Wednesday, September 26, 2012

Creating Zones in Solaris 10

Zones are a feature of Solaris 10 which provide a form of virtualization. When used with containers they can also provide flexible application isolation. A container is a method of controlling resources; I will not be going over containers in this guide. All Solaris 10 servers have a Global zone, which can host three types of zones. The three zone types are: Sparse Root, Whole Root and Branded zones.

A Global zone is the physical machine, or host, for the other zones. This zone can affect or control the other zone types, but the global zone is protected from changes made in hosted zones. The Whole Root zone is an almost full copy of the Solaris 10 OS in a self-contained area on the global zone. Any system files you have installed on the global zone will also be installed on the Whole Root zone. The Sparse Root zone, on the other hand, shares four of the main file systems with the Global zone.


Solaris 11 also uses zones, but it does so differently. The zones in Solaris 11 are similar to Branded zones in Solaris 10. If you want to build Solaris 10 Branded zones or Solaris 11 zones, this guide may not be as helpful as a guide that covers branded or Solaris 11 zones.


Topics covered
1. Creating Zones on Solaris 10
2. Fixing sudo
3. Creating local account


For the purpose of this guide we will use the hostname earth for our Global zone (host). We will create a zone named moon and a user named man. So, in other words, we will put a man on the moon. We will also use shared interfaces for our networking.



Part 1: Creating Zones on Solaris 10
Zone creation (must be root)
root@earth> zonecfg -z moon
zonecfg:moon> create -b
zonecfg:moon> set zonepath=/export/zones/moon
zonecfg:moon> set autoboot=true

The -b option after the create sub-command makes the zone a Whole Root zone. Leave it off if you want a Sparse Root zone. The zonepath setting tells the zonecfg command where to install the zone. The autoboot setting is optional, but if you don't set it to true the zone may not come back up when you reboot the global zone; you will then need to boot the zone manually.

Configuring the network interfaces
zonecfg:moon> add net
zonecfg:moon:net> set address=10.0.10.41/24
zonecfg:moon:net> set physical=rtls0
zonecfg:moon:net> set defrouter=10.0.10.1
zonecfg:moon:net> end
The /24 sets the subnet mask and is optional. Repeat the last step for every additional interface you need to configure.

Note: you might want to run the ifconfig -a command on the global zone to see what interfaces you have configured.

Optional, check setup.
zonecfg:moon> info
zonepath: /export/zones/moon
autoboot: true
pool:
limitpriv:
scheduling-class:
ip-type: shared
net:
        address: 10.0.10.41
        physical: rtls0
        defrouter: 10.0.10.1

Finish up
zonecfg:moon> verify
zonecfg:moon> commit
zonecfg:moon> exit
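The zonecfg session above, scripted as an added example that is not part of the original post: the helper validates the address, writes the same sub-commands to a file, hands it to zonecfg's -f (command file) option, then installs and boots the zone. The function names and argument order are my own.

```shell
#!/bin/sh
# Added example, not from the original post: build the zonecfg(1M) command
# file for a whole-root, shared-IP zone such as "moon" and feed it to
# zonecfg -f instead of typing the sub-commands interactively.

# valid_addr ADDR: accept "a.b.c.d" or "a.b.c.d/nn"; return 1 on bad input.
valid_addr() {
    case "$1" in
        */*) ip=${1%/*}; prefix=${1#*/} ;;
        *)   ip=$1; prefix=24 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_zonecfg ZONE ZONEPATH ADDR NIC ROUTER: print the zonecfg sub-commands
# the post enters by hand (create -b = whole root; drop -b for sparse root).
gen_zonecfg() {
    zpath=$2; addr=$3; nic=$4; router=$5
    valid_addr "$addr" || { echo "bad address: $addr" >&2; return 1; }
    printf 'create -b\nset zonepath=%s\nset autoboot=true\n' "$zpath"
    printf 'add net\nset address=%s\nset physical=%s\nset defrouter=%s\nend\n' \
        "$addr" "$nic" "$router"
    printf 'verify\ncommit\n'
}

# create_zone ZONE ZONEPATH ADDR NIC ROUTER: configure the zone from the
# generated file (run as root in the global zone), then install and boot it.
create_zone() {
    zone=$1
    tmp=$(mktemp) || return 1
    gen_zonecfg "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    zonecfg -z "$zone" -f "$tmp"; rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return "$rc"
    zoneadm -z "$zone" install && zoneadm -z "$zone" boot
}

# Example: create_zone moon /export/zones/moon 10.0.10.41/24 rtls0 10.0.10.1
```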

Install zone
root@earth> zoneadm -z moon  install
A ZFS file system has been created for this zone.
Preparing to install zone moon.
Creating list of files to copy from the global zone.
Copying 82181 files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize 783 packages on the zone.
Initialized 783 packages on zone.
Zone moon is initialized.
Installation of 1 packages was skipped.
The file contains a log of the zone installation.

Boot the zone
root@earth> zoneadm -z moon boot

Check the zone
root@earth> zoneadm list -cv
ID  NAME    STATUS     PATH                BRAND   IP
 0  global  running    /                   native  shared
 -  moon    installed  /export/zones/moon  native  shared

Log into zone and finish zone setup.
root@earth> zlogin -C moon
The -C option will give you console access to the zone.

Select a Language

  0. English
  1. es
  2. fr
Please make a choice (0 - 2), or press h or ? for help: 0
Enter 0

Select a Locale
  0. English (C - 7-bit ASCII)
  1. Canada (English) (UTF-8)
  2. Canada-English (ISO8859-1)
  3. U.S.A. (UTF-8)
  4. U.S.A. (en_US.ISO8859-1)
  5. U.S.A. (en_US.ISO8859-15)
  6. Go Back to Previous Screen
Please make a choice (0 - 6), or press h or ? for help: 0
Any of these are fine; here I will choose 0.

What type of terminal are you using?
  1) ANSI Standard CRT
  2) DEC VT52
  3) DEC VT100
  4) Heathkit 19
  5) Lear Siegler ADM31
  6) PC Console
  7) Sun Command Tool
  8) Sun Workstation
  9) Televideo 910
  10) Televideo 925
  11) Wyse Model 50
  12) X Terminal Emulator (xterms)
  13) CDE Terminal Emulator (dtterm)
  14) Other
Type the number of your choice and press Return:   13
Pick 13; don't pick 12, it will crash the zone (at least it does with my setup).

Enter the zone's hostname

Below I have highlighted the answers I use on each screen.

After setting the root password the system will reboot

Log in as root

Fixing sudo
For some reason sudo sometimes will not work after the zone comes up. Run the following commands from inside the new zone to fix it.
# ldd /usr/local/bin/sudo
libpam.so.1 =>     /usr/lib/libpam.so.1
libdl.so.1 =>      /usr/lib/libdl.so.1
libintl.so.8 =>    /usr/local/lib/libintl.so.8
libsocket.so.1 =>  /usr/lib/libsocket.so.1
libnsl.so.1 =>     /usr/lib/libnsl.so.1
libc.so.1 =>       /usr/lib/libc.so.1
libcmd.so.1 =>     /lib/libcmd.so.1
libiconv.so.2 =>   /usr/local/lib/libiconv.so.2
libsec.so.1 =>     /usr/lib/libsec.so.1
libgcc_s.so.1 =>     (file not found)
libmp.so.2 =>      /lib/libmp.so.2
libmd.so.1 =>      /lib/libmd.so.1
libscf.so.1 =>     /lib/libscf.so.1
libgcc_s.so.1 =>     (file not found)
libavl.so.1 =>     /lib/libavl.so.1
libdoor.so.1 =>    /lib/libdoor.so.1
libuutil.so.1 =>   /lib/libuutil.so.1
libgen.so.1 =>     /lib/libgen.so.1
libm.so.2 =>       /lib/libm.so.2
        /platform/SUNW,Sun-Blade-T6300/lib/libc_psr.so.1
        /platform/SUNW,Sun-Blade-T6300/lib/libmd_psr.so.1
The two lines that show libgcc_s.so.1 as "(file not found)" need to have their links fixed. Run the command below to fix them.

# ln -s  /usr/sfw/lib/libgcc_s.so.1  /usr/lib/libgcc_s.so.1
# ldd /usr/local/bin/sudo

libpam.so.1 =>     /usr/lib/libpam.so.1
libdl.so.1 =>      /usr/lib/libdl.so.1
libintl.so.8 =>    /usr/local/lib/libintl.so.8
libsocket.so.1 =>  /usr/lib/libsocket.so.1
libnsl.so.1 =>     /usr/lib/libnsl.so.1
libc.so.1 =>       /usr/lib/libc.so.1
libcmd.so.1 =>     /lib/libcmd.so.1
libiconv.so.2 =>   /usr/local/lib/libiconv.so.2
libsec.so.1 =>     /usr/lib/libsec.so.1
libgcc_s.so.1 =>   /usr/lib/libgcc_s.so.1
libmp.so.2 =>      /lib/libmp.so.2
libmd.so.1 =>      /lib/libmd.so.1
libscf.so.1 =>     /lib/libscf.so.1
libgcc_s.so.1 =>   /usr/lib/libgcc_s.so.1
libavl.so.1 =>     /lib/libavl.so.1
libdoor.so.1 =>    /lib/libdoor.so.1
libuutil.so.1 =>   /lib/libuutil.so.1
libgen.so.1 =>     /lib/libgen.so.1
libm.so.2 =>       /lib/libm.so.2
        /platform/SUNW,Sun-Blade-T6300/lib/libc_psr.so.1
        /platform/SUNW,Sun-Blade-T6300/lib/libmd_psr.so.1
This should fix sudo.
Note: For the user to be able to use sudo they need to belong to the sysadmin(14) group.

Create a local account
# mkdir -p /export/home
# useradd -u 2056 -g 2001 -G 14 -m -d /export/home/man -s /bin/bash man
# passwd man
New Password:
Re-enter new Password:
passwd: password successfully changed for man
~. will take you out of the zlogin console.

Now your zone is complete. Log in to the zone as the new user and test sudo. If everything is working then you're done. This post is a little long; maybe I should have broken it up. If you have any questions please comment below.

Other related posts
Uninstall and delete a zone in Solaris 10
Faster Solaris 10 Zone Creation
Set the Default Route on Solaris
Add Zone Function to Solaris 10 Core build
How-to change the IP address on a Solaris server

2 comments:

  1. This was very helpful. Thanks!

  2. I'm glad I was able to help. Also check out my "Faster Solaris 10 Zone Creation" guide, linked to above. There is enough info to script the zone creation if you wanted to. Maybe that should be my next post?
