Oracle Solaris 11 - Best for Enterprise Applications
DESCRIPTION
This presentation details some of the basic features of Oracle Solaris 11 that can be used as building blocks to deploy an enterprise application. Specifically, it uses a simple deployment example that creates an IPS package for an application, integrates that application with SMF to provide an initial level of continuous service availability, and deploys it in an Oracle Solaris Zone using network virtualization to throttle bandwidth. Starting from this simple deployment example and adding integrated services like Immutable Zones, Delegated Administration, Firewall or Load Balancing, an administrator can build up to a more advanced deployment scenario.
TRANSCRIPT
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.1
Oracle Solaris 11 – Best for Enterprise Applications
Name: Glynn Foster
Title: Principal Product Manager
A Simple Deployment Example
Key Technologies:
Installation using Image Packaging System
Integrated into Service Management Facility
Deployed into an Oracle Solaris Zone with bandwidth resource management using network virtualization
Network repositories
Integrated packaging and patching
Automatic software dependencies
Integrated with SMF and Zones
System updates through ZFS Boot Environments
Fast reboot capability
Integrated Package Management
Image Packaging System (IPS)
What it provides:
Single command for packaging and patching maintenance – familiar to Linux admins
How you benefit:
Fast and safe system updates with rollback
No more version ambiguity
Avoid getting into an unsupportable system state
Minimized installs are easy
Key Terminology of IPS
Publisher: An entity that creates a package
Repository: Contains a selection of packages
Package: Collection of files, directories, links, services and other data wrapped up into a single bundle that can be installed
Manifest: A file that describes how a package is assembled
Looking at Package Manifest Output
We can see a package manifest using pkg contents
# pkg contents -m gzip
set name=pkg.fmri value=pkg://solaris/compress/[email protected],5.11-0.175.1.0.0.24.0:20120904T170603Z
set name=org.opensolaris.consolidation value=userland
set name=pkg.summary value="GNU Zip (gzip)"
set name=pkg.description value="The GNU Zip (gzip) compression utility"
set name=info.source-url value=ftp://ftp.gnu.org/gnu/gzip/gzip-1.4.tar.gz
set name=info.classification value="org.opensolaris.category.2008:Applications/System Utilities"
set name=info.upstream-url value=http://www.gnu.org/software/gzip/
set name=org.opensolaris.arc-caseid value=PSARC/2000/488
set name=variant.arch value=i386 value=sparc
depend fmri=pkg:/system/[email protected] type=require
. . .
Breaking down a Package Manifest (part 1)
Action: Define the software that comprises a package
set, file, dir, link, hardlink, driver, depend, license, user, group, signature, legacy
Actuator: A tag applied to an action that causes a system change when installed, uninstalled or updated
Breaking down a Package Manifest (part 2)
Facet: Selectable subsets of packages (documentation, locales, man pages)
Variant: Provides support for multiple exclusive software components (SPARC vs x86, optimized vs debug, global zone vs non-global zone)
Mediator: Ability to deliver multiple implementations of software (GCC, Python, Java)
Tools to Create Packages
pkgsend – Publish / Update packages
pkgmogrify – Programmatically edit package manifests
pkgdepend – Manage package dependencies
pkgmerge – Create multi-variant packages
pkglint – Sanity check package manifests
pkgsign – Cryptographically sign a package
pkgrepo – Create and manage package repositories
pkgfmt – Create more human-readable package manifests
Package Dependencies
require – Causes another package to be installed
require-any – Installs one of a set of packages
conditional – If one package is installed, install a second
group – Similar to require, but user can override
optional – Establishes a minimum version
incorporate – Constrain the version of another package
parent – Incorporate enforced on a non-global zone
exclude – Prevent another package from being installed
Steps to Creating an IPS Package
1. Lay out your package as you want it – the proto area
2. Create an initial manifest from proto area with pkgsend generate
3. Modify generated manifest using pkgmogrify
– Add package names, versions, facets, actuators, description, summary, …
– Modify file layout, permissions, owners, …
4. Evaluate package dependencies with pkgdepend generate
5. Resolve package dependencies with pkgdepend resolve
6. Verify manifest with pkglint
Step 1: Lay Out the Proto Area
We wish to create a simple package delivering the following files
/usr/bin/mycmd
/usr/lib/mycmd.so.1
We need to lay this out within the proto area
/proto/usr/bin/mycmd
/proto/usr/lib/mycmd.so.1
Step 2: Create an Initial Manifest
Pass the proto area through pkgsend generate
# pkgsend generate proto | pkgfmt > mypkg.p5m.gen
The first intermediate file mypkg.p5m.gen looks like this
dir path=usr owner=root group=bin mode=0755
dir path=usr/bin owner=root group=bin mode=0755
file usr/bin/mycmd path=usr/bin/mycmd owner=root group=bin mode=0555
dir path=usr/lib owner=root group=bin mode=0755
file usr/lib/mycmd.so.1 path=usr/lib/mycmd.so.1 owner=root group=bin mode=0555
Step 3: Generate Required Metadata
Create mypkg.mog with metadata we will integrate into the manifest
set name=pkg.fmri [email protected],5.11-0
set name=pkg.summary value="This is an example package"
set name=pkg.description value="This is a full description"
set name=variant.arch value=$(ARCH)
set name=info.classification value=org.opensolaris.category.2008:Applications/Accessories
<transform dir path=usr$->drop>
Now we use pkgmogrify to pull it together
# pkgmogrify -DARCH=`uname -p` mypkg.p5m.gen mypkg.mog | pkgfmt > mypkg.p5m.mog
Step 3: Generate Required Metadata
The resulting file mypkg.p5m.mog looks like this
set name=pkg.fmri [email protected],5.11-0
set name=pkg.summary value="This is an example package"
set name=pkg.description value="This is a full description"
set name=info.classification \
    value=org.opensolaris.category.2008:Applications/Accessories
set name=variant.arch value=i386
dir path=usr/bin owner=root group=bin mode=0755
file usr/bin/mycmd path=usr/bin/mycmd owner=root group=bin mode=0555
dir path=usr/lib owner=root group=bin mode=0755
file usr/lib/mycmd.so.1 path=usr/lib/mycmd.so.1 owner=root group=bin mode=0555
Step 4: Evaluate Package Dependencies
First we need to generate package dependencies with pkgdepend generate
# pkgdepend generate -md proto mypkg.p5m.mog > mypkg.p5m.dep
Step 4: Evaluate Package Dependencies
The resulting file mypkg.p5m.dep includes lines like this
depend fmri=__TBD pkg.debug.depend.file=libpthread.so.1 pkg.debug.depend.path=usr/lib pkg.debug.depend.reason=usr/lib/mycmd.so.1 pkg.debug.depend.type=elf type=require
depend fmri=__TBD pkg.debug.depend.file=libthread.so.1 pkg.debug.depend.path=usr/lib/64 pkg.debug.depend.reason=usr/bin/mycmd pkg.debug.depend.type=elf type=require
Step 5: Resolve Package Dependencies
Then we need to resolve those package dependencies using pkgdepend resolve
# pkgdepend resolve -m mypkg.p5m.dep
Step 5: Resolve Package Dependencies
The resulting file mypkg.p5m.dep.res shows the following
set name=pkg.fmri [email protected],5.11-0
set name=pkg.summary value="This is an example package"
set name=pkg.description value="This is a full description"
set name=info.classification \
    value=org.opensolaris.category.2008:Applications/Accessories
set name=variant.arch value=i386
dir path=usr/bin owner=root group=bin mode=0755
file usr/bin/mycmd path=usr/bin/mycmd owner=root group=bin mode=0555
dir path=usr/lib owner=root group=bin mode=0755
file usr/lib/mycmd.so.1 path=usr/lib/mycmd.so.1 owner=root group=bin mode=0555
depend file=pkg:/system/library/[email protected] type=require
depend file=pkg:/system/[email protected] type=require
Step 6: Check for errors
Verify any errors in the manifest using pkglint
# pkglint mypkg.p5m.dep.res
Lint engine setup ...
Starting lint run ...
Creating a Repository for the Package
First we will need to create a package repository and set the publisher name
# pkgrepo create myrepository
# pkgrepo -s myrepository set publisher/prefix=mypublisher
Once we have created the repository, we can publish the package
# pkgsend -s myrepository publish -d proto mypkg.p5m.dep.res
pkg://mypublisher/[email protected],5.11-0:20121107T121231Z
PUBLISHED
Publishing the Package
Once we have created the repository, we can publish the package
# pkgsend -s myrepository publish -d proto mypkg.p5m.dep.res
pkg://mypublisher/[email protected],5.11-0:20121107T121231Z
PUBLISHED
# pkgrepo -s myrepository info
PUBLISHER     PACKAGE  STATUS  UPDATED
myrepository  1        online  2012-11-07T12:12:32.514635Z
Manifests and profile creation through svcbundle
Service dependencies
Email/SNMP state notifications
Layered configuration management
Automatic Service Restart
Service Management Facility (SMF)
What it provides:
Automatic restart for applications and dependent services
Easy management of services
How you benefit:
Protect your applications from hardware and software failures
Get notified on important system events
Key Terminology of SMF
Service: Higher level object that is usually connected with a process or daemon
Service Instance: An instance of a service – SMF has the ability to run multiple instances of a given service (e.g., Apache with different doc roots)
Manifest: Description of how a service is assembled including service instances
Profile: Provides additional service customization of configuration properties
Breaking down a Service Manifest
Delivered as an XML file located in /lib/svc/manifest
– Name, description and type of service
– Dependencies of a service
– Executable methods of a service (stop, start, refresh)
– Properties and property groups
A Typical SMF Manifest
<service name='network/ssh' type='service' version='1'>
  <create_default_instance enabled='false' />
  <single_instance />
  <dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
    <service_fmri value='svc:/system/filesystem/local' />
  </dependency>
  <exec_method type='method' name='start' exec='/lib/svc/method/sshd start' timeout_seconds='60' />
  <exec_method type='method' name='stop' exec='/lib/svc/method/sshd stop' timeout_seconds='60' />
  <property_group name='general' type='framework'>
    <propval name='action_authorization' type='astring' value='solaris.smf.manage.ssh' />
  </property_group>
  <template>
    <common_name><loctext xml:lang='C'>SSH server</loctext></common_name>
    <documentation><manpage title='sshd' section='1M' manpath='/usr/share/man' /></documentation>
  </template>
</service>
Creating an SMF Manifest (the easy way)
Fortunately svcbundle helps manifest creation
# svcbundle -o mycmd.xml -s service-name=application/mycmd -s start-method="/usr/bin/mycmd"
Creating an SMF Manifest (the easy way)
The resulting mycmd.xml file looks like
<?xml version="1.0" ?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!-- Manifest created by svcbundle (2012-Nov-08 01:51:01+1300) -->
<service_bundle type="manifest" name="application/mycmd">
<service version="1" type="service" name="application/mycmd">
<dependency restart_on="none" type="service" name="multi_user_dependency" grouping="require_all">
  <service_fmri value="svc:/milestone/multi-user" />
</dependency>
<exec_method timeout_seconds="60" type="method" name="start" exec="/usr/bin/mycmd" />
<exec_method timeout_seconds="60" type="method" name="refresh" exec=":true" />
Integrating into SMF
We could now simply copy into /lib/svc/manifest/site and restart the manifest-import service
# cp mycmd.xml /lib/svc/manifest/site
# svcadm restart manifest-import
# svcs application/mycmd
STATE    STIME    FMRI
offline  2:03:12  svc:/application/mycmd:default
Or integrate it into our IPS package using an actuator
Modifying the IPS manifest
We first copy the SMF manifest into our proto area
# mkdir -p /proto/lib/svc/manifest/site
# cp mycmd.xml /proto/lib/svc/manifest/site
Generating the New IPS Manifest
And then restart the process of generating our manifest – the following snippet shows the additions
dir path=lib owner=root group=bin mode=0755
dir path=lib/svc owner=root group=bin mode=0755
dir path=lib/svc/manifest owner=root group=bin mode=0755
dir path=lib/svc/manifest/site owner=root group=bin mode=0755
file lib/svc/manifest/site/mycmd.xml path=lib/svc/manifest/site/mycmd.xml owner=root group=bin mode=0644
Generating the New Metadata
The next step is modifying mypkg.mog – the following snippet lists the differences
set name=pkg.fmri [email protected],5.11-0
<transform dir path=lib(/.+)$->drop>
<transform file path=lib/svc/manifest/site(/.+)?->add restart_fmri svc:/system/manifest-import:default>
And continue as before
# pkgmogrify -DARCH=`uname -p` mypkg.p5m.gen mypkg.mog | pkgfmt > mypkg.p5m.mog
Creating the Package and Publishing
The resulting file mypkg.p5m.mog has the following changes
set name=pkg.fmri [email protected],5.11-0
file lib/svc/manifest/site/mycmd.xml path=lib/svc/manifest/site/mycmd.xml owner=root group=bin mode=0644 restart_fmri=svc:/system/manifest-import:default
And the process continues until publication
# pkgsend -s myrepository publish -d proto mypkg.p5m.dep.res
pkg://mypublisher/[email protected],5.11-0:20121107T140327Z
PUBLISHED
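An added example, not part of the original presentation and not Oracle tooling: a small Python pre-publication check that parses manifest actions in the format shown in the steps above and flags unresolved `fmri=__TBD` dependencies, group/world-writable or setuid/setgid modes, and SMF manifest files delivered without the `restart_fmri` actuator. The function names and the choice of checks are assumptions made for illustration; pkglint remains the verification step the presentation uses.

```python
import shlex

SMF_DIR = "lib/svc/manifest/"
IMPORT_FMRI = "svc:/system/manifest-import:default"  # actuator target from the page


def logical_lines(text):
    """Yield (first_line_number, line), folding backslash continuations."""
    buf, start = "", 0
    for num, raw in enumerate(text.splitlines(), 1):
        start = start or num
        stripped = raw.strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        line, buf = (buf + stripped).strip(), ""
        if line and not line.startswith(("#", "<")):  # skip comments, transforms
            yield start, line
        start = 0


def parse_action(line):
    """Return (action_type, attrs); attrs maps each key to its list of values."""
    kind, *tokens = shlex.split(line)
    attrs = {}
    for key, sep, value in (tok.partition("=") for tok in tokens):
        if sep:
            attrs.setdefault(key, []).append(value)
    return kind, attrs


def audit_manifest(text):
    """Return (line_number, finding) pairs for a .p5m manifest (illustrative checks)."""
    findings = []
    for num, line in logical_lines(text):
        kind, attrs = parse_action(line)
        path = attrs.get("path", [""])[0]
        if kind == "depend" and "__TBD" in attrs.get("fmri", []):
            findings.append((num, "unresolved dependency: run pkgdepend resolve"))
        if kind in ("file", "dir"):
            mode = int(attrs.get("mode", ["0"])[0], 8)
            if mode & 0o022:
                findings.append((num, f"{path}: group/world-writable mode {mode:04o}"))
            if mode & 0o6000:
                findings.append((num, f"{path}: setuid/setgid mode {mode:04o}"))
        if (kind == "file" and path.startswith(SMF_DIR)
                and IMPORT_FMRI not in attrs.get("restart_fmri", [])):
            findings.append((num, f"{path}: SMF manifest lacks restart_fmri actuator"))
    return findings

# Constructed sample: the page's manifest lines with three deliberately defective lines.
SAMPLE = """\
set name=pkg.summary value="This is an example package"
set name=info.classification \\
    value=org.opensolaris.category.2008:Applications/Accessories
dir path=usr/bin owner=root group=bin mode=0755
file usr/bin/mycmd path=usr/bin/mycmd owner=root group=bin mode=4777
file lib/svc/manifest/site/mycmd.xml path=lib/svc/manifest/site/mycmd.xml owner=root group=bin mode=0644
depend fmri=__TBD pkg.debug.depend.file=libpthread.so.1 type=require
"""

if __name__ == "__main__":
    for num, finding in audit_manifest(SAMPLE):
        print(f"line {num}: {finding}")
```

Run against the final mypkg.p5m.dep.res before pkgsend publish, an empty result means none of these three conditions is present; it does not replace pkglint.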
Adding the Repository
To add the repository we use pkg set-publisher
# pkg set-publisher -p myrepository
# pkg publisher
PUBLISHER    TYPE    STATUS  P  LOCATION
solaris      origin  online  F  https://pkg.oracle.com/solaris/release
mypublisher  origin  online  F  file:///myrepository
Resource management
Independent software stacks
Oracle Solaris 10 Environments
Immutable (Read-Only) Zones
Delegated Administration
Physical/Virtual to Virtual Migration
Application consolidation
Oracle Solaris Zones
What it provides:
Isolated and secure virtual environments
Low overhead virtualization with resource management
Simplified management and resource control
How you benefit:
Consolidate your applications without taking a performance penalty
Creating a Zone
To create a zone, we use the zonecfg command to configure, and zoneadm command to install
# zonecfg -z myzone
Use 'create' to begin configuring a new zone
zonecfg:myzone> create
Create: Using system default template 'SYSdefault'
zonecfg:myzone> set zonepath=/zones/myzone
zonecfg:myzone> set autoboot=true
zonecfg:myzone> verify
zonecfg:myzone> commit
zonecfg:myzone> exit
# zoneadm -z myzone install
Installing a Package in a Zone
Let’s check to see what the IPS configuration is
root@myzone:~# pkg publisher
PUBLISHER             TYPE    STATUS  P  LOCATION
solaris (syspub)      origin  online  T  <system-repository>
mypublisher (syspub)  origin  online  F  <system-repository>
Installing a Package in a Zone (part 2)
And now install our package
root@myzone:~# pkg install mypkg
           Packages to install:  1
       Create boot environment: No
Create backup boot environment: No
            Services to change:  1

DOWNLOAD   PKGS  FILES  XFER (MB)  SPEED
Completed  1/1   3/3    1.1/1.1    2.1M/s

PHASE                            ITEMS
Installing new actions           15/15
Updating package state database  Done
Creating fast lookup database    Done
Installing a Package in a Zone (part 3)
And we can check the state of the service
root@myzone:~# svcs application/mycmd
STATE   STIME    FMRI
online  7:02:48  svc:/application/mycmd:default
Virtual NICs and switches
Independent hardware lanes
Quality of Service
Integrated with Zones for Exclusive IP by default
Virtualizing the network
Network virtualization
What it provides:
Virtualized NICs that look and act like physical NICs
Easy resource management
How you benefit:
Protect applications from network events with bandwidth management
Checking the IP configuration
We can check the state of the global zone
# dladm show-phys
LINK  MEDIA     STATE  SPEED  DUPLEX  DEVICE
net0  Ethernet  up     1000   full    e1000g0
# ipadm show-addr
ADDROBJ  TYPE      STATE  ADDR
lo0/v4   static    ok     127.0.0.1/8
net0/v4  dhcp      ok     10.0.2.15/24
lo0/v6   static    ok     ::1/128
net0/v6  addrconf  ok     fe80::a0:27ff:fe01:a06d/10
# dladm show-vnic
LINK         OVER  SPEED  MACADDRESS       MACADDTYPE  VID
myzone/net0  net0  1000   2:8:20:fb:b1:76  random      0
Checking the IP configuration (part 2)
And check the state of the non-global zone myzone
root@myzone:~# ipadm show-addr
ADDROBJ  TYPE      STATE  ADDR
lo0/v4   static    ok     127.0.0.1/8
net0/v4  dhcp      ok     10.0.2.16/24
lo0/v6   static    ok     ::1/128
net0/v6  addrconf  ok     fe80::8:20ff:fefb:b176/10
Checking the IP configuration (part 3)
And we confirm in the zone configuration
# zonecfg -z myzone info
zonename: myzone
zonepath: /zones/myzone
brand: solaris
autoboot: true
bootargs:
file-mac-profile:
pool:
limitpriv:
scheduling-class:
ip-type: exclusive
Management of Bandwidth Property
We can simply make the change to be persistent across reboot
# zonecfg -z myzone
zonecfg:myzone> select anet linkname=net0
zonecfg:myzone:anet> set maxbw=100M
zonecfg:myzone:anet> end
zonecfg:myzone> verify
zonecfg:myzone> commit
zonecfg:myzone> exit
And check the maxbw property once set
root@myzone:~# dladm show-linkprop maxbw
LINK  PROPERTY  PERM  VALUE  DEFAULT  POSSIBLE
net0  maxbw     rw    100    --       --
Using Basic Building Blocks to Scale Larger
Next Steps?
Rapid zone cloning of dev/test/production environments using ZFS
Lock down non-global zone with Immutable Zones
Encrypt data with ZFS Encryption
Delegating maintenance with Zone Delegated Administration
Manage non-global zones remotely with Zones on Shared Storage
Isolate network traffic on shared physical network with VLAN VNICs
Increase application availability using Integrated Load Balancer
Protect against attack with integrated Firewall
More Information
Image Packaging System
http://www.oracle.com/technetwork/server-storage/solaris11/technologies/ips-323421.html
Service Management Facility
http://www.oracle.com/technetwork/server-storage/solaris11/technologies/smf-1690889.html
Oracle Solaris Zones
http://www.oracle.com/technetwork/server-storage/solaris11/technologies/virtualization-306056.html
Oracle Solaris Network Virtualization
http://www.oracle.com/technetwork/server-storage/solaris11/technologies/networkvirtualization-312278.html