D72965GC30 - Oracle Solaris 11 - Advanced System Administration - SG - Vol 2 - 2013
Oracle Solaris 11 Advanced System Administration
Student Guide - Volume II
D72965GC30
Edition 3.0
March 2013
D81024
Author
Anies Rahman
Rosemary Martinak
Editors
Malavika Jinka
Aju Kumar
Smita Kommini
Graphic Designer
Seema Bopaiah
Publishers
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.
The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.
Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS
The U.S. Government’s rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.
Preface
1 Introduction
Overview 1-2
Course Goals 1-3
Course Agenda: Day 1 1-4
Course Agenda: Day 2 1-5
Course Agenda: Day 3 1-6
Course Agenda: Day 4 1-7
Course Agenda: Day 5 1-8
Introductions 1-9
Your Learning Center 1-10
Your Lab Environment 1-11
2 Managing the Image Packaging System (IPS) and Packages
Objectives 2-2
Workflow Orientation 2-3
Lesson Agenda 2-4
Importance of Working with a Plan 2-5
Planning for IPS and Package Management 2-6
Identifying IPS Server System Requirements 2-7
Planning for Boot Environment Management 2-8
Implementing the IPS and Package Management Plan 2-9
Quiz 2-10
Lesson Agenda 2-12
Configuring a Local IPS Package Repository 2-13
Creating a ZFS File System to Hold the Repository 2-14
Obtaining Software Packages from the Oracle Solaris Download Site 2-15
Making the Repository File Contents Available 2-16
Configuring the Repository Server Service 2-18
Starting the Repository Service 2-19
Setting the Local IPS Publisher 2-20
Testing IPS on the Local Server 2-21
Practice 2-1 Overview: Configuring a Local IPS Package Repository 2-22
Lesson Agenda 2-23
Configuring Network Client Access to the Local IPS Server 2-24
Determining the Client Host and Domain Names 2-25
Checking Network Connectivity 2-26
Setting the Local IPS Publisher 2-27
Testing Client Access to the Local IPS Server 2-28
Unauthorized reproduction or distribution prohibited. Copyright © 2014, Oracle and/or its affiliates.
Practice 2-2 Overview: Configuring Network Client Access to the Local IPS Server 2-29
Lesson Agenda 2-30
Introducing Signed Packages 2-31
Installing Signed Packages 2-32
Identifying Image Properties for Signed Packages 2-33
Configuring Image Properties for Signed Packages 2-35
Identifying Publisher Properties for Signed Packages 2-36
Configuring Publisher Properties for Signed Packages 2-37
Quiz 2-38
Introducing Variants and Facets 2-40
Displaying and Changing Variants and Facets 2-41
Managing Package History 2-42
Lesson Agenda 2-43
Managing Package Publishers 2-44
Displaying Publisher Information 2-45
Specifying Publisher Rankings 2-46
Specifying Publisher Stickiness 2-47
Setting the Publisher Search Order 2-48
Disabling and Enabling a Publisher 2-49
Changing a Publisher Origin URI 2-50
Quiz 2-51
Lesson Agenda 2-53
Managing Multiple Boot Environments 2-54
Listing the Boot Environments on the System 2-55
Mounting an Inactive Boot Environment 2-56
Installing a Package on an Inactive, Mounted Boot Environment 2-57
Uninstalling a Package on an Inactive, Mounted Boot Environment 2-58
Unmounting an Inactive Boot Environment 2-59
Creating a Backup of a Boot Environment 2-60
Creating a Boot Environment from an Existing Backup 2-61
Practice 2-3 Overview: Managing Multiple Boot Environments 2-62
Summary 2-63
Workflow Orientation 3-3
Lesson Agenda 3-4
Reviewing Your Company’s Plan for an Oracle Solaris 11 Implementation 3-5
Planning for an Oracle Solaris 11 AI Installation 3-6
Automated Installation: Overview 3-7
Creating an AI Install Service with an ISC DHCP Server Setup 3-26
Creating an AI Install Service Without a DHCP Setup 3-28
Note About the AI SMF Service 3-29
Adding a Client to the AI Install Service 3-30
AI Manifest 3-31
Identifying the Types of AI Manifests 3-32
Reviewing the Default AI Manifest (default.xml) 3-33
System Configuration Profiles (SC Profiles) 3-34
Adding an SC Profile to an Install Service 3-38
Creating a Custom AI Manifest 3-39
Selecting the AI Manifest 3-40
Criteria File: Examples 3-42
Adding Installation Criteria to an AI Manifest 3-43
Practice 3-2 Overview: Configuring the AI Server 3-44
Configuring the Client System 3-45
Identifying Client System Requirements 3-46
Using Secure Shell to Remotely Monitor an Installation 3-47
Implementing the Configuration 3-48
Reviewing Client Installation Messages 3-49
Practice 3-3: Deploying the OS on the Network Client 3-51
Lesson Agenda 3-52
Introducing the Distribution Constructor 3-53
Identifying System Requirements for Using the Distribution Constructor 3-54
Determining Ways to Save Data Storage Space 4-14
Implementing the Data Storage Configuration and Backup Plan 4-15
Quiz 4-16
Lesson Agenda 4-18
Managing Data Redundancy with Mirrored Storage Pools 4-19
Creating a Mirrored Storage Pool 4-20
Adding Log Devices to a Storage Pool 4-21
Adding Cache Devices to a Storage Pool 4-22
Managing Devices in ZFS Storage Pools 4-23
Adding Devices to a Storage Pool 4-24
Attaching Devices to a Storage Pool 4-25
Taking Devices Offline in a Storage Pool 4-27
Detaching Devices from a Storage Pool 4-28
Bringing Devices Online in a Storage Pool 4-29
Replacing Devices in a Storage Pool 4-30
Designating Hot Spares in a Storage Pool 4-31
Removing Hot Spares in a Storage Pool 4-35
Practice 4-1 Overview: Managing Data Redundancy with a ZFS Mirrored Pool 4-36
Lesson Agenda 4-37
Backing Up and Recovering Data with ZFS Snapshots 4-38
Creating and Destroying a ZFS Snapshot 4-39
Holding a ZFS Snapshot 4-40
Renaming a ZFS Snapshot 4-46
Introducing the mountpoint Property 4-82
Automatic Mount Point Behavior 4-83
Legacy Mount Point Behavior 4-84
Managing Legacy Mount Points 4-85
share.nfs Property: Introduction 4-86
Setting the share.nfs Property 4-87
Unsharing ZFS File Systems 4-88
Sharing ZFS File Systems 4-89
Setting ZFS Quotas and Reservations 4-90
Introducing the quota, reservation, refquota, and used Properties 4-91
Setting Quotas for ZFS File Systems 4-92
Setting a User Quota on a ZFS File System 4-94
Setting a Group Quota on ZFS File System 4-95
Displaying User and Group Space Usage 4-96
Identifying User and Group Space Usage 4-97
Removing User and Group Quotas 4-98
Identifying Reservation Restrictions 4-99
Setting Space Reservation on a Data Set and Snapshot 4-100
Setting Space Reservation on a Data Set 4-101
Displaying Reservation Values 4-102
Practice 4-4 Overview: Configuring ZFS Properties 4-103
Lesson Agenda 4-104
Troubleshooting ZFS Failures 4-105
Data Corruption: Overview 4-130
Identifying the Type of Data Corruption 4-131
Repairing a Corrupted File or Directory 4-133
Repairing ZFS Storage Pool–Wide Damage 4-134
Practice 4-5 Overview: Troubleshooting ZFS Failures 4-135
Summary 4-136
Load Balancing and Aggregation Policies 5-12
Aggregation Modes and Switches 5-13
IPMP: Introduction 5-14
IPMP Components 5-16
Comparing Link Aggregation and IPMP 5-18
Listing Reactive Network Profiles 5-40
Enabling and Disabling Reactive Network Profiles 5-41
Displaying Profile States 5-42
Displaying Profiles and Their Auxiliary States 5-43
Creating a Backup of a Profile 5-44
Removing Reactive Network Profiles 5-45
Practice 5-1 Overview: Managing a Reactive Network 5-46
Lesson Agenda 5-47
Configuring Network File System (NFS) 5-48
Configuring the NFS Server 5-49
Checking the NFS Services Status 5-50
Configuring the NFS Client 5-51
Selecting a Different Version of NFS on a Server 5-52
Enabling the Automounter 5-53
Displaying NFS Server and Client Statistics 5-54
Practice 5-2 Overview: Configuring the Network File System 5-55
Lesson Agenda 5-56
Preparing for Link Aggregation 5-57
Creating Link Aggregation 5-58
Modifying Link Aggregation 5-59
Deleting Link Aggregation 5-60
Practice 5-3 Overview: Configuring a Link Aggregation 5-61
Lesson Agenda 5-62
Summary 5-81
6 Configuring Zones and the Virtual Network
Objectives 6-2
Workflow Orientation 6-3
Lesson Agenda 6-4
Planning for a Virtual Network and Zones 6-5
Network Virtualization and Virtual Networks 6-6
Virtual Network Components 6-7
Introducing Zone Configuration by Using VNICs 6-8
Allocating System Resources to a Zone 6-9
Managing System Resource Allocation to a Zone 6-10
Resource Pool Allocation 6-12
How Resource Pools Work 6-13
Memory Resource Capping 6-14
Specifying Resource Capping Within a Zone 6-15
Implementing Controls on Network Resources 6-16
Managing Virtual Network Resources by Using Flows 6-17
Creating Flows and Selecting Flow Properties 6-18
Implementing the Virtual Network and Zones Plan 6-19
Quiz 6-20
Lesson Agenda 6-23
Creating a Virtual Network 6-24
Booting the Zone 6-46
Checking the Virtual Network Configuration in a Zone 6-47
Verifying That a Zone’s Virtual Network Interface Connection Is Operational 6-48
Virtual Network Configuration 6-49
Removing the Virtual Network Without Removing the Zones 6-50
Verifying the State of the Configured Zones 6-51
Halting the Exclusive IP Zones 6-52
Verifying That the Zones Have Been Halted 6-53
Listing the VNICs That Were Configured for the Halted Zones 6-54
Deleting the VNICs 6-55
Quiz 6-56
Practice 6-2: Creating Two Zones by Using VNICs 6-59
Lesson Agenda 6-60
Allocating and Managing System Resources in a Zone 6-61
Allocating and Managing CPU Resources with Resource Pools 6-62
Enabling Services for Resource Pools 6-63
Configuring a Persistent Resource Pool 6-64
Displaying the Resource Pool Configuration File 6-65
Modifying the Resource Pool Configuration File 6-67
Displaying and Committing the Modified Resource Pool Configuration File 6-69
Displaying the Resource Pool Configuration That Is Currently in Use 6-72
Displaying all Active Resource Pools 6-73
Binding the Zone to a Persistent Resource Pool 6-75
Displaying Flow Control Properties 6-96
Setting a Priority Property 6-97
Practices 6-4 and 6-5 Overview: Managing the Virtual Network Data Flow and Removing Part of the Virtual Network 6-98
Summary 6-99
SMF Administrative Layers 7-17
Introducing SMF Repository Backups 7-19
Introducing SMF Repository Snapshots 7-20
Creating New Service Scripts 7-21
Implementing the Services Administration Plan 7-22
Quiz 7-23
Lesson Agenda 7-27
Configuring SMF Services 7-28
Creating and Exporting a Service 7-29
Creating and Exporting a Service: Example 7-30
Creating and Importing a Service: Example 7-33
Creating and Exporting a Service: Example 7-34
Modifying a Service’s Manifest 7-35
Modifying a Service’s Manifest: Example 7-36
Changing an Environment Variable for a Service 7-37
Changing an Environment Variable for a Service: Example 7-38
Changing a Property for an inetd-Controlled Service 7-39
Changing a Property for an inetd-Controlled Service: Example 7-40
Creating and Applying an SMF Profile 7-43
Creating and Applying an SMF Profile: Example 7-45
Changing Services and Their Configurations by Using the netservices Command 7-46
Practice 7-1 and Practice 7-2 Overview: Configuring SMF Services and Working with Service Profiles 7-47
Lesson Agenda 7-48
Troubleshooting SMF Services 7-49
Debugging a Service That Is Not Starting 7-50
Restoring a Service in Maintenance State 7-52
Restoring a Service in Maintenance State: Example 7-53
Reverting to an SMF Snapshot 7-55
Reverting to an SMF Snapshot: Example 7-56
Configuration Repository Failed Integrity Check Process 7-57
Repairing a Corrupt Repository 7-58
Repairing a Corrupt Repository: Example 7-61
Debugging the Services During a System Boot 7-63
Addressing system/filesystem/local:default Service Failures During Boot 7-64
Practice 7-3 Overview: Restoring and Recovering a Service 7-65
Summary 7-66
Workflow Orientation 8-3
Lesson Agenda 8-4
Planning for User Privileges and Roles Assignments 8-5
Process Rights Management and Privileges 8-6
Displaying Privilege Descriptions 8-7
Configuring and Managing Privileges 8-34
Examining Process Privileges 8-35
Determining the Privileges Available to the Shell 8-36
Determining the Process Privileges to a Shell 8-38
Determining the Privileges on a Process 8-39
Displaying the Description of a Privilege 8-40
Managing User Privileges 8-41
Determining the Privileges Directly Assigned to You 8-42
Determining the Privileged Commands That You Can Use 8-43
Assigning Privileges to a User or Role 8-44
Limiting Privileges of a User or Role 8-45
Determining Privileges Needed by a Program Using the ppriv Debugging Command 8-46
Using the ppriv Debugging Command to Examine Privilege Use in a Profile Shell 8-47
Using the truss Command to Examine Privilege Use in a Regular Shell 8-48
Practice 8-1 Overview: Delegating Privileges to Users and Processes 8-49
Lesson Agenda 8-50
Configuring and Using RBAC 8-51
Creating a Role 8-52
Creating a Rights Profile 8-54
Creating a Rights Profile: Example 8-55
Cloning and Modifying a Rights Profile 8-56
Determining Audit Service Defaults: Example 9-35
Preselecting Audit Classes 9-37
Configuring a User’s Audit Characteristics 9-38
Modifying the Audit Policy 9-40
Modifying the Audit Policy: Example 9-41
Practice 9-1 Overview: Configuring and Administering Oracle Solaris Auditing 9-60
Lesson Agenda 9-61
Managing Audit Records on Local Systems 9-62
Displaying Audit Record Definitions 9-63
Merging Audit Files 9-64
Selecting Audit Events to Examine 9-66
Viewing Contents of Binary Audit Files 9-67
Practice 9-2 Overview: Managing Audit Records on Local Systems 9-68
Summary 9-69
Priority Ranges for Scheduling Classes 10-9
Combining FSS with Other Scheduling Classes 10-10
Using CPU Shares with the FSS 10-12
Scheduling Class on a System with Zones Installed 10-14
Implementing the Process Execution in an Appropriate Scheduling Class Plan 10-15
Quiz 10-16
Lesson Agenda 10-20
Managing Process Scheduling Priority 10-21
Displaying Processes with the top Command 10-22
Displaying Process Class Information 10-24
Determining the Global Priority of a Process 10-25
Designating a Process Priority 10-27
Modifying a Process Priority 10-29
Lesson Agenda 10-30
Configuring the Fair Share Scheduler (FSS) 10-31
Making FSS the Default Scheduling Class 10-32
Manually Moving Processes from Other Classes into the FSS Class 10-33
Manually Moving the init Process into the FSS Class 10-35
Manually Moving a Project’s Processes into the FSS Class 10-36
Tuning Scheduler Parameters 10-37
Practice 10-1 Overview: Modifying Process Scheduling Priority 10-38
Lesson Agenda 10-39
Managing the Scheduling Class of Zones 10-40
Configuring CPU Shares in a Non-Global Zone 10-41
Configuring CPU Shares in a Non-Global Zone: Example 10-42
Measuring CPU Performance in the Zones 10-43
Assigning CPU Shares to the Global Zone 10-44
Removing the CPU Shares Configuration from a Zone 10-45
Removing the CPU Shares Configuration from a Zone: Example 10-46
Practice 10-2 Overview: Configuring FSS in an Oracle Solaris Zone 10-47
Summary 10-48
Project/Task/Process Relationship 11-10
Resource Controls 11-11
Resource Control Values 11-12
Privilege Levels of Resource Controls 11-13
Enforcing Multiple Resource Controls 11-14
Displaying Currently Running Processes and Projects 11-37
Creating a New Task 11-38
Moving a Running Process into a New Task 11-39
Deleting a Project 11-40
Administering Resource Controls and Attributes 11-41
Displaying the Default Resource Controls 11-42
Displaying Current Resource Control Settings 11-43
Displaying Information About a Given Resource Control 11-44
Enabling Global Resource Control Monitoring 11-45
Practice 11-1 Overview: Managing Resource Controls in Global and Non-Global Zones 11-46
Lesson Agenda 11-47
Monitoring System Performance 11-48
Displaying Virtual Memory Statistics and Information 11-49
Displaying Virtual Memory Statistics 11-50
Displaying System Event Information 11-52
Displaying Swapping Statistics 11-53
Displaying Disk Usage Information 11-54
Displaying General Disk Usage Information 11-55
Displaying Disk Space Information 11-56
Monitoring System Activities 11-57
Checking File Access Operation Statistics 11-58
Checking Buffer Activity 11-59
/etc/dumpadm.conf File 12-13
/etc/coreadm.conf File 12-15
Core File Paths 12-17
Implementing the System Messaging and Diagnostic Facilities Implementation Plan 12-18
Quiz 12-19
Lesson Agenda 12-23
Configuring System Messaging 12-24
Setting Up Message Routing 12-25
Setting Up Message Routing: Example 12-26
Logging a Message by Using TCP Trace 12-27
Monitoring a syslog File in Real Time 12-28
Practice 12-1 Overview: Setting Up System Messaging 12-29
Lesson Agenda 12-30
Configuring System Crash Facilities 12-31
Displaying the Current Crash Dump Configuration 12-32
Modifying the Crash Dump Configuration 12-33
Saving the Crash Dump File 12-35
Uncompressing the Crash Dump File 12-36
Displaying the Crash Dump File Contents 12-37
Displaying the Crash Dump File Contents: Example 12-38
Lesson Agenda 12-39
Configuring Dump Facilities for Business Application Failure 12-40
Managing Services and Service Properties
Objectives
[Workflow orientation diagram: Enterprise Configuration, Datacenter, AI Installation, Data Storage, Network, Services, Network Virtualization, Privileges, Auditing, Processes, Resource Evaluation, Monitoring]
Before you begin the lesson, take a moment to orient yourself in your job workflow. You have successfully installed the operating system and have updated it. You have configured the data storage environment as well as the physical and virtual networks. In this lesson you manage the SMF services and the service properties. As a system administrator, it is your responsibility to ensure that the system and business processes that are running on the system continue uninterrupted. To do this, you need to know which services are controlling which functions so that you can take down or bring up a service as required.
Your company recognizes the importance of ensuring that the right services are enabled and running on the system and that these services can be easily and quickly modified, recovered, and restored. Moreover, the company is interested in being able to have new services created and supported by the SMF to meet emerging business needs.
In this section, you are introduced to the more advanced features of the SMF: manifests, profiles, the service configuration repository, and repository backups using snapshots. You are also introduced to service script creation.
[SMF architecture diagram: SMF Profiles, SMF Manifests, svc.startd daemon, svc.configd daemon, SMF Repository, Snapshots, SMF Services, Dependent Services]
When a system is booted, the SMF consults the SMF profiles to determine which services should be enabled. The SMF then starts the svc.startd daemon, which in turn consults the property and instance information imported from the SMF manifests to gather what it needs about each service before starting that service and its associated dependents. The SMF uses the Service Configuration Repository (also known as the SMF Repository) to store state and configuration information about each service instance, in addition to per-service snapshots that are taken at the time each service is successfully started and that serve as backups. The SMF repository is managed by the svc.configd daemon.
You look at each feature in more detail next, beginning with the SMF profiles.
An SMF profile is an XML file that allows customization of services and instances delivered by the system. Profiles are available for configuration customization using a file rather than a set of scripts, or to customize configuration at deployment or installation time. All configurations may be customized by using a profile, including adding instances for system-supplied services.
Some profiles that are delivered with the operating system release include:
• /etc/svc/profile/generic_open.xml: This profile enables the standard services that have been started by default in earlier releases.
• /etc/svc/profile/generic_limited_net.xml: This profile disables many of the Internet services that have been started by default in earlier releases. The network/ssh service is enabled to provide network connectivity. This is the secure-by-default choice: services that listen on the network, other than ssh, stay disabled until an administrator enables them explicitly.
• /etc/svc/profile/ns_*.xml: These profiles enable services associated with the name service that is configured to run on the system.
• /etc/svc/profile/platform_*.xml: These profiles enable services associated with particular hardware platforms.
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
    <header content omitted>
-->
<service_bundle type='profile' name='generic_open'
    xmlns:xi='http://www.w3.org/2003/XInclude' >
    <!--
        Include name service profile, as set by system id tools.
    -->
    <xi:include href='file:/etc/svc/profile/name_service.xml' />

    <!--
        svc.startd(1M) services
    -->
    <service name='system/coreadm' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='system/cron' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
This example presents an excerpt from the /etc/svc/profile/generic_open.xml file. As was discussed, this profile enables the standard services that have been started by default in earlier releases. Each service is listed in the same basic format:
<service name='system/coreadm' version='1' type='service'>
    <instance name='default' enabled='true'/>
</service>
You learn how to create and apply your own profile in the next topic.
• /etc/svc/profile/generic.xml: During the first boot after a new installation or an upgrade, the /etc/svc/profile/generic.xml profile is applied. This file is usually symbolically linked to generic_open.xml or generic_limited_net.xml; to see which variant a system uses, list the link target (for example, with ls -l /etc/svc/profile/generic.xml). Also, if a profile called site.xml is in /etc/svc/profile during the first boot or is added between boots, the contents of this profile are applied.
Note: By using the site.xml profile, the administrator can customize the initial set of enabled services.
Similar to manifests, profiles in /etc/svc/profile are applied during the early manifest import. Profiles in /var/svc/profile are applied during the later manifest import.
Note: The generic_xxx profiles are mutually exclusive. Any conflicting definitions between files in /etc/svc/profile/site are treated as conflicts, and the affected service instances are put into the maintenance state.
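The conflict note above is easy to check before a profile is copied into /etc/svc/profile/site. The following Python script is an added example, not part of the Oracle course material: it parses the instance enable/disable entries of profile bundles, lists what each profile turns on (the network-exposure review you would do on a generic_limited_net-style profile) and reports instances that two profiles configure differently, the situation that leaves an instance in maintenance once SMF applies them. It generalizes the note to any pair of profiles, not only files in the site directory. The two profile documents embedded in it are constructed, cut-down stand-ins, not the real generic_limited_net.xml or a real site.xml.

```python
"""Offline check of SMF profiles (service_bundle type='profile').

Added example: list what each profile enables and find instances that two
profiles set differently. Both sample profiles are constructed for this
example; they are not the generic_*.xml files shipped with Oracle Solaris.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down "limited net" style profile.
LIMITED_NET = """<?xml version='1.0'?>
<service_bundle type='profile' name='limited_net_sample'>
  <service name='network/ssh' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='network/telnet' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='network/ftp' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
</service_bundle>
"""

# Constructed sample: a site profile that re-enables telnet by mistake.
SITE_PROFILE = """<?xml version='1.0'?>
<service_bundle type='profile' name='site_sample'>
  <service name='network/telnet' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='system/cron' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
</service_bundle>
"""


def parse_profile(xml_text):
    """Return {instance FMRI: enabled(bool)} for one profile bundle.

    Rejects anything that is not a profile bundle, so a manifest dropped
    into a profile directory by mistake is caught before deployment.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "service_bundle" or root.get("type") != "profile":
        raise ValueError("not a service_bundle of type 'profile'")
    instances = {}
    for svc in root.iter("service"):
        for inst in svc.findall("instance"):
            fmri = "svc:/%s:%s" % (svc.get("name"), inst.get("name"))
            instances[fmri] = inst.get("enabled", "").lower() == "true"
    return instances


def enabled_instances(profile):
    """Sorted FMRIs a profile turns on: the list to review for exposure."""
    return sorted(fmri for fmri, on in profile.items() if on)


def find_conflicts(*profiles):
    """Sorted FMRIs that two or more profiles configure differently.

    SMF treats such a pair as a conflict and puts the instance into
    maintenance rather than guessing, so it is cheaper to catch it here.
    """
    first_value = {}
    conflicts = set()
    for prof in profiles:
        for fmri, on in prof.items():
            if fmri in first_value and first_value[fmri] != on:
                conflicts.add(fmri)
            first_value.setdefault(fmri, on)
    return sorted(conflicts)


if __name__ == "__main__":
    base = parse_profile(LIMITED_NET)
    site = parse_profile(SITE_PROFILE)
    print("enabled by base profile:", enabled_instances(base))
    print("enabled by site profile:", enabled_instances(site))
    print("conflicting instances:", find_conflicts(base, site))
```

On a real system the same functions can be pointed at the files under /etc/svc/profile and /etc/svc/profile/site by reading each file into a string; the parser ignores the DOCTYPE and XInclude elements, so included profiles must be passed in separately.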
An SMF manifest is an XML file that describes a service and a set of instances. Manifests are imported to load the properties of that service and its instances into the repository.
The preferred location for manifests is /lib/svc/manifest. Manifests stored there are imported and upgraded during the boot process before any services start. Running the import process early ensures that the repository contains information from the latest manifests before the services are started. At other times, you can import information from these manifests by running this command: svcadm restart manifest-import.
/var/svc/manifest remains available for compatibility purposes, but manifests located there are not imported or upgraded until the svc:/system/manifest-import:default service runs, which is significantly later in the boot process.
The site subdirectory of /lib/svc/manifest and /var/svc/manifest is reserved for site-specific use. Manifests in the site directory may be modified directly. Other manifests included in the software release should not be modified because those modifications will be lost during software upgrades. If you need to make changes to the set of properties included in the generic manifests, you should either create a profile or use the svccfg command. You learn how to create a profile in the next topic.
For more information, see http://www.oracle.com/technetwork/articles/servers-storage-admin/howto-svcbundle-manifest-profile-1866525.html, http://docs.oracle.com/cd/E26502_01/html/E29003/eqbrs.html#smft-5, and svcbundle(1M).
<?xml version="1.0"?>
<service
    name='system/rbac'
    type='service'
    version='1'>
    <create_default_instance enabled='true' />
    <single_instance />
    ---
    ---
This example presents an excerpt from the rbac.xml manifest. A manifest file consists of the following basic entries:
• <service_bundle type=: Identifies the bundle type (manifest, as opposed to profile) and the bundle name, which by convention is the package providing the service followed by the service name.
• <service: Identifies the service category and name, the service type (a simple service rather than a milestone), and the version.
• <create_default_instance: Creates the default instance.
• <single_instance/>: Declares that only a single instance of the service may run.
• <dependency: Identifies the services that this service depends on.
• <dependent: Identifies the services that depend on this service; the named service gains a dependency on this one.
• <exec_method: Defines how the service is started, stopped, and refreshed.
• <property_group name='startd': Identifies the service model to use (for example, a transient service).
• <template>: Provides descriptive information about the service.
<service
    name='system/rbac'
    type='service'
    version='1'>
    <single_instance />
    <dependency
        name='usr'
        type='service'
        grouping='require_all'
        restart_on='none'>
        <service_fmri value='svc:/system/filesystem/minimal' />
    </dependency>
    <dependent
        name='manifest'
        grouping='optional_all'
        restart_on='none'>
        <service_fmri value='svc:/system/manifest-import' />
    </dependent>
    <dependent
        name='name-service-cache'
        grouping='optional_all'
        restart_on='none'>
        <service_fmri value='svc:/system/name-service-cache' />
    </dependent>
    <exec_method
        type='method'
        name='refresh'
        exec='/lib/svc/method/svc-rbac refresh'
        timeout_seconds='300'>
    </exec_method>
    <exec_method
        type='method'
        name='stop'
        exec=':true'
        timeout_seconds='300'>
    </exec_method>
    <property_group name='startd' type='framework'>
        <propval
            name='duration' type='astring'
            value='transient'
        />
    </property_group>
    <property_group name='options' type='application'>
    </property_group>
</template>
</service>
</service_bundle>
You create your own service manifest in Practice 7.
• Stores state and configuration information about each service instance
• Is located in /etc/svc/repository.db
• Is managed by the svc.configd daemon
• Provides a consistent and persistent way to enable or disable a service
• Provides a consistent view of service state
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
SMF stores state and configuration information about each service instance in the service configuration repository. The repository is distributed among local memory and local disk-based files and is stored in /etc/svc/repository.db.
The repository is managed by the svc.configd daemon. This daemon is the interface
between the repository and the user and ensures that a consistent picture of the repository is
presented to the user.
In turn, the repository provides a consistent and persistent way to enable or disable a service,
as well as a consistent view of the service state. This capability helps you debug service
configuration problems.
SMF Repository
[Figure: the four repository layers: manifest, system-profile, site-profile, admin]
The SMF repository consists of four layers that can be used to help determine which settings have been customized by an administrator and which settings are delivered by the software. The four layers are as follows:
• manifest: Imported full manifest files that completely define a service or an instance, located in a standard location: /lib/svc/manifest or /var/svc/manifest
• system-profile: Specifically named profiles (/etc/svc/profile/generic.xml or /etc/svc/profile/platform.xml) that are applied to the system and delivered by the Solaris consolidations
• site-profile: Profiles that are site specific and are either applied from the /etc/svc/profile/site directory or from the /etc/svc/profile/site.xml or /var/svc/profile/site.xml file
• admin: Administrative customizations to the system done with svccfg add/set/del subcommands as well as through enabling/disabling services through the command line. Manifests and profiles imported and applied from nonstandard locations (that is, outside of /lib/svc/manifest or /var/svc/manifest) are considered customizations and are brought in at the admin layer.
the repository because of file contents, the information about that property includes the name
of that file.
Note: You can use the svccfg listprop command to explore layers. You can use the svccfg listcust command to list only customizations.
The SMF automatically takes the following backups of the repository:
• The boot backup is taken immediately before the first change to the repository is made during each system startup.
• The manifest_import backups occur after svc:/system/early-manifest-import:default or svc:/system/manifest-import:default completes, if the service imported any new manifests or ran any upgrade scripts.
Four backups of each type are maintained by the system. The system deletes the oldest backup when necessary. The backups are stored as /etc/svc/repository-type-YYYYMMDD_HHMMSS, where YYYYMMDD (year, month, day) and HHMMSS (hour, minute, second) are the date and time when the backup was taken. Note that the hour format is based on a 24-hour clock.
You can restore the repository from these backups, if an error occurs. You learn how to do
this later in the lesson.
The service configuration repository provides a per-service snapshot at the time each service is successfully started so that fallback is possible. The standard snapshots that are stored in the SMF repository are listed in the slide.
The SMF service always executes with the running snapshot. This snapshot is
automatically created if it does not exist.
When you change the property values of a service, the changes are incorporated into the
running snapshot when you execute the svcadm refresh command. You can use the
svccfg command to view or revert to instance configurations in a previous snapshot. You
learn how to revert to a previous snapshot later in this lesson.
service.
• Establish a name for the service and the category that this service is in.
• Determine whether your service runs multiple instances.
• Identify any dependency relationships between this service and any other services.
• If a script is required to start and stop the process, create the script and place it in a local directory, such as /usr/local/svc/method.
• Create a service manifest file for your service.
• Incorporate the script into the SMF by using the svccfg utility.
You can create new scripts to start and stop additional processes or services to customize a system. For example, to eliminate the requirement for a manual start of a database server, you could create a script to start the database server automatically after the appropriate network services have started. You can then create another script to terminate this service and shut down the database server before the network services are stopped.
The procedure for service script creation is outlined in the steps in the slide. You learn how to
complete these steps in the next topic.
a. True
b. False
Answer: a
services?
a. /etc/svc/profile/generic_open.xml
b. /etc/svc/profile/generic_limited_net.xml
c. /etc/svc/profile/ns_*.xml
d. /etc/svc/profile/platform_*.xml
Answer: a
a. svc.ipfd
b. svc.configd
c. svc.startd
Answer: b
Answer: b
vi /usr/local/svc/method/servicename
2. Grant the execute permission on the script so it can be executed by using the following command:
   chmod 544 /usr/local/svc/method/servicename
3. Change directories to /lib/svc/manifest/site and edit the manifest .xml file for your new service.
4. Import the new service into the SMF by using the following command:
   svccfg import /lib/svc/manifest/site/servicename.xml
5. Verify that the new service is available by using the svcs servicename command.
Notes for step 3: An explanation of each of the entries in the file is provided on the following pages.
Notes for step 4: When using the default manifest, /lib/svc/manifest, use the import command as shown in this step; otherwise, use the manifest-import command.
# vi /usr/local/svc/method/newservice
#!/sbin/sh
#
# ident "@(#)newservice 1.14 04/08/30 SMI"
case "$1" in
'start')
        /usr/bin/newservice &
        ;;
'stop')
        /usr/bin/pkill -x -u 0 newservice
        ;;
*)
        echo "Usage: $0 { start | stop }"
        ;;
esac
exit 0
# chmod 544 /usr/local/svc/method/newservice
In the example shown in the slide, you are creating a new service called newservice. Here you see the steps for editing the new service script and granting execute permissions.
# cd /var/svc/manifest/site
# vi newservice.xml
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE service_bundle SYSTEM
    '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type='manifest'
    name='OPTnew:newservice'>
<service name='site/newservice' type='service' version='1'>
    <create_default_instance enabled='true'/>
    <single_instance/>
    <exec_method name='start' type='method'
        exec='/usr/local/svc/method/newservice start'
        timeout_seconds='30'>
    </exec_method>
    <exec_method name='stop' type='method'
        exec=':true'
        timeout_seconds='30'>
    </exec_method>
    <property_group name='startd' type='framework'>
        <propval name='duration' type='astring' value='transient'/>
    </property_group>
</service>
</service_bundle>
Here you are changing directories to /var/svc/manifest/site and editing the manifest .xml file entries for your new service. Take a closer look at each of the entries in the file. To begin, you have the standard header:
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE service_bundle SYSTEM
'/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
Just below the header is the name of the service. The type (manifest) indicates a simple
service rather than a milestone, the package providing the service, and the service name.
<service_bundle type='manifest'
    name='OPTnew:newservice'>
Next you have the service category, type, name, and version.
<service name='site/newservice' type='service' version='1'>
The next entry creates the instance and the entry below that specifies whether multiple
instances of the service will run.
<create_default_instance enabled='true'/>
<single_instance/>
        timeout_seconds='30'>
</exec_method>
Next is the service model to use. The entry shows that the service will be started by svc.startd. Transient services are not continuously running services.
<property_group name='startd' type='framework'>
    <propval name='duration' type='astring'
        value='transient'/>
</property_group>
</service>
</service_bundle>
Note: If you need to define dependencies for the service, you can do so by using the following entry:
<dependent
    name='newservice'
    grouping='require_all'
    restart_on='none'>
    <service_fmri value='svc:/milestone/multi-user' />
</dependent>
In this example, you are ensuring that the service is associated with the multiuser milestone and that the multiuser milestone requires this service.
After you have completed editing the manifest file and have reviewed the file to make sure
that you have not missed any XML tags or introduced typing errors, it is a good practice to
validate the file by running the following command:
# svccfg validate /var/svc/manifest/site/newservice.xml
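The steps above (method script, manifest, validate, import) as an added example that is not the course's own code: a POSIX shell script that writes a site manifest in the layout just explained, declares that the service requires the multi-user milestone (a <dependency>, the reverse direction of the <dependent> shown above), checks the method script the way steps 1 and 2 expect, and validates the result with svccfg validate where that command exists, falling back to a structural check elsewhere. The service name, method script path and output directory are hypothetical; the manifest is generated with enabled='false' so the service is enabled explicitly after import rather than at import time.

```shell
#!/bin/sh
# Added example, not from the course. Hypothetical inputs: a service such as
# site/newservice, a method script such as /usr/local/svc/method/newservice,
# and an output directory for the manifest (on a real system,
# /var/svc/manifest/site).

# gen_manifest OUTDIR SERVICE METHOD_SCRIPT
# Writes OUTDIR/<service basename>.xml and prints the path written.
gen_manifest() {
    outdir=$1; svc=$2; method=$3
    base=${svc##*/}                       # site/newservice -> newservice
    out="$outdir/$base.xml"
    cat > "$out" <<EOF
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type='manifest' name='OPTnew:$base'>
  <service name='$svc' type='service' version='1'>
    <!-- imported disabled on purpose: enable it with svcadm once verified -->
    <create_default_instance enabled='false'/>
    <single_instance/>
    <!-- this service needs the multi-user milestone to be online first -->
    <dependency name='multi-user' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/milestone/multi-user'/>
    </dependency>
    <exec_method name='start' type='method' exec='$method start' timeout_seconds='30'/>
    <exec_method name='stop' type='method' exec='$method stop' timeout_seconds='30'/>
    <property_group name='startd' type='framework'>
      <propval name='duration' type='astring' value='transient'/>
    </property_group>
  </service>
</service_bundle>
EOF
    printf '%s\n' "$out"
}

# check_method SCRIPT
# Problems steps 1 and 2 of the procedure are meant to prevent: the script is
# missing, is not executable (chmod 544), or does not handle both actions.
check_method() {
    script=$1
    [ -f "$script" ] || { echo "check_method: $script does not exist" >&2; return 1; }
    [ -x "$script" ] || { echo "check_method: $script is not executable" >&2; return 1; }
    for action in start stop; do
        grep -q "'$action')" "$script" \
            || { echo "check_method: $script has no '$action' case" >&2; return 1; }
    done
    return 0
}

# validate_manifest FILE
# Uses svccfg validate when available (Solaris). Elsewhere it falls back to a
# structural check of the elements the lesson treats as mandatory.
validate_manifest() {
    file=$1
    if command -v svccfg >/dev/null 2>&1; then
        svccfg validate "$file"
        return $?
    fi
    for pat in '<service_bundle ' '<service name=' '<exec_method name=.start' \
               '<exec_method name=.stop' "<property_group name='startd'"; do
        grep -q -- "$pat" "$file" || { echo "validate_manifest: missing $pat" >&2; return 1; }
    done
    # every <service ...> must be closed; </service_bundle> does not match </service>
    opens=$(grep -c '<service name=' "$file" || true)
    closes=$(grep -c '</service>' "$file" || true)
    [ "$opens" -eq "$closes" ] || { echo "validate_manifest: unbalanced <service>" >&2; return 1; }
    return 0
}
```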
Here you are importing the service into the SMF by using the svccfg import command.
Note: The SMF is creating a snapshot of this service to be stored in the service configuration repository.
After the service has been imported into the SMF, your final step is to verify that it is visible to
the system by using the svcs command. Note that the service is online.
It is also a good practice to verify that it is possible to disable and enable the service by using the svcadm command, as shown in the example in the slide.
There might be times when you need to modify a service’s manifest due to structural changes that impact the execution method. To change the configuration of a service that is not managed by the inetd service, you use the steps listed in the slide.
Notes for step 1: Many of the services have one or more configuration files that are used to
define the startup or other configuration information. These files can be changed while the
service is running. The contents of the files are checked only when the service is started.
Notes for step 2: The svcadm utility enables you to perform common service management
tasks, such as enabling, disabling, or restarting service instances.
# vi crmsvc.xml
In the example shown in the slide, the decision has been made to modify the crmsvc service’s manifest. To make the modification to the service manifest, you use a text editor to change the crmsvc.xml to refer to monitor1.crm instead of monitor.crm. To accomplish the change, you use the svcadm restart manifest-import command. After the import, you restart and enable the service. Finally, you verify that the service is online.
Notes for step 1: The svcs utility provides detailed views of the service state of all service instances in the service configuration repository.
Notes for step 2: The -s option selects the entity indicated by the fault management resource identifier (FMRI) before executing any subcommands. The modification subcommand setenv searches for the “start” property group in the currently selected entity and, if an instance is currently selected, its parent is also searched. After the property is located, all values that begin with envvar followed by a “=” are removed, and the value “envvar=value” is added.
Notes for step 3: The svcadm command is used to manipulate service instances. The command issues requests for actions on services executing within the SMF. Actions for a service are carried out by its assigned service restarter agent. The refresh subcommand requests that the assigned restarter update the service's running configuration snapshot with the values from the current configuration. Some of these values take effect immediately (for example, dependency changes). Other values do not take effect until the next service restart.
Notes for step 5: The pargs -e command prints the parameter arguments and environment
variables that have been passed to the service.
# svcs system/cron
STATE          STIME    FMRI
online         13:02:52 svc:/system/cron:default
# svccfg -s system/cron:default setenv UMEM_DEBUG default
# svccfg -s system/cron:default setenv LD_PRELOAD libumem.so
# svcadm refresh system/cron
# svcadm restart system/cron
# pargs -e `pgrep -f /usr/sbin/cron`
100657: /usr/sbin/cron
envp[0]: LOGNAME=root
envp[1]: LD_PRELOAD=libumem.so
envp[2]: PATH=/usr/sbin:/usr/bin
envp[3]: SMF_FMRI=svc:/network/ssh:default
envp[4]: SMF_METHOD=/lib/svc/method/svc-ssh
envp[5]: SMF_RESTARTER=svc:/network/svc/restarter:default
envp[6]: TZ=GB
envp[7]: UMEM_DEBUG=default
#
In the example shown in the slide, you are changing the environment variables for the ssh service to help with debugging. First, you verify that the service is up and running, and it is. Next, you set the UMEM_DEBUG and LD_PRELOAD environment variables by using the svccfg -s command with the setenv subcommand. To make the changes effective, you refresh and then restart the service by using the svcadm refresh and svcadm restart commands. Finally, you verify that the change has been made by using the pargs -e command. Here you can see that the two variables are present. The LD_PRELOAD environment variable is envp[1], and the UMEM_DEBUG environment variable is envp[7].
inetadm -l FMRI.
2. Change the property for the service by using inetadm -m FMRI property-name=value.
3. Verify that the property has changed by using inetadm -l FMRI.
4. Confirm that the change has taken effect.
If you have a need to impose more access controls on a particular Internet service, you can do so by modifying the service’s property settings.
Notes for step 1: The inetadm command enables you to observe or configure services
controlled by inetd, which is the delegated restarter for Internet services for the SMF. Its
basic responsibilities are to manage service states in response to administrative requests,
system failures, and service failures and, when appropriate, to listen for network requests for
services.
The inetadm -l command displays all the properties for the service identified by the FMRI.
Notes for step 2: The -m option is used to change the values of the specified properties of
the identified service instances. Each property for an inetd-controlled service is defined by a
property name and an assigned value. Supplying the property name without a specified value
resets the property to the default value.
Notes for step 3: You want to list the properties again to make sure that the appropriate
change has occurred.
SCOPE    NAME=VALUE
         name="telnet"
         endpoint_type="stream"
         proto="tcp6"
         isrpc=FALSE
         wait=FALSE
         exec="/usr/sbin/in.telnetd"
         user="root"
default  bind_addr=""
default  bind_fail_max=-1
default  bind_fail_interval=-1
default  max_con_rate=-1
default  max_copies=-1
default  con_rate_offline=-1
default  failrate_cnt=40
default  failrate_interval=60
default  inherit_env=TRUE
default  tcp_trace=FALSE
default  tcp_wrappers=FALSE
default  connection_backlog=10
default  tcp_keepalive=FALSE

In the example shown in the slide, you enable the tcp_trace property for the telnet service. As you can see, currently the tcp_trace property is set to FALSE.
default  tcp_keepalive=FALSE

Here you can verify that the property has been changed.
# tail -1 /var/adm/messages
Dec 15 08:04:39 client1 inetd[655]: [ID 317013 daemon.notice] telnet[2390] from 192.168.0.100 34098
# grep /var/adm/messages /etc/syslog.conf
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages
The last step is to confirm that the change has taken effect. First, you telnet to your host from another host. You then check the /var/adm/messages file to see if the telnet connection was logged, which as you can see it was. You then confirm the entry in /etc/syslog.conf, which is configured to log this message. You have successfully changed the service property.
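The property review in steps 1 to 3, as an added example that is not the course's own code: a POSIX shell function that reads the output of inetadm -l for an inetd-managed service, flags the settings that leave access control, connection logging and rate limiting switched off, and prints the inetadm -m command from step 2 that would tighten each one. The inetadm output is a constructed sample modelled on the telnet listing above; the FMRI is only used to build the printed command.

```shell
#!/bin/sh
# Added example, not from the course. SAMPLE_INETADM_L is constructed sample
# data in the format 'inetadm -l FMRI' prints: an optional SCOPE column
# ("default" when the value is inherited) followed by NAME=VALUE.
SAMPLE_INETADM_L='SCOPE    NAME=VALUE
         name="telnet"
         endpoint_type="stream"
         proto="tcp6"
         isrpc=FALSE
         wait=FALSE
         exec="/usr/sbin/in.telnetd"
         user="root"
default  bind_addr=""
default  max_con_rate=-1
default  max_copies=-1
default  con_rate_offline=-1
default  failrate_cnt=40
default  failrate_interval=60
default  inherit_env=TRUE
default  tcp_trace=FALSE
default  tcp_wrappers=FALSE
default  connection_backlog=10
default  tcp_keepalive=FALSE'

# audit_inetd_props FMRI < inetadm-l-output
# Prints one finding per line with the corresponding 'inetadm -m' fix.
# The return value is the number of findings (0 means nothing to change).
audit_inetd_props() {
    fmri=$1
    findings=0
    while IFS= read -r line; do
        set -- $line                  # $1 = SCOPE (if present), last word = NAME=VALUE
        kv=${2:-$1}
        key=${kv%%=*}
        val=${kv#*=}
        case "$key" in
        tcp_wrappers)
            if [ "$val" = FALSE ]; then
                echo "tcp_wrappers=FALSE: /etc/hosts.allow and /etc/hosts.deny are not consulted" \
                     "-> inetadm -m $fmri tcp_wrappers=TRUE"
                findings=$((findings + 1))
            fi ;;
        tcp_trace)
            if [ "$val" = FALSE ]; then
                echo "tcp_trace=FALSE: connections are not logged to syslog" \
                     "-> inetadm -m $fmri tcp_trace=TRUE"
                findings=$((findings + 1))
            fi ;;
        max_con_rate)
            if [ "$val" = -1 ]; then
                echo "max_con_rate=-1: no per-second connection limit" \
                     "-> inetadm -m $fmri max_con_rate=<connections-per-second>"
                findings=$((findings + 1))
            fi ;;
        esac
    done
    return $findings
}

# Usage on a live system (Solaris only):
#   inetadm -l svc:/network/telnet:default | audit_inetd_props svc:/network/telnet:default
```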
profile.xml.
2. Edit the profile.xml file to make any required changes.
   a. Change the name of the profile in the service_bundle declaration.
   b. Remove any services that should not be managed by this profile.
   c. Add any services that should be managed by this profile.
   d. If necessary, change the enabled flag for selected services.
3. When necessary, apply the new profile by using svccfg apply profile.xml.
You can create an SMF profile that reflects which services you want enabled or disabled on the current system. Not all services need to be listed in a profile. Each profile needs to include only those services that need to be enabled or disabled to make the profile useful.
The steps for how to create an SMF profile are shown in the slide.
Notes for step 1: The svccfg utility enables you to display and manipulate the contents of
the service configuration repository. The service profile subcommand extract prints a
service profile that represents the enabled status of the service instances in the repository to
standard output. You can redirect the output to a file by using extract> (as you are doing in
step 1).
Notes for step 2b: For each service, remove the three lines that describe the service. Each
service description starts with <service and ends with </service.
general/enabled, that are specified in the file and modifies them in the SMF repository.
In the example shown in the slide, you use the svccfg command to create a profile called profile.xml that reflects which services are enabled or disabled on the current system. The assumption is that you are in your own home directory while performing this task.
Note: It is a best practice to use profile as the default name for your profile. Also, you do
have the option of making a copy of an existing profile to edit instead of creating a new profile.
In the first line of the profile.xml file, you change the name of the profile in the
service_bundle declaration to profile. In the second line, you add the LDAP client
service to the profile. In the third line, you disable the sendmail service. You then apply the
profile.
The netservices command switches system services between minimal network exposure and traditional network exposure. The switch is done with the generic_limited.xml and generic_open.xml profiles. In addition, some service properties are changed by the
command to limit some services to a local-only mode or to the traditional mode, as
appropriate.
Note: The generic_limited_net profile and the local-only-mode service properties are
applied by default.
To have open or traditional network exposure, you use the /usr/sbin/netservices
open command.
To have limited network exposure, you use the /usr/sbin/netservices limited
command. This command changes properties to run some services in local mode, as well as
restricts which services are enabled with the generic_limited_net profile. The command
should be used only if the generic_open.xml profile is applied.
The practices for this lesson are designed to reinforce the concepts that have been presented in the lecture portion. These practices cover the following tasks:
• Practice 7-1: Configuring SMF services
• Practice 7-2: Working with service profiles
• Practice 7-3: Restoring and recovering a service
Practices 7-1 and 7-2 should take you a total of about 40 minutes to complete.
If you have a service that is disabled and not starting, you can debug it by using the steps shown in the slide.
Notes for step 1: The -x option provides additional information about the service instances that are affected.
In the example, the print service is disabled. To find out more about the problem, you run
the svcs -xv command for the service. The output for the svcs -xv command provides
the following information:
• State: The state of the service and the date and time stamp
• Reason: Why the service is disabled
• See: The URL to a knowledge article on the issue
• See: Man page references to help resolve the issue
• Impact: What services have been affected by the problem
SMF places a service in maintenance mode when it is unable to bring it up. As a system administrator, it is your job to figure out what has caused the problem. The steps for restoring a service in maintenance state are shown in the slide.
Notes for step 1: Normally, when a service instance is in maintenance state, all processes associated with that instance have stopped. However, you should make sure before you proceed. The svcs -p FMRI command lists all the processes that are associated with a service instance as well as the PIDs for those processes.
Notes for step 2: Repeat this step for all processes that are displayed by the svcs
command.
Notes for step 3: The -x option provides you with details that you might find useful for
debugging the issue. You can also examine the appropriate service log files in
/var/svc/log for a list of errors.
# svcs time-slider:default
STATE          STIME    FMRI
maintenance    8:22:10  svc:/application/time-slider:default
# svcs -p time-slider:default
STATE          STIME    FMRI
maintenance    8:23:06  svc:/application/time-slider:default
# svcs -x time-slider:default
svc:/application/time-slider:default (GNOME Desktop Snapshot Management Service)
 State: maintenance since Dec 15, 2011 08:22:41 AM MDT
Reason: Start method exited with $SMF_EXIT_ERR_FATAL.
   See: http://sun.com/msg/SMF-8000-KS
   See: zfs(1M)
   See: /var/svc/log/application-time-slider:default.log
Impact: This service is not running.
# svccfg delete time-slider:default
In the example shown in the slide, the time-slider:default service is in the maintenance state. Your first step is to determine, using the svcs -p command, whether any processes that are dependent on the service have not stopped. As you can see, no dependent processes are listed, so your next step is to investigate the service by using the svcs -x command. The output from this command indicates that there is an issue with the start method.
Note: You can examine the log for further details.
Your next step is to determine what in the execution method configuration in the time-slider.xml manifest file is causing the problem. However, before you do that, you are going to delete the corrupted service by using the svccfg delete command.
Assume you opened the time-slider.xml manifest file, found the problem with the start method, fixed it, and imported the file into SMF. You are now ready to bring the service back up. To do this, you first refresh the service by using the svcadm refresh command to make
sure SMF is reading the new service manifest file, enable the service, and then restore the
service by using the svcadm clear command. You then verify that the service is back
online, and it is. You have successfully restored the service.
If the service's administrative customizations are wrong, you can fix the problem by reverting to the last snapshot that started successfully. The steps for how to revert to a previous SMF snapshot are shown in the slide.
Notes for step 1a: You must use an FMRI that fully defines the instance. No shortcuts are
allowed.
Notes for step 1c: The start snapshot is the last snapshot in which the service successfully
started.
Notes for step 2: This step updates the repository with the configuration information from the
start snapshot.
Note: None of the file-backed properties (that is, properties delivered via manifests or profiles)
from the snapshot are restored. Instead, all the administrative customizations in the current
configuration are removed, and then all the administrative customizations from the selected
snapshot are propagated forward.
# svccfg
svc:> select system/console-login:default
svc:/system/console-login:default> listsnap
initial
last-import
previous
running
start
svc:/system/console-login:default> revert start
svc:/system/console-login:default> quit
# svcadm refresh system/console-login:default
# svcadm restart system/console-login:default
# svcs console-login:default
online         18:15:32 svc:/system/console-login:default
In the example shown in the slide, it is assumed that the console-login:default service is in the maintenance state. To resolve the issue, you have decided to revert to a previous SMF snapshot to bring the service back online. You have selected the start snapshot.
Note: The version of the snapshot you choose to use is based on what you are trying to
accomplish.
When you have selected the type of snapshot you want, you quit the service configuration.
You then refresh and restart the service. Your final step is to verify that the service is back
online.
/etc/svc/repository.db
When the repository daemon, svc.configd, is started, it does an integrity check of the configuration repository. If the integrity check fails, the svc.configd daemon writes a message to the console similar to the one shown in the slide. The svc.startd daemon then exits and starts sulogin to enable you to perform maintenance as shown on the next page.
Note: The repository can become corrupted due to one of the following reasons:
• Disk failure
• Hardware bug
• Software bug
• Accidental overwrite of the file
Notes for step 1: sulogin enables the root user to enter system maintenance mode to repair the system.
Notes for step 2: Running this command takes you through the necessary steps to restore a
non-corrupt backup. SMF automatically takes backups of the repository at key system
moments. When started, the /lib/svc/bin/restore_repository command displays a
message similar to the following:
Repository Restore utility
See http://sun.com/msg/SMF-8000-MY for more information on the use of
this script to restore backup copies of the smf(5) repository.
If there are any problems which need human intervention, this script
will give instructions and then exit back to your shell.
Note that upon full completion of this script, the system will be
rebooted using reboot(1M), which will interrupt any active services.
/etc/svc/volatile/db_errors
-- copied --> /etc/svc/repository.db_old_YYYYMMDD_HHMMSS_errors
repository_to_restore
-- copied -->
> /etc/svc/repository.db
/etc/svc/repository db
and the system will be rebooted with reboot(1M).
Proceed [yes/no]?
Notes for step 4: The system reboots after the restore_repository command executes all the listed actions.
# cd /lib/svc/bin
# ./restore_repository
<output omitted>
manifest_import-20111215_035411
boot-20111214_124026
boot-20111215_150206
Please enter either a specific backup repository from the above list to restore it,
or one of the following choices:
CHOICE            ACTION
----------------  -----------------------------------------
boot              restore the most recent post-boot backup
manifest_import   restore the most recent manifest_import backup
-seed-            restore the initial starting repository (All
                  customizations will be lost, including those
                  made by the install/upgrade process.)
-quit-            cancel script and quit
Enter response [boot]: boot-20111215_150206
In the example shown in the slide, you are restoring the repository by using the most recent post-boot backup option. The confirmation for this selection is shown on the next page.
Here you are prompted for the final confirmation. You enter yes to tell the system to remedy the fault. After the restore_repository command executes all the listed actions, the system reboots.
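The shell script below is an added example and is not part of the course material. It models how an answer at the Enter response prompt is resolved against the list of backups that restore_repository prints: boot (the bracketed default) and manifest_import select the newest backup of that kind by its YYYYMMDD_HHMMSS timestamp, a specific name is accepted only if it is in the list, and -quit- restores nothing. The BACKUPS list is constructed from the three names in the slide, and the handling of -seed- is an assumption, since the course only describes what that choice does.

```shell
#!/bin/sh
# Added example (not from the course): resolve a restore_repository prompt
# answer to the backup that would be copied over /etc/svc/repository.db.

# Constructed backup list in the shape restore_repository prints; the three
# names are the ones shown in the slide.
BACKUPS="manifest_import-20111215_035411
boot-20111214_124026
boot-20111215_150206"

# latest_backup TYPE
#   Print the newest backup named TYPE-YYYYMMDD_HHMMSS. The timestamp is
#   zero-padded, so a plain sort puts the newest entry last. Fails (exit 1)
#   when no backup of that type exists, so a caller never restores "nothing".
latest_backup() {
    b=$(printf '%s\n' "$BACKUPS" | grep "^$1-[0-9]\{8\}_[0-9]\{6\}$" | sort | tail -n 1)
    if [ -z "$b" ]; then
        return 1
    fi
    printf '%s\n' "$b"
}

# resolve_choice ANSWER
#   Map an answer at "Enter response [boot]:" to a backup name. An empty
#   answer takes the bracketed default. Exit 1 means nothing would be
#   restored: -quit- cancels, and a name not in the list is rejected rather
#   than guessed at (the real script re-prompts; this model simply fails).
resolve_choice() {
    case "$1" in
        ""|boot)         latest_backup boot ;;
        manifest_import) latest_backup manifest_import ;;
        -seed-)          printf '%s\n' "-seed-" ;;   # assumed: initial repository, all customizations lost
        -quit-)          return 1 ;;
        *)
            if printf '%s\n' "$BACKUPS" | grep -qxF -- "$1"; then
                printf '%s\n' "$1"
            else
                return 1
            fi
            ;;
    esac
}

# Stand-alone run: show what each documented choice resolves to.
for answer in boot manifest_import boot-20111214_124026; do
    printf '%-24s -> %s\n' "$answer" "$(resolve_choice "$answer")"
done
```

Because the timestamp is zero padded, plain lexical sorting is enough to find the newest backup; the check that a typed name actually exists in the list is the part worth keeping in any wrapper, so that a typo never turns into a restore of the wrong repository.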
If problems with starting services occur, sometimes a system will hang during the boot. You can use the steps shown in the slide to troubleshoot this problem.
Notes for step 2: There is an additional system state associated with the all milestone. With the all milestone, all the services with a defined dependency on the multiuser-server milestone are started, as well as any services that do not have a defined dependency. If you have added services, such as third-party products, they may not be started automatically unless you use the boot -m milestone=all command.
Notes for step 4b: This command verifies that the login process on the console will run.
Local file systems that are not required to boot the system are mounted by the svc:/system/filesystem/local:default service. When any of those file systems are unable to be mounted, the service enters a maintenance state. System startup continues, and any services that do not depend on filesystem/local are started. Services that require filesystem/local to be online before starting through dependencies are not started. To change the configuration of the system so that a sulogin prompt appears immediately after the service fails instead of allowing system startup to continue, you can use the steps shown in the slide.
Note: When a failure occurs with the system/filesystem/local:default service, the svcs -vx command should be used to identify the failure. After the failure has been fixed, the following command clears the error state and allows the system boot to continue: svcadm clear filesystem/local.
This practice should take you about 20 minutes to complete.
Configuring Privileges and Role-Based Access Control
Objectives
[Figure: job workflow diagram with the stages AI Installation, Monitoring, Resource Evaluation, Data Storage, Processes, Network, Enterprise Configuration, Datacenter, Privileges, Network Virtualization, Auditing, and Services]
Before you begin the lesson, take just a moment to orient yourself in your job workflow. You have successfully installed the operating system and have updated it. You have configured the data storage environment as well as the physical and virtual networks. You have also ensured that all the system services are up and running. In the Oracle Solaris 11 Operating System, the root, a process, and a non-root user need appropriate privileges to perform their functions. To protect the integrity of system resources, the system administrator is responsible for ensuring that both users and processes have been granted the appropriate level of privilege.
ensure that:
• Processes and users have the appropriate level of access they need to perform their functions
• Company’s process rights management and role-based access control requirements are met
Your company is very security conscious and wants to ensure that processes and users have only the level of access or privilege to system resources they need to perform their required functions. The predeployment plan contains activities to investigate what features and functionality Oracle Solaris 11 offers that would support the company’s security policy, specifically in the area of process rights management and role-based access control.
In this topic, you learn how Oracle Solaris 11 supports process rights management and role-based access control.
Process rights management enables processes to be restricted at the command, user, role, or system level. The Oracle Solaris OS implements process rights management through privileges. Privileges decrease the security risk that is associated with one user or one process having full superuser capabilities on a system.
A system that enforces policy with privileges allows a gradation between user capabilities and root capabilities. A user can be granted privileges to perform activities that are beyond the capabilities of regular users, and root can be limited to fewer privileges than root currently possesses. With RBAC, a command that runs with privileges can be isolated in a rights profile and assigned to one user or role.
Privileges, then, can restrict programs and processes to just the capabilities that the program requires. This capability is called the principle of least privilege. On a system that implements least privilege, an intruder who captures a process can access only those privileges that the process has. The rest of the system cannot be compromised.
Privileges are logically grouped on the basis of the area of the privilege. The areas of privilege are as follows:
• FILE privileges: Privileges that begin with the string file operate on file system objects. For example, the file_dac_write privilege overrides discretionary access control when writing to files.
• IPC privileges: Privileges that begin with the string ipc override IPC object access controls. For example, the ipc_dac_read privilege enables a process to read remote shared memory that is protected by DAC.
• NET privileges: Privileges that begin with the string net give access to specific network functionality. For example, the net_rawaccess privilege enables a device to connect to the network.
• PROC privileges: Privileges that begin with the string proc enable processes to modify restricted properties of the process itself. PROC privileges include privileges that have a very limited effect. For example, the proc_clock_highres privilege enables a process to use high-resolution timers.
• SYS privileges: Privileges that begin with the string sys give processes unrestricted access to various system properties. For example, the sys_linkdir privilege enables a process to make and break hard links to directories.
• Effective privilege set, or E: Set of privileges that are currently in effect
• Inheritable privilege set, or I: Set of privileges that a process can inherit across a call to exec
• Permitted privilege set, or P: Set of privileges that are available for use
• Limit privilege set, or L: Outside limit of the privileges that are available to a process and its children. By default, the limit set is all privileges.
E (Effective): basic
I (Inheritable): basic
P (Permitted): basic
L (Limit): all
Every process has four sets of privileges that determine whether a process can use a particular privilege. The kernel automatically calculates the effective set of privileges. You can modify the initial inheritable set of privileges. A program that is coded to use privileges can reduce the program's permitted set of privileges. You can shrink the limit set of privileges.
• Effective privilege set, or E: Is the set of privileges that are currently in effect. A process can add privileges that are in the permitted set to the effective set. A process can also remove privileges from E.
• Inheritable privilege set, or I: Is the set of privileges that a process can inherit across a call to exec. After the call to exec, the permitted and the effective sets are equal, except in the special case of a setuid program. For a setuid program, after the call to exec, the inheritable set is first restricted by the limit set. Then, the set of privileges that were inherited (I), minus any privileges that were in the limit set (L), are assigned to P and E for that process.
• Permitted privilege set, or P: Is the set of privileges that are available for use. ... the program's permitted set. In this way, unnecessary privileges cannot be exploited by the program or a malicious process.
• Limit privilege set, or L: Is the outside limit of what privileges are available to a process and its children. By default, the limit set is all privileges. Processes can shrink the limit set but can never extend the limit set. L is used to restrict I. Consequently, L restricts P and E at the time of execution.
If a user is assigned a profile with a program that has been assigned privileges, the user can usually run that program. On an unmodified system, the program's assigned privileges are within the user's limit set. The privileges that have been assigned to the program become part of the user's permitted set. To run the program that has been assigned privileges, the user must run the program from a profile shell.
The kernel recognizes a basic privilege set. On an unmodified system, each user's initial inheritable set equals the basic set at login. Although you cannot modify the basic set, you can modify which privileges a user inherits from the basic set. On an unmodified system, a user's privilege sets at login would appear similar to the example shown in the slide.
Therefore, at login, all users have the basic set in their inheritable set, their permitted set, and their effective set. A user's limit set is equivalent to the default limit set for the zone, global or non-global. To put more privileges in the user's effective set, you must assign a rights profile to the user. The rights profile would include commands to which you have added privileges.
[Figure: RBAC elements: Users, Roles, Rights Profiles, Supplementary Rights Profiles, Authorizations, Commands with Security Attributes, and Privileges]
RBAC is a security feature for controlling user access to tasks that would normally be restricted to the superuser. RBAC collects superuser capabilities into rights profiles. Rights profiles can contain authorizations, privileges, privileged commands, and other supplementary rights profiles. Privileged commands are commands that execute with security attributes. Rights profiles are assigned to special user accounts that are called roles. A user can then assume a role to do a job that requires some of the superuser's capabilities.
Take a closer look at each of the key RBAC concepts, beginning with roles.
A role:
• Is a special type of user account that performs a set of administrative tasks
• Contains one or more rights profiles
• Provides access to restricted functionality
[Figure: the user John is assigned the Operator role, which contains several rights profiles]
# roles john
Operator
A role is a special type of user account that performs a set of administrative tasks. Usually, a role contains one or more rights profiles, and a user is associated with one or more roles to gain access to restricted functionality. A role can be shared among users. Because of this, roles are preferred in RBAC as they simplify the management of large numbers of users.
Note: A role cannot log in to the system. A user must be logged in to the system to assume a role.
The graphic illustrates how the user John is assigned the Operator role, which contains several rights profiles.
The roles assigned to a user can be displayed by using the roles command. In the code example, the roles assigned to the user john are displayed. john has one role assigned to him: the Operator role.
• Rights are commands or scripts run with special security attributes.
A rights profile can consist of authorizations, commands with security attributes, and other rights profiles. Rights profiles offer a convenient way to group security attributes. New rights profiles can be created by editing this file. You are shown how to do this later in this lesson.
The graphic illustrates rights profiles being assigned to the user john.
The profiles assigned to a user can be displayed by using the profiles command. In the code example, the profiles assigned to the user john are displayed. john has three rights profiles assigned to him: Operator, Basic Solaris User, and ALL.
All users have the Basic Solaris User profile by default. This profile grants users access to all listed authorizations, as indicated by auths=.
Note: An authorization is divided into hierarchies, which are separated by periods. For example, in the solaris.network.autoconf.read authorization, the first level of the hierarchy is solaris, followed by the second level, which is network.autoconf (automatic configuration of the network), and the third level, which is read. Taken together, this entry is giving the basic user the authority to display the rights profile. The solaris.mail.mailq authorization enables the basic user to look at the mail queue, and so on.
Note: Other default authorizations for every user can be defined in the /etc/security/policy.conf file.
A semicolon in a rights profile means that a different type of information is being specified, an example of which can be seen just before profiles=All. In this case, the Basic Solaris User profile is being attached to the All profile. The last field is a help file.
Note: The profiles=All field grants unrestricted access to all Oracle Solaris OS commands that have not been restricted by a definition in a previously listed authorization.
# cat /etc/security/policy.conf
<header and copyright output omitted>
#
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
CONSOLE_USER=Console User
# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords. This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
<output omitted>
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
#
# LOCK_AFTER_RETRIES specifies the default account locking policy for local
# user accounts (passwd(4)/shadow(4)). The default may be overridden by
# a user's user_attr(4) "lock_after_retries" value.
#
# YES enables local account locking, NO disables local account locking.
# The default value is NO.
#
#LOCK_AFTER_RETRIES=NO
Rights profiles given to all new user accounts are defined in the /etc/security/policy.conf file. The settings in this file determine the default privileges that users have. If they are not set, the default privileges are taken from the inherited set. There are two different settings: PRIV_DEFAULT determines the default set on login, and PRIV_LIMIT defines the Limit set on login. Individual users can have privileges assigned or taken away through user_attr.
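As an added example (not the course's own material), the script below reads the settings just described out of a policy.conf-style text with a small awk parser. A line such as #PRIV_DEFAULT=basic is treated as documentation of the default, not as a setting, so the parser falls back to the default the file's own comments state; LOCK_AFTER_RETRIES is checked the same way, because the shipped default leaves local accounts unlocked after repeated failed logins. The POLICY_CONF text is a constructed excerpt built from the lines shown on the page.

```shell
#!/bin/sh
# Added example (not from the course): read the login defaults out of a
# policy.conf-style file, treating a commented-out or missing key as "not
# set" and falling back to the default the file's comments document.

# Constructed excerpt of /etc/security/policy.conf, reproducing lines shown
# on the page; an administrator's copy may differ.
POLICY_CONF='AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
CONSOLE_USER=Console User
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
#
# YES enables local account locking, NO disables local account locking.
# The default value is NO.
#
#LOCK_AFTER_RETRIES=NO'

# policy_value KEY DEFAULT
#   Print the value of the last uncommented KEY= line, or DEFAULT when the
#   key is absent or only present as a comment ("#KEY=value" is
#   documentation, not configuration).
policy_value() {
    v=$(printf '%s\n' "$POLICY_CONF" | awk -F= -v k="$1" '
        /^[ \t]*#/ { next }                        # skip comment lines
        $1 == k    { val = substr($0, length(k) + 2) }
        END        { print val }')
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        printf '%s\n' "$2"
    fi
}

# login_defaults
#   Print the five settings that shape a new user's login state, resolved
#   through the defaults the course text and the file comments give.
login_defaults() {
    printf 'PROFS_GRANTED=%s\n'      "$(policy_value PROFS_GRANTED '')"
    printf 'AUTHS_GRANTED=%s\n'      "$(policy_value AUTHS_GRANTED '')"
    printf 'PRIV_DEFAULT=%s\n'       "$(policy_value PRIV_DEFAULT basic)"
    printf 'PRIV_LIMIT=%s\n'         "$(policy_value PRIV_LIMIT all)"
    printf 'LOCK_AFTER_RETRIES=%s\n' "$(policy_value LOCK_AFTER_RETRIES NO)"
}

# account_locking_enabled
#   Exit 0 only when failed logins lock local accounts (LOCK_AFTER_RETRIES=YES).
#   With the shipped default the check fails, which is the finding to report.
account_locking_enabled() {
    [ "$(policy_value LOCK_AFTER_RETRIES NO)" = YES ]
}

# Stand-alone run: report the resolved defaults and the locking finding.
login_defaults
if account_locking_enabled; then
    echo "local account locking: enabled"
else
    echo "local account locking: disabled (LOCK_AFTER_RETRIES is not YES)"
fi
```

The parser keeps the last uncommented occurrence of a key, which is how a duplicated line later in the file would win; when auditing a real policy.conf, compare the resolved PRIV_DEFAULT and PRIV_LIMIT values against what ppriv shows for a freshly logged-in user.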
[Figure: the authorization is assigned to the user John directly and through the Operator role]
# auths john
solaris.admin.wusb.read,solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq,solaris.profmgr.read
An authorization is a name associated with the right to access restricted functionality. Authorizations enforce policy at the user application level. Authorizations can be assigned directly to a role or to a user. Typically, authorizations are included in a rights profile. The rights profile is then included in a role, and the role is assigned to a user. For example, security policy at installation gives regular users the solaris.device.cdrw authorization. This authorization enables users to read and write to a CD-ROM device.
The graphic illustrates that authorizations can be assigned to user accounts, to roles, or embedded in a rights profile, which can be assigned to a user or a role.
The authorizations assigned to a user can be displayed by using the auths command. In the code example, the authorizations assigned to the user john are displayed. john has all Oracle Solaris authorizations assigned to him.
A privilege is a discrete right that can be granted to a command, a user, a role, or a system. Privileges enable a process to succeed. For example, the proc_exec privilege allows a process to call execve(). Regular users have basic privileges.
A security attribute is an attribute that enables a process to perform an operation. In a typical UNIX environment, a security attribute enables a process to perform an operation that is otherwise forbidden to regular users. For example, as seen in the lesson “Managing Services and Service Properties,” the setuid and setgid programs have security attributes. In the RBAC model, authorizations and privileges are security attributes in addition to the setuid and setgid programs. These attributes can be assigned to a user. For example, a user with the solaris.device.allocate authorization can allocate a device for exclusive use. Privileges can be placed on a process. For example, a process with the file_flag_set privilege can set immutable, no-unlink, or append-only file attributes.
[Figure: the four RBAC databases user_attr, auth_attr, prof_attr, and exec_attr and the Users, Roles, Authorizations, Profiles, and Privileges they relate]
The roles, rights profiles, authorizations, and privileged commands are defined in four files:
• user_attr: Contains the rights profiles and authorizations associated with users and roles that supplement the /etc/passwd and /etc/shadow files
• auth_attr: Contains authorization attributes
• exec_attr: Contains execution attributes
• prof_attr: Contains rights profiles
These files are interrelated as illustrated in the graphic.
Take a closer look at the contents of each file, beginning with the user_attr file.
The user_attr file uses colons (:) to separate the fields on each line. The first field is the username as it appears in the /etc/passwd and /etc/shadow files. The middle fields are reserved for future use, and the last field is a list of semicolon-separated (;) key-value pairs that describe the security attributes to be applied when the user runs commands.
The predefined authorizations are listed in the configuration file for authorization attributes named auth_attr, an example of which is shown here. Each entry in the auth_attr database consists of one line of text containing six fields separated by colons (:). The format of each entry is:
name:res1:res2:short_desc:long_desc:attr
The description for each field is as follows:
• name: Name of the authorization. Authorization names are unique strings.
• res1: The characters RO in this field indicate it is read only and not modifiable by the tools that update this database.
• res2: Reserved for future use
• short_desc: Short description or terse name for the authorization
• long_desc: Reserved for future use
• attr: An optional list of semicolon-separated (;) key-value pairs that describe the attributes of an authorization. Zero or more keys may be specified. The keyword help identifies a help file in HTML.
Example: solaris.admin.usermgr.pswd
• .grant: Permits a user to delegate any assigned authorizations that begin with the same prefix to other users. Example: solaris.admin.usermgr.grant
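The shell functions below are an added example, not part of the course, and illustrate the two points just made about auth_attr names: whether a comma-separated list of authorizations covers a given name, and whether the holder of a prefix.grant authorization may delegate it. The prefix.* form for naming every authorization under a prefix, and the OPERATOR_AUTHS list, are assumptions made for the example; only the individual authorization names come from the page.

```shell
#!/bin/sh
# Added example (not from the course): decide whether an authorization list
# grants a given authorization name, and whether the holder may delegate it.
# The "prefix.*" wildcard form is an assumption about how a profile names
# every authorization under a prefix.

# has_auth AUTHS NAME
#   Exit 0 when NAME is covered by the comma-separated AUTHS list, either by
#   an exact entry or by a "prefix.*" entry whose prefix NAME starts with.
has_auth() {
    printf '%s\n' "$1" | awk -F, -v name="$2" '
        {
            for (i = 1; i <= NF; i++) {
                a = $i
                if (a == name) found = 1
                if (a ~ /\.\*$/ && index(name, substr(a, 1, length(a) - 1)) == 1) found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# can_delegate AUTHS NAME
#   Exit 0 when the holder of AUTHS may pass NAME on to another user: the
#   holder must have NAME itself and a ".grant" authorization at some prefix
#   of NAME (solaris.admin.usermgr.grant covers solaris.admin.usermgr.*).
can_delegate() {
    if ! has_auth "$1" "$2"; then
        return 1
    fi
    p=$2
    while [ "${p%.*}" != "$p" ]; do      # drop the last dot-component each round
        p=${p%.*}
        if has_auth "$1" "$p.grant"; then
            return 0
        fi
    done
    return 1
}

# Constructed authorization list for an operator account: the usermgr names,
# solaris.mail.mailq and solaris.device.cdrw appear on the page; the
# wildcard entry is assumed.
OPERATOR_AUTHS="solaris.admin.usermgr.read,solaris.admin.usermgr.pswd,solaris.admin.usermgr.grant,solaris.mail.mailq,solaris.device.*"

# Stand-alone run: report coverage and delegation for a few names.
for a in solaris.device.cdrw solaris.mail.mailq solaris.admin.usermgr.pswd solaris.profmgr.read; do
    if has_auth "$OPERATOR_AUTHS" "$a"; then held=yes; else held=no; fi
    if can_delegate "$OPERATOR_AUTHS" "$a"; then del=yes; else del=no; fi
    printf '%-30s held=%s delegable=%s\n' "$a" "$held" "$del"
done
```

A wildcard entry such as solaris.device.* also covers solaris.device.grant, so whoever holds the wildcard can delegate everything under it; that is a reason to list explicit authorizations in a rights profile unless delegation is intended.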
Network Management:solaris:cmd:RO::/usr/sbin/dladm:euid=dladm;egid=netadm;privs=sys_dl_config,net_rawaccess,proc_audit
Network Management:solaris:cmd:RO::/usr/sbin/dlstat:euid=dladm;egid=sys
Network Management:solaris:cmd:RO::/usr/sbin/flowadm:euid=dladm;egid=sys;privs=sys_dl_config,net_rawaccess,proc_audit
Network Management:solaris:cmd:RO::/usr/sbin/flowstat:euid=dladm;egid=sys
Network Management:solaris:cmd:RO::/usr/sbin/ipadm:euid=netadm;egid=netadm;privs=sys_ip_config,net_rawaccess
Network Management:solaris:cmd:RO::/usr/bin/netstat:uid=0
Network Management:solaris:cmd:RO::/usr/bin/rup:euid=0
Network Management:solaris:cmd:RO::/usr/bin/ruptime:euid=0
Network Management:solaris:cmd:RO::/usr/bin/setuname:euid=0
Network Management:solaris:cmd:RO::/usr/sbin/asppp2pppd:euid=0
Network Management:solaris:cmd:RO::/usr/sbin/ifconfig:uid=0
...
<output truncated>
An execution attribute is associated with a rights profile name. An execution attribute can be a command with no options or a script that contains a command with options. Each entry in the exec_attr database consists of one line of text containing seven fields separated by colons (:). The basic format of each entry is:
name:policy:type:res1:res2:id:attr
The description for each field is as follows:
• name: Name of the profile. Profile names are case-sensitive.
• policy: Security policy that is associated with the profile entry. The valid policies are suser (standard Solaris superuser) and solaris. The solaris policy recognizes privileges; the suser policy does not.
• type: Type of object defined in the profile. The cmd type specifies that the ID field is a command that would be executed by a shell.
• attr: An optional list of semicolon-separated (;) key-value pairs that describe the security attributes to apply to the object upon execution. Zero or more keys may be specified. The list of valid keywords depends on the policy enforced. The following keywords are valid: euid, uid, egid, gid, privs, and limitprivs.
  - euid and uid: Contain a single user name or a numeric user ID. Commands designated with euid run with the effective UID indicated, which is similar to setting the setuid bit on an executable file. Commands designated with uid run with both the real and effective UIDs.
  - egid and gid: Contain a single group name or a numeric group ID. Commands designated with egid run with the effective GID indicated, which is similar to setting the setgid bit on a file. Commands designated with gid run with both the real and effective GIDs.
  - privs: Contains a privilege set that will be added to the inheritable set before running the command
  - limitprivs: Contains a privilege set that will be assigned to the limit set before running the command
Note: privs and limitprivs are valid only for the solaris policy.
The example in the slide shows the commands and special security attributes for the Printer Management rights profile.
Administrator Message Edit:RO::Update administrator message files:auths=solaris.admin.edit/etc/issue,solaris.admin.edit/etc/motd;help=RtAdminMsg.html
Audit Configuration:RO::Configure Solaris Audit:auths=solaris.smf.value.audit;help=RtAuditCfg.html
Audit Control:RO::Control Solaris Audit:auths=solaris.smf.manage.audit;help=RtAuditCtrl.html
Audit Review:RO::Review Solaris Auditing logs:help=RtAuditReview.html
Contract Observer:RO::Reliably observe any/all contract events:help=RtContractObserver.html
<output omitted>
An execution profile is a mechanism that is used to bundle together the commands and authorizations needed to perform a specific function. Each entry in the prof_attr database consists of one line of text containing five fields separated by colons (:). The format of each entry is:
profname:res1:res2:desc:attr
The description for each field is as follows:
• name: Name of the profile. Profile names are case-sensitive.
• res1: The characters RO in this field indicate it is read only and not modifiable by the tools that update this database.
• res2: Reserved for future use
• desc: A long description that explains the purpose of the profile, including what type of user would be interested in using it
[Figure: related entries from user_attr, prof_attr, and exec_attr; the recoverable lines are:]
johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin
...Management;roleauth=role
Device Management:solaris:cmd:RO::/usr/sbin/rem_drv:uid=0
Device Management:solaris:cmd:RO::/usr/sbin/update_drv:uid=0
Now that you are familiar with the contents of each of the four RBAC files, look at an example of how the fields in the files are related.
The first section of the graphic shows a portion of a user_attr file. The user johndoe is a normal user account. The user is given the role of sysadmin. The sysadmin role is a role account. When assuming the sysadmin role, johndoe has access to specific rights profiles, defined as Device Management, Filesystem Management, and Printer Management profiles.
From the sysadmin role entry in the first section to the next section, which is the prof_attr file, you can see one relationship between the user_attr file and the prof_attr file. The Device Management rights profile, which is defined in the prof_attr file, is assigned to the sysadmin role in the user_attr file.
... displayed in the fourth section. The Device Management profile is defined in the prof_attr file as having all authorizations, beginning with the solaris.device. string, assigned to it.
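The script below is an added example, not the course's own material, that follows the chain the graphic shows with a few lines of awk: a user's roles from user_attr, the rights profiles the role carries, the authorizations each profile holds in prof_attr, and the commands with their security attributes in exec_attr. The johndoe entry and the two Device Management exec_attr lines are taken from the page; the sysadmin role entry, the prof_attr entries, and the Network Management lines used as a negative case are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the course): follow user_attr -> prof_attr ->
# exec_attr for one user. The three databases are constructed excerpts; the
# johndoe line and the Device Management exec_attr lines come from the page,
# the sysadmin role line and the prof_attr entries are assumed.

USER_ATTR='johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin
sysadmin::::type=role;profiles=Device Management,Filesystem Management,Printer Management;roleauth=role'

PROF_ATTR='Device Management:RO::Control access to devices:auths=solaris.device.*;help=RtDeviceMngmnt.html
Printer Management:RO::Manage printers and spooling:auths=solaris.print.*;help=RtPrntAdmin.html'

EXEC_ATTR='Device Management:solaris:cmd:RO::/usr/sbin/rem_drv:uid=0
Device Management:solaris:cmd:RO::/usr/sbin/update_drv:uid=0
Network Management:solaris:cmd:RO::/usr/sbin/dladm:euid=dladm;egid=netadm;privs=sys_dl_config,net_rawaccess,proc_audit
Network Management:solaris:cmd:RO::/usr/bin/netstat:uid=0'

# attr_value DATA NAME FIELD KEY
#   In the DATA line whose first colon-separated field is NAME, split field
#   number FIELD (the ;-separated key=value attr field) and print the value
#   of KEY. Prints nothing when NAME or KEY is absent.
attr_value() {
    printf '%s\n' "$1" | awk -F: -v name="$2" -v f="$3" -v k="$4" '
        $1 == name {
            n = split($f, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], k "=") == 1) print substr(kv[i], length(k) + 2)
        }'
}

# user_roles USER    -> roles= list from the user's user_attr entry
# role_profiles ROLE -> profiles= list from the role's user_attr entry
# profile_auths PROF -> auths= list from the profile's prof_attr entry
user_roles()    { attr_value "$USER_ATTR" "$1" 5 roles; }
role_profiles() { attr_value "$USER_ATTR" "$1" 5 profiles; }
profile_auths() { attr_value "$PROF_ATTR" "$1" 5 auths; }

# profile_commands PROF
#   Print "command attrs" (exec_attr fields 6 and 7) for each entry of PROF.
profile_commands() {
    printf '%s\n' "$EXEC_ATTR" | awk -F: -v p="$1" '$1 == p { print $6 " " $7 }'
}

# role_commands USER
#   For every role USER may assume, list the commands its rights profiles
#   carry and the security attributes they run with, as
#   role:profile:command attrs. Profiles without exec_attr entries print nothing.
role_commands() {
    for r in $(user_roles "$1" | tr ',' ' '); do
        role_profiles "$r" | tr ',' '\n' | while IFS= read -r p; do
            profile_commands "$p" | while IFS= read -r c; do
                printf '%s:%s:%s\n' "$r" "$p" "$c"
            done
        done
    done
}

# Stand-alone run: what johndoe gains by assuming sysadmin.
echo "johndoe assumes: $(user_roles johndoe)"
role_commands johndoe
echo "Device Management authorizations: $(profile_auths 'Device Management')"
```

Run against real files, the same functions take /etc/user_attr, /etc/security/prof_attr and /etc/security/exec_attr as DATA; the useful review question is the one role_commands answers, namely which commands a role can run with uid=0 or extra privileges, and through which profile they arrived.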
In accordance with your company’s predeployment testing plan, you have been given the task of investigating how Oracle Solaris 11 supports process rights management and uses RBAC to grant appropriate privileges to users.
... through privileges.
a. True
b. False
Answer: a
... process execution?
a. E
b. I
c. P
d. L
Answer: a
a. user_attr
b. auth_attr
c exec_attr
c. exec attr
d. prof_attr
Answer: d
Answer: a
list the process privileges that are available to your shell using
ppriv $$.
# ps
PID TTY TIME CMD
990 pts/1 0:00 bash
993 pts/1 0:00 ps
# ppriv $$
990: bash
flags = <none>
E: all
I: basic
P: all
L: all
The ppriv command is used to inspect or modify process privilege sets and attributes. The
double dollar sign ($$) passes the process number of the parent shell to the command.
In the example, you run the ps command to see what processes are currently running and to
verify what shell you are using. Here you can see that you are using the bash shell. Next, you
run the ppriv $$ command. Again, you see that the shell is bash. There are no flags set,
the effective (E), permitted (P), and limit (L) privilege sets are all set to all, and the inherited
(I) privilege set is set to basic.
ppriv -v $$.
# ppriv -v $$
990: bash
flags = <none>
E: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,
dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,
<output omitted>
I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,
proc_info,proc_session
P: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,
dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,
<output omitted>
L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,
dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,
<output omitted>
Alternatively, you can use the -v option with the ppriv $$ command to display the names of
the privileges by privilege set, as shown in this example that contains partial output.
Take a closer look at the privileges in the inheritable (I) privilege set. The privileges listed
here indicate that you will be able to link to any file, read any file, and write any file. You will
have access to the network, which means you will be able to perform network configuration
tasks. In addition, you can execute any process, run a process in another subshell
(proc_fork), display information about any processes, and look at any session in the
process.
ppriv -v pid.
# ppriv -v 476
476: /usr/sbin/cron
flags = <none>
E: contract_event,contract_identity,contract_observer,cpc_cpu,
dtrace_kernel,dtrace_proc,dtrace_user,file_chown,
<output omitted>
I: file_link_any,file_read,file_write,net_access,proc_exec,
proc_fork,proc_info,proc_session
P: contract_event,contract_identity,contract_observer,
cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,
<output omitted>
L: contract_event,contract_identity,contract_observer,
cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,
<output omitted>
Use the ppriv -v command with the process ID number (PID). The example presents the
partial output for the cron process.
If you need to determine the definition of a privilege that is listed for a process, you can do so
by using the ppriv -vl command followed by the privilege name. There are two examples:
the first is for the contract_event privilege and the second is for the proc_exec privilege.
Now that you are more familiar with how to determine what privileges a process has, look at
how to manage user privileges, including how to assign privileges, limit privileges, and debug
privilege use.
The most secure way to manage privileges for users and roles is to confine the use of a
privilege to commands in a rights profile. The rights profile is then included in a role. The role
is assigned to a user. When the user assumes the assigned role, the privileged commands
are available to be run in a profile shell.
$ ppriv -v $$
990: bash
flags = <none>
E: file_link_any,proc_clock_highres,proc_session
I: file_link_any,proc_clock_highres,proc_session
P: file_link_any,proc_clock_highres,proc_session
L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,sys_time
$ ppriv -vl proc_clock_highres
Allows a process to use high resolution timers.
Note: The privileges that are listed in the effective set are in effect throughout your session. If
you have been directly assigned privileges in addition to the basic set, the privileges are listed
in the effective set.
In this example, the user always has access to the proc_clock_highres privilege. This
privilege allows a process to use high-resolution timers.
Note: To see the privileges that have been directly assigned to a role, you su to the role and
then run the ppriv -v $$ command just as you did for the user account.
use profiles.
$ profiles
Basic Solaris User
All
$ profiles -l
All
*
Basic Solaris User
/usr/bin/cdda2wav.bin
privs=file_dac_read,sys_devices,proc_priocntl,net_privaddr
/usr/bin/cdrecord.bin
privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
/usr/bin/readcd.bin
privs=file_dac_read,sys_devices,net_privaddr
When a user is not directly assigned privileges, the user obtains access to privileged
commands through a rights profile. Commands in a rights profile must be executed in a profile
shell. To determine which privilege commands you can use or run, you need to see which
rights profiles have been assigned to you. To do this, you use the profiles command. To
see more details about the privileges, you can use the profiles -l command.
Note: To see the details of a specific privilege, you use the profiles -l command with the
privilege name, as in this example:
$ profiles -l Basic Solaris User
To see what roles and authorization privileges you have, you use the roles and auth
commands, respectively, as in this example:
$ roles
No roles
$ auths
solaris.admin.wusb.read,solaris.device.cdrw,solaris.device.mount
.removable,solaris.mail.mailq,solaris.profmgr.read
loginname.
# usermod -K defaultpriv=basic,proc_clock_highres jjones
# getent user_attr | grep jjones
jjones::::type=normal;defaultpriv=basic,proc_clock_highres
To assign privileges to a role, use rolemod -K key=values
rolename.
# rolemod -K defaultpriv=basic,proc_clock_highres realtime
# getent user_attr | grep realtime
realtime::::type=role;defaultpriv=proc_clock_highres
You might want to assign a particular privilege to a user or role all the time. Very specific
privileges that affect a small part of the system are good candidates for assigning to a user or
role. To assign privileges to a user, you use the usermod -K command followed by the
key=value pair you want to assign and the user’s login name.
Note: The -K key=value option is used to replace or add to a user’s or role's key=value
pair attributes. See user_attr(4) for a list of valid key=value pairs.
In the example, you enable user jjones to use high-resolution timers by assigning the
proc_clock_highres privilege to his basic default privileges. The values for the
defaultpriv keyword replace the existing values. Therefore, for the user to retain the
basic privileges, the value basic must be specified. In the default configuration, all users
have basic privileges. To verify that the privilege has been assigned, you look at the
user_attr entry for jjones. Here you can see how the privileges have been modified.
To assign privileges to a role, the same logic applies. You use the rolemod -K command
followed by key=value pair you want to assign and the role name. In the role example, you
use the same example, changing the user to role as appropriate. The role name is
realtime.
limit set.
2. Remove one of the privileges from the basic set or from
the limit set.
3. Test that the user or role can still perform other assigned
functions as required.
# usermod -K limitpriv=all,!sys_linkdir jjones
# getent user_attr | grep jjones
jjones::::type=normal;defaultpriv=basic;limitpriv=all,!sys_linkdir
# rolemod -K limitpriv=all,!sys_linkdir realtime
# getent user_attr | grep realtime
realtime::::type=role;defaultpriv=basic;limitpriv=all,!sys_linkdir
There may be circumstances in which you want to limit the privileges that are available to a
user or role. You can do this by reducing the basic set or by reducing the limit set. However,
you should have a very good reason why you want to limit the privileges, because such
limitations can have unintended side effects. To limit the privileges of a user or role, follow the
steps listed in the slide.
Caution for step 2: Do not remove the proc_fork or the proc_exec privilege. Without
these privileges, the user cannot use the system. In fact, these two privileges are only
reasonably removed from daemons that do not fork() or exec() other processes.
Notes for step 3: You must thoroughly test any user’s or role’s capabilities where you have
modified the basic set or the limit set for a user or role. It is possible to prevent a user or role
from being able to use the system when the basic set is less than the default. When you
modify the limit set to be less than all privileges, it is possible for processes that need to run
with an effective UID=0 to fail.
In the first example, all sessions that originate from jjones’s initial login are prevented from
using the sys_linkdir privilege. After this change is implemented, the user jjones will no
longer be able to make hard links to directories or unlink directories even after he runs the su
command. The same scenario is used in the second example for a role.
The Oracle Solaris OS provides two tools to debug privilege failure: the ppriv debugging
command (ppriv -eD) and the truss command.
Note: The -e option with the ppriv command interprets the remainder of the arguments as a
command line and runs the command line with specified privilege attributes and sets. The -D
option turns on privilege debugging for the process or command supplied.
The steps for using the ppriv debugging command on a failed command or process are
listed in the slide.
In the example, ppriv -eD touch is being used to determine why the command
/etc/acct/yearly has failed. The output indicates that the missing privilege is
file_dac_write and provides the euid and system call information. To determine which
system call is failing, you take the syscall number from the debugging output and locate it in
the /etc/name_to_sysnum file. Here you can see that the system call create64 is failing.
When you know the missing privilege, you can assign it to the program as needed.
jjones:~$ ls -l useful.script
-rw-r--r-- 1 aloe staff 2303 Dec 15 10:10 useful.script
jjones:~$ chown objadmin useful.script
chown: useful.script: Not owner
jjones:~$ ppriv -eD chown objadmin useful.script
chown[11444]: missing privilege "file_chown"
(euid = 130, syscall = 16) needed at zfs_zaccess+0x258
chown: useful.script: Not owner
The ppriv command can debug privilege use in a profile shell. If you assign a rights profile
to a user, and the rights profile includes commands with privileges, the commands must be
entered in a profile shell. When the privileged commands are entered in a regular shell, the
commands do not execute with privilege.
In this example, the jjones user can assume the objadmin role. The objadmin role
includes the Object Access Management rights profile. This rights profile allows the
objadmin role to change permissions on files that objadmin does not own. In the example,
jjones’s attempt to change the permissions on the useful.script file fails. The user then
runs the ppriv debugging command to determine why the command failed and is shown that
the file_chown privilege is missing.
To fix this issue, you assign the file_chown privilege to the jjones user.
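As an added example (not part of the Oracle course material), the following POSIX shell helper parses the diagnostic line that ppriv -eD prints when a command fails for lack of a privilege, resolves the syscall number through a table in the layout of /etc/name_to_sysnum, and summarizes the distinct missing privileges across a whole debug log, so the administrator can decide what a rights profile actually needs. The debug lines and the table fragment are constructed; only the chown = 16 pairing is taken from the example above.

```shell
#!/bin/sh
# Added example, not part of the Oracle course material. Parses diagnostics in
# the form ppriv -eD prints when a command fails for lack of a privilege, and
# resolves the syscall number through a name_to_sysnum-style table.

# Constructed table fragment in the "name number" layout of /etc/name_to_sysnum.
# Only the chown/16 pair comes from the lesson's example output.
SYSNUM_TABLE='chown 16'

# Constructed debug lines in the layout shown in the lesson. The second line and
# its syscall number 999 are invented to exercise the unknown-syscall path.
DEBUG_LOG='chown[11444]: missing privilege "file_chown" (euid = 130, syscall = 16) needed at zfs_zaccess+0x258
touch[12001]: missing privilege "file_dac_write" (euid = 130, syscall = 999) needed at constructed_frame+0x0'

# Quoted privilege name from one diagnostic line; prints nothing if absent.
missing_priv() {
    printf '%s\n' "$1" | sed -n 's/.*missing privilege "\([^"]*\)".*/\1/p'
}

# Syscall number from one diagnostic line; prints nothing if absent.
syscall_num() {
    printf '%s\n' "$1" | sed -n 's/.*syscall = \([0-9][0-9]*\).*/\1/p'
}

# Syscall name for a number, looked up in the table; "unknown" when not listed.
syscall_name() {
    name=$(printf '%s\n' "$SYSNUM_TABLE" | awk -v n="$1" '$2 == n { print $1; exit }')
    printf '%s\n' "${name:-unknown}"
}

# One-line report "<command> <privilege> <syscall-number> <syscall-name>" for a
# diagnostic line; returns 1 for a line that is not a privilege diagnostic.
privdebug_report() {
    cmd=${1%%\[*}
    priv=$(missing_priv "$1")
    num=$(syscall_num "$1")
    [ -n "$priv" ] && [ -n "$num" ] || return 1
    printf '%s %s %s %s\n' "$cmd" "$priv" "$num" "$(syscall_name "$num")"
}

# Distinct privileges reported missing across a whole debug log read from stdin,
# sorted: the list to review before adding anything to a rights profile.
missing_privs_summary() {
    while IFS= read -r line; do
        missing_priv "$line"
    done | LC_ALL=C sort -u
}

# Report each constructed diagnostic, then the summary.
printf '%s\n' "$DEBUG_LOG" | while IFS= read -r line; do privdebug_report "$line"; done
printf '%s\n' "$DEBUG_LOG" | missing_privs_summary
```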
The truss command can debug privilege use in a regular shell, as shown in the example,
where you are using the truss command to debug the failing touch process.
The practices for this lesson are designed to reinforce the concepts that have been presented
in the lecture portion. These practices cover the following tasks:
• Practice 8-1: Delegating privileges to users and processes
• Practice 8-2: Configuring role-based access control
Practice 8-1 should take you about 30 minutes to complete.
• Creating a role
• Creating, cloning, or changing a rights profile
• Assigning a rights profile to a role
• Assigning a role to a user
• Assuming a role
• Restricting an administrator to explicitly assigned rights
• Assigning a rights profile to a user
• Delegating authorization to a user
• Assigning authorization to a role
• Modifying a system-wide RBAC policy
To create a role, you use the roleadd command combined with one or more options. The
more common options are as follows:
• -u uid: Specifies the user ID of the new role
• -g gid: Specifies an existing group's integer ID or character-string name
• -m: Creates the new role’s home directory if it does not already exist
• -d dir: Specifies the home directory of the new role
• -c comment: Text string that provides a short description of the role
• -P profile: Assigns rights profiles to the role. Use commas (,) to separate multiple
rights profiles.
• rolename: Name of the new role. For restrictions on acceptable strings, see the
roleadd (1M) man page.
Note: To create a role, you must be an administrator with the User Management rights profile.
To assign a password to the role, you must be assigned the User Security rights profile.
prof_attr files, so there is no need to add an entry for these profiles in these two files.
However, if you had created a new rights profile, you would need to make a new entry in the
prof_attr file. You will look at how to do that next.
The changes to the /etc/passwd, /etc/shadow, and user_attr files are shown in the
example. The type of this account is role (type=role) and includes the rights profiles
Printer Management, Media Backup, and Media Restore.
In this example, the administrator creates a rights profile for Sun Ray users in the LDAP
repository. The administrator has already created a Sun Ray version of the Basic Solaris User
rights profile, and has removed all rights profiles from the policy.conf file on the Sun Ray
server. The administrator verifies the contents.
• To enhance an existing rights profile:
a. Create a new profile.
b. Add the existing rights profile as a supplementary rights profile.
c. Add the enhancements.
• To remove content from an existing rights profile, clone the
profile, rename it, and then modify it.
2. Continue to modify the new rights profile by adding or
removing supplementary rights profiles, authorizations,
and other security attributes.
The rights profiles that Oracle Solaris provides are read-only. You can clone a provided rights
profile for modification if its collection of security attributes is insufficient. For example, you
might want to add the solaris.admin.edit/path-to-system-file authorization to a
provided rights profile.
In this example, the administrator adds several solaris.admin.edit authorizations to a site
IPsec Management rights profile. The administrator verifies that the Network IPsec
Management rights profile cannot be modified. Then, the administrator creates a rights profile
that includes the Network IPsec Management profile. The administrator verifies the contents.
To assign a rights profile to a role, use the rolemod command. The rolemod command
changes the definition of the specified role and makes the appropriate login-related changes
to the system file and file system.
Note: The rolemod command modifies the entry for the specified role in the /etc/passwd,
/etc/shadow, and user_attr files.
You can use the following options with the rolemod command:
• -e expire: Date a role expires. Use this option to create temporary roles.
• -l new_logname: Specifies the new login name for the role
• -P profile: Specifies one or more comma-separated rights profiles, as defined in the
prof_attr file
• -s shell: Login shell for rolename. This shell must be a profile shell.
• rolename: Name of the role you are modifying
In the example, the profile1 and profile2 profiles and the /usr/bin/pfksh profile
shell are assigned to the role named level1.
A user can have access to many roles. The useradd command can be used to define which
roles a new user has access to. To add roles to an existing user account, you use the
usermod command as shown in the steps displayed in the slide.
Notes for step 2: If you are assigned the User Security rights profile, you can create the
password. Otherwise, a user who is assigned the role must create it by using the su -
rolename command. Typically, because a role account is assigned to more than one user,
the superuser creates a role password and provides the users with the password.
Note: To remove all role access from a user account, you use the usermod command with
the -R “” option followed by the user login name.
# roles
sysadmin,oper,primaryadm
# su - sysadmin
Password: <Type sysadmin password>
$ /usr/ucb/whoami
Sysadmin
$ ppriv $$
950: bash
flags = <none>
E: basic
I: basic
P: basic
L: all
You can use the steps listed in the slide to assume a role.
Notes for step 4: In contrast to the root role, the System Administrator role has the basic
set of privileges in its effective (E) set.
In the example shown in the slide, you first determine which role you can assume. You then
assume the role of System Administrator. You then verify that you have assumed the System
Administrator role. Your final step is to view the capabilities for your role, which (as you can
see) are all basic except for the limit (L) privilege set, which by default is all.
Note: The command prompts displayed might differ based on the shell you are using.
You can restrict a role or user to a limited number of administrative actions in two ways.
• You can use the Stop rights profile. The Stop rights profile is the simplest way to create
a restricted shell. The authorizations and rights profiles that are assigned in the
policy.conf file are not consulted. In the default configuration, the role or user is not
assigned the Basic Solaris User rights profile, the Console User rights profile, or the
solaris.device.cdrw authorization.
• You can modify the policy.conf file on a system, and require the role or user to use
that system for administrative tasks.
The rolemod -P command is used with the Stop rights profile, as shown in the example.
This command is especially useful if you have many profiles assigned to a role and you want
to limit the role to only a few profiles.
# profiles chris
The rights profiles assigned to a user can be listed with the profiles command. Every
account has the All rights profile. It allows any command to be executed but with special
security attributes.
Note: Other rights profiles given to all new user accounts are defined in the
/etc/security/policy.conf file.
To assign a rights profile to a user, you use the usermod command. This example shows the
Printer Management rights profile being assigned to the chris user account. If you run the
profiles command again for the user, you can see that the Printer Management rights
profile has been added.
The usermod command automatically updates the user_attr file for the specified user, as
shown in the example. The new line for the user chris shows the new profile assignment.
You can examine the contents of a rights profile with the -l option of the profiles
command. The individual commands in the rights profile can be seen, along with the special
security attributes with which they are executed. This example shows the user chris being
able to enable and disable a printer.
-A authorization loginname.
2. Verify that an entry has been made in the user_attr file
for the user.
3. View the authorizations for the user by using the auths
command.
Authorizations can be assigned to user accounts. Authorizations can also be assigned to
roles or embedded in a rights profile that can be assigned to a user or role.
To delegate an authorization to a user, you use the usermod command with the -A option,
the authorization, and the user login name.
Note: Only a user or role who has grant rights to the authorization can assign it to an account.
The roleadd command automatically updates the user_attr file.
To verify that the authorization has been assigned to the user, you can check the user_attr
file. You can also use the auths command for the user to see if the authorization is listed in
the entry.
# su - chris
In this example, a regular user is not permitted to look at another user’s crontab file.
To grant the user authorization to manage the other user’s crontab file, you use the
usermod command with the -A option to add an authorization. The user_attr file is
automatically modified with this new information. The chris account is a normal user
account (type=normal). You can see in the user_attr file that chris has had the
solaris.jobs.admin authorization and the Printer Management rights profile added
previously. Next, you use the auths command to see the authorizations assigned to chris.
With this authorization, chris can now view or modify other users’ crontab files.
“authorization” rolename.
2. Verify that an entry has been made in the user_attr file
for the role.
3. View the authorizations for the role by using the auths
command.
# rolemod -A "solaris.admin.usermgr.*" level2
# auths level2
solaris.admin.usermgr.*
If a large number of user accounts require the same configuration and management of
authorizations, it can be easier to assign the authorizations to a role and give the users
access to the role. You can assign the authorization to the role by using the rolemod -A
command. The steps for completing this task are listed in the slide.
Note: The rolemod command automatically updates the user_attr file.
In the example, the solaris.admin.usermgr.* authorization is being assigned to the
level2 role. You use the auths command to verify that the authorization has been assigned
to the role.
basic user.
2. Using a text editor, modify the PRIV_DEFAULT=basic
default entry and reboot the system.
3. As a user, test the modification.
# vi /etc/security/policy.conf
# grep PRIV_DEFAULT /etc/security/policy.conf
# There are two different settings; PRIV_DEFAULT determines the default
# Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
PRIV_DEFAULT=basic,!proc_info,!proc_session
# init 6
<log in to the system>
# su - jjones
Oracle Corporation SunOS 5.11 11.0 November 2011
jjones:~$ ps -A -o user -o pid -o comm | more
USER PID COMMAND
jjones 1941 ps
jjones 1935 -bash
The /etc/security/policy.conf file establishes a system-wide RBAC policy. There are
two different settings for the system-wide policy: PRIV_DEFAULT, which determines the
default, and PRIV_DEFAULT=basic,!file_link_any, which can be used to modify the
default. The default is set to PRIV_DEFAULT=basic. You can modify this file to deny non-
administrative users specific privileges. The steps for performing this task are listed in the
slide.
The example shows how to deny a non-administrative user the privilege to look at the
processes of other users. You edit the PRIV_DEFAULT=basic entry as follows:
PRIV_DEFAULT=basic, !proc_info, !proc_session
For the changes to the policy to take place, you reboot the system. After you log back in to the
system, you su to the jjones user account and issue the command to access the
processes. The only processes the user can display are the user’s own processes.
Note: The -A and -o options used in the ps command are telling the system to write
information for all processes in the specified format, which in the example is by user, pid,
and command.
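As an added example (not part of the Oracle course material), the following POSIX shell script models how the privilege specifications written after defaultpriv=, limitpriv= (the usermod -K and rolemod -K examples earlier in this lesson) and PRIV_DEFAULT= (the policy.conf example above) expand into a set, reads such values back out of a user_attr entry and out of policy.conf text while skipping the comment lines that grep also matches, and flags the two pitfalls the notes describe: leaving out the basic keyword, which the replace semantics of -K turns into a loss of the whole basic set, and removing proc_fork or proc_exec. The basic set is the one ppriv -v showed earlier in the lesson; the stand-in for all and the sample entries are constructed.

```shell
#!/bin/sh
# Added example, not part of the Oracle course material. Models the privilege
# specifications written after defaultpriv=, limitpriv= and PRIV_DEFAULT= and
# flags the pitfalls this lesson warns about.

# Basic set as listed in the inheritable (I) set by ppriv -v earlier in this lesson.
BASIC_PRIVS="file_link_any file_read file_write net_access proc_exec proc_fork proc_info proc_session"
# Constructed stand-in for "all": a real system carries many more privileges;
# only names that appear in this lesson are included.
ALL_PRIVS="$BASIC_PRIVS file_chown file_dac_read file_dac_write proc_clock_highres sys_linkdir sys_time"

# Constructed sample data in the formats shown in the lesson.
USER_ATTR_JJONES='jjones::::type=normal;defaultpriv=basic;limitpriv=all,!sys_linkdir'
POLICY_CONF='# constructed fragment of /etc/security/policy.conf
# There are two different settings; PRIV_DEFAULT determines the default
# Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
PRIV_DEFAULT=basic,!proc_info,!proc_session'

# Expand a comma-separated specification left to right: "basic" and "all" add
# their sets, "!name" removes one privilege, any other token adds one.
# Prints the resulting set, one privilege per line, sorted; nothing if empty.
expand_privspec() {
    result=""
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case $tok in
            basic) result="$result $BASIC_PRIVS" ;;
            all)   result="$result $ALL_PRIVS" ;;
            "!"*)  drop=${tok#?}
                   result=$(for p in $result; do [ "$p" = "$drop" ] || printf '%s ' "$p"; done) ;;
            *)     result="$result $tok" ;;
        esac
    done
    set -- $result
    [ $# -gt 0 ] || return 0
    printf '%s\n' "$@" | LC_ALL=C sort -u
}

# Value of one key (for example defaultpriv) from a user_attr entry; the
# attributes live in the fifth colon-separated field, separated by semicolons.
user_attr_key() {
    printf '%s\n' "$1" | cut -d: -f5 | tr ';' '\n' | sed -n "s/^$2=//p"
}

# Effective PRIV_DEFAULT= value from policy.conf text on stdin. The comment
# lines that grep also matches are skipped; only an uncommented setting counts.
policy_priv_default() {
    sed -n 's/^[[:space:]]*PRIV_DEFAULT=//p' | tail -n 1
}

# Report the pitfalls from the lesson notes, one line each; prints nothing when
# the specification is safe. $1 is the keyword, $2 the specification.
privspec_warnings() {
    keyword=$1; spec=$2
    set_lines=$(expand_privspec "$spec")
    case $keyword in
        defaultpriv|PRIV_DEFAULT)
            # -K defaultpriv= replaces the existing value, so basic must be named explicitly.
            case ",$spec," in
                *,basic,*) ;;
                *) echo "WARN: $keyword omits 'basic'; the user or role loses the basic set" ;;
            esac ;;
        limitpriv)
            # A limit set below all can make processes that need euid 0 fail.
            set -- $ALL_PRIVS
            [ "$(printf '%s\n' "$set_lines" | grep -c .)" -ge "$#" ] ||
                echo "WARN: limit set is below all; processes that must run with euid 0 may fail" ;;
    esac
    # Without proc_fork and proc_exec the account cannot use the system at all.
    for need in proc_fork proc_exec; do
        printf '%s\n' "$set_lines" | grep -qx "$need" ||
            echo "WARN: $need removed; the user or role will not be able to use the system"
    done
}

# Walk the lesson's settings plus the mistake of leaving out the basic keyword.
privspec_warnings defaultpriv "$(user_attr_key "$USER_ATTR_JJONES" defaultpriv)"
privspec_warnings limitpriv "$(user_attr_key "$USER_ATTR_JJONES" limitpriv)"
privspec_warnings PRIV_DEFAULT "$(printf '%s\n' "$POLICY_CONF" | policy_priv_default)"
privspec_warnings defaultpriv proc_clock_highres
```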
This practice should take you about 30 minutes to complete.
Securing System Resources
by Using Oracle Solaris Auditing
Objectives
[Job workflow diagram; labels: AI installation, monitoring, resource evaluation, data storage, processes, network configuration, enterprise datacenter network virtualization, services, privileges, auditing]
Before you begin the lesson, take a moment to orient yourself in your job workflow. You have
successfully installed the operating system and have updated it. You have configured the data
storage environment as well as the physical and virtual networks. You have also ensured that
all the system services are up and running and that both users and processes have been
granted the appropriate level of privilege. In order to monitor proper use of business
resources and assigned privileges, the Oracle Solaris 11 OS provides several security
features, one of which is the Oracle Solaris audit service. It is the system administrator’s
responsibility to configure, administer, and manage this service.
As with all companies, your company is concerned with ensuring that their system resources
are kept secure. As part of investigating ways to keep the system resources secure, your
Cic company wants to evaluate the Oracle Solaris auditing service. By using the audit service,
your company hopes to be able to monitor and record specific, security-related events. They
also want to be able to detect suspicious activities by reviewing patterns of access and
access histories as well as discover attempts to circumvent the protections that have been put
in place to safeguard the system. In short, they want to keep a log of what was done, when it
was done, by whom, and what was affected.
Your company recognizes that setting up auditing takes a considerable amount of planning
and as a result
and, result, they have put together a plan that addresses each of the requirements listed
in the slide. As the system administrator responsible for configuring, administering, and
managing the Oracle Solaris audit service, you will need this information to do your job.
In this topic you are introduced to Oracle Solaris auditing and shown how the audit service
addresses each of these requirements.
Oracle Solaris auditing is a service. The audit service is controlled by the audit daemon, auditd, and is enabled by default.
Note: The audit daemon controls the generation and location of audit trail files and the generation of syslog messages based on its configuration.
When the audit service is first enabled, the following defaults are provided:
• All login events are audited. Both successful and unsuccessful login attempts are
audited.
Note: An event is a security-related system action that is audited.
• All users are audited for login, logout, and role assumption events.
• The audit_binfile plug-in is active. The /var/audit directory stores audit records,
the size of an audit file is not limited, and the queue size is 100 records.
Note: An audit plug-in is a module that transfers the audit records in the audit queue to
a specified location. The audit_binfile plug-in creates binary audit files (the audit
trail). The audit trail is a collection of one or more audit files that store the audit data
from all systems that run the audit service by using the default plug-in,
audit_binfile. You will learn more about the audit plug-ins later in this lesson.
[Slide figure: the audit queue feeds three plug-ins: audit_binfile writes the audit file, audit_remote sends records to a remote audit server, and audit_syslog writes a text summary to local syslog storage.]
The auditing process begins when a specified, security-related audit event occurs that generates an audit record.
Note: The most common audit events are:
• System startup and system shutdown
• Login and logout
• Process creation or process destruction, or thread creation or thread destruction
• Opening, closing, creating, destroying, or renaming of objects
• Use of privilege capabilities or RBAC
• Identification and authentication actions
• Permission changes by a process or user
• Administrative actions, such as installing a package
• Site-specific applications
Now that you have a high-level understanding of how Oracle Solaris auditing works, take a
closer look at each part of the process, beginning with audit events.
number:name:description:flags
As discussed, audit events represent auditable actions on a system. Audit events are listed in the /etc/security/audit_event file. The /etc/security/audit_event file entry format is shown in the slide. Each entry in the file contains four fields, with a colon separating each field. Each event appears on its own line. The following is the format for an entry:
number:name:description:flags
The description and requirement for each field are as follows:
• number: Event number. Event number ranges are assigned as follows:
- 0: Reserved as an invalid event number
- 1 – 2047: Reserved for the Solaris Kernel events
- 2048 – 6143: Reserved for user-level audit events
- 6000 – 7999: Allocated for Solaris user-level audit events, includes SMF-related,
ilbd, netcfgd, TCSD, and hotplugd events
- 9035 – 9201: Reserved for the Solaris Trusted Extensions events
• name: Event name
AUE_logout, tracks when a user logs out of the system. lo is the audit_class designation for
login or logout. The second event example, AUE_reboot_solaris, tracks when a user
reboots the operating system. ss is the audit_class designation for a change in the system
state. The third event example, AUE_prof_cmd, tracks when a user executes the profile
command. ua and as are the audit_class designations for user administration and system-wide administration respectively. The last event example, AUE_create_user, tracks when a user executes the user create command. The no audit_class designation indicates that this is an invalid class, and any event mapped solely to this class will not be audited.
• Synchronous: Events associated with a process in the system
• Asynchronous: Events not associated with any process, so no process is available to be blocked and later woken up
• Attributable: Events attributed to a user. All attributable events are synchronous events.
• Non-attributable: Events that occur at the kernel-interrupt level or before a user is authenticated. Most non-attributable events are asynchronous events.
Oracle Solaris auditing handles these types of events:
• Synchronous: Events that are associated with a process in the system. Synchronous events are the majority of system events.
• Asynchronous: Events that are not associated with any process, so no process is
available to be blocked and later woken up. Initial system boot and PROM enter and exit
events are examples of asynchronous events.
• Attributable: Events that can be attributed to a user. The execve() system call can be
attributed to a user, so the call is considered an attributable event. All attributable events
are synchronous events.
• Non-attributable: Events that occur at the kernel-interrupt level or before a user is
authenticated. The na audit class handles audit events that are non-attributable. For
example, booting the system is a non-attributable event. Most non-attributable events
are asynchronous events. However, non-attributable events that have associated
processes, such as failed login, are synchronous events.
mask:name:description
Each audit event belongs to an audit class or classes. Audit classes are convenient containers for large numbers of audit events. Audit classes are defined in the /etc/security/audit_class file. The /etc/security/audit_class file entry format is shown in the slide. Each entry in the file contains three fields, with a colon separating each field. The following is the format for an entry:
mask:name:description
The description and requirement for each field are as follows:
• mask: Class mask
• name: Class name
• description: Class description
Each class is represented as a bit in the class mask, which is an unsigned integer. There are
32 different classes available. Meta-classes can also be defined. You can have supersets
composed of multiple base classes, which will have more than 1 bit in the mask.
trails files.
The examples show the audit classes that you saw associated with the previous audit event examples: login or logout (lo), change system state (ss), user administration (ua), system-wide administration (as), and invalid class (no). An example of the all audit class is also included.
The default list of audit classes as they appear in the /etc/security/audit_class file is shown in the slide.
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00070000:am:administrative (meta-class)
0x00080000:aa:audit utilization
0x000f0000:ad:old administrative (meta-class)
0x00100000:ps:process start/stop
0x00200000:pm:process modify
0x00300000:pc:process (meta-class)
0x00400000:xp:X - privileged/administrative operations
0x00800000:xc:X - object create/destroy
0x01000000:xs:X - operations that always silently fail, if bad
0x01c00000:xx:X - all X events (meta-class)
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000:ot:other
0xffffffff:all:all classes (meta-class)
A continuation of the default audit classes is shown in the slide.
• Preselection is the choice of which audit classes to monitor.
• Preselected audit class events are collected in the audit queue.
• You can preselect events that specify:
– System-wide auditing defaults (system-wide audit mask)
– Exceptions for individual users (user-specific audit mask)
• When combined, these preselections constitute the process preselection mask.
Preselection is the choice of which audit classes to monitor. The audit events of preselected audit classes are collected in the audit queue. Audit classes that are not preselected are not audited, so their events do not appear in the queue. For example, when you preselect the ps and na audit classes, execve() system calls and system boot actions, among other events, are recorded.
You can specify system-wide auditing defaults (referred to as the system-wide audit mask) by
preselecting events on a system, and you can specify exceptions to the system-wide auditing
defaults for individual users by preselecting events initiated by a particular user (referred to as
the user-specific audit mask). When combined, these preselections constitute the process
preselection mask.
When a user logs in, the login process combines the preselected classes
to establish the process preselection mask for the user’s processes. The process preselection
mask specifies whether events in each audit class are to generate audit records.
Note: After the audit service is enabled, you can change the preselections.
You are shown how to modify the preselection mask later in this lesson.
Each audit record records the occurrence of a single audited event. The record includes information such as who did the action, which files were affected, what action was attempted, and where and when the action occurred.
The type of information that is saved for each audit event is defined by a set of audit tokens.
Each time an audit record is created for an event, the record contains some or all of the
tokens that are defined for the event. The nature of the event determines which tokens are
recorded.
An audit record always begins with a header token. The header token indicates where the
audit record begins in the audit trail. In the case of attributable events, the subject and the
process tokens refer to the values of the process that caused the event. In the case of non-attributable events, the process token refers to the system. Each audit token has a token type
identifier, which is followed by data that is specific to the token. Each token type has its own
format.
Note: For a listing of the audit token formats, see the “Oracle Solaris Auditing (Reference)”
chapter in Oracle Solaris Administration: Security Services.
As discussed earlier, an audit plug-in is a module that transfers an audit record from the audit queue to a specified location. The Oracle Solaris audit service provides the following plug-ins:
• audit_binfile: Handles delivery of an audit record from the audit queue to the binary audit files.
• audit_remote: Handles secure delivery of binary audit records from the audit queue
to a configured remote server. The audit_remote plug-in uses the libgss() library
to authenticate the server. The transmission is protected for privacy and integrity.
• audit_syslog: Handles delivery of selected records from the audit queue to the
syslog log.
You can configure the systems at your site to use binary mode locally, to send binary files to a
remote repository, to use syslog mode, or to use any combination of these modules.
However, at least one plug-in must be active. By default, the audit_binfile plug-in is
active.
Note: You are shown how to configure plug-ins in the next topic.
Audit Trail
Audit records are stored in audit logs (also called audit files). In turn, audit files are stored in audit directories. The contents of all audit directories comprise the audit trail. The audit trail requires dedicated file space. This space must be available and secure. A best practice is to configure several audit directories for audit files.
Audit files are stored in audit directories in the following order:
• Primary audit directory: A directory where the audit files for a system are placed under
normal conditions. The ZFS files are used for the primary audit directory. You will be
shown how to set this up later in this lesson.
• Secondary audit directories: Directories where the audit files for a system are placed if the primary audit directory is full or not available.
A directory is not used until a directory that is earlier in the list is full.
You are shown how to manage the audit files later in this lesson.
Audit Remote Server (ARS) is the counterpart of the audit_remote(5) plug-in. Data sent by the audit_remote plug-in can be captured, processed, and stored by the server according to its configuration.
It is necessary to configure ARS before it can be used to process a remote audit trail. ARS configuration is twofold:
• The underlying security mechanisms used for secure audit data transport have to be configured (a Kerberos realm with specific audit principals and a GSS-API mechanism). See the audit_remote man page.
• The audit remote subsystem has to be configured.
The ARS configuration is divided between the configuration of server and group. The server configuration allows changing common ARS parameters, while the group keyword allows configuration of connection groups (sets of hosts sharing the same local storage parameters).
By default, most audit policy options are disabled to minimize storage requirements and system processing demands. These options are stored as properties of the audit service and determine the policy options that are in effect at system boot or when the service is restarted.
You can display a list of available policy options by running the auditconfig -lspolicy
command, as shown in this example.
The following policies add tokens to audit records: arge, argv, group, path, seq, trail,
windata_down, windata_up, and zonename. The windata_down and windata_up
policies are used by the Trusted Extensions feature of Oracle Solaris.
The remaining policies do not add tokens. The ahlt and cnt policies determine what
happens when audit records cannot be delivered, the public policy limits auditing of public
files, and the perzone policy establishes separate audit queues for non-global zones.
Note: For a description of each policy option and how each option affects the audit service,
see the “Determining Audit Policy” section in Oracle Solaris Administration: Security Services.
It is now time to implement the Oracle Solaris auditing plan. Your assignment is to configure the audit service and logs as well as set up the audit service in both the global zone and non-global zones. You will then administer the audit service. Your final task will be to manage the audit records.
daemon, auditd.
a. True
b. False
Answer: a
a. True
b. False
Answer: a
a. audit_binfile
b. audit_remote
c. audit_syslog
Answer: a
a. True
b. False
Answer: a
Answer: c
a. all
b. cnt
c. none
d. zonename
Answer: b
Before you enable auditing on your network, you can modify the defaults to satisfy your site auditing requirements. Best practice is to customize your audit configuration as much as possible before the first users log in.
If you have implemented zones, you can choose to audit all zones from the global zone.
Alternatively, to audit non-global zones individually, you can set the perzone policy in the
global zone. In the perzone configuration, each non-global zone administrator manages
auditing in their non-global zone.
Notes for step 6: By default, users are audited for the system-wide settings only.
# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
# auditconfig -getplugin
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=0;
Plugin: audit_syslog (inactive)
Attributes: p_flags=;
Plugin: audit_remote (inactive)
Attributes: p_hosts=;p_retries=3;p_timeout=5;
In the example shown in the slide, you are looking at the defaults on an unconfigured system with regards to the audit service configuration. The first thing you do is look at the preselected classes for attributable events.
Note: lo is the flag for the login/logout audit class. The format of the mask output is
(success,failure).
Next, you are looking at the preselected classes for non-attributable events.
Note: To see which events are assigned to a class, and therefore which events are being
recorded, you can run the auditrecord -c class command.
Your next step is to look at the default policy.
Note: The configured policy is a property of the audit service and is restored when you restart
the audit service. The active policy is the policy that is currently used by the kernel, but is not
a property of the audit service.
Next, you look at the default settings for the audit plug-ins. The audit_binfile plug-in is
active by default.
$ auditconfig -getqctrl
Next, you look at the audit queue controls. The active policy is the policy that is currently used by the kernel. The string no configured indicates that the system is using the default settings.
The final default configuration you look at is the audit_flags settings for existing users. First, you run the who command to see who is on the system, and then you run the userattr audit_flags command for each user.
To configure systemwide auditing for attributable and non-attributable events, you use the auditconfig command, as shown in the steps in the slide.
Cic Notes for step 1: See steps 1 and 2 from the previous task for how to use these commands
to view the current preselected classes.
Notes for step 2b: The auditconfig -set*flags commands do not add classes to the
current kernel defaults. These commands replace the kernel defaults, so you must specify all
classes that you want to preselect.
In the example in the slide, the events in the three classes are being audited for success and
for failure. The second command in the example audits the events in the na class, and the
login events that are not attributable. lo and na are the only legal arguments to the -
setnaflags option.
audit_flags=fw:no loginname.
2. To set audit flags for a rights profile, use profiles -K audit_flags=fw,as:no “Profile_Name“.
# auditconfig -getflags
active user default audit flags = ss,lo(0x11000,0x11000)
configured user default audit flags = ss,lo(0x11000,0x11000)
# usermod -K audit_flags=pf:no jjones
# userattr audit_flags jjones
pf:no
Audit class preselections for each user are specified by the audit_flags keyword and are stored in the user_attr database and prof_attr database. These definitions, plus the preselected classes for the system, determine the user’s audit mask. Follow the steps listed in the slide to configure the audit characteristics for a user.
Notes for step 1: The format of the audit_flags keyword is always-audit:never-audit, as follows:
• always-audit: Lists the audit classes that are exceptions for this user. Exceptions to the system-wide classes are prefixed by a caret (^). Added classes are not prefixed by a caret.
• never-audit: Lists the audit classes that are never audited for the user, even if these audit events are audited system-wide. Exceptions to the system-wide classes are prefixed by a caret (^).
To specify multiple audit classes, you separate the classes with commas.
Notes for step 2: When you assign the rights profile to a user or a role, that user or role is
audited for those flags.
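The audit_class mask arithmetic, the (success,failure) mask pair that auditconfig -getflags prints, the always-audit:never-audit form of the audit_flags keyword, and the event-to-class lookup that auditrecord -c performs, worked through as an added example (not code from the course or from Oracle; the two file excerpts are constructed from the entries shown on this page, and the '+' and '-' prefixes are taken from audit_flags(5), which the text does not cover):

```python
"""Oracle Solaris audit preselection: audit_class masks, the audit_flags
keyword (always-audit:never-audit) and audit_event class lists.

Added example, not code from the course or from Oracle. Both file excerpts are
constructed from entries on this page: lo/ss masks come from the auditconfig
output (lo = 0x1000, ss,lo = 0x11000), pf is the class the slide creates, and
event numbers other than 116 (AUE_PFEXEC) are illustrative."""

# Constructed excerpt of /etc/security/audit_class (mask:name:description).
AUDIT_CLASS = """\
0x00000000:no:invalid class
0x00001000:lo:login or logout
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00100000:ps:process start/stop
0x08000000:pf:profile command
0x40000000:ex:exec
0xffffffff:all:all classes (meta-class)
"""

# Constructed excerpt of /etc/security/audit_event (number:name:description:flags).
AUDIT_EVENT = """\
# comment and blank lines are ignored
6153:AUE_logout:logout:lo
116:AUE_PFEXEC:execve(2) with pfexec enabled:ps,ex,ua,as
6999:AUE_CONSTRUCTED_unmapped:mapped only to the invalid class:no
"""

def _entries(text):
    """Yield non-comment, non-blank lines of a colon-separated audit file."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def parse_audit_class(text):
    """Return {class_name: mask} from audit_class-format lines."""
    classes = {}
    for line in _entries(text):
        mask, name, _description = line.split(":", 2)
        classes[name] = int(mask, 16)
    return classes

def parse_audit_event(text):
    """Return [(number, name, [class, ...])] from audit_event-format lines."""
    events = []
    for line in _entries(text):
        number, name, _description, flags = line.split(":", 3)
        events.append((int(number), name, flags.split(",") if flags else []))
    return events

def apply_flags(spec, classes, success=0, failure=0):
    """Apply a comma-separated class list to a (success, failure) mask pair,
    the pair that auditconfig prints as 'lo(0x1000,0x1000)'. Prefixes follow
    audit_flags(5): none = both halves, '+' success only, '-' failure only,
    '^' removes both halves, '^+' / '^-' remove one half."""
    for item in filter(None, spec.split(",")):
        remove = item.startswith("^")
        body = item[1:] if remove else item
        half = body[:1] if body[:1] in ("+", "-") else ""
        name = body[len(half):]
        if name not in classes:
            raise ValueError(f"unknown audit class: {name!r}")
        bit = classes[name]
        if remove:
            if half != "-":
                success &= ~bit
            if half != "+":
                failure &= ~bit
        else:
            if half != "-":
                success |= bit
            if half != "+":
                failure |= bit
    return success & 0xFFFFFFFF, failure & 0xFFFFFFFF

def preselection_mask(system_flags, user_audit_flags, classes):
    """Combine the system-wide mask with a user's audit_flags keyword:
    always-audit adds classes (or removes them with '^') relative to the
    system-wide classes, then never-audit classes are removed regardless."""
    success, failure = apply_flags(system_flags, classes)
    always, _, never = user_audit_flags.partition(":")
    success, failure = apply_flags(always, classes, success, failure)
    never_spec = ",".join("^" + n.lstrip("^") for n in never.split(",") if n)
    return apply_flags(never_spec, classes, success, failure)

def format_flags(success, failure, classes):
    """Render a mask pair as auditconfig -getflags does, e.g.
    'ss,lo(0x11000,0x11000)': base (single-bit) classes, highest bit first."""
    selected = success | failure
    names = [n for n, m in classes.items()
             if m and (m & (m - 1)) == 0 and selected & m]
    names.sort(key=lambda n: classes[n], reverse=True)
    return f"{','.join(names)}({success:#x},{failure:#x})"

def recorded_events(success, failure, events, classes):
    """Names of events the mask records: an event is audited when any of its
    classes is preselected, so one mapped only to 'no' (mask 0) never is."""
    selected = success | failure
    return [name for _number, name, flags in events
            if any(classes[f] & selected for f in flags)]
```

preselection_mask("ss,lo", "pf:no", parse_audit_class(AUDIT_CLASS)) reproduces the slide's jjones case (system-wide ss,lo plus usermod -K audit_flags=pf:no), and recorded_events over the constructed audit_event excerpt shows why AUE_PFEXEC is not recorded until it is remapped to pf.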
-getpolicy.
2. View the available policy options by using auditconfig -lspolicy.
3. Enable or disable selected audit policy options by using auditconfig [ -t ] -setpolicy [prefix]policy[,policy...].
The audit l
onpolicy determines the characteristics of the audit records for the local host. You can
R
ro change, and temporarily change audit policies with the auditconfig command.
inspect,
C iceFollow the steps listed in the slide to modify the audit policy.
Notes for step 3: The options for the auditconfig [ -t ] -setpolicy command are as
follows:
• -t: Creates a temporary, or active, policy. The policy setting is not restored when you
restart the audit service. This option is optional.
• prefix: A prefix value of + adds the list of policies to the current policy. A prefix
value of - removes the list of policies from the current policy. Without a prefix, the audit
policy is reset.
• policy: Selects the policy to be enabled or to be disabled.
A temporary policy is in effect until the audit service is refreshed, or until the policy is modified
by the auditconfig -setpolicy command.
$ auditconfig -lspolicy
In the example shown in the slide, you are viewing the available policy options.
Note: The perzone and ahlt policy options can be set only in the global zone.
After reviewing the policy options, it is decided to disable the cnt policy and enable the ahlt
policy. With these settings, system use is halted when the audit queues are full and an
asynchronous event occurs. When a synchronous event occurs, the process that created the
thread hangs. These settings are appropriate when security is more important than
availability.
following options:
• Option 1: Replace the audit_warn email alias with another email alias in the audit_warn script, as follows:
ADDRESS=audit_warn # standard alias for audit alerts
• Option 2:
– Redirect the audit_warn email to another mail account.
– Run the newaliases command to rebuild the random access database for the aliases file.
audit_warn: root
# newaliases
/etc/mail/aliases: 14 aliases, longest 10 bytes, 156 bytes total
If you want to be notified if the audit directories are close to filling up or have already filled up, you can set up an email to warn you of this. To send this mail to a valid email address, you can follow one of the options shown in the slide. The /etc/security/audit_warn script generates mail to an email alias that is called audit_warn.
Note: If the perzone policy is set, the non-global zone administrator must configure the
audit_warn alias in the non-global zone.
# cp /etc/security/audit_class \
/etc/security/audit_class.orig
2. Add new entries to the audit_class file by using 0xnumber:flag:description.
When you create your own audit class, you can place into it just those audit events that you want to audit for your site. When you add the class on one system, you copy the change to all systems that are being audited. A best practice is to create audit classes before enabling the audit service.
Note: You must choose free bits. Your choice can be overwritten by a future release of the
Oracle Solaris OS.
Notes for step 1: Although not required, it is a good practice to save a backup copy of the
audit_class file before you modify it.
Notes for step 2: The entry must be unique in the file. Do not use existing audit class masks.
In the example in the slide, a class to hold administrative commands that are executed in a
role is being created. The entry creates the new pf audit class.
Note: If you have customized the audit_class file, make sure that any user exceptions to
the system audit preselection mask are consistent with the new audit classes. Errors occur
when an audit_flags value is not a subset of the audit_class file.
# cp /etc/security/audit_event \
/etc/security/audit_event.orig
2. Change the class membership for an audit event by changing the class_list field in the audit event entry.
3. Verify the change by using auditconfig -setflags class_list.
# grep pf /etc/security/audit_class
0x08000000:pf:profile command
# vi /etc/security/audit_event
116:AUE_PFEXEC:execve(2) with pfexec enabled:pf
# auditconfig -setflags pf
user default audit flags = pf(0x8001000,0x8001000)
You might want to change an audit event’s class membership to reduce the size of an existing audit class or to place the event in a class of its own. When you reconfigure audit event-class mappings on one system, you need to copy the change to all systems that are being audited. A best practice is to change event-class mappings before users log in.
In the example in the slide, an existing audit event is being mapped to the pf audit class. By
default, the AUE_PFEXEC audit event is mapped to four classes: ps, ex, ua, and as. Using
the vi text editor, you change the mapping for the event to the pf audit class. The new class
replaces the existing classes. Replacement enables you to audit for events in the other
classes while not generating the records of the AUE_PFEXEC event. With the final command,
you verify that the change has been made successfully.
Notes for step 2: Assign at least 200 MB of disk space per host. However, keep in mind that the amount of auditing you require will dictate the disk space requirements. You might find that your disk space requirements are far greater.
Notes for step 4: You might want to create additional file systems for the audit files. If so,
repeat this step as many times as necessary.
Notes for step 5: To protect the parent audit file system, you set three ZFS properties to off
for all file systems in the pool: devices, exec, and setuid.
Notes for step 6: Typically, compression is set on file systems. However, because all the file
systems in this pool contain audit files, compression is set at the pool level.
Notes for step 7: These quotas are used by the audit_warn alias to notify you when the
space is filling up.
Notes for step 8: By default, an audit file can grow to the size of the pool.
After you have created ZFS file systems for the audit files, the next task is to allocate audit space for the audit trail. By default, the /var/audit directory holds audit files for the audit_binfile plug-in.
Notes for step 2: The command presented for this step sets the /audit/example1/files
directory as the primary directory for audit files, and the default /var/audit directory as the
secondary directory.
Notes for step 3: The auditconfig -setplugin command sets the configured value.
This value is a property of the audit service, so it is restored when the service is refreshed or
restarted. The configured value becomes active when the audit service is refreshed or
restarted.
In the example shown in the slide, you are activating the audit_binfile plug-in and setting the storage for auditing. You are setting your ZFS file systems as the primary storage location with /var/audit as the secondary audit file directory. You then refresh the audit service.
man audit_remote.
2. To specify the remote hosts, use the p_hosts attribute as follows:
   # auditconfig -setplugin audit_remote active \
   p_hosts=rhost1:16088:kerberos_v5
3. To specify the number of retries, use the p_retries attribute as follows:
   # auditconfig -setplugin audit_remote active \
   p_retries=5
4. To specify the length of a connection timeout, use the p_timeout attribute as follows:
   # auditconfig -setplugin audit_remote active \
   p_timeout=3
5. Refresh the audit service by using audit -s.
Notes for step 1: Read the OBJECT ATTRIBUTES section. The default port is the solaris_audit IANA-assigned port, port 16162/tcp. The default mechanism is kerberos_v5. The timeout default is 5 seconds. You can also specify a queue size for the plug-in.
Notes for step 1: These classes must be preselected as either system defaults, or in a user's audit_flags attribute. Records are not collected for a class that is not preselected.
Notes for step 3: The entry includes the location of the log file.
Notes for step 6: The audit service can generate extensive output.
In the example, the audit_syslog plug-in is being activated and the audit flags that are to be sent to the log are indicated. You want to track failed login and logout attempts, failed changes in the system state, and successful uses of the profile command.
Next, you add the audit.notice entry to the syslog.conf file and then create the log file by using the touch command. With the final two commands, you refresh the syslog service and the audit service.
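The script below is an added example and not part of the Oracle course: it performs the audit_remote procedure from the previous page and the audit_syslog procedure from this one, and in both cases reads the plug-in settings back with auditconfig -getplugin after the refresh rather than trusting that the set command took. The remote host rhost1, the log file /var/adm/auditlog, and the "Plugin: name (active)" / "Attributes: key=value;..." layout of the -getplugin output are assumptions modelled on the course examples; confirm the output layout on your own system before relying on the parser.

```shell
#!/bin/sh
# Added example (not from the Oracle course). Assumed: host rhost1, syslog
# file /var/adm/auditlog, and the -getplugin output layout
#   Plugin: audit_remote (active)
#       Attributes: p_hosts=rhost1:16088:kerberos_v5;p_retries=5;p_timeout=3;

# Print the value of attribute $1 from "auditconfig -getplugin" output on
# stdin; exit 1 (printing nothing) when the attribute is absent.
plugin_attr() {
    awk -v want="$1" '
        /^[[:space:]]*Attributes:/ {
            sub(/^[[:space:]]*Attributes:[[:space:]]*/, "")
            n = split($0, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq && substr(kv[i], 1, eq - 1) == want) {
                    print substr(kv[i], eq + 1); found = 1
                }
            }
        }
        END { if (!found) exit 1 }'
}

# Exit 0 when the "Plugin:" line on stdin reports the plug-in as active.
plugin_active() {
    grep -q '^Plugin: .* (active)$'
}

# Validate a p_hosts list (host[:port[:mech]], comma separated) before it
# reaches auditconfig: host non-empty, port numeric if present, mechanism
# kerberos_v5 if present (the only mechanism the course shows; assumption).
check_p_hosts() {
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        host=${entry%%:*}
        rest=${entry#"$host"}; rest=${rest#:}
        port=${rest%%:*}
        mech=${rest#"$port"}; mech=${mech#:}
        [ -n "$host" ] || return 1
        case "$port" in *[!0-9]*) return 1 ;; esac
        case "$mech" in ''|kerberos_v5) ;; *) return 1 ;; esac
    done
    [ -n "$1" ]
}

# Steps 2 to 5 of the audit_remote procedure, then verification.
configure_audit_remote() {
    hosts=$1; retries=${2:-5}; timeout=${3:-3}
    check_p_hosts "$hosts" || { echo "bad p_hosts entry: $hosts" >&2; return 1; }
    auditconfig -setplugin audit_remote active p_hosts="$hosts" &&
    auditconfig -setplugin audit_remote active p_retries="$retries" &&
    auditconfig -setplugin audit_remote active p_timeout="$timeout" &&
    audit -s || return 1
    # The configured value only becomes active after the refresh, so read it back now.
    out=$(auditconfig -getplugin audit_remote) || return 1
    printf '%s\n' "$out" | plugin_active &&
    [ "$(printf '%s\n' "$out" | plugin_attr p_hosts)" = "$hosts" ]
}

# The audit_syslog procedure: -lo,-ss,+pf are failed logins/logouts, failed
# system-state changes and successful profile use, as in the course example.
configure_audit_syslog() {
    flags=${1:-"-lo,-ss,+pf"}; logfile=${2:-/var/adm/auditlog}
    auditconfig -setplugin audit_syslog active p_flags="$flags" || return 1
    grep -q '^audit\.notice' /etc/syslog.conf ||
        printf 'audit.notice\t%s\n' "$logfile" >> /etc/syslog.conf
    touch "$logfile" && svcadm refresh system/system-log && audit -s || return 1
    auditconfig -getplugin audit_syslog | plugin_active
}

case "${1:-}" in
    remote) configure_audit_remote "${2:-rhost1:16088:kerberos_v5}" ;;
    syslog) configure_audit_syslog ;;
esac
```

Run as `sh audit_plugins.sh remote rhost1:16088:kerberos_v5` or `sh audit_plugins.sh syslog` with the Audit Control rights profile. The validation of p_hosts is there because auditconfig accepts the attribute string as typed; a malformed entry is only discovered when the plug-in fails to connect.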
The audit service audits the entire system, including activities in zones. A system that has installed non-global zones can run a single audit service to audit all zones identically, or it can run one audit service per zone, including the global zone.
When you audit the non-global zones exactly as the global zone is audited, the audit service
runs in the global zone. The service collects audit records from the global zone and all the
non-global zones. The non-global zone administrators might not have access to the audit
records.
The advantages of per-zone auditing are a customized audit trail for each zone, and the ability to disable auditing on a zone-by-zone basis. Each zone collects its own audit records. The records are visible to the non-global zone and the global zone. These advantages can be offset by the administrative overhead. Each zone administrator must administer auditing. Each zone runs its own audit daemon, and has its own audit queue and audit logs. These audit logs must be managed.
In this section you are shown how to configure the audit service for both situations.
Notes for step 1: Configuring a zone for auditing is the same as configuring a system, with the following exceptions:
• Do not enable the perzone audit policy.
• Do not enable the audit service. You enable the audit service after you have configured the non-global zones for auditing.
• Set the zonename policy. This policy adds the name of the zone to every audit record.
Notes for step 2: If you modified the audit_class or audit_event file, copy it. Otherwise, skip this step. You have two options. You can loopback mount the files, or you can copy the files. The non-global zone must be running.
The non-global zones are audited when the audit service is enabled in the global zone.
In the example in the slide, you configure all the zones for auditing. You begin by checking the current audit policy to verify that auditing for the global zone has not been configured. Next, you configure all zones for auditing by setting the zonename policy. You then verify that zones are now part of the audit policy. By adding the zonename policy, the audit records will be tagged with the zone name. Next you copy the modified audit_event and audit_class configuration files from the global zone to the non-global zone called zone1. You then verify that the audit configuration files are in the /etc/security directory for zone1, which they are. Your final step is to start the audit service.
Notes for step 2b: Specifically, do not add the perzone or ahlt policy to the non-global zone.
C iceNotes for step 3: The global zone administrator must enable the audit service for the system.
# zlogin zone1
In the example shown in the slide, auditing is being set up in the non-global zone called zone1. The assumption is that the global zone is already configured. The first step is to log in to the zone. Then the audit files are configured by using the auditconfig command, to include the audit condition, the user default audit flags, the active non-attributable audit flags, and the audit policies. Next, the audit service is enabled. Then it is verified that auditing is occurring in the zone by checking /var/audit, which in this example has been set up as the primary audit directory. You then exit the non-global zone.
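The script below is an added example, not Oracle's, that carries out the "audit all zones identically" procedure from the global zone: it refuses to continue if the perzone policy is already active (the note says not to enable it in this configuration), sets the zonename policy and verifies it, copies the global zone's audit_class and audit_event into every running non-global zone, and only then enables the service once. The field layout assumed for zoneadm list -p (id:name:state:zonepath:...) and for auditconfig -getpolicy ("active audit policies = a,b") is an assumption about the command output; check it against your system.

```shell
#!/bin/sh
# Added example (not from the Oracle course). Runs in the global zone with
# the Audit Control rights profile. Assumed output layouts:
#   zoneadm list -p        ->  0:global:running:/::solaris:shared:-:none
#   auditconfig -getpolicy ->  active audit policies = cnt,zonename

# From "zoneadm list -p" on stdin, print "name zonepath" for each running
# non-global zone (the notes require the zone to be running before copying).
running_nonglobal_zones() {
    awk -F: '$2 != "global" && $3 == "running" { print $2, $4 }'
}

# From "auditconfig -getpolicy" on stdin, exit 0 when policy $1 is listed
# in the "active audit policies" line.
policy_active() {
    awk -v p="$1" -F '= *' '
        /^active audit policies/ {
            n = split($2, list, ",")
            for (i = 1; i <= n; i++) if (list[i] == p) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

configure_all_zones() {
    # Auditing all zones identically means perzone must NOT be set.
    if auditconfig -getpolicy | policy_active perzone; then
        echo "perzone policy is active; this host is set up for per-zone auditing" >&2
        return 1
    fi
    auditconfig -setpolicy +zonename || return 1
    auditconfig -getpolicy | policy_active zonename || return 1
    # Copy (rather than loopback mount) the two files into each running zone,
    # but only where the zone's copy differs from the global zone's.
    zoneadm list -p | running_nonglobal_zones |
    while read -r name zpath; do
        for f in audit_class audit_event; do
            cmp -s "/etc/security/$f" "$zpath/root/etc/security/$f" ||
                cp "/etc/security/$f" "$zpath/root/etc/security/$f" || return 1
        done
        echo "audit configuration files synced to $name"
    done
    # Enable the service last, as the notes for step 1 require.
    audit -s && auditconfig -getcond
}

case "${1:-}" in
    apply) configure_all_zones ;;
esac
```

Invoke with `sh zone_audit.sh apply`. Because `audit -s` runs after the loop, a zone whose files could not be copied stops the procedure before auditing starts with inconsistent class or event definitions between zones.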
# audit -s
# auditconfig -getcond
audit condition = auditing
Auditing is an SMF service. You configure the service by using the auditconfig command and enable it with the audit -s command. The steps for enabling the audit service for all zones are listed in the slide. You must be assigned the Audit Control rights profile to perform these tasks.
Note: If the perzone audit policy is set in the global zone, zone administrators can enable,
refresh, and disable the service in their non-global zones.
Notes for step 2: The output should reflect that the audit condition is set to auditing,
as shown in the example.
Note: Before a zone administrator can enable the audit service in a non-global zone by using
the audit -s command, the following actions must be completed:
• The global zone administrator sets the perzone policy in the global zone and enables
auditing.
• The zone administrator of the non-global zone configures the audit service and per-user
exceptions.
# audit -t
The step for disabling the audit service for all zones is shown in the slide. This action returns the system to the state it was in before auditing was enabled.
Note: If the perzone audit policy is not set, auditing is disabled for all zones. If the perzone audit policy is set in the global zone, the policy remains in effect in the non-global zones that have enabled auditing. The non-global zone continues to collect audit records across global zone reboots and non-global zone reboots until the zone administrator disables auditing in the non-global zone by using the audit -t command from within the non-global zone.
command.
2. Update the preselection masks of users who are currently being audited.
   a. Terminate the users' existing sessions.
   b. Use the auditconfig -setflags command to dynamically change each logged-in user's preselection mask.
      – Determine the logged-in user's audit ID and audit session ID by using the who command.
      – Determine the user's audit ID by using the getent passwd loginname command.
      – Change the user's preselection mask by using auditconfig -setumask and auditconfig -setsmask.
      – Verify that the preselection mask has changed by using auditconfig -getpinfo.
Any time you make configuration changes to the audit service after it has been enabled, you will need to refresh the service.
Notes for step 1: When you refresh the audit service, all temporary configuration settings are lost. Audit policy and queue controls enable temporary settings.
Notes for step 2: Audit records are generated based on the audit preselection mask that is associated with each process. Refreshing the audit service does not change the masks of existing processes, so a changed systemwide preselection mask takes effect only for sessions started after the refresh. To apply it to users who are currently logged in, you must update each user's preselection mask. You have two ways to complete this task. You can terminate the existing sessions or use the auditconfig command, as shown in steps 2a and 2b in the slide.
Notes for step 2a: Users can log out and log back in, or you can manually terminate (kill) active sessions. The new sessions will inherit the new preselection mask.
The practices for this lesson are designed to reinforce the concepts that have been presented in the lecture portion. These practices cover the following tasks:
• Practice 9-1: Configuring and administering Oracle Solaris auditing
• Practice 9-2: Managing audit records on local systems
Practice 9-1 should take you about 45 minutes to complete.
Assume that the audit service has been up and running for a while, and you are now ready to collect and analyze the data from the audit trail.
# auditrecord -a
terminal login
  program     /usr/sbin/login       See login(1)
              /usr/dt/bin/dtlogin   See dtlogin
  event ID    6152                  AUE_login
  class       lo                    (0x00001000)
      header
      subject
      [text]                        error message
      return

login: logout
  program     various               See login(1)
  event ID    6153                  AUE_logout
  class       lo                    (0x00001000)
  ---
The audit record definitions provide the audit event number, audit class, selection mask, and record format of an audit event. By viewing the audit record definitions, you can determine the set of audit tokens included in a specific type of audit record. The example in the slide contains the partial audit record format for the login program. Here you can see that the AUE_login record, which belongs to the lo class, has three mandatory audit tokens: header, subject, and return, with text being an optional token.
Note: The -a option for the auditrecord command lists all audit event record definitions. You can use the -h option to put the list in an HTML format that can be displayed in a browser. After you have the HTML file displayed in a browser, you can use the browser's Find tool to find specific audit record definitions.
If you need to analyze the contents of the entire audit trail, you can do so more easily by merging all audit files in all the audit directories by using the auditreduce command. The command merges all the records from its input files into a single output file. The input files can then be deleted. If you do not specify a path for your merged file, the auditreduce command uses the /var/audit directory.
Notes for step 1: To complete this step, follow the instructions for creating a ZFS file system for audit files that were covered earlier.
Notes for step 2b: All directories in the audit trail on the local system are merged. The uppercase options (-Uppercase-option), which are used to manipulate files in the audit trail, include, but are not limited to, the following:
• -A: Selects all of the files in the audit trail
• -C: Selects complete files only. This option ignores files with the suffix not_terminated.
file.
$ cd /var/audit/audit_summary.dir
$ auditreduce -c na -O nasumm
$ ls *nasumm
20111216183214.20111216215318.nasumm
n specific
You canoselect l kinds of records to examine from the audit trail or from a file by using
R
roauditreduce command. Some of the more commonly used options for the
the
C iceauditreduce command are as follows:
• -d: Selects all of the events on a particular date. The date format for argument is
yyymmdd. Other date options, -b and -a, select events before and after a particular
date.
• -u: Selects all of the events attributable to a particular user. The argument is a user
name. Another user option, -e, selects all of the events attributable to an effective user
ID.
• -c: Selects
S l t allll off th
the events
t iin a preselected
l t d audit
dit class.
l Th
The argumentt is
i an audit
dit
class name.
• -m: Selects all of the instances of a particular audit event. The argument is an audit
event.
• argument: Specific argument that a lowercase option requires. For example, the -c
option requires an argument of an audit class, such as ua.
• optional file: Is the name of an audit file
optional-file:
Note: For the full list of options, see the auditreduce(1M) man page.
In the example in the slide, all the records of audit events in the na class are collected into
one file.
Viewing Contents of Binary Audit Files
$ auditreduce -c lo | praudit -s
header,69,2,AUE_screenlock,,mach1,2011-12-16 08:02:56.348 -07:00
subject,jjones,root,staff,jjones,staff,856,50036632,82 0 mach1
return,success,0
sequence,1298
The praudit command enables you to view the contents of binary audit files. You can pipe the output from the auditreduce command, or you can read a particular audit file. There are three praudit command options (-s, -r, and -x) as listed in the slide.
Note: Each of the praudit commands displays the format in one token per line. For the praudit -s and praudit -r commands, you can use the -l option to place each record on one line. For the praudit -x command, you can use the -l option to place the XML output for one record on one line.
In the example in the slide, the praudit -s command is being used to display audit records in a short format.
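The following script is an added example, not part of the Oracle course, that serves both the auditreduce selection page and this praudit page: it takes the output of `auditreduce -c lo | praudit -s`, reassembles the one-token-per-line stream into records, and reports failed login attempts per audit ID and originating host, which is the first question an analyst usually asks of the lo class. The sample records embedded below are constructed in the praudit -s layout shown on the slide (header, subject, return, sequence tokens), not captured from a real system; the attempted user name evil and the address 10.0.0.9 are invented.

```shell
#!/bin/sh
# Added example (not from the Oracle course). Parses praudit -s output;
# the SAMPLE records are constructed for the example, not real audit data.

# Read praudit -s records on stdin. A record starts at a "header" token; the
# event is field 4 of the header, the audit ID is field 2 of the subject and
# the host is the last word of the subject's terminal ID (field 9). Print one
# line per record: "event audit-id host return-status".
lo_events() {
    awk -F, '
        function flush() {
            if (ev != "") printf "%s %s %s %s\n", ev, auid, host, status
            ev = auid = host = status = ""
        }
        $1 == "header"  { flush(); ev = $4 }
        $1 == "subject" { auid = $2; n = split($9, t, " "); host = t[n] }
        $1 == "return"  { status = $2 }
        END { flush() }'
}

# Count failed AUE_login records per "audit-id host", most frequent first.
failed_logins() {
    lo_events | awk '
        $1 == "AUE_login" && $4 == "failure" { c[$2 " " $3]++ }
        END { for (k in c) print c[k], k }' | sort -rn
}

# Constructed sample in the praudit -s layout from the slide.
SAMPLE='header,69,2,AUE_login,,mach1,2011-12-16 08:02:56.348 -07:00
subject,jjones,jjones,staff,jjones,staff,856,50036632,82 0 mach1
return,success,0
sequence,1298
header,69,2,AUE_login,,mach1,2011-12-16 08:03:10.001 -07:00
subject,evil,nobody,nobody,nobody,nobody,900,50036640,0 0 10.0.0.9
text,invalid password
return,failure,1
sequence,1299
header,69,2,AUE_login,,mach1,2011-12-16 08:03:12.500 -07:00
subject,evil,nobody,nobody,nobody,nobody,901,50036641,0 0 10.0.0.9
text,invalid password
return,failure,1
sequence,1300
header,69,2,AUE_logout,,mach1,2011-12-16 09:00:00.000 -07:00
subject,jjones,jjones,staff,jjones,staff,856,50036632,82 0 mach1
return,success,0
sequence,1301'

case "${1:-}" in
    live)   auditreduce -c lo | praudit -s | failed_logins ;;
    sample) printf '%s\n' "$SAMPLE" | failed_logins ;;
esac
```

`sh lo_summary.sh sample` prints `2 evil 10.0.0.9`; `sh lo_summary.sh live` runs the same pipeline over the real audit trail. Because the parser keys on token names rather than line positions, the optional text token in failed-login records does not disturb it, which is exactly the case that breaks naive line-counting scripts.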
This practice should take you about 30 minutes to complete.
Managing Processes and Priorities
Objectives
[Figure: job workflow. Labels: AI installation, data storage, network configuration, enterprise datacenter configuration, services, privileges, network virtualization, auditing, processes, resource evaluation, monitoring.]
Before you begin the lesson, take a moment to orient yourself in your job workflow. You have successfully installed the operating system and have updated it. You have configured the data storage environment as well as the physical and virtual networks. You have also ensured that all the system services are up and running and that both users and processes have been granted the appropriate level of privilege. You have also set up the Oracle Solaris audit service. In this lesson you are shown how to manage the priority and scheduling of the system and user processes that the Oracle Solaris 11 operating system uses to run business functions. As the system administrator, you are responsible for controlling and managing these system processes to ensure the system operates smoothly.
Scheduling Class
• Managing Process Scheduling Priority
• Configuring the Fair Share Scheduler
• Managing the Scheduling Class of Zones
Not all processes are created equal, and given that there can be hundreds of processes active on the system at any time, it is important for a system administrator to be able to prioritize the processes and control their load distribution. Through these means, the system administrator ensures that the system resources, such as CPU, memory, and network, are not overused to the point where the system becomes bogged down or comes to a complete halt.
Understandably, your company wants to ensure that its business applications run uninterrupted and that they are available when needed. As part of the predeployment activities, your company wants you to test the Oracle Solaris 11 process priority and scheduling class functionality to determine the best approach for distributing process workload.
In this topic, you are introduced to process priorities and the scheduling classes.
[Figure: the process scheduler, svc:/system/scheduler:default, takes the processes in each scheduling class and places them in the priority queue.]
A fundamental job of the operating system is to arbitrate which processes get access to the system's resources. The process scheduler, which is also called the dispatcher, is the portion of the kernel that controls allocation of the CPU to processes. It is managed by the SMF service svc:/system/scheduler:default.
The process scheduler supports the concept of scheduling classes. Each class defines a
scheduling policy that is used to schedule processes within the class. The scheduling policy
of a process determines its position in the priority queue.
• Global priority: Based on scheduling class, each process has a global priority that identifies its position in the priority queue and its access to system resources, specifically CPU resources. The higher the global priority number, the greater the priority.
As a system administrator, you might want to specify that certain processes be given more resources than others. You can do this by designating a priority for a process, thereby impacting its global priority assignment and position in the priority queue. You can designate a scheduling class for the process as well as a user priority. The user priority is based on the process's scheduling class and the priority range assigned to that scheduling class. By designating a priority for a process, you as the system administrator can control how the system should prioritize the running of each process, taking into account those processes that by their nature and their system-assigned scheduling class have a higher priority.
Note: You will take a look at the priority ranges for each scheduling class in just a moment.
Based on changing business needs and requirements, you can always modify the priority of a
process. You learn how to designate and modify a process’s priority later in this lesson.
Timesharing (TS): Default class for processes and their associated kernel threads. Priorities in this class are dynamically adjusted in an attempt to allocate processor resources evenly.
Interactive (IA): Enhanced version of the TS class that applies to the in-focus window in the GUI. Its intent is to give extra resources to processes associated with that specific window.
Fair Share Scheduler (FSS): This class is share based rather than priority based. Threads managed by FSS are scheduled based on their associated shares and the processor's utilization.
Fixed-Priority (FX): Priorities for threads associated with this class are fixed. In other words, they do not vary dynamically over the lifetime of the thread.
System (SYS): Used to schedule kernel threads. Threads in this class are "bound" threads, which means that they run until they block or complete.
Real-Time (RT): Threads in the RT class are fixed-priority, with a fixed-time duration called quantum.

The table shown in the slide identifies the process scheduling classes that can be configured on your system. The RT class offers the highest scheduling priorities and can preempt other scheduling class priorities.
Note: By default, any new processes that are created are assigned the TS class. However, as
discussed, you can change the scheduling class designation based on business requirements
and the importance of the application. You can also change the default scheduling class for
the entire system so that all the processes including the non-global zones will run in the same
scheduling class. You learn how to do this later in the lesson.
Although the TS scheduling class is the system's default scheduling class, using the fair share scheduler (FSS) as the default scheduling class is highly desirable. The FSS gives you the control to specify that certain processes should be given more resources than others. This is exceptionally beneficial when you are trying to balance workloads for multiple projects or non-global zones. Because the FSS is recommended as the default scheduling class, a good deal of time is spent in this lesson teaching you how to use it.
The scheduling classes have an assigned range of priorities. The table in the slide presents the ranges.
The higher the number, the greater the priority. This means that a real-time process will always run before either a system process or a process that is assigned to any of the other scheduling classes (FSS, FX, IA, TS).
Note: The priority of a process is inherited from the parent process.
As you just saw, by default, the FSS scheduling class uses the same range of priorities (0 through 59) as the time sharing (TS), interactive (IA), and fixed priority (FX) scheduling classes. Therefore, you should avoid having processes from these scheduling classes share the same processor set. A mix of processes in the FSS, TS, IA, and FX classes could result in unexpected scheduling behavior.
With the use of processor sets, you can mix TS, IA, and FX with FSS in one system. However, all the processes that run on each processor set must be in one scheduling class, so they do not compete for the same CPUs. The FX scheduler in particular should not be used in conjunction with the FSS scheduling class unless processor sets are used. This action prevents applications in the FX class from using priorities high enough to starve applications in the FSS class.
You can mix processes in the TS and IA classes in the same processor set, or on the same system without processor sets.
Because RT and FSS are using disjoint, or non-overlapping, ranges of priorities, FSS can coexist with the RT scheduling class within the same processor set. However, the FSS scheduling class does not have any control over processes that run in the RT class.
class.
• For a new default scheduling class setting, non-global zones obtain the new setting when booted or rebooted.
• To ensure that all zones get a fair share of the system CPU resources, set the FSS as the system default scheduling class.
Non-global zones use the default scheduling class for the system. If the system is updated with a new default scheduling class setting, non-global zones obtain the new setting when booted or rebooted.
As discussed earlier, the recommended scheduler to use with zones is the FSS. The preferred way then is to set the FSS to be the system default scheduling class and then configure CPU shares for the zones. All zones then benefit from getting a fair share of the system CPU resources.
You learn how to configure CPU shares for zones later in this lesson.
As part of the predeployment test, you have been given the assignment to learn how to determine, designate, modify, and monitor scheduling priorities and classes for the processes running on the system. You have also been tasked with learning how to make the FSS the default scheduling class for zones, and then how to configure CPU shares for the zones.
Answer: b
designations?
a. Fair share scheduler (FSS)
b. Real-time (RT)
c. System (SYS)
d. Time sharing (TS)
Answer: b
Answer: a
Answer: a
Class
• Managing Process Scheduling Priority
• Configuring the Fair Share Scheduler
• Managing the Scheduling Class of Zones
# top 10 -s 10
last pid: 1121;  load avg: 0.20, 0.14, 0.12;  up 0+01:50:30                    14:10:30
87 processes: 83 sleeping, 3 running, 1 on cpu
CPU states: 81.8% idle, 5.1% user, 13.1% kernel, 0.0% iowait, 0.0% swap
Kernel: 609 ctxsw, 9 trap, 327 intr, 1935 syscall, 4 flt
Memory: 1024M phys mem, 84M free mem, 977M total swap, 977M free swap

   PID USERNAME NLWP PRI NICE  SIZE   RES STATE   TIME    CPU COMMAND
   991 oracle      2  59    0   87M   19M sleep   0:11  4.03% gnome-terminal
   733 oracle      3  59    0   65M   53M run     0:23  3.82% Xorg
   929 oracle     20  59    0  160M  140M run     2:01  1.75% java
   934 oracle      1  56    0   12M 5552K run     0:06  1.46% xscreensaver
  1120 root        1  59    0 4296K 2480K cpu     0:00  0.25% top
   917 oracle      1  49    0  107M   36M sleep   0:01  0.22% nautilus
   913 oracle      1  59    0   27M   15M sleep   0:01  0.08% metacity
    11 root       18  59    0   12M   11M sleep   0:41  0.06% svc.configd
   536 root        7  59    0 9420K 1856K sleep   0:03  0.04% VBoxService
A quick and convenient way to view the processes running on the system that are using the most CPU resources is by using the top command. The output of the command is very similar to the prstat command.
Note: The top utility iteratively examines all active processes on the system and reports statistics in descending order based on CPU usage.
The command displays the following information:
• Last pid: Last process ID assigned to a process
• Load avg: These are the CPU load averages. The averages are based on one-, five-, and 15-minute intervals.
• up: System uptime and current time
• Number of processes currently active on the system and their respective states
• CPU states by percentage: Shows the percentage of CPU time in the following modes: idle, user, kernel, iowait, and swap.
• Kernel: Statistics on the following kernel-related activity: context switches, traps, interrupts, system calls, and page faults.
- zombie: Process is terminated, and the parent is not waiting.
- stop: Process is stopped.
• TIME: Cumulative execution time for the process, given in hours, minutes, and seconds.
• CPU: Percentage of recent CPU time used by the process
• COMMAND: Command name of the process
-l.
# priocntl -l
CONFIGURED CLASSES
==================

SYS (System Class)

TS (Time Sharing)
        Configured TS User Priority Range: -60 through 60

SDC (System Duty-Cycle Class)

FSS (Fair Share)
        Configured FSS User Priority Range: -60 through 60

FX (Fixed priority)
        Configured FX User Priority Range: 0 through 60

IA (Interactive)
        Configured IA User Priority Range: -60 through 60
To display process scheduling classes and priority ranges, you use the priocntl -l command.
Note: The priocntl command is used to display or set scheduling parameters for a specified process. You can also use it to display the current configuration information for the system's process scheduler (as is being done here) or you can use it to execute a command with specified scheduling parameters (which will be looked at in the next few slides).
In the output example, you can see all the classes configured at this time: system class (SYS), time sharing (TS), system duty-cycle (SDC), fair share (FSS), fixed priority (FX), and interactive (IA). You can also see the user priority ranges for the time sharing, fair share, and interactive classes (-60 through 60) and for the fixed priority class (0 through 60). You need to know these ranges when you designate the priority of a process, which will be looked at in the next few slides.
$ ps -ecl
 F S   UID   PID  PPID  CLS PRI     ADDR     SZ    WCHAN TTY        TIME CMD
19 T     0     0     0  SYS  96 f00d05a8      0          ?          0:03 sched
 8 S     0     1     0   TS  50 ff0f4678    185 ff0f4848 ?         36:51 init
19 S     0     2     0  SYS  98 ff0f4018      0 f00c645c ?          0:01 pageout
19 S     0     3     0  SYS  60 ff0f5998      0 f00d0c68 ?        241:01 fsflush
 8 S     0   269     1   TS  58 ff0f5338    303 ff49837e ?          0:07 sac
 8 S     0   204     1   TS  43 ff2f6008     50 ff2f606e console    0:02 sh
The –e option displays information about every process that is currently running. The -c
option displays information about scheduler properties. The –l option generates a long listing.
The command displays the following information:
• F: Flags associated with the process
• S: State of the process. States include:
- O: Process is running on a processor.
- S: Sleeping. Process is waiting for an event to complete.
- R: Runnable. Process is on run queue.
- Z: Zombie state. Process terminated and parent not waiting.
- T: Process is stopped, either by a job control signal or because it is being traced.
• UID: Effective user ID number of the process
• PID: Process ID of the process
• CLS: Scheduling class
controlling terminal.
• TIME: Cumulative execution time for the process
• CMD: Command name
In the example in the slide, the values in the priority (PRI) column show that the pageout
process has the highest priority (98), whereas the sh process has the lowest priority (43).
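As an added example (it is not part of the course material), the following POSIX shell functions read a ps -ecl listing and report the process with the highest global priority, the one with the lowest, and every process in a named scheduling class. The listing in PS_ECL_SAMPLE is constructed from the slide's output so the functions run offline; on an Oracle Solaris system you would pipe the real ps -ecl output into them instead. The function names are the example's own.

```sh
# Added example, not from the course: priority checks over a `ps -ecl` listing.
# PS_ECL_SAMPLE is constructed from the slide's output. The sched line has no
# WCHAN value, so the columns after PRI shift left; the functions therefore
# only trust the fixed leading columns and take CMD as the last word of a line.
PS_ECL_SAMPLE='F S UID PID PPID CLS PRI ADDR SZ WCHAN TTY TIME CMD
19 T 0 0 0 SYS 96 f00d05a8 0 ? 0:03 sched
8 S 0 1 0 TS 50 ff0f4678 185 ff0f4848 ? 36:51 init
19 S 0 2 0 SYS 98 ff0f4018 0 f00c645c ? 0:01 pageout
19 S 0 3 0 SYS 60 ff0f5998 0 f00d0c68 ? 241:01 fsflush
8 S 0 269 1 TS 58 ff0f5338 303 ff49837e ? 0:07 sac
8 S 0 204 1 TS 43 ff2f6008 50 ff2f606e console 0:02 sh'

# Print "CMD PRI" of the process with the highest global priority (stdin = ps -ecl).
ps_max_pri() {
    read -r _header                                  # drop the column header
    best_cmd=; best_pri=
    while read -r _f _s _uid _pid _ppid _cls pri rest; do
        [ -n "$pri" ] || continue                    # skip blank lines
        if [ -z "$best_pri" ] || [ "$pri" -gt "$best_pri" ]; then
            best_pri=$pri; best_cmd=${rest##* }      # CMD is the last word
        fi
    done
    echo "$best_cmd $best_pri"
}

# Print "CMD PRI" of the process with the lowest global priority.
ps_min_pri() {
    read -r _header
    best_cmd=; best_pri=
    while read -r _f _s _uid _pid _ppid _cls pri rest; do
        [ -n "$pri" ] || continue
        if [ -z "$best_pri" ] || [ "$pri" -lt "$best_pri" ]; then
            best_pri=$pri; best_cmd=${rest##* }
        fi
    done
    echo "$best_cmd $best_pri"
}

# Print "PID CLS PRI CMD" for every process in scheduling class $1.
ps_in_class() {
    read -r _header
    while read -r _f _s _uid pid _ppid cls pri rest; do
        if [ "$cls" = "$1" ]; then
            echo "$pid $cls $pri ${rest##* }"
        fi
    done
}

printf '%s\n' "$PS_ECL_SAMPLE" | ps_max_pri        # pageout 98
printf '%s\n' "$PS_ECL_SAMPLE" | ps_min_pri        # sh 43
printf '%s\n' "$PS_ECL_SAMPLE" | ps_in_class SYS   # sched, pageout, fsflush
```

Reading the fixed columns from the left and the command name from the right is what keeps the functions correct when a kernel thread such as sched prints no WCHAN; a naive field count would misread that line.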
As discussed in the first topic, you can designate the priority of a process. To do this, you use
the priocntl command. The steps listed in the slide show how to designate the scheduling
class as well as the user priority.
Notes for step 1: The options that are used with the priocntl command are as follows:
• -e: Executes a specified command with the class and scheduling parameters
associated with a set of processes
• -c class: Specifies the class to be set. The valid class arguments are:
- RT for real-time
- TS for time sharing
- IA for interactive
- FSS for fair-share
- FX for fixed priority
• -m user-limit: When you use the -p option in conjunction with this option, it
specifies the maximum amount you can raise or lower the priority.
• -p user-priority: Designates the user priority
p user-priority pid.
2. Verify the process status using ps -ecl | grep command-name.
# priocntl -s -p 30 3084
# ps -ecf | grep myprog
root 3093 2909 RT 130 09:09:34 pts/3 0:00 /bin/bash /root/myprog
root 3124 2771 IA 32 09:15:25 pts/1 0:00 grep myprog
Because of changing business priorities, you might need to modify the priority of a running
process. To do this, you use the priocntl command. The steps in the slide show how to
complete this task.
Notes for step 1: The options that are used with the priocntl command are as follows:
• -s: Sets the scheduling parameters associated with a set of processes
• -p user-priority: Designates the user priority
In the example in the slide, you are changing the current user priority on a process called
myprog (PID 3093). You now want the myprog process to have a priority of 30. You then
verify the change. Here you can see that the myprog process now has a global priority of
130. The system added 100 to the RT priority of 30 to create the global priority.
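The verification step above is easy to get wrong by hand because the grep that produces the listing appears in its own output. As an added example (not course code), these POSIX shell functions pick the target process out of a ps -ecf listing, ignore the grep line, and convert the global priority back to the user priority using the rule the lesson states for the RT class (global = 100 + user priority). The listing in PS_ECF_SAMPLE is constructed from the slide; the function names are the example's own, and classes other than RT are reported as n/a rather than guessed.

```sh
# Added example, not from the course: verify the class and priority of a named
# process after `priocntl -s -p`. PS_ECF_SAMPLE is constructed from the slide's
# `ps -ecf | grep myprog` output and, as on a real system, contains the grep
# process itself, which must be ignored.
PS_ECF_SAMPLE='root 3093 2909 RT 130 09:09:34 pts/3 0:00 /bin/bash /root/myprog
root 3124 2771 IA 32 09:15:25 pts/1 0:00 grep myprog'

# Print "PID CLS PRI" for the process whose command line contains $1,
# skipping the grep that produced the listing (stdin = ps -ecf output).
proc_class_pri() {
    while read -r _uid pid _ppid cls pri _stime _tty _time cmd; do
        case $cmd in
            grep*)   ;;                            # the grep itself, ignore
            *"$1"*)  echo "$pid $cls $pri" ;;
        esac
    done
}

# Convert a global priority back to a user priority as the lesson describes:
# for the RT class the system adds 100 to the user priority. Other classes
# are reported as n/a here rather than guessed.
rt_user_priority() {   # $1 = class, $2 = global priority
    if [ "$1" = RT ]; then
        echo $(( $2 - 100 ))
    else
        echo n/a
    fi
}

# Check that process $1 runs in class $2 with user priority $3; prints a
# verdict and returns 0 on success, 1 otherwise (stdin = ps -ecf output).
verify_priority() {
    set -- "$1" "$2" "$3" $(proc_class_pri "$1")   # appends "PID CLS PRI"
    if [ $# -lt 6 ]; then
        echo "$1: not found"; return 1
    fi
    if [ "$5" = "$2" ] && [ "$(rt_user_priority "$5" "$6")" = "$3" ]; then
        echo "ok: $1 pid $4 class $5 global $6 user $3"
    else
        echo "mismatch: $1 pid $4 class $5 global $6"; return 1
    fi
}

printf '%s\n' "$PS_ECF_SAMPLE" | verify_priority myprog RT 30
# ok: myprog pid 3093 class RT global 130 user 30
```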
Class
• Managing Process Scheduling Priority
• Configuring the Fair Share Scheduler
• Managing the Scheduling Class of Zones
# dispadmin -l
CONFIGURED CLASSES
==================

SYS	(System Class)
TS	(Time Sharing)
SDC	(System Duty-Cycle Class)
FSS	(Fair Share)
FX	(Fixed Priority)
The fair share scheduling class enables you to allocate CPU time based on shares instead of
the priority scheme of the time sharing (TS) scheduling class. To make FSS the default
scheduling class for the system, you use the dispadmin -d command, as shown in the
slide.
Note: The dispadmin command displays or changes process scheduler parameters while
the system is running. The -d option sets or displays the name of the default scheduling class
to be used on reboot when starting svc:/system/scheduler:default.
This command does not change the scheduling classes of the currently running processes,
which you can see if you run the dispadmin –l command, as shown in the second
example. Here you can see all the classes currently being used. The command does,
however, impact any new processes that might be created. The new processes will all be
assigned the FSS class.
-c FSS -i all.
You can manually move all processes into the FSS scheduling class without changing the
default scheduling class and rebooting (assuming you have not made FSS the default
scheduling class). To move all the processes from other classes into the FSS class, use the
priocntl command as shown in the slide.
Note: This is only a temporary change. After reboot, all processes will again run in the default
scheduling class.
The options that are used with the priocntl command are as follows:
• -s: Sets the upper limit on the user priority range and changes the current priority
• -c class: Specifies the class to be set
• -i idtype: Specifies one or more processes to which the priocntl command is to
apply. The -i all option specifies to apply the priocntl command to all existing
processes.
Note: For a complete list of valid idtype arguments, see the priocntl man page.
-s -c FSS -i pid 1.
# ps -ecf | grep init
root 1 0 TS 59 07:42:52 ? 0:00 /sbin/init
# priocntl -s -c FSS -i pid 1
# ps -ef -o class,zone,fname | grep init
FSS global init
To move the init process into the FSS class, use the priocntl command with the init
process ID number (PID 1) as shown in the slide.
Note: Because you are specifying only the init process for the global zone (PID 1), any
init processes that are associated with non-global zones are not affected.
In the example in the slide, you begin by displaying the scheduling class for the init
process. Notice that the scheduling class is TS. You then run the command to move the init
process into the FSS class. Your final step is to verify that the change has been made, and it
has.
Note: Again, this is only a temporary change. After reboot, the init process will again run in
its default scheduling class.
# ps -o user,pid,uid,projid,project,class
 USER   PID   UID PROJID PROJECT   CLS
 root  2771     0      1 user.root  TS
 root  3000     0      1 user.root  TS
# priocntl -s -c FSS -i projid 1
# ps -o user,pid,uid,projid,project,class
 USER   PID   UID PROJID PROJECT   CLS
 root  2771     0      1 user.root FSS
 root  3015     0      1 user.root FSS
You can also manually move a project’s processes from their current scheduling class to the
FSS scheduling class. The commands for completing this task are identical to moving
processes into FSS with one exception. Instead of specifying a process, you specify a project
ID number, as shown in the slide. As with the processes, this change is only temporary. After
reboot, the project’s processes will again run in the default scheduling class.
In the example in the slide, you start by displaying the current scheduling class for the current
projects. As you can see, you have one project (PROJID 1) that has a scheduling class of
TS. Using the priocntl command, you move the project’s processes into the FSS class.
Your last step is to verify the change.
You can use the dispadmin command to display or change process scheduler parameters
while the system is running. For example, you can use dispadmin to examine and tune the
FSS scheduler's time quantum value. Time quantum is the amount of time that a thread is
allowed to run before it must relinquish the processor. You can specify the resolution that is
used for displaying time quantum values. If no resolution is specified, time quantum values
are displayed in milliseconds by default. You might find it easier to work with smaller digits;
specifying 10 is much easier than specifying 100000 for quantum values.
In the example in the slide, you are tuning the time quantum parameter for FSS by modifying
the resolution. First, you display the current time quantum for the FSS scheduler.
As you can see, currently, the quantum values are specified in 1/1000th of a second. By using
the -r option, you change the time quantum to 1/100th of a second.
The practices for this lesson are designed to reinforce the concepts that have been presented
in the lecture portion. These practices cover the following tasks:
• Practice 10-1: Modifying the scheduling priority for a process
• Practice 10-2: Configuring CPU shares and FSS in an Oracle Solaris zone
Practice 10-1 should take you about 30 minutes to complete.
Class
• Managing Process Scheduling Priority
• Configuring the Fair Share Scheduler
• Managing the Scheduling Class of Zones
Note: The assumption is that FSS has been made the default scheduling class for the
system.
-z zone.
2. Set the number of shares for the global zone by using set cpu-shares=number.
3. Exit zonecfg.
4. Verify the configuration change by using zonecfg -z zone info.
limitpriv:
scheduling-class:
ip-type: exclusive
hostid:
fs-allowed:
[cpu-shares: 80]
net:
	address not specified
	allowed-address not specified
	physical: vnic1
	defrouter not specified
rctl:
	name: zone.cpu-shares
	value: (priv=privileged,limit=80,action=none)
In the example shown in the slide, you configure the CPU shares for hrzone from the global
zone by using the zonecfg -z command. You set the CPU shares to 80, exit, and then
confirm the configuration change. Here, you can see that hrzone now has 80 CPU shares.
# prstat –Z
…
ZONEID    NPROC  SWAP   RSS MEMORY      TIME  CPU ZONE
     1       27   34M   43M   4.2%   0:20:09 8.3% hrzone
     2       27   34M   43M   4.2%   0:16:15 2.4% itzone
     0       98  348M  451M    44%   0:00:50 0.3% global
In this mode, prstat displays separate reports about processes and zones at the same time.
The output of the command is as follows:
• ZONEID: ID number of the zone
• NPROC: Number of processes in the zone
• SWAP: Total virtual memory size of the process, including all mapped files and devices,
in kilobytes (K), megabytes (M), or gigabytes (G)
• RSS: Resident set size of the process in kilobytes (K), megabytes (M), or gigabytes (G)
• MEMORY: Percentage of memory used by a specified collection of processes
• TIME: Cumulative execution time for the process
• CPU: Percentage of recent CPU time used by the process
• ZONE: Zone name
As the output is dynamically updated, you will notice the percentage of CPU time shifting
closer to the ratio you specified. Assuming that you allocated more CPU shares to hrzone,
you will see a higher percentage of CPU time being used by that zone.
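To turn "closer to the ratio you specified" into a number you can check, the following added example (not course code) computes each zone's entitlement as its share of all assigned shares and places it beside the CPU percentage a prstat -Z zone summary reports. The share table uses the values from this lesson for hrzone (80) and the global zone (60); the 20 shares for itzone and the prstat lines are constructed for the example, and the function names are its own. Shares only govern CPU under contention, so a zone idling below its entitlement is not a misconfiguration.

```sh
# Added example, not from the course: compare the CPU share each zone is
# entitled to with what prstat -Z currently reports. hrzone 80 and global 60
# are the lesson's values; itzone 20 is assumed for the example.
ZONE_SHARES='hrzone 80
itzone 20
global 60'

# Constructed from the slide's prstat -Z zone summary.
PRSTAT_Z_SAMPLE='ZONEID NPROC SWAP RSS MEMORY TIME CPU ZONE
1 27 34M 43M 4.2% 0:20:09 8.3% hrzone
2 27 34M 43M 4.2% 0:16:15 2.4% itzone
0 98 348M 451M 44% 0:00:50 0.3% global'

# CPU percentage zone $1 is entitled to under contention: its shares as a
# fraction of all shares, printed with one decimal using integer arithmetic.
expected_cpu_pct() {
    total=0; mine=0
    while read -r zone shares; do
        [ -n "$shares" ] || continue
        total=$((total + shares))
        if [ "$zone" = "$1" ]; then mine=$shares; fi
    done <<EOF
$ZONE_SHARES
EOF
    tenths=$((mine * 1000 / total))
    echo "$((tenths / 10)).$((tenths % 10))"
}

# CPU percentage prstat -Z reports for zone $1 (stdin = zone summary lines);
# the trailing % is stripped. Returns 1 if the zone is not in the output.
observed_cpu_pct() {
    while read -r _zoneid _nproc _swap _rss _mem _time cpu zone; do
        if [ "$zone" = "$1" ]; then
            echo "${cpu%\%}"; return 0
        fi
    done
    return 1
}

# One-line report for zone $1: entitlement versus current usage.
share_report() {   # stdin = prstat -Z zone summary lines
    exp=$(expected_cpu_pct "$1")
    obs=$(observed_cpu_pct "$1") || { echo "$1: not in prstat output"; return 1; }
    echo "$1 expected ${exp}% observed ${obs}%"
}

for z in hrzone itzone global; do
    printf '%s\n' "$PRSTAT_Z_SAMPLE" | share_report "$z"
done
# hrzone expected 50.0% observed 8.3%
# itzone expected 12.5% observed 2.4%
# global expected 37.5% observed 0.3%
```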
You can also assign CPU shares to the global zone by using the prctl -n zone.cpu-shares
command, as shown in the slide.
The options for the prctl -n zone.cpu-shares command are as follows:
• –n: Specifies the name of the resource
• –v value: Specifies the value for the resource control for a set operation
• –r: Replaces the first resource control value with the new value specified through the –v option
• –i idtype: Specifies the type of the id operands. Valid idtypes are process, task,
project, and zone
In the example in the slide, you are assigning 60 CPU shares to the global zone. Again, you
are making the assumption that FSS is the default scheduling class for the global zone.
To remove the CPU shares configuration from either the global zone or a non-global zone,
use the zonecfg –z clear cpu-shares command. The steps for completing this task
are listed in the slide.
ip-type: exclusive
hostid:
fs-allowed:
net:
	address not specified
	allowed-address not specified
	configure-allowed-address: true
	physical: vnic1
	defrouter not specified
…
# zoneadm –z hrzone shutdown –r
In the example shown in the slide, you remove the CPU shares configuration from hrzone by
using the zonecfg –z clear cpu-shares command. You then confirm the configuration
change. The CPU shares entry is no longer part of the zone's configuration. Your final step is
to reboot the zone by using the shutdown –r command to make the configuration changes
effective.
This practice should take you about 30 minutes to complete.
Evaluating System Resources
Objectives
In this lesson, “Evaluating the System Resources,” you are introduced to resource controls
and shown how to configure system resources to use them. You are also introduced to a
number of system utilities that you can use to monitor the usage of these system resources.
[Figure: job workflow diagram with the nodes Enterprise Datacenter, Configuration, Processes, Network, Storage, Data, Resource Evaluation, Monitoring, Virtualization, Auditing, Services, and Privileges]
Before you begin the lesson, take a moment to orient yourself in your job workflow. Up to this
point you have been configuring all the pieces of your system to create a fully functional and
secure operating environment. In this lesson you are first shown how to optimize the use of
your system resources by configuring the resources and then allocating them. You are then
shown how to monitor the usage of these resources to ensure that the system resources have
been appropriately allocated to the existing processes.
Performance Evaluation
• Configuring and Administering System Resources
• Monitoring System Performance
As part of the predeployment testing activities, your company has put a plan in place that
addresses what business application processes should be given priority. The company knows
that Oracle Solaris 11 supports resource management, so they are looking to you to create a
resource configuration that presents the least compromise to the service goals of the
business while working within the limitations of the system’s capabilities. The plan also calls
for system resources to be monitored on a regular basis and resource controls to be adjusted
as necessary to ensure the continued optimal use of the system’s resources.
In this topic you are introduced to resource controls as a means of controlling system
resource allocation. You are also introduced to a number of tools for monitoring resource
usage.
You have already learned about resource management in the context of zones, where you
controlled your resource allocations through the use of resource pools. In this lesson, you
expand your understanding of resource management.
The ability to minimize cross-workload performance compromises, along with the facilities that
monitor resource usage, is referred to as resource management. Resource management
enables you to control how applications use available system resources. You can allocate
system resources, such as processor time and memory, to ensure that your applications have
the required response times. You can then monitor how the allocations are being used and
adjust the allocations as necessary to address the needs of the business.
You can also use resource management to increase resource usage. By categorizing and
prioritizing usage, you can effectively use reserve capacity during off-peak periods, thereby
often eliminating the need for additional processing power.
for a workload
• Scheduling: Makes a sequence of allocation decisions at specific intervals
• Partitioning: Binds a workload to a subset of the system’s available resources
The Oracle Solaris operating system uses three types of resource management control
mechanisms: constraints, scheduling, and partitioning.
The constraint mechanism enables you to set bounds on the consumption of specific
resources for a workload. You can use bounds to control ill-behaved applications that might
negatively compromise system performance or availability through unregulated resource
requests. An example of a constraint mechanism is a resource capping.
Scheduling mechanism refers to making a sequence of allocation decisions at specific
intervals. An application that has had a scheduling mechanism applied to it leaves the
resource available for another application’s use if it does not need its current allocation.
Scheduling-based resource management enables full usage of an undercommitted
configuration, while providing controlled allocations in a critically committed or overcommitted
situation. An example of a scheduling mechanism is the fair share scheduler (FSS).
A partitioning mechanism is used to bind a workload to a subset of the system’s available
resources. This binding guarantees that a known amount of resources is always available to
the workload. An example of a partitioning mechanism is a resource pool.
To optimize workload response, you must first be able to identify the workloads that are
running on the system you are analyzing. This information can be difficult to obtain by using
either a purely process-oriented or a user-oriented method alone. In the Oracle Solaris
system, you have two additional facilities that can be used to separate and identify workloads:
the project and the task. The project provides a network-wide administrative identifier for
related work. The task collects a group of processes into a manageable entity that represents
a workload component.
[Figure: Project 1 containing Process 1 through Process 9, grouped in three columns (Process 1 to 3, Process 4 to 5, Process 6 to 9)]
A user or group can belong to one or more projects. These projects can be used to represent
the workloads in which the user (or group of users) is allowed to participate. This membership
can then be the basis of chargeback that is based on, for example, usage or initial resource
allocations. Although a user must be assigned to a default project, the processes that the user
launches can be associated with any of the projects of which that user is a member.
Each successful login into a project creates a new task that contains the login process. The
task is a process collective that represents a set of work over time. A task can also be viewed
as a workload component. Each task is automatically assigned a task ID.
As illustrated by the graphic, each process is a member of one task, and each task is
associated with one project.
You can set resource controls at the process, task, project, and zone levels. You can find a
list of the available resource controls for each level on the resource_controls man page.
Examples of a few resource controls are provided in the slide.
Threshold Value:
Unauthorized reproduction or distribution prohibited. Copyright © 2014, Oracle and/or its affiliates.
You define the constraints for a resource control through threshold values and privilege levels.
A threshold value on a resource control constitutes a point at which local actions can be
triggered or global actions, such as logging, can occur.
Note: Local actions are taken on a process that attempts to exceed the control value. Global
actions apply to resource control values for every resource control on the system.
For each threshold value that is placed on a resource control, you can associate one or more
actions. There are three types of local actions: none, deny, and signal=. These are defined
in the slide.
Note
• The deny action is useful for monitoring resource usage without affecting the progress of
applications.
• Not all of the actions can be applied to every resource control. For example, a process
cannot exceed the number of CPU shares assigned to the project of which it is a member.
Therefore, a deny action is not allowed on the project.cpu-shares resource control.
Each threshold value on a resource control must be associated with a privilege level. You will
look at these privilege levels next.
Privilege levels:
The privilege level for a resource control must be one of these three types: basic,
privileged (priv), or system. The definitions for all the types are shown in the slide.
A resource control is guaranteed to have one system value, which is defined by the system,
or resource provider. The system value represents how much of the resource the current
implementation of the operating system is capable of providing.
You can define any number of privileged values, and only one basic value is allowed.
Operations that are performed without specifying a privilege value are assigned a basic
privilege by default.
The example shows the task.max-lwps resource control. It has been assigned a privilege
level of privileged (priv), which means only the user or current process can modify this
limit, a threshold value of 1K, and the deny action.
More than one resource control can exist on a resource. A resource control can exist at each
containment level in the process model. If resource controls are active on the same resource
at different container levels, the smallest container’s control is enforced first. Thus, action is
taken on process.max-cpu-time before task.max-cpu-time if both controls are
encountered simultaneously.
Use the utilities in the following table to set and modify resource controls:

Utility   Description
prctl     Get or set the resource controls of running processes, tasks, and projects.
projadd   Administer a new project on the system, to include specifying resource control attributes.
projmod   Modify a project’s information on the system, to include modifying a project’s resource control attributes.
rctladm   Display or modify the global state of system resource controls.
You can set and modify the resource controls through the utilities listed in the table shown in
the slide. You learn how to configure the resource controls by using each of these utilities
later in this lesson.
projname:projid:comment:user-list:group-list:attributes
# cat /etc/project
system:0::::
user.root:1::::
noproject:2::::
default:3::::
group.staff:10::::
The resource controls facility is configured through the project database.
Note: Updates to entries in the project database, whether to the /etc/project file or to a
representation of the database in a network naming service, are not applied to currently active
projects. The updates are applied to new tasks that join the project when either the login or
the newtask command is used.
Each entry in the project database consists of one line of text containing six fields
separated by colons (:). The format of each entry is shown in the slide. The description for
each field is as follows:
• projname: Name of the project
• projid: Project’s unique numerical ID (PROJID) within the system. Project IDs below
100 are reserved for the use of the operating system.
• comment: Description of the project
these exceptions.
• attributes: Semicolon-separated list of name-value pairs, the most frequent use of
which is resource controls. See the project man page for a list of accepted name-
value pairs.
An example of the default /etc/project file is shown in the slide.
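The six-field entry format above and the name=(privilege,threshold,action) form of a resource control introduced earlier (the task.max-lwps=(priv,1K,deny) example) are both easy to parse and worth validating before an entry goes into the project database. As an added example (not course code), the POSIX shell functions below read /etc/project-style lines, extract a project's attributes, parse each resource control into its parts, reject unknown privilege levels and actions, and apply the lesson's rule that deny is not allowed on project.cpu-shares. The five default entries are the ones shown on the slide; the payroll entry, its users and its two resource controls are constructed for the example. The function names are the example's own, and treating the K/M/G suffix as a decimal multiplier (1K = 1000) for count-type controls is an assumption to check against the prctl man page for any specific control.

```sh
# Added example, not from the course: parse /etc/project entries and the
# resource-control attributes they carry. The first five lines are the
# lesson's default entries; the payroll entry is constructed.
PROJECT_SAMPLE='system:0::::
user.root:1::::
noproject:2::::
default:3::::
group.staff:10::::
payroll:1001:Payroll batch jobs:alice,bob:staff:task.max-lwps=(priv,1K,deny);project.cpu-shares=(priv,20,none)'

# Expand a scaled threshold such as 1K. Assumption: decimal multipliers
# (1K = 1000) for count-type controls; confirm the unit rules of a given
# control in the prctl man page before relying on this.
rctl_scale() {
    n=${1%[KMG]}
    case $1 in
        *K) echo $((n * 1000)) ;;
        *M) echo $((n * 1000000)) ;;
        *G) echo $((n * 1000000000)) ;;
        *)  echo "$n" ;;
    esac
}

# Parse "name=(privilege,threshold,action)" into "name privilege threshold action".
# Rejects unknown privilege levels and actions and, as the lesson states,
# a deny action on project.cpu-shares. Returns 1 on rejection.
parse_rctl() {
    name=${1%%=*}
    body=${1#*=}; body=${body#\(}; body=${body%\)}
    priv=${body%%,*}; rest=${body#*,}
    value=${rest%%,*}; action=${rest#*,}
    case $priv in
        basic|priv|privileged|system) ;;
        *) echo "rejected $1: unknown privilege level '$priv'"; return 1 ;;
    esac
    case $action in
        none|deny|signal=*) ;;
        *) echo "rejected $1: unknown action '$action'"; return 1 ;;
    esac
    if [ "$name" = project.cpu-shares ] && [ "$action" = deny ]; then
        echo "rejected $1: deny is not allowed on project.cpu-shares"; return 1
    fi
    echo "$name $priv $(rctl_scale "$value") $action"
}

# Print the parsed resource controls of project $1 (stdin = /etc/project lines).
# Attributes are the sixth colon-separated field, separated by semicolons.
project_rctls() {
    while IFS=: read -r pname _projid _comment _users _groups attrs; do
        [ "$pname" = "$1" ] || continue
        printf '%s\n' "$attrs" | tr ';' '\n' | while read -r attr; do
            if [ -n "$attr" ]; then parse_rctl "$attr"; fi
        done
    done
}

# Project IDs below 100 are reserved for the operating system.
projid_reserved() { [ "$1" -lt 100 ]; }

printf '%s\n' "$PROJECT_SAMPLE" | project_rctls payroll
# task.max-lwps priv 1000 deny
# project.cpu-shares priv 20 none
parse_rctl 'project.cpu-shares=(priv,20,deny)' || echo "(rejected, as intended)"
```

A project database entry is a plain colon-separated line, so a typo in the attributes field is not caught until a task joins the project; running new entries through a check like parse_rctl before editing /etc/project catches an unknown action or privilege level earlier.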
limited.
• You can specify limits for both the global and non-global zones using either:
– zonecfg command (limits are persistent)
– prctl command (limits are not persistent)
• Examples of zone-wide resource controls include:
– zone.cpu-cap: Limits the amount of CPU resource for the zone
– zone.cpu-shares: Number of fair share scheduler (FSS) CPU shares for the zone
– zone.max-locked-memory: Total amount of physical locked memory that is available to a zone
Zone-wide resource controls limit the total resource usage of all process entities within a
zone. These limits are specified for both the global and non-global zones by using the
zonecfg command.
You can also specify these limits for running processes by using the prctl command.
However, the limits you specify through the prctl command are not persistent. They are in
effect only until the system is rebooted.
Some examples of zone-wide resource controls are shown in the slide. For a complete listing
and description of the zone-wide resource controls, see the “Setting Zone-Wide Resource
Controls” section of Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10
Zones, and Resource Management.
Oracle Solaris 11 supports a number of performance tools that enable you to view the current
resource consumption of workloads that are running on your system. By using these tools,
you can evaluate whether you must restrict access to a given resource or isolate particular
workloads from other workloads.
In this lesson you learn how to use the vmstat, iostat, and df utilities to evaluate memory
and disk resource usage. You also learn how to use the sar utility to monitor system
activities.
As part of the predeployment testing effort, you have been assigned the task of configuring
system resources, putting resource controls in place, and then monitoring the use of these
resources.
In the topics that follow, you learn how to complete each of these tasks.
Answer: a
zone levels.
a. True
b. False
Answer: a
privilege level.
a. True
b. False
Answer: a
action?
task.max-lwps=(priv,1K,deny)
a. task.max-lwps=
b. priv
c. 1K
d. deny
Answer:odn l
ro R
C ice
You can specify limits for both the global and non-global zones
Answer: b
Evaluation
• Configuring and Administering System Resources
• Monitoring System Performance
• Defining a project
• Obtaining project membership information
• Modifying a project
• Adding attributes and attribute values to a project
• Substituting attributes and attribute values for a project
• Removing attributes or attribute values from a project
• Displaying currently running projects
• Creating a new task
• Moving a running process into a new task
• Deleting a project
# projects -l
system
        projid : 0
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
user.root
        projid : 1
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
<continued on next slide>
noproject
        projid : 2
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
default
        projid : 3
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
group.staff
        projid : 10
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
The continuation of the default /etc/project file is shown in the example in the slide.
projects -l.
2. Add a project by using projadd -U username -p projid project.
3. View the projects file again to verify that the new project has been added.
# projects -l
# projadd -U jjones -p 4115 testproj
# projects -l
<output omitted>
testproj
        projid : 4115
        comment: ""
        users  : jjones
        groups : (none)
        attribs:
To define a project, you add it by using the projadd command. The steps listed in the slide
show how to define a project.
Notes for step 1: Check to see what projects have been defined in the system and determine
what project ID number is available for your project.
Notes for step 2: The options that are used with the projadd command are as follows:
• -U user: Specifies a user for the project. Multiple users can be specified by using a
comma-separated list.
• -p projid: Sets the project ID for the new project
Note: The projid should be specified as a non-negative decimal integer below
UID_MAX as defined in limits.h. The projid defaults to the next available unique
number above the highest number currently assigned. For example, if projids 100,
105, and 200 are assigned, the next default projid is 201. projids between 0 and 99
are reserved by the Oracle Solaris operating system.
For a full list of options, see the projadd man page.
In the example in the slide, after you have checked the project file, you create a new project
called testproj with project ID 4115 and assign it to the user jjones. You then verify that
your new project has been added to the projects file.
# /usr/bin/id -p
uid=0(root) gid=0(root) projid=4015(testproj)
To obtain information about project membership, you use the id -p command. The id
command is used to return user identity. The -p option provides information about the current
project membership of the invoking process.
In the example in the slide, you are displaying the identity of the current user, which in this
case is root. You can see that the project you just created, testproj (4015), has been
assigned to this user.
To modify the information associated with a project, such as giving the project a new name or
project ID or adding a comment, you use the projmod command, as shown in the steps
listed in the slide.
For a list of the options you can use with the projmod command, see the projmod man
page.
In the example in the slide, you are making several modifications to the testproj project.
You are adding a group called testers by using the -G option, and you are adding a short
description of the project, “Oracle Solaris test team”, by using the -c option. You
then verify that your modifications are reflected in the projects file.
name=value project.
2. Add another value to the existing list of values by using the same options.
3. View the projects file to verify that the attribute and attribute values have been added.
# projmod -a -K "task.max-lwps=(priv,100,deny)" testproj
# projmod -a -K "task.max-lwps=(priv,1000,signal=KILL)" testproj
# projects -l
<output omitted>
testproj
        projid : 4115
        comment: "Oracle Solaris test team"
        users  : jjones
        groups : testers
        attribs: task.max-lwps=(priv,100,deny),(priv,1000,signal=KILL)
You can also use the projmod command to edit project attributes. The steps for adding an
attribute are shown in the slide.
The -K option specifies a replacement list of attributes. Attributes are delimited by semicolons
(;). When the -K option is used with the -a option, the attribute or attribute value is added.
Notes for step 1: The value consists of a privilege level, a threshold value, and an action
associated with reaching the threshold.
Notes for step 2: Multiple values are separated by commas.
In the example in the slide, you are adding a resource control attribute to the project that will
restrict the maximum number of lightweight processes (max-lwps) to 100. You then add
another resource control attribute that generates a KILL signal to the project if the number of
lightweight processes exceeds 1000.
Your last step is to verify that the attribute and attribute values have been added to the
projects file, and they have.
-K name=value project.
2. View the projects file to verify that the attribute and attribute values have been replaced.
# projmod -s -K "task.max-lwps=(priv,120,deny),(priv,800,signal=KILL)" testproj
# projects -l
<output omitted>
testproj
        projid : 4115
        comment: "Oracle Solaris test team"
        users  : jjones
        groups : testers
        attribs: task.max-lwps=(priv,120,deny),(priv,800,signal=KILL)
You can substitute attributes and attribute values for a project by using the projmod
command with the -s and -K options, as shown in the steps in the slide.
Notes for step 1: If the attribute does not exist, it is created.
Notes for step 2: Multiple values are separated by commas.
In the example in the slide, you are replacing the current task.max-lwps values that you
defined previously with the new values shown.
To verify that the substitution has been made, you view the projects file. You can see here
that the substitution for the resource control attribute has been made.
If you want to remove an attribute or attribute value from a project, you use the -r and -K
options with the projmod command, as shown in the steps listed in the slide.
In the first example, you are removing the attribute value that restricts the maximum number
of lightweight processes (max-lwps) to 120. You then verify that the attribute value has been
removed from the project’s attribute entry in the projects file, and it has. The second
attribute value that you added previously still remains.
In the second example, you are removing the entire resource control attribute. If you were to
view the projects file again, you would see nothing listed in the attribs field.
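Added example (not Oracle's code or course material): a small Python model of the attribs syntax these slides use and of what the projmod -a, -s and -r forms with -K do to that field, covering the add, substitute and remove steps above. It also flags values that a lower deny threshold makes unreachable. Decimal scaling for a K suffix on count-type controls and the action validation are assumptions.

```python
"""Model of the /etc/project attribs syntax used on these slides.

Added example, not Oracle's code: parses values such as
task.max-lwps=(priv,100,deny),(priv,1000,signal=KILL) and applies the
projmod -a (add), -s (substitute) and -r (remove) semantics to the field.
"""
import re
from dataclasses import dataclass

PRIVILEGE_LEVELS = {"basic", "priv", "privileged", "system"}
# Scaled thresholds (the quiz on this page writes 1K). Assumption: decimal
# scaling for count-type controls such as task.max-lwps.
UNIT_SCALE = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
VALUE_RE = re.compile(r"\(\s*([^,()]+?)\s*,\s*([^,()]+?)\s*,\s*([^()]+?)\s*\)")


@dataclass(frozen=True)
class RctlValue:
    """One (privilege level, threshold, action) triple of a resource control."""
    privilege: str
    threshold: int
    action: str

    def __str__(self):
        return f"({self.privilege},{self.threshold},{self.action})"


def parse_threshold(text):
    """'1K' -> 1000, '100' -> 100."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", text)
    if not m:
        raise ValueError(f"bad threshold: {text!r}")
    return int(m.group(1)) * UNIT_SCALE[m.group(2)]


def parse_values(text):
    """'(priv,100,deny),(priv,1000,signal=KILL)' -> [RctlValue, RctlValue]."""
    values = []
    for priv, thr, action in VALUE_RE.findall(text):
        if priv not in PRIVILEGE_LEVELS:
            raise ValueError(f"unknown privilege level: {priv!r}")
        # Actions: deny, none, or signal=NAME (the slide shows signal=KILL).
        if action not in ("deny", "none") and not re.fullmatch(r"signal=[A-Z]+", action):
            raise ValueError(f"unknown action: {action!r}")
        values.append(RctlValue(priv, parse_threshold(thr), action))
    if not values:
        raise ValueError(f"no (priv,threshold,action) values in {text!r}")
    return values


def parse_attribs(field):
    """Attributes are delimited by ';', the values of one attribute by ','."""
    attribs = {}
    for item in filter(None, (p.strip() for p in field.split(";"))):
        name, _, value = item.partition("=")
        attribs[name] = parse_values(value)
    return attribs


def format_attribs(attribs):
    return ";".join(f"{n}={','.join(map(str, v))}" for n, v in attribs.items())


def add_attribute(field, name, value):
    """projmod -a -K name=value: append value(s) to the attribute's list."""
    attribs = parse_attribs(field)
    attribs.setdefault(name, []).extend(parse_values(value))
    return format_attribs(attribs)


def substitute_attribute(field, name, value):
    """projmod -s -K name=value: replace the list (created if absent)."""
    attribs = parse_attribs(field)
    attribs[name] = parse_values(value)
    return format_attribs(attribs)


def remove_attribute(field, name, value=None):
    """projmod -r -K name[=value]: drop the given value(s), or the whole attribute."""
    attribs = parse_attribs(field)
    if value is None:
        attribs.pop(name, None)
    else:
        drop = set(parse_values(value))
        attribs[name] = [v for v in attribs.get(name, []) if v not in drop]
        if not attribs[name]:
            del attribs[name]
    return format_attribs(attribs)


def unreachable_values(values):
    """Values whose threshold lies above the lowest deny threshold. A deny
    action stops the resource from growing past its threshold, so a higher
    value in the same list (for example a signal) can never trigger."""
    deny_floor = min((v.threshold for v in values if v.action == "deny"), default=None)
    if deny_floor is None:
        return []
    return [v for v in values if v.threshold > deny_floor]
```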
# prstat -JR
…
PROJID    NPROC  SWAP   RSS MEMORY      TIME  CPU PROJECT
  4015        2  312K 7328K   0.7%   2:35:44  50% testproj
     1        3 2912K   17M   1.6%   0:00:00 0.3% user.root
     0       99  142M  170M    17%   0:00:47 0.0% system
To display statistical information, such as memory and CPU usage, for the processes and
projects that are currently running on the system, you can use the prstat -JR command, as
shown in this example.
The command displays the following information:
• PROJID: ID number of the project
• NPROC: Number of processes in the project
• SWAP: Total virtual memory size of the process, including all mapped files and devices,
in kilobytes (K), megabytes (M), or gigabytes (G)
• RSS: Resident set size of the process in kilobytes (K), megabytes (M), or gigabytes (G)
• MEMORY: Percentage of memory used by a specified collection of processes
• TIME: Cumulative execution time for the process
• CPU: Percentage of recent CPU time used by the process
• PROJECT: Project name
# newtask -v -p testproj
16
To create a new task and associate it with a project, you use the newtask command, as
shown in the slide. You can use the -v option with this command to obtain the system task
ID. The -p option specifies the project. The newtask command creates a new task in the
specified project and places the user’s default shell in this task.
For a full list of options, see the newtask man page.
In the example in the slide, you are creating a task for the testproj project. The task ID is
16.
If you are handling a critical process that cannot be restarted in order to place it into a new
project, you can take a running process and put it into an existing project by creating a new
task. To associate a running process with a new task in an existing project, use the newtask
command, as shown in the steps in the slide.
Note: To perform this task, you must either be the superuser, have the required rights profile,
or be the owner of the process and be a member of the new project.
Notes for step 1: Check to see what projects have been defined in the system and determine
what project ID number is available for your project.
Notes for step 2: The options that are used with the newtask command are as follows:
• -p project_name: Specifies the project name
• -c pid: Specifies the process ID of the process that is being mapped to the task
In the example in the slide, you have a running process called test1 that you want to map to
a task associated with the testproj project. First, you determine the process ID for test1;
it is 8103. You then map the running process’s PID to testproj by using the newtask
command, which generates a new task with the task ID 15. Your last step is to verify that the
new task is mapped to the running process, and it is.
# projdel testproj
# projects -l
<output omitted>
# su - jjones
# projects
default
If you no longer need a project, you can delete it by using the projdel command. The steps
listed in the slide show how to remove a project from the /etc/project file.
Notes for step 3: You should no longer see the deleted project listed.
In the example in the slide, you are deleting the testproj project by using the projdel
command. You then verify that the project no longer appears in the projects file. Next, you
log in as the user jjones to again verify that the project is no longer assigned to this user. As
you can see, the testproj project is no longer associated with jjones. The only project
assigned to jjones is the default project.
In this section, you learn how to display the default resource controls for the system; how to
display information for a specific resource control; how to display the current resource control
settings for a process, task, project, or zone; and how to set up system-wide resource control
monitoring.
# prctl $$
process: 3320: bash
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
process.max-port-events
        privileged      65.5K       -   deny                                 -
        system          2.15G     max   deny                                 -
…
task.max-cpu-time
        usage              0s
        system          18.4Es    inf   none                                 -
…
project.max-contracts
        privileged      10.0K       -   deny
        system          2.15G     max   deny
…
zone.max-lofi
        usage               0
        system          18.4E     max   deny                                 -
…
To determine what resource controls are available for a process, such as the current shell that
is running, you use the prctl $$ command.
Note: $$ refers to the current shell process.
This example applies only to a system on which you have not set or changed the resource
controls; that is, there must be no non-default entries in the /etc/system file or in the
project database.
Note: The prctl command can be used to get or set the resource controls of running
processes, tasks, projects, and zones.
In the example in the slide, which contains only a partial sample, the resource controls that
are available for the bash process are listed. They include resource controls for processes,
tasks, projects, and zones. The threshold value, flags, actions, and recipient are listed for
each resource control attribute.
Note: For a complete list of local flags, global flags, and their definitions, see
rctlblk_set_value(3C).
You will have a chance to see the full list of available resources during the practice.
To determine what the resource control settings are for a process, project, task, or zone, you
can use the prctl -i command with the process, project, task, or zone ID.
In the example in the slide, you want to display the current resource control settings for a
particular task. You run the ps -o command to determine the task ID for the currently running
process. The task ID is 96. You then run the prctl command for task 96 to display the
current control settings for that task.
To display information about a specific resource control, use the prctl command with the -n
option to specify the name of the resource control, followed by the resource control attribute
and $$.
# rctladm
process.max-port-events     syslog=off     [ deny count ]
process.max-msg-messages    syslog=off     [ deny count ]
process.max-msg-qbytes      syslog=off     [ deny bytes ]
process.max-sem-ops         syslog=off     [ deny count ]
…
task.max-cpu-time           syslog=off     [ no-deny cpu-time no-obs inf seconds ]
task.max-processes          syslog=off     [ count ]
task.max-lwps               syslog=notice  [ count ]
…
zone.max-lofi               syslog=off     [ no-basic deny count ]
zone.max-swap               syslog=off     [ no-basic deny bytes ]
zone.max-locked-memory      syslog=off     [ no-basic deny bytes ]
…
After you have set a resource control, you can enable system-wide resource controls to
monitor resource consumption and log a notification to syslog when a resource control
threshold value is exceeded.
To enable the global syslog attribute of a resource control, use the rctladm -e syslog
command with the global syslog attribute for the resource control, as shown in the slide.
Note: The rctladm command is used to display or modify the global state of system
resource controls. For a list of options that can be used with this command, see the rctladm
man page.
In the example in the slide, you are enabling the global syslog attribute of task.max-lwps.
By using the rctladm command without arguments, you can view the global logging state of
each resource control on a system-wide basis, as shown in the second example. In the
example in the slide, you can see that because you have enabled global resource control
monitoring for the task.max-lwps resource control, syslog messaging for that resource
control has been set to notice. When the threshold for this resource control value is
exceeded, a log entry will be generated in the /var/adm/messages file.
The practices for this lesson are designed to reinforce the concepts that have been presented
in the lecture portion. These practices cover the following tasks:
• Practice 11-1: Managing resource controls in global and non-global zones
• Practice 11-2: Evaluating system performance levels
Practice 11-1 should take you about 30 minutes to complete.
Evaluation
• Configuring and Administering System Resources
• Monitoring System Performance
To obtain virtual memory statistics and information about system events, such as CPU load,
paging, number of context switches, device interrupts, and system calls, you can use the
vmstat command. You can also use this command to display statistics on swapping, cache
flushing, and interrupts. In this section, you focus on using the vmstat command to display
virtual memory statistics, system event information, and swapping statistics.
Note: To see information about how to use vmstat to gather other types of virtual memory-
related statistics, see Oracle Solaris Administration: Common Tasks.
# vmstat 5
 kthr      memory            page            disk          faults      cpu
 r b w   swap  free  re  mf pi po fr de sr s0 s1 s2 s3   in   sy   cs us sy id
 0 0 0  11456  4120   1  41 19  1  3  0  2  0  4  0  0   48  112  130  4 14 82
 0 0 1  10132  4280   0   4 44  0  0  0  0  0 23  0  0  211  230  144  3 35 62
 0 0 1  10132  4616   0   0 20  0  0  0  0  0 19  0  0  150  172  146  3 33 64
 0 0 1  10132  5292   0   0  9  0  0  0  0  0 21  0  0  165  105  130  1 21 78
 1 1 1  10132  5496   0   0  5  0  0  0  0  0 23  0  0  183   92  134  1 20 79
 1 0 1  10132  5564   0   0 25  0  0  0  0  0 18  0  0  131  231  116  4 34 62
 1 0 1  10124  5412   0   0 37  0  0  0  0  0 22  0  0  166  179  118  1 33 67
 1 0 1  10124  5236   0   0 24  0  0  0  0  0 14  0  0  109  243  113  4 56 39
The vmstat command reports virtual memory statistics regarding kernel thread (kthr),
virtual memory (memory), disk (disk), trap (faults), and CPU (cpu) activity. A five-second
interval is a good choice for live monitoring.
Note: For a description of each field, see the vmstat man page.
By using this command, you can determine virtual memory performance and identify memory
bottlenecks. Turn your attention to the page and cpu fields. In the page field you want to look
for po (page outs) and sr (scan rate). When both are consistently high (more than 100 per
second) at the same time, the page daemon is being forced to steal free memory from running
processes.
Note: The free column (located in the memory section to the right of the swap column) may
not be a good indication of the available memory in the system. This is because, after
memory pages are used by the file system buffer cache, they are not returned to the free list.
When the page daemon detects a memory shortfall, it scans for pages that can be freed.
Pages are then freed from the file system buffer cache for the use of applications.
available memory. However, on the first line of the output, the system is consuming very little
CPU time and the idle time is very high, which means more memory is available.
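Added example (not from the course): a Python check that applies the po and sr rule of thumb above to vmstat output. The sample output is constructed; the 100-per-second threshold comes from the notes, and the two-interval minimum for "consistently high" is an assumption.

```python
"""Flag memory pressure in vmstat output using this lesson's rule of thumb.

Added example, not part of the course material: parses the column header
of vmstat, drops the first sample (statistics since boot), and reports
runs of intervals in which po and sr are both above 100 per second.
"""
PRESSURE_THRESHOLD = 100  # per second, for both po and sr, as the notes state

# Constructed sample in vmstat 5 layout (not the slide's data). The last
# three intervals show the page daemon stealing memory from running processes.
SAMPLE = """\
 kthr      memory            page            disk          faults      cpu
 r b w   swap  free  re  mf pi po fr de sr s0 s1 s2 s3   in   sy   cs us sy id
 0 0 0  11456  4120   1  41 19  1  3  0  2  0  4  0  0   48  112  130  4 14 82
 0 0 1  10132  4280   0   4 44  0  0  0  0  0 23  0  0  211  230  144  3 35 62
 0 0 1  10132  4616   0   0 20  0  0  0  0  0 19  0  0  150  172  146  3 33 64
 2 1 1   9020  1100   0  80 90 140 200 0 310 0 40  0  0  400  900  500  8 60 32
 3 2 1   8800   980   0  95 85 160 240 0 350 0 42  0  0  420  950  520  9 62 29
 3 2 1   8600   900   0  90 88 155 230 0 330 0 41  0  0  410  940  510  9 61 30
"""


def unique_names(fields):
    """vmstat prints 'sy' twice (faults: system calls; cpu: system time);
    number the repeats so both survive in a dict: the second 'sy' -> 'sy2'."""
    seen, names = {}, []
    for f in fields:
        n = seen.get(f, 0) + 1
        names.append(f if n == 1 else f"{f}{n}")
        seen[f] = n
    return names


def parse_vmstat(text):
    """Return one dict per sample line, keyed by the column header names."""
    header, rows = None, []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if header is None:
            if fields[0] == "r" and "po" in fields and "sr" in fields:
                header = unique_names(fields)
            continue  # the kthr/memory/page group line, or anything before it
        if len(fields) != len(header):
            raise ValueError(f"column count mismatch: {line!r}")
        rows.append(dict(zip(header, map(int, fields))))
    if header is None:
        raise ValueError("no vmstat column header found")
    return rows


def memory_pressure_runs(rows, threshold=PRESSURE_THRESHOLD, min_run=2):
    """Indexes (1-based, live samples only) of consecutive intervals where
    po and sr both exceed the threshold for at least min_run samples."""
    runs, current = [], []
    for i, r in enumerate(rows[1:], start=1):   # rows[0] is since boot
        if r["po"] > threshold and r["sr"] > threshold:
            if current and i == current[-1] + 1:
                current.append(i)
            else:
                current = [i]
                runs.append(current)
    return [run for run in runs if len(run) >= min_run]


def summarize(text):
    """Headline numbers a monitoring check would report for one vmstat run."""
    rows = parse_vmstat(text)
    live = rows[1:]
    return {
        "intervals": len(live),
        "pressure_runs": memory_pressure_runs(rows),
        # 'free' alone is a weak signal: pages in the file system buffer cache
        # are not returned to the free list until the page daemon needs them.
        "min_free_kb": min(r["free"] for r in live),
        "mean_idle_pct": round(sum(r["id"] for r in live) / len(live), 1),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```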
# vmstat -s
        0 swap ins
        0 swap outs
        0 pages swapped in
        0 pages swapped out
   522586 total address trans. faults taken
    17006 page ins
       25 page outs
    23361 pages paged in
       28 pages paged out
    45594 total reclaims
    45592 reclaims from free list
        0 micro (hat) faults
   522586 minor (as) faults
    16189 major faults
    98241 copy-on-write faults
   137280 zero fill page faults
    45052 pages examined by the clock daemon
        0 revolutions of the clock hand
       26 pages freed by the clock daemon
     2857 forks
       78 vforks
<output omitted>
To display system event information (specifically the system events that have occurred since
the last reboot), you use the vmstat -s command, as shown in the slide. This command can
Cic give you an indication of what is occurring in the system that might be causing a load on the
system memory. The number of reclaims from free list is an indication of how quickly the
system was running out of memory. Because programs require memory to run, it might
explain why there is a load on the system.
Other system events that can impact memory are the number of forks that have occurred.
Note: Forks refer to the number of processes launching subprocesses.
Each subprocess that is launched creates a workload that requires memory and CPU
resources to run.
# vmstat -S
kthr memory page disk faults cpu
r b w swap free si so pi po fr de sr dd f0 s1 -- in sy cs us sy id
0 0 0 862608 364792 0 0 1 0 0 0 0 0 0 0 0 406 394 213 1 0 99
To display swapping statistics, use the vmstat command with the -S option. With this
command, you can evaluate the workload created by one job running in the background.
If you are specifically interested in monitoring disk usage, you can use the iostat command,
in both a normal and an extended format. If you want to find out about disk space, you can
use the df command.
# iostat 5
tty sd0 sd1 sd2 sd3 cpu
tin tout kps tps serv kps tps serv kps tps serv kps tps serv us sy wt id
0 3 138 4 51 1 0 7 0 0 0 0 0 0 4 10 0 86
0 47 0 0 0 0 0 0 0 0 0 0 0 0 8 18 0 74
0 16 50 18 3 0 0 0 0 0 0 0 0 0 8 18 0 74
0 16 0 0 0 0 0 0 0 0 0 0 0 0 8 18 0 74
The iostat utility provides statistics on terminal, disk, tape I/O, and CPU usage activity. The
first line of output shows the statistics from the last time the system was booted. Each
subsequent line shows the interval statistics. The default is to show statistics for the terminal
(tty), disks (fd and sd), and CPU (cpu).
Note: For a description of each field, see the iostat man page.
With this command, you can determine which disks are taking more time to service
transactions by comparing the service times (serv column under each disk) for each disk. In
the example in the slide, you can see that the service time for transactions for the sd1 disk is
7 milliseconds as compared to the 51 milliseconds it is taking the sd0 disk to service
transactions. Based on this information, you could determine that the sd0 disk is taking longer
to service transactions; however, you need to keep in mind the nature of the transactions,
which can impact the length of time it takes a disk to service a transaction.
# df -h | more
Filesystem              Size  Used Avail Use% Mounted on
rpool/ROOT/solaris       14G  3.5G   11g  25% /
swap                    1.2G  388K  1.2G   1% /etc/svc/volatile
/usr/lib/libc/libc_hwcap3.so.1
                         14G  3.5G   11g  25% /lib/libc.so.1
swap                    1.2G   56K  1.2G   1% /tmp
swap                    1.2G   60K  1.2G   1% /var/run
ora                     202G   60G  142G  30% /opt/ora
rpool/export             11g   35K   11g   1% /export
rpool/export/home        11g   34K   11g   1% /export/home
rpool/export/home/jholt
                         11g   31K   11g   1% /export/home/jholt
rpool/export/home/oracle
                         11g  5.0M   11g   1% /export/home/oracle
rpool/export/home/tshane
                         11g   31K   11g   1% /export/home/tshane
To show the amount of disk space occupied by the mounted file systems, the amount of used
and available space, and how much of the file system’s total capacity has been used, you can
use the df -h command, as shown in the slide.
Note: The usable disk space that the df command reports reflects only 90 percent of full
capacity. This is because the reporting statistics allow for 10 percent above the total available
space. The percentage of disk space actually reported by the df command is used space
divided by usable space.
In the example in the slide, you can see that the ZFS file system has used up 3.5 GB out of
14 GB, which equates to 25% of the file system’s total capacity.
There are a number of system activities that you can monitor by using the sar utility. In this
section, you focus on five: file access operation statistics, buffer activity, system call statistics,
disk activity, and unused memory. You conclude this section by learning about how to collect
data automatically.
For a full list of activities you can monitor with the sar utility, see Oracle Solaris
Administration: Common Tasks.
# sar -a
00:00:00   iget/s namei/s dirbk/s
01:00:00        0       3       0
02:00:00        0       3       0
03:00:00        0       3       0
04:00:00        0       3       0
05:00:00        0       3       0
06:00:00        0       3       0
07:00:00        0       3       0
08:00:00        0       3       0
08:20:01        0       3       0
08:40:00        0       3       0
09:00:00        0       3       0
09:20:01        0      10       0
09:40:01        0       1       0
10:00:02        0       5       0
Average         0       4       0
To display file access operation statistics, use the sar -a command. The -a option is helpful
for viewing how disk-dependent an application is. The output of the command is as follows:
• iget/s: Number of requests made for inodes that were not in the directory name look-
up cache (DNLC)
• namei/s: Number of file system path searches per second
• dirbk/s: Number of directory block reads issued per second
Note: You can set the number of displays you want displayed by time intervals in seconds.
For example, if you want four displays provided every 10 seconds, you use the command:
# sar -a 10 4
The amount of time reflects how heavily programs and applications are using the file systems.
The larger the reported values for these operating system routines, the more time the kernel is
spending to access user files. At the system level, if this number is high, then you need to be
concerned.
# sar -b
<output omitted>
To display buffer activity, use the sar -b command.
Note: The buffer is used to cache metadata. Metadata includes inodes, cylinder group blocks,
and indirect blocks.
The most important entries are the cache hit ratios %rcache and %wcache. These entries
measure the effectiveness of system buffering. If %rcache falls below 90 percent or if
%wcache falls below 65 percent, you might be able to improve performance by increasing the
buffer space. In the example in the slide, the %rcache and %wcache buffers are not causing
any slowdowns. All the data is within acceptable limits.
# sar -c
<output omitted>
To display system call statistics, such as number of system calls, reads, writes, and forks, use
the sar -c command. Typically, reads and writes account for about half of the total system
calls. However, the percentage varies greatly with the activities that are being performed by
the system.
Note: For a description of each field, see the sar man page.
This information is useful when you are developing metrics or want to use dtrace to track
down a very high number of system calls.
# sar -d
To display disk activity, use the sar -d command. The output will provide you with
information about the name of the device that is being monitored (device), the percentage of
time the device was busy servicing a transfer request (%busy), the average number of
requests (avque), the number of read/write transfers in seconds (r+w/s), the number of
block transfers (blks/s), average wait time (avwait), and average time it took for a request
to be completed by the device (avserv).
Note: For a description of each field, see the sar man page.
Queue lengths and wait times are measured when something is in the queue. If %busy is
small, large queues and service times probably represent the periodic efforts by the system to
ensure that altered blocks are promptly written to the disk. If any of these numbers are too
high for your application, there could be a disk issue.
# sar -r
          freemem freeswap
05:00:00    44784  1714743
06:00:00    44794  1715186
07:00:00    44793  1715159
08:00:00    44786  1714914
08:20:00    44805  1715576
08:40:01    44797  1715347
09:00:00    44761  1713948
09:20:00    44802  1715478
09:40:00    41770  1682239
10:00:00    35401  1610833
10:20:00    34295  1599141
10:40:00    33943  1598425
11:00:00    30500  1561959
Average     43312  1699242
To display unused memory, use the sar -r command. The output provides the number of currently unused memory pages and swap-file disk blocks. The freemem column displays the average number of pages available to user processes. The freeswap column displays the average number of disk blocks available for page swapping.
By monitoring these numbers over time to establish a trend, you can determine whether you are in danger of running out of memory and then take appropriate action to correct the situation. In the listing above, freemem is flat until 09:20 and then falls steadily through 11:00, which is exactly the kind of trend to act on.
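The trend advice above can be checked mechanically. The following Python script is an added example, not code from the course or from Oracle: it parses the freemem and freeswap columns of sar -r output (a constructed copy of the listing above, with a header line assumed), flags the intervals where free memory fell below 80% of the period average, and counts how many consecutive intervals it has been falling. The 80% ratio and the 4 KiB page size used for the MiB conversion are assumptions.

```python
"""Trend check over `sar -r` output.

Added example, not taken from the course: it parses the freemem/freeswap
table that `sar -r` prints and turns the "monitor these numbers over time
to establish a trend" advice into two concrete checks. The sample text is
constructed to carry the same values as the listing above; the 80% ratio,
the page size and the column header line are assumptions.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Sample(NamedTuple):
    time: str
    freemem: int    # free memory, in pages
    freeswap: int   # free swap, in 512-byte disk blocks


# Constructed: same numbers as the slide, with a header line added.
SAMPLE_SAR_R = """\
00:00:00  freemem freeswap
05:00:00    44784  1714743
06:00:00    44794  1715186
07:00:00    44793  1715159
08:00:00    44786  1714914
08:20:00    44805  1715576
08:40:01    44797  1715347
09:00:00    44761  1713948
09:20:00    44802  1715478
09:40:00    41770  1682239
10:00:00    35401  1610833
10:20:00    34295  1599141
10:40:00    33943  1598425
11:00:00    30500  1561959

Average     43312  1699242
"""

SAMPLE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\d+)\s+(\d+)\s*$")
AVERAGE_RE = re.compile(r"^Average\s+(\d+)\s+(\d+)\s*$")


def parse_sar_r(text: str) -> Tuple[List[Sample], Optional[Sample]]:
    """Return the per-interval samples and the Average row (if present)."""
    samples: List[Sample] = []
    average: Optional[Sample] = None
    for line in text.splitlines():
        m = SAMPLE_RE.match(line)
        if m:
            samples.append(Sample(m.group(1), int(m.group(2)), int(m.group(3))))
            continue
        a = AVERAGE_RE.match(line)
        if a:
            average = Sample("Average", int(a.group(1)), int(a.group(2)))
    return samples, average


def low_memory_samples(samples: List[Sample], average: Sample,
                       ratio: float = 0.8) -> List[str]:
    """Times at which freemem fell below `ratio` of the reporting-period average."""
    floor = average.freemem * ratio
    return [s.time for s in samples if s.freemem < floor]


def trailing_decline(samples: List[Sample]) -> int:
    """How many consecutive intervals, counting back from the last, freemem dropped."""
    drops = 0
    for later, earlier in zip(reversed(samples), reversed(samples[:-1])):
        if later.freemem < earlier.freemem:
            drops += 1
        else:
            break
    return drops


def pages_to_mib(pages: int, page_size: int = 4096) -> float:
    """Convert a freemem page count to MiB; 4 KiB pages is an assumption (see pagesize(1))."""
    return pages * page_size / (1024 * 1024)


if __name__ == "__main__":
    samples, average = parse_sar_r(SAMPLE_SAR_R)
    print("below 80% of average:", low_memory_samples(samples, average))
    print("consecutive drops at end of period:", trailing_decline(samples))
    print("latest free memory: %.1f MiB" % pages_to_mib(samples[-1].freemem))
```

On the slide's numbers the script reports the 10:20, 10:40 and 11:00 intervals as below 80% of the average and five consecutive falling intervals; feeding it `sar -r -f /var/adm/sa/sadd` output from the automatic collection described next gives the same check over a whole day.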
# svcadm enable system/sar:default
# crontab -e sys
…
#0 * * * 0-6 /usr/lib/sa/sa1
#20,40 8-17 * * 1-5 /usr/lib/sa/sa1
5 18 * * 1-5 /usr/lib/sa/sa2 -s 8:00 -e 18:01 -i 1200 -A
Instead of having to manually gather system performance information, you can set up automatic data collection by following the steps listed in the slide.
Notes for step 1: Enabling the sar service writes a special record that marks the time when the counters are reset to zero (boot time).
Notes for step 2: You do not edit a crontab file directly. Instead, you use the crontab -e command to make changes to an existing crontab file; here the file belongs to the sys user.
Notes for step 3: By uncommenting this entry, the sa2 script will run every day Monday through Friday at 6:05 PM. The monitoring start time is 8 AM and the end time is 6:01 PM. The performance data interval is every 1200 seconds (every 20 minutes). The -A option at the end of the entry means that the script will report overall system performance. The data files are placed in the /var/adm/sa directory. Each file is named sadd, where dd is the current day of the month. Note that sa2 only reports what sa1 has collected, so the sa1 entries must be uncommented as well for the report to contain interval data.
Note: For other ways to set up automatic data collection, see “Collecting System Activity Data
Automatically (sar)” in Oracle Solaris Administration: Common Tasks.
Commands    Description
vmstat -S   Displays swapping statistics
Unauthorized reproduction or distribution prohibited. Copyright © 2014, Oracle and/or its affiliates.
The table displayed in the slide contains a list of the system monitoring commands you covered in this topic.
This practice should take you about 30 minutes to complete.
Monitoring and Troubleshooting Software Failures
Objectives
Job workflow (figure): AI Installation, Resource Evaluation, Data Storage, Processes, Network, Enterprise Configuration, Datacenter Network, Virtualization, Auditing, Services, Privileges
Before you start the lesson, orient yourself in the job workflow. You have reached the end of the workflow. You have successfully performed all major administrative tasks: installation, software updates, data storage management, network, zones, and services configuration. You have also put system security controls in place with role-based access control (RBAC) and Oracle Solaris auditing. You have ensured that the system resources are being used appropriately with the resource controls that you have set up for the processes running on the system. In this last lesson, you configure the facilities that you will need to monitor and capture issues with the software.
Implementation
• Configuring System Messaging
• Configuring System Crash Facilities
• Configuring Dump Facilities for Business Application Failure
Knowing what issues the operating system is encountering and what actions to take to correct those issues is an important part of your role as a system administrator. Recognizing this, your company has developed a plan that identifies the system monitoring and diagnostic tools that they want in place to quickly and efficiently identify and resolve issues that might occur within the Oracle Solaris operating system. The plan includes time for you to be trained on how to configure and use these tools. In addition to system logging, your company wants you to set up crash and core dump files so that any major issues with the operating system or with any processes or applications can be captured and sent to a support engineer for analysis and resolution.
In this section, you are introduced to system messaging and crash and core dump file configuration.
The first thing that you need to do to set up system messaging is to identify target locations for the syslog message files. The target locations are defined in the /etc/syslog.conf file.
Note: A configuration entry in the /etc/syslog.conf file consists of two tab-separated
fields: selector and action. The selector field has two components: a facility and a level
written as facility.level. Facilities represent categories of system processes that can
generate messages. Levels represent the severity or importance of the message. The action
field determines where to send the message. This is the target location.
Within the /etc/syslog.conf file, you use a selector level of err to indicate that all events
of priority error (and higher) are logged to the target defined in the action field.
In the example in the slide, partial contents of the /etc/syslog.conf file are displayed. In
the first line, every error event (*.err) and all kernel and authorization facility events of level
notice, which are not error conditions but might require special handling, will write a message
to the /dev/sysmsg file.
logged in.
The fifth line, which is taken from the “log messages to be logged locally” section of the
/etc/syslog.conf file, indicates that any event that the system interprets as an
emergency will be logged to the terminal of every logged-in user.
Note: You will have the opportunity to examine the /etc/syslog.conf file in full during the
practice on setting up system messaging.
To alter the event logging mechanism, edit the /etc/syslog.conf file and then restart or refresh the syslogd daemon so that it rereads the file.
Note: You must restart (or refresh) the syslogd daemon whenever you make any changes to the /etc/syslog.conf file; the daemon reads the file only when it starts or is refreshed.
The syslogd daemon can be started automatically during boot or it can be manually started from the command line. During each system boot, the /lib/svc/method/system-log file starts the syslogd process. The /etc/syslog.conf configuration file is read each time the syslogd daemon starts.
If you have modified the configuration file, you can manually stop or start the syslogd daemon, or send it a refresh command, which causes the daemon to reread the /etc/syslog.conf file. The example in the slide shows the commands for stopping, starting, and refreshing the syslogd daemon.
Note: Oracle Solaris 11.1 includes an enhanced version of the syslog daemon called rsyslog. The rsyslog daemon provides enhanced features for message logging, such as failover log destinations, high-precision timestamps, queued operations, and filtering on any part of a message. These advanced features make rsyslog suitable for enterprise-class, encryption-protected deployments, while being easy to set up and use. By default, the rsyslog daemon is not enabled. Administrators can switch to this new logging daemon by disabling svc:/system/system-log:default and enabling svc:/system/system-log:rsyslog using the SMF administrative utilities.
A part of setting up system messaging includes enabling TCP tracing. Use the inetadm command to modify the settings of a service to enable the trace option. When you enable TCP tracing, the inetd daemon uses syslog to record incoming network connection requests made by using TCP. The client's IP address, TCP port number, and the name of the service are logged.
You can enable tracing on all services or on each service separately.
Note: The change is recognized immediately. There is no requirement to restart any daemon process.
By default, the /etc/syslog.conf file is configured such that the syslogd daemon selectively distributes the messages that are sent to it from the inetd daemon to the /var/adm/messages file. This message distribution is achieved through the daemon.notice entry in the /etc/syslog.conf file.
In the example in the slide, all daemon messages of level notice or higher are sent to the /var/adm/messages file.
Note: The /var/adm/messages file must exist. If it does not exist, create it, and then stop and start the syslogd daemon; otherwise, messages will not be written to the file.
# inetadm -l telnet
SCOPE NAME=VALUE
name="telnet"
endpoint_type="stream"
proto="tcp6"
isrpc=FALSE
wait=FALSE
exec="/usr/sbin/in.telnetd"
user="root"
default bind_addr=""
default bind_fail_max=-1
default bind_fail_interval=-1
default max_con_rate=-1
default max_copies=-1
default con_rate_offline=-1
default failrate_cnt=40
default failrate_interval=60
default inherit_env=TRUE
default tcp_trace=TRUE
default tcp_wrappers=FALSE
In this example, you are enabling TCP tracing on telnet sessions. You then verify that the tracing option is enabled, and it is.
Note: The -m option changes the values of the specified properties of the identified service instances.
If you want to enable TCP tracing on all services, use the following command:
# inetadm -M tcp_trace=TRUE
Note: The -M option changes the value of the specified inetd default property or properties.
syslogd daemon.
• You can write administrative shell scripts that report the status of backups or other functions.
# logger System rebooted
# logger -p user.err System rebooted
The logger command enables you to send messages to the syslogd daemon. By using the logger command, you can write administrative shell scripts that report the status of backups or other functions. The slide gives you the syntax for the command. The description for each option is as follows:
• -i: Logs the process ID of the logger command with each line
• -f file: Uses the contents of the file as the message to log (the file must exist)
• -p priority: Enters the message with the specified priority
• -t tag: Marks each line that is added to the log file with the specified tag
• message: Concatenates the string arguments of the message in the order specified, separated by single-space characters
You can specify message priority as a facility.level pair. For example, -p local3.info assigns a message priority of info level in the local3 facility. The default priority is user.notice.
In the first example, the message System rebooted is logged to the syslogd daemon with the default priority (facility user, level notice). In the second example, -p user.err raises the level to err, so the message also reaches the targets named by the *.err selectors in /etc/syslog.conf.
You can also specify a message priority numerically. For example, logger -i -p 2 "crit" creates an entry in the message log that identifies the user.crit facility.level pair as follows:
Nov 3 09:49:34 hostname root[2838]: [ID 702911 user.crit] crit
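The selector rules described under /etc/syslog.conf earlier in this lesson and the numeric priority that logger -p accepts are two views of the same facility/level encoding. The following Python model is an added example; it is not code from the course or from Oracle. It parses a constructed syslog.conf built from the entries quoted on this page plus the standard default lines for operator, root and the all-users emergency broadcast, answers "which actions receive a message of a given facility.level" (including the this-level-and-higher rule, comma lists, * and none), and converts between facility.level pairs and the facility*8+level numbers. The facility table is a subset of the syslog.h values and is an assumption of the example.

```python
"""How syslogd routes a message, and what `logger -p <number>` means.

Added example; it is not code from the course or from Oracle. It models the
selector matching that /etc/syslog.conf entries describe (facility.level,
`*`, comma lists, `none`, the "this level and higher" rule) and the
facility*8+level arithmetic behind a numeric logger priority. The facility
table is a subset of the syslog.h values, and the sample configuration is
constructed from the entries the text quotes plus the standard default
lines for operator, root and the all-users emergency broadcast.
"""
import re
from typing import Dict, List

LEVELS = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
          "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}
LEVEL_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumption: only this subset of facilities is needed here (local0-7 are 16-23).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8}
FACILITIES.update({"local%d" % i: 16 + i for i in range(8)})
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}

NONE = -1  # selector level "none": log nothing from that facility

# Constructed sample; selector and action are tab-separated, as in the real file.
SAMPLE_SYSLOG_CONF = (
    "*.err;kern.notice;auth.notice\t/dev/sysmsg\n"
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n"
    "*.alert;kern.err;daemon.err\toperator\n"
    "*.alert\troot\n"
    "*.emerg\t*\n"
    "local0.notice\t@host2\n"
)


def parse_syslog_conf(text: str) -> List[Dict]:
    """One dict per entry: {"thresholds": {facility: max_level}, "action": target}."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selector, action = re.split(r"\s+", line, maxsplit=1)
        thresholds: Dict[str, int] = {}
        for part in selector.split(";"):
            facs, level = part.rsplit(".", 1)
            threshold = NONE if level == "none" else LEVELS[level]
            targets = list(FACILITIES) if facs == "*" else facs.split(",")
            for fac in targets:
                thresholds[fac] = threshold  # later selectors on the line win
        entries.append({"thresholds": thresholds, "action": action})
    return entries


def route_message(entries: List[Dict], facility: str, level: str) -> List[str]:
    """Actions that receive a message; a level matches if it is at least as severe."""
    severity = LEVELS[level]          # lower number = more severe
    actions = []
    for entry in entries:
        threshold = entry["thresholds"].get(facility)
        if threshold is not None and threshold != NONE and severity <= threshold:
            actions.append(entry["action"])
    return actions


def encode_priority(spec: str) -> int:
    """'local3.info' -> 158: the number logger -p accepts in place of the pair."""
    facility, level = spec.split(".")
    return FACILITIES[facility] * 8 + LEVELS[level]


def decode_logger_priority(code: int, default_facility: str = "user") -> str:
    """Reverse of encode_priority as logger sees it: a zero facility field means
    the default facility (user), which is why `logger -p 2` logs as user.crit."""
    facility_code, severity = code >> 3, code & 7
    facility = default_facility if facility_code == 0 else FACILITY_NAMES[facility_code]
    return "%s.%s" % (facility, LEVEL_NAMES[severity])


if __name__ == "__main__":
    conf = parse_syslog_conf(SAMPLE_SYSLOG_CONF)
    print("daemon.notice ->", route_message(conf, "daemon", "notice"))
    print("kern.emerg ->", route_message(conf, "kern", "emerg"))
    print("logger -p 2 ->", decode_logger_priority(2))
```

route_message(conf, "daemon", "notice") returns only /var/adm/messages, which is what the daemon.notice entry discussed under TCP tracing predicts, while a kern.emerg message reaches every action in the file. decode_logger_priority(2) returns user.crit because the facility bits of a numeric priority are zero and the default facility fills them in, matching the log line shown above.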
# cat /etc/dumpadm.conf
#
# dumpadm.conf
#
# Configuration parameters for system crash dump.
# Do NOT edit this file by hand -- use dumpadm(1m) instead.
#
DUMPADM_DEVICE=/dev/zvol/dsk/rpool/dump
DUMPADM_SAVDIR=/var/crash/client1
DUMPADM_CONTENT=kernel
DUMPADM_ENABLE=no
DUMPADM_CSAVE=on
Now you focus on configuring the crash and core dump files. You begin with the crash dump.
The /etc/dumpadm.conf file contains the crash dump configuration of the current system. As you can see in the example in the slide, the default values are set as follows:
• DUMPADM_DEVICE=/dev/zvol/dsk/rpool/dump: The default dump device is a dedicated ZFS volume.
Note: You can choose an unused disk partition to use as a dedicated dump device. The traditional method is to use a swap disk partition. Whichever device you choose, be sure that the dump device is large enough to handle the dump content. A good rule of thumb is 50% of the physical memory.
• DUMPADM_SAVDIR=/var/crash/client1: The directory for the savecore files is set to /var/crash/client1.
Note: A crash dump is an image of kernel memory and can contain passwords, keys, and other data that was in flight when it was taken. Leave the savecore directory readable only by root, and handle the dump files you send to support as sensitive.
• DUMPADM_CONTENT=kernel: The dump content is set to kernel memory pages only.
# cat /etc/coreadm.conf
#
# coreadm.conf
#
# Parameters for system core file configuration.
# Do NOT edit this file by hand -- use coreadm(1) instead.
#
COREADM_GLOB_PATTERN=
COREADM_GLOB_CONTENT=default
COREADM_INIT_PATTERN=core
COREADM_INIT_CONTENT=default
COREADM_GLOB_ENABLED=no
COREADM_PROC_ENABLED=yes
COREADM_GLOB_SETID_ENABLED=no
COREADM_PROC_SETID_ENABLED=no
COREADM_GLOB_LOG_ENABLED=no
The /etc/coreadm.conf file contains the current core dump configuration.
As you can see in the example in the slide, the default values for the /etc/coreadm.conf file are set as follows:
• COREADM_GLOB_PATTERN=: Identifies the name to use for the core files placed in a global directory
• COREADM_GLOB_CONTENT=default: Identifies that the content of the core files has the default setting. The resultant core file contains all the process information that is pertinent to debugging.
• COREADM_INIT_PATTERN=core: Identifies the default name that the per-process core files must use. This name is set for the init process, meaning that it is inherited by all other processes on the system.
• COREADM_INIT_CONTENT=default: Indicates that the init core file content has the default content structure.
• COREADM_GLOB_ENABLED=no: Indicates that the global core files are disabled
• Per-process core file path:
– Defaults to core
– Is enabled by default
– If enabled, produces a core file when a process terminates abnormally
– Is inherited by a new process from its parent process
Per-process files are owned and can be viewed only by the process owner.
• Global core file path:
– Defaults to core
– Is disabled by default
– If enabled, produces an additional core file with the same content as the per-process core file
Global core files are owned by the superuser. Non-privileged users cannot read these files.
As you just saw in the /etc/coreadm.conf file, there are two configurable core file paths: per-process and global. A per-process core file path defaults to core and is enabled by default. If enabled, the per-process core file path causes a core file to be produced when the process terminates abnormally. The per-process path is inherited by a new process from its parent process. When generated, a per-process core file is owned by the owner of the process with read/write permissions for the owner. Only the owning user can view this file.
A global core file path also defaults to core but is disabled by default. If it is enabled, an additional core file with the same content as the per-process core file is produced by using the global core file path. When generated, a global core file is owned by the superuser with read/write permissions only for the superuser. Non-privileged users cannot view this file.
Note: COREADM_GLOB_SETID_ENABLED and COREADM_PROC_SETID_ENABLED are both no by default. A core file from a set-id (setuid or setgid) process is an image of that process's memory, including any privileged data it handled, so such processes do not dump core unless you enable it deliberately.
• System messaging
• Crash and core dump files
The predeployment testing effort is nearly at an end. Your final testing activities will be to configure system messaging and the crash and core dump files.
In this assignment, you learn how to complete each of these tasks.
message type?
*.err;kern.debug;daemon.notice;mail.crit
a. /dev/sysmsg
b. /var/adm/messages
c. operator
d. root
Answer: b
You must always restart the syslogd daemon after you modify
Answer: a
a. True
b. False
Answer: b
Answer: a
Implementation
• Configuring System Messaging
• Configuring System Crash Facilities
• Configuring Dump Facilities for Business Application Failure
To set up message routing between two hosts (for example, host1 and host2), perform the steps listed in the slide. Steps 1 and 2 are performed on the first host, host1. The remaining steps are performed on the second host, host2.
Note for step 1: Following our example, the @hostname would be host2.
root@host1:~# vi /etc/syslog.conf
<content omitted>
local0.notice	@host2
root@host1:~# svcadm refresh system/system-log
root@host2:~# touch /var/log/local0.log
root@host2:~# vi /etc/syslog.conf
root@host2:~# grep local0 /etc/syslog.conf
local0.notice	/var/log/local0.log
root@host2:~# svcadm refresh system-log
In the example in the slide, the local0.notice entry is added to the /etc/syslog.conf file on host1 to enable users to record messages. The destination of the message is host2. After you have modified the configuration, make syslogd reread it by using the svcadm refresh command. Next, you create a log file on host2 for the local0 log messages. You then edit the /etc/syslog.conf file on host2 to include the local0.notice entry. Notice that the destination of the message is the log file that you created in the earlier step. Finally, you refresh the syslog daemon on host2 to activate the configuration change. Now any local0 message of level notice or higher logged on host1 is written to /var/log/local0.log on host2.
Note: syslogd forwards messages over UDP port 514, unauthenticated and in clear text, so only forward across a network you trust (or use rsyslog, which can protect the transport). Also check that host2 accepts remote messages: in Oracle Solaris 11 this is controlled by the system-log service's config/log_from_remote property, which is off by default.
# inetadm -M tcp_trace=TRUE
# inetadm -l telnet
SCOPE NAME=VALUE
name="telnet"
endpoint_type="stream"
<output omitted>
default bind_addr=""
default bind_fail_max=-1
default bind_fail_interval=-1
default max_con_rate=-1
default max_copies=-1
default con_rate_offline=-1
default failrate_cnt=40
default failrate_interval=60
default inherit_env=TRUE
default tcp_trace=TRUE
default tcp_wrappers=FALSE
default connection_backlog=10
default tcp_keepalive=FALSE
You enable TCP tracing with the inetadm command, as shown in the slide. The -M option is used to change the values of the specified inetd default property. To verify that TCP tracing is enabled, use the inetadm -p command, which lists the default properties, or inetadm -l service for one service.
In the example in the slide, you enable TCP tracing, and then verify that it is enabled: tcp_trace is now set to TRUE.
Note: To disable TCP tracing, set tcp_trace to FALSE.
# tail -f /var/adm/messages
…
Dec 20 06:10:05 client1 inetd[655]: [ID 317013 daemon.notice] ftp[3044] from 192.168.0.100 61017
You can monitor the designated syslog file in the /var/adm directory, in real time, by using the tail -f /var/adm/messages command. The tail -f command holds the file open so that you can view the messages as they are written to the file by the syslogd daemon. To stop following the /var/adm/messages file, press Ctrl + C.
In the example in the slide, you can see that a TCP tracing notice generated by inetd has been recorded by the syslogd daemon. The message contains the following general information:
• The date and time stamp when the message was generated (Dec 20 06:10:05)
• The local host name (client1)
• The process name and PID number for the process that was involved in the action (inetd[655])
• The message ID number (ID 317013)
• The facility that generated the message; for example, the kernel, a system daemon, or the syslogd daemon (daemon)
• The level of severity for the message; for example, emergency, error, warning, notice, or information (notice)
• The problem or event (ftp[3044] from 192.168.0.100 61017)
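The fields just listed are easy to pick apart with a regular expression, and doing so turns tcp_trace records into something you can count. The following Python script is an added example, not from the course or from Oracle: it parses the syslog line layout described above, keeps the inetd "service[pid] from IP port" records, and tallies connection requests per service and source address. The sample lines are constructed around the one shown on the slide (the additional telnet and sshd lines are invented), and the threshold of three requests is an assumption.

```python
"""Pull inetd TCP-trace records out of /var/adm/messages and count them.

Added example, not from the course: it parses the syslog line layout the
text just decomposed (timestamp, host, process[pid], [ID msgid
facility.level], message), keeps the inetd "service[pid] from IP port"
records that tcp_trace produces, and tallies connections per service and
source address so that a burst from one client stands out. The sample
lines are constructed around the one shown above; the "noisy" threshold is
an assumption.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

MESSAGE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: \[ID (?P<msgid>\d+) "
    r"(?P<facility>\w+)\.(?P<level>\w+)\] (?P<msg>.*)$")
TRACE_RE = re.compile(r"^(?P<service>\S+)\[\d+\] from (?P<ip>\S+) (?P<port>\d+)$")

# Constructed sample: the slide's ftp line plus invented follow-on traffic.
SAMPLE_MESSAGES = """\
Dec 20 06:10:05 client1 inetd[655]: [ID 317013 daemon.notice] ftp[3044] from 192.168.0.100 61017
Dec 20 06:10:09 client1 inetd[655]: [ID 317013 daemon.notice] telnet[3051] from 192.168.0.100 61020
Dec 20 06:10:11 client1 inetd[655]: [ID 317013 daemon.notice] telnet[3052] from 192.168.0.100 61021
Dec 20 06:10:12 client1 inetd[655]: [ID 317013 daemon.notice] telnet[3053] from 192.168.0.100 61022
Dec 20 06:11:40 client1 inetd[655]: [ID 317013 daemon.notice] ftp[3060] from 10.0.0.5 40120
Dec 20 06:12:00 client1 sshd[3070]: [ID 800047 auth.info] Accepted publickey for admin from 10.0.0.5 port 40200
"""

Connection = Tuple[str, str, int]  # (service, client IP, client port)


def parse_message(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into its fields, or None if it is not in that layout."""
    m = MESSAGE_RE.match(line)
    return m.groupdict() if m else None


def parse_messages(lines: Iterable[str]) -> List[Dict[str, str]]:
    return [rec for rec in (parse_message(line) for line in lines) if rec]


def inetd_connections(records: Iterable[Dict[str, str]]) -> List[Connection]:
    """Keep only the tcp_trace records, in file order."""
    conns: List[Connection] = []
    for rec in records:
        if rec["proc"] != "inetd":
            continue
        t = TRACE_RE.match(rec["msg"])
        if t:
            conns.append((t.group("service"), t.group("ip"), int(t.group("port"))))
    return conns


def summarize(conns: Iterable[Connection]) -> Dict[Tuple[str, str], int]:
    """Connection count per (service, source IP)."""
    return dict(Counter((service, ip) for service, ip, _ in conns))


def noisy_sources(summary: Dict[Tuple[str, str], int],
                  threshold: int) -> List[Tuple[str, str]]:
    """(service, IP) pairs that reached `threshold` connection requests."""
    return sorted(key for key, count in summary.items() if count >= threshold)


if __name__ == "__main__":
    records = parse_messages(SAMPLE_MESSAGES.splitlines())
    summary = summarize(inetd_connections(records))
    for (service, ip), count in sorted(summary.items()):
        print("%-8s %-15s %d" % (service, ip, count))
    print("noisy:", noisy_sources(summary, 3))
```

A trace record means only that inetd accepted a TCP connection and handed it to the service; it says nothing about whether the client authenticated. A burst from one address, such as the three telnet requests in the sample, is a reason to look at the service's own log, not evidence of compromise.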
on for thisl lesson are designed to reinforce the concepts that have been presented
The practices
R
inro
the lecture portion. These practices cover the following tasks:
C ice • Practice
act ce 12-1: Sett
Settingg up system
syste messaging
essag g
• Practice 12-2: Configuring system and application crash facilities
Practice 12-1 should take about 30 minutes to complete.
Implementation
• Configuring System Messaging
• Configuring System Crash Facilities
• Configuring Dump Facilities for Business Application Failure
Now that you know how to configure system messaging, you will next look at how to configure the system crash facilities.
# dumpadm
Dump content: kernel pages
Dump device: /dev/zvol/dsk/rpool/dump
Savecore directory: /var/crash/client1
Savecore enabled: no
Save compressed: on
To view the current dump configuration, use the dumpadm command without arguments, as shown in the slide.
Note: The configuration in the slide example matches the configuration that you saw earlier in the /etc/dumpadm.conf file.
# dumpadm -y -d /dev/dsk/c0t1d0s1
Dump content: kernel pages
Dump device: /dev/dsk/c0t1d0s1 (dedicated)
Savecore directory: /var/crash/client1
Savecore enabled: yes
Save compressed: on
As discussed in the topic on planning system messaging and diagnostic facilities implementation, if you want to modify the configuration of the crash dump file, you use the dumpadm command.
You can use several options with this command, as shown in the slide. The description for each option is as follows:
• -n: Specifies that savecore should not be run when the system reboots. Although this is the default setting, this dump configuration is not recommended. If system crash information is written to the swap device and savecore is not enabled, the crash dump information is overwritten when the system begins to swap.
• -u: Forcibly updates the kernel dump configuration based on the contents of the /etc/dumpadm.conf file. Normally, this option is used only on reboot when starting svc:/system/dumpadm:default, when the dumpadm settings from the previous boot must be restored. Your dump configuration is saved in the configuration file for this purpose.
• -y: Modifies the dump configuration to automatically execute the savecore command on reboot.
• -m nnnk | nnnm | nnn%: Maintains a minimum amount of free space in the file system that holds the crash dump files by creating a minfree file in the current savecore directory. This parameter can be specified in KB (nnnk), MB (nnnm), or file system size percentage (nnn%).
• -s savecore-dir: Specifies an alternative directory for storing crash dump files. The default savecore-dir directory is /var/crash/hostname, where hostname is the output of the uname -n command.
• -r root-dir: Specifies an alternative root directory relative to which the dumpadm command should create files. If the -r argument is not specified, the default root directory "/" is used.
• -z on | off: Modifies the dump configuration to control the operation of the savecore command on reboot. The on setting saves the crash dump in compressed form (vmdump.N); the off setting has savecore write it uncompressed (unix.N and vmcore.N).
In the example in the slide, the kernel pages are dumped to a different dump device, /dev/dsk/c0t1d0s1, which is labeled as a dedicated dump device. In addition, the dump configuration is set to automatically execute the savecore command upon reboot by using the -y option.
# savecore -L
dumping to /dev/dsk/c0t1d0s1, offset 65536, content: kernel
0:04 100% done: 103879 pages dumped, dump succeeded
savecore: System dump time: Tue Oct 18 10:23:31 2011
savecore: Saving compressed system crash dump in /var/crash/client1/vmdump.0
savecore: Decompress the crash dump with
'savecore -vf /var/crash/client1/vmdump.0'
To capture a crash dump of the running system to the dump device that you have designated, use the savecore -L command. The -L option saves a crash dump of the live running Oracle Solaris system without actually rebooting or altering the system in any way. This option forces savecore to save a live snapshot of the system to the dump device, and then immediately to retrieve the data and to write it to a new set of crash dump files in the savecore directory. Live system crash dumps can be performed only if you have configured your system with a dedicated dump device by using the dumpadm command.
The vmdump.0 file that you see in the example in the slide contains the recently created dump in compressed format.
/var/crash/hostname/vmdump.0.
After you have saved the live dump, you can uncompress the vmdump.0 file by using the savecore -vf command, as shown in the slide. The -f option makes savecore read the named dump file instead of the dump device; in the example in the slide, the command uncompresses the file to vmcore.0 (with the matching unix.0 kernel image).
following steps:
1. Change directories to the /var/crash directory.
2. List the files in the crash directory.
3. Use the file command to identify the crash dump file, either vmcore.0 or vmdump.0.
4. View the contents of the file by using the strings command.
To view the contents of the crash dump files, you first need to go to the /var/crash directory (here the per-host subdirectory /var/crash/client1). Next, you list the files that are in the directory. You should see these files listed: bounds, unix.0, vmcore.0, and vmdump.0. To view the contents of the vmcore.0 and vmdump.0 files, use the file command, and then the strings command.
From this point, you send the crash dump files to an Oracle Solaris support engineer for analysis to determine what caused the system to crash.
# cd /var/crash/client1
root@client1:/var/crash/client1# ls
bounds unix.0 vmcore.0 vmdump.0
root@client1:/var/crash/client1# file vmcore.0
vmcore.0: SunOS 5.11 11.0 64-bit Intel live dump from 'client1'
root@client1:/var/crash/client1# strings vmcore.0 | more
SunOS
s11-desktop
5.11
11.0
i86pc
i86pc
aefffed4-f452-6dbc-f11e-cdb35c1bc0a2
.symtab
.strtab
.shstrtab
_END_
_START_
__return_from_main
…
In this example, the contents of the vmcore.0 file are displayed. Because the dump content is set to kernel, what you see is the kernel's memory image as it was when the dump was taken.
To display the vmdump.0 file, you use the same set of commands. The vmdump.0 file holds the same dump in compressed form, so after you decompress it with savecore -vf you obtain the same vmcore.0 content.
Implementation
• Configuring System Messaging
• Configuring System Crash Facilities
• Configuring Dump Facilities for Business Application Failure
# coreadm
global core file pattern: /var/core/core.%f.%p
global core file content: default
init core file pattern: core
init core file content: default
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
To view the current core dump configuration, use the coreadm command without arguments, as shown in the slide.
Note: The configuration in the slide example matches the configuration that you saw earlier in the /etc/coreadm.conf file.
# coreadm -e log
# coreadm
global core file pattern: /var/core/core.%f.%p
global core file content: default
init core file pattern: core
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: enabled
As discussed in the first topic on planning system messaging and diagnostic facilities implementation, if you want to modify the configuration of the core dump file, you use the coreadm command, as shown in the slide.
The coreadm command enables you to control the behavior of core file generation. For example, you can use the coreadm command to configure a system such that all process core files are placed in a single system directory. The flexibility of this configuration makes it easier to track problems by examining the core files in a specific directory whenever a process or daemon terminates abnormally. This flexibility also makes it easy to locate and remove the core files on a system.
In the example in the slide, assume that you have already configured and enabled the global core file path and now you want to enable global logging. This will generate a message when the system creates a global core file. To enable global logging, use the coreadm -e command followed by the log core file option. You then verify the change by displaying the current core dump configuration.
Note: You can view the dump creation messages in /var/adm/messages.
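The following is an added example and not code from the Oracle course: a POSIX shell audit that parses coreadm output in the format shown in the slide and compares it with a baseline, so that a change made with coreadm -e, coreadm -d or a -u resync from /etc/coreadm.conf is noticed. The baseline (global dumps and logging on, setid dumps off, global pattern under /var/core) and the SAMPLE_COREADM text are assumptions constructed for the example; on a live system you would pass "$(coreadm)" to coreadm_audit instead.

```shell
#!/bin/sh
# Added example, not part of the Oracle course: audit a coreadm configuration
# against a defender's baseline. SAMPLE_COREADM is constructed to match the
# slide's output format (logging still disabled); on a live system you would
# pass "$(coreadm)" instead.

SAMPLE_COREADM='global core file pattern: /var/core/core.%f.%p
global core file content: default
init core file pattern: core
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled'

# coreadm_get CONFIG KEY -> prints the value shown after "KEY:" (empty if absent).
coreadm_get() {
    printf '%s\n' "$1" | awk -F': *' -v k="$2" '$1 == k { print $2; exit }'
}

# _expect KEY VALUE -> compares one setting of $cfg with the baseline value,
# reporting a mismatch and recording it in $rc.
_expect() {
    actual=$(coreadm_get "$cfg" "$1")
    if [ "$actual" != "$2" ]; then
        echo "MISMATCH: $1 is '${actual:-missing}', expected '$2'"
        rc=1
    fi
}

# coreadm_audit CONFIG -> prints one line per deviation from the baseline;
# returns 0 when the configuration matches it, 1 otherwise.
# The baseline is this example's assumption, not a recommendation of the course:
# global dumps and logging on, setid dumps off, global pattern under /var/core.
coreadm_audit() {
    cfg=$1
    rc=0
    _expect "global core dumps" enabled
    _expect "global core dump logging" enabled
    _expect "global setid core dumps" disabled
    _expect "per-process setid core dumps" disabled
    case $(coreadm_get "$cfg" "global core file pattern") in
        /var/core/*) ;;
        *) echo "MISMATCH: global core file pattern is not under /var/core"; rc=1 ;;
    esac
    return $rc
}

# Demonstration on the constructed sample: reports the disabled logging.
if coreadm_audit "$SAMPLE_COREADM"; then
    echo "configuration matches the baseline"
else
    echo "configuration deviates from the baseline"
fi
```

The two setid checks are the security-relevant part of the baseline: a core file of a set-id program can contain memory that the invoking user is not otherwise entitled to read, so a drift from disabled to enabled deserves an alert. Running coreadm_audit "$(coreadm)" periodically catches that drift as well as a global pattern that has been pointed somewhere other than /var/core.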
• -i pattern: Sets the per-process core file name pattern from init to pattern
Note: For a list of pattern options, see the coreadm man pages. This option is the same as the coreadm -p pattern 1 command that is described in the following list, except that the setting is persistent after a reboot.
• -d option: Disables the specified core file option. See the -e option for descriptions of possible options. You can specify multiple -e and -d options on the command line.
• -e option: Enables the specified core file option, where option can be any one of the following:
- global: Enables core dumps by using the global core pattern
- process: Enables core dumps by using the per-process core pattern
- global-setid: Enables setid core dumps by using the global core pattern
- proc-setid: Enables setid core dumps by using the per-process core pattern
- log: Generates a syslog(3) message when a user attempts to generate a global core file
• -u: Updates system-wide core file options from the contents of the configuration file /etc/coreadm.conf. If the configuration file is missing or contains invalid values, default values are substituted. Following the update, the configuration file is resynchronized with the system core file configuration.
• -p pattern: Sets the per-process core file name pattern to pattern for each of the specified process IDs (PIDs). The pattern can contain any of the special embedded variables and does not have to begin with a slash (/). If pattern does not begin with "/", it is evaluated relative to the current directory that is in effect when the process generates a core file.
• -G content: Sets the global core file content. You can specify content by using pattern options.
A core file name pattern is a file system path name with embedded variables. The embedded
variables are specified with a leading percent (%) character. The operating system expands
these variables from the values that are in effect when the OS generates a core file.
Note: Only the root user can run the following coreadm command options to configure
system-wide core file options: coreadm [-g pattern] [-i pattern] [-d option
... ] [-e option ... ]. Users can run only the coreadm command with the -p option
to specify the file name pattern for the operating system to use when generating a per-process core file.
$ coreadm -p $HOME/corefiles/%f.%p $$
After you determine whether you want to set a per-process or global core file, you can set the core file name pattern. You can set a core file name pattern on a global, zone, or per-process basis. In addition, you can set the per-process defaults that persist across a system reboot.
To set a per-process file name pattern, use the coreadm -p command followed by $HOME/corefiles/%f.%p $$.
Note: This command sets up a per-process core dump that will save core dumps in the $HOME/corefiles directory by the name of the file or program being executed (%f) and the process ID (%p). The $$ symbols represent a placeholder for the process ID of the currently running shell. The per-process core file name pattern is inherited by all child processes.
To set a global file name pattern, use the coreadm -g command followed by /var/core/%f.%p.
After you have set a per-process or global core file name pattern, you must enable it.
• To enable the per-process core file path, use coreadm -e process.
• To enable the global core file path, use coreadm -e global -g /var/core/core.%f.%p.
• To verify the configuration, use coreadm.
# coreadm
global core file pattern: /var/core/core.%f.%p
global core file content: default
init core file pattern: core
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: enabled
To verify either configuration change, you use the coreadm command to display the current core dump configuration. In the example in the slide, you can see that both core dump files are enabled.
Note: When a process terminates abnormally, it produces a core file in the current directory by default. If the global core file path is enabled, each abnormally terminating process might produce two files: one in the current working directory and one in the global core file location.
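To make the pattern rules and the note above concrete, here is an added example (not code from the Oracle course) in POSIX shell: expand_core_pattern substitutes the embedded %-variables into a core file name pattern, and expected_core_paths lists every file a crashing process would leave behind under a given combination of per-process and global settings, including the relative-pattern case and the two-file case. %f and %p are the variables used on the slide; %u, %g, %n, %t, %z and %% are further variables documented in coreadm(1M). The process values (bash, PID 3811, uid 100, and so on) and the directory /export/home/oracle are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Oracle course: expand a coreadm core file name
# pattern the way the kernel does, then list the files an abnormally terminating
# process is expected to leave behind. %f and %p are the variables used on the
# slide; %u, %g, %n, %t, %z and %% are further variables from coreadm(1M).
# All sample values below are constructed.

# expand_core_pattern PATTERN FILE PID UID GID NODE TIME ZONE -> prints the path.
expand_core_pattern() {
    pattern=$1 f=$2 p=$3 u=$4 g=$5 n=$6 t=$7 z=$8
    out=''
    rest=$pattern
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}          # first character of the remainder
        rest=${rest#?}
        if [ "$c" != '%' ]; then
            out="$out$c"
            continue
        fi
        v=${rest%"${rest#?}"}          # the letter following %
        rest=${rest#?}
        case $v in
            f) out="$out$f" ;;         # executable file name
            p) out="$out$p" ;;         # process ID
            u) out="$out$u" ;;         # effective user ID
            g) out="$out$g" ;;         # effective group ID
            n) out="$out$n" ;;         # system node name
            t) out="$out$t" ;;         # time of the dump, decimal seconds
            z) out="$out$z" ;;         # zone name
            %) out="$out%" ;;          # literal percent sign
            *) out="$out%$v" ;;        # unknown variable: kept as written
        esac
    done
    printf '%s\n' "$out"
}

# expected_core_paths GLOBAL_STATE GLOBAL_PATTERN PROCESS_STATE PROCESS_PATTERN CWD \
#                     FILE PID UID GID NODE TIME ZONE
# -> one line per core file the system would create. A per-process pattern that
#    does not start with / is resolved against the process's current directory;
#    with the global path enabled the same crash yields a second file.
expected_core_paths() {
    gstate=$1 gpat=$2 pstate=$3 ppat=$4 cwd=$5
    shift 5
    if [ "$pstate" = enabled ]; then
        path=$(expand_core_pattern "$ppat" "$@")
        case $path in
            /*) printf '%s\n' "$path" ;;
            *)  printf '%s/%s\n' "$cwd" "$path" ;;
        esac
    fi
    if [ "$gstate" = enabled ]; then
        expand_core_pattern "$gpat" "$@"
    fi
}

# Constructed scenario: bash (PID 3811, uid 100, gid 10) on node client1 in the
# global zone dumps core in /export/home/oracle with the slide's settings
# (global and per-process dumps both enabled, per-process pattern "core").
expected_core_paths enabled '/var/core/core.%f.%p' enabled core \
    /export/home/oracle bash 3811 100 10 client1 1362000000 global
```

The demonstration prints /export/home/oracle/core followed by /var/core/core.bash.3811, which is exactly the two-file situation the note describes. Keeping %p (and, on multi-user systems, %u) in the global pattern is what prevents one crashing program from overwriting another user's core file of the same name in the shared directory.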
To view the contents of a core dump file, you first need to go to the /var/core directory. Next, you list the files that are in the directory. To view the contents of a file, use the file command, and then the strings command, just as you did to view the contents of the crash dump file.
From this point, you send the core dump files to an Oracle Solaris support engineer for analysis to determine what caused the system to crash.
# cd /var/core
root@client1:/var/core# ls /var/core
core.bash.3811
root@client1:/var/core# file core*
core.bash.3811: ELF 32-bit LSB core file 80386 Version 1, from 'bash'
root@client1:/var/core# strings core.bash.3811 | more
CORE
pMND-
bash
-bash
CORE
i86pc
CORE
CORE
CORE
CORE
pMND-
bash
-bash
…
…
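With global core dump logging enabled as shown earlier, a core file such as core.bash.3811 is also announced in /var/adm/messages. The following is an added example and not code from the Oracle course: a POSIX shell script that extracts those events from syslog text and reconciles them with the files actually present in the global core directory, so a logged dump that has since disappeared from /var/core stands out. The SAMPLE_MESSAGES lines are constructed for the example in the "core_log: CMD[PID] core dumped: PATH" shape that this script assumes; confirm the field layout against a real entry on your own system before depending on it.

```shell
#!/bin/sh
# Added example, not part of the Oracle course: pull global core dump events
# out of syslog text and reconcile them with the files present in the global
# core directory. The message lines are constructed for this example in the
# "core_log: CMD[PID] core dumped: PATH" shape; check a real /var/adm/messages
# entry on your own system before relying on the field layout.

SAMPLE_MESSAGES='Mar  5 10:12:01 client1 genunix: NOTICE: core_log: bash[3811] core dumped: /var/core/core.bash.3811
Mar  5 10:12:05 client1 sshd[1123]: Accepted publickey for oracle from 10.0.0.5 port 51022
Mar  5 10:15:42 client1 genunix: NOTICE: core_log: httpd[2044] core dumped: /var/core/core.httpd.2044'

# core_log_events TEXT -> prints "CMD PID PATH" for every core_log line.
core_log_events() {
    printf '%s\n' "$1" |
        sed -n 's/.*core_log: \([^[]*\)\[\([0-9]*\)] core dumped: \(.*\)$/\1 \2 \3/p'
}

# missing_core_files TEXT DIR -> prints "CMD PID NAME" for each logged core file
# whose basename is not present in DIR. A dump the kernel logged but that is
# no longer on disk was removed by someone, which is worth following up.
missing_core_files() {
    core_log_events "$1" | while read -r cmd pid path; do
        name=${path##*/}
        [ -f "$2/$name" ] || printf '%s %s %s\n' "$cmd" "$pid" "$name"
    done
}

# reconcile_core_dir TEXT DIR -> 0 when every logged core file is present.
reconcile_core_dir() {
    [ -z "$(missing_core_files "$1" "$2")" ]
}

# Demonstration against a constructed directory holding only the bash core.
demo_dir=$(mktemp -d)
: > "$demo_dir/core.bash.3811"
echo "Logged core dumps:"
core_log_events "$SAMPLE_MESSAGES"
echo "Logged but missing from $demo_dir:"
missing_core_files "$SAMPLE_MESSAGES" "$demo_dir"
rm -rf "$demo_dir"
```

On a live system the call would be reconcile_core_dir "$(cat /var/adm/messages)" /var/core. The reconciliation runs in the other direction too: a file in /var/core with no matching log line either predates the enabling of logging or was placed there by something other than the kernel, and either way is worth checking before the file is sent to support.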
In the example in the slide, the contents of a core dump file for a damaged bash process are displayed.
This practice should take about 30 minutes to complete.
In this lesson, you were introduced to system logs and learned how to monitor system messages. You also learned how to configure the system to generate crash and core dump files.