Console Mode in Solaris 11 Gnome Desktop

How do I open a console window in the Solaris 11 Gnome Desktop?

This question comes up occasionally, especially in my transition courses where I have administrators migrating from previous versions of Solaris. In those versions of Solaris, administrators used the Java Desktop (Solaris 10) and the Common Desktop Environment, also called CDE (Solaris 9). The console window was a special window where system-generated messages were displayed. Any messages sent to /dev/console by syslogd appeared in this window.

When using the Gnome Desktop in Solaris 11, there is an option to open a terminal window, but not a console window.   To view the console messages from the Gnome Desktop, use these keystrokes:

Press Ctrl+Alt+F1 and the screen switches out of the GUI environment into console mode:

solaris console login:

You can switch to several different consoles by pressing Alt+F1 (F2, F6). The login prompt will change for each console:

solaris vt2 login:

Press Alt+F3:

solaris vt3 login:

When you want to return to the Gnome Desktop environment, press Alt+F7.

Note: The Ctrl+Alt+F# keystroke also works for servers installed with the Text Installer that do not have the Gnome desktop installed. When using the Text console, sometimes you want to open another console window. Use Ctrl+Alt+F# to open a new console window while the other window is busy. It does NOT work for PuTTY sessions though.

Remember, the Gnome Desktop is not just for x86 users; it’s also available on the SPARC platform. If you want more details on how to set up and access the Gnome Desktop on the SPARC platform, go to my blog entry on this topic.

Viewing the Console During the Boot Process

On Solaris x86 systems, when the Gnome Desktop is installed, you don’t see the console messages displayed during the boot process.  You only see the white splash screen shown in figure 1:

[Figure 1: boot splash screen]

You could simply press Ctrl+Alt+F1 when you see the splash screen and the console screen will be shown.  The Ctrl+Alt+F1 toggles the screen from the GUI mode to the console mode.   But, the system will boot in a quiescent mode and the detailed boot messages will still not be displayed.

To change the configuration, so that boot messages are displayed during the boot process, edit the GRUB menu.   The GRUB menu can be changed either temporarily or permanently.

Make a temporary change to the boot screen by pressing the “e” key when the GRUB menu is displayed during the boot process, as shown in Figure 2.

[Figure 2: GRUB menu]

The edit screen will open as shown in Figure 3:

[Figure 3: GRUB edit screen]

Change the following line from “graphics”:

$multiboot /ROOT/solaris/@/$kern -B console=graphics -B $zfs_bootfs

to “text” as follows:

$multiboot /ROOT/solaris/@/$kern -B console=text -B $zfs_bootfs

After making the edit, press Ctrl+x to start the boot process in text mode.

By default, the system boots in a quiescent mode.  You can specify which messages you want to view during bootup.   Add -m verbose  to the end of the line as shown next, to display all of the SMF services as they start:

$multiboot /ROOT/solaris/@/$kern -B console=text -B $zfs_bootfs -m verbose

The following SMF messages will be displayed, showing all of the services starting up:

[Screenshot: SMF service startup messages]

Add -v to the end of the line to display the kernel messages, but not the SMF service messages:

$multiboot /ROOT/solaris/@/$kern -B console=text -B $zfs_bootfs -v

[Screenshot: kernel boot messages]

Or view ALL of the boot messages by specifying both options as follows:

$multiboot /ROOT/solaris/@/$kern -B console=text -B $zfs_bootfs -m verbose -v

To make a permanent change to the boot process on the x86 platform, you’ll need to use the bootadm utility from the command line to modify the GRUB menu.  First display the current GRUB configuration as follows:

# bootadm list-menu
 the location of the boot loader configuration files is: /rpool/boot/grub
 default 0
 console graphics
 timeout 30
 0 Oracle Solaris 11.1

In the above example, the GRUB menu has one entry, entry 0, with a title of “Oracle Solaris 11.1.” To permanently change entry 0 in the GRUB menu so that it boots in verbose mode, type:

# bootadm change-entry -i 0 kargs="-v"

Also, you need to change the console to text as follows:

# bootadm set-menu console=text

Now, display the change:

# bootadm list-menu
 the location of the boot loader configuration files is: /rpool/boot/grub
 default 0
 console text
 timeout 30
 0 Oracle Solaris 11.1

The above list shows that the console is set to text, but it does not display the -v option which was also set.   You’ll need to list the details for entry 0 in the GRUB menu to see the boot string for that entry as follows:

# bootadm list-menu "Oracle Solaris 11.1"
 the location of the boot loader configuration files is: /rpool/boot/grub
 title: Oracle Solaris 11.1
 kernel: /platform/i86pc/kernel/amd64/unix
 kernel arguments: -v
 boot archive: /platform/i86pc/amd64/boot_archive
 bootfs: rpool/ROOT/solaris

Now, every time the system boots, you’ll see the kernel boot messages displayed.  After the system boots, the Gnome Desktop login will be displayed.
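
The two places this post changes boot verbosity, the GRUB $multiboot line and the bootadm settings, can be checked with a small parser. The script below is an added example, not part of the original post; its function names are made up for illustration, and the sample text is copied from the listings above. It recognises only the forms shown here (console=..., -v, -m verbose).

```shell
#!/bin/sh
# Added example: report what will reach the console at boot, from either the
# bootadm listings or a GRUB $multiboot line. On a Solaris 11 x86 host, pass the
# captured output of `bootadm list-menu` and `bootadm list-menu "<title>"`
# instead of the samples.

# Sample input, copied from the listings on this page.
SAMPLE_MENU=' the location of the boot loader configuration files is: /rpool/boot/grub
 default 0
 console text
 timeout 30
 0 Oracle Solaris 11.1'

SAMPLE_ENTRY=' the location of the boot loader configuration files is: /rpool/boot/grub
 title: Oracle Solaris 11.1
 kernel: /platform/i86pc/kernel/amd64/unix
 kernel arguments: -v
 boot archive: /platform/i86pc/amd64/boot_archive
 bootfs: rpool/ROOT/solaris'

SAMPLE_GRUB='$multiboot /ROOT/solaris/@/$kern -B console=graphics -B $zfs_bootfs'

# menu_field KEY: value of a menu-wide setting (default, console, timeout),
# read from `bootadm list-menu` output on stdin.
menu_field() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# default_title: title of the default entry, i.e. the argument this page passes
# to `bootadm list-menu "<title>"` to see that entry's kernel arguments.
default_title() {
    awk '$1 == "default" { idx = $2; next }
         idx != "" && $1 == idx {
             sub(/^[ \t]*[0-9]+[ \t]+/, "")
             print
             exit
         }'
}

# kargs_flags: read boot arguments on stdin and report the two verbosity
# switches described above (-v for kernel messages, -m verbose for SMF).
kargs_flags() {
    awk '{ for (i = 1; i <= NF; i++) {
               if ($i == "-v") kernel = 1
               if ($i == "-m" && $(i + 1) == "verbose") smf = 1
           } }
         END { printf "kernel=%s smf=%s\n", (kernel ? "yes" : "no"), (smf ? "yes" : "no") }'
}

# bootadm_summary MENU ENTRY: combine the menu-wide console setting with the
# per-entry kernel arguments, which the plain list-menu output does not show.
bootadm_summary() {
    console=$(printf '%s\n' "$1" | menu_field console)
    flags=$(printf '%s\n' "$2" |
        sed -n 's/^[[:space:]]*kernel arguments:[[:space:]]*//p' | kargs_flags)
    printf 'console=%s %s\n' "${console:-unknown}" "$flags"
}

# grub_summary LINE: the same report for a $multiboot line edited at the GRUB menu.
grub_summary() {
    console=$(printf '%s\n' "$1" | tr ' ' '\n' |
        sed -n 's/^console=\([^,]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$1" | kargs_flags)
    printf 'console=%s %s\n' "${console:-unknown}" "$flags"
}

# Run against the samples.
printf 'default entry: %s\n' "$(printf '%s\n' "$SAMPLE_MENU" | default_title)"
bootadm_summary "$SAMPLE_MENU" "$SAMPLE_ENTRY"
grub_summary "$SAMPLE_GRUB"
```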

I hope this helps out and if you have questions, please submit them in the comment section at the bottom of this page.  Be sure to check out one of my online courses too!

Setting Up a Solaris Lab – VirtualBox

Virtual Environments provide an excellent “sandbox” for you to try out and get some real hands-on experience with Oracle Solaris™ (x86). I’ve run Oracle Solaris (x86) in both VirtualBox™ and VMware™, but I prefer VirtualBox. After installing your Virtual Machine, you can add and clone additional Virtual Machines and start up more than one at a time to simulate a network of Solaris systems. I tell my students to set up a local lab to practice everything they’ve learned in class. For those who are using my book, set up a lab on your PC to follow the examples in my book. If you are fortunate to have a SPARC server, you can download Solaris for that too.

You may download and install Solaris 10 or 11 for free.  It’s perfectly legal, but read the Oracle agreement and terms of use.

These instructions detail how to download and set up VirtualBox on an x86/AMD desktop or laptop. VirtualBox does not run on the SPARC platform. VirtualBox runs on everything that I’ve ever tried it on, so the hardware requirements are easily met. The only problem I’ve run into is loading VirtualBox on another Virtual machine. The VirtualBox.org website has good documentation, and enough people use this product that any problem you encounter is probably addressed there.

Overview:

There are two methods of installing Solaris as a Virtual Machine in VirtualBox.

1)      Install Solaris 10 or 11 from scratch using the Solaris media (allows customization)
This method is the same as installing Solaris on a x86 server.

2)      Install Solaris 10 or 11 using a prebuilt appliance or virtual machine (easiest)
This method is easiest for first time users, but does not allow customization.

I describe both methods in this post.

VirtualBox is a free program and can be downloaded from http://www.oracle.com/technetwork/server-storage/virtualbox/downloads/index.html   

VirtualBox can be installed on Windows, OS X, Linux and a Solaris (x86) host.  On the above website, click on the link for your host operating system, download and install Oracle VirtualBox using all of the defaults.

Before following the steps below, download and install VirtualBox onto a desktop or laptop.

 

Option 1 – Installing using the Solaris Media

After installing VirtualBox on your PC, download the Full DVD (ISO image) – Oracle Solaris 10 (x86) from Oracle (approx 2.1 GB download):

http://www.oracle.com/technetwork/server-storage/solaris10/downloads/index.html

Download the Full DVD ISO Image for x86 (not SPARC).

Download Solaris 11 from this URL:  http://www.oracle.com/technetwork/server-storage/solaris11/downloads/index.html
You’ll see several downloads listed; for beginners, I recommend the “Oracle Solaris Live Media for x86.”

Note: You will be using the x86 version of Solaris, not the SPARC version, so make sure you download the correct installation media.

If prompted for a login and password, sign up for a free Oracle account.

1. After downloading the installation media, Install and Start VirtualBox on your PC by clicking on the icon:

2. Click on the New icon (Highlighted):

The Welcome screen will appear.

3. Click on Next and the Create New Virtual Machine window will be displayed.  Click on Next.

4. Enter a name for your Solaris Virtual Machine, select the OS type and version (version does not need to be exact).  Click on Next.

5. Select the amount of RAM.  Keep in mind, Windows (the host system) will be using some of the RAM too.    Make sure you leave at least 1GB for the Windows host.  Click on Next.

6. Create a New Hard disk.  I recommend 16GB which is the default.  Click on Next.

7. The Virtual creation wizard screen is displayed. Use the default (VDI) and click on Next.

8. The Virtual Disk Storage details screen is displayed.  Use the default, Dynamically Allocated.  This will save disk space on your host system.

The Virtual disk location and size screen will be displayed.   You can select where the Virtual Machine and its disks will be created.  Choose a location that has 3-4GB of free space.

The system will create a folder named “Virtual Box VMs.”  All of your virtual machines and disks will be stored here.

9. Click Next when ready to move onto the next screen.

10. A summary screen is displayed.  Review it and click on Create.

The new machine will now be listed in your VirtualBox Manager:

11. Highlight the machine and select Settings:

The Settings screen will be displayed as follows:

12. Click on Storage, then click on the DVD.   The DVD will be labeled “Empty.”  Then click on the Attributes section (see highlight) and select the location of the Solaris Full DVD ISO image that you downloaded earlier.  Then select OK.

The VirtualBox manager window will be displayed.   The Storage section (see highlight) should show the CD/DVD using the ISO image selected in the previous step.

13. Click on START and the installation will begin.  The following window will begin the Solaris Installation program:

When the installation is complete, the Virtual Machine will still have the DVD mounted to the ISO image and will boot to it and restart the installation process.  When this happens, you’ll see the Black GRUB menu displayed again as follows:

14. Click on Devices, then CD/DVD devices, then “Remove Disk from Virtual Drive.”

This will unmount the DVD ISO image from the CD/DVD.

 

15. Click on Machine, then RESET to restart from the Virtual Machine’s boot disk.

You’ll know that Solaris is installed and booting from the boot disk when it boots to the Blue GRUB menu as shown:

Option 2 – Installing from an appliance

After downloading and installing VirtualBox on your PC, download the Solaris 11 appliance image from Oracle (approx 1.5GB download).

A list of prebuilt Solaris 11 virtual machines (appliances) is available here:

http://www.oracle.com/technetwork/server-storage/solaris11/downloads/virtual-machines-1355605.html

 

Scroll down and select  Oracle Solaris 11 VM for Oracle VM VirtualBox

Solaris 10 virtual machines are located at this URL: http://www.oracle.com/technetwork/server-storage/solaris10/solaris-vm-405695.html

Download and uncompress the files and remember where you put them for the next step.

 

1. Install and Start VirtualBox on your PC by clicking on the icon:

2. Click on FILE from the top toolbar, then IMPORT APPLIANCE from the pulldown menu and the following screen will open:

3. Select the location of the unzipped files (Appliance Image) that you downloaded and unzipped earlier:

4. Click OPEN

5. Click NEXT.  The Appliance Settings window will open.   On this screen, you can modify the appliance settings before importing (or leave everything as is).  You could change the amount of RAM allocated to the virtual machine or you could modify the location of the Virtual Disk Image.  Click on IMPORT when finished.

6. Click FINISH

The Virtual Machine will appear in the Oracle VM VirtualBox Manager window.  Highlight the machine and click on Start to start the machine up.

 

Install VirtualBox Additions Package

I recommend that you install the VirtualBox Additions package in the Solaris virtual machine.  This makes the mouse and graphics a little easier to work with. It also allows you to cut/paste from the virtual machine and also resize the VM window.

1. Login to the Solaris VM

2. Click on Devices from the top toolbar and select Install Guest Additions from the pulldown menu.
Note: If you are unable to get the mouse to move outside of the VM window, press the Right Control key on your keyboard to free up the mouse.

A window will open on the Solaris desktop.

3. Double click on the runasroot.sh icon and click on the RUN button when the popup window opens:

4.  Click on autorun.sh icon and click on the RUN button when the popup window opens.  A window will open on the Solaris Desktop labelled, “Installing VirtualBox Additions.”

5. Press ENTER as prompted.   Reboot the VirtualMachine and the installation is complete.

 

Create a Snapshot of the VM

Before using the virtual machine to practice, I recommend creating a Snapshot of the Solaris VM. Then, if you really mess up the Solaris system, you simply restore the VM snapshot and try again. To create the snapshot, follow these steps:

1. Shut down Solaris by typing init 5 at the command prompt in a terminal window:

2. When the machine is powered down (be patient and give it time to shut down and power off), click on the Snapshots icon in the Oracle VM VirtualBox Manager window:

3. When the snapshot window opens, click on the Camera icon:

4. You’ll be prompted for a name; enter a name and description. I like to add a description for each snapshot so that I know when each was taken. Snapshots can be taken at any point in time. Use them as you attempt new things with Solaris.

Have fun and good luck.  As always, feel free to post questions or comments for others to learn from.

 

Bill

Oracle Solaris 11 System Administration

I’m happy to announce the release of my new book, “Oracle ™ Solaris 11 System Administration.”  The book officially arrived June 21, 2013 but some warehouses are still waiting to receive their stock. Most should have it by July 1.   I have it available now at the UnixEd bookstore.  


This is my 10th Solaris book.  I started working on this book in early 2012 shortly after Solaris 11/11 was released. As with my previous books, I take my time to do it right.  I’m the only author, no co-authors.  I do this to maintain consistency in the writing style and to avoid organizational issues.  Other publishers take the fast track and hire multiple authors to create a book to get it to market first.  In my opinion, we have enough of those books and the inconsistencies drive me nuts.

I thought I was finished with this book last fall and then Solaris 11.1 was released during Oracle OpenWorld 2012.  Solaris 11.1 was the first major release of Solaris 11, and as many of you are aware, the first release typically has many changes.  Therefore, I put off releasing the book until I could update it to Solaris 11.1.  I’m glad I waited.  Currently, this is the only book that covers Solaris 11.1.  Throughout the book, I’ll explain the differences from Solaris 11/11.

Unlike my previous Solaris books, this book is a complete reference rather than a certification study guide.  If you want to use it to prep for the exam, it covers all of the topics in depth, it just doesn’t have the end of chapter questions and the exam review, which I feel is just a lot of fluff.  In addition, the exams change too often to make that material very useful after the first exam update.  I’ve published exam preps in the past but, not everyone wants to take the exam.  Many want a book that introduces a topic and takes the reader through everything the System Administrator should know about that topic, including step-by-step examples. That was my intention with this book. My previous books were published under Que, this book is through Prentice Hall.  I chose Prentice Hall because I have always been impressed with their technical books and their full line of Solaris references.  Prentice Hall has a great reputation in the Solaris community. Most of the Solaris books on my shelf are from Prentice Hall.

As many of you know me, I work on the Solaris certification exams with Oracle. As a Solaris Subject Matter Expert,  I have helped create the OCA (1Z0-821) and OCP (1Z0-822 and 1Z0-820) exams.  I know what you need to pass the test, so please just read the book, study it and you will have no problem passing the OCA.   In fact, this book covers many topics on the OCP exam such as configuring virtual networks, managing system resources, configuring zones, and managing IPS.   My second book (still in the works) will cover more advanced topics such as using the Automated Installer to install multiple hosts, Solaris Auditing, and System Performance Monitoring and Tuning. 

If you plan to take the exam, check out my previous blog entry titled “Oracle Solaris 11 Certification Study Tips.”

Take a look inside the book, you’ll find the table of contents and full description here.  This link also points you to other resources associated with this book including a discussion forum.   Review the table of contents and feel free to ask me questions.  Enjoy the book, keep it close by, and may the material in this book help you better your skills, enhance your career, and achieve your goals.

My Best Regards,

  Bill Calkins

Oracle Solaris 11 Certification Study Tips

For the past year and a half (beginning in Dec 2011), I have been working as a SME with Oracle on the development of the Solaris 11 Certification exams. My role has been to assist in writing exam questions for the OCA and OCP exams as well as technical editing for other members of the team. At the same time, I have been working on my next book, “Oracle Solaris 11 System Administration” (http://unixed.com/solaris11book.html ) and providing Solaris training to administrators around the world.

Oracle Solaris 11 System Administration
Available Jun 21, 2013    (Prentice Hall)

Many of you have used my books in the past to prepare for the Solaris certification exams.  You know that I do not write Exam Cram style books.  I have never seen much value in providing a book that only provides answers to exam questions.  Typically, these exams are updated periodically and the Exam Prep book quickly falls out of date.   I have been approached by other publishers to write such books and I have declined their offer.  In some respects, these books devalue the certification process.  What is the value in passing the certification exam if you do not really know the material?  I have interviewed hundreds of system administrators for my clients and one of the first things we look for on an application is the candidate’s certifications (Human Resource people like to see this).  However, certification is only part of the picture; we also look at education and work history.  A certification will generally get you noticed and usually an interview.

During the interview process, you’ll be asked questions, much tougher than you were asked on the exam.  Typically, multiple senior level administrators will be involved.  If you don’t really know the material, you’re wasting everyone’s time.

I have been teaching Solaris and working as a senior level administrator for over 20 years.  I write my books to teach readers around the world, how to administer Solaris systems.  It helps that I also assist Oracle in the development of the certification exams, so that I can ensure that the material covered on the exams is also covered in my book.   I won’t give you actual exam questions and I won’t provide exam answers.  It’s my goal to teach you the art of administering a Solaris 11 system so that you are knowledgeable and can answer questions on the topics, regardless of how the question is phrased.  This book has 750 pages which will prepare you for the certification exam, but more importantly, it prepares you for the interview and ultimately the job.

Use this book to learn about administering Solaris 11 and to also prepare for the Oracle Solaris 11 System Administrator Exam.  There are two levels of certification that you can achieve;  OCA and OCP, both are described below:

Oracle Certified Associate (OCA), Oracle Solaris 11 System Administrator – 1Z0-821
This is the first level certification for Solaris 11 and is described on Oracle’s website.
On the Oracle webpage, click on the “Exam Topics” tab to view the current exam objectives.
Completing this exam is step 1.  You should also consider the OCP certification.

Oracle Certified Professional (OCP), Oracle Solaris 11 System Administrator – 1Z0-822
This is the next, and highest, level of certification for the Solaris 11 OS and is described on Oracle’s website. On the Oracle webpage, click on the “Exam Topics” tab to view the current exam objectives.  You must pass the 1Z0-821 OCA exam in addition to this exam to receive your OCP certification.
This is the certification that most employers are looking for.


Save money and take the 1Z0-822  beta exam before it ends on June 29, 2013.  It’s only $50!
 (discounted from $300)

For more information, visit the Oracle Certification blog


Oracle Certified Professional (OCP), Oracle Solaris 11 System Administrator – 1Z0-820 (Upgrade Exam)

If you are already certified on any previous version of Solaris, you’ll only need to take the upgrade exam to get your OCP certification.  This exam is for any previous version Oracle Certified Professional, Oracle Solaris System Administrator or any previous version Sun Certified System Administrator.  This exam gives existing certified professionals the highest level of certification for the Solaris 11 OS and is described on Oracle’s website.
On the Oracle webpage, click on the “Exam Topics” tab to view the current exam objectives.
When you complete this exam, you have the same level of certification as those who have taken both the 1Z0-821 and the 1Z0-822 exam.

Oracle Solaris 11 Installation and Configuration Certified Implementation Specialist– 1Z0-580
This certification is for Oracle Partners, not the general public.  All of the topics on this exam are covered in this book. Details for this exam are described on Oracle’s website.
On the Oracle webpage, click on the “Exam Topics” tab to view the current exam objectives.


1Z0-821 Study Tips

The following are study tips for the Oracle Certified Associate (OCA), Oracle Solaris 11 System Administrator – 1Z0-821 exam.

I have listed the current exam objectives followed by each chapter in my book that covers these objectives.  The chapter listed covers each exam objective in detail providing everything that you need to know to answer the questions that may be encountered on the exam.  In most cases, each chapter goes above and beyond what you need to know for the exam.  Throughout each chapter, you’ll see step by step examples.   Perform these examples until you can perform them from memory.

The exam will not simply ask you simple questions like, “Which command is used to create a ZFS file system?” Instead, it will be more like, “The following output illustrates the ZFS file system structure on another server. Choose the option which duplicates this file system on the current server?”

The question may require more than one correct answer, like this: “Choose the steps required to migrate a Solaris 10 server to a solaris10 brand zone?”  Multiple correct answers will need to be selected.  If you get one answer wrong, the entire question is wrong.

Therefore, you need to not only know the material in the book, but you need to be able to interpret a scenario and understand the best practice for resolving a particular system issue.  I try to point these out throughout the book.  There will be multiple methods for performing a task in Solaris, but some are better than others and considered “best practice.”

The following numbered items are exam objectives for the 1Z0-821 exam.  Each exam objective has sub-objectives which are prefixed with a bullet (•).  For each, I have specified the chapter(s) that you need to study to prepare for the questions that you may encounter.

1. Installing Oracle Solaris 11 using an Interactive Installer

  • Plan for an Oracle Solaris 11 operating system installation
  • Install the Oracle Solaris 11 operating system by using an interactive installer
  • Verify the operating system installation
  • Troubleshoot installation issues
  • Access Open Boot PROM

Chapter 1 covers the methods of installing the OS.
Chapter 3, beginning on pg 124 covers OpenBoot including accessing the OpenBoot PROM

2. Updating and Managing Software Packages

  • Explain the image packaging system (IPS)
  • Update the Oracle Solaris 11 operating system by using IPS
  • Manage software packages by using Package Manager and the command line interface
  • Administer boot environments using Package Manager and the command line interface
  • Troubleshoot software update issues

Chapter 2 covers IPS, installing software, updating the software, managing and administering IPS from the command line, Boot Environments (BEs), and troubleshooting updates (fixing, verifying and reinstalling packages).

3. Administering Services

  • Explain the role of the Service Management Facility (SMF)
  • Administer SMF services
  • Boot and shut down a system
  • Troubleshoot service and boot issues

Chapter 3 covers booting, rebooting, and shutting down the system (including fast reboot and milestones). OpenBoot and SMF are described, including administering SMF.
Chapter 3 also covers boot and shutdown procedures including configuring the OpenBoot PROM.  Troubleshooting boot issues and setting up the notification service are also covered in this chapter.

4. Setting Up and Administering Data Storage

  • Describe ZFS
  • Administer ZFS Storage Pools
  • Administer ZFS File Systems
  • Administer ZFS Snapshots and Clones
  • Troubleshoot file systems and storage issues

Chapter 5 describes ZFS concepts, administration of ZFS storage pools and file systems, administering ZFS Snapshots and Clones, and troubleshooting ZFS problems.
Chapter 4 covers administering Storage Devices.

5. Administering Oracle Solaris Zones

  • Explain Oracle Solaris Zones
  • Determine the current zones configuration and resource utilization on the system
  • Administer an Oracle Solaris zone
  • Troubleshoot zone and resource utilization issues

Chapter 6 describes Solaris zones: Complete description of immutable zones, creating and administering zones, containing resources, and troubleshooting zones.

6. Administering a Physical Network

  • Explain basic networking concepts
  • Configure a network interface
  • Administer a network interface
  • Verify network operation
  • Determine datalink availability
  • Troubleshoot network issues

Chapter 9 describes how to set up networking in Solaris 11; it provides a description of virtual networking and the components that make up a VNET, including how to set up a virtual network between non-global zones.

7. Setting Up and Administering User Accounts

  • Explain key user management concepts
  • Set up user accounts
  • Manage user accounts
  • Manage user initialization files
  • Use shell metacharacters
  • Configure user disk quotas
  • Troubleshoot user account and quota issues

Chapter 7, User and Security Administration, covers these seven objectives.

8. Controlling Access to Systems and Files

  • Control access to systems
  • Control access to files
  • Use authentication
  • Troubleshoot access and authentication issues

Chapter 7, User and Security Administration, covers these four objectives.

9. Managing System Processes and Scheduling System Tasks

  • Manage system processes
  • Schedule system administration tasks
  • Troubleshoot process issues
  • Monitor system logs
  • Explain the use of core files, core dump files and crash dump files

Chapter 8, Managing System Processes

 


1Z0-820 (Upgrade Exam) Study Tips

The following are study tips for the Oracle Certified Professional (OCP) Upgrade Exam, Oracle Solaris 11 System Administrator – 1Z0-820 exam.

1. Transitioning to Oracle Solaris 11

  • Describe key considerations for transitioning from Oracle Solaris 10 to Oracle Solaris 11

My book’s Preface describes “What’s New In Solaris 11” and chapter 1 describes the requirements for installing Solaris 11 including supported hardware platforms.

2. Managing Software Packages in Oracle Solaris 11

  • Describe the Image Packaging System (IPS)
  • Plan for moving to IPS
  • Configure a local package repository
  • Configure network client systems to use IPS
  • Manage packages using IPS
  • Manage signed packages and package properties
  • Update the OS image by using IPS
  • Publish a software package by using IPS
  • Manage boot environments

Chapter 2 covers IPS, installing software, updating the software, managing and administering IPS from the command line, Boot Environments (BEs), and troubleshooting updates (fixing, verifying and reinstalling packages).

3. Installing the Oracle Solaris 11 Operating System

  • Describe Oracle Solaris 11 installation options
  • Plan for an Oracle Solaris 11 installation
  • Perform Attended and Unattended Installations
  • Configure an AI server
  • Configure an AI client
  • Install Oracle Solaris 11 by using AI
  • Compare a JumpStart OS installation to an AI OS installation
  • Convert a JumpStart configuration to an AI configuration
  • Describe the distribution constructor

Chapter 1 covers the methods of installing the OS.
Refer to my blog entry on AI for the information on the Automated Installer that you will need to know.

4. Administering Oracle Solaris 11 Zones

  • Describe the new zone features and enhancements
  • Create a Solaris 11 zone
  • Log on and off, start up, shut down, and halt zones
  • Describe other RMAN improvements
  • Allocate system resources to a Solaris zone
  • Identify current zone configuration and zone resource allocations on the system
  • Configure a Solaris 10 zone
  • Perform a virtual-to-virtual migration of zones present in the source system (V2V)
  • Migrate a physical Solaris 10 system to a Solaris 10 zone (P2V)
  • Configure a non-global zone by using AI
  • Monitor zone resource consumption
  • Delegate zone administration
  • Manage the Scheduling Class of a zone
  • Monitor the FSS
  • Configure the FSS

Chapter 6 describes Solaris zones: Complete description of immutable zones, creating and administering zones, containing resources, and troubleshooting zones.

5. Oracle Solaris 11 Network

  • Configure systems on a local network using the new facilities and commands
  • Manage the network using new Solaris 11 management utilities
  • Configure NFS server and clients and administer NFS services
  • Configure Network Auto-Magic (NWAM)
  • Configure IPMP
  • Configure network virtualization
  • Configure a network bridge
  • Monitor the network using the new Solaris 11 network monitoring utilities

Chapter 9 describes how to set up networking in Solaris 11; it provides a description of virtual networking and the components that make up a Virtual Network, including how to set up a virtual network between non-global zones.

6. Oracle Solaris 11 Storage

  • Create, destroy and query a ZFS storage pool
  • Create, destroy and query a ZFS file system
  • Create, destroy and query a ZFS snapshot
  • Create and destroy a ZFS clone
  • Configure data backup and restore
  • Manage ZFS properties
  • Describe the new storage features and enhancements
  • Split a mirrored ZFS storage pool
  • Identify ZFS snapshot differences
  • Configure ZFS deduplication
  • Configure COMSTAR
  • Perform Shadow Migration

Chapter 5 describes ZFS concepts, administration of ZFS storage pools and file systems, administering ZFS Snapshots and Clones, and troubleshooting ZFS problems.
Chapter 4 covers administering Storage Devices.

7. Oracle Solaris 11 Security

  • Describe the new security features and enhancements
  • Describe the Oracle Solaris cryptographic framework
  • Encrypt ZFS data
  • Use the Basic Audit Reporting Tool (BART) to audit system files
  • Configure Solaris Auditing
  • Configure and Use RBAC
  • Configure and manage privileges

Chapter 7, User and Security Administration, covers these objectives.
Chapter 5 covers ZFS encryption.

8. Services and Processes

  • Configure SMF Services
  • Manage process scheduling priority

Chapter 8, Managing System Processes covers these objectives.

9. Monitoring and Troubleshooting

  • Monitor system resources
  • Configure system crash facilities
  • Configure dump facilities for business application failure

Chapter 8 (beginning on pg 581) describes how to configure core files and crash dumps.
Chapter 3 (beginning on page 237) describes how to configure syslog and rsyslog.

 

The Solaris 11 Immutable Zone

I’ve been asked several times by my students:

1)   “What is the advantage of an immutable zone?”

2)  “How does the immutable zone compare to the sparse root zone in Solaris 10?”

3)  “What’s the advantage of the four different types of read-only non-global zones in Solaris 11?”

Background Information:  Solaris 10 Zones

In Solaris 10, a non-global zone’s root file system could be either whole root or sparse.  The whole root zone provided the greatest configuration flexibility because all the required Solaris packages are copied to the zone’s private file system and the root file system is read-writable.

In Solaris 10, a sparse root zone shares parts of the root file system with the global zone. The sparse root zone implemented a read-only loopback file system from the global zone and it installed only a subset of the system root packages locally. The majority of the root file system was shared (inherited) from the global zone, which saved a great deal of disk space. The sparse root file system provided a smaller footprint requiring less disk space and a read-only root file system that could not be modified. Although the read-only sparse root zone provided security against unauthorized or accidental changes, the disadvantage was that it was difficult to make authorized modifications to the root file system. In addition, with advances in ZFS file systems such as ZFS data deduplication, sparse root zones are no longer required and have been discontinued and replaced with immutable zones.

Solaris 11 – Immutable Zones

Immutable zones are read-only zones, but still contain “whole root” file systems.  The immutable zone can be configured as a completely read-only zone or it can be partially read-only.  The immutable zone is controlled by a mandatory write access control (MWAC) kernel policy.  This MWAC policy enforces the zone’s root file system write privilege through a zonecfg file-mac-profile property. The policy is enabled at zone boot.

By default, a zone’s file-mac-profile property is not set in a non-global zone. The default policy for a non-global zone is to have a writable root file system. In a Solaris read-only zone, the file-mac-profile property is used to configure a read-only zone root. A read-only root restricts access to the run-time environment from inside the zone. Through the zonecfg utility, the file-mac-profile can be set to one of the following values.

     file-mac-profile Values

none
  • Standard, read-write, non-global zone, with no additional protection beyond the existing zones boundaries. Setting the value to none is equivalent to not setting the file-mac-profile property.
strict
  • Read-only file system, no exceptions.
  • IPS packages cannot be installed.
  • Persistently enabled SMF services are fixed.
  • SMF manifests cannot be added from the default locations.
  • Logging and auditing configuration files are fixed. Data can only be logged remotely.
fixed-configuration
  • Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
  • IPS packages, including new packages, cannot be installed.
  • Persistently enabled SMF services are fixed.
  • SMF manifests cannot be added from the default locations.
  • Logging and auditing configuration files can be local. syslog and the audit configuration files are fixed.
flexible-configuration
  • Permits modification of files in /etc/* directories, changes to root’s home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
  • IPS packages, including new packages, cannot be installed.
  • Persistently enabled SMF services are fixed.
  • SMF manifests cannot be added from the default locations.
  • Logging and auditing configuration files can be local. syslog and the audit configuration can be changed.

All of the profiles except none will cause the /var/pkg directory and its contents to be read-only from inside the zone.

I like to explain things by using examples. The following examples explain each immutable zone model by taking you through the creation of each of the four types of immutable zones.

Create a Simple Zone (read-writeable)

It’s not required, but I prefer to put my non-global zones on their own ZFS pool, so I create a storage pool named “zones” as follows:

root@solaris:~# zpool create zones c7t2d0

Now, let’s create a simple exclusive-IP zone with no restrictions:

root@solaris:~# zonecfg -z testzone
Use 'create' to begin configuring a new zone.

zonecfg:testzone> create
create: Using system default template 'SYSdefault'

zonecfg:testzone> set zonepath=/zones/testzone

zonecfg:testzone> exit

Use the zonecfg command to view the zone configuration as follows:

root@solaris:~# zonecfg -z testzone info

zonename: testzone
zonepath: /zones/testzone
brand: solaris
autoboot: false
bootargs:
file-mac-profile:
pool:
…<output has been truncated>…

Notice that the file-mac-profile property is not set.  Not setting the value of the file-mac-profile property is equivalent to setting the value to none. This value can be set to any of the four file-mac-profile values described in the previous table.  The zone is a standard, read-write, non-global zone, with no additional protection beyond the existing zone’s boundaries.

Install the zone as follows:

root@solaris:~# zoneadm -z testzone install

Boot the zone and connect to the zone console as follows:

root@solaris:~# zoneadm -z testzone boot; zlogin -C testzone

You’ll be asked to answer the typical system configuration questions (network, time zone, user and root accounts, name services). After completing the system configuration tool, log into the zone console.

The following examples will illustrate that the root file system is unrestricted to the root user.  I’ll create the directory /usr/local:

root@testzone:~# mkdir /usr/local

No errors are displayed because /usr is writeable.

Set the Zone to Immutable: strict

The strict configuration profile provides the tightest security because all file systems except /tmp are read-only. This is stricter than the Oracle Solaris 10 sparse root zone. It’s equivalent to booting from the DVD, a read-only file system. Nothing can be changed, added or deleted in this zone, including the /root directory and the /export file system.

Shut the zone down and reconfigure it with a strict profile as follows:

root@solaris:~# zonecfg -z testzone set file-mac-profile=strict

Verify that the file-mac-profile property was set on the zone by typing:

root@solaris:~# zonecfg -z testzone info

zonename: testzone
zonepath: /zones/testzone
brand: solaris
autoboot: false
bootargs:
file-mac-profile: strict
pool:
limitpriv:
…<output has been truncated>…

You can also get a quick overview of the file-mac-profile property by typing:

root@solaris:~# zoneadm list -p

0:global:running:/::solaris:shared:-:none
2:testzone:running:/zones/testzone:2d5ef993-e195-6f6b-98f9-994934362693:solaris:excl:R:strict

Notice that the global zone has a policy of none and the testzone has a strict policy.  The R in the second to last field indicates that the non-global zone is Read-Only.

Boot the zone and log back into the testzone console as follows:

root@solaris:~# zoneadm -z testzone boot

Try to create a subdirectory in the /usr/local directory that you created earlier:

root@testzone:/usr/local# mkdir /usr/local/bin
mkdir: Failed to make directory "bin"; Read-only file system

The /usr file system is read-only. The strict profile allows no exceptions to the read-only policy. Everything in the root file system is read-only, including /var/tmp, the /root home directory, and /export, as illustrated in the following examples:

root@testzone:/# touch /var/adm/foo
touch: cannot create /var/adm/foo: Read-only file system

root@testzone:/# touch /export/foo
touch: cannot create /export/foo: Read-only file system

root@testzone:~# touch /root/foo
touch: cannot create /root/foo: Read-only file system

The only file system that is writeable is /tmp:

root@testzone:/# touch /tmp/foo

In a strict configuration, I can change a service state, but it is not persistent because the SMF repository is read-only as shown next:

# svcadm disable ssh

The SMF repository is changed in memory, but not on disk.  Therefore, the service is disabled now, but the next time the system boots, this service will return to its default state.  The change is not a persistent change.

When the immutable zone is in strict mode:

  • IPS packages cannot be installed.
  • Persistently enabled SMF services are fixed.
  • SMF manifests cannot be added from the default locations.
  • Logging and auditing configuration files are fixed (i.e., syslog.conf). Data can only be logged remotely, so syslog cannot write to the /var/adm/messages file.

However, you can always shut the zone down, change the file-mac-profile property back to none, and then install packages, update the packages and modify services. When finished, set the zone back to a strict policy. But there is an even easier method. Simply boot the zone using the -w (write) option as follows:

# zoneadm -z testzone boot -w

As the zone boots, the following message is displayed in the testzone console:

[NOTICE: Read-only zone booting up read-write]

From the global zone, view the testzone properties as follows:

root@solaris:~# zoneadm -z testzone list -p
    6:testzone:running:/zones/testzone:2d5ef993-e195-6f6b-98f9-994934362693:solaris:excl:W:strict

Notice the W (write) in the second to last field.

Log into the zone and make the required changes.  In the example, I log into the zone and create a new directory in /usr/local and disable the ssh service as follows:

root@testzone:~# mkdir /usr/local/bin

root@testzone:~# svcadm disable ssh

Because the zone is in a writeable state, the service changes were saved in the repository (on disk) and will be persistent across reboots.
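
One way to check from the global zone that immutable zones are actually running read-only, using the r/w and file-mac-profile fields of `zoneadm list -p` shown above. This is an added example, not from the original article; the zone names web01, db01 and batch01, their placeholder UUIDs, the `-` r/w value on non-running or unprotected zones, and the verdict labels are assumptions made for the illustration.

```shell
#!/bin/sh
# Field layout of the `zoneadm list -p` lines shown above:
#   zoneid:zonename:state:zonepath:uuid:brand:ip-type:r/w:file-mac-profile
# The last two fields are read from the end of the line, so the parse does
# not depend on the zonepath field.

# classify_zones: read `zoneadm list -p` lines on stdin and print
# "<zonename> <verdict> <profile>" for every non-global zone.
classify_zones() {
    awk -F: '
        NF < 9 || $2 == "global" { next }   # skip short lines and the global zone
        {
            rw = $(NF - 1); profile = $NF
            if (profile == "" || profile == "none")
                verdict = "WRITABLE_NO_PROFILE"   # standard read-write zone
            else if ($3 != "running")
                verdict = "NOT_RUNNING"           # profile set, zone not booted
            else if (rw == "R")
                verdict = "READ_ONLY"             # read-only policy in force
            else if (rw == "W")
                verdict = "WRITABLE_BOOT_W"       # immutable zone booted with -w
            else
                verdict = "UNKNOWN"
            if (profile == "") profile = "none"
            print $2, verdict, profile
        }'
}

# writable_zones: names of zones whose root file system is writable right now.
writable_zones() {
    classify_zones | awk '$2 ~ /^WRITABLE/ { print $1 }'
}

# Constructed sample. The first two lines are the ones shown in this article;
# web01, db01, batch01 and the UUID placeholders are made up.
SAMPLE='0:global:running:/::solaris:shared:-:none
2:testzone:running:/zones/testzone:2d5ef993-e195-6f6b-98f9-994934362693:solaris:excl:R:strict
4:web01:running:/zones/web01:UUID-PLACEHOLDER-1:solaris:excl:W:fixed-configuration
5:db01:running:/zones/db01:UUID-PLACEHOLDER-2:solaris:excl:-:none
-:batch01:installed:/zones/batch01:UUID-PLACEHOLDER-3:solaris:excl:-:strict'

printf '%s\n' "$SAMPLE" | classify_zones
```

On a live system, pipe `zoneadm list -cp` into `classify_zones` instead of the sample. A zone reported as WRITABLE_BOOT_W stays writable until it is rebooted without -w.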

Set the Zone to Immutable: fixed-configuration

A fixed-configuration zone provides more flexibility than the strict profile and allows log files to be created and modified in /var.  A non-global zone is set with a fixed-configuration by setting the file-mac-profile and booting the zone as follows:

root@solaris:~# zonecfg -z testzone set file-mac-profile=fixed-configuration

root@solaris:~# zoneadm -z testzone boot

A fixed-configuration profile allows the zone to write to files in and below /var, except directories containing configuration files:

  • /var/ld
  • /var/lib/postrun
  • /var/pkg
  • /var/spool/cron
  • /var/spool/postrun
  • /var/svc/manifest
  • /var/svc/profiles

When the zone is booted, view the zone properties as follows:

root@solaris:~# zoneadm -z testzone list -p
2:testzone:running:/zones/testzone:2d5ef993-e195-6f6b-98f9-994934362693:solaris:excl:R:fixed-configuration

Notice that the global zone has a policy of none and the testzone has a fixed-configuration policy.  The R in the second to last field indicates that the non-global zone is Read-Only.

Log into the zone console. The following examples show that the root file system is still read-only and that some of the directories in /var are writeable. For example, /var/tmp and /tmp are writeable:

root@testzone:~# touch /var/tmp/foo

root@testzone:~# touch /tmp/foo

The /var directories which contain configuration files are still read-only as shown when I try to create a file in /var/spool/cron/crontabs:

root@testzone:/# touch /var/spool/cron/crontabs/foo
touch: cannot create /var/spool/cron/crontabs/foo: Read-only file system

The /export and the /root home directories are also read-only as shown:

root@testzone:/# touch /export/foo
touch: cannot create /export/foo: Read-only file system

root@testzone:~# touch /root/foo
touch: cannot create /root/foo: Read-only file system

Set the Zone to Immutable: flexible-configuration

The flexible-configuration provides the closest functionality to the Oracle Solaris 10 sparse root zone.  The flexible configuration is equal to the fixed-configuration, but it also allows write access to files in the /etc, /var, and /root home directories.

Set the flexible-configuration on testzone and boot the zone as follows:

root@solaris:~# zonecfg -z testzone set file-mac-profile=flexible-configuration

root@solaris:~# zoneadm -z testzone boot

List the properties for testzone as follows:

root@solaris:~# zoneadm -z testzone list -p
3:testzone:running:/zones/testzone:2d5ef993-e195-6f6b-98f9-994934362693:solaris:excl:R:flexible-configuration

Verify write access to the /etc, /var and /root directories as follows:

root@testzone:~# touch /etc/hosts

root@testzone:~# touch /etc/foo

root@testzone:/# touch /root/foo

The /export file system is still read-only:

root@testzone:/# touch /export/foo
touch: cannot create /export/foo: Read-only file system

Summary

I’ve provided an explanation and given a few examples of immutable zones for Solaris 11.  Send me a comment below if there is anything I can help clear up for you.