Transcription

Logical Domains (LDoms) 1.0.3Administration GuideSun Microsystems, Inc.www.sun.comPart No. 820-4894-10May 2008, Revision ASubmit comments about this document at: http://www.sun.com/hwdocs/feedback

Copyright 2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. Inparticular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed athttp://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.U.S. Government Rights - Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement andapplicable provisions of the FAR and its supplements.Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark inthe U.S. and in other countries, exclusively licensed through X/Open Company, Ltd.Sun, Sun Microsystems, the Sun logo, Java, Solaris, JumpStart, OpenBoot, Sun Fire, Netra, SunSolve, Sun BluePrints, Sun Blade, Sun Ultra, andSunVTS are service marks, trademarks, or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and othercountries. Products bearing SPARC trademarks are based upon architecture developed by Sun Microsystems, Inc.The Adobe PostScript logo is a trademark of Adobe Systems, Incorporated.Products covered by and information contained in this service manual are controlled by U.S. Export Control laws and may be subject to theexport or import laws in other countries. Nuclear, missile, chemical biological weapons or nuclear maritime end uses or end users, whetherdirect or indirect, are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified on U.S. export exclusionlists, including, but not limited to, the denied persons and specially designated nationals lists is strictly prohibited.DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES,INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.Copyright 2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, Etats-Unis. Tous droits réservés.Sun Microsystems, Inc. détient les droits de propriété intellectuels relatifs à la technologie incorporée dans le produit qui est décrit dans cedocument. En particulier, et ce sans limitation, ces droits de propriété intellectuelle peuvent inclure un ou plus des brevets américains listés àl’adresse http://www.sun.com/patents et un ou les brevets supplémentaires ou les applications de brevet en attente aux Etats - Unis et dans lesautres pays.Des parties de ce produit pourront être dérivées des systèmes Berkeley BSD licenciés par l’Université de Californie. UNIX est une marquedéposée aux Etats-Unis et dans d’autres pays et licenciée exclusivement par X/Open Company, Ltd.Sun, Sun Microsystems, le logo Sun, Java, Solaris, JumpStart, OpenBoot, Sun Fire, Netra, SunSolve, Sun BluePrints, Sun Blade, Sun Ultra, etSunVTS sont des marques de fabrique ou des marques déposées de Sun Microsystems, Inc. aux Etats-Unis et dans d’autres pays.Toutes les marques SPARC sont utilisées sous licence et sont des marques de fabrique ou des marques déposées de SPARC International, Inc.aux Etats-Unis et dans d’autres pays. Les produits portant les marques SPARC sont basés sur une architecture développée par SunMicrosystems, Inc.Le logo Adobe PostScript est une marque déposée de Adobe Systems, Incorporated.Les produits qui font l’objet de ce manuel d’entretien et les informations qu’il contient sont regis par la legislation americaine en matiere decontrole des exportations et peuvent etre soumis au droit d’autres pays dans le domaine des exportations et importations. Les utilisationsfinales, ou utilisateurs finaux, pour des armes nucleaires, des missiles, des armes biologiques et chimiques ou du nucleaire maritime,directement ou indirectement, sont strictement interdites. Les exportations ou reexportations vers des pays sous embargo des Etats-Unis, ouvers des entites figurant sur les listes d’exclusion d’exportation americaines, y compris, mais de maniere non exclusive, la liste de personnes quifont objet d’un ordre de ne pas participer, d’une facon directe ou indirecte, aux exportations des produits ou des services qui sont regi par lalegislation americaine en matiere de controle des exportations et la liste de ressortissants specifiquement designes, sont rigoureusementinterdites.LA DOCUMENTATION EST FOURNIE "EN L’ETAT" ET TOUTES AUTRES CONDITIONS, DECLARATIONS ET GARANTIES EXPRESSESOU TACITES SONT FORMELLEMENT EXCLUES, DANS LA MESURE AUTORISEE PAR LA LOI APPLICABLE, Y COMPRIS NOTAMMENTTOUTE GARANTIE IMPLICITE RELATIVE A LA QUALITE

ContentsPreface1.xviiOverview of the Logical Domains SoftwareHypervisor and Logical DomainsLogical Domains ManagerCommand-Line InterfaceVirtual Input/Output445Virtual Network5Virtual Storage6Virtual Console6Dynamic Reconfiguration6Delayed Reconfiguration6Persistent Configurations7Security13Roles for Logical Domains2.19Security Considerations9Solaris Security Toolkit and the Logical Domains ManagerHardening1011Minimizing Logical Domains12iii

