Solaris/Postinstall
Root Login
For this (test) environment, we want to have remote root logins.
Have root behave like a normal user again:
sudo rolemod -K type=normal root
Allow root to login from non-local devices:
$ grep CONS /etc/default/login # CONSOLE=/dev/console
Allow SSH root logins:
$ grep Root /etc/ssh/sshd_config PermitRootLogin yes $ sudo svcadm restart svc:/network/ssh:default
→ See also Completely disabling root logins on Solaris 11
Serial console
Network
DHCP
touch /etc/hostname.bge0 touch /etc/dhcp.bge0 svcadm disable svc:/network/physical:nwam svcadm enable svc:/network/physical:default
Static
$ cat /etc/hostname.bge0 10.0.0.123 $ mv /etc/dhcp.bge0 /etc/dhcp.bge0.disabled # To disable dhcpagent(1M) $ cat /etc/nodename bob $ cat /etc/inet/resolv.conf domain foo.org nameserver 10.0.0.1 $ grep ^hosts /etc/nsswitch.conf hosts: files dns $ echo 10.0.0.1 > /etc/defaultrouter $ svcadm disable svc:/network/physical:nwam $ svcadm enable svc:/network/physical:default
In any case, we have to fix /etc/inet/hosts, otherwise our hostname will resolve to 127.0.0.1:
$ grep -v ^\# /etc/inet/hosts ::1 localhost 127.0.0.1 localhost
Note: the loghost entries have been removed from /etc/inet/hosts because loghost is resolved via DNS here and does not point to localhost. This way the entries in /etc/syslog.conf actually point to a remote host rather than ourselves.
NFS mounted /home
$ zfs destroy -r rpool/export $ tail -2 /etc/auto_home # +auto_home * -sec=sys nfsserver:/home/& $ grep auto_home /etc/auto_master /home auto_home -browse $ grep ^default /etc/nfssec.conf default 1 - - - # default is AUTH_SYS
$ svcadm restart svc:/system/filesystem/autofs $ cd ~joe $ df -h . Filesystem size used avail capacity Mounted on nfsserver:/home/joe 54G 29G 22G 57% /home/joe
We might want to add sec=sys to the server's exported share otherwise we may not be able to mount it:
automountd[15601]: [ID 608284 daemon.error] nfsserver:/home/doe: does not support security "sys"
Note: GDM has a problem with auto-mounted /home directories. Setting both SupportAutomount=true and RelaxPermissions=2 did not help. Altering the UID of this particular user did the trick. However, we'll be better off with NIS; manually editing UIDs is just....plain rotten.
$ id joe uid=11(joe) gid=10(staff) $ ls -ld /home/joe drwx--x--x 40 1002 100 4096 Feb 12 13:27 /home/joe $ usermod -u 1002 joe
DNS server
The named(1M) manpage has some pretty good tutorial on how to setup BIND.
Transmit only over IPv4 networks:
svccfg -s svc:network/dns/server:default setprop options/ip_interfaces=IPv4 svcadm refresh svc:network/dns/server:default
Set configuration file:
svccfg -s svc:network/dns/server:default setprop options/configuration_file=/etc/bind/named.conf svcadm refresh svc:network/dns/server:default
Start named with the solaris.smf.manage.bind authorization:
groupadd -g 101 named useradd -d /var/named -s /bin/false -u 100 -g 101 -c "ISC BIND" named mkdir -m0700 /var/named chown named:named /var/named
usermod -A solaris.smf.manage.bind named
Now the named account is a normal useraccount:
$ tail -1 /etc/user_attr named::::type=normal;auths=solaris.smf.manage.bind
Modify the service properties:
svccfg -s svc:network/dns/server:default setprop start/user=named svccfg -s svc:network/dns/server:default setprop start/group=named svcadm refresh svc:/network/dns/server:default svcadm restart svc:/network/dns/server:default
Because only root has write access to create the default process-ID file (/var/run/named/named.pid), named must be configured to use an alternative path for the user dnsadmin.
# head /etc/named.conf
options {
directory "/var/named";
pid-file "/var/named/named.pid";
};
VNC server
Note: /usr/X11/bin/Xvnc is an inetd service and will only be started on demand! Xorg however will be running all the time.
