How to Control Access to a Single Console by Using Rights Profiles

Oracle^® VM Server for SPARC 3.2 Administration Guide

Document Information

Using This Documentation

Part I Oracle VM Server for SPARC 3.2 Software

Chapter 1 Overview of the Oracle VM Server for SPARC Software

About Oracle VM Server for SPARC and Oracle Solaris OS Versions

Hypervisor and Logical Domains

Logical Domains Manager

Oracle VM Server for SPARC Physical-to-Virtual Conversion Tool

Oracle VM Server for SPARC Configuration Assistant

Oracle VM Server for SPARC Management Information Base

Oracle VM Server for SPARC Troubleshooting

Chapter 2 Oracle VM Server for SPARC Security

Delegating the Management of Logical Domains by Using Rights

Using Rights Profiles and Roles

Logical Domains Manager Profile Contents

Controlling Access to a Domain Console by Using Rights

How to Control Access to All Domain Consoles by Using Roles

How to Control Access to All Domain Consoles by Using Rights Profiles

How to Control Access to a Single Console by Using Roles

How to Control Access to a Single Console by Using Rights Profiles

Enabling and Using Auditing

How to Enable Auditing

How to Disable Auditing

How to Review Audit Records

How to Rotate Audit Logs

Using Domain Console Logging

How to Enable or Disable Console Logging

Service Domain Requirements for Domain Console Logging

Chapter 3 Setting Up Services and the Control Domain

Output Messages

Creating Default Services

Initial Configuration of the Control Domain

Rebooting to Use Domains

Enabling Networking Between the Control/Service Domain and Other Domains (Oracle Solaris 10 Only)

Enabling the Virtual Network Terminal Server Daemon

Chapter 4 Setting Up Guest Domains

Creating and Starting a Guest Domain

Installing Oracle Solaris OS on a Guest Domain

Chapter 5 Configuring I/O Domains

I/O Domain Overview

General Guidelines for Creating an I/O Domain

Chapter 6 Creating a Root Domain by Assigning PCIe Buses

Creating a Root Domain by Assigning PCIe Buses

Chapter 7 Creating an I/O Domain by Using Direct I/O

Creating an I/O Domain by Assigning PCIe Endpoint Devices

Direct I/O Hardware and Software Requirements

Current Direct I/O Feature Limitations

Planning PCIe Endpoint Device Configuration

Rebooting the Root Domain With PCIe Endpoints Configured

Making PCIe Hardware Changes

Creating an I/O Domain by Assigning a PCIe Endpoint Device

Chapter 8 Creating an I/O Domain by Using PCIe SR-IOV Virtual Functions

SR-IOV Overview

SR-IOV Hardware and Software Requirements

Current SR-IOV Feature Limitations

Static SR-IOV

Dynamic SR-IOV

Enabling I/O Virtualization

Planning for the Use of PCIe SR-IOV Virtual Functions

Using Ethernet SR-IOV Virtual Functions

Using InfiniBand SR-IOV Virtual Functions

Using Fibre Channel SR-IOV Virtual Functions

I/O Domain Resiliency

Rebooting the Root Domain With Non-Resilient I/O Domains Configured

Chapter 9 Using Non-primary Root Domains

Non-primary Root Domains Overview

Non-primary Root Domain Requirements

Non-primary Root Domain Limitations

Non-primary Root Domain Examples

Chapter 10 Using Virtual Disks

Introduction to Virtual Disks

Virtual Disk Identifier and Device Name

Managing Virtual Disks

Virtual Disk Appearance

Virtual Disk Back End Options

Virtual Disk Back End

Configuring Virtual Disk Multipathing

CD, DVD and ISO Images

Virtual Disk Timeout

Virtual Disk and SCSI

Virtual Disk and the format Command

Using ZFS With Virtual Disks

Using Volume Managers in an Oracle VM Server for SPARC Environment

Chapter 11 Using Virtual Networks

Introduction to a Virtual Network

Oracle Solaris 10 Networking Overview

Oracle Solaris 11 Networking Overview

Maximizing Virtual Network Performance

Virtual Switch

Virtual Network Device

Viewing Network Device Configurations and Statistics

Controlling the Amount of Physical Network Bandwidth That Is Consumed by a Virtual Network Device

