Join my colleagues and myself at this year's Oracle OpenWorld. I have a session, hands-on-lab, and demo being held in and around Moscone. These are all heavily focused on 12c and ZFS analytics.
HOL10103 - Managing ZFS Storage Inside Oracle Database 12c Environments September 23, (Monday) 10:45 AM - Marriott Marquis - Salon 10A
CON2846 - Oracle Use and Best Practices for High-Performance Cloud Storage September 23, (Monday) 12:15 PM - Westin San Francisco - Franciscan II
DEMO3619 - Maintaining the Performance of Your Cloud Infrastructure Moscone South Lower Level, SC-152
9:45 PST - September 17, 2013
I recently needed to create a two port active:standby IPMP group to be served over Infiniband on Solaris 11. Wow that's a mouthful of terminology! Here's how I did it:
List available IB links
[root@adrenaline ~]# dladm show-ib LINK HCAGUID PORTGUID PORT STATE PKEYS net5 21280001CF4C96 21280001CF4C97 1 up FFFF net6 21280001CF4C96 21280001CF4C98 2 up FFFFPartition the IB links. My pkey will be 8001.
[root@adrenaline ~]# dladm create-part -l net5 -P 0x8001 p8001.net5 [root@adrenaline ~]# dladm create-part -l net6 -P 0x8001 p8001.net6 [root@adrenaline ~]# dladm show-part LINK PKEY OVER STATE FLAGS p8001.net5 8001 net5 unknown ---- p8001.net6 8001 net6 unknown ----Create test addresses for the newly created datalinks
[root@adrenaline ~]# ipadm create-ip p8001.net5 [root@adrenaline ~]# ipadm create-addr -T static -a 192.168.1.101 p8001.net5/ipv4 [root@adrenaline ~]# ipadm create-ip p8001.net6 [root@adrenaline ~]# ipadm create-addr -T static -a 192.168.1.102 p8001.net6/ipv4 [root@adrenaline ~]# ipadm show-addr ADDROBJ TYPE STATE ADDR p8001.net5/ipv4 static ok 192.168.1.101/24 p8001.net6/ipv4 static ok 192.168.1.102/24Create an IPMP group and add the IB datalinks
[root@adrenaline ~]# ipadm create-ipmp ipmp0 [root@adrenaline ~]# ipadm add-ipmp -i p8001.net5 -i p8001.net6 ipmp0Set one IB datalink to standby
[root@adrenaline ~]# ipadm set-ifprop -p standby=on -m ip p8001.net6Assign an IP address to the IPMP group
[root@adrenaline ~]# ipadm create-addr -T static -a 192.168.1.100/24 ipmp0/v4That's it! Final checks:
[root@adrenaline ~]# ipadm NAME CLASS/TYPE STATE UNDER ADDR ipmp0 ipmp ok -- -- ipmp0/v4 static ok -- 192.168.1.100/24 p8001.net5 ip ok ipmp0 -- p8001.net5/ipv4 static ok -- 192.168.1.101/24 p8001.net6 ip ok ipmp0 -- p8001.net6/ipv4 static ok -- 192.168.1.102/24 [root@adrenaline ~]# ping 192.168.1.100 192.168.1.100 is alive
13:52 PST - July 10, 2013
Configuring the Server
The default install of Solaris 11 does not come with a DNS server, but this can be added easily through IPS like so:
[paulie@griff ~]$ sudo pkg install service/network/dns/bindBefore enabling this service, the named.conf file needs to be modified to support the DNS structure. Here's what mine looks like:
[paulie@griff ~]$ cat /etc/named.conf
options {
directory "/etc/namedb/working";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
forwarders { 208.67.222.222; 208.67.220.220; };
};
zone "hillvalley" {
type master;
file "/etc/namedb/master/hillvalley.db";
};
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/namedb/master/1.168.192.db";
};
My forwarders use the OpenDNS servers, so any request that the local DNS server can't process goes through there. I've also setup two zones: hillvalley.db for my forward zone and 1.168.192.db for my reverse zone. We need both for a proper configuration. We also need to create some directories to support this file:
[paulie@griff ~]$ sudo mkdir /var/dump [paulie@griff ~]$ sudo mkdir /var/stats [paulie@griff ~]$ sudo mkdir -p /var/run/namedb [paulie@griff ~]$ sudo mkdir -p /etc/namedb/master [paulie@griff ~]$ sudo mkdir -p /etc/namedb/workingNow, let's populate the DNS server with a forward and reverse file.
