Logical Domains (LDoms) 1.1 Administration GuideTable Of Contents Previous ChapterNext ChapterBook Index



C H A P T E R  3

Installing and Enabling Software

This chapter describes how to install or upgrade the different software components required to enable the Logical Domains 1.1 software. Using the Logical Domains software requires the following components:

The Solaris OS and the system firmware must be installed or upgraded on your server before you install or upgrade the Logical Domains Manager. If your system is already using Logical Domains software, see Upgrading a System Already Using Logical Domains. Otherwise, see Installing Logical Domains Software on a New System.

Upgrading a System Already Using Logical Domains

Upgrading the Solaris OS

If your system is already configured with the Logical Domain software, then the control domain has to be upgraded. The other existing domains also have to be upgraded if you want to be able to use all features of the Logical Domains 1.1 software.

Refer to "Required Software and Patches" in the Logical Domains (LDoms) 1.1 Release Notes to find the Solaris 10 OS that you should use for this version of the Logical Domains software, and the required and recommended patches for the different domains. Refer to the Solaris 10 10/08 installation guide for complete instructions for upgrading the Solaris OS.

When upgrading the Solaris OS in the control domain, you need to save the Logical Domains constraints database file. This section contains information you need to know about saving and restoring the Logical Domains constraints database file.

Saving and Restoring the Logical Domains Constraints Database File

Whenever you upgrade the operating system on the control domain, you must save and restore the Logical Domains constraints database file that can be found in /var/opt/SUNWldm/ldom-db.xml.


Note - You must also save and restore the /var/opt/SUNWldm/ldom-db.xml file when you perform any other operation that is destructive to the control domain’s file data, such as a disk swap.


Preserving the Logical Domains Constraints Database File When Using Live Upgrade

If you are using live upgrade on the control domain, consider adding the following line to the /etc/lu/synclist file:


/var/opt/SUNWldm/ldom-db.xml     OVERWRITE

This causes the database to be copied automatically from the active boot environment to the new boot environment when switching boot environments. For more information about /etc/lu/synclist and synchronizing files between boot environments, refer to “Synchronizing Files Between Boot Environments” in the Solaris 10 8/07 Installation Guide: Solaris Live Upgrade and Upgrade Planning.

Upgrading From Solaris 10 OS Older Than Solaris 10 5/08 OS

If the control domain is upgraded from a Solaris 10 OS version older than Solaris 10 5/08 OS (or without patch 127127-11), and if volume manager volumes were exported as virtual disks, then the virtual disk backends must be re-exported with options=slice after the Logical Domain Manager has been upgraded. See Exporting Volumes and Backward Compatibility for more information.

Upgrading the Logical Domains Manager and the System Firmware

This section shows how to upgrade to LDoms 1.1 software.

First download the Logical Domains Manager and the Solaris Security Toolkit on the control domain, see Downloading Logical Domains Manager and Solaris Security Toolkit.

Then stop all domains (except the control domain) running on the platform:

procedure icon  Stop All Domains Running on the Platform, Except the Control Domain

  1. Bring down each domain to the ok prompt.

  2. Issue the stop-domain subcommand from the control domain for each domain.


    primary# ldm stop-domain ldom

  3. Issue the unbind-domain subcommand from the control domain for each domain.


    primary# ldm unbind-domain ldom

Upgrading to LDoms 1.1 Software

This section shows how to upgrade to LDoms 1.1 software.

Perform the procedure Upgrade From LDoms 1.0 Software if you want to use your existing LDoms 1.0 configurations with LDoms 1.1 software. Existing LDoms 1.0 configurations do not work in LDoms 1.1 software.

If you are upgrading from LDoms 1.0.1, 1.0.2, or 1.0.3 software, perform the procedure Upgrade From LDoms 1.0.1, 1.0.2, or 1.0.3. Existing LDoms 1.0.1, 1.0.2, and 1.0.3 configurations do work in LDoms 1.1 software.

procedure icon   Upgrade From LDoms 1.0 Software

Existing LDoms 1.0 configurations do not work in LDoms 1.1 software, so you need to save your LDoms 1.0 configurations before the upgrade to use them in LDoms 1.1 software. The following procedure describes a method for saving and rebuilding a configuration using XML constraints files and the -i option to the ldm add-domain command.

The basic process is to save the constraints information for each domain into an XML file, which can then be re-issued to the Logical Domains Manager after the upgrade to rebuild a desired configuration.

The procedure in this section works for guest domains, not the control domain. Although you can save the control (primary) domain’s constraints to an XML file, you cannot feed it back into the ldm add-domain -i command. However, you can use the resource constraints from the XML file to create the CLI commands to reconfigure your primary domain. See Rebuilding the Control Domain for instructions on how to translate typical XML output from an ldm list-constraints -x primary command into the CLI commands needed to reconfigure a primary domain.

