Wednesday, November 19, 2014

Solaris 11: DNS Client Configuration Using Svccfg

In Solaris 11, a lot of configuration is being moved from configuration files into the Service Management Framework. Here we will discuss this change as it affects the DNS client.
View Existing DNS Client Configuration
# svccfg -s network/dns/client listprop config
config application
config/value_authorization astring solaris.smf.value.name-service.dns.client
config/domain astring test.local
config/nameserver net_address 10.0.0.152
Update Existing DNS Client Configuration
Here we will update our name servers. In this case we are replacing the original with two different addresses.
# svccfg -s network/dns/client setprop config/nameserver = net_address: "(10.0.0.141 10.0.0.142)"
Here we are changing the domain to b.test.local.
# svccfg -s network/dns/client setprop config/domain = astring: b.test.local
And we are defining a previously undefined setting for the search domains, which will include test.local and b.test.local.
# svccfg -s network/dns/client setprop config/search = astring: '("test.local" "b.test.local")'
Here we are defining our name resolution order.
# svccfg -s name-service/switch setprop config/ipnodes = astring: '("files dns")'
# svccfg -s name-service/switch setprop config/host = astring: '("files dns")'
Review Changed DNS Client Configuration
# svccfg -s network/dns/client listprop config
config application
config/value_authorization astring solaris.smf.value.name-service.dns.client
config/domain astring b.test.local
config/nameserver net_address 10.0.0.141 10.0.0.142
config/search astring "test.local" "b.test.local"
Review Changed Name Service Configuration
# svccfg -s name-service/switch listprop config
config application
config/default astring files
config/value_authorization astring solaris.smf.value.name-service.switch
config/printer astring "user files"
config/ipnodes astring "files dns"
config/host astring "files dns"
Export DNS Client Configuration
This command will build an /etc/resolv.conf based on your settings above.
# svcadm enable dns/client
# nscfg export svc:/network/dns/client:default
# cat /etc/resolv.conf
#
# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
#
#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
# DO NOT EDIT THIS FILE. EDITS WILL BE LOST.
# See resolv.conf(4) for details.
domain b.test.local
search test.local b.test.local
nameserver 10.0.0.141
nameserver 10.0.0.142
If you manually edit the /etc/resolv.conf then your changes will be lost on a restart of the network/dns/client service or a reboot, as the warning says.
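Because SMF is the source of truth and /etc/resolv.conf is only a generated copy, a resolver line that appears in the file but not in SMF is worth flagging before the next restart silently erases it. The following is an added example, not part of the original post: it renders the expected directives from the listprop output and compares them with the file. The function names and the 192.0.2.53 address are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect drift between SMF dns/client properties and resolv.conf.
# Needs a POSIX awk (on Solaris use nawk or /usr/xpg4/bin/awk).

# stdin: `svccfg -s network/dns/client listprop config` text -> resolv.conf directives
smf_to_resolv() {
    awk '{ gsub(/"/, "") }                  # multi-valued astrings are printed quoted
         $1 == "config/domain"     { domain = $3 }
         $1 == "config/search"     { for (i = 3; i <= NF; i++) search = search " " $i }
         $1 == "config/nameserver" { for (i = 3; i <= NF; i++) ns[++n] = $i }
         END { if (domain != "") print "domain " domain
               if (search != "") print "search" search
               for (i = 1; i <= n; i++) print "nameserver " ns[i] }'
}

# stdin: resolv.conf text -> directives only (comments and blank lines dropped)
resolv_directives() {
    awk '!/^[ \t]*([#;]|$)/ { $1 = $1; print }'
}

# dns_drift LISTPROP_TEXT RESOLV_TEXT
# Returns 0 when in sync; otherwise prints the differing lines and returns 1.
# Order matters (nameservers are tried in order), so an order-only difference
# returns 1 without printing any line.
dns_drift() {
    want=$(printf '%s\n' "$1" | smf_to_resolv)
    have=$(printf '%s\n' "$2" | resolv_directives)
    if [ "$want" = "$have" ]; then return 0; fi
    printf '%s\n' "$have" | grep -Fxv -e "$want" | sed -n 's/^./unexpected: &/p'
    printf '%s\n' "$want" | grep -Fxv -e "$have" | sed -n 's/^./missing: &/p'
    return 1
}

# Constructed sample input: the listprop output shown above, and a resolv.conf
# to which a resolver was added by hand (192.0.2.53 is a documentation address).
SMF_SAMPLE='config application
config/domain astring b.test.local
config/nameserver net_address 10.0.0.141 10.0.0.142
config/search astring "test.local" "b.test.local"'
RESOLV_EDITED='# _AUTOGENERATED_FROM_SMF_V1_
domain b.test.local
search test.local b.test.local
nameserver 10.0.0.141
nameserver 10.0.0.142
nameserver 192.0.2.53'

dns_drift "$SMF_SAMPLE" "$RESOLV_EDITED" || echo "resolv.conf does not match SMF"
# Live use: dns_drift "$(svccfg -s network/dns/client listprop config)" "$(cat /etc/resolv.conf)"
```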
Export Name Service Configurations
# svcadm refresh name-service/switch
# cat /etc/nsswitch.conf
#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
# DO NOT EDIT THIS FILE. EDITS WILL BE LOST.
# See nsswitch.conf(4) for details.
passwd: files
group: files
hosts: files dns
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
project: files
auth_attr: files
prof_attr: files
tnrhtp: files
tnrhdb: files
sudoers: files
An Extra Trick
Now, if you can’t be bothered to do things the new way, they also put in an import mechanism, whereby you can take advantage of your existing knowledge and simply import your modified configuration files into the SMF to manage them going forward.
So modify your /etc/resolv.conf and your /etc/nsswitch.conf and then import them with nscfg.
# nscfg import -f name-service/switch:default
# nscfg import -f dns/client:default

Sunday, May 4, 2014

TSERIES SERVER - ILOM

SEND BREAK ON A TSERIES SERVER
1) Login to the ILOM
2) From ILOM prompt type

->set /HOST send_break_action=break
Set 'send_break_action' to 'break'

3) Login to the console of the server
->start /SP/console
Are you sure you want to start /SP/console (y/n)? y
Serial console started. To stop, type #.

Press Enter and you should see

c)ontinue, s)ync, r)eboot, h)alt?

4) Select from the options above
 
CAPTURE SNAPSHOT FROM ILOM
1)
-> cd /SP/diag/snapshot

2) Specify the host and directory where the snapshot will be transferred.
-> set dump_uri=ftp://@ip_address//

Enter remote user password: *******
Set 'dump_uri' to 'ftp://root@//tmp'

3) Check status of "snapshot"
-> show

/SP/diag/snapshot
Targets:

Properties:
dataset = normal
dump_uri = (Cannot show property)
encrypt_output = false
result = Running <-- check for completed status

4) Check for the completion of snapshot

-> show

/SP/diag/snapshot
Targets:

Properties:
dataset = normal
dump_uri = (Cannot show property)
encrypt_output = false
result = Collecting data into
Snapshot Complete.

Done.
 
SWITCH BETWEEN ALOM AND ILOM ON SPARC TSERIES SERVERS
Switching between ALOM and ILOM is applicable on SPARC CMT servers (T-series).

SWITCH FROM ILOM TO ALOM:
If you have logged in to ILOM as the root user (you may be logged in as a different user) and you want to switch to ALOM, run the command below, then log out and log back in.

->set /SP/users/root cli_mode=alom

SWITCH FROM ALOM TO ILOM:
If you have logged in to the ALOM shell as the root user (you may be logged in as a different user) and you want to switch to the ILOM shell, run the command below, then log out and log back in.

sc>userclimode root default

References:
http://docs.oracle.com/cd/E19745-01/820-7145-11/z400018e1008787.html#scrolltoc
 
ISSUE WITH UPLOADING FIRMWARE TO THE SERVICE PROCESSOR (sysfwdownload: download failure - status = 2)
I tried to load a firmware package from Solaris 10 to the Service Processor on a T5240 machine and it failed with status = 2. Most of the time the issue is due to the service processor being slow or having too many stale connections. A few other things might contribute to the issue. Check the solutions below; if this is not the issue you are seeing, you will have to contact Oracle support with the ILOM snapshot, the server patch level and the commands you are running.

ISSUE:
# pwd
/var/tmp/147310-08
# ls -ltr
total 31406
-r--r--r-- 1 root root 183 Sep 10 2012 LEGAL_LICENSE.TXT
-rwxr-xr-x 1 root root 8196 Jan 21 2013 sysfwdownload.README
-rwxr-xr-x 1 root root 21308 Jan 21 2013 sysfwdownload
-rwxr-xr-x 1 root root 184 Jan 21 2013 license.txt
-rwxr-xr-x 1 root root 11821 Jan 21 2013 Install.info
-rwxr-xr-x 1 root root 72 Jan 21 2013 copyright
-rwxr-xr-x 1 root root 15990784 Jan 21 2013 Sun_System_Firmware-7_4_5-SPARC_Enterprise_T5140+T5240.pkg
-rwxr-xr-x 1 root root 1291 Jan 21 2013 SPARC_Enterprise_T5140+T5240_metadata.xml
-rw-r--r-- 1 root root 12781 Feb 10 2013 README.147310-08
-rw-r--r-- 1 root root 19426 Feb 10 2013 147310-08.html
# ./sysfwdownload Sun_System_Firmware-7_4_5-SPARC_Enterprise_T5140+T5240.pkg
sysfwdownload: download failure - status = 2


SOLUTION 1:
Login to the ILOM/SC and reset the service processor.

sc>resetsc
Are you sure you want to reset the SC (y/n)? y
Performing reset on the SC

Once the service processor is up, try again to load the firmware from the Solaris operating system to the service processor.

# cd /var/tmp/147310-08
# ./sysfwdownload Sun_System_Firmware-7_4_5-SPARC_Enterprise_T5140+T5240.pkg

If resetting the service processor didn't help, see whether solution 2 applies to you.

SOLUTION 2:
You have to log in to the ILOM using the "sunservice" account and your ILOM user password. If the SP is running a 7.1.x based FW release (ILOM 2.0), the sunservice account is present by default and you can log in directly (there is no need to get an escalation mode key).

After you log in to the ILOM with the "sunservice" account, check the output of df -h and see if the /coredump file system is full. If it is full, this might be your issue.

Login: sunservice
Password:

Copyright 2007 Sun Microsystem, Inc. All rights reserved.

WARNING: The "sunservice" account is provided solely to allow
Sun Services to perform diagnosis and recovery tasks. Customer use of
the "sunservice" account may interfere with the correct operation of
ILOM and is not supported other than to perform recovery procedures as
documented by Sun Microsystems. Normal ILOM operations should always be
performed using the root account. Further usage of the "sunservice"
account implies your agreement with these terms.


[(flash)root@myilom:~]# df -h
Filesystem Size Used Available Use% Mounted on
/dev/mtdblock4 9.7M 9.7M 0 100% /
sushi 1.0M 308.0k 716.0k 30% /var
sashimi 1.0M 372.0k 652.0k 36% /var/log
tmpfs 62.3M 0 62.3M 0% /dev/shm
/dev/tffsa1 31.0M 29.1M 258.0k 99% /store
/dev/loop0 23.2M 4.9M 17.1M 22% /persist
/dev/loop1 3.9M 1.1M 2.5M 31% /conf
/dev/tffsa3 53.0M 53.0M 0 100% /coredump


cd to the /coredump directory and remove the files matching *core*. Do not remove any other files that do not contain *core* in the file name.

After removal:
[(flash)root@myilom:/coredump]# df -h
Filesystem Size Used Available Use% Mounted on
/dev/mtdblock4 9.7M 9.7M 0 100% /
sushi 1.0M 308.0k 716.0k 30% /var
sashimi 1.0M 384.0k 640.0k 38% /var/log
tmpfs 62.3M 0 62.3M 0% /dev/shm
/dev/tffsa1 31.0M 29.1M 258.0k 99% /store
/dev/loop0 23.2M 4.9M 17.1M 22% /persist
/dev/loop1 3.9M 1.1M 2.5M 31% /conf
/dev/tffsa3 53.0M 4.0M 46.2M 8% /coredump


Now try to load the firmware from the Solaris operating system to the service processor.

# cd /var/tmp/147310-08
# ./sysfwdownload Sun_System_Firmware-7_4_5-SPARC_Enterprise_T5140+T5240.pkg

ENABLE HTTPS ON ORACLE M SERIES SERVERS (XSCF)
If you have not enabled HTTPS on your M series servers, this is how you enable it.

Description from Oracle:
"Hypertext Transfer Protocol (HTTP) over an authenticated/encrypted connection allows you to use the XSCF web browser securely. This is called the HTTPS service. Authentication is provided with a certificate authority and private keys. To use the HTTPS service, you must enable it, and provide an optional port number. The default port is 443. To enable HTTPS service, use the sethttps command"

1) Log in to the XSCF of the server through ssh, assuming you have already configured the network on the XSCF and enabled ssh. If not, you can log in through the console/console server, configure the network interface on the XSCF and then proceed with the further steps.

2) Once you are in xscf, check the status of https

XSCF> showhttps
HTTPS status: disabled

3) Generate a self signed certificate.

XSCF> sethttps -c selfsign US California Irvine mycompany myemail@myemail.com
CA key and CA cert already exist. Do you still wish to update? [y|n] :y
Enter passphrase:
Verifying - Enter passphrase:

4) Check the HTTPS Status

XSCF> showhttps
HTTPS status: disabled
Server key: installed in Jul 16 12:46:20 MST 2013
CA key: installed in Jul 16 12:46:18 MST 2013
CA cert: installed in Jul 16 12:46:18 MST 2013
CSR:

It will still be disabled, because we haven't enabled HTTPS yet.

5) Now we shall enable HTTPS.

XSCF> sethttps -c enable
Continue? [y|n] :y
Please reset the XSCF by rebootxscf to apply the https settings.

6) Reset XSCF

XSCF> rebootxscf
The XSCF will be reset. Continue? [y|n] :y
execute S10ioxoffXSCF> -- complete
Jul 16 12:48:35 myhost XSCF[104]: XSCF shutdown sequence start
execute K000end -- complete
execute K100end -- complete
execute K101end -- complete
< Lines Omitted>

7) Once the XSCF is up, check the HTTPS status. It will now be enabled.

XSCF> showhttps
HTTPS status: enabled
Server key: installed in Jul 16 12:52:04 MST 2013
CA key: installed in Jul 16 12:52:04 MST 2013
CA cert: installed in Jul 16 12:52:04 MST 2013
CSR:

8) Login to XSCF from your web browser and confirm everything is operational.

https://
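The certificate created in step 3 is self-signed, so the browser cannot validate it against a public CA. One way to confirm you are talking to the right XSCF is to record the certificate's SHA-256 fingerprint at setup time and compare it on later connections. This is an added example, not part of the original post: it assumes the openssl CLI on the admin workstation, and the function names and host names are constructed stand-ins.

```shell
#!/bin/sh
# Added example: pin the fingerprint of a self-signed management-interface certificate.

# cert_fp PEM_FILE -> SHA-256 fingerprint as lowercase hex without colons
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# norm_fp TEXT -> fingerprint normalized the same way (operators paste it
# with colons, spaces or upper case)
norm_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# pin_check PEM_FILE RECORDED_FP -> 0 only if the certificate matches the pin
pin_check() {
    [ "$(cert_fp "$1")" = "$(norm_fp "$2")" ]
}

# make_selfsigned OUT_PEM CN: constructed stand-in for the XSCF certificate,
# so the example runs offline. The throwaway private key is deleted.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
    rm -f "$1.key"
}

tmp=$(mktemp -d)
make_selfsigned "$tmp/xscf.pem" xscf.example.test
make_selfsigned "$tmp/other.pem" other.example.test
recorded=$(cert_fp "$tmp/xscf.pem")      # in practice: recorded once at setup time

pin_check "$tmp/xscf.pem" "$recorded"  && echo "xscf.pem: matches recorded pin"
pin_check "$tmp/other.pem" "$recorded" || echo "other.pem: does NOT match, do not trust"
rm -rf "$tmp"

# Against a live interface, fetch the presented certificate first
# (HOST is a placeholder for your XSCF address):
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null | openssl x509 > presented.pem
#   pin_check presented.pem "$recorded"
```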
