C H A P T E R 3 |
This chapter describes how to install and enable Logical Domains Manager 1.0.3 software and other software on a control domain on the supported servers. Refer to “Supported Servers” in the Logical Domains (LDoms) 1.0.3 Release Notes for a list of supported servers.
You can use what you need from this chapter depending on your platform. If you are using Logical Domains software on a new Sun UltraSPARC T2 platform, all the software should come preinstalled from the factory.
This section contains information you need to know about saving and restoring the Logical Domains constraints database file or performing a live upgrade on the control domain.
Whenever you upgrade the operating system on the control domain, you must save and restore the Logical Domains constraints database file that can be found in /var/opt/SUNWldm/ldom-db.xml.
Note - You must also save and restore the /var/opt/SUNWldm/ldom-db.xml file when you perform any other operation that is destructive to the control domain’s file data, such as a disk swap. |
If you are using live upgrade on the control domain, consider adding the following line to the /etc/lu/synclist file:
/var/opt/SUNWldm/ldom-db.xml OVERWRITE |
This causes the database to be copied automatically from the active boot environment to the new boot environment when switching boot environments. For more information about /etc/lu/synclist and synchronizing files between boot environments, refer to “Synchronizing Files Between Boot Environments” in the Solaris 10 8/07 Installation Guide: Solaris Live Upgrade and Upgrade Planning.
Existing LDoms 1.0.1 and 1.0.2 configurations work in LDoms 1.0.3 software, so you do not need to perform the following procedure if you are upgrading from LDoms 1.0.1 or 1.0.2 software to LDoms 1.0.3 software. However, you do need to use the following procedure if you want to use your existing LDoms 1.0 configurations with LDoms 1.0.3 software.
Existing LDoms 1.0 configurations do not work in LDoms 1.0.3 software. The following procedure describes a method for saving and rebuilding a configuration using XML constraints files and the -i option to the ldm start-domain command. This method does not preserve actual bindings, only the constraints used to create those bindings. This means that, after this procedure, the domains will have the same virtual resources, but will not necessarily be bound to the same physical resources.
The basic process is to save the constraints information for each domain into an XML file, which can then be re-issued to the Logical Domains Manager after the upgrade to rebuild a desired configuration. This procedure works for guest domains, not the control domain. Although you can save the control (primary) domain’s constraints to an XML file, you cannot feed it back into the ldm start-domain -i command.
Update to the latest version of the Solaris OS. For more information, see Step 2, To Install the Solaris 10 OS.
For each domain, create an XML file containing the domain’s constraints.
# ldm ls-constraints -x ldom > ldom.xml |
List all the logical domain configurations stored on the system controller.
# ldm ls-config |
Remove each logical domain configuration stored on the system controller.
# ldm rm-config config_name |
Disable the Logical Domains Manager daemon (ldmd).
# svcadm disable ldmd |
Remove the Logical Domains Manager package (SUNWldm).
# pkgrm SUNWldm |
Remove the Solaris Security Toolkit package (SUNWjass) if you are using that.
# pkgrm SUNWjass |
Flash update the system firmware. For the entire procedure, see To Upgrade System Firmware or To Upgrade System Firmware Without an FTP Server.
Download the LDoms 1.0.3 software package.
See To Download the Logical Domains Manager, Solaris Security Toolkit, and Logical Domains MIB for procedures for downloading and installing the Logical domains Manager, the Solaris Security Toolkit, and the Logical Domains MIB.
Reconfigure the primary domain manually. For instructions, see To Set Up the Control Domain.
Run the following commands for each guest domain’s XML file you created in Step 2.
# ldm create -i ldom.xml # ldm bind-domain ldom # ldm start-domain ldom |
The first domain that is created when the Logical Domains Manager software is installed is the control domain. That first domain is named primary, and you cannot change the name. The following major components are installed on the control domain.
Solaris 10 OS. Add any patches recommended in the Logical Domains (LDoms) 1.0.3 Release Notes, if necessary. See To Install the Solaris 10 OS.
System firmware version 6.5 for your Sun UltraSPARC T1 platform or system firmware version 7.0 for your Sun UltraSPARC T2 platform. See To Upgrade System Firmware.
Logical Domain Manager 1.0.3 software. See Installing Logical Domains Manager and Solaris Security Toolkit .
(Optional) Solaris Security Toolkit 4.2 software. See Installing Logical Domains Manager and Solaris Security Toolkit .