The method that follows does not preserve actual bindings, only the constraints used to create those bindings. This means that, after this procedure, the domains will have the same virtual resources, but will not necessarily be bound to the same physical resources.

  1. For each domain, create an XML file containing the domain’s constraints.


    # ldm ls-constraints -x ldom > ldom.xml

  2. List all the logical domain configurations stored on the system controller.


    # ldm ls-config

  3. Remove each logical domain configuration stored on the system controller.


    # ldm rm-config config_name

  4. Disable the Logical Domains Manager daemon (ldmd).


    # svcadm disable ldmd

  5. Remove the Logical Domains Manager package (SUNWldm).


    # pkgrm SUNWldm

  6. Remove the Solaris Security Toolkit package (SUNWjass) if you are using that.


    # pkgrm SUNWjass

  7. Flash update the system firmware. For the entire procedure, see Upgrade System Firmware or Upgrade System Firmware Without an FTP Server.

  8. Reinstall the Logical Domain Manager and the Solaris Security Toolkit. See Installing the Logical Domains Manager and Solaris Security Toolkit .

  9. Reconfigure the primary domain manually. For instructions, see Set Up the Control Domain.

  10. Run the following commands for each guest domain’s XML file you created in Step 1.


    # ldm add-domain -i ldom.xml
# ldm bind-domain ldom
# ldm start-domain ldom

procedure icon   Upgrade From LDoms 1.0.1, 1.0.2, or 1.0.3

  1. Flash update the system firmware. For the entire procedure, see Upgrade System Firmware or Upgrade System Firmware Without an FTP Server.

  2. Disable the Logical Domains Manager daemon (ldmd).


    # svcadm disable ldmd

  3. Remove the old SUNWldm package.


    # pkgrm SUNWldm

  4. Add the new SUNWldm package.

    Specifying the -d option assumes that the package is in the current directory.


    # pkgadd -Gd . SUNWldm

  5. Refresh the Logical Domains Manager daemon (ldmd).


    # svcadm refresh ldmd

  6. Enable the Logical Domains Manager daemon (ldmd).


    # svcadm enable ldmd

  7. Use the ldm list command to verify that the Logical Domains Manager is running.

    You receive a message similar to the following, which is for the factory-default configuration. Note that the primary domain is active, which means that the Logical Domains Manager is running.


    # ldm list
NAME             STATE    FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
primary          active   ---c-   SP      32    3264M    0.3%  19d 9m

Installing Logical Domains Software on a New System

Sun platforms supporting Logical Domains software come preinstalled with the Solaris 10 OS. Initially, the Logical Domains software is not enabled, and the platform appears as a single system hosting only one operating system. After the Solaris OS, system firmware, and Logical Domains Manager have been installed, the original system and instance of the Solaris OS become the control domain. That first domain of the platform is named primary, and you cannot change that name or destroy that domain. From there, the platform can be reconfigured to have multiple domains hosting different instances of the Solaris OS.

Updating the Solaris OS

On a brand new system, you may want to reinstall the OS so that it conforms to your installation policy. In that case, refer to "Required and Recommended Solaris OS" in the Logical Domains (LDoms) 1.1 Release Notes to find the Solaris 10 OS that you should use for this version of the Logical Domains software. Refer to your Solaris 10 OS installation guide for complete instructions for installing the Solaris OS. You can tailor your installation to the needs of your system.

If your system is already installed then it needs to be upgraded to the appropriate Solaris 10 OS that should be used for this version of the Logical Domains software. Refer to "Required Software and Patches" in the Logical Domains (LDoms) 1.1 Release Notes to find the Solaris 10 OS that you should use for this version of the Logical Domains software and the required and recommended patches. Refer to the Solaris 10 10/08 Release and Installation Collection for complete instructions for upgrading the Solaris OS.

Upgrading the System Firmware

procedure icon   Upgrade System Firmware

You can find system firmware for your platform at the SunSolve site:

http://sunsolve.sun.com

Refer to “Required System Firmware Patches” in the Logical Domains (LDoms) 1.1 Release Notes for required system firmware by supported servers.

This procedure describes how to upgrade system firmware using the flashupdate(1M) command on your system controller.

Refer to the administration guides or product notes for the supported servers for more information about installing and updating system firmware for these servers.

  1. Shut down and power off the host server from either management port connected to the system controller: serial or network.


