OpenSolaris: Difference between revisions
(→LDAP) |
m (added to Software category) |
||
(262 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
== Networking == |
|||
First, Solaris is drugs. Avoid it at all cost. |
|||
Create /etc/defaultroute with contents: |
|||
== pkg-get == |
|||
129.97.134.1 |
|||
Modify /etc/netmasks and add to the end: |
|||
129.97.134.1 255.255.255.0 |
|||
Create /etc/hostname.e1000g0 (where e1000g0 is the interface name): |
|||
ginseng |
|||
Modify /etc/hosts so that it contains at least the following: |
|||
127.0.0.1 localhost loghost |
|||
129.97.134.89 ginseng.csclub.uwaterloo.ca ginseng |
|||
Run the following: |
|||
svcadm enable physical:default |
|||
/lib/svc/methods/net-physical:default |
|||
== OpenSolaris Packages == |
|||
You should install the following build-related packages: |
|||
pkg install SUNWarc SUNWsfwhea SUNWhea SUNWtoo |
|||
If you want gcc and Sun Studio: |
|||
pkg install gcc-dev sunstudio |
|||
== Blastwave/CSW Packages == |
|||
Install pkg-get: |
|||
pkgadd -d http://www.blastwave.org/pkg_get.pkg |
pkgadd -d http://www.blastwave.org/pkg_get.pkg |
||
* In /opt/csw/etc/pkg-get.conf, set the primary url to http://mirror.csclub.uwaterloo.ca/blastwave/unstable. |
|||
Install various packages: |
|||
pkg-get -i gnupg |
|||
/opt/csw/bin/pkg-get -i gnupg screen bash_completion bison gawk gsed puppet top iftop wireshark |
|||
pkg-get -i vim |
|||
We want certain config files to be in /etc, rather than /opt/csw: |
|||
== LDAP == |
|||
rm -f /opt/csw/etc/openldap/ldap.conf && ln -s /etc/ldap/ldap.conf /opt/csw/etc/openldap/ldap.conf |
|||
rm -f /etc/krb5/krb5.conf && ln -s /etc/krb5.conf /etc/krb5/krb5.conf |
|||
rm -f /etc/krb5/krb5.keytab && ln -s /etc/krb5.keytab /etc/krb5/krb5.keytab |
|||
== Environment variables == |
|||
In /etc/default/login, change PATH and SUPATH: |
|||
PATH=/usr/local/bin:/usr/gnu/bin:/opt/csw/bin:/opt/csw/gcc3/bin:/usr/bin:/bin:/usr/sfw/bin |
|||
SUPATH=/usr/local/sbin:/usr/local/bin:/usr/gnu/bin:/opt/csw/sbin:/opt/csw/bin:/opt/csw/gcc3/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/sfw/bin |
|||
Near the top of /etc/profile, add: |
|||
export PAGER=less |
|||
== nss_ldap == |
|||
The native nss_ldap library doesn't support rfc2307bis, so we need to build padl's nss_ldap from source: |
|||
LDFLAGS=-L/opt/csw/lib CFLAGS=-I/opt/csw/include ./configure --with-ldap-conf-file=/etc/libnss-ldap.conf --prefix=/usr/local |
|||
LDADD=-L/opt/csw/lib\ -R/opt/csw/lib make; make install |
|||
ln -s /usr/local/lib/nss_ldap.so.1 /lib/nss_ldap.so.1 |
|||
Modify /etc/nsswitch.ldap to your liking. You should also copy /etc/libnss-ldap.conf from caffeine. Despite the fact that we link against csw's openldap libraries, we need to configure the native ldap library. |
|||
ldapclient manual -a credentialLevel=anonymous \ |
ldapclient manual -a credentialLevel=anonymous \ |
||
-a authenticationMethod=none \ |
-a authenticationMethod=none \ |
||
-a domainName=csclub.uwaterloo.ca \ |
|||
-a defaultSearchBase=dc=csclub,dc=uwaterloo,dc=ca \ |
-a defaultSearchBase=dc=csclub,dc=uwaterloo,dc=ca \ |
||
-a defaultSearchScope=sub \ |
-a defaultSearchScope=sub \ |
||
-a domainName=csclub.uwaterloo.ca \ |
|||
-a preferredServerList=ldap1.csclub.uwaterloo.ca,ldap2.csclub.uwaterloo.ca \ |
|||
-a defaultServerList=ldap1.csclub.uwaterloo.ca,ldap2.csclub.uwaterloo.ca |
-a defaultServerList=ldap1.csclub.uwaterloo.ca,ldap2.csclub.uwaterloo.ca |
||
In /etc/group, add the following to the bottom: |
|||
users::100: |
|||
== PAM == |
|||
In /etc/pam.conf, after |
|||
other auth required pam_unix_cred.so.1 |
|||
add |
|||
other auth sufficient pam_krb5.so.1 |
|||
You should also do this for 'login'. |
|||
