Learning Solaris 10 Check out the Zones F.A.Q. !

Recently tried the Linux Branded zone within OpenSolaris, part of the BrandZ project, added to Solaris 8/07. It is said to be working with only a defined number of Linux distributions, namely CentOS 3.x and Red Hat Enterprise Linux 3.x. So I went to the CentOS site and downloaded the DVD iso of CentOS 3.9 (i386).

Then created my zone :

• 
root@kiwi:~# zonecfg -z lx1
lx1: No such zone configured
Use ‘create’ to begin configuring a new zone.
zonecfg:lx1> create -t SUNWlx
zonecfg:lx1> add net
zonecfg:lx1:net> set address=172.22.1.1/16
zonecfg:lx1:net> set physical=rge0
zonecfg:lx1:net> end
zonecfg:lx1> set zonepath=/zones/lx1
zonecfg:lx1> exit

root@kiwi:~# zonecfg -z lx1 info
zonename: lx1
zonepath: /zones/lx1
brand: lx
autoboot: false
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: shared
net:
address: 172.22.1.1/16
physical: rge0
defrouter not specified

root@kiwi:~# ls -lh /zones/CentOS-3.9-i386-binDVD.iso
-rw-r–r– 1 nieuwenj staff 1.8G 2009-03-18 15:10 /zones/CentOS-3.9-i386-binDVD.iso


Next I have to install the zone by pointing the zoneadm command to the directory that contains the ISO file.

• 
  root@kiwi:/# zoneadm -z lx1 install -d /zones
  A ZFS file system has been created for this zone.

  Checking for valid Linux distribution ISO images...
/zones/CentOS-3.9-i386-binDVD.iso

  No supported Linux distributions found.

  Installation of CentOS to zone
'lx1' FAILED Thu Mar 19 14:24:26 CET 2009.

  Cleaning up after failed install...

  Installation of zone 'lx1' FAILED.

  See the log file:
'/zones/lx1/root/var/log/lx1.install.12491.log'
for details.

Doesn’t work, my ISO file is seen but it seems that it is not a supported version. Some more looks in the documentation shows that only 3.5 –> 3.8 are supported. Damn’, took me hours to download the 3.9 version. Let’s try some more.
Zoneadm probably calls some brand-specific check script so, using the Dtrace Toolkit (truss -t open would do…)

• 
root@kiwi:/opt/DTT# ./opensnoop -n zoneadm
UID PID COMM FD PATH
0 11904 zoneadm -1 /var/ld/ld.config
0 11904 zoneadm 3 /lib/libc.so.1
0 11904 zoneadm 3 /usr/lib/locale/en_US.UTF-8/en_US.UTF-8.so.3
0 11904 zoneadm 3 /usr/lib/locale/common/methods_unicode.so.3
0 11904 zoneadm 3 /lib/libzfs.so.1
0 11904 zoneadm -1 /usr/lib/locale/en_US.UTF-8/LC_MESSAGES/SUNW_OST_SGS.mo
0 11904 zoneadm -1 /usr/lib/locale/en_US.UTF-8/LC_MESSAGES/SUNW_OST_OSLIB.mo
0 11904 zoneadm 3 /usr/lib//libshare.so.1
0 11904 zoneadm 3 /lib/libxml2.so.2
0 11904 zoneadm 3 /lib/libpthread.so.1
0 11904 zoneadm 3 /lib/libz.so.1
0 11904 zoneadm 3 /lib/libm.so.2
0 11904 zoneadm 3 /lib/libsocket.so.1
0 11904 zoneadm 3 /lib/libnsl.so.1
0 11904 zoneadm 3 /dev/zfs
0 11904 zoneadm 4 /etc/mnttab
0 11904 zoneadm 5 /etc/dfs/sharetab
0 11904 zoneadm 6 /usr/lib/libzonecfg.so.1
0 11904 zoneadm 6 /etc/zones/lx1.xml
0 11904 zoneadm 7 /usr/share/lib/xml/dtd/zonecfg.dtd.1
0 11904 zoneadm 6 /usr/lib/brand/lx/config.xml
(…)


The first “lx-related” file is ‘/usr/lib/brand/lx/config.xml’

• 
root@kiwi:/usr/lib/brand/lx# cat config.xml
< ?xml version="1.0"?>
(…)

--install-- /usr/lib/brand/lx/lx_install --/install--


OK, the script is lx_install. After some reading, I see that the script will return more information if the variable verbose_mode is defined. So I change the code at the right function :

validate_iso_distros()
{
export verbose_mode=”t”
typeset cd


And we try again

• 
  root@kiwi:/# zoneadm -z lx1 uninstall
  Are you sure you want to uninstall zone lx1 (y/[n])? y
  The ZFS file system for this zone has been destroyed.
  root@kiwi:/#
  root@kiwi:/# zoneadm -z lx1 install -d /zones
  A ZFS file system has been created for this zone.