    # shutdown -i5 -g0 -y

  2. Use the flashupdate(1M) command to upgrade the system firmware, depending on your server.


    sc> flashupdate -s IP-address -f path/Sun_System_Firmware-
x_x_x_build_nn-server-name.bin
username: your-userid
password: your-password

    Where:

    • IP-address is the IP address of your FTP server.

    • path is the location in SunSolvesm or your own directory where you can obtain the system firmware image.

    • x_x_x is the version number of the System Firmware.

    • nn is the number of the build that applies to this release.

    • server-name is the name of your server. For example, the server-name for the Sun Fire T2000 server is Sun_Fire_T2000.

  3. Reset the system controller.


    sc> resetsc -y

  4. Power on and boot the host server.


    sc> poweron -c
ok boot disk

procedure icon   Upgrade System Firmware Without an FTP Server

If you do not have access to a local FTP server to upload firmware to the system controller, you can use the sysfwdownload utility, which is provided with your system firmware upgrade package on the SunSolve site:

http://sunsolve.sun.com

  1. Run the following commands within the Solaris OS.


    # cd firmware_location
# sysfwdownload system_firmware_file

  2. Shut down the Solaris OS instance.


    # shutdown -i5 -g0 -y

  3. Power off and update the firmware on the system controller.


    sc> poweroff -fy
sc> flashupdate -s 127.0.0.1

  4. Reset and power on the system controller.


    sc> resetsc -y
sc> poweron

Downloading Logical Domains Manager and Solaris Security Toolkit

procedure icon   Download the Software

  1. Download the zip file (LDoms_Manager-1_1.zip) from the Sun Software Download site. You can find the software from this web site:

    http://www.sun.com/ldoms

  2. Unzip the zip file.


    $ unzip LDoms_Manager-1_1.zip

    The Logical Domains Manager and the Solaris Security Toolkit are bundled in the same zip file. Refer to “Location of Logical Domains 1.1 Software” in the Logical Domains (LDoms) 1.1 Release Notes for details about the structure of the file and what it includes.

Installing the Logical Domains Manager and Solaris Security Toolkit

There are three methods of installing Logical Domains Manager and Solaris Security Toolkit software:


Note - Remember that you need to manually install the LDoms MIB software package after you install the LDoms and Solaris Security Toolkit packages. It is not automatically installed with the other packages. Refer to the Logical Domains (LDoms) Management Information Base 1.0.1 Administration Guide for more information about installing and using the LDoms MIB.


Installing the Logical Domains Manager and Solaris Security Toolkit Software Automatically

If you use the install-ldm installation script, you have several choices to specify how you want the script to run. Each choice is described in the procedures that follow.

  • Using the install-ldm script with no options does the following automatically:

    • Checks that the Solaris OS release is Solaris 10 11/06 at a minimum

    • Verifies that the package subdirectories SUNWldm/ and SUNWjass/ are present

    • Verifies that the prerequisite Solaris Logical Domains driver packages, SUNWldomr and SUNWldomu, are present

    • Verifies that the SUNWldm and SUNWjass packages have not been installed


      Note - If the script does detect a previous version of SUNWjass during installation, you must remove it. You do not need to undo any previous hardening of your Solaris OS.


    • Installs the Logical Domains Manager 1.1 software (SUNWldm package)

    • Installs the Solaris Security Toolkit 4.2 software including required patches (SUNWjass package)

    • Verifies that all packages are installed

    • Enables the Logical Domains Manager daemon, ldmd

    • Hardens the Solaris OS on the control domain with the Solaris Security Toolkit ldm_control-secure.driver or one of the other drivers ending in -secure.driver that you select.

  • Using the install-ldm script with option -d allows you to specify a Solaris Security Toolkit driver other than a driver ending with -secure.driver. This option automatically performs all the functions listed in the preceding choice with the added option:

    • Hardens the Solaris OS on the control domain with the Solaris Security Toolkit customized driver that you specify; for example, the server-secure-myname.driver.

  • Using the install-ldm script with option -d and specifying none specifies that you do not want to harden the Solaris OS running on your control domain by using the Solaris Security Toolkit. This option automatically performs all the functions except hardening listed in the preceding choices. Bypassing the use of the Solaris Security Toolkit is not suggested and should only be done when you intend to harden your control domain using an alternate process.

  • Using the install-ldm script with option -p specifies that you only want to perform the post-installation actions of enabling the Logical Domains Manager daemon (ldmd) and running the Solaris Security Toolkit. For example, you would use this option if the SUNWldm and SUNWjass packages are preinstalled on your server. See Enable the Logical Domains Manager Daemon and Run the Solaris Security Toolkit Only

procedure icon   Install With No Special Options

  •   Run the install-ldm installation script with no options.

