Question: How to create a network interface alias at the OBP for a jumpstart installation or network boot.
Sometimes when we want to do a jumpstart installation or a network boot, the default network interface that is selected is not connected to the network. The command 'boot net - install' fails in this case. The workaround is to create a new alias for a network interface that we know has network connectivity.
1. Halt the system to the OBP (ok) prompt, e.g.:
# init 0
2. Display the network device tree:
This shows the available ethernet devices with their device paths (see step 3); write down the one you want to use so you can double-check it later.
3. Select network device to create an alias:
ok> show-nets
a. [email protected],[email protected],[email protected],[email protected],8c0000
b. NO SELECTION
Enter Selection, q to quit: a   --- (we select "a" in this example)
[email protected],[email protected],[email protected],[email protected],8c0000 has been selected.
Type ^Y ( Control-Y ) to insert it in the command line.
e.g. ok nvalias mydev ^Y
for creating devalias mydev for [email protected],[email protected],[email protected],[email protected],8c0000
4. Create the alias:
ok> nvalias net1 ^Y
“net1” is the alias you specify.
^Y is Control-Y (CTRL+Y), which pastes the physical path of the network interface we selected in step 3.
5. Now start the network install or network boot:
ok> boot net - install
If savecore did not successfully run to retrieve the system core image (crash dump) from the dump device during the reboot following a system panic, it is possible to retrieve the crash dump manually from the command line. The kernel core image is copied into the dump device configured by the dumpadm command as part of the panic recovery code. The default dump device is the primary swap space. Often, the kernel core image remains intact for some time after the panic.
First, ensure there is sufficient space to save the core file. A kernel core file will not be larger than the amount of physical memory installed in the system, but most core dumps are considerably smaller. Insufficient space is usually the reason the data on the dump device does not get copied to the savecore directory. The error/warning you may see in the messages file will be similar to:
savecore: [ID 976488 auth.error] not enough space in /var/crash/rascal (49144 MB avail, 51525 MB needed)
The default destination for the saved core file is the directory configured by dumpadm. If an alternate destination is required, it can be given on the savecore command line, as shown below. As root, run savecore from the command line, specifying the alternate destination directory if required:
# savecore -dv [new dump directory]
When network booting, the first step is for the client system to send out a Reverse Address Resolution Protocol request (RARP request) to obtain its IP address from the boot server. It is important to know which interface will be used, as this determines which ethernet address is sent onto the network.
The local-mac-address setting in the OBP controls whether the system uses the system’s ethernet address, as displayed by the OBP banner command, or uses the ethernet address associated with each specific interface.
To check if the system wide MAC address will be used:
ok> printenv local-mac-address
local-mac-address = true
This means that the system will use the interface-specific MAC address (ethernet address) when broadcasting its RARP request. This is typically the desired behaviour. If set to false, ALL interfaces would use the system's ethernet address, which is not desirable if more than one of these interfaces is connected to the same network.
When network booting, the boot command is typically:
ok> boot net
It should be noted, however, that this actually instructs the system to boot from the device alias 'net'. To check what the current 'net' alias is at the OBP:
ok> devalias net
If there are multiple ethernet devices in the system, one can plug an interface into the network and watch each connection in turn to determine which port has been connected. An example on a T5210 follows; to check the available network device paths, run show-nets at the OBP:
ok> show-nets
a) [email protected][email protected][email protected][email protected][email protected][email protected],1
b) [email protected][email protected][email protected][email protected][email protected][email protected]
c) [email protected][email protected][email protected][email protected][email protected][email protected],1
d) [email protected][email protected][email protected][email protected][email protected][email protected]
q) NO SELECTION
Enter Selection, q to quit: q
And to check which of these are connected to a network, on a SPARC system:
ok> watch-net-all
[email protected][email protected][email protected][email protected][email protected][email protected],1
Timed out waiting for Autonegotation to complete
Check cable and try again
Link Down
[email protected][email protected][email protected][email protected][email protected][email protected]
Timed out waiting for Autonegotation to complete
Check cable and try again
Link Down
[email protected][email protected][email protected][email protected][email protected][email protected],1
Timed out waiting for Autonegotation to complete
Check cable and try again
Link Down
[email protected][email protected][email protected][email protected][email protected][email protected]
1000 Mbps full duplex  Link up
Looking for Ethernet Packets.
'.' is a Good Packet. 'X' is a Bad Packet.
Type any key to stop.
....................................................
From here, it is clear that only [email protected][email protected][email protected][email protected][email protected][email protected] is connected to a network and can see packets. As this is the only interface plugged in, this is the port to use for our network boot. Check the local MAC address of this interface by cd'ing to its pathname in the OBP and checking its properties:
ok> .properties
local-mac-address        00 14 4f 46 52 30
mac-addresses            00 14 4f 46 52 30
...
To set the ‘net’ device alias to this interface, you would use the following:
and then perform the network boot:
ok> boot net
knowing that this interface will send ethernet address 00:14:4f:46:52:30 onto the subnet we are connected to. Alternatively, if this is to be a one-time boot, one could simply boot from the device path itself:
From the manpage of the crontab command:
So touching an empty /etc/cron.allow file denies crontab to all non-root users. Make sure there is no empty /etc/cron.deny file present at the same time, as that may create a conflict.
# touch /etc/cron.allow
To allow one or more users to use crontab, append the user name(s) to the file, one user per line. For example, to allow users "test1" and "test2" to use crontab:
# echo "test1" > /etc/cron.allow
# echo "test2" >> /etc/cron.allow
Verify cron access by creating a crontab entry as each user:
# su - test1
$ crontab -e
# su - test2
$ crontab -e
It is often a requirement in production environments to prevent non-root users from creating any crontab entry. There are three ways to achieve this:
1. Disable ssh access to the system for non-root users, so that they cannot get a shell at all. Refer to this post for the procedure.
2. Add the user to the file /etc/cron.deny, one user per line (the typical method; it affects only the listed users):
# cat /etc/cron.deny
johny
Note: Make sure there is no conflict between the files /etc/cron.allow and /etc/cron.deny.
Verify denied user with creating crontab entry:
$ crontab -e
You (johny) are not allowed to use this program (crontab)
See crontab(1) for more information
3. Remove execute permission from the crontab command (an aggressive approach that affects all non-root users):
Default permissions:
# ls -lrt /usr/bin/crontab
-rwsr-xr-x 1 root root 57552 Apr 21 2015 /usr/bin/crontab
Change the permissions (this also removes the setuid bit):
# chmod 700 /usr/bin/crontab
# ls -lrt /usr/bin/crontab
-rwx------ 1 root root 57552 Apr 21 2015 /usr/bin/crontab
Note: Make sure you have a backup of the file before changing its permissions.
After a package upgrade, this change will be reverted to the default.
# stat /usr/bin/crontab
  File: ‘/usr/bin/crontab’
  Size: 57552         Blocks: 120        IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 10751442    Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-08-12 17:03:10.112443944 +0530
Modify: 2015-04-21 19:38:05.000000000 +0530
Change: 2016-03-14 14:03:30.347276747 +0530
 Birth: -
Verify the denied user by creating a crontab entry:
$ crontab -e
bash: /usr/bin/crontab: Permission denied
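The "no conflict between cron.allow and cron.deny" note above can be checked mechanically. The following is an added example, not code from the original post: it applies the crontab(1) precedence rule (cron.allow, when present, is authoritative and cron.deny is ignored) to constructed file contents and reports users named in both files. The neither-file case differs between systems, so it is a parameter.

```python
"""Audit crontab access from the contents of cron.allow and cron.deny.

Added example, not from the original post.  Precedence follows crontab(1):
if cron.allow exists, only the users listed in it may use crontab and
cron.deny is ignored; otherwise the users listed in cron.deny are denied.
What happens when neither file exists differs between systems, so it is a
parameter.  All file contents below are constructed sample data.
"""


def parse_userlist(text):
    """One user name per line.  None means 'file absent', distinct from empty."""
    if text is None:
        return None
    return {line.strip() for line in text.splitlines() if line.strip()}


def may_use_crontab(user, allow, deny, default_allow=False):
    """allow/deny are sets from parse_userlist, or None when the file is absent."""
    if user == "root":        # root is treated as exempt, as the post assumes
        return True
    if allow is not None:     # cron.allow present: it alone decides
        return user in allow
    if deny is not None:      # only cron.deny present
        return user not in deny
    return default_allow      # neither file: platform dependent, hence the parameter


def find_conflicts(allow, deny):
    """Users named in both files: cron.allow wins, so the deny entry is dead."""
    if allow is None or deny is None:
        return set()
    return allow & deny


def audit(allow_text, deny_text, users, default_allow=False):
    allow, deny = parse_userlist(allow_text), parse_userlist(deny_text)
    return {"allowed": sorted(u for u in users
                              if may_use_crontab(u, allow, deny, default_allow)),
            "conflicts": sorted(find_conflicts(allow, deny))}


# Constructed: cron.allow lists test1 and test2; cron.deny lists johny and test2
SAMPLE_ALLOW = "test1\ntest2\n"
SAMPLE_DENY = "johny\ntest2\n"
USERS = ["root", "test1", "test2", "johny", "alice"]

if __name__ == "__main__":
    print(audit(SAMPLE_ALLOW, SAMPLE_DENY, USERS))
    # → {'allowed': ['root', 'test1', 'test2'], 'conflicts': ['test2']}
```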
Follow the procedure below if you have forgotten or want to reset an existing XSCF user password. (This procedure requires the user to be physically present at the server.)
1. Connect directly to the serial port using the serial cable and a laptop.
2. Configure the terminal program you are using with the following settings:
Baud rate: 9600 bps
Data length: 8 bit
Parity: None
Stop: 1 bit
Flow control: None
Delay: Except for 0
3. When the login prompt appears, enter default as the login name:
Default user account: default
Default password:
The default password is not typed on the keyboard. Instead, after the default user account is entered, the mode switch on the operator panel is operated as follows:
Change the panel mode switch to Service and press return...
(Operation: Locked state -> Service -> Return)
Leave it in that position for at least 5 seconds. Change the panel mode switch to Locked, and press return...
(Operation: Wait more than 5 seconds -> Service state -> Locked -> Return)
XSCF>
The mode switch operation must be completed within one minute; after one minute an authentication timeout occurs.
4. Use the showuser -l command to confirm your current user info:
User Name:          xxxxx
UID:                100
Status:             Enabled
Minimum:            0
Maximum:            99999
Warning:            7
Inactive:           -1
Last Change:        Mar xx, 20xx
Password Expires:   Never
Password Inactive:  Never
Account Expires:    Never
Privileges:         useradm platadm fieldeng
5. Use the deleteuser command to delete the user whose password was forgotten, or create a new XSCF user.
6. Using the commands below, set the user account, password and privileges:
XSCF> deleteuser xxxxx
XSCF> adduser xxxxx
XSCF> password xxxxxxxx
XSCF> setprivileges xxxxxx
7. Use the exit command to log out, then try your new user account.
A system with non-global zones shares one kernel between all zones (the global zone as well as all configured non-global zones). As a result, there is only one date/time for the entire setup, and this time is usually controlled by the global zone only. By default, the privilege to change the date and time is not available inside a non-global zone, and therefore the NTP service will fail to adjust the time.
The default configuration for non-global zones assumes that time synchronization is done in the global zone and that there is no need to adjust the system time from inside a non-global zone. If the administrator of a non-global zone were able to change the system time, these changes would affect all running zones (including the global zone), which may be considered a security risk.
The time synchronization can be delegated to a non-global zone if required. Please keep in mind that multiple time adjustments from different sources will likely cause problems and that only one zone should run the NTP service. If you want to delegate the NTP synchronization to a non-global zone then it is recommended to disable the NTP service in the global zone.
As mentioned above, the ability to adjust the time is controlled by a Solaris privilege. The privilege is called sys_time, and its description can be viewed with the ppriv command:
# ppriv -lv sys_time
sys_time
        Allows a process to manipulate system time using any of the
        appropriate system calls: stime, adjtime, ntp_adjtime and
        the IA specific RTC calls.
If you are unsure whether the sys_time privilege is currently available to you, run the following command (as root):
# ppriv -v $$ | grep sys_time
By default the command only shows output in the global zone, not in any non-global zone, because the sys_time privilege is not assigned to non-global zones. Starting with Solaris 10 Update 3 (11/06), the privileges available to a non-global zone can be changed with the limitpriv option of the zonecfg command. In the default configuration the limitpriv setting is empty:
global-zone# zonecfg -z zonename info limitpriv
limitpriv:
If you want to add the sys_time privilege to a zone then you can use the zonecfg command to modify the property and reboot the zone to activate the change:
global-zone# zonecfg -z zonename set limitpriv="default,sys_time"
global-zone# zoneadm -z zonename reboot
Once the sys_time privilege is available in the non-global zone, you can continue to set up NTP as usual, i.e. configure the /etc/ntp.conf file and enable the ntp service.
An Oracle Solaris 11 package has the following version format, shown here for the entire package:
# pkg list entire
NAME (PUBLISHER)                                  VERSION                    IFO
entire                                            0.5.11-0.175.1.14.0.5.0    i--
| Field | Meaning |
|---|---|
| name | package name, including '/' characters |
| release_version | well-known version number, either the same as the open source version or 0.5.11 for Solaris internal packages |
| release | 5.11 for Solaris 11 |
| trunk_id | build number for the tip development gate, with a leading 0 needed to permit delivering express releases from development trains while still permitting update to later express bits |
| update | 0 for FCS, 1 for update 1, etc. |
| SRU | SRU number for this update |
| reserved | currently reserved for future use |
| build_id | build number of the Solaris Update or the SRU, or respin value for the trunk_id |
| nightly_id | identifier for the individual nightly builds |
| IDR_id | IDR (interim diagnostic relief) identifier |
| IDR_number | revision number for the above IDR |
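The fields above can be pulled apart programmatically, which is what a patch-level check (is this host at SRU N or later?) needs. The following is an added example, not code from the original post or from Oracle: it parses the short form printed by `pkg list` and the full FMRI form, assuming the branch field order trunk_id.update.SRU.reserved.build_id.nightly_id from the table, with trunk_id taken as the first two components (the leading 0 plus the build number). The IDR fields are not interpreted; the full FMRI string in the demo is constructed.

```python
"""Parse Oracle Solaris 11 package versions into the fields tabulated above.

Added example, not from the original post.  Handles the short form printed by
`pkg list` (release_version-branch) and the full FMRI form
(name@release_version,release-branch[:timestamp]).  Inside the branch the
field order trunk_id.update.SRU.reserved.build_id.nightly_id follows the
table; trunk_id is taken as the first two components (leading 0 plus build).
"""
import re

_FMRI = re.compile(
    r"^(?:pkg://(?P<publisher>[^/]+)/)?(?:(?P<name>[^@]+)@)?"
    r"(?P<release_version>[\d.]+)(?:,(?P<release>[\d.]+))?"
    r"-(?P<branch>[\d.]+)(?::(?P<timestamp>\S+))?$")

BRANCH_FIELDS = ("update", "SRU", "reserved", "build_id", "nightly_id")


def parse_pkg_version(s):
    """Return a dict of the version fields; raises ValueError on malformed input."""
    m = _FMRI.match(s.strip())
    if not m:
        raise ValueError(f"not a Solaris 11 package version: {s!r}")
    d = m.groupdict()
    parts = d.pop("branch").split(".")
    if len(parts) < 7:
        raise ValueError(f"branch has too few components: {'.'.join(parts)!r}")
    d["trunk_id"] = ".".join(parts[:2])          # e.g. "0.175"
    for key, val in zip(BRANCH_FIELDS, parts[2:7]):
        d[key] = int(val)
    d["extra"] = parts[7:]                       # IDR suffixes etc., left uninterpreted
    return d


def at_least(version, update, sru):
    """True when version is at or beyond Solaris 11.<update> SRU <sru> (patch-level check)."""
    v = parse_pkg_version(version)
    return (v["update"], v["SRU"]) >= (update, sru)


if __name__ == "__main__":
    # version string from the `pkg list entire` output above; the full FMRI is constructed
    print(parse_pkg_version("0.5.11-0.175.1.14.0.5.0"))
    print(parse_pkg_version("pkg://solaris/entire@0.5.11,5.11-0.175.1.14.0.5.0:20140101T000000Z"))
    print(at_least("0.5.11-0.175.1.14.0.5.0", 1, 14))  # → True
```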
This post describes a few basic commands to check the health of a ZFS pool.
1. Basic Storage Pool Health Status
The simplest way to get a quick overview of pool health is the zpool status -x command:
# zpool status -x
all pools are healthy
You can list the pool state for a specific pool by specifying the pool name as follows:
# zpool status -x tank
pool 'tank' is healthy
2. Detailed Health Status
You can request a more detailed health summary with the -v option, which shows whether the pool state is ONLINE.
Example of a pool in the ONLINE state:
# zpool status -v tank
  pool: tank
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        tank        ONLINE       0     0     0
          mirror    ONLINE       0     0     0
            c1t0d0  ONLINE       0     0     0
            c1t1d0  ONLINE       0     0     0

errors: No known data errors
Example of a pool in the DEGRADED state:
# zpool status -v tank
  pool: tank
 state: DEGRADED
status: One or more devices could not be opened. Sufficient replicas exist for
        the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using zpool online
   see: http://www.sun.com/msg/ZFS-8000-2Q
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        tank        DEGRADED     0     0     0
          mirror    DEGRADED     0     0     0
            c1t0d0  FAULTED      0     0     0  cannot open
            c1t1d0  ONLINE       0     0     0

errors: No known data errors
– If all virtual devices are ONLINE, then the pool is also ONLINE.
– If any one of the virtual devices is DEGRADED or UNAVAILABLE, then the pool is also DEGRADED.
– If a top-level virtual device is FAULTED or OFFLINE, then the pool is also FAULTED.
– A pool in the ONLINE state is running fine without any issues detected. You can run zpool scrub [poolname] to check data integrity.
– A pool in the DEGRADED state continues to run, but you might not get the same level of data redundancy or data throughput as if the pool were online.
– A pool in the FAULTED or UNAVAIL state is usually inaccessible; there may be occasions where reads succeed, but writes will fail.
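The state rules above are easy to encode, which is useful when monitoring many pools: parse the `zpool status -v` output, derive the pool state from the top-level vdevs, and flag anything that is not ONLINE. The following is an added example, not code from the original post or from ZFS; the embedded sample is the page's DEGRADED output, re-indented the way zpool prints it (the copy above lost its line breaks).

```python
"""Parse `zpool status -v` output and derive the pool state from the vdev states.
Added example, not from the original post; the sample is the page's DEGRADED output
re-indented as zpool prints it, and the rules applied are the ones listed above."""
import re


def parse_zpool_status(text):
    """Return pool name, reported state and vdev rows as (depth, name, state, note)."""
    pool = state = base = None
    rows, in_config = [], False
    for line in text.expandtabs(8).splitlines():
        s = line.strip()
        if m := re.match(r"pool:\s+(\S+)", s):
            pool = m.group(1)
        elif m := re.match(r"state:\s+(\S+)", s):
            state = m.group(1)
        elif s == "config:":
            in_config = True
        elif s.startswith("errors:"):
            in_config = False
        elif in_config and s and not s.startswith("NAME"):
            indent = len(line) - len(line.lstrip())
            base = indent if base is None else base  # the pool's own row is depth 0
            f = s.split()                            # NAME STATE READ WRITE CKSUM [note]
            rows.append(((indent - base) // 2, f[0], f[1], " ".join(f[5:])))
    return {"pool": pool, "state": state, "vdevs": rows}


def derive_pool_state(vdevs):
    # Only top-level vdevs (depth 1, directly under the pool row) decide the pool state
    top = [st for depth, _, st, _ in vdevs if depth == 1]
    if any(st in ("FAULTED", "OFFLINE") for st in top):
        return "FAULTED"
    if any(st in ("DEGRADED", "UNAVAIL", "UNAVAILABLE") for st in top):
        return "DEGRADED"
    return "ONLINE" if top and all(st == "ONLINE" for st in top) else "UNKNOWN"


def check_pool(text):
    info = parse_zpool_status(text)
    derived = derive_pool_state(info["vdevs"])
    bad = [f"{n}:{st}" + (f" ({note})" if note else "")
           for d, n, st, note in info["vdevs"] if d >= 1 and st != "ONLINE"]
    return {"pool": info["pool"], "reported": info["state"], "derived": derived,
            "consistent": derived == info["state"], "unhealthy": bad}


DEGRADED_SAMPLE = """\
  pool: tank
 state: DEGRADED
config:
        NAME        STATE     READ WRITE CKSUM
        tank        DEGRADED     0     0     0
          mirror    DEGRADED     0     0     0
            c1t0d0  FAULTED      0     0     0  cannot open
            c1t1d0  ONLINE       0     0     0
errors: No known data errors
"""
```

Running `check_pool(DEGRADED_SAMPLE)` reports the pool as DEGRADED (consistent with the reported state) and lists `mirror:DEGRADED` and `c1t0d0:FAULTED (cannot open)` as unhealthy.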
Upgrading the ZFS filesystem and zpool versions is a one-way operation: once upgraded, the versions cannot be downgraded. This prevents booting from older boot environments if they lack support for the upgraded zpool/filesystem version, so it is important to check the zpool version before the upgrade.
The current zpool version can be checked with either of the following commands:
# zpool upgrade
# zpool get version [zpool name]
# zpool upgrade
This system is currently running ZFS pool version 29.

All pools are formatted using this version.
# zpool get version datapool
NAME      PROPERTY  VALUE    SOURCE
datapool  version   29       default
The current ZFS filesystem version can be checked with:
# zfs upgrade
# zfs get version [ZFS filesystem name]
# zfs upgrade
This system is currently running ZFS filesystem version 5.

All filesystems are formatted with the current version.
# zfs get version datapool/datafs
NAME             PROPERTY  VALUE    SOURCE
datapool/datafs  version   5        -
A list of available versions can be obtained using:
# zpool upgrade -v
This system is currently running ZFS pool version 29.

The following versions are supported:

VER  DESCRIPTION
---  --------------------------------------------------------
 1   Initial ZFS version
 2   Ditto blocks (replicated metadata)
 3   Hot spares and double parity RAID-Z
 4   zpool history
 5   Compression using the gzip algorithm
 6   bootfs pool property
 7   Separate intent log devices
 8   Delegated administration
 9   refquota and refreservation properties
 10  Cache devices
 11  Improved scrub performance
 12  Snapshot properties
 13  snapused property
 14  passthrough-x aclinherit
 15  user/group space accounting
 16  stmf property support
 17  Triple-parity RAID-Z
 18  Snapshot user holds
 19  Log device removal
 20  Compression using zle (zero-length encoding)
 21  Reserved
 22  Received properties
 23  Slim ZIL
 24  System attributes
 25  Improved scrub stats
 26  Improved snapshot deletion performance
 27  Improved snapshot creation performance
 28  Multiple vdev replacements
 29  RAID-Z/mirror hybrid allocator

For more information on a particular version, including supported releases,
see the ZFS Administration Guide.
# zfs upgrade -v
The following filesystem versions are supported:

VER  DESCRIPTION
---  --------------------------------------------------------
 1   Initial ZFS filesystem version
 2   Enhanced directory entries
 3   Case insensitive and File system unique identifier (FUID)
 4   userquota, groupquota properties
 5   System attributes

For more information on a particular version, including supported releases,
see the ZFS Administration Guide.