Solaris


//Note: This is work in progress//

Notes on Solaris 10

Managing Volumes

New hard drives

Procedure for adding a new drive to a system and formatting the disk as UFS

 - install disk
 - halt system (reboot with reconfiguration: **reboot -- -r**)
 - attach drive to system interface (SATA,IDE,etc)
 - format disk
 - type format
 - if your system did not find the new disk, reload dev filesystem with **devfsadm -C** (this re-creates ///etc/devlink.tab//)
 - now you can use **format** to partition your disk
   Searching for disks...done
   AVAILABLE DISK SELECTIONS:
          0. c1d0 <DEFAULT cyl 19454 alt 2 hd 255 sec 63>
             /pci@0,0/pci-ide@5/ide@0/cmdk@0,0
          1. c2d0 <DEFAULT cyl 60798 alt 2 hd 255 sec 63>
             /pci@0,0/pci-ide@5/ide@1/cmdk@0,0
     Specify disk (enter its number): 1
   selecting c2d0
   Controller working list found
   [disk formatted, defect list found]
   FORMAT MENU:
           disk       - select a disk
           type       - select (define) a disk type
           partition  - select (define) a partition table
           current    - describe the current disk
           format     - format and analyze the disk
           fdisk      - run the fdisk program
           repair     - repair a defective sector
           show       - translate a disk address
           label      - write label to the disk
           analyze    - surface analysis
           defect     - defect list management
           backup     - search for backup labels
           verify     - read and display labels
           save       - save new disk/partition definitions
           volname    - set 8-character volume name
           !<cmd>     - execute <cmd>, then return
           quit
   format> p
   Please run fdisk first.
   format> fdisk
   No fdisk table exists. The default partition for the disk is:
     a 100% "SOLARIS System" partition
   Type "y" to accept the default partition,  otherwise type "n" to edit the
    partition table.
   y
   format> p
   PARTITION MENU:
           0      - change `0' partition
           1      - change `1' partition
           2      - change `2' partition
           3      - change `3' partition
           4      - change `4' partition
           5      - change `5' partition
           6      - change `6' partition
           7      - change `7' partition
           select - select a predefined table
           modify - modify a predefined partition table
           name   - name the current table
           print  - display the current table
           label  - write partition map and label to the disk
           !<cmd> - execute <cmd>, then return
           quit
   partition> p
   Current partition table (original):
   Total disk cylinders available: 60797 + 2 (reserved cylinders)
   Part      Tag    Flag     Cylinders         Size            Blocks
     0 unassigned    wm       0                0         (0/0/0)             0
     1 unassigned    wm       0                0         (0/0/0)             0
     2     backup    wu       0 - 60797      465.74GB    (60798/0/0) 976719870
     3 unassigned    wm       0                0         (0/0/0)             0
     4 unassigned    wm       0                0         (0/0/0)             0
     5 unassigned    wm       0                0         (0/0/0)             0
     6 unassigned    wm       0                0         (0/0/0)             0
     7 unassigned    wm       0                0         (0/0/0)             0
     8       boot    wu       0 -     0        7.84MB    (1/0/0)         16065
     9 alternates    wm       1 -     2       15.69MB    (2/0/0)         32130
   partition> 6
   Part      Tag    Flag     Cylinders         Size            Blocks
     6 unassigned    wm       0                0         (0/0/0)             0
   Enter partition id tag[unassigned]: usr
   Enter partition permission flags[wm]: 
   Enter new starting cyl[3]: 
   Enter partition size[0b, 0c, 3e, 0.00mb, 0.00gb]: 465.70gb
   partition> p
   Current partition table (unnamed):
   Total disk cylinders available: 60797 + 2 (reserved cylinders)
   Part      Tag    Flag     Cylinders         Size            Blocks
     0 unassigned    wm       0                0         (0/0/0)             0
     1 unassigned    wm       0                0         (0/0/0)             0
     2     backup    wu       0 - 60797      465.74GB    (60798/0/0) 976719870
     3 unassigned    wm       0                0         (0/0/0)             0
     4 unassigned    wm       0                0         (0/0/0)             0
     5 unassigned    wm       0                0         (0/0/0)             0
     6        usr    wm       3 - 60796      465.71GB    (60794/0/0) 976655610
     7 unassigned    wm       0                0         (0/0/0)             0
     8       boot    wu       0 -     0        7.84MB    (1/0/0)         16065
     9 alternates    wm       1 -     2       15.69MB    (2/0/0)         32130
   partition> label
   Ready to label disk, continue? y
   format> volname
   Enter 8-character volume name (remember quotes)[""]:"datvol"
   Ready to label disk, continue? y
   format> q

Essentially we did:

 * Use fdisk for ix86 systems
 * Select the proper slice (number 6)
 * Assign all available space to the slice selected
 * label the disk
 * and assign a volume name

Now you need to make a new filesystem

   cat /etc/default/fs
   LOCAL=ufs

This shows that our preferred local filesystem is UFS. Therefore, **newfs** would do the right thing for us:

   newfs /dev/rdsk/c2d0s6
   newfs: construct a new file system /dev/rdsk/c2d0s6: (y/n)? y
   Warning: 774 sector(s) in last cylinder unallocated
   /dev/rdsk/c2d0s6:       976655610 sectors in 158961 cylinders of 48 tracks, 128 sectors
           476882.6MB in 9936 cyl groups (16 c/g, 48.00MB/g, 5824 i/g)
   super-block backups (for fsck -F ufs -o b=#) at:
    32, 98464, 196896, 295328, 393760, 492192, 590624, 689056, 787488, 885920,
   Initializing cylinder groups:
   ...............................................................................
   ...............................................................................
   ........................................
   super-block backups for last 10 cylinder groups at:
    975766304, 975864736, 975963168, 976061600, 976160032, 976258464, 976356896,
    976455328, 976553760, 976652192

And now you need to mount our newly created volume. We chose **/export** as mount point:

1. edit **/etc/vfstab**

   /dev/dsk/c2d0s6 /dev/rdsk/c2d0s6        /export ufs     2       yes     -

2. mount **/export**

3. use **df -h** to verify

   /dev/dsk/c2d0s6       459G   65M  454G   1% /export

And we are done

RAID controllers

To show all drives:

 - From the ok prompt type 'select (disk controller path)'
 - show-volumes
 - (volume #) activate-volume
 - unselect-dev
 - Then probe-scsi-all should see the drives

RAID software

   # raidctl
   Controller: 1
           Volume:c1t0d0
           Disk: 0.0.0
           Disk: 0.1.0
   # raidctl -d c1t0d0
   Deleting RAID volume c1t0d0 will destroy all data it contains, proceed (yes/no)? yes
   Volume c1t0d0 is deleted successfully!
   # raidctl -C <disk 1> <disk 2>

That will create a RAID 1 volume with 2 disks. If you need 3 disks or a different RAID level, use **-r <LEVEL>**. **1E** requires 3 disks (2 mirror, 1 spare).

Multipath

Display Properties

 luxadm display /path/to/rdsk/device

Network Filesystem

Note that jumpstart uses NFSv4 by default

ZFS

Creating Volumes

create a new volume mounted on /mypool/myvolume

 zfs create mypool/myvolume

create a new volume mounted on /myvolume

 zfs create -o mountpoint=/myvolume [-o sharenfs=on] mypool/myvolume

Sharing Volumes

 zfs set sharenfs=on mypool/myvolume

Network Configuration

DHCP

http://docsun.cites.uiuc.edu/sun_docs/C/solaris_9/SUNWaadm/SYSADV3/p13.html#IPCONFIG-64

 - Create empty files for **/etc/hostname.INTERFACE** and **/etc/dhcp.INTERFACE**
   - //rm /etc/hostname.INTERFACE; touch /etc/hostname.INTERFACE//. Where INTERFACE is something like nge0
   - //rm /etc/dhcp.INTERFACE; touch /etc/dhcp.INTERFACE//
 - //reboot//

Static

 - remove **/etc/dhcp.INTERFACE**. Where INTERFACE is something like nge0
 - put static IP number in ///etc/hostname.INTERFACE//
 - put hostname in ///etc/nodename//
 - put domain name in ///etc/defaultdomain//
 - put netmask in ///etc/inet/netmasks//
 - put router/gateway in ///etc/defaultrouter// (or use something like **route -p add 192.168.20.0/22 192.168.0.1**)
 - put fully-qualified hostname in ///etc/inet/hosts//. i.e.: hostname+defaultdomain. Example: **127.0.0.1 hostname.example.com hostname**
 - //reboot//

http://docsun.cites.uiuc.edu/sun_docs/C/solaris_9/SUNWaadm/SYSADV3/p13.html#IPCONFIG-64

Static IPv6

 - remove file **/etc/dhcp6.INTERFACE**. Where INTERFACE is something like **nge0**
 - put **addif AAAA::A/64 up** in ///etc/hostname6.INTERFACE//
 - put hostname plus static IP information in ///etc/inet/ipnodes//: **AAAA::A  myhost.example.com myhost myhost-v6**
 - do **/sbin/ifconfig INTERFACE inet6 plumb; /sbin/ifconfig INTERFACE inet6 addif AAAA::A/64 up** or **reboot** to activate

Wireless

WPA configuration on OpenSolaris/Nexenta

 dladm create-secobj -c wpa mykey
 # enter your psk twice
 dladm connect-wifi -e "<essid>" -k mykey <interface>

To disconnect

 dladm disconnect-wifi

Managing Services

Introduction

Solaris 10 has a new service management system that augments the traditional UNIX //rc.d// scripts and //init// run levels. At first, this might feel like just another thing to have to learn. But in all honesty, this new system is fantastic and addresses most (if not all) common shortcomings of the traditional //rc.d// system. The system is called //SMF//, or Service Management Facility. (Yeah, the acronyms are about as generic and boring as possible).

Most if not all of the features that SMF brings to the table can be implemented through shell scripts and other enhancements to the traditional //rc.d// system... however, these enhancements are not standard in Linux distributions and would take a lot of time to create, maintain, and deploy in a data center. Not to mention that custom deployment of these enhancements is prone to bugs and needs to be tested thoroughly. This is simply too much to ask of every system administrator. How many of us recreate the wheel with things such as:

1) notification of a service that has gone down,

2) creating listeners or wrappers that restart a service if it crashes,

3) placing **descriptive** logs of problems in //syslog// when a service won't start,

4) backing up, restoring, and undoing changes made to service configurations, etc.

After you get used to this system, you will not want to be without it.

Existing //rc.d// scripts and //inittab// entries are still run. After the SMF services have been started, the //rc.d// entries are run just as a user would expect.

Overview

For people new to SMF, there is a lot to learn. Definitely check out http://docs.sun.com/app/docs/doc/817-1985/6mhm8o5rq?a=view for a detailed overview of the system. I'll give a basic overview here, plus any interesting technical notes I might come across.

When learning SMF, there are terms you will need to know. Obviously, the SMF framework manages services. However, it is not always obvious what a service is, as Sun has generalized most system services as SMF services. For example, not only is Apache considered a service, but reaching init state 3, or S (or any other init state) is also a service, called a //milestone//. This seems a little strange at first, but makes plenty of sense when you start to think about things like service dependencies.

To identify a service you use what Sun calls a Fault Management Resource Identifier (or FMRI)... which is pretty much like a URI whose protocol is 'svc' and that can have certain convenient shorthands. Examples are:

 svc://localhost/system/system-log:default
 svc:/system/system-log:default
 system/system-log:default

As you may have guessed from seeing //localhost// in the full form of the above example FMRI, SMF was designed to be used in conjunction with a network directory service, allowing service configuration and run-time data to be shared across multiple OS instances. At the time of writing the network directory service is unavailable... but this is really exciting.

Something else important is that each service can have multiple instances. In the above FMRI examples, //system/system-log// is the service and //default// is the instance. Any given system can have multiple instances of the same service running, and even multiple versions of the same service running. The //system// is simply a category. There are other categories such as //application// and //milestone//.

SMF provides a lot more features, such as regular snapshots of working service configuration data, regular backups of the service repository, creation and application of profiles to ease batch service enabling or disabling, and more. To learn about the commands to interface with SMF, keep reading.

Commands

If you wish to see the currently configured services on your system, run the //svcs// command with no arguments. A listing will be provided of currently configured services, their current state, and their start time. If you run this command, you may also notice services with a different FMRI syntax, e.g., //lrc:/etc/rc3_d/S50/apache//. These are special FMRIs that identify services in the legacy //rc.d// system. You can monitor these services with the SMF framework, however you cannot administer them using SMF. You may have also noticed that no disabled services are shown in this list. If you wish to see all services, including those that are disabled, run the //svcs// command with the //-a// option. If you wish to see more detailed information about a service, run the //svcs// command with the //-l// argument followed by the FMRI of the service you wish to know more about. Here is an example I have run on my machine with its output:

 svcs -l system/system-log:default
 fmri         svc:/system/system-log:default
 name         system log
 enabled      true
 state        online
 next_state   none
 state_time   Fri Jul 20 17:20:27 2007
 logfile      /var/svc/log/system-system-log:default.log
 restarter    svc:/system/svc/restarter:default
 contract_id  57 
 dependency   require_all/none svc:/milestone/sysconfig (online)
 dependency   require_all/none svc:/system/filesystem/local (online)
 dependency   optional_all/none svc:/system/filesystem/autofs (online)
 dependency   require_all/none svc:/milestone/name-services (online)

Note that the //svcs// command is very flexible with FMRIs. For example, if I had specified //svcs -l system-log//, I would have received the same output. If you wish to know more about the //svcs// command, then run the //svcs// command with the //-?// option or see its man page.

Currently all service configuration and run time data is stored locally in the //Service Configuration Repository// (yet another boring yet literal and descriptive component name.) You interact and manipulate this data using the //svccfg// and //svcprop// commands, which in turn interact with the //svc.configd// daemon.

SMF keeps a plethora of backups of your service configuration data stored in ///etc/svc/// which you can restore with the ///lib/svc/bin/restore_repository// command. For more info about restoring a corrupt repository, go to http://docs.sun.com/app/docs/doc/817-1985/6mhm8o5tf?a=view.

Other SMF commands are //inetadm// and //svcadm//. //inetadm// gives administrative control over inetd services. Running the //inetadm// command by itself lists available inetd services and their current state. Passing the //-l// option followed by an FMRI will give more detailed information about a given service. You can also enable and disable an inetd service by passing the //-e// and //-d// arguments to //inetadm//, respectively, followed by the FMRI. For more information about //inetadm//, pass the command the //-?// option or see its man page.

//Make sure to look through your list of running inetd services and to disable the services you do not need.//
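One way to do that review, as an added example that is not part of the original notes: a bash script that reads an //inetadm// listing and prints the //inetadm -d// command for every enabled inetd service missing from a site allowlist. The sample listing and the allowlist are constructed; allowlist entries may use the FMRI shorthands from the Overview, and this example assumes an entry without an instance name covers every instance of that service.

```shell
#!/bin/bash
# Added example: find enabled inetd services that are not on an allowlist.

# Constructed sample of `inetadm` listing output (not captured from a real host).
sample_inetadm() {
cat <<'EOF'
ENABLED   STATE          FMRI
enabled   online         svc:/network/telnet:default
enabled   online         svc:/network/ftp:default
disabled  disabled       svc:/network/finger:default
enabled   offline        svc:/network/rpc/rstat:default
enabled   online         svc:/network/rpc/gss:default
EOF
}

# normalize_fmri FMRI: expand the shorthand forms to the svc:/... form.
normalize_fmri() {
    case $1 in
        svc://localhost/*) printf 'svc:/%s\n' "${1#svc://localhost/}" ;;
        svc:/*)            printf '%s\n' "$1" ;;
        *)                 printf 'svc:/%s\n' "$1" ;;
    esac
}

# is_allowed FMRI ENTRY...: succeed if FMRI matches one allowlist entry.
# Assumption of this example: an entry without ":instance" covers every instance.
is_allowed() {
    candidate=$1
    shift
    for entry in "$@"; do
        entry=$(normalize_fmri "$entry")
        case ${entry#svc:/} in
            *:*) if [ "$candidate" = "$entry" ]; then return 0; fi ;;
            *)   case $candidate in "$entry":*) return 0 ;; esac ;;
        esac
    done
    return 1
}

# unexpected_inetd ENTRY...: read an inetadm listing on stdin and print the FMRI
# of every service whose ENABLED column is "enabled" and that is not allowlisted.
# An enabled service that is currently offline is still reported.
unexpected_inetd() {
    while read -r enabled state fmri; do
        # The header row and disabled services fail this comparison.
        if [ "$enabled" != "enabled" ]; then continue; fi
        if ! is_allowed "$fmri" "$@"; then printf '%s\n' "$fmri"; fi
    done
}

# disable_commands: turn FMRIs on stdin into `inetadm -d` lines for review.
# The lines are printed, not executed.
disable_commands() {
    while read -r fmri; do
        printf 'inetadm -d %s\n' "$fmri"
    done
}

# Hypothetical allowlist for this host, mixing shorthand and full FMRIs.
sample_inetadm | unexpected_inetd network/rpc/gss svc:/network/ftp:default | disable_commands
```

On a real host, replace //sample_inetadm// with //inetadm// itself and review the printed commands before running them.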

The //svcadm// command gives common administrative control over service instances. The most common subcommands to //svcadm// are //enable//, //disable//, //restart//, and //refresh//. Enabling and disabling a service is persistent across reboots. To enable or disable a service only temporarily, pass the //-t// option. Passing the //-r// option to the //enable// subcommand enables an FMRI and all services it depends on.

SMF keeps regular snapshots of service configurations. If a service configuration is incorrect, you can revert the service's configuration back to a previous snapshot. In summary, use the //svccfg// command to grab a list of available snapshots and to revert to a chosen snapshot, then use the //svcadm// command to refresh and restart the service. Here is an example I got from Sun's website that reverts the //console-login// service to the last successful configuration snapshot (called //start//):

 # svccfg
 svc:> select system/console-login:default
 svc:/system/console-login:default> listsnap
 initial
 running
 start
 svc:/system/console-login:default> revert start
 svc:/system/console-login:default> quit
 # svcadm refresh system/console-login
 # svcadm restart system/console-login

As mentioned above, you may create //profiles// for the purpose of enabling and disabling a batch of services at once. A profile is an XML file that lists a number of services and whether or not they should be enabled. You can choose what services are to be listed in the profile and what should be enabled. For some profile examples, check out the XML files in the ///var/svc/profile// directory. To create your own profile, use the //svccfg// command to extract your current setup into an XML file that you can rename and edit. First, extract the current profile and save it to //profile.xml//.

 # svccfg extract > profile.xml

Then edit the profile to include only the services you want and what state they should be in (//enabled=true// or //enabled=false//). You can then apply a profile at any time with the //svccfg apply <profile>// command. So for our example:

 # svccfg apply profile.xml

If you want to create a new service from a given XML file, all you need to do is:

 # svccfg import /var/svc/manifest/application/management/sma.xml 

This will attempt to "refresh" the service once it's loaded into the database.

Configuring Services

Up until now we've been looking at commands that give us service status and allow us to enable/disable services and so on. But the workhorse of the SMF system is the //svccfg// command. Browsing through the command page gives around 30 subcommands. We've already seen that we can use the //svccfg// command to list and revert to previous snapshots. However, this is only scratching the surface. I will not reproduce the manual here... Sun's documentation is clearly written. But we'll go through a couple examples so that you can see what the //svccfg// command may be used for.

In this example, we are setting the environment variable //UMEM_DEBUG// to the value //default// for the //system/cron// service:

 # svccfg -s system/cron:default setenv UMEM_DEBUG default

For the change to be made to the running service, you will need to //refresh// and //restart// the service with the //svcadm// command.

You can view a process's environment variables with the //pargs// command. First, we'll need to know the PID of the process we wish to know more about. We can use the //svcs -p// command to find out the PIDs of processes running in a given service. So for our //system/cron:default// example, we can get the PID of the running cron daemon and then pass this PID to the //pargs// command:

   # svcs -p system/cron:default
   STATE          STIME    FMRI
   online         Jul_20   svc:/system/cron:default
                  Jul_20        227 cron
   # pargs -e 227
   227:    /usr/sbin/cron
   envp[0]: LOGNAME=root
   envp[1]: LANG=C
   envp[2]: PATH=/usr/sbin:/usr/bin
   envp[3]: SMF_FMRI=svc:/system/cron:default
   envp[4]: SMF_METHOD=/lib/svc/method/svc-cron
   envp[5]: SMF_RESTARTER=svc:/system/svc/restarter:default
   envp[6]: TZ=America/Louisville

In addition, you will be using the //inetadm// command to configure your inetd controlled services. Use the //-l// option followed by an FMRI to show the current properties set for a service. Use the //-m// option to set properties.

Reviewing Service Configuration

 svcprop svc:/network/http:apache2

Some Extra Details

If the above overview wasn't enough for you then keep reading.

Most of the backend to SMF is located in the ///lib/svc// directory. The methods that actually start and stop services are stored in ///lib/svc/method//. Important programs that manage the services are stored in ///lib/svc/bin//. However, most users will never need to interact with the contents of these directories directly.

The rest of SMF's data is stored in the ///var/svc// directory. The //manifests//, which are XML files which store important information about each service, such as dependencies on other services and what to do in case of an error, are all stored in the ///var/svc/manifest// directory. You will find startup and error logs in ///var/svc/log//. And finally, the ///var/svc/profile// directory contains a collection of XML files called profiles that are templates giving a good base of defaults for what services to run in different situations. For example, there is a ///var/svc/profile/generic_open.xml// which by default starts a lot of network services, and there is ///var/svc/profile/generic_limited_net.xml// which by default does NOT start most network services. You can create your own profile by creating ///var/svc/profile/site.xml// which will be read and incorporated with any other profiles being loaded by the system.

The //svc.startd// daemon is responsible for starting and restarting services in Solaris. It manages all service dependencies, and is pretty much a replacement for //init//, although //init// initially starts the //svc.startd// daemon.

When installing Solaris 10, you are asked if you wish to enable remote services (which is insecure), or if you wish to only run minimal network services. Whichever option you chose, you can change this at any time later with the //netservices// command. To run in limited network mode run ///usr/sbin/netservices limited//. To run in open network mode, run ///usr/sbin/netservices open//.

Solaris Zones

Install the needed Sun packages: SUNWpoolr SUNWpool SUNWluzone SUNWzoner SUNWzoneu

First, check to see if the //zones// service has been started. If not, enable it so that zones will be started after a system reboot.

 svcs svc:/system/zones:default            # is service disabled?  If so...
 svcadm enable svc:/system/zones:default   # enable it

Now that the //zones// service has been started, let's create a zone. But first, let's set up a directory where we can install all non-global zones. I'll use ///export/home/zones// for these examples.

 mkdir -pm 0700 /export/home/zones

Now let's create a zone that hosts only one application: a VPN daemon. In this setup, the hostname will be set to //vpn// and we'll use ///export/home/zones/vpn// as the //zonepath//. We'll set it up to boot automatically at system boot with the default privileges. We'll give it an IP of 192.168.0.200 and give it access to the //pts//, //random//, and //zero// devices. Here's the complete command line session:

 zonecfg -z vpn
 zonecfg:vpn> create
 zonecfg:vpn> set zonepath=/export/home/zones/vpn
 zonecfg:vpn> set autoboot=true  # Need svc:/system/zones:default to be started
 zonecfg:vpn> set limitpriv="default"
 zonecfg:vpn> add net
 zonecfg:vpn:net> set address=192.168.0.200
 zonecfg:vpn:net> set physical=vmxnet0 # Solaris is running in vmware
 zonecfg:vpn:net> end
 zonecfg:vpn> add device
 zonecfg:vpn:device> set match=/dev/pts/*
 zonecfg:vpn:device> end
 zonecfg:vpn> add device
 zonecfg:vpn:device> set match=/dev/*random
 zonecfg:vpn:device> end
 zonecfg:vpn> add device
 zonecfg:vpn:device> set match=/dev/zero
 zonecfg:vpn:device> end
 zonecfg:vpn> add attr
 zonecfg:vpn:attr> set name=comment
 zonecfg:vpn:attr> set type=string
 zonecfg:vpn:attr> set value="Virtual Private Network daemon"
 zonecfg:vpn:attr> end
 zonecfg:vpn> verify
 zonecfg:vpn> commit
 zonecfg:vpn> exit
 zonecfg -z vpn info  # double check everything

Now, we make a decision. If we wish to enable security auditing in any non-global zones, then we must add the following line to the ///etc/security/audit_startup// file:

 /usr/sbin/auditconfig -setpolicy +zonename

And then execute the same line in the shell:

 auditconfig -setpolicy +zonename

Let the fun begin! Run the zoneadm tool to install our newly configured zone. Give it some time, as it will be copying a lot of files and installing packages into the new zone.

 zoneadm -z vpn install

After finishing, we can see the //installed// status of our new zone with the //zoneadm list// command:

 zoneadm list -iv

And then place the zone in the //ready// state (so that we can attach a console before booting):

 zoneadm -z vpn ready

And now for the time of truth: we boot the zone. First, make sure to have two terminals running. In the first terminal, attach a console so that you can answer the initial configuration questions upon boot:

 zlogin -C vpn

And now boot the zone in the other terminal.

 zoneadm -z vpn boot

Now, answer the questions in the attached console to finish the initial configuration.

Voila! You are now in your new zone. You can also login without the //-C// option to //zlogin// which opens a new pseudo terminal. To exit a console session, enter the tilde character followed by a period: //~.//

By default, zones are installed wide open with the //generic_open.xml// profile. Let's set this to limited for a more secure installation.

 zlogin vpn
 vpn# /usr/sbin/netservices limited

Modifying and Enhancing the User Environment

This section contains various notes I've taken while trying to make my environment a little more usable. Coming from a Linux background, I quickly realized the importance of having an environment I feel comfortable in. Upon logging into Solaris right after installation, I went into shock. First thing I noticed is that I was using the Bourne Shell. Not having tab completion was simply torturous. Being an avid //zsh// user, I felt myself panicking as most of my expressive power was gone. //zsh// comes installed in a default install of Solaris, but it was jacked for me. I've had to use //bash// instead. Also, there was no //nano// or //emacs//, and I was forced to remember //vi// commands that I had suppressed from my memory years ago. Sometimes I found myself simply using //sed// and //heredoc//s to avoid using //vi//. Also, having a bare minimum //PATH// by default didn't help. E.g., //wget// was already installed, but you would never know that unless you ran something like //find /usr -name wget//. Yep... there is no //locate// or //slocate//.

So, I set out to resolve my agonies and I've made the following notes along the way. Hopefully they are helpful to you.

Setting A More Liberal PATH Variable

By default, your //PATH// variable will contain something like ///usr/bin:/usr/openwin/bin//. On Solaris, binaries are split up all over the place, which means having to type ///usr/sadm/sysadm/smc// to start the //System Management Console// when really we should just be able to type //smc//. Let's edit ///etc/default/login// and ///etc/default/su// and set the //PATH// and //SUPATH// to something more helpful. You may need to make the files writable by their owner (root) first. Use //u+w//, not //o+w//: these files set the search path for logins and for //su//, so they must not be left world-writable:

 chmod u+w /etc/default/{login,su}

Now edit ///etc/default/login// and ///etc/default/su// and set the //PATH// and //SUPATH// variables to something like:

 PATH=/opt/csw/bin:/usr/sfw/bin:/usr/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/usr/ccs/bin:/usr/local/bin:/usr/sfw/bin
 SUPATH=/opt/csw/bin:/usr/sfw/bin:/usr/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/usr/ccs/bin:/usr/local/bin:/usr/sfw/bin

You may notice that ///opt/csw/// doesn't exist on your system. This directory will be created after following the instructions below for adding software from [[http://blastwave.com]]. If you will not be installing software from http://blastwave.com then feel free to leave out ///opt/csw/bin// from the //PATH// and //SUPATH// variables above.
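Every directory in //SUPATH// is searched when root runs a command by name, so each one should exist, be owned by root, and not be group- or world-writable. The following check is an added example (not part of the original notes), written for bash; the function names and status labels are its own, and the value audited at the end is the //SUPATH// shown above.

```shell
#!/bin/bash
# Added example: audit each directory named in a PATH or SUPATH value.

# SUPATH value copied from the section above.
PAGE_SUPATH=/opt/csw/bin:/usr/sfw/bin:/usr/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/usr/ccs/bin:/usr/local/bin:/usr/sfw/bin

# audit_path_dirs VALUE [OWNER_UID]
# Prints "STATUS<TAB>entry" for each component of VALUE:
#   EMPTY     empty component, which the shell treats as the current directory
#   RELATIVE  not an absolute path, so it resolves against the current directory
#   MISSING   no such directory yet (check who would be able to create it)
#   WRITABLE  group- or world-writable
#   FOREIGN   owned by a uid other than OWNER_UID (default 0, root)
#   OK        none of the above
audit_path_dirs() {
    rest="$1:"                 # trailing ':' so the last component is consumed
    want_uid=${2:-0}
    while [ -n "$rest" ]; do
        dir=${rest%%:*}        # next component
        rest=${rest#*:}        # everything after the first ':'
        if [ -z "$dir" ]; then
            printf 'EMPTY\t(current directory)\n'
        elif [ "${dir#/}" = "$dir" ]; then
            printf 'RELATIVE\t%s\n' "$dir"
        elif [ ! -d "$dir" ]; then
            printf 'MISSING\t%s\n' "$dir"
        else
            # -L follows symlinks; -n prints the numeric uid in field 3.
            ls_out=$(ls -ldLn "$dir")
            perms=${ls_out%% *}
            uid=$(printf '%s\n' "$ls_out" | awk '{ print $3 }')
            case $perms in
                # Character 6 is group write, character 9 is other write.
                d????w*|d???????w*) printf 'WRITABLE\t%s\n' "$dir" ;;
                *)  if [ "$uid" = "$want_uid" ]; then
                        printf 'OK\t%s\n' "$dir"
                    else
                        printf 'FOREIGN\t%s\n' "$dir"
                    fi ;;
            esac
        fi
    done
}

# path_is_safe VALUE [OWNER_UID]: succeed only if every component is OK.
path_is_safe() {
    if audit_path_dirs "$@" | grep -v '^OK' >/dev/null; then
        return 1
    fi
    return 0
}

# Report on the SUPATH from this page as it resolves on the current host.
audit_path_dirs "$PAGE_SUPATH"
```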

Compiling Software

 - download Solaris ISO
 - [[solaris#mounting_isos|Mount ISO]]
 - install the following packages from Solaris_10/Product inside the ISO
   pkgadd -d . SUNWhea SUNWbinutils SUNWarc SUNWlibmr SUNWlibm SUNWgccruntime SUNWgcc

Additional info (might be deprecated):

http://www.science.uva.nl/pub/solaris/solaris2.html#q6.2

   for tools (sccs, lex, yacc, make, nm, truss, ld, as):
       SUNWbtool, SUNWsprot, SUNWtoo, SUNWcpp
   for libraries & headers:
       SUNWhea, SUNWarc, SUNWlibm, SUNWlibms
       SUNWdfbh, SUNWcg6h, SUNWxwinc, SUNWolinc,
       SUNWxglh, SUNWlibC, SUNWzlib, SUNWscpu
   for 64 bit development (in S10 these have all been merged into
       the non-x versions):
       SUNWarcx, SUNWbtoox, SUNWdplx, SUNWscpux, SUNWsprox,
       SUNWtoox, SUNWlmsx, SUNWlmx, SUNWlibCx, SUNWzlibx
   for ucb compat:
       SUNWsra, SUNWsrh

Compiling Cfengine

Here is a quick example of how to compile Cfengine and install it in /opt/local/cfengine with all the needed libraries self-contained within this directory.

 - create a directory called ~/utilities/cfengine
 - download all the necessary software there
 - create a Makefile like the example below
 - run "make build_bdb build_openssl; sudo make install_bdb install_openssl; make build_cf; sudo make install_cf"

Directory contents:

   Makefile
   cfengine-3.0.2.tar.gz
   db-4.7.25.tar.gz
   openssl-0.9.8k.tar.gz

**Makefile**

   CF:=cfengine-3.0.2
   DB:=db-4.7.25
   OSSL:=openssl-0.9.8k
   CFROOT:=/opt/local/cfengine
   # /opt/csw/gnu  (gnu make)
   # /usr/ccs/bin  (ar, ranlib)
   PATH:=/usr/sfw/bin:/opt/csw/gnu:/usr/ccs/bin:${PATH}
   export PATH
   CC:=gcc
   export CC
   CXX:=g++
   export CXX
   # debug # -xc99 -xtarget=native64 -xcode=pic32 -g -O0
   CFLAGS:=-O2 -m64
   export CFLAGS
   CXXFLAGS:=$(CFLAGS)
   export CXXFLAGS
   CPPFLAGS:=-I$(CFROOT)/include
   export CPPFLAGS
   LDFLAGS:=-L/usr/sfw/lib/64 -R/usr/sfw/lib/64
   export LDFLAGS
   # 64-bit OpenSSL Configure targets, to match -m64 in CFLAGS
   ARCH := $(shell uname -m)
   ifeq ($(strip ${ARCH}),i86pc)
   OSSLTARGET := solaris64-x86_64-gcc
   else
   OSSLTARGET := solaris64-sparcv9-gcc
   endif
   help:
           @echo make all
           @echo make build_bdb
           @echo make build_cf
           @echo make build_openssl
           @echo
           @echo make install_bdb
           @echo make install_cf
           @echo make install_openssl
           @echo
           @echo make clean
           @echo make clean_cf
           @echo make clean_bdb
           @echo make clean_openssl
   all: build_cf install_cf
   install_cf:
           sudo make -C $(CF) install
   install_bdb:
           sudo make -C $(DB)/build_unix install
   build_cf: $(CF)/Makefile
           make -j 4 -C $(CF)
   build_bdb: $(DB)/Makefile
           make -j 4 -C $(DB)/build_unix
   $(CF)/Makefile: $(CF)
           cd $(CF) && ./configure --prefix=$(CFROOT) --with-berkeleydb=$(CFROOT) --with-openssl=$(CFROOT)
   $(DB)/Makefile: $(DB)
           cd $(DB)/build_unix && ../dist/configure --prefix=$(CFROOT)
   $(CF): $(CF).tar.gz
           gtar -xzvf $<
           touch $@
   $(DB): $(DB).tar.gz
           gtar -xzvf $<
           touch $@
   clean: clean_bdb clean_cf clean_openssl
   clean_cf:
           rm -rf $(CF)
   clean_bdb:
           rm -rf $(DB)
   install_openssl:
           sudo make -C $(OSSL) install
   # openssl does not like -j 4
   build_openssl: $(OSSL)/Makefile
           make -C $(OSSL)
   $(OSSL)/Makefile: $(OSSL)
           cd $(OSSL) && ./Configure --prefix=$(CFROOT) $(OSSLTARGET) shared
   $(OSSL): $(OSSL).tar.gz
           gtar -xzvf $<
           touch $@
   clean_openssl:
           rm -rf $(OSSL)

Managing Software

Tracking Packages

To figure out the name of the package that contains a given file, use:

   pkgchk -lp /path/to/file

Removing Software

   pkginfo -x | cut -f1 -d " " | grep gnome > /tmp/rmpackages
   pkgrm -n `cat /tmp/rmpackages`

You might need to drop the **-n** to make **pkgrm** run interactively. Or, if you are sure that you want to reply "yes" to all:

   yes | pkgrm `cat /tmp/rmpackages`
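
The same removal done with a private temporary file, as an added example (not part of the original notes). A fixed name such as /tmp/rmpackages in a world-writable directory can be pre-created by another local user before root writes to it, and an empty match list would leave pkgrm with no package arguments. The helpers select_pkgs and write_removal_list are hypothetical names, the pkginfo -x sample is constructed, and bash or ksh with mktemp is assumed.

```shell
#!/bin/bash
# select_pkgs PATTERN: read `pkginfo -x` output on stdin and print the names
# of the packages whose name matches PATTERN.
select_pkgs() {
    # pkginfo -x prints the package name flush left and the arch/version line
    # indented, so only lines that start with a non-blank carry a name.
    sed -n 's/^\([^ ][^ ]*\).*/\1/p' | grep "$1"
}

# write_removal_list PATTERN: store the matches in a file created by mktemp
# (unpredictable name, mode 0600) and print its path. Fails on an empty list.
write_removal_list() {
    list=$(mktemp "${TMPDIR:-/tmp}/rmpackages.XXXXXX") || return 1
    select_pkgs "$1" > "$list"
    if [ ! -s "$list" ]; then
        rm -f "$list"
        echo "no installed package matches '$1'" >&2
        return 1
    fi
    echo "$list"
}

# Constructed sample of `pkginfo -x` output (not taken from a real system).
sample_pkginfo() {
cat <<'EOF'
SUNWgnome-panel        GNOME panel and support libraries
                       (i386) 2.6.0,REV=10.0.3
SUNWbash               GNU Bourne-Again shell (bash)
                       (i386) 11.10.0,REV=2005.01.08
SUNWgnome-terminal     GNOME terminal emulator
                       (i386) 2.6.0,REV=10.0.3
EOF
}

# On a real system, as root:
#   list=$(pkginfo -x | write_removal_list gnome) || exit 1
#   cat "$list"                      # review the names before removing anything
#   pkgrm -n $(cat "$list") && rm -f "$list"
```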

Getting Extra Software

After installing Solaris and blundering around for a little while, I realized that I would go crazy if I couldn't use my normal tools (e.g., nano, emacs, screen, etc.) There are two popular sites where you can install free software: http://sunfreeware.com and http://blastwave.com. Both sites are excellent, but there are some differences. One major difference is that on http://sunfreeware.com you will need to install package dependencies yourself. However, on http://blastwave.com, the //pkg-get// package will install package dependencies automatically for you. On a lot of packages, I find that http://sunfreeware.com has more recent versions of software packages whereas http://blastwave.com allows you to choose from //stable// and //unstable//, which might be more attractive for System Administrators looking for stability. We'll focus on http://blastwave.com first. For more in-depth instructions, read [[http://www.blastwave.org/howto.html]].

First, install //pkg-get// from http://blastwave.com.

 /usr/sbin/pkgadd -d http://www.blastwave.org/pkg_get.pkg

Edit the /opt/csw/etc/pkg-get.conf file and change the default [[http://www.blastwave.org/mirrors.php|mirror]] to something more appropriate. I used [[http://www.gtlib.gatech.edu/pub/blastwave/stable]]

 vi /opt/csw/etc/pkg-get.conf

When using //pkg-get// to install packages from http://blastwave.com, you will be asked to confirm certain questions. This gets annoying quickly, especially if you are installing a package with many dependencies. To turn this off, type the command:

 cp -p /var/pkg-get/admin-fullauto /var/pkg-get/admin

You can edit the ///var/pkg-get/admin// file to customize which confirmations the //pkg-get// utility asks for.

To get started check out the listing of available packages at [[http://www.blastwave.org/packages.php]]. Install packages using the //pkg-get install <pkgname>// syntax or //pkg-get -i <pkgname>//. To find out all available options, run //pkg-get// with no arguments.

Enabling and Setting Up GDM

I pulled these instructions from [[http://www.gnome.org/learn/access-guide/latest/sysadmin-27.html]].

 * Open the file ///etc/X11/gdm/gdm.conf// and uncomment the following line and set it to //true//:
 #AddGtkModules=false

This step enables the GtkModules. Next, uncomment the line:

 #GtkModulesList=gail:atk-bridge:dwellmouselistener:keymouselistener

This step loads all of the GtkModules to enable assistive technologies such as On-Screen Keyboard and Screen Reader and Magnifier. You can edit the line above further to load only the GtkModules that you require to support the user base. For optimum accessibility, include gail and atk-bridge.

 * Enter the following command to stop the dtlogin manager:
 /usr/dt/bin/dtconfig -d
 * Enter the following commands to configure GDM as the login manager:
 # svccfg import /var/svc/manifest/application/gdm2-login.xml
 # svcadm enable application/gdm2-login
 * Edit the file ///etc/passwd// to append the following to the end of the gdm line:

/etc/X11/gdm/home

 * Create the ///etc/X11/gdm/home// directory and assign ownership of the directory to the gdm user.
 * Restart your system.

//(Note: after enabling gdm with the //svcadm enable application/gdm2-login// command, my X display went foobar. I had to ssh into the machine to finish the commands and reboot. YMMV)//

There is a lot more information at [[http://library.gnome.org/admin/gdm/unstable/solaris.html.en]].

//TODO: provide instructions for reverting back to dt if desired//

Enabling and Setting Up Synergy with GDM

//Note: These instructions assume a system running X11 that is used by a single person.//

 - enable GDM as described above
 - pkg-get install synergy
 - edit **/etc/X11/gdm/Init** `/opt/csw/bin/synergyc HOSTNAME_or_IP; sysmodmap=/etc/X11/Xmodmap`
 - edit **/etc/X11/gdm/PreSession/Default** `/opt/csw/bin/synergyc HOSTNAME_or_IP; XSETROOT=\`gdmwhich xsetroot\``
 - edit or create a new file **/etc/X11/gdm/PostLogin/Default** `/usr/bin/pkill synergyc`
 - edit **/etc/X11/gdm/PostSession/Default** `/usr/bin/pkill synergyc; SESSREG=\`gdmwhich sessreg\``

Setting Up Alternative Window Managers

If you have installed any alternative window managers from http://blastwave.com or elsewhere, you may be wondering how to get them to show up as options in the GDM session list. For example, I installed fluxbox (//pkg-get -i fluxbox//) and want to make it my default window manager after logging into GDM. The directory ///usr/share/xsessions// holds a number of //.desktop// files that contain information about the available sessions that GDM is configured for. To add a session to GDM, we simply need to create our own //.desktop// file and add it to this directory. For my fluxbox example, create a file called ///usr/share/xsessions/fluxbox.desktop// with the following contents:

 [Desktop Entry]
 Encoding=UTF-8
 Name=Fluxbox
 Comment=Fluxbox
 Exec=/opt/csw/bin/fluxbox
 Type=Application

For a different window manager, simply change the //Name// and //Comment// fields to whatever you like, then update the //Exec// field to be the command that launches your window manager. The next time you log in to GDM, you will see your entry in the Sessions menu.

Upon entering Fluxbox, I noticed that the default //PATH// had been changed. So I changed the //DefaultPath// option in the ///etc/X11/gdm/gdm.conf// file... but this still didn't help. I'm not sure why as the GDM documentation says that either the //DefaultPath// option will be used or the environment from ///etc/default/login// will be used. I ended up explicitly setting the //PATH// variable in the ///usr/share/xsessions/fluxbox.desktop// file:

 [Desktop Entry]
 Encoding=UTF-8
 Name=Fluxbox
 Comment=Fluxbox
 Exec=env PATH=/opt/csw/bin:/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/ccs/bin:/usr/ucb:/usr/openwin/bin:/usr/dt/bin /opt/csw/bin/fluxbox
 Type=Application

Hint: If you want to run //fluxbox-generate_menu//, open the file ///opt/csw/bin/fluxbox-generate_menu// in your favorite editor and change the top line to read //#!/bin/bash// instead of //#!/bin/sh//.

Using Live Upgrade

Upgrading to a new Solaris release with Live Upgrade is done by:

 * Patching the current system (Sunsolve #72099: [[http://sunsolve.sun.com/search/document.do?assetkey=1-9-72099-1]])
 * Using lu* commands [[http://www.sun.com/software/solaris/howtoguides/liveupgradehowto.jsp]]

Mounting ISOs

Use **lofiadm** to create a loopback device associated with a given .iso file (it prints the device name it assigned, /dev/lofi/1 here):

 lofiadm -a /Users/Shared/Software/centos/CentOS-4.5-i386-binDVD.iso
 mount -F hsfs /dev/lofi/1 /Users/Shared/Software/centos/cd

When done, undo with the following:

 umount /Users/Shared/Software/centos/cd
 lofiadm -d /dev/lofi/1

Patching

Get a cluster of patches unzipped into /var/spool/patch/10_x86_Recommended

 cd /var/spool/patch/10_x86_Recommended
 ./install_cluster

For more installation messages refer to the installation logfile:

 /var/sadm/install_data/Solaris_10_x86_Recommended_Patch_Cluster_log

Use '/usr/bin/showrev -p' to verify installed patch-ids.
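
One way to turn that check into a pass/fail test, as an added example (not part of the original notes): missing_patches is a hypothetical helper that reads showrev -p output and reports which required patch revisions are neither installed nor obsoleted by an installed patch. The patch IDs and the sample output are constructed, and AWK is an assumed override variable.

```shell
#!/bin/sh
# missing_patches ID-REV...: read `showrev -p` output on stdin and print every
# required patch that is neither installed at that revision or later nor
# listed as obsoleted by an installed patch. Returns 1 if any are missing.
missing_patches() {
    # AWK is an assumed override: on Solaris 10 set AWK=nawk, because the
    # old /usr/bin/awk has neither -v nor user-defined functions.
    ${AWK:-awk} -v want="$*" '
    # Remember the highest revision seen for each patch base number.
    function note(p,    a) {
        if (split(p, a, "-") != 2) return
        if (!(a[1] in have) || a[2] + 0 > have[a[1]] + 0) have[a[1]] = a[2]
    }
    $1 == "Patch:" {
        note($2)
        # Fields up to "Requires:" are the patches this one obsoletes;
        # note() ignores the "Obsoletes:" label itself.
        for (i = 3; i <= NF && $i != "Requires:"; i++) {
            p = $i; sub(/,$/, "", p); note(p)
        }
    }
    END {
        n = split(want, w, " ")
        for (i = 1; i <= n; i++) {
            split(w[i], r, "-")
            if (!(r[1] in have) || have[r[1]] + 0 < r[2] + 0) { print w[i]; bad = 1 }
        }
        exit bad + 0
    }'
}

# Constructed sample of `showrev -p` output (patch IDs are made up).
sample_showrev() {
cat <<'EOF'
Patch: 100001-07 Obsoletes: 100003-02, 100004-01 Requires: 100002-03 Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 100002-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 100001-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWckr
EOF
}

# On a real system:
#   AWK=nawk; /usr/bin/showrev -p | missing_patches 100001-05 100002-04
```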

Jumpstart

Step-by-Step

First we set up the jumpstart server (stuff that you should type is in bold):

  - **ssh jumpserver**
  - edit /etc/hosts with hostname and IP of server
  - create /export/install/jumpstart/sys/HOSTNAME/sysidcfg
  - run **/export/install/jumpstart/bin/add-client sun4{v,u} MAC**. sun4v is T1000's, sun4u is v210z's
  - edit /etc/ethers with MAC, FQDN and hostname of server 

Now we boot from the network and send the install command to net boot

  - connect cable to serial console
  - type **#.** (shift + 3 + .) after a new-line character. You need to do this fast as soon as you press **ENTER**
  - on ALOM/ELOM set the password to the "admin" user
  - send "break" to the console (hint: type **break**)
  - type **console** to go back to the console. it should be on the "ok" prompt
  - type **boot net - install** 

Hardware Information

^ command ^ notes ^
^ prtdiag -d | get information on fans |
^ ndd | get information on ethernet cards |
^ psrinfo -v | get information on CPU |

Examples:

     **ndd /dev/nge0 \?**
     ?                             (read only)
     autoneg_cap                   (read only)
     pause_cap                     (read only)
     asym_pause_cap                (read only)
     1000fdx_cap                   (read only)
     1000hdx_cap                   (read only)
     100T4_cap                     (read only)
     100fdx_cap                    (read only)
     100hdx_cap                    (read only)
     10fdx_cap                     (read only)
     10hdx_cap                     (read only)
     adv_autoneg_cap               (read only)
     adv_pause_cap                 (read and write)
     adv_asym_pause_cap            (read and write)
     adv_1000fdx_cap               (read and write)
     adv_1000hdx_cap               (read and write)
     adv_100T4_cap                 (read only)
     adv_100fdx_cap                (read and write)
     adv_100hdx_cap                (read and write)
     adv_10fdx_cap                 (read and write)
     adv_10hdx_cap                 (read and write)
     lp_autoneg_cap                (read only)
     lp_pause_cap                  (read only)
     lp_asym_pause_cap             (read only)
     lp_1000fdx_cap                (read only)
     lp_1000hdx_cap                (read only)
     lp_100T4_cap                  (read only)
     lp_100fdx_cap                 (read only)
     lp_100hdx_cap                 (read only)
     lp_10fdx_cap                  (read only)
     lp_10hdx_cap                  (read only)
     link_status                   (read only)
     link_speed                    (read only)
     link_duplex                   (read only)
     link_autoneg                  (read only)
     link_rx_pause                 (read only)
     link_tx_pause                 (read only)
     loop_mode                     (read only)
     **ndd /dev/nge0 link_speed** 
     100

Troubleshooting

Autofs

 - edit /etc/syslog.conf and ensure you can see all entries in /var/adm/messages `*.debug                                         /var/adm/messages`
 - edit /etc/default/autofs and ensure that you have the following values
   # Verbose mode.  Notifies of autofs mounts, unmounts, or other
   # non-essential events.  This equivalent to the "-v" argument.
   AUTOMOUNT_VERBOSE=TRUE
   # Verbose.  Log status messagess to the console.
   # This is equivalent to the "-v" argument.
   AUTOMOUNTD_VERBOSE=TRUE
   # Trace.  Expand each RPC call and display it on standard output.
   # This is equivalent to the "-T" argument.
   AUTOMOUNTD_TRACE=1
 - on Solaris 10 you can check the service log also 
   svcs -l autofs
   /var/svc/log/system-filesystem-autofs:default.log
 - if you are using LDAP to configure your autofs, enable logging at that level
   cat /etc/ldap/slapd.conf
   loglevel 256
 - also, on LDAP, ensure that you can query the entry that you are looking for
   ldapsearch -x -h myserver -b "automountMapName=auto_home,dc=example,dc=com" "(&(objectclass=automount)(automountKey=myuser))"

If your server is not returning anything, you might need to redo your index:

   SLAPD_INIT="/etc/init.d/slapd"
   $SLAPD_INIT stop
   sleep 1
   # reindex only once slapd has really stopped
   if ! pgrep slapd > /dev/null; then
       /usr/sbin/slapindex
       chown -R openldap:openldap /var/lib/ldap/
       $SLAPD_INIT start
   else
       echo "Could not stop slapd" 1>&2
   fi

Single User Mode

Insert the CD/DVD for Solaris 10 and choose "Single user shell", or boot your SPARC based system with: **reboot -- -s**. Then your / (root) tree will be mounted in /a and you can do:

 cat /a/etc/vfstab
 umount /etc/mnttab
 /sbin/mount -F mntfs mnttab /etc/mnttab
 ... mount each drive from vfstab inside /a ...
 chroot /a /bin/bash
 ... then perform your changes ...

Simple, huh?

commands

 truss /sbin/foo # same as strace in Linux

Sun Studio

   # download Sun Studio software
   wget 'http://link' -O Sun-Studio-SunOS.tar.bz2
   bunzip2 Sun-Studio-SunOS.tar.bz2
   tar xf Sun-Studio-SunOS.tar
   cd SunStudio12u1-SunOS-SPARC-pkgs
   sudo ./SunStudio12u1-SunOS-SPARC-pkgs.sh --non-interactive-accept-license --current-zone-only

Using SAR

Report all available data (-A) from start time (-s) to end time (-e), reading from the file named by -f (sa21 here is the file for the 21st day of this month):

 sar -A -e 17:00 -s 12:30 -f /var/adm/sa/sa21 | more

Sun Hardware

Serial Console

serial consoles on Sun hardware

Working with the SP

You can use the SP directly without using ALOM. The ALOM interface is more user-friendly, though.

 - connect a serial cable to the SER CONSOLE port
 - login as **root** / **changeme**
 - type **help**
 

To reboot a system you can do:

 - **stop /SYS**
 - **start /SYS**

To start the console you can do:

 - **start /SP/console** (or **start /SP/AgentInfo/console**)

Use **ESC + (** to exit back to the SP.

You can use **cd** to change to different targets and you can use **show** to show all properties under a target tree. This is very intuitive once you know UNIX.

Setting ALOM

 - connect serial cable to SER CONSOLE port
 - login as **root** / **changeme**
 - **create /SP/users/admin password=secret**
 - **set /SP/users/admin role=Administrator** (on other systems: **set /SP/users/admin permission=administrator**)
 - **set /SP/users/admin cli_mode=alom** (SPARC CPUs only)

serial consoles on Sun hardware

Say you need to get to the console that manages www.example.com (on a serial console device like administration:lsi):

 - **dig www.example.com TXT** to get the record on DNS that tells what console server manages **www**
   - www.example.com. 3600  IN      TXT     "0:14:4f:8x:xx:xx, FOOBAR13"
 - **sudo ssh foobar** to get to the box in question, in this case managed by **foobar**
 - **connect 13**
 - **#.** to login as admin to the ALOM
 - **help** to see what you can do (see list below)

^ Command ^ Note ^
| ESC + Shift + B | Takes you to the "ok" prompt where you can type boot -r to reboot a system |
| ESC + Shift + A | Ends the console session |
| Shift + # + . | drops to the ALOM prompt |

ALOM commands

^ Command ^ Note ^
| console | connects to the console |
| help | shows list of commands |
| poweron | powers on the machine (boot or reset) |
| powercycle | reboots the machine |

Status Monitoring

IO Stat

 iostat -xtnp 2

Firmware Upgrade

Local Upgrade (Solaris)

 - download firmware patch from SunSolve (sunsolve.sun.com)
 - unzip to /tmp/$PATCH
 - cd /tmp/$PATCH; /tmp/$PATCH/sysfwdownload Sun_System_Firmware-VERSION-Sun_Fire_SERVER.bin (this takes 10 - 15 min)
 - # init 0 (go into Ok prompt (ALOM))
 - {0} ok #. (go into serial console)
 - sc> poweroff
 - sc> setkeyswitch -y normal
 - sc> flashupdate -s 127.0.0.1
 - sc> resetsc

Now log in to the serial console, power on the system and boot:

 - sc> poweron
 - sc> console -f

Network Upgrade (tftp. No Solaris)

   sc> setupsc
   Entering Interactive setup mode. To exit and discard changes to that point, use Ctrl-C or to exit and save changes to that point, use Ctrl-Z.
   Do you wish to configure the enabled interfaces [y]? y
   Should the SC network interface be enabled [y]? y
   Should the SC interface connection type be set [ssh]? 
   ssh
   Should the SC email alerts be enabled [y]? n
   Do you wish to configure the network interface [y]? y
   Should the SC use DHCP to obtain its network configuration [y]? n
   Enter the SC IP address [100.100.100.100]? 192.168.1.203
   Enter the SC IP netmask [255.255.255.0]? 
   255.255.255.0
   Enter the SC IP gateway address [100.100.100.100]? 192.168.1.1  
   Do you wish to configure the network management interfaces [y]? y
   Enter the number of mail servers to configure [0]? 
   0
   Do you wish to configure the SC parameters [y]? n
   Do you wish to configure the platform diagnostic parameters [y]? n
   Your ALOM configuration profile has been successfully completed.  To activate your network configuration, please enter 'setsc netsc_commit true' at sc prompt.
   sc> setsc netsc_commit true
   sc> flashupdate -s 192.168.0.33 -f firmware/T5120-7_2_7_d-SPARC.pkg
   sc> resetsc