    The installation script is part of the SUNWldm package and is in the Install subdirectory.


    # Install/install-ldm

    1. If one or more packages are previously installed, you receive this message.


      # Install/install-ldm
ERROR: One or more packages are already installed: SUNWldm SUNWjass.
If packages SUNWldm.v and SUNWjass are factory pre-installed, run
install-ldm -p to perform post-install actions.  Otherwise remove the
package(s) and restart install-ldm.

      If you want to perform post-installation actions only, go to Enable the Logical Domains Manager Daemon and Run the Solaris Security Toolkit Only.

    2. If the process is successful, you receive messages similar to the following examples.

    • Code Example 3-2 shows a successful run of the install-ldm script if you choose the following default security profile:

      a) Hardened Solaris configuration for LDoms (recommended)

    • Code Example 3-3 shows a successful run of the install-ldm script if you choose the following security profile:

      c) Your custom-defined Solaris security configuration profile

      The drivers that are displayed for you to choose are drivers ending with -secure.driver. If you write a customized driver that does not end with -secure.driver, you must specify your customized driver with the install-ldm -d option. (See Install With a Customized Hardening Driver.)


EXAMPLE 3-1   Output From Hardened Solaris Configuration for LDoms  
# Install/install-ldm
Welcome to the LDoms installer.
 
You are about to install the domain manager package that will enable
you to create, destroy and control other domains on your system. Given
the capabilities of the domain manager, you can now change the security
configuration of this Solaris instance using the Solaris Security
Toolkit.
 
Select a security profile from this list:
 
a) Hardened Solaris configuration for LDoms (recommended)
b) Standard Solaris configuration
c) Your custom-defined Solaris security configuration profile
 
Enter a, b, or c [a]: a
The changes made by selecting this option can be undone through the
Solaris Security Toolkit’s undo feature. This can be done with the
‘/opt/SUNWjass/bin/jass-execute -u’ command.
 
Installing LDoms and Solaris Security Toolkit packages.
pkgadd -n -d "/var/tmp/install/Product/Logical_Domain_Manager" -a pkg_admin SUNWldm.v
Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
 
Installation of <SUNWldm> was successful.
pkgadd -n -d "/var/tmp/install/Product/Solaris_Security_Toolkit" -a pkg_admin SUNWjass
Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
 
Installation of <SUNWjass> was successful. 
 
Verifying that all packages are fully installed.  OK.
Enabling services: svc:/ldoms/ldmd:default
Running Solaris Security Toolkit 4.2.0 driver ldm_control-secure.driver.
Please wait. . . 
/opt/SUNWjass/bin/jass-execute -q -d ldm_control-secure.driver
Executing driver, ldm_control-secure.driver
Solaris Security Toolkit hardening executed successfully; log file
/var/opt/SUNWjass/run/20070208142843/jass-install-log.txt.  It will not
take effect until the next reboot.  Before rebooting, make sure SSH or
the serial line is setup for use after the reboot.


EXAMPLE 3-2   Output From Choosing Customized Configuration Profile  
# Install/install-ldm
Welcome to the LDoms installer.
 
You are about to install the domain manager package that will enable
you to create, destroy and control other domains on your system. Given
the capabilities of the domain manager, you can now change the security
configuration of this Solaris instance using the Solaris Security
Toolkit.
 
Select a security profile from this list:
 
a) Hardened Solaris configuration for LDoms (recommended)
b) Standard Solaris configuration
c) Your custom-defined Solaris security configuration profile
 
Enter a, b, or c [a]: c
Choose a Solaris Security Toolkit .driver configuration profile from
this list
1) ldm_control-secure.driver
2) secure.driver
3) server-secure.driver
4) suncluster3x-secure.driver
5) sunfire_15k_sc-secure.driver
 
Enter a number 1 to 5: 2
The driver you selected may not perform all the LDoms-specific
operations specified in the LDoms Administration Guide.
Is this OK (yes/no)? [no] y
The changes made by selecting this option can be undone through the
Solaris Security Toolkit’s undo feature. This can be done with the
‘/opt/SUNWjass/bin/jass-execute -u’ command.
 
Installing LDoms and Solaris Security Toolkit packages.
pkgadd -n -d "/var/tmp/install/Product/Logical_Domain_Manager" -a pkg_admin SUNWldm.v
Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
 
Installation of <SUNWldm> was successful.
pkgadd -n -d "/var/tmp/install/Product/Solaris_Security_Toolkit" -a pkg_admin SUNWjass
Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
 
Installation of <SUNWjass> was successful. 
 