You need to create /etc/krb5/krb5.keytab containing host/fqdn@CSCLUB.UWATERLOO.CA where fqdn is the fully qualified domain name of the host. |
|||
== sudo == |
|||
The sudo in blastwave/csw does not inclue the '--secure-path' configure option or ldap support, so you should build sudo from source: |
|||
./configure --prefix=/usr/local --with-all-insults --with-exempt=sudo --with-pam --with-fqdn --with-logging=syslog --with-logfac=auth \ |
|||
--with-secure-path=/usr/local/sbin:/usr/local/bin:/usr/gnu/bin:/opt/csw/sbin:/opt/csw/bin:/opt/csw/gcc3/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/sfw/bin \ |
|||
--with-env-editor --with-timeout=15 --with-password-timeout=0 --disable-root-mailer --disable-setresuid --with-sendmail=/usr/sbin/sendmail \ |
|||
--with-ldap --with-ldap-conf-file=/etc/ldap/ldap.conf |
|||
* In config.h, change '#define HAVE_DGETTEXT 1' to '#undef HAVE_DGETTEXT' |
|||
make; make install |
|||
== ZFS == |
|||
When you add new disks you need to have Solaris rescan for disks. You can do this by adding '-r' as a kernel option (via grub). |
|||
To view a list of disks: |
|||
format |
|||
To create a mirrored "zpool" (basically lvm/mdadm/fs all rolled into one): |
|||
zpool create users mirror c2t0d0 c2t1d0 |
|||
This creates a RAID 1 zpool with component disks c2t0d0 and c2t1d0. |
|||
To enable Kerberos security, modify /etc/nfssec.conf and uncomment the krb5 lines. |
|||
Also see [[User-data#ZFS]]. |
|||
== SNMP == |
|||
The snmp daemon in Solaris doesn't support 64-bit counters, so you should compile net-snmp: |
|||
./configure --prefix=/usr/local --enable-mfd-rewrites '--with-mib-modules=host ucd-snmp/diskio' \ |
|||
--disable-embedded-perl --with-sys-contact="syscom@csclub.uwaterloo.ca" --with-sys-location="MC 3015" \ |
|||
--with-default-snmp-version=3 --with-logfile="/var/log/snmpd.log" --with-persistent-directory="/var/net-snmp" |
|||
* In include/net-snmp/system/solaris.h add '#define NEW_MIB_COMPLIANT 1' to the bottom. |
|||
make; make install |
|||
Create /tmp/net-snmp.xml: |
|||
<?xml version="1.0"?> |
|||
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> |
|||
<service_bundle type='manifest' name='net-snmp'> |
|||
<service name='system/net-snmp' type='service' version='1'> |
|||
<create_default_instance enabled='false' /> |
|||
<single_instance/> |
|||
<dependency name='milestone' grouping='require_all' restart_on='none' type='service'> |
|||
<service_fmri value='svc:/milestone/sysconfig' /> |
|||
</dependency> |
|||
<dependency name='filesystem' grouping='require_all' restart_on='none' type='service'> |
|||
<service_fmri value='svc:/system/filesystem/local' /> |
|||
</dependency> |
|||
<!-- |
|||
net-snmp needs nameservice resolution to connect to hosts. |
|||
--> |
|||
<dependency name='name-services' grouping='require_all' restart_on='none' type='service'> |
|||
<service_fmri value='svc:/milestone/name-services' /> |
|||
</dependency> |
|||
<dependent name='net-snmp_single-user' grouping='optional_all' restart_on='none'> |
|||
<service_fmri value='svc:/milestone/multi-user' /> |
|||
</dependent> |
|||
<exec_method type='method' name='start' exec='/lib/svc/method/svc-net-snmp' timeout_seconds='60' /> |
|||
<exec_method type='method' name='stop' exec=':kill' timeout_seconds='60' /> |
|||
<exec_method type='method' name='refresh' exec=':kill -HUP' timeout_seconds='60' /> |
|||
<property_group name='general' type='framework'> |
|||
<!-- |
|||
to start stop syslog daemon |
|||
--> |
|||
<propval name='action_authorization' type='astring' value='solaris.smf.manage.net-snmp' /> |
|||
</property_group> |
|||
<stability value='Unstable' /> |
|||
<template> |
|||
<common_name> |
|||
<loctext xml:lang='C'>net-snmp</loctext> |