  Checking for valid Linux distribution ISO images...
/zones/CentOS-3.9-i386-binDVD.iso

Checking ISOs against distro file "/usr/lib/brand/lx/distros/centos35.distro"...
ISO "/zones/CentOS-3.9-i386-binDVD.iso":

  Checking ISOs against distro file "/usr/lib/brand/lx/distros/centos36.distro"...
ISO "/zones/CentOS-3.9-i386-binDVD.iso":

  Checking ISOs against distro file "/usr/lib/brand/lx/distros/centos37.distro"...
ISO "/zones/CentOS-3.9-i386-binDVD.iso":

  Checking ISOs against distro file "/usr/lib/brand/lx/distros/centos38.distro"...
ISO "/zones/CentOS-3.9-i386-binDVD.iso":

  Checking ISOs against distro file "/usr/lib/brand/lx/distros/rhel35.distro"...
ISO "/zones/CentOS-3.9-i386-binDVD.iso":

  Checking ISOs against distro file "/usr/lib/brand/lx/distros/rhel36.distro"...
ISO "/zones/CentOS-3.9-i386-binDVD.iso":

  Checking ISOs against distro file "/usr/lib/brand/lx/distros/rhel37.distro"...
ISO "/zones/CentOS-3.9-i386-binDVD.iso":

  Checking ISOs against distro file "/usr/lib/brand/lx/distros/rhel38.distro"...
ISO "/zones/CentOS-3.9-i386-binDVD.iso":

  No supported Linux distributions found.

Installation of CentOS to zone
'lx1' FAILED Thu Mar 19 14:35:06 CET 2009.

Cleaning up after failed install...

  Installation of zone 'lx1' FAILED.

  See the log file:
'/zones/lx1/root/var/log/lx1.install.12836.log'
for details.


OK, it seems that I need a distro file for CentOS 3.9. Let’s copy the one for 3.8 and try to modify the relevant fields :

• 
#
# Installation information for the CentOS 3.8 distribution disc set:
#
# + Serial number (as found in the disc set's .discinfo file)
# + Version Name
# + Order CDs holding the distribution must be installed in
# + MB of disk space required to hold a full install of the distribution
#
distro_serial=1155307611.42
distro_version="3.8"


So I need to find the serial number of my 3.9 distro.

• 
root@kiwi:~# lofiadm -a /zones/CentOS-3.9-i386-binDVD.iso
/dev/lofi/1
root@kiwi:~# mount -F hsfs /dev/lofi/1 /linux
root@kiwi:~#
root@kiwi:~# cd /linux
root@kiwi:/linux# ls
./ ../ .discinfo
root@kiwi:/linux# cat .discinfo
1183469235.986110
final
i386
1,2,3
RedHat/base
RedHat/RPMS
RedHat/pixmaps


I just copy the serial number just found in the centos39.distro newly created file (with updated comments from 3.8 to 3.9)

• 
root@kiwi:/usr/lib/brand/lx/distros/# cat centos39.distro
(…)
#
# Installation information for the CentOS 3.9 distribution disc set:
#
# + Serial number (as found in the disc set’s .discinfo file)
# + Version Name
# + Order CDs holding the distribution must be installed in
# + MB of disk space required to hold a full install of the distribution
#
distro_serial=1183469235.986110
distro_version=”3.9″
set -A distro_cdorder 1 2 3
(…)

And let’s try again :

• 
root@kiwi:/# zoneadm -z lx1 uninstall
Are you sure you want to uninstall zone lx1 (y/[n])? y
The ZFS file system for this zone has been destroyed.
root@kiwi:/#
root@kiwi:/# zoneadm -z lx1 install -d /zones
A ZFS file system has been created for this zone.


Checking for valid Linux distribution ISO images...
(...)
Checking ISOs against distro file "/usr/lib/brand/lx/distros/centos39.distro"...
ISO "/zones/CentOS-3.9-i386-binDVD.iso":
Serial #1183469235.986110
Release Name "CentOS"
DVD, representing CDs #1,2,3
(...)
Distro "CentOS" (DVD) found.
Installing distribution 'CentOS (DVD)'...
Installing cluster 'desktop'
(...)
Installing miniroot for zone 'lx1'.
(...)
Found DVD (representing CDs 1,2,3), Serial #1183469235.986110
Release Name "CentOS"
(...)
seamonkey-chat ##################################################
(...)