Verifying that all packages are fully installed.  OK.
Enabling services: svc:/ldoms/ldmd:default
Running Solaris Security Toolkit 4.2.0 driver secure.driver.
Please wait. . . 
/opt/SUNWjass/bin/jass-execute -q -d secure.driver
Executing driver, secure.driver
Solaris Security Toolkit hardening executed successfully; log file
/var/opt/SUNWjass/run/20070102142843/jass-install-log.txt.  It will not
take effect until the next reboot.  Before rebooting, make sure SSH or
the serial line is setup for use after the reboot.

procedure icon   Install With a Customized Hardening Driver

  •   Run the install-ldm installation script with the -d option to specify a Solaris Security Toolkit customized hardening driver; for example, server-secure-myname.driver.

    The installation script is part of the SUNWldm package and is in the Install subdirectory.


    # Install/install-ldm -d server-secure-myname.driver

    If the process is successful, you receive messages similar to that in Code Example 3-4.


EXAMPLE 3-3   Output From Successful Run of the install-ldm -d Script  
# Install/install-ldm -d server-secure.driver
The driver you selected may not perform all the LDoms-specific
operations specified in the LDoms Administration Guide.
Installing LDoms and Solaris Security Toolkit packages.
pkgadd -n -d "/var/tmp/install/Product/Logical_Domain_Manager" -a pkg_admin SUNWldm.v
Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
 
Installation of <SUNWldm> was successful.
pkgadd -n -d "/var/tmp/install/Product/Solaris_Security_Toolkit" -a pkg_admin SUNWjass
Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
 
Installation of <SUNWjass> was successful. 
 
Verifying that all packages are fully installed.  OK.
Enabling services: svc:/ldoms/ldmd:default
Running Solaris Security Toolkit 4.2.0 driver server-secure-myname.driver.
Please wait. . . 
/opt/SUNWjass/bin/jass-execute -q -d server-secure-myname.driver
Executing driver, server-secure-myname.driver
Solaris Security Toolkit hardening executed successfully; log file
/var/opt/SUNWjass/run/20061114143128/jass-install-log.txt.  It will not
take effect until the next reboot.  Before rebooting, make sure SSH or
the serial line is setup for use after the reboot.

procedure icon   Install and Do Not Harden Your System

  •   Run the install-ldm installation script with the -d none option to specify not to harden your system using a Solaris Security Toolkit driver.

    The installation script is part of the SUNWldm package and is in the Install subdirectory.


    # Install/install-ldm -d none

    If the process is successful, you receive messages similar to the example shown in Code Example 3-5.


EXAMPLE 3-4   Output From Successful Run of the install-ldm -d none Script  
# Install/install-ldm -d none
Installing LDoms and Solaris Security Toolkit packages.
pkgadd -n -d "/var/tmp/install/Product/Logical_Domain_Manager" -a pkg_admin SUNWldm.v
Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
 
Installation of <SUNWldm> was successful.
pkgadd -n -d "/var/tmp/install/Product/Solaris_Security_Toolkit" -a pkg_admin SUNWjass
Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
 
Installation of <SUNWjass> was successful. 
 
Verifying that all packages are fully installed.  OK.
Enabling services: svc:/ldoms/ldmd:default
Solaris Security Toolkit was not applied. Bypassing the use of the
Solaris Security Toolkit is not recommended and should only be
performed when alternative hardening steps are to be taken.

procedure icon   Enable the Logical Domains Manager Daemon and Run the Solaris Security Toolkit Only

You might use this option if the SUNWldm and SUNWjass packages are preinstalled on your server and you want to perform the post-installation actions of enabling the Logical Domains Manager daemon (ldmd) and running the Solaris Security Toolkit.

  •   Run the install-ldm installation script with the -p option to perform only the post-installation actions of enabling ldmd and running the Solaris Security Toolkit to harden your system.


    # Install/install-ldm -p
Verifying that all packages are fully installed.  OK.
Enabling services: svc:/ldoms/ldmd:default
Running Solaris Security Toolkit 4.2.0 driver ldm_control-secure.driver.
Please wait. . .
/opt/SUNWjass/bin/jass-execute -q -d ldm_control-secure.driver
Solaris Security Toolkit hardening executed successfully; log file
var/opt/SUNWjass/run/20070515140944/jass-install-log.txt.  It will not
take effect until the next reboot.  Before rebooting, make sure SSH or
the serial line is setup for use after the reboot.

Using JumpStart to Install the Logical Domains Manager 1.1 and Solaris Security Toolkit 4.2 Software

Refer to JumpStart Technology: Effective Use in the Solaris Operating Environment for complete information about using JumpStart.


caution icon

Caution - Do not disconnect from the virtual console during a network installation.


procedure icon   Set Up a JumpStart Server

  • If you have already set up a JumpStart server, proceed to Install Using JumpStart Software of this administration guide.

