Quad9 – Free Secure DNS service from IBM, Global Cyber Alliance and Packet Clearing House

A Free secure DNS service from IBM Security, the Global Cyber Alliance and Packet Clearing House


Firmware upgrade on T4-1 Sparc server

Disclaimer: Please refer to the vendor-provided instructions and follow them carefully.

SUMMARY:

  1. cd /tmp/patch/
  2. unzip 148822-05.zip
  3. cd 148822-05
  4. ./sysfwdownload Sun_System_Firmware-8_2_2_c-SPARC_T4-1.pkg
  5. /usr/sbin/shutdown -i0 -g0 -y (then, at the OK> prompt, type #. to go to ILOM mode in the console)
  6. show /HOST/bootmode (note the config parameter value for LDOM servers, to set it again after the upgrade)
  7. show /HOST/ (displays the current versions of Hypervisor, OpenBoot, POST and sysfw_version)
  8. stop /SYS
  9. set /SYS keyswitch_state=Normal
  10. show /SP/firmware/localimage (displays the upload date and version; if the wrong image was uploaded by mistake, it displays invalid image)
  11. load -source /SP/firmware/localimage (shows progress as … and reboots ILOM on completion)
  12. set /HOST/bootmode config=config-name (this is important for the LDOM servers)
  13. start /SYS (starts the system)
  14. start /HOST/console

Detailed explanation (have patience and read the steps below)

Step: 1

Go to this Oracle site and find the suitable firmware level for your server, or refer to your internal engineering documents to find the upgrade level.

http://www.oracle.com/technetwork/systems/patches/firmware/release-history-jsp-138416.html

I need to upgrade to SysFW 8.2.2.c, which comes with Oracle patch "148822-05".

Step2: Log in to the Oracle site with a valid support ID and download the patch. (Most enterprise organizations have an engineering team that tests these patches and uploads them to internal repositories.)

Step3: Copy "148822-05.zip" to the servers where you need to upgrade the firmware and unzip it.

Step4: Pre tasks

  • This firmware upgrade requires downtime. If you are planning it on Production/Live servers, arrange proper downtime with the application teams.
  • The firmware upgrade requires the console, so check your console access.
  • Take a backup of all LDOM guest configurations. Refer to my previous article on saving and restoring LDOM guest configuration.
  • Check the current configuration stored in the Service Processor (SP). When you upgrade the firmware, it resets the SP bootmode configuration to the factory default. If you save the config name, it will be easy to set it back. You can also check this from ILOM using "show /HOST/bootmode"; save the config property value.

Step5: Load the firmware to the Service Processor (SP). ILOM has a mechanism to copy the image from the OS using the sysfwdownload tool. This tool always comes with your firmware patch and it is recommended to use that same tool.

cd /tmp/patch/148822-05

./sysfwdownload [image].pkg (in my case the image name is "Sun_System_Firmware-8_2_2_c-SPARC_T4-1.pkg")

(If you look at the image file name, it carries all the information: this firmware is for Sun SPARC hardware, its version is 8.2.2.c and it is for the SPARC T4-1 model. This is the first level of defense against loading the wrong firmware image.)

While downloading, it shows progress in the format "….(10%)…." and ends with "download completed successfully".

shutdown -i0 -g0 -y

At the OK> prompt, type #. to go to ILOM mode in the console.

show /HOST/bootmode (note the config parameter value for LDOM servers)

show /HOST/ will display the current versions of Hypervisor, OpenBoot, POST and sysfw_version

(sysfw_version is the one we mentioned above)

Verify that the downloaded image is correct with "show /SP/firmware/localimage" and check the upload date and version. (This is the second level of defense: if a valid image was not uploaded, it shows invalid image instead of the version.)

Stop the system to power it off completely: "stop /SYS"

Verify the keyswitch state with "show /SYS keyswitch_state". It should be in the normal state. If it is in the locked state, change it to normal:

"set /SYS keyswitch_state=Normal". Check that the value was set properly.

After completing all pre-checks, we are ready to upgrade the firmware:

  load -source /SP/firmware/localimage

This shows progress as … and, once it completes, reboots the ILOM.

Once it has completed, set the bootmode back to the saved configuration with "set /HOST/bootmode config=config-name" (this is important for the LDOM servers).

Start the system: "start /SYS"

Go to the console to see the server boot progress:

start /HOST/console
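The "first level of defense" from Step 5 (reading platform and version off the image file name) can be made mechanical before sysfwdownload is run. The script below is an added example, not part of the original post or of the Oracle patch; the function names are hypothetical and it assumes images follow the naming pattern of the file used in this post.

```shell
#!/bin/sh
# Added example: pre-flight check of a firmware image name before handing
# it to sysfwdownload.
# Assumption: images follow the naming seen in this post,
#   Sun_System_Firmware-<version, dots written as _>-SPARC_<model>.pkg

# parse_fw_name FILE: print "<version> <model>", or return 1 if the name
# does not follow the pattern above.
parse_fw_name() {
    base=${1##*/}                          # strip any directory part
    case $base in
        Sun_System_Firmware-*-SPARC_*.pkg) ;;
        *) return 1 ;;
    esac
    rest=${base#Sun_System_Firmware-}      # 8_2_2_c-SPARC_T4-1.pkg
    ver=${rest%%-SPARC_*}                  # 8_2_2_c
    model=${rest#*-SPARC_}                 # T4-1.pkg
    model=${model%.pkg}                    # T4-1
    [ -n "$ver" ] && [ -n "$model" ] || return 1
    printf '%s %s\n' "$(printf '%s' "$ver" | tr '_' '.')" "$model"
}

# check_fw_image FILE WANT_VERSION WANT_MODEL
# Returns 0 on match, 2 unparseable name, 3 wrong model, 4 wrong version.
check_fw_image() {
    parsed=$(parse_fw_name "$1") || return 2
    got_ver=${parsed% *}
    got_model=${parsed#* }
    [ "$got_model" = "$3" ] || return 3
    [ "$got_ver" = "$2" ] || return 4
    return 0
}

# Stand-alone use: ./fwcheck.sh IMAGE VERSION MODEL
if [ "$#" -eq 3 ]; then
    if check_fw_image "$1" "$2" "$3"; then
        echo "OK: $1 matches $3 / $2; proceed with ./sysfwdownload $1"
    else
        rc=$?
        echo "REFUSED (code $rc): $1 is not the $3 image for $2" >&2
        exit "$rc"
    fi
fi
```

A name check only catches a mix-up between images; "show /SP/firmware/localimage" remains the check that the SP accepted the image as valid.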

ILOM 3.0 Sparc Servers

First let’s start with how to access ILOM:

1. If the NetMgmt port is configured, you can log in to ILOM using ssh.

2. If the SerialMgmt port is configured, connecting to the serial port gives you ILOM access.

3. If you are connected to the operating system console through the NetMgmt or SerialMgmt port, type #. (hash symbol followed by a dot) to get to ILOM.

To go back from ILOM to the host operating system, start the console service: -> start /SP/console

-> start /SP/console  ==>ILOM CLI prompt
Are you sure you want to start /SP/console (y/n)? y

Serial console started.  To stop, type #.

bash-3.2#   ==>OS prompt
Serial console stopped.

->  ==>ILOM CLI prompt

Notes: the ILOM CLI follows a hierarchical architecture

ILOM Target types:

/SP – configuring ILOM service processor (SP)

/SYS – inventory/environmental and hardware management

/HOST – monitoring and managing host operating system.

Blade Platforms:

/CMM – on blade platforms this replaces /SP and is used to configure the ILOM Chassis Monitoring Module

/CH – on blade platforms this replaces /SYS and provides inventory, environmental and hardware management

ILOM CLI commands:

cd
create
delete
dump
exit
help
load
reset
set
show
start
stop
version

ILOM CLI Syntax:

command [options] [target] [properties]

Example: set /SP/services/https port=80 servicestate=enabled

User Management ILOM CLI:

Roles in CLI: Admin|Operator (a), User Management (u), Console (c), Reset and Host control (r) and Read Only (o)

1. Add a local user

create /SP/users/user1 password=password  role=a|u|c|r|o|s

2.  Delete a local user

delete /SP/users/user1

 3. Change a local user’s properties

set /SP/users/user1  role=operator

 4. Display information about all local users

show -display [targets|properties|all ] -level all /SP/users

 5. Display information about LDAP settings

show /SP/clients/ldap

6. Change LDAP settings

set /SP/clients/ldap binddn=proxyuser bindpw=proxyuserpassword defaultrole=a|u|c|r|o|s address=ipaddress

 Set ILOM clock to sync with NTP server

set /SP/clients/ntp/server/1 address=ntpIPAddress

To configure an IP address on the NetMgmt port, set values on the /SP/network properties

Properties:
        commitpending = (Cannot show property)
        dhcp_server_ip = (none)
        ipaddress = (none)
        ipdiscovery = (none)
        ipgateway = (none)
        ipnetmask = (none)
        macaddress = xx:xxx:xx:xx:xx:xx
        managementport = /SYS/MB/SP/NETMGMT
        outofbandmacaddress = xx:xx:xx:xx:xx:xx
        pendingipaddress = (none) ==> IPv4 address
        pendingipdiscovery = (none)
        pendingipgateway = (none) ==> Gateway
        pendingipnetmask = (none) ==> Netmask
        pendingmanagementport = /SYS/MB/SP/NETMGMT
        sidebandmacaddress = xx:xx:xx:xx:xx:xx
        state = disabled

You can configure the above values using the set command:

set /SP/network pendingipaddress=192.168.1.10

set /SP/network pendingipnetmask=255.255.255.0

set /SP/network pendingipgateway=192.168.1.1

Configuring SNMP and email alert:

set /SP/alertmgmt/rules/1…15 type=snmptrap snmp_version=3 community_or_username=username destination=ipaddress level=down|critical|major|minor

set /SP/alertmgmt/rules/1…15 type=email destination=somemail@abc.com level=down|critical|major|minor

To enable web access to ILOM, configure the http and https services:

set /SP/services/http port=80 secureredirect=enabled|disabled servicestate=enabled|disabled

set /SP/services/https port=xxx servicestate=enabled|disabled
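To check what the two commands above left behind, the function below reads saved output of "show /SP/services -level all" and reports when HTTP is enabled without redirecting to HTTPS. This is an added example, not from the original post; the sample listing is constructed, its layout is assumed to match the Properties listing shown above for /SP/network, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag risky web-service settings in saved output of
# "show /SP/services -level all".

# audit_services: read show output on stdin, print one FINDING line per issue.
audit_services() {
    awk '
    /^[ \t]*\/SP\// {                 # target line, e.g. " /SP/services/http"
        svc = $1
        sub(/.*\//, "", svc)          # keep the last path component
        next
    }
    $2 == "=" && svc != "" {          # property line: name = value
        prop[svc, $1] = $3
    }
    END {
        http_on = (prop["http", "servicestate"] == "enabled")
        if (http_on && prop["http", "secureredirect"] != "enabled")
            print "FINDING http: enabled without secureredirect (cleartext logins possible)"
        if (http_on && prop["https", "servicestate"] != "enabled")
            print "FINDING https: disabled while http is enabled"
    }'
}

# Constructed sample listing (weak setting: HTTP on, no redirect to HTTPS).
sample_weak() {
    cat <<'EOF'
 /SP/services/http
    Properties:
        port = 80
        secureredirect = disabled
        servicestate = enabled

 /SP/services/https
    Properties:
        port = 443
        servicestate = enabled
EOF
}

# The same listing after: set /SP/services/http secureredirect=enabled
sample_fixed() {
    sample_weak | sed 's/secureredirect = disabled/secureredirect = enabled/'
}

# count_findings: number of FINDING lines for the listing on stdin.
count_findings() { audit_services | grep -c '^FINDING' || true; }
```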

HOST system commands (*warning: if your host is up and running, HOST commands can cause outage)

To start the host system -> start /SYS

To stop the host system -> stop /SYS

Force shutdown (required when the host is hung) -> stop -f /SYS

Reset the host system (required when the host is hung) -> reset /SYS

Start a session to connect to the host console -> start /SP/console

Stop the console session -> stop /SP/console

Filtering output options:

Users with admin roles -> show /SP/users -level all role=="a*"

SNMP trap alerts -> show /SP/alertmgmt -level all type=="snmptrap"

List services which are disabled -> show /SP/services -level all servicestate==disabled

List memory modules with some part number -> show /SYS -level all type=="DIMM" fru_part_number==07014642

List all hard disks -> show /SYS -level all type=="Hard Disk"

How to backup the ILOM configuration

cd /SP/config

set passphrase=passphrase

set dump_uri=transfer_method://username:password@ipaddress_or_hostname/directorypath/filename

set dump_uri=scp://adminuser:userpswd@x.x.x.x/Backup/Lab9/SP-backup.config

How to Restore the ILOM configuration

Note: you have to log in to ILOM as a user that has the Admin, User Management, Console, Reset and Host control, and Read Only (a,u,c,r,o) roles.

cd /SP/config

set passphrase=passphrase

set load_uri=transfer_method://username:password@ipaddress_or_hostname/directorypath/filename

How to update ILOM Firmware

Prerequisite: shut down the host running on the hardware whose ILOM firmware you are upgrading.

1. Log in to the ILOM CLI as a user with the Admin role

2. -> version

3. Download the zip file package and copy it to a TFTP server that is accessible from the network

4. load -source <supported_protocol>://<server ip>/<path_to_firmware_image>/<filename.xxx>

Do you want to preserve the configuration (y/n)? y

Once the firmware loads, ILOM automatically reboots to complete the firmware update.

ILOM CLI is based on DMTF CLP (Distributed Management Task Force specification Server Management Command-Line Specification, Version 11.0a.8 Draft)

Reference: http://www.fujitsu.com/downloads/SPARCE/manuals/sparc-t5e/ilom3.0-cli-en-01.pdf

http://www.dmtf.org/

Configuring Link Based IPMP Solaris 10

Basic requirements for IPMP

  1. All interfaces in an IPMP group must have unique MAC addresses
  2. All interfaces in an IPMP group must be of the same media type
  3. All interfaces in an IPMP group must be on the same IP link

Two types of IPMP:

  1. Link-Based Failure Detection
  2. Probe-Based Failure Detection

Terminology:

Data Addresses: Conventional address configured to interface.

Test Addresses: used by in.mpathd for probe based failure detection.

IP link:  Physical connection to  network switch

To configure link-based IPMP, no test address is required, so just configure the hostname files for the two interfaces.

Example: nxge0 and nxge4

echo "myhost netmask + broadcast + group ipmp0 up" > /etc/hostname.nxge0

echo "group ipmp0 up" > /etc/hostname.nxge4

Then restart the network services:

svcadm disable network/physical

svcadm enable network/physical

Jan  7 18:26:52 myhost in.mpathd[1501]: No test address configured on interface nxge4; disabling probe-based failure detection on it

Jan  7 18:26:52 myhost in.mpathd[1501]: No test address configured on interface nxge0; disabling probe-based failure detection on it

The ifconfig output will then look like the following. Notice that nxge4 does not have an IP address configured.

nxge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3

        inet 192.168.0.100 netmask ffffff80 broadcast 165.40.63.127

        groupname ipmp0

        ether 0:xx:xx:xx:xx:xx

nxge4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4

        inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255

        groupname ipmp0

        ether 0:xx:xx:xx:xx:xx

Then verify failover and failback with the "if_mpadm" command:

root@myhost # if_mpadm -d nxge0

Jan  7 18:28:29 myhost in.mpathd[1501]: Successfully failed over from NIC nxge0 to NIC nxge4

root@myhost # if_mpadm -r nxge0

Jan  7 18:28:43 myhost in.mpathd[1501]: Successfully failed back to NIC nxge0

While testing, I ran a ping test:

H:\>ping 192.168.0.100 -t

Pinging 192.168.0.100 with 32 bytes of data:

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Reply from 192.168.0.100: bytes=32 time=39ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Request timed out. (failover to nxge4 tested here)

Reply from 192.168.0.100: bytes=32 time=39ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Request timed out. (failback to nxge0 tested here)

Reply from 192.168.0.100: bytes=32 time=39ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Reply from 192.168.0.100: bytes=32 time=38ms TTL=244

Ping statistics for 192.168.0.100:

    Packets: Sent = 25, Received = 23, Lost = 2 (8% loss),

Approximate round trip times in milli-seconds:

    Minimum = 38ms, Maximum = 39ms, Average = 38ms

Control-C

Note: For troubleshooting, you can test network connectivity from the OK prompt with the watch-net command

/pci@400/pci@2/pci@0/pci@6/network@0

1000 Mbps full duplex Link up

Looking for Ethernet Packets.

‘.’ is a Good Packet.  ‘X’ is a Bad Packet.

Type any key to stop.

………………………………………

/pci@400/pci@1/pci@0/pci@8/network@0

1000 Mbps link up

Looking for Ethernet Packets.

‘.’ is a Good Packet.

Type any key to stop.

…………………………………………

Reference

http://docs.oracle.com/cd/E23823_01/pdf/816-4554.pdf

http://sunaytripathi.wordpress.com/2010/03/25/solaris-10-networking-the-magic-revealed/#mozTocId342636.125

https://blogs.oracle.com/stw/entry/using_ipmp_with_link_based

Rename a guest domain (Solaris LDOM)

Disclaimer: I tested the following procedure to rename the guest domain. It worked for me, but it may not be the right procedure. Do not try it on your prod environment.

Rename the Guest domain:
==========================
Bring down the guest domain OS to OK prompt

bash-3.2# ldm list old-ldg1
NAME             STATE      FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
old-ldg1         active     -t----  5000    16    8G       6.2%  23h 17m

#ldm stop-domain old-ldg1
LDom old-ldg1 stopped

bash-3.2# ldm list old-ldg1
NAME             STATE      FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
old-ldg1         bound      ------  5000    16    8G

Then run the unbind command; the domain will change to the inactive state

bash-3.2# ldm unbind old-ldg1
bash-3.2# ldm list old-ldg1
NAME             STATE      FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
old-ldg1         inactive   ------          16    8G

Save the guest domain configuration to an XML file

bash-3.2# ldm list-constraints -x old-ldg1 > /var/tmp/old-ldg1.xml

Create a copy of the XML file

cp -p /var/tmp/old-ldg1.xml /var/tmp/new-ldg1.xml

bash-3.2# grep -i old-ldg1 /var/tmp/old-ldg1.xml
<Content xsi:type="ovf:VirtualSystem_Type" ovf:id="old-ldg1">
<gprop:GenericProperty key="vol_name">old-ldg1_sys</gprop:GenericProperty>
<gprop:GenericProperty key="vol_name">old-ldg1_sys</gprop:GenericProperty>
<gprop:GenericProperty key="block_dev">/dev/zvol/dsk/root/vdsk_old-ldg1_sys</gprop:GenericProperty>
bash-3.2# cp /var/tmp/old-ldg1.xml /var/tmp/new-ldg1.xml
bash-3.2# perl -pi -e 's/old-ldg1/new-ldg1/g' /var/tmp/new-ldg1.xml
bash-3.2# grep -i new-ldg1 /var/tmp/new-ldg1.xml
<Content xsi:type="ovf:VirtualSystem_Type" ovf:id="new-ldg1">
<gprop:GenericProperty key="vol_name">new-ldg1_sys</gprop:GenericProperty>
<gprop:GenericProperty key="vol_name">new-ldg1_sys</gprop:GenericProperty>
<gprop:GenericProperty key="block_dev">/dev/zvol/dsk/root/vdsk_new-ldg1_sys</gprop:GenericProperty>

For ldm version 3.x, please remove the existing domain configuration to clear the UUID. Thanks to Neeraj and Raphael for their comments.

bash-3.2# ldm remove-domain old-ldg1

bash-3.2# ldm add-domain -i /var/tmp/new-ldg1.xml
bash-3.2# ldm list
NAME             STATE      FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
primary          active     -n-cv-  UART    8     1G       1.1%  1d 3h 24m
new-ldg1         inactive   ------          16    8G
bash-3.2# ldm bind new-ldg1
bash-3.2# ldm start new-ldg1
LDom new-ldg1 started
bash-3.2# ldm list
NAME             STATE      FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
primary          active     -n-cv-  UART    8     1G       4.8%  1d 3h 25m
new-ldg1         active     -t----  5000    16    8G       3.5%  2s

Verify connecting to new guest domain console:

bash-3.2# telnet localhost 5000
Trying 127.0.0.1…
Connected to localhost.
Escape character is '^]'.

Connecting to console "new-ldg1" in group "new-ldg1" ….
Press ~? for control options ..

{0} ok
telnet> quit
Connection to localhost closed.
bash-3.2#

Backup guest domain configuration in xml and recreate the guest domain with xml file

This example is just to demonstrate how to save and restore guest domain.

Backup the xml file

#ldm list-constraints -x test-ldg1 > /var/tmp/test-ldg1.xml

bring down the guest domain OS -> stop the guest domain -> unbind the guest domain

# ldm list test-ldg1
NAME             STATE      FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
test-ldg1        inactive   ------          16    8G

#ldm destroy test-ldg1

#ldm list (will not show test-ldg1 guest domain)

Import the guest domain using the backup XML file /var/tmp/test-ldg1.xml

#ldm add-domain -i /var/tmp/test-ldg1.xml

Verify the domain details

# ldm list test-ldg1
NAME             STATE      FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
test-ldg1        inactive   ------          16    8G

bind the guest domain -> start the domain -> start the OS on guest domain

#ldm add-domain -i /var/tmp/test-ldg1.xml

Status is inactive
test-ldg1        inactive   ------          16    8G

#ldm bind test-ldg1

Status is bound
test-ldg1        bound      ------  5000    16    8G

#ldm start test-ldg1
LDom test-ldg1 started

Status is active
test-ldg1        active     -t----  5000    16    8G       3.8%  2s