Sun, in Solaris 10, introduced a new feature called Zones, or Containers, which is a partitioning technology used to virtualize operating system services and provide an isolated and secure environment for running applications. There are two types of non-global zone root file system models: sparse and whole root. The sparse root zone model optimizes the sharing of objects while the whole root zone model provides the maximum configurability.
Important QAS setup information for installing in a Solaris 10 Zones configuration:
1 - Time Synchronization configurations.
Time synchronization is a requirement of the Kerberos protocol, and since QAS is built on Kerberos, QAS has this requirement as well. In Solaris 10 Zones, only the global zone is permitted to do time synchronization; therefore, if you want to run QAS in any Solaris Zone configuration, the Global Zone must be time-synchronized with Active Directory (AD). Since the Global Zone time controls the time in the other zones, we recommend disabling time synchronization in the other zones.
To disable time synchronization for QAS on the sparse zone, run the below command:
# /opt/quest/bin/vastool configure vas vasd timesync-interval 0
2 - The same version of QAS should be installed in any combination of global, whole root and sparse root configurations.
3 - The following symlinks must exist in the global zone in order for the sparse zones to work correctly:
For QAS 3.x run the following in the Global Zone:
# ln -s /opt/quest/lib/nss/nss_vas3.so.1 /usr/lib/nss_vas3.so.1
# ln -s /opt/quest/lib/nss/sparcv9/nss_vas3.so.1 /usr/lib/sparcv9/nss_vas3.so.1
# ln -s /opt/quest/lib/security/pam_vas3.so /usr/lib/security/pam_vas3.so
# ln -s /opt/quest/lib/security/sparcv9/pam_vas3.so /usr/lib/security/sparcv9/pam_vas3.so
For QAS 4.x run the following in the Global zone:
# ln -s /opt/quest/usr/lib/security/pam_vas3.so /usr/lib/security/pam_vas3.so
# ln -s /opt/quest/usr/lib/security/sparcv9/pam_vas3.so /usr/lib/security/sparcv9/pam_vas3.so
If /usr is shared, you need the following symlinks in the global zone pointing to counterpart files in /opt/quest/lib:
# ln -s /opt/quest/lib/nss/nss_vas4.so.1 /usr/lib/nss_vas4.so.1
# ln -s /opt/quest/usr/lib/security/pam_vas3.so /usr/lib/security/pam_vas3.so
4 - When attempting to join the domain with QAS in the sparse zone, the join will not complete successfully; this is to be expected. The join will end with the following error, after which the remaining steps are completed manually:
Configuring Name Service Switch ... ERROR: NSS configuraton failed
* Add the QAS name service entry to the /etc/nsswitch.conf by running the following:
# /opt/quest/bin/vastool configure nss
* Configure PAM in the sparse root zone by running the following:
# /opt/quest/bin/vastool configure pam
* Start vasd manually, using the init script.
* Vasd will need to be integrated into SMF by running the following command:
# /usr/sbin/svccfg import /opt/quest/libexec/vas/manifest/vasd.xml
5 - The installation of QAS into a sparse root zone must use add inherit-pkg-dir on /opt/quest. Each zone must have its own unique copy of /etc and /var; therefore, they should not be shared.
To see what is configured, run the following command in the global zone:
$ zonecfg -z <zonename> info
The above should show what is shared and what is not.
Show path where other files are stored for the sparse
Show where /etc is for the sparse
Moving from VAS 3.X to QAS 4.0
For Solaris Sparse root zones where the global zone is NOT joined.
Because of file name and location changes, moving from VAS 3.X to QAS 4.0 requires running the following in the global zone:
# rm /usr/lib/nss_vas3.so.1 /usr/lib/security/pam_vas3.so /usr/lib/security/sparcv9/pam_vas3.so /usr/lib/sparcv9/nss_vas3.so.1
# ln -s /opt/quest/lib/nss/nss_vas4.so.1 /usr/lib/nss_vas4.so.1
# ln -s /opt/quest/lib/nss/sparcv9/nss_vas4.so.1 /usr/lib/sparcv9/nss_vas4.so.1
# ln -s /opt/quest/usr/lib/security/pam_vas3.so /usr/lib/security/pam_vas3.so
# ln -s /opt/quest/usr/lib/security/sparcv9/pam_vas3.so /usr/lib/security/sparcv9/pam_vas3.so
The nss module was changed from vas3 to vas4, and the location of pam_vas3.so changed from /opt/quest/lib/... to /opt/quest/usr/lib/...
Because the file name is the same but the location is different, VAS 3.x and QAS 4.x cannot co-exist on the same system in different zones if the zones are sparse root zones. (They can if they are whole root zones.)
To upgrade, Quest suggests opening a connection to each zone, upgrading the global zone using ./install.sh -q upgrade, running the above commands, and then upgrading the zones.
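The symlink layout produced by the migration commands above can be audited from the global zone before the zones are upgraded. The script below is an added example, not Quest's tooling or part of the original article; the function names and the optional ROOT prefix argument (used to test against a scratch directory) are assumptions.

```shell
#!/bin/sh
# Added example (not Quest tooling). POSIX shell: on Solaris 10 run it with
# /usr/xpg4/bin/sh or ksh. ROOT is a hypothetical prefix for scratch-dir tests;
# leave it empty to audit the live global zone: check_qas4_links

# Print a symlink's target by parsing `ls -l` output (no readlink dependency).
link_target() {
    ls -ld "$1" 2>/dev/null | sed -n 's/^.* -> //p'
}

# check_qas4_links [ROOT]: one finding per line, return status = problem count.
check_qas4_links() {
    root=${1:-}
    problems=0

    # Link/target pairs copied from the migration commands on this page.
    set -- \
        /usr/lib/nss_vas4.so.1 /opt/quest/lib/nss/nss_vas4.so.1 \
        /usr/lib/sparcv9/nss_vas4.so.1 /opt/quest/lib/nss/sparcv9/nss_vas4.so.1 \
        /usr/lib/security/pam_vas3.so /opt/quest/usr/lib/security/pam_vas3.so \
        /usr/lib/security/sparcv9/pam_vas3.so /opt/quest/usr/lib/security/sparcv9/pam_vas3.so
    while [ $# -ge 2 ]; do
        link=$1 want=$2
        shift 2
        if [ ! -h "$root$link" ]; then
            echo "MISSING  $link (not a symlink)"
            problems=$((problems + 1))
            continue
        fi
        have=$(link_target "$root$link")
        if [ "$have" != "$want" ]; then
            # Same link name, old 3.x location: the case the page warns about.
            echo "WRONG    $link -> $have (expected $want)"
            problems=$((problems + 1))
        elif [ ! -f "$root$want" ]; then
            echo "DANGLING $link -> $want"
            problems=$((problems + 1))
        fi
    done

    # The 3.x NSS links are removed by the migration and must not linger.
    for old in /usr/lib/nss_vas3.so.1 /usr/lib/sparcv9/nss_vas3.so.1; do
        if [ -h "$root$old" ] || [ -f "$root$old" ]; then
            echo "STALE    $old"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

A non-zero return means the PAM or NSS module path that privileged login services will load is not the one the QAS 4.x install expects.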