26 ;LOGIN: VOL. 32, NO. 5

OCTAVE ORGERON

an introduction to logical domains
PART 2: INSTALLATION AND CONFIGURATION

Octave Orgeron is a Solaris Systems Engineer and an OpenSolaris Community Leader. Currently working in the financial services industry, he also has experience in the e-commerce, Web hosting, marketing services, and IT technology markets. He specializes in virtualization, provisioning, grid computing, and high availability.

unixconsole@yahoo.com

IN THE AUGUST 2007 ISSUE OF ;LOGIN:, I explained the Logical Domains (LDoms) technology from Sun and what you can do with it. In this article, I will walk you through the installation process, explaining key requirements for proper installation, as well as suggesting choices you should make during the process.

Prerequisites

For LDoms to function, you will need the correct platform, firmware, OS release, patches, and the Logical Domain Manager software.

Currently, LDoms are only supported on the UltraSPARC T1 (Niagara I) servers, as they are the only UltraSPARC platform with a hypervisor. You can find more information about those servers on Sun's site [1]. In the future, more platforms will be supported as the next-generation Niagara II servers are released.

Each of these servers requires firmware updates to fully support LDoms [2]. The firmware will update and enable the hypervisor software that is contained in the ALOM CMT service processor, which provides the platform lights-out management. In the installation section, you'll find an example of updating the firmware on a Sun Fire T2000.

It is important to have the correct Solaris version to support LDoms. Without the platform and driver support, LDoms will not function properly. The following versions of Solaris are supported:

- Solaris 10 11/06 Update 3 or higher [3]
- Solaris Express Build 57 or higher [4]

Solaris 10 is the commercial version of Solaris and Solaris Express is a preview of Solaris 11 based on the OpenSolaris source code.
Solaris 10 should be installed if you require commercial support from both Sun and third-party vendors. However, Solaris Express can be utilized when such requirements are not a concern. Solaris Express provides a preview of developments and features that you will not find in Solaris 10. In this article, Solaris 10 will be utilized. When installing the operating system, it is important to keep in mind that it will become the control domain for the platform.

With Solaris 10, there are patches required to enable full LDoms support. These patches should be downloaded [2] and installed according to the installation instructions included with them.

The last component, the Logical Domain Manager (LDM) software bundle [2], includes the required software packages, installation script, and pointers to online resources.

Installation

Once the operating system and any required patches have been installed, the installation of the firmware and LDM software can begin.

Upgrading the firmware is a multistep process that will require downtime for your server. The first step is to download the corresponding firmware patch for your server [2]. The patch will contain a firmware image file, an installation tool, and some documentation. The installation tool, sysfwdownload, will upload the image to the ALOM CMT service processor. The following example is based on a Sun Fire T2000 running Solaris 10:

    # unzip 126399-01.zip
    # cd 126399-01
    # ./sysfwdownload ./Sun_System_Firmware-6_4_4-Sun_Fire_T2000.bin
    .......... (10%)
    .......... (20%)
    .......... (30%)
    .......... (40%)
    .......... (51%)
    .......... (61%)
    .......... (71%)
    .......... (81%)
    .......... (92%)
    .......... (100%)
    Download completed successfully.

However, this does not upgrade the firmware. It merely uploads it to the ALOM CMT service processor. To perform the upgrade, you will have to first shut down the server:

    # shutdown -y -g0 -i 5 now

Once the server has shut down, you will have to switch to the ALOM CMT console in order to upgrade the firmware.
The console can be reached through the serial port or through the network management port [5]. It is important to ensure that the platform key switch is set to NORMAL to enable the firmware upgrade. Once that is accomplished, the firmware can be upgraded with the flashupdate command:

    sc> setkeyswitch -y normal
    Keyswitch is in the NORMAL position.
    sc> flashupdate -s 127.0.0.1
    SC Alert: System poweron is disabled.
    .......................................................................................................................................................................
    Update complete. Reset device to use new software.
    SC Alert: SC firmware was reloaded
    sc> resetsc
    Are you sure you want to reset the SC [y/n]? y

Once the ALOM CMT reboots, the firmware upgrade is completed. You will notice a change in the versions of the hypervisor, OpenBoot PROM, and the POST diagnostics:

    sc> showhost
    Host flash versions:
    Hypervisor 1.4.1 2007/04/02 16:37
    OBP 4.26.1 2007/04/02 16:26
    POST 4.26.0 2007/03/26 16:45

;LOGIN: OCTOBER 2007   AN INTRODUCTION TO LOGICAL DOMAINS   27

At this point, the system can be powered on and the operating system booted.

Now that the firmware has been updated, it is time to install the LDM software. The software bundle includes the following:

- SUNWldm.v: LDM Software
- SUNWjass: Solaris Security Toolkit (a.k.a. JASS)

The LDM software is fairly small and contained within a single package. It contains the libraries, configuration daemon, command-line interface, SMF service, and man pages for the LDM software.

The Solaris Security Toolkit [6] or JASS is a security-hardening framework. This framework includes configurations that are called drivers. These drivers can disable services, change permissions, lock accounts, enable security features, etc., in a reproducible manner. The toolkit can easily be extended and customized for your environment. It is distributed with other Sun products, such as the management software for E25k, to provide recommended security settings.
This is a purely optional component; the LDM software will function without JASS. However, its addition does provide a consistent and flexible security framework.

JASS is included with the LDM software bundle to help secure and harden the primary domain. This is accomplished through the ldm_control-secure driver, which is specifically designed for the primary domain and its services. It will disable all unnecessary services, enable many security features, and lock down access to only SSH.

The LDM software bundle can be installed manually, through Jumpstart, or through the use of the included install-ldm script. This script is included with the software bundle to automate the installation. It will present you with options for hardening the primary domain with JASS. The first option, "a," will install the LDM and JASS software with the driver specifically for the primary domain applied; this is the recommended option. The second option, "b," will only install the LDM and JASS software but will not apply any drivers. The last option, "c," will install the LDM and JASS software but give you the option of selecting a driver to apply. Here is a sample installation session:

    # Install/install-ldm
    Welcome to the LDoms installer.
    You are about to install the domain manager package that will enable you to
    create, destroy and control other domains on your system. Given the
    capabilities of the domain manager, you can now change the security
    configuration of this Solaris instance using the Solaris Security Toolkit.
    Select a security profile from this list:
    a) Hardened Solaris configuration for LDoms (recommended)
    b) Standard Solaris configuration
    c) Your custom-defined Solaris security configuration profile
    Enter a, b, or c [a]: a
    The changes made by selecting this option can be undone through the
    Solaris Security Toolkit's undo feature. This can be done with the
    '/opt/SUNWjass/bin/jass-execute -u' command.

At this point the LDM and JASS software is installed.
It is now time to reboot the primary domain.

Configuring the Primary Domain

The primary domain is the first service and the control domain for the platform. Now that all of the prerequisites are installed, it is time to configure the primary domain. The first step is to ensure that the required SMF services are running:

    # svcs -a | grep ldom
    online 18:34:15 svc:/ldoms/ldmd:default
    online 18:34:15 svc:/ldoms/vntsd:default

The svc:/ldoms/ldmd:default service is responsible for managing the ldmd daemon, which communicates directly with the hypervisor for configuration and management tasks. The svc:/ldoms/vntsd:default service is responsible for providing the virtual network terminal services through the vntsd daemon. If these SMF services are not running, enable them with the svcadm command.

At this point it is good practice to add the following to your $PATH and $MANPATH shell configuration:

    PATH=$PATH:/opt/SUNWldm/bin
    MANPATH=$MANPATH:/opt/SUNWldm/man

After all of the prerequisites are installed, all of the resources in the platform are assigned to the primary domain. This can be verified with the ldm command:

    # ldm list
    Name     State   Flags  Cons  VCPU  Memory  Util  Uptime
    primary  active  -t-cv  SP    32    32G     0.6%  1h 13m

As you can see, all 32 VCPUs and 32 GB of memory are assigned to the primary domain. To enable the creation of other logical domains, resources must be freed and basic services configured. The primary domain should be given at least one CPU core, or 4 VCPUs and 2 to 4 GB of memory:

    # ldm set-mau 1 primary
    # ldm set-vcpu 4 primary
    # ldm set-mem 4G primary

In this example, a cryptographic thread of a MAU, 4 VCPUs, and 4 GB of memory are assigned to the primary domain. For these settings to take effect, the primary domain must be rebooted.
However, before rebooting the primary domain it is good practice to configure the basic services that will support the creation of additional logical domains without causing further reboots.

Creating the virtual console concentrator or VCC service is essential to providing console access to any logical domains created in the future. Only the primary domain can be reached directly via the hardware console; all other logical domains must be reached through the VCC service. When you create the VCC service, a range of TCP ports must be specified. Each of these ports can be bound to one LDom and can be accessed through the telnet command.

    # ldm add-vcc port-range=5000-5100 primary-vcc0 primary

It is important to note that instances of services or devices can be freely named. In the example here, our instance of the VCC service is called "primary-vcc0." The naming conventions used throughout this article take the form of <ldom>-<virtual service or device><instance>.
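
The two checks described above for the primary domain (both LDoms SMF services online, and the primary domain no longer holding every VCPU and all memory) can be scripted against the output of svcs and ldm list. This is an added example, not part of the original article or of Sun's LDM software; the function names and the post-resize listing are assumptions, and the other sample data is constructed from the listings in the article.

```shell
#!/bin/sh
# Added example: post-install checks for the control (primary) domain.
# Sample data is constructed from the listings shown in the article.
SAMPLE_SVCS='online 18:34:15 svc:/ldoms/ldmd:default
online 18:34:15 svc:/ldoms/vntsd:default'
SAMPLE_LDM_BEFORE='Name State Flags Cons VCPU Memory Util Uptime
primary active -t-cv SP 32 32G 0.6% 1h 13m'
# Constructed (assumption): the listing expected after the resize and reboot.
SAMPLE_LDM_AFTER='Name State Flags Cons VCPU Memory Util Uptime
primary active -t-cv SP 4 4G 0.6% 5m'

# Read "svcs -a" output on stdin. Print each required LDoms service that is
# not "online"; return non-zero if any is missing.
ldoms_services_ok() {
    awk '
        BEGIN { need["svc:/ldoms/ldmd:default"] = 1
                need["svc:/ldoms/vntsd:default"] = 1 }
        $1 == "online" && ($3 in need) { delete need[$3] }
        END { for (s in need) { print s; bad = 1 }
              exit bad + 0 }'
}

# Read "ldm list" output on stdin. Print "<vcpus> <memory>" for the primary
# domain, locating columns by header name rather than by position.
primary_resources() {
    awk '
        NR == 1 { for (i = 1; i <= NF; i++) col[toupper($i)] = i; next }
        $1 == "primary" { print $(col["VCPU"]), $(col["MEMORY"]); found = 1 }
        END { exit !found }'
}

# Succeed only if the primary domain holds at most $1 VCPUs and $2 GB,
# i.e. resources have actually been freed for guest domains.
primary_is_trimmed() {
    max_vcpu=$1; max_gb=$2
    set -- $(primary_resources)
    [ $# -eq 2 ] || return 2          # no usable primary row: fail closed
    case $2 in
        *G) gb=${2%G} ;;
        *)  return 2 ;;               # unexpected unit: fail closed
    esac
    [ "$1" -le "$max_vcpu" ] && [ "$gb" -le "$max_gb" ]
}

# Demo on the constructed samples. On a control domain, pipe the real
# commands instead: svcs -a | ldoms_services_ok ; ldm list | primary_is_trimmed 4 4
printf '%s\n' "$SAMPLE_SVCS" | ldoms_services_ok && echo "ldmd and vntsd online"
printf '%s\n' "$SAMPLE_LDM_BEFORE" | primary_is_trimmed 4 4 ||
    echo "primary not yet resized: $(printf '%s\n' "$SAMPLE_LDM_BEFORE" | primary_resources)"
```
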