//This article gathers a few notes on the everyday administration of Solaris 10 or OpenSolaris. It does not tackle [[os:solaris:hardware|hardware issues]] or [[os:solaris:lowlevel|partitions/boot loaders]], as those have separate pages.//

====== System administration ======

===== SMF =====

==== Enable/disable services ====

Since Solaris 10, the old (but nice ?) start/stop scripts in rc?.d have been replaced by SMF, the **Service Management Facility**.

^ svcs ^ ^
| svcs -x | lists services encountering problems |
| svcs -a | lists all services including disabled ones |
| svcs -l | provides information concerning a specific service |
^ svcadm ^ ^
| svcadm enable | enables a service, e.g. svcadm enable svc:/network/samba:default |
| svcadm disable | disables a service |
| svcadm enable -t | temporarily enables/disables a service (won't persist over reboot) |
^ svcprop ^ ^

OpenSolaris uses the SMF too. It (unfortunately ?) ships with many services and will probably need some tuning if your host is a bit slow. A good read on the subject: [[http://www.sun.com/security/docs/CIS_Solaris_10_Benchmark_v4.pdf|Solaris 10 Benchmark v4.0]].

==== Useful services ====

^ Name ^ Service Name ^ Comments ^
| Apache | Solaris: apache2, OpenSolaris: svc:/network/http:apache22 | Enable to set up your own web server |
| CDE | svc:/application/graphical-login/cde-login:default | Disabled on Solaris: I use gdm. Does not exist on OpenSolaris |
| DHCP | dhcpagent | Disabled: I use a static address |
| Fiber Channel | svc:/system/device/fc-fabric:default | Keep enabled or the system won't reboot |
| GDM | Solaris: svc:/application/gdm2-login:default, OpenSolaris: svc:/application/graphical-login/gdm:default | Enabled |
| GSS API | gss:default | Disable. //The GSS API is a security abstraction layer that is designed to make it easier for developers to integrate with different authentication schemes. It is most commonly used in applications for sites that use Kerberos for network authentication, though it can also allow applications to interoperate with other authentication schemes// (quoted from [[http://www.sun.com/security/docs/CIS_Solaris_10_Benchmark_v4.pdf|Solaris 10 Benchmark v4.0]]). |
| IPFilter's service | ipmon | Enabled. Used for zones |
| IPv6 neighbour discovery daemon | svc:/network/routing/ndp:default | Disabled. I don't use IPv6 at home ! |
| Kerberos | svc:/network/security/ktkt_warn:default | //"While Kerberos can be a security enhancement, if the local site is not currently using Kerberos then there is no need to enable this service"// ([[http://209.85.129.132/search?q=cache:ihJTK_LlC7MJ:www.sun.com/security/docs/CIS_Solaris_10_Benchmark_v4.pdf+solaris+ktkt_warn+unnecessary+services&hl=fr&ct=clnk&cd=4&gl=fr&client=firefox-a#16|according to here]]) |
| metainit | svc:/system/metainit:default | Disable. SVM initialization |
| metasync | svc:/system/metasync:default | Disable. SVM initialization |
| Multicast DNS and DNS Service Discovery | multicast:default | Disable |
| N Port ID Virtualization | svc:/network/npiv_config:default | Do not disable or the system won't reboot. N_Port_ID Virtualization (NPIV) is a method for virtualizing a FibreChannel port. With NPIV, one physical FibreChannel port can obtain many N_Port_IDs. |
| PPD Cache Update | svc:/application/print/ppd-cache-update:default | Disable |
| Rlogin | network/login:rlogin | Enable this for rlogin |
| Samba | Solaris: svc:/network/samba:default, OpenSolaris: svc:/network/smb/client:default | Enabled. On OpenSolaris, the Samba client is necessary for smbfs. |
| Sendmail | svc:/network/smtp:sendmail | I don't need it. To remove the sendmail packages, pkgrm SUNWsndmu and SUNWsndmr. Beware: sendmail is required by fetchmail |
| Time Slider | svc:/application/time-slider:default | For ZFS snapshots |
| VNC Configuration | svc:/system/xvm/vnc-config:default | Disable |

==== List of online services ====

Currently, the online services on my OpenSolaris host are:

  STATE          STIME    FMRI
  legacy_run     20:36:20 lrc:/etc/rcS_d/S50yukonx
  legacy_run     20:36:59 lrc:/etc/rc2_d/S20sysetup
  legacy_run     20:36:59 lrc:/etc/rc2_d/S47pppd
  legacy_run     20:36:59 lrc:/etc/rc2_d/S72autoinstall
  legacy_run     20:36:59 lrc:/etc/rc2_d/S73cachefs_daemon
  legacy_run     20:37:00 lrc:/etc/rc2_d/S81dodatadm_udaplt
  legacy_run     20:37:00 lrc:/etc/rc2_d/S89PRESERVE
  legacy_run     20:37:00 lrc:/etc/rc2_d/S98deallocate
  disabled       20:36:57 svc:/system/xvm/ipagent:default
  online         20:36:04 svc:/system/svc/restarter:default
  online         20:36:05 svc:/network/loopback:default
  online         20:36:05 svc:/network/datalink-management:default
  online         20:36:06 svc:/system/filesystem/root:default
  online         20:36:06 svc:/network/physical:nwam
  online         20:36:07 svc:/system/scheduler:default
  online         20:36:07 svc:/system/boot-archive:default
  online         20:36:07 svc:/system/identity:node
  online         20:36:14 svc:/system/filesystem/usr:default
  online         20:36:14 svc:/system/device/local:default
  online         20:36:14 svc:/system/filesystem/minimal:default
  online         20:36:15 svc:/system/identity:domain
  online         20:36:15 svc:/system/hostid:default
  online         20:36:15 svc:/system/name-service-cache:default
  online         20:36:15 svc:/system/rmtmpfiles:default
  online         20:36:15 svc:/system/resource-mgmt:default
  online         20:36:15 svc:/system/cryptosvc:default
  online         20:36:15 svc:/network/ipfilter:default
  online         20:36:15 svc:/milestone/network:default
  online         20:36:15 svc:/system/sysevent:default
  online         20:36:16 svc:/system/power:default
  online         20:36:16 svc:/system/picl:default
  online         20:36:16 svc:/network/npiv_config:default
  online         20:36:16 svc:/system/device/fc-fabric:default
  online         20:36:16 svc:/milestone/devices:default
  online         20:36:17 svc:/system/manifest-import:default
  online         20:36:17 svc:/system/coreadm:default
  online         20:36:17 svc:/network/initial:default
  online         20:36:18 svc:/network/service:default
  online         20:36:18 svc:/network/dns/client:default
  online         20:36:18 svc:/milestone/name-services:default
  online         20:36:19 svc:/network/smb/client:default
  online         20:36:20 svc:/system/keymap:default
  online         20:36:20 svc:/milestone/single-user:default
  online         20:36:24 svc:/network/routing-setup:default
  online         20:36:24 svc:/network/routing/ndp:default
  online         20:36:55 svc:/system/filesystem/local:default
  online         20:36:56 svc:/system/sysidtool:net
  online         20:36:56 svc:/network/shares/group:default
  online         20:36:56 svc:/system/boot-archive-update:default
  online         20:36:56 svc:/system/cron:default
  online         20:36:56 svc:/network/shares/group:zfs
  online         20:36:56 svc:/network/rpc/bind:default
  online         20:36:56 svc:/application/stosreg:default
  online         20:36:56 svc:/system/sysidtool:system
  online         20:36:56 svc:/milestone/sysconfig:default
  online         20:36:56 svc:/system/sac:default
  online         20:36:57 svc:/system/dbus:default
  online         20:36:57 svc:/system/utmp:default
  online         20:36:57 svc:/system/filesystem/autofs:default
  online         20:36:57 svc:/network/inetd:default
  online         20:36:57 svc:/system/console-login:default
  online         20:36:57 svc:/system/filesystem/zfssnap-roleadd:default
  online         20:36:57 svc:/system/dumpadm:default
  online         20:36:57 svc:/application/desktop-cache/mime-types-cache:default
  online         20:36:58 svc:/application/desktop-cache/gconf-cache:default
  online         20:36:58 svc:/system/postrun:default
  online         20:36:58 svc:/application/desktop-cache/input-method-cache:default
  online         20:36:58 svc:/application/desktop-cache/pixbuf-loaders-installer:default
  online         20:36:58 svc:/application/opengl/ogl-select:default
  online         20:36:58 svc:/network/rpc/smserver:default
  online         20:36:58 svc:/network/login:rlogin
  online         20:36:58 svc:/application/pkg/update:default
  online         20:36:59 svc:/system/system-log:default
  online         20:36:59 svc:/network/ssh:default
  online         20:37:00 svc:/application/desktop-cache/desktop-mime-cache:default
  online         20:37:00 svc:/milestone/multi-user:default
  online         20:37:01 svc:/system/intrd:default
  online         20:37:01 svc:/system/fmd:default
  online         20:37:01 svc:/milestone/multi-user-server:default
  online         20:37:03 svc:/system/zones:default
  online         20:37:03 svc:/application/font/fc-cache:default
  online         20:37:10 svc:/application/desktop-cache/icon-cache:default
  online         20:37:12 svc:/system/filesystem/zfs/auto-snapshot:daily
  online         20:37:13 svc:/system/filesystem/zfs/auto-snapshot:monthly
  online         20:37:13 svc:/application/graphical-login/gdm:default
  online         20:37:13 svc:/network/http:apache22
  online         20:37:13 svc:/system/filesystem/zfs/auto-snapshot:weekly
  online         20:37:19 svc:/system/hal:default
  online         20:37:19 svc:/system/filesystem/rmvolmgr:default
  online         20:37:28 svc:/system/filesystem/zfs/auto-snapshot:frequent
  online         20:37:28 svc:/system/filesystem/zfs/auto-snapshot:hourly
  online         20:37:28 svc:/application/time-slider:default

===== GUI =====

The host can be graphically administered using:

  * SMC (Solaris Management Console): user management, hosts editing, cron batches, SMF. Launch **/usr/sadm/bin/smc**. On Solaris only (not OpenSolaris).
  * [[http://www.webmin.com/|Webmin]]: web-based administration. Pretty good.
  * [[http://www.opensolaris.org/os/project/vpanels/|Visual Panels]]: this is an additional piece of software. I'm not a fan, but it's there if you want it.

===== How to add a new user =====

To add a new user,

  * use the graphical Solaris Management Console (smc&)
  * or manually:
    * make sure the home dir exists and is readable by the group,
    * then type:

  useradd -d <homedir> -g <group> -s /usr/bin/bash <login>

===== Authentication =====

==== Log failed logins ====

Set SYSLOG_FAILED_LOGINS in **/etc/default/login**

==== Password policy ====

The password policy is configured in **/etc/default/passwd**. The default settings are reasonable. Several parameters are commented out, but they have a default value.

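The following shell functions are an added example, not part of the original page: they read a copy of /etc/default/passwd, fall back to a default when a parameter is commented out, report values below a baseline, and check that SYSLOG_FAILED_LOGINS is active in /etc/default/login. The default values, the function names and the sample files are assumptions made for illustration; check passwd(1) on your release for the real defaults.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed defaults for parameters
# that are absent or commented out (verify against passwd(1) on your release);
# the same list is the default baseline.
DEFAULTS='PASSLENGTH=6 HISTORY=0 MINDIFF=3 MINDIGIT=0'

# lookup FILE KEY: print the value of the last active (uncommented) KEY= line.
# Returns 1 when KEY is absent or commented out.
lookup() {
    found=1
    while IFS='=' read -r key val; do
        if [ "$key" = "$2" ]; then found=0; value=$val; fi
    done < "$1"
    [ "$found" -eq 0 ] && printf '%s\n' "$value"
    return "$found"
}

# from_list LIST KEY: print KEY's value from a space-separated KEY=VALUE list.
from_list() {
    for pair in $1; do
        case $pair in "$2="*) printf '%s\n' "${pair#*=}" ;; esac
    done
}

# effective FILE KEY: the active value, or the assumed default.
effective() { lookup "$1" "$2" || from_list "$DEFAULTS" "$2"; }

# audit_passwd FILE [BASELINE]: print "WEAK ..." for each numeric parameter
# whose effective value is below the baseline; return 1 if anything was printed.
audit_passwd() {
    status=0
    for item in ${2:-$DEFAULTS}; do
        name=${item%%=*} want=${item#*=}
        have=$(effective "$1" "$name")
        if [ "${have:-0}" -lt "$want" ]; then
            printf 'WEAK %s=%s (baseline %s)\n' "$name" "$have" "$want"
            status=1
        fi
    done
    return "$status"
}

# logs_failed_logins FILE: succeed when SYSLOG_FAILED_LOGINS is active in FILE.
logs_failed_logins() { lookup "$1" SYSLOG_FAILED_LOGINS >/dev/null; }

# write_sample DIR: constructed sample files (not taken from a real host).
write_sample() {
    cat > "$1/passwd" <<'EOF'
MAXWEEKS=
MINWEEKS=
PASSLENGTH=4
HISTORY=0
#MINDIFF=3
EOF
    cat > "$1/login" <<'EOF'
#SYSLOG_FAILED_LOGINS=5
CONSOLE=/dev/console
EOF
}

demo() {
    dir=$(mktemp -d) && write_sample "$dir"
    audit_passwd "$dir/passwd" || echo "password policy below baseline"
    logs_failed_logins "$dir/login" || echo "failed logins are not logged"
    rm -rf "$dir"
}
demo
```

A stricter baseline can be passed as the second argument, for example `audit_passwd /etc/default/passwd 'PASSLENGTH=8 HISTORY=5'`.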
On the contrary, an insecure setting could be as follows:

  MAXWEEKS=
  MINWEEKS=
  PASSLENGTH=4
  HISTORY=0
  MINDIFF=0
  MINDIGIT=0

See more information [[http://www2.petervg.nl/cgi-bin/docs.cgi?a=read&doc=81|here]].

==== Automatic login ====

On Solaris 10, to have the host automatically log in as a given user:

  # gdmsetup &
  --> set up for user you wish to log in
  # vi /etc/X11/gdm/gdm.conf
  ...
  SystemMenu=true
  # /etc/init.d/dtlogin stop
  # /usr/dt/bin/dtconfig -d
  # svcadm enable gdm2-login

Now, automatic login is a bit disappointing, because you still have to provide the user's **password**... :-(

On OpenSolaris 2008.11, no such issue ! Use gdmsetup and it works.

===== System Path =====

The default path for Solaris 10 should be set in **/etc/default/login**:

  PATH=/usr/sfw/bin:/opt/csw/bin:/usr/sbin:/sbin:/usr/bin:/usr/openwin/bin
  SUPATH=/usr/sbin:/usr/bin

PATH is the default path for users. SUPATH is the default path for root when running su. Both paths are overridden by the user's .profile, .login, .cshrc or .bashrc. So, check those files out too.

===== System Locale =====

The configuration of locales is stored in /etc/default/init. To add a new locale, use **localeadm**.

For compilation messages in English:

  export LC_MESSAGES=en_US

===== System Date =====

To set/correct time, do:

  date 1334.00

to set clock to 13:34.00

====== Networking ======

  * To add a new computer, use the Solaris Management Console, Computers & Network, Computers, then select Action / Add Computer. This basically adds an entry to /etc/hosts.
  * Check out the files /etc/hostname, /etc/hostname.<interface> (hme0, yukonx...), /etc/nodename, /etc/inet/hosts, /etc/inet/ipnodes.
  * List possible interfaces: ifconfig -a plumb, then ifconfig
  * List routes: routeadm
  * GUI: network-admin

===== Static IP address =====

Specifying a static IP address consists of:

  * ethernet interface: an ether interface must exist and be named. I use the default name for mine: yukonx0
  * make sure the networking service is enabled: either physical:default or physical:nwam. The former is the most 'basic' networking service. The latter is a networking daemon that automatically configures your host. It's worth a try: on my OpenSolaris host, it worked straight out of the box and I consequently did not have to configure networking manually. On Solaris u5, however, I had to do it manually.
  * configure a few files (with nwam, most of these steps should be done automatically):
    * /etc/hostname.<interface>: specify your host's name:

  $ more /etc/hostname.yukonx0
  boureautic

    * /etc/hosts: set the loopback address and your static IP address:

  $ cat /etc/hosts
  #
  # Internet host table
  #
  #::1 localhost loghost boureautic
  127.0.0.1 localhost loghost
  192.168.0.2 boureautic

    * /etc/resolv.conf: set the appropriate DNS servers (those are the ones used by Free):

  nameserver 212.27.40.240
  nameserver 212.27.40.241

    * /etc/nsswitch.conf: make sure the hosts line sets "files" before "dns".

  hosts: files dns

  * for physical:default, set the default gateway: route add default 192.168.0.254. Then add the route automatically at each reboot by writing a script /etc/rc2.d/S99route
  * For a manual try, add the network interface with ifconfig:

  ifconfig yukonx0 192.168.0.2 netmask 255.255.255.0 up

===== Rlogin =====

To add the rlogin network service:

  svcs -l rlogin
  svcadm enable network/login:rlogin

Note that svcadm enable -t network/login:rlogin only performs a temporary enable of rlogin (won't persist over reboot).

====== X ======

===== Display windows remotely =====

This is basic on X Window, but from time to time I still encounter problems doing it. For remote display:

  export DISPLAY=:0.0

Also use **/usr/openwin/bin/xauth list** to list which entities are authorized.

===== XScreensaver =====

There's a known bug on Solaris 10 u5: when you log on, a message is displayed: "failed to execute child process "xscreensaver" (no such file or directory) screesaver functionality will not work in this session". To get rid of this message, do

  ln -s /usr/openwin/bin/xscreensaver /usr/bin/xscreensaver

===== GDM =====

On Solaris 10, stop dtlogin to use gdm:

  # /etc/init.d/dtlogin stop
  # /usr/dt/bin/dtconfig -d
  # svcadm disable cde-login
  # svcadm enable gdm2-login

On OpenSolaris 2008.11, gdm refers to the service svc:/application/graphical-login/gdm:default. There is no CDE login.

===== XDMCP =====

To configure XDMCP, launch **gdmsetup**, then click on the remote tab and activate "same as local".

===== Fonts =====

  * To display usable fonts, use **xfontsel**
  * To use a given font in an xterm, use -fn:

  xterm -fn '-*-fixed-medium-*-*-*-14-*-*-*-*-*-*-*' &

or create an ~/XTerm file (or in ~/.Xdefaults) and specify the fonts, size (etc) you wish to use:

  XTerm*font: 9x15

====== Software management ======

^ Commands ^ Typical install directories ^ Local package database ^ Comments ^
| pkgadd -d | /usr, /usr/sfw, /opt/sfw | /var/sadm/pkg | Default package management utility on Solaris. Does not handle dependencies. |
| pkg-get | /opt/csw | | Blastwave package management. Close to apt-get. Handles dependencies |
| pkg install | | | Default package management utility for OpenSolaris |

===== Patches =====

On Solaris: use the Sun Connection Update Manager (last version is currently 1.0.4). To do so, it is mandatory to register Solaris. The command line tool is **/usr/sbin/updatemanager** (run as root; this will ask for registration if you haven't done so yet). This is a graphical interface.

:!: :!: :!: I encountered a serious problem with patches: I patched the system with security or recommended patches, some of those patches failed, and then at the next reboot: kernel crash (impossible to boot, except in single user mode) :-( So beware...
See [[http://forums.sun.com/thread.jspa?threadID=5355061&start=0&tstart=0|Sun's Forums]] and [[http://groups.google.com/group/comp.sys.sun.admin/browse_frm/thread/3d9a7cd5dea16dd4/99164957421cdb62?tvc=1&q=137137-09#99164957421cdb62|Google Groups]]: it looks like others encountered the same problem...

On OpenSolaris: launch **/usr/sbin/updatemanager**

===== pkgadd, pkginfo etc =====

These are Solaris's default package management utilities.

Typical prefixes:

  * Sun's packages are prefixed with SUNW (e.g. SUNWvbox, SUNWless).
  * Blastwave's packages are prefixed with CSW (e.g. CSWperl, CSWpkgutil). Those packages can be installed with Solaris's package tools (pkgadd, pkgrm etc) or with Blastwave's higher level utility pkg-get or pkgutil.

Typical installation directories: /usr, /usr/sfw and /opt/sfw

  * by default, mozilla is in /usr/sfw/bin/mozilla on Solaris 10.
  * by default, java is in /usr/bin/java on Solaris 10.

Install a pre-compiled package: 1/ unzip it (gunzip, bunzip2, unzip...) and 2/ pkgadd. For example:

  $ pfexec pkgadd -d pkgutil-1.4\,REV\=2009.01.20-SunOS5.8-i386-CSW.pkg
  The following packages are available:
    1 CSWpkgutil pkgutil - installs Solaris packages easily
      (i386) 1.4,REV=2009.01.20
  Select package(s) you wish to process (or 'all' to process
  all packages). (default: all) [?,??,q]:

List all packages: pkginfo. For example:

  $ pkginfo
  [..]
  system SUNWopenssl-commands OpenSSL Commands (Usr)
  system SUNWopenssl-include OpenSSL Header Files
  system SUNWopenssl-libraries OpenSSL Libraries (Usr)
  [..]

Get details of a package: pkginfo -l <package>. For example:

  $ pkginfo -l SUNWopenssl-commands
  PKGINST: SUNWopenssl-commands
  NAME: OpenSSL Commands (Usr)
  CATEGORY: system
  ARCH: i386
  VERSION: 11.11,REV=2008.10.30.20.37
  VENDOR: Sun Microsystems, Inc.
  DESC: OpenSSL Commands (Use)
  HOTLINE: Please contact your local service provider
  STATUS: completely installed

Listing the contents of a package: pkgchk -l

  pkgchk -l CSWpkgutil
  Pathname: /opt/csw
  Type: directory
  Expected mode: 0755
  Expected owner: root
  Expected group: bin
  Referenced by the following packages:
  CSWpkgutil CSWcommon CSWzlib
  Current status: installed
  
  Pathname: /opt/csw/bin
  Type: directory
  [..]

Removing a package: pkgrm

Installed packages are located in /var/sadm/pkg.

On Solaris, to find out which package a given command belongs to, search in /var/sadm/install/contents. For example

  grep xxx /var/sadm/install/contents

===== pkg-get =====

pkg-get should be seen as a front-end to Solaris's default package management commands. It

  * automatically downloads a given package
  * automatically installs its dependencies

... two tasks pkgadd does not handle. Unfortunately, pkg-get will only work for Blastwave-like packages (ibiblio).

To install pkg-get,

  * Get pkg-get from [[http://www.blastwave.org/mirrors#pkg-get|Blastwave]].
  * Install it: pkgadd -d pkg_get-3.8.4-SunOS5.8-all-CSW.pkg. The procedure is perfectly described on [[http://www.blastwave.org/howto.html|Blastwave's]] site. Check its digest with:

  digest -v -a md5 pkg_get.pkg

  * Then configure it in /opt/csw/etc/pkg-get.conf. Set up the mirror to use, the tree version (stable, unstable, testing), and the download directory (by default: /var/pkg-get/downloads).

  url=http://ibiblio.org/pub/packages/solaris/csw/unstable
  PKGGET_DOWNLOAD_DIR=/tmp

  * Then use pkg-get to install Blastwave packages.

To install a package: pkg-get install <package>, e.g.

  pkg-get install gnupg
  pkg-get install bzip2

To remove a package: pkg-get remove <package>

To upgrade a package: pkg-get upgrade

This will upgrade all packages for which a new version exists. It consists of uninstalling the old version (remove) and then installing the new version (install).
At first, seeing a remove operation may be surprising, but in the end, it works :-)

===== pkgutil =====

Blastwave has recently replaced pkg-get with pkgutil. To install pkgutil,

  * get the package
  * do: pkgadd -d <package file>
  * then use pkgutil to handle other packages.

===== IPS =====

OpenSolaris introduces a new package management system. Perhaps I don't know how to use it, but I don't like it very much :-( It takes ages to run...

IPS packages are typically prefixed by IPS (e.g. IPSgnutls, IPSiconv...), but IPS commands will also display other packages (SUNW, CSW...)

  * install a package: pkg install <package>
  * find which package a given command is in: pkg search -r <command>

There's a nice comparison between [[http://opensolaris.org/os/community/documentation/apt_ips/|Debian's apt-get and IPS or pkgadd / IPS: here]].

===== Using other packages =====

Unpack a Debian package:

  /usr/xpg4/bin/ar x package.deb
  gunzip data.tar.gz
  tar -xvf data.tar

====== Developer's corner ======

===== Bash =====

A very simple .bashrc on Solaris:

  export PATH=/usr/bin/amd64:$PATH:/opt/csw/bin:.
  export PS1="[\u@\w] "

on OpenSolaris:

  PS1='${LOGNAME}@$(/usr/bin/hostname):$( [[ "${LOGNAME}" == "root" ]] && printf "%s" "${PWD/${HOME}/~}# " || printf "%s" "${PWD/${HOME}/~}\$ ")'
  export PATH=$PATH:/usr/local/bin:/usr/share/bin

===== 32-bit vs 64-bit =====

To know whether your architecture is 32 or 64 bit: **isainfo -b**

There's a very interesting article on [[http://blog.thilelli.net/post/2007/09/13/64-bit-system-kernel-but-32-bit-binaries|Blog'o thnet]]. To summarize, on 64-bit processors, the kernel, device drivers and some key applications (or those with a high performance issue) are 64-bit, but all other applications are usually 32-bit. There are no //emulation libraries// on Solaris 64 to run 32-bit libraries: there are two different system calls.

To check whether a given application is 32 or 64 bit, run file:

  $ file /usr/bin/amd64/ls
  /usr/bin/amd64/ls: ELF 64-bit LSB executable AMD64 Version 1, dynamically linked, stripped

This also means that on 64-bit hosts, you should set your PATH to locate 64-bit applications before 32-bit ones. For example /usr/bin/amd64 should be set before /usr/bin.

===== Compilers etc =====

For **Solaris**, there's a [[http://developers.sun.com/solaris/articles/build_sw_on_solaris.html|very interesting article on the subject here]]. Mainly, what I get out of it is:

  * no need to install a gcc package (such as CSWgcc) because gcc is usually installed by default in /usr/sfw (mine is version 3.4.3).
  * no need to install gmake (3.80) either: it's already installed in /usr/sfw.
  * put /usr/sfw/bin at the top of your path, and remove /usr/ucb (or leave it at the end of your path, because it points to an 'old' cc).
  * install Sun Studio to get cc (among other things). Actually, cc is said to be better than gcc (faster code), but gcc is perhaps better known by GNU/Free addicts. Anyway, if cc is installed, add /opt/SUNWspro/bin to your path.

For example,

  export PATH=/usr/bin/amd64:/usr/sfw/bin:/opt/csw/bin:/usr/ccs/bin:/usr/openwin/bin:/usr/bin:/bin:.
  export LD_LIBRARY_PATH=/usr/sfw/lib/amd64:/lib/amd64:/usr/lib/amd64:/usr/sfw/lib:/lib:/usr/lib:/opt/csw/lib:.
  export MAKE=gmake

For **OpenSolaris**, install SUNWgcc and SUNWgmake.

===== Library path =====

According to [[http://developers.sun.com/solaris/articles/build_sw_on_solaris.html|Rich Teer]]'s article, programs should actually be linked with the -R option. This strategy reduces the need for an LD_LIBRARY_PATH. However, in situations where the program hasn't been linked that way, there are 2 different ways to configure your library path on Solaris:

  * set the common LD_LIBRARY_PATH and LD_LIBRARY_PATH_64 environment variables
  * or use the //crle// (Configuration Runtime Linker Environment) command.

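The PATH and LD_LIBRARY_PATH exported in the Compilers section both end with `.`, so command and library lookup can fall through to whatever directory you happen to be in. The following shell functions are an added example, not part of the original page: they list relative entries and group- or world-writable directories in a PATH-style value and print the value without its relative entries. The function names are illustrative, and treating an empty LD_LIBRARY_PATH entry like `.` is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: audit a PATH-style variable.

# split_path VALUE: print one entry per line. An empty entry is printed as ".",
# which is how the shell reads it in PATH (assumed here for LD_LIBRARY_PATH too).
split_path() {
    list="$1:"
    while [ -n "$list" ]; do
        entry=${list%%:*}
        list=${list#*:}
        printf '%s\n' "${entry:-.}"
    done
}

# scan_entries: read entries on stdin; print "RELATIVE <entry>" for entries
# that depend on the current directory and "WRITABLE <dir>" for existing
# directories that group or others may write to.
scan_entries() {
    while IFS= read -r entry; do
        case $entry in
            /*) [ -d "$entry" ] || continue
                # ls -ldL follows symlinks; char 6 is group write, char 9 other write.
                case $(ls -ldL "$entry") in
                    d????w*|d???????w*) printf 'WRITABLE %s\n' "$entry" ;;
                esac ;;
            *)  printf 'RELATIVE %s\n' "$entry" ;;
        esac
    done
}

# audit_path VALUE: print the findings; return 1 when there are any.
audit_path() {
    [ -n "$1" ] || return 0
    report=$(split_path "$1" | scan_entries)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# without_relative VALUE: print VALUE with every relative entry dropped.
without_relative() {
    split_path "$1" | grep '^/' | paste -s -d: -
}

# Values copied from the Compilers section of this page.
PAGE_PATH='/usr/bin/amd64:/usr/sfw/bin:/opt/csw/bin:/usr/ccs/bin:/usr/openwin/bin:/usr/bin:/bin:.'
PAGE_LD='/usr/sfw/lib/amd64:/lib/amd64:/usr/lib/amd64:/usr/sfw/lib:/lib:/usr/lib:/opt/csw/lib:.'

for value in "$PAGE_PATH" "$PAGE_LD"; do
    audit_path "$value" || printf 'suggested: %s\n' "$(without_relative "$value")"
done
```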
To list your current paths:

  crle

or

  crle -64

To set new paths:

  crle -l <dir> -l <dir> ...

Typical required paths are: /lib, /usr/lib, /opt/csw/lib, /opt/SUNWspro/lib.

{{tag> SMF svcadm service svcs FMRI gss kerberos gdm metainit ipv6 networking address route routeadm ifconfig plumb dns sendmail metasync vnc useradd passwd policy dtlogin dtconfig locale LC_MESSAGES date network-admin hostname resolv.conf nsswitch.conf files rlogin DISPLAY xscreensaver failed xdmcp gdmsetup xfontsel fonts xterm pkgadd pkg-get pkgutil IPS pkg Debian updatemanager packagemanager pkginfo pkgchk pkgrm url ibiblio bash PATH PS1 prompt isainfo crle gmake}}