Separate name services in zones, Services | Sun Microsystems 10

Version 3.1-enSolaris 10 Container Guide - 3.1 4. Best Practices

Effective: 30/11/2009

4.1.9. Separate name services in zones

[ug] Name services include among other things the hosts database and the userids (passwd, shadow) and are configured with the file /etc/nsswitch.conf, which exists separately in each local zone. Name services are therefore defined in local zones independent of global zones. The most important aspects thereto are covered in this section.

If one adopts the recommendation stated in this document that no applications should run in the global zone, then the global zone also does not need to be integrated into NIS or LDAP. This further limits access from the outside and reduces the dependency of the global zone from other computers (name services server).

4.1.9.1. hosts database

[ug] Computers that should be addressable by name must be recorded here. No automatic copy of /etc/hosts from the global zone takes place when the zone is installed (completely in the sense that a separate OS environment exists in the local zone). It is of course a better alternative to use a name service such as NIS, DNS or LDAP. In an automatic installation, this can be set up via a sysidcfg file.

4.1.9.2.User database (passwd, shadow, user_attr)

[ug] User settings in local zones can be complemented by a name service as with a separate computer. Care should be taken that user names can be dissimilar in different zones; in particular in monitoring from the global zone (with ps) the names configured in the global zone are displayed. A copy of files from the global zone is not recommended, a name service such as NIS or LDAP is more suitable.

4.1.9.3. Services

[ug] The /etc/services or the corresponding name service must also be adjusted to the applications running in the zone.

4.1.9.4. Projects

[ug] To locally run resource management using a Fair Share Scheduler, or extended accounting, in a local zone, the corresponding name service database in /etc/project or the corresponding name service in the zone must be adjusted.

45

Image 52

Sun Microsystems 10 manual Separate name services in zones, Hosts database, Services, Projects

