Paulie's World

Things I do ...

Join my colleagues and myself at this year's Oracle OpenWorld. I have a session, hands-on lab, and demo being held in and around Moscone. These are all heavily focused on 12c and ZFS analytics.

HOL10103 - Managing ZFS Storage Inside Oracle Database 12c Environments
September 23, (Monday) 10:45 AM - Marriott Marquis - Salon 10A

CON2846 - Oracle Use and Best Practices for High-Performance Cloud Storage
September 23, (Monday) 12:15 PM - Westin San Francisco - Franciscan II

DEMO3619 - Maintaining the Performance of Your Cloud Infrastructure
Moscone South Lower Level, SC-152

8:45 PST - September 17, 2013
I recently needed to create a two port active:standby IPMP group to be served over Infiniband on Solaris 11. Wow that's a mouthful of terminology! Here's how I did it:

List available IB links

[root@adrenaline ~]# dladm show-ib
LINK         HCAGUID         PORTGUID        PORT STATE  PKEYS
net5         21280001CF4C96  21280001CF4C97  1    up     FFFF
net6         21280001CF4C96  21280001CF4C98  2    up     FFFF
Partition the IB links. My pkey will be 8001.
[root@adrenaline ~]# dladm create-part -l net5 -P 0x8001 p8001.net5
[root@adrenaline ~]# dladm create-part -l net6 -P 0x8001 p8001.net6
[root@adrenaline ~]# dladm show-part
LINK         PKEY  OVER         STATE    FLAGS
p8001.net5   8001  net5         unknown  ----
p8001.net6   8001  net6         unknown  ----
Create test addresses for the newly created datalinks
[root@adrenaline ~]# ipadm create-ip p8001.net5
[root@adrenaline ~]# ipadm create-addr -T static -a 192.168.1.101 p8001.net5/ipv4
[root@adrenaline ~]# ipadm create-ip p8001.net6
[root@adrenaline ~]# ipadm create-addr -T static -a 192.168.1.102 p8001.net6/ipv4
[root@adrenaline ~]# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
p8001.net5/ipv4   static   ok           192.168.1.101/24
p8001.net6/ipv4   static   ok           192.168.1.102/24
Create an IPMP group and add the IB datalinks
[root@adrenaline ~]# ipadm create-ipmp ipmp0
[root@adrenaline ~]# ipadm add-ipmp -i p8001.net5 -i p8001.net6 ipmp0
Set one IB datalink to standby
[root@adrenaline ~]# ipadm set-ifprop -p standby=on -m ip p8001.net6
Assign an IP address to the IPMP group
[root@adrenaline ~]# ipadm create-addr -T static -a 192.168.1.100/24 ipmp0/v4
That's it! Final checks:
[root@adrenaline ~]# ipadm
NAME              CLASS/TYPE STATE        UNDER      ADDR
ipmp0             ipmp       ok           --         --
   ipmp0/v4       static     ok           --         192.168.1.100/24
p8001.net5        ip         ok           ipmp0      --
   p8001.net5/ipv4 static    ok           --         192.168.1.101/24
p8001.net6        ip         ok           ipmp0      --
   p8001.net6/ipv4 static    ok           --         192.168.1.102/24

[root@adrenaline ~]# ping 192.168.1.100
192.168.1.100 is alive
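A post-configuration check, added here as an example and not part of the original post: it parses the ipadm listing above to confirm both partitions sit under ipmp0 with a single group address, and a constructed `ipadm show-ifprop -p standby` listing (its column layout is an assumption) to confirm exactly one member is the standby.

```shell
#!/bin/sh
# Sanity check for the active:standby IPMP group, run over captured command
# output so it can be tested offline. IPADM_OUT is constructed from the post's
# final "ipadm" listing; STANDBY_OUT is a constructed "ipadm show-ifprop -p
# standby" listing whose column layout is an assumption, not taken from the post.
IPADM_OUT='NAME              CLASS/TYPE STATE        UNDER      ADDR
ipmp0             ipmp       ok           --         --
   ipmp0/v4       static     ok           --         192.168.1.100/24
p8001.net5        ip         ok           ipmp0      --
   p8001.net5/ipv4 static    ok           --         192.168.1.101/24
p8001.net6        ip         ok           ipmp0      --
   p8001.net6/ipv4 static    ok           --         192.168.1.102/24'
STANDBY_OUT='IFNAME     PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
p8001.net5 standby  rw   off     off        off     on,off
p8001.net6 standby  rw   on      on         off     on,off'

# group_members IPADM_OUT GROUP: print the ip interfaces placed UNDER GROUP
group_members() {
    printf '%s\n' "$1" | awk -v g="$2" '$2 == "ip" && $4 == g { print $1 }'
}
# ipmp_ok IPADM_OUT GROUP: two or more members, no ip interface left outside
# the group, and exactly one address object on the group itself (test addresses
# belong to the members, the service address to the group)
ipmp_ok() {
    printf '%s\n' "$1" | awk -v g="$2" '
        $2 == "ip" && $4 != g { outside++ }
        $2 == "ip" && $4 == g { members++ }
        $1 ~ ("^" g "/") { addrs++ }
        END { exit (outside == 0 && members >= 2 && addrs == 1) ? 0 : 1 }'
}
# standby_ok STANDBY_OUT MEMBERS: exactly one of MEMBERS (whitespace-separated)
# has standby=on, i.e. the group is active:standby rather than active:active
standby_ok() {
    printf '%s\n' "$1" | awk -v m="$2" '
        BEGIN { gsub(/[ \t\n]+/, " ", m); m = " " m " " }
        NR > 1 && index(m, " " $1 " ") && $4 == "on" { on++ }
        END { exit (on == 1) ? 0 : 1 }'
}
```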
12:52 PST - July 10, 2013
Configuring the Server
The default install of Solaris 11 does not come with a DNS server, but this can be added easily through IPS like so:
[paulie@griff ~]$ sudo pkg install service/network/dns/bind
Before enabling this service, the named.conf file needs to be modified to support the DNS structure. Here's what mine looks like:
[paulie@griff ~]$ cat /etc/named.conf
options {
        directory       "/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        forwarders { 208.67.222.222; 208.67.220.220; };
};

zone "hillvalley" {
        type master;
        file "/etc/namedb/master/hillvalley.db";
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/namedb/master/1.168.192.db";
};
My forwarders use the OpenDNS servers, so any request the local DNS server can't answer itself goes through there. I've also set up two zones: hillvalley.db for my forward zone and 1.168.192.db for my reverse zone. We need both for a proper configuration. We also need to create some directories to support this file:
[paulie@griff ~]$ sudo mkdir /var/dump
[paulie@griff ~]$ sudo mkdir /var/stats
[paulie@griff ~]$ sudo mkdir -p /var/run/named
[paulie@griff ~]$ sudo mkdir -p /etc/namedb/master
[paulie@griff ~]$ sudo mkdir -p /etc/namedb/working
Now, let's populate the DNS server with a forward and reverse file.

Forward file
[paulie@griff ~]$ cat /etc/namedb/master/hillvalley.db 
$TTL 3h
@       IN      SOA     griff.hillvalley. paulie.griff.hillvalley. (
        2013022744
        28800
        3600
        604800
        38400
)

hillvalley.     IN      NS      griff.hillvalley.

delorean        IN      A       192.168.1.1   ; Router
biff            IN      A       192.168.1.101 ; NFS Server
griff           IN      A       192.168.1.102 ; DNS Server
buford          IN      A       192.168.1.103 ; LDAP Server
marty           IN      A       192.168.1.104 ; Workstation
doc             IN      A       192.168.1.105 ; Laptop
jennifer        IN      A       192.168.1.106 ; Boxee
lorraine        IN      A       192.168.1.107 ; Boxee
Reverse File
[paulie@griff ~]$ cat /etc/namedb/master/1.168.192.db 
$TTL 3h
@       IN      SOA     griff.hillvalley. paulie.griff.hillvalley. (
        2013022744
        28800
        3600
        604800
        38400
)

        IN      NS      griff.hillvalley.

1       IN      PTR     delorean.hillvalley.    ; Router
101     IN      PTR     biff.hillvalley.        ; NFS Server
102     IN      PTR     griff.hillvalley.       ; DNS Server
103     IN      PTR     buford.hillvalley.      ; LDAP Server
104     IN      PTR     marty.hillvalley.       ; Workstation
105     IN      PTR     doc.hillvalley.         ; Laptop
106     IN      PTR     jennifer.hillvalley.    ; Boxee
107     IN      PTR     lorraine.hillvalley.    ; Boxee
For reference, in these files:
  • paulie is the admin user account name
  • griff is the hostname of the DNS server
  • hillvalley is the domain name of the network
  • I love BTTF
Feel free to tweak this example to match your own network. Finally, enable the DNS service and check that it's online:
[paulie@griff ~]$ sudo svcadm enable dns/server
[paulie@griff ~]$ sudo svcs | grep dns/server
online         22:32:20 svc:/network/dns/server:default
Configuring the Client
We will need the IP address (192.168.1.102), hostname (griff), and domain name (hillvalley) to configure DNS with these commands:
[paulie@buford ~]$ sudo svccfg -s network/dns/client setprop config/nameserver = net_address: 192.168.1.102
[paulie@buford ~]$ sudo svccfg -s network/dns/client setprop config/domain = astring: hillvalley
[paulie@buford ~]$ sudo svccfg -s network/dns/client setprop config/search = astring: hillvalley
[paulie@buford ~]$ sudo svccfg -s name-service/switch setprop config/ipnodes = astring: '"files dns"'
[paulie@buford ~]$ sudo svccfg -s name-service/switch setprop config/host = astring: '"files dns"'
Verify the configuration is correct:
[paulie@buford ~]$ svccfg -s network/dns/client listprop config
config                      application        
config/value_authorization astring     solaris.smf.value.name-service.dns.client
config/nameserver          net_address 192.168.1.102
config/domain              astring     hillvalley
config/search              astring     hillvalley
And enable:
[paulie@buford ~]$ sudo svcadm enable dns/client
Now we need to test that the DNS server is working using both forward and reverse DNS lookups:
[paulie@buford ~]$ nslookup lorraine
Server:         192.168.1.102
Address:        192.168.1.102#53

Name:   lorraine.hillvalley
Address: 192.168.1.107

[paulie@buford ~]$ nslookup 192.168.1.1
Server:         192.168.1.102
Address:        192.168.1.102#53

1.1.168.192.in-addr.arpa        name = delorean.hillvalley.
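An added consistency check (example code, not from the post): it parses the forward and reverse zone records above and reports any host that has an A record without a matching PTR, or a PTR without a matching A record, the kind of drift that quietly breaks reverse lookups like the nslookup just shown.

```shell
#!/bin/sh
# Cross-check the forward zone against the reverse zone: every A record in
# 192.168.1.0/24 needs a PTR for the same name at the matching last octet, and
# every PTR needs an A record. Constructed record excerpts of the post's two
# zone files (SOA/NS lines omitted) are embedded so the check runs offline.
FORWARD_ZONE='delorean        IN      A       192.168.1.1   ; Router
biff            IN      A       192.168.1.101 ; NFS Server
griff           IN      A       192.168.1.102 ; DNS Server
marty           IN      A       192.168.1.104 ; Workstation'
REVERSE_ZONE='1       IN      PTR     delorean.hillvalley.    ; Router
101     IN      PTR     biff.hillvalley.        ; NFS Server
102     IN      PTR     griff.hillvalley.       ; DNS Server
104     IN      PTR     marty.hillvalley.       ; Workstation'

# a_pairs ZONE: print "name last-octet" for each A record, sorted
a_pairs() {
    printf '%s\n' "$1" |
        awk '$2 == "IN" && $3 == "A" { n = split($4, o, "."); print $1, o[n] }' | sort
}
# ptr_pairs ZONE DOMAIN: print "name last-octet" for each PTR record, with the
# trailing ".DOMAIN." stripped from the target so it is comparable to a_pairs
ptr_pairs() {
    printf '%s\n' "$1" |
        awk -v d="$2" '$2 == "IN" && $3 == "PTR" { sub("\\." d "\\.$", "", $4); print $4, $1 }' | sort
}
# zone_consistent FORWARD REVERSE DOMAIN: exit 0 when the two record sets match;
# otherwise print each odd record as "only-forward NAME OCTET" or
# "only-reverse NAME OCTET" and exit 1
zone_consistent() {
    fwd=$(a_pairs "$1")
    rev=$(ptr_pairs "$2" "$3")
    odd=$(printf '%s\n%s\n' "$fwd" "$rev" | sort | uniq -u)
    [ -z "$odd" ] && return 0
    printf '%s\n' "$odd" | while read -r name octet; do
        if printf '%s\n' "$fwd" | grep -qxF "$name $octet"; then
            echo "only-forward $name $octet"
        else
            echo "only-reverse $name $octet"
        fi
    done
    return 1
}
```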
6:24 PST - March 4, 2013
Configuring the Server
Solaris 11 ships with OpenLDAP to use as an LDAP server. To configure, you're going to need a simple slapd.conf file and an LDIF schema file to populate the database. First, let's look at the slapd.conf configuration:
# cat /etc/openldap/slapd.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

pidfile         /var/openldap/run/slapd.pid
argsfile        /var/openldap/run/slapd.args

database        bdb
suffix          "dc=buford,dc=hillvalley"
rootdn          "cn=admin,dc=buford,dc=hillvalley"
rootpw          secret
directory       /var/openldap/openldap-data
index           objectClass     eq
You may want to change the suffix and rootdn lines to better represent your network naming scheme. My LDAP server's hostname is buford and its domain name is hillvalley. You will need to add additional domain components (dc=) if the name is longer. This configuration assumes the LDAP manager will be called admin. Its password is 'secret'. This is in clear text just as an example, but you can generate a hashed one using slappasswd:
[paulie@buford ~]$ slappasswd
New password: 
Re-enter new password: 
{SSHA}MlyFaZxG6YIQ0d/Vw6fIGhAXZiaogk0G
Replace 'secret' with the entire hash, {SSHA}MlyFaZxG6YIQ0d/Vw6fIGhAXZiaogk0G, for the rootpw line. Now, let's create a basic schema for my network.
# cat /etc/openldap/schema/hillvalley.ldif
dn: dc=buford,dc=hillvalley
objectClass: dcObject
objectClass: organization
o: buford.hillvalley
dc: buford

dn: ou=groups,dc=buford,dc=hillvalley
objectClass: top
objectClass: organizationalunit
ou: groups

dn: ou=users,dc=buford,dc=hillvalley
objectClass: top
objectClass: organizationalunit
ou: users

dn: cn=world,ou=groups,dc=buford,dc=hillvalley
objectClass: top
objectClass: posixGroup
cn: world
gidNumber: 1001

dn: uid=paulie,ou=users,dc=buford,dc=hillvalley
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: Paul Johnson
uid: paulie
uidNumber: 1001
gidNumber: 1001
homeDirectory: /paulie/
loginShell: /usr/bin/bash
userPassword: secret
I've created a single group, world, and a single user, paulie. Both share the uid and gid of 1001. LDAP supports lots of additional attributes for configuring a user and group account, but I've kept it basic in this example. Once again, be sure to change the domain components to match your network. Feel free to also change the user and group details. I've left the userPassword field in clear text as 'secret'. The same slappasswd method above applies here as well. It's time to turn on the server, but first, let's fix the ownership of the data directory:
[paulie@buford ~]$ sudo chown -R openldap:openldap /var/openldap/
... and now ...
[paulie@buford ~]$ sudo svcadm enable ldap/server
Check that it worked:
[paulie@buford ~]$ svcs | grep ldap
online         12:13:49 svc:/network/ldap/server:openldap_24
Neat, now let's add our schema file to the database:
[paulie@buford ~]$ ldapadd -D "cn=admin,dc=buford,dc=hillvalley" -f /etc/openldap/schema/hillvalley.ldif
Enter bind password: 
adding new entry dc=buford,dc=hillvalley
adding new entry ou=groups,dc=buford,dc=hillvalley
adding new entry ou=users,dc=buford,dc=hillvalley
adding new entry cn=world,ou=groups,dc=buford,dc=hillvalley
adding new entry uid=paulie,ou=users,dc=buford,dc=hillvalley
That's it! Our LDAP server is up, populated, and ready to authenticate against.
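An added audit (example code, not from the post) for the clear-text 'secret' values left in slapd.conf and the LDIF: it flags any rootpw or userPassword whose value is not a {SCHEME} hash as produced by slappasswd, and rewrites the rootpw line with the hash shown above, as the post instructs.

```shell
#!/bin/sh
# Audit slapd.conf and LDIF text for credentials kept in the clear: rootpw and
# userPassword values should be {SCHEME}-prefixed hashes as produced by
# slappasswd. Constructed excerpts of the post's files are embedded below;
# the conf still carries the example "secret", the LDIF the hashed value.
SLAPD_CONF='database        bdb
suffix          "dc=buford,dc=hillvalley"
rootdn          "cn=admin,dc=buford,dc=hillvalley"
rootpw          secret
directory       /var/openldap/openldap-data'
USER_LDIF='dn: uid=paulie,ou=users,dc=buford,dc=hillvalley
objectClass: posixAccount
uid: paulie
userPassword: {SSHA}MlyFaZxG6YIQ0d/Vw6fIGhAXZiaogk0G'

# cleartext_secrets TEXT: print "LINE: ATTR" for every rootpw (slapd.conf
# syntax) or userPassword (LDIF syntax) whose value lacks a {SCHEME} prefix;
# exit 1 if any were found, 0 otherwise. The value itself is never printed.
# A base64 LDIF value ("userPassword::") is reported too, since it cannot be
# judged without decoding.
cleartext_secrets() {
    printf '%s\n' "$1" | awk '
        tolower($1) ~ /^(rootpw|userpassword:)$/ {
            v = $2; gsub(/"/, "", v)
            if (v !~ /^\{[A-Za-z0-9-]+\}/) { print NR ": " $1; bad++ }
        }
        tolower($1) == "userpassword::" { print NR ": " $1 " (base64, decode and re-check)"; bad++ }
        END { exit bad ? 1 : 0 }'
}
# hashed_rootpw CONF HASH: print CONF with its rootpw line replaced by HASH
hashed_rootpw() {
    printf '%s\n' "$1" | awk -v h="$2" '$1 == "rootpw" { $0 = "rootpw          " h } { print }'
}
```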

Configuring the Client
I'm going to turn my example server, buford.hillvalley, into an LDAP client as well. To do this, we need to run the `ldapclient` command to map our new user and group data:
[paulie@buford ~]$ ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a defaultSearchBase=dc=buford,dc=hillvalley \
-a domainName=buford.hillvalley \
-a defaultServerList=192.168.1.103 \
-a proxyDN=cn=admin,dc=buford,dc=hillvalley \
-a proxyPassword=secret \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=homeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=posixgroup \
-a objectClassMap=passwd:posixAccount=posixaccount \
-a objectClassMap=shadow:shadowAccount=posixaccount \
-a serviceSearchDescriptor=passwd:ou=users,dc=buford,dc=hillvalley \
-a serviceSearchDescriptor=group:ou=groups,dc=buford,dc=hillvalley \
-a serviceSearchDescriptor=shadow:ou=users,dc=buford,dc=hillvalley
As usual, change the host and domain names as well as the IP address in defaultServerList and the proxyPassword. The command should report that the system was configured properly; however, additional changes are needed if you use DNS for hostname lookups (most people do, so run these commands):
svccfg -s name-service/switch setprop config/host = astring: \"files dns ldap\"
svccfg -s name-service/switch:default refresh
svcadm restart name-service/cache
Now, we need to change how users log in so that the client knows there is an extra LDAP server to authenticate against. This should not lock out local users. Examine the two files /etc/pam.d/login and /etc/pam.d/other. Change any instance of
auth required            pam_unix_auth.so.1
to
auth binding            pam_unix_auth.so.1 server_policy
After this line, add the following new line:
auth required           pam_ldap.so.1
That's it! Finally, reboot your system and see if you can login with your newly created user.
12:18 PST - February 21, 2013
About once a year, I'll find a way to lock myself out of a Solaris system. Here's how to get out of this scenario. You'll need a Solaris 11 Live CD or Live USB stick.
  • Boot up from the Live CD/USB
  • Select the 'Text Console' option from the GRUB menu
  • Login to the solaris console using the username/password of jack/jack
  • Switch to root
$ sudo su
password jack
  • Mount the solaris boot environment in a temporary directory
# beadm mount solaris /a
  • Edit the shadow file
# vi /a/etc/shadow
  • Find your username and remove the password hash
Convert
username:iEwei23SamPleHashonf0981:15746::::::17216
to
username::15746::::::17216
  • Allow empty passwords at login
# vi /a/etc/default/login
Switch this line
PASSREQ=YES
to
PASSREQ=NO
  • Update the boot archive
# bootadm update-archive -R /a
  • Reboot and remove the Live CD/USB from system
# reboot
If prompted for a password, hit return since this has now been blanked.
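An added check (example code, not from the post) for after the recovery: it reports any account left with an empty password field in the shadow file and whether PASSREQ is back to YES in /etc/default/login, using constructed sample files in place of the real ones.

```shell
#!/bin/sh
# The recovery above deliberately leaves two weaknesses behind: an empty
# password field in /etc/shadow and PASSREQ=NO in /etc/default/login. This
# check finds both so they can be reverted once the account has a password
# again. Constructed sample files stand in for the real ones.
SAMPLE_SHADOW='root:$5$constructed$notarealhashXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:15746::::::
daemon:NP:6445::::::
username::15746::::::17216
nobody:*LK*:6445::::::'
SAMPLE_LOGIN='# constructed excerpt of /etc/default/login
CONSOLE=/dev/console
PASSREQ=NO
#ALTSHELL=YES'

# passwordless_accounts SHADOW_TEXT: print the name of every account whose
# password field is empty (a hash, NP or *LK* all count as set); exit 1 if any
passwordless_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1; n++ } END { exit n ? 1 : 0 }'
}
# passreq_enforced LOGIN_TEXT: exit 0 only if the effective PASSREQ value is YES;
# commented-out lines are ignored and a missing setting counts as YES, the
# shipped default
passreq_enforced() {
    val=$(printf '%s\n' "$1" | sed -n 's/^PASSREQ=//p' | tail -n 1)
    [ "${val:-YES}" = "YES" ]
}
# recovery_reverted SHADOW_TEXT LOGIN_TEXT: exit 0 once neither weakness remains
recovery_reverted() {
    passwordless_accounts "$1" >/dev/null && passreq_enforced "$2"
}
```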
6:31 PST - February 11, 2013
