
Logical Domains (LDoms) 1.1 Administration Guide


Contents

1. … If you do not want to minimize the LDoms control domain, your entry should be similar to the following:
      hostname imbulu - Profiles oem.profile - Drivers ldm_control-secure.driver
   11. If you undo hardening during a JumpStart install, you must run the following SMF command to restart the Logical Domains Manager:
      # svcadm enable svc:/ldoms/ldmd:default
   Chapter 3 Installing and Enabling Software
   Installing Logical Domains Manager and Solaris Security Toolkit Software Manually. Perform the following procedures to install the Logical Domains Manager and Solaris Security Toolkit software manually:
   - Install the Logical Domains Manager (LDoms 1.1) Software Manually (page 34)
   - (Optional) Install the Solaris Security Toolkit 4.2 Software Manually (page 34)
   - (Optional) Harden the Control Domain Manually (page 35)
   Install the Logical Domains Manager (LDoms 1.1) Software Manually. Download the Logical Domains Manager 1.1 software (the SUNWldm package) from the Sun Software Download site. See "Download the Software" (page 23) for specific instructions.
   1. Use the pkgadd(1M) command to install the SUNWldm.v package. Use the -G option to install the package in the global zone only, and the -d option to specify the path to the directory that contains the SUNWldm.v package:
      # pkgadd -Gd . SUNWldm.v
   2. Answer y (for yes) to all questions in the interactive prompts.
   3. Use the pkginfo(1) comman…
2. Documentation, Support, and Training
   Documentation: http://docs.sun.com
   Support: http://www.sun.com/support
   Training: http://www.sun.com/training
   Sun Welcomes Your Comments. Sun is interested in improving its documentation and welcomes your comments and suggestions. You can submit your comments by going to http://www.sun.com/hwdocs/feedback. Please include the title and part number of your document with your feedback: Logical Domains (LDoms) 1.1 Administration Guide, part number 820-4913-10.
   Preface (pages xvii-xviii), Logical Domains (LDoms) 1.1 Administration Guide, December 2008.
   CHAPTER 1 Overview of the Logical Domains Software. This chapter contains a brief overview of the Logical Domains software. All of the Solaris OS functionality necessary to use Sun's Logical Domains technology is in the Solaris 10 11/06 release at a minimum, with the addition of necessary patches. However, system firmware and the Logical Domains Manager are also required to use logical domains. Refer to "Required and Recommended Software" in the Logical Domains (LDoms) 1.1 Release Notes for specific details.
   Hypervisor and Logical Domains. This section provides a brief overview of the SPARC hypervisor and the logical domains it supports. The SPARC hypervisor is a small firmware layer that provides a stable virtualized machine architecture to which an operating system can be written. Sun servers using…
3. <!-- A basic type for a localizable string -->
   <xs:complexType name="Info_Type">
     <xs:simpleContent>
       <xs:extension base="xs:string">
         <xs:attribute ref="xml:lang"/>
       </xs:extension>
     </xs:simpleContent>
   </xs:complexType>
   </xs:schema>
   Appendix A XML Schemas
   The ovf-core.xsd Schema
   CODE EXAMPLE A-5 The ovf-core.xsd Schema
   <?xml version="1.0" encoding="UTF-8"?>
   <xs:schema targetNamespace="/var/opt/SUNWldom/envelope" xmlns:ovf="/var/opt/SUNWldom/envelope" xmlns:xs="http://www.w3.org/2001/XMLSchema">
   <xs:include schemaLocation="ovf-section.xsd"/>
   <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
   <!-- A user defined annotation on an entity -->
   <xs:complexType name="AnnotationSection_Type">
     <xs:complexContent>
       <xs:extension base="ovf:Section_Type">
         <xs:sequence>
           <!-- Several localized annotations can be included -->
           <xs:element name="Annotation" type="ovf:Info_Type" minOccurs="0" maxOccurs="unbounded"/>
           <xs:any namespace="##targetNamespace" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
           <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:anyAttribute namespace="##any"/>
       </xs:extension>
     </xs:complexContent>
   </xs:complexType>
   <!-- Product info…
4.     <xs:attribute name="StopAction" type="xs:string"/>
       <xs:anyAttribute namespace="##any"/>
     </xs:complexType>
   </xs:element>
   <xs:any namespace="##targetNamespace" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
   <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
   </xs:sequence>
   <!-- A comma-separated list of transports that the virtual machine supports to provide feedback -->
   <xs:anyAttribute namespace="##any"/>
   </xs:extension>
   </xs:complexContent>
   </xs:complexType>
   <!-- If this section is present, it indicates that the virtual machine needs to be initially booted to install and configure the software -->
   <xs:complexType name="InstallSection_Type">
     <xs:complexContent>
       <xs:extension base="ovf:Section_Type">
         <xs:sequence>
           <xs:any namespace="##targetNamespace" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
           <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
   Appendix A XML Schemas
   CODE EXAMPLE A-5 The ovf-core.xsd Schema (Continued)
         <!-- A comma-separated list of transports that the virtual machine supports to provide feedback -->
         <xs:attribute name="transport" type="xs:string"/>
         <xs:anyAttribute namespace="##any"/>
       </xs:extension>
     </xs:complexContent>
   </xs:complexType>
   …
5. <xs:element name="Caption" nillable="true" type="cim:cimString"/>
   <xs:element name="Description" nillable="true" type="cim:cimString"/>
   <xs:element name="InstanceId" nillable="true" type="cim:cimString"/>
   <xs:element name="VirtualSystemIdentifier" nillable="true" type="cim:cimString"/>
   <xs:element name="VirtualSystemType" nillable="true" type="cim:cimString"/>
   <xs:complexType name="CIM_VirtualSystemSettingData_Type">
     <xs:sequence>
       <xs:element ref="class:Caption" minOccurs="0" maxOccurs="unbounded"/>
       <xs:element ref="class:Description" minOccurs="0" maxOccurs="unbounded"/>
       <xs:element ref="class:InstanceId" minOccurs="0"/>
       <xs:element ref="class:VirtualSystemIdentifier" minOccurs="0"/>
       <xs:element ref="class:VirtualSystemType" minOccurs="0"/>
       <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
     </xs:sequence>
     <xs:anyAttribute namespace="##any"/>
   </xs:complexType>
   <xs:element name="CIM_VirtualSystemSettingData" type="class:CIM_VirtualSystemSettingData_Type"/>
   </xs:schema>
   The cim-common.xsd Schema
   CODE EXAMPLE A-9 The cim-common.xsd Schema
   <?xml version="1.0" encoding="utf-8"?>
   <xs:schema targetNamespace="/var/opt/SUNWldom/common" xmlns:cim="/var/opt/SUNWldom/common" xmlns:xs="http://www…
6. CODE EXAMPLE 4-1 Sample XML Output From list-constraints Subcommand (Continued)
           <gprop:GenericProperty key="block_dev">/opt/SUNWldm/domain_disks/testdisk.nv53.1</gprop:GenericProperty>
           <gprop:GenericProperty key="service_name">primary-vds0</gprop:GenericProperty>
         </Item>
       </Section>
     </Content>
   </Envelope>
   </data>
   </LDM_interface>
   The <Content> tag and the <Section>s inside the <Content> tag describe the primary domain and all the resources contained in the primary domain. The rasd: and gprop:GenericProperty tags within <Item>s describe the properties needed for each resource. You can go through each resource in each <Section> and construct CLI commands based on the resource's constraints. The following sections identify some of the more common resources in the domain XML description and the equivalent CLI command for that resource.
   Logical Domain Information (ldom_info) Section. This section describes the primary domain's MAC address and host ID information. Because this is the primary domain, you cannot set this information; it is automatically set.
   CODE EXAMPLE 4-2 LDoms Information (ldom_info) Section
   <Section xsi:type="ovf:ResourceAllocationSection_Type">
     <Item>
       <rasd:OtherResourceType>ldom_info</rasd:OtherResourceType>
       <rasd:Address>00:03:ba:d8:ba…
7. A single slice disk is also visible from the OS installation software and can be selected as a disk onto which you can install the OS. In that case, if you install the OS using the UNIX File System (UFS), then only the root partition must be defined, and this partition must use all the disk space. Any backend can be exported as a single slice disk except physical disks, which can only be exported as full disks.
   Note: Before the Solaris 10 10/08 OS release, a single slice disk appeared as a disk with a single partition (s0). Such a disk was not visible with the format(1M) command. The disk also was not visible from the OS installation software and could not be selected as a disk device onto which the OS could be installed.
   Virtual Disk Backend Options. Different options can be specified when exporting a virtual disk backend. These options are indicated in the options= argument of the ldm add-vdsdev command as a comma-separated list. The valid options are ro, slice, and excl.
   Read-only (ro) Option. The read-only (ro) option specifies that the backend is to be exported as a read-only device. In that case, the virtual disk assigned to the guest domain can only be accessed for read operations, and any write operation to the virtual disk will fail.
   Exclusive (excl) Option. The exclusive (excl) option specifies that the backend in the service domain has to be opened exclusively by the virtual disk server when it is exported as a vi…
8. Chapter 9 Other Information and Tasks
   List Constraints in a Machine-Readable Format. List constraints for all domains in a parseable format:
   CODE EXAMPLE 9-17 Constraints for All Domains in a Machine-Readable Format
   primary# ldm list-constraints -p
   VERSION 1.0
   DOMAIN|name=primary
   MAC|mac-addr=00:03:ba:d8:b1:46
   VCPU|count=4
   MEMORY|size=805306368
   IO|dev=pci@780|alias=
   |dev=pci@7c0|alias=
   VDS|name=primary-vds0
   |vol=disk-ldg2|opts=|dev=/ldoms/nv72/ldg2-disk
   |vol=vol0|opts=|dev=/ldoms/nv72/ldg1-disk
   VCC|name=primary-vcc0|port-range=5000-5100
   VSW|name=primary-vsw0|mac-addr=|net-dev=e1000g0|dev=switch@0
   DOMAIN|name=ldg1
   VCPU|count=8
   MEMORY|size=1073741824
   VARIABLES
   |boot-device=/virtual-devices@100/channel-devices@200/disk@0:a
   |nvramrc=devalias vnet0 /virtual-devices@100/channel-devices@200/network@0
   |use-nvramrc?=true
   VNET|name=vnet0|dev=network@0|service=primary-vsw0|mac-addr=01:14:4f:fa:0:55
   VDISK|name=vdisk0|vol=vol0@primary-vds0
   Connecting to a Guest Console Over a Network. You can connect to a guest console over a network if the listen_addr property is set to the IP address of the control domain in the vntsd(1M) SMF manifest. For example:
   $ telnet host-name 5001
   Note: Enabling network access to a console has security implications. Any user can connect to a console, and for this reason it is disabled by default.
   1…
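The parseable listing and the console note above are what an administrator would want to check mechanically after every configuration change. The following Python is an added example, not code from this guide or from the ldm tool: it parses `ldm list-constraints -p` output into per-domain records, reports every virtual disk server volume exported with neither `ro` nor `excl` (a backend the guest can write and the service domain can still open concurrently), and reports the VCC port ranges that become reachable from the network once vntsd's listen_addr is changed away from localhost. The listing it parses is constructed from CODE EXAMPLE 9-17; the `ro,excl` options on vol0 and the listen_addr values passed in are assumptions made for the demonstration.

```python
"""Audit an `ldm list-constraints -p` listing: disk exports without ro/excl and console
ports that become network-reachable when vntsd no longer listens on localhost.
Added example; not part of the LDoms guide or of the ldm tool."""

# Constructed listing modelled on CODE EXAMPLE 9-17; the "ro,excl" options on vol0
# are an assumption added so that both outcomes of the check appear.
SAMPLE = """\
VERSION 1.0
DOMAIN|name=primary
MAC|mac-addr=00:03:ba:d8:b1:46
VCPU|count=4
MEMORY|size=805306368
IO|dev=pci@780|alias=
|dev=pci@7c0|alias=
VDS|name=primary-vds0
|vol=disk-ldg2|opts=|dev=/ldoms/nv72/ldg2-disk
|vol=vol0|opts=ro,excl|dev=/ldoms/nv72/ldg1-disk
VCC|name=primary-vcc0|port-range=5000-5100
VSW|name=primary-vsw0|mac-addr=|net-dev=e1000g0|dev=switch@0
DOMAIN|name=ldg1
VCPU|count=8
MEMORY|size=1073741824
VARIABLES
|boot-device=/virtual-devices@100/channel-devices@200/disk@0:a
VNET|name=vnet0|dev=network@0|service=primary-vsw0|mac-addr=00:14:4f:fa:0f:55
VDISK|name=vdisk0|vol=vol0@primary-vds0
"""

LOOPBACK = ("", "localhost", "127.0.0.1", "::1")


def _fields(chunk):
    """'a=1|b=|c=x' -> {'a': '1', 'b': '', 'c': 'x'} (empty values are kept)."""
    out = {}
    for part in chunk.split("|"):
        if part:
            key, _, val = part.partition("=")
            out[key] = val
    return out


def parse_constraints(text):
    """Map each domain name to its records. A record is
    {'type': 'VDS', 'fields': {...}, 'subs': [{...}, ...]}; a line that begins
    with '|' continues the previous record (one sub-record per line)."""
    domains, domain, record = {}, None, None
    for line in text.splitlines():
        if not line or line.startswith("VERSION"):
            continue
        if line.startswith("|"):
            if record is None:
                raise ValueError("continuation line before any record: %r" % line)
            record["subs"].append(_fields(line))
            continue
        rtype, _, rest = line.partition("|")
        fields = _fields(rest)
        if rtype == "DOMAIN":
            domain, record = fields["name"], None
            domains[domain] = []
            continue
        if domain is None:
            raise ValueError("record %r appears before any DOMAIN line" % rtype)
        record = {"type": rtype, "fields": fields, "subs": []}
        domains[domain].append(record)
    return domains


def vds_exports(domains):
    """Every volume exported by every virtual disk server, with its option set."""
    found = []
    for dom, records in domains.items():
        for rec in records:
            if rec["type"] != "VDS":
                continue
            for sub in rec["subs"]:
                opts = {o for o in sub.get("opts", "").split(",") if o}
                found.append({"domain": dom, "service": rec["fields"]["name"],
                              "vol": sub["vol"], "dev": sub["dev"], "opts": opts})
    return found


def unprotected_exports(domains):
    """Volumes exported with neither ro nor excl: the guest can write the backend,
    and the service domain can still open the same backend at the same time."""
    return [e for e in vds_exports(domains) if not e["opts"] & {"ro", "excl"}]


def console_port_ranges(domains):
    """(vcc name, low port, high port) for every virtual console concentrator."""
    ranges = []
    for records in domains.values():
        for rec in records:
            if rec["type"] == "VCC":
                low, high = rec["fields"]["port-range"].split("-")
                ranges.append((rec["fields"]["name"], int(low), int(high)))
    return ranges


def consoles_reachable_over_network(listen_addr, domains):
    """True when vntsd's listen_addr is not a loopback address, i.e. every console
    port in the VCC ranges accepts a plain telnet from the network."""
    return bool(console_port_ranges(domains)) and listen_addr.strip() not in LOOPBACK


if __name__ == "__main__":
    doms = parse_constraints(SAMPLE)
    for e in unprotected_exports(doms):
        print("%s: %s@%s -> %s exported without ro or excl" % (e["domain"], e["vol"], e["service"], e["dev"]))
    for name, low, high in console_port_ranges(doms):
        print("%s: console ports %d-%d" % (name, low, high))
```

On a real control domain, feed it `ldm list-constraints -p` output captured to a file, and pass the current vntsd listen address (the value of the vntsd/listen_addr SMF property, which I assume is read with svcprop) to consoles_reachable_over_network; a True result means the whole 5000-5100 range in the example is an unauthenticated console login path and needs a host firewall rule or a return to localhost.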
9.     <Item>
         <rasd:OtherResourceType>LDom Resource Type</rasd:OtherResourceType>
         <gprop:GenericProperty key="Property name">Property Value</gprop:GenericProperty>
       </Item>
     </Section>
   </Envelope>
   </data>
   </cmd>
   </LDM_event>
   Chapter 10 Using the XML Interface With the Logical Domains Manager
   Event Types. The three types of events to which you can subscribe are:
   - Domain events
   - Resource events
   - Hardware events
   All the events correspond to Logical Domains Manager (ldm) subcommands.
   Domain Events. Domain events describe what actions can be performed directly to a domain. The following table shows the domain events which can be listed in the <action> tag in the <LDM_event> message.
   Domain Events: add-domain, remove-domain, bind-domain, unbind-domain, start-domain, stop-domain, domain-reset, panic-domain
   These events always contain only a <Content> tag in the OVF data section that describes to which domain the event happened. To register for the domain events, send an <LDM_interface> message with the <action> tag set to reg-domain-events. Unregistering for these events requires an <LDM_interface> message with the <action> tag set to unreg-domain-events.
   Resource Events. Resource events occur when resources are added, removed, or changed in any domain…
10. LDC: logical domain channel
   ldm(1M): Logical Domain Manager utility
   ldmd: Logical Domains Manager daemon
   lofi: loopback file
   logical domain: Discrete logical grouping with its own operating system, resources, and identity within a single computer system
   Logical Domains (LDoms) Manager: Provides a CLI to create and manage logical domains and allocate resources to domains
   LUN: logical unit number
   M
   MAC: media access control address, which LDoms can automatically assign or you can assign manually
   MAU: Modular Arithmetic Unit, the cryptographic device for Sun UltraSPARC T1-based platforms
   MB: megabyte
   MD: machine description in the server database
   mem, memory: memory unit; default size in bytes, or specify gigabytes (G), kilobytes (K), or megabytes (M). Virtualized memory of the server that can be allocated to guest domains
   metadb(1M): create and delete replicas of the SVM metadevice state database
   metaset(1M): configure disk sets
   mhd(7I): multihost disk control operations
   MIB: Management Information Base
   minimizing: Installing the minimum number of core Solaris OS packages necessary
   MMF: Multimode fiber
   MMU: memory management unit
   mpgroup: multipathing group name for virtual disk failover
   mtu: maximum transmission unit
   N
   NAT: Network Address Translation
   ndpsldcc: Netra DPS Logical Domain Channel Client. See also vdpcc.
   ndpsldcs: Netra DPS Logical Domain Channel Service. See also vdpcs.
   NFS: network file system
   NIS: Network Information Services
   NIU: Network Interface Unit (Sun SPARC Enterprise T5120 and T5220 servers)
   NTS: network terminal server
   NVRAM: non-volatile random access memory
   nxge: Driver for Sun x8 Express 1/10G Ethernet Adapter
   O
   OS: operating system
   OVF: Open Virtualization Format
   P
   PA: physical address
   PCI: peripheral component interconnect bus
   PCIe: PCI Express bus
   PCI-X: PCI Extended bus
   pcpu: physical CPU
   physio: physical input/output
   PICL: Platform Information and Control Library
   picld(1M): PICL daemon
11. PM: Power management of virtual CPUs
   praudit(1M): print contents of an audit trail file
   PRI: priority
   R
   RA: real address
   RAID: Redundant Array of Inexpensive Disks
   RBAC: Role-Based Access Control
   RPC: Remote Procedure Call
   S
   SASL: Simple Authentication and Security Layer
   SAX: Simple API for XML parser, which traverses an XML document. The SAX parser is event-based and used mostly for streaming data
   SC: system controller, also known as service processor
   SCSI: Small Computer System Interface
   service domain: Logical domain that provides devices, such as virtual switches, virtual console connectors, and virtual disk servers, to other logical domains
   SMA: System Management Agent
   SMF: Serv…
   SNMP, SP, SSH, ssh(1), sshd(1M), SunVTS: …
12. Remove a Virtual Disk
   1. Remove a virtual disk from a guest domain by using the following command:
      # ldm rm-vdisk disk-name ldom
   2. Stop exporting the corresponding backend from the service domain by using the following command:
      # ldm rm-vdsdev volume-name@service-name
   Virtual Disk Appearance. When a backend is exported as a virtual disk, it can appear in the guest domain either as a full disk or as a single slice disk. The way it appears depends on the type of the backend and on the options used to export it.
   Full Disk. When a backend is exported to a domain as a full disk, it appears in that domain as a regular disk with 8 slices (s0 to s7). Such a disk is visible with the format(1M) command. The disk's partition table can be changed using either the fmthard(1M) or format(1M) command. A full disk is also visible to the OS installation software and can be selected as a disk onto which the OS can be installed. Any backend can be exported as a full disk except physical disk slices, which can only be exported as single slice disks.
   Single Slice Disk. When a backend is exported to a domain as a single slice disk, it appears in that domain as a regular disk with 8 slices (s0 to s7). However, only the first slice (s0) is usable. Such a disk is visible with the format(1M) command, but the disk's partition table cannot be changed…
13. … type="xs:string" use="required"/>
   Appendix A XML Schemas
   The ovf-envelope.xsd Schema
   CODE EXAMPLE A-3 The ovf-envelope.xsd Schema
   <?xml version="1.0" encoding="UTF-8"?>
   <xs:schema targetNamespace="/var/opt/SUNWldom/envelope" xmlns:ovf="/var/opt/SUNWldom/envelope" xmlns:xs="http://www.w3.org/2001/XMLSchema">
   <!-- Include virtual hardware schema -->
   <xs:include schemaLocation="ovf-section.xsd"/>
   <xs:include schemaLocation="cim-virtualhardware.xsd"/>
   <xs:include schemaLocation="ovf-core.xsd"/>
   <!-- Root element of a OVF package -->
   <xs:element name="Envelope" type="ovf:Envelope_Type"/>
   <xs:complexType name="Envelope_Type">
     <xs:sequence>
       <!-- References to all external files -->
       <xs:element name="References" type="ovf:References_Type"/>
       <!-- Package level meta-data -->
       <xs:element name="Section" type="ovf:Section_Type" minOccurs="0" maxOccurs="unbounded"/>
       <!-- Content: A virtual machine or a vService -->
       <xs:element name="Content" type="ovf:Entity_Type" minOccurs="0" maxOccurs="unbounded"/>
       <xs:any namespace="##targetNamespace" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
       <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
     </xs:sequence>
     <xs:attribute name="Signed" type="xs:boolean" use="optional"/>
     <xs:attrib…
14. 2. Assign virtual CPUs to the control domain. For example, the following command would assign 4 virtual CPUs to the control domain (primary). This leaves the remainder of the virtual CPUs available to a guest domain.
      primary# ldm set-vcpu 4 primary
   3. Assign memory to the control domain. For example, the following command would assign 4 gigabytes of memory to the control domain (primary). This leaves the remainder of the memory available to a guest domain.
      primary# ldm set-memory 4G primary
   4. Add a logical domain machine configuration to the system controller (SC). For example, the following command would add a configuration called initial:
      primary# ldm add-config initial
   5. Verify that the configuration is ready to be used at the next reboot:
      primary# ldm list-config
      factory-default
      initial [next poweron]
      This list subcommand shows that the initial configuration set will be used once you power cycle.
   Rebooting to Use Logical Domains. You must reboot the control/service domain for the configuration changes to take effect and the resources to be released for other logical domains to use.
   Reboot. Shut down and reboot the primary domain, which is also the service domain in our examples:
      primary# shutdown -y -g0 -i6
   Chapter 4 Setting Up Services and Logical Domains
   Note: Either a reboot or power cyc…
15. …f6</rasd:Address>
       <gprop:GenericProperty key="hostid">0x83d8baf6</gprop:GenericProperty>
     </Item>
   </Section>
   In this example, the logical domain information (ldom_info) is as follows:
   - MAC address: 00:03:ba:d8:ba:f6
   - hostid: 0x83d8baf6
   Chapter 4 Setting Up Services and Logical Domains
   Cryptographic (mau) Section. This section describes the number of cryptographic units (maus) allocated to the primary domain.
   Note: Even though the mau section comes after the cpu section in the XML listing, you must run the set-mau subcommand before the set-vcpu subcommand, because you cannot remove CPUs from a domain without also removing their corresponding cryptographic units.
   CODE EXAMPLE 4-3 Cryptographic (mau) Section
   <Section xsi:type="ovf:VirtualHardwareSection_Type">
     <Item>
       <rasd:OtherResourceType>mau</rasd:OtherResourceType>
       <rasd:AllocationUnits>1</rasd:AllocationUnits>
     </Item>
   </Section>
   This section is equivalent to the following CLI command:
   # ldm set-mau 1 primary
   CPU (cpu) Section. This section describes the number of virtual CPUs allocated to the primary domain.
   CODE EXAMPLE 4-4 CPU (cpu) Section
   <Section xsi:type="ovf:VirtualHardwareSection_Type">
     <Item>
       <rasd:OtherResourceType>cpu</rasd:OtherResourceType>
       <rasd:AllocationUnits>4</rasd:AllocationUnits>
     </Item>
   </Section>
16.   <Item>
       <rasd:OtherResourceType>memory</rasd:OtherResourceType>
       <rasd:AllocationUnits>4G</rasd:AllocationUnits>
     </Item>
   </Section>
   </Content>
   </Envelope>
   A memory resource is always contained within a <Content> section. The only property is the <rasd:AllocationUnits> tag, which signifies the amount of memory.
   Virtual Disk Server (vds) Resource
   CODE EXAMPLE 10-10 Example vds XML
   <Envelope>
     <References/>
     <Content xsi:type="ovf:VirtualSystem_Type" id="ldg1">
       <Section xsi:type="ovf:VirtualHardwareSection_Type">
         <Item>
           <rasd:OtherResourceType>vds</rasd:OtherResourceType>
           <gprop:GenericProperty key="service_name">vdstmp</gprop:GenericProperty>
         </Item>
       </Section>
     </Content>
   </Envelope>
   A virtual disk server (vds) resource can be in a <Content> section as part of a domain description, or it can appear on its own in an <Envelope> section. The only property is the <gprop:GenericProperty> tag with a key of service_name, which contains the name of the vds resource being described.
   Virtual Disk Server Volume (vds_volume) Resource
   CODE EXAMPLE 10-11 Example vds_volume XML
   <Envelope>
     <References/>
     <Section xsi:type="ovf:VirtualHardwareSection_Type">
       <Item>
         <rasd:OtherResourceT…
17. … Powers off and powers on the host.
   For Sun UltraSPARC T2 processors: reboots the host (no power off). For Sun UltraSPARC T1 processors: powers off the host.
   Host powered off; stays off until powered on at the SC.
   Soft resets and reboots.
   Using LDoms With ALOM CMT. This section describes information to be aware of in using Advanced Lights Out Manager (ALOM) chip multithreading (CMT) with the Logical Domains Manager. For more information about using the ALOM CMT software, refer to the Advanced Lights Out Management (ALOM) CMT v1.3 Guide.
   Caution: The ALOM CMT documentation refers to only one domain, so you must be aware that the Logical Domains Manager is introducing multiple domains. If the control domain is restarted, I/O services for guest domains might be unavailable until the control domain has restarted. This is because the control domain functions as a service domain in the Logical Domains Manager 1.1 software. Guest domains appear to freeze during the reboot process. Once the control domain has fully restarted, the guest domains resume normal operations. It is only necessary to shut down guest domains when power is going to be removed from the entire server.
   An additional option is available to the existing ALOM CMT command:
      bootmode [normal] [reset_nvram] [bootscript="string"] [config="config-name"]
   The config="config-name" option enables you to set t…
18. This schema is an extension to the Open Virtualization Format (OVF) schema.
   CODE EXAMPLE A-14 Binding_Type XML Schema
   <?xml version="1.0" encoding="utf-8"?>
   <xs:schema targetNamespace="/var/opt/SUNWldom/Binding" xmlns:class="/var/opt/SUNWldom/Binding" xmlns:rasd="/var/opt/SUNWldom/CIM_ResourceAllocationSettingData" xmlns:xs="http://www.w3.org/2001/XMLSchema">
   <xs:import namespace="/var/opt/SUNWldom/CIM_ResourceAllocationSettingData" schemaLocation="cim-rasd.xsd"/>
   <xs:complexType name="Binding_Type">
     <xs:sequence>
       <xs:element name="Item" type="rasd:CIM_ResourceAllocationSettingData_Type"/>
     </xs:sequence>
   </xs:complexType>
   </xs:schema>
   Glossary. This list defines terminology, abbreviations, and acronyms in the Logical Domains documentation.
   A
   ALOM CMT: Advanced Lights Out Manager chip multithreading, which runs on the system controller and allows you to monitor and control your CMT server
   API: Application Programming Interface
   auditreduce(1M): merge and select audit records from audit trail files
   auditing: Using the Solaris OS BSM to identify the source of security changes
   authorization: Setting up authorization using the Solaris OS RBAC
   B
   bge: Broadcom Gigabit Ethernet driver on Broadcom BCM57xx devices
   BSM: Basic Security Module
   bsmconv(1M), bsmunconv(1M): enable the…
19. … ensure that the slice does not start on the first block (block 0) of the physical disk, by using the prtvtoc(1M) command. If you directly or indirectly export a disk slice which starts on the first block of a physical disk, you might overwrite the partition table of the physical disk and make all partitions of that disk inaccessible.
   Chapter 6 Using Virtual Disks With Logical Domains
   Configuring Virtual Disk Multipathing. If a virtual disk backend is accessible through different service domains, then you can configure virtual disk multipathing so that the virtual disk in a guest domain remains accessible if a service domain goes down. An example of a virtual disk backend accessible through different service domains is a file on a network file system (NFS) server, or a shared physical disk connected to several service domains. To enable virtual disk multipathing, you must export a virtual disk backend from the different service domains and add it to the same multipathing group (mpgroup). The mpgroup is identified by a name and is configured when the virtual disk backend is exported. FIGURE 6-2 illustrates how to configure virtual disk multipathing. In this example, a multipathing group named foo is used to create a virtual disk whose backend is accessible from two service domains, primary and alternate.
   FIGURE 6-2 Configuring Virtual Disk Multipathing (virtual disk backend: NFS file or shared disk; active channel; backup channel)…
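A check for the block-0 warning above, written here as an added example and not taken from the guide: it parses prtvtoc(1M) output and reports every slice whose first sector is 0. Such a slice, or any file system or volume that sits on it, must not be exported, because the guest's writes would land on the physical disk's label and partition table. The prtvtoc listing is constructed for the example; only the column layout of the real command's output is assumed.

```python
"""Find disk slices that start on block 0 in prtvtoc(1M) output, before exporting
them with ldm add-vdsdev. Added example; not code from the LDoms guide."""
import re

# Constructed prtvtoc listing (not captured from a real system). Comment lines begin
# with '*'; data rows are: partition tag flags first-sector sector-count last-sector
# [mount-directory].
SAMPLE_VTOC = """\
* /dev/rdsk/c1t0d0s2 partition map
*
* Dimensions:
*     512 bytes/sector
*      63 sectors/track
*     255 tracks/cylinder
*   16065 sectors/cylinder
*    8924 cylinders
*    8922 accessible cylinders
*
* Flags:
*   1: unmountable
*  10: read-only
*
*                          First     Sector    Last
* Partition  Tag  Flags    Sector     Count    Sector  Mount Directory
       0      2    00          0  20964825  20964824   /
       1      3    01   20964825   4192965  25157789
       2      5    00          0 143331930 143331929
       7      8    00   25157790 118174140 143331929   /export/home
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\w+)\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_prtvtoc(text):
    """Return one dict per slice with integer sector fields; comment lines are skipped
    and anything that is not a slice row is ignored."""
    slices = []
    for line in text.splitlines():
        if line.startswith("*"):
            continue
        m = ROW.match(line)
        if not m:
            continue
        slices.append({
            "slice": int(m.group(1)), "tag": int(m.group(2)), "flags": m.group(3),
            "first": int(m.group(4)), "count": int(m.group(5)), "last": int(m.group(6)),
            "mount": m.group(7),
        })
    return slices


def slices_starting_at_block_zero(text):
    """Slice numbers whose first sector is 0. Exporting any of them (directly, or via a
    file or volume placed on them) lets the guest overwrite the disk's VTOC/label.
    Slice 2 conventionally spans the whole disk and so always appears here."""
    return [s["slice"] for s in parse_prtvtoc(text) if s["first"] == 0]


def safe_to_export(text, slice_no):
    """True only if the slice exists in the listing and does not start on block 0."""
    for s in parse_prtvtoc(text):
        if s["slice"] == slice_no:
            return s["first"] != 0
    return False


if __name__ == "__main__":
    print("slices starting on block 0:", slices_starting_at_block_zero(SAMPLE_VTOC))
    for n in (0, 1, 7):
        print("s%d safe to export: %s" % (n, safe_to_export(SAMPLE_VTOC, n)))
```

Run it against `prtvtoc /dev/rdsk/cXtYdZs2` output from the service domain; a slice the function reports as unsafe can still be exported if you first repartition it (fmthard(1M)) so that it starts past the label, which is the condition the warning above is about.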
20. </Section>
   Where:
   - The XML key property service_name is the service name for this instance of the virtual disk server, in this case primary-vds0. The service_name must be unique among all virtual disk server instances on the server.
   This section is the equivalent of the following CLI command:
   # ldm add-vds primary-vds0 primary
   Chapter 4 Setting Up Services and Logical Domains
   Virtual Disk Server Device (vdsdev) Section. This section describes any device (vdsdev) exported by the virtual disk server that is allocated to the primary domain.
   <Section xsi:type="ovf:VirtualHardwareSection_Type">
     <Item>
       <rasd:OtherResourceType>vds_volume</rasd:OtherResourceType>
       <gprop:GenericProperty key="vol_name">vdsdev0</gprop:GenericProperty>
       <gprop:GenericProperty key="service_name">primary-vds0</gprop:GenericProperty>
       <gprop:GenericProperty key="block_dev">/opt/SUNWldm/domain_disks/testdisk1</gprop:GenericProperty>
       <gprop:GenericProperty key="vol_opts">ro</gprop:GenericProperty>
       <gprop:GenericProperty key="mpgroup">mpgroup-name</gprop:GenericProperty>
     </Item>
   </Section>
   Where:
   - The XML key properties volume name (vol_name) and service name (service_name) are paired in the CLI command, in this case vdsdev0@primary-vds0.
   - The XML key property block_dev is the backend argument in the equivalent CLI comma…
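The guide says you can walk each <Section> and construct the equivalent CLI command from the resource's properties. The following Python, an added example rather than the Logical Domains Manager's own code, does that for the vds and vds_volume sections shown above: it builds `ldm add-vds service domain` from a vds item inside a <Content> element and `ldm add-vdsdev [options=...] [mpgroup=...] backend vol@service` from a vds_volume item, matching elements by local name so that the exact gprop namespace URI (assumed below, since this excerpt does not show it) does not matter, and refusing to emit an add-vdsdev line when vol_name, service_name or block_dev is missing. The XML document is constructed from the two sections above.

```python
"""Translate vds / vds_volume <Section>s from Logical Domains Manager XML into the
equivalent ldm command lines. Added example; not part of the LDoms guide or of ldm."""
import xml.etree.ElementTree as ET

# The rasd and ovf URIs are the ones the schemas in this guide declare; the gprop URI
# is an assumption (the lookup below is by local name, so it is never relied on).
NS = {
    "ovf": "/var/opt/SUNWldom/envelope",
    "rasd": "/var/opt/SUNWldom/CIM_ResourceAllocationSettingData",
    "gprop": "/var/opt/SUNWldom/GenericProperty",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed document based on the vds and vdsdev sections quoted above.
SAMPLE_XML = """<Envelope xmlns="{ovf}" xmlns:rasd="{rasd}" xmlns:gprop="{gprop}" xmlns:xsi="{xsi}">
  <References/>
  <Content xsi:type="ovf:VirtualSystem_Type" id="primary">
    <Section xsi:type="ovf:VirtualHardwareSection_Type">
      <Item>
        <rasd:OtherResourceType>vds</rasd:OtherResourceType>
        <gprop:GenericProperty key="service_name">primary-vds0</gprop:GenericProperty>
      </Item>
    </Section>
    <Section xsi:type="ovf:VirtualHardwareSection_Type">
      <Item>
        <rasd:OtherResourceType>vds_volume</rasd:OtherResourceType>
        <gprop:GenericProperty key="vol_name">vdsdev0</gprop:GenericProperty>
        <gprop:GenericProperty key="service_name">primary-vds0</gprop:GenericProperty>
        <gprop:GenericProperty key="block_dev">/opt/SUNWldm/domain_disks/testdisk1</gprop:GenericProperty>
        <gprop:GenericProperty key="vol_opts">ro</gprop:GenericProperty>
        <gprop:GenericProperty key="mpgroup">foo</gprop:GenericProperty>
      </Item>
    </Section>
  </Content>
</Envelope>""".format(**NS)

REQUIRED_VOLUME_KEYS = ("vol_name", "service_name", "block_dev")


def _local(tag):
    """'{uri}Name' -> 'Name'; tags without a namespace pass through unchanged."""
    return tag.rsplit("}", 1)[-1]


def item_properties(item):
    """(resource type, {property key: value}) for one <Item>."""
    rtype, props = None, {}
    for child in item:
        name = _local(child.tag)
        if name == "OtherResourceType":
            rtype = (child.text or "").strip()
        elif name == "GenericProperty":
            props[child.get("key")] = (child.text or "").strip()
    return rtype, props


def missing_required(props):
    """Keys a vds_volume item must carry but does not (empty counts as missing)."""
    return [k for k in REQUIRED_VOLUME_KEYS if not props.get(k)]


def vds_volume_to_cli(props):
    """ldm add-vdsdev [options=...] [mpgroup=...] backend vol_name@service_name"""
    missing = missing_required(props)
    if missing:
        raise ValueError("vds_volume item is missing %s" % ", ".join(missing))
    argv = ["ldm", "add-vdsdev"]
    if props.get("vol_opts"):
        argv.append("options=" + props["vol_opts"])
    if props.get("mpgroup"):
        argv.append("mpgroup=" + props["mpgroup"])
    argv.append(props["block_dev"])
    argv.append("%s@%s" % (props["vol_name"], props["service_name"]))
    return argv


def commands_for(xml_text):
    """Walk every <Item> and return the equivalent commands, each as an argv list.
    A vds item needs the id of its enclosing <Content> (the domain); vds_volume does not."""
    root = ET.fromstring(xml_text)
    out = []

    def walk(node, domain):
        name = _local(node.tag)
        if name == "Content":
            domain = node.get("id") or node.get("{%s}id" % NS["ovf"])
        if name == "Item":
            rtype, props = item_properties(node)
            if rtype == "vds":
                if domain is None:
                    raise ValueError("vds item outside <Content>: no domain to bind it to")
                out.append(["ldm", "add-vds", props["service_name"], domain])
            elif rtype == "vds_volume":
                out.append(vds_volume_to_cli(props))
            return
        for child in node:
            walk(child, domain)

    walk(root, None)
    return out


if __name__ == "__main__":
    for argv in commands_for(SAMPLE_XML):
        print(" ".join(argv))
```

The argv-list form is deliberate: passing the list to subprocess without a shell keeps a backend path or mpgroup name taken from XML from being interpreted by the shell, and the missing-key check stops a half-specified volume from being exported at all.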
21. |pid=7|util=34|strand=100
   |vid=2|pid=8|util=35|strand=100
   MEMORY|ra=0x8000000|pa=0x78000000|size=1073741824
   VARIABLES
   CODE EXAMPLE 9-18 Long Parseable List of Logical Domains Configurations (Continued)
   |auto-boot?=true
   |boot-device=/virtual-devices@100/channel-devices@200/disk@0
   VNET|name=net|dev=network@0|service=primary-vsw0@primary|mac-addr=00:14:4:9:8f:e7
   VDISK|name=vdisk2|vol=disk-ldg2@primary-vds0|dev=disk@0|server=primary
   VCONS|group=group2|service=primary-vcc0@primary|port=5000
   Using Console Groups. The virtual network terminal server daemon, vntsd(1M), enables you to provide access for multiple domain consoles using a single TCP port. At the time of domain creation, the Logical Domains Manager assigns a unique TCP port to each console by creating a new default group for that domain's console. The TCP port is then assigned to the console group, as opposed to the console itself. The console can be bound to an existing group using the set-vcons subcommand.
   Combine Multiple Consoles Into One Group
   1. Bind the consoles for the domains into one group. The following example shows binding the console for three different domains (ldg1, ldg2, and ldg3) to the same console group (group1):
      primary# ldm set-vcons group=group1 service=primary-vcc0 ldg1
      primary# ldm set-vcons group=group1…
22. <Envelope>
     <References/>
     <Content xsi:type="ovf:VirtualSystem_Type" ovf:id="primary">
       <Section xsi:type="ovf:ResourceAllocationSection_Type">
         <Item>
           <rasd:OtherResourceType>ldom_info</rasd:OtherResourceType>
           <rasd:Address>00:03:ba:d8:ba:f6</rasd:Address>
           <gprop:GenericProperty key="hostid">0x83d8baf6</gprop:GenericProperty>
         </Item>
       </Section>
       <Section xsi:type="ovf:VirtualHardwareSection_Type">
         <Item>
           <rasd:OtherResourceType>cpu</rasd:OtherResourceType>
           <rasd:AllocationUnits>4</rasd:AllocationUnits>
         </Item>
       </Section>
       <Section xsi:type="ovf:VirtualHardwareSection_Type">
         <Item>
           <rasd:OtherResourceType>mau</rasd:OtherResourceType>
           <rasd:AllocationUnits>1</rasd:AllocationUnits>
         </Item>
       </Section>
   Chapter 4 Setting Up Services and Logical Domains
   CODE EXAMPLE 4-1 Sample XML Output From list-constraints Subcommand (Continued)
       <Section xsi:type="ovf:VirtualHardwareSection_Type">
         <Item>
           <rasd:OtherResourceType>memory</rasd:OtherResourceType>
           <rasd:AllocationUnits>4G</rasd:AllocationUnits>
         </Item>
       </Section>
       <Section xsi:type="ovf:VirtualHardwareSection_Type">
         <Item>
           <rasd:OtherResourceType>physio_device</rasd:OtherResourceType>
           <gprop:GenericProperty key="name">pci@7c0</gprop:GenericProperty>
         </Item>…
23. From the service domain, assign the disk fdisk to guest domain ldg1, for example:
      service# ldm add-vdisk fdisk fdisk0@primary-vds0 ldg1
   4. After the guest domain is started and running the Solaris OS, you can list the disk (c0d5, for example) and see that the disk is accessible and is a full disk, that is, a regular disk with 8 slices:
      ldg1# ls -l /dev/dsk/c0d5s*
      /dev/dsk/c0d5s0
      /dev/dsk/c0d5s1
      /dev/dsk/c0d5s2
      /dev/dsk/c0d5s3
      /dev/dsk/c0d5s4
      /dev/dsk/c0d5s5
      /dev/dsk/c0d5s6
      /dev/dsk/c0d5s7
   File or Volume Exported as a Single Slice Disk. If the slice option is set, then the file or volume is exported as a single slice disk. In that case, the virtual disk has only one partition (s0), which is directly mapped to the file or volume backend. The file or volume only contains data written to the virtual disk, with no extra data like partitioning information or disk structure. When a file or volume is exported as a single slice disk, the system simulates a fake disk partitioning which makes that file or volume appear as a disk slice. Because the disk partitioning is simulated, you do not create partitioning for that disk.
   Export a ZFS Volume as a Single Slice Disk
   1. From the service domain, create a ZFS volume (zdisk0, for example) to use as a single slice disk:
      service# zfs create -V 100m ldoms/domain/test/zdisk0
      The size of the volume defines t…
24. The data section for some of these events contains the <Content> tag with a <Section> tag giving a service name in the OVF data section. The following table shows events which can be listed in the <action> tag in the <LDM_event> message.
   Resource Events: add-vdiskserverdevice, remove-vdiskserverdevice, set-vdiskserverdevice, remove-vdiskserver, set-vconscon, remove-vconscon, set-vswitch, remove-vswitch, remove-vdpcs
   The remaining resource events always contain only the <Content> tag in the OVF data section that describes to which domain the event happened.
   Resource Events: add-vcpu, add-crypto, add-memory, add-io, add-variable, add-vconscon, add-vdisk, add-vdiskserver, add-vnet, add-vswitch, add-vdpcs, add-vdpcc, set-vcpu, set-crypto, set-memory, set-variable, set-vnet, set-vconsole, set-vdisk, remove-vcpu, remove-crypto, remove-memory, remove-io, remove-variable, remove-vdisk, remove-vnet, remove-vdpcc
   To register for the resource events, send an <LDM_interface> message with the <action> tag set to reg-resource-events. Unregistering for these events requires an <LDM_interface> message with the <action> tag set to unreg-resource-events.
   Chapter 10 Using the XML Interface With the Logical Domains Manager
   Hardware Events. Hardware events pertain to changing the physical system hardware. In the case of LDoms software, the only hardware changes that can be made are those…
25. adapted for the Logical Domains Manager to identify the source of security changes to the system: to determine what was done, when it was done, by whom, and what was affected.
    Compliance: determining whether a system's configuration is in compliance with a predefined security profile, using the Solaris Security Toolkit's auditing feature.
    Solaris Security Toolkit and the Logical Domains Manager. Chapter 3 tells you how to install the Solaris Security Toolkit to make it work with the Logical Domains Manager. You would install the Solaris Security Toolkit on the control domain, which is where the Logical Domains Manager runs. You can also install the Solaris Security Toolkit on the other logical domains. The only difference would be that you would use the ldm_control-secure.driver to harden the control domain, and you would use another driver, such as the secure.driver, to harden the other logical domains. This is because the ldm_control-secure.driver is specific to the control domain. The ldm_control-secure.driver is based on the secure.driver and has been customized and tested for use with the Logical Domains Manager. Refer to the Solaris Security Toolkit 4.2 Reference Manual for more information about the secure.driver.
    Hardening. The driver (ldm_control-secure.driver) that Solaris Security Toolkit uses to harden the Solaris OS on the control domain is specifically tailor
26. and physical network to which it is connected.
    Managing a Virtual Switch. This section describes adding a virtual switch to a domain, setting options for a virtual switch, and removing a virtual switch.
    Add a Virtual Switch. Use the following command syntax to add a virtual switch:
        ldm add-vsw [default-vlan-id=vlan-id] [pvid=port-vlan-id] [vid=vlan-id1,vlan-id2,...] [mac-addr=num] [net-dev=device] [mode=sc] vswitch-name ldom
    Where:
    - default-vlan-id=vlan-id specifies the default virtual local area network (VLAN) to which a virtual switch and its associated virtual network devices belong implicitly, in untagged mode. It serves as the default port VLAN id (pvid) of the virtual switch and virtual network devices. Without this option, the default value of this property is 1. Normally, you would not need to use this option. It is provided only as a way to change the default value of 1. See Using VLAN Tagging With Logical Domains Software on page 122 for more information.
    - pvid=port-vlan-id specifies the VLAN of which the virtual switch needs to be a member, in untagged mode. See Using VLAN Tagging With Logical Domains Software on page 122 for more information.
    - vid=vlan-id specifies one or more VLANs of which a virtual switch needs to be a member, in tagged mode. See Using VLAN Tagging With Logical Domains Software on page 122 for more inform
27. ldm set-vdisk [timeout=seconds] disk-name ldom
    Specify the timeout in seconds. If the timeout is set to 0, the timeout is disabled and I/O is blocked while the service domain is down (this is the default setting and behavior). Alternatively, the timeout can be set by adding the following line to the /etc/system file on the guest domain:
        set vdc:vdc_timeout=seconds
    Note: If this tunable is set, it overwrites any timeout setting done using the ldm CLI. Also, the tunable sets the timeout for all virtual disks in the guest domain.
    Virtual Disk and SCSI. If a physical SCSI disk or LUN is exported as a full disk, the corresponding virtual disk supports the user SCSI command interface, uscsi(7D), and multihost disk control operations, mhd(7I). Other virtual disks, such as virtual disks having a file or a volume as a backend, do not support these interfaces. As a consequence, applications or product features using SCSI commands (such as SVM metaset or Solaris Cluster shared devices) can be used in guest domains only with virtual disks having a physical SCSI disk as a backend.
    Note: SCSI operations are effectively executed by the service domain, which manages the physical SCSI disk or LUN used as a virtual disk backend. In particular, SCSI reservations are done by the service domain. Therefore, applications running in the service domain and in guest domain
28. package after you install the LDoms and Solaris Security Toolkit packages. It is not automatically installed with the other packages. Refer to the Logical Domains (LDoms) Management Information Base 1.0.1 Administration Guide for more information about installing and using the LDoms MIB.
    Installing the Logical Domains Manager and Solaris Security Toolkit Software Automatically. If you use the install-ldm installation script, you have several choices to specify how you want the script to run. Each choice is described in the procedures that follow.
    - Using the install-ldm script with no options does the following automatically:
      - Checks that the Solaris OS release is Solaris 10 11/06 at a minimum.
      - Verifies that the package subdirectories SUNWldm/ and SUNWjass/ are present.
      - Verifies that the prerequisite Solaris Logical Domains driver packages, SUNWldomr and SUNWldomu, are present.
      - Verifies that the SUNWldm and SUNWjass packages have not been installed. Note: If the script does detect a previous version of SUNWjass during installation, you must remove it. You do not need to undo any previous hardening of your Solaris OS.
      - Installs the Logical Domains Manager 1.1 software (SUNWldm package).
      - Installs the Solaris Security Toolkit 4.2 software, including required patches (SUNWjass package).
      - Verifies that all packages are installed.
      - Enables the Logical
29. respectively.
    5. Edit my-ldm-hardening.driver and remove the pound sign (#) from in front of the following line in the driver:
        enable-bsm.fin
    6. Execute my-ldm.driver:
        # /opt/SUNWjass/bin/jass-execute -d my-ldm.driver
    7. Reboot the Solaris OS for auditing to take effect.
    Use the Solaris OS bsmconv(1M) Command.
    1. Add vs to the flags: line of the /etc/security/audit_control file.
    2. Run the bsmconv(1M) command:
        # /etc/security/bsmconv
    For more information about this command, refer to the Solaris 10 Reference Manual Collection or the man page.
    3. Reboot the Solaris Operating System for auditing to take effect.
    Verify That BSM Auditing Is Enabled.
    1. Type the following command:
        # auditconfig -getcond
    2. Check that "audit condition = auditing" appears in the output.
    Disable Auditing. You can disable auditing in one of two ways, depending on how you enabled it. See Enabling and Using BSM Auditing on page 172.
    1. Do one of the following:
    - Undo the Solaris Security Toolkit hardening run which enabled BSM auditing:
        # /opt/SUNWjass/bin/jass-execute -u
    - Use the Solaris OS bsmunconv(1M) command:
        # /etc/security/bsmunconv
    2. Reboot the Solaris OS for the disabling of auditing to take effect.
    Print Audit Output. Use one of the following to print BSM audit output:
    - For example, use the Solaris OS co
30. true" type="cim:cimUnsignedLong"/>
        <xs:element name="Reservation" nillable="true" type="cim:cimUnsignedLong"/>
        <xs:element name="Limit" nillable="true" type="cim:cimUnsignedLong"/>
        <xs:element name="Weight" nillable="true" type="cim:cimUnsignedInt"/>
        <xs:element name="AutomaticAllocation" nillable="true" type="cim:cimBoolean"/>
        <xs:element name="AutomaticDeallocation" nillable="true" type="cim:cimBoolean"/>
        <xs:element name="Parent" nillable="true" type="cim:cimString"/>
        <xs:element name="Connection" nillable="true" type="cim:cimString"/>
        <xs:element name="Address" nillable="true" type="cim:cimString"/>
        <xs:element name="MappingBehavior" nillable="true">
          <xs:complexType>
    CODE EXAMPLE A-7 The cim-rasd.xsd Schema (Continued)
            <xs:simpleContent>
              <xs:restriction base="xs:anyType">
                <xs:simpleType>
                  <xs:union>
                    <xs:simpleType>
                      <xs:restriction base="xs:unsignedShort">
                        <xs:enumeration value="0"/>
                        <xs:enumeration value="1"/>
                        <xs:enumeration value="2"/>
                        <xs:enumeration value="3"/>
                        <xs:enumeration value="4"/>
                      </xs:restriction>
                    </xs:simpleType>
                    <xs:simpleType>
                      <xs:restriction base="xs:unsignedShort">
                        <xs:minInclusive value="5"/>
                        <xs:maxInclusive value="32768"/>
                      </xs:restriction>
                    </xs:simpleType>
                    <xs:simpleType>
                      <xs:restriction ba
31. Configure a Virtual Switch With an NIU Network Device 127; Enable Hybrid Mode 128; Disable Hybrid Mode 128.
    8. Migrating Logical Domains 129: Introduction to Logical Domain Migration 129; Overview of a Migration Operation 129; Software Compatibility 130; Authentication 131; Migrating an Active Domain 131; CPUs 131; Memory 132; Physical Input/Output 132; Virtual Input/Output 132; NIU Hybrid Input/Output 133; Cryptographic Units 133; Delayed Reconfiguration 133; Operations on Other Domains 133; Migrating Bound or Inactive Domains 134; CPUs 134; Virtual Input/Output 134; Performing a Dry Run 134; Monitoring a Migration in Progress 135; Canceling a Migration in Progress 135; Recovering From a Failed Migration 136; Examples 136.
    9. Other Information and Tasks 139: Using CPU Power Management With LDoms 1.1 Software 139; Showing CPU Power-Managed Strands in LDoms 1.1 Software 140; List CPU Power-Managed Strands 140; List Power-Managed CPUs 141; Entering Names in the CLI 142; File Names (file) and Variable Names (var-name) 142; Virtual Disk Server backend and Virtual Switch Device Names 142; Configuration Name (config-name) 143; All Other Names 143; Listing Logical Domains Resources 143; Machine-Readable Output 143; Show Syntax Usage for ldm Subcommands 143; Flag Definitions 147; Utilization Statistic Definition 148; Examples of Various Lists 148; Show Software Versions (-V) 148; Genera
32. (vsw) is a component running in a service domain and managed by the virtual switch driver. A virtual switch can be connected to some guest domains to enable network communications between those domains. In addition, if the virtual switch is also associated with a physical network interface, then this allows network communications between guest domains and the physical network over the physical network interface. A virtual switch also has a network interface, vswn, where n is a number corresponding to the instance of the virtual switch (for example, vsw0 for the first virtual switch in a service domain). This interface allows the service domain to communicate with the other domains connected to that virtual switch. It can be used like any regular network interface and configured with the ifconfig(1M) command.
    Note: When a virtual switch is added to a service domain, its network interface is not plumbed. So, by default, the service domain is unable to communicate with the guest domains connected to its virtual switch. To enable network communications between guest domains and the service domain, the network interface of the associated virtual switch must be plumbed and configured in the service domain. See Enabling Networking Between the Control/Service Domain and Other Domains on page 50 for instructions.
    Virtual Network Device. A virtual network (vnet) device is a virtual device that is defined in a domain connected to a virtual switc
33. <xs:enumeration value="23"/> <!-- USB Controller -->
                        <xs:enumeration value="24"/> <!-- Graphics controller -->
                        <xs:enumeration value="25"/> <!-- IEEE 1394 Controller -->
                        <xs:enumeration value="26"/> <!-- Partitionable Unit -->
                        <xs:enumeration value="27"/> <!-- Base Partitionable Unit -->
                        <xs:enumeration value="28"/> <!-- Power Supply -->
                        <xs:enumeration value="29"/> <!-- Cooling Device -->
                        <xs:enumeration value="31"/> <!-- PS2 Controller -->
                        <xs:enumeration value="32"/> <!-- SIO Controller -->
                        <xs:enumeration value="33"/> <!-- Keyboard -->
                        <xs:enumeration value="34"/> <!-- Pointing Device -->
                      </xs:restriction>
                    </xs:simpleType>
                    <xs:simpleType>
                      <xs:restriction base="xs:unsignedShort">
                        <xs:minInclusive value="30"/>
                        <xs:maxInclusive value="32769"/>
                      </xs:restriction>
                    </xs:simpleType>
                    <xs:simpleType>
                      <xs:restriction base="xs:unsignedShort">
                        <xs:minInclusive value="32768"/>
                        <xs:maxInclusive value="65535"/>
                      </xs:restriction>
                    </xs:simpleType>
                  </xs:union>
                </xs:simpleType>
                <xs:anyAttribute namespace="##any"/>
              </xs:restriction>
            </xs:simpleContent>
          </xs:complexType>
        </xs:element>
        <xs:element name="OtherResourceType" nillable="true" type="cim:cimString"/>
        <xs:element name=
34. 1. Use the ldm command to find the virtual network device instance for net-c:
        # ldm list -l ldg1
        ...
        NETWORK
            NAME    SERVICE                 DEVICE      MAC
            net-a   primary-vsw0@primary    network@0   00:14:4f:08:91:4
            net-c   primary-vsw0@primary    network@2   00:14:4f:08:dd:68
    The virtual network device instance for net-c is network@2.
    2. To find the corresponding network interface on ldg1, log into ldg1 and find the entry for this instance under /devices:
        # uname -n
        ldg1
        # find /devices/virtual-devices@100 -type c -name network@2\*
        /devices/virtual-devices@100/channel-devices@200/network@2:vnet1
    The network interface name is the part of the entry after the colon, that is, vnet1.
    3. Plumb vnet1 to see that it has the MAC address 00:14:4f:08:dd:68, as shown in the ldm list -l output for net-c in Step 1:
        # ifconfig vnet1
        vnet1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
                inet 0.0.0.0 netmask 0
                ether 0:14:4f:8:dd:68
    Assigning MAC Addresses Automatically or Manually. You must have enough media access control (MAC) addresses to assign to the number of logical domains, virtual switches, and virtual networks you are going to use. You can have the Logical Domains Manager automatically assign MAC addresses to a logical domain, a virtual network (vnet), and a virtual switch (vsw), or you can manually assign MAC addresses from yo
35. Restore the Factory Default Configuration From the System Controller. If you remove the Logical Domains Manager before restoring the factory default configuration, you can restore the factory default configuration from the system controller.
    1. Restore the factory default configuration from the system controller:
        sc> bootmode config="factory-default"
    2. Power cycle the system to load the factory default configuration.
    CHAPTER 4. Setting Up Services and Logical Domains. This chapter describes the procedures necessary to set up default services, your control domain, and guest domains.
    Output Messages. You receive different output messages from the commands you use to create default services and to set up the control (primary) domain, depending on your platform:
    - Sun UltraSPARC T1 processors
    - Sun UltraSPARC T2 and T2 Plus processors
    Sun UltraSPARC T1 Processors. You receive the following notice after the setup commands for the primary domain if you are using a server with a Sun UltraSPARC T1 processor:
        Notice: the LDom Manager is running in configuration mode. Any configuration changes made will only take effect after the machine configuration is downloaded to the system controller and the host is reset.
    Sun UltraSPARC T2 and T2 Pl
36. 4) suncluster3x-secure.driver
        5) sunfire_15k_sc-secure.driver
        Enter a number [1 to 5]: 2
        The driver you selected may not perform all the LDoms-specific operations specified in the LDoms Administration Guide.
        Is this OK? [yes/no] [no]: y
        The changes made by selecting this option can be undone through the Solaris Security Toolkit's undo feature. This can be done with the '/opt/SUNWjass/bin/jass-execute -u' command.
        Installing LDoms and Solaris Security Toolkit packages.
        pkgadd -n -d "/var/tmp/install/Product/Logical_Domain_Manager" -a pkg_admin SUNWldm.v
        Copyright 2006 Sun Microsystems, Inc. All rights reserved.
        Use is subject to license terms.
        Installation of <SUNWldm> was successful.
        pkgadd -n -d "/var/tmp/install/Product/Solaris_Security_Toolkit" -a pkg_admin SUNWjass
        Copyright 2005 Sun Microsystems, Inc. All rights reserved.
        Use is subject to license terms.
        Installation of <SUNWjass> was successful.
        Verifying that all packages are fully installed. OK.
    CODE EXAMPLE 3-2 Output From Choosing Customized Configuration Profile (Continued)
        Enabling services: svc:/ldoms/ldmd:default
        Running Solaris Security Toolkit 4.2.0 driver secure.driver. Please wait. . .
        /opt/SUNWjass/bin/jass-execute -q -d secure.driver
        Executing driver, secure.driver
        Solaris Security Toolkit hardening executed successfully; log file /var/opt/SUNWjass/run/200701
37. Disk 86; File or Volume Exported as a Single Slice Disk 87; Export a ZFS Volume as a Single Slice Disk 87; Exporting Volumes and Backward Compatibility 88; Summary of How Different Types of Backends Are Exported 89; Guidelines 89; Configuring Virtual Disk Multipathing 90; Configure Virtual Disk Multipathing 91; CD, DVD and ISO Images 92; Export a CD or DVD From the Service Domain to the Guest Domain 93; Virtual Disk Timeout 95; Virtual Disk and SCSI 96; Virtual Disk and the format(1M) Command 96; Using ZFS With Virtual Disks 97; Configuring a ZFS Pool in a Service Domain 97; Storing Disk Images With ZFS 97; Examples of Storing Disk Images With ZFS 98; Create a Disk Image Using a ZFS Volume 98; Create a Disk Image Using a ZFS File 98; Export the ZFS Volume 98; Export the ZFS File 99; Assign the ZFS Volume or File to a Guest Domain 99; Creating a Snapshot of a Disk Image 99; Create a Snapshot of a Disk Image 99; Using Clone to Provision a New Domain 100; Cloning a Boot Disk Image 100; Using Volume Managers in a Logical Domains Environment 101; Using Virtual Disks on Top of Volume Managers 101; Using Virtual Disks on Top of SVM 103; Using Virtual Disks When VxVM Is Installed 103; Using Volume Managers on Top of Virtual Disks 104; Using ZFS on Top of Virtual Disks 104; Using SVM on Top of Virtual Disks 104; Using VxVM on Top of Virtual Disks 105.
    7. Using a Virtual Network With Logical Domains 107: Introduction to a Vi
38. Console (console) Resource.
    CODE EXAMPLE 10-21 Example console XML
        <Envelope>
          <References/>
          <Content xsi:type="ovf:VirtualSystem_Type" id="ldg1">
            <Section xsi:type="ovf:VirtualHardwareSection_Type">
              <Item>
                <rasd:OtherResourceType>console</rasd:OtherResourceType>
                <gprop:GenericProperty key="port">6000</gprop:GenericProperty>
                <gprop:GenericProperty key="service_name">vcc2</gprop:GenericProperty>
                <gprop:GenericProperty key="group">group-name</gprop:GenericProperty>
              </Item>
            </Section>
          </Content>
        </Envelope>
    A console resource is always contained within a <Content> section. It can have <gprop:GenericProperty> tags with the following keys:
    - port: Port to which to change this virtual console (console).
    - service_name: Virtual console concentrator (vcc) service to which to bind this console.
    - group: Name of the group to which to bind this console.
    Domain Migration. This example shows what is contained in the <data> section for a migrate-domain subcommand.
    CODE EXAMPLE 10-22 Example migrate-domain <data> Section
        <Envelope>
          <References/>
          <Content xsi:type="ovf:VirtualSystem_Type" ovf:id="ldg1">
          <Content xsi:type="ovf:VirtualSystem_Type" ovf:id="ldg1">
            <Section xsi:type="ovf:ResourceAllocationSection_Type"
39. Export a CD or DVD From the Service Domain to the Guest Domain.
    1. Insert the CD or DVD in the CD or DVD drive.
    2. From the service domain, check whether the volume management daemon, vold(1M), is running and online:
        service# svcs volfs
        STATE    STIME     FMRI
        online   12:28:12  svc:/system/filesystem/volfs:default
    3. Do one of the following:
    - If the volume management daemon is not running or online, go to Step 5.
    - If the volume management daemon is running and online, as in the example in Step 2, do the following:
      a. Edit the /etc/vold.conf file and comment out the line starting with the following words: use cdrom drive. Refer to the vold.conf(1M) man page for more information.
      b. From the service domain, restart the volume management file system service:
        service# svcadm refresh volfs
        service# svcadm restart volfs
    4. From the service domain, find the disk path for the CD-ROM device:
        service# cdrw -l
        Looking for CD devices...
            Node                   Connected Device                  Device type
            -----------------------+----------------------------------+-----------------
            /dev/rdsk/c1t0d0s2   | MATSHITA CD-RW  CW-8124  DZ13    | CD Reader/Writer
    5. From the service domain, export the CD or DVD disk device as a full disk:
        service# ldm add-vdsdev /dev/dsk/c1t0d0s2 cdrom@primary-vds0
    6. From the service domain, assign the exported CD or DVD to the guest domain (ldg1 in this example):
        service# ldm add-vd
40. For the Korn shell:
        $ MANPATH=$MANPATH:/opt/SUNWldm/man; export MANPATH
    For the C shell:
        % set PATH=$PATH:/opt/SUNWldm/bin
        % set MANPATH=$MANPATH:/opt/SUNWldm/man
    Virtual Input/Output. In a Logical Domains environment, an administrator can provision up to 32 domains on a Sun Fire or SPARC Enterprise T1000 or T2000 server. Though each domain can be assigned dedicated CPUs and memory, the limited number of I/O buses and physical I/O slots in these systems makes it impossible to provide all domains exclusive access to the disk and network devices. Though some physical devices can be shared by splitting the PCI Express (PCIe) bus into two (see Configuring PCI Express Busses Across Multiple Logical Domains on page 71), it is not sufficient to provide all domains exclusive device access. This lack of direct physical I/O device access is addressed by implementing a virtualized I/O model. All logical domains with no direct I/O access are configured with virtual I/O devices that communicate with a service domain, which runs a service to provide access to a physical device or its functions. In this client-server model, virtual I/O devices either communicate with each other or with a service counterpart through interdomain communication channels called logical domain channels (LDCs). In Logical Domains 1.1 software, the virtualized I/O functionality comprises support for virtual networking, storage, and consoles.
    Virtual Network. The virtual
41. Logical Domains Manager on a system is shut down for any reason, duplicate MAC addresses could occur while the Logical Domains Manager is down. Automatic MAC allocation occurs at the time the logical domain or network device is created and persists until the device or the logical domain is removed.
    Freed MAC Addresses. When a logical domain or a device associated with an automatic MAC address is removed, that MAC address is saved in a database of recently freed MAC addresses for possible later use on that system. These MAC addresses are saved to prevent the exhaustion of Internet Protocol (IP) addresses from a Dynamic Host Configuration Protocol (DHCP) server. When DHCP servers allocate IP addresses, they do so for a period of time (the lease time). The lease duration is often configured to be quite long, generally hours or days. If network devices are created and removed at a high rate without the Logical Domains Manager reusing automatically allocated MAC addresses, the number of MAC addresses allocated could soon overwhelm a typically configured DHCP server. When a Logical Domains Manager is requested to automatically obtain a MAC address for a logical domain or network device, it first looks to the freed MAC address database to see if there is a previously assigned MAC address it can reuse. If there is a MAC address available from this database, the duplicate MAC address detection algorithm is run. If the MAC address had not been assigned to som
42. NAME     STATE   FLAGS   CONS  VCPU  MEMORY  UTIL  UPTIME
        primary  active  -n-c-   SP    32    3264M   0.3%  19d 9m
    Installing Logical Domains Software on a New System. Sun platforms supporting Logical Domains software come preinstalled with the Solaris 10 OS. Initially, the Logical Domains software is not enabled, and the platform appears as a single system hosting only one operating system. After the Solaris OS, system firmware, and Logical Domains Manager have been installed, the original system and instance of the Solaris OS become the control domain. That first domain of the platform is named primary, and you cannot change that name or destroy that domain. From there, the platform can be reconfigured to have multiple domains hosting different instances of the Solaris OS.
    Updating the Solaris OS. On a brand new system, you may want to reinstall the OS so that it conforms to your installation policy. In that case, refer to Required and Recommended Solaris OS in the Logical Domains (LDoms) 1.1 Release Notes to find the Solaris 10 OS that you should use for this version of the Logical Domains software. Refer to your Solaris 10 OS installation guide for complete instructions for installing the Solaris OS. You can tailor your installation to the needs of your system. If your system is already installed, then it needs to be upgraded to the appropriate Solaris 10 OS that should be used for this version of the Logical Domains
43. OS bsmconv(1M) command. For further details about enabling, verifying, disabling, printing output, and rotating logs using BSM auditing with the Logical Domains Manager, see Enabling and Using BSM Auditing on page 172.
    Compliance. Solaris Security Toolkit does have its own auditing capabilities. The Solaris Security Toolkit software can automatically validate the security posture of any system running the Solaris OS by comparing it with a predefined security profile. Refer to Auditing System Security in the Solaris Security Toolkit 4.2 Administration Guide for more information about this compliance function.
    CHAPTER 3. Installing and Enabling Software. This chapter describes how to install or upgrade the different software components required to enable the Logical Domains 1.1 software. Using the Logical Domains software requires the following components:
    - Supported platform; refer to Supported Platforms in the Logical Domains (LDoms) 1.1 Release Notes for a list of supported platforms.
    - Control domain running an operating system at least equivalent to the Solaris 10 10/08 OS with any patches recommended in Required Software and Patches in the Logical Domains (LDoms) 1.1 Release Notes. See Upgrading the Solaris OS on page 16.
    - System firmware version 6.7.x for your Sun UltraSPARC T1 platform, or system firmware version 7.2.x for your Sun UltraSPARC T2 o
44. Reboot the primary domain so that the change takes effect:
        primary# shutdown -i6 -g0 -y
    8. Add the leaf (pci@780 in this example) to the domain (ldg1 in this example) that needs direct access:
        primary# ldm add-io pci@780 ldg1
        Notice: the LDom Manager is running in configuration mode. Any configuration changes made will only take effect after the machine configuration is downloaded to the system controller and the host is reset.
    If you have an Infiniband card, you might need to enable the bypass mode on the pci@780 bus. See Enabling the I/O MMU Bypass Mode on a PCI Bus on page 75 for information on whether you need to enable the bypass mode.
    9. Reboot domain ldg1 so that the change takes effect. All domains must be inactive for this reboot. If you are configuring this domain for the first time, the domain will be inactive.
        ldg1# shutdown -i6 -g0 -y
    10. Confirm that the correct leaf is still assigned to the primary domain and the correct leaf is assigned to domain ldg1:
        primary# ldm list-bindings primary
        NAME     STATE   FLAGS   CONS  VCPU  MEMORY  UTIL  UPTIME
        primary  active  -n-cv   SP    4     4G      0.4%  18h 25m
        ...
        IO
            DEVICE    PSEUDONYM  OPTIONS
            pci@7c0   bus_b
        ...
        NAME     STATE   FLAGS   CONS  VCPU  MEMORY  UTIL  UPTIME
        ldg1     active  -n---   5000  4     2G      10%   35m
        ...
        IO
            DEVICE    PSEUDONYM  OPTIONS
            pci@780   bus_a
    This output co
45. Solaris 10 OS Reference Manual collection or the vntsd(1M) man page for information about how to use this daemon.
    Enable the Virtual Network Terminal Server Daemon.
    Note: Be sure you have created the default service vconscon on the control domain before you enable vntsd. See Creating Default Services on page 46 for more information.
    1. Use the svcadm(1M) command to enable the virtual network terminal server daemon, vntsd(1M):
        # svcadm enable vntsd
    2. Use the svcs(1) command to verify that the vntsd is enabled:
        # svcs -l vntsd
        fmri          svc:/ldoms/vntsd:default
        enabled       true
        state         online
        next_state    none
        state_time    Sat Jan 27 03:14:17 2007
        logfile       /var/svc/log/ldoms-vntsd:default.log
        restarter     svc:/system/svc/restarter:default
        contract_id   93
        dependency    optional_all/error svc:/milestone/network (online)
        dependency    optional_all/none svc:/system/system-log (online)
    Creating and Starting a Guest Domain. The guest domain must run an operating system that understands both the sun4v platform and the virtual devices presented by the hypervisor. Currently, this is the Solaris 10 11/06 OS at a minimum. Refer to the Logical Domains (LDoms) 1.1 Release Notes for any specific patches that might be necessary. Once you have created default services and reallocated resources from the control domain, you can create and start a guest domain.
    Cr
46. This section is equivalent to the following CLI command:
        # ldm set-vcpu 4 primary
    Memory (memory) Section. This section describes the amount of memory allocated to the primary domain.
    CODE EXAMPLE 4-5 Memory (memory) Section
        <Section xsi:type="ovf:VirtualHardwareSection_Type">
          <Item>
            <rasd:OtherResourceType>memory</rasd:OtherResourceType>
            <rasd:AllocationUnits>4G</rasd:AllocationUnits>
          </Item>
        </Section>
    This section is equivalent to the following CLI command:
        # ldm set-memory 4G primary
    Physical Input/Output (physio_device) Section. This section describes the physical I/O buses that you want to remain in the primary domain.
    CODE EXAMPLE 4-6 Physical I/O (physio_device) Section
        <Section xsi:type="ovf:VirtualHardwareSection_Type">
          <Item>
            <rasd:OtherResourceType>physio_device</rasd:OtherResourceType>
            <gprop:GenericProperty key="name">pci@7c0</gprop:GenericProperty>
          </Item>
        </Section>
    To set your primary domain with the same I/O devices as previously configured, you first need to list the I/O devices that are configured on startup:
        # ldm list -l primary
        ...
        IO
            DEVICE    PSEUDONYM  OPTIONS
            pci@7c0   bus_b
            pci@780   bus_a
    In CODE EXAMPLE 4-6, the bus previously configured to remain in the primary domain was
47. VirtualSystemCollection, this section is used to specify the order in which the contained entities are to be powered on. -->
        <xs:complexType name="StartupSection_Type">
          <xs:complexContent>
            <xs:extension base="ovf:Section_Type">
              <xs:sequence>
                <xs:element name="item" minOccurs="0" maxOccurs="unbounded">
    CODE EXAMPLE A-5 The ovf-core.xsd Schema (Continued)
                  <xs:complexType>
                    <!-- Id of entity in collection -->
                    <xs:attribute name="id" type="xs:string"/>
                    <!-- Startup order. Entities are started up starting with lower numbers first. Items with same order identifier may be started up concurrently or in any order. The order is reversed for shutdown. -->
                    <xs:attribute name="order" type="xs:int"/>
                    <!-- Delay in seconds to wait for the power on to complete -->
                    <xs:attribute name="startDelay" type="xs:int"/>
                    <!-- Whether to resume power on sequence, once the guest reports Ok -->
                    <xs:attribute name="waitingForGuest" type="xs:boolean"/>
                    <!-- Delay in seconds to wait for the power on to complete -->
                    <xs:attribute name="stopDelay" type="xs:int"/>
                    <!-- Stop action to use. Valid values are: powerOn (default), none -->
                    <xs:attribute name="StartAction" type="xs:string"/>
                    <!-- Stop action to use. Valid values are: powerOff (default), guestShutdown, suspend -->
48. a good guess is known -->
          <xs:attribute name="estSize" type="xs:integer" use="optional"/>
          <!-- Compression type (gzip or bzip2) -->
          <xs:attribute name="compression" type="xs:string" use="optional"/>
          <!-- Chunk size (except of last chunk) -->
          <xs:attribute name="chunkSize" type="xs:long" use="optional"/>
          <xs:anyAttribute namespace="##any"/>
        </xs:complexType>
        <!-- Base class for an entity -->
        <xs:complexType name="Entity_Type" abstract="true">
          <xs:sequence>
            <xs:element name="Info" type="ovf:Info_Type" minOccurs="0" maxOccurs="unbounded"/>
            <xs:element name="Section" type="ovf:Section_Type" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="id" type="xs:string" use="required"/>
        </xs:complexType>
        <!-- A Virtual Machine Entity -->
        <xs:complexType name="VirtualSystem_Type">
          <xs:complexContent>
    CODE EXAMPLE A-3 The ovf-envelope.xsd Schema (Continued)
            <xs:extension base="ovf:Entity_Type">
            </xs:extension>
          </xs:complexContent>
        </xs:complexType>
        <!-- A Composite Service -->
        <xs:complexType name="VirtualSystemCollection_Type">
          <xs:complexContent>
            <xs:extension base="ovf:Entity_Type">
              <xs:sequence>
                <xs:element name="Content" type="ovf:Entity_Type" minOccurs="0" maxOccurs="unbounded"/>
                <xs:any namespace="##tar
49. ... and remove-vcpu subcommands are considered delayed reconfiguration operations if you have Solaris 10 5/08 OS or earlier running in the domain. If you have Solaris 10 10/08 OS running in the domain, the addition and removal of virtual input/output devices do not result in a delayed reconfiguration. The set-vswitch subcommand on an active logical domain is considered a delayed reconfiguration operation, no matter what Solaris OS is running in the domain.

If you are using a Sun UltraSPARC T1 processor, when the Logical Domains Manager is first installed and enabled (or when the configuration is restored to factory default), the LDoms Manager runs in the configuration mode. In this mode, reconfiguration requests are accepted and queued up, but are not acted upon. This allows a new configuration to be generated and stored to the SC without affecting the state of the running machine, and therefore without being encumbered by any of the restrictions around things like delayed reconfiguration and reboot of I/O domains.

Once a delayed reconfiguration is in progress for a particular logical domain, any other reconfiguration requests for that logical domain are also deferred until the domain is rebooted or stopped and started. Also, when there is a delayed reconfiguration outstanding for one logical domain, reconfiguration requests for other logical domains are severely restricted and will fail.
50. ... and synchronizing concurrent write access to ensure data coherency. The following example describes how to add the same virtual disk to two different guest domains through the same virtual disk service.

1. Export the virtual disk backend two times from a service domain by using the following commands:
   ldm add-vdsdev [options={ro,slice}] backend volume1@service_name
   ldm add-vdsdev [options={ro,slice}] backend volume2@service_name
   The add-vdsdev subcommand displays the following warning to indicate that the backend is being exported more than once:
   Warning: "backend" is already in use by one or more servers in guest "ldom"
2. Assign the exported backend to each guest domain by using the following commands. The disk_name can be different for ldom1 and ldom2.
   ldm add-vdisk [timeout=seconds] disk_name volume1@service_name ldom1
   ldm add-vdisk [timeout=seconds] disk_name volume2@service_name ldom2

Change Virtual Disk Options

After a backend is exported from the service domain, you can change the virtual disk options by using the following command:
ldm set-vdsdev options=[{ro,slice,excl}] volume_name@service_name

Chapter 6 Using Virtual Disks With Logical Domains 79

Change the Timeout Option

After a virtual disk is assigned to a guest domain, you can change the timeout of the virtual disk by using the following command:
ldm set-vdisk timeout=seconds disk_name ldom
51. ... and trigger a failover following a service domain crash or shutdown.

FIGURE 7-4 Each Virtual Network Device Connected to Different Service Domains

Refer to the Solaris 10 System Administration Guide: IP Services for more information about how to configure and use IPMP groups.

Configure a Host Route

If no explicit route is configured for a router in the network corresponding to the IPMP interfaces, then one or more explicit host routes to target systems need to be configured for the IPMP probe-based detection to work as expected. Otherwise, probe detection can fail to detect the network failures.

Configure a host route:
# route add -host destination_IP gateway_IP -static
For example:
# route add -host 192.168.102.1 192.168.102.1 -static

Refer to the Solaris 10 System Administration Guide: IP Services, IPMP, Chapter 31, Administering IPMP (Tasks), "Configuring Target Systems" for more information.

Configuring and Using IPMP in the Service Domain

Network failure detection and recovery can also be set up in a Logical Domains environment by configuring the physical interfaces in the service domain into an IPMP group. To do this, configure the virtual switch in the service domain as a network device, and configure the service domain itself to act as an IP router. Refer to the Solaris 10 System Administ
52. ... as resynchronizing, but the resynchronization does not progress. For example, /dev/md/dsk/d0 is a RAID SVM volume exported as a virtual disk with the excl option to another domain, and d0 is configured with some hot-spare devices. If a component of d0 fails, SVM replaces the failing component with a hot spare and resynchronizes the SVM volume. However, the resynchronization does not start. The volume is reported as resynchronizing, but the resynchronization does not progress.

# metastat d0
d0: RAID
    State: Resyncing
    Hot spare pool: hsp000
    Interlace: 32 blocks
    Size: 20097600 blocks (9.6 GB)
Original device:
    Size: 20100992 blocks (9.6 GB)
    Device                                             Start Block  Dbase  State      Reloc
    c2t2d0s1                                           330          No     Okay       Yes
    c4t12d0s1                                          330          No     Okay       Yes
    /dev/dsk/c10t600COFF0000000000015153295A4B100d0s1  330          No     Resyncing  Yes

In such a situation, the domain using the SVM volume as a virtual disk has to be stopped and unbound to complete the resynchronization. Then the SVM volume can be resynchronized using the metasync command.

# metasync d0

Using Virtual Disks When VxVM Is Installed

When the Veritas Volume Manager (VxVM) is installed on your system, and if Veritas Dynamic Multipathing (DMP) is enabled on a physical disk or partition you want to export as virtual disk, then you have to export that disk or partition without setting the (non-default) excl option. Otherwise, you receive an error in /var/adm/messages while binding a domain that uses such a di
53. ... based platforms. This feature is enabled by an optional hybrid mode that provides for a virtual network (vnet) device where the DMA hardware resources are loaned to a vnet device in a guest domain for improved performance. In the hybrid mode, a vnet device in a guest domain can send and receive unicast traffic from an external network directly into the guest domain using the DMA hardware resources. The broadcast traffic and unicast traffic to the other guest domains in the same system continue to be sent using the virtual I/O communication mechanism.

Chapter 7 Using a Virtual Network With Logical Domains 125

FIGURE 7-6 Hybrid Virtual Networking (figure labels: NIU card, Hypervisor, All packets, Broadcast and multicast, Unicast packets, DMA)

The hybrid mode applies only for the vnet devices that are associated with a virtual switch (vsw) configured to use an NIU network device. As the shareable DMA hardware resources are limited, up to only three vnet devices per vsw can have DMA hardware resources assigned at a given time. If more than three vnet devices have the hybrid mode enabled, the assignment is done on a first-come, first-served basis. As there are two NIU network devices in a system, there can be a total of six vnet devices on two different virtual switches with DMA hardware resources assigned. Following are points you need to be aware of when using this feature:
■ Hybrid mode option for a vnet device is treated as a suggestion only. T
54. ... and, without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the United States and in other countries. Portions of this product may be derived from Berkeley BSD systems, licensed by the University of California. UNIX is a registered trademark in the United States and in other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, Java, Solaris, JumpStart, OpenBoot, Sun Fire, Netra, SunSolve, Sun BluePrints, Sun Blade, Sun Ultra, and SunVTS are trademarks or registered trademarks of Sun Microsystems, Inc., or its subsidiaries, in the United States and in other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and in other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. The Adobe PostScript logo is a registered trademark of Adobe Systems, Incorporated. The products covered by this service manual and the information it contains are governed by U.S. export control legislation and may be subject to the export and import laws of other countries. End uses
55. ... cpu</rasd:OtherResourceType>
        <rasd:AllocationUnits>4</rasd:AllocationUnits>
      </Item>
    </Section>
  </Content>
</Envelope>

A cpu resource is always contained within a <Content> section. The only property is the <rasd:AllocationUnits> tag, which specifies the number of virtual CPUs.

MAU (mau) Resource

Note: The mau resource is any LDoms-supported cryptographic unit on an LDoms-supported server. Currently, the two cryptographic units supported are the Modular Arithmetic Unit (MAU) and the Control Word Queue (CWQ).

CODE EXAMPLE 10-8 Example mau XML
<Envelope>
  <References/>
  <Content xsi:type="ovf:VirtualSystem_Type" id="ldg1">
    <Section xsi:type="ovf:VirtualHardwareSection_Type">
      <Item>
        <rasd:OtherResourceType>mau</rasd:OtherResourceType>
        <rasd:AllocationUnits>1</rasd:AllocationUnits>
      </Item>
    </Section>
  </Content>
</Envelope>

A mau resource is always contained within a <Content> section. The only property is the <rasd:AllocationUnits> tag, which signifies the number of MAUs or other cryptographic units.

Chapter 10 Using the XML Interface With the Logical Domains Manager 189

Memory (memory) Resource

CODE EXAMPLE 10-9 Example memory XML
<Envelope>
  <References/>
  <Content xsi:type="ovf:VirtualSystem_Type" id="ldg1">
    <Section xsi:type="ovf:VirtualHardwareSection_Type">
56. ... create input for the Logical Domains Manager actions. The exception to this is domain migration output. See "Domain Migration" on page 201. Each resource is defined in a <Section> OVF section and is specified by a <rasd:OtherResourceType> tag.

Logical Domain Information (ldom_info) Resource

CODE EXAMPLE 10-6 Example ldom_info XML Output
<Envelope>
  <References/>
  <Content xsi:type="ovf:VirtualSystem_Type" id="primary">
    <Section xsi:type="ovf:ResourceAllocationSection_type">
      <Item>
        <rasd:OtherResourceType>ldom_info</rasd:OtherResourceType>
        <rasd:Address>00:03:ba:d8:ba:f6</rasd:Address>
        <gprop:GenericProperty key="hostid">83d8baf6</gprop:GenericProperty>
      </Item>
    </Section>
  </Content>
</Envelope>

The ldom_info resource is always contained within a <Content> section. The two properties within the ldom_info resource are optional properties:
■ <rasd:Address> tag, which specifies the MAC address to be assigned to a domain
■ <gprop:GenericProperty key="hostid"> tag, which specifies the host ID to be assigned to the domain

CPU (cpu) Resource

CODE EXAMPLE 10-7 Example cpu XML
<Envelope>
  <References/>
  <Content xsi:type="ovf:VirtualSystem_Type" id="ldg1">
    <Section xsi:type="ovf:VirtualHardwareSection_Type">
      <Item>
        <rasd:OtherResourceType>
57. ... domain can be configured for fault tolerance by configuring its virtual network devices to an IPMP group. When setting up an IPMP group with virtual network devices in an active-standby configuration, set up the group to use probe-based detection. Link-based detection and failover currently are not supported for virtual network devices in Logical Domains 1.1 software.

The following diagram shows two virtual networks (vnet1 and vnet2) connected to separate virtual switch instances (vsw0 and vsw1) in the service domain, which, in turn, use two different physical interfaces (e1000g0 and e1000g1). In the event of a physical interface failure, the IP layer in LDom_A detects failure and loss of connectivity on the corresponding vnet through probe-based detection, and automatically fails over to the secondary vnet device.

FIGURE 7-3 Two Virtual Networks Connected to Separate Virtual Switch Instances (figure labels: vnet0, vnet1, e1000g1)

Further reliability can be achieved in the logical domain by connecting each virtual network device (vnet0 and vnet1) to virtual switch instances in different service domains, as shown in the following diagram. Two service domains (Service_1 and Service_2) with virtual switch instances (vsw1 and vsw2) can be set up using a split PCI configuration. In this case, in addition to network hardware failure, LDom_A can detect virtual network failure
58. ...>
      <Item>
        <rasd:OtherResourceType>ldom_info</rasd:OtherResourceType>
        <gprop:GenericProperty key="target">target_host</gprop:GenericProperty>
        <gprop:GenericProperty key="username">user_name</gprop:GenericProperty>
        <gprop:GenericProperty key="password">password</gprop:GenericProperty>
      </Item>
    </Section>
  </Content>
</Envelope>

Where:
■ First <Content> node (without an ldom_info section) is the source domain to migrate.
■ Second <Content> node (with an ldom_info section) is the target domain to which to migrate. The source and target domain names can be the same.
■ The ldom_info section for the target domain describes the machine to which to migrate and the details needed to migrate to that machine:
■ target_host is the target machine to which to migrate.
■ user_name is the login user name for the target machine. Must be SASL 64-bit encoded.
■ password is the password to use for logging into the target machine. Must be SASL 64-bit encoded.

Note: The Logical Domains Manager uses sasl_decode64() to decode the target user name and password, and uses sasl_encode64() to encode these values. SASL 64 encoding is equivalent to base64 encoding.

APPENDIX A XML Schemas

This appendix provides va
59. ... in a Service Domain

To store the disk images, first create a ZFS storage pool in the service domain. For example, this command creates the ZFS storage pool ldmpool containing the disk c1t50d0 in the primary domain:

primary# zpool create ldmpool c1t50d0

Storing Disk Images With ZFS

This example is going to create a disk image for guest domain ldg1. To do so, a ZFS file system for this guest domain is created, and all disk images of this guest domain will be stored on that file system.

primary# zfs create ldmpool/ldg1

Disk images can be stored on ZFS volumes or ZFS files. Creating a ZFS volume, whatever its size, is quick using the zfs create -V command. On the other hand, ZFS files have to be created using the mkfile command. The command can take some time to complete, especially if the file to create is quite large, which is often the case when creating a disk image. Both ZFS volumes and ZFS files can take advantage of ZFS features such as snapshot and clone, but a ZFS volume is a pseudo device while a ZFS file is a regular file.

If the disk image is to be used as a virtual disk onto which the Solaris OS is to be installed, then it should be large enough to contain:
■ Installed software, about 6 gigabytes
■ Swap partition, about 1 gigabyte
■ Extra space to store system data, at least 1 gigabyte

Therefore, the size of a disk image to install the entire Solaris OS should be at
60. ... is the unique name assigned to the virtual network device you want to set.
■ ldom specifies the logical domain from which to remove the virtual network device.
■ Otherwise, the command arguments are the same as described in "Add a Virtual Network Device" on page 111.

Remove a Virtual Network Device

Use the following command syntax to remove a virtual network device:

ldm rm-vnet [-f] if_name ldom

Where:
■ -f attempts to force the removal of a virtual network device from a logical domain. The removal might fail.
■ if_name (interface name) is the unique name assigned to the virtual network device you want to remove.
■ ldom specifies the logical domain from which to remove the virtual network device.

Determining the Solaris Network Interface Name Corresponding to a Virtual Network Device

There is no way to determine the Solaris OS network interface name on a guest, corresponding to a given virtual device, directly from the output provided by the ldm list commands. However, you can do this by using a combination of the output from the ldm list -l command and the entries under /devices on the Solaris OS guest.

Find Solaris OS Network Interface Name

In this example, guest domain ldg1 contains two virtual network devices, net-a and net-c. To find the Solaris OS network interface name in ldg1 that corresponds to net-c, do the following.
61. ... </Section>
  <Section xsi:type="ovf:VirtualHardwareSection_Type">
    <Item>
      <rasd:OtherResourceType>vsw</rasd:OtherResourceType>
      <rasd:Address>auto-allocated</rasd:Address>
      <gprop:GenericProperty key="service_name">primary-vsw0</gprop:GenericProperty>
      <gprop:GenericProperty key="dev_path">e1000g0</gprop:GenericProperty>
      <gprop:GenericProperty key="default_vlan_id">1</gprop:GenericProperty>
      <gprop:GenericProperty key="pvid">1</gprop:GenericProperty>
    </Item>
  </Section>
  <Section xsi:type="ovf:VirtualHardwareSection_Type">
    <Item>
      <rasd:OtherResourceType>vcc</rasd:OtherResourceType>
      <gprop:GenericProperty key="service_name">primary-vcc0</gprop:GenericProperty>
      <gprop:GenericProperty key="min_port">5000</gprop:GenericProperty>
      <gprop:GenericProperty key="max_port">6000</gprop:GenericProperty>
    </Item>
  </Section>
  <Section xsi:type="ovf:VirtualHardwareSection_Type">
    <Item>
      <rasd:OtherResourceType>vds</rasd:OtherResourceType>
      <gprop:GenericProperty key="service_name">primary-vds0</gprop:GenericProperty>
    </Item>
  </Section>
  <Section xsi:type="ovf:VirtualHardwareSection_Type">
    <Item>
      <rasd:OtherResourceType>vds_volume</rasd:OtherResourceType>
      <gprop:GenericProperty key="vol_name">primary-vds0-vol0</gprop:GenericProperty>
62. <xs:element name="action" type="xs:string" minOccurs="0"/>
<!-- START data -->
<xs:element name="data" minOccurs="0" maxOccurs="unbounded">
  <xs:complexType>
    <xs:choice minOccurs="1" maxOccurs="unbounded">
      <!-- OVF Envelope Version 0.9 -->
      <xs:element name="Envelope" type="ovf:Envelope_Type"/>
      <!-- DATA response -->
      <xs:element name="response" type="responseType" minOccurs="0" maxOccurs="1"/>
    </xs:choice>
    <xs:attribute name="version" type="xs:string" use="required"/>
  </xs:complexType>
</xs:element>
<!-- END data -->
<!-- CMD response -->
<xs:element name="response" type="responseType" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<!-- END cmd -->
CODE EXAMPLE A-1 LDM_interface XML Schema (Continued)
<!-- DOCUMENT response -->
<xs:element name="response" type="responseType" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
<xs:attribute name="version" type="xs:string" use="required"/>
</xs:complexType>
</xs:element>
<!-- LDM interface document -->
</xs:schema>

LDM Event XML Schema

CODE EXAMPLE A-2 LDM Event XML Schema
<?xml version="1.0"?>
<xs:schema xmlns:ovf="/var/opt/SUNWldom/envelope" xmlns:x
63. ... namespace="##any" processContents="lax"/>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
<xs:complexType name="cimShort">
  <xs:simpleContent>
    <xs:extension base="xs:short">
      <xs:anyAttribute namespace="##any" processContents="lax"/>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
<xs:complexType name="cimUnsignedInt">
  <xs:simpleContent>
    <xs:extension base="xs:unsignedInt">
      <xs:anyAttribute namespace="##any" processContents="lax"/>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
<xs:complexType name="cimInt">
  <xs:simpleContent>
    <xs:extension base="xs:int">
      <xs:anyAttribute namespace="##any" processContents="lax"/>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
<xs:complexType name="cimUnsignedLong">
  <xs:simpleContent>
    <xs:extension base="xs:unsignedLong">
      <xs:anyAttribute namespace="##any" processContents="lax"/>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
<xs:complexType name="cimLong">
  <xs:simpleContent>
    <xs:extension base="xs:long">
      <xs:anyAttribute namespace="##any" processContents="lax"/>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
<xs:complexType name="cimString">
  <xs:simpleContent>
64. ... responds with an <LDM_interface> response message stating whether the registration or unregistration was successful.

CODE EXAMPLE 10-4 Example Event Registration Response Message
<LDM_interface version="1.0">
  <cmd>
    <action>reg-domain-events</action>
    <data version="3.0">
      <response>
        <status>success</status>
      </response>
    </data>
    <response>
      <status>success</status>
    </response>
  </cmd>
  <response>
    <status>success</status>
  </response>
</LDM_interface>

The action string for each type of event is listed in the events subsection.

The <LDM_event> Messages

Event messages have the same format as an incoming <LDM_interface> message, with the exception that the start tag for the message is <LDM_event>. The action tag of the message is the action that was performed to trigger the event. The data section of the message describes the object associated with the event; the details depend on the type of event that occurred.

CODE EXAMPLE 10-5 Example <LDM_event> Notification
<LDM_event version="1.0">
  <cmd>
    <action>Event command here</action>
    <data version="3.0">
      <Envelope>
        <References/>
        <Content xsi:type="ovf:VirtualSystem_Type" ovf:id="ldg1">
          <Section xsi:type="ovf:ResourceAllocationSection_type">
65. ... role, a password is required if the role is given a password. This provides two layers of security. If a user has not been assigned a role, then the user cannot assume the role by doing the su role_name command, even if the user has the correct password.

Create a Role and Assign the Role to a User

1. Create a role.
   # roleadd -A solaris.ldoms.read ldm_read
2. Assign a password to the role.
   # passwd ldm_read
3. Assign the role to a user, for example, user_1.
   # useradd -R ldm_read user_1

Chapter 3 Installing and Enabling Software 39

4. Assign a password to the user user_1.
   # passwd user_1
5. Assign access only to the user_1 account to become the ldm_read account.
   # su user_1
6. Type the user password when or if prompted.
7. Verify the user ID and access to the ldm_read role.
   $ id
   uid=nn(user_1) gid=nn(<group name>)
   $ roles
   ldm_read
8. Provide access to the user for ldm subcommands that have read authorization.
   $ su ldm_read
9. Type the user password when or if prompted.
10. Type the id command to show the user.
   $ id
   uid=nn(ldm_read) gid=nn(<group name>)

Factory Default Configuration and Disabling Logical Domains

The initial configuration where the platform appears as a single system hosting only one operating system is called the factory default configuration. If you want to disable logical domains, you probably also want to restore t
66. ... section can be here instead of <Content> -->
    <Content xsi:type="ovf:VirtualSystem_Type" id="Domain name">
      <Section xsi:type="ovf:ResourceAllocationSection_type">
        <Item>
          <rasd:OtherResourceType>LDom Resource Type</rasd:OtherResourceType>
          <gprop:GenericProperty key="Property name">Property Value</gprop:GenericProperty>
        </Item>
      </Section>
      <!-- Note: More <Section> sections can be placed here -->
    </Content>
  </Envelope>
  <response>
    <status>success or failure</status>
    <resp_msg>Reason for failure</resp_msg>
  </response>
</data>
<!-- Note: More Data sections can be placed here -->
<response>
  <status>success or failure</status>
  <resp_msg>Reason for failure</resp_msg>
</response>
</cmd>
<!-- Note: More Command sections can be placed here -->
<response>
  <status>success or failure</status>
CODE EXAMPLE 10-2 Format of a Response to a Single Command Operating on a Single Object (Continued)
  <resp_msg>Reason for failure</resp_msg>
</response>
</LDM_interface>

Overall Response

This <response> section, which is the direct child of the <LDM_interface> section, indicates overall success or failure of the entire request. Unless the i
67. ... services: svc:/ldoms/ldmd:default
Running Solaris Security Toolkit 4.2.0 driver server-secure-myname.driver.
CODE EXAMPLE 3-3 Output From Successful Run of the install-ldm -d Script (Continued)
Please wait. . .
/opt/SUNWjass/bin/jass-execute -q -d server-secure-myname.driver
Executing driver, server-secure-myname.driver
Solaris Security Toolkit hardening executed successfully; log file
/var/opt/SUNWjass/run/20061114143128/jass-install-log.txt
It will not take effect until the next reboot. Before rebooting, make sure SSH or the serial line is setup for use after the reboot.

Install and Do Not Harden Your System

Run the install-ldm installation script with the -d none option to specify not to harden your system using a Solaris Security Toolkit driver. The installation script is part of the SUNWldm package and is in the Install subdirectory.

# Install/install-ldm -d none

If the process is successful, you receive messages similar to the example shown in Code Example 3-5.

CODE EXAMPLE 3-4 Output From Successful Run of the install-ldm -d none Script
# Install/install-ldm -d none
Installing LDoms and Solaris Security Toolkit packages.
pkgadd -n -d "/var/tmp/install/Product/Logical_Domain_Manager" -a pkg_admin SUNWldm.v
Copyright 2006 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Installation of <SUNWldm> was suc
68. ... </xs:simpleContent>
</xs:complexType>
CODE EXAMPLE A-9 The cim-common.xsd Schema (Continued)
<xs:complexType name="cimHexBinary">
  <xs:simpleContent>
    <xs:extension base="xs:hexBinary">
      <xs:anyAttribute namespace="##any" processContents="lax"/>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
<xs:complexType name="cimReference">
  <xs:sequence>
    <xs:any namespace="##other" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:complexType>
<!-- The following datatypes are used exclusively to define metadata fragments -->
<xs:attribute name="qualifier" type="xs:boolean"/>
<xs:complexType name="qualifierString">
  <xs:simpleContent>
    <xs:extension base="cim:cimString">
      <xs:attribute ref="cim:qualifier" use="required"/>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
<xs:complexType name="qualifierBoolean">
  <xs:simpleContent>
    <xs:extension base="cim:cimBoolean">
      <xs:attribute ref="cim:qualifier" use="required"/>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
<xs:complexType name="qualifierUInt32">
  <xs:simpleContent>
    <xs:extension base="cim:cimUnsignedInt">
      <xs:attribute ref="cim:qualifier" use="required"/>
    </xs:extension>
  </xs:simpleContent
69. ... software. Refer to "Required Software and Patches" in the Logical Domains (LDoms) 1.1 Release Notes to find the Solaris 10 OS that you should use for this version of the Logical Domains software, and the required and recommended patches. Refer to the Solaris 10 10/08 Release and Installation Collection for complete instructions for upgrading the Solaris OS.

Upgrading the System Firmware

Upgrade System Firmware

You can find system firmware for your platform at the SunSolve site: http://sunsolve.sun.com. Refer to "Required System Firmware Patches" in the Logical Domains (LDoms) 1.1 Release Notes for required system firmware by supported servers.

This procedure describes how to upgrade system firmware using the flashupdate(1M) command on your system controller.
■ If you do not have access to a local FTP server, see "Upgrade System Firmware Without an FTP Server" on page 23.
■ If you want to update the system firmware from the control domain, refer to your system firmware release notes.

Refer to the administration guides or product notes for the supported servers for more information about installing and updating system firmware for these servers.

1. Shut down and power off the host server from either management port connected to the system controller, serial or network.
   # shutdown -i5 -g0 -y
2. Use the flashupdate(1M) command to upgrade the system firmware, dependi
70. ... switch between the virtual network (vnet) devices in the various logical domains, but with no connectivity to a network outside the box through a physical device. In this mode, plumbing the vsw as a network device and enabling IP routing in the service domain enables virtual networks to communicate outside the box using the service domain as a router. This mode of operation is essential to provide external connectivity to the domains when the physical network adapter is not GLDv3-compliant.

The advantages of this configuration are:
■ The virtual switch does not need to use a physical device directly and can provide external connectivity even when the underlying device is not GLDv3-compliant.
■ The configuration can take advantage of the IP routing and filtering capabilities of the Solaris OS.

FIGURE 7-2 Virtual Network Routing (figure label: Hypervisor)

Set Up the Virtual Switch to Provide External Connectivity to Domains

1. Create a virtual switch with no associated physical device. If assigning an address, ensure that the virtual switch has a unique MAC address.
   primary# ldm add-vsw [mac-addr=xx:xx:xx:xx:xx:xx] primary-vsw0 primary
2. Plumb the virtual switch as a network device in addition to the physical network device being used by the domain. See "Configure the Virtual Switch as the Prima
71. ... system to use NIU Hybrid I/O on this vnet if possible. If it is not possible, the system reverts to virtual I/O. This hybrid mode is considered a delayed reconfiguration if set on an active vnet. See "Using NIU Hybrid I/O" on page 125 for more information.
■ pvid=port-vlan-id specifies the VLAN to which the virtual network device needs to be a member, in untagged mode. See "Using VLAN Tagging With Logical Domains Software" on page 122 for more information.
■ vid=vlan-id specifies one or more VLANs to which a virtual network device needs to be a member, in tagged mode. See "Using VLAN Tagging With Logical Domains Software" on page 122 for more information.
■ if_name (interface name) is a unique name to the logical domain, assigned to this virtual network device instance for reference on subsequent set-vnet or rm-vnet subcommands.
■ vswitch_name is the name of an existing network service (virtual switch) to which to connect.
■ ldom specifies the logical domain to which to add the virtual network device.

Set Options for an Existing Virtual Network Device

Use the following command syntax to set options for a virtual network device that already exists:

ldm set-vnet [mac-addr=num] [vswitch=vswitch_name] [mode=[hybrid]] [pvid=port-vlan-id] [vid=vlan-id1,vlan-id2,...] if_name ldom

Where:
■ mode= (left blank) disables NIU Hybrid I/O.
■ if_name (interface name)
72. ... target, the state information is installed in the hypervisor.

Phase 4: Handoff. After all state information is transferred, the handoff occurs when the target domain resumes execution (if the source was active) and the source domain is destroyed. From this point on, the target domain is the sole version of the domain running.

Software Compatibility

For a migration to occur, both the source and target machines must be running compatible software.
■ The hypervisor on the source and target machines both must support the most recent version of the LDoms 1.1 firmware. If you see the following error, you do not have the correct version of system firmware on either the source or target machine:
  System Firmware version on downrev machine does not support Domain Migration
  Domain Migration of LDom source_domain failed
■ A compatible version of the Logical Domains Manager must be running on both machines.

Note: Since this is the first release of the migration feature, both machines must be running LDoms 1.1 software and up-to-date firmware. Refer to the Logical Domains (LDoms) 1.1 Release Notes for the latest firmware for your platform.

Authentication

Since the migration operation executes on two machines, a user must be authenticated on both the source and target host. In particular, the user must have the solaris.ldoms.write authorization on both m
73. ...the hypervisor provide hardware features to support the hypervisor's control over a logical operating system's activities.
    A logical domain is a discrete logical grouping with its own operating system, resources, and identity within a single computer system. Each logical domain can be created, destroyed, reconfigured, and rebooted independently, without requiring a power cycle of the server. You can run a variety of applications software in different logical domains and keep them independent for performance and security purposes.
    Each logical domain is allowed to observe and interact with only those server resources made available to it by the hypervisor. Using the Logical Domains Manager, the system administrator specifies what the hypervisor should do through the control domain. Thus, the hypervisor enforces the partitioning of the resources of a server and provides limited subsets to multiple operating system environments. This is the fundamental mechanism for creating logical domains. The following diagram shows the hypervisor supporting two logical domains. It also shows the layers that make up the Logical Domains functionality:
    ■ Applications, or user/services
    ■ Kernel, or operating systems
    ■ Firmware, or hypervisor
    ■ Hardware, including CPU, memory, and I/O
    FIGURE 1-1 Hypervisor Supporting Two Logical Domains [figure: layers labelled User/Services, Kernel, Firmware, Hardware]
    The number and capabilities of each logical domain that a specific SP
74. ...the meta data into account used by a sparse disk -->
        <xs:attribute name="populatedSize" type="xs:long" use="optional"/>
        <!-- Reference to a potential parent disk -->
        <xs:attribute name="parentRef" type="xs:string" use="optional"/>
      </xs:complexType>
      <!-- CPU Architecture requirements for the guest software -->
      <xs:complexType name="CpuCompatibilitySection_Type">
        <xs:complexContent>
          <xs:extension base="ovf:Section_Type">
            <xs:sequence>
              <xs:element name="Level" maxOccurs="unbounded">
                <xs:complexType>
                  <xs:attribute name="level" type="xs:int" use="optional"/>
                  <xs:attribute name="eax" type="xs:string" use="optional"/>
                  <xs:attribute name="ebx" type="xs:string" use="optional"/>
                  <xs:attribute name="ecx" type="xs:string" use="optional"/>
                  <xs:attribute name="edx" type="xs:string" use="optional"/>
                </xs:complexType>
              </xs:element>
              <xs:any namespace="##targetNamespace" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
              <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
            </xs:sequence>
            <xs:attribute name="Vendor" type="xs:string"/>
            <xs:anyAttribute namespace="##any"/>
          </xs:extension>
        </xs:complexContent>
    CODE EXAMPLE A-5 The ov-core.xsd Schema (Continued)
      </xs:complexType>
      <!-- Specification of the operating sys
75. ...to the ldm add-vsw command. You can change the VLANs to which a device belongs using the ldm set-vnet or ldm set-vsw command.
    Port VLAN ID (PVID)
    The PVID indicates a VLAN to which the virtual network device needs to be a member, in untagged mode. In this case, the vsw device provides the necessary tagging or untagging of frames for the vnet device over the VLAN specified by its PVID. Any outbound frames from the virtual network that are untagged are tagged with its PVID by the virtual switch. Inbound frames tagged with this PVID are untagged by the virtual switch before sending them to the vnet device. Thus, assigning a PVID to a vnet implicitly means that the corresponding virtual network port on the virtual switch is marked untagged for the VLAN specified by the PVID. You can have only one PVID for a vnet device. The corresponding virtual network interface, when configured using the ifconfig(1M) command without a VLAN ID and using only its device instance, results in the interface being implicitly assigned to the VLAN specified by the virtual network's PVID.
    For example, if you were to plumb vnet instance 0 using the following command, and if the pvid argument for the vnet has been specified as 10, the vnet0 interface would be implicitly assigned to belong to the VLAN 10:
        # ifconfig vnet0 plumb
    VLAN ID (VID)
    The VID indicates the VLAN to which a virtual network device or virtual switch needs to be a member, in tagged mode. The
76. ...trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon architecture developed by Sun Microsystems, Inc.
    The Adobe PostScript logo is a trademark of Adobe Systems Incorporated.
    Products covered by and information contained in this service manual are controlled by U.S. Export Control laws and may be subject to the export or import laws in other countries. Nuclear, missile, chemical biological weapons or nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified on U.S. export exclusion lists, including, but not limited to, the denied persons and specially designated nationals lists is strictly prohibited.
    DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
    Copyright 2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, United States. All rights reserved. Sun Microsystems, Inc. holds the intellectual property rights relating to the technology embodied in the product described in this document. In particular, and
77. ...used for storing the SVM metadevice state database, metadb(1M), of the local disk set or for creating SVM volumes in the local disk set.
    Any virtual disk whose backend is a SCSI disk can be used in a SVM shared disk set, metaset(1M). Virtual disks whose backends are not SCSI disks cannot be added into a SVM shared disk set. Trying to add a virtual disk whose backend is not a SCSI disk into a SVM shared disk set fails with an error similar to the following:
        # metaset -s test -a c2d2
        metaset: domain1: test: failed to reserve any drives
    Using VxVM on Top of Virtual Disks
    For VxVM support in guest domains, refer to the VxVM documentation from Symantec.
    CHAPTER 7 Using a Virtual Network With Logical Domains
    This chapter describes how to use a virtual network with Logical Domains software.
    Introduction to a Virtual Network
    A virtual network allows domains to communicate with each other without using any external physical networks. A virtual network also can allow domains to use the same physical network interface to access a physical network and communicate with remote systems. A virtual network is created by having a virtual switch to which you can connect virtual network devices.
    Virtual Switch
    A virtual switch
78. ...w3.org/2001/XMLSchema" elementFormDefault="qualified">
      <!-- The following are runtime attribute definitions -->
      <xs:attribute name="Key" type="xs:boolean"/>
      <xs:attribute name="Version" type="xs:string"/>
      <!-- The following section defines the extended WS-CIM datatypes -->
      <xs:complexType name="cimDateTime">
        <xs:choice>
          <xs:element name="CIM_DateTime" type="xs:string" nillable="true"/>
          <xs:element name="Interval" type="xs:duration"/>
          <xs:element name="Date" type="xs:date"/>
          <xs:element name="Time" type="xs:time"/>
          <xs:element name="Datetime" type="xs:dateTime"/>
        </xs:choice>
        <xs:anyAttribute namespace="##any" processContents="lax"/>
      </xs:complexType>
      <xs:complexType name="cimUnsignedByte">
        <xs:simpleContent>
          <xs:extension base="xs:unsignedByte">
            <xs:anyAttribute namespace="##any" processContents="lax"/>
          </xs:extension>
        </xs:simpleContent>
      </xs:complexType>
      <xs:complexType name="cimByte">
        <xs:simpleContent>
          <xs:extension base="xs:byte">
            <xs:anyAttribute namespace="##any" processContents="lax"/>
          </xs:extension>
        </xs:simpleContent>
      </xs:complexType>
      <xs:complexType name="cimUnsignedShort">
        <xs:simpleContent>
          <xs:extension base="xs:unsignedShort">
    CODE EXAMPLE A-9 The cim-common.xsd Schema (Continued)
            <xs:anyAttribute
79. ...was performed during a JumpStart installation, you must run the following SMF commands to restart the Logical Domains Manager daemon (ldmd) and the virtual network terminal server daemon (vntsd):
        # svcadm enable svc:/ldoms/ldmd:default
    Enabling the Logical Domains Manager Daemon
    The installation script, install-ldm, automatically enables the Logical Domains Manager daemon (ldmd). If you have installed the Logical Domains Manager software manually, you must enable the Logical Domains Manager daemon, ldmd, which allows you to create, modify, and control the logical domains.
    ▼ Enable the Logical Domains Manager Daemon
    1. Use the svcadm(1M) command to enable the Logical Domains Manager daemon, ldmd:
        # svcadm enable ldmd
    2. Use the ldm list command to verify that the Logical Domains Manager is running. You receive a message similar to the following, which is for the factory-default configuration. Note that the primary domain is active, which means that the Logical Domains Manager is running:
        # /opt/SUNWldm/bin/ldm list
        NAME     STATE   FLAGS  CONS  VCPU  MEMORY  UTIL  UPTIME
        primary  active  c      SP    32    3264M   0.3%  19d 9m
    Creating Authorization and Profiles and Assigning Roles for User Accounts
    You set up authorization and profiles and assign roles for user accounts using the Solaris OS Role-Based Access Control (RBAC) adapted for the Logical Doma
80. ...02142843/jass-install-log.txt. It will not take effect until the next reboot. Before rebooting, make sure SSH or the serial line is set up for use after the reboot.
    ▼ Install With a Customized Hardening Driver
    Run the install-ldm installation script with the -d option to specify a Solaris Security Toolkit customized hardening driver, for example, server-secure-myname.driver. The installation script is part of the SUNWldm package and is in the Install subdirectory.
        # Install/install-ldm -d server-secure-myname.driver
    If the process is successful, you receive messages similar to that in Code Example 3-4.
    CODE EXAMPLE 3-3 Output From Successful Run of the install-ldm -d Script
        # Install/install-ldm -d server-secure.driver
        The driver you selected may not perform all the LDoms-specific operations specified in the LDoms Administration Guide.
        Installing LDoms and Solaris Security Toolkit packages.
        pkgadd -n -d "/var/tmp/install/Product/Logical_Domain_Manager" -a pkg_admin SUNWldm.v
        Copyright 2006 Sun Microsystems, Inc. All rights reserved.
        Use is subject to license terms.
        Installation of <SUNWldm> was successful.
        pkgadd -n -d "/var/tmp/install/Product/Solaris_Security_Toolkit" -a pkg_admin SUNWjass
        Copyright 2005 Sun Microsystems, Inc. All rights reserved.
        Use is subject to license terms.
        Installation of <SUNWjass> was successful.
        Verifying that all packages are fully installed. OK.
        Enabling
81. ...1 service=primary-vcc0 ldg2
        primary# ldm set-vcons group=group1 service=primary-vcc0 ldg3
    2. Connect to the associated TCP port (localhost at port 5000 in this example):
        # telnet localhost 5000
        primary-vnts-group1: h,l,c{id},n{name},q:
    You are prompted to select one of the domain consoles.
    3. List the domains within the group by selecting l (list):
        primary-vnts-group1: h,l,c{id},n{name},q: l
        DOMAIN ID   DOMAIN NAME   DOMAIN STATE
        0           ldg1          online
        1           ldg2          online
        2           ldg3          online
    Note: To re-assign the console to a different group or vcc instance, the domain must be unbound; that is, it has to be in the inactive state. Refer to the Solaris 10 OS vntsd(1M) man page for more information on configuring and using SMF to manage vntsd and using console groups.
    Operating the Solaris OS With Logical Domains
    This section describes the changes in behavior in using the Solaris OS that occur once a configuration created by the Logical Domains Manager is instantiated; that is, domaining is enabled.
    Note: Any discussion about whether domaining is enabled pertains only to Sun UltraSPARC T1-based platforms. Otherwise, domaining is always enabled.
    OpenBoot Firmware Not Available After Solaris OS Has Started If Domaining Is Enabled
    Domaining is enabled once a logical domains configuration created by the Logical Domains Manager is instantiated. If d
82. ...200/network@0
        net              /virtual-devices@100/channel-devices@200/network@0
        disk             /virtual-devices@100/channel-devices@200/disk@0
        virtual-console  /virtual-devices/console@1
        name             aliases
    10. On the guest domain's console, boot from disk 2 on slice f:
        ok boot /virtual-devices@100/channel-devices@200/disk@2:f -v
        Boot device: /virtual-devices@100/channel-devices@200/disk@2:f  File and args: -s
        SunOS Release 5.10 Version Generic_137137-09 32-bit
        Copyright 1983-2008 Sun Microsystems, Inc. All rights reserved.
        Use is subject to license terms.
    11. Continue with the Solaris OS installation menu.
    ▼ Install Solaris OS on a Guest Domain From a Solaris ISO File
    1. Unbind the guest domain ldg1:
        primary# ldm unbind ldg1
    2. Add the Solaris ISO file (solarisdvd.iso) as a secondary volume (iso_vol@primary-vds0) and virtual disk (vdisk_iso), for example:
        primary# ldm add-vdsdev /export/solarisdvd.iso iso_vol@primary-vds0
        primary# ldm add-vdisk vdisk_iso iso_vol@primary-vds0 ldg1
    3. Check to see that the Solaris ISO file is added as a secondary volume and virtual disk. TOUT in the lists for virtual disks means the timeout set for the disk when added, if any. There is no timeout period specified for the virtual disk vdisk_iso.
        primary# ldm list-bindings
        NAME  STATE  FLAGS  CONS  VCPU  MEMORY  UTIL  UPTIME
        primar
83. A Service Management Facility manifest is an XML file that describes a service. For more information about creating an SMF manifest, refer to the Solaris 10 System Administrator Collection.
    Note: To access a non-English OS in a guest domain through the console, the terminal for the console must be in the locale required by the OS.
    Stopping a Heavily Loaded Domain Can Time Out
    An ldm stop-domain command can time out before the domain completes shutting down. When this happens, an error similar to the following is returned by the Logical Domains Manager:
        LDom ldg8 stop notification failed
    However, the domain could still be processing the shutdown request. Use the ldm list-domain command to verify the status of the domain. For example:
        # ldm list-domain ldg8
        NAME  STATE   FLAGS  CONS  VCPU  MEMORY  UTIL  UPTIME
        ldg8  active  s      5000  22    3328M   0.3%  1d 14h 31m
    The preceding list shows the domain as active, but the s flag indicates that the domain is in the process of stopping. This should be a transitory state. The following example shows the domain has now stopped:
        # ldm list-domain ldg8
        NAME  STATE  FLAGS  CONS  VCPU  MEMORY  UTIL  UPTIME
        ldg8  bound         5000  22    3328M
    Determining Where Errors Occur by Mapping CPU and Memory Addresses
    The Solaris Fault Management A
84. ...9-6
    ▼ Generate a Parseable, Machine-Readable List (-p)
    Generate a parseable, machine-readable list of all domains:
        primary# ldm list -p
        VERSION 1.0
        DOMAIN|name=primary|state=active|flags=-t-cv|cons=|ncpu=1|mem=805306368|util=0.0|uptime=0
        DOMAIN|name=ldg1|state=bound|flags=|cons=5000|ncpu=1|mem=536870912|util=|uptime=
    ▼ Generate a Subset of a Long List (-o format)
    Generate output as a subset of resources by entering one or more of the following format options. If you specify more than one format, delimit the items by a comma with no spaces.
    ■ console: output contains virtual console (vcons) and virtual console concentrator (vcc) service
    ■ cpu: output contains virtual CPU (vcpu) and physical CPU (pcpu)
    ■ crypto: cryptographic unit output contains Modular Arithmetic Unit (mau) and any other LDoms-supported cryptographic unit, such as the Control Word Queue (CWQ)
    ■ disk: output contains virtual disk (vdisk) and virtual disk server (vds)
    ■ domain: output contains variables (var), host ID (hostid), domain state, flags, and software state
    ■ memory: output contains memory
    ■ network: output contains media access control (mac) address, virtual network switch (vsw), and virtual network (vnet) device
    ■ physio: physical input/output contains peripheral component interconnect (pci) and network interface unit (niu)
    ■ serial: output contains virtual logical domain
85. ...AIN|name=ldg-src
        STATUS|op=migration|progress=42|error=no|target=t5440-sys-2
    CHAPTER 9 Other Information and Tasks
    This chapter contains information and tasks about using the Logical Domains software that are not described in the preceding chapters.
    Using CPU Power Management With LDoms 1.1 Software
    To use CPU Power Management (PM) with LDoms 1.1 software, you first need to set the power management policy in ILOM 3.0 firmware. This section summarizes the information that you need to use power management with LDoms software. Refer to "Monitoring Power Consumption" in the Sun Integrated Lights Out Manager (ILOM) 3.0 CLI Procedures Guide for more details.
    The power policy is the setting that governs system power usage at any point in time. The Logical Domains Manager version 1.1 supports two power policies, assuming that the underlying platform has implemented Power Management features:
    ■ Performance: The system is allowed to use all the power that is available.
    ■ Elastic: The system power usage is adapted to the current utilization level. For example, power up or down just enough system components to keep utilization within thresholds at all times, even if the workload fluctuates.
    For instructions on configuring the power policy using the ILOM 3.0 firmware CLI, refer to "Monitor
86. ...ARC hypervisor supports are server-dependent features. The hypervisor can allocate subsets of the overall CPU, memory, and I/O resources of a server to a given logical domain. This enables support of multiple operating systems simultaneously, each within its own logical domain. Resources can be rearranged between separate logical domains with an arbitrary granularity. For example, memory is assignable to a logical domain with an 8-kilobyte granularity.
    Each virtual machine can be managed as an entirely independent machine with its own resources, such as:
    ■ Kernel, patches, and tuning parameters
    ■ User accounts and administrators
    ■ Disks
    ■ Network interfaces, MAC addresses, and IP addresses
    Each virtual machine can be stopped, started, and rebooted independently of each other without requiring a power cycle of the server.
    The hypervisor software is responsible for maintaining the separation between logical domains. The hypervisor software also provides logical domain channels (LDCs), so that logical domains can communicate with each other. Using logical domain channels, domains can provide services to each other, such as networking or disk services.
    The service processor (SP), also known as the system controller (SC), monitors and runs the physical machine, but it does not manage the virtual machines. The Logical Domains Manager runs the virtual machines.
    Logical Domain
87. ...All ldm Subcommands (Continued)
                               cancel-operation (migration|reconf) <ldom>
                               cancel-reconf <ldom>
        spconfig (config)      add-spconfig <config_name>
                               set-spconfig <config_name>
                               remove-spconfig <config_name>
                               list-spconfig
        variable (var)         add-variable <var_name>=<value> <ldom>
                               set-variable <var_name>=<value> <ldom>
                               remove-variable <var_name> <ldom>
                               list-variable [<var_name>] <ldom>
        vconscon (vcc)         add-vconscon port-range=<x>-<y> <vcc_name> <ldom>
                               set-vconscon port-range=<x>-<y> <vcc_name>
                               remove-vconscon [-f] <vcc_name>
        vconsole (vcons)       set-vcons [port=<port-num>] [group=<group>] [service=<vcc_server>] <ldom>
        vcpu                   add-vcpu <number> <ldom>
                               set-vcpu <number> <ldom>
                               remove-vcpu <number> <ldom>
        vdisk                  add-vdisk [timeout=<seconds>] <disk_name> <volume_name>@<service_name> <ldom>
                               set-vdisk [timeout=<seconds>] [volume=<volume_name>@<service_name>] <disk_name> <ldom>
                               remove-vdisk [-f] <disk_name> <ldom>
        vdiskserver (vds)      add-vdiskserver <service_name> <ldom>
                               remove-vdiskserver [-f] <service_name>
        vdpcc (ndpsldcc)       add-vdpcc <vdpcc_name> <service_name> <ldom>
                               remove-vdpcc [-f] <vdpcc_name> <ldom>
        vdpcs (ndpsldcs)
    CODE E
88. ...BSM: disable the BSM
    C
    CD: compact disc
    CLI: command-line interface
    compliance: Determining if a system's configuration is in compliance with a predefined security profile
    config: Name of logical domain configuration saved on the system controller
    CMT: chip multithreading
    constraints: To the Logical Domains Manager, constraints are one or more resources you want to have assigned to a particular domain. You either receive all the resources you ask to be added to a domain or you get none of them, depending upon the available resources.
    control domain: Domain that creates and manages other logical domains and services
    CPU: central processing unit
    CWQ: Control Word Queue; cryptographic unit for Sun UltraSPARC T2-based platforms
    DHCP: Dynamic Host Configuration Protocol
    DMA: Direct Memory Access is the ability to directly transfer data between the memory and a device (for example, a network card) without involving the CPU
    DMP: Dynamic Multipathing
    DPS: Veritas data plane software
    DR: dynamic reconfiguration
    drd(1M): dynamic reconfiguration daemon for Logical Domains Manager (Solaris 10 OS)
    DS: Domain Services module (Solaris 10 OS)
    DVD: digital versatile disc
    e1000g, EFI, ETM
    F: FC_AL, FMA, fmd(1M), format(1M), fmthard(1M), FTP
    G: Gb, guest domain, GLDv3
    H: hardening, HDD, dr
89. ...D and handle the necessary tagging or untagging of Ethernet frames. You can create multiple VLAN interfaces over a vnet device in a guest domain. You can use the Solaris OS ifconfig(1M) command to create a VLAN interface over a virtual network device, the same way it is used to configure a VLAN interface over any other physical network device. The additional requirement in the LDoms environment is that you must assign the vnet to the corresponding VLANs using the Logical Domains Manager CLI commands. Refer to the ldm(1M) man page or the Logical Domains (LDoms) Manager 1.1 Man Page Guide for complete information about the Logical Domains Manager CLI commands. Similarly, you can configure VLAN interfaces over a virtual switch device in the service domain. VLAN IDs 2 through 4094 are valid; VLAN ID 1 is reserved as the default-vlan-id.
    When you create a vnet device on a guest domain, you must assign it to the required VLANs by specifying a port VLAN ID and zero or more VLAN IDs for this vnet, using the pvid= and vid= arguments to the ldm add-vnet command. This configures the virtual switch to support multiple VLANs in the LDoms network and switch packets using both MAC address and VLAN IDs in the network. Similarly, any VLANs to which the vsw device itself should belong, when plumbed as a network interface, must be configured in the vsw device using the pvid= and vid= arguments
90. ...Domains Manager daemon (ldmd).
      ■ Hardens the Solaris OS on the control domain with the Solaris Security Toolkit ldm_control-secure.driver, or one of the other drivers ending in -secure.driver that you select.
    ■ Using the install-ldm script with option -d allows you to specify a Solaris Security Toolkit driver other than a driver ending with -secure.driver. This option automatically performs all the functions listed in the preceding choice with the added option:
      ■ Hardens the Solaris OS on the control domain with the Solaris Security Toolkit customized driver that you specify; for example, the server-secure-myname.driver.
    ■ Using the install-ldm script with option -d and specifying none specifies that you do not want to harden the Solaris OS running on your control domain by using the Solaris Security Toolkit. This option automatically performs all the functions except hardening listed in the preceding choices. Bypassing the use of the Solaris Security Toolkit is not suggested and should only be done when you intend to harden your control domain using an alternate process.
    ■ Using the install-ldm script with option -p specifies that you only want to perform the post-installation actions of enabling the Logical Domains Manager daemon (ldmd) and running the Solaris Security Toolkit. For example, you would use this option if the SUNWldm and SUNWjass packages are preinstalled on your server. See "Enable the Logical Domains Manager Daemon and Run the So
91. Downloading Logical Domains Manager and Solaris Security Toolkit
    ▼ Download the Software
    1. Download the zip file (LDoms_Manager-1_1.zip) from the Sun Software Download site. You can find the software from this web site: http://www.sun.com/ldoms
    2. Unzip the zip file:
        unzip LDoms_Manager-1_1.zip
    The Logical Domains Manager and the Solaris Security Toolkit are bundled in the same zip file. Refer to "Location of Logical Domains 1.1 Software" in the Logical Domains (LDoms) 1.1 Release Notes for details about the structure of the file and what it includes.
    Installing the Logical Domains Manager and Solaris Security Toolkit
    There are three methods of installing Logical Domains Manager and Solaris Security Toolkit software:
    ■ Using the installation script to install the packages and patches. This automatically installs both the Logical Domains Manager and the Solaris Security Toolkit software. See "Installing the Logical Domains Manager and Solaris Security Toolkit Software Automatically" on page 24.
    ■ Using JumpStart to install the packages. See "Using JumpStart to Install the Logical Domains Manager 1.1 and Solaris Security Toolkit 4.2 Software" on page 31.
    ■ Installing each package manually. See "Installing Logical Domains Manager and Solaris Security Toolkit Software Manually" on page 34.
    Note: Remember that you need to manually install the LDoms MIB software
92. XMPP
    The Logical Domains Manager implements an XMPP server which can communicate with numerous available XMPP client applications and libraries. The LDoms Manager uses the following security mechanisms:
    ■ Transport Layer Security (TLS) to secure the communication channel between the client and itself.
    ■ Simple Authentication and Security Layer (SASL) for authentication. PLAIN is the only SASL mechanism supported. You must send in a user name and password to the server so it can authorize you before allowing monitoring or management operations.
    Local Connections
    The LDoms Manager detects whether user clients are running on the same domain as itself and, if so, does a minimal XMPP handshake with that client. Specifically, the SASL authentication step after the setup of a secure channel through TLS is skipped. Authentication and authorization are done based on the credentials of the process implementing the client interface.
    Clients can choose to implement a full XMPP client or to simply run a streaming XML parser, such as the libxml2 Simple API for XML (SAX) parser. Either way, the client has to handle an XMPP handshake to the point of TLS negotiation. Refer to the XMPP specification for the sequence needed.
    XML Protocol
    After communication initialization is complete, LDoms-defined XML messages are sent next. There are two general types of XML messages:
    ■ Request and response messages use the <LDM_in
93. ...ML
        <Envelope>
          <References/>
          <Content xsi:type="ovf:VirtualSystem_Type" id="ldg1">
            <Section xsi:type="ovf:VirtualHardwareSection_Type">
              <Item>
                <rasd:OtherResourceType>var</rasd:OtherResourceType>
                <gprop:GenericProperty key="name">test_var</gprop:GenericProperty>
                <gprop:GenericProperty key="value">test1</gprop:GenericProperty>
              </Item>
            </Section>
          </Content>
        </Envelope>
    A var resource is always contained within a <Content> section. It can have <gprop:GenericProperty> tags with the following keys:
    ■ name: Name of the variable
    ■ value: Value of the variable
    Physical I/O Device (physio_device) Resource
    CODE EXAMPLE 10-17 Example physio_device XML
        <Envelope>
          <References/>
          <Content xsi:type="ovf:VirtualSystem_Type" id="ldg1">
            <Section xsi:type="ovf:VirtualHardwareSection_Type">
              <Item>
                <rasd:OtherResourceType>physio_device</rasd:OtherResourceType>
                <gprop:GenericProperty key="name">pci@780</gprop:GenericProperty>
              </Item>
            </Section>
          </Content>
        </Envelope>
    A physio_device resource is always contained within a <Content> section. The only property is the <gprop:GenericProperty> tag with the following key (property value):
    ■ name: Name of the I/O device being described
    SP Configuration
94. ...ResourceSubType" nillable="true" type="cim:cimString"/>
        <xs:element name="PoolID" nillable="true" type="cim:cimString"/>
        <xs:element name="ConsumerVisibility" nillable="true">
          <xs:complexType>
            <xs:simpleContent>
    CODE EXAMPLE A-7 The cim-rasd.xsd Schema (Continued)
              <xs:restriction base="xs:anyType">
                <xs:simpleType>
                  <xs:union>
                    <xs:simpleType>
                      <xs:restriction base="xs:unsignedShort">
                        <xs:enumeration value="0"/>
                        <xs:enumeration value="2"/>
                        <xs:enumeration value="3"/>
                        <xs:enumeration value="4"/>
                      </xs:restriction>
                    </xs:simpleType>
                    <xs:simpleType>
                      <xs:restriction base="xs:unsignedShort">
                        <xs:minInclusive value="5"/>
                        <xs:maxInclusive value="32768"/>
                      </xs:restriction>
                    </xs:simpleType>
                    <xs:simpleType>
                      <xs:restriction base="xs:unsignedShort">
                        <xs:minInclusive value="32767"/>
                        <xs:maxInclusive value="65535"/>
                      </xs:restriction>
                    </xs:simpleType>
                  </xs:union>
                </xs:simpleType>
                <xs:anyAttribute namespace="##any"/>
              </xs:restriction>
            </xs:simpleContent>
          </xs:complexType>
        </xs:element>
        <xs:element name="HostResource" nillable="true" type="xs:anyType"/>
        <xs:element name="AllocationUnits" nillable="true" type="cim:cimString"/>
        <xs:element name="VirtualQuantity" nillable
95. Sun Microsystems
    Logical Domains (LDoms) 1.1 Administration Guide
    Sun Microsystems, Inc. www.sun.com
    Part No. 820-4913-10, December 2008, Revision A
    Submit comments about this document at: http://www.sun.com/hwdocs/feedback
    Copyright 2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.
    Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.
    U.S. Government Rights: Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements.
    Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd.
    Sun, Sun Microsystems, the Sun logo, Java, Solaris, JumpStart, OpenBoot, Sun Fire, Netra, SunSolve, Sun BluePrints, Sun Blade, Sun Ultra, and SunVTS are service marks, trademarks, or registered trademarks of Sun Microsystems, Inc., or its subsidiaries, in the U.S. and other countries. All SPARC
96. ...Schema (Continued)
            <xs:element ref="class:HostResource" maxOccurs="unbounded" minOccurs="0"/>
            <xs:element ref="class:AllocationUnits" minOccurs="0"/>
            <xs:element ref="class:VirtualQuantity" minOccurs="0"/>
            <xs:element ref="class:Reservation" minOccurs="0"/>
            <xs:element ref="class:Limit" minOccurs="0"/>
            <xs:element ref="class:Weight" minOccurs="0"/>
            <xs:element ref="class:AutomaticAllocation" minOccurs="0"/>
            <xs:element ref="class:AutomaticDeallocation" minOccurs="0"/>
            <xs:element ref="class:Parent" minOccurs="0"/>
            <xs:element ref="class:Connection" maxOccurs="unbounded" minOccurs="0"/>
            <xs:element ref="class:Address" minOccurs="0"/>
            <xs:element ref="class:MappingBehavior" minOccurs="0"/>
            <xs:element ref="class:AddressOnParent" minOccurs="0"/>
            <xs:element ref="class:BusNumber" minOccurs="0"/>
            <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:anyAttribute namespace="##any"/>
        </xs:complexType>
        <xs:element name="CIM_ResourceAllocationSettingData" type="class:CIM_ResourceAllocationSettingData_Type"/>
      </xs:schema>
    The cim-vssd.xsd Schema
    CODE EXAMPLE A-8 The cim-vssd.xsd Schema
        <?xml version="1.0" encoding="utf-8"?>
        <xs:schema targetNamespace="/var/opt/SUNWldom/CIM_VirtualSystemSettingData"
                   xmlns:class="/var/opt/SUNWldom/CIM_VirtualSystemSettingData"
                   xmlns:cim="/var/opt/SUNWldom/common"
                   xmlns:xs="http://www.w3.org/2001/XMLSchema">
          <xs:import namespace="/var/opt/SUNWldom/common" schemaLocation="cim-common.xsd"
97. …CPU is power managed, and a "no" means the CPU is powered on. It is assumed that 100 percent free CPUs are power managed by default, hence the dash (---) under PM.

    ldm list-devices -a cpu
    VCPU
        PID  FREE  PM
        0    0     no
        1    0     yes
        2    0     yes
        3    0     yes
        4    100   ---
        5    100   ---
        6    100   ---
        7    100   ---

b. Use the parseable option (-p) to the list-devices -a cpu subcommand. In the power management (pm) field, a "yes" means the CPU is power managed, and a "no" means the CPU is powered on. It is assumed that 100 percent free CPUs are power managed by default, hence the blank in that field.

    ldm list-devices -a -p cpu
    VERSION 1.4
    VCPU
    |pid=0|free=0|pm=no
    |pid=1|free=0|pm=yes
    |pid=2|free=0|pm=yes
    |pid=3|free=0|pm=yes
    |pid=4|free=0|pm=no
    |pid=5|free=0|pm=yes
    |pid=6|free=0|pm=yes
    |pid=7|free=0|pm=yes
    |pid=8|free=100|pm=
    |pid=9|free=100|pm=
    |pid=10|free=100|pm=

Entering Names in the CLI

The following sections describe the restrictions on entering names in the Logical Domains Manager CLI.

File Names (file) and Variable Names (var_name)
- The first character must be a letter, a number, or a forward slash (/).
- Subsequent characters must be letters, numbers, or punctuation.

Virtual Disk Server Backend and Virtual Switch Device Names
- Must contain letters, numbers, or punctuation.
…
98. (CODE EXAMPLE 9-1 Syntax Usage for All ldm Subcommands, continued; two columns of the original table were interleaved in extraction and are rebuilt here one subcommand per line)

    vdpcs
        add-vdpcs <vdpcs_name> <ldom>
        remove-vdpcs [-f] <vdpcs_name>

    vdiskserverdevice (vdsdev)
        add-vdiskserverdevice [options={ro,slice,excl}] [mpgroup=<mpgroup>] <backend> <volume_name>@<service_name>
        set-vdiskserverdevice [options={ro,slice,excl}] [mpgroup=<mpgroup>] <volume_name>@<service_name>
        remove-vdiskserverdevice [-f] <volume_name>@<service_name>

    vnet
        add-vnet [mac-addr=<num>] [mode=hybrid] [pvid=<pvid>] [vid=<vid1,vid2,...>] <if_name> <vswitch_name> <ldom>
        set-vnet [mac-addr=<num>] [mode=hybrid] [pvid=<pvid>] [vid=<vid1,vid2,...>] [vswitch=<vswitch_name>] <if_name> <ldom>
        remove-vnet [-f] <if_name> <ldom>

    vswitch (vsw)
        add-vswitch [default-vlan-id=<vid>] [pvid=<pvid>] [vid=<vid1,vid2,...>] [mac-addr=<num>] [net-dev=<device>] [mode=<mode>] <vswitch_name> <ldom>
        set-vswitch [pvid=<pvid>] [vid=<vid1,vid2,...>] [mac-addr=<num>] [net-dev=<device>] [mode=<mode>] <vswitch_name>
        remove-vswitch [-f] <vswitch_name>

    Verb aliases
        Alias    Verb
        rm       remove
        ls       list

    Command aliases
        Alias          Command
        cancel-op      cancel-operation
        create         add-domain
        destroy        remove-domain
        remove-reconf  cancel-rec…
        start, stop, bind, unbind, panic, migrate (commands cut off on the page)
99. …machines. The ldm command-line interface for migration allows the user to specify an optional alternate user name for authentication on the target host. If this is not specified, the user name of the user executing the migration command is used. In both cases, the user is prompted for a password for the target machine.

Migrating an Active Domain

For the migration of an active domain to occur with LDoms 1.1 software, there is a certain set of requirements and restrictions imposed on the source logical domain, the source machine, and the target machine. The sections following describe these requirements and restrictions for each of the resource types.

CPUs

Following are the requirements and restrictions on CPUs when performing a migration.
- The source and target machines must have the same processor type running at the same frequency.
- The target machine must have sufficient free strands to accommodate the number of strands in use by the domain. In addition, full cores must be allocated for the migrated domain. If the number of strands in the source is less than a full core, the extra strands are unavailable to any domain until after the migrated domain is rebooted.
- After a migration, CPU dynamic reconfiguration (DR) is disabled for the target domain until it has been rebooted. Once a reboot has occurred, CPU DR becomes available for that domain.
- Either the source domain must have only a single strand, or the guest OS must supp…
100. …action tag to describe the command to run. Each <cmd> tag must include at least one <data> tag to describe the objects on which the command is to operate.

The <data> Tag

Each <data> section contains a description of an object pertinent to the command specified. The format of the <data> section is based on the XML schema portion of the Open Virtualization Format (OVF) draft specification. That schema defines an <Envelope> section, which contains a <References> tag (unused by LDoms) and <Content> and <Section> sections.

For LDoms, the <Content> section is used to identify and describe a particular domain. The domain name in the id attribute of the <Content> node identifies the domain. Within the <Content> section are one or more <Section> sections describing resources of the domain as needed by the particular command.

If you only need to identify a domain name, then you do not need to use any <Section> tags. Conversely, if no domain identifier is needed for the command, then you do need to provide a <Section> section describing the resources needed for the command outside of a <Content> section, but still within the <Envelope> section.

A <data> section does not need to contain an <Envelope> tag in cases where the object information can be inferred. This situation mainly applies to requests for monitoring all objects applicable to an action, and event registration and unregistration requests. To allow use…
101. (CODE EXAMPLE 9-4 Long List for All Domains, continued)

    …  active  -t-cv-  …     1     768M    0.0%  0s
    VCPU
        VID  PID  UTIL  STRAND
        0    0    0.0%  100%
    MEMORY
        RA         PA         SIZE
        0x4000000  0x4000000  768M
    IO
        DEVICE   PSEUDONYM  OPTIONS
        pci@780  bus_a
        pci@7c0  bus_b      bypass=on
    VCC
        NAME  PORT-RANGE
        vcc0  5000-5100
    VSW
        NAME  MAC                NET-DEV  DEVICE    MODE
        vsw0  08:00:20:aa:bb:e0  e1000g0  switch@0  prog,promisc
        vsw1  08:00:20:aa:bb:e1                     routed
    VDS
        NAME  VOLUME   OPTIONS        DEVICE
        vds0  myvol-a  slice          /disk/a
              myvol-b                 /disk/b
              myvol-c  ro,slice,excl  /disk/c
        vds1  myvol-d                 /disk/d
    VDPCS
        NAME
        vdpcs0
        vdpcs1

    NAME  STATE  FLAGS  CONS  VCPU  MEMORY  UTIL  UPTIME
    ldg1  bound  -----  5000  1     512M
    VCPU
        VID  PID  UTIL  STRAND
        0    du         100%
    MEMORY
        RA         PA          SIZE
        0x4000000  0x34000000  512M
    NETWORK
        NAME     SERVICE       DEVICE     MAC
        mynet-b  vsw0@primary  network@0  08:00:20:ab:9a:12
        mynet-a  vsw0@primary  network@1  08:00:20:ab:9a:11
    DISK
        NAME      VOLUME        DEVICE  SERVER
        mydisk-a  myvol-a@vds0  disk@0  primary
        mydisk-b  myvol-b@vds0  disk@1  primary
    VDPCC
        NAME       SERVICE
        myvdpcc-a  vdpcs0@primary
        myvdpcc-b  vdpcs0@primary
    VCONS
        NAME     SERVICE       PORT
        mygroup  vcc0@primary  5000

▼ Generate an Extended List

● Generate an extended list of all domains.

CODE EXAMPLE 9-5 Extended List for All Domains

    primary# ldm list -e
…
102. (parseable long list output, continued)

    …|flags=normal,control,vio-service|cons=SP|ncpu=4|mem=1073741824|util=0.6|uptime=64801|softstate=Solaris running
    VCPU
    |vid=0|pid=0|util=0.9|strand=100
    |vid=1|pid=1|util=0.5|strand=100
    |vid=2|pid=2|util=0.6|strand=100
    |vid=3|pid=3|util=0.6|strand=100
    MEMORY
    |ra=0x8000000|pa=0x8000000|size=1073741824
    IO
    |dev=pci@780|alias=bus_a
    |dev=pci@7c0|alias=bus_b
    VDS
    |name=primary-vds0|nclients=2
    |vol=disk-ldg1|opts=|dev=/opt/ldoms/testdisk.1
    |vol=disk-ldg2|opts=|dev=/opt/ldoms/testdisk.2
    VCC
    |name=primary-vcc0|nclients=2|port-range=5000-5100
    VSW
    |name=primary-vsw0|nclients=2|mac-addr=00:14:4f:fb:42:5c|net-dev=e1000g0|dev=switch@0|mode=prog,promisc
    VCONS
    |type=SP
    DOMAIN|name=ldg1|state=active|flags=normal|cons=5000|ncpu=2|mem=805306368|util=29|uptime=903|softstate=Solaris running
    VCPU
    |vid=0|pid=4|util=29|strand=100
    |vid=1|pid=5|util=29|strand=100
    MEMORY
    |ra=0x8000000|pa=0x48000000|size=805306368
    VARIABLES
    |auto-boot?=true
    |boot-device=/virtual-devices@100/channel-devices@200/disk@0
    VNET
    |name=net|dev=network@0|service=primary-vsw0@primary|mac-addr=00 14 4 9 8 e6 (address garbled on the page)
    VDISK
    |name=vdisk1|vol=disk-ldg1@primary-vds0|dev=disk@0|server=primary
    VCONS
    |group=group1|service=primary-vcc0@primary|port=5000
    DOMAIN|name=ldg2|state=active|flags=normal|cons=5001|ncpu=3|mem=1073741824|util=35|uptime=775|softstate=Solaris running
    VCPU
    |vid=0|pid=6|util=35|strand=100
    |vid=1…
103. …ain, assign the disk pdisk to guest domain ldg1, for example.

    service# ldm add-vdisk pdisk c1t48d0@primary-vds0 ldg1

3. After the guest domain is started and running the Solaris OS, you can list the disk (c0d1, for example) and see that the disk is accessible and is a full disk, that is, a regular disk with 8 slices.

    ldg1# ls -1 /dev/dsk/c0d1s*
    /dev/dsk/c0d1s0
    /dev/dsk/c0d1s1
    /dev/dsk/c0d1s2
    /dev/dsk/c0d1s3
    /dev/dsk/c0d1s4
    /dev/dsk/c0d1s5
    /dev/dsk/c0d1s6
    /dev/dsk/c0d1s7

Physical Disk Slice

A physical disk slice is always exported as a single slice disk. In that case, the virtual disk drivers (vds and vdc) forward I/O from the virtual disk and act as a pass-through to the physical disk slice.

A physical disk slice is exported from a service domain by exporting the corresponding slice device. If the device is different from slice 2, then it is automatically exported as a single slice disk, whether or not you specify the slice option. If the device is slice 2 of the disk, you must set the slice option to export only slice 2 as a single slice disk; otherwise, the entire disk is exported as a full disk.

▼ Export a Physical Disk Slice as a Virtual Disk

1. For example, to export slice 0 of the physical disk c1t57d0 as a virtual disk, you must export the device corresponding to that slice (c1t57d0s0) from the service domain as follows:

    service# ldm add-vds…
104. …ain subcommand from the control domain for each domain.

    primary# ldm unbind-domain <dom>

Upgrading to LDoms 1.1 Software

This section shows how to upgrade to LDoms 1.1 software.

Perform the procedure "Upgrade From LDoms 1.0 Software" on page 18 if you want to use your existing LDoms 1.0 configurations with LDoms 1.1 software. Existing LDoms 1.0 configurations do not work in LDoms 1.1 software.

If you are upgrading from LDoms 1.0.1, 1.0.2, or 1.0.3 software, perform the procedure "Upgrade From LDoms 1.0.1, 1.0.2, or 1.0.3" on page 20. Existing LDoms 1.0.1, 1.0.2, and 1.0.3 configurations do work in LDoms 1.1 software.

▼ Upgrade From LDoms 1.0 Software

Existing LDoms 1.0 configurations do not work in LDoms 1.1 software, so you need to save your LDoms 1.0 configurations before the upgrade to use them in LDoms 1.1 software. The following procedure describes a method for saving and rebuilding a configuration using XML constraints files and the -i option to the ldm add-domain command. The basic process is to save the constraints information for each domain into an XML file, which can then be re-issued to the Logical Domains Manager after the upgrade to rebuild a desired configuration.

The procedure in this section works for guest domains, not the control domain. Although you can save the control (primary) domain's constraints to an XML file, you cannot feed it back into the ldm add-domain -i command. However, you can use the resou…
105. (CODE EXAMPLE A-6 The ovf-virtualhardware.xsd Schema, continued)

    …aints on a VirtualSystemCollection -->
    <xs:complexType name="ResourceAllocationSection_Type">
      <xs:complexContent>
        <xs:extension base="ovf:Section_Type">
          <xs:sequence>
            <xs:element name="Item" type="rasd:CIM_ResourceAllocationSettingData_Type" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
    </xs:schema>

The cim-rasd.xsd Schema

CODE EXAMPLE A-7 The cim-rasd.xsd Schema

    <?xml version="1.0" encoding="utf-8"?>
    <xs:schema targetNamespace="/var/opt/SUNWldom/CIM_ResourceAllocationSettingData"
        xmlns:class="/var/opt/SUNWldom/CIM_ResourceAllocationSettingData"
        xmlns:cim="/var/opt/SUNWldom/common"
        xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <xs:import namespace="/var/opt/SUNWldom/common" schemaLocation="cim-common.xsd"/>
      <xs:element name="Caption" nillable="true" type="cim:cimString"/>
      <xs:element name="Description" nillable="true" type="cim:cimString"/>
      <xs:element name="InstanceId" nillable="true" type="cim:cimString"/>
      <xs:element name="ResourceType" nillable="true">
        <xs:complexType>
          <xs:simpleContent>
            <xs:restriction base="xs:anyType">
              <xs:simpleType>
                <xs:union>
                  …
106. (CODE EXAMPLE A-5 The ovf-core.xsd Schema, continued)

    …al networks used within the package. These descriptions are typically
         used as an aid when the package is deployed. -->
    <xs:complexType name="NetworkSection_Type">
      <xs:complexContent>
        <xs:extension base="ovf:Section_Type">
          <xs:sequence>
            <xs:element name="Network" maxOccurs="unbounded">
              <xs:complexType>
                <xs:sequence>
                  <xs:element name="Description" type="ovf:Info_Type" minOccurs="0" maxOccurs="unbounded"/>
                  <xs:any namespace="##targetNamespace" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
                  <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
                </xs:sequence>
                <xs:attribute name="name" type="xs:string" use="required"/>
                <xs:anyAttribute namespace="##any"/>
              </xs:complexType>
            </xs:element>
            <xs:any namespace="##targetNamespace" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
            <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:anyAttribute namespace="##any"/>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
    <!-- Provides meta-information description of the virtual disks in the package -->
    <xs:complexType name="DiskSection_Type">
      <xs:complexContent>
        <xs:extension base="ovf:Section_Type">
          <xs:sequence>
            <xs:element name="Disk" type="ovf:VirtualDiskDesc_Type" minOccurs="0" maxOccurs="unbo…
107. …and an error message similar to the following is shown:

    Automatic MAC allocation failed. Please set the vnet MAC address manually.

Duplicate MAC Address Detection

To prevent the same MAC address from being allocated to different devices, one Logical Domains Manager checks with other Logical Domains Managers on other systems by sending a multicast message over the control domain's default network interface, including the address that the Logical Domains Manager wants to assign to the device. The Logical Domains Manager attempting to assign the MAC address waits for one second for a response back. If a different device on another LDoms-enabled system has already been assigned that MAC address, the Logical Domains Manager on that system sends back a response containing the MAC address in question. If the requesting Logical Domains Manager receives a response, it knows the chosen MAC address has already been allocated, chooses another, and iterates.

By default, these multicast messages are sent only to other managers on the same subnet; the default time-to-live (TTL) is 1. The TTL can be configured using the Service Management Facility (SMF) property ldmd/hops.

Each Logical Domains Manager is responsible for:
- Listening for multicast messages
- Keeping track of MAC addresses assigned to its domains
- Looking for duplicates
- Responding so that duplicates do not occur

If the…
108. …ation.

- mac-addr=num is the MAC address to be used by this switch. The number must be in standard octet notation, for example, 80:00:33:55:22:66. If you do not specify a MAC address, the switch is automatically assigned an address from the range of public MAC addresses allocated to the Logical Domains Manager. See "Assigning MAC Addresses Automatically or Manually" on page 114 for more information.
- net-dev=device is the path to the network device over which this switch operates.
- mode=sc enables virtual networking support for prioritized processing of Solaris Cluster heartbeat packets in a Logical Domains environment. Applications like Solaris Cluster need to ensure that high-priority heartbeat packets are not dropped by congested virtual network and switch devices. This option prioritizes Solaris Cluster heartbeat frames and ensures that they are transferred in a reliable manner. You must set this option when running Solaris Cluster in a Logical Domains environment and using guest domains as Solaris Cluster nodes. Do not set this option when you are not running Solaris Cluster software in guest domains, because you could impact virtual network performance.
- vswitch_name is the unique name of the switch that is to be exported as a service. Clients (network) can attach to this service.
- ldom specifies the logical domain in which to add a virtual switch.

▼ Set Options for an Existing Virtual Switch

Use the following command s…
109. (CODE EXAMPLE A-5 The ovf-core.xsd Schema, continued)

    …bounded">
              <xs:complexType>
                <xs:sequence>
                  <xs:element name="Description" type="ovf:Info_Type" minOccurs="0" maxOccurs="unbounded"/>
                  <xs:any namespace="##targetNamespace" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
                  <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
                </xs:sequence>
                <xs:attribute name="key" type="xs:string"/>
                <xs:attribute name="type" type="xs:string"/>
                <xs:attribute name="configurableByUser" type="xs:boolean" use="optional"/>
                <xs:attribute name="configurableAtRuntime" type="xs:boolean" use="optional"/>
                <xs:attribute name="defaultValue" type="xs:string" use="optional"/>
                <xs:anyAttribute namespace="##any"/>
              </xs:complexType>
            </xs:element>
            <xs:any namespace="##targetNamespace" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
            <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <!-- A comma-separated list of transports that are supported by the
               virtual machine to access the OVF environment -->
          <xs:attribute name="transport" type="xs:string" use="optional"/>
          <xs:anyAttribute namespace="##any"/>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
    <!-- Provides descriptions for the logic…
110. (Contents, continued)

    …cal Domains  12
    Authorization  13
    Auditing  14
    Compliance  14
    3. Installing and Enabling Software  15
    Upgrading a System Already Using Logical Domains  16
        Upgrading the Solaris OS  16
        Saving and Restoring the Logical Domains Constraints Database File  16
        Preserving the Logical Domains Constraints Database File When Using Live Upgrade  17
        Upgrading From Solaris 10 OS Older Than Solaris 10 5/08 OS  17
        Upgrading the Logical Domains Manager and the System Firmware  17
        ▼ Stop All Domains Running on the Platform, Except the Control Domain  17
        Upgrading to LDoms 1.1 Software  18
        ▼ Upgrade From LDoms 1.0 Software  18
        ▼ Upgrade From LDoms 1.0.1, 1.0.2, or 1.0.3  20
    Installing Logical Domains Software on a New System  21
        Updating the Solaris OS  21
        Upgrading the System Firmware  21
        ▼ Upgrade System Firmware  21
        ▼ Upgrade System Firmware Without an FTP Server  23
        Downloading Logical Domains Manager and Solaris Security Toolkit  23
        ▼ Download the Software  23
        Installing the Logical Domains Manager and Solaris Security Toolkit  24
        Installing the Logical Domains Manager and Solaris Security Toolkit Software Automatically  24
        Using JumpStart to Install the Logical Domains Manager 1.1 and Solaris Security Toolkit 4.2 Software  31
        Installing Logical Domains Manager and Solaris Security Toolkit Software Manually  34
    Enabling the Logical Domains Manager Daemon  36
        ▼ Enable the Logical Domain…
111. …cessful.

    pkgadd -n -d "/var/tmp/install/Product/Solaris_Security_Toolkit" -a pkg_admin SUNWjass
    Copyright 2005 Sun Microsystems, Inc. All rights reserved.
    Use is subject to license terms.
    Installation of <SUNWjass> was successful.
    Verifying that all packages are fully installed. OK.
    Enabling services: svc:/ldoms/ldmd:default
    Solaris Security Toolkit was not applied. Bypassing the use of the
    Solaris Security Toolkit is not recommended and should only be
    performed when alternative hardening steps are to be taken.

▼ Enable the Logical Domains Manager Daemon and Run the Solaris Security Toolkit Only

You might use this option if the SUNWldm and SUNWjass packages are preinstalled on your server and you want to perform the post-installation actions of enabling the Logical Domains Manager daemon (ldmd) and running the Solaris Security Toolkit.

● Run the install-ldm installation script with the -p option to perform only the post-installation actions of enabling ldmd and running the Solaris Security Toolkit to harden your system.

    # Install/install-ldm -p
    Verifying that all packages are fully installed. OK.
    Enabling services: svc:/ldoms/ldmd:default
    Running Solaris Security Toolkit 4.2.0 driver ldm_control-secure.driver.
    Please wait. ...
    /opt/SUNWjass/bin/jass-execute -q -d ldm_control-secure.driver
    Solaris Security Toolkit hardening execu…
112. …change the network configuration of the new domain by using the sys-unconfig(1M) command. To avoid this problem, you can also create a snapshot of a disk image of an unconfigured system.

▼ Create a Snapshot of a Disk Image of an Unconfigured System

1. Bind and start the original domain.
2. Execute the sys-unconfig(1M) command.
3. After the sys-unconfig(1M) command completes, the domain halts.
4. Stop and unbind the domain; do not reboot it.
5. Take a snapshot of the domain boot disk image, for example:

    primary# zfs snapshot ldmpool/ldg1_disk0@unconfigured

6. At this point you have the snapshot of the boot disk image of an unconfigured system. You can clone this image to create a new domain which, when first booted, asks for the configuration of the system.

If the original domain was configured with the Dynamic Host Configuration Protocol (DHCP), then a new domain using the cloned image also uses DHCP. In that case, you do not need to change the network configuration of the new domain, because it automatically receives an IP address and its network configuration as it boots.

Note: The host ID of a domain is not stored on the boot disk, but it is assigned by the Logical Domains Manager when you create a domain. Therefore, when you clone a disk image, the new domain does not keep the host ID of the original domain.

Using Volume Managers in a Logical Do…
113. …channel (vldc) service; virtual logical domain channel client (vldcc); virtual data plane channel client (vdpcc); virtual data plane channel service (vdpcs).

status output contains status about a domain migration in progress.

The following examples show various subsets of output that you can specify.

CODE EXAMPLE 9-7 List CPU Information for the Control Domain

    # ldm ls -o cpu primary
    NAME
    primary
    VCPU
        VID  PID  UTIL  STRAND
        0    0    0.1%  100%
        1    1    0.6%  100%
        2    2    0.2%  100%
        3    3    0.5%  100%

CODE EXAMPLE 9-8 List Domain Information for a Guest Domain

    # ldm ls -o domain ldm2
    NAME  STATE   FLAGS
    ldm2  active  -t----
    SOFTSTATE
    OpenBoot initializing
    VARIABLES
        auto-boot?=false
        boot-device=/virtual-devices@100/channel-devices@200/disk@0

CODE EXAMPLE 9-9 List Memory and Network Information for a Guest Domain

    # ldm ls -o network,memory ldm1
    NAME
    ldm1
    MAC
        00:14:4f:f9:dd:ae
    MEMORY
        RA         PA          SIZE
        0x6800000  0x46800000  1500M
    NETWORK
        NAME      SERVICE               DEVICE     MAC                MODE  PVID  VID
        network0  primary-vsw0@primary  network@0  00:14:4f:fb:21:0f

▼ List a Variable

● List a variable (for example, boot-device) for a domain (for example, ldg1).

CODE EXAMPLE 9-10 Variable List for a Domain

    primary# ldm list-variable boot-device…
114. …configuration of domain1 requires some extra steps.

    primary# metainit d0 3 1 c2t70d0s6 1 c2t80d0s6 1 c2t90d0s6
    primary# ldm add-vdsdev options=slice /dev/md/dsk/d0 vol3@primary-vds0
    primary# ldm add-vdisk vdisk3 vol3@primary-vds0 domain1

- After domain1 has been bound and started, the exported volume appears as /dev/dsk/c0d2s0, for example, and you can use it.

    domain1# newfs /dev/rdsk/c0d2s0
    domain1# mount /dev/dsk/c0d2s0 /mnt
    domain1# echo test-domain1 > /mnt/file

- After domain1 has been stopped and unbound, data stored on the virtual disk from domain1 can be directly accessed from the primary domain through SVM volume d0.

    primary# mount /dev/md/dsk/d0 /mnt
    primary# cat /mnt/file
    test-domain1

Note: A single slice disk cannot be seen by the format(1M) command, cannot be partitioned, and cannot be used as an installation disk for the Solaris OS. See "Virtual Disk Appearance" on page 80 for more information about this topic.

Using Virtual Disks on Top of SVM

When a RAID or mirror SVM volume is used as a virtual disk by another domain, then it has to be exported without setting the exclusive (excl) option. Otherwise, if there is a failure on one of the components of the SVM volume, then the recovery of the SVM volume using the metareplace command or using a hot spare does not start. The metastat command sees the volume…
115. …d to verify that the SUNWldm package for Logical Domains Manager 1.1 software is installed. The revision (REV) information shown below is an example.

    # pkginfo -l SUNWldm | grep VERSION
    VERSION: 1.1,REV=2007.08.23.10.20

▼ (Optional) Install the Solaris Security Toolkit 4.2 Software Manually

If you want to secure your system, download and install the SUNWjass package. The required patches (122608-03 and 125672-01) are included in the SUNWjass package. See "Download the Software" on page 23 for specific instructions about downloading the software.

See Chapter 2 in this document for more information about security considerations when using Logical Domains Manager software. For further reference, you can find Solaris Security Toolkit 4.2 documentation at http://docs.sun.com.

1. Use the pkgadd(1M) command to install the SUNWjass package.

    # pkgadd -d . SUNWjass

2. Use the pkginfo(1) command to verify that the SUNWjass package for Solaris Security Toolkit 4.2 software is installed.

    # pkginfo -l SUNWjass | grep VERSION
    VERSION: 4.2.0

▼ (Optional) Harden the Control Domain Manually

Perform this procedure only if you have installed the Solaris Security Toolkit 4.2 package.

Note: When you use the Solaris Security Toolkit to harden the control domain, you disable many system services and place certain restrictions on netwo…
116. …dev /dev/dsk/c1t57d0s0 c1t57d0s0@primary-vds0

You do not need to specify the slice option, because a slice is always exported as a single slice disk.

2. From the service domain, assign the disk pslice to guest domain ldg1, for example.

    service# ldm add-vdisk pslice c1t57d0s0@primary-vds0 ldg1

3. After the guest domain is started and running the Solaris OS, you can list the disk (c0d13, for example) and see that the disk is accessible.

    ldg1# ls -1 /dev/dsk/c0d13s*
    /dev/dsk/c0d13s0
    /dev/dsk/c0d13s1
    /dev/dsk/c0d13s2
    /dev/dsk/c0d13s3
    /dev/dsk/c0d13s4
    /dev/dsk/c0d13s5
    /dev/dsk/c0d13s6
    /dev/dsk/c0d13s7

Although there are 8 devices, because the disk is a single slice disk, only the first slice (s0) is usable.

▼ Export Slice 2

To export slice 2 (disk c1t57d0s2, for example) you must specify the slice option; otherwise, the entire disk is exported.

    # ldm add-vdsdev options=slice /dev/dsk/c1t57d0s2 c1t57d0s2@primary-vds0

File and Volume

A file or volume (for example, from ZFS or SVM) is exported either as a full disk or as a single slice disk, depending on whether or not the slice option is set.

File or Volume Exported as a Full Disk

If you do not set the slice option, a file or volume is exported as a full disk. In that case, the virtual disk drivers (vds and vdc) forward I/O from the virtual disk and manage the partitionin…
117. (Glossary, continued)

    vdc      virtual disk client
    vdpcc    virtual data plane channel client in a Netra DPS environment
    vdpcs    virtual data plane channel service in a Netra DPS environment
    vdisk    virtual disks are generic block devices backed by different types of physical devices, volumes, or files
    vds      virtual disk server; allows you to import virtual disks into a logical domain
    vdsdev   virtual disk server device; is exported by the virtual disk server. The device can be an entire disk, a slice on a disk, a file, or a disk volume.
    VLAN     virtual local area network
    vldc     virtual logical domain channel service
    vldcc    virtual logical domain channel client
    vnet     virtual network device; implements a virtual Ethernet device and communicates with other vnet devices in the system using the virtual network switch (vswitch)
    vntsd    virtual network terminal server daemon for Logical Domains consoles
             Volume Management file system (Solaris 10 OS)
    vsw      virtual network switch that connects the virtual network devices to the external network and also switches packets between them
    VTOC     volume table of contents
    VxDMP    Veritas Dynamic Multipathing
    VxVM     Veritas Volume Manager
    WAN      wide area network

    X
    XFP      eXtreme Fast Path
    XML      Extensible Markup Language
    XMPP     Extensible Messaging and Presence Protocol

    Z
    ZFS      Zettabyte File System (Solaris 10 OS)
    zpool(1M)  ZFS storage pool
    ZVOL     ZFS Volume Emulation Driver
118. …do not specify a MAC address in creating a logical domain or a network device, the Logical Domains Manager automatically allocates and assigns a MAC address to that logical domain or network device. To obtain this MAC address, the Logical Domains Manager iteratively attempts to select an address and then checks for potential collisions.

Before selecting a potential address, the Logical Domains Manager first looks to see if it has a recently freed, automatically assigned address saved in a database for this purpose (see "Freed MAC Addresses" on page 116). If so, the Logical Domains Manager selects its candidate address from the database.

If no recently freed addresses are available, the MAC address is randomly selected from the 256K range of addresses set aside for this purpose. The MAC address is selected randomly to lessen the chance of a duplicate MAC address being selected as a candidate.

The address selected is then checked against other Logical Domains Managers on other systems to prevent duplicate MAC addresses from actually being assigned. The algorithm employed is described in "Duplicate MAC Address Detection" on page 115. If the address is already assigned, the Logical Domains Manager iterates, choosing another address and again checking for collisions. This continues until a MAC address is found that is not already allocated, or a time limit of 30 seconds has elapsed. If the time limit is reached, then the creation of the device fails…
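The allocation loop just described (freed-address database first, then a random candidate from the 256K pool, a duplicate check against the other managers, retry until an address is free or the 30-second limit is hit) together with the duplicate-detection exchange from the "Duplicate MAC Address Detection" passage above, as an added Python simulation; this is not Sun's ldmd code. The pool base address and the PeerManagers stand-in for the multicast query are assumptions, and the sample addresses are constructed.

```python
"""Simulation of the Logical Domains Manager automatic MAC allocation loop:
freed-address database first, then random candidates from the reserved
256K-address pool, a duplicate check against other managers, and a retry
until an address is free or the 30-second limit is reached."""
import random
from typing import Iterable, List, Optional, Set

# Assumption: the page says the automatic pool is a 256K range set aside for
# the Logical Domains Manager but does not give its bounds, so this base is a
# constructed value for the simulation only.
AUTO_BASE = 0x00144FF80000          # assumed first address of the pool
AUTO_SIZE = 256 * 1024              # 256K addresses, as the page states
PEER_WAIT_S = 1.0                   # wait for a peer's duplicate response
ALLOC_TIME_LIMIT_S = 30.0           # device creation fails after 30 seconds


def mac_to_str(mac: int) -> str:
    """48-bit integer to colon-separated octets, e.g. 00:14:4f:fb:42:5c."""
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def mac_from_str(text: str) -> int:
    return int(text.replace(":", ""), 16)


class PeerManagers:
    """Stand-in for the other Logical Domains Managers reached over multicast
    (TTL 1 by default, so only the local subnet). query() returns True when a
    peer answers that the candidate is already assigned to one of its domains;
    False models the one-second wait expiring with no response."""

    def __init__(self, assigned: Iterable[str] = ()):
        self.assigned: Set[int] = {mac_from_str(m) for m in assigned}
        self.queries = 0

    def query(self, candidate: int) -> bool:
        self.queries += 1
        return candidate in self.assigned


class ClaimEverythingPeers(PeerManagers):
    """Pathological peer that answers 'duplicate' to every candidate; used to
    exercise the 30-second failure path."""

    def query(self, candidate: int) -> bool:
        self.queries += 1
        return True


class MacAllocator:
    def __init__(self, peers: PeerManagers, freed: Iterable[str] = (),
                 rng: Optional[random.Random] = None):
        self.peers = peers
        self.freed: List[int] = [mac_from_str(m) for m in freed]  # freed-address database
        self.local: Set[int] = set()          # addresses assigned to this manager's domains
        self.rng = rng or random.Random()

    def _candidate(self) -> int:
        # A recently freed address is reused before a random one is drawn.
        if self.freed:
            return self.freed.pop(0)
        return AUTO_BASE + self.rng.randrange(AUTO_SIZE)

    def allocate(self) -> Optional[str]:
        """Return a MAC string, or None when the time limit is reached."""
        elapsed = 0.0
        while elapsed < ALLOC_TIME_LIMIT_S:
            cand = self._candidate()
            if cand in self.local:
                continue                      # used by one of our own domains; pick again
            elapsed += PEER_WAIT_S            # one-second wait for a peer's reply
            if self.peers.query(cand):
                continue                      # duplicate reported: choose another and iterate
            self.local.add(cand)
            return mac_to_str(cand)
        return None

    def release(self, mac: str) -> None:
        """Free an address and remember it in the freed-address database."""
        value = mac_from_str(mac)
        self.local.discard(value)
        self.freed.append(value)


def in_auto_range(mac: str) -> bool:
    return 0 <= mac_from_str(mac) - AUTO_BASE < AUTO_SIZE


if __name__ == "__main__":
    # Constructed scenario: a peer already owns the first freed address.
    peers = PeerManagers(["00:14:4f:fb:42:5c"])
    alloc = MacAllocator(peers, freed=["00:14:4f:fb:42:5c", "00:14:4f:f9:dd:ae"])
    print("first allocation:", alloc.allocate())      # falls through to the 2nd freed address
    print("random allocation:", alloc.allocate())     # drawn from the pool
    print("peers asked:", peers.queries)
    print("all-duplicate case:", MacAllocator(ClaimEverythingPeers()).allocate())
```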
119. CODE EXAMPLE A-9 The cim-common.xsd Schema (Continued)

        <xs:extension base="xs:string">
          <xs:anyAttribute namespace="##any" processContents="lax"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
    <xs:complexType name="cimBoolean">
      <xs:simpleContent>
        <xs:extension base="xs:boolean">
          <xs:anyAttribute namespace="##any" processContents="lax"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
    <xs:complexType name="cimFloat">
      <xs:simpleContent>
        <xs:extension base="xs:float">
          <xs:anyAttribute namespace="##any" processContents="lax"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
    <xs:complexType name="cimDouble">
      <xs:simpleContent>
        <xs:extension base="xs:double">
          <xs:anyAttribute namespace="##any" processContents="lax"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
    <xs:complexType name="cimChar16">
      <xs:simpleContent>
        <xs:restriction base="cim:cimString">
          <xs:maxLength value="1"/>
          <xs:anyAttribute namespace="##any" processContents="lax"/>
        </xs:restriction>
      </xs:simpleContent>
    </xs:complexType>
    <xs:complexType name="cimBase64Binary">
      <xs:simpleContent>
        <xs:extension base="xs:base64Binary">
          <xs:anyAttribute namespace="##any" processContents="lax"/>
        </xs:extension>
      </xs:simpleContent>
    </xs…
120. …e, and set the slice option for all volumes you want to export as single slice disks. Refer to the ldm man page or the Logical Domains (LDoms) Manager 1.1 Man Page Guide for more information about this command.

- Add the following line to the /etc/system file on the service domain:

    set vds:vd_volume_force_slice = 1

Note: Setting this tunable forces the export of all volumes as single slice disks, and you cannot export any volume as a full disk.

Summary of How Different Types of Backends Are Exported

    Backend                               No Slice Option        Slice Option Set
    Disk (disk slice 2)                   Full disk (1)          Single slice disk (2)
    Disk slice (not slice 2)              Single slice disk (3)  Single slice disk
    File                                  Full disk              Single slice disk
    Volume (including ZFS, SVM, or VxVM)  Full disk              Single slice disk

    (1) Export the entire disk.
    (2) Export only slice 2.
    (3) A slice is always exported as a single slice disk.

Guidelines

Using the Loopback File (lofi) Driver

It is possible to use the loopback file (lofi) driver to export a file as a virtual disk. However, doing this adds an extra driver layer and impacts performance of the virtual disk. Instead, you can directly export a file as a full disk or as a single slice disk. See "File and Volume" on page 85.

Directly or Indirectly Exporting a Disk Slice

To export a slice as a virtual disk either directly or indirectly (for example, through a SVM volume)…
121. ... ovf:VirtualHardwareSection_Type">
            <Item>
                <rasd:OtherResourceType>disk</rasd:OtherResourceType>
                <gprop:GenericProperty key="vdisk_name">vdisk0</gprop:GenericProperty>
                <gprop:GenericProperty key="service_name">primary-vds0</gprop:GenericProperty>
                <gprop:GenericProperty key="vol_name">vdsdev0</gprop:GenericProperty>
                <gprop:GenericProperty key="timeout">60</gprop:GenericProperty>
            </Item>
        </Section>
    </Content>
</Envelope>

A disk resource is always contained within a <Content> section. It must have <gprop:GenericProperty> tags with the following keys:
- vdisk_name: Name of the virtual disk.
- service_name: Name of the virtual disk server to which this virtual disk is to be bound.
- vol_name: Virtual disk service device with which this virtual disk is to be associated.
Optionally, the disk resource can also have the following property:
- timeout: Timeout value in seconds for establishing a connection between a virtual disk client (vdc) and a virtual disk server (vds). If there are multiple virtual disk (vdisk) paths, then the vdc can try to connect to a different vds, and the timeout ensures that a connection to any vds is established within the specified amount of time.

Virtual Switch (vsw) Resource
CODE EXAMPLE 10-13 Example vsw XML
<Envelope>
122. ... Domain and Other Domains" on page 50.
    primary# ldm add-vsw mac-addr=2:04:4f:fb:9f:0d net-dev=e1000g0 primary-vsw0 primary
4. Verify the services have been created by using the list-services subcommand. Your output should look similar to the following.
    primary# ldm list-services primary
    VDS
        NAME             VOLUME         OPTIONS          DEVICE
        primary-vds0
    VCC
        NAME             PORT-RANGE
        primary-vcc0     5000-5100
    VSW
        NAME             MAC                NET-DEV    DEVICE     MODE
        primary-vsw0     02:04:4f:fb:9f:0d  e1000g0    switch@0   prog,promisc

Initial Configuration of the Control Domain
Initially, all system resources are allocated to the control domain. To allow the creation of other logical domains, you must release some of these resources.

Set Up the Control Domain
Note: This procedure contains examples of resources to set for your control domain. These numbers are examples only, and the values used might not be appropriate for your control domain.
1. Assign cryptographic resources to the control domain.
   Note: If you have any cryptographic devices in the control domain, you cannot dynamically reconfigure CPUs. So if you are not using cryptographic devices, set mau to 0.
   The following example would assign one cryptographic resource to the control domain, primary. This leaves the remainder of the cryptographic resources available to a guest domain.
    primary# ldm set-mau 1 primary
123. ... boot environment to the new boot environment when switching boot environments. For more information about /etc/lu/synclist and synchronizing files between boot environments, refer to "Synchronizing Files Between Boot Environments" in the Solaris 10 8/07 Installation Guide: Solaris Live Upgrade and Upgrade Planning.

Upgrading From Solaris 10 OS Older Than Solaris 10 5/08 OS
If the control domain is upgraded from a Solaris 10 OS version older than Solaris 10 5/08 OS (or without patch 127127-11), and if volume manager volumes were exported as virtual disks, then the virtual disk backends must be re-exported with options=slice after the Logical Domains Manager has been upgraded. See "Exporting Volumes and Backward Compatibility" on page 88 for more information.

Upgrading the Logical Domains Manager and the System Firmware
This section shows how to upgrade to LDoms 1.1 software. First, download the Logical Domains Manager and the Solaris Security Toolkit on the control domain; see "Downloading Logical Domains Manager and Solaris Security Toolkit" on page 23. Then stop all domains, except the control domain, running on the platform.

Stop All Domains Running on the Platform, Except the Control Domain
1. Bring down each domain to the ok prompt.
2. Issue the stop-domain subcommand from the control domain for each domain.
    primary# ldm stop-domain ldom
3. Issue the unbind-domain ...
124. ... domain running the virtual console concentrator (vcc) and virtual network terminal server, instead of the system controller. The virtual console concentrator service functions as a concentrator for all domains' console traffic, interfaces with the virtual network terminal server daemon (vntsd), and provides access to each console through a UNIX socket.

Dynamic Reconfiguration
Dynamic reconfiguration (DR) is the ability to add or remove resources while the operating system is running. The ability to perform dynamic reconfiguration of a particular resource type is dependent on having support in the OS running in the logical domain. Support for dynamic reconfiguration of virtual CPUs is available in all versions of the Solaris 10 OS. Dynamic reconfiguration of virtual I/O devices is supported in logical domains running Solaris 10 10/08 at a minimum. There is no support for dynamic reconfiguration of memory and physical I/O devices. To use the dynamic reconfiguration capability in the Logical Domains Manager CLI, you must have the Logical Domains dynamic reconfiguration daemon, drd(1M), running in the domain you want to change.

Delayed Reconfiguration
In contrast to dynamic reconfiguration operations that take place immediately, delayed reconfiguration operations take effect after the next reboot of the OS, or stop and start of the logical domain if no OS is running. Any add or remove operations on active logical domains, except add-vcpu, set-vcpu, ...
125. ... Use the enable-bsm.fin Finish Script 172
        Use the Solaris OS bsmconv(1M) Command 173
        Verify that BSM Auditing is Enabled 173
        Disable Auditing 174
        Print Audit Output 174
        Rotate Audit Logs 174
10. Using the XML Interface With the Logical Domains Manager 175
    XML Transport 175
        XMPP 176
        Local Connections 176
    XML Protocol 176
        Request and Response Messages 177
            Requests 178
            Responses 180
    Events 182
        Registration and Unregistration 182
        The <LDM_event> Messages 183
        Event Types 184
            Domain Events 184
            Resource Events 185
            Hardware Events 186
            All Events 186
    Logical Domains Manager Actions 187
    Logical Domains Manager Resources and Properties 188
        Logical Domain Information (ldom_info) Resource 188
        CPU (cpu) Resource 189
        MAU (mau) Resource 189
        Memory (memory) Resource 190
        Virtual Disk Server (vds) Resource 190
        Virtual Disk Server Volume (vds_volume) Resource 191
        Disk (disk) Resource 192
        Virtual Switch (vsw) Resource 193
        Network (network) Resource 194
        Virtual Console Concentrator (vcc) Resource 195
        Variable (var) Resource 196
        Physical I/O Device (physio_device) Resource 196
        SP Configuration (spconfig) Resource 197
        Virtual Data Plane Channel Service (vdpcs) Resource 198
        Virtual Data Plane Channel Client (vdpcc) Resource 199
        Console (console) Resource 200
        Domain Migration 201
A. XML Schemas 203
    LDM_interface XML Schema 203
    LDM_Ev...
126. ... Syntax Usage for All ldm Subcommands (Continued)

    Options:
        -V                  Display version information

    Command(s) for each resource (aliases in parens):

        bindings            list-bindings [-e] [-p] [<ldom>...]
        services            list-services [-e] [-p] [<ldom>...]
        constraints         list-constraints ([-x] | [-e] [-p]) [<ldom>...]
        devices             list-devices [-a] [-p] [cpu] [crypto|mau] [memory] [io]

        domain (dom)        add-domain (-i <file> | [mac-addr=<num>] [hostid=<num>] <ldom> | <ldom>...)
                            remove-domain (-a | <ldom>...)
                            list-domain [-e] [-l] [-o <format>] [-p] [<ldom>...]
                                format is one or more of:
                                console,cpu,crypto,disk,domain,memory,network,physio,serial,status
                            start-domain (-a | -i <file> | <ldom>...)
                            stop-domain [-f] (-a | <ldom>...)
                            bind-domain (-i <file> | <ldom>)
                            unbind-domain <ldom>
                            panic-domain <ldom>
                            migrate-domain [-n] (dry run) <source_ldom> [<user>@]<target_host>[:<target_ldom>]

        io                  add-io [bypass=on] <bus> <ldom>
                            remove-io <bus> <ldom>

        crypto (mau)        add-crypto <number> <ldom>
                            set-crypto <number> <ldom>
                            remove-crypto <number> <ldom>

        memory (mem)        add-memory <number>[GMK] <ldom>
                            set-memory <number>[GMK] <ldom>
                            remove-memory <number>[GMK] <ldom>

CODE EXAMPLE 9-1 Syntax Usage for ...
127. ... of the server software or Solaris OS in the Search box to find the documents you need.

    Application                               Title                                                          Part Number   Format
    Release notes for LDoms                   Logical Domains (LDoms) 1.1 Release Notes                      820-4914-10   HTML, PDF
    Solaris man pages for LDoms               Solaris 10 Reference Manual Collection:                        N/A           HTML
                                              drd(1M) man page, vntsd(1M) man page
    LDoms man page                            ldm(1M) man page                                               N/A           SGML
                                              Logical Domains (LDoms) 1.1 Manager Man Page Guide             820-4915-10   PDF
    Basics for Logical Domains software       Beginners Guide to LDoms: Understanding and Deploying          820-0832      PDF
                                              Logical Domains Software
    Administration for LDoms MIB              Logical Domains (LDoms) MIB 1.0.1 Administration Guide         820-2319-10   HTML, PDF
    Release notes for LDoms MIB               Logical Domains (LDoms) MIB 1.0.1 Release Notes                820-2320-10   HTML, PDF
    Administration for Libvirt for LDoms      Libvirt for LDoms 1.0.1 Administration Guide                   820-3839-10   HTML, PDF
    Release Notes for Libvirt for LDoms       Libvirt for LDoms 1.0.1 Release Notes                          820-3838-10   HTML, PDF
    Solaris OS, including installation,       Solaris 10 Collection                                          N/A           HTML, PDF
    using JumpStart, and using the SMF
    Security                                  Solaris Security Toolkit 4.2 Administration Guide              819-1402-10   HTML, PDF
    Security                                  Solaris Security Toolkit 4.2 Reference Manual                  819-1503-10   HTML, PDF
    Security                                  Solaris Security Toolkit 4.2 Release Notes                     819-1504-10   HTML, PDF
    Security                                  Solaris Security Toolkit 4.2 Man Page Guide                    819-1505-10   HTML, PDF
128. ... virtual disk server as a virtual disk to the guest domain. You can export a physical disk, disk slice, volumes, or file as a block device. The following examples show a physical disk and a file.
- Physical Disk Example. The first example adds a physical disk with these specifics:
    primary# ldm add-vdsdev /dev/dsk/c0t0d0s2 vol1@primary-vds0
  Where:
  - /dev/dsk/c0t0d0s2 is the path name of the actual physical device. When adding a device, the path name must be paired with the device name.
  - vol1 is a unique name you must specify for the device being added to the virtual disk server. The volume name must be unique to this virtual disk server instance, because this name is exported by this virtual disk server to the clients for adding. When adding a device, the volume name must be paired with the path name of the actual device.
  - primary-vds0 is the name of the virtual disk server to which to add this device.
- File Example. This second example is exporting a file as a block device:
    primary# ldm add-vdsdev backend vol1@primary-vds0
  Where:
  - backend is the path name of the actual file exported as a block device. When adding a device, the backend must be paired with the device name.
  - vol1 is a unique name you must specify for the device being added to the virtual disk server. The volume name must be unique to this virtual disk server instance, because this name is exported by this virtual disk server to the cl...
129. ... Create and Start a Guest Domain
1. Create a logical domain. For example, the following command would create a guest domain named ldg1.
    primary# ldm add-domain ldg1
2. Add CPUs to the guest domain. For example, the following command would add four virtual CPUs to guest domain ldg1.
    primary# ldm add-vcpu 4 ldg1
3. Add memory to the guest domain. For example, the following command would add 2 gigabytes of memory to guest domain ldg1.
    primary# ldm add-memory 2G ldg1
4. Add a virtual network device to the guest domain. For example, the following command would add a virtual network device with these specifics to the guest domain ldg1.
    primary# ldm add-vnet vnet1 primary-vsw0 ldg1
   Where:
   - vnet1 is a unique interface name to the logical domain, assigned to this virtual network device instance for reference on subsequent set-vnet or remove-vnet subcommands.
   - primary-vsw0 is the name of an existing network service (virtual switch) to which to connect.
   Note: Steps 5 and 6 are simplified instructions for adding a virtual disk server device (vdsdev) to the primary domain and a virtual disk (vdisk) to the guest domain. To learn how ZFS volumes and file systems can be used as virtual disks, see "Export a ZFS Volume as a Single Slice Disk" on page 87 and "Using ZFS With Virtual Disks" on page 97.
5. Specify the device to be exported by th...
130. ...ed so that the Logical Domains Manager can run with the OS. The ldm_control-secure driver is analogous to the secure driver described in the Solaris Security Toolkit 4.2 Reference Manual. The ldm_control-secure driver provides a baseline configuration for the control domain of a system running the Logical Domains Manager software. It is intended to provide fewer system services than typical for a Solaris OS domain, reserving the control domain for Logical Domains Manager operations rather than general usage. The install-ldm script installs the Logical Domains Manager software, if it is not already installed, and enables the software.
Following is a short summary of the other notable changes from the secure driver:
- The Telnet server is disabled from running. You can use Secure Shell (ssh) instead. You also can still use the Telnet client to access virtual consoles started by the Logical Domains virtual network terminal server daemon (vntsd). For example, if a virtual console is running that is listening to TCP port 5001 on the local system, you can access it as follows:
    telnet localhost 5001
  See "Enabling the Logical Domains Manager Daemon" on page 36 for instructions on enabling vntsd. It is not automatically enabled.
- The following finish scripts have been added. They enable the Logical Domains Manager to install and start. Some of these added scripts must be added to any customized drivers you make, and some are optional. T...
131. ...el / Hypervisor (figure residue)

Configure Virtual Disk Multipathing
1. Export the virtual backend from the primary service domain.
    # ldm add-vdsdev mpgroup=foo backend-path1 volume@primary-vds0
   Where backend-path1 is the path to the virtual disk backend from the primary domain.
2. Export the same virtual backend from the alternate service domain.
    # ldm add-vdsdev mpgroup=foo backend-path2 volume@alternate-vds0
   Where backend-path2 is the path to the virtual disk backend from the alternate domain.
   Note: backend-path1 and backend-path2 are paths to the same virtual disk backend, but from two different domains (primary and alternate). These paths might be the same or might be different, depending on the configuration of the primary and alternate domains. The volume name is a user choice. It might be the same or different for both commands.
3. Export the virtual disk to the guest domain.
    # ldm add-vdisk disk-name volume@primary-vds0 ldom
   Note: Although the virtual disk backend is exported several times through different service domains, you assign only one virtual disk to the guest domain and associate it with the virtual disk backend through any of the service domains.

Result of Virtual Disk Multipathing
Once you configure the virtual disk with multipathing and start the guest domain, the virtual disk accesses its backend thro...
132. ... LDM_Event XML Schema 206
    The ovf_envelope.xsd Schema 208
    The ovf_section.xsd Schema 211
    The ovf_core.xsd Schema 212
    The ovf_virtualhardware.xsc Schema 219
    The cim_rasd.xsd Schema 221
    The cim_vssd.xsd Schema 226
    The cim_common.xsd Schema 227
    The GenericProperty XML Schema 231
    Binding_Type XML Schema 232
Glossary 233

Preface
The Logical Domains (LDoms) 1.1 Administration Guide provides detailed information and procedures that describe the overview, security considerations, installation, configuration, modification, and execution of common tasks for the Logical Domains Manager 1.1 software on supported servers, blades, and server modules. Refer to "Supported Platforms" in the Logical Domains (LDoms) 1.1 Release Notes for a list. This guide is intended for the system administrators on these servers who have a working knowledge of UNIX systems and the Solaris Operating System (Solaris OS).

Related Documentation
The Logical Domains (LDoms) 1.1 Administration Guide and Release Notes are available at http://docs.sun.com/app/docs/prod/ldoms. The Beginners Guide to LDoms: Understanding and Deploying Logical Domains Software can be found at the Sun BluePrints site at http://www.sun.com/blueprints/0207/820-0832.html. You can find documents relating to your server software or Solaris OS at http://docs.sun.com. Type the nam...
133. ... someone else, since it was previously freed, it will be reused and removed from the database.
If a collision is detected, the address is simply removed from the database. The Logical Domains Manager then either tries the next address in the database or, if none is available, randomly picks a new MAC address.

Using Network Adapters With LDoms
In a logical domains environment, the virtual switch service running in a service domain can directly interact with GLDv3-compliant network adapters. Though non-GLDv3-compliant network adapters can be used in these systems, the virtual switch cannot interface with them directly. See "Configuring Virtual Switch and Service Domain for NAT and Routing" on page 117 for information about how to use non-GLDv3-compliant network adapters.

Determine If a Network Adapter Is GLDv3-Compliant
1. Use the Solaris OS dladm(1M) command, where, for example, bge0 is the network device name.
    # dladm show-link bge0
    bge0    type: non-vlan    mtu: 1500    device: bge0
2. Look at type: in the output.
   - GLDv3-compliant drivers will have a type of non-vlan or vlan.
   - Non-GLDv3-compliant drivers will have a type of legacy.

Configuring Virtual Switch and Service Domain for NAT and Routing
The virtual switch (vsw) is a layer-2 switch that also can be used as a network device in the service domain. The virtual switch can be configured to act only as a ...
134. ... feature is available for NIU network devices only.

Configure a Virtual Switch With an NIU Network Device
For example, do the following to configure a virtual switch with an NIU network device.
a. For example, determine an NIU network device.
    # grep nxge /etc/path_to_inst
    "/niu@80/network@0" 0 "nxge"
    "/niu@80/network@1" 1 "nxge"
b. For example, configure a virtual switch.
    # ldm add-vsw net-dev=nxge0 primary-vsw0 primary

Enable Hybrid Mode
For example, enable hybrid mode for a vnet device while it is being created.
    # ldm add-vnet mode=hybrid vnet01 primary-vsw0 ldom01

Disable Hybrid Mode
For example, disable hybrid mode for a vnet device.
    # ldm set-vnet mode= vnet01 ldom01

CHAPTER 8 Migrating Logical Domains
This chapter describes how to migrate logical domains from one host machine to another as of this release of LDoms 1.1 software.

Introduction to Logical Domain Migration
Logical Domain Migration provides the ability to migrate a logical domain from one host machine to another. The host where the migration is initiated is referred to as the source machine, and the host where the domain is migrated to is referred to as the target machine. Similarly, once a migration is started, the domain to be migrated is referred ...
135. ...g of the virtual disk. The file or volume eventually becomes a disk image containing data from all slices of the virtual disk and the metadata used to manage the partitioning and disk structure. When a blank file or volume is exported as a full disk, it appears in the guest domain as an unformatted disk, that is, a disk with no partition. Then you need to run the format(1M) command in the guest domain to define usable partitions and to write a valid disk label. Any I/O to the virtual disk fails while the disk is unformatted.
Note: Before the Solaris 10 5/08 OS release, when a blank file was exported as a virtual disk, the system wrote a default disk label and created default partitioning. This is no longer the case with the Solaris 10 5/08 OS release, and you must run format(1M) in the guest domain to create partitions.

Export a File as a Full Disk
1. From the service domain, create a file (fdisk0, for example) to use as the virtual disk.
    service# mkfile 100m /ldoms/domain/test/fdisk0
   The size of the file defines the size of the virtual disk. This example creates a 100-megabyte blank file to get a 100-megabyte virtual disk.
2. From the service domain, export the file as a virtual disk.
    service# ldm add-vdsdev /ldoms/domain/test/fdisk0 fdisk0@primary-vds0
   In this example, the slice option is not set, so the file is exported as a full disk.
3. ...
136. ...getNamespace" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
                <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
            </xs:sequence>
        </xs:extension>
    </xs:complexContent>
</xs:complexType>
</xs:schema>

The ovf_section.xsd Schema
CODE EXAMPLE A-4 The ovf_section.xsd Schema

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="/var/opt/SUNWldom/envelope" xmlns:ovf="/var/opt/SUNWldom/envelope" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
    <!-- The base class for a section. Subclassing this is the most common form of extensibility. -->
    <xs:complexType name="Section_Type" abstract="true">
        <xs:sequence>
            <!-- The info element specifies the meaning of the section. This is typically shown if the section is not understood by the importer. -->
            <xs:element name="Info" type="ovf:Info_Type" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <!-- Whether the import should fail or not, if the section is not understood. -->
        <xs:attribute name="required" type="xs:boolean" use="optional"/>
        <xs:anyAttribute namespace="##any"/>
        <!-- Subtypes define more specific elements. -->
    </xs:complexType>
137. ... Logical Domain Manager and the Solaris Security Toolkit. See "Installing the Logical Domains Manager and Solaris Security Toolkit" on page 24.
9. Reconfigure the primary domain manually. For instructions, see "Set Up the Control Domain" on page 48.
10. Run the following commands for each guest domain's XML file you created in Step 1.
    # ldm add-domain -i ldom.xml
    # ldm bind-domain ldom
    # ldm start-domain ldom

Upgrade From LDoms 1.0.1, 1.0.2, or 1.0.3
1. Flash update the system firmware. For the entire procedure, see "Upgrade System Firmware" on page 21 or "Upgrade System Firmware Without an FTP Server" on page 23.
2. Disable the Logical Domains Manager daemon (ldmd).
    # svcadm disable ldmd
3. Remove the old SUNWldm package.
    # pkgrm SUNWldm
4. Add the new SUNWldm package. Specifying the -d option assumes that the package is in the current directory.
    # pkgadd -Gd . SUNWldm
5. Refresh the Logical Domains Manager daemon (ldmd).
    # svcadm refresh ldmd
6. Enable the Logical Domains Manager daemon (ldmd).
    # svcadm enable ldmd
7. Use the ldm list command to verify that the Logical Domains Manager is running. You receive a message similar to the following, which is for the factory-default configuration. Note that the primary domain is active, which means that the Logical Domains Manager is running.
    # ldm list
    NAME    STATE    FLAGS    CONS    VCPU ...
138. ...
        </xs:complexType>
        <xs:complexType name="qualifierSInt64">
            <xs:simpleContent>
                <xs:extension base="cim:cimLong">
                    <xs:attribute ref="cim:qualifier" use="required"/>

CODE EXAMPLE A-9 The cim_common.xsd Schema (Continued)

                </xs:extension>
            </xs:simpleContent>
        </xs:complexType>
        <!--
        <xs:complexType name="qualifierSArray">
            <xs:complexContent>
                <xs:extension base="cim:qualifierString"/>
            </xs:complexContent>
        </xs:complexType>
        -->
        <!-- The following element is to be used only for defining metadata. -->
        <xs:element name="DefaultValue" type="xs:anySimpleType"/>
</xs:schema>

The GenericProperty XML Schema
This schema is an extension to the Open Virtualization Format (OVF) schema.
CODE EXAMPLE A-10 The GenericProperty XML Schema

<?xml version="1.0" encoding="utf-8"?>
<xs:schema targetNamespace="/var/opt/SUNWldom/GenericProperty" xmlns:class="/var/opt/SUNWldom/GenericProperty" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:complexType name="GenericProperty_Type" type="xs:string">
        <xs:attribute name="key" type="xs:string" use="required"/>
    </xs:complexType>
    <xs:element name="GenericProperty" type="class:GenericProperty_Type"/>
</xs:schema>

Binding_Type XML Schema
139. ...h. A virtual network device is managed by the virtual network driver, and it is connected to a virtual network through the hypervisor using logical domain channels (LDCs). A virtual network device can be used as a network interface with the name vnetn, where n is a number corresponding to the instance of the virtual network device, and it can be used like any regular network interface and configured with the ifconfig(1M) command.

FIGURE 7-1 Setting Up a Virtual Network (figure: Hypervisor)

Following is an explanation for the example in Figure 6-1.
- The virtual switch in the service domain is connected to the guest domains. This allows guest domains to communicate with each other.
- The virtual switch also is connected to the physical network interface e1000g0. This allows guest domains to communicate with the physical network.
- The virtual switch network interface vsw0 is plumbed in the service domain, so this allows the two guest domains to communicate with the service domain.
- The virtual switch network interface vsw0 in the service domain can be configured using the ifconfig(1M) command.
- The virtual network interfaces vnet0 in the guest domains can be configured using the ifconfig(1M) command.
Basically, the virtual switch behaves like a regular physical network switch and switches network packets between the different systems, such as guest domains, service domain, ...
140. ... That means the DMA resources are assigned only when they are available and the device is capable of using them.
- Logical Domains Manager CLI commands do not validate the hybrid mode option; that is, it is possible to set the hybrid mode on any vnet or any number of vnet devices.
- Guest domains and the service domain need to run Solaris 10 10/08 OS at a minimum.
- Up to a maximum of only three vnet devices per vsw can have DMA hardware resources loaned at a given time. As there are two NIU network devices, there can be a total of six vnet devices with DMA hardware resources loaned.
  Note: Set the hybrid mode only for three vnet devices per vsw, so that they are guaranteed to have DMA hardware resources assigned.
- Hybrid mode is disabled by default for a vnet device. It needs to be explicitly enabled with Logical Domains Manager CLI commands. See "Enable Hybrid Mode" on page 128. Refer to the Logical Domains (LDoms) Manager 1.1 Man Page Guide or the ldm man page for more details.
- The hybrid mode option cannot be changed dynamically while the guest domain is active.
- The DMA hardware resources are assigned only when a vnet device is active, that is, plumbed in the guest domain.
- The Sun x8 Express 1/10G Ethernet Adapter (nxge) driver is used for the NIU card, but the same driver is also used for other 10-gigabit network cards. However, the NIU hybrid I/O ...
141. ... the configuration on the next power on to another configuration, including the factory-default shipping configuration. You can invoke the command whether the host is powered on or off. It takes effect on the next host reset or power on.

Reset the Logical Domain Configuration to the Default or Another Configuration
Reset the logical domain configuration on the next power on to the default shipping configuration by executing this command in ALOM CMT software:
    sc> bootmode config="factory-default"
You also can select other configurations that have been created with the Logical Domains Manager using the ldm add-config command and stored on the system controller (SC). The name you specify in the Logical Domains Manager ldm add-config command can be used to select that configuration with the ALOM CMT bootmode command. For example, assume you stored the configuration with the name ldm-config1:
    sc> bootmode config="ldm-config1"
Refer to the ldm(1M) man page or the Logical Domains (LDoms) Manager 1.1 Man Page Guide for more information about the ldm add-config command.

Enabling and Using BSM Auditing
The Logical Domains Manager uses the Solaris OS Basic Security module (BSM) auditing capability. BSM auditing provides the means to examine the history of actions and events on your control domain to determine what happened. The history is kept in a log of what was do...
142. ... the control domain.
Guest domain: Domain that is managed by the control domain and uses services from the I/O and service domains.
If you have an existing system and already have an operating system and other software running on your server, that will be your control domain once you install the Logical Domains Manager. You might want to remove some of your applications from the control domain once it is set up, and balance the load of your applications throughout your domains to make the most efficient use of your system.

Command-Line Interface
The Logical Domains Manager provides a command-line interface (CLI) for the system administrator to create and configure logical domains. The CLI is a single command, ldm(1M), with multiple subcommands. To use the Logical Domains Manager CLI, you must have the Logical Domains Manager daemon, ldmd, running. The ldm(1M) command and its subcommands are described in detail in the ldm(1M) man page and the Logical Domains (LDoms) Manager Man Page Guide. The ldm(1M) man page is part of the SUNWldm package and is installed when the SUNWldm package is installed.
To execute the ldm command, you must have the /opt/SUNWldm/bin directory in your UNIX PATH variable. To access the ldm(1M) man page, add the directory path /opt/SUNWldm/man to the variable $MANPATH. Both are shown as follows:
    PATH=$PATH:/opt/SUNWldm/bin; export PATH    (for Bourne or ...
143. ... The scripts are marked as to whether they are required or optional.
  - install-ldm.fin: Installs the SUNWldm package. (Required)
  - enable-ldmd.fin: Enables the Logical Domains Manager daemon, ldmd. (Required)
  - enable-ssh-root-login.fin: Enables the superuser to directly log in through the Secure Shell (ssh). (Optional)
- The following files have changed. These changes are optional to make in any customized drivers you have and are marked as optional.
  - /etc/ssh/sshd_config: Root account access is allowed for the entire network. This file is not used in either driver. (Optional)
  - /etc/ipf/ipf.conf: UDP port 161 (SNMP) is opened. (Optional)
  - /etc/hosts.allow: The Secure Shell daemon (sshd) is open for the entire network, not just the local subnet. (Optional)
- The following finish scripts are disabled (commented out). You should comment out the disable-rpc.fin script in any customized driver you make. The other changes are optional. The scripts are marked as to whether they are required or optional.
  - enable-ipfilter.fin: IP Filter, a network packet filter, is not enabled. (Optional)
  - disable-rpc.fin: Leaves the Remote Procedure Call (RPC) service enabled. The RPC service is used by many other system services, such as Network Information Services (NIS) and network file system (NFS). (Required)
  - disable-sma.fin: Leaves the System Management Agent (NET-SNMP) enabled. (Optional)
  - disable-ssh-ro...
144. ... the size of the virtual disk. This example creates a 100-megabyte volume to get a 100-megabyte virtual disk.
2. From the service domain, export the device corresponding to that ZFS volume, and set the slice option so that the volume is exported as a single-slice disk.
    service# ldm add-vdsdev options=slice /dev/zvol/dsk/ldoms/domain/test/zdisk0 zdisk0@primary-vds0
3. From the service domain, assign the volume (zdisk0) to guest domain ldg1, for example.
    service# ldm add-vdisk zdisk0 zdisk0@primary-vds0 ldg1
4. After the guest domain is started and running the Solaris OS, you can list the disk (c0d9, for example) and see that the disk is accessible and is a single-slice disk (s0).
    ldg1# ls -1 /dev/dsk/c0d9s*
    /dev/dsk/c0d9s0
    /dev/dsk/c0d9s1
    /dev/dsk/c0d9s2
    /dev/dsk/c0d9s3
    /dev/dsk/c0d9s4
    /dev/dsk/c0d9s5
    /dev/dsk/c0d9s6
    /dev/dsk/c0d9s7

Exporting Volumes and Backward Compatibility
Before the Solaris 10 5/08 OS release, the slice option did not exist, and volumes were exported as single-slice disks. If you have a configuration exporting volumes as virtual disks, and if you upgrade the system to the Solaris 10 5/08 OS, volumes are now exported as full disks instead of single-slice disks. To preserve the old behavior and to have your volumes exported as single-slice disks, you need to do either of the following:
- Use the ldm set-vdsdev command in LDoms 1.1 softwar...
145. [t]his configuration so that the system regains access to all resources (CPUs, memory, I/O) which might have been assigned to other domains. This section describes how to remove all guest domains, remove all Logical Domains configurations, and revert the configuration to the factory default.
Logical Domains (LDoms) 1.1 Administration Guide, December 2008

Remove All Guest Logical Domains
1. List all the logical domain configurations on the system controller:
primary# ldm ls-config
2. Remove all configurations (config_name) previously saved to the system controller (SC). Use the following command for each such configuration:
primary# ldm rm-config config_name
Once you remove all the configurations previously saved to the SC, the factory-default domain would be the next one to use when the control domain (primary) is rebooted.
3. Stop all guest domains using the -a option:
primary# ldm stop-domain -a
4. Unbind all guest domains:
primary# ldm unbind-domain ldom
Note: You might not be able to unbind an I/O domain in a split-PCI configuration if it is providing services required by the control domain. In this situation, skip this step.

Restore the Factory Default Configuration
1. Select the factory default configuration:
primary# ldm set-config factory-default
2. Stop the control domain:
primary# shutdown -i1 -g0 -y
3. Power cycle the sy
146. [Serv]ice Management Facility; Simple Network Management Protocol; service processor, also known as system controller; Secure Shell; Secure Shell command; Secure Shell daemon; Sun Validation Test Suite.
svcadm(1M): manipulate service instances
SVM: Solaris Volume Manager
TCP: Transmission Control Protocol
TLS: Transport Layer Security
UDP: User Datagram Protocol
UFS: UNIX File System
unicast: Communication that takes place over a network between a single sender and a single receiver
USB: Universal Serial Bus
uscsi(7D): user SCSI command interface
UTP: unshielded twisted pair
var: variable
VBSC: virtual blade system controller
vcc, vconscon: virtual console concentrator service with a specific port range to assign to the guest domains
vcons, vconsole: virtual console for accessing system-level messages. A connection is achieved by connecting to the vconscon service in the control domain at a specific port.
vcpu: virtual central processing unit. Each of the cores of a server is represented as virtual CPUs. For example, an 8-core Sun Fire T2000 Server has 32 virtual CPUs that can be allocated between the logical domains.
vdc, vdpcc, vdpcs, vdisk, vds (vdiskserver), vdsdev (vdiskserverdevice), VLAN, vldc, vldcc, vnet, vntsd(1M), volfs(7FS), vsw (vswitch), VTOC, VxDMP, VxVM, WAN: virtual
147. [dev]ice from use by volfs. If you have an International Organization for Standardization (ISO) image of a CD or DVD stored in a file or on a volume, and you export that file or volume as a full disk, then it appears as a CD or DVD in the guest domain.
When you export a CD, DVD, or ISO image, it automatically appears as a read-only device in the guest domain. However, you cannot perform any CD control operations from the guest domain; that is, you cannot start, stop, or eject the CD from the guest domain. If the exported CD, DVD, or ISO image is bootable, the guest domain can be booted on the corresponding virtual disk.
For example, if you export a Solaris OS installation DVD, you can boot the guest domain on the virtual disk corresponding to that DVD and install the guest domain from that DVD. To do so, when the guest domain reaches the ok prompt, use the following command:
ok boot /virtual-devices@100/channel-devices@200/disk@n -f
Where n is the index of the virtual disk representing the exported DVD.
Note: If you export a Solaris OS installation DVD and boot a guest domain on the virtual disk corresponding to that DVD to install the guest domain, then you cannot change the DVD during the installation. So you might need to skip any step of the installation requesting a different CD/DVD, or you will need to provide an alternate path to access the requested media.
148. [...]ients for adding. When adding a device, the volume name must be paired with the path name of the actual device.
- primary-vds0 is the name of the virtual disk server to which to add this device.
6. Add a virtual disk to the guest domain. The following example adds a virtual disk to the guest domain ldg1:
primary# ldm add-vdisk vdisk1 vol1@primary-vds0 ldg1
Where:
- vdisk1 is the name of the virtual disk.
- vol1 is the name of the existing volume to which to connect.
- primary-vds0 is the name of the existing virtual disk server to which to connect.
Note: The virtual disks are generic block devices that are backed by different types of physical devices, volumes, or files. A virtual disk is not synonymous with a SCSI disk and, therefore, excludes the target ID in the disk label. Virtual disks in a logical domain have the following format: cNdNsN, where cN is the virtual controller, dN is the virtual disk number, and sN is the slice.
7. Set the auto-boot and boot-device variables for the guest domain. The first example command sets auto-boot? to true for guest domain ldg1:
primary# ldm set-var auto-boot\?=true ldg1
The second example command sets boot-device to vdisk for the guest domain ldg1:
primary# ldm set-var boot-device=vdisk ldg1
8. Bind resources to the guest domain ldg1 and then list the domain to verify that it
149. [m]igration. On the source, the percentage of the operation complete is displayed along with the target host and domain name. Similarly, on the target, the percentage of the operation complete is displayed along with the source host and domain name.
CODE EXAMPLE 8-1 Monitoring a Migration in Progress
# ldm ls -o status ldg-src
NAME       STATUS
ldg-src
OPERATION  PROGRESS  TARGET
migration  17%       t5440-sys-2

Canceling a Migration in Progress
Once a migration starts, if the ldm command is interrupted with a KILL signal, the migration is terminated. The target domain is destroyed, and the source domain is resumed if it was active. If the controlling shell of the ldm command is lost, the migration continues in the background.
A migration operation can also be canceled externally from the ldm command using the cancel-operation subcommand. This terminates the migration in progress, and the source domain resumes as the master domain.
Note: Once a migration has been initiated, suspending the ldm(1M) process does not pause the operation, because it is the Logical Domains Manager daemon (ldmd) on the source and target machines that is effecting the migration. The ldm process waits for a signal from the ldmd that the migration has been completed before returning.

Recovering From a Failed Migration
If the network connection is lost after the source has completed sending all the runti
150. [...]in a Netra DPS environment. A vdpcs resource can be either in a <Content> section as part of a domain description, or it can appear on its own in an <Envelope> section. The only property is the <gprop:GenericProperty> tag with the following key (property value):
- service_name: Name of the virtual data plane channel service (vdpcs) resource being described.

Virtual Data Plane Channel Client (vdpcc) Resource
CODE EXAMPLE 10-20 Example vdpcc XML
<Envelope>
  <References/>
  <Content xsi:type="ovf:VirtualSystem_Type" id="ldg1">
    <Section xsi:type="ovf:VirtualHardwareSection_Type">
      <Item>
        <rasd:OtherResourceType>vdpcc</rasd:OtherResourceType>
        <gprop:GenericProperty key="vdpcc_name">vdpcc</gprop:GenericProperty>
        <gprop:GenericProperty key="service_name">ldg1-vdpcs</gprop:GenericProperty>
      </Item>
    </Section>
  </Content>
</Envelope>
This resource is only of interest in a Netra DPS environment. A virtual data plane channel client resource is always contained within a <Content> section. It can have <gprop:GenericProperty> tags with the following keys:
- vdpcc_name: Name of the virtual data plane channel client (vdpcc).
- service_name: Name of the virtual data plane channel service (vdpcs) to which this vdpcc is to be bound.
151. [...]ing Power Consumption in the Sun Integrated Lights Out Manager (ILOM) 3.0 CLI Procedures Guide.

Showing CPU Power-Managed Strands in LDoms 1.1 Software
This section shows how to list power-managed strands and virtual CPUs using LDoms 1.1 software.

List CPU Power-Managed Strands
List power-managed strands by doing one of the following:
a. Use the list -l subcommand. A dash (-) in the UTIL column of the CPU means the strand is power managed.
# ldm list -l primary
NAME     STATE   FLAGS  CONS  VCPU  MEMORY  UTIL  UPTIME
primary  active  -n-cv  SP    8     4G      4.3%  7d 19h 43m
SOFTSTATE
Solaris running
VCPU
    VID  PID  UTIL  STRAND
    0    0    0.0%  100%
    1    1    -     100%
    2    2    -     100%
    3    3    -     100%
    4    4    -     100%
    5    5    -     100%
    6    6    -     100%
    7    7    -     100%
b. Use the parseable option (-p) to the list -l subcommand. A blank after util= means the strand is power managed.
# ldm ls -l -p
VCPU
|vid=0|pid=0|util=|strand=100
|vid=1|pid=1|util=|strand=100
|vid=2|pid=2|util=|strand=100
|vid=3|pid=3|util=|strand=100
|vid=4|pid=4|util=|strand=100
|vid=5|pid=5|util=|strand=100
|vid=6|pid=6|util=0.7|strand=100
|vid=7|pid=7|util=0.7|strand=100

List Power-Managed CPUs
List power-managed CPUs by doing one of the following:
a. Use the list-devices -a cpu subcommand. In the power management (PM) column, a yes means the CP
152. [remov]ing a virtual disk from a guest domain. See Virtual Disk Backend Options on page 81 for a description of virtual disk options. See Virtual Disk Timeout on page 95 for a description of the virtual disk timeout.

Add a Virtual Disk
1. Export the virtual disk backend from a service domain:
# ldm add-vdsdev [options={ro,slice,excl}] [mpgroup=mpgroup] backend volume_name@service_name
2. Assign the backend to a guest domain:
# ldm add-vdisk [timeout=seconds] disk_name volume_name@service_name ldom
Note: A backend is actually exported from the service domain and assigned to the guest domain when the guest domain (ldom) is bound.

Export a Virtual Disk Backend Multiple Times
A virtual disk backend can be exported multiple times, either through the same or different virtual disk servers. Each exported instance of the virtual disk backend can then be assigned to either the same or different guest domains.
When a virtual disk backend is exported multiple times, it should not be exported with the exclusive (excl) option. Specifying the excl option will only allow exporting the backend once. The backend can be safely exported multiple times as a read-only device with the ro option.
Caution: When a virtual disk backend is exported multiple times, applications running on guest domains and using that virtual disk are responsible for coordinating
153. [Doma]ins Manager. Refer to the Solaris 10 System Administrator Collection for more information about RBAC.
Authorization for the Logical Domains Manager has two levels:
- Read: allows you to view, but not modify, the configuration.
- Read and write: allows you to view and change the configuration.
Following are the Logical Domains entries automatically added to the Solaris OS /etc/security/auth_attr file:
- solaris.ldoms.:::LDom administration::
- solaris.ldoms.grant:::Delegate LDom configuration::
- solaris.ldoms.read:::View LDom configuration::
- solaris.ldoms.write:::Manage LDom configuration::

Managing User Authorizations
Add an Authorization for a User
Use the following steps as necessary to add authorizations in the /etc/security/auth_attr file for Logical Domains Manager users. Because the superuser already has solaris.* authorization, the superuser already has permission for solaris.ldoms.* authorizations.
1. Create a local user account for each user who needs authorization to use the ldm(1M) subcommands.
Note: To add Logical Domains Manager authorization for a user, a local (non-LDAP) account must be created for that user. Refer to the Solaris 10 System Administrator Collection for details.
2. Do one of the following, depending on which ldm(1M) subcommands you want the user to be able to access. See TABLE 2-1 for a list of ldm(1M) com
154. [...]ions 62
    Rebuild Guest Domain Configurations 62
  Rebuilding the Control Domain 63
    Logical Domain Information (ldom_info) Section 65
    Cryptographic (mau) Section 66
    CPU (cpu) Section 66
    Memory (memory) Section 67
    Physical Input/Output (physio_device) Section 67
    Virtual Switch (vsw) Section 68
    Virtual Console Concentrator (vcc) Section 69
    Virtual Disk Server (vds) Section 69
    Virtual Disk Server Device (vdsdev) Section 70
5. Using PCI Busses With Logical Domains Software 71
  Configuring PCI Express Busses Across Multiple Logical Domains 71
    Create a Split PCI Configuration 72
  Enabling the I/O MMU Bypass Mode on a PCI Bus 75
6. Using Virtual Disks With Logical Domains 77
  Introduction to Virtual Disks 77
  Managing Virtual Disks 78
    Add a Virtual Disk 78
    Export a Virtual Disk Backend Multiple Times 79
    Change Virtual Disk Options 79
    Change the Timeout Option 80
    Remove a Virtual Disk 80
  Virtual Disk Appearance 80
    Full Disk 80
    Single Slice Disk 81
  Virtual Disk Backend Options 81
    Read-only (ro) Option 81
    Exclusive (excl) Option 81
    Slice (slice) Option 82
  Virtual Disk Backend 83
    Physical Disk or Disk LUN 83
      Export a Physical Disk as a Virtual Disk 83
    Physical Disk Slice 84
      Export a Physical Disk Slice as a Virtual Disk 84
      Export Slice 2 85
    File and Volume 85
      File or Volume Exported as a Full Disk 85
        Export a File as a Full
155. [v]irtual network terminal server daemon (vntsd) and as a concentrator for all logical domain consoles. For example, the following command would add a virtual console concentrator service (primary-vcc0) with a port range from 5000 to 5100 to the control domain (primary):
primary# ldm add-vcc port-range=5000-5100 primary-vcc0 primary
3. Create a virtual switch service (vsw) to enable networking between virtual network (vnet) devices in logical domains. Assign a GLDv3-compliant network adapter to the virtual switch if each of the logical domains needs to communicate outside the box through the virtual switch. For example, the following command would add a virtual switch service (primary-vsw0) on network adapter driver e1000g0 to the control domain (primary):
primary# ldm add-vsw net-dev=e1000g0 primary-vsw0 primary
This command automatically allocates a MAC address to the virtual switch. You can specify your own MAC address as an option to the ldm add-vsw command. However, in that case, it is your responsibility to ensure that the MAC address specified does not conflict with an already existing MAC address.
If the virtual switch being added replaces the underlying physical adapter as the primary network interface, it must be assigned the MAC address of the physical adapter, so that the Dynamic Host Configuration Protocol (DHCP) server assigns the domain the same IP address. See Enabling Networking Between the Control/Servic
156. [...]is bound:
primary# ldm bind-domain ldg1
primary# ldm list-domain ldg1
NAME  STATE  FLAGS  CONS  VCPU  MEMORY  UTIL  UPTIME
ldg1  bound  -----  5001  4     2G
9. To find the console port of the guest domain, you can look at the output of the preceding list-domain subcommand. You can see under the heading CONS that logical domain guest 1 (ldg1) has its console output bound to port 5001.
10. Connect to the console of a guest domain from another terminal by logging into the control domain and connecting directly to the console port on the local host:
$ ssh admin@controldom.domain
$ telnet localhost 5001
11. Start the guest domain ldg1:
primary# ldm start-domain ldg1

Installing Solaris OS on a Guest Domain
This section provides instructions for several different ways you can install the Solaris OS on a guest domain.

Install Solaris OS on a Guest Domain From a DVD
1. Insert the Solaris 10 OS DVD into the DVD drive of the Sun SPARC Enterprise T5220 system, for example.
2. Stop the volume management daemon, vold(1M), on the primary domain:
primary# svcadm disable volfs
3. Confirm on the primary domain that the DVD disk is mounted successfully by vold(1M).
4. Stop and unbind the guest domain (ldg1). Then add the DVD with DVDROM media as a secondary volume (dvd_vol@primary-vds0) and virtual disk (vdisk_cd_media), for example. c0t0d0s2 is where the S
157. [...]is stored on a ZFS volume or on a ZFS file, you can create snapshots of this disk image by using the ZFS snapshot command.
Before you create a snapshot of the disk image, ensure that the disk is not currently in use in the guest domain, so that the data currently stored on the disk image are coherent.
There are several ways to ensure that a disk is not in use in a guest domain. You can either:
- Stop and unbind the guest domain. This is the safest solution, and it is the only solution available if you want to create a snapshot of a disk image used as the boot disk of a guest domain.
- Alternatively, unmount any slices of the disk you want to snapshot that are used in the guest domain, and ensure that no slice is in use in the guest domain.
In this example, because of the ZFS layout, the command to create a snapshot of the disk image is the same whether the disk image is stored on a ZFS volume or on a ZFS file.

Create a Snapshot of a Disk Image
Create a snapshot of the disk image that was created for the ldg1 domain, for example:
primary# zfs snapshot ldmpool/ldg1_disk0@version_1

Using Clone to Provision a New Domain
Once you have created a snapshot of a disk image, you can duplicate this disk image by using the ZFS clone command. Then the cloned image can be assigned to another domain. Cloning a boot disk image quickly creates a boot disk for a new guest domain wi
158. [...]isk cdrom cdrom@primary-vds0 ldg1

Exporting a CD or DVD Multiple Times
A CD or DVD can be exported multiple times and assigned to different guest domains. See Export a Virtual Disk Backend Multiple Times on page 79 for more information.

Virtual Disk Timeout
By default, if the service domain providing access to a virtual disk backend is down, all I/O from the guest domain to the corresponding virtual disk is blocked. The I/O is automatically resumed when the service domain is operational and is servicing I/O requests to the virtual disk backend.
However, there are some cases when file systems or applications might not want the I/O operation to block, but rather to fail and report an error if the service domain is down for too long. It is now possible to set a connection timeout period for each virtual disk, which can then be used to establish a connection between the virtual disk client on a guest domain and the virtual disk server on the service domain. When that timeout period is reached, any pending I/O and any new I/O will fail as long as the service domain is down and the connection between the virtual disk client and server is not reestablished.
This timeout can be set by doing one of the following:
- Using the ldm add-vdisk command:
  ldm add-vdisk timeout=seconds disk_name volume_name@service_name ldom
- Using the ldm set-vdisk command: l
159. [...]ist-bindings primary
IO
    DEVICE   PSEUDONYM  OPTIONS
    pci@780  bus_a
    pci@7c0  bus_b
2. Determine the device path of the boot disk, which needs to be retained:
primary# df /
/  (/dev/dsk/c1t0d0s0 ): 1309384 blocks   457028 files
3. Determine the physical device to which the block device c1t0d0s0 is linked:
primary# ls -l /dev/dsk/c1t0d0s0
lrwxrwxrwx 1 root root 65 Feb 2 17:19 /dev/dsk/c1t0d0s0 -> ../../devices/pci@7c0/pci@0/pci@1/pci@0,2/LSILogic,sas@2/sd@0,0:a
In this example, the physical device for the boot disk for domain primary is under the leaf pci@7c0, which corresponds to our earlier listing of bus_b. This means that we can assign bus_a (pci@780) of the PCIe bus to another domain.
4. Check /etc/path_to_inst to find the physical path of the onboard network ports:
primary# grep e1000g /etc/path_to_inst
5. Remove the leaf that does not contain the boot disk (pci@780 in this example) from the primary domain:
primary# ldm remove-io pci@780 primary
6. Add this split PCI configuration (split-cfg in this example) to the system controller:
primary# ldm add-config split-cfg
This configuration (split-cfg) is also set as the next configuration to be used after the reboot.
Note: Currently there is a limit of 8 configurations that can be saved on the SC, not including the factory-default configuration.
7.
160. [dr]iver for Intel PRO/1000 Gigabit family of network interface controllers; extensible firmware interface; Encoding Table Management module; Solaris 10 OS Fiber Channel Arbitrated Loop; Fault Management Architecture; fault manager daemon; Solaris 10 OS disk partitioning and maintenance utility; populate label on hard disks; File Transfer Protocol; gigabit; Uses services from the I/O and service domains and is managed by the control domain; Generic LAN Driver version 3; Modifying Solaris OS configuration to improve security; hard disk drive.
hypervisor: Firmware layer interposed between the operating system and the hardware layer
I/O domain: Domain that has direct ownership of and direct access to physical I/O devices and that shares those devices to other logical domains in the form of virtual devices
IB: Infiniband
IDE: Integrated Drive Electronics
IDR: Interim Diagnostics Release
ILOM: Integrated Lights Out Manager
io: I/O devices, such as internal disks and PCIe controllers and their attached adapters and devices
ioctl: input/output control call
IP: Internet Protocol
IPMP: Internet Protocol Network Multipathing
ISO: International Organization for Standardization
kaio: kernel asynchronous input/output
KB: kilobyte
KU: kernel update
LAN: local area network
LDAP: Lightweight Directory Access Protocol
161. [custom]ized driver with the install-ldm -d option. See Install With a Customized Hardening Driver on page 29.
CODE EXAMPLE 3-1 Output From Hardened Solaris Configuration for LDoms
# Install/install-ldm
Welcome to the LDoms installer.
You are about to install the domain manager package that will enable you to create, destroy and control other domains on your system. Given the capabilities of the domain manager, you can now change the security configuration of this Solaris instance using the Solaris Security Toolkit.
Select a security profile from this list:
a) Hardened Solaris configuration for LDoms (recommended)
b) Standard Solaris configuration
c) Your custom-defined Solaris security configuration profile
Enter a, b, or c [a]: a
The changes made by selecting this option can be undone through the Solaris Security Toolkit's undo feature. This can be done with the '/opt/SUNWjass/bin/jass-execute -u' command.
Installing LDoms and Solaris Security Toolkit packages.
pkgadd -n -d "/var/tmp/install/Product/Logical_Domain_Manager" -a pkg_admin SUNWldm.v
Copyright 2006 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Installation of <SUNWldm> was successful.
pkgadd -n -d "/var/tmp/install/Product/Solaris_Security_Toolkit" -a pkg_admin SUNWjass
Copyright 2005 Sun Microsystems, Inc. All rights reserved.
Use is subject to license term
162. [So]laris Security Toolkit Only on page 31.

Install With No Special Options
Run the install-ldm installation script with no options. The installation script is part of the SUNWldm package and is in the Install subdirectory.
# Install/install-ldm
a. If one or more packages are previously installed, you receive this message:
# Install/install-ldm
ERROR: One or more packages are already installed: SUNWldm SUNWjass.
If packages SUNWldm.v and SUNWjass are factory pre-installed, run install-ldm -p to perform post-install actions. Otherwise remove the package(s) and restart install-ldm.
If you want to perform post-installation actions only, go to Enable the Logical Domains Manager Daemon and Run the Solaris Security Toolkit Only on page 31.
b. If the process is successful, you receive messages similar to the following examples:
- Code Example 3-2 shows a successful run of the install-ldm script if you choose the following default security profile: a) Hardened Solaris configuration for LDoms (recommended)
- Code Example 3-3 shows a successful run of the install-ldm script if you choose the following security profile: c) Your custom-defined Solaris security configuration profile
The drivers that are displayed for you to choose are drivers ending with -secure.driver. If you write a customized driver that does not end with -secure.driver, you must specify your custom
163. [...]ldg1 boot-device=/virtual-devices@100/channel-devices@200/disk@0:a

List Bindings
List resources that are bound for a domain, for example ldg1.
CODE EXAMPLE 9-11 Bindings List for a Domain
primary# ldm list-bindings ldg1
NAME  STATE  FLAGS  CONS  VCPU  MEMORY  UTIL  UPTIME
ldg1  bound  -----  5000  1     512M
VCPU
    VID  PID  UTIL  STRAND
    0    1          100%
MEMORY
    RA          PA          SIZE
    0x4000000   0x34000000  512M
NETWORK
    NAME     SERVICE       DEVICE     MAC
    mynet-b  vsw0@primary  network@0  08:00:20:ab:9a:12
        PEER          MAC
        vsw0@primary  08:00:20:aa:bb:e0
        mynet-a@ldg1  08:00:20:ab:9a:11
        mynet-c@ldg2  08:00:20:ab:9a:22
    NAME     SERVICE       DEVICE     MAC
    mynet-a  vsw0@primary  network@1  08:00:20:ab:9a:11
        PEER          MAC
        vsw0@primary  08:00:20:aa:bb:e0
        mynet-b@ldg1  08:00:20:ab:9a:12
        mynet-c@ldg2  08:00:20:ab:9a:22
DISK
    NAME      VOLUME        DEVICE  SERVER
    mydisk-a  myvol-a@vds0  disk@0  primary
    mydisk-b  myvol-b@vds0  disk@1  primary
VDPCC
    NAME       SERVICE
    myvdpcc-a  vdpcs0@primary
    myvdpcc-b  vdpcs0@primary
VCONS
    NAME     SERVICE       PORT
    mygroup  vcc0@primary  5000

List Configurations
List logical domain configurations that have been stored on the SC.
CODE EXAMPLE 9-12 Configurations List
primary# ldm list-config
factory-default
3guests
foo [next poweron]
primary
reconfig-primary

Meaning of Labels
The labels to the right of the configurati
164. [examp]le:
primary# ifconfig e1000g0 down unplumb
5. To migrate the properties of the physical network device (e1000g0) to the virtual switch (vsw0) device, do one of the following:
- If networking is configured using a static IP address, reuse the IP address and netmask of e1000g0 for vsw0:
primary# ifconfig vsw0 IP_of_e1000g0 netmask netmask_of_e1000g0 broadcast + up
- If networking is configured using DHCP, enable DHCP for vsw0:
primary# ifconfig vsw0 dhcp start
6. Make the required configuration file modifications to make this change permanent:
primary# mv /etc/hostname.e1000g0 /etc/hostname.vsw0
primary# mv /etc/dhcp.e1000g0 /etc/dhcp.vsw0
Note: If necessary, you can also configure the virtual switch as well as the physical network device. In this case, plumb the virtual switch as in Step 2, and do not unplumb the physical device (skip Step 4). You must then configure the virtual switch with either a static IP address or a dynamic IP address. You can obtain a dynamic IP address from a DHCP server. For additional information and an example of this case, see Configuring Virtual Switch and Service Domain for NAT and Routing on page 117.

Enabling the Virtual Network Terminal Server Daemon
You must enable the virtual network terminal server daemon (vntsd) to provide access to the virtual console of each logical domain. Refer to the
165. [cyc]le instantiates the new configuration. Only a power cycle actually boots the configuration saved to the service processor (SP), which is then reflected in the list-config output.

Enabling Networking Between the Control/Service Domain and Other Domains
By default, networking between the control/service domain and other domains in the system is disabled. To enable this, the virtual switch device should be configured as a network device. The virtual switch can either replace the underlying physical device (e1000g0 in this example) as the primary interface or be configured as an additional network interface in the domain.
Note: Perform the following configuration steps from the domain's console, as the procedure could temporarily disrupt network connectivity to the domain.

Configure the Virtual Switch as the Primary Interface
1. Print out the addressing information for all interfaces:
primary# ifconfig -a
2. Plumb the virtual switch. In this example, vsw0 is the virtual switch being configured:
primary# ifconfig vsw0 plumb
3. (Optional) To obtain the list of all virtual switch instances in a domain, you can list them:
primary# /usr/sbin/dladm show-link | grep vsw
vsw0   type: non-vlan   mtu: 1500   device: vsw0
4. Unplumb the physical network device assigned to the virtual switch (net-dev), which is e1000g0 in this examp
166. [at] least 8 gigabytes.

Examples of Storing Disk Images With ZFS
The following examples:
1. Create a 10-gigabyte image on a ZFS volume or file.
2. Export the ZFS volume or file as a virtual disk. The syntax to export a ZFS volume or file is the same, but the path to the backend is different.
3. Assign the exported ZFS volume or file to a guest domain.
When the guest domain is started, the ZFS volume or file appears as a virtual disk on which the Solaris OS can be installed.

Create a Disk Image Using a ZFS Volume
For example, create a 10-gigabyte disk image on a ZFS volume:
primary# zfs create -V 10gb ldmpool/ldg1_disk0

Create a Disk Image Using a ZFS File
For example, create a 10-gigabyte disk image on a ZFS file:
primary# zfs create ldmpool/ldg1_disk0
primary# mkfile 10g /ldmpool/ldg1_disk0/file

Export the ZFS Volume
Export the ZFS volume as a virtual disk:
primary# ldm add-vdsdev /dev/zvol/dsk/ldmpool/ldg1_disk0 ldg1_disk0@primary-vds0

Export the ZFS File
Export the ZFS file as a virtual disk:
primary# ldm add-vdsdev /ldmpool/ldg1_disk0/file ldg1_disk0@primary-vds0

Assign the ZFS Volume or File to a Guest Domain
Assign the ZFS volume or file to a guest domain, in this example ldg1:
primary# ldm add-vdisk disk0 ldg1_disk0@primary-vds0 ldg1

Creating a Snapshot of a Disk Image
When your disk image
167. [a]lready been defined for the guest domain:
primary# mkfile -n 20g /export/install/disk
primary# ldm add-vdsdev /export/install/disk install_vol@primary-vds0
primary# ldm add-vdisk vdisk_install install_vol@primary-vds0 ldg1
7. Bind and start the guest domain ldg1:
primary# ldm bind ldg1
primary# ldm start ldg1
LDom ldg1 started
primary# telnet localhost 5000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connecting to console "ldg1" in group "ldg1" ....
Press ~? for control options ..
8. Create the device aliases that you need. In this example, an alias for disk 2 is created:
ok show-disks
a) /virtual-devices@100/channel-devices@200/disk@3
b) /virtual-devices@100/channel-devices@200/disk@2
c) /virtual-devices@100/channel-devices@200/disk@1
d) /virtual-devices@100/channel-devices@200/disk@0
q) NO SELECTION
Enter Selection, q to quit: b
9. Show the device aliases in the client OpenBoot PROM. In this example, see the device aliases for vdisk_cd_media, which is the Solaris DVD, and vdisk_install, which is the disk space:
ok devalias
vdisk_install   /virtual-devices@100/channel-devices@200/disk@3
vdisk_cd_media  /virtual-devices@100/channel-devices@200/disk@2
vdisk_iso       /virtual-devices@100/channel-devices@200/disk@1
vdisk1          /virtual-devices@100/channel-devices@200/disk@0
vnet1           /virtual-devices@100/channel-devices@
168. [...]m does not yield virtual CPUs to the hypervisor, the utilization of CPUs in the guest operating system will always show as 100%. The utilization statistic reported for a logical domain is the average of the virtual CPU utilizations for the virtual CPUs in the domain. A dash (-) in the UTIL column means that the strand is power managed.

Examples of Various Lists
Note: The actual output might vary slightly from what is shown here.

Show Software Versions
View the current software versions installed, and you receive a listing similar to the following:
CODE EXAMPLE 9-2 Software Versions Installed
primary# ldm -V
Logical Domain Manager (v 1.1)
    Hypervisor control protocol v 1.3
    Using Hypervisor MD v 0.1
System PROM:
    Hypervisor  v. 1.7.0   @(#)Hypervisor 1.7.0 2008/11/19 10:20
    OpenBoot    v. 4.30.0  @(#)OBP 4.30.0 2008/11/18 13:44

Generate a Short List
Generate a short list for all domains:
CODE EXAMPLE 9-3 Short List for All Domains
primary# ldm list
NAME     STATE   FLAGS  CONS  VCPU  MEMORY  UTIL  UPTIME
primary  active  -t-cv         4     1G      0.5%  3d 21h 7m
ldg1     active  -t---  5000   8     1G      23%   2m

Generate a Long List
1. Generate a long list for all domains:
CODE EXAMPLE 9-4 Long List for All Domains
primary# ldm list -l
NAME  STATE  FLAGS  CONS  VCPU  MEMORY  UTIL  UPTIME
primary
...Domain Configurations

For each logical domain, create an XML file containing the domain's constraints.

# ldm ls-constraints -x ldom > ldom.xml

Rebuild Guest Domain Configurations

Run the following commands for each guest domain's XML file you created.

# ldm add-domain -i ldom.xml
# ldm bind-domain ldom
# ldm start-domain ldom

Rebuilding the Control Domain

This section provides instructions for how to translate typical XML output from an ldm list-constraints -x primary command into the CLI commands needed to reconfigure a primary domain. The resources and properties that you use to translate XML into CLI commands are shown in bold type in the sample XML output. Refer to the ldm man page or the Logical Domains (LDoms) Manager 1.1 Man Page Guide for complete information about the CLI commands.

A sample output from a ldm list-constraints -x primary command follows.

CODE EXAMPLE 4-1 Sample XML Output From list-constraints Subcommand

<?xml version="1.0"?>
<LDM_interface
    version="1.1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="./schemas/combined-v3.xsd"
    xmlns:ovf="./schemas/envelope"
    xmlns:rasd="./schemas/CIM_ResourceAllocationSettingData"
    xmlns:vssd="./schemas/CIM_VirtualSystemSettingData"
    xmlns:gprop="./schemas/GenericProperty"
    xmlns:bind="./Schemas/Binding">
  <data version="3.0">
...Domains Environment

This section describes using volume managers in a Logical Domains environment.

Using Virtual Disks on Top of Volume Managers

Any Zettabyte File System (ZFS), Solaris Volume Manager (SVM), or Veritas Volume Manager (VxVM) volume can be exported from a service domain to a guest domain as a virtual disk. A volume can be exported either as a single-slice disk (if the slice option is specified with the ldm add-vdsdev command) or as a full disk.

Note - The remainder of this section uses an SVM volume as an example. However, the discussion also applies to ZFS and VxVM volumes.

The following example shows how to export a volume as a single-slice disk. For example, if a service domain exports the SVM volume /dev/md/dsk/d0 to domain1 as a single-slice disk, and domain1 sees that virtual disk as /dev/dsk/c0d2, then domain1 only has an s0 device, that is, /dev/dsk/c0d2s0.

The virtual disk in the guest domain (for example, /dev/dsk/c0d2s0) is directly mapped to the associated volume (for example, /dev/md/dsk/d0), and data stored onto the virtual disk from the guest domain are directly stored onto the associated volume with no extra metadata. So data stored on the virtual disk from the guest domain can also be directly accessed from the service domain through the associated volume.

Examples

- If the SVM volume d0 is exported from the primary domain to domain1, then the
...malformed or unknown object.

In addition to the <response> section, the <data> section can contain other information. This information is in the same format as an incoming <data> field describing the object that caused a failure. See "The <data> Tag" on page 179. This additional information is especially useful in the following cases:

- When a command fails against a particular <data> section but passes for any additional <data> sections
- When an empty <data> section is passed into a command and fails for some domains but passes for others

Events

In lieu of polling, you can subscribe to receive event notifications of certain state changes that occur. There are three types of events to which you can subscribe, individually or collectively. See "Event Types" on page 184 for complete details.

Registration and Unregistration

Use an <LDM_interface> message to register for events. See "The <LDM_interface> Tag" on page 178. The action tag details the type of event for which to register or unregister, and the <data> section is left empty.

CODE EXAMPLE 10-3 Example Event Registration Request Message

<LDM_interface version="1.0">
  <cmd>
    <action>reg-domain-events</action>
    <data version="3.0"/>
  </cmd>
</LDM_interface>

The Logical Domains Manager
...command aliases supported by the Logical Domains Manager CLI. The supported strings in the action tag are as follows.

LDoms Actions

    list-bindings           list-services           list-constraints
    list-devices            add-domain              remove-domain
    list-domain             start-domain            stop-domain
    bind-domain             unbind-domain           add-io
    remove-io               add-mau                 set-mau
    remove-mau              add-memory              set-memory
    remove-memory           remove-reconf           add-spconfig
    set-spconfig            remove-spconfig         list-spconfig
    add-variable            set-variable            remove-variable
    list-variable           add-vconscon            set-vconscon
    remove-vconscon         set-vconsole            add-vcpu
    set-vcpu                remove-vcpu             add-vdisk
    remove-vdisk            add-vdiskserver         remove-vdiskserver
    add-vdpcc               remove-vdpcc            add-vdpcs
    remove-vdpcs            add-vdiskserverdevice   remove-vdiskserverdevice
    add-vnet                set-vnet                remove-vnet
    add-vswitch             set-vswitch             remove-vswitch
    reg-domain-events       unreg-domain-events     reg-resource-events
    unreg-resource-events   reg-hardware-events     unreg-hardware-events
    reg-all-events          unreg-all-events        migrate-domain

Logical Domains Manager Resources and Properties

Following are the Logical Domains Manager resources and the properties that can be defined for each of those resources. The resources and properties are shown in bold type in the XML examples. These examples show resources, not binding output. The constraint output can be used to
...commands and their user authorizations.

- Add a read-only authorization for a user, using the usermod(1M) command.

  # usermod -A solaris.ldoms.read username

- Add a read and write authorization for a user, using the usermod(1M) command.

  # usermod -A solaris.ldoms.write username

Delete All Authorizations for a User

Delete all authorizations for a local user account (the only possible option).

# usermod -A "" username

Managing User Profiles

The SUNWldm package adds two system-defined RBAC profiles in the /etc/security/prof_attr file for use in authorizing access to the Logical Domains Manager by non-superusers. The two LDoms-specific profiles are:

- LDoms Review:::Review LDoms configuration:auths=solaris.ldoms.read
- LDoms Management:::Manage LDoms domains:auths=solaris.ldoms.*

One of the preceding profiles can be assigned to a user account using the following procedure.

Add a Profile for a User

Add an administrative profile for a local user account, for example, LDoms Management.

# usermod -P "LDoms Management" username

Delete All Profiles for a User

Delete all profiles for a local user account (the only possible option).

# usermod -P "" username

Assigning Roles to Users

The advantage of using this procedure is that only a user who has been assigned a specific role can assume the role. In assuming a
...me, the migration fails.

NIU Hybrid Input/Output

A domain using NIU Hybrid I/O resources can be migrated. A constraint specifying NIU Hybrid I/O resources is not a hard requirement of a logical domain. If such a domain is migrated to a machine that does not have available NIU resources, the constraint is preserved but not fulfilled.

Cryptographic Units

You cannot migrate a logical domain that has bound cryptographic units. Attempts to migrate such a domain fail.

Delayed Reconfiguration

Any active delayed reconfiguration operations on the source or target hosts prevent a migration from starting. Delayed reconfiguration operations are blocked while a migration is in progress.

Operations on Other Domains

While a migration is in progress on a machine, any operation which could result in the modification of the Machine Description (MD) of the domain being migrated is blocked. This includes all operations on the domain itself, as well as operations such as bind, stop, and start on other domains on the machine.

Migrating Bound or Inactive Domains

Because a bound or inactive domain is not executing at the time of the migration, there are fewer restrictions than when you migrate an active domain.

CPUs

You can migrate a bound or inactive domain between machines running different processor types and machines that are running at different frequencies. The Solaris OS image in the guest must su
...some state information to the target, but before the target can acknowledge that the domain has been resumed, the migration operation terminates and the source is placed in an error state. This indicates that user interaction is required to determine whether or not the migration was completed successfully. In such a situation, take the following steps.

- Determine whether the target domain has resumed successfully. The target domain will be in one of two states:
  a. If the migration completed successfully, the target domain is in the normal state.
  b. If the migration failed, the target cleans up and destroys the target domain.
- If the target is resumed, it is safe to destroy the source domain in the error state. If the target is not present, the source domain is still the master version of the domain and it must be recovered. To do this, execute the cancel command on the source machine. This clears the error state and restores the source domain back to its original condition.

Examples

CODE EXAMPLE 8-2 shows how a domain called ldg1 can be migrated to a machine called t5440-sys-2.

CODE EXAMPLE 8-2 Migrating a Guest Domain

# ldm migrate-domain ldg1 t5440-sys-2
Target Password:

CODE EXAMPLE 8-3 shows that a domain can be renamed as part of the migration. In this example, ldg-src is the source domain, and it is renamed to ldg-tgt on the target machine (t5440-sys-2) as part of the migration. In addition, the user name (root) o
...commands auditreduce(1M) and praudit(1M) to print audit output.

# auditreduce -c vs | praudit
# auditreduce -c vs -a 20060502000000 | praudit

- Use the Solaris OS praudit -x command to print XML output.

Rotate Audit Logs

Use the Solaris OS audit -n command to rotate audit logs.

CHAPTER 10

Using the XML Interface With the Logical Domains Manager

This chapter explains the Extensible Markup Language (XML) communication mechanism through which external user programs can interface with Logical Domains software. These basic topics are covered:

- Transport: How communications are initiated between an external program and the Logical Domains (LDoms) Manager
- Protocol: Format of XML messages sent to and received from the Logical Domains Manager
- Events: Logical Domains Manager alert notifications

For various schemas to use with the Logical Domains Manager, see Appendix A.

XML Transport

External programs use the Extensible Messaging and Presence Protocol (XMPP, RFC 3920) to communicate with the Logical Domains Manager. XMPP is supported for both local and remote connections and is on by default. To shut off remote connections, set the ldmd/xmpp_enabled SMF property to false and restart the Logical Domains Manager.

# svcadm disable ldmd
# svccfg -s ldom/ldmd setprop ldmd/xmpp_enabled=false
# svcadm refresh ldmd
# svcadm enable ldmd

Because domain migration uses the same XMPP connection to reach the ldmd service on the target machine, a host whose xmpp_enabled property is false cannot accept incoming migrations; re-enable the property before migrating a domain to that host.
...Operating on a Single Object

<LDM_interface version="1.0">
  <cmd>
    <action>Place command here</action>
    <data version="3.0">
      <Envelope>
        <References/>
        <!-- Note: a <Section> section can be here instead of <Content> -->
        <Content xsi:type="ovf:VirtualSystem_Type" id="Domain name">
          <Section xsi:type="ovf:ResourceAllocationSection_type">
            <Item>
              <rasd:OtherResourceType>LDom Resource Type</rasd:OtherResourceType>
              <gprop:GenericProperty key="Property name">Property Value</gprop:GenericProperty>
            </Item>
          </Section>
          <!-- Note: More <Section> sections can be placed here -->
        </Content>
      </Envelope>
    </data>
    <!-- Note: More <data> sections can be placed here -->
  </cmd>
  <!-- Note: More <cmd> sections can be placed here -->
</LDM_interface>

The <LDM_interface> Tag

All commands sent to the LDoms Manager must start with the <LDM_interface> tag. Any document sent into the LDoms Manager must have only one <LDM_interface> tag contained within it. The <LDM_interface> tag must include a version attribute as shown in CODE EXAMPLE 10-1.

The <cmd> Tag

Within the <LDM_interface> tag, the document must include at least one <cmd> tag. Each <cmd> section must have only one <action> tag. Use the
...on the target machine is explicitly specified.

CODE EXAMPLE 8-3 Migrating and Renaming a Guest Domain

# ldm migrate ldg-src root@t5440-sys-2:ldg-tgt
Target Password:

CODE EXAMPLE 8-4 shows a sample failure message if the target domain does not have migration support, that is, if you are running an LDoms version prior to version 1.1.

CODE EXAMPLE 8-4 Migration Failure Message

# ldm migrate ldg1 t5440-sys-2
Target Password:
Failed to establish connection with ldmd(1m) on target: t5440-sys-2
Check that the ldmd service is enabled on the target machine and that the version supports Domain Migration. Check that the xmpp_enabled and incoming_migration_enabled properties of the ldmd service on the target machine are set to true using svccfg(1M).

CODE EXAMPLE 8-5 shows how to obtain status on a target domain while the migration is in progress. In this example, the source machine is t5440-sys-1.

CODE EXAMPLE 8-5 Obtaining Target Domain Status

# ldm ls -o status ldg-tgt
NAME
ldg-tgt

STATUS
    OPERATION    PROGRESS    SOURCE
    migration    55%         t5440-sys-1

CODE EXAMPLE 8-6 shows how to obtain parseable status on the source domain while the migration is in progress. In this example, the target machine is t5440-sys-2.

CODE EXAMPLE 8-6 Obtaining Source Domain Parseable Status

# ldm ls -o status -p ldg-src
VERSION 1.3
DOM
...domain to access this data, then you should export the ZFS or SVM volume using the slice option. For more information about this option, see "Virtual Disk Backend" on page 83.

Virtual Disk Backend

The virtual disk backend is the location where data of a virtual disk are stored. The backend can be a disk, a disk slice, a file, or a volume, such as ZFS, SVM, or VxVM. A backend appears in a guest domain either as a full disk or as a single-slice disk, depending on whether the slice option is set when the backend is exported from the service domain. By default, a virtual disk backend is exported non-exclusively as a readable-writable full disk. If the guest should only read the backend, or if the service domain must not open it while it is exported, set the ro or excl export options instead of relying on the default.

Physical Disk or Disk LUN

A physical disk or disk LUN is always exported as a full disk. In that case, the virtual disk drivers (vds and vdc) forward I/O from the virtual disk and act as a pass-through to the physical disk or disk LUN.

A physical disk or disk LUN is exported from a service domain by exporting the device corresponding to slice 2 (s2) of that disk without setting the slice option. If you export slice 2 of a disk with the slice option, only this slice is exported and not the entire disk.

Export a Physical Disk as a Virtual Disk

1. For example, to export the physical disk c1t48d0 as a virtual disk, you must export slice 2 of that disk (c1t48d0s2) from the service domain, as follows.

service# ldm add-vdsdev /dev/dsk/c1t48d0s2 c1t48d0@primary-vds0

2. From the service dom
...incoming XML document is malformed, the <response> section includes only a <status> tag. If this response status indicates success, all commands on all objects have succeeded. If this response status is a failure and there is no <resp_msg> tag, then one of the commands included in the original request failed. The <resp_msg> tag is used only to describe some problem with the XML document itself.

Command Response

The <response> section under the <cmd> section alerts the user to success or failure of that particular command. The <status> tag shows if that command succeeds or fails. As with the overall response, if the command fails, the <response> section includes only a <resp_msg> tag if the contents of the <cmd> section of the request is malformed. Otherwise, the failed status means one of the objects the command ran against caused a failure.

Object Response

Finally, each <data> section in a <cmd> section also has a <response> section. This shows if the command being run on this particular object passes or fails. If the status of the response is SUCCESS, there is no <resp_msg> tag in the <response> section. If the status is FAILURE, there are one or more <resp_msg> tags in the <response> field, depending on the errors encountered when running the command against that object. Object errors can result from problems found when running the command or a
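The three response levels described above (overall, command, object) decide where a client should look for an error message: the overall and command responses only carry a <resp_msg> when the XML itself is malformed, and per-object failures surface only in the object's own <response>. The following Python is an added example, not code from the Logical Domains Manager or this guide; it builds a request in the shape of CODE EXAMPLE 10-1 (one <data> section per domain, or one empty <data> section for all domains) and walks a response in the shape of CODE EXAMPLE 10-2 down to the object level. The sample response is constructed here for illustration, and the action name list-domain is taken from the action list in this chapter.

```python
"""Build an LDM_interface request and walk the three <response> levels.

Added example for this guide; not code from the Logical Domains Manager.
Element names (LDM_interface, cmd, action, data, Envelope, Content,
response, status, resp_msg) follow CODE EXAMPLE 10-1 and 10-2; the sample
response below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"


def build_request(action, domain_names=(), data_version="3.0"):
    """Return an <LDM_interface> document holding one <cmd>.

    One <data> section is emitted per domain name. With no names, a single
    empty <data> section is emitted, which the guide describes as applying
    the command to all domains.
    """
    root = ET.Element("LDM_interface", {"version": "1.0", "xmlns:xsi": XSI})
    cmd = ET.SubElement(root, "cmd")
    ET.SubElement(cmd, "action").text = action
    if not domain_names:
        ET.SubElement(cmd, "data", {"version": data_version})
    for name in domain_names:
        data = ET.SubElement(cmd, "data", {"version": data_version})
        env = ET.SubElement(data, "Envelope")
        ET.SubElement(env, "References")
        ET.SubElement(env, "Content",
                      {"xsi:type": "ovf:VirtualSystem_Type", "id": name})
    return ET.tostring(root, encoding="unicode")


def _status_of(resp):
    """Return (status, messages) for one <response> element; (None, []) if absent."""
    if resp is None:
        return None, []
    status = (resp.findtext("status") or "").strip().lower()
    messages = [(m.text or "").strip() for m in resp.findall("resp_msg")]
    return status, messages


def parse_response(xml_text):
    """Collect overall, per-command and per-object status into one dict."""
    root = ET.fromstring(xml_text)
    overall, overall_msgs = _status_of(root.find("response"))
    result = {"status": overall, "resp_msg": overall_msgs, "commands": []}
    for cmd in root.findall("cmd"):
        cmd_status, cmd_msgs = _status_of(cmd.find("response"))
        entry = {"action": (cmd.findtext("action") or "").strip(),
                 "status": cmd_status, "resp_msg": cmd_msgs, "objects": []}
        for data in cmd.findall("data"):
            content = data.find("Envelope/Content")   # the object acted on
            obj_status, obj_msgs = _status_of(data.find("response"))
            entry["objects"].append({
                "id": content.get("id") if content is not None else None,
                "status": obj_status, "resp_msg": obj_msgs})
        result["commands"].append(entry)
    return result


def failed_objects(parsed):
    """(action, object id, messages) for every object whose status is not success."""
    return [(cmd["action"], obj["id"], obj["resp_msg"])
            for cmd in parsed["commands"]
            for obj in cmd["objects"]
            if obj["status"] != "success"]


# Constructed response: one list-domain command over two domains, where the
# second object fails. The overall and command responses carry no resp_msg,
# so (as the guide describes) the failure is found at the object level.
SAMPLE_RESPONSE = """<LDM_interface version="1.0" xmlns:xsi="%s">
  <cmd>
    <action>list-domain</action>
    <data version="3.0">
      <Envelope><References/>
        <Content xsi:type="ovf:VirtualSystem_Type" id="ldg1"/>
      </Envelope>
      <response><status>success</status></response>
    </data>
    <data version="3.0">
      <Envelope><References/>
        <Content xsi:type="ovf:VirtualSystem_Type" id="ldg2"/>
      </Envelope>
      <response>
        <status>failure</status>
        <resp_msg>constructed: domain ldg2 not found</resp_msg>
      </response>
    </data>
    <response><status>failure</status></response>
  </cmd>
  <response><status>failure</status></response>
</LDM_interface>""" % XSI

if __name__ == "__main__":
    print(build_request("list-domain", ["ldg1"]))
    for action, obj_id, msgs in failed_objects(parse_response(SAMPLE_RESPONSE)):
        print("%s failed on %s: %s" % (action, obj_id, "; ".join(msgs)))
```

Running the block prints the request document and then reports the single object-level failure; a client that only checked the overall <status> would know something failed but not which domain, which is why failed_objects descends to the <data> sections.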
...backend, which is the location where data of a virtual disk are stored; in this case, /opt/SUNWldm/domain/disks/testdisk1.
- The optional XML key property vol_opts is one or more of the following, comma-separated within one string: ro, slice, excl.
- The optional XML key property mpgroup is the name of the multipath (failover) group.

This section is equivalent to the following CLI command:

# ldm add-vdsdev options=ro mpgroup=mpgroup-name /opt/SUNWldm/domain/disks/testdisk1 vdsdev0@primary-vds0

CHAPTER 5

Using PCI Busses With Logical Domains Software

This chapter describes how to configure PCI Express busses across multiple logical domains and how to enable the I/O MMU bypass mode on a PCI bus.

Configuring PCI Express Busses Across Multiple Logical Domains

Note - For Sun UltraSPARC T2-based servers, such as the Sun SPARC Enterprise T5120 and T5220 servers, you would assign a Network Interface Unit (NIU) to the logical domain rather than use this procedure.

The PCI Express (PCIe) bus on a Sun UltraSPARC T1-based server consists of two ports with various leaf devices attached to them. These are identified on a server with the names pci@780 (bus_a) and pci@7c0 (bus_b). In a multidomain environment, the PCIe bus can be programmed to assign each leaf to a separate domain using the Logical Domains Manager. Thus, you can enable more than one domain
...done, when it was done, by whom, and what was affected. If you want to use this auditing capability, this section describes how to enable, verify, disable, print output, and rotate audit logs. You can find further information about BSM auditing in the Solaris 10 System Administration Guide: Security Services.

You can enable BSM auditing in one of two ways. When you want to disable auditing, be sure you use the same method that you used in enabling. The two methods are:

- Use the enable-bsm.fin finish script in the Solaris Security Toolkit. The enable-bsm.fin script is not used by default by the ldm_control-secure.driver. You must enable the finish script in your chosen driver.
- Use the Solaris OS bsmconv(1M) command.

Here are the procedures for both methods.

Use the enable-bsm.fin Finish Script

1. Copy the ldm_control-secure.driver to my-ldm.driver, where my-ldm.driver is the name for your copy of the ldm_control-secure.driver.
2. Copy the ldm_control-config.driver to my-ldm-config.driver, where my-ldm-config.driver is the name for your copy of the ldm_control-config.driver.
3. Copy the ldm_control-hardening.driver to my-ldm-hardening.driver, where my-ldm-hardening.driver is the name for your copy of the ldm_control-hardening.driver.
4. Edit my-ldm.driver to refer to the new configuration and hardening drivers, my-ldm-config.driver and my-ldm-hardening.driver.
network support is implemented using two components: the virtual network and the virtual network switch device. The virtual network (vnet) device emulates an Ethernet device and communicates with other vnet devices in the system using a point-to-point channel. The virtual switch (vsw) device mainly functions as a multiplexor of all the virtual networks' incoming and outgoing packets. The vsw device interfaces directly with a physical network adapter on a service domain, and sends and receives packets on a virtual network's behalf. The vsw device also functions as a simple layer-2 switch and switches packets between the vnet devices connected to it within the system.

Virtual Storage

The virtual storage infrastructure enables logical domains to access block-level storage that is not directly assigned to them, through a client-server model. It consists of two components: a virtual disk client (vdc) that exports a block device interface, and a virtual disk service (vds) that processes disk requests on behalf of the virtual disk client and submits them to the physical storage residing on the service domain. Although the virtual disks appear as regular disks on the client domain, all disk operations are forwarded to the physical disk through the virtual disk service.

Virtual Console

In a Logical Domains environment, console I/O from all domains except the primary domain is redirected to a servic
...confirms that the PCIe leaf bus_b and the devices below it are assigned to domain primary, and bus_a and its devices are assigned to ldg1.

Enabling the I/O MMU Bypass Mode on a PCI Bus

If you have an InfiniBand Host Channel Adapter (HCA) card, you might need to turn the I/O memory management unit (MMU) bypass mode on. By default, Logical Domains software controls PCIe transactions so that a given I/O device or PCIe option can only access the physical memory assigned within the I/O domain. Any attempt to access memory of another guest domain is prevented by the I/O MMU. This provides a higher level of security between the I/O domain and all other domains. However, in the rare case where a PCIe or PCI-X option card does not load or operate with the I/O MMU bypass mode off, this option allows you to turn the I/O MMU bypass mode on. However, if you turn the bypass mode on, there no longer is a hardware-enforced protection of memory accesses from the I/O domain: a DMA-capable device in that I/O domain, or a compromised I/O domain driving it, can then reach physical memory that belongs to other guest domains.

The bypass=on option turns on the I/O MMU bypass mode. This bypass mode should be enabled only if the respective I/O domain and the I/O devices within that I/O domain are trusted by all guest domains. This example turns on the bypass mode.

primary# ldm add-io bypass=on pci@780 ldg1

The output shows bypass=on under OPTIONS.
NAME      STATE    FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
primary   active   -t-cv           1     768M     0.0%  0s

VCPU
    VID    PID    UTIL    STRAND
    0      0      0.0%    100%

MEMORY
    RA           PA           SIZE
    0x4000000    0x4000000    768M

IO
    DEVICE     PSEUDONYM    OPTIONS
    pci@780    bus_a
    pci@7c0    bus_b        bypass=on

VLDC
    NAME
    primary

VCC
    NAME    PORT-RANGE
    vcc0    5000-5100

VSW
    NAME    MAC                  NET-DEV    DEVICE      MODE
    vsw0    08:00:20:aa:bb:e0    e1000g0    switch@0    prog,promisc
    vsw1    08:00:20:aa:bb:e1                           routed

VDS
    NAME    VOLUME     OPTIONS          DEVICE
    vds0    myvol-a    slice            /disk/a
            myvol-b                     /disk/b
            myvol-c    ro,slice,excl    /disk/c
    vds1    myvol-d                     /disk/d

VDPCS
    NAME
    vdpcs0
    vdpcs1

VLDCC
    NAME      SERVICE            DESC
    hvctl     primary@primary    hvctl
    vldcc0    primary@primary    ds

NAME      STATE    FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
ldg1      bound    -----   5000    1     512M

VCPU
    VID    PID    UTIL    STRAND
    0      1              100%

MEMORY
    RA           PA            SIZE
    0x4000000    0x34000000    512M

VLDCC
    NAME      SERVICE            DESC
    vldcc0    primary@primary    ds

NETWORK
    NAME       SERVICE         DEVICE       MAC
    mynet-b    vsw0@primary    network@0    08:00:20:ab:9a:12
    mynet-a    vsw0@primary    network@1    08:00:20:ab:9a:11

DISK
    NAME        VOLUME          DEVICE    SERVER
    mydisk-a    myvol-a@vds0    disk@0    primary
    mydisk-b    myvol-b@vds0    disk@1    primary

VDPCC
    NAME         SERVICE
    myvdpcc-a    vdpcs0@primary
    myvdpcc-b    vdpcs0@primary

VCONS
    NAME       SERVICE         PORT
    mygroup    vcc0@primary    5000

CODE EXAMPLE
...ng on your server.

sc> flashupdate -s IP-address -f path/Sun_System_Firmware-x_x_x_build_nn-server-name.bin
username: your-userid
password: your-password

Where:
- IP-address is the IP address of your FTP server.
- path is the location in SunSolve or your own directory where you can obtain the system firmware image.
- x_x_x is the version number of the System Firmware.
- nn is the number of the build that applies to this release.
- server-name is the name of your server. For example, the server-name for the Sun Fire T2000 server is Sun_Fire_T2000.

3. Reset the system controller.

sc> resetsc -y

4. Power on and boot the host server.

sc> poweron -c
ok boot disk

Upgrade System Firmware Without an FTP Server

If you do not have access to a local FTP server to upload firmware to the system controller, you can use the sysfwdownload utility, which is provided with your system firmware upgrade package on the SunSolve site (http://sunsolve.sun.com).

1. Run the following commands within the Solaris OS.

# cd firmware_location
# sysfwdownload system_firmware_file

2. Shut down the Solaris OS instance.

# shutdown -i5 -g0 -y

3. Power off and update the firmware on the system controller.

sc> poweroff -fy
sc> flashupdate -s 127.0.0.1

4. Reset and power on the system controller.

sc> resetsc -y
sc> poweron
CHAPTER 6

Using Virtual Disks With Logical Domains

This chapter describes how to use virtual disks with Logical Domains software.

Introduction to Virtual Disks

A virtual disk contains two components: the virtual disk itself as it appears in a guest domain, and the virtual disk backend, which is where data is stored and where virtual I/O ends up. The virtual disk backend is exported from a service domain by the virtual disk server (vds) driver. The vds driver communicates with the virtual disk client (vdc) driver in the guest domain through the hypervisor using a logical domain channel (LDC). Finally, a virtual disk appears as /dev/[r]dsk/cXdYsZ devices in the guest domain.

The virtual disk backend can be physical or logical. Physical devices can include the following:

- Physical disk or disk logical unit number (LUN)
- Physical disk slice

Logical devices can be any of the following:

- File on a file system, such as ZFS or UFS
- Logical volume from a volume manager, such as ZFS, VxVM, or Solaris Volume Manager (SVM)
- Any disk pseudo device accessible from the service domain

FIGURE 6-1 Virtual Disks With Logical Domains (figure: a service domain holding the virtual disk backend, a guest domain seeing the virtual disk as /dev/[r]dsk/cXdYsZ, with the hypervisor between them)

Managing Virtual Disks

This section describes adding a virtual disk to a guest domain, changing virtual disk and timeout options, and remov
...ns on the system controller. Refer to the ldm(1M) man page or the Logical Domains (LDoms) Manager Man Page Guide. In addition, there is an ALOM CMT Version 1.3 command that enables you to select a configuration to boot; see "Using LDoms With ALOM CMT" on page 171.

CHAPTER 2

Security

This chapter describes the Solaris Security Toolkit software and how you can use it to secure the Solaris OS in your logical domains.

Security Considerations

The Solaris Security Toolkit software, informally known as the JumpStart Architecture and Security Scripts (JASS) toolkit, provides an automated, extensible, and scalable mechanism to build and maintain secure Solaris OS systems. The Solaris Security Toolkit provides security for devices critical to the management of your server, including the control domain in the Logical Domains Manager.

The Solaris Security Toolkit 4.2 software package, SUNWjass, provides the means to secure the Solaris Operating System on your control domain through the use of the install-ldm script, by:

- Letting the Solaris Security Toolkit automatically harden your control domain by using the Logical Domains Manager install script (install-ldm) and the control driver specific to the Logical Domains Manager (ldm_control-secure.driver)
- Selecting an alternative driver when using the install script
- Selecting no driver when using the install
...identifier (ID); indicates the VLAN of which a virtual network and virtual switch need to be a member, in tagged mode
- mode: sc for SunCluster heartbeat support

Network (network) Resource

CODE EXAMPLE 10-14 Example network XML

<Envelope>
  <References/>
  <Content xsi:type="ovf:VirtualSystem_Type" id="ldg1">
    <Section xsi:type="ovf:VirtualHardwareSection_Type">
      <Item>
        <rasd:OtherResourceType>network</rasd:OtherResourceType>
        <gprop:GenericProperty key="vnet_name">ldg1-vnet0</gprop:GenericProperty>
        <gprop:GenericProperty key="service_name">primary-vsw0</gprop:GenericProperty>
        <rasd:Address>00:14:4f:fc:00:01</rasd:Address>
      </Item>
    </Section>
  </Content>
</Envelope>

A network resource is always contained within a <Content> section. It must have <gprop:GenericProperty> tags with the following keys:

- vnet_name: Name of the virtual network (vnet)
- service_name: Name of the virtual switch (vswitch) to which this virtual network is to be bound

Optionally, the network resource can also have the following properties:

- <rasd:Address>: Assigns a MAC address to the virtual network (the vnet named by vnet_name, not the switch it binds to)
- pvid: Port virtual local area network (VLAN) identifier (ID); indicates the VLAN of which the virtual network needs to be a member, in untagged mode
- vid: Vir
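The "Rebuilding the Control Domain" section earlier in this guide asks the reader to translate ldm list-constraints -x output into CLI commands by hand, and the vdsdev resource description states which CLI command its XML is equivalent to. The following Python is an added example, not code from the Logical Domains Manager or this guide, that automates that translation for the two resources this chapter documents: it walks each <Content> (the domain), its <Section> and <Item> elements, reads rasd:OtherResourceType and the gprop:GenericProperty keys, and emits the matching ldm add-vnet or ldm add-vdsdev command. The network keys (vnet_name, service_name, rasd:Address for the MAC, pvid, vid, mode) are those of CODE EXAMPLE 10-14 above; the vdsdev keys vol_opts and mpgroup are from the vdsdev description, while vol_name, block_dev and service_name for vdsdev are assumed key names, and the namespace URIs are the ones declared in CODE EXAMPLE 4-1. The input document is constructed here; it is not live list-constraints output.

```python
"""Translate LDoms constraint XML resources into ldm CLI commands.

Added example for this guide; not code from the Logical Domains Manager.
Network keys come from CODE EXAMPLE 10-14; vdsdev keys vol_opts and mpgroup
come from the vdsdev description. The vdsdev keys vol_name, block_dev and
service_name are ASSUMED. Namespace URIs are those of CODE EXAMPLE 4-1.
The sample document is constructed, not captured from a system.
"""
import xml.etree.ElementTree as ET

NS = {
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ovf": "./schemas/envelope",
    "rasd": "./schemas/CIM_ResourceAllocationSettingData",
    "gprop": "./schemas/GenericProperty",
}

SAMPLE_XML = """<Envelope xmlns:xsi="%(xsi)s" xmlns:ovf="%(ovf)s"
          xmlns:rasd="%(rasd)s" xmlns:gprop="%(gprop)s">
  <References/>
  <Content xsi:type="ovf:VirtualSystem_Type" id="ldg1">
    <Section xsi:type="ovf:VirtualHardwareSection_Type">
      <Item>
        <rasd:OtherResourceType>network</rasd:OtherResourceType>
        <gprop:GenericProperty key="vnet_name">ldg1-vnet0</gprop:GenericProperty>
        <gprop:GenericProperty key="service_name">primary-vsw0</gprop:GenericProperty>
        <rasd:Address>00:14:4f:fc:00:01</rasd:Address>
      </Item>
    </Section>
  </Content>
  <Content xsi:type="ovf:VirtualSystem_Type" id="primary">
    <Section xsi:type="ovf:VirtualHardwareSection_Type">
      <Item>
        <rasd:OtherResourceType>vdsdev</rasd:OtherResourceType>
        <gprop:GenericProperty key="vol_name">vdsdev0</gprop:GenericProperty>
        <gprop:GenericProperty key="service_name">primary-vds0</gprop:GenericProperty>
        <gprop:GenericProperty key="block_dev">/opt/SUNWldm/domain/disks/testdisk1</gprop:GenericProperty>
        <gprop:GenericProperty key="vol_opts">ro</gprop:GenericProperty>
        <gprop:GenericProperty key="mpgroup">mpgroup-name</gprop:GenericProperty>
      </Item>
    </Section>
  </Content>
</Envelope>""" % NS


def parse_items(xml_text):
    """Return (domain id, resource type, {key: value}, rasd:Address) per <Item>."""
    root = ET.fromstring(xml_text)
    items = []
    for content in root.iter("Content"):
        domain = content.get("id")
        for item in content.iter("Item"):
            rtype = (item.findtext("rasd:OtherResourceType", namespaces=NS) or "").strip()
            props = {p.get("key"): (p.text or "").strip()
                     for p in item.findall("gprop:GenericProperty", NS)}
            address = item.findtext("rasd:Address", namespaces=NS)
            items.append((domain, rtype, props, address))
    return items


def network_command(domain, props, mac):
    """ldm add-vnet [mac-addr=] [pvid=] [vid=] [mode=] vnet vswitch domain"""
    opts = ["mac-addr=%s" % mac] if mac else []
    opts += ["%s=%s" % (k, props[k]) for k in ("pvid", "vid", "mode") if k in props]
    return " ".join(["ldm", "add-vnet"] + opts
                    + [props["vnet_name"], props["service_name"], domain])


def vdsdev_command(props):
    """ldm add-vdsdev [options=] [mpgroup=] backend volume@service"""
    opts = []
    if props.get("vol_opts"):
        opts.append("options=%s" % props["vol_opts"])
    if props.get("mpgroup"):
        opts.append("mpgroup=%s" % props["mpgroup"])
    return " ".join(["ldm", "add-vdsdev"] + opts
                    + [props["block_dev"],
                       "%s@%s" % (props["vol_name"], props["service_name"])])


def xml_to_commands(xml_text):
    """Return one CLI line per resource. Unknown resource types become a
    comment line so nothing is silently dropped when the output is reviewed."""
    commands = []
    for domain, rtype, props, address in parse_items(xml_text):
        if rtype == "network":
            commands.append(network_command(domain, props, address))
        elif rtype == "vdsdev":
            commands.append(vdsdev_command(props))
        else:
            commands.append("# unhandled resource %r in domain %s" % (rtype, domain))
    return commands


if __name__ == "__main__":
    print("\n".join(xml_to_commands(SAMPLE_XML)))
```

The script only prints the commands; it does not run them, so the generated lines can be reviewed against the constraints before being applied with ldm, and the comment line for any resource type the translator does not know makes a partial rebuild visible rather than silent.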
...oad area in the JASS_PACKAGE_MOUNT directory defined in your user.init file. For example:

# cp -r path-to-LDoms-Manager-1.0.2/Product/SUNWldm.v /jumpstart/opt/SUNWjass/Packages

8. If you experience problems with a multihomed JumpStart server, modify the two entries in the user.init file for JASS_PACKAGE_MOUNT and JASS_PATCH_MOUNT to the correct path to the JASS_HOME_DIR/Patches and JASS_HOME_DIR/Packages directories. Refer to the comments in the user.init.SAMPLE file for more information.

9. Use the ldm_control-secure.driver as the basic driver for the Logical Domains Manager control domain. Refer to Chapter 4 in the Solaris Security Toolkit 4.2 Reference Manual for information about how to modify the driver for your use. The main driver in the Solaris Security Toolkit that is the counterpart to the ldm_control-secure.driver is the secure.driver.

10. After completing the modifications to the ldm_control-secure.driver, make the correct entry in the rules file.

- If you want to minimize the LDoms control domain, specify the minimal-ldm_control.profile in your rules file, similar to the following:

  hostname imbulu - Profiles minimal-ldm_control.profile Drivers ldm_control-secure-abc.driver

Note - You must manually install the LDoms MIB software package and the Libvirt for LDoms packages after you install the LDoms and Solaris Security Toolkit packages. They are not automatically installed with the other packages.
...of the OVF specification's schema to properly define all types of objects, two additional OVF types have been defined:

- <gprop:GenericProperty> tag; see "The GenericProperty XML Schema" on page 231
- Binding tag; see "Binding_Type XML Schema" on page 232

The <gprop:GenericProperty> tag was defined to handle any object's property for which the OVF specification does not have a definition. The property name is defined in the key attribute of the node, and the value of the property is the contents of the node.

The binding tag is used in the list-bindings subcommand output to define resources that are bound to other resources.

Responses

An outgoing XML response closely matches the structure of the incoming request in terms of the commands and objects included, with the addition of a <response> section for each object and command specified, as well as an overall <response> section for the request. The <response> sections provide status and message information as described in CODE EXAMPLE 10-2.

Following is the structure of a response to a basic XML request.

CODE EXAMPLE 10-2 Format of a Response to a Single Command Operating on a Single Object

<LDM_interface version="1.0">
  <cmd>
    <action>Place command here</action>
    <data version="3.0">
      <Envelope>
        <References/>
        <!-- Note: a <Section>
...Solaris OS media resides.

primary# ldm stop ldg1
primary# ldm unbind ldg1
primary# ldm add-vdsdev /dev/dsk/c0t0d0s2 dvd_vol@primary-vds0
primary# ldm add-vdisk vdisk_cd_media dvd_vol@primary-vds0 ldg1

5. Check to see that the DVD is added as a secondary volume and virtual disk. TOUT in the lists for virtual disks means the timeout set for the disk when added, if any. In this example, the virtual disk vdisk_cd_media would wait 60 seconds before timing out and sending an error message while trying to connect to the virtual disk server.

primary# ldm list-bindings
NAME      STATE    FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
primary   active   -n-cv   SP      4     4G       0.2%  22h 45m

VDS
    NAME            VOLUME         OPTIONS    DEVICE
    primary-vds0    vol1                      /dev/dsk/c1t1d0s2
                    iso_vol                   /export/solarisdvd.iso
                    dvd_vol                   /dev/dsk/c0t0d0s2
                    install_vol               /export/install_disk

NAME      STATE      FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
ldg1      inactive   -----           60    6G

DISK
    NAME              VOLUME                      TOUT    DEVICE    SERVER
    vdisk1            vol1@primary-vds0
    vdisk_iso         iso_vol@primary-vds0
    vdisk_cd_media    dvd_vol@primary-vds0        60
    vdisk_install     install_vol@primary-vds0

6. Create and add another disk (install_disk) on which to install the Solaris OS. This is an example of using a disk space on an existing file system to install the OS. You can also use a physical disk to install the OS if it has a
193. olume Manager (VxVM) is installed in the service domain and Veritas Dynamic Multipathing (VxDMP) is enabled for physical disks, then physical disks have to be exported without the non-default excl option. Otherwise the export fails because the virtual disk server (vds) is unable to open the physical disk device. See "Using Virtual Disks When VxVM Is Installed" on page 103 for more information.
■ If you are exporting the same virtual disk backend multiple times from the same virtual disk service, see "Export a Virtual Disk Backend Multiple Times" on page 79 for more information.
By default, the backend is opened non-exclusively. That way the backend still can be used by applications running in the service domain while it is exported to another domain. Note that this is a new behavior starting with the Solaris 10 5/08 OS release. Before the Solaris 10 5/08 OS release, disk backends were always opened exclusively, and it was not possible to have a backend opened non-exclusively.
Slice (slice) Option
A backend is normally exported either as a full disk or as a single-slice disk, depending on its type. If the slice option is specified, then the backend is forcibly exported as a single-slice disk.
This option is useful when you want to export the raw content of a backend. For example, if you have a ZFS or SVM volume where you have already stored data and you want your guest domai
194. omaining is enabled, the OpenBoot firmware is not available after the Solaris OS has started, because it is removed from memory. To reach the ok prompt from the Solaris OS, you must halt the domain. You can use the Solaris OS halt command to halt the domain.
Power-Cycling a Server
Whenever performing any maintenance on a system running LDoms software that requires power-cycling the server, you must save your current logical domain configurations to the SC first.
▼ Save Your Current Logical Domain Configurations to the SC
● Use the following command:
    # ldm add-config config-name
Do Not Use the psradm(1M) Command on Active CPUs in a Power-Managed Domain
Do not attempt to change an active CPU's operational status in a power-managed domain by using the psradm(1M) command. This only applies if your platform supports power management.
Result of Solaris OS Breaks
If domaining is not enabled, the Solaris OS normally goes to the OpenBoot prompt after a break is issued. The behavior described in this section is seen in two situations:
1. You press the L1-A key sequence when the input device is set to keyboard.
2. You enter the send break command when the virtual console is at the telnet prompt.
If domaining is enabled, you receive the following prompt after these types of breaks:
    c)ontinue, s)ync, r)eboot, h)alt?
Type the letter that
195. on name mean the following:
■ [current] – last booted configuration, only as long as it matches the currently running configuration; that is, until you initiate a reconfiguration. After the reconfiguration, the annotation changes to [next poweron].
■ [next poweron] – configuration to be used at the next power cycle.
▼ List Devices
● List all server resources, bound and unbound.
CODE EXAMPLE 9-13 List of All Server Resources
    primary# ldm list-devices -a
    VCPU
        PID    %FREE   PM
        0      0       no
        1      0       yes
        2      0       yes
        3      0       yes
        4      100     ---
        5      100     ---
        6      100     ---
        7      100     ---
        8      100     ---
        9      100     ---
        10     100     ---
        11     100     ---
        12     100     ---
        13     100     ---
        14     100     ---
        15     100     ---
        16     100     ---
        17     100     ---
        18     100     ---
        19     100     ---
        20     100     ---
        21     100     ---
        22     100     ---
        23     100     ---
        24     100     ---
        25     100     ---
        26     100     ---
        27     100     ---
        28     100     ---
        29     100     ---
        30     100     ---
        31     100     ---
    MAU
        ID     CPUSET                                   BOUND
        [MAU rows garbled in extraction: CPU sets covering strands 0-19 and 20-31, one of them bound to ldg2]
    MEMORY
        PA               SIZE     BOUND
        0x0              512K     _sys_
        0x80000          1536K    _sys_
        0x200000         62M      _sys_
        0x4000000        768M     primary
        0x34000000       512M     ldg1
        0x54000000       8M       _sys_
        0x54800000       2G       ldg2
        0xd4800000       29368M
    IO
        DEVICE           PSEUDONYM   BOUND   OPTIONS
        pci@780          bus_a       yes
        pci@7c0          bus_b       yes     bypa
196. onf, start-domain, stop-domain, bind-domain, unbind-domain, panic-domain, migrate-domain.
Flag Definitions
The following flags can be shown in the output for a domain (ldm list). If you use the long, parseable options (-l -p) for the command, the flags are spelled out; for example, flags=normal,control,vio-service. If not, you see the letter abbreviation; for example, -n-cv-. The list flag values are position dependent. Following are the values that can appear in each of the six columns from left to right.
Column 1
■ s – starting or stopping
■ - – placeholder
Column 2
■ n – normal
■ t – transition
Column 3
■ d – delayed reconfiguration
■ - – placeholder
Column 4
■ c – control domain
■ - – placeholder
Column 5
■ v – virtual I/O service domain
■ - – placeholder
Column 6
■ s – source domain in a migration
■ t – target domain in a migration
■ e – error occurred during a migration
■ - – placeholder
Utilization Statistic Definition
The per virtual CPU utilization statistic (UTIL) is shown on the long (-l) option of the ldm list command. The statistic is the percentage of time that the virtual CPU spent executing on behalf of the guest operating system. A virtual CPU is considered to be executing on behalf of the guest operating system except when it has been yielded to the hypervisor. If the guest operating syste
197. onfiguration.
■ Read and write – allows you to view and change the configuration.
The changes are not made to the Solaris OS, but are added to the authorization file by the package script postinstall when the Logical Domains Manager is installed. Similarly, the authorization entries are removed by the package script preremove.
The following table lists the ldm subcommands with the corresponding user authorization that is needed to perform the commands.
TABLE 2-1 The ldm Subcommands and User Authorizations
    ldm Subcommand     User Authorization
    add-*              solaris.ldoms.write
    bind-domain        solaris.ldoms.write
    list               solaris.ldoms.read
    list-*             solaris.ldoms.read
    panic-domain       solaris.ldoms.write
    remove-*           solaris.ldoms.write
    set-*              solaris.ldoms.write
    start-domain       solaris.ldoms.write
    stop-domain        solaris.ldoms.write
    unbind-domain      solaris.ldoms.write
    * Refers to all the resources you can add, list, remove, or set.
Auditing
Auditing the Logical Domains Manager CLI commands is done with Solaris OS Basic Security module (BSM) auditing. Refer to the Solaris 10 System Administration Guide: Security Services for detailed information about using Solaris OS BSM auditing.
BSM auditing is not enabled by default for the Logical Domains Manager; however, the infrastructure is provided. You can enable BSM auditing in one of two ways:
■ Run the enable-bsm.fin finish script in the Solaris Security Toolkit.
■ Use the Solaris
198. onsole 1 name aliases
6. On the guest domain's console, boot from disk 2 on slice f.
    ok boot /virtual-devices@100/channel-devices@200/disk@1:f -v
    Boot device: /virtual-devices@100/channel-devices@200/disk@1:f  File and args: -s
    SunOS Release 5.10 Version Generic_137137-09 32-bit
    Copyright 1983-2008 Sun Microsystems, Inc.  All rights reserved.
    Use is subject to license terms.
7. Continue with the Solaris OS installation menu.
▼ Jump-Start a Guest Domain
● To jump-start a guest domain, use a normal JumpStart procedure with the following profile syntax changes from a regular Solaris OS JumpStart procedure to a JumpStart procedure specific to LDoms, as shown in the following two examples.
Normal JumpStart Profile
    filesys c1t1d0s0 free /
    filesys c1t1d0s1 2048 swap
    filesys c1t1d0s5 120 /spare1
    filesys c1t1d0s6 120 /spare2
Virtual disk device names in a logical domain differ from physical disk device names in that they do not contain a target ID (tN) in the device name. Instead of the normal cNtNdNsN format, virtual disk device names are of the format cNdNsN, where cN is the virtual controller, dN is the virtual disk number, and sN is the slice. Modify your JumpStart profile to reflect this change, as in the following profile example.
Actual Profile Used for a Logical Domain
    filesys c0d0s0 free /
    filesys c0d0s1 2048 swap
    filesys c0d0
199. ort CPU DR so that the domain can be shrunk to a single strand before migration. Conditions in the guest domain that would cause a CPU DR removal to fail would also cause the migration attempt to fail. For example, processes bound to CPUs within the guest domain or processor sets configured in the source logical domain can cause a migration operation to fail.
Memory
There must be sufficient free memory on the target machine to accommodate the migration of the source domain. In addition, following are a few properties that must be maintained across the migration:
■ It must be possible to create the same number of identically sized memory blocks.
■ The physical addresses of the memory blocks do not need to match, but the same real addresses must be maintained across the migration.
Physical Input/Output
The logical domain to be migrated must not contain any physical I/O devices. If a domain has any physical I/O devices, the migration fails.
Virtual Input/Output
All virtual I/O (VIO) services used by the source domain must be available on the target machine. In other words, the following conditions must exist:
■ Each logical volume used in the source logical domain must also be available on the target host and must refer to the same storage.
Caution – If the logical volume used by the source as a boot device exists on the target but does not refer to the same storage, the migration appea
200. ot-login.fin      ssh root login cannot be disabled
    set-term-type.fin   Unneeded legacy script
(Optional) Minimizing Logical Domains
The Solaris OS can be configured with different quantities of packages, depending on your needs. Minimization reduces this set of packages to the bare minimum required to run your desired applications. Minimization is important because it reduces the amount of software containing potential security vulnerabilities and also reduces the level of effort associated with keeping the installed software properly patched. The logical domain minimization activity provides JumpStart support for installing a minimized Solaris OS that still fully supports any domain.
The Solaris Security Toolkit provides a JumpStart profile, minimal-ldm_control.profile, for minimizing a logical domain for LDoms, which installs all the Solaris OS packages necessary for LDoms and LDoms MIB support. If you want to use the LDoms MIB on the control domain, you need to add that package separately after you install the LDoms and Solaris Security Toolkit packages. It is not installed automatically with the other software. Refer to the Logical Domains (LDoms) MIB 1.0.1 Administration Guide for more information about installing and using the LDoms MIB.
Authorization
Authorization for the Logical Domains Manager has two levels:
■ Read – allows you to view, but not modify, the c
201. pcc-a    vdpcs0@primary
    myvdpcc-b   vdpcs0@primary
    VCONS
        NAME        SERVICE
        mygroup     vcc0
▼ List Constraints in XML Format
● List constraints in XML format for a particular domain (for example, ldg1).
CODE EXAMPLE 9-16 Constraints for a Domain in XML Format
    primary# ldm list-constraints -x ldg1
    <?xml version="1.0"?>
    <LDM_interface version="1.0">
      <data version="2.0">
        <ldom>
          <ldom_info>
            <ldom_name>ldg1</ldom_name>
          </ldom_info>
          <cpu>
            <number>8</number>
          </cpu>
          <memory>
            <size>1G</size>
          </memory>
          <network>
            <vnet_name>vnet0</vnet_name>
            <service_name>primary-vsw0</service_name>
            <mac_address>01:14:4f:fa:0:55</mac_address>
          </network>
          <disk>
            <vdisk_name>vdisk0</vdisk_name>
            <service_name>primary-vds0</service_name>
            <vol_name>vol0</vol_name>
          </disk>
          <var>
            <name>boot-device</name>
            <value>/virtual-devices@100/channel-devices@200/disk@0:a</value>
          </var>
          <var>
            <name>nvramrc</name>
            <value>devalias vnet0 /virtual-devices@100/channel-devices@200/network@0</value>
          </var>
          <var>
            <name>use-nvramrc?</name>
            <value>true</value>
          </var>
        </ldom>
      </data>
    </LDM_interface>
202. pci@7c0. If there are no other physio device sections in the XML, the pci@780 bus must be removed.
This section is equivalent to the following CLI command:
    # ldm remove-io pci@780 primary
Virtual Switch (vsw) Section
This section describes any virtual switches (vsws) allocated to the primary domain.
    <Section xsi:type="ovf:VirtualHardwareSection_Type">
      <Item>
        <rasd:OtherResourceType>vsw</rasd:OtherResourceType>
        <rasd:Address>auto-allocated</rasd:Address>
        <gprop:GenericProperty key="service_name">primary-vsw0</gprop:GenericProperty>
        <gprop:GenericProperty key="dev_path">e1000g0</gprop:GenericProperty>
        <gprop:GenericProperty key="mode">sc</gprop:GenericProperty>
        <gprop:GenericProperty key="default-vlan-id">1</gprop:GenericProperty>
        <gprop:GenericProperty key="pvid">1</gprop:GenericProperty>
      </Item>
    </Section>
Where:
■ The <rasd:Address> tag describes the MAC address to be used for the virtual switch. If the value of this tag is auto-allocated, you do not need to supply a MAC address.
■ The XML key property service_name is the name of the virtual switch, in this case primary-vsw0.
■ The XML key property dev_path is the path name for the actual network device, in this case net-dev=e1000g0.
■ The XML key property mode indicates sc for SunCluster hea
203. pe>
        <References/>
        <Content xsi:type="ovf:VirtualSystem_Type" id="ldg1">
          <Section xsi:type="ovf:VirtualHardwareSection_Type">
            <Item>
              <rasd:OtherResourceType>vsw</rasd:OtherResourceType>
              <rasd:Address>00:14:4f:fc:00:01</rasd:Address>
              <gprop:GenericProperty key="service_name">vsw1-ldg1</gprop:GenericProperty>
              <gprop:GenericProperty key="dev_path">bge0</gprop:GenericProperty>
              <gprop:GenericProperty key="mode">sc</gprop:GenericProperty>
              <gprop:GenericProperty key="pvid">12345678</gprop:GenericProperty>
              <gprop:GenericProperty key="vid">87654321</gprop:GenericProperty>
            </Item>
          </Section>
        </Content>
      </Envelope>
A vsw resource can be either in a <Content> section as part of a domain description, or it can appear on its own in an <Envelope> section. It must have <gprop:GenericProperty> tags with the following keys:
■ service_name – Name to be assigned to the virtual switch
■ dev_path – Path of the network device to be associated with this virtual switch
Optionally, the vsw resource can also have the following properties:
■ <rasd:Address> – Assigns a MAC address to the virtual switch
■ pvid – Port virtual local area network (VLAN) identifier (ID) indicates the VLAN of which the virtual network needs to be a member, in untagged mode.
■ vid – Virtual local area network (VLAN) ide
204. pport the processor type on the target machine.
Virtual Input/Output
For an inactive domain, there are no checks performed against the virtual input/output (VIO) constraints. So the VIO servers do not need to exist for the migration to succeed. As with any inactive domain, the VIO servers need to exist and be available at the time the domain is bound.
Performing a Dry Run
When you provide the -n option to the migrate-domain subcommand, migration checks are performed, but the source domain is not migrated. Any requirement that is not satisfied is reported as an error. This allows you to correct any configuration errors before attempting a real migration.
Note – Because of the dynamic nature of logical domains, it is possible for a dry run to succeed and a migration to fail, and vice versa.
Monitoring a Migration in Progress
When a migration is in progress, the source and target domains are displayed differently in the status output. In particular, the short version of the status output shows a new flag indicating the state of the migrating domain. The source domain shows an s to indicate that it is the source of the migration. The target domain shows a t to indicate that it is the target of a migration. If an error occurs that requires user intervention, an e is displayed. In the long form of the status output, additional information is displayed about the m
205. r T2 Plus platform at a minimum. See "Upgrading the System Firmware" on page 21.
■ LDoms 1.1 software installed and enabled on the control domain. See "Installing the Logical Domains Manager and Solaris Security Toolkit" on page 24.
■ (Optional) the Solaris Security Toolkit 4.2 software. See "Installing the Logical Domains Manager and Solaris Security Toolkit" on page 24.
■ (Optional) the Logical Domains (LDoms) Management Information Base (MIB) software package. Refer to the Logical Domains (LDoms) Management Information Base (MIB) 1.0.1 Administration Guide for more information about using the LDoms MIB.
■ (Optional) Libvirt for LDoms 1.0.1 software packages. Refer to the Libvirt for LDoms 1.0.1 Administration Guide for more information about using Libvirt for LDoms.
The Solaris OS and the system firmware must be installed or upgraded on your server before you install or upgrade the Logical Domains Manager. If your system is already using Logical Domains software, see "Upgrading a System Already Using Logical Domains" on page 16. Otherwise, see "Installing Logical Domains Software on a New System" on page 21.
Upgrading a System Already Using Logical Domains
Upgrading the Solaris OS
If your system is already configured with the Logical Domain software, then the control domain has to be upgraded. The other existing domains also have to be upgraded if you want to be able to use all features of the Logical Domains 1.1
206. r to the values in the corresponding fields of the line.
■ If you find such an entry, the PA is in the domain the entry is listed under, and the corresponding real address within the domain is given by ra + (PA - pa).
■ If you do not find such an entry, the PA is not in any domain.
Examples of CPU and Memory Mapping
Suppose you have a logical domain configuration as shown in CODE EXAMPLE 9-18, and you want to determine the domain and the virtual CPU corresponding to physical CPU number 5, and the domain and the real address corresponding to physical address 0x7e816000.
Looking through the VCPU entries in the list for the one with the pid field equal to 5, you can find the following entry under logical domain ldg1:
    |vid=1|pid=5|util=29|strand=100
Hence, the physical CPU number 5 is in domain ldg1, and within the domain it has virtual CPU number 1.
Looking through the MEMORY entries in the list, you can find the following entry under domain ldg2:
    ra=0x8000000|pa=0x78000000|size=1073741824
where 0x78000000 <= 0x7e816000 <= (0x78000000 + 1073741824 - 1); that is, pa <= PA <= (pa + size - 1).
Hence the PA is in domain ldg2, and the corresponding real address is 0x8000000 + (0x7e816000 - 0x78000000) = 0xe816000.
CODE EXAMPLE 9-18 Long Parseable List of Logical Domains Configurations
    primary# ldm ls -l -p
    VERSION 1.0
    DOMAIN|name=primary|state=active|fl
207. ration Guide • December 2008
Configuration Name (config_name)
The logical domain configuration name (config_name) that you assign to a configuration stored on the system controller must have no more than 64 characters.
All Other Names
The remainder of the names, such as the logical domain name (ldom), service names (vswitch_name, service_name, vdpcs_service_name, and vcc_name), virtual network name (if_name), and virtual disk name (disk_name), must be in the following format:
■ First character must be a letter or number.
■ Subsequent characters must be letters, numbers, or any of the following characters: _
Listing Logical Domains Resources
This section shows the syntax usage for the ldm subcommands, defines some output terms such as flags and utilization statistics, and provides examples that are similar to what you actually see as output.
Machine-Readable Output
If you are creating scripts that use ldm list command output, always use the -p option to produce the machine-readable form of the output. See "Generate a Parseable, Machine-Readable List (-p)" on page 153 for more information.
▼ Show Syntax Usage for ldm Subcommands
● Look at syntax usage for all ldm subcommands.
CODE EXAMPLE 9-1 Syntax Usage for All ldm Subcommands
    primary# ldm --help
    Usage:
     ldm [--help] command [options] [properties] operands
     ldm -V
208. ration Guide: IP Services for information on setting up IP routing. Once configured, the virtual switch sends all packets originating from virtual networks and destined for an external machine to its IP layer, instead of sending the packets directly via the physical device. In the event of a physical interface failure, the IP layer detects failure and automatically re-routes packets through the secondary interface.
Since the physical interfaces are directly being configured into an IPMP group, the group can be set up for either link-based or probe-based detection. The following diagram shows two network interfaces, e1000g0 and e1000g1, configured as part of an IPMP group. The virtual switch instance (vsw0) has been plumbed as a network device to send packets to its IP layer.
FIGURE 7-5 Two Network Interfaces Configured as Part of IPMP Group
    [figure: IP routing; vnet0 <-> vsw0]
Using VLAN Tagging With Logical Domains Software
As of the release of Solaris 10 10/08 OS and LDoms 1.1 software, 802.1Q VLAN-Tagging support is available in the Logical Domains network infrastructure.
Note – Tagged VLANs are not supported in any of the previous releases for LDoms networking components.
The virtual switch (vsw) and virtual network (vnet) devices support switching of Ethernet packets based on the virtual local area network (VLAN) identifier (I
209. rce constraints from the XML file to create the CLI commands to reconfigure your primary domain. See "Rebuilding the Control Domain" on page 63 for instructions on how to translate typical XML output from an ldm list-constraints -x primary command into the CLI commands needed to reconfigure a primary domain.
The method that follows does not preserve actual bindings, only the constraints used to create those bindings. This means that after this procedure, the domains will have the same virtual resources, but will not necessarily be bound to the same physical resources.
1. For each domain, create an XML file containing the domain's constraints.
    # ldm ls-constraints -x ldom > ldom.xml
2. List all the logical domain configurations stored on the system controller.
    # ldm ls-config
3. Remove each logical domain configuration stored on the system controller.
    # ldm rm-config config_name
4. Disable the Logical Domains Manager daemon (ldmd).
    # svcadm disable ldmd
5. Remove the Logical Domains Manager package (SUNWldm).
    # pkgrm SUNWldm
6. Remove the Solaris Security Toolkit package (SUNWjass) if you are using that.
    # pkgrm SUNWjass
7. Flash update the system firmware. For the entire procedure, see "Upgrade System Firmware" on page 21 or "Upgrade System Firmware Without an FTP Server" on page 23.
8. Reinstall the Lo
210. rchitecture (FMA) reports CPU errors in terms of physical CPU numbers and memory errors in terms of physical memory addresses. If you want to determine within which logical domain an error occurred and the corresponding virtual CPU number or real memory address within the domain, then you must perform a mapping.
CPU Mapping
The domain and the virtual CPU number within the domain which correspond to a given physical CPU number can be determined with the following procedures.
▼ Determine the CPU Number
1. Generate a long parseable list for all domains.
    primary# ldm ls -l -p
2. Look for the entry in the list's VCPU sections that has a pid field equal to the physical CPU number.
■ If you find such an entry, the CPU is in the domain the entry is listed under, and the virtual CPU number within the domain is given by the entry's vid field.
■ If you do not find such an entry, the CPU is not in any domain.
Memory Mapping
The domain and the real memory address within the domain which correspond to a given physical memory address (PA) can be determined as follows.
▼ Determine the Real Memory Address
1. Generate a long parseable list for all domains.
    primary# ldm ls -l -p
2. Look for the line in the list's MEMORY sections where the PA falls within the inclusive range pa to (pa + size - 1); that is, pa <= PA <= (pa + size - 1). Here pa and size refe
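The two mapping procedures above, and the worked case earlier on this page (physical CPU 5 and PA 0x7e816000), as an added example that is not part of the guide: it parses a constructed sample of `ldm ls -l -p` output and attributes an FMA-reported physical CPU number or physical address to a domain. The `|key=value|...` record layout under the VCPU and MEMORY headers, the domain names and all numbers in the sample are assumptions; the field names (vid, pid, util, strand, ra, pa, size) are the ones the guide uses.

```python
"""Attribute FMA physical CPU numbers and physical addresses (PA) to a logical
domain, following the 'Determine the CPU Number' and 'Determine the Real
Memory Address' procedures. Added example; the exact record layout of
`ldm ls -l -p` is assumed, not taken from the guide."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Domain:
    name: str
    vcpus: List[Tuple[int, int]] = field(default_factory=list)        # (vid, pid)
    memory: List[Tuple[int, int, int]] = field(default_factory=list)  # (ra, pa, size)


# Constructed sample output (assumed layout). The ldg1/ldg2 entries mirror the
# guide's worked example: pid 5 -> ldg1 vid 1, PA 0x7e816000 -> ldg2's block
# at pa 0x78000000 of 1073741824 bytes.
SAMPLE_LDM_LS_LP = """\
VERSION 1.0
DOMAIN|name=primary|state=active|flags=normal,control,vio-service|cons=SP|ncpu=4
VCPU
|vid=0|pid=0|util=0.2|strand=100
|vid=1|pid=1|util=0.0|strand=100
MEMORY
|ra=0x8000000|pa=0x4000000|size=805306368
IO
|dev=pci@780|alias=bus_a
DOMAIN|name=ldg1|state=active|flags=normal|cons=5000|ncpu=8
VCPU
|vid=0|pid=4|util=10|strand=100
|vid=1|pid=5|util=29|strand=100
MEMORY
|ra=0x8000000|pa=0x34000000|size=536870912
DOMAIN|name=ldg2|state=active|flags=normal|cons=5001|ncpu=2
VCPU
|vid=0|pid=12|util=1|strand=100
MEMORY
|ra=0x8000000|pa=0x78000000|size=1073741824
"""


def parse_fields(record: str) -> Dict[str, str]:
    """Split a '|key=value|key=value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in record.strip("|").split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def parse_ldm_list(text: str) -> Dict[str, Domain]:
    """Collect the VCPU and MEMORY records of every DOMAIN block; other
    sections (IO, VDS, ...) are skipped."""
    domains: Dict[str, Domain] = {}
    current: Optional[Domain] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("VERSION"):
            continue
        if line.startswith("DOMAIN|"):
            current = Domain(name=parse_fields(line[len("DOMAIN"):])["name"])
            domains[current.name] = current
            section = None
        elif line.startswith("|"):
            if current is None:
                continue
            f = parse_fields(line)
            if section == "VCPU":
                current.vcpus.append((int(f["vid"]), int(f["pid"])))
            elif section == "MEMORY":
                # ra and pa are hexadecimal, size is decimal bytes
                current.memory.append((int(f["ra"], 16), int(f["pa"], 16), int(f["size"])))
        else:
            section = line  # a section header such as VCPU, MEMORY, IO
    return domains


def map_physical_cpu(domains: Dict[str, Domain], pid: int) -> Optional[Tuple[str, int]]:
    """Return (domain, vid) for a physical CPU number, or None if unassigned."""
    for dom in domains.values():
        for vid, p in dom.vcpus:
            if p == pid:
                return dom.name, vid
    return None


def map_physical_address(domains: Dict[str, Domain], pa_addr: int) -> Optional[Tuple[str, int]]:
    """Return (domain, real address) for a PA using pa <= PA <= pa + size - 1
    and ra + (PA - pa), or None if the PA belongs to no domain."""
    for dom in domains.values():
        for ra, pa, size in dom.memory:
            if pa <= pa_addr <= pa + size - 1:
                return dom.name, ra + (pa_addr - pa)
    return None


if __name__ == "__main__":
    doms = parse_ldm_list(SAMPLE_LDM_LS_LP)
    print(map_physical_cpu(doms, 5))               # ('ldg1', 1)
    print(map_physical_address(doms, 0x7E816000))  # ('ldg2', 243818496) i.e. 0xe816000
```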
211. represents what you want the system to do after these types of breaks.
Results From Halting or Rebooting the Control Domain
The following table shows the expected behavior of halting or rebooting the control (primary) domain.
Note – The question in TABLE 9-1 regarding whether domaining is enabled pertains only to the Sun UltraSPARC T1 processors. Otherwise, domaining is always enabled.
TABLE 9-1 Expected Behavior of Halting or Rebooting the Control (primary) Domain
    Command        Domaining Enabled?  Other Domain Configured?  Behavior
    halt           Disabled            N/A                       For Sun UltraSPARC T1 Processors: Drops to the ok prompt.
                   Enabled             No                        For Sun UltraSPARC T1 Processors: System either resets and goes to the OpenBoot ok prompt or goes to the following prompt: r)eboot, o)k prompt, or h)alt?
                                                                 For Sun UltraSPARC T2 Processors: Host powered off and stays off until powered on at the SC.
                   Enabled             Yes                       Soft resets and boots up if the variable auto-boot?=true. Soft resets and halts at ok prompt if the variable auto-boot?=false.
    reboot         Disabled            N/A                       For Sun UltraSPARC T1 Processors: Powers off and powers on the host.
                   Enabled             No                        For Sun UltraSPARC T1 Processors: Powers off and powers on the host.
                                                                 For Sun UltraSPARC T2 Processors: Reboots the host, no power off.
                   Enabled             Yes                       For Sun UltraSPARC T1 Processors:
    shutdown -i 5  Disabled            N/A
                   Enabled             No
                   Enabled             Yes
    (the behavior entries for the remaining rows are cut off at the end of this excerpt)
212. rious XML schemas for your use with the Logical Domains Manager.
LDM_interface XML Schema
This schema is a snapshot of the Open Virtualization Format (OVF) Draft Specification, version 0.98.
CODE EXAMPLE A-1 LDM_interface XML Schema
    <?xml version="1.0"?>
    <xs:schema xmlns:ovf="/var/opt/SUNWldom/envelope"
               xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <xs:import namespace="/var/opt/SUNWldom/envelope"
                 schemaLocation="ovf-envelope.xsd"/>
      <xs:annotation>
        <xs:documentation>
          Copyright 2007 Sun Microsystems, Inc. All rights reserved.
          Use is subject to license terms.
        </xs:documentation>
      </xs:annotation>
      <xs:simpleType name="statusStringType">
        <xs:restriction base="xs:string">
          <xs:enumeration value="success"/>
          <xs:enumeration value="failure"/>
        </xs:restriction>
      </xs:simpleType>
      <xs:complexType name="responseType">
        <xs:sequence>
          <xs:element name="status" type="statusStringType"/>
          <xs:element name="resp_msg" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:complexType>
      <!-- LDM interface document -->
      <xs:element name="LDM_interface">
        <xs:complexType>
          <xs:sequence>
            <!-- START cmd -->
            <xs:element name="cmd" minOccurs="1" maxOccurs="unbounded">
              <xs:complexType>
                <xs:sequence>
213. rk access. Refer to "Related Documentation" on page xv in this document to find Solaris Security Toolkit 4.2 documentation for more information.
1. Harden using the ldm_control-secure.driver.
    # /opt/SUNWjass/bin/jass-execute -d ldm_control-secure.driver
You can use other drivers to harden your system. You can also customize drivers to tune the security of your environment. Refer to the Solaris Security Toolkit 4.2 Reference Manual for more information about drivers and customizing them.
2. Answer y for yes to all questions in the interactive prompts.
3. Shut down and reboot your server for the hardening to take place.
    # /usr/sbin/shutdown -y -g0 -i6
▼ Validate Hardening
● Check whether the Logical Domains hardening driver (ldom_control-secure.driver) applied hardening correctly. If you want to check on another driver, substitute that driver's name in this command example.
    # /opt/SUNWjass/bin/jass-execute -a ldom_control-secure.driver
▼ Undo Hardening
1. Undo the configuration changes applied by the Solaris Security Toolkit.
    # /opt/SUNWjass/bin/jass-execute -u
The Solaris Security Toolkit asks you which hardening runs you want to undo.
2. Select the hardening runs you want to undo.
3. Reboot the system so that the unhardened configuration takes place.
    # /usr/sbin/shutdown -y -g0 -i6
Note – If you undo hardening that
214. rmation about a virtual appliance -->
      <xs:complexType name="ProductSection_Type">
        <xs:complexContent>
          <xs:extension base="ovf:Section_Type">
            <xs:sequence>
              <xs:element name="Product" type="ovf:Info_Type" minOccurs="0" maxOccurs="unbounded"/>
              <xs:element name="Vendor" type="ovf:Info_Type" minOccurs="0" maxOccurs="unbounded"/>
              <xs:element name="Version" type="xs:string" minOccurs="0"/>
              <xs:element name="FullVersion" type="xs:string" minOccurs="0"/>
              <xs:element name="ProductUrl" type="xs:string" minOccurs="0"/>
              <xs:element name="VendorUrl" type="xs:string" minOccurs="0"/>
              <xs:element name="AppUrl" type="xs:string" minOccurs="0"/>
CODE EXAMPLE A-5 The ovf-core.xsd Schema (Continued)
              <xs:any namespace="##targetNamespace" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
              <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
            </xs:sequence>
            <xs:anyAttribute namespace="##any"/>
          </xs:extension>
        </xs:complexContent>
      </xs:complexType>
      <!-- Configuration parameters that can be passed to the virtual machine
           for application-level configuration -->
      <xs:complexType name="PropertySection_Type">
        <xs:complexContent>
          <xs:extension base="ovf:Section_Type">
            <xs:sequence>
              <xs:element name="Property" maxOccurs="un
215. roadcast + up
    ldom1# ifconfig vnet21000 plumb
    ldom1# ifconfig vnet21000 192.168.2.101 netmask 0xffffff00 broadcast + up
    ldom1# ifconfig vnet22000 plumb
    ldom1# ifconfig vnet22000 192.168.3.101 netmask 0xffffff00 broadcast + up
For more information about how to configure VLAN interfaces in the Solaris OS, refer to "Administering Virtual Local Area Networks" in the Solaris System Administration Guide: IP Services.
Using NIU Hybrid I/O
The LDoms 1.1 virtual I/O framework implements a hybrid I/O model for improved functionality and performance. The hybrid I/O model combines direct and virtualized I/O to allow flexible deployment of I/O resources to virtual machines. It is particularly useful when direct I/O does not provide full capability for the virtual machine, or direct I/O is not persistently or consistently available to the virtual machine. This could be because of resource availability or virtual machine migration.
The hybrid I/O architecture is well suited to the Network Interface Unit (NIU), a network I/O interface integrated on chip on Sun UltraSPARC T2 based platforms. This allows the dynamic assignment of Direct Memory Access (DMA) resources to virtual networking devices and thereby provides consistent performance to applications in the domain.
As of the release of Solaris 10 10/08 OS and LDoms 1.1 software, NIU hybrid I/O is available for Sun UltraSPARC T2
216. rs to succeed, but the machine is not usable as it is unable to access its boot device. The domain has to be stopped, the configuration issue corrected, and then the domain restarted. Otherwise, the domain could be left in an inconsistent state.
■ For each virtual network device in the source domain, a virtual network switch must exist on the target host with the same name as the virtual network switch the device is attached to on the source host. For example, if vnet0 in the source domain is attached to a virtual switch service name switch-y, then there must be a logical domain on the target host providing a virtual switch service named switch-y.
Note – The switches do not have to be connected to the same network for the migration to occur, though the migrated domain can experience networking problems if the switches are not connected to the same network.
■ MAC addresses used by the source domain that are in the automatically allocated range must be available for use on the target host.
■ A virtual console concentrator (vcc) service must exist on the target host and have at least one free port. Explicit console constraints are ignored during the migration. The console for the target domain is created using the target domain name as the console group and using any available port on the first vcc device in the control domain. If there is a conflict with the default group na
217. rtbeat support. Some of the values in this section are default values, such as the default vlan-id (1) and pvid (1), so the section is equivalent to the following CLI command:

# ldm add-vswitch net-dev=e1000g primary-vsw0 primary

Virtual Console Concentrator (vcc) Section

This section describes any virtual console concentrator (vcc) allocated to the primary domain.

<Section xsi:type="ovf:VirtualHardwareSection_Type">
  <Item>
    <rasd:OtherResourceType>vcc</rasd:OtherResourceType>
    <gprop:GenericProperty key="service_name">primary-vcc0</gprop:GenericProperty>
    <gprop:GenericProperty key="min_port">5000</gprop:GenericProperty>
    <gprop:GenericProperty key="max_port">6000</gprop:GenericProperty>
  </Item>
</Section>

Where:
■ The XML key property service_name is the name of the vcc service, in this case primary-vcc0.

This section is the equivalent of the following CLI command:

# ldm add-vcc port-range=5000-6000 primary-vcc0 primary

Virtual Disk Server (vds) Section

This section describes any virtual disk server (vds) allocated to the primary domain.

<Section xsi:type="ovf:VirtualHardwareSection_Type">
  <Item>
    <rasd:OtherResourceType>vds</rasd:OtherResourceType>
    <gprop:GenericProperty key="service_name">primary-vds0</gprop:GenericProperty>
  </Item>
218. rtual Network 107
Virtual Switch 107
Virtual Network Device 108
Managing a Virtual Switch 109
▼ Add a Virtual Switch 109
▼ Set Options for an Existing Virtual Switch 110
▼ Remove a Virtual Switch 111
Managing a Virtual Network Device 111
▼ Add a Virtual Network Device 111
▼ Set Options for an Existing Virtual Network Device 112
▼ Remove a Virtual Network Device 112
Determining the Solaris Network Interface Name Corresponding to a Virtual Network Device 113
▼ Find Solaris OS Network Interface Name 113
Assigning MAC Addresses Automatically or Manually 114
Range of MAC Addresses Assigned to Logical Domains Software 114
Automatic Assignment Algorithm 115
Duplicate MAC Address Detection 115
Freed MAC Addresses 116
Using Network Adapters With LDoms 117
▼ Determine If a Network Adapter Is GLDv3-Compliant 117
Configuring Virtual Switch and Service Domain for NAT and Routing 117
▼ Set Up the Virtual Switch to Provide External Connectivity to Domains 118
Configuring IPMP in a Logical Domains Environment 119
Configuring Virtual Network Devices into an IPMP Group in a Logical Domain 119
▼ Configure a Host Route 121
Configuring and Using IPMP in the Service Domain 121
Using VLAN Tagging With Logical Domains Software 122
Port VLAN ID (PVID) 123
VLAN ID (VID) 123
▼ Assign VLANs to a Virtual Switch and Virtual Network Device 124
Using NIU Hybrid I/O 125
219. rtual disk to another domain. When a backend is opened exclusively, it is not accessible by other applications in the service domain. This prevents the applications running in the service domain from inadvertently using a backend that is also being used by a guest domain.

Note: Some drivers do not honor the excl option and will disallow some virtual disk backends from being opened exclusively. The excl option is known to work with physical disks and slices, but the option does not work with files. It may or may not work with pseudo devices, such as disk volumes. If the driver of the backend does not honor the exclusive open, the backend excl option is ignored, and the backend is not opened exclusively.

Because the excl option prevents applications running in the service domain from accessing a backend exported to a guest domain, do not set the excl option in the following situations:

■ When guest domains are running, if you want to be able to use commands such as format(1M) or luxadm(1M) to manage physical disks, then do not export these disks with the excl option.
■ When you export an SVM volume, such as a RAID or a mirrored volume, do not set the excl option. Otherwise, this can prevent SVM from starting some recovery operation in case a component of the RAID or mirrored volume fails. See "Using Virtual Disks on Top of SVM" on page 103 for more information.
■ If the Veritas V
220. ry Interface" on page 50 for more information about plumbing the virtual switch.
3. Configure the virtual switch device for DHCP, if needed. See "Configure the Virtual Switch as the Primary Interface" on page 50 for more information about configuring the virtual switch device for DHCP.
4. Create the /etc/dhcp.vsw file, if needed.
5. Configure IP routing in the service domain, and set up required routing tables in all the domains. For information about how to do this, refer to the section on "Packet Forwarding and Routing on IPv4 Networks" in Chapter 5, "Configuring TCP/IP Network Services and IPv4 Administration," in the System Administration Guide: IP Services in the Solaris Express System Administrator Collection.

Configuring IPMP in a Logical Domains Environment

Internet Protocol Network Multipathing (IPMP) provides fault tolerance and load balancing across multiple network interface cards. By using IPMP, you can configure one or more interfaces into an IP multipathing group. After configuring IPMP, the system automatically monitors the interfaces in the IPMP group for failure. If an interface in the group fails or is removed for maintenance, IPMP automatically migrates, or fails over, the failed interface's IP addresses. In a Logical Domains environment, either the physical or virtual network interfaces can be configured for failover using IPMP.

Configuring Virtual Network Devices into an IPMP Group in a Logical Domain

A logical
221. s
Installation of <SUNWjass> was successful.
Verifying that all packages are fully installed. OK.
Enabling services: svc:/ldoms/ldmd:default
Running Solaris Security Toolkit 4.2.0 driver ldm_control-secure.driver...
Please wait. . .
/opt/SUNWjass/bin/jass-execute -q -d ldm_control-secure.driver
Executing driver, ldm_control-secure.driver
Solaris Security Toolkit hardening executed successfully; log file /var/opt/SUNWjass/run/20070208142843/jass-install-log.txt
It will not take effect until the next reboot; before rebooting make sure SSH or the serial line is setup for use after the reboot.

CODE EXAMPLE 3-2 Output From Choosing Customized Configuration Profile

Install
# install-ldm
Welcome to the LDoms installer.
You are about to install the domain manager package that will enable you to create, destroy and control other domains on your system. Given the capabilities of the domain manager, you can now change the security configuration of this Solaris instance using the Solaris Security Toolkit.
Select a security profile from this list:
a) Hardened Solaris configuration for LDoms (recommended)
b) Standard Solaris configuration
c) Your custom-defined Solaris security configuration profile
Enter a, b, or c [a]: c
Choose a Solaris Security Toolkit driver configuration profile from this list:
1) ldm_control-secure.driver
2) secure.driver
3) server-secure.driver
222. s="http://www.w3.org/2001/XMLSchema">
<xs:import namespace="/var/opt/SUNWldom/envelope" schemaLocation="ovf-envelope.xsd"/>
<xs:annotation>
  <xs:documentation>
    Copyright 2007 Sun Microsystems, Inc. All rights reserved.
    Use is subject to license terms.
  </xs:documentation>
</xs:annotation>
<!-- LDM interface document -->
<xs:element name="LDM_event">
  <xs:complexType>
    <xs:sequence>
      <!-- START cmd -->
      <xs:element name="cmd" minOccurs="1" maxOccurs="unbounded">
        <xs:complexType>
          <xs:sequence>
            <xs:element name="action" type="xs:string" minOccurs="0"/>
            <!-- START data -->
            <xs:element name="data" minOccurs="0" maxOccurs="unbounded">
              <xs:complexType>
                <xs:choice minOccurs="1" maxOccurs="unbounded">
                  <!-- OVF Envelope Version 0.9 -->
                  <xs:element name="Envelope" type="ovf:Envelope_Type"/>
                </xs:choice>
                <xs:attribute name="version" type="xs:string" use="required"/>
              </xs:complexType>
            </xs:element>
            <!-- END data -->
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <!-- END cmd -->
    </xs:sequence>
    <xs:attribute name="version" type="xs:string" use="required"/>
  </xs:complexType>
</xs:element>
<!-- LDM interface document -->
</xs:schema>
223. s or end users for nuclear weapons, missiles, chemical or biological weapons, or nuclear maritime uses, whether directly or indirectly, are strictly prohibited. Export or re-export to countries under U.S. embargo, or to entities identified on U.S. export exclusion lists, including but not limited to the list of persons subject to an order not to participate, directly or indirectly, in exports of products or services governed by U.S. export control legislation, and the list of specially designated nationals, is strictly prohibited.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE DISCLAIMED TO THE EXTENT PERMITTED BY APPLICABLE LAW, INCLUDING ANY IMPLIED WARRANTY OF QUALITY

Contents

Preface xv
Overview of the Logical Domains Software 1
Hypervisor and Logical Domains 1
Logical Domains Manager 3
Roles for Logical Domains 4
Command-Line Interface 4
Virtual Input/Output 5
Virtual Network 5
Virtual Storage 6
Virtual Console 6
Dynamic Reconfiguration 6
Delayed Reconfiguration 6
Persistent Configurations 8
Security 9
Security Considerations 9
Solaris Security Toolkit and the Logical Domains Manager 11
Hardening 11
Minimizing Logi
224. s Manager

The Logical Domains Manager is used to create and manage logical domains. There can be only one Logical Domains Manager per server. The Logical Domains Manager maps logical domains to physical resources.

Roles for Logical Domains

All logical domains are the same except for the roles that you specify for them. There are multiple roles that logical domains can perform.

TABLE 1-1 Logical Domain Roles

Control domain: Domain in which the Logical Domains Manager runs, allowing you to create and manage other logical domains, and allocate virtual resources to other domains. There can be only one control domain per server. The initial domain created when installing Logical Domains software is a control domain and is named primary.

Service domain: Domain that provides virtual device services to other domains, such as a virtual switch, a virtual console concentrator, and a virtual disk server.

I/O domain: Domain that has direct ownership of and direct access to physical I/O devices, such as a network card in a PCI Express controller. Shares the devices with other domains in the form of virtual devices when the I/O domain is also the control domain. The number of I/O domains you can have is dependent on your platform architecture. For example, if you are using a Sun UltraSPARC T1 processor, you can have a maximum of two I/O domains, one of which also must be t
225. s Manager Daemon 37
Creating Authorization and Profiles and Assigning Roles for User Accounts 37
Managing User Authorizations 38
Managing User Profiles 38
Assigning Roles to Users 39
Factory Default Configuration and Disabling Logical Domains 40
▼ Remove All Guest Logical Domains 41
▼ Restore the Factory Default Configuration 41
▼ Disable the Logical Domains Manager 42
▼ Removing the Logical Domains Manager 42
▼ Restore the Factory Default Configuration From the System Controller 43
Setting Up Services and Logical Domains 45
Output Messages 45
Sun UltraSPARC T1 Processors 45
Sun UltraSPARC T2 and T2 Plus Processors 46
Creating Default Services 46
▼ Create Default Services 46
Initial Configuration of the Control Domain 48
▼ Set Up the Control Domain 48
Rebooting to Use Logical Domains 49
▼ Reboot 49
Enabling Networking Between the Control/Service Domain and Other Domains 50
▼ Configure the Virtual Switch as the Primary Interface 50
Enabling the Virtual Network Terminal Server Daemon 52
▼ Enable the Virtual Network Terminal Server Daemon 52
Creating and Starting a Guest Domain 53
▼ Create and Start a Guest Domain 53
Installing Solaris OS on a Guest Domain 56
▼ Install Solaris OS on a Guest Domain From a DVD 56
▼ Install Solaris OS on a Guest Domain From a Solaris ISO File 59
▼ JumpStart a Guest Domain 61
Saving Logical Domain Configurations for Future Rebuilding 62
▼ Save All Logical Domain Configurat
226. s should not issue SCSI commands to the same physical SCSI disks; otherwise, this can lead to an unexpected disk state.

Virtual Disk and the format(1M) Command

The format(1M) command works in a guest domain with virtual disks exported as full disks. Single-slice disks are not seen by the format(1M) command, and it is not possible to change the partitioning of such disks. Virtual disks whose backends are SCSI disks support all format(1M) subcommands. Virtual disks whose backends are not SCSI disks do not support some format(1M) subcommands, such as repair and defect. In that case, the behavior of format(1M) is similar to the behavior of Integrated Drive Electronics (IDE) disks.

Using ZFS With Virtual Disks

This section describes using the Zettabyte File System (ZFS) to store virtual disk backends exported to guest domains. ZFS provides a convenient and powerful solution to create and manage virtual disk backends. ZFS enables:

■ Storing disk images in ZFS volumes or ZFS files
■ Using snapshots to back up disk images
■ Using clones to duplicate disk images and provision additional domains

Refer to the Solaris ZFS Administration Guide in the Solaris 10 System Administrator Collection for more information about using ZFS. In the following descriptions and examples, the primary domain is also the service domain where disk images are stored.

Configuring a ZFS Pool
227. s:simpleType>
<xs:restriction base="xs:unsignedShort">
  <xs:enumeration value="1"/>  <!-- Other -->
  <xs:enumeration value="2"/>  <!-- Computer System -->
  <xs:enumeration value="3"/>  <!-- Processor -->
  <xs:enumeration value="4"/>  <!-- Memory -->
  <xs:enumeration value="5"/>  <!-- IDE Controller -->
  <xs:enumeration value="6"/>  <!-- Parallel SCSI HBA -->
  <xs:enumeration value="7"/>  <!-- FC HBA -->
  <xs:enumeration value="8"/>  <!-- iSCSI HBA -->
  <xs:enumeration value="9"/>  <!-- IB HCA -->
  <xs:enumeration value="10"/> <!-- Ethernet Adapter -->
  <xs:enumeration value="11"/> <!-- Other Network Adapter -->
  <xs:enumeration value="12"/> <!-- I/O Slot -->
  <xs:enumeration value="13"/> <!-- I/O Device -->
  <xs:enumeration value="14"/> <!-- Floppy Drive -->
  <xs:enumeration value="15"/> <!-- CD Drive -->
  <xs:enumeration value="16"/> <!-- DVD drive -->
  <xs:enumeration value="17"/> <!-- Disk Drive -->
  <xs:enumeration value="18"/> <!-- Tape Drive -->
  <xs:enumeration value="19"/> <!-- Storage Extent -->
  <xs:enumeration value="20"/> <!-- Other storage device -->
  <xs:enumeration value="21"/> <!-- Serial port -->
  <xs:enumeration value="22"/> <!-- Parallel port -->
228. s5 120 spare1
filesys c0d0s6 120 spare2

Note: You must use the MAC address of the virtual network (vnet) device as reported by the ldm(1M) command for your JumpStart configuration, and not the one reported in the banner for the guest.

Saving Logical Domain Configurations for Future Rebuilding

The basic process is to save the constraints information for each domain into an XML file, which can then be re-issued to the Logical Domains Manager, for example after a hardware failure, to rebuild a desired configuration. "Rebuild Guest Domain Configurations" on page 62 works for guest domains, not the control domain. You can save the control (primary) domain's constraints to an XML file, but you cannot feed it back into the ldm add-domain -i command. However, you can use the resource constraints from the XML file to create the CLI commands to reconfigure your primary domain. See "Rebuilding the Control Domain" on page 63 for instructions on how to translate typical XML output from an ldm list-constraints -x primary command into the CLI commands needed to reconfigure a primary domain.

The method that follows does not preserve actual bindings, only the constraints used to create those bindings. This means that after this procedure, the domains will have the same virtual resources, but will not necessarily be bound to the same physical resources.

▼ Save All Logical Do
229. script and applying your own Solaris hardening. The SUNWjass package is located with the Logical Domains (LDoms) Manager 1.1 software package (SUNWldm) at Sun's software download web site. You have the option to download and install the Solaris Security Toolkit 4.2 software package at the same time you download and install the Logical Domains Manager 1.1 software. The Solaris Security Toolkit 4.2 software package includes the required patches to enable the Solaris Security Toolkit software to work with the Logical Domains Manager. Once the software is installed, you can harden your system with Solaris Security Toolkit 4.2 software. Chapter 3 tells you how to install and configure the Solaris Security Toolkit and harden your control domain.

Following are the security functions available to users of the Logical Domains Manager provided by the Solaris Security Toolkit:

■ Hardening: Modifying Solaris OS configurations to improve a system's security using the Solaris Security Toolkit 4.2 software with required patches to enable the Solaris Security Toolkit to work with the Logical Domains Manager.
■ Minimizing: Installing the minimum number of core Solaris OS packages necessary for LDoms and LDoms Management Information Base (MIB) support.
■ Authorization: Setting up authorization using the Solaris OS Role-Based Access Control (RBAC) adapted for the Logical Domains Manager.
■ Auditing: Using the Solaris OS Basic Security module (BSM)
230. se="xs:unsignedShort">
          <xs:minInclusive value="32767"/>
          <xs:maxInclusive value="65535"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:union>
  </xs:simpleType>
  <xs:anyAttribute namespace="##any"/>
</xs:restriction>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="AddressOnParent" nillable="true" type="cim:cimString"/>
<xs:element name="BusNumber" nillable="true" type="cim:cimUnsignedShort"/>
<xs:complexType name="CIM_ResourceAllocationSettingData_Type">
  <xs:sequence>
    <xs:element ref="class:Caption" minOccurs="0" maxOccurs="unbounded"/>
    <xs:element ref="class:Description" minOccurs="0" maxOccurs="unbounded"/>
    <xs:element ref="class:InstanceId" minOccurs="0"/>
    <xs:element ref="class:ResourceType" minOccurs="0"/>
    <xs:element ref="class:OtherResourceType" minOccurs="0"/>
    <xs:element ref="class:ResourceSubType" minOccurs="0"/>
    <xs:element ref="class:PoolID" minOccurs="0"/>
    <xs:element ref="class:ConsumerVisibility" minOccurs="0"/>
231. sk vd_setup_vd(): ldi_open_by_name(/dev/dsk/c4t12d0s2) = errno 16
vds_add_vd(): Failed to add vdisk ID 0

You can check if Veritas DMP is enabled by checking multipathing information in the output of the command vxdisk list, for example:

# vxdisk list Disk_3
Device:    Disk_3
devicetag: Disk_3
type:      auto
info:      format=none
flags:     online ready private autoconfig invalid
pubpaths:  block=/dev/vx/dmp/Disk_3s2 char=/dev/vx/rdmp/Disk_3s2
guid:
udid:      SEAGATE%5FST336753LSUN36G%5FDISKS%5F3032333948303144304E0000
site:
Multipathing information:
numpaths:  1
c4t12d0s2  state=enabled

Alternatively, if Veritas DMP is enabled on a disk or a slice that you want to export as a virtual disk with the excl option set, then you can disable DMP using the vxdmpadm command. For example:

# vxdmpadm -f disable path=/dev/dsk/c4t12d0s2

Using Volume Managers on Top of Virtual Disks

This section describes using volume managers on top of virtual disks.

Using ZFS on Top of Virtual Disks

Any virtual disk can be used with ZFS. A ZFS storage pool (zpool) can be imported in any domain that sees all the storage devices that are part of this zpool, regardless of whether the domain sees all these devices as virtual devices or real devices.

Using SVM on Top of Virtual Disks

Any virtual disk can be used in the SVM local disk set. For example, a virtual disk can be
232. software. Refer to "Required Software and Patches" in the Logical Domains (LDoms) 1.1 Release Notes to find the Solaris 10 OS that you should use for this version of the Logical Domains software, and the required and recommended patches for the different domains. Refer to the Solaris 10 10/08 installation guide for complete instructions for upgrading the Solaris OS.

When upgrading the Solaris OS in the control domain, you need to save the Logical Domains constraints database file. This section contains information you need to know about saving and restoring the Logical Domains constraints database file.

Saving and Restoring the Logical Domains Constraints Database File

Whenever you upgrade the operating system on the control domain, you must save and restore the Logical Domains constraints database file, which can be found in /var/opt/SUNWldm/ldom-db.xml.

Note: You must also save and restore the /var/opt/SUNWldm/ldom-db.xml file when you perform any other operation that is destructive to the control domain's file data, such as a disk swap.

Preserving the Logical Domains Constraints Database File When Using Live Upgrade

If you are using live upgrade on the control domain, consider adding the following line to the /etc/lu/synclist file:

/var/opt/SUNWldm/ldom-db.xml OVERWRITE

This causes the database to be copied automatically from the activ
233. spconfig Resource

CODE EXAMPLE 10-18 Example spconfig XML

<Envelope>
  <Section xsi:type="ovf:ResourceAllocationSection_type">
    <Item>
      <rasd:OtherResourceType>spconfig</rasd:OtherResourceType>
      <gprop:GenericProperty key="spconfig_name">primary</gprop:GenericProperty>
      <gprop:GenericProperty key="spconfig_status">current</gprop:GenericProperty>
    </Item>
  </Section>
</Envelope>

A service processor (SP) configuration (spconfig) resource always appears on its own in an <Envelope> section. It can have <gprop:GenericProperty> tags with the following keys:

■ spconfig_name: Name of a configuration to be stored on the SP.
■ spconfig_status: The current status of a particular SP configuration. This property is used in the output of an ldm list-spconfig command.

Virtual Data Plane Channel Service (vdpcs) Resource

CODE EXAMPLE 10-19 Example vdpcs XML

<Envelope>
  <References/>
  <Content xsi:type="ovf:VirtualSystem_Type" id="ldg1">
    <Section xsi:type="ovf:VirtualHardwareSection_Type">
      <Item>
        <rasd:OtherResourceType>vdpcs</rasd:OtherResourceType>
        <gprop:GenericProperty key="service_name">ldg1-vdpcs</gprop:GenericProperty>
      </Item>
    </Section>
  </Content>
</Envelope>

This resource is only of interest
234. ss on

▼ List Available Memory

List the amount of memory available to be allocated.

primary# ldm list-devices mem
MEMORY
    PA                   SIZE
    0x14e000000          2848M

▼ List Services

List the services that are available.

CODE EXAMPLE 9-14 Services List

primary# ldm list-services
VDS
    NAME             VOLUME         OPTIONS          DEVICE
    primary-vds0
VCC
    NAME             PORT-RANGE
    primary-vcc0     5000-5100
VSW
    NAME             MAC                NET-DEV    DEVICE     MODE
    primary-vsw0     00:14:4f:f9:68:d0  e1000g0    switch@0   prog,promisc

Listing Constraints

To the Logical Domains Manager, constraints are one or more resources you want to have assigned to a particular domain. You either receive all the resources you ask to be added to a domain, or you get none of them, depending upon the available resources. The list-constraints subcommand lists those resources you requested assigned to the domain.

▼ List Constraints for One Domain

List constraints for one domain, for example ldg1.

CODE EXAMPLE 9-15 Constraints List for One Domain

primary# ldm list-constraints ldg1
DOMAIN
ldg1
VCPU
    COUNT
    1
MEMORY
    SIZE
    512M
NETWORK
    NAME       SERVICE    DEVICE      MAC
    mynet-b    vsw0       network@0   08:00:20:ab:9a:12
    mynet-b    vsw0       network@0   08:00:20:ab:9a:12
DISK
    NAME       VOLUME
    mydisk-a   myvol-a@vds0
    mydisk-b   myvol-b@vds0
VDPCC
    NAME       SERVICE
    myvd
235. stem controller so that the factory default configuration is reloaded.

sc> poweroff
sc> poweron

▼ Disable the Logical Domains Manager

● Disable the Logical Domains Manager from the control domain.

primary# svcadm disable ldmd

Note: Disabling the Logical Domains Manager does not stop any running domains, but does disable the ability to create new domains, change the configuration of existing domains, or monitor the state of the domains.

Caution: If you disable the Logical Domains Manager, this disables some services, such as error reporting or power management. In the case of error reporting, if you are in the factory default configuration, you can reboot the sole domain to restore error reporting. However, this is not the case with power management. In addition, some system management or monitoring tools rely on the Logical Domains Manager.

▼ Removing the Logical Domains Manager

After restoring the factory default configuration and disabling the Logical Domains Manager, you can remove the Logical Domains Manager software.

● Remove the Logical Domains Manager software.

primary# pkgrm SUNWldm

Note: If you remove the Logical Domains Manager before restoring the factory default configuration, you can restore the factory default configuration from the system controller, as shown in the following procedure.
236. t>
</xs:schema>

The ovf-virtualhardware.xsd Schema

CODE EXAMPLE A-6 The ovf-virtualhardware.xsd Schema

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="/var/opt/SUNWldom/envelope"
  xmlns:ovf="/var/opt/SUNWldom/envelope"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:vssd="/var/opt/SUNWldom/CIM_VirtualSystemSettingData"
  xmlns:rasd="/var/opt/SUNWldom/CIM_ResourceAllocationSettingData">
  <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/>
  <xs:include schemaLocation="ovf-section.xsd"/>
  <xs:import namespace="/var/opt/SUNWldom/CIM_VirtualSystemSettingData" schemaLocation="cim-vssd.xsd"/>
  <xs:import namespace="/var/opt/SUNWldom/CIM_ResourceAllocationSettingData" schemaLocation="cim-rasd.xsd"/>
  <!-- Specifies the virtual hardware for a virtual machine -->
  <xs:complexType name="VirtualHardwareSection_Type">
    <xs:complexContent>
      <xs:extension base="ovf:Section_Type">
        <xs:sequence>
          <xs:element name="System" type="vssd:CIM_VirtualSystemSettingData_Type" minOccurs="0"/>
          <xs:element name="Item" type="rasd:CIM_ResourceAllocationSettingData_Type" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <!-- Specifies a section for resource constr
237. te a Short List 149
Generate a Long List (-l) 149
Generate an Extended List (-e) 151
Generate a Parseable, Machine-Readable List (-p) 153
Generate a Subset of a Long List (-o format) 153
List a Variable 155
List Bindings 155
List Configurations 156
List Devices 157
List Available Memory 158
List Services 159
Listing Constraints 159
▼ List Constraints for One Domain 160
▼ List Constraints in XML Format 161
▼ List Constraints in a Machine-Readable Format 162
Connecting to a Guest Console Over a Network 162
Stopping a Heavily Loaded Domain Can Time Out 163
Determining Where Errors Occur by Mapping CPU and Memory Addresses 164
CPU Mapping 164
▼ Determine the CPU Number 164
Memory Mapping 164
▼ Determine the Real Memory Address 165
Examples of CPU and Memory Mapping 165
Using Console Groups 167
▼ Combine Multiple Consoles Into One Group 167
Operating the Solaris OS With Logical Domains 168
OpenBoot Firmware Not Available After Solaris OS Has Started If Domaining Is Enabled 168
Power-Cycling a Server 168
▼ Save Your Current Logical Domain Configurations to the SC 169
Do Not Use the psradm(1M) Command on Active CPUs in a Power-Managed Domain 169
Result of Solaris OS Breaks 169
Results From Halting or Rebooting the Control Domain 169
Using LDoms With ALOM CMT 171
▼ Reset the Logical Domain Configuration to the Default or Another Configuration 171
Enabling and Using BSM Auditing 172
▼ Use th
238. ted successfully; log file /var/opt/SUNWjass/run/20070515140944/jass-install-log.txt
It will not take effect until the next reboot; before rebooting make sure SSH or the serial line is setup for use after the reboot.

Using JumpStart to Install the Logical Domains Manager 1.1 and Solaris Security Toolkit 4.2 Software

Refer to JumpStart Technology: Effective Use in the Solaris Operating Environment for complete information about using JumpStart.

Caution: Do not disconnect from the virtual console during a network installation.

▼ Set Up a JumpStart Server

■ If you have already set up a JumpStart server, proceed to "Install Using JumpStart Software" on page 32 of this administration guide.
■ If you have not already set up a JumpStart server, you must do so. Refer to the Solaris 10 10/08 Installation Guide: Custom JumpStart and Advanced Installations for complete information about this procedure.

1. Refer to "Preparing Custom JumpStart Installations (Tasks)" in the Solaris 10 10/08 Installation Guide: Custom JumpStart and Advanced Installations, and perform the following steps:
a. Read the task map in "Task Map: Preparing Custom JumpStart Installations".
b. Set up networked systems with the procedures in "Creating a Profile Server for Network Systems".
c. Create the rules file with the procedure in "Creating the rules File".
2. Validate the rules file with
239. tem installed in the guest -->
<xs:complexType name="OperatingSystemSection_Type">
  <xs:complexContent>
    <xs:extension base="ovf:Section_Type">
      <xs:sequence>
        <xs:element name="Description" type="ovf:Info_Type" minOccurs="0" maxOccurs="unbounded"/>
        <xs:any namespace="##targetNamespace" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
        <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <!-- The IDs are the enumeration used in CIM_OperatingSystem_Type -->
      <xs:attribute name="id" type="xs:string"/>
      <xs:anyAttribute namespace="##any"/>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
<!-- End User License Agreement -->
<xs:complexType name="EulaSection_Type">
  <xs:complexContent>
    <xs:extension base="ovf:Section_Type">
      <xs:sequence>
        <!-- Contains the license agreement in plain text. Several different locales can be specified -->
        <xs:element name="License" type="ovf:Info_Type" minOccurs="1" maxOccurs="unbounded"/>
        <xs:any namespace="##targetNamespace" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
        <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:anyAttribute namespace="##any"/>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
<!-- For a
240. terface> tag. This type of XML message is used for communicating commands and getting results back from the LDoms Manager, analogous to executing commands using the command-line interface (CLI). This tag is also used for event registration and unregistration.
■ Event messages use the <LDM_event> tag. This type of XML message is used to asynchronously report events posted by the LDoms Manager.

Request and Response Messages

The XML interface into LDoms has two different formats:

■ One format for sending commands into the LDoms Manager
■ Another format for the LDoms Manager to respond on the status of the incoming message and the actions requested within that message

The two formats share many common XML structures, but are separated in this discussion for a better understanding of the differences between them. This document also contains an XML Schema which details the combined incoming and outgoing XML. See "LDM Event XML Schema" on page 206.

Requests

An incoming XML request to the LDoms Manager, at its most basic level, includes a description of a single command operating on a single object. More complicated requests can handle multiple commands and multiple objects per command. Following is the structure of a basic XML command.

CODE EXAMPLE 10-1 Format of a Single Command Operating o
241. the procedure in "Validating the rules File". The Solaris Security Toolkit provides profiles and finish scripts. Refer to the Solaris Security Toolkit 4.2 Reference Manual for more information about profiles and finish scripts.
▼ Install Using JumpStart Software
1. Change to the directory where you have downloaded the Solaris Security Toolkit package (SUNWjass).
    # cd /path-to-download
2. Install SUNWjass so that it creates the JumpStart (/jumpstart) directory structure.
    # pkgadd -R /jumpstart -d . SUNWjass
3. Use your text editor to modify the /jumpstart/opt/SUNWjass/Sysidcfg/Solaris_10/sysidcfg file to reflect your network environment.
4. Copy the /jumpstart/opt/SUNWjass/Drivers/user.init.SAMPLE file to the /jumpstart/opt/SUNWjass/Drivers/user.init file.
    # cp user.init.SAMPLE user.init
5. Edit the user.init file to reflect your paths.
6. To install the Solaris Security Toolkit package (SUNWjass) onto the target system during a JumpStart install, you must place the package in the JASS_PACKAGE_MOUNT directory defined in your user.init file. For example:
    # cp -r /path/to/LDoms_Manager-1_0_2/Product/SUNWjass /jumpstart/opt/SUNWjass/Packages
7. To install the Logical Domains Manager package (SUNWldm.v) onto the target system during a JumpStart install, you must place the package from the downl
242. thout having to perform the entire Solaris OS installation process. For example, if the disk0 created was the boot disk of domain ldg1, do the following to clone that disk to create a boot disk for domain ldg2.
    primary# zfs create ldmpool/ldg2
    primary# zfs clone ldmpool/ldg1/disk0@version_1 ldmpool/ldg2/disk0
Then ldmpool/ldg2/disk0 can be exported as a virtual disk and assigned to the new ldg2 domain. The domain ldg2 can directly boot from that virtual disk without having to go through the OS installation process.
Cloning a Boot Disk Image
When a boot disk image is cloned, the new image is exactly the same as the original boot disk, and it contains any information that has been stored on the boot disk before the image was cloned, such as the host name, the IP address, the mounted file system table, or any system configuration or tuning.
Because the mounted file system table is the same on the original boot disk image and on the cloned disk image, the cloned disk image has to be assigned to the new domain in the same order as it was on the original domain. For example, if the boot disk image was assigned as the first disk of the original domain, then the cloned disk image has to be assigned as the first disk of the new domain. Otherwise, the new domain is unable to boot.
If the original domain was configured with a static IP address, then a new domain using the cloned image starts with the same IP address. In that case, you can
243. to as the source domain, and the shell of a domain created on the target machine is referred to as the target domain, while the migration is in progress.
Overview of a Migration Operation
The Logical Domains Manager on the source machine accepts the request to migrate a domain and establishes a secure network connection with the Logical Domains Manager running on the target machine. Once this connection has been established, the migration occurs. The migration itself can be broken down into different phases.
Phase 1: After connecting with the Logical Domains Manager running in the target host, information about the source machine and domain is transferred to the target host. This information is used to perform a series of checks to determine whether a migration is possible. The checks differ depending on the state of the source domain. For example, if the source domain is active, a different set of checks is performed than if the domain is bound or inactive.
Phase 2: When all checks in Phase 1 have passed, the source and target machines prepare for the migration. In the case where the source domain is active, this includes shrinking the number of CPUs to one and suspending the domain. On the target machine, a domain is created to receive the source domain.
Phase 3: For an active domain, the next phase is to transfer all the runtime state information for the domain to the target. This information is retrieved from the hypervisor. On the
244. to the service processor (SP) when a user adds, removes, or sets an SP configuration. Currently, the only three events of this type are:
• add-spconfig
• set-spconfig
• remove-spconfig
The hardware events always contain only a <Section> tag in the OVF data section, which describes the SP configuration to which the event is happening. To register for these events, send an <LDM_interface> message with the <action> tag set to reg-hardware-events. Unregistering for these events requires an <LDM_interface> message with the <action> tag set to unreg-hardware-events.
All Events
You can also register to listen for all three types of events without having to register for each one individually. To register for all three types of events simultaneously, send an <LDM_interface> message with the <action> tag set to reg-all-events. Unregistering for these events requires an <LDM_interface> message with the <action> tag set to unreg-all-events.
Logical Domains Manager Actions
The commands specified in the <action> tag, with the exception of the events commands, correspond to those of the LDoms command-line interface. For details about Logical Domains Manager (ldm) subcommands, refer to the Logical Domains (LDoms) Manager 1.1 Man Page Guide or the ldm man page.
Note – The XML interface does not support the verb or com
245. tual local area network (VLAN) identifier (ID) indicates the VLAN of which a virtual network and virtual switch need to be a member, in tagged mode.
• mode=hybrid to enable hybrid I/O for that virtual network.
Virtual Console Concentrator (vcc) Resource
CODE EXAMPLE 10-15  Example vcc XML
<Envelope>
  <References/>
  <Content xsi:type="ovf:VirtualSystem_Type" id="ldg1">
    <Section xsi:type="ovf:VirtualHardwareSection_Type">
      <Item>
        <rasd:OtherResourceType>vcc</rasd:OtherResourceType>
        <gprop:GenericProperty key="service_name">vcc1</gprop:GenericProperty>
        <gprop:GenericProperty key="min_port">6000</gprop:GenericProperty>
        <gprop:GenericProperty key="max_port">6100</gprop:GenericProperty>
      </Item>
    </Section>
  </Content>
</Envelope>
A vcc resource can be either in a <Content> section as part of a domain description, or it can appear on its own in an <Envelope> section. It can have <gprop:GenericProperty> tags with the following keys:
• service_name: Name to be assigned to the virtual console concentrator service
• min_port: Minimum port number to be associated with this vcc
• max_port: Maximum port number to be associated with this vcc
Variable (var) Resource
CODE EXAMPLE 10-16  Example var X
246. ugh the service domain it has been associated with (the primary domain in this example). If this service domain becomes unavailable, then the virtual disk tries to access its backend through a different service domain that is part of the same multipathing group.
Chapter 6  Using Virtual Disks With Logical Domains  91
Caution – When defining a multipathing group (mpgroup), ensure that the virtual disk backends that are part of the same mpgroup are effectively the same virtual disk backend. If you add different virtual disk backends into the same mpgroup, you might see some unexpected behavior, and you can potentially lose or corrupt data stored on the backends.
CD, DVD and ISO Images
You can export a compact disc (CD) or digital versatile disc (DVD) the same way you export any regular disk. To export a CD or DVD to a guest domain, export slice 2 of the CD or DVD device as a full disk, that is, without the slice option.
Note – You cannot export the CD or DVD drive itself; you only can export the CD or DVD that is inside the CD or DVD drive. Therefore, a CD or DVD must be present inside the drive before you can export it. Also, to be able to export a CD or DVD, that CD or DVD cannot be in use in the service domain. In particular, the Volume Management file system, volfs(7FS), service must not use the CD or DVD. See "Export a CD or DVD From the Service Domain to the Guest Domain" on page 93 for instructions on how to remove the dev
247. unded"/>
        <xs:any namespace="##targetNamespace" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
        <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:anyAttribute namespace="##any"/>
CODE EXAMPLE A-5  The ovf-core.xsd Schema (Continued)
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
<!-- Disk -->
<xs:complexType name="VirtualDiskDesc_Type">
  <!-- A logical ID for the virtual disk within this package -->
  <xs:attribute name="diskId" type="xs:string" use="required"/>
  <!-- A file reference to the virtual disk file. If this is not specified, a blank virtual disk is created of the given size -->
  <xs:attribute name="fileRef" type="xs:string" use="optional"/>
  <!-- Capacity in bytes. The capacity can be specified as either a size or as a reference to a property using ${property_name} -->
  <xs:attribute name="capacity" type="xs:string" use="required"/>
  <!-- Format of the disk. The format is an URL that identifies the disk type, e.g. http://www.vmware.com/format/vmdk.html#sparse -->
  <xs:attribute name="format" type="xs:string" use="required"/>
  <!-- Populated size of disk. This is an estimation of how much storage the disk needs if backed by a non pre-allocated (aka sparse) disk. This size does not take
248. ur own pool of assigned MAC addresses. The ldm subcommands that set MAC addresses are add-domain, add-vsw, set-vsw, add-vnet, and set-vnet. If you do not specify a MAC address in these subcommands, the Logical Domains Manager assigns one automatically.
The advantage to having the Logical Domains Manager assign the MAC addresses is that it utilizes the block of MAC addresses dedicated for use with logical domains. Also, the Logical Domains Manager detects and prevents MAC address collisions with other Logical Domains Manager instances on the same subnet. This frees you from having to manually manage your pool of MAC addresses.
MAC address assignment happens as soon as a logical domain is created or a network device is configured into a domain. In addition, the assignment is persistent until the device, or the logical domain itself, is removed.
Range of MAC Addresses Assigned to Logical Domains Software
Logical domains have been assigned the following block of 512K MAC addresses:
    00:14:4F:F8:00:00 - 00:14:4F:FF:FF:FF
The lower 256K addresses are used by the Logical Domains Manager for automatic MAC address allocation, and you cannot manually request an address in this range:
    00:14:4F:F8:00:00 - 00:14:4F:FB:FF:FF
You can use the upper half of this range for manual MAC address allocation:
    00:14:4F:FC:00:00 - 00:14:4F:FF:FF:FF
Automatic Assignment Algorithm
When you
249. us Processors
You receive the following message after the first operation that cannot be performed dynamically on any device or for any service on the primary domain, if you are using a server with a Sun UltraSPARC T2 or T2 Plus processor:
    Initiating delayed reconfigure operation on LDom primary.
    All configuration changes for other LDoms are disabled until the LDom reboots,
    at which time the new configuration for LDom primary will also take effect.
You receive the following notice after every subsequent operation on the primary domain until reboot, if you are using a server with a Sun UltraSPARC T2 or T2 Plus processor:
    Notice: LDom primary is in the process of a delayed reconfiguration.
    Any changes made to this LDom will only take effect after it reboots.
Creating Default Services
You must create the following virtual default services initially to be able to use them later:
• vdiskserver: virtual disk server
• vswitch: virtual switch service
• vconscon: virtual console concentrator service
▼ Create Default Services
1. Create a virtual disk server (vds) to allow importing virtual disks into a logical domain.
   For example, the following command adds a virtual disk server (primary-vds0) to the control domain (primary).
    primary# ldm add-vds primary-vds0 primary
2. Create a virtual console concentrator (vcc) service for use by the v
250. ute name="manifest" type="xs:boolean" use="optional"/>
  <xs:anyAttribute namespace="##any"/>
</xs:complexType>
<xs:complexType name="References_Type">
  <xs:sequence>
    <xs:element name="File" type="ovf:File_Type" minOccurs="0" maxOccurs="unbounded"/>
CODE EXAMPLE A-3  The ovf-envelope.xsd Schema (Continued)
    <xs:any namespace="##targetNamespace" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <xs:anyAttribute namespace="##any"/>
</xs:complexType>
<!-- Type for an external reference to a resource -->
<xs:complexType name="File_Type">
  <xs:sequence>
    <xs:any namespace="##targetNamespace" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
  <!-- Reference key used in other parts of the package -->
  <xs:attribute name="id" type="xs:string" use="required"/>
  <!-- Same as using a single part element -->
  <xs:attribute name="href" type="xs:string" use="required"/>
  <!-- Size in bytes of the files (if known) -->
  <xs:attribute name="size" type="xs:integer" use="optional"/>
  <!-- Estimated size in bytes of the files (if
251. virtual network device sends and receives tagged frames over the VLANs specified by its VIDs. The virtual switch passes any frames that are tagged with the specified VID between the virtual network device and the external network.
Chapter 7  Using a Virtual Network With Logical Domains  123
▼ Assign VLANs to a Virtual Switch and Virtual Network Device
1. Assign the virtual switch (vsw) to two VLANs, for example. Configure VLAN 21 as untagged and VLAN 20 as tagged. Assign the virtual network (vnet) to three VLANs, for example. Configure VLAN 20 as untagged and VLAN 21 and 22 as tagged.
    # ldm add-vsw net-dev=e1000g0 pvid=21 vid=20 primary-vsw0 primary
    # ldm add-vnet pvid=20 vid=21,22 vnet01 primary-vsw0 ldom1
2. Plumb the VLAN interfaces.
   This example assumes that the instance number of these devices is 0 in the domains, and the VLANs are mapped to these subnets:
    VLAN  Subnet
    20    192.168.1.0 (netmask 255.255.255.0)
    21    192.168.2.0 (netmask 255.255.255.0)
    22    192.168.3.0 (netmask 255.255.255.0)
   a. Plumb the VLAN interface in the service (primary) domain.
    primary# ifconfig vsw0 plumb
    primary# ifconfig vsw0 192.168.2.100 netmask 0xffffff00 broadcast + up
    primary# ifconfig vsw20000 plumb
    primary# ifconfig vsw20000 192.168.1.100 netmask 0xffffff00 broadcast + up
   b. Plumb the VLAN interface in the guest (ldom1) domain.
    ldom1# ifconfig vnet0 plumb
    ldom1# ifconfig vnet0 192.168.1.101 netmask 0xffffff00 b
252. with an appropriate error message.
Even though attempts to remove virtual I/O devices on an active logical domain are handled as a delayed reconfiguration operation, if you are running the Solaris 10 5/08 OS or earlier, some configuration change does occur immediately in the domain. This means the device will stop functioning as soon as the associated Logical Domains Manager CLI operation is invoked. This issue does not apply if you are running the Solaris 10 10/08 OS in the domain, since the entire removal happens immediately as part of a virtual I/O dynamic reconfiguration operation.
The Logical Domains Manager subcommand remove-reconf cancels delayed reconfiguration operations. You can list delayed reconfiguration operations by using the ldm list-domain command. Refer to the ldm(1M) man page or the Logical Domains (LDoms) Manager Man Page Guide for more information about how to use the delayed reconfiguration feature.
Note – You cannot use the ldm remove-reconf command if any other ldm remove commands have been issued on virtual I/O devices. The ldm remove-reconf command fails in these circumstances.
Chapter 1  Overview of the Logical Domains Software  7
Persistent Configurations
The current configuration of a logical domain can be stored on the system controller (SC) using the Logical Domains Manager CLI commands. You can add a configuration, specify a configuration to be used, remove a configuration, and list the configuratio
253. with direct access to physical devices instead of using I/O virtualization. When the Logical Domains system is powered on, the control (primary) domain uses all the physical device resources, so the primary domain owns both the PCIe bus leaves.
Caution – All internal disks on the supported servers are connected to a single leaf. If a control domain is booted from an internal disk, do not remove that leaf from the domain. Also, ensure that you are not removing the leaf with the primary network port. If you remove the wrong leaf from the control or service domain, that domain would not be able to access required devices and would become unusable. If the primary network port is on a different bus than the system disk, then move the network cable to an onboard network port and use the Logical Domains Manager to reconfigure the virtual switch (vsw) to reflect this change.
▼ Create a Split PCI Configuration
The example shown here is for a Sun Fire T2000 server. This procedure also can be used on other Sun UltraSPARC T1-based servers, such as a Sun Fire T1000 server and a Netra T2000 server. The instructions for different servers might vary slightly from these, but you can obtain the basic principles from the example. Mainly, you need to retain the leaf that has the boot disk, and remove the other leaf from the primary domain and assign it to another domain.
1. Verify that the primary domain owns both leaves of the PCI Express bus.
    primary# ldm l
254. y          active    -n-cv  SP      4     4G      0.2%  22h 45m
    VDS
        NAME          VOLUME       OPTIONS  DEVICE
        primary-vds0  vol1                  /dev/dsk/c1t1d0s2
                      iso_vol               /export/solarisdvd.iso
                      dvd_vol               /dev/dsk/c0t0d0s2
                      install_vol           /export/install_disk
    NAME   STATE     FLAGS  CONS  VCPU  MEMORY  UTIL  UPTIME
    ldg1   inactive  -----        60    6G
    DISK
        NAME            VOLUME                    TOUT  DEVICE  SERVER
        vdisk1          vol1@primary-vds0
        vdisk_iso       iso_vol@primary-vds0
        vdisk_cd_media  dvd_vol@primary-vds0      60
        vdisk_install   install_vol@primary-vds0
Chapter 4  Setting Up Services and Logical Domains  59
4. Bind and start the guest domain ldg1.
    primary# ldm bind ldg1
    primary# ldm start ldg1
    LDom ldg1 started
    primary# telnet localhost 5000
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    Connecting to console "ldg1" in group "ldg1" ....
    Press ~? for control options ..
5. Show the device aliases in the client OpenBoot PROM.
   In this example, see the device aliases for vdisk_iso, which is the Solaris ISO image, and vdisk_install, which is the disk space.
    ok devalias
    vdisk_install    /virtual-devices@100/channel-devices@200/disk@3
    vdisk_cd_media   /virtual-devices@100/channel-devices@200/disk@2
    vdisk_iso        /virtual-devices@100/channel-devices@200/disk@1
    vdisk1           /virtual-devices@100/channel-devices@200/disk@0
    vnet1            /virtual-devices@100/channel-devices@200/network@0
    net              /virtual-devices@100/channel-devices@200/network@0
    disk             /virtual-devices@100/channel-devices@200/disk@0
    virtual-console  /virtual-devices/c
255. yntax to set options for a virtual switch that already exists.
    ldm set-vsw [pvid=port-vlan-id] [vid=vlan-id1,vlan-id2,...] [mac-addr=num] [net-dev=device] [mode=sc] vswitch_name
Where:
• mode= (left blank) stops special processing of Solaris Cluster heartbeat packets.
• Otherwise, the command arguments are the same as described in "Add a Virtual Switch" on page 109.
▼ Remove a Virtual Switch
Use the following command syntax to remove a virtual switch.
    ldm rm-vsw [-f] vswitch_name
Where:
• -f attempts to force the removal of a virtual switch. The removal might fail.
• vswitch_name is the name of the switch that is to be removed as a service.
Managing a Virtual Network Device
This section describes adding a virtual network device to a domain, setting options for an existing virtual network device, and removing a virtual network device.
▼ Add a Virtual Network Device
Use the following command syntax to add a virtual network device.
    ldm add-vnet [mac-addr=num] [mode=hybrid] [pvid=port-vlan-id] [vid=vlan-id1,vlan-id2,...] if-name vswitch_name ldom
Where:
• mac-addr=num is the MAC address for this network device. The number must be in standard octet notation, for example, 80:00:33:55:22:66. See "Assigning MAC Addresses Automatically or Manually" on page 114 for more information.
• mode=hybrid to request the
256. ype>vds_volume</rasd:OtherResourceType>
        <gprop:GenericProperty key="vol_name">vdsdev0</gprop:GenericProperty>
        <gprop:GenericProperty key="service_name">primary-vds0</gprop:GenericProperty>
        <gprop:GenericProperty key="block_dev">/opt/SUNWldm/domain_disks/testdisk1</gprop:GenericProperty>
        <gprop:GenericProperty key="vol_opts">ro</gprop:GenericProperty>
        <gprop:GenericProperty key="mpgroup">mpgroup-name</gprop:GenericProperty>
      </Item>
    </Section>
  </Content>
</Envelope>
A vds_volume resource can be in a <Content> section as part of a domain description, or it can appear on its own in an <Envelope> section. It must have <gprop:GenericProperty> tags with the following keys:
• vol_name: Name of the volume
• service_name: Name of the virtual disk server to which this volume is to be bound
• block_dev: File or device name to be associated with this volume
Optionally, a vds_volume resource can also have the following properties:
• vol_opts: One or more of the following, comma-separated within one string: ro, slice, excl
• mpgroup: Name of the multipath (failover) group
Disk (disk) Resource
CODE EXAMPLE 10-12  Example disk XML
<Envelope>
  <References/>
  <Content xsi:type="ovf:VirtualSystem_Type" id="ldg1">
    <Section xsi:typ