(Optional) Logical Domains (LDoms) Management Information Base (MIB) software package. Refer to the Logical Domains (LDoms) Management Information Base (MIB) 1.0.1 Administration Guide for more information about installing and using the LDoms MIB.
The Solaris OS and the system firmware must be installed on your server before you install the Logical Domains Manager. After the Solaris OS, the system firmware, and the Logical Domains Manager have been installed, the original domain becomes the control domain.
Install the Solaris 10 OS if it has not already been installed. Refer to “Required and Recommended Software” in the Logical Domains (LDoms) 1.0.3 Release Notes to find the Solaris 10 OS that you should use for this version of the Logical Domains software. Refer to your Solaris 10 OS installation guide for complete instructions for installing the Solaris OS. You can tailor your installation to the needs of your system.
Note - For logical domains, you can install the Solaris OS only to an entire disk or a file exported as a block device. |
Minimization is optional. The Solaris Security Toolkit has the following JumpStart minimization profile for Logical Domains software:
Install the required patches if you are installing the Solaris 10 11/06 OS. Refer to “Required Solaris 10 11/06 OS Patches” in the Logical Domains (LDoms) 1.0.3 Release Notes for the list of required patches.
You can find system firmware for your platform at the SunSolve site:
Refer to “Required System Firmware Patches” in the Logical Domains (LDoms) 1.0.3 Release Notes for required system firmware by supported servers.
This procedure describes how to upgrade system firmware using the flashupdate(1M) command on your system controller.
If you do not have access to a local FTP server, see To Upgrade System Firmware Without an FTP Server.
If you want to update the system firmware from the control domain, refer to your system firmware release notes.
Refer to the administration guides or product notes for the supported servers for more information about installing and updating system firmware for these servers.
Shut down and power off the host server from either management port connected to the system controller: serial or network.
# shutdown -i5 -g0 -y |
Use the flashupdate(1M) command to upgrade the system firmware, depending on your server.
sc> flashupdate -s IP-address -f path/Sun_System_Firmware- x_x_x_build_nn-server-name.bin username: your-userid password: your-password |
sc> resetsc -y |
Power on and boot the host server.
sc> poweron -c ok boot disk |
If you do not have access to a local FTP server to upload firmware to the system controller, you can use the sysfwdownload utility, which is provided with your system firmware upgrade package on the SunSolve site:
Run the following commands within the Solaris OS.
# cd firmware_location # sysfwdownload system_firmware_file |
Shut down the Solaris OS instance.
# shutdown -i5 -g0 -y |
Power off and update the firmware on the system controller.
sc> poweroff -fy sc> flashupdate -s 127.0.0.1 |
Reset and power on the system controller.
sc> resetsc -y sc> poweron |
To Download the Logical Domains Manager, Solaris Security Toolkit, and Logical Domains MIB |
Download the tar file (LDoms_Manager-1_0_3-04.zip) containing the Logical Domains Manager package (SUNWldm), the Solaris Security Toolkit (SUNWjass) and installation script (install-ldm), and the Logical Domains Management Information Base package (SUNWldmib.v) from the Sun Software Download site. You can find the software from this web site:
$ unzip LDoms_Manager-1_0_3-04.zip |
The directory structure for the downloaded software is similar to the following:
There are three methods of installing Logical Domains Manager and Solaris Security Toolkit software:
Using the installation script to install the packages and patches. This automatically installs both the Logical Domains Manager and the Solaris Security Toolkit software. See Using the Installation Script to Install the Logical Domains Manager 1.0.3 and Solaris Security Toolkit 4.2 Software.
Using JumpStart to install the packages. See Using JumpStart to Install the Logical Domains Manager 1.0.3 and Solaris Security Toolkit 4.2 Software.
Installing each package manually. See Installing Logical Domains Manager and Solaris Security Toolkit Software Manually.
If you use the install-ldm installation script, you have several choices to specify how you want the script to run. Each choice is described in the procedures that follow.
Using the install-ldm script with no options does the following automatically:
Verifies that the package subdirectories SUNWldm/ and SUNWjass/ are present
Verifies that the prerequisite Solaris Logical Domains driver packages, SUNWldomr and SUNWldomu, are present
Verifies that the SUNWldm and SUNWjass packages have not been installed
Note - If the script does detect a previous version of SUNWjass during installation, you will need to remove it. You do not need to undo any previous hardening of your Solaris OS. |
Installs the Logical Domains Manager 1.0.3 software (SUNWldm package)
Installs the Solaris Security Toolkit 4.2 software including required patches (SUNWjass package)
Hardens the Solaris OS on the control domain with the Solaris Security Toolkit ldm_control-secure.driver or one of the other drivers ending in -secure.driver that you select.
