Logical Domains (LDoms) 1.0.3 Administration Guide
Sun Microsystems, Inc.
Part No. 820-4894-10
May 2008, Revision A

Copyright 2008 Sun Microsystems, Inc.

Contents

Preface

1. Overview of the Logical Domains Software
  Hypervisor and Logical Domains
  Logical Domains Manager
  Roles for Logical Domains
  Command-Line Interface
  Virtual Input/Output
  Virtual Network
  Virtual Storage
  Virtual Console
  Dynamic Reconfiguration
  Delayed Reconfiguration
  Persistent Configurations

2. Security
  Security Considerations
  Solaris Security Toolkit and the Logical Domains Manager
  Hardening
  Minimizing Logical Domains
  Authorization
  Auditing
  Compliance

3. Installing and Enabling Software
  Upgrading the Solaris OS
  Saving and Restoring the Logical Domains Constraints Database File
  Using Live Upgrade on the Control Domain
  Upgrading to LDoms 1.0.3 Software
  To Upgrade From LDoms 1.0 to LDoms 1.0.3 Software
  Freshly Installing Software on the Control Domain
  To Install the Solaris 10 OS
  To Upgrade System Firmware
  To Upgrade System Firmware Without an FTP Server
  To Downgrade System Firmware
  Downloading Logical Domains Manager and Solaris Security Toolkit
  To Download the Logical Domains Manager, Solaris Security Toolkit, and Logical Domains MIB
  Installing Logical Domains Manager and Solaris Security Toolkit
  Using the Installation Script to Install the Logical Domains Manager 1.0.3 and Solaris Security Toolkit 4.2 Software
  To Install Using the install-ldm Script With No Options
  To Install Using the install-ldm Script With the -d Option
  To Install Using the install-ldm Script With the -d none Option
  To Install Using the install-ldm Script With the -p Option
  Using JumpStart to Install the Logical Domains Manager 1.0.3 and Solaris Security Toolkit 4.2 Software
  To Set Up a JumpStart Server
  To Install Using JumpStart Software
  Installing Logical Domains Manager and Solaris Security Toolkit Software Manually
  To Install the Logical Domains Manager (LDoms) 1.0.3 Software Manually
  (Optional) To Install the Solaris Security Toolkit 4.2 Software Manually
  (Optional) To Harden the Control Domain Manually
  To Validate Hardening
  To Undo Hardening
  Enabling the Logical Domains Manager Daemon
  To Enable the Logical Domains Manager Daemon
  Creating Authorization and Profiles and Assigning Roles for User Accounts
  Managing User Authorizations
  To Add an Authorization for a User
  To Delete All Authorizations for a User
  Managing User Profiles
  To Add a Profile for a User
  To Delete All Profiles for a User
  Assigning Roles to Users
  To Create a Role and Assign the Role to a User

4. Setting Up Services and Logical Domains
  Output Messages
  Sun UltraSPARC T1 Processors
  Sun UltraSPARC T2 Processors
  Creating Default Services
  To Create Default Services
  Initial Configuration of the Control Domain
  To Set Up the Control Domain
  Rebooting to Use Logical Domains
  To Reboot
  Enabling Networking Between the Control/Service Domain and Other Domains
  To Configure the Virtual Switch as the Primary Interface
  Enabling the Virtual Network Terminal Server Daemon
  To Enable the Virtual Network Terminal Server Daemon
  Creating and Starting a Guest Domain
  To Create and Start a Guest Domain
  Jump-Starting a Guest Domain

5. Using Virtual Disks With Logical Domains
  Introduction to Virtual Disks
  Managing Virtual Disks
  To Add a Virtual Disk
  To Export a Virtual Disk Backend Multiple Times
  To Change Virtual Disk Options
  To Change the Timeout Option
  To Remove a Virtual Disk
  Virtual Disk Appearance
  Full Disk
  Single Slice Disk
  Virtual Disk Backend Options
  Read-only (ro) Option
  Exclusive (excl) Option
  Slice (slice) Option
  Virtual Disk Backend
  Physical Disk or Disk LUN
  To Export a Physical Disk as a Virtual Disk
  Physical Disk Slice
  To Export a Physical Disk Slice as a Virtual Disk
  To Export Slice 2
  File and Volume
  File or Volume Exported as a Full Disk
  To Export a File as a Full Disk
  File or Volume Exported as a Single Slice Disk
  To Export a ZFS Volume as a Single Slice Disk
  Exporting Volumes and Backward Compatibility
  Summary of How Different Types of Backends Are Exported
  Guidelines
  CD, DVD and ISO Images
  To Export a CD or DVD From the Service Domain to the Guest Domain
  Virtual Disk Timeout
  Virtual Disk and SCSI
  Virtual Disk and the format(1M) Command
  Using ZFS With Virtual Disks
  Creating a Virtual Disk on Top of a ZFS Volume
  To Create a Virtual Disk on Top of a ZFS Volume
  Using ZFS Over a Virtual Disk
  To Use ZFS Over a Virtual Disk
  Using ZFS for Boot Disks
  To Use ZFS for Boot Disks
  Using Volume Managers in a Logical Domains Environment
  Using Virtual Disks on Top of Volume Managers
  Using Virtual Disks on Top of SVM
  Using Virtual Disks When VxVM Is Installed
  Using Volume Managers on Top of Virtual Disks
  Using ZFS on Top of Virtual Disks
  Using SVM on Top of Virtual Disks
  Using VxVM on Top of Virtual Disks

