Linux-UNIX: Solaris Zones configuration

Install and configure S-TAP in the Solaris global Zones (kernel zones). Non-global zones (local zones) share the resource with the global zone.

About this task

This procedure covers both Solaris global Zones (kernel zones) and Non-global zones (local zones).

Solaris versions 10 and later implement virtualized operating environments called Zones. Each zone is self-contained and has its own hostname, IP address, storage, and process space. Processes running in one zone are disassociated from the other zones. There is an over-arching zone called the global Zone and every other zone is called a non-global or local zone.

S-TAP requires special configuration when it is installed in a zoned Solaris operating environment, because K-TAP, a kernel module, has to be installed in the global Zone, and it is shared between the local zones. The specific requirements are:
  • S-TAP requires the IP address of the database server host to which it connects.
    By default, S-TAP connects to the loopback address 127.0.0.1. This loopback address refers to the "local host", which is the global zone. Instead, obtain the IP address of the non-global zone using ifconfig -a. For example, in the zone dbserver01:
    #ifconfig -a
     ....
     ....
     hme0:1: flags=1000843 mtu 1500 index 2
             zone dbserver01
             inet 192.168.1.201 netmask ffffff00 broadcast 192.168.1.255
     ....
     ....      
    The IP address of the zone "dbserver01" is 192.168.1.201. S-TAP must connect to this IP address rather than 127.0.0.1 in order to intercept database traffic to and from the zone dbserver01. Assuming that dbserver01 is DB_0 in the guard_tap.ini file, you would change:
    [DB_0]
     connect_to_ip=127.0.0.1 
    to
    [DB_0]
     connect_to_ip=192.168.1.201
    You must edit the file guard_tap.ini itself. You cannot update this configuration in the GUI.
  • S-TAP requires the path of the database server executable.

    Each zone is a self-contained operating environment. The path inside a particular zone is specific to that zone. For example, /opt/IBM/informix/11.70.UC3 can exist in each zone and yet each zone has a unique path.

    S-TAP is installed in the global zone, therefore the database executable in the non-global zone must be accessible from the global zone. If the file system in the non-global zone is externally mounted via mechanisms like NFS, it is important that the mounted location has the required permission to be accessed from the global zone. Otherwise, the S-TAP cannot access the database executable: the S-TAP status is initially green in the collector GUI, but then turns red and stays red.

    Since each non-global zone is a virtualized environment, paths inside a non-global zone are accessible from the global zone via a zone path prefix, which is the local zone. The syntax for the path to a particular zone is: <localzone>/root/<database server installation location>. Use the Solaris command zoneadm to obtain the prefixes for the various zones. For example, from the global zone:

    #zoneadm list -cv 
     ID NAME STATUS PATH
     0 global running /
     2 dbserver01 running /data/zones/dbserver01
     3 dbserver02 running /data/zones/dbserver02 

    In this example output, there are two non-global zones: dbserver01 and dbserver02. The file structure inside each zone can be accessed from the global zone via /data/zones/dbserver01 and /data/zones/dbserver02 for the zones dbserver01 and dbserver02 respectively. Assuming that the database server is installed in /opt/IBM/informix/11.70.UC3 in the zone dbserver01, then the full path to that directory from the global zone would be: /data/zones/dbserver01/root//opt/IBM/informix/11.70.UC3

    When specifying the path to the database server executable and the install path to S-TAP, you must use this full zone-relative path from the global zone. Using the IP address, the database server executable, and the installation path, the guard_tap.ini file looks like:
    [DB_1]
     connect_to_ip=192.168.1.201
     …
     …
    # Path to the database server executable
     db_exec_file=/data/zones/dbserver01/root//opt/IBM/informix/11.70.UC3/bin/oninit
    # Path to the database server installation
     db_install_dir=/data/zones/dbserver01/root//opt/IBM/informix/11.70.UC3
     …
[Figure: diagram of databases and zones, and inspection engine configurations]
Multiple zones: To monitor multiple non-global zones, create a DB section for each zone in the guard_tap.ini file. To monitor dbserver02, add another section that includes:
[DB_2]
connect_to_ip=192.168.1.202
…
…
# Path to the database server executable
db_exec_file=/data/zones/dbserver02/root//opt/IBM/informix/11.70.UC3/bin/oninit
# Path to the database server installation
db_install_dir=/data/zones/dbserver02/root//opt/IBM/informix/11.70.UC3
…
…
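
A lint for the two requirements above, as an added example that is not part of the original page or the product: it flags any [DB_n] section whose connect_to_ip is still the loopback address, or whose db_exec_file and db_install_dir are not under a zone path reported by zoneadm list -cv. The function name lint_guard_tap and both embedded samples are constructed here from the values used on this page.

```shell
#!/bin/sh
# Added example: lint guard_tap.ini [DB_n] sections against `zoneadm list -cv`.
# Both samples are constructed from the values used on this page.
ZONEADM_SAMPLE='  ID NAME STATUS PATH
   0 global running /
   2 dbserver01 running /data/zones/dbserver01
   3 dbserver02 running /data/zones/dbserver02'

INI_SAMPLE='[DB_0]
 connect_to_ip=127.0.0.1
 db_exec_file=/opt/IBM/informix/11.70.UC3/bin/oninit
 db_install_dir=/opt/IBM/informix/11.70.UC3
[DB_1]
 connect_to_ip=192.168.1.201
 db_exec_file=/data/zones/dbserver01/root//opt/IBM/informix/11.70.UC3/bin/oninit
 db_install_dir=/data/zones/dbserver01/root//opt/IBM/informix/11.70.UC3'

# lint_guard_tap ZONEADM_TEXT INI_TEXT
# Prints one finding per line; prints nothing when every section is consistent.
lint_guard_tap() {
  printf '%s\n---\n%s\n' "$1" "$2" | awk '
    function val() { return substr($0, index($0, "=") + 1) }
    function zone_of(p,   z) {   # name of the zone whose <zonepath>/root/ prefixes p
      for (z in zp) if (index(p, zp[z] "/root/") == 1) return z
      return ""
    }
    function report(   ze, zi) { # emit findings for the section just finished
      if (sec == "") return
      if (ip == "127.0.0.1") print sec ": connect_to_ip is the loopback address"
      ze = zone_of(exe); zi = zone_of(dir)
      if (ze == "") print sec ": db_exec_file is not under <zonepath>/root/"
      if (zi == "") print sec ": db_install_dir is not under <zonepath>/root/"
      if (ze != "" && zi != "" && ze != zi) print sec ": paths are in different zones"
    }
    $0 == "---" { ini = 1; next }
    # zoneadm part: running non-global zones have a numeric ID; PATH is field 4
    !ini { if ($1 ~ /^[0-9]+$/ && $2 != "global") zp[$2] = $4; next }
    { gsub(/^[ \t]+|[ \t]+$/, "") }
    /^\[DB_[0-9]+\]$/  { report(); sec = $0; ip = exe = dir = ""; next }
    /^connect_to_ip=/  { ip  = val() }
    /^db_exec_file=/   { exe = val() }
    /^db_install_dir=/ { dir = val() }
    END { report() }'
}

lint_guard_tap "$ZONEADM_SAMPLE" "$INI_SAMPLE"
```

On a live system, pass "$(zoneadm list -cv)" and the contents of guard_tap.ini in place of the samples, running from the global zone.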

Procedure

  1. Install S-TAP on the master zone (global zone) or kernel zone regardless of the zone in which the database runs, since the local zones share information from the master/kernel zone.
  2. Manually set S-TAP parameter connect_to_ip in the guard_tap.ini file to the IP address of the non-global zone.
  3. When configuring the Inspection Engine, use the global/kernel zone values for the db_install_dir path and db_exec_file. These are the GUI parameters DB Install Dir and Process Name, respectively. (From the global/kernel zone, S-TAP monitors access to databases in all zones.)
  4. Add the IP addresses of all zones that you want to monitor to the alternate_ips parameter in the guard_tap.ini file on the Solaris database server or use the S-TAP Control page to configure Alternate IPs.
    Typical parameter configuration:
    • db_exec_file=/home/oracle18/app/oracle/product/18.0.0.0/dbhome_1/bin/oracle (the full path to oracle executable)
    • db_install_dir=/home/oracle18/

Results

  • K-TAP is not loaded in the local zone as it is only loaded on the global zone. It is visible on the local zones.
  • S-TAP does not run in the local zones.