
Unix Linux Administration III


jade-brown

Presentation Transcript


  1. Unix Linux Administration III Class 7: Perl hashes. Solaris Zones and Containers.

  2. Agenda • Heartbleed patching review. • Review lecture from week 6. • Review homework • Perl hashes. • Solaris zones and containers. • Class evaluations.

  3. heartbleed
     Q. Centos/Redhat 6.x vulnerable? A. In many cases yes.
     Q. What version of openssl is impacted? A. OpenSSL 1.0.1 to 1.0.1f are affected.
     Q. Is there a quick patch? A. Yes, using yum, update your openssl instance and restart your impacted services, e.g. httpd:
        sudo yum clean all && sudo yum update "openssl*"
        sudo service httpd restart

  4. Review
     • subroutines - user defined functions.
     • subroutines identified using the ampersand &
          sub subroutine_name { statements; };
          sub say_hello { print "hello, world\n"; };
     • subroutines can be placed anywhere in the script.
     • all subs return values, some are undef.
     • arguments passed as one array (@_)
     • use my to create local instances of variables.
     • perl pragmas provide additional functionality. common examples include warnings, strict and cgi.
     • The CGI module provides many web service related functions and supports OO scripting.

  5. Review: nagios configuration
     Two types of monitoring: system and network.
     Two components: nagios daemon and plugins.
     Three primary config files: nagios.cfg, cgi.cfg, resource.cfg.
     Your file system layout can be based on environment, applications, platform or whatever meets your needs.

  6. nagios config review cont.
     Objects define hosts, services, contacts and even commands.
     Macros are used extensively in Nagios. Macros can be customized.
     Templates are used to simplify configurations and for inheritance.
     Test your config:
        /usr/local/nagios/bin/nagios -v nagios.cfg
     Restart nagios:
        service nagios restart

  7. Review: plugins Plugins are independent programs that run outside Nagios. They can be written in any language the host supports. The plugins should be executable, provide a short text response, include a standardized return value (0-3). • 0 = OK • 1 = Warning • 2 = Critical • 3 = Unknown plugins exist under <nagroot>/libexec and should be defined in commands.cfg

  8. Q3, Class 7, Unit 1 What we are going to cover: • The Perl hash % What you should leave this session with: • Theory behind the Perl hashes. • How to create a hash

  9. Perl: Hash Array type where elements are indexed by scalars instead of integers Previously called associative arrays Each element is indexed by a “key” which can be any scalar value Elements of a hash are stored in a random order which the user canNOT rely upon to make decisions.

  10. What is a Hash?(From a CS Point of View) A hash function or hash algorithm is a function for summarizing or probabilistically identifying data Such a summary is known as a hash value or simply a hash, and the process of computing such a value is known as hashing In this context it is used to create key lookup tables for very fast data lookups

  11. Hash Variables
     Begin with "%" and must start with a letter. Can thereafter have numbers and underscores.
     %foo is independent of $foo and @foo.
     To reference a specific element of a hash use the following format:
        $foo{key}
     Note the element is a scalar; it starts with a "$". Hashes use { } instead of [ ] as seen with arrays.

  12. Literal Representation of Hashes
     Hash key/element pairs can be written in two ways:
        $foo{bar} = 'bob';       # key/value
        %foo = ('bar', 'bob');   # key/value
     Order of key/value pairs is irrelevant:
        %foo = ('abc', 'def', 'qrs', 'tuv');
        # same as
        %foo = ('qrs', 'tuv', 'abc', 'def');

  13. Hash Functions: Assignment
        %foo = ('a', 'b', 'c', 'd');
        @bar = %foo;
     @bar is now a four element array with $bar[0] = 'a' or 'c', $bar[1] = 'b' or 'd', because there is no set order to a hash. Always yields an even number of elements.
        $bob = %foo;
     $bob is a scalar of the form "X/Y" which is the efficiency of the hashing function.

  14. Hash Functions: keys
     keys (%hash) yields an array of all of the keys in a hash:
        @keys = keys (%hash);
     In a scalar context 'keys' will yield the number of keys in the hash:
        $number_of_keys_in_hash = keys (%hash);
     Common use:
        foreach $key (keys (%hash)) {}

  15. Hash Functions: values
     values (%hash) yields an array of the values in a hash:
        @values = values (%hash);
     In a scalar context 'values' will yield the number of values in the hash:
        $number_of_values_in_hash = values (%hash);
     Basically functions the same as the keys function.

  16. Hash Functions: each
     Acts as a combination of keys & values. Returns a two element array with a key/value pair:
        ($key, $value) = each (%hash);
     Common usage:
        while (($key, $value) = each (%hash)) {
            # perform some tasks on $key & $value
        }

  17. Hash Functions: delete
     Removes a key/value pair from a hash:
        delete $hash{$key};
     will remove the key/value pair referenced by $key from %hash.

  18. Hash sort and reverse
     You can add sort or reverse to your hash functions to provide a simple ASCII based sorted output.
        foreach $key (sort keys (%hash)) {
            # enter logic here
        };
     Or
        foreach $key (reverse keys (%hash)) {
            # enter logic here
        };
     *Note: the "spaceship" operator <=> can be used to improve the sort function, especially for numeric values.

  19. Hash Slices
     Like array slices, hash slices allow for manipulation of a subset of a hash.
     Assignment:
        @hash{'key1', 'key2', 'key3'} = ('val1', 'val2', 'val3');
     Merging:
        @bighash{keys %hash} = values %hash;
        %bighash = (%bighash, %hash);   # Slower

  20. Review
     Hashes are similar to arrays except the index is based on scalars. Hash index keys can be ANY scalar value. A hash is defined by %.
     Hash reference vs. array reference:
        Hash reference: $hash{key};
        Array reference: $array[#];

  21. Review key/value pairs • $hash{key} = "pandora"; or • %hash = ('key', 'pandora'); Hash functions • keys -> array of all keys in the hash • values -> array of all values in the hash • each -> combo of keys and values. • delete -> remove key/value pairs.
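     The hash functions reviewed above, applied to the OpenSSL version range from the heartbleed slide. This is an added example, not part of the original presentation; the hostnames, the version inventory and the helper is_affected are made up for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed inventory: host => version string reported by "openssl version".
# Hostnames and versions are sample data for this example.
my %openssl = (
    web01  => '1.0.1e',
    web02  => '1.0.1g',
    mail01 => '0.9.8y',
    db01   => '1.0.1',
    old01  => '1.0.0k',
);

# Affected range from the slide: 1.0.1 through 1.0.1f (no letter, or a to f).
# Assumption: upstream version strings. A distribution package with a
# backported fix can keep its old string, so confirm the package release.
sub is_affected {
    my ($version) = @_;
    return $version =~ /^1\.0\.1[a-f]?$/ ? 1 : 0;
}

# Hash slice: add two hosts in one assignment.
@openssl{ 'app01', 'app02' } = ( '1.0.1e', '1.0.1h' );

# delete: a decommissioned host drops out of the report.
delete $openssl{old01};

# each: walk key/value pairs and collect the affected hosts in a second hash.
my ( %affected, %count );
while ( my ( $host, $version ) = each %openssl ) {
    $count{$version}++;
    $affected{$host} = $version if is_affected($version);
}

# Hash order is not reliable, so sort the keys before printing.
foreach my $host ( sort keys %affected ) {
    print "PATCH $host (openssl $affected{$host})\n";
}

# Numeric sort with <=>: most common version first, ties broken by name.
foreach my $v ( sort { $count{$b} <=> $count{$a} or $a cmp $b } keys %count ) {
    print "$count{$v} host(s) on $v\n";
}

# keys in scalar context yields the number of entries.
printf "%d of %d hosts report an affected version\n",
    scalar( keys %affected ), scalar( keys %openssl );
```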

  22. In class lab 7a • Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->

  23. Q3, Class 7, Unit 2 What we are going to cover: • The Solaris Zones and Containers. What you should leave this session with: • Knowledge of how zones and containers work together. • Administrative basics for zones and containers.

  24. Solaris Containers and Zones Zones and Containers are new to Solaris 10. Zones provide a method for multiple virtual environments to run on the same disk like Virtual PC, VMware or XEN. Containers are used to manage resources on a host. Zones are a subset of container functionality.

  25. Zones vs Containers Containers are Oracle’s Solaris based operating system virtualization solution. Containers allow user to manage resources between applications and services. Zones are in fact one component of that strategy

  26. Solaris Zones Zones provide virtual environments within a single physical machine. Zones are similar to VMware guests. Zones can provide isolation between applications. Zones can prevent one process or application from impacting another.

  27. Zones provide: Security – a user or process in one zone is not able to directly impact another zone*. Isolation – multiple apps can exist on the same host yet be entirely separate of each other.

  28. Zones provide: • Network Isolation – Normally two apps on the same server communicate at the socket level and as such never utilize the network stack. However, with zones, applications in separate zones on the same host DO communicate over the network stack.

  29. Zones provide: Virtualization – each zone is managed separately. Granularity – resources can be shared between zones or allocated on a per zone basis. Standard environments – provides the same standard Solaris interface and application environments as on a given physical host.

  30. Zones, BSD jails, VMware guests Zones are often associated with BSD jails and there are some similarities. Zones are also similar to VMware; however, with VMware guests we typically don’t see shared disk. Zones typically use less than 1% of the available CPU. Using sparse zones, minimum disk requirements are under 100 MB.

  31. Resource Management Resource management is one component of the Solaris 10 container technology Resource management provides the ability to: • Allocate resources such as CPU and memory • Monitor how resource allocations are being used. • Generate detailed accounting information Resource management provides a new daemon (rcapd) which controls physical memory

  32. Consolidation and resource mgmt. RSM (resource mgmt) is an Oracle technology provided with Solaris containers that allows administrators to: • Allocate specific resources; CPU time, RAM and • Dynamically manage resource allocations. • Provide great accounting detail • The ability to cap daemons for zones.

  33. Consolidation Consolidation has become a fundamental driver in the corporate world over the last decade or so, driven primarily by more and better virtualization technologies entering the market.

  34. Consolidation cont. Solaris provides functionality (Sparse Root Zone) to allow for shared files and configurations while limiting the resources available (CPU and Memory) to a given process, application or group of applications on the same host using Resource Pools.

  35. Types of Zones: global or not? The Global zone is the default zone. This zone always exists. The Global zone provides system wide configuration and control. Non-Global or simply zones are created from the Global zone. There can be up to 8192 zones on a single host. Applications running in a non-global zone are isolated from applications running in other zones.

  36. The state of your Zone. Zone states relate to the non-global zones. The global zone must always be available. Zone states:
     • Configured - zone configuration and storage allocated are complete but final post initial boot configuration is still pending.
     • Incomplete - typically during install or uninstall process.
     • Installed - initial configuration complete, zoneadm confirms configuration; however, no virtual platform associated to the zone.

  37. Zone state cont.
     • Ready - virtual platform is defined, network interfaces plumbed and file systems mounted. Zone ID defined; however, no processes associated with this zone.
     • Running - The zone enters this state when the first user process is created. This is the normal state for a zone.
     • Shutting down + down - This state should only be visible during shut down.

  38. Global zone features • Zone ID = 0 • Provides the single bootable instance of Solaris • Contains all system packages • May contain additional software, packages, files or data not installed using pkgadm • Maintains global zone configuration information. • Only zone aware of all zones (files, devices, etc). • Only zone from which a non-global zone can be configured, installed, managed or removed.

  39. Non-global zone features. • Assigned zone ID on boot (dynamic value). • Shares the Solaris kernel that is booted from the global zone • Contains a subset of installed Solaris system packages • May contain additional software shared from global zone and some code that is not shared.

  40. Non-global zone features cont. • May contain software, files or data not installed using pkgadm or shared from the global zone • Includes a complete product database including software shared from the global zone and installed directly into the zone. • Unaware of other zones, cannot manage other zones. • Maintains all its own local information such as hostname, network settings, etc.

  41. zone file system models A non-global zone contains its own root file system. The size and configuration of the file system is based upon administration decisions. No technical limit on how much disk can be consumed by a zone however, there are methods to manage or control this: • Disk partitions • Soft partitions • Loopback file systems (managed with lofi and lofiadm)

  42. Sparse Root Zones Installs a subset of the root packages locally. Shares the global zone's packages, which are shared out using a read-only loopback file system. This configuration requires less than 100 MB of disk space to complete the base install.

  43. Whole Root zones This configuration provides the most flexibility; however, it requires more disk space than a sparse root zone. Loopback file systems are NOT required in this configuration.

  44. Networking your zone. Zones can communicate with other zones over the network. Each zone has its own set of bindings. Zones run all of their own network services and daemons. Meaning: an httpd daemon on one zone will not conflict with another zone also running an httpd daemon, even on the same port. Only the global zone can monitor traffic on all zones.

  45. Zone Daemons The zone management service utilizes the SMF framework: svc:/system/zones:default The two daemons that support zones are: • zoneadmd: 1 per zone • zsched: 1 per each Active zone (ready or running)

  46. Zone daemons • The zoneadmd daemon starts when a zone needs to be managed. zoneadmd provides support for: • zone ID allocation, • system resource controls, • network interface, • loopback and conventional file systems. • zsched is started by zoneadmd and exists if the zone state is: running, ready, or shutting down. The zsched monitors the kernel threads within the zone.

  47. Zone configuration Zones are configured using the zonecfg utility. zonecfg is also used to verify the zone. zonecfg can be run interactively or it can read in a configuration file. zonecfg can: • create or delete a zone configuration • add or remove resources in a configuration • set the properties for a resource in a configuration • query and verify a configuration and save or revert a configuration.

  48. Zone configuration cont.
     • zonecfg, when used in interactive mode, can be scoped at the global or local zone level:
          zonecfg -z <zonename>
     Viewing a zone configuration can be done by viewing the zone xml file directly:
     • /etc/zones/<zonename>.xml
     or exporting the zone configuration:
     • zonecfg -z <zonename> export
     The data is printed to stdout*.

  49. Installing a Zone
     After you have configured a zone the next step is to verify the install:
     • zoneadm -z <zonename> verify
     Once the zone is verified you can begin the installation. During this process the necessary files from the global zone will be copied to the local zone and the product database will be populated.
     • zoneadm -z <zonename> install

  50. Boot the zone
     Before the zone can be booted it needs to transition to a ready state*:
     • zoneadm -z <zonename> ready
     This step will plumb the interfaces and mount any required file systems. At this stage there are still no running processes in the zone.
     Now you boot the zone:
     • zoneadm -z <zone_name> boot
     Use list to confirm that the zone has started:
     • zoneadm -z <zone_name> list -v
     The zone state should be "running" at this point.
     *If you simply boot the zone, Solaris will pass through the ready operation by default.
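     A check that follows the verify, install, ready, boot sequence above: it reads a zone listing and reports which zoneadm step each non-running zone needs next. This is an added example, not part of the original presentation; the listing is constructed sample output of "zoneadm list -cv" and the zone names and paths are made up.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of "zoneadm list -cv" output, as run from the global
# zone. Zone names and paths are made up for this example.
my @listing = (
    '  ID NAME    STATUS      PATH           BRAND   IP',
    '   0 global  running     /              native  shared',
    '   1 web01   running     /zones/web01   native  shared',
    '   - db01    installed   /zones/db01    native  shared',
    '   - test01  configured  /zones/test01  native  shared',
);

# Next zoneadm subcommand for each state, in the order the slides give:
# verify -> install -> ready -> boot.
my %next_step = (
    configured => 'verify',    # followed by install
    installed  => 'ready',
    ready      => 'boot',
);

# Parse the listing into two hashes keyed by zone name.
my ( %id, %state );
foreach my $line (@listing) {
    my ( $zid, $name, $status ) = split ' ', $line;
    next if $zid eq 'ID';      # skip the header row
    $id{$name}    = $zid;
    $state{$name} = $status;
}

# The global zone always exists, has zone ID 0 and must be available.
my $global_ok = exists $state{global}
    && $id{global} eq '0'
    && $state{global} eq 'running';
print "global zone: ", ( $global_ok ? "ok" : "PROBLEM" ), "\n";

# Report every non-global zone that is not running, with its next step.
foreach my $name ( sort keys %state ) {
    next if $name eq 'global' or $state{$name} eq 'running';
    if ( exists $next_step{ $state{$name} } ) {
        print "$name: $state{$name}, next: zoneadm -z $name $next_step{$state{$name}}\n";
    }
    else {
        print "$name: $state{$name}, no routine next step; investigate\n";
    }
}
```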
