Sync users on cluster nodes and Solaris zones?

ant_oco
Level 2

We're implementing a 4 node VCS cluster (Sun servers) with multiple Solaris zones in operation within the various service groups. The zones will fail over from node to node as required under the control of VCS.

Are there any recommended utilities or best practice procedures to ensure that all users, groups, UIDs, GIDs and related info are kept in sync across the various physical server nodes and virtual zones within the cluster?

Any pointers appreciated.

1 ACCEPTED SOLUTION

joseph_dangelo
Level 6
Employee Accredited

The best reference for Solaris Zones relative to Storage Foundation HA is the Solaris Virtualization Guide.
https://sort.symantec.com/public/documents/sfha/5.1sp1/solaris/productguides/pdf/sfha_virtualization...

As far as maintaining consistency, one thing to consider here is the two methods used to implement zones for high availability.

1. Shared Zone Root with Zone and Application Failover
2. Local Zone Root with Application Failover Only

In the first example, a non-global zone will be essentially portable and subject to patching considerations when detached and attached to a different Global Zone/Physical host. This can be advantageous if your concern is in the number of "Operating/User Environments" and keeping that number to a minimum. Also, with the use of CFS for a Zone root, you can completely remove the delay associated with failing over the zone root storage. One other advantage here is in the ability to create a "Golden Zone Image" (one that has not been configured) and use FlashSnap to provision new environments very quickly. The disadvantage here is that you must be cognisant of the patch level on each Global Zone and avoid patch drift between the Global and Non-Global zones. The zone detach feature introduced in Solaris 10 8/07 can be as much a help as it is a hindrance in my opinion.

The second example will mitigate all patching concerns as the zone root itself is not "portable" but rather localized to the physical host. This could still be a VxFS file system but not one that would be deported or imported on a regular basis. The VCS configuration here would simply localize the Zone Name attribute in the ContainerInfo property for the service group to each Global Zone and thus only the application would fail over. This would require an independent zone for each physical host and as such you would be required to maintain user accounts accordingly. Keeping those users consistent can in some cases be as simple as LDAP. I've seen customers implement directory services in such a way as to remediate that issue.

Hope this helps.

Joe D

3 REPLIES 3

ant_oco
Level 2

Thanks for that. Useful input.

joseph_dangelo
Level 6
Employee Accredited

You are very welcome.