$ cat /etc/X11/gdm/custom.conf [...] [xdmcp] Enable=true [security] DisallowTCP=false AllowRoot=true AllowRemoteRoot=true
$ grep ^vnc-server /etc/services vnc-server 5900/tcp # VNC Server $ svccfg -s svc:/application/x11/xvnc-inetd "setprop inetd/wait=true" $ svcadm refresh svc:/application/x11/xvnc-inetd $ svcadm restart svc:/application/x11/xvnc-inetd $ svcadm enable svc:/application/graphical-login/gdm
NTP client
$ grep ^server /etc/inet/ntp.conf server us.pool.ntp.org server ca.pool.ntp.org server mx.pool.ntp.org $ svcadm enable svc:/network/ntp
Root device mirror
$ zpool status rpool
pool: rpool
state: ONLINE
scrub: none requested
config:
NAME STATE READ WRITE CKSUM
rpool ONLINE 0 0 0
c0t0d0s0 ONLINE 0 0 0
$ prtvtoc /dev/rdsk/c0t0d0s2 | fmthard -s - /dev/rdsk/c0t8d0s2
$ zpool attach -f rpool c0t0d0s0 c0t8d0s0
Wait until resilvering is complete, then install the boot blocks:
installgrub /boot/grub/stage1 /boot/grub/stage2 /dev/rdsk/c0t8d0s0 # x86 installboot -F zfs /usr/platform/`uname -i`/lib/fs/zfs/bootblk /dev/rdsk/c0t8d0s0 # sparc
Note: if we're getting /dev/rdsk/c4t1d0s0: Cannot get disk geometry during fmthard, we might have to create an fdisk table first:
$ echo y | fdisk /dev/rdsk/c4t1d0p0 No fdisk table exists. The default partition for the disk is: a 100% "SOLARIS System" partition Type "y" to accept the default partition, otherwise type "n" to edit the partition table. y
Resize swap / dump
Running in a virtual machine, we're not using crashdumps right now and we want to disable swap as well:
$ zfs list | grep -E 'dump|swap' rpool/dump 256M 3.14G 256M - rpool/dump 512M 3.14G 512M - $ dumpadm -n $ zfs destroy -f rpool/dump # This might not work anyway :-\ $ swap -d /dev/zvol/dsk/rpool/swap $ zfs destroy rpool/swap $ zfs create -V 64M rpool/swap $ swap -a /dev/zvol/dsk/rpool/swap
Note: disabling crashdumps seems to be as far as we can get at this time. There's currently no way to disable the dumpdevice properly.
Package Installation
During the installation, a software group will be chosen and installed. On a running system, we can find out which group has been installed:
$ cat /var/sadm/system/admin/CLUSTER
CLUSTER=SUNWCmreq
The following groups exist
SUNWCrnet Reduced Networking Core System Support SUNWCreq Core System Support SUNWCuser End User System Support SUNWCprog Developer System Support SUNWCall Entire Distribution SUNWCXall Entire Distribution plus OEM support
In our case, "Core System Support" was chosen and modified, hence the "m" in "SUNWCreq". The contents of these "clusters" are listed in /var/sadm/system/admin/.clustertoc.
Installation via pkg
Install missing packages:
pkg install pkg:/system/locale/extra # Legacy locales[1]
Installation from CDROM
After choosing Core System Support Software Group (SUNWCreq) during the installation, the resulting OS environment is far from being usable. Let's install a few packages to make our life easier:
