'sandpit': ERROR: unable to unmount /zoneRoot/sandpit/root.
>>>>
>>>> The zone originally came from a Solaris 10 update 9 system. How do I go about patching it?
>>>
>>> actually, further to Mike's reply on how to reverse dsconvert, the message above should not have happened if zone was at update 9 level, as update 9 has 142909-17/142910-17, are you sure the zone was at update 9 kernel?
>>
>> Pretty sure, yes. The zone was exported from an older version (update 8) and attached (with -u) into an update 9 VM before conversion to a branded zone. I've probably still got the VM, so I'll fire it up and have a look.
>
> may be you need to run attach -U instead

-U? There isn't a documented -U option.

--
Ian.
Re: [zones-discuss] Problem booting Solaris 10 zone imported form Solaris 11 express
On 12/15/11 07:48 AM, Frank Batschulat wrote:
> On Wed, 14 Dec 2011 19:48:09 +0100, Ian Collins <i...@ianshome.com> wrote:
>>> may be you need to run attach -U instead
>>
>> -U? There isn't a documented -U option.
>
> zoneadm attach -U was a new feature we introduced with s10 Update 9 to perform a full update, pls. refer to page #4 here
>
> http://blogs.sun.com/batschul/resource/s10u9-zones-news.pdf

Ah, thanks. I didn't think to check the Solaris 10 docs.

--
Ian.
Re: [zones-discuss] Problem booting Solaris 10 zone imported form Solaris 11 express
On 12/15/11 04:16 AM, Mike Gerdts wrote:

snips

> At this point, the zone should be bootable on Solaris 11. I've filed:
>
> 7121298 dsconvert should prevent conversion if not at right S10 patch level
>
> Sorry for the troubles you had.

I'm away for a couple of weeks, so I'll try this and report back on my return.

--
Ian.
[zones-discuss] New zone configuration screens
I just created my first zone on Solaris 11.

Congratulations on the new configuration screens, they are a big improvement.

--
Ian.
Re: [zones-discuss] Problem booting Solaris 10 zone imported form Solaris 11 express
On 12/14/11 04:48 PM, John D Groenveld wrote:
> In message <4ee8183b.2050...@ianshome.com>, Ian Collins writes:
>> The zone originally came from a Solaris 10 update 9 system. How do I go about patching it?
>
> Can you v2v the zone back to an S10 system and then apply the latest patches there?

I was hoping no one would suggest that!

--
Ian.
Re: [zones-discuss] Problem booting Solaris 10 zone imported form Solaris 11 express
On 12/14/11 05:06 PM, Mike Gerdts wrote:
> On Wed 14 Dec 2011 at 05:02PM, Ian Collins wrote:
>> On 12/14/11 04:54 PM, Ian Collins wrote:
>>> On 12/14/11 04:48 PM, John D Groenveld wrote:
>>>> In message <4ee8183b.2050...@ianshome.com>, Ian Collins writes:
>>>>> The zone originally came from a Solaris 10 update 9 system. How do I go about patching it?
>>>>
>>>> Can you v2v the zone back to an S10 system and then apply the latest patches there?
>>>
>>> I was hoping no one would suggest that!
>>
>> That's probably harder than it appears, the zone's root zfs filesystems have been migrated, so they can't be sent back to an older OS version.
>
> By this, do you mean that you ran /usr/lib/brand/shared/dsconvert?

Yes.

--
Ian.
Re: [zones-discuss] Zone Not Starting Properly?
On 12/ 2/11 06:07 AM, Derek McEachern wrote:
> System has 72GB RAM xeon cpu - 2 socket - 4 core - 16 thread zoneroot is on ufs filesystem on its own drive, separate from OS.

That (UFS) is a strange choice for a recent Solaris 10 version. You lose the useful zones/ZFS features such as cloning.

--
Ian.
Re: [zones-discuss] Zone Not Starting Properly?
On 12/ 2/11 05:39 AM, Derek McEachern wrote:
> Have a peculiar problem that I haven't seen before. When starting a system that has about 35 - 40 zones on it occasionally we see that one of the zones doesn't come up properly. You can log into the zone but none of the /etc/rc3.d scripts have been run.

The same zone, or a random one?

What happens if you halt one or more zones before rebooting? Is there a threshold where the problem begins to occur?

--
Ian.
Re: [zones-discuss] Zone Not Starting Properly?
On 12/ 2/11 10:30 AM, Derek McEachern wrote:
> On Thu, Dec 1, 2011 at 2:48 PM, Ian Collins <i...@ianshome.com> wrote:
>> On 12/ 2/11 05:39 AM, Derek McEachern wrote:
>>> Have a peculiar problem that I haven't seen before. When starting a system that has about 35 - 40 zones on it occasionally we see that one of the zones doesn't come up properly. You can log into the zone but none of the /etc/rc3.d scripts have been run.
>>
>> The same zone, or a random one?
>>
>> What happens if you halt one or more zones before rebooting? Is there a threshold where the problem begins to occur?
>
> Random zone. We've been testing to see if there is a threshold of trying to start too many in parallel but so far we don't see anything. We saw the problem trying to start 3 zones in parallel but it was very intermittent. Like 1 out of every 4 tries at starting all 40 zones we would see 1 failure.
>
> We ran some tests starting 10 zones in parallel and so far no errors. Our assumption was that if it was load related moving from 3 to 10 zones we would see problems.

I have several systems that start 10 or more zones and I've never seen any problems.

I agree with the comment elsewhere that you should be using SMF rather than rc scripts to start services. It is also possible to create SMF services with the appropriate dependencies to start your zones in the correct order.

--
Ian.
Re: [zones-discuss] Zone Not Starting Properly?
On 12/ 2/11 10:36 AM, Derek McEachern wrote:
> We haven't made the jump to zfs yet :-) We do lose some useful features but haven't spent the time to port our stuff over to use zfs.

Make the jump sooner rather than later or you will flounder on Solaris 11.

--
Ian.
Re: [zones-discuss] Expanding the set of packages installed into a Zone?
On 11/12/11 03:24 AM, Mike Gerdts wrote:
> On Fri 11 Nov 2011 at 09:41AM, Ian Collins wrote:
>> On 11/11/11 09:20 AM, Mike Gerdts wrote:
>>> On Fri 11 Nov 2011 at 08:41AM, Ian Collins wrote:
>>>> Solaris 11 Express with the latest updates from the support repo.
>>>>
>>>> I'm getting an odd problem creating zones and I wanted to check the package list:
>>>>
>>>> Package State Update Phase 45/45
>>>> Image State Update Phase 2/2
>>>> Installing: Additional Packages (output follows)
>>>> Creating Planpkg: 'SUNWbip' matches multiple packages
>>>> SUNWbip
>>>> compatibility/packages/SUNWbip
>>>> ERROR: failed to install package
>>>>
>>>> I removed SUNWbip from /usr/lib/brand/ipkg/pkgcreatezone and the zone installed OK. I'll add the package in the zone later.
>>>>
>>>> Someone should have a look at a proper fix!
>>>
>>> I believe that it is already fixed in
>>>
>>> pkg://solaris/system/zones/brand/ipkg@0.5.11,5.11-0.151.0.1.13:20111025T185520Z
>>>
>>> I think (but do not know) that you should be able to fix the problem you are seeing with:
>>>
>>> # pkg update pkg://solaris/system/zones/brand/ipkg
>>>
>>> Based on the dependencies in that package, it looks like that will also update pkg:/package/pkg to 0.5.11-0.151.0.1.13 as well.
>>
>> Odd, I had done a pkg update to get the latest bits, so
>>
>> pfexec pkg update pkg://solaris/system/zones/brand/ipkg
>> No updates available for this image.
>>
>> The problem occurred both before and after the update.
>>
>> Oh well, I was only adding the zone to make sure the upgrade to Solaris 11 worked OK on supported Express system!
>
> That seems odd. What do the following tell you?
>
> pkg list -af system/zones/brand/ipkg
> pkg update -v pkg://solaris/system/zones/brand/ipkg@0.5.11,5.11-0.151.0.1.13:20111025T185520Z

I was wrong in my comment, it turns out I had forgotten to reboot into the new BE. But as anyone who has tried it knows, the latest update creates an unbootable BE, so I had to work with the original.

--
Ian.
Re: [zones-discuss] Expanding the set of packages installed into a Zone?
On 11/11/11 02:39 AM, Mike Gerdts wrote:
> On Thu 10 Nov 2011 at 08:32PM, Ian Collins wrote:
>> On 10/10/11 07:20 PM, Edward Pilatowicz wrote:
>>> On Fri, Oct 07, 2011 at 12:23:30PM -0700, Michael Speer wrote:
>>>> All,
>>>>
>>>> I have two questions based on what I have been seeing where I don't see packages of interest being installed into a zone I create when the package exists in the global zone.
>>>>
>>>> 1) Where is the list of packages kept that will be installed into new zone? How does this list get modified?
>>>
>>> by default packages that get installed into a zone are specified in the default AI manifest used to install zones. you can find that manifest here:
>>> /usr/share/auto_install/manifest/zone_default.xml
>>
>> I can't see that file (or the auto_install directory) on any of my systems. Has it moved?
>
> That file exists in Solaris 11 as part of the auto-install-common package:
>
> $ pkg search /usr/share/auto_install/manifest/zone_default.xml
> INDEX ACTION VALUE PACKAGE
> path file usr/share/auto_install/manifest/zone_default.xml pkg:/system/install/auto-install/auto-install-common@0.5.11-0.175.0.0.0.2.1482
>
> With Solaris 11 Express, the list of packages was hard coded into scripts under /usr/lib/brand/ipkg.
>
> What are you running?

Solaris 11 Express with the latest updates from the support repo.

I'm getting an odd problem creating zones and I wanted to check the package list:

    Package State Update Phase 45/45
    Image State Update Phase 2/2
    Installing: Additional Packages (output follows)
    Creating Planpkg: 'SUNWbip' matches multiple packages
    SUNWbip
    compatibility/packages/SUNWbip
    ERROR: failed to install package

--
Ian.
Re: [zones-discuss] Expanding the set of packages installed into a Zone?
On 11/11/11 08:01 AM, Ian Collins wrote:
> On 11/11/11 02:39 AM, Mike Gerdts wrote:
>> On Thu 10 Nov 2011 at 08:32PM, Ian Collins wrote:
>>> On 10/10/11 07:20 PM, Edward Pilatowicz wrote:
>>>> by default packages that get installed into a zone are specified in the default AI manifest used to install zones. you can find that manifest here:
>>>> /usr/share/auto_install/manifest/zone_default.xml
>>>
>>> I can't see that file (or the auto_install directory) on any of my systems. Has it moved?
>>
>> That file exists in Solaris 11 as part of the auto-install-common package:
>>
>> $ pkg search /usr/share/auto_install/manifest/zone_default.xml
>> INDEX ACTION VALUE PACKAGE
>> path file usr/share/auto_install/manifest/zone_default.xml pkg:/system/install/auto-install/auto-install-common@0.5.11-0.175.0.0.0.2.1482
>>
>> With Solaris 11 Express, the list of packages was hard coded into scripts under /usr/lib/brand/ipkg.
>>
>> What are you running?
>
> Solaris 11 Express with the latest updates from the support repo.
>
> I'm getting an odd problem creating zones and I wanted to check the package list:
>
> Package State Update Phase 45/45
> Image State Update Phase 2/2
> Installing: Additional Packages (output follows)
> Creating Planpkg: 'SUNWbip' matches multiple packages
> SUNWbip
> compatibility/packages/SUNWbip
> ERROR: failed to install package

I removed SUNWbip from /usr/lib/brand/ipkg/pkgcreatezone and the zone installed OK. I'll add the package in the zone later.

Someone should have a look at a proper fix!

--
Ian.
Re: [zones-discuss] Expanding the set of packages installed into a Zone?
On 11/11/11 09:20 AM, Mike Gerdts wrote:
> On Fri 11 Nov 2011 at 08:41AM, Ian Collins wrote:
>> Solaris 11 Express with the latest updates from the support repo.
>>
>> I'm getting an odd problem creating zones and I wanted to check the package list:
>>
>> Package State Update Phase 45/45
>> Image State Update Phase 2/2
>> Installing: Additional Packages (output follows)
>> Creating Planpkg: 'SUNWbip' matches multiple packages
>> SUNWbip
>> compatibility/packages/SUNWbip
>> ERROR: failed to install package
>>
>> I removed SUNWbip from /usr/lib/brand/ipkg/pkgcreatezone and the zone installed OK. I'll add the package in the zone later.
>>
>> Someone should have a look at a proper fix!
>
> I believe that it is already fixed in
>
> pkg://solaris/system/zones/brand/ipkg@0.5.11,5.11-0.151.0.1.13:20111025T185520Z
>
> I think (but do not know) that you should be able to fix the problem you are seeing with:
>
> # pkg update pkg://solaris/system/zones/brand/ipkg
>
> Based on the dependencies in that package, it looks like that will also update pkg:/package/pkg to 0.5.11-0.151.0.1.13 as well.

Odd, I had done a pkg update to get the latest bits, so

    pfexec pkg update pkg://solaris/system/zones/brand/ipkg
    No updates available for this image.

The problem occurred both before and after the update.

Oh well, I was only adding the zone to make sure the upgrade to Solaris 11 worked OK on supported Express system!

> Play time...
>
> I'm sure there's a documented way that is a bit more customer friendly, but there's another way that is much more fun... Here begins a short tour through some of the bowels of packaging. Most of what I discuss below is not an interface. It may change at any time.
>
> First, I went to:
>
> http://pkg.oracle.com/solaris/release/
>
> I clicked advanced search, entered ipkg (because I knew this was the tail end of the package name) in the search field, selected Show all versions, then clicked the Advanced Search button.
>
> It showed me a list of packages, starting with:
>
> system/zones/brand/ipkg@0.5.11,5.11-0.151.0.1.13:20111025T185520Z
>
> which has a timestamp of October 25 (20111025). That looked promising. I clicked on the manifest and found the payload hash for pkgcreatezone from this line:
>
> file e95f13b8e67663890f420fc80814b62e473773e0 chash=51dc959c9d234ed9b2c33897a81c84bc86a77178 group=bin mode=0755 owner=root path=usr/lib/brand/ipkg/pkgcreatezone pkg.csize=6642 pkg.size=19838
>
> That told me that I could find the new pkgcreatezone at http://pkg.oracle.com/solaris/release/file/1/e95f13b8e67663890f420fc80814b62e473773e0. Obvious, right? :)
>
> I saved that file, then used gzcat to see that all the package names are now fully qualified. Also, SUNWbip is no longer in the list. If SUNWbip were still needed, fully qualifying the name (e.g. pkg:/SUNWbip) would have done the trick.

I really should have read all those caiman-discuss mails!

--
Ian.
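
An integrity check for the manual retrieval described in the message above, as an added example that is not part of the original post or of the pkg tooling: it parses the quoted manifest line, rebuilds the download URL, and checks a fetched payload before it is trusted. It assumes the positional hash is the SHA-1 of the uncompressed file and chash the SHA-1 of the gzip-compressed bytes the depot serves; the sample payload is constructed.

```python
import gzip
import hashlib
import re
import shlex
import zlib

# Manifest line and repository URL as quoted in the message above.
PAGE_ACTION = (
    "file e95f13b8e67663890f420fc80814b62e473773e0 "
    "chash=51dc959c9d234ed9b2c33897a81c84bc86a77178 group=bin mode=0755 "
    "owner=root path=usr/lib/brand/ipkg/pkgcreatezone "
    "pkg.csize=6642 pkg.size=19838"
)
DEPOT = "http://pkg.oracle.com/solaris/release/"
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def parse_file_action(line):
    """Return a dict with the positional payload hash and key=value attributes."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "file":
        raise ValueError("not a file action: %r" % line)
    action = {"hash": tokens[1]}
    for token in tokens[2:]:
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError("malformed attribute: %r" % token)
        action[key] = value
    for field in ("hash", "chash"):
        if field in action and not SHA1_RE.match(action[field]):
            raise ValueError("%s is not a SHA-1 hex digest" % field)
    return action


def payload_url(depot, action):
    """URL layout taken from the message: <depot>/file/1/<payload hash>."""
    return "%s/file/1/%s" % (depot.rstrip("/"), action["hash"])


def verify_payload(action, compressed):
    """Return the names of the checks that failed (empty list means all passed).

    Assumption: chash/pkg.csize describe the compressed bytes as served,
    hash/pkg.size describe the content after gunzip.
    """
    failed = []
    if "pkg.csize" in action and len(compressed) != int(action["pkg.csize"]):
        failed.append("pkg.csize")
    if "chash" in action and sha1_hex(compressed) != action["chash"]:
        failed.append("chash")
    try:
        content = gzip.decompress(compressed)
    except (OSError, EOFError, zlib.error):
        failed.append("gzip")  # truncated or not gzip at all
        return failed
    if "pkg.size" in action and len(content) != int(action["pkg.size"]):
        failed.append("pkg.size")
    if sha1_hex(content) != action["hash"]:
        failed.append("hash")
    return failed


def constructed_sample(content=b"#!/bin/ksh\n# constructed stand-in script\n"):
    """Build a matching (manifest line, compressed payload) pair for testing."""
    compressed = gzip.compress(content)
    line = ("file %s chash=%s group=bin mode=0755 owner=root "
            "path=usr/lib/brand/ipkg/pkgcreatezone pkg.csize=%d pkg.size=%d"
            % (sha1_hex(content), sha1_hex(compressed),
               len(compressed), len(content)))
    return line, compressed


if __name__ == "__main__":
    print(payload_url(DEPOT, parse_file_action(PAGE_ACTION)))
    line, blob = constructed_sample()
    action = parse_file_action(line)
    print("intact payload:", verify_payload(action, blob) or "ok")
    swapped = gzip.compress(b"#!/bin/ksh\n# different content\n")
    print("swapped payload:", verify_payload(action, swapped))
    print("truncated payload:", verify_payload(action, blob[:-12]))
```

A payload that fails any check should be discarded rather than copied over /usr/lib/brand/ipkg/pkgcreatezone, since that script runs as root during zone installation.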
Re: [zones-discuss] Old publishers stopping zoneadm attach -u in Solaris 11?
On 11/10/11 02:40 PM, John D Groenveld wrote:
> In message <4ebb2534.80...@ianshome.com>, Ian Collins writes:
>> I have removed all reference to them in the global zone:
>>
>> # pkg publisher
>> PUBLISHER   TYPE     STATUS   URI
>> solaris     origin   online   http://pkg.oracle.com/solaris/release/
>
> IIRC I had to remove pkg.opensolaris.org from ZONE_ROOT/var/pkg/cfg_cache

That file/directory is no longer present.

--
Ian.
Re: [zones-discuss] Old publishers stopping zoneadm attach -u in Solaris 11?
On 11/10/11 03:07 PM, Edward Pilatowicz wrote:
> you should safely be able to delete that publisher from the zones. (in s11, zones inherit publishers from the global zone so they don't actually need any local publisher configuration.)

How would I do that from outside of the zone?

--
Ian.
Re: [zones-discuss] Expanding the set of packages installed into a Zone?
On 10/10/11 07:20 PM, Edward Pilatowicz wrote:
> On Fri, Oct 07, 2011 at 12:23:30PM -0700, Michael Speer wrote:
>> All,
>>
>> I have two questions based on what I have been seeing where I don't see packages of interest being installed into a zone I create when the package exists in the global zone.
>>
>> 1) Where is the list of packages kept that will be installed into new zone? How does this list get modified?
>
> by default packages that get installed into a zone are specified in the default AI manifest used to install zones. you can find that manifest here:
> /usr/share/auto_install/manifest/zone_default.xml

I can't see that file (or the auto_install directory) on any of my systems. Has it moved?

--
Ian.
Re: [zones-discuss] Expanding the set of packages installed into a Zone?
On 11/10/11 08:32 PM, Ian Collins wrote:
> On 10/10/11 07:20 PM, Edward Pilatowicz wrote:
>> On Fri, Oct 07, 2011 at 12:23:30PM -0700, Michael Speer wrote:
>>> All,
>>>
>>> I have two questions based on what I have been seeing where I don't see packages of interest being installed into a zone I create when the package exists in the global zone.
>>>
>>> 1) Where is the list of packages kept that will be installed into new zone? How does this list get modified?
>>
>> by default packages that get installed into a zone are specified in the default AI manifest used to install zones. you can find that manifest here:
>> /usr/share/auto_install/manifest/zone_default.xml
>
> I can't see that file (or the auto_install directory) on any of my systems. Has it moved?

Sorry to reply to myself, but I see this was added in build 167 and is there in Solaris 11. How about Solaris Express systems?

--
Ian.
[zones-discuss] zone hostname that won't go away
This is an odd one!

I have an exclusive IP zone I want to reconfigure (full up to date Solaris 11 Express). sys-unconfig runs through OK, but on reboot the old hostname reappears and the configure screens start at the system part of a subnet screen.

Removing /etc/inet/hosts.saved from the zone fixed the problem.

--
Ian.
Re: [zones-discuss] zone v2v: Solaris 10 - Solaris 11 Express
On 10/12/11 09:38 AM, Maidak Alexander J wrote:
> I took a native zone from Solaris 10 and attempted to v2v migrate it to a Solaris 10 branded zone on Solaris 11 Express 151.0.1.8.
>
> I just detached the zone from Solaris 10 and did a zfs send|zfs recv for the zonepath dataset (/s10zone/zonepath) to Solaris 11.
>
> I issued:
> zonecfg -z s10zone create -a /s10zone/zonepath
>
> To copy over the zonecfg and then changed the brand from native to solaris10.
>
> I then moved the original Solaris 10 zonepath to /s10zone/s10zonepath, then I attached the zone with the -d option as follows:
>
> root@solaris11:/# zoneadm -z s10zone attach -d /s10zone/s10zonepath/root/
> Log File: /var/tmp/s10zone.attach_log.swaW8f
> Attaching...
> Attach complete.
> Log File: /s10zone/zonepath/root/var/log/s10zone.attach2955.log
>
> root@solaris11:/# cat /s10zone/zonepath/root/var/log/s10zone.attach2955.log
> [Tuesday, October 11, 2011 01:39:46 PM CDT] Log File: /var/tmp/s10zone.attach_log.swaW8f
> [Tuesday, October 11, 2011 01:39:46 PM CDT] Attaching...
> [Tuesday, October 11, 2011 01:39:46 PM CDT] Sanity Check: Passed. Looks like a Solaris 10 image.
> [Tuesday, October 11, 2011 01:39:46 PM CDT ] directory
> [Tuesday, October 11, 2011 01:39:46 PM CDT]
> [Tuesday, October 11, 2011 01:39:46 PM CDT] cd /s10zone/s10zonepath/root/ find bin etc export home home1 infrtool kernel lib mnt net none opt platform sbin system usr var -xdev ( -type d -o -type f -o -type l ) -print |
> [Tuesday, October 11, 2011 01:39:46 PM CDT] cpio -pdm /s10zone/zonepath/root
> cpio: Cannot chown() /s10zone/zonepath/root/etc/globalname, errno 30, Read-only file system
> cpio: Unable to reset modification time for globalname, errno 30, Read-only file system
> cpio: Cannot chmod() /s10zone/zonepath/root/etc/globalname, errno 30, Read-only file system
> 11156672 blocks
> 3 error(s)
> [Tuesday, October 11, 2011 01:45:17 PM CDT] Sanity Check: Passed. Looks like a Solaris 10 image.
> [Tuesday, October 11, 2011 01:45:17 PM CDT]
> [Tuesday, October 11, 2011 01:45:18 PM CDT] Attach complete.
>
> Looked like everything went fine, great... Then I noticed that this cpio + find method did not migrate the . files/directories from the old zone root into the newly created zone root (example: .ssh).
>
> Is this a bug, or were my methods defective? Advice on this would be helpful.

Have you tried the method documented here?

http://download.oracle.com/docs/cd/E19963-01/html/821-1460/gjroc.html

I have been using this without any problems for a while to migrate Solaris 10 zones.

--
Ian.
[zones-discuss] zones toast after updating Solaris 11 Express system
Before I go through the pain of logging a support call, has anyone seen or fixed the following problem:

I ran an update on a fresh Solaris 11 Express system from the support repository and after restarting, all the system's zones are dead. The zone consoles report:

    SunOS Release 5.11 Version 151.0.1.8 64-bit
    Copyright (c) 1983, 2010, Oracle and/or its affiliates. All rights reserved.
    Requesting System Maintenance Mode
    (See /lib/svc/share/README for more information.)
    svc:/system/early-manifest-import:default signalled: SYS

The log file shows:

    # more /var/svc/log/system-early-manifest-import:default.log
    svccfg: Loaded 100 smf(5) service descriptions
    /etc/svc system profiles not found: upgrade system profiles
    /lib/svc/method/manifest-import[447]: import_manifests: line 259: 1933: Bad system call(coredump)
    /lib/svc/method/manifest-import[447]: import_manifests: line 259: 2424: Bad system call(coredump)
    /lib/svc/method/manifest-import[447]: import_manifests: line 259: 3317: Bad system call(coredump)

/lib/svc/method/manifest-import is crashing:

    3482: lstat64(/etc/svc/volatile/manifest_import.3465, 0x08047CE0) = 0
    3482: unlinkat() Err#89 ENOSYS
    3482: Received signal #12, SIGSYS [default]
    3482: siginfo: SIG#0

Any clues?

--
Ian.
Re: [zones-discuss] Has the restriction on sharing from a zone been removed yet?
On 09/30/11 09:45 AM, Nico Williams wrote:
> On Thu, Sep 29, 2011 at 3:28 PM, Jeff Victor <jeff.j.vic...@gmail.com> wrote:
>> The general rule is convince product management that there is a business reason to invest the engineer(s) and it will get done.
>
> IMO, for backports, the bar should be much higher. The vendor should compute the cost of the backport *including* the cost of opportunity, and including the further cost of opportunity involved in encouraging more backports by the mere fact of having done one backport (if the customer believes they can put off upgrading forever then the pressure to backport more and more features will rise). If the value of doing the backport *significantly* exceeds that cost, then, sure, do the backport.

But adding smb server support to a zone isn't a backport, it's a new innovative feature!

I'm sure we aren't the only site who has consolidated older fileservers into zones and would like to use native services in those zones.

--
Ian.
Re: [zones-discuss] Has the restriction on sharing from a zone been removed yet?
On 09/29/11 09:50 AM, Edward Pilatowicz wrote: nfs server is now supported in a zone on s11. smb server is not. OK, thanks Ed. I thought the original ARC case for PRIV_SYS_SHARE would have enabled both? -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
[zones-discuss] Has the restriction on sharing from a zone been removed yet?
Has the restriction on sharing ZFS filesystems via nfs or smb from a zone been removed in the Solaris 11 branch yet? If not, will it be? Thanks. -- Ian.
[zones-discuss] Odd install failure
I just tried adding a new zone to an 11 Express system with a number of existing zones and I got the following failure:

zoneadm -z ares install
A ZFS file system has been created for this zone.
Certificate '/var/pkg/ssl/OpenSolaris_extras.certificate.pem' has expired. Please install a valid certificate.
Certificate '/var/pkg/ssl/OpenSolaris_extras.certificate.pem' has expired. Please install a valid certificate.
ERROR: Unable to create the zone's ZFS dataset.

I've never seen this one before.. Some of the ZFS filesystems are there:

rpool/zoneRoot/ares       62K  412G  31K  /zoneRoot/tait_ares
rpool/zoneRoot/ares/ROOT  31K  412G  31K  legacy

-- Ian.
Re: [zones-discuss] Odd install failure
On 05/ 5/11 11:36 AM, Ian Collins wrote:

I just tried adding a new zone to an 11 Express system with a number of existing zones and I got the following failure:

zoneadm -z ares install
A ZFS file system has been created for this zone.
ERROR: Unable to create the zone's ZFS dataset.

It turns out this was an old problem - another pool has a filesystem called zoneRoot (but not the same mountpoint). Exporting this pool fixes the issue. I'd even filed a bug (a duplicate of *Bug 15594* https://defect.opensolaris.org/bz/show_bug.cgi?id=15594 which I see is fixed in b157) for this last year!

-- Ian.
Re: [zones-discuss] Recommended cluster patch
On 02/20/11 09:21 AM, Sanjay Akula wrote: Installed latest Solaris 10 Recommended cluster patch, after applying the Recommended cluster patch system was rebooted -- -r and after system boot into multi user mode the new kernel patch did not loaded Generic_144488-06. The output of verbose output is as follows snip Need help on this issue. You've asked in the wrong place, try comp.unix.solaris or open a support call. -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] unable to upgrade from b111 to b134
On 12/23/10 12:41 AM, gerard henry wrote:

hello all, i have a sun x4150 with 4 zones (b111). I want to upgrade to b134, before upgrading to S11express. The process fails. As a workaround, i'm trying to move zones on another server in b134. So i'm trying to follow the official document found here:

What happens if you detach the zones, upgrade and then reattach with -u?

-- Ian.
Re: [zones-discuss] Copy a working zone from one server to a second server
On 12/ 8/10 05:48 PM, Taylor, Matthew wrote: Thank you sir. I had forgotten, overlooked, or other wise failed to try doing a -F to force the attachment. I tried that and it shows as installed, then was able to boot it. Before that I got these errors: zoneadm -z myzone attach These packages installed on this system were not installed on the source system: SUNWebrg (1.1.0,REV=2006.04.06.22.41) SUNWeupdatemgru (0.1,REV=2005.07.01.10.54) SUNWezfsg (1.0,REV=2006.10.14.22.57) SUNWfbrg (1.1.0,REV=2006.04.06.22.48) SUNWfupdatemgru (0.1,REV=2005.07.01.10.54) SUNWfzfsg (1.0,REV=2006.10.14.23.04) SUNWj5dev (1.5.0,REV=2004.12.07.00.07) SUNWjato (2.1.2,REV=2005.01.09.23.05) SUNWjhdev (2.0,REV=2006.10.04) SUNWmcon (3.0.2,REV=2006.12.08.20.48) SUNWmconr (3.0.2,REV=2006.12.08.20.48) SUNWmcos (3.0.2,REV=2006.12.08.20.48) SUNWmcosx (3.0.2,REV=2006.12.08.20.48) SUNWmctag (3.0.2,REV=2006.12.08.20.48) SUNWtcatu (11.10.0,REV=2005.01.08.05.16) SUNWzfsgr (1.0,REV=2006.10.24.22.49) SUNWzfsgu (1.0,REV=2006.10.24.22.49) These patches installed on this system were not installed on the source system: 122860-06 122911-24 123661-05 125952-20 141104-02 Ah, so the two servers aren't identical. One more thing left to try: attach -u which should take care of the missing patches, but I'm not sure about the missing packages. -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Copy a working zone from one server to a second server
On 12/ 8/10 05:03 PM, Taylor, Matthew wrote: I have three V245 servers with identical architecture, running latest Solaris 10. I have configured a whole root zone using shared IP on one of the servers. I was able to easily clone a second copy of the zone on the first server. I have everything in the zone the way I want it, locked down, user accounts created, correct patches and packages, etc. Is it possible to copy this working (but halted) zone from one server to a second server? I do not want to move / migrate it to a new server, I want to put a working copy over, change the zone name and host name, etc., and fire it up so I don't have to do all the work for each server. I have read and followed the Oracle white paper How to Move an Oracle® Solaris Container with no success. Unfortunately the examples in the paper are for sparse zones. The problem I hit is I can get the date copied over, and run zonefg with no problem, but when I try to attach the zone, let alone when I tried to boot it (just in case it just worked) I get a zone not installed error. What is the exact output when you attempt to attach the zone? Can you force (-F) the attach? I've copied zones between systems several times without errors. -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] ON SMB/NFS server support for non-global zones
On 12/ 4/10 02:42 PM, Fabian R. Breschi wrote: Hello, I have installed SUNWsmba on a non-global zone as well as in the global zone The global zone is okay, while the non-global zone it doesn't looks like to reply correctly to incoming connections. Has anybody had this type of problem? maybe there's no support for SUNWsmba in a non-global zone? Samba works fine in zones, I have a number of former Samba servers visualised into zones. I was trying to figure out how to overcome the not-supported native NFS service for non-global zones, any suggestions? You can't. -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] ON SMB/NFS server support for non-global zones
On 12/ 6/10 03:14 AM, Fabian R. Breschi wrote: On 12/ 4/10 02:42 PM, Fabian R. Breschi wrote: Hello, I have installed SUNWsmba on a non-global zone as well as in the global zone The global zone is okay, while the non-global zone it doesn't looks like to reply correctly to incoming connections. Has anybody had this type of problem? maybe there's no support for SUNWsmba in a non-global zone? Samba works fine in zones, I have a number of former Samba servers visualised into zones. Former means pkg:/SUNWsmba or pkg:/service/network/samba? Former means Solaris 8 9! The zones run on Solaris 10, using the bundled Samba. -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Possible to use zones for hardening? Security?
On 11/25/10 11:08 PM, Petr Benes wrote: I bet VBox can't run inside the local zone. See the rest of this thread! -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Unable to add physical device to new zone
On 11/19/10 03:40 AM, John D Groenveld wrote: In message4ce45077.3080...@ianshome.com, Ian Collins writes: zone 'test': WARNING: unable to add network interface 'rge0': link busy zone 'test': failed to add network device: Device busy Any ideas? Shot in the dark, does NWAM have a hold of it? Assuming you have console access: # svcadm disable svc:/network/physical:nwam # svcadm disable svc:/network/physical:default My WAG is based on some recent odd results from ifconfig(1M) on Solaris 11 Express that I need to investigate more. Yes, that was how I ended up fixing the problem. -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
[zones-discuss] All zones continuously core dump after upgrade to Solaris Express
I run through the upgrade process on a system with half a dozen zones and on restart, they all get locked into a core dump/restart loop: Nov 19 07:57:50 i7 genunix: [ID 729207 kern.warning] WARNING: init(1M) for zone webhost (pid 3094) core dumped on signal 12: restarting automatically They all run through this cycle in tight loops. Oops. -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] All zones continuously core dump after upgrade to Solaris Express
On 11/19/10 08:26 AM, John D Groenveld wrote: In message4ce57afe.9070...@ianshome.com, Ian Collins writes: I run through the upgrade process on a system with half a dozen zones and on restart, they all get locked into a core dump/restart loop: Nov 19 07:57:50 i7 genunix: [ID 729207 kern.warning] WARNING: init(1M) for zone webhost (pid 3094) core dumped on signal 12: restarting automatically They all run through this cycle in tight loops. I saw this on one Express upgrade. I usually halt, detach, image-update, and attach -u, but on my failed update I neglected to detach the zone. Whoops. I halted the zone, detached, and after some failed attempts to attach with zoneadm discovered that there was ZFS clone of the zone's zbe. I performed a zfs send -R of the source snapshot, destroyed the source ZFS and the dependant clone, and restored the original zbe. I was able to get the attach -u to subsequently worked. Also, I sacrificed a chicken but not sure whether that helped. Well that's me buggered, I don't have any on hand! I'm guessing this is a manifestation of the issue Zones Cloned by Using zoneadm clone Can Cause a Snapshot Name Collision When You Activate a Boot Environment (10990) mentioned in the release notes. I had assumed I wouldn't have this problem because I wasn't upgrading from 2009.06 and I haven't (consciously) used zoneadm clone. -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] All zones continuously core dump after upgrade to Solaris Express
On 11/19/10 09:12 AM, Steve Lawrence wrote:

What build are you upgrading from?

134 through 134b as recommended in the release notes.

Is this during the attach -u portion of the upgrade for each zone?

It happens after rebooting into the new BE. I didn't detach the zones before upgrading.

Can you gather any core files (or pstacks of core files)? These might be at zonepath/root/

pstack is short:

core '/tmp/xx/zoneRoot/webhost/root/core' of 3094:/sbin/init
feef3c97 _fxstat (0, 8047560, 180, 8058927) + 7
08058973 st_init (fee201a8, 38, 0, fefccc54, 0, feffb804) + 8f
080543dc main (1, 8047f6c, 8047f74, feffb804) + 150
0805418d _start (1, 8047fe0, 0, 0, 7d8, 8047feb) + 7d

I can send the core (it's only 2MB) if that helps.

My guess is that init (in the zone) is starting using a downrev libc (aka libc not upgraded yet), and is making a system call that has changed. 12 is SIGSYS. -Steve

On 11/18/10 11:14 AM, Ian Collins wrote:

I run through the upgrade process on a system with half a dozen zones and on restart, they all get locked into a core dump/restart loop:

Nov 19 07:57:50 i7 genunix: [ID 729207 kern.warning] WARNING: init(1M) for zone webhost (pid 3094) core dumped on signal 12: restarting automatically

They all run through this cycle in tight loops. Oops.

-- Ian.
Re: [zones-discuss] All zones continuously core dump after upgrade to Solaris Express
On 11/19/10 10:11 AM, Steve Lawrence wrote:

On 11/18/10 12:38 PM, Ian Collins wrote:

On 11/19/10 09:12 AM, Steve Lawrence wrote:

What build are you upgrading from?

134 through 134b as recommended in the release notes.

Is this during the attach -u portion of the upgrade for each zone?

It happens after rebooting into the new BE. I didn't detach the zones before upgrading.

Oh. In that case, your zones are still downrev at build 134. You need to detach them, and attach them again with -u. I'm not sure if you'll be able to detach them successfully with zoneadm detach. If not, you'll need to boot back to the 134 BE, detach them, and upgrade again.

OK, thanks Steve. This should be made clear in the release notes. The current note isn't strong enough.

-- Ian.
[zones-discuss] Unable to add physical device to new zone
Hello, I'm trying to create a physical IP zone but I can't remove the interface from the global zone. During install I got the following warning:

WARNING: skipping network interface 'rge0' which is used in the global zone.

So I unplumbed the interface:

ifconfig rge0 inet unplumb
ifconfig rge0 inet6 unplumb

Then attempted to boot, but I get the following error:

zone 'test': WARNING: unable to add network interface 'rge0': link busy
zone 'test': failed to add network device: Device busy

Any ideas?

-- Ian.
Re: [zones-discuss] Zones and storage pools
On 11/ 3/10 02:21 PM, Henrik Johansson wrote: On Nov 3, 2010, at 1:22 AM, Ian Collins wrote: On Nov 3, 2010, at 12:06 AM, Ian Collins wrote: On 11/ 3/10 11:56 AM, Henrik Johansson wrote: I would ideally like to do two things: 1. Have all filesystem configuration for the zone in the pool as we have with the global zone, only specify the pool(s) for the zone and all filesystems would be mounted inside the zone, this without giving away all control to the local zone. Why don't you want the zones to be able to manage their own filesystems? One of the main reasons for zoned filesystems is to allow filesystems to have mount points relative to the zone's root filesystem. It would depend on what kind of users we have in the zone and how the zone is used, for some it would be fine to give away all control for other we would like to keep them from deleting snapshots/datasets or changing properties like quota. If the zones is compromised or if a privileged users does something nasty we would like to be able to rollback it from the global zone only. I guess you can solve those two by setting the quota on the filesystem containing the zoned filesystem and replicating snapshots. I guess replication would solve the problem but with lots of overhead. What? no backups! The quota problem should work if we dedicated a dataset below the pool itself to the zone as it's root dataset. But for some zones we would really like to limit all zfs operations such as rename, destroy and create. The solution to this would be to make sure there are no users inside the zone with such privileges, as long as the zone is not compromised it would be fine. The only option there would be to deny root access to the zone's users. 
Changing properties for the zone could also affect the global zone and other zones on the same global zone, lets say you would enable gzip-9 compression and write lots of data, that would bypass all resource limits for the zone and drastically change the amount of cycles required for zones datasets . Even worse for zones in Solaris.Next you could enable deduplication which could eat the metadata part of the ARC. This would decrease the amount of separation provided by zones with resource management. I can see those being a problem if the cycles consumed by compression are not assigned to the zone (I'm not sure if they are or not), otherwise a zone cpu-cap would protect the rest of the system. As for dedup, don't enable it on the zone dataset pool! The zone is not accounted for the resources consumed by ZFS so that could be a problem. I don't and won't assign gzip compression or deduplication to any datasets, but a privileged user in the zone could do just that. I thought as much, but wasn't sure. I guess what you really want is some form of block on overriding inherited properties. Maybe raise this issue on zfs-discuss? -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] moving zone to another physical system
On 10/25/10 09:36 AM, Anil wrote: On 10/24/10 01:20 PM, Ian Collins wrote: On 10/25/10 09:06 AM, Anil wrote: I know we can do detach/attach to migrate zones, but is there another way (even a hack)? I am concerned about using zones, and if the global zone dies, I want to be able to move the zones to another system, with same or newer OS level. I have the zones on different ZFS pools, so I can move the actual zones by moving the disks. What are some recommendations? Read the zone migration documentation. The disaster recovery scenario you mention is described there. Which document are you referring to? I came across one where it says that you simply have to attach the zone (and it suggested it may work even if it complains it hasn't been detached properly). The administration guides at docs.sun.com. That didn't work. What exactly didn't work? I often send working zones to clone server at a remote site and I haven't had any problems. -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Possible to use zones for hardening? Security?
On 10/ 1/10 09:42 AM, Orvar Korvar wrote: Ok, now I am confused. I want to shut down all internet connection to my global zone. I dont want to shut down the global zone, only the internet connection. I want to reach internet only from local zones. Some of the local zones will have a server application running. Others will just be used for surfing. I will install VirtualBox in the local zones. I don't think you can install VirtualBox in a zone. If you are using VirtualBox, you can use the same networking tricks to get isolation as you would use for a zone. Is this possible or not? Some say yes, other say no? The response you didn't quote answered your question: On 09/30/10 08:38 AM, Glenn Faden wrote: Assuming you're using the shared IP stack (default), it is sufficient for the global zone interface(s) to be plumbed so that the non-global zones can use logical instances of the interface(s). So setting the GZ interfaces as down' will prevent network access to/from the global zone. I believe I should use exclusive-ip in the local zones? Or? You can, but you don't have to. -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Possible to use zones for hardening? Security?
On 10/ 1/10 10:33 AM, Glenn Faden wrote: VBox definitely works in zones. It installs a global zone SMF service, VBoxService, to take care of loading the kernel modules since this can't be done by a NGZ. see http://www.virtualbox.org/changeset/24240 Ah, so I was correct is stating VirtualBox can't be *installed* in a zone. I didn't realise it could be run in a zone when installed in the global zone. -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Add mountpoint to zone without a reboot
On 08/26/10 06:32 AM, Mike DeMarco wrote: Is it possible to add a new zfs filesystem to a zone without rebooting the zone? I have a need to add a filesystem to a zone for a couple of weeks but can not take an outage of the zone. Does it already have a filesystem? If so, can't you create a new one under that? Otherwise no, you'll have to reboot. -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Can I recover zones from a dead system/disk?
On 08/26/10 08:33 AM, Robert Hartzell wrote:

On 08/25/10 01:19 PM, Ian Collins wrote:

Please post the config for the zone.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
<!-- DO NOT EDIT THIS FILE. Use zonecfg(1M) instead. -->
<zone name="bz1" zonepath="/export/zones/bz1" autoboot="false" brand="ipkg" ip-type="exclusive">
  <network address="" physical="vnic2"/>
</zone>

I also noticed that I can't change the mount point from legacy because the data set is in a non global zone. All I really need is to recover the mysql database from the zone.

Two points: Does the root of the zonepath (export/zones) exist? You can set the zoned property of the filesystem to off. I have imported zones by setting zoned off and mounting the zbe filesystem (before I found out about the -d option).

-- Ian.
Re: [zones-discuss] Can I recover zones from a dead system/disk?
On 08/26/10 10:16 AM, Robert Hartzell wrote: Ok I was able to change the zoned property and mount to another location. I was able to recover the database... but still couldn't attach the zone. Now I can get back to working on getting the disk to boot again. Thanks for all the help. No problem, just remember - backups are a wonderful thing! -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Can I recover zones from a dead system/disk?
On 08/19/10 05:56 AM, Robert Hartzell wrote: On 08/17/10 03:28 PM, Ian Collins wrote: On 08/18/10 09:18 AM, Robert Hartzell wrote: I have 2 zones on a disk that I have mounted from a dead system. bertha/zones 6.86G 126G 24K /mnt/export/zones bertha/zones/bz1 6.05G 126G 24K /mnt/export/zones/bz1 bertha/zones/bz1/ROOT 6.05G 126G 21K legacy bertha/zones/bz1/ROOT/zbe 6.05G 126G 6.05G legacy bertha/zones/bz2 821M 126G 24K /mnt/export/zones/bz2 bertha/zones/bz2/ROOT 821M 126G 21K legacy bertha/zones/bz2/ROOT/zbe 821M 126G 821M legacy Can I somehow transfer these zones from this disk to a new system? Yes. You can send the filesystems over to the new system and attach the zones. See the instructions for migrating a zone for more details. One step that wasn't in the instructions is the use of the -d option to attach a zone that wasn't detached, so you want something like: zoneadm -z bz1 attach -d bertha/zones/bz1/ROOT/zbe That didn't work because the zone data set isn't mounted completely and I can't figure out how to get it mounted. I'm trying to get the disk to boot but seems to be stuck at: What exactly didn't work? You shouldn't have to mount anything for the steps outlined above to work. -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Can I recover zones from a dead system/disk?
On 08/18/10 09:18 AM, Robert Hartzell wrote:

I have 2 zones on a disk that I have mounted from a dead system.

bertha/zones               6.86G  126G    24K  /mnt/export/zones
bertha/zones/bz1           6.05G  126G    24K  /mnt/export/zones/bz1
bertha/zones/bz1/ROOT      6.05G  126G    21K  legacy
bertha/zones/bz1/ROOT/zbe  6.05G  126G  6.05G  legacy
bertha/zones/bz2            821M  126G    24K  /mnt/export/zones/bz2
bertha/zones/bz2/ROOT       821M  126G    21K  legacy
bertha/zones/bz2/ROOT/zbe   821M  126G   821M  legacy

Can I somehow transfer these zones from this disk to a new system?

Yes. You can send the filesystems over to the new system and attach the zones. See the instructions for migrating a zone for more details. One step that wasn't in the instructions is the use of the -d option to attach a zone that wasn't detached, so you want something like:

zoneadm -z bz1 attach -d bertha/zones/bz1/ROOT/zbe

-- Ian.
Re: [zones-discuss] Branded zones and external hardware
On 08/ 6/10 12:40 AM, Frank Batschulat (Home) wrote: On Thu, 05 Aug 2010 14:03:20 +0200, Richard L. Hamiltonrlha...@smart.net wrote: I would like to upgrade a Thumper we use as a staging server for backups form Solaris 10 to OpenSolaris. The backup application (NetVault) is only supported on Solaris. So my question is: can a branded Solaris 10 zone access the external tape vault? If so are there likely to be any issues with running an application like NetVault within a branded zone? Devices can be assigned to zones. With a disk, that could be a security issue (a corrupted filesystem could crash the whole system, for example). A tape probably wouldn't be as much of a threat, but that's not the same as saying it would be safe. In general, one should consider very carefully the security and reliability implications of assigning devices to zones. the problem with exporting the tape device to a NGZ, which although not supported can be achived as you mention, is that there's no way to exclusive assign that particular tape device to a particular NGZ or to restrict access from the GZ or any other NGZ to that same tape device. that might become a problem if several different users try to use that tape from different NGZs or a NGZ and the GZ, that access may produce a somewhat questionable end result that care must be taken here when setting up such configuration. NetVault will be the exclusive user of the tape unit, so we shouldn't have any issues with attempted multiple access. In some ways I would prefer to run it from a zone. All the other services currently sand-boxed in their own zones, so moving NetVault to a zone will make it the rule rather than the exception. -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Zones on NFS
On 08/ 6/10 01:43 AM, Prasoon Bansal wrote: Hello Benr, I had read all the reply of your query posted on this blog. Which blog? Your post appears to be an orphan. I have the same matching query with the others. As i had configured the non-global zone on nfs shared folder(nfsserver) and this shared folder is mapped onto another host(testzone). I am able to configured and see the status of non-global zone on both the hosts(nfsserver $ testzone). I sucessfully detach my test zone from nfsserver but not able to attached onto testzone as showing the error as zonepath is configured on nfs share folder, local file system must be configured. You should copy the zoneroot to the new host. -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
[zones-discuss] Branded zones and external hardware
hello, I would like to upgrade a Thumper we use as a staging server for backups form Solaris 10 to OpenSolaris. The backup application (NetVault) is only supported on Solaris. So my question is: can a branded Solaris 10 zone access the external tape vault? If so are there likely to be any issues with running an application like NetVault within a branded zone? Thanks, -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
[zones-discuss] Has anyone managed to get a Samba PDC running an an OpenSolaris zone?
Hello, This may not be specific to a PDC, but I have have managed to get Samba running in a non-global zone by adding the sys_smb privilege to the zone's config, but none of the exported shares are visible to windows machines. -- Ian. ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] booting zone after system restart fails with ERROR: no active dataset
On 05/29/10 10:16 AM, Ian Collins wrote:

All the zones fail to boot with the same error

r...@i7:~# zoneadm -z ldap boot
zone 'ldap': ERROR: no active dataset.
zone 'ldap': zoneadm: zone 'ldap': call to zoneadmd failed

Another data point: I just tried creating another zone, with the following config:

r...@i7:~# zonecfg -z test export
create -b
set zonepath=/zoneRoot/test
set brand=ipkg
set autoboot=true
set ip-type=shared
add net
set address=192.168.42.44
set physical=rge0
set defrouter=192.168.42.3
end

The install failed:

r...@i7:~# zoneadm -z test install
A ZFS file system has been created for this zone.
ERROR: Unable to create the zone's ZFS dataset.

It was partly added:

r...@i7:~# zfs list -r rpool/zoneRoot/test
NAME                      USED  AVAIL  REFER  MOUNTPOINT
rpool/zoneRoot/test        42K   542G    21K  /zoneRoot/test
rpool/zoneRoot/test/ROOT   21K   542G    21K  legacy

A manual create worked:

r...@i7:~# zfs create -o mountpoint=legacy rpool/zoneRoot/test/ROOT/zbe
r...@i7:~# zfs list -r rpool/zoneRoot/test
NAME                          USED  AVAIL  REFER  MOUNTPOINT
rpool/zoneRoot/test            63K   542G    21K  /zoneRoot/test
rpool/zoneRoot/test/ROOT       42K   542G    21K  legacy
rpool/zoneRoot/test/ROOT/zbe   21K   542G    21K  legacy

I see in the truss output from the create:

4101: write(2, t o o m a n y a r g.., 19) = 19
4101: write(2, u s a g e :\n, 7) = 7
4101: write(2, \t c r e a t e [ - p ].., 122) = 122
4101: write(2, \n F o r t h e p r o.., 29) = 29
4101: write(2, z f s s e t | g e t, 11) = 11
4101: write(2, \n, 1) = 1
4101: write(2, \n F o r t h e d e l.., 41) = 41
4101: write(2, z f s a l l o w | u n.., 17) = 17
4101: write(2, \n, 1) = 1
4101: _exit(2)

I have the full output if it helps.

-- Ian.
Re: [zones-discuss] booting zone after system restart fails with ERROR: no active dataset
I've tracked down the cause. It was my backup copy of the zone ZFS tree on another pool:

backup/zoneRoot               1.64G  89.3G   26K  /backup/zoneRoot
backup/zoneRoot/svn            439M  89.3G   24K  /backup/zoneRoot/svn
backup/zoneRoot/svn/ROOT       439M  89.3G   21K  legacy
backup/zoneRoot/svn/ROOT/zbe   439M  89.3G  437M  legacy

Even though the mountpoints and ZFS names differ, their presence appears to have been causing confusion. When I export the backup pool, all boots and creates work. So my problem is solved, but there appears to be an issue with keeping backup copies on the same machine.

-- Ian.
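The condition reported in this message and in the earlier "Odd install failure" follow-up (a second imported pool carrying a dataset tree with the same pool-relative names as the zone tree) can be checked for before a reboot or install. This is an added example, not part of the original posts: the function names and the prefix argument are assumptions, and the sample input is constructed from dataset names in the listings in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): report dataset paths that exist,
# relative to the pool name, in more than one imported pool.

# Constructed sample input: dataset names from the listings in this thread,
# one per line, in the form printed by `zfs list -H -o name`.
sample_zfs_names() {
    cat <<'EOF'
rpool
rpool/ROOT
rpool/ROOT/opensolaris
rpool/zoneRoot
rpool/zoneRoot/svn
rpool/zoneRoot/svn/ROOT
rpool/zoneRoot/svn/ROOT/zbe
rpool/zoneRoot/ftp
rpool/zoneRoot/ftp/ROOT
rpool/zoneRoot/ftp/ROOT/zbe
backup
backup/zoneRoot
backup/zoneRoot/svn
backup/zoneRoot/svn/ROOT
backup/zoneRoot/svn/ROOT/zbe
EOF
}

# find_cross_pool_duplicates PREFIX   (hypothetical helper name)
# Reads dataset names on stdin. PREFIX is the pool-relative path of the
# dataset that holds the zone roots ("zoneRoot" in this thread).
# Prints "<pool-relative path> <pool>,<pool>,..." for every dataset at or
# below PREFIX that is present in more than one pool.
find_cross_pool_duplicates() {
    [ -n "$1" ] || { echo "usage: find_cross_pool_duplicates PREFIX" >&2; return 2; }
    awk -F/ -v prefix="$1" '
        NF >= 2 {
            pool = $1
            rel = substr($0, length(pool) + 2)       # strip "<pool>/"
            # keep only PREFIX itself and its descendants
            if (rel != prefix && index(rel, prefix "/") != 1) next
            if (seen[pool, rel]++) next              # ignore repeated lines
            if (rel in pools) {
                pools[rel] = pools[rel] "," pool
            } else {
                pools[rel] = pool
                order[++n] = rel                     # remember first-seen order
            }
            count[rel]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1) print order[i], pools[order[i]]
        }
    '
}

# Stand-alone run on the constructed sample.
sample_zfs_names | find_cross_pool_duplicates zoneRoot
```

On a live system the input would come from `zfs list -H -o name`. In the thread, the fix was to export the pool holding the backup copy.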
Re: [zones-discuss] booting zone after system restart fails with ERROR: no active dataset
On 05/29/10 12:25 AM, Jerry Jelinek wrote:

On 05/26/10 17:14, Ian Collins wrote:

I have just restarted a b133 host with several zones and now none of them will boot. They all report:

# zoneadm -z svn boot
zone 'svn': ERROR: no active dataset.
zone 'svn': zoneadm: zone 'svn': call to zoneadmd failed

I've seen this mentioned as an issue after an upgrade, but this system only has one BE (the active one) and all I have done is a restart. Is there any way to get them back?

You haven't provided any information to enable anyone to help you.

I thought I had, all I did was a reboot.

Are the datasets still there?

Yes.

What does 'zfs list' show?

rpool                         46.3G  542G  81.5K  /rpool
rpool/ROOT                    5.98G  542G    21K  legacy
rpool/ROOT/opensolaris        5.98G  542G  5.93G  /
rpool/build                    438M  542G   424M  /build
rpool/depot                     42K  542G    24K  /depot
rpool/dump                    3.00G  542G  3.00G  -
rpool/export                  16.0M  542G    23K  /export
rpool/export/home             16.0M  542G    23K  /export/home
rpool/export/home/admin       15.9M  542G  15.9M  /export/home/admin
rpool/on                       545M  542G   545M  /rpool/on
rpool/play                    17.0G  542G    27K  /rpool/play
rpool/play/test               6.68G  542G  6.68G  /rpool/play/test
rpool/play/vol10G             10.3G  552G  21.5M  -
rpool/swap                    3.28G  545G  52.3M  -
rpool/vdi                     14.2G  542G  13.9G  /vdi
rpool/zoneRoot                1.28G  542G    26K  /zoneRoot
rpool/zoneRoot/svn             439M  542G    24K  /zoneRoot/svn
rpool/zoneRoot/ftp             472M  542G    24K  /zoneRoot/ftp
rpool/zoneRoot/ftp/ROOT        472M  542G    21K  legacy
rpool/zoneRoot/ftp/ROOT/zbe    472M  542G   470M  legacy
rpool/zoneRoot/ldap           32.9M  542G    25K  /zoneRoot/ldap
rpool/zoneRoot/ldap/ROOT      32.9M  542G    21K  legacy
rpool/zoneRoot/ldap/ROOT/zbe  32.8M  542G   369M  legacy
rpool/zoneRoot/pdc             369M  542G    24K  /zoneRoot/pdc
rpool/zoneRoot/pdc/ROOT        369M  542G    21K  legacy
rpool/zoneRoot/pdc/ROOT/zbe    369M  542G   366M  legacy

None of the zones boot.

What is the zonepath of one of the zones which won't boot? Did you do anything with your BE's on this system since you installed the zone?

zonepath=/zoneRoot/svn
ls /zoneRoot/svn/
dev root

There is only one BE. The system was installed with b133.

-- Ian.
Re: [zones-discuss] booting zone after system restart fails with ERROR: no active dataset
On 05/29/10 09:51 AM, Jerry Jelinek wrote: On 05/28/10 15:16, Ian Collins wrote: What does 'zfs list' show? rpool 46.3G 542G 81.5K /rpool rpool/ROOT 5.98G 542G 21K legacy rpool/ROOT/opensolaris 5.98G 542G 5.93G / rpool/build 438M 542G 424M /build rpool/depot 42K 542G 24K /depot rpool/dump 3.00G 542G 3.00G - rpool/export 16.0M 542G 23K /export rpool/export/home 16.0M 542G 23K /export/home rpool/export/home/admin 15.9M 542G 15.9M /export/home/admin rpool/on 545M 542G 545M /rpool/on rpool/play 17.0G 542G 27K /rpool/play rpool/play/test 6.68G 542G 6.68G /rpool/play/test rpool/play/vol10G 10.3G 552G 21.5M - rpool/swap 3.28G 545G 52.3M - rpool/vdi 14.2G 542G 13.9G /vdi rpool/zoneRoot 1.28G 542G 26K /zoneRoot rpool/zoneRoot/svn 439M 542G 24K /zoneRoot/svn rpool/zoneRoot/ftp 472M 542G 24K /zoneRoot/ftp rpool/zoneRoot/ftp/ROOT 472M 542G 21K legacy rpool/zoneRoot/ftp/ROOT/zbe 472M 542G 470M legacy rpool/zoneRoot/ldap 32.9M 542G 25K /zoneRoot/ldap rpool/zoneRoot/ldap/ROOT 32.9M 542G 21K legacy rpool/zoneRoot/ldap/ROOT/zbe 32.8M 542G 369M legacy rpool/zoneRoot/pdc 369M 542G 24K /zoneRoot/pdc rpool/zoneRoot/pdc/ROOT 369M 542G 21K legacy rpool/zoneRoot/pdc/ROOT/zbe 369M 542G 366M legacy None of the zones boot. What is the zonepath of one of the zones which won't boot? Did you do anything with your BE's on this system since you installed the zone? zonepath=/zoneRoot/svn ls /zoneRoot/svn/ dev root There is only one BE. the system was installed with b133. The svn zone won't boot because there is no zfs dataset for the zonepath root. There should be two datasets named rpool/zoneRoot/svn/ROOT and rpool/zoneRoot/svn/ROOT/zbe. I'm sorry, that was a slip of the past buffer, the datasets are there: rpool/zoneRoot 1.28G 542G26K /zoneRoot rpool/zoneRoot/svn 439M 542G24K /zoneRoot/svn rpool/zoneRoot/svn/ROOT 439M 542G21K legacy rpool/zoneRoot/svn/ROOT/zbe 439M 542G 437M legacy It looks like you have datasets for other zones with zonepaths of /zoneRoot/ftp, /zoneRoot/ldap and /zoneRoot/pdc. 
What is the error you get when you try to boot one of those zones?
All the zones fail to boot with the same error
r...@i7:~# zoneadm -z ldap boot
zone 'ldap': ERROR: no active dataset.
zone 'ldap': zoneadm: zone 'ldap': call to zoneadmd failed
-- Ian.
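A check for the dataset layout Jerry describes above (a zonepath dataset with ROOT and ROOT/zbe children), as an added example that is not part of the original posts. The function name and the embedded sample are assumptions of this example; it tests only that the datasets are listed, not which one zoneadm treats as active.

```shell
#!/bin/sh
# Constructed sample: rows copied from the first `zfs list` paste in the thread
# (columns: NAME USED AVAIL REFER MOUNTPOINT). That paste was later corrected in
# the thread; it is used here because it shows both outcomes.
SAMPLE_ZFS_LIST='rpool/zoneRoot 1.28G 542G 26K /zoneRoot
rpool/zoneRoot/svn 439M 542G 24K /zoneRoot/svn
rpool/zoneRoot/ftp 472M 542G 24K /zoneRoot/ftp
rpool/zoneRoot/ftp/ROOT 472M 542G 21K legacy
rpool/zoneRoot/ftp/ROOT/zbe 472M 542G 470M legacy'

# check_zone_datasets ZONEPATH   (hypothetical helper, not a zones tool)
# Reads `zfs list` rows on stdin, finds the dataset mounted at ZONEPATH and
# reports whether <dataset>/ROOT and <dataset>/ROOT/zbe are both listed.
# Returns 0 if both are listed, 1 if either is missing,
# 2 if no dataset is mounted at ZONEPATH.
check_zone_datasets() {
    awk -v zp="$1" '
        { mnt[$1] = $NF }          # dataset name -> mountpoint column
        $NF == zp { ds = $1 }      # dataset that backs the zonepath
        END {
            if (ds == "") { print "no dataset mounted at " zp; exit 2 }
            n = split("ROOT ROOT/zbe", want, " ")
            for (i = 1; i <= n; i++) {
                child = ds "/" want[i]
                if (!(child in mnt)) missing = missing " " child
            }
            if (missing != "") { print "missing:" missing; exit 1 }
            print "ok: " ds
        }'
}

# Run the check against the embedded sample for two of the thread's zonepaths.
for zp in /zoneRoot/svn /zoneRoot/ftp; do
    printf '%s: ' "$zp"
    printf '%s\n' "$SAMPLE_ZFS_LIST" | check_zone_datasets "$zp" || true
done
```

On a live host the same function can be fed from `zfs list -H -o name,mountpoint` instead of the sample.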
Re: [zones-discuss] booting zone after system restart fails with ERROR: no active dataset
On 05/27/10 11:14 AM, Ian Collins wrote:
I have just restarted a b133 host with several zones and now none of them will boot. They all report:
# zoneadm -z svn boot
zone 'svn': ERROR: no active dataset.
zone 'svn': zoneadm: zone 'svn': call to zoneadmd failed
I've seen this mentioned as an issue after an upgrade, but this system only has one BE (the active one) and all I have done is a restart. Is there any way to get them back?
Anyone? I'd really hate to lose these zones and if there is a lurking bug, it could catch anyone on a production box.
-- Ian.
[zones-discuss] booting zone after system restart fails with ERROR: no active dataset
I have just restarted a b133 host with several zones and now none of them will boot. They all report:
# zoneadm -z svn boot
zone 'svn': ERROR: no active dataset.
zone 'svn': zoneadm: zone 'svn': call to zoneadmd failed
I've seen this mentioned as an issue after an upgrade, but this system only has one BE (the active one) and all I have done is a restart. Is there any way to get them back?
-- Ian.
Re: [zones-discuss] Strange error with ZFS Live Upgrade and Zones
So what is the error?
Casper, I posted the lucreate error and the extract from a debug run up thread. The system I was attempting to upgrade was a fresh install of update 7. lucreate/delete worked fine before installing the update 8 LU packages.
Ian.
Re: [zones-discuss] Strange error with ZFS Live Upgrade and Zones
I see a similar error attempting to create a BE in update 7 with one zone (common) after adding the update 8 LU packages:
Creating clone for rpool/ROOT/10u7ZFSa/zoneRoot/com...@10u8 on rpool/ROOT/10u8/zoneRoot/common-10u8.
cannot mount 'rpool/ROOT/10u8/zoneRoot/common-10u8': legacy mountpoint
use mount(1M) to mount this filesystem
ERROR: Failed to mount dataset rpool/ROOT/10u8/zoneRoot/common-10u8
From the log:
COMMAND=/sbin/zfs clone rpool/ROOT/10u7ZFSa/zoneRoot/com...@10u8 rpool/ROOT/10u8/zoneRoot/common-10u8
+ gettext Executing ZFS clone command: %s.
+ /etc/lib/lu/luprintf -lp2D - Executing ZFS clone command: %s. /sbin/zfs clone rpool/ROOT/10u7ZFSa/zoneRoot/com...@10u8 rpool/ROOT/10u8/zoneRoot/common-10u8
luclonefs: DEBUG(*): Executing ZFS clone command: /sbin/zfs clone rpool/ROOT/10u7ZFSa/zoneRoot/com...@10u8 rpool/ROOT/10u8/zoneRoot/common-10u8.
+ gettext Creating clone for %s on %s.
+ /etc/lib/lu/luprintf -lp1 Creating clone for %s on %s. rpool/ROOT/10u7ZFSa/zoneRoot/com...@10u8 rpool/ROOT/10u8/zoneRoot/common-10u8
luclonefs: Creating clone for rpool/ROOT/10u7ZFSa/zoneRoot/com...@10u8 on rpool/ROOT/10u8/zoneRoot/common-10u8.
+ /sbin/sh -c /sbin/zfs clone rpool/ROOT/10u7ZFSa/zoneRoot/com...@10u8 rpool/ROOT/10u8/zoneRoot/common-10u8
ERRMSG=
+ [ 0 -ne 0 ]
+ /etc/lib/lu/luprintf -lp2D - %s
luclonefs: DEBUG(*):
+ lulib_dataset_mounted rpool/ROOT/10u8/zoneRoot/common-10u8
+ [ -x /sbin/zfs ]
+ /sbin/zfs get -Ho value mounted rpool/ROOT/10u8/zoneRoot/common-10u8
is_mounted=no
+ [ 0 -ne 0 -o no = no ]
+ return 0
+ [ 0 -eq 1 ]
+ /sbin/zfs get -Ho value mountpoint rpool/ROOT/10u7ZFSa/zoneRoot/common
src_mntprop=/zoneRoot/common
+ [ /zoneRoot/common = legacy ]
+ /sbin/zfs get -Ho value mountpoint rpool/ROOT/10u7ZFSa/zoneRoot/common
src_mountpoint=/zoneRoot/common
+ [ /zoneRoot/common != / ]
+ [ -f /zoneRoot/common/lu_moved ]
abe_ds=rpool/ROOT/10u7ZFSa/zoneRoot/common-10u8
abe_mountpoint=/zoneRoot/common-10u8
+ [ rpool/ROOT/10u8/zoneRoot/common-10u8 = rpool/ROOT/10u7ZFSa/zoneRoot/common-10u8 ]
+ return 0
+ /sbin/zfs set zpdata:rbe=10u8 rpool/ROOT/10u8/zoneRoot/common-10u8
+ /sbin/zfs set zpdata:zn=common rpool/ROOT/10u8/zoneRoot/common-10u8
+ echo /zoneRoot/common
+ sed s:^//:/:
pbe_rawzp=/zoneRoot/common
+ zfs get -Ho value mountpoint rpool/ROOT/10u7ZFSa/zoneRoot/common
mount_prop=/zoneRoot/common
+ [ /zoneRoot/common = legacy ]
+ /sbin/zfs get -Ho value mountpoint rpool/ROOT/10u8/zoneRoot/common-10u8
newpath=legacy
newrawpath=legacy
+ /sbin/zfs mount rpool/ROOT/10u8/zoneRoot/common-10u8
cannot mount 'rpool/ROOT/10u8/zoneRoot/common-10u8': legacy mountpoint
use mount(1M) to mount this filesystem
+ [ 1 -ne 0 ]
+ gettext Failed to mount dataset %s
+ /etc/lib/lu/luprintf -Eelp2 Failed to mount dataset %s rpool/ROOT/10u8/zoneRoot/common-10u8
luclonefs: ERROR: Failed to mount dataset rpool/ROOT/10u8/zoneRoot/common-10u8
+ [ -n rpool/ROOT/10u7ZFSa/zoneRoot/common ]
+ /sbin/zfs set canmount=noauto rpool/ROOT/10u8/zoneRoot/common-10u8
+ zonecfg -R /.alt.tmp.b-Mdh.mnt -z common set -F zonepath=legacy
legacy is not an absolute path.
+ read zonename
+ rm -f /tmp/.luclonefs.28833.dslist
+ [ 0 = 1 ]
+ /usr/lib/lu/luumount -f -i /etc/lu/ICF.2