Solaris 10 global zone with 3 containers (web, app, and dba)
Virtual Solaris 10 utilizing Containers for N+ deployments
Description
VMWARE Solaris 10 with Containers
Overview
This project combines virtual machine and container technology. The “virtual appliance” that this project applies to is an N+ tiered web application infrastructure. The infrastructure consists of a web server, an application (or middleware) server and a database server, built with Sun’s container technology combined with VMware virtualization on a single Windows Server 2003 host.
This allows for very rapid deployment of a complete web application on the Solaris platform. It will also help lower hardware costs, and I believe it will make the Solaris platform a viable technology for the SMB market.
Sections
1. System Description
2. Login and User information
3. Configuration
4. Performance “Tweaks”
5. Security
6. Software
7. If I had more time
8. My Contact Information
System Description
The virtual appliance was built on a Dell Latitude D600 with a 1400 MHz processor and 1 GB of RAM. There are a total of 4 Solaris “servers” under one VMware install. The global zone is named usacosol10; there are 3 zones under the control of the global zone. Sun’s term for a “non-global zone” is a container. Containers allow you to deploy multiple systems under the global zone. Each system is independent and isolated from the other containers, and each container can be limited to the resources specified and assigned to it.
The 3 containers under the global zone are usacoweb01x, usacoapp01x, and usacodba01x.
The IP addresses for the systems are as follows; the default route is 192.168.0.250.
usacosol10 192.168.0.155 (global zone)
usacoweb01x 192.168.0.156
usacoapp01x 192.168.0.157
usacodba01x 192.168.0.158
The subnet mask is 255.255.255.0.
Login and User information
There are two different ways to connect to the non-global zones. From the global zone, logged in as root, you can use /usr/sbin/zlogin web-zone, app-zone, or dba-zone. You can also add -C to connect to the zone console.
You can also ssh to any of the systems that are part of this virtual appliance.
Root on all systems has the same password: root123
There are 3 users defined on the global zone (all user passwords are root123):
webadmin
appadmin
dbaadmin
The purpose of the 3 users on the global zone is to allow different groups to administer each of the containers without needing root on the global zone. Each of the 3 logins has limited rights on the global zone; its primary purpose is console access to the container associated with that login.
webadmin has sudo console access to usacoweb01x
appadmin has sudo console access to usacoapp01x
dbaadmin has sudo console access to usacodba01x
Each account can only access its own container. The command permitted via sudo is:
/usr/local/bin/sudo /usr/sbin/zlogin -C web-zone (with app-zone and dba-zone respectively for the other two zones)
Note: Changes to sudo have to be made on the global zone and are reflected in all of the containers, because the sudoers file lives in /usr/local/etc and /usr is inherited read-only by the non-global zones.
Each non-global zone also has a local user set up (webadmin, appadmin, or dbaadmin for its respective system).
Configuration
Configuration of the zones is largely the same, with a few differences.
usacoweb01x and usacoapp01x are configured to use up to 20% of the CPU; usacodba01x is configured to use up to 60% of the CPU. These settings can be changed with the zonecfg command from the global zone.
Due to memory limitations on the host laptop I did not set constraints on memory use. If this virtual appliance were deployed on a server-class machine you could limit maximum memory usage per zone; see projadd, projmod, and rcapadm to set memory limits.
The inherited directories for this project are /lib, /platform, /sbin, and /usr (and their subdirectories). These directories are read-only in the non-global zones and can only be modified from the global zone. The zones are nevertheless still isolated from each other by the kernel; if one zone has an issue with, say, a library, it stays isolated to that zone.
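The zone setup described above, as an added example rather than the appliance's own build script: a shell function that writes a zonecfg(1M) command file with the four inherited directories, the container's address and a zone.cpu-shares resource control. The zonepath under /export/zones, the NIC name pcn0 and the use of FSS shares (which are proportional, not a hard cap) are assumptions.

```shell
#!/bin/sh
# Added example: generate a zonecfg(1M) command file for one container.
# Assumptions (not from the original appliance notes): zones live under
# /export/zones, the VMware NIC is pcn0, and CPU limits are expressed as
# zone.cpu-shares under the Fair Share Scheduler (dispadmin -d FSS).

# gen_zonecfg ZONE ADDRESS SHARES  -> prints zonecfg commands on stdout
gen_zonecfg() {
    zone=$1; addr=$2; shares=$3
    case "$shares" in
        ''|*[!0-9]*) echo "gen_zonecfg: shares must be numeric" >&2; return 1 ;;
    esac
    # -b starts from a blank configuration so every setting is explicit.
    printf 'create -b\n'
    printf 'set zonepath=/export/zones/%s\n' "$zone"
    printf 'set autoboot=true\n'
    # Sparse-root zone: these directories are loopback-mounted read-only
    # from the global zone, so patches and sudoers changes apply everywhere.
    for d in /lib /platform /sbin /usr; do
        printf 'add inherit-pkg-dir\nset dir=%s\nend\n' "$d"
    done
    printf 'add net\nset address=%s\nset physical=pcn0\nend\n' "$addr"
    # Proportional CPU shares; a zone only loses CPU when others are busy.
    printf 'add rctl\nset name=zone.cpu-shares\n'
    printf 'add value (priv=privileged,limit=%s,action=none)\nend\n' "$shares"
    printf 'commit\n'
}

# Usage from the global zone (apply only after reviewing the output):
#   gen_zonecfg web-zone 192.168.0.156 20 > /tmp/web-zone.cfg
#   zonecfg -z web-zone -f /tmp/web-zone.cfg
```

Shares only take effect when the Fair Share Scheduler is the default scheduler (dispadmin -d FSS); with 20/20/60 shares the dba zone gets 60% of a contended CPU but may use more when the other zones are idle.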
Performance “Tweaks”
For usacodba01x the following shared memory, semaphore, and message queue settings have been added to /etc/system. They are sized for 792 MB of memory, 2 database instances, and 100 concurrent users on each instance.
set shmsys:shminfo_shmmax=660000000
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmseg=1627
set shmsys:shminfo_shmmni=1627
set semsys:seminfo_semmni=1627
set semsys:seminfo_semmns=4882
set semsys:seminfo_semmnu=864
set semsys:seminfo_semmsl=406
set semsys:seminfo_semopm=100
set semsys:seminfo_semume=2440
set semsys:seminfo_semvmx=32768
set semsys:seminfo_semaem=16384
set msgsys:msginfo_msgmap=2033
set msgsys:msginfo_msgmax=32550
set msgsys:msginfo_msgmnb=65100
set msgsys:msginfo_msgmni=813
set msgsys:msginfo_msgtql=803
set msgsys:msginfo_msgseg=8137
Security
The first approach to security is to reduce the “footprint” of unused open ports that could be exposed to, or used in, a security breach.
For all three systems we have shut down the following services; the sessions below were run on the global zone.
usacosol10:root:/ # svcs | grep send
maintenance 21:09:12 svc:/network/smtp:sendmail
Disable it with the svcadm command:
usacosol10:root:/ # svcadm disable svc:/network/smtp:sendmail
usacosol10:root:/etc # inetadm | grep enable
enabled online svc:/application/font/stfsloader:default
enabled online svc:/application/x11/xfs:default
enabled offline svc:/application/print/rfc1179:default
enabled online svc:/network/rpc/gss:default
enabled online svc:/network/rpc/smserver:default
enabled online svc:/network/rpc/rstat:default
enabled online svc:/network/rpc/rusers:default
enabled online svc:/network/security/ktkt_warn:default
enabled online svc:/network/telnet:default
enabled online svc:/network/nfs/rquota:default
enabled online svc:/network/finger:default
enabled online svc:/network/login:rlogin
enabled online svc:/network/shell:default
enabled online svc:/network/rpc-100235_1/rpc_ticotsord:default
enabled online svc:/network/rpc-100083_1/rpc_tcp:default
enabled online svc:/network/rpc-100068_2-5/rpc_udp:default
Turning the ports off:
usacosol10:root:/etc # inetadm -d svc:/application/x11/xfs:default
usacosol10:root:/etc # inetadm -d svc:/application/print/rfc1179:default
usacosol10:root:/etc # inetadm -d svc:/network/rpc/gss:default
usacosol10:root:/etc # inetadm -d svc:/network/rpc/smserver:default
usacosol10:root:/etc # inetadm -d svc:/network/rpc/rstat:default
usacosol10:root:/etc # inetadm -d svc:/network/rpc/rusers:default
usacosol10:root:/etc # inetadm -d svc:/network/telnet:default
usacosol10:root:/etc # inetadm -d svc:/network/nfs/rquota:default
usacosol10:root:/etc # inetadm -d svc:/network/finger:default
usacosol10:root:/etc # inetadm -d svc:/network/login:rlogin
usacosol10:root:/etc # inetadm -d svc:/network/shell:default
usacosol10:root:/etc # inetadm -d svc:/network/rpc-100235_1/rpc_ticotsord:default
usacosol10:root:/etc # inetadm -d svc:/network/rpc-100083_1/rpc_tcp:default
usacosol10:root:/etc # inetadm -d svc:/network/rpc-100068_2-5/rpc_udp:default
Note: some RPC services may still be needed by naming services such as NIS, NIS+, or LDAP.
That looks much better.
usacosol10:root:/etc # inetadm | grep enabled
enabled online svc:/application/font/stfsloader:default
enabled online svc:/network/security/ktkt_warn:default
usacosol10:root:/etc #
All SNMP community strings of public were changed to noaccess.
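As an added example (not part of the original notes), the following shell function turns the hardening steps above into a repeatable check: it reads an inetadm(1M) listing and reports any of the services disabled above that are still enabled, so a rebuilt or patched zone can be verified. The listing it runs on here is a constructed sample in the same format as the output shown above.

```shell
#!/bin/sh
# Added example: audit an inetadm(1M) listing against the services this
# appliance disables and print the ones still enabled.

# Services that should be off on every zone of this appliance (taken from
# the hardening steps above). ktkt_warn and stfsloader are left enabled.
UNWANTED='svc:/application/x11/xfs:default
svc:/application/print/rfc1179:default
svc:/network/rpc/gss:default
svc:/network/rpc/smserver:default
svc:/network/rpc/rstat:default
svc:/network/rpc/rusers:default
svc:/network/telnet:default
svc:/network/nfs/rquota:default
svc:/network/finger:default
svc:/network/login:rlogin
svc:/network/shell:default'

# audit_inetadm LISTING -> prints each unwanted FMRI that is still enabled,
# one per line; returns 1 if any were found, 0 if the zone is clean.
audit_inetadm() {
    found=0
    # inetadm prints three columns: ENABLED  STATE  FMRI
    for fmri in $(printf '%s\n' "$1" | awk '$1 == "enabled" { print $3 }'); do
        if printf '%s\n' "$UNWANTED" | grep -qx "$fmri"; then
            echo "$fmri"
            found=1
        fi
    done
    return $found
}

# Constructed sample listing (not captured from the appliance). rlogin is
# "offline" but still enabled, so it must be reported too.
SAMPLE='enabled  online  svc:/application/font/stfsloader:default
enabled  online  svc:/network/security/ktkt_warn:default
disabled disabled svc:/network/telnet:default
enabled  online  svc:/network/finger:default
enabled  offline svc:/network/login:rlogin'

# On a live zone run:  audit_inetadm "$(inetadm)"
# With SAMPLE this prints finger and rlogin and returns 1.
```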
Software
Below is the software that has been installed on all of the systems for this application.
Solaris 10 x86, 32-bit.
http://www.sun.com/software/solaris/get.jsp
The software below was downloaded from http://sunfreeware.microlink.lv/programlistintel10.html
The descriptions are quoted from that web site.
* gcc-3.3.2-sol10-intel-local.gz The GNU C compiler and related programs - installs in /usr/local. This package includes the GNU C, C++, g77, Java, and OBJC compiler suites and support files. The Gnat ada programs are not included yet. It was compiled to use the SUN assembler and loader usually in /usr/ccs/bin if the SUNW developer packages are installed. This gcc package requires the installation of libiconv.
Apache has been downloaded to /export/home/x86 on usacoweb01x. It has not been installed.
* apache-2.0.53-sol10-intel-local.gz Apache 2 - the popular web server - installs in /usr/local/apache2. This apache package was configured with openssl support. The expat, libiconv, db-4.2.52.NC, gdbm, openssl-0.9.7g, and either the libgcc or gcc must be installed. Documentation can be found in /usr/local/apache2/doc/apache2. The configuration files in /usr/local/apache2/conf must be edited to fit your site's needs, including ssl support. If you have already
* libgcc-3.3-sol10-intel-local.gz This package includes the files and links
* libgcc_s.so libstdc++.a libstdc++.so libstdc++.so.5.0.5
* libgcc_s.so.1 libstdc++.la libstdc++.so.5
Since these files are part of the gcc package, you may not need to install it if you already have gcc 3.3 installed. This package is created because some programs will not run without these libraries - installs in /usr/local/lib.
* lsof-4.74-sol10-intel-local.gz lsof lists information about files that are open by the processes running on a UNIX system - installs in /usr/local. lsof is typically run as root. The lsof package is a 32-bit package for the x86 processor with a 32-bit kernel. A version for AMD 64-bit processors with the 64-bit Solaris 10 kernel is being worked on.
MySQL has been downloaded to /export/home/x86 on usacodba01x. It has not been installed.
* mysql-4.0.21-sol10-intel-local.gz MySQL is an SQL database server - installs in /usr/local/mysql. mysql requires that you install libgcc if you don't have gcc installed already. mysql requires a number of installation steps that can be found in the files in /usr/local/mysql/doc/mysql. I have only done the configure, make, make install steps and not the creation of the mysql user and group or the other steps that are needed. All the tests in the test suite executed correctly.
zlib packages be installed. The files /usr/local/lib/libgcc_s.so.1 and /usr/local/lib/libstdc++.so.5 from the libgcc or gcc packages are also needed.
* sudo-1.6.8p4-sol10-intel-local.gz Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. The sudoers file is installed in /usr/local/etc, rather than /etc. Note that in this version, the sudoers file cannot contain spaces or tabs before labels. This is different than in some earlier versions. Therefore, if you are moving your sudoers file from a previous version, you may need to do some minor editing - installs in /usr/local.
* tcp_wrappers-7.6-sol10-intel-local.gz The tcp_wrappers package allows you to monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services. It provides tiny daemon wrapper programs - installs in /usr/local. The package includes the libwrap.a file which is often used by other programs to include support for tcp_wrappers. This package was compiled to be used in the Advanced method for installation of the wrapper programs. See the README for installation details. If you are going to be using the IPV6 protocols in your systems, you need to download
* top-3.5.1-sol10-intel-local.gz top process analysis utility.
Note: top only works on the global zone.
* zlib-1.2.2-sol10-intel-local.gz zlib compression libraries - installs in /usr/local. This package has both libz.a and libz.so libraries. The package requires that libgcc_s.so.1 be in /usr/local/lib. This can be done by installing libgcc-3.3 or gcc or higher.
© Copyright 2005 Steven M. Christensen and Associates, Inc.
http://sunfreeware.microlink.lv/programlistintel10.html
If I had more time
Due to “life happening” I ran out of time. That being said, some of the other additions to this virtual appliance that I had planned on including are:
Veritas for disk management
http://www.symantec.com/enterprise/sfbasic/index.jsp
Veritas 4.1 Notes
Download your free copy of Veritas Storage Foundation Basic for Linux and Solaris x64 servers. Note: This free version is limited to 4 user-data volumes, and/or 4 user-data file systems, and/or 2 processor sockets in a single physical system.
Solaris ZFS
http://www.sun.com/software/solaris/zfs.jsp
New disk / volume management from Sun.
Implement Sun's sar (system activity reporter) to meet SOX logging requirements.
Modify the web server TCP settings to optimize web server performance, specifically checking whether the settings we use on Solaris 8 and 9 still apply.
These help limit TIME_WAIT issues on the web server:
/usr/sbin/ndd -set /dev/tcp tcp_wscale_always 1
/usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat 279600
/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 279600
These improve throughput between the web server and the app server (set in /etc/system):
set tcp:tcp_conn_hash_size=8192
set priority_paging=1
set maxpgio=25468
set slowscan=500
Configure Sun's firewall (IP Filter) between each of the systems to limit connections and communication protocols.
Configure a jump (JumpStart) server on the global zone. This would allow a boot -net to repair non-global zones if needed.
Lastly, create a script to easily change system names and IP addresses (although doing it manually takes very little time).
My Contact Information
Jason E. Leohner
821 Fairhaven St.
Castle Rock, CO 80104
303-995-7105
jason.leohner@eds.com
jason_leohner@yahoo.com
AOL jeleohner
yahoo jason_leohner
Last updated: 06/04/2006
Operating system:
Solaris 10
Applications installed: see the Software section above.
VMware Tools installed:
No
Size:
1956 MB
Torrent available:
Yes
Primary account
Username: root
Password: root123
Submitted by: jleohner