$ iostat -En | grep ^c c0t0d0 Soft Errors: 0 Hard Errors: 0 Transport Errors: 0 c1t0d0 Soft Errors: 0 Hard Errors: 1 Transport Errors: 0 $ mount -F hsfs -o ro /dev/dsk/c1t0d0p0 /mnt/cdrom $ cd /mnt/cdrom/Solaris_10/Product $ yes | pkgadd -d . SUNWbash SUNWdoc SUNWggrp SUNWless SUNWman SUNWwgetr SUNWwgetu \ SUNWsshdr SUNWsshr SUNWsshcu SUNWuiu8 SUNWsshdu SUNWsshu \ SUNWntp4r SUNWntp4u SUNWopensslr SUNWopenssl-commands \ SUNWgcmn SUNWgccruntime SUNWbinutils SUNWarc SUNWgcc SUNWgmake \ SUNWeu8os
Enable newly installed services:
svcadm enable ssh svcadm enable ntp
Installation from OpenCSW
With a minimal Solaris installation, there are still a quite a few packages left to install. Welcome to OpenCSW:
pkgadd -d http://get.opencsw.org/now export PATH=$PATH:/opt/csw/bin pkgutil -u pkgutil gpg --homedir=/var/opt/csw/pki --recv-keys 9306CC77 gpg --homedir=/var/opt/csw/pki --edit-key 9306CC77 trust
One could also install CSWcswpki:
pkgutil -y -i CSWcswpki CSWgnupg gpg –homedir=/var/opt/csw/pki –edit-key 9306CC77 trust
Enable GPG and MD5 checks in pkgutil.conf, probably choose a mirror near to you:
$ grep ^[a-z] /etc/opt/csw/pkgutil.conf mirror=http://mirror.opencsw.org/opencsw/testing pkgliststyle=1 show_current=false use_gpg=true use_md5=true wgetopts=-U pkgutil -nv
Install additional packages, if needed:
pkgutil -y -i CSWbash CSWbashcmplt CSWgzip CSWfindutils CSWfortune CSWiftop CSWlsof CSWncftp CSWnetcat \
CSWrsync CSWsudo CSWtcpdump CSWw3m CSWwget CSWgfile CSWless CSWggrep CSWbindutils CSWntp CSWsyslogng
Disable unneeded services, packages
Solaris 10
$ svcs | grep -c ^online
103
$ svcadm disable svc:/application/font/fc-cache:default \
svc:/application/opengl/ogl-select:default \
svc:/application/print/service-selector:default \
svc:/application/stosreg:default \
svc:/network/inetd:default \
svc:/network/ipsec/ipsecalgs:default \
svc:/network/iptun:default \
svc:/network/iscsi/initiator:default \
svc:/network/npiv_config:default \
svc:/network/physical:nwam \
svc:/network/routing/ndp \
svc:/network/rpc/gss:default \
svc:/network/rpc/smserver:default \
svc:/network/security/ktkt_warn:default \
svc:/platform/i86pc/acpihpd:default \
svc:/system/dbus:default \
svc:/system/device/audio:default \
svc:/system/fcoe_initiator:default \
svc:/system/filesystem/autofs \
svc:/system/filesystem/rmvolmgr:default \
svc:/system/hal:default \
svc:/system/keymap:default \
svc:/system/metainit:default \
svc:/system/metasync:default \
svc:/system/power:default \
svc:/system/sysidtool:net \
svc:/system/sysidtool:system \
$ svcs | grep -c ^online
69
Remove unneeded packages:
$ pkginfo | wc -l 927 $ yes y | pkgrm -Y MOZ17,GNOME2,EVO146,JAI,JAVAAPPS,GLOW,JDIC,JDS3,MUSCLE $ pkginfo | wc -l 557
Solaris 11
svcadm disable application/cups/scheduler \ network/eoib/eoib-post-upgrade \ network/ib/ib-management \ network/ilomconfig-interconnect \ network/ipmp \ network/iscsi/initiator \ network/routing/ndp \ network/routing/route \ system/console-reset \ system/devchassis:daemon \ system/filesystem/rmvolmgr \ system/fm/asr-notify:default \ system/hal \ system/ocm
We can also use netservices[2] to limit the network services running:
> When netservices is invoked with the limited command-line argument, all > network services except the secure shell daemon, sshd(1M), are either > disabled or constrained to respond to local requests only.
