[zones-discuss] New mailing list coming soon
With the impending shutdown of the opensolaris.org site, we are working on breathing some life into a new mailing list at java.net. It should come to life in the next few days. The details will be made available in a blog posting at https://blogs.oracle.com/zoneszone/entry/new_zones_mailing_list

I look forward to seeing you on the new list.

Mike
___
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] Default router for local zone
On 11/15/12 10:57, Habony, Zsolt wrote:
> Hello,
>
> I have serious problem with routing of non-global zones shared-ip config. If I define a defrouter for a local zone, its route pops up in the global routing table, and global zone really starts to use it !! Though my intention is obviously to route a local-zone traffic to specific network, it breaks the functionality of the global zone.
>
>     # netstat -rvn
>
>     IRE Table: IPv4
>       Destination  Mask     Gateway    Device  Mxfrg  Rtt  Ref  Flg  Out      In/Fwd
>       -----------  -------  ---------  ------  -----  ---  ---  ---  -------  ------
>       default      0.0.0.0  10.x.x.x           1500*  0    1    UG   3417722  0
>       default      0.0.0.0  10.x.x.x   igb0:1  1500*  0    1    UG   1633463  0
>       default      0.0.0.0  139.x.x.x  nxge1   1500*  0    1    UG   201645   0
>
> I have found an earlier post, and would like to know if it is still the case:
> http://mail.opensolaris.org/pipermail/zones-discuss/2009-September/005528.html

That post is still correct.

> In my case, we have a jumpstation, to administer the servers, and since I installed the local zone with a defrouter to the external network, my connection to global zone from jumpstation hangs, and then breaks. snoop shows, that e.g. pinging from jumpstation works for a while, then responses suddenly directed to the new default route, which is obviously not for global zone traffic.
>
> There are some very complex workarounds mentioned in the previous posts, is there a better one available now ?

The easiest solution for your case would be to add a static route to the jumpstation:

    # route -p add jumpstation router_to_jumpstation

I question whether that is really what you want, though. That would make it so that processes running in the zone would be able to connect to the jumpstation, unless there are firewall rules in place to prevent it.

The most common reason for using shared-stack in Solaris 10 is because exclusive stack requires dedicated hardware. The Solaris 11 networking stack removes that limitation - exclusive stack can be used in a way that multiple network stacks are associated with a single physical nic. Because of this new capability, exclusive stack is the default in Solaris 11.

Solaris 11 also introduces the solaris10 brand. The combination of exclusive stack improvements and the solaris10 brand would likely be good for your scenario. You could install Solaris 11 on a server and migrate your Solaris 10 native zone from where it is at to the new server as a solaris10 branded zone. Of course, if your application is supported on Solaris 11, there is no need to use the solaris10 brand - you could just use the solaris brand, which is the default in Solaris 11 and as such does no emulation.

--
Mike Gerdts
Solaris Core OS / Zones
http://blogs.oracle.com/zoneszone/
Re: [zones-discuss] S11 zone bug with migrated rpool/export ZFS
On 01/03/12 14:30, Mike Gerdts wrote:
> On Tue 03 Jan 2012 at 12:23PM, John D Groenveld wrote:
>> In message 201201031705.q03h5uwi000...@elvis.arl.psu.edu, John D Groenveld writes:
>>> My nightly backup consists of zone shutdown, detach, snapshot, attach, boot.
>
> FWIW, this is one of those cases where 'zoneadm attach -F' would probably be reasonable.

Shortly after this thread was active, I made some changes that are now available in Solaris 11.1. Now, the attach in the cycle that John mentioned above will take about the same amount of time with or without the -F option. This is the 91 percent decrease in the time it takes to attach a zone mentioned in the Solaris 11.1 What's New document.

http://www.oracle.com/technetwork/server-storage/solaris11/documentation/solaris11-1-whatsnew-1732377.pdf

--
Mike Gerdts
Solaris Core OS / Zones
http://blogs.oracle.com/zoneszone/
Re: [zones-discuss] ZFS snapshots as a backup solution?
On 08/12/12 05:48, Jordi Espasa Clofent wrote:
> Hi all,
>
> The most of my production machines looks like:
>
> * Solaris 10 Update 7 (now we're starting to migrate to Update 10)
> * All the FS in classical UFS but /opt with ZFS
> * All the zones inside /opt/zones
> * All the zones containing a app server (Glassfish)
> * All the critical app data is just managed/stored by a backend bbdd, so no data inside the zone but the app (Java files) itself
>
> In case I have some real and weird problem in the zone (or even in the global one) we proceed:
>
> - re-create the zone in another server (all the process is automated by backend scripts, it takes just 15/20 minutes)

Zone cloning can take this down to a few seconds, especially if /opt/zones is a separate zfs file system from /opt. This will make it so that each zone gets its own file system (aka dataset). This is the key to making zone cloning go quickly.

Once you have that setup, you can create a master zone that is configured as far as it makes sense in your situation. That may or may not include the glassfish installation and/or the J2EE application(s) being run by glassfish. Then, when you need to create a new zone (or recreate another one that is damaged):

    zoneadm -z badzone uninstall -F
    zoneadm -z badzone clone master
    cp /mumble/badzone.sysidcfg /opt/zones/badzone/root/etc/sysidcfg
    chmod 400 /opt/zones/badzone/root/etc/sysidcfg
    zoneadm -z badzone boot

Depending on your environment, there may be other first-boot zone-specific setup that is required.

You could extend this scheme so that each zone has a custom master that is never subjected to your workload. If something catastrophic happens to the zone that has the workload, you can always uninstall it then re-install from its master.

To make it so that this is easy to do on a recovery system, you can make a copy of your master zone on some other system.

    primary# zoneadm -z master detach
    primary# zp=`zfs list -H -o name /opt/zones/master`
    primary# zfs snapshot $zp@replicate
    primary# zfs send -p $zp@replicate | ssh backup zfs recv $zp
    primary# zoneadm -z master attach

    backup# zonecfg -z master create -a /opt/zones/master
    backup# zoneadm -z master attach

Depending on your situation, you may or may not want to repeat this with your other zones. Whenever you patch, install new packages in the global zone, or otherwise significantly change the content in a zone that was previously copied, you probably want to redo the copy.

This works best if the packages and patches between primary and backup are exactly in sync. That allows you to move back to primary as well.

> - re-deploy the app in the zone (30/45 minutes)
>
> So, in total, if zoneX is crashing, to be able to be up and running again is gonna take around 45min-1h05 approx.
>
> That's acceptable for us, but obviously it would be amazing if we can reduce this needed time. I'm just wondering if I can do it playing with some ZFS capability (as snapshots) since all the zones are always under /opt/zones, which, as I said, is ZFS.
>
> Thanks in advance for all the suggestions.

I assume that you are planning for horrible what-if scenarios. If you are actually experiencing somewhat frequent issues that lead to you needing to rebuild the zones from scratch, you should really figure out the root cause. It could be that you have more serious problems than just the occasional misbehaving zone.

--
Mike Gerdts
Solaris Core OS / Zones
http://blogs.oracle.com/zoneszone/
Re: [zones-discuss] zone filesystems not mounting
On 08/08/12 10:56, John D Groenveld wrote:
> This morning's zoneadm -z search-1 attach -F and boot tripped over a funky mount:
>
>     [Wednesday, August 8, 2012 10:56:46 AM EDT] Mounting rpool/var/zones/search-1/rpool/export at /tmp/tmp.zxa40u/export with ZFS temporary mount
>     [Wednesday, August 8, 2012 10:56:46 AM EDT] Mounting rpool/var/zones/search-1/rpool/export/home at /tmp/tmp.zxa40u/export/home with ZFS temporary mount
>     cannot unmount '/tmp/tmp.zxa40u/export/home': Device busy
>     cannot unmount '/tmp/tmp.zxa40u/export': Device busy
>     rmdir: directory /tmp/tmp.zxa40u: Directory not empty
>     [Wednesday, August 8, 2012 10:56:47 AM EDT] Manual migration of export required. Potential conflicts in /var/opt/zones/search-1/root/export and rpool/var/zones/search-1/rpool/export.
>     [Wednesday, August 8, 2012 10:56:47 AM EDT] Zone BE root dataset: rpool/var/zones/search-1/rpool/ROOT/solaris-4
>     [Wednesday, August 8, 2012 10:56:47 AM EDT] Cache: Using /var/pkg/publisher.
>
> Haven't seen this race condition in several months of daily zone detach/attach's. My other zones came up cleanly.

Do you say race condition because you had something else (find, backups, etc.) that was crawling /tmp at the same time? Or is there something in Solaris that you are saying raced against this temporary mount? How would things be different if we chose any other location for temporary mounts?

> I'm running Solaris 11 SRU 8.5.
>
> The work-around was to halt the zone, detach, zfs umount rpool/var/zones/search-1/rpool/export/home and rpool/var/zones/search-1/rpool/export, attach and boot.
>
> Where in the zone machinery does the code set the zone mountpoints to global's TMPDIR?

This looks to be part of the attach path that is looking for the Solaris 11 Express dataset layout. See migrate_export in /usr/lib/brand/shared/common.ksh. The mount point is chosen with mktemp -d.

Note that this is a private implementation detail that you happen to be able to see because it is written in ksh. It may change at any time (sru, update, release) without notice.

--
Mike Gerdts
Solaris Core OS / Zones
http://blogs.oracle.com/zoneszone/
Re: [zones-discuss] monitor number of lwp in zone
On 04/26/12 10:33, Christian Meier wrote:
> Dear List,
>
> with the solaris resource control feature you are able to set the max number of LWP for a zone, e.g.
>
>     bash-3.00# prctl -n zone.max-lwps -i zone v0136
>     zone: 20: v0136
>     NAME    PRIVILEGE       VALUE    FLAG   ACTION       RECIPIENT
>     zone.max-lwps
>             privileged        120       -   deny                 -
>             system          2.15G     max   deny                 -
>
> with the rctladm you're able to generate warning if the limit was reached:
>
>     Apr 26 16:34:52 g0057 genunix: privileged rctl zone.max-lwps (value 120) exceeded by process 15930 in zone v0136.
>
> is there a simple way to get the actual value of the zone(s)?
>
> actual known ways:
>
> prstat:
>
>     /usr/bin/prstat -LZ
>
> with sed, grep and awk possible:
>
>     /usr/bin/prstat -LZ -n 1,10 1 1 | sed '1,3d' | grep -v Total
>          0      216  111M  139M   6.8%   0:09:05 0.1% global
>         20      100   40M   23M   1.1%   0:00:32 0.0% v0136

Potential improvements on that are:

    $ ps -Leo zone | sort | uniq -c | sort -n
       1     ZONE
     110       z1
     319   global

    $ ps -Lz z1 -o pid= | wc -l
         109

The reason that these are improvements are:

- We don't force ps to do any name lookups. If name lookups are broken for some reason (e.g. ldap server failure), you want to minimize the amount of monitoring that breaks.
- No use of imprecise grep patterns that could match process names or substrings of other zones.
- If you have a lot of zones, prstat may not list the least active ones.

> kstat:
>
>     kstat -p unix:0:lwp_cache:buf_inuse
>     unix:0:lwp_cache:buf_inuse      319
>
> but I get only the sum of all lwp on the system, not for a special zone
>
> ps:
>
>     ps -efZ -o zone,zoneid,lwp,args | grep global | wc -l
>          219
>     ps -efZ -o zone,zoneid,lwp,args | grep v0136 | wc -l
>          105
>
> on Solaris 11 it is possible to get these values by zonestat, e.g.
>
>     $ zonestat -p -P zones -r processes,lwps 1 1
>     interval:processes:system-limit:global:66:0.22%:-:-
>     interval:processes:system-limit:v0134:30:0.10%:-:-
>     interval:lwps:system-limit:global:670:0.00%:-:-
>     interval:lwps:system-limit:v0134:112:0.00%:-:-
>
> but for solaris 10?
>
> any hints are very welcome
>
> regards Christian

--
Mike Gerdts
Solaris Core OS / Zones
http://blogs.oracle.com/zoneszone/
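
The per-zone count from `ps -Leo zone` in the reply above, extended to compare each zone against its zone.max-lwps limit and report zones close to the cap. This is an added example, not part of the original thread: the limits file format ("zone limit" per line), the 80 percent threshold and the sample data are assumptions constructed for illustration; on a live system the limit would be read from `prctl -n zone.max-lwps -i zone NAME`.

```sh
#!/bin/sh
# Added example (not from the thread): per-zone LWP usage against zone.max-lwps.

# zone_lwp_counts: stdin is `ps -Leo zone` output (one line per LWP, optional
# ZONE header). Prints "zone count" lines sorted by zone name. Only the zone
# column is read, so there are no name lookups and no grep substring matches.
zone_lwp_counts() {
    awk 'NR == 1 && $1 == "ZONE" { next }
         NF >= 1 { n[$1]++ }
         END { for (z in n) print z, n[z] }' | sort
}

# zone_lwp_alerts LIMITS PCT: stdin as above. LIMITS is an assumed file of
# "zone limit" lines. Prints "zone count limit pct%" for every zone at or
# above PCT percent of its limit; zones without a listed limit are skipped.
zone_lwp_alerts() {
    zone_lwp_counts | awk -v limits="$1" -v pct="$2" '
        BEGIN {
            while ((getline line < limits) > 0) {
                split(line, f, " ")
                limit[f[1]] = f[2] + 0
            }
        }
        ($1 in limit) && limit[$1] > 0 {
            used = int($2 * 100 / limit[$1])
            if (used >= pct + 0) print $1, $2, limit[$1], used "%"
        }'
}

# Constructed sample standing in for `ps -Leo zone`: the ZONE header, then
# 216 LWPs in global and 100 in v0136 (the figures from the prstat output
# quoted in the thread).
sample_ps_output() {
    echo "    ZONE"
    awk 'BEGIN {
        for (i = 0; i < 216; i++) print "  global"
        for (i = 0; i < 100; i++) print "   v0136"
    }'
}

# Demo on the constructed sample. On a live system the input would instead be:
#   ps -Leo zone | zone_lwp_alerts /path/to/limits 80
limits_file=$(mktemp) || exit 1
printf 'v0136 120\n' > "$limits_file"
sample_ps_output | zone_lwp_alerts "$limits_file" 80
rm -f "$limits_file"
```

Run from cron in the global zone, this gives a warning before the rctl starts denying LWP creation, rather than only the syslog message after the limit is hit.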
Re: [zones-discuss] Difference between capped.memory and zone.max-shm-memory
On 04/18/12 16:57, Mike Gerdts wrote:
> On 04/18/12 16:42, Jordi Espasa Clofent wrote:
>> On 2012-04-18 19.22, Hung-Sheng Tsao (LaoTsao) Ph.D wrote:
>>> hi
>>> may be one could add in solaris resource control used to be project based one need to setup project and limit the resource pool then assign the pool to zone. it is not easy to use. since then many shortcut for resource pool control are added to zonecfg make it very easy to add resource control inside the zone
>>
>> The question still, more or less, there:
>>
>> It is possible to limit the amount of RAM that a zone can borrow from the global zone without rcapd?
>>
>> As far as I can understand, if a zone only uses zone.max-shm-memory instead, potentially can borrow all the available RAM. So?
>
> zone.max-swap can be used to limit the amount of memory that processes in a zone can reserve. Note that this has little to do with swap devices - the term swap in this sense means virtual memory.
>
> In order for a process to use RAM, those pages of RAM need to be backed by something that can be paged. Anonymous pages (those typically obtained via malloc()) are charged against malloc. The memory needed to hold executables and libraries are backed by the disk where they reside.

I received a reply off-list that made me realize I misstated things a bit.

Every reserved page of memory needs to have backing store. That backing store can be RAM, files on disk, memory mapped files, and perhaps somewhat less common backing stores (frame buffer memory?). Virtual memory (swap) is reserved as a result of system calls like brk() and sbrk() which is where malloc() gets its memory from. Also, when a process forks, pages that are read-write but not shared also reserve more memory.

You can run a Solaris system without swap devices but that system will still have virtual memory (swap) - this helps accentuate the confusing and overlapping meanings of swap. When running without swap devices, the system will be unlikely to be able to use all of its available RAM because all reserved anonymous pages (many which may never be needed) will be backed by RAM.

--
Mike Gerdts
Solaris Core OS / Zones
http://blogs.oracle.com/zoneszone/
Re: [zones-discuss] Difference between capped.memory and zone.max-shm-memory
On 04/18/12 16:42, Jordi Espasa Clofent wrote:
> On 2012-04-18 19.22, Hung-Sheng Tsao (LaoTsao) Ph.D wrote:
>> hi
>> may be one could add in solaris resource control used to be project based one need to setup project and limit the resource pool then assign the pool to zone. it is not easy to use. since then many shortcut for resource pool control are added to zonecfg make it very easy to add resource control inside the zone
>
> The question still, more or less, there:
>
> It is possible to limit the amount of RAM that a zone can borrow from the global zone without rcapd?
>
> As far as I can understand, if a zone only uses zone.max-shm-memory instead, potentially can borrow all the available RAM. So?

zone.max-swap can be used to limit the amount of memory that processes in a zone can reserve. Note that this has little to do with swap devices - the term swap in this sense means virtual memory.

In order for a process to use RAM, those pages of RAM need to be backed by something that can be paged. Anonymous pages (those typically obtained via malloc()) are charged against malloc. The memory needed to hold executables and libraries are backed by the disk where they reside.

--
Mike Gerdts
Solaris Core OS / Zones
http://blogs.oracle.com/zoneszone/
Re: [zones-discuss] Backing up my zones
On Sat, Feb 18, 2012 at 4:22 AM, David Cushing david.cush...@fundtech.com wrote:
> I’m looking for suggestions on capturing backups. Web searches have not been overly fruitful. Most discussion expects to shut down the zone and clone it. I will not be able to shut down the zones. The backups don’t need to be 100% perfect. I can fix issues from open files / work in progress. This is not a production database scenario. The biggest concern is full loss of the LUN. Secondary concern is stray users deleting or corrupting their folders.
>
> There are separate zpools for GZ and NGZ. All zones share a single ZFS file system but I intend on reconfiguring to have one file system per zone. Zones are full root.

Since you seem to be running Solaris 10, I'll only cover that.

You have an easy way to get a crash-consistent image: zfs snapshots. With all the zones in one filesystem, you can prepare for the backup with:

    zfs snapshot fsname@snapname

You can have the backup software back up from fs mountpoint/.zfs/snapshots/snapname. That is, if you have tank/zones mounted at /zones, you would do:

    zfs snapshot tank/zones@backup

Then you would have the backup software back up from /zones/.zfs/snapshots/backup.

Netbackup allows you to automatically run scripts before and after backups. You could have the pre-backup script create the snapshot and the post-backup script could rename (zfs rename tank/zones@backup tank/zones@backup-`date +%Y%m%d-%H%M`) or destroy the snapshot.

FWIW, if you are seeing netbackup hang, you could probably use pfiles and/or truss on the netbackup process to see what it is trying to read. If the file is a pipe (see mkfifo), you should configure netbackup to skip that file.

--
Mike Gerdts
http://mgerdts.blogspot.com/
Re: [zones-discuss] need help with zonecfg and networking
On Wed 08 Feb 2012 at 07:45PM, Will Fiveash wrote:
> When I do:
>
> create
> set zonepath=/zone/newzone
> set limitpriv=default,dtrace_proc,dtrace_user
> set ip-type=shared
> add net
> set physical=nge0
> set address=10.0.0.2/8
> end

remove anet linkname=net0

> commit
> exit
>
> I see:
>
> On line 19 of /tmp/createzone.yuaalI:
> anet resources can only be specified if ip-type = exclusive
> Zone master failed to verify
> master: Incompatible settings
>
> ?

The default zone configuration (SYSdefault) contains an anet resource. anet resources require ip-type = exclusive. The command I inserted above will remove that default anet resource.

The 'create -b' option is also a fine route to go, but is not ideal if you are trying to switch an already configured zone between exclusive and shared stack.

--
Mike Gerdts
Solaris Core OS / Zones
http://blogs.oracle.com/zoneszone/
Re: [zones-discuss] issue with zones and sysconfig
On Thu 09 Feb 2012 at 02:00PM, Will Fiveash wrote:
> On Thu, Feb 09, 2012 at 02:43:41PM -0500, Hung-Sheng Tsao (Lao Tsao ??) Ph.D. wrote:
>> I ASS U ME that you have seen this
>> http://www.oracle.com/technetwork/articles/servers-storage-admin/o11-092-s11-zones-intro-524494.html
>
> That is good info, thanks. Of course now I see another problem. In that guide above there is an example of having zoneadm clone use the sysconfig created profile like so:
>
>     Step 3: Create webzone-2 by Cloning webzone-1
>
>     Next create webzone-2 using the modified configuration (by using zonecfg), and then perform the clone of webzone-1 (by using zoneadm). Remember to add the full path to the system config template. Note how quickly the clone is completed. (We can see this by prepending the time command to our zonecfg clone command.)
>
>     root@global:~# zonecfg -z webzone-2 -f /zones/webzone-2-profile
>     root@global:/zones# time zoneadm -z webzone-2 clone -c /zones/webzone-2-template.xml webzone-1
>
> However, the only description of -c I find in the S11 zoneadm man page is for list. Can someone confirm that -c sysconfig profile file works for clone? Also how do I use -c when creating a new zone that is not a clone?

The man pages are a little hard to read due to separation between the generic options and the brand-specific options. Notice in zoneadm(1M) that you see:

    install [brand-specific options]
        ...
        The zone's brand may include additional options that govern how the software will be installed in the zone. See brands(5) for specific brand information.

Thus begins the twisty passages, all looking the same.

brands(5) refers to solaris(5), solaris10(5), and other man pages. To see the options available for solaris (the default) branded zones, you want to look at solaris(5). There you will see:

    install [-m manifest.xml] [-c config_profile.xml | dir]
    install [-a archive | -d path | -z ZBE] [-p] [-s] [-u] [-v] [-c config_profile.xml | dir]
    ...

Also, if you do 'zoneadm help' you will see that the help messages refer to brands(5). If you do 'zoneadm -z somezone help' you will see that the help messages refer to the right brand's man page. e.g.

    # zoneadm -z z1 help install
    usage:  install [brand-specific args]
            Install the configuration on to the system. All arguments are passed to the brand installation function; see solaris(5) for more information.

--
Mike Gerdts
Solaris Core OS / Zones
http://blogs.oracle.com/zoneszone/
Re: [zones-discuss] fix permissions on zone datasets
On Sun 05 Feb 2012 at 12:05AM, Matt Harrison wrote:
> I have very cleverly managed to fudge the permissions on the entire zones dataset, hosing the 3 zones I had.
>
> I don't know what the permissions were or should be and I really don't want to have to reinstall them.
>
> If anyone can point me to some documents, googling only finds me info on resource permissions etc rather than the filesystem itself.
>
> Very grateful someone can advise.
>
> Many thanks

There's no such thing as permissions on zone datasets. Perhaps you mean property values? Or perhaps you mean file system permissions.

To give an accurate answer, it is important to know if you are using Solaris 10, Solaris 11 Express, or Solaris 11. Specific error messages that you are seeing would probably be helpful too.

--
Mike Gerdts
Solaris Core OS / Zones
Re: [zones-discuss] S11 zoneadm attach when pkg.Oracle.COM is unreachable?
On Mon 16 Jan 2012 at 08:16PM, John D Groenveld wrote:
> Does attach -F ignore issues with reaching the repo?

Yes.

> 1: Framework stall:
> URL: 'http://pkg.oracle.com/solaris/support/solaris/catalog/1/catalog.attrs'. (happened 2 times)
> 2: Framework error: code: 28 reason: Operation too slow. Less than 1024 bytes/sec transfered the last 30 seconds
> URL: 'http://pkg.oracle.com/solaris/support/solaris/catalog/1/catalog.attrs'.
> 3: http protocol error: code: 502 reason: Bad Gateway
> URL: 'http://pkg.oracle.com/solaris/support/solaris/catalog/1/catalog.attrs'.
> [Sat Jan 14 21:17:53 EST 2012] ERROR: Updating image format failed
>
> John
> groenv...@acm.org

--
Mike Gerdts
Solaris Core OS / Zones
Re: [zones-discuss] S11 zone bug with migrated rpool/export ZFS
On Tue 03 Jan 2012 at 12:23PM, John D Groenveld wrote:
> In message 201201031705.q03h5uwi000...@elvis.arl.psu.edu, John D Groenveld writes:
>> My nightly backup consists of zone shutdown, detach, snapshot, attach, boot.

FWIW, this is one of those cases where 'zoneadm attach -F' would probably be reasonable.

> Here's the output from that cron:
>
> Progress being logged to /var/log/zones/zoneadm.20120101T021243Z.search-1.attach
> Attaching...
> Installing: Using existing zone boot environment
> Zone BE root dataset: rpool/var/zones/search-1/rpool/ROOT/zbe-3
> Cache: Using /var/pkg/publisher.
> Updating image format
> Updating non-global zone: Linking to image /.
> Updating non-global zone: Auditing packages.
> No updates necessary for this image.
> Updating non-global zone: Zone updated.
> Result: Attach Succeeded.
> Log saved in non-global zone as /var/opt/zones/search-1/root/var/log/zones/zoneadm.20120101T021243Z.search-1.attach

Above was your last successful attach. The failed attach starts here:

> Progress being logged to /var/log/zones/zoneadm.20120102T021110Z.search-1.attach
> Attaching...
> Installing: Using existing zone boot environment
> Manual migration of export required. Potential conflicts in /var/opt/zones/search-1/root/export and rpool/var/zones/search-1/rpool/export.

This error message is saying that it found two things that are supposed to be mounted at /export. Without understanding your zone configuration and dataset layout, it is kind of hard to know exactly what is going on. Can you provide the following:

%---
zfs list -o name,mountpoint,canmount,mounted -r rpool/var/zones/search-1
zonecfg -z search-1 info dataset
for ds in $(zonecfg -z search-1 info dataset | nawk '$1 == "name:" {print $2}')
do
    echo "Dataset: $ds"
    zfs list -o name,mountpoint,canmount,mounted,zone "$ds"
done
zonecfg -z search-1 info fs
%---

Also, any details about changes in the zone configuration and/or package updates since the previous successful backup would be helpful.

--
Mike Gerdts
Solaris Core OS / Zones
http://blogs.oracle.com/zoneszone/
Re: [zones-discuss] S11 zone bug with migrated rpool/export ZFS
On Tue 03 Jan 2012 at 04:02PM, John D Groenveld wrote:
> In message 20120103203031.gl24...@ultra24.us.oracle.com, Mike Gerdts writes:
>> Can you provide the following:
>>
>> %---
>> zfs list -o name,mountpoint,canmount,mounted -r rpool/var/zones/search-1
>
> # zfs list -o name,mountpoint,canmount,mounted -r rpool/var/zones/search-1
> NAME                                        MOUNTPOINT                                CANMOUNT  MOUNTED
> rpool/var/zones/search-1                    /var/opt/zones/search-1                   on        yes
> rpool/var/zones/search-1/rpool              /var/opt/zones/search-1/root/rpool        on        yes
> rpool/var/zones/search-1/rpool/ROOT         legacy                                    noauto    no
> rpool/var/zones/search-1/rpool/ROOT/zbe-3   /var/opt/zones/search-1/root              noauto    yes
> rpool/var/zones/search-1/rpool/export       /var/opt/zones/search-1/root/export       on        yes
> rpool/var/zones/search-1/rpool/export/home  /var/opt/zones/search-1/root/export/home  on        yes
>
> I couldn't figure why from within the zone zfs mount was complaining that the export and export/home datasets were busy. Then from global I noticed rpool/var/zones/search-1/rpool/export and export/home had the temporary mountpoint which was completely unexpected. After I halt'd and detach'd my zone, umount'd the datasets and attach'd the zone the mountpoints corrected themselves.

It kinda sounds like something from the global zone had stepped into some filesystems that were temporarily mounted during an attach process. This is backed up by the evil in the attach log:

> Lots of evil in attach log:
> [Sun Jan 1 21:11:30 EST 2012] Mounting rpool/var/zones/search-1/rpool/export/home at /tmp/tmp.7kayqJ/export/home with ZFS temporary mount
> cannot unmount '/tmp/tmp.7kayqJ/export/home': Device busy
> cannot unmount '/tmp/tmp.7kayqJ/export': Device busy
> rmdir: directory /tmp/tmp.7kayqJ: Directory not empty

Do you by any chance have a /tmp cleaner (or something else that does a find or du) running at roughly the same time? If so, the -mount option to find or the -d option to du may be a help to prevent recurrence. /tmp/tmp.7kayqJ should have been created rwx by root only.

>> zonecfg -z search-1 info dataset
>> for ds in $(zonecfg -z search-1 info dataset | nawk '$1 == "name:" {print $2}')
>> do
>>     echo "Dataset: $ds"
>>     zfs list -o name,mountpoint,canmount,mounted,zone "$ds"
>> done
>> zonecfg -z search-1 info fs

Going back to the beginning of the thread I see you had already given this info. Sorry 'bout that.

> # zonecfg -z search-1 info
> zonename: search-1
> zonepath: /var/opt/zones/search-1
> brand: solaris
> autoboot: true
> bootargs: -m verbose
> file-mac-profile:
> pool:
> limitpriv:
> scheduling-class:
> ip-type: exclusive
> hostid:
> fs-allowed:
> fs:
>         dir: /ematrix
>         special: tank/ematrix
>         raw not specified
>         type: zfs
>         options: []
> net:
>         address not specified
>         allowed-address not specified
>         configure-allowed-address: true
>         physical: vnic3
>         defrouter not specified
> capped-memory:
>         physical: 3G
>
>> Also, any details about changes in the zone configuration and/or package updates since the previous successful backup would be helpful.
>
> I made no changes. The other zones on the system had no issues.

It's starting to look like a race with something else on the system. If there is something beyond your control that likes to walk through /tmp as root, you could probably add the following to the cron job.

--%--
mkdir /var/attachtmp
mount -F tmpfs - /var/attachtmp
chmod 1777 /var/attachtmp
export TMPDIR=/var/attachtmp

# Do the stuff you normally do here

unset TMPDIR
umount /var/attachtmp
rmdir /var/attachtmp
--%--

Adjust as your environment requires.

--
Mike Gerdts
Solaris Core OS / Zones
http://blogs.oracle.com/zoneszone/
Re: [zones-discuss] S11 zone bug with migrated rpool/export ZFS
On Tue 03 Jan 2012 at 05:51PM, John D Groenveld wrote:
> In message 20120103220311.go24...@ultra24.us.oracle.com, Mike Gerdts writes:
>> It kinda sounds like something from the global zone had stepped into some filesystems that were temporarily mounted during an attach process. This is backed up by the evil in the attach log:
>>
>>> Lots of evil in attach log:
>>> [Sun Jan 1 21:11:30 EST 2012] Mounting rpool/var/zones/search-1/rpool/export/home at /tmp/tmp.7kayqJ/export/home with ZFS temporary mount
>>> cannot unmount '/tmp/tmp.7kayqJ/export/home': Device busy
>>> cannot unmount '/tmp/tmp.7kayqJ/export': Device busy
>>> rmdir: directory /tmp/tmp.7kayqJ: Directory not empty
>>
>> Do you by any chance have a /tmp cleaner (or something else that does a find or du) running at roughly the same time? If so, the -mount option to find or the -d option to du may be a help to prevent recurrence. /tmp/tmp.7kayqJ should have been created rwx by root only.
>
> Besides my backup cron, I don't run any custom bits in global. Nothing jumps out among the stock services that might be willy nilly performing IO in /tmp.
>
> Why shouldn't zoneadm's migration update umount -f these mounts once the migration has been performed? I think that's preferred to skipping the attach checks and balances with attach -F.

In most cases, the use of umount -f has been avoided in this code as it is more likely to hide some other problem that exists. I think I may see the other problem that exists, but it would require a bit of investigation to know for sure.

By any chance are either of the following true?

- The zone's /export/home file system has more files in it than it used to. In particular, are there now enough files in it that find will now generate more than 5120 bytes of output whereas before that wasn't the case?
- The disk is busy doing other things such that these reads from the zone's /export/home are pretty slow to return?

In any case, please let me know if you start to see this problem more regularly. I've opened a somewhat low priority bug:

    7126819 migrate_export can get EBUSY while unmounting zone's rpool/export/home dataset

If it repeats for you I'll bump the priority up. If a fix is important to you, please open a service request and ask for an escalation to be filed.

--
Mike Gerdts
Solaris Core OS / Zones
http://blogs.oracle.com/zoneszone/
Re: [zones-discuss] New zone configuration screens
On Thu 15 Dec 2011 at 09:16AM, Hung-Sheng Tsao (Lao Tsao ??) Ph.D. wrote:
> IMHO now create -b has totally different meaning in s11 vs s10 could create some confusion at time

create -b works the same in Solaris 10 as it did in Solaris 11 - it creates a blank zone configuration. The thing that is different is create (without -b). The default configuration (from SYSdefault.xml now, previously from SUNWdefault.xml) has changed significantly due to the improvements in packaging and networking.

> Another question: what is attr do? how application take advantage of attr

I think of attr as a way to add a comment or other arbitrary information to a zone configuration. For example, if you need to tag each zone with the cost center that is billed for the zone, you could do so with:

    # zonecfg -z myzone
    zonecfg:myzone> add attr
    zonecfg:myzone:attr> set name=cost-center
    zonecfg:myzone:attr> set type=string
    zonecfg:myzone:attr> set value=12345
    zonecfg:myzone:attr> end
    zonecfg:myzone> exit

You can get at the information with commands like:

    # zonecfg -z myzone info attr name=cost-center
    attr:
            name: cost-center
            type: string
            value: 12345

    # zonecfg -z myzone info attr name=cost-center \
        | nawk '$1 == "value:" { sub("\tvalue: ", "", $0); print $0 }'
    12345

--
Mike Gerdts
Solaris Core OS / Zones
http://blogs.oracle.com/zoneszone/
Re: [zones-discuss] Problem booting Solaris 10 zone imported from Solaris 11 express
On Wed 14 Dec 2011 at 05:10PM, Ian Collins wrote:
> On 12/14/11 05:06 PM, Mike Gerdts wrote:
> > On Wed 14 Dec 2011 at 05:02PM, Ian Collins wrote:
> > > On 12/14/11 04:54 PM, Ian Collins wrote:
> > > > On 12/14/11 04:48 PM, John D Groenveld wrote:
> > > > > In message 4ee8183b.2050...@ianshome.com, Ian Collins writes:
> > > > > > The zone originally came from a Solaris 10 update 9 system. How do I go about patching it?
> > > > > Can you v2v the zone back to an S10 system and then apply the latest patches there?
> > > > I was hoping no one would suggest that!
> > > That's probably harder than it appears, the zone's root zfs filesystems have been migrated, so they can't be sent back to an older OS version.
> > By this, do you mean that you ran /usr/lib/brand/shared/dsconvert?
> Yes.

You should be able to get out of the situation you are in with:

1. Reboot to the Solaris 11 Express BE

   root@global# beadm activate s11express-be-name
   root@global# init 6

2. Partially revert the work done by dsconvert

   In this example, the zone's zonepath is /zones/s10.

   root@global# zfs list -r /zones/s10
   rpool/zones/s10                    3.18G  11.3G    51K  /zones/s10
   rpool/zones/s10/rpool              3.18G  11.3G    31K  /rpool
   rpool/zones/s10/rpool/ROOT         3.18G  11.3G    31K  legacy
   rpool/zones/s10/rpool/ROOT/zbe-0   3.18G  11.3G  3.18G  /
   rpool/zones/s10/rpool/export         62K  11.3G    31K  /export
   rpool/zones/s10/rpool/export/home    31K  11.3G    31K  /export/home

   The goal here is to move rpool/zones/s10/rpool/ROOT up one level. We need to do a bit of a dance to get it there. Do not reboot or issue 'zfs mount -a' in the middle of this. If something goes wrong and a reboot happens, it won't be disastrous - you will just need to complete the procedure when the next boot stops with svc:/filesystem/local problems.

   root@global# zfs set mountpoint=legacy rpool/zones/s10/rpool/ROOT/zbe-0
   root@global# zfs set zoned=off rpool/zones/s10/rpool
   root@global# zfs rename rpool/zones/s10/rpool/ROOT \
       rpool/zones/s10/ROOT
   root@global# zfs set zoned=on rpool/zones/s10/rpool
   root@global# zfs set zoned=on rpool/zones/s10/ROOT

   Now the zone's dataset layout should look like:

   root@global# zfs list -r /zones/s10
   NAME                                USED  AVAIL  REFER  MOUNTPOINT
   rpool/zones/s10                    3.19G  11.3G    51K  /zones/s10
   rpool/zones/s10/ROOT               3.19G  11.3G    31K  legacy
   rpool/zones/s10/ROOT/zbe-0         3.19G  11.3G  3.19G  legacy
   rpool/zones/s10/rpool                93K  11.3G    31K  /rpool
   rpool/zones/s10/rpool/export         62K  11.3G    31K  /export
   rpool/zones/s10/rpool/export/home    31K  11.3G    31K  /export/home

3. Boot the zone and patch

   root@global# zoneadm -z s10 boot
   root@global# zlogin s10
   root@s10# ... (apply required patches)

4. Shutdown the zone

   root@s10# init 0

5. Revert the dataset layout to the way that dsconvert left it. Again, try to avoid reboots during this step.

   root@global# zfs set zoned=off rpool/zones/s10/ROOT
   root@global# zfs set zoned=off rpool/zones/s10/rpool
   root@global# zfs rename rpool/zones/s10/ROOT rpool/zones/s10/rpool/ROOT
   root@global# zfs set zoned=on rpool/zones/s10/rpool
   root@global# zfs inherit zoned rpool/zones/s10/rpool/ROOT

6. Reboot to Solaris 11

   root@global# beadm activate solaris11-be-name
   root@global# init 6

At this point, the zone should be bootable on Solaris 11.

I've filed:

7121298 dsconvert should prevent conversion if not at right S10 patch level

Sorry for the troubles you had.

--
Mike Gerdts
Solaris Core OS / Zones
http://blogs.oracle.com/zoneszone/

Re: [zones-discuss] Problem booting Solaris 10 zone imported from Solaris 11 express
On Wed 14 Dec 2011 at 05:02PM, Ian Collins wrote:
> On 12/14/11 04:54 PM, Ian Collins wrote:
> > On 12/14/11 04:48 PM, John D Groenveld wrote:
> > > In message 4ee8183b.2050...@ianshome.com, Ian Collins writes:
> > > > The zone originally came from a Solaris 10 update 9 system. How do I go about patching it?
> > > Can you v2v the zone back to an S10 system and then apply the latest patches there?
> > I was hoping no one would suggest that!
> That's probably harder than it appears, the zone's root zfs filesystems have been migrated, so they can't be sent back to an older OS version.

By this, do you mean that you ran /usr/lib/brand/shared/dsconvert?

--
Mike Gerdts
Solaris Core OS / Zones
http://blogs.oracle.com/zoneszone/

Re: [zones-discuss] Zone Not Starting Properly?
On Thu 01 Dec 2011 at 10:39AM, Derek McEachern wrote:
> Have a peculiar problem that I haven't seen before. When starting a system that has about 35 - 40 zones on it occasionally we see that one of the zones doesn't come up properly. You can log into the zone but none of the /etc/rc3.d scripts have been run. /var/adm/messages is completely empty and when running who -r to see the run level it doesn't report anything.

Take a look at the output of svcs -x. Most likely you have a service that svc:/milestone/multi-user-server:default depends on (directly or indirectly) that has timed out and as such is in maintenance. Because the dependency is not satisfied, this milestone doesn't come up so the rc3 scripts are not run.

My guess is the timeout is because so many zones are starting at once that the disks are being thrashed. The resulting I/O backlog slows down the startup of services, which leads to timeouts, which lead to some services failing to even try to start.

A google search and a 5 second read suggests that this link may be of help to adjust the timeout of services that require a longer timeout:

http://www.runningunix.com/2009/01/changing-timeouts-on-smf-services/

--
Mike Gerdts
Solaris Core OS / Zones
http://blogs.oracle.com/zoneszone/

[zones-discuss] Zones talk: Oracle Solaris 11 Summit at LISA 2011
Will you be at LISA 2011 or will you be hanging out in Boston looking for something to do on Tuesday, December 6? If so, I encourage you to come to the Oracle Solaris 11 Summit at the Sheraton Boston Hotel. LISA registration is not required to attend the free Oracle Solaris Summit.

During the Summit, I'll be presenting Solaris 11 Zones. Several of my fellow engineers will be covering other areas such as installation, packaging, ZFS, networking, security, integration with other Oracle software, and Solaris Cluster. Solaris 11 brings much better integration between the various components of the operating system, and as such you will learn important things about zones in the other talks as well.

Find the agenda and registration link at:

http://www.oracle.com/us/dm/h2fy11/20741-wwmk11010781mpp004c003-oem-524681.html

I will also be one of the panelists at the Oracle Solaris 11 Engineering Panel BoF sessions on Wednesday from 7:30 until 8:30 PM.

http://www.usenix.org/events/lisa11/bofs.html#Solaris11_table

And if that's not enough, you can also catch a variety of engineers at the Oracle demo booth. I'll be there from 2:00 - 4:00 on Wednesday.

I hope to see you there!

--
Mike Gerdts
Solaris Core OS / Zones
http://blogs.oracle.com/zoneszone/

Re: [zones-discuss] Expanding the set of packages installed into a Zone?
On Fri 11 Nov 2011 at 09:41AM, Ian Collins wrote:
> On 11/11/11 09:20 AM, Mike Gerdts wrote:
> > On Fri 11 Nov 2011 at 08:41AM, Ian Collins wrote:
> > > Solaris 11 Express with the latest updates from the support repo.
> > >
> > > I'm getting an odd problem creating zones and I wanted to check the package list:
> > >
> > > Package State Update Phase 45/45
> > > Image State Update Phase 2/2
> > > Installing: Additional Packages (output follows)
> > > Creating Plan
> > > pkg: 'SUNWbip' matches multiple packages
> > >     SUNWbip
> > >     compatibility/packages/SUNWbip
> > > ERROR: failed to install package
> > >
> > > I removed SUNWbip from /usr/lib/brand/ipkg/pkgcreatezone and the zone installed OK. I'll add the package in the zone later. Someone should have a look at a proper fix!
> >
> > I believe that it is already fixed in
> >
> > pkg://solaris/system/zones/brand/ipkg@0.5.11,5.11-0.151.0.1.13:20111025T185520Z
> >
> > I think (but do not know) that you should be able to fix the problem you are seeing with:
> >
> > # pkg update pkg://solaris/system/zones/brand/ipkg
> >
> > Based on the dependencies in that package, it looks like that will also update pkg:/package/pkg to 0.5.11-0.151.0.1.13 as well.
>
> Odd, I had done a pkg update to get the latest bits, so
>
> pfexec pkg update pkg://solaris/system/zones/brand/ipkg
> No updates available for this image.
>
> The problem occurred both before and after the update.
>
> Oh well, I was only adding the zone to make sure the upgrade to Solaris 11 worked OK on supported Express system!

That seems odd. What do the following tell you?

pkg list -af system/zones/brand/ipkg
pkg update -v pkg://solaris/system/zones/brand/ipkg@0.5.11,5.11-0.151.0.1.13:20111025T185520Z

--
Mike Gerdts
Solaris Core OS / Zones

Re: [zones-discuss] Expanding the set of packages installed into a Zone?
On Thu 10 Nov 2011 at 08:32PM, Ian Collins wrote:
> On 10/10/11 07:20 PM, Edward Pilatowicz wrote:
> > On Fri, Oct 07, 2011 at 12:23:30PM -0700, Michael Speer wrote:
> > > All,
> > >
> > > I have two questions based on what I have been seeing where I don't see packages of interest being installed into a zone I create when the package exists in the global zone.
> > >
> > > 1) Where is the list of packages kept that will be installed into new zone? How does this list get modified?
> >
> > by default packages that get installed into a zone are specified in the default AI manifest used to install zones. you can find that manifest here:
> >
> > /usr/share/auto_install/manifest/zone_default.xml
>
> I can't see that file (or the auto_install directory) on any of my systems. Has it moved?

That file exists in Solaris 11 as part of the auto-install-common package:

$ pkg search /usr/share/auto_install/manifest/zone_default.xml
INDEX  ACTION  VALUE                                             PACKAGE
path   file    usr/share/auto_install/manifest/zone_default.xml  pkg:/system/install/auto-install/auto-install-common@0.5.11-0.175.0.0.0.2.1482

With Solaris 11 Express, the list of packages was hard coded into scripts under /usr/lib/brand/ipkg.

What are you running?

--
Mike Gerdts
Solaris Core OS / Zones

Re: [zones-discuss] Expanding the set of packages installed into a Zone?
On Thu 10 Nov 2011 at 02:42PM, Frank Batschulat wrote:
> fwiw, on 175b I do have the file but not the package installed which claims to deliver it ;-)

That statement is worrisome. I think, however, it is not correct. :)

> osoldev.batschul./.= ls -la /usr/share/auto_install/manifest/zone_default.xml
> -r--r--r-- 1 root sys 2367 Sep 23 11:54 /usr/share/auto_install/manifest/zone_default.xml
>
> osoldev.batschul./.= pkg search /usr/share/auto_install/manifest/zone_default.xml
> INDEX  ACTION  VALUE                                             PACKAGE
> path   file    usr/share/auto_install/manifest/zone_default.xml  pkg:/system/install/auto-install/auto-install-common@0.5.11-0.175.0.0.0.2.1482
>
> osoldev.batschul./.= pkg info -r auto-install

Here you asked the one from the repo (-r == remote). I get the same results if I use the command you used. Without -r things look right.

>           Name: system/install/auto-install
>        Summary: Automated Installer Client Components
>    Description: AI Client Components
>       Category: System/Administration and Configuration
>          State: Not installed
>      Publisher: solaris
>        Version: 0.5.11
>  Build Release: 5.11
>         Branch: 0.175.0.0.0.2.1482
> Packaging Date: Wed Oct 19 12:26:41 2011
>           Size: 42.20 kB
>           FMRI: pkg://solaris/system/install/auto-install@0.5.11,5.11-0.175.0.0.0.2.1482:20111019T122641Z

--
Mike Gerdts
Solaris Core OS / Zones

Re: [zones-discuss] Expanding the set of packages installed into a Zone?
On Thu 10 Nov 2011 at 02:53PM, Frank Batschulat wrote:
> On Thu, 10 Nov 2011 14:53:06 +0100, Mike Gerdts mike.ger...@oracle.com wrote:
> > On Thu 10 Nov 2011 at 02:42PM, Frank Batschulat wrote:
> > > fwiw, on 175b I do have the file but not the package installed which claims to deliver it ;-)
> >
> > That statement is worrisome. I think, however, it is not correct. :)
> >
> > > osoldev.batschul./.= ls -la /usr/share/auto_install/manifest/zone_default.xml
> > > -r--r--r-- 1 root sys 2367 Sep 23 11:54 /usr/share/auto_install/manifest/zone_default.xml
> > >
> > > osoldev.batschul./.= pkg search /usr/share/auto_install/manifest/zone_default.xml
> > > INDEX  ACTION  VALUE                                             PACKAGE
> > > path   file    usr/share/auto_install/manifest/zone_default.xml  pkg:/system/install/auto-install/auto-install-common@0.5.11-0.175.0.0.0.2.1482
> > >
> > > osoldev.batschul./.= pkg info -r auto-install
> >
> > Here you asked the one from the repo (-r == remote). I get the same results if I use the command you used. Without -r things look right.
>
> dont think that looks right:
>
> osoldev.batschul./.= pkg info auto-install
> pkg: info: no packages matching the following patterns you specified are
> installed on the system. Try specifying -r to query remotely:
>
>         auto-install

Frank, I think you are short on coffee. The package name is auto-install-common, not auto-install.

FWIW, I made the exact same mistake before I sent my last message. Found in my scrollback buffer:

$ pkg list auto-install
pkg list: no packages matching 'auto-install' installed
$ pkg list auto-install-common
NAME (PUBLISHER)                                 VERSION                    IFO
system/install/auto-install/auto-install-common  0.5.11-0.175.0.0.0.2.1482  i--

I have a really good excuse - my coffee was still brewing. :)

--
Mike Gerdts
Solaris Core OS / Zones

Re: [zones-discuss] Old publishers stopping zoneadm attach -u in Solaris 11?
On Thu 10 Nov 2011 at 03:39PM, Ian Collins wrote:
> On 11/10/11 03:07 PM, Edward Pilatowicz wrote:
> > you should safely be able to delete that publisher from the zones. (in s11, zones inherit publishers from the global zone so they don't actually need any local publisher configuration.)
>
> How would I do that from outside of the zone?

pkg -R zoneroot unset-publisher ...

--
Mike Gerdts
Solaris Core OS / Zones

Re: [zones-discuss] Expanding the set of packages installed into a Zone?
On Fri 11 Nov 2011 at 08:41AM, Ian Collins wrote:
> On 11/11/11 08:01 AM, Ian Collins wrote:
> > On 11/11/11 02:39 AM, Mike Gerdts wrote:
> > > On Thu 10 Nov 2011 at 08:32PM, Ian Collins wrote:
> > > > On 10/10/11 07:20 PM, Edward Pilatowicz wrote:
> > > > > by default packages that get installed into a zone are specified in the default AI manifest used to install zones. you can find that manifest here:
> > > > >
> > > > > /usr/share/auto_install/manifest/zone_default.xml
> > > >
> > > > I can't see that file (or the auto_install directory) on any of my systems. Has it moved?
> > >
> > > That file exists in Solaris 11 as part of the auto-install-common package:
> > >
> > > $ pkg search /usr/share/auto_install/manifest/zone_default.xml
> > > INDEX  ACTION  VALUE                                             PACKAGE
> > > path   file    usr/share/auto_install/manifest/zone_default.xml  pkg:/system/install/auto-install/auto-install-common@0.5.11-0.175.0.0.0.2.1482
> > >
> > > With Solaris 11 Express, the list of packages was hard coded into scripts under /usr/lib/brand/ipkg.
> > >
> > > What are you running?
> >
> > Solaris 11 Express with the latest updates from the support repo.
>
> I'm getting an odd problem creating zones and I wanted to check the package list:
>
> Package State Update Phase 45/45
> Image State Update Phase 2/2
> Installing: Additional Packages (output follows)
> Creating Plan
> pkg: 'SUNWbip' matches multiple packages
>     SUNWbip
>     compatibility/packages/SUNWbip
> ERROR: failed to install package
>
> I removed SUNWbip from /usr/lib/brand/ipkg/pkgcreatezone and the zone installed OK. I'll add the package in the zone later. Someone should have a look at a proper fix!

I believe that it is already fixed in

pkg://solaris/system/zones/brand/ipkg@0.5.11,5.11-0.151.0.1.13:20111025T185520Z

I think (but do not know) that you should be able to fix the problem you are seeing with:

# pkg update pkg://solaris/system/zones/brand/ipkg

Based on the dependencies in that package, it looks like that will also update pkg:/package/pkg to 0.5.11-0.151.0.1.13 as well.

I'm sure there's a documented way that is a bit more customer friendly, but there's another way that is much more fun... Here begins a short tour through some of the bowels of packaging. Most of what I discuss below is not an interface. It may change at any time.

First, I went to:

http://pkg.oracle.com/solaris/release/

I clicked advanced search, entered ipkg (because I knew this was the tail end of the package name) in the search field, selected Show all versions, then clicked the Advanced Search button. It showed me a list of packages, starting with:

system/zones/brand/ipkg@0.5.11,5.11-0.151.0.1.13:20111025T185520Z

which has a timestamp of October 25 (20111025). That looked promising. I clicked on the manifest and found the payload hash for pkgcreatezone from this line:

file e95f13b8e67663890f420fc80814b62e473773e0 chash=51dc959c9d234ed9b2c33897a81c84bc86a77178 group=bin mode=0755 owner=root path=usr/lib/brand/ipkg/pkgcreatezone pkg.csize=6642 pkg.size=19838

That told me that I could find the new pkgcreatezone at http://pkg.oracle.com/solaris/release/file/1/e95f13b8e67663890f420fc80814b62e473773e0. Obvious, right? :)

I saved that file, then used gzcat to see that all the package names are now fully qualified. Also, SUNWbip is no longer in the list. If SUNWbip were still needed, fully qualifying the name (e.g. pkg:/SUNWbip) would have done the trick.

--
Mike Gerdts
Solaris Core OS / Zones

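The manifest-to-payload lookup described in the message above, as an added example that is not part of the original post or of pkg(1): it pulls the payload hash out of the quoted file action, builds the /file/1/ URL, and checks a saved payload against the manifest. The function names are hypothetical, and the check assumes the repository serves the payload gzip-compressed (the message reads it with gzcat), that the positional hash is the SHA-1 of the uncompressed content, and that pkg.size is the uncompressed byte count.

```shell
#!/bin/sh
# Added illustration; helper names are hypothetical. ACTION and REPO are the
# values quoted in the message. As the message says, this repository layout is
# not a committed interface.

ACTION='file e95f13b8e67663890f420fc80814b62e473773e0 chash=51dc959c9d234ed9b2c33897a81c84bc86a77178 group=bin mode=0755 owner=root path=usr/lib/brand/ipkg/pkgcreatezone pkg.csize=6642 pkg.size=19838'
REPO='http://pkg.oracle.com/solaris/release'

# Positional payload hash of a "file" action (40 lowercase hex digits).
action_hash() {   # $1 = action line
    printf '%s\n' "$1" |
        awk '$1 == "file" && length($2) == 40 && $2 !~ /[^0-9a-f]/ { print $2 }'
}

# Value of one key=value attribute. Values containing spaces are out of scope.
action_attr() {   # $1 = action line, $2 = key
    printf '%s\n' "$1" | awk -v k="$2" '{
        for (i = 2; i <= NF; i++) {
            n = index($i, "=")
            if (n && substr($i, 1, n - 1) == k) { print substr($i, n + 1); exit }
        }
    }'
}

# URL of the payload, in the form used in the message.
payload_url() {   # $1 = repository base URL, $2 = action line
    h=$(action_hash "$2")
    [ -n "$h" ] || return 1
    printf '%s/file/1/%s\n' "$1" "$h"
}

# SHA-1 of standard input, using whichever tool is installed.
sha1_of_stdin() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 | awk '{ print $1 }'
    else
        openssl dgst -sha1 | awk '{ print $NF }'
    fi
}

# Succeeds only if the saved payload decompresses to content whose SHA-1 and
# size match the manifest line (assumed semantics, see the lead-in).
verify_payload() {   # $1 = saved payload file, $2 = action line
    want_hash=$(action_hash "$2")
    want_size=$(action_attr "$2" pkg.size)
    got_hash=$(gzip -dc "$1" 2>/dev/null | sha1_of_stdin)
    got_size=$(gzip -dc "$1" 2>/dev/null | wc -c | tr -d ' ')
    [ -n "$want_hash" ] && [ "$got_hash" = "$want_hash" ] &&
        [ "$got_size" = "$want_size" ]
}

# Demo: print the URL derived from the action line quoted in the message.
payload_url "$REPO" "$ACTION"
```

Running verify_payload on the saved file before reading it catches a truncated or substituted download, since the hash comes from the manifest rather than from the file itself.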
Re: [zones-discuss] zone hostname that won't go away
On Mon 07 Nov 2011 at 09:46PM, Ian Collins wrote:
> This is an odd one!
>
> I have an exclusive IP zone I want to reconfigure (full up to date Solaris 11 Express). sys-unconfig runs through OK, but on reboot the old hostname reappears and the configure screens start at the system part of a subnet screen.
>
> Removing /etc/inet/hosts.saved from the zone fixed the problem.

Thanks for reporting this. FWIW, I highly doubt that this will continue to be a problem because sys-unconfig has been modernized in Solaris 11. If you continue to see it after updating to Solaris 11 (available in two days), please report back.

--
Mike Gerdts
Solaris Core OS / Zones

Re: [zones-discuss] Can a guest LDOM discover the identity of the host system?
On Wed 19 Oct 2011 at 07:51PM, Patrick Stahl wrote:
> I'm fed up and want to write a scan that will run with root privilege to look up from inside our logical domains and non-global zones to find the parents name / IP / host system / something tangible (or even obscure - I'll do a resolve after against something). I need to know the hook to look for.

First off, you can reach the people that actually work on ldoms at ldoms-disc...@opensolaris.org.

Back when I was a customer, I played with ways to accomplish the same thing you are after. I considered two options:

1) While an ldom is being provisioned (and afterwards) you have the ability from the primary ldom to set ldom OBP settings. You can use the same type of trick that SNEEP uses to store arbitrary information in OBP. Within the ldom, you can use eeprom(1M) to retrieve that information. Be sure to update this information if the ldom is migrated. I do not know the implications for live migration.

   http://wikis.sun.com/display/sneep/SNEEP+FAQ#SNEEPFAQ-storage

   If you run explorer on a regular basis, I believe it will capture this information. Then, if the ldom is down (and you've stored your explorer output outside of the ldom - such as on an NFS server) you can refer to the explorer to figure out which primary ldom you need to go to in order to find the dead guest ldom.

2) Create an in the box private network that always has the primary ldom at .1 (e.g. 192.168.200.1) and the ldoms at various other IPs on that network. That is, on every box, 192.168.200.1 is the primary ldom. You can then ssh 192.168.200.1 on any box and get to its parent. I used a technique very much like this on 15k's and 25k's to be able to get to the system controller across the dman network for years.

I completely get what you are saying with CMDB, having been dismayed with the direction that I saw CMDB projects go when I was a customer. Perhaps what you need is a tool that is a sysadmin tool that actually understands what you do.

http://blogs.oracle.com/eSTEP/entry/announcing_oracle_enterprise_manager_ops

    At Oracle OpenWorld, we're announcing a change to Oracle Enterprise Manager Ops Center. Until now, Ops Center has been sold as two distinct packs which each require the customer to acquire a software license. With these changes, the entire Ops Center product will now be included as a default part of all Systems support agreements -- at no extra charge! This means that every customer of Oracle's Servers, Storage, Network equipment, Operating Systems, and Virtualization technology will be able to add Ops Center to their data center management suite with zero barrier to entry.

--
Mike Gerdts
Solaris Core OS / Zones

Re: [zones-discuss] zone v2v: Solaris 10 - Solaris 11 Express
On Tue 11 Oct 2011 at 03:38PM, Maidak Alexander J wrote:
> I took a native zone from Solaris 10 and attempted to v2v migrate it to a Solaris 10 branded zone on Solaris 11 Express 151.0.1.8.
>
> I just detached the zone from Solaris 10 and did a zfs send|zfs recv for the zonepath dataset (/s10zone/zonepath) to Solaris 11.
>
> I issued:
>
> zonecfg -z s10zone create -a /s10zone/zonepath
>
> To copy over the zonecfg and then changed the brand from native to solaris10.
>
> I then moved the original Solaris 10 zonepath to /s10zone/s10zonepath, then I attached the zone with the -d option as follows:
>
> root@solaris11:/# zoneadm -z s10zone attach -d /s10zone/s10zonepath/root/
> Log File: /var/tmp/s10zone.attach_log.swaW8f
> Attaching...
> Attach complete.
> Log File: /s10zone/zonepath/root/var/log/s10zone.attach2955.log
>
> root@solaris11:/# cat /s10zone/zonepath/root/var/log/s10zone.attach2955.log
> [Tuesday, October 11, 2011 01:39:46 PM CDT] Log File: /var/tmp/s10zone.attach_log.swaW8f
> [Tuesday, October 11, 2011 01:39:46 PM CDT] Attaching...
> [Tuesday, October 11, 2011 01:39:46 PM CDT] Sanity Check: Passed. Looks like a Solaris 10 image.
> [Tuesday, October 11, 2011 01:39:46 PM CDT ] directory
> [Tuesday, October 11, 2011 01:39:46 PM CDT]
> [Tuesday, October 11, 2011 01:39:46 PM CDT] cd /s10zone/s10zonepath/root/ find bin etc export home home1 infrtool kernel lib mnt net none opt platform sbin system usr var -xdev ( -type d -o -type f -o -type l ) -print |
> [Tuesday, October 11, 2011 01:39:46 PM CDT] cpio -pdm /s10zone/zonepath/root
> cpio: Cannot chown() /s10zone/zonepath/root/etc/globalname, errno 30, Read-only file system
> cpio: Unable to reset modification time for globalname, errno 30, Read-only file system
> cpio: Cannot chmod() /s10zone/zonepath/root/etc/globalname, errno 30, Read-only file system
> 11156672 blocks
> 3 error(s)
> [Tuesday, October 11, 2011 01:45:17 PM CDT] Sanity Check: Passed. Looks like a Solaris 10 image.
> [Tuesday, October 11, 2011 01:45:17 PM CDT]
> [Tuesday, October 11, 2011 01:45:18 PM CDT] Attach complete.
>
> Looked like everything went fine, great... Then I noticed that this cpio + find method did not migrate the . files/directories from the old zone root into the newly created zone root (example: .ssh).
>
> Is this a bug, or were my methods defective? Advice on this would be helpful.

This looks like a bug to me. In /usr/lib/brand/shared/common.ksh, install_dir() is responsible for the cd && find | cpio that you see logged above.

    722         list=$(cd "$source_dir" && ls -d * | egrep -v "$filt")
    723         flist=$(for i in $list
    724         do
    725                 printf "%s " "$i"
    726         done)
    727         findopts="-xdev ( -type d -o -type f -o -type l ) -print"
    728
    729         vlog "cd \"$source_dir\" && find $flist $findopts | "
    730         vlog "cpio $cpioopts \"$ZONEROOT\""
    731
    732         # Ignore errors from cpio since we expect some errors depending on
    733         # how the archive was made.
    734         ( cd "$source_dir" && find $flist $findopts | \
    735             cpio $cpioopts "$ZONEROOT" )
    736

The list ($list) generated on line 722 will not include dot files. It should probably look like:

        list=$(cd "$source_dir" && ls -A | egrep -v "$filt")

Notice that ls -d * changed to ls -A.

I've opened:

7099779 zoneadm attach -d loses dot files in root directory

--
Mike Gerdts
Solaris Core OS / Zones

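The difference between the two listings discussed in the message above, as an added example that is not the brand script and not part of the original post: it builds a small source tree, generates the find payload from both `ls -d *` and `ls -A`, and reports the paths that only the second one copies. The tree, the exclusion regex and all function names are constructed for illustration, and `grep -E` stands in for `egrep`.

```shell
#!/bin/sh
# Added illustration, not the Solaris brand script. All paths and the filter
# are constructed sample values.

# Build a throwaway source root holding ordinary and dot entries.
make_sample_root() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc" "$root/var" "$root/proc" "$root/.ssh"
    : > "$root/etc/passwd"
    : > "$root/.profile"
    : > "$root/.ssh/authorized_keys"
    printf '%s\n' "$root"
}

# Top-level names as line 722 builds them: the glob '*' never expands to
# names that begin with a dot.
list_glob() {    # $1 = source root, $2 = exclusion regex
    ( cd "$1" && ls -d * | grep -E -v "$2" )
}

# Top-level names as the proposed fix builds them: 'ls -A' includes dot
# entries but leaves out '.' and '..'.
list_all() {     # $1 = source root, $2 = exclusion regex
    ( cd "$1" && ls -A | grep -E -v "$2" )
}

# Paths that find would hand to cpio for a given listing function, using the
# find options quoted in the message. $list is deliberately unquoted, as in
# the original, so names containing whitespace are out of scope here.
find_payload() { # $1 = source root, $2 = exclusion regex, $3 = list function
    list=$("$3" "$1" "$2")
    ( cd "$1" && find $list -xdev \( -type d -o -type f -o -type l \) -print ) |
        LC_ALL=C sort
}

# Paths copied with the 'ls -A' listing but silently skipped with 'ls -d *'.
lost_paths() {   # $1 = source root, $2 = exclusion regex
    before=$(mktemp) && after=$(mktemp) || return 1
    find_payload "$1" "$2" list_glob > "$before"
    find_payload "$1" "$2" list_all > "$after"
    LC_ALL=C comm -13 "$before" "$after"
    rm -f "$before" "$after"
}

# Demo run on the constructed tree.
demo_root=$(make_sample_root)
echo "skipped by 'ls -d *':"
lost_paths "$demo_root" '^proc$'
rm -rf "$demo_root"
```

The same comparison, pointed at a real source root and the attached zone root, is a quick post-migration audit for entries such as .ssh that never arrived.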
Re: [zones-discuss] ERROR: the zonepath must be a ZFS dataset.
On Wed 07 Sep 2011 at 07:42AM, Paul Kraus wrote:
> On Tue, Sep 6, 2011 at 5:11 PM, Mike Gerdts mike.ger...@oracle.com wrote:
> > > 3)zfs dataset requirement
> >
> > How does this negatively impact you or other users? As of Solaris 11 Express, this requirement means that you have to run 'zfs create' once to create a ZFS filesystem that will be the parent of an arbitrary number of zones. I personally would not advocate a configuration where each zone is not on its own file system because a disk hog in one zone can deny service to other zones.
>
> Be very careful here. If you allocate all of your Zones from a single zpool and do NOT use quotas (and reservations) you can have one Zone run the others out of disk space. Does the automatic (under the covers) zfs create in Solaris 11 also automate setting reasonable quotas and reservations ? I don't want folks who are less familiar with ZFS to make that mistake.

Very good point - thanks for making it.

> > While I was working for a Fortune 10 company and introduced zones early in Solaris 10's life, I ensured that every zone had its own file system on a SVM soft partition. This approach worked well for many years, but took a significant amount of effort to automate. The integration of ZFS and Zones simplifies this type of architecture greatly.
>
> We have used almost exclusively sparse root zones; for the space efficiency, the global patching model, and the security of a read only OS. I will be sorry to see the option of a sparse root zone go away.

I understand your concerns here and I look forward to the day that I can talk about what Solaris 11 has to offer to address them.

--
Mike Gerdts
Solaris Core OS / Zones

Re: [zones-discuss] ERROR: the zonepath must be a ZFS dataset.
On Tue 06 Sep 2011 at 10:09AM, Jeremy Loukinas wrote:
> First:
>
> root@opensolaris:~# zfs mount
> rpool/ROOT/opensolaris-1        /
> rpool/export                    /export
> rpool/export/home               /export/home
> rpool                           /rpool
> zpool/zones                     /zones
> zpool                           /zpool
> root@opensolaris:~#
>
> Second:
>
> root@opensolaris:~# zonecfg -z test2
> test2: No such zone configured
> Use 'create' to begin configuring a new zone.
> zonecfg:test2> create
> zonecfg:test2> set zonepath=/zones/roots/test2
> zonecfg:test2> exit
> root@opensolaris:~# zoneadm -z test2 install
> ERROR: the zonepath must be a ZFS dataset.
> The parent directory of the zonepath must be a ZFS dataset so that the
> zonepath ZFS dataset can be created properly.
> root@opensolaris:~#
>
> Am i missing something here? I found another post but it was from someone trying to create a zone in rpool..

If you did:

zonecfg -z test2 'set zonepath=/zones/test2'

all would be well. Alternatively, if you really want the zonepath to /zones/roots/test2:

zfs create zpool/zones/roots

--
Mike Gerdts
Solaris Core OS / Zones

Re: [zones-discuss] ERROR: the zonepath must be a ZFS dataset.
On Tue 06 Sep 2011 at 03:00PM, Hung-Sheng Tsao (Lao Tsao ??) Ph.D. wrote:
> I just did the same on s10u9 vbox
>
> bash-3.00# zfs list
[snip]
> bash-3.00# zoneadm -z test1 install

If zoneadm creates a dataset for this zone, at this point you would see:

    A ZFS file system has been created for this zone.

> Preparing to install zone test1.
> Creating list of files to copy from the global zone.
> Copying 16658 files to the zone.
> Initializing zone product registry.
> Determining zone package initialization order.
> Preparing to initialize 1128 packages on the zone.
> Initialized 1128 packages on zone.
> Zone test1 is initialized.
> The file /zones/roots/test1/root/var/sadm/system/logs/install_log contains a log of the zone installation.

Solaris 10 allows zones to have their own ZFS datasets. Solaris 11 Express and OpenSolaris require zones to have their own ZFS datasets. The error messages provided by the original poster (and the prompt) suggest that Solaris 11 Express or a previous release of OpenSolaris was used.

> On 9/6/2011 1:39 PM, Mike Gerdts wrote:
> > On Tue 06 Sep 2011 at 10:09AM, Jeremy Loukinas wrote:
> > > First:
> > >
> > > root@opensolaris:~# zfs mount
> > > rpool/ROOT/opensolaris-1        /
> > > rpool/export                    /export
> > > rpool/export/home               /export/home
> > > rpool                           /rpool
> > > zpool/zones                     /zones
> > > zpool                           /zpool
> > > root@opensolaris:~#
> > >
> > > Second:
> > >
> > > root@opensolaris:~# zonecfg -z test2
> > > test2: No such zone configured
> > > Use 'create' to begin configuring a new zone.
> > > zonecfg:test2> create
> > > zonecfg:test2> set zonepath=/zones/roots/test2
> > > zonecfg:test2> exit
> > > root@opensolaris:~# zoneadm -z test2 install
> > > ERROR: the zonepath must be a ZFS dataset.
> > > The parent directory of the zonepath must be a ZFS dataset so that the
> > > zonepath ZFS dataset can be created properly.
> > > root@opensolaris:~#
> > >
> > > Am i missing something here? I found another post but it was from someone trying to create a zone in rpool..
> >
> > If you did:
> >
> > zonecfg -z test2 'set zonepath=/zones/test2'
> >
> > all would be well. Alternatively, if you really want the zonepath to /zones/roots/test2:
> >
> > zfs create zpool/zones/roots

--
Mike Gerdts
Solaris Core OS / Zones

Re: [zones-discuss] ERROR: the zonepath must be a ZFS dataset.
On Tue 06 Sep 2011 at 04:37PM, Hung-Sheng Tsao (Lao Tsao ??) Ph.D. wrote:
> current s10 zone user will not be unhappy when move to s11
> 1)there is no sparse zone in s11 (yet)
> 2)there is no v2v from s10 zone to s11 zone (yet)

That is not correct.

http://download.oracle.com/docs/cd/E19963-01/html/821-1460/gjogf.html

> 3)zfs dataset requirement

How does this negatively impact you or other users? As of Solaris 11 Express, this requirement means that you have to run 'zfs create' once to create a ZFS filesystem that will be the parent of an arbitrary number of zones. I personally would not advocate a configuration where each zone is not on its own file system because a disk hog in one zone can deny service to other zones.

While I was working for a Fortune 10 company and introduced zones early in Solaris 10's life, I ensured that every zone had its own file system on a SVM soft partition. This approach worked well for many years, but took a significant amount of effort to automate. The integration of ZFS and Zones simplifies this type of architecture greatly.

A reason that it is of great benefit is that with the new way it is possible to create boot environments for each zone using ZFS clones. The beadm + ZFS + Zones integration is much better than Solaris 10's Live Upgrade + ZFS + Zones. Once Solaris 11 is released, I'll be happy to talk about some other benefits of this new requirement.

> 4)people just does not like changes

I think that is extreme. People that don't like changes should probably stick to old-world trades such as blacksmithing. People that work in any technology-driven business depend on change to make their operations more efficient, to serve more customers, to improve their own products, etc.

Change without reason is bad. Change that offers benefits is good. If you don't want to endure the change that Solaris 11 has to offer, Solaris 10 is still available and will continue to be available for quite some time - there is nothing forcing anyone off of Solaris 10 for the next several years.

> My 2c
>
> On 9/6/2011 3:33 PM, Frank Batschulat wrote:
> > On Tue, 06 Sep 2011 21:27:40 +0200, LaoTsao laot...@gmail.com wrote:
> > > interesting, IMHO, this type of change will make many many s10 users unhappy
> >
> > I assume you are referring to Mike's response that zones require their own separate ZFS dataset going forward ?
> >
> > if so can you give some reasons why this would make current s10 users unhappy when switching ?
> >
> > thanks

--
Mike Gerdts
Solaris Core OS / Zones

Re: [zones-discuss] acfs support in zone
On Sat 16 Jul 2011 at 08:33PM, Hung-Sheng Tsao (Lao Tsao) Ph.D. wrote:
hi recent osc3.3u1 announce the support of acfs in zone cluster, but acfs cannot be zone rootpath
questions
1) does zone support acfs outside of the solaris cluster
I'm not yet familiar enough with ACFS to answer that question. (It is on my reading list.) You may want to ask this through support channels and if the answer is no, please explain why it is important to you and/or your customers and ask that an RFE be filed. If an RFE is filed, please let me know what the CR number is (change request - a 7 digit number). Feel free to share those reasons here too.
2) why the acfs cannot be zone's rootpath?
As you can see with Solaris Express 2010.11, packaging and boot environment management is dependent on ZFS. Even if another file system such as ACFS supported the snapshot and clone operations similar to how ZFS works, there is no abstraction in the relevant code to be able to take advantage of another file system in place of ZFS. Even with Solaris 10, tools such as live upgrade would need significant work to work with and/or take advantage of any benefits of ACFS.
-- Mike Gerdts Solaris Core OS / Zones
Re: [zones-discuss] S10 zone migration with pax(1)
On Thu 16 Jun 2011 at 03:12AM, John D Groenveld wrote:
In message 20110616022827.ga3...@mgerdts-laptop.us.oracle.com, Mike Gerdts writes:
A quick look suggests that the difference between your 'pax -r' args and what attach uses is '-@ -p e'. See install_pax() in /usr/lib/brand/shared/common.ksh. If you update this line:
    ( cd $ARCHIVE_BASE && pax -r -f $archive $filtopt )
to:
    ( cd $ARCHIVE_BASE && pax -r -@ -p e -f $archive $filtopt )
give 'zoneadm -z myzone attach -a' another whirl, and report back, I would be most appreciative.
Worked, thank you. John groenv...@acm.org
I've opened: 7055457 zoneadm attach -a archive.pax does not preserve permissions
Thanks for giving it a try and reporting back.
-- Mike Gerdts Solaris Core OS / Zones
Re: [zones-discuss] S10 zone migration with pax(1)
On Wed 15 Jun 2011 at 09:17PM, John D Groenveld wrote:
Following this recipe to migrate my non-global S10 zones to S11X: URL:http://download.oracle.com/docs/cd/E19963-01/html/821-1460/gjroc.html cpio(1) fails due = 8GB filesize limit. (See largefile(5).) Using pax results in a zone with foobar'd permissions.
    S10# pax -w -@ -p e -x xustar -f /zones/my-zone.pax my-zone
    S11# zoneadm -z my-zone attach -a /zones/my-zone.pax
However, if I extract my-zone.pax and attach with -d, the zone's permissions appear kosher.
    S11# pax -r -@ -p e -f /zones/my-zone.pax
    S11# zoneadm -z my-zone attach -d /zones/my-zone
A quick look suggests that the difference between your 'pax -r' args and what attach uses is '-@ -p e'. See install_pax() in /usr/lib/brand/shared/common.ksh. If you update this line:
    ( cd $ARCHIVE_BASE && pax -r -f $archive $filtopt )
to:
    ( cd $ARCHIVE_BASE && pax -r -@ -p e -f $archive $filtopt )
give 'zoneadm -z myzone attach -a' another whirl, and report back, I would be most appreciative.
I'm guessing zoneadm(1M)'s call to pax(1) with -a pax_archive is broken and zoneadm(1M)'s underlying use of cpio(1) with -d zone/root has the filesize limit.
Sounds like reasonable guesses, but I wouldn't expect cpio would have an issue with stream size in pass mode. Do you have any file (including sparse files) with a size > 4 GB?
-- Mike Gerdts Solaris Core OS / Zones
Re: [zones-discuss] Solaris 10 zone migration to Solaris 11 Express
On Wed 06 Apr 2011 at 02:33AM, Ketan wrote:
I was testing migrating the solaris10 zone to a solaris 11 express zone. I used cpio to create the archive with the following syntax
    # find db_zone -print | cpio -oP@ | gzip > /swdump/ovpidb_zone.cpio.gz
Then I created a solaris10 brand zone on the Solaris 11 environment and tried to attach the zone but I got the following error.
    zoneadm -z s10zone1 attach -a /home/vneb/ovpidb_zone.cpio.gz
    Log File: /var/tmp/s10zone1.attach_log.oFaavh
    Attaching...
    ERROR: The image was created with an incompatible libc.so.1 hwcap lofs mount. The zone will not boot on this platform. See the zone's documentation for the recommended way to create the archive.
I'm moving a solaris 10u8 zone from M5000 to a Ldom2.0 Solaris11 express
It sounds like the zone was running when you created the archive. As a result, the version of libc that is optimized for the SPARC64 CPU found in the M5000 was mounted on top of /lib/libc.so.1. On the T-series box that you are moving to, the CPU architecture is different and incompatible with the type of optimization done for the SPARC64 CPU. It looks like you were following the instructions at http://download.oracle.com/docs/cd/E19963-01/html/821-1460/gentextid-12093.html#gcglo but the "shut down the zone while creating the archive" step seems to be missing.
-- Mike Gerdts Solaris Core OS / Zones
Re: [zones-discuss] Solaris 10 zone migration to Solaris 11 Express
On Wed 06 Apr 2011 at 08:11PM, Ketan wrote:
Following is the output from the log file when I try to attach the zone /var/tmp/s10zone1.attach_log.djaOxj
    [Wednesday, April 6, 2011 08:49:45 PM CDT] Log File: /var/tmp/s10zone1.attach_log.djaOxj
    [Wednesday, April 6, 2011 08:49:45 PM CDT] Attaching...
    [Wednesday, April 6, 2011 08:49:45 PM CDT] gzipped cpio archive
    [Wednesday, April 6, 2011 08:49:46 PM CDT]
    [Wednesday, April 6, 2011 08:49:46 PM CDT] Analysing the archive
    [Wednesday, April 6, 2011 08:50:49 PM CDT] cd /zones gzcat /home/user1/db_zone.cpio.gz | cpio -idmfE /var/tmp/fs.cpio.NkaWyj
    cpio: Cannot mknod() db_zone/dev/cpu/self/cpuid, errno 22, Invalid argument
    cpio: Cannot chown() db_zone/dev/cpu/self/cpuid, errno 2, No such file or directory
    cpio: Unable to reset modification time for cpuid, errno 2, No such file or directory
    cpio: Cannot chmod() db_zone/dev/cpu/self/cpuid, errno 2, No such file or directory
    1405280 blocks
    4 error(s)
    [Wednesday, April 6, 2011 08:52:02 PM CDT] HWCAP: moe: /zones/db_zone/root/lib/libc.so.1: open failed: No such file or directory
    [Wednesday, April 6, 2011 08:52:02 PM CDT] ERROR: The image was created with an incompatible libc.so.1 hwcap lofs mount. The zone will not boot on this platform. See the zone's documentation for the recommended way to create the archive.
Ahhh... it looks like you should have gotten the sparse zone error message instead of the incompatible libc message. I've created: 7034572 zone install and attach from archive should do sparse check before libc check
After steve told me I checked the logs and found that lib files are missing from the zone which was being migrated (do not know the reason for it) .. and I just copied lib files from /lib to /zones/root/lib/ .. it went lil ahead but then it gave me following error
Yikes!
    [Wednesday, April 6, 2011 09:17:39 PM CDT] Missing sbin/zonename at /zones/db_zone/root
    [Wednesday, April 6, 2011 09:17:39 PM CDT] Is this a sparse zone image? The image must be whole-root.
    [Wednesday, April 6, 2011 09:17:39 PM CDT] Missing usr/bin/chmod at /zones/db_zone/root
    [Wednesday, April 6, 2011 09:17:39 PM CDT] Is this a sparse zone image? The image must be whole-root.
That's the sparse zone error message I was expecting.
    [Wednesday, April 6, 2011 09:17:39 PM CDT] Sanity Check: FAILED (see log for details).
    [Wednesday, April 6, 2011 09:17:39 PM CDT] ERROR: *** Attach FAILED ***
so does this mean we cannot migrate a sparse root zone to Solaris 11 express server? or is it I'm doing something wrong?
You can, but in order to do so, you need to be sure that the things that are not included in a sparse zone get included in the archive. This will cause the archive to be a lot larger and the zone will not be a sparse root zone on Solaris 11. To create the archive
    zoneadm -z db_zone ready
    cd $db_zone_zonepath/..
    find db_zone -print | cpio -oP@ | gzip > /swdump/db_zone.cpio.gz
    zoneadm -z db_zone halt
This is mentioned on page 377 of System Administration Guide: Oracle Solaris Zones, Oracle Solaris 10 Containers, and Resource Management: http://download.oracle.com/docs/cd/E19963-01/pdf/821-1460.pdf It is also at: http://download.oracle.com/docs/cd/E19963-01/html/821-1460/gjowt.html However, this does not appear in the examples. I completely missed it when I was reading the HTML version, but felt it stood out relatively well in the PDF version.
-- Mike Gerdts Solaris Core OS / Zones
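A check that can be run on an archive listing before copying the archive to the target host, added here as an example and not taken from the thread or from zoneadm: it looks for the three files whose absence the attach logs above report. The function names and the sample listings are constructed for illustration; a real listing would be one path per line, as printed by 'cpio -it'.

```shell
#!/bin/sh
# Paths the attach logs in this thread reported as missing, relative to
# <zonename>/root. Archive member names are assumed to start with the zone
# name, as they do when the archive is made with 'find <zonename> -print'
# from the parent of the zonepath.
REQUIRED="lib/libc.so.1 sbin/zonename usr/bin/chmod"

# missing_paths ZONENAME   (archive listing on stdin, one path per line)
# Prints each required path that does not appear in the listing.
missing_paths() {
    awk -v zone="$1" -v req="$REQUIRED" '
        BEGIN { n = split(req, want, " ") }
        {
            for (i = 1; i <= n; i++)
                if ($0 == (zone "/root/" want[i])) found[i] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(i in found)) print want[i]
        }'
}

# archive_verdict ZONENAME   (archive listing on stdin)
# Prints "ok" and returns 0 when nothing is missing; otherwise prints
# "incomplete: <paths>" and returns 1.
archive_verdict() {
    missing=$(missing_paths "$1" | tr '\n' ' ')
    if [ -z "$missing" ]; then
        echo "ok"
        return 0
    fi
    echo "incomplete: ${missing% }"
    return 1
}

# Constructed listing: sparse-root zone archived without its inherited
# directories, as in the first attach log.
sparse_listing() {
    cat <<'EOF'
db_zone
db_zone/root
db_zone/root/etc
db_zone/root/etc/passwd
db_zone/root/var
db_zone/dev
EOF
}

# Constructed listing: the same archive after lib files were copied in by
# hand, as in the second attach log.
patched_listing() {
    sparse_listing
    cat <<'EOF'
db_zone/root/lib
db_zone/root/lib/libc.so.1
EOF
}

# Constructed listing: archive that carries the inherited directories too.
whole_root_listing() {
    patched_listing
    cat <<'EOF'
db_zone/root/sbin/zonename
db_zone/root/usr/bin/chmod
EOF
}

for sample in sparse_listing patched_listing whole_root_listing; do
    printf '%-20s %s\n' "$sample" "$($sample | archive_verdict db_zone || true)"
done
```

A passing result only says these three files are present; the attach sanity check on the target host remains the authority.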
Re: [zones-discuss] zoneadm wants more ZFS when only ZFS exists
On Mon 07 Feb 2011 at 07:13PM, Darren Reed wrote:
On 7/02/11 08:22 AM, Mike Gerdts wrote:
...
If I was in the habit of upgrading, creating new BEs, validating those BEs, then deleting the old ones, why wouldn't the same apply to zones and thus result in mitigation of the problem you cite above?
If the old global zone BEs and associated snapshots are deleted, there's probably not a big problem. However, the code paths for creating the zone BEs during beadm create and similar operations become more complicated, having to deal with more scenarios. More complicated for the sake of flexibility that has no material benefit means that developers spend less time working on things that are of material benefit.
Is there a reason that zfs create -o mountpoint=/zones rpool/zones then creating each zonepath as /zones/zonename is a problem?
From the perspective of a developer that uses a test suite that creates zones using a shell script, the less changes required to my script the better. I suspect that ultimately the above will become part of the system installation configuration, but it would be nice if the zones tools kept the difference in requirements for disk configuration internal? Thus the same commands just work when building zones on Solaris10 & 11. I suppose in my case, it is rpool/zone and mountpoint=/zone. Darren
What you are asking for seems to be within the scope of 6726123 zoneadm install should create zfs filesystems whenever possible
-- Mike Gerdts Solaris Core OS / Zones
Re: [zones-discuss] zoneadm wants more ZFS when only ZFS exists
On Fri, Feb 4, 2011 at 11:32 PM, Darren Reed darren.r...@oracle.com wrote:
On a test system that is using only ZFS, I'm trying to create a zone but it keeps failing with:
    netvirt-d1 ~# zoneadm -z exclusivetestzone1 install
    ERROR: the zonepath must be a ZFS dataset. The parent directory of the zonepath must be a ZFS dataset so that the zonepath ZFS dataset can be created properly.
I don't get it. This restriction never used to exist.
Zones need to be on ZFS with a particular dataset layout so that boot environments can be managed with beadm, pkg, etc. That is, zone boot environments have very similar requirements that global zone boot environments have.
Why do I need to do something extra that is mandatory?
If the parent of the zonepath is itself a ZFS dataset, it does happen automatically.
Further to this, there's a script on Oracle's website here: http://download.oracle.com/docs/cd/E19963-01/821-1460/z.conf.start-1/index.html that also fails to configure & create a zone that can be installed with b154 bits. To give an example (/tmp/ozone is the script from the above page)... / is rpool/ROOT/solaris
    # zfs create rpool/ROOT/solaris/zone
    # zfs set mountpoint=/zone rpool/ROOT/solaris/zone
That needs to be fixed. It would cause zone boot environments to be contained within global zone boot environments. As new global zone boot environments are created, you will end up with roughly 2x the number of non-global zone BEs. I normally use:
    zfs create -o mountpoint=/zones rpool/zones
and would appreciate feedback as to whether others feel that this should be the default behavior if the zonepath is /zones/zonename and /zones doesn't already exist.
As you can see from this, the parent of the zonepath is /zone and that is a freshly created ZFS dataset. Furthermore, / which is the parent of /zone is also a ZFS dataset. Having /zone as a directory within / and not a dataset also results in the above error. Between zoneadm and zonecfg, I can't see anything that instructs me on how to resolve this. Am I missing something?
-- Mike Gerdts http://mgerdts.blogspot.com/
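The two layout conditions discussed in this message (the parent of the zonepath must be a ZFS dataset, and that dataset should not sit inside a global zone boot environment), written as a check over 'zfs list -H -o name,mountpoint' output. This is an added example, not zoneadm's own logic and not code from the thread; the function names are hypothetical, the layouts are constructed from the commands quoted above, and boot environment datasets are assumed to live under <pool>/ROOT/.

```shell
#!/bin/sh
# check_zonepath ZONEPATH   (stdin: 'zfs list -H -o name,mountpoint' output,
#                            i.e. dataset name, a tab, then the mountpoint)
# Prints one of:
#   ok <dataset>                       parent is a dataset outside any BE
#   parent-not-dataset                 parent is only a directory
#   inside-boot-environment <dataset>  parent dataset is below <pool>/ROOT/
# and returns 0 only for "ok".
check_zonepath() {
    parent=$(dirname "$1")
    # First dataset whose mountpoint is exactly the parent directory.
    # "legacy" and "-" mountpoints can never equal a path, so they are skipped.
    ds=$(awk -F '\t' -v mp="$parent" '$2 == mp { print $1; exit }')
    if [ -z "$ds" ]; then
        echo "parent-not-dataset"
        return 1
    fi
    case $ds in
        */ROOT/*)
            # Assumption: BE datasets live under <pool>/ROOT/, so zone
            # datasets created here would be contained in a global zone BE.
            echo "inside-boot-environment $ds"
            return 1
            ;;
    esac
    echo "ok $ds"
}

# Constructed layout: /zone is a plain directory inside the root dataset.
plain_dir_layout() {
    printf 'rpool\t/rpool\n'
    printf 'rpool/ROOT\tlegacy\n'
    printf 'rpool/ROOT/solaris\t/\n'
}

# Constructed layout after 'zfs create rpool/ROOT/solaris/zone' and
# 'zfs set mountpoint=/zone rpool/ROOT/solaris/zone'.
nested_layout() {
    plain_dir_layout
    printf 'rpool/ROOT/solaris/zone\t/zone\n'
}

# Constructed layout after 'zfs create -o mountpoint=/zones rpool/zones'.
recommended_layout() {
    plain_dir_layout
    printf 'rpool/zones\t/zones\n'
}

echo "plain directory: $(plain_dir_layout | check_zonepath /zone/exclusivetestzone1 || true)"
echo "nested in BE:    $(nested_layout | check_zonepath /zone/exclusivetestzone1 || true)"
echo "recommended:     $(recommended_layout | check_zonepath /zones/exclusivetestzone1 || true)"
```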
Re: [zones-discuss] migrate from global zone ?
On Thu, Jan 20, 2011 at 1:25 AM, sang-suan gam sangsuan@gmail.com wrote:
Hi All, how can one migrate oracle DB (2 instances) from the global zone to non-local zones? thanks, sam
Oracle Solaris 11 Express provides Oracle Solaris 10 Containers which are designed to solve such problems. http://download.oracle.com/docs/cd/E19963-01/821-1460/gjfbq/index.html http://download.oracle.com/docs/cd/E19963-01/821-1460/gjoak/index.html If you have a non-trivial installation (e.g. you are using ASM, you have SAN attached disk containing file systems for binaries and databases, etc.) you will likely need to do some additional configuration. Be sure to check with the database folks to ensure that you remain in a supported configuration.
If you aren't able to move to Solaris 11 Express (even with Solaris 10 Containers), the process for migrating will be highly dependent on your configuration. The last time I read the oracle database installation instructions (several years ago) the recommendation was to have separate file systems for the oracle executables (e.g. /u01) and others for database files, indexes, etc. (e.g. /u02, /u03, ... or /sid/u01, /sid/u02, ...) If this is the case, then you likely need to do something along the lines of the following. This is an off-the-cuff description of the process that is generic and almost certainly misses things that exist in your configuration. Test it on non-production machines first and consult with DBAs and Oracle Solaris and database support as needed.
1) Configure the zone with zonecfg. You will most likely need to set various resource controls (add rctl in zonecfg) for shared memory, etc. I suspect that current Oracle DB installation docs will describe what needs to be set.
2) Install the zone with zoneadm install.
3) Boot the zone and do any configuration needed. For example, add users and groups needed.
4) Shut down the database
5) Remove (or comment) the /etc/vfstab entries corresponding to the oracle databases and binaries from the global zone
6) Add fs entries to the zone's configuration (with zonecfg) corresponding to the entries removed from the global zone's /etc/vfstab.
7) Reboot the zone
8) Start the database in the zone.
-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Migrate a Zone with zfs root. This zone contains UFS SAN attached devices
On Sun, Jan 2, 2011 at 8:15 AM, Shawn Joy shawn@sun.com wrote:
Hi All, How does one migrate a zone with a zfs root. This zone also contains UFS SAN attached devices.
While you didn't specify a release of Solaris, I am assuming that you are working with Solaris 10. The instructions for this are at: http://docs.sun.com/app/docs/doc/817-1592/gcgnc?l=en&a=view The instructions provided there are rather generic but are likely workable for your situation, assuming that the data served from the SAN is application data and not OS data. A step that is not mentioned is how to configure the storage devices and/or SAN fabric to allow the other host to see the disks. Zones likely do not add any complexity to that task - it should be just a migration of storage from one machine to the next when zones are not involved. If the zonepath is on the SAN, the "move the zonepath for my-zone to the new host" step is unlikely to involve tar or sftp. Rather, the steps will be along the lines of shutting down the zone, detaching it, doing implementation-specific SAN-based storage migration tasks, attaching it, then booting it. Without knowing specifics about what storage is on the SAN vs. on local disk, it is hard to tell if there is anything especially tricky that you need to deal with.
-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Migrate a Zone with zfs root. This zone contains UFS SAN attached devices
On Sun, Jan 2, 2011 at 8:25 PM, Shawn Joy shawn@bulletproofsi.com wrote:
Yes, I am running Solaris 10 and only the application data is on the SAN. I had seen this link previously. I understand this explains moving the zfs root info. For the application data should I be doing the following.
While Zone is on the original host.
1.) shut down the app and database and ensure they will not start on boot.
2.) unmount the UFS mount points.
3.) comment out the UFS entries in the zone vfstab.
4.) do the zone detach
On the new host.
4.) reconfigure the SAN to ensure the new host can see the UFS SAN mount points.
5.) do the zone attach.
6.) boot the zone
7.) test mounting the UFS SAN devices
8.) correct the zone vfstab entries to ensure it contains the correct entries.
9.) halt the zone
10.) boot the zone to ensure the UFS SAN devices are mounted correctly at boot time.
11.) start the database and App.
That sounds about right. Of course, backups are always a good thing to have just in case things go wrong for some reason.
-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] ON SMB/NFS server support for non-global zones
On Sun, Dec 5, 2010 at 11:38 AM, Nicolas Dorfsman n...@woup.net wrote:
On 5 Dec 2010 at 15:14, Fabian R. Breschi wrote:
On 12/ 4/10 02:42 PM, Fabian R. Breschi wrote:
Hello, I was trying to figure out how to overcome the not-supported native NFS service for non-global zones, any suggestions?
You can't.
Fine so, the only workaround, I guess, is to enable NFS shares from the global-zone pointing into the non-global zones shared dirs
Be careful. A zone should not NFS mount a directory from global zone (unsupported and could lead to a deadlock). You have to lofs mount.
A bit more clarity on that caution is due - this only applies to an NFS mount from the global zone on which the non-global zone is running. Further, I thought that this was an interaction between UFS and NFS that could cause a problem and that if the NFS share was coming from ZFS the problem didn't exist.
-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] zone cpu usage
On Mon, Nov 1, 2010 at 6:10 PM, Li, Andrew1 andrew1...@citi.com wrote:
Hi All, We're trying to work out why mpstat and ps -opcpu give some very different results. The server we're looking at is a zone, when we do something like ps -ef -o pcpu | awk '{t+=$1} END {print t}' and compare it to mpstat 1, they're very different. Here is one sample output.
    # ps -ef -o pcpu | awk '{t+=$1} END {print t}'
    10.2
    # mpstat 2
    CPU minf mjf xcal intr ithr  csw icsw migr smtx srw syscl usr sys wt idl
      0 6566   0 1958  427   43 1650  310  197   98   0 17080  40  43  0  16
      1 7424   0 1718 1669 1337 1784  356  197  112   0 15446  44  43  0  14
Output from ps is saying 10% of CPU is used, whereas mpstat is saying 15% CPU are idle. The figures are almost the inverse of each other. This is done on two separate terminals at the same time. The man page of ps on pcpu says: The ratio of CPU time used recently to CPU time available in the same period, expressed as a percentage. The meaning of ``recently'' in this context is unspecified. The CPU time available is determined in an unspecified manner. Does that mean pcpu is just some random numbers?!
Of course it isn't random - it's just weighted such that the most recent utilization counts a bit more than not so recent utilization. This is similar to the way that the load average works.
I had a quick look at the code in ps.c, looks like it's getting it from /proc into struct psinfo, but how are the values in psinfo calculated? Is mpstat zone aware or is it just reporting the stats from the global zone? Any pointers?
Rather than using ps, use prstat -mL. It, like mpstat, will report only the data from the given time interval. That is, it doesn't use time decayed values like ps (or prstat with default options). You may still see a difference in CPU utilization. If there are operations that are happening by kernel threads that aren't attached to an LWP they will not be observable with prstat or ps. The easiest way to start to get a feel for what is happening is with something like:
    # dtrace -n 'profile-997 / curthread->t_lwp == 0 / { @s[stack()] = count(); } tick-5s { trunc(@s,10) ; exit(0)}'
That is, 997 times per second it will look to see what is on each CPU. If it doesn't have an attached LWP, it adds the associated kernel thread's stack to the @s aggregation. After 5 seconds it trims off all but the most common 10 stacks from @s, then prints @s as it exits.
-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] installing packages in global zone
On Sat, Oct 16, 2010 at 6:54 PM, Pete Chan super_...@hotmail.com wrote:
Mike thanks for the quick response. It seems that it may be sufficient to add a read-only mount to each zone as you recommended. I'll give that a try. However, now I am curious to know why I don't get a value (true or false) when I run #pkgparam SOMEpackage. When I installed SOMEpackage in the Global I did NOT use the -G option. Based on what I read and your explanation below not having the -G option will automatically install SOMEpackage on all the non-global zones. Are you saying that the developer of SOMEpackage can opt out of entering true or false for SUNW_PKG_THISZONE? In which case that means that the default may be true (even though it's not explicit) and that's why SOMEpackage is not propagating to the non-global zones? I appreciate the help and explanations Mike.
By default packages will install into all non-global zones that are the native brand. That is, if SUNW_PKG_THISZONE is not set to true, it should install into all native brand (or unbranded, depending on vintage of the OS) zones. Expanding on the assumptions I made earlier... uname -sr in the global zone should say SunOS 5.10. It should say the same in each non-global zone. If you are using Solaris 8/9 Containers then the brand is not native, and the packages will not propagate. Likewise, on OpenSolaris (SunOS 5.11 after SXCE) any non-global zone you have is a non-native (e.g. ipkg, solaris10) branded zone.
-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] installing packages in global zone
This is probably better suited for zones-discuss than security-discuss. I've set the reply accordingly.
On Fri, Oct 15, 2010 at 3:02 PM, Pete Chan super_...@hotmail.com wrote:
hello, I am trying to figure out how to install a package in a global zone under /opt and be able to access the binaries of the package from a non-global zone. In other words the users of these packages do not have access to the global zone and only have access to the non-global. How do I propagate this installation to the non-global zone?
The answer varies depending on whether you are running Solaris 10 or OpenSolaris. I'll assume you are running Solaris 10 in my answer. When you run a command like pkgadd -d . SOMEpackage in the global zone, the default behavior is that the package will automatically be installed in all non-global zones as well. This behavior can be changed via the -G option to pkgadd, which will cause it to install only in the global zone. If the developer that created SOMEpackage put SUNW_PKG_THISZONE=true in the pkginfo file (SOMEpackage/pkginfo), then it will not automatically be installed in all of the non-global zones. In such a case, you will need to install the package in each zone individually. It may be sufficient to add a read-only lofs mount to each zone instead of installing it in all zones. That is,
    zonecfg -z zone1
    add fs
    set type=lofs
    set special=/opt/SOMEpackage
    set dir=/opt/SOMEpackage
    set options=ro
    end
    verify
    commit
    exit
Then reboot the zone or issue the appropriate mkdir and mount -F lofs -o ro ... commands to create the lofs mounts without rebooting. If you are on OpenSolaris (with the pkg command, not ancient SXCE which will act like Solaris 10) you will need to install the software in all zones that require it. The new way of doing things breaks the strong ties between software selection in the global zone and all non-global zones.
-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Need help on Solaris 10 LDoms; Hardware is T5140
On Thu, Sep 16, 2010 at 1:23 PM, Sanjay Akula sysadmin.ak...@gmail.com wrote:
Hi Users, I'm new to Solaris 10 LDoms, I need some help to configure T5140 server and have a couple Ldoms Virtual machines in it. Help me please...
Zones and LDoms are completely different. There is an ldoms list at ldoms-discuss. Since you haven't stated a specific problem, the most likely thing that people will do is point you at the documentation. A good starting point is: http://docs.sun.com/app/docs/coll/2502.2?l=en
-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] whole root not installed ?!?
On Sat, Jul 3, 2010 at 6:36 AM, Daniel Dinu daniel.d...@gmail.com wrote:
Hi guys, This is my version of Opensolaris: Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008 I have installed 2 zones on it:
    k...@opensolaris:~$ zoneadm list -cv
      ID NAME    STATUS   PATH         BRAND   IP
       0 global  running  /            native  shared
       4 zone1   running  /vol1/zone1  ipkg    shared
       5 zone2   running  /vol1/zone2  ipkg    shared
Filesystem used is zfs.
    k...@opensolaris:~$ zfs list
    NAME                       USED  AVAIL  REFER  MOUNTPOINT
    rpool                     4.79G  10.8G  81.5K  /rpool
    rpool/ROOT                3.31G  10.8G    19K  legacy
    rpool/ROOT/opensolaris    8.55M  10.8G  2.90G  /
    rpool/ROOT/opensolaris-1   776K  10.8G  2.89G  /
    rpool/ROOT/opensolaris-2  3.30G  10.8G  3.12G  /
    rpool/dump                 511M  10.8G   511M  -
    rpool/export              5.60M  10.8G    21K  /export
    rpool/export/home         5.58M  10.8G    21K  /export/home
    rpool/export/home/kido    5.56M  10.8G  5.56M  /export/home/kido
    rpool/exported              20K   100M    20K  /rpool/exported
    rpool/swap                 512M  11.2G   101M  -
    rpool/zone1                243M   257M    22K  /vol1/zone1
    rpool/zone1/ROOT           243M   257M    19K  legacy
    rpool/zone1/ROOT/zbe       243M   257M   243M  legacy
    rpool/zone2                242M  4.76G    22K  /vol1/zone2
    rpool/zone2/ROOT           242M  4.76G    19K  legacy
    rpool/zone2/ROOT/zbe       242M  4.76G   242M  legacy
zone1 is installed in /vol1/zone1 and zone2 in /vol1/zone2. zone1 was configured as a sparse root zone (I used create command). zone2 was configured as a whole root zone (I used create -b command). Still, the space used is the same for both zones, as depicted above. Of course, I expected that zone2 to use more space than zone1 (GB vs. MB).
Sparse root zones do not exist with OpenSolaris. When you use zonecfg's create (without -b), the file /etc/zones/SUNWdefault.xml is used as the initial configuration for the zone. With create -b, /etc/zones/SUNWblank.xml is used. On OpenSolaris, these files are the same because the new packaging system does not support sparse zones. In Solaris 10, SUNWdefault.xml listed /usr and several other directories as inherit-pkg-dir. Thus, the zones were sparse. SUNWblank.xml listed no inherit-pkg-dirs. Sparse zone support was just fully removed from the source: http://bugs.opensolaris.org/view_bug.do?bug_id=6939693 http://hg.genunix.org/onnv-gate.hg/rev/76969fc28795 In earlier days (such as a year ago when the release you are using was new), it seemed as though there was some interest in continuing to support sparse root zones with the ipkg brand (but no code released to support it). However, other factors have made sparse zones less important than they were 5+ years ago when Solaris 10 was released. Those that I have observed are
- The new packaging system tends to lead to smaller installations by default
- Typical hard drives are much larger
- ZFS compression and deduplication can reduce the disk usage
-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] whole root not installed ?!?
On Sat, Jul 3, 2010 at 7:35 AM, Daniel Dinu daniel.d...@gmail.com wrote:
Thank you so much for your answer! So, when I thought that I cannot install a whole root zone, in fact I had 2 already installed...that's funny :) I have to admit that I checked the files in /etc/zones and I was a little bit surprised by their (lack of) content regarding inherited dirs, but I thought this should be hard-coded somewhere else...whatever... Is this documented somewhere else, besides bugs.opensolaris.org? Cause I've read quite a few pages about zones before starting to install one, and I don't recall any mention of this...OK, I admit I didn't check bugs.opensolaris.org, but as a beginner I don't read the bugs database :)
Completely misleading information is available at http://hub.opensolaris.org/bin/view/Community+Group+zones/faq#HQWhatisaglobalzoneSparserootzoneWholerootzoneLocalzone. Note that it talks about Solaris 10 rather than OpenSolaris and is correct from the Solaris 10 perspective. I'm not aware of any docs that are correct from the OpenSolaris perspective.
-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Can a guest LDOM discover the identity of the host system?
On Fri, Jul 2, 2010 at 2:47 PM, Richard L. Hamilton rlha...@smart.net wrote:
That is...is there a mechanism provided to do this? As an afterthought, this also applies to non-global zones, although one can stick something in the oem-banner eeprom variable that is identically visible on all the zones, which is not the case on LDOMs.
In many environments, the lack of visibility of such detail is considered to be a good thing.
In many environments the lack of visibility equates to complexity. My workarounds and tricks are:
Zones: When building the zone, either copy /etc/nodename to $zonepath/root/etc/globalname or add an equivalent lofs mount (be sure to set as read-only...). If you build from a standard template, you can add an lofs mount to your template that would automatically perform the lofs mount of the global zone's /etc/nodename to the non-global zone's /etc/globalname.
LDoms: When building the ldom, use ldm set-variable to set nvramrc to have the same type of information that would be put in nvramrc by sneep. You should be sure that your migration process hooks into this to update it.
Domains on 12k/15k/20k/25k: Look at the output of ndd -get /dev/dman man_get_hostinfo. The SC's IP address will be available there. You can telnet or ssh to the SC from the domain (assuming you are running the default config).
Domains on M-Series: Look at the output of ifconfig sppp0. That will provide an IP address that you can use to log into the service processor to figure out which one it is.
For zones (after Solaris 10) and LDoms, I think it is quite feasible to set up an in the box only network where the .1 address would be the global zone or primary LDom. You could then have a very simple (internal) network facing service running on the global zone / primary ldom that spits out the nodename. Then, anyone in a non-global zone / guest LDom could simply connect to a well known port and read a line of text to get the name of the box where it is hosted.
-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] how dynamic is your zones network configuration?
On Sat, Jun 5, 2010 at 3:35 AM, Peter Tribble peter.trib...@gmail.com wrote:
On Fri, Jun 4, 2010 at 6:38 PM, Edward Pilatowicz edward.pilatow...@oracle.com wrote:
hey all, i had a quick questions for all the zones users out there. after you've configured and installed a zone with ip-type=shared (the default), how often do you change the network interfaces assigned to that zone via zonecfg(1m)? frequently? infrequently? never? only when moving from testing to production? etc...
Almost never. The only time I've ever done this was when a network interface on a machine failed and I had to use a different interface temporarily before the hardware was repaired. Mind you, I've always regarded it as a bug that you have to specify the physical interface in the configuration rather than just assigning an address and letting the system find the correct interface for you.
I'm with you on this. Since I wrote a tool to create and harden zones (analogous to zonemgr), I added logic for it to automatically select an appropriate interface. My implementation relies upon each interface being configured for IPMP with the IPMP group name set to the network number. Having this logic is very helpful when it comes time to migrate zones between machines - I don't have to worry about bge vs. e1000g, vs. ...
That's for physical interfaces; I occasionally have to add extra IP addresses to a zone, using ifconfig to add them on the fly and zonecfg so they stick at boot.
Wouldn't it be nice to have an option in zonecfg or zoneadm to apply the current configuration to the running zone? That could be used for adding/removing mounts, networks, resource controls, etc.
-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] zoneadm clone -m copy does not really copy on ZFS zonepath
On Tue, Feb 16, 2010 at 8:47 AM, Christine Tran christine.t...@gmail.com wrote:

On Sat, Feb 13, 2010 at 3:10 AM, Frank Batschulat (Home) frank.batschu...@sun.com wrote:

a '-x nodataset' option for 'clone' like in 'install' is unlikely going to happen, in fact I will remove the '-x nodataset' option for 'install' completely soon in OSOL build 135

PSARC 2010/008 Remove zoneadm install sub-option -x nodataset
http://opensolaris.org/jive/thread.jspa?messageID=448598

your ZFS problem is with 'move' ie. rename a file from one dataset to another while both datasets are still in the same pool ending up as a copy of the file because it crosses dataset ie. file system boundaries. there's a ZFS RFE open to improve that:

6483179 Provide an efficient way to rename a file to another dataset in same zpool
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6483179

6650426 RFE: support link(2) between ZFS filesystems
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6650426

Actually, this would be the 'proper' fix and will work for us. Do you know if there's priority to these two CRs? I will provide a business case write-up under another cover, if someone would like to add it to the CR. Meanwhile, I am stuck at U5, because as far as I can tell, U7 and U8 implements separate dataset per zone if it's on a ZFS. This completely breaks our application, which depended on the efficiency of mv within one filesystem.

Does the data really need to be under the zonepath? If you were to do something like:

    zfs create -o mountpoint=/stuff rpool/stuff
    mkdir /stuff/z1 /stuff/z2

    zonecfg -z z1
    add fs
    set dir=/stuff
    set special=/stuff/z1
    set options=rw
    end
    exit

    zonecfg -z z2
    add fs
    set dir=/stuff
    set special=/stuff/z2
    set options=rw
    end
    exit

Adjust paths as needed to fit your application. From the global zone, you should be able to mv /stuff/z1/* /stuff/z2/* efficiently.

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] zoneadm clone -m copy does not really copy on ZFS zonepath
On Tue, Feb 16, 2010 at 9:08 AM, Christine Tran christine.t...@gmail.com wrote:

Does the data really need to be under the zonepath? If you were to do something like:

    zfs create -o mountpoint=/stuff rpool/stuff
    mkdir /stuff/z1 /stuff/z2

    zonecfg -z z1
    add fs
    set dir=/stuff
    set special=/stuff/z1
    set options=rw
    end
    exit

    zonecfg -z z2
    add fs
    set dir=/stuff
    set special=/stuff/z2
    set options=rw
    end
    exit

Adjust paths as needed to fit your application. From the global zone, you should be able to mv /stuff/z1/* /stuff/z2/* efficiently.

I think I have tried something like this, basically pre-make the zonepath as directories before cloning the zone? It doesn't work. I end up getting a new dataset mounted on the directory I've created.

What I am suggesting is that there is another file system that is lofs mounted into each zone. Within z1 and z2 there are directories named /stuff that really come from rpool/stuff/{z1,z2}.

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] zoneadm clone -m copy does not really copy on ZFS zonepath
On Tue, Feb 16, 2010 at 12:21 PM, Glenn Faden glenn.fa...@sun.com wrote:

Mike Gerdts wrote:

On Tue, Feb 16, 2010 at 9:08 AM, Christine Tran christine.t...@gmail.com wrote:

Does the data really need to be under the zonepath? If you were to do something like:

    zfs create -o mountpoint=/stuff rpool/stuff
    mkdir /stuff/z1 /stuff/z2

    zonecfg -z z1
    add fs
    set dir=/stuff
    set special=/stuff/z1
    set options=rw
    end
    exit

    zonecfg -z z2
    add fs
    set dir=/stuff
    set special=/stuff/z2
    set options=rw
    end
    exit

Adjust paths as needed to fit your application. From the global zone, you should be able to mv /stuff/z1/* /stuff/z2/* efficiently.

I think I have tried something like this, basically pre-make the zonepath as directories before cloning the zone? It doesn't work. I end up getting a new dataset mounted on the directory I've created.

What I am suggesting is that there is another file system that is lofs mounted into each zone. Within z1 and z2 there are directories named /stuff that really come from rpool/stuff/{z1,z2}.

Mike,

Your suggestion isn't suitable for Trusted Extensions because it conflicts with the labeling policy for LOFS mounts. All such LOFS mounts are forced to be read-only. Only the owning zone is permitted write access, and the label reported for files under the mount point is the label of the owning zone. In your workaround, the owner would be the global zone. What Christine requires is that the files get properly labeled and that they are mounted read-write.

The fact that the functionality changed from U5 in such a way that prevents upgrading to U7 seems like a regression to me, and therefore is a bug that must be fixed.

--Glenn

I didn't realize that TX was involved. Perhaps hacking my previous suggestion (with zoneadm attach) into txzonemgr's clone() would be a workaround until the regression is fixed or cross-fs moves and links are supported in ZFS.

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] zoneadm clone -m copy does not really copy on ZFS zonepath
On Fri, Feb 12, 2010 at 4:47 PM, Christine Tran christine.t...@gmail.com wrote:

Hi, I'm sorry to bug the OpenSolaris for a question that pertains to S10U8, but I am really stuck. I am doing a zoneadm clone -m copy, and I do not want a new ZFS dataset even though my zonepath is on a ZFS filesystem, for performance reasons particular to how I am using my zones. Unfortunately, zoneadm clone just ignores the -m copy, and makes me a new ZFS filesystem anyway; and by the speed with which it finished, it certainly is a snapshot operation underneath. I have tested with making the source zone on a separate UFS, have pre-made a dirname under my ZFS filesystem as the zonepath, nothing works. I always get a new ZFS filesystem. I see that zoneadm install has an -x nodataset switch, I need this for zone clone as well. I have not seen this filed as a bug against S10, is there a work-around to get the behavior I want?

You can probably work around this by replacing

    zoneadm -z newzone clone -m copy master

With:

    # do this once
    zoneadm -z master halt
    zoneadm -z master detach
    cd $master_zonepath
    tar cf $dir/master.tar .
    zoneadm -z master attach

    # do this for each zone to create
    mkdir $newzone_zonepath
    cd $newzone_zonepath
    tar xpf $dir/master.tar
    zonecfg -z newzone create -a $newzone_zonepath
    zoneadm -z newzone attach
    zoneadm -z newzone boot -s
    zlogin newzone sys-unconfig
    zoneadm -z newzone boot
    zlogin -C newzone

You could certainly put the sys-unconfig before detaching the master zone and could put other steps before the multi-user boot of newzone to get a valid /etc/sysidcfg in place, thereby skipping the zlogin -C and interaction with sysidconfig.

This is sort of a big deal for our application. We use labeled zones, a file move within a filesystem has a different performance profile than a move from one filesystem to another filesystem, even within one ZFS pool. We are doing tens of thousands of move per minute.

CT

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] [zfs-discuss] Zones on shared storage - a warning
On Fri, Jan 8, 2010 at 6:55 AM, Darren J Moffat darr...@opensolaris.org wrote: Frank Batschulat (Home) wrote: This just can't be an accident, there must be some coincidence and thus there's a good chance that these CHKSUM errors must have a common source, either in ZFS or in NFS ? What are you using for on the wire protection with NFS ? Is it shared using krb5i or do you have IPsec configured ? If not I'd recommend trying one of those and see if your symptoms change. Shouldn't a scrub pick that up? Why would there be no errors from zoneadm install, which under the covers does a pkg image create followed by *multiple* pkg install invocations. No checksum errors pop up there. -- Mike Gerdts http://mgerdts.blogspot.com/ ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Zones on shared storage - a warning
...@opensolaris.org/msg33041.html

    # fmdump -eV | grep cksum_actual | sort | uniq -c | sort -n | tail
       2 cksum_actual = 0x14c538b06b6 0x2bb571a06ddb0 0x3e05a7c4ac90c62 0x290cbce13fc59dce *D
       3 cksum_actual = 0x175bb95fc00 0x1767673c6fe00 0xfa9df17c835400 0x7e0aef335f0c7f00 *E
       3 cksum_actual = 0x2eb772bf800 0x5d8641385fc00 0x7cf15b214fea800 0xd4f1025a8e66fe00 *B
       4 cksum_actual = 0x0 0x0 0x0 0x0
       4 cksum_actual = 0x1d32a7b7b00 0x248deaf977d80 0x1e8ea26c8a2e900 0x330107da7c4bcec0
       5 cksum_actual = 0x14b8f7afe6 0x915db8d7f87 0x205dc7979ad73 0x4e0b3a8747b8a8 *C
       6 cksum_actual = 0x1184cb07d00 0xd2c5aab5fe80 0x69ef5922233f00 0x280934efa6d20f40 *A
       6 cksum_actual = 0x348e6117700 0x765aa1a547b80 0xb1d6d98e59c3d00 0x89715e34fbf9cdc0 *F
      16 cksum_actual = 0xbaddcafe00 0x5dcc54647f00 0x1f82a459c2aa00 0x7f84b11b3fc7f80 *G
      48 cksum_actual = 0x5d6ee57f00 0x178a70d27f80 0x3fc19c3a19500 0x82804bc6ebcfc0

and observe that the values in 'chksum_actual' causing our CHKSUM pool errors eventually because of mismatching with what had been expected are the SAME ! for 2 totally different client systems and 2 different NFS servers (mine vrs. Mike's), see the entries marked with *A to *G.

This just can't be an accident, there must be some coincidence and thus there's a good chance that these CHKSUM errors must have a common source, either in ZFS or in NFS ?

You saved me so much time with this observation. Thank you!

-- Mike Gerdts http://mgerdts.blogspot.com/
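The cross-host comparison described in the quoted text, as an added example that is not part of the original messages: it counts `cksum_actual` values per host, as the `fmdump` pipeline does, and reports the values both hosts have in common. Both excerpts are constructed; the values marked *A and *G are taken from the listing above, while the other values, all counts and the function names are made up for illustration.

```python
"""Compare cksum_actual values from two hosts' `fmdump -eV` output (added example)."""
import re
from collections import Counter

# Four hex words on the same line as the cksum_actual key.
CKSUM_RE = re.compile(r"cksum_actual[ \t]*=[ \t]*((?:0x[0-9a-fA-F]+[ \t]*){4})")

# Constructed excerpt for host A (values *G and *A come from the thread).
HOST_A_EREPORTS = """
class = ereport.fs.zfs.checksum
    cksum_actual = 0xbaddcafe00 0x5dcc54647f00 0x1f82a459c2aa00 0x7f84b11b3fc7f80
    cksum_actual = 0xbaddcafe00 0x5dcc54647f00 0x1f82a459c2aa00 0x7f84b11b3fc7f80
    cksum_actual = 0xbaddcafe00 0x5dcc54647f00 0x1f82a459c2aa00 0x7f84b11b3fc7f80
    cksum_actual = 0x1184cb07d00 0xd2c5aab5fe80 0x69ef5922233f00 0x280934efa6d20f40
    cksum_actual = 0x1184cb07d00 0xd2c5aab5fe80 0x69ef5922233f00 0x280934efa6d20f40
    cksum_actual = 0x0 0x0 0x0 0x0
    cksum_actual = 0x1111 0x2222 0x3333 0x4444
"""

# Constructed excerpt for host B; upper-case hex shows why values are normalized.
HOST_B_EREPORTS = """
class = ereport.fs.zfs.checksum
    cksum_actual = 0xBADDCAFE00 0x5DCC54647F00 0x1F82A459C2AA00 0x7F84B11B3FC7F80
    cksum_actual = 0xbaddcafe00 0x5dcc54647f00 0x1f82a459c2aa00 0x7f84b11b3fc7f80
    cksum_actual = 0x1184cb07d00 0xd2c5aab5fe80 0x69ef5922233f00 0x280934efa6d20f40
    cksum_actual = 0x0 0x0 0x0 0x0
    cksum_actual = 0x0 0x0 0x0 0x0
    cksum_actual = 0xaaaa 0xbbbb 0xcccc 0xdddd
"""


def count_cksum_actual(fmdump_text):
    """Return a Counter keyed by the four checksum words, parsed as integers."""
    counts = Counter()
    for match in CKSUM_RE.finditer(fmdump_text):
        words = tuple(int(word, 16) for word in match.group(1).split())
        counts[words] += 1
    return counts


def format_words(words):
    """Render a checksum tuple the way fmdump prints it."""
    return " ".join(hex(word) for word in words)


def compare_hosts(text_a, text_b):
    """Report checksum values seen on both hosts and how many events they cover."""
    a, b = count_cksum_actual(text_a), count_cksum_actual(text_b)
    common = sorted(set(a) & set(b), key=lambda w: (-(a[w] + b[w]), w))
    shared = [(format_words(w), a[w], b[w]) for w in common]
    total_a, total_b = sum(a.values()), sum(b.values())
    return {
        "shared": shared,
        # Fraction of each host's checksum events whose value also occurs on the other host.
        "a_explained": sum(a[w] for w in common) / total_a if total_a else 0.0,
        "b_explained": sum(b[w] for w in common) / total_b if total_b else 0.0,
    }


if __name__ == "__main__":
    report = compare_hosts(HOST_A_EREPORTS, HOST_B_EREPORTS)
    for value, count_a, count_b in report["shared"]:
        print("%4d %4d  %s" % (count_a, count_b, value))
    print("host A explained: %.0f%%" % (100 * report["a_explained"]))
    print("host B explained: %.0f%%" % (100 * report["b_explained"]))
```

A high shared fraction across unrelated clients and servers is what pointed the thread toward a common source rather than a single faulty host.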
Re: [zones-discuss] Zones on shared storage - a warning
On Fri, Jan 8, 2010 at 9:11 AM, Mike Gerdts mger...@gmail.com wrote: I've seen similar errors on Solaris 10 in the primary domain and on a M4000. Unfortunately Solaris 10 doesn't show the checksums in the ereport. There I noticed a mixture between read errors and checksum errors - and lots more of them. This could be because the S10 zone was a full root SUNWCXall compared to the much smaller default ipkg branded zone. On the primary domain running Solaris 10... I've written a dtrace script to get the checksums on Solaris 10. Here's what I see with NFSv3 on Solaris 10. # zoneadm -z zone1 halt ; zpool export pool1 ; zpool import -d /mnt/pool1 pool1 ; zoneadm -z zone1 boot ; sleep 30 ; pkill dtrace # ./zfs_bad_cksum.d Tracing... dtrace: error on enabled probe ID 9 (ID 43443: fbt:zfs:zio_checksum_error:return): invalid address (0x301b363a000) in action #4 at DIF offset 20 dtrace: error on enabled probe ID 9 (ID 43443: fbt:zfs:zio_checksum_error:return): invalid address (0x3037f746000) in action #4 at DIF offset 20 cccdtrace: error on enabled probe ID 9 (ID 43443: fbt:zfs:zio_checksum_error:return): invalid address (0x3026e7b) in action #4 at DIF offset 20 cc Checksum errors: 3 : 0x130e01011103 0x20108 0x0 0x400 (fletcher_4_native) 3 : 0x220125cd8000 0x62425980c08 0x16630c08296c490c 0x82b320c082aef0c (fletcher_4_native) 3 : 0x2f2a0a202a20436f 0x7079726967687420 0x2863292032303031 0x2062792053756e20 (fletcher_4_native) 3 : 0x3c21444f43545950 0x452048544d4c2050 0x55424c494320222d 0x2f2f5733432f2f44 (fletcher_4_native) 3 : 0x6005a8389144 0xc2080e6405c200b6 0x960093d40800 0x9eea007b9800019c (fletcher_4_native) 3 : 0xac044a6903d00163 0xa138c8003446 0x3f2cd1e100b10009 0xa37af9b5ef166104 (fletcher_4_native) 3 : 0xbaddcafebaddcafe 0xc 0x0 0x0 (fletcher_4_native) 3 : 0xc4025608801500ff 0x1018500704528210 0x190103e50066 0xc34b90001238f900 (fletcher_4_native) 3 : 0xfe00fc01fc42fc42 0xfc42fc42fc42fc42 0xfffc42fc42fc42fc 0x42fc42fc42fc42fc (fletcher_4_native) 4 : 0x4b2a460a 0x0 
0x4b2a460a 0x0 (fletcher_4_native) 4 : 0xc00589b159a00 0x543008a05b673 0x124b60078d5be 0xe3002b2a0b605fb3 (fletcher_4_native) 4 : 0x130e010111 0x32000b301080034 0x10166cb34125410 0xb30c19ca9e0c0860 (fletcher_4_native) 4 : 0x130e010111 0x3a201080038 0x104381285501102 0x418016996320408 (fletcher_4_native) 4 : 0x130e010111 0x3a201080038 0x1043812c5501102 0x81802325c080864 (fletcher_4_native) 4 : 0x130e010111 0x3a0001c01080038 0x1383812c550111c 0x818975698080864 (fletcher_4_native) 4 : 0x1f81442e9241000 0x2002560880154c00 0xff10185007528210 0x19010003e566 (fletcher_4_native) 5 : 0xbab10c 0xf 0x53ae 0xdd549ae39aa1ba20 (fletcher_4_native) 5 : 0x130e010111 0x3ab01080038 0x1163812c550110b 0x8180a7793080864 (fletcher_4_native) 5 : 0x61626300 0x0 0x0 0x0 (fletcher_4_native) 5 : 0x8003 0x3df0d6a1 0x0 0x0 (fletcher_4_native) 6 : 0xbab10c 0xf 0x5384 0xdd549ae39aa1ba20 (fletcher_4_native) 7 : 0xbab10c 0xf 0x0 0x9af5e5f61ca2e28e (fletcher_4_native) 7 : 0x130e010111 0x3a201080038 0x104381265501102 0xc18c7210c086006 (fletcher_4_native) 7 : 0x275c222074650a2e 0x5c222020436f7079 0x7269676874203139 0x38392041540a2e5c (fletcher_4_native) 8 : 0x130e010111 0x3a0003101080038 0x1623812c5501131 0x8187f66a4080864 (fletcher_4_native) 9 : 0x8a000801010c0682 0x2eed0809c1640513 0x70200ff00026424 0x18001d16101f0059 (fletcher_4_native) 12 : 0xbab10c 0xf 0x0 0x45a9e1fc57ca2aa8 (fletcher_4_native) 30 : 0xbaddcafebaddcafe 0xbaddcafebaddcafe 0xbaddcafebaddcafe 0xbaddcafebaddcafe (fletcher_4_native) 47 : 0x0 0x0 0x0 0x0 (fletcher_4_native) 92 : 0x130e01011103 0x10108 0x0 0x200 (fletcher_4_native) Since I had to guess at what the Solaris 10 source looks like, some extra eyeballs on the dtrace script is in order. Mike -- Mike Gerdts http://mgerdts.blogspot.com/ zfs_bad_cksum.d Description: Binary data ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] How should max-swap be used?
On Thu, Dec 31, 2009 at 10:13 AM, Philip philip.l.nel...@nasa.gov wrote:

I have been unable to determine whether or not the max-swap resource control refers only to on-disk swap or to physical memory plus on disk swap. In short, if I wanted a container to have access to 1gb of physical memory plus 1gb of on-disk swap, would the following configuration do the job?

    capped-memory:
        physical: 1G
        [swap: 1G]

Oddly enough, swap in Solaris tends to have very little to do with swap devices, other than when you are just about to start complaining about really bad performance. To get the behavior you intend, you need to set swap to 2G and physical to 1G. (I say intend, because I really doubt that anyone would really want to page or swap 1 GB to swap devices.)

I've tried to explain this a few times before...

http://opensolaris.org/jive/thread.jspa?messageID=255547
http://opensolaris.org/jive/thread.jspa?messageID=174225
http://mail.opensolaris.org/pipermail/zones-discuss/2008-September/004251.html

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Zone and Apache 2.2
On Sun, Dec 27, 2009 at 9:35 PM, godefroy montegommery dunkell...@hotmail.com wrote:

Hi, I hope it is the correct place to post this. I have created a zone to run Apache 2 on it. After having installed the packages for apache, I have tried to start it, without any success :

    r...@zoneapache:/usr/apache2/2.2/bin# ./apachectl start
    r...@zoneapache:/usr/apache2/2.2/bin# ./apachectl stop
    httpd (no pid file) not running

Here is what i found in the error log :

    r...@zoneapache:/var/apache2/2.2/logs# cat error_log
    [Sun Dec 27 18:45:21 2009] [alert] (EAI 8)node name or service name not known: mod_unique_id: unable to find IPv4 address of zoneApache
    Configuration Failed

What could be the cause of this error?

Looks to me like something in mod_unique_id.so is calling gethostbyname() to find the IP address or fully qualified name for zoneApache. My guess is that if you try getent hosts zoneApache it will return nothing, suggesting a DNS or /etc/{hosts,nsswitch.conf,resolv.conf} configuration problem. Do your debugging in the zone, not in the global zone.

-- Mike Gerdts http://mgerdts.blogspot.com/
[zones-discuss] Zones on shared storage - a warning
I've been playing around with zones on NFS a bit and have run into what looks to be a pretty bad snag - ZFS keeps seeing read and/or checksum errors. This exists with S10u8 and OpenSolaris dev build snv_129. This is likely a blocker for anything thinking of implementing parts of Ed's Zones on Shared Storage:

http://hub.opensolaris.org/bin/view/Community+Group+zones/zoss

The OpenSolaris example appears below. The order of events is:

1) Create a file on NFS, turn it into a zpool
2) Configure a zone with the pool as zonepath
3) Install the zone, verify that the pool is healthy
4) Boot the zone, observe that the pool is sick

    r...@soltrain19# mount filer:/path /mnt
    r...@soltrain19# cd /mnt
    r...@soltrain19# mkdir osolzone
    r...@soltrain19# mkfile -n 8g root
    r...@soltrain19# zpool create -m /zones/osol osol /mnt/osolzone/root
    r...@soltrain19# zonecfg -z osol
    osol: No such zone configured
    Use 'create' to begin configuring a new zone.
    zonecfg:osol> create
    zonecfg:osol> info
    zonename: osol
    zonepath:
    brand: ipkg
    autoboot: false
    bootargs:
    pool:
    limitpriv:
    scheduling-class:
    ip-type: shared
    hostid:
    zonecfg:osol> set zonepath=/zones/osol
    zonecfg:osol> set autoboot=false
    zonecfg:osol> verify
    zonecfg:osol> commit
    zonecfg:osol> exit
    r...@soltrain19# chmod 700 /zones/osol
    r...@soltrain19# zoneadm -z osol install
    Publisher: Using opensolaris.org (http://pkg.opensolaris.org/dev/ http://pkg-na-2.opensolaris.org/dev/).
    Publisher: Using contrib (http://pkg.opensolaris.org/contrib/).
    Image: Preparing at /zones/osol/root.
    Cache: Using /var/pkg/download.
    Sanity Check: Looking for 'entire' incorporation.
    Installing: Core System (output follows)
    DOWNLOAD       PKGS         FILES    XFER (MB)
    Completed     46/46   12334/12334    93.1/93.1
    PHASE          ACTIONS
    Install Phase  18277/18277
    No updates necessary for this image.
    Installing: Additional Packages (output follows)
    DOWNLOAD       PKGS         FILES    XFER (MB)
    Completed     36/36     3339/3339    21.3/21.3
    PHASE          ACTIONS
    Install Phase  4466/4466
    Note: Man pages can be obtained by installing SUNWman
    Postinstall: Copying SMF seed repository ... done.
    Postinstall: Applying workarounds.
    Done: Installation completed in 2139.186 seconds.
    Next Steps: Boot the zone, then log into the zone console (zlogin -C) to complete the configuration process.

6.3 Boot the OpenSolaris zone

    r...@soltrain19# zpool status osol
      pool: osol
     state: ONLINE
     scrub: none requested
    config:
            NAME                  STATE     READ WRITE CKSUM
            osol                  ONLINE       0     0     0
              /mnt/osolzone/root  ONLINE       0     0     0
    errors: No known data errors
    r...@soltrain19# zoneadm -z osol boot
    r...@soltrain19# zpool status osol
      pool: osol
     state: DEGRADED
    status: One or more devices has experienced an unrecoverable error. An attempt was made to correct the error. Applications are unaffected.
    action: Determine if the device needs to be replaced, and clear the errors using 'zpool clear' or replace the device with 'zpool replace'.
       see: http://www.sun.com/msg/ZFS-8000-9P
     scrub: none requested
    config:
            NAME                  STATE     READ WRITE CKSUM
            osol                  DEGRADED     0     0     0
              /mnt/osolzone/root  DEGRADED     0     0   117  too many errors
    errors: No known data errors
    r...@soltrain19# zlogin osol uptime
    5:31pm up 1 min(s), 0 users, load average: 0.69, 0.38, 0.52

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Zones on shared storage - a warning
On Tue, Dec 22, 2009 at 8:02 PM, Mike Gerdts mger...@gmail.com wrote: I've been playing around with zones on NFS a bit and have run into what looks to be a pretty bad snag - ZFS keeps seeing read and/or checksum errors. This exists with S10u8 and OpenSolaris dev build snv_129. This is likely a blocker for anything thinking of implementing parts of Ed's Zones on Shared Storage: http://hub.opensolaris.org/bin/view/Community+Group+zones/zoss The OpenSolaris example appears below. The order of events is: 1) Create a file on NFS, turn it into a zpool 2) Configure a zone with the pool as zonepath 3) Install the zone, verify that the pool is healthy 4) Boot the zone, observe that the pool is sick [snip] An off list conversation and a bit of digging into other tests I have done shows that this is likely limited to NFSv3. I cannot say that this problem has been seen with NFSv4. -- Mike Gerdts http://mgerdts.blogspot.com/ ___ zones-discuss mailing list zones-discuss@opensolaris.org
[zones-discuss] Alias delegated data sets
I've been thinking about how to manage delegated datasets in zones and I keep thinking that it would be a good idea to allow datasets to be aliased. As I've been looking at Ops Center 2.5, I see that zpools that it creates are named by UUID (ugh!).

    # zonecfg -z soltrain3 info zonepath
    zonepath: /var/mnt/oc-zpools/7ab867cb-fd95-49a3-a305-398b194c6537/e173fecb-13a7-4223-ad5e-dc629648e7c8

While a UUID as a zpool name is an extreme example, I would like to hide the overall storage hierarchy[1] chosen by the global zone administrator from the non-global zone administrator. The suggested interface change to zonecfg would be:

    # zonecfg -z soltrain3
    zonecfg:soltrain3> add dataset
    zonecfg:soltrain3:dataset> set name=z7ab867cb-fd95-49a3-a305-398b194c6537/delegated
    zonecfg:soltrain3:dataset> set alias=tank

Then within the zone, the administrator would do operations like:

    # zfs create -o mountpoint=/myapp tank/myapp

There would need to be corresponding changes in the kernel[2] to do this translation. Not only would this affect the usage and output of zfs(1M) but also the contents of /etc/mnttab to indirectly affect df.

Are there reasons why this would be a bad idea? Are there better ideas waiting in the wings?

1. Suppose in one architecture there is one zpool for the entire system, shared by all zones. In another, there is a zpool per zone, and in yet another there is a zpool for the stuff that belongs to the sysadmin and one that belongs to the application admin. Over time there may be a migration from one to the next. I'd like such global zone administrative decisions to be hidden from the non-global zone admin.

2. Assuming complete hiding and userland portions of zfs(1M) would not have access to data required to do mapping.

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] s10 p2v
On Tue, Nov 24, 2009 at 6:41 AM, Dr. Hung-Sheng Tsao hung-sheng.t...@sun.com wrote:

hi Is there p2v in s10 to move from physical host to zone env? It seems that cpio of the apps directory should work regards

That general mechanism works for p2v regardless if the source is a Solaris 10 or Solaris 2.6. The key things to watch out for are:

- be sure the app doesn't need anything that doesn't work in the zone (kernel modules, NFS serving, etc.)
- watch out for customizations to editable files that are part of Solaris. That is, be sure that the required entries from /etc/passwd and others are brought over. If package selection or patch level is different between the source and destination, simply copying these files is not safe - a merge is required.
- newer releases of Solaris tend to run fewer services. If the application has some dependency on telnet into the box working, you may need to enable this on the destination.

Key helpers in this process are:

- the /var/sadm/install/contents file. It will tell you what was installed by packages.
- the output of pkginfo. Compare it to the packages that existed on the media for the source machine. If you can't account for some of the packages there, you may need to find third party sysv packages to install.

Going forward, I suggest using separate file systems for application data. That is, don't put applications in the root or zone root file system. This simplifies the process of a similar migration next time.

The way things look right now, I think that you will need to do a v2p (inverse of p2v) to create something that looks like a S10 global zone to use S10 Containers on OpenSolaris, or if you decide to transition to a global zone in LDoms, Xen, VMware, etc.

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Deduplicated zones
On Sat, Nov 21, 2009 at 10:45 AM, Henrik Johansson henr...@henkis.net wrote: Hi all, If anyone is interested or have comments. I did a very quick test with zones on a deduped zpool and the footprint seems quite low, a little over 10MB per zone after the initial for OSOL default installed zone. http://sparcv9.blogspot.com/2009/11/dedupliation-with-zones.html (I know the spelling is wrong in the URL, not trivial to change without making a new post thought) Regards Henrik http://sparcv9.blogspot.com The last time that I played with zones on OpenSolaris, the set of software installed was small enough to not be terribly useful. I expect that as the size of the zone grows to accommodate a useful set of software, the dedup ratio will be even more favorable. About a year ago I was looking into how much duplicate data there is in Solaris 10 zones that had been live anywhere between a day and 18 months. The majority were sparse root zones, with a 500 MB soft partition allocated as the zone path. Any whole root zones were created in a similar manner with a zone path of 4 - 8 GB. I assumed that the deduplication would be done at a 4 KB block size (ASIS on NetApp) and as such calculated the md5 hash of each 4 KB block then analyzed from there. I believe the sample size was around 120 zones. What I found was that there was that deduplication would be likely to reduce storage needs for zone roots by 75%. In other words, sort -u md5list | wc -l was 25% of wc -l md5list. This number would surely go up if the zones were full root zones or if the file system would rewrite empty blocks with a consistent pattern (e.g. write 0's over empty blocks). In my case the vast majority of application binaries and data were not in the sample as they are stored in file systems other than the zonepath. -- Mike Gerdts http://mgerdts.blogspot.com/ ___ zones-discuss mailing list zones-discuss@opensolaris.org
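The block-hash estimate described in this message, as an added example that is not code from the original post: it hashes every 4 KB block under a directory tree and compares unique blocks to total blocks, the same ratio as `sort -u md5list | wc -l` over `wc -l md5list`. The function names and the sample tree are constructed for illustration, and reading regular files instead of the raw soft partition is an assumption of this sketch.

```python
"""Estimate block-level dedup savings by hashing fixed-size blocks (added example)."""
import hashlib
import os
import shutil
import tempfile

BLOCK_SIZE = 4096  # 4 KB block size, as assumed in the post


def iter_blocks(path, block_size=BLOCK_SIZE):
    """Yield the file's blocks; a short final block is zero-padded to full size."""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(block_size)
            if not block:
                return
            yield block.ljust(block_size, b"\0")


def dedup_stats(root, block_size=BLOCK_SIZE):
    """Hash every block under root; return total, unique and all-zero block counts."""
    zero_digest = hashlib.md5(b"\0" * block_size).digest()
    total = 0
    zero_blocks = 0
    unique = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            # Only regular file data counts; skip symlinks, devices and sockets.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            for block in iter_blocks(path, block_size):
                # MD5 is used as a content fingerprint, as in the post.
                digest = hashlib.md5(block).digest()
                total += 1
                if digest == zero_digest:
                    zero_blocks += 1
                unique.add(digest)
    savings = 1.0 - len(unique) / total if total else 0.0
    return {"total_blocks": total, "unique_blocks": len(unique),
            "zero_blocks": zero_blocks, "savings": savings}


def build_constructed_zone_roots(base, zones):
    """Constructed sample: identical binaries in every zone plus per-zone files."""
    shared_binary = b"".join(bytes([i]) * BLOCK_SIZE for i in range(1, 13))
    for index in range(zones):
        zroot = os.path.join(base, "zone%d" % index, "root")
        for sub in ("usr", "etc", "var"):
            os.makedirs(os.path.join(zroot, sub))
        with open(os.path.join(zroot, "usr", "app.bin"), "wb") as fh:
            fh.write(shared_binary)            # 12 blocks, same in every zone
        with open(os.path.join(zroot, "var", "empty.img"), "wb") as fh:
            fh.write(b"\0" * 2 * BLOCK_SIZE)   # 2 all-zero blocks
        with open(os.path.join(zroot, "etc", "nodename"), "wb") as fh:
            fh.write(("zone%d\n" % index).encode())  # 1 block unique to the zone


def demo(zones=4):
    """Build the constructed tree in a temporary directory and measure it."""
    base = tempfile.mkdtemp(prefix="zoneroots-")
    try:
        build_constructed_zone_roots(base, zones)
        return dedup_stats(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    stats = demo()
    print("%(unique_blocks)d unique of %(total_blocks)d blocks, "
          "%(zero_blocks)d all-zero" % stats)
    print("estimated savings: %.0f%%" % (100 * stats["savings"]))
```

The zero-block count shows how much of the saving depends on empty blocks carrying a consistent pattern, the effect the message mentions for file systems that rewrite free space.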
[zones-discuss] Uninheriting a directory
Suppose I have some (SXCE, S10) zones with /opt in the inherit-pkg-dir list and I want to have that no longer be the case. It seems to me that I could do:

    zonecfg -z optzone
        create -t badzone
        set zonepath=/zones/optzone
        remove inherit-pkg-dir dir=/opt
    zoneadm -z optzone install
    zoneadm -z badzone halt
    cd /zones/optzone/root
    find opt | cpio -pdump@ /zones/badzone/root
    vi /etc/zones/badzone.xml (remove inherit-pkg-dir for /opt line)
    zoneadm -z badzone boot

I know that it is unsupported. Experimentation suggests that it works. What thorny issues exist (aside from resources priorities) that make it so that something like this isn't supported?

FWIW, I suspect that the real implementation would probably be more like:

    zoneadm -z badzone detach
    zoneadm -z badzone attach -u --uninherit /opt

Where a single letter option would be added instead of --uninherit.

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] how to have zones with a different solaris 10 version than the host
On Mon, Nov 9, 2009 at 2:39 PM, Thomas Elsgaard thomas.elsga...@gmail.com wrote: Hi Guys I have 2 SUN sparc machines that i would like to consolidate to one machine using the zone/container concept, but the application requires a different version of solaris 10 than the one installed on the host server, how can i handle this? Application requires: Solaris 10 10/08 Is this a hard requirement, or must be at least ... requirement? Are you ever able to apply patches on top of Solaris 10 10/08? For the vast majority of applications, Solaris 10 10/08 + a bunch of patches is indistinguishable from Solaris 10 5/09. Any application that has a hard requirement for Solaris 10 10/08 (without any patches, updates, or upgrades) is not an application you can afford to have attached to a machine attached to the network. And my host machine where i would like to have the applications to run in a zone is running Solaris 10 5/09 Is there anyway that i can have a zone runing 10 10/08 on the global zone where the server is running 10 5/09 ? and how is this done? My guess is that the right way forward for you is to install a box with Solaris 10 10/09 on a box, then use update on attach to migrate your 10 10/08 and 10 5/09 boxes to the current release that is all patched up (minus a late breaking Sun Alert or two). Others have mentioned using the S10 brand that is part of an upcoming OpenSolaris release. I think that I read that this is first supported with Solaris 10 10/09, so it would be of no use to you. LDoms would likely work just fine, but you should consider whether there is really a significant difference between Solaris 10 10/08 + patches to address reliability and security issues compared to Solaris 10 10/09. -- Mike Gerdts http://mgerdts.blogspot.com/ ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Jumstart server in non-global zone
On Sat, Oct 17, 2009 at 2:08 AM, Bernd Schemmer bernd.schem...@gmx.de wrote: So I just need DHCP server and TFTP server run in non-global zone and share images in global zone via NFS, right? I can create/edit client macro and point it to download image from global zone. Yes, I'm not sure if the DHCP Server and TFTP server can work with the shared IP stack -- in my environment I created one zone with a exlusive NIC for the DHCP and TFTP server. I use a virtual NIC for this. This can be done with a shared stack as well. http://mail.opensolaris.org/pipermail/install-discuss/2007-March/001838.html -- Mike Gerdts http://mgerdts.blogspot.com/ ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] How to enable a service of a zone that is not running...
On Sun, Sep 27, 2009 at 10:50 AM, Brad Diggs bradley.di...@sun.com wrote:

I would like to svcadm enable a service of a non-global zone whose state is not 'running'. Is that possible? If so, how? Thanks in advance, Brad

Brad Diggs Principal Field Technologist

You can cause it to become enabled on the next boot with:

    echo svcadm enable $fmri >> $zonepath/root/var/svc/profile/upgrade

This will get processed when manifest-import runs early in the zone boot process. I'm not so sure that this is considered to be an interface, so it may break at any time. It is probably best to ask on smf-discuss if you care about the stability of this mechanism.

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Defaultrouter problem?
On Sun, Sep 27, 2009 at 1:18 PM, James Carlson carls...@workingcode.com wrote:

Stefano Pini wrote:

The steps above configure perfectly all the 9 NGZ and they run well. The problem is on the Global Zone: the clients that use GZ to manage the system get disconnected regularly or sometimes can't connect! When that happens, trying traceroute to clients from GZ console seems that it uses a bad defrouter, the one on another vlan, not the right one!!! (for example 10.1.117.254 on bge17000 instead of 10.1.115.254 on bge15000)

When you're in the global zone, all of those interfaces, subnets and default routes are the same. There's no special one reserved only for the global zone's use. The global zone can (and will!) use any of them. If they're not actually usable by the global zone, then you've got a problem. Possible solutions include:

- Use exclusive stack zones instead. If you do that, though, you won't be able to have groups of zones sharing a single interface. (You could do something like this with VNICs, but not on S10, as S10 doesn't have those.)
- Direct the traffic originating from the global zone using IP Filter. You could filter based on source address and use the on keyword to direct that traffic to go out via a particular interface, just as your desired default route would do (if it worked).
- Stop using default routes, and use network specific routes. If the networks that the global zone must reach are distinct from the ones that the non-global zones must reach, then you should be able to come up with a set of routes that will direct traffic appropriately based on remote address. (A routing protocol may help.)
- Modify your default routers so that they know how to deal with traffic from the global zone.

The standard deployment mechanism that I have been using for 3+ years involves having the global zone and non-global zones on different subnets. In my case, I use link-based IPMP and as such there are no global zone interfaces that are up on the networks that the global zone is not supposed to use. I have had absolutely no problems like those described by Stefano with this configuration, despite having a sizable deployment. As such, I know that either there is a workable configuration or there is a regression.

Note that I have had problems with this configuration WRT zone interfaces becoming the primary(? - that is, not a virtual) IP on a given NIC. Those problems should no longer be a problem. Also, prior to the defaultrouter property on zone network interfaces, it also required some customization to the zone boot process such that after the first zone on a network plumbed its address, I would then have to add the new default route.

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Per-zone CPU Usage Reporting?
On Fri, Sep 18, 2009 at 8:30 AM, Mads Toftum m...@toftum.dk wrote: On Fri, Sep 18, 2009 at 09:27:54AM -0400, Jeff Victor wrote: Has anyone written a tool to provide per-zone reporting of CPU usage - that can be shared? I know someone who wants to do this. There's http://asyd.net/home/projects/zonestats vh Mads Toftum The approach used there and by prstat -Z will miss all short-running programs. If you don't have many short running processes, this is not a big deal. However, if you have a print server, software builds, and sometimes misbehaving applications, such approaches miss the bulk of the workload. I've solved this, but in code I sadly can't share. All the info needed to recreate it is linked from: http://www.opensolaris.org/jive/thread.jspa?threadID=82217#306092 -- Mike Gerdts http://mgerdts.blogspot.com/ ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Zones patching issues using attach -u
On Tue, Sep 15, 2009 at 2:02 PM, Jerry Jelinek gerald.jeli...@sun.com wrote:
> Gael wrote:
>> Hello
>>
>> I have been experimenting with a few ways to speed up patching a bunch of machines running whole zones (parallel patching, zoneadm attach -u). I have encountered one issue with the attach -u way... Before initiating a case with Sun, I was wondering if it was a well known issue...
>>
>> The GZ is initially running Solaris 10 U6 with kernel patch 13-08 (and other patches from the same period). I start by applying 119254-70, 119313-28 and 12-05 while the machine is in multiuser mode, then I shutdown and detach the zones. I bring back the machine in single user mode and apply a collection of about 190 patches (smpatch analyze output from a few days ago) which brings the machine at the kernel version 141414-10.
>>
>> The patching appears to go fine for the GZ
>>
>> apss8003:/var/sadm/patch #pkginfo -p
>> apss8003:/var/sadm/patch #
>>
>> But when zoneadm attaching -u the zones, pkginfo reports multiple partially failing packages adds ...
>>
>> apss8003:/var/sadm/patch #zlogin test pkginfo -p
>> system SUNWcsr Core Solaris, (Root)
>> system SUNWgssc GSSAPI CONFIG V2
>> system SUNWkrbr Kerberos version 5 support (Root)
>> system SUNWntpr NTP, (Root)
>> system SUNWppror PatchPro core functionality (Root)
>> system SUNWsacom Solstice Enterprise Agents 1.0.3 files for root file system
>>
>> # cat /zones/test/root//var/sadm/system/logs/update_log | egrep partially|corrupt|pathname does not exist|
>> = SUNWcsr
>> pkgadd: ERROR: source path /var/sadm/pkg/SUNWcsr/save/pspool/SUNWcsr/reloc/var/svc/manifest/network/ldap/client.xml is corrupt
>> pathname does not exist
>> Installation of SUNWcsr on zone test partially failed.
>> = SUNWgssc
>> pkgadd: ERROR: source path /var/sadm/pkg/SUNWgssc/save/pspool/SUNWgssc/reloc/var/svc/manifest/network/rpc/gss.xml is corrupt
>> pathname does not exist
>> Installation of SUNWgssc on zone test partially failed.
>> = SUNWkrbr
>> pkgadd: ERROR: source path /var/sadm/pkg/SUNWkrbr/save/pspool/SUNWkrbr/reloc/var/svc/manifest/network/security/kadmin.xml is corrupt
>> pathname does not exist
>> Installation of SUNWkrbr on zone test partially failed.
>> = SUNWntpr
>> pkgadd: ERROR: source path /var/sadm/pkg/SUNWntpr/save/pspool/SUNWntpr/reloc/var/svc/manifest/network/ntp.xml is corrupt
>> pathname does not exist
>> Installation of SUNWntpr on zone test partially failed.
>> = SUNWppror
>> pkgadd: ERROR: source path /var/sadm/pkg/SUNWppror/save/pspool/SUNWppror/reloc/var/svc/manifest/system/installupdates.xml is corrupt
>> pathname does not exist
>> Installation of SUNWppror on zone test partially failed
>> = SUNWsacom
>> pkgadd: ERROR: source path /var/sadm/pkg/SUNWsacom/save/pspool/SUNWsacom/reloc/var/svc/manifest/application/management/snmpdx.xml is corrupt
>> pathname does not exist
>> Installation of SUNWsacom on zone test partially failed.
>>
>> If creating a new zone after the patching, there are no partial packages in that newly built zone. The patch list being a little bit lengthy, I can send it privately when asked...
>
> This is bug:
>
> 6857294 zoneadm attach leads to partially installed packages
>
> I believe a T patch might be available for the S10 SVr4 packaging code if you need it, but I see that the fix has not yet been integrated into the nv SVr4 packaging code. It is scheduled for b124.
>
> Jerry

I stumbled across this a while back with SUNWservicetagr. My workaround was:

d=/var/sadm/pkg/SUNWservicetagr/save/pspool/SUNWservicetagr/reloc/var/svc/manifest/network
mkdir -p $d
cp /var/svc/manifest/network/st*.xml $d

In the last week or so the CR (6833642) logged due to the case that I opened related to this was changed to cause known and is now related to 6857294.

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Shareing files between zones
On Sun, Sep 13, 2009 at 12:30 AM, Illya Kysil ikysil+opensolaris@gmail.com wrote:
> Hi Sam,
>
> The easier way is to mount the storage (either NFS or CIFS or other) in the global zone and configure the lofs filesystems in non-global zones.

A file system that is NFS mounted in the global zone is inaccessible via lofs in non-global zones. If you have seen such behavior work, my guess is that if you snooped the traffic, you would see that the NFS traffic is really between the NFS server and the non-global zone. If the directory is already exported via NFS (from a different machine) simply mount it in each non-global zone. I do not know if CIFS has the same restriction.

If the storage is local storage, it can be lofs mounted in a variety of ways. Consider a system with z1 and z2 with zonepaths of /zones/z1 and /zones/z2. Suppose the data to be stored is needed at /data in each zone.

Option 1: Create /data in global, lofs mount to local zones.

global# zonecfg -z z1
add fs
set dir=/data
set special=/data
set type=lofs
end
exit
global# zonecfg -z z2
add fs
set dir=/data
set special=/data
set type=lofs
end
exit

Reboot each zone or issue the appropriate mount command from the global zone.

Option 2: Create /data in z1, lofs mount to z2

z1# mkdir /data
global# zonecfg -z z2
add fs
set dir=/data
# special is a global-zone path: z1's /data lives under z1's zonepath
set special=/zones/z1/root/data
set type=lofs
end
exit

Reboot z2 or issue the appropriate mount command from the global zone.

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] NFS zones via file based zpools or lofi/loopback
On Wed, Aug 19, 2009 at 12:17 PM, Michael Barrettmichael.barr...@sun.com wrote: Say you create a zpool based on a file that lives on a NFS mount. Then you mount that zpool to a local mount point and give it to your zone to live on. I'm assuming that under the covers this is just another version of this loopback method: http://blogs.sun.com/jph/entry/containers_on_nfs Is there anyone out there running like this? Any performance issues that jumped out at you? The key thing that jumps out at me is avoiding double buffering of data through the forcedirectio option to the NFS mount. This is discussed in my reply to Ed's proposal to do this in May. http://mail.opensolaris.org/pipermail/zones-discuss/2009-May/005031.html -- Mike Gerdts http://mgerdts.blogspot.com/ ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Zone Memory/Cpu Utilization Reporting
On Thu, Aug 6, 2009 at 10:23 PM, Alexander J. Maidak ajmai...@mchsi.com wrote:
> I have a number of systems running Solaris zones. I'm looking for a tool that will do the following:
>
> 1) Capture/store the cpu utilization of the global zone and all non-global zones
> 2) Capture/store the memory utilization of the global zone and all non-global zones
> 3) Post the graphics to a website that can display both historical and realtime data.

Last time I looked there weren't any tools that did this in an accurate way. Admittedly, it has been a while. The approach I took was:

On every global zone:

1) Enable task accounting. In 2005 Adrian Cockcroft had a few blog posts about this. See http://perfcap.blogspot.com/
2) Process task accounting records every 2 minutes, summing by zone
3) Send task accounting and various kstats related to memory, network, etc., and other data (vmstat, iostat, etc.) to a central server as soon as the data is gathered. This is over a TCP session.

The central server (really a zone with adequate storage):

1) Read data from clients as it comes in
2) Store a copy of the raw data just in case you need to do other types of analysis (excel, R, etc.)
3) Update rrd files.

There is then a simple CGI program that is able to present the RRD files.

The beauty of this is that I never configure anything. The part that goes on every global zone is baked into the server installation procedure. New zones are picked up as soon as they first boot. I am able to store 2 minute resolution data for ~ 40 days, 10 minute resolution for ~6 months, and 30 minute resolution for 3 years in about 200 MB per global zone plus about 10 MB per zone. The CGI interface can tell me somewhat detailed data about activity that has happened in the past few minutes and any other period up to 3 years ago with a response time of a couple seconds or less.

I would love to hear that there is a pre-baked tool out there that can have this level of simplicity, but have a prettier interface than the CGI interface that I came up with. The core of this tool was written (pre-S10 days) over the course of a weekend due to my dissatisfaction with the tool that I had to use that would page me all night long but took over 10 minutes to give me historical data (last 30 minutes, did it do the same thing last week?). Someone I was talking to recently appropriately tagged this as software written out of spite. I like that. :)

You might get other insights at sysadmin-discuss as well.

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Survey of networking feature use in native Solaris 10 zones
On Thu, Jul 23, 2009 at 7:32 PM, Jordan Vaughan jordan.vaug...@sun.com wrote:
> Hello zones community members,
>
> I'm one of the engineers working on Solaris 10 Containers (S10Cs) for OpenSolaris (http://www.opensolaris.org/os/project/s10brand). I'm currently evaluating networking requirements for S10Cs. Our ultimate goal is to achieve networking feature parity with native Solaris 10 zones: we will want S10Cs to do everything that native Solaris 10 zones can do.
>
> I would appreciate any input you can provide regarding what you (or your customers) currently do with your native Solaris 10 zones (both exclusive- and shared-stack zones), especially the commands (arp, snoop, traceroute, etc.), protocols, and other features/services (SMA, Solstice, IPMP, NAT, IP Filter, DHCP client/server, IP tunnels, PPP, IPsec, etc.) that you use most frequently. Your input will help us prioritize networking features and set realistic expectations for our product.

I'll assume that everything that works in a S10 non-global zone with a shared stack will continue to work in a Solaris 10 container. That is, pretty much anything that doesn't need raw access just works.

In order to attract Solaris 10 non-global zones to being S10Cs, the S10C needs to be able to leverage the capabilities of crossbow to get a dedicated IP stack. I don't care if I can use dladm to configure vnics in an S10C or not. I would need some way to tune IP, TCP, UDP, etc. parameters. Ideally this would be via nddconfig[1].

1. http://src.opensolaris.org/source/xref/sst/gate/src/Files/etc/init.d/nddconfig

In order to attract Solaris 10 global zones to being S10Cs, a somewhat more complete feature set is needed. A key barrier I would expect to see to application installations is the need for ndd -get and ndd -set to work as they do in Solaris 10 because it is part of some applications' pre-installation checks. If Clearview IPMP is not able to provide an IPMP'd interface to the zone that can be independently tuned (e.g. ndd -set /dev/tcp ...), then IPMP needs to be supported within the S10C.

In all cases I need to be able to access tagged VLANs. I don't care much as to whether this happens by creating vnics in the global zone or some other method.

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] sysidcfg file can not be cloned?
On Tue, Jul 21, 2009 at 6:04 AM, taiyo Kno-re...@opensolaris.org wrote: Hello World, When I clone zone(s) from a template zone I created and modified for my specific purpose, all of my customized files/directories in the source zone are cloned/generated to new zones. However it seems only sysidcfg file can not be cloned even though it is there in the /etc directory of source zone. Is this an expected behavior by system design of zone cloning? Thanks, Robinky As a zone is being cloned, the new zone has sys-unconfig run in it. See /usr/lib/brand/native/postclone for details. -- Mike Gerdts http://mgerdts.blogspot.com/ ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Using zones for simple usage
On Mon, Jul 13, 2009 at 12:53 PM, Harry Putnamrea...@newsguy.com wrote: After reading only a little about zones.. I doubt I really get the expected usage one might put a zone to. My case is very homespun just a home lan with at most... 6 machines. 1 vista(laptop) 3 winXP 1 linux 1 Opensolaris (2009.6 still using b111) I've been mainly a linux user until recently but use 3 winXP machines for video and photography processing since I work largely with all Adobe tools. I'm more experienced with admin type chores on linux.. I'm using the Opensol machine for most backup type jobs across the lan. Or in cases where the backup may originate on a windows machine such as with `Retrospect', the opensol machine is the recipient only. I wondered if there would be any advantage to creating a zone where only the backup chores were handled, nothing else. I can't be sure if that is even the kind of thing one would do with a zone, but it seems kind of likely it would be handy to have an area where nothing but backup chores were in order. Another zone I've thought about would be for nameservice to my home lan. Maybe a mail server might be another zone usage. I hoped to hear from a few experienced `zones' users about such a usage. Zones are handy when you need an added degree of isolation. The time that I could see such a need for typical home usage would be if you have an internet-facing web server or similar. I would put the web server in a zone and have my router set up to forward http packets to that zone. If someone breaks through the web server's security and gets shell access, they get shell access only to the things that are on the web server. Presumably the web server zone doesn't have access to sensitive things, like your tax records. In a business situation, there are several other use cases. Longer term, management of zones (e.g. applying software updates) takes extra effort. 
As such, I wouldn't break things up into separate zones any more than makes sense to satisfy your needs. -- Mike Gerdts http://mgerdts.blogspot.com/ ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] zones on shared storage proposal
, but they will be utilising the vdev_disk backend and they will have an additional layer of indirection through lofi. XXX: impact of multiple zpools on arc and l2 arc? talk to mark maybee. -- C.7 Phased delivery Customers have been asking for a simple mechanisms to allow hosting of zones on NFS since the introduction of zones. Hence we'd like to get this functionality into the hands of customers as quickly as possible. Also, the approach taken by this proposal to supporting zones on shared storage is different from what was originally anticipated, hence we'd like to get practical experience with this approach at customer sites asap to determine if there are situations where this approach may not meet their requires. To accelerate the delivery of the previously proposed features, we plan to deliver them in three phases: Sounds quite reasonable. [snip] --- -- Mike Gerdts http://mgerdts.blogspot.com/ ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Upgrading solaris10 branded zones
source so no community involvement. d) This is complex, legacy code which is a hairball. e) This code is fragile and there might be strong pushback for changing it further in S10. f) There is no re-use or other benefit to this work. 2) Enhance the zones update on attach code to do a real upgrade The idea here is that we improve the 'update on attach' code so it can use a Solaris 10 CD image as the source of the pkgs instead of the global zone. We would also enhance the code so it uses the full pkg list from the CD image instead of just the system software pkgs that have to be updated to sync the zone. The global zone admin would run this new code to upgrade specific solaris10 branded zones. They could either upgrade the zone in place or clone the zone and upgrade the clone, providing similar functionality to LU. Pros: a) I think this would be a simpler project. b) This code could be easily re-used to provide a true single zone upgrade on attach feature for a S10 native zone backport - lots of people want that. c) We know this code. d) This code is open source and readily re-usable. Cons: a) Upgrade would be done by the global zone admin, not the zone admin, so the zone admin is no longer the one in control. b) Because LU wouldn't work this might cause a perception of incompatibility between the solaris10 branded zone and a bare metal system. c) This doesn't solve the problem of using LU to apply patches to an ABE within the zone. S10u7 just came out, I think you said that this is targeted to support S10u8, and it would be able to upgrade from S10u8 to S10u9. Will S10u10 ever exist? Will it see a lot of adoption before S10u9 exists? If it is only good for a maximum one time upgrade with several years of patching afterward, this option doesn't seem to be worth it. Please send me any comments on preferences for one solution or the other, as well as any other thoughts on this topic. 
Thanks, Jerry ___ zones-discuss mailing list zones-discuss@opensolaris.org Clearly I am more in the make Live Upgrade work camp. If the zfs userland components can be made to work in the solaris9 brand, there's benefit for it as well. -- Mike Gerdts http://mgerdts.blogspot.com/ ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] S10 brand spec.
On Tue, May 12, 2009 at 6:28 AM, Jerry Jelinek gerald.jeli...@sun.com wrote: [snip] Zones have been part of S10 since its FCS, so in general S10 is already zone-aware and does the right thing in most cases. Commands that are zone-aware will continue to work as they do today in S10 native zones. One set of commands which does require emulation are the S10 SVr4 packaging and patch commands. Those commands are zone-aware and in some cases will check if they are running in the global zone and refuse to function if not. If running in the global zone they will also attempt to look for other zones to operate on. Any thoughts on supporting live upgrade? That is, I would like live upgrade within the branded zone to work as it does for a S10 global zone. I don't care about it from the upgrade standpoint, but it is a very helpful tool for patching. Having a zfs zonepath is an acceptable prerequisite. -- Mike Gerdts http://mgerdts.blogspot.com/ ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] S10 brand spec.
On Tue, May 12, 2009 at 8:02 AM, Jerry Jelinek gerald.jeli...@sun.com wrote: Mike Gerdts wrote: Any thoughts on supporting live upgrade? That is, I would like live upgrade within the branded zone to work as it does for a S10 global zone. I don't care about it from the upgrade standpoint, but it is a very helpful tool for patching. Having a zfs zonepath is an acceptable prerequisite. Mike, We know that we need to come up with some sort of solution for being able to upgrade a solaris10-branded zone. We have this on our list of things to look at but we haven't started on that yet. I don't know if we'll try to make live-upgrade work inside a branded zone or if we'll try something else. Making live-upgrade work would probably be hard but until we get into it, we don't know how hard. It might be that we do something else since its already easy to clone a zone. I suspect that making live upgrade work within a zone would be significantly easier if ZFS was a prerequisite. It looks as though the ipkg brand already has support for mounting the appropriate dataset on boot and attach. Delegated datasets can be snapshotted and cloned within the non-global zone. It seems as though the only missing bits (without having read the LU code) are: - Live Upgrade shouldn't try to read or update OBP through PICL or otherwise - The brand needs to trick live upgrade into thinking that it is in the global zone I don't care so much if Live Upgrade or something else is chosen, I just see the lack of a live upgrade work-alike as a potential blocker to adoption. -- Mike Gerdts http://mgerdts.blogspot.com/ ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] IPKG Brand for S10/SX:CE
On Thu, Apr 23, 2009 at 12:49 PM, Ben Rockwood b...@cuddletech.com wrote:
> Has any one invested time trying to get IPKG branded zones working on S10/SX:CE? I'm starting down that road and have had fairly good progress to date but would love to collaborate.

Yes, I have done an ipkg zone on SXCE. My motivation was to be able to use AI to install the 2008.11 preview on an LDom. My notes appear below. I believe that they are fairly complete for initial bootstrapping. Note that there is a bit of git r done in it, rather than generating appropriate source code fixes.

What do you perceive as the motivation for ipkg zones on S10? If I squint just right, I think that I can see the mapping of packages, patches, update releases, etc. to IPS constructs. Is this what you have in mind, or something else?

I assume that with SXCE your plan of attack would be to leverage the work done for the opensolaris distro for ips branded zones. Is that a reasonable assumption?

Anyway, here was my first run through this effort.

Starting point is a SXCE 108 T5120 with SUNWCXall, zfs root

1. Get pkg-gate from mercurial

$ hg clone ssh://a...@hg.opensolaris.org/hg/pkg/gate
destination directory: gate
requesting all changes
adding changesets
adding manifests
adding file changes
added 1040 changesets with 13427 changes to 7444 files
4779 files updated, 0 files merged, 0 files removed, 0 files unresolved

2. Build pkg

$ export PATH=$PATH:/apps/studio12/SUNWspro/bin
$ cd gate/src
$ make
$ make packages

3. Install packages

# cd gate/packages
# pkgadd -d . all

4. Fake global zone's notion of entire

Modify /usr/lib/brand/ipkg/pkgcreatezone. Just before the point where it would error out, force it to match the SXCE build of the global zone.

entire_fmri=ent...@0.5.11,5.11-0.108
if [[ -z $entire_fmri ]]; then
        fail_incomplete $f_no_entire
fi

5. Create the zone

# zonecfg -z ipkg
ipkg: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:ipkg> create -t SUNWipkg
zonecfg:ipkg> set zonepath=/zones/ipkg
zonecfg:ipkg> set autoboot=false
# set up network as well
zonecfg:ipkg> verify
zonecfg:ipkg> commit
zonecfg:ipkg> exit

6. Install the zone

# export http_proxy=<insert proxy here>
# zoneadm -z ipkg install -P opensolaris.org=http://pkg.opensolaris.org/dev/
A ZFS file system has been created for this zone.
pkg: No image found.
Publisher: Using opensolaris.org (http://pkg.opensolaris.org/dev/).
done. root ...Refreshing Catalog
Sanity Check: Looking for 'entire' incorporation.
Installing: Core System (output follows)
DOWNLOAD        PKGS       FILES      XFER (MB)
Completed       26/26      2790/2790  52.48/52.48
PHASE           ACTIONS
Install Phase   6147/6147
Installing: Additional Packages (output follows)
DOWNLOAD        PKGS       FILES      XFER (MB)
Completed       32/32      5449/5449  31.63/31.63
PHASE           ACTIONS
Install Phase   7083/7083
PHASE           ITEMS
Indexing Packages 60/60
Note: Man pages can be obtained by installing SUNWman
Postinstall: Copying SMF seed repository ... done.
Postinstall: Applying workarounds.
Done: Installation completed in 576 seconds.
Next Steps: Boot the zone, then log into the zone console (zlogin -C) to complete the configuration process

7. Configure the zone

# zoneadm -z ipkg boot ; zlogin -C ipkg
[Connected to zone 'ipkg' console]
Hostname: ipkg
Loading smf(5) service descriptions: 1/68

8. Install installadm, java

These steps could be done more efficiently... it was trial and error to get the packages I needed.

r...@ipkg:~# pkg install SUNWinstalladm-tools
DOWNLOAD        PKGS       FILES      XFER (MB)
Completed       13/13      1641/1641  9.43/9.43
PHASE           ACTIONS
Install Phase   2175/2175
PHASE           ITEMS
Reading Existing Index 9/9
Indexing Packages 74/74

I did the same for SUNWless, SUNWmkcd, SUNWrsync. I forget whether I needed to do this for SUNWdsd or not.

Import the services...

r...@ipkg:~# svcadm restart manifest-import

Beyond this I got into a fair amount of trial and error, specifically related to getting AI and DHCP to work. This isn't really needed for a generic ipkg zone, however.

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Zones on multiple subnets
On Tue, Feb 24, 2009 at 7:19 PM, Bangalore, Suresh suresh.bangal...@railcorp.nsw.gov.au wrote:
> Hi Gurus
>
> I need to setup zones as shown below.
>
> Zone1: 10.10.10.X with default router 10.10.10.1
> Zone2: 10.10.20.X with default router 10.10.20.1
> And Global zone 10.10.30.X with default router 10.10.30.1
>
> Is this achievable? As shown above, I need the zones to have a separate default router than the default router for the global zone. I don't have the luxury of using dedicated ports to achieve this. Any suggestions/workarounds are greatly appreciated.

What is the netmask? That is, the story is completely different between:

10.10.10.x/16
10.10.20.x/16
10.10.30.x/16

And

10.10.10.x/24
10.10.20.x/24
10.10.30.x/24

If it is the second, then you are dealing with three distinct subnets and life is much easier. If you really only have one subnet, I'm not sure there is a solution.

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Moving zones between different sparc architecture
On Mon, Feb 16, 2009 at 11:01 AM, Moore, Joe joe.mo...@siemens.com wrote: Octave Orgeron wrote: Ben Rockwood wrote: pol.barthel...@sun.com wrote: Hello, It is supported to move zones from a sun4u to a sun4v or vice-versa ? I'm not certain if its supported, but it does work. This should work fine for zones, but I would recommend installing a full oem build on the global zone to be sure. However, with LDoms it's a little harder as the platform differences matter between T1, T2, and T2+ matters. As an alternative to installing the full OEM cluster, you can install just the sun4v architecture packages on the sun4u machine (and sun4u on the sun4v machine) as described at http://www.sun.com/bigadmin/content/submitted/hybrid_build.jsp As with any zone movement, the packages and patches must match on the source and destination systems before Solaris 10u6 where Upgrade on Attach was introduced. (unless you go all the way back to s10 GA, where zones didn't have such checks) If you are going down this route, keep in mind Dave Miner's cautions about supportability. This discussion was really aimed at the replacement for flash archives, but so is the bigadmin article. http://mail.opensolaris.org/pipermail/install-discuss/2006-March/002515.html -- Mike Gerdts http://mgerdts.blogspot.com/ ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Does update on attach add information from the new systems kernel patch ?
On Mon, Feb 2, 2009 at 9:07 AM, Geoff Shipman geoff.ship...@sun.com wrote:
> Jerry,
>
> Thanks for the update on the /etc/release file. The customer is more concerned regarding the kernel patch info not listed in the NGZ. From uname output in the NGZ we can see the kernel matches the global value. It's the lack of showrev -p data for that kernel revision that customer is concerned with.

The apparent inaccuracy of showrev -p scared me a bit, so I took a look at an Update 4 zone that I attached to an Update 6 machine:

# uname -srv
SunOS 5.10 Generic_137137-09
# cat /etc/release
Solaris 10 8/07 s10s_u4wos_12b SPARC
Copyright 2007 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 16 August 2007
# showrev -p | nawk '$2 == "137137-09" { print $1, $2 }'
Patch: 137137-09

That all looks OK (aside from the debatable /etc/release - it is update not upgrade...).

Are you sure that the zone you are dealing with was attached properly? Was it maybe attached with -F (force, ignoring broken stuff) rather than -u (update on attach)?

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] native p2v code review
-unconfig can hang if the zone is still in the process of
704 # booting when we try to run sys-unconfig. Wait until the boot is
705 # done, which we do by checking for sulogin, or waiting 30 seconds,
706 # whichever comes first.
707 #

Wouldn't it be more correct to wait for svc:/milestone/single-user:default to be online?

720 for i in 0 1 2 3 4 5 6 7 8 9
721 do
722 pgrep -z $ZONENAME sulogin >/dev/null 2>&1 && break
723 sleep 3
724 done
725
726 if [[ $i -eq 9 ]]; then
727 verbose $e_nosmf
728 fi

Wasted final sleep. 726 should pgrep again.

-- Mike Gerdts http://mgerdts.blogspot.com/
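The two review points about the wait loop at lines 720-728, shown as an added example that is not part of the reviewed script or of this thread: `poll_until` sleeps only between checks and returns the result of the check itself, while `legacy_wait` keeps the reviewed loop's shape for comparison. The function names, the `SLEEP_CMD` hook and the `zlogin ... svcs` milestone check are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; names below are hypothetical, not from the p2v script.

# SLEEP_CMD can be replaced with a stub so the loops can be exercised
# without real delays (assumption, used for testing only).
SLEEP_CMD=${SLEEP_CMD:-sleep}

# poll_until MAX_TRIES INTERVAL CMD [ARGS...]
# Runs CMD up to MAX_TRIES times. Sleeps INTERVAL seconds between attempts,
# never after the last one. Returns 0 as soon as CMD succeeds, 1 otherwise,
# so the caller tests the outcome of the check rather than a loop counter.
poll_until() {
    max_tries=$1
    interval=$2
    shift 2
    attempt=1
    while :; do
        "$@" >/dev/null 2>&1 && return 0
        [ "$attempt" -ge "$max_tries" ] && return 1
        $SLEEP_CMD "$interval"
        attempt=$((attempt + 1))
    done
}

# Shape of the loop under review, kept for comparison. It sleeps once more
# after the tenth failed check, and it infers a timeout from the counter,
# so a check that succeeds on the tenth pass is still reported as a timeout.
legacy_wait() {
    for i in 0 1 2 3 4 5 6 7 8 9; do
        "$@" >/dev/null 2>&1 && break
        $SLEEP_CMD 3
    done
    [ "$i" -eq 9 ] && return 1
    return 0
}

# The check used by the reviewed loop (Solaris pgrep -z).
zone_at_sulogin() {
    pgrep -z "$1" sulogin
}

# The alternative raised in the review: wait for the single-user milestone.
# Running svcs through zlogin is an assumption about how one would query it.
zone_single_user_online() {
    state=$(zlogin "$1" svcs -H -o state svc:/milestone/single-user:default 2>/dev/null)
    [ "$state" = online ]
}

# Intended use in place of lines 720-728 (not executed here):
#   poll_until 10 3 zone_at_sulogin "$ZONENAME" || verbose "$e_nosmf"
```

With ten tries and a 3 second interval, the worst case is 27 seconds of sleeping instead of 30, and the warning is printed only when the last check really failed.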
Re: [zones-discuss] zone p2v proposal
On Mon, Dec 8, 2008 at 9:43 AM, Jerry Jelinek gerald.jeli...@sun.com wrote:
> The native brand installer will accept the following new arguments:
>
> -a {path} - specifies a path to an archive to unpack into the zone
> -d {path} - specifies a path to a tree of files as the source for the installation.
> -p - preserve system configuration (either -p or -u required).
> -s - install silently
> -u - sys-unconfig(1M) the zone after installing it
> -v - verbose output from the install process
>
> The -p, -s, -u and -v options are only allowed when -a or -d is provided. If -a or -d is not given, then the zone is installed using the existing mechanism.

Can an option be added to not make another copy of the data? That is, if I have already gotten the bits in place on disk that I am happy with, please don't copy them again (mv and zfs set mountpoint are OK if needed).

Usage scenarios:

1) I restored a physical system from backups and need to attach it as a zone. For example

mkdir /zones/oops
metainit d1234 -p d50 8G
echo /dev/md/dsk/d1234 /dev/md/rdsk/d1234 /zones/oops ufs 1 yes - >> /etc/vfstab
mount /zones/oops
chmod 700 /zones/oops
mkdir /zones/oops/root
use your favorite backup/restore tool to restore to /zones/oops/root
p2v it

2) Create zones as clones of /

zfs snapshot rpool/ROOT/snv_...@zonemaster
zfs clone rpool/ROOT/snv_1...@zonemaster rpool/zones/new
mkdir /zones/new/root
mv /zones/new/* /zones/new/root
p2v it, with sys-unconfig

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] zone p2v proposal
On Fri, Dec 12, 2008 at 6:45 PM, Jerry Jelinek gerald.jeli...@sun.com wrote:

Mike Gerdts wrote:

On Mon, Dec 8, 2008 at 9:43 AM, Jerry Jelinek gerald.jeli...@sun.com wrote:

The native brand installer will accept the following new arguments:

-a {path} - specifies a path to an archive to unpack into the zone
-d {path} - specifies a path to a tree of files as the source for the installation.
-p - preserve system configuration (either -p or -u required).
-s - install silently
-u - sys-unconfig(1M) the zone after installing it
-v - verbose output from the install process

The -p, -s, -u and -v options are only allowed when -a or -d is provided. If -a or -d is not given, then the zone is installed using the existing mechanism.

Can an option be added to not make another copy of the data? That is, if I have already gotten the bits in place on disk that I am happy with, please don't copy them again (mv and zfs set mountpoint are OK if needed).

Mike, I'll think about that. What if -d {zonepath} just skipped the copy of the bits? Thanks, Jerry

That sounds reasonable. This seems to imply that the argument to -d will be a directory that has a subdirectory named root which is the actual root of the thing to be turned into a zone.

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] zone p2v proposal
On Mon, Dec 8, 2008 at 9:43 AM, Jerry Jelinek [EMAIL PROTECTED] wrote: SUMMARY: This fast-track enhances the Solaris Zones [1] subsystem to address an existing RFE [2] requesting a physical to virtual (or p2v) capability for installing native-branded zones based on an existing system image. This capability is very similar to what already exists for solaris8 and solaris9 branded zones [3,4], which are installed using an archive of an existing system image, but in this case there is no brand module and the zone brand is 'native'. Patch binding is requested for this native p2v capability. The stability of these interfaces is documented in the interface table below. DETAILS: This new feature is primarily an extension to the native-brand zone installation code so that the zone can be installed using an archive of a system, as is already done with the solaris8 and solaris9 brands. However, because there is no brand module, part of the installation process uses the zone update on attach [5] feature to sync the zone image up so that it is usable on the system. Because update on attach does not allow zone downgrades, the system image being installed and p2v-ed must not be newer than the host OS release or the installation will fail with an error. In addition to the update on attach during zone installation, there are a variety of other modifications which must be applied to the image so that it is usable within a zone. Again, this is very similar to what happens today with the solaris8 and solaris9 brands during installation. The image modifications fall into the following areas: 1) SMF services that are not usable within a zone should be deleted or disabled as necessary (for S8 and S9 we dealt with rc scripts instead). This implies that the source system can be S8, S9, or S10. I don't see anywhere else in the proposal that explicitly states that S8 and S9 can be attached and upgraded, so I suspect I am reading my wishes into your words. 
Assuming the S8 and S9 are supported source systems, is there any real difference in the resulting zone if the following paths are taken:

    src-s9# lucreate -c s9 -n s10 ...
    src-s9# luupgrade -s /mnt/s10media -n s10 ...
    src-s9# luactivate s10
    src-s10# flarcreate ... /net/server/src-10.flar
    dst-s10# zoneadm install -a /net/server/src-10.flar ...

vs. (upgrade on attach - not branded)

    src-s9# flarcreate ... /net/server/src-9.flar
    dst-s10# zoneadm install -a /net/server/src-9.flar

2) Network configuration must be adjusted depending on if the zone is shared-stack or exclusive.
3) NFS serving must be disabled [6].
4) The vfstab must be adjusted so that local file systems from the original system are disabled.
5) Any zones installed on the original system will be uninstalled and deleted from the image (zones do not nest).

All of these modifications happen transparently as part of the zone installation, as is the case with the solaris8 and solaris9 brands.

Will config files be removed or will services just be disabled (and hollow packages removed)? That is, will destructive things be done that prevent the implementation of some future v2p (e.g. zone to ldom or xen) transition? Or is it believed that the typical packages that are not appropriate for non-global zones lack configuration that would be interesting in a p2v - v2p world?

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] zone p2v proposal
On Mon, Dec 8, 2008 at 12:37 PM, James Carlson [EMAIL PROTECTED] wrote:

I think answering that would answer the previous poster's question about the difference between doing an upgrade before flar creation and just importing a flar from S9: the former results in a native zone using this new functionality, while the latter results in a non-native brand without upgrade.

I was asking under the assumption that an upgrade from a minor release or two was supported. Typically if I am moving a S8 or S9 physical into a zone, I really want to do an upgrade (or similar) as well. Not being able to do this in one step is not that big of a deal - after all I do seem to have workable alternatives:

1) On S8 or S9, use live upgrade to upgrade to S10, then install/attach the S10 BE as unbranded.
2) Attach the S8 or S9 BE as a branded zone, then use live upgrade (?) to populate a S10 BE which in turn gets installed/attached as an unbranded zone.

I bet I can write a script to make that look like a single command. Then, with time Jerry will follow up with a more elegant solution than the duct-tape and chewing gum one I come up with. :)

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Zone Statistics: monitoring resource use of zones
On Tue, Nov 18, 2008 at 11:30 AM, Enda O'Connor [EMAIL PROTECTED] wrote:

So sometimes an update might be meaningless, i.e. I can have an x86 FCS system (from cat /etc/release) but it has grub, zfs and all the latest zones functionality, just by adding 137137-09, plus the near 30 patches required to get that on board. To me they probably need a patch automation tool to tell them what is currently available in terms of patching, and they see what they need from that.

Interface changes always have an associated ARC case ID with them, right? Why not make it so that the software that delivers an interface delivers some metadata that says that the interface specified in the ARC case is on the system. Any time a patch or installation delivers, removes, or deprecates a feature (interface) this metadata would get updated. A stable interface is then needed to query and update that metadata. The important ones (worthy of marketing or release notes attention) could get a corresponding feature-based meta package, allowing administrators to easily install the feature. http://mgerdts.blogspot.com/2008/03/solaris-wish-list-feature-based-meta.html

A nice extension on that would be a means for software to register as a consumer of the interface. Perhaps that is just a soft dependency in the packaging software. Another thought would be to add dtrace probes at the entry points to the interfaces so that an interface watch daemon could track interface users (e.g. by using process contract decorations).

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Zone Statistics: monitoring resource use of zones
On Mon, Nov 17, 2008 at 7:44 PM, Jeff Victor [EMAIL PROTECTED] wrote:

Hi Kevin, I believe that you cannot patch your way from U1 to U5 - i.e. that the system is missing some functionality that would be there if you had applied the updates - but your point is still valid. I will look into the correctness of using patch levels to detect feature availability.

Huh? There are very few features delivered in Solaris updates that aren't delivered via patches. So few that I can only think of one time where it has made a difference (postgres version different between updates). When really important features are released as new packages genesis patches are delivered to deliver the feature. This is how the U1 + patches system below has zfs on it even though zfs didn't come out until U2. All of the functionality that this script cares about for this comes as part of the recommended patch set.

Consider this system:

    # cat /etc/release
    Solaris 10 1/06 s10s_u1wos_19a SPARC
    Copyright 2005 Sun Microsystems, Inc. All Rights Reserved.
    Use is subject to license terms.
    Assembled 07 December 2005
    # uname -rv
    5.10 Generic_127111-09

That puts it somewhere in between U4 and U5 for kernel patches. Because the recommended bundle was used, it puts it somewhere in between for other aspects (e.g. libzonecfg, etc.) as well.

Let's take a look at the checks that zonestat does for updates:

356 # For zones with RAM caps (U4+), get current values for RAM usage and Cap.
357 if ($update3) {
358     open (RCAP, "/usr/bin/svcs -H rcap|");

    # svcs -H rcap
    disabled May_03 svc:/system/rcap:default

Exists but disabled.

440 if ($update4) {
441     open(PRCTL, "/bin/prctl -Pi zone -n zone.cpu-cap $z|");
442     while (<PRCTL>) {

Not at update 5's kernel and related patch set yet, so I wouldn't expect that this would work. However, let's take a look at another system that was installed with update 4 but has update 5+ patches.

    # cat /etc/release
    Solaris 10 8/07 s10s_u4wos_12b SPARC
    Copyright 2007 Sun Microsystems, Inc. All Rights Reserved.
    Use is subject to license terms.
    Assembled 16 August 2007
    # uname -rv
    5.10 Generic_137111-08
    # prctl -Pi zone -n zone.cpu-cap
    zone: 3: zone.cpu-cap system 4294967295 inf deny -

-- Mike Gerdts http://mgerdts.blogspot.com/
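The approach argued for in this thread, testing for the capability itself rather than reading /etc/release, shown as an added example (not zonestat code and not from the original messages). The `SVCS`/`PRCTL` overrides and all function names are assumptions made here; the two probes are the commands quoted in the message above.

```shell
#!/bin/sh
# Added example: decide what a zone-monitoring script can use by probing
# for each capability instead of parsing /etc/release.
# SVCS and PRCTL default to the full paths quoted in the thread; making
# them overridable is an assumption so the probes can be exercised with
# stand-in commands on a non-Solaris host.
SVCS=${SVCS:-/usr/bin/svcs}
PRCTL=${PRCTL:-/bin/prctl}

# Print the state of the rcap service ("online", "disabled", ...), or
# "absent" when svcs is missing or reports no such service.
rcap_state() {
    out=$("$SVCS" -H rcap 2>/dev/null) || { echo absent; return 0; }
    # svcs -H prints one line per service: STATE STIME FMRI
    state=$(printf '%s\n' "$out" |
        awk '$3 ~ /^svc:\/system\/rcap:/ { print $1; exit }')
    echo "${state:-absent}"
}

# Succeed only if the running system accepts the zone.cpu-cap resource
# control for zone $1. Assumption: prctl exits non-zero when it does not
# know the resource control; the output check guards against that being
# wrong on some release.
has_cpu_cap() {
    out=$("$PRCTL" -Pi zone -n zone.cpu-cap "$1" 2>/dev/null) || return 1
    printf '%s\n' "$out" |
        grep -E '(^|[[:space:]])zone\.cpu-cap[[:space:]]' >/dev/null
}

# One-line summary a caller can log or branch on.
feature_report() {
    if has_cpu_cap "$1"; then cap=yes; else cap=no; fi
    echo "rcap=$(rcap_state) cpu_cap=$cap"
}

# On a host without svcs/prctl this prints: rcap=absent cpu_cap=no
feature_report global
```

A service that exists but is disabled, as in the first system quoted above, is reported as `rcap=disabled` rather than being treated as a missing feature.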
Re: [zones-discuss] Zone Statistics: monitoring resource use of zones
On Mon, Nov 17, 2008 at 8:05 PM, Glenn Brunette [EMAIL PROTECTED] wrote:

Jeff, This actually hits on a similar request that I have (but for different reasons). I would like a stable interface from which I could tell the update revision of a system.

This seems to be another case for feature-based meta packages. http://mgerdts.blogspot.com/2008/03/solaris-wish-list-feature-based-meta.html I describe it for the simplicity of installing software, but with a bit of thought it could be possible to extend it to this use as well.

In a past life working on JASS, we were told to not test for patch or update levels but rather to test whether a specific feature is present, and while I understand the merits of this methodology, it does not always provide a complete solution (without making significant assumptions about how the system was installed/maintained). For

As a very heavy user of JASS, this methodology is appreciated. It has made the software continue to be quite useful long after Sun stopped providing updates. (Any news on open sourcing it?)

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Zone Statistics: monitoring resource use of zones
On Sun, Nov 16, 2008 at 7:40 PM, Jeff Victor [EMAIL PROTECTED] wrote: To me, the clearest example would be a kstat, per zone, which provides the total amount of CPU time for all of the processes in each zone, since the zone booted. This would enable tools like zonestat to request the datum occasionally, in order to determine CPU time per quantum of elapsed time. zonestat shouldn't be needed to give this information. Per zone, project, and user data should be available that allows prstat to display this information. When I use prstat -mz or prstat -ma, I would expect the collected microstate accounting data would be used to populate the display. Other fine points about this include: - Currently prstat shows time decayed summaries in the bottom panel, even when microstate data is displayed at the top. Time decayed data is confusing, particularly when trying to correlate application events that last just several seconds to CPU consumption. - It should be able to omit per-process displays. In this mode, it would be able to skip the walk of every process in /proc. - It should be able to display all zones, projects, or users. The display only gives the top (and optionally bottom) consumers today and makes it useless for displaying activity of all users, projects, or zones. Whether this information is accessible via proc or someplace under /system is a question I don't have a good answer for. The next things on my list after the items listed above are: - Give performance data per service. A while back process contract decorations (PSARC/2008/046) were added, which would probably be a big help. - There's an increasing number of kernel tasks taken care of in task queues. My understanding is they don't get charged to any process. Having a way to observe the impact of these taskq tasks could help administrators understand the relative impact of things like zfs crypto and zfs compression. Dtrace can give the answers above but it shouldn't be that hard for the end user. 
-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Zone Statistics: monitoring resource use of zones
On Sun, Nov 9, 2008 at 7:54 PM, Jeff Victor [EMAIL PROTECTED] wrote:

It has become clear that there is a need to monitor resource consumption of workloads in zones, and an easy method to compare consumption to resource controls. In order to understand how a software tool could fulfill this need, I created an OpenSolaris project and a prototype to get started. If this sounds interesting, you can find the project and Perl script at: http://opensolaris.org/os/project/zonestat/ . If you have any comments, or suggestions for improvement, please let me know on this e-mail list or via private e-mail.

I've had such needs for a while and have developed some tools to help my organization with that. Unfortunately, I'm not able to share that code. I am able to share suggestions...

I am in a habit of:

    #! /usr/bin/perl -w
    use strict;

That catches a lot of mistakes that may be masked by:

    close STDERR;

which I never do. :)

Please do not use /etc/release as a test of kernel functionality. Those that patch to an equivalent level as the update release have a similar level of functionality. A better mechanism would be to check for specific kernel patches. See http://blogs.sun.com/patch/entry/solaris_10_kernel_patchid_progression for kernel patch ID's through Update 6. The blog entry was posted just before U5 shipped, so the U6 info should be checked for accuracy.

    # Get amount and cap of memory locked by processes in each zone.
    # kstat -p caps:*:lockedmem_zone_* conveniently summarizes all zones for us.
    #
    open(KSTAT, "/usr/bin/kstat -p caps:*:lockedmem_zone_* |");
    while (<KSTAT>) {

You could just use Sun::Solaris::Kstat rather than forking another perl script.

My feeling on capped memory is that if it becomes an issue and capped swap is not really close to capped memory, the over-consumptive zone has too high of a chance of causing horrible I/O problems for all zones. That is, the cap is likely to do more harm than good. This may change if swap can go onto solid state disk.
I only mention this, because I don't see a purpose in capping RSS, rather I cap swap. FWIW, I tend to use the term reserved memory instead of swap because that is less confusing to most people. For CPU related stats, take a look at a discussion I started a while back: http://mail.opensolaris.org/pipermail/perf-discuss/2005-November/002048.html One project I would like to kick off sometime is doing per user, per project, and per zone microstate accounting. Presumably this data would be available through kstat. The tricky part here is to not introduce a big load on the system in the process of doing this. The above discussion and/or others in a similar vein have led me to think that collecting stats as processes exit and periodically through a kernel thread would be the way to go. This approach won't be accurate to subsecond intervals, but generally speaking you don't need better data than per minute. Such a thread should have no more impact on the system than a single user running prstat or top with a similar interval. Further, it would be good data for prstat (e.g. -a) to use. A follow-on to that would be to have a way to track usage of kernel taskq work. As more in-kernel functionality comes into existence, it becomes harder to see where the utilization is. For example, a kstat that counted the relative amount of time in zfs crypto versus zfs gzip9 operations would be helpful to the support person that is trying to answer the call why does vmstat say my system is pegged while prstat shows no processes consuming CPU? Sure, dtrace can get that information - but it is hard for the typical person to write and pretty expensive to run as regular monitoring. But, now I'm a bit off topic. The use of mdb rules out use by most users. I dislike tools that make users (e.g. application owners) ask me for root access. I haven't looked closely to see which, if any, of the other commands also require some elevated privileges. Most (all?) 
other commands have the full path set but mdb doesn't. Perhaps $ENV{PATH} = ... would be a good thing to add. I didn't have a chance to check logic closely or run it on a test system. I'll offer more feedback if needed when I get a chance to test it. It is a great start and I can't wait to see it progress. -- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Update on attach and upgrades
On Thu, Nov 6, 2008 at 8:16 AM, Jerry Jelinek [EMAIL PROTECTED] wrote:

Henrik Johansson wrote:

The easiest way would probably be to identify packages that are not to be updated, in my experience packages do not differ that much between local zones in production environments, but that is only based on the system I have worked with. I always keep zones as similar as possible, but full zones still leaves the possibility to make some changes to the packages and patches in case it's necessary.

Unfortunately we have no way to know which pkgs you deliberately want to be different between the global and non-global zone and which you want to be in sync.

That's why a list where the user could control that would be needed.

Isn't that the purpose of pkgadd -G?

    -G  Add package(s) in the current zone only. When used in the global zone, the package is added to the global zone only and is not propagated to any existing or yet-to-be-created non-global zone. When used in a non-global zone, the package(s) are added to the non-global zone only. This option causes package installation to fail if, in the pkginfo file for a package, SUNW_PKG_ALLZONES is set to true. See pkginfo(4).

A package added to the global zone with pkgadd -G should not be upgraded in the non-global zone.

-- Mike Gerdts http://mgerdts.blogspot.com/
Re: [zones-discuss] Confirming Zone running Container
On Thu, Oct 2, 2008 at 2:23 PM, Nicolas Dorfsman [EMAIL PROTECTED] wrote: Sure. But I think it's a bad idea. We must not create a hole where the operating system is secured. Even if you think it doesn't mind because you know the existence of this file(hole), what could be the consequence in the next future...the guy who is using this container may not know...even the guy who will get your job in the far future. The overall availability of a server comes from a number of factors which include security and usability. If the level of separation that you are worried about is a critical factor, I'd suggest not using zones. They are good but they can leak information about each other. If an organization does not have a good process for documenting the relationship between real and virtual machines[1], the availability of the services running in a zone can be dramatically enhanced by allowing those that care and feed for software within a zone to know the name of the global zone. They can then use this information when they contact the helpdesk/sysadmin team/whatever to ask for help on their broken virtualized OS instance. Another case is if an application has application-level clustering to provide HA. It doesn't take too paranoid of an application administrator to say that it is a good idea to be sure that the various redundant virtual OS instances are not all on a single physical machine. Zones are wonderful, but to date I haven't seen a widely available tool that makes this type of information and management easy to do without implementing some large and/or costly virtualization management framework. FWIW, there are ways[2] that the global zone's identity leaks into non-global zones but not in a reliable enough way to answer the question in a generic sense. 
To answer the OP, a common way to do this is with something like:

    zonecfg -z myzone
    add fs
    set type=lofs
    set options=ro
    set special=/etc/nodename
    set dir=/etc/globalname
    end
    verify
    commit
    exit

Next time the zone boots, /etc/globalname will be a file that has the same contents as the global zone's /etc/nodename. It is not modifiable in the non-global zone.

1. Let's pretend that a zone is a virtual machine. I could make the same argument using longer sentences if that makes someone happy.

2. For example, if you know all global zones are on the 192.168.1.0/24 subnet, the following will give you a pretty good clue. Other zones on the same machine will be false positives - but naming standards and dedicated subnets will often times help you find what you are looking for.

    #! /bin/bash
    for ip in 192.168.2.{1..255} ; do
        route get $ip | grep 8232 >/dev/null && echo Global zone: $ip
    done

-- Mike Gerdts http://mgerdts.blogspot.com/