AuthorizationAuditing13Compliance3.1214Installing and Enabling SoftwareUpgrading the Solaris OS1515Saving and Restoring the Logical Domains Constraints Database FileUsing Live Upgrade on the Control DomainUpgrading to LDoms 1.0.3 Software 1616To Upgrade From LDoms 1.0 to LDoms 1.0.3 SoftwareFreshly Installing Software on the Control Domain1618 To Install the Solaris 10 OS To Upgrade System Firmware To Upgrade System Firmware Without an FTP Server To Downgrade System Firmware18192021Downloading Logical Domains Manager and Solaris Security Toolkit 1521To Download the Logical Domains Manager, Solaris Security Toolkit, andLogical Domains MIB 21Installing Logical Domains Manager and Solaris Security Toolkit22Using the Installation Script to Install the Logical Domains Manager 1.0.3 andSolaris Security Toolkit 4.2 Software 23 To Install Using the install-ldm Script With No Options To Install Using the install-ldm Script With the -d Option To Install Using the install-ldm Script With the -d none Option28 To Install Using the install-ldm Script With the -p Option242729Using JumpStart to Install the Logical Domains Manager 1.0.3 and SolarisSecurity Toolkit 4.2 Software 29iv To Set Up a JumpStart Server To Install Using JumpStart SoftwareLogical Domains (LDoms) 1.0.3 Administration Guide May 20083030

Installing Logical Domains Manager and Solaris Security Toolkit SoftwareManually 32 To Install the Logical Domains Manager (LDoms) 1.0.3 SoftwareManually 32 (Optional) To Install the Solaris Security Toolkit 4.2 SoftwareManually 33 (Optional) To Harden the Control Domain Manually To Validate Hardening To Undo Hardening3434Enabling the Logical Domains Manager Daemon 3335To Enable the Logical Domains Manager Daemon35Creating Authorization and Profiles and Assigning Roles for User AccountsManaging User AuthorizationsTo Add an Authorization for a User To Delete All Authorizations for a User To Add a Profile for a User To Delete All Profiles for a User 3737To Create a Role and Assign the Role to a UserOutput Messages383939Sun UltraSPARC T1 Processors39Sun UltraSPARC T2 Processors40Creating Default Services40To Create Default Services40Initial Configuration of the Control Domain 3737Setting Up Services and Logical Domains 3637Assigning Roles to Users4.36 Managing User Profiles35To Set Up the Control DomainRebooting to Use Logical Domains424244Contentsv

To Reboot44Enabling Networking Between the Control/Service Domain and OtherDomains 45 To Configure the Virtual Switch as the Primary InterfaceEnabling the Virtual Network Terminal Server Daemon Managing Virtual Disks4851Using Virtual Disks With Logical DomainsIntroduction to Virtual Disks535354 To Add a Virtual Disk To Export a Virtual Disk Backend Multiple Times To Change Virtual Disk Options To Change the Timeout Option To Remove a Virtual DiskVirtual Disk AppearanceFull Disk5456565657Virtual Disk Backend OptionsRead-only (ro) OptionSlice (slice) OptionVirtual Disk Backend5757Exclusive (excl) Option575859Physical Disk or Disk LUN 5656Single Slice Disk59To Export a Physical Disk as a Virtual DiskPhysical Disk Slicevi47To Create and Start a Guest DomainJump-Starting a Guest Domain5.46To Enable the Virtual Network Terminal Server DaemonCreating and Starting a Guest Domain60Logical Domains (LDoms) 1.0.3 Administration Guide May 200859455547

To Export a Physical Disk Slice as a Virtual Disk To Export Slice 2File and Volume6161File or Volume Exported as a Full Disk To Export a File as a Full Disk6162File or Volume Exported as a Single Slice Disk 6062To Export a ZFS Volume as a Single Slice DiskExporting Volumes and Backward Compatibility6363Summary of How Different Types of Backends Are ExportedGuidelines64CD, DVD and ISO Images 6465To Export a CD or DVD From the Service Domain to the Guest Domain66Virtual Disk TimeoutVirtual Disk and SCSI6768Virtual Disk and the format(1M) CommandUsing ZFS With Virtual Disks6869Creating a Virtual Disk on Top of a ZFS Volume To Create a Virtual Disk on Top of a ZFS VolumeUsing ZFS Over a Virtual Disk 6970To Use ZFS Over a Virtual DiskUsing ZFS for Boot Disks 697172To Use ZFS for Boot Disks72Using Volume Managers in a Logical Domains EnvironmentUsing Virtual Disks on Top of Volume ManagersUsing Virtual Disks on Top of SVM7475Using Virtual Disks When VxVM Is Installed76Using Volume Managers on Top of Virtual Disks77Using ZFS on Top of Virtual Disks7477Contentsvii

