Re: [zones-discuss] zones, upgrades, and vxvm
LU doesn't work for boxes with zones yet, afaik. zonepath on vxvm volumes won't work for upgrade from 3/05 (granted, upgrade from 3/05 with zones isn't supported anyway). I have no reason to think this would work with 1/06 either, vxconfigd has to run in order to present the volumes to the OS, and I don't think it can run while you're doing an upgrade. I seem to remember removing VxVM mountpoints from vfstab before initiating upgrade for S8.

Incidentally I just asked this question regarding SVM volumes being present during upgrade, and the answer from our engineer is that yes, it should work. Haven't tried it yet though.

CT

William D. Hathaway wrote:
> Hi,
> A co-worker recently posted this question:
> "Does anyone know if you can put the zone roots on a Veritas Volume Manager volume and then have the ability to upgrade in the future?"
>
> My gut feeling is that if you are using Live Upgrade this might work, but it would definitely not work using the old-school standard upgrade method.
>
> Anyone care to comment on the current or future supportability of this?
>
> Thanks!
> William Hathaway
>
> This message posted from opensolaris.org

___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] zones, upgrades, and vxvm
Hi David,

Umm ... sorry, perhaps this is outdated, my notes have a section cut&pasted from a BigAdmin article "Understanding The Basics About Solaris Containers in the Solaris 10 OS" dated 8/05. It says that for 3/05, standard upgrade and LU don't know about non-global zones. Specifically:

"To prevent a Solaris instance with non-global zones installed from being damaged by an upgrade attempt, code has been added to both standard upgrade and Live Upgrade to detect the presence of non-global zones and to refuse to upgrade if non-global zones are installed in Solaris 10 GA (3/05)."

Is this not correct or did I misunderstand?

CT

[EMAIL PROTECTED] wrote:
> Just to clarify that upgrade from 3/05 when zones are present is supported for "standard" upgrade. It's the LU piece that is under development.
Re: [zones-discuss] zones, upgrades, and vxvm
[EMAIL PROTECTED] wrote:
> Actually, that's not quite right. Standard upgrade is supported in upgrading from 3/05 to 1/06.

Heh, I will have to eat crow then, a customer told me that he upgraded a box with zones from 3/05 to 1/06 and I said I don't know how you managed to do that, according to this document that's not possible. A little outdated information is a dangerous thing, filter timely or taste not from BigAdmin. :)

CT
[zones-discuss] Will ipf re-direct to my non-global zone?
I'm reading this section from the ipf how-to: "The rdr function is applied to packets that enter the firewall on the specified interface. When a packet comes in that matches a rdr rule, its destination address is then rewritten, it is pushed into ipf for filtering, and should it successfully run the gauntlet of filter rules, it is then sent to the unix routing code. Since this packet is still inbound on the same interface that it will need to leave the system on to reach a host, *the system gets confused*. Reflectors don't work. Neither does specifying the address of the interface the packet just came in on. Always remember that rdr destinations must exit out of the firewall host on a different interface." Does this mean I can't have my global zone redirect to a non-global zone living on the same box? Because I'm really using the loopback interface and not leaving the system on any physical interface? This applies whether my global and non-global zone share one interface, or have unique interfaces? I would like some clarification if Darren is around? Thanks! CT ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Will ipf re-direct to my non-global zone?
Here's the link to ipf-howto for Jeff.
http://www.signaltonoise.net/library/ipf-howto.html

Mike Ditto wrote:
> Christine Tran wrote:
>> Does this mean I can't have my global zone redirect to a non-global zone living on the same box? Because I'm really using the loopback interface and not leaving the system on any physical interface? This applies whether my global and non-global zone share one interface, or have unique interfaces? I would like some clarification if Darren is around? Thanks!
>
> Christine,
>
> It should be possible to use rdr to redirect inbound traffic to another zone (IP address) on the same machine. This isn't mentioned in the ipf how-to because without zones, there is generally no reason to do this. Basically, when you use rdr, the inbound packet is modified before the IP stack sees it, so it will be correctly delivered to the modified destination if that destination is on the local machine or reachable through some interface other than the one on which the packet arrived.

Customer was swearing up and down that he cannot use rdr to direct traffic onto a web server running inside a zone on a box that is also acting as a router and accepting inbound traffic. I don't know how much of this is a misconfiguration (he says he can redirect to another physical box, but not onto a zone on the same box). I was going to write to Darren directly but thought the list could benefit from the discussion.

The use for this, and I'm guessing here, might be something like, I have widgetco.com with several autonomous subdivisions. I can't all have my zones called widgetco (so that all my customers can access via http://widgetco.com) so I have one big server that accepts and redirects to different zones and then the webserver there does URL rewrites.

CT
[zones-discuss] zones.cpu-shares and pools
Hi, I found an old email written by Amol a while ago stating in effect that zones.cpu-shares has no meaning when the system is carved up into different pools. I would like some clarification, directly, I have a customer who wants to attach one zone to one pool, and the rest of the box, global and the rest of non-global zones can use the default pool and use cpu shares. From Amol's old email, this cannot be done. Can someone confirm this? Any supporting docs from Sun would be appreciated as well. Thanks, CT ___ zones-discuss mailing list zones-discuss@opensolaris.org
[zones-discuss] unable to run apache as non-root user in a zone
I am attempting to run apache as a non-root user in a non-global zone. I'm not able to start apache, my error_log says:

    Permission denied: mod_rewrite: could not create rewrite_log_lock

Thinking that this may be related to a privilege issue, I ran ppriv -e -D and got:

    httpsd.worker[14906]: missing privilege "ZONE" (euid = 170, syscall = 5) needed at tdirenter+0x300
    Server start FAILED

What is "ZONE"? There is proc_zone but that doesn't sound right, "allow a process to send signals to processes in other zones"?

Googling gives me some info on mod_rewrite, that I'm hitting some semaphore limits, shm and ipcs. This works fine when I start apache as a non-root user in the global zone. I would like to make this work in a non-global zone.

What is privilege "ZONE"? Has anyone seen this? What should I do next? (OK, privdebug is a given.)

CT
Re: [zones-discuss] Re: Question: Zones/Mpxio + Disk Array (HDS 9970V
Doug Scott wrote On 08/04/06 11:42,:
> create a zfs filesystem in the global zone for the zone. Something like
>
>     $ zfs create mypool/export/zones/zone1
>     $ mkdir -p /export/zones/zone1
>     $ zfs set mountpoint=/export/zones/zone1 mypool/export/zones/zone1
>
> With zonecfg set your zonepath=/export/zones/zone1

Wait a sec, this doc is pretty unequivocal about doing this:
http://docs.sun.com/app/docs/doc/817-1592/6mhahuous?a=view

CT
[zones-discuss] Hmm ... tmpfs in zone?
Hi,

I came across a zone example that looks like this:

    fs:
            dir: /tmp
            special: swap
            raw not specified
            type: tmpfs
            options: ["size=1024"]

Hmm ... I think I know what the person is trying to do, give the zone its own swap space of 1024 (something, bit, byte, ectoplasmic unit - I just checked the manpage and size isn't a mount option). I'm surprised zonecfg let me get away with this, I just did it on S10U2.

    # zonecfg -z zone1
    zonecfg:zone1> add fs
    zonecfg:zone1:fs> set dir=/tmp
    zonecfg:zone1:fs> set special=swap
    zonecfg:zone1:fs> set type=tmpfs
    zonecfg:zone1:fs> add options ["size=1024"]
    zonecfg:zone1:fs> end
    zonecfg:zone1> verify
    zonecfg:zone1> commit
    zonecfg:zone1> exit
    # zoneadm -z zone1 boot
    # zlogin zone1
    # df -k |grep swap
    swap                       8       0       8     0%    /tmp
    swap                 7025152     272 7024880     1%    /etc/svc/volatile
    swap                 7024912      32 7024880     1%    /var/run

Does this in fact do anything? Should my hands not have been smacked, why is zonecfg so accommodating? Have we published examples of how to do this anywhere? Should I file a bug?

CT
Re: [zones-discuss] Hmm ... tmpfs in zone?
Jerry Jelinek wrote On 08/18/06 17:21,:
> It is in the man page I just looked at (mount_tmpfs(1M)).

Oy, sorry, I just looked at mount(1M).

> zonecfg doesn't know about every option on every filesystem, bundled and unbundled, that is available on Solaris. zoneadm does some basic validation of fs entries but it too does not know about all of the special options each filesystem might have.

Well, is this worth at least a small bug do you think? The person is trying to do X, and this lets him think he has achieved X. On the other hand I may have a valid reason to assign to a zone a tmpfs.

CT
[zones-discuss] zone resource control, who gets signaled?
The zones.cpu-shares rctl has a set of threshold actions: none, deny and signal=. Say if I set the action as signal=TERM, who actually gets signaled? Is it the process in the zone that's currently queuing to get on CPU, or is it zoneadmd (which presumably will pass it back?)

I've always used (priv=privileged,limit=n,action=none), that enforces the limit for me. What's the difference in behavior between "none" and "deny"?

Thanks!

CT
Re: [zones-discuss] zone resource control, who gets signaled?
Menno Lageman wrote:
> Nobody gets signaled, as 'signal' (and 'deny' for that matter) are not valid actions for zone.cpu-shares. This is because cpu-shares is not a limit that can be exceeded in the sense that for instance project.max-filedescriptor can be exceeded. Once a zone is at its maximum allowed cpu share, it won't get scheduled so it can't exceed the limit.
>
> If you want to know what actions are possible for a rctl, see the rctladm(1M) output:
>
>     # rctladm zone.cpu-shares
>     zone.cpu-shares syslog=n/a [ no-basic no-deny no-signal no-syslog count ]
>
> 'no-deny' tells you that 'deny' is not a valid action for this rctl. Ditto for 'no-signal' and 'no-syslog'.

Great! Thank you for clearing that up. Same question, for zone.max-lwps.

    # rctladm zone.max-lwps
    zone.max-lwps syslog=off [ no-basic count ]

I guess, then, I can have action=signal=TERM? Who gets signaled, the process that wants another lwp, or zoneadmd, or something else? Not that I want to kill that process, I just want to know the mechanism.

'deny' would make more sense here? What would 'none' do, nothing, nullifying the limit?

CT
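The flag rule quoted in the message above ("no-deny" means 'deny' is not a valid action), applied mechanically to the two rctladm lines shown in the thread. This is an added example, not part of the original posts; the function names rctl_allows and allowed_actions are hypothetical, and the sample lines are copied from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): decide which actions an rctl accepts
# from one line of `rctladm <rctl>` output, using the rule quoted above:
# a "no-<action>" global flag means <action> is not valid for that rctl.

# Sample lines copied from the rctladm output quoted in the thread.
SAMPLE_CPU_SHARES='zone.cpu-shares syslog=n/a [ no-basic no-deny no-signal no-syslog count ]'
SAMPLE_MAX_LWPS='zone.max-lwps syslog=off [ no-basic count ]'

# rctl_allows ACTION LINE   (hypothetical helper name)
# Returns 0 if ACTION is permitted, 1 if a "no-ACTION" flag forbids it,
# 2 if LINE has no "[ flags ]" section and so is not rctladm output.
rctl_allows() {
    case $2 in
        *\[*\]*) ;;
        *) return 2 ;;
    esac
    _flags=${2#*\[}          # drop everything up to and including "["
    _flags=${_flags%%\]*}    # drop "]" and anything after it
    for _f in $_flags; do    # flags are plain space-separated words
        if [ "$_f" = "no-$1" ]; then
            return 1
        fi
    done
    return 0
}

# allowed_actions LINE   (hypothetical helper name)
# Prints "<rctl>: <actions>" listing which of deny, signal and syslog the
# rctl accepts, or "<rctl>: -" when all three are flagged off.
allowed_actions() {
    case $1 in
        *\[*\]*) ;;
        *) echo "not rctladm output: $1" >&2; return 2 ;;
    esac
    _name=${1%% *}           # first field is the rctl name
    _out=
    for _a in deny signal syslog; do
        if rctl_allows "$_a" "$1"; then
            _out="${_out:+$_out }$_a"
        fi
    done
    printf '%s: %s\n' "$_name" "${_out:--}"
}

# Run over the two sample lines from the thread.
allowed_actions "$SAMPLE_CPU_SHARES"
allowed_actions "$SAMPLE_MAX_LWPS"
```

On a Solaris host the same functions can be fed the live line, for example allowed_actions "$(rctladm zone.max-lwps)".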
Re: [zones-discuss] [Fwd: Local Zone Awareness Application List]
Wynne Wang wrote:
> Hi
>
> I'm engineer of China, customer want to know if the application work well
> under local zone. Do we have such an application list of local zone
> awareness?
>
> Such as Oracle? DB2? Siebel?
>

As far as I know Sun maintains no such list. There is a tool you can use, called srcheck (Solaris Ready Test Suite), there is a tool bundled in it that you can use to check your apps which you intend to run in a zone. Get it here:
http://partneradvantage.sun.com/protected/solaris10/adoptionkit/general/tools.html

You'll need a sunsolve login & password.

CT
Re: [zones-discuss] [Fwd: Local Zone Awareness Application List]
Christine Tran wrote:
> Wynne Wang wrote:
>> Hi
>>
>> I'm engineer of China, customer want to know if the application work well
>> under local zone. Do we have such an application list of local zone
>> awareness?
>>
>> Such as Oracle? DB2? Siebel?
>>
> As far as I know Sun maintains no such list.

D'ohh, Jeff Victor pointed out that yes, we do keep such a list but it's not publicly accessible. I'll follow up with Wynne.

CT
[zones-discuss] packages and inherit-pkg-dir
If I have an application (SUNW_PKG_ALLZONES = FALSE) that installs some in /opt and some in /var/opt, and I set my non-global zone to have an inherit-pkg-dir /opt, when I install the zone and when I patch the application in the global zone, will it install and patch my NGZ /var/opt, where portions of my package lives? I have a customer ask me whether it's enough give a NGZ zone an inherit-pkg-dir where part of the package lives, and the install and patching tools will know to patch the NGZ as well. In short, the customer wants a reliable way to make sure an app is delivered in multiple zones with minimal human administration of patches. CT ___ zones-discuss mailing list zones-discuss@opensolaris.org
[zones-discuss] Patching for zones with own /usr
Hi, Customer has zones with 3 out of 4 default inherit-pkg-dir, each zone has its own /usr. They are reporting that a DST patch did not install correctly in the non-global zone. Perhaps related to this, last week I had another question about patching a zone which had an /opt inherit-pkg-dir. Assuming that SUNW_PKG_ALL_ZONES is false, if part of a package is installed in /opt, and part is installed in the zone's copy of /var, what should I do to install or patch? If I use pkgadd -G in the global zone, it only installs in the global zone. If I use pkgadd -G in the non-global zone, it can't write to /opt. CT ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] Patching for zones with own /usr
Jeff Victor wrote:
>> Customer has zones with 3 out of 4 default inherit-pkg-dir, each zone has its own /usr. They are reporting that a DST patch did not install correctly in the non-global zone.
>
> Was that "3 out of 4 zones has all the default i-p-d's" or "the zones have 3 out of the 4 default i-p-d's" ?? If the latter, the answer is "that's not supported, and the results are not well understood."

The latter. I seem to have missed this email thread, can you tell me about the "not supported, not well understood" part? Trim the alias if it's been discussed to death, or just point me to a link. Thanks!

CT
Re: [zones-discuss] Patching for zones with own /usr
Jeff Victor wrote:
> See http://docs.sun.com/app/docs/doc/817-1592/6mhahuoog?a=view for some more info.

Hmm ... this does not admonish that you should not use zero i-p-d or all four. I agree with Steffen that if this leads to an unsupported environment the customer should at least get a warning in the doc. I would say I'm fairly familiar with zones and this is news to me.

I realize we can't itemize everything that may lead to an unsupported system (how would we know?) but my interpretation of the doc is that we make it easy for the customers to use a -b template or a default template, but they can pick and choose. I hope this is not unsupported, if I were a customer and I found this out through a service call I would be a little aggravated.

Regarding the other customer's question about a zone with all four + /opt i-p-d, I believe their intention was to patchadd -G in each zone that requires it.

CT
Re: [zones-discuss] Re: Re: zonepath
F.V.(Phil)Porcella wrote:
> Last question for you all, (maybe it should get its own thread), I would like to incorporate the /export/home directories from the global zone, into the non-global zone. What is the best way to do this? Seems like I have 3 choices:
>
> 1 add inherit-pkg-dir, set dir=/export/home, end
> 2 add fs,set dir=/export/home, set special=/export/home,set type=lofs,add options [rw,nodevices], end
> OR
> 3 nfs mount /export/home from the global zone, to the NGS (CIS2) later on.
>
> Is there any preferred method to do this? Also, the passwords for the accounts, is there a recommended way to deal with that on the NGZ?

No. 3 is definitely out. You can't have an NGZ nfs-mount something from the GZ on the same box. Bug.

No. 1 is out if you want users in your NGZ to be able to write into those home dirs. inherit-pkg-dir is read-only.

CT
[zones-discuss] sparse zones and isolation of information in core files
Customer wants to know if several sparse-root zones share some library or text segments, and an application in a zone dumps core, could there be cases where there are "leaks" in the core file, containing information from other zones. I can't construct a scenario that would lead to this, but I've come here for a definite answer. CT ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] how to find global-zone from zone
Paul Kraus wrote:
> On 8/29/07, Brandorr <[EMAIL PROTECTED]> wrote:
>
>> In a related, but similar situation. How does one know that they are
>> actually in a non-global zone vs a global zone? (Using a committed
>> interface).
>
> `ps -ef` and look for pid 0,1,2,3; these should only be visible in a
> global zone.
>

Gahh! The contortions! Just use "zonename"; if it comes back "global", you're in a global zone. If anything else, you're not. Attribute is "Evolving", is that better than looking for pids? And maybe one day there will be pid 0, 1, 2, 3 in a non-global zone.

CT
[zones-discuss] need clarification on zone-to-zone traffic on same node
Hi, I just need some clarification, this does not matter in any functional way. I have had it explained to me that zone-to-zone communication on same host does not actually use the loopback interface, it's a slip of speech. The system "loops traffic back" within the IP stack, and you can't glean any traffic snooping on lo0. I just glanced at CR 6423486 (now closed), the description reads: "When zones are implemented on a Solaris node they will communicate with each other over the loopback interface if a valid external route exists." Which is correct? CT ___ zones-discuss mailing list zones-discuss@opensolaris.org
[zones-discuss] attaching an un-detached zone
Hi, Quick question, can I attach (-f) a zone on shared storage that hasn't been detached from another host? I don't have the hardware setup necessary to test this. -CT ___ zones-discuss mailing list zones-discuss@opensolaris.org
[zones-discuss] -s option to zoneadm clone does not work
Hi,

Possibly a discrepancy between the man page and U4 functionality? I'm on Solaris x86 U4, and

    # zoneadm clone -s tank/[EMAIL PROTECTED] zone1
    -s: illegal option --s

The -s is clearly documented in the man page.

CT
[zones-discuss] sharing "terminal server ports" to non-global zone
A customer is unable to share something called the "terminal server ports" to non-global zone. I don't know what these are, but here's the description: "Serial sensor interfaces are fed to a patch panel and then received by a digital terminal server. Terminal server sends output to a switch, to which the host is connected. Terminal server port driver installs in global zone, creates /dev/dty/tt1, /dev/tty/tt2 ..." He tried adding the device by "set match = /dev/dty/*" but the device does not appear in the non-global zone. Any thoughts? CT ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] sharing "terminal server ports" to non-global zone
Jerry Jelinek wrote:
> Christine Tran wrote:
>> A customer is unable to share something called the "terminal server
>> ports" to non-global zone. I don't know what these are, but here's
>> the description:
>>
>> "Serial sensor interfaces are fed to a patch panel and then received
>> by a digital terminal server. Terminal server sends output to a
>> switch, to which the host is connected. Terminal server port driver
>> installs in global zone, creates /dev/dty/tt1, /dev/tty/tt2 ..."
>>
>> He tried adding the device by "set match = /dev/dty/*" but the device
>> does not appear in the non-global zone.
>>
>> Any thoughts?
>
> Is it /dev/dty or /dev/tty? The example shows both. What version are
> they running? There is a known bug with wildcard matching in u4:
>
> 6632938 zonecfg fnmatch device matching interface seems to be broken
>

Sorry, that's /dev/dty/* not /dev/tty/*, my typo. And thanks for the bug, this may be it.

CT
Re: [zones-discuss] Boot state completion?
Konstantin Gremliza wrote:
>
> Hi Brad,
>
> unfortunately there is no
>
> who -r
>
> for smf.

who -r still works in a zone.

    [EMAIL PROTECTED]> zonename
    zone1
    [EMAIL PROTECTED]> who -r
       .       run-level 3  Jan 24 14:53     3      0  S

> i don't know if there is a rfe for this. the default milestone
> is "all" , but you cannot query the state for this milestone

The command is

    # svcprop -p options_ovr/milestone system/svc/restarter:default

Please see SMF FAQ 1.5, 2.13.

> so you
> don't know when the graph is ready. the best thing i would consider is
> running
>
> svcs -x.

This is not the intended use for -x switch. My zone has been up for 6 minutes, AND I have output for svcs -x. It does not mean that my zone is not ready.

    [EMAIL PROTECTED]> uptime
      2:59pm  up 6 min(s),  0 users,  load average: 0.00, 0.05, 0.03
    [EMAIL PROTECTED]> svcs -x
    svc:/application/print/server:default (LP print server)
     State: disabled since Thu Jan 24 14:53:05 2008
    Reason: Disabled by an administrator.
       See: http://sun.com/msg/SMF-8000-05
       See: lpsched(1M)
    Impact: 2 dependent services are not running.  (Use -v for list.)

> if nothing shows up everything is ok. you could use zonemgr to run the
> command in all the zones simultaneously, but somebody at sun should fix
> this and many other things in smf too.

If I want to know a zone is done booting, I would check the state of the zone with zoneadm. If it's "running", I have reasonable confidence that the zone is done booting. If it's "running" and some service has not finished and this hinders what I want to do, I would write the alias with detailed comments, and after that, possibly file a bug.

CT
[zones-discuss] NGZ wants lofs mount a global zone's NFS mount
I guess this situation is possible now? http://mail.opensolaris.org/pipermail/zones-discuss/2005-September/004340.html Because I'm reading CR 6600677 and it appears that *that* CR is a side effect of doing what this user was attempting to do. If one is able to configure an lofs mount in a NGZ, and the source of the lofs mount is itself an NFS-mounted filesystem on the global zone, was there ever a CR for the situation described in the mail archive? CT ___ zones-discuss mailing list zones-discuss@opensolaris.org
Re: [zones-discuss] [zfs-discuss] tricking install tools with quota and reservation
> Christine Tran wrote:
>> Hi,
>>
>> I understand the upgrade issue surrounding the patching and upgrade
>> tools. Can I get around this with some trickery using quota and
>> reservation? I would quota and reserve for a pool/somezonepath some
>> capacity, say 10GB, and in this way allocate a fixed capacity per zonepath.
>>
>> Will this work, or will the patching & upgrade tool not even run if they
>> detect that zones are on zfs?
>>

Enda O'Connor wrote:
> upgrade of zones on zfs is just not supported yet
> patching does work though for zones on zfs
> add 119254-50/119255-50 (SPARC/X86 ) and patching will work
> Enda

On second thoughts zones-discuss may be a more appropriate alias for this question. I understand the non-supported issue. My customer wants to know if he can take steps to make certain there's enough disk capacity for upgrade, using quota + reservation per filesystem. I just want to know if the upgrade tools will just exit when it finds zonepaths on ZFS, or will it run. I could set up a quick test but I don't have an environment ready immediately.

CT
Re: [zones-discuss] How to add a ZFS to a Zone without rebooting?
Thilo Stallherm wrote:
> Hi all,
>
> is it possible to add a ZFS to a running Zone without having to reboot
> the Zone?

I was able to do it.

    # zfs create tank/foo
    # zfs set mountpoint=legacy tank/foo
    # zfs set zoned=on tank/foo

Create the mountpoint in the zone, mount it into the running zone

    # mkdir /zones/zone1/root/foo
    # mount -F zfs tank/foo /zones/zone1/root/foo

I don't see it in my global zone:

    # df -k
    Filesystem            kbytes    used   avail capacity  Mounted on
    tank                   94208      28   93416     1%    /tank

But it's in my non-global zone:

    [EMAIL PROTECTED]> df -k
    Filesystem            kbytes    used   avail capacity  Mounted on
    tank/foo               93441      24   93416     1%    /foo

Since you haven't presented the dataset to the zone, you need to umount from the global zone.

    [EMAIL PROTECTED]> zfs list
    no datasets available

This won't work:

    umount /zones1/zone/root/foo
    umount: warning: /zones1/zone/root/foo not in mnttab
    umount: /zones1/zone/root/foo no such file or directory

But this works:

    # umount tank/foo

CT
[zones-discuss] zones on iSCSI targets
Hi,

I have a customer who wants to do zones on iSCSI targets. The concern I have is whether or not the install/upgrade tool can find and mount the zones when doing a standard upgrade. He can see and mount the zones in single-user.

Anyone who has zones on iSCSI targets, AND who has done an upgrade (successful or not) please post back.

Anyone who has zones on iSCSI targets presented by Thumper zpools using "shareiscsi", please post back here as well.

Thanks.

CT
Re: [zones-discuss] Lost network connectivity and NIC recognition
Anne Moore wrote:
> James
>
> I am definitely using OpenSolaris as that's what I downloaded and installed,
> (excuse me if it's not called "10").
>
> <>
> I feel sorry for you James. It appears you must put people down to feel
> better about yourself. Why not go to a shrink for help?!

Ann! He means you need local Solaris Service support. But you mentioned that you do not have a service contract somewhere in your emails.

> You gave a very obvious (LOL) answer that a novice level would give. I need
> SENIOR level engineers helping out. I take care of 312 Solaris boxes,
> including VM's. I tried all the trivial normal stuff like what you
> suggested.
>
> You "SUN" guys/gals told me I could NOT migrate all of my zones from one
> patch level to another. WRONG. I migrated 11 such zones and each is working
> perfectly. IN fact, I think you should come to my Solaris classes. You would
> learn quite a bit.
>
> Next time, ask a real engineer before you respond.
>

James *IS* one of our very senior engineers. Yes, one of those "real" ones. He's one of the coders of the features you're using (perhaps abusing.)

If you read my email more carefully, I said that the migration you attempted IS NOT SUPPORTED. You have an unsupportable system when you modified the index and zones .xml file and move the zonepaths around. That it appears to work is not the point. Is it possible that your system hangs on patching and upgrade because you've attempted to do things we warned you not to do?

Please don't bash people on opensolaris from whom you seek help.

CT
[zones-discuss] The quick & dirty guide to zones on iSCSI LUNs
What is iSCSI?

SCSI over TCP/IP. iSCSI makes remote disks look local. The remote host with storage resource presents iscsi targets. The client accessing the storage is the initiator. iSCSI initiator was present in S10 3/05 and up. iSCSI target went into S10 8/07.

Why zones on iSCSI?

iSCSI frees you from the limitation of putting zones on local storage. The physical bits of the zoneroot can live anywhere accessible with a network connection. You can use the zone detach/attach function without SAN or shared storage. This ability circumvents a bunch of problems associated with zonepath on NFS mount, for example, see RFE 4963321: hosting root filesystems for zones on NFS servers.

What's the catch?

Speed of zone installation and patching depends on how fast your network is. Currently it doesn't look like you can do a standard upgrade on a box with zones on iSCSI LUNs because there's no iSCSI packages in the miniroot.

What works?

Installing and booting zones on iSCSI targets, patching in single-user mode, upgrading via LiveUpgrade.

How to do it?

This is a quick write-up. I used ZFS zvol but this is not necessary. ZFS makes creating iscsi targets PAINLESS and takes only one command. I placed the zonepath on a striped SVM volume because I was testing a specific config, for speed, and eventually I want to use an SVM mirror to provide redundancy for my zonepath. Most outputs are omitted, what's provided is for clarity.

1. create the targets
2. client discovery of target
3. label disk, lay down SVM, filesystem
4. configure zones
5. apply recommended patch cluster, LU patch cluster
6. lucreate, luupgrade, luactivate

nvd is a box running snv_80 but S10 8/07 is just as good. Client is running S10 8/07.

    nvd# zpool create tran1 c0t18d0 c0t19d0
    nvd# zpool create tran2 c0t20d0 c0t21d0
    nvd# zfs create -V 16g tran1/xmen
    nvd# zfs create -V 16g tran2/hulk
    nvd# zfs set shareiscsi=on tran1/xmen
    nvd# zfs set shareiscsi=on tran2/hulk
    nvd# iscsitadm list target -v
    Target: tran1/xmen
        iSCSI Name: iqn.1986-03.com.sun:02:4a46145b-8b71-69ab-8cee-c8a9c4367f0a
    Target: tran2/hulk
        iSCSI Name: iqn.1986-03.com.sun:02:f57bbbf8-3504-4d9e-8c2b-ddfa45cfb641

    ~> iscsiadm add static-config iqn.1986-03.com.sun:02:4a46145b-8b71-69ab-8cee-c8a9c4367f0a,129.154.158.154
    ~> iscsiadm add static-config iqn.1986-03.com.sun:02:f57bbbf8-3504-4d9e-8c2b-ddfa45cfb641,129.154.158.154
    ~> iscsiadm modify discovery --static enable
    ~> devfsadm -i iscsi
    ~> iscsiadm list target -S
    Target: iqn.1986-03.com.sun:02:f57bbbf8-3504-4d9e-8c2b-ddfa45cfb641
        OS Device Name: /dev/rdsk/c5t0103BA681D5F2A0047E84932d0s2
    Target: iqn.1986-03.com.sun:02:4a46145b-8b71-69ab-8cee-c8a9c4367f0a
        OS Device Name: /dev/rdsk/c5t0103BA681D5F2A0047E84934d0s2

    ~> format
    [...]
    8. c5t0103BA681D5F2A0047E84932d0
       /scsi_vhci/[EMAIL PROTECTED]
    9. c5t0103BA681D5F2A0047E84934d0
       /scsi_vhci/[EMAIL PROTECTED]
    > label
    > partition

[Striping, nologging and noatime for speed]

    ~> metainit d30 1 2 c5t0103BA681D5F2A0047E84932d0s0 c5t0103BA681D5F2A0047E84934d0s0 -i 32k
    ~> newfs -v /dev/md/dsk/d30
    ~> mount -F ufs -o nologging,noatime /dev/md/dsk/d30 /zones

[You need the mount-at-boot option == yes, otherwise it would not mount at boot, despite what the mount(1M) manpage says]

    ~> vi vfstab
    /dev/md/dsk/d30 /dev/md/rdsk/d30 /zones ufs 1 yes nologging,noatime

    ~> zonecfg -z zone1
    zonecfg:zone1> create
    zonecfg:zone1> set zonepath=/zones/zone1
    [...]
    ~> zoneadm -z zone1 install
    ~> zoneadm -z zone1 boot

    {1} ok boot -s
    Entering System Maintenance Mode

[iSCSI Initiator is present]

    ~> modinfo |grep -i iscsi
     36 13252e8 2b4a0 271 1 iscsi (Sun iSCSI Initiator v20061003-0)

[Target LUNS are present]

    ~> iscsiadm list target
    Target: iqn.1986-03.com.sun:02:f57bbbf8-3504-4d9e-8c2b-ddfa45cfb641
    Target: iqn.1986-03.com.sun:02:4a46145b-8b71-69ab-8cee-c8a9c4367f0a

[boot zones, apply patch cluster and LU patch cluster. sunsolve.sun.com has a new content management system. The old Infodoc 72099 is now Document ID 206844: Solaris[TM] Live Upgrade Software: Minimum Patch Requirements. Make sure you apply all the required patches. This will minimize your LU headaches.]

[Create and discover new targets for your /zones on the ABE. This is d40 for me.]

    ~> lucreate -c s10u3 -C /dev/dsk/c1t0d0s0 -n s10u4 -m /:/dev/dsk/c2t0d0s0:ufs -m -:/dev/dsk/c2t0d0s1:swap -m /zones:/dev/md/dsk/d40:ufs -l /var/adm/lu_error.log
    ~> luupgrade -u -n s10u4 -s /net/depot/export/solarisdvd.s10s_u4dvd/latest
    ~> luactivate s10u4

You're done. Hooray!

Longer write-up with output later. On deck: zone detach and attach, upgrade on attach.

CT
Re: [zones-discuss] The quick & dirty guide to zones on iSCSI LUNs
roush wrote:
> Sun Cluster plans to support an iSCSI disk as a quorum device.
> Sun Cluster accesses the iSCSI disk early in the boot process.
> When the iSCSI disk is on the same subnet as the cluster machines,
> things work. When the iSCSI disk is on a different subnet
> the system cannot find the iSCSI disk (ENXIO). However,
> after Solaris is fully up we have no access problems.
> Solaris automatically boots up zones in many configurations.
> The point at which Solaris boots zones is later, so
> you may or may not hit this problem. I would be
> interested to hear whether you encounter this problem or not.
>

Hi Ellard,

No, I have not encountered this problem. The targets mount just in time for my zones. But it sounds to me like a dependency on svc:/network/routing/route:default for cluster could help this along?

CT
Re: [zones-discuss] The quick & dirty guide to zones on iSCSI LUNs
Follow up on this previous item:

> On deck: zone detach and attach, upgrade on attach.

To be able to do the above requires that there be some kind of preservation of the data on top of iscsi targets. I tried putting iscsi targets into metasets which could be taken and released. Does not appear to work right now. I filed RFE 6691027: iscsi targets should support metasets.

I had to use disksets because currently, zones on ZFS is still not supported.
Re: [zones-discuss] Moving the zonepath (directory) to another file system
On Wed, Nov 19, 2008 at 2:16 PM, Amol Chiplunkar <[EMAIL PROTECTED]> wrote:
> I would also look at zoneadm -z move
> e.g. zoneadm -z /large-filesystempath/
> Unless you are particular about '/zones' path, you don't even have to
> remount it as /zones

This is a unique problem. Turns out we're not the only one. We had to move the zonepath somewhere else, but the "somewhere else" needs to have the same mountpoint. It's the underlying devices that we want to change. Obviously, zoneadm move will move /oldzonepath to /newzonepath but how will I remount to /oldzonepath, I can't change zonepath with zonecfg.

Eventually I had to manually edit the stuff in /etc/zones, not that I advocate anyone to do this, but it worked for us.

CT
[zones-discuss] Package minimization question
Cross-posted, pardon me for duplicates.

I'm building a system starting with SUNWCrnet, it needs zones and TX. Using the fine Solaris Package Companion tool, I'm down to the following:

[C] SUNWCzone XX Solaris Zones
  [P] SUNWzoner PASSED Solaris Zones (Root)
  [P] SUNWzoneu XX Solaris Zones (Usr)
x [P] SUNWadmfr System & Network Administration Framework Configuration
x [P] SUNWadmfw System & Network Administration Framework
x [P] SUNWctpls Portable layout services for Complex Text Layout support
x [P] SUNWdtcor Solaris Desktop /usr/dt filesystem anchor
x [P] SUNWj5rt JDK 5.0 Runtime Env. (1.5.0_14)
x [P] SUNWmfrun Motif RunTime Kit
x [P] SUNWpool Resource Pools
x [P] SUNWpoolr Resource Pools (Root)
x [P] SUNWxwdv X Windows System Window Drivers
x [P] SUNWxwfnt X Window System platform required fonts
x [P] SUNWxwice X Window System Inter-Client Exchange (ICE) Components
x [P] SUNWxwplr X Window System platform software configuration
x [P] SUNWxwplt X Window System platform software
x [P] SUNWxwrtl X Window System & Graphics Runtime Library Links in /usr/lib

[C] SUNWCts XX Solaris Trusted Extensions
  [P] SUNWtsg XX Trusted Extensions global
  [P] SUNWtsu XX Trusted Extensions, (Usr)
  [P] SUNWtsr XX Trusted Extensions, (Root)
x [P] SUNWctpls Portable layout services for Complex Text Layout support
x [P] SUNWdtbas CDE application basic runtime environment
x [P] SUNWdtcor Solaris Desktop /usr/dt filesystem anchor
x [P] SUNWmfrun Motif RunTime Kit
x [P] SUNWxwcft X Window System common (not required) fonts
x [P] SUNWxwdv X Windows System Window Drivers
x [P] SUNWxwfnt X Window System platform required fonts
x [P] SUNWxwice X Window System Inter-Client Exchange (ICE) Components
x [P] SUNWxwopt X Window System Optional Clients
x [P] SUNWxwplr X Window System platform software configuration
x [P] SUNWxwplt X Window System platform software
x [P] SUNWxwrtl X Window System & Graphics Runtime Library Links in /usr/lib

The x indicates missing packages not in SUNWCrnet.
I wonder if the X Window, Motif, CDE and Text Layout is *really* necessary. I don't have a problem adding pools and the two admin packages. Other boxes built without these packages have worked fine so far. However, eventually they will need support, and I don't want to be in that place where I have to explain why a headless box that runs no graphics needs X, and un-supportability.

Thanks!

CT
[zones-discuss] exclusive-ip zone and non-observability
Hi,

I am putting 2 applications that talk to each other on two non-global zones of type exclusive-ip. I do this for one reason only, that is to be able to observe traffic between the two applications for troubleshooting if and when things go wrong. Unfortunately, this will run afoul of security guidelines, which says one should not be able to observe anything from the outside. Encryption is just not in the picture right now.

I'm trying to think of a way to make traffic observable from the global zone only, and obscured to everyone else outside the box. I thought of not cabling the interfaces and turning off ip_restrict_interzone_loopback, but that just backs me right into the corner of not being able to snoop anything on the lo0 channel. I don't have anything here that I can use, do I? Just making sure.

CT
Re: [zones-discuss] exclusive-ip zone and non-observability
> Hi,
>
> I am putting 2 applications that talk to each other on two non-global
> zones of type exclusive-ip. I do this for one reason only, that is to
> be able to observe traffic between the two applications for
> troubleshooting if and when things go wrong. Unfortunately, this will
> run afoul of security guidelines, which says one should not be able to
> observe anything from the outside. Encryption is just not in the
> picture right now. I'm trying to think of a way to make traffic
> observable from the global zone only, and obscured to everyone else
> outside the box. I thought of not cabling the interfaces and turning
> off ip_restrict_interzone_loopback, but that just backs me right into
> the corner of not being able to snoop anything on the lo0 channel. I
> don't have anything here that I can use, do I? Just making sure.
>

Bad form here, to follow up my own post, but, how feasible would it be to flap ip_restrict_interzone_loopback off and on, off for production and on for diagnostic? I'm reading comments lines 560 - 570 of http://cvs.opensolaris.org/source/xref/netvirt/usr/src/uts/common/inet/ip/ip.c

CT
Re: [zones-discuss] exclusive-ip zone and non-observability
On Tue, Dec 16, 2008 at 12:36 PM, James Carlson wrote:
> Using the existing Clearview interfaces (integrated back in November
> for build 103; see CR 4085089), you should be able to snoop lo0 just
> fine.
>

Unfortunately this is Solaris 10 8/07, we may be able to go to 10/08 but Nevada is definitely not an option.

CT
Re: [zones-discuss] exclusive-ip zone and non-observability
On Tue, Dec 16, 2008 at 6:13 PM, Fredrich Maney wrote:
> Instead of snooping the traffic, why not do it through DTrace? That
> should meet your security requirements nicely.
>
> fpsm
>

Heh! No SUNWCdtrace cluster either. In fact, I may have to sell "observability" down the river because I see that snoop is in SUNWrcmdc and that's not in the SUNWCrnet, either. And that needs Kerberos, yadda yadda ...
Re: [zones-discuss] Package minimization question
My apologies for being late replying. I've thought of posting the cluster I use but it seems that everyone has a special build particular to their needs. For example, most people would not use kerberos, but it's in rnet. You could make a case for SUNWbip, SUNWrcmdc, NTP ... how much do you really need? USB serial driver ... ?

> Btw, I see you are using the "tree view" for SPC. How do you like it?

It's OK. It's good to realize the "tree" view isn't comprehensive; if a package doesn't belong in a mini-cluster, it won't show up in the tree view, although it will show up in the package view.

CT
[zones-discuss] ip_restrict_interzone_loopback again
Hi,

Has anyone *actually* observed that you can communicate between zones with the cable removed when /dev/ip ip_restrict_interzone_loopback is set to 0?

Here's my setup, s10u5.

global: 192.168.1.60/24 e1000g0, cabled
zone1: 192.168.1.61/24 e1000g1, cabled
zone2: 192.168.1.62/24 e1000g2, not cabled

by default ip_restrict_interzone_loopback is 0, no need to do anything there.

zone2 is pretty much by himself, unable to communicate to global or zone1. If I understand correctly, he should be able to communicate with the global zone and zone1, even without the cable. This is not the case.

CT
Re: [zones-discuss] ip_restrict_interzone_loopback again
On Fri, Jan 23, 2009 at 4:27 AM, Jon Anderson wrote:
> Hi,
>
> Do you have more details on your zone configuration? If you are
> using exclusive stack zones then this is expected.
>

Hmm, I thought the exact opposite. zones of type exclusive-ip type, plumbed on different interfaces, will drive their traffic out one IF and into the other. I believe Steffen Weiberle did some test to measure the delay as opposed to using the internal loopback mechanism.

Unless ip_restrict_interzone_loopback is 0 (the default is 1 on OS). You can have zones of type exclusive-ip plumbed on different interfaces but not cabled up if this parameter is set to 0. This is what I gleaned from reading what little there is about this param. Otherwise ... how could you ever have traffic going from zone1:e1000g1 to zone2:e1000g2 without a cable?

Anyhow, this may be a JASS problem because JASS will enable ipfilter on the global zone but JASS's mod to ipf.conf does not pass lo0 traffic. And yet, ... my understanding is that the internal loopback "mechanism" does not really involve lo0. By the time we got it sorted out last night we were all out of gas, so we didn't get to the bottom of it.

If you can describe exactly how I can get traffic from zone1:e1000g1 to zone2:e1000g2 without cabling up the interfaces, that would solve my problem. Thanks.

CT
Re: [zones-discuss] ip_restrict_interzone_loopback again
>> Unless ip_restrict_interzone_loopback is 0 (the default is 1 on OS).
>> You can have zones of type exclusive-ip plumbed on different
>> interfaces but not cabled up if this parameter is set to 0.
>
> Where is this documented?

This is what started the whole kerfuffle for me, https://www.opensolaris.org/jive/thread.jspa?threadID=84543&tstart=-1 particularly "which have their local IP addresses on different interfaces", I zeroed in on this and conveniently ignored the "shared-stack zone" which I'm noticing just now. But how could that be ... shared-stack zone with IP address on different interface? This thing cannot exist?

Here it is. I need exclusive stack so I can snoop traffic when bad things happen. When bad things are not happening, traffic must not be snoopable, sayeth the people in charge. I have this brilliant idea (based on what I read) that I can conveniently shunt traffic to the NIC or internally, at will, using this nifty param. Bad things happen, shunt it outside to observe. Bad things go away, shunt it back inside, remove the cable. This cannot work, you say?

This is S10U5, OS is not an option.

CT
Re: [zones-discuss] ip_restrict_interzone_loopback again
> You can add multiple physicals to a shared stack zone, they are
> just added as logicals. You need the underlying interface plumbed
> in the global zone though. An exclusive stack doesn't know anything
> about other zones' network configuration.

OK, I'm beginning to see. Like this, you mean?

global zone:
plumb e1000g1 0.0.0.0
plumb e1000g2 0.0.0.0
zone1: e1000g1:1 192.168.1.61
zone2: e1000g2:1 192.168.1.62

ip_restrict_interzone_loopback = 0
traffic from zone1 <-> zone2 shunted internally

ip_restrict_interzone_loopback = 1, cabled to a switch
traffic from zone1 <-> zone2 forced out the NIC, and observable with snoop

> One issue would be if the ill for source and destination
> was the same then we would still send via loopback.

You mean if zone1 and zone2 were plumbed on e1000g1:1, and e1000g1:2, traffic will never be observable no matter what. I can live with this.

Did I get this right?

CT
[zones-discuss] What is the workaround to CR6176743
I am running into this: https://opensolaris.org/jive/thread.jspa?threadID=79673

r...@ender:/# zoneadm -z web boot
zone 'web': Error: error mounting zone root dataset.
zone 'web': zoneadm: zone 'web': call to zoneadmd failed

When I go to check the CR, there's nothing in the workaround. I just need to boot my zone.

CT
Re: [zones-discuss] What is the workaround to CR6176743
On Thu, Jan 29, 2009 at 9:20 AM, Jerry Jelinek wrote:
>
> You haven't provided much information so it's hard
> to help you. What build are you running? The
> issue described in the thread you reference should
> be fixed in the OpenSolaris 2008.11 release. Do
> you have a second BE mounted, as is described in
> that thread? If so and you unmount it, does the
> zone boot?
>

Hi, I'm running OpenSolaris 2008.11 on bare metal. This is a very basic zone, I made a ZFS filesystem for it, and put the zonepath there. I build it, boot it, poke around, and shut it down. Now I get the previous message when I try to boot it. I don't have a 2nd BE mounted, unless this is something OS does for me out of the box.

CT
Re: [zones-discuss] What is the workaround to CR6176743
> What is the output of 'mount -p' and 'zfs list' on this
> system?

r...@ender:/# mount -p
rpool/ROOT/opensolaris - / zfs - no
/devices - /devices devfs - no
/dev - /dev dev - no
ctfs - /system/contract ctfs - no
proc - /proc proc - no
mnttab - /etc/mnttab mntfs - no
swap - /etc/svc/volatile tmpfs - no xattr
objfs - /system/object objfs - no
sharefs - /etc/dfs/sharetab sharefs - no
/usr/lib/libc/libc_hwcap1.so.1 - /lib/libc.so.1 lofs - no
fd - /dev/fd fd - no rw
swap - /tmp tmpfs - no xattr
swap - /var/run tmpfs - no xattr
rpool/export - /export zfs - no rw,devices,setuid,nonbmand,exec,xattr,atime
rpool/export/home - /export/home zfs - no rw,devices,setuid,nonbmand,exec,xattr,atime
rpool/export/home/ctran - /export/home/ctran zfs - no rw,devices,setuid,nonbmand,exec,xattr,atime
rpool - /rpool zfs - no rw,devices,setuid,nonbmand,exec,xattr,atime
rpool/zones/web/ROOT/zbe - /zones/web/root zfs - no rw,devices,setuid,nonbmand,exec,xattr,atime
rpool/zones - /zones zfs - no rw,devices,setuid,nonbmand,exec,xattr,atime
rpool/zones/web - /zones/web zfs - no rw,devices,setuid,nonbmand,exec,xattr,atime

r...@ender:/# zfs list
NAME                      USED   AVAIL  REFER  MOUNTPOINT
rpool                     4.78G  29.7G  72K    /rpool
rpool/ROOT                4.10G  29.7G  18K    legacy
rpool/ROOT/opensolaris    4.10G  29.7G  4.03G  /
rpool/dump                256M   29.7G  256M   -
rpool/export              31.0M  29.7G  19K    /export
rpool/export/home         31.0M  29.7G  19K    /export/home
rpool/export/home/ctran   31.0M  29.7G  31.0M  /export/home/ctran
rpool/zones               407M   29.7G  20K    /zones
rpool/zones/web           407M   29.7G  21K    /zones/web
rpool/zones/web/ROOT      407M   29.7G  18K    legacy
rpool/zones/web/ROOT/zbe  407M   29.7G  407M   legacy
Re: [zones-discuss] What is the workaround to CR6176743
On Thu, Jan 29, 2009 at 10:44 AM, Jerry Jelinek wrote:
> It would be nice to try to understand more about
> what you did so we could try to figure out why
> the dataset was left mounted when you halted the zone.
> If there is anything unusual you can recall, please
> let me know.

I don't think I did anything special -- I did recall trying to zfs umount and remount a few things, rpool/zones I think, because that's the one I explicitly created. It seems not to have worked.

> In the meantime, to get your zone working again, you
> should be able to manually unmount the dataset:
>
> # umount /zones/web/root

Not working for me.

r...@ender:/# umount /zones/web/root
cannot unmount '/zones/web/root': No such file or directory
r...@ender:/# zfs umount rpool/zones/web/ROOT/zbe
cannot unmount 'rpool/zones/web/ROOT/zbe': legacy mountpoint
use umount(1M) to unmount this filesystem

I'm stuck, mount thinks it's there but it's not really there.

CT
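A check for the condition this thread describes (a halted zone whose root dataset the mount table still lists), as an added example that is not part of the original posts. The function name is hypothetical, the colon-separated `zoneadm list -cp` layout (id:name:state:zonepath:...) is assumed, and the sample data is constructed from the `mount -p` lines quoted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Names are hypothetical.

# stale_zone_roots ZONELIST MOUNTS
#   ZONELIST: text of 'zoneadm list -cp'  (id:name:state:zonepath:...)
#   MOUNTS:   text of 'mount -p'          (special - mountpoint fstype ...)
# Prints "zone special mountpoint" for every zone in state "installed"
# (halted) whose <zonepath>/root is still listed in the mount table.
# Assumes zonepaths contain no ':' characters.
stale_zone_roots() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { in_mounts = 1; next }
        !in_mounts {
            # Zone list section: remember the root path of halted zones.
            n = split($0, f, ":")
            if (n >= 4 && f[3] == "installed")
                root[f[4] "/root"] = f[2]
            next
        }
        # Mount table section: field 3 is the mount point.
        ($3 in root) { print root[$3], $1, $3 }
    '
}

# Constructed sample: zone "web" is halted, yet its root is still mounted.
SAMPLE_ZONES='0:global:running:/::ipkg:shared
-:web:installed:/zones/web::ipkg:shared'

SAMPLE_MOUNTS='rpool/ROOT/opensolaris - / zfs - no
rpool/zones/web/ROOT/zbe - /zones/web/root zfs - no rw,devices,setuid,nonbmand,exec,xattr,atime
rpool/zones - /zones zfs - no rw,devices,setuid,nonbmand,exec,xattr,atime
rpool/zones/web - /zones/web zfs - no rw,devices,setuid,nonbmand,exec,xattr,atime'

stale_zone_roots "$SAMPLE_ZONES" "$SAMPLE_MOUNTS"
```

On a live host the two arguments would be "$(zoneadm list -cp)" and "$(mount -p)"; the check only reports what the mount table claims, which is the state the poster describes.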
[zones-discuss] a little scripting problem with zonecfg
I'm writing a script that adds an LOFS to a zone, using a pre-made batch file it works but I rather generate this on the fly. It looks something like this:

if [ something ]; then
    zonecfg -z $myzone << EOF
    add fs
    set dir=/tmp/foo
    set special=/tmp/foo
    set type=lofs
    add options rw
    add options nodevices
    end
    commit
    exit
    EOF
    zoneadm -z $ZONENAME boot

This should work, but I get a syntax error at line 78: `end of file' unexpected, (script is only 77 lines long, btw.) I also tried

cat > /tmp/foo << EOF
...
EOF
zonecfg -z $myzone -f /tmp/foo

but same problem. How can I solve this? I prefer not to keep a batch file around to slice & dice with sed.

CT
Re: [zones-discuss] a little scripting problem with zonecfg
On Fri, Feb 13, 2009 at 8:16 PM, Jordan Vaughan wrote:
> Hi Cristine,
>
> I tried both methods on OpenSolaris 2008.11 and they worked for me. My
> guess is that there's something wrong with your script. Perhaps you forgot
> to close a control construct (e.g., end an if block with fi).

Errmm, well, it's wacky. You can't have any white space in front of your 'EOF'. It has to be absolutely first letters on the line. Was driving me crazy because I coded out a test snippet and *that* worked, but in my script proper I had white space indentation. Feh!

CT
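The heredoc rule described above, as an added example that is not part of the original posts: the terminator sits in column 0 even though the surrounding function body is indented, and the generated text is meant for `zonecfg -z ... -f`. The function name, the path check and the sample paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Names are hypothetical.

# gen_lofs_cmds DIR SPECIAL
# Prints the zonecfg commands that add a read-write lofs mount of SPECIAL
# at DIR inside the zone. Returns 1 and prints nothing unless both
# arguments are plain absolute paths, so that a stray space or newline in
# a variable cannot slip extra zonecfg commands into the command file.
gen_lofs_cmds() {
    dir=$1
    special=$2
    for p in "$dir" "$special"; do
        case $p in
            /*) ;;
            *) return 1 ;;
        esac
        case $p in
            *[!A-Za-z0-9/._-]*) return 1 ;;
        esac
    done
    # The heredoc body and its terminator are deliberately NOT indented.
    # With plain "<<" the shell ends the heredoc only at a line that is
    # exactly "EOF"; an indented "    EOF" is taken as more heredoc text
    # and the shell reads on to the end of the script, which is the
    # "end of file unexpected" error quoted in this thread.
    # "<<-" would strip leading tabs from those lines, but never spaces.
    cat <<EOF
add fs
set dir=$dir
set special=$special
set type=lofs
add options rw
add options nodevices
end
commit
exit
EOF
}

# Usage on a Solaris host (zone name and file name are placeholders):
#   gen_lofs_cmds /tmp/foo /tmp/foo > /tmp/zone.cmds &&
#       zonecfg -z myzone -f /tmp/zone.cmds
```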
Re: [zones-discuss] Failing to NFS mount on non-global zone
> fs:
>    dir: /netapp/tacacs
>    special: /syslog-local/netapp/tacacs
>    raw not specified
>    type: lofs
>    options: []
> fs:
>    dir: /netapp/syslog
>    special: /syslog-local/netapp/syslog
>    raw not specified
>    type: lofs
>    options: []
> [Connected to zone 'syslog' pts/2]
> bash-3.00# cat /etc/vfstab | grep netapp
> 192.168.0.25:/volB/netapp/syslog - /netapp/syslog nfs - no hard,intr,bg,xattr
> 192.168.0.25:/volA/netapp/tacacs - /netapp/tacacs nfs - no hard,intr,bg,xattr

You LOFS-mount the directory *and* you NFS-mount it inside the zone? How about one or the other? Why not just NFS mount the directory from syslog and that's that?

In fact, my memory is fuzzy but I don't think you can LOFS an NFS-mount done by the global zone. There's a credential problem, the NFS client is really one client (the global zone) but access to the mount looks different when it's done from the global zone or the non-global zone. There's a bug on record for this, I think.

CT
Re: [zones-discuss] Routing issue with zones installed
> The problem I have is when creating shared IP zones on another subnet,
> such as the 192.168.0.0/19: subnet 192.168.96.0/19 is unreachable and
> they cannot connect to the outside world through 192.168.96.1.

It can't work this way. Your zone on 192.168.0.0/19 will never see 192.168.96.1 because that gateway is not local to it. Your defaultrouter has to be on same segment. You can get around this if you set 192.168.96.1 up with another interface local to 192.168.0.0/19, multi-home your router. Then you'll have to add another default route on your global zone. If you're doing this on nge0, you'll also have to zone your switch.

> Is there any way to use server0 as a router from inside the shared IP
> zone so that the global zone forwards packets from one subnet to the
> other and be able to reach 192.168.96.1?

Yes, you can do it as described above. I assume you mean server0 is your global zone.

CT

--
http://www.apress.com/book/view/1430218916 --- Pro OpenSolaris - Finger lickin' good.
Re: [zones-discuss] zones in opensolaris (os200811) differs from zones in solaris 10?
On Thu, Apr 30, 2009 at 11:25 AM, solarg wrote:
> hello all,
> i'm wondering how to create a sparse zone in os2008.11:
> - in solaris 10, just use "create" instead of "create -b" does a "sparse"
> zone
> - in os2008.11, you have to add manually:
> add inherit-pkg-dir

Ermmm ... I don't think zones in OS is of the same type as zones in S10. They are of type ipkg, and in 10, they can be of type native, branded, etc. Zones in OS are independent of the global zone, they pull their own packages using the package manager. You may even say that the concept of "sparse" and "whole" doesn't apply to zone in OS.

CT

--
http://www.apress.com/book/view/1430218916 --- Pro OpenSolaris - It's what's for dinner.
[zones-discuss] zoneadmd not present for running zone
I realize that zoneadmd is a private interface, but, here's a question. Can I have a running zone and no zoneadmd running, at all? If yes, what does it mean?

--
http://www.apress.com/book/view/1430218916 --- Pro OpenSolaris - 57 varieties.
Re: [zones-discuss] pkg install AMP in a sparse zone
On Mon, May 18, 2009 at 9:59 AM, Jerry Jelinek wrote:
> Thanks for the write-up. It is helpful for us to
> know what peoples concerns are for the sparse vs. whole
> root configurations.

Our application make and destroy zones as needed. We've built up a set of tools to create, clone, and tear down zones. We're concerned more with how fast we can build one and move one, than in how much memory we're saving by sharing in-memory footprints. (At one time this was a point to be made but I don't think anyone ever made any measurement, I could be wrong.)

To make ipkg zones, we'd have to have access to a repository or maintain a local one (to date I don't think anyone's done this yet, right? The default repo is still at a opensolaris.org space.) Machines behind air gaps may never be able to run OS, and if they do, we'd have a harder time making zones on the fly for them.

1. ipkg zones take longer to build
2. and require an internet connection

CT

--
http://www.apress.com/book/view/1430218916 --- Pro OpenSolaris - The breakfast of champions.
Re: [zones-discuss] pkg install AMP in a sparse zone
> Installing from a repo is orthogonal to the sparse
> vs. whole root discussion. That is tracked as:
>
> 1947 Offline zone creation is impossible

I'm not complaining, just describing what's important to me (and my shop) re:zones going forward. This thread started out as "no sparse zone on OS", sorry to have interrupted.

CT

--
http://www.apress.com/book/view/1430218916 --- Pro OpenSolaris - The breakfast of champions.
Re: [zones-discuss] sysidcfg requires zlogin
On Wed, Jul 15, 2009 at 3:32 PM, Patrick J. McEvoy wrote:
> I am trying to pre-configure zones with sysidcfg as described in:
>
>
> http://docs.sun.com/app/docs/doc/817-1592/z.login.task-38?l=en&a=view&q=sysidcfg+and+containers
>
> Basically:
>
>clone a zone
>zoneadm -z ready
>edit /root/etc/sysidcfg
>zoneadm -z boot
>
> The problem is that after the zone boots I still have to do an initial
> "zlogin -C"
> to the zone to get the system to look at /etc/sysidcfg. How can I kick the
> zone
> so that it configures and comes up on the net without my having to do an
> interactive
> login (and without having to write an expect script...)?
>

If you have a correct sysidcfg, you will never need to go thru the system identification prompt at zlogin -C. Please post your sysidcfg. Here's a barebone one that works for me:

name_service=NONE
root_password=xyzmno
system_locale=C
timeserver=localhost
timezone=GMT
terminal=vt100
security_policy=NONE
nfs4_domain=dynamic
network_interface=primary { hostname=${ZONENAME} protocol_ipv6=no}

YMMV. If you have an exclusive-ip zone you will have to touch /etc/hostname.NIC in the zone as well.

CT
Re: [zones-discuss] zone 'from scratch'
On Sat, Nov 21, 2009 at 2:31 AM, nikolay wrote:
> So the best way for me is 'downgrading' my OS (have no idea how to do
> this)??? What the f...k these containers are needed for? I have only one
> sparc workstation, so have no machine to install Solaris 9 (but it's crucial
> for some software I work with)...

He means you need an imprint of a ready-installed S9 OS to put inside your S9 container, on your S10 platform, not that you need to downgrade your S10 platform. You can't create an S9 container from a set of install CDs.

Please be courteous and professional when you ask for help here.

CT
[zones-discuss] routing-setup doesn't wait for zones
I'm about to make a change to the dependency of routing-setup, I just want to check first if this has been filed as a CR and has been fixed. The problem is that zones and routing-setup both trace their dependency back to milestone/network, but no relationship to each other. I have a priori knowledge of non-global shared-ip zones and their address, and I load them into static-routes. Sometime during system boot, routing-setup is run, with no guarantee that zones have finished booting. Solaris then tries to add routes, but balks, as it should, since my physical interface is 0.0.0.0 and my zones' virtual interfaces have not been plumbed.

The solution to this is to make zones a dependency of routing-setup. We're not actively routing so I don't see this interfering with anything. My question is: has this issue been reported, filed, and fixed? A quick search of defect and bugs does not turn up anything that looks like this problem.

Checking first, thanks.

CT
[zones-discuss] zoneadm clone "-m copy" does not really "copy" on ZFS zonepath
Hi,

I'm sorry to bug the OpenSolaris for a question that pertains to S10U8, but I am really stuck. I am doing a zoneadm clone -m copy, and I do not want a new ZFS dataset even though my zonepath is on a ZFS filesystem, for performance reasons particular to how I am using my zones. Unfortunately, zoneadm clone just ignores the "-m copy", and makes me a new ZFS filesystem anyway; and by the speed with which it finished, it certainly is a snapshot operation underneath.

I have tested with making the source zone on a separate UFS, have pre-made a dirname under my ZFS filesystem as the zonepath, nothing works. I always get a new ZFS filesystem. I see that zoneadm install has an -x nodataset switch, I need this for zone clone as well. I have not seen this filed as a bug against S10, is there a work-around to get the behavior I want?

This is sort of a big deal for our application. We use labeled zones, a file move within a filesystem has a different performance profile than a move from one filesystem to another filesystem, even within one ZFS pool. We are doing tens of thousands of move per minute.

CT
Re: [zones-discuss] zoneadm clone "-m copy" does not really "copy" on ZFS zonepath
On Sat, Feb 13, 2010 at 3:10 AM, Frank Batschulat (Home) wrote:
> a '-x nodataset' option for 'clone' like in 'install' is unlikely going to
> happen, in
> fact I will remove the '-x nodataset' option for 'install' completely soon in
> OSOL build 135
>
> PSARC 2010/008 Remove zoneadm install sub-option "-x nodataset"
> http://opensolaris.org/jive/thread.jspa?messageID=448598
>
> your ZFS problem is with 'move' ie. rename a file from one dataset to another
> while both datasets are still in the same pool ending up as a copy of the file
> because it crosses dataset ie. file system boundaries. there's a ZFS RFE
> open to improve that:
>
> 6483179 Provide an efficient way to rename a file to another dataset in same
> zpool
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6483179
>
> 6650426 RFE: support link(2) between ZFS filesystems
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6650426

Actually, this would be the 'proper' fix and will work for us. Do you know if there's priority to these two CRs? I will provide a business case write-up under another cover, if someone would like to add it to the CR.

Meanwhile, I am stuck at U5, because as far as I can tell, U7 and U8 implements separate dataset per zone if it's on a ZFS. This completely breaks our application, which depended on the efficiency of "mv" within one filesystem.
Re: [zones-discuss] zoneadm clone "-m copy" does not really "copy" on ZFS zonepath
> Does the data really need to be under the zonepath? If you were to do
> something like:
>
> zfs create -o mountpoint=/stuff rpool/stuff
> mkdir /stuff/z1 /stuff/z2
>
> zonecfg -z z1
> add fs
> set dir=/stuff
> set special=/stuff/z1
> set options=rw
> end
> exit
>
> zonecfg -z z2
> add fs
> set dir=/stuff
> set special=/stuff/z2
> set options=rw
> end
> exit
>
> Adjust paths as needed to fit your application. From the global zone,
> you should be able to mv /stuff/z1/* /stuff/z2/* efficiently.

I think I have tried something like this, basically pre-make the zonepath as directories before cloning the zone? It doesn't work. I end up getting a new dataset mounted on the directory I've created.

CT
Re: [zones-discuss] networking
On Tue, Feb 16, 2010 at 4:59 PM, Dombrowski, Neil wrote:
> For an example, let's say zone1 has a default route using gateway 172.16.1.1
> and zone2 has a default router using gateway 192.168.0.1. If I am logged into
> the global zone, and it needs to send a packet to 10.10.10.10, will it use
> one of the non-global-zone's default route?

It will round-robin between the two gateways IF it has interfaces local to that network. That is, you need something like this: assume 24-bit mask, e1000g0 172.16.1.10 and e1000g1 192.168.0.10 (the 10 is just an example.) If you only have one interface local to one gateway, it will use that gateway.

What I'm guessing is that you have your zones plumbed on a virtual interface, but nothing plumbed on the actual interface, from the global zone's perspective. In your ifconfig -a output, when you've removed all the entries for zones, do you actually have an interface that can reach a router?

CT
Re: [zones-discuss] zoneadm clone "-m copy" does not really "copy" on ZFS zonepath
On Sat, Feb 13, 2010 at 3:10 AM, Frank Batschulat (Home) wrote:
>
>
> a '-x nodataset' option for 'clone' like in 'install' is unlikely going to
> happen, in
> fact I will remove the '-x nodataset' option for 'install' completely soon in
> OSOL build 135

OK, I need my sanity confirmed because I am not sure what's happening on my laptop, (OpenSolaris question this time.) I have created test ipkg type zones on this laptop before, I have not done an upgrade but I've allowed Package Manager to update packages as far as it's able. You say you will remove -x nodataset option, implying it hasn't been done yet, but here's what happened this morning when I tried to create a new zone.

r...@fiat~> cat /etc/release
OpenSolaris 2008.11 snv_101b_rc2 X86
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 19 November 2008

r...@fiat~> zonecfg -z pink
pink: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:pink> create
zonecfg:pink> set zonepath=/zone/pink
zonecfg:pink> add net
zonecfg:pink:net> set physical=e1000g0
zonecfg:pink:net> set address=192.168.20.1/24
zonecfg:pink:net> end
zonecfg:pink> verify
zonecfg:pink> commit
zonecfg:pink> info
zonename: pink
zonepath: /zone/pink
brand: ipkg
autoboot: false
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: shared
net:
    address: 192.168.20.1/24
    physical: e1000g0
    defrouter not specified
zonecfg:pink> exit

r...@fiat~> zoneadm -z pink install -x nodataset
Error: no zonepath dataset.
OK, I will create a dataset:

r...@fiat~> zfs list
NAME                      USED  AVAIL  REFER  MOUNTPOINT
rpool                    26.4G  71.5G    72K  /rpool
rpool/ROOT               19.8G  71.5G    18K  legacy
rpool/ROOT/opensolaris   19.8G  71.5G  19.6G  /
rpool/dump               1.97G  71.5G  1.97G  -
rpool/export             2.70G  71.5G    19K  /export
rpool/export/home        2.70G  71.5G    19K  /export/home
rpool/export/home/ctran  2.70G  71.5G  2.70G  /export/home/ctran
rpool/swap               1.97G  73.5G  3.81M  -

r...@fiat~> zfs create rpool/pink
r...@fiat~> zfs set mountpoint=/zone/pink rpool/pink
r...@fiat~> zfs list
NAME                      USED  AVAIL  REFER  MOUNTPOINT
rpool                    26.4G  71.5G    74K  /rpool
rpool/ROOT               19.8G  71.5G    18K  legacy
rpool/ROOT/opensolaris   19.8G  71.5G  19.6G  /
rpool/dump               1.97G  71.5G  1.97G  -
rpool/export             2.70G  71.5G    19K  /export
rpool/export/home        2.70G  71.5G    19K  /export/home
rpool/export/home/ctran  2.70G  71.5G  2.70G  /export/home/ctran
rpool/pink                 18K  71.5G    18K  /zone/pink
rpool/swap               1.97G  73.5G  3.81M  -

Try to install again

r...@fiat~> zoneadm -z pink install
zoneadm: zone 'pink': zone is incomplete; uninstall required.

Oops ...

r...@fiat~> zoneadm -z pink uninstall
Are you sure you want to uninstall zone pink (y/[n])? y
cannot open 'rpool/pink/ROOT': dataset does not exist
Error: no active dataset.
cannot open 'rpool/pink/ROOT': dataset does not exist
cannot open 'rpool/pink/ROOT': dataset does not exist
cannot open 'rpool/pink/ROOT': dataset does not exist
Error: destroying ZFS dataset.

But the uninstall wiped out the dataset I created for "pink", while at the same time complaining it cannot find rpool/pink/ROOT

r...@fiat~> zfs list
NAME                      USED  AVAIL  REFER  MOUNTPOINT
rpool                    26.4G  71.5G    72K  /rpool
rpool/ROOT               19.8G  71.5G    18K  legacy
rpool/ROOT/opensolaris   19.8G  71.5G  19.6G  /
rpool/dump               1.97G  71.5G  1.97G  -
rpool/export             2.70G  71.5G    19K  /export
rpool/export/home        2.70G  71.5G    19K  /export/home
rpool/export/home/ctran  2.70G  71.5G  2.70G  /export/home/ctran
rpool/swap               1.97G  73.5G  3.81M  -

What's happening?
I have created and manipulated zones on this laptop before, it was very vanilla and I did not mess with dataset manually, I know I didn't dream this.

CT
Re: [zones-discuss] zoneadm clone "-m copy" does not really "copy" on ZFS zonepath
Hi,

A work-around for this issue has been provided by SunSupport. The direct parent of a zonepath must not be a dataset.

That is /tank/myzone will result in a new dataset being created.

/tank/some_empty_dir/myzone will get you a zonepath that's just a directory.

Yay, SunSupport!

CT
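A pre-flight check for the workaround above, as an added example that is not part of the original message or of zoneadm. It assumes "the direct parent is a dataset" means the parent directory is the mountpoint of a ZFS dataset. The table is a constructed sample of `zfs list -H -o name,mountpoint` output with a hypothetical `tank` pool, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `zfs list -H -o name,mountpoint` (tab-separated).
ZFS_MOUNTS=$(printf '%s\t%s\n' \
    rpool /rpool \
    rpool/ROOT legacy \
    rpool/ROOT/opensolaris / \
    rpool/export /export \
    tank /tank)

# Print the name of the dataset mounted exactly at directory $2, if any.
# $1 = name<TAB>mountpoint table, $2 = directory
dataset_at() (
    printf '%s\n' "$1" | awk -F '\t' -v d="$2" '$2 == d { print $1; exit }'
)

# Classify a proposed zonepath according to the workaround:
#   parent is a dataset mountpoint -> a new dataset is created for the zone
#   parent is an ordinary directory -> the zonepath is just a directory
# $1 = name<TAB>mountpoint table, $2 = proposed zonepath
zonepath_kind() (
    parent=$(dirname "$2")
    ds=$(dataset_at "$1" "$parent")
    if [ -n "$ds" ]; then
        echo "dataset (parent $parent is dataset $ds)"
    else
        echo "directory (parent $parent is not a dataset mountpoint)"
    fi
)

# On a live system, pass "$(zfs list -H -o name,mountpoint)" as the table.
for zp in /tank/myzone /tank/some_empty_dir/myzone; do
    printf '%s -> %s\n' "$zp" "$(zonepath_kind "$ZFS_MOUNTS" "$zp")"
done
```
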