Category: Solaris

Aug 23

IPMP on Solaris 10

Solaris has built-in IP Multipathing (IPMP). IPMP can be set up with either probe-based (IP tracking) or link-based failure detection. These are my notes on setting up link-based IPMP on an LDOM with two virtual interfaces.

Set up the two interfaces:

# more /etc/hostname.vnet*
::::::::::::::
/etc/hostname.vnet0
::::::::::::::
myhostname netmask + broadcast + group sol10-ipmp up
::::::::::::::
/etc/hostname.vnet1
::::::::::::::
group sol10-ipmp up

After a reboot, ifconfig shows:

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
vnet0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 10.2.14.53 netmask fffff800 broadcast 10.2.15.255
groupname sol10-ipmp
ether 0:14:4f:fa:b5:34
vnet1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
groupname sol10-ipmp
ether 0:14:4f:fa:42:b5

Take the main interface down:

# if_mpadm -d vnet0
# tail -1 /var/adm/messages
Aug 22 14:46:07 myhostname in.mpathd[285]: [ID 832587 daemon.error] Successfully failed over from NIC vnet0 to NIC vnet1

ifconfig output after the failover:

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
vnet0: flags=89000842<BROADCAST,RUNNING,MULTICAST,IPv4,NOFAILOVER,OFFLINE> mtu 0 index 2
inet 0.0.0.0 netmask 0
groupname sol10-ipmp
ether 0:14:4f:fa:b5:34
vnet1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
groupname sol10-ipmp
ether 0:14:4f:fa:42:b5
vnet1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 10.2.14.53 netmask fffff800 broadcast 10.2.15.255

Recover the main interface:

# if_mpadm -r vnet0

# tail -3 /var/adm/messages
Aug 22 14:46:30 myhostname in.mpathd[285]: [ID 620804 daemon.error] Successfully failed back to NIC vnet0
Aug 22 14:46:30 myhostname in.routed[656]: [ID 417587 daemon.error] IP_ADD_MEMBERSHIP ALLHOSTS: Address already in use
Aug 22 14:46:30 myhostname in.routed[656]: [ID 537788 daemon.warning] Could not join 224.0.0.9 on interface vnet0: Address already in use

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
vnet0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 10.2.14.53 netmask fffff800 broadcast 10.2.15.255
groupname sol10-ipmp
ether 0:14:4f:fa:b5:34
vnet1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
groupname sol10-ipmp
ether 0:14:4f:fa:42:b5
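Added here as an example and not part of the original post: a POSIX shell script that turns the two artifacts shown above (the ifconfig -a listing and the in.mpathd lines in /var/adm/messages) into checks a monitoring job can run. It reports which NIC currently carries the group's data address, which NICs are OFFLINE, and extracts failover/failback events from the log. The interface names, group name and log lines are constructed samples modelled on the output above; on a real host you would pipe the live command output in instead.

```shell
#!/bin/sh
# Added example, not part of the original post: health checks for a link-based
# IPMP group driven by text captured from `ifconfig -a` and /var/adm/messages.
# On a real host pipe the live output in (ifconfig -a | ipmp_carrier sol10-ipmp);
# here the inputs are constructed samples modelled on the post's failed-over state.

IFCONFIG_SAMPLE='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
vnet0: flags=89000842<BROADCAST,RUNNING,MULTICAST,IPv4,NOFAILOVER,OFFLINE> mtu 0 index 2
    inet 0.0.0.0 netmask 0
    groupname sol10-ipmp
    ether 0:14:4f:fa:b5:34
vnet1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
    inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
    groupname sol10-ipmp
    ether 0:14:4f:fa:42:b5
vnet1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
    inet 10.2.14.53 netmask fffff800 broadcast 10.2.15.255'

# Constructed /var/adm/messages excerpt in the same shape as the post's in.mpathd lines.
MESSAGES_SAMPLE='Aug 22 14:46:07 myhostname in.mpathd[285]: [ID 832587 daemon.error] Successfully failed over from NIC vnet0 to NIC vnet1
Aug 22 14:46:30 myhostname in.mpathd[285]: [ID 620804 daemon.error] Successfully failed back to NIC vnet0'

# ipmp_records: reduce ifconfig text on stdin to one "nic group flags addr"
# line per physical NIC that belongs to an IPMP group. The data address is
# taken from whichever logical interface (vnet1:1 -> vnet1) holds a non-zero
# IPv4 address, which is where in.mpathd parks it after a failover.
ipmp_records() {
    awk '
        $1 ~ /^[a-z0-9]+(:[0-9]+)?:$/ {
            name = $1; sub(/:$/, "", name)
            parts = split(name, p, ":"); nic = p[1]; seen[nic] = 1
            if (parts == 1) flags[nic] = $2     # flags of the physical NIC only
            next
        }
        $1 == "groupname" { group[nic] = $2; next }
        $1 == "inet" && $2 != "0.0.0.0" && $2 != "127.0.0.1" { addr[nic] = $2 }
        END {
            for (n in seen) if (n in group) {
                a = (n in addr) ? addr[n] : "-"
                printf "%s %s %s %s\n", n, group[n], flags[n], a
            }
        }' | sort
}

# ipmp_carrier GROUP: the physical NIC currently carrying GROUP's data address.
ipmp_carrier() {
    ipmp_records | awk -v g="$1" '$2 == g && $4 != "-" { print $1 }'
}

# ipmp_offline GROUP: NICs in GROUP that carry the OFFLINE flag (if_mpadm -d
# or a detected link failure); an empty result means the group is healthy.
ipmp_offline() {
    ipmp_records | awk -v g="$1" '$2 == g && index($3, "OFFLINE") { print $1 }'
}

# mpathd_events: turn in.mpathd syslog lines on stdin into
# "FAILOVER <from> <to>" / "FAILBACK <nic>" events for a log pipeline to alert on.
mpathd_events() {
    awk '
        /in\.mpathd\[/ && /Successfully failed over from NIC/ { print "FAILOVER", $(NF-3), $NF; next }
        /in\.mpathd\[/ && /Successfully failed back to NIC/   { print "FAILBACK", $NF }'
}

# Stand-alone run over the constructed samples.
ipmp_demo() {
    grp=sol10-ipmp
    printf 'data address for %s is on: %s\n' "$grp" "$(printf '%s\n' "$IFCONFIG_SAMPLE" | ipmp_carrier "$grp")"
    printf 'offline NICs in %s: %s\n' "$grp" "$(printf '%s\n' "$IFCONFIG_SAMPLE" | ipmp_offline "$grp")"
    printf '%s\n' "$MESSAGES_SAMPLE" | mpathd_events
}
ipmp_demo
```

Because the parsing is field-based rather than indentation-based, it works on both the tab-indented output Solaris prints and the flattened copy shown above; a healthy group yields an empty ipmp_offline result and the carrier is the primary NIC.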


Jul 15

Solaris SMF Not Updating resolv.conf

I recently had an issue where Solaris SMF would not update my /etc/resolv.conf file, even though "svccfg -s network/dns/client listprop config" showed the entries for my DNS client correctly; trying an SMF export made no difference, SMF simply refused to update resolv.conf. I dug around in the method scripts a bit and saw the "delcust" option. After clearing everything out I could add my entries back into the SMF DNS client configuration, and resolv.conf updated automatically on a refresh.

The delcust line is in the dns-client method script:

root@t41:/lib/svc/method# more dns-client
...
'unconfigure')
 # Permanently shutdown service
 svcadm disable $SMF_FMRI
 # Unroll any admin customization
 svccfg -s svc:/network/dns/client delcust
...

Delete the customizations:

root@t41:/lib/svc/method# svccfg -s svc:/network/dns/client delcust
Deleting customizations for service: network/dns/client

root@t41:/lib/svc/method# svcs -a | grep dns/client
online 14:21:02 svc:/network/dns/client:default

root@t41:/lib/svc/method# svcadm disable svc:/network/dns/client

root@t41:/lib/svc/method# svcs -a | grep dns/client
disabled 14:17:40 svc:/network/dns/client:default

root@t41:/lib/svc/method# svccfg -s network/dns/client listprop config
config application
config/value_authorization astring solaris.smf.value.name-service.dns.client

Add the DNS values back:

root@t41:/lib/svc/method# svccfg -s network/dns/client setprop config/nameserver = net_address: "(10.200.10.10)"
root@t41:/lib/svc/method# svccfg -s network/dns/client setprop config/domain = astring: domain1.com
root@t41:/lib/svc/method# svccfg -s network/dns/client setprop config/search = astring: '("domain1.com" "domain2.com")'

root@t41:/lib/svc/method# svccfg -s network/dns/client listprop config
config application
config/value_authorization astring solaris.smf.value.name-service.dns.client
config/nameserver net_address 10.200.10.10
config/domain astring domain1.com
config/search astring "domain1.com" "domain2.com"

root@t41:/lib/svc/method# svcadm refresh network/dns/client
root@t41:/lib/svc/method# more /etc/resolv.conf
...
domain domain1.com
search domain1.com domain2.com
nameserver 10.200.10.10

Check nsswitch as well:

root@t41:/lib/svc/method# svccfg -s name-service/switch listprop config
config application
config/default astring files
config/value_authorization astring solaris.smf.value.name-service.switch
config/printer astring "user files"
config/host astring "files dns"

root@t41:/lib/svc/method# grep host /etc/nsswitch.conf
hosts: files dns
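Added example, not from the original post: a drift check that renders the resolv.conf SMF would write from the listprop output and compares it with the file on disk, so the mismatch described above is caught by a routine check rather than noticed when name resolution breaks. The listprop text and the stale resolv.conf are constructed samples (a second nameserver, 10.200.10.11, is included to show a multi-valued property); on a real host pipe the live svccfg output and the file in.

```shell
#!/bin/sh
# Added example, not part of the original post: detect drift between the DNS
# client settings SMF holds for network/dns/client and what /etc/resolv.conf
# actually says. Inputs are constructed samples in the shape of
# `svccfg -s network/dns/client listprop config` output and a resolv.conf.

LISTPROP_SAMPLE='config application
config/value_authorization astring solaris.smf.value.name-service.dns.client
config/nameserver net_address 10.200.10.10 10.200.10.11
config/domain astring domain1.com
config/search astring "domain1.com" "domain2.com"'

# A resolv.conf SMF failed to rewrite (constructed): old nameserver, short search list.
RESOLV_STALE='# generated by a previous refresh
domain domain1.com
search domain1.com
nameserver 10.200.10.9'

# smf_expected_resolv: render the resolv.conf SMF would write from listprop
# text on stdin (domain, search, then one nameserver line per value).
smf_expected_resolv() {
    awk '
        $1 == "config/domain"     { dom = $3 }
        $1 == "config/search"     { srch = ""
                                    for (i = 3; i <= NF; i++) { v = $i; gsub("\"", "", v); srch = srch " " v } }
        $1 == "config/nameserver" { for (i = 3; i <= NF; i++) ns = ns "nameserver " $i "\n" }
        END {
            if (dom != "")  print "domain " dom
            if (srch != "") print "search" srch
            printf "%s", ns
        }'
}

# resolv_drift EXPECTED ACTUAL: compare two resolv.conf texts line by line,
# ignoring comments and blank lines; prints MISSING/EXTRA lines, nothing when
# they agree. A marker line separates the two inputs on awk's stdin.
resolv_drift() {
    printf '%s\n@@SPLIT@@\n%s\n' "$1" "$2" | awk '
        /^@@SPLIT@@$/ { actual = 1; next }
        /^[ \t]*#/ || NF == 0 { next }
        !actual { want[$0] = 1; next }
        { have[$0] = 1; if (!($0 in want)) print "EXTRA", $0 }
        END { for (l in want) if (!(l in have)) print "MISSING", l }' | sort
}

# Stand-alone run: what SMF would write versus the stale file.
resolv_demo() {
    expected=$(printf '%s\n' "$LISTPROP_SAMPLE" | smf_expected_resolv)
    printf 'expected from SMF:\n%s\n--- drift against /etc/resolv.conf ---\n' "$expected"
    resolv_drift "$expected" "$RESOLV_STALE"
}
resolv_demo
```

An empty drift report is the healthy case; any MISSING line means the file was not regenerated after the SMF properties changed, which is the symptom that led to the delcust step above.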


Jul 10

Solaris Display xterm Remote

I had to do the following to display an X terminal remotely.

Solaris 10:
This initial Solaris install was done with the X packages, so I did not need to install anything specific for xauth or xterm.

$ ssh -X root@t41-ldom2
Password:
Last login: Wed Jul 10 10:07:30 2013
/usr/openwin/bin/xauth: creating new authority file /root/.Xauthority
Oracle Corporation SunOS 5.10 Generic Patch January 2005
root@ldom2:~# /usr/openwin/bin/xterm

Solaris 11:

First install a couple of packages. If you previously installed more of the X packages you might not need these two.

root@ldom1:~# pkg install pkg:/terminal/xterm@271-0.175.1.0.0.24.1317
root@ldom1:~# pkg install pkg:/x11/session/xauth@1.0.7-0.175.1.0.0.24.1317

Log in with -X:

$ ssh -X root@t41-ldom1
Password:
Last login: Wed Jul 10 10:11:49 2013
Oracle Corporation SunOS 5.11 11.1 September 2012
You have new mail.
root@ldom1:~# xterm


Jul 10

Using Bash for root user on Solaris 10

By default Solaris 10 uses "/" as root's home directory and plain sh as the shell. If you want to use /root as the home directory and bash as the shell, for consistency with Solaris 11, you can do the following.

...
Oracle Corporation SunOS 5.10 Generic Patch January 2005

root@ldom2:~# grep root /etc/passwd
root:x:0:0:Super-User:/root:/usr/bin/bash

root@ldom2:~# mkdir /root
root@ldom2:~# pwd
/root

root@ldom2:~# cat .profile
#
# Simple profile places /usr/bin at front, followed by /usr/sbin.
#
# Use less(1) or more(1) as the default pager for the man(1) command.
#
export PATH=/usr/bin:/usr/sbin

if [ -f /usr/bin/less ]; then
 export PAGER="/usr/bin/less -ins"
elif [ -f /usr/bin/more ]; then
 export PAGER="/usr/bin/more -s"
fi

#
# Define default prompt to <username>@<hostname>:<path><"($|#) ">
# and print '#' for user "root" and '$' for normal users.
#
# Currently this is only done for bash/pfbash(1).
#

case ${SHELL} in
*bash)
 typeset +x PS1="\u@\h:\w\\$ "
 ;;
esac

root@ldom2:~# cat .bashrc
#
# Define default prompt to <username>@<hostname>:<path><"($|#) ">
# and print '#' for user "root" and '$' for normal users.
#

typeset +x PS1="\u@\h:\w\\$ "

Log out and back in; your shell should now be bash and the prompt fixed as well.


Jul 01

Solaris 11 enable root user

Solaris uses Role-Based Access Control (RBAC), which is a better way to allow system access to defined users and escalate privileges only through roles. Kind of like sudo.

If you have an environment where you just don't care and want users to access the system in the traditional root manner, you can do the following:

# rolemod -K type=normal root
# grep PermitRoot /etc/ssh/sshd_config
PermitRootLogin yes
# svcadm refresh svc:/network/ssh:default
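Added example, not from the original post: an audit check for the two settings changed above, reading user_attr(4) and sshd_config in their real formats. It reports whether root is still a role and which PermitRootLogin value is in effect, so hosts opened up this way can be listed from a fleet inventory. The file excerpts are constructed samples and the verdict labels are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit root's account type in
# /etc/user_attr and PermitRootLogin in /etc/ssh/sshd_config. Inputs are
# constructed samples in the real file formats; on a host feed the actual files in.

# Constructed user_attr lines: first as the post leaves it (type=normal), then
# the Solaris 11 default (root is a role).
USER_ATTR_AFTER='# user_attr excerpt (constructed)
root::::type=normal;auths=solaris.*;profiles=All;audit_flags=lo\:no;lock_after_retries=no
adm::::profiles=Log Management'
USER_ATTR_DEFAULT='root::::type=role;auths=solaris.*;profiles=All;audit_flags=lo\:no;lock_after_retries=no'

# Constructed sshd_config excerpts: as the post leaves it, then the default.
SSHD_AFTER='# sshd_config excerpt (constructed)
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes'
SSHD_DEFAULT='Protocol 2
PermitRootLogin no
PasswordAuthentication yes'

# user_attr_type USER: "role" or "normal" for USER from user_attr text on stdin.
# Field 5 is a ;-separated key=value list; colons inside it are escaped as \:
# so fields 5..NF are re-joined before parsing. type defaults to normal.
user_attr_type() {
    awk -F: -v u="$1" '
        /^#/ || NF < 5 || $1 != u { next }
        {
            attrs = $5; for (i = 6; i <= NF; i++) attrs = attrs ":" $i
            type = "normal"
            n = split(attrs, kv, ";")
            for (i = 1; i <= n; i++) if (kv[i] ~ /^type=/) type = substr(kv[i], 6)
            print type; done = 1; exit
        }
        END { if (!done) print "absent" }'
}

# sshd_permit_root: effective PermitRootLogin from sshd_config text on stdin.
# sshd honours the first occurrence of a keyword, so stop at the first match
# and at the first Match block (per-host overrides are out of scope here);
# "unset" means the compiled-in default applies.
sshd_permit_root() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { v = $2; exit }
        END { print (v == "" ? "unset" : v) }'
}

# root_ssh_posture USER_ATTR_TEXT SSHD_TEXT: one-line verdict. A role cannot
# log in directly at all, so ROLE-ONLY wins regardless of sshd's setting.
root_ssh_posture() {
    rtype=$(printf '%s\n' "$1" | user_attr_type root)
    prl=$(printf '%s\n' "$2" | sshd_permit_root)
    case "$rtype/$prl" in
        role/*)                                           verdict=ROLE-ONLY ;;
        normal/yes)                                       verdict=DIRECT-ROOT-SSH ;;
        normal/without-password|normal/prohibit-password) verdict=KEY-ONLY-ROOT-SSH ;;
        *)                                                verdict=NO-DIRECT-ROOT-SSH ;;
    esac
    printf '%s (root type=%s, PermitRootLogin=%s)\n' "$verdict" "$rtype" "$prl"
}

# Stand-alone run: the post's end state, then the Solaris 11 default.
root_ssh_posture "$USER_ATTR_AFTER" "$SSHD_AFTER"
root_ssh_posture "$USER_ATTR_DEFAULT" "$SSHD_DEFAULT"
```

Run against the real files with `root_ssh_posture "$(cat /etc/user_attr)" "$(cat /etc/ssh/sshd_config)"`; DIRECT-ROOT-SSH is the state the commands above produce.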


Dec 10

Solaris Samba with Local Users

Most users would now be using Solaris 11 with the integrated CIFS kernel modules and manage SMB sharing from ZFS directly, so this post does not describe the "right" way of doing things. I recently had to support a Solaris 11 Express server running Samba with local users, so I made a few useful notes here.

Server specifics:

root@server1:/etc/samba# uname -a
SunOS server1 5.11 snv_151a i86pc i386 i86pc Solaris

# prtdiag
System Configuration: Sun Microsystems Sun Fire X2200 M2 with Quad Core Processor
BIOS Configuration: Sun Microsystems S39_3D12 10/06/2008
BMC Configuration: IPMI 1.5 (KCS: Keyboard Controller Style)
...

# smbd -V
Version 3.5.5

# svcs | grep samba
online         2011     svc:/network/samba:default

# ps -ef | grep mbd
root  1621     1   0   Nov 20 ?          64:55 /usr/sbin/nmbd -D
root  3421  1617   0   Dec 10 ?           0:07 /usr/sbin/smbd -D

...

Add a user:

# useradd rrosso

# mkdir /server1/home/rrosso

# chown rrosso /server1/home/rrosso

# grep rrosso /etc/passwd
rrosso:x:151:10:Riaan Rossouw:/server1/home/rrosso:/bin/ksh

# pwconv

# smbpasswd -a rrosso
New SMB password:
Retype new SMB password:
Added user rrosso.

# pdbedit -L -v rrosso
Unix username:        rrosso
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1747637251-3107012253-2823653391-1004
Primary Group SID:    S-1-5-21-1747637251-3107012253-2823653391-513
Full Name:            Riaan Rossouw
Home Directory:       \\server1\rrosso
HomeDir Drive:
Logon Script:
Profile Path:         \\server1\rrosso\profile
Domain:               SERVER1
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Tue, 11 Dec 2012 14:00:22 EST
Password can change:  Tue, 11 Dec 2012 14:00:22 EST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Share specifics:

# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (256) below minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[Backups]"
...
[Backups]
comment = IT Backups Folder
path = /server1/backup
valid users = rrosso
read only = No
create mask = 0777
force create mode = 0777
force directory mode = 0777
force directory security mode = 0777
volume = FileServer
follow symlinks = No
...
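Added example, not from the original post: a small lint for smb.conf text (or a testparm -s dump of it) that flags writable shares with no "valid users" restriction and create/force modes whose world bits include write, the two points a reviewer would raise about the share above. The configuration is a constructed sample: [Backups] mirrors the post's share, and [Scratch] is invented to show an unrestricted writable share.

```shell
#!/bin/sh
# Added example, not part of the original post: lint smb.conf text for
# writable shares without "valid users" and for world-writable create/force
# modes. The configuration below is a constructed sample.

SMBCONF_SAMPLE='[global]
    workgroup = WORKGROUP
    security = user

[homes]
    comment = Home Directories
    read only = No

[Backups]
    comment = IT Backups Folder
    path = /server1/backup
    valid users = rrosso
    read only = No
    create mask = 0777
    force create mode = 0777
    force directory mode = 0777
    force directory security mode = 0777
    volume = FileServer
    follow symlinks = No

[Scratch]
    path = /server1/scratch
    read only = No
    create mask = 0644
    force directory mode = 0755'

# smb_lint: read smb.conf text on stdin, print one finding per line, sorted.
#   WRITABLE-UNRESTRICTED <share>            read only = No (or writable/writeable = Yes)
#                                            and no valid users list
#   WORLD-WRITE-BITS <share> <key> <mode>    create/directory mask or force mode whose
#                                            "other" octal digit has the write bit set
# [global], [homes] and [printers] are skipped: they are not ordinary shares.
smb_lint() {
    awk '
        /^[ \t]*[;#]/ || NF == 0 { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec); secs[sec] = 1; next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            conf[sec, tolower(key)] = tolower(val)
        }
        END {
            split("create mask,directory mask,force create mode,force directory mode", keys, ",")
            for (s in secs) {
                if (s == "global" || s == "homes" || s == "printers") continue
                writable = (conf[s, "read only"] == "no" || conf[s, "writable"] == "yes" || conf[s, "writeable"] == "yes")
                if (writable && conf[s, "valid users"] == "") print "WRITABLE-UNRESTRICTED", s
                for (k in keys) {
                    m = conf[s, keys[k]]
                    if (m != "" && substr(m, length(m), 1) ~ /[2367]/) print "WORLD-WRITE-BITS", s, keys[k], m
                }
            }
        }' | sort
}

# Stand-alone run over the constructed configuration.
smb_lint_demo() {
    printf '%s\n' "$SMBCONF_SAMPLE" | smb_lint
}
smb_lint_demo
```

On a live server `testparm -s 2>/dev/null | smb_lint` gives the same report against the effective configuration; the force modes of 0777 on the share above show up as three WORLD-WRITE-BITS findings even though valid users limits who can reach the share.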


Dec 07

ZFS Grow rpool disk

Growing disks for virtual machines has become pretty trivial with tools like live CDs and gparted. Recently I had to grow my Solaris 11 disk from 16GB to 20GB, and of course on Solaris it's a ZFS volume.

I don't think gparted can resize the Solaris2 partitions used by Solaris 11, so I did the resize on a running system using format. There might be a better way, and I advise you NOT to do this on a critical system. Nonetheless it worked for me on a VirtualBox as well as a KVM virtual machine.

Resizing the disk on the host side is out of scope; there are a myriad of ways to accomplish that, for instance lvextend when using LVM. In this case I documented the resize as performed with VirtualBox.

Also note this only worked on Solaris x86. On SPARC there is no expand option for the partition in the format tool. There is a way to resize a system disk but it is pretty painful; search my blog for Growing Solaris LDOM rpool.

Resize the disk on the host:

$ vboxmanage showhdinfo Solaris11.vdi
Logical size:         16384 MBytes
Current size on disk: 9818 MBytes

$ vboxmanage modifyhd Solaris11.vdi --resize 20000
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%

$ vboxmanage showhdinfo Solaris11.vdi
Logical size:         20000 MBytes
Current size on disk: 9819 MBytes

Information before the disk resize:

root@solaris:~# uname -a
SunOS solaris 5.11 11.1 i86pc i386 i86pc

root@solaris:~# zpool status rpool
  pool: rpool
        NAME        STATE     READ WRITE CKSUM
        rpool       ONLINE       0     0     0
          c3t0d0s0  ONLINE       0     0     0

root@solaris:~# df -h | grep rpool
rpool/ROOT/solaris-2    16G   3.8G       7.0G    36%    /

root@solaris:~# format
AVAILABLE DISK SELECTIONS:
       0. c3t0d0 <ATA-VBOX HARDDISK-1.0 cyl 2085 alt 2 hd 255 sec 63>
          /pci@0,0/pci8086,2829@d/disk@0,0
Specify disk (enter its number): 0
selecting c3t0d0
[disk formatted]
/dev/dsk/c3t0d0s0 is part of active ZFS pool rpool. Please see zpool(1M).

...
partition> pr
Current partition table (original):
Total disk cylinders available: 2085 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders        Size            Blocks
  0       root    wm       1 - 2084       15.96GB    (2084/0/0) 33479460
  1 unassigned    wm       0               0         (0/0/0)           0
  2     backup    wu       0 - 2086       15.99GB    (2087/0/0) 33527655
  8       boot    wu       0 -    0        7.84MB    (1/0/0)       16065

...

Total disk size is 2088 cylinders
Cylinder size is 16065 (512 byte) blocks

                                               Cylinders
      Partition   Status    Type          Start   End   Length    %
      =========   ======    ============  =====   ===   ======   ===
          1       Active    Solaris2          1  2087    2087    100

Physical disk information after the resize at the host level:

...
Total disk size is 2549 cylinders
Cylinder size is 16065 (512 byte) blocks

                                               Cylinders
      Partition   Status    Type          Start   End   Length    %
      =========   ======    ============  =====   ===   ======   ===
          1       Active    Solaris2          1  2087    2087     82

Tell the OS about the new size using expand:

...
partition> expand
Expansion of label cannot be undone; continue (y/n) ? y
The expanded capacity was added to the disk label.
Disk label was written to disk.

partition> pr
Current partition table (original):
Total disk cylinders available: 2546 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders        Size            Blocks
  0       root    wm       1 - 2084       15.96GB    (2084/0/0) 33479460
  2     backup    wu       0 - 2086       15.99GB    (2087/0/0) 33527655
  8       boot    wu       0 -    0        7.84MB    (1/0/0)       16065

Make the changes to the partition table. I removed the "backup" slice (slice 2) as well since I don't need it.

...
partition> pr
Current partition table (unnamed):
Total disk cylinders available: 2546 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders        Size            Blocks
  0       root    wm       1 - 2545       19.50GB    (2545/0/0) 40885425
  8       boot    wu       0 -    0        7.84MB    (1/0/0)       16065

partition> label
Ready to label disk, continue? y

Finally, scrub and grow ZFS:

root@solaris:~# zpool scrub rpool

root@solaris:~# zpool status rpool
  pool: rpool
 state: ONLINE
  scan: scrub in progress since Fri Dec  7 14:21:25 2012
    11.8M scanned out of 8.57G at 670K/s, 3h43m to go
    0 repaired, 0.13% done
config:

        NAME        STATE     READ WRITE CKSUM
        rpool       ONLINE       0     0     0
          c3t0d0s0  ONLINE       0     0     0

root@solaris:~# zpool set autoexpand=on rpool

root@solaris:~# zpool get all rpool | grep size
rpool  size          19.4G

root@solaris:~# df -h | grep ROOT
rpool/ROOT/solaris-2         19G  3.8G        10G    27%    /
rpool/ROOT/solaris-2/var    19G   955M        10G     9%    /var

root@solaris:~# zpool set autoexpand=off rpool
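Added example, not from the original post: the arithmetic behind the partition tables above, as shell functions that recompute a slice's block count and size and check that a hand-edited slice fits inside the available cylinders before label is run. The assumptions are taken from the output shown (16065 blocks of 512 bytes per cylinder, "N available cylinders" meaning cylinders 0..N-1, cylinder 0 reserved for the boot slice 8); nothing here touches a disk.

```shell
#!/bin/sh
# Added example, not part of the original post: reproduce the arithmetic behind
# format's partition table so a hand-edited slice can be checked before `label`.
# Assumptions from the post's own output: a cylinder is 16065 blocks of 512
# bytes, "Total disk cylinders available: N" means cylinders 0..N-1 are usable,
# and cylinder 0 is reserved for the boot slice (slice 8).

CYL_BLOCKS=16065

# slice_blocks START END: blocks in the cylinder range START..END inclusive.
slice_blocks() {
    echo $(( ($2 - $1 + 1) * CYL_BLOCKS ))
}

# blocks_to_size BLOCKS: size as format prints it (GB with two decimals for
# anything >= 1 GB, otherwise MB; 1 GB = 2^30 bytes).
blocks_to_size() {
    awk -v b="$1" 'BEGIN {
        bytes = b * 512
        if (bytes >= 1073741824) printf "%.2fGB", bytes / 1073741824
        else printf "%.2fMB", bytes / 1048576
    }'
}

# root_slice_plan AVAIL: the largest root slice that fits a disk reporting
# AVAIL available cylinders, printed in the layout format uses.
root_slice_plan() {
    end=$(( $1 - 1 ))
    blocks=$(slice_blocks 1 "$end")
    printf '0 root wm 1 - %d %s (%d/0/0) %d\n' "$end" "$(blocks_to_size "$blocks")" "$end" "$blocks"
}

# slice_fits START END AVAIL: succeeds when the slice lies inside cylinders
# 1..AVAIL-1, fails when it would overlap the boot slice or run off the disk.
slice_fits() {
    [ "$1" -ge 1 ] && [ "$2" -ge "$1" ] && [ "$2" -le $(( $3 - 1 )) ]
}

# Stand-alone run: the root slice before and after the expand step in the post,
# then a fit check for the enlarged slice against the old and new geometry.
for avail in 2085 2546; do
    printf 'available=%d -> %s\n' "$avail" "$(root_slice_plan "$avail")"
done
if slice_fits 1 2545 2085; then echo "1-2545 fits in 2085 cylinders"; else echo "1-2545 does not fit before expand"; fi
if slice_fits 1 2545 2546; then echo "1-2545 fits in 2546 cylinders"; else echo "1-2545 does not fit after expand"; fi
```

The two plans reproduce the 15.96GB/33479460 and 19.50GB/40885425 rows shown above, and the boot slice's 16065 blocks come out as 7.84MB; slice_fits is the check to run on your own numbers before typing them into the partition menu.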


Nov 06

Solaris Idmap Problems

When using the kernel-enabled CIFS server on Solaris 11, we found that the idmap service picks Domain Controllers located across a WAN link, which causes two problems:
A) slow authentication; or, even worse,
B) idmap will use a server that disappears when a WAN link goes down, which causes havoc.

After watching the debug logs I can see that idmap scans the SRV records in DNS to get a list of Domain Controllers in the forest. Even when config/site_name (not a well-documented setting) is set in the SMF properties for idmap, the discovery process still cycles through the whole list of DCs in the forest. If the first one is unreachable it keeps going until it finds one. The order of the SRV records is pretty much random, since Active Directory assigns the same weight (100 in the SRV records) to every entry. So in our case the discovery routine of idmap uses basically a random server from a list of 21 Domain Controllers, no matter where they live, as long as it is reachable through LDAP.

If the idmap service would just use the DCs listed for the specific site we specify for this CIFS server, this would be a much more stable service. It's possible this is a bug that needs to be reported to Sun (Oracle); I am not sure.

My workaround:

In my case I made local firewall rules on the remote Windows Domain Controllers we did not want used to block the specific Solaris CIFS servers from connecting to them. So the idmap logs will still show the unsuccessful attempts to connect to unreachable servers during discovery, but at least it will not be able to use them. Whereas without the firewall block idmap would happily attach to a reachable DC in India or Australia.

PS C:\Users\Administrator.DOMAIN> netsh advfirewall firewall add rule name="Block Solaris IDMAPD" dir=In new remoteip="172.19.8.62/32,172.19.8.64/32,172.21.8.33/32" Action="Block" protocol="Any" Profile="Domain,Private,Public" enable="no"

Ok.

PS C:\Users\Administrator.DOMAIN> netsh advfirewall firewall show rule name="Block Solaris IDMAPD"

Rule Name:                            Block Solaris IDMAPD
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             172.19.8.62/32,172.19.8.64/32,172.21.8.33/32
Protocol:                             Any
Edge traversal:                       No
Action:                               Block
Ok.

PS C:\Users\Administrator.DOMAIN> netsh advfirewall firewall set rule name="Block Solaris IDMAPD" new enable="yes"

Updated 1 rule(s).
Ok.

Log entries look like this:

# pwd
/var/svc/log

# tail -f system-idmap:default.log
LDAP: frdc001.domain.com:389: Can't connect to the LDAP server
frdc001.sonosite.com: Can't connect to the LDAP server - Operation now in progress
LDAP: dedc002.domain.com:389: Can't connect to the LDAP server
dedc002.sonosite.com: Can't connect to the LDAP server - Operation now in progress
Using server usdc001.sonosite.com:3268

** Note:
Unfortunately the "Using server" log entry is specific to SunOS 5.11 151.0.1.8, which I think translates to Solaris 11 Express. Even with debugging turned on for all, discovery or ldap, I did not get the "Using server" entries on 5.11 11.0.

Check what DNS shows for the forest. In our case, 21 DCs:

# dig _ldap._tcp.domain.com SRV +short
;; Truncated, retrying in TCP mode.
0 100 389 frdc001.domain.com.
<snip>
0 100 389 indc002.domain.com.

Set debugging higher. Play with these; debug/all might be too noisy, especially on a server that is in use:

# svccfg -s idmap setprop 'debug/all = integer: 0'
# svccfg -s idmap setprop 'debug/ldap = integer: 1'
# svccfg -s idmap setprop 'debug/discovery = integer: 1'

Refresh the service to reload configuration change:

# svcadm refresh svc:/system/idmap:default

Set site_name:

# svccfg -s idmap setprop 'config/site_name = astring: US'
# svcadm refresh svc:/system/idmap:default

If the site name is not set, the discovery process will complain that no site was found. It does not really affect anything, since it goes and uses any DC in the forest anyhow, but I would think that with the site set, discovery should behave better.

Check the SRV records for the US site, as configured in Active Directory:

# dig _ldap._tcp.US._sites.domain.com SRV +short
0 100 389 usdc101.domain.com.
<snip>
0 100 389 usdc001.domain.com.

Check the CA site:

# dig _ldap._tcp.CA._sites.domain.com SRV +short
0 100 389 cadc001.domain.com.
0 100 389 cadc002.domain.com.

Check that this service is running; it might be required:

# svcs name-service-cache
STATE          STIME    FMRI
online         Jun_04   svc:/system/name-service-cache:default
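Added example, not from the original post: a check that combines the evidence gathered above (the site SRV records from dig and the "Using server" line in the idmap log) to say whether idmap settled on a DC inside the configured site, and how many unreachable DCs it tried first. The SRV lists and log lines are constructed samples with placeholder host names under domain.com; on a real server pipe the dig output and the tail of system-idmap:default.log in.

```shell
#!/bin/sh
# Added example, not part of the original post: decide whether the DC idmap
# attached to belongs to the configured site, from `dig ... SRV +short` output
# and /var/svc/log/system-idmap:default.log lines. All inputs are constructed.

FOREST_SRV='0 100 389 frdc001.domain.com.
0 100 389 dedc002.domain.com.
0 100 389 usdc001.domain.com.
0 100 389 usdc101.domain.com.
0 100 389 indc002.domain.com.
0 100 389 cadc001.domain.com.'

US_SITE_SRV='0 100 389 usdc101.domain.com.
0 100 389 usdc001.domain.com.'

# Log excerpts in the shape of the post's: two unreachable DCs, then a choice.
IDMAP_LOG_OK="LDAP: frdc001.domain.com:389: Can't connect to the LDAP server
frdc001.domain.com: Can't connect to the LDAP server - Operation now in progress
LDAP: dedc002.domain.com:389: Can't connect to the LDAP server
dedc002.domain.com: Can't connect to the LDAP server - Operation now in progress
Using server usdc001.domain.com:3268"
IDMAP_LOG_BAD="Using server indc002.domain.com:3268"

# srv_hosts: host names from `dig ... SRV +short` output on stdin, without the
# trailing dot and without dig's ';;' status lines.
srv_hosts() {
    awk '/^;;/ { next } NF == 4 { h = $4; sub(/\.$/, "", h); print h }'
}

# idmap_chosen_dc: the server named by the last "Using server host:port" line.
idmap_chosen_dc() {
    awk '$1 == "Using" && $2 == "server" { h = $3; sub(/:[0-9]+$/, "", h) } END { if (h != "") print h }'
}

# idmap_connect_failures: how many unreachable DCs discovery walked through
# before settling (one "LDAP: ... Can't connect" line per attempt).
idmap_connect_failures() {
    awk '/^LDAP: .*Can.t connect to the LDAP server/ { n++ } END { print n + 0 }'
}

# dc_site_check SITE_SRV_TEXT LOG_TEXT: IN-SITE or OUT-OF-SITE verdict for the
# DC idmap settled on, with the number of failed attempts that preceded it.
dc_site_check() {
    chosen=$(printf '%s\n' "$2" | idmap_chosen_dc)
    failures=$(printf '%s\n' "$2" | idmap_connect_failures)
    [ -n "$chosen" ] || { echo "NO-DC-CHOSEN"; return 0; }
    if printf '%s\n' "$1" | srv_hosts | awk -v c="$chosen" '$0 == c { found = 1 } END { exit found ? 0 : 1 }'; then
        printf 'IN-SITE %s (after %s failed connections)\n' "$chosen" "$failures"
    else
        printf 'OUT-OF-SITE %s (after %s failed connections)\n' "$chosen" "$failures"
    fi
}

# Stand-alone run: forest size, then a good and a bad attachment.
printf 'forest DCs: %s\n' "$(printf '%s\n' "$FOREST_SRV" | srv_hosts | wc -l | tr -d ' ')"
dc_site_check "$US_SITE_SRV" "$IDMAP_LOG_OK"
dc_site_check "$US_SITE_SRV" "$IDMAP_LOG_BAD"
```

An OUT-OF-SITE verdict is the condition the firewall rules above were added to prevent; a non-zero failure count on an IN-SITE result shows discovery still walked the forest list before landing on a local DC.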

TODO:

- Check how the Solaris ZFS appliance does this.  It does not appear to suffer the same fate.

Links:

http://docs.oracle.com/cd/E19082-01/819-3194/adsetup-2/index.html
