2016-03-29

block user to SU

for Solaris
# chown root:admin /usr/bin/su
# chmod 4750 /usr/bin/su

for Linux redhat
# chown root:admin /bin/su
# chmod 4750 /bin/su

SU command for group admin only

2016-03-08

Network Lab Solaris11 (My Short note)

Oracle Solaris 11 Networking Lab

 In Solaris 11 several new networking commands were added, some management practices have changed to make network administration easier and more robust. In this lab we will learn some new networking commands, compare them to the old ones and also work with network virtualization features, which are brand new in Solaris 11.


Solaris 11 Networking Basics

You have to configure network interfaces and network services (DNS) in Solaris.

We have configured our Solaris virtual machine initially to use Automatic network configuration. That means that it was configured using VirtualBox's internal DHCP server. In real life usually it's not the case. Usually you configure your Solaris servers using manual mode. We will learn how to do that. We will study the default IP and DNS configuration and then use it in manual mode. We will use a new feature called Vanity Naming with allows you to give network interfaces any names you want. Note that when we use these new Solaris 11 commands, all the changes are persistent and will sustain a reboot.

 We assume that you have used the 'Automatic' network option mode during the initial system configuration for your virtual machine. You have recieved your network configuration from the VirtualBox's internal DHCP server. Check if you can access the Internet:


root@solaris:~#  ping oracle.com
oracle.com is alive


 If you are behind a firewall, most likely you will not be able to ping the outside network. If this is the case, try to ping one of your internal sites.

 Check your current configuration and record it to use in the future, when we switch to the manual mode. Enter the following commands and observe the results.


root@solaris:~#  dladm show-link
root@solaris:~#  dladm show-phys
root@solaris:~#  dladm show-ether


 What did you learn from those commands? That you have one physical Ethernet interface, with the name 'net0', using device 'e1000g0', with nominal speed 1Gbps. Big change in Solaris 11: all network interfaces by default now have unified generic names like net0, net1 etc. More than that: you can even use your own names for network interfaces! More about this later.

 This is our datalink level inventory. Let's move up, on the IP level. Enter the following commands to figure out your current IP configuration.


root@solaris:~#  ipadm
NAME              CLASS/TYPE STATE        UNDER      ADDR
lo0               loopback   ok           --         --
   lo0/v4         static     ok           --         127.0.0.1/8
   lo0/v6         static     ok           --         ::1/128
net0              ip         ok           --         --
   net0/v4        dhcp       ok           --         10.0.2.15/24
   net0/v6        addrconf   ok           --         fe80::a00:27ff:fec0:3b0a/10


 OK, we've got the usual loopback interface and the 'net0' interface with IP address 10.0.2.15/24 which was assigned by DHCP server. Let's take a more detailed look at 'net0'.

 root@solaris:~#  ipadm show-ifprop net0
IFNAME      PROPERTY        PROTO PERM CURRENT    PERSISTENT DEFAULT    POSSIBLE
net0        arp             ipv4  rw   on         --         on         on,off
net0        forwarding      ipv4  rw   off        --         off        on,off
net0        metric          ipv4  rw   0          --         0          --
net0        mtu             ipv4  rw   1500       --         1500       68-1500
net0        exchange_routes ipv4  rw   on         --         on         on,off
net0        usesrc          ipv4  rw   none       --         none       --
net0        forwarding      ipv6  rw   off        --         off        on,off
net0        metric          ipv6  rw   0          --         0          --
net0        mtu             ipv6  rw   1500       --         1500       1280-1500
net0        nud             ipv6  rw   on         --         on         on,off
net0        exchange_routes ipv6  rw   on         --         on         on,off
net0        usesrc          ipv6  rw   none       --         none       --
net0        group           ip    rw   --         --         --         --
net0        standby         ip    rw   off        --         off        on,off


 A lot of information about IP properties of this net0 interface. You can learn about these network parameters later. Consider that your homework assignment. For now let's move on.

 What about routing table and DNS settings? We will need them when configuring our interfaces in manual mode.


root@solaris:~#  netstat -nr

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              10.0.2.2             UG        4       1778 net0    
10.0.2.0             10.0.2.15            U         3          0 net0    
127.0.0.1            127.0.0.1            UH        2        796 lo0    

Routing Table: IPv6
  Destination/Mask            Gateway                   Flags Ref   Use    If
--------------------------- --------------------------- ----- --- ------- -----
::1                         ::1                         UH      2       8 lo0
fe80::/10                   fe80::a00:27ff:fec0:3b0a    U       2       0 net0

root@solaris:~#  cat /etc/resolv.conf

#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
#   DO NOT EDIT THIS FILE.  EDITS WILL BE LOST.
# See resolv.conf(4) for details.

nameserver 192.168.1.1




 Note the warning in the 'resolv.conf' file. There are some changes in DNS configuration in Solaris 11, we'll talk about them later. Now, just write down your default router IP address (10.0.2.2 in case of VirtualBox installation) and your DNS server address(es) (most likely, yours are different from 192.168.1.1).

