Thursday, July 31, 2014

DNS loopback zone

The loopback zone is part of every DNS server's configuration.
Its purpose is to answer reverse lookups for the loopback network: the zone 0.0.127.in-addr.arpa covers 127.0.0.0/24, the part of 127.0.0.0/8 where the localhost address 127.0.0.1 lives.
By convention and good practice each DNS server must be authoritative for it, so that such lookups are answered locally and are never sent on to other name servers.
Naturally, the above recommendation doesn't apply to DNS root servers.
In general the localhost address is 127.0.0.1.
Hence, following the usual naming convention, the zone file is called db.127.0.0.

Consider the example given in the post DNS internal root.
The top-level internal DNS servers (those right below the DNS internal roots) are:
  • NS00.business.corp
  • NS01.business.corp 
  • NS02.business.corp 
  
Each of them would have the following loopback zone configuration:
(the following are the contents of db.127.0.0)

;  
;       Business Corp.  
;  
;       The loopback zone.
;       last update:    July 31, 2014.
 
;

$TTL 3h

@  IN  SOA  NS00.business.corp.  hostmaster.business.corp.  (
            1    ; Serial
            3h   ; Refresh after 3 hours
            1h   ; Retry after 1 hour
            1w   ; Expire after 1 week
            1h ) ; Negative caching TTL of 1 hour


; Authoritative name servers.

   IN  NS  NS00.business.corp.
   IN  NS  NS01.business.corp.
   IN  NS  NS02.business.corp.

; The localhost PTR record.
 
1  IN PTR localhost.

; End of File.
 
In this particular case /etc/named.conf must contain:

zone "0.0.127.in-addr.arpa." in {
  type master;
  file "db.127.0.0";

  notify no;
};
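As an added example (not code from the original post), the following Python derives the reverse-zone name for any prefix, the post's 0.0.127.in-addr.arpa included, and renders a loopback zone in the same layout as db.127.0.0 above. It goes a little beyond the post by also handling the IPv6 loopback zone for ::1 and the octet-aligned reverse zones used elsewhere on this page (10.in-addr.arpa, 168.192.in-addr.arpa). The server and hostmaster names are parameters; the values used at the bottom are the post's own.

```python
# Added example, not code from the original post: reverse-zone names for
# any octet-aligned IPv4 or nibble-aligned IPv6 prefix, and a loopback
# zone rendered in the layout of db.127.0.0.  Names passed in below are
# the ones the post uses (NS00.business.corp., hostmaster.business.corp.).
import ipaddress


def reverse_zone(cidr):
    """Zone name covering `cidr`: octet-aligned IPv4 or nibble-aligned IPv6."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones sit on octet boundaries")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones sit on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_owner(address, zone):
    """Owner name of `address`'s PTR record, relative to `zone`."""
    full = ipaddress.ip_address(address).reverse_pointer + "."
    if full == zone:
        return "@"                      # the zone apex itself (e.g. ::1/128)
    if not full.endswith("." + zone):
        raise ValueError(f"{address} is not inside {zone}")
    return full[: -len(zone) - 1]


def loopback_zone(cidr, address, primary, hostmaster, nameservers, serial=1):
    """Render a loopback zone for `cidr`, mapping `address` to localhost."""
    zone = reverse_zone(cidr)
    lines = [f"; loopback zone {zone}", "$TTL 3h",
             f"@  IN  SOA  {primary}  {hostmaster}  (",
             f"            {serial}    ; Serial",
             "            3h   ; Refresh after 3 hours",
             "            1h   ; Retry after 1 hour",
             "            1w   ; Expire after 1 week",
             "            1h ) ; Negative caching TTL of 1 hour", ""]
    lines += [f"   IN  NS  {ns}" for ns in nameservers]
    lines += ["", f"{ptr_owner(address, zone)}  IN PTR localhost.", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    servers = ["NS00.business.corp.", "NS01.business.corp.", "NS02.business.corp."]
    print(loopback_zone("127.0.0.0/24", "127.0.0.1",
                        "NS00.business.corp.", "hostmaster.business.corp.", servers))
    print(loopback_zone("::1/128", "::1",
                        "NS00.business.corp.", "hostmaster.business.corp.", servers))
```

The IPv6 zone is the whole 1.0.0.…0.ip6.arpa name, so its PTR sits at the apex (@); the named.conf zone statement for it is built from the same reverse_zone() result.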

   

Internal DNS server

Internal DNS servers sit behind the firewall and provide host name resolution only within the organization's internal internetwork (the intranet); they never connect to the Internet directly. They differ from the DNS internal root servers (which define their own root zone) and from the external DNS servers (which use the standard DNS root hints and connect to the Internet directly for external name resolution).

The key distinctive piece of configuration is the contents of the (conventionally named) db.cache file: instead of the standard root hints used for ordinary Internet-wide resolution, it holds custom root hints pointing at the organization's DNS internal root servers. Whatever an internal server can't answer itself is then resolved by recursing from the internal roots, so a query for an Internet name simply fails instead of leaving the intranet.

Taking the examples from the DNS internal root post as a base, the top-level internal servers (right below the DNS internal root servers) are:
 
  • NS00.business.corp
  • NS01.business.corp 
  • NS02.business.corp 

Each of them would have the following custom root hints configuration:
(the following is a partial excerpt of their db.cache)

;
;       Business Corp.
;
;       DNS internal root servers.
;       last update:    July 31, 2014.

;

.                     3600000  IN  NS    A.business.corp.
                      3600000  IN  NS    B.business.corp. 
                      3600000  IN  NS    C.business.corp. 
                      3600000  IN  NS    D.business.corp.
 
A.business.corp.      3600000  IN  A     10.0.0.10
B.business.corp.      3600000  IN  A     10.0.0.20
C.business.corp.      3600000  IN  A     10.0.0.30
D.business.corp.      3600000  IN  A     10.0.0.40  

; End of File. 

In this particular case, the main configuration file of each of them (NS00 thru NS02), /etc/named.conf, would contain:

options {
  // ... other options ...
  // recursion is an options (or view) statement, not a zone statement,
  // and a hint zone is only ever consulted when recursing. These servers
  // must recurse for their clients, but for internal clients only.
  recursion yes;
  allow-recursion { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; };
};

zone "." in {
  type hint;
  file "db.cache";
};

   

DNS internal root

A DNS internal root is a DNS configuration for an internal root domain ".". The DNS internal root servers are positioned within the organization's network, behind a firewall. Their configuration somewhat mimics that of the standard DNS root hints, but deals only with internal servers and internal top-level domains.

Using an internal root is more flexible and more secure than forwarding: internal names and reverse ranges are never sent to servers outside the organization, and the internal servers need no path to the Internet at all.
It also scales better than extensive forwarding, since one set of delegations in the root replaces forward-zone lists on every server.

As an example, assume that:

  • The internal DNS domain is business.corp.
    The company's name is Business Corp.
     
  • The following networks are used:
    • 192.168.0.0/16    (branch offices)
    • 10.0.0.0/8        (headquarters)
       
  • The internal root servers are:
    • A.business.corp
    • B.business.corp
    • C.business.corp
    • D.business.corp 
       
  • The top-level (below root) internal servers are:
    • NS00.business.corp
    • NS01.business.corp
    • NS02.business.corp
    
The internal root file conventionally called db.root could be:
   
;
;       Business Corp.
;
;       Internal DNS root and domains.
;       last update:    July 31, 2014.

;
 
$TTL 1d


.  IN  SOA  A.business.corp.  hostmaster.business.corp.  (
            1    ; serial
            3h   ; refresh
            1h   ; retry
            1w   ; expire
            1h ) ; negative caching TTL

  
; The internal root servers.

   IN  NS  A.business.corp.
   IN  NS  B.business.corp.
   IN  NS  C.business.corp.
   IN  NS  D.business.corp.


; The internal root servers addresses.

A.business.corp.    IN  A  10.0.0.10
B.business.corp.    IN  A  10.0.0.20
C.business.corp.    IN  A  10.0.0.30
D.business.corp.    IN  A  10.0.0.40

; The internal domains and their authoritative servers.

business.corp.            IN  NS  NS00.business.corp.
                          IN  NS  NS01.business.corp.
                          IN  NS  NS02.business.corp.

; Glue: the servers delegated to live inside business.corp itself, so the
; root zone has to carry their addresses or the delegation can't be followed.
; (Addresses assumed here: they are the nameservers handed to clients by the
; DNS client configuration profile on this page.)

NS00.business.corp.       IN  A   10.0.1.10
NS01.business.corp.       IN  A   10.0.1.20
NS02.business.corp.       IN  A   10.0.1.30

10.in-addr.arpa.          IN  NS  NS00.business.corp.
                          IN  NS  NS01.business.corp.
                          IN  NS  NS02.business.corp.

168.192.in-addr.arpa.     IN  NS  NS00.business.corp.
                          IN  NS  NS01.business.corp.
                          IN  NS  NS02.business.corp.

; End of File.
  
Naturally, NS00 thru NS02 further delegate as necessary.
In this particular case, the /etc/named.conf of the root servers has:

options {
  // ... other options ...
  // recursion is an options (or view) statement, not a zone statement;
  // the internal roots are authoritative only and must never recurse.
  recursion no;
};

zone "." in {
  type master;
  file "db.root";
};


NOTE
Not all of the root servers must be master for the "." zone.
As usual, at a minimum one of them must be; the others can be slaves of it.
All other internal DNS servers must use these internal DNS root servers.
These specifics are covered in another post: internal DNS servers.
   

DNS root hints

The DNS root hints is the DNS configuration that tells a resolving name server where the Internet root servers for the root domain "." are; it is not a zone the server is authoritative for.
This is typically necessary on external DNS servers on a DMZ.
This configuration contrasts with a DNS internal root.

It's necessary to keep an up to date root hints file, as root server addresses do change over time.
The file is usually called db.cache or named.cache.
This file is easily obtainable from InterNIC (the header of the file itself gives the location).

Here's the root hints file as of today:
 
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  "
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/named.cache
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:    June 2, 2014
;       related version of root zone:   2014060201
;
; formerly NS.INTERNIC.NET
;

.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;

.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:84::B
;
; FORMERLY C.PSI.NET
;

.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::C
;
; FORMERLY TERP.UMD.EDU
;

.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2D::D
;
; FORMERLY NS.NASA.GOV
;

.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; FORMERLY NS.ISC.ORG
;

.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;

.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;

.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;

.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FE::53
;
; OPERATED BY VERISIGN, INC.
;

.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;

.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FD::1
;
; OPERATED BY ICANN
;

.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
;
; OPERATED BY WIDE
;

.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:DC3::35
; End of File


The above must be the contents of the conventionally called db.cache.
In this particular case /etc/named.conf must contain:

zone "." in {
  type hint;
  file "db.cache";
};
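The two files this page builds by hand, the db.root of the DNS internal root post and the db.cache root hints above, each have a failure mode that BIND will not necessarily shout about: a db.root that delegates business.corp to NS00.business.corp. without carrying an A record for it (glue) gives resolvers a referral they cannot follow, and a hints file with a root NS that has no address line is a dead entry. The following Python, an added example and not code from either post, is a minimal master-file reader with those two checks. The zone texts in it are constructed to mirror the posts' examples; the glue addresses 10.0.1.x are assumed, and the missing D.business.corp. address in the hints sample is deliberate.

```python
# Added example, not code from the original posts: a small RFC 1035
# master-file reader plus two sanity checks.
#  (1) db.root: a delegation whose nameservers live inside the delegated
#      zone needs glue A/AAAA records in the root itself.
#  (2) db.cache: every root NS must come with an address line.
# Sample texts are constructed after the posts; 10.0.1.x glue is assumed.
import re

TTL_RE = re.compile(r"\d+[smhdw]?", re.IGNORECASE)


def absolute(name, origin):
    """Absolute, lower-cased form of an owner or target name."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return (name + ("." if origin == "." else "." + origin)).lower()


def parse_master(text, origin="."):
    """Return [(owner, rtype, rdata)] for a zone or hints file.  Handles ';'
    comments, $ORIGIN, owner inheritance (leading blank), optional TTL and
    class, and the parenthesised multi-line SOA."""
    logical, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf = line if not buf else buf + " " + line.strip()
        depth += line.count("(") - line.count(")")
        if depth == 0:                  # record complete
            logical.append(buf)
            buf = ""
    records, owner = [], None
    for line in logical:
        if line.startswith("$"):
            if line.split()[0] == "$ORIGIN":
                origin = line.split()[1]
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():       # explicit owner name
            owner = tokens.pop(0)
        if tokens and TTL_RE.fullmatch(tokens[0]):
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [absolute(rdata[0], origin)]
        records.append((absolute(owner, origin), rtype, rdata))
    return records


def missing_glue(records):
    """(delegation, nameserver) pairs that need glue but have none."""
    apex = next((o for o, t, _ in records if t == "SOA"), None)
    have_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    out = []
    for owner, rtype, rdata in records:
        if rtype != "NS" or owner == apex:
            continue
        ns = rdata[0]
        if (ns == owner or ns.endswith("." + owner)) and ns not in have_addr:
            out.append((owner, ns))
    return out


def hints_without_address(records):
    """Root NS names in a hints file that have no A/AAAA line."""
    have_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    return sorted({r[0] for o, t, r in records
                   if t == "NS" and o == "." and r[0] not in have_addr})


# Constructed db.root in the post's layout, glue deliberately left out.
ROOT_ZONE = """\
$TTL 1d
.  IN  SOA  A.business.corp.  hostmaster.business.corp.  (
            1    ; serial
            3h 1h 1w 1h )
   IN  NS  A.business.corp.
A.business.corp.          IN  A   10.0.0.10
business.corp.            IN  NS  NS00.business.corp.
                          IN  NS  NS01.business.corp.
10.in-addr.arpa.          IN  NS  NS00.business.corp.
"""
GLUE = """\
NS00.business.corp.       IN  A   10.0.1.10
NS01.business.corp.       IN  A   10.0.1.20
"""
# Constructed db.cache for the internal roots; D's address line is missing.
HINTS = """\
.                     3600000  IN  NS    A.business.corp.
                      3600000  IN  NS    D.business.corp.
A.business.corp.      3600000  IN  A     10.0.0.10
"""

if __name__ == "__main__":
    for owner, ns in missing_glue(parse_master(ROOT_ZONE)):
        print(f"{owner} is delegated to {ns} but the root carries no glue for it")
    for ns in hints_without_address(parse_master(HINTS)):
        print(f"hint NS {ns} has no A/AAAA line")
```

Run it against the real files (open() the text and pass it in) before reloading named; the 10.in-addr.arpa delegation is correctly left alone, since its nameservers are out of bailiwick and are resolved through the business.corp delegation instead.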

  

DNS daemon configuration

Right after DNS installation, and as part of DNS configuration, a number of details that affect how the daemon runs have to be considered. The daemon accepts several options, reasonably documented in named(1M).

# which named
/usr/sbin/named


# /usr/sbin/named -?
usage: named [-4|-6] [-c conffile] [-d debuglevel] [-f|-g]
             [-n number_of_cpus] [-p port] [-s]
             [-t chrootdir] [-u username]
             [-m {usage|trace|record|size|mctx}]

The diagnostic options (-d, -f, -g, -s and -m) are irrelevant here.
The options that matter initially are the ones discussed below: -4, -u and -t.
Fortunately, there are associated SMF properties to manipulate them.
Both man pages and on-line documentation are complementary.
Thus, also check Managing DNS (Tasks).

In fact, the -4 option isn't that important after all.
By default, named listens on both IPv4 and IPv6 transports.
If IPv6 isn't being used, which is most probably still the case, disable it, so that nothing is listening on a transport nobody monitors.
The SMF equivalent of -4 is the options/ip_interfaces property.

# svcprop -p options/ip_interfaces dns/server:default
all


# svccfg -s dns/server:default
...> setprop options/ip_interfaces = "IPv4"
...> refresh
...> exit

# svcprop -p options/ip_interfaces dns/server:default
IPv4


NOTE

The -u option may be useful for additional security.
Not running the daemon as root is, at the very least, good practice: named switches to the given user after its privileged start-up work, so a compromise of the daemon doesn't immediately yield root.
For robustness, use a local user account rather than one from a directory service; the name server must come up even when no directory service is reachable.

Note that /var/run/named is the default directory and, in many circumstances, other things depend on it; changing that requires a great deal of specific administration effort.
This kind of by-exception administration is error prone and unreliable.

It's better to rely on immutable zones to mitigate these security issues.
This is a unique feature of Solaris 11!
NOTE
The -t (chroot) option isn't really of concern in the face of immutable zones, whose root file system is already read-only.
 
When rebooting a DNS server (or some other service) running in an immutable zone for maintenance, in addition to the -w (read-write mode) option also use the -s (single-user mode) option with the boot or reboot zoneadm subcommands, so that the zone comes up writable but without its services running while it is being changed.

gz# zoneadm -z dns-1 shutdown
gz# zoneadm -z dns-1 boot -w -s


or perhaps

gz# zoneadm -z dns-1 reboot -w -- -s
   

Tuesday, July 29, 2014

Configuration profile - DNS

This is an example of a DNS client configuration profile.
It is useful to streamline installations.
  
Assume all DNS services prerequisites and assumptions stay the same.
Also check the on-line documentation Managing DNS (Tasks) for details.

The following are the necessary customizations:

<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="profile" name="sysconfig">
  <service version="1" type="service" name="system/config-user">
    <instance enabled="true" name="default">
      <property_group type="application" name="root_account">
        <propval type="astring" name="login" value="root"/>
        <propval type="astring" name="password" value="$5$..."/>
        <propval type="astring" name="type" value="role"/>
      </property_group>
      <property_group type="application" name="user_account">
        <propval type="astring" name="login" value="..."/>
        <propval type="astring" name="password" value="$5$..."/>
        <propval type="astring" name="type" value="normal"/>
        <propval type="astring" name="description" value="Primary Administrator"/>
        <propval type="count" name="gid" value="10"/>
        <propval type="astring" name="shell" value="/usr/bin/bash"/>
        <propval type="astring" name="roles" value="root"/>
        <propval type="astring" name="profiles" value="System Administrator"/>
        <propval type="astring" name="sudoers" value="ALL=(ALL) ALL"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/timezone">
    <instance enabled="true" name="default">
      <property_group type="application" name="timezone">
        <propval type="astring" name="localtime" value="..."/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/environment">
    <instance enabled="true" name="init">
      <property_group type="application" name="environment">
        <propval type="astring" name="LANG" value="en_US.UTF-8"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/identity">
    <instance enabled="true" name="node">
      <property_group type="application" name="config">
        <propval type="astring" name="nodename" value="zone-1"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/keymap">
    <instance enabled="true" name="default">
      <property_group type="system" name="keymap">
        <propval type="astring" name="layout" value="US-English"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/console-login">
    <instance enabled="true" name="default">
      <property_group type="application" name="ttymon">
        <propval type="astring" name="terminal_type" value="sun-color"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="network/physical">
    <instance enabled="true" name="default">
      <property_group type="application" name="netcfg">
        <propval type="astring" name="active_ncp" value="DefaultFixed"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="network/install">
    <instance enabled="true" name="default">
      <property_group type="application" name="install_ipv4_interface">
        <propval type="astring" name="address_type" value="static"/>
        <propval type="net_address_v4" name="static_address" value="192.168.0.91/24"/>
        <propval type="astring" name="name" value="net11/v4"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/name-service/switch">
    <property_group type="application" name="config">
      <propval type="astring" name="default" value="files"/>
      <propval type="astring" name="host" value="files dns"/>
      <propval type="astring" name="printer" value="user files"/>
    </property_group>
    <instance enabled="true" name="default"/>
  </service>
  

  <service version="1" type="service" name="system/name-service/cache">
    <instance enabled="true" name="default"/>
  </service>
  <service version="1" type="service" name="network/dns/client">
    <property_group type="application" name="config">
      <property type="net_address" name="nameserver">
        <net_address_list>
          <value_node value="10.0.1.10"/>
          <value_node value="10.0.1.20"/>
          <value_node value="10.0.1.30"/>
        </net_address_list>
      </property>
      <property type="astring" name="search">
        <astring_list>
          <value_node value="business.corp"/>
        </astring_list>
      </property>
    </property_group>
    <instance enabled="true" name="default"/>
  </service>
  

  <service version="1" type="service" name="system/ocm">
    <instance enabled="true" name="default">
      <property_group type="application" name="reg">
        <propval type="astring" name="user" value=""/>
        <propval type="astring" name="password" value=""/>
        <propval type="astring" name="key" value=""/>
        <propval type="astring" name="cipher" value=""/>
        <propval type="astring" name="proxy_host" value=""/>
        <propval type="astring" name="proxy_user" value=""/>
        <propval type="astring" name="proxy_password" value=""/>
        <propval type="astring" name="config_hub" value=""/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/fm/asr-notify">
    <instance enabled="true" name="default">
      <property_group type="application" name="autoreg">
        <propval type="astring" name="user" value=""/>
        <propval type="astring" name="password" value=""/>
        <propval type="astring" name="index" value=""/>
        <propval type="astring" name="private-key" value=""/>
        <propval type="astring" name="public-key" value=""/>
        <propval type="astring" name="client-id" value=""/>
        <propval type="astring" name="timestamp" value=""/>
        <propval type="astring" name="proxy-host" value=""/>
        <propval type="astring" name="proxy-user" value=""/>
        <propval type="astring" name="proxy-password" value=""/>
        <propval type="astring" name="hub-endpoint" value=""/>
      </property_group>
    </instance>
  </service>
</service_bundle>

 
The trailing notes of Configuration profile - NIS still apply.
Of course, there's no need to declare the DNS servers in /etc/hosts.
     

DNS server configuration

Configuring DNS is too complex to fit in a single blog post.
It takes a lot of preparation in order to establish the whole framework.
So, I'll try to organize what I explore by breaking it down into further posts.

After DNS server installation, DNS daemon configuration may be necessary.
This is so unless the server will run in an immutable zone (recommended).

As an example I'll be working with the business.corp domain.

Here are the fundamental steps:
   
 

Configuration profile - NIS

This is an example of a NIS client configuration profile.
It is useful to streamline installations.
  
Assume all initial prerequisites stay the same.
The following are the necessary customizations.
 
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="profile" name="sysconfig">
  <service version="1" type="service" name="system/config-user">
    <instance enabled="true" name="default">
      <property_group type="application" name="root_account">
        <propval type="astring" name="login" value="root"/>
        <propval type="astring" name="password" value="$5$..."/>
        <propval type="astring" name="type" value="role"/>
      </property_group>
      <property_group type="application" name="user_account">
        <propval type="astring" name="login" value="..."/>
        <propval type="astring" name="password" value="$5$..."/>
        <propval type="astring" name="type" value="normal"/>
        <propval type="astring" name="description" value="Primary Administrator"/>
        <propval type="count" name="gid" value="10"/>
        <propval type="astring" name="shell" value="/usr/bin/bash"/>
        <propval type="astring" name="roles" value="root"/>
        <propval type="astring" name="profiles" value="System Administrator"/>
        <propval type="astring" name="sudoers" value="ALL=(ALL) ALL"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/timezone">
    <instance enabled="true" name="default">
      <property_group type="application" name="timezone">
        <propval type="astring" name="localtime" value="..."/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/environment">
    <instance enabled="true" name="init">
      <property_group type="application" name="environment">
        <propval type="astring" name="LANG" value="en_US.UTF-8"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/identity">
    <instance enabled="true" name="node">
      <property_group type="application" name="config">
        <propval type="astring" name="nodename" value="zone-1"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/keymap">
    <instance enabled="true" name="default">
      <property_group type="system" name="keymap">
        <propval type="astring" name="layout" value="US-English"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/console-login">
    <instance enabled="true" name="default">
      <property_group type="application" name="ttymon">
        <propval type="astring" name="terminal_type" value="sun-color"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="network/physical">
    <instance enabled="true" name="default">
      <property_group type="application" name="netcfg">
        <propval type="astring" name="active_ncp" value="DefaultFixed"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="network/install">
    <instance enabled="true" name="default">
      <property_group type="application" name="install_ipv4_interface">
        <propval type="astring" name="address_type" value="static"/>
        <propval type="net_address_v4" name="static_address" value="192.168.0.84/24"/>
        <propval type="astring" name="name" value="net9/v4"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/name-service/switch">
    <property_group type="application" name="config">
      <propval type="astring" name="default" value="files nis"/>
      <propval type="astring" name="printers" value="user files nis"/>
      <propval type="astring" name="netgroup" value="nis"/>
    </property_group>
    <instance enabled="true" name="default"/>
  </service>
  <service version="1" type="service" name="network/nis/domain">
    <property_group type="application" name="config">
      <propval type="hostname" name="domainname" value="business.corp"/>
      <property type="host" name="ypservers">
        <host_list>
          <value_node value="nis-2"/>
          <value_node value="nis-3"/>
        </host_list>
      </property>
    </property_group>
    <instance enabled="true" name="default"/>
  </service>
  <service version="1" type="service" name="network/nis/client">
    <instance enabled="true" name="default"/>
  </service>

  <service version="1" type="service" name="system/name-service/cache">
    <instance enabled="true" name="default"/>
  </service>
  <service version="1" type="service" name="network/dns/client">
    <instance enabled="false" name="default"/>
  </service>
  <service version="1" type="service" name="system/ocm">
    <instance enabled="true" name="default">
      <property_group type="application" name="reg">
        <propval type="astring" name="user" value=""/>
        <propval type="astring" name="password" value=""/>
        <propval type="astring" name="key" value=""/>
        <propval type="astring" name="cipher" value=""/>
        <propval type="astring" name="proxy_host" value=""/>
        <propval type="astring" name="proxy_user" value=""/>
        <propval type="astring" name="proxy_password" value=""/>
        <propval type="astring" name="config_hub" value=""/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/fm/asr-notify">
    <instance enabled="true" name="default">
      <property_group type="application" name="autoreg">
        <propval type="astring" name="user" value=""/>
        <propval type="astring" name="password" value=""/>
        <propval type="astring" name="index" value=""/>
        <propval type="astring" name="private-key" value=""/>
        <propval type="astring" name="public-key" value=""/>
        <propval type="astring" name="client-id" value=""/>
        <propval type="astring" name="timestamp" value=""/>
        <propval type="astring" name="proxy-host" value=""/>
        <propval type="astring" name="proxy-user" value=""/>
        <propval type="astring" name="proxy-password" value=""/>
        <propval type="astring" name="hub-endpoint" value=""/>
      </property_group>
    </instance>
  </service>
</service_bundle>

   
Note that, as the zone configuration (shown below) uses a net resource, the network/install service in the profile must refer to the corresponding name (net9), otherwise error or warning messages will appear during installation. The same goes for the IP address, which must respect the value of allowed-address: the zone is not permitted to configure any other address on that interface.

# zonecfg -z zone-1 info
zonename: zone-1
zonepath: /zone/zone-1
brand: solaris
autoboot: false
bootargs:
file-mac-profile: fixed-configuration
pool:
limitpriv:
scheduling-class:
ip-type: exclusive
hostid:
fs-allowed:
net:
    address not specified
    allowed-address: 192.168.0.84/24
    configure-allowed-address: true
    physical: net9
    defrouter not specified
attr:
    name: description
    type: string
    value: "zone-1"


Before the 1st boot it's recommended to update the zone's /etc/hosts.
In fact, for NIS services this is a critical step before the 1st boot, as the NIS client has to find its servers (nis-2, nis-3) by name before any name service is available:

# cat /zone/zone-1/root/etc/hosts
#
# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# Internet host table
#
::1             localhost
127.0.0.1       localhost                loghost
#

192.168.0.84    zone-1.business.corp     zone-1
#
192.168.0.202       nis-2.business.corp  nis-2
192.168.0.203       nis-3.business.corp  nis-3
   
Note that this is an immutable zone.
An immutable zone installation behavior has been already documented.
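The three things that have to agree before `zoneadm install -c` is run, the profile's network/install section, the zone's net resource from `zonecfg info`, and the zone's /etc/hosts, are easy to get out of step. The following Python is an added example, not code from the original post: it cross-checks the three and reports every mismatch the post warns about (net resource name, allowed-address) plus a stale hosts entry. All three inputs are constructed excerpts modelled on this post; the hosts sample deliberately carries a wrong address for zone-1 to show the detection.

```python
# Added example, not code from the original post: pre-install consistency
# check of a sysconfig profile against `zonecfg info` output and /etc/hosts.
# The sample inputs are constructed excerpts after the post; the hosts text
# deliberately has zone-1 at the wrong address.
import ipaddress
import xml.etree.ElementTree as ET


def profile_network(profile_xml):
    """(nodename, interface, static_address) from a sysconfig profile."""
    vals = {}
    for svc in ET.fromstring(profile_xml).iter("service"):
        for pg in svc.iter("property_group"):
            for pv in pg.iter("propval"):
                vals[(svc.get("name"), pg.get("name"), pv.get("name"))] = pv.get("value")
    return (vals[("system/identity", "config", "nodename")],
            vals[("network/install", "install_ipv4_interface", "name")],
            vals[("network/install", "install_ipv4_interface", "static_address")])


def zonecfg_net(info_text):
    """(zonename, physical, allowed-address) from `zonecfg -z Z info` output."""
    fields = {}
    for line in info_text.splitlines():
        key, sep, val = line.strip().partition(":")
        if sep and val.strip():
            fields.setdefault(key.strip(), val.strip())   # first net resource wins
    return fields["zonename"], fields["physical"], fields["allowed-address"]


def hosts_address(hosts_text, hostname):
    """Address mapped to `hostname` in an /etc/hosts text, or None."""
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and hostname in parts[1:]:
            return parts[0]
    return None


def check_zone(profile_xml, zonecfg_text, hosts_text):
    """List of problems; an empty list means the three sources agree."""
    node, iface, addr = profile_network(profile_xml)
    zname, phys, allowed = zonecfg_net(zonecfg_text)
    problems = []
    if node != zname:
        problems.append(f"nodename {node} != zonename {zname}")
    if iface.split("/")[0] != phys:
        problems.append(f"profile interface {iface} does not use zone net resource {phys}")
    if ipaddress.ip_interface(addr) != ipaddress.ip_interface(allowed):
        problems.append(f"static_address {addr} != allowed-address {allowed}")
    found = hosts_address(hosts_text, node)
    if found is None:
        problems.append(f"no /etc/hosts entry for {node}")
    elif ipaddress.ip_address(found) != ipaddress.ip_interface(addr).ip:
        problems.append(f"/etc/hosts has {node} at {found}, profile says {addr}")
    return problems


# Constructed excerpt of the profile (only the two services that matter).
PROFILE = """\
<service_bundle type="profile" name="sysconfig">
  <service version="1" type="service" name="system/identity">
    <instance enabled="true" name="node">
      <property_group type="application" name="config">
        <propval type="astring" name="nodename" value="zone-1"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="network/install">
    <instance enabled="true" name="default">
      <property_group type="application" name="install_ipv4_interface">
        <propval type="astring" name="address_type" value="static"/>
        <propval type="net_address_v4" name="static_address" value="192.168.0.84/24"/>
        <propval type="astring" name="name" value="net9/v4"/>
      </property_group>
    </instance>
  </service>
</service_bundle>
"""
# Constructed `zonecfg -z zone-1 info` excerpt.
ZONECFG = """\
zonename: zone-1
zonepath: /zone/zone-1
brand: solaris
file-mac-profile: fixed-configuration
ip-type: exclusive
net:
    address not specified
    allowed-address: 192.168.0.84/24
    configure-allowed-address: true
    physical: net9
    defrouter not specified
"""
# Constructed /etc/hosts with a stale address for zone-1.
HOSTS = """\
::1             localhost
127.0.0.1       localhost                loghost
192.168.0.33    zone-1.business.corp     zone-1
"""

if __name__ == "__main__":
    for problem in check_zone(PROFILE, ZONECFG, HOSTS) or ["profile, zonecfg and hosts agree"]:
        print(problem)
```

Feed it the real files (the profile XML, the captured `zonecfg -z zone-1 info` output and /zone/zone-1/root/etc/hosts) and fix anything it lists before the first boot; an immutable zone will not let you patch /etc/hosts afterwards without a read-write reboot.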
  

Configuration profile

A system configuration profile exists to avoid interactive prompts during installations.
solaris(5) describes its usage as the -c option to the zoneadm subcommands.
They are roughly equivalent to the Solaris 10 sysidcfg files.

The main benefits are:
  • Consistency;
  • Simplicity;
  • Speed;
 
They can be used during bare-metal system installations but also during zone installations, and even a combination of both. In any case, the benefits are immense and it's worthwhile taking some time to learn how to deal with system configuration profiles.

A system configuration profile is a somewhat complex XML file.
Instead of building it from the scratch, the following approach seems best:
  1. Generate a baseline by using sysconfig create-profile;
  2. Manually edit the baseline accordingly.
    
The 1st step is rather easy.
Simply do:

$ sysconfig create-profile -o <output_xml_file>

The 2nd step may be much harder at first.
That is, while you have to research which excerpts have to be inserted.
The ultimate help is the on-line manuals plus some SMF info extraction.

NOTE
A configuration profile is focused on a client-side configuration.
It can't configure for instance a DNS server.
That's another story.
See sysconfig(1M).
I have already given examples on applying a system configuration profile.
Please, refer to the following other posts:

Examples of system configuration profiles:
   

Monday, July 28, 2014

Immutable zone installation

This post is a kind of wrap up of a few others, such as:

I will just show how an immutable zone gets installed.
On this example the zone won't have any specific services.
Well, at a minimum, for convenience, I chose to make it a NIS client.

On a more real scenario, I would further refine the configuration profile.
For instance, I could add other pre-configured SMF services.

I assume all the premises of the aforementioned posts.
The immutable zone configuration and configuration profile are ready.

In fact, there is more than one installation method.
It can happen through:
  • Automated Installer (AI); not shown on this post;
  • From scratch;
  • Cloning;
   
There's nothing really special about installing from scratch:

# zoneadm -z zone-1 install -c /tmp/zone-1.xml
...

I like the cloning method because it's faster and tends to save space:

# zoneadm -z zone-1 clone -c /tmp/zone-1.xml template-zone
...

NOTE
The argument to the -c option must be an absolute path.
template-zone must not be an immutable zone already.
Here's the zone-1 zone's console on the 1st boot:

# zlogin -C zone-1
[Connected to zone 'zone-1' console]

 
From another terminal just boot the zone:
 
# zoneadm -z zone-1 boot 

Now go back to the zone's console and watch:
 
[NOTICE: Read-only zone booting up read-write]
 

SunOS Release 5.11 Version 11.1 64-bit
Copyright (c) 1983, 2012, Oracle and/or its affiliates...
Hostname: unknown
Hostname: zone-1


[NOTICE: This read-only system transiently booted read/write]
[NOTICE: Now that self assembly has been completed, the system is rebooting]

[NOTICE: Zone rebooting]
 

SunOS Release 5.11 Version 11.1 64-bit
Copyright (c) 1983, 2012, Oracle and/or its affiliates...
Hostname: zone-1

zone-1 console login:


It's remarkable how the system detects that an immutable zone is being installed: on the first boot it brings the zone up read-write, lets self-assembly complete, and then automatically reboots the zone so that it assumes its immutable state. This saves administrators some work and makes sure no interaction is required.