Here we go !
Wait ! No, an error after successful installation of hundreds of packages :

• 
Install of zone 'lx1' from
FAILED.

  Installation of CentOS to zone
'lx1' FAILED Thu Mar 19 20:55:48 CET 2009.


  Looking in the logfile :
ERROR: Unable to locate some needed packages:
gaim expectk tcl-html tcllib


  Seems I don’t really need these packages anyway…

  
root@kiwi:/usr/lib/brand/lx/distros# grep gaim *
rhel_centos_common: gaim \
root@kiwi:/usr/lib/brand/lx/distros# grep expectk *
centos38.distro: expectk \
centos39.distro: expectk \
root@kiwi:/usr/lib/brand/lx/distros# grep tcl-html *
centos38.distro: tcl-html \
centos39.distro: tcl-html \
root@kiwi:/usr/lib/brand/lx/distros# grep tcllib *
centos38.distro: tcllib”
centos39.distro: tcllib”


So let’s update rhel_centos_common and centos39.distro and remove all the lines that refer to packages that seem not to be there in CentOS 3.9…
And try another install afterwards…

• 
Completing installation; this may take a few minutes.
Setting up the initial lx brand environment.
System configuration modifications complete.
Installation of CentOS to zone
'lx1' completed Thu Mar 19 21:29:31 CET 2009.

  Installation of zone 'lx1' completed successfully.


Yope ! Finally….

• 
root@kiwi:~# zoneadm -z lx1 boot
root@kiwi:~# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / native shared
3 lx1 running /zones/lx1 lx shared
(…)
root@kiwi:~# zlogin lx1
[Connected to zone ‘lx1′ pts/6]
(…)
-bash-2.05b# top
08:39:41 up 5 min, 1 user, load average: 1.23, 0.79, 0.41
12 processes: 10 sleeping, 2 running, 0 zombie, 0 stopped
CPU states: cpu user nice system irq softirq iowait idle


-bash-2.05b# uname -a
Linux lx1 2.4.21 BrandZ fake linux i686 i686 i386 GNU/Linux


T: OpenSolaris, CentOS, BrandZ, Zones

Oddly enough, it appears that using Sun Secure Global desktop (SGD) from OpenSolaris doesn’t work from scratch. When my browsers try to connect to the server after authenticating, the browser never stop “Loading…” and times out after a while with an error message of style :”Failed to install”…

After some investigation, I found out that SGD is actually what’s left of a company called Tarantella, bought by Sun in 2005.

Now going to my home directory, there is a “hidden” directory called .tarantella

#cd ~/.tarantella/tcc/4.41.907/
#ls -l
total 3245
-rwxr-xr-x 1 nieuwenj staff 4368592 Aug 7 2008 ttatcc

Which seems to prove that the installation of the client started. Unfortunately,
# ldd ttatcc
libXm.so.4 => (file not found)

After going to a machine where SGD works, I see that I need SUNWmfrun, the Motif runtime software package. After googling, it appears that the package is part of Solaris 10 and even the early builds of OpenSolaris but it is no longer part of the OpenSolaris 2008.05 & 2008.11 distributions. Fortunately, I still have an iso of build79 of OpenSolaris ( a Solaris 10 iso or DVD would do )…

# lofiadm -a /downloads/laptop/iso/sol-nv-b79b-x86-dvd.iso
/dev/lofi/1
# mount -F hsfs /dev/lofi/1 /a
# cd /a/Solaris_11/Product
# pkgadd -d . -G SUNWmfrun
# pkgadd -d . -G SUNWxwrtl


The latter being a package that links the Motif libraries from /usr/dt to /usr/lib, where “ld” can find it.

There you go, retry to start SGD and you see a small (Motif) window popping up, asking something security-related. Then SGD finally starts…

The steps of the procedure can be found in various places but I like to summarize the information my own way.

Starting point : OpenSolaris 2008.11 snv_101a_rc1b X86 The procedure seems to be valid for build 101 to 105 (Crossbow requires some small changes)
Problem : there are no native drivers available for (Open)Solaris so we need to use NDIS, essentially a way to use the Windows drivers on a Solaris box.
Procedure :

• Make sure that you are running a 32-bits OpenSolaris kernel. If you have a 64-bits capable CPU, OpenSolaris will boot a 64-bits kernel by default.

