UnixCBT feat. Solaris 10 Edition Training Notes – 20060801.01


Page 1: UnixCBT Feat. Solaris10 Notes



Table of Contents
Apache Web Server - Notes
BIND DNS Implementation - Notes
System Scheduler – Cron - Notes
File System Management - Notes
Volume Management - Notes
File Transfer Protocol Daemon (FTPD) Implementation - Notes
GNU Privacy Guard (GPG) - Notes
MySQL Implementation - Notes
NETSTAT - Notes
Network Configuration Overview - Notes
Network File System (NFS) - Notes
AutoFS - Notes
Network Mapper Nmap - Notes
Network Time Protocol (NTP) - Notes
Quota Implementation & Management - Notes
Samba – Windows Integration - Notes
Remote Desktop Installation - Notes
Samba Server Configuration - Notes
System Security Overview - Notes
Sendmail MTA Features - Notes
Snoop – Network Sniffer - Notes
TCPDump – Network Sniffer - Notes
Snort Network Intrusion Detection System (NIDS) - Notes
SYSLOG Implementation - Notes
Log Rotation using logadm - Notes
Zettabyte File System (ZFS) - Notes
Solaris Zones - Notes


Apache Web Server - Notes

SAMP - Solaris Apache MySQL PHP/Perl
LAMP - Linux Apache MySQL PHP/Perl/Python

Modular & Reliable

2 Versions (1.3.33 & 2.0.50) are included with Solaris 10
svcs -a | grep -i apache

Note: Apache2 documentation is available @: http://localhost/manual

Steps to invoke Apache on Solaris 10:
1. cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
2. update the ServerName & ServerAdmin directives for the main server
3. svcadm enable apache2
4. netstat -anP tcp | grep 80 - confirm Apache is bound to port 80, then browse to http://localhost/manual

Note: Typical classes of web server response codes:
200 - OK
300 - Redirect
400 - client error
500 - server error

Note: Apache ALWAYS maintains a DEFAULT HOST. Its config is in httpd.conf, outside of ANY and ALL virtual host containers.
Note: Apache requires the following info. for the DEFAULT HOST:
1. ServerName - linuxcbtsun1.linuxcbt.internal
2. ServerAdmin
3. DocumentRoot - where to serve content from
4. IP Address:Port to bind to - optional
5. Logging information - custom/combined & error logs

Note: The Listen directive controls the IPs and ports that Apache binds to
Note: specify 'Listen' directive(s) in the DEFAULT HOST (httpd.conf)
Note: You can specify multiple Listen directives
Note: Apache binds to ALL IP addresses when 'Listen' is specified without an IP address

DEFAULT HOST (IP:PORT)
 - Virtual Host 1
 - Virtual Host 2

<Directory "/var/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Directory "/var/apache2/htdocs/temp">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>


Note: <Directory "/var/apache2/htdocs"> - applies to all sub-directories

###Order, Allow, Deny Rules###
Note: Order is specified first, and Deny or Allow (or a combination) follows
Note: Allow|Deny support the following arguments:
1. IP Address - 127.0.0.1
2. IP Address range
3. IP Subnet Mask using CIDR or Class notation - 192.168.1.0/24 or 192.168.1.0/255.255.255.0
4. Partial IP address (leading octets) - 192.168.1
5. ALL
6. Environment variables - referrer, user agents

Used to influence default doc: DirectoryIndex index.html index.html.var

LogFormat is used to define a logging format under a nickname, which CustomLog can then reference
Apache can log to multiple log files, using various formats, simultaneously
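The response-code classes and the LogFormat/CustomLog directives above are what an operator works from when reading the access log. The shell functions below are an added example written for these notes (not from the UnixCBT material or the Apache project): they summarise a combined-format access log by response class and list clients with repeated 4xx/5xx responses, which is the quickest way to spot a misconfigured Alias or a client asking for files it may not read. The log lines are constructed; the client addresses are the ones used elsewhere in these notes.

```shell
#!/bin/sh
# Added example: summarise an Apache access log (combined LogFormat) by
# response-code class and list clients with repeated 4xx/5xx responses.
# Not from the UnixCBT notes; the log lines below are constructed.

# status_class_summary < access_log -> lines of "<class> <count>", e.g. "4xx 3"
# In the combined format the status code is the 9th whitespace-separated field.
status_class_summary() {
    awk '$9 ~ /^[1-5][0-9][0-9]$/ { class[substr($9, 1, 1) "xx"]++ }
         END { for (c in class) print c, class[c] }' | sort
}

# error_clients THRESHOLD < access_log -> "<ip> <count>" for every client with
# at least THRESHOLD responses in the 400/500 classes
error_clients() {
    awk -v t="$1" '$9 ~ /^[45][0-9][0-9]$/ { err[$1]++ }
                   END { for (ip in err) if (err[ip] >= t) print ip, err[ip] }' | sort
}

# Constructed sample in combined format:
# client ident user [time] "request" status bytes "referer" "user-agent"
SAMPLE_LOG='192.168.1.77 - - [01/Aug/2006:10:15:01 -0500] "GET /manual/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.1.77 - - [01/Aug/2006:10:15:02 -0500] "GET /private/ HTTP/1.1" 200 318 "-" "Mozilla/5.0"
172.16.20.11 - - [01/Aug/2006:10:16:10 -0500] "GET /private/ HTTP/1.1" 403 210 "-" "curl/7.15"
172.16.20.11 - - [01/Aug/2006:10:16:11 -0500] "GET /noaccess.html HTTP/1.1" 403 210 "-" "curl/7.15"
172.16.20.11 - - [01/Aug/2006:10:16:12 -0500] "GET /nothere HTTP/1.1" 404 209 "-" "curl/7.15"
192.168.1.80 - - [01/Aug/2006:10:17:00 -0500] "GET /old HTTP/1.1" 301 0 "-" "Mozilla/5.0"
192.168.1.80 - - [01/Aug/2006:10:17:01 -0500] "GET /cgi-bin/app HTTP/1.1" 500 0 "-" "Mozilla/5.0"'

# Stand-alone demo: class totals, then clients with two or more error responses
printf '%s\n' "$SAMPLE_LOG" | status_class_summary
printf '%s\n' "$SAMPLE_LOG" | error_clients 2
```

On a live server replace the printf with `cat /var/apache2/logs/access_log` (or the CustomLog path of the virtual host in question); the functions only assume the combined format, so a custom LogFormat that moves the status field needs the `$9` adjusted.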

###Alias Directive###
Maps a webspace location to a file system location, usually outside the document root

###Files Directive###
Facilitates restrictions on matching files regardless of their location on the server
<Files noaccess.html>
    Order allow,deny
    Deny from all
</Files>
Note: When applied OUTSIDE of a <Directory> block, applies to all instances of the named file throughout the web server

Task: Create a web-accessible directory, but restrict access to certain IPs
Steps:
1. mkdir /var/apache2/private
2. Create the appropriate Alias - Alias /private/ /var/apache2/private/
3. Create the appropriate <Directory> block
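The task above depends on getting the Order/Allow/Deny evaluation right, and it is easy to get backwards. The following is an added example (not from the UnixCBT notes or the Apache project) that implements the Apache 1.3/2.0 evaluation rules in POSIX shell so a <Directory> policy can be checked against sample client addresses before it goes into httpd.conf. private_dir_block is a hypothetical helper that prints the block the task calls for; the addresses are the ones these notes use.

```shell
#!/bin/sh
# Added example: evaluate Apache 1.3/2.0 Order/Allow/Deny for a client IP.
# Not from the UnixCBT notes; IP addresses are the ones the notes use.

# ip_to_int A.B.C.D -> unsigned 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_matches SPEC IP -> exit 0 when IP is covered by an Allow/Deny argument:
# all | a.b.c.d/prefix | a.b.c.d/mask | partial address (leading octets) | full address
ip_matches() {
    spec=$1; ip=$2
    case $spec in
        all) return 0 ;;
        */*)
            net=${spec%/*}; mask=${spec#*/}
            case $mask in
                *.*) maskint=$(ip_to_int "$mask") ;;
                *)   maskint=$(( (4294967295 << (32 - mask)) & 4294967295 )) ;;
            esac
            [ $(( $(ip_to_int "$ip") & maskint )) -eq $(( $(ip_to_int "$net") & maskint )) ]
            ;;
        *)
            # "192.168.1" matches 192.168.1.x but not 192.168.10.x
            case "$ip." in
                "$spec."*) return 0 ;;
                *)         return 1 ;;
            esac
            ;;
    esac
}

# access_decision ORDER "ALLOW_ARGS" "DENY_ARGS" IP -> prints allow or deny.
# ORDER is allow,deny or deny,allow; the argument lists are space separated.
access_decision() {
    order=$1; allow=$2; deny=$3; ip=$4
    a=0; d=0
    for s in $allow; do ip_matches "$s" "$ip" && a=1; done
    for s in $deny;  do ip_matches "$s" "$ip" && d=1; done
    case $order in
        allow,deny)   # default deny: admitted only if an Allow matched and no Deny did
            if [ $a -eq 1 ] && [ $d -eq 0 ]; then echo allow; else echo deny; fi ;;
        deny,allow)   # default allow: refused only if a Deny matched and no Allow did
            if [ $d -eq 1 ] && [ $a -eq 0 ]; then echo deny; else echo allow; fi ;;
        *) echo "unknown Order: $order" >&2; echo deny ;;
    esac
}

# private_dir_block ALLOWED_NET -> the Alias and <Directory> block for the task above
private_dir_block() {
    cat <<EOF
Alias /private/ /var/apache2/private/
<Directory "/var/apache2/private">
    Order deny,allow
    Deny from all
    Allow from $1
</Directory>
EOF
}

# Stand-alone demo: the policy, then a LAN client and an outside client against it
private_dir_block 192.168.1.0/24
for client in 192.168.1.77 172.16.20.11; do
    echo "$client -> $(access_decision deny,allow 192.168.1.0/24 all $client)"
done
```

The two Order values differ in their default: with Order deny,allow an address matched by neither list is admitted, so the 'Deny from all' line is what turns the Allow list into a whitelist; with Order allow,deny an unmatched address is refused, so 'Allow from all' plus a short Deny list is the shape for blocking a few addresses.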

###Virtual Hosts Support###
2 Types of Virtual Hosts are supported:
1. IP-based - Each virtual host is associated with a distinct address
2. Name-based - All or a group of Virtual Hosts share a distinct address

###IP-based Virtual Hosting###
Note: System requires multiple IP addresses
Note: Default Apache Host binds to ALL IP addresses on port 80

Steps:
1. Implement the appropriate 'Listen' directive
2. Configure Virtual Hosts
3. Restart Apache
4. Test configuration

Listen 192.168.1.50:80
<VirtualHost 192.168.1.50:80>
    ServerName linuxcbtsun1.linuxcbt.internal
    ServerAdmin [email protected]


    DocumentRoot /var/apache2/ipvhost1
    ErrorLog /var/apache2/logs/ipvhost1.error.log
    CustomLog /var/apache2/logs/ipvhost1.access.log combined
</VirtualHost>
Note: Apache will serve content from the DocumentRoot of the DEFAULT HOST if a request does NOT match any of the Virtual Hosts
Note: CustomLog requires a format (or LogFormat nickname) as its second argument

Listen 192.168.1.51:80
<VirtualHost 192.168.1.51:80>
    ServerName linuxcbtsun3.linuxcbt.internal
    ServerAdmin [email protected]
    DocumentRoot /var/apache2/ipvhost2
    ErrorLog /var/apache2/logs/ipvhost2.error.log
    CustomLog /var/apache2/logs/ipvhost2.access.log combined
</VirtualHost>

###Name-based Virtual Hosting###
Facilitates the sharing of 1 IP address by a group of web sites
Steps:
1. Define appropriate Listen directive(s)
2. Define appropriate NameVirtualHost directive(s)
3. Define Virtual Hosts
4. Restart Apache
5. Confirm configuration

Listen 80
NameVirtualHost *:80 - means to permit Name-based Virtual Hosts on ALL IPs
Note: the NameVirtualHost argument MUST match the VirtualHost argument (*:80 in both)

<VirtualHost *:80>
    ServerName linuxcbtsun1.linuxcbt.internal
    ServerAdmin [email protected]
    DocumentRoot /var/apache2/namevhost1
    ErrorLog /var/apache2/logs/namevhost1.error.log
    CustomLog /var/apache2/logs/namevhost1.access.log combined
</VirtualHost>


BIND DNS Implementation - Notes

Bind 9.x
SUNWbind (client & server utilities) & SUNWbindr (SMF)

Steps to configure DNS:
1. Create /etc/named.conf - primary named/BIND/DNS configuration file

options {
    directory "/var/named";
};

###Special zone indicating the root of the DNS hierarchy###
###Downloaded named.root from: ftp://ftp.rs.internic.net/domain/named.root###
zone "." {
    type hint;
    file "db.cache";
};

###Reverse Zones###
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "db.192.168.1";
};

zone "20.16.172.in-addr.arpa" {
    type master;
    file "db.172.20.16";
};

###Forward Zones###
zone "unixcbt.internal" {
    type master;
    file "db.unixcbt.internal";
};

###Zone File Syntax###
Note: @ is a variable standing for the current origin, i.e. the name of the zone as configured in /etc/named.conf

svcadm enable dns/server

Note: With or without master domains, BIND functions as a caching-only NS

Our server is configured to be:
1. Caching-Only Server
2. Authoritative Server

###Mail Exchanger (MX) Record Setup###
Note: Implement MX via 2 records:
1. IN MX 10 mail.unixcbt.internal. - the trailing dot marks the name as fully qualified; without it the zone origin is appended
2. mail IN A 192.168.1.197


###Slave DNS Server Configuration###
Note: There really isn't a Slave DNS Server with BIND; however, there is a SLAVE ZONE

Steps:
1. copy the following files to the slave server:
   a. db.127.0.0 - houses reverse, loopback zone info.
   b. db.cache - houses root hints
   c. named.conf - primary DNS BIND configuration file

Note: A DNS BIND server can also be a slave server in addition to a caching-only and authoritative server.


System Scheduler – Cron - Notes

Features:
1. Permits scheduling of scripts (shell/perl/python/ruby/PHP/etc.)/tasks on a per-user basis via individual cron tables
2. Permits recurring execution of tasks
3. Permits one-time execution of tasks via 'at'
4. Logs results (exit status, but can be full output) of executed tasks
5. Facilitates restrictions/permissions via cron.deny, cron.allow, at.*

Directory layout for the cron daemon:
/var/spool/cron - and sub-directories thereof store cron & at entries
/var/spool/cron/atjobs - houses one-off at jobs - e.g. 787546321.a - corresponds to a user's at job
/var/spool/cron/crontabs - houses recurring jobs for users - one file per username - these files house the recurring tasks for each user

Cron command:
crontab - facilitates the management of cron table files
crontab -l - lists the cron table for the current user - for root, reads /var/spool/cron/crontabs/root

###Cron table format###

m(0-59) h(0-23) dom(1-31) m(1-12) dow(0-6) command
10 3 * * * /usr/sbin/logadm - 3:10AM - every day
15 3 * * 0 /usr/lib/fs/nfs/nfsfind - 3:15 - every Sunday
30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1

m(0-59) h(0-23) dom(1-31) m(1-12) dow(0-6) command
Note: (date/time/command) MUST be on 1 line
m = minute (0-59)
h = hour (0-23)
dom = day of the month (1-31)
m = month (1-12)
dow = day of the week (0-6) - 0=Sunday

Note: each line contains 6 fields/columns - 5 pertain to the date & time of execution, and the 6th pertains to the command to execute

#m h dom m dow
10 3 * * * /usr/sbin/logadm - 3:10AM - every day
* * * * * /usr/sbin/logadm - every minute, hour, dom, m, dow
*/5 * * * * /usr/sbin/logadm - every 5 minutes (0,5,10,15...)
1 0-4 * * * /usr/sbin/logadm - 1 minute after the hours 0-4
0 0,2,4,6,9 * * * /usr/sbin/logadm - top of the hours 0,2,4,6,9
1-9 0,2,4,6,9 * * * /usr/sbin/logadm - 1-9 minutes of hours 0,2,4,6,9

Note: Separate columns/fields using whitespace or tabs

###Create crontabs for root & unixcbt###Note: ALWAYS test commands prior to crontab/at submission


11 * * * * repquota -va >> /reports/`date +%F`.quota.report

Note: set the EDITOR variable to the desired editor before running 'crontab -e'
export EDITOR=vim

###unixcbt - execute quota -v###
#!/usr/bin/bash
HOME=/export/home/unixcbt
quota -v >> $HOME/`date +%F`.unixcbt.quota.report
#END

Note: aim to reference scripts (shell/perl/python/ruby/PHP, etc.) from crontab entries instead of embedding commands full of special characters in the entry itself

Note: Default Solaris install creates 'at.deny' & 'cron.deny'
You MUST NOT be listed in either file to be able to submit at & cron entries

Conversely, if the cron.allow and at.allow files exist, you MUST be listed in the respective file to submit cron or at entries
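A crontab entry is not checked against anything until cron tries to run it, and the allow/deny files decide silently whether a submission is accepted at all. The following is an added example (not from the UnixCBT notes) in POSIX shell: expand_field and validate_crontab_line check the five time fields of an entry, including the */N step form the notes use (check crontab(1) on the target system, as not every cron accepts a step), and cron_permitted applies the allow/deny rule stated above. The allow/deny files are constructed under a temporary directory; on Solaris the real files live in /etc/cron.d.

```shell
#!/bin/sh
# Added example: check a crontab line before submitting it, and apply the
# cron.allow/cron.deny rule from the notes. Not from the UnixCBT notes;
# the allow/deny files are constructed under a temporary directory.

# expand_field SPEC LO HI -> the values a time field matches, one per line.
# Accepts *, N, A-B, A,B,C and the */N step form; returns 1 when a value is
# not a number, lies outside LO-HI, or the range is reversed.
expand_field() {
    spec=$1; lo=$2; hi=$3; rest=$spec
    while [ -n "$rest" ]; do
        part=${rest%%,*}
        if [ "$part" = "$rest" ]; then rest=; else rest=${rest#*,}; fi
        step=1
        case $part in */*) step=${part#*/}; part=${part%/*} ;; esac
        case $part in
            '*') start=$lo; end=$hi ;;
            *-*) start=${part%-*}; end=${part#*-} ;;
            *)   start=$part; end=$part ;;
        esac
        for n in "$start" "$end" "$step"; do
            case $n in ''|*[!0-9]*) return 1 ;; esac
        done
        if [ "$start" -lt "$lo" ] || [ "$end" -gt "$hi" ] || [ "$start" -gt "$end" ] || [ "$step" -lt 1 ]; then
            return 1
        fi
        v=$start
        while [ "$v" -le "$end" ]; do echo "$v"; v=$((v + step)); done
    done
    return 0
}

# validate_crontab_line LINE -> "ok" or the reason the line would be rejected
validate_crontab_line() {
    set -f                 # keep '*' fields from matching file names
    set -- $1
    set +f
    [ $# -ge 6 ] || { echo "need 5 time fields and a command, got $# field(s)"; return 0; }
    expand_field "$1" 0 59 >/dev/null || { echo "bad minute field: $1"; return 0; }
    expand_field "$2" 0 23 >/dev/null || { echo "bad hour field: $2"; return 0; }
    expand_field "$3" 1 31 >/dev/null || { echo "bad day-of-month field: $3"; return 0; }
    expand_field "$4" 1 12 >/dev/null || { echo "bad month field: $4"; return 0; }
    expand_field "$5" 0 6  >/dev/null || { echo "bad day-of-week field: $5"; return 0; }
    echo ok
}

# cron_permitted USER ALLOW_FILE DENY_FILE -> allowed | denied | unspecified.
# Rule from the notes: if the allow file exists the user must be listed in it;
# otherwise, if the deny file exists, the user must NOT be listed in it.
cron_permitted() {
    user=$1; allowf=$2; denyf=$3
    if [ -f "$allowf" ]; then
        if grep -qx "$user" "$allowf"; then echo allowed; else echo denied; fi
    elif [ -f "$denyf" ]; then
        if grep -qx "$user" "$denyf"; then echo denied; else echo allowed; fi
    else
        echo unspecified   # neither file present: not covered by the notes
    fi
}

# Constructed files standing in for /etc/cron.d/cron.allow and cron.deny
tmpdir=$(mktemp -d)
printf 'root\nunixcbt\n' > "$tmpdir/cron.allow"
printf 'guest\n' > "$tmpdir/cron.deny"

# Stand-alone demo
validate_crontab_line '11 * * * * repquota -va >> /reports/`date +%F`.quota.report'
validate_crontab_line '10 3 * * 7 /usr/sbin/logadm'
expand_field '*/5' 0 59 | tr '\n' ' '; echo
cron_permitted unixcbt "$tmpdir/cron.allow" "$tmpdir/cron.deny"
cron_permitted guest /nonexistent/cron.allow "$tmpdir/cron.deny"
```

Run validate_crontab_line over each line of a crontab file before `crontab file`, and point cron_permitted at /etc/cron.d/cron.allow and /etc/cron.d/cron.deny to see why a user's submission is being refused; the same logic with at.allow/at.deny covers the 'at' command.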


File System Management - Notes

###Recap of steps necessary to partition/slice & create file systems###
Steps:
1. unmount existing file systems - umount /data2 /data3
2. confirm fdisk partitions via the 'format' utility - format - select disk - select fdisk
3. use partition - modify to create slices on the desired drives
   DISK1 - slice 0 - /dev/dsk/c0t1d0s0
   DISK2 - slice 0 - /dev/dsk/c0t2d0s0
4. Create the file system using 'newfs /dev/rdsk/c0t1d0s0' (double-check the device: newfs on the system disk c0t0d0 destroys the installed OS)
5. Use 'fsck /dev/rdsk/c0t1d0s0' to verify the consistency of the file system
6. Mount file systems at the various mount points - mount /dev/dsk/c0t1d0s0 /data2 && mount /dev/dsk/c0t2d0s0 /data3
7. create entries in the Virtual File System Table (/etc/vfstab) file

###How to determine the file system associated with a device###
1. fstyp /dev/dsk/c0t0d0s0 - returns the file system type
2. grep the mount point from /etc/vfstab - returns the matching line: grep /var /etc/vfstab
3. cat /etc/mnttab - displays the currently mounted file systems

###Temporary File System (TEMPFS) Implementation###
TempFS provides in-memory (RAM), very fast storage and boosts application performance

Steps:
1. Determine available memory and the amount you can spare for TEMPFS - prtconf - allocate 100MB
2. Execute the mount command:

mkdir /tempdata && chmod 777 /tempdata && mount -F tmpfs -osize=100m swap /tempdata

Note: a world-writable directory shared by several users should carry the sticky bit (chmod 1777, as /tmp has) so users cannot remove each other's files

Note: TEMPFS data does NOT persist/survive across reboots
Note: TEMPFS data is lost when the following occurs:
1. TEMPFS mount point is unmounted: i.e. umount /tempdata
2. System reboot

Modify /etc/vfstab to include the TEMPFS mount point for reboots:

swap - /tempdata tmpfs - yes -

###Swap File/Partition Creation###
swap -l | swap -s - to display swap information

mkfile size location_of_file - to create a swap file
mkfile 512m /data2/swap2


swap -a /data2/swap2 - activates the swap file

To remove the swap file:
swap -d /data2/swap2 - removes the swap space from the kernel; does NOT remove the file
rm -rf /data2/swap2

###Swap Partition Creation###
format - select disk - partition - select slice/modify
swap -a /dev/dsk/c0t2d0s1

Modify /etc/vfstab


Volume Management - Notes
Solaris Volume Management permits the creation of 5 object types:
1. Volumes (RAID 0 (concatenation or stripe) / RAID 1 (mirroring) / RAID 5 (striping with parity))
2. Soft partitions - permit the creation of very large storage devices
3. Hot spare pools - facilitate provisioning of spare storage for use when a RAID-1/5 volume has failed, i.e.
   MIRROR
   - DISK1
   - DISK2
   - DISK3 - spare
4. State database replicas - MUST be created prior to volumes - contain the configuration & status of ALL managed objects (volumes/hot spare pools/soft partitions/etc.)
5. Disk sets - used when clustering Solaris in failover mode

Note: Volume Management facilitates the creation of virtual disks
Note: Virtual disks are accessible via /dev/md/dsk & /dev/md/rdsk
Rules regarding Volumes:
1. State database replicas are required
2. Volumes can be created using dedicated slices
3. Volumes can be created on slices with state database replicas
4. Volumes created by the volume manager CANNOT be managed using 'format'; however, they can be managed using CLI tools (metadb, metainit) and the GUI tool (SMC)
5. You may use tools such as 'mkfs', 'newfs', 'growfs'
6. You may grow volumes using 'growfs'

###State Database Replicas###
Note: At least 3 replicas are required for a consistent, functional, multi-user Solaris system.
3 - yields at least 2 replicas in the event of a failure
Note: if replicas are on the same slice or media and are lost, then Volume Management will fail, causing loss of data.
Note: place replicas on as many distinct controllers/disks as possible

Note: Max of 50 replicas per disk set

Note: Volume Management relies upon the Majority Consensus Algorithm (MCA) to determine the consistency of the volume information

3 replicas = 1.5 (half) = 1 rounded down + 1 = 2 = MCA (half + 1)

Note: try to create an even number of replicas
4 replicas = 2 (half) + 1 = 3

State database replica is approximately 4MB by default - for local storage

Rules regarding the storage location of state database replicas:
1. dedicated partition/slice - c0t1d0s3
2. local partition that is to be used in a volume (RAID 0/1/5)
3. UFS logging devices
4. '/', '/usr', 'swap', and other UFS partitions CANNOT be used to store state database replicas


###Configure slices to accommodate State Database Replicas###
c0t1d0s0 - c0t2d0s0 - RAID 0 (STRIPE) - 60GB

###Create RAID 0 (STRIPE) - NOT REDUNDANT###
c0t1d0s0 - c0t2d0s0 - RAID 0 (STRIPE) - 60GB - /dev/md/dsk/d0
Note: Volumes can be created using slices from a single disk or multiple disks
Note: State database replicas serve for ALL volumes managed by the Volume Manager

Note: RAID 0 Concatenation - exhausts DISK1 before writing to DISK2
Note: RAID 0 Stripe - distributes data evenly across members
Note: Use the same size slices when using RAID 0 with striping

Note: after defining the volume, create the file system
newfs /dev/md/rdsk/d0

###Suggested layout for creating volumes using the volume manager###
SERVER
 - DISK0 - SYSTEM DISK
VOLUME-MANAGED SECONDARY DISKS
 - DISK1 - SECONDARY DISK
 - DISK2 - SECONDARY DISK

###RAID-1 Configuration###
Note: RAID-1 relies upon submirrors, i.e. existing RAID-0 volumes
c0t1d0s0 - /dev/md/dsk/d0
c0t2d0s0 - /dev/md/dsk/d1
/dev/md/dsk/d2 - the mirror built from d0 and d1
d0 - source sub-mirror
d1 - destination sub-mirror

Create the file system on the mirrored volume '/dev/md/dsk/d2'
newfs /dev/md/rdsk/d2

###RAID-5 Configuration###
Steps:
1. Ensure that 3 components (slices/disks) are available for configuration
2. Ensure that the components are identical in size

Slices for RAID-5
c0t1d0s0 - 10GB
c0t1d0s0 - 10GB
c0t2d0s0 - 10GB

/dev/md/dsk/d0 = RAID-5 = 20GB

Note: You may attach components to a RAID-5 volume, but they will not store parity information; however, their data will be protected.

###Using growfs to extend volumes###
growfs extends mounted/unmounted volumes (UFS/ZFS)


Steps to grow a mounted/unmounted file system:
1. Find free slice(s) to add as component(s) to the volume using SMC or the metattach CLI
2. Add the component slice - wait for initialization (concatenation) to complete
3. execute 'growfs -M /d0 /dev/md/rdsk/d0'

Note: Once you've extended a volume, you CANNOT decrease it in size.
Note: Concatenation of RAID-1/5 volumes yields an untrue RAID-1/5 volume.
SLICE1 SLICE2 SLICE3 SLICE4 - Concatenated - NOT a true RAID-1/5 member (no parity is stored)

Note: When extending RAID-1 volumes, extend each sub-mirror first, and then Solaris will automatically extend the RAID-1 volume. Then run 'growfs'.

###Soft Partitions###
1. Provide an abstracted, extensible partition object
2. Permit virtually unlimited segmentation of a disk
   c0t1d0 - s0-9 (0-7 except 2, usable)
3. Permit creation of partitions on top of 1 or more slices

Steps:
1. Clean up partitions on existing disks: c0t1d0 & c0t2d0


File Transfer Protocol Daemon (FTPD) Implementation - Notes
wu-ftpd
FTPD binds to TCP port 21 and is running by default
SMF controls service configuration
svcs -l ftp - returns configuration

pkginfo -x | grep -i ftp - returns the SUNWftpu|r packages

SUNWftpu - includes useful user packages
ftpcount - dumps count per class
ftpwho - returns connected users & process information
ftpconfig - used to set up anonymous/guest FTP

SUNWftpr - includes server-side configuration files
/etc/ftpd
 - ftpaccess - primary configuration file for wu-ftpd
 - ftphosts - allow|deny access to users from hosts
 - ftpservers - allows the admin to define virtual hosts
 - ftpusers - users listed may NOT access the server via FTP
 - ftpconversions - facilitates tar, compress, gzip support

wu-ftpd supports both types of FTP connections:
1. PORT - Active FTP
   - Client -> TCP:21 (Server control connection)
   - Client executes 'ls' -> results in the server initiating a connection back to the client, usually from TCP:20 (ftp-data) on the server
2. PASV - Passive FTP
   - Client -> TCP:21 (Server control connection)
   - Client executes 'ls' -> results in the server opening a high port and instructing the client to source (initiate) a connection to the server
   - Client sources the data connection to the high port on the server

###Anonymous FTP configuration###
use 'ftpconfig' to provision anonymous access
Note: Guest connections are jailed using chroot()

###FTPD Class Support###
Facilitates the grouping of users for the purpose of assigning directives
3 Default Classes:
1. realusers - CAN log in using a shell (SSH/Telnet) - CAN browse the entire directory tree
2. guestusers - Temporary users - see a chrooted environment
3. anonusers - General public - primarily for download capability

###Guest User Support###
Jailed/chrooted environment

Steps:
1. useradd -d /export/home/guests/unixcbt4 -s /bin/true unixcbt4
2. mkdir /export/home/guests/unixcbt4
3. chown unixcbt4 /export/home/guests/unixcbt4
4. ftpconfig -d /export/home/guests/unixcbt4 - sets up the chrooted environment
5. update /etc/ftpd/ftpaccess - config file - guestuser unixcbt4
6. restart ftp using svcadm restart ftp


Note: Guest users are similar to real users except guest users are chrooted/jailed.

###Virtual Hosts###
wu-ftpd supports 2 forms of virtual hosts:
1. Limited - relies upon the primary config files /etc/ftpd/{ftpaccess,ftpusers,...}
   Admin. may define unique attributes including the following:
   a. banner
   b. logfile
   c. hostname
   d. email
   e. distinct IP address
2. Full - relies upon distinct config files in a specified directory
   a. offers everything included with limited virtual hosts mode
   b. also adds distinct config files
   c. Note: Full mode will use the default config files in /etc/ftpd if the full virtual hosts instance is unable to find a distinct file.

###Limited Virtual Hosts Configuration###
/etc/ftpd/ftpaccess
virtual 192.168.1.51 root /var/ftp2
virtual 192.168.1.51 hostname linuxcbtdb1.linuxcbt.internal
virtual 192.168.1.51 banner /var/ftp2/.welcome_message.msg
virtual 192.168.1.51 logfile /var/log/ftp2/xferlog
virtual 192.168.1.51 allow unixcbt3

Note: Virtual hosts do not allow real & guest users access by default

###Full Virtual Hosts Configuration###
/etc/ftpd/ftpservers
address        configuration_directory
192.168.1.51   /etc/ftpd/ftp2
192.168.1.52   /etc/ftpd/ftp3


GNU Privacy Guard (GPG) - Notes
Features:
1. Public key pair generation & maintenance for all users on the system. Keys are stored in ~/.gnupg
2. Encrypt/Decrypt files - based on the communication partner's public key
3. Encrypt/Decrypt e-mails - based on the recipient's public key
4. Generate/Manage digital signatures (means of proving identity)

###Install GPG###
1. www.sunfreeware.com
2. gunzip gnupg-1.2.6-sol10-intel-local.gz && pkgadd -d gnupg-1.2.6-sol10-intel-local

Note: GPG manages, by default, 2 keyrings:
1. Public - your public key, and potentially others'
   a. use 'gpg --list-keys' to enumerate public keys
2. Private - your private key(s)

Note: gpg uses the recipient's public key to encrypt communications (e-mail/files)

###Create Public/Private Key Pair###
gpg --gen-key
Note: 'gpg --gen-key' functions similarly to the 'ssh-keygen' utility
Note: the passphrase is associated with the 'private key' of the pub/priv pair

Note: GPG is compatible with PGP

###Import others' public keys###


MySQL Implementation - Notes

Included with the Software Companion DVD

pkginfo -x | grep -i mysql
Note: Current version of MySQL is NOT managed by SMF

Steps to initialize MySQL:
1. /usr/sfw/bin/mysql_install_db - initializes the default DBs & tables
   /usr/sfw/bin/mysqladmin -u root password 'abc123' - sets the root password
   Note: a password given on the command line is visible to other users via 'ps' and in the shell history; prefer entering it at a prompt or in an option file with restrictive permissions
2. groupadd mysql && useradd -g mysql mysql && echo $?
3. chgrp -R mysql /var/mysql && chmod -R 770 /var/mysql && echo $?
4. installf SUNWmysqlr /var/mysql d 770 root mysql
5. cp /usr/sfw/share/mysql/my-medium.cnf /etc/my.cnf (global configuration)
6. /usr/sfw/sbin/mysqld_safe --user=mysql & - starts MySQL
7. symlink the rc script into the run-level directories:
   ln /etc/sfw/mysql/mysql.server /etc/rc3.d/S99mysql
   ln /etc/sfw/mysql/mysql.server /etc/rc0.d/K00mysql
   ln /etc/sfw/mysql/mysql.server /etc/rc1.d/K00mysql
   ln /etc/sfw/mysql/mysql.server /etc/rc2.d/K00mysql
   ln /etc/sfw/mysql/mysql.server /etc/rcS.d/K00mysql

Note: MyISAM tables usually consist of at least 3 files:
1. .MYI - Index file
2. .MYD - Data file
3. .FRM - Form file (describes the table structure)

Note: Client options specified on the command line override all other instances of the option.
The order in which options/directives are processed usually resembles the following:
1. /etc/my.cnf - global config file
2. /var/mysql/my.cnf - data-server specific config file
3. ~/.my.cnf - user-specific config file
4. command line options

Note: Drop the test database using the following syntax: 'drop database test;'
Note: You CANNOT drop the 'mysql' database because it contains the following critical information:
1. list of databases to manage
2. user table
3. privileges table

Note: MySQL creates 2 default users: 'root' & anonymous
Note: The anonymous user matches all otherwise-unmatched users; remove it on a production server so that only named accounts can connect

Create a MySQL user using the following command:
grant all privileges on *.* to 'unixcbt'@'localhost' IDENTIFIED BY 'abc123';

Note: After altering privileges by editing the grant tables directly, flush them to take effect using (GRANT statements take effect immediately):
flush privileges;


NETSTAT - Notes

Lists connections for ALL protocols & address families to and from the machine
Address Families (AF) include:
INET - IPv4
INET6 - IPv6
UNIX - Unix Domain Sockets (Solaris/FreeBSD/Linux/etc.)

Protocols Supported in INET/INET6 include: TCP, IP, ICMP(PING(echo/echo-reply)), IGMP, RAWIP, UDP(DHCP,TFTP,etc.)

Lists the routing table
Lists DHCP status for the various interfaces
Lists the net-to-media table - network address to MAC (network card) table

###NETSTAT Usage###
netstat - returns sockets by protocol, using /etc/services for port-name lookup
/etc/nsswitch.conf is consulted by netstat to resolve names for IPs

netstat -a - returns ALL protocols for ALL address families (TCP/UDP/UNIX)

netstat -an - the -n option disables name resolution of hosts & ports

netstat -i - returns the state of interfaces. Pay attention to the errors/collisions/queue columns when troubleshooting performance

netstat -m - returns STREAMS (TCP) statistics

netstat -p - returns net-to-media info (MAC/layer-2 info.) i.e. arp

netstat -P protocol (ip|ipv6|icmp|icmpv6|tcp|udp|rawip|raw|igmp) - returns active sockets for selected protocol

netstat -r - returns routing table

netstat -D - returns DHCP configuration (lease duration/renewal/etc.)

netstat -an -f address_family
netstat -an -f inet|inet6|unix
netstat -an -f inet - returns IPv4-only information

netstat -n -f inet
netstat -anf inet -P tcp
netstat -anf inet -P udp
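Both the Apache section's 'netstat -anP tcp | grep 80' check and the -P tcp forms above rely on reading the socket table by eye, and a bare grep for 80 also matches 8080, a remote port 2280 or any address containing those digits. The following is an added example (not from the UnixCBT notes) that parses Solaris-style 'netstat -an -P tcp' output into listening address/port pairs and answers whether a given port is bound; the sample output is constructed to resemble the Solaris 10 format, with the addresses these notes use.

```shell
#!/bin/sh
# Added example: list LISTEN sockets from Solaris-style 'netstat -an -P tcp'
# output and test whether a port is bound. Not from the UnixCBT notes; the
# sample output below is constructed.

# listening_sockets < netstat_output -> "<address> <port>" per LISTEN socket.
# Solaris writes the local address as a.b.c.d.port or *.port, so the port is
# the last dot-separated component and the address is everything before it.
listening_sockets() {
    awk '$NF == "LISTEN" {
             n = split($1, p, "[.]")
             port = p[n]
             addr = substr($1, 1, length($1) - length(port) - 1)
             print addr, port
         }'
}

# port_is_listening PORT < netstat_output -> exit 0 if some socket listens on PORT
port_is_listening() {
    listening_sockets | awk -v want="$1" '$2 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample resembling 'netstat -an -P tcp' on Solaris 10
SAMPLE_NETSTAT='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
192.168.1.50.80            *.*                0      0 49152      0 LISTEN
192.168.1.51.80            *.*                0      0 49152      0 LISTEN
      *.8080               *.*                0      0 49152      0 LISTEN
192.168.1.50.22      192.168.1.80.41521   49640      0 49640      0 ESTABLISHED
192.168.1.50.80      172.16.20.11.2280    49640      0 49640      0 TIME_WAIT'

# Stand-alone demo: the listeners, then the port-80 check from the Apache section
printf '%s\n' "$SAMPLE_NETSTAT" | listening_sockets
if printf '%s\n' "$SAMPLE_NETSTAT" | port_is_listening 80; then
    echo "port 80 is bound"
fi
```

On the server itself feed the functions with `netstat -an -P tcp | listening_sockets`; the address column also shows whether a virtual host's Listen directive bound the specific IP (192.168.1.50) or the wildcard (*), which a grep for the port number alone does not reveal.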


Network Configuration Overview - Notes

2 Modes:
1. Local Files Mode - config is defined statically via key files
2. Network Client Mode - DHCP is used to auto-configure interface(s)

Current Dell PE server has 3 NICs:
1. e1000g0 - plumbed (configured for network client mode)
2. iprb0 - unplumbed
3. iprb1 - unplumbed

1 virtual, mandatory interface: lo0 - loopback

Determine physical interfaces using 'dladm show-dev | show-link'
Determine plumbed and loopback interfaces using 'ifconfig -a'

NIC naming within Solaris OS: i.e. e1000g0 - e1000g(driver name) 0(instance)

Layers 2 & 3 info. - ifconfig -a, or ifconfig e1000g0
Layer 1 info. - dladm show-dev | show-link

###Key network configuration files###
svcs -a | grep physical
svcs -a | grep loopback

1. IP Address - /etc/hostname.e1000g0, /etc/hostname.iprb0 | iprb1
2. Domain name - /etc/defaultdomain - linuxcbt.internal
3. Netmask - /etc/inet/netmasks - 192.168.1.0 255.255.255.0
4. Hosts database - /etc/hosts, /etc/inet/hosts - loopback & ALL interfaces
5. Client DNS resolver file - /etc/resolv.conf
6. Default Gateway - /etc/defaultrouter - 192.168.1.1, 172.16.20.1, 10.0.0.1
7. Node name - /etc/nodename
8. Name service configuration file - /etc/nsswitch.conf

netstat -D - returns the DHCP configuration for ALL interfaces
ifconfig -a - returns the configuration for ALL interfaces

Reboot system after transitioning from network client(DHCP) mode to local files(Static) mode

mv /etc/dhcp.e1000g0 to some other name, or remove the file, so that the DHCP agent is NOT invoked
echo "linuxcbtsun1" > /etc/nodename

###Plumb/enable the iprb0 100Mb/s interface###
Plumbing interfaces is analogous to enabling interfaces
Note: 172.16.20.11 is a Linux host waiting to communicate with the iprb0 interface
Steps:
1. ifconfig iprb0 plumb up - this will enable the iprb0 interface
2. ifconfig iprb0 172.16.20.10 netmask 255.255.255.0 - this will assign the layer-3 IPv4 address

Steps to unplumb an interface:
1. ifconfig iprb0 unplumb down


###Ensure that newly-plumbed interface settings persist across reboots###
Steps include updating/creating the following files:
1. echo "172.16.20.10" > /etc/hostname.iprb0
2. create an entry in /etc/hosts - 172.16.20.10 linuxcbtsun1
3. echo "172.16.20.0 255.255.255.0" >> /etc/inet/netmasks

Note: To down an interface, execute:
ifconfig interface_name down
ifconfig iprb0 down && ifconfig iprb0

###Sub-interfaces/Logical Interfaces###
e1000g0 (physical interface)
 - 192.168.1.50 (Primary Apache website)
 - 192.168.1.51 (Secondary Apache website)
 - 192.168.1.52 (Used for SSH)
iprb0 - 172.16.20.10
iprb1

Use 'ifconfig interface_name addif ip_address <netmask>'
ifconfig e1000g0 addif 192.168.1.51 (RFC-1918 address - the netmask defaults to /24)

Note: This will automatically create an 'e1000g0:1' logical interface
Note: Solaris places the new logical interface in DOWN mode by default
Note: use 'ifconfig e1000g0:1 up' to bring the interface up

Note: logical/sub-interfaces are contingent upon physical interfaces
Note: if the physical interface is down, so will be the logical interface(s)
Note: connections are sourced using the IP address of the physical interface

###Save logical/sub-interface configuration for persistence across reboots###

1. gedit /etc/hostname.e1000g0:1 - 192.168.1.51
2. gedit /etc/hostname.e1000g0:2 - 192.168.1.52
3. Optionally update /etc/hosts - /etc/inet/hosts
4. Optionally update /etc/inet/netmasks - when subnetting

Note: To remove a logical interface execute the following:
ifconfig physical_interface_name removeif ip_address
ifconfig iprb0 removeif 172.16.20.20

###/etc/nsswitch.conf - name service configuration information###
Functions as a policy/rules file for various resolutions:
1. DNS
2. passwd (/etc/passwd, /etc/shadow), group (/etc/group)
3. protocols (/etc/inet/protocols)
4. ethers, or MAC-to-IP mappings
5. hosts - where to look for hostname resolution: files (/etc/hosts), dns (/etc/resolv.conf)


Network File System(NFS) - Notes

Implemented by most, if not all, *nix-type OSs (Solaris/AIX/Linux/FreeBSD)
NFS seamlessly mounts remote file systems locally

NFS Components include:
1. NFS Client (mount (temporary access), /etc/vfstab)
2. NFS Server
3. AutoFS

NFS versions 3 & higher supports large files (>2GB)

NFS Major versions:
2 - original
3 - improved upon version 2
4 - current version

Note: Solaris 10 simultaneously supports ALL NFS versions
/etc/default/nfs - contains defaults for NFS server & client

Note: client->server NFS connection involves negotiation of NFS version to use

###Steps for mounting remote file systems###
 1. ensure that a local mount point exists & is empty
Note: files and/or directories already in a local mount point will be unavailable while a remote file system is mounted there

2. ensure that NFS server is available and sharing directories

 3. mount locally the remote file system:
    mount -F nfs -o ro linuxcbtmedia:/tempnfs1 /tempnfs1
Note: use 'man mount' to determine mount options for various FSs

4. setup persistent mounts in /etc/vfstab file

###Steps for sharing local file system locations###
 1. ensure that NFS is running
    svcs -a | grep -i nfs
Note: you may enable the NFS server and update share information independently

Start using: svcadm enable svc:network/nfs/server
Note: NFS Server will NOT start if there are NO directories to share

2. share -F nfs -d test_share /tempnfssun1 - exports for current session. Does NOT persist across reboots

3. Configure NFS sharing for persistence, using share command

share -F nfs -d test_share /tempnfssun1
shareall

Note: consult 'man share_nfs' for permissions info.


AutoFS - Notes
Features:
 1. Just-in-time mounting of file systems
 2. Controlled by 'automountd' daemon
 3. Managed via autofs service
 4. References map files to determine file systems to mount
 5. Obviates need to distribute root password to non-privileged users

/etc/default/autofs - contains configuration directives for autofs

###AutoFS Maps###
3 Types:
 1. Master map - /etc/auto_master
 2. Direct map - /etc/auto_direct - facilitates direct mappings
 3. Indirect map - /etc/auto_* - referenced from /etc/auto_master

###/etc/auto_master###
Note: /etc/auto_master is always read by autofs (automountd daemon)
/etc/nsswitch.conf - used to determine lookup location for automount

-hosts - references hosts defined in /etc/hosts & the hosts MUST export shares using NFS

Note: changes to /etc/auto_master (primary autofs policy file) usually require a service restart: svcadm restart autofs

Note: AutoFS defaults to permitting client to browse potential mount points

###Direct mapping example###
Note: Direct mappings seamlessly merge remote exports with local directories
Steps:
 1. create auto_direct mapping in /etc/auto_master: /- auto_direct -vers=3

Network Mapper Nmap - Notes

Performs network reconnaissance/vulnerability testing

www.insecure.org

Compilation Instructions:
 1. export PATH=$PATH:/usr/ccs/bin
 2. ./configure
 3. make || gmake
 4. gmake install - copies nmap to /usr/local/bin

Note: nmap can be run by any user on the system; however, only root may perform more dangerous functions, i.e. SYN-based scans

###Check ports of hosts###
nmap -v 192.168.1.102 as root, causes a SYN-based scan to occur:
SYN -> SYN-ACK -> Termination
SYN -> SYN-ACK -> ACK - TCP-based scan performed by normal users


Nmap can export to the following file types:
 1. Normal
 2. XML
 3. Greppable

Network Time Protocol (NTP) - Notes
Synchronizes the local system and can be configured to synch any NTP-aware host

Hierarchical in design - 1 through 16 strata
Lower stratum values are more accurate time sources
Stratum 1 servers are connected to external, more accurate time sources such as GPS

Note: Less latency usually results in more accurate time

External Time Source (GPS/Radio/etc.) -> NTP Stratum 1 -> NTP Stratum 2 - Solaris Client/Server -> ...
Note: A Solaris 10 NTP system can be both client & server

Note: configure NTP clients to synch to 3 or more clocks(time sources)

###Client configuration###
xntpd or the ntp service searches for /etc/inet/ntp.conf

Note: NTP uses UDP 123 in source & destination ports

ntpdate ntp_server - synchronizes, one-off, local clock
Note: ntpdate does NOT update local clock if xntpd is running locally

rdate - relies upon older time service

ntpq - NTP query utility runs interactively & non-interactively
ntpq -np - lists peers without name resolution - non-interactive invocation
ntpq - invokes interactive mode

ntptrace - traces path to time source

ntpq - queries local or remote NTP servers
ntptrace - traces path to external time source
ntpdate - updates local clock
/etc/inet/ntp.conf - (server server_ip)
svcadm enable ntp - starts NTP (Server and/or Client)

NTP Pool Site: www.pool.ntp.org (Derive NTP public servers from their lists)


Quota Implementation & Management - Notes

Features:
Soft Limits - function as stage-1 or warning stage - if user exceeds soft limit, a timer is invoked (default 7 days)
e.g. 100MB - if user stays over the soft limit beyond the timer, the soft limit becomes a hard limit

Hard Limits - function as a storage ceiling - CANNOT be exceeded - if user reaches hard limit, system will not allocate additional storage

File-system perspective of quotas:
2 objects are monitored:
 1. BLOCKS
 2. INODES

FILE(test.txt) -> 1-INODE -> 1-or-more Data BLOCKS(default 1K)

Quota Tools:
 1. edquota - facilitates the creation of quotas for users
 2. quotacheck - checks for consistency in usage and quota policy
 3. quotaon - enables quotas on file system
 4. repquota - displays quota information

###Steps to enable quota support###
 1. modify /etc/vfstab - enable quotas per file system: "Mount Options" column - 'rq'
 2. create empty 'quotas' file in root of desired file system
    touch /export/home/quotas && chmod 600 /export/home/quotas
 3. edquota unixcbt
    edquota -p unixcbt unixcbt2 unixcbt3 unixcbt4 - copies unixcbt's quota policy to users unixcbt2,3,4
 4. quotacheck -va
 5. quota -v unixcbt
 6. quotaon -v /dev/dsk/c0t0d0s7 - enable quota support

Samba – Windows Integration - Notes
Integrates Unix-type systems with Windows
SMB (139)/CIFS (445) - 2 protocols used to communicate with Windows/Samba servers

Key Client Utilities:
 1. smbtree - network neighborhood text utility
    It enumerates workgroups, hosts & shares
    smbtree -b - relies upon broadcasts for resolving workgroups/hosts
    smbtree -D - echoes discovered workgroups using broadcasts/master browser

 2. smbclient - provides an FTP-like interface to SMB/CIFS servers
    smbclient service_name (//LINUXCBTWIN1/LinuxCBT)

Note: Most, if not all, Samba clients operate in case-insensitive mode
    smbclient //linuxcbtwin1/linuxcbt
Note: when in smbclient interactive mode, prefix commands with '!' to execute locally on the client; otherwise commands run on the server

smbclient -L linuxcbtwin1 - enumerates the shares on the server


smbclient -A ./.smbpaswd //linuxcbtwin1/solaris10

.smbpaswd contents:
username=unixcbt
password=abc123

 3. smbtar - facilitates backups of remote shares
    smbtar -s linuxcbtwin1 -x solaris10 -t solaris10.tar - backup
    smbtar -s linuxcbtwin1 -x solaris10 -r -t solaris10.tar - restore

Remote Desktop Installation - Notes
Requirements - www.sunfreeware.com:
 1. libiconv
 2. libgcc 3.3.2 or higher
 3. libopenssl 0.9.7
 4. rdesktop-1.4.1

Features
RDesktop supports Remote Desktop Protocol (RDP) versions 4 & 5
Connects to:
 1. Windows XP - RDP-5
 2. Windows 2000 - RDP-5
 3. Windows 2003 - RDP-5
 4. Windows NT Server 4 - Terminal Services Edition - RDP-4

###usage###

rdesktop -g 700x500 -a 16 server_name(192.168.1.102)

Samba Server Configuration - Notes
/etc/sfw/smb.conf-example - modify & save as /etc/sfw/smb.conf

smb.conf - is the main configuration file for Samba server & many of the Samba clients search for key directives from the file.

Features:
 1. File & Print sharing
 2. Implemented as 2 daemons (smbd & nmbd)
    smbd - file & print sharing - connections based on SMB/CIFS protocols
      SMB - TCP 139
      CIFS - TCP 445
    nmbd - handles NETBIOS names using primarily UDP connectivity
      Browse list (master browser or derive current list from master browser)
      Names of servers - derived using broadcast or WINS
      UDP 137 & 138
 3. Legacy service - does not currently benefit from SMF
 4. Service is located in: /etc/init.d & referenced via run-levels
 5. Configuration changes to /etc/sfw/smb.conf are read automatically

###Samba Security Modes###
Default = security = user - relies upon local Unix accounts database & Samba database to grant or deny access to shared resources
 1. /etc/passwd
 2. /etc/sfw/smbpasswd - handles translation of Windows auth to Unix auth
 3. /etc/sfw/smbusers - provides translation between Unix & Windows users
    i.e. translation of Windows' 'guest' user to Unix' 'nobody' user

###User Authentication Mode###
Note: NETBIOS names are restricted to 16 characters; however, only 15 characters are configurable
linuxcbtsun1.linuxcbt.internal = FQDN
Note: smbpasswd -a unixcbt - creates permitted Samba users in /etc/sfw/private/smbpasswd file - otherwise, access will be denied

###Samba Web Administration Tool (SWAT)###
Steps to enable SWAT:
 1. create an /etc/services entry for SWAT - TCP:901
 2. create an /etc/inetd.conf entry for SWAT
    swat stream tcp nowait root /usr/sfw/sbin/swat swat
 3. Convert the inetd entry for SWAT to SMF using 'inetconv'

System Security Overview - Notes
/var/adm/sulog - houses SU attempts
Format: SU TIMESTAMP +|- TTY Switched_User_From-To
SU 06/17 11:13 + pts/4 root-unixcbt

/var/adm/loginlog - Does NOT exist by default
Note: houses failed logins after threshold (Default of 5)
touch /var/adm/loginlog
/etc/default/login

logins command
logins -x -l unixcbt - returns info. from /etc/{passwd,shadow}
logins -p - lists users without passwords

###Password Generation Encryption Algorithm###
Note: Default in Solaris 10 is UNIX, legacy encryption - the weakest
/etc/security/policy.conf - man policy.conf(4)
Note: password encryption changes take effect at user's next password change
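Added example (not from the UnixCBT notes): a small POSIX shell review of the /var/adm/sulog records described above, flagging users with repeated failed su attempts to root. The sulog lines are constructed; the threshold of 5 is assumed to mirror the loginlog default the notes mention.

```shell
#!/bin/sh
# Added example (not from the UnixCBT notes): summarise failed su attempts
# from /var/adm/sulog, whose records have the form shown in the notes:
#   SU MM/DD HH:MM +|- tty from-to
# Constructed sample records stand in for the real file (readable by root only).
SAMPLE_SULOG='SU 06/17 11:13 + pts/4 root-unixcbt
SU 06/17 11:20 - pts/2 unixcbt-root
SU 06/17 11:21 - pts/2 unixcbt-root
SU 06/17 11:22 - pts/2 unixcbt-root
SU 06/17 11:25 + pts/2 unixcbt-root
SU 06/18 09:02 - pts/5 guest-root'

# failed_su_to_root TEXT -> prints the source user of every failed ('-')
# su attempt whose target was root, one per line
failed_su_to_root() {
    printf '%s\n' "$1" | while read -r tag _date _time result _tty pair; do
        if [ "$tag" = "SU" ] && [ "$result" = "-" ]; then
            from=${pair%-*}     # text before the last '-'
            to=${pair##*-}      # text after the last '-'
            if [ "$to" = "root" ]; then
                printf '%s\n' "$from"
            fi
        fi
    done
}

# flag_repeated_failures TEXT [THRESHOLD] -> prints "count user" for each
# source user with THRESHOLD or more failed su-to-root attempts; the default
# of 5 is an assumption that mirrors the loginlog threshold in the notes
flag_repeated_failures() {
    threshold=${2:-5}
    failed_su_to_root "$1" | sort | uniq -c | while read -r n user; do
        if [ "$n" -ge "$threshold" ]; then
            printf '%s %s\n' "$n" "$user"
        fi
    done
}

# Stand-alone run against the constructed sample; on a live host use
# flag_repeated_failures "$(cat /var/adm/sulog)" 3
flag_repeated_failures "$SAMPLE_SULOG" 3
```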

Sendmail MTA Features - Notes
Default configuration runs Sendmail
Runs as 2 daemons
 1. queue runner - submits jobs into queue (PHP script/mailx/sendmail/etc.)
    a. it runs as a non-privileged user called 'smmsp'
    b. places messages into queue directory: /var/spool/mqueue
    c. mailq command dumps the current status of the queue(s)

 2. MTA mode - message delivery to local/remote recipients
    a. it runs as root - to bind to well-known TCP:25

Note: Sendmail works with SMF


svcadm restart sendmail
svcs -l sendmail

Typical Mail Components in distributed mail environments:
 1. MTA - Message Transfer Agent (Sendmail/Postfix/qmail)
 2. MUA - Mail User Agent (mail, mutt, mailx, MS Outlook, Eudora, etc.)
 3. MDA - Mail Delivery Agent (mail.local, procmail, etc.)

Config files:
 1. /etc/mail/sendmail.cf - primary config file for Sendmail MTA
 2. /etc/mail/submit.cf - primary config file for Sendmail MSP (smmsp)

Config file macros using the m4 language:
 1. /etc/mail/cf/cf/sendmail.mc
 2. /etc/mail/cf/cf/submit.mc

Note: Sendmail does NOT understand m4 files. Use m4 to generate updated .cf files if necessary

###/etc/aliases - used for local mail delivery###
Contains key aliases for 'postmaster' & system daemons

unixcbt:unixcbt@linuxcbtsun1

unixcbt@localhost
unixcbt@[email protected]
/etc/mail/local-host-names [email protected]

newaliases - generates updated DB for aliases

###per-user mail###
 1. Sendmail stores mail using the older mbox format, which stores all mail in 1 potentially huge ASCII text file
 2. /var/mail/username - flagged with the STICKY bit

###Mail delivery using local tools###
sendmail is monolithic - 1 program does it all (client/server/MSP/MTA)

sendmail -v unixcbt

Note: MSP submits to: /var/spool/clientmqueue

###Virtual Domains/Users Support###
/etc/mail/relay-domains
/etc/mail/local-host-names
  unixcbt.internal

Virtual Users:
Create: /etc/mail/virtusertable
Populate with mappings: virtual_email_address local_mailbox|[email protected] unixcbt

Configure /etc/mail/sendmail.cf via /etc/mail/cf/cf/sendmail.mc
- FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')
makemap hash virtusertable - creates the DB file: /etc/mail/virtusertable.db

###Relay Domains###
/etc/mail/relay-domains
Houses domains that sendmail should relay; local and/or remote
linuxcbt.com
192.168.1.100

###IMAP/POP2|3 Support###
Differences between IMAP & POP
 1. IMAP stores messages on server
 2. POP downloads messages to client

Note: IMAP server must support mbox mail storage format and optionally Maildir mail storage format

Download IMAP2004g from sunfreeware.com

###Configure INETD control of IMAP & POP3 services###
/etc/inetd.conf
pop3 stream tcp nowait root /usr/local/sbin/ipop3d ipop3d
imap stream tcp nowait root /usr/local/sbin/imapd imapd

Note: use 'inetconv' to convert INETD entries in /etc/inetd.conf to SMF

###Evolution MUA - Connect to POP3 & IMAP Service###
Installed openssl-0.9.8 to support IMAP2004g
Configure Evolution
Note: Retrieving & Sending messages are distinct functions
 1. SMTP - Sending
 2. IMAP/POP3/MS Exchange/etc. - Retrieval


Snoop – Network Sniffer - Notes
Features:
 1. Packet capturing facilities (ALL levels of OSI model, minus physical)
 2. Packet playback/replay facility
 3. Sniffs on first detected, non-loopback interface - output to STDOUT
 4. MUST be executed as root

Note: Try to snoop to an output file as opposed to STDOUT for performance reasons (to minimize packet loss)

snoop
snoop -o snoop1.out - redirects captured traffic to file named 'snoop1.out' and returns a packet count to STDOUT

Note: If connected to a switched environment, MIRROR the traffic to the Sun box in order for traffic to be available to snoop

snoop -i snoop1.out - reads the captured file
Note: snoop captures packets until killed with CTRL-C or disk runs out of space

snoop -i snoop1.out -p 11573,11577 - extracts packet range 11573-11577
snoop -v -i snoop1.out - VERBOSE (ALL OSI layers, 2-7)
snoop -V -i snoop1.out - SUMMARY (Returns interesting packet payload)

Note: snoop supports Boolean primitives (host, tcp, udp, ip) & Boolean operators (AND, OR, NOT)

snoop -i snoop1.out tcp port 80

Note: snoop -o output_file - captures layers 2-7

snoop -o snoop1.out udp

snoop -o snoop1.out 192.168.1.50 192.168.1.102

###FTP Traffic Snoop###
snoop -o snoop_ftp_traffic.out host 192.168.1.102 linuxcbtsun1 and tcp and port 21

TCPDump – Network Sniffer - Notes
www.tcpdump.org

Packet Capturing - captures packets from network interfaces

Note: 2 major utilities supporting TCPDump's format include:
 1. Ethereal - GUI protocol analyzer/Sniffer
 2. Snort NIDS - Sniffer/Logger/NIDS

TCPDump supports 3 qualifiers to assist in creating expressions:
 1. Type - host|net|port i.e. host 192.168.1.102
 2. Direction - src|dst|src or dst|src and dst
 3. Protocol - tcp|udp|ip

Syntax:
tcpdump options expression

tcpdump
tcpdump -D - returns available interfaces
tcpdump -i interface_name - binds to specific interface
tcpdump -q - suppresses some packet header information
tcpdump -n - avoids name resolution - improves performance

Snort Network Intrusion Detection System (NIDS) - Notes

Features:
 1. Packet Capturing - libpcap.a (tcpdump.org)
 2. Packet Logging - Captures are stored to disk (ASCII/TCPDump Formats)
 3. Network Intrusion Detection Mode

Note: Software Companion DVD includes Snort 2.0(older version)

Requirements:
 1. libpcap
 2. libpcre

###Configuring Snort###
./configure --with-libpcap-libraries=/opt/sfw/lib --with-libpcre-includes=/opt/sfw/include --with-libpcre-libraries=/opt/sfw/lib

Appended to PATH: /usr/sfw/bin:/usr/ccs/bin

make
make install

###Snort as a Sniffer###
snort -v - Dumps link headers (Layers 3 (IPs) & 4 (Ports) of the OSI Model)
snort -v -i e1000g0
snort -vd -i e1000g0 - Dumps Application Layer (Layer-7 of OSI Model)
snort -ve -i e1000g0 - Dumps data-link layer (Layer-2 of OSI Model)
snort -vde -i e1000g0 - Dumps Layers 2,3,4,7 of OSI Model

###Snort as a Packet Logger###
Note: Identical to sniffer, except data is directed to a file. Improves I/O.
snort -L snortlog.1
Note: Snort defaults to '/var/log/snort' to store binary log and alert file

snort -L snortlog.1 -l ./log

Note: Snort supports TCPDump's Boolean primitives and operators.
Additionally, Snort supports Berkeley Packet Filters (BPFs):
snort options BPFs


SYSLOG Implementation - Notes

Note: Syslog is the default logging handler/router in Solaris
Note: Defaults to UDP:514
Note: Segment your Syslog Host(s) on a distinct subnet, protected by ACLs

pkgchk -lP /usr/sbin/syslogd

Syslog can log to the following locations:
 1. remote host
 2. local file (Suggested destination because of I/O performance)
 3. console
 4. specific users
 5. *

Note: Syslog processes 3 pieces of information represented by 2 fields:
/etc/syslog.conf - primary configuration file for Syslog
man syslog.conf

1: selector (*.emerg) 2: action (/dev/console)
*.emerg /dev/console
Selector = facility(user).severity_level(debug)
Action = target for log entry (files, console, remote host)

###Syslog Recognized Facilities###
USER, KERN, MAIL (Postfix, Sendmail), DAEMON (programs), AUTH, LPR, NEWS, CRON, AUDIT, LOCAL0-7 (provides 8 usable facilities), MARK, *

###8 Syslog Recognized Severity Levels###
 1. EMERG - yields least output
 2. ALERT
 3. CRIT
 4. ERROR
 5. WARNING
 6. NOTICE
 7. INFO
 8. DEBUG - yields most output

Note: restart syslog after changing /etc/syslog.conf

local0.info /var/log/ciscofirewall1.log
touch /var/log/ciscofirewall1.log
svcadm restart system-log
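Added example (not from the UnixCBT notes): a shell matcher that applies the selector rules above (facility.severity, '*', 'none', severity ordering) to a constructed /etc/syslog.conf and reports which actions a given message reaches, so a rule such as the local0.info firewall line can be checked before restarting system-log. The configuration text is constructed; it is not the notes' file.

```shell
#!/bin/sh
# Added example (not from the UnixCBT notes): find which /etc/syslog.conf
# actions receive a message of a given facility and severity, applying the
# selector rules from the notes: facility.level matches that level and
# everything more severe, '*' is any facility, 'none' excludes a facility,
# and the last matching selector on a line wins. Constructed configuration.
# Caveat: Solaris syslogd requires a TAB between selector and action; this
# matcher accepts any whitespace, so it cannot catch a space-for-tab mistake.
SAMPLE_SYSLOG_CONF='# constructed /etc/syslog.conf
*.emerg                          /dev/console
*.err;kern.notice;auth.notice    /var/adm/messages
mail.debug                       /var/log/syslog
auth.info                        @loghost
local0.info                      /var/log/ciscofirewall1.log
*.alert;user.none                operator'

# sev_rank NAME -> 0 (emerg) .. 7 (debug); 99 for none; -1 if unknown
sev_rank() {
    case "$1" in
        emerg|panic)  printf '%s\n' 0 ;;
        alert)        printf '%s\n' 1 ;;
        crit)         printf '%s\n' 2 ;;
        err|error)    printf '%s\n' 3 ;;
        warning|warn) printf '%s\n' 4 ;;
        notice)       printf '%s\n' 5 ;;
        info)         printf '%s\n' 6 ;;
        debug)        printf '%s\n' 7 ;;
        none)         printf '%s\n' 99 ;;
        *)            printf '%s\n' -1 ;;
    esac
}

# syslog_actions CONF_TEXT FACILITY SEVERITY -> prints every action that
# would receive the message, one per line; fails on an unknown severity
syslog_actions() {
    rs=$(sev_rank "$3")
    [ "$rs" -ge 0 ] || { echo "unknown severity: $3" >&2; return 1; }
    set -f                       # '*' must not glob while we split selectors
    printf '%s\n' "$1" | while read -r selectors action; do
        case "$selectors" in ''|'#'*) continue ;; esac
        match=0
        saved_ifs=$IFS
        IFS=';'
        for sel in $selectors; do
            IFS=$saved_ifs
            level=${sel##*.}     # text after the last '.'
            facs=${sel%.*}       # comma-separated facilities before it
            IFS=','
            for f in $facs; do
                IFS=$saved_ifs
                if [ "$f" = '*' ] || [ "$f" = "$2" ]; then
                    # a later selector overrides an earlier one for this facility
                    if [ "$level" != none ] && [ "$rs" -le "$(sev_rank "$level")" ]; then
                        match=1
                    else
                        match=0
                    fi
                fi
            done
            IFS=';'
        done
        IFS=$saved_ifs
        if [ "$match" -eq 1 ]; then
            printf '%s\n' "$action"
        fi
    done
    set +f
}

# Stand-alone run: where does the notes' local0.info firewall line end up?
syslog_actions "$SAMPLE_SYSLOG_CONF" local0 info
```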

Log Rotation using logadm - Notes
which logadm
pkgchk -lP /usr/sbin/logadm - member of SUNWcsu
logadm is configured to run daily in root's crontab
crontab -l


/etc/logadm.conf - default configuration file
Note: don't memorize all parameters. Execute 'logadm -h'
Note: command-line directives override /etc/logadm.conf directives

Note: logadm preserves 10 backups of log files named logname.0-.9
Note: logadm supports shell wildcards '*', '?'

Zettabyte File System (ZFS) - Notes

Features:
 1. 256 quadrillion zettabytes (Terabytes - Petabytes - Exabytes - Zettabytes (1024 Exabytes))
 2. RAID-0/1 & RAID-Z (RAID-5 with enhancements) (2 required virtual devices)
 3. Snapshots - read-only copies of file systems or volumes
 4. Creates volumes
 5. Uses storage pools to manage storage - aggregates virtual devices
 6. File systems attached to pools grow dynamically as storage is added
 7. File systems may span multiple physical disks
 8. ZFS is transactional
 9. Pools & file systems are auto-mounted. No need to maintain /etc/vfstab
 10. Supports file system hierarchies: /pool1/{home(5GB),var(10GB),etc.}
 11. Supports reservation of storage: /pool1/{home(10GB),var}
 12. Provides a secure web-based management tool - https://localhost:6789/zfs

###ZFS - CLI###
zpool list - lists known pools
zpool create pool_name (alphanumeric, _, -, :, .)
Pool Name Constraints (DO NOT USE THESE NAMES FOR YOUR POOL NAMES):
 1. mirror
 2. raidz

zpool create pool_name device_name1 device_name2 device_name3 etc.
zpool create pool1 c0t1d0|/dev/dsk/c0t1d0

ZFS Pool Statuses:
 1. ONLINE
 2. DEGRADED
 3. FAULTED
 4. OFFLINE
 5. UNAVAILABLE

zfs list - returns ZFS dataset info.
zfs mount - returns pools and mount points
zpool status - returns virtual devices that constitute pools
Note: ZFS requires a minimum 128MB virtual device to create a pool

zpool destroy pool1 - Destroys pool and associated file systems

###Create file systems within pool1###
zfs create pool1/home - creates file system named 'home' in pool1
Note: Default action of 'zfs create pool1/home' makes all storage available to 'pool1' available to 'pool1/home'

###Set quota on existing file system###
zfs set quota=10G pool1/home

###Create user-based file system beneath pool1/home###
zfs create pool1/home/unixcbt
Note: ZFS inherits properties from immediate ancestor

zfs get -r compression pool1 - returns compression property for file systems associated with 'pool1'

###Rename File System###
zfs rename pool1/home/unixcbt pool1/home/unixcbt2

###Extending pool storage dynamically###
zpool add pool1 c0t2d0

###ZFS Redundancy/Replication###
 1. Mirroring - RAID-1
 2. RAID-5 - RAID-Z

Virtual Devices:
 1. c0t1d0 - 36GB
 2. c0t2d0 - 36GB

Note: Redundancy/Replication is associated directly with the pool

zpool create poolmirror1 mirror c0t1d0 c0t2d0

###ZFS Snapshots###
Features:
 1. Read-only copies of volumes or file systems
 2. Use no additional space, initially

zfs list -t snapshot - returns available snapshots

Solaris Zones - Notes
Features:
 1. Virtualization - i.e. VMWare
 2. Solaris Zones can host only instances of Solaris. Not other OSs.
 3. Limit of 8192 zones per Solaris host
 4. Primary zone (global) has access to ALL zones
 5. Non-global zones do NOT have access to other non-global zones
 6. Default non-global zones derive packages from global zone
 7. Program isolation - zone1 (Apache), zone2 (MySQL)
 8. Provides 'z' commands to manage zones: zlogin, zonename, zoneadm, zonecfg

###Features of GLOBAL zone###
 1. Solaris ALWAYS boots (cold/warm) to the global zone
 2. Knows about ALL hardware devices attached to the system
 3. Knows about ALL non-global zones

###Features of NON-GLOBAL zones###
 1. Installed at a location on the filesystem of the GLOBAL zone, the 'zone root path': /export/home/zones/{zone1,zone2,zone3,...}
 2. Share packages with GLOBAL zone
 3. Manage distinct hostname and tables files
 4. Cannot communicate with other non-global zones by default. NIC must be used, which means, use standard network API (TCP)
 5. GLOBAL zone admin. can delegate non-global zone administration

###Zone Configuration###
Use: zonecfg - to configure zones
Note: zonecfg can be run in interactive, non-interactive, and command-file modes

Requirements for non-global zones:
 1. hostname
 2. zone root path. i.e. /export/home/zones/testzone1
 3. IP address - bound to logical or physical interface

Zone Types:
 1. Sparse Root Zones - share key files with global zone
 2. Whole Root Zones - require more storage

Steps for configuring non-global zone:
 1. mkdir /export/home/zones/testzone1 && chmod 700 /export/home/zones/testzone1
 2. zonecfg -z testzone1
 3. create
 4. set zonepath=/export/home/zones/testzone1 - sets root of zone
 5. add net ; set address=192.168.1.60
 6. set physical=e1000g0
 7. (optional) set autoboot=true - testzone1 will be started when system boots
 8. (optional) add attr ; set name=comment; set type=string; set value="TestZone1"
 9. verify zone - verifies zone for errors
 10. commit changes - commit

 11. Zone Installation - zoneadm -z testzone1 install - places zone 'testzone1' into 'installed' state. NOT ready for production
 12. zoneadm -z testzone1 boot - boots the zone, changing its state

###Zlogin - is used to login to zones###
Note: each non-global zone maintains a console. Use 'zlogin -C zonename' after installing zone to complete zone configuration

Note: Zlogin permits login to non-global zone via the following:
 1. Interactive - i.e. zlogin -l username zonename
 2. Non-interactive - zlogin options command
 3. Console mode - zlogin -C zonename
 4. Safe mode - zlogin -S

zoneadm -z testzone1 reboot - reboots the zone
zlogin testzone1 shutdown
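Added example (not from the UnixCBT notes): the zone configuration steps above, expressed as a shell generator for a zonecfg command file (zonecfg's command-file mode, 'zonecfg -z name -f file') that validates the zone name, zonepath and IPv4 address first and creates the zone root with the mode 700 the notes require. The zone values mirror testzone1 from the notes; the validation rules and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the UnixCBT notes): generate a zonecfg command file
# for the non-global zone described in the notes, checking the inputs first.
# Assumptions: one IPv4 address on one physical NIC, and a zonepath that
# zoneadm install only accepts when it is mode 700. The 'end' lines close
# each 'add net' / 'add attr' resource in zonecfg.

# valid_ipv4 ADDR -> 0 when ADDR is a dotted quad with octets 0-255
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_zonename NAME -> 0 for alphanumerics, '_', '-', '.' starting with an
# alphanumeric; 'global' is reserved for the global zone
valid_zonename() {
    case "$1" in
        ''|global|[!A-Za-z0-9]*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# zone_cmdfile NAME ZONEPATH ADDRESS NIC [AUTOBOOT] -> prints the command
# file for 'zonecfg -z NAME -f file'; non-zero (message on stderr) when an
# input is rejected
zone_cmdfile() {
    name=$1 zpath=$2 addr=$3 nic=$4 autoboot=${5:-false}
    valid_zonename "$name" || { echo "bad zone name: $name" >&2; return 1; }
    case "$zpath" in
        /*) ;;
        *) echo "zonepath must be absolute: $zpath" >&2; return 1 ;;
    esac
    valid_ipv4 "$addr" || { echo "bad IPv4 address: $addr" >&2; return 1; }
    [ -n "$nic" ] || { echo "physical interface required" >&2; return 1; }
    cat <<EOF
create
set zonepath=$zpath
set autoboot=$autoboot
add net
set address=$addr
set physical=$nic
end
add attr
set name=comment
set type=string
set value="$name"
end
verify
commit
EOF
}

# prepare_zonepath DIR -> creates the zone root with the mode 700 that
# 'zoneadm install' insists on (step 1 of the notes)
prepare_zonepath() {
    mkdir -p "$1" && chmod 700 "$1"
}

# Stand-alone run, mirroring the testzone1 values from the notes; on a real
# host follow it with: zonecfg -z testzone1 -f testzone1.cfg
zone_cmdfile testzone1 /export/home/zones/testzone1 192.168.1.60 e1000g0 true
```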