  • If you have not already set up a JumpStart server, you must do so.

    Refer to the Solaris 10 10/08 Installation Guide: Custom JumpStart and Advanced Installations for complete information about this procedure.

  1. Refer to “Preparing Custom JumpStart Installations (Tasks)” in the Solaris 10 10/08 Installation Guide: Custom JumpStart and Advanced Installations, and perform the following steps.

    1. Read the task map in “Task Map: Preparing Custom JumpStart Installations.”

    2. Set up networked systems with the procedures in “Creating a Profile Server for Network Systems.”

    3. Create the rules file with the procedure in “Creating the rules File.”

  2. Validate the rules file with the procedure in “Validating the rules File.”

    The Solaris Security Toolkit provides profiles and finish scripts. Refer to the Solaris Security Toolkit 4.2 Reference Manual for more information about profiles and finish scripts.

procedure icon   Install Using JumpStart Software

  1. Change to the directory where you have downloaded the Solaris Security Toolkit package (SUNWjass).


    # cd /path-to-download

  2. Install SUNWjass so that it creates the JumpStart (jumpstart) directory structure.


    # pkgadd -R /jumpstart -d . SUNWjass

  3. Use your text editor to modify the /jumpstart/opt/SUNWjass/Sysidcfg/Solaris_10/sysidcfg file to reflect your network environment.

  4. Copy the /jumpstart/opt/SUNWjass/Drivers/user.init.SAMPLE file to the /jumpstart/opt/SUNWjass/Drivers/user.init file.


    # cp user.init.SAMPLE user.init

  5. Edit the user.init file to reflect your paths.

  6. To install the Solaris Security Toolkit package (SUNWjass) onto the target system during a JumpStart install, you must place the package in the JASS_PACKAGE_MOUNT directory defined in your user.init file. For example:


    # cp -r /path/to/LDoms_Manager-1_0_2/Product/SUNWjass /jumpstart/opt/SUNWjass/Packages

  7. To install the Logical Domains Manager package (SUNWldm.v) onto the target system during a JumpStart install, you must place the package from the download area in the JASS_PACKAGE_MOUNT directory defined in your user.init file. For example:


    # cp -r /path/to/LDoms_Manager-1_0_2/Product/SUNWldm.v /jumpstart/opt/SUNWjass/Packages

  8. If you experience problems with a multihomed JumpStart server, modify the two entries in the user.init file for JASS_PACKAGE_MOUNT and JASS_PATCH_MOUNT to the correct path to the JASS_HOME_DIR/Patches and JASS_HOME_DIR/Packages directories. Refer to the comments in the user.init.SAMPLE file for more information.

  9. Use the ldm_control-secure.driver as the basic driver for the Logical Domains Manager control domain.

    Refer to Chapter 4 in the Solaris Security Toolkit 4.2 Reference Manual for information about how to modify the driver for your use. The main driver in the Solaris Security Toolkit that is the counterpart to the ldm_control-secure.driver is the secure.driver.

  10. After completing the modifications to the ldm_control-secure.driver, make the correct entry in the rules file.

    • If you want to minimize the LDoms control domain, specify the minimal-ldm-control.profile in your rules file similar to the following.


      hostname imbulu - Profiles/minimal-ldm_control.profile Drivers/ldm_control-secure-abc.driver


      Note - You must manually install the LDoms MIB software package and Libvirt for LDoms packages after you install the LDoms and Solaris Security Toolkit packages. They are not automatically installed with the other packages.


    • If you do not want to minimize the LDoms control domain, your entry should be similar to the following.


      hostname imbulu - Profiles/oem.profile Drivers/ldm_control-secure-abc.driver

  11. If you undo hardening during a JumpStart install, you must run the following SMF command to restart the Logical Domains Manager.


    # svcadm enable svc:/ldoms/ldmd:default

Installing Logical Domains Manager and Solaris Security Toolkit Software Manually

Perform the following procedures to install the Logical Domains Manager and Solaris Security Toolkit Software manually:

procedure icon   Install the Logical Domains Manager (LDoms) 1.1 Software Manually

Download the Logical Domains Manager 1.1 software, the SUNWldm package, from the Sun Software Download site. See Download the Software for specific instructions.

  1. Use the pkgadd(1M) command to install the SUNWldm.v package. Use the -G option to install the package in the global zone only and the -d option to specify the path to the directory that contains the SUNWldm.v package.


