Question & Answer
Question
Answer
All zones share the single kernel that runs in the Global Zone. Because the kernel is shared, applications that need their own kernel modules present a special challenge: those modules must be installed in the Global Zone.
Guardium S-TAP is one such application and requires special handling when installed in a zoned Solaris Operating Environment. S-TAP includes a kernel component, K-TAP, which, being a kernel module, must be installed in the Global Zone. This leads to the following special situations:
2. S-TAP inspection engines require the IP address of the database server host to which they connect.
3. S-TAP inspection engines require the path of the database server executable.
By default, S-TAP connects to the loopback address 127.0.0.1. This does not work when the database server is installed in a non-Global Zone, because the loopback address refers to the "local host", which in this case is the Global Zone.
Obtain the IP address of the non-Global zone by running "ifconfig -a" in the Global Zone. For example, to intercept database traffic for a database server installed in the zone "dbserver01":
#ifconfig -a
....
....
hme0:1: flags=1000843 mtu 1500 index 2
zone dbserver01
inet 192.168.1.201 netmask ffffff00 broadcast 192.168.1.255
....
....
zone dbserver02
inet 192.168.1.202 netmask ffffff00 broadcast 192.168.1.255
The IP address of the zone "dbserver01" is 192.168.1.201. S-TAP must connect to this IP address rather than 127.0.0.1 in order to intercept database traffic to and from the "dbserver01" zone.
When adding the inspection engine via the S-TAP Control page in the GUI, or when directly editing the guard_tap.ini file, change:
[DB_0]
connect_to_ip=127.0.0.1
to
[DB_0]
connect_to_ip=192.168.1.201
Each zone is a self-contained operating environment, so a path inside a particular zone is specific to that zone. For instance, /opt/IBM/informix/11.70.UC3 can exist in every zone, and each is a different directory.
Since S-TAP is installed in the Global zone, the database executable in the non-Global zone must be accessible from the Global zone. If the file system of the non-Global zone is mounted from outside via mechanisms like NFS, the mounted location must carry the permissions needed for access from the Global zone. Otherwise, the S-TAP initially shows green in the collector GUI, then turns red and stays red.
Since each non-Global zone is a virtualized environment, paths inside a non-Global zone are accessible from the Global zone via a "zone path prefix". The Solaris command "zoneadm" lists the prefixes of the various zones. For example, from the Global zone:
#zoneadm list -cv
ID NAME STATUS PATH
0 global running /
2 dbserver01 running /data/zones/dbserver01
3 dbserver02 running /data/zones/dbserver02
In this example output there are two non-Global zones, dbserver01 and dbserver02. The file tree inside each zone is reachable from the Global zone under /data/zones/dbserver01 and /data/zones/dbserver02 respectively. If the database server of interest is installed in /opt/IBM/informix/11.70.UC3 in the zone dbserver01, the full path to that directory from the Global zone is:
- /data/zones/dbserver01/root//opt/IBM/informix/11.70.UC3
Note the directory node "root" that sits between the zone path prefix and the install path inside the zone. (The doubled slash is harmless; path resolution treats consecutive slashes as one.) When specifying the path to the database server executable and the install path to S-TAP, this full zone-relative path as seen from the Global zone must be used. For example:
[DB_1]
connect_to_ip=192.168.1.201
…
…
# Path to the database server executable
db_exec_file=/data/zones/dbserver01/root//opt/IBM/informix/11.70.UC3/bin/oninit
# Path to the database server installation
db_install_dir=/data/zones/dbserver01/root//opt/IBM/informix/11.70.UC3
…
…
Monitoring multiple non-Global Zones
Database servers in multiple non-Global zones can be monitored by creating a separate DB section in guard_tap.ini for each of them. Based on the example above, to monitor dbserver02 as well, the additional DB section would be:
[DB_2]
connect_to_ip=192.168.1.202
…
…
# Path to the database server executable
db_exec_file=/data/zones/dbserver02/root//opt/IBM/informix/11.70.UC3/bin/oninit
# Path to the database server installation
db_install_dir=/data/zones/dbserver02/root//opt/IBM/informix/11.70.UC3
…
…
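The three steps above (find the zone's IP address, find its zone path, insert the "root" node and write the [DB_n] section) can be scripted from the Global Zone. The following POSIX shell script is an added worked example, not code from this technote or from Guardium. The ifconfig and zoneadm outputs in it are constructed sample text matching the technote's zones; the Global Zone's own address 192.168.1.200 and the lo0/hme0 flag values are assumptions. It also adds the check a practitioner wants before committing the config: check_db_exec confirms the executable is really reachable from the Global Zone, which is the condition whose failure the technote describes as the S-TAP going green and then red.

```shell
#!/bin/sh
# Added example, not part of the IBM technote: derive the connect_to_ip,
# db_exec_file and db_install_dir values of an S-TAP [DB_n] section for a
# database running in a non-Global zone, as seen from the Global Zone.
#
# The two command outputs below are CONSTRUCTED to match the technote's
# example (zones dbserver01/dbserver02 on 192.168.1.201/.202, zonepaths
# under /data/zones). On a real Solaris Global Zone replace them with the
# live output:  IFCONFIG_OUT=$(ifconfig -a); ZONEADM_OUT=$(zoneadm list -cv)
IFCONFIG_OUT='lo0: flags=2001000849 mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843 mtu 1500 index 2
        inet 192.168.1.200 netmask ffffff00 broadcast 192.168.1.255
hme0:1: flags=1000843 mtu 1500 index 2
        zone dbserver01
        inet 192.168.1.201 netmask ffffff00 broadcast 192.168.1.255
hme0:2: flags=1000843 mtu 1500 index 2
        zone dbserver02
        inet 192.168.1.202 netmask ffffff00 broadcast 192.168.1.255'

ZONEADM_OUT='  ID NAME             STATUS     PATH
   0 global           running    /
   2 dbserver01       running    /data/zones/dbserver01
   3 dbserver02       running    /data/zones/dbserver02'

# zone_ip <zone>: IP address of the zone's interface as `ifconfig -a` shows it
# from the Global Zone. The "zone NAME" line sits between the interface header
# ("hme0:1: flags=...") and that interface's "inet" line.
zone_ip() {
    printf '%s\n' "$IFCONFIG_OUT" | awk -v z="$1" '
        $1 ~ /:$/               { inzone = 0 }          # new interface header
        $1 == "zone" && $2 == z { inzone = 1; next }    # header of the wanted zone
        inzone && $1 == "inet"  { print $2; exit }'     # its address
}

# zone_path <zone>: the PATH column of `zoneadm list -cv` for that zone.
zone_path() {
    printf '%s\n' "$ZONEADM_OUT" | awk -v z="$1" '$2 == z { print $4; exit }'
}

# global_path <zone> <absolute path inside the zone>: the same file as seen
# from the Global Zone. The zone's file tree hangs off <zonepath>/root, so
# the "root" node is inserted between zonepath and in-zone path.
global_path() {
    zp=$(zone_path "$1")
    [ -n "$zp" ] || return 1
    printf '%s/root%s\n' "$zp" "$2"
}

# check_db_exec <Global-Zone path>: S-TAP runs in the Global Zone, so the
# executable must be readable through this path from there. If the zone's
# file system is NFS-mounted without access for the Global Zone, the file
# exists inside the zone but not for S-TAP, which then shows green and later
# red in the collector GUI. Catch that here instead.
check_db_exec() {
    if [ ! -f "$1" ]; then
        echo "db_exec_file not found from the Global Zone: $1" >&2; return 1
    fi
    if [ ! -r "$1" ]; then
        echo "db_exec_file not readable from the Global Zone: $1" >&2; return 1
    fi
    return 0
}

# db_section <n> <zone> <in-zone install dir> <in-zone executable>:
# print the [DB_n] fragment for guard_tap.ini. Fails if the zone is unknown.
db_section() {
    ip=$(zone_ip "$2")
    [ -n "$ip" ] || { echo "zone $2: no address in ifconfig -a output" >&2; return 1; }
    inst=$(global_path "$2" "$3") || { echo "zone $2: not in zoneadm output" >&2; return 1; }
    exe=$(global_path "$2" "$4") || return 1
    printf '[DB_%s]\nconnect_to_ip=%s\ndb_exec_file=%s\ndb_install_dir=%s\n' \
        "$1" "$ip" "$exe" "$inst"
}

# One section per monitored zone, as in the technote's DB_1 / DB_2 example.
INFORMIX=/opt/IBM/informix/11.70.UC3
db_section 1 dbserver01 "$INFORMIX" "$INFORMIX/bin/oninit"
echo
db_section 2 dbserver02 "$INFORMIX" "$INFORMIX/bin/oninit"
```

The script writes root/opt/... with a single slash where the technote shows root//opt/...; both name the same file, since path resolution collapses consecutive slashes. Run it as root in the Global Zone after swapping in the live command output, run check_db_exec on each db_exec_file value it prints, and then paste the fragments into guard_tap.ini (or enter the same values on the S-TAP Control page).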
Monitoring databases using the same port on some non-Global Zones but not others
Extra configuration is required in this specific situation:
- Databases in different non-Global zones use the same database port
- Traffic from some of these databases, but not all of them, is to be monitored
In that case:
- Set up inspection engines for the databases that require monitoring, as described in this technote
- Set ktap_fast_tcp_verdict=0 in guard_tap.ini and restart S-TAP
In summary:
- Install GIM (if used) and S-TAP in the Global Zone.
- Set the S-TAP inspection engine parameter "connect_to_ip" to the IP address of the non-Global zone.
- Set the S-TAP inspection engine parameters "db_exec_file" and "db_install_dir" to the full path as accessed from the Global zone.
- Databases in multiple non-Global zones can be monitored by creating a separate DB section for each.
Document Information
Modified date: 23 February 2021
UID: swg21507773