Category Archives: unix

how to: decommission a VCS cluster node

IT spending can be horribly wasteful sometimes. Companies will spend millions of dollars on the latest and greatest hardware, on which they install Windows 98! Get with the times people! In case someone bought enough hardware for multiple VCS clusters at your company, and put too many nodes in the wrong cluster, here’s how you can decommission a node safely while the cluster is online:

NOTE: I recommend you run these commands from a node that will remain active. Otherwise certain commands will not work.

Solaris 10 roles based access control (RBAC)

If you’ve ever used roles based access control (RBAC) in Solaris you know how useful it can be in managing user accounts and access to system level functionality. Here’s a brief synopsis of how RBAC works and what you can expect to see in /etc/user_attr:

# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# /etc/user_attr
#
# user attributes. see user_attr(4)
#
#pragma ident "@(#)user_attr.txt 1.9 07/10/17 SMI"
#
adm::::profiles=Log Management
jondoe::::type=normal;roles=addSoftware
addSoftware::::type=role;profiles=Software Installation,All
janedone::::type=normal;roles=addSoftware
lp::::profiles=Printer Management
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no;min_label=admin_low;clearance=admin_high
mrsmith::::type=normal;roles=addSoftware

In this example we have a “role” called “addSoftware” and several users with access to that role. The profiles a role can carry are listed in /etc/security/prof_attr, and there you will see “Software Installation” as an available profile:

Software Installation:::Add application software to the system:help=RtSoftwareInstall.html;auths=solaris.admin.prodreg.read,solaris.admin.prodreg.modify,solaris.admin.prodreg.delete,solaris.admin.dcmgr.admin,solaris.admin.dcmgr.read,solaris.admin.patchmgr.*,solaris.smf.manage.servicetags

Assigning users this role allows them to use software installation and removal commands such as “pkginfo”, “pkgadd”, and “pkgrm”, to name a few.

Root, on the other hand, has access to the “All” profile. Lord knows what someone could do with that!
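An added example, not part of the original post: a short Python audit that parses user_attr and prof_attr text and resolves which accounts may assume each role and which profiles and authorizations an account can reach. The function names are hypothetical and the sample input is the entries quoted above; rights that come through a role apply only once the user assumes that role.

```python
# Constructed sample input: the user_attr and prof_attr entries quoted in the post.
USER_ATTR = """\
adm::::profiles=Log Management
jondoe::::type=normal;roles=addSoftware
addSoftware::::type=role;profiles=Software Installation,All
janedone::::type=normal;roles=addSoftware
lp::::profiles=Printer Management
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no;min_label=admin_low;clearance=admin_high
mrsmith::::type=normal;roles=addSoftware
"""
PROF_ATTR = (
    "Software Installation:::Add application software to the system:"
    "help=RtSoftwareInstall.html;auths=solaris.admin.prodreg.read,"
    "solaris.admin.prodreg.modify,solaris.admin.prodreg.delete,"
    "solaris.admin.dcmgr.admin,solaris.admin.dcmgr.read,"
    "solaris.admin.patchmgr.*,solaris.smf.manage.servicetags\n"
)

def parse_db(text):
    """Map entry name -> {key: [values]} for user_attr/prof_attr style text."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        fields = line.split(":", 4)               # both files use five fields
        if len(fields) == 5:                      # last field: key=value;key=value
            pairs = (p.partition("=") for p in fields[4].split(";") if p)
            db[fields[0]] = {k: v.split(",") for k, _, v in pairs}
    return db

def role_members(users):
    """Map each role to the accounts that list it in roles=."""
    members = {}
    for name, attrs in users.items():
        for role in attrs.get("roles", []):
            members.setdefault(role, []).append(name)
    return members

def reachable(user, users, profs):
    """Profiles and auths held directly or gained by assuming a listed role."""
    profiles, auths = [], []
    for name in [user] + users.get(user, {}).get("roles", []):
        entry = users.get(name, {})
        auths += entry.get("auths", [])
        profiles += entry.get("profiles", [])
    for prof in profiles:                         # profiles missing from PROF_ATTR add none
        auths += profs.get(prof, {}).get("auths", [])
    return sorted(set(profiles)), sorted(set(auths))
```

Point parse_db at the real /etc/user_attr and /etc/security/prof_attr contents to review which accounts hold wildcard authorizations such as solaris.*.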

how to: domain information groper (dig) basics

If every IT administrator were issued a Swiss Army knife full of technical tools, dig would certainly be in it.  If you have ever hosted, registered, or administered a domain name or DNS server then you have likely run across this tool at some point.  Here are the basics of DNS and how to use dig to get the information you need:

NOTE: Headers and footers have been removed from these queries for ease of use.  In headers and footers you will see information regarding the version of dig you are using and how long your query took respectively.

how to: Solaris 10 IPMP

Redundant interface setup in Solaris 10 is relatively simple using IPMP.  Here are the basics for configuring IPMP on Solaris 10:

Verify link status for the interfaces you intend to configure in a fail-over group using IPMP:

root@localhost # dladm show-dev
nxge0           link: up        speed: 1000  Mbps       duplex: full
...
nxge7           link: unknown   speed: 0     Mbps       duplex: unknown
nxge4           link: up        speed: 1000  Mbps       duplex: full
...
nxge3           link: unknown   speed: 0     Mbps       duplex: unknown
e1000g0         link: up        speed: 1000  Mbps       duplex: full
e1000g1         link: up        speed: 1000  Mbps       duplex: full

In this example we’ll focus on interfaces nxge0 and nxge4.  Next, create your interface configuration files in /etc/hostname.<interface>, where <interface> is “nxge0” or “nxge4” in our example of dladm show-dev above.  Here we’ll add the meat of the configuration as seen below:

root@localhost # cat /etc/hostname.nxge0
192.168.1.10 netmask 255.255.255.0 broadcast + group if-failover -failover deprecated up
addif 192.168.1.12 netmask 255.255.255.0 failover up
root@localhost # cat /etc/hostname.nxge4
192.168.1.11 netmask 255.255.252.0 broadcast + group if-failover -failover deprecated standby up

NOTE: All items in these files are on a single line.  If you want to wrap text, terminate the first line with a “\”.  Additionally, all items in these configuration files can follow the command “ifconfig” if you’re setting this interactively.  You must create the configuration files in order for these settings to take effect upon reboot.

As you can see from the configuration files above, each interface has a base IP address (192.168.1.10 and 192.168.1.11 above), and “nxge0” has one additional IP address (192.168.1.12) from which all traffic will source.  The “deprecated” option tells ifconfig not to source traffic from the address it is set on, here the base addresses.  The “group” option tells ifconfig that this interface is part of the IPMP group “if-failover”.  The “-failover” option tells ifconfig not to fail this address over if the active member of the fail-over group fails (192.168.1.10 and 192.168.1.11 in our example).  The additional address on “nxge0” (192.168.1.12 in our example) has the “failover” option, telling ifconfig to fail this address over should a member of the interface group it is operating on fail.  Finally, the “standby” option tells interface “nxge4” to operate in standby mode for the group “if-failover”.

Be sure and test fail-over using if_mpadm.
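An added example, not part of the original post: a small Python lint for /etc/hostname.<interface> files that checks the properties described above (base addresses marked “-failover deprecated”, one shared group, at least one address left free to fail over). As an assumption of this example it also reports differing netmasks within the group; the function names are hypothetical and the sample input is the two files shown above.

```python
# Constructed sample input: the two /etc/hostname.<interface> files from the post.
FILES = {
    "nxge0": "192.168.1.10 netmask 255.255.255.0 broadcast + group if-failover "
             "-failover deprecated up\n"
             "addif 192.168.1.12 netmask 255.255.255.0 failover up\n",
    "nxge4": "192.168.1.11 netmask 255.255.252.0 broadcast + group if-failover "
             "-failover deprecated standby up\n",
}
FLAGS = {"-failover", "failover", "deprecated", "standby"}

def parse(text):
    """Return one dict per address configured in a hostname.<interface> file."""
    addrs = []
    for line in text.replace("\\\n", " ").splitlines():   # honour "\" line wraps
        tok = line.split()
        if tok and tok[0] == "addif":                      # extra logical address
            tok = tok[1:]
        if not tok:
            continue
        opts = tok[1:]
        def arg(key):                                      # value following a keyword
            i = opts.index(key) + 1 if key in opts else len(opts)
            return opts[i] if i < len(opts) else None
        addrs.append({"ip": tok[0], "netmask": arg("netmask"),
                      "group": arg("group"), "flags": FLAGS & set(opts)})
    return addrs

def lint(files):
    """Check what the post describes, plus netmask agreement (assumption)."""
    findings, groups, masks, data = [], set(), set(), 0
    for ifname, text in sorted(files.items()):
        addrs = parse(text)
        if not addrs:
            findings.append(f"{ifname}: no address configured")
            continue
        groups.add(addrs[0]["group"])                      # group is set on the base line
        if not {"-failover", "deprecated"} <= addrs[0]["flags"]:
            findings.append(f"{ifname}: base address is not '-failover deprecated'")
        for a in addrs:
            masks.add(a["netmask"])
            data += "-failover" not in a["flags"]          # address may move on failure
    if len(groups) != 1 or None in groups:
        findings.append("interfaces are not all in one IPMP group")
    if len(masks) > 1:
        findings.append("netmasks differ: " + ", ".join(sorted(map(str, masks))))
    if data == 0:
        findings.append("no failover (data) address in the group")
    return findings
```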

how to: Add a new filesystem to an existing Solaris 10 zone

Real easy actually (the special and raw devices below assume you’re using metadb):
zonecfg -z <zone>
add fs
set directory=/app
set special=/dev/md/dsk/<softpart>
set raw=/dev/md/rdsk/<softpart>
set type=ufs
add options logging
end
commit
exit

Now reboot your zone and your new filesystem is mounted on /app.