|||
</common_name> |
|||
<documentation> |
|||
<manpage title='net-snmp' section='1M' manpath='/usr/share/man' /> |
|||
</documentation> |
|||
</template> |
|||
</service> |
|||
</service_bundle> |
|||
Import the manifest: |
|||
svccfg import /tmp/net-snmp.xml |
|||
Create /lib/svc/method/svc-net-snmp: |
|||
#!/bin/sh |
|||
. /lib/svc/share/smf_include.sh |
|||
# Start processes required for snmpd |
|||
if [ -x /usr/local/sbin/snmpd ]; then |
|||
/usr/local/sbin/snmpd |
|||
else |
|||
echo "snmpd is missing or not executable." |
|||
exit $SMF_EXIT_ERR_CONFIG |
|||
fi |
|||
exit $SMF_EXIT_OK |
|||
== rsyncd == |
|||
Install SUNWrsync. |
|||
Create /tmp/rsync.xml: |
|||
<?xml version="1.0"?> |
|||
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> |
|||
<service_bundle type="manifest" name="rsync"> |
|||
<service name="network/rsync" type="service" version="4"> |
|||
<create_default_instance enabled="false"/> |
|||
<single_instance/> |
|||
<!-- |
|||
If there's no network, then there's no point in running |
|||
--> |
|||
<dependency name="loopback" grouping="require_all" restart_on="error" type="service"> |
|||
<service_fmri value="svc:/network/loopback:default"/> |
|||
</dependency> |
|||
<dependency name="physical" grouping="require_all" restart_on="error" type="service"> |
|||
<service_fmri value="svc:/network/physical:default"/> |
|||
</dependency> |
|||
<dependency name="fs-local" grouping="require_all" restart_on="none" type="service"> |
|||
<service_fmri value="svc:/system/filesystem/local"/> |
|||
</dependency> |
|||
<exec_method type="method" name="start" exec="/opt/csw/bin/rsync --daemon" timeout_seconds="60"/> |
|||
<exec_method type="method" name="stop" exec=":kill" timeout_seconds="60"/> |
|||
<exec_method type="method" name="refresh" exec=":kill -HUP" timeout_seconds="60"/> |
|||
<stability value="Unstable"/> |
|||
<template> |
|||
<common_name> |
|||
<loctext xml:lang="C">RSYNC daemon</loctext> |
|||
</common_name> |
|||
<documentation> |
|||
<manpage title="rsync" section="7"/> |
|||
<doc_link name="rsync.org" uri="http://www.rsync.org/docs/"/> |
|||
</documentation> |
|||
</template> |
|||
</service> |
|||
</service_bundle> |
|||
Import the manifest: |
|||
svccfg import /tmp/rsync.xml |
|||
== Service Management == |
|||
To control services, use svcadm: |
|||
svcadm enable ssh |
|||
svcadm disable ssh |
|||
svcadm restart ssh |
|||
To install/delete services, use svccfg. |
|||
To see why services failed to start: |
|||
svcs -xv |
|||
== External Links == |
== External Links == |
||
* http://docs.sun.com/app/docs/doc/819-5461 |
|||
https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10 |
|||
* http://www.solarisinternals.com/wiki/index.php/ZFS_Best_Practices_Guide |
|||
* https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10 |
|||
[[Category:Software]] |
Latest revision as of 21:33, 22 November 2009
Networking
Create /etc/defaultroute with contents:
129.97.134.1
Modify /etc/netmasks and add to the end:
129.97.134.1 255.255.255.0
Create /etc/hostname.e1000g0 (where e1000g0 is the interface name):
ginseng
Modify /etc/hosts so that it contains at least the following:
127.0.0.1 localhost loghost 129.97.134.89 ginseng.csclub.uwaterloo.ca ginseng
Run the following:
svcadm enable physical:default /lib/svc/methods/net-physical:default
OpenSolaris Packages
You should install the following build-related packages:
pkg install SUNWarc SUNWsfwhea SUNWhea SUNWtoo
If you want gcc and Sun Studio:
pkg install gcc-dev sunstudio
Blastwave/CSW Packages
Install pkg-get:
pkgadd -d http://www.blastwave.org/pkg_get.pkg * In /opt/csw/etc/pkg-get.conf, set the primary url to http://mirror.csclub.uwaterloo.ca/blastwave/unstable.
