Installing PreciseMail In A Solaris Zone


Introduction

One of the major new features in the Solaris 10 operating system is the ability to partition a system into zones. Each zone runs an independent instance of Solaris that is walled off from other zones and from the main operating system. Applications in a zone run on their own virtual machine - they don’t have any knowledge that they’re sharing system resources with applications running in other zones.

This white paper provides step-by-step instructions for installing PreciseMail Anti-Spam Gateway (PMAS) in a Solaris 10 zone. There are several reasons why you might want to run PreciseMail inside a zone at your site:

  • Stability: The zone infrastructure insulates PreciseMail from crashes and system problems caused by other applications. It also prevents interaction problems with other applications.
  • Security: If malicious hackers gain access to one zone on a system, they won’t be able to affect PreciseMail operation from the compromised zone.
  • Cheap fail over: Each zone can be assigned its own IP address and hostname. If you create two identical zones running PreciseMail, one can be designated the primary email system for the site and the other can be designated the backup email system. If a software fault causes the primary zone to be unavailable, the backup zone will process all incoming email without interruption. Note that this helps insulate your site from software faults, but not hardware faults.
  • Per-application load balancing: When you configure a zone, you can specify which disks and network interfaces it will use. If your system has multiple network cards and/or hard disks, you can use this to split network traffic and disk I/O over several devices based on zone.
  • Multiple versions: You can run different versions of PreciseMail on the same system, each in its own zone. For example, you could install a beta version of PreciseMail in a new zone while a released version of PreciseMail filters your site’s mail in another zone. IT staff can test the beta version without having any effect on the production mail stream.

This white paper only covers zone installation for the pass-through proxy version of PreciseMail. Versions of PreciseMail that are integrated with an email server (such as PMDF, Sun Java Enterprise Messaging Server, or Sendmail) run in the same zone as the email server.

Creating A Zone For PreciseMail

To create a Solaris zone for PreciseMail to run in, perform the following steps:

1. Use the uname command to verify that your system is running a version of Solaris that supports zones. The third field in uname’s output should be 5.10 or higher.

$ uname -a
SunOS mneme 5.10 Generic sun4u sparc SUNW,Sun-Fire-V480 Solaris
$

2. Run the zonecfg command with root privileges. The zone in our example is named pmas_zone - you can use any name you like. As expected, zonecfg tells us that there isn’t currently any zone named pmas_zone on the system. Inside the interactive zonecfg utility, type create to begin setting up the new zone.

$ sudo zonecfg -z pmas_zone
pmas_zone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:pmas_zone> create

3. Set the value of autoboot to true. This tells Solaris to automatically start the zone during the system boot process, so PreciseMail won’t require administrative intervention to start after a power failure or a system reboot.

Set the value of zonepath to be a file system location where you want the PreciseMail zone to be located. All of the zone’s files, as well as all of PreciseMail’s files, will be stored there. Make sure that the location has enough disk space to store all of your site’s quarantined email messages. In the example below, /export/disk1 is the mountpoint of a Sun StorEdge S1 disk array that is dedicated to PreciseMail.

zonecfg:pmas_zone> set autoboot=true
zonecfg:pmas_zone> set zonepath=/export/disk1/pmas_zone

4. Use the add net command to set up networking support for the zone. You must specify both an IP address and a physical interface. The IP address must be unique - it can’t be used by any other system on the network (including the underlying operating system on the system that the zone is running on). The physical networking device can be the same as the one used by the underlying operating system.

zonecfg:pmas_zone> add net
zonecfg:pmas_zone:net> set address=10.95.42.45
zonecfg:pmas_zone:net> set physical=bge0
zonecfg:pmas_zone:net> end

5. Now that the basic zone configuration is complete, type info to review the zone’s settings. All of the displayed settings should match the values entered in the previous steps. The inherit-pkg-dir listings contain the names of directories that the PreciseMail zone is going to share with the underlying operating system. Inside the PreciseMail zone, those directories are read-only. Because PreciseMail doesn’t need write access to any of those directories, we can accept the default configuration.

zonecfg:pmas_zone> info
zonepath: /export/disk1/pmas_zone
autoboot: true
pool:
inherit-pkg-dir:
     dir: /lib
inherit-pkg-dir:
     dir: /platform
inherit-pkg-dir:
     dir: /sbin
inherit-pkg-dir:
     dir: /usr
net:
     address: 10.95.42.45
     physical: bge0

6. Type verify to have the system make sure the zone settings are valid, then type commit to write the settings out to disk. Type exit to return to the system prompt.

zonecfg:pmas_zone> verify
zonecfg:pmas_zone> commit
zonecfg:pmas_zone> exit
$

7. As root, run the zoneadm list command to list all configured zones on the system. The zone you just finished creating should be listed, with a status of configured.

$ sudo zoneadm list -cv
  ID NAME             STATUS         PATH
   0 global           running        /
   - pmas_zone        configured     /export/disk1/pmas_zone
$

8. If it doesn’t already exist, create the directory that the zone’s files are going to be located in. (This should be the same directory that you specified during zone creation.) For security reasons, the directory should be accessible only by the root user.

$ sudo mkdir -p /export/disk1/pmas_zone
$ sudo chmod 700 /export/disk1/pmas_zone
$ sudo chown root /export/disk1/pmas_zone
$

9. Use the zoneadm verify command to verify that the system is ready to install an instance of Solaris in the zone you’ve created.

$ sudo zoneadm -z pmas_zone verify
$

10. As root, run zoneadm install to install a new instance of Solaris in the zone. zoneadm will determine which files and packages it needs to install in the new zone, and then copy them in place. This process usually takes 10-20 minutes, depending on the number of files that need to be copied.

$ sudo zoneadm -z pmas_zone install
Preparing to install zone <pmas_zone>.
Creating list of files to copy from the global zone.
Copying <7959> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <947> packages on the zone.
Initialized <947> packages on zone.
Zone <pmas_zone> is initialized.
The file </export/disk1/pmas_zone/root/var/sadm/system/logs/install_log> contains a log of the zone installation.
$

11. Run the zoneadm list command to verify that the zone has been installed. The PreciseMail zone should be listed with a status of installed.

$ sudo zoneadm list -iv
  ID NAME             STATUS         PATH
   0 global           running        /
   - pmas_zone        installed      /export/disk1/pmas_zone
$

12. Boot the zone’s virtual machine by running zoneadm boot as the root user. The Solaris boot process for a zone is roughly the same as the boot process for a regular non-zone system, and usually takes a few minutes to perform.

$ sudo zoneadm -z pmas_zone boot
$

13. As root, run zoneadm list to verify that the zone has been booted. The PreciseMail zone should be listed with a status of running.

$ sudo zoneadm list -v
  ID NAME             STATUS         PATH
   0 global           running        /
   1 pmas_zone        running        /export/disk1/pmas_zone
$

14. Use the zlogin command to connect to the zone’s console. You must have root privileges to run this command. Once you’re connected to the zone’s console, you’ll be asked to go through a set of standard Solaris system identification questions. The questions and their format are exactly the same as the questions you’re asked during the Solaris 10 installation process. After you’ve finished with the system identification questions, the zone will reboot. (Note that the underlying operating system, hardware, and any other zones on the system are not affected by this reboot. Only the zone that’s being configured reboots.)

$ sudo zlogin -C pmas_zone
[...]
rebooting system due to change(s) in /etc/default/init

15. When the zone finishes rebooting, it will present you with a console login prompt. Log in as root, using the password you specified in the previous step. At this point, the zone is fully operational. You can add users, perform site-specific customizations, and install third-party software.

SunOS Release 5.10 Version Generic 64-bit
Copyright 1983-2005 Sun Microsystems, Inc. All rights reserved.
Hostname: clio.process.com

clio.process.com console login: root
Password: ******

Nov 15 15:33:14 clio.process.com login: ROOT LOGIN /dev/console
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
#
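
Steps 2 through 6 can also be applied non-interactively by passing zonecfg a command file with its -f option, and the status checks in steps 7, 11 and 13 can be scripted. The following is an added example, not part of the original white paper; the function names (valid_ipv4, zonecfg_script, zone_state, sample_listing) are hypothetical, the listing is constructed sample data, and a POSIX shell such as ksh or bash is assumed.

```shell
# Added example, not from the white paper; function names are hypothetical.

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# zonecfg_script NAME ZONEPATH ADDRESS NIC: print a zonecfg command file with
# the settings from steps 2-6; odd characters that could add subcommands fail.
zonecfg_script() {
    case "$1" in ''|global|[!A-Za-z0-9]*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$2" in ''|[!/]*|*[!A-Za-z0-9/._-]*) return 1 ;; esac
    valid_ipv4 "$3" || return 1
    case "$4" in ''|*[!A-Za-z0-9]*) return 1 ;; esac
    cat <<EOF
create
set autoboot=true
set zonepath=$2
add net
set address=$3
set physical=$4
end
verify
commit
EOF
}

# zone_state NAME: read `zoneadm list -cv` output on stdin and print the
# STATUS column for NAME; fail if the zone is not listed.
zone_state() {
    while read -r _id name status _path; do
        [ "$name" = "$1" ] && { echo "$status"; return 0; }
    done
    return 1
}

# Constructed sample of the listing shown in step 7.
sample_listing() {
    printf '%s\n' '  ID NAME             STATUS         PATH' \
        '   0 global           running        /' \
        '   - pmas_zone        configured     /export/disk1/pmas_zone'
}
```

On the Solaris host, redirect the output of zonecfg_script to a file and pass that file to zonecfg -z pmas_zone -f as root, then pipe zoneadm list -cv into zone_state pmas_zone and compare the result with the status each step expects.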

Installing PreciseMail In The Zone

Now that the zone is operational, the PreciseMail proxy can be installed. Connect directly to the zone using ssh or telnet, and run the pkgadd command as root. Follow the instructions in the PreciseMail Anti-Spam Gateway Installation Guide for Solaris - you don’t need to do anything differently when installing PreciseMail in a Solaris zone.

$ sudo pkgadd -d .

The following packages are available:
        1 PMAS      PreciseMail Anti-Spam Gateway (Proxy)
                            (sparc) 2.3

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: 1

Processing package instance <PMAS> from </export/home/lamont>

PreciseMail Anti-Spam Gateway (Proxy)(sparc) 2.3
        Copyright (c) 2005 Process Software, LLC. All rights reserved.

Configuring PreciseMail Directories
-----------------------------------

PreciseMail places its files in a private directory structure. This
directory structure can be located on any disk, but the disk must have
sufficient free space to hold all of the PreciseMail images, temporary
files, and log files.

A symbolic link will be created that links '/pmas' to the
directory that you specify. For example, if you specify
'/opt/pmas' as the installation location, a directory
'/opt/pmas' will be created and a symbolic link will be created
that links '/pmas' to '/opt/pmas'.

Under which directory will PreciseMail be installed: [?,q] /opt/pmas
Using </> as the package base directory.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.

[...]

Installation of <PMAS> was successful.
$

Install Apache (or your web server of choice) in the zone to provide support for the PreciseMail web-based user interface. If you’re using the version of Apache that is included in the Solaris 10 distribution, it should already be installed in the zone.

When you’re configuring the PreciseMail proxy, remember to configure it with the zone’s hostname - not the hostname of the system that the zone is running on. The hostname of the system used for the examples in this paper is mneme.process.com, and the hostname assigned to the PreciseMail zone is clio.process.com. When configuring the PreciseMail proxy in this example, the hostname clio.process.com was used.

After you’ve finished configuring PreciseMail for your site, start the proxy by running the pmas start script as root.

$ sudo /etc/init.d/pmas start
$

You can use the ps command to verify that the PreciseMail proxy is running inside the zone.

$ ps -ef | grep ptsmtp
root 14766 14575 0 16:26:28 ? 0:00 /pmas/bin/ptsmtp
$

About PreciseMail Anti-Spam Gateway

PreciseMail Anti-Spam Gateway is an enterprise software solution that eliminates spam, phishing and virus threats at the Internet gateway or mail server. It has a proven 98% spam detection accuracy rate out-of-the-box without filtering legitimate messages. PreciseMail Anti-Spam Gateway has a highly sophisticated filtering engine based on a combination of proven heuristic, DNS blacklisting, and Bayesian artificial intelligence technologies, which automatically learn how to separate spam messages from legitimate email. As a result, PreciseMail Anti-Spam Gateway can determine whether email is spam instead of passively reacting to known spammers by creating rules that block them after a spam attack occurs.

About Process Software

Process Software is a premier supplier of communications software solutions to mission critical environments. With over 20 years in business, we were early innovators of email software and anti-spam technology. Process Software has a proven track record of success with thousands of customers, including many Global 2000 and Fortune 1000 companies.

 

 