Using the install-ldm script with option -d allows you to specify a Solaris Security Toolkit driver other than a driver ending with -secure.driver. This option automatically performs all the functions listed in the preceding choice with the added option:
Using the install-ldm script with option -d and specifying none specifies that you do not want to harden the Solaris OS running on your control domain by using the Solaris Security Toolkit. This option automatically performs all the functions except hardening listed in the preceding choices. Bypassing the use of the Solaris Security Toolkit is not suggested and should only be done when you intend to harden your control domain using an alternate process.
Using the install-ldm script with option -p specifies that you only want to perform the post-installation actions of enabling the Logical Domains Manager daemon (ldmd) and running the Solaris Security Toolkit. For example, you would use this option if the SUNWldm and SUNWjass packages are preinstalled on your server. See To Install Using the install-ldm Script With the -p Option
Run the installation script with no options.
The installation script is part of the SUNWldm package and is in the Install subdirectory.
# Install/install-ldm |
If one or more packages are previously installed, you receive this message.
# Install/install-ldm ERROR: One or more packages are already installed: SUNWldm SUNWjass. If packages SUNWldm.v and SUNWjass are factory pre-installed, run install-ldm -p to perform post-install actions. Otherwise remove the package(s) and restart install-ldm. |
If you want to perform post-installation actions only, go to To Install Using the install-ldm Script With the -p Option.
If the process is successful, you receive messages similar to the following examples.
Code Example 3-2 shows a successful run of the install-ldm script if you choose the following default security profile:
Code Example 3-3 shows a successful run of the install-ldm script if you choose the following security profile:
c) Your custom-defined Solaris security configuration profile
The drivers that are displayed for you to choose are drivers ending with -secure.driver. If you write a customized driver that does not end with -secure.driver, you must specify your customized driver with the install-ldm -d option. (See To Install Using the install-ldm Script With the -d Option.)
Run the installation script with the -d option to specify a Solaris Security Toolkit customized hardening driver; for example, server-secure-myname.driver.
The installation script is part of the SUNWldm package and is in the Install subdirectory.
# Install/install-ldm -d server-secure-myname.driver |
If the process is successful, you receive messages similar to that in Code Example 3-4.
To Install Using the install-ldm Script With the -d none Option |
Run the installation script with the -d none option to specify not to harden your system using a Solaris Security Toolkit driver.
The installation script is part of the SUNWldm package and is in the Install subdirectory.
# Install/install-ldm -d none |
If the process is successful, you receive messages similar to the example shown in Code Example 3-5.
You might use this option if the SUNWldm and SUNWjass packages are preinstalled on your server and you want to perform the post-installation actions of enabling the Logical Domains Manager daemon (ldmd) and running the Solaris Security Toolkit.
Run the installation script with the -p option to perform only the post-installation actions of enabling ldmd and running the Solaris Security Toolkit to harden your system.
# Install/install-ldm -p Verifying that all packages are fully installed. OK. Enabling services: svc:/ldoms/ldmd:default Running Solaris Security Toolkit 4.2.0 driver ldm_control-secure.driver. Please wait. . . /opt/SUNWjass/bin/jass-execute -q -d ldm_control-secure.driver Solaris Security Toolkit hardening executed successfully; log file var/opt/SUNWjass/run/20070515140944/jass-install-log.txt. It will not take effect until the next reboot. Before rebooting, make sure SSH or the serial line is setup for use after the reboot. |
Refer to JumpStart Technology: Effective Use in the Solaris Operating Environment for complete information about using JumpStart.
Caution - Do not disconnect from the virtual console during a network installation. |
If you have already set up a JumpStart server, proceed to To Install Using JumpStart Software of this administration guide.
If you have not already set up a JumpStart server, you must do so.
Refer to the Solaris 10 11/06 Installation Guide: Custom JumpStart and Advanced Installation for complete information about this procedure. You can find this installation guide at:
Refer to Chapter 3 “Preparing Custom JumpStart Installations (Tasks)” in the Solaris 10 11/06 Installation Guide: Custom JumpStart and Advanced Installation, and perform the following steps.