Install various packages:
/opt/csw/bin/pkg-get -i gnupg screen bash_completion bison gawk gsed puppet top iftop wireshark
We want certain config files to be in /etc, rather than /opt/csw:
rm -f /opt/csw/etc/openldap/ldap.conf && ln -s /etc/ldap/ldap.conf /opt/csw/etc/openldap/ldap.conf rm -f /etc/krb5/krb5.conf && ln -s /etc/krb5.conf /etc/krb5/krb5.conf rm -f /etc/krb5/krb5.keytab && ln -s /etc/krb5.keytab /etc/krb5/krb5.keytab
Environment variables
In /etc/default/login, change PATH and SUPATH:
PATH=/usr/local/bin:/usr/gnu/bin:/opt/csw/bin:/opt/csw/gcc3/bin:/usr/bin:/bin:/usr/sfw/bin SUPATH=/usr/local/sbin:/usr/local/bin:/usr/gnu/bin:/opt/csw/sbin:/opt/csw/bin:/opt/csw/gcc3/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/sfw/bin
Near the top of /etc/profile, add:
export PAGER=less
nss_ldap
The native nss_ldap library doesn't support rfc2307bis, so we need to build padl's nss_ldap from source:
LDFLAGS=-L/opt/csw/lib CFLAGS=-I/opt/csw/include ./configure --with-ldap-conf-file=/etc/libnss-ldap.conf --prefix=/usr/local LDADD=-L/opt/csw/lib\ -R/opt/csw/lib make; make install ln -s /usr/local/lib/nss_ldap.so.1 /lib/nss_ldap.so.1
Modify /etc/nsswitch.ldap to your liking. You should also copy /etc/libnss-ldap.conf from caffeine. Despite the fact that we link against csw's openldap libraries, we need to configure the native ldap library.
ldapclient manual -a credentialLevel=anonymous \ -a authenticationMethod=none \ -a domainName=csclub.uwaterloo.ca \ -a defaultSearchBase=dc=csclub,dc=uwaterloo,dc=ca \ -a defaultSearchScope=sub \ -a defaultServerList=ldap1.csclub.uwaterloo.ca,ldap2.csclub.uwaterloo.ca
In /etc/group, add the following to the bottom:
users::100:
PAM
In /etc/pam.conf, after
other auth required pam_unix_cred.so.1
add
other auth sufficient pam_krb5.so.1
You should also do this for 'login'.
You need to create /etc/krb5/krb5.keytab containing host/fqdn@CSCLUB.UWATERLOO.CA where fqdn is the fully qualified domain name of the host.
sudo
The sudo in blastwave/csw does not inclue the '--secure-path' configure option or ldap support, so you should build sudo from source:
./configure --prefix=/usr/local --with-all-insults --with-exempt=sudo --with-pam --with-fqdn --with-logging=syslog --with-logfac=auth \ --with-secure-path=/usr/local/sbin:/usr/local/bin:/usr/gnu/bin:/opt/csw/sbin:/opt/csw/bin:/opt/csw/gcc3/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/sfw/bin \ --with-env-editor --with-timeout=15 --with-password-timeout=0 --disable-root-mailer --disable-setresuid --with-sendmail=/usr/sbin/sendmail \ --with-ldap --with-ldap-conf-file=/etc/ldap/ldap.conf * In config.h, change '#define HAVE_DGETTEXT 1' to '#undef HAVE_DGETTEXT' make; make install
ZFS
When you add new disks you need to have Solaris rescan for disks. You can do this by adding '-r' as a kernel option (via grub).
To view a list of disks:
format
To create a mirrored "zpool" (basically lvm/mdadm/fs all rolled into one):
zpool create users mirror c2t0d0 c2t1d0
This creates a RAID 1 zpool with component disks c2t0d0 and c2t1d0.
