UnixCBT feat. Solaris 10 Edition
Training Notes – 20060801.01
Table of Contents
Apache Web Server - Notes
BIND DNS Implementation - Notes
System Scheduler – Cron - Notes
File System Management - Notes
Volume Management - Notes
File Transfer Protocol Daemon (FTPD) Implementation - Notes
GNU Privacy Guard (GPG) - Notes
MySQL Implementation - Notes
NETSTAT - Notes
Network Configuration Overview - Notes
Network File System (NFS) - Notes
AutoFS - Notes
Network Mapper Nmap - Notes
Network Time Protocol (NTP) - Notes
Quota Implementation & Management - Notes
Samba – Windows Integration - Notes
Remote Desktop Installation - Notes
Samba Server Configuration - Notes
System Security Overview - Notes
Sendmail MTA Features - Notes
Snoop – Network Sniffer - Notes
TCPDump – Network Sniffer - Notes
Snort Network Intrusion Detection System (NIDS) - Notes
SYSLOG Implementation - Notes
Log Rotation using logadm - Notes
Zettabyte File System (ZFS) - Notes
Solaris Zones - Notes
Apache Web Server - Notes
SAMP - Solaris Apache MySQL PHP/Perl
LAMP - Linux Apache MySQL PHP/Perl/Python
Modular & Reliable
2 versions (1.3.33 & 2.0.50) are included with Solaris 10:
svcs -a | grep -i apache
Note: Apache2 documentation is available @: http://localhost/manual
Steps to invoke Apache on Solaris 10:
 1. cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
 2. update the ServerName & ServerAdmin directives for the main server
 3. svcadm enable apache2
 4. netstat -anP tcp | grep 80 && http://localhost/manual
Note: HTTP status code classes (first digit):
 2xx - success (200 OK)
 3xx - redirection
 4xx - client error (e.g. 403 Forbidden, 404 Not Found)
 5xx - server error
Note: Apache ALWAYS maintains a DEFAULT HOST. Its config is in httpd.conf, outside of ANY and ALL <VirtualHost> containers
Note: Apache requires the following info. for the DEFAULT HOST:
 1. ServerName linuxcbtsun1.linuxcbt.internal
 2. ServerAdmin
 3. DocumentRoot - where to serve content from
 4. IP Address:Port to bind to - optional
 5. Logging information - custom/combined & error logs
Note: Listen directive controls the IPs and ports that Apache binds to
Note: specify 'Listen' directive(s) in the DEFAULT HOST (httpd.conf)
Note: You can specify multiple Listen directives
Note: Apache binds to ALL IP addresses when 'Listen' is specified without an IP address (Listen 80); give the address (Listen 192.168.1.50:80) when only one interface should serve
DEFAULT HOST (IP:PORT)
 - Virtual Host 1
 - Virtual Host 2
<Directory "/var/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Directory "/var/apache2/htdocs/temp">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Note: <Directory "/var/apache2/htdocs"> - applies to all sub-directories unless a more specific <Directory> block overrides it (as the /var/apache2/htdocs/temp block above does, dropping Indexes)
Note: 'Indexes' lets Apache generate a directory listing whenever no DirectoryIndex file is present; leave it out of any tree where listings are not intended
###Order, Allow, Deny Rules###
Note: Order is specified first, and Deny or Allow or a combination follows
Note: 'Allow from' | 'Deny from' accept the following forms:
 1. IP address - 127.0.0.1
 2. IP address range, expressed as a partial address or a network/mask
 3. IP subnet mask using CIDR or class notation - 192.168.1.0/24 or 192.168.1.0/255.255.255.0
 4. partial IP address - 192.168.1 (matches 192.168.1.0/24)
 5. all
 6. environment variables - env=name, set with SetEnvIf on referrer, user agent, etc.
Used to set the default document served for a directory: DirectoryIndex index.html index.html.var
LogFormat is used to define named log formats that CustomLog can reference
Apache can log to multiple log files, with different formats, simultaneously
###Alias Directive###
Maps a webspace location to a file system location, usually outside the document root
###Files Directive###
Facilitates restrictions on matching files regardless of their location on the server
<Files noaccess.html>
    Order allow,deny
    Deny from all
</Files>
Note: When applied OUTSIDE of a <Directory> block, applies to all instances of the named file throughout the web server
Task: Create a web-accessible directory, but restrict access to certain IPs
Steps:
 1. mkdir /var/apache2/private
 2. Create the appropriate Alias - Alias /private/ /var/apache2/private/
 3. Create the appropriate <Directory "/var/apache2/private"> block: 'Order deny,allow', 'Deny from all', then 'Allow from' the permitted addresses
###Virtual Hosts Support###
2 types of Virtual Hosts are supported:
 1. IP-based - each virtual host is associated with a distinct address
 2. Name-based - all, or a group, of Virtual Hosts share one address and are selected by the Host: header
###IP-based Virtual Hosting###
Note: System requires multiple IP addresses
Note: Default Apache host binds to ALL IP addresses on port 80
Steps:
 1. Implement appropriate 'Listen' directive
 2. Configure Virtual Hosts
 3. Restart Apache
 4. Test configuration
Listen 192.168.1.50:80
<VirtualHost 192.168.1.50:80>
    ServerName linuxcbtsun1.linuxcbt.internal
    ServerAdmin [email protected]
    DocumentRoot /var/apache2/ipvhost1
    ErrorLog /var/apache2/logs/ipvhost1.error.log
    CustomLog /var/apache2/logs/ipvhost1.access.log combined
</VirtualHost>
Note: CustomLog needs a format name (combined here); without it Apache refuses the configuration
Note: Apache will serve content from the DocumentRoot of the DEFAULT HOST if a request does NOT match any of the Virtual Hosts
Listen 192.168.1.51:80
<VirtualHost 192.168.1.51:80>
    ServerName linuxcbtsun3.linuxcbt.internal
    ServerAdmin [email protected]
    DocumentRoot /var/apache2/ipvhost2
    ErrorLog /var/apache2/logs/ipvhost2.error.log
    CustomLog /var/apache2/logs/ipvhost2.access.log combined
</VirtualHost>
###NameBased Virtual Hosting###
Facilitates the sharing of 1 IP address by a group of web sites
Steps:
 1. Define appropriate Listen directive(s)
 2. Define appropriate NameVirtualHost directive(s)
 3. Define Virtual Hosts
 4. Restart Apache
 5. Confirm configuration
Listen 80
NameVirtualHost *:80 - means to permit NameBased Virtual Hosts on ALL IPs
Note: the NameVirtualHost argument MUST match the <VirtualHost> argument
Note: the FIRST <VirtualHost> listed for an address is the default for that address; it receives requests whose Host: header matches no ServerName/ServerAlias
<VirtualHost *:80>
    ServerName linuxcbtsun1.linuxcbt.internal
    ServerAdmin [email protected]
    DocumentRoot /var/apache2/namevhost1
    ErrorLog /var/apache2/logs/namevhost1.error.log
    CustomLog /var/apache2/logs/namevhost1.access.log combined
</VirtualHost>
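Added example (not from the course notes): the status classes and the 'combined' CustomLog format above are what you need to spot a client walking the tree and collecting the 403s that the Order/Deny rules produce. The script below is a POSIX sh/awk summariser over a few constructed combined-format lines; the client addresses, paths and user agents in APACHE_SAMPLE_LOG are invented for the example, and the function names are mine, not Apache's.

```shell
#!/bin/sh
# apache_log_triage.sh - per-client 4xx/5xx summary from an Apache
# "combined" access log. Added example; not from the course notes.

# Constructed sample in the combined LogFormat (client addresses, paths
# and user agents are invented for the example).
APACHE_SAMPLE_LOG='192.168.1.20 - - [01/Aug/2006:10:15:32 -0400] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.168.1.20 - - [01/Aug/2006:10:15:40 -0400] "GET /private/ HTTP/1.1" 403 209 "-" "Mozilla/5.0"
192.168.1.20 - - [01/Aug/2006:10:15:41 -0400] "GET /private/secret.html HTTP/1.1" 403 209 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Aug/2006:10:16:02 -0400] "GET /manual/ HTTP/1.1" 200 5120 "-" "curl/7.15"
10.0.0.9 - - [01/Aug/2006:10:16:05 -0400] "GET /cgi-bin/test HTTP/1.1" 500 532 "-" "curl/7.15"
172.16.20.11 - - [01/Aug/2006:10:17:00 -0400] "GET /noaccess.html HTTP/1.1" 403 209 "-" "Wget/1.10"
172.16.20.11 - - [01/Aug/2006:10:17:01 -0400] "GET /missing HTTP/1.1" 404 280 "-" "Wget/1.10"'

# Read an access log on stdin and print one line per client:
#   <client> <requests> <4xx count> <5xx count>
# most 4xx first. The status code is the three digits following the
# closing quote of the request field, so a request line containing
# spaces (or a hostile client's quotes) does not shift the columns.
apache_client_errors() {
    awk '
        match($0, /" [0-9][0-9][0-9] /) {
            st = substr($0, RSTART + 2, 3)
            ip = $1
            total[ip]++
            if (st ~ /^4/) c4[ip]++
            if (st ~ /^5/) c5[ip]++
        }
        END {
            for (ip in total)
                printf "%s %d %d %d\n", ip, total[ip], c4[ip] + 0, c5[ip] + 0
        }' | sort -k3,3nr -k1,1
}

# Clients whose 4xx count reaches the threshold ($1, default 2): a run of
# 403/404 responses from one address is what probing the tree looks like.
apache_probing_clients() {
    apache_client_errors | awk -v t="${1:-2}" '$3 >= t { print $1 }'
}
```

Run it against the real file with 'apache_client_errors < /var/apache2/logs/access_log'. Taking the status from the digits after the request's closing quote is stable even when the request line itself is malformed; pick the 4xx threshold to suit the site's normal 404 rate.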
BIND DNS Implementation - Notes
BIND 9.x
SUNWbind (client & server utilities) & SUNWbindr (SMF manifest)
Steps to configure DNS:
1. Create /etc/named.conf - primary named/BIND/DNS configuration file

options {
        directory "/var/named";
};

###Special zone indicating the root of the DNS hierarchy###
##Downloaded named.root from: ftp://ftp.rs.internic.net/domain/named.root##
zone "." {
        type hint;
        file "db.cache";
};

###Reverse Zones###
zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.127.0.0";
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "db.192.168.1";
};

zone "20.16.172.in-addr.arpa" {
        type master;
        file "db.172.20.16";
};

###Forward Zones###
zone "unixcbt.internal" {
        type master;
        file "db.unixcbt.internal";
};
###Zone File Syntax###
Note: @ is a variable that expands to the name of the zone (the origin) as configured in /etc/named.conf; any name without a trailing dot has the origin appended to it
svcadm enable dns/server
Note: With or without master zones, BIND functions as a caching-only (recursive) NS; restrict who may recurse through it (the allow-recursion option in named.conf) so it is not an open resolver for the whole network
Our server is configured to be:
 1. Caching-only server
 2. Authoritative server
###Mail Exchanger (MX) Record Setup###
Note: Implement MX via 2 records
 1. IN MX 10 mail.unixcbt.internal.
 2. mail IN A 192.168.1.197
Note: the MX target needs the trailing dot; without it the origin is appended and the record points at mail.unixcbt.internal.unixcbt.internal
###Slave DNS Server Configuration###
Note: There really isn't a "slave server" in BIND; a server is a slave for a ZONE ('type slave', with a 'masters' list giving the server to transfer from)
Steps:
 1. copy the following files to the slave server:
    a. db.127.0.0 - houses reverse, loopback zone info.
    b. db.cache - houses root hints
    c. named.conf - primary DNS BIND configuration file, with the replicated zones changed to 'type slave'
Note: a BIND server can be a slave for some zones in addition to being caching-only and authoritative (master) for others.
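Added example, not part of the course material: a small POSIX sh/awk check that every master or hint zone declared in named.conf actually has its file under the options 'directory', which is the mistake that makes named start but refuse to serve a zone. The sample named.conf it builds copies the zone names from these notes into a scratch directory; the 'db.192.168.1' file is deliberately left out so the check has something to report. The function names and the scratch layout are mine.

```shell
#!/bin/sh
# named_zone_files.sh - cross-check zone statements in a BIND 9 named.conf
# against the files present in the zone directory.
# Added example for these notes; not part of the course material.

# Print "<zone> <type> <file>" for each zone statement in $1. It relies
# on the one-directive-per-line layout used in the notes (zone "x" { /
# type y; / file "z"; / };), which is what awk's default field splitting
# needs; it is not a full named.conf parser.
named_list_zones() {
    awk '
        $1 == "zone" { z = $2; gsub(/"/, "", z); type = ""; file = "" }
        $1 == "type" { type = $2; sub(/;/, "", type) }
        $1 == "file" { file = $2; gsub(/[";]/, "", file) }
        $1 == "};" && z != "" { printf "%s %s %s\n", z, type, file; z = "" }
    ' "$1"
}

# Report master and hint zones of $1 whose file is absent under the
# directory $2 (slave zones fetch theirs on first transfer, so they are
# skipped). Prints nothing when everything is in place.
named_check_zone_files() {
    named_list_zones "$1" | while read -r zone type file; do
        case $type in
        master|hint)
            [ -f "$2/$file" ] || echo "MISSING $zone ($type): $2/$file" ;;
        esac
    done
}

# Build a scratch copy of the configuration from the notes and print its
# path. db.192.168.1 is deliberately not created so the check has
# something to find.
named_make_sample() {
    d=$(mktemp -d)
    mkdir "$d/var_named"
    : > "$d/var_named/db.cache"
    : > "$d/var_named/db.127.0.0"
    : > "$d/var_named/db.unixcbt.internal"
    cat > "$d/named.conf" <<'EOF'
options {
        directory "/var/named";
};
zone "." {
        type hint;
        file "db.cache";
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.127.0.0";
};
zone "1.168.192.in-addr.arpa" {
        type master;
        file "db.192.168.1";
};
zone "unixcbt.internal" {
        type master;
        file "db.unixcbt.internal";
};
EOF
    echo "$d"
}
```

On the real server run 'named_check_zone_files /etc/named.conf /var/named' and follow it with BIND's own 'named-checkconf /etc/named.conf' and 'named-checkzone <zone> <file>', which also validate syntax and the SOA/NS records that this script does not look at.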
System Scheduler – Cron - Notes
Features:
 1. Permits scheduling of scripts (shell/perl/python/ruby/PHP/etc.)/tasks on a per-user basis via individual cron tables
 2. Permits recurring execution of tasks
 3. Permits one-time execution of tasks via 'at'
 4. Logs results (exit status in the cron log; any output of the job is mailed to the user)
 5. Facilitates restrictions/permissions via cron.deny, cron.allow, at.deny, at.allow
Directory layout for the cron daemon:
/var/spool/cron - and sub-directories thereof store cron & at entries
/var/spool/cron/atjobs - houses one-off at jobs - e.g. 787546321.a corresponds to a user's at job
/var/spool/cron/crontabs - houses recurring jobs for users - one file per user name, holding that user's recurring tasks
Cron command:
crontab - facilitates the management of cron table files
crontab -l - lists the cron table for the current user (for root, reads /var/spool/cron/crontabs/root)
###Cron table format###
m(0-59) h(0-23) dom(1-31) m(1-12) dow(0-6) command
10 3 * * * /usr/sbin/logadm - 3:10AM - every day
15 3 * * 0 /usr/lib/fs/nfs/nfsfind - 3:15 - every Sunday
30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1

Note: (date/time/command) MUST be on 1 line
m = minute (0-59)
h = hour (0-23)
dom = day of the month (1-31)
m = month (1-12)
dow = day of the week (0-6) - 0=Sunday
Note: each line contains 6 fields/columns - 5 pertain to the date & time of execution, and the 6th pertains to the command to execute

#m h dom m dow command
10 3 * * * /usr/sbin/logadm - 3:10AM - every day
* * * * * /usr/sbin/logadm - every minute, hour, dom, m, dow
*/5 * * * * /usr/sbin/logadm - every 5 minutes (0,5,10,15...)
1 0-4 * * * /usr/sbin/logadm - 1 minute after the hours 0-4
0 0,2,4,6,9 * * * /usr/sbin/logadm - top of the hours 0,2,4,6,9
1-9 0,2,4,6,9 * * * /usr/sbin/logadm - 1-9 minutes of hours 0,2,4,6,9
Note: the '*/5' step form is a Vixie-cron extension; the Solaris 10 crontab(1) grammar documents only single values, ranges, comma lists and '*', so write 0,5,10,15,20,25,30,35,40,45,50,55 for a crontab that must work there
Note: Separate columns/fields using whitespace or tabs
###Create crontabs for root & unixcbt###
Note: ALWAYS test commands prior to crontab/at submission
11 * * * * repquota -va >> /reports/`date +\%F`.quota.report
Note: '%' is special in the command field of a crontab (it is turned into a newline and what follows it is fed to the command as stdin), so escape it as \% or put the command in a script; make sure /reports exists and is writable only by root
Note: set the EDITOR variable to the desired editor before 'crontab -e'
export EDITOR=vim
###unixcbt - execute quota -v###
#!/usr/bin/bash
HOME=/export/home/unixcbt
quota -v >> "$HOME/`date +%F`.unixcbt.quota.report"
#END
Note: aim to reference scripts (shell/perl/python/ruby/PHP, etc.) from the crontab instead of long command lines full of characters (%, backquotes, redirections) that cron or the shell interpret
Note: A default Solaris install creates 'at.deny' & 'cron.deny' (in /etc/cron.d)
You MUST NOT be listed in cron.deny to submit cron entries, nor in at.deny to submit at jobs
Conversely, if cron.allow / at.allow exist, you MUST be listed in the relevant allow file to submit cron / at entries; the allow file takes precedence over the deny file, and if neither file exists only root may submit
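Added example that is not part of the course notes: the allow/deny precedence described above as a POSIX sh function, so it can be checked against copies of the files before a user is told why their job is not accepted. It assumes the Solaris 10 location /etc/cron.d for cron.allow, cron.deny, at.allow and at.deny, and the rule that with neither file present only root may submit; the directory is a parameter so the test runs against a scratch copy. Function names are mine.

```shell
#!/bin/sh
# cron_access.sh - may a user submit crontab/at jobs? The Solaris
# allow/deny precedence as a function. Added example; not from the notes.
#   cron_may_submit <user> [dir] [cron|at]
# dir defaults to /etc/cron.d (where Solaris 10 keeps the files); pass a
# scratch directory to try the rules on copies.

# Exact, whole-line match of a user name in a one-name-per-line file.
_listed_in() {
    grep -qx "$1" "$2" 2>/dev/null
}

# Prints "allow" or "deny" and returns 0 or 1 to match.
#  1. <kind>.allow exists      -> only the users listed in it may submit
#  2. otherwise <kind>.deny    -> everyone except the users listed in it
#  3. neither file exists      -> only root may submit
cron_may_submit() {
    user=$1; dir=${2:-/etc/cron.d}; kind=${3:-cron}
    if [ -f "$dir/$kind.allow" ]; then
        if _listed_in "$user" "$dir/$kind.allow"; then echo allow; return 0; fi
        echo deny; return 1
    fi
    if [ -f "$dir/$kind.deny" ]; then
        if _listed_in "$user" "$dir/$kind.deny"; then echo deny; return 1; fi
        echo allow; return 0
    fi
    if [ "$user" = root ]; then echo allow; return 0; fi
    echo deny; return 1
}
```

'cron_may_submit unixcbt /etc/cron.d at' answers the 'at' question. Because the allow file is consulted first and the deny file is then ignored, removing a user from cron.deny changes nothing while a cron.allow exists; that is the case the function makes visible.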
File System Management - Notes
###Recap of steps necessary to partition/slice & create file systems###
Steps:
 1. unmount existing file systems - umount /data2 /data3
 2. confirm fdisk partitions via the 'format' utility - format - select disk - select fdisk
 3. use partition - modify to create slices on the desired drives
    DISK1 - slice 0 - /dev/dsk/c0t1d0s0
    DISK2 - slice 0 - /dev/dsk/c0t2d0s0
 4. Create the file system using 'newfs /dev/rdsk/c0t1d0s0' (raw device; newfs destroys whatever is on the slice, so confirm the device name against the layout above first: c0t0d0 is the system disk)
 5. Use 'fsck /dev/rdsk/c0t1d0s0' to verify the consistency of the file system
 6. Mount file systems at various mount points - mount /dev/dsk/c0t1d0s0 /data2 && mount /dev/dsk/c0t2d0s0 /data3
 7. create entries in the Virtual File System Table (/etc/vfstab) file
###How to determine the file system associated with a device###
 1. fstyp /dev/dsk/c0t0d0s0 - returns the file system type
 2. grep the mount point from /etc/vfstab - returns the matching line - grep /var /etc/vfstab
 3. cat /etc/mnttab - displays currently mounted file systems
###Temporary File System (tmpfs) Implementation###
tmpfs provides in-memory (RAM/swap-backed), very fast storage and boosts application performance
Steps:
 1. Determine available memory and the amount you can spare for tmpfs - prtconf - allocate 100MB
 2. Execute the mount command:
mkdir /tempdata && chmod 1777 /tempdata && mount -F tmpfs -o size=100m swap /tempdata
Note: use mode 1777 (sticky bit), as on /tmp, for a world-writable tmpfs so users can remove only their own files; a plain 777 lets any user delete anyone's
Note: without 'size=' a tmpfs can grow until it has consumed all available swap
Note: tmpfs data does NOT persist/survive across reboots
Note: tmpfs data is lost when the following occurs:
 1. the tmpfs mount point is unmounted: i.e. umount /tempdata
 2. system reboot
Modify /etc/vfstab to include the tmpfs mount point for reboots (the size option goes in the last, mount-options, field):
swap - /tempdata tmpfs - yes size=100m
###Swap File/Partition Creation###
swap -l | swap -s - to display swap information
mkfile size location_of_file - to create a swap file
mkfile 512m /data2/swap2
swap -a /data2/swap2 - activates the swap file
To remove a swap file:
swap -d /data2/swap2 - removes the swap space from the kernel; does NOT remove the file
rm /data2/swap2

###Swap Partition Creation###
format - select disk - partition - select slice/modify
swap -a /dev/dsk/c0t2d0s1
Modify /etc/vfstab so the swap slice is added at boot
Volume Management - Notes
Solaris Volume Manager permits the creation of 5 object types:
 1. Volumes - RAID 0 (concatenation or stripe) / RAID 1 (mirroring) / RAID 5 (striping with parity)
 2. Soft partitions - permit the creation of very large storage devices
 3. Hot spare pools - facilitate provisioning of spare storage for use when a RAID-1/5 component has failed, i.e. MIRROR - DISK1, DISK2, DISK3 (spare)
 4. State database replicas - MUST be created prior to volumes - contain the configuration & status of ALL managed objects (volumes/hot spare pools/soft partitions/etc.)
 5. Disk sets - used when clustering Solaris in failover mode

Note: Volume Management facilitates the creation of virtual disks
Note: Virtual disks are accessible via /dev/md/dsk & /dev/md/rdsk
Rules regarding volumes:
 1. State database replicas are required
 2. Volumes can be created using dedicated slices
 3. Volumes can be created on slices with state database replicas
 4. Volumes created by the volume manager CANNOT be managed using 'format'; they are managed using the CLI tools (metadb, metainit, metattach, metastat) and the GUI tool (SMC)
 5. You may use tools such as 'mkfs', 'newfs', 'growfs' on them
 6. You may grow volumes using 'growfs'
###State Database Replicas###
Note: At least 3 replicas are required for a consistent, functional, multi-user Solaris system.
3 - yields at least 2 replicas in the event of one failure
Note: if all replicas are on the same slice or medium and that medium is lost, Volume Management fails and access to the data is lost
Note: place replicas on as many distinct controllers/disks as possible
Note: Max of 50 replicas per disk set
Note: Volume Management relies upon the Majority Consensus Algorithm (MCA) to determine the consistency of the volume information: more than half of the replicas must agree
3 replicas = 1.5 (half) = 1 rounded down + 1 = 2 = MCA (half + 1)
Note: spreading replicas evenly over the disks usually gives an even total; 4 replicas = 2 (half) + 1 = 3 must agree, so losing one disk of two leaves exactly half and the system cannot come back up multi-user until the stale replicas are removed (metadb -d) and a majority is restored
State database replicas are approximately 4MB by default - for local storage
Rules regarding the storage location of state database replicas:
 1. dedicated partition/slice - c0t1d0s3
 2. local partition that is to be used in a volume (RAID 0/1/5)
 3. UFS logging devices
 4. '/', '/usr', 'swap', and other UFS partitions in use CANNOT be used to store state database replicas
###Configure slices to accommodate State Database Replicas###
c0t1d0s0 - c0t2d0s0 - RAID 0 (STRIPE) - 60GB

###Create RAID 0 (STRIPE) - NOT REDUNDANT###
c0t1d0s0 - c0t2d0s0 - RAID 0 (STRIPE) - 60GB - /dev/md/dsk/d0
Note: Volumes can be created using slices from a single disk or from multiple disks
Note: State database replicas serve ALL volumes managed by the Volume Manager
Note: RAID 0 concatenation - exhausts DISK1 before writing to DISK2
Note: RAID 0 stripe - distributes data evenly across members
Note: Use the same size slices when using RAID 0 striping
Note: after defining the volume, create the file system: newfs /dev/md/rdsk/d0
###Suggested layout for creating volumes using the volume manager###
SERVER
 - DISK0 - SYSTEM DISK
VOLUME MANAGE SECONDARY DISKS
 - DISK1 - SECONDARY DISK
 - DISK2 - SECONDARY DISK

###RAID-1 Configuration###
Note: RAID-1 relies upon submirrors, which are existing RAID-0 volumes (single-slice concatenations or stripes)
c0t1d0s0 - /dev/md/dsk/d0
c0t2d0s0 - /dev/md/dsk/d1
/dev/md/dsk/d2 - the mirror
d0 - source sub-mirror
d1 - destination sub-mirror
Create the file system on the mirrored volume '/dev/md/dsk/d2' (NOT on either submirror): newfs /dev/md/rdsk/d2
###RAID-5 Configuration###
Steps:
 1. Ensure that at least 3 components (slices/disks) are available for configuration
 2. Ensure that the components are identical in size
Slices for RAID-5:
c0t1d0s0 - 10GB
c0t1d0s0 - 10GB
c0t2d0s0 - 10GB
/dev/md/dsk/d0 = RAID-5 = 20GB (3 x 10GB, one component's worth of capacity holds parity)
Note: the components should be on three distinct disks; two slices on the same disk fail together, which is more than RAID-5 can survive
Note: You may attach (concatenate) components to a RAID-5 volume after creation; they will not store parity information, but their data is still protected by the parity on the original members.
###Using growfs to extend volumes###
growfs extends UFS file systems on mounted or unmounted volumes (ZFS grows its pools by adding devices and does not use growfs)
Steps to grow a mounted/unmounted file system:
 1. Find free slice(s) to add as component(s) to the volume, using SMC or the metattach CLI
 2. Add the component slice - wait for the initialization (concatenation) to complete
 3. execute 'growfs -M /d0 /dev/md/rdsk/d0'
Note: Once you've extended a volume, you CANNOT decrease it in size.
Note: Concatenating slices onto RAID-1/5 volumes yields an untrue RAID-1/5 volume:
SLICE1 SLICE2 SLICE3 | SLICE4 - concatenated - NOT a true RAID-1/5 member (no parity is stored)
Note: When extending RAID-1 volumes, extend each sub-mirror first (metattach), and then Solaris will automatically extend the RAID-1 volume. Then run 'growfs'.
###Soft Partitions###
 1. Provide an abstracted, extensible partition object
 2. Permit virtually unlimited segmentation of a disk - c0t1d0 - slices s0-s9 (0-7 usable, except 2, which conventionally represents the whole disk)
 3. Permit the creation of partitions on top of 1 or more slices
Steps:
 1. Clean up partitions on the existing disks: c0t1d0 & c0t2d0
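Added example, not from the course: the sizing and component rules from the stripe, mirror and RAID-5 notes above (equal-size members, three or more RAID-5 components, two submirrors, at least three replicas and the half-plus-one quorum) as a POSIX sh planner that validates a proposed layout and prints the metadb/metainit/metattach commands without running them. Slice sizes are supplied by the caller as slice:sizeMB because the script does not read prtvtoc; the function names are mine, the command syntax is Solaris Volume Manager's.

```shell
#!/bin/sh
# svm_plan.sh - check a Solaris Volume Manager layout against the rules
# in the notes and print the metadb/metainit commands for it. Nothing is
# executed. Added example; not course material.
# Components are given as slice:sizeMB (c0t1d0s0:10240); RAID-1 submirrors
# as name=slice:sizeMB (d0=c0t1d0s0:10240). The sizes stand in for what
# prtvtoc would report; this script does not read the disks.

_slice() { x=${1#*=}; printf '%s\n' "${x%%:*}"; }   # -> c0t1d0s0
_size()  { x=${1#*=}; printf '%s\n' "${x#*:}"; }    # -> 10240
_sub()   { printf '%s\n' "${1%%=*}"; }               # -> d0

# Stripes and RAID-5 want equal-size members: the excess on a larger
# slice is simply not used.
_same_size() {
    first=$(_size "$1")
    for m in "$@"; do
        [ "$(_size "$m")" = "$first" ] || return 1
    done
    return 0
}

# svm_metadb_plan <copies-per-slice> <slice> ...
# At least three replicas in total, on as many disks as possible; prints
# the quorum (half + 1) that must survive for the configuration to be
# trusted, then the command.
svm_metadb_plan() {
    copies=$1; shift
    total=$((copies * $#))
    [ "$total" -ge 3 ] || { echo "only $total replicas; need at least 3" >&2; return 1; }
    echo "quorum=$((total / 2 + 1))"
    echo "metadb -a -f -c $copies $*"
}

# svm_plan raid0 <vol> <slice:size> ...           (stripe, 32k interlace)
# svm_plan raid5 <vol> <slice:size> x3 or more
# svm_plan raid1 <mirror> <sub0>=<slice:size> <sub1>=<slice:size>
# Prints usable_mb=<n> followed by the commands, or an error on stderr.
svm_plan() {
    level=$1; vol=$2; shift 2
    n=$#; sz=$(_size "$1"); slices=""
    for m in "$@"; do slices="$slices $(_slice "$m")"; done
    case $level in
    raid0)
        _same_size "$@" || { echo "raid0: members differ in size" >&2; return 1; }
        echo "usable_mb=$((sz * n))"
        echo "metainit $vol 1 $n$slices -i 32k"
        ;;
    raid5)
        [ "$n" -ge 3 ] || { echo "raid5: need at least 3 components" >&2; return 1; }
        _same_size "$@" || { echo "raid5: components differ in size" >&2; return 1; }
        echo "usable_mb=$((sz * (n - 1)))"     # one component's worth holds parity
        echo "metainit $vol -r$slices"
        ;;
    raid1)
        [ "$n" -eq 2 ] || { echo "raid1: need exactly 2 submirrors" >&2; return 1; }
        _same_size "$@" || { echo "raid1: submirrors differ in size" >&2; return 1; }
        s0=$(_sub "$1"); s1=$(_sub "$2")
        echo "usable_mb=$sz"
        echo "metainit $s0 1 1 $(_slice "$1")"
        echo "metainit $s1 1 1 $(_slice "$2")"
        echo "metainit $vol -m $s0"            # one-way mirror first
        echo "metattach $vol $s1"              # attaching the second starts the resync
        ;;
    *)
        echo "unknown level: $level" >&2; return 1
        ;;
    esac
}
```

Review the printed commands, then paste them in; the RAID-5 case reproduces the 3 x 10GB = 20GB usable capacity the notes describe, and the RAID-1 case keeps the order the notes insist on: submirrors first, one-way mirror, then metattach.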
File Transfer Protocol Daemon (FTPD) Implementation - Notes
wu-ftpd
FTPD binds to TCP port 21 and is running by default
Note: FTP carries user names and passwords in cleartext; disable the service (svcadm disable ftp) where it is not needed
SMF controls the service configuration
svcs -l ftp - returns configuration
pkginfo -x | grep -i ftp - returns the SUNWftpu|r packages
SUNWftpu - includes useful user utilities
 ftpcount - dumps the connection count per class
 ftpwho - returns connected users & process information
 ftpconfig - used to set up anonymous/guest FTP
SUNWftpr - includes the server-side configuration files in /etc/ftpd
 - ftpaccess - primary configuration file for wu-ftpd
 - ftphosts - allow|deny access to users from hosts
 - ftpservers - allows the admin to define virtual hosts
 - ftpusers - users listed may NOT access the server via FTP (system accounts such as root belong here)
 - ftpconversions - facilitates tar, compress, gzip support
wu-ftpd supports both types of FTP data connection:
 1. PORT - Active FTP - client -> TCP:21 (server control connection) - client executes 'ls' -> results in the server initiating a connection back to the client, sourced from TCP:20 (ftp-data)
 2. PASV - Passive FTP - client -> TCP:21 (server control connection) - client executes 'ls' -> results in the server opening a high port and instructing the client to initiate the data connection to it
    - the client sources the data connection to the high port on the server (friendlier to a firewall in front of the client; a firewall in front of the server must allow the passive port range)
###Anonymous FTP configuration###
use 'ftpconfig' to provision anonymous access
Note: Anonymous and guest connections are jailed using chroot()

###FTPD Class Support###
Facilitates the grouping of users for the purpose of assigning directives
3 default classes:
 1. realusers - CAN log in using a shell (SSH/Telnet) - CAN browse the entire directory tree
 2. guestusers - temporary users - see a chrooted environment
 3. anonusers - general public - primarily for download capability

###Guest User Support###
Jailed/chrooted environment
Steps:
 1. useradd -d /export/home/guests/unixcbt4 -s /bin/true unixcbt4
 2. mkdir -p /export/home/guests/unixcbt4
 3. chown unixcbt4 /export/home/guests/unixcbt4
 4. ftpconfig -d /export/home/guests/unixcbt4 - sets up the chrooted environment
 5. update /etc/ftpd/ftpaccess - config file: guestuser unixcbt4
 6. restart ftp using svcadm restart ftp
Note: wu-ftpd refuses logins whose shell is not listed in /etc/shells, so add /bin/true there (a non-login shell keeps the account FTP-only)
Note: Guest users are similar to real users except guest users are chrooted/jailed.
###Virtual Hosts###
wu-ftpd supports 2 forms of virtual hosts:
 1. Limited - relies upon the primary config files /etc/ftpd/{ftpaccess,ftpusers,...}. Admin may define unique attributes including the following:
    a. banner
    b. logfile
    c. hostname
    d. email
    e. distinct IP address
 2. Full - relies upon distinct config files in a specified directory
    a. offers everything included with limited virtual hosts mode
    b. also adds distinct config files
    c. Note: Full mode will use the default config files in /etc/ftpd if the full virtual host instance is unable to find a distinct file.

###Limited Virtual Hosts Configuration###
/etc/ftpd/ftpaccess
virtual 192.168.1.51 root /var/ftp2
virtual 192.168.1.51 hostname linuxcbtdb1.linuxcbt.internal
virtual 192.168.1.51 banner /var/ftp2/.welcome_message.msg
virtual 192.168.1.51 logfile /var/log/ftp2/xferlog
virtual 192.168.1.51 allow unixcbt3
Note: Virtual hosts do not allow real & guest users access by default; 'virtual <address> allow <user>' grants it per user

###Full Virtual Hosts Configuration###
/etc/ftpd/ftpservers
address          configuration_directory
192.168.1.51     /etc/ftpd/ftp2
192.168.1.52     /etc/ftpd/ftp3
GNU Privacy Guard (GPG) - Notes
Features:
 1. Public key pair generation & maintenance for all users on the system. Keys are stored in ~/.gnupg
 2. Encrypt/Decrypt files - based on the communication partner's public key
 3. Encrypt/Decrypt e-mails - based on the recipient's public key
 4. Generate/Manage digital signatures (means of proving identity and that the data was not altered)

###Install GPG###
 1. www.sunfreeware.com
 2. gunzip gnupg-1.2.6-sol10-intel-local.gz && pkgadd -d gnupg-1.2.6-sol10-intel-local
Note: verify the package's published checksum before pkgadd installs it as root
Note: GPG manages, by default, 2 keyrings:
 1. Public - your public key, and potentially others'
    a. use 'gpg --list-keys' to enumerate public keys
 2. Private (secret) - your private key(s) - 'gpg --list-secret-keys'
Note: gpg uses the recipient's public key to encrypt communications (e-mail/files); only the matching private key can decrypt them

###Create Public/Private Key-Pair###
gpg --gen-key
Note: 'gpg --gen-key' functions similarly to the 'ssh-keygen' utility
Note: the passphrase protects the 'private key' of the pub/priv pair on disk
Note: GPG is compatible with PGP (the OpenPGP format)
###Import others' public keys###
Note: after importing a key, compare its fingerprint ('gpg --fingerprint') with the owner out of band before trusting it or encrypting to it; a key that merely carries the right name proves nothing
MySQL Implementation - Notes
Included with the Software Companion DVD
pkginfo -x | grep -i mysql
Note: This version of MySQL is NOT managed by SMF
Steps to initialize MySQL:
 1. /usr/sfw/bin/mysql_install_db - initializes the default DBs & tables
 2. groupadd mysql && useradd -g mysql mysql && echo $?
 3. chgrp -R mysql /var/mysql && chmod -R 770 /var/mysql && echo $?
 4. installf SUNWmysqlr /var/mysql d 770 root mysql
 5. cp /usr/sfw/share/mysql/my-medium.cnf /etc/my.cnf (global configuration)
 6. /usr/sfw/sbin/mysqld_safe --user=mysql & - starts MySQL
 7. /usr/sfw/bin/mysqladmin -u root password 'abc123' - sets the root password once the server is running (it is empty after mysql_install_db; a password typed on the command line ends up in the shell history, so prefer a stronger one entered interactively)
 8. symlinks so the server starts/stops with the run levels:
    ln /etc/sfw/mysql/mysql.server /etc/rc3.d/S99mysql
    ln /etc/sfw/mysql/mysql.server /etc/rc0.d/K00mysql
    ln /etc/sfw/mysql/mysql.server /etc/rc1.d/K00mysql
    ln /etc/sfw/mysql/mysql.server /etc/rc2.d/K00mysql
    ln /etc/sfw/mysql/mysql.server /etc/rcS.d/K00mysql
Note: MyISAM tables usually consist of 3 files:
 1. .MYI - index file
 2. .MYD - data file
 3. .frm - form file (describes the table structure)
Note: Client options specified on the command line override all other instances of the option.
Order in which options/directives are processed usually resembles the following (later wins):
 1. /etc/my.cnf - global config file
 2. /var/mysql/my.cnf - data-server specific config file
 3. ~/.my.cnf - user-specific config file
 4. command line options
Note: Drop the test database using the following syntax: 'drop database test;'
Note: You CANNOT drop the 'mysql' database because it contains the following critical information:
 1. list of databases to manage
 2. user table
 3. privileges tables
Note: MySQL creates 2 default users: 'root' & anonymous ('')
Note: The anonymous user matches all otherwise unmatched users, so remove the anonymous accounts (and the test database) on any server that is not a throwaway
Create a MySQL user using the following command:
grant all privileges on *.* to 'unixcbt'@'localhost' IDENTIFIED BY 'abc123';
Note: 'all privileges on *.*' makes the account a full administrator; for an application account grant only the privileges it needs, on its own database (dbname.*)
Note: After altering privileges directly in the grant tables, flush them to take effect using:
flush privileges;
NETSTAT - Notes
Lists connections for ALL protocols & address families to and from the machine
Address families (AF) include:
 INET - IPv4
 INET6 - IPv6
 UNIX - Unix domain sockets (Solaris/FreeBSD/Linux/etc.)
Protocols supported in INET/INET6 include: TCP, IP, ICMP (PING (echo/echo-reply)), IGMP, RAWIP, UDP (DHCP, TFTP, etc.)
Lists the routing table
Lists DHCP status for various interfaces
Lists the net-to-media table - network address to MAC (network card) table

###NETSTAT Usage###
netstat - returns sockets by protocol, using /etc/services to look up port names
/etc/nsswitch.conf is consulted by netstat to resolve names for IPs
netstat -a - returns ALL sockets for ALL address families (TCP/UDP/UNIX), including listeners
netstat -an - -n option disables name resolution of hosts & ports (faster, and the form to use when DNS may be slow or untrustworthy)
netstat -i - returns the state of interfaces. Pay attention to the errors/collisions/queue columns when troubleshooting performance
netstat -m - returns STREAMS memory statistics
netstat -p - returns net-to-media info (MAC/layer-2 info.), i.e. the ARP table
netstat -P protocol (ip|ipv6|icmp|icmpv6|tcp|udp|rawip|raw|igmp) - returns active sockets for the selected protocol
netstat -r - returns the routing table
netstat -D - returns DHCP configuration (lease duration/renewal/etc.)
netstat -an -f address_family
netstat -an -f inet|inet6|unix
netstat -an -f inet - returns IPv4-only information
netstat -n -f inet
netstat -anf inet -P tcp
netstat -anf inet -P udp
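Added example (not from the course notes): 'netstat -an -P tcp' is the command to run after enabling a service, and the question is which listeners are reachable from the network rather than bound to loopback. The POSIX sh/awk functions below answer that over a constructed copy of Solaris 10 netstat output (NETSTAT_SAMPLE is invented to match the format: '*.port' is the wildcard bind, LISTEN is the state column); the function names and the expected-port list are mine.

```shell
#!/bin/sh
# netstat_exposed.sh - which TCP listeners are reachable from the network?
# Feed it the output of: netstat -an -P tcp
# Added example; not from the course notes.

# Constructed copy of Solaris 10 'netstat -an -P tcp' output. The sockets
# are invented: sshd and httpd on the wildcard address, mysqld on loopback
# only, rpcbind on 111, one established web connection.
NETSTAT_SAMPLE='
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0  49152      0 LISTEN
      *.80                 *.*                0      0  49152      0 LISTEN
127.0.0.1.3306             *.*                0      0  49152      0 LISTEN
192.168.1.50.80      192.168.1.20.51234   49640      0  49640      0 ESTABLISHED
      *.111                *.*                0      0  49152      0 LISTEN

TCP: IPv6
   Local Address                     Remote Address                   Swind Send-Q Rwind Recv-Q   State      If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
      *.22                              *.*                              0      0  49152      0 LISTEN'

# Print "<bound address> <port>" for every listener not confined to
# loopback. Solaris writes the local socket as address.port, so the port
# is everything after the last dot and "*" is the wildcard bind.
netstat_exposed_listeners() {
    awk '
        / LISTEN( |$)/ {
            addr = $1; port = $1
            sub(/\.[^.]*$/, "", addr)     # drop ".port"
            sub(/.*\./, "", port)         # keep only the port
            if (addr == "127.0.0.1" || addr == "::1") next
            print addr, port
        }' | sort -u
}

# Exposed listeners whose port is not in the expected list ($1, space
# separated): the thing to look at after enabling a new service.
netstat_unexpected_listeners() {
    netstat_exposed_listeners | awk -v ok="$1" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        !($2 in want) { print }'
}
```

On the host: netstat -an -P tcp | netstat_unexpected_listeners "22 80". Anything printed is a service that is exposed and not on your list, which is how the 111/rpcbind listener in the sample surfaces; the loopback-only mysqld never appears.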
Network Configuration Overview - Notes
2 modes:
 1. Local Files mode - config is defined statically via key files
 2. Network Client mode - DHCP is used to auto-configure interface(s)
Current Dell PE server has 3 NICs:
 1. e1000g0 - plumbed (configured for network client mode)
 2. iprb0 - unplumbed
 3. iprb1 - unplumbed
1 virtual, mandatory interface: lo0 - loopback
Determine physical interfaces using 'dladm show-dev' or 'dladm show-link'
Determine plumbed and loopback interfaces using 'ifconfig -a'
NIC naming within the Solaris OS: i.e. e1000g0 - e1000g (driver name) 0 (instance)
Layers 2 & 3 info. - ifconfig -a, or ifconfig e1000g0
Layer 1 info. - dladm show-dev | dladm show-link
###Key network configuration files###
svcs -a | grep physical
svcs -a | grep loopback
 1. IP address - /etc/hostname.e1000g0, /etc/hostname.iprb0 | iprb1
 2. Domain name - /etc/defaultdomain - linuxcbt.internal
 3. Netmask - /etc/inet/netmasks - 192.168.1.0 255.255.255.0
 4. Hosts database - /etc/hosts (a symlink to /etc/inet/hosts) - loopback & ALL interfaces
 5. Client DNS resolver file - /etc/resolv.conf
 6. Default gateway - /etc/defaultrouter - 192.168.1.1, 172.16.20.1, 10.0.0.1
 7. Node name - /etc/nodename
 8. Name service configuration file - /etc/nsswitch.conf
netstat -D - returns DHCP configuration for ALL interfaces
ifconfig -a - returns configuration for ALL interfaces
Reboot the system after transitioning from network client (DHCP) mode to local files (static) mode
mv /etc/dhcp.e1000g0 to some other name, or remove the file, so that the DHCP agent is NOT invoked for that interface
echo "linuxcbtsun1" > /etc/nodename
###Plumb/enable the iprb0 100Mb/s interface###
Plumbing an interface is analogous to enabling it
Note: 172.16.20.11 is a Linux host waiting to communicate with the iprb0 interface
Steps:
 1. ifconfig iprb0 plumb up - this will enable the iprb0 interface
 2. ifconfig iprb0 172.16.20.10 netmask 255.255.255.0 - this will assign the layer-3 IPv4 address
Steps to unplumb an interface:
 1. ifconfig iprb0 down unplumb - take it down, then remove it from the IP stack

###Ensure that newly-plumbed interface settings persist across reboots###
Steps include updating/creating the following files:
 1. echo "172.16.20.10" > /etc/hostname.iprb0
 2. create an entry in /etc/hosts - 172.16.20.10 linuxcbtsun1
 3. echo "172.16.20.0 255.255.255.0" >> /etc/inet/netmasks
Note: To down an interface without unplumbing it, execute:
ifconfig interface_name down
ifconfig iprb0 down && ifconfig iprb0
###Sub-interfaces/Logical Interfaces###
e1000g0 (physical interface)
 - 192.168.1.50 (primary Apache website)
 - 192.168.1.51 (secondary Apache website)
 - 192.168.1.52 (used for SSH)
iprb0 - 172.16.20.10
iprb1
Use 'ifconfig interface_name addif ip_address <netmask>'
ifconfig e1000g0 addif 192.168.1.51 (no netmask given: Solaris consults /etc/inet/netmasks, then falls back to the classful default, /24 for 192.168.1.0)
Note: This will automatically create an 'e1000g0:1' logical interface
Note: Solaris places the new logical interface in DOWN mode by default
Note: use 'ifconfig e1000g0:1 up' to bring the interface up
Note: logical/sub-interfaces are contingent upon physical interfaces
Note: if the physical interface is down, so will be the logical interface(s)
Note: outbound connections are sourced using the IP address of the physical interface unless the application binds to the logical address

###Save logical/sub-interface configuration for persistence across reboots###
 1. gedit /etc/hostname.e1000g0:1 - 192.168.1.51
 2. gedit /etc/hostname.e1000g0:2 - 192.168.1.52
 3. Optionally update /etc/hosts - /etc/inet/hosts
 4. Optionally update /etc/inet/netmasks - when subnetting
Note: To remove a logical interface, execute the following:
ifconfig physical_interface_name removeif ip_address
ifconfig iprb0 removeif 172.16.20.20

###/etc/nsswitch.conf - name service configuration information###
Functions as a policy/rules file for the various kinds of resolution:
 1. DNS
 2. passwd (/etc/passwd, /etc/shadow), group (/etc/group)
 3. protocols (/etc/inet/protocols)
 4. ethers - MAC-to-IP mappings
 5. hosts - where to look for hostname resolution: files (/etc/hosts), dns (/etc/resolv.conf)
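Added example, not from the course: the persistence files in the steps above (/etc/hostname.<interface>, /etc/inet/hosts, /etc/inet/netmasks) are maintained by hand and drift; an interface that comes up with the wrong mask after a reboot is the usual result. The POSIX sh check below walks every hostname.* file under a root directory and reports addresses missing from hosts or networks missing from netmasks. It assumes a /24 classful network for the netmasks lookup (true for the 192.168.1.0 and 172.16.20.0 networks in the notes) and builds its sample files in a scratch directory with the interface names from the notes; the function names are mine.

```shell
#!/bin/sh
# netcfg_check.sh - do the files that make an interface persist agree?
# For every /etc/hostname.<if>[:n] under the root $1 the address (or the
# host name, resolved through /etc/inet/hosts) must have a hosts entry
# and its network a line in /etc/inet/netmasks.
# Added example; not from the course notes. Uses the classful /24 of the
# address for the netmasks lookup, which fits the lab networks here.

# escape the dots so an address can be used as a grep anchor
_re() { printf '%s\n' "$1" | sed 's/\./\\./g'; }
# classful /24 network of a dotted quad: 192.168.1.51 -> 192.168.1.0
_net24() { printf '%s\n' "${1%.*}.0"; }

# netcfg_check <root>   (/ on the live system, a scratch tree in the test)
# Prints one line per problem; exit status 1 if any were found.
netcfg_check() {
    root=${1:-}; rc=0
    hosts="$root/etc/inet/hosts"; masks="$root/etc/inet/netmasks"
    for f in "$root"/etc/hostname.*; do
        [ -f "$f" ] || continue
        ifname=${f##*/hostname.}
        read -r addr _rest < "$f" || true     # first token; 'netmask'/'up' may follow
        case $addr in
        *.*.*.*) ;;                           # literal IPv4 address
        *)  ip=$(awk -v h="$addr" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$hosts")
            if [ -z "$ip" ]; then echo "$ifname: $addr not in /etc/inet/hosts"; rc=1; continue; fi
            addr=$ip ;;
        esac
        grep -q "^$(_re "$addr")[[:space:]]" "$hosts" 2>/dev/null \
            || { echo "$ifname: $addr has no /etc/inet/hosts entry"; rc=1; }
        net=$(_net24 "$addr")
        grep -q "^$(_re "$net")[[:space:]]" "$masks" 2>/dev/null \
            || { echo "$ifname: no netmask for $net"; rc=1; }
    done
    return $rc
}

# Scratch tree with the interfaces from the notes; two things are wrong on
# purpose: 192.168.1.51 has no hosts entry and 172.16.20.0 has no netmask.
netcfg_make_sample() {
    d=$(mktemp -d); mkdir -p "$d/etc/inet"
    echo linuxcbtsun1 > "$d/etc/hostname.e1000g0"
    echo 192.168.1.51 > "$d/etc/hostname.e1000g0:1"
    echo 172.16.20.10 > "$d/etc/hostname.iprb0"
    printf '127.0.0.1 localhost\n192.168.1.50 linuxcbtsun1 loghost\n172.16.20.10 linuxcbtsun1-iprb0\n' > "$d/etc/inet/hosts"
    printf '192.168.1.0 255.255.255.0\n' > "$d/etc/inet/netmasks"
    echo "$d"
}
```

Run 'netcfg_check /' on the live system; empty output and a zero exit status mean the three files agree. A hostname.* file that names a host rather than an address is resolved through /etc/inet/hosts exactly as the boot scripts do it, so a missing hosts entry there is reported as well.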
Network File System (NFS) - Notes
Implemented by most, if not all, Unix-type OSs (Solaris/AIX/Linux/FreeBSD)
NFS seamlessly mounts remote file systems locally
NFS components include:
 1. NFS client (mount for temporary access, /etc/vfstab for persistence)
 2. NFS server
 3. AutoFS
NFS versions 3 & higher support large files (>2GB)
NFS major versions:
 2 - original
 3 - improved upon version 2
 4 - current version
Note: Solaris 10 simultaneously supports ALL NFS versions
/etc/default/nfs - contains the defaults for the NFS server & client
Note: a client->server NFS connection involves negotiation of the NFS version to use

###Steps for mounting remote file systems###
 1. ensure that a local mount point exists & is empty
    Note: files and/or directories already in a local mount point are hidden (unavailable) while a remote file system is mounted over it
 2. ensure that the NFS server is available and sharing directories
 3. mount the remote file system locally: mount -F nfs -o ro linuxcbtmedia:/tempnfs1 /tempnfs1
    Note: use 'man mount' to determine the mount options for the various FSs
 4. set up persistent mounts in the /etc/vfstab file

###Steps for sharing local file system locations###
 1. ensure that NFS is running: svcs -a | grep -i nfs
    Note: you may enable the NFS server and update the share information independently
    Start using: svcadm enable svc:network/nfs/server
    Note: the NFS server will NOT start if there are NO directories to share
 2. share -F nfs -d test_share /tempnfssun1 - exports for the current session. Does NOT persist across reboots
    Note: with no options the share is read/write to every host that can reach the server; restrict it with share options such as ro, rw=host:host and root=host (see share_nfs(1M))
 3. Configure NFS sharing for persistence by adding the same share command line to /etc/dfs/dfstab, then run shareall, which executes the commands in dfstab (they are also run at boot):
    share -F nfs -d test_share /tempnfssun1
    shareall
Note: consult 'man share_nfs' for permissions info.
AutoFS - Notes
Features:
1. Just-in-time mounting of file systems
2. Controlled by the 'automountd' daemon
3. Managed via the autofs service
4. References map files to determine which file systems to mount
5. Obviates the need to distribute the root password to non-privileged users
/etc/default/autofs - contains configuration directives for autofs
###AutoFS Maps###
3 types:
1. Master map - /etc/auto_master
2. Direct map - /etc/auto_direct - facilitates direct mappings
3. Indirect map - /etc/auto_* - referenced from /etc/auto_master
###/etc/auto_master###
Note: /etc/auto_master is always read by autofs (automountd daemon)
/etc/nsswitch.conf - used to determine the lookup location for automount maps
-hosts - references hosts defined in /etc/hosts; those hosts MUST export shares using NFS
Note: changes to /etc/auto_master (primary autofs policy file) usually require a service restart:
svcadm restart autofs
Note: AutoFS defaults to permitting clients to browse potential mount points
###Direct mapping example###
Note: Direct mappings seamlessly merge remote exports with local directories
Steps:
1. create an auto_direct mapping in /etc/auto_master:
/- auto_direct -vers=3
Network Mapper Nmap - Notes
Performs network reconnaissance/vulnerability testing
www.insecure.org
Compilation instructions:
1. export PATH=$PATH:/usr/ccs/bin
2. ./configure
3. make || gmake
4. gmake install - copies nmap to /usr/local/bin
Note: nmap can be run by any user on the system; however, only root may perform the more dangerous functions, i.e. SYN-based scans
###Check ports of hosts###
nmap -v 192.168.1.102
Run as root, this causes a SYN-based scan to occur: SYN -> SYN-ACK -> Termination
SYN -> SYN-ACK -> ACK - TCP-based scan performed by normal users
Nmap can export to the following file types:
1. Normal
2. XML
3. Greppable
Network Time Protocol (NTP) - Notes
Synchronizes the local system clock and can be configured to sync with any NTP-aware host
Hierarchical in design - strata 1 through 16
Lower stratum values are more accurate time sources
Stratum 1 servers are connected to external, more accurate time sources such as GPS
Note: Less latency usually results in more accurate time
External Time Source (GPS/Radio/etc.) -> NTP Stratum 1 -> NTP Stratum 2 -> Solaris Client/Server -> ...
Note: A Solaris 10 NTP system can be both client & server
Note: configure NTP clients to sync to 3 or more clocks (time sources)
###Client configuration###
xntpd (the ntp service) searches for /etc/inet/ntp.conf
Note: NTP uses UDP 123 as both source & destination port
ntpdate ntp_server - one-off synchronization of the local clock
Note: ntpdate does NOT update the local clock if xntpd is running locally
rdate - relies upon older time service
ntpq - NTP query utility; runs interactively & non-interactively
ntpq -np - lists peers without name resolution - non-interactive invocation
ntpq - invokes interactive mode
ntptrace - traces path to time source
ntpq - queries local or remote NTP servers
ntptrace - traces path to external time source
ntpdate - updates local clock
/etc/inet/ntp.conf - (server server_ip)
svcadm enable ntp - starts NTP (Server and/or Client)
NTP Pool Site: www.pool.ntp.org (Derive NTP public servers from their lists)
Quota Implementation & Management - Notes
Features:
Soft Limits - function as stage 1, the warning stage - if a user exceeds the soft limit, a timer is invoked (default 7 days), e.g. 100MB - if the user is still over the soft limit when the timer expires, the soft limit is enforced as a hard limit
Hard Limits - function as a storage ceiling - CANNOT be exceeded - once a user reaches the hard limit, the system will not allocate additional storage
File-system perspective of quotas:
2 objects are monitored:
1. BLOCKS
2. INODES
FILE (test.txt) -> 1 INODE -> 1 or more data BLOCKS (default 1K)
Quota tools:
1. edquota - facilitates the creation of quotas for users
2. quotacheck - checks for consistency between usage and quota policy
3. quotaon - enables quotas on a file system
4. repquota - displays quota information
###Steps to enable quota support###
1. modify /etc/vfstab - enable quotas per file system: 'rq' in the "Mount Options" column
2. create an empty 'quotas' file in the root of the desired file system
touch /export/home/quotas && chmod 600 /export/home/quotas
3. edquota unixcbt
edquota -p unixcbt unixcbt2 unixcbt3 unixcbt4 - copies unixcbt's quota policy to users unixcbt2, 3, 4
4. quotacheck -va
5. quota -v unixcbt
6. quotaon -v /dev/dsk/c0t0d0s7 - enables quota support
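Steps 1 and 2 are the ones that silently fail later (quotaon refuses a file system without 'rq', and a world-readable quotas file leaks every user's usage), so here is an added shell check for both. It is not from the notes; the vfstab content is constructed sample data that mirrors the notes' /export/home example, and the quotas-file test runs on a temporary directory:

```shell
#!/bin/sh
# Added example, not part of the notes: verify the two preconditions for
# quota support, the 'rq' mount option in /etc/vfstab and a mode-600
# 'quotas' file in the file system root.

# quota_enabled_in_vfstab VFSTAB_FILE MOUNTPOINT
# Returns 0 if the record for MOUNTPOINT (3rd column) lists 'rq' or 'quota'
# among its mount options (7th column), 1 otherwise. Comments are skipped.
quota_enabled_in_vfstab() {
    awk -v mp="$2" '
        /^#/ || NF < 7 { next }
        $3 == mp {
            seen = 1
            n = split($7, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "rq" || opts[i] == "quota") found = 1
        }
        END { if (seen && found) exit 0; exit 1 }
    ' "$1"
}

# quotas_file_ok MOUNTPOINT: the quotas file must exist in the root of the
# file system and must not be readable by ordinary users (mode 600).
quotas_file_ok() {
    f="$1/quotas"
    [ -f "$f" ] || return 1
    m=$(ls -l "$f" | cut -c1-10)      # mode string, e.g. -rw-------
    [ "$m" = "-rw-------" ]
}

# Demonstration on a constructed vfstab (sample data, not the live file).
demo() {
    v=$(mktemp) || return 1
    cat > "$v" <<'EOF'
#device         device          mount   FS      fsck    mount   mount
#to mount       to fsck         point   type    pass    at boot options
/dev/dsk/c0t0d0s7 /dev/rdsk/c0t0d0s7 /export/home ufs 2 yes rq
/dev/dsk/c0t0d0s5 /dev/rdsk/c0t0d0s5 /opt ufs 2 yes -
EOF
    for mp in /export/home /opt; do
        if quota_enabled_in_vfstab "$v" "$mp"; then
            echo "$mp: rq set, quotas can be enabled"
        else
            echo "$mp: rq missing, add it to the mount options column"
        fi
    done
    rm -f "$v"
}
demo
```

Against the real system, pass /etc/vfstab and the mount point: quota_enabled_in_vfstab /etc/vfstab /export/home && quotas_file_ok /export/home.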
Samba – Windows Integration - Notes
Integrates Unix-type systems with Windows
SMB (139)/CIFS (445) - 2 protocols used to communicate with Windows/Samba servers
Key client utilities:
1. smbtree - network neighborhood text utility. It enumerates workgroups, hosts & shares
smbtree -b - relies upon broadcasts for resolving workgroups/hosts
smbtree -D - echoes discovered workgroups using broadcasts/master browser
2. smbclient - provides an FTP-like interface to SMB/CIFS servers
smbclient service_name (e.g. //LINUXCBTWIN1/LinuxCBT)
Note: Most, if not all, Samba clients operate in case-insensitive mode
smbclient //linuxcbtwin1/linuxcbt
Note: when in smbclient interactive mode, prefix commands with '!' to execute them locally on the client; otherwise commands run on the server
smbclient -L linuxcbtwin1 - enumerates the shares on the server
smbclient -A ./.smbpaswd //linuxcbtwin1/solaris10
.smbpaswd contents:
username=unixcbt
password=abc123
3. smbtar - facilitates backups of remote shares
smbtar -s linuxcbtwin1 -x solaris10 -t solaris10.tar - backup
smbtar -s linuxcbtwin1 -x solaris10 -r -t solaris10.tar - restore
Remote Desktop Installation - Notes
Requirements - www.sunfreeware.com:
1. libiconv
2. libgcc 3.3.2 or higher
3. libopenssl 0.9.7
4. rdesktop-1.4.1
Features: rdesktop supports Remote Desktop Protocol (RDP) versions 4 & 5
Connects to:
1. Windows XP - RDP-5
2. Windows 2000 - RDP-5
3. Windows 2003 - RDP-5
4. Windows NT Server 4 - Terminal Services Edition - RDP-4
###usage###
rdesktop -g 700x500 -a 16 server_name(192.168.1.102)
Samba Server Configuration - Notes
/etc/sfw/smb.conf-example - modify & save as /etc/sfw/smb.conf
smb.conf is the main configuration file for the Samba server, & many of the Samba clients also read key directives from this file.
Features:
1. File & print sharing
2. Implemented as 2 daemons (smbd & nmbd)
smbd - file & print sharing - connections based on SMB/CIFS protocols: SMB - TCP 139, CIFS - TCP 445
nmbd - handles NETBIOS names, using primarily UDP connectivity (UDP 137 & 138): browse list (act as master browser, or derive the current list from the master browser); names of servers - derived using broadcast or WINS
3. Legacy service - does not currently benefit from SMF
4. Service is located in /etc/init.d & referenced via run-levels
5. Configuration changes to /etc/sfw/smb.conf are read automatically
###Samba Security Modes###
Default = security = user - relies upon the local Unix accounts database & the Samba database to grant or deny access to shared resources:
1. /etc/passwd
2. /etc/sfw/smbpasswd - handles translation of Windows auth to Unix auth
3. /etc/sfw/smbusers - provides translation between Unix & Windows users, i.e. translation of Windows' 'guest' user to Unix's 'nobody' user
###User Authentication Mode###
Note: NETBIOS names are restricted to 16 characters; however, only 15 characters are configurable
linuxcbtsun1.linuxcbt.internal = FQDN
Note: smbpasswd -a unixcbt - creates permitted Samba users in the /etc/sfw/private/smbpasswd file - otherwise, access will be denied
###Samba Web Administration Tool (SWAT)###
Steps to enable SWAT:
1. create an /etc/services entry for SWAT - TCP:901
2. create an /etc/inetd.conf entry for SWAT:
swat stream tcp nowait root /usr/sfw/sbin/swat swat
3. convert the inetd entry for SWAT to SMF using 'inetconv'
System Security Overview - Notes
/var/adm/sulog - houses SU attempts
Format: SU TIMESTAMP +|- TTY Switched_User_From-To ('+' = succeeded, '-' = failed)
SU 06/17 11:13 + pts/4 root-unixcbt
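Reading sulog by hand does not scale, so here is an added shell example (not from the notes) that reduces it to the two events a reviewer cares about: failed attempts, and successful switches to root. The log lines are constructed sample data in the format the notes give; only the first line is the notes' own example. It assumes user names contain no hyphen, since the From-To field is split on '-':

```shell
#!/bin/sh
# Added example, not part of the notes: summarise /var/adm/sulog.
# Field layout per line: SU date time +|- tty from-to

# Constructed sample log (first line is the notes' example, rest made up).
SAMPLE_SULOG='SU 06/17 11:13 + pts/4 root-unixcbt
SU 06/17 11:20 - pts/5 unixcbt-root
SU 06/17 11:21 - pts/5 unixcbt-root
SU 06/17 11:22 + pts/5 unixcbt-root
SU 06/18 09:02 + console unixcbt-unixcbt2'

# sulog_report < sulog : one line per event of interest
#   FAILED  <date> <time> <tty> <from> -> <to>
#   TO_ROOT <date> <time> <tty> <from>      (successful, non-root -> root)
sulog_report() {
    awk '
        $1 != "SU" || NF < 6 { next }
        {
            split($6, p, "-")            # "from-to"; assumes no "-" in names
            if ($4 == "-")
                printf "FAILED  %s %s %s %s -> %s\n", $2, $3, $5, p[1], p[2]
            else if (p[2] == "root" && p[1] != "root")
                printf "TO_ROOT %s %s %s %s\n", $2, $3, $5, p[1]
        }'
}

# sulog_failed_count < sulog : total failed attempts, usable as an alert
# threshold (e.g. several failures from one tty within minutes, as above)
sulog_failed_count() {
    awk '$1 == "SU" && $4 == "-" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_SULOG" | sulog_report
printf 'failed attempts: %s\n' "$(printf '%s\n' "$SAMPLE_SULOG" | sulog_failed_count)"
```

On a live system run sulog_report < /var/adm/sulog; the sample above shows the pattern worth alerting on, two failures from pts/5 followed by a success to root a minute later.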
/var/adm/loginlog - does NOT exist by default
Note: houses failed logins once the threshold (default of 5) is reached
touch /var/adm/loginlog
/etc/default/login
logins command
logins -x -l unixcbt - returns info from /etc/{passwd,shadow}
logins -p - lists users without passwords
###Password Generation Encryption Algorithm###
Note: the default in Solaris 10 is UNIX, the legacy encryption - the weakest
/etc/security/policy.conf - man policy.conf(4)
Note: password encryption changes take effect at the user's next password change
Sendmail MTA Features - Notes
Default configuration runs Sendmail
Runs as 2 daemons:
1. queue runner - submits jobs into the queue (PHP script/mailx/sendmail/etc.)
a. it runs as a non-privileged user called 'smmsp'
b. places messages into the queue directory: /var/spool/mqueue
c. the mailq command dumps the current status of the queue(s)
2. MTA mode - message delivery to local/remote recipients
a. it runs as root - to bind to well-known TCP:25
Note: Sendmail works with SMF
svcadm restart sendmail
svcs -l sendmail
Typical mail components in distributed mail environments:
1. MTA - Message Transfer Agent (Sendmail/Postfix/qmail)
2. MUA - Mail User Agent (mail, mutt, mailx, MS Outlook, Eudora, etc.)
3. MDA - Mail Delivery Agent (mail.local, procmail, etc.)
Config files:
1. /etc/mail/sendmail.cf - primary config file for the Sendmail MTA
2. /etc/mail/submit.cf - primary config file for the Sendmail MSP (smmsp)
Config file macros using the m4 language:
1. /etc/mail/cf/cf/sendmail.mc
2. /etc/mail/cf/cf/submit.mc
Note: Sendmail does NOT understand m4 files. Use m4 to generate updated .cf files if necessary
###/etc/aliases - used for local mail delivery###
Contains key aliases for 'postmaster' & system daemons
unixcbt:unixcbt@linuxcbtsun1
unixcbt@localhost
unixcbt@[email protected]
/etc/mail/local-host-names [email protected]
newaliases - generates updated DB for aliases
###per-user mail###
1. Sendmail stores mail using the older mbox format, which stores all of a user's mail in 1 potentially huge ASCII text file
2. /var/mail/username - flagged with the STICKY bit
###Mail delivery using local tools###
sendmail is monolithic - 1 program does it all (client/server/MSP/MTA)
sendmail -v unixcbt
Note: MSP submits to: /var/spool/clientmqueue
###Virtual Domains/Users Support###
/etc/mail/relay-domains
/etc/mail/local-host-names
unixcbt.internal
Virtual users:
Create: /etc/mail/virtusertable
Populate with mappings: virtual_email_address local_mailbox|[email protected] unixcbt
Configure /etc/mail/sendmail.cf via /etc/mail/cf/cf/sendmail.mc
- FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')
makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable - creates the DB file /etc/mail/virtusertable.db from the text table
###Relay Domains###
/etc/mail/relay-domains
Houses domains that sendmail should relay for, local and/or remote, e.g.:
linuxcbt.com
192.168.1.100
###IMAP/POP2|3 Support###
Differences between IMAP & POP:
1. IMAP stores messages on the server
2. POP downloads messages to the client
Note: the IMAP server must support the mbox mail storage format and, optionally, the Maildir mail storage format
Download IMAP2004g from sunfreeware.com
###Configure INETD control of IMAP & POP3 services###
/etc/inetd.conf
pop3 stream tcp nowait root /usr/local/sbin/ipop3d ipop3d
imap stream tcp nowait root /usr/local/sbin/imapd imapd
Note: use 'inetconv' to convert INETD entries in /etc/inetd.conf to SMF
###Evolution MUA - Connect to POP3 & IMAP Service###
Installed openssl-0.9.8 to support IMAP2004g
Configure Evolution
Note: Retrieving & sending messages are distinct functions:
1. SMTP - sending
2. IMAP/POP3/MS Exchange/etc. - retrieval
Snoop – Network Sniffer - Notes
Features:
1. Packet capturing facilities (ALL levels of the OSI model, minus physical)
2. Packet playback/replay facility
3. Sniffs on the first detected, non-loopback interface - output to STDOUT
4. MUST be executed as root
Note: snoop to an output file rather than to STDOUT for performance reasons (to minimize packet loss)
snoop
snoop -o snoop1.out - redirects captured traffic to a file named 'snoop1.out' and returns a packet count to STDOUT
Note: If connected to a switched environment, MIRROR the traffic to the Sun box in order for traffic to be available to snoop
snoop -i snoop1.out - reads the capture file
Note: snoop captures packets until killed with CTRL-C or the disk runs out of space
snoop -i snoop1.out -p 11573,11577 - extracts the packet range 11573-11577
snoop -v -i snoop1.out - VERBOSE (ALL OSI layers, 2-7)
snoop -V -i snoop1.out - SUMMARY (returns interesting packet payload)
Note: snoop supports Boolean primitives (host, tcp, udp, ip) & Boolean operators (AND, OR, NOT)
snoop -i snoop1.out tcp port 80
Note: snoop -o output_file - captures layers 2-7
snoop -o snoop1.out udp
snoop -o snoop1.out 192.168.1.50 192.168.1.102
###FTP Traffic Snoop###
snoop -o snoop_ftp_traffic.out host 192.168.1.102 linuxcbtsun1 and tcp and port 21
TCPDump – Network Sniffer - Notes
www.tcpdump.org
Packet Capturing - captures packets from network interfaces
Note: 2 major utilities supporting TCPDump's format include:
1. Ethereal - GUI protocol analyzer/sniffer
2. Snort NIDS - sniffer/logger/NIDS
TCPDump supports 3 qualifiers to assist in creating expressions:
1. Type - host|net|port, i.e. host 192.168.1.102
2. Direction - src|dst|src or dst|src and dst
3. Protocol - tcp|udp|ip
Syntax:
tcpdump options expression
tcpdump
tcpdump -D - returns available interfaces
tcpdump -i interface_name - binds to a specific interface
tcpdump -q - suppresses some packet header information
tcpdump -n - avoids name resolution - improves performance
Snort Network Intrusion Detection System (NIDS) - Notes
Features:
1. Packet capturing - libpcap.a (tcpdump.org)
2. Packet logging - captures are stored to disk (ASCII/TCPDump formats)
3. Network Intrusion Detection mode
Note: Software Companion DVD includes Snort 2.0(older version)
Requirements: 1. libpcap 2. libpcre
###Configuring Snort###
./configure --with-libpcap-libraries=/opt/sfw/lib --with-libpcre-includes=/opt/sfw/include --with-libpcre-libraries=/opt/sfw/lib
Appended to PATH: /usr/sfw/bin:/usr/ccs/bin
make
make install
###Snort as a Sniffer###
snort -v - dumps link headers (Layers 3 (IPs) & 4 (ports) of the OSI model)
snort -v -i e1000g0
snort -vd -i e1000g0 - dumps the Application Layer (Layer 7 of the OSI model)
snort -ve -i e1000g0 - dumps the data-link layer (Layer 2 of the OSI model)
snort -vde -i e1000g0 - dumps Layers 2, 3, 4, 7 of the OSI model
###Snort as a Packet Logger###
Note: identical to sniffer mode, except that data is directed to a file, which reduces I/O overhead.
snort -L snortlog.1
Note: Snort defaults to '/var/log/snort' to store the binary log and alert file
snort -L snortlog.1 -l ./log
Note: Snort supports TCPDump's Boolean primitives and operators. Additionally, Snort supports Berkeley Packet Filters (BPFs):
snort options BPFs
SYSLOG Implementation - Notes
Note: Syslog is the default logging handler/router in Solaris
Note: defaults to UDP:514
Note: segment your Syslog host(s) on a distinct subnet, protected by ACLs
pkgchk -lP /usr/sbin/syslogd
Syslog can log to the following locations:
1. remote host
2. local file (suggested destination because of I/O performance)
3. console
4. specific users
5. * (all logged-in users)
Note: Syslog processes 3 pieces of information represented by 2 fields per rule
/etc/syslog.conf - primary configuration file for Syslog
man syslog.conf
1: selector (*.emerg)
2: action (/dev/console)
*.emerg /dev/console
Selector = facility (user).severity_level (debug)
Action = target for the log entry (files, console, remote host)
###Syslog Recognized Facilities###
USER, KERN, MAIL (Postfix, Sendmail), DAEMON (programs), AUTH, LPR, NEWS, CRON, AUDIT, LOCAL0-7 (provides 8 usable facilities), MARK, *
###8 Syslog Recognized Severity Levels###
1. EMERG - yields least output
2. ALERT
3. CRIT
4. ERROR
5. WARNING
6. NOTICE
7. INFO
8. DEBUG - yields most output
Note: restart syslog after changing /etc/syslog.conf
local0.info /var/log/ciscofirewall1.log
touch /var/log/ciscofirewall1.log
svcadm restart system-log
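The selector semantics behind the firewall rule above, as an added shell example (not from the notes): a selector's level matches that level and everything more severe, so local0.info catches local0 messages at info through emerg but drops debug. The facility and level names follow the notes' two lists; 'none' (exclude a facility) is the standard syslog.conf spelling and is my addition to those lists. Only a single facility.level selector is handled, not ';'-separated lists:

```shell
#!/bin/sh
# Added example, not part of the notes: would a message with a given
# facility and severity be written by a given syslog.conf selector?

# sev_rank LEVEL : numeric rank, 0 = emerg (least output) .. 7 = debug
# (most output). Unknown level: no output, status 1.
sev_rank() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err|error) echo 3 ;;
        warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) return 1 ;;
    esac
}

# selector_matches SELECTOR MSG_FACILITY MSG_LEVEL
# SELECTOR is one syslog.conf selector such as '*.emerg', 'mail.info',
# 'local0.info' or 'kern.none'. Returns 0 (logged) or 1 (not logged).
selector_matches() {
    fac=${1%%.*}
    lvl=${1#*.}
    [ "$fac" = "*" ] || [ "$fac" = "$2" ] || return 1
    [ "$lvl" = "none" ] && return 1
    want=$(sev_rank "$lvl") || return 1     # bad selector level
    have=$(sev_rank "$3")   || return 1     # bad message level
    # lower rank = more severe; log when the message is at least as severe
    [ "$have" -le "$want" ]
}

# Worked check against the notes' rule: local0.info /var/log/ciscofirewall1.log
for pair in "local0 notice" "local0 debug" "kern info" "local0 emerg"; do
    set -- $pair
    if selector_matches local0.info "$1" "$2"; then r=logged; else r=dropped; fi
    echo "local0.info vs $1.$2: $r"
done
```

This is also why "*.emerg" yields the least output and "*.debug" the most: the rank threshold moves from 0 up to 7.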
Log Rotation using logadm - Notes
which logadm
pkgchk -lP /usr/sbin/logadm - member of SUNWcsu
logadm is configured to run daily in root's crontab
crontab -l
/etc/logadm.conf - default configuration file
Note: don't memorize all parameters. Execute 'logadm -h'
Note: command-line directives override /etc/logadm.conf directives
Note: logadm preserves 10 backups of log files, named logname.0 through logname.9
Note: logadm supports the shell wildcards '*' and '?'
Zettabyte File System (ZFS) - Notes
Features:
1. 256 quadrillion zettabytes (Terabytes - Petabytes - Exabytes - Zettabytes (1024 Exabytes))
2. RAID-0/1 & RAID-Z (RAID-5 with enhancements) (2 virtual devices required)
3. Snapshots - read-only copies of file systems or volumes
4. Creates volumes
5. Uses storage pools to manage storage - aggregates virtual devices
6. File systems attached to pools grow dynamically as storage is added
7. File systems may span multiple physical disks
8. ZFS is transactional
9. Pools & file systems are auto-mounted. No need to maintain /etc/vfstab
10. Supports file system hierarchies: /pool1/{home(5GB),var(10GB),etc.}
11. Supports reservation of storage: /pool1/{home(10GB),var}
12. Provides a secure web-based management tool - https://localhost:6789/zfs
###ZFS - CLI###
zpool list - lists known pools
zpool create pool_name (alphanumeric, _, -, :, .)
Pool name constraints (DO NOT USE THESE NAMES FOR YOUR POOL NAMES):
1. mirror
2. raidz
zpool create pool_name device_name1 device_name2 device_name3 ...
zpool create pool1 c0t1d0|/dev/dsk/c0t1d0
ZFS pool statuses:
1. ONLINE
2. DEGRADED
3. FAULTED
4. OFFLINE
5. UNAVAILABLE
zfs list - returns ZFS dataset info
zfs mount - returns pools and mount points
zpool status - returns the virtual devices that constitute pools
Note: ZFS requires a virtual device of at least 128MB to create a pool
zpool destroy pool1 - Destroys pool and associated file systems
###Create file systems within pool1###
zfs create pool1/home - creates a file system named 'home' in pool1
Note: by default, 'zfs create pool1/home' makes all storage available to 'pool1' available to 'pool1/home'
###Set quota on existing file system###
zfs set quota=10G pool1/home
###Create user-based file system beneath pool1/home###
zfs create pool1/home/unixcbt
Note: ZFS inherits properties from the immediate ancestor
zfs get -r compression pool1 - returns compression property for file systems associated with 'pool1'
###Rename File System###
zfs rename pool1/home/unixcbt pool1/home/unixcbt2
###Extending pool storage dynamically###
zpool add pool1 c0t2d0
###ZFS Redundancy/Replication###
1. Mirroring - RAID-1
2. RAID-5 - RAID-Z
Virtual devices:
1. c0t1d0 - 36GB
2. c0t2d0 - 36GB
Note: Redundancy/Replication is associated directly with the pool
zpool create poolmirror1 mirror c0t1d0 c0t2d0
###ZFS Snapshots###
Features:
1. Read-only copies of volumes or file systems
2. Use no additional space, initially
zfs list -t snapshot - returns available snapshots
Solaris Zones - Notes
Features:
1. Virtualization - cf. VMware
2. Solaris Zones can host only instances of Solaris, not other OSs
3. Limit of 8192 zones per Solaris host
4. The primary zone (global) has access to ALL zones
5. Non-global zones do NOT have access to other non-global zones
6. By default, non-global zones derive packages from the global zone
7. Program isolation - zone1 (Apache), zone2 (MySQL)
8. Provides 'z' commands to manage zones: zlogin, zonename, zoneadm, zonecfg
###Features of GLOBAL zone###
1. Solaris ALWAYS boots (cold/warm) to the global zone
2. Knows about ALL hardware devices attached to the system
3. Knows about ALL non-global zones
###Features of NON-GLOBAL zones###
1. Installed at a location on the file system of the GLOBAL zone, the 'zone root path': /export/home/zones/{zone1,zone2,zone3,...}
2. Share packages with the GLOBAL zone
3. Manage distinct hostname and tables files
4. Cannot communicate with other non-global zones by default. A NIC must be used, which means using the standard network API (TCP)
5. The GLOBAL zone admin can delegate non-global zone administration
###Zone Configuration###
Use: zonecfg - to configure zones
Note: zonecfg can be run in interactive, non-interactive and command-file modes
Requirements for non-global zones:
1. hostname
2. zone root path, i.e. /export/home/zones/testzone1
3. IP address - bound to a logical or physical interface
Zone types:
1. Sparse Root Zones - share key files with the global zone
2. Whole Root Zones - require more storage
Steps for configuring a non-global zone:
1. mkdir /export/home/zones/testzone1 && chmod 700 /export/home/zones/testzone1
2. zonecfg -z testzone1
3. create
4. set zonepath=/export/home/zones/testzone1 - sets the root of the zone
5. add net ; set address=192.168.1.60
6. set physical=e1000g0
7. (optional) set autoboot=true - testzone1 will be started when the system boots
8. (optional) add attr ; set name=comment; set type=string; set value="TestZone1"
9. verify - verifies the zone for errors
10. commit - commits the changes
11. Zone installation - zoneadm -z testzone1 install - places zone 'testzone1' into the 'installed' state. NOT ready for production
12. zoneadm -z testzone1 boot - boots the zone, changing its state
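The same steps in the command-file mode the notes mention (zonecfg -z NAME -f FILE), as an added shell example that is not from the notes: the function emits the command file from a zone name, root path, address and NIC, after checking that the path is absolute and the address is a dotted quad. The sample values are the notes' testzone1 ones. Two details are my additions to the interactive walk-through: an 'end' line after each 'add net' and 'add attr' block, which zonecfg needs to leave the resource scope, and autoboot defaulting to false when not given:

```shell
#!/bin/sh
# Added example, not part of the notes: generate a zonecfg command file for
# a non-global zone (equivalent to the interactive steps 3-10).

# zonecfg_cmdfile NAME ZONEPATH ADDRESS NIC [AUTOBOOT]
# Prints the command file on stdout; returns 1 on bad input.
zonecfg_cmdfile() {
    case "$2" in
        /*) ;;
        *)  echo "zonepath must be absolute: $2" >&2; return 1 ;;
    esac
    echo "$3" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "address must be a dotted quad: $3" >&2; return 1; }
    ab=${5:-false}
    cat <<EOF
create
set zonepath=$2
set autoboot=$ab
add net
set address=$3
set physical=$4
end
add attr
set name=comment
set type=string
set value="$1"
end
verify
commit
EOF
}

# Usage on Solaris (not executed here; paths are the notes' sample values):
#   mkdir -p /export/home/zones/testzone1 && chmod 700 /export/home/zones/testzone1
#   zonecfg_cmdfile testzone1 /export/home/zones/testzone1 192.168.1.60 e1000g0 true > testzone1.cfg
#   zonecfg -z testzone1 -f testzone1.cfg
#   zoneadm -z testzone1 install && zoneadm -z testzone1 boot
zonecfg_cmdfile testzone1 /export/home/zones/testzone1 192.168.1.60 e1000g0 true
```

Keeping the zone definition in a file makes it reviewable and repeatable, and the mode-700 directory from step 1 still has to exist before zoneadm install is run.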
###zlogin - is used to log in to zones###
Note: each non-global zone maintains a console. Use 'zlogin -C zonename' after installing the zone to complete zone configuration
Note: zlogin permits login to a non-global zone via the following:
1. Interactive - i.e. zlogin -l username zonename
2. Non-interactive - zlogin options command
3. Console mode - zlogin -C zonename
4. Safe mode - zlogin -S
zoneadm -z testzone1 reboot - reboots the zone
zlogin testzone1 shutdown