Contents

Solaris 10 Container Guide Table of contents III Network limitation IPQoS Duplicating zones with zoneadm detach/attach and zfs clone Disclaimer VII Introduction Solaris Containers and Solaris Zones Overview Ug Characteristics of Solaris 10 Zones Zones and security Zones and software installationZones and privileges Zones and resource management CPU resourcesProcessor sets in a resource pool Fair share scheduler in a resource pool Memory resource management Network resource management IPQoS = IP Quality of ServiceUser interfaces for zones Zones and high availability Branded zones Linux and Solaris 8/Solaris 9 compatibility Solaris container cluster aka zone cluster Virtualization technologies compared App Server Domains/physical partitions Logical partitions Dd Logical partitions Containers Solaris zones in an OS Dd Container Solaris zones in an OS Consolidation in one computer Dd Consolidation in one computer Summary of virtualization technologies App Physical Logical Resource Virtualisation Management Solution Grid computing with isolationRequirement Assessment Global Zone System Small web servers Multi-network consolidation Dd Use case Multi-network consolidation Multi-network monitoring Dd Use case Multi-network monitoring Multi-network backup Dd Use case Multi-network backup Consolidation development/test/integration/production Consolidation of test systems Dd Use case Consolidation of test systems Training systems Requirements Server consolidation Dd Use case Server consolidation Confidentiality of data and processes Dd Use case Confidentiality of data and processes Test systems for developers Dd Use case Developer test systems Solaris 8 and Solaris 9 containers for development Solaris 8 and Solaris 9 containers as revision systems Hosting for several companies on one computer Dd Use case Hosting for different companies on one computer SAP portals in Solaris containers Da Use case SAP portals in Solaris containers Upgrade- and Patch-management in a virtual environment Da Live upgrade Flying zones Service-oriented Solaris server infrastructure DC1 DC2 Solaris Container Cluster aka zone cluster Concepts Sparse-root zones− /lib − /platform − /sbin − /usr Whole-root zones Whole-root Var Usr Comparison between sparse-root zones and whole-root zonesPlatform ~3.6 GB Software in zones Software installations in Solaris and zones Software installation by the global zone usage in all zones Installation by the local zone usage in the local zone Data storage Program/application storage Opt/staroffice Root disk layoutZFS within a zone Volume manager in local zones Options for using ZFS in local zonesNFS and local zones Network concepts Introduction into networks and zones Network address management for zonesShared IP instance and routing between zones Ndd -set /dev/ip iprestrictinterzoneloopback Exclusive IP instance Plumb, snoop1M, dhcp5 or ipfilter5 is possibleInterface = InterfacenameInstance + VLAN-ID Firewalls between zones IP filter Zones and limitations in the network Ipmp Static configuration of devices Dynamic configuration of devices Separate name services in zones ServicesHosts database Projects Paradigms Applications in local zones only One application per zone Clustered containers Client Solaris Container Cluster Configuration and administration Automated provisioning of services Automatic configuration of zones by scriptInstallation and administration of a branded zone Lifecycle management Patching with live upgradePatching a system with local zones Patching with zoneadm attach -u Patching with upgrade serverMoving zones between architectures sun4u/sun4v Backup and recovery of zones ∙ create /zones/zone1 Backup of zones with ZFS Using boot arguments in zonesManagement and monitoring Migration of a zone to another system Consolidating log information of zones Monitoring zone workloadExtended accounting with zones Auditing operations in the zone DTrace of processes within a zone Global# dtrace -n iostart@zonename = count Resource management Types of resource managementCapping of CPU time for a zone General resource pools Lightweight processes LWP Fair share scheduler FSSFair share scheduler in a zone Projects, projadd, projmod, projdel Limiting memory resources RcapstatAssessing memory requirements for global and local zones Limiting virtual memory Limiting locked memory Network limitation IPQoSIPC limits Semaphore, shared memory, message queues Privileges and resource management Solaris container navigator Dd Planning a Solaris container Dd Self-qualification of an application in a container 4zonecfgbrand=native Configuration files Installation and configurationDd File /etc/zones/index Special commands for zones Command Description Command Description Swap VarVar/crash Metadb Configuring a sparse root zone required Actions Configuring a whole root zone required Actions Zone installation Zone initialization with sysidcfg Uninstalling a zone Starting zones automatically Optional settingsChanging the set of privileges of a zone Using a device in a local zone Storage within a zone Local zone mounts a UFS file system from a device Zone1# ls /dev/dsk C1d0s0 Using a DVD drive in the local zone User level NFS server in a local zone Version 3.1-enSolaris 10 Container Guide 3.1 5. Cookbooks Several zones share a file system ZFS in a zoneTank 30.2M 10G 18K None Tank/zone1 16.3M 983M Mnt User attributes for ZFS within a zone Configuring a zone by command file or template Automatic quick installation of zonesWith zonecfg -z zone export -f file of an existing zone − zonecfg -z zone -f file Accelerated automatic creation of zones on a ZFS file system Zones hardening Change network configuration for shared IP instances Set default router for shared IP instanceNetwork Network interfaces for exclusive IP instances IP filter between shared IP zones on a system Set interceptloopback IP filter between exclusive IP zones on a system Zones, networks and routingGlobal and local zone with shared network Implementation NetworkNetwork Zone 1 /etc/hostname.bge1 Zone 2 /etc/hostname.bge2 Zones in separate networks using the shared IP instance Ifconfig bge1 plumb downZoneadm -z zone1 ready Zoneadm -z zone2 ready Set defrouter=192.168.202.2 Zonecfg set ip-type=exclusive Zones in separate networks using exclusive IP instancesZone 1 /etc/hostname.bge1 Zone2 192.168.202.1 are now active 192.168.101.201 Zone 1 /etc/hostname.bge1 Zone1 192.168.201.1,192.168.200.1 and zone2192.168.202.1 Zoneadm -z zone1 boot, zoneadm -z zone2 boot Zone 1 /etc/hostname.bge3 /etc/defaultrouter Load Balancer Boot arguments in zones Booting a zoneRoot password for system maintenance control-d to bypass Software installation per mount Zone migration among systems Software installation with provisioning system∙ Detach the zone with zoneadm -z zone detach Zone migration within a system Global# zoneadm List -vcGlobal Running Native Shared Test Export/home/zone/test Global# zoneadm -z test halt Global Running Native Shared Test Installed Container/test Duplicating zones with zoneadm clone ID Name Status Path Brand 100 Duplicating zones with zoneadm detach/attach and zfs clone 101 Moving a zone between a sun4u and a sun4v system 102 103 Using live upgrade to patch a system with local zones Shutting down a zoneLucreate -c s10-807 -n s10-807+1 -m //dev/dsk/c1t0d0s4ufs Lumount s10-807+1 Reboot Luactivate s10-807+1 init 105 DTrace in a local zone Zone1# dtrace -l tail +2 zone1#Zone accounting Zone audit Limiting the /tmp-size within a zone Swap Tmp Tmpfs Yes Size=250mLimiting the CPU usage of a zone CPU capping Resource pools with processor sets 108 Global # svcs dynamic Dynamic resource pools for zones109 Limiting the physical main memory consumption of a project Implementing memory resource management for zonesRcapadm -z zone1 -m 40m 110 Zone.max-swap Privileged 180MB Deny System 16.0EB Max Global # prctl -i zone zone1 Zone 22 zone1111 Solaris Container in OpenSolaris OpenSolaris generalIpkg-Branded zones 112 Cookbook Installing an ipkg zone Cookbook Configuring an ipkg zone113 References 114