Solaris: Install and Upgrade with CLI and VEN CTL
The following topic describes how to install the Solaris VEN by using packaging technology commands and the VEN CTL.
The VEN for Solaris supports two different Solaris machine architectures: SPARC and x86_64. The installation and upgrade steps for both machine architectures are identical but each architecture uses its own VEN package file.
Limitations and Requirements
General
In Illumio Core 19.3.1 and later releases, the Solaris VEN supports Solaris zones.
By default, the Solaris VEN is installed in the following directories:
/opt/illumio_ven
/opt/illumio_ven_data
Installing the Solaris VEN in a custom directory is not supported. Do not change the default installation directory for the Solaris VEN or the Solaris VEN installation will fail.
Installing or activating the Solaris VEN on a workload running an LDAP client can take longer than on other workloads without an LDAP client.
The Solaris VEN requires the bash shell and the Solaris XCU4 utilities (POSIX-compliant tools) to be installed on the Solaris host. Verify that both are installed on the host. The XCU4 utilities are installed by the Solaris SUNWxcu4 package, typically in the /usr/xpg4/bin/ directory. See the Oracle Solaris documentation for information about installing the XCU4 utilities.
IP Filter (Solaris version 11.3 and earlier)
Avoid making any changes to packet filtering with Packet Filter. Do not use Packet Filter while VEN software is installed.
The Solaris system's firewall state table limit is 65,536 entries. When that limit is reached, IP Filter drops packets. If you anticipate a high number of network connections, configure higher limits in the IP Filter state table. See "Tuning the IP Filter State Table (AIX/Solaris)" in the VEN Administration Guide.
Important
In Solaris 11.4, Packet Filter replaces IP Filter. When installing the VEN on Solaris 11.4, Illumio only supports Packet Filter. IP Filter is not supported in branded zones starting with Solaris 11.4.
Change Default Username
You can set an environment variable to change the username that owns the non-privileged portions of the installed software. The privileged portions of the installed software are always owned by root, and the software can only be run as root.
Environment Variable | Description |
---|---|
VEN_NONPRIV_USER | Existing username to override the default username |
You can reset this environment variable in your customized Solaris Response file or at a prompt during interactive installation.
About Solaris 11.4 Support
Prior to 11.4, Solaris used IP Filter as the firewall. In Solaris 11.4, Packet Filter is the only supported firewall.
The following details apply to Solaris 11.4 support by the VEN:
Support for Solaris 11.4 does not change the VEN installation or upgrade process on Solaris workloads; if you've written installation scripts, they don't require updates. Package installation remains the same for 11.4 as for earlier supported versions of Solaris.
Packet Filter support does not impact the PCE; viewing a workload that is running Solaris 11.4 in the PCE web console does not change. You can view all the workload details. Creating policy for workloads running Solaris 11.4 does not change.
Packet Filter does not support customizable table sizes. However, state tables in Solaris 11.4 use a 1 million state table size.
Important
For the complete list of all Solaris versions supported by the VEN in this release, see OS Support and Package Dependencies on the Illumio Support portal.
About the Solaris Response and Admin Files
In addition to the Solaris VEN, the VEN package includes two files to help with VEN installation on Solaris hosts: the Solaris Administration and Response files. For more information about these files, see Avoiding User Interaction When Adding Packages (pkgadd) in the Oracle Solaris Administration Guide.
Solaris Administration File
The Solaris Administration file contains information about how the VEN installation or upgrade should proceed on the Solaris host. To perform a non-interactive VEN installation or upgrade (the VEN installation script will not prompt for settings when it runs), you must customize the Administration file.
In addition to settings, the file contains commented-out instructions for changing the settings.
Caution
If you choose to provide custom values in the Administration file, you must delete these commented-out lines or the VEN installation or upgrade will fail. Commented-out lines in a Solaris Administration file are not supported with the Solaris pkgadd command.
```
# This file is used in case of upgradation
# instance=ask allows multiple instance of the same software to be installed
# and hence the UPDATE flag is passed to us in procedural scripts of IPS.
mail=
instance=ask
partial=ask
runlevel=ask
# Require that our dependencies are met when installing.
idepend=quit
# However, if someone tries to uninstall us but another package depends on us,
# we should just warn them & ask if they want to proceed anyway.
rdepend=ask
space=ask
setuid=ask
conflict=ask
action=nocheck
networktimeout=60
networkretries=3
authentication=quit
keystore=/var/sadm/security
proxy=
basedir=default
```
Solaris Response File
The VEN package includes a template for the Solaris Response file. The template contains the environment variables that you can set when installing and upgrading the Solaris VEN.
In addition to the available environment variables, the template contains commented-out instructions for providing custom values for variables.
Caution
If you choose to provide custom values in the Response file, you must delete these commented-out lines or the VEN installation or upgrade will fail. Commented-out lines in a Solaris Response file are not supported with the Solaris pkgadd command.
```
#Parameter : VEN_NONPRIV_USER
#Type : String
#Description : VEN non-privileged user. If unspecified (VEN_NONPRIV_USER=""), then the
#   default account "ilo-ven" is used. If that account does not exist on the system, it is
#   created automatically. If specified (VEN_NONPRIV_USER="foo"), the provided account is
#   used. If that account does not exist on the system, then the installer fails. All
#   non-root-owned files that the VEN creates are owned by that user and that user's
#   primary group. For further information about this feature, refer to the Illumio VEN
#   deployment documentation.
VEN_NONPRIV_USER=""

#Parameter : VEN_PKI_CLIENT_CERT
#Type : String
#Description : PKI (public key infrastructure) authentication certificate. Use with
#   VEN_PKI_CLIENT_KEY. When specified, these fields are appended to runtime_env.yml.
#   Then, they may be used to activate the VEN. I.e.,
#   ``$ /opt/illumio_ven/illumio-ven-ctl activate'' uses these fields to authenticate
#   the VEN with the PCE.
VEN_PKI_CLIENT_CERT=""
VEN_PKI_CLIENT_KEY=""
VEN_KERBEROS_MANAGEMENT_SERVER_SPN=""
VEN_KERBEROS_LIBRARY_PATH=""
VEN_ACTIVATION_CODE=""
VEN_MANAGEMENT_SERVER=""
VEN_INSTALL_ACTION=""

#Parameter : VEN_NO_SUSPEND
#Type : Number
#Description : Custom setting to disable suspend. 1 - disable, 0 - default
VEN_NO_SUSPEND=0
```
If you leave the Response file as is, the VEN installation script uses the default values for these environment variables: it displays them at the prompts during an interactive installation, or applies them silently during a non-interactive installation (when you are using the Administration file).
To Use Customized Response and Administration Files
To customize the Response and Administration file for your Solaris VEN installation or upgrade, perform these steps:
Extract the Response and Administration files from the VEN package. See Installation Preparation for information.
Copy and rename the files from the following directories for your machine architecture:
```
sudo bash
# cp illumio-ven/root/opt/illumio_ven/etc/templates/admin /tmp/admin.custom
# cp illumio-ven/root/opt/illumio_ven/etc/templates/response /tmp/response.custom
```
This command example copies the files to the /tmp directory; however, you can copy the files to any directory.
Edit the files to set your own values. See Solaris Response File and Solaris Administration File for the requirements when customizing these files.
Installation Preparation
Download the VEN package from the Illumio Support portal. See the "Obtain the VEN Packages" topic for information.
The Solaris VEN software downloaded from the Illumio Support portal is provided as a compressed tar archive file that contains one file for each of the supported Solaris machine architectures: SPARC and x86_64:
illumio-ven-<ven_version>.sol5.sparc.pkg
illumio-ven-<ven_version>.sol5.i386.pkg
Extract the Solaris VEN software:
```
# gunzip illumio-ven-<ven_version>.<architecture>.pkg.tgz
# tar -xvf illumio-ven-<ven_version>.<architecture>.pkg.tar
```
Install your trusted root CA certificate in the following directory with this exact specified filename:
/etc/certs/ca-certificates.crt
Ways to Install the Solaris VEN
You can install the Solaris VEN by running the Solaris pkgadd command and the interactive VEN installation script; this is referred to as a “basic” installation in this topic.
Alternatively, you can use a Solaris Administration file or Solaris Response file (or both) to perform a non-interactive installation, set custom installation values, or both; this is referred to as an “advanced” installation in this topic.
Behavior During Each Type of Installation
SOLARIS FILES | BEHAVIOR |
---|---|
None | The VEN installation script performs a basic installation wherein you are prompted to set installation values or accept the default values. |
Administration file only | The VEN installation script runs without prompting you for installation values (non-interactive) and uses only the default installation values; you cannot specify custom values. |
Response file only | The VEN installation script launches an interactive installation; however, the prompts contain your custom values or the default value if not set. Press Enter to accept. |
Both Administration and Response files | The VEN installation script runs without prompting you for installation values (non-interactive) and uses your custom values or the default value if not set. This method is the most automated of all the ways to install the Solaris VEN. |
Basic Installation
Complete the tasks to prepare for Solaris VEN installation. See Installation Preparation for information.
To install the Solaris VEN, enter the following command:
# pkgadd -d . illumio-ven-<ven_version>.<architecture>.pkg
Important
When installing the Solaris VEN, enter the correct package for the Solaris machine architecture (SPARC or x86_64) you want to install:
illumio-ven-<ven_version>.sol5.sparc.pkg
illumio-ven-<ven_version>.sol5.i386.pkg
The interactive VEN installation script starts.
Provide custom VEN installation and configuration values at the prompts or accept the defaults.
Solaris VEN installation is complete. The next step is to activate the Solaris VEN.
Advanced Installation
Complete the tasks to prepare for Solaris VEN installation. See Installation Preparation for information.
Prepare the Solaris Administration and Response files for use in the installation. See To Use Customized Response and Administration Files for information.
Enter the following command to perform a customized, non-interactive installation:
# pkgadd -d . -a /tmp/admin.custom -r /tmp/response.custom illumio-ven-<ven_version>.<architecture>.pkg
Where the paths to the customized Administration and the Response files are the same ones you created when you extracted and copied them locally or to a network share. See To Use Customized Response and Administration Files for information.
Important
When installing the Solaris VEN, enter the correct package for the Solaris machine architecture (SPARC or x86_64) you want to install:
illumio-ven-<ven_version>.sol5.sparc.pkg
illumio-ven-<ven_version>.sol5.i386.pkg
Solaris VEN installation is complete. The next step is to activate the Solaris VEN.
Activate a Solaris VEN After Installation
After installing the VEN package on the Solaris host, activate the VEN with the Illumio VEN CTL (illumio-ven-ctl). The --activate option activates the workload and pairs the Solaris VEN with the PCE.
Tip
You can activate the Solaris VEN by using the VEN CTL or by specifying the values in the appropriate environment variables in the Solaris Response file. See Solaris Response File for information.
Note
Activating the Solaris VEN on a workload that is running an LDAP client can take longer than on workloads not using LDAP.
At a minimum, to activate the Solaris VEN using the VEN CTL, you need the hostname or IP address of the PCE, an activation code (called a pairing key in the PCE web console) generated from a pairing profile, and any other available options, such as the workload policy state, label assignment, workload name, and more.
The following example shows how to activate the VEN and set its policy state to Illuminated:
# /opt/illumio_ven/illumio-ven-ctl activate --activation-code <code> --management-server <fqdn:port>
Upgrade the Solaris VEN
Important
Illumio strongly recommends that you upgrade VENs only during maintenance windows.
Note
If the VEN was activated prior to the upgrade, it does not need to be activated again after the upgrade completes.
Illumio supports both Solaris machine architectures: SPARC and x86_64. The upgrade steps for both machine architectures are identical but each architecture uses its own VEN package file.
For the supported upgrade paths for the Solaris VEN, see Upgrade VEN on the Illumio Support portal (login required).
Requirement: To upgrade the Solaris VEN, you must perform the upgrade by using the Solaris Administration file. Using the Response file with the upgrade is optional.
Download the new version of the VEN package from the Illumio Support site. See "Obtain the VEN Packages" for information.
Extract the Solaris VEN software. See Installation Preparation for information.
Prepare the Solaris Administration file for the upgrade. See To Use Customized Response and Administration Files for information.
At a minimum, you must set the following values in the Administration file for the upgrade:
```
mail=
instance=overwrite
conflict=nocheck
action=nocheck
```
Stop the VEN if it's running:
illumio-ven-ctl stop
Enter the following command to perform a non-interactive installation:
# pkgadd -d . -a /tmp/admin.custom illumio-ven-<ven_version>.<architecture>.pkg
Where the path to the customized Administration file is the same one you created when you extracted and copied it locally or to a network share.
Note
If you also need to customize settings for the upgrade, use a customized Response file for the upgrade and include the -r argument in the upgrade command; for example: -r /tmp/response.custom. See Solaris Response File for information.
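Added example, not Illumio's code or a file from the VEN package: a POSIX sh helper that turns the Administration and Response templates into pkgadd-ready files by deleting the commented-out lines that the Cautions above say pkgadd rejects, sets the minimum Administration values the upgrade requires, and overrides VEN_NONPRIV_USER. The template contents, the work directory and the user name venuser are constructed assumptions.

```shell
# Added example, not Illumio's code: turn the VEN Administration and Response templates into
# pkgadd-ready files (comment lines removed, since pkgadd rejects them) and set upgrade values.
strip_comments() {   # strip_comments TEMPLATE OUT: copy TEMPLATE to OUT without '#' or blank lines
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' > "$2"
}
set_value() {        # set_value FILE KEY VALUE: replace KEY=... in FILE, or append it if absent
    if grep -q "^$2=" "$1"; then
        sed "s|^$2=.*|$2=$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}
make_upgrade_admin() {   # make_upgrade_admin TEMPLATE OUT: minimum Administration file for an upgrade
    strip_comments "$1" "$2"
    set_value "$2" mail ""
    set_value "$2" instance overwrite
    set_value "$2" conflict nocheck
    set_value "$2" action nocheck
}
make_response() {    # make_response TEMPLATE OUT USER: Response file overriding the non-privileged owner
    strip_comments "$1" "$2"
    set_value "$2" VEN_NONPRIV_USER "\"$3\""
}
check_pkgadd_file() {  # 0 only if no comment line survives and every line has the form KEY=VALUE
    ! grep -q '^[[:space:]]*#' "$1" && ! grep -qv '^[A-Za-z_][A-Za-z0-9_]*=' "$1"
}

# Constructed miniatures of the shipped templates (assumption, not the real files).
WORK=${TMPDIR:-/tmp}/ven-files.$$
mkdir -p "$WORK"
cat > "$WORK/admin" <<'EOF'
# This file is used in case of upgradation
# instance=ask allows multiple instance of the same software to be installed
mail=
instance=ask
conflict=ask
action=nocheck
EOF
cat > "$WORK/response" <<'EOF'
#Parameter : VEN_NONPRIV_USER
#Type : String
VEN_NONPRIV_USER=""
VEN_NO_SUSPEND=0
EOF
make_upgrade_admin "$WORK/admin" "$WORK/admin.custom"            # use with: pkgadd -a "$WORK/admin.custom"
make_response "$WORK/response" "$WORK/response.custom" venuser   # use with: pkgadd -r "$WORK/response.custom"
check_pkgadd_file "$WORK/admin.custom" && check_pkgadd_file "$WORK/response.custom" && echo "files ready in $WORK"
```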
Uninstall the Solaris VEN
Important
Before you uninstall the VEN software from a Solaris workload, unpair the VEN running on the workload from the PCE. See "Deactivate and Unpair VENs" in the VEN Administration Guide.
Enter the following commands to uninstall the VEN:
```
sudo bash
# cd /tmp
# pkgrm illumio-ven
```
The following command output and prompts appear in the command window. Respond to the required prompts to uninstall the VEN:
```
The following package is currently installed:
   illumio-ven  illumio-ven
                (i386) <ven_version>.sol5.i386

Do you want to remove this package? [y,n,?,q] y
## Removing installed package instance <illumio-ven>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <illumio-ven> dependencies in global zone
## Processing package information.
## Executing preremove script.
VEN_DATA : /opt/illumio_ven_data
Stopping venAgentMonitor: ...done
Stopping venAgentMgr: ...done
Stopping venVtapServer: ...done
Stopping venPlatformHandler: ...done
## Removing pathnames in class <none>
.
.
.
## Executing postremove script.
## Updating system information.

Removal of <illumio-ven> was successful.
```