 Now, we are ready to change network management to Manual mode:


 root@solaris:~#  netadm enable -p ncp DefaultFixed

 Check again if you can access the Internet:


root@solaris:~#  ping oracle.com
ping: unknown host oracle.com


 Again, replace oracle.com with one of your internal hosts if you are behind a firewall.

 Most likely, the reason for this error message is that we can't access any DNS servers or they are not configured at all. Check the DNS server's IP address (replace 192.168.1.1 with you have recorded while in Automatic mode):


root@solaris:~#  ping 192.168.1.1
ping: sendto No route to host


 Routing is not configured. OK, the default gateway was 10.0.2.2 (internal VirtualBox address). Let's try it:


root@solaris:~#  ping 10.0.2.2
ping: sendto No route to host


 Nothing works! Let's start from the beginning. Check if the same physical links are available:

 root@solaris:~#  dladm show-phys
LINK              MEDIA                STATE      SPEED  DUPLEX    DEVICE
net0              Ethernet             unknown    1000   full      e1000g0


 OK, physical link is in place. What about IP links?


root@solaris:~#  ipadm
NAME              CLASS/TYPE STATE        UNDER      ADDR
lo0               loopback   ok           --         --
   lo0/v4         static     ok           --         127.0.0.1/8
   lo0/v6         static     ok           --         ::1/128


 Only loopback is available. Time to create an IP link from scratch:


root@solaris:~#  ipadm create-ip net0
root@solaris:~#  ipadm
NAME              CLASS/TYPE STATE        UNDER      ADDR
lo0               loopback   ok           --         --
   lo0/v4         static     ok           --         127.0.0.1/8
   lo0/v6         static     ok           --         ::1/128
net0              ip         down         --         --


 IP link is there, but there is no IP address assigned to it. Let's fix that.


root@solaris:~#  ipadm create-addr -a 10.0.2.15/24 net0/addr
root@solaris:~#  ipadm
NAME              CLASS/TYPE STATE        UNDER      ADDR
lo0               loopback   ok           --         --
   lo0/v4         static     ok           --         127.0.0.1/8
   lo0/v6         static     ok           --         ::1/128
net0              ip         ok           --         --
   net0/addr      static     ok           --         10.0.2.15/24


 Much better. Try pinging some addresses:


root@solaris:~#  ping oracle.com
ping: unknown host oracle.com
root@solaris:~#  ping 10.0.2.2
ping: sendto Network is unreachable


 First ping failure tells us that most likely DNS is not avalable. Second ping failure indicates that we can't reach even our default gateway. The reason for that is that Solaris turned on firewall service when we switched to manual mode. It's part of the Secure by Default configuration. You can check it:


root@solaris:~#  ipfstat -io
block out log all
pass out quick on lo0 all
pass out quick proto udp from any to any port = bootps
block in log all
pass in quick on lo0 all
pass in quick proto udp from any to any port = bootpc


 For this lab let's just disable the firewall. In real life you have to configure firewall rules for your new net0 interface.


root@solaris:~#  ipf -D
root@solaris:~#  ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)


 Ping the network again:

root@solaris:~#  ping 10.0.2.2
10.0.2.2 is alive
root@solaris:~#  ping 192.168.1.1  (replace 192.168.1.1 with your DNS server IP address)
ping: sendto No route to host


 Routing is not configured. Check:


root@solaris:~#  netstat -nr

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
10.0.2.0             10.0.2.15            U         3          2 net0    
127.0.0.1            127.0.0.1            UH        2       1214 lo0    

Routing Table: IPv6
  Destination/Mask            Gateway                   Flags Ref   Use    If
--------------------------- --------------------------- ----- --- ------- -----
::1                         ::1                         UH      2      12 lo0


 Add the default gateway and check again:


root@solaris:~#  route -p add default 10.0.2.2
add net default: gateway 10.0.2.2
add persistent net default: gateway 10.0.2.2
root@solaris:~#  ping 192.168.1.1  (replace 192.168.1.1 with your DNS server IP address)
192.168.1.1 is alive
root@solaris:~#  ping oracle.com  (replace oracle.com with your internal site)
ping: unknown host oracle.com


 We can reach our DNS server, but our system is not configured to use it. If you think that editing your /etc/resolv.conf is enough, remember the warning in that file:


# WARNING: THIS FILE GENERATED FROM SMF DATA.
#   DO NOT EDIT THIS FILE.  EDITS WILL BE LOST.


 That means that in Solaris 11 name service configuration is different from what you used before.
To use DNS we have to configure the 'dns/client' service and also the 'name-service/switch' service which used to be configured via /etc/nsswitch.conf. Yes, it's a little bit more complicated, but it's more robust and manageable. It's a general direction in Solaris: most of the services are configured via SMF framework, not via config files. Here are the commands:


root@solaris:~#  svccfg -s dns/client 'setprop config/nameserver = net_address: 192.168.1.1'
root@solaris:~#  svccfg -s dns/client 'setprop config/domain = astring: "example.com" '  (replace example.com with your local default domain name or skip this step)
root@solaris:~#  svccfg -s name-service/switch 'setprop config/host = astring: "files dns" '
root@solaris:~#  svcadm refresh name-service/switch
root@solaris:~#  svcadm refresh dns/client



