
UnixCBT feat. Solaris 10 Edition

Training Notes – 20060801.01

Table of Contents

Apache Web Server - Notes .......................................... 3
BIND DNS Implementation - Notes .................................... 6
System Scheduler – Cron - Notes .................................... 8
File System Management - Notes ..................................... 10
Volume Management - Notes .......................................... 12
File Transfer Protocol Daemon (FTPD) Implementation - Notes ........ 15
GNU Privacy Guard (GPG) - Notes .................................... 17
MySQL Implementation - Notes ....................................... 18
NETSTAT - Notes .................................................... 19
Network Configuration Overview - Notes ............................. 20
Network File System(NFS) - Notes ................................... 22
AutoFS - Notes ..................................................... 23
Network Mapper Nmap - Notes ........................................ 23
Network Time Protocol (NTP) - Notes ................................ 24
Quota Implementation & Management - Notes .......................... 25
Samba – Windows Integration - Notes ................................ 25
Remote Desktop Installation - Notes ................................ 26
Samba Server Configuration - Notes ................................. 26
System Security Overview - Notes ................................... 27
Sendmail MTA Features - Notes ...................................... 27
Snoop – Network Sniffer - Notes .................................... 30
TCPDump – Network Sniffer - Notes .................................. 30
Snort Network Intrusion Detection System (NIDS) - Notes ............ 31
SYSLOG Implementation - Notes ...................................... 32
Log Rotation using logadm - Notes .................................. 32
Zettabyte File System (ZFS) - Notes ................................ 33
Solaris Zones - Notes .............................................. 34

Apache Web Server - Notes

SAMP - Solaris Apache MySQL PHP/Perl
LAMP - Linux Apache MySQL PHP/Perl/Python

Modular & Reliable

2 Versions (1.3.33 & 2.0.50) are included with Solaris 10

svcs -a | grep -i apache

Note: Apache2 documentation is available @: http://localhost/manual

Steps to invoke Apache on Solaris 10:

1. cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf

2. update servername & server admin directives for main server

3. svcadm enable apache2

4. netstat -anP tcp | grep 80 && http://localhost/manual

Note: Typical classes of web server status codes:

200 - OK
300 - Redirect
400 - client error
500 - server errors

Note: Apache ALWAYS maintains a DEFAULT HOST. Config is in httpd.conf and outside of ANY and ALL virtual hosts containers
Note: Apache requires the following info. for the DEFAULT HOST:

1. ServerName linuxcbtsun1.linuxcbt.internal

2. ServerAdmin

3. DocumentRoot - where to serve content from

4. IP Address:Port to bind to - optional

5. Logging information - custom/combined & error logs

Note: Listen directive controls IPs and ports that Apache binds to
Note: specify 'Listen' directive(s) in the DEFAULT HOST(httpd.conf)
Note: You can specify multiple Listen Directives
Note: Apache binds to ALL IP addresses when 'Listen' is specified without an IP address

DEFAULT HOST(IP:PORT)
  -Virtual Host 1
  -Virtual Host 2

<Directory "/var/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Directory "/var/apache2/htdocs/temp">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Note: <Directory "/var/apache2/htdocs"> - applies to all sub-directories

###Order, Allow, Deny Rules###

Note: Order is specified and Deny or Allow or combination follows
Note: Allow|Deny supports the following attributes

1. IP Address - 127.0.0.1

2. IP Address range

3. IP Subnet Mask using CIDR or Class notation - 192.168.1.0/24 or 192.168.1.0/255.255.255.0

4. Partial IP address (leading octets) - 192.168.1

5. ALL

6. Environment variables - referrer, user agents

Used to influence default doc: DirectoryIndex index.html index.html.var

LogFormat is used to define logging keywords that can be referenced
Apache can log to multiple log files, various keywords, simultaneously

###Alias Directive###
Maps webspace location to file system location, usually non-document root

###Files Directive###
Facilitates restrictions on matching files regardless of location on server

<Files noaccess.html>
    Order allow,deny
    Deny from all
</Files>

Note: When applied OUTSIDE of <Directory> block, applies to all instances of named file throughout the web server

Task: Create web-accessible directory, but restrict access to certain IPs
Steps:

1. mkdir /var/apache2/private

2. Create appropriate Alias - Alias /private/ /var/apache2/private/

3. Create appropriate <Directory> block
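As an added example (not part of the UnixCBT notes), the POSIX shell functions below evaluate the Order/Allow/Deny rules described above for one client IP, covering the full, partial, CIDR, dotted-mask and 'all' forms, so the effect of a <Directory> block can be checked before it goes into httpd.conf. The Allow/Deny lists and client addresses used are constructed.

```sh
#!/bin/sh
# Added example, not from the UnixCBT notes: evaluate Apache 2.0-style
# "Order allow,deny" / "Order deny,allow" access control for one client IP.
# Allow/Deny tokens supported (the forms listed in the notes): a full IPv4
# address, a partial address such as 192.168.1, CIDR (192.168.1.0/24),
# a dotted mask (192.168.1.0/255.255.255.0) and the keyword "all".

# ip_to_int DOTTED -> prints the IPv4 address as a 32-bit integer
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_len SUFFIX -> prints the prefix length for "24" or for "255.255.255.0"
prefix_len() {
    case $1 in
        *.*) n=$(ip_to_int "$1"); len=0
             # count the leading one bits of the dotted mask
             while [ "$len" -lt 32 ] && [ $(( (n >> (31 - len)) & 1 )) -eq 1 ]; do
                 len=$((len + 1))
             done
             echo "$len" ;;
        *)   echo "$1" ;;
    esac
}

# addr_matches TOKEN IP -> 0 when the Allow/Deny token covers IP
addr_matches() {
    case $1 in
        all|ALL) return 0 ;;
        */*) net=${1%/*}; len=$(prefix_len "${1#*/}")
             mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
             if [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]; then
                 return 0
             fi
             return 1 ;;
        *)   # full address: exact match; partial address: match on an octet boundary
             case $2 in
                 "$1"|"$1".*) return 0 ;;
             esac
             return 1 ;;
    esac
}

# list_matches "TOKEN TOKEN ..." IP -> 0 when any token in the list covers IP
list_matches() {
    for tok in $1; do
        if addr_matches "$tok" "$2"; then return 0; fi
    done
    return 1
}

# apache_access ORDER "ALLOW tokens" "DENY tokens" IP -> prints granted|denied
#   Order allow,deny: default deny;  granted only if Allow matches and Deny does not
#   Order deny,allow: default allow; denied only if Deny matches and Allow does not
apache_access() {
    if list_matches "$2" "$4"; then allowed=1; else allowed=0; fi
    if list_matches "$3" "$4"; then denied=1;  else denied=0;  fi
    case $1 in
        allow,deny) if [ "$allowed" -eq 1 ] && [ "$denied" -eq 0 ]; then echo granted; else echo denied; fi ;;
        deny,allow) if [ "$denied" -eq 1 ] && [ "$allowed" -eq 0 ]; then echo denied; else echo granted; fi ;;
        *)          echo "unknown Order: $1" >&2; return 2 ;;
    esac
}

# The task above (web-accessible directory limited to certain IPs), two equivalent ways,
# then the classic mistake: under Order deny,allow, "Allow from all" overrides every Deny.
apache_access allow,deny "192.168.1.0/24" ""             192.168.1.77   # granted
apache_access allow,deny "192.168.1.0/24" ""             10.0.0.5       # denied
apache_access deny,allow "192.168.1"      "all"          10.0.0.5       # denied
apache_access deny,allow "all"            "192.168.1.50" 192.168.1.50   # granted (!)
apache_access allow,deny "all"            "192.168.1.50" 192.168.1.50   # denied
```

The last two calls show why the Order line matters as much as the Allow/Deny lines: the same Deny is honoured under allow,deny and silently ignored under deny,allow.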

###Virtual Hosts Support###

2 Types of Virtual Hosts are supported:

1. IP-based - Each virtual host is associated with a distinct address

2. Name Based - All or a group of Virtual Hosts share a distinct address

###IP-based Virtual Hosting###
Note: System requires multiple IP addresses
Note: Default Apache Host binds to ALL IP addresses on port 80

Steps:

1. Implement appropriate 'Listen' directive

2. Configure Virtual Hosts

3. Restart Apache

4. Test configuration

Listen 192.168.1.50:80
<VirtualHost 192.168.1.50:80>
    ServerName linuxcbtsun1.linuxcbt.internal
    ServerAdmin unixcbt@linuxcbtsun1.linuxcbt.internal
    DocumentRoot /var/apache2/ipvhost1
    ErrorLog /var/apache2/logs/ipvhost1.error.log
    CustomLog /var/apache2/logs/ipvhost1.access.log combined
</VirtualHost>

Note: Apache will serve content from the DocumentRoot of DEFAULT HOST if a request does NOT match any of the Virtual Hosts

Listen 192.168.1.51:80
<VirtualHost 192.168.1.51:80>
    ServerName linuxcbtsun3.linuxcbt.internal
    ServerAdmin unixcbt@linuxcbtsun1.linuxcbt.internal
    DocumentRoot /var/apache2/ipvhost2
    ErrorLog /var/apache2/logs/ipvhost2.error.log
    CustomLog /var/apache2/logs/ipvhost2.access.log combined
</VirtualHost>

###NameBased Virtual Hosting###
Facilitates the sharing of 1 IP address by a group of web sites
Steps:

1. Define appropriate Listen directive(s)

2. Define appropriate NameVirtualHost directive(s)

3. Define Virtual Hosts

4. Restart Apache

5. Confirm configuration

Listen 80
NameVirtualHost *:80 - means to permit NameBased Virtual Hosts on ALL IPs
Note: NameVirtualHost directive MUST match VirtualHost directive

<VirtualHost *:80>
    ServerName linuxcbtsun1.linuxcbt.internal
    ServerAdmin unixcbt@linuxcbtsun1.linuxcbt.internal
    DocumentRoot /var/apache2/namevhost1
    ErrorLog /var/apache2/logs/namevhost1.error.log
    CustomLog /var/apache2/logs/namevhost1.access.log combined
</VirtualHost>

BIND DNS Implementation - Notes

Bind 9.x - SUNWbind(client & server utilities) & SUNWbindr(SMF)

Steps to configure DNS:

1. Create /etc/named.conf - primary named/BIND/DNS configuration file

options {
    directory "/var/named";
};

###Special zone indicating the root of the DNS hierarchy###
###Downloaded named.root from: ftp://ftp.rs.internic.net/domain/named.root###
zone "." {
    type hint;
    file "db.cache";
};

###Reverse Zones###
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "db.192.168.1";
};

zone "20.16.172.in-addr.arpa" {
    type master;
    file "db.172.20.16";
};

###Forward Zones###
zone "unixcbt.internal" {
    type master;
    file "db.unixcbt.internal";
};

###Zone File Syntax###
Note: @ is a variable, which indicates the name of the zone as configured in /etc/named.conf

svcadm enable dns/server

Note: With or without master domains, BIND functions as a caching-only NS

Our server is configured to be:

1. Caching-Only Server

2. Authoritative Server

###Mail Exchanger(MX) Record Setup###
Note: Implement MX via 2 records

1. IN MX 10 mail.unixcbt.internal

###Slave DNS Server Configuration###
Note: There really isn't a Slave DNS Server with BIND, however, there is a SLAVE ZONE

Steps:

1. copy the following files to slave server:

a. db.127.0.0 - houses reverse, loopback zone info.

b. db.cache - houses root hints

c. named.conf - primary DNS BIND configuration file

Note: DNS BIND server can also be a slave server in addition to caching-only and authoritative server.

System Scheduler – Cron - Notes

Features:

1. Permits scheduling of scripts(shell/perl/python/ruby/PHP/etc.)/tasks on a per-user basis via individual cron tables.

2. Permits recurring execution of tasks

3. Permits one-time execution of tasks via 'at'

4. Logs results(exit status but can be full output) of executed tasks

5. Facilitates restrictions/permissions via - cron.deny,cron.allow,at.*

Directory Layout for Cron daemon:

/var/spool/cron - its sub-directories store cron & at entries
/var/spool/cron/atjobs - houses one-off atjobs

- 787546321.a - corresponds to a user's atjob

/var/spool/cron/crontabs - houses recurring jobs for users

- username - these files house recurring tasks for each user

Cron command:

crontab - facilitates the management of cron table files
crontab -l - lists the cron table for current user - for root, reads /var/spool/cron/crontabs/root

###Cron table format###

m(0-59) h(0-23) dom(1-31) m(1-12) dow(0-6) command

10 3 * * *   /usr/sbin/logadm                                        - 3:10AM - every day
15 3 * * 0   /usr/lib/fs/nfs/nfsfind                                 - 3:15 - every Sunday
30 3 * * *   [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
1  2 * * *   [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1

Note: (date/time/command) MUST be on 1 line

m   = minute(0-59)
h   = hour(0-23)
dom = day of the month(1-31)
m   = month(1-12)
dow = day of the week(0-6) - 0=Sunday

Note: each line contains 6 fields/columns - 5 pertain to date & time of execution, and the 6th pertains to command to execute

#m   h         dom m dow command
10   3         *   * *   /usr/sbin/logadm - 3:10AM - every day
*    *         *   * *   /usr/sbin/logadm - every minute,hour,dom,m,dow
*/5  *         *   * *   /usr/sbin/logadm - every 5 minutes(0,5,10,15,...)
1    0-4       *   * *   /usr/sbin/logadm - 1 minute after the hours 0-4
0    0,2,4,6,9 *   * *   /usr/sbin/logadm - top of the hours 0,2,4,6,9
1-9  0,2,4,6,9 *   * *   /usr/sbin/logadm - 1-9 minutes of hours 0,2,4,6,9

Note: Separate columns/fields using whitespace or tabs
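As an added example (not part of the UnixCBT notes), the POSIX shell functions below apply the cron table format just described: they decide whether a 5-field time specification fires at a given minute/hour/day-of-month/month/day-of-week, handling the '*', '*/n', range and list forms from the table. The entries checked are the ones listed above; the dates tested against are constructed.

```sh
#!/bin/sh
# Added example, not from the UnixCBT notes: decide whether a crontab time
# specification fires at a given minute/hour/day-of-month/month/day-of-week.
# Handles the field forms used in the table above: "*", "*/n" steps, "a-b"
# ranges and "a,b,c" lists (list items may themselves be ranges or stepped ranges).

# field_matches SPEC VALUE -> 0 when the cron field SPEC covers VALUE
field_matches() {
    spec=$1; val=$2
    case $spec in
        *,*) # a list matches when any one of its items matches
             old_ifs=$IFS; IFS=,
             set -f                 # "*" items must not glob against the cwd
             set -- $spec
             set +f; IFS=$old_ifs
             for item in "$@"; do
                 if field_matches "$item" "$val"; then return 0; fi
             done
             return 1 ;;
    esac
    step=1
    case $spec in
        */*) step=${spec#*/}; spec=${spec%/*} ;;     # "*/5" or "1-9/2"
    esac
    case $spec in
        '*') lo=0; hi=99 ;;                            # any value; steps are counted from 0
        *-*) lo=${spec%-*}; hi=${spec#*-} ;;
        *)   lo=$spec; hi=$spec ;;
    esac
    if [ "$val" -ge "$lo" ] && [ "$val" -le "$hi" ] && [ $(( (val - lo) % step )) -eq 0 ]; then
        return 0
    fi
    return 1
}

# cron_fires "m h dom m dow [command]" MIN HOUR DOM MON DOW -> 0 when the entry
# runs at that instant; dow 0 is Sunday (7 is folded to 0)
cron_fires() {
    min=$2; hour=$3; dom=$4; mon=$5; dow=$(( $6 % 7 ))
    set -f                                    # keep "*" fields from globbing
    set -- $1                                 # split the entry into its fields
    set +f
    if [ $# -lt 5 ]; then
        echo "cron_fires: entry needs 5 time fields" >&2; return 2
    fi
    if field_matches "$1" "$min" && field_matches "$2" "$hour" &&
       field_matches "$3" "$dom" && field_matches "$4" "$mon" &&
       field_matches "$5" "$dow"; then
        return 0
    fi
    return 1
}

# Entries from the table above, checked against a Sunday 03:15 and a Monday 03:10 (constructed dates)
cron_fires "15 3 * * 0 /usr/lib/fs/nfs/nfsfind" 15 3 6 8 0 && echo "nfsfind runs on Sunday 03:15"
cron_fires "15 3 * * 0 /usr/lib/fs/nfs/nfsfind" 15 3 7 8 1 || echo "nfsfind does not run on Monday 03:15"
cron_fires "10 3 * * * /usr/sbin/logadm" 10 3 7 8 1 && echo "logadm runs every day at 03:10"
cron_fires "*/5 * * * * /usr/sbin/logadm" 12 3 7 8 1 || echo "*/5 skips minute 12"
```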

###Create crontabs for root & unixcbt###
Note: ALWAYS test commands prior to crontab/at submission

11 * * * * repquota -va >> /reports/`date +%F`.quota.report

Note: set EDITOR variable to desired editor - export EDITOR=vim

###unixcbt - execute quota -v###
#!/usr/bin/bash
HOME=/export/home/unixcbt
quota -v >> $HOME/`date +%F`.unixcbt.quota.report
#END

Note: aim to reference scripts(shell/perl/python/ruby/PHP,etc.) from crontab entries instead of embedding long command strings full of special characters

Note: Default Solaris install creates 'at.deny' & 'cron.deny'
You MUST not be included in either file to be able to submit at & cron entries

Conversely, if cron.allow and at.allow files exist, you MUST belong to either file to submit at or cron entries

File System Management - Notes

###Recap of steps necessary to partition/slice & create file systems###
Steps:

1. unmount existing file systems - umount /data2 /data3

2. confirm fdisk partitions via 'format' utility - format - select disk - select fdisk

3. use partition - modify to create slices on desired drives

DISK1

-slice 0 - /dev/dsk/c0t1d0s0

DISK2

-slice 0 - /dev/dsk/c0t2d0s0

4. Create file system using 'newfs /dev/rdsk/c0t0d0s0'

5. Use 'fsck /dev/rdsk/c0t1d0s0' to verify the consistency of the file system

6. Mount file systems at various mount points - mount /dev/dsk/c0t1d0s0 /data2 && mount /dev/dsk/c0t2d0s0 /data3

7. create entries in Virtual File System Table (/etc/vfstab) file

###How to determine file system associated with device###

1. fstyp /dev/dsk/c0t0d0s0 - returns file system type

2. grep mount point from /etc/vfstab - returns matching line - grep /var /etc/vfstab

3. cat /etc/mnttab - displays currently mounted file system

###Temporary File System (TEMPFS) Implementation###
TempFS provides in-memory (RAM), very fast, storage and boosts application performance

Steps:

1. Determine available memory and the amount you can spare for TEMPFS

-prtconf - allocate 100MB

2. Execute mount command:

mkdir /tempdata && chmod 777 /tempdata && mount -F tmpfs -osize=100m swap /tempdata

Note: TEMPFS data does NOT persist/survive across reboots
Note: TEMPFS data is lost when the following occurs:

1. TEMPFS mount point is unmounted: i.e. umount /tempdata

2. System reboot

Modify /etc/vfstab to include the TEMPFS mount point for reboots

swap - /tempdata tmpfs - yes -

###Swap File/Partition Creation###
swap -l | -s - to display swap information

mkfile size location_of_file - to create swap file
mkfile 512m /data2/swap2

swap -a /data2/swap2 - activates swap file

To remove swap file:

swap -d /data2/swap2 - removes swap space from kernel. does NOT remove file
rm -rf /data2/swap2

###Swap Partition Creation###
format - select disk - partition - select slice/modify
swap -a /dev/dsk/c0t2d0s1

Modify /etc/vfstab

Volume Management - Notes

Solaris' Volume Management permits the creation of 5 object types:

1. Volumes (RAID 0 (concatenation or stripe) / 1 (mirroring) / 5 (striping with parity))

2. Soft partitions - permits the creation of very large storage devices

3. Hot spare pools - facilitates provisioning of spare storage for use when a RAID-1/5 volume has failed i.e. MIRROR
  -DISK1
  -DISK2
  -DISK3 - spare

4. State database replica - MUST be created prior to volumes - Contains configuration & status of ALL managed objects (volumes/hot spare pools/Soft partitions/etc.)

5. Disk sets - used when clustering Solaris in failover mode

Note: Volume Management facilitates the creation of virtual disks
Note: Virtual disks are accessible via: /dev/md/dsk & /dev/md/rdsk
Rules regarding Volumes:

1. State database replicas are required

2. Volumes can be created using dedicated slices

3. Volumes can be created on slices with state database replicas

4. Volumes created by volume manager CANNOT be managed using 'format', however, can be managed using CLI-tools (metadb, metainit) and GUI tool (SMC)

5. You may use tools such as 'mkfs', 'newfs', 'growfs'

6. You may grow volumes using 'growfs'

###State Database Replicas###
Note: At least 3 replicas are required for a consistent, functional, multi-user Solaris system.

3 - yields at least 2 replicas in the event of a failure

Note: if replicas are on same slice or media and are lost, then Volume Management will fail, causing loss of data.
Note: place replicas on as many distinct controllers/disks as possible

Note: Max of 50 replicas per disk set

Note: Volume Management relies upon the Majority Consensus Algorithm (MCA) to determine the consistency of the volume information

3 replicas: half = 1.5, rounded down = 1, +1 = 2 replicas needed for a majority (MCA = half + 1)

Note: try to create an even amount of replicas

4 replicas: half = 2, +1 = 3 replicas needed for a majority

State database replica is approximately 4MB by default - for local storage

Rules regarding storage location of state database replicas:

1. dedicated partition/slice - c0t1d0s3

2. local partition that is to be used in a volume(RAID 0/1/5)

3. UFS logging devices

4. '/', '/usr', 'swap', and other UFS partitions CANNOT be used to store state database replicas

###Configure slices to accommodate State Database Replicas###
c0t1d0s0 - c0t2d0s0 - RAID 0 (STRIPE) - 60GB

###Create RAID 0 (STRIPE) - NOT REDUNDANT###
c0t1d0s0 - c0t2d0s0 - RAID 0 (STRIPE) - 60GB - /dev/md/dsk/d0
Note: Volumes can be created using slices from a single or multiple disks
Note: State database replicas serve for ALL volumes managed by Volume Manager

Note: RAID 0 Concatenation - exhausts DISK1 before writing to DISK2
Note: RAID 0 Stripe - distributes data evenly across members
Note: Use the same size slices when using RAID0 with Striping

Note: after defining volume, create file system
newfs /dev/md/rdsk/d0

###Suggested layout for creating volumes using volume manager###
SERVER
  -DISK0 - SYSTEM DISK
  VOLUME MANAGE SECONDARY DISKS
  -DISK1 - SECONDARY DISK
  -DISK2 - SECONDARY DISK

###RAID-1 Configuration###
Note: RAID-1 relies upon submirrors or existing RAID-0 volumes
c0t1d0s0 - /dev/md/dsk/d0
c0t2d0s0 - /dev/md/dsk/d1
/dev/md/dsk/d2 - the mirror
d0 - source sub-mirror
d1 - destination sub-mirror

Create file system on mirrored volume '/dev/md/dsk/d2'
newfs /dev/md/rdsk/d2

###RAID-5 Configuration###
Steps:

1. Ensure that 3 components(slices/disks) are available for configuration

2. Ensure that components are identical in size

Slices for RAID-5:
c0t1d0s0 - 10GB
c0t1d0s0 - 10GB
c0t2d0s0 - 10GB

/dev/md/dsk/d0 = RAID-5 = 20GB

Note: You may attach components to RAID-5 volume, but they will not store parity information, however, their data will be protected.

###Using growfs to extend volumes###
growfs extends mounted/unmounted volumes(UFS/ZFS)

Steps to grow a mounted/unmounted file system:

1. Find free slice(s) to add as component(s) to volume using SMC or metattach CLI

2. Add component slice - wait for initialization(concatenation) to complete

3. execute 'growfs -M /d0 /dev/md/rdsk/d0'

Note: Once you've extended a volume, you CANNOT decrease it in size.
Note: Concatenation of RAID-1/5 volumes yields an untrue RAID-1/5 volume.

SLICE1
SLICE2
SLICE3
SLICE4 - Concatenated - NOT a true RAID-1/5 member (no parity is stored)

Note: When extending RAID-1 volumes, extend each sub-mirror first, and then Solaris will automatically extend the RAID-1 volume. Then run 'growfs.'

###Soft Partitions###

1. Provides an abstracted, extensible partition object

2. Permits virtually unlimited segmentation of disk

c0t1d0 - s0-9 (0-7 except 2, usable)

3. Permits creation of partitions on top of 1 or more slices

Steps:

1. Clean up partitions on existing disks: c0t1d0 & c0t2d0

File Transfer Protocol Daemon (FTPD) Implementation - Notes

wu-ftpd FTPD binds to TCP port 21 and is running by default
SMF controls service configuration
svcs -l ftp - returns configuration

pkginfo -x | grep -i ftp - returns SUNWftpu|r packages

SUNWftpu - includes useful user packages
- ftpcount - dumps count per class
- ftpwho - returns connected users & process information
- ftpconfig - used to setup anonymous/guest FTP

SUNWftpr - includes server-side configuration files /etc/ftpd

- ftpaccess - primary configuration file for wu-ftpd

- ftphosts - allow|deny access to users from hosts

- ftpservers - allows admin to define virtual hosts

- ftpusers - users listed may NOT access the server via FTP

- ftpconversions - facilitates tar, compress, gzip support

wu-ftpd supports both types of FTP connections:

1. PORT - Active FTP

- Client -> TCP:21(Server-Control-Connection)

- Client executes 'ls' -> results in server initiating a connection back to the client usually on TCP:20(ftp-data)

2. PASV - Passive FTP

- Client -> TCP:21(Server-Control-Connection)

- Client executes 'ls' -> results in server opening a high-port and instructing the client to source(initiate) a connection to the server.

- Client sources data connection to high-port on server

###Anonymous FTP configuration###
use 'ftpconfig' to provision anonymous access
Note: Guest connections are jailed using chroot()

###FTPD Class Support###

Facilitates the grouping of users for the purpose of assigning directives
3 Default Classes:

1. realusers - CAN login using shell(SSH/Telnet) - CAN browse the entire directory tree

2. guestusers - Temporary users - see chrooted environment

3. anonusers - General public - primarily for download capability

###Guest User Support###
Jailed/chrooted environment

Steps:

1. useradd -d /home/guests/unixcbt4 -s /bin/true unixcbt4

2. mkdir /export/home/guests/unixcbt4

3. chown unixcbt4 /export/home/guests/unixcbt4

4. ftpconfig -d /export/home/guests/unixcbt4 - sets up chrooted environment

5. update /etc/ftpd/ftpaccess - add to config file: guestuser unixcbt4

Note: Guest users are similar to real users except guest users are chrooted/jailed.

###Virtual Hosts###

wu-ftpd - supports 2 forms of virtual hosts:

1. Limited - relies upon primary config files /etc/ftpd/{ftpaccess,ftpusers}

Admin. may define unique attributes including the following:

a. banner

b. logfile

c. hostname

d. email

e. distinct IP address

2. Full - relies upon distinct config files in specified directory

a. offers everything included with limited virtual hosts mode

b. also adds distinct config files

c. Note: Full-mode will use default config files in /etc/ftpd if the full virtual hosts instance is unable to find a distinct file.

###Limited Virtual Hosts Configuration###
/etc/ftpd/ftpaccess:
virtual 192.168.1.51 root /var/ftp2
virtual 192.168.1.51 hostname linuxcbtdb1.linuxcbt.internal
virtual 192.168.1.51 banner /var/ftp2/.welcome_message.msg
virtual 192.168.1.51 logfile /var/log/ftp2/xferlog
virtual 192.168.1.51 allow unixcbt3

Note: Virtual hosts do not allow real & guest users access by default

###Full Virtual Hosts Configuration###
/etc/ftpd/ftpservers - format: address configuration_directory

192.168.1.51 /etc/ftpd/ftp2

192.168.1.52 /etc/ftpd/ftp3

GNU Privacy Guard (GPG) - Notes

Features:

1. Public key pair generation & maintenance for all users on system. Keys are stored in ~/.gnupg

2. Encrypt/Decrypt files - based on communication partner's public key

3. Encrypt/Decrypt E-mails - based on recipient's public key

4. Generate/Manage digital signatures(means of proving identity)

###Install GPG###

1. www.sunfreeware.com

2. gunzip gnupg-1.2.6-sol10-intel-local.gz && pkgadd -d gnupg-1.2.6-sol10-intel-local

Note: GPG manages by default, 2 key chains:

1. Public - your public key, and potentially others
   a. use 'gpg --list-keys' to enumerate public keys

2. Private - your private key(s)

Note: gpg uses recipient's public key to encrypt communications(e-mail/files)

###Create Public/Private Key-Pair###
gpg --gen-key
Note: 'gpg --gen-key' functions similarly to 'ssh-keygen' utility
Note: passphrase is associated with 'private key' of pub/priv pair

Note: GPG is compatible with PGP

###Import other's public keys###

MySQL Implementation - Notes

Included with the Software Companion DVD

pkginfo -x | grep -i mysql

Note: Current version of MySQL is NOT managed by SMF

Steps to Initialization of MySQL:

1. /usr/sfw/bin/mysql_install_db - initializes default DBs & tables
   /usr/sfw/bin/mysqladmin -u root password 'abc123'

2. groupadd mysql && useradd -g mysql mysql && echo $?

3. chgrp -R mysql /var/mysql && chmod -R 770 /var/mysql && echo $?

4. installf SUNWmysqlr /var/mysql d 770 root mysql

5. cp /usr/sfw/share/mysql/my-medium.cnf /etc/my.cnf (global configuration)

6. /usr/sfw/sbin/mysqld_safe --user=mysql & - starts MySQL

7. link the startup script into the rc directories:

ln /etc/sfw/mysql/mysql.server /etc/rc3.d/S99mysql
ln /etc/sfw/mysql/mysql.server /etc/rc0.d/K00mysql
ln /etc/sfw/mysql/mysql.server /etc/rc1.d/K00mysql
ln /etc/sfw/mysql/mysql.server /etc/rc2.d/K00mysql
ln /etc/sfw/mysql/mysql.server /etc/rcS.d/K00mysql

Note: MyISAM Tables usually contain at least 3 files:

1. .MYI - Index file

2. .MYD - Data File

3. .FRM - Form file(Describes Table Structure)

Note: Client options specified on the command-line override all other instances of the option. Order of options/directives to be processed usually resembles the following:

1. /etc/my.cnf - global config file

2. /var/mysql/my.cnf - data-server specific config file

3. ~/my.cnf - user-specific config file

4. command line options

Note: Drop test database using the following syntax: 'drop database test;'

Note: You CANNOT drop the 'mysql' database because it contains the following critical information:

1. list of databases to manage

2. user table

3. privileges table

Note: MySQL creates 2 default users: 'root & anonymous'
Note: The anonymous user matches all unmatched users

Create MySQL User using the following command:

grant all privileges on *.* to 'unixcbt'@'localhost' IDENTIFIED BY 'abc123';

Note: After altering privileges, flush them to take effect using:

flush privileges;

NETSTAT - Notes

Lists connections for ALL protocols & address families to and from machine
Address Families (AF) include:

INET - ipv4
INET6 - ipv6
UNIX - Unix Domain Sockets(Solaris/FreeBSD/Linux/etc.)

Protocols Supported in INET/INET6 include:

TCP, IP, ICMP(PING(echo/echo-reply)), IGMP, RAWIP, UDP(DHCP,TFTP,etc.)

Lists routing table
Lists DHCP status for various interfaces
Lists net-to-media table - network to MAC(network card) table

###NETSTAT Usage###
netstat - returns sockets by protocol using /etc/services for lookup
/etc/nsswitch.conf is consulted by netstat to resolve names for IPs

netstat -a - returns ALL protocols for ALL address families (TCP/UDP/UNIX)

netstat -an - -n option disables name resolution of hosts & ports

netstat -i - returns the state of interfaces. pay attention to errors/collisions/queue columns when troubleshooting performance

netstat -m - returns streams(TCP) statistics

netstat -p - returns net-to-media info (MAC/layer-2 info.) i.e. arp

netstat -P protocol (ip|ipv6|icmp|icmpv6|tcp|udp|rawip|raw|igmp) - returns active sockets for selected protocol

netstat -r - returns routing table

netstat -D - returns DHCP configuration (lease duration/renewal/etc.)

netstat -an -f address_family
netstat -an -f inet|inet6|unix
netstat -an -f inet - returns ipv4 only information

netstat -n -f inet
netstat -anf inet -P tcp
netstat -anf inet -P udp

Network Configuration Overview - Notes

2 Modes:

1. Local Files Mode - config is defined statically via key files

2. Network Client Mode - DHCP is used to auto-config interface(s)

Current Dell PE server has 3 NICs:

1. e1000g0 - plumbed (configured for network client mode)

2. iprb0 - unplumbed

3. iprb1 - unplumbed

1-Virtual Mandatory interface lo0 - loopback

Determine physical interfaces using 'dladm show-dev | show-link'
Determine plumbed and loopback interfaces using 'ifconfig -a'

NIC naming within Solaris OS: i.e. e1000g0 - e1000g(driver name) 0(instance)

Layers 2 & 3 info. - ifconfig -a, or ifconfig e1000g0
Layer 1 info. - dladm show-dev | show-link

###Key network configuration files###
svcs -a | grep physical
svcs -a | grep loopback

1. IP Address - /etc/hostname.e1000g0, /etc/hostname.iprb0 | iprb1

2. Domain name - /etc/defaultdomain - linuxcbt.internal

3. Netmask - /etc/inet/netmasks - 192.168.1.0 255.255.255.0

4. Hosts database - /etc/hosts, /etc/inet/hosts - loopback & ALL interfaces

5. Client DNS resolver file - /etc/resolv.conf

6. Default Gateway - /etc/defaultrouter - 192.168.1.1, 172.16.20.1, 10.0.0.1

7. Node name - /etc/nodename

Name service configuration file - /etc/nsswitch.conf

netstat -D - returns DHCP configuration for ALL interfaces
ifconfig -a - returns configuration for ALL interfaces

Reboot system after transitioning from network client(DHCP) mode to local files(Static) mode

mv dhcp.e1000g0 to some other name or remove the file so that the DHCP agent is NOT invoked

echo "linuxcbtsun1" > /etc/nodename

###Plumb/enable the iprb0 100Mb/s interface###
Plumbing interfaces is analogous to enabling interfaces

Note: 172.16.20.11 is a Linux host waiting to communicate with iprb0 interface
Steps:

1. ifconfig iprb0 plumb up - this will enable iprb0 interface

2. ifconfig iprb0 172.16.20.10 netmask 255.255.255.0 - this will enable layer-3 IPv4 address

Steps to Unplumb an interface:

###Ensure that newly-plumbed interface settings persist across reboots###
Steps include updating/creating the following files:

1. echo "172.16.20.10" > /etc/hostname.iprb0

2. create entry in /etc/hosts - 172.16.20.10 linuxcbtsun1

3. echo "172.16.20.0 255.255.255.0" >> /etc/inet/netmasks

Note: To down interface, execute:

ifconfig interface_name down
ifconfig iprb0 down && ifconfig iprb0

###Sub-interfaces/Logical Interfaces###
e1000g0(physical interface)
  - 192.168.1.50(Primary Apache website)
  - 192.168.1.51(Secondary Apache website)
  - 192.168.1.52(Used for SSH)
iprb0 - 172.16.20.10
iprb1

Use 'ifconfig interface_name addif ip_address <netmask>'
ifconfig e1000g0 addif 192.168.1.51 (RFC-1918 - defaults /24)

Note: This will automatically create an 'e1000g0:1' logical interface
Note: Solaris places new logical interface in DOWN mode by default
Note: use 'ifconfig e1000g0:1 up' to bring the interface up

Note: logical/sub-interfaces are contingent upon physical interfaces
Note: if physical interface is down, so will be the logical interface(s)
Note: connections are sourced using IP address of physical interface

###Save logical/sub-interface configuration for persistence across reboots###

1. gedit /etc/hostname.e1000g0:1 - 192.168.1.51

2. gedit /etc/hostname.e1000g0:2 - 192.168.1.52

3. Optionally update /etc/hosts - /etc/inet/hosts

4. Optionally update /etc/inet/netmasks - when subnetting

Note: To remove logical interface execute the following:

ifconfig physical_interface_name removeif ip_address
ifconfig iprb0 removeif 172.16.20.20

###/etc/nsswitch.conf - name service configuration information###
functions as a policy/rules file for various resolution:

1. DNS

2. passwd(/etc/passwd,/etc/shadow),group(/etc/group)

3. protocols(/etc/inet/protocols)

4. ethers or mac-to-IP mappings

5. hosts - where to look for hostname resolution: files(/etc/hosts) dns(/etc/resolv.conf)

Network File System(NFS) - Notes

Implemented by most if not all nix-type OSs(Solaris/AIX/Linux/FreeBSD)
NFS seamlessly mounts remote file systems locally

NFS Components include:

1. NFS Client (mount(temporary access), /etc/vfstab)

2. NFS Server

3. AutoFS

NFS versions 3 & higher support large files (>2GB)

NFS Major versions:

2 - original

3 - improved upon version 2

4 - current version

Note: Solaris 10 simultaneously supports ALL NFS versions
/etc/default/nfs - contains defaults for NFS server & client

Note: client->server NFS connection involves negotiation of NFS version to use

###Steps for mounting remote file systems###

1. ensure that a local mount point exists & is empty

Note: local mount points with files and/or directories will be unavailable while a remote file system is locally-mounted

2. ensure that NFS server is available and sharing directories

3. mount locally the remote file system.
mount -F nfs -o ro linuxcbtmedia:/tempnfs1 /tempnfs1
Note: use 'man mount' to determine mount options for various FSs

4. setup persistent mounts in /etc/vfstab file

###Steps for sharing local file systems locations###

1. ensure that NFS is running

svcs -a | grep -i nfs
Note: you may enable the NFS server and update share information independently

Start using: svcadm enable svc:network/nfs/server
Note: NFS Server will NOT start if there are NO directories to share

2. share -F nfs -d test_share /tempnfssun1 - exports for current session. Does NOT persist across reboots

3. Configure NFS sharing for persistence, using share command

share -F nfs -d test_share /tempnfssun1
shareall

Note: consult 'man share_nfs' for permissions info.

AutoFS - Notes

Features:

1. Just-in-time mounting of file systems

2. Controlled by 'automountd' daemon

3. Managed via autofs service

4. References map files to determine file systems to mount

5. Obviates need to distribute root password to non-privileged users

/etc/default/autofs - contains configuration directives for autofs

###AutoFS Maps###
3 Types:

1. Master map - /etc/auto_master

2. Direct map - /etc/auto_direct - facilitates direct mappings

3. Indirect map - /etc/auto_* - referenced from /etc/auto_master

###/etc/auto_master###
Note: /etc/auto_master is always read by autofs(automountd daemon)
/etc/nsswitch.conf - used to determine lookup location for automount

-hosts - references hosts defined in /etc/hosts & the hosts MUST export shares using NFS

Note: changes to /etc/auto_master(primary autofs policy file) usually requires a service restart: svcadm restart autofs

Note: AutoFS defaults to permitting client to browse potential mount points

###Direct mapping example###
Note: Direct mappings seamlessly merge remote exports with local directories
Steps:

1. create auto_direct mapping in /etc/auto_master:

/- auto_direct -vers=3

Network Mapper Nmap - Notes

Performs network reconnaissance/vulnerability testing

www.insecure.org

Compilation Instructions:

1. export PATH=$PATH:/usr/ccs/bin

2. ./configure

3. make || gmake

4. gmake install - copies nmap to /usr/local/bin

Note: nmap can be run by any user on the system, however, only root, may perform more dangerous functions. i.e. SYN-based scans

###Check ports of hosts###
nmap -v 192.168.1.102 as root, causes a SYN-based scan to occur:

SYN -> SYN-ACK -> Termination - SYN-based scan (root)
SYN -> SYN-ACK -> ACK - TCP-based scan performed by normal users

Nmap can export to the following file types:

1. Normal

2. XML

3. Greppable

Network Time Protocol (NTP) - Notes

Synchronizes the local system and can be configured to synch any NTP-aware host

Hierarchical in design - 1 through 16 strata

Lower stratum values are more accurate time sources

Stratum 1 servers are connected to external, more accurate time sources such as GPS

Note: Less latency usually results in more accurate time

External Time Source (GPS/Radio/etc.)
  -> NTP Stratum 1
     -> NTP Stratum 2 - Solaris Client/Server
        -> ...

Note: A Solaris 10 NTP system can be both client & server

Note: configure NTP clients to synch to 3 or more clocks(time sources)

###Client configuration###

xntpd or the ntp service searches for /etc/inet/ntp.conf

Note: NTP uses UDP 123 in source & destination ports

ntpdate ntp_server - one-off synchronization of the local clock

Note: ntpdate does NOT update the local clock if xntpd is running locally

rdate - relies upon older time service

ntpq - NTP query utility, runs interactively & non-interactively

ntpq -np - lists peers without name resolution - non-interactive invocation

ntpq - invokes interactive mode

ntptrace - traces path to time source

ntpq - queries local or remote NTP servers

ntptrace - traces path to external time source

ntpdate - updates local clock

/etc/inet/ntp.conf - (server server_ip)

svcadm enable ntp - starts NTP (Server and/or Client)

NTP Pool Site: www.pool.ntp.org (Derive NTP public servers from their lists)
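Added example, not from the UnixCBT notes: once the ntp service is enabled, 'ntpq -np' is the check that tells you whether the client actually synchronized. The script below parses constructed 'ntpq -np' output (not captured from a real host) and reports the selected system peer (the line marked '*'), rejects a stratum-16 peer, and confirms that the number of reachable sources (non-zero "reach" column) meets the three-clock minimum the notes recommend.

```shell
#!/bin/sh
# Added example, not from the UnixCBT notes: parse "ntpq -np" output to
# confirm the client is synchronised (a "*" system peer), that the chosen
# peer's stratum is sane, and that at least MIN sources are reachable, as
# the notes recommend. The ntpq output below is constructed for the example.

# ntp_sys_peer NTPQ_OUTPUT_FILE -> "address stratum" of the "*" peer, or nothing
ntp_sys_peer() {
    awk '/^\*/ { sub(/^\*/, "", $1); print $1, $3 }' "$1"
}

# ntp_reachable_sources NTPQ_OUTPUT_FILE -> count of peers with non-zero reach
ntp_reachable_sources() {
    # Skip the two header lines; column 7 is the octal "reach" shift register,
    # zero meaning none of the last eight polls were answered.
    awk 'NR > 2 && $7 != 0 { n++ } END { print n + 0 }' "$1"
}

# ntp_health NTPQ_OUTPUT_FILE MIN_SOURCES -> 0 if healthy, 1 with a reason otherwise
ntp_health() {
    peer=$(ntp_sys_peer "$1")
    if [ -z "$peer" ]; then echo "no system peer selected (not synchronised)"; return 1; fi
    stratum=${peer#* }
    if [ "$stratum" -ge 16 ]; then echo "system peer is unsynchronised (stratum 16)"; return 1; fi
    n=$(ntp_reachable_sources "$1")
    if [ "$n" -lt "$2" ]; then echo "only $n reachable source(s), want at least $2"; return 1; fi
    echo "synchronised to ${peer% *} (stratum $stratum), $n reachable sources"
}

# Constructed samples: a healthy client and one whose only source never answered.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.1     .GPS.            1 u   34   64  377    0.412   -0.113   0.051
+192.168.1.2     192.168.1.1      2 u   20   64  377    0.601    0.220   0.094
+192.168.1.3     192.168.1.1      2 u   55   64  377    0.587    0.118   0.081
 192.168.1.4     .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
cat > "$bad" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.1.1     .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF

ntp_health "$good" 3
ntp_health "$bad" 3 || echo "(expected failure on the second sample)"
```

On a live system feed it with 'ntpq -np > /tmp/peers' and call ntp_health on that file; the "*" marker only appears after several poll intervals, so a fresh 'svcadm enable ntp' legitimately fails this check for the first few minutes.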

Quota Implementation & Management - Notes

Features:

Soft Limits - function as stage-1 or warning stage

- if user exceeds soft limit, a timer is started (default 7 days)

e.g. 100MB - if the user is still over the soft limit when the timer expires, the soft limit is enforced as a hard limit

Hard Limits - function as a storage ceiling - CANNOT be exceeded

- if user meets hard limit, system will not allocate additional storage

File-system perspective of quotas:

2 objects are monitored:

1. BLOCKS

2. INODES

FILE(test.txt) -> 1-INODE -> 1-or-more Data BLOCKS(default 1K)

Quota Tools:

1. edquota - facilitates the creation of quotas for users

2. quotacheck - checks for consistency in usage and quota policy

3. quotaon - enables quotas on file system

4. repquota - displays quota information

###Steps to enable quota support###

1. modify /etc/vfstab - enable quotas per file system "Mount Options" column - 'rq'

2. create empty 'quotas' file in root of desired file system:

touch /export/home/quotas && chmod 600 /export/home/quotas

3. edquota unixcbt

edquota -p unixcbt unixcbt2 unixcbt3 unixcbt4 - copies unixcbt's quota policy to users unixcbt2,3,4

4. quotacheck -va

5. quota -v unixcbt

6. quotaon -v /dev/dsk/c0t0d0s7 - enables quota support
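Added example, not from the UnixCBT notes: steps 1 and 2 above are the error-prone ones (a wrong column in /etc/vfstab, or a quotas file that is world-readable). The script below performs both on a constructed vfstab copy and a temporary directory, so it can be run anywhere: it sets 'rq' in the 7th (mount options) column of the requested ufs entry, appending to existing options where present, and creates the empty, mode-0600 quotas file. The device names, mount points and file contents are sample values.

```shell
#!/bin/sh
# Added example, not from the UnixCBT notes: add the 'rq' mount option to a
# chosen ufs file system in a copy of /etc/vfstab (step 1 of the notes) and
# prepare the empty, mode-0600 'quotas' file (step 2), then verify both.
# Paths are sample values; the vfstab content is constructed here.

# vfstab_enable_quota VFSTAB_FILE MOUNT_POINT
# Rewrites the 7-column vfstab entry for MOUNT_POINT so its mount-options
# column contains 'rq' ('-' becomes 'rq'; existing options get ',rq').
vfstab_enable_quota() {
    tmp=$(mktemp)
    awk -v mp="$2" '
        /^#/ || NF != 7 { print; next }              # comments and malformed lines untouched
        $3 == mp && $4 == "ufs" {
            if ($7 == "-")                      $7 = "rq"
            else if ($7 !~ /(^|,)rq(,|$)/)      $7 = $7 ",rq"   # idempotent
        }
        { print $1 "\t" $2 "\t" $3 "\t" $4 "\t" $5 "\t" $6 "\t" $7 }' "$1" > "$tmp" \
        && cat "$tmp" > "$1"                         # keep the original inode and mode
    rm -f "$tmp"
}

# vfstab_mount_options VFSTAB_FILE MOUNT_POINT -> the options column for MOUNT_POINT
vfstab_mount_options() {
    awk -v mp="$2" '!/^#/ && NF == 7 && $3 == mp { print $7 }' "$1"
}

# quotas_file_ready DIR -> creates DIR/quotas empty with mode 0600 and verifies it
quotas_file_ready() {
    touch "$1/quotas" && chmod 600 "$1/quotas" || return 1
    # ls -l is used for the check because stat(1) differs between Solaris and Linux
    [ -f "$1/quotas" ] && ls -l "$1/quotas" | grep -q '^-rw-------'
}

# Constructed vfstab with the home slice from the notes and a second slice
# that already carries an option.
vf=$(mktemp)
cat > "$vf" <<'EOF'
#device         device          mount           FS      fsck    mount   mount
#to mount       to fsck         point           type    pass    at boot options
#
fd      -       /dev/fd fd      -       no      -
/proc   -       /proc   proc    -       no      -
/dev/dsk/c0t0d0s1       -       -       swap    -       no      -
/dev/dsk/c0t0d0s0       /dev/rdsk/c0t0d0s0      /       ufs     1       no      -
/dev/dsk/c0t0d0s7       /dev/rdsk/c0t0d0s7      /export/home    ufs     2       yes     -
/dev/dsk/c0t1d0s0       /dev/rdsk/c0t1d0s0      /data   ufs     2       yes     logging
EOF

vfstab_enable_quota "$vf" /export/home
vfstab_enable_quota "$vf" /data
cat "$vf"
home=$(mktemp -d)
quotas_file_ready "$home" && ls -l "$home/quotas"
```

The option takes effect at the next mount, so after editing the real file the notes' steps 4 to 6 (quotacheck, quota, quotaon) still follow; quotacheck -va will refuse to run against a file system whose vfstab entry lacks 'rq'.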

Samba – Windows Integration - Notes

Integrates Unix-type systems with Windows. SMB (139)/CIFS (445) - 2 protocols used to communicate with Windows/Samba servers

Key Client Utilities:

1. smbtree - network neighborhood text utility. It enumerates workgroups, hosts & shares

smbtree -b - relies upon broadcasts for resolving workgroups/hosts

smbtree -D - echoes discovered workgroups using broadcasts/master browser

2. smbclient - provides an FTP-like interface to SMB/CIFS servers

smbclient service_name (//LINUXCBTWIN1/LinuxCBT)

Note: Most, if not all, Samba clients operate in case-insensitive mode

smbclient //linuxcbtwin1/linuxcbt

Note: when in smbclient interactive mode, prefix commands with '!' to execute locally on the client; otherwise commands run on the server

smbclient -L linuxcbtwin1 - enumerates the shares on the server

smbclient -A ./.smbpaswd //linuxcbtwin1/solaris10 - reads credentials from the named file

.smbpaswd contents:

username=unixcbt

password=abc123

Note: the credentials file holds a cleartext password; keep it mode 600 and owned by the user running smbclient

3. smbtar - facilitates backups of remote shares

smbtar -s linuxcbtwin1 -x solaris10 -t solaris10.tar - backup

smbtar -s linuxcbtwin1 -x solaris10 -r -t solaris10.tar - restore

Remote Desktop Installation - Notes

Requirements - www.sunfreeware.com:

1. libiconv

2. libgcc 3.3.2 or higher

3. libopenssl 0.9.7

4. rdesktop-1.4.1

Features: rdesktop supports Remote Desktop Protocol (RDP) versions 4 & 5. Connects to:

1. Windows XP - RDP-5

2. Windows 2000 - RDP-5

3. Windows 2003 - RDP-5

4. Windows NT Server 4 - Terminal Services Edition - RDP-4

###usage###

rdesktop -g 700x500 -a 16 server_name(192.168.1.102)

Samba Server Configuration - Notes

/etc/sfw/smb.conf-example - modify & save as /etc/sfw/smb.conf

smb.conf - is the main configuration file for the Samba server, and many of the Samba clients also read key directives from it.

Features:

1. File & Print sharing

2. Implemented as 2 daemons (smbd & nmbd)

smbd - file & print sharing - connections based on SMB/CIFS protocols

SMB - TCP 139

CIFS - TCP 445

nmbd - handles NETBIOS names using primarily UDP connectivity (UDP 137 & 138)

Browse list (acts as master browser or derives current list from master browser)

Names of servers - derived using broadcast or WINS

3. Legacy service - does not currently benefit from SMF

4. Service is located in: /etc/init.d & referenced via run-levels

5. Configuration changes to /etc/sfw/smb.conf are read automatically

###Samba Security Modes###

Default = security = user - relies upon local Unix accounts database & Samba database to grant or deny access to shared resources

1. /etc/passwd

2. /etc/sfw/smbpasswd - handles translation of Windows auth to Unix auth

3. /etc/sfw/smbusers - provides translation between Unix & Windows users

i.e. translation of Windows' 'guest' user to Unix' 'nobody' user

###User Authentication Mode###

Note: NETBIOS names are restricted to 16 characters; however, only 15 characters are configurable

linuxcbtsun1.linuxcbt.internal = FQDN

Note: smbpasswd -a unixcbt - creates permitted Samba users in the /etc/sfw/private/smbpasswd file - otherwise, access will be denied

###Samba Web Administration Tool (SWAT)###

Steps to enable SWAT:

1. create an /etc/services entry for SWAT - TCP:901

2. create an /etc/inetd.conf entry for SWAT:

swat stream tcp nowait root /usr/sfw/sbin/swat swat

3. Convert the inetd entry for SWAT to SMF using 'inetconv'

System Security Overview - Notes

/var/adm/sulog - houses SU attempts

Format: SU TIMESTAMP +|- TTY from-to

SU 06/17 11:13 + pts/4 root-unixcbt

/var/adm/loginlog - Does NOT exist by default

Note: houses failed logins after the threshold (default of 5) is reached

touch /var/adm/loginlog

/etc/default/login - login defaults, including the failed-login threshold

logins command

logins -x -l unixcbt - returns info. from /etc/{passwd,shadow}

logins -p - lists users without passwords

###Password Generation Encryption Algorithm###

Note: Default in Solaris 10 is UNIX, legacy encryption - the weakest

/etc/security/policy.conf - man policy.conf(4)

Note: password encryption changes take effect at user's next password change
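Added example, not from the UnixCBT notes: /var/adm/sulog in the format shown above is the first file an auditor reviews, and the two questions are "who failed to become root" and "who succeeded". The script below answers both over constructed sulog lines (the same SU date time +|- tty from-to layout as the sample entry, with made-up users and times) and counts failures per originating user, which is the number a threshold alert would be built on.

```shell
#!/bin/sh
# Added example, not from the UnixCBT notes: summarise /var/adm/sulog
# entries, reporting failed "su" attempts and every successful switch to
# root. The sulog lines are constructed for this example and follow the
# format the notes show: SU date time +|- tty from-to.

# su_failures SULOG -> "date time tty from-to" for each failed attempt
su_failures() {
    awk '$1 == "SU" && $4 == "-" { print $2, $3, $5, $6 }' "$1"
}

# su_to_root SULOG -> "date time tty from" for each successful switch to root
su_to_root() {
    awk '$1 == "SU" && $4 == "+" {
            split($6, u, "-")            # from-to
            if (u[2] == "root") print $2, $3, $5, u[1]
         }' "$1"
}

# su_failure_count SULOG USER -> number of failed attempts originating from USER
su_failure_count() {
    awk -v who="$2" '$1 == "SU" && $4 == "-" { split($6, u, "-"); if (u[1] == who) n++ }
                     END { print n + 0 }' "$1"
}

# Constructed sulog: root dropping to a user, two failed and one successful
# attempt by unixcbt to become root, and a console su by another user.
sulog=$(mktemp)
cat > "$sulog" <<'EOF'
SU 06/17 11:13 + pts/4 root-unixcbt
SU 06/17 11:20 - pts/5 unixcbt-root
SU 06/17 11:21 - pts/5 unixcbt-root
SU 06/17 11:22 + pts/5 unixcbt-root
SU 06/18 09:02 + console unixcbt2-root
EOF

echo "failed su attempts:";    su_failures "$sulog"
echo "successful su to root:"; su_to_root "$sulog"
echo "failures by unixcbt: $(su_failure_count "$sulog" unixcbt)"
```

Because sulog only records the month and day, a scheduled run should process the file incrementally (for example by line count since the last run) rather than re-alerting on the whole history; logadm, described later in these notes, rotates it.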

Sendmail MTA Features - Notes

Default configuration runs Sendmail as 2 daemons:

1. queue runner - submits jobs into queue(PHP script/mailx/sendmail/etc.)

a. it runs as a non-privileged user called 'smmsp'

b. places messages into queue directory: /var/spool/mqueue

c. mailq command dumps the current status of the queue(s)

2. MTA mode - message delivery to local/remote recipients

a. it runs as root - to bind to well-known TCP:25

Note: Sendmail works with SMF

svcadm restart sendmail

svcs -l sendmail

Typical Mail Components in distributed mail environments:

1. MTA - Message Transfer Agent (Sendmail/Postfix/qmail)

2. MUA - Mail User Agent (mail, mutt, mailx, MS Outlook, Eudora, etc.)

3. MDA - Mail Delivery Agent (mail.local, procmail, etc.)

Config files:

1. /etc/mail/sendmail.cf - primary config file for Sendmail MTA

2. /etc/mail/submit.cf - primary config file for Sendmail MSP (smmsp)

Config files macros using m4 language:

1. /etc/mail/cf/cf/sendmail.mc

2. /etc/mail/cf/cf/submit.mc

Note: Sendmail does NOT understand m4 files. Use m4 to generate updated .cf files if necessary

###/etc/aliases - used for local mail delivery###

Contains key aliases for 'postmaster' & system daemons

unixcbt:unixcbt@linuxcbtsun1

unixcbt@localhost

unixcbt@linuxcbtsun1

unixcbt@linuxcbtsun1.linuxcbt.internal

/etc/mail/local-host-names:

unixcbt.internal

unixcbt@linuxcbtsun1.unixcbt.internal

newaliases - generates updated DB for aliases

###per-user mail###

1. Sendmail stores mail using the older mbox format, which stores all of a user's mail in 1 potentially huge ASCII text file

2. /var/mail/username - flagged with the STICKY bit

###Mail delivery using local tools###

sendmail is monolithic - 1 program does it all (client/server/MSP/MTA)

sendmail -v unixcbt

Note: MSP submits to: /var/spool/clientmqueue

###Virtual Domains/Users Support###

/etc/mail/relay-domains

/etc/mail/local-host-names:

unixcbt.internal

Virtual Users:

Create: /etc/mail/virtusertable

Populate with mappings: virtual_email_address local_mailbox|remote_email

unixcbt@unixcbt.internal unixcbt

Configure /etc/mail/sendmail.cf via /etc/mail/cf/cf/sendmail.mc

- FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')

makemap hash virtusertable < virtusertable - creates the DB file: /etc/mail/virtusertable.db

###Relay Domains###

/etc/mail/relay-domains - houses domains that sendmail should relay; local and/or remote

linuxcbt.com

192.168.1.100

###IMAP/POP2|3 Support###

Differences between IMAP & POP

1. IMAP stores messages on server

2. POP downloads messages to client

Note: IMAP server must support mbox mail storage format and optionally Maildir mail storage format

Download IMAP2004g from sunfreeware.com

###Configure INETD control of IMAP & POP3 services###

/etc/inetd.conf:

pop3 stream tcp nowait root /usr/local/sbin/ipop3d ipop3d

imap stream tcp nowait root /usr/local/sbin/imapd imapd

Note: use 'inetconv' to convert INETD entries in /etc/inetd.conf to SMF

###Evolution MUA - Connect to POP3 & IMAP Service###

Installed openssl-0.9.8 to support IMAP2004g

Configure Evolution

Note: Retrieving & Sending messages are distinct functions

1. SMTP - Sending

2. IMAP/POP3/MS Exchange/etc. - Retrieval

Snoop – Network Sniffer - Notes

Features:

1. Packet capturing facilities (ALL levels of OSI model, minus physical)

2. Packet playback/replay facility

3. Sniffs on first detected, non-loopback interface - output to STDOUT

4. MUST be executed as root

Note: Try to snoop to an output file as opposed to STDOUT for performance reasons (to minimize packet loss)

snoop

snoop -o snoop1.out - redirects captured traffic to file named 'snoop1.out' and returns a packet count to STDOUT

Note: If connected to a switched environment, MIRROR the traffic to the Sun box in order for traffic to be available to snoop

snoop -i snoop1.out - reads the captured file

Note: snoop captures packets until killed with CTRL-C or the disk runs out of space

snoop -i snoop1.out -p 11573,11577 - extracts packet range 11573-11577

snoop -v -i snoop1.out - VERBOSE (ALL OSI layers, 2-7)

snoop -V -i snoop1.out - SUMMARY (Returns interesting packet payload)

Note: snoop supports Boolean primitives (host, tcp, udp, ip) & Boolean operators (AND, OR, NOT)

snoop -i snoop1.out tcp port 80

Note: snoop -o output_file - captures layers 2-7

snoop -o snoop1.out udp

snoop -o snoop1.out 192.168.1.50 192.168.1.102

###FTP Traffic Snoop###

snoop -o snoop_ftp_traffic.out host 192.168.1.102 linuxcbtsun1 and tcp and port 21

TCPDump – Network Sniffer - Notes

www.tcpdump.org

Packet Capturing - captures packets from network interfaces

Note: 2 major utilities supporting TCPDump's format include:

1. Ethereal - GUI protocol analyzer/Sniffer

2. Snort NIDS - Sniffer/Logger/NIDS

TCPDump supports 3 qualifiers to assist in creating expressions:

1. Type - host|net|port, e.g. host 192.168.1.102

2. Direction - src|dst|src or dst|src and dst

3. Protocol - tcp|udp|ip

Syntax:

tcpdump options expression

tcpdump

tcpdump -D - returns available interfaces

tcpdump -i interface_name - binds to specific interface

tcpdump -q - suppresses some packet header information

tcpdump -n - avoids name resolution - improves performance

Snort Network Intrusion Detection System (NIDS) - Notes

Features:

1. Packet Capturing - libpcap.a(tcpdump.org)

2. Packet Logging - Captures are stored to disk (ASCII/TCPDump Formats)

3. Network Intrusion Detection Mode

Note: Software Companion DVD includes Snort 2.0(older version)

Requirements:

1. libpcap

2. libpcre

###Configuring Snort###

./configure --with-libpcap-libraries=/opt/sfw/lib --with-libpcre-includes=/opt/sfw/include --with-libpcre-libraries=/opt/sfw/lib

Appended to PATH: /usr/sfw/bin:/usr/ccs/bin

make

make install

###Snort as a Sniffer###

snort -v - Dumps packet headers (Layers 3 (IPs) & 4 (Ports) of the OSI Model)

snort -v -i e1000g0

snort -vd -i e1000g0 - Dumps Application Layer (Layer-7 of OSI Model)

snort -ve -i e1000g0 - Dumps data-link layer (Layer-2 of OSI Model)

snort -vde -i e1000g0 - Dumps Layers 2,3,4,7 of OSI Model

###Snort as a Packet Logger###

Note: Identical to sniffer, except data is directed to a file, which improves I/O.

snort -L snortlog.1

Note: Snort defaults to '/var/log/snort' to store the binary log and alert file

snort -L snortlog.1 -l ./log

Note: Snort supports TCPDump's Boolean primitives and operators. Additionally, Snort supports Berkeley Packet Filters (BPFs)

snort options BPFs

SYSLOG Implementation - Notes

Note: Syslog is the default logging handler/router in Solaris

Note: Defaults to UDP:514

Note: Segment your Syslog Host(s) on a distinct subnet, protected by ACLs

pkgchk -lP /usr/sbin/syslogd

Syslog can log to the following locations:

1. remote host

2. local file (Suggested destination because of I/O performance)

3. console

4. specific users

5. *

Note: Syslog processes 3 pieces of information represented by 2 fields:

/etc/syslog.conf - primary configuration file for Syslog

man syslog.conf

1: selector (*.emerg)   2: action (/dev/console)

*.emerg /dev/console

Selector = facility(user).severity_level(debug)

Action = target for log entry (files, console, remote host)

###Syslog Recognized Facilities###

USER, KERN, MAIL (Postfix, Sendmail), DAEMON (programs), AUTH, LPR, NEWS, CRON, AUDIT, LOCAL0-7 (provides 8 usable facilities), MARK, *

### 8 Syslog Recognized Severity Levels###

1. EMERG - yields least output

2. ALERT

3. CRIT

4. ERROR

5. WARNING

6. NOTICE

7. INFO

8. DEBUG - yields most output

Note: restart syslog after changing /etc/syslog.conf

local0.info /var/log/ciscofirewall1.log

touch /var/log/ciscofirewall1.log

svcadm restart system-log
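Added example, not from the UnixCBT notes: the most common reason a new rule such as the local0.info line above silently logs nothing is that the selector and action were separated by spaces, while Solaris syslogd requires a TAB between them. The linter below checks a syslog.conf fragment for that, and for facilities and levels outside the sets listed above, before 'svcadm restart system-log'. The rule files are constructed for the example with printf so the tabs are explicit.

```shell
#!/bin/sh
# Added example, not from the UnixCBT notes: lint a syslog.conf fragment
# before restarting system-log. It checks that each rule uses a TAB between
# selector and action (Solaris syslogd does not accept spaces there) and that
# every facility and level in the selector is one syslogd recognises.
# The rule files below are constructed for this example.

# syslog_conf_check FILE -> 0 if clean, 1 with one message per problem
syslog_conf_check() {
    awk '
        BEGIN {
            n = split("user kern mail daemon auth lpr news cron audit local0 local1 local2 local3 local4 local5 local6 local7 mark *", t, " ")
            for (i = 1; i <= n; i++) fac[t[i]] = 1
            n = split("emerg alert crit err warning notice info debug none", t, " ")
            for (i = 1; i <= n; i++) sev[t[i]] = 1
        }
        function bad(msg) { printf "line %d: %s\n", NR, msg; errors++ }
        /^#/ || /^[ \t]*$/ { next }                      # comments and blank lines
        $0 !~ /\t/ { bad("selector and action must be separated by a TAB"); next }
        {
            split($0, part, "\t")                         # part[1] = selector(s)
            n = split(part[1], sels, ";")                 # several selectors may share one action
            for (i = 1; i <= n; i++) {
                if (split(sels[i], fl, "[.]") != 2) { bad("\"" sels[i] "\" is not facility.level"); continue }
                m = split(fl[1], facs, ",")               # facility list, e.g. kern,mail.crit
                for (j = 1; j <= m; j++) if (!(facs[j] in fac)) bad("unknown facility \"" facs[j] "\"")
                if (!(fl[2] in sev)) bad("unknown level \"" fl[2] "\"")
            }
        }
        END { exit errors ? 1 : 0 }' "$1"
}

# Constructed rule sets: one correct, one with a space-separated rule and a
# misspelt facility.
good=$(mktemp); bad=$(mktemp)
printf '*.emerg\t*\nlocal0.info\t/var/log/ciscofirewall1.log\nkern,mail.crit;auth.notice\t/var/adm/messages\n' > "$good"
cat "$good" > "$bad"
printf 'local1.notice /var/log/app.log\nlocl2.info\t/var/log/x.log\n' >> "$bad"

syslog_conf_check "$good" && echo "good: ok"
syslog_conf_check "$bad" || echo "bad: rejected"
```

The action field is deliberately not validated: it may be a file, '*', '@host', a user list or an m4 ifdef() as in the stock Solaris file, and only syslogd itself can tell whether the target is usable.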

Log Rotation using logadm - Notes

which logadm

pkgchk -lP /usr/sbin/logadm - member of SUNWcsu

logadm is configured to run daily in root's crontab: crontab -l

/etc/logadm.conf - default configuration file

Note: don't memorize all parameters. Execute 'logadm -h'

Note: command-line directives override /etc/logadm.conf directives

Note: logadm preserves 10 backups of log files named logname.0-.9

Note: logadm supports shell wildcards '*', '?'

Zettabyte File System (ZFS) - Notes

Features:

1. 256 quadrillion zettabytes (Terabytes - Petabytes - Exabytes - Zettabytes (1024 Exabytes))

2. RAID-0/1 & RAID-Z(RAID-5 with enhancements) (2-required virtual devices)

3. Snapshots - read-only copies of file systems or volumes

4. Creates volumes

5. Uses storage pools to manage storage - aggregates virtual devices

6. File systems attached to pools grow dynamically as storage is added

7. File systems may span multiple physical disks

8. ZFS is transactional

9. Pools & file systems are auto-mounted. No need to maintain /etc/vfstab

10. Supports file system hierarchies: /pool1/{home(5GB),var(10GB),etc.}

11. Supports reservation of storage: /pool1/{home(10GB),var}

12. Provides a secure web-based management tool - https://localhost:6789/zfs

###ZFS - CLI###

zpool list - lists known pools

zpool create pool_name (alphanumeric, _, -, :, .)

Pool Name Constraints (DO NOT USE THESE NAMES FOR YOUR POOL NAMES):

1. mirror

2. raidz

zpool create pool_name device_name1 device_name2 device_name3 etc.

zpool create pool1 c0t1d0|/dev/dsk/c0t1d0

ZFS Pool Statuses:

1. ONLINE

2. DEGRADED

3. FAULTED

4. OFFLINE

5. UNAVAILABLE

zfs list - returns ZFS dataset info.

zfs mount - returns pools and mount points

zpool status - returns virtual devices that constitute pools

Note: ZFS requires a minimum 128MB virtual device to create a pool

zpool destroy pool1 - Destroys pool and associated file systems

###Create file systems within pool1###

zfs create pool1/home - creates file system named 'home' in pool1

Note: Default action of 'zfs create pool1/home' makes all storage available to 'pool1' available to 'pool1/home'

###Set quota on existing file system###

zfs set quota=10G pool1/home

###Create user-based file system beneath pool1/home###

zfs create pool1/home/unixcbt

Note: ZFS inherits properties from immediate ancestor

zfs get -r compression pool1 - returns compression property for file systems associated with 'pool1'

###Rename File System###

zfs rename pool1/home/unixcbt pool1/home/unixcbt2

###Extending pool storage dynamically###

zpool add pool1 c0t2d0

###ZFS Redundancy/Replication###

1. Mirroring - RAID-1

2. RAID-5 - RAID-Z

Virtual Devices:

1. c0t1d0 - 36GB

2. c0t2d0 - 36GB

Note: Redundancy/Replication is associated directly with the pool

zpool create poolmirror1 mirror c0t1d0 c0t2d0

###ZFS Snapshots###

Features:

1. Read-only copies of volumes or file systems

2. Use no additional space, initially

zfs list -t snapshot - returns available snapshots
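Added example, not from the UnixCBT notes: the pool statuses listed above (ONLINE, DEGRADED, FAULTED, OFFLINE, UNAVAILABLE, which zpool prints as UNAVAIL) are what a monitoring check reads from 'zpool status'. The script below parses constructed status text (shaped like the output for the simple pool and the mirror created above, not captured from a live host) and reports every pool that is not ONLINE together with the virtual devices inside it that are not ONLINE, so the failed side of a mirror can be identified.

```shell
#!/bin/sh
# Added example, not from the UnixCBT notes: parse "zpool status" output and
# report any pool whose state is not ONLINE, listing the virtual devices that
# are DEGRADED, FAULTED, OFFLINE or UNAVAIL so the failing disk in a mirror
# or RAID-Z set can be identified. The status text below is constructed.

# zpool_states STATUS_FILE -> "pool state" per pool
zpool_states() {
    awk '$1 == "pool:" { pool = $2 } $1 == "state:" { print pool, $2 }' "$1"
}

# zpool_bad_vdevs STATUS_FILE -> "pool vdev state" for every vdev not ONLINE
zpool_bad_vdevs() {
    awk '
        $1 == "pool:"   { pool = $2; inconfig = 0 }
        $1 == "config:" { inconfig = 1; next }       # vdev table follows
        $1 == "errors:" { inconfig = 0 }             # vdev table ended
        inconfig && NF >= 2 && $1 != "NAME" && $2 != "ONLINE" { print pool, $1, $2 }
    ' "$1"
}

# zpool_healthy STATUS_FILE -> 0 if every pool is ONLINE, else 1 with a report
zpool_healthy() {
    bad=$(zpool_states "$1" | awk '$2 != "ONLINE"')
    if [ -n "$bad" ]; then
        echo "$bad"
        zpool_bad_vdevs "$1"
        return 1
    fi
    return 0
}

# Constructed status: a healthy single-disk pool and a mirror missing one side.
st=$(mktemp)
cat > "$st" <<'EOF'
  pool: pool1
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        pool1       ONLINE       0     0     0
          c0t1d0    ONLINE       0     0     0

errors: No known data errors

  pool: poolmirror1
 state: DEGRADED
status: One or more devices could not be opened.  Sufficient replicas exist for
        the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
 scrub: none requested
config:

        NAME          STATE     READ WRITE CKSUM
        poolmirror1   DEGRADED     0     0     0
          mirror      DEGRADED     0     0     0
            c0t1d0    ONLINE       0     0     0
            c0t2d0    UNAVAIL      0     0     0  cannot open

errors: No known data errors
EOF

zpool_healthy "$st" || echo "(pool needs attention)"
```

On a live system pipe 'zpool status' into a file and run zpool_healthy on it from cron; the non-zero exit status is the alert condition, and the vdev list tells you which c?t?d? to replace.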

Solaris Zones - Notes

Features:

1. Virtualization - i.e. VMWare

2. Solaris Zones can host only instances of Solaris. Not other OSs.

3. Limit of 8192 zones per Solaris host

4. Primary zone(global) has access to ALL zones

5. Non-global zones, do NOT have access to other non-global zones

6. Default non-global zones derive packages from global zone

7. Program isolation - zone1(Apache), zone2(MySQL)

8. Provides 'z' commands to manage zones: zlogin, zonename, zoneadm,zonecfg

###Features of GLOBAL zone###

1. Solaris ALWAYS boots(cold/warm) to the global zone

2. Knows about ALL hardware devices attached to the system

3. Knows about ALL non-global zones

###Features of NON-GLOBAL zones###

1. Installed at a location on the filesystem of the GLOBAL zone, the 'zone root path'

/export/home/zones/{zone1,zone2,zone3, }

3. Manage distinct hostname and table files

4. Cannot communicate with other non-global zones by default. A NIC must be used, which means using the standard network API (TCP)

5. GLOBAL zone admin. can delegate non-global zone administration

###Zone Configuration###

Use: zonecfg - to configure zones

Note: zonecfg can be run in interactive, non-interactive, or command-file modes

Requirements for non-global zones:

1. hostname

2. zone root path. i.e. /export/home/zones/testzone1

3. IP address - bound to logical or physical interface

Zone Types:

1. Sparse Root Zones - share key files with global zone

2. Whole Root Zones - require more storage

Steps for configuring non-global zone:

1. mkdir /export/home/zones/testzone1 && chmod 700 /export/home/zones/testzone1

2. zonecfg -z testzone1

3. create

4. set zonepath=/export/home/zones/testzone1 - sets root of zone

5. add net ; set address=192.168.1.60

6. set physical=e1000g0

7. (optional) set autoboot=true - testzone1 will be started when system boots

8. (optional) add attr ; set name=comment; set type=string; set value="TestZone1"

9. verify - verifies zone configuration for errors

10. commit - commits the changes

11. Zone Installation - zoneadm -z testzone1 install - places zone 'testzone1' into 'installed' state. NOT ready for production

12. zoneadm -z testzone1 boot - boots the zone, changing its state
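Added example, not from the UnixCBT notes: the same steps in zonecfg's command-file mode, which is the repeatable form. One caveat the interactive transcript above leaves out: 'add net' and 'add attr' open a resource scope that must be closed with 'end' before the next global 'set' (such as autoboot) or the 'verify'. The script prepares the zone root directory with mode 700 (step 1), writes the command file (steps 3 to 10, with the 'end' lines), and checks the file's scope balance; the zone name, path, address and interface are sample values, and nothing here invokes zonecfg or zoneadm.

```shell
#!/bin/sh
# Added example, not from the UnixCBT notes: build a zonecfg command file
# for the "-f" (command-file) mode the notes mention, covering steps 1-10:
# zone root with mode 700, zonepath, network, autoboot, comment, verify,
# commit. "end" closes each resource scope ("add net", "add attr"), which
# zonecfg requires before further global "set" commands. Zone name, paths
# and addresses are sample values; nothing here talks to zonecfg/zoneadm.

# zone_prepare_root PARENT_DIR ZONE -> creates PARENT_DIR/ZONE with mode 700 and prints it
zone_prepare_root() {
    mkdir -p "$1/$2" && chmod 700 "$1/$2" && echo "$1/$2"
}

# zone_cmdfile ZONE ZONEPATH ADDRESS NIC COMMENT -> path of the generated command file
zone_cmdfile() {
    out=$(mktemp)
    cat > "$out" <<EOF
create
set zonepath=$2
set autoboot=true
add net
set address=$3
set physical=$4
end
add attr
set name=comment
set type=string
set value="$5"
end
verify
commit
EOF
    echo "$out"
}

# zone_cmdfile_check FILE -> 0 if every "add" has its "end" and the file
# finishes with "verify" then "commit"; 1 with a message otherwise
zone_cmdfile_check() {
    awk '
        { lines[NR] = $0 }
        $1 == "add" { depth++ }
        $1 == "end" { depth--; if (depth < 0) { print "stray end at line " NR; bad = 1 } }
        END {
            if (depth != 0) { print "unclosed resource scope (missing end)"; bad = 1 }
            if (lines[NR] != "commit" || lines[NR - 1] != "verify") {
                print "file must finish with verify then commit"; bad = 1
            }
            exit bad ? 1 : 0
        }' "$1"
}

# Sample run in a temporary directory standing in for /export/home/zones.
parent=$(mktemp -d)
root=$(zone_prepare_root "$parent" testzone1)
cmdfile=$(zone_cmdfile testzone1 "$root" 192.168.1.60 e1000g0 TestZone1)
zone_cmdfile_check "$cmdfile" && cat "$cmdfile"
```

With a real zone root under /export/home/zones the file is applied with 'zonecfg -z testzone1 -f cmdfile', after which steps 11 and 12 ('zoneadm -z testzone1 install', then 'boot') proceed as in the notes.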

###Zlogin - is used to login to zones###

Note: each non-global zone maintains a console. Use 'zlogin -C zonename' after installing the zone to complete zone configuration

Note: Zlogin permits login to non-global zone via the following:

1. Interactive - i.e. zlogin -l username zonename

2. Non-interactive - zlogin options command

3. Console mode - zlogin -C zonename

4. Safe mode - zlogin -S

zoneadm -z testzone1 reboot - reboots the zone

zlogin testzone1 shutdown