Solaris/Postinstall

From Segfault

Root Login

For this (test) environment, we want to have remote root logins.

Have root behave like a normal user again:

sudo rolemod -K type=normal root

Allow root to login from non-local devices:

$ grep CONS /etc/default/login 
# CONSOLE=/dev/console

Allow SSH root logins:

$ grep Root /etc/ssh/sshd_config 
PermitRootLogin yes

$ sudo svcadm restart svc:/network/ssh:default

→ See also Completely disabling root logins on Solaris 11

Serial console

Serial Console

Network

DHCP

touch /etc/hostname.bge0
touch /etc/dhcp.bge0

svcadm disable svc:/network/physical:nwam
svcadm  enable svc:/network/physical:default

Static

$ cat /etc/hostname.bge0
10.0.0.123
 
$ mv /etc/dhcp.bge0  /etc/dhcp.bge0.disabled           # To disable dhcpagent(1M)

$ cat /etc/nodename 
bob

$ cat /etc/inet/resolv.conf
domain     foo.org
nameserver 10.0.0.1
$ grep ^hosts /etc/nsswitch.conf 
hosts:        files dns
$ echo 10.0.0.1 > /etc/defaultrouter
 
$ svcadm disable svc:/network/physical:nwam 
$ svcadm  enable svc:/network/physical:default

In any case, we have to fix /etc/inet/hosts, otherwise our hostname will resolve to 127.0.0.1:

$ grep -v ^\# /etc/inet/hosts 
::1        localhost
127.0.0.1  localhost

Note: the loghost entries have been removed from /etc/inet/hosts because loghost is resolved via DNS here and does not point to localhost. This way the entries in /etc/syslog.conf actually point to a remote host rather than ourselves.

NFS mounted /home

$ zfs destroy -r rpool/export

$ tail -2 /etc/auto_home 
# +auto_home
*       -sec=sys nfsserver:/home/&

$ grep auto_home /etc/auto_master 
/home           auto_home       -browse

$ grep ^default /etc/nfssec.conf 
default         1       -       -       -   # default is AUTH_SYS
$ svcadm restart svc:/system/filesystem/autofs
$ cd ~joe
$ df -h .
Filesystem           size   used  avail capacity  Mounted on
nfsserver:/home/joe       54G    29G    22G    57%    /home/joe

We might want to add sec=sys to the server's exported share, otherwise we may not be able to mount it:

automountd[15601]: [ID 608284 daemon.error] nfsserver:/home/doe: does not support security "sys"

Note: GDM has a problem with auto-mounted /home directories. Setting both SupportAutomount=true and RelaxPermissions=2 did not help. Altering the UID of this particular user did the trick. However, we'll be better off with NIS; manually editing UIDs is just... plain rotten.

$ id joe
uid=11(joe) gid=10(staff)

$ ls -ld /home/joe
drwx--x--x  40 1002   100         4096 Feb 12 13:27 /home/joe
$ usermod -u 1002 joe

DNS server

The named(1M) manpage has a pretty good tutorial on how to set up BIND.

Transmit only over IPv4 networks:

svccfg -s svc:network/dns/server:default setprop options/ip_interfaces=IPv4
svcadm refresh svc:network/dns/server:default

Set configuration file:

svccfg -s svc:network/dns/server:default setprop options/configuration_file=/etc/bind/named.conf
svcadm refresh svc:network/dns/server:default

Start named with the solaris.smf.manage.bind authorization:

groupadd -g 101 named
useradd -d /var/named -s /bin/false -u 100 -g 101 -c "ISC BIND" named
mkdir -m0700 /var/named
chown named:named /var/named
usermod -A solaris.smf.manage.bind named  

Now the named account is a normal user account:

$ tail -1 /etc/user_attr
named::::type=normal;auths=solaris.smf.manage.bind

Modify the service properties:

svccfg -s svc:network/dns/server:default setprop  start/user=named
svccfg -s svc:network/dns/server:default setprop start/group=named
svcadm refresh svc:/network/dns/server:default

svcadm restart svc:/network/dns/server:default

Because only root has write access to create the default process-ID file (/var/run/named/named.pid), named must be configured to use an alternative path for the user dnsadmin.

# head /etc/named.conf
options {
   directory "/var/named";
   pid-file "/var/named/named.pid";
};

VNC server

Note: /usr/X11/bin/Xvnc is an inetd service and will only be started on demand! Xorg, however, will be running all the time.

$ cat /etc/X11/gdm/custom.conf
[...]
[xdmcp]
Enable=true

[security]
DisallowTCP=false
AllowRoot=true
AllowRemoteRoot=true
$ grep ^vnc-server /etc/services 
vnc-server      5900/tcp                        # VNC Server
 
$ svccfg -s svc:/application/x11/xvnc-inetd "setprop inetd/wait=true"
$ svcadm refresh svc:/application/x11/xvnc-inetd
$ svcadm restart svc:/application/x11/xvnc-inetd
$ svcadm enable  svc:/application/graphical-login/gdm

NTP client

$ grep ^server /etc/inet/ntp.conf
server us.pool.ntp.org
server ca.pool.ntp.org
server mx.pool.ntp.org

$ svcadm enable svc:/network/ntp

Root device mirror

$ zpool status rpool
   pool: rpool
  state: ONLINE
  scrub: none requested
 config:
 
       NAME        STATE     READ WRITE CKSUM
       rpool       ONLINE       0     0     0
         c0t0d0s0  ONLINE       0     0     0
 
$ prtvtoc /dev/rdsk/c0t0d0s2 | fmthard -s - /dev/rdsk/c0t8d0s2
$ zpool attach -f rpool c0t0d0s0 c0t8d0s0

Wait until resilvering is complete, then install the boot blocks:

installgrub /boot/grub/stage1 /boot/grub/stage2 /dev/rdsk/c0t8d0s0                # x86
installboot -F zfs /usr/platform/`uname -i`/lib/fs/zfs/bootblk /dev/rdsk/c0t8d0s0 # sparc


Note: if we're getting /dev/rdsk/c4t1d0s0: Cannot get disk geometry during fmthard, we might have to create an fdisk table first:

$ echo y | fdisk /dev/rdsk/c4t1d0p0
  No fdisk table exists. The default partition for the disk is:
      a 100% "SOLARIS System" partition
  Type "y" to accept the default partition,  otherwise type "n" to edit the
  partition table.
  y

Resize swap / dump

Running in a virtual machine, we're not using crashdumps right now and we want to disable swap as well:

$ zfs list | egrep 'dump|swap'
rpool/dump               256M  3.14G   256M  -
rpool/swap               512M  3.14G   512M  -
 
$ dumpadm -n
$ zfs destroy -f rpool/dump              # This might not work anyway :-\

$ swap -d /dev/zvol/dsk/rpool/swap
$ zfs destroy rpool/swap
$ zfs create -V 64M rpool/swap
$ swap -a /dev/zvol/dsk/rpool/swap 
 

Note: disabling crashdumps seems to be as far as we can get at this time. There's currently no way to disable the dumpdevice properly.

Package Installation

During the installation, a software group will be chosen and installed. On a running system, we can find out which group has been installed:

$ cat /var/sadm/system/admin/CLUSTER
CLUSTER=SUNWCmreq

The following groups exist:

SUNWCrnet    Reduced Networking Core System Support
SUNWCreq     Core System Support
SUNWCuser    End User System Support
SUNWCprog    Developer System Support
SUNWCall     Entire Distribution
SUNWCXall    Entire Distribution plus OEM support

In our case, "Core System Support" was chosen and modified, hence the "m" in "SUNWCmreq". The contents of these "clusters" are listed in /var/sadm/system/admin/.clustertoc.

Installation via pkg

Install missing packages:

pkg install pkg:/system/locale/extra                                       # Legacy locales[1]

Installation from CDROM

After choosing Core System Support Software Group (SUNWCreq) during the installation, the resulting OS environment is far from being usable. Let's install a few packages to make our life easier:

$ iostat -En | grep ^c
c0t0d0           Soft Errors: 0 Hard Errors: 0 Transport Errors: 0
c1t0d0           Soft Errors: 0 Hard Errors: 1 Transport Errors: 0 

$ mount -F hsfs -o ro /dev/dsk/c1t0d0p0 /mnt/cdrom
$ cd /mnt/cdrom/Solaris_10/Product
$ yes | pkgadd -d . SUNWbash SUNWdoc SUNWggrp SUNWless SUNWman SUNWwgetr SUNWwgetu \
                    SUNWsshdr SUNWsshr SUNWsshcu SUNWuiu8 SUNWsshdu SUNWsshu \
                    SUNWntp4r SUNWntp4u SUNWopensslr SUNWopenssl-commands \
                    SUNWgcmn SUNWgccruntime SUNWbinutils SUNWarc SUNWgcc SUNWgmake \
                    SUNWeu8os

Enable newly installed services:

svcadm enable ssh
svcadm enable ntp

Installation from OpenCSW

With a minimal Solaris installation, there are still quite a few packages left to install. Welcome to OpenCSW:

pkgadd -d http://get.opencsw.org/now
export PATH=$PATH:/opt/csw/bin
pkgutil -u pkgutil

gpg --homedir=/var/opt/csw/pki --recv-keys 9306CC77
gpg --homedir=/var/opt/csw/pki --edit-key 9306CC77 trust

One could also install CSWcswpki:

pkgutil -y -i CSWcswpki CSWgnupg
gpg --homedir=/var/opt/csw/pki --edit-key 9306CC77 trust

Enable GPG and MD5 checks in pkgutil.conf, and probably choose a mirror near you:

$ grep ^[a-z] /etc/opt/csw/pkgutil.conf
mirror=http://mirror.opencsw.org/opencsw/testing
pkgliststyle=1
show_current=false
use_gpg=true
use_md5=true
wgetopts=-U pkgutil -nv

Install additional packages, if needed:

pkgutil -y -i CSWbash CSWbashcmplt CSWgzip CSWfindutils CSWfortune CSWiftop CSWlsof CSWncftp CSWnetcat \
              CSWrsync CSWsudo CSWtcpdump CSWw3m CSWwget CSWgfile CSWless CSWggrep CSWbindutils CSWntp CSWsyslogng

Disable unneeded services, packages

Solaris 10

$ svcs  | grep -c ^online
103
 
$ svcadm disable svc:/application/font/fc-cache:default \
               svc:/application/opengl/ogl-select:default \
               svc:/application/print/service-selector:default \
               svc:/application/stosreg:default \
               svc:/network/inetd:default \
               svc:/network/ipsec/ipsecalgs:default \
               svc:/network/iptun:default \
               svc:/network/iscsi/initiator:default \
               svc:/network/npiv_config:default \
               svc:/network/physical:nwam \
               svc:/network/routing/ndp \
               svc:/network/rpc/gss:default \
               svc:/network/rpc/smserver:default \
               svc:/network/security/ktkt_warn:default \
               svc:/platform/i86pc/acpihpd:default \
               svc:/system/dbus:default \
               svc:/system/device/audio:default \
               svc:/system/fcoe_initiator:default \
               svc:/system/filesystem/autofs \
               svc:/system/filesystem/rmvolmgr:default \
               svc:/system/hal:default \
               svc:/system/keymap:default \
               svc:/system/metainit:default \
               svc:/system/metasync:default \
               svc:/system/power:default \
               svc:/system/sysidtool:net \
               svc:/system/sysidtool:system

$ svcs  | grep -c ^online
69

Remove unneeded packages:

$ pkginfo | wc -l
927

$ yes y | pkgrm -Y MOZ17,GNOME2,EVO146,JAI,JAVAAPPS,GLOW,JDIC,JDS3,MUSCLE

$ pkginfo | wc -l
557

Solaris 11

svcadm disable application/cups/scheduler \
 network/eoib/eoib-post-upgrade \
 network/ib/ib-management \
 network/ilomconfig-interconnect \
 network/ipmp \
 network/iscsi/initiator \
 network/routing/ndp \
 network/routing/route \
 system/console-reset \
 system/devchassis:daemon \
 system/filesystem/rmvolmgr \
 system/fm/asr-notify:default \
 system/hal \
 system/ocm

We can also use netservices[2] to limit the network services running:

> When netservices is invoked with the limited command-line argument, all
> network services except the secure shell daemon, sshd(1M),  are  either
> disabled or constrained to respond to local requests only.
$ netstat -an -f inet > a
$ netservices limited
$ netstat -an -f inet > b

$ diff a b  | grep LISTEN
< *.25               *.*                  0      0  128000      0 LISTEN
< *.587              *.*                  0      0  128000      0 LISTEN
> 127.0.0.1.25       *.*                  0      0  128000      0 LISTEN
> 127.0.0.1.587      *.*                  0      0  128000      0 LISTEN
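To check the effect of netservices limited without reading the whole diff, the following added example (not from the original page) lists the TCP listeners that are still bound to every address ("*.port") rather than to 127.0.0.1, taken from the same netstat -an -f inet output. The before/after snapshots are constructed from the lines above; sshd on port 22 is assumed to stay open, as the quoted manpage says.

```shell
# Print the ports of TCP sockets in LISTEN state whose local address is the
# wildcard "*.port"; loopback-only listeners (127.0.0.1.port) are skipped.
wildcard_listeners() {
  awk '$NF == "LISTEN" && $1 ~ /^\*\./ { sub(/^\*\./, "", $1); print $1 }' | sort -n
}

# On a live Solaris system: feed the real netstat output into the filter.
live_listeners() {
  netstat -an -f inet | wildcard_listeners
}

# Constructed snapshots modelled on the diff above: "a" before, "b" after.
BEFORE='*.22               *.*                  0      0  128000      0 LISTEN
*.25               *.*                  0      0  128000      0 LISTEN
*.587              *.*                  0      0  128000      0 LISTEN
10.0.0.123.22      10.0.0.1.51000   49152      0  128000      0 ESTABLISHED'
AFTER='*.22               *.*                  0      0  128000      0 LISTEN
127.0.0.1.25       *.*                  0      0  128000      0 LISTEN
127.0.0.1.587      *.*                  0      0  128000      0 LISTEN'

# Space-separated port lists for the two snapshots.
before_ports() { printf '%s\n' "$BEFORE" | wildcard_listeners | tr '\n' ' ' | sed 's/ *$//'; }
after_ports()  { printf '%s\n' "$AFTER"  | wildcard_listeners | tr '\n' ' ' | sed 's/ *$//'; }
```

Only sshd should remain network-reachable afterwards; anything else in the "after" list is a service netservices did not constrain.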

Misc

SUNWslocate

mkdir -p -m0755 /usr/local/{,s}bin
ln -s `which slocate` /usr/local/bin/locate

corefiles

mkdir -m1733 /var/core
coreadm -e global -e global-setid -e process -e log
coreadm -g /var/core/core.%f.%p -G all

auto-boot

While setting eeprom 'auto-boot?=false' prevents the system from booting automatically after POST, the system will still boot automatically after a system panic, because POST is bypassed in that case. To disable automatic booting, we need to set the following in /etc/system:

 set halt_on_panic=1  

To check if halt_on_panic is supported on pre-Solaris 8 systems:

 $ echo halt_on_panic | sudo adb -k
 physmem 176b3
 symbol not found              # Not supported

forcedeth

In Linux, forcedeth will provide support for those crappy Nvidia onboard NICs. The nfo driver (and now nge) will do this for Solaris 10:

 nfo0: nForce mac type 7 (vid: 0x10de, did: 0x00df, revid: 0xa2)
 nfo0: ilr 0x1401010a
 nfo0: MII PHY (0x01410cc2) found at 1
 nfo0: PHY control:1140<ANE,FDUPLEX,1000M>, status:7949<100_BASEX_FD,100_BASEX,10_BASE_FD,
       10_BASE,MFPRMBLSUPR,CANAUTONEG,EXTENDED>,advert:de1<ASM_DIR,PAUSE,100BASE_TX_FD,100BASE_TX,
       10BASE_T_FD,10BASE_T>, lpar:0
 nfo0: xstatus:3000<1000BASET_FD,1000BASET>
 nfo0: nfo: type "ether" mac address 00:11:09:ea:13:66
 PCI-device: pci1462,250@5, nfo0
 nfo0 is /pci@0,0/pci1462,250@5
 nfo0: auto-negotiation started
 pseudo-device: devinfo0
 devinfo0 is /pseudo/devinfo@0
 WARNING: nfo0: auto-negotiation failed: timeout
 nfo0: nfo_sol_linkchanged: called, time:50344
 nfo0: auto-negotiation done, advert:de1<ASM_DIR,PAUSE,100BASE_TX_FD,100BASE_TX,10BASE_T_FD,10BASE_T>,
       lpable:45e1<PAUSE,100BASE_TX_FD,100BASE_TX,10BASE_T_FD,10BASE_T>
 nfo0: Link up: 100 Mbps full duplex with symmetric flow control

power.conf line (20) failed to convert mount point to prom name

Sometimes this happens when Solaris is booting:

/usr/sbin/pmconfig: /etc/power.conf line (20) failed to convert
mount point to prom name: Invalid argument

Though harmless, this can be fixed. The short answer is to uninstall the CPR subsystem:

pkgrm SUNWpmu SUNWpmr SUNWcpr SUNWpmowu SUNWpmowr SUNWpmowm

Failed to update microcode from version 0x6 to 0xc

When starting Solaris in a virtual machine, this might get displayed early during bootup:

Warning: CPU0: Failed to update microcode from version 0x6 to 0xc

There's a workaround too:

> This is because the Operating system is trying to update the processor's
> microcode with the new version. Since it is a Virtual OS, VMware
> doesn't allow it to update the code. To overcome this issue, there
> is a workaround for Solaris Operating system. Run the command given below

# mv /platform/i86pc/ucode /platform/i86pc/ucode.disabled

Password restrictions

For a test installation, we don't want to impose special password requirements:

$ grep ^[A-Z] /etc/default/passwd 
MAXWEEKS=
MINWEEKS=
PASSLENGTH=4
NAMECHECK=NO
MINSPECIAL=0
MINDIGIT=0

Also, let's allow root SSH logins for the same test installation:

$ grep ^PermitRoot /etc/ssh/sshd_config 
PermitRootLogin yes

$ sudo svcadm restart svc:/network/ssh

Note: root SSH login may still not work, as root is still a role-account.

lsof

In lieu of lsof, we can use pfiles(1) to list open files and (network) sockets for processes:

pfiles $$
4574:   -bash
 Current rlimit: 256 file descriptors
  0: S_IFCHR mode:0620 dev:558,0 ino:27275103 uid:0 gid:7 rdev:221,1
     O_RDWR|O_NOCTTY|O_LARGEFILE
     /dev/pts/1

To get the equivalent of "netstat -p"[3] (listing which process is using which network port), we can do something like this:

$ for p in `ls /proc/`; do pfiles "$p"; done
[...]
314:    /sbin/dhcpagent
 Current rlimit: unlimited file descriptors
[...]
 2: S_IFSOCK mode:0666 dev:568,0 ino:24788 uid:0 gid:0 size:0
     O_RDWR
       SOCK_STREAM
       SO_REUSEADDR,SO_SNDBUF(49152),SO_RCVBUF(128000)
       sockname: AF_INET 127.0.0.1  port: 4999
       congestion control: newreno
