Solaris 11.x Patching Procedure on Guest Domain (LDOM) with Zones

Solaris 11.x Patching 

We are working on upgrading the Solaris 11 operating systems to the latest version.

We have Oracle Corporation sun4v SPARC T8-1 servers used for OVM (LDOM). On top of the physical servers we have installed LDOM Manager, and we are running Guest domains on top of the Control domain.

On the Guest domains, we are also running multiple zones on a single Guest LDOM.

On the zones, we are running Oracle DB. Here are the steps we followed for patching the Control Domain along with the Guest LDOMs.

We have scheduled the CHG with planned dates and obtained the required CAB approvals.

On the scheduled date, we will suppress the alerts and inform the SOC/GCC team to ignore the alerts.

We are following the Live Upgrade procedure for patching the servers.


Architecture: 

Here is our physical server design and architecture.


  • Solaris Zones
  • Solaris LDOM (Guest Domains / OVM)
  • Solaris Control Domain (Physical Server)

Steps Involved / Followed:

  1. We will inform the DB team to start relocating the DB services to another node in the DB cluster.
  2. Once the DB services are relocated to another node, they will verify the application connections.
  3. If there are any active app connections, the DB team will work with the app team to bounce/flush the app connections to the DB node.
  4. The DB team will inform us once DB services/CRS are disabled on the node and request us to proceed with the patching activity.
  5. As a precaution, we will log in to the zones and verify whether any DB services are still running. If we find any DB services, we will notify the DB team to stop them; if we do not find any, we will proceed with the patching activity.

How to administer an Oracle Solaris 11 system using IPS, including how to deal with software package repositories, install and uninstall packages, and update systems.

Oracle Solaris 11 takes a new approach to lifecycle and package management to greatly simplify the process of managing system software helping to reduce the risk of operating system maintenance, including reducing unplanned and planned downtime. With Image Packaging System (IPS), administrators can install and update software from locally connected or remote software package repositories using a much-improved and modernized process.

Configuring IPS Repository:

IPS is a network-centric package management solution. Software developers, or publishers, make their software available in software package repositories from which administrators can install to their systems. Oracle Solaris 11 installations are configured to have a default publisher, solaris, which supplies software packages from the "release" repository: http://pkg.oracle.com/solaris/release. Administrators can install new software packages from this repository, search for package content, or mirror the contents of this repository locally if they are in a network-restricted environment within their data center. Administrators can quickly see what configuration a system has by using the pkg publisher command:

Using the command below, we verify whether the IPS Repository is configured.

#pkg publisher

PUBLISHER TYPE STATUS URI
solaris origin online http://pkg.oracle.com/solaris/release/

How to register with IPS Repository:

We directly use the Oracle site for the repository service. What we do is get the SSL certificates to communicate with the Oracle site and configure them on the Solaris OS using the pkg set-publisher command.


#pkg set-publisher -G '*' -g 'https://pkg.oracle.com/solaris/support/' -k ./pkg.oracle.com.key.pem -c ./pkg.oracle.com.certificate.pem --proxy http://ProxyServerIP:8080/ solaris

With the above command, we are configuring/connecting to the IPS Repository with certificates.

Verify whether the IPS Repository is working:

Using the command below, we verify whether the repository is working.

#pkg update -nv

The above command will let us know how many packages will get updated and installed.

Pre-validations:

Verify the active Boot Environment with the beadm command:
#beadm list --> This command shows the available/active BE information.

Verify the running kernel information:

#uname -a
#uname -r

Verify currently Mounted NFS Information on Zones:

#df -h 

Updating a System:

# pkg update --accept 

The above command will download the packages, plan the installations and updates, and also create and activate the new Boot Environment. We just need to reboot after the command completes successfully.

Please find the output of the above command below.

root@GuestDom1:~# pkg update --accept

            Packages to remove:            16
           Packages to install:           125
            Packages to update:           465
            Packages to change:             1
           Mediators to change:             3
       Create boot environment:           Yes
     Activate boot environment:           Yes
      Name of boot environment: 11.4.68.164.2
Create backup boot environment:            No

Removed Packages:

  database/mysql-57/library
  library/perl-5/sun-solaris-532
  library/security/openssl-11
  network/legacy-remote-utilities
  package/pkg-37
  ...
  11 additional removed packages. Use 'pkg history' to view the full list.

Planning linked: 0/1 done; 1 working: zone:mdvp1udora121
Linked image 'zone:mdvp1udora121' output:
|  Packages to remove:  17
| Packages to install: 134
|  Packages to update: 409
|  Packages to change:   1
| Mediators to change:   4
|  Services to change:  17
|
| Removed Packages:
|
|   database/mysql-57/library
|   developer/oracle/odpi-312
|   library/perl-5/openscap-532
|   library/perl-5/sun-solaris-532
|   library/python/cx_oracle-37
|   ...
|   12 additional removed packages. Use 'pkg history' to view the full list.
|
| Release Notes:
|
| pkg://solaris/network/ssh
|   Updated versions of OpenSSH may change the default configuration
|   including addition or removal of ciphers or other features.
|
|   If this system has a customised sshd_config(5) or ssh_config(5)
|   file you should review and may need to update it before using the
|   updated version of OpenSSH delivered by this package.
|
|   Note that users may also have settings in their HOME/.ssh/config
|   that need updating.
|
|   If the sshd_config references features removed by this version the
|   svc:/network/ssh:default service may be in the maintenance
|   state on the next reboot or after installation of this package.
|
|   For more information review the release notes for OpenSSH
|   in /usr/share/doc/release-notes/openssh/
|
| pkg://solaris/system/network/ldap/openldap
|
|   OpenLDAP 2.6 CLI and developer changes
|
|   Please note that
|   - Common options '-h' and '-p' on ldap commands have been deprecated
|     since OpenLDAP 2.4 and were officially removed in 2.6.  Currently a
|     reprieve has been put in place to accept both options and display a
|     warning if used with remedial advice to use '-H URI'.  The warning
|     can be disabled if environment variable LDAP_OPT_REPRIEVE is set.
|     Beware though that a future update will remove those options or
|     worse repurpose them!  Stop using them now, and modify your scripts.
|
|   - Directory /usr/include/openldap is deprecated, headers are now in
|     standard location; /usr/include.  Modify projects as necessary, a
|     compatibility link has been provided which will be removed in the
|     future.
|
|
|
| pkg://solaris/system/file-system/smb
|   NOTICE: The old, insecure SMB1 client (ie smbfs) is provided only for
|   legacy application support and may be removed in a future Support
|   Repository Update (SRU) of Oracle Solaris.
|
| pkg://solaris/editor/vim/vim-core
|   Vim 9.0 brings incompatible change in vim scripts written in Lua; Lua arrays
|   are now one-based, while they used to be zero-based.
|
| pkg://solaris/system/core-os
|   From Oracle Solaris 11.4.66 onwards the default time stamp has
|   a fractional time stamp with a default precision of milliseconds.
|
|   To restore the original syslogd time stamp, change the time_precision
|   using svccfg:
|
|       svccfg -s system-log:default setprop config/time_precision = 0
|       svccfg -s system-log:default refresh
|
| pkg://solaris/system/core-os
|   From Oracle Solaris 11.4 SRU48 onwards, global crashdump directory
|   /var/share/crash is a separate file system. On upgrade to 11.4 SRU48
|   or later any existing contents of /var/share/crash will be preserved
|   in a directory /var/share/historical-crash.
|
|   Crash dumps can take up significant space, so after upgrading to
|   11.4 SRU48 you should examine the contents of /var/share/historical-crash
|   and remove the directory and crashdumps if they are no longer needed to
|   pursue diagnosis of an unsolved panic.
|
| pkg://solaris/system/network
|   From Oracle Solaris 11.4.61 onwards, systems which utilize dhcp options
|   to configure node DNS client "server list" and "domain" parameters and
|   where the dhcp server is also configured to supply a "Domain Search List"
|   (dhcp option 119), will have the DNS client "search" parameter configured
|   using the search list from the dhcp option.
|
| pkg://solaris/library/pcre
|   The previous version of the Perl Compatible Regular Expression library,
|   libpcre, will be removed in a future release of Oracle Solaris.
|   Software using libpcre should migrate to the current version, libpcre2.
`
Planning linked: 1/1 done
DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                            607/607   24387/24387  625.7/625.7  6.0M/s

Downloading linked: 0/1 done; 1 working: zone:Zone1
Downloading linked: 1/1 done
PHASE                                          ITEMS
Removing old actions                       9998/9998
Installing new actions                   22184/22184
Updating modified actions                12635/12635
Updating package state database                 Done
Updating package cache                       481/481
Updating image state                            Done
Creating fast lookup database                   Done
Executing linked: 0/1 done; 1 working: zone:Zone1
Linked image 'zone:mdvp1udora121' output:
|
| The following unexpected or editable files and directories were
| salvaged while executing the requested package operation; they
| have been moved to the displayed location in the image:
|
|   usr/lib/python3.7/vendor-packages/rad/server/com/oracle/solaris/rad/__pycache__ -> /tmp/tmp9c0pquuc/zones/mdvp1udora121/root/var/pkg/lost+found/usr/lib/python3.7/vendor-packages/rad/server/com/oracle/solaris/rad/__pycache__-20240507T020058Z
`
Executing linked: 1/1 done
Updating package cache                           1/1

A clone of 11.4.45.119.2 exists and has been updated and activated.
On the next boot the Boot Environment be://rpool/11.4.68.164.2 will be
mounted on '/'.  Reboot when ready to switch to this updated BE.

Updating package cache                           1/1
root@GuestDom1:~# beadm list
BE Name       Flags Mountpoint Space  Policy Created
------------- ----- ---------- ------ ------ ----------------
11.4.34.94.4  -     -          4.48G  static 2021-07-05 07:13
11.4.42.113.1 -     -          4.34G  static 2022-02-17 06:41
11.4.45.119.2 N     /          3.80G  static 2022-06-10 03:44
11.4.68.164.2 R     -          17.09G static 2024-05-07 01:59

R --> This flag shows the Boot Environment (and its kernel) that will be active after the next reboot.

#reboot --> Reboot the server to activate the new kernel.


First we shut down the running zones on the Guest LDOM with the commands below.

#zoneadm list -cv --> to list the running zones.

root@GuestDom1:~# zoneadm list -cv
  ID NAME             STATUS      PATH                         BRAND      IP
   0 global           running     /                            solaris    shared
   1 Zone1    running     /zones/Zone1         solaris    excl
root@GuestDom1:~#

Shut down the zones on the Guest Domains with the command below.

root@GuestDom1:~# zoneadm -z Zone1 shutdown   --> it will shut down the zone

root@GuestDom1:~# zoneadm list -cv
  ID NAME             STATUS      PATH                         BRAND      IP
   0 global           running     /                            solaris    shared
   1 Zone1    Shutdown     /zones/Zone1         solaris    excl
root@GuestDom1:~#

Once the zones were powered off/shut down, we followed the process given above to complete the Guest Domain patching/update activity.
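
The two checks made before the reboot (Boot Environment flags and zone state), as an added example that is not part of the original post: the script parses the beadm list and zoneadm list -cv listings shown above, embedded here as sample data, and passes only when a different BE is flagged R and no non-global zone is still running. The function names are hypothetical, and the zone check assumes this post's practice of shutting the zones down first.

```shell
#!/bin/sh
# Added example: pre-reboot gate over `beadm list` and `zoneadm list -cv` text.
# Sample data is copied from the listings in this post (not live output).

BEADM_SAMPLE='BE Name       Flags Mountpoint Space  Policy Created
------------- ----- ---------- ------ ------ ----------------
11.4.34.94.4  -     -          4.48G  static 2021-07-05 07:13
11.4.42.113.1 -     -          4.34G  static 2022-02-17 06:41
11.4.45.119.2 N     /          3.80G  static 2022-06-10 03:44
11.4.68.164.2 R     -          17.09G static 2024-05-07 01:59'

ZONEADM_SAMPLE='  ID NAME             STATUS      PATH                         BRAND      IP
   0 global           running     /                            solaris    shared
   1 Zone1    running     /zones/Zone1         solaris    excl'

# be_with_flag FLAG: read `beadm list` text on stdin and print the BE whose
# Flags column contains FLAG (N = active now, R = active on reboot).
be_with_flag() {
    awk -v f="$1" 'NR > 2 && index($2, f) { print $1 }'
}

# running_zones: read `zoneadm list -cv` text on stdin and print the
# non-global zones whose STATUS column is "running".
running_zones() {
    awk 'NR > 1 && $2 != "global" && $3 == "running" { print $2 }'
}

# pre_reboot_gate BEADM_TEXT ZONEADM_TEXT: return 0 only when a new BE is
# pending (R differs from N, so "NR" on one BE fails) and no zone is running.
pre_reboot_gate() {
    now=$(printf '%s\n' "$1" | be_with_flag N)
    next=$(printf '%s\n' "$1" | be_with_flag R)
    zones=$(printf '%s\n' "$2" | running_zones)
    [ -n "$next" ] || { echo "no BE flagged R"; return 1; }
    [ "$now" != "$next" ] || { echo "R and N are the same BE: $now"; return 1; }
    [ -z "$zones" ] || { echo "zones still running: $zones"; return 1; }
    echo "ok: $now -> $next"
}

# On a live system: pre_reboot_gate "$(beadm list)" "$(zoneadm list -cv)"
pre_reboot_gate "$BEADM_SAMPLE" "$ZONEADM_SAMPLE" || true
```

The BE flagged N stays on disk after the switch, so it remains available as the fallback if the new BE does not come up cleanly.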




