OpenSolaris: Difference between revisions

From CSCWiki
Latest revision as of 21:33, 22 November 2009

Networking

Create /etc/defaultroute with contents:

129.97.134.1

Modify /etc/netmasks and add to the end:

129.97.134.1 255.255.255.0

Create /etc/hostname.e1000g0 (where e1000g0 is the interface name):

ginseng

Modify /etc/hosts so that it contains at least the following:

127.0.0.1 localhost loghost
129.97.134.89 ginseng.csclub.uwaterloo.ca ginseng

Run the following:

svcadm enable physical:default
/lib/svc/methods/net-physical:default

OpenSolaris Packages

You should install the following build-related packages:

pkg install SUNWarc SUNWsfwhea SUNWhea SUNWtoo

If you want gcc and Sun Studio:

pkg install gcc-dev sunstudio

Blastwave/CSW Packages

Install pkg-get:

pkgadd -d http://www.blastwave.org/pkg_get.pkg
* In /opt/csw/etc/pkg-get.conf, set the primary url to http://mirror.csclub.uwaterloo.ca/blastwave/unstable.

Install various packages:

/opt/csw/bin/pkg-get -i gnupg screen bash_completion bison gawk gsed puppet top iftop wireshark

We want certain config files to be in /etc, rather than /opt/csw:

rm -f /opt/csw/etc/openldap/ldap.conf && ln -s /etc/ldap/ldap.conf /opt/csw/etc/openldap/ldap.conf
rm -f /etc/krb5/krb5.conf && ln -s /etc/krb5.conf /etc/krb5/krb5.conf
rm -f /etc/krb5/krb5.keytab && ln -s /etc/krb5.keytab /etc/krb5/krb5.keytab

Environment variables

In /etc/default/login, change PATH and SUPATH:

PATH=/usr/local/bin:/usr/gnu/bin:/opt/csw/bin:/opt/csw/gcc3/bin:/usr/bin:/bin:/usr/sfw/bin
SUPATH=/usr/local/sbin:/usr/local/bin:/usr/gnu/bin:/opt/csw/sbin:/opt/csw/bin:/opt/csw/gcc3/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/sfw/bin

Near the top of /etc/profile, add:

export PAGER=less

nss_ldap

The native nss_ldap library doesn't support rfc2307bis, so we need to build padl's nss_ldap from source:

LDFLAGS=-L/opt/csw/lib CFLAGS=-I/opt/csw/include ./configure --with-ldap-conf-file=/etc/libnss-ldap.conf --prefix=/usr/local
LDADD=-L/opt/csw/lib\ -R/opt/csw/lib make; make install
ln -s /usr/local/lib/nss_ldap.so.1 /lib/nss_ldap.so.1

Modify /etc/nsswitch.ldap to your liking. You should also copy /etc/libnss-ldap.conf from caffeine. Despite the fact that we link against csw's openldap libraries, we need to configure the native ldap library.

ldapclient manual -a credentialLevel=anonymous \
    -a authenticationMethod=none \
    -a domainName=csclub.uwaterloo.ca \
    -a defaultSearchBase=dc=csclub,dc=uwaterloo,dc=ca \
    -a defaultSearchScope=sub \
    -a defaultServerList=ldap1.csclub.uwaterloo.ca,ldap2.csclub.uwaterloo.ca

In /etc/group, add the following to the bottom:

users::100:

PAM

In /etc/pam.conf, after

other auth required   pam_unix_cred.so.1

add

other auth sufficient   pam_krb5.so.1

You should also do this for 'login'.

You need to create /etc/krb5/krb5.keytab containing host/fqdn@CSCLUB.UWATERLOO.CA where fqdn is the fully qualified domain name of the host.
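An added check for the PAM and keytab steps above (example code written for this page, not from the CSC wiki): pam_stack_ok verifies that a service's "auth sufficient pam_krb5.so.1" line sits after its "auth required pam_unix_cred.so.1" line, so the Kerberos module cannot short-circuit the required module, and keytab_ok verifies the keytab is a regular file readable only by its owner. The function names and the pam.conf excerpt are constructed; on a real host point the functions at /etc/pam.conf and /etc/krb5/krb5.keytab.

```shell
#!/bin/sh
# Constructed example for the PAM/keytab steps; not part of the wiki page.

# pam_stack_ok PAMCONF SERVICE: exit 0 when the SERVICE auth stack has a
# "sufficient pam_krb5.so.1" line positioned after "required pam_unix_cred.so.1".
pam_stack_ok() {
    awk -v svc="$2" '
        /^#/ || NF < 4 { next }
        $1 == svc && $2 == "auth" {
            n++
            if ($3 == "required"   && $4 ~ /pam_unix_cred\.so/) cred = n
            if ($3 == "sufficient" && $4 ~ /pam_krb5\.so/)      krb  = n
        }
        END { exit !(cred > 0 && krb > cred) }
    ' "$1"
}

# keytab_ok KEYTAB: exit 0 when the keytab is a regular file with mode 0600
# (ls -ld output is portable across Solaris and GNU userlands).
keytab_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed sample: "other" is stacked as the page describes, "login" is not yet done.
SAMPLE_PAM=$(mktemp)
cat >"$SAMPLE_PAM" <<'EOF'
# pam.conf excerpt (constructed sample)
login auth requisite   pam_authtok_get.so.1
login auth required    pam_dhkeys.so.1
login auth required    pam_unix_cred.so.1
login auth required    pam_unix_auth.so.1
other auth requisite   pam_authtok_get.so.1
other auth required    pam_dhkeys.so.1
other auth required    pam_unix_cred.so.1
other auth sufficient  pam_krb5.so.1
other auth required    pam_unix_auth.so.1
EOF

# Constructed stand-in for /etc/krb5/krb5.keytab with the expected permissions.
SAMPLE_KEYTAB=$(mktemp)
chmod 600 "$SAMPLE_KEYTAB"

pam_stack_ok "$SAMPLE_PAM" other && echo "other: pam_krb5 correctly placed"
pam_stack_ok "$SAMPLE_PAM" login || echo "login: pam_krb5 missing or misplaced"
keytab_ok "$SAMPLE_KEYTAB" && echo "keytab: permissions ok"
```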

sudo

The sudo in blastwave/csw does not include the '--secure-path' configure option or LDAP support, so you should build sudo from source:

./configure --prefix=/usr/local --with-all-insults --with-exempt=sudo --with-pam --with-fqdn --with-logging=syslog --with-logfac=auth \
  --with-secure-path=/usr/local/sbin:/usr/local/bin:/usr/gnu/bin:/opt/csw/sbin:/opt/csw/bin:/opt/csw/gcc3/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/sfw/bin \
  --with-env-editor --with-timeout=15 --with-password-timeout=0 --disable-root-mailer --disable-setresuid --with-sendmail=/usr/sbin/sendmail \
  --with-ldap --with-ldap-conf-file=/etc/ldap/ldap.conf
* In config.h, change '#define HAVE_DGETTEXT 1' to '#undef HAVE_DGETTEXT'
make; make install

ZFS

When you add new disks you need to have Solaris rescan for disks. You can do this by adding '-r' as a kernel option (via grub).

To view a list of disks:

format

To create a mirrored "zpool" (basically lvm/mdadm/fs all rolled into one):

zpool create users mirror c2t0d0 c2t1d0

This creates a RAID 1 zpool with component disks c2t0d0 and c2t1d0.

To enable Kerberos security, modify /etc/nfssec.conf and uncomment the krb5 lines.

Also see User-data#ZFS.

SNMP

The snmp daemon in Solaris doesn't support 64-bit counters, so you should compile net-snmp:

./configure --prefix=/usr/local --enable-mfd-rewrites '--with-mib-modules=host ucd-snmp/diskio' \
  --disable-embedded-perl --with-sys-contact="syscom@csclub.uwaterloo.ca" --with-sys-location="MC 3015" \
  --with-default-snmp-version=3 --with-logfile="/var/log/snmpd.log" --with-persistent-directory="/var/net-snmp"
* In include/net-snmp/system/solaris.h add '#define NEW_MIB_COMPLIANT 1' to the bottom.
make; make install

Create /tmp/net-snmp.xml:

<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type='manifest' name='net-snmp'>
  <service name='system/net-snmp' type='service' version='1'>
    <create_default_instance enabled='false' />
    <single_instance/>
    <dependency name='milestone' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/milestone/sysconfig' />
    </dependency>
    <dependency name='filesystem' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/local' />
    </dependency>
    <dependency name='name-services' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/milestone/name-services' />
    </dependency>
    <dependent name='net-snmp_single-user' grouping='optional_all' restart_on='none'>
      <service_fmri value='svc:/milestone/multi-user' />
    </dependent>
    <exec_method type='method' name='start' exec='/lib/svc/method/svc-net-snmp' timeout_seconds='60' />
    <exec_method type='method' name='stop' exec=':kill' timeout_seconds='60' />
    <exec_method type='method' name='refresh' exec=':kill -HUP' timeout_seconds='60' />
    <property_group name='general' type='framework'>
      <propval name='action_authorization' type='astring' value='solaris.smf.manage.net-snmp' />
    </property_group>
    <stability value='Unstable' />
    <template>
      <common_name>
        <loctext xml:lang='C'>net-snmp</loctext>
      </common_name>
      <documentation>
        <manpage title='net-snmp' section='1M' manpath='/usr/share/man' />
      </documentation>
    </template>
  </service>
</service_bundle>

Import the manifest:

svccfg import /tmp/net-snmp.xml

Create /lib/svc/method/svc-net-snmp:

#!/bin/sh
. /lib/svc/share/smf_include.sh

# Start processes required for snmpd

if [ -x /usr/local/sbin/snmpd ]; then
  /usr/local/sbin/snmpd
else
  echo "snmpd is missing or not executable."
  exit $SMF_EXIT_ERR_CONFIG
fi

exit $SMF_EXIT_OK

rsyncd

Install SUNWrsync.

Create /tmp/rsync.xml:

<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="manifest" name="rsync">
  <service name="network/rsync" type="service" version="4">
    <create_default_instance enabled="false"/>
    <single_instance/>
    <dependency name="loopback" grouping="require_all" restart_on="error" type="service">
      <service_fmri value="svc:/network/loopback:default"/>
    </dependency>
    <dependency name="physical" grouping="require_all" restart_on="error" type="service">
      <service_fmri value="svc:/network/physical:default"/>
    </dependency>
    <dependency name="fs-local" grouping="require_all" restart_on="none" type="service">
      <service_fmri value="svc:/system/filesystem/local"/>
    </dependency>
    <exec_method type="method" name="start" exec="/opt/csw/bin/rsync --daemon" timeout_seconds="60"/>
    <exec_method type="method" name="stop" exec=":kill" timeout_seconds="60"/>
    <exec_method type="method" name="refresh" exec=":kill -HUP" timeout_seconds="60"/>
    <stability value="Unstable"/>
    <template>
      <common_name>
        <loctext xml:lang="C">RSYNC daemon</loctext>
      </common_name>
      <documentation>
        <manpage title="rsync" section="7"/>
        <doc_link name="rsync.org" uri="http://www.rsync.org/docs/"/>
      </documentation>
    </template>
  </service>
</service_bundle>

Import the manifest:

svccfg import /tmp/rsync.xml

Service Management

To control services, use svcadm:

svcadm enable ssh
svcadm disable ssh
svcadm restart ssh

To install/delete services, use svccfg.

To see why services failed to start:

svcs -xv

External Links

* http://docs.sun.com/app/docs/doc/819-5461
* http://www.solarisinternals.com/wiki/index.php/ZFS_Best_Practices_Guide
* https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10