17 Nov 2005

I'm too lazy to configure DNS through the Solaris installer, so (where douglas is the global zone, and webzone is the web server zone):

root@dougal # cd /zones/webzone/root/etc
root@dougal # cp /etc/resolv.conf .
root@dougal # cp /etc/nsswitch.dns nsswitch.conf
So, let's install Apache (from sunfreeware.com, in this example):
webzone console # pkgadd -d apache-2.0.54-sol10-sparc-local

The following packages are available:
  1  SMCapache     apache
                   (sparc) 2.0.54

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: 1

Processing package instance  from 

apache(sparc) 2.0.54
The Apache Group

The selected base directory  must exist before
installation is attempted.

Do you want this directory created now [y,n,?,q] y
pkgadd: ERROR: unable to make directory .

Installation of  failed (internal error).
No changes were made to the system.
webzone console #
... okay then, let's create a writable "file system" for the zone. Note that this does not have to be an actual filesystem, just a directory, as it is mounted with the lofs loopback file system:
root@dougal # mkdir /zones/webzone/usrlocal
root@dougal # zonecfg -z webzone
zonecfg:webzone> add fs
zonecfg:webzone:fs> set dir=/usr/local
zonecfg:webzone:fs> set special=/zones/webzone/usrlocal
zonecfg:webzone:fs> set type=lofs
zonecfg:webzone:fs> end
zonecfg:webzone> exit
root@dougal #
Seem to have to reboot the zone to pick up this new config... Actually, because I'd made a bit of a mess of the filesystem config, I had to reboot the physical server. That is hopefully an admin error on my part. Otherwise, it's a serious issue with zones.

After that, it's a normal Apache installation on Solaris, within my zone (so long as everything goes into /usr/local - the rest of / is not writeable, even if I am root. This even seems to apply to /var/sadm/install/contents - there doesn't seem to be any information available about packages installed within the zone because of this.

This would seem to imply that making /var a writable filesystem is a sensible idea, which in hindsight seems obvious anyway, of course.

webzone console # pkgadd -d apache-2.0.54-sol10-sparc-local

The following packages are available:
  1  SMCapache     apache
                   (sparc) 2.0.54

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: 1

Processing package instance <SMCapache> from <apache-2.0.54-sol10-sparc-local>

apache(sparc) 2.0.54
The Apache Group

The selected base directory </usr/local/apache2> must exist before
installation is attempted.

Do you want this directory created now [y,n,?,q] y
Using <usr/local/apache2> as the package base directory.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

Installing apache as <SMCapache>

## Installing part 1 of 1.
/usr/local/apache2/bin/ab
/usr/local/apache2/bin/apachectl
/usr/local/apache2/bin/apr-config
/usr/local/apache2/bin/apu-config
  ... etc ...

/usr/local/apache2/modules/mod_usertrack.so
/usr/local/apache2/modules/mod_vhost_alias.so
[ verifying class <none> ]

Installation of <SMCapache> was successful.
webzone console #
webzone console # /usr/local/apache2/bin/apachectl start
ld.so.1: httpd: fatal: libssl.so.0.9.7: open failed: No such file or directory
Killed
webzone console #

... okay, we need OpenSSL, fair enough ...

... also need gdbm db expat libiconv libgcc - all normal sysadmin tasks for any Solaris system assuming that we use a sunfreeware.com install (actually, Solaris comes with Apache bundled, but I prefer SMC!)

Total packages installed (from ftp://ftp.mirror.ac.uk/sites/ftp.sunfreeware.com/pub/freeware/sparc/10/, my local mirror of sunfreeware.com):

  • apache-2.0.54-sol10-sparc-local
  • gdbm-1.8.3-sol10-sparc-local
  • openssl-0.9.7g-sol10-sparc-local
  • db-4.2.52.NC-sol10-sparc-local
  • libgcc-3.3-sol10-sparc-local
  • expat-1.95.5-sol10-sparc-local
  • libiconv-1.8-sol10-sparc-local
webzone console # cd /usr/local/apache2/conf/
webzone console # cp httpd-std.conf httpd.conf
webzone console # vi httpd.conf
webzone console # /usr/local/apache2/bin/apachectl start
... see that it's running ...
webzone console # ps -eaf|grep http
  nobody  1194  1191   0 00:53:43 ?           0:00 /usr/local/apache2/bin/httpd -k start
  nobody  1192  1191   0 00:53:43 ?           0:00 /usr/local/apache2/bin/httpd -k start
    root  1191   549   0 00:53:42 ?           0:00 /usr/local/apache2/bin/httpd -k start
  nobody  1193  1191   0 00:53:43 ?           0:00 /usr/local/apache2/bin/httpd -k start
  nobody  1195  1191   0 00:53:43 ?           0:00 /usr/local/apache2/bin/httpd -k start
  nobody  1196  1191   0 00:53:43 ?           0:00 /usr/local/apache2/bin/httpd -k start
    root  1198  1020   0 00:53:57 pts/2       0:00 grep http
webzone console #
... check on the global zone ...
root@dougal # ps -eaf|grep http
  nobody  1194  1191   0 00:53:43 ?           0:00 /usr/local/apache2/bin/httpd -k start
  nobody  1192  1191   0 00:53:43 ?           0:00 /usr/local/apache2/bin/httpd -k start
    root  1191     1   0 00:53:42 ?           0:00 /usr/local/apache2/bin/httpd -k start
  nobody  1193  1191   0 00:53:43 ?           0:00 /usr/local/apache2/bin/httpd -k start
  nobody  1195  1191   0 00:53:43 ?           0:00 /usr/local/apache2/bin/httpd -k start
  nobody  1196  1191   0 00:53:43 ?           0:00 /usr/local/apache2/bin/httpd -k start
    root  1200  1064   0 00:54:03 pts/3       0:00 grep http
root@dougal #

Using a remote client, I tried connecting to http://192.168.1.20/ and was refused. Connecting to http://192.168.1.21/ I got the default Apache install webpage.

That seems like success for the Apache install.

As you would expect if these were distinct machines, I can ssh into my "steve" account at the global zone (192.168.1.20), but there is no "steve" user on the webzone (192.168.1.21), so that ssh attempt fails.

Similarly, connecting to 192.168.1.20:80 from .21 fails, but 192.168.1.21:80 from .20 succeeds. So they do appear, at this level, to be different physical hosts.

Articles - Solaris Zones
Share on Twitter Share on Facebook Share on LinkedIn Share on Identi.ca Share on StumbleUpon

Get the Book:

Buy my 600-page Shell Scripting Book...


Or from other Amazon in other countries: USA, Germany, France, Spain, Italy, Canada, Japan, India, Brazil
Or from other retailers

Buy this Tutorial in Paperback or for Kindle:


USA, UK, Germany, France, Spain, Italy
Or Kindle in these countries: Canada, Australia, Japan, India, Brazil, Mexico

Buy this Tutorial as a DRM-Free PDF

(Free Sample)

$9.99 US Dollars

£4.99 UK Pounds

€6.99 Euros

You can join our Shell Scripting community on Facebook:

DefectiveByDesign.org