To enable Kerberos security, modify /etc/nfssec.conf and uncomment the krb5 lines.
Also see User-data#ZFS.
SNMP
The snmp daemon in Solaris doesn't support 64-bit counters, so you should compile net-snmp:
./configure --prefix=/usr/local --enable-mfd-rewrites '--with-mib-modules=host ucd-snmp/diskio' \ --disable-embedded-perl --with-sys-contact="syscom@csclub.uwaterloo.ca" --with-sys-location="MC 3015" \ --with-default-snmp-version=3 --with-logfile="/var/log/snmpd.log" --with-persistent-directory="/var/net-snmp" * In include/net-snmp/system/solaris.h add '#define NEW_MIB_COMPLIANT 1' to the bottom. make; make install
Create /tmp/net-snmp.xml:
<?xml version="1.0"?> <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> <service_bundle type='manifest' name='net-snmp'> <service name='system/net-snmp' type='service' version='1'> <create_default_instance enabled='false' /> <single_instance/> <dependency name='milestone' grouping='require_all' restart_on='none' type='service'> <service_fmri value='svc:/milestone/sysconfig' /> </dependency> <dependency name='filesystem' grouping='require_all' restart_on='none' type='service'> <service_fmri value='svc:/system/filesystem/local' /> </dependency> <dependency name='name-services' grouping='require_all' restart_on='none' type='service'> <service_fmri value='svc:/milestone/name-services' /> </dependency> <dependent name='net-snmp_single-user' grouping='optional_all' restart_on='none'> <service_fmri value='svc:/milestone/multi-user' /> </dependent> <exec_method type='method' name='start' exec='/lib/svc/method/svc-net-snmp' timeout_seconds='60' /> <exec_method type='method' name='stop' exec=':kill' timeout_seconds='60' /> <exec_method type='method' name='refresh' exec=':kill -HUP' timeout_seconds='60' /> <property_group name='general' type='framework'> <propval name='action_authorization' type='astring' value='solaris.smf.manage.net-snmp' /> </property_group> <stability value='Unstable' /> <template> <common_name> <loctext xml:lang='C'>net-snmp</loctext> </common_name> <documentation> <manpage title='net-snmp' section='1M' manpath='/usr/share/man' /> </documentation> </template> </service> </service_bundle>
Import the manifest:
svccfg import /tmp/net-snmp.xml
Create /lib/svc/method/svc-net-snmp:
#!/bin/sh . /lib/svc/share/smf_include.sh # Start processes required for snmpd if [ -x /usr/local/sbin/snmpd ]; then /usr/local/sbin/snmpd else echo "snmpd is missing or not executable." exit $SMF_EXIT_ERR_CONFIG fi exit $SMF_EXIT_OK
rsyncd
Install SUNWrsync.
Create /tmp/rsync.xml:
<?xml version="1.0"?> <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> <service_bundle type="manifest" name="rsync"> <service name="network/rsync" type="service" version="4"> <create_default_instance enabled="false"/> <single_instance/> <dependency name="loopback" grouping="require_all" restart_on="error" type="service"> <service_fmri value="svc:/network/loopback:default"/> </dependency> <dependency name="physical" grouping="require_all" restart_on="error" type="service"> <service_fmri value="svc:/network/physical:default"/> </dependency> <dependency name="fs-local" grouping="require_all" restart_on="none" type="service"> <service_fmri value="svc:/system/filesystem/local"/> </dependency> <exec_method type="method" name="start" exec="/opt/csw/bin/rsync --daemon" timeout_seconds="60"/> <exec_method type="method" name="stop" exec=":kill" timeout_seconds="60"/> <exec_method type="method" name="refresh" exec=":kill -HUP" timeout_seconds="60"/> <stability value="Unstable"/> <template> <common_name> <loctext xml:lang="C">RSYNC daemon</loctext> </common_name> <documentation> <manpage title="rsync" section="7"/> <doc_link name="rsync.org" uri="http://www.rsync.org/docs/"/> </documentation> </template> </service> </service_bundle>
Import the manifest:
svccfg import /tmp/rsync.xml
Service Management
To control services, use svcadm:
svcadm enable ssh svcadm disable ssh svcadm restart ssh
To install/delete services, use svccfg.
To see why services failed to start:
svcs -xv