Virtual Device Identifier and Network Interface Name

Assigning MAC Addresses Automatically or Manually

Using Network Adapters With Domains

Configuring a Virtual Switch and the Service Domain for NAT and Routing

Configuring IPMP in an Oracle VM Server for SPARC Environment

Using VLAN Tagging

Using Private VLANs

Tuning Packet Throughput Performance

Using NIU Hybrid I/O

Using Link Aggregation With a Virtual Switch

Configuring Jumbo Frames

Oracle Solaris 11 Networking-Specific Feature Differences

Chapter 12 Migrating Domains

Introduction to Domain Migration

Overview of a Migration Operation

Software Compatibility

Security for Migration Operations

FIPS 140-2 Mode for Domain Migration

Domain Migration Restrictions

Migrating a Domain

Migrating an Active Domain

Migrating Bound or Inactive Domains

Monitoring a Migration in Progress

Canceling a Migration in Progress

Recovering From a Failed Migration

Migration Examples

Chapter 13 Managing Resources

Resource Reconfiguration

Resource Allocation

CPU Allocation

Configuring the System With Hard Partitions

Assigning Physical Resources to Domains

Using Memory Dynamic Reconfiguration

Using Resource Groups

Using Power Management

Using Dynamic Resource Management

Listing Domain Resources

Using Perf-Counter Properties

Chapter 14 Managing Domain Configurations

Managing Domain Configurations

Available Configuration Recovery Methods

Addressing Service Processor Connection Problems

Chapter 15 Handling Hardware Errors

Hardware Error-Handling Overview

Using FMA to Blacklist or Unconfigure Faulty Resources

Recovering Domains After Detecting Faulty or Missing Resources

Marking Domains as Degraded

Marking I/O Resources as Evacuated

Chapter 16 Performing Other Administration Tasks

Entering Names in the CLI

Updating Property Values in the /etc/system File

Connecting to a Guest Console Over the Network

Using Console Groups

Stopping a Heavily Loaded Domain Can Time Out

Operating the Oracle Solaris OS With Oracle VM Server for SPARC

Using Oracle VM Server for SPARC With the Service Processor

Configuring Domain Dependencies

Determining Where Errors Occur by Mapping CPU and Memory Addresses

Using Universally Unique Identifiers

Virtual Domain Information Command and API

Using Logical Domain Channels

Booting a Large Number of Domains

Cleanly Shutting Down and Power Cycling an Oracle VM Server for SPARC System

Logical Domains Variable Persistence

Adjusting the Interrupt Limit

Listing Domain I/O Dependencies

Part II Optional Oracle VM Server for SPARC Software

Glossary

Index

Language:

Restrict access to a domain console by enabling console authorization checking.

primary# svccfg -s vntsd setprop vntsd/authorization = true
primary# svcadm refresh vntsd
primary# svcadm restart vntsd

Add an authorization for a single domain to the authorization description database.
The following example entry adds the authorization for a domain console:
```
solaris.vntsd.console-domain:::Access domain Console::
```
Create a rights profile with an authorization to access a specific domain console.
- Oracle Solaris 10 OS: Edit the /etc/security/prof_attr file.
```
domain Console:::Access domain
Console:auths=solaris.vntsd.console-domain
```
  This entry must be on a single line.
- Oracle Solaris 11 OS: Use the profiles command to create a new profile.
```
primary# profiles -p "domain Console" \
'set desc="Access domain Console";
set auths=solaris.vntsd.console-domain'
```
Assign the rights profile to a user.
The following commands assign the profile to a user:
- Oracle Solaris 10 OS: Assign the rights profile.
```
primary# usermod -P "All,Basic Solaris User,domain Console" username
```
  Note that the All and Basic Solaris User profiles are required.
- Oracle Solaris 11 OS: Assign the rights profile.
```
primary# usermod -P +"domain Console" username
```