  # isainfo -v
32-bit i386 applications
sse4.1 ssse3 ahf cx16 mon sse3 sse2 sse fxsr mmx cmov sep cx8 tsc fpu

  If you get the same output, go to the next point, you are already running a 32-bits kernel. If you see output that relates to “amd64″, this means that you are running a 64-bits kernel. In that case, you need to update the GRUB boot loader so that it adds a choice for you to boot a 32-bits kernel.

  # bootadm list-menu
The location for the active GRUB menu is: /rpool/boot/grub/menu.lst
default 0
timeout 3
0 OpenSolaris 2008.11 snv_101a_rc1b X86

  In my case, the GRUB boot menu is /rpool/boot/grub/menu.lst
  Update the menu with the following lines :

  
# cat /rpool/boot/grub/menu.lst
splashimage /boot/grub/splash.xpm.gz
background 215ECA
timeout 3
default 0
#———- ADDED BY BOOTADM - DO NOT EDIT ———-
title OpenSolaris 2008.11 snv_101a_rc1b X86
findroot (pool_rpool,0,a)
bootfs rpool/ROOT/opensolaris
splashimage /boot/solaris.xpm
foreground d25f00
background 115d93
kernel$ /platform/i86pc/kernel/$ISADIR/unix -B $ZFS-BOOTFS,console=graphics
module$ /platform/i86pc/$ISADIR/boot_archive
#———————END BOOTADM——————–
#———- ADDED BY JC - DO NOT EDIT ———-
title OpenSolaris 2008.11 snv_101a_rc1b X86 32 bits
kernel$ /platform/i86pc/kernel/unix -B $ZFS-BOOTFS,console=graphics
module$ /platform/i86pc/boot_archive
#———————END JC——————–

  Then reboot your box & choose to boot a 32-bits kernel

• Fetch all the required packages & files and store them in a common directory
  • Broadcom driver : From the HP support site
  • Last version of the NDIS driver : on the OpenSolaris NDIS page
  • The flex package : ( You need to be connected to the Internet )
    # pkg install -v pkg:/SUNWflexlex
  • The onbld package : From Sun download center
    Bunzip, untar & add the pkg using # pkgadd -d .
• Unzip the ndis archive
  • # gzip -dc ndis-1.2.1.tar.gz | tar xvf -
• Extract the Windows driver archive, rename the relevant files & convert the .inf file to ascii instead of UTF encoding
  • # mv Bcm_wlan_drivers.exe Bcm_wlan_drivers.exe.7z
# p7zip -d Bcm_wlan_drivers.exe.7z
# mv bcmwl5.sys ndis-1.2.1/i386/ndis.sys
# iconv -futf-16 -t ascii bcmwl5.inf > ndis-1.2.1/i386/ndis.inf
# cd ndis-1.2.1/i386/
• Follow the building procedure :
  • # make ndiscvt
# ./ndiscvt -i ndis.inf -s ndis.sys -o ndis.h
# make ndis
# cp bcmndis /kernel/drv/bcmndis
# make ndisapi
# cp ndisapi /kernel/misc
• Find the identifier of your network card : in my case “pci14e4,4315”
  # scanpci -v
pci bus 0×0006 cardnum 0×00 function 0×00: vendor 0×14e4 device 0×4315
Broadcom Corporation BCM4312 802.11b/g
CardVendor 0×1028 card 0×000b (Dell Wireless 1395 WLAN Mini-Card)

• Load the driver module
  • # add_drv -i ‘”pci14e4,4315″‘ bcmndis
• Check that OpenSolaris now shows your newly configured network card
  • # ifconfig -a
    (…)
    bcmndis0: flags=201004803 mtu 1500 index 3
    inet 0.0.0.0 netmask ff000000
    ether 0:22:5f:2e:9a:d1
    
• Start configuring with Nwam, wificonfig, …

Sources :

• OpenSolaris NDIS website & related links
• OpenSolaris Wireless FAQ

OpenSolaris

Another blueprint dedicated to only the security features of Solaris zones
Go to the document

Another good recap of the zones from a security point of view

Go to the document

A good tech article about Sun WebServer, including some troubleshooting techniques.

Go to the article

Go to the article

Becoming finally easier…

Go to the article

This guide is an introduction to configuring the Sun Fire X4500 server as a disk-cache media server for the Symantec Veritas NetBackup application. It provides an example of configuring the ZFS file system on the Solaris 10 08/07 OS and configuring the NetBackup 6.5 application to utilize the Sun Fire X4500 server as its media server.

Go to the document