$ netstat -an -f inet > a $ netservices limited $ netstat -an -f inet > b $ diff a b | grep LISTEN < *.25 *.* 0 0 128000 0 LISTEN < *.587 *.* 0 0 128000 0 LISTEN > 127.0.0.1.25 *.* 0 0 128000 0 LISTEN > 127.0.0.1.587 *.* 0 0 128000 0 LISTEN
Misc
SUNWslocate
mkdir -p -m0755 /usr/local/{,s}bin
ln -s `which slocate` /usr/local/bin/locate
corefiles
mkdir -m1733 /var/core coreadm -e global -e global-setid -e process -e log coreadm -g /var/core/core.%f.%p -G all
auto-boot
While setting eeprom 'auto-boot?=false' prevents the system from automatic booting after POST, the system will still automatically boot after a system panic, where POST is being bypassed. To disable automatic booting, we need to set the following in /etc/system:
set halt_on_panic=1
To check if halt_on_panic is supported on pre Solaris 8 systems:
$ echo halt_on_panic | sudo adb -k physmem 176b3 symbol not found # Not supported
- How to Prevent Automatic System Reboot Following System Panic on a SPARC Based System? (Doc ID 1003268.1)
forcedeth
In Linux, forcedeth will provide support for those crappy Nvidia onboard NICs. The nfo driver (and now nge) will do this for Solaris 10:
nfo0: nForce mac type 7 (vid: 0x10de, did: 0x00df, revid: 0xa2)
nfo0: ilr 0x1401010a
nfo0: MII PHY (0x01410cc2) found at 1
nfo0: PHY control:1140<ANE,FDUPLEX,1000M>, status:7949<100_BASEX_FD,100_BASEX,10_BASE_FD,
10_BASE,MFPRMBLSUPR,CANAUTONEG,EXTENDED>,advert:de1<ASM_DIR,PAUSE,100BASE_TX_FD,100BASE_TX,
10BASE_T_FD,10BASE_T>, lpar:0
nfo0: xstatus:3000<1000BASET_FD,1000BASET>
nfo0: nfo: type "ether" mac address 00:11:09:ea:13:66
PCI-device: pci1462,250@5, nfo0
nfo0 is /pci@0,0/pci1462,250@5
nfo0: auto-negotiation started
pseudo-device: devinfo0
devinfo0 is /pseudo/devinfo@0
WARNING: nfo0: auto-negotiation failed: timeout
nfo0: nfo_sol_linkchanged: called, time:50344
nfo0: auto-negotiation done, advert:de1<ASM_DIR,PAUSE,100BASE_TX_FD,100BASE_TX,10BASE_T_FD,10BASE_T>,
lpable:45e1<PAUSE,100BASE_TX_FD,100BASE_TX,10BASE_T_FD,10BASE_T>
nfo0: Link up: 100 Mbps full duplex with symmetric flow control
power.conf line (20) failed to convert mount point to prom name
Some this happens when Solaris is booting:
/usr/sbin/pmconfig: /etc/power.conf line (20) failed to convert mount point to prom name: Invalid argument
Though harmless, this can be solved indeed. The short answer is to uninstall the CPR subsystem:
pkgrm SUNWpmu SUNWpmr SUNWcpr SUNWpmowu SUNWpmowr SUNWpmowm
Failed to update microcode from version 0x6 to 0xc
When starting Solaris in a virtual machine, this might get displayed early during bootup:
Warning: CPU0: Failed to update microcode from version 0x6 to 0xc
There's a workaround too:
> This is because the Operating system is trying to update the processor's > microcode with the new version. Since it is an Virtual OS, VMware > doesnt allow it to update the code. To over come this issue. There > is an work around for Solaris Operating system. Run the command given below # mv /platform/i86pc/ucode /platform/i86pc/ucode.disabled
Password restrictions
For a test installation, we don't want to impose special password requirements:
$ grep ^[A-Z] /etc/default/passwd MAXWEEKS= MINWEEKS= PASSLENGTH=4 NAMECHECK=NO MINSPECIAL=0 MINDIGIT=0
Also, let's allow root SSH logins for the same test installation:
$ grep ^PermitRoot /etc/ssh/sshd_config PermitRootLogin yes $ sudo svcadm restart svc:/network/ssh
Note: root SSH login may still not work, as root is still a role-account.
lsof
In lieu of lsof, we can use pfiles(1) to list open files and (network) sockets for processes:
pfiles $$
4574: -bash
Current rlimit: 256 file descriptors
0: S_IFCHR mode:0620 dev:558,0 ino:27275103 uid:0 gid:7 rdev:221,1
O_RDWR|O_NOCTTY|O_LARGEFILE
/dev/pts/1
To get the equivalent of "netstat -p"[3] (listing which process is using which network port), we can do something like this:
$ for p in `ls /proc/`; do pfiles "$p"; done [...] 314: /sbin/dhcpagent Current rlimit: unlimited file descriptors [...] 2: S_IFSOCK mode:0666 dev:568,0 ino:24788 uid:0 gid:0 size:0 O_RDWR SOCK_STREAM SO_REUSEADDR,SO_SNDBUF(49152),SO_RCVBUF(128000) sockname: AF_INET 127.0.0.1 port: 4999 congestion control: newreno
Links
- circular dependency on CSWgzip?
- Open HA Cluster Installation Guide
- Oracle Solaris Tunable Parameters Reference Manual (September 2013)
- sysstat - Solaris' key system statistics at a glance