OpenSolaris: Difference between revisions

From CSCWiki
No edit summary
Line 7: Line 7:
You should install the patch manager:
You should install the patch manager:
pkgadd -d . SUNWctpls SUNWmfrun SUNWj3rt SUNWccccrr SUNWccccr SUNWccsign SUNWppror SUNWpprou SUNWj5rt
pkgadd -d . SUNWctpls SUNWmfrun SUNWj3rt SUNWccccrr SUNWccccr SUNWccsign SUNWppror SUNWpprou SUNWj5rt
You need the update manager to configure the patch manager:
pkgadd -d . SUNWccfw SUNWcctpx SUNWccfw SUNWccinv SUNWcsmauth SUNWupdatemgru SUNWupdatemgrr
You should install the following build-related packages:
You should install the following build-related packages:
pkgadd -d . SUNWdoc SUNWman SUNWarc SUNsfwhea SUNhea
pkgadd -d . SUNWdoc SUNWman SUNWarc SUNsfwhea SUNhea
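Review bot: the added update-manager line names SUNWccfw twice (`pkgadd -d . SUNWccfw SUNWcctpx SUNWccfw ...`); drop the second occurrence so the package is not processed twice. The unchanged build-packages line below it reads `SUNsfwhea SUNhea`, which lacks the W of the SUNW prefix that every other package in this hunk carries, so it is worth correcting in the same edit.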

Revision as of 06:10, 18 February 2008

Solaris is drugs; avoid it at all cost.

Solaris 10 Packages

If you choose to only install "core" packages, make sure you also select "GNU wget" and "Volume Manager". You can then install additional packages later from the Solaris 10 DVD. To do so, insert the DVD and it should get auto-mounted in /cdrom/sol*. Then cd to /cdrom/sol*/Solaris\ 10/Products and install packages:

pkgadd -d . PKGNAME

You should install the patch manager:

pkgadd -d . SUNWctpls SUNWmfrun SUNWj3rt SUNWccccrr SUNWccccr SUNWccsign SUNWppror SUNWpprou SUNWj5rt

You need the update manager to configure the patch manager:

pkgadd -d . SUNWccfw SUNWcctpx SUNWccinv SUNWcsmauth SUNWupdatemgru SUNWupdatemgrr

You should install the following build-related packages:

pkgadd -d . SUNWdoc SUNWman SUNWarc SUNWsfwhea SUNWhea

If you want ssh:

pkgadd -d . SUNWsshc SUNWsshr SUNWsshu SUNWsshdr SUNWsshdu

If you want X applications to work:

pkgadd -d . SUNWxwfnt SUNWxwice SUNWxwrtl SUNWxwplr SUNWxwplt

If you want the SNMP daemon:

pkgadd -d . SUNWsmagt SUNWsmmgr
sudo svccfg import /var/svc/manifest/application/management/sma.xml

Blastwave/CSW Packages

Install pkg-get:

pkgadd -d http://www.blastwave.org/pkg_get.pkg
* In /opt/csw/edit/pkg-get.conf, set the primary URL to http://mirror.csclub.uwaterloo.ca/blastwave/unstable.

Install various packages:

/opt/csw/bin/pkg-get -i gnupg screen less vim bash_completion openldap_client openldap_devel \
  sasl_gssapi ntp nrpe gcc3core gcc3g++ gmake puppet wget top iftop wireshark

We want certain config files to be in /etc, rather than /opt/csw:

rm -f /opt/csw/etc/openldap/ldap.conf && ln -s /etc/ldap/ldap.conf /opt/csw/etc/openldap/ldap.conf
rm -f /etc/krb5.conf && ln -s /etc/krb5/krb5.conf /etc/krb5.conf
rm -f /etc/krb5.keytab && ln -s /etc/krb5/krb5.keytab /etc/krb5.keytab
mv /opt/csw/etc/ssh /etc && ln -s /etc/ssh /opt/csw/etc/ssh

It's useful to have some binaries symlinked:

ln -s gmake /opt/csw/bin/make
ln -s /opt/csw/bin/bash /bin/bash

Solaris Patching/Updating

To update blastwave:

pkg-get -U; pkg-get -u

Note that pkg-get will ask to remove a package and then ask to install the same package; this is normal and this is how pkg-get upgrades packages.

PATH

Near the top of /etc/profile, add:

if [ "`id | cut -d= -f2 | cut -d\( -f1`" -eq 0 ]; then
 PATH="/opt/csw/sbin:/opt/csw/bin:/opt/csw/gcc3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/sfw/bin"
else
 PATH="/opt/csw/bin:/opt/csw/gcc3/bin:/usr/local/bin:/usr/bin:/bin:/usr/sfw/bin"
fi

nss_ldap

The native nss_ldap library doesn't support rfc2307bis, so we need to build padl's nss_ldap from source:

./configure --with-ldap-conf-file=/etc/libnss-ldap.conf --prefix=/usr/local
LDADD=-L/opt/csw/lib\ -R/opt/csw/lib make; make install
rm /usr/lib/nss_ldap.so.1 && ln -s /usr/local/lib/nss_ldap.so /usr/lib/nss_ldap.so.1

Despite the fact that we link against csw's openldap libraries, we need to configure the native ldap library:

ldapclient manual -a credentialLevel=anonymous \
    -a authenticationMethod=none \
    -a domainName=csclub.uwaterloo.ca \
    -a defaultSearchBase=dc=csclub,dc=uwaterloo,dc=ca \
    -a defaultSearchScope=sub \
    -a defaultServerList=ldap1.csclub.uwaterloo.ca,ldap2.csclub.uwaterloo.ca

PAM

In /etc/pam.conf, after

other auth required   pam_unix_cred.so.1

add

other auth sufficient   pam_krb5.so.1

You should also do this for 'login'.
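
One way to make the edit above repeatable for both 'other' and 'login', as an added example that is not part of the original page. The function names and the sample pam.conf contents are constructed for illustration.

```shell
# Constructed sample: auth stacks for "login" and "other" in the style of a
# Solaris 10 /etc/pam.conf (not copied from a real host).
sample_pam_conf() {
    cat <<'EOF'
# constructed sample
login auth requisite  pam_authtok_get.so.1
login auth required   pam_dhkeys.so.1
login auth required   pam_unix_cred.so.1
login auth required   pam_unix_auth.so.1
login auth required   pam_dial_auth.so.1
other auth requisite  pam_authtok_get.so.1
other auth required   pam_dhkeys.so.1
other auth required   pam_unix_cred.so.1
other auth required   pam_unix_auth.so.1
other account required pam_unix_account.so.1
EOF
}

# add_krb5 FILE: print FILE with the pam_krb5 line added directly after the
# pam_unix_cred auth line of the "other" and "login" services. Safe to re-run:
# a service that already has a pam_krb5 auth line is left untouched, and
# commented-out lines never match because their first field is not the
# service name.
add_krb5() {
    awk '
    NR == FNR {                  # pass 1: note services that already have it
        if ($2 == "auth" && $4 ~ /pam_krb5\.so/) have[$1] = 1
        next
    }
    { print }                    # pass 2: copy every line through
    ($1 == "other" || $1 == "login") && $2 == "auth" &&
        $4 ~ /pam_unix_cred\.so/ && !have[$1] {
        print $1 " auth sufficient   pam_krb5.so.1"
    }
    ' "$1" "$1"
}

# Demonstration on the constructed sample.
tmp=$(mktemp) && sample_pam_conf > "$tmp" && add_krb5 "$tmp" && rm -f "$tmp"
```

Write the output to a new file and diff it against /etc/pam.conf before installing it, keeping a root shell open until a fresh login has been tested.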

You need to create /etc/krb5/krb5.keytab containing host/fqdn@CSCLUB.UWATERLOO.CA where fqdn is the fully qualified domain name of the host.

sudo

The sudo in blastwave/csw does not include the '--secure-path' configure option or ldap support, so you should build sudo from source:

./configure --prefix=/usr/local --with-all-insults --with-exempt=sudo --with-pam --with-fqdn --with-logging=syslog --with-logfac=auth \
  --with-secure-path=/opt/csw/sbin:/opt/csw/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --with-env-editor \
  --with-timeout=15 --with-password-timeout=0 --disable-root-mailer --disable-setresuid --with-sendmail=/usr/sbin/sendmail \
  --with-ldap --with-ldap-conf-file=/etc/ldap/ldap.conf
* In config.h, change '#define HAVE_DGETTEXT 1' to '#undef HAVE_DGETTEXT'
make; make install
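
The secure path compiled in above is only as trustworthy as the directories it names. The following check is an added example, not part of the original page or of sudo; the function name `audit_path` is hypothetical, and the check is limited to relative entries and group/world-writable directories.

```shell
# audit_path PATHLIST: print every entry of a colon-separated path that root
# should not trust and return 1 if any was found. An entry is flagged when it
# is empty or relative (resolved against the caller's current directory) or
# when the directory is writable by group or other.
audit_path() {
    ap_status=0
    ap_ifs=$IFS
    IFS=:
    set -f                     # split on ":" without glob expansion
    set -- $1
    set +f
    IFS=$ap_ifs
    for ap_dir in "$@"; do
        case $ap_dir in
            /*) ;;
            *)  echo "relative or empty entry: '$ap_dir'"
                ap_status=1
                continue ;;
        esac
        if [ ! -d "$ap_dir" ]; then
            echo "missing: $ap_dir"     # informational only
            continue
        fi
        # -H follows a symlinked entry such as /bin -> /usr/bin; -prune stops
        # find from descending, so only the directory itself is tested.
        if [ -n "$(find -H "$ap_dir" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            echo "group/world-writable: $ap_dir"
            ap_status=1
        fi
    done
    return $ap_status
}

# The value passed to --with-secure-path on this page.
SECURE_PATH=/opt/csw/sbin:/opt/csw/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
audit_path "$SECURE_PATH" || echo "secure path needs attention"
```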

ZFS

When you add new disks you need to have Solaris rescan for disks. You can do this by adding '-r' as a kernel option (via grub).

To view a list of disks:

format

To create a mirrored "zpool" (basically lvm/mdadm/fs all rolled into one):

zpool create users mirror c2t0d0 c2t1d0

This creates a RAID 1 zpool with component disks c2t0d0 and c2t1d0.

To create datasets (basically mountpoints within a zpool):

zfs create users/dtbartle

To disable atime, devices, and setuid:

zfs set atime=off users
zfs set devices=off users
zfs set setuid=off users

Quota can be managed via 'zfs get' and 'zfs set'. To query quota:

zfs get quota

To set quota for a user:

zfs set quota=2G users/dtbartle

To disable quota for a user:

zfs set quota=none users/dtbartle

To export over NFS:

zfs set sharenfs="sec=sys,rw=$ACCESS_LIST,nosuid" users

ACCESS_LIST is a colon-separated list of any of the following:

  • hostname (e.g. glucose-fructose.csclub.uwaterloo.ca)
  • netgroup (e.g. in LDAP)
  • domain name suffix (e.g. .csclub.uwaterloo.ca)
  • network (e.g. @129.97.134.0/24)

A minus sign (-) may prefix one of the above to indicate that access is to be denied.
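
A check that the setuid, devices and nosuid settings above still hold on every dataset, as an added example that is not part of the original page. It reads the output of `zfs get -rH -o name,property,value setuid,devices,sharenfs users` on stdin; the function names and the sample values are constructed.

```shell
# Constructed sample of the tab-separated `zfs get -rH -o name,property,value`
# output: the child dataset has setuid re-enabled and its own share options.
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        users          setuid   off \
        users          devices  off \
        users          sharenfs 'sec=sys,rw=.csclub.uwaterloo.ca,nosuid' \
        users/dtbartle setuid   on \
        users/dtbartle devices  off \
        users/dtbartle sharenfs 'sec=sys,rw=@129.97.134.0/24'
}

# check_zfs_hardening: report datasets where setuid or devices is not "off",
# or that are shared over NFS without the nosuid option. A value of "-"
# (property not applicable, e.g. on a snapshot) is skipped.
# Exit status is 1 if anything was reported.
check_zfs_hardening() {
    awk -F '\t' '
    ($2 == "setuid" || $2 == "devices") && $3 != "off" && $3 != "-" {
        print $1 ": " $2 "=" $3 ", expected off"
        bad = 1
    }
    $2 == "sharenfs" && $3 != "off" && $3 != "-" {
        ok = 0
        n = split($3, opt, ",")          # share options are comma-separated
        for (i = 1; i <= n; i++) if (opt[i] == "nosuid") ok = 1
        if (!ok) {
            print $1 ": shared over NFS without nosuid (" $3 ")"
            bad = 1
        }
    }
    END { exit bad + 0 }
    '
}

# Demonstration on the constructed sample.
sample_zfs_get | check_zfs_hardening || echo "datasets need attention"
```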

Snapshots are viewable at /users/$USER/.zfs/snapshot/

SNMP

An SNMP daemon can be enabled via:

svcadm enable sma

It can be configured via /etc/snmpd/conf/snmpd.conf.

Puppet

Make sure that your .cshrc file is empty, as running 'which' invokes csh.