Using SVM on Top of Virtual Disks77Using VxVM on Top of Virtual Disks6.Other Information and Tasks7879Restrictions on Entering Names in the CLI79File Names (file) and Variable Names (var name)79Virtual Disk Server backend and Virtual Switch device NamesConfiguration Name (config name)All Other Names80Machine-Readable Output80To Show Syntax Usage for ldm SubcommandsFlag Definitions8083Utilization Statistic DefinitionExamples of Various Lists8484 To Show Software Versions (-V) To Generate a Short List To Generate a Long List (-l) To Generate an Extended List (-e) To Generate a Parseable, Machine-Readable List (-p) To Show the Status of a Domain To List a Variable To List Bindings To List Configurations To List Devices90 To List Services92Listing Constraintsviii7980Using ldm list Subcommands 79848485868889899092 To List Constraints for One Domain To List Constraints in XML FormatLogical Domains (LDoms) 1.0.3 Administration Guide May 2008929388

To List Constraints in a Machine-Readable Format94The ldm stop-domain Command Can Time Out If the Domain Is HeavilyLoaded 95Determining the Solaris Network Interface Name Corresponding to a VirtualNetwork Device 96 To Find Solaris OS Network Interface Name96Assigning MAC Addresses Automatically or Manually97Range of MAC Addresses Assigned to Logical Domains SoftwareAutomatic Assignment Algorithm98Duplicate MAC Address Detection99Freed MAC Addresses99CPU and Memory Address MappingCPU Mapping 100100To Determine the CPU NumberMemory Mapping 100101To Determine the Real Memory AddressExamples of CPU and Memory Mapping101101Configuring Split PCI Express Bus to Use Multiple Logical Domains To Create a Split PCI ConfigurationUsing Console Groups106107To Combine Multiple Consoles Into One Group107Moving a Logical Domain From One Server to Another108 To Set Up Domains to Move To Move the DomainRemoving Logical Domains 103104Enabling the I/O MMU Bypass Mode on a PCI Bus 98108108109To Remove All Guest Logical DomainsOperating the Solaris OS With Logical Domains109110OpenBoot Firmware Not Available After Solaris OS Has Started If DomainingIs Enabled 110Contentsix

Power-Cycling a Server 110To Save Your Current Logical Domain Configurations to the SCResult of an OpenBoot power-off CommandResult of Solaris OS Breaks111111Results from Halting or Rebooting the Control DomainUsing LDoms With ALOM CMT 113To Reset the Logical Domain Configuration to the Default or AnotherConfiguration 113Enabling and Using BSM Auditing114 To Use the enable-bsm.fin Finish Script To Use the Solaris OS bsmconv(1M) Command To Verify that BSM Auditing is Enabled To Disable Auditing To Print Audit Output To Rotate Audit LogsSupported Network Adapters 111114115115116116116116To Determine If a Network Adapter Is GLDv3-Compliant117Configuring Virtual Switch and Service Domain for NAT and Routing 117To Set Up the Virtual Switch to Provide External Connectivity toDomains 118Configuring IPMP in a Logical Domains Environment118Configuring Virtual Network Devices into an IPMP Group in a LogicalDomain 119Configuring and Using IPMP in the Service DomainGlossaryx123Logical Domains (LDoms) 1.0.3 Administration Guide May 2008120111

FiguresFIGURE 1-1Hypervisor Supporting Two Logical Domains2FIGURE 5-1Virtual Disks With Logical DomainsFIGURE 6-1Two Virtual Networks Connected to Separate Virtual Switch Instances119FIGURE 6-2Each Virtual Network Device Connected to Different Service Domains120FIGURE 6-3Two Network Interfaces Configured as Part of IPMP Group54121xi

xiiLogical Domains (LDoms) 1.0.3 Administration Guide May 2008

TablesTABLE 1-1Logical Domain Roles 4TABLE 2-1The ldm Subcommands and User AuthorizationsTABLE 6-1Expected Behavior of Halting or Rebooting the Control (primary) Domain13112xiii

xivLogical Domains (LDoms) 1.0.3 Administration Guide May 2008

Code ExamplesCODE EXAMPLE 3-1Director