    # pkgadd -Gd . SUNWldm.v

  2. Answer y for yes to all questions in the interactive prompts.

  3. Use the pkginfo(1) command to verify that the SUNWldm package for Logical Domains Manager 1.1 software is installed.

    The revision (REV) information shown below is an example.


    # pkginfo -l SUNWldm | grep VERSION
VERSION=1.1,REV=2007.08.23.10.20

procedure icon  (Optional) Install the Solaris Security Toolkit 4.2 Software Manually

If you want to secure your system, download and install the SUNWjass package. The required patches (122608-03 and 125672-01) are included in the SUNWjass package. See Download the Software for specific instructions about downloading the software.

See Chapter 2 in this document for more information about security considerations when using Logical Domains Manager software. For further reference, you can find Solaris Security Toolkit 4.2 documentation at:

http://docs.sun.com

  1. Use the pkgadd(1M) command to install the SUNWjass package.


    # pkgadd -d . SUNWjass

  2. Use the pkginfo(1) command to verify that the SUNWjass package for Solaris Security Toolkit 4.2 software is installed.


    # pkginfo -l SUNWjass | grep VERSION
VERSION: 4.2.0

procedure icon  (Optional) Harden the Control Domain Manually

Perform this procedure only if you have installed the Solaris Security Toolkit 4.2 package.


Note - When you use the Solaris Security Toolkit to harden the control domain, you disable many system services and place certain restrictions on network access. Refer to Related Documentation in this document to find Solaris Security Toolkit 4.2 documentation for more information.


  1. Harden using the ldm_control-secure.driver.


    # /opt/SUNWjass/bin/jass-execute -d ldm_control-secure.driver

    You can use other drivers to harden your system. You can also customize drivers to tune the security of your environment. Refer to the Solaris Security Toolkit 4.2 Reference Manual for more information about drivers and customizing them.

  2. Answer y for yes to all questions in the interactive prompts.

  3. Shut down and reboot your server for the hardening to take place.


    # /usr/sbin/shutdown -y -g0 -i6

procedure icon   Validate Hardening

  •   Check whether the Logical Domains hardening driver (ldom_control-secure.driver) applied hardening correctly.

    If you want to check on another driver, substitute that driver’s name in this command example.


    # /opt/SUNWjass/bin/jass-execute -a ldom_control-secure.driver

procedure icon   Undo Hardening

  1. Undo the configuration changes applied by the Solaris Security Toolkit.


    # /opt/SUNWjass/bin/jass-execute -u

    The Solaris Security Toolkit asks you which hardening runs you want to undo.

  2. Select the hardening runs you want to undo.

  3. Reboot the system so that the unhardened configuration takes place.


    # /usr/sbin/shutdown -y -g0 -i6


    Note - If you undo hardening that was performed during a JumpStart installation, you must run the following SMF commands to restart the Logical Domains Manager daemon (ldmd) and the virtual network terminal server daemon (vntsd).



    # svcadm enable svc:/ldoms/ldmd:default

Enabling the Logical Domains Manager Daemon

The installation script install-ldm automatically enables the Logical Domains Manager daemon (ldmd). If you have installed the Logical Domains Manager software manually, you must enable the Logical Domains Manager daemon, ldmd, which allows you to create, modify, and control the logical domains.

procedure icon   Enable the Logical Domains Manager Daemon

  1. Use the svcadm(1M) command to enable the Logical Domains Manager daemon, ldmd.


    # svcadm enable ldmd

  2. Use the ldm list command to verify that the Logical Domains Manager is running.

    You receive a message similar to the following, which is for the factory-default configuration. Note that the primary domain is active, which means that the Logical Domains Manager is running.


    # /opt/SUNWldm/bin/ldm list
NAME             STATE    FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
primary          active   ---c-   SP      32    3264M    0.3%  19d 9m

Creating Authorization and Profiles and Assigning Roles for User Accounts

You set up authorization and profiles and assign roles for user accounts using the Solaris OS Role-Based Access Control (RBAC) adapted for the Logical Domains Manager. Refer to the Solaris 10 System Administrator Collection for more information about RBAC.

Authorization for the Logical Domains Manager has two levels:

Following are the Logical Domains entries automatically added to the Solaris OS /etc/security/auth_attr file:

Managing User Authorizations

procedure icon   Add an Authorization for a User

Use the following steps as necessary to add authorizations in the /etc/security/auth_attr file for Logical Domains Manager users. Because the superuser already has solaris.* authorization, the superuser already has permission for solaris.ldoms.* authorizations.

  1. Create a local user account for each user who needs authorization to use the ldm(1M) subcommands.


    Note - To add Logical Domains Manager authorization for a user, a local (non-LDAP) account must be created for that user. Refer to the Solaris 10 System Administrator Collection for details.


