Saturday, January 31, 2015

Solaris 11.2: How to Migrate a Kernel Zone


Become an administrator.
On the global zone, suspend the file system on the kernel zone to be migrated.

#zoneadm -z zonename suspend

For example, to suspend the kernel zone kzone1 on the global zone global:

global# zoneadm -z kzone1 suspend

Detach the kernel zone file system on the global zone.

#zoneadm -z zonename detach

For example, to detach the kernel zone kzone1 on the global zone global:

global# zoneadm -z kzone1 detach

Export the zone configuration and transfer the file to the new host.

# zonecfg -z zonename export | ssh root@newhost zonecfg -z zonename -f -

For example:

global# zonecfg -z kzone1 export | ssh root@global2 zonecfg -z kzone1 -f -

Attach the zone on the new host.

# zoneadm -z zonename attach

For example:

global2# zoneadm -z kzone1 attach

Boot the kernel zone on the new host to resume the migrated zone.

#zoneadm -z zonename boot

For example:

global2# zoneadm -z kzone1 boot

Thursday, January 29, 2015

Solaris 11.2: Cloning a Kernel Zone


Cloning enables you to copy an existing configured and installed zone on your system to a new zone on the same system. The cloned zone includes any customizations of the existing zone. For example, added packages, modified zone resources, and file modifications on the source zone will appear in each cloned zone. Cloning a zone is an efficient way to add additional zones with a similar customized zone configuration.
You can clone a kernel zone in either of the two ways shown in the examples below: with the zoneadm clone command, or by deploying a Unified Archive.
After a kernel zone is cloned, you can boot and log in to the new zone.

Example 1  Cloning a Kernel Zone by Using the zoneadm clone Command.

This example demonstrates how to clone the kernel zone kzone1 to the kernel zone kzone2 on the host global. For a step-by-step procedure, see Cloning a Non-Global Zone on the Same System in Creating and Using Oracle Solaris Zones.

global# zoneadm -z kzone1 halt
global# zonecfg -z kzone2 create -t kzone1
global# zoneadm -z kzone2 clone kzone1
Progress being logged to /var/log/zones/zoneadm.20140327T223951Z.kzone2.clone
Install Log: /system/volatile/install.100847/install_log
AI Manifest: /system/shared/ai.xml
Installation: Starting ...

Creating direct clone image...
Registering dynamic archive transfer
Pre-validating manifest targets before actual target selection
Pre-validation of manifest targets completed
Validating combined manifest and archive origin targets
Commencing transfer of stream: ...
Completed transfer of direct stream: ...
Archive transfer completed
Installation: Succeeded

 

Example 2  Cloning and Deploying a Kernel Zone by Using a Unified Archive

The following example demonstrates cloning and deploying the kernel zone kzone1 by using the archiveadm command. A Unified Archive is created for the kernel zone kzone1. The archive information is verified, and the kernel zone kzone2 is cloned with the modified zone configuration from kzone1. For a step-by-step procedure, see Using Unified Archives for System Recovery and Cloning in Oracle Solaris 11.2.

global# archiveadm create -z kzone1 /var/tmp/kzone1.uar
Unified Archive initialized: /var/tmp/kzone1.uar. \
Logging to: /system/volatile/archive_log.26248
Dataset discovery completed... /
Media creation complete for zone(s)... -
Archive stream creation completed... -
Archive creation completed...
global# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
2 kzone1 running - solaris-kz excl
global# archiveadm info /var/tmp/kzone1.uar
Archive Information
Creation Time: 2014-04-10T17:12:12Z
Source Host: global
Architecture: i386
Operating System: Oracle Solaris 11.2 X86
Deployable Systems: kzone1
global# zonecfg -z kzone2 create -a /var/tmp/kzone1.uar
global# zoneadm -z kzone2 install -a /var/tmp/kzone1.uar
global# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
2 kzone1 running - solaris-kz excl
- kzone2 configured - solaris-kz excl

Wednesday, January 28, 2015

Solaris: VNIC's and vlan tagging


Introduction
I know you can do VLAN tagging without using a VNIC, but my personal preference goes to VNICs for a few reasons: mostly because they have their own MAC address, and to simplify my interface management.
Below you'll find some quick and dirty examples.

Creating a vnic
#dladm create-vnic -l aggr0 host0
#ipadm create-if host0

The above example will create a VNIC named host0 on a link aggregation called aggr0; of course you can create VNICs on normal interfaces or even on etherstubs.
You can drop the ipadm command if you are planning on using the VNIC in a zone or for KVM.


Creating a vnic with a vlan tag
#dladm create-vnic -l trunk0 -v 300 vm0
#ipadm create-if vm0

Same as above, but this time we are using trunk0, which in my case is an aggregation that carries tagged traffic for VLANs 100, 200 and 300. By adding the -v option followed by the VLAN tag, all the traffic will be tagged before it is sent along to the trunk.

Managing a vnic
Some quick references to show all vnics and how to remove them.

Showing the configured VNICs:

#dladm show-vnic

Removing a vnic:

#dladm delete-vnic vm0

Configure additional MACs:
You need to add all the MACs of the zones if you are running SmartOS in QEMU, for example.

#dladm set-linkprop -p secondary-macs=42:8e:a5:23:0e:5b vm0

Link Protection
Quick Reference

Check the current configuration:

#dladm show-linkprop -p protection,allowed-ips vnic0

Disable link protection:

#dladm reset-linkprop -p protection vnic0

Enable anti MAC-spoofing:

#dladm set-linkprop -p protection=mac-nospoof vnic0

Enable anti IP-spoofing:

#dladm set-linkprop -p protection=ip-nospoof vnic0
#dladm set-linkprop -p allowed-ips=172.16.30.75,172.16.20.75 vnic0

Enable anti Client ID/DUID-spoofing:

#dladm set-linkprop -p protection=dhcp-nospoof vnic0

Properties
  • ip-nospoof: limits outgoing traffic to source IPs learned through DHCP or listed in the allowed-ips property.
  • mac-nospoof: prevents the zone admin from changing the MAC address.
  • dhcp-nospoof: prevents Client ID/DUID spoofing for DHCP. Limited to the VNIC's MAC; a different list can be specified using allowed-dhcp-cids.
  • restricted: only allows the IPv4, IPv6 and ARP protocols.
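As an added example (not from the original post), the function below turns the "check the current configuration" step above into an audit across several VNICs: it parses the output of dladm show-linkprop -p protection,allowed-ips and flags links without mac-nospoof, without ip-nospoof, or with ip-nospoof but no allowed-ips (where only DHCP-learned addresses pass, so a statically addressed zone would be cut off). The show-linkprop text here is constructed; on a real host, pipe the command's output into the function instead.

```shell
#!/bin/sh
# Constructed sample of "dladm show-linkprop -p protection,allowed-ips" output
# for three VNICs (not captured from a real host). The POSSIBLE column wraps onto
# continuation lines that carry no LINK/PROPERTY fields; the parser skips those.
SAMPLE='LINK         PROPERTY        PERM VALUE                     DEFAULT  POSSIBLE
vnic0        protection      rw   mac-nospoof,ip-nospoof    --       mac-nospoof,
                                                                     restricted,
                                                                     ip-nospoof,
                                                                     dhcp-nospoof
vnic0        allowed-ips     rw   172.16.30.75,172.16.20.75 --       --
vm0          protection      rw   ip-nospoof                --       mac-nospoof,
                                                                     restricted,
                                                                     ip-nospoof,
                                                                     dhcp-nospoof
vm0          allowed-ips     rw   --                        --       --
host0        protection      rw   --                        --       mac-nospoof,
                                                                     restricted,
                                                                     ip-nospoof,
                                                                     dhcp-nospoof
host0        allowed-ips     rw   --                        --       --'

# audit_protection: reads show-linkprop text on stdin and prints one line per
# link: "<link>: ok" or "<link>: <finding> [<finding>...]".
audit_protection() {
    awk '
        $1 == "LINK" || NF < 4 { next }        # header and wrapped POSSIBLE lines
        $2 == "protection"  { prot[$1] = $4; if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 } }
        $2 == "allowed-ips" { ips[$1] = $4 }
        END {
            for (i = 1; i <= n; i++) {
                l = order[i]; p = prot[l]; a = ips[l]; msg = ""
                if (p !~ /mac-nospoof/) msg = msg " missing:mac-nospoof"
                if (p !~ /ip-nospoof/)  msg = msg " missing:ip-nospoof"
                else if (a == "" || a == "--") msg = msg " ip-nospoof-without-allowed-ips"
                if (msg == "") msg = " ok"
                print l ":" msg
            }
        }'
}

# count_unprotected: number of links with at least one finding (usable as an
# exit status or a monitoring metric).
count_unprotected() {
    audit_protection | grep -vc ': ok$'
}

printf '%s\n' "$SAMPLE" | audit_protection
# vnic0: ok
# vm0: missing:mac-nospoof ip-nospoof-without-allowed-ips
# host0: missing:mac-nospoof missing:ip-nospoof
```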

Solaris: ps command truncating at 80 characters


Last week I got an issue where the application team raised the concern that the "ps" command output is truncated at 80 characters. They were trying to write a script that finds a particular process based on a keyword, but because of the truncated "ps" output they couldn't search for the keyword, so they asked us (Unix) to check it. At first I thought we could fix it easily, but when I dug into it I found some more details and hurdles. Finally I found a solution and recommended it to them. I just want to share those details in this post.
  • /usr/bin/ps  Default ps with SVR4 (System V Release 4) options
  • /usr/ucb/ps  BSD-style options (ucb means University of California, Berkeley)
    root@unixrock# ls -li /usr/bin/ps /usr/ucb/ps
    834 -r-xr-xr-x 66 root bin 5816 Jan 8 2007 /usr/bin/ps
    834 -r-xr-xr-x 66 root bin 5816 Jan 8 2007 /usr/ucb/ps
    root@unixrock#
    root@unixrock# ldd /usr/bin/ps /usr/ucb/ps
    /usr/bin/ps:
    libc.so.1 => /lib/libc.so.1
    libm.so.2 => /lib/libm.so.2
    /usr/ucb/ps:
    libc.so.1 => /lib/libc.so.1
    libm.so.2 => /lib/libm.so.2
    root@unixrock#

"psadmin" is the application user who needs the full output of the process in the "ps" command, but can see only the first 80 characters. They also tried "/usr/ucb/ps auxwww", with the same output. In the output below, the "psadmin" user can see only the first 80 characters of PID 944.
psadmin@unixrock$ uname -a
SunOS unixrock 5.10 Generic_142910-17 i86pc i386 i86pc
psadmin@unixrock$
psadmin@unixrock$ id
uid=100(psadmin) gid=1(other)
psadmin@unixrock$
psadmin@unixrock$ /usr/ucb/ps auxwww|grep -i 944|grep -v grep
USER PID %CPU %MEM SZ RSS TT S START TIME COMMAND
noaccess 944 0.3 7.7133876119764 ? S 02:11:22 3:28 /usr/java/bin/java -server -Xmx128m -XX:+UseParallelGC -XX:ParallelGCThreads=4
psadmin@unixrock$

When we checked as the root user, it worked fine as expected, but a normal user account can't do the same.

root@unixrock#
root@unixrock# /usr/ucb/ps auxwww|grep -i 944|grep -v grep
noaccess 944 0.3 7.7133876119764 ? S 02:11:22 3:29 /usr/java/bin/java -server -Xmx128m -XX:+UseParallelGC -XX:ParallelGCThreads=4 -classpath /usr/share/webconsole/private/container/bin/bootstrap.jar:/usr/share/webconsole/private/container/bin/commons-logging.jar:/usr/share/webconsole/private/container/bin/log4j.jar:/usr/java/lib/tools.jar:/usr/java/jre/lib/jsse.jar -Djava.security.manager -Djava.security.policy==/var/webconsole/domains/console/conf/console.policy -Djavax.net.ssl.trustStore=/var/webconsole/domains/console/conf/keystore.jks -Djava.security.auth.login.config=/var/webconsole/domains/console/conf/consolelogin.conf -Dcatalina.home=/usr/share/webconsole/private/container -Dcatalina.base=/var/webconsole/domains/console -Dcom.sun.web.console.home=/usr/share/webconsole -Dcom.sun.web.console.conf=/etc/webconsole/console -Dcom.sun.web.console.base=/var/webconsole/domains/console -Dcom.sun.web.console.logdir=/var/log/webconsole/console -Dcom.sun.web.console.native=/usr/lib/webconsole -Dcom.sun.web.console.appbase=/var/webconsole/domains/console/webapps -Dcom.sun.web.console.secureport=6789 -Dcom.sun.web.console.unsecureport=6788 -Dcom.sun.web.console.unsecurehost=127.0.0.1 -Dwebconsole.default.file=/etc/webconsole/console/default.properties -Dwebconsole.config.file=/etc/webconsole/console/service.properties -Dcom.sun.web.console.startfile=/var/webconsole/tmp/console_start.tmp -Djava.awt.headless=true -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.NoOpLog org.apache.catalina.startup.Bootstrap start
root 178 0.0 0.2 7112 2944 ? S 02:09:39 0:04 /usr/sbin/nscd
root 476 0.0 0.1 2072 944 ? S 02:10:10 0:00 /usr/sadm/lib/smc/bin/smcboot
root@unixrock#
root@unixrock#
root@unixrock# ps -ef|grep -i 944|grep -v grep
noaccess 944 1 0 02:11:23 ? 3:29 /usr/java/bin/java -server -Xmx128m -XX:+UseParallelGC -XX:ParallelGCThreads=4
root@unixrock#

We tried setting the setuid bit (chmod u+s /usr/ucb/ps) on the executable "/usr/ucb/ps"; it works fine even when executed by a normal user, but it impacts other applications that use the same executable. Our requirement had to be achieved without changing the current permissions. We tried sudo and ACL privileges too, but to no use; the condition stayed the same.

root@unixrock# ls -ltr /usr/ucb/ps
-r-xr-xr-x 66 root bin 5816 Jan 8 2007 /usr/ucb/ps
root@unixrock#
root@unixrock# getfacl /usr/ucb/ps

 
# file: /usr/ucb/ps
# owner: root
# group: bin
user::r-x
group::r-x #effective:r-x
mask:r-x
other:r-x
root@unixrock#

When I dug more, I found the path through RBAC (Role Based Access Control). Here are the steps to achieve our requirement. Our change plan is: Create Profile --> Privilege to profile --> Create Role --> Role to profile --> Role to user
For more about RBAC
Create a profile by appending the line below to /etc/security/prof_attr, then press Ctrl+D to save the changes.


root@unixrock# cp -p /etc/security/prof_attr /etc/security/prof_attr_backup
root@unixrock#
root@unixrock# cat >>/etc/security/prof_attr
psquery:::Processes Query as Root:
root@unixrock#

Add the privilege to the profile by appending the line below to /etc/security/exec_attr, then press Ctrl+D to save the changes.

root@unixrock# cp -p /etc/security/exec_attr /etc/security/exec_attr_backup
root@unixrock#
root@unixrock# cat >>/etc/security/exec_attr
psquery:suser:cmd:::/usr/ucb/ps:privs=proc_owner;uid=0;euid=0;gid=0;egid=0
root@unixrock#

Creating Role 

root@unixrock# roleadd -d /export/home/Rpsadmin -m Rpsadmin
root@unixrock# passwd Rpsadmin
New Password:
Re-enter new Password:
passwd: password successfully changed for Rpsadmin
root@unixrock#

Role to profile 

root@unixrock# rolemod -P "psquery" Rpsadmin
root@unixrock#
root@unixrock# cat /etc/user_attr |grep -i psadmin
Rpsadmin::::type=role;profiles=psquery
root@unixrock#

Role to user 

root@unixrock# usermod -R Rpsadmin psadmin
root@unixrock#
root@unixrock# cat /etc/user_attr |grep -i psadmin
Rpsadmin::::type=role;profiles=psquery
psadmin::::type=normal;roles=Rpsadmin
root@unixrock#

Checking the status.. 

root@unixrock# su - psadmin
Oracle Corporation SunOS 5.10 Generic Patch January 2005
$
$ id
uid=100(psadmin) gid=1(other)
$ su - Rpsadmin
Password:
$
$ id
uid=101(Rpsadmin) gid=1(other)
$
$ /usr/ucb/ps auxwww|grep -i 944|grep -v grep
noaccess 944 0.4 7.7133876119764 ? S 02:11:22 3:32 /usr/java/bin/java -server -Xmx128m -XX:+UseParallelGC -XX:ParallelGCThreads=4 -classpath /usr/share/webconsole/private/container/bin/bootstrap.jar:/usr/share/webconsole/private/container/bin/commons-logging.jar:/usr/share/webconsole/private/container/bin/log4j.jar:/usr/java/lib/tools.jar:/usr/java/jre/lib/jsse.jar -Djava.security.manager -Djava.security.policy==/var/webconsole/domains/console/conf/console.policy -Djavax.net.ssl.trustStore=/var/webconsole/domains/console/conf/keystore.jks -Djava.security.auth.login.config=/var/webconsole/domains/console/conf/consolelogin.conf -Dcatalina.home=/usr/share/webconsole/private/container -Dcatalina.base=/var/webconsole/domains/console -Dcom.sun.web.console.home=/usr/share/webconsole -Dcom.sun.web.console.conf=/etc/webconsole/console -Dcom.sun.web.console.base=/var/webconsole/domains/console -Dcom.sun.web.console.logdir=/var/log/webconsole/console -Dcom.sun.web.console.native=/usr/lib/webconsole -Dcom.sun.web.console.appbase=/var/webconsole/domains/console/webapps -Dcom.sun.web.console.secureport=6789 -Dcom.sun.web.console.unsecureport=6788 -Dcom.sun.web.console.unsecurehost=127.0.0.1 -Dwebconsole.default.file=/etc/webconsole/console/default.properties -Dwebconsole.config.file=/etc/webconsole/console/service.properties -Dcom.sun.web.console.startfile=/var/webconsole/tmp/console_start.tmp -Djava.awt.headless=true -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.NoOpLog org.apache.catalina.startup.Bootstrap start
root 178 0.2 0.2 7112 2944 ? S 02:09:39 0:04 /usr/sbin/nscd
root 476 0.0 0.1 2072 944 ? S 02:10:10 0:00 /usr/sadm/lib/smc/bin/smcboot
$

Cool..!!!..We have done with RBAC.
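As an added example (not from the original post), the shell functions below audit the same three RBAC databases the steps above edit: they resolve a user's direct profiles and role-granted profiles to the exec_attr commands that run with uid=0 or euid=0, and warn about profiles referenced in user_attr that prof_attr does not define. Unlike the setuid approach, which hands the privilege to every user, this shows exactly who can reach /usr/ucb/ps as root. The database contents are constructed copies of the lines from this post, plus an "auditor" user and "Audit Review" profile made up to show a privilege-only entry; on a real host, load the three variables from /etc/user_attr, /etc/security/prof_attr and /etc/security/exec_attr.

```shell
#!/bin/sh
# Constructed copies of the RBAC database lines used in this post (plus a made-up
# "auditor" user). Replace with USER_ATTR=$(cat /etc/user_attr) etc. on a real host.
USER_ATTR='Rpsadmin::::type=role;profiles=psquery
psadmin::::type=normal;roles=Rpsadmin
auditor::::type=normal;profiles=Audit Review'
PROF_ATTR='psquery:::Processes Query as Root:
Audit Review:::Review Audit Trail:'
EXEC_ATTR='psquery:suser:cmd:::/usr/ucb/ps:privs=proc_owner;uid=0;euid=0;gid=0;egid=0
Audit Review:solaris:cmd:::/usr/sbin/praudit:privs=file_dac_read'

# attr_value DB NAME KEY: print the value of KEY=... from the attribute field
# (last colon-separated field) of every DB line whose first field is NAME.
attr_value() {
    printf '%s\n' "$1" | awk -F: -v name="$2" -v key="$3" '
        $1 == name {
            n = split($NF, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq && substr(kv[i], 1, eq - 1) == key) print substr(kv[i], eq + 1)
            }
        }'
}

# Roles and profiles are comma-separated in user_attr; print them one per line
# (profile names may contain spaces, so callers read lines, not words).
roles_of()    { attr_value "$USER_ATTR" "$1" roles    | tr ',' '\n'; }
profiles_of() { attr_value "$USER_ATTR" "$1" profiles | tr ',' '\n'; }

# root_cmds_of PROFILE: exec_attr "cmd" entries of PROFILE whose attributes set
# uid=0 or euid=0, i.e. commands that run with the root identity.
root_cmds_of() {
    printf '%s\n' "$EXEC_ATTR" | awk -F: -v prof="$1" '
        $1 == prof && $3 == "cmd" {
            n = split($7, kv, ";"); root = 0
            for (i = 1; i <= n; i++) if (kv[i] == "uid=0" || kv[i] == "euid=0") root = 1
            if (root) print $6
        }'
}

# profile_defined PROFILE: exit 0 if prof_attr defines the profile. A profile
# that is granted but undefined points at a stale or hand-edited database.
profile_defined() {
    printf '%s\n' "$PROF_ATTR" | awk -F: -v prof="$1" '$1 == prof { found = 1 } END { exit !found }'
}

# audit_user USER: one line per root-running command reachable by USER, in the
# form "USER VIA PROFILE COMMAND", where VIA is "direct" or the granting role.
audit_user() {
    printf '%s\n' "$(profiles_of "$1")" | while IFS= read -r prof; do
        [ -n "$prof" ] || continue
        profile_defined "$prof" || echo "$1 direct $prof UNDEFINED-PROFILE"
        for cmd in $(root_cmds_of "$prof"); do echo "$1 direct $prof $cmd"; done
    done
    printf '%s\n' "$(roles_of "$1")" | while IFS= read -r role; do
        [ -n "$role" ] || continue
        printf '%s\n' "$(profiles_of "$role")" | while IFS= read -r prof; do
            [ -n "$prof" ] || continue
            profile_defined "$prof" || echo "$1 $role $prof UNDEFINED-PROFILE"
            for cmd in $(root_cmds_of "$prof"); do echo "$1 $role $prof $cmd"; done
        done
    done
}

audit_user psadmin   # psadmin Rpsadmin psquery /usr/ucb/ps
audit_user auditor   # prints nothing: praudit gets a privilege, not uid 0
```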
I hope this post helps you, Please share your valuable comments or queries and like the page. 

Solaris: How to check which process is holding the port


Most of the time we are in the situation of having to find the process that is holding a port and causing application issues. This post will help whenever we are in that position. Yes, we can find the process using a port in different ways. Let us start searching.....

root@unixrock # ndd /dev/tcp tcp_listen_hash
TCP zone IP addr port seqnum backlog (q0/q/max)
----skipped------
281 ffffffff81d46440 0 ::ffff:127.0.0.1 00025 00000000 0/0/16
----skipped------

From the above output we can find the process for port 25; please follow the steps below.

root@unixrock # mdb -k
Loading modules:[unix krtld genunix specfs dtrace cpu.generic uppc pcplusmp ufs md mpt ip hook neti sctp arp usba fctl nca lofs audiosup cpc fcip random crypto zfs logindmux ptm sppp sata nfs]
>
> ffffffff81d46440::print tcp_t tcp_rq
tcp_rq = 0xffffffff8961f028
>
> 0xffffffff8961f028::q2stream
ffffffff87052e10
>
> ffffffff87052e10$ 0xffffffff874bc780::whereopen
file ffffffff893689d8
ffffffff88dc8900
>
> ffffffff88dc8900::ps
S PID PPID PGID SID UID FLAGS ADDR NAME
R 935 1 935 935 0 0x52010000 ffffffff88dc8900 sendmail
>
root@unixrock #

Yes!!! We have found the process (sendmail) which is using port 25.

We can also use the lsof utility to find the process using a port, although lsof will not be available on all Solaris servers; we have to install the lsof package. NOTE: This utility can't be used in non-global zones.

root@unixrock # /usr/local/bin/lsof -i :25
lsof: WARNING: access /.lsof_unixrock: No such file or directory
lsof: WARNING: created device cache file: /.lsof_unixrock
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sendmail 935 root 5u IPv4 0xffffffff81d46240 0t0 TCP localhost:smtp (LISTEN)
root@unixrock #

Yes, we have found the process using the port by means of the lsof utility.

Now our concern would be how to check the process using a port at the non-global zone level. Yes, we have the option to do that using our customized script. Please follow the steps...

root@unixrock # cat /var/tmp/check_port.sh
#!/bin/ksh
# check_port.sh - find which PID has a socket bound to a given port by scanning
# the pfiles(1) output of every process (works inside non-global zones too).

CODE='---------------------------------------------'
PID=$(/usr/bin/ps -ef | sed 1d | awk '{print $2}')

if [ $# -eq 0 ]; then
    read PORT?"Enter port you would like to know pid for: "
else
    PORT=$1
fi

# Refuse anything but a plain port number so the grep pattern stays sane
case "$PORT" in
    *[!0-9]*|"") echo "Port must be numeric"; exit 1 ;;
esac

for f in $PID
do
    # Anchor on end of line so port 25 does not also match 250, 2500, ...
    /usr/proc/bin/pfiles $f 2>/dev/null | /usr/xpg4/bin/grep -q "port: ${PORT}\$"
    if [ $? -eq 0 ]; then
        echo $CODE
        echo "Port: $PORT is being used by PID:\c"
        # Match on the PID column only, so PID 93 does not also match 935
        /usr/bin/ps -e -o pid -o args | awk -v pid="$f" '$1 == pid'
    fi
done
exit 0
root@unixrock #

Copy the script and execute it as shown below

root@unixrock # /var/tmp/check_port.sh
Enter port you would like to know pid for: 25
---------------------------------------------
Port: 25 is being used by PID: 935 /usr/lib/sendmail -bl -q15m
root@unixrock #

Yes... We have found the process using the port by executing our customized script.

I hope this post will help you all. If I find some other way, I will share it with you all as well.

Thanks for reading this post. Please leave your valuable comments and queries.

How to Identify Sparse or Whole Root Zones


The first question in your mind is how to identify whether a non-global zone is a Sparse Root or a Whole Root zone in real time. This post will help you find those details in a handy way. Theoretically everyone has good knowledge about Sparse and Whole Root zones, but in real time..... please follow the steps.

 
Here we have 2 non-global zones, but we are not sure which one is Sparse Root and which one is Whole Root. Let us identify them.


[root@unixrock ~]# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / native shared
1 unixrockLZ running /export/zones/unixrockLZ native shared
2 unixrockLZ1 running /export/zones/unixrockLZ1 native shared
[root@unixrock ~]#

There is a command called "pkgcond" that allows you to determine the type of target being operated on (global zone, non-global zone). For more details refer to the man page of pkgcond. I'm executing the command on one local zone; let us see the result.

[root@unixrockLZ ~]# pkgcond -n is_what
can_add_driver=1
can_remove_driver=1
can_update_driver=1
is_alternative_root=0
is_boot_environment=0
is_diskless_client=0
is_global_zone=0
is_mounted_miniroot=0
is_netinstall_image=0
is_nonglobal_zone=1
is_path_writable=1
is_running_system=0
is_sparse_root_nonglobal_zone=0
is_whole_root_nonglobal_zone=1
[root@unixrockLZ ~]#

You can see the parameter "is_whole_root_nonglobal_zone=1" stating that this zone is Whole Root. I'm executing the same command on another LZ.

[root@unixrockLZ1 ~]# pkgcond -n is_what
can_add_driver=1
can_remove_driver=1
can_update_driver=1
is_alternative_root=0
is_boot_environment=0
is_diskless_client=0
is_global_zone=0
is_mounted_miniroot=0
is_netinstall_image=0
is_nonglobal_zone=1
is_path_writable=1
is_running_system=0
is_sparse_root_nonglobal_zone=1
is_whole_root_nonglobal_zone=0
[root@unixrockLZ1 ~]#

You can see the parameter "is_sparse_root_nonglobal_zone=1" stating that this zone is Sparse Root. Is there any way to check the same details from the global zone? Yes, there is; just follow the steps.

[root@unixrock ~]# zonecfg -z unixrockLZ info
zonename: unixrockLZ
zonepath: /export/zones/unixrockLZ
brand: native
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class: FSS
ip-type: shared
hostid:
net:
address: 192.168.1.20/24
physical: e1000g0
[root@unixrock ~]#

The above configuration is for a Whole Root zone.

[root@unixrock ~]# zonecfg -z unixrockLZ1 info
zonepath: /export/zones/unixrockLZ1
brand: native
autoboot: true
bootargs:
pool:
limitpriv:
ip-type: shared
inherit-pkg-dir:
dir: /lib
inherit-pkg-dir:
dir: /platform
inherit-pkg-dir:
dir: /sbin
inherit-pkg-dir:
dir: /usr
net:
address: 192.168.1.21/24
physical: e1000g0
[root@unixrock ~]#

If you find those inherit-pkg-dir entries for /lib, /platform, /sbin and /usr, then we can tell straight away that this is a Sparse Root zone; these directories are shared read-only from its global zone. FYI, we still can't identify the global zone name from its non-global zone unless you have placed a script to find those details, or with "arp -a|grep -i SPLA" you might get several IPs, one of which is the global zone's, but it is hard to find the details that way. I will post soon on how to find the global zone name from a non-global zone in the easiest way. Thanks for reading this post; if you have any doubt please comment, and I will respond to you.

How to Recover Solaris 11 Root Password


Last week I encountered an issue where we were not able to switch to the root user (su - root), as someone had unfortunately changed the root password. Now our goal is to reset the root password on a Solaris 11 server.

High Level Plan:


  • Boot the server from a bootable DVD. (Here I'm using an x86 server.)
  • Import the root pool.
  • Mount the root pool dataset.
  • Edit the shadow file.
  • Reboot the server.
Boot the server from the bootable DVD and select the 3rd option; it will drop you into a shell prompt.



Identify the root pool. Most of the time rpool is the default root pool. However, you can verify with the command below, which shows details of all available pools.

# zpool import |grep -i pool:
pool:rpool
pool:unixrepo
#

Import the root pool (in the example below, rpool is our root pool).

# zpool import -f -R /tmp/rpool rpool
#

Configure the root pool dataset as legacy

# zfs set mountpoint=legacy rpool/ROOT/solaris
#

Mount the rpool dataset on /mnt

# mount -F zfs rpool/ROOT/solaris /mnt
#

Modify the root password

# cp /mnt/etc/shadow /mnt/etc/shadow_backup
# cp /mnt/etc/passwd /mnt/etc/passwd_backup
# TERM=vt100;export TERM
# EDITOR=vi;export EDITOR

Remove the encrypted password entry for root 

# vi /mnt/etc/shadow
root:$5$hzZlNEsJ$iuZHgU4xIQ72LfnmyPj7jzsyn.kbwdl0Ig4lbztnEQ4:16273::::::13888

After removing the encrypted password, the line should look like the one below

# grep -i root /mnt/etc/shadow
root::16273::::::13888
#

Now unmount, set the mountpoint back, export the pool and reboot the server in single-user mode.

# umount /mnt
# zfs set mountpoint=/ rpool/ROOT/solaris
# zpool export rpool
# halt

For x86: boot from the hard disk in single-user mode by editing the GRUB menu: type "e", then find the line which starts with $multiboot /ROOT, add -s at the end of that line and allow the system to boot into single-user mode. Here we can change our root password and reboot the server.

For SPARC: from the OK prompt just enter boot -s, which will allow you to enter single-user mode.

COOL...You have successfully recovered the root passwd on Solaris 11. Please leave your valuable comments and queries.

Solaris 11 - Network Administration / Link Aggregation / IPMP


In this post we will be targeting some advanced features of network administration, such as Link Aggregation and IPMP (IP Multipathing). Before going deep we can look at some basic networking concepts.

 
Basic Concepts :
  • Bandwidth: the bit rate for sending and receiving data over the network.
  • Failover: the capability to have a backup component for one that becomes unavailable.
  • Load balancing: distribution of workload to achieve the best utilization.
Link Aggregation:

Link Aggregation is the combination of two or three physical interfaces on the system which are considered a single logical unit (aggr) that provides better bandwidth, automatic failover, load balancing and redundancy. The links of an aggregation should be at the same speed and in the same mode. We can administer link aggregations with the dladm command by adding, modifying and deleting links.

 
Before starting the aggregation, we have to make sure the physical interfaces are in the same mode (full-duplex) and at the same speed, by executing dladm show-link.
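The same-speed, same-duplex check can be automated. As an added example (not from the original post), the function below reads dladm show-phys output, whose SPEED and DUPLEX columns carry those values, and reports any proposed member that is down, is not a physical link, or is set differently from the first member, so the mismatch is caught before dladm create-aggr runs. The show-phys text here is constructed.

```shell
#!/bin/sh
# Constructed sample of "dladm show-phys" output (not from a real host).
PHYS='LINK              MEDIA                STATE      SPEED  DUPLEX    DEVICE
net0              Ethernet             up         1000   full      e1000g0
net1              Ethernet             up         1000   full      e1000g1
net2              Ethernet             up         1000   full      e1000g2
net3              Ethernet             up         100    half      e1000g3
net4              Ethernet             down       0      unknown   e1000g4'

# check_aggr_members LINK...: reads show-phys text on stdin. Prints one line per
# problem and exits 1, or prints "ok" and exits 0 when every member exists, is
# up, and matches the speed/duplex of the first member that exists.
check_aggr_members() {
    awk -v want="$*" '
        BEGIN { n = split(want, m, " ") }
        $1 == "LINK" { next }                       # header line
        { state[$1] = $3; speed[$1] = $4; duplex[$1] = $5 }
        END {
            bad = 0; ref = ""
            for (i = 1; i <= n; i++) if (ref == "" && (m[i] in state)) ref = m[i]
            for (i = 1; i <= n; i++) {
                l = m[i]
                if (!(l in state)) { print l ": not a physical link"; bad = 1; continue }
                if (state[l] != "up") { print l ": state is " state[l]; bad = 1 }
                if (l != ref && (speed[l] != speed[ref] || duplex[l] != duplex[ref])) {
                    print l ": " speed[l] "/" duplex[l] " differs from " ref " " speed[ref] "/" duplex[ref]
                    bad = 1
                }
            }
            if (!bad) print "ok"
            exit bad
        }'
}

printf '%s\n' "$PHYS" | check_aggr_members net1 net2          # ok
printf '%s\n' "$PHYS" | check_aggr_members net1 net3 || true  # net3: 100/half differs from net1 1000/full
```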

Creating an aggregation link using two interfaces, net1 and net2


root@unixrock:~# dladm create-aggr -l net1 -l net2 aggr0
root@unixrock:~#
root@unixrock:~# dladm show-link
LINK CLASS MTU STATE OVER
net0 phys 1500 up --
net1 phys 1500 up --
net3 phys 1500 up --
net2 phys 1500 up --
aggr0 aggr 1500 up net1 net2
root@unixrock:~#
root@unixrock:~# dladm show-aggr
LINK MODE POLICY ADDRPOLICY LACPACTIVITY LACPTIMER
aggr0 trunk L4 auto off short
root@unixrock:~#

To add another link (net3) to an aggregation (aggr0)

root@unixrock:~# dladm add-aggr -l net3 aggr0
root@unixrock:~# dladm show-link
LINK CLASS MTU STATE OVER
net0 phys 1500 up --
net1 phys 1500 up --
net3 phys 1500 up --
net2 phys 1500 up --
aggr0 aggr 1500 up net1 net2 net3
root@unixrock:~#

To assign an IP address to the aggregation link

root@unixrock:~# ipadm create-addr -T static -a 192.168.113.142 aggr0
ipadm: cannot create address: No such interface
root@unixrock:~#

Oops...... we get an error saying No such interface, which means we have to plumb the IP interface first

root@unixrock:~# ipadm create-ip aggr0
root@unixrock:~# ipadm create-addr -T static -a 192.168.113.142 aggr0
aggr0/v4
root@unixrock:~#

Yes... we have created the aggr0 aggregation link using the net1, net2 and net3 physical links and assigned an IP address too.

root@unixrock:~# dladm show-link
LINK CLASS MTU STATE OVER
net0 phys 1500 up --
net1 phys 1500 up --
net3 phys 1500 up --
net2 phys 1500 up --
aggr0 aggr 1500 up net1 net2 net3
root@unixrock:~#
root@unixrock:~# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
net0/v4test static ok 192.168.113.139/24
aggr0/v4 static ok 192.168.113.142/24
lo0/v6 static ok ::1/128
root@unixrock:~#

To delete/remove a link from an aggregation

root@unixrock:~# dladm show-link
LINK CLASS MTU STATE OVER
net0 phys 1500 up --
net1 phys 1500 up --
net3 phys 1500 up --
net2 phys 1500 up --
aggr0 aggr 1500 up net1 net2 net3
root@unixrock:~# dladm remove-aggr -l net3 aggr0
root@unixrock:~#
root@unixrock:~# dladm show-link
LINK CLASS MTU STATE OVER
net0 phys 1500 up --
net1 phys 1500 up --
net3 phys 1500 unknown --
net2 phys 1500 up --
aggr0 aggr 1500 up net1 net2
root@unixrock:~#

 

IP Multipathing (IPMP)

IP Multipathing (IPMP) provides physical interface failure detection, load balancing of packets and transparent redundancy. IPMP makes it possible to assign the IP address to a group of network interfaces; if any one of the interfaces fails, the group can bind the IP address to another interface from the same IPMP group, giving transparent redundancy. IPMP can be configured for both IPv4 and IPv6. An IPMP group can come up as ACTIVE-ACTIVE or ACTIVE-STANDBY.
Advantages of IPMP
  • Fault tolerance
  • Spreading the load
  • Increased bandwidth
  • Transparent redundancy
  • Works even across different switches
Components of IPMP
  • IPMP daemon : in.mpathd
  • IPMP service : svc:/network/ipmp:default
  • IPMP conf file : /etc/default/mpathd
  • IPMP commands : ipadm, ipmpstat
Let us start by creating an IPMP group, adding IP addresses to the IPMP group, and then disabling and deleting the IPMP group.
Creating the ipmp0 group using the "ipadm create-ipmp" command

root@unixrock:/#
root@unixrock:/# ipadm create-ip net1
root@unixrock:/# ipadm create-ip net2
root@unixrock:/# ipadm create-ip net3
root@unixrock:/# ipadm create-ipmp ipmp0
root@unixrock:/# ipadm add-ipmp -i net1 -i net3 ipmp0
root@unixrock:/# ipmpstat -g
GROUP GROUPNAME STATE FDT INTERFACES
ipmp0 ipmp0 ok -- net3 net1
root@unixrock:/#

Assigning IP to that ipmp0 group

root@unixrock:~# ipadm create-addr -T static -a 192.168.113.145 ipmp0/v4addr1
root@unixrock:~# ipadm create-addr -T static -a 192.168.113.146 ipmp0/v4addr2
root@unixrock:~# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
net0/v4test static ok 192.168.113.139/24
ipmp0/v4addr1 static ok 192.168.113.145/24
ipmp0/v4addr2 static ok 192.168.113.146/24
lo0/v6 static ok ::1/128
root@unixrock:~#

Removing an interface from the IPMP group

root@unixrock:~# ipmpstat -g
GROUP GROUPNAME STATE FDT INTERFACES
ipmp0 ipmp0 ok -- net1 net3
root@unixrock:~#
root@unixrock:~# ipadm remove-ipmp -i net1 ipmp0
root@unixrock:~# ipmpstat -g
GROUP GROUPNAME STATE FDT INTERFACES
ipmp0 ipmp0 ok -- net3
root@unixrock:~#

Adding an interface to the IPMP group

root@unixrock:~# ipmpstat -g
GROUP GROUPNAME STATE FDT INTERFACES
ipmp0 ipmp0 ok -- net3
root@unixrock:~# ipadm add-ipmp -i net2 ipmp0
root@unixrock:~# ipmpstat -g
GROUP GROUPNAME STATE FDT INTERFACES
ipmp0 ipmp0 ok -- net2 net3
root@unixrock:~#

To disable an IPMP group

root@unixrock:~# ipadm disable-if -t ipmp0
root@unixrock:~# ipmpstat -g
root@unixrock:~# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
net0/v4test static ok 192.168.113.139/24
lo0/v6 static ok ::1/128
ipmp0/v4addr1 static disabled 192.168.113.145
ipmp0/v4addr2 static disabled 192.168.113.146
root@unixrock:~#

To delete the IPMP group

root@unixrock:~# ipadm delete-ipmp ipmp0
root@unixrock:~# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
net0/v4test static ok 192.168.113.139/24
lo0/v6 static ok ::1/128
root@unixrock:~#

Some issues encountered and their fixes
ERROR : ipadm: cannot delete IPMP interface ipmp0: IPMP group is not empty 

root@unixrock:~# ipadm delete-ipmp ipmp0
ipadm: cannot delete IPMP interface ipmp0: IPMP group is not empty
root@unixrock:~#
root@unixrock:~# ipmpstat -g
GROUP GROUPNAME STATE FDT INTERFACES
ipmp0 ipmp0 ok -- net1
root@unixrock:~# ipmpstat -i
INTERFACE ACTIVE GROUP FLAGS LINK PROBE STATE
net1 yes ipmp0 --mbM-- up disabled ok
root@unixrock:~# ipadm delete-ip net1
root@unixrock:~# ipadm delete-ipmp ipmp0
root@unixrock:~# ipadm show-if
IFNAME CLASS STATE ACTIVE OVER
lo0 loopback ok yes --
net0 ip ok yes --
net3 ip disabled no --
net2 ip disabled no --
root@unixrock:~#

ERROR: ipadm: cannot create interface net2: Operation not supported on disabled object 
ERROR: ipadm: persistent operation not supported for enable-if

root@unixrock:~# ipadm create-ip net2
ipadm: cannot create interface net2: Operation not supported on disabled object
root@unixrock:~#
root@unixrock:~# ipadm show-if
IFNAME CLASS STATE ACTIVE OVER
lo0 loopback ok yes --
net0 ip ok yes --
net3 ip disabled no --
net2 ip disabled no --
root@unixrock:~#
root@unixrock:~# ipadm enable-if net3
ipadm: persistent operation not supported for enable-if
root@unixrock:~#
root@unixrock:~# ipadm enable-if -t net3
root@unixrock:~# ipadm enable-if -t net2
root@unixrock:~#
root@unixrock:~# ipadm show-if
IFNAME CLASS STATE ACTIVE OVER
lo0 loopback ok yes --
net0 ip ok yes --
net2 ip down no --
net3 ip down no --
root@unixrock:~#

Thanks for reading this post. Please leave your valuable comments and queries; I will get back to you at earliest possible.