Forward file
[paulie@griff ~]$ cat /etc/namedb/master/hillvalley.db
$TTL 3h
@ IN SOA griff.hillvalley. paulie.griff.hillvalley. (
2013022744
28800
3600
604800
38400
)
hillvalley. IN NS griff.hillvalley.
delorean IN A 192.168.1.1 ; Router
biff IN A 192.168.1.101 ; NFS Server
griff IN A 192.168.1.102 ; DNS Server
buford IN A 192.168.1.103 ; LDAP Server
marty IN A 192.168.1.104 ; Workstation
doc IN A 192.168.1.105 ; Laptop
jennifer IN A 192.168.1.106 ; Boxee
lorraine IN A 192.168.1.107 ; Boxee
Reverse File
[paulie@griff ~]$ cat /etc/namedb/master/1.168.192.db
$TTL 3h
@ IN SOA griff.hillvalley. paulie.griff.hillvalley. (
2013022744
28800
3600
604800
38400
)
IN NS griff.hillvalley.
1 IN PTR delorean.hillvalley. ; Router
101 IN PTR biff.hillvalley. ; NFS Server
102 IN PTR griff.hillvalley. ; DNS Server
103 IN PTR buford.hillvalley. ; LDAP Server
104 IN PTR marty.hillvalley. ; Workstation
105 IN PTR doc.hillvalley. ; Laptop
106 IN PTR jennifer.hillvalley. ; Boxee
107 IN PTR lorraine.hillvalley. ; Boxee
For referencing how these files works:
- paulie is the admin user account name
- griff is the hostname of the DNS server
- hillvalley is the domain name of the network
- I love BTTF
[paulie@griff ~]$ sudo svcadm enable dns/server [paulie@griff ~]$ sudo svcs | grep dns/server online 22:32:20 svc:/network/dns/server:defaultConfiguring the Client
We will need the IP address (192.168.1.102), hostname (griff), and domain name (hillvalley) to configure DNS with these commands:
[paulie@buford ~]$ sudo svccfg -s network/dns/client setprop config/nameserver = net_address: 192.168.1.102 [paulie@buford ~]$ sudo svccfg -s network/dns/client setprop config/domain = astring: hillvalley [paulie@buford ~]$ sudo svccfg -s network/dns/client setprop config/search = astring: hillvalley [paulie@buford ~]$ sudo svccfg -s name-service/switch setprop config/ipnodes = astring: '"files dns"' [paulie@buford ~]$ sudo svccfg -s name-service/switch setprop config/host = astring: '"files dns"'Verify the configuration is correct:
[paulie@buford ~]$ svccfg -s network/dns/client listprop config config application config/value_authorization astring solaris.smf.value.name-service.dns.client config/nameserver net_address 192.168.1.102 config/domain astring hillvalley config/search astring hillvalleyAnd enable:
[paulie@buford ~]$ sudo svcadm enable dns/clientNow we need to test that the DNS server is working using both forward and reverse DNS lookups:
[paulie@buford ~]$ nslookup lorraine Server: 192.168.1.102 Address: 192.168.1.102#53 Name: lorraine.hillvalley Address: 192.168.1.107 [paulie@buford ~]$ nslookup 192.168.1.1 Server: 192.168.1.102 Address: 192.168.1.102#53 1.1.168.192.in-addr.arpa name = delorean.hillvalley.
7:24 PST - March 4, 2013
Configuring the Server
Solaris 11 ships with OpenLDAP to use as an LDAP server. To configure, you're going to need a simple slapd.conf file and an LDIF schema file to populate the database. First, let's look at the slapd.conf configuration:
# cat /etc/openldap/slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema pidfile /var/openldap/run/slapd.pid argsfile /var/openldap/run/slapd.args database bdb suffix "dc=buford,dc=hillvalley" rootdn "cn=admin,dc=buford,dc=hillvalley" rootpw secret directory /var/openldap/openldap-data index objectClass eqYou may want to change the lines suffix and rootdn to better represent your network naming schema. My LDAP server's hostname is buford and domain name is hillvalley. You will need to add additional domain components (dc=) if the name is longer. This schema assumes the LDAP manager will be called admin. Its password is 'secret'. This is in clear-text just as an example, but you can generate a new one using slappasswd:
[paulie@buford ~]$ slappasswd
New password:
Re-enter new password:
{SSHA}MlyFaZxG6YIQ0d/Vw6fIGhAXZiaogk0G
Replace 'secret' with the entire hash, {SSHA}MlyFaZxG6YIQ0d/Vw6fIGhAXZiaogk0G, for the rootpw line.
Now, let's create a basic schema for my network.