6. Other Information and Tasks
  Restrictions on Entering Names in the CLI
  File Names (file) and Variable Names (var name)
  Virtual Disk Server backend and Virtual Switch device Names
  Configuration Name (config name)
  All Other Names
  Using ldm list Subcommands
  Machine-Readable Output
  To Show Syntax Usage for ldm Subcommands
  Flag Definitions
  Utilization Statistic Definition
  Examples of Various Lists
  To Show Software Versions (-V)
  To Generate a Short List
  To Generate a Long List (-l)
  To Generate an Extended List (-e)
  To Generate a Parseable, Machine-Readable List (-p)
  To Show the Status of a Domain
  To List a Variable
  To List Bindings
  To List Configurations
  To List Devices
  To List Services
  Listing Constraints
  To List Constraints for One Domain
  To List Constraints in XML Format
  To List Constraints in a Machine-Readable Format
  The ldm stop-domain Command Can Time Out If the Domain Is Heavily Loaded
  Determining the Solaris Network Interface Name Corresponding to a Virtual Network Device
  To Find Solaris OS Network Interface Name
  Assigning MAC Addresses Automatically or Manually
  Range of MAC Addresses Assigned to Logical Domains Software
  Automatic Assignment Algorithm
  Duplicate MAC Address Detection
  Freed MAC Addresses
  CPU and Memory Address Mapping
  CPU Mapping
  To Determine the CPU Number
  Memory Mapping
  To Determine the Real Memory Address
  Examples of CPU and Memory Mapping
  Configuring Split PCI Express Bus to Use Multiple Logical Domains
  To Create a Split PCI Configuration
  Enabling the I/O MMU Bypass Mode on a PCI Bus
  Using Console Groups
  To Combine Multiple Consoles Into One Group
  Moving a Logical Domain From One Server to Another
  To Set Up Domains to Move
  To Move the Domain
  Removing Logical Domains
  To Remove All Guest Logical Domains
  Operating the Solaris OS With Logical Domains
  OpenBoot Firmware Not Available After Solaris OS Has Started If Domaining Is Enabled
  Power-Cycling a Server
  To Save Your Current Logical Domain Configurations to the SC
  Result of an OpenBoot power-off Command
  Result of Solaris OS Breaks
  Results from Halting or Rebooting the Control Domain
  Using LDoms With ALOM CMT
  To Reset the Logical Domain Configuration to the Default or Another Configuration
  Enabling and Using BSM Auditing
  To Use the enable-bsm.fin Finish Script
  To Use the Solaris OS bsmconv(1M) Command
  To Verify that BSM Auditing is Enabled
  To Disable Auditing
  To Print Audit Output
  To Rotate Audit Logs
  Supported Network Adapters
  To Determine If a Network Adapter Is GLDv3-Compliant
  Configuring Virtual Switch and Service Domain for NAT and Routing
  To Set Up the Virtual Switch to Provide External Connectivity to Domains
  Configuring IPMP in a Logical Domains Environment
  Configuring Virtual Network Devices into an IPMP Group in a Logical Domain
  Configuring and Using IPMP in the Service Domain

Glossary

Figures

FIGURE 1-1  Hypervisor Supporting Two Logical Domains
FIGURE 5-1  Virtual Disks With Logical Domains
FIGURE 6-1  Two Virtual Networks Connected to Separate Virtual Switch Instances
FIGURE 6-2  Each Virtual Network Device Connected to Different Service Domains
FIGURE 6-3  Two Network Interfaces Configured as Part of IPMP Group

Tables

TABLE 1-1  Logical Domain Roles
TABLE 2-1  The ldm Subcommands and User Authorizations
TABLE 6-1  Expected Behavior of Halting or Rebooting the Control (primary) Domain

Code Examples

CODE EXAMPLE 3-1  Director