Validate the rules file with the procedure in “Validating the rules File.”
The Solaris Security Toolkit provides profiles and finish scripts. Refer to the Solaris Security Toolkit 4.2 Reference Manual for more information about profiles and finish scripts.
Change to the directory where you have downloaded the Solaris Security Toolkit package (SUNWjass).
# cd /path-to-download |
Install SUNWjass so that it creates the JumpStart (jumpstart) directory structure.
# pkgadd -R /jumpstart -d . SUNWjass |
Use your text editor to modify the /jumpstart/opt/SUNWjass/Sysidcfg/Solaris_10/sysidcfg file to reflect your network environment.
Copy the /jumpstart/opt/SUNWjass/Drivers/user.init.SAMPLE file to the /jumpstart/opt/SUNWjass/Drivers/user.init file.
# cp user.init.SAMPLE user.init |
To install the Solaris Security Toolkit package (SUNWjass) onto the target system during a JumpStart install, you must place the package in the JASS_PACKAGE_MOUNT directory defined in your user.init file. For example:
# cp -r /path/to/LDoms_Manager-1_0_2/Product/SUNWjass /jumpstart/opt/SUNWjass/Packages |
To install the Logical Domains Manager package (SUNWldm.v) onto the target system during a JumpStart install, you must place the package from the download area in the JASS_PACKAGE_MOUNT directory defined in your user.init file. For example:
# cp -r /path/to/LDoms_Manager-1_0_2/Product/SUNWldm.v /jumpstart/opt/SUNWjass/Packages |
If you experience problems with a multihomed JumpStart server, modify the two entries in the user.init file for JASS_PACKAGE_MOUNT and JASS_PATCH_MOUNT to the correct path to the JASS_HOME_DIR/Patches and JASS_HOME_DIR/Packages directories. Refer to the comments in the user.init.SAMPLE file for more information.
Use the ldm_control-secure.driver as the basic driver for the Logical Domains Manager control domain.
Refer to Chapter 4 in the Solaris Security Toolkit 4.2 Reference Manual for information about how to modify the driver for your use. The main driver in the Solaris Security Toolkit that is the counterpart to the ldm_control-secure.driver is the secure.driver.
After completing the modifications to the ldm_control-secure.driver, make the correct entry in the rules file.
If you want to minimize the LDoms control domain, specify the minimal-ldm-control.profile in your rules file similar to the following.
hostname imbulu - Profiles/minimal-ldm_control.profile Drivers/ldm_control-secure-abc.driver |
If you do not want to minimize the LDoms control domain, your entry should be similar to the following.
hostname imbulu - Profiles/oem.profile Drivers/ldm_control-secure-abc.driver |
If you undo hardening during a JumpStart install, you must run the following SMF command to restart the Logical Domains Manager.
# svcadm enable svc:/ldoms/ldmd:default |
Perform the following procedures to install the Logical Domains Manager and Solaris Security Toolkit Software manually:
To Install the Logical Domains Manager (LDoms) 1.0.3 Software Manually.
(Optional) To Install the Solaris Security Toolkit 4.2 Software Manually.
To Install the Logical Domains Manager (LDoms) 1.0.3 Software Manually |
Download the Logical Domains Manager 1.0.3 software, the SUNWldm package, from the Sun Software Download site. See To Download the Logical Domains Manager, Solaris Security Toolkit, and Logical Domains MIB for specific instructions.
Use the pkgadd(1M) command to install the SUNWldm.v package. Use the -G option to install the package in the global zone only and the -d option to specify the path to the directory that contains the SUNWldm.v package.
# pkgadd -Gd . SUNWldm.v |
Answer y for yes to all questions in the interactive prompts.
Use the pkginfo(1) command to verify that the SUNWldm package for Logical Domains Manager 1.0.3 software is installed.
The revision (REV) information shown below is an example.
# pkginfo -l SUNWldm | grep VERSION VERSION=1.0.3,REV=2007.08.23.10.20 |
(Optional) To Install the Solaris Security Toolkit 4.2 Software Manually |
If you want to secure your system, download and install the SUNWjass package. The required patches (122608-03 and 125672-01) are included in the SUNWjass package. See To Download the Logical Domains Manager, Solaris Security Toolkit, and Logical Domains MIB for specific instructions about downloading the software.
See Chapter 2 in this document for more information about security considerations when using Logical Domains Manager software. For further reference, you can find Solaris Security Toolkit 4.2 documentation at:
Perform this procedure only if you have installed the Solaris Security Toolkit 4.2 package.