 Alternatively, you can edit the usual files /etc/resolv.conf and /etc/nsswitch.conf,
but you have to import them into the naming service configuration:

root@solaris:~#  nscfg import -f svc:/system/name-service/switch:default
root@solaris:~#  nscfg import -f svc:/network/dns/client:default
root@solaris:~#  svcadm refresh dns/client


 Now our ping finally reaches the Internet:


root@solaris:~#  ping oracle.com  (replace oracle.com with one of your internal hosts)
oracle.com is alive



 Do you remember the days when you were a junior Solaris system administrator
and wondered why all network interfaces in Solaris have these funny names?
le, bge, ce, xge, e1000g....
Now, as you can see, they all are called net0, net1, net2, ...
Much simpler, right? Even more than that: you can give your interfaces your own names.
Here is the example. Show what we've got now:


root@solaris:~#  dladm
root@solaris:~#  ipadm


 Imagine we want to use our network interfaces for different services on our Solaris box.
We have web server, application server etc. We can name our network interfaces web1, app0, db1 etc.
Start by deleting the net0 IP interface

 root@solaris:~#  ipadm delete-ip net0


 ...now rename the NIC

root@solaris:~#  dladm rename-link net0 web1
root@solaris:~#  dladm
 Add back in the IP interface and its address:

root@solaris:~#  ipadm create-ip web1
root@solaris:~#  ipadm create-addr -a 10.0.2.15/24 web1
root@solaris:~#  ipadm

 Cleaning up... Undo it all

root@solaris:~#  ipadm delete-ip web1
root@solaris:~#  dladm rename-link web1 net0
root@solaris:~#  ipadm create-ip net0
root@solaris:~#  ipadm create-addr -a 10.0.2.15/24 net0
root@solaris:~#  ipadm


 You may need to restart your DNS client service after this exercise:


root@solaris:~#  svcadm disable dns/client
root@solaris:~#  svcadm enable dns/client
r

 One word of advice: having this kind of freedom, please try to avoid long discussions about network interface naming, similar to what you have already had regarding host naming policies.


Exercise N.2: Network Virtualization

You want to create Virtual Network Interface Cards (VNICs) to use them with your Zones. You want to build and manage your application's network infrastructure completely inside the box for development and testing purposes.


We will create VNICs, assign IP addresses to them and learn how to limit bandwidth on them.

 First we show the links. Links can be physical or virtual. Note
that for physical NICs, we use a new naming scheme net0, net1, etc.
that hides the actual device name.

 root@solaris:~#  dladm show-link
 Show only the physical ethernet NICs:
 root@solaris:~#  dladm show-ether
 And to see the actual hardware devices used for the netX NICs:
 root@solaris:~#  dladm show-phys
 The next command shows a bit more information like the physical
location:
 root@solaris:~#  dladm show-phys -L
 So now we create a VNIC that we call vnic1, using net0 as it's underlying datalink.
Note that VNICs are first-class NICs in terms of visibility (e.g. snoop)
 root@solaris:~#  dladm create-vnic -l net0 vnic1
 Show the VNICs:
 root@solaris:~#  dladm show-vnic
 We can easily limit bandwith on a VNIC:
 root@solaris:~#  dladm set-linkprop -p maxbw=40 vnic1
root@solaris:~#  dladm show-vnic
 Now we create an IP interface. This is analgous to plumbing the interface:
 root@solaris:~#  ipadm create-ip vnic1
 Now we assign a persistent IP address to the VNIC:
 root@solaris:~#  ipadm create-addr -a 10.2.3.4/24 vnic1
 Ping the VNIC:
 root@solaris:~#  ping 10.2.3.4
 Show all available datalinks, both physical and virtual
 root@solaris:~#  dladm show-link
 Finally list all IP addresses:
 root@solaris:~#  ipadm show-addr
 Now we tear down what we've just created:
 root@solaris:~#  ipadm delete-addr vnic1/v4
root@solaris:~#  ipadm delete-ip vnic1
root@solaris:~#  dladm delete-vnic vnic1
root@solaris:~#  dladm show-link


Now you see how new networking commands work. Of course, you can still use the old-style ifconfig, but the new commands are easier to use and, most importantly, they make presistent changes.

 Find more..... here:
How to get started configuring your network in Oracle Solaris 11 http://www.oracle.com/technetwork/articles/servers-storage-dev/s11-network-config-1632927.html
How to Script Oracle Solaris 11 Zones Creation for a Network-In-a-Box Configuration
http://www.oracle.com/technetwork/articles/servers-storage-admin/o11-118-s11-script-zones-524499.html
How to Restrict Your Application Traffic Using Oracle Solaris 11 Network Virtualization and Resource Management
http://www.oracle.com/technetwork/articles/servers-storage-admin/o11-095-s11-app-traffic-525038.html


Credit By https://github.com/oraclesolaris/solaris-11-hands-on-labs/blob/master/Networking%20Lab.html