  2. Do one of the following depending on which ldm(1M) subcommands you want the user to be able to access.

    See TABLE 2-1 for a list of ldm(1M) commands and their user authorizations.

    • Add a read-only authorization for a user using the usermod(1M) command.


      # usermod -A solaris.ldoms.read username

    • Add a read and write authorization for a user using the usermod(1M) command.


      # usermod -A solaris.ldoms.write username

procedure icon   Delete All Authorizations for a User

  •   Delete all authorizations for a local user account (the only possible option).


    # usermod -A ‘‘ username

Managing User Profiles

The SUNWldm package adds two system-defined RBAC profiles in the /etc/security/prof_attr file for use in authorizing access to the Logical Domains Manager by non-superusers. The two LDoms-specific profiles are:

  • LDoms Review:::Review LDoms configuration:auths=solaris.ldoms.read

  • LDoms Management:::Manage LDoms domains:auths=solaris.ldoms.*

One of the preceding profiles can be assigned to a user account using the following procedure.

procedure icon   Add a Profile for a User

  •   Add an administrative profile for a local user account; for example, LDoms Management.


    # usermod -P “LDoms Management” username

procedure icon   Delete All Profiles for a User

  •   Delete all profiles for a local user account (the only possible option).


    # usermod -P ‘‘ username

Assigning Roles to Users

The advantage of using this procedure is that only a user who has been assigned a specific role can assume the role. In assuming a role, a password is required if the role is given a password. This provides two layers of security. If a user has not been assigned a role, then the user cannot assume the role (by doing the su role_name command) even if the user has the correct password.

procedure icon   Create a Role and Assign the Role to a User

  1. Create a role.


    # roleadd -A solaris.ldoms.read ldm_read

  2. Assign a password to the role.


    # passwd ldm_read

  3. Assign the role to a user; for example, user_1.


    # useradd -R ldm_read user_1

  4. Assign a password to the user (user_1).


    # passwd user_1

  5. Assign access only to the user_1 account to become the ldm_read account.


    # su user_1

  6. Type the user password when or if prompted.

  7. Verify the user ID and access to the ldm_read role.


    $ id
uid=nn(user_1) gid=nn(<group name>)
$ roles
ldm_read

  8. Provide access to the user for ldm subcommands that have read authorization.


    # su ldm_read

  9. Type the user password when or if prompted.

  10. Type the id command to show the user.


    $ id
uid=nn(ldm_read) gid=nn(<group name>)

Factory Default Configuration and Disabling Logical Domains

The initial configuration where the platform appears as a single system hosting only one operating system is called the factory default configuration. If you want to disable logical domains, you probably also want to restore this configuration so that the system regains access to all resources (CPUs, memory, I/O), which might have been assigned to other domains.

This section describes how to remove all guest domains, remove all Logical Domains configurations, and revert the configuration to the factory default.

procedure icon   Remove All Guest Logical Domains

  1. List all the logical domain configurations on the system controller.


    primary# ldm ls-config

  2. Remove all configurations (config_name) previously saved to the system controller (SC). Use the following command for each such configuration.


    primary# ldm rm-config config_name

    Once you remove all the configurations previously saved to the SC, the factory-default domain would be the next one to use when the control domain (primary) is rebooted.

  3. Stop all guest domains using the -a option.


    primary# ldm stop-domain -a

  4. Unbind all guest domains.


    primary# ldm unbind-domain ldom


    Note - You might not be able to unbind an I/O domain in a split-PCI configuration if it is providing services required by the control domain. In this situation, skip this step.


procedure icon  Restore the Factory Default Configuration

  1. Select the factory default configuration.


    primary# ldm set-config factory-default

  2. Stop the control domain.


    primary# shutdown -i1 -g0 -y

  3. Power cycle the system controller so that the factory-default configuration is reloaded.


    sc> poweroff
sc> poweron

procedure icon  Disable the Logical Domains Manager

procedure icon  Removing the Logical Domains Manager

After restoring the factory default configuration and disabling the Logical Domains Manager, you can remove the Logical Domains Manager software.

procedure icon  Restore the Factory Default Configuration From the System Controller

If you remove the Logical Domains Manager before restoring the factory default configuration, you can restore the factory default configuration from the system controller.

  1. Restore the factory default configuration from the system controller.


    sc> bootmode config=factory-default

  2. Power cycle the system to load the factory default configuration.



Logical Domains (LDoms) 1.1 Administration Guide820-4913-10Table Of Contents Previous ChapterNext ChapterBook Index

Copyright © 2008, Sun Microsystems, Inc. All rights reserved.