# cat /etc/openldap/schema/hillvalley.ldif dn: dc=buford,dc=hillvalley objectClass: dcObject objectClass: organization o: bufford.hillvalley dc: buford dn: ou=groups,dc=buford,dc=hillvalley objectCLass: top objectClass: organizationalunit ou: groups dn: ou=users,dc=buford,dc=hillvalley objectClass: top objectClass: organizationalunit ou: users dn: cn=world,ou=groups,dc=buford,dc=hillvalley objectClass: top objectClass: posixGroup cn: world gidNumber: 1001 dn: uid=paulie,ou=users,dc=buford,dc=hillvalley objectClass: top objectClass: account objectClass: posixAccount objectClass: shadowAccount cn: Paul Johnson uid: paulie uidNumber: 1001 gidNumber: 1001 homeDirectory: /paulie/ loginShell: /usr/bin/bash userPassword: secretI've created a single group, world, and a single user, paulie. Both share the uid and gid of 1001. LDAP supports lots of additional variables for configuring a user and group account, but I've kept it basic in this example. Once again, be sure to change the domain components to match your network. Feel free to also change the user and group details. I've left the userPassword field in clear-text as 'secret'. The same slappasswd method above applies here as well. It's time to turn on the server, but first, let's change some ownership permissions:
[paulie@buford ~]$ sudo chown -R openldap:openldap /var/openldap/... and now ...
[paulie@buford ~]$ sudo svcadm enable ldap/serverCheck that it worked:
[paulie@buford ~]$ svcs | grep ldap online 12:13:49 svc:/network/ldap/server:openldap_24Neat, now let's add our schema file to the database:
[paulie@buford ~]$ ldapadd -D "cn=admin,dc=buford,dc=hillvalley" -f /etc/openldap/schema/hillvalley.ldif Enter bind password: adding new entry dc=buford,dc=hillvalley adding new entry ou=groups,dc=buford,dc=hillvalley adding new entry ou=users,dc=buford,dc=hillvalley adding new entry cn=world,ou=groups,dc=buford,dc=hillvalley adding new entry uid=paulie,ou=users,dc=buford,dc=hillvalleyThat's it! Our LDAP server is up, populated, and ready to authenticate against.
Configuring the Client
I'm going to turn my example server, buford.hillvalley, into an LDAP client as well. To do this, we need to run the `ldapclient` command to map our new user and group data:
[paulie@buford ~]$ ldapclient manual \ -a credentialLevel=proxy \ -a authenticationMethod=simple \ -a defaultSearchBase=dc=buford,dc=hillvalley \ -a domainName=buford.hillvalley \ -a defaultServerList=192.168.1.103 \ -a proxyDN=cn=admin,dc=buford,dc=hillvalley \ -a proxyPassword=secret \ -a attributeMap=group:gidnumber=gidNumber \ -a attributeMap=passwd:gidnumber=gidNumber \ -a attributeMap=passwd:uidnumber=uidNumber \ -a attributeMap=passwd:homedirectory=homeDirectory \ -a attributeMap=passwd:loginshell=loginShell \ -a attributeMap=shadow:userpassword=userPassword \ -a objectClassMap=group:posixGroup=posixgroup \ -a objectClassMap=passwd:posixAccount=posixaccount \ -a objectClassMap=shadow:shadowAccount=posixaccount \ -a serviceSearchDescriptor=passwd:ou=users,dc=buford,dc=hillvalley \ -a serviceSearchDescriptor=group:ou=groups,dc=buford,dc=hillvalley \ -a serviceSearchDescriptor=shadow:ou=users,dc=buford,dc=hillvalleyAs usual, change the host and domain names as well as the IP address held in defaultServerList and the proxyPassword. The command should respond back that the system was configured properly, however, additional changes will need to be made if you use DNS for hostname lookups (most people use DNS, so run these commands).
svccfg -s name-service/switch setprop config/host = astring: \"files dns ldap\" svccfg -s name-service/switch:default refresh svcadm restart name-service/cacheNow, we need to change how users login so that the client knows that there is an extra LDAP server to authenticate against. This should not lockout local worries. Examine the two files /etc/pam.d/login and /etc/pam.d/other. Change any instance of
auth required pam_unix_auth.so.1to
auth binding pam_unix_auth.so.1 server_policyAfter this line, add the following new line:
auth required pam_ldap.so.1That's it! Finally, reboot your system and see if you can login with your newly created user.
13:18 PST - February 21, 2013
About once a year, I'll find a way to lock myself out of a Solaris system. Here's how to get out of this scenario. You'll need a Solaris 11 Live CD or Live USB stick.
- Boot up from the Live CD/USB
- Select the 'Text Console' option from the GRUB menu
- Login to the solaris console using the username/password of jack/jack
- Switch to root
$ sudo su password jack
- Mount the solaris boot environment in a temporary directory
# beadm mount solaris /a
- Edit the shadow file
# vi /a/etc/shadow
- Find your username and remove the password hash
Convert username:iEwei23SamPleHashonf0981:15746::::::17216 to username::15746::::::17216
- Allow empty passwords at login
$ vi /a/etc/default/login Switch this line PASSREQ=YES to PASSREQ=NO
- Update the boot archive
# bootadm update-archive -R /a
- Reboot and remove the Live CD/USB from system
# rebootIf prompted for a password, hit return since this has now been blanked.
7:31 PST - February 11, 2013