Note - When you use the Solaris Security Toolkit to harden the control domain, you disable many system services and place certain restrictions on network access. Refer to Related Documentation in this book to find Solaris Security Toolkit 4.2 documentation for more information. |
Harden using the ldm_control-secure.driver.
# /opt/SUNWjass/bin/jass-execute -d ldm_control-secure.driver |
You can use other drivers to harden your system. You can also customize drivers to tune the security of your environment. Refer to the Solaris Security Toolkit 4.2 Reference Manual for more information about drivers and customizing them.
Answer y for yes to all questions in the interactive prompts.
Shut down and reboot your server for the hardening to take place.
# /usr/sbin/shutdown -y -g0 -i6 |
Undo the configuration changes applied by the Solaris Security Toolkit.
# /opt/SUNWjass/bin/jass-execute -u |
The Solaris Security Toolkit asks you which hardening runs you want to undo.
Reboot the system so that the unhardened configuration takes place.
# /usr/sbin/shutdown -y -g0 -i6 |
# svcadm enable svc:/ldoms/ldmd:default |
The installation script install-ldm automatically enables the Logical Domains Manager Daemon (ldmd). If you have installed the Logical Domains Manager software manually, you must enable the Logical Domains Manager daemon, ldmd, which allows you to create, modify, and control the logical domains.
Use the svcadm(1M) command to enable the Logical Domains Manager daemon, ldmd.
# svcadm enable ldmd |
Use the ldm list command to verify that the Logical Domains Manager is running.
You receive a message similar to the following, which is for the factory-default configuration. Note that the primary domain is active, which means that the Logical Domains Manager is running.
# /opt/SUNWldm/bin/ldm list NAME STATE FLAGS CONS VCPU MEMORY UTIL UPTIME primary active ---c- SP 32 3264M 0.3% 19d 9m |
You set up authorization and profiles and assign roles for user accounts using the Solaris OS Role-Based Access Control (RBAC) adapted for the Logical Domains Manager. Refer to the Solaris 10 System Administrator Collection for more information about RBAC.
Authorization for the Logical Domains Manager has two levels:
Read – allows you to view, but not modify the configuration.
Read and write – allows you to view and change the configuration.
Following are the Logical Domains entries automatically added to the Solaris OS /etc/security/auth_attr file:
Use the following steps as necessary to add authorizations in the /etc/security/auth_attr file for Logical Domains Manager users. Because the superuser already has solaris.* authorization, the superuser already has permission for solaris.ldoms.* authorizations.
Create a local user account for each user who needs authorization to use the ldm(1M) subcommands.
Note - To add Logical Domains Manager authorization for a user, a local (non-LDAP) account must be created for that user. Refer to the Solaris 10 System Administrator Collection for details. |
Do one of the following depending on which ldm(1M) subcommands you want the user to be able to access.
See TABLE 2-1 for a list of ldm(1M) commands and their user authorizations.
The SUNWldm package adds two system-defined RBAC profiles in the /etc/security/prof_attr file for use in authorizing access to the Logical Domains Manager by non-superusers. The two LDoms-specific profiles are:
LDoms Review:::Review LDoms configuration:auths=solaris.ldoms.read
LDoms Management:::Manage LDoms domains:auths=solaris.ldoms.*
One of the preceding profiles can be assigned to a user account using the following procedure.
The advantage of using this procedure is that only a user who has been assigned a specific role can assume the role. In assuming a role, a password is required if the role is given a password. This provides two layers of security. If a user has not been assigned a role, then the user cannot assume the role (by doing the su role_name command) even if the user has the correct password.
# roleadd -A solaris.ldoms.read ldm_read |
Assign a password to the role.
# passwd ldm_read |
Assign the role to a user; for example, user_1.
# useradd -R ldm_read user_1 |
Assign a password to the user (user_1).
# passwd user_1 |
Assign access only to the user_1 account to become the ldm_read account.
# su user_1 |
Verify the user ID and access to the ldm_read role.
$ id uid=nn(user_1) gid=nn(<group name>) $ roles ldm_read |
Provide access to the user for ldm subcommands that have read authorization.
# su ldm_read |
Type the id command to show the user.
$ id uid=nn(ldm_read) gid=nn(<group name>) |
Copyright © 2008, Sun Microsystems, Inc. All rights reserved.