
Not able to login into Non-global zones (NGZ) after Patching.
Yesterday I faced an issue wherein I was unable to log in to NGZs after
kernel patching, though zlogin was working perfectly.
Initially I thought the cause was the ssh key; then I tried to log in to the NGZ from the network, and it was showing ssh
connection refused.
I checked the ssh services via zlogin. There were many network-related services which were not
running, including ssh. All of them depended on the /system/sysidtool:net service, which was in disabled
mode. I tried to enable the /system/sysidtool:net service, but no luck.
# svcs -vx
# svcs -a | grep -i /system/sysidtool:net
# svcadm enable /system/sysidtool:net
# svcs -a | grep -i /system/sysidtool:net
# svcs -vx
Then I examined the logs for this service failure and found:
[ Aug 27 09:15:49 Method "start" exited with status 0 ]
[ Aug 27 09:36:58 Enabled. ]
[ Aug 27 09:37:01 Executing start method ("/lib/svc/method/sysidtool-net") ]
/etc/.UNCONFIGURED not found. System already configured, /lib/svc/method/sysidtool-net exiting.
[ Aug 27 09:37:01 Method "start" exited with status 0 ]
[ Aug 27 14:58:06 Enabled. ]
[ Aug 27 14:58:12 Executing start method ("/lib/svc/method/sysidtool-net") ]
ifconfig: status: SIOCGLIFFLAGS: fjgi0: no such interface
ifconfig: setifflags: SIOCGLIFFLAGS: fjgi0: no such interface
ifconfig: status: SIOCGLIFFLAGS: fjgi7: no such interface
ifconfig: setifflags: SIOCGLIFFLAGS: fjgi7: no such interface
Terminated
At this point I checked the interfaces, but all were up and running fine
in the global as well as the non-global zone.
Then one particular line got my attention:
/etc/.UNCONFIGURED not found. System already configured, /lib/svc/method/sysidtool-net exiting.

I checked /etc/.UNCONFIGURE with ls -la in the NGZ and found one file with
name .UNCONFIGURE, which was of zero size.
I removed this file and restarted the NGZ; all went in favor and all services
started successfully.
# cd /etc
# ls -la
# rm .UNCONFIGURE
# zoneadm -z zone-name reboot
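
As an added example (not part of the original post), the check below can be run from the global zone after patching to list leftover sysidtool marker files in every NGZ root, instead of finding them one zone at a time. It assumes the colon-separated `zoneadm list -cp` format and the zonepath/root layout; the function names and the demo data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report sysidtool marker files left in non-global zone roots.
# Input (stdin): lines in `zoneadm list -cp` format,
#   zoneid:zonename:state:zonepath[:uuid:brand:ip-type]
# Output: one line per marker: "<zone> <state> <marker path> <size in bytes>"
scan_zone_markers() {
    while IFS=: read -r _id name state zonepath _rest; do
        [ -n "$name" ] || continue
        [ "$name" = "global" ] && continue      # the post concerns NGZs only
        etc_dir="$zonepath/root/etc"            # the zone's /etc seen from the GZ
        # Match both spellings used on this page: .UNCONFIGURE and .UNCONFIGURED
        for marker in "$etc_dir"/.UNCONFIGURE*; do
            [ -f "$marker" ] || continue        # glob matched nothing
            size=$(wc -c < "$marker" | tr -d ' ')
            printf '%s %s %s %s\n' "$name" "$state" "$marker" "$size"
        done
    done
}

# On a Solaris 10 global zone the real listing would drive the check:
#   zoneadm list -cp | scan_zone_markers
# Constructed demo (temporary directories, made-up zones) so it runs anywhere:
demo_scan() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/zoneA/root/etc" "$base/zoneB/root/etc"
    : > "$base/zoneB/root/etc/.UNCONFIGURED"    # zero-byte marker, as in the post
    printf '%s\n' \
        "0:global:running:/" \
        "1:zoneA:running:$base/zoneA" \
        "2:zoneB:running:$base/zoneB" |
        scan_zone_markers
    rm -rf "$base"
}

demo_scan
```

A zone that shows up in the output is a candidate for the fix described above: remove the marker from inside the zone and reboot it.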

Prasad
29 August, 2011, 1:48

Hi Yogesh,
That's a nice post.
If you examine further this error occurs because of the following reasons:
1.) If you have done detach and attach of the zones to global zone.
2) If you have invoked a sys-unconfig and ran reboot.
If you check on this system, please verify the Timezone of the non-global zone; it might have changed to the default
PST. Also, changes in /etc/nsswitch.conf will be lost and need to be restored.
Unfortunately, these changes will not be caught as all the services on the system come up as usual.
Thanks.
Prasad

ramdev
29 August, 2011, 3:43

Good one Yogesh, can you please consider Prasad's points and check that the Timezone and name switch
configuration were not reset to defaults.

Yogesh Raheja
29 August, 2011, 4:28

Hi Prasad,
Thanks for your valuable comments.
1.) I haven't performed detach/attach on the server.
2.) No sys-unconfig invoked as I was performing only Bundle patching.

I need to check the TIMEZONE and /etc/nsswitch.conf files for any config. changes.

Yogesh Raheja
29 August, 2011, 12:57

Hi Prasad/Ram, No changes have been found in nsswitch.conf and the TIMEZONE is also looking
good.

Prasad
29 August, 2011, 14:41

Ok. That's good.. cool.. In my earlier experience, I have faced the above said issues during detach and attach
of zones and also with sys-unconfig. But you may help investigate further and find out which patch is doing
that; it would be helpful if we are getting this issue persistently across other servers as well. Thanks for
bringing this up.

Ram
12 September, 2011, 18:24

I was facing the same issue today. Resolved by removing the .UNCONFIGURED file. After that I was getting
"Couldn't agree a key exchange algorithm" while using Putty. Resolved that by using the following commands:
/lib/svc/method/sshd -c
svcadm restart ssh
Thanks a lot

Ramdev
13 September, 2011, 2:08

@ram thanks for sharing the information to us

Yogesh Raheja
13 September, 2011, 10:02

@Ram, yes, sometimes it would be required to restart the sshd or to reboot the zone.

Yogesh Raheja
13 September, 2011, 10:02

sorry, not sometimes, in fact every time..:)

krishna

27 October, 2011, 12:09

Hi,
I checked /etc/.UNCONFIGURE with ls -la in the NGZ and found one file with name .UNCONFIGURE, which
was of 0 Zero size.
In the above line I have a doubt: is that NGZ or GZ? Because our issue is not being able to log in to the NGZ. So how
can I do it without login?

Yogesh Raheja

@Krishna, login into the NGZ from GZ via zlogin and rm /etc/.unconfigure file from NGZ and reboot your
NGZ. It will restart all the services without issues. Try it and you will be able to login via ssh.

Eliza

Thank you for posting this. I have 8 theoretically identical zones (all built from the same build script on the
same server) and one of the 8 had this issue. After removing the .UNCONFIGURE file all of the services
were able to start.

Yogesh Raheja

@Eliza, it's a great pleasure that our post worked for your issue. Thanks for your interest in Gurkulindia.

Shahul

Just curious what the command /lib/svc/method/sshd -c does?

Yogesh Raheja

@Shahul, the purpose of /lib/svc/method/sshd -c is to create the rsa and dsa keys if they are not present on the
server before restarting ssh. Though it won't be required in many cases and restarting ssh is enough. Also you
can check the /lib/svc/method/sshd file, which will give you more of an idea. Hope this helps.

deepa K R

http://docs.oracle.com/cd/E19683-01/817-1592/gbcyr/index.html.
To prevent the system from displaying the sysidtool questions upon initial zone login, delete the file
zonepath/root/etc/.UNCONFIGURED,

Solaris 10: Configuring netmasks and default gateway in zones
The command, zonecfg, has no provision for defining the netmask of network
resources. Modifying the /etc/netmasks file resident within the designated zone does
not configure the netmask of the new interface. This procedure details how to
set the netmask of a network resource within a zone to the desired value.

Netmasks Configuration
Within the context of the global zone, the zonecfg command is used to define a
network resource.
On the global zone:
# zonecfg -z rhzone
zonecfg:rhzone> add net
zonecfg:rhzone:net> set address=10.1.0.1
zonecfg:rhzone:net> set physical=e1000g0
zonecfg:rhzone:net> end
zonecfg:rhzone> export
zonecfg:rhzone> exit
# zoneadm -z rhzone reboot


On the zone rhzone:
# vi /etc/netmasks
adding the line
10.1.0.0 255.255.255.0
then saving the file and rebooting the zone, yields:
login: root
password: xxxxxx
# ifconfig -a
e1000g0 <> inet 10.1.0.1 netmask 255.0.0.0 <- a class A netmask, unchanged by
the modification of the /etc/netmasks file within the zone.
The CORRECT procedure to define the netmask on the network resource of the zone
is to use one of the steps below:

1. Within the context of the global zone, define the network resource on the
target zone using the zonecfg command. Prior to rebooting the zone, modify
/etc/netmasks on the global zone, adding the desired netmask for the target
zone.
or
2. After the network resource has been defined on the zone, and the zone has
been rebooted, use the ifconfig command from the global zone to configure the
netmask of the target zone network resource. Of course, this procedure will not
persist beyond a zone reboot.
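
For option 1, the following added example (not part of the original post) predicts, before the zone is rebooted, which netmask an address would get from a given netmasks file, so a missing entry shows up as the class A fallback seen above. It uses a simplified lookup model that is an assumption here: the address is truncated to progressively shorter prefixes down to its classful length, and the first network number found in the file supplies the mask. The function names and sample file are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Simplified model, stated as an
# assumption: the address is truncated to ever shorter prefixes, down to its
# classful length, and the first network number found in the file supplies
# the mask; with no match the classful default applies.
# usage: expected_netmask <netmasks-file> <ipv4-address>
expected_netmask() {
    awk -v ip="$2" '
    # Dotted quad of octets o[1..4] truncated to the first len bits.
    function prefix_key(o, len,    i, bits, block, oct, key) {
        for (i = 1; i <= 4; i++) {
            bits = len - 8 * (i - 1)
            if (bits > 8) bits = 8
            if (bits < 0) bits = 0
            block = 2 ^ (8 - bits)
            oct = int(o[i] / block) * block
            key = (i == 1) ? oct : (key "." oct)
        }
        return key
    }
    /^[ \t]*#/ || NF < 2 { next }                 # comments and blank lines
    split($1, n, ".") == 4 { mask_of[prefix_key(n, 32)] = $2 }
    END {
        if (split(ip, o, ".") != 4) { print "bad address: " ip; exit 1 }
        natural = (o[1] < 128) ? 8 : (o[1] < 192) ? 16 : 24
        for (len = 32; len >= natural; len--) {
            key = prefix_key(o, len)
            if (key in mask_of) { print mask_of[key] " (from file)"; exit 0 }
        }
        if (natural == 8) print "255.0.0.0 (classful default)"
        else if (natural == 16) print "255.255.0.0 (classful default)"
        else print "255.255.255.0 (classful default)"
    }' "$1"
}

# Constructed sample standing in for the global zone's /etc/netmasks.
demo_netmask() {
    f=$(mktemp) || return 1
    printf '%s\n' "# constructed sample" "10.1.0.0 255.255.255.0" > "$f"
    expected_netmask "$f" 10.1.0.1    # covered by the entry
    expected_netmask "$f" 10.2.0.1    # no entry: classful fallback
    rm -f "$f"
}

demo_netmask
```

On the global zone the first argument would be /etc/netmasks and the second the address given to zonecfg.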

Default Router Configuration


The defrouter option is intended for use on separate interfaces.
From S10U6 and later releases, the defrouter option can be used to create a default
router for a non-global zone.
However, the defrouter option is intended for zones that are using separate
interfaces, or at least separate subnets. If zones are using the same interface
and the same subnet, they really aren't separated.

4 Comments on Solaris 10: Configuring netmasks and default gateway in zones

Ram

We can set IP without rebooting zone from global
ifconfig e1000g0 addif 10.1.0.1 netmask 255.255.255.0 broadcast 10.1.0.255 zone up
Thanks, Ram
@Ram, is this for an existing zone? If yes, I think we need a reboot (need to test). And if a new zone is
built then it would not be up unless an IP is assigned.

Yogesh.Raheja

@Ram, you are absolutely right; tested, we can do this without reboot.
Thanks

Ramdev

In this case running ifconfig after the zonecfg (to add a new interface) does exactly the same as zonecfg followed
by reboot. The actual reason for the reboot after zonecfg (not only for network configuration but for any other
configuration) here is just to test that the configuration we made is faultless and the IP configuration is persistent
across reboot. Thanks

Solaris 10 : Zone/Container creation: This post explains some of the basic questions and procedures involved in Zone/container creation.
1) Where will the Container reside?
# mkdir -p /export/zones
2) Configure the Container:
Command zonecfg, located in /usr/sbin like all other Zone Commands, is used to configure the Container.
The Zone name will be sol10zone. Feel free to change the name if desired.
# zonecfg -z sol10zone
sol10zone: No such zone configured (normal message)
Use create to begin configuring a new zone.
zonecfg:sol10zone> create
zonecfg:sol10zone> set zonepath=/export/zones/sol10zone
zonecfg:sol10zone> set autoboot=true
zonecfg:sol10zone> add net
zonecfg:sol10zone:net> set physical=hme0
zonecfg:sol10zone:net> set address=129.148.195.32 (use unique ip address!)
zonecfg:sol10zone:net> end
zonecfg:sol10zone> verify
zonecfg:sol10zone> exit
#
Now your Container is setup but not yet installed with Solaris [TM] 10 OE.
3) Install the Container:
# zoneadm -z sol10zone install
Preparing to install zone .
Creating list of files to copy from the global zone.
Copying files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize packages on the zone.
Initialized packages on zone.
Zone is initialized.
Installation of packages was skipped.

The file contains a log of the zone installation.


Note that zoneadm is located in /usr/sbin as well.

4) Boot the Container:


# zoneadm -z sol10zone boot
5) Connect to the Console of your Container:
# zlogin -C sol10zone
[Connected to zone 'sol10zone' console]
Press return. (can take several mins)
Now, respond to some basic questions of a Solaris [TM] installation, such as:
o Define the Locale
o Define the Term
o Define the TZ
o Define the root password
o Define the Name Service
Once this is done, the Container will perform a final reboot:
rebooting system due to change(s) in /etc/default/init
[NOTICE: Zone rebooting]
SunOS Release 5.10 Version Generic 64-bit
Copyright 1983-2005 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Hostname: sol10zone
sol10zone console login:
6) Log into the Container:
# zlogin -C sol10zone
[Connected to zone 'sol10zone' console]
sol10zone console login: root
Password:
Last login: Wed Feb 9 12:06:08 on console
Feb 9 12:46:23 sol10zone login: ROOT LOGIN /dev/console
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
# ifconfig -a
lo0:1: flags=2001000849 mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
hme0:1: flags=1000843 mtu 1500 index 2
inet 10.16.10.254 netmask ff000000 broadcast 10.255.255.255

# uname -a
SunOS sol10zone 5.10 Generic sun4u sparc SUNW,Ultra-5_10
You are now done.
