17 Nov 2005
I'm too lazy to configure DNS through the Solaris installer, so (where dougal is the global zone, and webzone is the web server zone):
root@dougal # cd /zones/webzone/root/etc
root@dougal # cp /etc/resolv.conf .
root@dougal # cp /etc/nsswitch.dns nsswitch.conf
So, let's install Apache (from sunfreeware.com, in this example):
webzone console # pkgadd -d apache-2.0.54-sol10-sparc-local
The following packages are available:
  1  SMCapache     apache
                   (sparc) 2.0.54
Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]: 1
Processing package instance <SMCapache> from <apache-2.0.54-sol10-sparc-local>
apache(sparc) 2.0.54
The Apache Group
The selected base directory </usr/local/apache2> must exist before installation is attempted.
Do you want this directory created now [y,n,?,q] y
pkgadd: ERROR: unable to make directory </usr/local/apache2>.
Installation of <SMCapache> failed (internal error).
No changes were made to the system.
webzone console #
Okay then, let's create a writable "file system" for the zone. Note that this does not have to be an actual filesystem, just a directory, as it is mounted with the lofs loopback file system:
root@dougal # mkdir /zones/webzone/usrlocal
root@dougal # zonecfg -z webzone
zonecfg:webzone> add fs
zonecfg:webzone:fs> set dir=/usr/local
zonecfg:webzone:fs> set special=/zones/webzone/usrlocal
zonecfg:webzone:fs> set type=lofs
zonecfg:webzone:fs> end
zonecfg:webzone> exit
root@dougal #
I seem to have to reboot the zone to pick up this new config... Actually, because I'd made a bit of a mess of the filesystem config, I had to reboot the physical server. That is hopefully an admin error on my part. Otherwise, it's a serious issue with zones.
After that, it's a normal Apache installation on Solaris, within my zone (so long as everything goes into /usr/local; the rest of / is not writeable, even if I am root). This even seems to apply to /var/sadm/install/contents, so there doesn't seem to be any information available about packages installed within the zone, because of this.
This would seem to imply that making /var a writable filesystem is a sensible idea, which in hindsight seems obvious anyway, of course.
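As an added example, not part of the original post: a small sh/awk audit over the text that `zonecfg -z webzone export` prints in the global zone, listing which directories the zone inherits read-only from the global zone (the reason pkgadd could not create /usr/local/apache2 above) and which lofs mounts are writable. The sample export is constructed to mirror the configuration built interactively above, with a /var mount added along the lines suggested and a read-only share of the global /opt/sfw (both assumed, not from the post).

```sh
#!/bin/sh
# Added example, not from the original post: audit a zone's file-system resources from
# the text "zonecfg -z <zone> export" prints in the global zone. inherit-pkg-dir entries
# are directories a sparse-root zone shares read-only with the global zone; lofs entries
# are reported RW unless the "ro" option is set.  Real use: zonecfg -z webzone export | audit_zone_export
audit_zone_export() {
    awk '
        /^add inherit-pkg-dir/ { res = "inherit"; dir = ""; next }
        /^add fs/ { res = "fs"; dir = ""; special = ""; type = ""; opts = ""; next }
        res != "" && /^set dir=/     { sub(/^set dir=/, "");     dir = $0;     next }
        res != "" && /^set special=/ { sub(/^set special=/, ""); special = $0; next }
        res != "" && /^set type=/    { sub(/^set type=/, "");    type = $0;    next }
        res != "" && /^add options/  {
            # options appear as "add options ro" or "add options [ro,nodevices]"
            sub(/^add options[ \t]*/, ""); gsub(/\[/, ""); gsub(/\]/, "")
            opts = opts "," $0; next
        }
        /^end/ && res == "inherit" { printf "RO inherit %s (shared from global zone)\n", dir; res = ""; next }
        /^end/ && res == "fs" {
            mode = (opts ~ /(^|,)ro(,|$)/) ? "RO" : "RW"
            printf "%s %s %s <- %s [%s]\n", mode, type, dir, special, substr(opts, 2)
            res = ""; next
        }
    '
}
# Constructed sample in zonecfg export form: the webzone lofs mount built above, an
# assumed writable /var mount, and an assumed read-only share of the global /opt/sfw.
SAMPLE_EXPORT='create -b
add inherit-pkg-dir
set dir=/usr
end
add fs
set dir=/usr/local
set special=/zones/webzone/usrlocal
set type=lofs
end
add fs
set dir=/var
set special=/zones/webzone/var
set type=lofs
add options [rw,nodevices]
end
add fs
set dir=/opt/sfw
set special=/opt/sfw
set type=lofs
add options ro
end'
printf '%s\n' "$SAMPLE_EXPORT" | audit_zone_export
```

Each RW line is a directory that root inside the zone can populate and that the global zone can also read and modify, which is the trust boundary to keep in mind before adding /var.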
webzone console # pkgadd -d apache-2.0.54-sol10-sparc-local
The following packages are available:
  1  SMCapache     apache
                   (sparc) 2.0.54
Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]: 1
Processing package instance <SMCapache> from <apache-2.0.54-sol10-sparc-local>
apache(sparc) 2.0.54
The Apache Group
The selected base directory </usr/local/apache2> must exist before installation is attempted.
Do you want this directory created now [y,n,?,q] y
Using </usr/local/apache2> as the package base directory.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
Installing apache as <SMCapache>
## Installing part 1 of 1.
/usr/local/apache2/bin/ab
/usr/local/apache2/bin/apachectl
/usr/local/apache2/bin/apr-config
/usr/local/apache2/bin/apu-config
... etc ...
/usr/local/apache2/modules/mod_usertrack.so
/usr/local/apache2/modules/mod_vhost_alias.so
[ verifying class <none> ]
Installation of <SMCapache> was successful.
webzone console #
webzone console # /usr/local/apache2/bin/apachectl start
ld.so.1: httpd: fatal: libssl.so.0.9.7: open failed: No such file or directory
Killed
webzone console #
... okay, we need OpenSSL, fair enough ...
... also need gdbm, db, expat, libiconv and libgcc - all normal sysadmin tasks for any Solaris system, assuming that we use a sunfreeware.com install (actually, Solaris comes with Apache bundled, but I prefer SMC!)
Total packages installed (from ftp://ftp.mirror.ac.uk/sites/ftp.sunfreeware.com/pub/freeware/sparc/10/, my local mirror of sunfreeware.com):
- apache-2.0.54-sol10-sparc-local
- gdbm-1.8.3-sol10-sparc-local
- openssl-0.9.7g-sol10-sparc-local
- db-4.2.52.NC-sol10-sparc-local
- libgcc-3.3-sol10-sparc-local
- expat-1.95.5-sol10-sparc-local
- libiconv-1.8-sol10-sparc-local
webzone console # cd /usr/local/apache2/conf/
webzone console # cp httpd-std.conf httpd.conf
webzone console # vi httpd.conf
webzone console # /usr/local/apache2/bin/apachectl start
... see that it's running ...
webzone console # ps -eaf|grep http
nobody 1194 1191 0 00:53:43 ? 0:00 /usr/local/apache2/bin/httpd -k start
nobody 1192 1191 0 00:53:43 ? 0:00 /usr/local/apache2/bin/httpd -k start
root 1191 549 0 00:53:42 ? 0:00 /usr/local/apache2/bin/httpd -k start
nobody 1193 1191 0 00:53:43 ? 0:00 /usr/local/apache2/bin/httpd -k start
nobody 1195 1191 0 00:53:43 ? 0:00 /usr/local/apache2/bin/httpd -k start
nobody 1196 1191 0 00:53:43 ? 0:00 /usr/local/apache2/bin/httpd -k start
root 1198 1020 0 00:53:57 pts/2 0:00 grep http
webzone console #
... check on the global zone ...
root@dougal # ps -eaf|grep http
nobody 1194 1191 0 00:53:43 ? 0:00 /usr/local/apache2/bin/httpd -k start
nobody 1192 1191 0 00:53:43 ? 0:00 /usr/local/apache2/bin/httpd -k start
root 1191 1 0 00:53:42 ? 0:00 /usr/local/apache2/bin/httpd -k start
nobody 1193 1191 0 00:53:43 ? 0:00 /usr/local/apache2/bin/httpd -k start
nobody 1195 1191 0 00:53:43 ? 0:00 /usr/local/apache2/bin/httpd -k start
nobody 1196 1191 0 00:53:43 ? 0:00 /usr/local/apache2/bin/httpd -k start
root 1200 1064 0 00:54:03 pts/3 0:00 grep http
root@dougal #
Using a remote client, I tried connecting to http://192.168.1.20/ and was refused. Connecting to http://192.168.1.21/ I got the default Apache install webpage.
That seems like success for the Apache install.
As you would expect if these were distinct machines, I can ssh into my "steve" account at the global zone (192.168.1.20), but there is no "steve" user on the webzone (192.168.1.21), so that ssh attempt fails.
Similarly, connecting to 192.168.1.20:80 from .21 fails, but 192.168.1.21:80 from .20 succeeds. So they do appear, at this level, to be different physical hosts.