Linux-UNIX: Solaris Zones configuration
Install and configure S-TAP® in the Solaris global Zones (kernel zones). Non-global zones (local zones) share the resource with the global zone.
About this task
This procedure covers both Solaris global Zones (kernel zones) and Non-global zones (local zones).
Solaris versions 10 and later implement virtualized operating environments called Zones. Each zone is self-contained and has its own hostname, IP address, storage, and process space. Processes running in one zone are disassociated from the other zones. There is an over-arching zone called the global Zone and every other zone is called a non-global or local zone.
S-TAP requires the IP address of the database server host to which it connects. By default, S-TAP connects to the loopback address 127.0.0.1. This loopback address refers to the "local host", which is the global zone. Instead, obtain the IP address of the non-global zone using ifconfig -a. For example, in the zone dbserver01:
    # ifconfig -a
    ....
    ....
    hme0:1: flags=1000843 mtu 1500 index 2
            zone dbserver01
            inet 192.168.1.201 netmask ffffff00 broadcast 192.168.1.255
    ....
    ....
The IP address of the zone "dbserver01" is 192.168.1.201. S-TAP must connect to this IP address rather than 127.0.0.1, in order to intercept database traffic to and from the zone dbserver01. Assuming that dbserver01 is DB_0 in the guard_tap.ini file, you would change:
You must edit the file guard_tap.ini itself. You cannot update this configuration in the GUI.
S-TAP requires the path of the database server executable.
Each zone is a self-contained operating environment. The path inside a particular zone is specific to that zone. For example, /opt/IBM/informix/11.70.UC3 can exist in each zone and yet each zone has a unique path.
S-TAP is installed in the global zone, therefore the database executable in the non-global zone must be accessible from the global zone. If the file system in the non-global zone is externally mounted via mechanisms like NFS, it is important that the mounted location has the required permission to be accessed from the global zone. Otherwise, the S-TAP cannot access the database executable: the S-TAP status is initially green in the collector GUI, but then turns red and stays red.
Since each non-global zone is a virtualized environment, paths inside a non-global zone are accessible from the global zone via a zone path prefix, which is the local zone. The syntax for the path to a particular zone is: <localzone>/root/<database server installation location>. Use the Solaris command zoneadm to obtain the prefixes for the various zones. For example, from the global zone:
    # zoneadm list -cv
      ID NAME        STATUS   PATH
       0 global      running  /
       2 dbserver01  running  /data/zones/dbserver01
       3 dbserver02  running  /data/zones/dbserver02
In this example output, there are two non-global zones: dbserver01 and dbserver02. The file structure inside each zone can be accessed from the global zone via /data/zones/dbserver01 and /data/zones/dbserver02 for the zones dbserver01 and dbserver02 respectively. Assuming that the database server is installed in /opt/IBM/informix/11.70.UC3 in the zone dbserver01, then the full path to that directory from the global zone would be:
    /data/zones/dbserver01/root//opt/IBM/informix/11.70.UC3
When specifying the path to the database server executable and the install path to S-TAP, you must use this full zone relative path from the global zone. Using the IP address, the database server executable, and installation path, the guard_tap.ini looks like:
    [DB_1]
    connect_to_ip=192.168.1.201
    …
    …
    # Path to the database server executable
    db_exec_file=/data/zones/dbserver01/root//opt/IBM/informix/11.70.UC3/bin/oninit
    # Path to the database server installation
    db_install_dir=/data/zones/dbserver01/root//opt/IBM/informix/11.70.UC3
    …
    [DB_2]
    connect_to_ip=192.168.1.202
    …
    …
    # Path to the database server executable
    db_exec_file=/data/zones/dbserver02/root//opt/IBM/informix/11.70.UC3/bin/oninit
    # Path to the database server installation
    db_install_dir=/data/zones/dbserver02/root//opt/IBM/informix/11.70.UC3
    …
    …
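An added example, not IBM's code: a shell check that cross-references guard_tap.ini against zoneadm list -cv output and reports sections that still use the loopback address or paths without the <zone path>/root/ prefix. The zoneadm and guard_tap.ini text is constructed from the samples on this page, the function names are hypothetical, and the check assumes every [DB_n] section describes a database in a non-global zone.

```shell
#!/bin/sh
# Needs a POSIX awk (on Solaris: nawk or /usr/xpg4/bin/awk).

# Constructed sample inputs, modelled on the output shown on this page.
ZONEADM_OUT='  ID NAME        STATUS   PATH
   0 global      running  /
   2 dbserver01  running  /data/zones/dbserver01
   3 dbserver02  running  /data/zones/dbserver02'

TAP_INI='[DB_0]
connect_to_ip=127.0.0.1
db_exec_file=/opt/IBM/informix/11.70.UC3/bin/oninit
db_install_dir=/opt/IBM/informix/11.70.UC3
[DB_1]
connect_to_ip=192.168.1.201
db_exec_file=/data/zones/dbserver01/root//opt/IBM/informix/11.70.UC3/bin/oninit
db_install_dir=/data/zones/dbserver01/root//opt/IBM/informix/11.70.UC3'

# zone_table: print "NAME PATH" per zone; columns are located by header name,
# so extra columns in the zoneadm output do not shift the result.
zone_table() {
  printf '%s\n' "$ZONEADM_OUT" | awk '
    NR == 1 { for (i = 1; i <= NF; i++) { if ($i == "NAME") n = i; if ($i == "PATH") p = i } next }
    { print $n, $p }'
}

# zone_path ZONE: print the zone path of ZONE (empty if the zone is unknown).
zone_path() { zone_table | awk -v z="$1" '$1 == z { print $2 }'; }

# global_path ZONE IN_ZONE_PATH: the path as seen from the global zone,
# in the <zone path>/root/<in-zone path> form used on this page.
global_path() {
  zp=$(zone_path "$1")
  [ -n "$zp" ] || return 1
  printf '%s/root/%s\n' "$zp" "$2"
}

# audit_ini: one finding per line for loopback IPs and unprefixed paths.
audit_ini() {
  prefixes=$(zone_table | awk '$1 != "global" { printf "%s/root/ ", $2 }')
  printf '%s\n' "$TAP_INI" | awk -F= -v pre="$prefixes" '
    BEGIN { np = split(pre, P, " ") }
    function in_zone(v,   i) { for (i = 1; i <= np; i++) if (index(v, P[i]) == 1) return 1; return 0 }
    /^\[/ { sec = $0; next }
    $1 == "connect_to_ip" && $2 == "127.0.0.1" { print sec, "connect_to_ip is the loopback address" }
    ($1 == "db_exec_file" || $1 == "db_install_dir") && !in_zone($2) { print sec, $1, "has no zone path prefix" }'
}

audit_ini
```

On a live host, replace the two sample variables with the real zoneadm list -cv output and the contents of guard_tap.ini.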
- Install S-TAP on the master zone (global zone) or kernel zone regardless of the zone in which the database runs, since the local zones share information from the master/kernel zone.
- Manually set S-TAP parameter connect_to_ip in the guard_tap.ini file to the IP address of the non-global zone.
- When configuring the Inspection Engine, use the global/kernel zone values for the db_install_dir path and db_exec_file. These are the GUI parameters DB Install Dir, and Process Name, respectively. (From the global/kernel zone, S-TAP monitors access to databases in all zones.)
- Add the IP addresses of all zones that you want to monitor to the alternate_ips parameter in the guard_tap.ini file on the Solaris database server or use the S-TAP Control page to configure Alternate IPs. Typical parameter configuration:
- db_exec_file=/home/oracle18/app/oracle/product/188.8.131.52/dbhome_1/bin/oracle (the full path to oracle executable)
- K-TAP is not loaded in the local zone as it is only loaded on the global zone. It is visible on the local zones.
- S-TAP does not run in the local zones.