Solaris 10 Advanced Sys Admin Student Guide

Student Guide
Advanced System Administration for the Solaris™ 10 Operating System
SA-202-S10
Revision A.1

Sun Microsystems, Inc.
UBRM05-104
500 Eldorado Blvd.
Broomfield, CO 80021
U.S.A.

Upload: jithin-sivasankar

Post on 25-Nov-2014


Copyright 2005 Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.

This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any.

Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.

Sun, Sun Microsystems, the Sun logo, Solaris, JumpStart, Web Start, Solstice DiskSuite, Sun Blade, SunSolve, Ultra, OpenBoot, Java, Sun Ray, Java Card and iPlanet are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.

UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd.

The OPEN LOOK and Sun Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements.

Federal Acquisitions: Commercial Software – Government Users Subject to Standard License Terms and Conditions

Export Laws. Products, Services, and technical data delivered by Sun may be subject to U.S. export controls or the trade laws of other countries. You will comply with all such laws and obtain all licenses to export, re-export, or import as may be required after delivery to You. You will not export or re-export to entities on the most current U.S. export exclusions lists or to any country subject to U.S. embargo or terrorist controls as specified in the U.S. export laws. You will not use or provide Products, Services, or technical data for nuclear, missile, or chemical biological weaponry end uses.

DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

THIS MANUAL IS DESIGNED TO SUPPORT AN INSTRUCTOR-LED TRAINING (ILT) COURSE AND IS INTENDED TO BE USED FOR REFERENCE PURPOSES IN CONJUNCTION WITH THE ILT COURSE. THE MANUAL IS NOT A STANDALONE TRAINING TOOL. USE OF THE MANUAL FOR SELF-STUDY WITHOUT CLASS ATTENDANCE IS NOT RECOMMENDED.

Export Commodity Classification Number (ECCN) assigned: 12 December 2001


Table of Contents

About This Course ..... Preface-xvii
  Course Goals ..... Preface-xvii
  Course Map ..... Preface-xviii
  Topics Not Covered ..... Preface-xix
  How Prepared Are You? ..... Preface-xxi
  Introductions ..... Preface-xxii
  How to Use Course Materials ..... Preface-xxiii
  Conventions ..... Preface-xxiv
    Icons ..... Preface-xxiv
    Typographical Conventions ..... Preface-xxv
Describing Interface Configuration ..... 1-1
  Objectives ..... 1-1
  Controlling and Monitoring Network Interfaces ..... 1-2
    Displaying the MAC Address ..... 1-2
    Displaying the IP Address ..... 1-3
    Marking an Ethernet Interface as Down ..... 1-3
    Sending ICMP ECHO_REQUEST Packets ..... 1-4
    Capturing and Inspecting Network Packets ..... 1-5
  Configuring IPv4 Interfaces at Boot Time ..... 1-6
    Introducing IPv4 Interface Files ..... 1-6
    Changing the System Host Name ..... 1-9
  Performing the Exercises ..... 1-12
  Exercise: The Solaris OS Network Commands (Level 1) ..... 1-13
    Preparation ..... 1-13
    Tasks ..... 1-13
  Exercise: The Solaris OS Network Commands (Level 2) ..... 1-14
    Preparation ..... 1-14
    Task Summary ..... 1-14
    Tasks ..... 1-15
  Exercise: The Solaris OS Network Commands (Level 3) ..... 1-17
    Preparation ..... 1-17
    Task Summary ..... 1-17
    Tasks and Solutions ..... 1-18
  Exercise Summary ..... 1-20


Describing the Client-Server Model ..... 2-1
  Objectives ..... 2-1
  Introducing Client-Server Processes ..... 2-2
    Introducing Client Processes ..... 2-2
    Introducing Server Processes ..... 2-4
  The Service Management Facility (SMF) ..... 2-6
    SMF Service ..... 2-6
    Service Identifiers ..... 2-7
    Service States ..... 2-9
    Milestones ..... 2-10
    The svc.startd Daemon ..... 2-12
    The Service Configuration Repository ..... 2-12
  Starting Server Processes ..... 2-14
    Introducing the Internet Service Daemon (inetd) ..... 2-14
    The Impact of SMF on Network Services ..... 2-17
    Introducing Network Ports ..... 2-19
    Starting Services That Use a Well-Known Port ..... 2-20
    Starting RPC Services ..... 2-23
    Using the rpcinfo Commands ..... 2-26
  Performing the Exercises ..... 2-28
  Exercise: Observing the Solaris OS Network (Level 1) ..... 2-29
    Preparation ..... 2-29
    Tasks ..... 2-29
  Exercise: Observing the Solaris OS Network (Level 2) ..... 2-31
    Preparation ..... 2-31
    Task Summary ..... 2-31
    Tasks ..... 2-32
  Exercise: Observing the Solaris OS Network (Level 3) ..... 2-36
    Preparation ..... 2-36
    Task Summary ..... 2-36
    Tasks and Solutions ..... 2-37
  Exercise Summary ..... 2-42
Customizing the Solaris™ Management Console ..... 3-1
  Objectives ..... 3-1
  Introducing the Solaris Management Console Toolbox Editor Actions ..... 3-2
    Starting the Solaris Management Console ..... 3-2
    Introducing the Solaris Management Console and the Solaris Management Console Toolbox Editor ..... 3-4
    Adding a Toolbox URL ..... 3-17
    Adding a Tool ..... 3-17
  Using the Solaris Management Console Toolbox Editor ..... 3-18
    Adding Access to a Toolbox URL of a Solaris Management Console ..... 3-18
    Adding Access to a Tool ..... 3-34
  Performing the Exercises ..... 3-57


  Exercise: Using the Solaris Management Console (Level 1) ..... 3-58
    Preparation ..... 3-58
    Task Summary ..... 3-58
  Exercise: Using the Solaris Management Console (Level 2) ..... 3-59
    Preparation ..... 3-59
    Task Summary ..... 3-59
    Tasks ..... 3-60
  Exercise: Using the Solaris Management Console (Level 3) ..... 3-67
    Preparation ..... 3-67
    Task Summary ..... 3-67
    Tasks and Solutions ..... 3-68
  Exercise Summary ..... 3-75
Managing Swap Configuration ..... 4-1
  Objectives ..... 4-1
  Introducing Virtual Memory ..... 4-2
    Physical RAM ..... 4-2
    Swap Space ..... 4-3
    The swapfs File System ..... 4-4
    Paging ..... 4-5
  Configuring Swap Space ..... 4-6
    Displaying the Current Swap Configuration ..... 4-6
    Adding Swap Space ..... 4-8
    Removing Swap Space ..... 4-9
  Performing the Exercises ..... 4-11
  Exercise: Managing swap Utility Configuration (Level 1) ..... 4-12
    Preparation ..... 4-12
    Tasks ..... 4-13
  Exercise: Managing swap Utility Configuration (Level 2) ..... 4-14
    Preparation ..... 4-14
    Task Summary ..... 4-15
    Tasks ..... 4-15
  Exercise: Managing swap Utility Configuration (Level 3) ..... 4-18
    Preparation ..... 4-18
    Task Summary ..... 4-19
    Tasks and Solutions ..... 4-19
  Exercise Summary ..... 4-23
Managing Crash Dumps and Core Files ..... 5-1
  Objectives ..... 5-1
  Managing Crash Dump Behavior ..... 5-2
    The Crash Dump ..... 5-2
    Displaying the Current Dump Configuration ..... 5-3
    Changing the Crash Dump Configuration ..... 5-4
  Managing Core File Behavior ..... 5-6
    Core Files ..... 5-6
    Displaying the Current Core File Configuration ..... 5-7
    Changing the Core File Configuration ..... 5-9


  Performing the Exercises ..... 5-14
  Exercise: Collecting the Crash Dump and Core Dump (Level 1) ..... 5-15
    Preparation ..... 5-15
    Tasks ..... 5-15
  Exercise: Collecting the Crash Dump and Core Dump (Level 2) ..... 5-16
    Preparation ..... 5-16
    Task Summary ..... 5-16
    Tasks ..... 5-17
  Exercise: Collecting the Crash Dump and Core Dump (Level 3) ..... 5-19
    Preparation ..... 5-19
    Task Summary ..... 5-19
    Tasks and Solutions ..... 5-20
  Exercise Summary ..... 5-23
Configuring NFS ..... 6-1
  Introducing the Benefits of NFS ..... 6-2
    Benefits of Centralized File Access ..... 6-3
    Benefits of Common Software Access ..... 6-3
  Introducing the Fundamentals of the NFS Distributed File System ..... 6-4
    NFS Server ..... 6-5
    NFS Client ..... 6-6
    NFSv4 ..... 6-7
  Managing an NFS Server ..... 6-8
    The NFS Server Files ..... 6-8
    The NFS Server Daemons ..... 6-11
    Managing the NFS Server Daemons ..... 6-14
    NFS Server Commands ..... 6-16
    Configuring the NFS Server for Sharing Resources ..... 6-17
  Managing the NFS Client ..... 6-22
    NFS Client Files ..... 6-22
    NFS Client Daemons ..... 6-23
    Managing the NFS Client Daemons ..... 6-24
    NFS Client Commands ..... 6-25
    Configuring the NFS Client for Mounting Resources ..... 6-25
  Enabling the NFS Server Logging ..... 6-31
    Fundamentals of NFS Server Logging ..... 6-31
    Configuring NFS Log Paths ..... 6-32
    Initiating NFS Logging ..... 6-34
    Configuring the nfslogd Daemon Behavior ..... 6-35
  Managing NFS With the Solaris Management Console Storage Folder Tools ..... 6-36
    Adding a Shared Directory on the NFS Server ..... 6-36
    Mounting a Shared Directory on the NFS Client ..... 6-38


  Troubleshooting NFS Errors ..... 6-40
    The rpcbind failure Error ..... 6-40
    The server not responding Error ..... 6-41
    The NFS client fails a reboot Error ..... 6-41
    The service not responding Error ..... 6-42
    The program not registered Error ..... 6-42
    The stale NFS file handle Error ..... 6-43
    The unknown host Error ..... 6-43
    The mount point Error ..... 6-43
    The no such file Error ..... 6-44
  Performing the Exercises ..... 6-45
  Exercise: Configuring NFS (Level 1) ..... 6-46
    Preparation ..... 6-46
    Tasks ..... 6-46
  Exercise: Configuring NFS (Level 2) ..... 6-48
    Preparation ..... 6-48
    Task Summary ..... 6-48
    Tasks ..... 6-49
  Exercise: Configuring NFS (Level 3) ..... 6-52
    Preparation ..... 6-52
    Task Summary ..... 6-52
    Tasks and Solutions ..... 6-53
  Exercise Summary ..... 6-57
Configuring AutoFS ..... 7-1
  Objectives ..... 7-1
  Introducing the Fundamentals of AutoFS ..... 7-2
    AutoFS File System ..... 7-3
    The automountd Daemon ..... 7-4
    The automount Command ..... 7-4
  Using Automount Maps ..... 7-5
    Configuring the Master Map ..... 7-6
    Identifying Mount Points for Special Maps ..... 7-7
    Adding Direct Map Entries ..... 7-8
    Adding Indirect Map Entries ..... 7-11
    Updating the Automount Maps ..... 7-13
    Stopping and Starting the Automount System ..... 7-15
  Performing the Exercises ..... 7-17
  Exercise: Using the Automount Facility (Level 1) ..... 7-18
    Preparation ..... 7-18
    Tasks ..... 7-18
  Exercise: Using the Automount Facility (Level 2) ..... 7-19
    Preparation ..... 7-19
    Task Summary ..... 7-19
    Tasks ..... 7-20


  Exercise: Using the Automount Facility (Level 3) ..... 7-24
    Preparation ..... 7-24
    Task Summary ..... 7-24
    Tasks and Solutions ..... 7-25
  Exercise Summary ..... 7-31
Describing RAID and the Solaris™ Volume Manager Software ..... 8-1
  Objectives ..... 8-1
  Introducing RAID ..... 8-2
    RAID 0 ..... 8-2
    RAID 1 ..... 8-6
    RAID 5 ..... 8-13
    Hardware Considerations ..... 8-16
  Introducing Solaris Volume Manager Software Concepts ..... 8-19
    Logical Volume ..... 8-19
    Soft Partitions ..... 8-20
    Introducing the State Database ..... 8-21
    Introducing Hot Spares and Hot Spare Pools ..... 8-24
Configuring Solaris Volume Manager Software ..... 9-1
  Objectives ..... 9-1
  Solaris Volume Manager Concepts ..... 9-2
  The State Database Replicas ..... 9-3
    Creating the State Database ..... 9-3
  Configuring RAID-0 ..... 9-14
  RAID-0 Striped Volumes ..... 9-15
    Creating a RAID-0 Volume ..... 9-16
  Configuring RAID-1 ..... 9-29
  Building a Mirror of the Root (/) File System ..... 9-31
    The Scenario ..... 9-32
    Creating The RAID-0 Volumes ..... 9-32
    Creating The RAID-1 Volume ..... 9-43
    Unmirroring the Root (/) File System ..... 9-60
  Performing the Exercises ..... 9-62
  Exercise: Mirroring the Root (/) File System (Level 1) ..... 9-63
    Preparation ..... 9-63
    Tasks ..... 9-64
  Exercise: Mirroring the Root (/) File System (Level 2) ..... 9-65
    Preparation ..... 9-65
    Task Summary ..... 9-66
    Tasks ..... 9-66
  Exercise: Mirroring the Root (/) File System (Level 3) ..... 9-69
    Preparation ..... 9-69
    Task Summary ..... 9-70
    Tasks and Solutions ..... 9-70
  Exercise Summary ..... 9-74


Configuring Role-Based Access Control (RBAC) ........ 10-1
Objectives ........ 10-1
Introducing RBAC Fundamentals ........ 10-2
Key RBAC Files ........ 10-2
Roles ........ 10-3
Assigning Rights Profiles To Users ........ 10-4
Assigning Rights Profiles To Roles ........ 10-8
Assigning Roles To Users ........ 10-11
Using Roles ........ 10-12
Authorizations ........ 10-13
Assigning Authorizations ........ 10-15
Assigning Authorizations To User Accounts ........ 10-16
Assigning Authorizations To Roles ........ 10-17
Assigning Authorizations To Rights Profiles ........ 10-18
RBAC Configuration File Summary ........ 10-19
The /etc/user_attr File ........ 10-19
The /etc/security/prof_attr File ........ 10-20
The /etc/security/exec_attr File ........ 10-22
The /etc/security/auth_attr File ........ 10-24
Managing RBAC Using the Solaris Management Console ........ 10-26
Fundamentals of Managing RBAC ........ 10-26
Performing the Exercises ........ 10-59
Exercise: Configuring RBAC (Level 1) ........ 10-60
Preparation ........ 10-60
Task Summary ........ 10-60
Exercise: Configuring RBAC (Level 2) ........ 10-61
Preparation ........ 10-61
Task Summary ........ 10-61
Tasks ........ 10-61
Exercise: Configuring RBAC (Level 3) ........ 10-65
Preparation ........ 10-65
Task Summary ........ 10-65
Tasks and Solutions ........ 10-66
Exercise Summary ........ 10-72

Configuring System Messaging ........ 11-1
Objectives ........ 11-1
Introducing the syslog Function ........ 11-2
The syslog Concept ........ 11-2
The /etc/syslog.conf File ........ 11-3
The syslogd Daemon and the m4 Macro Processor ........ 11-8
Configuring the /etc/syslog.conf File ........ 11-12
Message Routing ........ 11-12
Stopping and Starting the syslogd Daemon ........ 11-13
Configuring syslog Messaging ........ 11-14
Enabling TCP Tracing ........ 11-14


Monitoring a syslog File in Real Time ........ 11-16
Adding One-Line Entries to a System Log File ........ 11-18
Using the Solaris Management Console Log Viewer ........ 11-20
Opening the Solaris Management Console Log Viewer ........ 11-20
Viewing a syslog Message File ........ 11-21
Viewing a Management Tools Log File ........ 11-23
Browsing the Contents of a Management Tools Log File ........ 11-25
Displaying Management Tools Log Entry Details ........ 11-27
Backing Up Management Tools Log File ........ 11-29
Performing the Exercises ........ 11-33
Exercise: Using the syslog Function and Auditing Utilities (Level 1) ........ 11-34
Preparation ........ 11-34
Tasks ........ 11-34
Exercise: Using the syslog Function and Auditing Utilities (Level 2) ........ 11-36
Preparation ........ 11-36
Task Summary ........ 11-36
Tasks ........ 11-37
Exercise: Using the syslog Function and Auditing Utilities (Level 3) ........ 11-43
Preparation ........ 11-43
Task Summary ........ 11-43
Tasks and Solutions ........ 11-44
Exercise Summary ........ 11-52

Using Name Services ........ 12-1
Objectives ........ 12-1
Introducing the Name Service Concept ........ 12-2
Domain Name System (DNS) ........ 12-4
Network Information Service (NIS) ........ 12-5
Network Information Service Plus (NIS+) ........ 12-7
Lightweight Directory Access Protocol (LDAP) ........ 12-8
Name Service Features Summary ........ 12-10
Introducing the Name Service Switch File ........ 12-11
Database Sources ........ 12-13
Status Codes ........ 12-14
Actions ........ 12-14
Configuring the Name Service Cache Daemon (nscd) ........ 12-16
The nscd Daemon ........ 12-16
Configuring the nscd Daemon ........ 12-16
Stopping and Starting the nscd Daemon ........ 12-18
Retrieving Name Service Information ........ 12-20
The getent Command ........ 12-20
Using the getent Command ........ 12-21


Exercise: Reviewing Name Services ........ 12-22
Preparation ........ 12-22
Tasks ........ 12-22
Task Solutions ........ 12-24
Exercise Summary ........ 12-25

Configuring Name Service Clients ........ 13-1
Objectives ........ 13-1
Configuring a DNS Client ........ 13-2
Configuring the DNS Client During Installation ........ 13-2
Editing DNS Client Configuration Files ........ 13-5
Setting Up an LDAP Client ........ 13-7
Client Authentication ........ 13-7
Client Profile and Proxy Account ........ 13-8
Client Initialization ........ 13-8
Configuring the LDAP Client During Installation ........ 13-9
Initializing the Native LDAP Client ........ 13-12
Copying the /etc/nsswitch.ldap File to the /etc/nsswitch.conf File ........ 13-14
Listing LDAP Entries ........ 13-15
Unconfiguring an LDAP Client ........ 13-16
Performing the Exercises ........ 13-17
Exercise: Configuring a System to Use DNS and LDAP (Level 1) ........ 13-18
Preparation ........ 13-18
Tasks ........ 13-18
Exercise: Configuring a System to Use DNS and LDAP (Level 2) ........ 13-19
Preparation ........ 13-19
Task Summary ........ 13-19
Tasks ........ 13-19
Exercise: Configuring a System to Use DNS and LDAP (Level 3) ........ 13-21
Preparation ........ 13-21
Task Summary ........ 13-21
Tasks and Solutions ........ 13-22
Exercise Summary ........ 13-24

Configuring the Network Information Service (NIS) ........ 14-1
Objectives ........ 14-1
Introducing NIS Fundamentals ........ 14-2
NIS Namespace Information ........ 14-2
NIS Domains ........ 14-4
NIS Processes ........ 14-6
Configuring the Name Service Switch ........ 14-9
Changing Lookup Requests to Go From Files to NIS ........ 14-10
Changing Lookup Requests to Go From NIS to Files ........ 14-11


Introducing NIS Security ........ 14-13
The securenets File ........ 14-13
The passwd.adjunct File ........ 14-14
Configuring NIS Domain ........ 14-16
Generating NIS Maps ........ 14-16
Configuring the NIS Master Server ........ 14-20
Testing the NIS Service ........ 14-23
Configuring the NIS Client ........ 14-24
Configuring the NIS Slave Server ........ 14-25
Updating the NIS Map ........ 14-27
Updating the NIS Password Map ........ 14-27
Updating the NIS timezone Map ........ 14-28
Building Custom NIS Maps ........ 14-32
Using the make Command ........ 14-32
Editing the NIS Makefile File ........ 14-33
Troubleshooting NIS ........ 14-38
Troubleshooting NIS Server Failure Messages ........ 14-38
Troubleshooting NIS Client Failure Messages ........ 14-41
Performing the Exercises ........ 14-43
Exercise: Configuring NIS (Level 1) ........ 14-44
Preparation ........ 14-44
Tasks ........ 14-45
Exercise: Configuring NIS (Level 2) ........ 14-46
Preparation ........ 14-46
Task Summary ........ 14-47
Tasks ........ 14-48
Exercise: Configuring NIS (Level 3) ........ 14-55
Preparation ........ 14-55
Task Summary ........ 14-56
Tasks and Solutions ........ 14-57
Exercise Summary ........ 14-69

Introduction to Zones ........ 15-1
Objectives ........ 15-1
Introducing Solaris Zones ........ 15-2
Server Consolidation Solutions ........ 15-2
Resource Sharing ........ 15-3
Zone Features ........ 15-4
Zone Concepts ........ 15-5
Zone Types ........ 15-5
Zone Daemons ........ 15-7
Zone File Systems ........ 15-7
Zone Networking ........ 15-9
Zone Command Scope ........ 15-9
Zone States ........ 15-10
Configuring Zones ........ 15-12


Identifying Zone Components ........ 15-12
Allocating File System Space ........ 15-12
Using the zonecfg Command ........ 15-13
The zonecfg Resources Parameters ........ 15-14
Zone Configuration Walk-Through ........ 15-16
Viewing the Zone Configuration File ........ 15-19
Using the zoneadm Command ........ 15-20
Verifying a Configured Zone ........ 15-20
Installing a Configured Zone ........ 15-21
Booting a Zone ........ 15-21
Halting a Zone ........ 15-22
Rebooting a Zone ........ 15-22
Logging Into and Working With the Zone ........ 15-22
Deleting a Zone ........ 15-24

Describing the Custom JumpStart Configurations ........ 16-1
Objectives ........ 16-1
Introducing JumpStart Configurations ........ 16-2
Purpose of JumpStart ........ 16-2
Boot Services ........ 16-3
Identification Services ........ 16-5
Configuration Services ........ 16-7
Installation Services ........ 16-8
Implementing a Basic JumpStart Server ........ 16-11
Spooling the Operating System Image ........ 16-11
Editing the sysidcfg File ........ 16-13
Running the check Script ........ 16-21
Running the add_install_client Script ........ 16-23
Booting the JumpStart Client ........ 16-26
Exercise: Configuring a Software Installation Procedure Using JumpStart ........ 16-26
Task Preparation ........ 16-26
Task Summary ........ 16-27
Worksheet for Configuring a Software Installation Procedure Using JumpStart Software ........ 16-28
Tasks ........ 16-29
Task Solutions ........ 16-33
Setting Up JumpStart Software Configuration Alternatives ........ 16-34
Introducing the JumpStart Client Boot Sequence ........ 16-35
Setting Up a Boot-Only Server ........ 16-42
Setting Up Identification Service Alternatives ........ 16-46
Setting Up Configuration Service Alternatives ........ 16-50
Setting Up Installation Service Alternatives ........ 16-63
Troubleshooting JumpStart ........ 16-65
Resolving Boot Problems ........ 16-65
Resolving Identification Problems ........ 16-68


Resolving Configuration Problems ........ 16-70
Resolving Installation Problems ........ 16-71
Resolving Begin and Finish Script Problems ........ 16-72
Identifying Log Files ........ 16-73
Exercise: Configuring a Software Installation Procedure Using JumpStart to Create a RAID-1 Volume and Add a Patch During the JumpStart Process ........ 16-74
Preparation ........ 16-74
Task Summary ........ 16-74
Worksheet for Configuring a Software Installation Procedure Using JumpStart Software ........ 16-75
Tasks ........ 16-76
Exercise Summary ........ 16-82
Configuring NIS for JumpStart Procedures ........ 16-83

Performing a Flash Installation ........ 17-1
Objectives ........ 17-1
Introducing the Flash Installation Feature ........ 17-2
Uses of the Flash Installation Feature ........ 17-2
Flash Deployment Methods ........ 17-3
Flash Installation Process ........ 17-3
Flash Installation Requirements ........ 17-5
Manipulating a Flash Archive ........ 17-6
Creating a Flash Archive ........ 17-7
Administering a Flash Archive ........ 17-10
Using a Flash Archive for Installation ........ 17-12
Using a Flash Archive With JumpStart Software ........ 17-20
Locating the Installation Logs ........ 17-26
Live Upgrade ........ 17-27
WANboot ........ 17-27
Exercise Summary ........ 17-28

Index ........ Index-1


Preface

About This Course

Course Goals

Upon completion of this course, you should be able to:

• Describe network basics
• Manage virtual file systems and core dumps
• Manage storage volumes
• Control access and configure system messaging
• Set up name services
• Perform advanced installation procedures


Course Map

The course map enables you to see what you have accomplished and where you are going in reference to the course goals.

[Figure: Course map. Course goal groupings shown: Describing Network Basics; Managing Virtual File Systems and Core Dumps; Managing Storage Volumes; Controlling Access and Configuring System Messaging; Setting Up Name Services; Performing Advanced Installation Procedures. Modules shown: Describing Interface Configuration; Describing the Client-Server Model; Using Name Services; Configuring Name Service Clients; Configuring the Network Information Service (NIS); Managing Swap Configuration; Managing Crash Dumps and Core Files; Configuring NFS; Configuring AutoFS; Configuring Role-Based Access Control (RBAC); Configuring System Messaging; Describing RAID and Solaris™ Volume Manager Software; Customizing the Solaris™ Management Console; Configuring Solaris Volume Manager Software; Configuring the Custom JumpStart™ Procedure; Performing a Flash Installation; Introduction to Zones.]


Topics Not Covered

This course does not cover the following topics. Many of these topics are covered in other courses offered by Sun Educational Services:

• Basic UNIX® commands – Covered in SA-100: UNIX® Essentials Featuring the Solaris™ 10 Operating System
• The vi editor – Covered in SA-100: UNIX® Essentials Featuring the Solaris™ 10 Operating System
• Basic UNIX file security – Covered in SA-100: UNIX® Essentials Featuring the Solaris™ 10 Operating System
• Software package administration – Covered in SA-200: Intermediate System Administration for the Solaris™ 10 Operating System
• Patch maintenance – Covered in SA-200: Intermediate System Administration for the Solaris™ 10 Operating System
• Adding users using the Solaris Management Console software – Covered in SA-200: Intermediate System Administration for the Solaris™ 10 Operating System
• Basic system security – Covered in SA-100: UNIX® Essentials Featuring the Solaris™ 10 Operating System
• Administering initialization files – Covered in SA-200: Intermediate System Administration for the Solaris™ 10 Operating System
• Advanced file permissions – Covered in SA-200: Intermediate System Administration for the Solaris™ 10 Operating System
• Backup and recovery – Covered in SA-200: Intermediate System Administration for the Solaris™ 10 Operating System
• The lp print service and print commands – Covered in SA-200: Intermediate System Administration for the Solaris™ 10 Operating System
• Process control – Covered in SA-200: Intermediate System Administration for the Solaris™ 10 Operating System
• All the new features in Solaris 10 – Covered in SA-225S10: Solaris™ 10 for Experienced System Administrators
• Hardware or software troubleshooting – Covered in ST-350: Sun™ Systems Fault Analysis Workshop
• System tuning – Covered in SA-400: Enterprise System Performance Management


• Detailed shell programming – Covered in SA-245: Shell Programming for System Administrators
• Detailed network administration concepts – Covered in SA-300: Network Administration for the Solaris™ 10 Operating System

Refer to the Sun Educational Services catalog for specific information on course content and registration.


How Prepared Are You?

To be sure you are prepared to take this course, can you answer yes to the following questions?

• Can you install and boot the Solaris™ 10 Operating System (Solaris 10 OS) on a stand-alone workstation?
• Can you implement basic system security?
• Can you add users to the system using the Solaris Management Console software?
• Can you use the pkgadd command to add software packages?
• Can you monitor and mount file systems?
• Can you manage disk devices and processes?
• Can you perform backups and restorations?


Introductions

Now that you have been introduced to the course, introduce yourself to the other students and the instructor, addressing the following items:

• Name
• Company affiliation
• Title, function, and job responsibility
• Experience related to topics presented in this course
• Reasons for enrolling in this course
• Expectations for this course


How to Use Course Materials

To enable you to succeed in this course, these course materials use a learning module that is composed of the following components:

• Objectives – You should be able to accomplish the objectives after completing a portion of instructional content. Objectives support goals and can support other higher-level objectives.
• Lecture – The instructor will present information specific to the objective of the module. This information will help you learn the knowledge and skills necessary to succeed with the activities.
• Activities – The activities take on various forms, such as an exercise, self-check, discussion, and demonstration. Activities are used to facilitate the mastery of an objective.
• Visual aids – The instructor might use several visual aids to convey a concept, such as a process, in a visual form. Visual aids commonly contain graphics, animation, and video.

Note – Many system administration tasks for the Solaris OS can be accomplished in more than one way. The methods presented in the courseware reflect recommended practices used by Sun Educational Services.


Conventions

The following conventions are used in this course to represent various training elements and alternative learning resources.

Icons

Discussion – Indicates a small-group or class discussion on the current topic is recommended at this time.

Note – Indicates additional information that can help students but is not crucial to their understanding of the concept being described. Students should be able to understand the concept or complete the task without this information. Examples of notational information include keyword shortcuts and minor system adjustments.

Caution – Indicates that there is a risk of personal injury from a nonelectrical hazard, or risk of irreversible damage to data, software, or the operating system. A caution indicates that a hazard is possible (as opposed to certain), depending on the action of the user.

Power user – Indicates additional supportive topics, ideas, or other optional information.


Typographical Conventions

Courier is used for the names of commands, files, directories, user names, host names, programming code, and on-screen computer output; for example:

Use the ls -al command to list all files.
host1# cd /home

Courier bold is used for characters and numbers that you type; for example:

To list the files in this directory, type the following:
# ls

Courier italics is used for variables and command-line placeholders that are replaced with a real name or value; for example:

To delete a file, use the rm filename command.

Courier italic bold is used to represent variables whose values are to be entered by the student as part of an activity; for example:

Type chmod a+rwx filename to grant read, write, and execute rights for filename.

Palatino italics is used for book titles, new words or terms, or words that you want to emphasize; for example:

Read Chapter 6 in the User’s Guide.
These are called class options.


Module 1

Describing Interface Configuration

Objectives

The network interfaces that a system uses to communicate with other systems on the network use both hardware and software configuration components. When adding a network interface to a system, you must configure specific files to establish a relationship between the hardware and the software addresses.

Upon completion of this module, you should be able to:

- Control and monitor network interfaces
- Configure Internet Protocol Version 4 (IPv4) interfaces at boot time

The course map in Figure 1-1 shows how this module fits into the current instructional goal.

Figure 1-1 Course Map

[Figure: course map with the boxes Describing Interface Configuration, Describing the Client-Server Model, Describing Network Basics, and Customizing the Solaris™ Management Console]


Controlling and Monitoring Network Interfaces

Network commands, such as ifconfig, ping, and snoop, control and monitor the functionality of network interfaces.

Displaying the MAC Address

The media access control (MAC) address is your computer’s unique hardware address on a local area network (LAN). The MAC address is also the Ethernet address on an Ethernet LAN. When you are connected to a LAN, an address resolution table maps your computer’s physical MAC address to an Internet Protocol (IP) address on the LAN. Two ways to display the MAC address or the Ethernet address are:

- Use the ifconfig -a command
- Use the boot programmable read-only memory (PROM) banner command

Note – The MAC address is displayed only if the command is run as the root user.

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.30.41 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:93:c9:af

The MAC address is listed as 8:0:20:93:c9:af in this example.

You can also retrieve the MAC address from a system that has not yet been booted by running the banner command at the ok prompt.

ok banner
Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 300MHz), Keyboard Present
OpenBoot 3.31 256 MB (60ns) memory installed, Serial #9685423.
Ethernet address 8:0:20:93:c9:af, Host ID: 8093c9af.


Displaying the IP Address

With the -a option, the ifconfig command displays the current configuration for all network interfaces in the system.

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.30.41 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:93:c9:af

The previous example shows that the loopback interface (lo0) is up, running, and configured with an IP address of 127.0.0.1. The hme0 interface is up, running, and configured with an IP address of 192.168.30.41.

Marking an Ethernet Interface as Down

When an Ethernet interface is marked as down, it means that it cannot communicate. You can use the ifconfig command to mark an Ethernet interface as up or down. For example, to mark the hme0 interface as down, perform the commands:

# ifconfig hme0 down
# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.30.41 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:93:c9:af

Note – The UP flag for hme0 is no longer present. When an interface is flagged as UP, it is ready to communicate.


The following example shows that when you mark an interface as up, the UP status appears in the flags field of the ifconfig command output:

# ifconfig hme0 up
# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.30.41 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:93:c9:af

Sending ICMP ECHO_REQUEST Packets

To determine if you can contact another system over the network, enter the ping command:

# ping sys41
sys41 is alive

The previous response indicates the host name sys41 is alive. A response of no answer from sys41 indicates that you cannot contact host sys41. This implies a problem with host sys41, or a problem with the network.

For the ping command to succeed, the following conditions must be satisfied on both systems:

- The interface must be plumbed.
- The interface must be configured.
- The interface must be up.
- The interface must be physically connected.
- The interface must have valid routes configured.

For more information on ifconfig and plumbed, see the ifconfig man page.

Note – Configuration of routes is an advanced networking topic. Detailed network administration concepts are covered in SA300: Network Administration for the Solaris™ 10 Operating System.


Capturing and Inspecting Network Packets

You can use the snoop utility to capture and inspect network packets to determine what kind of data is transferred between systems. You can use the snoop utility to see what happens when one system uses the ping command to communicate with another system. To view network traffic between two specific systems, perform the command:

# snoop sys41 sys42
sys41 -> sys42 ICMP Echo request (ID: 615 Sequence number: 0)
sys42 -> sys41 ICMP Echo reply (ID: 615 Sequence number: 0)

Use the -a option to enable audible clicks, which notify you of any network traffic. Although noisy, the clicks are useful when troubleshooting.

The following example shows how to turn on audible clicks for all network traffic related to a Dynamic Host Configuration Protocol (DHCP) boot:

# snoop -a dhcp

Some additional snoop options include:

snoop               Summary output
snoop -V            Summary verbose output
snoop -v            Detailed verbose output
snoop -o filename   Redirects the snoop utility output to filename in summary mode
snoop -i filename   Displays packets that were previously captured in filename

Note – Press Control-C to stop the snoop utility.
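The following shell function is an added example, not part of the original course material. It reads snoop summary lines in the format shown above and lists every ICMP echo request that has no matching reply, which is what a capture looks like when the target interface is marked down. The capture lines are constructed sample data, and the names sample_capture and unanswered_echo are hypothetical.

```shell
#!/bin/sh
# Added example: pair ICMP echo requests with replies in snoop summary output.

# Constructed sample: sys41 pings sys42 twice while sys42 answers (ID 615),
# then twice more after the interface on sys42 is marked down (ID 616).
sample_capture() {
cat <<'EOF'
sys41 -> sys42 ICMP Echo request (ID: 615 Sequence number: 0)
sys42 -> sys41 ICMP Echo reply (ID: 615 Sequence number: 0)
sys41 -> sys42 ICMP Echo request (ID: 615 Sequence number: 1)
sys42 -> sys41 ICMP Echo reply (ID: 615 Sequence number: 1)
sys41 -> sys42 ICMP Echo request (ID: 616 Sequence number: 0)
sys41 -> sys42 ICMP Echo request (ID: 616 Sequence number: 1)
EOF
}

# unanswered_echo: read snoop summary lines on stdin and print one line,
# "<source> <destination> <id> <sequence>", for each echo request that never
# received a reply with the same ID and sequence number.
unanswered_echo() {
    awk '
    $2 == "->" && $4 == "ICMP" && $5 == "Echo" {
        # Fields: src -> dst ICMP Echo request|reply (ID: id Sequence number: seq)
        id = $8
        seq = $11
        sub(/\)$/, "", seq)
        if ($6 == "request") {
            key = $1 SUBSEP $3 SUBSEP id SUBSEP seq
            if (!(key in pending)) order[++n] = key
            pending[key] = 1
        } else if ($6 == "reply") {
            # A reply travels in the opposite direction to its request.
            key = $3 SUBSEP $1 SUBSEP id SUBSEP seq
            if (key in pending) pending[key] = 0
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            if (pending[order[i]]) {
                split(order[i], part, SUBSEP)
                print part[1], part[2], part[3], part[4]
            }
        }
    }'
}

# Run on the constructed capture; a saved capture can be fed in the same way
# with: snoop -i filename | unanswered_echo
sample_capture | unanswered_echo
```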


Configuring IPv4 Interfaces at Boot Time

This section describes the files and scripts involved with configuring IPv4 network interfaces.

Introducing IPv4 Interface Files

You can get a basic understanding of network interfaces within the Solaris OS by learning the function of a few files and services. The services and files are the following:

- The svc:/network/physical:default service
- The /etc/hostname.xxn file
- The /etc/inet/hosts file

The svc:/network/physical:default Service

The svc:/network/physical:default service calls the /lib/svc/method/net-physical method script. It is one of the startup scripts that runs each time you boot the system. This script uses the ifconfig utility to configure each interface with an IP address and other required network information. The script searches for files called hostname.xxn in the /etc directory, where xx is an interface type and n is the instance of the interface. For every file named /etc/hostname.xxn, the script uses the ifconfig command with the plumb option to make the kernel ready to talk to this type of interface. The script then configures the named interface using other options to the ifconfig command. The /etc/hostname.hme0 file is an example of an interface configuration file.

Note – In Solaris 8 and 9 OS, the /etc/rcS.d/S30network.sh file is used to perform the same function. Before Solaris 8 OS, the /etc/rcS.d/S30rootusr.sh file was used.


The /etc/hostname.xxn File

The /etc/hostname.xxn file contains an entry that configures a corresponding interface. The variable component of the file name is replaced by an interface type and a number that differentiates between multiple interfaces of the same type configured in the system. Table 1-1 shows some examples.

Table 1-1 The /etc/hostname.xxn File Entries and Corresponding Interfaces

Entry                 Interface
/etc/hostname.hme0    First hme Ethernet interface in the system
/etc/hostname.hme1    Second hme Ethernet interface in the system
/etc/hostname.qfe0    First qfe Ethernet interface in the system
/etc/hostname.eri0    First eri Ethernet interface in the system

The codes for the interface types are product codes. These codes originate from varying sources. For example, the qfe code is an abbreviation for Quad Fast Ethernet.

The /etc/hostname.hme0 file contains either the host name or the IP address of the system that contains the hme0 interface. The host name contained in the file must exist in the /etc/inet/hosts file so that it can be resolved to an IP address at system boot time. You can edit the /etc/hostname.hme0 file to contain either the host name or the IP address from the /etc/inet/hosts file.

# cat /etc/hostname.hme0
sys41

or

# cat /etc/hostname.hme0
192.168.30.41


The /etc/inet/hosts File

The /etc/inet/hosts file is a local database that associates the IP addresses of hosts with their names. You can use the /etc/inet/hosts file with, or instead of, other hosts databases, including the Domain Name System (DNS), the Network Information Service (NIS) hosts map, and the Network Information Service Plus (NIS+) hosts table. Programs use library interfaces to access information in the /etc/inet/hosts file.

The /etc/inet/hosts file contains at least the loopback and host information. The file has one entry for each IP address of each host. If a host has more than one IP address, this file will have one entry for each address, on separate lines. The format of each line is:

IP-address official-host-name [aliases] . . .

Items are separated by any number of spaces or tab characters. The first item on a line is the host’s IP address. The second entry is the host’s official name. Subsequent entries on the same line are alternative names for the same machine, or nicknames. Nicknames are optional.

# cat /etc/inet/hosts
.
< output truncated>
.
127.0.0.1 localhost
.
< output truncated>
.
192.168.30.41 sys41 loghost #connection to hme interface
192.168.4.1 sys41-internal #connection to qfe interface
.
<output truncated>
.

Note – The /etc/inet/hosts file is the official System V Release 4 (SVr4) name of the hosts file. The symbolic link /etc/hosts exists for Berkeley Software Distribution (BSD) compatibility.


Changing the System Host Name

The host name of a system is contained in three files on the system. You must modify all of these files, and perform a reboot, to successfully change a system’s host name. The files that contain the host name of a system are:

- The /etc/nodename file
- The /etc/hostname.xxn file
- The /etc/inet/hosts file

Note – If crash dump is enabled on the system, the system name needs to be changed under /var/crash. Older versions of Solaris also had the hostname in files located under /etc/net/tic*/*.

Editing the /etc/nodename File

Each Solaris OS has a canonical name, which is the official name used when referring to a system. By convention, the system name is the same as the host name associated with the IP address of the primary network interface; for example, hostname.hme0.

The following example shows a system’s /etc/nodename file:

# cat /etc/nodename
sys41

You can change the canonical name by editing the /etc/nodename file, and rebooting the system.

If the machine’s network configuration is managed remotely and delivered by the DHCP or remote procedure call (RPC) bootparams protocols, the /etc/nodename file is not used. The file is not used because the remote service delivers the canonical name.

Editing the /etc/hostname.xxn File

The /etc/hostname.xxn file contains either the host name or the IP address of the system that contains the named interface.


Editing the /etc/inet/hosts File

Network addresses are written in the conventional decimal-dot notation.

Host names are text strings up to 24 characters. Alphabetic characters, numbers, the (-) sign, and a (.) are allowed in the host name. Periods are only allowed when they serve to delimit components of domain style names. Spaces are not allowed in the host name. The first character must be an alphabetic character. The last character must not be a (-) or a (.).

No distinction is made between uppercase and lowercase characters, unless the NIS naming service is used. Uppercase characters in names have been known to cause problems with NIS.

A (#) indicates the beginning of a comment. After a comment character, all characters, up to the end of the line, are not interpreted.

Editing the /etc/inet/ipnodes File

The ipnodes file is a local database that associates the names of nodes with their Internet Protocol (IP) addresses. The ipnodes file is populated with IPv4 addresses and host names during installation. If you attempt to change the system IP address by editing the /etc/inet/hosts file and then reboot the system, the IP address will NOT be changed.
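The following script is an added example, not part of the original course material. It applies the host-name rules above and cross-checks /etc/nodename, each /etc/hostname.xxn file, /etc/inet/hosts, and /etc/inet/ipnodes under a given root directory. The function names and the sample tree (including the address 192.168.30.42 and the name sys41_internal) are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check the files that hold a Solaris 10 host name.

# lookup_ip FILE NAME: print the address of the first entry in a hosts-format
# FILE whose official name or alias is NAME (case-insensitive, "#" comments
# ignored).
lookup_ip() {
    awk -v want="$2" '
    BEGIN { want = tolower(want) }
    { sub(/#.*/, "") }
    NF >= 2 { for (i = 2; i <= NF; i++) if (tolower($i) == want) { print $1; exit } }
    ' "$1"
}

# valid_name NAME: succeed if NAME obeys the host-name rules given above.
valid_name() {
    [ "${#1}" -le 24 ] || return 1          # at most 24 characters
    case $1 in
        "")               return 1 ;;
        [!A-Za-z]*)       return 1 ;;       # first character alphabetic
        *[!A-Za-z0-9.-]*) return 1 ;;       # letters, digits, "-" and "." only
        *-|*.)            return 1 ;;       # must not end in "-" or "."
        *..*)             return 1 ;;       # "." only delimits name components
    esac
}

# list_findings ROOT: print one line per inconsistency found under ROOT/etc.
list_findings() {
    root=$1
    hosts=$root/etc/inet/hosts
    ipnodes=$root/etc/inet/ipnodes
    [ -r "$hosts" ] || { echo "hosts: $hosts is not readable"; return 0; }

    # 1. Every official name and alias in hosts must be a legal host name.
    awk '{ sub(/#.*/, "") } NF >= 2 { for (i = 2; i <= NF; i++) print $i }' "$hosts" |
    while read -r name; do
        valid_name "$name" || echo "hosts: illegal host name '$name'"
    done

    # 2. The canonical name in nodename must have an entry in hosts.
    node=$(cat "$root/etc/nodename" 2>/dev/null || true)
    if [ -z "$node" ]; then
        echo "nodename: missing or empty"
    elif [ -z "$(lookup_ip "$hosts" "$node")" ]; then
        echo "nodename: '$node' has no entry in hosts"
    fi

    # 3. A name in hostname.xxn must resolve through hosts at boot, and an
    #    ipnodes entry for the same name must carry the same address.
    for f in "$root"/etc/hostname.*; do
        [ -f "$f" ] || continue
        ifname=${f##*/hostname.}
        read -r entry rest < "$f" || true
        case $entry in
            "")        echo "$ifname: empty hostname file"; continue ;;
            *[!0-9.]*) ;;                   # a host name: checked below
            *)         continue ;;          # an IP address: nothing to resolve
        esac
        ip=$(lookup_ip "$hosts" "$entry")
        if [ -z "$ip" ]; then
            echo "$ifname: '$entry' has no entry in hosts"
        elif [ -f "$ipnodes" ]; then
            node_ip=$(lookup_ip "$ipnodes" "$entry")
            if [ -n "$node_ip" ] && [ "$node_ip" != "$ip" ]; then
                echo "$ifname: '$entry' is $ip in hosts but $node_ip in ipnodes"
            fi
        fi
    done
}

# audit_hostname_files ROOT: print the findings; succeed only if there are none.
audit_hostname_files() {
    out=$(list_findings "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# make_sample_root DIR: build a constructed /etc tree in which hosts was edited
# to a new address but ipnodes was not, and one name breaks the naming rules.
make_sample_root() {
    mkdir -p "$1/etc/inet"
    echo sys41 > "$1/etc/nodename"
    echo sys41 > "$1/etc/hostname.hme0"
    echo sys41-internal > "$1/etc/hostname.qfe0"
    printf '%s\n' '127.0.0.1 localhost' \
        '192.168.30.42 sys41 loghost   # address edited here only' \
        '192.168.4.1 sys41_internal    # "_" is not a legal character' \
        > "$1/etc/inet/hosts"
    printf '%s\n' '127.0.0.1 localhost' \
        '192.168.30.41 sys41 loghost' > "$1/etc/inet/ipnodes"
}

# Run the audit on the constructed tree (prints three findings).
demo=$(mktemp -d) && make_sample_root "$demo" && { audit_hostname_files "$demo" || true; }
rm -rf "$demo"
```

To check a live system instead of the constructed tree, call audit_hostname_files / and review each finding before the next reboot.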

The sys-unconfig Command

You can use the /usr/sbin/sys-unconfig command to undo a system’s configuration, that is, to restore the system to an unconfigured state, ready to be reconfigured again.


The sys-unconfig command does the following:

- Saves the current /etc/inet/hosts file information in the /etc/inet/hosts.saved file.
- If the current /etc/vfstab file contains Network File System (NFS) mount entries, it saves the /etc/vfstab file to the /etc/vfstab.orig file.
- Restores the default /etc/inet/hosts file.
- Removes the default host name in the /etc/hostname.xxn files for all configured interfaces.
- Removes the default domain name in the /etc/defaultdomain file.
- Restores the time zone to PST8PDT in the /etc/TIMEZONE file.
- Resets naming services to local files.
- Removes the /etc/inet/netmasks file.
- Removes the /etc/defaultrouter file.
- Removes the password set for the root user in the /etc/shadow file.
- Removes the /etc/.rootkey file for NIS+.
- Executes all system configuration applications. These applications are defined by prior executions of a sysidconfig -a command.
- Removes the /etc/resolv.conf file for DNS clients.
- Disables Lightweight Directory Access Protocol (LDAP) by removing:
  - The /var/ldap/ldap_client_cache file
  - The /var/ldap/ldap_client_file file
  - The /var/ldap/ldap_client_cred file
  - The /var/ldap/cachemgr.log file
- Regenerates keys for the Secure Shell Daemon (sshd).

When the sys-unconfig command is finished, it performs a system shutdown. The sys-unconfig command is a potentially dangerous utility and can only be run by the root user.

When you restart the system, a configuration script prompts you to configure the system information. The sys-unconfig command is not available on diskless clients.


Performing the Exercises

You have the option to complete any one of three versions of a lab. To decide which to choose, consult the following descriptions of the levels:

- Level 1 – This version of the lab provides the least amount of guidance. Each bulleted paragraph provides a task description, but you must determine your own way of accomplishing each task.
- Level 2 – This version of the lab provides more guidance. Although each step describes what you should do, you must determine which commands (and options) to input.
- Level 3 – This version of the lab is the easiest to accomplish because each step provides exactly what you should input to the system. This level also includes the task solutions for all three levels.


Exercise: The Solaris OS Network Commands (Level 1)

In this exercise, you use basic network-related commands.

Preparation

To prepare for this exercise, perform the following tasks:

- Check that you have two systems listed in each /etc/inet/hosts file on each system.
- Work with a partner for this exercise, and perform all steps on both systems, unless noted otherwise.

Tasks

Complete the following steps:

Note – Be sure to work closely with your partner during the lab to ensure you are both working on the same steps.

- Allow the snoop utility to run through this exercise.
- Use the ifconfig -a command to list the IP address, Ethernet address, netmask, and current status of your primary network interface. Record this information. Start a snoop session on both systems, and monitor the output.
- Use the ping command to contact your partner’s system, and record the snoop output. On one system, mark the primary interface as down. Record the new ifconfig output for this interface. Use the ping command to contact that host, and record related snoop output.


Exercise: The Solaris OS Network Commands (Level 2)

In this exercise, you use basic network-related commands.

Preparation

To prepare for this exercise, perform the following tasks:

- Check that you have two systems listed in each /etc/inet/hosts file on each system.
- Work with a partner for this exercise, and perform all steps on both systems, unless noted otherwise.

Task Summary

Perform the following tasks:

- Allow the snoop utility to run through this exercise.
- Use the ifconfig -a command to list the IP address, Ethernet address, netmask, and current status of your primary network interface. Record this information. Start a snoop session on both systems, and monitor the output.
- Use the ping command to contact your partner’s system, and record the snoop output. On one system, mark the primary interface as down. Record the new ifconfig output for this interface. Use the ping command to contact that host, and record related snoop output including:
  - How many requests the ping command makes
  - What the ping command requests have in common


Tasks

Complete the following steps using the ifconfig utility, the ping command, and the snoop utility.

Note – Be sure to work closely with your partner during the lab to ensure you are both working on the same steps.

1. On both systems, log in as the root user, and open a terminal window. Using the ifconfig -a command, display basic configuration information about your network interfaces.

For your primary interface (usually hme0), what does the ifconfig command report for the following attributes? Enter your values into Table 1-2.

Table 1-2 Primary Interface Values

Attribute            Value
IP address
Ethernet address
Interface up/down

2. On both systems, open a new terminal window. In the new window, enter the snoop command to display the network traffic between your two systems only.

3. Use the ping command to verify that your system can contact the network interface on your partner’s system.

4. Observe the output from the snoop command. Which protocol does the ping command use?

Does the snoop output contain requests and replies (yes or no)?

Requests: Replies:

5. On one system, use the ifconfig command to mark its primary interface as down and then again to display its configuration information.

Has anything changed in the information that the ifconfig command reports?

________________________________________________


6. On the system whose interface remains up, attempt to use the ping command to contact the system whose interface is down.

What does the ping command report?

________________________________________________

7. Observe the output from the snoop utility on both systems. How does the snoop output differ from the ping command output before and after you marked the interface as down?

How many requests does the ping command send by default?

________________________________________________

Does the target system see the ping command requests? If so, how are these requests handled?

________________________________________________

8. On the system whose interface is down, use the ifconfig command to mark its primary interface as up. Check that the change took place.

9. On the system whose interface remained up, use the ping command to contact the other system.

What does the ping command report?

________________________________________________

Does the snoop utility report a reply from the target host?

________________________________________________


Exercise: The Solaris OS Network Commands (Level 3)

In this exercise, you use basic network-related commands.

Preparation

To prepare for this exercise, perform the following tasks:

- Check that you have two systems listed in each /etc/inet/hosts file on each system.
- Work with a partner for this exercise, and perform all steps on both systems, unless noted otherwise.

Task Summary

Complete the following steps:

- Allow the snoop utility to run through this exercise.
- Use the ifconfig -a command to list the IP address, Ethernet address, netmask, and current status of your primary network interface. Record this information. Start a snoop session on both systems, and monitor the output.
- Use the ping command to contact your partner’s system, and record the snoop output. On one system, mark the primary interface as down. Record the new ifconfig output for this interface. Use the ping command to contact that host, and record related snoop output including:
  - How many requests the ping command makes
  - What the ping command requests have in common


Tasks and Solutions

This section describes the tasks for you to perform, and lists the solutions. Complete the following steps using the ifconfig utility, the ping command, and the snoop utility.

Note – Be sure to work closely with your partner during the lab to ensure you are both working on the same steps.

1. On both systems, log in as the root user, and open a terminal window. Using the ifconfig -a command, display basic configuration information about your network interfaces.

For your primary interface (usually hme0), what does the ifconfig command report for the following attributes? Enter your values into Table 1-3.

2. On both systems, open a new terminal window. In the new window, enter the snoop command to display the network traffic between your two systems only.

# snoop host1 host2

3. Use the ping command to verify that your system can contact the network interface on your partner’s system.

# ping host

4. Observe the output from the snoop command. Which protocol does the ping command use?

ICMP

Does the snoop output contain requests and replies (yes or no)?

Requests: Yes Replies: Yes

Table 1-3 Primary Interface Values

Attribute            Value
IP address           It varies according to the system in use.
Ethernet address     It varies according to the system in use.
Interface up/down    The interface should be UP.

5. On one system, use the ifconfig command to mark its primary interface as down and then again to display its configuration information. Warn your lab partner that the system’s interface will go down.

# ifconfig hme0 down

# ifconfig hme0

Has anything changed in the information that the ifconfig command reports?

The ifconfig command no longer lists the interface as UP.

6. On the system whose interface remains up, attempt to use the ping command to contact the system whose interface is down.

What does the ping command report?

After a time-out period, the ping command reports no answer from host.

7. Observe the output from the snoop utility on both systems. How does the snoop output differ from the ping command output before and after you marked the interface as down?

The snoop utility only shows the ping command requests—no replies.

How many requests does the ping command send by default?

Twenty

Does the target system see the ping command requests? If so, how are these requests handled?

Yes it does, but it does not send a reply.

8. On the system whose interface is down, use the ifconfig command to mark its primary interface as up. Check that the change took place.

# ifconfig hme0 up

# ifconfig hme0

9. On the system whose interface remained up, use the ping command to contact the other system.

What does the ping command report?

The host is alive.

Does the snoop utility report a reply from the target host?

Yes.

Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

- Experiences
- Interpretations
- Conclusions
- Applications

Module 2

Describing the Client-Server Model

Objectives

The client-server model describes the communication process between two computers or programs. The client system makes a service request to the server system, then the server system fulfills the request. Although programs can use the client-server model internally in a single computer, the model is more widely used across a network. The client-server model provides a way to distribute services efficiently across multiple locations on a network.

Upon completion of this module, you should be able to:

- Describe client-server processes
- Start server processes

The course map in Figure 2-1 shows how this module fits into the current instructional goal.

Figure 2-1 Course Map

[Figure: course map for the instructional goal "Describing Network Basics," with the modules Describing Interface Configuration, Describing the Client-Server Model, and Customizing the Solaris™ Management Console]

Introducing Client-Server Processes

The client-server model describes network services and the client programs of those services. One example of the client-server relationship is the name server and resolver model of the DNS. Another example of the client and server relationship is the NFS.

Introducing Client Processes

Refer to Figure 2-2 for a client-server process relationship. The client is a host or a process that uses services from another host or program, known as a server. You can apply the client-server relationship to computer programs within a single computer or use the relationship across a network to make one application server a host to one or more application clients.

Figure 2-2 Client Processes

[Figure: three client-server pairs: File Server and Client, Name Server and Client, Print Server and Client]

Examples of clients in the Solaris 10 OS include the following:

- For name services, a client is a host system that uses either the NIS+, NIS, DNS, or LDAP name service lookup provided by the name service server.
- In file systems, the client is a system that remotely accesses the resources of a storage server, such as a server with large disk and network capacity.
- For applications, such as sendmail or calendar manager, the client accesses services from a server process.

Introducing Server Processes

The server is a host or a process that provides services to another program known as a client. Client-server computing is a key factor in supporting network computing. The client-server model on the network can be multilayered.

Refer to Figure 2-3 for an example of multiple hosts on a subnet that can be clients to a single storage host server. Multiple hosts serve as an interface to storage arrays. The storage clients rely on the storage server to access their data. In addition, one of the storage clients, such as a printer host, can be configured to act as the interface for network printers. To perform print operations from the storage host, the storage host must assume a print client role when communicating with the print server role of the printer host.

Figure 2-3 Server Processes

[Figure: network diagram with a Print Server attached to Printer A, Printer B, and Printer C; a Storage Server attached to Storage Array 1 and Storage Array 2; and Client 1, Client 2, Client 3, and Client 4]

Examples of servers in the Solaris 10 OS include the following:

- A host system providing name services to a network in NIS+, NIS, DNS, and LDAP.
- A host system providing disk space to the network, such as a server with large disk and network capacity.
- A host system providing windowing services to applications. The client and the server can run on the same system or on separate systems.
- A host system providing web services to client systems.

The Service Management Facility (SMF)

SMF provides a centralized configuration structure for managing system services and the interaction of a service with other services. SMF includes the following:

- A mechanism to establish and formalize dependency relationships between services.
- Information on procedures to start, stop, and restart services.
- A centralized repository for information on startup behavior and service status.
- A structured mechanism for Fault Management of system services.
- Detailed information about misconfigured services such as an explanation of why a service is not running.
- Individual log files for each service.

SMF Service

A service can be described as an entity which provides a resource or list of capabilities to applications and other services, both local and remote. A service is not necessarily a running process, such as a web server. A service can also be the software state of a device, such as a configured network device, or a mounted file system.

A system can have more than one occurrence of a service running. For example, a system can have more than one configured network interface, or more than one mounted file system.

Service Identifiers

Each instance of a service within SMF has a name which is referred to as a “Service Identifier.” This service identifier is in the form of a Fault Management Resource Identifier or FMRI. The FMRI indicates the type of service or category, and the name and instance of the service.

The service categories include the following:

- application
- device
- legacy
- milestone
- network
- platform
- site
- system

An example of an FMRI for a service instance is:

svc:/system/filesystem/root:default

Where:

- The prefix svc indicates that this service is managed by SMF
- The category of the service is system
- The service itself is a filesystem
- The instance of the service is the root file system
- The word default identifies the first, in this case only, instance of the service

Another example of an FMRI for a service is:

lrc:/etc/rc3_d/S90samba

Where:

- The prefix lrc (Legacy Run Control) indicates that this service currently is not managed by SMF
- The pathname /etc/rc3_d refers to the directory /etc/rc3.d where there is a script used to manage this service
- The name of the script is S90samba

Listing Service Information

Service instance names and the state of the service can be listed using the svcs command.

# svcs
STATE          STIME    FMRI
legacy_run     Feb_10   lrc:/etc/rc2_d/S10lu
legacy_run     Feb_10   lrc:/etc/rc2_d/S20sysetup
legacy_run     Feb_10   lrc:/etc/rc2_d/S90wbem
legacy_run     Feb_10   lrc:/etc/rc2_d/S99dtlogin
legacy_run     Feb_10   lrc:/etc/rc3_d/S81volmgt
(output removed)
online         Feb_10   svc:/system/system-log:default
online         Feb_10   svc:/system/fmd:default
online         Feb_10   svc:/system/console-login:default
online         Feb_10   svc:/network/smtp:sendmail
online         Feb_10   svc:/milestone/multi-user:default
online         Feb_10   svc:/milestone/multi-user-server:default
online         Feb_10   svc:/system/zones:default
offline        Feb_10   svc:/application/print/ipp-listener:default
offline        Feb_10   svc:/application/print/rfc1179:default
maintenance    10:24:15 svc:/network/rpc/spray:default

Service States

The svcs command can be used to list service identifiers and the state of the service instance. A service can be either enabled or disabled. Service states can include the following:

- online
  The service instance is enabled and has successfully started.

- offline
  The service instance is enabled, but the service is not yet running or available to run.

- disabled
  The service instance is not enabled and is not running.

- legacy_run
  The legacy service is not managed by SMF, but the service can be observed. This state is only used by legacy services.

- uninitialized
  This state is the initial state for all services before their configuration has been read.

- maintenance
  The service instance has encountered an error that must be resolved by the administrator.

- degraded
  The service instance is enabled, but is running at a limited capacity.
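
The FMRI forms and service states described above can be checked mechanically. The following is an added example, not part of the student guide: it splits svc: and lrc: identifiers into their parts and reports the instances whose state calls for attention. The function names, the "|" output layout, and the sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the student guide): triage svcs output and split
# each FMRI into its parts. Names and output layout are this example's own.

# Constructed sample in the STATE / STIME / FMRI layout of the svcs listing.
sample_svcs() {
cat <<'EOF'
STATE          STIME    FMRI
legacy_run     Feb_10   lrc:/etc/rc2_d/S90wbem
legacy_run     Feb_10   lrc:/etc/rc3_d/S81volmgt
online         Feb_10   svc:/system/system-log:default
online         Feb_10   svc:/network/smtp:sendmail
online         Feb_10   svc:/system/filesystem/root:default
offline        Feb_10   svc:/application/print/rfc1179:default
maintenance    10:24:15 svc:/network/rpc/spray:default
EOF
}

# parse_fmri FMRI
# Prints "scheme|category|service|instance"; returns 1 for an unknown prefix.
parse_fmri() {
    fmri=$1
    case $fmri in
    svc:/*)
        rest=${fmri#svc:/}                  # system/filesystem/root:default
        case $rest in
        *:*) instance=${rest##*:}; rest=${rest%:*} ;;
        *)   instance=- ;;                  # FMRI given without an instance
        esac
        case $rest in
        */*) category=${rest%%/*}; service=${rest#*/} ;;
        *)   category=-; service=$rest ;;
        esac
        printf '%s|%s|%s|%s\n' svc "$category" "$service" "$instance"
        ;;
    lrc:/*)
        path=${fmri#lrc:}                   # /etc/rc3_d/S90samba
        dir=${path%/*}
        script=${path##*/}
        case $dir in
        *_d) dir=${dir%_d}.d ;;             # rc3_d names the directory rc3.d
        esac
        printf '%s|%s|%s|%s\n' lrc legacy "$dir/$script" -
        ;;
    *)
        return 1
        ;;
    esac
}

# triage: reads svcs output on stdin and prints one line per instance that
# is not simply online or disabled: "state|scheme|category|service|instance|note"
triage() {
    while read -r state stime fmri; do
        case $state in
        maintenance) note='error must be resolved by the administrator' ;;
        degraded)    note='enabled, running at limited capacity' ;;
        offline)     note='enabled, not yet running' ;;
        legacy_run)  note='rc script observed, not managed by SMF' ;;
        *)           continue ;;            # header, online, disabled, ...
        esac
        parsed=$(parse_fmri "$fmri") || continue
        printf '%s|%s|%s\n' "$state" "$parsed" "$note"
    done
    return 0
}

# Demonstration on the constructed sample.
sample_svcs | triage
```

On a Solaris 10 host the same function reads live data with `svcs -a | triage`.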

Milestones

A milestone is a special type of service which is made up of a defined set of other services.

A milestone can be regarded as a system state to reach. This system state requires a defined set of services to be running. These services depend on other services being available. Hence, there is a hierarchy of dependency relationships. This is one of the core features managed by SMF. Currently there are 6 milestones.

- single-user
- multi-user
- multi-user-server
- network
- name-services
- sysconfig
- devices

Figure 2-4 shows the relationship between a milestone and services.

Figure 2-4 SMF Milestone and Services

[Figure: hierarchy diagram. Labels, top to bottom: milestone; network, system, application; name-services, net-physical, filesystem, print, X11; /, /usr, /var]

Figure 2-5 shows an example of the dependency relationships.

Figure 2-5 SMF Dependency Relationships

[Figure: dependency diagram. Labels: milestone multiuser; the manifest files multi-user-server.xml, multi-user.xml, and single-user.xml under /var/svc/manifest/milestone/, each with a dependency list; exec /sbin/rc3; multi-user milestone; single-user milestone; name-services milestone; filesystem; /var/svc/manifest/system/filesystem/local-fs.xml; method /lib/svc/method/fs-local]

To determine the current milestones:

# svcs | grep milestone
online         9:58:42 svc:/milestone/name-services:default
online         9:58:53 svc:/milestone/network:default
online         9:58:54 svc:/milestone/devices:default
online         9:59:09 svc:/milestone/single-user:default
online         9:59:13 svc:/milestone/sysconfig:default
online         9:59:42 svc:/milestone/multi-user:default
online         9:59:51 svc:/milestone/multi-user-server:default

The svc.startd Daemon

The svc.startd is the daemon which is responsible for maintaining the system services. It is svc.startd which ensures that the system boots to the appropriate milestone. If no milestone is specified at boot up, svc.startd boots to the built-in milestone “all” which includes all the system services.

Currently the milestones that can be used at boot time are:

- none
- single-user
- multi-user
- multi-user-server
- all

In order to boot the system to a specific milestone, the -m option is passed to the boot command from OBP.

ok> boot -m milestone=single-user

The svc.startd daemon can be referred to as the master restarter daemon because it is responsible for ensuring the correct running, starting, and restarting of system services. The svc.startd daemon can obtain information about services from the repository.

The svc.startd daemon is able to delegate responsibility for services to other delegated restarter daemons, for example, the inetd daemon.

The Service Configuration Repository

The repository database stores information about the state of each service instance. It also stores configuration information about the services and system. The repository is distributed among local memory and local disk-based files. The disk-based database is /etc/svc/repository.db.

This file can only be manipulated using the SMF interface utilities svccfg and svcprop.

The repository is managed by the svc.configd daemon. The svc.configd daemon backs up the repository before applying any changes issued by the SMF commands and utilities. These backup copies of the repository ensure that fallback is possible.

A corrupt repository will prevent the system from booting. A corrupt repository can be repaired by booting the system to single user, and running the command:

# /lib/svc/bin/restore_repository

and following the instructions.

Starting Server Processes

To start services for server processes, you must know which files to use for automatic service configuration. You must also know how to manually start the services.

Introducing the Internet Service Daemon (inetd)

The inetd daemon is a special network process that runs on each system and starts server processes that do not automatically start at boot time. The inetd daemon is the server process for both the standard Internet services and Sun Remote Procedure Call (Sun RPC) services. The inetd daemon starts at boot time by svc.startd. There is a legacy configuration file for inetd, /etc/inet/inetd.conf. Services listed in this file are imported into the Service Management Facility (SMF) by the inetconv command. Once the inetd.conf file has been converted, use the inetadm command to alter the characteristics of an inet service. Some services will allow you to change them with inetadm or svcadm, such as the spray service.

The Impact of SMF on Network Services

The SMF has a major impact on network services in that each service can be independently enabled or disabled using the inetadm command.

For example, consider the telnet facility:

# inetadm -l telnet
SCOPE    NAME=VALUE
         name="telnet"
         endpoint_type="stream"
         proto="tcp6"
         isrpc=FALSE
         wait=FALSE
         exec="/usr/sbin/in.telnetd"
         user="root"
default  bind_addr=""
default  bind_fail_max=-1
default  bind_fail_interval=-1
(output omitted)

The various parameters and values can be set using the inetadm command. The values can then be stored in the appropriate SMF reference files for each service. Changes can be maintained across system reboots.

To see whether or not the telnet facility is enabled, use the following command:

# inetadm | grep telnet

enabled online svc:/network/telnet:default

To disable the telnet facility:

# inetadm -d telnet

# inetadm | grep telnet

disabled disabled svc:/network/telnet:default

To enable the telnet facility:

# inetadm -e telnet

# inetadm | grep telnet

enabled online svc:/network/telnet:default

To list the current state of all network facilities:

# inetadm
ENABLED   STATE      FMRI
enabled   online     svc:/network/rpc/gss:default
enabled   online     svc:/network/rpc/mdcomm:default
enabled   online     svc:/network/rpc/meta:default
enabled   online     svc:/network/rpc/metamed:default
enabled   online     svc:/network/rpc/metamh:default
disabled  disabled   svc:/network/rpc/rex:default
enabled   online     svc:/network/rpc/rstat:default
enabled   online     svc:/network/rpc/rusers:default
disabled  disabled   svc:/network/rpc/spray:default
disabled  disabled   svc:/network/rpc/wall:default
enabled   online     svc:/network/security/ktkt_warn:default
disabled  disabled   svc:/network/tname:default
enabled   online     svc:/network/telnet:default
enabled   online     svc:/network/nfs/rquota:default
disabled  disabled   svc:/network/chargen:dgram
disabled  disabled   svc:/network/chargen:stream
disabled  disabled   svc:/network/daytime:dgram
disabled  disabled   svc:/network/daytime:stream
disabled  disabled   svc:/network/discard:dgram
disabled  disabled   svc:/network/discard:stream
disabled  disabled   svc:/network/echo:dgram
disabled  disabled   svc:/network/echo:stream
disabled  disabled   svc:/network/time:dgram
disabled  disabled   svc:/network/time:stream
enabled   online     svc:/network/ftp:default
disabled  disabled   svc:/network/comsat:default
enabled   online     svc:/network/finger:default
disabled  disabled   svc:/network/login:eklogin
disabled  disabled   svc:/network/login:klogin
enabled   online     svc:/network/login:rlogin
disabled  disabled   svc:/network/rexec:default
enabled   online     svc:/network/shell:default
disabled  disabled   svc:/network/shell:kshell
disabled  disabled   svc:/network/talk:default
(output omitted)

Note – When a network service is affected, any related services are also affected. By disabling one service, a number of other services may become unavailable.
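
A review pass over the inetadm listing above, as an added example that is not part of the student guide: it reports enabled inetd services that carry credentials in cleartext or rely on host-based trust, and prints (without running) the inetadm -d command for each, so that dependent services can be checked first. The review list, the function names, and the sample lines are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the student guide): flag enabled inetd services
# that a hardening review would normally question.

# Constructed sample in the ENABLED / STATE / FMRI layout of inetadm output.
sample_inetadm() {
cat <<'EOF'
ENABLED   STATE      FMRI
enabled   online     svc:/network/rpc/rstat:default
disabled  disabled   svc:/network/rpc/spray:default
enabled   online     svc:/network/telnet:default
enabled   online     svc:/network/ftp:default
enabled   online     svc:/network/finger:default
disabled  disabled   svc:/network/login:klogin
enabled   online     svc:/network/login:rlogin
disabled  disabled   svc:/network/rexec:default
enabled   online     svc:/network/shell:default
disabled  disabled   svc:/network/shell:kshell
EOF
}

# reason_for SERVICE:INSTANCE
# The review list is an assumption of this example; adjust it to site policy.
reason_for() {
    case $1 in
    telnet:*)      echo 'cleartext remote login' ;;
    ftp:*)         echo 'cleartext credentials and data' ;;
    login:rlogin)  echo 'cleartext rlogin with .rhosts trust' ;;
    shell:default) echo 'rsh with host-based trust' ;;
    rexec:*)       echo 'cleartext password on the wire' ;;
    finger:*)      echo 'discloses account information' ;;
    *)             return 1 ;;
    esac
}

# audit_inetadm: reads inetadm output on stdin, prints "FMRI|STATE|reason"
# for every enabled instance on the review list.
audit_inetadm() {
    while read -r enabled state fmri; do
        [ "$enabled" = enabled ] || continue      # skips header and disabled
        short=${fmri#svc:/network/}                # telnet:default
        why=$(reason_for "$short") || continue
        printf '%s|%s|%s\n' "$fmri" "$state" "$why"
    done
    return 0
}

# remediation: reads inetadm output on stdin and prints the commands that
# would disable each finding. Nothing is executed.
remediation() {
    audit_inetadm | while IFS='|' read -r fmri state why; do
        printf 'inetadm -d %s   # %s\n' "$fmri" "$why"
    done
}

# Demonstration on the constructed sample.
sample_inetadm | remediation
```

On a Solaris 10 host, `inetadm | remediation` produces the same report from live data.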

Introducing Network Ports

Network ports help transport protocols distinguish between multiple service requests arriving at a given host computer. The TCP and UDP transport protocols identify ports using a positive integer between 1 and 65535, which is called a port number. Network ports can be divided into two categories, well-known ports and ephemeral (short-lived) ports.

Port Numbers

There are two fundamental approaches to port assignments:

- Central authority:
  - All users must agree to allow the central authority to assign all port numbers.
  - The central authority is responsible for publishing the list of port number assignments, called well-known port assignments.
  - Well-known port assignments dictate software requirements on a system.

Note – See http://www.iana.org/assignments/port-numbers as the Central Authority.

- Dynamic binding:
  - The ports are unknown to the client in advance. The system software dynamically assigns ports to the programs that require them.
  - To obtain the current port assignments on any computer, the software generates a request to the target machine for the port number information. The target machine then responds with the port number.
  - These port number assignments are considered ephemeral since assignments are short lived, only lasting until the system is rebooted.

Many system applications support network services. Each network service uses a port that represents an address space reserved for that service. If a port number is not pre-assigned, the operating system allows an application to choose an unused port number. A client often communicates with a server through a well-known port. Well-known ports are stored in the /etc/inet/services file. To view the well-known port that the telnet service uses, perform the command:

# grep telnet /etc/inet/services

telnet 23/tcp

This example shows that the telnet service uses well-known port 23 and uses the TCP protocol.

Starting Services That Use a Well-Known Port

Services following the central authority approach that use a well-known port include:

- Services that start by default at system boot time
- Services that do not start automatically at boot, and must start on demand

Starting Well-Known Services at Boot Time

One of the well-known services that starts at boot time is the sendmail process. The sendmail process uses well-known port 25 to perform network services for email using the Simple Mail Transport Protocol (SMTP). You can confirm that the name has been translated to the port number by searching for the mail entry in the /etc/inet/services file. To confirm the translation, perform the command:

# grep mail /etc/inet/services

smtp 25/tcp mail

The sendmail process is initialized by the startup script /lib/svc/method/smtp-sendmail when you boot the Solaris 10 OS. Because the sendmail process uses port 25, the sendmail process starts listening at port 25 for incoming mail activity soon after start up. There is no need for the inetd daemon to listen at port 25 for incoming sendmail requests or to start sendmail, because the sendmail process is already running.

Starting Well-Known Services on Demand

The telnet service is a well-known service that does not automatically start at boot time. Figure 2-6 shows the process by which well-known services are started on demand. The telnet service uses the inetd daemon to listen for network requests, so that the telnet service does not have to continually run on the system. When the inetd daemon receives a network request at a port, it uses the information listed in the /etc/inet/services file to determine which service to start.

Figure 2-6 Requesting a Well-Known Service

[Figure: timeline of a telnet connection between sys41 (Client) and sys42 (Server), with numbered steps 1 through 8. Labels: telnet sys42; port 23; inetd; in.telnetd; in.telnetd (port nnnnn); Traffic on nnnnn; nnnnn = port number; Time]

The steps to connect to the telnet service are:

1. The initiating host sys41 executes the network service to request a connection to the receiving host sys42 by executing the telnet sys42 command.

2. The telnet service is a well-known service. The port for this service is port 23.

3. The telnet packet requesting a connection goes to port 23 on the host sys42.

4. Initially, the inetd daemon listens at port 23 for the telnet service. The telnet sys42 command on sys41 generates a request to port 23 that inetd recognizes as a telnet request because of the configuration entry in the /etc/inet/services file.

5. The telnet service does not continuously run on a system waiting for a connection. The inetd daemon must start the telnet service dynamically on demand.

6. The inetd daemon executes the in.telnetd process. The in.telnetd daemon takes control of the current telnet session’s communication.

7. The in.telnetd daemon receives this session’s traffic and runs on port 23 until this telnet session ends.

Note – The inetd daemon continues to listen for new service requests.


Starting RPC Services

RPC services are services developed using a set of utilities developed by Sun Microsystems, Inc. While RPC services are assigned a unique program number by the programmer when they are written, the RPC services are not typically assigned to well-known ports.

Types of RPC services that follow the dynamic binding approach include:

- Services that start by default at system boot time

- Services that do not start automatically at boot and must start on demand

Starting RPC Services at Boot Time

RPC services started at boot time with startup scripts run on available ports above 32768. The rpcbind process associates RPC program numbers with port numbers. The rpcbind service must be running on the server system for you to make RPC requests to the server. When an RPC service starts at boot, it communicates the following information to the rpcbind process:

- The port with which it is associated

- The RPC program number

If a client wants to make an RPC call to a given program number, it must first contact the rpcbind service on the server machine to obtain the port address before it can send the RPC requests. If the RPC service has registered its current port number with the rpcbind daemon during startup, the current port number of the RPC service is returned to the client.

When you boot the Solaris 10 OS, the /lib/svc/method/rpc-bind startup script initializes the rpcbind service. The port number used by the rpcbind daemon is listed in the /etc/inet/services file. After the system starts up, the rpcbind daemon starts listening at port 111. To view the port number and protocol, perform the command:

# grep rpcbind /etc/services

sunrpc 111/udp rpcbind

sunrpc 111/tcp rpcbind


Starting RPC Services on Demand

Some rpcbind services start only on demand. The port numbers are registered with the rpcbind process during boot. Figure 2-7 shows the steps involved in requesting an RPC port address. When a client application requests a service, the rpcbind process returns the port number of the service to the client machine. The client machine generates a new request using the port number that it just received for the requested service.

Figure 2-7 Requesting an RPC Address

[Diagram labels: Host1 (Client), spray host2; Host2 (Server), Start rpcbind (port 111), rpcbind, inetd, spray/1 ... rpc.sprayd, rpc.sprayd (port nnnnn); numbered steps 1 through 6; Time axis; n = port number]


RPC services on demand, such as the sprayd service, are implemented as follows:

1. The rpcbind daemon is started on all systems by a startup script. The sprayd service is listed in the /etc/rpc file and registers its current port assignment and program number with the rpcbind process during boot.

2. A user on host1 issues a spray command to host2. The spray request is initially addressed to port 111 and contains the program number of the sprayd service.

3. The rpcbind daemon on the host2 server reads the program number and determines that the request is for the sprayd service. The rpcbind daemon returns the current port number of the sprayd service to the host1 client.

4. The host1 client sends a second request to the port number of the sprayd service on the host2 server. The inetd daemon receives the request.

5. This rpc.sprayd daemon takes over the spray session’s communication.
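
The port lookup in steps 2 and 3, written out at the wire level as an added example (not part of the student guide). It assumes the version 2 portmapper GETPORT procedure defined in RFC 1833; the rpcbind side is a simplified stand-in that keeps its registrations in a dictionary, and port 32777 is the sample sprayd port from this guide's rpcinfo output.

```python
"""rpcbind GETPORT exchange (portmapper protocol, version 2), built by hand."""
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3  # rpcbind program, v2, proc 3
RPC_VERSION = 2
CALL, REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
AUTH_NONE = 0
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_getport_call(xid, prognum, versnum, proto=IPPROTO_UDP):
    """Client side: the request that is addressed to port 111."""
    header = struct.pack(">6I", xid, CALL, RPC_VERSION,
                         PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack(">4I", AUTH_NONE, 0, AUTH_NONE, 0)  # empty cred + verifier
    args = struct.pack(">4I", prognum, versnum, proto, 0)  # port is unused in a query
    return header + auth + args


def _skip_opaque_auth(data, offset):
    """Step over one (flavor, length, padded body) authentication field."""
    _flavor, length = struct.unpack_from(">2I", data, offset)
    return offset + 8 + ((length + 3) & ~3)


def answer_getport(call, registry):
    """Server side (simplified model): look the program up and build the reply."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", call, 0)
    expected = (CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    if (mtype, rpcvers, prog, vers, proc) != expected:
        raise ValueError("not a portmapper v2 GETPORT call")
    offset = _skip_opaque_auth(call, 24)      # credentials
    offset = _skip_opaque_auth(call, offset)  # verifier
    prognum, versnum, proto, _port = struct.unpack_from(">4I", call, offset)
    port = registry.get((prognum, versnum, proto), 0)  # 0 means "not registered"
    return struct.pack(">7I", xid, REPLY, MSG_ACCEPTED,
                       AUTH_NONE, 0, SUCCESS, port)


def parse_getport_reply(reply, expected_xid):
    """Client side: return the registered port, or None if rpcbind answered 0."""
    try:
        xid, mtype, reply_stat = struct.unpack_from(">3I", reply, 0)
        if xid != expected_xid or mtype != REPLY:
            raise ValueError("reply does not match the outstanding call")
        if reply_stat != MSG_ACCEPTED:
            raise ValueError("call was rejected by the server")
        offset = _skip_opaque_auth(reply, 12)
        accept_stat, port = struct.unpack_from(">2I", reply, offset)
    except struct.error as exc:
        raise ValueError("truncated RPC reply") from exc
    if accept_stat != SUCCESS:
        raise ValueError("server could not execute the call")
    if port > 65535:
        raise ValueError("port value out of range")
    return port or None


def demo():
    """Look up sprayd (program 100012, version 1, UDP) before and after removal."""
    registry = {(100012, 1, IPPROTO_UDP): 32777}  # constructed registration table
    call = build_getport_call(0x1234, 100012, 1)
    before = parse_getport_reply(answer_getport(call, registry), 0x1234)
    del registry[(100012, 1, IPPROTO_UDP)]        # effect of: rpcinfo -d 100012 1
    after = parse_getport_reply(answer_getport(call, registry), 0x1234)
    return before, after


if __name__ == "__main__":
    print(demo())
```

A port of 0 in the reply is how the lookup reports that nothing is registered for the requested program number.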


Using the rpcinfo Commands

The rpcinfo command makes an RPC call to an RPC server, and reports what it finds. Two frequently used options to the rpcinfo command are -p and -d.

Listing Registered RPC Services

To list all the services registered with the rpcbind process, enter the rpcinfo command as follows:

rpcinfo -p [ host ]

For example:

# rpcinfo -p

program vers proto port service

100000 4 tcp 111 rpcbind

100000 3 tcp 111 rpcbind

100000 2 tcp 111 rpcbind

100000 4 udp 111 rpcbind

100000 3 udp 111 rpcbind

100000 2 udp 111 rpcbind

100232 10 udp 32772 sadmind

100083 1 tcp 32771

...

<output truncated>

...

This command returns a columnar output that includes the:

- Program number

- Version number of the RPC program number

- RPC protocol

- Port number

- RPC service

Note – Using the rpcinfo -p host command returns information about registered RPC services on the specified host. Using the rpcinfo -p .host command forces rpcinfo to look at localhost if hostname and nodename are different.
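
A way to audit what the rpcinfo -p listing shows, as an added example that is not part of the student guide: it parses the columnar output, reports registrations that carry no service name, and compares two listings to show services that were unregistered or that came back on a different port. The snapshots are constructed from the sample rows in this guide, and the function names are hypothetical.

```python
"""Parse `rpcinfo -p` output and compare two listings of registered RPC services."""
from collections import namedtuple

Registration = namedtuple("Registration", "program version proto port service")

# Constructed snapshot, built from the sample rows shown in this guide.
BEFORE = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100232   10   udp  32772  sadmind
    100083    1   tcp  32771
    100012    1   udp  32777  sprayd
"""
# Same host after `rpcinfo -d 100012 1`: the sprayd row is gone.
UNREGISTERED = "\n".join(l for l in BEFORE.splitlines() if "sprayd" not in l)
# Same host after the spray service is re-enabled: new port, same program number.
RESTARTED = BEFORE.replace("32777", "32841")


def parse_rpcinfo(text):
    """Return a Registration for every data row; skip headers and filler lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # A data row has program, version, protocol and port; the service name
        # is optional (the listing in this guide has one row without a name).
        if len(fields) < 4 or not (fields[0].isdigit() and fields[1].isdigit()
                                   and fields[3].isdigit()):
            continue
        service = fields[4] if len(fields) > 4 else None
        rows.append(Registration(int(fields[0]), int(fields[1]),
                                 fields[2], int(fields[3]), service))
    return rows


def unnamed(rows):
    """Registrations with no service name: look the program number up in /etc/rpc."""
    return [r for r in rows if r.service is None]


def diff_registrations(baseline, current):
    """Compare two listings, keyed by (program, version, protocol)."""
    def index(rows):
        return {(r.program, r.version, r.proto): r for r in rows}

    old, new = index(baseline), index(current)
    return {
        "added": [new[k] for k in sorted(new.keys() - old.keys())],
        "removed": [old[k] for k in sorted(old.keys() - new.keys())],
        "moved": [(old[k], new[k]) for k in sorted(old.keys() & new.keys())
                  if old[k].port != new[k].port],
    }


if __name__ == "__main__":
    base = parse_rpcinfo(BEFORE)
    print("no service name:", unnamed(base))
    for label, text in (("after rpcinfo -d", UNREGISTERED),
                        ("after re-enable", RESTARTED)):
        print(label, diff_registrations(base, parse_rpcinfo(text)))
```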


Deleting RPC Service Registration

To unregister the RPC service given a specified prognum (program number) and versnum (version number), perform the rpcinfo command:

rpcinfo -d prognum versnum

For example:

# rpcinfo -d 100012 1

This command unregisters the RPC service with program number 100012 and version number 1.

Note – When using the rpcinfo -d command to unregister an RPC service, the RPC service can be identified using either the service name or the program number.

The deleted RPC service that uses program number 100012 is sprayd. To register the sprayd service again, restart the inetd daemon as follows:

# svcadm disable svc:/network/rpc/spray:udp

# svcadm enable svc:/network/rpc/spray:udp


Performing the Exercises

You have the option to complete any one of three versions of a lab. To decide which to choose, consult the following descriptions of the levels:

- Level 1 – This version of the lab provides the least amount of guidance. Each bulleted paragraph provides a task description, but you must determine your own way of accomplishing each task.

- Level 2 – This version of the lab provides more guidance. Although each step describes what you should do, you must determine which commands (and options) to input.

- Level 3 – This version of the lab is the easiest to accomplish because each step provides exactly what you should input to the system. This level also includes the task solutions for all three levels.


Exercise: Observing the Solaris OS Network (Level 1)

In this exercise, you use basic, network-related commands to observe the inetd daemon and the rpcbind services.

Preparation

To prepare for this exercise, perform the following tasks:

- Check that you have two systems listed in the /etc/hosts file on each system.

- Verify entries for the root user in the /etc/ftpd/ftpusers file to ensure that the root user is not restricted from using the FTP service on both systems.

- Work with a partner for this exercise, and perform all steps on both systems, unless noted otherwise.

- Ensure that the sprayd process is running by issuing the following command:

# inetadm -e svc:/network/rpc/spray:default

Tasks

Perform the following tasks:

- Monitor the network traffic throughout the exercise.

- Check that the FTP application is listed in the /etc/inetd.conf file and the /etc/services file. Record the name of the FTP server daemon. On both systems, check if the FTP application or server daemon is running. Use one system as the FTP client and the other as the FTP server. Establish an FTP connection, and check again for ftp command-related applications and daemons. Record your observations. Terminate your FTP connection.


- Check the port number assigned to the rpcbind service to make sure that it is a well-known port. Record the port number. Check and record the port number and program number assigned to the sprayd daemon. Check that your partner’s system can contact your system using the sprayd daemon. Unregister the sprayd service. Check that the service has unregistered.

- Check that the sprayd daemon does not function from your partner’s system to your system. Restart the sprayd service, and check that the sprayd service is again a registered service, and that the sprayd service functions correctly between the two systems. Check the new port number assigned to the sprayd service and the program number that it uses.


Exercise: Observing the Solaris OS Network (Level 2)

In this exercise, you use basic, network-related commands to observe the inetd daemon and the rpcbind services.

Preparation

To prepare for this exercise, perform the following tasks:

- Check that you have two systems listed in the /etc/hosts file on each system.

- Verify entries for the root user in the /etc/ftpd/ftpusers file to ensure that the root user is not restricted from using the FTP service on both systems.

- Work with a partner for this exercise, and perform all steps on both systems, unless noted otherwise.

- Ensure that the sprayd process is running by issuing the following command:

# inetadm -e svc:/network/rpc/spray:default

Task Summary

Perform the following tasks:

- Monitor the network traffic throughout the exercise.

- Check that the FTP application is listed in the /etc/inetd.conf file and the /etc/services file. Record the name of the FTP server daemon. On both systems, check if the FTP application or server daemon is running. Use one system as the FTP client and the other as the FTP server. Establish an FTP connection, and check again for ftp command-related applications and daemons. Record your observations. Terminate your FTP connection.


- Check the port number assigned to the rpcbind service to make sure that it is a well-known port. Record the port number. Check and record the port number and program number assigned to the sprayd daemon. Check that your partner’s system can contact your system using the sprayd daemon. Unregister the sprayd service. Check that the service has unregistered.

- Check that the sprayd daemon does not function from your partner’s system to your system. Restart the sprayd service, and check that the sprayd service is again a registered service, and that the sprayd service functions correctly between the two systems. Check the new port number assigned to the sprayd service and the program number that it uses.

Tasks

Perform the following tasks.

Task 1 – Interaction Between the inetd Daemon and the FTP Application

You must use two additional windows on the FTP client host for this section of the exercise. Complete the following steps:

1. In a dedicated terminal window, open a snoop session between the two hosts used during this exercise. This snoop session should remain active throughout this exercise.

2. Display the entry for the FTP application in the /etc/inetd.conf file, and record the name of the server daemon that is listed.

3. Check that the FTP application is a service with a well-known port listed in the /etc/services file.

Is it listed?

_____________________________________________________________

4. Use the pgrep command to check if the ftp daemon is currently running.

Is it running?

_____________________________________________________________

Note – Determine which system acts as the FTP client and which acts as the FTP server.


5. On the FTP client, in one window, establish an FTP connection to the FTP server.

6. On the FTP client in another window, check for daemons or applications related to the FTP service.

What does the pgrep command report?

_____________________________________________________________

7. On the FTP server, in an available window, check for daemons and applications related to the FTP service.

What does the pgrep command display?

_____________________________________________________________

8. On the FTP client, terminate your FTP connection to the server.

9. On both the FTP server and client, check for FTP-related daemons and applications.

What does the pgrep command display?

_____________________________________________________________

10. Observe the output from the snoop utility on both systems. What FTP-related login information does the snoop command display?

_____________________________________________________________

11. Change the client-server roles of the two systems, and repeat step 4 through step 9.


Task 2 – The rpcbind Service Operations

Complete the following steps:

1. Use the rpcinfo command to display information for the rpcbind process.

Which port number does the rpcbind process use?

_____________________________________________________________

Which protocols does the rpcbind process use?

_____________________________________________________________

2. Check that the rpcbind service is listed in the /etc/services file, and that the listed port number matches the output from the rpcinfo command in the previous step.

Does it?

_____________________________________________________________

3. Use the rpcinfo command to display information for the sprayd service.

Which port number is the sprayd service using?

_____________________________________________________________

Which program number is the sprayd service using?

_____________________________________________________________

4. Check the /etc/services file to determine if the sprayd service has been assigned a well-known port number.

Has it?

_____________________________________________________________

5. Check the /etc/rpc file to see if the sprayd service is listed.

Is it listed?

_____________________________________________________________

6. Check that your system will respond to the sprayd service requests. Have your partner run the spray command, and specify your system as the target.

7. Use the rpcinfo command to unregister the sprayd service’s port number. Check that the sprayd service is no longer listed as a registered port number.


8. Have your partner run the spray command, and specify your system as the target again.

What message does the spray command return?

_____________________________________________________________

9. Use the inetadm command to re-enable the full spray service.

10. Verify that the sprayd service is listed as a registered service.

What port number is the sprayd service using now?

_____________________________________________________________

Is the program number used by the sprayd service the same as the program number that was listed in step 3?

_____________________________________________________________

11. To check that the sprayd service can now contact your system, have your partner run the spray command, and specify your system as the target.

12. Stop the snoop processes running on both systems.


Exercise: Observing the Solaris OS Network (Level 3)

In this exercise, you use basic, network-related commands to observe the inetd daemon and the rpcbind services.

Preparation

To prepare for this exercise, perform the following tasks:

- Check that you have two systems listed in the /etc/hosts file on each system.

- Verify entries for the root user in the /etc/ftpd/ftpusers file to ensure that the root user is not restricted from using the FTP service on both systems.

- Work with a partner for this exercise, and perform all steps on both systems, unless noted otherwise.

- Ensure that the sprayd process is running by issuing the following command:

# inetadm -e svc:/network/rpc/spray:default

Task Summary

Perform the following tasks:

- Monitor the network traffic throughout the exercise.

- Check that the FTP application is listed in the /etc/inetd.conf file and the /etc/services file. Record the name of the FTP server daemon. On both systems, check if the FTP application or server daemon is running. Use one system as the FTP client and the other as the FTP server. Establish an FTP connection, and check again for ftp command-related applications and daemons. Record your observations. Terminate your FTP connection.


- Check the port number assigned to the rpcbind service to make sure that it is a well-known port. Record the port number. Check and record the port number and program number assigned to the sprayd daemon. Check that your partner’s system can contact your system using the sprayd daemon. Unregister the sprayd service. Check that the service has unregistered.

- Check that the sprayd daemon does not function from your partner’s system to your system. Restart the sprayd service, and check that the sprayd service is again a registered service, and that the sprayd service functions correctly between the two systems. Check the new port number assigned to the sprayd service and the program number that it uses.

Tasks and Solutions

This section describes the tasks for you to perform and lists the solutions.

Task 1 – Interaction Between the inetd Daemon and the FTP Application

You must use two additional windows on the FTP client host for this section of the exercise. Complete the following steps:

1. In a dedicated terminal window, open a snoop session between the two hosts used during this exercise. This snoop session should remain active throughout this exercise.

# snoop host1 host2

2. Check that the FTP application is a service with a well-known port listed in the /etc/services file.

# grep ftp /etc/services

ftp-data 20/tcp

ftp 21/tcp

tftp 69/udp

Is it listed?

Yes. It uses port 21.


3. Use the pgrep command to check if the ftp daemon is currently running.

# pgrep -xl ftpd

#

Is it running?

No. It should not be running yet.

Note – Determine which system acts as the FTP client and which acts as the FTP server. On the FTP server, you must comment out the root entry in the /etc/ftpd/ftpusers file.

4. On the FTP client, in one window, establish an FTP connection to the FTP server.

# ftp host1

Connected to host1.

220 host1 FTP server ready.

Name (host1:root):root

331 Password required for root.

Password:xxxxxxx

230 User root logged in.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp>

5. On the FTP client in another window, check for daemons or applications related to the FTP service.

# pgrep -l ftp

nnn ftp

What does the pgrep command display?

The pgrep command should list the FTP application if the system is acting as an FTP client.

6. On the FTP server, in an available window, check for daemons and applications related to the FTP service.

# pgrep -l ftp

nnnn in.ftpd

What does the pgrep command display?

The pgrep command should list the in.ftpd daemon if the system is acting as an FTP server.


7. On the FTP client, terminate your FTP connection to the server.

ftp> bye

8. On both the FTP server and FTP client, check for FTP-related daemons and applications.

# pgrep -l ftp

What does the pgrep command report?

Nothing. Both the FTP application and FTP server daemon have terminated.

9. Observe the output from the snoop utility on both systems. What FTP-related login information does the snoop command display?

The login name and password in clear text.

10. Change the client-server roles of the two systems, and repeat step 5 through step 9.

Task 2 – The rpcbind Service Operations

Complete the following steps:

1. Use the rpcinfo command to display information for the rpcbind process.

# rpcinfo -p |grep rpcbind

100000 4 tcp 111 rpcbind

100000 3 tcp 111 rpcbind

100000 2 tcp 111 rpcbind

100000 4 udp 111 rpcbind

100000 3 udp 111 rpcbind

100000 2 udp 111 rpcbind

Which port number does the rpcbind process use?

111

Which protocols does the rpcbind process use?

Both TCP and UDP.

2. Check that the rpcbind service is listed in the /etc/services file, and that the listed port number matches the output from the rpcinfo command in step 1.

# grep rpcbind /etc/services

sunrpc 111/udp rpcbind

sunrpc 111/tcp rpcbind

Does it?

Yes


3. Use the rpcinfo command to display information for the sprayd service.

# rpcinfo -p |grep sprayd

100012 1 udp 32777 sprayd

Which port number is the sprayd service using?

It varies among different systems.

Which program number is the sprayd service using?

100012

4. Check the /etc/services file to determine if the sprayd service has been assigned a well-known port number.

# grep sprayd /etc/services

#

Has it?

No

5. Check the /etc/rpc file to see if the sprayd service is listed.

# grep sprayd /etc/rpc

sprayd 100012 spray

Is it listed?

Yes

6. Check that your system will respond to the sprayd service requests. Have your partner run the spray command, and specify your system as the target.

# spray host1

7. Use the rpcinfo command to unregister the sprayd service’s port number. Check that the sprayd service is no longer listed as a registered port number.

# rpcinfo -d sprayd 1

# rpcinfo -p | grep sprayd

8. Have your partner run the spray command, and specify your system as the target again.

What message does the spray command return?

# spray host1

spray: cannot clnt_create host:netpath: RPC: Program not registered

9. Use the inetadm command to re-enable the full spray service.

# inetadm -d svc:/network/rpc/spray:default

# inetadm -e svc:/network/rpc/spray:default


10. Verify that the sprayd service is listed as a registered service.

# rpcinfo -p | grep sprayd

100012 1 udp 32841 sprayd

What port number is the sprayd service using now?

It varies among different systems.

Is the program number used by the sprayd service the same as the program number that was listed in step 3?

100012

11. To check that the sprayd service can now contact your system, have your partner run the spray command, and specify your system as the target.

# spray host1

12. Stop the snoop processes running on both systems.

Press Control-C.


Exercise Summary


Discussion – Take a few minutes to discuss the experiences, issues, or discoveries that you had during the lab exercises.

- Experiences

- Interpretations

- Conclusions

- Applications


Module 3

Customizing the Solaris™ Management Console

Objectives

The Solaris™ Management Console uses a graphical user interface (GUI) to display management tools that are stored in containers referred to as toolboxes. The console includes a default toolbox containing tools for managing users, projects, and cron jobs. The toolbox also contains tools for mounting and sharing file systems and for managing disks and serial ports. The Solaris Management Console toolbox editor application, which looks similar to the console, can add and modify toolboxes, add tools to a toolbox, and extend the functionality of a toolbox to other applications.

Upon completion of this module, you should be able to:

- Describe the Solaris Management Console toolbox editor actions

- Use the Solaris Management Console toolbox editor

The course map in Figure 3-1 shows how this module fits into the current instructional goal.

Figure 3-1 Course Map

[Course map labels: Describing Network Basics; Describing Interface Configuration; Describing the Client-Server Model; Customizing the Solaris™ Management Console]


Introducing the Solaris Management Console Toolbox Editor Actions

This section describes how to start the Solaris Management Console components and how to edit a toolbox to increase functionality with access to other Solaris Management Console servers or to legacy applications.

Starting the Solaris Management Console

The Solaris Management Console has three primary components:

- The Solaris Management Console server

- The console

- The Solaris Management Console toolbox editor

Starting the Solaris Management Console Server

If you have trouble starting the Solaris Management Console, it might be because the Solaris Management Console server is not running or because it is somehow in a problem state.

Note – Open a system console window to view Solaris Management Console load messages.

To determine if the Solaris Management Console server is running, as root perform the command:

# /etc/init.d/init.wbem status

The goal of the web-based enterprise management system (wbem) is toallow users to remotely manage their hosts from a browser windowrunning on a remote host.

If the Solaris Management Console server is running, you see a responsesimilar to the following:

Solaris Management Console server version 2.1.0 running on port 898


To stop the Solaris Management Console server, perform the command:

# /etc/init.d/init.wbem stop

The following message appears:

Shutting down Solaris Management Console server on port 898.

To start the Solaris Management Console server, perform the command:

# /etc/init.d/init.wbem start

After a short time, the following message appears on the console window:

Starting Solaris Management Console server version 2.1.0.

endpoint created: :898

Solaris Management Console server is ready.

Note – For more information, visit the Distributed Management Task Force web site at http://www.dmtf.org.

Starting the Console

You can start the Solaris Management Console from the command line, from the Tools menu of the CDE front panel, or by double-clicking a Solaris Management Console icon in the Applications Manager or in the File Manager.

To start the console from the command line, perform the command:

# smc

Note – You can start Solaris Management Console as a regular user, but some tools and applications might not load unless you log in to the Solaris Management Console server as root, or unless you assume a role-based access control (RBAC) role during Solaris Management Console server login.


Starting the Toolbox Editor

To start the Solaris Management Console toolbox editor, perform the command:

# smc edit

You can start the Solaris Management Console toolbox editor as a normal user, but you cannot save a server toolbox unless you log in as root.

Caution – In this module, you modify the contents of the Solaris Management Console’s toolboxes. This module directs you to alter and save both the Management Tools (root) toolbox and the This Computer (default) toolbox. Before you modify either toolbox, create backups of both toolboxes using the following commands:

# cd /var/sadm/smc/toolboxes
# cp smc/smc.tbx smc.tbx.orig
# cp this_computer/this_computer.tbx this_computer.tbx.orig
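A scripted form of the status check and the backup step above, as an added example that is not part of the student guide: it reads the server state from the init.wbem status line and makes the two .orig copies without overwriting an earlier pristine backup. The function names and the TOOLBOX_DIR and WBEM_INIT override variables are assumptions introduced here; the paths and the status wording are the guide's.

```shell
#!/bin/sh
# Added example (not from the student guide). Paths and the status line are
# the guide's; function names and the two override variables are assumptions.
TOOLBOX_DIR=${TOOLBOX_DIR:-/var/sadm/smc/toolboxes}
WBEM_INIT=${WBEM_INIT:-/etc/init.d/init.wbem}

# Print the port reported by "init.wbem status"; return 1 if not running.
# Only the guide's wording counts as running:
#   Solaris Management Console server version 2.1.0 running on port 898
# Any other output (assumption: a stopped server words it differently,
# without "version ... running") is treated as not running.
smc_server_port() {
    status=$("$WBEM_INIT" status 2>/dev/null) || true
    port=$(printf '%s\n' "$status" | sed -n \
        's/^Solaris Management Console server version [0-9.]* running on port \([0-9][0-9]*\).*/\1/p' |
        head -n 1)
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# Copy one toolbox file to $TOOLBOX_DIR/<name>.orig, like the guide's cp
# commands, with two additions: an existing .orig is never overwritten
# (a second run after editing would otherwise replace the pristine copy
# with the modified file), and the copy is compared against its source.
backup_one() {
    src=$TOOLBOX_DIR/$1
    dst=$TOOLBOX_DIR/$(basename "$1").orig
    if [ ! -f "$src" ]; then
        echo "missing toolbox file: $src" >&2
        return 2
    fi
    if [ -e "$dst" ]; then
        echo "kept existing backup: $dst" >&2
        return 0
    fi
    cp -p "$src" "$dst" || return 3
    if ! cmp -s "$src" "$dst"; then
        echo "backup differs from source: $dst" >&2
        return 4
    fi
    chmod a-w "$dst"
}

# Back up the root toolbox and the This Computer toolbox.
backup_toolboxes() {
    backup_one smc/smc.tbx &&
        backup_one this_computer/this_computer.tbx
}

# Report the server state, then make the backups.
pre_edit_check() {
    if port=$(smc_server_port); then
        echo "SMC server running on port $port"
    else
        echo "SMC server not running; start it with: $WBEM_INIT start" >&2
    fi
    backup_toolboxes
}

# Run as root:  sh smc_preedit.sh --run
if [ "${1:-}" = "--run" ]; then
    pre_edit_check
fi
```

To restore a toolbox, copy the matching .orig file back over the .tbx file and reload the toolbox in the console.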

Introducing the Solaris Management Console and the Solaris Management Console Toolbox Editor

The Solaris Management Console contains a hierarchical collection of folders, tools, legacy applications, and links to other toolboxes. A toolbox can include links to other toolboxes, individual tools, folders, and legacy applications.

• A Solaris Management Console toolbox is a collection of tools that have been registered using the smcregister utility.

• The root toolbox, or container, is called Management Tools. The default behavior of the Management Tools is to look for a toolbox on the local host and link to it when the Solaris Management Console starts. You can add multiple toolboxes to Management Tools.

• A toolbox Universal Resource Locator (URL), or link, is a pointer to another toolbox that might be on the current Solaris Management Console server or on any other Solaris Management Console server.

• A tool is an application or applet that is compatible with the Solaris Management Console that integrates easily into the Console. A Solaris Management Console tool is built using the Solaris Management Console software development kit (SDK).


• A folder is a container that groups tools within a toolbox.

• A legacy application is an application that is not a Solaris Management Console tool. A legacy application can be a command, X Application, or a URL.

The Solaris Management Console uses Extensible Markup Language (XML) files to store the configuration of toolboxes and tools. These can be referenced by URL in the console. From the menu, select View, select Show, and then select Location Bar in the console to see the URLs.

To access the root toolbox in the Solaris Management Console, the URL is:

http://hostname:898/toolboxes/smc.tbx

The default XML configuration file for this toolbox is located in:

/var/sadm/smc/toolboxes/smc/smc.tbx

The root toolbox is loaded by default when either the smc or smc edit commands are run on a server. This toolbox only allows access to other toolboxes, not to the tools within those toolboxes. You access the toolbox for the local computer through the URL:

http://hostname:898/toolboxes/this_computer.tbx

The default XML configuration file for this toolbox is located in:

/var/sadm/smc/toolboxes/this_computer/this_computer.tbx


Introducing the Solaris Management Console

To start the Solaris Management Console, perform the command:

# smc &

The Solaris Management Console window appears, as shown in Figure 3-2.

Figure 3-2 Solaris Management Console Window


When you select a toolbox in the Navigation pane, as shown in Figure 3-3, the set of tools in that toolbox is displayed in the View pane. You can double-click a tool in the View pane to open the next layer within the toolbox hierarchy.

Figure 3-3 This Computer Toolbox Window

A toolbox allows for the grouping of tools into a consistent, user-friendly hierarchy. The default toolbox for a Solaris Management Console server is called This Computer. Table 3-1 describes the categories (or folders) and tools included in the default toolbox.

Table 3-1 Solaris Management Console Categories

Category              Includes
System Status         Processes, Log Viewer, System Information, and Performance
System Configuration  Users, Projects, Computers and Networks, and Patches
Services              Scheduled Jobs
Storage               Disks, Mounts and Shares, and Enhanced Storage Tool
Devices and Hardware  Serial Ports
Terminal              Terminal is not a category. Clicking the Terminal icon launches a terminal window.


Double-click a specific folder to view the contents of that folder category. The tools that are stored within the folder are displayed in the View pane, as shown in Figure 3-4.

Figure 3-4 System Status Window

Double-click on a specific tool to launch that tool.


The View pane in Figure 3-5 displays the tool-specific information.

Figure 3-5 System Information Window

The first tool to be opened in the console requires authentication. Use the root account details. The System Information window, shown in Figure 3-5, collects and displays system configuration information.


Introducing the Solaris Management Console Toolbox Editor

To start the Solaris Management Console toolbox editor, perform the command:

# smc edit &

You use the Solaris Management Console Editor Window to execute tools during daily administrative activities, as shown in Figure 3-6. You also use the Solaris Management Console toolbox editor to modify existing toolboxes or to create additional toolboxes. You can use these toolboxes to manage multiple servers from one toolbox or to group similar tools in a toolbox.

Figure 3-6 Solaris Management Console Editor Window

Select an item in the Navigation pane, as shown in Figure 3-7 on page 3-11, to display the properties of the selected item in the View pane.


Figure 3-7 Management Tools Statistics

When displaying the root toolbox in the Solaris Management Console toolbox editor, as shown in Figure 3-7, you can only see the server toolboxes that are linked to that root toolbox. You can use the contents of a toolbox by opening it in the Solaris Management Console.

After creating or modifying any toolbox, you must save the toolbox changes and reopen the toolbox in the Solaris Management Console before you can access new tools.

Menu Bar

The menu bar is at the top of the toolbox editor and includes the following menus:

• Toolbox

• Edit

• Action

• Go

• Help


By default, the Toolbox menu, as shown in Figure 3-8, includes the following items:

Figure 3-8 Solaris Management Console Editor Window – Toolbox Menu

New      Creates a new toolbox

Open     Opens an existing toolbox in the current console window

Save     Saves the current toolbox

Save As  Saves the current toolbox configuration after you rename the toolbox location

Exit     Exits from the toolbox editor


By default, the Edit menu, as shown in Figure 3-9, includes only the following item:

Figure 3-9 Solaris Management Console Editor Window – Edit Menu

Delete   Deletes the objects that are selected in the Navigation pane


By default, the Action menu, as shown in Figure 3-10, includes the following items:

Figure 3-10 Solaris Management Console Editor Window – Action Menu

Add Legacy Application  Adds a legacy application that is not a Solaris Management Console tool. It could be a command-line interface, an X application, or a URL.

Add Toolbox URL         Adds a link from an existing toolbox to another toolbox, possibly on another server.

Add Tool                Adds a tool to an existing toolbox.

Add Folder              Adds a folder to an existing toolbox.

Move Up                 Moves the selected item in the Navigate pane up in the hierarchy.

Move Down               Moves the selected item in the Navigate pane down in the hierarchy.

Properties              Displays the assigned characteristics for the selected tool or toolbox.


The Go menu, as shown in Figure 3-11, includes the following items:

Figure 3-11 Solaris Management Console Editor Window – Go Menu

Up Level      Moves up one level in the toolbox hierarchy, and displays the result in the Navigation and View panes

Home Toolbox  Opens your home toolbox, as defined in the Console tab of the Preferences dialog box


By default, the Help menu, as shown in Figure 3-12, includes the following items:

Figure 3-12 Solaris Management Console Editor Window – Help Menu

Overview       Displays the help viewer with an Overview in the topic pane. The Overview function also provides a general description of the Solaris Management Console.

Contents       Displays the help viewer with table of contents in the Navigation pane.

Index          Displays the help viewer with an index in the Navigation pane.

Search         Displays the help viewer with a Find function in the Navigation pane.

About Console  Displays the version number of Solaris Management Console, copyright, and trademark information.


Adding a Toolbox URL

You can add access to the Toolbox URL from one Solaris Management Console server to another Solaris Management Console server. This function provides a mechanism for centralizing control across multiple Solaris Management Console servers.

To add access to a Solaris Management Console server toolbox from other Solaris Management Console servers, follow these steps:

1. Open the toolbox to which you want to add the toolbox URL.

2. Select the node in the toolbox to which you want to add the toolbox URL.

3. Select Add Toolbox URL from the Action menu.

4. Follow the instructions in the Add Toolbox URL wizard.

5. Save the toolbox.

The new toolbox contents must be reloaded in the Solaris Management Console before the changes become visible.

Adding a Tool

Adding access to a specific Solaris Management Console server tool from other Solaris Management Console servers enables you to configure many different support scenarios using the Solaris Management Console toolboxes. In a single toolbox, you can configure all tools from a number of servers for a particular functionality. This access provides the capability to configure a single Solaris Management Console server for access, such as a storage server, across all the Solaris Management Console servers.

To add access to a specific Solaris Management Console server tool from other Solaris Management Console servers:

1. Open the toolbox to which you want to add the tool.

2. Select the node in the toolbox to which you want to add the tool.

3. Select Add Tool from the Action menu.

4. Follow the instructions in the Add Tool wizard.

5. Save the toolbox.

The new toolbox contents must be reloaded in the Solaris Management Console before the changes become visible.


Using the Solaris Management Console Toolbox Editor

You use the Solaris Management Console toolbox editor functions to:

• Provide visibility between the Solaris Management Console server root toolbox and the default toolbox of additional Solaris Management Console servers

• Provide visibility of specific Solaris Management Applications between the Solaris Management Console servers

• Create additional container mechanisms within the Solaris Management Console server

• Provide access to legacy applications from within the Solaris Management Console server

Adding Access to a Toolbox URL of a Solaris Management Console

This section describes how to access the toolbox URL of a Solaris Management Console server named sys44 from a Solaris Management Console server named sys42. You will access the toolbox URL by customizing the configuration of the server on sys42 with a pointer that points to the sys44 server’s URL. This procedure involves:

• Opening the toolbox

• Adding the toolbox URL

• Saving the toolbox


Opening the Toolbox

To open the toolbox, select the Management Tools (root) toolbox, as shown in Figure 3-13.

Figure 3-13 Management Tools Statistics

The system default toolbox URL (This Computer) will eventually become a component of the local root toolbox (Management Tools).


Adding a Toolbox URL

To add a toolbox URL, complete the following steps:

1. Select Add Toolbox URL from the Action menu, as shown in Figure 3-14, and follow the steps in the Toolbox URL Wizard.

Figure 3-14 Action Menu – Add Toolbox URL


Note – These steps follow the prompts from the Toolbox URL Wizard.

The wizard displays a help screen along the left side of each window, as shown in Figure 3-15.

Figure 3-15 Toolbox URL Wizard – Step 1 Window

Note – To hide the help information, which expands the usable area within the wizard windows, click the gray box next to the word Help.

2. Click Next to continue.


In the Toolbox URL Wizard – Step 1 window, you either:

• Select Server Toolbox if the toolbox you want to add is on a Solaris Management Console server, which is the computer where the Solaris Management Console server is running.

• Select Local Toolbox if the toolbox you want to add is on your local computer, which is the computer from which you started the Solaris Management Console toolbox editor.

3. In this example, select Server Toolbox, as shown in Figure 3-16.

Figure 3-16 Toolbox URL Wizard – Step 1 Window

4. Click Next to continue.


In the Toolbox URL Wizard – Step 2 window, you enter the name of the remote Solaris Management Console server from which to retrieve the toolbox.

5. In this example, enter sys44, as shown in Figure 3-17.

Figure 3-17 Toolbox URL Wizard – Step 2 Window

6. Click Next to continue.


If the Solaris Management Console server is running and if any toolboxes are accessible on the server, a list of toolboxes appears in the Toolboxes field, as shown in Figure 3-18.

Figure 3-18 Toolbox URL Wizard – Step 3 Window

Note – If the remote host has not started its SMC service since it booted, there may be a delay before the toolboxes are displayed.

7. Select the This Computer (default) toolbox from the Toolboxes list.

8. Click Next to continue.


In the Toolbox URL Wizard – Step 4 window, you either:

• Select Use Toolbox Defaults to use the name and description specified in the toolbox definition.

• Select Override Toolbox Settings to override the name and description specified in the toolbox definition.

9. In this example, use the toolbox defaults, as shown in Figure 3-19.

Figure 3-19 Toolbox URL Wizard – Step 4 Window

10. Click Next to continue.


In the Toolbox URL Wizard – Step 5 window, you either:

• Select Use Toolbox Defaults to use the existing toolbox icon.

• Select Override Toolbox Settings to select other toolbox icons, and then enter the full paths to the large and small icons.

11. In this example, use the toolbox defaults, as shown in Figure 3-20.

Figure 3-20 Toolbox URL Wizard – Step 5 Window

12. Click Next to continue.


Note – Management scope defines what the tool’s action will update. For example, a tool can update local files on a server or a tool can update information in an NIS database. You can configure a toolbox folder and a specific tool with a scope of operation. You can create folders and tools that inherit the scope of operation from their parents, or you can configure them to override their parents’ scope of operation.

In the Toolbox URL Wizard – Step 6 window, you either:

• Select Inherit from Parent to specify that the toolbox inherits its management scope from the parent node.

• Select Override to override the management scope of the parent node.

13. In this example, click Override, select the file management scope from the Management Scope pull-down menu, and then type the name of the server where the file or name service resides (sys44), as shown in Figure 3-21.

Figure 3-21 Toolbox URL Wizard – Step 6 Window

14. Click Finish.


The Add Toolbox URL wizard updates the selected toolbox with the additional toolbox URL, and returns you to the Solaris Management Console toolbox editor window, as shown in Figure 3-22.

Figure 3-22 Solaris Management Console Editor Window – Management Tools


15. To view the toolbox properties, select the new toolbox URL (sys42) in the Navigation pane.

Properties appear in the View pane, as shown in Figure 3-23.

Figure 3-23 Toolbox URL Window


In the Toolbox URL window, you can:

• View the toolbox properties by selecting the toolbox URL in the Navigation pane and reading the contents in the View pane. In this example, sys42 is selected in the Navigation pane. Observe that the management scope is local files on server sys42, as shown in Figure 3-23 on page 3-29.

• Also view the other toolbox properties by selecting the new toolbox URL (sys44) in the Navigation pane and reading the view pane as shown in Figure 3-24.

Figure 3-24 Toolbox URL Window

In this example, the management scope defines the use of local files on the system sys44.


Saving a Toolbox

Every time you make a change to a toolbox, save the changes to that toolbox by using the Solaris Management Console toolbox editor, and then reload that toolbox by using the Solaris Management Console.

To save and reload the toolbox, perform the following steps:

Caution – To ensure that you are saving the correct toolbox, select the toolbox that you want to save.

1. Select the toolbox that you want to save. In this example, select the Management Tools item in the Navigation pane, as shown in Figure 3-25.

Figure 3-25 Management Tools Window


2. To save the selected toolbox, select Save As from the Toolbox menu, as shown in Figure 3-26.

Figure 3-26 Toolbox Menu – Save As


3. In the Local Toolbox window, Figure 3-27, perform one of the following:

• Select a toolbox from the list.

• Navigate to a different toolbox using the appropriate folder icon.

• Specify the root toolbox location by entering the absolute path to the toolbox into the Filename box.

The absolute path name to the root toolbox is:

/var/sadm/smc/toolboxes/smc/smc.tbx

Figure 3-27 Local Toolbox Window

4. Click Save.


After you save the toolbox, you are returned to the Solaris Management Console toolbox editor window, as shown in Figure 3-28.

Figure 3-28 Solaris Management Console Editor Window – Toolbox Saved

Adding Access to a Tool

You can configure a tool so that other Solaris Management Console servers can access it. To add access to a tool, you must provide the information needed to clearly identify the location and function of that tool. This procedure involves:

• Opening the toolbox

• Adding a tool

• Saving the toolbox


Opening the Toolbox

Prior to adding a tool to a Solaris Management Console server, you must be certain that you have opened the toolbox in which you want the tool to reside.

1. Open the toolbox in which you want the tool to reside.

The Solaris Management Console toolbox editor window displays the available toolbox structure contained within the root toolbox. These toolboxes include the root toolbox with its default toolbox and any additional toolboxes that have been added using the Add Toolbox URL function.

2. Select Open from the Toolbox menu, as shown in Figure 3-29.

Figure 3-29 Toolbox Menu – Open


The default toolbox is listed, as shown in Figure 3-30.

Figure 3-30 Open Toolbox Window – Server Toolbox Tab

3. Select the This Computer (sys42) line entry.

4. Click Open.


The default toolbox opens, as shown in Figure 3-31. The This Computer (sys42) toolbox has been promoted to the top-listed toolbox. You can now select this toolbox or folders within this toolbox, for subsequent add operations.

Figure 3-31 Solaris Management Console Editor Window – Default Toolbox Expanded


5. To add visibility to the disks from sys44 to the storage folder on sys42, double-click the Storage folder to select the folder and to display its current contents, as shown in Figure 3-32.

Figure 3-32 Solaris Management Console Editor Window – Storage Folder Expanded


Adding a Tool

To make the Solaris Management Console Tools visible between Solaris Management Console servers, use the Add Tool function in the Action menu.

To make the Solaris Management Console Tools visible to other servers, follow these steps:

1. Select Add Tool from the Action menu, as shown in Figure 3-33.

Figure 3-33 Action Menu – Add Tool

The Add Tool wizard launches.


In the Tool Wizard – Step 1 window, you enter the name and an optional port number of the Solaris Management Console server from which to retrieve the tool.

2. In this example, enter server sys44, as shown in Figure 3-34.

Figure 3-34 Tool Wizard – Step 1 Window

3. Click Next to continue.


In the Tool Wizard – Step 2 window, Figure 3-35:

• If the Solaris Management Console server is running and if any tools are accessible on that server, a list of tools is displayed. You can select the tool you want to add.

• If the server is not running or the host is not currently accessible, you can enter a tool class name for a tool that you know is on the server in the Tool Class Name field.

• You can also specify a tool that is not on the server by entering the tool class name in the Tool Class Name field. If the tool is later added to the server, the tool will already be in the toolbox.

Figure 3-35 Tool Wizard – Step 2 Window

4. In this example, select a description by clicking the down arrow until the Disks tool is displayed, and then select the Disks tool, as shown in Figure 3-35.

5. Type a description.

6. Click Next to continue.


7. Select Override Tool Settings to override the name and description specified in the tool definition, as shown in Figure 3-36.

Figure 3-36 Tool Wizard – Step 3 Window

8. Enter a tool name and description that enables you to differentiate between the Disks tools for the local system and those tools on the remote system.

9. Click Next to continue.

10. Select Use Tool Defaults, as shown in Figure 3-37.

Figure 3-37 Tool Wizard – Step 4 Window

11. Click Next to use the default tool icons.


To override the management scope of the parent node in the Tool Wizard – Step 5 window, Figure 3-38, either:

• Select File from the Management Scope pull-down menu, and provide the name of the server where the files are stored.

• Select an alternate management scope (name service) and enter the domain name in the Domain field.

Figure 3-38 Tool Wizard – Step 5 Window

12. In this example, select Override, select file as the management scope, and type sys44 in the Server field, as shown in Figure 3-38.

13. Click Next to continue.


In the Tool Wizard – Step 6 window, Figure 3-39, you either:

• Select the Load tool when selected option to load each tool only when the specified tool is selected in the Solaris Management Console.

• Select the Load tool when toolbox is opened option to immediately load the tool when the This Computer (default) toolbox, which contains the specified tool, is selected.

Figure 3-39 Tool Wizard – Step 6 Window

14. In this example, select Load tool when selected, as shown in Figure 3-39.

15. Click Finish.


After the tool is added, you are returned to the Solaris Management Console toolbox editor, and the sys44 disk tool is now displayed as a component of the sys42 Storage folder, as shown in Figure 3-40.

Figure 3-40 Solaris Management Console Editor Window – Display Added Tool


Saving a Toolbox

Every time you make a change to a toolbox, you must save the changes to the toolbox using the Solaris Management Console toolbox editor. Then, you must re-open the toolbox in the Solaris Management Console before you can use the new tool. To save the current toolbox, follow these steps:

1. Select Save As from the Toolbox menu, as shown in Figure 3-41.

Figure 3-41 Toolbox Menu – Save As

Caution – You must be certain to save the correct toolbox, because this save operation overwrites the last toolbox that was saved.

If the root toolbox was the last toolbox that was saved, subsequent save operations point to the root toolbox at:

/var/sadm/smc/toolboxes/smc/smc.tbx

instead of the default toolbox at:

/var/sadm/smc/toolboxes/this_computer/this_computer.tbx.

2. Change your path to indicate:

/var/sadm/smc/toolboxes/this_computer/this_computer.tbx


Click Save, as shown in Figure 3-42.

Figure 3-42 Local Toolbox Window

The toolbox changes are saved, and you are returned to the Solaris Management Console Editor window, as shown in Figure 3-43.

Figure 3-43 Solaris Management Console Editor Window – Changes Saved
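
The Caution in this procedure describes a save that lands in the wrong toolbox file without any warning. The following shell functions are an added example, not part of the student guide: they snapshot both toolbox files before you use Save As and afterwards confirm that only the intended one changed. The two toolbox paths come from the guide; the function names, the TBX_BASE variable, and the snapshot directory are assumptions made for this example.

```shell
# Added example (not from the student guide). Snapshot the two toolbox files
# before Save As, then confirm that only the intended one changed.
# Written without $(...) or ${var%pat} so it also runs under a legacy /bin/sh.

# Toolbox directory from the guide; set TBX_BASE to rehearse on a copy.
TBX_BASE=${TBX_BASE:-/var/sadm/smc/toolboxes}

# Relative paths of the root and default toolboxes, as given in the guide.
TBX_ROOT=smc/smc.tbx
TBX_DEFAULT=this_computer/this_computer.tbx

# tbx_snapshot SNAPDIR
# Copy both toolboxes into SNAPDIR (a location chosen by the caller).
tbx_snapshot() {
    tbx_snap=$1
    for tbx_rel in "$TBX_ROOT" "$TBX_DEFAULT"; do
        if [ ! -f "$TBX_BASE/$tbx_rel" ]; then
            echo "missing toolbox: $TBX_BASE/$tbx_rel" >&2
            return 1
        fi
        tbx_dir=`dirname "$tbx_rel"`
        mkdir -p "$tbx_snap/$tbx_dir" || return 1
        cp -p "$TBX_BASE/$tbx_rel" "$tbx_snap/$tbx_rel" || return 1
    done
}

# tbx_changed SNAPDIR
# Print "root" and/or "default", one per line, for each toolbox whose content
# differs from the snapshot (a missing file also counts as changed).
tbx_changed() {
    cmp -s "$TBX_BASE/$TBX_ROOT" "$1/$TBX_ROOT" || echo root
    cmp -s "$TBX_BASE/$TBX_DEFAULT" "$1/$TBX_DEFAULT" || echo default
    return 0
}

# tbx_verify_save SNAPDIR EXPECTED
# Succeed only when EXPECTED (root or default) is the sole toolbox that changed.
# Fails if the save overwrote the other toolbox or did not land at all.
tbx_verify_save() {
    tbx_list=`tbx_changed "$1"`
    tbx_list=`echo $tbx_list`    # join the lines with single spaces
    if [ "$tbx_list" = "$2" ]; then
        return 0
    fi
    echo "expected only '$2' to change; changed: '${tbx_list:-none}'" >&2
    return 1
}

# tbx_restore SNAPDIR root|default
# Put one toolbox back from the snapshot after a mistaken save.
tbx_restore() {
    case $2 in
        root)    tbx_rel=$TBX_ROOT ;;
        default) tbx_rel=$TBX_DEFAULT ;;
        *) echo "usage: tbx_restore SNAPDIR root|default" >&2; return 2 ;;
    esac
    cp -p "$1/$tbx_rel" "$TBX_BASE/$tbx_rel"
}
```

Run tbx_snapshot before opening the toolbox editor, and tbx_verify_save with default (or root) after the save; if the check fails, tbx_restore puts the overwritten file back.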


Testing Tool Access

To test the tool access between the Solaris Management Console servers, reload the updated toolboxes on the Solaris Management Console.

1. Start the Solaris Management Console:

# smc &

The Solaris Management Console window displays the last tool that the Solaris Management Console accessed, as shown in Figure 3-44.

Figure 3-44 Solaris Management Console Window – Updated Tools


Select Home Toolbox from the Go menu to load and reopen the Home Toolbox (the root toolbox), as shown in Figure 3-45.

Figure 3-45 Go Menu


The Solaris Management Console window displays the original root toolbox, as shown in Figure 3-46.

Figure 3-46 Solaris Management Console Window – Home Toolbox


2. Double-click the This Computer (sys42) toolbox to open the toolbox, as shown in Figure 3-47.

Figure 3-47 Solaris Management Console Window – This Computer Expanded


3. Double-click the Storage folder to open the folder, as shown in Figure 3-48.

Figure 3-48 Solaris Management Console Window – Storage Folder Expanded

The Disks tools are visible for servers sys42 and sys44.

4. Double-click the Disks tool for server sys42.


5. Because the preferences are set to force you to log in when opening a tool, you must log in as shown in Figure 3-49:

a. Type or verify the name in the User Name field.

b. Type the password in the Password field.

c. Click OK.

Figure 3-49 Log In: User Name Window


After the system authenticates the login, the disks for system sys42 appear, as shown in Figure 3-50.

Figure 3-50 Solaris Management Console Window – sys42 Disks

6. To display the disks from system sys44, double-click the Disks (sys44) entry in the Navigation pane.


The disks for system sys44 appear, as shown in Figure 3-51. You are not required to log in again because this tool is being accessed from the sys42 toolbox, and you have already authenticated your access to this system.

Figure 3-51 Solaris Management Console Window – sys44 Disks


7. Close the toolbox by clicking on the turner icon next to the This Computer sys42 entry in the Navigation pane, as shown in Figure 3-52.

Figure 3-52 Solaris Management Console Window – Toolbox Closed


Performing the Exercises

You have the option to complete any one of three versions of a lab. To decide which to choose, consult the following descriptions of the levels:

• Level 1 – This version of the lab provides the least amount of guidance. Each bulleted paragraph provides a task description, but you must determine your own way of accomplishing each task.

• Level 2 – This version of the lab provides more guidance. Although each step describes what you should do, you must determine which commands (and options) to input.

• Level 3 – This version of the lab is the easiest to accomplish because each step provides exactly what you should input to the system. This level also includes the task solutions for all three levels.


Exercise: Using the Solaris Management Console (Level 1)

In this exercise, you launch the Solaris Management Console and the toolbox editor, and you add a tool and a toolbox.

Preparation

To prepare for this exercise, refer to your lecture notes as necessary.

You are paired with another student so that, when necessary, the lab scenarios can send commands between two systems, system1 and system2. Lab instructions use the variable names system1 and system2. Use the translated names as follows:

system1:__________________ system2:__________________

Task Summary

In this exercise, you launch:

• The Solaris Management Console

• The Solaris Management Console toolbox editor

• The Solaris Management Console server

After successfully launching the Solaris Management Console toolbox editor, you update the capabilities of the Solaris Management Console server by:

• Adding a toolbox URL to an existing root toolbox

• Embedding a tool from a remote server into the default toolbox of a local server


Exercise: Using the Solaris Management Console (Level 2)

In this exercise, you launch the Solaris Management Console and the toolbox editor, and you add a tool and a toolbox.

Preparation

To prepare for this exercise, refer to your lecture notes as necessary.

You are paired with another student so that, when necessary, the lab scenarios can send commands between two systems, system1 and system2. Lab instructions use the variable names system1 and system2. Use the translated names as follows:

system1:__________________ system2:__________________

Task Summary

Launch the following:

• The Solaris Management Console

• The Solaris Management Console toolbox editor

• The Solaris Management Console server

After successfully launching the Solaris Management Console toolbox editor, you update the capabilities of the Solaris Management Console server by:

• Adding a toolbox URL to an existing root toolbox

• Embedding a tool from a remote server into the default toolbox of a local server


Tasks

Perform the following tasks.

Task 1 – Status, Stopping, and Starting the Solaris Management Console

Complete the following steps:

1. Log in to your system, and reboot the system to establish a known starting condition for the system’s operating system. Log in again after the reboot is complete.

What is the current status of the Solaris Management Console server?

______________________________________________________

2. Start the Solaris Management Console. Allow the toolboxes to launch completely before proceeding.

What is the current status of the Solaris Management Console server?

______________________________________________________

3. Exit the Solaris Management Console.

What is the current status of the Solaris Management Console server?

______________________________________________________

4. Stop the Solaris Management Console server.

What is the current status of the Solaris Management Console server?

______________________________________________________

5. Start the Solaris Management Console toolbox editor and be alert for the toolbox open failure message.

______________________________________________________


6. Start the Solaris Management Console server.

What is the current status of the Solaris Management Console server?

______________________________________________________

What happens to the Solaris Management Console server when you shut down either the Solaris Management Console or the Solaris Management Console toolbox editor?

______________________________________________________

______________________________________________________

What happens to the Solaris Management Console or the Solaris Management Console toolbox editor when you shut down the Solaris Management Console server?

______________________________________________________

______________________________________________________

Task 2 – Opening a Toolbox

1. Start opening the root toolbox on system1 by selecting Open from the Toolbox menu. Click the Server Toolbox tab and (single) click Management Tools from the list.

2. What is the URL for this toolbox?

______________________________________________________

3. To finish opening the root toolbox on this server (system1), click Open.


Task 3 – Adding a Toolbox URL

To add a toolbox URL, complete the following steps:

1. On system1, select the Add Toolbox URL from the Action menu. (If this menu choice is not available, single click the Management Tools node in the left Navigation pane.)

How does the server toolbox selection differ from the local toolbox selection?

______________________________________________________

2. On system1, select Server Toolbox and then click Next.

3. On system1, enter the name of the Solaris Management Console server (system2), and click Next.

What is the default port number used by the Solaris Management Console?

______________________________________________________

4. On system1, from the Toolboxes list, select the toolbox that contains all of the management tools for managing the services and the configuration of system2, and click Next.

What is the URL for this toolbox?

______________________________________________________

5. On system1, select the default toolbox name and description and click Next.

6. On system1, select the default toolbox icons and click Next.

7. On system1, override the management scope of the parent node.

a. Select the file management scope from the Management Scope pull-down menu.

After viewing the list of selections from the Management Scope pull-down menu, what is another term that can be used to describe management scope?

______________________________________________________

b. Enter the name of the server where the file or name service resides (system2), and click Finish.

How has the Solaris Management Console toolbox editor display changed?

______________________________________________________


Task 4 – Saving a Toolbox

Complete the following steps:

1. On system1, select Management Tools in the Navigation pane.

2. Select Save As from the Toolbox menu.

Note – Prior to saving a Solaris Management Console Toolbox, you should make a backup of the toolbox.

3. On system1, select the directory and file location of the root toolbox, and click Save.

What is the directory location of the root toolbox?

______________________________________________________

Task 5 – Opening the Toolbox

Complete the following steps:

1. On system1, select Open from the Toolbox menu.

2. On system1, select the default toolbox named This Computer (system1).

What is the URL for the default toolbox?

______________________________________________________

3. On system1, click Open.

4. On system1, double-click the Storage folder to select the folder and display its contents.

What are the current contents of the Storage folder?

______________________________________________________


Task 6 – Adding a Tool

Complete the following steps:

1. On system1, select Add Tool from the Action Menu.

2. On system1, enter server system2. Click Next.

3. On system1, select the Disks tool, and click Next.

4. On system1, select Override Tool Settings to override the name and description specified in the tool definition.

5. On system1, enter a tool name and description that will enable you to differentiate between the Disks tools for the local system and those tools on the remote system, then click Next.

Where are the name and description fields used?

______________________________________________________

6. On system1, click Use Tool Defaults, and click Next to use the default tool icons. Authenticate with root password as appropriate.

7. On system1, click Override to enable the fields for specifying Management Scope, Server and Domain.

8. On system1, select the appropriate management scope (file, in this example) from the Management Scope pull-down menu, but do not click Next yet.

9. The management scope choices are ldap, dns, nisplus, nis, or file. What is another way to describe management scope?

______________________________________________________

10. On system1, enter the name of the server (system2) in the Server field and click Next.

11. On system1, select the Load tool when selected option.

What is the alternative to the Load tool when selected option?

______________________________________________________

12. On system1, click Finish.


Task 7 – Saving the Toolbox

Complete the following steps:

1. On system1 and in the Solaris Management Console toolbox editor, select Save As from the Toolbox menu.

2. On system1, change your path to /var/sadm/smc/toolboxes/this_computer/this_computer.tbx, and click Save.

Caution – You must select the This Computer (default) toolbox during the save operation to prevent writing over the Management Tools (root) toolbox.

What are the current contents of the Storage folder?

______________________________________________________

3. Exit the Solaris Management Console editor (using the Exit option on the Toolbox menu) and start only the Solaris Management Console from the command line.

Task 8 – Checking Tool Access

Complete the following steps:

1. On system1, to re-open the root toolbox, select Home Toolbox from the Go menu.

What happens when you select the Home Toolbox?

______________________________________________________

2. On system1, double-click the This Computer (system1) toolbox to open the toolbox.

How does double-clicking the This Computer (system1) toolbox differ from using the Home Toolbox in the Go menu?

______________________________________________________

3. On system1, double-click the Storage folder to open the folder.

What are the current contents of the Storage folder?

______________________________________________________

4. On system1, double-click the Disks tool for server system1.

5. On system1, log in because this is the first tool opened since re-opening the Home Toolbox.


6. On system1, to display the disks from system system2, double-click the Disks (system2) entry in the Navigation pane.

7. On system1, close the toolbox by clicking the turner icon next to the This Computer system1 entry in the Navigation pane.

8. Select Exit from the Console menu to exit the Solaris Management Console.


Exercise: Using the Solaris Management Console (Level 3)

In this exercise, you launch the Solaris Management Console and the toolbox editor, and you add a tool and a toolbox.

Preparation

To prepare for this exercise, refer to your lecture notes as necessary.

You are paired with another student so that, when necessary, the lab scenarios can send commands between two systems, system1 and system2. The lab instructions use the variable names system1 and system2. Use the translated names as follows:

system1:__________________ system2:__________________

Task Summary

Launch the following:

• The Solaris Management Console

• The Solaris Management Console toolbox editor

• The Solaris Management Console server

After successfully launching the Solaris Management Console toolbox editor, update the capabilities of the Solaris Management Console server by:

• Adding a toolbox URL to an existing root toolbox

• Embedding a tool from a remote server into the default toolbox of a local server


Tasks and Solutions

Perform the following tasks.

Task 1 – Status, Stopping, and Starting the Solaris Management Console

Complete the following steps:

1. Log in to your system, and reboot the system to establish a known starting condition for the system’s operating system. Log in again after the reboot is complete.

# init 6

What is the current status of the Solaris Management Console server?

# /etc/init.d/init.wbem status

Solaris Management Console server not running on port 898.

2. Start the Solaris Management Console. Allow the toolboxes to launch completely before proceeding.

# smc &

1694

#

What is the current status of the Solaris Management Console server?

# /etc/init.d/init.wbem status

Solaris Management Console server version 2.1.0 running on port 898.

3. Exit the Solaris Management Console.

What is the current status of the Solaris Management Console server?

# /etc/init.d/init.wbem status

Solaris Management Console server version 2.1.0 running on port 898.

4. Stop the Solaris Management Console server.

# /etc/init.d/init.wbem stop

Shutting down Solaris Management Console server on port 898.

What is the current status of the Solaris Management Console server?

# /etc/init.d/init.wbem status

Solaris Management Console server not running on port 898.


5. Start the Solaris Management Console toolbox editor and be alert for the toolbox open failure message.

# smc edit &

1710

#

Open Toolbox: http://server:898/toolboxes/smc.tbx failed

Open Toolbox: http://server:898/toolboxes/smc.tbx failed

This status message is generated when you stop wbem services and subsequently attempt to launch the Solaris Management Console or Solaris Management Console toolbox editor.

6. Open a Console window and start the Solaris Management Console server.

# dtterm -C &

# /etc/init.d/init.wbem start

Starting Solaris Management Console server version 2.1.0.

endpoint created: :898

Solaris Management Console server is ready.

What is the current status of the Solaris Management Console server?

# /etc/init.d/init.wbem status

Solaris Management Console server version 2.1.0 running on port 898.

What happens to the Solaris Management Console server when you shut down either the Solaris Management Console or the Solaris Management Console toolbox editor?

Shutting down either the Solaris Management Console or the Solaris Management Console toolbox editor has no effect on the Solaris Management Console server.

What happens to the Solaris Management Console or the Solaris Management Console toolbox editor when you shut down the Solaris Management Console server?

Shutting down the Solaris Management Console server prevents the Solaris Management Console or the Solaris Management Console toolbox editor from starting because you cannot open the toolbox.


Task 2 – Opening a Toolbox

To open a toolbox, on system1, open the Management Tools (root) toolbox.

1. Start opening the root toolbox on system1 by selecting Open from the Toolbox menu. Click the Server Toolbox tab, and (single) click Management Tools in the list.

2. What is the URL for this toolbox?

http://system1:898/toolboxes/smc.tbx.

3. To finish opening the root toolbox on this server (system1), clickOpen.

Task 3 – Adding a Toolbox URL

To add a toolbox URL, complete the following steps:

1. On system1, select Add Toolbox URL from the Action menu. (If this menu choice is not available, single click the Management Tools node in the left Navigation pane.)

How does the server toolbox selection differ from the local toolbox selection?

A server toolbox means a computer where the Solaris Management Console server is running, whereas a local toolbox means the computer from which you started the Solaris Management Console toolbox editor.

2. On system1, select Server Toolbox and then click Next.

3. On system1, enter the name of the Solaris Management Console server (system2), and click Next.

What is the default port number used by the Solaris Management Console?

The default Solaris Management Console port is 898.

4. On system1, from the Toolboxes list, select the toolbox that contains all of the management tools for managing the services and the configuration of system2, and click Next.

What is the URL for this toolbox?

The URL for this toolbox is http://system1:898/toolboxes/this_computer.tbx.

5. On system1, select the default toolbox name and description and click Next.


6. On system1, select the default toolbox icons and click Next.

7. On system1, override the management scope of the parent node.

a. Select the file management scope from the Management Scope pull-down menu.

After viewing the list of selections from the Management Scope pull-down menu, what is another term that can be used to describe management scope?

Management scope refers to name service.

b. Enter the name of the server where the file or name service resides (system2), and click Finish.

How has the Solaris Management Console toolbox editor display changed?

The Toolbox URL for the remote Solaris Management Console server has been added to the local Solaris Management Console server root toolbox.

Task 4 – Saving Toolbox

Complete the following steps:

1. On system1, select Management Tools in the Navigation pane.

2. Click Save As from the Toolbox menu.

Note – Prior to saving a Solaris Management Console Toolbox, you should make a backup of the toolbox.

3. On system1, select the directory and file location of the root toolbox, and click Save.

What is the directory location of the root toolbox?

/var/sadm/smc/toolboxes/smc/smc.tbx


Task 5 – Opening the Toolbox

Complete the following steps:

1. On system1, select Open from the Toolbox menu.

2. On system1, select the default toolbox named This Computer (system1).

What is the URL for the default toolbox?

The URL for the root toolbox is:

http://system1:898/toolboxes/this_computer.tbx

3. On system1, click Open.

4. On system1, double-click the Storage folder to select the folder and display its contents.

What are the current contents of the Storage folder?

The current contents of the Storage folder are:

Tool (com.sun.admin.fsmgr.client.VFsMgr)

Tool (com.sun.admin.diskmgr.client.VDiskMgr)

Tool (com.sun.admin.volmgr.client.VVolMgr)

Task 6 – Adding a Tool

Complete the following steps:

1. On system1, select Add Tool from the Action Menu.

2. On system1, enter server system2. Click Next.

3. On system1, select the Disks tool, and click Next.

4. On system1, select Override Tool Settings to override the name and description specified in the tool definition.

5. On system1, enter a tool name and description that will enable you to differentiate between the Disks tools for the local system and those tools on the remote system, and click Next.

Where are the name and description fields used?

The name will be displayed in the Navigation pane of the Solaris Management Console. If the tool is selected in the Navigation pane, it is also displayed beneath the tool’s icon in the Information pane. The description will be displayed in the Information pane if the tool is selected in the View pane.

6. On system1, click Use Tool Defaults, and click Next to use the default tool icons. Authenticate with root password as appropriate.


7. On system1, click Override to enable the fields for specifying Management Scope, Server and Domain.

8. On system1, select the appropriate management scope (file, in this example) from the Management Scope pull-down menu, but do not click Next yet.

9. The management scope choices are ldap, dns, nisplus, nis, or file. What is another way to describe management scope?

Another way to describe management scope is name service.

10. On system1, enter the name of the server (system2) in the Server: field and click Next.

11. On system1, select the Load tool when selected option.

What is the alternative to the Load tool when selected option?

The alternative to loading the tool when selected is to load the tool when the toolbox is opened.

12. On system1, click Finish.

Task 7 – Saving the Toolbox

Complete the following steps:

1. On system1 and in the Solaris Management Console toolbox editor, select Save As from the Toolbox menu.

2. On system1, change your path to /var/sadm/smc/toolboxes/this_computer/this_computer.tbx, and click Save.

Caution – You must select the This Computer (default) toolbox during the save operation to prevent writing over the Management Tools (root) toolbox.

What are the current contents of the Storage folder?

The current contents of the Storage folder are:

Tool (com.sun.admin.fsmgr.client.VFsMgr)

Tool (com.sun.admin.diskmgr.client.VDiskMgr)

Tool (com.sun.admin.volmgr.client.VVolMgr)

Tool (com.sun.admin.diskmgr.client.VDiskMgr)

3. Exit the Solaris Management Console editor (using the Exit option on the Toolbox menu) and start only the Solaris Management Console from the command line.

# smc &


Task 8 – Checking Tool Access

Complete the following steps:

1. On system1, to re-open the root toolbox, select Home Toolbox from the Go menu.

What happens when you select the Home Toolbox?

Clicking on the Home Toolbox re-opens the local system’s root toolbox.

2. On system1, double-click the This Computer (system1) toolbox to open the toolbox.

How does double-clicking the This Computer (system1) toolbox differ from using the Home Toolbox in the Go menu?

Double-clicking the This Computer (system1) toolbox begins the process of drilling down through the local default toolbox, whereas the Home Toolbox in the Go menu opens the local root toolbox.

3. On system1, double-click the Storage folder to open the folder.

What are the current contents of the Storage folder?

The current contents of the Storage folder are:

Storage

Mounts and Shares

Disks

Enhanced Storage

Disks (system2)

4. On system1, double-click the Disks tool for server system1.

5. On system1, log in because this is the first tool opened since re-opening the Home Toolbox.

6. On system1, to display the disks from system system2, double-click the Disks (system2) entry in the Navigation pane.

7. On system1, close the toolbox by clicking the turner icon next to the This Computer system1 entry in the Navigation pane.

8. Select Exit from the Console menu to exit the Solaris Management Console.


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

• Experiences

• Interpretations

• Conclusions

• Applications


Module 4

Managing Swap Configuration

Objectives

A system’s virtual memory is a combination of the available random access memory (RAM) and disk space. Portions of the virtual memory are reserved as swap space. Swap space can be defined as a temporary storage location that is used when the system’s memory requirements exceed the size of available RAM.

Upon completion of this module, you should be able to:

• Describe virtual memory

• Configure swap space

The course map in Figure 4-1 shows how this module fits into the current instructional goal.

Figure 4-1 Course Map (figure not reproduced; the map shows Managing Virtual File Systems and Core Dumps, comprising Managing Swap Configuration, Managing Crash Dumps and Core Files, Configuring NFS, and Configuring AutoFS)


Introducing Virtual Memory

Virtual memory combines RAM and dedicated disk storage areas known as swap space. Virtual memory management software maps copies of files on disk to virtual addresses. Programs use these virtual addresses rather than real addresses to store instructions and data. Virtual memory makes it possible for the operating system (OS) to use a large range of memory. However, the kernel must translate the virtual memory addresses into real addresses in RAM before the actual program instruction is performed on a central processing unit (CPU).

Physical RAM

Physical memory refers to the actual RAM installed on a computer. When working with swap space, RAM is the most critical resource in your system. The amount of physical memory varies depending on the system that runs the Solaris 10 OS. The code for each active process and any data required by each process must be mapped into physical memory before execution can take place.

Virtual and Physical Addresses

The Solaris 10 OS virtual memory management system maps the files on disk to virtual addresses in virtual memory. The virtual memory management system then translates the virtual addresses into real, physical addresses in physical memory, because programs require instructions or data in these files. The CPU uses the data and instructions when they are placed in physical memory.

Anonymous Memory Pages

Physical memory pages associated with a running process can contain private data or stack information that does not exist in any file system on disk. Since these memory pages contain information that is not also a named file on the disk, these pages are known as anonymous memory pages. Anonymous memory pages are backed by swap space; in other words, swap space is used as a temporary storage location for data while it is swapped out of memory.


Swap Space

While the amount of physical memory in a system is constant, the use of the physical memory varies. Often processes conflict over which one gets access to physical memory space. Sometimes a process must give up some of its memory space allocation to another process. The process has some of its pages in RAM paged out. Anonymous memory pages are placed in a swap area, but unchanged file system pages are not placed in swap areas, because file system data exists as permanent storage on the disk, and can be removed from physical memory.

Swap Slices

The primary swap space on the system is a disk slice. In the Solaris 10 OS, the default location for the primary swap space is slice 1 of the boot disk, which by default, starts at cylinder 0. You can change the default location during a custom installation. Each time you reboot the system, an entry in the /etc/vfstab file determines the configuration of the swap partition. As additional swap space becomes necessary, you can configure additional swap slices. Plan your swap slice location carefully. If you have additional storage space outside of the system disk, place the swap slice on an additional drive to reduce the load on the system disk drive.

Swap Files

It is also possible to provide additional swap space on a system by using swap files. Swap files are files that reside on a file system, and that have been created using the mkfile command. These files might be useful in some cases. For example, swap files are useful when additional swap space is required, but there are no free disk slices and reslicing a disk to add more swap is not a practical solution. Swap files can be permanently included in the swap configuration by creating an entry for the swap file in the /etc/vfstab file.


The swapfs File System

When the kernel runs a process, swap space for any private data or stack space for the process must be reserved. The reservation occurs in case the stack information or private data might need to be paged out of physical memory, for example, if there are multiple processes contending for limited memory space.

Because of the virtual swap space provided by the swapfs file system in the Solaris 10 OS, there is less need for physical swap space on systems with a large available memory. The decreased need for physical swap space occurs because the swapfs file system provides virtual swap space addresses rather than real physical swap space addresses in response to swap space reservation requests. Therefore, you need physical swap space on disk, only in the event that the physical RAM pages containing private data need to be paged out.

Figure 4-2 shows that the swap space resides outside the physical RAM as a swap partition or as a swap file.

Figure 4-2 Swap Space (figure not reproduced; labels: RAM, Swap Space, Swap Slice, Swap File)


Paging

Paging is the transfer of selected memory pages between RAM and the swap areas. When you page private data to swap spaces, physical RAM is made available for other processes to use. If you need the pages that were paged out, you can retrieve them (page them in) from swap and map them back into physical memory. Moving these pages back into RAM might require more paging (page outs) of other process’s pages to make room. Swapping is the movement of all modified data memory pages associated with a process, between RAM and a disk.

Use the pagesize command to display the size of a memory page in bytes. The default page size for the Solaris 10 OS is 8192 bytes.

# pagesize

8192

You can use the Multiple Page Size Support (MPSS) service to run legacy applications with larger memory page sizes. Using larger page sizes can significantly improve the performance of programs using large amounts of memory. Large pages must be mapped to addresses that are multiples of the page size. Use the pagesize command to display all supported page sizes.

# pagesize -a

8192

65536

524288

4194304

Swapping does not typically occur in the Solaris OS. However, the requirement within the Solaris OS to reserve swap space prior to executing any process, makes it necessary that some amount of swap space is available. The required amount of swap space varies from system to system. The amount of available swap space must satisfy two criteria:

• It must be sufficient to supplement physical RAM to meet the needs of concurrently running processes.

• It must be sufficient to hold a crash dump (in a single slice).


Configuring Swap Space

The swap command provides a method of adding, deleting, and monitoring the swap areas used by the kernel. Swap area changes made from the command line are not permanent and are lost after a reboot. To create permanent additions to the swap space, create an entry in the /etc/vfstab file. The entry in the /etc/vfstab file is added to the swap space at each reboot.

Displaying the Current Swap Configuration

Figure 4-3 shows the relationship between the used swap space, which consists of allocated and reserved swap spaces, and the available swap space.

Figure 4-3 Swap Space Allocation (figure not reproduced; the total swap allocation reported by swap -s is divided into Allocated, Reserved, and Available. Memory paging affects the amount of memory allocated space. Task activation affects the amount of memory reserved space. Arrow up: swap -d subtracts the amount of available swap space. Arrow down: swap -a adds the amount of available swap space.)


To view the current swap space allocation, complete the following steps:

1. List a summary of the system’s virtual swap space.

# swap -s

total: 41776k bytes allocated + 5312k reserved = 47088k used, 881536k available

2. List the details of the system’s physical swap areas.

# swap -l

swapfile dev swaplo blocks free

/dev/dsk/c0t0d0s1 136,9 16 1048304 1048304

Note – There can be a discrepancy in available and free swap space size between the swap -s and swap -l outputs. The swap -s output does not take into account pre-allocated swap space that has not yet been used by a process.


Adding Swap Space

When the swap space requirements of the system exceed the current swap space available, you can use the following procedures to add additional swap space to your system.

Adding Swap Slices

To add a swap slice, complete the following steps:

1. Edit the /etc/vfstab file to add information describing the swap slice.

# vi /etc/vfstab

#device device mount FS fsck mount mount

#to mount to fsck point type pass at boot options

...

2. Add the following line to create the swap slice.

/dev/dsk/c1t3d0s1 - - swap - no -

3. Use the swap -a command to add additional swap area.

# swap -a /dev/dsk/c1t3d0s1

Note – When the system is subsequently rebooted, the new swap slice, /dev/dsk/c1t3d0s1, is automatically included as part of the swap space as a result of adding the entry to the /etc/vfstab file.

Adding Swap Files

To add a swap file, complete the following steps:

1. Identify a file system that has adequate space to create an additional swap file, preferably on another drive.

2. Make a directory to hold the swap file.

# mkdir -p /usr/local/swap

3. Create a 20-Mbyte swap file named swapfile in the /usr/local/swap directory.

# mkfile 20m /usr/local/swap/swapfile


4. Add the swap file to the system’s swap space.

# swap -a /usr/local/swap/swapfile

5. List the details of the modified system swap space.

# swap -l

swapfile dev swaplo blocks free

/dev/dsk/c0t0d0s1 136,9 16 1048304 1048304

/usr/local/swap/swapfile - 16 40944 40944

6. List a summary of the modified system swap space.

# swap -s

total: 41672k bytes allocated + 5416k reserved = 47088k used, 901200k available

7. To use a swap file when the system is subsequently rebooted, add an entry for the swap file in the /etc/vfstab file.

# vi /etc/vfstab

#device device mount FS fsck mount mount

#to mount to fsck point type pass at boot options

...

/usr/local/swap/swapfile - - swap - no -

Removing Swap Space

If you no longer need the additional swap space, you can delete the swap space by removing the additional swap slices and swap files.

Removing Swap Slices

To remove a swap slice, complete the following steps:

1. Delete a swap slice from the current swap configuration.

# swap -d /dev/dsk/c1t3d0s1

2. To prevent the swap slice from being configured as part of the swap configuration during a reboot or change of run level, edit the /etc/vfstab file, and remove the swap slice entry from the file.


Removing Swap Files

To remove a swap file, complete the following steps:

1. Delete a swap file from the current swap configuration.

# swap -d /usr/local/swap/swapfile

2. Remove the file to free the disk space that it is occupying.

# rm /usr/local/swap/swapfile

3. To prevent the swap file from being configured as part of the swap configuration during a reboot or change of run level, edit the /etc/vfstab file, and remove the swap file entry.

Note – The output of the df -h command shows the space used by the swap file until it is removed.
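Because swap -a and swap -d change only the running configuration while /etc/vfstab decides what is configured at reboot, the two can drift apart after the add and remove procedures above. The following script is an added example, not part of the student guide: it compares swap -l output with the swap entries of a vfstab file and converts the 512-byte block counts to Kbytes. The sample inputs are constructed from the listings in this module, the function names are hypothetical, and a POSIX shell and awk are assumed.

```shell
#!/bin/sh
# Added example: detect drift between the running swap configuration
# (swap -l) and the persistent configuration (/etc/vfstab).
# Assumes a POSIX shell and awk; on Solaris 10 substitute nawk or
# /usr/xpg4/bin/awk for awk.

# Constructed sample of `swap -l` output, using values from this module.
sample_swap_l() {
    cat <<'EOF'
swapfile             dev  swaplo blocks   free
/dev/dsk/c0t0d0s1   136,9     16 1048304 1048304
/usr/local/swap/swapfile  -   16   40944   40944
EOF
}

# Constructed sample vfstab: the swap file was added with swap -a but has
# no entry, and the c1t3d0s1 entry remains although the slice is not active.
sample_vfstab() {
    cat <<'EOF'
#device device mount FS fsck mount mount
#to mount to fsck point type pass at boot options
/dev/dsk/c0t0d0s1 - - swap - no -
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 / ufs 1 no -
swap - /tmp tmpfs - yes -
/dev/dsk/c1t3d0s1 - - swap - no -
EOF
}

# swap_drift SWAP_L_FILE VFSTAB_FILE
# Prints "not-persistent <path>" for active areas missing from vfstab and
# "not-active <path>" for vfstab swap entries that are not currently in use.
swap_drift() {
    awk '
        FILENAME == ARGV[1] {
            # swap -l: skip the header line, column 1 is the swap area
            if (FNR > 1 && NF >= 5) active[$1] = 1
            next
        }
        /^[ \t]*#/ || NF < 7 { next }        # comments and short lines
        $4 == "swap" { persistent[$1] = 1 }  # FS type swap, not tmpfs on swap
        END {
            for (a in active)
                if (!(a in persistent)) print "not-persistent " a
            for (p in persistent)
                if (!(p in active)) print "not-active " p
        }
    ' "$1" "$2" | sort
}

# swap_sizes_kb SWAP_L_FILE
# Prints "<path> <Kbytes>"; swap -l reports sizes in 512-byte blocks.
swap_sizes_kb() {
    awk 'NR > 1 && NF >= 5 { printf "%s %d\n", $1, $4 / 2 }' "$1"
}

# Run both checks against the constructed samples.
audit_samples() {
    audit_tmp=$(mktemp -d) || return 1
    sample_swap_l > "$audit_tmp/swap_l"
    sample_vfstab > "$audit_tmp/vfstab"
    swap_drift "$audit_tmp/swap_l" "$audit_tmp/vfstab"
    swap_sizes_kb "$audit_tmp/swap_l"
    rm -rf "$audit_tmp"
}

audit_samples
```

On a live system, save the output of swap -l to a file and pass it with /etc/vfstab to swap_drift. The 20472-Kbyte size reported for the swap file is the 20-Mbyte mkfile size (20480 Kbytes) less the 16-block swaplo offset.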


Performing the Exercises

You have the option to complete any one of three versions of a lab. To decide which to choose, consult the following descriptions of the levels:

• Level 1 – This version of the lab provides the least amount of guidance. Each bulleted paragraph provides a task description, but you must determine your own way of accomplishing each task.

• Level 2 – This version of the lab provides more guidance. Although each step describes what you should do, you must determine which commands (and options) to input.

• Level 3 – This version of the lab is the easiest to accomplish because each step provides exactly what you should input to the system. This level also includes the task solutions for all three levels.


Exercise: Managing swap Utility Configuration (Level 1)

In this exercise, you add and remove a swap space.

Preparation

To prepare for this exercise:

• Each student will configure swap space on their assigned workstation.

• Each student should unconfigure the additional swap space before exiting the lab exercise.

• Make sure that the /usr/local/swap directory exists on your system.

• All students use disk slice 1 on their systems for this exercise.

Note – The actual swap statistics will vary depending on the configuration of each system.

To support disk requirements for the remaining labs in this course, partition the second disk using the information in Table 4-1.

Table 4-1 Partition Information

Slice  Size         Use
0      512 Mbytes   Swap/dump
1      900 Mbytes   Root (/) mirror
3      20 Mbytes    State database replica
4      20 Mbytes    State database replica
5      3000 Mbytes  File system/Flash
6      0 Mbytes     Unassigned
7      0 Mbytes     Unassigned

Tasks

Perform the following tasks:

• Obtain a report of the swap space usage on the system.

• List the swap areas that are configured on the system.

• Configure additional swap space using a swap file.

• Configure additional swap space using a disk partition.

• Unconfigure the additional swap space.


Exercise: Managing swap Utility Configuration (Level 2)

In this exercise, you add and remove a swap space.

Preparation

To prepare for this exercise:

• Each student will configure swap space on their assigned workstation.

• Each student should unconfigure the additional swap space before exiting the lab exercise.

• Make sure that the /usr/local/swap directory exists on your system.

• All students use disk slice 1 on their systems for this exercise.

Note – The actual swap statistics will vary depending on the configuration of each system.

To support disk requirements for the remaining labs in this course, partition the second disk using the information in Table 4-2.

Table 4-2 Partition Information

Slice  Size         Use
0      512 Mbytes   Swap/dump
1      900 Mbytes   Root (/) mirror
3      20 Mbytes    State database replica
4      20 Mbytes    State database replica
5      3000 Mbytes  File system/Flash
6      0 Mbytes     Unassigned
7      0 Mbytes     Unassigned

Task Summary

Perform the following tasks:

• Obtain a report of the swap space usage on the system.

• List the swap areas that are configured on the system.

• Configure additional swap space using a swap file.

• Configure additional swap space using a disk partition.

• Unconfigure the additional swap space.

Tasks

To determine the amount of disk space used by a swapfs file system, complete the following steps:

1. Run the swap -s command.

What is the total number of bytes actually allocated and currently in use?

_____________________________________________________________

What is the number of bytes allocated and not currently in use, but reserved by processes for possible future use?

_____________________________________________________________

What is the total amount of swap space, both allocated and reserved?

_____________________________________________________________

What is the total swap space currently available for future reservation and allocation?

_____________________________________________________________


2. Run the swap -l command.

List the physical swap area configured on your system.

_____________________________________________________________

How much total swap space is in the listed swap device?

_____________________________________________________________

How much space is available for the listed device?

_____________________________________________________________

3. Run the df -h command.

Does the /usr file system have sufficient space to add 20 Mbytes of swap space?

_____________________________________________________________

4. Create the /usr/local/swap directory if it does not already exist.

_____________________________________________________________

5. Create a 20-Mbyte swap file in the /usr/local/swap directory, and add it to the system swap space.

_____________________________________________________________

6. Use the swap -l command to verify that the new swap space is available.

_____________________________________________________________

7. Use the swap -s command to verify that the new swap space is available.

How does the output differ between the swap -l command and the swap -s command?

_____________________________________________________________

8. Remove the swap file created in step 4.

9. Use the swap utility to verify that the swap space is no longer available.

10. Add a disk partition as a swap slice to your existing swap space.

11. Add the new swap partition to the /etc/vfstab file to make the partition permanent. To verify this change, you must reboot the system.

12. After the reboot, verify that the additional swap space exists by using the swap utility.

Is the newly listed swap partition the same as the one you added to the /etc/vfstab file?

_____________________________________________________________


13. Verify the additional swap space exists using the df -h command.

Why is the newly created swap space listed in the /etc/vfstab file not listed in the output of the df -h command?

_____________________________________________________________

14. To return the system to its initial swap configuration, remove the additional swap space using the swap -d command.

15. So that the system maintains its initial swap configuration after rebooting, remove the additional swap space entry from the /etc/vfstab file.

16. Verify that the additional swap space was unconfigured using the swap -l command.


Exercise: Managing swap Utility Configuration (Level 3)

In this exercise you add and remove a swap space.

Preparation

To prepare for this exercise:

• Each student will configure swap space on their assigned workstation.

• Each student should unconfigure the additional swap space before exiting the lab exercise.

• Make sure that the /export directory exists on your system.

• All students use disk slice 1 on their systems for this exercise.

Note – The actual swap statistics will vary depending on the configuration of each system.

To support disk requirements for the remaining labs in this course, partition the second disk using the information in Table 4-3.

Table 4-3 Partition Information

Slice  Size         Use
0      512 Mbytes   Swap/dump
1      900 Mbytes   Root (/) mirror
3      20 Mbytes    State database replica
4      20 Mbytes    State database replica
5      3000 Mbytes  File system/Flash
6      0 Mbytes     Unassigned
7      0 Mbytes     Unassigned

Task Summary

Perform the following tasks:

• Obtain a report of the swap space usage on the system.

• List the swap areas that are configured on the system.

• Configure additional swap space using a swap file.

• Configure additional swap space using a disk partition.

• Unconfigure the additional swap space.

Tasks and Solutions

This section describes the tasks you must perform, and lists the solutions to these tasks. To determine the amount of disk space used by a swapfs file system, complete the following steps:

1. Run the swap -s command.

# swap -s
total: 57840k bytes allocated + 6680k reserved = 64520k used, 637696k available

What is the total number of bytes actually allocated and currently in use?

57,840 Kbytes

What is the number of bytes allocated and not currently in use but reserved by processes for possible future use?

6,680 Kbytes

What is the total amount of swap space, both allocated and reserved?

64,520 Kbytes

What is the total swap space currently available for future reservation and allocation?

637,696 Kbytes


2. Run the swap -l command.

# swap -l
swapfile           dev    swaplo  blocks    free
/dev/dsk/c0t0d0s1  136,9      16 1049312 1049312

List the physical swap area configured on your system.

/dev/dsk/c0t0d0s1

How much total swap space is in the listed swap device?

1,049,312 blocks

How much space is available for the listed device?

1,049,312 blocks

3. Run the df -h command.

# df -h
Filesystem          size  used  avail  capacity  Mounted on
/dev/dsk/c0t0d0s0   883M  109M   721M     14%    /
/devices              0K    0K     0K      0%    /devices
ctfs                  0K    0K     0K      0%    /system/contract
proc                  0K    0K     0K      0%    /proc
mnttab                0K    0K     0K      0%    /etc/mnttab
swap                623M  368K   623M      1%    /etc/svc/volatile
objfs                 0K    0K     0K      0%    /system/object
/dev/dsk/c0t0d0s6   3.0G  2.4G   568M     82%    /usr
fd                    0K    0K     0K      0%    /dev/fd
/dev/dsk/c0t0d0s3   1.8G   94M   1.7G      6%    /var
swap                623M  104K   623M      1%    /var/run
swap                623M  304K   623M      1%    /tmp
/dev/dsk/c0t0d0s7   441M  1.0M   396M      1%    /export/home

Does the /usr file system have sufficient space to add 20 Mbytes of swap space?

Yes

4. Create the /usr/local/swap directory, if it does not already exist.

# mkdir -p /usr/local/swap

5. Create a 20-Mbyte swap file in the /usr/local/swap directory, and add it to the system swap space.

# mkfile 20m /usr/local/swap/swapfile

# swap -a /usr/local/swap/swapfile


6. Use the swap -l command to verify that the new swap space is available.

# swap -l
swapfile                  dev    swaplo  blocks    free
/dev/dsk/c0t0d0s1         136,9      16 1049312 1049312
/usr/local/swap/swapfile  -          16   40944   40944

7. Use the swap -s command to verify that the new swap space is available.

# swap -s
total: 47336k bytes allocated + 6136k reserved = 53472k used, 660552k available

How does the output differ between the swap -l command and the swap -s command?

The swap -l command output is a listing of each space, whereas the swap -s command output only produces a cumulative report.

8. Remove the swap file created in step 4.

# swap -d /usr/local/swap/swapfile

# rm /usr/local/swap/swapfile

9. Use the swap utility to verify that the swap space is no longer available.

# swap -l
swapfile           dev    swaplo  blocks    free
/dev/dsk/c0t0d0s1  136,9      16 1049312 1049312

# swap -s
total: 47408k bytes allocated + 6064k reserved = 53472k used, 640056k available

10. Add a disk partition as a swap slice to your existing swap space.

# swap -a /dev/dsk/c#t#d#s1

11. Add the new swap partition to the /etc/vfstab file to make the partition permanent. To verify this change, you must reboot the system.

# vi /etc/vfstab

(add entry that matches your configuration)

/dev/dsk/c#t#d#s1 - - swap - no -

# init 6


12. After the reboot, verify that the additional swap space exists by using the swap utility.

# swap -l
swapfile           dev    swaplo  blocks    free
/dev/dsk/c0t0d0s1  136,9      16 1049312 1049312
/dev/dsk/c1t3d0s1  32,33      16 1052144 1052144

Is the newly listed swap partition the same as the one you added to the /etc/vfstab file?

Yes

13. Verify the additional swap space exists using the df -h command.

Why is the newly created swap space listed in the /etc/vfstab file not listed in the output of the df -h command?

The df -h output does not produce an entry for the additional swap utility devices; however, the added swap space is reflected in the total swap space.

14. To return the system to its initial swap configuration, remove the additional swap space using the swap -d command.

# swap -d /dev/dsk/c#t#d#s1

15. So that the system maintains its initial swap configuration after rebooting, remove the additional swap space entry from the /etc/vfstab file.

# vi /etc/vfstab

16. Verify that the additional swap space was unconfigured using the swap -l command.

# swap -l
swapfile           dev    swaplo  blocks    free
/dev/dsk/c0t0d0s1  136,9      16 1049312 1049312
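The check that the Removing Swap Files procedure and the exercise steps perform by eye, as an added example (not part of the student guide): it reads captured swap -l output and a copy of /etc/vfstab, converts the 512-byte block counts that swap -l reports to Mbytes, and lists swap areas that are active but missing from vfstab, or listed in vfstab but not active. Both inputs are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: reconcile active swap areas with the boot-time configuration.
# Both inputs are constructed samples; on a live system capture them with
# `swap -l` and `cat /etc/vfstab`. Function names are hypothetical.

# Constructed state: the original slice plus the lab's 20-Mbyte swap file.
SWAP_L='swapfile                  dev    swaplo  blocks    free
/dev/dsk/c0t0d0s1         136,9      16 1049312 1049312
/usr/local/swap/swapfile  -          16   40944   40944'

# Constructed vfstab with a leftover entry for a slice removed with swap -d.
# The tmpfs line names "swap" as its device but is not a swap area.
VFSTAB='#device            device   mount  FS     fsck  mount    mount
#to mount          to fsck  point  type   pass  at boot  options
/dev/dsk/c0t0d0s1  -        -      swap   -     no       -
/dev/dsk/c1t3d0s1  -        -      swap   -     no       -
swap               -        /tmp   tmpfs  -     yes      -'

# active_areas SWAP_L_TEXT: path of every configured swap area.
active_areas() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 5 { print $1 }'
}

# area_mbytes SWAP_L_TEXT: "path Mbytes" per area. swap -l counts 512-byte
# blocks, and swaplo is the block offset at which the swap area starts, so
# swaplo + blocks is the full size of the file or slice.
area_mbytes() {
    printf '%s\n' "$1" |
        awk 'NR > 1 && NF >= 5 { printf "%s %d\n", $1, ($3 + $4) * 512 / 1048576 }'
}

# vfstab_swap VFSTAB_TEXT: devices whose FS type (field 4) is swap.
vfstab_swap() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && NF >= 7 && $4 == "swap" { print $1 }'
}

# only_in_first LIST_A LIST_B: entries of A that do not appear in B.
only_in_first() {
    for a in $1; do
        found=no
        for b in $2; do
            if [ "$a" = "$b" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$a"; fi
    done
    return 0
}

# Active now, absent from vfstab: the area disappears at the next reboot.
not_persistent() {
    only_in_first "$(active_areas "$1")" "$(vfstab_swap "$2")"
}

# In vfstab, not active now: the area comes back at the next reboot.
stale_boot_entries() {
    only_in_first "$(vfstab_swap "$2")" "$(active_areas "$1")"
}

echo "Configured swap areas (Mbytes):"
area_mbytes "$SWAP_L"
echo "Active but not in vfstab:"
not_persistent "$SWAP_L" "$VFSTAB"
echo "In vfstab but not active:"
stale_boot_entries "$SWAP_L" "$VFSTAB"
```

The 20-Mbyte file shows as 40944 blocks in swap -l because the first 16 blocks are skipped; adding swaplo back gives 40960 blocks, which is exactly 20 Mbytes.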


Exercise Summary


Discussion – Take a few minutes to discuss the experiences, issues, or discoveries that you had during the lab exercises.

• Experiences

• Interpretations

• Conclusions

• Applications


Module 5

Managing Crash Dumps and Core Files

Objectives

When an operating system has a fatal error, it generates a crash dump file (crash dump). When a process has a fatal error, it generates a core file.

Upon completion of this module, you should be able to:

• Manage crash dump behavior

• Manage core file behavior

The course map in Figure 5-1 shows how this module fits into the current instructional goal.

Figure 5-1 Course Map: Managing Virtual File Systems and Core Dumps (Managing Swap Configuration; Managing Crash Dumps and Core Files; Configuring NFS; Configuring AutoFS)


Managing Crash Dump Behavior

If a fatal operating system error occurs, the operating system prints a message to the console, describing the error. The operating system then generates a crash dump by writing some of the contents of the physical memory to a predetermined dump device, which must be a local disk slice. You can configure the dump device by using the dumpadm command. After the operating system has written the crash dump to the dump device, the system reboots. The crash dump is saved for future analysis to help determine the cause of the fatal error.

The Crash Dump

If the Solaris OS kernel encounters a problem that might endanger the integrity of data or when the kernel encounters an unexpected hardware fault, the panic routine is executed. Despite its name, a system panic is a well-controlled event where memory contents are copied to a disk partition defined as a dump device. Whatever the cause, the crash dump itself provides valuable information to help your support engineer diagnose the problem.

When an operating system crashes, the savecore command is automatically executed during a boot. The savecore command retrieves the crash dump from the dump device and then writes the crash dump to a pair of files in your file system:

• The savecore command places kernel core information in the /var/crash/nodename/vmcore.X file, where nodename is the name returned by uname -n, and X is an integer identifying the dump.

• The savecore command places name list information and symbol table information in the /var/crash/nodename/unix.X file.

Note – Within the crash dump directory, a file named bounds is created. The bounds file holds a number that is used as a suffix for the next dump to be saved.


Together, these data files form the saved crash dump. You can use the dumpadm command to configure the location of the dump device and the savecore directory.

A dump device is usually disk space that is reserved to store system crash dump information. By default, a system’s dump device is configured to be a swap slice. If possible, you should configure an alternate disk partition as a dedicated dump device to provide increased reliability for crash dumps and faster reboot time after a system failure.

Displaying the Current Dump Configuration

To view the current dump configuration, enter the dumpadm command without arguments, as shown in the following example:

# dumpadm
      Dump content: kernel pages
       Dump device: /dev/dsk/c0t0d0s1 (swap)
Savecore directory: /var/crash/sys-02
  Savecore enabled: yes

The previous example shows the set of default values:

• The dump content is set to kernel memory pages only

• The dump device is a swap disk partition

• The directory for savecore files is set to /var/crash/sys-02

• The savecore command is set to run automatically on reboot

The following example shows that the current configuration is located in the /etc/dumpadm.conf file:

# cat /etc/dumpadm.conf

#

# dumpadm.conf

#

# Configuration parameters for system crash dump.

# Do NOT edit this file by hand -- use dumpadm(1m) instead.

#

DUMPADM_DEVICE=/dev/dsk/c0t0d0s1

DUMPADM_SAVDIR=/var/crash/sys-02

DUMPADM_CONTENT=kernel

DUMPADM_ENABLE=yes


Changing the Crash Dump Configuration

The dumpadm command manages the configuration of the operating system crash dump facility.

Note – Perform all modifications to the crash dump configuration by using the dumpadm command, rather than attempting to edit the /etc/dumpadm.conf file. Editing the file might result in an inconsistent system dump configuration.

The syntax of the dumpadm command is:

/usr/sbin/dumpadm [-nuy] [-c content-type] [-d dump-device]
    [-m mink | minm | min%] [-s savecore-dir] [-r root-dir]

where:

-n  Modifies the dump configuration so it does not run the savecore command automatically on reboot.

-u  Forcibly updates the kernel dump configuration based on the contents of the /etc/dumpadm.conf file.

-y  Modifies the dump configuration so that the savecore command is run automatically on reboot. This is the default.

-c content-type  Specifies the contents of the crash dump. The content-type can be kernel, all, or curproc. The curproc content type includes the kernel memory pages and the memory pages of the currently executing process.

-d dump-device  Modifies the dump configuration to use the specified dump device. The dump device can be an absolute path name or swap.


-m mink
-m minm
-m min%  Creates a minfree file in the current savecore-dir directory indicating that the savecore command should maintain at least the specified amount of free space in the file system in which the savecore-dir directory is located:

• k – Indicates a positive integer suffixed with the unit k, specifying kilobytes.

• m – Indicates a positive integer suffixed with the unit m, specifying megabytes.

• % – Indicates a percent (%) symbol, indicating that the minfree value is computed as the specified percentage of the total, current size of the file system that contains the savecore-dir directory.

-r root-dir  Specifies an alternative root directory relative to which the dumpadm command should create files. If the -r argument is not specified, the default root directory “/” is used.

-s savecore-dir  Modifies the dump configuration to use the specified directory to save files written by the savecore command. The default savecore-dir directory is /var/crash/hostname, where hostname is the output of the uname -n command.


Managing Core File Behavior

When a process terminates abnormally, it typically produces a core file. You can use the coreadm command to specify the name or location of core files produced by abnormally terminating processes.

Core Files

A core file is a point-in-time copy (snapshot) of the RAM allocated to a process. The copy is written to a more permanent medium, such as a hard disk. A core file is useful in analyzing why a particular program crashed.

A core file is also a disk copy of the address space of a process, at a certain point-in-time. This information identifies items, such as the task name, task owner, priority, and instruction queue, in execution at the time that the core file was created.

When a process dumps core, the operating system can generate two copies of the core file: one copy known as the global core file and the other copy known as the per-process core file. Depending on the system options in effect, one file, both files, or no files can be generated. When generated, a global core file is created in mode 600 and is owned by the superuser. Non-privileged users cannot examine files with these permissions.

Ordinary per-process core files are created in mode 600 under the credentials of the process. The owner of the process can examine files with these permissions.


Displaying the Current Core File Configuration

You use the coreadm command without arguments to display the current configuration.

# coreadm

1 global core file pattern:

2 global core file content: default

3 init core file pattern: core

4 init core file content: default

5 global core dumps: disabled

6 per-process core dumps: enabled

7 global setid core dumps: disabled

8 per-process setid core dumps: disabled

9 global core dump logging: disabled

Note – The line numbers in the example are not part of the configuration. They are part of the example only to assist with the following description of the file.

Line 1 of the output identifies the name to use for core files placed in a global directory.

Line 2 of the output identifies that the content of core files is the default setting. The resultant core file contains all the process information pertinent to debugging.

Line 3 of the output identifies the default name that per-process core files must use. This name is set for the init process, meaning it is inherited by all other processes on the system.

Line 4 of the output indicates that the init core file content is the default content structure.

Line 5 indicates that global core files are disabled.

Line 6 indicates that core file generation in the current working directory of a process is enabled.

Line 7 indicates that generation of global core files with setuid or setgid permissions is disabled.


Line 8 indicates that generation of per-process core files with setuid or setgid permissions is disabled.

Line 9 identifies whether global core dump logging is enabled.

Caution – A process that has a setuid mode presents security issues with respect to dumping core files. The files might contain sensitive information from the process address space to which the current non-privileged owner of the process should not have access. Therefore, by default, setuid core files are not generated because of this security issue.

By viewing the /etc/coreadm.conf file, you can verify the same configuration parameters that were displayed with the coreadm command.

# cat /etc/coreadm.conf

#

# coreadm.conf

#

# Parameters for system core file configuration.

# Do NOT edit this file by hand -- use coreadm(1) instead.

#

COREADM_GLOB_PATTERN=

COREADM_GLOB_CONTENT=default

COREADM_INIT_PATTERN=core

COREADM_INIT_CONTENT=default

COREADM_GLOB_ENABLED=no

COREADM_PROC_ENABLED=yes

COREADM_GLOB_SETID_ENABLED=no

COREADM_PROC_SETID_ENABLED=no

COREADM_GLOB_LOG_ENABLED=no
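A read-only check of the settings listed above, as an added example (not Sun's code and not part of the student guide): it parses coreadm.conf text and reports deviations from the defaults this module describes, namely enabled setid core dumps, a global pattern that does not start with a forward slash, and global core dumps without logging. Both configuration samples are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare coreadm.conf content with the defaults in this module.
# Read-only: it parses text and never calls coreadm. Samples are constructed.

# The default configuration shown in this module.
DEFAULT_CONF='# coreadm.conf
COREADM_GLOB_PATTERN=
COREADM_GLOB_CONTENT=default
COREADM_INIT_PATTERN=core
COREADM_INIT_CONTENT=default
COREADM_GLOB_ENABLED=no
COREADM_PROC_ENABLED=yes
COREADM_GLOB_SETID_ENABLED=no
COREADM_PROC_SETID_ENABLED=no
COREADM_GLOB_LOG_ENABLED=no'

# A hypothetical host whose settings have drifted from the defaults.
DRIFTED_CONF='# coreadm.conf
COREADM_GLOB_PATTERN=corefiles/core
COREADM_GLOB_CONTENT=default
COREADM_INIT_PATTERN=core
COREADM_INIT_CONTENT=default
COREADM_GLOB_ENABLED=yes
COREADM_PROC_ENABLED=yes
COREADM_GLOB_SETID_ENABLED=yes
COREADM_PROC_SETID_ENABLED=yes
COREADM_GLOB_LOG_ENABLED=no'

# conf_get TEXT KEY: value assigned to KEY. The last assignment wins, and
# comment lines never match because their first field is not the key.
conf_get() {
    printf '%s\n' "$1" |
        awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }'
}

# audit_coreadm TEXT: one WARN or NOTE line per finding, no output if clean.
audit_coreadm() {
    conf=$1
    glob=$(conf_get "$conf" COREADM_GLOB_ENABLED)
    pattern=$(conf_get "$conf" COREADM_GLOB_PATTERN)

    # The module states that setid core dumps are off by default because the
    # dumped address space can hold data the process owner must not read.
    if [ "$(conf_get "$conf" COREADM_GLOB_SETID_ENABLED)" = yes ]; then
        echo "WARN global-setid enabled: setuid/setgid processes dump core to the global path"
    fi
    if [ "$(conf_get "$conf" COREADM_PROC_SETID_ENABLED)" = yes ]; then
        echo "WARN proc-setid enabled: setuid/setgid processes dump per-process core files"
    fi

    if [ "$glob" = yes ]; then
        # The global pattern must start with a forward slash.
        case $pattern in
            /*) ;;
            *) echo "WARN global pattern '$pattern' does not start with /" ;;
        esac
        # The log option is what produces a syslog message for global cores.
        if [ "$(conf_get "$conf" COREADM_GLOB_LOG_ENABLED)" != yes ]; then
            echo "NOTE global core dumps enabled without logging: no syslog message is generated"
        fi
    fi
    return 0
}

echo "default configuration:"
audit_coreadm "$DEFAULT_CONF"
echo "drifted configuration:"
audit_coreadm "$DRIFTED_CONF"
```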


Changing the Core File Configuration

The coreadm command allows you to control core file generation behavior. For example, you can use the coreadm command to configure a system so that all process core files are placed in a single system directory.

The flexibility of this configuration makes it easier to track problems by examining the core files in a specific directory whenever a process or daemon terminates abnormally. This flexibility also makes it easy to locate and remove core files on a system.

Note – You should make all modifications to the coreadm configuration at the command line by using the coreadm command instead of editing the /etc/coreadm.conf file.

You can enable or disable two configurable core file paths, per-process and global, separately. If a global core file path is enabled and set to /corefiles/core, for example, then each process that terminates abnormally produces two core files: one in the current working directory, and one in the /corefiles/core directory.

Note – If the directory defined in the global core file path does not exist, you must create it.

Users can run the coreadm command with the -p option to specify the file name pattern for the operating system to use when generating a per-process core file.

coreadm [-p pattern] [pid]...

Only the root user can run the following coreadm command options to configure system-wide core file options.

coreadm [-g pattern] [-i pattern] [-d option ... ] [-e option ... ]

“The coreadm Command Options” describes the core file options.


The coreadm Command Options

The following are some options to the coreadm command.

Note – A regular user can use only the -p option; the superuser can use all options.

-i pattern  Sets the per-process core file name pattern from init to pattern. This option is the same as the coreadm -p pattern 1 command, except that the setting is persistent after a reboot.

-e option  Enables the specified core file option, where option is:

• global – Enables core dumps by using the global core pattern.

• process – Enables core dumps by using the per-process core pattern.

• global-setid – Enables setid core dumps by using the global core pattern.

• proc-setid – Enables setid core dumps by using the per-process core pattern.

• log – Generates a syslog(3) message when a user attempts to generate a global core file.

-d option  Disables the specified core file option; see the -e option for descriptions of possible options. You can specify multiple -e and -d options by using the command line.

-u  Updates system-wide core file options from the contents of the configuration file /etc/coreadm.conf. If the configuration file is missing or contains invalid values, default values are substituted. Following the update, the configuration file is resynchronized with the system core file configuration.

-g pattern  Sets the global core file name pattern to pattern. The pattern must start with a forward slash (/), and can contain any of the special embedded variables described in Table 5-1.


A core file name pattern is a file system path name with embedded variables. The embedded variables are specified with a leading percent (%) character. The operating system expands these variables from values in effect when the operating system generates a core file. The possible variables are listed in Table 5-1.

-p pattern    Sets the per-process core file name pattern to pattern for each of the specified process IDs (PIDs). The pattern can contain any of the special embedded variables described in Table 5-1 and does not have to begin with a forward slash (/). If pattern does not begin with “/”, it is evaluated relative to the current directory in effect when the process generates a core file.

              A non-privileged user can only apply the -p option to processes owned by that user. The superuser can apply the -p option to any process.

-G content    Sets the global core file content. You specify content by using pattern options listed in Table 5-1.

Table 5-1 Pattern Options for the coreadm Command

Option    Meaning
%p        PID
%u        Effective user ID (EUID)
%g        Effective group ID (EGID)
%f        Executable file name
%n        System node name (uname -n)
%m        Machine hardware name (uname -m)
%t        The time in seconds since midnight January 1, 1970
%d        Executable file directory/name
%z        Zone name
%%        Literal %


Examples of the coreadm Command

Example 1 – Setting the Core File Name Pattern as a Regular User

When executed from a user’s $HOME/.profile or $HOME/.login file, the following entry sets the core file name pattern for all processes run during the login session:

coreadm -p core.%f.%p $$

Note – The $$ variable is the PID of the currently running shell. The per-process core file name pattern is inherited by all child processes.

Example 2 – Dumping a User’s Core Files Into a Subdirectory

The following command places all of the user’s core files into the corefiles subdirectory of the user’s home directory, differentiated by the system node name. This example is useful for users who use many different systems, but share a single home directory across multiple systems.

$ coreadm -p $HOME/corefiles/%n.%f.%p $$

Example 3 – Enabling and Setting the Core File Global Name Pattern

The following is an example of setting system-wide parameters that add the executable file name and PID to the name of any core file that is created:

# coreadm -g /var/core/core.%f.%p -e global

For example, the core file name pattern /var/core/core.%f.%p causes the xyz program with PID 1234 to generate the core file /var/core/core.xyz.1234.

Note – In the above coreadm examples, the corefiles file and the core directory must be created manually. The coreadm command does not create them automatically.


To verify that this parameter is now part of the core file configuration, run the coreadm command again:

# coreadm 

global core file pattern: /var/core/core.%f.%p

global core file content: default

init core file pattern: core

init core file content: default

global core dumps: enabled

per-process core dumps: enabled

global setid core dumps: disabled

per-process setid core dumps: disabled

global core dump logging: disabled

Example 4 – Checking the Core File Configuration for Specific PIDs

Running the coreadm command with a list of PIDs reports each process’s per-process core file name pattern, for example:

# coreadm 228 507

228: core default

507: /usr/local/swap/corefiles/%n.%f.%p default

Only the owner of a process or the superuser can query a process by using the coreadm command with a list of PIDs.

Example 5 – Setting up the System to Produce Core Files in the Global Repository only if the executables were run from /usr/bin or /usr/sbin

# mkdir -p /var/core/usr/bin

# mkdir -p /var/core/usr/sbin

# coreadm -G all -g /var/core/%d/%f.%p.%n

When using the all option in the previous command, examples of the core file content include:

anon = anonymous private maps

data = writable private file mapping

stack = process stack

symtab = symbol table sections for loaded object files
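The following Python sketch is an added example, not part of the original guide: it expands the Table 5-1 variables for one process and models the rule that coreadm never creates directories, which is what makes Example 5 restrict global core files to /usr/bin and /usr/sbin. The process attributes are constructed, and %d is assumed to be the directory part of the executable path, as Example 5 implies.

```python
import posixpath

# Constructed sample process attributes; every value is made up for this example.
SAMPLE_PROC = {
    "pid": 1234, "euid": 100, "egid": 10,
    "exe": "/usr/bin/xyz",          # full path of the executable
    "node": "sys-02", "machine": "sun4u",
    "time": 1099516944, "zone": "global",
}


def expand_core_pattern(pattern, proc):
    """Expand the embedded % variables of Table 5-1 for one process."""
    values = {
        "p": str(proc["pid"]),
        "u": str(proc["euid"]),
        "g": str(proc["egid"]),
        "f": posixpath.basename(proc["exe"]),
        # Assumption: %d is the directory of the executable (see Example 5).
        "d": posixpath.dirname(proc["exe"]),
        "n": proc["node"],
        "m": proc["machine"],
        "t": str(proc["time"]),
        "z": proc["zone"],
        "%": "%",
    }
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "%" and i + 1 < len(pattern):
            key = pattern[i + 1]
            if key not in values:
                raise ValueError("unknown variable %%%s in pattern" % key)
            out.append(values[key])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def per_process_core_path(pattern, proc, cwd):
    """A per-process pattern without a leading / is relative to the cwd."""
    return posixpath.normpath(
        posixpath.join(cwd, expand_core_pattern(pattern, proc)))


def global_core_path(pattern, proc, existing_dirs):
    """Return the global core file path, or None if no file would be written.

    existing_dirs is the set of directories that exist on the system;
    a missing target directory means no core file is produced.
    """
    if not pattern.startswith("/"):
        raise ValueError("the global pattern must start with /")
    path = posixpath.normpath(expand_core_pattern(pattern, proc))
    if posixpath.dirname(path) not in existing_dirs:
        return None
    return path


if __name__ == "__main__":
    dirs = {"/var/core/usr/bin", "/var/core/usr/sbin"}
    pattern = "/var/core/%d/%f.%p.%n"
    print(global_core_path(pattern, SAMPLE_PROC, dirs))
    other = dict(SAMPLE_PROC, exe="/opt/app/bin/xyz")
    print(global_core_path(pattern, other, dirs))
```
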


Performing the Exercises

You have the option to complete any one of three versions of a lab. To decide which to choose, consult the following descriptions of the levels:

• Level 1 – This version of the lab provides the least amount of guidance. Each bulleted paragraph provides a task description, but you must determine your own way of accomplishing each task.

• Level 2 – This version of the lab provides more guidance. Although each step describes what you should do, you must determine which commands (and options) to input.

• Level 3 – This version of the lab is the easiest to accomplish because each step provides exactly what you should input to the system. This level also includes the task solutions for all three levels.


Exercise: Collecting the Crash Dump and Core Dump (Level 1)

In this exercise, you configure crash dumps and core files.

Preparation

To prepare for this exercise, refer to the material in the module. Partitioning of the second disk in the previous module is a prerequisite to this lab.

Tasks

Perform the following tasks:

• Use the dumpadm command to view the current dump configuration.

• Use the dumpadm command to change the current dump configuration to a new swap partition.

• Collect a pair of crash dump files.

• Use the coreadm command to view the default configuration for potential core files.

• Configure the system to collect global and per-process core files.

• Collect a global and a per-process core file.


Exercise: Collecting the Crash Dump and Core Dump (Level 2)

In this exercise, you configure crash dumps and core files.

Preparation

To prepare for this exercise, refer to the material in the module. Partitioning of the second disk in the previous module is a prerequisite to this lab.

Task Summary

In this exercise, you perform the following tasks:

• Use the dumpadm command to view the current dump configuration.

• Use the dumpadm command to change the current dump configuration to a new swap partition.

• Collect a pair of crash dump files.

• Use the coreadm command to view the default configuration for potential core files.

• Configure the system to collect global and per-process core files.

• Collect a global and a per-process core file.


Tasks

Perform the following tasks.

Task 1 – Using the dumpadm Command to Display the Core File Directory Location

Complete the following steps:

1. Use the dumpadm command without arguments to view the current dump configuration.

2. Fill in the configuration parameters from the output:

Dump content: _______________________________________________

Dump device: ________________________________________________

The savecore directory: _______________________________________

Is savecore enabled? _________________________________________

3. Use the dumpadm command to change the dump device to the external disk drive slice 5.

4. Run the sync command to flush all previously unwritten system buffers out to disk, ensuring that all file modifications up to that point are saved.

5. Force the kernel to save a live snapshot of the running system and write out a new set of crash dump files by using the savecore -L command.

6. Make sure the crash dump succeeded by using the file command on the files of the savecore directory.

Task 2 – Using the coreadm Command to Display Default Configuration for Potential Core Files

Complete the following steps:

1. Use the coreadm command to display the default initial configuration.

2. Create the core file directory, and enable a global core file path.

3. Turn on logging to generate a message when a global core file is attempted.

4. Display the configuration information to verify the changes.


5. In another terminal window, create a new directory named /var/tmp/dir, and change to that directory.

6. Run the pwd command to see the current working directory.

7. Run the ps command to get the PID of the new shell, and send a SIGFPE signal (Signal 8) to the new shell by using the kill command. (The SIGFPE signal forces a core file.)

Note – The kill -8 command terminates the shell and the terminal window in which it is executed.

8. In the original terminal window, check to see if a core file exists in the current working directory of the old shell. Use the file command to verify that the core file is from the old shell.

9. Use the ls command to check for a core file in the /var/core directory.

10. Observe the messages generated in the console window and the /var/adm/messages file due to coreadm logging being enabled.


Exercise: Collecting the Crash Dump and Core Dump (Level 3)

In this exercise, you configure crash dumps and core files.

Preparation

To prepare for this exercise, refer to the material in the module. Partitioning of the second disk in the previous module is a prerequisite to this lab.

Task Summary

Perform the following tasks:

• Use the dumpadm command to view the current dump configuration.

• Use the dumpadm command to change the current dump configuration to a new swap partition.

• Collect a pair of crash dumps.

• Use the coreadm command to view the default configuration for potential core files.

• Configure the system to collect global and per-process core files.

• Collect a global and a per-process core file.


Tasks and Solutions

This section describes the tasks you must perform and lists the solutions to these tasks.

Task 1 – Using the dumpadm Command to Display the Core File Directory Location

Complete the following steps:

1. Use the dumpadm command with no arguments to view the current dump configuration.

# dumpadm 

2. Fill in the configuration parameters from the output:

Dump content: kernel pages

Dump device: /dev/dsk/c0t0d0s1 (swap)

The savecore directory: /var/crash/sys42

Is savecore enabled? Yes

3. Use the dumpadm command to change the dump device to the second disk drive slice 5.

# dumpadm -d /dev/dsk/c#t#d#s5

4. Run the sync command to flush all previously unwritten system buffers out to disk, ensuring that all file modifications up to that point will be saved.

# sync

5. Force the kernel to save a live snapshot of the running system and write out a new set of crash dump files by using the savecore -L command.

# savecore -L

6. Make sure the crash dump succeeded by using the file command on the files of the savecore directory.

The output shown should be similar to the following:

# cd /var/crash/savecore_directory 

# ls

bounds unix.0 vmcore.0

# file vmcore.0

vmcore.0: SunOS 5.10 s10_68 64-bit SPARC crash dump from ’sys-02’


Task 2 – Using the coreadm Command to Display Default Configuration for Potential Core Files

Complete the following steps:

1. Use the coreadm command to display the default initial configuration.

The command and resulting output should be similar to the following:

# coreadm 

global core file pattern:

global core file content: default

init core file pattern: core

init core file content: default

global core dumps: disabled

per-process core dumps: enabled

global setid core dumps: disabled

per-process setid core dumps: disabled

global core dump logging: disabled

2. Create the core file directory, and enable a global core file path.

# mkdir /var/core

# coreadm -e global -g /var/core/core.%f.%p

3. Turn on logging to generate a message when a global core file is attempted.

# coreadm -e log

4. Display the configuration information to verify the changes.

# coreadm 

global core file pattern: /var/core/core.%f.%p

global core file content: default

init core file pattern: core

init core file content: default

global core dumps: enabled

per-process core dumps: enabled

global setid core dumps: disabled

per-process setid core dumps: disabled

global core dump logging: enabled

5. In another terminal window, create a new directory named /var/tmp/dir, and change to that directory.

# mkdir /var/tmp/dir

# cd /var/tmp/dir


6. Run the pwd command to see the current working directory.

# pwd

/var/tmp/dir

7. Run the ps command to get the PID of the new shell, and send a SIGFPE signal (Signal 8) to the new shell by using the kill command. (SIGFPE forces a core file.)

# ps

PID TTY TIME CMD

507 pts/2 0:00 ksh

570 pts/2 0:00 ps

# kill -8 PID 

Note – The kill -8 command terminates the shell and the terminal window in which it is executed.

8. In the original terminal window, check to see if a core file exists in the current working directory of the old shell. Use the file command to verify that the core file is from the old shell.

# cd /var/tmp/dir

# ls

core

# file core

core: ELF 32-bit MSB core file SPARC Version 1, from ’sh’

9. Use the ls command to check for a core file in the /var/core directory.

# ls /var/core

core.ksh.507

10. Observe the messages generated in the console window and the /var/adm/messages file due to coreadm logging being enabled.

# tail /var/adm/messages

...

Nov 3 21:17:26 sys-02 savecore: [ID 748169 auth.error] saving system

crash dump in /var/crash/sys-02/*.0

Nov 3 21:22:24 sys-02 genunix: [ID 603404 kern.notice] NOTICE: core_log:

ksh[507] core dumped: /var/core/core.ksh.507
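The verification in steps 4 and 10 can be scripted. The following Python sketch is an added example, not part of the original lab: it parses coreadm status output, checks the three settings that Task 2 changes, and extracts core_log events from syslog lines. The sample inputs are constructed in the formats shown above, with each wrapped log entry joined onto one line.

```python
import posixpath
import re

# Constructed sample in the format of the coreadm output shown in step 4.
COREADM_OUTPUT = """\
     global core file pattern: /var/core/core.%f.%p
     global core file content: default
       init core file pattern: core
       init core file content: default
            global core dumps: enabled
       per-process core dumps: enabled
      global setid core dumps: disabled
 per-process setid core dumps: disabled
     global core dump logging: enabled
"""

# Constructed lines modelled on the /var/adm/messages excerpt in step 10.
MESSAGES = [
    "Nov 3 21:17:26 sys-02 savecore: [ID 748169 auth.error] "
    "saving system crash dump in /var/crash/sys-02/*.0",
    "Nov 3 21:22:24 sys-02 genunix: [ID 603404 kern.notice] NOTICE: "
    "core_log: ksh[507] core dumped: /var/core/core.ksh.507",
]

CORE_LOG = re.compile(
    r"^(?P<when>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s.*"
    r"core_log:\s+(?P<cmd>[^\[\s]+)\[(?P<pid>\d+)\]\s+"
    r"core dumped:\s+(?P<path>\S+)\s*$")


def parse_coreadm(text):
    """Turn 'name: value' status lines into a dictionary."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def check_lab_state(settings):
    """Return a list of problems; an empty list means Task 2 took effect."""
    problems = []
    if settings.get("global core dumps") != "enabled":
        problems.append("global core dumps are not enabled")
    if not settings.get("global core file pattern", "").startswith("/"):
        problems.append("global core file pattern is unset or not absolute")
    if settings.get("global core dump logging") != "enabled":
        problems.append("global core dump logging is not enabled")
    return problems


def core_events(lines):
    """Extract host, command, PID and path from core_log messages."""
    events = []
    for line in lines:
        match = CORE_LOG.match(line)
        if match:
            event = match.groupdict()
            event["pid"] = int(event["pid"])
            events.append(event)
    return events


def outside_global_dir(events, settings):
    """Events whose core file is not in the global pattern's directory."""
    base = posixpath.dirname(settings.get("global core file pattern", ""))
    if not base or "%" in base:
        return []  # no fixed directory to compare against
    return [e for e in events if posixpath.dirname(e["path"]) != base]


if __name__ == "__main__":
    config = parse_coreadm(COREADM_OUTPUT)
    print(check_lab_state(config) or "configuration matches the lab")
    for event in core_events(MESSAGES):
        print("%(host)s: %(cmd)s[%(pid)d] -> %(path)s" % event)
```
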


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

• Experiences

• Interpretations

• Conclusions

• Applications


Module 6

Configuring NFS

Objectives

The Network File System (NFS) is a client-server service that lets users view, store, and update files on a remote computer as though they were on their own local computer.

Upon completion of this module, you should be able to:

• Describe the benefits of NFS

• Describe the fundamentals of the NFS distributed file system

• Manage an NFS server

• Manage an NFS client

• Enable the NFS server logging

• Manage NFS with the Solaris™ Management Console storage folder tools

• Troubleshoot NFS errors

The course map in Figure 6-1 shows how this module fits into the current instructional goal.

Figure 6-1 Course Map

[Figure: course map for the instructional goal “Managing Virtual File Systems and Core Dumps”, showing the modules Managing Swap Configuration, Managing Crash Dumps and Core Files, Configuring NFS, and Configuring AutoFS.]


Introducing the Benefits of NFS

The NFS service enables computers of different architectures running different operating systems to share file systems across a network.

You can implement the NFS environment on different operating systems (OS) because NFS defines an abstract model of a file system. Each operating system applies the NFS model to its file system semantics. For example, NFS file system operations, such as reading and writing, work as if they were accessing a local file.

Some of the benefits of the NFS service are that it:

• Allows multiple computers to use the same files, because all users on the network can access the same data

• Reduces storage costs by sharing applications on computers instead of allocating local disk space for each user application

• Provides data consistency and reliability, because all users can read the same set of files

• Supports heterogeneous environments, including those found on a personal computer (PC)

• Reduces system administration overhead

Note – The NFS was developed by Sun Microsystems and is recognized as a file server standard. Its protocol uses the Remote Procedure Call (RPC) method of communication between computers on the Internet. Other sources of information for NFS are found at http://docs.sun.com/app/docs/prod/solaris.10#hic, and http://www.citi.umich.edu for information about porting NFSv4 to Linux.


Benefits of Centralized File Access

The NFS service lets you share a whole or partial directory tree or a file hierarchy. Instead of placing copies of commonly used files on every system, the NFS service enables you to place one copy of the files on one computer’s hard disk. All other systems can then access the files across the network. When using the NFS service, remote file systems are almost indistinguishable from local file systems.

Note – In most UNIX environments, a file hierarchy that can be shared corresponds to a file system. Because NFS functions across operating systems, and the concept of a file system might be meaningless in non-UNIX environments, the use of the term file system refers to a file hierarchy that can be shared and mounted over NFS environments.

The files are centrally located, making the same files accessible to many users and systems simultaneously. This accessibility feature is useful when giving a user access to a single home directory across multiple systems or when providing access to various applications.

Benefits of Common Software Access

Systems can share one or more centrally located software packages, reducing the disk space requirements for individual systems.

Remote file sharing is almost transparent to the user and to any application, because these resources appear as if they exist on the local system.


Introducing the Fundamentals of the NFS Distributed File System

The Solaris 10 OS supports the sharing of remote file resources and presents them to users as if they were local files and directories. The primary distributed file system (DFS) type supported by the Solaris 10 OS is NFS.

The NFS environment contains the following components:

• NFS server

• NFS client

The Solaris 10 OS supports versions 2, 3, and 4 NFS simultaneously. The default is to use NFSv4 software when sharing a directory or accessing a shared file. Version-related checks are applied whenever a client host attempts to access a server’s file share. If all hosts in the network are installed with Solaris 10 OS, then all hosts should, by default, use the NFSv4 protocols.


NFS Server

The NFS server contains file resources shared with other systems on the network. A computer acts as a server when it makes files and directories on its hard disk available to the other computers on the network.

“NFS Server Configuration” shows how files and directories on an NFS server are made available to NFS clients. The NFS server is sharing the /export/rdbms directory over NFS, as shown in Figure 6-2.

Figure 6-2 NFS Server Configuration

[Figure: the NFS server (Host 1) shares directories and disk storage with the NFS client (Host 2). Command shown on the server: Host1# share /export/rdbms]


NFS Client

The NFS client system mounts file resources shared over the network and presents the file resources to users as if they were local files.

“NFS Client Configuration” shows how an NFS client uses the files and directories shared by an NFS server. The /export/rdbms directory, shared by the NFS server, is mounted on the NFS client on the /opt/rdbms mount point. The resource mount point exists on the NFS client, and the NFS server shares the file resources with other computers on the network, as shown in Figure 6-3.

Figure 6-3 NFS Client Configuration

[Figure: the NFS server (Host 1) shares directories and disk storage with the NFS client (Host 2). Command shown on the client: Host2# mount Host1:/export/rdbms /opt/rdbms]


NFSv4

The Solaris 10 OS includes NFSv4 in addition to NFSv3 and NFSv2.

NFSv4 includes features that were not in the previous versions of NFS. These features include the following:

• Stateful connections.

• Single protocol, reducing the number of service-side daemons.

• Improved Firewall Support. NFSv4 uses the well-known port number 2049.

• Pseudo file systems which ensure the NFS client has seamless access to all exported objects on the server and that portions of a server file system that are not explicitly exported are not visible to the client. Figure 6-4 on page 6-7 shows an example.

• Strong security.

• Extended attributes.

• Delegation. In the Solaris 10 NFSv4 release, the NFS server can hand over delegation of management of a shared file to the client requesting that file. It is the server that decides whether or not to apply delegation. By delegating read or write management control to the client, this can greatly reduce the amount of network traffic that would otherwise be caused by clients making requests of the server for the current state of a shared file.

Figure 6-4 Views of the Server File System and Client File System

[Figure: the server file systems with the exported directories marked (server exports: /export_fs/local and /export_fs/projects/nfs4), beside the client view of the server’s export_fs directory, which shows local and projects/nfs4.]
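The pseudo file system rule can be modelled in a few lines. The following Python sketch is an added example, not part of the original guide: given a server directory list and its exports, it computes which directories an NFSv4 client can see, either as exported data or as pseudo nodes that only lead to an export. The directory tree is constructed, using the names from Figure 6-4.

```python
# Constructed server tree modelled on the directory names in Figure 6-4.
SERVER_DIRS = [
    "/export_fs",
    "/export_fs/local",
    "/export_fs/local/bin",
    "/export_fs/projects",
    "/export_fs/projects/nfs4",
    "/export_fs/projects/nfs4/src",
    "/export_fs/projects/nfs4x",
    "/export_fs/payroll",
]
EXPORTS = ["/export_fs/local", "/export_fs/projects/nfs4"]


def is_within(path, root):
    """True if path is root itself or lies below it (component-wise)."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def client_view(server_dirs, exports):
    """Map each client-visible directory to 'exported' or 'pseudo'.

    'exported' directories are inside an export; 'pseudo' directories are
    ancestors of an export and are visible only as a path leading to it.
    """
    view = {}
    for directory in server_dirs:
        if any(is_within(directory, export) for export in exports):
            view[directory] = "exported"
        elif any(is_within(export, directory) for export in exports):
            view[directory] = "pseudo"
    return view


def hidden_dirs(server_dirs, exports):
    """Directories that exist on the server but are not shown to clients."""
    return sorted(set(server_dirs) - set(client_view(server_dirs, exports)))


if __name__ == "__main__":
    for directory, kind in sorted(client_view(SERVER_DIRS, EXPORTS).items()):
        print("%-9s %s" % (kind, directory))
    print("hidden:", hidden_dirs(SERVER_DIRS, EXPORTS))
```

The nfs4x directory stays hidden even though its name begins with the exported nfs4 path, because the comparison is made on whole path components.
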


Managing an NFS Server

You use NFS server files, NFS server daemons, and NFS server commands to configure and manage an NFS server.

The NFS Server Files

You need several files to support NFS server activities on any computer. Table 6-1 lists these files and their functions.

Table 6-1 NFS Server Files

File                     Description
/etc/dfs/dfstab          Lists the local resources to share at boot time.
/etc/dfs/sharetab        Lists the local resources currently being shared by the NFS server. Do not edit this file.
/etc/dfs/fstypes         Lists the default file system types for remote file systems.
/etc/rmtab               Lists file systems remotely mounted by NFS clients. Do not edit this file.
/etc/nfs/nfslog.conf     Lists information defining the location of configuration logs used for NFS server logging.
/etc/default/nfslogd     Lists configuration information describing the behavior of the nfslogd daemon for NFSv2/3.
/etc/default/nfs         Contains parameter values for NFS protocols and NFS daemons.


The /etc/dfs/dfstab File

The /etc/dfs/dfstab file contains the commands that share local directories. Each line of the dfstab file consists of a share command.

# cat /etc/dfs/dfstab
# Place share(1M) commands here for automatic execution
# on entering init state 3.
#
# Issue the command 'svcadm enable network/nfs/server' to
# run the NFS daemon processes and the share commands, after adding
# the very first entry to this file.
#
# share [-F fstype] [ -o options] [-d "<text>"] <pathname> [resource]
# .e.g,
# share -F nfs -o rw=engineering -d "home dirs" /export/home2
share -F nfs -o ro -d "Shared data files" /usr/local/data
share -F nfs -o rw,root=sys-01 -d "Database files" /rdbms_files

Note – If the svc:/network/nfs/server service does not find any share commands in the /etc/dfs/dfstab file, it does not start the NFS server daemons.

The contents of the /etc/dfs/dfstab file are read when:

- The system enters the multi-user-server milestone.
- The superuser runs the shareall command. The NFS daemons must be running to share directories.
- The superuser enables the svc:/network/nfs/server service.

The /etc/dfs/sharetab File

The /etc/dfs/sharetab file stores the results of the share commands. This file contains a table of local resources currently being shared. The following example shows that two nfs resources are shared in read-only mode.

# cat /etc/dfs/sharetab
/usr/local/data - nfs ro Shared data files
/rdbms_files - nfs ro,root=sys01 Database files


The /etc/dfs/fstypes File

The /etc/dfs/fstypes file lists a system’s distributed file system types. For each distributed file system type, there is a line beginning with the file system type, which is used with the -F option of the share and mount commands. The file system type listed on the first line of this file is the default file system type when entering DFS administration commands without the -F fstypes option.

# cat /etc/dfs/fstypes
nfs NFS Utilities
autofs AUTOFS Utilities
cachefs CACHEFS Utilities

The /etc/rmtab File

The /etc/rmtab file contains a table of file systems remotely mounted by NFS clients. After a client successfully completes an NFS mount request, the mountd daemon on the server makes an entry in the /etc/rmtab file. This file also contains a line entry for each remotely mounted directory that has been successfully unmounted, except that the mountd daemon replaces the first character in the entry with the (#) character. For example:

# The format of this file follows the syntax
# hostname:fsname
# cat /etc/rmtab
sys-03:/usr/local/data
sys-02:/export/config
#ys-02:/export/config

The entries for unmounted directories, indicated with the (#) mark in the first character of the system name, are removed by the mountd daemon during a system startup.
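The sharetab and rmtab formats described above can be read together to see which clients hold mounts and whether each mount still matches a current share. The following is an added example, not part of the original guide; the sample file contents are constructed, and it assumes access lists hold plain host names written the same way as in /etc/rmtab (netgroup names are not resolved).

```python
# Constructed samples in the sharetab and rmtab formats; host names are illustrative.
SAMPLE_SHARETAB = """\
/usr/local/data - nfs ro Shared data files
/rdbms_files - nfs rw=sys-01:sys-03,root=sys-01 Database files
"""
SAMPLE_RMTAB = """\
sys-03:/usr/local/data
sys-02:/export/config
#ys-02:/export/config
sys-04:/rdbms_files
"""


def parse_sharetab(text):
    """Map each shared pathname to its options (option name -> list of clients)."""
    shares = {}
    for line in text.splitlines():
        # Fields: pathname, resource, fstype, options, description
        fields = line.split(None, 4)
        if len(fields) < 4:
            continue
        opts = {}
        for item in fields[3].split(","):
            key, _, value = item.partition("=")
            opts[key] = value.split(":") if value else []
        shares[fields[0]] = opts
    return shares


def parse_rmtab(text):
    """Return (active (host, path) pairs, number of unmounted entries)."""
    active, unmounted = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # mountd overwrote the first character when the client unmounted
            unmounted += 1
            continue
        host, sep, path = line.strip().partition(":")
        if sep:
            active.append((host, path))
    return active, unmounted


def covering_share(path, shares):
    """Return the shared pathname that equals or contains path, or None."""
    for shared in sorted(shares, key=len, reverse=True):
        if path == shared or path.startswith(shared.rstrip("/") + "/"):
            return shared
    return None


def review(sharetab_text, rmtab_text):
    """List (host, path, reason) entries that deserve a closer look."""
    shares = parse_sharetab(sharetab_text)
    active, _ = parse_rmtab(rmtab_text)
    leads = []
    for host, path in active:
        shared = covering_share(path, shares)
        if shared is None:
            leads.append((host, path, "path is not in sharetab"))
            continue
        allowed = shares[shared].get("ro", []) + shares[shared].get("rw", [])
        # No list means open to all clients; @network and .domain entries
        # cannot be resolved from these two files alone, so skip them.
        if not allowed or any(n.startswith(("@", ".")) for n in allowed):
            continue
        if host not in allowed:
            leads.append((host, path, "client is not in the ro=/rw= access list"))
    return leads


if __name__ == "__main__":
    for lead in review(SAMPLE_SHARETAB, SAMPLE_RMTAB):
        print("%s:%s  %s" % lead)
```

A lead from this check usually means the share options changed after the client mounted, or the rmtab entry is left over; it is a starting point for review, not proof of current access.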

The /etc/default/nfs File

The /etc/default/nfs file lists parameters that can be set for NFS daemon and NFS protocols. Each entry has a description of the item and the default value if the item is commented out.

Details of each entry in this file can be found in man nfs.


The NFS Server Daemons

You need several daemons to support NFS activities. These daemons can support both NFS client and NFS server activity, NFS server activity alone, or logging of the NFS server activity.

To start the NFS server daemons or to specify the number of concurrent NFS requests that can be handled by the nfsd daemon, enable the svc:/network/nfs/server service.

# svcadm -v enable nfs/server
svc:/network/nfs/server:default enabled.

If a system has entries in its /etc/dfs/dfstab file, these server daemons start when the system enters multi-user-server milestone. Table 6-2 lists the NFS server daemons.

In NFSv4, the features provided by the mountd and lockd daemons are integrated into the NFSv4 protocol. This reduces the number of daemons required on the server and makes the NFS server implementation and management easier.

In NFSv2 and NFSv3, the mount protocol is implemented by the separate mountd daemon, which did not use an assigned, well-known port number. This made it very hard to use NFS through a firewall. NFSv4 includes the mount protocol and uses the well-known port number 2049, which improves support for NFS use through a firewall.

Table 6-2 NFS Server Daemons

Daemon      Description                                                                               NFSv4
mountd      Handles file system mount requests from remote systems, and provides access control.     No
nfsd        Handles client file system requests.                                                      Yes
statd       Works with the lockd daemon to provide crash recovery functions for the lock manager.    No
lockd       Supports record locking operations on NFS files.                                          No
nfslogd     Provides operational logging for NFSv2 and 3.                                             No
nfsmapid    NFS user and group ID mapping daemon                                                      Yes


The mountd Daemon

The mountd daemon handles NFS file system mount requests from remote systems and provides access control. The mountd daemon checks the /etc/dfs/sharetab file to determine whether a particular file or directory is being shared and whether the requesting client has permission to access the shared resource.

When an NFS client issues an NFS mount request, the mount command on the client contacts the mountd daemon on the server. The mountd daemon provides a file handle to the client. File handles are client references that uniquely identify a file or directory on the server. File handles encode a file’s inode number, inode generation number, and disk device number.

In NFSv4, file handle and path name mapping is implemented in the NFSv4 protocol, removing the need for a separate mountd daemon. The mountd daemon is only required for NFSv3 and NFSv2.

The NFS client mount process writes the file handle, along with other information about the mounted resource, to the local /etc/mnttab file.

The mountd daemon is started by the svc:/network/nfs/server service.

The nfsd Daemon

When a client process attempts to access a remote file resource, the nfsd daemon on the NFS server receives the request and the resource’s file handle, and then performs the requested operation. This daemon returns any data to the requesting client process.

The nfsd daemon also handles file system data requests from clients. Only the superuser can start the nfsd daemon. The nfsd daemon is started by the svc:/network/nfs/server service.


The statd Daemon

The statd daemon works with the lock manager lockd daemon to provide crash recovery functions for the lock manager. The server’s statd daemon tracks the clients that are holding locks on an NFS server. When the NFS server reboots after a crash, the statd daemon on the server contacts the statd daemon on the client, which informs the lockd daemon to reclaim any locks on the server. When an NFS client reboots after a crash, the statd daemon on the client system contacts the statd daemon on the server, which invokes the lockd daemon to clear any previous client process locks on the server.

The statd daemon is started by the svc:/network/nfs/status service. The statd daemon is not used by NFSv4.

The lockd Daemon

The lockd daemon supports record locking operations for NFS files. The daemon sends locking requests from the NFS client to the NFS server. The server’s lockd daemon enables local locking on the NFS server.

The lockd daemon is started by the svc:/network/nfs/nlockmgr service.

NFSv4 is stateful, unlike NFSv3 and NFSv2. File locking support is integrated into the NFSv4 protocol. The lockd daemon is not used with NFSv4.

The nfslogd Daemon

The nfslogd daemon provides operational logging for an NFS server. NFS logging is enabled when the share is made available. For all file systems for which logging is enabled, the NFS kernel module records all operations in a buffer file. The nfslogd daemon periodically processes the contents of the buffer files to produce American Standard Code for Information Interchange (ASCII) log files, as defined by the contents of the /etc/default/nfslogd file.

The nfslogd daemon also handles the mapping of file handles to path names. The daemon keeps track of these mappings in a file-handle-to-path mapping table. After post-processing, the ASCII log files store the records. NFS logging is not supported in NFSv4. The nfslogd daemon is started by the svc:/network/nfs/server service.


The nfsmapid Daemon

The nfsmapid daemon is implemented in NFSv4. The nfsmapid daemon maps owner and group identification that both the NFSv4 client and server use. There is no user interface to this daemon, but parameters can be set in the /etc/default/nfs file.

The nfsmapid daemon is started by the svc:/network/nfs/mapid service.

Managing the NFS Server Daemons

The NFS daemons start conditionally when the system transitions through the run levels, or they start manually when enabling the svc:/network/nfs/server service.

Note – The nfsd and mountd daemons are started if there is an uncommented share statement in the system’s /etc/dfs/dfstab file.

The svcs command can be used to show the dependencies of the nfs/server service.

# svcs | grep nfs
online         15:35:24 svc:/network/nfs/client:default
online         15:35:29 svc:/network/nfs/status:default
online         15:35:30 svc:/network/nfs/nlockmgr:default
online         15:35:30 svc:/network/nfs/server:default
online         15:35:31 svc:/network/nfs/mapid:default
online         15:35:32 svc:/network/nfs/rquota:default


# svcs -l nfs/server
fmri         svc:/network/nfs/server:default
name         NFS server
enabled      true
state        online
next_state   none
state_time   Mon Feb 28 15:35:30 2005
logfile      /var/svc/log/network-nfs-server:default.log
restarter    svc:/system/svc/restarter:default
contract_id  44
dependency   require_any/error svc:/milestone/network (online)
dependency   require_all/error svc:/network/nfs/nlockmgr (online)
dependency   optional_all/error svc:/network/nfs/mapid (online)
dependency   require_all/restart svc:/network/rpc/bind (online)
dependency   optional_all/none svc:/network/rpc/keyserv (disabled)
dependency   optional_all/none svc:/network/rpc/gss (online)
dependency   require_all/error svc:/system/filesystem/local (online)

Starting the NFS Server Daemons

The svc:/network/nfs/server service starts the NFS server daemons when the system enters run level 3.

To start the NFS server daemons manually, place an entry in the /etc/dfs/dfstab file and perform the command:

# svcadm enable svc:/network/nfs/server

Stopping the NFS Server Daemons

By default, the NFS server daemons are shut down by the service management facility (SMF) when it leaves the multi-user-server milestone.

To stop the NFS server daemons manually, perform the command:

# svcadm disable svc:/network/nfs/server


NFS Server Commands

Table 6-3 lists the NFS server commands.

Table 6-3 NFS Server Commands

Commands      Description
share         Makes a local directory on an NFS server available for mounting. It also displays the contents of the /etc/dfs/sharetab file.
unshare       Makes a previously available directory unavailable for client side mount operations.
shareall      Reads and executes share statements in the /etc/dfs/dfstab file.
unshareall    Makes previously shared resources unavailable.
dfshares      Lists available shared resources from a remote or local NFS server.
dfmounts      Displays a list of NFS server directories that are currently mounted.


Configuring the NFS Server for Sharing Resources

The following sections describe the basic functionality of the NFS server commands. These commands configure shared remote resources.

Making File Resources Available for NFS Mounting

When the mountd and nfsd daemons are running, you can use the share command to make file resources available:

share [ -F nfs ] [ -o options ] [ -d description ] [ pathname ]

where:

-F nfs            Specifies the file system type. This option is not typically required, because NFS is the default remote file system type.
-o options        Controls a client’s access to an NFS shared resource.
-d description    Describes the shared file resource.
pathname          Specifies the absolute path name of the resource for sharing.

Note – Unless you specify an option to the share command, for example, -F nfs, the system uses the file system type from the first line of the /etc/dfs/fstypes file.

To share a file resource from the command line, you can use the share command. For example, to share the /usr/local/data directory as a read-only shared resource, perform the command:

# share -o ro /usr/local/data

By default, NFS-mounted resources are available with read and write privileges based on standard Solaris OS file permissions. Access decisions are based on a comparison of the user ID (UID) of the client and the owner.


The following share command options shown in Table 6-4 restrict the read and write capabilities for NFS clients and enable superuser access to a mounted resource.

Table 6-4 The share Command Options

Options           Definitions
ro                Informs clients that the server accepts only read requests
rw                Allows the server to accept read and write requests from the client
root=client       Informs clients that the root user on the specified client system or systems can perform superuser-privileged requests on the shared resource
ro=access-list    Allows read requests from the specified access list
rw=access-list    Allows read and write requests from the specified access list, as shown in Table 6-5

Table 6-5 Access List Options

Option                       Description
access-list=client:client    Allows access based on a colon-separated list of one or more clients.
access-list=@network         Allows access based on a network number (for example, @192.168.100) or a network name (for example, @mynet.com). The network name must be defined in the /etc/networks file.
access-list=.domain          Allows access based on a Domain Name System (DNS) domain; the dot (.) identifies the value as a DNS domain.
access-list=netgroup_name    Allows access based on a configured net group (Network Information Service [NIS] or Network Information Service Plus [NIS+] only).
anon=n                       Sets n to be the effective user ID (EUID) of anonymous users. By default, anonymous users are given the EUID 60001 (UID_NOBODY). If n is set to -1, access is denied.


You can combine these options by separating each option with commas, which forms intricate access restrictions. The following examples show some of the more commonly used options:

# share -F nfs -o ro directory

This command restricts access to NFS-mounted resources to read-only access.

# share -F nfs -o ro,rw=client1 directory

This command restricts access to NFS-mounted resources to read-only access; however, the NFS server accepts both read and write requests from the client named client1.

# share -F nfs -o root=client2 directory

This command allows the root user on the client named client2 to have superuser access to the NFS-mounted resources.

# share -F nfs -o ro,anon=0 directory

By setting the option anon=0, the EUID for access to shared resources by an anonymous user is set to 0. The access is also set to read-only.

While setting the EUID to 0, the same UID as the root user, might seem to open up security access, the UID of 0 is converted to the user identity of nobody. This has the effect that an anonymous user from a client host, where the UID of that user is not known on the server host, is treated as the user called nobody by the server (UID=60001).

# share -F nfs \
-o ro=client1:client2,rw=client3:client4,root=client4 directory

This command shares the directory to the four named hosts only. The hosts, client1 and client2, have read-only access. The hosts client3 and client4 have read-write access. The root user from host client4 has root privilege access to the shared directory and its contents.
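Because every line of /etc/dfs/dfstab is a share command, the options in Table 6-4 and Table 6-5 can be reviewed mechanically before the shares go live. The following is an added example, not part of the original guide; the sample file and its host and path names are constructed, and the three findings it reports are a choice made here for illustration.

```python
import shlex

# Constructed sample in /etc/dfs/dfstab format; host and path names are illustrative.
SAMPLE_DFSTAB = '''\
# share [-F fstype] [ -o options] [-d "<text>"] <pathname> [resource]
share -F nfs -o ro -d "Shared data files" /usr/local/data
share -F nfs -o rw,root=sys-01 -d "Database files" /rdbms_files
share -F nfs -d "Scratch" /export/scratch
share -F nfs -o ro,anon=0 /export/install
share -F nfs \\
  -o ro=client1:client2,rw=client3:client4,root=client4 /export/proj
'''

OPEN_RW = "read-write not limited to an access list"
ANON_ZERO = "anon=0 sets the anonymous EUID to 0"


def logical_lines(text):
    """Yield dfstab lines with backslash continuations joined, comments dropped."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        if line and not line.startswith("#"):
            yield line


def parse_share(line):
    """Return (pathname, options) for one share command, or None for other lines."""
    words = shlex.split(line)
    if not words or words[0] != "share":
        return None
    opts, path, i = {}, None, 1
    while i < len(words):
        if words[i] in ("-F", "-d", "-o") and i + 1 < len(words):
            if words[i] == "-o":
                for item in words[i + 1].split(","):
                    key, _, value = item.partition("=")
                    opts[key] = value.split(":") if value else []
            i += 2
        else:
            if path is None:      # first bare word is the pathname
                path = words[i]
            i += 1
    return path, opts


def audit(text):
    """Return (pathname, finding) tuples for share lines that need review."""
    findings = []
    for line in logical_lines(text):
        parsed = parse_share(line)
        if parsed is None:
            continue
        path, opts = parsed
        # A bare rw, or no ro/rw option at all, accepts writes from any client.
        if opts.get("rw") == [] or ("ro" not in opts and "rw" not in opts):
            findings.append((path, OPEN_RW))
        # root= lets root on the listed clients make superuser-privileged requests.
        if opts.get("root"):
            findings.append((path, "superuser access for: " + ",".join(opts["root"])))
        # anon=n sets the EUID of anonymous users (Table 6-5); report n = 0.
        if opts.get("anon") == ["0"]:
            findings.append((path, ANON_ZERO))
    return findings


if __name__ == "__main__":
    for path, finding in audit(SAMPLE_DFSTAB):
        print("%-18s %s" % (path, finding))
```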


The share command writes information for all shared file resources to the /etc/dfs/sharetab file. The file contains a table of the local shared resources.

Note – If no argument is specified, the share command displays a list of all the currently shared file resources.

# share
- /usr/local/data ro "Shared data files"
- /rdbms_files rw,root=sys01 "Database files"

Making File Resources Unavailable for Mounting

Use the unshare command to make file resources unavailable for mount operations. This command reads the /etc/dfs/sharetab file.

unshare [ -F nfs ] pathname

where:

-F nfs      Specifies NFS as the file system type. Because NFS is the default remote file system type, you do not have to specify this option.
pathname    Specifies the path name of the file resource to unshare.

For example, to make the /export/sys44_data directory unavailable for client-side mount operations, perform the command:

# unshare /usr/local/data

Sharing and Unsharing All NFS Resources

Use the shareall and unshareall commands to share and unshare all NFS resources.

The shareall command, when used without arguments, shares all resources listed in the /etc/dfs/dfstab file.

shareall [ -F nfs ]

The unshareall command, when used without arguments, unshares currently shared file resources listed in the /etc/dfs/sharetab file.

unshareall [ -F nfs ]


Displaying Currently Shared NFS Resources

The dfshares command uses the NFS daemon, mountd, to display currently shared NFS resources.

dfshares [ -F nfs ] [ host ]

The dfshares command displays resources currently being shared by the local server when used without a host argument.

# share -F nfs -o ro /usr/local/data
# dfshares
RESOURCE                  SERVER  ACCESS  TRANSPORT
sys-02:/usr/local/data    sys-02  -       -

By specifying one or more server names as arguments, the dfshares command also displays file resources being shared by other servers. For example:

# dfshares sys-01
RESOURCE                  SERVER  ACCESS  TRANSPORT
sys-01:/usr/share/man     sys-01  -       -

Displaying NFS Mounted Resources

The dfmounts command displays remotely mounted NFS resource information.

dfmounts [ -F nfs ] [ server ]

The dfmounts command, when used without arguments, displays a list of directories on the local server that are currently mounted and also displays a list of the client systems that currently have the shared resource mounted.

# dfmounts
RESOURCE  SERVER  PATHNAME           CLIENTS
-         sys-02  /usr/local/data    sys-03


Managing the NFS Client

NFS client files, NFS client daemons, and NFS client commands work together to manage the NFS client.

NFS Client Files

You need several files to support NFS client activities on any computer. Table 6-6 lists the files that support NFS client activities.

Table 6-6 NFS Client Files

File                Description
/etc/vfstab         Defines file systems to be mounted locally.
/etc/mnttab         Lists currently mounted file systems, including automounted directories. The contents of this file are maintained by the kernel and cannot be edited.
/etc/dfs/fstypes    Lists the default file system types for remote file systems.
/etc/default/nfs    Contains parameters used by NFS protocols and daemons.

The /etc/vfstab File

To mount remote file resources at boot time, enter the appropriate entries in the client’s /etc/vfstab file. For example:

#device                  device    mount              FS     fsck   mount     mount
#to mount                to fsck   point              type   pass   at boot   options
#
sys-02:/usr/local/data   -         /usr/remote_data   nfs    -      yes       soft,bg


The /etc/mnttab File

The /etc/mnttab file system provides read-only access to the table of mounted file systems for the current host. Mounting a file system adds an entry to the table of mounted file systems. Unmounting a file system removes an entry from the table of mounted file systems.

Remounting a file system updates the information in the mounted file system table. The kernel maintains a chronological list in the order of the mount time. The first mounted file system is first on the list and the most recently mounted file system is last. Although the /etc/mnttab file is a mount point for the mntfs file system, it appears as a regular file containing the current mount table information. The /lib/svc/method/fs-user script establishes the mntfs file system during the boot process.

The /etc/dfs/fstypes File

As with an NFS server, NFS clients use the /etc/dfs/fstypes file to determine distributed file system support.

# cat /etc/dfs/fstypes
nfs NFS Utilities
autofs AUTOFS Utilities
cachefs CACHEFS Utilities

NFS Client Daemons

The NFS client daemons are started using the svc:/network/nfs/client service. Table 6-7 lists the NFS client daemons.

Table 6-7 NFS Client Daemons

Daemon     Description
statd      Works with the lockd daemon to provide crash recovery functions for the lock manager
lockd      Supports record-locking operations on NFS files
nfs4cbd    NFSv4 callback daemon.


Managing the NFS Client Daemons

Two NFS daemons, the statd daemon and the lockd daemon, run both on the NFS servers and the NFS clients. These daemons start automatically when a system enters the network milestone. This can be seen by examining the dependencies for the network milestone.

# svcs -D milestone/network
STATE          STIME    FMRI
disabled       15:34:35 svc:/network/dns/client:default
disabled       15:34:37 svc:/network/nfs/cbd:default
disabled       15:34:38 svc:/network/rpc/bootparams:default
disabled       15:34:39 svc:/network/rarp:default
disabled       15:34:51 svc:/network/dns/server:default
disabled       15:34:52 svc:/network/slp:default
disabled       15:35:20 svc:/network/shell:kshell
online         15:35:03 svc:/milestone/single-user:default
online         15:35:04 svc:/network/initial:default
online         15:35:13 svc:/network/inetd:default
online         15:35:24 svc:/network/nfs/client:default
online         15:35:26 svc:/network/shell:default
online         15:35:30 svc:/network/nfs/server:default
online         15:35:31 svc:/network/nfs/mapid:default
online         16:31:18 svc:/network/nfs/nlockmgr:default
online         16:33:12 svc:/network/nfs/status:default

Both the statd and lockd daemons provide crash recovery and locking services for NFS version 2 and 3. If a server crashes, clients can quickly reestablish connections with files they were using. Therefore, the server has a record of the clients that were using its NFS resources. It contacts each client for information about which files were in use, which helps to provide continuous operation. You can start both of these daemons using the svcadm command.

The lockd daemon is started by the SMF service nfs/nlockmgr.

# svcadm -v enable nfs/nlockmgr
svc:/network/nfs/nlockmgr:default enabled.

The statd daemon is started by the SMF service nfs/status.

# svcadm -v enable nfs/status
svc:/network/nfs/status:default enabled.

Neither daemon requires administrative intervention.


Restarting the NFS Client Daemons

The service management facility automatically starts the NFS client daemons when the system enters the network milestone, and shuts down NFS client daemons when the system enters the single-user milestone.

To manually restart these daemons, perform the command:

# svcadm -v restart nfs/status
Action restart set for svc:/network/nfs/status:default.
# svcadm -v restart nfs/nlockmgr
Action restart set for svc:/network/nfs/nlockmgr:default.
#

NFS Client Commands

Table 6-8 lists the NFS client commands.

Table 6-8 NFS Client Commands

Command      Description
dfshares     Lists available shared resources from a remote or local NFS server
mount        Attaches a file resource (local or remote) to a specified local mount point
umount       Unmounts a currently mounted file resource
mountall     Mounts all file resources or a specific group of file resources listed in the /etc/vfstab file with a mount at boot value of yes
umountall    Unmounts all non-critical local and remote file resources

Configuring the NFS Client for Mounting Resources

The following sections describe some of the functions of the NFS client utilities.


Displaying a Server’s Available Resources

You can use the dfshares command to list resources made available by an NFS server. To verify the resources that an NFS server is currently making available, run the dfshares command with the server name as an argument.

# dfshares sys-02
RESOURCE                  SERVER  ACCESS  TRANSPORT
sys-02:/usr/local/data    sys-02  -       -
sys-02:/rdbms_files       sys-02  -       -

Accessing the Remote File Resource

Enter the /usr/sbin/mount command to attach a local or remote file resource to the file system hierarchy.

mount [ -F nfs ] [ -o options ] server:pathname mount_point

where:

-F nfs             Specifies NFS as the file system type. The -F nfs option is not necessary, because NFS is the default remote file system type specified in the /etc/dfs/fstypes file.
-o options         Specifies a comma-separated list of file-system specific options, such as rw. The rw option mounts the file resource as read, write. The ro option mounts the file resource as read-only. (The default is rw.)
server:pathname    Specifies the name of the server and the path name of the remote file resource. The names of the server and the path name are separated by a colon (:).
mount_point        Specifies the path name of the mount point on the local system (which must already exist).

Use the mount command to access a remote file resource. For example:

# mount sys-02:/rdbms_files /rdbms_files


When mounting a read-only remote resource, you can specify a comma-separated list of sources for the remote resource, which are then used as a list of failover resources. This process works if the resource mounted from all of the servers in the list is the same. For example:

# mount -o ro sys-45,sys-43,sys-41:/multi_homed_data /remote_shared_data

In this example, if the sys-45 server is unavailable, the request passes to the next server on the list, sys-43, and then to the sys-41 server.
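The /etc/vfstab entry format shown earlier and the failover rule above can be checked together before a client reboots with a bad entry. The following is an added example, not part of the original guide; the sample vfstab is constructed, and it assumes the failover server list is written in the device to mount field the same way as on the mount command line.

```python
# Constructed sample /etc/vfstab; device, host and path names are illustrative.
SAMPLE_VFSTAB = """\
#device device mount FS fsck mount mount
#to mount to fsck point type pass at boot options
#
/dev/dsk/c0t0d0s7 /dev/rdsk/c0t0d0s7 /export/home ufs 2 yes -
sys-02:/usr/local/data - /usr/remote_data nfs - yes soft,bg
sys-45,sys-43,sys-41:/multi_homed_data - /remote_shared_data nfs - yes rw,bg
sys-02:/rdbms_files /dev/rdsk/c0t0d0s6 rdbms_files nfs - yes ro
sys-02:/export/config - /config nfs - yes
"""

FIELDS = ("device to mount", "device to fsck", "mount point", "FS type",
          "fsck pass", "mount at boot", "mount options")


def split_resource(device):
    """Split 'server[,server...]:pathname' into (list of servers, pathname)."""
    servers, sep, path = device.partition(":")
    if not sep or not servers or not path.startswith("/"):
        return None
    return servers.split(","), path


def check_nfs_entry(fields):
    """Return the problems found in one seven-field NFS entry."""
    entry = dict(zip(FIELDS, fields))
    problems = []
    resource = split_resource(entry["device to mount"])
    if resource is None:
        problems.append("device to mount is not server:pathname")
    if entry["device to fsck"] != "-":
        problems.append("device to fsck must be - for NFS")
    if not entry["mount point"].startswith("/"):
        problems.append("mount point is not an absolute path")
    if entry["mount at boot"] not in ("yes", "no"):
        problems.append("mount at boot must be yes or no")
    options = entry["mount options"].split(",")
    # A list of servers is a failover list, which applies to read-only mounts;
    # the default mount mode is rw, so ro has to be stated.
    if resource and len(resource[0]) > 1 and "ro" not in options:
        problems.append("failover server list requires the ro option")
    return problems


def lint_vfstab(text):
    """Return (line number, problem) pairs for the NFS entries in a vfstab."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 4 or fields[3] != "nfs":
            continue                      # only NFS entries are checked here
        if len(fields) != 7:
            report.append((lineno, "expected 7 fields, found %d" % len(fields)))
            continue
        report.extend((lineno, p) for p in check_nfs_entry(fields))
    return report


if __name__ == "__main__":
    for lineno, problem in lint_vfstab(SAMPLE_VFSTAB):
        print("line %d: %s" % (lineno, problem))
```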

Unmounting the Remote File Resources From the Client

Use the umount command to detach local and remote file resources from the file system hierarchy. This command reads the /etc/mnttab file on the client.

umount server:pathname | mount_point

The command can specify either the server:pathname option or the mount_point option.

# umount /rdbms_files

Mounting All File Resources

Without any arguments, the /usr/sbin/mountall command mounts all file resources listed in the /etc/vfstab file with a mount at boot value of yes.

To limit the action of this command to remote file resources, use the -r option.

mountall -r [ -F nfs ]

# mountall -r


Unmounting All Currently Mounted File Resources

When you use the umountall command without any arguments, it unmounts all currently mounted file resources except for the root (/), /usr, /var, /var/adm, /var/run, /proc, and /dev/fd directories. To restrict the unmounting to only remote file systems, use the -r option.

umountall -r [ -F nfs ]

# umountall -r

Note – Use the -F FSType option with the mountall and umountall commands to specify FSType as the file system type. You do not have to specify the -F nfs option, because NFS is listed as the default remote file system type.

Mounting Remote Resources at Boot Time

To mount the remote file resources at boot time, enter the appropriate entries in the client’s /etc/vfstab file. For example:

#device         device          mount           FS      fsck    mount   mount
#to mount       to fsck         point           type    pass    at boot options
#
sys-02:/usr/local/data - /usr/remote_data nfs - yes soft,bg

where the fields in the /etc/vfstab file are:

device to mount The name of the server and the path name of the remote file resource. The server host name and share name are separated by a colon (:).

device to fsck NFS resources are not checked by the client because the file system is not local to the client. This field is always (-) for NFS resources.

mount point The mount point for the resource.

FS type This field specifies the type of file system to be mounted.

fsck pass NFS resources are not checked by the client, because the file system is not local to the client. This field is always (-) for NFS resources.

mount at boot This field can contain either of two values, yes or no. If the field is set to the value yes, the specified resource is mounted every time the mountall command is run.

mount options A comma-separated list of mount options. See Table 6-9 for a description of each option.

Note – If the /etc/vfstab file contains the file resource, the superuser can specify either server:pathname or mount_point on the command line, because the mount command checks the /etc/vfstab file for more information.

Table 6-9 The mount Command Options

Option Description

rw|ro Specifies whether the resource is mounted as read/write or read-only. The default is read/write.

bg|fg During an NFS mount request, if the first mount attempt fails, retry in the background or foreground. The default is to retry in the foreground.

soft|hard When the number of retransmissions has reached the number specified in the retrans=n option, a file system mounted with the soft option reports an error on the request, and stops trying. A file system mounted with the hard option prints a warning message and continues to try to process the request. The default is a hard mount.

Although the soft option and the bg option are not the default settings, combining them usually results in the fastest client boot when NFS mounting problems occur.

intr|nointr Enables or disables the use of keyboard interrupts to kill a process that hangs while waiting for a response on a hard-mounted file system. The default is intr.

The intr option is not specifically required with the soft option as this option allows the NFS mount to time out and fail if the mount is unsuccessful over the retry/retrans limits.

If the intr option is applied with the hard option, this allows the user to interrupt a manually executed mount instruction that is currently failing to mount, by using the Ctrl-C interrupt. If the nointr option is applied with the hard option, the mount takes as long as is required to successfully mount.

The intr option is not applicable at boot time as the mount operation is being performed by a daemon process that cannot send a Ctrl-C character to the NFS mount process.

suid|nosuid Indicates whether to enable setuid execution. The default enables setuid execution.

timeo=n Sets the timeout to n tenths of a second. The default timeout is 11, measured in one-tenth of a second (0.1 second) for User Datagram Protocol (UDP) transports, and 600 tenths of a second for Transmission Control Protocol (TCP).

retry=n Sets the number of times to retry the mount operation. The default is 10,000 times.

retrans=n Sets the number of NFS retransmissions to n. The default is 5 for UDP. For the connection-oriented TCP, this option has no effect.
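The field rules and option defaults above can be checked mechanically. The following added example (not part of the student guide) parses vfstab text and flags NFS entries that keep the setuid default, retry in the foreground at boot, list failover servers on a read/write mount, or combine soft with read/write; the check names, messages, and sample file contents are constructed for illustration.

```python
# Added example: audit the NFS lines of a Solaris /etc/vfstab against Table 6-9.

# Defaults stated in the table: read/write, foreground retry, hard mount, setuid on.
DEFAULTS = {"rw": True, "bg": False, "hard": True, "suid": True}

# Option keyword -> (setting it controls, value it selects).
TOGGLES = {
    "rw": ("rw", True), "ro": ("rw", False),
    "bg": ("bg", True), "fg": ("bg", False),
    "hard": ("hard", True), "soft": ("hard", False),
    "suid": ("suid", True), "nosuid": ("suid", False),
}


def effective_options(option_field):
    """Apply a vfstab mount-options field ('-' means none) on top of the defaults."""
    settings = dict(DEFAULTS)
    if option_field != "-":
        for option in option_field.split(","):
            keyword = option.split("=", 1)[0]   # timeo=n, retry=n, ... carry a value
            if keyword in TOGGLES:
                name, value = TOGGLES[keyword]
                settings[name] = value
    return settings


def audit_vfstab(text):
    """Return (line number, check id, message) tuples for the NFS entries in text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            findings.append((lineno, "malformed",
                             "expected 7 fields, found %d" % len(fields)))
            continue
        device, fsck_device, mount_point, fs_type, fsck_pass, at_boot, options = fields
        if fs_type != "nfs":
            continue
        opts = effective_options(options)
        servers = device.split(":", 1)[0].split(",")
        if fsck_device != "-" or fsck_pass != "-":
            findings.append((lineno, "fsck-fields",
                             "device to fsck and fsck pass must be '-' for NFS"))
        if opts["suid"]:
            findings.append((lineno, "suid",
                             "%s: setuid execution enabled; add nosuid unless "
                             "setuid programs on this resource are required" % mount_point))
        if at_boot == "yes" and not opts["bg"]:
            findings.append((lineno, "fg-at-boot",
                             "%s: foreground mount at boot stalls the client "
                             "while the server is down; consider bg" % mount_point))
        if len(servers) > 1 and opts["rw"]:
            findings.append((lineno, "rw-failover",
                             "%s: failover server lists apply to read-only "
                             "mounts; add ro" % mount_point))
        if not opts["hard"] and opts["rw"]:
            findings.append((lineno, "soft-rw",
                             "%s: soft read/write mount returns errors to "
                             "applications after retrans is exhausted" % mount_point))
    return findings


# Constructed sample: the NFS lines reuse host and path names from the examples above.
SAMPLE_VFSTAB = """\
#device         device          mount           FS      fsck    mount   mount
#to mount       to fsck         point           type    pass    at boot options
#
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 / ufs 1 no -
sys-02:/usr/local/data - /usr/remote_data nfs - yes soft,bg
sys-02:/rdbms_files - /rdbms_files nfs - yes -
sys-45,sys-43,sys-41:/multi_homed_data - /remote_shared_data nfs - no ro,nosuid
"""

if __name__ == "__main__":
    for lineno, check, message in audit_vfstab(SAMPLE_VFSTAB):
        print("line %d [%s] %s" % (lineno, check, message))
```
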


Enabling the NFS Server Logging

Maintain an NFS activity log to:

- Track remote file accesses on your network

- Assist in debugging NFS failures

Fundamentals of NFS Server Logging

Note – Server logging is not supported in NFS version 4.

The NFS server logging feature records NFS transactions on the file system. The nfslogd daemon provides operational logging.

When you enable NFS server logging, the NFS kernel module writes records of all NFS operations on the file system into a buffer file. The data includes a time stamp, the client IP address, the UID of the requester, the file handle of the resource being accessed, and the type of operation that occurs.

The nfslogd Daemon

The functions of the nfslogd daemon are that it:

- Converts the raw data from the logging operation into ASCII records, and stores the raw data in ASCII log files.

- Resolves IP addresses to host names and UIDs to login names.

- Maps the file handles to path names, and records the mappings in a file-handle-to-path mapping table. Each tag in the /etc/nfs/nfslog.conf file corresponds to one mapping table.

Note – If the nfslogd daemon is not running, changes are not tracked to the mappings in the file-handle-to-path table.


Configuring NFS Log Paths

The /etc/nfs/nfslog.conf file defines the path, file names, and type of logging that the nfslogd daemon must use. There is a tag corresponding to each definition.

To configure NFS server logging, identify or create the tag entries for each of the server’s shared resources. The global tag defines the default values.

The following is an example of an nfslog.conf file:

# cat /etc/nfs/nfslog.conf
#ident "@(#)nfslog.conf 1.5 99/02/21 SMI"
#
# Copyright (c) 1999 by Sun Microsystems, Inc.
# All rights reserved.
#
# NFS server log configuration file.
#
# <tag> [ defaultdir=<dir_path> ] \
# [ log=<logfile_path> ] [ fhtable=<table_path> ] \
# [ buffer=<bufferfile_path> ] [ logformat=basic|extended ]
#
global defaultdir=/var/nfs \
log=nfslog fhtable=fhtable buffer=nfslog_workbuffer

Use the following parameters with each tag, as needed:

defaultdir=dir_path Specifies the default parent directory. All relative path entries for this tag are interpreted relative to this directory.

log=logfile_path Specifies the relative or absolute path and the file name for the ASCII log file.

fhtable=table_path Specifies the relative or absolute path and the file name for the file-handle-to-path database file.

buffer=bufferfile_path Specifies the relative or absolute path and the file name for the raw buffer file.

logformat=basic|extended Specifies the format when creating user-readable log files. The basic format produces a log file similar to the FTP daemon. The extended format gives a more detailed view.


If you do not specify an absolute path in the parameters, the nfslogd daemon appends the name given to the path specified by the defaultdir parameter. To override the value specified by the defaultdir parameter, use an absolute path.

To easily identify the log files for different shared resources, place them in separate directories. For example:

# cat /etc/nfs/nfslog.conf
#ident "@(#)nfslog.conf 1.5 99/02/21 SMI"
#
.
.
# NFS server log configuration file.
#
global defaultdir=/var/nfs \
log=nfslog fhtable=fhtable buffer=nfslog_workbuffer
public defaultdir=/var/nfs/public \
log=nfslog fhtable=fhtable buffer=nfslog_workbuffer

Note – Create the /var/nfs/public directory before starting NFS server logging.

In the previous example, any file system shared with log=public uses the following values:

- The default directory is the /var/nfs/public directory.

- The log is stored in the /var/nfs/public/nfslog file.

- The /var/nfs/public/fhtable file stores the file-handle-to-path database.

- The /var/nfs/public/nfslog_workbuffer file stores the buffer.
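The path resolution just described can be reproduced offline to confirm where each tag's files will land before sharing anything. The following added example (not part of the student guide or of nfslogd) parses nfslog.conf text, resolves each tag's paths against its defaultdir, maps a share log option to its tag, and reports files used by more than one tag. It assumes that a tag inherits any parameter it omits from the global tag; the audit tag and its path are constructed.

```python
# Added example: resolve the effective log, fhtable and buffer paths per nfslog.conf tag.
import posixpath

PATH_KEYS = ("log", "fhtable", "buffer")
KNOWN_KEYS = PATH_KEYS + ("defaultdir", "logformat")


def logical_lines(text):
    """Yield entries with comment lines dropped and backslash continuations joined."""
    pending, continuing = "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not continuing and (not line or line.startswith("#")):
            continue
        continuing = line.endswith("\\")
        pending += line.rstrip("\\") + " "
        if not continuing:
            yield pending.strip()
            pending = ""
    if pending.strip():
        yield pending.strip()


def parse_nfslog_conf(text):
    """Return {tag: {parameter: value}}; reject parameters the file format does not list."""
    tags = {}
    for entry in logical_lines(text):
        parts = entry.split()
        if not parts:
            continue
        tag, params = parts[0], {}
        for item in parts[1:]:
            key, sep, value = item.partition("=")
            if not sep or key not in KNOWN_KEYS:
                raise ValueError("tag %r: unrecognised parameter %r" % (tag, item))
            params[key] = value
        tags[tag] = params
    return tags


def resolve_tag(tags, tag):
    """Return the absolute path of each file for tag (assumption: global fills gaps)."""
    merged = dict(tags.get("global", {}))
    merged.update(tags[tag])
    base = merged.get("defaultdir", "")
    resolved = {}
    for key in PATH_KEYS:
        name = merged.get(key)
        if name is not None:
            # An absolute path overrides defaultdir; a relative name is appended to it.
            resolved[key] = name if name.startswith("/") else posixpath.join(base, name)
    return resolved


def tag_for_share_options(options):
    """Map share -o options to a tag: log=tag names it, bare log means global."""
    for option in options.split(","):
        key, sep, value = option.partition("=")
        if key == "log":
            return value if sep and value else "global"
    return None


def shared_paths(tags):
    """Return {path: [tags]} for files that more than one tag resolves to."""
    users = {}
    for tag in tags:
        for path in resolve_tag(tags, tag).values():
            users.setdefault(path, set()).add(tag)
    return {path: sorted(names) for path, names in users.items() if len(names) > 1}


# The global and public tags are the ones shown above; the audit tag is constructed.
SAMPLE_CONF = """\
# NFS server log configuration file.
#
global defaultdir=/var/nfs \\
        log=nfslog fhtable=fhtable buffer=nfslog_workbuffer
public defaultdir=/var/nfs/public \\
        log=nfslog fhtable=fhtable buffer=nfslog_workbuffer
audit log=/var/adm/nfs_audit.log logformat=extended
"""

if __name__ == "__main__":
    conf = parse_nfslog_conf(SAMPLE_CONF)
    for share_options in ("ro,log=public", "ro,log", "ro,log=audit"):
        tag = tag_for_share_options(share_options)
        print(share_options, "->", tag, resolve_tag(conf, tag))
    for path, names in sorted(shared_paths(conf).items()):
        print("shared by", ", ".join(names), ":", path)
```
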


Initiating NFS Logging

To initiate NFS server logging, complete the following steps:

1. Become superuser.

2. Optional: Change the file system configuration settings. In the /etc/nfs/nfslog.conf file, either:

- Edit the default settings for all file systems by changing the data corresponding to the global tag.

- Add a new tag for the specific file system.

If you do not need these changes, do not edit this file.

3. To share file systems using NFS server logging, you must first enable NFS server logging. Edit the /etc/dfs/dfstab file to add an entry for file systems for which you want to enable NFS server logging.

Either:

- Specify a tag by entering the tag to use with the log=tag option in the /etc/dfs/dfstab file.

- Use the log option without specifying a tag, which causes the option to use the global tag as a default. The following example uses the default settings in the global tag:

share -F nfs -o log /export/sys44_data

4. Check that the NFS service is running on the server.

To start or restart the mountd, nfsd, and nfslogd daemons if they are not running, perform the command:

# svcadm enable svc:/network/nfs/server

If the /etc/nfs/nfslog.conf file exists and you execute the nfs.server script, the nfs.server script starts the nfslogd daemon.

5. Run the share command to verify that the correct options are listed.

# share

- /export/sys44_data ro,log ""

6. If you add the additional entries to the /etc/dfs/dfstab file, share the file system by rebooting the system or entering the shareall command.

# shareall


Configuring the nfslogd Daemon Behavior

The configuration information in the /etc/default/nfslogd file controls the logging behavior of the nfslogd daemon.

The /etc/default/nfslogd file defines default parameters used for NFS server logging. Table 6-10 describes some of the NFS logging parameters.

Table 6-10 NFS Logging Parameters

Parameter Description

IDLE_TIME Sets the amount of time that the nfslogd daemon sleeps before checking the buffer file for more information. It also determines how often the configuration file is checked. The default value is 300 seconds. Increasing this number can improve performance by reducing the number of checks.

MIN_PROCESSING_SIZE Sets the minimum number of bytes that the buffer file must reach before processing and writing to the log file. The default value is 524,288 bytes. Increasing this number can improve performance by reducing the number of times that the buffer file is processed.

The MIN_PROCESSING_SIZE and the IDLE_TIME parameters determine how often the buffer file is processed.

UMASK Specifies the permissions for the log files set by the nfslogd daemon. The default value is 0137.

CYCLE_FREQUENCY Determines the time that must pass before the log files are cleared. The default value is 24 hours. Use the CYCLE_FREQUENCY parameter to prevent the log files from becoming too large.

MAX_LOGS_PRESERVE Determines the number of log files to save. The default value is 10.


Managing NFS With the Solaris Management Console Storage Folder Tools

You can manage the NFS system by using components of the storage folder tools from the default tool box of the Solaris Management Console. The Mounts and Shares tool lets you view, create, and manage several types of mounts and shares. This module uses the following terms:

- A share refers to making a directory on one computer available to other computers.

- A mount is the act of connecting a file or a directory to a shared directory.

Adding a Shared Directory on the NFS Server

Using the Solaris Management Console, you can share a directory to the network.

To add a shared directory on the NFS server, complete the following steps:

1. Open the Solaris Management Console on the NFS server.

Note – The following steps display the contents of the Shared folder within the Mounts and Shares tool.

2. Click the turner icon to display the default toolbox called This Computer (nfs_servername).

3. Click the turner icon to display the Storage folder.

Note – When you access a tool for the first time, after opening the Solaris Management Console, log in to the Solaris Management Console to authenticate your access rights.

4. Click the turner icon to display the Mounts and Shares tool.


5. Click the Shares icon to display the currently shared resources from the Shares folder.

The Shared folder opens. The remaining steps add a shared directory to the list of shared resources.

6. To start the Add Shared Directory wizard, select Add Shared Directory from the Action menu.

7. To specify the directory name, select one of the following options:

- Enter the name of the shared resource in the Directory location.

- Enter a description of the resource in the Description location.

- Configure the sharing options as follows:

1. Share this directory only, or share this directory and its subdirectories.

2. Share this directory at each boot, or share this directory according to the current demand.

8. To specify how to access the directory, complete the following steps:

a. Select Basic to set read or read/write permissions for all users and systems that access the shared directory.

b. Select Advanced to further define authentication methods. Refer to the Help Index feature on the Solaris Management Console to define the authentication methods.

9. Specify the directory access as either read/write or read-only.

10. Review your shared directory selections:

a. To make any changes in your selections, click Back to back up and modify an entry.

b. If you are satisfied with your selections, click Finish to create the shared directory.

11. Return to the Solaris Management Console Shared directories folder, which displays the new shared directory.

You can now access the shared directory through NFS mounts.


Mounting a Shared Directory on the NFS Client

To mount a shared directory on the NFS client, complete the following steps:

1. Open the Solaris Management Console on the NFS client.

Note – The following steps display the contents of the Mounts folder within the Mounts and Shares tool.

2. Click the turner icon to display the default toolbox that is labeled as This Computer (nfs_clientname).

3. Click the turner icon to display the Storage folder.

4. Click the Mount and Share icon to display the Mounts and Shares tool.

5. Click the turner icon to display the Mounts and Shares tool.

6. Click the Mount icon to display the currently mounted resources in the Mounts folder.

The Mounts folder opens. The remaining steps add an NFS mounted directory to the list of mounted resources.

7. To start the Add NFS Mount wizard, select the Add NFS Mount field from the Action menu.

8. To identify the computer sharing the directory, enter the name of the NFS server in the Computer field.

9. To specify the mount point, enter the name of the NFS client directory that will contain the contents of the shared directory.

If the mount point directory does not exist on the NFS client, you must create it.

10. Specify whether to mount the directory at boot time or to manually mount the directory before trying to access it.

11. Specify the kind of directory access as either read/write or read-only.

Note – Access rights for the NFS client mounts cannot exceed the access rights defined on the NFS server for that shared resource.


12. Review your NFS mount selections:

a. To make any changes in your selections, click Back to back up and modify an entry.

b. If you are satisfied with your selections, click Finish to add the NFS mount point.

13. Select the Solaris Management Console Mounts folder, which displays the newly created mount point.

You can now access the NFS mounted directory in the same way as you would access the local file systems.


Troubleshooting NFS Errors

You can detect most NFS problems from console messages or from certain symptoms that appear on a client system. Some common errors are:

- The rpcbind failure error

- The server not responding error

- The NFS client fails a reboot error

- The service not responding error

- The program not registered error

- The stale file handle error

- The unknown host error

- The mount point error

- The no such file error

The rpcbind failure Error

The following example shows the message that appears on the client system during the boot process or in response to an explicit mount request.

nfs mount: server1:: RPC: Rpcbind failure
RPC: Timed Out
nfs mount: retrying: /mntpoint

The error in accessing the server is due to:

- The combination of an incorrect Internet address and a correct host or node name in the hosts database file supporting the client node.

- The hosts database file that supports the client has the correct server node, but the server node temporarily stops due to an overload.

To solve the rpcbind failure error condition when the server node is operational, determine if the server is out of critical resources (for example, memory, swap, or disk space).


The server not responding Error

The following message appears during the boot process or in response to an explicit mount request, and this message indicates a known server that is inaccessible.

NFS server server2 not responding, still trying

Possible causes for the server not responding error are:

- The network between the local system and the server is down. To verify that the network is down, enter the ping command (ping server2).

- The server (server2) is down.

The NFS client fails a reboot Error

If you attempt to boot an NFS client and the client node stops, waits, and echoes the following message:

Setting default interface for multicast: add net 224.0.0.0: gateway:

client_node_name.

these symptoms might indicate that a client is requesting an NFS mount using an entry in the /etc/vfstab file, specifying a foreground mount from a non-operational NFS server.

To solve this error, complete the following steps:

1. To interrupt the failed client node, press Stop-A, and boot the client into single-user mode.

2. Edit the /etc/vfstab file to comment out the NFS mounts.

3. To continue booting to the default run level (normally run level 3), press Control-D.

4. Determine if all the NFS servers are operational and functioning properly.

5. After you resolve problems with the NFS servers, remove the comments from the /etc/vfstab file.

Note – If the NFS server is not available, an alternative to commenting out the entry in the /etc/vfstab file is to use the bg mount option so that the boot sequence can proceed in parallel with the attempt to perform the NFS mount.


The service not responding Error

The following message appears during the boot process or in response to an explicit mount request, and indicates that an accessible server is not running the NFS server daemons.

nfs mount: dbserver: NFS: Service not responding

nfs mount: retrying: /mntpoint

To solve the service not responding error condition, complete the following steps:

1. Enter the who -r command on the server to see if it is at run level 3. If the server is not, change to run level 3 by entering the init 3 command.

2. Enter the ps -e command on the server to check whether the NFS server daemons are running. If they are not, start them with the svcadm enable svc:/network/nfs/server command.

The program not registered Error

The following message appears during the boot process or in response to an explicit mount request and indicates that an accessible server is not running the mountd daemon.

nfs mount: dbserver: RPC: Program not registered

nfs mount: retrying: /mntpoint

To solve the program not registered error condition, complete the following steps:

1. Enter the who -r command on the server to check that it is at run level 3. If the server is not, change to run level 3 by performing the init 3 command.

2. Enter the pgrep -fl mountd command. If the mountd daemon is not running, start it using the svcadm enable svc:/network/nfs/server command.

3. Check the /etc/dfs/dfstab file entries.


The stale NFS file handle Error

The following message appears when a process attempts to access a remote file resource with an out-of-date file handle.

stale NFS file handle

A possible cause for the stale NFS file handle error is that the file resource on the server moved. To solve the stale NFS file handle error condition, unmount and mount the resource again on the client.

The unknown host Error

The following message indicates that the host name of the server on the client is missing from the hosts table.

nfs mount: sserver1:: RPC: Unknown host

To solve the unknown host error condition, verify the host name in the hosts database that supports the client node.

Note – The preceding example misspelled the node name server1 as sserver1.

The mount point Error

The following message appears during the boot process or in response to an explicit mount request and indicates a non-existent mount point.

mount: mount-point /DS9 does not exist.

To solve the mount point error condition, check that the mount point exists on the client. Check the spelling of the mount point on the command line or in the /etc/vfstab file on the client, or comment out the entry and reboot the system.


The no such file Error

The following message appears during the boot process or in response to an explicit mount request, which indicates that there is an unknown file resource name on the server.

No such file or directory

To solve the no such file error condition, check that the directory exists on the server. Check the spelling of the directory on the command line or in the /etc/vfstab file.


Performing the Exercises

You have the option to complete any one of three versions of a lab. To decide which to choose, consult the following descriptions of the levels:

- Level 1 – This version of the lab provides the least amount of guidance. Each bulleted paragraph provides a task description, but you must determine your own way of accomplishing each task.

- Level 2 – This version of the lab provides more guidance. Although each step describes what you should do, you must determine which commands (and options) to input.

- Level 3 – This version of the lab is the easiest to accomplish because each step provides exactly what you should input to the system. This level also includes the task solutions for all three levels.


Exercise: Configuring NFS (Level 1)

In this exercise, you configure an NFS server and client to share and mount the /usr/share/man file.

Preparation

Choose a partner for this lab. Determine which systems to configure as the NFS server and the NFS client. Verify that entries for both systems exist in the /etc/hosts file on both systems. Refer to your lecture notes as necessary to perform the following steps.

Tasks

Perform the following tasks:

- Select a system to act as an NFS server, and share the /usr/share/man directory. Perform the commands to verify that the directory is shared and that no NFS system mounts are present on the server:

  - share

  - dfshares

  - dfmounts

- On the NFS client system, rename the /usr/share/man directory to the /usr/share/man.orig directory. Make sure the man pages are not available. Create a /usr/share/man mount point. Mount the /usr/share/man directory from the NFS server. Verify that the man pages are available.

- On the NFS client, record the default options used for the NFS mount. Unmount the /usr/share/man file, and verify the list of remote mounts the server is providing.

- On the NFS server, unshare the /usr/share/man directory. In the /etc/dfs/dfstab file, change the entry for this directory so that it uses the -o rw=bogus options. Share everything listed in the dfstab file.

- On the NFS client, attempt to mount the /usr/share/man directory from the NFS server. Record your observations.


- On the NFS server, unshare the /usr/share/man directory, and remove the entry for it from the /etc/dfs/dfstab file.

- On the NFS client, return the /usr/share/man directory to its original configuration.


Exercise: Configuring NFS (Level 2)

In this exercise, you configure an NFS server and client to share and mount the /usr/share/man file.

Preparation

Choose a partner for this lab. Determine which systems to configure as the NFS server and the NFS client. Verify that entries for both systems exist in the /etc/hosts file on both systems. Refer to your lecture notes as necessary to perform the following steps.

Task Summary

Perform the following tasks:

- Select a system to act as an NFS server, and share the /usr/share/man directory. Perform the commands to verify that the directory is shared and that no NFS system mounts are present on the server:

  - share
  - dfshares
  - dfmounts

- On the NFS client system, rename the /usr/share/man directory to the /usr/share/man.orig directory. Make sure the man pages are not available. Create a /usr/share/man mount point. Mount the /usr/share/man directory from the NFS server. Verify that the man pages are available.

- On the NFS client, record the default options used for the NFS mount. Verify the list of mounts that the server provides. Unmount the /usr/share/man file, and verify the list of remote mounts the server is providing.

- On the NFS server, unshare the /usr/share/man directory. In the /etc/dfs/dfstab file, change the entry for this directory so that it uses the -o rw=bogus options. Share everything listed in the dfstab file.

- On the NFS client, attempt to mount the /usr/share/man directory from the NFS server. Record your observations.

- On the NFS server, unshare the /usr/share/man directory, and remove the entry for it from the /etc/dfs/dfstab file.

- On the NFS client, return the /usr/share/man directory to its original configuration.

Tasks

Complete the following tasks.

Task 1 – On the NFS Server

Complete the following steps:

1. Edit the /etc/dfs/dfstab file. Add an entry to share the directory that holds man pages.

_____________________________________________________________

2. Stop and start the NFS server daemons.

_____________________________________________________________

3. Verify that the /usr/share/man directory is shared and that no NFS mounts are present.

_____________________________________________________________

Task 2 – On the NFS Client

Complete the following steps:

1. Rename the /usr/share/man directory so that you can no longer access the man pages on the client system. Verify that the man pages are not available.

_____________________________________________________________

What message does the man command report?

_____________________________________________________________

2. Create a new man directory (/usr/share/man) to use as a mount point.

_____________________________________________________________

3. Mount the /usr/share/man directory from the server.

4. Verify that the man pages are available.

_____________________________________________________________

Are the man pages available?

_____________________________________________________________

5. Verify and record the default ro | rw options used for this mount.

_____________________________________________________________

6. Write a file into the NFS-mounted file system.

_____________________________________________________________

What is the result of trying to write to the NFS-mounted file system?

_____________________________________________________________

What conclusion can be reached by this exercise?

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

7. Observe the list of remote mounts from the server. Unmount the /usr/share/man directory, and verify the list of remote mounts from the server.

Task 3 – On the NFS Server

Complete the following steps:

1. Unshare the /usr/share/man directory.

_____________________________________________________________

2. Change the share statement in the /etc/dfs/dfstab file for the /usr/share/man directory to read:

share -o ro=bogus /usr/share/man

3. Share the /usr/share/man directory.

_____________________________________________________________

Task 4 – On the NFS Client

Complete the following step:

Attempt to mount the /usr/share/man directory again.

_____________________________________________________________

What happens?

_____________________________________________________________

Task 5 – On the NFS Server

Complete the following steps:

1. Unshare the /usr/share/man directory.

_____________________________________________________________

2. Edit the /etc/dfs/dfstab file to remove the entry for the /usr/share/man directory.

_____________________________________________________________

Task 6 – On the NFS Client

Complete the following steps:

1. Return the /usr/share/man directory to its original configuration.

_____________________________________________________________

2. Verify that the man pages are now available.

_____________________________________________________________

Exercise: Configuring NFS (Level 3)

In this exercise, you configure an NFS server and client to share and mount the /usr/share/man file.

Preparation

Choose a partner for this lab. Determine which systems to configure as the NFS server and the NFS client. Verify that entries for both systems exist in the /etc/hosts file on both systems. Refer to your lecture notes as necessary to perform the following steps.

Task Summary

Perform the following tasks:

- Select a system to act as an NFS server, and share the /usr/share/man directory. Perform the commands to verify that the directory is shared and that no NFS system mounts are present on the server:

  - share
  - dfshares
  - dfmounts

- On the NFS client system, rename the /usr/share/man directory to the /usr/share/man.orig directory. Make sure the man pages are not available. Create a /usr/share/man mount point. Mount the /usr/share/man directory from the NFS server. Verify that the man pages are available.

- On the NFS client, record the default options used for the NFS mount. Verify the list of mounts that the server provides. Unmount the /usr/share/man file, and verify the list of remote mounts the server is providing.

- On the NFS server, unshare the /usr/share/man directory. In the /etc/dfs/dfstab file, change the entry for this directory so that it uses the -o rw=bogus options. Share everything listed in the dfstab file.

- On the NFS client, attempt to mount the /usr/share/man directory from the NFS server. Record your observations.

- On the NFS server, unshare the /usr/share/man directory, and remove the entry for it from the /etc/dfs/dfstab file.

- On the NFS client, return the /usr/share/man directory to its original configuration.

Tasks and Solutions

Complete the following tasks.

Task 1 – On the NFS Server

Complete the following steps:

1. Edit the /etc/dfs/dfstab file. Add an entry to share the directory that holds man pages.

share -o ro /usr/share/man

2. Start the NFS server daemons.

# svcadm enable svc:/network/nfs/server

3. Verify that the NFS server service is online.

# svcs -a | grep nfs

disabled 09:04 svc:/network/nfs/cbd:default

online 09:04 svc:/network/nfs/client:default

online 09:04 svc:/network/nfs/status:default

online 09:04 svc:/network/nfs/nlockmgr:default

online 09:04 svc:/network/nfs/mapid:default

online 09:04 svc:/network/nfs/rquota:default

online 09:04 svc:/network/nfs/server:default

4. Verify that the /usr/share/man directory is shared and that no NFS mounts are present.

# share

- /usr/share/man ro ""

# dfshares

RESOURCE SERVER ACCESS TRANSPORT

server:/usr/share/man server - -

# dfmounts

There is no output for the dfmounts command.

Task 2 – On the NFS Client

Complete the following steps:

1. Rename the /usr/share/man directory so that you can no longer access the man pages on the client system. Verify that the man pages are not available.

# mv /usr/share/man /usr/share/man.orig

# man ls

What message does the man command report?

No manual entry for ls.

2. Create a new man directory (/usr/share/man) to use as a mount point.

# cd /usr/share

# mkdir man

3. Verify that the NFS client service is online.

# svcs -a | grep nfs

disabled 18:10:23 svc:/network/nfs/rquota:ticlts

disabled 18:10:24 svc:/network/nfs/rquota:udp

disabled 18:10:56 svc:/network/nfs/server:default

online 18:10:12 svc:/network/nfs/cbd:default

online 18:10:12 svc:/network/nfs/mapid:default

online 18:10:12 svc:/network/nfs/status:default

online 18:10:14 svc:/network/nfs/nlockmgr:default

online 18:10:32 svc:/network/nfs/client:default

4. Mount the /usr/share/man directory from the server.

# mount server:/usr/share/man /usr/share/man

5. Verify that the man pages are available.

# man ls

Are the man pages available?

Yes

6. Verify and record the default ro | rw options used for this mount.

# mount

The ro | rw option for the mount command is read/write (rw) by default.

7. Write a file into the NFS-mounted file system.

# touch /usr/share/man/test

touch: /usr/share/man/test cannot create

What is the result of trying to write to the NFS-mounted file system?

You cannot write to the file system.

What conclusion can be reached by this exercise?

Even though the file system mount is read/write, by default, the actual ro | rw permission is read-only, as defined when the directory was shared on the NFS server.

8. Observe the list of remote mounts from the server. Unmount the /usr/share/man directory, and verify the list of remote mounts from the server.

# dfmounts server

# umount /usr/share/man

# dfmounts server

No output from the dfmounts command indicates that there are no clients mounting the file systems from the server. (This output still shows the mount.)

Task 3 – On the NFS Server

Complete the following steps:

1. Unshare the /usr/share/man directory.

# unshareall

2. Change the share statement in the /etc/dfs/dfstab file for the /usr/share/man directory to read:

share -o ro=bogus /usr/share/man

3. Share the /usr/share/man directory.

# shareall

Task 4 – On the NFS Client

Complete the following step:

Attempt to mount the /usr/share/man directory again.

# mount server:/usr/share/man /usr/share/man

What happens?

The client reports the error message:

nfs mount: server:/usr/share/man: Permission denied

Task 5 – On the NFS Server

Complete the following steps:

1. Unshare the /usr/share/man directory.

# unshareall

2. Edit the /etc/dfs/dfstab file to remove the entry for the /usr/share/man directory.

Task 6 – On the NFS Client

Complete the following steps:

1. Return the /usr/share/man directory to its original configuration.

# cd /usr/share

# rmdir man

# mv man.orig man

2. Verify that the man pages are now available.

# man ls
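The lab's two observations (a default rw mount that cannot write, and a mount refused under ro=bogus) both follow from the server's share options limiting what the client's mount option can obtain. The following added example, which is not part of the student guide, models that for dfstab share lines; the function names, the /export/docs and /export/scratch entries, and the client names are assumptions, and access lists are treated as plain host names only (no netgroups, domains, networks, or negation).

```python
"""Model how share_nfs ro/rw options and the client's mount option combine."""
import shlex

# Constructed dfstab content: the two share lines used in the lab, plus two
# hypothetical entries (/export/docs, /export/scratch) for contrast.
DFSTAB = '''\
# constructed sample of /etc/dfs/dfstab
share -o ro /usr/share/man
share -o ro=bogus /usr/share/man
share -F nfs -o ro,rw=client1:client2 -d "docs" /export/docs
share /export/scratch
'''

UNLISTED = "<any-unlisted-client>"  # stands for a host named in no access list


def parse_options(optstr):
    """'ro,rw=a:b' -> {'ro': True, 'rw': ['a', 'b']} (bare option -> True)."""
    opts = {}
    for item in filter(None, optstr.split(",")):
        name, sep, value = item.partition("=")
        opts[name] = value.split(":") if sep else True
    return opts


def parse_dfstab(text):
    """Return [(path, options)] for every share line; the path is the last word."""
    shares = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if len(tokens) < 2 or tokens[0] != "share":
            continue
        optstr, i = "", 1
        while i < len(tokens) - 1:
            if tokens[i] == "-o":
                optstr = tokens[i + 1]
            # -o, -F and -d each take one argument
            i += 2 if tokens[i] in ("-o", "-F", "-d") else 1
        shares.append((tokens[-1], parse_options(optstr)))
    return shares


def server_access(opts, client):
    """Access the server grants this client: 'rw', 'ro', or None (no access)."""
    ro, rw = opts.get("ro"), opts.get("rw")
    if ro is None and rw is None:
        return "rw"                      # no ro/rw given: read-write to all
    if isinstance(rw, list) and client in rw:
        return "rw"                      # rw=list overrides ro for listed hosts
    if isinstance(ro, list) and client in ro:
        return "ro"                      # ro=list overrides rw for listed hosts
    if rw is True:
        return "rw"
    if ro is True:
        return "ro"
    return None                          # only lists given, client in none


def effective_access(opts, client, mount_opt="rw"):
    """Combine the server's grant with the client's ro|rw mount option."""
    granted = server_access(opts, client)
    if granted is None:
        return "denied"
    return "ro" if "ro" in (granted, mount_opt) else "rw"


def open_rw_shares(shares):
    """Paths that a client named in no access list can still write to."""
    return [path for path, opts in shares
            if server_access(opts, UNLISTED) == "rw"]


if __name__ == "__main__":
    for path, opts in parse_dfstab(DFSTAB):
        print(path, opts, "->", effective_access(opts, "client1"))
    print("writable by any client:", open_rw_shares(parse_dfstab(DFSTAB)))
```

Running open_rw_shares over a server's real dfstab is a quick review step: a share with no ro or rw access list is writable by every client that can reach the server.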

Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

- Experiences

- Interpretations

- Conclusions

- Applications

Module 7

Configuring AutoFS

Objectives

The AutoFS file system provides a mechanism for automatically mounting NFS file systems on demand and for automatically unmounting these file systems after a predetermined period of inactivity. The mount points are specified using local or distributed automount maps.

Upon completion of this module, you should be able to:

- Describe the fundamentals of the AutoFS file system

- Use automount maps

The course map in Figure 7-1 shows how this module fits into the current instructional goal.

Figure 7-1 Course Map (Managing Virtual File Systems and Core Dumps: Managing Swap Configuration; Managing Crash Dumps and Core Files; Configuring NFS; Configuring AutoFS)

Introducing the Fundamentals of AutoFS

AutoFS is a file system mechanism that provides automatic mounting using the NFS protocol. AutoFS is a client-side service. The AutoFS file system is initialized by the /lib/svc/ automount script, which runs automatically when a system is booted. This script runs the automount command, which reads the AutoFS configuration files and also starts the automount daemon automountd. The automountd daemon runs continuously, mounting and unmounting remote directories on an as-needed basis.

Whenever a user on a client computer running the automountd daemon tries to access a remote file or directory, the daemon mounts the remote file system to which that file or directory belongs. This remote file system remains mounted for as long as it is needed. If the remote file system is not accessed for a defined period of time, the automountd daemon automatically unmounts the file system.

The AutoFS service mounts and unmounts file systems as required without any user intervention. The user does not need to use the mount and umount commands and does not need to know the superuser password.

The AutoFS file system enables you to do the following:

- Mount file systems on demand

- Unmount file systems automatically

- Centralize the administration of AutoFS mounts through the use of a name service, which can dramatically reduce administration overhead time

- Create multiple mount resources for read/write or read-only file systems

The automount facility contains three components, as shown in Figure 7-2:

- The AutoFS file system

- The automountd daemon

- The automount command

Figure 7-2 The AutoFS Features

AutoFS File System

An AutoFS file system’s mount points are defined in the automount maps on the client system. After the AutoFS mount points are set up, activity under the mount points can trigger file systems to be mounted under the mount points. If the automount maps are configured, the AutoFS kernel module monitors mount requests made on the client. If a mount request is made for an AutoFS resource not currently mounted, the AutoFS service calls the automountd daemon, which mounts the requested resource.

(Figure 7-2 labels: RAM; AutoFS; automountd; automount -v; Automount Maps: master map, direct map, indirect map, special map)

The automountd Daemon

The /lib/svc/method/svc-autofs script starts the automountd daemon. The automountd daemon mounts file systems on demand and unmounts idle mount points.

Note – The automountd daemon is completely independent from the automount command. Because of this separation, you can add, delete, or change map information without having to stop and start the automountd daemon process.

The automount Command

The automount command, called at system startup time, reads the master map to create the initial set of AutoFS mounts. These AutoFS mounts are not automatically mounted at startup time; they are the points under which file systems are mounted on demand.

Using Automount Maps

The file system resources for automatic mounting are defined in automount maps. Figure 7-3 shows maps defined in the /etc directory.

Figure 7-3 Configuring AutoFS Mount Points

The AutoFS map types are:

- Master map – Lists the other maps used for establishing the AutoFS file system. The automount command reads this map at boot time.

- Direct map – Lists the mount points as absolute path names. This map explicitly indicates the mount point on the client.

- Indirect map – Lists the mount points as relative path names. This map uses a relative path to establish the mount point on the client.

- Special – Provides access to NFS servers by using their host names.

(Figure 7-3 content: NFS client "venues" with maps in /etc. auto_master: /net -hosts [options]; /home auto_home [options]; /- auto_direct [options]. auto_direct: /opt/moreapps pluto:/export/opt/apps. auto_home: Ernie mars:/export/home/ernie; Mary mars:/export/home/mary.)

The automount maps can be obtained from ASCII data files, NIS maps, NIS+ tables, or from an LDAP database. Together, these maps describe information similar to the information specified in the /etc/vfstab file for remote file resources.

The source for automount maps is determined by the automount entry in the /etc/nsswitch.conf file. For example, the entry:

automount: files

tells the automount command that it should look in the /etc directory for its configuration information. Using nis instead of files tells automount to check the NIS maps for its configuration information.

Configuring the Master Map

The auto_master map associates a directory, also called a mount point, with a map. The auto_master map is a master list specifying all the maps that the AutoFS service should check. Names of direct and indirect maps listed in this map refer to files in the /etc directory or to name service databases.

Associating a Mount Point With a Map

The following example shows an /etc/auto_master file.

# cat /etc/auto_master

# Master map for automounter

#

+auto_master

/net -hosts -nosuid,nobrowse

/home auto_home -nobrowse

The general syntax for each entry in the auto_master map is:

mount point map name mount options

where:

mount point    The full path name of a directory. If the directory does not exist, the AutoFS service creates one, if possible.

map name    The name of a direct or indirect map. These maps provide mounting information. A relative path name in this field requires AutoFS to consult the /etc/nsswitch.conf file for the location of the map.

mount options    The general options for the map. The mount options are similar to those used for standard NFS mounts. However, the nobrowse option is an AutoFS-specific mount option.

Note – The plus (+) symbol at the beginning of the +auto_master line in this file directs the automountd daemon to look at the NIS, NIS+, or LDAP databases before it reads the rest of the map. If this line is commented out, only the local files are searched unless the /etc/nsswitch.conf file specifies that NIS, NIS+, or LDAP should be searched.

Identifying Mount Points for Special Maps

There are two mount point entries listed in the default /etc/auto_master file.

# cat /etc/auto_master
#
# Copyright 2003 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)auto_master 1.8 03/04/28 SMI"
#
# Master map for automounter
#
+auto_master
/net -hosts -nosuid,nobrowse
/home auto_home -nobrowse

The two mount points for special maps are:

The -hosts map    Provides access to all resources shared by NFS servers. The resources being shared by a server are mounted below the /net/hostname directory, or, if only the server’s IP address is known, below the /net/IPaddress directory. The server does not have to be listed in the hosts database for this mechanism to work.

The auto_home map    This map provides the mechanism to allow users to access their centrally located $HOME directories.

Using the /net Directory

Shared resources associated with the hosts map entry are mounted below the /net/hostname directory. For example, a shared resource named /documentation on host sys42 is mounted by the command:

# cd /net/sys42/documentation

Using the cd command to trigger the automounting of sys42’s resource eliminates the need to log in to the system. Any user can mount the resource by executing the command to change to the directory that contains the shared resource. The resource remains mounted until a predetermined time period of inactivity has occurred.

The -nobrowse option prevents all the potential mount points from being visible. Only those resources that are actually mounted are visible.

Adding Direct Map Entries

The /- entry in the example master map defines a mount point for direct maps.

# cat /etc/auto_master
# Master map for automounter
#
+auto_master
/net -hosts -nosuid,nobrowse
/home auto_home -nobrowse
/- auto_direct -ro

The /- mount point is a pointer that informs the automount facility that the full path names are defined in the file specified by map_name (the /etc/auto_direct file in this example).

Note – The /- entry is not an entry in the default master map. This entry has been added here as an example. The other entries in this example already exist in the auto_master file.

Even though the map_name entry is specified as auto_direct, the automount facility automatically searches for all map-related files in the /etc directory; therefore, based upon the automount entry in the /etc/nsswitch.conf file, the auto_direct file is the /etc/auto_direct file. If the auto_direct file is to be stored in another directory, the absolute path name to the file should be used.

Note – An NIS or NIS+ master map can have only one direct map entry. A master map that is a local file can have any number of entries.

Creating a Direct Map

Direct maps specify the absolute path name of the mount point, the specific options for this mount, and the shared resource to mount. For example:

# cat /etc/auto_direct

# Superuser-created direct map for automounter

#

/apps/frame -ro,soft server1:/export/framemaker,v6.0

/opt/local -ro,soft server2:/export/unbundled

/usr/share/man -ro,soft server3,server4,server5:/usr/share/man

The syntax for direct maps is:

key [ mount-options ] location

where:

key    The full path name of the mount point for the direct maps.

mount-options    The specific options for a given entry.

location    The location of the file resource specified in server:pathname notation.

The following direct map entry specifies that the client mounts the /usr/share/man directory as read-only from the servers server3, server4, or server5, as available.

/usr/share/man -ro server3,server4,server5:/usr/share/man

This entry uses a special notation, a comma-separated list of servers, to specify a powerful automount feature: multiple locations for a file resource. The automountd daemon automatically mounts the /usr/share/man directory as needed, from servers server3, server4, or server5, with server proximity and administrator-defined weights determining server selection. If the nearest server fails to respond within the specified timeout period, the next server which responds first is selected.

Note – Selection criteria for multiple servers, such as server proximity and administrator-defined weights, are defined in the “Replicated File Systems” section of the automount man page.

Adding Indirect Map Entries

The /home entry defines a mount point for an indirect map. The map auto_home lists relative path names only. Indirect maps obtain the initial path of the mount point from the master map.

# cat /etc/auto_master

# Master map for automounter

#

+auto_master

/net -hosts -nosuid,nobrowse

/home auto_home -nobrowse

The Solaris 2.6 through the Solaris 10 OS releases support browsing of indirect maps and special maps with the -browse option. This support allows all of the potential mount points to be visible, regardless of whether they are mounted. The -nobrowse option disables the browsing of indirect maps. Therefore, in this example, the /home automount point does not provide browser functions for any directory other than those that are currently mounted. The default for this option is -browse.

Creating an Indirect Map

Use the auto_home indirect map to list the location of home directories across the network. For example,

# cat /etc/auto_home

# Home directory map for automounter

#

+auto_home

stevenu host5:/export/home/stevenu

johnnyd host6:/export/home/johnnyd

wkd server1:/export/home/wkd

mary mars:/export/home/mary

The example /etc/auto_home file implies the following mount points: /home/stevenu, /home/johnnyd, /home/wkd, and /home/mary. Figure 7-4 on page 7-12 shows the /home/mary mount point.

The following describes the syntax for indirect maps:

key [ mount-options ] location

where:

key    Specifies the path name of the mount point relative to the beginning of the path name specified in the master map.

mount-options    Specifies the options for a given entry.

location    Specifies the location of the file resource specified in server:pathname notation.

Figure 7-4 The Mount Points (labels: NFS server "mars": /, export, home, ernie, mary; NFS client "venus": /, etc, auto_home, home, autofs, mary; Mount on Demand by automountd)

Reducing the auto_home Map to a Single Line

The following entry reduces the auto_home file to a single line. The use of substitution characters specifies that for every login ID, the client remotely mounts the /export/home/loginID directory from the NFS server server1 onto the local mount point /home/loginID, as shown in Figure 7-4.


Figure 7-5 shows that this entry uses the wildcard character (*) to match any key. The wildcard character cannot be used in combination with any other character. The substitution character (&) at the end of the location is replaced with the matched key field. Using wildcard and substitution characters works only when all home directories are on a single server (in this example, server1).
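The lookup that the wildcard (*) and substitution (&) characters perform, as an added example that is not part of the student guide: a simplified shell model that resolves a key against an indirect map. The resolve_key and write_sample_map functions are hypothetical, the first-match rule is an assumption of this model, and the sample map goes one step beyond the text by keeping explicit entries (including a constructed -nosuid option on wkd) ahead of the wildcard line.

```shell
#!/bin/sh
# Added example, not from the student guide: a simplified model of how a key
# is resolved against an indirect map. Assumption of this model: the first
# matching entry wins, so the wildcard entry belongs on the last line.

# resolve_key MAP_FILE MOUNT_PREFIX KEY
# Prints "mount_point location options" ("-" when the entry has no options).
# Returns 1 when no entry matches the key.
resolve_key() {
    awk -v prefix="$2" -v key="$3" '
        /^[ \t]*#/ { next }       # comment line
        /^[ \t]*$/ { next }       # blank line
        /^[+]/     { next }       # +auto_home name-service include, not followed here
        $1 == key || $1 == "*" {  # "*" is a wildcard only when it is the whole key
            opts = "-"; loc = $2
            # The optional mount-options field starts with "-".
            if ($2 ~ /^-/) { opts = substr($2, 2); loc = $3 }
            # Replace every "&" in the location with the key that was looked up.
            n = split(loc, part, "&")
            out = part[1]
            for (i = 2; i <= n; i++) out = out key part[i]
            print prefix "/" key, out, opts
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# write_sample_map FILE
# Constructed sample: entries from the auto_home listing in this module, one
# constructed mount option, and the single-line wildcard entry.
write_sample_map() {
    cat > "$1" <<'EOF'
# Home directory map for automounter
#
+auto_home
stevenu  host5:/export/home/stevenu
mary     mars:/export/home/mary
wkd      -nosuid server1:/export/home/wkd
*        server1:/export/home/&
EOF
}

# Demonstration: an explicit entry, an entry with options, and a key that
# only the wildcard line can satisfy.
map=$(mktemp)
write_sample_map "$map"
for k in mary wkd usera; do
    resolve_key "$map" /home "$k"
done
rm -f "$map"
```

The /home prefix passed as the second argument plays the role of the mount point that the master map supplies for the indirect map.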

* server1:/export/home/&

Figure 7-5 Mounting a Directory on a Local Mount Point

Updating the Automount Maps

When making changes to the master map or creating a direct map, run the automount command to make the changes effective.

Running the automount Command

The syntax of the command is:

automount [-t duration] [-v]

where:

-t duration  Specifies a time, in seconds, that the file system remains mounted when not in use. The default is 600 seconds (10 minutes).

-v           Specifies verbose mode, which displays output as the automount command executes.

You can modify the master map entries or add entries for new maps. However, you must run the automount command to make these changes effective.

You do not have to stop and restart the automountd daemon after making changes to existing entries in a direct map, because the daemon is stateless. You can modify existing entries in the direct map at any time. The new information is used when the automountd daemon next accesses the map entry to perform a mount.


Any modifications to indirect maps are automatically used by the automountd daemon.

A modification is a change to options or resources. A change to the key (the mount point) or a completely new line is an added entry, a deleted entry, or both.

Use Table 7-1 to determine whether you should run (or rerun) the automount command.

Table 7-1 When to Run the automount Command

Automount Map   Run if the Entry is Added or Deleted   Run if the Entry is Modified
Master map      Yes                                    Yes
Direct map      Yes                                    No
Indirect map    No                                     No

Verifying AutoFS Entries in the /etc/mnttab File

The /etc/mnttab file is a file system that provides read-only access to the table of mounted file systems for the current host. Mounting a file system adds an entry to this table. Unmounting a file system removes the entry from this table. Each entry in the table is a line of fields separated by spaces in the form of:

special mount_point fstype options time

where:

special      The name of the resource to be mounted

mount_point  The path name of the directory on which the file system is mounted

fstype       The type of file system

options      The mount options

time         The time at which the file system was mounted


You can display the /etc/mnttab file to obtain a snapshot of the mounted file systems, including those mounted as an AutoFS file system type.

# grep autofs /etc/mnttab
-hosts /net autofs nosuid,indirect,ignore,nobrowse,dev=4e00001 1099678245
auto_home /home autofs indirect,ignore,nobrowse,dev=4e00002 1099678245
-hosts /net/sys-02/rdbms_files autofs nosuid,ignore,nest,nobrowse,dev=4e00003 1099679619
-hosts /net/sys-02/usr autofs nosuid,ignore,nest,nobrowse,dev=4e00004 1099679619
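A check built on the master map and mnttab fields described in this module, as an added example that is not part of the student guide: it lists automounter mount points that do not carry the nosuid option, first as configured in the master map and then as mounted according to mnttab. The function names are hypothetical, and the sample data repeats the /etc/auto_master and grep listings from this module.

```shell
#!/bin/sh
# Added example, not from the student guide: report mount points that lack
# the nosuid option. Without nosuid, setuid bits on files served by the
# remote system are honored on the client.

# master_without_nosuid MASTER_MAP
# Master map fields: mount_point map_name [-options]
# Prints "mount_point map_name" for each entry whose options omit nosuid.
master_without_nosuid() {
    awk '
        /^[ \t]*#/ { next }     # comment line
        /^[ \t]*$/ { next }     # blank line
        /^[+]/     { next }     # +auto_master name-service include, not followed here
        {
            opts = ($3 ~ /^-/) ? substr($3, 2) : ""
            n = split(opts, o, ","); hit = 0
            for (i = 1; i <= n; i++) if (o[i] == "nosuid") hit = 1
            if (!hit) print $1, $2
        }
    ' "$1"
}

# mnttab_without_nosuid MNTTAB_FILE FSTYPE
# mnttab fields: special mount_point fstype options time
# Prints "mount_point special" for each entry of FSTYPE mounted without nosuid.
mnttab_without_nosuid() {
    awk -v want="$2" '
        NF >= 5 && $3 == want {
            n = split($4, o, ","); hit = 0
            for (i = 1; i <= n; i++) if (o[i] == "nosuid") hit = 1
            if (!hit) print $2, $1
        }
    ' "$1"
}

# Sample input: the master map listing from this module.
write_sample_master() {
    cat > "$1" <<'EOF'
# Master map for automounter
#
+auto_master
/net -hosts -nosuid,nobrowse
/home auto_home -nobrowse
EOF
}

# Sample input: the autofs lines from the grep listing in this module.
write_sample_mnttab() {
    cat > "$1" <<'EOF'
-hosts /net autofs nosuid,indirect,ignore,nobrowse,dev=4e00001 1099678245
auto_home /home autofs indirect,ignore,nobrowse,dev=4e00002 1099678245
-hosts /net/sys-02/rdbms_files autofs nosuid,ignore,nest,nobrowse,dev=4e00003 1099679619
-hosts /net/sys-02/usr autofs nosuid,ignore,nest,nobrowse,dev=4e00004 1099679619
EOF
}

# Demonstration on the sample data; on a live system pass /etc/auto_master
# and /etc/mnttab instead.
tmp=$(mktemp -d)
write_sample_master "$tmp/auto_master"
write_sample_mnttab "$tmp/mnttab"
echo "Master map entries without nosuid:"
master_without_nosuid "$tmp/auto_master"
echo "autofs mounts without nosuid:"
mnttab_without_nosuid "$tmp/mnttab" autofs
rm -rf "$tmp"
```

Passing nfs as the second argument of mnttab_without_nosuid applies the same test to the NFS file systems that the automounter has mounted.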

Stopping and Starting the Automount System

The autofs service is enabled or disabled automatically as the system transitions between run levels, or you can enable or disable the service manually from the command line.

Stopping the Automount System

When the autofs service is disabled, it performs a forced unmount of all AutoFS file systems, and it then kills the automountd daemon.

The autofs service is disabled automatically when transitioning to the single-user milestone.

To disable the service, become superuser, and kill the automountd daemon by typing the following command:

# svcadm disable svc:/system/filesystem/autofs


Starting the Automount System

When the autofs service is enabled, the service management facility starts the automountd daemon, and then it runs the automount utility as a background task.

The service starts automatically when transitioning to the multi-user milestone.

To enable the service manually, become superuser, and start the automountd daemon by performing the command:

# svcadm enable svc:/system/filesystem/autofs


Performing the Exercises

You have the option to complete any one of three versions of a lab. To decide which option to choose, consult the following descriptions of the levels:

- Level 1 – This version of the lab provides the least amount of guidance. Each bulleted paragraph provides a task description, but you must determine your own way of accomplishing each task.

- Level 2 – This version of the lab provides more guidance. Although each step describes what you should do, you must determine which commands (and options) to input.

- Level 3 – This version of the lab is the easiest to accomplish because each step provides exactly what you should input to the system. This level also includes the task solutions for all three levels.


Exercise: Using the Automount Facility (Level 1)

In this exercise, you use the automount facility to automatically mount man pages and to mount a user’s home directory.

Preparation

Choose a partner for this lab, and determine which system will be configured as the NFS server and which will serve as the NFS client. Verify that entries for both systems exist in the /etc/hosts file of each system. Refer to the lecture notes as necessary to perform the steps listed.

Tasks

Perform the following tasks:

- On the server, perform the steps required to share the /usr/share/man directory.

- On the client, rename the /usr/share/man directory to /usr/share/man.orig, and create a new mount point for the /usr/share/man directory. Edit the master map so that it calls a direct map. Create the direct map to mount the /usr/share/man directory from the server. Use the automount command to update the automountd daemon. Test that the man pages work, and verify the mount that occurs.

- Create a new, identical user on both the server and client that uses /export/home/username for the user’s home directory. On both systems, make the changes required in the /etc/passwd file to set the home directory for this new user to the /home/username directory.

- On the server, perform the steps required to share the /export/home directory.

- On both systems, make the changes required in the /etc/auto_home file to allow both systems to automatically mount the /export/home/username directory when the new user calls for the /home/username directory. Test the new user login on both systems, and verify that the mounts take place. Log in as root when finished.

- On the server, unshare the /export/home and /usr/share/man directories, and remove entries for these directories from the /etc/dfs/dfstab file. Stop the NFS server daemons.

- On the client, remove the direct map entry from the /etc/auto_master file, and update the automountd daemon with the change. Return the /usr/share/man directory to its original configuration.


Exercise: Using the Automount Facility (Level 2)

In this exercise, you use the automount facility to automatically mount man pages and to mount a user’s home directory.

Preparation

Choose a partner for this lab, and determine which system will be configured as the NFS server and which will serve as the NFS client. Verify that entries for both systems exist in the /etc/hosts file of each system. Refer to the lecture notes as necessary to perform the steps listed.

Task Summary

Perform the following tasks:

- On the server, perform the steps required to share the /usr/share/man directory.

- On the client, rename the /usr/share/man directory to /usr/share/man.orig, and create a new mount point for the /usr/share/man directory. Edit the master map so that it calls a direct map. Create the direct map to mount the /usr/share/man directory from the server. Use the automount command to update the automountd daemon. Test that the man pages work, and verify the mount that occurs.

- Create a new, identical user on both the server and client that uses /export/home/username for the user’s home directory. On both systems, make the changes required in the /etc/passwd file to set the home directory for this new user to the /home/username directory.

- On the server, perform the steps required to share the /export/home directory.

- On both systems, make the changes required in the /etc/auto_home file to allow both systems to automatically mount the /export/home/username directory when the new user calls for the /home/username directory. Test the new user login on both systems, and verify that the mounts take place. Log in as root when finished.

- On the server, unshare the /export/home and /usr/share/man directories and remove entries for these directories from the /etc/dfs/dfstab file. Stop the NFS server daemons.

- On the client, remove the direct map entry from the /etc/auto_master file, and update the automountd daemon with the change. Return the /usr/share/man directory to its original configuration.


Tasks

Complete the following tasks.

Task 1 – On the Server Host

Complete the following steps:

1. Edit the /etc/dfs/dfstab file, and add a line to share the man pages.

2. Use the pgrep command to check if the mountd daemon is running.

- If the mountd daemon is not running, start it.

- If the mountd daemon is running, share the new directory.

Task 2 – On the Client Host

Complete the following steps:

1. Rename the /usr/share/man directory so that you cannot view the man pages installed on the client system.

_____________________________________________________________

2. Make a backup copy of the /etc/auto_master file called /etc/_auto_master and then edit the /etc/auto_master file and add an entry for a direct map.

_____________________________________________________________

3. Use the vi editor to create a new file called /etc/auto_direct, and add an entry to the file to share the man pages.

_____________________________________________________________

4. Run the automount command to update the list of directories managed by the automountd daemon.

_____________________________________________________________

5. Test the configuration, and verify that a mount for the /usr/share/man directory exists after accessing the man pages.

_____________________________________________________________

What did you observe to indicate that the automount operation was successful?

_____________________________________________________________


Task 3 – On the Server Host

Complete the following steps:

1. Verify that the /export/home directory exists. If it does not exist, create it.

2. Add a user account with the following characteristics:

- User ID: 3001

- Primary group: 10

- Home directory: /export/home/usera

- Login shell: /bin/ksh

- User name: usera

3. Configure the password mechanism for usera so that this user must assign a new password (123pass) at next login. Do this by executing the passwd -f usera command.

Task 4 – On the Client Host

Complete the following steps:

1. Verify that the /export/home directory exists. If it does not exist, create it.

2. Add a user account with the following characteristics:

- User ID: 3001

- Primary group: 10

- Home directory: /export/home/usera

- Login shell: /bin/ksh

- User name: usera

3. Configure the password mechanism for usera so that this user must assign a new password (123pass) at next login. Do this by executing the passwd -f usera command.


Task 5 – On Both Systems

Complete the following steps:

1. Edit the /etc/passwd file, and change the home directory for usera from the /export/home/usera directory to /home/usera.

2. Make a backup copy of the /etc/auto_home file and call it /etc/_auto_home and then edit the /etc/auto_home file. Add the following line, and replace username with usera:

username server:/export/home/usera

Task 6 – On the Server Host

Complete the following steps:

1. Edit the /etc/dfs/dfstab file, and add a line to share the /export/home directory.

2. Use the pgrep command to check if the mountd daemon is running.

- If the mountd daemon is not running, start it.

- If the mountd daemon is running, share the new directory.

Task 7 – On Both Systems

Complete the following step:

Log in as the new user.

Do both systems automatically mount the new user’s home directory?

_____________________________________________________________

Which directory is mounted, and what is the mount point:

- On the server?

________________________________________________________

- On the client?

________________________________________________________


Task 8 – On the Client Host

Complete the following steps:

1. Remove the entry for usera from the /etc/auto_home map.

_____________________________________________________________

2. Remove the entry for the auto_direct map from the /etc/auto_master map and remove the /etc/auto_direct file you created earlier.

_____________________________________________________________

3. Reboot the client.

_____________________________________________________________

4. Remove the /usr/share/man directory.

_____________________________________________________________

5. Rename the /usr/share/man.orig directory to /usr/share/man.

_____________________________________________________________

Task 9 – On the Server Host

Complete the following steps:

1. After the client reboots as described in step 3 of “Task 8 – On the Client Host” on page 7-23, remove the entry for usera from the /etc/auto_home map.

_____________________________________________________________

2. Remove the entries from /etc/dfs/dfstab file.

_____________________________________________________________

3. Unshare mounted directories.

_____________________________________________________________


Exercise: Using the Automount Facility (Level 3)

In this exercise, you use the automount facility to automatically mount man pages and to mount a user’s home directory.

Preparation

Choose a partner for this lab, and determine which system will be configured as the NFS server and which will serve as the NFS client. Verify that entries for both systems exist in the /etc/hosts file of each system. Refer to the lecture notes as necessary to perform the steps listed.

Task Summary

Perform the following tasks:

- On the server, perform the steps required to share the /usr/share/man directory.

- On the client, rename the /usr/share/man directory to /usr/share/man.orig, and create a new mount point for the /usr/share/man directory. Edit the master map so that it calls a direct map. Create the direct map to mount the /usr/share/man directory from the server. Use the automount command to update the automountd daemon. Test that the man pages work, and verify the mount that occurs.

- Create a new, identical user on both the server and client that uses /export/home/username for the user’s home directory. On both systems, make the changes required in the /etc/passwd file to set the home directory for this new user to the /home/username directory.

- On the server, perform the steps required to share the /export/home directory.

- On both systems, make the changes required in the /etc/auto_home file to allow both systems to automatically mount the /export/home/username directory when the new user calls for the /home/username directory. Test the new user login on both systems, and verify that the mounts happen. Log in as root when finished.


- On the server, unshare the /export/home and /usr/share/man directories and remove entries for these directories from the /etc/dfs/dfstab file. Stop the NFS server daemons.

- On the client, remove the direct map entry from the /etc/auto_master file, and update the automountd daemon with the change. Return the /usr/share/man directory to its original configuration.

Tasks and Solutions

The following section provides the tasks with their solutions.

Task 1 – On the Server Host

Complete the following steps:

1. Edit the /etc/dfs/dfstab file, and add a line to share the man pages.

share -o ro /usr/share/man

2. Use the pgrep command to check if the mountd daemon is running.

# pgrep -fl mountd
820 /usr/lib/autofs/automountd
2256 /usr/lib/nfs/mountd

- If the mountd daemon is not running, start it.

# svcadm enable svc:/network/nfs/server

- If the mountd daemon is running, share the new directory.

# shareall

Task 2 – On the Client Host

Complete the following steps:

1. Rename the /usr/share/man directory so that you cannot view the man pages installed on the client system.

# cd /usr/share/

# mv man man.orig


2. Make a backup copy of the /etc/auto_master file called /etc/_auto_master and then edit the /etc/auto_master file and add an entry for a direct map.

# cp /etc/auto_master /etc/_auto_master

# vi /etc/auto_master

/- auto_direct

3. Use the vi editor to create a new file called /etc/auto_direct, and add an entry to the file to share the man pages.

# vi /etc/auto_direct

/usr/share/man server:/usr/share/man

4. Run the automount command to update the list of directories managed by the automountd daemon.

# automount -v

5. Test the configuration, and verify that a mount for the /usr/share/man directory exists after accessing the man pages.

# man ls

<-- output from man command -- >

# mount | grep man
/usr/share/man on sys44:/usr/share/man remote/read/write/setuid/dev=42c0003 on Thu Jan 6 08:07:26 2005

What did you observe to indicate that the automount operation was successful?

This operation should automatically mount the directory in which the manuals are stored. In other words, the man command should work.

Task 3 – On the Server Host

Complete the following steps:

1. Verify that the /export/home directory exists. If it does not exist, create it.

# ls /export/home

Note – Perform the next command if the /export/home directory does not exist.

# mkdir /export/home


2. Add a user account with the following characteristics:

- User ID: 3001

- Primary group: 10

- Home directory: /export/home/usera

- Login shell: /bin/ksh

- User name: usera

# useradd -u 3001 -g 10 -m -d /export/home/usera -s /bin/ksh usera

3. Configure the password mechanism for usera so that this user must assign a new password (123pass) at next login. Do this by executing the passwd -f usera command.

Task 4 – On the Client Host

Complete the following steps:

1. Verify that the /export/home directory exists. If it does not, create it.

# ls /export

# mkdir /export/home

2. Add a user account with the following characteristics:

- User ID: 3001

- Primary group: 10

- Home directory: /export/home/usera

- Login shell: /bin/ksh

- User name: usera

# useradd -u 3001 -g 10 -m -d /export/home/usera -s /bin/ksh usera

3. Configure the password mechanism for usera so that this user must assign a new password (123pass) at next login. Do this by executing the passwd -f usera command.


Task 5 – On Both Systems

Complete the following steps:

1. Edit the /etc/passwd file, and change the home directory for usera from the /export/home/usera directory to /home/usera.

# vi /etc/passwd

2. Make a backup copy of the /etc/auto_home file and call it /etc/_auto_home and then edit the /etc/auto_home file. Add the following line, and replace username with usera:

username server:/export/home/usera

# cp /etc/auto_home /etc/_auto_home

Task 6 – On the Server Host

Complete the following steps:

1. Edit the /etc/dfs/dfstab file, and add a line to share the /export/home directory.

share /export/home

2. Use the pgrep command to check if the mountd daemon is running.

# pgrep -fl mountd
820 /usr/lib/autofs/automountd
2256 /usr/lib/nfs/mountd

- If the mountd daemon is not running, start it.

# svcadm enable svc:/network/nfs/server

- If the mountd daemon is running, share the new directory.

# shareall


Task 7 – On Both Systems

Complete the following step:

Log in as the new user.

# su - usera

Do both systems automatically mount the new user’s home directory?

Yes, this should work.

Exit from the usera login.

# exit

Which directory is mounted, and what is the mount point:

# mount

- On the server?

The /home/username directory is mounted on the /export/home/username directory.

- On the client?

The /home/username directory is mounted on the server:/export/home/username directory.

Task 8 – On the Client Host

Complete the following steps:

1. Remove the entry for usera from the /etc/auto_home map.

2. Remove the entry for the auto_direct map from the /etc/auto_master map and remove the /etc/auto_direct file you created earlier.

3. Reboot the client.

# init 6

4. Remove the /usr/share/man directory.

# rmdir /usr/share/man

5. Rename the /usr/share/man.orig directory to /usr/share/man.

# mv /usr/share/man.orig /usr/share/man


Task 9 – On the Server Host

Complete the following steps:

1. After the client reboots as described in step 3 of “Task 8 – On the Client Host” on page 7-29, remove the entry for usera from the /etc/auto_home map.

2. Remove the entries from /etc/dfs/dfstab file.

3. Unshare mounted directories.

# unshareall


Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

- Experiences

- Interpretations

- Conclusions

- Applications


Module 8

Describing RAID and the Solaris™ Volume Manager Software

Objectives

A redundant array of independent disks (RAID) configuration enables you to expand the characteristics of a storage volume beyond the physical limitations of a single disk. You can use a RAID configuration to increase storage capacity as well as to improve disk performance and fault tolerance. The Solaris Volume Manager software can be run from the command line or a graphical user interface (GUI) tool to simplify system administration tasks on storage devices. Upon completion of this module, you should be able to:

- Describe RAID

- Describe Solaris Volume Manager software concepts

The course map in Figure 8-1 shows how this module fits into the current instructional goal.

Figure 8-1 Course Map

[Figure: course map for Managing Storage Volumes, with the modules Describing RAID and Solaris™ Volume Manager Software, and Configuring Solaris Volume Manager Software.]


Introducing RAID

RAID is a classification of methods to back up and to store data on multiple disk drives. There are six levels of RAID as well as a non-redundant array of independent disks (RAID 0). The Solaris Volume Manager software uses metadevices, which are product-specific definitions of logical storage volumes, to implement RAID 0, RAID 1, RAID 1+0 and RAID 5:

- RAID 0: Non-redundant disk array (concatenation and striping)

- RAID 1: Mirrored disk array

- RAID 5: Block-interleaved striping with distributed-parity

RAID 0

RAID-0 volumes, including both stripes and concatenations, are composed of slices and let you expand disk storage capacity. You can either use RAID-0 volumes directly or use the volumes as the building blocks for RAID-1 volumes (mirrors). There are two types of RAID-0 volumes:

- Concatenated volumes (or concatenations)

A concatenated volume writes data to the first available slice. When the first slice is full, the volume writes data to the next available slice.

- Striped volumes (or stripes)

A stripe distributes data equally across all slices in the stripe.

RAID-0 volumes allow you to expand disk storage capacity efficiently. These volumes do not provide data redundancy. If a single slice fails on a RAID-0 volume, the entire volume is inaccessible.


Concatenated Volumes

Figure 8-2 shows that in a concatenated RAID 0 volume, data is organized across disk slices, forming one logical storage unit.

Figure 8-2 RAID-0 Concatenation

[Figure: Physical Slices A, B, and C are combined by the Solaris™ Volume Manager software into one RAID 0 (concatenation) logical volume]

A concatenation combines the capacities of several slices to get a larger storage capacity. You can add more slices to the concatenation as the demand for storage increases. You can add slices at any time, even if other slices are currently active.


The default behavior of concatenated RAID-0 volumes is to fill a physical component within the volume before beginning to store data on subsequent components within the concatenated volume. However, the default behavior of UFS file systems within the Solaris OS is to distribute the load across devices assigned to the volume containing a file system.

This behavior makes it seem that concatenated RAID-0 volumes distribute data across the components of the volume in a round-robin, interlaced fashion.

This interlacing of data is a function of the UFS file system that is mounted in the concatenated volume and is not a function of the concatenated volume itself.

You can also use a concatenation to expand any active and mounted UFS file system without having to bring down the system. The capacity of a concatenation is the total size of all the slices in the concatenation.


Striped Volumes

Figure 8-3 shows the arrangement of a striped RAID-0 volume. A RAID 0 volume configured as a stripe arranges data across two or more slices. Striping alternates equally-sized segments of data across two or more slices, forming one logical storage unit. These segments are interleaved round-robin, so that the combined space is created alternately from each slice.

Figure 8-3 RAID-0 Stripe

[Figure: Interlaces 1 through 6 are distributed across Physical Slices A, B, and C, which the Solaris™ Volume Manager software presents as one RAID 0 (stripe) logical volume]

Striping enables parallel data access because data can be retrieved from multiple disks at the same time. Parallel access increases input/output (I/O) throughput because multiple disks in the volume are busy servicing I/O requests simultaneously.


You cannot convert an existing file system directly to a stripe. You must first back up the file system, create the stripe, and then restore the file system to the stripe.

For sequential I/O operations on a stripe, the Solaris Volume Manager software reads all the blocks in an interlace. An interlace is a grouped segment of blocks on a particular slice. The Solaris Volume Manager software then reads all the blocks in the interlace on the second slice, and so on.

An interlace is the size of the logical data chunks on a stripe. Depending on the application, different interlace values can increase performance for your configuration. The performance increase comes from several disk head-arm assemblies (HDAs) concurrently executing I/O operations. When the I/O request is larger than the interlace size, you might get better performance.

When you create a stripe, you can set the interlace value. After you create the stripe, you cannot change the interlace value. You could back up the data on it, delete the stripe, create a new stripe with a new interlace value, and then restore the data.
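The difference between filling slices in order (concatenation) and rotating interlaces across them (stripe) shows up when logical blocks are mapped to slices. The following Python model is an added example, not part of the student guide or of the Solaris Volume Manager software; the slice sizes, the 32-block interlace, and the function names are assumptions chosen for illustration.

```python
"""Model of RAID-0 address mapping (illustrative; not Solaris Volume Manager code)."""

# Constructed sample geometry (assumed values, not taken from the guide).
SLICE_SIZES = [1000, 1000, 1000]   # blocks on slices A, B, and C
INTERLACE_BLOCKS = 32              # blocks per interlace on the stripe


def concat_map(block, slice_sizes=SLICE_SIZES):
    """Concatenation: slice 0 is filled first, then slice 1, and so on.

    Returns (slice_index, block_within_slice).
    """
    if block < 0:
        raise ValueError("negative block number")
    for index, size in enumerate(slice_sizes):
        if block < size:
            return index, block
        block -= size
    raise ValueError("block is beyond the end of the volume")


def stripe_map(block, n_slices=len(SLICE_SIZES), interlace=INTERLACE_BLOCKS):
    """Stripe: consecutive interlaces rotate round-robin across the slices.

    Returns (slice_index, block_within_slice).
    """
    if block < 0:
        raise ValueError("negative block number")
    interlace_no, offset = divmod(block, interlace)
    row, slice_index = divmod(interlace_no, n_slices)
    return slice_index, row * interlace + offset


def slices_touched(start, length, mapper):
    """Slices that must service a sequential request of `length` blocks."""
    return sorted({mapper(b)[0] for b in range(start, start + length)})


if __name__ == "__main__":
    # A request smaller than one interlace stays on one slice in both layouts;
    # a request spanning three interlaces keeps all three stripe slices busy.
    for length in (16, 96):
        print(length, "blocks:",
              "concatenation ->", slices_touched(0, length, concat_map),
              "stripe ->", slices_touched(0, length, stripe_map))
```

A sequential request only involves more than one slice of the concatenation when it crosses a slice boundary, while on the stripe any request longer than one interlace is spread over several slices.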

RAID 1

RAID-1 volumes, also known as mirror volumes in the Solaris Volume Manager software, are typically composed of RAID-0 volumes and provide the advantage of data redundancy. The disadvantage is the higher cost incurred by requiring two RAID-1 devices wherever a single RAID-0 device is mirrored. Typical topics to be considered when configuring mirrors are:

• Trade-offs when using mirrors

• Uses of multiple submirrors

• RAID 0+1

• RAID 1+0

• Mirror read, write, and synchronization options

• Mirror configuration guidelines


Trade-Offs When Using Mirrors

A RAID-1 (mirror) volume maintains identical copies of the data in RAID-0 volumes. Mirroring requires more disks. You need at least twice as much disk space as the amount of data to be mirrored.

After configuring a mirror, you can use it as if it were a physical slice. With multiple copies of data available, data access time is reduced if the mirror read and write policies are properly configured. You then use read and write policies to distribute the access to the submirrors evenly across the mirror. The mirror read and write policies are described in detail later in this module.

You can mirror any file system, including existing file systems. You can also use a mirror for any application, such as a database.

Using Multiple Submirrors

A mirror is made of two or more RAID-0 volumes configured as either stripes or concatenations. The mirrored RAID-0 volumes are called submirrors. A mirror consisting of two submirrors is known as a two-way mirror, while a mirror consisting of three submirrors is known as a three-way mirror.

Creating a two-way mirror is usually sufficient for data redundancy. Creating a third submirror enables you to make online backups without losing data redundancy while one submirror is offline for the backup.

When a submirror is offline, it is in a read-only mode. The Solaris Volume Manager software tracks all the changes written to the online submirror. When the submirror is brought back online, only the newly written portions are resynchronized. Other reasons for taking the submirror offline include backups, troubleshooting, and repair.

You can attach or detach a submirror from a mirror at any time, though at least one submirror must remain attached to the mirror at all times. Usually, you begin the creation of a mirror with only a single submirror, after which you can attach additional submirrors, as shown in Figure 8-4.


Figure 8-4 RAID-1 Mirror

[Figure: a RAID 1 (mirror) logical volume made of Submirror 1 and Submirror 2, each holding a copy of Interlaces 1 through 4, presented by the Solaris™ Volume Manager software]

The Solaris Volume Manager software makes duplicate copies of the data located on multiple physical disks. The Solaris Volume Manager software presents one virtual disk to the application. All disk writes are duplicated, and disk reads come from one of the underlying submirrors. If the submirrors are not of equal size, the total capacity of the mirror is limited by the size of the smallest submirror.


RAID 0+1

In RAID-0+1 volumes, stripes are mirrored to each other. In a pure RAID-0+1 configuration, the failure of one slice would cause the failure of the whole submirror.

Figure 8-5 shows an example of a RAID-0+1 configuration. A failure in slice A, B, or C causes a failure of the entire Submirror 1. A failure in slice D, E, or F causes a failure of the entire Submirror 2. One failure in each submirror of the RAID 0+1 mirror causes a failure of the entire mirror.

Figure 8-5 RAID-0+1 Mirror of Stripes

[Figure: Physical Slices A, B, and C form a RAID 0 (striped) volume, Submirror 1; Physical Slices D, E, and F form a RAID 0 (striped) volume, Submirror 2; the two submirrors form a RAID 1 (mirrored) volume]


RAID 1+0

RAID-1+0 volumes consist of multiple mirrors striped together. RAID 1+0 provides greater data security, because a failure of a single physical disk slice causes a failure for only one half of one of the submirrors, leaving most of the configuration’s redundancy intact.

Figure 8-6 shows an example of a RAID-1+0 volume configuration. This example consists of three slices. Each of these three slices mirrors itself. The RAID 0 stripe can tolerate three simultaneous physical slice failures, one in each RAID-1 mirror, before the entire RAID-0 stripe is considered to have failed. This is a more fault-tolerant configuration, as compared with the RAID-0+1 mirror. If both submirrors in any one of the mirrors fail, one third of the data is lost, and the RAID-1+0 volume is also considered failed.

Figure 8-6 RAID 1+0 Stripe of Mirrors

[Figure: three RAID 1 (mirror) logical volumes, built from Physical Slices A and D, B and E, and C and F, are striped together into one RAID 0 (striped) logical volume]

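The fault-tolerance comparison between Figure 8-5 and Figure 8-6 can be checked by enumerating every combination of failed slices. The following Python model is an added example, not part of the student guide; it assumes the pure RAID-0+1 behavior described above (one failed slice fails its whole submirror) and the slice pairings A/D, B/E, and C/F for the RAID-1+0 mirrors, and the function names are hypothetical.

```python
"""Compare slice-failure tolerance of RAID 0+1 and RAID 1+0 (illustrative model)."""
from itertools import combinations

SLICES = "ABCDEF"

# Figure 8-5: two striped submirrors, mirrored to each other.
RAID01_SUBMIRRORS = [set("ABC"), set("DEF")]

# Figure 8-6: three two-slice mirrors, striped together (pairings assumed).
RAID10_MIRRORS = [set("AD"), set("BE"), set("CF")]


def raid01_survives(failed):
    """Pure RAID 0+1: a stripe fails when any of its slices fails, and the
    mirror survives only while at least one submirror is fully intact."""
    failed = set(failed)
    return any(not (submirror & failed) for submirror in RAID01_SUBMIRRORS)


def raid10_survives(failed):
    """RAID 1+0: each mirror needs one working slice, and the stripe
    needs every one of its mirrors."""
    failed = set(failed)
    return all(mirror - failed for mirror in RAID10_MIRRORS)


def survival_table(max_failures=3):
    """Map failure count -> (RAID 0+1 survivors, RAID 1+0 survivors, combinations)."""
    table = {}
    for count in range(1, max_failures + 1):
        combos = list(combinations(SLICES, count))
        table[count] = (
            sum(raid01_survives(c) for c in combos),
            sum(raid10_survives(c) for c in combos),
            len(combos),
        )
    return table


if __name__ == "__main__":
    print("failed  0+1 ok  1+0 ok  combinations")
    for count, (ok01, ok10, total) in survival_table().items():
        print(f"{count:>6}  {ok01:>6}  {ok10:>6}  {total:>12}")
```

With two failed slices, the mirror of stripes survives 6 of the 15 possible combinations and the stripe of mirrors survives 12; with three, the figures are 2 and 8 of 20.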

Mirror Options

Mirror performance can be modified by using the following options:

• Mirror read policy

• Mirror write policy

Note – The mirror options listed here are representative of the options presented when configuring RAID-1 mirrors using the Solaris Volume Manager software.

You can define mirror options when you initially create the mirror or after you set up the mirror. You can distribute the load across the submirrors to improve read performance. Table 8-1 describes the configurable mirror read policies.

Table 8-1 Mirror Read Policies

Read Policy            Description
Round Robin (default)  Balances the load across the submirrors
Geometric              Enables the system to divide reads among submirrors on the basis of a logical disk block address
First                  Directs all reads to the first submirror

You can improve write performance by replicating all submirrors simultaneously. If a failure occurs during this write, all submirrors will be in an unknown state. Table 8-2 describes the configurable mirror write policies.

Table 8-2 Mirror Write Policies

Write Policy        Description
Parallel (Default)  Replicates a write to a mirror, and dispatches the write to all of the submirrors simultaneously
Serial              Specifies that writes to one submirror must complete before initiating writes to the next submirror


When a submirror is offline, any writes to the mirror are tracked in a dirty region log. When the submirror is brought back online, those regions must be updated or resynchronized.

Mirror Configuration Guidelines

The general configuration guidelines for configuring Solaris Volume Manager software mirrors are:

• Keep the slices of different submirrors on different disks and on different controllers for the best data protection. Organizing submirrors across separate controllers reduces the impact of a single controller failure and also improves mirror performance.

• Use the same type of disks and controllers in a single mirror. Particularly in old Small Computer System Interface (SCSI) devices, different models or brands of disks or controllers can vary in performance. Different performance levels can lead to a decrease in overall performance.

• Use submirrors of the same size to reduce unused disk space.

• Mount the mirror device directly. Do not try to mount a submirror directly, unless it is offline and mounted as read-only. Do not mount a slice that is part of a submirror, or you might destroy data and crash the system.

• Mirroring improves read performance, but reduces write performance. Mirroring improves read performance only in multi-threaded or asynchronous I/O situations. There is no performance gain if there is only a single thread reading from the volume.

• Experiment with the mirror read policies to improve performance. For example, using the Solaris Volume Manager software, the default read mode is to alternate reads using a round-robin method among the disks. This mode is the default because it works best for UFS multiuser, multiprocess activity.

• In some cases, the geometric read option improves performance by minimizing head motion and access time. This option is most effective when there is only one slice per disk, when only one process at a time is using the file system, when I/O patterns are sequential, or when all accesses are read.


• Use the swap -l command to check for all swap devices. Mirror the slices specified as swap separately.

• Use only similarly configured submirrors within a mirror. In particular, if you create a mirror with an unlabeled submirror, you cannot attach any submirrors that contain disk labels.

RAID 5

RAID-5 volumes are striped volumes that use a distributed parity scheme for data protection. To fully understand RAID-5 volumes, you must understand each of the following:

• Standard RAID-5 volume

• Requirements for RAID-5 volumes

• Suggestions for RAID-5 volumes

Standard RAID-5 Volume

RAID level 5 is similar to striping in that data is distributed across a set of disks. The difference between a RAID level 5 and striping is that in the RAID level 5, parity data is also distributed across the same set of disks. When a disk fails, lost data from the failing disk is rebuilt on the failed volume from the other disks using the distributed data and parity information stored on the remaining (unfailed) disks in the RAID-5 volume.

A RAID-5 volume uses a storage capacity equivalent to one slice to store parity information from the remainder of the RAID-5 volume’s slices. The parity information is distributed across all slices in the volume. Like a mirror, a RAID-5 volume increases data availability, but minimizes hardware cost. You cannot use a RAID-5 volume for the root (/) directory, the /usr directory, swap space, or existing file systems because the metadevice software is not loaded early enough in the Solaris OS boot process.


Figure 8-7 shows that the first three data interlaces are written to slices A, B, and C. The next item written is parity to Drive D. The pattern of writing data and parity results in both data and parity spread across all disks in the RAID-5 volume. You can read each drive independently. The parity protects against a single disk failure. In “RAID-5 Distributed Parity”, if each disk were 2 Gbytes, the total capacity of the RAID-5 volume would be 6 Gbytes. Parity information occupies the space equivalent to one drive.

Figure 8-7 RAID-5 Distributed Parity

[Figure: a RAID 5 logical volume of Interlaces 1 through 12 on Physical Slices A, B, C, and D, presented by the Solaris™ Volume Manager software. Slice A holds Interlaces 1, 7, and 10 and parity P(4-6); Slice B holds Interlaces 2, 4, and 11 and P(7-9); Slice C holds Interlaces 3, 5, and 8 and P(10-12); Slice D holds Interlaces 6, 9, and 12 and P(1-3)]

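The distributed-parity layout of Figure 8-7 and the rebuild of a failed slice can be reproduced in a few lines. The following Python model is an added example, not part of the student guide or of the Solaris Volume Manager software; it assumes byte-wise XOR as the parity function (the usual RAID-5 choice), places parity on slices D, A, B, C in turn as the figure shows, and uses constructed sample data and hypothetical function names.

```python
"""RAID-5 parity model following the layout in Figure 8-7 (illustrative only)."""
from functools import reduce

# Constructed sample data: twelve 4-byte interlaces, "I01 " through "I12 ".
SAMPLE_INTERLACES = [("I%02d " % n).encode() for n in range(1, 13)]


def xor_blocks(blocks):
    """Byte-wise XOR of equally sized blocks (assumed parity function)."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def parity_slice(row, n_slices):
    """Index of the slice holding parity for a row: D, A, B, C, then repeat."""
    return (row - 1) % n_slices


def build_raid5(interlaces, n_slices):
    """Return rows of n_slices blocks: the data interlaces in order, with the
    row's parity block inserted at its rotating position."""
    if n_slices < 3:
        raise ValueError("a RAID-5 volume needs at least three slices")
    per_row = n_slices - 1
    if len(interlaces) % per_row:
        raise ValueError("interlace count must fill whole rows")
    rows = []
    for row, start in enumerate(range(0, len(interlaces), per_row)):
        blocks = list(interlaces[start:start + per_row])
        blocks.insert(parity_slice(row, n_slices), xor_blocks(blocks))
        rows.append(blocks)
    return rows


def rebuild_slice(rows, failed):
    """Recompute every block of one failed slice from the surviving slices.

    XOR of all surviving blocks in a row yields the missing block, whether
    that block held data or parity.
    """
    return [
        xor_blocks([blk for index, blk in enumerate(row) if index != failed])
        for row in rows
    ]


def usable_capacity(n_slices, slice_size):
    """Parity occupies the equivalent of one slice."""
    return (n_slices - 1) * slice_size


if __name__ == "__main__":
    rows = build_raid5(SAMPLE_INTERLACES, 4)
    for name, index in zip("ABCD", range(4)):
        intact = rebuild_slice(rows, index) == [row[index] for row in rows]
        print("slice", name, "rebuilt correctly:", intact)
    print("capacity of four 2-Gbyte slices:", usable_capacity(4, 2), "Gbytes")
```

Losing a second slice leaves each row with two unknown blocks and only one parity equation, which is why the volume tolerates a single slice failure only.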

Requirements for RAID-5 Volumes

The general configuration guidelines for configuring RAID-5 volumes are:

• Create a RAID-5 volume with a minimum of three slices. The more slices a RAID-5 volume contains, the longer read and write operations take when a slice fails.

• Do not stripe, concatenate, or mirror RAID-5 volumes.

• Do not create a RAID-5 volume from a slice that contains an existing file system, because you will erase the data during the RAID-5 initialization process.

• When you create a RAID-5 volume, you can define the interlace value. If you do not specify a value, a default value of 16 Kbytes is assigned.

• A RAID-5 volume (with no hot spares) can only handle a single slice failure.

• To optimize performance, use slices across separate controllers when creating RAID-5 volumes.

• Use disk slices of the same size. Creating a RAID-5 volume of different-sized slices results in unused disk space on the larger slices.

Suggestions for RAID 5 Volumes

The following general suggestions can help avoid common performance problems when using RAID-5 volumes:

• Because of the complexity of parity calculations, volumes with greater than about 20 percent writes should probably not be RAID-5 volumes. If data redundancy on a write-heavy volume is needed, consider mirroring.

• If the slices in the RAID-5 volume reside on different controllers and the accesses to the volume are primarily large sequential accesses, then setting the interlace value to 32 Kbytes might improve performance.


Hardware Considerations

When planning your storage management configuration, keep in mind that for any given application there are trade-offs in performance, availability, and hardware costs. You might need to experiment with the different variables to determine what works best for your configuration. A few categories of information that you must address during the storage planning phase are:

• General storage guidelines

• Determining storage characteristics

• Storage performance guidelines

Note – While adding more drives to your configuration increases redundancy, it also increases your overall Mean Time Between Failure (MTBF) by having more hardware.

Storage Characteristics

When you classify storage characteristics, you provide guidelines for working with the Solaris Volume Manager software RAID-0 (concatenation and stripe) volumes, RAID-1 (mirror) volumes, and RAID-5 (striping with distributed parity) volumes.

While building your storage management plan, decide what types of storage devices to use. The storage characteristics guidelines help you compare and contrast the various storage mechanisms and also help you choose the best storage device.

Note – The storage mechanisms listed in Table 8-3 are not mutually exclusive. You can use them in combination to meet multiple goals. For example, you could create a RAID-1 volume for redundancy, and then create soft partitions on it to increase the number of possible discrete file systems.

Table 8-3 Choosing Storage Mechanisms

Feature                     RAID-0 Concatenation  RAID-0 Stripe  RAID-1 Mirror                     RAID-5 Stripe With Parity
Redundant data              No                    No             Yes                               Yes
Improved read performance   No                    Yes            Depends on the underlying device  Yes
Improved write performance  No                    Yes            No                                No

You must consider many factors when optimizing redundant storage. Table 8-4 compares RAID-1 and RAID-5 volumes for the speed of write operations, random read operations, and the overall cost of the underlying hardware.

Table 8-4 Optimizing Redundant Storage

Factors                     RAID 1 (Mirror)  RAID 5  Non-Redundant
Write operations            Faster           Slower  Neutral
Random read                 Slower           Faster  Neutral
Hardware cost               Highest          Higher  Lowest
Performance during failure  Best             Poor    Data loss

General Storage Guidelines

The general configuration guidelines for planning your storage configuration are:

• RAID-0 devices (stripes and concatenations) do not provide data redundancy.

• Concatenation works well for small, random I/O.

• Striping performs well for large, sequential I/O and for random I/O distributions.

• Mirroring improves read performance


• Because of the read-modify-write property of RAID-5 volumes, volumes with greater than about 20-percent writes should probably not be RAID 5. In these write-intensive situations, consider mirroring if data protection is required.

• RAID 5 writes are not as fast as mirrored writes, and mirrored writes are not as fast as unprotected writes.

Performance Guidelines

When designing your storage configuration, consider the following performance guidelines:

• Whenever possible, distribute storage devices across multiple I/O controllers, cables, and devices.

• Striping generally has the best performance, but it offers no data protection. For write-intensive applications, RAID 1 performs better than RAID 5.

• RAID-1 and RAID-5 volumes both increase data availability. Mirroring improves random read performance.

• RAID-5 volumes have a lower hardware cost than RAID-1 volumes, while RAID-0 volumes have no additional hardware cost.

• Identify the most frequently accessed data, and increase the access bandwidth for that data with mirroring or striping.

• Both stripes and RAID-5 volumes distribute data across multiple disk drives and help balance the I/O load. You can also use RAID-1 volumes to help balance the I/O load.

• Use available performance monitoring capabilities and generic tools, such as the iostat command, to identify the most frequently accessed data. Then increase the “access bandwidth” to the frequently accessed data, by striping RAID-1 volumes or RAID-5 volumes.

• A stripe’s performance is better than that of a RAID 5 volume, but stripes do not provide data redundancy.

• RAID 5 volume performance is lower than stripe performance for write operations, because the RAID-5 volume requires multiple I/O operations to calculate and store the parity.

• For raw random I/O reads, the stripe and the RAID-5 volume are comparable. Both the stripe and RAID-5 volume split the data across multiple disks, and the RAID-5 volume parity calculations are not a factor in reads, except after a component failure.


Introducing Solaris Volume Manager Software Concepts

The Solaris Volume Manager software lets you manage large numbers of disks and the data on those disks. Although there are many ways to use the Solaris Volume Manager software, most tasks include:

• Increasing storage capacity

• Increasing data availability

• Making the administration of large storage devices easier

In some instances, the Solaris Volume Manager software can also improve I/O performance.

Logical Volume

The Solaris Volume Manager software uses virtual disks called logical volumes to manage physical disks and their associated data. Historically, a logical volume is functionally identical to a physical slice. However, a logical volume can span multiple disk members. The Solaris Volume Manager software converts I/O requests directed at a volume into I/O requests to the underlying member disks.

You can create the Solaris Volume Manager software volumes from slices (disk partitions) or from other Solaris Volume Manager software volumes.

An easy way to create volumes is to use the GUI built into the Solaris™ Management Console. The Enhanced Storage tool within the Solaris Management Console lists all the existing volumes. By following the steps in the tool wizard, you can create any type of Solaris Volume Manager software volumes or components. You can also build and modify volumes using command-line utilities in the Solaris Volume Manager software.


To create more storage capacity as a single volume, you can use the Solaris Volume Manager software to make the system treat a collection of many small slices as one large slice or device. After creating a large volume from these slices, you can immediately begin using it just as you would any other slice or device.

The Solaris Volume Manager software can increase the reliability and availability of data by using RAID-1 volumes and RAID-5 volumes. Solaris Volume Manager software hot spares provide another level of data availability for RAID-1 volumes and RAID-5 volumes.

Note – In earlier versions of the Solaris OS, the Solaris Volume Manager software was known as Solstice DiskSuite™ software, and logical volumes were known as metadevices. Most of the associated command-line tools begin with the prefix meta. Logical devices are located under the /dev/md directory.

Soft Partitions

As disks become larger, and disk arrays present larger logical devices to the Solaris OS, users must be able to subdivide disks or logical volumes into more than eight sections, often to create manageable file systems or partition sizes.

Soft partitions provide a mechanism for dividing large storage spaces into smaller, more manageable sizes. For example, large storage aggregations provide redundant storage of many gigabytes, but many scenarios would not require as much space. Soft partitions allow you to subdivide that storage space into more manageable sections, each of which can have a complete file system.

For example, you could create 1000 soft partitions on top of a RAID-1 volume or RAID-5 volume so that each of your users can have a home directory on a separate file system. If a user needs more space at a later date, you can grow the soft partition.

Note – The Solaris Volume Manager software can support up to 8192 logical volumes per disk set, but is configured for 128 (d0–d127) by default. For instructions on increasing the number of logical volumes, refer to the Solaris Volume Manager Administration Guide, part number 806-6111-10.


Use soft partitioning to divide a slice or volume into as many divisions as needed. Assign a name for each division or soft partition, just like you would do for other storage volumes, such as stripes or mirrors. A soft partition, once named, can be directly accessed by applications, including file systems, as long as it is not included in another volume.

When you partition a disk and build a file system on the resulting slices, you cannot later extend a slice without modifying or destroying the disk format. With soft partitions, you can extend portions up to the amount of space on the underlying device without moving or destroying data on other soft partitions.

Suggestions for Soft Partitioning

Consider the following factors when implementing soft partitions in your storage environment:

• You can build soft partitions on any slice. Creating a single slice that occupies the entire disk and then creating soft partitions on that slice is the most efficient way to use soft partitions at the disk level.

• To expand and manage storage space, build stripes on top of your disk slices, and then build soft partitions on the stripes.

• You can grow soft partitions to use any available space on a volume.

• Create a RAID-1 volume or a RAID-5 volume, and then create soft partitions on the RAID-1 volume or RAID-5 volume for maximum flexibility and higher availability.

Introducing the State Database

Before creating volumes using the Solaris Volume Manager software, state database replicas must exist on the Solaris Volume Manager software system. The state database stores information on disk about the state of your Solaris Volume Manager software configuration. The state database records and tracks changes made to your configuration. The Solaris Volume Manager software automatically updates the state database when a configuration or state change occurs. For example, creating a new volume is a configuration change, while a submirror failure is a state change. This section addresses the following:

• The Solaris Volume Manager software state database

• Recommendations for state database replicas

• Suggestions for state database replicas


The Solaris Volume Manager Software State Database

The state database is a collection of multiple, replicated database copies. Each copy, called a state database replica, ensures that the data in the database is always valid. Having copies of the state database protects against data loss from single points-of-failure. The state database tracks the location and status of all known state database replicas. During a state database update, each replica state database is updated. The updates take place one at a time to protect against corrupting all updates if the system crashes.

The Solaris Volume Manager software state database contains configuration and status information for all volumes and hot spares. The Solaris Volume Manager software maintains replicas (copies) of the state database to provide redundancy and to prevent database corruption during a system crash.

If your system loses a state database replica, Solaris Volume Manager software must determine which state database replicas still contain non-corrupted data. The Solaris Volume Manager software determines this information by a majority consensus algorithm. This algorithm requires that a majority (half + 1) of the state database replicas be available and in agreement with each other before any of them are considered non-corrupt. Because of the majority consensus algorithm, you should create at least three state database replicas when you set up your disk configuration. A consensus can be reached as long as at least two of the three state database replicas are available.

During booting, the Solaris Volume Manager software ignores corrupted state database replicas. In some cases, Solaris Volume Manager software tries to rewrite state database replicas that are corrupted. Otherwise the databases are ignored until you repair them. If a state database replica becomes corrupt because its underlying slice encountered an error, you must repair or replace the slice, and then recreate the replica.

If all state database replicas are lost, you could lose all data that is stored on your Solaris Volume Manager software volumes. You should create enough state database replicas on separate drives and across controllers to prevent complete data loss. You should also save your initial configuration information, as well as your disk partition information.

To protect data, the Solaris Volume Manager software will not function unless half of all state database replicas are available. The main functions of the majority consensus algorithm are:


• The system will stay running if at least half of the state database replicas are available.

• The system will panic if fewer than half the state database replicas are available.

• The system will not start the Solaris Volume Manager software unless a majority (half + 1) of the total number of state database replicas are available.

Recommendations for State Database Replicas

To avoid single points-of-failure, you should distribute state database replicas across slices, drives, and controllers. A majority of replicas must survive a single component failure. The Solaris Volume Manager software requires that half the replicas be available to run, and that a majority (half + 1) be available to boot. If you lose a replica (for example, due to a device failure), you might run into problems when running Solaris Volume Manager software or when rebooting the system. When working with state database replicas, consider the following:

• You should create state database replicas on a dedicated slice of at least 4 Mbytes per replica.

• You can put replicas on unused slices, and then use them on RAID-0, RAID-1, or RAID-5 volumes.

• You cannot create state database replicas on any slices in use.

• A minimum of three state database replicas are recommended. The following guidelines are recommended:

    • For a system with only a single drive: put all three replicas in one slice.

    • For a system with two to four drives: put two replicas on each drive.

    • For a system with five or more drives: put one replica on each drive.

• Make sure that you have at least two extra replicas per mirror.

• You can add additional state database replicas to the system at any time. The additional state database replicas help to ensure the Solaris Volume Manager software’s availability.


Caution – If you upgraded from Solstice DiskSuite software to Solaris Volume Manager software and have state database replicas at the beginning of slices (as opposed to on separate slices), do not delete existing replicas and replace them with new ones in the same location. The default Solaris Volume Manager software state database replica size is 8192 blocks, while the default size in Solstice DiskSuite software was 1034 blocks. If you delete a default-size state database replica from Solstice DiskSuite software, and add a new default-size replica with the Solaris Volume Manager software, you will overwrite the first 7158 blocks of any file system occupying the rest of the shared slice, which destroys the data.

Introducing Hot Spares and Hot Spare Pools

Hot spares and hot spare pools provide additional physical slices for automatic recovery from RAID-1 mirror or RAID-5 volume failures.

Hot Spares

A hot spare is a slice (not a volume) that is functional and available, but not in use. A hot spare is on reserve to substitute for a failed slice in a submirror or RAID-5 volume. You cannot use a hot spare to hold data or state database replicas until the hot spare is assigned as a member. A hot spare must be ready for immediate use in the event of a slice failure in the volume with which it is associated. To use hot spares, invest in additional disks beyond those that the system requires to function.

Hot Spare Pools

A hot spare pool is a collection of slices. The Solaris Volume Manager software uses hot spare pools to provide increased data availability for RAID-1 volumes and RAID-5 volumes. The Solaris Volume Manager software reserves a hot spare for automatic substitution when a slice failure occurs in either a submirror or a RAID-5 volume.

Note – Hot spares do not apply to RAID-0 volumes or to one-way mirrors. For automatic substitution to work, redundant data must be available.


Module 9

Configuring Solaris Volume Manager Software

Objectives

The Solaris Volume Manager software provides commands and a graphical user interface (GUI) tool to configure physical slices of disks into logical volumes.

Upon completion of this module, you should be able to:

• Describe Solaris Volume Manager software concepts

• Build a RAID-0 (concatenated) volume

• Build a RAID-1 (mirror) volume for the root (/) file system

The course map in Figure 9-1 shows how this module fits into the current instructional goal.

Figure 9-1 Course Map

[Course map: Managing Storage Volumes, comprising Describing RAID and Solaris™ Volume Manager Software, and Configuring Solaris Volume Manager Software]


Solaris Volume Manager Concepts

The Solaris Volume Manager software in the Solaris 9 and 10 Operating System replaces the Solstice DiskSuite software used in releases of the Solaris OS prior to Solaris 9 OS.

The Solaris Volume Manager software is used to implement RAID 0, RAID 1, RAID 1+0, and RAID 5.

This module covers the configuration of the following:

• RAID 0: Non-redundant disk array (concatenation and striping)

• RAID 1: Mirrored disk array


The State Database Replicas

The state database stores information on disk about the state of your Solaris Volume Manager software configuration. Multiple copies of the database, called replicas, provide redundancy and protect against data loss if a copy of the database is corrupted due to the system crashing or other failure. The state database replicas should be distributed across multiple disks so that failure of a single disk only causes the loss of a single state database replica.

If the system loses a state database replica, Solaris Volume Manager software uses a majority consensus algorithm to determine which state database replicas still contain valid data. The algorithm requires that a majority (half + 1) of the state database replicas are available before any of them are considered valid. The majority consensus algorithm requires that you create at least three state database replicas before you build or commit any metadevices. To reach a consensus, at least two of the three replicas must be available.

The majority consensus algorithm:

• Makes sure that the system stays running if at least half of the state database replicas are available.

• Causes the system to panic if fewer than half of the state database replicas are available.

• Prevents the system from starting the Solaris Volume Manager software unless a majority of the total number of state database replicas are available.

If insufficient state database replicas are available, you must boot into single-user mode and delete enough of the corrupt replicas to achieve a majority consensus.

State database replicas are stored in their own disk slices.

Creating the State Database

You can create state database replicas by using:

• The metadb -a command

• The Solaris Volume Manager software GUI


Creating the State Database Using the Command Line

To create state database replicas using the command line, use the metadb command. The syntax of the command is:

metadb -a [-f] [-c n] [-l nnnn] disk_slice

where:

-a            Adds a state database replica.
-f            Forces the operation, even if no replicas exist. Use this flag to force the creation of the initial replicas.
-c n          Specifies the number of replicas to add to the slice.
-l nnnn       Specifies the size of the new replicas, in blocks.
disk_slice    Specifies the name of the disk_slice that will hold the replica.

Note – The metadb command without options reports the status of all replicas.

The following example shows the creation of state database replicas:

# metadb -a -f c0t0d0s4 c0t0d0s5 c1t0d0s0 c1t0d0s1
# metadb
        flags           first blk       block count
     a        u         16              8192            /dev/dsk/c0t0d0s4
     a        u         16              8192            /dev/dsk/c0t0d0s5
     a        u         16              8192            /dev/dsk/c1t0d0s0
     a        u         16              8192            /dev/dsk/c1t0d0s1

This example lists the four replicas that were just created. Each replica begins at block 16 of the assigned disk slice. Each replica is 8192 blocks, or 4 Mbytes in size. The flags indicate that the replica is active and up to date. If there are capital letters in the flags field, it is an indication that the replica is corrupt.

Note – The previous example places the state database replicas on disks on different controllers. This is an appropriate fault tolerant configuration for a production environment.
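The half and half + 1 thresholds can be checked against a replica layout before a disk fails. The following script is an added example, not part of the course material: it reads output in the metadb format shown above and reports whether the system would keep running, and whether it could start the Solaris Volume Manager software at boot, after losing the disk that holds the most replicas. The function names and the sample input are constructed, and it assumes cNtNdNsN slice names and that a capital letter in the flags marks a corrupt replica, as described above.

```shell
#!/bin/sh
# Added example: evaluate state database replica quorum from metadb output.

# Constructed sample: two replicas on each of two disks.
sample_metadb() {
cat <<'EOF'
        flags           first blk       block count
     a        u         16              8192            /dev/dsk/c3t2d0s7
     a        u         8208            8192            /dev/dsk/c3t2d0s7
     a        u         16              8192            /dev/dsk/c3t3d0s7
     a        u         8208            8192            /dev/dsk/c3t3d0s7
EOF
}

# Reads metadb output on stdin and prints one summary line:
#   total      replicas known to the state database
#   good       replicas with no capital letter in the flags
#   worst_disk disk holding the most good replicas
#   left       good replicas remaining if worst_disk fails
#   run        yes if at least half of all replicas remain
#   boot       yes if a majority (half + 1) of all replicas remain
replica_quorum() {
    LC_ALL=C awk '
    $NF ~ /^\/dev\/dsk\// {
        total++
        # Everything before the last three columns is the flags field.
        flags = ""
        for (i = 1; i <= NF - 3; i++) flags = flags $i
        if (flags ~ /[A-Z]/) next          # corrupt replica, not counted
        disk = $NF
        sub(/^\/dev\/dsk\//, "", disk)
        sub(/s[0-9]+$/, "", disk)          # c3t2d0s7 -> c3t2d0
        per[disk]++
        good++
    }
    END {
        worst = "none"; max = 0
        for (d in per)
            if (per[d] > max || (per[d] == max && d < worst)) {
                max = per[d]; worst = d
            }
        left = good - max
        printf "total=%d good=%d worst_disk=%s left=%d run=%s boot=%s\n",
            total, good, worst, left,
            (total > 0 && 2 * left >= total) ? "yes" : "no",
            (2 * left > total) ? "yes" : "no"
    }'
}

# On a live system: metadb | replica_quorum
sample_metadb | replica_quorum
```

With two replicas on each of two disks, losing either disk leaves exactly half of the replicas: the system stays up but cannot reach the majority needed at the next boot.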


Creating the State Database Using the Solaris Management Console

The Enhanced Storage Tool within the Solaris Management Console provides a GUI that guides you through Solaris Volume Manager tasks.

Complete the following steps to create the state database replicas:

1. To start the Solaris Management Console, perform the command:

# smc &

The Solaris Management Console appears, as shown in Figure 9-2.

Figure 9-2 Solaris Management Console Welcome Screen

2. Use the Navigation pane to traverse the Solaris Management Console structure until you reach the Enhanced Storage Tool.

3. Click This Computer.

4. Select Storage.


5. Click Enhanced Storage, as shown in Figure 9-3, to display the contents of the Enhanced Storage Tool.

Figure 9-3 Solaris Management Console: Storage Tool

Note – After you start the Solaris Management Console, you must log in after you open the first tool.

6. Click the State Database Replica icon.


If the state database currently contains replicas, these replicas appear in the View pane. If no state database replicas exist, the View pane is empty, as shown in Figure 9-4.

Figure 9-4 Solaris Management Console: View Pane


7. To create a replica, select Create Replicas from the Action menu, as shown in Figure 9-5, and follow the instructions.

Figure 9-5 Solaris Management Console Window – Action Menu

A series of windows guide you through the creation of the state database.

8. Select alternate disk sets when additional disk sets are available, as shown in Figure 9-6. In this configuration, no additional disk sets have been configured, so choose the default selection of <none>.

Figure 9-6 Create Replicas: Select Disk Sets Window


Note – A disk set is a set of shared disk drives that contain logical Volume Manager objects that can be shared exclusively but not concurrently by one or two hosts. Disk sets are enablers for host fail-over scenarios.

9. Click Next to continue.

Note – Disk sets are described in ES-222: Solaris Volume Manager Administration.


When you choose disk slices on which to store the state database replicas, select at least three slices. Figure 9-7 shows that you can choose to configure as many slices as are required by the size of your system’s disk configuration. The size of these disk slices is pre-set using the partitioning mechanism of the format utility.

Figure 9-7 Create Replicas: Select Components Window

10. Select a slice.

11. Click Add.

12. Continue adding slices until all the necessary slices are selected.

Note – Alternatively, to select multiple slices, hold down the Control key while you make your selections.

13. Click Next to continue.


The default size of each replica is 8192 blocks or 4 Mbytes. The window, as shown in Figure 9-8, enables you to increase the size of the replicas and the number of replicas per slice.

Figure 9-8 Create Replicas: Set Length and Count Window

14. Unless equipment limitations force you to assign multiple replicas to a device, accept the default replica count of 1.

15. Click Next to continue.


Figure 9-9 shows the selections you have chosen for your state database replicas. Additionally, this window shows the commands that the Storage Volume Manager uses to build your selected configuration.

Figure 9-9 Create Replicas: Review Window

16. Double-check your selections to ensure that they meet the criteria of your state database replicas.

Note – Before you click Finish, click Show Commands to view and, optionally, log the commands used to accomplish the specified Enhanced Storage Tool operations.

17. Click Finish to complete the operation.


Figure 9-10 shows that the newly configured state database replicas appear in the View pane of the Solaris Management Console.

Figure 9-10 Solaris Management Console: New State Database Replicas Window

If at least three replicas are configured on separate disks, the system tolerates a single disk failure and still maintains the majority consensus algorithm. The majority consensus algorithm is necessary for the system to remain running or for it to reboot to multiuser mode when required.

Note – The configuration represented in this example does not follow Sun Microsystems best practices. State database replicas should be distributed across multiple devices and disk controllers wherever possible.


Configuring RAID-0

RAID-0 volumes allow you to expand disk storage capacity efficiently. These volumes do not provide data redundancy but can be used to expand disk storage capacity. If a single slice fails on a RAID-0 volume, there is a loss of data. RAID-0 comes in two forms, stripes and concatenations.

• Concatenated volumes (or concatenations)

  A concatenated volume writes data to the first available slice. When the first slice is full, the volume writes data to the next available slice.

• Striped volumes (or stripes)

  A stripe distributes data equally across all slices in the stripe.


RAID-0 Striped Volumes

Figure 9-11 shows the arrangement of a RAID-0 volume configured as a stripe. A RAID-0 volume configured as a stripe arranges data across two or more slices. Striping alternates equally-sized segments of data across two or more slices, forming one logical storage unit. These segments are interleaved round-robin, so that the combined space is created alternately from each slice.

Figure 9-11 RAID-0 Stripe

Striping enables parallel data access because multiple controllers can access the data at the same time. Parallel access increases Input/Output (I/O) performance because multiple disks in the volume can service I/O requests simultaneously.

You cannot convert an existing file system directly to a striped volume. You must first back up the file system, create the striped volume, and then restore the file system to the striped volume.

[Figure 9-11 labels: Physical Slice A, Physical Slice B, and Physical Slice C hold Interlace 1 through Interlace 6; the Solaris™ Volume Manager presents them as one RAID 0 (Stripe) logical volume.]


Creating a RAID-0 Volume

Using the Command Line

In this example, the slice being used for the /export/home file system is almost at capacity. A new slice from another disk is concatenated to it, making a RAID-0 concatenated volume. The existing slice is shown:

# df -h /export/home
Filesystem             size   used  avail capacity  Mounted on
/dev/dsk/c0t0d0s7      470M   395M    28M    94%    /export/home

If the metadatabases are not already configured, they need to be configured before creating any metadevices.

# metadb -a -f -c 2 c3t2d0s7 c3t3d0s7
# metadb
        flags           first blk       block count
     a        u         16              8192            /dev/dsk/c3t2d0s7
     a        u         8208            8192            /dev/dsk/c3t2d0s7
     a        u         16              8192            /dev/dsk/c3t3d0s7
     a        u         8208            8192            /dev/dsk/c3t3d0s7

The concatenated volume must be referenced by a metadevice name. The metainit command creates the metadevices. The syntax of the metainit command is:

metainit -f concat/stripe numstripes width component...

where:

-f               Forces the metainit command to continue, even if one of the slices contains a mounted file system or is being used as swap space. This option is useful when configuring mirrors or concatenations on root (/), swap, and /usr file systems.
concat/stripe    Specifies the volume name of the concatenation or stripe being defined.
numstripes       Specifies the number of individual stripes in the metadevice. For a simple stripe, numstripes is always 1. For a concatenation, numstripes is equal to the number of slices.
width            Specifies the number of slices that make up a stripe. When the width is greater than 1, the slices are striped.
component        Specifies the logical name for the physical slice (partition) on a disk drive, such as /dev/dsk/c0t0d0s1.

Metadevices are referenced by the letter d followed by a number. The new metadevice will be called d0. The -f option is required, as one of the slices being included in the concatenated volume is mounted. As this is a concatenation, the number of stripes is equal to the number of slices being added, in this case 2. The number of slices in each stripe is one, so the number 1 appears before each slice:

# metainit -f d0 2 1 c0t0d0s7 1 c3t2d0s0
d0: Concat/Stripe is setup

Note – The metastat command does not show information about soft partitioning.

The metastat command is used to check the configuration:

# metastat
d0: Concat/Stripe
    Size: 3118752 blocks (1.5 GB)
    Stripe 0:
        Device      Start Block  Dbase  Reloc
        c0t0d0s7           0     No     Yes
    Stripe 1:
        Device      Start Block  Dbase  Reloc
        c3t2d0s0        2160     No     Yes

Device Relocation Information:
Device   Reloc  Device ID
c0t0d0   Yes    id1,dad@AST38420A=7AZ0VMFG
c3t2d0   Yes    id1,sd@SFUJITSU_MAB3045S_SUN4.2G00F50615____

The d0 metadevice is shown, with the two stripes which make up the concatenation. The new device is represented with block and character special device files:

# ls -lL /dev/md/dsk
total 0
brw-r----- 1 root sys 85, 0 Oct 25 12:35 d0


# ls -lL /dev/md/rdsk
total 0
crw-r----- 1 root sys 85, 0 Oct 25 12:35 d0

The new metadevice (d0) has been created but is not being used yet. The /export/home file system is still mounted as a regular disk slice:

# df -h /export/home
Filesystem             size   used  avail capacity  Mounted on
/dev/dsk/c0t0d0s7      470M   395M    28M    94%    /export/home

It needs to be remounted using the new metadevice device files. Locate the entry in the /etc/vfstab file which mounts the file system at boot time:

/dev/dsk/c0t0d0s7 /dev/rdsk/c0t0d0s7 /export/home ufs 2 yes -

Change the device files to the metadevice files:

/dev/md/dsk/d0 /dev/md/rdsk/d0 /export/home ufs 2 yes -

Then un-mount and re-mount the file system using the new device files:

# umount /export/home

# mount /export/home

# df -h /export/home

Filesystem size used avail capacity Mounted on

/dev/md/dsk/d0 470M 395M 28M 94% /export/home

The file system is now mounted using the metadevice device file. Noticethat the file system does not appear to be any bigger, and the capacity isstill at 94%. The existing file system needs to be grown into the new space.This is done with the growfs command. Use the option -M to specify amount point:

# growfs -M /export/home /dev/md/rdsk/d0

/dev/md/rdsk/d0: 3118752 sectors in 3094 cylinders of 16 tracks, 63

sectors

1522.8MB in 194 cyl groups (16 c/g, 7.88MB/g, 3776 i/g)

super-block backups (for fsck -F ufs -o b=#) at:

32, 16224, 32416, 48608, 64800, 80992, 97184, 113376, 129568, 145760,

2968096, 2984288, 3000480, 3016672, 3032864, 3049056, 3065248, 3081440,

3096608, 3112800,

The file system now occupies all the space in the d0 metadevice:

# df -h /export/home

Filesystem size used avail capacity Mounted on

/dev/md/dsk/d0 1.4G 395M 988M 29% /export/home
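A wrong /etc/vfstab entry leaves the file system unmounted at the next boot, so the edit in the procedure above is worth scripting and reviewing before it is installed. The following is an added example, not part of the student guide: a POSIX shell function that rewrites the entry for one mount point and prints the result instead of editing the file in place. The function names vfstab_to_metadevice and sample_vfstab are hypothetical, and the sample vfstab content is constructed.

```shell
#!/bin/sh
# Added example (not from the student guide): switch one vfstab entry from a
# disk slice to a Solaris Volume Manager metadevice. The function reads vfstab
# text on stdin and prints the rewritten text on stdout, so the result can be
# compared with the original before /etc/vfstab is replaced.

# vfstab_to_metadevice MOUNTPOINT VOLUME
#   MOUNTPOINT  mount point whose entry is changed, for example /export/home
#   VOLUME      metadevice name, for example d0
# Returns non-zero and prints nothing on stdout unless exactly one
# seven-field, non-comment entry mounts MOUNTPOINT.
vfstab_to_metadevice() {
    vt_mnt=$1
    vt_vol=$2

    # Metadevice names in the guide are "d" followed by digits (d0, d11).
    case $vt_vol in
        d|d*[!0-9]*) echo "invalid volume name: $vt_vol" >&2; return 2 ;;
        d*) ;;
        *) echo "invalid volume name: $vt_vol" >&2; return 2 ;;
    esac

    awk -v mnt="$vt_mnt" -v vol="$vt_vol" '
        BEGIN { OFS = "\t" }
        # Comment and blank lines pass through untouched.
        /^[ \t]*#/ || NF == 0 { out[++n] = $0; next }
        $3 == mnt {
            matches++
            if (NF != 7) malformed = 1
            $1 = "/dev/md/dsk/" vol     # block device (device to mount)
            $2 = "/dev/md/rdsk/" vol    # raw device (device to fsck)
        }
        { out[++n] = $0 }
        END {
            # Print only when the change is unambiguous.
            if (matches != 1 || malformed) exit 1
            for (i = 1; i <= n; i++) print out[i]
        }
    ' || {
        echo "need exactly one 7-field entry for $vt_mnt" >&2
        return 1
    }
}

# Constructed sample input, modelled on the entry shown in the text.
sample_vfstab() {
    cat <<'EOF'
#device device mount FS fsck mount mount
#to mount to fsck point type pass at boot options
/dev/dsk/c0t0d0s1 - - swap - no -
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 / ufs 1 no -
/dev/dsk/c0t0d0s7 /dev/rdsk/c0t0d0s7 /export/home ufs 2 yes -
EOF
}

# Show the rewritten file for the /export/home example.
sample_vfstab | vfstab_to_metadevice /export/home d0
```

Only the matching entry changes; its fields are rejoined with tabs, and every other line is printed exactly as it was read.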


Using Solaris Management Console (SMC)

It is not possible to perform the same configuration using only Solaris Management Console (SMC). When SMC performs the metainit command at the end of the slice selections, it doesn’t use the -f option to force the addition of a mounted file system to a metadevice. To configure the concatenated volume in SMC, unmount the /export/home file system.

# umount /export/home

The same slices and file systems are used in this example as were used in the previous command line example. It assumes the metastate databases are already configured.

1. To check this, start the Solaris Management Console:

# smc &

2. Select the Volumes tool and Create Volume from the Action menu, as shown in Figure 9-12.

Figure 9-12 Select Create Volume

Every time you create a new volume, you can create additional state database replicas. When creating RAID-0 volumes, it is usually unnecessary to create additional state database replicas.


3. Select Don’t Create State Database Replicas in the Create Volume window, as shown in Figure 9-13.

Figure 9-13 Create Volume Window

4. Click Next to continue.


Every time you create a new volume, as shown in Figure 9-14, you can relocate it on alternate disk sets.

Figure 9-14 Create Volume: Select Disk Set Window

5. Select the default of <none> and click Next to continue.


Figure 9-15 shows a selection of volume configurations that you can create.

Figure 9-15 Create Volume: Select Volume Type Window

6. Select Concatenation (RAID 0) and click Next to continue.


You can name the volume, as shown in Figure 9-16. In this example d0 is being used:

Figure 9-16 Create Volume: Name Volume Window

7. Name the volume d0 and click Next to continue.


Select the slice already being used and an unused slice, as shown in Figure 9-17.

Figure 9-17 Create Volume: Select Components Window

8. Select the existing slice and click Add to move it to the Selected list.

9. Select an unused slice and click Add to move it to the Selected list.

10. Click Next to continue.


You can select the order of presentation of the slices within the volume, as shown in Figure 9-18.

Figure 9-18 Create Volume: Select Components Window

11. Click Next to continue.

Power user – A hot spare pool is a set of slices you can use to improve the fault tolerance of the system. To allow continued data accesses to a failed volume until you can replace a failed slice, hot spares are automatically swapped in to replace the failed slice. After replacing the failed slice, the hot spare is automatically swapped back onto the replacement slice, as shown in Figure 9-19 on page 9-26.


RAID-0 does not have any data redundancy features and no hot spare pools have been created. The Hot Spare Pool window is shown in Figure 9-19.

Figure 9-19 Create Volume: Use Hot Spare Pool Window

12. Select No Hot Spare Pool and click Next to continue.


The Create Volume window provides a confirmation of your selections. It also provides a summary of the commands necessary to accomplish the identical task from the command line, as shown in Figure 9-20.

Figure 9-20 Create Volume: Review Window

13. Click Finish.


Figure 9-21 shows the metadevice for the newly created RAID-0 volume.

Figure 9-21 Solaris Management Console: Volumes Window

This procedure has created the d0 concatenated metadevice. The /etc/vfstab file needs to be changed, the file system remounted and grown before the extra space is available. First, change the standard device files to the metadevice files:

/dev/dsk/c0t0d0s7 /dev/rdsk/c0t0d0s7 /export/home ufs 2 yes -

/dev/md/dsk/d0 /dev/md/rdsk/d0 /export/home ufs 2 yes -

# mount /export/home

# growfs -M /export/home /dev/md/rdsk/d0

/dev/md/rdsk/d0: 3118752 sectors in 3094 cylinders of 16 tracks, 63

sectors

1522.8MB in 194 cyl groups (16 c/g, 7.88MB/g, 3776 i/g)

super-block backups (for fsck -F ufs -o b=#) at:

32, 16224, 32416, 48608, 64800, 80992, 97184, 113376, 129568, 145760,

2968096, 2984288, 3000480, 3016672, 3032864, 3049056, 3065248, 3081440,

3096608, 3112800,

# df -h /export/home

Filesystem size used avail capacity Mounted on

/dev/md/dsk/d0 1.4G 395M 988M 29% /export/home


Configuring RAID-1

RAID-1 volumes are also known as mirrors and provide data redundancy. In a two-way mirror, the data is written to two disk slices of the same size. If one disk fails, the other will have an up-to-date copy of the data.

A RAID-1 volume maintains identical copies of the data in several RAID-0 volumes. Mirroring requires more disks. You need at least twice as much disk space as the amount of data to be mirrored.

After configuring a mirror, you can use it as if it were a physical slice. With multiple copies of data available, and correctly configured read and write policies, data access time is reduced.

You can mirror any file system, including existing file systems.

Using Multiple Submirrors

A mirror is made of two or more RAID-0 volumes. The mirrored RAID-0 volumes are called submirrors. A mirror consisting of two submirrors is known as a two-way mirror, while a mirror consisting of three submirrors is known as a three-way mirror.

Creating a two-way mirror is usually sufficient for data redundancy. A third submirror lets you maintain redundancy with one of the other two submirrors offline.

When a submirror is offline, it is in a read-only mode. The Solaris Volume Manager software tracks all the changes written to the online submirror. When the submirror is brought back online, only the newly written portions are resynchronized. Typical reasons for taking the submirror offline include backups, troubleshooting and repair.

You can attach or detach a submirror from a mirror at any time, though at least one submirror must remain attached to the mirror at all times. Usually, you begin the creation of a mirror with only a single submirror, after which you can attach additional submirrors.

Mirror Options

Mirror performance can be modified by using the following options:

• Mirror read policy

• Mirror write policy


Note – The mirror options listed here are representative of the options presented when configuring RAID-1 mirrors using the Solaris Volume Manager software.

You can define mirror options when you initially create the mirror or after you set up the mirror. You can distribute the load across the submirrors to improve read performance. Table 9-1 describes the configurable mirror read policies.

You can improve write performance by replicating all submirrors simultaneously. If a failure occurs during this write, the submirror that had the failure is put into maintenance state (errored state). Table 9-2 describes the configurable mirror write policies.

When a submirror is offline, any writes to the mirror are tracked in a dirty region log. When the submirror is brought back online, those regions must be updated or resynchronized.

Table 9-1 Mirror Read Policies

Read Policy            Description
Round Robin (default)  Balances the load across the submirrors
Geometric              Enables the system to divide reads among submirrors on the basis of a logical disk block address
First                  Directs all reads to the first submirror

Table 9-2 Mirror Write Policies

Write Policy           Description
Parallel (Default)     Replicates a write to a mirror, and dispatches the write to all of the submirrors simultaneously
Serial                 Specifies that writes to one submirror must complete before initiating writes to the next submirror


Building a Mirror of the Root (/) File System

The procedure for building a mirror of the root (/) file system can be accomplished using the command line exclusively but it is not possible to use the Solaris Management Console (SMC) exclusively. As seen during RAID-0 configuration, SMC is not able to force the creation of a metadevice from a mounted file system.

Note – Remove the volume d0 created in the previous example to avoid confusion during this procedure.

This section describes how to create a RAID-1 volume for the root (/) file system, which cannot be unmounted. To create a mirror, do the following:

1. Create a RAID-0 volume for the file system you want to mirror.

2. Create a second RAID-0 volume to contain the second submirror of the RAID-1 volume.

3. Create a one-way mirror using the RAID-0 volume that contains the file system to be mirrored.

4. Use the metaroot command to update the system’s configuration, as this is a root (/) mirror.

5. Reboot your system, as this is a root (/) mirror.

6. Attach the second submirror to the file system mirror.

7. Record the alternate boot path that is used in the event of a failure of the primary submirror, as this is a mirror of the root (/) file system.


The Scenario

The scenario assumes the root (/) file system is on disk slice c0t0d0s0.

1. A RAID-0 volume called d11 is created from slice c0t0d0s0.

2. A second RAID-0 volume is created as metadevice d12 from a spare disk slice at c3t3d0s1.

3. A RAID-1 volume is created and named d10 using the RAID-0 volumes named d11 and d12, as shown in Figure 9-22.

Figure 9-22 Mirror of Root (/) Partition

Creating The RAID-0 Volumes

The first step when building a mirror of the root (/) file system is to create RAID-0 volumes, which you later combine to form the mirror. Each RAID-0 volume becomes a submirror to the mirror. Use the metainit command to force the creation of the RAID-0 volume. The force (-f) option must be used because this is the root (/) file system, which cannot be unmounted.

The following example shows how to use the metainit command to create a RAID-0 volume:

# /usr/sbin/metainit -f d11 1 1 c0t0d0s0

d11: Concat/Stripe is setup

Caution – If converting an existing file system to a RAID-0 volume, both the numstripes and width arguments must be 1, or the data is lost.



The command line forces the creation of volume d11. Volume d11 creates a concatenation composed of a single stripe, one slice wide, and it is stored on the /dev/dsk/c0t0d0s0 disk slice.

Note – In this example, the root (/) file system is stored on the disk slice /dev/dsk/c0t0d0s0. Because the root (/) file system is stored at that location, you must use the -f option to force the creation of a volume on the mounted partition.

To create an additional RAID-0 volume, for the secondary submirror of the root file system, use the Enhanced Storage Tool within the Solaris Management Console.

To create additional volumes from the command line, use the metainit command again:

# metainit d12 1 1 c3t3d0s1

d12: Concat/Stripe is setup

To create the same metadevice from the GUI, complete the following steps:

1. Click the Volumes icon.

Any configured metadevice volumes appear on the View pane, as shown in Figure 9-23. If there are no metadevice volumes currently configured, the View pane remains empty.

Figure 9-23 Volumes Icon


2. Select Create Volume from the Action menu, as shown in Figure 9-24.

Figure 9-24 Solaris Management Console: Action Menu

3. Answer the prompts in the Create Volume Wizard window.


Every time you create a new volume, you can create additional state database replicas. When creating RAID-0 volumes, it is usually unnecessary to create additional state database replicas.

4. Select Don’t Create State Database Replicas in the Create Volume window, as shown in Figure 9-25.

Figure 9-25 Create Volume Window

5. Click Next to continue.


Every time you create a new volume, as shown in Figure 9-26, you can relocate it on alternate disk sets.

Figure 9-26 Create Volume: Select Disk Set Window

6. If only one disk set exists on the system, select the default of <none>.

7. Click Next to continue.


Figure 9-27 shows a selection of volume configurations that you can create.

Figure 9-27 Create Volume: Select Volume Type Window

8. Select Concatenation (RAID 0).

9. Click Next to continue.


You can name the volume, as shown in Figure 9-28. In this procedure, build a mirror named d10. The two submirrors that comprise the mirror are d11 (for the first submirror) and d12 (for the second submirror). You have already created volume d11 from the slice that contains the root (/) file system, so this one is volume d12, which contains the mirror of the root (/) file system.

Figure 9-28 Create Volume: Name Volume Window

10. Name the volume d12.

11. Click Next to continue.


You can also select a slice that the new volume occupies, as shown in Figure 9-29. This volume is the secondary submirror of a mirror, therefore the size of this slice must be equal to or greater than the size of the primary submirror of the mirror.

Figure 9-29 Create Volume: Select Components Window

12. Select a slice equal to or greater than the size of the primary submirror RAID-0 volume.

13. Click Add to move it to the Selected list.

14. Click Next to continue.


You can select the order of presentation of the slices within the stripe group, if you are mirroring a file system that can span multiple slices, as shown in Figure 9-30.

Figure 9-30 Create Volume: Select Components Window

Note – When mirroring root (/), you cannot span multiple slices.

15. Click Next to continue.


A hot spare pool is a set of slices you can use to improve the fault tolerance of the system. To allow continued data accesses to a failed volume until you can replace a failed slice, hot spares are automatically swapped in to replace the failed slice. After replacing the failed slice, the hot spare is automatically swapped back onto the replacement slice.

16. Because no hot spare pools have been created, select No Hot Spare Pool, as shown in Figure 9-31.

Figure 9-31 Create Volume: Use Hot Spare Pool Window

17. Click Next to continue.


The Create Volume: Review window provides a confirmation of your selections. It also provides a summary of the commands necessary to accomplish the identical task from the command line, as shown in Figure 9-32.

Figure 9-32 Create Volume: Review Window

18. Click Finish.


Figure 9-33 shows the metadevice for the newly created RAID-0 volume.

Figure 9-33 Solaris Management Console: Volumes Window

In this procedure, you created two RAID-0 volumes, d11 and d12. The d11 volume contains the slice where the root (/) file system is stored, and the d12 volume contains space for a copy of the root (/) file system.

Creating The RAID-1 Volume

You can create the RAID-1 volume using:

• The metainit command

• The Enhanced Storage Tool within the Solaris Management Console

The metainit Command

The syntax for creating a RAID-1 volume by using the metainit command is:

metainit mirror -m submirror [read_options] [write_options] [pass_num]


where:

mirror -m submirror  Specifies the volume name of the mirror. The -m indicates that the configuration is a mirror. Submirror is a volume (stripe or concatenation) that makes up the initial one-way mirror.

read_options         The following read options for mirrors are available:

                     • -g – Enables the geometric read option, which results in faster performance on sequential reads.

                     • -r – Directs all reads to the first submirror. Use the -r option only when the devices that comprise the first submirror are substantially faster than those of the second mirror. You cannot use the -r option with the -g option.

write_options        The following write option is available:

                     • -S – Performs serial writes to mirrors. The default setting for this option is parallel write.

pass_num             A number (0–9) at the end of an entry defining a mirror that determines the order in which that mirror is resynchronized during a reboot. The default is 1. Smaller pass numbers are resynchronized first. Equal pass numbers are run concurrently. If 0 is used, the resynchronization is skipped. Use 0 only for mirrors mounted as read-only, or as swap space.

Note – If neither the -g nor -r options are specified, reads are made in a round-robin order from all submirrors in the mirror. This process enables load balancing across the submirrors.

The following command-line example creates a mirrored volume named d10, and attaches a one-way mirror using volume d11. Volume d11 is a submirror of the mirror named d10.

# /usr/sbin/metainit d10 -m d11

d10: Mirror is setup
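The Caution about numstripes and width in the RAID-0 step and the option rules listed above can be checked before metainit is run against a live file system. The following is an added example, not part of the student guide: POSIX shell functions (the names is_volume, check_submirror and check_mirror are hypothetical) that inspect a proposed argument list and never call metainit. It assumes volume names of the form d followed by digits and slice names shaped like the ones used in the text.

```shell
#!/bin/sh
# Added example (not from the student guide): pre-flight checks for the two
# metainit command shapes used when mirroring an existing file system.
# The functions print "ok" or a reason and return 0 or 1.

# is_volume NAME: true for metadevice names of the form d<digits>.
is_volume() {
    case $1 in
        d|d*[!0-9]*) return 1 ;;
        d*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_submirror [-f] VOLUME NUMSTRIPES WIDTH COMPONENT
# For the RAID-0 volume that wraps a slice already holding a file system.
check_submirror() {
    if [ "$1" = "-f" ]; then shift; fi
    if [ $# -ne 4 ]; then
        echo "expected: [-f] volume numstripes width component"; return 1
    fi
    is_volume "$1" || { echo "bad volume name: $1"; return 1; }
    # The Caution: anything other than 1 1 loses the existing data.
    if [ "$2" != 1 ] || [ "$3" != 1 ]; then
        echo "numstripes and width must both be 1 or the existing data is lost"
        return 1
    fi
    # Loose shape check only (assumption: cNtNdNsN names as in the text).
    case $4 in
        c[0-9]*t[0-9]*d[0-9]*s[0-7]|/dev/dsk/c[0-9]*t[0-9]*d[0-9]*s[0-7]) ;;
        *) echo "component is not a slice name: $4"; return 1 ;;
    esac
    echo ok
}

# check_mirror MIRROR -m SUBMIRROR [-g|-r] [-S] [PASS_NUM]
check_mirror() {
    if [ $# -lt 3 ] || [ "$2" != "-m" ]; then
        echo "expected: mirror -m submirror [options] [pass_num]"; return 1
    fi
    cm_mirror=$1
    cm_sub=$3
    shift 3
    is_volume "$cm_mirror" && is_volume "$cm_sub" || { echo "bad volume name"; return 1; }
    if [ "$cm_mirror" = "$cm_sub" ]; then
        echo "mirror and submirror must be different volumes"; return 1
    fi
    cm_g=0
    cm_r=0
    cm_pass=1                      # default pass number
    while [ $# -gt 0 ]; do
        case $1 in
            -g) cm_g=1 ;;
            -r) cm_r=1 ;;
            -S) ;;                 # serial writes; parallel is the default
            [0-9])
                if [ $# -ne 1 ]; then
                    echo "pass_num must be the last argument"; return 1
                fi
                cm_pass=$1 ;;
            *) echo "unknown option or pass_num out of range 0-9: $1"; return 1 ;;
        esac
        shift
    done
    if [ "$cm_g" -eq 1 ] && [ "$cm_r" -eq 1 ]; then
        echo "-g and -r cannot be combined"; return 1
    fi
    if [ "$cm_pass" = 0 ]; then
        echo "ok (pass_num 0 skips resync: read-only or swap mirrors only)"
    else
        echo ok
    fi
}

# The three commands used in the text all pass.
check_submirror -f d11 1 1 c0t0d0s0
check_submirror d12 1 1 c3t3d0s1
check_mirror d10 -m d11
```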


The Enhanced Storage Tool

You can also create the mirror by using the Enhanced Storage Tool within the Solaris Volume Manager software.

To create a mirror:

1. Click the Volumes icon.

The previously configured RAID-0 volumes are displayed, as shown in Figure 9-34. If these volumes are not displayed, you must first configure the RAID-0 volumes before you can use them as submirrors of the RAID-1 volume.

Figure 9-34 Solaris Management Console: Volume


2. Select Create Volume from the Action menu, as shown in Figure 9-35.

Figure 9-35 Solaris Management Console: Action Menu Window


Because the dirty region logs that are used to track which data blocks in the submirrors have been modified are recorded within the state database replicas, when you create RAID-1 volumes, you can add additional state database replicas. You do not have to create additional replicas when creating RAID-1 volumes, but mirror performance might suffer if you do not.

3. Due to equipment limitations in the classroom, select Don’t Create State Database Replicas, as shown in Figure 9-36.

Figure 9-36 Create Volume: Create State Database Replicas Window

4. Click Next to continue.


You can relocate the mirror to alternate disk sets.

5. If only one disk set exists on the system, select the default of <none>, as shown in Figure 9-37.

Figure 9-37 Create Volume: Select Disk Set Window

6. Click Next to continue.

Note – When you are mirroring root, you must use the local disk set.


The Create Volume: Select Volume Type window displays which volume configurations you can create, as shown in Figure 9-38.

Figure 9-38 Create Volume: Select Volume Type Window

7. Choose Mirror (RAID 1).

8. Click Next to continue.


In the Create Volume: Name Volume window, you can enter a volume name, as shown in Figure 9-39. Choose a pattern that is easy to remember so that it is easy to identify the volume types. For example, you could name the RAID-1 volumes with names ending in zero, such as d10. Then you can number the submirrors or RAID-0 volumes as d11 for the first submirror and d12 for the second submirror.

Figure 9-39 Create Volume: Name Volume Window

9. Enter 10 in the volume name d field.

10. Click Next to continue.


11. Select metadevice d11 for use as the primary submirror, as shown in Figure 9-40.

Figure 9-40 Create Volume: Select Primary Submirror Window

12. Click Next to continue.


13. Bypass the Create Volume: Select Remaining Submirrors window shown in Figure 9-41, because you are mirroring the root partition, which means that you must attach the secondary submirror by using the command line.

• When mirroring the root (/) partition, the procedure requires a few additional steps prior to attaching the secondary submirror.

• When building a mirror that does not already contain data, you can select the secondary submirror, as shown in Figure 9-41.

Figure 9-41 Create Volume: Select Remaining Submirrors Window

14. Click Next to continue.


The Create Volume: Set Mirror Parameters window lets you set the mirror parameters, as shown in Figure 9-42. These parameters were described in the metainit command example that was used to configure a RAID-1 volume.

Figure 9-42 Create Volume: Set Mirror Parameters Window

15. To accept the defaults, click Next to continue.


Review your selections in the Create Volume: Review window, as shown in Figure 9-43. This window provides a confirmation of your selections. It also provides a summary of the commands necessary to accomplish the identical task from the command line.

Figure 9-43 Create Volume: Review Window

16. Click Finish.


The RAID-1 volume named d10 is created, and the display is updated, as shown in Figure 9-44. The primary submirror (d11) is attached to the mirror (d10), but the process of creating the mirrored partition is not complete.

Figure 9-44 Solaris Management Console: Volumes

17. Go to the command line, and use the metaroot command to complete building the mirror of the root (/) file system, as described in "Executing the metaroot Command" on page 9-56.


Executing the metaroot Command

When creating mirrors of mounted file systems, you must update the /etc/vfstab file to change the mount point from a slice, such as /dev/dsk/c#t#d#s#, to a volume, such as /dev/md/dsk/d##. When mirroring any mounted file system other than root (/), you can use the vi editor to update the /etc/vfstab file.

When mirroring the root (/) file system, use the metaroot command to modify the /etc/vfstab and /etc/system files, as follows:

metaroot device

where device specifies either the metadevice or the conventional disk device (slice) used for the root (/) file system.

The following example shows that the /etc/vfstab file has been updated by the metaroot command to point to the RAID-1 mirrored metadevice.

# metaroot d10

# grep md /etc/vfstab

/dev/md/dsk/d10 /dev/md/rdsk/d10 / ufs 1 no -

In addition to modifying the /etc/vfstab file to update the root (/) file system pointer, the metaroot command updates the /etc/system file to support the logical volumes. For example:

# tail /etc/system

rootdev:/pseudo/md@0:0,10,blk

You must reboot the system before attaching the secondary submirror. When the system boots, it mounts the root file system using the metadevice device file. Enter the init command to reboot the system:

# init 6

After the reboot is complete, the root file system is mounted through the d10 metadevice:

# df -h /

Filesystem size used avail capacity Mounted on

/dev/md/dsk/d10 141M 111M 15M 88% /


The metastat command shows the state of the metadevices. Notice here that only one submirror is in the d10 metadevice:

# metastat

d10: Mirror

Submirror 0: d11

State: Okay

Pass: 1

Read option: roundrobin (default)

Write option: parallel (default)

Size: 307440 blocks (150 MB)

d11: Submirror of d10

State: Okay

Size: 307440 blocks (150 MB)

Stripe 0:

Device Start Block Dbase State Reloc Hot Spare

c0t0d0s0 0 No Okay Yes

(output omitted)

Attach the secondary submirror by using the metattach command:

# metattach d10 d12

d10: submirror d12 is attached

Caution – Create a one-way mirror with the metainit command, and then attach the additional submirrors with the metattach command. If the metattach command is not used, no resynchronization operations occur. As a result, data could become corrupted as the Solaris Volume Manager software assumes that both sides of the mirror are identical and can be used interchangeably.

The metastat command shows the mirror synchronization taking place.

# metastat d10

d10: Mirror

Submirror 0: d11

State: Okay

Submirror 1: d12

State: Resyncing

Resync in progress: 83 % done

Pass: 1

Read option: roundrobin (default)

Write option: parallel (default)

Size: 307440 blocks (150 MB)


d11: Submirror of d10

State: Okay

Size: 307440 blocks (150 MB)

Stripe 0:

Device Start Block Dbase State Reloc Hot Spare

c0t0d0s0 0 No Okay Yes

d12: Submirror of d10

State: Resyncing

Size: 2097360 blocks (1.0 GB)

Stripe 0:

Device Start Block Dbase State Reloc Hot Spare

c3t3d0s1 0 No Okay Yes
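A mirror that is still resynchronizing does not yet provide redundancy, so it is worth checking the submirror states mechanically before rebooting onto or detaching a submirror. The following script is an added example, not part of the student guide: it parses metastat text like the output above and succeeds only when every submirror of the named mirror is Okay. The function names are hypothetical, and the sample input is transcribed from the output above with its indentation assumed.

```shell
#!/bin/sh
# Added example: decide from metastat text whether a mirror is fully redundant.
# Function names are hypothetical. On Solaris 10, set AWK=nawk (or
# /usr/xpg4/bin/awk), because /usr/bin/awk does not accept the -v option.
AWK=${AWK:-awk}

# Sample transcribed from the guide's output (abbreviated); indentation assumed.
sample_metastat() {
    cat <<'EOF'
d10: Mirror
    Submirror 0: d11
      State: Okay
    Submirror 1: d12
      State: Resyncing
    Resync in progress: 83 % done
    Pass: 1
    Read option: roundrobin (default)
    Write option: parallel (default)
    Size: 307440 blocks (150 MB)

d11: Submirror of d10
    State: Okay
    Size: 307440 blocks (150 MB)

d12: Submirror of d10
    State: Resyncing
    Size: 2097360 blocks (1.0 GB)
EOF
}

# Print "<submirror> <state>" for each submirror listed in the stanza of
# mirror $1. Reads metastat output on standard input.
submirror_states() {
    "$AWK" -v m="$1" '
        $1 == (m ":") && $2 == "Mirror"      { in_m = 1; next }
        /^[^ \t]/                            { in_m = 0 }  # next stanza starts
        in_m && $1 == "Submirror"            { name = $3; next }
        in_m && $1 == "State:" && name != "" { print name, $2; name = "" }
    '
}

# Succeed only if mirror $1 has at least two submirrors and all are Okay.
# A one-way mirror fails the check because it offers no redundancy.
mirror_ready() {
    submirror_states "$1" | "$AWK" '
        { n++ }
        $2 != "Okay" { bad++ }
        END { exit !(n >= 2 && bad == 0) }
    '
}

# Demonstration on the embedded sample.
sample_metastat | submirror_states d10
if sample_metastat | mirror_ready d10; then
    echo "d10: all submirrors Okay"
else
    echo "d10: not ready (one-way mirror, or a submirror is not Okay)"
fi
```

On a live system the same functions can read the real output, for example `metastat d10 | mirror_ready d10`.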

Updating the boot-device PROM Variable

If you mirror your root (/) file system, record the alternate boot path contained in the boot-device PROM variable. In the following example, you determine the path to the alternate boot device by using the ls -l command on the slice that is being attached as the secondary submirror to the root (/) mirror.

# ls -l /dev/dsk/c3t3d0s1

lrwxrwxrwx 1 root root 57 Oct 25 11:22 /dev/dsk/c3t3d0s1 -> ../../devices/pci@1f,0/pci@1/pci@1/SUNW,isptwo@4/sd@3,0:b

Record the path that follows the /devices directory:

/pci@1f,0/pci@1/pci@1/SUNW,isptwo@4/sd@3,0:b

Caution – When using some disk controllers, the path to the device varies between the entries in the /devices directory and the entries in the OpenBoot™ programmable read-only memory (PROM). In these instances, follow the entries in the OpenBoot PROM.

If, for example, on one Ultra™ 5 workstation, the PCI-SCSI controller returns:

/pci@1f,0/pci@1/scsi@4,1/sd@2,0:b

from the /devices directory, yet the show-devs command from the OpenBoot PROM returned:

/pci@1f,0/pci@1/scsi@4,1/disk

then, the alternate boot path must be:

/pci@1f,0/pci@1/scsi@4,1/disk@2,0:b


If you do not adapt to the change when attempting to boot from the alternate boot device, you get an error stating:

can’t open boot device
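The path adjustment described above can be done mechanically, which avoids transcription errors in an alias that is only exercised when the primary disk has already failed. The following script is an added example, not part of the student guide: it extracts the physical path from an ls -l line and replaces the leaf node name with the one the OpenBoot PROM reports. The function names are hypothetical, and the inputs are the two paths shown above.

```shell
#!/bin/sh
# Added example: derive the alternate boot path for nvalias.
# Function names are hypothetical; inputs are taken from the guide's examples.

# Print the physical device path found in one line of `ls -l /dev/dsk/...`
# output, that is, everything that follows the /devices directory.
devices_path_from_ls() {
    case "$1" in
        *" -> "*"/devices/"*) ;;
        *) return 1 ;;                 # not a symlink into /devices
    esac
    target=${1##*" -> "}               # ../../devices/pci@1f,0/...
    printf '/%s\n' "${target#*/devices/}"
}

# Rewrite the leaf node of a /devices path to the node name that the
# OpenBoot PROM reports (from show-devs), keeping the unit address.
#   $1: path from /devices, for example /pci@1f,0/pci@1/scsi@4,1/sd@2,0:b
#   $2: PROM node, for example        /pci@1f,0/pci@1/scsi@4,1/disk
prom_boot_path() {
    dev_path=$1
    prom_node=$2
    parent=${dev_path%/*}              # /pci@1f,0/pci@1/scsi@4,1
    leaf=${dev_path##*/}               # sd@2,0:b
    prom_parent=${prom_node%/*}
    prom_leaf=${prom_node##*/}         # disk
    # The PROM node must sit under the same controller as the device.
    [ "$parent" = "$prom_parent" ] || return 1
    case "$leaf" in
        *@*) unit=${leaf#*@} ;;        # 2,0:b
        *) return 1 ;;
    esac
    printf '%s/%s@%s\n' "$parent" "$prom_leaf" "$unit"
}

# Demonstration with the values shown in the guide.
ls_line='lrwxrwxrwx 1 root root 57 Oct 25 11:22 /dev/dsk/c3t3d0s1 -> ../../devices/pci@1f,0/pci@1/pci@1/SUNW,isptwo@4/sd@3,0:b'
devices_path_from_ls "$ls_line"
prom_boot_path /pci@1f,0/pci@1/scsi@4,1/sd@2,0:b /pci@1f,0/pci@1/scsi@4,1/disk
```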

To get the system to boot automatically from the alternate boot device in the event of a primary root submirror failure, complete the following steps:

1. Use the OpenBoot nvalias command to define a backup_root device alias for the secondary root mirror. For example:

ok nvalias backup_root /pci@1f,0/pci@1/pci@1/SUNW,isptwo@4/sd@3,0:b

2. Redefine the boot-device variable to reference both the primary and secondary submirrors, in the order in which you want to access them. For example:

ok printenv boot-device

boot-device= disk net

ok setenv boot-device disk backup_root net

boot-device= disk backup_root net

In the event of primary root disk failure, the system automatically boots from the secondary submirror. To test the secondary submirror, boot the system manually, as follows:

ok boot backup_root


Unmirroring the Root (/) File System

Follow this procedure to unmirror the root (/) file system. This procedure assumes that the root (/) file system is mirrored on a Solaris Volume Manager software volume named d10, and that the mirror consists of two submirrors. The primary submirror is d11, and the secondary submirror is d12. To unmirror the root (/) file system, complete the following steps:

1. Run the metastat command on the mirror to verify that submirror 0 is in the Okay state.

# metastat d10

d10: Mirror

Submirror 0: d11

State: Okay

Submirror 1: d12

State: Okay

Pass: 1

Read option: roundrobin (default)

Write option: parallel (default)

Size: 307440 blocks (150 MB)

d11: Submirror of d10

State: Okay

Size: 307440 blocks (150 MB)

Stripe 0:

Device Start Block Dbase State Reloc Hot Spare

c0t0d0s0 0 No Okay Yes

d12: Submirror of d10

State: Okay

Size: 2097360 blocks (1.0 GB)

Stripe 0:

Device Start Block Dbase State Reloc Hot Spare

c3t3d0s1 0 No Okay Yes

Device Relocation Information:

Device Reloc Device ID

c0t0d0 Yes id1,dad@AST38420A=7AZ0VMFG

c3t3d0 Yes id1,sd@SFUJITSU_MAB3045S_SUN4.2G00F52267____


2. Run the metadetach command on the mirror to make a one-way mirror.

# metadetach d10 d12

d10: submirror d12 is detached

3. Because this is a root (/) file system mirror, run the metaroot command to update the /etc/vfstab and /etc/system files.

# metaroot /dev/dsk/c0t0d0s0

# grep c0t0d0s0 /etc/vfstab

/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 / ufs 1 no -

4. Reboot the system.

# init 6

5. Run the metaclear command to clear the mirror and submirrors.

The -r option recursively deletes the specified metadevices and hot spare pools that are associated with the targeted metadevices specified in the metaclear command.

# metaclear -r d10

d10: Mirror is cleared

d11: Concat/Stripe is cleared

# metaclear d12

d12: Concat/Stripe is cleared

6. If you changed your boot-device variable to an alternate boot path, return it to its original setting.


Performing the Exercises

You have the option to complete any one of three versions of a lab. To decide which to choose, consult the following descriptions of the levels:

• Level 1 – This version of the lab provides the least amount of guidance. Each bulleted paragraph provides a task description, but you must determine your own way of accomplishing each task.

• Level 2 – This version of the lab provides more guidance. Although each step describes what you should do, you must determine which commands (and options) to input.

• Level 3 – This version of the lab is the easiest to accomplish because each step provides exactly what you should input to the system. This level also includes the task solutions for all three levels.


Exercise: Mirroring the Root (/) File System (Level 1)

In this lab, you:

• Configure the Solaris Volume Manager software to create state database replicas

• Mirror the root (/) file system

• Update the default boot device

• Unmirror the root (/) file system

Preparation

This exercise mirrors the root (/) file system of the system disk.


As a setup requirement, the second disk on your system must be partitioned with one slice that is equal to or larger than the root (/) partition of the system disk. You must also partition space for the state database replicas on the second disk. You can choose how the remaining slices of the second disk must be partitioned.

This exercise is performed on each individual system, so there is no need to work with a partner for this exercise. Most steps in these procedures are executable by using either the Enhanced Storage Tool within the Solaris Volume Manager software or by using the command line.

For this exercise, the solution to each step is presented using the command-line equivalent. The Enhanced Storage Tool within the Solaris Volume Manager software is open and used to display a visual record of the Solaris Volume Manager software’s activities.


Tasks

Perform the following tasks:

• Map the available disk slices to the requirements for state database replicas and root (/) file system submirrors.

• Create the state database.

• Build the mirror of the root (/) file system.

• Modify the OpenBoot PROM variables to use the mirrored device as an alternate boot path in the event of a failure of the primary submirror.

• Reboot the system using the secondary root (/) submirror to test the mirror.

• Reboot the system using the primary root (/) submirror.

• Remove the mirror from the root (/) partition.

• Return your boot-device variable to its original setting.


Exercise: Mirroring the Root (/) File System (Level 2)

In this lab, you:

• Configure the Solaris Volume Manager software to create state database replicas

• Mirror the root (/) file system

• Update the default boot device

• Unmirror the root (/) file system

Preparation

This exercise mirrors the root (/) file system of the system disk.

As a setup requirement, the second disk on your system must be partitioned with one slice that is equal to or larger than the root (/) partition of the system disk. You must also partition space for the state database replicas on the second disk. You can choose how the remaining slices of the second disk must be partitioned.

This exercise is performed on each individual system, so there is no need to work with a partner for this exercise. Most steps in these procedures are executable by using either the Enhanced Storage Tool within the Solaris Volume Manager Software or by using the command line.

For this exercise, the solution to each step is presented using the command-line equivalent. The Enhanced Storage Tool within the Solaris Volume Manager is open and used to display a visual record of the Solaris Volume Manager software’s activities.


Task Summary

Perform the following tasks:

• Map the available disk slices to the requirements for state database replicas and root (/) file system submirrors.

• Create the state database.

• Build the mirror of the root (/) file system.

• Modify the OpenBoot PROM variables to use the mirrored device as an alternate boot path in the event of a failure of the primary submirror.

• Reboot the system using the secondary root (/) submirror to test the mirror.

• Reboot the system using the primary root (/) submirror.

• Remove the mirror from the root partition.

Tasks

Complete the following steps:

1. Open the Enhanced Storage Tool within the Solaris Management Console, and leave it open throughout this exercise to use it as a monitoring mechanism.

2. Fill in the blanks to record the information needed to complete this exercise:

• Disk slice for the state database replica 1: ________________________________

• Disk slice for the state database replica 2: ________________________________

• Disk slice for the state database replica 3: ________________________________

• Disk slice for the state database replica 4: ________________________________

• Disk slice for the state database replica 5 (optional): ________________________________

• Disk slice for the root file system primary submirror: ________________________________


• Metadevice to map to the root (/) file system primary submirror: ________________________________

• Disk slice for the root (/) file system secondary submirror: ________________________________

• Metadevice to map to the root (/) file system secondary submirror: ________________________________

• Metadevice to map to the root (/) file system mirror: ________________________________

3. Create a sufficient number of state database replicas to support the majority consensus algorithm used in the Solaris Volume Manager software.

What is the minimum number of state database replicas necessary to support the majority consensus algorithm?

_____________________________________________________________

4. Create a RAID-0 volume to use as the root (/) file system’s primary submirror.

5. Create a RAID-0 volume on the secondary drive to use as the root (/) file system’s secondary submirror.

6. Create a RAID-1 volume as a one-way mirror using the root (/) file system primary submirror as the source of the mirror’s data.

7. Update the /etc/vfstab file to use the RAID-1 volume as the mount point for the root (/) file system.

8. Reboot the system.

9. Attach the RAID-0 volume used as the root (/) file system’s secondary submirror to the RAID-1 volume, and allow the mirror synchronization to complete before continuing.

What is the primary reason for using the command line to attach a secondary submirror to a mirror?

_____________________________________________________________

Note – To view the status of the resynchronization process, perform the /usr/sbin/metastat | grep Resync command.

10. Determine the path to the alternate root (/) device (as reported by the Solaris 10 OS).

_____________________________________________________________


11. Use the init 0 command to enter the OpenBoot PROM and then the show-disks command to determine the path to the alternate root (/) device (as reported by the OpenBoot PROM).

_____________________________________________________________

12. Define a backup root (/) device alias.

_____________________________________________________________

13. Add the backup root (/) device alias to the boot-device variable.

_____________________________________________________________

14. Test the ability to boot the secondary root (/) submirror.

_____________________________________________________________

15. Verify the status of the root (/) submirrors.

_____________________________________________________________

16. Detach one submirror to make the root (/) mirror a one-way mirror.

_____________________________________________________________

17. Update the /etc/vfstab file to redefine the root (/) mount point using the original disk slice and the /etc/system file to include the forceload statements.

18. Reboot the system.

19. Clear the mirror and submirrors.

20. If you changed your boot-device variable to an alternate boot path, return it to its original setting by taking the system down to OBP level, changing the boot-device variable back to the original state, then bringing the system back up to multi-user milestone.


Exercise: Mirroring the Root (/) File System (Level 3)

In this exercise, you:

• Configure the Solaris Volume Manager software to create state database replicas

• Mirror the root (/) file system

• Update the default boot device

• Unmirror the root (/) file system

Preparation

This exercise mirrors the root (/) file system of the system disk.

As a setup requirement, the second disk on your system must be partitioned with one slice that is equal to or larger than the root (/) partition of the system disk. You must also partition space for the state database replicas on the second disk. You can choose how the remaining slices of the second disk must be partitioned.

This exercise is performed on each individual system, so there is no need to work with a partner for this exercise. Most steps in these procedures are executable by using either the Enhanced Storage Tool within the Solaris Volume Manager or by using the command line.

For this exercise, the solution to each step is presented using the command-line equivalent. The Enhanced Storage Tool within the Solaris Volume Manager is open and used to display a visual record of the Solaris Volume Manager software’s activities.


Task Summary

Perform the following tasks:

• Map the available disk slices to the requirements for state database replicas and root (/) file system submirrors.

• Create the state database.

• Build the mirror of the root (/) file system.

• Modify the OpenBoot PROM variables to use the mirrored device as an alternate boot path in the event of a failure of the primary submirror.

• Reboot the system using the secondary root (/) submirror to test the mirror.

• Reboot the system using the primary root (/) submirror.

• Remove the mirror from the root (/) partition.

Tasks and Solutions

This section provides the tasks and their solutions.

1. Open the Enhanced Storage Tool within the Solaris Management Console, and leave it open throughout this exercise to use it as a monitoring mechanism.

# smc &

Note – The task solutions are presented using the command-line equivalents because every task step can be performed by using the command line.

2. Fill in the blanks to record the information needed to complete this exercise:

• Disk slice for the state database replica 1:

As defined for your lab system.

• Disk slice for the state database replica 2:

As defined for your lab system.

• Disk slice for the state database replica 3:

As defined for your lab system.


• Disk slice for the state database replica 4:

As defined for your lab system.

• Disk slice for the state database replica 5 (optional):

As defined for your lab system.

• Disk slice for the root (/) file system primary submirror:

As defined for your lab system.

• Volume to map to the root (/) file system primary submirror:

As defined for your lab system.

• Disk slice for the root (/) file system secondary submirror:

As defined for your lab system.

• Metadevice to map to the root (/) file system secondary submirror:

As defined for your lab system.

• Metadevice to map to the root (/) file system mirror:

As defined for your lab system.

3. Create a sufficient number of state database replicas to support the majority consensus algorithm used in the Solaris Volume Manager software.

# /usr/sbin/metadb -a -f c#t#d#s0

# /usr/sbin/metadb -a c#t#d#s1

# /usr/sbin/metadb -a c#t#d#s4

# /usr/sbin/metadb -a c#t#d#s5

What is the minimum number of state database replicas necessary to support the majority consensus algorithm?

Three state database replicas are recommended as the minimum to support the majority consensus algorithm.

4. Create a RAID-0 volume to use as the root (/) file system’s primary submirror.

# /usr/sbin/metainit -f d11 1 1 c#t#d#s#

(The variable points to the root (/) slice.)

d11: Concat/Stripe is setup

5. Create a RAID-0 volume on the secondary drive to use as the root (/) file system’s secondary submirror.

# /usr/sbin/metainit d12 1 1 c#t#d#s#

d12: Concat/Stripe is setup


6. Create a RAID-1 volume as a one-way mirror using the root (/) file system primary submirror as the source of the mirror’s data.

# /usr/sbin/metainit d10 -m d11

d10: Mirror is setup

7. Update the /etc/vfstab file to use the RAID-1 volume as the mount point for the root (/) file system. Observe the changes to the /etc/vfstab and the /etc/system files.

# /usr/sbin/metaroot d10

# cat /etc/vfstab

# cat /etc/system

8. Reboot the system.

# init 6

9. Attach the RAID-0 volume used as the root (/) file system’s secondary submirror to the RAID-1 volume, and allow the mirror synchronization to complete before continuing.

# /usr/sbin/metattach d10 d12

What is the primary reason for using the command line to attach a secondary submirror to a mirror?

The primary reason for using the command line to attach a secondary submirror to a mirror is to force a resynchronization of the data between the primary and secondary submirror.

Note – To view the status of the resynchronization process, perform the /usr/sbin/metastat | grep Resync command.

10. Determine the path to the alternate root (/) device (as reported by the Solaris 10 OS).

Varies by system. Use the ls -l command.

# ls -l /dev/dsk/c#t#d#s#

11. Use the init 0 command to enter the OpenBoot PROM and then the show-disks command to determine the path to the alternate root (/) device (as reported by the OpenBoot PROM).

Varies by system. Use the show-devs command.

ok show-devs


12. Define a backup root (/) device alias.

Varies by system. Use the nvalias command.

ok nvalias backup_root device_path

13. Add the backup root (/) device alias to the boot-device variable.

Varies by system. Use a combination of the printenv and setenv commands.

ok printenv boot-device

boot-device = disk net

ok setenv boot-device disk backup_root

boot-device = disk backup_root

14. Test the ability to boot the secondary root (/) submirror.

ok boot backup_root

15. Verify the status of the root (/) submirrors.

# /usr/sbin/metastat d10

16. Detach one submirror to make the root (/) mirror a one-way mirror.

# /usr/sbin/metadetach d10 d12

17. Update the /etc/vfstab file to redefine the root (/) mount point using the original disk slice and the /etc/system file to include the forceload statements.

# /usr/sbin/metaroot /dev/dsk/c#t#d#s#

18. Reboot the system.

# init 6

19. Clear the mirror and submirrors.

# /usr/sbin/metaclear -r d10

# /usr/sbin/metaclear d12

20. If you changed your boot-device variable to an alternate boot path, return it to its original setting by taking the system down to OBP level, changing the boot-device variable back to the original state, then bringing the system back up to multi-user milestone.

# init 0

ok setenv boot-device disk

ok boot


Exercise Summary


Discussion – Take a few minutes to discuss the experiences, issues, or discoveries that you had during the lab exercises.

- Experiences

- Interpretations

- Conclusions

- Applications


Module 10

Configuring Role-Based Access Control (RBAC)

Objectives

Role-based access control (RBAC) is an alternative to the all-or-nothing superuser model. RBAC uses the security principle of least privilege. No user should be given more privilege than necessary for performing the user’s job. RBAC makes it possible for an organization to separate superusers’ capabilities and assign these capabilities to specific users or to special user accounts that are called roles. Roles can be assigned to specific individuals, according to their job needs. Upon completion of this module, you should be able to:

- Describe RBAC fundamentals

- Describe component interaction within RBAC

- Manage RBAC by using the Solaris™ Management Console

- Manage RBAC by using the command line

The course map in Figure 10-1 shows how this module fits into the current instructional goal.

Figure 10-1 Course Map

[Figure 10-1 labels: Control System Access and Configure System Messaging; Configure Role-Based Access Control (RBAC); Configure System Messaging]


Introducing RBAC Fundamentals

In conventional UNIX systems, the root user (also referred to as the superuser) is the most powerful user, with the ability to read and write to any file, run all programs, and send kill signals to any process. Anyone who can become superuser can modify a site’s firewall, alter the audit trail, and read confidential records.

In systems implementing RBAC, individual users can be assigned to roles, such as system administrator, network administrator, or operator. Roles are associated with rights profiles. The rights profiles list the rights to run specific commands and applications with escalated privileges.

Roles can also be assigned authorizations. An authorization grants access to restricted functions in RBAC compliant applications. RBAC compliant applications are linked to libsecdb so they can be checked for privileges.

Key RBAC Files

As well as roles, individual users may also be granted rights profiles and authorizations to specific applications. The authorizations, roles, rights profiles, and privileged commands are defined in four files.

- The /etc/user_attr file

- The /etc/security/prof_attr file

- The /etc/security/policy.conf file

- The /etc/security/exec_attr file

The user_attr File

The /etc/user_attr file contains user and role information that supplements the /etc/passwd and /etc/shadow files. The /etc/user_attr file lists the rights profiles and authorizations associated with users and roles.

When creating a new user account with no rights profiles, authorizations or roles, nothing is added to the file:

# useradd -m -d /export/home/chris chris

64 blocks

# grep chris /etc/user_attr

#

As each of the RBAC features is explained, the automatic modifications to this file are shown.


Roles

A role is a special identity, similar to a user account, for running privileged applications or commands that can be assumed by assigned users only.

While no predefined roles are shipped with the Solaris 10 OS, predefined rights profiles, or collections of privileges, can be associated with roles. To define a role, you assign the rights profiles to the role, as shown in Figure 10-2.

Figure 10-2 A role with two rights profiles

It is not possible to log in as a role. A role can only be used by switching the user to the role with the su command. The roles command lists the roles a user has been assigned:

# roles root

No roles

# roles chris

No roles

Note – You can also set up the root user as a role through a manual process. This approach prevents users from logging in directly as the root user. Therefore, they must log in as themselves first, and then use the su command to assume the role.

[Figure 10-2 diagram labels: User John; Role Operator; two Rights Profile boxes, each listing rights]


Assigning Rights Profiles To Users

A rights profile is a collection of rights that can be assigned to a user, as shown in Figure 10-3. The rights are commands or scripts which are run with special security attributes.

Figure 10-3 Rights Profile

Many examples of rights profiles are shipped with the Solaris 10 OS. The rights profile names and descriptions are defined in the /etc/security/prof_attr file. New rights profiles can be created by editing this file or using the Solaris Management Console (SMC). This example shows a few lines from that file.

# cat /etc/security/prof_attr

(output omitted)

All:::Execute any command as the user or role:help=RtAll.html

Log Management:::Manage log files:help=RtLogMngmnt.html

Media Backup:::Backup files and file systems:help=RtMediaBkup.html

Media Restore:::Restore files and file systems from backups:help=RtMediaRestore.html

(output omitted)

Each line starts with the rights profile name. The middle fields are not used and the last two fields are a comment and a pointer to a help file. Help files are written in Hypertext Markup Language (HTML) and they can be customized if required. These HTML help files exist in the /usr/lib/help/auths/locale/C directory.

[Figure 10-3 diagram labels: User John; two Rights Profile boxes, each listing rights]


The rights profiles assigned to a user can be listed with the profiles command or through the Solaris Management Console. This example shows the default profiles assigned to every new user account:

# profiles chris

Basic Solaris User

All

Every account has the All rights profile. It allows any command to be executed but with special security attributes. Other rights profiles given to all new user accounts are defined in the /etc/security/policy.conf file. The Basic Solaris User rights profile is listed in this file:

# grep 'PROFS' /etc/security/policy.conf

PROFS_GRANTED=Basic Solaris User

Rights profiles can be assigned to a user account with the usermod command or the Solaris Management Console (SMC). This example shows the Printer Management rights profile being assigned to the chris user account:

# usermod -P "Printer Management" chris

# profiles chris

Printer Management

Basic Solaris User

All

This automatically updates the /etc/user_attr file as shown below:

# grep chris /etc/user_attr

chris::::type=normal;profiles=Printer Management

The new line for the user chris shows the new profile assignment. The file uses colons (:) to separate the fields on each line. The first field is the user name as it appears in the /etc/passwd and /etc/shadow files. The middle fields are reserved for future use, and the last field is a list of semicolon-separated (;) key-value pairs that describe the security attributes to be applied when the user runs commands.


The contents of a rights profile can be examined from the command line with the -l option of the profiles command or in the Solaris Management Console (SMC).

# profiles -l chris

Printer Management:

/etc/init.d/lp euid=0, uid=0

/usr/bin/cancel euid=lp, uid=lp

/usr/bin/lpset egid=14

/usr/bin/lpstat euid=0

/usr/lib/lp/local/accept uid=lp

/usr/lib/lp/local/lpadmin uid=lp, gid=8

/usr/lib/lp/lpsched uid=0

/usr/sbin/accept euid=lp, uid=lp

/usr/sbin/lpadmin egid=14, uid=lp, gid=8

/usr/sbin/lpfilter euid=lp, uid=lp

/usr/sbin/lpforms euid=lp

/usr/sbin/lpmove euid=lp

/usr/sbin/lpshut euid=lp

/usr/sbin/lpusers euid=lp

/usr/ucb/lpq euid=0

/usr/ucb/lprm euid=0

All:

*

The individual commands in the rights profile can be seen, along with the special security attributes with which they are executed.

This example shows the user chris being able to enable and disable a printer.


The /etc/security/exec_attr File

The /etc/security/exec_attr file holds the execution attributes. An execution attribute is associated with a rights profile name.

An execution attribute can be a command with no options or a script that contains a command with options. The only way to add options to a command is by using a script. You can use the (*) wildcard. Commands should have the full path.

Special security attributes refer to attributes, such as UID, EUID, GID, and EGID, that can be added to a process when the command is run. Only the users and roles assigned access to this rights profile can run the command with special security attributes.

The commands and special security attributes for the Printer Management rights profile are listed below:

# grep 'Printer Management' /etc/security/exec_attr

Printer Management:suser:cmd:::/etc/init.d/lp:euid=0;uid=0

Printer Management:suser:cmd:::/usr/bin/cancel:euid=lp;uid=lp

Printer Management:suser:cmd:::/usr/bin/lpset:egid=14

Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0

Printer Management:suser:cmd:::/usr/lib/lp/local/accept:uid=lp

Printer Management:suser:cmd:::/usr/lib/lp/local/lpadmin:uid=lp;gid=8

Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0

Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp;uid=lp

Printer Management:suser:cmd:::/usr/sbin/lpadmin:egid=14;uid=lp;gid=8

Printer Management:suser:cmd:::/usr/sbin/lpfilter:euid=lp;uid=lp

Printer Management:suser:cmd:::/usr/sbin/lpforms:euid=lp

Printer Management:suser:cmd:::/usr/sbin/lpmove:euid=lp

Printer Management:suser:cmd:::/usr/sbin/lpshut:euid=lp

Printer Management:suser:cmd:::/usr/sbin/lpusers:euid=lp

Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0

Printer Management:suser:cmd:::/usr/ucb/lprm:euid=0


Assigning Rights Profiles To Roles

The previous section described how to add rights profiles to user accounts. If a large number of user accounts require the same configuration and management of rights profiles, it can be easier to assign the rights profiles to a role and give the users access to the role. Figure 10-4 shows the assignment of rights profiles to a role called level1 and giving the john user account access to the role:

Figure 10-4 The assignment of profiles to roles.

[Figure 10-4 diagram labels: User John; Role level1; two Rights Profile boxes, each listing rights]

Creating a Role

The roleadd command creates a role entry in the /etc/passwd, /etc/shadow, and /etc/user_attr files. Some common options include:

-c comment A text string that provides a short description of the role.

-d dir Specifies the home directory of the new role.

-m Creates the new role’s home directory if it does not already exist.

-P profile Assigns rights profiles to the role. Use commas (,) to separate multiple rights profiles.

# roleadd -m -d /export/home/level1 -c "Level One Support" \

-P "Printer Management,Media Backup,Media Restore" level1

64 blocks

# passwd level1

New Password: level1

Re-enter new Password: level1

passwd: password successfully changed for level1

In this example, the roleadd command creates a new role called level1, builds the home directory, and assigns the role with rights profiles of Printer Management, Media Backup, and Media Restore. The role cannot be used until a password is applied to it.

Note – The installation of the Solaris 10 OS has the Printer Management, Media Backup, and Media Restore rights profiles already defined in the /etc/security/exec_attr file and the /etc/security/prof_attr file.

The changes to the /etc/passwd, /etc/shadow, and /etc/user_attr files are shown below:

# grep level1 /etc/passwd

level1:x:102:1:Level One Support:/export/home/level1:/bin/pfsh

# grep level1 /etc/shadow

level1:CUs8aQ64vTrZ.:12713::::::

# grep level1 /etc/user_attr

level1::::type=role;profiles=Printer Management,Media Backup,Media Restore

The type of this account is role (type=role) and includes the rights profiles Printer Management, Media Backup, and Media Restore.

Modifying a Role

To modify the login information of a role on a system, use the rolemod command. The rolemod command changes the definition of the specified role and makes the appropriate login-related changes to the system file and file system. The fields in the rolemod command are:

-e expire Specifies the expiration date for a role.

-l new_logname Specifies the new login name for the role.

-P profile Specifies one or more comma-separated rights profiles, as defined in the /etc/security/prof_attr file.

-s shell Specifies the full path name of the program that is used as the role’s shell when logging in. These shells are special versions of the Bourne shell (sh), C shell (csh), and Korn shell (ksh).

This example modifies the role’s rights profiles.

# rolemod -P profile1,profile2 -s /usr/bin/pfksh level1

In this example, the rolemod command assigns the profile1 and profile2 profiles and the /usr/bin/pfksh profile shell to the role named level1.

Purpose of the Profile Shells

A profile shell is a special type of shell that enables access to the privileged rights that are assigned to the rights profile. The standard UNIX shells cannot be used, as they are not aware of the RBAC files, and do not consult them.

When the user executes a command, the profile shell searches the role’s rights profiles and associated rights. If the same command appears in more than one profile, the profile shell uses the first matching entry. The profile shell executes the command with the attributes specified in the RBAC configuration files.

The profile shells are pfsh, pfcsh, and pfksh. These profile shells correspond to Bourne shell (sh), C shell (csh), and Korn shell (ksh), respectively.
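The first-match lookup described for the profile shells, applied to the exec_attr entries listed earlier, can be modelled offline to review which account ends up running which command as UID 0. This is an added example, not code from the student guide or from the Solaris OS. The sample lines are constructed from those quoted in this module; the Site Helper profile, the user dana, the function names, and shell-style matching of the * wildcard are assumptions.

```python
"""Model of how a profile shell picks security attributes for a command."""
from fnmatch import fnmatchcase

# Constructed sample data in the file formats quoted in this module.
# "Site Helper" and the user "dana" are hypothetical; the Basic Solaris User
# line is abbreviated; the All entry is written from the profiles -l output.
POLICY_CONF = "PROFS_GRANTED=Basic Solaris User"
USER_ATTR = """\
chris::::type=normal;profiles=Printer Management
level1::::type=role;profiles=Printer Management,Media Backup,Media Restore
paul::::type=normal;roles=level1
dana::::type=normal;profiles=Site Helper,Printer Management
"""
PROF_ATTR = """\
All:::Execute any command as the user or role:help=RtAll.html
Basic Solaris User:::Automatically assigned rights:profiles=All;help=RtDefault.html
"""
EXEC_ATTR = """\
Printer Management:suser:cmd:::/usr/bin/cancel:euid=lp;uid=lp
Printer Management:suser:cmd:::/usr/sbin/lpadmin:egid=14;uid=lp;gid=8
Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0
Site Helper:suser:cmd:::/usr/bin/cancel:euid=0
All:suser:cmd:::*:
"""


def parse_attrs(field):
    """Turn 'k1=v1;k2=v2' into a dict; an empty field gives {}."""
    pairs = (item.split("=", 1) for item in field.split(";") if "=" in item)
    return {key.strip(): value.strip() for key, value in pairs}


def load_table(text, nfields):
    """Split every non-comment line into nfields colon-separated fields."""
    return [line.split(":", nfields - 1) for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def split_list(value):
    """Split a comma-separated attribute value, ignoring empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


USERS = {row[0]: parse_attrs(row[4]) for row in load_table(USER_ATTR, 5)}
PROFILES = {row[0]: parse_attrs(row[4]) for row in load_table(PROF_ATTR, 5)}
EXECS = [(row[0], row[5], parse_attrs(row[6]))
         for row in load_table(EXEC_ATTR, 7)]
GRANTED = parse_attrs(POLICY_CONF).get("PROFS_GRANTED", "")


def profile_order(account):
    """Profiles in search order: assigned ones first, then PROFS_GRANTED,
    each followed by the profiles nested inside it (no duplicates).
    Profiles of a role are not included: they apply only after su."""
    order = []

    def visit(name):
        if name not in order:
            order.append(name)
            nested = PROFILES.get(name, {}).get("profiles", "")
            for child in split_list(nested):
                visit(child)

    assigned = split_list(USERS.get(account, {}).get("profiles", ""))
    for name in assigned + split_list(GRANTED):
        visit(name)
    return order


def lookup(account, command):
    """Return (profile, attrs) for the first exec_attr entry that matches."""
    for profile in profile_order(account):
        for owner, pattern, attrs in EXECS:
            if owner == profile and fnmatchcase(command, pattern):
                return profile, attrs
    return None, {}


def root_commands(account):
    """Entries that give the account a real or effective UID of 0 and are
    not shadowed by an earlier profile in the search order."""
    found = []
    for profile in profile_order(account):
        for owner, pattern, attrs in EXECS:
            ids = {attrs.get("uid"), attrs.get("euid")}
            if owner == profile and ids & {"0", "root"}:
                if lookup(account, pattern)[0] == profile:
                    found.append((pattern, profile))
    return found


if __name__ == "__main__":
    for who in ("chris", "paul", "dana"):
        print(who, profile_order(who), lookup(who, "/usr/bin/cancel"))
        print("  runs as UID 0:", root_commands(who))
```

Swapping the order of dana's two profiles changes cancel from euid=0 to euid=lp, which is why profile order belongs in any review of /etc/user_attr.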


Assigning Roles To Users

A user can have access to many roles. The useradd command or Solaris Management Console (SMC) can be used to define which roles a new user has access to. The example shows the useradd command being used with the -R option to define roles:

# useradd -m -d /export/home/paul -R level1 paul

64 blocks

# passwd paul

New Password: paul

Re-enter new Password: paul

passwd: password successfully changed for paul

The roles command lists the roles a user account has access to:

# roles paul

level1

The association between the paul user account and the level1 role is defined automatically in the /etc/user_attr file:

# grep paul /etc/user_attr

paul::::type=normal;roles=level1

To add roles to an existing user account, use the usermod command or the Solaris Management Console (SMC). This example shows access to the level1 role being given to chris with the usermod command:

# usermod -R level1 chris

To remove all role access from a user account, use the usermod command or the Solaris Management Console (SMC). This example uses usermod to remove all role access from the chris account:

# usermod -R "" chris


Using Roles

As it is not possible to log in to a role account, log in as a regular user first. The roles command shows the roles available to your account.

$ id

uid=103(paul) gid=1(other)

$ roles

level1

Switch the user to the role account with the su command.

$ su level1

Password: level1

$ id

uid=102(level1) gid=1(other)

The level1 role has the two default rights profiles and was configured with three extra rights profiles.

$ profiles

Printer Management

Media Backup

Media Restore

Basic Solaris User

All

The Printer Management rights profile has a right which allows the cancel command to be run as the lp user.

$ lpstat -t

scheduler is running

system default destination: laser

system for _default: host1 (as printer laser)

device for laser: /dev/null

_default accepting requests since Fri Oct 22 13:59:24 2004

laser accepting requests since Fri Oct 22 13:59:24 2004

printer laser disabled since Fri Oct 22 13:59:34 2004. available.

Changing Toner

laser-8 root 479 Oct 22 14:12

$ cancel laser-8

laser-8: cancelled


Authorizations

An authorization grants access to restricted functions in RBAC compliant applications. Some applications and commands in the Solaris 10 OS are written to check the authorizations of the user calling them. You cannot create new authorizations; however, you can create and assign authorizations to new applications.

The predefined authorizations are listed in the authorization attributes configuration file named /etc/security/auth_attr.

# cat /etc/security/auth_attr

(output omitted)

solaris.jobs.:::Job Scheduler::help=JobHeader.html

solaris.jobs.admin:::Manage All Jobs::help=AuthJobsAdmin.html

solaris.jobs.grant:::Delegate Cron & At Administration::help=JobsGrant.html

solaris.jobs.user:::Manage Owned Jobs::help=AuthJobsUser.html

(output omitted)

Each entry identifies, by a unique string, what is being authorized. For example, the crontab command requires the solaris.jobs.admin authorization for a user to edit another user’s crontab file.

A hierarchy of authorizations can be established. Table 10-1 shows how a hierarchy can be established.

Caution – An authorization that ends with the suffix grant permits a user to delegate any assigned authorizations that begin with the same prefix to other users.

Table 10-1 Role and Authorization Relationships

Authorization                    Action

solaris.admin.usermgr.read       Provides read but no write access to user configuration files.

solaris.admin.usermgr.read       Provides read and write access to user configuration files. Cannot change passwords.
solaris.admin.usermgr.write

solaris.admin.usermgr.read       Provides read, write, and password access to user configuration files.
solaris.admin.usermgr.write
solaris.admin.usermgr.pswd


For example, a role with the authorizations:

solaris.admin.usermgr.grant

solaris.admin.usermgr.read

can delegate the solaris.admin.usermgr.read authorization to another user.

A role with the authorizations:

solaris.admin.usermgr.grant

solaris.admin.usermgr.*

can delegate any of the authorizations with the solaris.admin.usermgr prefix to other users.

Default Authorizations

All users have the Basic Solaris User profile by default.

# profiles chris

Printer Management

Basic Solaris User

All

The Basic Solaris User profile grants users access to all listed authorizations. The profiles=All field grants unrestricted access to all Solaris OS commands that have not been restricted by a definition in a previously listed authorization.

# grep 'Basic Solaris User' /etc/security/prof_attr

Basic Solaris User:::Automatically assigned rights:

auths=solaris.profmgr.read,solaris.jobs.users,solaris.mail.mailq,

solaris.admin.usermgr.read,solaris.admin.logsvc.read,

solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,

solaris.admin.diskmgr.read,solaris.admin.procmgr.user,

solaris.compsys.read,solaris.admin.printer.read,

solaris.admin.prodreg.read,solaris.admin.dcmgr.read,

solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,

solaris.network.hosts.read,solaris.admin.volmgr.read;profiles=All; help=RtDefault.html


Other default authorizations for every user can be defined in the /etc/security/policy.conf file:

# grep 'AUTHS' /etc/security/policy.conf

AUTHS_GRANTED=solaris.device.cdrw

This authorization is in the default /etc/security/policy.conf file as installed with the Solaris 10 OS.

Assigning Authorizations

Authorizations can be assigned to user accounts. Authorizations can also be assigned to roles or embedded in a rights profile which can be assigned to a user or role.

Figure 10-5 shows the authorization assignment permutations.

Figure 10-5 Authorization Assignment Permutations

[Figure 10-5 diagram labels: User John; Role Operator; Rights Profile; Authorization]


Assigning Authorizations To User Accounts

The following example shows that a regular user is not permitted to look at another user’s crontab file:

# su - chris

Sun Microsystems Inc. SunOS 5.10 s10_68 Sep. 20, 2004

$ crontab -l root

crontab: you must be super-user to access another user's crontab file

$ exit

The authorization to manage another user’s crontab file can be granted to the user from the command line or with the Solaris Management Console (SMC). This example shows the useradd command being used with the -A option to add an authorization:

# usermod -A solaris.jobs.admin chris

The /etc/user_attr user attributes file has been automatically modified with this new information.

# grep chris /etc/user_attr

chris::::type=normal;auths=solaris.jobs.admin;profiles=Printer Management

The chris account is a normal user account (type=normal) that has had the solaris.jobs.admin authorization and the Printer Management rights profile added previously. Use the auths command to see the authorizations assigned to a user:

# auths chris

solaris.admin.printer.read,solaris.admin.printer.modify,solaris.admin.printer.delete,solaris.device.cdrw,solaris.profmgr.read,solaris.jobs.users,solaris.mail.mailq,solaris.admin.usermgr.read,solaris.admin.logsvc.read,solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,solaris.admin.diskmgr.read,solaris.admin.procmgr.user,solaris.compsys.read,solaris.admin.prodreg.read,solaris.admin.dcmgr.read,solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,solaris.network.hosts.read,solaris.admin.volmgr.read


With this authorization, he can view or modify other users’ crontab files:

# su - chris

Sun Microsystems Inc. SunOS 5.10 s10_68 Sep. 20, 2004

$ crontab -l root

#ident "@(#)root 1.21 04/03/23 SMI"

#

# The root crontab should be used to perform accounting data collection.

#

#

(output omitted)

$ exit

Assigning Authorizations To Roles

If a large number of user accounts require the same configuration and management of authorizations, it can be easier to assign the authorizations to a role and give the users access to the role.

The role can be created with the roleadd command or the Solaris Management Console (SMC). This example uses the -P and -A options of the roleadd command to create a role called level2 with the rights profile Mail Management and the authorization solaris.admin.user.*.

# roleadd -m -d /export/home/level2 -P "Mail Management" \

-A "solaris.admin.usermgr.*" level2

64 blocks

# passwd level2

New Password: level2

Re-enter new Password: level2

passwd: password successfully changed for level2

# profiles level2

Mail Management

Basic Solaris User

All

# auths level2

solaris.admin.usermgr.*

(output omitted)


Assigning Authorizations To Rights Profiles

A rights profile usually includes a list of commands and special security attributes, the rights, as defined in the /etc/security/exec_attr file.

# grep "^Mail" /etc/security/exec_attr

Mail Management:suser:cmd:::/etc/init.d/sendmail:uid=0;gid=sys

Mail Management:suser:cmd:::/usr/lib/sendmail:uid=0

Mail Management:suser:cmd:::/usr/sbin/editmap:euid=0

Mail Management:suser:cmd:::/usr/sbin/makemap:euid=0

Mail Management:suser:cmd:::/usr/sbin/newaliases:euid=0

It is also possible to include predefined authorizations from the /etc/security/auth_attr file in the rights profile by adding the authorizations to the /etc/security/prof_attr file.

For example, the predefined Cron Management rights profile includes commands and authorizations. The /etc/security/prof_attr file defines the authorizations.

# grep '^Cron' /etc/security/prof_attr

Cron Management:::Manage at and cron jobs:auths=solaris.jobs.*;help=RtCronMngmnt.html

The /etc/security/exec_attr file defines the commands and special security attributes.

# grep '^Cron' /etc/security/exec_attr

Cron Management:suser:cmd:::/etc/init.d/cron:uid=0;gid=sys

Cron Management:suser:cmd:::/usr/bin/crontab:euid=0

The rights profile can then be given to a user:

# usermod -P "Cron Management" paul

Or a role:

# rolemod -P "Cron Management" level2
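The three ways of assigning authorizations described above (directly, through AUTHS_GRANTED, and through a rights profile) and the grant-suffix delegation rule can be combined into one offline check of what an account is authorized for and what it may hand on. This is an added example, not code from the student guide or from the Solaris OS. The chris and Cron Management lines are quoted in this module; the paul and level2 lines follow its usermod and roleadd examples; the helpdesk role and the function names are hypothetical; and the rule that a wildcard never covers an authorization ending in .grant is an assumption modelled on libsecdb behaviour.

```python
"""Effective authorizations, wildcard checks and delegation, as a model."""

# Constructed sample data in the file formats quoted in this module.
# The helpdesk role is hypothetical; Basic Solaris User is abbreviated.
POLICY_CONF = """\
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
"""
USER_ATTR = """\
chris::::type=normal;auths=solaris.jobs.admin;profiles=Printer Management
paul::::type=normal;profiles=Cron Management;roles=level1
level2::::type=role;auths=solaris.admin.usermgr.*;profiles=Mail Management
helpdesk::::type=role;auths=solaris.admin.usermgr.grant,solaris.admin.usermgr.read
"""
PROF_ATTR = """\
Cron Management:::Manage at and cron jobs:auths=solaris.jobs.*;help=RtCronMngmnt.html
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read,solaris.jobs.users,solaris.admin.usermgr.read;profiles=All;help=RtDefault.html
"""


def parse_attrs(field):
    """Turn 'k1=v1;k2=v2' into a dict; an empty field gives {}."""
    pairs = (item.split("=", 1) for item in field.split(";") if "=" in item)
    return {key.strip(): value.strip() for key, value in pairs}


def csv(value):
    """Split a comma-separated value; None or '' gives an empty list."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def last_field(text):
    """Map the first field of each line to its parsed attribute field."""
    rows = (line.split(":", 4) for line in text.splitlines() if line.strip())
    return {row[0]: parse_attrs(row[4]) for row in rows}


USERS = last_field(USER_ATTR)
PROFILES = last_field(PROF_ATTR)
POLICY = parse_attrs(";".join(POLICY_CONF.splitlines()))


def effective_auths(account):
    """Authorizations from user_attr, policy.conf and every reachable profile."""
    attrs = USERS.get(account, {})
    auths = csv(attrs.get("auths")) + csv(POLICY.get("AUTHS_GRANTED"))
    todo = csv(attrs.get("profiles")) + csv(POLICY.get("PROFS_GRANTED"))
    seen = set()
    while todo:
        name = todo.pop(0)
        if name not in seen:
            seen.add(name)
            profile = PROFILES.get(name, {})
            auths += csv(profile.get("auths"))
            todo += csv(profile.get("profiles"))
    return list(dict.fromkeys(auths))      # de-duplicate, keep order


def auth_matches(held, wanted):
    """True when one held authorization covers the wanted one."""
    if held == wanted:
        return True
    # A trailing * covers everything under the prefix. Assumption modelled on
    # libsecdb: a wildcard never implies an authorization ending in .grant.
    if held.endswith("*") and wanted.startswith(held[:-1]):
        return not wanted.endswith(".grant")
    return False


def has_auth(account, wanted):
    """True when any effective authorization covers the wanted one."""
    return any(auth_matches(held, wanted) for held in effective_auths(account))


def delegable(account):
    """Assigned authorizations the account may pass on through a held
    <prefix>.grant authorization (same-prefix rule from the Caution)."""
    held = effective_auths(account)
    prefixes = [a[:-len("grant")] for a in held if a.endswith(".grant")]
    return [a for a in held if not a.endswith(".grant")
            and any(a.startswith(prefix) for prefix in prefixes)]


if __name__ == "__main__":
    for who in sorted(USERS):
        print(who, "jobs.admin:", has_auth(who, "solaris.jobs.admin"),
              "can delegate:", delegable(who))
```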


RBAC Configuration File Summary

The four files used by RBAC are interrelated. Figure 10-6 shows how thesefiles are related.

Figure 10-6 RBAC Files

The /etc/user_attrFile

Figure 10-7 shows how the roles and users are associated within the file.

Figure 10-7 The /etc/user_attr File

[Diagram for Figures 10-6 and 10-7: four boxes labeled user_attr (Users, Roles), prof_attr (Profiles), exec_attr (Privileges), and auth_attr (Authorization).]

Figure 10-8 shows a portion of a /etc/user_attr file. The user johndoe is a normal user account. The user is given the role of sysadmin. The sysadmin role is a role account. When assuming the sysadmin role, johndoe has access to specific rights profiles, defined as Device Management, Filesystem Management, and Printer Management profiles.

root::::type=normal;auth=solaris.*,solaris.grant
sysadmin::::type=role;profiles=Device Management,Filesystem Management,Printer Management
johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin

Figure 10-8 User and Role Association

The /etc/security/prof_attr File

The /etc/security/prof_attr file holds the rights profiles, as shown in Figure 10-9.

Figure 10-9 The prof_attr File

In the following example, the Printer Management rights profile is a supplementary rights profile that is assigned to the Operator rights profile and the System Administrator rights profile.

# grep 'Printer Management' /etc/security/prof_attr

Operator:::Can perform simple administrative tasks:profiles=Printer Management,Media Backup,All;help=RtOperator.html

Printer Management:::Manage printers, daemons, spooling:help=RtPrntAdmin.html;auths=solaris.admin.printer.read,solaris.admin.printer.modify,solaris.admin.printer.delete

System Administrator:::Can perform most non-security administrative tasks:profiles=Audit Review,Printer Management,Cron Management,Device Management,File System Management,Mail Management,Maintenance and Repair,Media Backup,Media Restore,Name Service Management,Network Management,Object Access Management,Process Management,Software Installation,User Management,All;help=RtSysAdmin.html

Figure 10-10 shows one relationship between the /etc/security/prof_attr and the /etc/user_attr files. The Printer Management rights profile, which is defined in the /etc/security/prof_attr file, is assigned to the sysadmin role in the /etc/user_attr file.

From the /etc/security/prof_attr database:
Printer Management:::Manage printers, daemons, \
spooling:help=RtPrntAdmin.html;auths=solaris.admin.printer.read,\
solaris.admin.printer.modify,solaris.admin.printer.delete

From the /etc/user_attr database:
root::::type=normal;auth=solaris.*,solaris.grant
sysadmin::::type=role;profile=Device Management,Printer Management
...

Figure 10-10 User and Profile Association

Figure 10-11 shows the relationship between the /etc/security/prof_attr and the /etc/security/auth_attr files. The Printer Management profile is defined in the /etc/security/prof_attr file as having all authorizations, beginning with the solaris.admin.printer. string, assigned to it. These authorizations are defined in the /etc/security/auth_attr file.

From the /etc/security/prof_attr database:
Printer Management:::Manage printers, daemons, spooling:\
help=RtPrntAdmin.html;auths=solaris.admin.printer.read,\
solaris.admin.printer.modify,solaris.admin.printer.delete

From the /etc/security/auth_attr database:
solaris.admin.printer.modify:::Update Printer Information::\
help=AuthPrinterModify.html
solaris.admin.printer.delete:::Delete Printer Information::\
help=AuthPrinterDelete.html
solaris.admin.printer.:::Printer Information::help=AuthPrinterHeader.html
solaris.admin.printer.read:::View Printer Information::\
help=AuthPrinterRead.html

Figure 10-11 Profile and Authorization Association

The /etc/security/exec_attr File

Figure 10-12 shows the /etc/security/exec_attr file.

Figure 10-12 The exec_attr File

Figure 10-13 shows the relationship between the /etc/security/exec_attr and /etc/security/prof_attr files.

From the /etc/security/prof_attr database:
Printer Management:::Manage printers, daemons, spooling:help=RtPrntAdmin.html;auths=solaris.admin.printer.read,solaris.admin.printer.modify,solaris.admin.printer.delete

From the /etc/security/exec_attr database:
Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0
Printer Management:suser:cmd:::/etc/init.d/lp:euid=0
Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0
Printer Management:suser:cmd:::/usr/sbin/lpfilter:euid=lp
Printer Management:suser:cmd:::/usr/bin/lpset:egid=14
Printer Management:suser:cmd:::/usr/sbin/lpadmin:egid=14
Printer Management:suser:cmd:::/usr/sbin/lpsystem:uid=0
Printer Management:suser:cmd:::/usr/sbin/lpmove:euid=lp
Printer Management:suser:cmd:::/usr/sbin/lpshut:euid=lp
Printer Management:suser:cmd:::/usr/bin/cancel:euid=0
Printer Management:suser:cmd:::/usr/bin/disable:euid=lp
Printer Management:suser:cmd:::/usr/sbin/lpforms:euid=lp
Printer Management:suser:cmd:::/usr/sbin/reject:euid=lp
Printer Management:suser:cmd:::/usr/ucb/lprm:euid=0
Printer Management:suser:cmd:::/usr/bin/enable:euid=lp
Printer Management:suser:cmd:::/usr/sbin/lpusers:euid=lp

Figure 10-13 Profile and Execution Association

The Printer Management rights profile lists commands with the appropriate security attributes assigned in the /etc/security/exec_attr file.

The /etc/security/auth_attr File

Figure 10-14 shows the /etc/security/auth_attr file.

Figure 10-14 The auth_attr File

The following is an example of an /etc/security/auth_attr file, with some typical values:

solaris.*:::Primary Administrator::help=PriAdmin.html

solaris.grant:::Grant All Rights::help=PriAdmin.html

...

solaris.device.:::Device Allocation::help=DevAllocHeader.html

solaris.device.allocate:::Allocate Device::help=DevAllocate.html

solaris.device.config:::Configure Device Attributes::help=DevConfig.html

solaris.device.grant:::Delegate Device Administration::help=DevGrant.html

solaris.device.revoke:::Revoke or Reclaim Device::help=DevRevoke.html

Note – The solaris.device. entry is defined as a heading, because it ends in a dot (.). Headings are used by the GUI to organize families of authorizations.


Figure 10-15 shows the relationship between the /etc/security/auth_attr and the /etc/user_attr files. The solaris.system.date authorization, which is defined in the /etc/security/auth_attr file, is assigned to the user johndoe in the /etc/user_attr file.

From the /etc/security/auth_attr database:
solaris.*:::Primary Administrator::help=PriAdmin.html
...
solaris.system.date:::Set Date & Time::help=SysDate.html
...

From the /etc/user_attr database:
johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin

Figure 10-15 User, Role, and Authorization Association

Figure 10-16 shows how the fields of the four files are related.

From the /etc/security/auth_attr database:
solaris.system.date:::Set Date & Time::help=SysDate.html

From the /etc/user_attr database:
sysadmin::::type=role;profiles=Device Management,Filesystem Management,Printer Management,All
johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin

From the /etc/security/prof_attr database:
Printer Management:::Manage printers, daemons, spooling:help=RtPrntAdmin.html;auths=solaris.admin.printer.read,solaris.admin.printer.modify,solaris.admin.printer.delete

From the /etc/security/exec_attr database:
Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0
Printer Management:suser:cmd:::/etc/init.d/lp:euid=0
Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0

Figure 10-16 Relationship Between the Four RBAC Files

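The chain that the four files form (user to role to rights profile to authorizations and commands) can be walked programmatically when reviewing which accounts can run commands with a UID or EUID of 0. The following Python code is an added example, not part of the course material: the function names are hypothetical, the records are constructed from the excerpts in this section, and it reads only local file contents, ignoring name services and system-wide defaults.

```python
"""Resolve a user's effective RBAC rights from copies of the Solaris RBAC files."""

# Constructed sample records, modelled on the excerpts in this section.
USER_ATTR = """\
root::::type=normal;auths=solaris.*,solaris.grant
sysadmin::::type=role;profiles=Device Management,Printer Management
johndoe::::type=normal;auths=solaris.system.date;roles=sysadmin
"""
PROF_ATTR = """\
Printer Management:::Manage printers, daemons, spooling:help=RtPrntAdmin.html;auths=solaris.admin.printer.read,solaris.admin.printer.modify,solaris.admin.printer.delete
Cron Management:::Manage at and cron jobs:auths=solaris.jobs.*;help=RtCronMngmnt.html
"""
EXEC_ATTR = """\
Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0
Printer Management:suser:cmd:::/usr/bin/cancel:euid=0
Cron Management:suser:cmd:::/usr/bin/crontab:euid=0
"""


def parse_attrs(field):
    """Turn 'k=v1,v2;k2=v' into {'k': ['v1', 'v2'], 'k2': ['v']}."""
    attrs = {}
    for item in field.strip().split(";"):
        key, sep, value = item.partition("=")
        if sep:
            attrs[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return attrs


def load(text, nfields):
    """Yield (name, middle_fields, attrs) per record; the attribute list is the last field."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", nfields - 1)
        if len(parts) == nfields:  # skip malformed records
            yield parts[0], parts[1:-1], parse_attrs(parts[-1])


def has_auth(granted, wanted):
    """True if `wanted` is granted exactly or by an entry ending in '*'."""
    return any(g == wanted or (g.endswith("*") and wanted.startswith(g[:-1]))
               for g in granted)


def rights_of(account, users, profs, cmds):
    """Collect authorizations, profiles and commands for one user or role account."""
    attrs = users.get(account, {})
    auths = set(attrs.get("auths", []))
    profiles, undefined, commands = [], set(), {}
    stack = list(reversed(attrs.get("profiles", [])))
    while stack:
        name = stack.pop()
        if name in profiles or name in undefined:
            continue  # already visited; also stops cyclic supplementary profiles
        if name not in profs:
            undefined.add(name)  # assigned in user_attr but not defined in prof_attr
            continue
        profiles.append(name)
        auths.update(profs[name].get("auths", []))
        stack.extend(reversed(profs[name].get("profiles", [])))
        for path, cmd_attrs in cmds.get(name, []):
            commands.setdefault(path, cmd_attrs)  # the earlier profile wins
    root_cmds = sorted(p for p, a in commands.items()
                       if {"0", "root"} & set(a.get("uid", []) + a.get("euid", [])))
    return {"auths": auths, "profiles": profiles, "undefined": undefined,
            "commands": commands, "root_commands": root_cmds}


def audit(user, user_attr=USER_ATTR, prof_attr=PROF_ATTR, exec_attr=EXEC_ATTR):
    """Rights held directly, and rights gained only after assuming each role."""
    users = {n: a for n, _, a in load(user_attr, 5)}
    profs = {n: a for n, _, a in load(prof_attr, 5)}
    cmds = {}
    for name, fields, attrs in load(exec_attr, 7):
        cmds.setdefault(name, []).append((fields[4], attrs))  # fields[4] is the command path
    report = {"direct": rights_of(user, users, profs, cmds), "roles": {}}
    for role in users.get(user, {}).get("roles", []):
        is_role = users.get(role, {}).get("type") == ["role"]
        # None marks a roles= entry that is missing or is not a type=role account
        report["roles"][role] = rights_of(role, users, profs, cmds) if is_role else None
    return report


if __name__ == "__main__":
    result = audit("johndoe")
    print("direct auths:", sorted(result["direct"]["auths"]))
    for role, rights in result["roles"].items():
        if rights is None:
            print(role, "is not a valid role account")
            continue
        print(role, "profiles:", rights["profiles"], "undefined:", sorted(rights["undefined"]))
        print(role, "runs as uid/euid 0:", rights["root_commands"])
```

With the constructed records, the Device Management profile is reported as undefined because the sample prof_attr text has no entry for it; on a real system the same result points to a misspelled or deleted profile name.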

Managing RBAC Using the Solaris Management Console

The Solaris Management Console in the Solaris 10 OS enables you to configure RBAC features using a GUI console. The GUI provides a point-and-click method of configuring RBAC rights and roles. The GUI wizards prompt you for any necessary configuration parameters.

Note – Using the GUI assumes knowledge of the underlying dependencies that are built into the RBAC feature.

Fundamentals of Managing RBAC

To set up privileged access using the RBAC GUI, follow these steps:

1. Build the user accounts that will be assigned the RBAC rights profiles and roles.

Note – Step 1 is not required if the designated rights profiles and roles are being made available to existing users.

2. Build the rights profiles needed to support the privileged access requirements.

3. Build the role that will provide access to the rights profiles for designated users.


The following example grants an ordinary user access to administrative rights for package commands that require superuser access:

Figure 10-17 shows that access to the RBAC features begins with the Solaris Management Console.

Figure 10-17 Solaris Management Console – Users Window

To access RBAC features, perform the following steps:

1. Select Management Tools.

2. Click This Computer.

3. Click System Configuration.

4. Double-click the Users icon.


5. Log in as root, as shown in the Log In: User Name Window in Figure 10-18.

Figure 10-18 Log In: User Name Window

From this login, you have the necessary permissions to set up users, work with name services, and assign rights profiles and roles to other users.

Note – After other users have been granted the necessary access permissions, you can log in with those user login names on subsequent sessions.


After you log in, the View pane displays the set of tools used to perform traditional user administration tasks and the RBAC tasks, as shown in Figure 10-19.

Figure 10-19 Solaris Management Console – Users Tools Window

Table 10-2 defines the tools in the Users toolbox.

Table 10-2 Users Tools

Title                     Description
User Accounts             Add (or modify) user accounts in several ways: individually, in multiples, or starting from a template.
User Templates            Create a template. If you need to create multiple users with similar attributes, you can first create a template for that type of user.
Rights (Rights Profiles)  Configure a named collection that includes three components: commands, authorizations, and other previously created rights profiles.
Administrative Roles      Configure a role account with a specific set of administrative rights. You must use the su command to access a role, because you cannot log in to a role.
Groups                    Manage access to groups.
Mailing Lists             Add a new mailing list. You can also use this tool to view, add, or delete recipients in a mailing list.

6. Double-click the User Accounts icon to select the User Accounts functions.

The existing users appear in the View pane, as shown in Figure 10-20.

Figure 10-20 Solaris Management Console – User Accounts Window

Building User Accounts

You can build a new user account that will be assigned access to all the package administration commands. Perform the following steps:

1. Select Add User from the Action menu, as shown in Figure 10-21.

Figure 10-21 Action Menu – Add User

2. Select With Wizard from the Add User submenu.


Note – The Add User Wizard works the same as the useradd command and earlier GUI tools, such as AdminTool.

The Add User Wizard – Step 1 window appears, as shown in Figure 10-22.

Figure 10-22 Add User Wizard – Step 1 Window

3. Enter the following information:

User Name    The login name for this user account. Enter user1 as the user name.
Full Name    A descriptive entry identifying the owner of this account. Enter RBAC user1 as the full name.
Description  Similar to the full name, this field further identifies the owner of this account. This entry populates the gecos field in the /etc/passwd file. Enter Added user for RBAC as the description.

4. Click Next to continue.

The user ID number is the user’s unique numerical ID for the system. The displayed number is the next available UID for the system. If this user account is accessible across multiple standalone systems, the UID should remain consistent to avoid file ownership problems between those systems.

5. Accept the default user ID number, as shown in the Add User Wizard – Step 2 window in Figure 10-23.

Figure 10-23 Add User Wizard – Step 2 Window

6. Click Next to continue.


There are two password options in the Add User Wizard – Step 3 window, as shown in Figure 10-24. With the first option, the new user will be prompted to set the password when logging in for the first time. Alternatively, with the second option, you can immediately assign the account password.

Figure 10-24 Add User Wizard – Step 3 Window

7. Enter and confirm 123pass as the password, as shown in Figure 10-24.

8. Click Next to continue.


Group membership allows this user to share access permissions with other users within the same group, as shown in the Add User Wizard – Step 4 window in Figure 10-25. You can add this user to additional groups’ common characteristics after account creation. Each user can belong to 15 additional groups that are also known as secondary groups.

9. When prompted with a choice for the new user’s primary group membership, accept the default group assignment, as shown in Figure 10-25.

Figure 10-25 Add User Wizard – Step 4 Window

10. Click Next to continue.


The home directory path defines where this user’s personal files are stored, as shown in the Add User Wizard – Step 5 window in Figure 10-26. When the account is created, the new user name appends to the home directory path that is defined in this field. For example, if this user is named user1, then the home directory becomes /export/home/user1.

Figure 10-26 Add User Wizard – Step 5 Window

11. Enter the name of the directory in which the user’s home directory will be created (/export/home), as shown in Figure 10-26.

12. Click Next to continue.


When you create a new user account, it is customary to also create a mail account, as shown in the Add User Wizard – Step 6 window in Figure 10-27. You provide the user with a mailbox that is a file on the mail server (also known as the inbox) that holds all newly received mail.

Figure 10-27 Add User Wizard – Step 6 Window

13. Click Next to accept the defaults, as shown in Figure 10-27.


14. Check each field for inadvertent errors, as shown in the Add User Wizard – Step 7 window in Figure 10-28. If you see any errors, step back through the windows to correct them, and then step forward again to the confirmation window.

Figure 10-28 Add User Wizard – Review Window

15. When you are satisfied with the field inputs, click Finish to complete building the new user account.


After the new account is created, you are returned to the Solaris Management Console Window, which displays the new account, as shown in Figure 10-29.

Figure 10-29 Solaris Management Console – User Accounts Window

To test the user account, perform the following steps:

1. Log in with the user name that was just created.

Note – The host name in this example is sys44, and the user name is user1.

# telnet sys44

Trying 127.0.0.1...

Connected to sys44.

Escape character is '^]'.

login: user1

Password:

Sun Microsystems Inc. SunOS 5.10 s10_68 Sep. 20, 2004

2. Execute a few commands to verify that the new account functions as created.

$ who

root console Oct 22 13:45 (:0)


root pts/4 Oct 22 09:29 (:0.0)

user1 pts/5 Oct 22 14:32 (sys44)

$ id

uid=4001(user1) gid=10(staff)

$ ls -a

. .. .cshrc .login .profile

$

3. Now that you have verified that the basic Solaris OS commands are functioning within the new user account, try executing more specialized commands within this account. Use the pkginfo (package information) command and the pkgrm (package removal) command. These examples use the SUNWpppg package.

$ pkginfo -l SUNWpppg

PKGINST: SUNWpppg

NAME: GNU utilities for PPP

CATEGORY: system

ARCH: sparc

VERSION: 11.10.0,REV=2004.09.20.13.52

BASEDIR: /

VENDOR: Sun Microsystems, Inc.

DESC: Optional GNU utilities for use with PPP

PSTAMP: gaget20040920135926

INSTDATE: Oct 15 2004 18:15

HOTLINE: Please contact your local service provider

STATUS: completely installed

FILES: 12 installed pathnames

8 shared pathnames

8 directories

3 executables

190 blocks used (approx)

$ pkgrm SUNWpppg

pkgrm: not found

Note – The pkginfo command is stored in the /usr/bin directory, which is in the default PATH variable for regular user accounts. The pkgrm command is stored in the /usr/sbin directory, which is not in the default PATH for regular user accounts. You can modify the PATH variable to include the command’s path, or you can enter the absolute path of the command on the command line.


$ /usr/sbin/pkgrm SUNWpppg

pkgrm: ERROR: You must be "root" for pkgrm to execute properly.

$

The user1 account can execute the pkginfo command because no special privileges are required to get information on installed packages. However, to remove a software package requires root permissions; therefore, you must give user1 superuser access to the system or give the user access to a restricted role account that has these specific rights. You should first create the specific set of rights, and then create a role to which you can assign the rights.

Building Rights Profiles

The Solaris 10 OS includes many default sets of rights. These rights profiles include the sets of tasks that system administrators are required to perform. In a large enterprise, you might have separate administrators for each of these rights, whereas, in a smaller company, a single administrator could be responsible for one or more of these task categories.

As a primary administrator, you must decide between two scenarios when using profiles:

• The default collections of task sets fit your Information Technology (IT) organization; in which case, you can move directly to creating roles for your users to assume when these task sets are required.

• A task set collection must be defined to further subdivide the default task sets. In this case, you must first create new rights profiles before creating roles.

In the earlier example, user1 required access permissions to the full set of package administration commands. You can create a rights profile called Package Administration to add to the default rights profiles supplied with the Solaris 10 OS release.


To add or build a rights profile, perform the following steps:

1. Double-click on Rights in the Navigation pane.

The View pane of the Solaris Management Console displays some of the categories for these collections of system administrator tasks, as shown in the Solaris Management Console – Rights window in Figure 10-30.

Figure 10-30 Solaris Management Console – Rights Window


2. Select Add Right from the Action menu, as shown in Figure 10-31.

Figure 10-31 Action Menu – Add Right


The Add Right window – General tab appears. As shown in Figure 10-32, the window contains four tabs. Each tab configures one or more aspects of a rights profile.

Figure 10-32 Add Right Window – General Tab

3. Select the General tab, and fill in the fields as follows:

Name: The name that identifies the rights profile in the rights window. This name corresponds to the line entry in the /etc/security/prof_attr database.

Description: This description is also presented in the /etc/security/prof_attr file as a definition of the rights profile.

Help File Name: This is a required field. It points to an HTML file in the /usr/lib/help/profiles/locale/C directory. You can copy and edit an existing file to satisfy this requirement.


Note – You should create the help file before referencing the help file in this window.

4. Select the Commands tab, as shown in Figure 10-33, and select the commands that your rights profile will include as follows:

Figure 10-33 Add Right Window – Commands Tab

a. For each command that you want the rights profile to be able to run, select it, and click Add.

The command moves to the Commands Permitted list.

b. Click Set Security Attributes.


The Set Security Attributes window, as shown in Figure 10-34, appears. This window also appears when you double-click any of the commands in the Permitted Commands field.

Figure 10-34 Set Security Attributes Window

c. Define the security attributes for each permitted command. You must assign the UID, EUID, GID, and EGID permissions.

Note – The online man pages do not always define the required execution permissions. However, the /etc/security/exec_attr file is a good source for the proper execution permissions for most commands.

5. Search the /etc/security/exec_attr file for the pkgrm command, and set the ownership accordingly.

6. Click OK to continue.


The View pane in the Solaris Management Console is updated to include the Package Administrator rights profile, as shown in Figure 10-35.

Figure 10-35 Solaris Management Console – Rights Window

7. If you need to make modifications to this rights profile, double-click the newly created Package Administrator entry to return to the rights creation windows.

After the rights profile is completed, it can be assigned to either an existing user or to a role.

Note – A user must be running a profile shell to execute the commands in an assigned rights profile.


Building the Role

Administrative roles run administrator shells, also known as profile shells. Because of the profile shell, you cannot log in to a role account. You must log in as a regular user, and then assume the role by using the su command.

To build an administration role, complete the following steps:

1. To display existing roles, double-click Administrative Roles in the Navigation pane, as shown in Figure 10-36.

Figure 10-36 Solaris Management Console – Administrative Roles Window

Note – By default, the Solaris 10 OS does not have any roles defined.


2. To create a role, select Add Administrative Role from the Action menu, as shown in Figure 10-37.

Figure 10-37 Action Menu – Add Administrative Role


The Add Administrative Role – Step 1 window appears, as shown in Figure 10-38.

Figure 10-38 Add Administrative Role – Step 1 Window

3. Complete the fields in “Add Administrative Role – Step 1 Window” as follows:

Role Name: This is the name that you use to assume a specific role with the su command. This name identifies entries in the /etc/passwd and /etc/shadow files and in the /etc/user_attr database.

Full Name: This is an optional entry. If used, make this value unique to this role.

Description: This should clearly state the intent of this role. This entry populates the gcos field in the /etc/passwd file.

Role ID Number: This number, like the UID in user accounts, numerically identifies the role to the system.

Role Shell: These shells allow the pfexec command to execute specified commands with predefined process attributes, such as a specific user or group IDs.


4. Click Next to continue.

The Add Administrative Role – Step 2 window appears, as shown in Figure 10-39.

Figure 10-39 Add Administrative Role – Step 2 Window

The role password follows the same characteristics as a regular user account password. A password must consist of between 6 and 15 characters (case-sensitive letters, numbers, and special characters). Only the first 6 characters are used during authentication, but 15 are available for those users who want longer passwords.

5. Enter and confirm the password.

6. Click Next to continue.


7. To build the administrative rights for this role, click the Package Administrator rights profile in the left column, as shown in the Add Administrative Role – Step 3 window in Figure 10-40.

Figure 10-40 Add Administrative Role – Step 3 Window

8. Click Add.

The rights are added to the Granted Rights in the right column.

Note – The help that is available on this screen is derived from the help files that are indicated in the Right Properties: Package Administration window.

9. Click Next to continue.


The Add Administrative Role – Step 4 window enables you to define the server and directory locations for the administrative role’s home directory, as shown in Figure 10-41.

Figure 10-41 Add Administrative Role – Step 4 Window

10. Click Next to accept the default values, which creates a home directory based on the role name.


In Add Administrative Role – Step 5 window, you can provide access for this administrative role to a specific list of users, as shown in Figure 10-42. These are the users that will be allowed to assume this role with the su command.

Figure 10-42 Add Administrative Role Window – Assign Users

11. Perform one of the following steps:

• To add a user, enter a valid user name, and click Add.

• To delete a user, click on the user’s name in the lower box, and click Delete.

12. Click Next to continue.


13. Check each field in the Add Administrative Role – Review window for inadvertent errors. If you discover any errors, step back through the windows to correct them, and then step forward again to this confirmation window, as shown in Figure 10-43.

Figure 10-43 Add Administrative Role Window – Review

14. When you are satisfied with the field inputs, click Finish to complete building the new role account.


The new role is listed in the View pane of the Solaris Management Console, as shown in Figure 10-44. Subsequent role modifications can be made by double-clicking the role entry, stepping through the modification windows, and making the appropriate corrections.

Figure 10-44 Solaris Management Console – Administrative Role Window

To test the role, perform the following steps:

1. Log in as user1.

# telnet sys44

Trying 127.0.0.1...

Connected to sys44.

Escape character is ’^]’.

login: user1

Password:

Sun Microsystems Inc. SunOS 5.10 s10_68 Sep. 20, 2004

2. Execute a few commands to verify the login.

$ who
root console Oct 28 13:45 (:0)
root pts/6 Oct 22 14:49 (:0.0)
user1 pts/7 Oct 22 15:47 (sys44)

$ id

uid=4001(user1) gid=10(staff)

$ ls

$ ls -a

. .. .cshrc .login .profile


3. Remove the SUNWpppg package using the pkgrm (package removal) command.

$ /usr/sbin/pkgrm SUNWpppg

pkgrm: ERROR: You must be "root" for pkgrm to execute properly.

4. To remove a software package requires root permissions. You must give user1 access to the pkguser role account that has these specific rights.

$ su - pkguser

Password:

5. Verify that you have switched to the role account.

$ /usr/ucb/whoami

pkguser

$ id

uid=5001(pkguser) gid=14(sysadmin)

$ echo $SHELL

/bin/pfsh

$

6. Perform the pkgrm command using the pkguser role account.

$ /usr/sbin/pkgrm SUNWpppg

The following package is currently installed:

SUNWpppg GNU utilities for PPP

(sparc) 11.9.0,REV=2002.02.12.18.33

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <SUNWpppg>

## Verifying package dependencies.

## Processing package information.

## Removing pathnames in class <none>

/usr/share/man/man1m <shared pathname not removed>

/usr/share/man <shared pathname not removed>

/usr/share <shared pathname not removed>

/usr/lib/inet/ppp/passprompt.so

/usr/lib/inet/ppp/minconn.so

/usr/lib/inet/ppp <shared pathname not removed>

/usr/lib/inet <shared pathname not removed>

/usr/lib <shared pathname not removed>

/usr/bin/pppdump

/usr/bin <shared pathname not removed>

/usr <shared pathname not removed>

## Updating system information.


Removal of <SUNWpppg> was successful.

$

Note – One final test of role account access is to perform a privileged command that the role cannot perform.

7. Execute the date command.

$ date

Fri Oct 22 16:02:57 BST 2004

8. Change the system time using the date command.

$ date

Fri Oct 22 16:02:57 BST 2004

$ date 10221600

date: Not owner

usage: date [-u] mmddHHMM[[cc]yy][.SS]
       date [-u] [+format]
       date -a [-]sss[.fff]

In summary, you built a regular user account named user1. This account has access to perform regular user commands. However, when it is necessary to perform a software package removal that requires root access, user1 must switch to a role that is configured with the required execution profile.

In the role of pkguser and using the Package Administrator rights profile, user1 acquires the rights to remove a software package. However, it is the pkguser role that has the rights to remove the software package.

This pkguser role is not configured with full superuser access. Therefore, when you attempt to change the system date using this role, you are unsuccessful. The inability to access all superuser commands demonstrates the advantage of using RBAC instead of granting this access through the superuser. You can configure each administrator to perform only those tasks required in their job, and access to other tasks can remain secure.


Performing the Exercises

You have the option to complete any one of three versions of a lab. To decide which to choose, consult the following descriptions of the levels:

• Level 1 – This version of the lab provides the least amount of guidance. Each bulleted paragraph provides a task description, but you must determine your own way of accomplishing each task.

• Level 2 – This version of the lab provides more guidance. Although each step describes what you should do, you must determine which commands (and options) to input.

• Level 3 – This version of the lab is the easiest to accomplish because each step provides exactly what you should input to the system. This level also includes the task solutions for all three levels.


Exercise: Configuring RBAC (Level 1)

In this exercise, you configure RBAC by using the command line in the first task and by using the Solaris Management Console in the second task.

Preparation

During the lab, you are directed to execute commands that do not work to demonstrate how the RBAC facility must be used by logged in users.

Discuss how to use the auths, profiles, and roles RBAC commands to determine user privileges.

Task Summary

Perform the following tasks:

• Using the command-line tools, create a role that can shut down the system, and create a user named user9. Assign the role to user9 to enable user9 to shut down the system.

• Using the Solaris Management Console, create a user named user11, and create a role called tarback that can back up the /etc/shadow file; make the tarback role accessible to user11.

If you have any problems that you cannot fix, see your instructor.


Exercise: Configuring RBAC (Level 2)

In this exercise, you configure RBAC by using the command line in the first task and by using the Solaris Management Console in the second task.

Preparation

During the lab, you are directed to execute commands that do not work to demonstrate how the RBAC facility must be used by logged in users.

Discuss how to use the auths, profiles, and roles RBAC commands to determine user privileges.

Task Summary

Perform the following tasks:

• Using the command-line tools, create a role that can shut down the system, and create a user named user9. Assign the role to user9 to enable user9 to shut down the system.

• Using the Solaris Management Console, create a user named user11, and create a role called tarback that can back up the /etc/shadow file; make the tarback role accessible to user11.

If you have any problems that you cannot fix, see your instructor.

Tasks

Perform the following tasks.

Task 1 – Creating a User and a Role Using the Command-Line Tools

Complete the following steps:

1. Create a role named sdown. Give it a user ID of 5000 and a group ID of 10.

2. Create the profile named Shut.


3. Add the profile to the role.

4. Verify that the role is included in the /etc/user_attr file.

5. Create a user named user9 and assign it access to the sdown role. Give this user a user ID of 4009 and a group ID of 10.

6. Check the roles attributes for user9.

_____________________________________________________________

7. Assign the shutdown command to the profile.

8. Use the su command to test the configuration as user9.

9. As user9, shut down the system.

What is the result of this shutdown attempt? Why?

_____________________________________________________________

10. Execute the profiles command to determine which RBAC profiles are associated with user9.

11. Execute the roles command to determine which RBAC roles are associated with user9.

12. Assume the role sdown.

13. Shut down the system by using the init command.

What is the result of this shutdown attempt? Why?

_____________________________________________________________

_____________________________________________________________

14. List the commands that the sdown profile can execute.

_____________________________________________________________

_____________________________________________________________

15. Shut down the system using the shutdown command.

What is the result of this shutdown attempt? Why?

_____________________________________________________________

16. Log out of the sdown role.

_____________________________________________________________

17. Log out as user9.

_____________________________________________________________


Task 2 – Creating a User and a Role Using the Solaris Management Console

Complete the following steps:

1. Create a new user account with the following specifications:

• Name: user11
• User ID number: next available
• Password: Set it now to user11
• Group ID number: Use the default
• Home directory: /export/home/user11 (just enter /export/home in the Solaris Management Console)
• Mailbox: /var/mail/user11 (on this system)

2. Confirm user attributes by double-clicking the user11 entry and stepping through the attribute windows.

3. From the command line, check for user11 in the /etc/passwd file.

Why does user11 appear in the /etc/passwd file, but not in the /etc/user_attr file?

_____________________________________________________________

4. Create an administrative role named tarback with the following specifications:

• Name: tarback
• Role ID number: Next available
• Role shell: Any of the administrator shells
• Password: abc123
• Rights: As appropriate

Note – A backup administrator must perform all backups of the media as well as any necessary restores.

• Home directory: /export/home/tarback
• Assign users: user11

5. Confirm role attributes by double-clicking the tarback entry and stepping through the attribute windows.


6. From the command line, check for user and role creation.

Why does user11 now appear in the /etc/user_attr file?

_____________________________________________________________

Does the tarback role appear in both the /etc/passwd file and the /etc/user_attr file?

_____________________________________________________________

7. To test the role, log in as user11.

8. Execute several commands to verify that the account is functional.

9. Execute the tar command to back up the .profile file.

Can you back up this file?

10. Execute the tar command to back up the /etc/shadow file.

Can you back up this file?

11. Switch to the tarback role.

12. Execute several commands to verify that the account is functional.

13. Execute the tar command to back up the /etc/shadow file.

Can you back up this file?

_____________________________________________________________

What is the difference, if any, between executing the tar command as user11 and executing the tar command after assuming the tarback role?

_____________________________________________________________

14. List the RBAC commands that can be executed using the tarback role.

15. Exit from SMC.


Exercise: Configuring RBAC (Level 3)

In this exercise, you configure RBAC by using the command line in the first task and by using the Solaris Management Console in the second task.

Preparation

During the lab, you are directed to execute commands that do not work to demonstrate how the RBAC facility must be used by logged in users.

Discuss how to use the auths, profiles, and roles RBAC commands to determine user privileges.

Task Summary

Perform the following tasks:

• Using the command-line tools, create a role that can shut down the system, and create a user named user9. Assign the role to user9 to enable user9 to shut down the system.

• Using the Solaris Management Console, create a user named user11, and create a role called tarback that can back up the /etc/shadow file; make the tarback role accessible to user11.

If you have any problems that you cannot fix, see your instructor.


Tasks and Solutions

The following section describes the tasks you must perform, along with the solutions to these tasks.

Task 1 – Creating a User and a Role Using the Command-line Tools

Complete the following steps:

1. Create a role named sdown. Give it a user ID of 5000 and a group ID of 10.

# roleadd -u 5000 -g 10 -m -d /export/home/sdown sdown

# passwd sdown

2. Create the profile named Shut by adding a line to the prof_attr file.

# vi /etc/security/prof_attr

(output omitted for brevity)

Shut:::Able to shutdown the system:

3. Add the profile to the role.

# rolemod -P Shut sdown

4. Verify that the role is included in the /etc/user_attr file.

# more /etc/user_attr

5. Create a user named user9 and assign it access to the sdown role. Give this user a user ID of 4009 and a group ID of 10.

# useradd -u 4009 -g 10 -m -d /export/home/user9 -s /bin/ksh \
-R sdown user9

# passwd user9

6. Check the roles attributes for user9.

# grep user9 /etc/user_attr

7. Assign the shutdown command to the profile.

# vi /etc/security/exec_attr

Shut:suser:cmd:::/usr/sbin/shutdown:uid=0

8. Use the su command to test the configuration as user9.

# su user9


9. As user9, without assuming the new role, shut down the system.

$ /usr/sbin/shutdown -i 6 -g 0

/usr/sbin/shutdown: Only root can run /usr/sbin/shutdown

What is the result of this shutdown attempt, and why?

This shutdown attempt fails because user9 has not assumed the sdown role yet, and as a regular user, does not have the rights profile to execute the shutdown command.

10. Execute the profiles command to determine which RBAC profiles are associated with user9.

$ profiles

Basic Solaris User

All

11. Execute the roles command to determine which RBAC roles are associated with user9.

$ roles

sdown

12. Assume the role sdown.

$ su sdown

Password:

$

13. Shut down the system by using the init command.

$ /usr/sbin/init 0

Insufficient privileges.

Depending on the user's preferred shell, the message may also be "Must be super-user".

What is the result of this shutdown attempt? Why?

This shutdown attempt fails because, even after assuming the sdown role, user9 does not have the execution attribute to execute the init command. Depending on the user's preferred shell, the message may also be "Must be super-user".

14. List the commands that the sdown profile can execute.

$ profiles -l

Shut:

/usr/sbin/shutdown uid=0

All:

*


15. Shut down the system using the shutdown command.

$ /usr/sbin/shutdown -i 6 -g 0

Shutdown started. Fri Oct 22 16:15:28 BST 2004

Do you want to continue? (y or n): n

What is the result of this shutdown attempt? Why?

This command succeeds because the sdown role has execute permission when issuing the shutdown command.

16. Log out of the sdown role.

$ <Control-D>

17. Log out as user9.

$ <Control-D>
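The lookup that steps 9 through 15 of Task 1 exercise by hand, as an added example that is not part of the student guide: it parses user_attr and exec_attr text and reports which profile entry a command matches once a user assumes a role. The sdown and user9 user_attr lines and the All entry are constructed in the formats the lab shows; the function names and the trailing All default (taken from the profiles -l output above) are assumptions of this example.

```python
# Added example: offline resolver for Solaris RBAC databases (not Sun's code).

# Constructed sample entries in the user_attr and exec_attr formats used in the lab.
USER_ATTR = """\
sdown::::type=role;profiles=Shut
user9::::type=normal;roles=sdown
"""
EXEC_ATTR = """\
Shut:suser:cmd:::/usr/sbin/shutdown:uid=0
All:suser:cmd:::*:
"""


def _records(text, nfields):
    """Yield colon-separated records, skipping blank lines and comments."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", nfields - 1)
        if len(fields) != nfields:
            raise ValueError(f"line {lineno}: expected {nfields} fields: {line!r}")
        yield fields


def _attrs(text):
    """'type=role;profiles=Shut' -> {'type': 'role', 'profiles': 'Shut'}"""
    return dict(pair.split("=", 1) for pair in text.split(";") if "=" in pair)


def _listed(value):
    """Split a comma-separated attribute value into a clean list."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_user_attr(text):
    """Map account -> attributes (record layout user:qualifier:res1:res2:attr)."""
    return {f[0]: _attrs(f[4]) for f in _records(text, 5)}


def parse_exec_attr(text):
    """List (profile, path, attrs) for cmd entries (name:policy:type:res1:res2:id:attr)."""
    return [(f[0], f[5], _attrs(f[6])) for f in _records(text, 7) if f[2] == "cmd"]


def path_matches(pattern, command):
    """id field: an exact path, '*' for any command, or 'dir/*' for one directory."""
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        return command.rsplit("/", 1)[0] == pattern[:-2]
    return pattern == command


def resolve(command, account, users, execs, defaults=("All",)):
    """Return (profile, attrs) from the first listed profile that matches, else None.

    Profiles are searched in the order listed for the account; `defaults`
    (an assumption of this example) are appended last.
    """
    profiles = _listed(users.get(account, {}).get("profiles", ""))
    profiles += [p for p in defaults if p not in profiles]
    for profile in profiles:
        for name, path, attrs in execs:
            if name == profile and path_matches(path, command):
                return profile, attrs
    return None


def assumable_roles(user, users):
    """Roles named in the user's roles= list; reject targets that are not type=role."""
    roles = _listed(users.get(user, {}).get("roles", ""))
    bad = [r for r in roles if users.get(r, {}).get("type") != "role"]
    if bad:
        raise ValueError(f"{user} lists non-role accounts in roles=: {bad}")
    return roles


def elevated(hit):
    """True when the matching entry sets uid or euid to 0."""
    return hit is not None and "0" in (hit[1].get("uid"), hit[1].get("euid"))


def audit(user, commands, users, execs):
    """{(role, command): (profile, attrs, elevated) or None} per assumable role."""
    report = {}
    for role in assumable_roles(user, users):
        for command in commands:
            hit = resolve(command, role, users, execs)
            report[(role, command)] = hit + (elevated(hit),) if hit else None
    return report


if __name__ == "__main__":
    users, execs = parse_user_attr(USER_ATTR), parse_exec_attr(EXEC_ATTR)
    wanted = ["/usr/sbin/shutdown", "/usr/sbin/init"]
    for key, result in audit("user9", wanted, users, execs).items():
        print(key, result)
```

In the sdown role, shutdown matches the Shut entry and runs with uid=0, while init falls through to the attribute-free All entry and so runs with the role's own IDs, which is why step 13 fails and step 15 succeeds.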

Task 2 – Creating a User and a Role Using the Solaris Management Console

Complete the following steps:

1. Create a new user account with the following specifications:

Use the Add User Wizard in the Solaris Management Console.

• Name: user11
• Comment: user11 account
• User ID number: Accept Defaults
• Password: Set it now to user11
• Group ID number: Use the default
• Home directory: /export/home/user11 (just enter /export/home in the Solaris Management Console)
• Mailbox: /var/mail/user11 (on this system)

2. Confirm user attributes by double-clicking the user11 entry and stepping through the attribute tabs.


3. From the command line, check for user11 in the /etc/passwd file.

# grep user11 /etc/passwd

user11:x:4011:10:user for tarback role:/home/user11:/bin/sh

# grep user11 /etc/user_attr

#

Why does user11 appear in the /etc/passwd file, but not in the /etc/user_attr file?

When a user account is created, a record of the user appears in the /etc/passwd file and the /etc/shadow file. The user record does not appear in the /etc/user_attr file until the user has been associated with a role.

4. Create an administrative role named tarback with the following specifications:

Use the Add Administrative Role wizard in the Solaris Management Console.

• Name: tarback
• Role ID number: Next available
• Role shell: Any of the administrator shells
• Password: abc123
• Rights: Choose appropriate rights to include:

The appropriate rights include Media Backup and Media Restore.

Note – A backup administrator must perform all backups of the media as well as any necessary restores.

• Home directory: /export/home/tarback (Enter /export/home in the Solaris Management Console)
• Assign users: user11

5. Confirm role attributes by double-clicking the tarback entry and stepping through the attribute tabs.


6. From the command line, check for user and role creation.

# grep user11 /etc/user_attr

user11::::roles=tarback;type=normal

# grep tarback /etc/passwd

tarback:x:100:14:can tar the shadow file:/home/tarback:/bin/pfksh

# grep tarback /etc/user_attr

tarback::::profiles=Media Backup,Media Restore;type=role

user11::::roles=tarback;type=normal

Why does user11 now appear in the /etc/user_attr file?

After associating user11 with the tarback role, an entry that records this relationship should appear in the /etc/user_attr file.

Does the tarback role appear in both the /etc/passwd file and the /etc/user_attr file?

Because it is a role, tarback appears in both locations.

7. To test the role, log in as user11.

$ telnet localhost

Trying ...

Connected to localhost.

Escape character is ’^]’.

login: user11

Password:

Last login: Thu May 2 14:56:46 from sys44

Sun Microsystems Inc. SunOS 5.10 s10_68 Sep. 20, 2004

8. Execute several commands to verify that the account is functional.

$ id -a

uid=4011(user11) gid=10(staff) groups=10(staff)

$ pwd

/home/user11

9. Execute the tar command to back up the .profile file.

$ tar cvf .profile.tar .profile

a .profile 1K

Can you back up this file?

The .profile file can be backed up.

10. Execute the tar command to back up the /etc/shadow file.

$ tar cvf /etc/shadow.tar /etc/shadow

tar: /etc/shadow.tar: Permission denied

Can you back up this file?

The /etc/shadow file cannot be backed up by a regular user.


11. Switch to the tarback role.

$ su - tarback

Password: abc123

$

12. Execute several commands to verify that the account is functional.

$ id -a

uid=100(tarback) gid=14(sysadmin) groups=14(sysadmin)

$ pwd

/home/tarback

13. Execute the tar command to back up the /etc/shadow file.

$ tar cvf /etc/shadow.tar /etc/shadow

a /etc/shadow 1K

Can you back up this file?

Yes.

What is the difference, if any, between executing the tar command as user11 and executing the tar command after assuming the tarback role?

The tarback role has the System Administrator rights for media backup and media restore. These rights enable any user that assumes the tarback role to back up or restore any file.

14. List the RBAC commands that can be executed using the tarback role.

$ profiles -l

Media Backup:

/usr/bin/mt euid=0

/usr/lib/fs/ufs/ufsdump euid=0, gid=sys

/usr/sbin/tar euid=0

Media Restore:

/usr/bin/cpio euid=0

/usr/bin/mt euid=0

/usr/lib/fs/ufs/ufsrestore euid=0

/usr/sbin/tar euid=0

All:

*

15. Exit from SMC.
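The lab shows that assuming tarback lets user11 read /etc/shadow through tar running with euid=0. The following added example (not part of the original guide) audits that chain by joining the /etc/user_attr entries from step 6 with the profiles -l output from step 14; the function names are illustrative and the sample data is copied from the lab output.

```python
# Constructed sample: the two /etc/user_attr entries shown in step 6.
USER_ATTR = """\
user11::::roles=tarback;type=normal
tarback::::profiles=Media Backup,Media Restore;type=role
"""

# Constructed sample: the `profiles -l` output from step 14, run as tarback.
PROFILES_L = """\
Media Backup:
/usr/bin/mt euid=0
/usr/lib/fs/ufs/ufsdump euid=0, gid=sys
/usr/sbin/tar euid=0
Media Restore:
/usr/bin/cpio euid=0
/usr/bin/mt euid=0
/usr/lib/fs/ufs/ufsrestore euid=0
/usr/sbin/tar euid=0
All:
*
"""


def parse_user_attr(text):
    """Return {name: {key: [values]}} from user_attr-style lines.

    Each entry has five colon-separated fields; the last one holds
    semicolon-separated key=value pairs with comma-separated values.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) != 5:
            continue  # malformed entry, ignore it
        attrs = {}
        for pair in fields[4].split(";"):
            key, sep, value = pair.partition("=")
            if sep:
                attrs[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
        entries[fields[0]] = attrs
    return entries


def parse_profiles_listing(text):
    """Return {profile: [(command, {attr: value})]} from `profiles -l` output."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # "Media Backup:" starts a new profile
            current = line[:-1]
            profiles[current] = []
        elif current is not None:       # "/usr/sbin/tar euid=0"
            command, _, rest = line.partition(" ")
            attrs = {}
            for pair in rest.split(","):
                key, sep, value = pair.partition("=")
                if sep:
                    attrs[key.strip()] = value.strip()
            profiles[current].append((command, attrs))
    return profiles


def root_commands_by_user(user_attr, role_listings):
    """Map each normal user to the (role, command) pairs that run as uid/euid 0.

    role_listings is {role: parsed `profiles -l` output for that role}.
    """
    result = {}
    for name, attrs in user_attr.items():
        if attrs.get("type", ["normal"])[0] == "role":
            continue
        reachable = set()
        for role in attrs.get("roles", []):
            granted = user_attr.get(role, {}).get("profiles", [])
            listing = role_listings.get(role, {})
            for profile in granted:
                for command, cmd_attrs in listing.get(profile, []):
                    if "0" in (cmd_attrs.get("euid"), cmd_attrs.get("uid")):
                        reachable.add((role, command))
        if reachable:
            result[name] = sorted(reachable)
    return result


if __name__ == "__main__":
    entries = parse_user_attr(USER_ATTR)
    listings = {"tarback": parse_profiles_listing(PROFILES_L)}
    for user, items in root_commands_by_user(entries, listings).items():
        for role, command in items:
            print(f"{user} -> role {role} -> {command} runs with euid=0")
```

Any command listed with euid=0 can read files the calling user cannot, so the report is the set of users who can reach /etc/shadow by assuming a role.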


Exercise Summary

Discussion – Take a few minutes to discuss the experiences, issues, or discoveries that you had during the lab exercises.

- Experiences
- Interpretations
- Conclusions
- Applications


Module 11

Configuring System Messaging

Objectives

The syslog system messaging facility manages the system logs. You can manually generate log messages by using the logger command. The Solaris Management Console allows the graphical viewing of logs including SMC activity. Regardless of the type of information you want to record, a messaging feature exists to record it.

Upon completion of this module, you should be able to:

- Describe the fundamentals of the syslog function
- Configure the /etc/syslog.conf file
- Configure syslog messaging
- Use the Solaris Management Console log viewer

The course map in Figure 11-1 shows how this module fits into the current instructional goal.

Figure 11-1 Course Map (Control System Access and Configure System Messaging: Configure Role-Based Access Control (RBAC); Configure System Messaging)


Introducing the syslog Function

The syslog function, the syslogd daemon, and input from the /etc/syslog.conf file work together to facilitate system messaging for the Solaris 10 OS.

The syslog Concept

The syslog function sends messages generated by the kernel and system utilities and applications to the syslogd daemon, as shown in Figure 11-2. With the syslog function you can control message logging, depending on the configuration of the /etc/syslog.conf file. The daemon can:

- Write messages to a system log
- Forward messages to a centralized log host
- Forward messages to a list of users
- Write messages to the system console

Figure 11-2 The syslog Structure (diagram labels: kernel, daemon, user processes, and the logger command send messages to the syslogd daemon; m4 reads /etc/syslog.conf; destinations are log file, console, user, and central log host)


The /etc/syslog.conf File

A configuration entry in the /etc/syslog.conf file consists of two tab-separated fields: selector and action.

The selector field has two components, a facility and a level, written as facility.level. Facilities represent categories of system processes that can generate messages. Levels represent the severity or importance of the message.

The action field determines where to send the message.

For example, when you place the following entry in the /etc/syslog.conf file, error messages for all facilities are sent to the /var/adm/messages file:

*.err	/var/adm/messages

where:

*.err               Is the selector field. The asterisk (*) is the facility, and the dot (.) is the delimiter. The err field is the level of the message.
/var/adm/messages   Is the action field.

Caution – Only use tabs as white space in the /etc/syslog.conf file.

The Solaris OS accesses the /usr/include/sys/syslog.h file to determine the correct facility.level sequencing order.


Selector Field

The selector field is a semicolon-separated list of priority specifications in the following format:

facility.level;facility.level

In the selector field syntax, facility is a system facility. Table 11-1 shows values that the selector field (facility) can contain.

Table 11-1 Selector Field (facility) Options

Field      Description
kern       Messages generated by the kernel.
user       Messages generated by user processes. This file does not list the default priority for messages from programs or facilities.
mail       The mail system.
daemon     System daemons, such as the in.ftpd and the telnetd daemons.
auth       The authorization system, including the login, su, and ttymon commands.
syslog     Messages generated internally by the syslogd daemon.
lpr        The line printer spooling system, such as the lpr and lpc commands.
news       Files reserved for the USENET network news system.
uucp       The UNIX-to-UNIX copy (UUCP) system does not use the syslog function.
cron       The cron and at facilities, including crontab, at, and cron.
local0-7   Fields reserved for local use.
mark       The time when the message was last saved. The messages are produced internally by the syslogd daemon.
*          All facilities, except the mark facility.


Note – You can use the asterisk (*) to select all facilities (for example, *.err); however, you cannot use * to select all levels of a facility (for example, kern.*).

In the selector field syntax, level is the severity or importance of the message. Each level includes all the levels above (of a higher severity). Table 11-2 shows the levels in descending order of severity.

Note – Not all levels of severity are implemented for all facilities in the same way. For more information, refer to the online manual pages.

Table 11-2 Selector Field (level) Options

Level     Priority   Description
emerg     0          Panic conditions that are normally broadcast to all users
alert     1          Conditions that should be corrected immediately, such as a corrupted system database
crit      2          Warnings about critical conditions, such as hard device errors
err       3          Errors other than hard device errors
warning   4          Warning messages
notice    5          Non-error conditions that might require special handling
info      6          Informational messages
debug     7          Messages that are normally used only when debugging a program
none      8          Messages are not sent from the indicated facility to the selected file


Action Field

The action field defines where to forward the message. This field can have any one of the following entries:

/pathname      Full path name to the targeted file.
@host          The @ sign denotes that messages must be forwarded to a remote host. Messages are forwarded to the syslogd daemon on the remote host.
user1, user2   The user1 and user2 entries receive messages if they are logged in.
*              All logged in users receive messages.

Note – You must manually create the /pathname full path and file name if it does not already exist.


Entries in the /etc/syslog.conf File

The standard /etc/syslog.conf configuration file is:

#ident "@(#)syslog.conf 1.5 98/12/14 SMI" /* SunOS 5.0 */
#
# Copyright (c) 1991-1998 by Sun Microsystems, Inc.
# All rights reserved.
#
# The syslog configuration file.
#
# This file is processed by m4 so be careful to quote (" ") names
# that match m4 reserved words. Also, within ifdef's, arguments
# containing commas must be quoted.
#
*.err;kern.notice;auth.notice	/dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit	/var/adm/messages
*.alert;kern.err;daemon.err	operator
*.alert	root
*.emerg	*
# If a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
#auth.notice	ifdef(`LOGHOST', /var/log/authlog, @loghost)
mail.debug	ifdef(`LOGHOST', /var/log/syslog, @loghost)
#
# Non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST',,
user.err	/dev/sysmsg
user.err	/var/adm/messages
user.alert	`root, operator'
user.emerg	*
)


The syslogd Daemon and the m4 Macro Processor

Figure 11-3 shows how the syslogd daemon, the m4 macro processor, and the /etc/syslog.conf file interact in conceptual phases to determine the correct message routing.

Process

These conceptual phases are described as:

1. The syslogd daemon runs the m4 macro processor.

2. The m4 processor reads the /etc/syslog.conf file, processes any m4 statements in the input, and passes the output to the syslogd daemon.

3. The syslogd daemon uses the configuration information output by the m4 processor to route messages to the appropriate places.

Figure 11-3 The m4 Macro Processor (diagram labels: syslog.conf, m4, selector field, action field, syslogd)


The syslogd daemon does not read the /etc/syslog.conf file directly. The syslogd daemon obtains its information as follows:

1. The syslogd daemon starts the m4 processor, which parses the /etc/syslog.conf file for m4 commands that it can interpret.

2. If the m4 processor does not recognize any m4 commands on a line, it passes the output back to the syslogd daemon as a two-column output.

3. The syslogd daemon then uses the two-column output to route messages to the appropriate destination.

If the m4 processor encounters an ifdef statement within the /etc/syslog.conf file, the ifdef statement is evaluated for a True or False condition. The message routing then occurs relative to the output of the test.

Operation Phase 1

In the following examples, the syslogd daemon is running on the host1 system. This section contains two examples of the host1 system's /etc/hosts file.

These /etc/hosts file examples are excerpts of the /etc/hosts file.

Example A /etc/hosts:

192.9.200.1 host1 loghost

192.9.200.2 host2

Example B /etc/hosts:

192.9.200.1 host1

192.9.200.2 host2 loghost

When the syslogd daemon starts at system boot, the syslogd daemon evaluates the /etc/hosts file, and checks the Internet Protocol (IP) address associated with the hostname as compared to the IP address associated with loghost.

In Example A, host1 and loghost are both associated with IP address 192.9.200.1. Therefore, the syslogd daemon runs the first command line: /usr/ccs/bin/m4 -D LOGHOST, causing the m4 LOGHOST variable to be defined as TRUE during the parsing of the /etc/syslog.conf file.


In Example B, host1 is associated with IP address 192.9.200.1, while host2 and loghost are both associated with IP address 192.9.200.2. In this example, the syslogd daemon runs the second command line, /usr/ccs/bin/m4 (no -D LOGHOST), causing the m4 LOGHOST variable to be undefined during the parsing of the /etc/syslog.conf file.

Operation Phase 2

In phase 2, the m4 macro processor parses the /etc/syslog.conf file. For each line that is parsed, the m4 processor searches the line for m4 statements, such as an ifdef statement. If no ifdef statement is encountered on the line, the m4 processor passes the line to the syslogd daemon.

If the m4 processor finds a line with an ifdef statement, the line is evaluated as follows:

- The ifdef(`LOGHOST', truefield, falsefield) command checks to see if the variable LOGHOST is defined.
- If the variable LOGHOST is defined, the entries from the truefield field are used; otherwise, entries from the falsefield field are used.

For example:

mail.debug	ifdef(`LOGHOST', /var/log/syslog, @loghost)

If the LOGHOST variable is defined in phase 1, then the m4 processor returns:

mail.debug	/var/log/syslog

If the LOGHOST variable was evaluated as FALSE in phase 1, then the m4 processor returns:

mail.debug	@loghost

In either case, the output has an entry in the selector field and an entry in the action field. The m4 processor then passes the output to the syslogd daemon.


Operation Phase 3

For each line parsed in the /etc/syslog.conf file from phase 2, the m4 processor produces output in a two-column field: a selector field and an action field. The output is sent to the syslogd daemon, which uses the information to route messages to their appropriate destinations. After the information is configured, the syslogd daemon continues to run with this configuration.
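The three phases can be modelled offline to see which host ends up holding a given log. The following added example (not from the original guide, and not how syslogd or m4 are implemented) decides LOGHOST from an /etc/hosts excerpt and expands the one-line ifdef form; the function names are illustrative, the inputs are the Example A and Example B excerpts, and the multi-line ifdef block of the stock file is not handled.

```python
import re

# Constructed inputs: the two /etc/hosts excerpts (Example A and Example B)
# and three syslog.conf lines from the stock file, with m4 quotes (` and ').
HOSTS_A = "192.9.200.1 host1 loghost\n192.9.200.2 host2\n"
HOSTS_B = "192.9.200.1 host1\n192.9.200.2 host2 loghost\n"
SAMPLE_CONF = (
    "*.err;kern.notice;auth.notice\t/dev/sysmsg\n"
    "#auth.notice\tifdef(`LOGHOST', /var/log/authlog, @loghost)\n"
    "mail.debug\tifdef(`LOGHOST', /var/log/syslog, @loghost)\n"
)

# One-line form only: ifdef(`LOGHOST', truefield, falsefield)
IFDEF_RE = re.compile(r"ifdef\(`LOGHOST',\s*([^,()]*),\s*([^,()]*)\)")


def address_of(hosts_text, name):
    """Return the IP address of the first hosts entry that lists name."""
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and name in fields[1:]:
            return fields[0]
    return None


def loghost_defined(hosts_text, hostname):
    """Phase 1: LOGHOST is defined when hostname and loghost share an address."""
    own = address_of(hosts_text, hostname)
    return own is not None and own == address_of(hosts_text, "loghost")


def expand_line(line, defined):
    """Phase 2: replace ifdef(`LOGHOST', a, b) with a if defined, else b."""
    def pick(match):
        return (match.group(1) if defined else match.group(2)).strip()
    return IFDEF_RE.sub(pick, line)


def effective_rules(conf_text, hosts_text, hostname):
    """Phase 3 input: the (selector, action) pairs handed to syslogd."""
    defined = loghost_defined(hosts_text, hostname)
    rules = []
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments produce no rule
        selector, _, action = expand_line(raw, defined).partition("\t")
        if action.strip():
            rules.append((selector.strip(), action.strip()))
    return rules


if __name__ == "__main__":
    for label, hosts in (("Example A", HOSTS_A), ("Example B", HOSTS_B)):
        print(label, "on host1:")
        for selector, action in effective_rules(SAMPLE_CONF, hosts, "host1"):
            print(f"  {selector}\t{action}")
```

With Example B the mail.debug action on host1 becomes @loghost, so those messages leave the machine and are stored on host2.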


Configuring the /etc/syslog.conf File

The target locations for the syslog message files are defined within the /etc/syslog.conf file. You must restart the syslogd daemon whenever you make any changes to this file.

Message Routing

The following excerpt from the /etc/syslog.conf file shows how various events are logged by the system.

1 *.err;kern.notice;auth.notice /dev/sysmsg

2 *.err;kern.debug;daemon.notice;mail.crit /var/adm/messages

3 *.alert;kern.err;daemon.err operator

4 *.alert root

5 *.emerg *

Note – Within the /etc/syslog.conf file, use a selector level of err to indicate that all events of priority error (and higher) are logged to the target defined in the action field.

In Line 1, every error event (*.err) and all kernel and authorization facility events of level notice, which are not error conditions but might require special handling, will write a message to the /dev/sysmsg file.

In Line 2, every error event (*.err), all kernel facility events of level debug, all daemon facility events of level notice, and all critical level mail events will record a message in the /var/adm/messages file. Therefore, errors are logged to both files.

Line 3 indicates that all alert level events, including the kernel error level and daemon error level events, are sent to the user operator if this user is logged in.

Line 4 indicates that all alert level events are sent to the root user if the root user is logged in.

Line 5 indicates that any event that the system interprets as an emergency will be logged to the terminal of every logged-in user.

To alter the event logging mechanism, edit the /etc/syslog.conf file, and restart the syslogd daemon.
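Before changing the file it helps to check where a given facility.level message will actually be delivered, and which messages are recorded nowhere. The following added example (not from the original guide) evaluates the five-line excerpt above for a message priority. It assumes that a later specification for a facility overrides an earlier one within the same selector, and it rejects lines that are not tab-separated; the function names are illustrative.

```python
# Severity names in descending order of severity (Table 11-2, priorities 0-7).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility names from Table 11-1; "*" expands to all of these except mark.
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
               "news", "uucp", "cron", "mark"]
              + [f"local{n}" for n in range(8)])

# The five-line excerpt, with a tab between the selector and the action.
EXCERPT = (
    "*.err;kern.notice;auth.notice\t/dev/sysmsg\n"
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n"
    "*.alert;kern.err;daemon.err\toperator\n"
    "*.alert\troot\n"
    "*.emerg\t*\n"
)


def parse_rules(text):
    """Return [({facility: threshold level}, action)] for each entry.

    Raises ValueError for an entry that is not tab-separated or that
    names an unknown facility or level (kern.* is rejected this way).
    """
    rules = []
    for number, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        selector, tab, action = raw.partition("\t")
        if not tab or " " in selector or not action.strip():
            raise ValueError(f"line {number}: separate selector and action with tabs")
        thresholds = {}
        for spec in selector.split(";"):
            facility, _, level = spec.partition(".")
            if level != "none" and level not in LEVELS:
                raise ValueError(f"line {number}: unknown level in {spec!r}")
            if facility == "*":
                names = [f for f in FACILITIES if f != "mark"]
            elif facility in FACILITIES:
                names = [facility]
            else:
                raise ValueError(f"line {number}: unknown facility in {spec!r}")
            for name in names:
                thresholds[name] = level  # assumption: later spec overrides
        rules.append((thresholds, action.strip()))
    return rules


def destinations(rules, facility, level):
    """Return the actions that receive a message logged as facility.level."""
    severity = LEVELS.index(level)
    matched = []
    for thresholds, action in rules:
        limit = thresholds.get(facility)
        if limit is None or limit == "none":
            continue
        # A level selects itself and every level of higher severity.
        if severity <= LEVELS.index(limit):
            matched.append(action)
    return matched


if __name__ == "__main__":
    rules = parse_rules(EXCERPT)
    for priority in ("daemon.notice", "auth.notice", "user.notice", "kern.alert"):
        facility, level = priority.split(".")
        print(priority, "->", destinations(rules, facility, level) or "not logged")
```

With this excerpt a user.notice message matches no entry, so it is recorded nowhere, while daemon.notice reaches only /var/adm/messages.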


Stopping and Starting the syslogd Daemon

The syslogd daemon can be started automatically during boot or manually from the command line.

Starting the syslogd Daemon During Boot Operation

The /lib/svc/method/system-log file starts the syslogd process during each system boot.

The /etc/syslog.conf configuration file is read each time the syslogd daemon starts.

Manually Stopping and Starting the syslogd Daemon

If the configuration file has been modified, you can manually stop or start the syslogd daemon, or send it a refresh command, which causes the daemon to reread the /etc/syslog.conf file.

To stop the syslogd daemon, perform the command:

# svcadm disable svc:/system/system-log:default

To start the syslogd daemon, perform the command:

# svcadm enable svc:/system/system-log:default

To send a refresh to the syslogd daemon, perform the command:

# svcadm refresh svc:/system/system-log:default


Configuring syslog Messaging

The inetd daemon uses the syslog command to record incoming network connection requests made by using Transmission Control Protocol (TCP).

Enabling TCP Tracing

The inetd daemon is the network listener process for many network services. The inetd daemon listens for service requests on the TCP and User Datagram Protocol (UDP) ports associated with each of the services listed in the inetd configuration file. When a request arrives, the inetd daemon executes the server program associated with the service. You can modify the behavior of the inetd daemon to log TCP connections by using the syslogd daemon.

# inetadm -p

NAME=VALUE

bind_addr=""

bind_fail_max=-1

bind_fail_interval=-1

max_con_rate=-1

max_copies=-1

con_rate_offline=-1

failrate_cnt=40

failrate_interval=60

inherit_env=TRUE

tcp_trace=FALSE

tcp_wrappers=FALSE

Tracing for all services is enabled using the following command:

# inetadm -M tcp_trace=TRUE

# inetadm -p

NAME=VALUE

bind_addr=""

bind_fail_max=-1

bind_fail_interval=-1

max_con_rate=-1

max_copies=-1

con_rate_offline=-1

failrate_cnt=40

failrate_interval=60

inherit_env=TRUE

tcp_trace=TRUE

tcp_wrappers=FALSE


Note – The Internet daemon inetd provides services for many network protocols, including the Telnet and File Transfer Protocol (FTP) protocols.

You can enable the trace option for each inetd-managed service to send messages to the syslogd daemon. Use the inetadm command to modify the settings of the service to enable TCP tracing. When you enable the trace option, it uses daemon.notice to log the client's IP address and TCP port number, and the name of the service. To enable tracing TCP connections automatically, each service may have its trace capability enabled separately.

For example, to allow tracing of telnet sessions, the following command is issued:

# inetadm -m telnet tcp_trace=TRUE

# inetadm -l telnet

SCOPE NAME=VALUE

name="telnet"

endpoint_type="stream"

proto="tcp6"

isrpc=FALSE

wait=FALSE

exec="/usr/sbin/in.telnetd"

user="root"

default bind_addr=""

default bind_fail_max=-1

default bind_fail_interval=-1

default max_con_rate=-1

default max_copies=-1

default con_rate_offline=-1

default failrate_cnt=40

default failrate_interval=60

default inherit_env=TRUE

tcp_trace=TRUE

default tcp_wrappers=FALSE

grep inetd /etc/init.d/inetsvc

Note – The change is immediately recognized. There is no requirement to restart any daemon process.

The /etc/syslog.conf file configures the syslogd daemon so that it selectively distributes the messages sent to it from the inetd daemon.

# grep daemon.notice /etc/syslog.conf

*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages


All daemon messages of level notice or higher are sent to the /var/adm/messages file due to the daemon.notice entry in the /etc/syslog.conf file.

Note – The /var/adm/messages file must exist. If it does not exist, create it, and then stop and start the syslogd daemon, or messages will not be written to the file.

Monitoring a syslog File in Real Time

You can monitor the designated syslog file, in the /var/adm directory, in real time using the command tail -f. The tail -f command holds the file open so that you can view messages being written to the file by the syslogd daemon.

Viewing Messages In Real Time

To view messages sent to the /var/adm/messages file, perform the command:

# tail -f /var/adm/messages

Figure 11-4 shows the log entry generated by a telnet request to system host1 from IP address 192.9.200.1 on Port 45800. Table 11-3 lists each field in this figure and its corresponding result.

Figure 11-4 The syslogd Daemon Logged Entry

Jun 14 13:15:39 host1 inetd[2359]: [ID 317013 daemon.notice] telnet[2361] from 192.9.200.1 45800

Table 11-3 The syslogd Logged Entry Description

Number   Field                                  Result
1        Date/time                              Jun 14 13:15:39
2        Local host name                        host1
3        Process name/PID number                inetd[2359]
4        MsgID number/selector facility.level   [ID 317013 daemon.notice]
5        Incoming request                       telnet
6        PPID number                            [2361]
7        IP address                             192.9.200.1
8        Port number                            45800

To exit the /var/adm/messages file, press Control-C.

Note – Should any unusual activity occur, use scripts to automatically parse the log files, and then send the information to support personnel.
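A script of the kind the note suggests can split each tcp_trace entry into the eight fields of Table 11-3 and summarize connections by source. The following added example is not from the original guide: the first sample line is the Figure 11-4 entry, the other lines are constructed in the same layout, and the function names and threshold are illustrative.

```python
import re
from collections import Counter

# Layout of an inetd tcp_trace entry, following the fields of Table 11-3.
TRACE_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"inetd\[(?P<inetd_pid>\d+)\]:\s*\[ID (?P<msgid>\d+) "
    r"(?P<facility>\w+)\.(?P<level>\w+)\] "
    r"(?P<service>[\w-]+)\[(?P<pid>\d+)\] from (?P<addr>\S+) (?P<port>\d+)$"
)

# Constructed sample: line 1 is the Figure 11-4 entry; the remaining lines
# are made up in the same layout, plus one unrelated line that must be skipped.
SAMPLE_LOG = """\
Jun 14 13:15:39 host1 inetd[2359]: [ID 317013 daemon.notice] telnet[2361] from 192.9.200.1 45800
Jun 14 13:15:41 host1 inetd[2359]: [ID 317013 daemon.notice] telnet[2364] from 192.9.200.7 45801
Jun 14 13:15:42 host1 inetd[2359]: [ID 317013 daemon.notice] ftp[2366] from 192.9.200.7 45802
Jun 14 13:15:42 host1 inetd[2359]: [ID 317013 daemon.notice] telnet[2367] from 192.9.200.7 45803
Jun 14 13:16:02 host1 sendmail[512]: [ID 702911 mail.info] unrelated constructed line
"""


def parse_trace_lines(text):
    """Return one dict per tcp_trace entry; other log lines are ignored."""
    records = []
    for line in text.splitlines():
        match = TRACE_RE.match(line.strip())
        if match:
            record = match.groupdict()
            record["port"] = int(record["port"])
            records.append(record)
    return records


def connections_by_source(records):
    """Count connections per (source address, service) pair."""
    counts = Counter()
    for record in records:
        counts[(record["addr"], record["service"])] += 1
    return counts


def busy_sources(records, threshold):
    """Return source addresses with at least threshold traced connections."""
    totals = Counter(record["addr"] for record in records)
    return sorted(addr for addr, count in totals.items() if count >= threshold)


if __name__ == "__main__":
    parsed = parse_trace_lines(SAMPLE_LOG)
    for (addr, service), count in sorted(connections_by_source(parsed).items()):
        print(f"{addr}\t{service}\t{count}")
    print("sources with 3 or more connections:", busy_sources(parsed, 3))
```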


Adding One-Line Entries to a System Log File

The logger command enables you to send messages to the syslogd daemon. A system administrator can write administrative shell scripts that report the status of backups, or other functions by using the logger command.

The syntax of the logger command is:

logger [ -i ] [ -f file ] [ -p priority ] [ -t tag ] [ message ]

where:

-i            Logs the process ID of the logger command with each line
-f file       Uses the contents of file as the message to log (file must exist)
-p priority   Enters the message with the specified priority
-t tag        Marks each line added to the log file with the specified tag
message       Concatenates the string arguments of the message in the order specified, separated by single-space characters

You can specify the message priority as a facility.level pair. For example, -p local3.info assigns the message priority of the info level in the local3 facility. The default priority is user.notice.

Therefore, the following example logs the message System rebooted to the syslogd daemon, using the default priority level notice and the facility user:

# logger System rebooted

If the user.notice selector field is configured in the /etc/syslog.conf file, the message is logged to the file designated for the user.notice selector field. If the user.notice selector field is not configured in the /etc/syslog.conf file, you can either add the user.notice selector field to the /etc/syslog.conf file, or you can prioritize the output as follows:

# logger -p user.err System rebooted


Changing the priority of the message to user.err routes the message to the /var/adm/messages file as indicated in the /etc/syslog.conf file.

A message priority can also be specified numerically. For example, logger -i -p 2 "crit" creates an entry in the message log that identifies the user.crit facility.level pair as follows:

Nov 3 09:49:34 hostname root[2838]: [ID 702911 user.crit] crit


Using the Solaris Management Console Log Viewer

You can use the Solaris Management Console Log Viewer application to view syslog message files. You can also use this application to view and capture information from the Management Tool logs.

Opening the Solaris Management Console Log Viewer

To open the viewer, perform the following steps:

1. Use the smc command to open the Solaris Management Console:

# smc &

The Solaris Management Console application launches.

2. Select This Computer (hostname).

3. Select System Status.

4. Select Log Viewer.

The initial Log Viewer is displayed, as shown in Figure 11-5.

Figure 11-5 Solaris Management Console – Log Viewer

The initial Log Viewer display lists Management Tools log entries from the /var/sadm/wbem/log directory.


Viewing a syslog Message File

To select Log files, use the Log File pull-down menu located on the icon bar of the Log Viewer window. Figure 11-6 shows that the Log File pull-down menu lists both the wbem_log files that record Solaris Management Console activity and the syslog message logs named /var/log/syslog and /var/adm/messages.

Figure 11-6 List of Log Files

To view a syslog messages log, perform the following steps:

1. Click the down arrow icon in the Log Files selection box.

2. Select the /var/adm/messages log that you want to view.

The selected message log appears in the Solaris Management Console View pane, as shown in Figure 11-7 on page 11-22.

Note – You cannot manipulate the syslog message logs. You can only view them chronologically as they were created.


Figure 11-7 Display of the syslog Generated Message File

Note – You can sort and filter the message logs by using command-line sorting and filtering tools, such as the sort and grep commands.


Viewing a Management Tools Log File

When you view the syslog messages files, you can only use the Open Log Files or the Log Files Settings functions in the Action menu, as shown in Figure 11-8.

Figure 11-8 Action Menu

Select Open Log Files from the Action menu to display the Open Log Files window. The Open Log Files window contains the same list of log files displayed by the Log Viewer Log File pull-down menu. To view the log files associated with the Solaris Management Console, you must load one of the wbem_log files.

The wbem_log files exist, by default, in the /var/sadm/wbem/log directory. The most recent log is named wbem_log.


To open the wbem_log file, select the LogMM/DD/YEAR.HH:MM:SS file, and then click Open, as shown in Figure 11-9.

Figure 11-9 Action Menu Open Log File Window

The log file in Figure 11-9 is named Log09/25/2001.11:07:41, which indicates the log file creation date and time.

The Log Viewer lets you view and manage log files for Solaris Management Console tools and events. For example, log entries are generated for session open, session close, authentication success, and authentication failure events.

You can also use the log view to select specific events, as shown in Figure 11-10. To view specific events, select an option from the View menu.

Figure 11-10 Display of wbem_log Generated Message File


Browsing the Contents of a Management Tools Log File

The Filter option in the View menu lets you filter out unwanted logged events to help you establish pattern recognition scenarios, which are helpful when troubleshooting system irregularities.

Select Filter from the View menu to open the Log Filter window, as shown in Figure 11-11.

Figure 11-11 View Menu

The Log Filter window, as shown in Figure 11-12 on page 11-26, enables you to narrow the logged event report based on:

• The date and time that the log entries start and stop

• Log properties:

  • Type – Logged events, which include informational, warning, or error events

  • Identification – Logged events created by a specific user or system

  • Category – The event generation source, such as an application, the system, or security event


Figure 11-12 Log Filter Window

The Log Viewer then filters the selected log file. Figure 11-12 shows that the selected Log File is identified in the Log File box on the Log Viewer icon bar. You can reload your display to show only the events that fit the filtered criteria.

To return to the Log Viewer, click Close.


Displaying Management Tools Log Entry Details

The Log Viewer shows an overview of the logged event’s details. To view more specific details of the logged event, double-click a specific log entry in the list.

Figure 11-13 shows the Log Viewer window. The bold column headings in the View pane identify and display the contents of the fields that are contained in the log file.

Figure 11-13 Log Viewer Window


The Log Entry Details Window, as shown in Figure 11-14, enables you to select details about the selected logged event, and enables you to navigate to the next and previous event as follows:

• Click the down arrow to select the next logged event.

• Click the up arrow to select the previous logged event.

Figure 11-14 Log Entry Details Window

To return to the Log Viewer window, click Close.


Backing Up Management Tools Log File

You can back up the wbem_log files at a predefined time interval or when they reach a predefined size limit.

To force a backup of the wbem_log:

1. Select Back Up Now from the Action menu, as shown in Figure 11-15.

Figure 11-15 Backup of wbem_log Generated Message File

2. A new window appears, as shown in Figure 11-16, warning you that the existing log will be renamed.

Figure 11-16 Warning: Back Up Now Window

Caution – If you have reached the maximum number of archive copies and you want to keep the oldest archived log, copy the log before you continue with the backup procedure.


3. Click Backup to continue.

The current log is renamed to reflect the current date and time. Subsequent entries are recorded in the current wbem_log file. The New wbem_log Generated Message File window, as shown in Figure 11-17, shows that the old log has moved to wbem_log.1, and that the Log Viewer display is clear.

Figure 11-17 New wbem_log Generated Message File

4. Select Log File Settings from the Action menu to modify the automatic backup configuration setting on any selected log file, as shown in Figure 11-18.

Figure 11-18 Action Menu – Log File Settings


5. In the Log File Settings window, shown in Figure 11-19:

a. Specify an alternate directory in which to store the wbem_log files.

b. Modify the maximum log file size.

c. Specify how many backed up wbem_log files to maintain.

d. Enable or disable system logging, as shown in Figure 11-19.

Figure 11-19 Log File Settings Window

6. Do one of the following actions:

a. Click Cancel to return to the Log Viewer window.

b. Click OK to accept any changes.


7. To exit the Log Viewer application window, select Exit from the Console menu, as shown in Figure 11-20.

Figure 11-20 Console Menu – Exit


Performing the Exercises

You have the option to complete any one of three versions of a lab. To decide which to choose, consult the following descriptions of the levels:

• Level 1 – This version of the lab provides the least amount of guidance. Each bulleted paragraph provides a task description, but you must determine your own way of accomplishing each task.

• Level 2 – This version of the lab provides more guidance. Although each step describes what you should do, you must determine which commands (and options) to input.

• Level 3 – This version of the lab is the easiest to accomplish because each step provides exactly what you should input to the system. This level also includes the task solutions for all three levels.


Exercise: Using the syslog Function and Auditing Utilities (Level 1)

In this lab, you use the syslog function to log messages locally and remotely.

Preparation

This exercise requires installed manual (man) pages and two systems that list each other in the /etc/hosts file. Verify that the CONSOLE variable is commented out in the /etc/default/login file on both systems. Except as noted otherwise, perform all steps on both systems. Refer to the lecture notes as necessary to perform the steps listed.

Tasks

Perform the following tasks:

• Make a backup copy of the /etc/syslog.conf file. Use the tail command to observe messages as they appear in the /var/adm/messages file. Modify the /etc/init.d/inetsvc file to enable message tracing. Verify that using the telnet command generates messages that appear in the log file.

• Add an entry to the /etc/syslog.conf file that would send local0.notice messages to the /var/log/local0.log file. Create a /var/log/local0.log file. Use the tail command to monitor /var/log/local0.log. Use the logger command to send messages from the local0 facility at different levels. Verify that messages arrive in the /var/log/local0.log file. Send multiple, identical local0 messages, followed by a different local0 message, and observe the results in the /var/log/local0.log file.

• Designate one system as system1 and the other as system2. On system1, modify the local0.notice entry in the /etc/syslog.conf file so that it sends messages to system2, and send a refresh command to the syslogd daemon. On system2, use the tail command to monitor the /var/log/local0.log file. On system1, send a local0.notice message using the logger command. Observe the results on system2.


• On both systems, uncomment the auth.notice entry in the /etc/syslog.conf file, and send a refresh command to the syslogd daemon. Verify that both systems are listed in the /etc/hosts file, and identify which one is associated with the loghost alias in each file. On both systems, use the m4 processor with and without the -D LOGHOST option, and record the output for the auth.notice entry.

• On both systems, use the tail command to monitor the /var/log/authlog file. On system2, perform a remote login (rlogin) to the same system. Check the output from the tail command on both systems. Exit the rlogin session. On system2, make a backup copy of the /etc/hosts file. On system2, edit the /etc/hosts file so that the loghost alias is associated with system1. Repeat the rlogin session, and observe the output from the tail command on both systems.

• On system2, restore the original /etc/hosts file. On both systems, stop all tail commands, restore the original /etc/syslog.conf files, and send a refresh command to the syslogd daemon.


Exercise: Using the syslog Function and Auditing Utilities (Level 2)

In this lab, you use the syslog function to log messages locally and remotely.

Preparation

This exercise requires installed manual (man) pages and two systems that list each other in the /etc/hosts file. Verify that the CONSOLE variable is commented out in the /etc/default/login file on both systems. Except as noted otherwise, perform all steps on both systems. Refer to the lecture notes as necessary to perform the steps listed.

Task Summary

Complete the following steps:

• Make a backup copy of the /etc/syslog.conf file. Use the tail command to observe messages as they appear in the /var/adm/messages file. Modify the inetd service to enable message tracing. Verify that using the telnet command generates messages that appear in the log file.

• Add an entry to the /etc/syslog.conf file that would send local0.notice messages to the /var/log/local0.log file. Create a /var/log/local0.log file. Use the tail command to monitor /var/log/local0.log. Use the logger command to send messages from the local0 facility at different levels. Verify that messages arrive in the /var/log/local0.log file. Send multiple, identical local0 messages, followed by a different local0 message, and observe the results in the /var/log/local0.log file.

• Designate one system as system1 and the other as system2. On system1, modify the local0.notice entry in the /etc/syslog.conf file so that it sends messages to system2, and send a refresh command to the syslogd daemon. On system2, use the tail command to monitor the /var/log/local0.log file. On system1, send a local0.notice message using the logger command. Observe the results on system2.


• On both systems, uncomment the auth.notice entry in the /etc/syslog.conf file, and send a refresh command to the syslogd daemon. Verify that both systems are listed in the /etc/hosts file, and identify which one is associated with the loghost alias in each file. On both systems, use the m4 processor with and without the -D LOGHOST option and record the output for the auth.notice entry.

• On both systems, use the tail command to monitor the /var/log/authlog file. On system2, perform a remote login (rlogin) to the same system. Check the output from the tail command on both systems. Exit the rlogin session. On system2, make a backup copy of the /etc/hosts file. On system2, edit the /etc/hosts file so that the loghost alias is associated with system1. Repeat the rlogin session, and observe the output from the tail command on both systems.

• On system2, restore the original /etc/hosts file. On both systems, stop all tail commands, restore the original /etc/syslog.conf files, and send a refresh command to the syslogd daemon.

Tasks

Perform the following tasks.

Task 1 – Enabling and Logging inetd Trace Messages

Complete the following steps:

1. Change the directory to /etc, and create a backup copy of the /etc/syslog.conf file.

2. Display the man page for the inetd process, and verify the facility and level used by the inetd process when you run the process with the -t option.

Which facility and level pair is the inetd daemon using?

________________________________________________


3. Examine the /etc/syslog.conf file, and determine if the syslogd daemon would recognize inetd tracing messages.

Are inetd tracing messages recognized by the syslogd daemon (yes or no)?

________________________________________________

To what destination will the syslogd daemon send the messages?

________________________________________________

4. Open a new terminal window, and use the tail command to view new entries as they are recorded in the /var/adm/messages file.

5. In an available window, use the telnet command to connect to your own system. Exit the telnet session after you successfully log in.

6. Observe the window in which you are running the tail command. Do any new telnet-related messages appear in the /var/adm/messages file (yes or no)?

________________________________________________

7. Verify the current settings for the telnet sub-service of inetd:

# inetadm -p
NAME=VALUE
bind_addr=""
bind_fail_max=-1
bind_fail_interval=-1
max_con_rate=-1
max_copies=-1
con_rate_offline=-1
failrate_cnt=40
failrate_interval=60
inherit_env=TRUE
tcp_trace=FALSE
tcp_wrappers=FALS

8. To enable connection logging, modify the inetd controls by setting the following parameters using the inetadm command:

# inetadm -M tcp_trace=TRUE

9. Verify the change using the command from step 7.

10. Repeat step 5 and step 6. Do any new telnet-related messages appear in the /var/adm/messages file? If yes, list them.

________________________________________________


Task 2 – Using the logger Command to Demonstrate How Levels Operate

Complete the following steps:

1. Edit the /etc/syslog.conf file so that it includes the following line:

local0.notice<TAB>/var/log/local0.log

2. Create a file called /var/log/local0.log.

3. Cause the syslogd daemon to reread the /etc/syslog.conf file by sending it a refresh command.

4. In the window in which the tail command is running, stop the tail process. Restart the tail command so that it displays the end of the /var/log/local0.log file.

5. In an available window, use the logger utility to send a message using the local0 facility and the notice level.

What, if any, new messages does the tail command display?

________________________________________________

6. In an available window, use the logger command to send a message by using the local0 facility and the crit level.

What, if any, new messages does the tail command display?

________________________________________________

7. Run the logger command from step 5 three times. Examine the output from the tail command in the other window. How many new messages appear in the /var/log/local0.log file?

8. Run the logger command once.

Which new messages appear in the /var/log/local0.log file?

________________________________________________

9. Stop the tail command in the window where it is running.


Task 3 – Logging Messages to Another System

Complete the following steps:

Note – This step does not require you to change host names. In the following steps, substitute the appropriate host name for system1 and system2.

1. On system1, edit the /etc/syslog.conf file, and change the line for local0.notice so that it reads as follows:

local0.notice<TAB>@system2

2. On system1, create the file /var/log/local0.log and cause the syslogd daemon to reread the /etc/syslog.conf file using a refresh command.

3. On system2, open a new terminal window, and use the tail command to view new entries as they arrive in the /var/log/local0.log file.

4. On system1, use the logger command to generate a message by using the local0.notice facility and level pair.

5. On system2, which message is displayed in the window running the tail command?

_____________________________________________________________

6. After verifying that system1 has successfully passed messages to system2, stop the tail command on system2.

Task 4 – Logging Messages by Using the loghost Alias and ifdef Statements

Complete the following steps:

1. On both systems, edit the /etc/syslog.conf file, and uncomment the line that identifies auth.notice messages.

auth.notice ifdef(`LOGHOST', /var/log/authlog, @loghost)

Which two destinations are possible for these messages?

________________________________________________

2. On both systems, examine the /etc/inet/hosts file, and identify the name of the host associated with the loghost alias.

3. On both systems, cause the syslogd daemon to reread the /etc/syslog.conf file by sending it a refresh command.


4. On both systems, run the following m4 commands, and record the line for auth.notice messages.

# /usr/ccs/bin/m4 -D LOGHOST /etc/syslog.conf

auth.notice /var/log/authlog

# /usr/ccs/bin/m4 /etc/syslog.conf

auth.notice @loghost

5. On both systems, open a terminal window, and use the tail command to view new entries as they arrive in the /var/log/authlog file.

6. On system2, use the rlogin command to log in to your own system, and then exit the connection.

On system2, which message is displayed in the window running the tail command?

________________________________________________

On system1, does a new message display in the window running the tail command (yes or no)?

________________________________________________

7. On system2, change to the /etc/inet directory, and make a backup copy of the /etc/inet/hosts file. Edit the /etc/inet/hosts file to remove the loghost alias from the entry for system2, and add it to the entry for system1.

8. On system2, force the syslogd daemon to reread the /etc/syslog.conf file by sending it a refresh command.

9. On system2, use the rlogin command to log in to your own system, and then exit the connection.

On system2, does a new message display in the window running the tail command (yes or no)?

________________________________________________

On system1, which message is displayed in the window running the tail command?

________________________________________________


Task 5 – Completing the Exercise

Complete the following steps:

1. On both systems, stop the tail command in any window where it is running.

2. On system2, replace the /etc/inet/hosts file with the backup copy you made earlier.

3. On both systems, replace the /etc/syslog.conf file with the backup copy you made earlier.

4. On both systems, ensure that the syslogd daemon rereads the /etc/syslog.conf file by sending it a refresh command.


Exercise: Using the syslog Function and Auditing Utilities (Level 3)

In this lab, you use the syslog function to log messages locally and remotely.

Preparation

This exercise requires installed manual (man) pages and two systems that list each other in the /etc/hosts file. Verify that the CONSOLE variable is commented out in the /etc/default/login file on both systems. Except as noted otherwise, perform all steps on both systems. Refer to the lecture notes as necessary to perform the steps listed.

Task Summary

Perform the following tasks:

• Make a backup copy of the /etc/syslog.conf file. Use the tail command to observe messages as they appear in the /var/adm/messages file. Modify the inetd service to enable message tracing. Verify that using the telnet command generates messages that appear in the log file.

• Add an entry to the /etc/syslog.conf file that would send local0.notice messages to the /var/log/local0.log file. Create a /var/log/local0.log file. Use the tail command to monitor /var/log/local0.log. Use the logger command to send messages from the local0 facility at different levels. Verify that messages arrive in the /var/log/local0.log file. Send multiple, identical local0 messages, followed by a different local0 message, and observe the results in the /var/log/local0.log file.

• Designate one system as system1 and the other as system2. On system1, modify the local0.notice entry in the /etc/syslog.conf file so that it sends messages to system2, and send a refresh command to the syslogd daemon. On system2, use the tail command to monitor the /var/log/local0.log file. On system1, send a local0.notice message using the logger command. Observe the results on system2.


• On both systems, uncomment the auth.notice entry in the /etc/syslog.conf file, and send a refresh command to the syslogd daemon. Verify that both systems are listed in the /etc/hosts file, and identify which one is associated with the loghost alias in each file. On both systems, use the m4 processor with and without the -D LOGHOST option, and record the output for the auth.notice entry.

• On both systems, use the tail command to monitor the /var/log/authlog file. On system2, perform a remote login (rlogin) to the same system. Check the output from the tail command on both systems. Exit the rlogin session. On system2, make a backup copy of the /etc/hosts file. On system2, edit the /etc/hosts file so that the loghost alias is associated with system1. Repeat the rlogin session, and observe the output from the tail command on both systems.

• On system2, restore the original /etc/hosts file. On both systems, stop all tail commands, restore the original /etc/syslog.conf files, and send a refresh command to the syslogd daemon.

Tasks and Solutions

The following section lists the tasks you must perform and the solutions to these tasks.

Task 1 – Enabling and Logging inetd Trace Messages

Complete the following steps:

1. Change the directory to /etc, and create a backup copy of the /etc/syslog.conf file.

# cd /etc

# cp syslog.conf syslog.conf.bak

2. Display the man page for the inetd process, and verify the facility and level used by the inetd process when you run the process with the -tcptrace option.

# man inetd

Which facility and level pair is the inetd daemon using?

daemon.notice


3. Examine the /etc/syslog.conf file, and determine if the syslogd daemon would recognize inetd tracing messages.

Are inetd tracing messages recognized by the syslogd daemon (yes or no)?

Yes

To what destination will the syslogd daemon send the messages?

The /var/adm/messages file.

4. Open a new terminal window, and use the tail command to view new entries as they are recorded in the /var/adm/messages file.

# tail -f /var/adm/messages

5. In an available window, use the telnet command to connect to your own system. Exit the telnet session after you successfully log in.

# telnet host

Trying nnn.nnn.nnn.nnn...

Connected to host.

Escape character is '^]'.

login: root

Password:

Last login: Sat Nov 6 11:25:21 from sys-03

Sun Microsystems Inc. SunOS 5.10 s10_68 Sep. 20, 2004

SunOS gk 2004-09-20 [on10_68]

# exit

6. Observe the window in which you are running the tail command. Do any new telnet-related messages appear in the /var/adm/messages file (yes or no)?

Before starting the inetd service with telnet tracing, no.

7. Modify the inetd service, and change the default value of the tcp_trace option to TRUE:

# inetadm -M tcp_trace=TRUE


8. Verify that the inetd daemon is running with the tracing option enabled.

# inetadm -p

NAME=VALUE

bind_addr=""

bind_fail_max=-1

bind_fail_interval=-1

max_con_rate=-1

max_copies=-1

con_rate_offline=-1

failrate_cnt=40

failrate_interval=60

inherit_env=TRUE

tcp_trace=TRUE

tcp_wrappers=FALSE

9. Repeat step 5 and step 6. Do any new telnet-related messages appear in the /var/adm/messages file? If yes, list them.

A message similar to the following message appears:

Nov 6 14:19:21 sys-02 inetd[224]: [ID 317013 daemon.notice] telnet[1181] from 192.168.201.21 32795

Task 2 – Using the logger Command to Demonstrate How Levels Operate

Complete the following steps:

1. Edit the /etc/syslog.conf file so that it includes the following line:

local0.notice <TAB> /var/log/local0.log

2. Create a file called /var/log/local0.log.

# touch /var/log/local0.log

3. Cause the syslogd daemon to reread the /etc/syslog.conf file by sending it a refresh command.

# svcadm refresh svc:/system/system-log:default

4. In the window in which the tail command is running, stop the tail process. Restart the tail command so that it displays the end of the /var/log/local0.log file.

# tail -f /var/log/local0.log


5. In an available window, use the logger utility to send a message using the local0 facility and the notice level.

# logger -p local0.notice Notice-level message

What, if any, new messages does the tail command display?

A message similar to the following appears:

Nov 04 15:21:49 host root: [ID 702911 local0.notice] Notice-level message

6. In an available window, use the logger command to send a message by using the local0 facility and the crit level.

# logger -p local0.crit Crit-level message

What, if any, new messages does the tail command display?

Nov 04 15:24:43 host1 root: [ID 702911 local0.crit] Crit-level message

A message similar to this displays because crit is a higher level than notice, and the syslogd daemon is configured to recognize the notice level and higher for the local0 facility.

7. Run the logger command from step 5 three times. Examine the output from the tail command in the other window. How many new messages appear in the /var/log/local0.log file?

One. The syslogd daemon will not report multiple instances of the same message until a different message is logged, or the syslogd “mark” interval is reached.

8. Run the logger command with the crit level message instead of the notice level message.

Which new messages appear in the /var/log/local0.log file?

A message indicating that the previous message was repeated a number of times, and the new message, for example:

Nov 04 16:44:03 host last message repeated 4 times

Nov 04 16:44:38 host root: [ID 702911 local0.notice] "New notice-level message"

9. Stop the tail command in the window where it is running.


Task 3 – Logging Messages to Another System

Complete the following steps:

Note – This step does not require you to change host names. In the following steps, substitute the appropriate host name for system1 and system2.

1. On system1, edit the /etc/syslog.conf file, and change the line for local0.notice so that it reads as follows:

local0.notice<TAB>@system2

2. Create a file called /var/log/local0.log.

# touch /var/log/local0.log

3. On system1, cause the syslogd daemon to reread the /etc/syslog.conf file using svcadm.

Note – If you did not already edit the /etc/syslog.conf file on the system designated system2 from the previous task, do so now.

# svcadm refresh system/system-log

4. On system2, open a new terminal window, and use the tail command to view new entries as they arrive in the /var/log/local0.log file.

# tail -f /var/log/local0.log

5. On system1, use the logger command to generate a message by using the local0.notice facility and level pair.

# logger -p local0.notice Message from system1

6. On system2, which message is displayed in the window running the tail command?

A message similar to the following:

Nov 06 13:07:49 system1 root: [ID 702911 local0.notice] Message from system1

7. After verifying that system1 has successfully passed messages to system2, stop the tail command on system2.


Task 4 – Logging Messages by Using the loghost Alias and ifdef Statements

Complete the following steps:

1. On both systems, edit the /etc/syslog.conf file, and uncomment the line that identifies auth.notice messages.

auth.notice ifdef(`LOGHOST', /var/log/authlog, @loghost)

Which two destinations are possible for these messages?

/var/log/authlog – This local host’s log file

@loghost – The syslog facility on the “loghost”

2. On both systems, examine the /etc/inet/hosts file, and identify the name of the host associated with the loghost alias.

In the default /etc/inet/hosts file, the loghost alias is associated with the host name of the local system.

3. On both systems, cause the syslogd daemon to reread the /etc/syslog.conf file by sending it a refresh command.

# svcadm refresh system/system-log

4. On both systems, run the following m4 commands, and record the line for auth.notice messages.

# /usr/ccs/bin/m4 -D LOGHOST /etc/syslog.conf

auth.notice /var/log/authlog

# /usr/ccs/bin/m4 /etc/syslog.conf

auth.notice @loghost

5. On both systems, open a terminal window, and use the tail command to view new entries as they arrive in the /var/log/authlog file.

# tail -f /var/log/authlog


6. On system2, use the rlogin command to log in to your own system, and then exit the connection.

# rlogin system2 

Password: xxxxxx 

...

# exit

On system2, which message is displayed in the window running the tail command?

A message similar to the following displays:

Mar 31 09:15:23 system2 login: [ID 254462 auth.notice] ROOT LOGIN /dev/pts/7 FROM system2

On system1, does a new message display in the window running the tail command (yes or no)?

No.

7. On system2, change to the /etc/inet directory, and make a backup copy of the /etc/inet/hosts file. Edit the /etc/inet/hosts file to remove the loghost alias from the entry for system2, and add it to the entry for system1.

# cd /etc/inet

# cp hosts hosts.bak

# vi hosts

8. On system2, force the syslogd daemon to reread the /etc/syslog.conf file using svcadm.

# svcadm refresh system/system-log

9. On system2, use the rlogin command to log in to your own system, and then exit the connection.

# rlogin system2 

Password: xxxxxx 

...

# exit

On system2, does a new message display in the window running the tail command (yes or no)?

No.

On system1, which message is displayed in the window running the tail command?

A message similar to the following displays:

Nov 06 09:34:46 system2 login: [ID 254462 auth.notice] ROOT LOGIN /dev/pts/7 FROM system2
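The routing decisions observed in Tasks 2 through 4 can be reproduced offline to check where a given facility.level message will end up before a configuration is deployed. The following Python code is an added example, not part of the student guide or of syslogd; the function names and sample hosts entries are constructed, and it assumes LOGHOST is defined when the loghost alias sits on the local host's own hosts entry.

```python
import re

# syslog levels, most severe first.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The m4 macro form used in syslog.conf: ifdef(`LOGHOST', <local>, <remote>)
IFDEF = re.compile(r"ifdef\(`LOGHOST',\s*([^,]+),\s*([^)]+)\)")


def loghost_is_local(hosts_text, local_name):
    """True if the hosts entry carrying the loghost alias also names local_name.
    Assumption: this stands in for syslogd's own address comparison."""
    for line in hosts_text.splitlines():
        names = line.split("#", 1)[0].split()[1:]  # drop comment and address
        if "loghost" in names:
            return local_name in names
    return False


def expand(conf_text, loghost_defined):
    """Mimic `m4 -D LOGHOST` (defined) or plain `m4` for the ifdef form above."""
    pick = 1 if loghost_defined else 2
    return IFDEF.sub(lambda m: m.group(pick).strip(), conf_text)


def selector_matches(selector, facility, level):
    """Evaluate a selector such as 'local0.notice' or '*.err;auth.none'.
    A level matches at the named level and higher; later parts override."""
    matched = False
    for part in selector.split(";"):
        facs, _, lvl = part.rpartition(".")
        if facility not in facs.split(",") and facs != "*":
            continue
        if lvl == "none":
            matched = False
        else:
            matched = LEVELS.index(level) <= LEVELS.index(lvl)
    return matched


def destinations(conf_text, hosts_text, local_name, facility, level):
    """Return the actions taken on local_name for one facility.level message."""
    conf = expand(conf_text, loghost_is_local(hosts_text, local_name))
    actions = []
    for line in conf.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, level):
            actions.append(action.strip())
    return actions


# The two entries edited in Tasks 3 and 4 (selector and action are TAB-separated).
CONF = (
    "local0.notice\t@system2\n"
    "auth.notice\tifdef(`LOGHOST', /var/log/authlog, @loghost)\n"
)
# Constructed hosts files for system2: before and after the edit in Task 4, step 7.
HOSTS_SYSTEM2_DEFAULT = "192.168.201.21 system1\n192.168.201.22 system2 loghost\n"
HOSTS_SYSTEM2_EDITED = "192.168.201.21 system1 loghost\n192.168.201.22 system2\n"

if __name__ == "__main__":
    for label, hosts in (("default", HOSTS_SYSTEM2_DEFAULT),
                         ("edited", HOSTS_SYSTEM2_EDITED)):
        print(label, destinations(CONF, hosts, "system2", "auth", "notice"))
    print("crit", destinations(CONF, HOSTS_SYSTEM2_DEFAULT, "system1", "local0", "crit"))
    print("info", destinations(CONF, HOSTS_SYSTEM2_DEFAULT, "system1", "local0", "info"))
```

Moving the loghost alias is all it takes to redirect authentication records off the local system, so the hosts file deserves the same change control as syslog.conf.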


Task 5 – Completing the Exercise

Complete the following steps:

1. On both systems, stop the tail command in any window where it is running.

2. On system2, replace the /etc/inet/hosts file with the backup copy you made earlier.

3. On both systems, replace the /etc/syslog.conf file with the backup copy you made earlier.

4. On both systems, ensure that the syslogd daemon rereads the /etc/syslog.conf file by sending it a refresh command.


Exercise Summary


Discussion – Take a few minutes to discuss the experiences, issues, or discoveries that you had during the lab exercises.

• Experiences

• Interpretations

• Conclusions

• Applications


Module 12

Using Name Services

Objectives

Name services centralize shared information on a network. There are several services that store and provide access to this information.

Upon completion of this module, you should be able to:

• Describe the name service concept

• Describe the name service switch file /etc/nsswitch.conf

• Describe the name service cache daemon (nscd)

• Get name service information

The course map in Figure 12-1 shows how this module fits into the current instructional goal.

Figure 12-1 Course Map (Setting Up Name Services: Using Name Services, Configuring Name Service Clients, Configuring the Network Information Service (NIS))


Introducing the Name Service Concept

The original text-based UNIX® name service was developed for standalone UNIX systems and was then adapted for network use. While UNIX operating systems still support and use this text-based name service, it is not appropriate for large, complex networks. The name service concept uses domains, which are defined as a collection of network nodes.

The concept of a name service centralizes the shared information in a network. A single system, the name server, maintains the information previously maintained on each individual host. The name servers provide information such as host names, Internet Protocol (IP) addresses, user names, passwords, and automount maps.

Note – Clients may still require local text files, for example the /etc/inet/hosts file, to configure the network interface.

Other hosts in the name service domain (called clients), request the information from the name server. This name server system responds to clients, and translates, or resolves their requests from its memory-based (cached) or disk-based databases.

Figure 12-2 shows one possible name service scenario. Later, this module describes alternatives to this scenario.

Figure 12-2 Name Service Scenario (diagram labels: Client, /etc/nsswitch.conf, Local File /etc/hosts, Name Server, Database)


The basic process is as follows:

1. The client requires administrative data to be accessed due to some process request. The client references its local name service switch file to determine the possible name service sources to search.

2. The name service switch file instructs the client to first search the local file for the information.

3. When the information is not located in the local files, the client’s name service switch file redirects the search to a network name server.

4. The name server searches its database and locates the information.

5. The name server returns the information to its requesting client.

The name service concept provides the following benefits:

• A single point of administration for name service data

• Consistent name service information for systems within the domain

• All clients have access to changed data

• Assurance that clients do not miss updates

In a file-based scheme, updates distributed by using File Transfer Protocol (FTP) could be missed if a host was down or off the network when the changes were propagated.

• Secondary servers prevent a single-point-of-failure

While a single master server is all that is required, the name service scheme allows for the creation of secondary servers (sometimes referred to as slaves or replicas). These secondary servers maintain a copy of the master server’s database, receive changes and updates to the database from the master, and participate in client query resolution. Therefore, they not only overcome a single point-of-failure, but they also play a role in improved name service performance by balancing the workload of answering client requests among multiple systems.


Domain Name System (DNS)

Domain Name System (DNS) is an Internet-wide naming system for resolving host names to IP addresses and IP addresses to host names. DNS supports name resolution for both local and remote hosts, and uses the concept of domains to allow hosts with the same name to coexist on the Internet, so long as they are in different domains. For example:

www.sun.com and www.microsoft.com

The collection of networked systems that use DNS is referred to as the DNS namespace. The DNS namespace is divided into a hierarchy of domains. A DNS domain is a group of systems. Each domain is usually supported by two or more name servers, a master name server, and one or more slave name servers. Each server implements DNS by running the in.named daemon. On the client’s side, DNS is implemented through the resolver. The resolver library resolves users’ queries. The resolver queries a name server, which then returns either the requested information or a referral to another DNS server.

Figure 12-3 shows that the DNS namespace for the Internet begins with the nameless root domain and includes all subdomains, each of which is headed by a top-level domain.

Figure 12-3 DNS Domain Structure (diagram labels, top to bottom: Nameless root; edu, com, mil; acme, sun; aus, eng, uk, corp; solaris; solaris.corp.sun.com)


The top-level domains are administered by various organizations, all of which report to the governing authority called the Internet Corporation for Assigned Names and Numbers (ICANN). Administration of the lower-level domains is delegated to the various organizations that are registered domain name members within the top-level domain.

The top-level domain that you choose can depend on which one best suits the needs of your organization. Large organizations tend to use the organizational domains, while small organizations or individuals often choose to use a country code.

Everything below the connection to the domain falls into a zone of authority maintained by the connection to the domain. For example, everything below sun.com resides within the zone of authority for Sun Microsystems, Inc. and is, therefore, maintained by Sun Microsystems, Inc.

The DNS name servers store the host and IP address information in files called zone files. The svc:/network/dns/server:default service starts the DNS server during the boot process if the DNS server has been configured.

Note – Setting up a DNS server is covered in SA-300-S10, Network Administration for the Solaris 10 OS.

Network Information Service (NIS)

Network Information Service (NIS) was developed independently of DNS and has a slightly different focus. DNS focuses on making communication easier by using host names instead of numerical IP addresses. NIS focuses on making network administration more manageable by providing centralized control over a variety of network information. NIS stores information about host names, IP addresses, users, groups, and others. This collection of network information is referred to as the NIS namespace.


NIS namespace information is stored in files called NIS maps. NIS maps were designed to supplement many of the UNIX /etc files. These maps store much more than names and addresses. As a result, the NIS namespace has a large set of maps. NIS maps are database files created from source files in the /etc directory (or in a directory that you specify). By default, these maps are stored in the /var/yp/domainname directory on NIS servers. For example, the set of maps that contain hosts information include:

• hosts.byaddr

• hosts.byname

Note – You can obtain a list of the full set of maps from an NIS-configured system by running the ypwhich -m command.

NIS uses domains to define who can access the host names, user information, and other administrative data in its namespace. However, NIS does not use a domain hierarchy to store its data; therefore, the NIS namespace is flat.

You cannot look up addresses on the Internet by using just NIS. However, organizations that want to use NIS and also want to look up addresses on the Internet can combine NIS with DNS. You can use NIS to manage all local information and use DNS for Internet host lookup. The Solaris OS also allows you to set up the /etc/nsswitch.conf file so that lookup requests for hosts do the following:

• Query DNS

• Query DNS and then NIS, if the requests are not found by DNS

• Query NIS and then DNS, if the requests are not found by NIS

NIS uses a client-server arrangement similar to DNS. Replicated NIS servers provide services to NIS clients. The principal server is called a master server, and, for reliability, it has a backup, or a slave server. Both master and slave servers use the NIS information retrieval software and both store NIS maps.

Each server implements NIS by running the ypserv daemon. All NIS clients and servers must run the ypbind daemon to exchange NIS information. The svc:/network/nis/server:default service starts the NIS server during the boot process. NIS processes are only started if the NIS server has been configured.


Network Information Service Plus (NIS+)

Network Information Service Plus (NIS+) is similar to NIS but provides many more features. NIS+ is not an extension of NIS. NIS+ is a different software program.

Note – NIS+ is a mature and stable naming service. Sun’s customers have indicated a preference for using IETF standards for naming services based on Lightweight Directory Access Protocol (LDAP). Sun is indicating formally that there are plans for NIS+ to be removed sometime after the Solaris 10 OS release; however, removal will not occur in the next release of the Solaris OS.

You can configure the NIS+ name service to match the requirements of the organization using it. NIS+ enables you to store information about machine addresses, security information, mail information, Ethernet interfaces, and network services in central locations where all machines on a network can have access to the information. This configuration of network information is referred to as the NIS+ namespace.

The NIS+ namespace is hierarchical and is similar in structure to the UNIX directory tree. The hierarchical structure allows an NIS+ namespace to be configured to conform to the logical hierarchy of an organization. The namespace’s layout of information is unrelated to its physical arrangement. Therefore, an NIS+ namespace can be divided into multiple domains that can be administered independently. Clients might have access to information in other domains in addition to their own if they have the appropriate permissions.

NIS+ uses a client-server model to store and gain access to the information contained in an NIS+ namespace. Each domain is supported by a set of servers. The principal server is called the root server, and the backup servers are called replica servers. The network information is stored in standard NIS+ tables in an internal NIS+ database. Both root and replica servers run NIS+ server software as well as maintain copies of NIS+ tables. Unlike NIS, the NIS+ namespace is dynamic because updates can occur and be put into effect at any time by any authorized user. Changes made to the NIS+ data on the root server are automatically and incrementally propagated to the replica servers.


NIS+ includes a sophisticated security system to protect the structure of the namespace and its information. NIS+ uses authentication and authorization to verify whether a client’s request for information should be fulfilled. Authentication determines whether the information requester is a valid user on the network. Authorization determines whether a particular user is allowed to have or to modify the information requested.

Each server implements NIS+ by running the rpc.nisd daemon. NIS+ clients and servers run the nis_cachemgr daemon to enhance data access performance. The svc:/network/rpc/nisplus:default service starts the NIS+ name service during the boot process. NIS+ processes are only started if an NIS+ server has been configured and enabled with the svcadm enable svc:/network/rpc/nisplus:default command.

Lightweight Directory Access Protocol (LDAP)

LDAP is the protocol clients use to communicate with a directory server. It is a vendor-independent protocol and can be used on common TCP/IP networks.

LDAP Directory Server

A directory server is not necessarily an LDAP server. However, in the context of this module, the term Directory Server is synonymous with LDAP Server. The Solaris 10 Operating System comes with an LDAP client and LDAP server. The LDAP Directory Server is called the Sun Java™ System Directory Server.

The Sun Java System Directory Server must be set up and then configured to support Solaris LDAP clients.


Directory Entries

A directory server stores information in a Directory Information Tree (DIT). Clients can query the directory server for information or make changes to the information stored on the server.

The hierarchy of the directory tree structure is similar to that of the UNIX file system. Entries are named according to their position in this tree structure by a distinguished name (DN). The DN is similar to an absolute path name in UNIX. A Relative Distinguished Name (RDN) is similar to a relative path name in UNIX. As in the UNIX file system, sibling directory entries must have unique RDNs.

A directory entry is composed of attributes that have a type and one or more values. The syntax for each attribute defines the allowed values, or the allowed data type of the attribute values, such as American Standard Code for Information Interchange (ASCII) characters or numerical data. LDAP also defines how those values are interpreted during a directory operation, for example, determining if a search or compare is case sensitive.

Like the DNS namespace, LDAP names start with the least significant component and proceed to the most significant; in other words, those just below root. The DN is constructed by concatenating the sequence of components up to the root of the tree.

Figure 12-4 shows an example of a Solaris LDAP Directory Information Tree.

Figure 12-4 Solaris LDAP Directory Information Tree (diagram labels: Directory Root; dc=suned,dc=com; ou=Services, ou=Hosts, ou=People; cn=John Jones, cn=mailserver, cn=telnet; DN="cn=John Jones,ou=People,dc=suned,dc=com")


Name Service Features Summary

Table 12-1 lists and compares the name services available in the Solaris OS.

Table 12-1 Name Service Features

Feature | DNS | NIS | NIS+ | LDAP
Namespace | Hierarchical | Flat | Hierarchical | Hierarchical
Data storage | Files/resource records | Two column maps | Multicolumn tables | Directories (varied)
Server types | Master/slave/caching only/forwarding | Master/slave | Root master/non-root master/replica | Master/replica
Transport | IP | IP | IP | IP
Scale | Wide area network (WAN) | Local area network (LAN) | LAN | WAN


Introducing the Name Service Switch File

The name service switch file determines which name services a system uses to search for information, and in which order the name service request is resolved. All Solaris OS systems use the /etc/nsswitch.conf file as the name service switch file. The nsswitch.conf file is loaded with the contents of a template file during the installation of the Solaris OS, depending on the name service that is selected, as shown in Table 12-2.

The following example is the /etc/nsswitch.conf file configured to support the NIS name service using the /etc/nsswitch.nis template.

#

# /etc/nsswitch.nis:

#

# An example file that could be copied over to /etc/nsswitch.conf; it

# uses NIS (YP) in conjunction with files.

#

# "hosts:" and "services:" in this file are used only if the

# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# NIS service requires that svc:/network/nis/client:default be enabled

# and online.

# the following two lines obviate the "+" entry in /etc/passwd and

/etc/group.passwd: files nis

group: files nis

# consult /etc "files" only if nis is down.

hosts: nis [NOTFOUND=return] files

Table 12-2 Name Service Template Files

Name Service Name Service Template

Local files /etc/nsswitch.files

DNS /etc/nsswitch.dns

NIS /etc/nsswitch.nis

NIS+ /etc/nsswitch.nisplus

LDAP /etc/nsswitch.ldap

Page 536: Solaris 10 Advanced Sys Admin Student Guide

7/3/2019 Solaris 10 Advanced Sys Admin Student Guide

http://slidepdf.com/reader/full/solaris-10-advanced-sys-admin-student-guide-55845b7d254da 536/794

Introducing theName Service Switch File

12-12 Advanced System Administration fortheSolaris™ 10 Operating SystemCopyright2005 SunMicrosystems, Inc. AllRights Reserved.SunServices,Revision A.1

# Note that IPv4 addresses are searched for in all of the ipnodes

databases before searching the hosts databases.

ipnodes: files

#ipnodes: nis [NOTFOUND=return] files

networks: nis [NOTFOUND=return] files

protocols: nis [NOTFOUND=return] files

rpc: nis [NOTFOUND=return] files

ethers: nis [NOTFOUND=return] files

netmasks: nis [NOTFOUND=return] files

bootparams: nis [NOTFOUND=return] files

publickey: nis [NOTFOUND=return] files

netgroup: nis

automount: files nisaliases: files nis

# for efficient getservbyname() avoid nis

services: files nis

sendmailvars: files

printers: user files nis

auth_attr: files nis

prof_attr: files nis

project: files nis

The /etc/nsswitch.conf file includes a list of databases that are sources of information about IP addresses, users, and groups. Data for these can come from a variety of sources. For example, host names and host addresses are located in the /etc/inet/hosts file, NIS, NIS+, LDAP, or DNS. Each database has zero or more sources; the sources and their lookup order are specified in the /etc/nsswitch.conf file.


Database Sources

There is an entry in the /etc/nsswitch.conf file for each database. Some typical examples of these entries are:

- ipnodes: files
- passwd: files nis
- hosts: nis [NOTFOUND=return] files

The information sources are listed in the order that they are searched, and these sources are defined in Table 12-3.

There might be a single information source listed, in which case the search terminates if the information is not found. If two or more sources are listed, the first listed source is searched before moving on to the next listed source. The relationships between these name service keywords, when found in the nsswitch.conf file, are further explained in Table 12-4 and Table 12-5.

Table 12-3 Information Sources

Information Sources  Description
files                Specifies that entries be obtained from a file stored in the client’s /etc directory. For example, /etc/hosts.
nisplus              Specifies that entries be obtained from an NIS+ table. For example, the hosts table.
nis                  Specifies that entries be obtained from an NIS map. For example, the hosts map.
dns                  Specifies that host information be obtained from DNS.
ldap                 Specifies that entries be obtained from the LDAP directory.
user                 Specifies that printer information be obtained from the ${HOME}/.printers file.


Status Codes

When multiple information sources are specified, it is sometimes necessary to define precisely the circumstances under which each source is searched. When a name service is referenced, the attempt to search this source can return one of the following status codes, as shown in Table 12-4.

Table 12-4 Status Message Codes

Status Message  Meaning of Message
SUCCESS         The requested entry was found in the specified source.
UNAVAIL         The source is not configured on this system and cannot be used. In other words, the NIS or NIS+ processes could not be found or contacted.
NOTFOUND        The source responded with No such entry. In other words, the table, map, or file was accessed, but it did not contain the needed information.
TRYAGAIN        The source is busy. It might respond if tried again. In other words, the name service is running and was contacted but could not service the request at that moment.

Actions

For each status code, two actions are possible, as shown in Table 12-5.

Table 12-5 Status Code Actions

Action    Meaning of Action
return    Stop looking for the information.
continue  Try the next source, if there is one.


When the action is not explicitly specified, the default action is to continue the search using the next specified information source, as follows:

- SUCCESS = return
- UNAVAIL = continue
- NOTFOUND = continue
- TRYAGAIN = continue

For example:

ipnodes: files

In this example, the /etc/inet/ipnodes file is searched for the first entry that matches the requested host name. If no matches are found, an appropriate error is returned, and no further information sources are searched.

Another example:

passwd: files nis

In this example, the appropriate files in the /etc directory are searched for the corresponding password entry. If the entry is not found, the NIS maps are searched for the entry. If no entry is found in the NIS maps, an appropriate error is returned, and no further information sources are searched.

Another example:

hosts: nis [NOTFOUND=return] files

In this example, the NIS maps are searched for the entry. If the source (NIS) is not running, the system returns the status UNAVAIL, and continues to search the /etc/inet/hosts file. If NIS returns the status NOTFOUND, an appropriate error is returned, and the search is terminated without searching the /etc/inet/hosts file.


Configuring the Name Service Cache Daemon (nscd)

To properly use the name service cache daemon (nscd), you must be able to perform the following:

- Describe the purpose of the name service cache daemon
- Configure the name service cache daemon
- Stop and start the name service cache daemon

The nscd Daemon

The nscd daemon is a process that provides a cache for the most common name service requests. The nscd daemon starts during multiuser boot. The /etc/nscd.conf configuration file controls the behavior of the nscd daemon. The nscd daemon provides caching for the passwd, group, hosts, ipnodes, exec_attr, prof_attr, and user_attr databases. Solaris OS system calls automatically reference the nscd cache if the nscd cache holds the type of data needed. Standardized calls retrieve the cached data. The calls take the form of getXbyY, such as gethostbyname, gethostbyaddr, and so on.

The data in each cache has a separately defined time-to-live. Modifying the local database, /etc/inet/hosts, for example, causes the corresponding cache to become invalidated upon the next call to the nscd daemon.

Configuring the nscd Daemon

The /etc/nscd.conf file contains the configuration information for the nscd daemon. Each line specifies either an attribute and a value, or an attribute, a cache name, and a value. An example of an attribute and a value is:

logfile /var/adm/nscd.log

An example of an attribute, a cache name, and a value is:

enable-cache hosts no

# cat /etc/nscd.conf
#
# Copyright (c) 1994-2001 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)nscd.conf 1.6 01/01/26 SMI"
#
#
# Currently supported cache names: passwd, group, hosts, ipnodes
# exec_attr, prof_attr, user_attr
#
# logfile /var/adm/nscd.log
# enable-cache hosts no
debug-level 0

positive-time-to-live passwd 600
negative-time-to-live passwd 5
suggested-size passwd 211
keep-hot-count passwd 20
old-data-ok passwd no
check-files passwd yes

positive-time-to-live group 3600
negative-time-to-live group 5
suggested-size group 211
keep-hot-count group 20
old-data-ok group no
check-files group yes

positive-time-to-live hosts 3600
negative-time-to-live hosts 5
suggested-size hosts 211
keep-hot-count hosts 20
old-data-ok hosts no
check-files hosts yes

positive-time-to-live ipnodes 3600
negative-time-to-live ipnodes 5
suggested-size ipnodes 211
keep-hot-count ipnodes 20
old-data-ok ipnodes no
check-files ipnodes yes

positive-time-to-live exec_attr 3600
negative-time-to-live exec_attr 300
suggested-size exec_attr 211
keep-hot-count exec_attr 20
old-data-ok exec_attr no
check-files exec_attr yes

positive-time-to-live prof_attr 3600
negative-time-to-live prof_attr 5
suggested-size prof_attr 211
keep-hot-count prof_attr 20
old-data-ok prof_attr no
check-files prof_attr yes

positive-time-to-live user_attr 3600
negative-time-to-live user_attr 5
suggested-size user_attr 211
keep-hot-count user_attr 20
old-data-ok user_attr no
check-files user_attr yes
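The time-to-live lines in this file bound how long a cached answer can outlive a change in the underlying name service, which matters most for the passwd and RBAC (exec_attr, prof_attr, user_attr) caches. The following parser is an added example, not part of the student guide or of nscd; the function names are hypothetical, and the sample text is constructed from lines of the listing above plus one deliberately misspelled cache name.

```python
# Cache names the nscd.conf listing names as supported.
SUPPORTED_CACHES = ("passwd", "group", "hosts", "ipnodes",
                    "exec_attr", "prof_attr", "user_attr")

# Constructed sample: selected lines from the listing, an enable-cache
# line, and one line whose cache name ("host") is misspelled on purpose.
SAMPLE = """\
# logfile /var/adm/nscd.log
debug-level 0
positive-time-to-live passwd 600
negative-time-to-live passwd 5
check-files passwd yes
positive-time-to-live exec_attr 3600
negative-time-to-live exec_attr 300
check-files exec_attr yes
positive-time-to-live user_attr 3600
negative-time-to-live user_attr 5
check-files user_attr yes
enable-cache hosts no
positive-time-to-live host 3600
"""


def parse_nscd_conf(text):
    """Return (global_settings, per_cache_settings, problems)."""
    global_settings, caches, problems = {}, {}, []
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue                      # blank line or comment
        if len(fields) == 2:              # attribute value
            global_settings[fields[0]] = fields[1]
        elif len(fields) == 3:            # attribute cache-name value
            attribute, cache, value = fields
            if cache in SUPPORTED_CACHES:
                caches.setdefault(cache, {})[attribute] = value
            else:
                problems.append("line %d: unknown cache name %r"
                                % (number, cache))
        else:
            problems.append("line %d: expected 2 or 3 fields: %r"
                            % (number, raw.strip()))
    return global_settings, caches, problems


def staleness_report(text):
    """List (cache, positive TTL, negative TTL, check-files) per enabled cache.

    TTLs are in seconds; None means the file does not set the attribute.
    The positive TTL is how long a found entry may be served from cache,
    the negative TTL how long a "not found" answer may be served.
    """
    _, caches, _ = parse_nscd_conf(text)
    report = []
    for cache in SUPPORTED_CACHES:
        settings = caches.get(cache)
        if not settings or settings.get("enable-cache") == "no":
            continue

        def ttl(name):
            return int(settings[name]) if name in settings else None

        report.append((cache, ttl("positive-time-to-live"),
                       ttl("negative-time-to-live"),
                       settings.get("check-files") == "yes"))
    # Longest positive TTL first: those entries outlive a change the longest.
    return sorted(report, key=lambda row: row[1] or 0, reverse=True)


if __name__ == "__main__":
    for row in staleness_report(SAMPLE):
        print("%-10s positive=%ss negative=%ss check-files=%s" % row)
    for problem in parse_nscd_conf(SAMPLE)[2]:
        print("problem:", problem)
```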

Stopping and Starting the nscd Daemon

Proper updates to the name service databases notify the nscd daemon to update its cache, as needed. However, the nscd daemon’s cache might become out of date due to various abnormal circumstances or due to hand-editing files. A common way to force the nscd daemon to update its cache is to stop and start the daemon.

Disabling the nscd Daemon

The nscd daemon is managed by the service management facility (SMF), under the service identifier:

svc:/system/name-service-cache:default

The Solaris 10 OS installation has the name-service-cache service enabled by default. To stop and disable it, which prevents it from being started on subsequent boots, use the svcadm command as follows:

# svcadm disable system/name-service-cache:default


Enabling the nscd Daemon

You can manually start the nscd daemon and cause it to be started on subsequent boots, by using the svcadm command as follows:

# svcadm enable system/name-service-cache:default

Restarting the nscd Daemon

When modifying role-based access control (RBAC) configuration or while testing name service clients, clearing the cache by restarting the daemon can be helpful in removing old cached data:

# svcadm restart system/name-service-cache:default


Retrieving Name Service Information

There are many tools available for acquiring information stored within the various name service information sources. Selecting the correct tool can reduce troubleshooting time when isolating name service malfunctions. The getent command provides a generic retrieval interface to search many name service databases.

The getent Command

As a system administrator, you can query name service information sources with tools, such as the ypcat, nslookup, niscat, and ldaplist commands.

You can use the ypcat command to query the NIS namespace. You can use the nslookup command to query the DNS namespace. However, when trying to isolate a problem, using one of these tools can return different results than standard system search operations, because the nsswitch.conf file is not referenced by these commands.

The getent command has these advantages:

- The primary advantage is that the command searches the information sources in the order in which they are configured in the name service switch file.

- A secondary advantage is that by using the name service switch file, the defined status message codes and actions are tested as they are currently configured. Therefore, if a return action is improperly placed in the name service switch file, the getent command finds the problem, whereas the specific name service commands used to test the name service information sources, such as ypcat or nslookup, do not find the problem because they directly use the name service database without referencing the nsswitch.conf file.


Using the getent Command

The getent command retrieves a list of entries from the administrative database specified by database. The sources for the database are specified in the /etc/nsswitch.conf file. The syntax is:

getent database [key]...

where:

database  The name of the database to be examined. This name can be passwd, group, hosts, ipnodes, services, protocols, ethers, networks, or netmasks.

key       A value that corresponds to an entry in a database. The key must be in a format appropriate for searching on the respective database. For example, it can be a user name or numeric user ID (UID) for passwd, or a host name or IP address for hosts. The key cannot be a wildcard character.

For the following examples, the /etc/nsswitch.conf file is configured to search files and then to search NIS.

# getent passwd lp
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
# getent group 10
staff::10:
# getent hosts sys44
192.168.30.44 sys44 loghost

The previous example assumes that the /etc/nsswitch.conf file is configured to search files and then to search NIS. If the /etc/nsswitch.conf file is configured to search NIS and then to search files, the output of the final search would be:

# getent hosts sys44
192.168.30.44 sys44

Notice the absence of loghost in this output. The loghost alias is a feature of the sys44 entry in the /etc/inet/hosts file but not the NIS map. Therefore, when the /etc/nsswitch.conf file search order is altered, the getent command looks up the entry in the NIS map before consulting the /etc/inet/hosts file.
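The status codes and actions described for the switch file, and the way the getent hosts sys44 result changes with the search order, can be reproduced with a small evaluator. This is an added example, not code from the student guide or from the Solaris name service switch; the function names, the in-memory source tables and the host sys45 are constructed for illustration.

```python
import re

# Default action for each status code, as listed in the switch-file section.
DEFAULT_ACTIONS = {"SUCCESS": "return", "UNAVAIL": "continue",
                   "NOTFOUND": "continue", "TRYAGAIN": "continue"}


def parse_entry(line):
    """Parse one switch-file line into (database, [(source, actions), ...])."""
    body = line.split("#", 1)[0]
    database, sep, rest = body.partition(":")
    if not sep or not database.strip():
        raise ValueError("not a 'database: sources' line: %r" % line)
    sources = []
    # A token is either a bracketed criteria list or a bare source name.
    for token in re.findall(r"\[[^\]]*\]|\S+", rest):
        if not token.startswith("["):
            sources.append((token, dict(DEFAULT_ACTIONS)))
            continue
        if not sources:
            raise ValueError("criteria with no preceding source: %r" % token)
        for criterion in token.strip("[]").split():
            status, _, action = criterion.partition("=")
            status, action = status.upper(), action.lower()
            if (status not in DEFAULT_ACTIONS
                    or action not in ("return", "continue")):
                raise ValueError("bad criterion: %r" % criterion)
            sources[-1][1][status] = action   # applies to the source before it
    return database.strip(), sources


def lookup(line, key, backends):
    """Resolve key through the sources of one switch-file line.

    backends maps a source name to a dict of entries, or to the string
    "UNAVAIL" or "TRYAGAIN" to model a source in that state. A source
    missing from backends is treated as UNAVAIL.
    Returns (final_status, value, [(source, status), ...]).
    """
    _, sources = parse_entry(line)
    trace, status, value = [], "NOTFOUND", None
    for source, actions in sources:
        backend = backends.get(source, "UNAVAIL")
        if isinstance(backend, str):
            status, value = backend, None
        elif key in backend:
            status, value = "SUCCESS", backend[key]
        else:
            status, value = "NOTFOUND", None
        trace.append((source, status))
        if actions[status] == "return":
            break
    return status, value, trace


# Constructed sample data modelled on the getent example: the local hosts
# file carries the loghost alias for sys44, the NIS map does not, and
# sys45 (a made-up host) exists only in the local file.
FILES = {"sys44": "192.168.30.44 sys44 loghost",
         "sys45": "192.168.30.45 sys45"}
NIS = {"sys44": "192.168.30.44 sys44"}
FILES_FIRST = "hosts: files nis"
NIS_FIRST = "hosts: nis [NOTFOUND=return] files"

if __name__ == "__main__":
    cases = [(FILES_FIRST, "sys44", {"files": FILES, "nis": NIS}),
             (NIS_FIRST, "sys44", {"files": FILES, "nis": NIS}),
             (NIS_FIRST, "sys45", {"files": FILES, "nis": NIS}),
             (NIS_FIRST, "sys45", {"files": FILES, "nis": "UNAVAIL"})]
    for line, key, backends in cases:
        print(line, "|", key, "->", lookup(line, key, backends))
```

The third case is the one to watch when auditing a switch file: with [NOTFOUND=return] after nis, an entry that exists only in the local file is never returned while NIS is answering.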


Exercise: Reviewing Name Services

In this lab, you evaluate your understanding of the name services concepts presented in this module.

Preparation

If necessary, refer to your lecture notes to answer these exercise questions.

Tasks

Answer the following questions:

1. List the name services that can be configured in the /etc/nsswitch.conf file.

_________________________________________________________

_________________________________________________________

2. Which name service is selected by default during the installation of the Solaris 10 OS?

_________________________________________________________

3. What are the two main services provided by DNS?

_________________________________________________________

_________________________________________________________

4. What types of information are stored within the NIS+ namespace?

_________________________________________________________

_________________________________________________________

5. Which file is referred to as the name service switch file, and why?

_________________________________________________________

_________________________________________________________

6. If you decide to use the LDAP for name service resolution, which template file would you use to create the name service switch file?

_________________________________________________________

_________________________________________________________


7. How is the following entry in the name service switch file interpreted?

hosts: nis [NOTFOUND=return] files

_________________________________________________________

_________________________________________________________

8. Is the following an appropriate entry to the /etc/nsswitch.conf file? Why or why not?

group: dns files nis

_________________________________________________________

_________________________________________________________


Task Solutions

1. List the name services that can be configured in the /etc/nsswitch.conf file.

Local files, DNS, NIS, NIS+, and LDAP.

2. Which name service is the default selection during the installation of the Solaris 10 OS?

NIS+ is selected by default during a Solaris 10 OS installation.

3. What are the two main services provided by DNS?

DNS provides host name-to-IP address translation and IP address-to-host name translation.

4. What types of information are stored within the NIS+ namespace?

The NIS+ namespace stores information about workstation addresses, security information, mail information, Ethernet interfaces, printers, and network services.

5. Which file is referred to as the name service switch file, and why?

The /etc/nsswitch.conf file is referred to as the name service switch file because the operating system uses it to determine where to go for any information lookups. This file indicates whether DNS, NIS, NIS+, LDAP, or local files are to be used for name service resolution. If more than one name service is to be used, this file indicates the order in which these services should be accessed.

6. If you decide to use the LDAP for name service resolution, which template file would you use to create the name service switch file?

/etc/nsswitch.ldap

7. How is the following entry in the name service switch file interpreted?

hosts: nis [NOTFOUND=return] files

Assuming that the NIS name service is running and available, the syntax for this entry means that the NIS hosts table is searched. If an NIS server is busy or unavailable, the local files are searched. If an NIS server has no map entry for a host lookup, the system would not reference the local files.

8. Is the following an appropriate entry to the /etc/nsswitch.conf file? Why or why not?

group: dns files nis

This is not an appropriate entry in the /etc/nsswitch.conf file, because dns only applies to the hosts entry in the name service switch file.


Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

- Experiences
- Interpretations
- Conclusions
- Applications


Module 13

Configuring Name Service Clients

Objectives

This module explains how to configure a client to use DNS or LDAP as the name service. Setting up the DNS server is described in the SA-300-S10: Network Administration for the Solaris™ 10 Operating System course. Setting up the LDAP server is described in the IN-351: Using LDAP as a Naming Service course.

Upon completion of this module, you should be able to:

- Configure a DNS client
- Configure an LDAP client

The course map in Figure 13-1 shows how this module fits into the current instructional goal.

Figure 13-1 Course Map

[Figure: Setting Up Name Services: Using Name Services; Configuring Name Service Clients; Configuring the Network Information Service (NIS)]


Configuring a DNS Client

Name resolution using the Internet domain name system begins with the client-side resolver. The resolver is a set of routines that are built into the resolver library. The client resolver code is controlled by the following files:

/etc/resolv.conf    Contains directives to specify the scope of a query
/etc/nsswitch.conf  Contains the reference to DNS for the hosts entry

Configuring the DNS Client During Installation

During the system identification phase of a Solaris 10 OS installation, you use several windows to configure the name service. You use function keys or the Escape key to continue through the different windows, depending on the type of installation. For this demonstration, the Escape keys are used.

Note – Text in these screens has been edited for readability, and to fit on the page.


To configure the system to use DNS, complete the following steps:

1. In the Name Service window, select DNS as the name service, then press Esc-2 to continue.

--Name Service----------
On this screen you must provide name service information. Select the
name service that will be used by this system, or None if your system
will either not use a name service at all, or if it will use a name
service not listed here.

> To make a selection, use the arrow keys to highlight the option
and press Return to mark it [X].

Name service
[ ] NIS+
[ ] NIS
[X] DNS
[ ] LDAP
[ ] None

Esc-2_Continue Esc-6_Help

2. In the Domain Name window, enter the DNS domain name to which the client will belong and press Esc-2 to continue.

--Domain Name----------
On this screen you must specify the domain where this system resides.
Make sure you enter the name correctly including capitalization and
punctuation.

Domain name: suned.sun.com

Esc-2_Continue Esc-6_Help


3. In the DNS Server Address window, enter the IP addresses of up to three DNS servers that the client will use for lookups, then press Esc-2 to continue.

--DNS Server Addresses----------
On this screen you must enter the IP address of your DNS server(s). You
must enter at least one address. IP addresses must contain four sets of
numbers separated by periods (for example 129.200.9.1).

Server’s IP address: 192.168.30.61
Server’s IP address:
Server’s IP address:

Esc-2_Continue Esc-6_Help

4. In the DNS Search List window, enter search suffixes that will supplement searches for names that are not fully qualified (names that do not include a complete domain name), then press Esc-2 to continue.

--DNS Search List----------
On this screen you can enter a list of domains that will be searched when
a DNS query is made. If you do not enter any domains, DNS will only
search the DNS domain chosen for this system. The domains entered, when
concatenated, may not be longer than 250 characters.

Search domain: suned.sun.com
Search domain: training.sun.com
Search domain: classroom.sun.com
Search domain:
Search domain:
Search domain:

Esc-2_Continue Esc-6_Help


5. In the Confirm Information window, verify that you have provided accurate information, then press Esc-2 to continue.

--Confirm Information----------
> Confirm the following information. If it is correct, press F2; to change any information, press F4.

Name service: DNS
Domain name: suned.sun.com
Server address(es): 192.168.30.61
Search domain(s): suned.sun.com
                  training.sun.com
                  classroom.sun.com

Esc-2_Continue Esc-4_Change Esc-6_Help

Editing DNS Client Configuration Files

The installation window only allows the selection of DNS with the default of local files for the name service. Therefore, to use DNS with another name service, such as NIS or LDAP, you must manually modify the configuration files after the system is configured.

Editing the /etc/resolv.conf File

The /etc/resolv.conf file contains configuration directives for the DNS resolver. The directives include:

nameserver  Specifies the IP address of a name server for the DNS domain in which the host is located. You can list up to three name servers, one on each line.

domain      Specifies the local domain name. Specifying the local domain name allows queries using just the host name.

search      Provides a list of domain names, separated by spaces or tabs, that is appended to unqualified name queries until a match is found. When used without the presence of the domain directive, the first domain listed in the search list is the local domain.


The domain and search directives are both valid in the /etc/resolv.conf file; if both appear together, the last directive listed is used.

The following resolv.conf example shows two name servers for the suned.sun.com domain. It also specifies two domain names, training.sun.com and sun.com, to append to any requests received that are not fully qualified.

# cat /etc/resolv.conf
nameserver 192.168.10.11
nameserver 192.168.20.88
search suned.sun.com training.sun.com sun.com
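The effective search list decides which fully qualified name an unqualified host name is expanded to, so it is worth computing what a given resolv.conf actually yields under the rules above (three name servers at most, last of domain and search wins). The following is an added example, not code from the student guide or the resolver library; the function names are hypothetical, the sample file is constructed, and the address 192.168.40.1 is made up.

```python
MAX_NAMESERVERS = 3   # "You can list up to three name servers"

# Constructed sample: four nameserver lines, then domain followed by search.
SAMPLE = """\
nameserver 192.168.10.11
nameserver 192.168.20.88
nameserver 192.168.30.61
nameserver 192.168.40.1
domain suned.sun.com
search training.sun.com sun.com
"""


def parse_resolv_conf(text):
    """Return (effective_settings, findings) for a resolv.conf text."""
    nameservers, findings = [], []
    domain, search, winner = None, [], None
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0][0] in "#;":
            continue                          # blank line or comment
        directive, args = fields[0], fields[1:]
        if directive == "nameserver" and args:
            if len(nameservers) < MAX_NAMESERVERS:
                nameservers.append(args[0])
            else:
                findings.append("line %d: nameserver %s ignored, limit is %d"
                                % (number, args[0], MAX_NAMESERVERS))
        elif directive in ("domain", "search") and args:
            if winner and winner != directive:
                findings.append("line %d: %s overrides earlier %s"
                                % (number, directive, winner))
            if directive == "domain":
                domain = args[0]
                if len(args) > 1:
                    findings.append("line %d: domain expects a single name; "
                                    "only the first is used here" % number)
            else:
                search = args
            winner = directive                # the last one listed is used
        else:
            findings.append("line %d: not handled in this example: %r"
                            % (number, raw.strip()))
    search_list = [domain] if winner == "domain" else list(search)
    settings = {"nameservers": nameservers,
                "search_list": search_list,
                "local_domain": search_list[0] if search_list else None}
    return settings, findings


def candidates(name, settings):
    """Names tried for an unqualified host name, in search-list order."""
    if "." in name:
        # Names that already carry a domain part are outside what this
        # example models; they are returned unchanged.
        return [name.rstrip(".")]
    return ["%s.%s" % (name, suffix) for suffix in settings["search_list"]]


if __name__ == "__main__":
    settings, findings = parse_resolv_conf(SAMPLE)
    print(settings)
    for finding in findings:
        print("finding:", finding)
    print(candidates("sys44", settings))
```

In the constructed sample the later search line replaces the domain line, so sys44 is no longer tried in suned.sun.com at all.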

Copying the /etc/nsswitch.dns File to the /etc/nsswitch.conf File

To configure a client to use DNS in combination with the system’s local files, copy the /etc/nsswitch.dns file to the /etc/nsswitch.conf file. This action only changes the hosts entry as follows:

# cat /etc/nsswitch.conf
...
hosts: files dns
...

Note – If you want to add DNS name resolution to a system currently running a name service, such as NIS or NIS+, you cannot copy an nsswitch template into the nsswitch.conf file. You must manually edit the current nsswitch file, and place the dns keyword on the hosts line in the specific location, along with other keywords.

The following example shows that DNS is queried after NIS and the /etc/hosts file.

# cat /etc/nsswitch.conf
...
hosts: files nis dns
...


Setting Up an LDAP Client

Native LDAP is the client implementation of the LDAP name service. An LDAP server, such as the Sun Java Directory Server that is bundled with the Solaris 10 OS, must exist on the network.

Note – The LDAP server cannot be a client of itself. Getting this configuration to work properly requires changes to the LDAP server and the LDAP client.

Client Authentication

An LDAP client must establish a session with an LDAP server. This authentication process is known as binding. After a client is authenticated, it can then perform operations, such as “search and modify,” on the data. Authorization is the granting of access to controlled system resources. Solaris OS LDAP clients have read-only access to name service data, such as host names, email aliases, and net groups. Users have read-write access to certain data, such as their own passwords. Privileged administrator accounts have read-write access to other data. When finished, the client unbinds, or closes, the session.

Details on how the client is authenticated and what data the client is authorized to access are maintained on the LDAP server. To simplify Solaris OS client setup and to avoid having to reenter the same information for each and every client, a single client profile is created on the directory server.


Client Profile and Proxy Account

A single client profile defines the configuration parameters for a group of Solaris OS clients allowed to access the LDAP database.

A client profile:

• Contains the client’s credential information

• Describes how authentication is to take place

• Provides the client with various configuration parameters

A proxy account is created to allow multiple clients to bind to the server with the same access privileges. Only one name and password is needed for all the clients in a group to bind to the LDAP server, rather than configuring each client with its own account name and password.

Client Initialization

The client profile and proxy account are created as part of the Sun Java Directory Server setup procedures on the Solaris 10 OS. By default, the client profile named default and the proxy account proxyagent are created under a special profile directory entry.

When the Solaris LDAP client is initialized, a copy of the client profile is retrieved from the server and stored on disk. On the LDAP client, the ldap_cachemgr daemon is responsible for maintaining and updating the changes to the client profile information. The ldap_cachemgr daemon keeps a copy of the profile in memory and uses it when binding to the server.


Configuring the LDAP Client During Installation

To configure the LDAP client, perform the following steps:

1. In the Name Service window, select LDAP as the name service, and press Esc-2 to continue.

--Name Service----------

On this screen you must provide name service information. Select the

name service that will be used by this system, or None if your system

will either not use a name service at all, or if it will use a name

service not listed here.

> To make a selection, use the arrow keys to highlight the option

and press Return to mark it [X].

Name service

[ ] NIS+

[ ] NIS

[ ] DNS

[X] LDAP

[ ] None

Esc-2_Continue Esc-6_Help

Note – When you specify LDAP as the name service, the client host name must exist in the ou=hosts container on the LDAP server.

2. In the Domain Name window, enter the domain name where the system is located and press Esc-2 to continue.

--Domain Name----------

On this screen you must specify the domain where this system resides.

Make sure you enter the name correctly including capitalization and

punctuation.

Domain name: suned.sun.com 

Esc-2_Continue Esc-6_Help


3. In the LDAP Profile window, enter the profile name and server IP address, and press Esc-2 to continue.

--LDAP Profile----------

On this screen you must specify the name of the LDAP profile to be used

to configure this system, as well as the IP address of the server that

contains the profile.

Profile name: sunedprofile

Profile server IP address: 192.168.0.1

Esc-2_Continue Esc-6_Help

4. In the LDAP Proxy Bind window, select No and press Esc-2 to continue.

--Provide LDAP Proxy Bind Information----------

If the profile you are using specifies a proxy credential level and the

authentication method is NOT none, provide LDAP proxy bind information.

> Use the arrow keys to select the option and press Return to

mark it [X].

Specify LDAP Proxy Bind Information

[X] No

[ ] Yes

Esc-2_Continue Esc-6_Help


5. In the Confirm Information window, verify that you have provided accurate information, and press Esc-2 to continue.

--Confirm Information----------

> Confirm the following information. If it is correct, press F2;

to change any information, press F4.

Name service: LDAP

Domain name: suned.sun.com

Profile name: sunedprofile

Profile server IP address: 192.168.0.1

Specify LDAP Proxy Bind Information: No

Esc-2_Continue Esc-4_Change Esc-6_Help

Note – The information that must be supplied during the installation is some of the same information that you would enter using the ldapclient command.


Initializing the Native LDAP Client

You execute the ldapclient command on the client system once to initiate the client as a native LDAP client. The required command-line arguments include the LDAP server’s IP address.

The following example describes a typical client initialization:

# ldapclient init -a proxyPassword=proxy \
-a proxyDN=cn=proxyagent,ou=profile,dc=suned,dc=sun,dc=com \
-a domainname=suned.sun.com 192.168.0.100

System successfully configured

where:

init            Initializes the host as an LDAP client

proxyPassword   The password for the proxyagent

proxyDN         The DN for the proxyagent

domainname      The domain for which the server is configured

192.168.0.100   LDAP server IP address

Clients bind to the directory using a proxy account. Different proxy accounts can be configured so that LDAP users only have access to the directory data that they should have access to. This is different for an anonymous account, which has access to all of the data stored in the directory.

Each proxy account should have a password. The password is stored on the LDAP client.

The ldapclient command creates two files in the /var/ldap directory on the LDAP client. These files contain the information that the LDAP clients use when binding to and accessing the LDAP database.

Note – The two files in the /var/ldap directory are currently ASCII files, but might not be in the future. The ldapclient list command is the best way to see this information.

The ldap_client_cred file contains the proxy agent information that the client uses for LDAP authentication; for example:

# cat /var/ldap/ldap_client_cred

#

# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.

#

NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=suned,dc=sun,dc=com

NS_LDAP_BINDPASSWD= {NS1}ecc423aad0

The ldap_client_file file contains the configuration information from the client profile in the LDAP server database; for example:

# cat /var/ldap/ldap_client_file

#

# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.

#

NS_LDAP_FILE_VERSION= 2.0

NS_LDAP_SERVERS= 192.168.0.100

NS_LDAP_SEARCH_BASEDN= dc=suned,dc=sun,dc=com

NS_LDAP_AUTH= simple

NS_LDAP_SEARCH_REF= FALSE

NS_LDAP_SEARCH_SCOPE= one

NS_LDAP_SEARCH_TIME= 30

NS_LDAP_CACHETTL= 43200

NS_LDAP_PROFILE= default

NS_LDAP_CREDENTIAL_LEVEL= proxy

NS_LDAP_BIND_TIME= 10

Note – Do not modify the /var/ldap/ldap_client_file file directly.

You can also use the ldapclient command to view the current client’s local configuration. Refer to the ldapclient man page for a description of these attributes.

# ldapclient list

NS_LDAP_FILE_VERSION= 2.0

NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=suned,dc=sun,dc=com

NS_LDAP_BINDPASSWD= {NS1}ecc423aad0

NS_LDAP_SERVERS= 192.168.0.100

NS_LDAP_SEARCH_BASEDN= dc=suned,dc=sun,dc=com

NS_LDAP_AUTH= simple

NS_LDAP_SEARCH_REF= FALSE

NS_LDAP_SEARCH_SCOPE= one

NS_LDAP_SEARCH_TIME= 30

NS_LDAP_PROFILE= default

NS_LDAP_CREDENTIAL_LEVEL= proxy

NS_LDAP_BIND_TIME= 10
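A configuration check for the settings listed above, as an added example (not code from the student guide or from Sun). It parses the NAME= value format and flags settings that expose the proxy credential: a simple bind outside TLS carries the password in cleartext, and the proxy password is stored on the client. The function names and the file-mode argument are assumptions of this example, and the sample input is constructed from the listing above.

```python
import re

# Constructed sample: the settings printed by `ldapclient list` above.
SAMPLE_CONFIG = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=suned,dc=sun,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecc423aad0
NS_LDAP_SERVERS= 192.168.0.100
NS_LDAP_SEARCH_BASEDN= dc=suned,dc=sun,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 10
"""


def parse_client_config(text):
    """Parse 'NAME= value' lines, skipping comments and blank lines."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^(NS_LDAP_[A-Z0-9_]+)=\s*(.*)$", line)
        if not match:
            raise ValueError(f"line {lineno}: not a NAME= value pair: {raw!r}")
        settings[match.group(1)] = match.group(2).strip()
    return settings


def audit_client_config(settings, cred_file_mode=None):
    """Return (setting, message) findings for an LDAP client configuration.

    cred_file_mode is the permission mode of /var/ldap/ldap_client_cred,
    for example os.stat(path).st_mode & 0o777; None skips that check.
    """
    findings = []
    # Credential levels are space separated, methods semicolon separated.
    levels = settings.get("NS_LDAP_CREDENTIAL_LEVEL", "").lower().split()
    methods = [m.strip().lower()
               for m in settings.get("NS_LDAP_AUTH", "").split(";")
               if m.strip()]

    for method in methods:
        if method == "none":
            findings.append(("NS_LDAP_AUTH",
                             "method 'none' binds without authentication"))
        elif method == "simple" and "proxy" in levels:
            findings.append(("NS_LDAP_AUTH",
                             "simple bind without TLS sends the proxy password "
                             "in cleartext; use tls:simple or a sasl/ method"))

    if "anonymous" in levels:
        findings.append(("NS_LDAP_CREDENTIAL_LEVEL",
                         "anonymous binds are allowed"))

    if "proxy" in levels:
        for key in ("NS_LDAP_BINDDN", "NS_LDAP_BINDPASSWD"):
            if not settings.get(key):
                findings.append((key, "proxy level set but value is missing"))

    # The proxy password is stored on the client, so the file mode matters.
    if cred_file_mode is not None and cred_file_mode & 0o077:
        findings.append(("ldap_client_cred",
                         f"mode {cred_file_mode:04o} grants group/other access "
                         "to the stored proxy password"))
    return findings


if __name__ == "__main__":
    # 0o644 is a constructed mode used to show the permission finding.
    for key, message in audit_client_config(
            parse_client_config(SAMPLE_CONFIG), cred_file_mode=0o644):
        print(f"{key}: {message}")
```

The same proxy password also appears on the ldapclient init command line shown earlier, so shell history and process listings on the client deserve the same care as the file.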


Copying the /etc/nsswitch.ldap File to the /etc/nsswitch.conf File

During LDAP client initialization, the /etc/nsswitch.ldap file is copied over the /etc/nsswitch.conf file.

The default nsswitch.conf file for an LDAP client follows.

# more nsswitch.conf

#

# An example file that could be copied over to /etc/nsswitch.conf; it

# uses LDAP in conjunction with files.

#

# "hosts:" and "services:" in this file are used only if the

# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# LDAP service requires that svc:/network/ldap/client:default be enabled

# and online.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.

passwd: files ldap

group: files ldap

# consult /etc "files" only if ldap is down.

hosts: ldap [NOTFOUND=return] files

# Note that IPv4 addresses are searched for in all of the ipnodes databases

# before searching the hosts databases.

ipnodes: ldap [NOTFOUND=return] files

networks: ldap [NOTFOUND=return] files

protocols: ldap [NOTFOUND=return] files

rpc: ldap [NOTFOUND=return] files

ethers: ldap [NOTFOUND=return] files

netmasks: ldap [NOTFOUND=return] files

bootparams: ldap [NOTFOUND=return] files

publickey: ldap [NOTFOUND=return] files

netgroup: ldap

automount: files ldap

aliases: files ldap

# for efficient getservbyname() avoid ldap

services: files ldap


printers: user files ldap

auth_attr: files ldap

prof_attr: files ldap

project: files ldap
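The lookup order these entries produce, as an added example (not part of the student guide): a small Python model of the switch that parses source lists and [STATUS=action] criteria and reports which sources are consulted. The per-source responses are constructed inputs, the function names are this example's own, and the default actions (return on SUCCESS, continue otherwise) follow nsswitch.conf(4).

```python
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
ACTIONS = ("return", "continue")

# Entries taken from the nsswitch.ldap listing above.
SAMPLE_NSSWITCH = """\
passwd:     files ldap
# consult /etc "files" only if ldap is down.
hosts:      ldap [NOTFOUND=return] files
netgroup:   ldap
"""


def parse_nsswitch(text):
    """Return {database: [(source, {status: action}), ...]}."""
    databases = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: missing ':' in {raw!r}")
        sources = []
        for token in re.findall(r"\[[^\]]*\]|\S+", rest):
            if not token.startswith("["):
                # Default: stop on SUCCESS, try the next source otherwise.
                actions = dict.fromkeys(STATUSES, "continue")
                actions["SUCCESS"] = "return"
                sources.append((token, actions))
                continue
            if not token.endswith("]") or not sources:
                raise ValueError(f"line {lineno}: misplaced criteria {token!r}")
            # Criteria apply to the source immediately before them.
            for criterion in token[1:-1].split():
                status, _, action = criterion.partition("=")
                status, action = status.upper(), action.lower()
                if status not in STATUSES or action not in ACTIONS:
                    raise ValueError(f"line {lineno}: bad criterion {criterion!r}")
                sources[-1][1][status] = action
        databases[name.strip()] = sources
    return databases


def resolve(sources, responses):
    """Walk the sources in order and return (trace, final_status).

    responses maps a source name to the status it would answer with;
    a source that is not listed is treated as UNAVAIL.
    """
    trace = []
    status = "UNAVAIL"
    for source, actions in sources:
        status = responses.get(source, "UNAVAIL")
        if status not in STATUSES:
            raise ValueError(f"unknown status {status!r} for {source}")
        trace.append((source, status))
        if actions[status] == "return":
            break
    return trace, status


if __name__ == "__main__":
    db = parse_nsswitch(SAMPLE_NSSWITCH)
    cases = {
        "ldap up, name only in /etc/hosts": {"ldap": "NOTFOUND", "files": "SUCCESS"},
        "ldap down, name in /etc/hosts": {"ldap": "UNAVAIL", "files": "SUCCESS"},
    }
    for label, responses in cases.items():
        print(label, "->", resolve(db["hosts"], responses))
```

With hosts: ldap [NOTFOUND=return] files, a name missing from the directory is never looked up in /etc/hosts while the LDAP server is reachable; with passwd: files ldap, a local /etc/passwd entry wins over a directory entry of the same name.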

Listing LDAP Entries

You use the ldaplist command to list the naming information from the LDAP servers. This command uses the application programming interface (API) to access the information. Refer to the ldaplist man page for additional information.

Without any arguments, the ldaplist command returns all of the containers in the current search baseDN. For example:

# ldaplist

dn: ou=Hosts,dc=suned,dc=sun,dc=com

dn: ou=Group,dc=suned,dc=sun,dc=com

dn: ou=rpc,dc=suned,dc=sun,dc=com

dn: ou=protocols,dc=suned,dc=sun,dc=com

dn: ou=networks,dc=suned,dc=sun,dc=com

dn: ou=netgroup,dc=suned,dc=sun,dc=com

dn: ou=aliases,dc=suned,dc=sun,dc=com

dn: ou=people,dc=suned,dc=sun,dc=com

dn: ou=services,dc=suned,dc=sun,dc=com

dn: ou=Ethers,dc=suned,dc=sun,dc=com

dn: ou=profile,dc=suned,dc=sun,dc=com

dn: nismapname=auto_home,dc=suned,dc=sun,dc=com

dn: nismapname=auto_direct,dc=suned,dc=sun,dc=com

dn: nismapname=auto_master,dc=suned,dc=sun,dc=com


Unconfiguring an LDAP Client

To unconfigure an LDAP client, use the ldapclient command with the uninit option. This command removes the client files from the /var/ldap directory and restores the previous /etc/nsswitch.conf file.

The ldap_cachemgr process is also stopped. The changes to the client name service configuration are dynamic; therefore, no reboot is needed.

# ldapclient uninit

System successfully unconfigured


Performing the Exercises

You have the option to complete any one of three versions of a lab. To decide which to choose, consult the following descriptions of the levels:

• Level 1 – This version of the lab provides the least amount of guidance. Each bulleted paragraph provides a task description, but you must determine your own way of accomplishing each task.

• Level 2 – This version of the lab provides more guidance. Although each step describes what you should do, you must determine which commands (and options) to input.

• Level 3 – This version of the lab is the easiest to accomplish because each step provides exactly what you should input to the system. This level also includes the task solutions for all three levels.


Exercise: Configuring a System to Use DNS and LDAP (Level 1)

In this exercise, you configure the Solaris 10 OS client system to use DNS and LDAP as name services.

Preparation

Refer to the lecture notes to perform the tasks listed. The instructor’s system is configured as a DNS server and as an LDAP server for the classroom network, using a domain name of suned.sun.com.

Tasks

Perform the following tasks:

• Configure your system to use DNS, and verify that you can resolve other systems in your domain.

• Configure the system to be an LDAP client, and verify that you can resolve other systems in the classroom network.


Exercise: Configuring a System to Use DNS and LDAP (Level 2)

In this exercise, you configure the Solaris 10 OS client system to use DNS and LDAP as name services.

Preparation

Refer to the lecture notes to perform the tasks listed. The instructor’s system is configured as a DNS server and as an LDAP server for the classroom network, using a domain name of suned.sun.com.

Task Summary

Perform the following tasks:

• Configure your system to use DNS and verify that you can resolve other systems in your domain.

• Configure the system to be an LDAP client and verify that you can resolve other systems in the classroom network.

Tasks

Complete the following steps:

1. Add DNS to the name service by copying the /etc/nsswitch.dns file to the /etc/nsswitch.conf file.

2. Create the /etc/resolv.conf file, and:

a. Add a name server directive by using the address 192.168.30.30.

b. Add a domain directive by using suned.sun.com.

3. Verify that you can access another system in the classroom by using the ping command. First, use only the host name, and then use the fully qualified domain name – hostname.suned.sun.com.


4. Use the ldapclient command to initialize the system. The name of the profile is default.

5. Verify the name service switch file has been updated with the LDAP configuration.

6. Verify that you can access another system in the classroom by using the ping command.

7. Display the directory information tree (DIT) containers.

8. Display the Hosts container.

9. Unconfigure the LDAP client.

10. Verify the LDAP configuration has been removed from the name service switch file.


Exercise: Configuring a System to Use DNS and LDAP (Level 3)

In this exercise, you configure the Solaris 10 OS client system to use DNS and LDAP as name services.

Preparation

Refer to the lecture notes to perform the tasks listed. The instructor’s system is configured as a DNS server and as an LDAP server for the classroom network, using a domain name of suned.sun.com.

Task Summary

Perform the following tasks:

• Configure your system to use DNS and verify that you can resolve other systems in your domain.

• Configure the system to be an LDAP client and verify that you can resolve other systems in the classroom network.


Tasks and Solutions

Complete the following steps:

1. Add DNS to the name service by copying the /etc/nsswitch.dns file to the /etc/nsswitch.conf file.

# cp /etc/nsswitch.dns /etc/nsswitch.conf

2. Create the /etc/resolv.conf file, and:

a. Add a name server directive by using the address 192.168.30.30.

b. Add a domain directive by using suned.sun.com.

# vi /etc/resolv.conf

Use vi to create the /etc/resolv.conf file, and insert the following lines:

nameserver 192.168.30.30

domain suned.sun.com

3. Verify that you can access another system in the classroom by using the ping command. First, use only the host name, and then use the fully qualified domain name, hostname.suned.sun.com.

# ping sys43

sys43 is alive

# ping sys43.suned.sun.com 

sys43.suned.sun.com is alive

4. Use the ldapclient command to initialize the system. The name of the profile is default.

# ldapclient -v init -a proxyPassword=proxy \
-a proxyDN=cn=proxyagent,ou=profile,dc=suned,dc=sun,dc=com \
-a domainname=suned.sun.com 192.168.30.30

5. Verify the name service switch file has been updated with the LDAP configuration.

# more /etc/nsswitch.conf

6. Verify that you can access another system in the classroom by using the ping command.

# ping sys43

sys43 is alive

7. Display the DIT containers.

# ldaplist


8. Display the Hosts container.

# ldaplist hosts

9. Unconfigure the LDAP client.

# ldapclient -v uninit

10. Verify the LDAP configuration has been removed from the name service switch file.

# more /etc/nsswitch.conf


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

• Experiences

• Interpretations

• Conclusions

• Applications


Module 14

Configuring the Network Information Service (NIS)

Objectives

Network Information Service (NIS) enables you to create central repositories for administrative files on server systems within a single UNIX domain. The NIS client-server relationship requires that each system must be configured as an NIS client and that at least one system must be configured as an NIS master server.

Upon completion of this module, you should be able to:

• Describe NIS fundamentals

• Configure the name service switch file

• Describe NIS security

• Configure an NIS domain

• Build custom NIS maps

• Troubleshoot NIS

The course map in Figure 14-1 shows how this module fits into the current instructional goal.

Figure 14-1 Course Map

[Figure: course map for Setting Up Name Services, with the modules Using Name Services, Configuring Name Service Clients, and Configuring the Network Information Service (NIS)]


Introducing NIS Fundamentals

NIS facilitates the creation of server systems that act as central repositories for several of the administrative files found on UNIX systems. The benefits of NIS include:

• Centralized administration of configuration files

• Better scaling of configuration file administration as networks grow

Figure 14-2 shows that NIS is organized into named administrative domains. Conceptually, within each domain there is one NIS master server, zero or more slave servers, and one or more clients.

Figure 14-2 NIS Domains

NIS Namespace Information

NIS makes network administration more manageable by providing centralized control over a variety of network information. NIS stores information about host names and their IP addresses, users, groups, and others. This collection of network information is called the NIS namespace.

NIS maps can replace or be used with the configuration files that exist on each UNIX system.

NIS maps are located in the /var/yp/domainname directory (where domainname is the name of the NIS domain). There are two files (.pag and .dir files) for each map in this directory.

[Figure 14-2 diagram labels: ASCII Files, make, Maps, Master Server, Push, Slave Server, Lookup, Client]


Map Contents and Sort Keys

Each map contains a key and value pair. The key represents data used to perform the lookup in the map, while the value represents data returned after a successful lookup. The maps are the results of sorting the data based on different keys.

For example, the /var/yp/domainname/hosts.byaddr.pag map contains the data for the hosts map indexed by host IP addresses. Similarly, the /var/yp/domainname/hosts.byname.pag map contains the same host data using the host name as the lookup key. For the domain name training, the NIS map files list for the hosts map are:

• The /var/yp/training/hosts.byname.pag file

• The /var/yp/training/hosts.byname.dir file

• The /var/yp/training/hosts.byaddr.pag file

• The /var/yp/training/hosts.byaddr.dir file

The syntax for the NIS maps is:

map.key.pag and map.key.dir

where:

map   The base name of the map (hosts, passwd, and so on).

key   The map’s sort key (byname, byaddr, and so on).

pag   The map’s data.

dir   An index to the *.pag file. If the *.pag file is small, the *.dir file might be empty.

Sometimes searches are made using names. At other times, searches may be performed using an ID number. It is worth noting that searches can be forced to occur on the appropriate NIS map file. For example:

# ypmatch -k chris passwd.byname

chris: chris:MWnTvQ5PGuiYo:100:1::/export/home/chris:/usr/bin/ksh

# ypmatch -k chris passwd.byuid

Can’t match key chris in map passwd.byuid. Reason: no such key in map.

# ypmatch -k 100 passwd.byuid

100: chris:MWnTvQ5PGuiYo:100:1::/export/home/chris:/usr/bin/ksh


Commands to Read Maps

You can use two commands to read maps:

• ypcat [ -k ] mname – The ypcat command prints out values in the NIS name service map specified by the mname argument, which can be either a map name or a map nickname.

# ypcat hosts

192.168.30.30 instructor instructor. loghost

192.168.30.30 instructor instructor. loghost

127.0.0.1 localhost

192.168.30.30 instructor instructor. loghost

192.168.30.41 sys41

192.168.30.34 sys34

• ypmatch [ -k ] value mname – The ypmatch command prints the values associated with one or more keys from the NIS name services map specified by the mname argument, which can be either a map name or a map nickname.

# ypmatch sys44 hosts

sys44: 192.168.30.44 sys44 loghost

# ypmatch usera passwd

usera: usera:LojyTdiQev5i2:3001:10::/export/home/usera:/bin/ksh

NIS Domains

An NIS domain is a collection of hosts and interconnecting networks that are organized into a single administrative authority. NIS uses domains to arrange the hosts, users, and networks in its namespace. An NIS namespace does not use a domain hierarchy. Each NIS domain contains:

• One NIS master server

• NIS slave servers (optional)

• NIS clients

The NIS Master Server

Within each domain, the NIS master server:

• Contains the original source ASCII files used to build the NIS maps

• Contains the NIS maps generated from the ASCII files

• Provides a single point-of-control for the entire NIS domain


NIS Slave Servers

Within each domain, the NIS slave servers:

• Do not contain the original source ASCII files used to build the NIS maps

• Contain copies of the NIS maps copied from the NIS master server

• Provide a backup for NIS map information

• Provide redundancy in case of server failures

• Provide load sharing on large networks

NIS Clients

Within each domain, the NIS clients:

• Do not contain the original source ASCII files used to build the NIS maps

• Do not contain any NIS maps

• Bind to the master server or to a slave server to obtain access to the administrative file information contained in that server’s NIS maps

• Dynamically rebind to another server in case of server failure

• Make all appropriate system calls aware of NIS

Note – All hosts in the NIS environment are clients. All NIS clients that are configured as NIS master server and NIS slave servers contain copies of the NIS maps to support the server function.


NIS Processes

The main daemons involved in the running of an NIS domain are:

• The ypserv daemon

• The ypbind daemon

• The rpc.yppasswdd daemon

• The ypxfrd daemon

• The rpc.ypupdated daemon

Figure 14-3 shows a domain and its NIS daemons.

Figure 14-3 NIS Processes and Daemons

[Figure: diagram labels are ASCII Files, make, Maps, Master Server, Push, Slave Server, Lookup, Client, and Daemons (ypserv, ypbind, rpc.yppasswdd, ypxfrd, rpc.ypupdated)]


The ypservDaemon

The ypserv daemon:

q Runs on master and slave servers

q

Answers ypbind requests from clientsq Responds to client information requests

The ypbind Daemon

The ypbind daemon:

q Runs on all NIS client systems

q Makes initial client-to-server binding requests

q Stores binding information in the /var/yp/binding/domainname directory

q Rebinds to another server if the connection is lost with the initial server

q Requests NIS map information at the library-call level

The rpc.yppasswdd Daemon

The rpc.yppasswdd daemon:

q Allows users to change their passwords

q Updates the passwd and shadow files on the master server

q Updates the NIS password map

q Provides or “pushes” the NIS password map to all slave servers

The ypxfrd Daemon

The ypxfrd daemon:

q Runs on the NIS master server only

q Responds to requests, generated in the slave servers by using the ypxfr command, to pull the maps from the master

q Transfers NIS maps

The rpc.ypupdated Daemon

The rpc.ypupdated daemon:

q Runs on the NIS master server only

q Updates NIS maps using the configuration stored in the /var/yp/updaters file

Note – The rpc.ypupdated daemon and the /var/yp/updaters file relate to systems running secure Remote Procedure Call (RPC) services. By default, the updating master’s Makefile is not used to authenticate changing any conventional NIS maps.

Configuring the Name Service Switch

The name service switch is a file named /etc/nsswitch.conf. This file controls how a client host or application obtains network information. A template file is provided for each of the Solaris OS name services to assist you in configuring the respective name services. When you select NIS as the name service, the /etc/nsswitch.nis configuration file loads into the default /etc/nsswitch.conf file.

# cat /etc/nsswitch.nis

#

# /etc/nsswitch.nis:

#

# An example file that could be copied over to /etc/nsswitch.conf; it

# uses NIS (YP) in conjunction with files.

#

# "hosts:" and "services:" in this file are used only if the

# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.

passwd: files nis

group: files nis

# consult /etc "files" only if nis is down.

hosts: nis [NOTFOUND=return] files

# Note that IPv4 addresses are searched for in all of the ipnodes databases

# before searching the hosts databases.

ipnodes: nis [NOTFOUND=return] files

networks: nis [NOTFOUND=return] files

protocols: nis [NOTFOUND=return] files

rpc: nis [NOTFOUND=return] files

ethers: nis [NOTFOUND=return] files

netmasks: nis [NOTFOUND=return] files

bootparams: nis [NOTFOUND=return] files

publickey: nis [NOTFOUND=return] files

netgroup: nis

automount: files nis

aliases: files nis

# for efficient getservbyname() avoid nis

services: files nis

printers: user files nis

auth_attr: files nis

prof_attr: files nis

project: files nis

The name service switch file is a database list. Each entry is followed by ordered lists of information that help locate specific information from the respective databases. Although you can customize the nsswitch.conf file to specify any search order, the most common search orders are:

q Search files and then NIS

q Search NIS and then files

q Search files, then NIS, then DNS

Changing Lookup Requests to Go From Files to NIS

A default /etc/nsswitch.nis file is provided with the Solaris 10 OS. This file helps specific databases send lookup requests to local files and then to NIS maps:

passwd: files nis

group: files nis

automount: files nis

aliases: files nis

services: files nis

auth_attr: files nis

prof_attr: files nis

project: files nis

Using the passwd database as an example, the entry states that user information lookup is performed first by using the /etc/passwd and /etc/shadow files. If the information does not exist in these local files, then the password lookup requests search the NIS maps on the NIS server.

Changing Lookup Requests to Go From NIS to Files

The default /etc/nsswitch.nis file, provided with the Solaris 10 OS, is also configured so that specific databases can send lookup requests first to the NIS maps and then to the local files. The databases that follow this procedure are:

hosts: nis [NOTFOUND=return] files

networks: nis [NOTFOUND=return] files

protocols: nis [NOTFOUND=return] files

rpc: nis [NOTFOUND=return] files

ethers: nis [NOTFOUND=return] files

netmasks: nis [NOTFOUND=return] files

bootparams: nis [NOTFOUND=return] files

publickey: nis [NOTFOUND=return] files

Using the hosts database as an example, the entry states that hosts lookup requests first search the NIS maps on the NIS server. If these maps do not contain the information, then the hosts lookup requests search the /etc/inet/hosts file on the client system.

To further define this search, use a status message and a name service switch action option. The [NOTFOUND=return] condition works as follows:

q If the NIS maps source does not respond or is unavailable, the map cannot be accessed, so the search continues with the local file.

q If the NIS maps return a “no such entry” response, the NOTFOUND condition applies. Because it is configured with the return action, the system stops looking for the information. Therefore, when the entry is not found in the NIS map file, the search stops.

The NIS client requests information from the NIS server as usual. If the information is not found, the NIS client requests the information from the DNS server directly. The NIS client is configured as a DNS client so that it can request the information directly from the DNS server. Therefore, you do not need to configure the Makefile file. Using this method, you can configure the hosts database information source in the /etc/nsswitch.conf file to recognize both NIS and DNS.

The following line requests information first from the NIS namespace and then, if the information is not found, it searches the DNS namespace.

hosts: nis dns

Figure 14-4 shows the process of searching NIS and DNS namespaces. If the information is not located in the NIS namespace, the NIS server returns a status of NOTFOUND. In the name service switch, the default action for the NOTFOUND status is to continue the search with the next listed information source. In this case, the next information source is DNS; therefore, the client requests the information from the DNS namespace.
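The search rules described above, for both the [NOTFOUND=return] entries and the nis dns entry, are modeled below as an added example that is not part of the original guide. The map contents and host names are constructed sample data, and the model assumes the switch's default actions (SUCCESS returns, every other status continues).

```python
# Added example: models how the name service switch walks one
# nsswitch.conf entry. All map contents below are constructed sample data.

# Default action for each status a source can report.
DEFAULT_ACTIONS = {
    "SUCCESS": "return",
    "NOTFOUND": "continue",
    "UNAVAIL": "continue",
    "TRYAGAIN": "continue",
}


def parse_entry(line):
    """Parse 'hosts: nis [NOTFOUND=return] files' into
    ('hosts', [('nis', {status: action}), ('files', {status: action})])."""
    line = line.split("#", 1)[0]
    database, sep, rest = line.partition(":")
    if not sep or not rest.strip():
        raise ValueError("not a switch entry: %r" % line)
    # Pad the brackets so '[NOTFOUND=return]' splits into separate tokens.
    tokens = rest.replace("[", " [ ").replace("]", " ] ").split()
    sources, in_criteria = [], False
    for tok in tokens:
        if tok == "[":
            if not sources:
                raise ValueError("criteria must follow a source")
            in_criteria = True
        elif tok == "]":
            in_criteria = False
        elif in_criteria:
            status, _, action = tok.partition("=")
            status, action = status.upper(), action.lower()
            if status not in DEFAULT_ACTIONS or action not in ("return", "continue"):
                raise ValueError("bad criterion: %r" % tok)
            sources[-1][1][status] = action  # override the default action
        else:
            sources.append((tok, dict(DEFAULT_ACTIONS)))
    return database.strip(), sources


def resolve(entry, key, backends):
    """Resolve key through the sources of one switch entry.

    backends maps a source name to a dict of its entries, or to None when
    that source is not answering. Returns (value_or_None, trace); trace
    lists (source, status) in the order the sources were consulted.
    """
    _, sources = parse_entry(entry)
    trace = []
    for name, actions in sources:
        table = backends.get(name)
        if table is None:
            status, value = "UNAVAIL", None
        elif key in table:
            status, value = "SUCCESS", table[key]
        else:
            status, value = "NOTFOUND", None
        trace.append((name, status))
        if actions[status] == "return":
            return value, trace
    return None, trace


# Constructed sample data: one host exists only in the local file, one only in DNS.
NIS_HOSTS = {"sys41": "192.168.30.41", "sys44": "192.168.30.44"}
LOCAL_HOSTS = {"sys41": "192.168.30.41", "labprinter": "192.168.30.200"}
DNS_HOSTS = {"www.example.com": "192.0.2.10"}

if __name__ == "__main__":
    strict = "hosts: nis [NOTFOUND=return] files"
    cases = [
        (strict, "labprinter", {"nis": NIS_HOSTS, "files": LOCAL_HOSTS}),
        (strict, "labprinter", {"nis": None, "files": LOCAL_HOSTS}),
        ("hosts: nis dns", "www.example.com", {"nis": NIS_HOSTS, "dns": DNS_HOSTS}),
    ]
    for entry, key, backends in cases:
        print(entry, "|", key, "->", resolve(entry, key, backends))
```

With [NOTFOUND=return], a host that exists only in the local file is not resolved while NIS is answering, and becomes resolvable only when NIS is unavailable.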

Figure 14-4 Searching NIS and DNS Namespaces

[Diagram: NIS Client, NIS Server, and DNS Server shown against a time axis.]

Introducing NIS Security

Just as NIS makes the network information more manageable, it can also create inadvertent security holes. Two methods of closing these security holes are using the securenets file to restrict access to a single host or to a subnetwork, and using the passwd.adjunct file to limit access to the password information across the network.

The securenets File

The /var/yp/securenets file limits access to NIS services. If the /var/yp/securenets file exists on an NIS server, the server only answers queries or supplies maps to hosts and networks whose IP addresses exist in the file.

The server must be able to access itself. To access itself, the server can be a part of the subnet that is allowed to access the server, or you can add the following entry:

host 127.0.0.1

The following example describes a securenets file where:

q The server is configured to access itself.

q A class C network is configured for access.

q Two specific hosts, 13.13.14.1 and 13.13.14.2, are configured to access the NIS information.

# Each line contains two fields separated by white space.

(output omitted for brevity)

#

host 127.0.0.1

255.255.255.0 150.10.1.0

host 13.13.14.1

host 13.13.14.2
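The following added example, which is not part of the original guide, parses the securenets format shown above and reports which client addresses the file admits, plus rules that cannot work. It assumes that a client is admitted when its address ANDed with the netmask field equals the network field; the sample text is constructed from the file on this page.

```python
import ipaddress

# Constructed from the sample securenets file shown above.
SAMPLE_SECURENETS = """\
# Each line contains two fields separated by white space.
host 127.0.0.1
255.255.255.0 150.10.1.0
host 13.13.14.1
host 13.13.14.2
"""


def parse_securenets(text):
    """Return [(lineno, netmask, network)] with both fields as integers."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("line %d: expected two fields: %r" % (lineno, raw))
        mask, network = fields
        if mask.lower() == "host":
            # 'host' stands for a netmask that matches exactly one address.
            mask = "255.255.255.255"
        rules.append((lineno,
                      int(ipaddress.IPv4Address(mask)),
                      int(ipaddress.IPv4Address(network))))
    return rules


def is_allowed(rules, client):
    """Assumed matching rule: (client AND netmask) == network field."""
    addr = int(ipaddress.IPv4Address(client))
    return any((addr & mask) == network for _, mask, network in rules)


def audit(rules, server_ip):
    """Return a list of findings for rules that cannot work as intended."""
    findings = []
    for lineno, mask, network in rules:
        if network & ~mask & 0xFFFFFFFF:
            findings.append("line %d: network has bits outside the netmask; "
                            "the rule never matches" % lineno)
        if mask == 0 and network == 0:
            findings.append("line %d: matches every IPv4 address" % lineno)
    # The server must be able to access itself, through loopback or its subnet.
    if not (is_allowed(rules, "127.0.0.1") or is_allowed(rules, server_ip)):
        findings.append("server cannot access itself: add 'host 127.0.0.1' "
                        "or allow %s" % server_ip)
    return findings


if __name__ == "__main__":
    rules = parse_securenets(SAMPLE_SECURENETS)
    # Constructed client addresses; the server address is hypothetical.
    for client in ("150.10.1.77", "150.10.2.1", "13.13.14.1", "13.13.14.3"):
        print(client, "allowed" if is_allowed(rules, client) else "refused")
    print(audit(rules, "150.10.1.5") or "no findings")
```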

If you modify entries in the /var/yp/securenets file, you must stop and restart the ypserv and ypxfrd daemons. To restart the daemons, stop and restart the NIS services with:

# svcadm disable svc:/network/nis/server:default

# svcadm enable svc:/network/nis/server:default

Caution – Stopping and starting NIS services results in a short period of name services being unavailable.

The passwd.adjunct File

Note – Refer to “Using NIS with C2 Security” in the “System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)” book on docs.sun.com for more information about the passwd.adjunct file.

The passwd.adjunct file prevents unauthorized users from seeing the encrypted passwords that normally form part of the output when viewing the NIS passwd maps.

Encrypted passwords are normally hidden from the user in the /etc/shadow file. With the default NIS configuration, however, the encrypted password string is shown as part of the passwd maps.

The following example shows that the user password is hidden from view when viewing the /etc/passwd file:

# grep usera /etc/passwd

usera:x:3001:10::/export/home/usera:/bin/ksh

When the ypmatch command runs against the usera account value in the passwd map, the following output appears:

# ypmatch -k usera passwd

usera: usera:LojyTdiQev5i2:3001:10::/export/home/usera:/bin/ksh

The encrypted user password is included as part of the NIS passwd maps. To maintain the same security, the system configures the passwd.adjunct file. The passwd.adjunct file contains the account name preceded by ## in the password field. Subsequent attempts to gain account information, using the ypcat or ypmatch commands, return the password entry from the passwd.adjunct file, as follows:

# ypmatch -k usera passwd

usera: usera:##usera:3001:10::/export/home/usera:/bin/ksh

One method to enable the passwd.adjunct file is to follow the procedures to configure C2 security features. These procedures are located on the Sun Product Documentation Web site at http://docs.sun.com.
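To check which accounts a passwd map still exposes, the following added example (not part of the original guide) classifies the password field of each line as printed by ypcat passwd or ypmatch -k. The sample lines reuse the entries shown on this page plus one constructed entry; the verdict names are this example's own.

```python
import re

# Traditional crypt(3) strings are 13 characters from this alphabet.
CRYPT_TRADITIONAL = re.compile(r"^[./0-9A-Za-z]{13}$")


def split_map_line(line):
    """Drop the 'key: ' prefix that ypmatch -k prints, then split on ':'."""
    line = line.strip()
    first, _, rest = line.partition(" ")
    # A key prefix is a single token ending in ':' with no other colon,
    # which keeps GECOS fields that contain spaces intact.
    if rest and first.endswith(":") and first.count(":") == 1:
        line = rest.strip()
    return line.split(":")


def classify(name, field):
    """Return a verdict for the password field of one passwd map entry."""
    if field == "##" + name:
        return "adjunct"            # placeholder served with passwd.adjunct
    if field == "x":
        return "placeholder"        # no password string in the map
    if field == "":
        return "empty"
    if field.startswith("*") or field == "NP":
        return "locked"
    if CRYPT_TRADITIONAL.match(field):
        return "exposed-crypt"      # readable by any client that can query the map
    if field.startswith("$"):
        return "exposed-modular"
    return "unknown"


def audit_passwd_map(lines):
    """Map each account name to its verdict."""
    verdicts = {}
    for line in lines:
        if not line.strip():
            continue
        fields = split_map_line(line)
        if len(fields) != 7:
            verdicts[fields[0] or "?"] = "malformed"
            continue
        verdicts[fields[0]] = classify(fields[0], fields[1])
    return verdicts


def exposed(lines):
    """Sorted account names whose password string is visible in the map."""
    return sorted(name for name, verdict in audit_passwd_map(lines).items()
                  if verdict.startswith("exposed"))


# Entries as shown on this page (default configuration), plus one
# constructed entry with a space in the GECOS field.
MAP_DEFAULT = [
    "usera: usera:LojyTdiQev5i2:3001:10::/export/home/usera:/bin/ksh",
    "user5:.dJJ.oofIqCLs:4005:10::/export/home/user5:/bin/ksh",
    "userb:x:3002:10:User B:/export/home/userb:/bin/ksh",
]
# Entry as shown on this page once passwd.adjunct is in use.
MAP_ADJUNCT = [
    "usera: usera:##usera:3001:10::/export/home/usera:/bin/ksh",
]

if __name__ == "__main__":
    import sys
    lines = MAP_DEFAULT if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for name, verdict in sorted(audit_passwd_map(lines).items()):
        print(name, verdict)
```

Piping the output of ypcat passwd into the script from an ordinary client account shows what every NIS client in the domain can read.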

Configuring NIS Domain

To generate NIS maps, you need the source files. You can find source files in the /etc directory on the master server. Do not keep the source files in the /etc directory, because the contents of the maps are then the same as the contents of the local files that control access to the master server. This is a special problem for the /etc/passwd and /etc/shadow files, because all users would have access to the master server’s root password that would be available to all NIS clients through the passwd map.

To locate the source files in another directory, modify the /var/yp/Makefile file:

q Change the INETDIR line to DIR=/your-choice

q Change the DIR=/etc line to DIR=/your-choice

q Change the PWDIR=/etc line to PWDIR=/your-choice

q Copy files from /etc, /etc/inet, and /etc/services to DIR=/your-choice

where your-choice is the name of the directory that you are using to store the source files. This process enables you to keep the local files on the server separate from those files used for NIS.

Caution – Before you make any modifications to the /var/yp/Makefile file, save a copy of the original Makefile file.

Generating NIS Maps

The NIS configuration script, /usr/sbin/ypinit, and the make utility generate NIS maps. The ypinit command reads the /var/yp/Makefile file for source file locations, and converts ASCII source files into NIS maps.

Note – For security reasons and to prevent unauthorized root access, the files that build the NIS password maps should not contain an entry for the root user. To make sure of this, copy the files to an alternative directory, and modify the PWDIR entry in the Makefile file.
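One way to prepare the alternative password source directory described in the note, as an added example that is not part of the original guide: it copies passwd and shadow while leaving out the root entry. Treating every UID 0 account as root and the file modes used are assumptions of this example, and the demo runs on constructed files in a temporary directory.

```python
import os
import tempfile


def _write(path, lines, mode):
    """Create the file with its final mode, then enforce it if it pre-existed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        fh.writelines(lines)
    os.chmod(path, mode)


def build_pw_sources(etc_dir, pwdir):
    """Copy passwd and shadow from etc_dir into pwdir without root entries.

    Assumption of this example: any account with UID 0 is treated as root.
    Returns the sorted list of account names that were left out.
    """
    os.makedirs(pwdir, mode=0o700, exist_ok=True)
    dropped, kept_names, passwd_out = [], set(), []
    with open(os.path.join(etc_dir, "passwd")) as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if len(fields) != 7:
                continue  # blank or malformed lines are not copied
            name, uid = fields[0], fields[2]
            if name == "root" or uid == "0":
                dropped.append(name)
                continue
            kept_names.add(name)
            passwd_out.append(line if line.endswith("\n") else line + "\n")
    shadow_out = []
    with open(os.path.join(etc_dir, "shadow")) as fh:
        for line in fh:
            # Keep only shadow lines that belong to a copied passwd entry.
            if line.split(":", 1)[0] in kept_names:
                shadow_out.append(line if line.endswith("\n") else line + "\n")
    _write(os.path.join(pwdir, "passwd"), passwd_out, 0o644)
    _write(os.path.join(pwdir, "shadow"), shadow_out, 0o600)
    return sorted(dropped)


def demo():
    """Run build_pw_sources on constructed files; return what was produced."""
    with tempfile.TemporaryDirectory() as top:
        etc_dir = os.path.join(top, "etc")
        pwdir = os.path.join(top, "yp_dir")   # stands in for the PWDIR directory
        os.mkdir(etc_dir)
        with open(os.path.join(etc_dir, "passwd"), "w") as fh:
            fh.write("root:x:0:0:Super-User:/:/sbin/sh\n"
                     "toor:x:0:0:second UID 0 account:/:/sbin/sh\n"
                     "usera:x:3001:10::/export/home/usera:/bin/ksh\n")
        with open(os.path.join(etc_dir, "shadow"), "w") as fh:
            fh.write("root:CONSTRUCTED-HASH-R:12000::::::\n"
                     "toor:CONSTRUCTED-HASH-T:12000::::::\n"
                     "usera:CONSTRUCTED-HASH-A:12000::::::\n")
        dropped = build_pw_sources(etc_dir, pwdir)
        with open(os.path.join(pwdir, "passwd")) as fh:
            passwd_text = fh.read()
        with open(os.path.join(pwdir, "shadow")) as fh:
            shadow_text = fh.read()
        shadow_mode = os.stat(os.path.join(pwdir, "shadow")).st_mode & 0o777
        return dropped, passwd_text, shadow_text, shadow_mode


if __name__ == "__main__":
    dropped, passwd_text, shadow_text, shadow_mode = demo()
    print("left out:", dropped)
    print(passwd_text, end="")
    print("shadow mode: %o" % shadow_mode)
```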

Locating Source Files

The source files are located in the /etc directory on the master server, but the files can be copied into another directory, such as /etc/yp_dir shown in Figure 14-5.

Figure 14-5 Important Files on the NIS Master (Part 1)

Figure 14-5 also shows the location of the defaultdomain file that resides in the /etc directory. The /etc/defaultdomain file sets the NIS domain name during system boot.

[Diagram: directory tree. The /etc directory contains defaultdomain, hosts, passwd, shadow, and other files. The /etc/yp_dir directory contains hosts, passwd, shadow, and any additional ASCII files that are used for building NIS maps.]

The ypinit script calls the program make, which uses the Makefile file located in the /var/yp directory. Figure 14-6 shows a default Makefile in the /var/yp directory, which contains the commands needed to transform the source files into the NIS maps.

Figure 14-6 Important Files on the NIS Master (Part 2)

The /var/yp directory contains a subdirectory named after the NIS domain name. This domainname directory is the repository for the NIS maps created by the ypinit script. The /var/yp/binding/domainname directory contains the ypservers file where the names of the NIS master server and NIS slave servers are stored.

[Diagram: directory tree. The /var/yp directory contains *.time files, the Makefile, the domainname directory that holds the NIS maps (for example hosts.byaddr.dir and hosts.byaddr.pag), and binding/domainname, which holds the ypservers file.]

Figure 14-7 shows that the /usr/lib/netsvc/yp directory contains the ypstop and ypstart commands that stop and start NIS services, respectively.

Figure 14-7 Important Files on the NIS Master (Part 3)

Dependencies of the NIS Makefile File

The NIS Makefile works by using a set of dependencies. When the make command is executed, it is effectively a make all command. The second section of the Makefile contains the target line all, which determines which maps are built. The all target entries are matched with dependency entries in the fourth section of the Makefile to match them with the final dependencies that define which code segments in section three of the Makefile are executed to construct the specified NIS maps. Section one of the Makefile contains macros that are called out in section three. These macros redirect the make utility to the alternate locations of source files when you choose to use a source file directory other than the /etc directory.

Note – These sections of the Makefile are described in detail later in this module.

Converting ASCII Source Files Into NIS Maps

To build new maps on the master server, perform the command:

# /usr/sbin/ypinit -m 

The ypinit command prompts for a list of other machines to become NIS slave servers. Type the name of the server on which you are working, along with the names of your NIS slave servers. The ypinit command asks whether you want the procedure to terminate at the first nonfatal error or to continue despite nonfatal errors.

The ypinit command asks whether the existing files in the /var/yp/domainname directory can be destroyed. This message is displayed only if NIS has been previously installed. You must answer yes to install a new version of NIS maps. After the ypinit command has constructed the list of servers, it invokes the make command.

This program uses the instructions contained in the Makefile file (either the default one or the one you modified) located in the /var/yp directory. The make command strips any remaining comment lines from the source files and runs the makedbm function on them, creating the appropriate maps and establishing the name of the master server in each map.

Configuring the NIS Master Server

To set up the NIS name service master server, perform the following steps:

1. Determine which machines on your network domain will be NIS servers. There should be one NIS master server, and there can be as many NIS slave servers as needed. All systems within the domain are NIS clients.

2. Choose an NIS domain name. This is usually less than 32 characters in length. The maximum length is 256 characters, and it is case sensitive.

3. Enter the domainname command to set the local NIS domain.

# domainname domainname 

For example:

# domainname classroom.Central.Sun.COM 

4. Create an /etc/defaultdomain file with the domain name. You must maintain the format established by the original files and update the text files in the /etc directory (all of the files that are used for NIS maps) on the master server with information about the domain.

5. If the files do not already exist, use the touch command to create zero-length files with the following names: /etc/ethers, /etc/bootparams, /etc/locale, /etc/timezone, /etc/netgroup, and /etc/netmasks. These files are necessary for the creation of the complete set of NIS maps as directed in the Makefile file. When you initialize NIS, you receive error messages for each of these files if they do not exist.

6. Install an updated Makefile file in the /var/yp directory if you intend to use NIS on the system that functions as your JumpStart™ software (JumpStart) server. Performing this installation provides entries that create a map for the /etc/locale file, so that the locale information does not have to be provided by the sysidcfg file.

Note – The lab at the end of this module shows you how to create the updated Makefile file.

7. Create or populate the /etc/locale file, and make an entry for each domain on your network using the following format:

domainname locale

For example:

classroom.Central.Sun.COM en_US

8. Initialize the master server by using the local /etc files. Enter the ypinit -m command.

# ypinit -m 

a. When the program prompts you for a list of slave servers and after you complete your list, press Control-D. You can make entries for all slaves now, or you can rerun the ypinit -m command after you determine whether you need more or fewer slave servers.

b. The program asks if you want to terminate it on the first fatal error. If you answer n, the procedure reports any error and attempts to complete the creation of the NIS database files. If you answer y, the process aborts with the first error. You can correct the error and restart the ypinit program.

9. Copy the /etc/nsswitch.nis file to the /etc/nsswitch.conf file. If necessary, modify the file.

The following example shows the text feedback displayed as the program begins:

# ypinit -m 

In order for NIS to operate successfully, we have to construct a list of

the NIS servers. Please continue to add the names for YP servers in order

of preference, one per line. When you are done with the list, type a

<control D> or a return on a line by itself.

next host to add: server1

next host to add: <Control-D>

The current list of yp servers looks like this:

server1

Is this correct? [y/n: y] y

Installing the YP database will require that you answer a few questions.

Questions will all be asked at the beginning of the procedure.

Do you want this procedure to quit on non-fatal errors? [y/n: n] n

OK, please remember to go back and redo manually whatever fails. If you

don't, some part of the system (perhaps the yp itself) won't work.

Note – If you have to restart the ypinit program, you are prompted to destroy the /var/yp/domainname directory. Answer y.

10. Start the NIS daemons on the master server with the following command:

# svcadm enable svc:/network/nis/server:default

11. If you want to stop the NIS service running on the NIS master, perform the command:

# svcadm disable svc:/network/nis/server:default

Testing the NIS Service

There are a number of commands that you can use to obtain information from and about the NIS database. You can also use these commands to test the functionality of the NIS service. You do not have to be the superuser to use these commands.

The most commonly used NIS commands are:

ypcat      Prints values from an NIS map

ypmatch    Prints the value of one or more keys from an NIS map

ypwhich    Returns the name of the NIS server that supplies the NIS map services to an NIS client

Using the ypcat Command

The following example prints the information from the hosts database.

$ ypcat hosts

192.168.30.30 instructor instructor1

127.0.0.1 localhost loghost

192.168.30.45 sys45

192.168.30.44 sys44

192.168.30.43 sys43

192.168.30.42 sys42

192.168.30.41 sys41

...

<output truncated>

...

Using the ypmatch Command

The following example matches individual host entries.

# ypmatch sys41 localhost hosts

192.168.30.41 sys41

127.0.0.1 localhost loghost

The following example matches a specific user in the password database.

# ypmatch user5 passwd

user5:.dJJ.oofIqCLs:4005:10::/export/home/user5:/bin/ksh

Using the ypwhich Command

Perform the ypwhich command to identify the NIS server the client is bound to:

$ ypwhich

sys44

When used with the -m option, the ypwhich command provides a list of all databases and the name of the master server for each map.

$ ypwhich -m 

...

<output truncated>

...

timezone.byname sys44

netmasks.byaddr sys44

netid.byname sys44

bootparams sys44

netgroup.byhost sys44

netgroup.byuser sys44

netgroup sys44

...

<output truncated>

...

Configuring the NIS Client

All systems within an NIS domain that are not configured as servers are configured as clients. To configure the NIS client, complete the following steps:

1. Edit the /etc/inet/hosts file to ensure that the NIS master server and all slave servers have been defined.

2. Execute the domainname domainname command to set the local NIS domain.

# domainname domainname 

For example:

# domainname classroom.Central.Sun.COM 

3. Create or populate the /etc/defaultdomain file with the domain name.

4. To initialize the system as an NIS client, perform the command:

# ypinit -c

5. When the system prompts you for a list of NIS servers, enter the names of the NIS master and all slave servers.

6. Copy the /etc/nsswitch.nis file to the /etc/nsswitch.conf file. If necessary, modify the file.

Note – To exit the ypinit command without building a specific list of NIS servers, press Control-D. The client then broadcasts to bind the first available server during subsequent ypbind operations. When not operating in broadcast mode, clients can only bind to servers that are listed in their /var/yp/binding/domainname/ypservers file.

7. Start NIS with the following command:

# svcadm enable svc:/network/nis/client:default

8. On the newly configured NIS client, test the NIS functionality by performing the command:

# ypwhich -m 

The output shows a list of maps together with the NIS master server for each map.

Configuring the NIS Slave Server

You should have at least one NIS slave server to provide backup if the NIS master server becomes unavailable. To configure an NIS slave server, complete the following steps on the system that you want to designate as the slave server:

1. Edit the /etc/inet/hosts file to ensure that the NIS master and all NIS slave servers have been defined.

2. Execute the domainname command to set the local NIS domain.

# domainname domainname 

For example:

# domainname classroom.Central.Sun.COM 

3. Create or populate the /etc/defaultdomain file with the domain name.

4. Initialize the system as an NIS client by performing the command:

# ypinit -c

5. When the system prompts for a list of NIS servers, enter the NIS master host followed by the name of the local host and all other NIS slave servers on the local network.

6. Copy the /etc/nsswitch.nis file to the /etc/nsswitch.conf file. If necessary, modify the file.

7. On the NIS master, ensure that the ypserv process is running by performing the command:

# pgrep -fl ypserv

If it is not running, refer to the previous section on how to start NIS daemons on the master.

8. Return to the proposed NIS slave system, and enter the ypstart command to start the ypbind daemon.

# svcadm enable svc:/network/nis/client:default

9. Initialize the system as an NIS slave by performing the command:

# ypinit -s master 

where master is the name of the NIS master.

Note – If you did not add the name of the NIS slave server when you initially configured the NIS master server using the ypinit command, enter the ypinit -m command once more on the NIS master server. In the process of updating the NIS master, the script prompts you for confirmation when it is about to destroy the existing domain database. Confirm by entering y.

10. Before starting the ypserv daemon on the slave server, stop the client with the command:

# svcadm disable svc:/network/nis/client:default

11. When the NIS server is started, it also starts the ypbind client daemon.

# svcadm enable svc:/network/nis/server:default

12. To test NIS client functionality on the newly configured NIS slave server, perform the command:

# ypwhich -m 

The output shows a list of maps together with the NIS master server for each map.

Updating the NIS Map

Because database files change with time, you must update your NIS maps. To update the NIS maps (on the master server), complete the following steps:

1. Update the text files in your source directory (typically, /etc, unless it was changed in the Makefile file).

2. Change to the /var/yp directory.

# cd /var/yp

3. Refresh the NIS database maps using the make utility.

# /usr/ccs/bin/make

Updating the NIS Password Map

If the NIS master is running the rpc.yppasswdd daemon, any client system can update the NIS password map by using the yppasswd or passwd commands, as shown in Figure 14-8.

Figure 14-8 Updating the NIS Password Map (diagram labels: ASCII Files, Update, Maps, Push, Lookup, Client, Master Server, Slave Server, yppasswd, passwd, "Master Server Runs rpc.yppasswdd")


To update the password map, complete the following steps:

1. Run the rpc.yppasswdd daemon on the NIS master server.

# /usr/lib/netsvc/yp/rpc.yppasswdd /$PWDIR/passwd -m passwd

When users change their NIS passwords, the rpc.yppasswdd daemon updates the NIS master’s /$PWDIR/passwd file and passwd map. The passwd map is then pushed to all slave servers.

2. Enter the passwd command on any NIS client.

$ passwd

Changing NIS password for user1 on server1.

Old password:

New password:

Retype new password:

NIS entry changed on server1

Updating the NIS timezone Map

The following steps manually update the NIS timezone map on the master server and propagate all maps to the slave servers:

1. Edit the source file on the NIS master.

# vi /etc/timezone

2. Remake and push the NIS maps to the slave servers.

# cd /var/yp; /usr/ccs/bin/make

a. If the push from the master server fails, the following command runs on the slave server and manually “pulls” only the timezone map from the master server.

# /usr/lib/netsvc/yp/ypxfr timezone.byname

b. To pull all of the maps from the master server at once, perform the command:

# ypinit -s nis_master 


Sometimes maps fail to propagate, and you must manually use the ypxfr command to retrieve new map information. To automate the updating and propagating of NIS maps on slave servers, you can install shell scripts to run as cron jobs. Because maps have different rates of change, scheduling a map transfer by using the crontab command enables you to set specific propagation intervals for individual maps.

The Solaris OS provides several template scripts in the /usr/lib/netsvc/yp directory that you can use and modify to meet your local site requirements. These scripts are useful when slave servers are down during NIS map propagations.

Figure 14-9 shows you how to update passwd maps using slave servers with scripts. When slave servers are down, they might not receive the update unless you run a “safety valve” script.

Figure 14-9 Updating passwd Maps on Slave Servers With Scripts (diagram labels: Pull, Maps, Lookup, Client, Master Server, Slave Server, "Slave Server Runs /usr/lib/netsvc/yp/ypxfr_1perhour")


Using the ypxfr_1perhour Script

The following text lists the contents of the ypxfr_1perhour script that, if run hourly using the cron daemon, ensures that the NIS slave server’s passwd map is never more than one hour out of date.

#! /bin/sh
#
# Copyr 1990 Sun Microsystems, Inc.
#ident "@(#)ypxfr_1perhour.sh 1.2 00/05/01 SMI"
#
# ypxfr_1perhour.sh - Do hourly NIS map check/updates
#
PATH=/bin:/usr/bin:/usr/lib/netsvc/yp:$PATH
export PATH
# set -xv
ypxfr passwd.byname
ypxfr passwd.byuid

Using the ypxfr_1perday Script

The following output details the contents of the ypxfr_1perday script. If run daily using the cron daemon, the script ensures that the NIS slave server’s NIS maps for the group, protocols, networks, services, and ypservers keys are never more than one day out of date.

#! /bin/sh
#
# Copyr 1990 Sun Microsystems, Inc.
#ident "@(#)ypxfr_1perday.sh 1.2 00/05/01 SMI"
#
# ypxfr_1perday.sh - Do daily NIS map check/updates
#
PATH=/bin:/usr/bin:/usr/lib/netsvc/yp:$PATH
export PATH
# set -xv
ypxfr group.byname
ypxfr group.bygid
ypxfr protocols.byname
ypxfr protocols.bynumber
ypxfr networks.byname
ypxfr networks.byaddr
ypxfr services.byname
ypxfr ypservers


Using the ypxfr_2perday Script

The following output details the contents of the ypxfr_2perday script. If run twice daily using the cron daemon, the script ensures that the NIS slave server’s NIS maps for the hosts, ethers, netgroups keys, and mail aliases are never more than 12 hours out of date.

#! /bin/sh
#
# Copyr 1990 Sun Microsystems, Inc.
#ident "@(#)ypxfr_2perday.sh 1.2 00/05/01 SMI"
#
# ypxfr_2perday.sh - Do twice-daily NIS map check/updates
#
PATH=/bin:/usr/bin:/usr/lib/netsvc/yp:$PATH
export PATH
# set -xv
ypxfr hosts.byname
ypxfr hosts.byaddr
ypxfr ethers.byaddr
ypxfr ethers.byname
ypxfr netgroup
ypxfr netgroup.byuser
ypxfr netgroup.byhost
ypxfr mail.aliases


Building Custom NIS Maps

As system requirements or configurations change, you must keep the name service configuration the same as the system configuration.

Using the make Command

You can learn how to make customized NIS maps by using the /usr/ccs/bin/make command and the /var/yp/Makefile file. The make utility and the Makefile file:

• Are used by programmers to build programs

• Are used by administrators to build NIS maps

• Can be generalized to build customized NIS maps

Building Targets

The make utility receives its instructions from the Makefile file. The Makefile file uses variable definitions (called macros), targets, and dependencies.

You can use macros as variables, similar to those used in a shell script. You must define a macro at the beginning of the Makefile file. Prefix the name of the macro with a dollar sign ($) when using it throughout the Makefile file.

The make utility builds targets. Targets need dependencies. Dependencies can represent other targets that must be completely built before the original target is considered “made.” This structure enables you to nest the target and dependency pairs to an arbitrary depth, letting you build complex hierarchical code structures.

When making NIS maps, you should keep the target and dependency relationship very basic.


Editing the NIS Makefile File

The NIS Makefile file is located in the /var/yp directory and is composed of four main sections:

• The first section contains macro definitions.

• The second section contains the first target, all.

• The third section defines the final target and dependencies.

• The fourth section contains entries for each of the dependencies.

Configuring the Sections of Makefile

The first section of the Makefile file contains the following macro definitions:

#B=-b
B=
DIR =/etc
INETDIR=/etc/inet
RBACDIR=/etc/security
PWDIR =/etc
DOM = `domainname`
NOPUSH = ""
ALIASES = /etc/mail/aliases
YPDIR=/usr/lib/netsvc/yp
SBINDIR=/usr/sbin
YPDBDIR=/var/yp
YPPUSH=$(YPDIR)/yppush
MAKEDBM=$(SBINDIR)/makedbm
MULTI=$(YPDIR)/multi
REVNETGROUP=$(SBINDIR)/revnetgroup
STDETHERS=$(YPDIR)/stdethers
STDHOSTS=$(YPDIR)/stdhosts
MKNETID=$(SBINDIR)/mknetid
MKALIAS=$(YPDIR)/mkalias

The second section of the Makefile file contains the first target, all.

all: passwd group hosts ipnodes ethers networks rpc services protocols \
	netgroup bootparams aliases publickey netid netmasks c2secure \
	timezone auto.master auto.home \
	auth.attr exec.attr prof.attr user.attr audit.user


The all target has several dependencies, each of which represents one of the NIS maps to be built. This feature enables the entire set of NIS maps to be built by typing:

# cd /var/yp; /usr/ccs/bin/make

The all target is not considered to be built until each of its targets is first built. Each of the targets for all depends on another target.

When adding custom maps to NIS, the name of the new map to be built should be added to the all target list (auto.direct in the following example).

all: passwd group hosts ipnodes ethers networks rpc services protocols \
	netgroup bootparams aliases publickey netid netmasks c2secure \
	timezone auto.master auto.home auto.direct \
	auth.attr exec.attr prof.attr user.attr audit.user

Note – The fourth section of the Makefile file is covered before the third section, because the fourth section continues the dependency thread introduced by the all target.

The entry in the fourth section of the Makefile file for each of the dependencies in the all target is:

passwd: passwd.time
group: group.time
project: project.time
hosts: hosts.time
ipnodes: ipnodes.time
ethers: ethers.time
networks: networks.time
rpc: rpc.time
services: services.time
protocols: protocols.time
netgroup: netgroup.time
bootparams: bootparams.time
aliases: aliases.time
publickey: publickey.time
netid: netid.time
passwd.adjunct: passwd.adjunct.time
group.adjunct: group.adjunct.time
netmasks: netmasks.time
timezone: timezone.time
auto.master: auto.master.time


auto.home: auto.home.time
auth.attr:auth.attr.time
exec.attr:exec.attr.time
prof.attr:prof.attr.time
user.attr:user.attr.time
audit.user:audit.user.time
$(DIR)/netid:
$(DIR)/timezone:
$(DIR)/auto_master:
$(DIR)/auto_home:
$(PWDIR)/shadow:
$(DIR)/auth_attr:
$(DIR)/exec_attr:
$(DIR)/prof_attr:
$(DIR)/user_attr:
$(DIR)/audit_user:
ageing: ageing.time

These entries are used by the make process to establish relationships between the timestamp controls and their respective maps in addition to identifying the location of the source files for the maps.

Using the previous example of an auto.direct map, add a new map to the NIS domain by appending the appropriate entries to the end of this “second level” target and dependency pair.

...
auto.direct: auto.direct.time
...
$(DIR)/auto_direct:

After you modify the auto.direct map, the final lines from the fourth section of the Makefile file would look like:

...
auto.master: auto.master.time
auto.home: auto.home.time
auto.direct: auto.direct.time
auth.attr:auth.attr.time
exec.attr:exec.attr.time
prof.attr:prof.attr.time
user.attr:user.attr.time
audit.user:audit.user.time
$(DIR)/netid:
$(DIR)/timezone:
$(DIR)/auto_master:


$(DIR)/auto_home:
$(DIR)/auto_direct:
$(PWDIR)/shadow:
...

The target is the auto.direct map, which depends on the auto.direct.time target.

The third section of the Makefile file defines the final target and dependencies, as well as instructions on how to build each map in the domain.

Edit the Makefile file by adding the following lines to build a new auto_direct map:

auto.direct.time: $(DIR)/auto_direct
	-@if [ -f $(DIR)/auto_direct ]; then \
		sed -e "/^#/d" -e s/#.*$$// $(DIR)/auto_direct \
		| $(MAKEDBM) - $(YPDBDIR)/$(DOM)/auto.direct; \
		touch auto.direct.time; \
		echo "updated auto.direct"; \
		if [ ! $(NOPUSH) ]; then \
			$(YPPUSH) auto.direct; \
			echo "pushed auto.direct"; \
		else \
			: ; \
		fi \
	else \
		echo "couldn't find $(DIR)/auto_direct"; \
	fi

Caution – You can copy and paste lines from a section to another map; however, the proper use of tabs and spaces in the Makefile file is critical. Look up the make command in the online manual pages for the correct usage of tabs and spaces.


The following are some points to consider:

• You must indent subsequent lines of make instructions by using tabs.

• You can use make macros in the instructions.

• Instructions that begin with the at (@) sign are not echoed to the terminal screen. Removing the @ sign is useful for debugging new instructions.

• Instructions that begin with a leading dash (-) before the @ sign do not echo error messages to the terminal screen.
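One way to confirm that a custom map has every Makefile entry this section describes before running make, as an added example that is not part of the course material. The check_nis_map and write_sample_makefile names and the cut-down Makefile are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the course material.

# check_nis_map MAKEFILE MAP SOURCE
#   MAP     map name as used in the Makefile, for example auto.direct
#   SOURCE  source file name under $(DIR), for example auto_direct
# Prints one line per missing or malformed entry; the return status is the
# number of problems found.
check_nis_map() {
    awk -v map="$2" -v src="$3" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function has_word(list, w,    n, i, p) {
        n = split(trim(list), p, /[ \t]+/)
        for (i = 1; i <= n; i++) if (p[i] == w) return 1
        return 0
    }
    function report(msg) { print msg; problems++ }
    {
        continued = prev_cont               # previous line ended with a backslash
        prev_cont = ($0 ~ /\\[ \t]*$/)
        body = $0; sub(/\\[ \t]*$/, "", body)

        if (!continued) in_all = 0
        if (!continued && $0 !~ /^[ \t]/) in_rule = 0

        # Second section: the all target and its continuation lines.
        if (!continued && body ~ /^all[ \t]*:/) { in_all = 1; sub(/^all[ \t]*:/, "", body) }
        if (in_all) { if (has_word(body, map)) listed = 1; next }

        # Third section: commands under MAP.time; each new command needs a tab.
        if (in_rule) {
            if (!continued && $0 !~ /^[ \t]*$/) {
                cmds++
                if ($0 !~ /^\t/) report("line " NR ": command is not indented with a tab")
            }
            next
        }

        # Fourth section: MAP: MAP.time and the empty $(DIR)/SOURCE: entry.
        colon = index(body, ":")
        if (colon == 0) next
        target = trim(substr(body, 1, colon - 1))
        deps = trim(substr(body, colon + 1))
        if (target == map && deps == map ".time") have_dep = 1
        if (target == "$(DIR)/" src && deps == "") have_stub = 1
        if (target == map ".time" && has_word(deps, "$(DIR)/" src)) { have_rule = 1; in_rule = 1 }
    }
    END {
        if (!listed) report("all: does not list " map)
        if (!have_dep) report("missing entry  " map ": " map ".time")
        if (!have_rule) report("missing rule  " map ".time: $(DIR)/" src)
        else if (cmds == 0) report(map ".time has no commands")
        if (!have_stub) report("missing entry  $(DIR)/" src ":")
        exit problems + 0
    }' "$1"
}

# Constructed sample: a cut-down Makefile with the auto.direct entries added.
# $2 = "spaces" writes the first command with spaces instead of a tab.
write_sample_makefile() {
    case $2 in spaces) indent='    ' ;; *) indent=$(printf '\t') ;; esac
    {
        printf 'all: passwd group hosts \\\n'
        printf '\ttimezone auto.master auto.home auto.direct\n\n'
        printf 'auto.direct.time: $(DIR)/auto_direct\n'
        printf '%s-@if [ -f $(DIR)/auto_direct ]; then \\\n' "$indent"
        printf '\t\ttouch auto.direct.time; \\\n'
        printf '\tfi\n\n'
        printf 'auto.home: auto.home.time\n'
        printf 'auto.direct: auto.direct.time\n'
        printf '$(DIR)/auto_home:\n'
        printf '$(DIR)/auto_direct:\n'
    } > "$1"
}

# Demonstration on the constructed sample with a space-indented command.
mk=$(mktemp)
write_sample_makefile "$mk" spaces
check_nis_map "$mk" auto.direct auto_direct || echo "problems: $?"
rm -f "$mk"
```

On the NIS master, the same function can be pointed at a copy of /var/yp/Makefile after editing it.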


Troubleshooting NIS

If only one or two clients are experiencing symptoms that indicate NIS binding difficulty, the problems are probably on those clients. If many NIS clients are failing to bind properly, the problem probably exists on one or more of the NIS servers.

Troubleshooting NIS Server Failure Messages

This section addresses some common errors associated with NIS server configuration.

No Server Available

If your domain name is set correctly, the ypbind daemon is running, and you get messages indicating that the client cannot communicate with a server, it can indicate a number of different problems:

• Does the client have a /var/yp/binding/domainname/ypservers file containing a list of servers to which it can bind? If not, enter the ypinit -c command, and specify the servers that this client should bind to, in the order of preference.

• If the client has a /var/yp/binding/domainname/ypservers file, does it have enough servers listed in it if a couple of servers should become unavailable? If not, add additional servers to the list by using the ypinit -c command.

Note – For reasons of security and administrative control, specify the servers that a client should bind to in the client’s ypservers file rather than have the client search for servers through broadcasting. Broadcasting slows down the network, as well as the client, and prevents you from balancing the server load by listing different servers for different clients.


• If none of the servers listed in the client’s ypservers file are available, the client searches for an operating server by using broadcast mode. If there is a functioning server on the client’s subnet, the client will find it. If there are no functioning servers on the client’s subnet, you can solve the problem in several ways:

    • If the client does not have a server on the subnet or have a route to one, install a new slave server on that subnet.

    • Make sure that your routers are configured to pass broadcast packets so that the client can use broadcast to find a server on another subnet. Use the netstat -rn command to verify the route.

    • If there should be a working route to a server on another network, check to see if the route exists with ping and netstat -nr on both servers. If neither daemon is running, start them with SMF.

• Do the servers listed in a client’s ypservers file have entries in the /etc/inet/hosts file? If not, add the servers to the NIS maps hosts input file, and rebuild your maps by using the ypinit -c or ypinit -s commands.

• Is the /etc/nsswitch.conf file set up to consult the client’s local hosts file in addition to NIS?

The ypwhich Command Displays Are Inconsistent

When you use the ypwhich command several times on the same client, the resulting output varies because the NIS server changes, which is normal. The binding of the NIS client to the NIS server changes over time when the network or the NIS servers are busy. Whenever possible, the network becomes stable at a point where all clients get an acceptable response time from the NIS servers. As long as your client machine gets NIS service, it does not matter where the service comes from. For example, an NIS server machine can get its own NIS services from another NIS server on the network.


Network or Servers Are Overloaded

NIS can hang if the network or NIS servers are so overloaded that the ypserv daemon cannot get a response back to the client ypbind process within the time-out period.

Under these circumstances, every client on the network experiences the same or similar problems. In most cases, the condition is temporary. The messages usually go away when the NIS server reboots and restarts the ypserv daemon, or when the load on the NIS servers or network itself decreases.

Server Malfunction

Make sure the servers are up and running. If you are not physically near the servers, use the ping NIS_server command.

NIS Daemons Not Running

If the servers are up and running and you can find a client machine behaving normally, perform the ypwhich command on the client, as follows:

# ypwhich

If the ypwhich command does not respond, kill the ypwhich command.

# pkill ypwhich

Log in as the root user on the NIS server, and check if the NIS daemons are running by performing the command:

# pgrep -fl yp

Note – Do not use the -f option with the ps command, because this option attempts to translate user IDs into names, which causes more name service lookup requests that might not succeed.

If either the ypbind or ypserv daemons are not running, stop and then restart the NIS services by performing the commands:

# svcadm disable network/nis/server:default

# svcadm enable network/nis/server:default


If both the ypserv and ypbind processes are running on the NIS server, and the ypwhich command does not respond, the ypserv process has probably hung. You must restart the process. Log in as root on the server, and kill the ypserv process.

# pkill ypserv

Start the ypserv process by restarting the NIS services. Perform the commands:

# svcadm disable network/nis/server:default

# svcadm enable network/nis/server:default

Troubleshooting NIS Client Failure Messages

This section addresses some common errors associated with NIS client configuration.

Missing or Incorrect Domain Name

One client has problems, the other clients are operating normally, but ypbind is running on the problem client. The client might not be set to the correct domain.

On the client, perform the domainname command to see which domain name is set.

# domainname

suned.Sun.COM

Compare the output with the actual domain name in the /var/yp directory on the NIS master server. The actual NIS domain is shown as a subdirectory in the /var/yp directory and reported with the domainname command on the master server.

# domainname

suned.sun.com


If the domain name returned by running the domainname command on a client is not the same as the server domain name listed as a directory in the /var/yp directory, the domain name specified in the client’s /etc/defaultdomain file is incorrect. Log in as superuser, and correct the client’s domain name in the client’s /etc/defaultdomain file to ensure that the domain name is correct every time the machine boots. Then reboot the machine.

Note – The domain name is case sensitive.

Client Not Bound to Server

If your domain name is set correctly, the ypbind daemon is running, and commands still hang, then make sure that the client is bound to a server by running the ypwhich command.

# ypwhich

NIS_server 

The server to which this client is currently bound can be the NIS master server or any NIS slave server that answers the ypbind broadcast.

If you have just started the ypbind daemon, then enter the ypwhich command several times (typically, the first ypwhich command entry reports that the domain is not bound and the second command entry succeeds).
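The client-side checks from "No Server Available" and "Missing or Incorrect Domain Name" can be run together; the following is an added example, not part of the course material. The audit_nis_client and make_client_tree names, the default of two servers, and the sample host entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the course material.

# audit_nis_client ROOT EXPECTED_DOMAIN [MIN_SERVERS]
#   ROOT             "/" on a live client, or a copy of its file tree
#   EXPECTED_DOMAIN  domain name as reported by domainname on the NIS master
#   MIN_SERVERS      servers that must be listed in ypservers (assumed default: 2)
# Prints one line per finding; the return status is the number of findings.
audit_nis_client() {
    root=${1%/}; expected=$2; min=${3:-2}; findings=0

    # The boot-time domain comes from /etc/defaultdomain and is case sensitive.
    saved=$(head -n 1 "$root/etc/defaultdomain" 2>/dev/null) || saved=
    if [ "$saved" != "$expected" ]; then
        lc_saved=$(printf '%s' "$saved" | tr '[:upper:]' '[:lower:]')
        lc_expected=$(printf '%s' "$expected" | tr '[:upper:]' '[:lower:]')
        if [ -n "$saved" ] && [ "$lc_saved" = "$lc_expected" ]; then
            echo "defaultdomain '$saved' differs from '$expected' only by case"
        else
            echo "defaultdomain '$saved' does not match '$expected'"
        fi
        return 1        # nothing else is meaningful until the domain is fixed
    fi

    # Without a ypservers list the client has to broadcast to find a server.
    servers="$root/var/yp/binding/$expected/ypservers"
    if [ ! -r "$servers" ]; then
        echo "no ypservers file: ypbind can only find a server by broadcast"
        return 1
    fi

    count=0
    while read -r server rest || [ -n "$server" ]; do
        case $server in ''|'#'*) continue ;; esac
        count=$((count + 1))
        # The server name must resolve from the local hosts file, without NIS.
        if ! awk -v h="$server" '
                { sub(/#.*/, ""); for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
                END { exit !found }' "$root/etc/inet/hosts" 2>/dev/null; then
            echo "$server is listed in ypservers but not in /etc/inet/hosts"
            findings=$((findings + 1))
        fi
    done < "$servers"

    if [ "$count" -lt "$min" ]; then
        echo "only $count server(s) in ypservers, want at least $min"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a minimal client file tree under $1.
# $2 = contents of /etc/defaultdomain, $3 = space-separated ypservers entries.
make_client_tree() {
    mkdir -p "$1/etc/inet" "$1/var/yp/binding/suned.sun.com"
    echo "$2" > "$1/etc/defaultdomain"
    printf '%s\n' '192.168.30.30 server1 loghost' '192.168.30.31 server2  # slave' \
        > "$1/etc/inet/hosts"
    printf '%s\n' $3 > "$1/var/yp/binding/suned.sun.com/ypservers"
}

# Demonstration: the case mismatch shown in the domainname output above.
tree=$(mktemp -d)
make_client_tree "$tree" suned.Sun.COM "server1 server2"
audit_nis_client "$tree" suned.sun.com || echo "findings: $?"
rm -rf "$tree"
```

On a live client, pass / as ROOT and the domain name reported on the NIS master as EXPECTED_DOMAIN.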


Performing the Exercises

You have the option to complete any one of three versions of a lab. To decide which to choose, consult the following descriptions of the levels:

• Level 1 – This version of the lab provides the least amount of guidance. Each bulleted paragraph provides a task description, but you must determine your own way of accomplishing each task.

• Level 2 – This version of the lab provides more guidance. Although each step describes what you should do, you must determine which commands (and options) to input.

• Level 3 – This version of the lab is the easiest to accomplish because each step provides exactly what you should input to the system. This level also includes the task solutions for all three levels.


Exercise: Configuring NIS (Level 1)

Perform the following tasks:

• Configure the following:

    • An NIS master server

    • An NIS slave server

    • An NIS client

• Test the dynamic rebind feature

• Add a custom map to NIS

Preparation

Choose two partners for this lab, and determine which systems to configure as the NIS master server, the NIS slave server, and the NIS client.

NIS_master : ____________________________________

NIS_slave: _____________________________________

NIS_client: _____________________________________

domainname: _____________________________________

On all systems, verify that the entries for all three hosts exist in the /etc/hosts file. Refer to your lecture notes as necessary to perform the steps listed.


Tasks

Perform the following tasks:

• Create and configure an NIS master server. Select an NIS domain name to use for your group of three systems. Set the domain name, and record its name in the /etc/defaultdomain file. Enter the touch command to create any files in the /etc directory that are required by the target all in the Makefile file. Edit the automount master map and indirect map to comment out “+” entries.

• On the system to be the NIS master server, share the /export/home directory by using NFS. Create three user accounts and set passwords for these users. Configure the /etc/passwd file and the automount indirect map to allow the users to mount their home directories from the NIS master. Use the ypinit -m command to initialize the NIS master. Configure the /etc/nsswitch.conf file for NIS, and start the NIS server daemons.

• Create and configure an NIS slave server. Set the NIS domain name to be the same as in the NIS master. Use the ypinit -c command to configure the system as an NIS client. Configure the /etc/nsswitch.conf file for NIS, and start the NIS client daemons. Use the ypinit -s command to configure the system as an NIS slave server. Stop and restart the NIS daemons. Verify the list of servers found in the ypservers map.

• Create and configure an NIS client system. Set the NIS domain name to be the same as in the NIS master. Use the ypinit -c command to configure the system as an NIS client. Configure the /etc/nsswitch.conf file for NIS, and start the NIS client daemons. Test the configuration with the ypwhich command.

• Test the dynamic rebind feature by stopping the NIS services on the NIS master server. Monitor the NIS client with the ypwhich command, and observe when the client binds to the slave server. Start the NIS services on the NIS master.

• Make the appropriate changes in the /var/yp/Makefile file to support a new automount direct map called auto_direct. Create the direct map in the /etc file. Configure the direct map and NFS shares to allow all three systems to automatically mount the man pages from the NIS master server.

• Test if the new users can log in on all three systems. Verify that their home directories automatically mount. Verify that the man pages are available through the automount service on all three systems.


Exercise: Configuring NIS (Level 2)

Perform the following tasks:

• Configure the following:

    • An NIS master server

    • An NIS slave server

    • An NIS client

• Test the dynamic rebind feature

• Add a custom map to NIS

Preparation

Choose two partners for this lab, and determine which systems to configure as the NIS master server, the NIS slave server, and the NIS client.

NIS_master : ____________________________________

NIS_slave: _____________________________________

NIS_client: _____________________________________

domainname: _____________________________________

On all systems, verify that entries for all three hosts exist in the /etc/hosts file. Refer to your lecture notes as necessary to perform the steps listed.


Task Summary

Perform the following tasks:

• Create and configure an NIS master server. Select an NIS domain name to use for your group of three systems. Set the domain name, and record its name in the /etc/defaultdomain file. Enter the touch command to create any files in the /etc directory that are required by the target all in the Makefile file. Edit the automount master map and indirect map to comment out “+” entries.

• On the system to be the NIS master server, share the /export/home directory by using NFS. Create three user accounts and set passwords for these users. Configure the /etc/passwd file and the automount indirect map to allow the users to mount their home directories from the NIS master. Use the ypinit -m command to initialize the NIS master. Configure the /etc/nsswitch.conf file for NIS, and start the NIS server daemons.

• Create and configure an NIS slave server. Set the NIS domain name to be the same as in the NIS master. Use the ypinit -c command to configure the system as an NIS client. Configure the /etc/nsswitch.conf file for NIS and start the NIS client daemons. Use the ypinit -s command to configure the system as an NIS slave server. Stop and restart the NIS daemons. Verify the list of servers found in the ypservers map.

• Create and configure an NIS client system. Set the NIS domain name to be the same as in the NIS master. Use the ypinit -c command to configure the system as an NIS client. Configure the /etc/nsswitch.conf file for NIS, and start the NIS client daemons. Test the configuration with the ypwhich command.

• Test the dynamic rebind feature by stopping the NIS services on the NIS master server. Monitor the NIS client with the ypwhich command, and observe when the client binds to the slave server. Start the NIS services on the NIS master.

• Make the appropriate changes in the /var/yp/Makefile file to support a new automount direct map called auto_direct. Create the direct map in the /etc file. Configure the direct map and NFS shares to allow all three systems to automatically mount the man pages from the NIS master server.

• Test if the new users can log in on all three systems. Verify that their home directories automatically mount. Verify that the man pages are available through the automount service on all three systems.


Tasks

This section describes how to create and test the NIS master server, slave server, and client. Perform the following tasks.

Task 1 – Setting Up the NIS Master

Complete the following steps:

1. Change the directory to /var/yp, and make a backup copy of the Makefile file.

2. In the /var/yp/Makefile, remove the aliases entry from the target all.

3. Verify that the /etc/hosts file contains entries for the systems that will become the NIS slave server and the NIS client.

4. Select a name to use as your NIS domain name. Set it by using the domainname command.

5. Populate the defaultdomain file with your domain name.

6. Use the touch command to create the ethers, bootparams, and netgroup files in the /etc directory.

7. Create the /etc/timezone file, and include an appropriate entry for your time zone and NIS domain.

8. Edit the /etc/auto_master file, and comment out the +auto_master entry.

9. Edit the /etc/auto_home file, and comment out the +auto_home entry. Add a new entry that supports automatically mounting all user home directories located in the /export/home directory on the NIS master server.

10. Configure the NIS master to share the /export/home directory:

a. Create an entry in the /etc/dfs/dfstab file to share the users’ home directories.

b. Check if the mountd and nfsd NFS server daemons are running.

c. If the NFS server daemons are not running, start them. The directory listed in /etc/dfs/dfstab will be automatically shared.

d. If the NFS server daemons are already running, perform the command to share the new directory listed in the /etc/dfs/dfstab file.


11. Create one user account for each member of your lab team.

Note – Create their respective home directories in /export/home; for example: /export/home/user1 for user1, /export/home/user2 for user2, and so on.

12. Create a password for each new user account.

13. To enable using the automount service to mount these users’ home directories, you must modify the users’ entries in the /etc/passwd file on the NIS master server.

Edit the /etc/passwd file, and change the home directory for each user from /export/home/username to /home/username.

14. Copy the /etc/nsswitch.nis template to the /etc/nsswitch.conf file.

15. Set up this system as an NIS master server:

a. Use the ypinit -m command to start the setup process.

The ypinit command lists the current system as an NIS server, and then prompts you for the next host to add as an NIS slave server.

b. Enter the name of the system that you want to use as an NIS slave server. Press Control-D when the list is complete.

c. Specify that you do not want the ypinit command to quit on nonfatal errors.

The ypinit command then proceeds to build the required maps.

Note – If the initialization process is successful, the ypinit command displays a message indicating that the current system was set up as a master server without any errors. This message is displayed even if nonfatal errors occur in the procedure.

d. If the initialization process fails, correct the problems indicated by the error messages and repeat Steps a, b, and c.

16. Start the NIS daemons.

17. Verify that this system is the NIS master by using the ypwhich command.


Task 2 – Setting Up the NIS Slave Server

Complete the following steps:

1. Verify that the /etc/hosts file contains entries for the NIS master server and the system that will become the NIS client.

2. Set the NIS domain for this system by using the domainname command.

3. Populate the defaultdomain file with your domain name.

4. Use the ypinit command as follows to set up this system as an NIS client:

a. Use the ypinit -c command to start the setup process.

b. When prompted for a list of NIS servers, enter the name of the NIS master server followed by the name of the local host (which subsequently becomes a slave server). Press Control–D to terminate the list.

5. Copy the /etc/nsswitch.nis template to the /etc/nsswitch.conf file.

6. Start the NIS daemons.

7. Verify that this system is using NIS and is bound to the NIS master by using the ypwhich command.

8. Initialize the system as an NIS slave. Indicate that you do not want the ypinit command to quit on nonfatal errors.

The ypinit command then proceeds to retrieve the required maps from the master server.

If the initialization process is successful, the ypinit command displays a message that indicates that the NIS database was set up without any errors.

Note – If you did not add the name of the NIS slave server when you initially configured the NIS master, this process might fail. To correct the problem, enter the ypinit -m command once more on the NIS master, and add the slave server’s host name. In the process of updating the NIS master, the script prompts you for confirmation when it is about to destroy the existing domain database. Confirm by typing y. Then, initialize the slave server again.

9. Stop and restart the NIS daemons on the slave server.


10. On the newly configured NIS slave server, test the NIS functionality by entering the following commands:

# ypwhich -m
# ypcat hosts

Note – The output of the ypwhich command should include the name of each map it provides to the NIS domain and include the name of the master server that controls the maps.

11. List the ypservers map known to the local domain. The output should include the names of the master and slave servers.

Task 3 – Setting Up the NIS Client

Complete the following steps:

1. Verify that the /etc/hosts file contains entries for the NIS master and slave servers.

2. Set the NIS domain for this system using the domainname command.

3. Populate the defaultdomain file with your domain name.

4. Set up this system as an NIS client:

a. Use the ypinit -c command to start the setup process.

b. Enter the name of the NIS master server and the NIS slave server (in order of preference), and press Control-D to terminate the list.

5. Copy the /etc/nsswitch.nis template to the /etc/nsswitch.conf file.

6. Start the NIS daemons.

7. Verify that this system is using NIS by using the ypwhich command.


Task 4 – Testing Dynamic Rebind

Complete the following steps:

1. Confirm that the NIS client is bound to the NIS master server by using the ypwhich command.

Note – The output should list the name of the NIS master server.

2. Test the client’s ability to bind to the NIS slave server when the master becomes unavailable:

Note – This process only works if you entered the names of both the NIS master and the NIS slave servers when you set up the client system by using the ypinit -c command. The NIS client searches only for servers listed in the /var/yp/binding/domainname/ypservers file, which the ypinit -c command creates.

a. On the NIS master server, stop the NIS services.

b. On the NIS client, determine to which NIS server it is bound. It can take a minute or two for the client to bind to the NIS slave.

Allow a few moments to pass, and then repeat the ypwhich command. Do this until you see that the NIS client has bound to the slave server.

3. On the NIS master, start the NIS services.


Task 5 – Adding a Custom Map to the NIS Master Database

If entries for an auto_direct map do not exist in the Makefile file that you are using, complete the following steps to add them:

1. On the NIS master server, edit the /var/yp/Makefile file, and make the following changes:

a. Add auto.direct to the list of maps associated with the target all. These entries exist in the second section of the /var/yp/Makefile file:

all: passwd group hosts ipnodes ethers networks rpc services protocols \
	netgroup bootparams aliases publickey netid netmasks c2secure \
	timezone auto.master auto.home \
	auth.attr exec.attr prof.attr user.attr audit.user auto.direct

b. Add entries for the new map in the fourth section of the /var/yp/Makefile file. Place a corresponding entry for auto.direct and auto_direct below the entries for auto.home and auto_home; for example:

auto.master: auto.master.time
auto.home: auto.home.time
auto.direct: auto.direct.time
$(DIR)/auto_master:
$(DIR)/auto_home:
$(DIR)/auto_direct:

c. In the third section of the Makefile file, add the code required to build the auto_direct map. Duplicate the lines associated with auto.home, and substitute auto.direct or auto_direct for each instance of auto.home or auto_home in that code. The result should look like this:

auto.direct.time: $(DIR)/auto_direct
	-@if [ -f $(DIR)/auto_direct ]; then \
		sed -e "/^#/d" -e s/#.*$$// $(DIR)/auto_direct \
		| $(MAKEDBM) - $(YPDBDIR)/$(DOM)/auto.direct; \
		touch auto.direct.time; \
		echo "updated auto.direct"; \
		if [ ! $(NOPUSH) ]; then \
			$(YPPUSH) auto.direct; \
			echo "pushed auto.direct"; \
		else \
			: ; \
		fi \
	else \
		echo "couldn't find $(DIR)/auto_direct"; \
	fi

d. Save the modified Makefile file, and exit the editor.


2. On the master server, edit the /etc/auto_master file to include an entry for the new direct map. Add the following line:

/- auto_direct -nosuid

3. On the master server, create a file called /etc/auto_direct, and insert the following line in it. Substitute the name of the master server for master_server.

/usr/share/man -ro master_server:/usr/share/man2

4. On all three hosts, rename the existing /usr/share/man directory to /usr/share/man2.

5. On the master server, add an entry to the /etc/dfs/dfstab file to share the /usr/share/man2 directory.

6. Share the directory.

7. Start the NIS daemons on the servers.

Note – If the daemons are already running, perform the /usr/lib/netsvc/yp/ypstop command to stop them.

8. On the master server, change the directory to /var/yp.

9. Update the NIS maps by running the make utility.

The make command hangs when it tries to push the new auto.direct map to the slave server. Press Control-C to stop the make command when this happens.

10. On the NIS slave server, use the ypxfr command to transfer the auto.direct map for the first time.

11. On the NIS master server, update the NIS maps again by running the make command. This time the make command should complete successfully.

12. On all three hosts, use the init 6 command to reboot.

13. Verify that you can use the user accounts you created earlier to log in to the NIS slave server and in to the NIS client.

14. On the NIS slave and NIS client, verify that your home directory automatically mounts from the NIS master server.

15. On all systems, attempt to access the /usr/share/man directory by using the man command.

If the content of the man page for the ls command is displayed, your configuration of the direct map in NIS is correct.
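
The three Makefile edits in step 1 have to agree with each other, and a lost continuation backslash in the all target silently drops the new map from the build. The following check is an added example, not part of the student guide or of the NIS Makefile; check_nis_map and make_sample_makefile are hypothetical names, and the sample Makefile is a constructed, shortened stand-in for /var/yp/Makefile.

```shell
#!/bin/sh
# Added example (not from the student guide). Function names are hypothetical.
#
# check_nis_map MAKEFILE MAP SRC
#   MAP is the NIS map name (auto.direct), SRC the source file name
#   (auto_direct). Prints one word per Makefile edit that is missing:
#   all-target, dependency, source-entry, build-rule. Prints nothing when
#   all three edits from step 1 are present.
check_nis_map() {
    awk -v map="$2" -v src="$3" '
        # Edit a: the map is listed in target "all". The list is followed
        # across lines only while each line ends in a backslash.
        /^all:/ { in_all = 1 }
        in_all {
            more = sub(/\\[ \t]*$/, "")      # strip a trailing continuation
            for (i = 1; i <= NF; i++) if ($i == map) a = 1
            in_all = more
        }
        # Edit b: the dependency entries in the fourth section.
        $1 == (map ":") && $2 == (map ".time")      { b1 = 1 }
        $1 == ("$(DIR)/" src ":")                   { b2 = 1 }
        # Edit c: the build rule in the third section.
        $1 == (map ".time:") && $2 == ("$(DIR)/" src) { c = 1 }
        END {
            if (!a)  print "all-target"
            if (!b1) print "dependency"
            if (!b2) print "source-entry"
            if (!c)  print "build-rule"
        }' "$1"
}

# Write a constructed, shortened Makefile that contains the auto.direct
# edits from step 1 (the recipe body is cut down to one command).
make_sample_makefile() {
    cat > "$1" <<'EOF'
all: passwd group hosts \
	timezone auto.master auto.home \
	auto.direct

auto.direct.time: $(DIR)/auto_direct
	-@if [ -f $(DIR)/auto_direct ]; then touch auto.direct.time; fi

auto.master: auto.master.time
auto.home: auto.home.time
auto.direct: auto.direct.time
$(DIR)/auto_master:
$(DIR)/auto_home:
$(DIR)/auto_direct:
EOF
}

# Demonstration on the constructed file; an empty list means nothing is missing.
mk=$(mktemp)
make_sample_makefile "$mk"
echo "auto.direct, missing edits: [$(check_nis_map "$mk" auto.direct auto_direct)]"
rm -f "$mk"
```

On the master, the same function can be pointed at /var/yp/Makefile before running make in step 9.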


Exercise: Configuring NIS (Level 3)

Perform the following tasks:

• Configure the following

  - An NIS master server

  - An NIS slave server

  - An NIS client

• Test the dynamic rebind feature

• Add a custom map to NIS

Preparation

Choose two partners for this lab, and determine which systems to configure as the NIS master server, the NIS slave server, and the NIS client.

NIS_master: ____________________________________

NIS_slave: _____________________________________

NIS_client: _____________________________________

domainname: _____________________________________

On all systems, verify that entries for all three hosts exist in the /etc/hosts file. Refer to your lecture notes as necessary to perform the steps listed.


Task Summary

Perform the following tasks:

• Create and configure an NIS master server. Select an NIS domain name to use for your group of three systems. Set the domain name, and record its name in the /etc/defaultdomain file. Enter the touch command to create any files in the /etc directory that are required by the target all in the Makefile file. Edit the automount master map and indirect map to comment out “+” entries.

• On the system to be the NIS master server, share the /export/home directory by using NFS. Create three user accounts and set passwords for these users. Configure the /etc/passwd file and the automount indirect map to allow the users to mount their home directories from the NIS master. Use the ypinit -m command to initialize the NIS master. Configure the /etc/nsswitch.conf file for NIS, and start the NIS server daemons.

• Create and configure an NIS slave server. Set the NIS domain name to be the same as in the NIS master. Use the ypinit -c command to configure the system as an NIS client. Configure the /etc/nsswitch.conf file for NIS and start the NIS client daemons. Use the ypinit -s command to configure the system as an NIS slave server. Stop and restart the NIS daemons. Verify the list of servers found in the ypservers map.

• Create and configure an NIS client system. Set the NIS domain name to be the same as in the NIS master. Use the ypinit -c command to configure the system as an NIS client. Configure the /etc/nsswitch.conf file for NIS, and start the NIS client daemons. Test the configuration with the ypwhich command.

• Test the dynamic rebind feature by stopping the NIS services on the NIS master server. Monitor the NIS client with the ypwhich command, and observe when the client binds to the slave server. Start the NIS services on the NIS master.

• Make the appropriate changes in the /var/yp/Makefile file to support a new automount direct map called auto_direct. Create the direct map in the /etc directory. Configure the direct map and NFS shares to allow all three systems to automatically mount the man pages from the NIS master server.

• Test if the new users can log in on all three systems. Verify that their home directories automatically mount. Verify that the man pages are available through the automount service on all three systems.


Tasks and Solutions

This section describes how to create and test the NIS master server, slave server, and client.

Task 1 – Setting Up the NIS Master

Complete the following steps:

1. Change the directory to /var/yp, and make a backup copy of the Makefile file.

# cd /var/yp
# cp Makefile Makefile.orig

2. In the /var/yp/Makefile, remove the aliases entry from the target all.

3. Verify that the /etc/hosts file contains entries for the systems that will become the NIS slave server and the NIS client.

4. Select a name to use as your NIS domain name. Set it by using the domainname command.

# domainname yourdomain

Note – Replace yourdomain with your chosen domain name.

5. Populate the defaultdomain file with your domain name.

# cd /etc
# domainname > defaultdomain

6. Use the touch command to create the ethers, bootparams, and netgroup files in the /etc directory.

# cd /etc ; touch ethers bootparams netgroup


7. Create the /etc/timezone file, and include an appropriate entry for your time zone and NIS domain.

For example, the following entry would set the time zone for systems located within an NIS domain called yourdomain.

your_timezone yourdomain

Note – Replace the your_timezone time zone with your local time zone and yourdomain with your own domain name. To see an example of a time zone entry, cat the /etc/TIMEZONE file.

# cat /etc/timezone
US/Mountain suned.sun.com

8. Edit the /etc/auto_master file, and comment out the +auto_master entry.

# Master map for automounter
#
# +auto_master
/net -hosts -nosuid,nobrowse
/home auto_home -nobrowse

9. Edit the /etc/auto_home file, and comment out the +auto_home entry. Add a new entry that supports automatically mounting all user home directories located in the /export/home directory on the NIS master server.

# Home directory map for automounter
#
# +auto_home
* master_server:/export/home/&


10. Configure the NIS master to share the /export/home directory:

a. Create an entry in the /etc/dfs/dfstab file to share the users’ home directories.

share -d "home dirs" /export/home

b. Check if the mountd and nfsd NFS server daemons are running.

# svcs -a | grep nfs | egrep -e "server|client"
disabled Jan_03 svc:/network/nfs/server:default
online Jan_03 svc:/network/nfs/client:default

c. If the NFS server daemons are not running, start them. The directory listed in /etc/dfs/dfstab will be automatically shared.

# svcadm enable svc:/network/nfs/server:default
# svcs -a | grep nfs | egrep -e "server|client"
online 12:17:32 svc:/network/nfs/server:default
online 12:18:18 svc:/network/nfs/client:default

d. If the NFS server daemons are already running, perform the command to share the new directory listed in the /etc/dfs/dfstab file.

# shareall

11. Create one user account for each member of your lab team.

Note – Create their respective home directories in /export/home; for example: /export/home/user1 for user1, /export/home/user2 for user2, and so on. If you use the Solaris Management Console application to create the user accounts, the account is configured to use the automount command, and the /export/home/user1 directory is translated to the /home/user1 directory.

# mkdir -p /export/home/user1
# useradd -d /export/home/user1 user1
# chown -R user1 /export/home/user1

12. Create a password for each new user account.

# passwd user1
New Password:
Re-enter new Password:
passwd: password successfully changed for user1


13. To enable using the automount service to mount these users’ home directories, you must modify the users’ entries in the /etc/passwd file on the NIS master server.

Edit the /etc/passwd file, and change the home directory for each user from /export/home/username to /home/username.

From:

user1:x:1001:1::/export/home/user1:/bin/sh

To:

user1:x:1001:1::/home/user1:/bin/sh

14. Copy the /etc/nsswitch.nis template to the /etc/nsswitch.conf file.

# cd /etc ; cp nsswitch.nis nsswitch.conf

15. Set up this system as an NIS master server:

a. Use the ypinit -m command to start the setup process.

# ypinit -m

The ypinit command lists the current system as an NIS server, and then prompts you for the next host to add as an NIS slave server.

b. Enter the name of the system that you want to use as an NIS slave server. Press Control-D when the list is complete.

next host to add: master_server
next host to add: slave_server
next host to add: <Control–D>
(list of servers)
is this list correct? [y/n: y] y

c. Specify that you do not want the ypinit command to quit on nonfatal errors.

...quit on nonfatal errors? [y/n: n] n

The ypinit command then proceeds to build the required maps.

Note – If the initialization process is successful, the ypinit command displays a message indicating that the current system was set up as a master server without any errors. This message is displayed even if nonfatal errors occur in the procedure.

d. If the initialization process fails, correct the problems indicated by the error messages and repeat Steps a, b, and c.


16. Verify the status of the NIS server daemon.

# svcs -a | grep nis | grep server
online 1:54:32 svc:/network/nis/server:default

17. Start the NIS server daemon if it is not running.

# svcadm enable network/nis/server:default

18. Verify that this system is the NIS master by using the ypwhich command.

# ypwhich -m
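
The files prepared in steps 5 through 14 can be checked in one pass before ypinit -m builds the maps from them. The following script is an added example, not part of the student guide; nis_preflight, nis_note and make_sample_etc are hypothetical names, and the sample files are constructed to mirror the solutions above.

```shell
#!/bin/sh
# Added example (not from the student guide): check the files that Task 1
# prepares on the NIS master. Function names are hypothetical. The directory
# argument is normally /etc; a copy can be checked instead.

nis_findings=0
nis_note() { echo "FINDING: $*"; nis_findings=$((nis_findings + 1)); }

nis_preflight() {
    etc=$1
    nis_findings=0

    # Step 5: defaultdomain holds the NIS domain name.
    domain=$(sed -n '1p' "$etc/defaultdomain" 2>/dev/null)
    [ -n "$domain" ] || nis_note "defaultdomain is missing or empty"

    # Step 6: files that target "all" in /var/yp/Makefile expects to exist.
    for f in ethers bootparams netgroup; do
        [ -f "$etc/$f" ] || nis_note "$f is missing (create it with touch)"
    done

    # Step 7: timezone needs an entry whose second field is the NIS domain.
    awk -v d="$domain" 'd != "" && $1 !~ /^#/ && $2 == d { ok = 1 }
        END { exit !ok }' "$etc/timezone" 2>/dev/null ||
        nis_note "timezone has no entry for domain '$domain'"

    # Steps 8 and 9: every "+" entry in the local maps is commented out.
    for m in auto_master auto_home; do
        if [ ! -f "$etc/$m" ]; then
            nis_note "$m is missing"
        elif grep -q '^[[:space:]]*[+]' "$etc/$m"; then
            nis_note "$m still has an active + entry"
        fi
    done

    # Step 9: a wildcard entry maps each user to server:/export/home/<user>.
    awk '$1 == "*" && $NF ~ /:\/export\/home\/&$/ { ok = 1 }
        END { exit !ok }' "$etc/auto_home" 2>/dev/null ||
        nis_note "auto_home has no '* server:/export/home/&' entry"

    # Step 10a: dfstab shares the home directories.
    awk '$1 == "share" && $NF == "/export/home" { ok = 1 }
        END { exit !ok }' "$etc/dfs/dfstab" 2>/dev/null ||
        nis_note "dfstab does not share /export/home"

    # Step 13: passwd entries use the automounted /home/<user> path.
    for u in $(awk -F: '$6 ~ /^\/export\/home\// { print $1 }' \
        "$etc/passwd" 2>/dev/null); do
        nis_note "passwd: $u still has a home directory under /export/home"
    done

    # Step 14: nsswitch.conf is a copy of the nsswitch.nis template.
    cmp -s "$etc/nsswitch.nis" "$etc/nsswitch.conf" ||
        nis_note "nsswitch.conf differs from nsswitch.nis"

    [ "$nis_findings" -eq 0 ]
}

# Build a constructed directory that looks like /etc after steps 5 to 14.
# The nsswitch.nis content is a one-line placeholder, not the real template.
make_sample_etc() {
    d=$1
    mkdir -p "$d/dfs"
    echo 'yourdomain' > "$d/defaultdomain"
    touch "$d/ethers" "$d/bootparams" "$d/netgroup"
    echo 'US/Mountain yourdomain' > "$d/timezone"
    printf '%s\n' '# +auto_master' '/net -hosts -nosuid,nobrowse' \
        '/home auto_home -nobrowse' > "$d/auto_master"
    printf '%s\n' '# +auto_home' '* master_server:/export/home/&' \
        > "$d/auto_home"
    echo 'share -d "home dirs" /export/home' > "$d/dfs/dfstab"
    echo 'user1:x:1001:1::/home/user1:/bin/sh' > "$d/passwd"
    echo 'passwd: files nis' > "$d/nsswitch.nis"
    cp "$d/nsswitch.nis" "$d/nsswitch.conf"
}

# Demonstration on the constructed directory.
sample=$(mktemp -d)
make_sample_etc "$sample"
nis_preflight "$sample" && echo "sample directory: no findings"
rm -rf "$sample"
```

On the master, nis_preflight /etc reports each step that was skipped or undone, which is easier to act on than the nonfatal errors ypinit continues past.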

Task 2 – Setting Up the NIS Slave Server

Complete the following steps:

1. Verify that the /etc/hosts file contains entries for the NIS master server and the system that will become the NIS client.

2. Set the NIS domain for this system by using the domainname command.

# domainname yourdomain

Note – Replace yourdomain with the NIS domain name you used to set up the NIS master server.

3. Populate the defaultdomain file with your domain name.

# cd /etc
# domainname > defaultdomain

4. Use the ypinit command as follows to set up this system as an NIS client:

a. Use the ypinit -c command to start the setup process.

# ypinit -c

b. When prompted for a list of NIS servers, enter the name of the NIS master server followed by the name of the local host (which subsequently becomes a slave server). Press Control–D to terminate the list.

next host to add: master_server
next host to add: slave_server
next host to add: <Control–D>
(list of servers)
is this list correct? [y/n: y] y


5. Copy the /etc/nsswitch.nis template to the /etc/nsswitch.conf file.

# cd /etc ; cp nsswitch.nis nsswitch.conf

6. Verify the status of the NIS daemons.

# svcs -a | grep nis | egrep -e "server|client"
disabled 19:14:06 svc:/network/rpc/nisplus:default
disabled 19:14:06 svc:/network/nis/server:default
disabled 19:14:06 svc:/network/nis/client:default
disabled 19:14:13 svc:/network/nis/passwd:default
disabled 19:14:13 svc:/network/nis/update:default
disabled 19:14:13 svc:/network/nis/xfr:default

7. Start the NIS server and client daemons if they were not running.

# svcadm enable network/nis/server:default
# svcadm enable network/nis/client:default

8. Verify that this system is using NIS and is bound to the NIS master by using the ypwhich command.

# ypwhich

9. Initialize the system as an NIS slave.

# ypinit -s master_server

Indicate that you do not want the ypinit command to quit on nonfatal errors.

...quit on nonfatal errors? [y/n: n] n

The ypinit command then proceeds to retrieve the required maps from the master server.

Transferring audit_user...
Transferring user_attr...
Transferring prof_attr...
Transferring exec_attr...
...
...

If the initialization process is successful, the ypinit command displays a message that indicates that the NIS database was set up without any errors.

...
...
Transferring ypservers...
Transferring passwd.byname...
sys43's nis data base has been set up without any errors.


Note – If you did not add the name of the NIS slave server when you initially configured the NIS master, this process might fail. To correct the problem, enter the ypinit -m command once more on the NIS master, and add the slave server’s host name. In the process of updating the NIS master, the script prompts you for confirmation when it is about to destroy the existing domain database. Confirm by typing y. Then, initialize the slave server again.

10. Stop and restart the NIS daemons on the slave server.

# svcadm disable network/nis/server:default
# svcadm enable network/nis/server:default

11. On the newly configured NIS slave server, test the NIS functionality by entering the following commands:

# ypwhich -m
# ypcat hosts

Note – The output of the ypwhich command should include the name of each map it provides to the NIS domain and include the name of the master server that controls the maps.

12. List the ypservers map known to the local domain. The output should include the names of the master and slave servers.

# ypcat -k ypservers
master_server
slave_server

Task 3 – Setting Up the NIS Client

Complete the following steps:

1. Verify that the /etc/hosts file contains entries for the NIS master and slave servers.

2. Set the NIS domain for this system using the domainname command.

# domainname yourdomain

Note – Replace yourdomain with the NIS domain name you used to set up the NIS master server.


3. Populate the defaultdomain file with your domain name.

# cd /etc

# domainname > defaultdomain

4. Set up this system as an NIS client:

a. Use the ypinit -c command to start the setup process.

# ypinit -c

b. Enter the name of the NIS master server and the NIS slave server (in order of preference), and press Control-D to terminate the list.

next host to add: master_server 

next host to add: slave_server 

next host to add: <Control–D>

(list of servers)

is this list correct? [y/n: y] y

5. Copy the /etc/nsswitch.nis template to the /etc/nsswitch.conf file.

# cd /etc

# cp nsswitch.nis nsswitch.conf

6. Verify the status of the NIS client daemon.

# svcs -a | grep nis | grep client

disabled 18:55:45 svc:/network/nis/client:default

7. Start the NIS client daemon.

# svcadm enable network/nis/client:default

8. Verify that this system is using NIS by using the ypwhich command.

# ypwhich -m 

Task 4 – Testing Dynamic Rebind

Complete the following steps:

1. Confirm that the NIS client is bound to the NIS master server by using the ypwhich command.

# ypwhich
master_server

Note – The output should list the name of the NIS master server.


2. Test the client’s ability to bind to the NIS slave server when themaster becomes unavailable:

Note – This process only works if you entered the names of both the NIS

master and the NIS slave servers when you set up the client system byusing the ypinit -c command. The NIS client searches only for serverslisted in the /var/yp/binding/domainname/ypservers file, which theypinit -c command creates.

a. On the NIS master server, stop the NIS server services.

# svcadm disable network/nis/server:default

b. On the NIS client, determine to which NIS server it is bound. It can take a minute or two for the client to bind to the NIS slave. Allow a few moments to pass, and then repeat the ypwhich command. Do this until you see that the NIS client has bound to the slave server.

# ypwhich

3. On the NIS master, start the NIS server services.

# svcadm enable network/nis/server:default


Task 5 – Adding a Custom Map to the NIS Master Database

If entries for an auto_direct map do not exist in the Makefile file that you are using, complete the following steps to add them:

1. On the NIS master server, edit the /var/yp/Makefile file, and make the following changes:

a. Add auto.direct to the list of maps associated with the target all. These entries exist in the second section of the /var/yp/Makefile file:

all: passwd group hosts ipnodes ethers networks rpc services protocols \
	netgroup bootparams aliases publickey netid netmasks c2secure \
	timezone auto.master auto.home \
	auth.attr exec.attr prof.attr user.attr audit.user auto.direct

b. Add entries for the new map in the fourth section of the /var/yp/Makefile file. Place a corresponding entry for auto.direct and auto_direct below the entries for auto.home and auto_home; for example:

auto.master: auto.master.time

auto.home: auto.home.time

auto.direct: auto.direct.time

$(DIR)/auto_master:

$(DIR)/auto_home:

$(DIR)/auto_direct:

c. In the third section of the Makefile file, add the code required to build the auto_direct map. Duplicate the lines associated with auto.home, and substitute auto.direct or auto_direct for each instance of auto.home or auto_home in that code. The result should look like this:

auto.direct.time: $(DIR)/auto_direct
	-@if [ -f $(DIR)/auto_direct ]; then \
		sed -e "/^#/d" -e s/#.*$$// $(DIR)/auto_direct \
		| $(MAKEDBM) - $(YPDBDIR)/$(DOM)/auto.direct; \
		touch auto.direct.time; \
		echo "updated auto.direct"; \
		if [ ! $(NOPUSH) ]; then \
			$(YPPUSH) auto.direct; \
			echo "pushed auto.direct"; \
		else \
			: ; \
		fi \
	else \
		echo "couldn't find $(DIR)/auto_direct"; \
	fi

d. Save the modified Makefile file, and exit the editor.


2. On the master server, edit the /etc/auto_master file to include an entry for the new direct map. Add the following line:

/- auto_direct -nosuid

3. On the master server, create a file called /etc/auto_direct, and insert the following line in it. Substitute the name of the master server for master_server.

/usr/share/man -ro master_server:/usr/share/man2

4. On all three hosts, rename the existing /usr/share/man directory to /usr/share/man2.

# mv /usr/share/man /usr/share/man2

5. On the master server, add an entry to the /etc/dfs/dfstab file to share the /usr/share/man2 directory.

# vi /etc/dfs/dfstab

share -o ro /usr/share/man2

6. Share the directory.

# shareall

7. Start the NFS daemons on the servers.

Note – If the daemons are already running, perform the svcadm command to stop them.

# svcadm disable network/nfs/server:default

# svcadm enable network/nfs/server:default

8. On the master server, change the directory to /var/yp.

# cd /var/yp

9. Update the NIS maps by running the make utility.

# /usr/ccs/bin/make

updated netid

pushed netid

updated auto.master

pushed auto.master

updated auto.direct

<Control-C>

*** auto.direct.time removed.

#

The make command hangs when it tries to push the new auto.direct map to the slave server. Press Control-C to stop the make command when this happens.


10. On the NIS slave server, use the ypxfr command to transfer the auto.direct map for the first time.

# /usr/lib/netsvc/yp/ypxfr auto.direct

11. On the NIS master server, update the NIS maps again by running the make command. This time the make command should complete successfully.

# cd /var/yp

# /usr/ccs/bin/make

updated netid

pushed netid

updated auto.direct

pushed auto.direct

12. On all three hosts, use the init 6 command to reboot.

# init 6

13. Verify that you can use the user accounts you created earlier to log in to the NIS slave server and in to the NIS client.

14. On the NIS slave and NIS client, verify that your home directory automatically mounts from the NIS master server.

$ pwd

15. On all systems, attempt to access the /usr/share/man directory by using the man command.

$ man ls

If the content of the man page for the ls command is displayed, your configuration of the direct map in NIS is correct.
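One way to check the Makefile edits from step 1 of Task 5 before running make, shown as an added example that is not part of the course materials. The function names check_nis_map, join_continuations and sample_makefile, and the shortened Makefile fragment, are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that a NIS Makefile carries every entry that
# Task 5, step 1 adds for a new map (all: list, dependency lines, rule).
# All names and the sample fragment below are constructed.

# Constructed, shortened fragment shaped like the entries in the exercise.
sample_makefile() {
    cat <<'EOF'
all: passwd group hosts \
	auto.master auto.home \
	auth.attr auto.direct

auto.direct.time: $(DIR)/auto_direct
	-@if [ -f $(DIR)/auto_direct ]; then \
		echo "updated auto.direct"; \
	fi

auto.home: auto.home.time
auto.direct: auto.direct.time
$(DIR)/auto_home:
$(DIR)/auto_direct:
EOF
}

# Join backslash-continued lines so the whole "all:" list is one record.
join_continuations() {
    awk '{
        if (sub(/\\[ \t]*$/, "")) { buf = buf $0 " "; next }
        print buf $0; buf = ""
    }
    END { if (buf != "") print buf }' "$1"
}

# Usage: check_nis_map MAKEFILE MAP   (MAP in dotted form, e.g. auto.direct)
# Prints one line per missing entry; returns 0 only if nothing is missing.
check_nis_map() {
    map=$2
    src=$(printf '%s' "$map" | tr . _)        # auto.direct -> auto_direct
    join_continuations "$1" | awk -v m="$map" -v s="$src" '
        $1 == "all:" { for (i = 2; i <= NF; i++) if ($i == m) in_all = 1 }
        $1 == m ":" && $2 == m ".time" { dep = 1 }      # step b, first entry
        $1 == "$(DIR)/" s ":"          { srcdep = 1 }   # step b, second entry
        $1 == m ".time:"               { rule = 1 }     # step c, build rule
        END {
            if (!in_all) print "missing: " m " in the all: target"
            if (!dep)    print "missing: " m ": " m ".time"
            if (!srcdep) print "missing: $(DIR)/" s ":"
            if (!rule)   print "missing: build rule " m ".time:"
            exit !(in_all && dep && srcdep && rule)
        }'
}

# Demo on the constructed fragment.
demo=$(mktemp) && sample_makefile > "$demo" \
    && check_nis_map "$demo" auto.direct \
    && echo "auto.direct: all Makefile entries present"
rm -f "$demo"
```

On a real master server the call would be check_nis_map /var/yp/Makefile auto.direct.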


Exercise Summary

Discussion – Take a few minutes to discuss the experiences, issues, or discoveries that you had during the lab exercises.

- Experiences
- Interpretations
- Conclusions
- Applications


Module 15

Introduction to Zones

Objectives

This module introduces the zones software partitioning technology, a new feature included in the Solaris™ 10 Operating System (Solaris 10 OS).

Upon completion of this module, you should be able to:

- Identify the different zones features
- Understand how and why zone partitioning is used
- Configure zones
- Install zones
- Boot zones

The following course map shows how this module fits into the current instructional goal.

Figure 15-1 Course Map

[Figure: course map for the goal "Perform Advanced Installation Procedures", with the modules Configure Custom JumpStart, Perform a Flash Installation, and Introduction to Zones]


Introducing Solaris Zones

Solaris zones technology enables software partitioning of a Solaris 10 OS to support multiple independent operating systems with independent process space, allocated resources, and users. Zones are ideal for environments that consolidate a number of applications on a single server. The cost and complexity of managing numerous machines make it advantageous to consolidate several applications on larger, more scalable servers.

Server Consolidation Solutions

When planning to consolidate servers, there are many solutions in the marketplace. Consumers can choose from three categories of server consolidation solutions:

- Domains and Partitions - These are consolidation schemes based on hardware solutions. This includes Sun Fire™ Domains and IBM LPARs.
- Virtual Machine - This is an application-level consolidation solution. This includes IBM VM and VMware.
- Operating System Partitions - This is an operating system-level solution. This includes FreeBSD Jails and Linux Vservers.

Solaris Zones are in the Operating System Partitioning category.

Zones provide virtual operating system services that look like different Solaris instances to users and applications. This architecture isolates processes, hides the underlying platform, and enables the global administrator to allow the use of system resources on a granular level. This separation can create a more secure environment, where multiple applications that previously had to run on different physical systems can coexist, in different zones, on one machine.


Resource Sharing

Zones allow the root user of the global zone to dedicate system resources to individual zones. Each zone maintains its own root password and user information, separate from other zones and the global system. Each zone exists with separate process and file system space, and can only monitor and interact with local processes. A single processor and single disk system can support several zones, each with separate resources, users, and process space as shown in Figure 15-2.

Figure 15-2 Typical Zones Environment


Zones allow multiple Solaris instances to operate at the same time on a single hardware platform. File systems, processors, and network interfaces can be shared by multiple zones. Allotment of physical resources to more than one instance allows scaling and sharing of available resources on an as-needed basis. Individual zones can gain files and configurations from the global zone.

Zone Features

- Security – Network services can be run in a zone, limiting the potential damage in the event of a security violation. Processes running within a zone, even one with superuser credentials, cannot affect activity in other zones. Certain activities, such as rebooting or shutting down the system as a whole, are only permitted in the global zone. An administrator logged into the global zone can monitor the activity of applications running in other zones and control the system as a whole. The global (default) zone is perpetual.

- Isolation – Zones allow the deployment of multiple applications on the same machine, even if the applications operate in different trust domains, require exclusive use of a global resource, or present difficulties with global configurations. Individual zones have their own set of users and their own root password. When a zone is rebooted, any other zones running on the system are unaffected.

- Virtualization – Zones provide an artificial environment that can hide such details as physical devices, the system's primary Internet protocol (IP) address, and host name from the application. Since the same environment can be maintained on different physical machines, this can be useful in supporting rapid deployment and redeployment of applications.

- Granularity – Zones can provide isolation at arbitrary granularity. A zone does not require a dedicated central processing unit (CPU), physical device, or chunk of physical memory. These resources can be multiplexed across a number of zones running within a single system, or allocated on a per-zone basis, using resource management features available in the OS.

- Transparency – Except when necessary to achieve security and isolation, zones avoid changing the environment in which applications execute. Zones do not present a new API or application binary interface (ABI) to which applications must be ported. Instead, they provide the standard Solaris interfaces and application environment, with some restrictions on applications attempting to perform privileged operations.


Zone Concepts

You must understand the following concepts to understand the Solaris Zones software partitioning technology:

- Zone types
- Zone daemons
- Zone file systems
- Zone networking
- Zone command scope
- Zone states

Zone Types

The Solaris Operating System supports two types of zones:

- Global zone
- Non-global zone

Global Zones

Every Solaris system contains a global zone (Figure 15-2 on page 15-3). The global zone has two functions. The global zone is both the default zone for the system and the zone used for system-wide administrative control. The global zone is the only zone from which a non-global zone can be configured, installed, managed, or uninstalled. All processes run in the global zone if no non-global zones are created by the global administrator.

Only the global zone is bootable from the system hardware. Administration of the system infrastructure, such as physical devices, routing, or dynamic reconfiguration (DR), is only possible in the global zone. Additionally, the global zone contains a complete installation of the Solaris system software packages. It can contain additional software not installed through packages.


The global zone is the only zone from which a non-global zone can be configured, installed, managed, or uninstalled. Appropriately privileged processes running in the global zone can access objects associated with other zones. Unprivileged processes in the global zone might be able to perform operations not allowed to privileged processes in a non-global zone. For example, users in the global zone can view information about every process in the system. If this capability presents a problem for your site, you can restrict access to the global zone.

The global zone provides a complete database containing information about all installed components. It holds configuration information specific to the global zone only, such as the global zone host name and file system table. The global zone is the only zone that is aware of all devices and all file systems.

Each zone, including the global zone, is assigned a zone name. The global zone always has the name global. Each zone is also given a unique numeric identifier, which is assigned by the system when the zone is booted. The global zone is always mapped to zone ID 0.

Non-Global Zone

The non-global zones contain an installed subset of the complete Solaris Operating System software packages. They can also contain Solaris software packages shared from the global zone and additional installed software packages not shared from the global zone. Non-global zones can contain additional software created on the non-global zone that is not installed through packages or shared from the global zone.

The non-global zones share operation under the Solaris kernel booted from the global zone. They are assigned a non-zero zone ID by the system when the zone is booted and must have a user-defined name.

The non-global zone is not aware of the existence of any other zones. It cannot install, manage, or uninstall itself or any other zones.


Zone Daemons

The system uses two daemons to control zone operation: zoneadmd and zsched.

The zoneadmd daemon is the primary process for managing the zone’s virtual platform. There is one zoneadmd process running for each active (ready, running, or shutting down) zone on the system.

The zoneadmd daemon is responsible for:

- Managing zone booting and shutting down
- Allocating the zone ID and starting the zsched system process
- Setting zone-wide resource controls
- Preparing the zone’s devices as specified in the zone configuration
- Plumbing virtual network interfaces
- Mounting loopback and conventional file systems

Unless the zoneadmd daemon is already running, it is automatically started by the zoneadm command.

Every active zone has an associated kernel process, zsched. The zsched process enables the zones subsystem to keep track of per-zone kernel threads. Kernel threads doing work on behalf of the zone are owned by zsched.

Zone File Systems

The Sparse Root Model installs a minimal number of files from the global zone when zones are first initialized. In this model, only certain root packages are installed in the non-global zone. These include a subset of the required root packages that are normally installed in the global zone, as well as any additional root packages that the global administrator might have selected. In this way, an administrator could have different versions of an operating system running concurrently on one physical system. Any files that need to be shared between a zone and the global zone can be mounted through the NFS as read-only file systems.


By default, the directories /lib, /platform, /sbin, and /usr are mounted in this manner. An example of shared file systems is shown in Figure 15-3.

Figure 15-3 Shared File System Example

[Figure: directory tree of the global zone (/ with sbin, usr, etc, var, and export/zones) and, under zones, zonea, zoneb, and zonec, each with its own / containing sbin, usr, etc, and var]

Once a zone is installed it is no longer dependent on the global zone unless a file system is mounted using NFS. If a critical file is removed from a zone, only that zone is affected. If a critical file is removed from the global zone, and the global zone operating system fails, then each zone would also fail. If the global operating system did not fail, and the zone was not in need of that removed file, the zones would be unaffected.

For files that are mounted using NFS, the removal of a critical file from the global zone would be the same as if it were in a typical client-server situation. The zone's dependence on the file would determine the effect of its removal on the zone.

Note – A non-global zone cannot be an NFS server.


After it is installed, a zone behaves as if it were separate from the global zone. If an application or patch is to be added to the global zone, it does not become available to zones unless the file system the application is added to is mounted by the zones. Even if the file system is mounted, there might be libraries, header files, and other necessary installed files that are not available to the zone. If an application or patch is added to a zone, a similar issue may take place. A zone is not able to write back to mounted file systems, which may be necessary for the proper installation of an application or patch. Currently, an application or patch being added to the global zone requires each zone to be reinstalled.

Zone Networking

Each non-global zone that requires network connectivity has one or more dedicated IP addresses. These addresses are associated with logical network interfaces that can be placed in a zone by using the ifconfig command. For example, if the primary network interface in the global zone is ce0, then the non-global zone’s logical network interface is ce0:1.

Zone interfaces configured by zonecfg will automatically be plumbed and placed in the zone when it is booted. The ifconfig command can be used to add or remove logical interfaces when the zone is running. Only the global zone administrator can modify the interface configuration and the network routes.

You can configure IPMP in the global zone, then extend the functionality to non-global zones. The functionality is extended by placing the zone's IP address in an IPMP group when you configure the zone. Then, if one of the interfaces in the global zone fails, the non-global zone addresses will migrate to another network interface card.

Zone Command Scope

A single global zone acts as the underlying support for each deployed zone. Configuration changes can affect the global system, a zone, or a resource type within a zone. The level that a command affects is referred to as its scope. The global scope affects every zone; the resource scope only affects the zone or parameter with which you are working. For example, the zonecfg command prompts change to represent the current scope of a command or subcommand.


Zone States

To understand the operability of a zone we need to understand its state. Zones behave like typical Solaris 10 OS installations, but do not have resources such as power-on self-test (POST) or OpenBoot Programmable Read-only Memory (OBP). Instead, these settings and tests are managed by the global zone. As a zone is configured, enabled, and used, its status field in the zoneadm command output changes. Figure 15-4 shows the zone states.

Figure 15-4 Zone States

[Figure: zone state diagram showing the states Undefined, Configured, Installed, Ready, Running, and Shutting Down, with the transitions Create, Delete, Install, Uninstall, Ready, Reboot, and Halt]

The possible zone states are defined as:

- Undefined – In this state, the zone’s configuration has not been completed and committed to stable storage. This state also occurs when a zone’s configuration has been deleted.

- Configured – In this state, the zone’s configuration is complete and committed to stable storage. However, those elements of the zone’s application environment that must be specified after initial boot are not yet present.

- Incomplete – This is a transitional state. During an install or uninstall operation, zoneadm sets the state of the target zone to incomplete. Upon successful completion of the operation, the state is set to the correct state. However, a zone that is unable to complete the install process will stop in this state.

- Installed – During this state, the zone’s configuration is instantiated on the system. The zoneadm command is used to verify that the configuration can be successfully used on the designated Solaris system. Packages are installed under the zone’s root path. In this state, the zone has no associated virtual platform.

- Ready – In this state, the virtual platform for the zone is established. The kernel creates the zsched process, network interfaces are plumbed, file systems are mounted, and devices are configured. A unique zone ID is assigned by the system. At this stage, no processes associated with the zone have been started.

- Running – In this state, the user processes associated with the zone application environment are running. The zone enters the running state as soon as the first user process associated with the application environment (init) is created.

- Shutting down and Down – These states are transitional states that are visible while the zone is being halted. However, a zone that is unable to shut down for any reason will stop in one of these states.


Configuring Zones

To configure a zone, you must perform these tasks:

- Identify the components that will make up the zone.
- Configure the zone’s resources.
- Configure the zone.
- Verify and commit the configured zone.

Identifying Zone Components

When planning zones for your environment, you must consider the components that make up each zone's configuration. These components include:

- A zone name
- A zone path to the zone’s root
- The zone network interfaces
- The file systems mounted in zones
- The configured devices in zones

Allocating File System Space

There are no limits on how much disk space can be consumed by a zone. The global zone administrator is responsible for space restriction. Even a small single processor system can support a number of zones running simultaneously. The nature of the packages installed in the global zone affects the space requirements of the non-global zones that are created. The number of packages and space requirements are factors.

- As a general guideline, about 100 megabytes of free disk space per non-global zone is required when the global zone has been installed with all of the standard Solaris packages.

- By default, any additional packages installed in the global zone also populate the non-global zones. The amount of disk space required must be increased accordingly. The directory location in the non-global zone for these additional packages is specified through the inherit-pkg-dir resource.


You can use soft partitions to divide disk slices or logical volumes into partitions. You can use these partitions as zone roots, and thus limit per-zone disk consumption. The soft partition limit is 8192 partitions.

An additional 40 megabytes of RAM per zone are suggested, but not required on a machine with sufficient swap space.

Using the zonecfg Command

The zonecfg command is used to configure a zone. The zonecfg command can be used in interactive mode, in command-line mode, or in command-file mode. The following operations can be performed using this command:

- You can create or delete a zone configuration.
- You can set properties for resources added to a configuration.
- You can query or verify a configuration.
- You can commit to a configuration.
- You can revert to a previous configuration.
- You can exit from a zonecfg session.

Note – There are many other operations that can be accomplished with the zonecfg command, but they are outside of the scope of this course.

There are several subcommands to configure and provision zones within the zonecfg utility, as shown in Table 15-1. Several subcommands affect the environment, depending on the current scope. The zonecfg prompt indicates if the scope is global or resource scope. Many of the subcommands also allow the -f, or force, flag. If this flag is given, the subcommand does not use interactive questioning safeguards.

Table 15-1 The zonecfg Subcommands

Command   Description
add       Add a resource to the zone.
cancel    Exits from resources scope back to global. Partially specified resources are abandoned.
commit    Verifies settings and commits proper settings from memory to disk. The revert subcommand will return to this point.
create    Create an in-memory configuration for the specified zone.
delete    Delete the configuration from memory.
end       Verify that parameters have been assigned and return to the global scope.
export    Print the configuration to stdout, or to the output file specified, in a form that can be used in a command file.
info      Display current configuration for resource settings or global zonepath, autoboot, or pool.
remove    Removes one or more resources depending on scope.
select    Find a resource whose parameters are matched within the curly braces and change to its scope.
set       Set an in-memory value for a parameter.
verify    Verify the in-memory configuration. All resources have required properties specified and the zonepath is specified for the zone.
revert    Discard any in-memory configurations and return to the last time a commit was performed.
exit      Commit current in-memory settings and exit the zonecfg utility. This command will automatically commit the configuration information to stable storage.

The zonecfg Resources Parameters

Resource types within the zonecfg utility include the following:

- zone name – Defines the zone name and identifies the zone to the configuration utility.


- zonepath – Defines the zone path resource and is the path to the zone root.

- fs – Assigns resource parameters for file systems. Use of the special parameter allows the local zone to mount global system resources under separate directories. Table 15-2 shows parameters associated with the fs resource.

- inherit-pkg-dir – Gives access to software packages from the global system. The contents of software packages in the inherit-pkg-dir directory are inherited by the non-global zone in a read-only mode. The default inherit-pkg-dir resources are: /lib, /platform, /sbin, and /usr.

- net – Provisions logical interfaces of the global system's interfaces to non-global zones. The network interfaces are plumbed when the zone transitions from the installed state to the ready state.

- device – References devices for the select, add, or remove commands. Each zone can have devices that should be configured when the zone transitions from the installed state to the ready state.

- attr – Enables the global administrator to assign generic-attribute settings, such as name, type, and value. The type must be int, uint (unsigned), Boolean, or string.

Table 15-2 The fs Resource Parameters

dir       File system to mount from global zone
special   Where to make the global file system available on the zone
type      How zone kernel interacts with the file system
options   Allow parameters similar to those found with the mount command


Zone Configuration Walk-Through

To create a zone, you must log in to the global system as root or as a role-based access control (RBAC)-allowed user. The following shows an example of configuring a zone named work-zone:

1 global# zonecfg -z work-zone

2 zonecfg:work-zone> create

3 zonecfg:work-zone> set zonepath=/export/work-zone

4 zonecfg:work-zone> set autoboot=true

5 zonecfg:work-zone> add fs

6 zonecfg:work-zone:fs> set dir=/mnt

7 zonecfg:work-zone:fs> set special=/dev/dsk/c0t0d0s7

8 zonecfg:work-zone:fs> set raw=/dev/rdsk/c0t0d0s7

9 zonecfg:work-zone:fs> set type=ufs

10 zonecfg:work-zone:fs> add options [logging]

11 zonecfg:work-zone:fs> end

12 zonecfg:work-zone> add inherit-pkg-dir

13 zonecfg:work-zone:inherit-pkg-dir> set dir=/usr/sfw

14 zonecfg:work-zone:inherit-pkg-dir> end

15 zonecfg:work-zone> add net

16 zonecfg:work-zone:net> set physical=ce0

17 zonecfg:work-zone:net> set address=192.168.0.1

18 zonecfg:work-zone:net> end

19 zonecfg:work-zone> add device

20 zonecfg:work-zone:device> set match=/dev/sound/*

21 zonecfg:work-zone:device> end

22 zonecfg:work-zone> add attr

23 zonecfg:work-zone:attr> set name=comment

24 zonecfg:work-zone:attr> set type=string

25 zonecfg:work-zone:attr> set value="The work zone."

26 zonecfg:work-zone:attr> end

27 zonecfg:work-zone> verify

28 zonecfg:work-zone> commit

29 zonecfg:work-zone> exit

Line 1 - This line starts the zonecfg utility in interactive mode. The zone is called work-zone.

Line 2 - This line begins the in-memory configuration.


Line 3 - The zone path resource, /export/work-zone in this example, is the path to the zone root. Each zone has a path to its root directory that is relative to the global zone’s root directory. This path must exist at installation time. The global zone directory is required to have restricted visibility. It must be owned by root with the mode 700.

Line 4 - This indicates that a zone should be booted automatically at system boot.

Line 5 - This line begins the file system configuration section in this procedure.

Line 6 - Set the mount point for the file system, /mnt in this example.

Line 7 - Specify that the /dev/dsk/c0t0d0s7 block special file in the global zone is to be mounted as /mnt in the work-zone.

Line 8 - Specify the /dev/rdsk/c0t0d0s7 raw special file. The zoneadmd daemon automatically runs the fsck command in non-interactive check-only mode on this device before it mounts the file system.

Line 9 - This line specifies that the file system type is UFS.

Line 10 - This line specifies the file system-specific option, enable file system logging in this procedure.

Line 11 - This line ends the file system configuration section in this procedure.

Line 12 - This line begins the configuration of a shared file system that is loopback-mounted from the global zone.

Line 13 - This line specifies that /usr/sfw is to be loopback mounted from the global zone.

Line 14 - This line ends the mount loopback section in this procedure.

Line 15 - This line begins the network configuration section in this procedure.

Line 16 - This line specifies that the physical network interface to be used by this zone is a GigaSwift.


Line 17 - This line specifies the IP address for the network interface, 192.168.0.1 in this procedure.

Line 18 - This line ends the network configuration section in this procedure.

Line 19 - This line begins the device configuration section in this procedure.

Line 20 - This line sets the device match, /dev/sound/* in this procedure.

Line 21 - This line ends the device configuration section in this procedure.

Line 22 - This line begins the attribute configuration section in this procedure.

Line 23 - This line sets the name of the attribute, comment in this procedure.

Line 24 - This line sets the type of attribute as a string of characters.

Line 25 - This line assigns a value to the string of characters, “The work zone.” in this procedure.

Line 26 - This line ends the attribute configuration section in this procedure.

Line 27 - This line verifies the current configuration for correctness. It ensures that all resources have all of their required properties specified.

Line 28 - This line commits the current configuration from memory to stable storage. Until the in-memory configuration is committed, changes can be removed with the revert subcommand. A configuration must be committed to be used by the zoneadm command. This operation is attempted automatically when you complete a zonecfg session. Because only a correct configuration can be committed, the commit operation automatically does a verify.

Line 29 - This line exits the zonecfg session. You can use the -F (force) option with exit.

The zone is now ready to install, boot, and use.


Viewing the Zone Configuration File

When you commit the zone configuration to stable storage, the file is stored in the /etc/zones directory in XML format. For example:

# more /etc/zones/work-zone.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">

<zone name="work-zone" zonepath="/export/work-zone" autoboot="true">

....


Using the zoneadm Command

The zoneadm command is the primary tool used to install and administer non-global zones. Operations using the zoneadm command must be run from the global zone. The following tasks can be performed using the zoneadm command:

• Verify a zone’s configuration

• Install a zone

• Boot a zone

• Reboot a zone

• Display information about a running zone

• Uninstall a zone

• Remove a zone using the zonecfg command

Verifying a Configured Zone

You can verify a zone prior to installing it. If you skip this procedure, the verification is performed automatically when you install the zone. You must be the global administrator in the global zone to perform this procedure.

You use the zoneadm -z zone_name verify command to verify a zone’s configuration. For example:

global# zoneadm -z work-zone verify

Warning: /export/work-zone does not exist, so it cannot be verified. When

zoneadm install is run, install will try to create /export/work-zone, and

verify will be tried again, but the verify may fail if: the parent

directory of /export/work-zone is group- or other-writable or

/export/work-zone overlaps with any other installed zones.

In this example, a message is displayed warning the administrator that the zonepath does not exist. This illustrates the type of messages output by the zoneadm command.

If no error messages are displayed, you can install the zone.
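The zonepath requirements from the walk-through (owned by root, mode 700) and the conditions named in the verify warning (parent directory group- or other-writable) can be checked before you run zoneadm install. The following is an added example, not part of the original guide; the helper names check_zonepath and perm_and_uid and the optional expected-UID argument are assumptions made for illustration.

```shell
# Pre-flight check for a zonepath before "zoneadm -z <zone> install".
# Added example: check_zonepath is a hypothetical helper, not a Solaris command.
# POSIX shell syntax; on Solaris 10 run it with ksh or /usr/xpg4/bin/sh,
# because /bin/sh there is the older Bourne shell.
#
# Usage:   check_zonepath /export/work-zone [expected_owner_uid]
# Returns: 0 = all checks pass
#          1 = a check failed
#          2 = parent is acceptable but the zonepath does not exist yet

# Print "<permission string> <numeric uid>" for a directory, using ls only.
perm_and_uid() {
    ls -ldnL "$1" | awk '{ print $1, $3 }'
}

check_zonepath() {
    zp=$1
    want_uid=${2:-0}            # the guide requires ownership by root (uid 0)
    rc=0

    parent=$(dirname "$zp")
    if [ ! -d "$parent" ]; then
        echo "FAIL: parent directory $parent does not exist"
        return 1
    fi

    # Conditions named in the zoneadm verify warning: the parent directory
    # must not be group- or other-writable.
    info=$(perm_and_uid "$parent")
    pperm=${info%% *}
    case $pperm in
        d????w*) echo "FAIL: $parent is group-writable ($pperm)"; rc=1 ;;
    esac
    case $pperm in
        d???????w*) echo "FAIL: $parent is other-writable ($pperm)"; rc=1 ;;
    esac

    if [ ! -d "$zp" ]; then
        if [ "$rc" -eq 0 ]; then
            echo "NOTE: $zp does not exist yet"
            return 2
        fi
        return 1
    fi

    # Requirement from the walk-through: owned by root with the mode 700.
    info=$(perm_and_uid "$zp")
    perm=${info%% *}
    uid=${info##* }
    case $perm in
        drwx------*) ;;
        *) echo "FAIL: $zp has permissions $perm, expected drwx------ (700)"
           rc=1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $zp is owned by uid $uid, expected $want_uid"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $zp"
    fi
    return $rc
}
```

Run it as check_zonepath /export/work-zone in the global zone; a return value of 2 corresponds to the case in the warning above, where the zonepath does not exist yet.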


Installing a Configured Zone

You use the zoneadm -z zone_name install command to perform installation tasks for a non-global zone. You must be the global administrator to perform the zone installation. For example:

global# zoneadm -z work-zone install

You use the zoneadm list -iv command to list the installed zones and verify the status:

global# zoneadm list -iv

ID NAME STATE PATH

0 global running /

- work-zone installed /export/work-zone

In this example, the work-zone has reached the installed state. The zone ID will be assigned during the zone boot process.

Booting a Zone

Booting a zone places the zone in the running state. If you set the autoboot resource property in a zone’s configuration to true, that zone is automatically booted when the global zone is booted. The default setting is false.

A zone can be manually booted from the ready state or from the installed state. You use the zoneadm -z zone_name boot command to boot a zone:

global# zoneadm -z work-zone ready

global# zoneadm -z work-zone boot

global# zoneadm list -v

ID NAME STATE PATH

0 global running /

1 work-zone running /export/work-zone

In this example, the work-zone has reached the running state. The zone ID 1 has been assigned during the zone boot process.


Halting a Zone

The zoneadm halt command is used to remove both the application environment and the virtual platform for a zone. The zone is then brought back to the installed state. All processes are killed, devices are unconfigured, network interfaces are unplumbed, file systems are unmounted, and the kernel data structures are destroyed.

global# zoneadm -z work-zone halt

global# zoneadm list -v

ID NAME STATE PATH

0 global running /

- work-zone installed /export/work-zone

The halt command does not run any shutdown scripts within the zone.

Rebooting a Zone

The zoneadm reboot command is used to reboot a zone. The zone is halted and then booted again.

global# zoneadm -z work-zone reboot

global# zoneadm list -v

ID NAME STATE PATH

0 global running /

2 work-zone running /export/work-zone

In this example, the zone ID was 1 before the reboot. After the zone is rebooted, the zone ID has changed to 2.

Logging Into and Working With the Zone

Use the zlogin command to log in to and access the deployed zone from the global zone. Be aware that root users are not allowed to log in by default. To log in to the zone as if you were on its console, use the -C option.

# zlogin -C work-zone

[Connected to zone 'work-zone' console]

You are asked to provide a terminal type, host name, time zone, and root password.


Note – If using a CDE terminal window, choose dtterm. If using another type of window, choose vt100.

After you enter the appropriate information, you see the following output:

System identification is completed.

rebooting system due to change(s) in /etc/default/init

[NOTICE: zone rebooting]

SunOS Release 5.10 Version s10 64-bit

Copyright 1983-2004 Sun Microsystems, Inc. All rights reserved.

Use is subject to license terms.

Hostname: twilight

The system is coming up. Please wait.

starting rpc services: rpcbind done.

syslog service starting.

Creating new rsa public/private host key pair

Creating new dsa public/private host key pair

The system is ready.

twilight console login: root

Password:

Dec 16 12:37:07 twilight login: ROOT LOGIN /dev/console

Sun Microsystems Inc. SunOS 5.10 s10 Dec 2004

After using the console interface to log in to the zone, take a look at how the operating system views its resources.

twilight# hostname

twilight

twilight# uname -a

SunOS twilight 5.10 s10 sun4u sparc SUNW,Netra-T12

twilight# df -k

File system kbytes used avail capacity Mounted on

/ 678457 69941 547455 12% /

/dev 678457 69941 547455 12% /dev

/lib 33265565 1893804 31039106 6% /lib

/platform 33265565 1893804 31039106 6% /platform

/sbin 33265565 1893804 31039106 6% /sbin

/usr 33265565 1893804 31039106 6% /usr

proc 0 0 0 0% /proc

mnttab 0 0 0 0% /etc/mnttab

fd 0 0 0 0% /dev/fd

swap 7949040 32 7949008 1% /var/run

swap 7949008 0 7949008 0% /tmp

twilight# ps -ef |grep z


UID PID PPID C STIME TTY TIME CMD

root 6965 6965 0 12:35:38 ? 0:00 zsched

twilight# ifconfig -a

lo0:1: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1

inet 127.0.0.1 netmask ff000000

ce0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2

inet 192.168.0.1 netmask ffffff00 broadcast 192.168.0.255

twilight# ~.

[Connection to zone 'work-zone' console closed]

Note – The zone is now up and running. If you add (or delete) resources to the running zone using the zonecfg command, you must restart the zone for the changes to take effect.

To remove a resource from a zone, run the zonecfg command and choose the remove subcommand with a reference to the device and parameters.

# zonecfg -z work-zone

zonecfg:work-zone> remove net physical=ce0

zonecfg:work-zone> commit

zonecfg:work-zone> exit

Deleting a Zone

When deleting a zone, be sure to back up any files that you want to keep. The first stage in deleting a zone is halting the Solaris 10 OS and freeing the system memory.

In the following example, the zone is removed from the global system:

Caution – This operation is not a graceful or controlled shutdown of the zone. Processes running in the zone can lose data.

# zoneadm list -cp

0:global:running:/

3:work-zone:running:/export/work-zone

# zoneadm -z work-zone halt

# zoneadm list -cp

0:global:running:/


-:work-zone:installed:/zones/work-zone

At this point, the zone is not using system resources other than file system space. Uninstall the zone to remove the zone's file usage.

# zoneadm -z work-zone uninstall

Are you sure you want to uninstall zone work-zone (y/[n])? y

# zoneadm list -cp

0:global:running:/

-:work-zone:configured:/export/work-zone

The final step is to delete the configuration of the zone from the global system with the delete subcommand.

# zonecfg -z work-zone delete

Are you sure you want to delete zone work-zone (y/[n])? y

# zoneadm list -cp

0:global:running:/
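The deletion procedure above moves the zone through the running, installed, and configured states, and the zoneadm list -cp listing (zoneid:zonename:state:zonepath) shows which step comes next. The following is an added example, not part of the original guide, that reads such a listing and prints the remaining commands in order without executing them; zone_state and delete_plan are hypothetical helper names, and only the four states shown in this module are handled.

```shell
# Work out which of the deletion steps are still needed for a zone, from the
# parseable listing printed by "zoneadm list -cp"
# (zoneid:zonename:state:zonepath).
# Added example: zone_state and delete_plan are hypothetical helpers.
# POSIX shell syntax; on Solaris 10 run it with ksh or /usr/xpg4/bin/sh.
#
# Usage: zoneadm list -cp | delete_plan work-zone
# The plan is printed for review, never executed.

# Read a "zoneadm list -cp" listing on stdin and print the state of zone $1.
# Returns 1 when the zone is not in the listing.
zone_state() {
    while IFS=: read -r id name state rest; do
        if [ "$name" = "$1" ]; then
            echo "$state"
            return 0
        fi
    done
    return 1
}

# Print the remaining commands, one per line, in the order the guide uses:
# halt -> uninstall -> delete.
# Returns 1 if the zone is not listed, 2 if the request needs manual review.
delete_plan() {
    zone=$1
    if [ "$zone" = "global" ]; then
        echo "# refusing: the global zone cannot be deleted" >&2
        return 2
    fi

    state=$(zone_state "$zone") || {
        echo "# $zone: not listed, nothing to delete" >&2
        return 1
    }

    case $state in
        running|ready|installed|configured) ;;
        *) echo "# $zone: state '$state' is not covered here, review manually" >&2
           return 2 ;;
    esac

    # halt is not a graceful shutdown and runs no shutdown scripts inside
    # the zone, so back up anything you want to keep before this step.
    case $state in
        running|ready) echo "zoneadm -z $zone halt" ;;
    esac
    # uninstall removes the zone's files under its zonepath.
    case $state in
        running|ready|installed) echo "zoneadm -z $zone uninstall" ;;
    esac
    # delete removes the configuration from the global system.
    echo "zonecfg -z $zone delete"
}
```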


Module 16

Describing the Custom JumpStart Configurations

Objectives

JumpStart provides a mechanism for automatically installing the Solaris 10 OS on multiple systems simultaneously. Custom JumpStart provides a mechanism to install multiple different systems with minimal or no user intervention during the installation process.

Upon completion of this module, you should be able to:

• Describe the JumpStart configurations

• Implement a basic JumpStart server

• Set up JumpStart software configuration alternatives

• Troubleshoot the JumpStart configurations

• Configure a naming service to support JumpStart

The following course map shows how this module fits into the current instructional goal.

Figure 16-1 Course Map [Perform Advanced Installation Procedures: Introduction to Zones; Configure Custom JumpStart; Perform a Flash Installation]


Introducing JumpStart Configurations

JumpStart is an automatic installation process available in the Solaris 10 OS. JumpStart enables you to install the Solaris OS automatically and configure it differently, depending on the characteristics of client systems. JumpStart uses these identifying characteristics to select the correct configuration for each client system.

Purpose of JumpStart

System administrators who need to install multiple systems with similar configurations can use JumpStart to automate the installation process. JumpStart eliminates the need for operator intervention during the installation process.

The advantages of using JumpStart include the following:

• It lets system administrators avoid the lengthy question-and-answer session that is part of the interactive installation process.

• It lets system administrators install different types of systems easily.

• It allows automatic installation of the Solaris 10 OS and unbundled software.

• It simplifies administration tasks when widely used applications must be updated frequently.

JumpStart provides considerable time savings when multiple or ongoing installations are required for networked computing environments.

Four main services support the software installation process using JumpStart:

• Boot services

• Identification services

• Configuration services

• Installation services


Configuring JumpStart programs requires setting up these services on one or more networked servers. You can configure a single server to provide all four services for JumpStart, or you can configure the services separately on different servers.

Figure 16-2 shows a typical JumpStart configuration.

Figure 16-2 JumpStart Server Component Services [JumpStart Server: Boot, Configuration, Identification, and Installation Services; Router; Boot Server: Boot Services; JumpStart Clients]

Boot Services

To boot the JumpStart client using the network, clients require support from a server that can respond to their Reverse Address Resolution Protocol (RARP), Trivial File Transfer Protocol (TFTP), and BOOTPARAMS requests. A system that provides these services is called a boot server. You can configure a boot server to provide any of the other required JumpStart services, or to only provide boot services.


If other servers provide identification, configuration, and installation services, the boot server identifies those servers for the JumpStart client. To support client RARP requests, the boot server must reside on the same subnet as the client, but the servers that provide these other services can reside on other network segments.

For boot operations to proceed, the following must be properly configured on the boot server:

• The /etc/ethers file

• The /etc/inet/hosts file

• The /tftpboot directory

• The /etc/bootparams file

• The /etc/dfs/dfstab file

• The TFTP service in SMF/INETD

The /etc/ethers and /etc/inet/hosts files configure the boot server to support RARP requests from JumpStart clients.

For each JumpStart client that the boot server supports, the /tftpboot directory must contain a symbolic link that points to a network bootstrap program. The inetd daemon must be configured to start the in.tftpd daemon on demand.

The boot server provides access to a boot image (a root (/) file system) that all JumpStart clients on the subnet use during the network boot process. The /etc/bootparams file lists the location of this root (/) file system and the locations of other directories that the JumpStart client requires. The /etc/dfs/dfstab file is used to configure JumpStart servers to share the directories that they provide.

You can configure boot services using the add_install_client script. The add_install_client script allows you to specify all of the information required in the files that support boot services. This script also creates the required files in the /tftpboot directory and appropriately modifies the inetd service configuration to support tftp requests.


Identification Services

JumpStart clients require support from a server to automatically get the answers to system identification questions that the client systems issue. The identification service is often provided by a boot server, but the service can be provided by any network server configured to provide identification.

JumpStart clients can obtain identification information from different sources, including:

• The /etc/inet/hosts file on the boot server

• The sysidcfg file

• A name service such as:

  • NIS (Network Information Service)

  • NIS+ (Network Information Service Plus)

  • LDAP (Lightweight Directory Access Protocol)

You can use a combination of these sources to answer the client’s identification requests. Identification information provided in a sysidcfg file overrides information provided by other sources.

Configuring a server to provide identification services is, for the most part, a manual process. You must manually edit the sysidcfg file, and share the directory where it resides. During the installation process, JumpStart clients use the Network File System (NFS) service to mount the directory that contains the sysidcfg file.

If you use a name service, configuring identification services involves updating the name service in the appropriate way. This may involve editing the source files and running commands to update the name service.

If the JumpStart client cannot obtain a response from a server for any identification item, the client interrupts the automatic identification process and asks for the information.


Listing Identification Items and Their Sources

Table 16-1 lists the identification items that JumpStart clients using SPARC® technology require, and also lists the sources in the Solaris 10 Operating System that can provide the information. In earlier releases of the Solaris Operating System, the list of items and usable sources sometimes differed.

For more information, refer to the Solaris 10 Release and Installation Collection online at http://docs.sun.com.

Table 16-1 JumpStart Client Identification Items

Identification Item                          Configurable With the sysidcfg File?   Configurable With a Name Service?
Name service                                 Yes                                    Yes
Domain name                                  Yes                                    No
Name server                                  Yes                                    No
Network interface                            Yes                                    No
Host name                                    Yes                                    Yes
IP address                                   Yes                                    Yes
Netmask                                      Yes                                    Yes
Dynamic Host Configuration Protocol (DHCP)   Yes                                    No
Internet Protocol Version 6 (IPv6)           Yes                                    No
Default router                               Yes                                    No
Root password                                Yes                                    No
Security policy                              Yes                                    No
Locale                                       Yes                                    Yes if NIS or NIS+, No if DNS or Lightweight Directory Access Protocol (LDAP)
Terminal Type                                Yes                                    No
Time zone                                    Yes                                    Yes
Date and time                                Yes                                    Yes
Power management (autoshutdown)              No                                     No


Configuration Services

JumpStart clients require support from a server to obtain answers for system configuration questions that they issue. A system that provides this service is called a configuration server.

A configuration server provides information that specifies how the Solaris Operating System installation proceeds on the JumpStart client. Configuration information can include:

• Installation type

• System type

• Disk partitioning and file system specifications

• Configuration cluster selection

• Software package additions or deletions

On the configuration server, files known as profile files store the configuration information. A file called rules.ok on the configuration server allows JumpStart clients to select an appropriate profile file.

Associating a Configuration With a Client

A configuration server shares a directory, for example the /export/config directory, that minimally contains the files shown in Table 16-2.

Table 16-2 Files in the /export/config Directory

File / Description

The rules file
    The rules file associates classes of clients with specific installation profiles. Classes in the rules file are identified using predefined keywords that include:
    • hostname
    • arch
    • domainname
    • memsize
    • model
    Clients select a profile by matching their own characteristics with an entry in the rules file.

The profile (class) files
    The profile files specify how the installation is to proceed and what software is to be installed. A separate profile file can exist for each class of JumpStart client on your network.

The check script
    Run the check script after creating the rules and profile files. The check script verifies the syntax in the rules and profile files. If there are no syntax errors, the check script creates the rules.ok file.

The rules.ok file
    The check script creates the rules.ok file from the rules file. The JumpStart installation procedure reads the rules.ok file during the automatic installation process (the rules file is not read).

Optional begin and finish scripts
    The JumpStart client uses begin and finish scripts to perform preinstallation and postinstallation tasks. You can use these scripts to further customize the installation process, such as configuring power management on the JumpStart client. The begin and finish scripts are located in the configuration directory hierarchy shared by the configuration server.

Installation Services

JumpStart clients require support from a server to find an image of the Solaris OS to install. A system that provides this service is called an install server. An install server shares a Solaris OS image from a CD-ROM, DVD, or local disk. JumpStart clients use the NFS service to mount the installation image during the installation process.

Sources of the Operating System Image

An install server provides the Solaris Operating System image by sharing one of the following:

• The Solaris 10 OS Software 1 CD-ROM

• The Solaris 10 OS Software DVD

• A spooled image of the Solaris 10 Operating System obtained from either the CD-ROM or DVD media

• A Flash installation image


CD-ROM and DVD

An install server can provide installation services by sharing either the Solaris 10 OS Software 1 CD-ROM or the Solaris 10 OS Software DVD.

The Solaris 10 OS Software 1 CD-ROM and the Solaris 10 OS Software DVD both contain a boot image and an installation image. Sharing either of these supports both boot services and installation services.

The installation image found on the Solaris 10 OS Software 1 CD-ROM only supports installing the Core (SUNWCreq) and Reduced Networking (SUNWCmreq) configuration clusters. The Solaris 10 OS Software 2, 3, and 4 CD-ROMs contain the remainder of the installation image, but there is no support for changing CD-ROMs in the middle of a JumpStart installation procedure.

Beginning with the Solaris 8 2/02 release, the Solaris™ Media Kit has been available on either CD-ROM or DVD media.

The Spooled Image

An install server can provide installation services by sharing a spooled image on a local disk. When you spool the Solaris Operating System image from CD-ROM or DVD, the result is a directory that contains the boot image and the installation image:

The boot image | JumpStart clients can boot from the root (/) file system contained in the boot image. For example, if you spool the Solaris 10 OS into a directory called /export/install, the boot image would be located in the /export/install/Solaris_10/Tools/Boot directory.
The installation image | JumpStart clients install the Solaris Operating System from the installation image. For example, if you spool the Solaris 10 Operating System into a directory called /export/install, the installation image would be located in the /export/install/Solaris_10/Product directory.

The setup_install_server script enables you to spool the boot and installation images from the Solaris OS 1 CD-ROM or from the DVD.

The add_to_install_server script enables you to spool additional installation image data from CD-ROMs 2, 3, and 4.

The setup_install_server script with the -b option enables you to spool only the boot image from the Solaris OS 1 CD-ROM or from the DVD. The script supports creating a boot image on a boot server. The boot server would then be configured to direct the JumpStart client to a separate install server for the installation image.

A Flash Install Image

Flash installation is significantly faster than the current JumpStart installation or a network installation method. Flash allows detailed customization of the Solaris Operating System, hardware configuration, and third-party software packages prior to creation of the clones. In addition, Flash installation can provide enterprise-level disaster recovery when necessary.

Implementing a Basic JumpStart Server

A JumpStart server configuration includes:

- A single server that provides boot, identification, configuration, and installation services

- Boot and installation services provided by the Solaris 10 OS boot and installation images spooled to the local disk of the server

- Identification services provided by files on the server and a sysidcfg file, with no name service in place

- Configuration services provided by a rules file that contains an entry for a single JumpStart client, and a profile file that installs the entire Solaris 10 OS distribution into a single slice on the JumpStart client

The following tasks are required to configure a single JumpStart server to provide basic software installation services using JumpStart:

1. Spool the operating system image.

2. Edit the sysidcfg file.

3. Edit the rules and profile files.

4. Run the check script.

5. Run the add_install_client script.

6. Boot the client.

Spooling the Operating System Image

Spooling the Solaris OS boot and installation image to disk is the most common method of supplying boot and installation services to JumpStart clients. You can spool the boot image and installation image to different servers. The following example shows how one server provides both boot and installation services.

When you use the Solaris 10 CD-ROM source media, you must use the setup_install_server script to spool the Solaris 10 OS image from the Solaris 10 OS Software 1 CD-ROM and use the add_to_install_server script to spool the Solaris 10 OS image from the remaining CD-ROMs.

The Solaris 10 OS Software CD-ROM provides the boot image and the required portion of the installation image to install the Core (SUNWCreq) and Minimal Network (SUNWCmreq) configuration clusters. The remaining CD-ROMs provide the rest of the installation image, containing the data required to install the Minimal Core Metacluster (SUNWCmreq), End User (SUNWCuser), Developer (SUNWCprog), Entire Distribution (SUNWCall), and the Entire Distribution with OEM Support configuration cluster (SUNWCXall).

When you use the Solaris 10 DVD source media, you are using the setup_install_server script to spool the Solaris 10 OS boot image and complete installation image to disk.

When the spooling procedure is complete, the server has the data available to support boot and installation services for JumpStart clients. The spooled image also contains the add_install_client script that lets you configure boot and installation support for specific JumpStart clients.

To spool the Solaris 10 OS boot and installation images to a local disk, complete the following steps:

1. Create a directory with at least five Gbytes of space available to hold the Solaris OS image. Conventionally the /export/install directory is used.

# mkdir /export/install

2. Insert the Solaris 10 OS Software 1 CD-ROM in the CD-ROM drive or the Solaris 10 OS DVD in the DVD drive. Allow the vold daemon to automatically mount the media.

3. Change the directory to the location of the setup_install_server script.

# cd /cdrom/cdrom0/s0/Solaris_10/Tools

4. Run the setup_install_server script to copy the Solaris 10 OS boot and installation images to the local disk (this process can take about one hour).

# ./setup_install_server /export/install

5. When the setup_install_server script finishes, change the directory to root (/), and eject the CD-ROM or DVD.

# cd /
# eject cdrom

6. If you use CD-ROM media, insert the Solaris 10 OS Software 2 CD-ROM in the CD-ROM drive, and allow the vold daemon to automatically mount it.

a. Change the directory to the location of the add_to_install_server script.

# cd /cdrom/cdrom0/Solaris_10/Tools

b. Run the add_to_install_server script to copy the remainder of the installation image to the local disk (this process can take about 20 minutes).

# ./add_to_install_server /export/install

c. When add_to_install_server finishes, change the directory to root (/), and eject the CD-ROM.

# cd /
# eject cdrom

7. Repeat step 6 for the remaining CD-ROMs.

Note – The same procedure is used if the Language CD-ROM is required.

Editing the sysidcfg File

JumpStart clients use information in the sysidcfg file to answer identification questions. If the JumpStart client cannot obtain a response for an identification question, the client interrupts the automatic identification process and asks for the information.

To provide complete identification services in the absence of a name service, the JumpStart server must provide information in the sysidcfg file that answers the following questions:

- What netmask will the client use?

- Will the client be configured to use IPv6 networking?

- What is the Internet Protocol (IP) address of the default router?

- What security policy will the client implement?

- What name service will the client use?

- What time zone will the client use?

- What system locale (region/country) will the client use?

- What system will provide the initial time-of-day information?

- What is the root user’s password?

The sysidcfg file can contain:

- Identification information that all JumpStart clients can use

- Information that is client-specific

Locating the sysidcfg File

The sysidcfg file cannot be given any other name. For example, you would create a generic sysidcfg file in the /export/config directory on a JumpStart server. The sysidcfg files that contain client-specific information must exist in separate directories. For example, the /export/config/client1/sysidcfg directory.

JumpStart clients learn of the location of the sysidcfg file from the BOOTPARAMS information that they obtain from the boot server. When you run the add_install_client script on the boot server, use the -p option, and specify the server and path where the sysidcfg file is stored. The following command indicates that the sysidcfg file that client1 uses is found on the server, server1, in the /export/config directory.

# ./add_install_client -c server1:/export/config -p server1:/export/config client1 sun4u

The server, server1, must share the /export/config directory using the NFS service before the client can mount it.

Note – Other options to the add_install_client command are discussed later in this module.

Constructing the sysidcfg File

The sysidcfg file lets you specify many different identification items. Entries in the sysidcfg file must conform to the following rules:

- Independent keywords can be listed in any order.

- Keywords are not case sensitive.

- Keyword values can be optionally enclosed in single (’) or double (") quotation marks.

- Dependent keyword values must be enclosed in curly braces ({}) to tie them to their associated independent keyword.

- Only the first instance of a keyword is valid. If a keyword is specified more than once, only the first keyword specified is used.

Table 16-3 lists the keywords and arguments used in the construction of the sysidcfg file.

Table 16-3 Keywords and Arguments Used in Constructing the sysidcfg File

Keywords | Arguments
name_service {domain_name} | name_service=NIS, NIS+, DNS, LDAP, OTHER, NONE
 | Options for NIS and NIS+: {domain_name=domain_name name_server=hostname(ip_address)}
 | Options for DNS: {domain_name=domain_name name_server=ip_address,ip_address,ip_address (three maximum) search=domain_name,domain_name,domain_name,domain_name,domain_name,domain_name (six maximum, the total length is less than or equal to 250 characters)}
 | Options for LDAP: {domain_name=domain_name profile=profile_name profile_server=ip_address}
network_interface, hostname, ip_address, netmask | network_interface=primary or value (for example, hme0) {primary hostname=hostname ip_address=ip_address netmask=netmask protocol_ipv6=yes/no}
 | If DHCP is used, specify: {dhcp protocol_ipv6=yes/no}
 | If DHCP is not used, specify: {hostname=host_name default_route=ip_address ip_address=ip_address netmask=netmask protocol_ipv6=yes/no}
root_password | root_password=root_password (encrypted password from /etc/shadow)
security_policy | security_policy=kerberos, NONE
 | Options for kerberos: {default_realm=FQDN admin_server=FQDN kdc=FQDN1,FQDN2,FQDN3} where FQDN is a fully qualified domain name. You can list a maximum of three key distribution centers (KDCs), but at least one is required.
system_locale | system_locale=locale (entry from the /usr/lib/locale file)
terminal | terminal=terminal_type (entry from the /usr/share/lib/terminfo database) for the installation.
timezone | timezone=timezone (entry from /usr/share/lib/zoneinfo file)
timeserver | timeserver=localhost, hostname, or ip_addr

To configure a generic sysidcfg file on a JumpStart server, complete the following steps:

1. Create a directory to hold the sysidcfg file. Typically the /export/config directory holds the sysidcfg file.

# mkdir /export/config

2. Change the directory to /export/config, and create a file called sysidcfg using a text editor.

# cd /export/config
# vi sysidcfg

3. In the sysidcfg file, add the following lines. Substitute values that are appropriate for your systems, location, and network.

network_interface=hme0 { primary
protocol_ipv6=no
netmask=netmask_value
default_route=router_IP}
security_policy=none
name_service=none
timezone=timezone
system_locale=locale
timeserver=timeserver_IP
root_password=Hx23475vABDDM

a. For the netmask_value, enter the correct netmask for your network.

b. For the router_IP value, enter the IP address of the system that will act as your default router, or none if no router is to be specified.

c. For the timezone value, enter the correct time zone for your location. Time zones are listed in the directory structure below the /usr/share/lib/zoneinfo directory. For example, the US/Mountain time zone refers to the /usr/share/lib/zoneinfo/US/Mountain directory.

d. For the locale value, enter the correct system locale for your location. Locales are listed in the /usr/lib/locale directory.

e. For the timeserver_IP value, enter the IP address of the system that provides the time-of-day to the JumpStart client. If you specify localhost as the time server, the system’s time is assumed to be correct and the installation procedure does not prompt for the date and time.

f. Save the sysidcfg file, and exit your edit session.

The following example shows entries in a sysidcfg file for a JumpStart client with a single hme0 network interface:

network_interface=hme0 { primary protocol_ipv6=no
netmask=255.255.255.0
default_route=192.10.10.100}
security_policy=none
name_service=none
timezone=US/Mountain
system_locale=en_US
timeserver=192.10.10.100
root_password=Hx23475vABDDM
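The construction rules above (case-insensitive keywords, optional quotation marks, dependent keywords in braces, first instance wins) and the list of identification questions can be checked on the server before a client boots and falls back to interactive prompts. The following Python sketch is an added example, not part of the course material or of the Solaris tools; the function names, the question-to-keyword map and the sample text are assumptions built from Table 16-3, and the password test is a heuristic that assumes a 13-character crypt string or a $-prefixed hash.

```python
import re

# Identification questions listed earlier, mapped to the sysidcfg keyword
# (independent or dependent) that answers each one. The mapping is this
# example's assumption, built from the keywords in Table 16-3.
REQUIRED = {
    "netmask": "netmask",
    "IPv6": "protocol_ipv6",
    "default router": "default_route",
    "security policy": "security_policy",
    "name service": "name_service",
    "time zone": "timezone",
    "system locale": "system_locale",
    "time server": "timeserver",
    "root password": "root_password",
}

# A token is "{", "}", keyword=value (value optionally quoted), or a bare
# word such as "primary" or "dhcp".
TOKEN = re.compile(r"""\{|\}|\w+=(?:"[^"]*"|'[^']*'|[^\s{}]+)|[^\s{}]+""")
CRYPT13 = re.compile(r"[./0-9A-Za-z]{13}")


def parse_sysidcfg(text):
    """Return (settings, ignored).

    settings maps lower-cased keywords (dependent ones included) to values;
    ignored lists independent keywords that were repeated and therefore skipped.
    """
    settings, ignored, seen = {}, [], set()
    depth, skipping = 0, False
    for tok in TOKEN.findall(text):
        if tok == "{":
            depth += 1
            continue
        if tok == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced '}' in sysidcfg")
            continue
        key, sep, value = tok.partition("=")
        key = key.lower()                      # keywords are not case sensitive
        if depth == 0:                         # independent keyword
            skipping = key in seen             # only the first instance is used
            if skipping:
                ignored.append(key)
            seen.add(key)
        if not skipping:                       # a skipped keyword drops its {...} too
            settings.setdefault(key, value.strip("\"'") if sep else True)
    if depth:
        raise ValueError("unbalanced '{' in sysidcfg")
    return settings, ignored


def unanswered(settings):
    """Questions the client would stop and ask for interactively."""
    return [question for question, kw in REQUIRED.items() if kw not in settings]


def root_password_looks_hashed(settings):
    """Heuristic: value looks like an /etc/shadow hash, not a typed password."""
    value = settings.get("root_password", "")
    if not isinstance(value, str):
        return False
    return value.startswith("$") or CRYPT13.fullmatch(value) is not None


# Constructed sample: the example file above with mixed case, a quoted value,
# a repeated timezone keyword and the timeserver line left out.
SAMPLE = """\
network_interface=hme0 { primary protocol_ipv6=no
                         netmask=255.255.255.0
                         default_route=192.10.10.100}
Security_Policy=none
name_service=none
timezone="US/Mountain"
timezone=US/Pacific
system_locale=en_US
root_password=Hx23475vABDDM
"""

if __name__ == "__main__":
    parsed, repeated = parse_sysidcfg(SAMPLE)
    print("effective timezone:", parsed["timezone"])
    print("ignored repeats:", repeated)
    print("would prompt for:", unanswered(parsed))
    print("root_password looks hashed:", root_password_looks_hashed(parsed))
```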

Editing the rules and Profile Files

In order to provide configuration services, the JumpStart server provides a rules.ok file that allows the JumpStart client to select a profile file.

The rules file enables groups of clients with the same characteristics to be grouped together as a class. Consequently the profile file is frequently referred to as the class file.

The profile file must contain all the information normally provided during interactive installation about the disk partitioning and the software selection for the JumpStart client. If the JumpStart client cannot obtain a response from a server for any configuration item, the client interrupts the automatic configuration process and asks for the information.

Each entry in the rules.ok file lists one or more identifying characteristics that JumpStart clients can match. When a client finds an entry in rules.ok that it matches, it uses the profile associated with that entry. Clients use only the first entry in the rules.ok file that they match.

If a JumpStart client checks all the entries in rules.ok but does not find a match, the client begins an interactive configuration session.

The rules File Syntax

Entries in the rules file conform to the following syntax:

[!] match_key match_value [&& [!] match_key match_value]* \
begin profile finish

where:

match_key | A predefined keyword that describes an attribute of the system being installed. The keyword can be: any, hostname, model, arch, installed, network, domainname, karch, totaldisk, disksize, or memsize.
match_value | The value (or range of values) selected by the system administrator for the match_key. You can use multiple keywords in a rule. Join multiple keywords with the logical AND symbol (&&). You can use the logical NOT symbol (!) in front of a keyword to express negation. In other words, to express that the install client’s value for match_key does not equal the match_value specified in the rule.
begin | The name of a begin script. This is a Bourne shell script to be run before the installation is started. Use a (-) to indicate that no begin script runs.
profile | The name of the profile (class) file.
finish | The name of a finish script. This Bourne shell script runs after the installation is completed. Use a (-) to indicate that no finish script runs.

The example

hostname client1 - profile1 -

causes a JumpStart client called client1 to use a profile file called profile1. The dash (-) characters before and after the profile1 file indicate that the client1 system does not run a begin or a finish script.

To configure a simple rules and profile file on a JumpStart server, complete the following steps:

1. Create a directory to hold the rules file if this directory does not already exist. Usually, the /export/config directory holds the rules file.

# mkdir /export/config

2. Change the directory to /export/config, and create a file called rules using a text editor.

# cd /export/config
# vi rules

3. In the rules file, add the following line. For client_name, substitute the name of your JumpStart client.

hostname client_name - profile1 -

4. Save the rules file, and exit your edit session.

5. Create a file called profile1 by using a text editor.

# vi profile1

Add the following lines to the profile1 file:

install_type initial_install
system_type standalone
partitioning explicit
filesys cxtxdxs1 128 swap
filesys cxtxdxs0 free /
cluster SUNWCXall

a. For cxtxdxs0, enter the correct designation for slice 0 on the JumpStart client’s boot disk.

b. For cxtxdxs1, enter the correct designation for slice 1 on the JumpStart client’s boot disk.

6. Save the profile1 file, and exit your edit session.

For example, a simple profile file can contain the following information:

install_type initial_install
system_type standalone
partitioning explicit
filesys c0t0d0s0 free /
filesys c0t0d0s1 512 swap
cluster SUNWCXall
package SUNWman delete

This profile file declares that the JumpStart client performs an initial installation as a standalone system and uses partitioning that allocates 512 Mbytes to the swap area and the remainder of the disk space to the root (/) file system. The client installs the Entire Distribution with OEM support configuration cluster, and then removes the man pages.
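Because a client uses only the first rules.ok entry it matches, rule order decides which profile, begin script and finish script a machine receives. The following Python sketch is an added example, not the check script and not Sun's code, that parses rules entries in the syntax shown above and returns the first match for a given client. The client attribute dictionary, the low-high range format for memsize and totaldisk, and the sample rules are assumptions; the installed and disksize keywords are rejected because their values have more than one field.

```python
import shlex

RANGE_KEYS = {"memsize", "totaldisk"}     # assumed: one number or a low-high range
EXACT_KEYS = {"hostname", "model", "arch", "karch", "network", "domainname"}
SUPPORTED = RANGE_KEYS | EXACT_KEYS | {"any"}


def parse_rule(line):
    """Parse one rules entry into (conditions, begin, profile, finish).

    conditions is a list of (negated, match_key, match_value). Blank and
    comment-only lines return None.
    """
    tokens = shlex.split(line, comments=True)   # honours quotes and # comments
    if not tokens:
        return None
    if len(tokens) < 5:
        raise ValueError("rule needs a match, begin, profile and finish: %r" % line)
    *cond, begin, profile, finish = tokens
    conditions, i = [], 0
    while i < len(cond):
        negated = cond[i].startswith("!")
        key = cond[i][1:] if negated else cond[i]
        if negated and not key:                 # "!" written as a separate token
            i += 1
            key = cond[i] if i < len(cond) else ""
        if key not in SUPPORTED or i + 1 >= len(cond):
            raise ValueError("cannot parse condition in rule: %r" % line)
        conditions.append((negated, key, cond[i + 1]))
        i += 2
        if i < len(cond):
            if cond[i] != "&&" or i + 1 >= len(cond):
                raise ValueError("expected '&& match_key match_value': %r" % line)
            i += 1
    return conditions, begin, profile, finish


def condition_holds(key, value, client):
    """True if the client's attribute equals, or falls inside, match_value."""
    if key == "any":
        return True
    have = client.get(key)
    if have is None:
        return False
    if key in RANGE_KEYS:
        low, _, high = value.partition("-")
        return int(low) <= int(have) <= int(high or low)
    return str(have) == value


def select_profile(rules_text, client):
    """Return (begin, profile, finish) of the first matching rule, or None.

    None corresponds to the client starting an interactive configuration.
    """
    joined = rules_text.replace("\\\n", " ")    # backslash continues a rule
    for line in joined.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        conditions, begin, profile, finish = rule
        if all(condition_holds(k, v, client) != neg for neg, k, v in conditions):
            return begin, profile, finish
    return None


# Constructed sample rules file; profile and script names are hypothetical.
RULES = """\
# most specific entries first
hostname client1 - profile1 -
karch sun4u && memsize 512-1024 - profile_mid finish_mid
karch sun4u && !hostname lab9 \\
    begin_big profile_big -
any - - profile_default -
"""

if __name__ == "__main__":
    for host, mem in (("client1", 768), ("web3", 768), ("db1", 4096), ("lab9", 2048)):
        client = {"hostname": host, "karch": "sun4u", "memsize": mem}
        print(host, "->", select_profile(RULES, client))
```

Moving the any entry to the top of the constructed file would make every client receive profile_default, which is the ordering mistake this kind of dry run is meant to catch.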

Running the check Script

Before a JumpStart client can use a configuration provided by a JumpStart server, you must run the check script to produce a file called rules.ok. The check script validates the syntax of the rules file and the profile files. If the validation completes successfully, the check script creates the rules.ok file.

This procedure assumes that the rules and profile file that you intend to use exist in the /export/config directory, and that the Solaris 10 OS has been spooled below the /export/install directory. To run the check script on a JumpStart server, complete the following steps:

1. Change the directory to the location of the check script.

# cd /export/install/Solaris_10/Misc/jumpstart_sample

2. Copy the check script to the /export/config directory.

# cp check /export/config

3. Change the directory to /export/config, and run the check script.

# cd /export/config
# ./check
Validating rules...
Validating profile profile1...
The custom JumpStart configuration is ok.
#

4. If the check script reports an error, edit the rules or profile file to correct the problem indicated. In the following example, the profile1 file contains a spelling error. For the example, the misspelling of the keyword, filesys, causes the check script to report the following output:

Validating rules...
Validating profile profile1...
Error in file "profile1", line 4
fileys c0t0d0s0 free /
ERROR: Invalid keyword

5. Once the rules or profile file have been edited to correct any errors, run the check script again.

# cd /export/config
# ./check
Validating rules...
Validating profile profile1...
The custom JumpStart configuration is ok.
#

Running the add_install_client Script

The add_install_client script configures the boot server to provide the network boot services that JumpStart clients require. Options to the add_install_client script also let you specify what servers and what directories offer identification, configuration, and installation services.

Before you run the add_install_client script, edit the /etc/inet/hosts and /etc/ethers files on the boot server, and add a JumpStart client entry to each file. The following example shows how an entry for client1 in the /etc/inet/hosts file appears:

192.10.10.4 client1

An entry for client1 in /etc/ethers could appear as follows:

8:0:20:10c:88:5b client1

Note – The add_install_client script must be run from the directory where the installation image or boot image resides.

The add_install_client script options and arguments must match how you have configured the services on the servers that you intend to use. In the following example, one server provides all the services for JumpStart. Run the add_install_client script only on the server that provides the boot image.

You must run the add_install_client script once for each JumpStart client.

For this basic JumpStart configuration procedure, the add_install_client script requires that you specify the following information:

- The server and path where the rules and profile files are located (the -c option)

- The server and path where the sysidcfg file is located (the -p option)

- The installation server

- The name of the client

- The kernel architecture of the client

The following procedure assumes that the Solaris 10 OS boot and installation images have been spooled below the /export/install directory, and that the rules, profile, and sysidcfg files you intend to use exist in the /export/config directory. To run the add_install_client script on a JumpStart server, complete the following steps:

1. Edit the /etc/inet/hosts file, and add an entry for the JumpStart client.

2. Edit the /etc/ethers file, and add an entry for the JumpStart client.

3. Change the directory to the location of the add_install_client script on the server.

# cd /export/install/Solaris_10/Tools

The following example supplies the required information for a client called client1:

# ./add_install_client -c server1:/export/config -p server1:/export/config client1 sun4u
saving original /etc/dfs/dfstab in /etc/dfs/dfstab.orig
Adding "share -F nfs -o ro,anon=0 /export/install" to /etc/dfs/dfstab
making /tftpboot
enabling tftp in /etc/inetd.conf
starting rarpd
starting bootparamd
starting nfsd's
starting nfs mountd
updating /etc/bootparams
copying inetboot to /tftpboot
#

The add_install_client script automatically makes the changes required to support RARP, TFTP, the bootparams file, and NFS requests from the client, but it only causes the server to share the installation directory. Sharing the installation directory allows the JumpStart client to mount a root (/) file system during the network boot process, and to gain access to the installation image.

Note – The following example shows that for the client to mount the configuration directory from the server, you must manually edit the /etc/dfs/dfstab file and add an entry to share the configuration directory:

share -o ro /export/config

This line in the /etc/dfs/dfstab file would share the /export/config directory as a read-only directory.

4. Run the svcs command to check that NFS services are enabled.

# svcs -a |grep nfs
STATE          STIME    FMRI
disabled       14:56:34 svc:/network/nfs/mapid:default
disabled       14:56:34 svc:/network/nfs/cbd:default
disabled       14:56:36 svc:/network/nfs/server:default
online         14:56:56 svc:/network/nfs/status:default
online         14:56:57 svc:/network/nfs/nlockmgr:default
online         14:57:13 svc:/network/nfs/client:default
online         14:57:13 svc:/network/nfs/rquota:ticlts
online         14:57:13 svc:/network/nfs/rquota:udp

5. Use the svcadm command to enable the NFS services if required:

# svcadm enable network/nfs/server:default

6. Check that the NFS service is online.

# svcs -a |grep nfs
STATE          STIME    FMRI
disabled       14:56:34 svc:/network/nfs/cbd:default
online         14:57:13 svc:/network/nfs/client:default
online         16:01:13 svc:/network/nfs/status:default
online         16:01:13 svc:/network/nfs/nlockmgr:default
online         16:01:14 svc:/network/nfs/mapid:default
online         16:01:14 svc:/network/nfs/rquota:ticlts
online         16:01:15 svc:/network/nfs/server:default
online         16:01:15 svc:/network/nfs/rquota:udp
bash-2.05b#

7. Verify that the /export/config and /export/install directories are currently shared.

# share
- /export/install ro,anon=0 ""
- /export/config ro ""
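The share output above shows /export/config exported with a bare ro option, which makes the directory, including the root_password hash in sysidcfg, readable by any host that can reach the NFS server. The following Python sketch is an added example, not part of the course material: it reads dfstab share lines, reports directories named as sensitive whose access is not limited to listed hosts, and builds a replacement line that uses the share_nfs ro=access_list form. The function names, the choice of /export/config as the sensitive directory and the client list are assumptions.

```python
import shlex


def parse_share(line):
    """Parse one dfstab line into (path, options) or None if it is not a share.

    options maps each -o item to its value; a bare option such as "ro"
    maps to an empty string.
    """
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] != "share":
        return None
    opts, path, i = {}, None, 1
    while i < len(tokens):
        flag = tokens[i]
        if flag in ("-F", "-d", "-o"):          # each of these takes one argument
            if i + 1 >= len(tokens):
                raise ValueError("option %s needs an argument: %r" % (flag, line))
            if flag == "-o":
                for item in tokens[i + 1].split(","):
                    name, _, value = item.partition("=")
                    opts[name] = value
            i += 2
        else:
            path = flag
            i += 1
    return path, opts


def open_to_all(opts):
    """True when ro/rw is given without a host list, or neither is given."""
    present = [opts[o] for o in ("ro", "rw") if o in opts]
    return not present or any(value == "" for value in present)


def audit(dfstab_text, sensitive_dirs):
    """Return (path, finding) tuples for shares of the sensitive directories."""
    findings = []
    for line in dfstab_text.splitlines():
        parsed = parse_share(line)
        if parsed is None:
            continue
        path, opts = parsed
        if path not in sensitive_dirs:
            continue
        if open_to_all(opts):
            findings.append((path, "read access is not limited to named hosts"))
        if opts.get("anon") == "0":
            findings.append((path, "anon=0 maps unauthenticated users to UID 0"))
    return findings


def restricted_line(path, opts, clients):
    """Rebuild a share line with read-only access limited to the named clients.

    Other -o items are kept; a -d description, if any, is not carried over.
    """
    kept = [("%s=%s" % (k, v)) if v else k
            for k, v in opts.items() if k not in ("ro", "rw")]
    option_list = ",".join(["ro=" + ":".join(clients)] + kept)
    return "share -F nfs -o %s %s" % (option_list, path)


# The two share lines shown on this page, as they would sit in /etc/dfs/dfstab.
DFSTAB = """\
share -F nfs -o ro,anon=0 /export/install
share -o ro /export/config
"""

if __name__ == "__main__":
    for path, finding in audit(DFSTAB, {"/export/config"}):
        print(path, "-", finding)
    print("suggested:", restricted_line("/export/config", {"ro": ""}, ["client1"]))
```

The host names in the access list must resolve on the server, which the /etc/inet/hosts entry added for the JumpStart client already provides.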

Booting the JumpStart Client

After the JumpStart server has been configured to provide all of the required services, you can initiate the installation process on the JumpStart client.

To boot the JumpStart client, perform the following steps:

1. Bring the JumpStart client to run state 0.

# init 0

2. Boot the client to initiate the software installation using JumpStart. Use the nowin option to use the text-only installation to allow viewing all errors that may occur.

ok boot net - install nowin

Exercise: Configuring a Software Installation Procedure Using JumpStart

In this lab, you configure a JumpStart server to support one install client.

Task Preparation

Before beginning this lab, ensure that you have removed NIS from your /etc/nsswitch.conf file, and unconfigured NIS. This includes the following steps on the NIS master, as well as a subset of these steps on the NIS slave and client:

cd /etc
cp nsswitch.files nsswitch.conf
rm /etc/defaultdomain
svcadm disable svc:/network/nis/client:default
svcadm disable svc:/network/nis/server:default
cd /var/yp
rm -r <domainname>

Task Summary

Perform the following tasks:

• Verify that the /etc/bootparams, /etc/timezone, /etc/ethers, and /etc/netmasks files exist and have the correct entries for the JumpStart client.

• Locate the Solaris 10 OS Software 1 CD-ROM. The JumpStart server shares this CD-ROM to allow the client to install the operating system.

• Determine the Ethernet (MAC) address of the client system.

• Unshare any NFS shared directories and remove any share commands from the /etc/dfs/dfstab file.

• This exercise demonstrates loading the Core configuration cluster from a shared Solaris 10 OS Software 1 CD-ROM. You can only load the Core and Minimal Network configuration clusters using JumpStart procedures in this way. Software installations using the Developer, Entire Distribution, or Entire Distribution with OEM support configuration clusters require loading a Solaris 10 OS image to disk from the Solaris 10 OS Software CD-ROMs, and using that image to load JumpStart clients. Refer to your lecture notes as necessary to perform the steps listed.


Worksheet for Configuring a Software Installation Procedure Using JumpStart Software

Complete the following worksheet before you begin.

Install server name: _____________________________________________

Timehost server name: __________________________________________

Note – Without an assigned timehost entry for one of the Solaris Operating System, the JumpStart process becomes interactive, prompting you for time information.

Directory containing the Solaris Operating System installation image: ______________________________________________________

Configuration server name: ______________________________________

Configuration directory: ________________________________________

Boot server name: _________________________________________________

Directory containing the boot image: ______________________________

JumpStart client’s name: ___________________________________________

JumpStart client’s IP address: ____________________________________

JumpStart client’s Ethernet address: _______________________________

JumpStart client’s architecture: ___________________________________


Tasks

Complete the following steps:

1. On the JumpStart server, log in as root. Open a terminal window, and change the directory to the /etc directory.

# cd /etc

2. Edit the /etc/ethers file, and add an entry for the JumpStart client, for example:

8:0:20:2f:100:3d client1

3. Edit the /etc/hosts file, and add an entry for the JumpStart client, if one does not already exist. Add the timehost alias to the JumpStart server's entry, for example:

192.10.200.1 server1 loghost timehost

192.10.200.100 client1

4. Edit or check the /etc/netmasks file to be certain that it contains the network number and subnet mask for your network, for example:

192.10.200.0 255.255.255.0

5. Insert the Solaris 10 OS Software 1 CD-ROM in the CD-ROM drive. Create the /export/config directory.

# mkdir /export/config

6. Change the directory to /cdrom/cdrom0/s0/Solaris_10/Misc/jumpstart_sample.

# cd /cdrom/cdrom0/s0/Solaris_10/Misc/jumpstart_sample

7. Copy the content of the jumpstart_sample directory to the /export/config directory. This step places sample configuration files, used by JumpStart, in the /export/config directory, which you use to complete the exercise.

# cp -r * /export/config

8. Change the directory to /export/config. Move the rules file to rules.orig.

# cd /export/config

# mv rules rules.orig

9. Create a new file called rules that contains the following entry. Enter the name of your JumpStart client instead of client1:

hostname client1 - host_class finish_script


10. Edit the /export/config/host_class file so that it specifies an initial install; a standalone system type; explicit partitioning; the End User software cluster; and partitions for root (/), swap, and /usr. Use partition sizes and device names appropriate for the JumpStart client system; for example:

install_type initial_install

system_type standalone

partitioning explicit

cluster SUNWCreq

filesys c0t0d0s0 300 /

filesys c0t0d0s1 128 swap

filesys c0t0d0s6 free /usr

11. In the /export/config directory, create a file called finish_script that contains the following lines.

#!/bin/sh

touch /a/noautoshutdown

This command configures the JumpStart client to avoid using the autoshutdown power-saving feature.

12. Change the permissions on finish_script to 755.

# chmod 755 finish_script

13. Run the /export/config/check program, and correct any problems in the rules or host_class files that it reports. Verify that the rules.ok file exists after the check program completes successfully.

# ./check

14. In the /export/config directory, create a file called sysidcfg that contains the following lines. The string pVKN72yW0kCMs is a 13-character encrypted string for the password cangetin. You could replace this string with a different encrypted password string by copying one from your own /etc/shadow file. Use the netmask appropriate to your network, as indicated by your instructor.

network_interface=hme0 { primary protocol_ipv6=no

netmask=255.255.255.0

default_route=none }

name_service=none

timezone=US/Mountain

system_locale=C

timeserver=localhost

security_policy=none

root_password=pVKN72yW0kCMs


15. Edit the /etc/dfs/dfstab file to add an entry for the /export/config directory as follows:

share -o ro /export/config

16. Run the svcs command to see if the NFS service is online.

# svcs -a |grep nfs

STATE STIME FMRI

disabled 14:56:34 svc:/network/nfs/mapid:default

disabled 14:56:34 svc:/network/nfs/cbd:default

disabled 14:56:36 svc:/network/nfs/server:default

online 14:56:56 svc:/network/nfs/status:default

online 14:56:57 svc:/network/nfs/nlockmgr:default

online 14:57:13 svc:/network/nfs/client:default

online 14:57:13 svc:/network/nfs/rquota:ticlts

online 14:57:13 svc:/network/nfs/rquota:udp

17. If the NFS service is disabled, enable it using the svcadm command.

# svcadm enable network/nfs/server:default

18. Check that the NFS service is now online.

# svcs -a |grep nfs

STATE STIME FMRI

disabled 14:56:34 svc:/network/nfs/cbd:default

online 14:57:13 svc:/network/nfs/client:default

online 16:01:13 svc:/network/nfs/status:default

online 16:01:13 svc:/network/nfs/nlockmgr:default

online 16:01:14 svc:/network/nfs/mapid:default

online 16:01:14 svc:/network/nfs/rquota:ticlts

online 16:01:15 svc:/network/nfs/server:default

online 16:01:15 svc:/network/nfs/rquota:udp

19. If the NFS service is already running, run the shareall command:

# shareall

20. Change the directory to /cdrom/cdrom0/s0/Solaris_10/Tools.

# cd /cdrom/cdrom0/s0/Solaris_10/Tools


21. Use the add_install_client program to add support for your JumpStart client. The following command example is appropriate for a server that will provide access to the operating system using a mounted Solaris 10 Software 1 CD-ROM. Replace server1 with the name of your JumpStart server, client1 with the name of your JumpStart client, and sun4x with the client architecture, for example sun4u, for the type of client system that you are using.

# ./add_install_client -c server1:/export/config -p server1:/export/config client1 sun4x

What action does the add_install_client program report that it takes regarding the files and daemons in Table 16-4?

22. Boot the JumpStart client.

ok boot net - install nowin

Table 16-4 Results of add_install_client Program

File or Daemon | Action
/etc/dfs/dfstab file |
/etc/inetd.conf file |
/etc/nsswitch.conf file |
/tftpboot file |
in.rarpd daemon |
rpc.bootparamd daemon |


Task Solutions

23. What actions does the add_install_client program report that it takes regarding the files and daemons in Table 16-5?

Table 16-5 Results of add_install_client Program

File or Daemon | Action
/etc/dfs/dfstab file | Copies the original to dfstab.orig, and adds a line to share slice 0 of the CD
/etc/inetd.conf file | Enables tftp
/etc/nsswitch.conf file | Changes the bootparams entry
/tftpboot file | Creates the directory, copies inetboot.SUN4U.Solaris_10-1 into it
rarpd daemon | Starts this daemon
bootparamd daemon | Starts this daemon
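
The exercise shares /export/config with share -o ro and stores a root_password string in the sysidcfg file in that directory. The following audit is an added example, not part of the course material: it reports shares that carry no host access list and any sysidcfg password string they expose, then repeats the check on a tightened dfstab. The ro=client1 lines, the function names, and the ROOT directory prefix are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the course material): audit who can read the
# JumpStart shares and whether a shared sysidcfg carries a root_password.
# ROOT is a directory prefix; the sample files are constructed from the
# exercise's dfstab lines and sysidcfg value.

# audit_shares DFSTAB: print "path scope anon" for every share line.
# scope is any-host unless access is limited with ro=list or rw=list.
# Assumes -d descriptions contain no spaces.
audit_shares() {
    awk '
    $1 != "share" { next }
    {
        opts = ""; path = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "-o") opts = $(++i)
            else if ($i == "-F" || $i == "-d") i++
            else if ($i ~ /^\// && path == "") path = $i
        }
        if (path == "") next
        n = split(opts, o, ","); bare = 0; listed = 0; anon = "-"
        for (j = 1; j <= n; j++) {
            if (o[j] == "ro" || o[j] == "rw") bare = 1
            if (o[j] ~ /^(ro|rw)=/) listed = 1
            if (o[j] == "anon=0") anon = "anon=0"
        }
        print path, ((bare || !listed) ? "any-host" : "listed-hosts"), anon
    }' "$1"
}

# audit_jumpstart ROOT: print one WARN line per finding; return 0 if none.
audit_jumpstart() (
    root=$1
    audit_shares "$root/etc/dfs/dfstab" | {
        found=0
        while read -r path scope anon; do
            [ "$scope" = any-host ] || continue
            if [ "$anon" = anon=0 ]; then
                echo "WARN $path: anon=0 with no host access list"
                found=1
            fi
            cfg=$root$path/sysidcfg
            [ -f "$cfg" ] || continue
            hash=$(sed -n 's/^root_password=//p' "$cfg")
            [ -n "$hash" ] || continue
            kind="password string"
            [ "${#hash}" -eq 13 ] && kind="13-character crypt(3) string"
            echo "WARN $path/sysidcfg: root_password ($kind) readable by any host"
            found=1
        done
        [ "$found" -eq 0 ]
    }
)

# Constructed sample: the two share lines and the sysidcfg value used in
# the exercise, placed under a temporary directory.
make_share_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/dfs" "$d/export/config" "$d/export/install"
    printf '%s\n' 'share -F nfs -o ro,anon=0 /export/install' \
                  'share -o ro /export/config' > "$d/etc/dfs/dfstab"
    printf '%s\n' 'name_service=none' 'root_password=pVKN72yW0kCMs' \
        > "$d/export/config/sysidcfg"
    echo "$d"
}

# One possible tightening (an assumption, not the course's configuration):
# limit both shares to the install client by name.
tighten() {
    printf '%s\n' 'share -F nfs -o ro=client1,anon=0 /export/install' \
                  'share -o ro=client1 /export/config' > "$1/etc/dfs/dfstab"
}

demo=$(make_share_sample)
audit_jumpstart "$demo" || echo "=> findings for the shares as configured in the exercise"
tighten "$demo"
audit_jumpstart "$demo" && echo "=> no findings after restricting the shares"
rm -rf "$demo"
```

Run it with a ROOT of / on the JumpStart server to audit the live /etc/dfs/dfstab and the shared configuration directory.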


Setting Up JumpStart Software Configuration Alternatives

JumpStart supports a range of alternative server and client configurations. Depending on your network configuration, available server resources, and the client configurations that you want, you can:

• Set up all JumpStart services on a single server

• Configure one server per subnet to provide boot services separately from the other JumpStart services

• Configure boot, identification, configuration, and installation services on separate servers

• Configure begin scripts and finish scripts to further customize software installation on JumpStart clients

• Configure a name service to provide identification information

The flexibility in server and client configuration lets you build JumpStart services to meet your specific software installation needs.


Introducing the JumpStart Client Boot Sequence

To understand the services that a boot server provides, it is useful to know how a JumpStart client boots using the network, as shown in Figure 16-3.

Figure 16-3 The JumpStart Boot Process

[Figure: timeline of the numbered client and server actions in the boot sequence, from the client's RARP broadcast to the client running the suninstall program.]


Figure 16-3 on page 16-35 shows the JumpStart client boot process. The following steps describe how a JumpStart client boots from a boot server, and starts the installation process:

1. When a JumpStart client boots, the boot PROM broadcasts a RARP request to the local subnet.

2. The in.rarpd daemon on the boot server processes the client’s RARP request by:

a. Looking up the client’s Ethernet address and host name in the /etc/ethers file

b. Checking for a corresponding host name in the /etc/hosts file

c. Returning the associated IP address to the client

3. The client’s boot programmable read-only memory (PROM) sends a TFTP request for a network bootstrap program.

4. The in.tftpd daemon on the boot server processes the client’s TFTP request. The daemon searches the /tftpboot directory for a file whose name is the hexadecimal representation of the client’s IP address. This file is a symbolic link that points to a network bootstrap program.

5. The in.tftpd daemon on the boot server returns the network bootstrap program to the JumpStart client.

6. The JumpStart client runs the network bootstrap program.

7. The network bootstrap program issues a whoami request to discover the JumpStart client’s host name.

8. The rpc.bootparamd daemon on the boot server looks up the client’s host name, and returns it to the client.

9. The network bootstrap program issues a getfile request to obtain the location of the root (/) file system.

10. The server responds with the location of the root (/) file system, obtained from the appropriate source:

• The /etc/bootparams file.

• A name service such as NIS, NIS+, or LDAP.

11. After the client obtains its boot parameters, the network bootstrap program mounts the root (/) file system from the boot server.

12. The client loads its kernel and starts the init program. When the JumpStart client finishes booting, it attempts to find configuration information.


13. The client searches for the configuration server using BOOTPARAMS information. The client mounts the configuration directory, and runs the sysidtool daemon.

14. The client uses BOOTPARAMS information to locate and mount the Solaris Operating System installation image.

15. The client runs the suninstall program and installs the Solaris Operating System.

For boot operations to continue, the following files and directories must be properly configured on the boot server:

• The /etc/ethers file

• The /etc/inet/hosts file

• The /tftpboot directory

• The /etc/bootparams file

• The /etc/dfs/dfstab file

The /etc/ethers and /etc/inet/hosts Files

A JumpStart client initially obtains its IP address through a RARP request while it boots. For the boot server to answer the RARP request, an entry for the client must exist in the /etc/ethers and /etc/inet/hosts files on the boot server.

Generally, you configure this information by editing these files manually, and by updating the name service, if one is in place. With this information available in either the /etc/ethers and /etc/inet/hosts files or in a name service, such as NIS or NIS+ on a boot server, the JumpStart client should be able to obtain the IP address and host name it needs to continue the boot process.


The /tftpboot Directory

JumpStart clients retrieve a network bootstrap program from the /tftpboot directory when they issue requests to the in.tftpd daemon running on the boot server. The in.tftpd daemon uses a symbolic link whose name is a hexadecimal representation of the client’s IP address. This symbolic link locates the network bootstrap program in the /tftpboot directory to return to the client. Different network bootstrap programs exist for different Solaris Operating System releases and client architectures.

In the following example, the symbolic link called C00A0A04 points to the network bootstrap program called inetboot.SUN4U.Solaris_10-1.

# cd /tftpboot

# ls -l

total 280

lrwxrwxrwx 1 root other 26 Nov 110 17:31 C00A0A04 -> inetboot.SUN4U.Solaris_10-1

The add_install_client script creates the required files in the /tftpboot directory when you run it to configure boot support for a JumpStart client. The platform group argument that you specify to the add_install_client script selects the bootstrap program appropriate for the client’s kernel architecture. Running the add_install_client script from a Solaris 10 OS image automatically selects a bootstrap program specific to the Solaris 10 OS.

Note – Use the bc utility for a quick conversion from IP numbers to hexadecimal numbers. Run the bc utility, and press the Return key. Then enter obase=16. Enter each of the IP fields, one at a time, to get the hexadecimal conversion. Thus, 192 = C0, 10 = 0A, 10 = 0A, and 4 = 04. Putting it all together, the resultant hexadecimal IP number is C00A0A04. Press <Control-D> to exit the bc utility.


Describing the /etc/bootparams File

JumpStart clients retrieve information from the network when they issue requests to the rpc.bootparamd daemon that runs on the boot server. The rpc.bootparamd daemon references either:

• The /etc/bootparams file

• A naming service such as NIS, NIS+, or LDAP

and returns the information to the client. The client system uses this information to mount the directories that it requires using the NFS service.

The add_install_client script updates the /etc/bootparams file when you run it to configure boot support for a JumpStart client. The /etc/bootparams file contains one entry for each JumpStart client that the boot server supports. Each entry lists the servers and directories that provide boot, identification, configuration, and installation services.

The options and arguments that you specify when you run the add_install_client script determine the content of the /etc/bootparams file. The following example shows an entry in the /etc/bootparams file for a JumpStart client named client1:

client1

root=server1:/export/install/Solaris_10/Tools/Boot

install=server1:/export/install

boottype=:in

sysid_config=server1:/export/config

install_config=server1:/export/config

rootopts=:rsize=32768

The add_install_client command that creates the /etc/bootparams entry in the preceding example is:

# cd /export/install/Solaris_10/Tools

# ./add_install_client -c server1:/export/config -p server1:/export/config client1 sun4u


Table 16-6 describes the example entries in the /etc/bootparams file.

Table 16-6 Entries in the /etc/bootparams File

Entry | Definition
client1 | Specifies the JumpStart client name.
root=server1:/export/install/Solaris_10/Tools/Boot | Lists the boot server name and directory where the root (/) file system is found. This path is derived from the server and directory where you run the add_install_client script.
install=server1:/export/install | The server name and directory where the Solaris Operating System installation image is found. Unless you use the -s option, this path is derived from the server and directory where you run the add_install_client script.
boottype=:in | Indicates that client1 is an install client. This entry is the default client type created by the add_install_client script.
sysid_config=server1:/export/config | Lists the server name and directory where the sysidcfg file is found. This path is taken from the -p option and argument to the add_install_client script.
install_config=server1:/export/config | Lists the server name and directory where the rules and profile files are found. This path is taken from the -c option and argument to the add_install_client script.
rootopts=:rsize=32768 | Lists the mount options for the root (/) file system and the NFS read size.


The /etc/dfs/dfstab File

JumpStart clients require access to directories that servers make available using NFS. Placing an entry for a directory in the /etc/dfs/dfstab file on a server lets the server automatically share the directory when it boots.

The add_install_client script creates only one entry in the /etc/dfs/dfstab file on the boot server. This entry shares the location of the boot and installation images. For example:

share -F nfs -o ro,anon=0 /export/install

The ro and anon=0 options for the share directory in this example let JumpStart clients mount the directory as read-only and retain their root user privileges for the mount.

Any other directory that JumpStart clients require must be shared by the server that provides it. Generally, you must manually edit the /etc/dfs/dfstab file to create entries for these directories. For example, if a separate server provides JumpStart configuration information, the /etc/dfs/dfstab file on that server must contain an entry for it:

share -o ro /export/config

Before a JumpStart client can boot and obtain all of the NFS resources it requires, every directory listed as an argument to the add_install_client script must be shared by the server on which it resides.
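
The boot sequence and the five boot server files described above can be checked together before a client is booted. The following preflight script is an added example, not part of the course material or the Solaris tools; it walks the ethers, hosts, /tftpboot, bootparams, and dfstab stages for one client against a constructed copy of the files. The function names, the ROOT directory prefix, and the sample MAC address are assumptions.

```sh
#!/bin/sh
# Added example (not from the course material): check, stage by stage, the
# boot server files a JumpStart client's network boot depends on.
# ROOT is a directory prefix so the check can run on a copy of the files.
# All names, addresses and the MAC below are constructed sample values.

# Dotted-quad IP -> 8-digit hex file name that in.tftpd looks up.
ip_to_hex() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          printf "%02X%02X%02X%02X\n", $1, $2, $3, $4 }'
}

# preflight ROOT CLIENT SERVER: print OK/FAIL per stage; return 0 only
# when every stage passes. Assumes one bootparams line per client.
preflight() (
    root=$1 client=$2 server=$3 bad=0
    ok()   { echo "OK   $*"; }
    fail() { echo "FAIL $*"; bad=1; }

    # RARP: Ethernet address -> host name -> IP address
    mac=$(awk -v c="$client" '$2 == c { print $1; exit }' \
          "$root/etc/ethers" 2>/dev/null) || mac=
    if [ -n "$mac" ]; then ok "ethers: $client is $mac"
    else fail "ethers: no entry for $client"; fi
    ip=$(awk -v c="$client" '$1 !~ /^#/ {
             for (i = 2; i <= NF; i++) if ($i == c) { print $1; exit } }' \
         "$root/etc/inet/hosts" 2>/dev/null) || ip=
    if [ -n "$ip" ]; then ok "hosts: $client is $ip"
    else fail "hosts: no entry for $client"; fi

    # TFTP: the hex-named symbolic link must resolve to a bootstrap program
    hex=$(ip_to_hex "$ip") || hex=
    if [ -n "$hex" ] && [ -h "$root/tftpboot/$hex" ] && [ -e "$root/tftpboot/$hex" ]
    then ok "tftpboot: $hex resolves"
    else fail "tftpboot: no usable link ${hex:-for unknown IP}"; fi

    # BOOTPARAMS and NFS: each directory named for this server must be shared
    entry=$(awk -v c="$client" '$1 == c { print; exit }' \
            "$root/etc/bootparams" 2>/dev/null) || entry=
    for key in root install sysid_config install_config; do
        val=$(echo "$entry" | tr ' \t' '\n\n' | sed -n "s/^$key=//p")
        if [ -z "$val" ]; then fail "bootparams: no $key= for $client"; continue; fi
        host=${val%%:*} path=${val#*:}
        if [ "$host" != "$server" ]; then
            ok "bootparams: $key is served by $host (check dfstab there)"; continue
        fi
        shared=$(awk -v p="$path" '$1 == "share" {
                for (i = 2; i <= NF; i++) if ($i ~ /^\//) {
                    if (p == $i || index(p, $i "/") == 1) { print $i; exit }
                    break } }' "$root/etc/dfs/dfstab" 2>/dev/null) || shared=
        if [ -n "$shared" ]; then ok "dfstab: $path ($key) shared via $shared"
        else fail "dfstab: $path ($key) is not shared"; fi
    done
    [ "$bad" -eq 0 ]
)

# Constructed sample: the state right after add_install_client, which
# shares only the install image; /export/config is not yet in dfstab.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/inet" "$d/etc/dfs" "$d/tftpboot"
    echo '8:0:20:aa:bb:cc client1' > "$d/etc/ethers"
    printf '%s\n' '192.10.10.1 server1 timehost' '192.10.10.4 client1' \
        > "$d/etc/inet/hosts"
    : > "$d/tftpboot/inetboot.SUN4U.Solaris_10-1"
    ln -s inetboot.SUN4U.Solaris_10-1 "$d/tftpboot/C00A0A04"
    echo 'client1 root=server1:/export/install/Solaris_10/Tools/Boot' \
         'install=server1:/export/install boottype=:in' \
         'sysid_config=server1:/export/config' \
         'install_config=server1:/export/config rootopts=:rsize=32768' \
        > "$d/etc/bootparams"
    echo 'share -F nfs -o ro,anon=0 /export/install' > "$d/etc/dfs/dfstab"
    echo "$d"
}

demo=$(make_sample)
preflight "$demo" client1 server1 || echo "=> fix the FAIL lines, then rerun"
echo 'share -o ro /export/config' >> "$demo/etc/dfs/dfstab"
preflight "$demo" client1 server1 && echo "=> every stage passes"
rm -rf "$demo"
```

The first run fails on the two /export/config entries because only the install image is shared; the second run passes once the configuration directory is added to dfstab.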


Setting Up a Boot-Only Server

Network configuration considerations or limits on server resources might require that you create JumpStart boot-only servers. A boot server responds to RARP, TFTP, and BOOTPARAMS requests from JumpStart clients and provides a boot image using the NFS service.

In the BOOTPARAMS information that it offers, the boot server identifies the servers that provide identification, configuration, and installation services.

Two main configuration steps are required to create a JumpStart boot server:

• Running the setup_install_server script with the -b option to spool a boot image from CD-ROM or DVD

• Running the add_install_client script with options and arguments that show a list of servers and the identification, configuration, and installation services that they provide

It is also possible to provide boot services from a shared CD-ROM or DVD, but this is not the most common or practical configuration, and can be a security issue.

Subnet Restrictions

JumpStart clients broadcast RARP requests when they attempt to boot from the network. Broadcast network traffic is normally not forwarded to networks other than the one where the broadcast traffic originated. This situation requires that a JumpStart boot server exist on the same subnet to which JumpStart clients are directly connected.

The initial network requests for boot-related services are the only JumpStart client requests that are limited by these subnet restrictions. Identification services can be provided by a sysidcfg file made available to the client by using NFS or by binding the JumpStart client to a name service in use. Configuration and installation services are also made available using the NFS service. The NFS service and name services generally allow network traffic to route among subnets, so the services that depend on them can be provided by servers on different subnets from the one to which the client is directly attached.


Note – An alternative to this restriction would be to use a DHCP installation. More information on this topic can be found at http://docs.sun.com/app/docs/doc/817-5504, Solaris 10 Installation Guide: Network-Based Installations.

Often, a single server provides all of the JumpStart services. It might be necessary for various reasons to configure servers other than the boot server to respond to identification, configuration, or installation requests from JumpStart clients. In these cases, it is useful to create a boot server on the subnet where JumpStart clients reside.

Figure 16-4 shows a JumpStart network configuration with a separate boot server.

Figure 16-4 The JumpStart Boot Server

[Figure: network diagram with a JumpStart server (boot, configuration, identification, and installation services), a router, a boot server (boot services), and JumpStart clients.]


Executing the setup_install_server Script

To spool only the boot image from a Solaris 10 OS Software 1 CD-ROM or from the DVD, run the setup_install_server script with the -b option. In the Solaris 10 Operating System, the setup_install_server script spools a boot image that occupies about 400 Mbytes of disk space. All JumpStart clients that boot from this server use the same boot image.

To spool the Solaris 10 Operating System boot image to a local disk, complete the following steps on the system chosen as a boot server:

1. Create an empty directory with at least 400 Mbytes of space available to hold the Solaris Operating System boot image. The /export/install directory is usually used for this purpose.

# mkdir /export/install

2. Insert the Solaris 10 OS Software 1 CD-ROM in the CD-ROM drive, or the Solaris 10 OS DVD in the DVD drive. Allow the vold command to automatically mount the media.

3. Change the directory to the location of the setup_install_server script.

# cd /cdrom/cdrom0/s0/Solaris_10/Tools

4. Run the setup_install_server script with the -b option to copy the Solaris 10 Operating System boot image to the local disk. This process can take up to 30 minutes.

# ./setup_install_server -b /export/install

5. When setup_install_server finishes, change directory to root (/), and eject the CD-ROM or DVD.

# cd /

# eject cdrom 

Executing the add_install_client Script

The add_install_client script configures the boot server to offer the network boot services that JumpStart clients require. When you configure a boot-only server, you must specify options to the add_install_client script to indicate which servers and which directories provide identification, configuration, and installation services.


You must run the add_install_client script once for each JumpStart client.

Before you run the add_install_client script, update the /etc/inet/hosts and /etc/ethers information for the JumpStart client.

If a name service is not in use, edit the /etc/inet/hosts and /etc/ethers files on the boot server, and add an entry to each file for the JumpStart client. For example, an entry for client1 in the /etc/inet/hosts file could appear as follows:

192.10.10.4 client1

An entry for client1 in the /etc/ethers file could appear as follows:

8:0:20:10c:88:5b client1

If a name service is in use, you must edit the /etc/inet/hosts and/etc/ethers files on the appropriate name service server, and run thecommands required to update the name service maps or tables.

The /etc/inet/hosts file on the boot server must also contain an entryfor each server you specify when you run the add_install_clientscript.

The add_install_client script automatically makes the changes

required for the boot server to support RARP, TFTP, BOOTPARAMS ,and NFS requests from the client. The add_install_client scriptautomatically causes the boot server to share the /export/install

directory, if that is where the boot image is spooled. Sharing the/export/install directory lets the JumpStart client mount the bootimage during the network boot process.

The following procedure assumes that the Solaris 10 OS boot image hasbeen spooled below the /export/installdirectory on the boot server. Italso assumes that the JumpStart Server has the sysidcfg file, rules.okfile, and class file located in the /export/config directory.

To run the add_install_client script on a boot server, complete thefollowing steps:

1. Update the /etc/inet/hosts information to add an entry for theJumpStart client.

2. Update the /etc/ethers information to add an entry for theJumpStart client.

3. Change the directory to the location of the add_install_client script on the server.

# cd /export/install/Solaris_10/Tools

4. Run the add_install_client script, and specify server and client information as follows:

# ./add_install_client -c 192.168.1.1:/export/config -p 192.168.1.1:/export/config -s 192.168.2.1:/export/install clientA sun4u
saving original /etc/dfs/dfstab in /etc/dfs/dfstab.orig
Adding "share -F nfs -o ro,anon=0 /export/install/Solaris_10/Tools/Boot" to /etc/dfs/dfstab
making /tftpboot
enabling tftp in /etc/inetd.conf
starting rarpd
starting bootparamd
starting nfsd's
starting nfs mountd
updating /etc/bootparams
copying inetboot to /tftpboot
#

When you complete this procedure, and meet conditions on the other servers, you can initiate the installation process on a JumpStart client.

Setting Up Identification Service Alternatives

JumpStart clients can obtain the identification information that they require from different sources, including the /etc/inet/hosts file on a boot server, the sysidcfg file, or a name service, such as NIS, NIS+, or LDAP. Identification information provided in a sysidcfg file takes precedence over information provided by other sources.

Configuring /etc/inet/hosts and /etc/ethers Files

If a name service is not in use, a JumpStart client obtains its IP address and host name from the /etc/inet/hosts file found on the boot server.

If a name service is in use, the maps or tables that contain /etc/inet/hosts and /etc/ethers information must include entries for the JumpStart client.

Configuring the sysidcfg File

JumpStart clients use information in the sysidcfg file to answer identification questions. Information in this file replaces identification information available to the client from other sources. If the JumpStart client cannot obtain a response for an identification question, the client interrupts the automatic identification process and asks for the information.

The Solaris OS JumpStart clients require a sysidcfg file to answer identification questions that cannot be provided by default from a name service, including entries with information regarding:

- Default router (if not using router discovery)

- IPv6

- Kerberos configuration

- Naming service

The sysidcfg file allows you to specify nearly all of the identification information that a JumpStart client requires. The sysidcfg file can contain:

- Identification information that all JumpStart clients can use

- Information that is client-specific

If you supply client-specific information in the sysidcfg file, you must create a separate sysidcfg file for each client. You must name the file sysidcfg on each system. Therefore, if you specify client-specific information in the sysidcfg file, you must place each unique sysidcfg file in a separate directory.

Locating the sysidcfg File

Typically, you would create a generic sysidcfg file in the /export/config directory on a JumpStart server. The sysidcfg files that contain client-specific information must exist in separate directories. For example, the /export/config/client1/sysidcfg directory.

JumpStart clients learn of the location of the sysidcfg file from BOOTPARAMS information that they obtain from the boot server. When you run the add_install_client script on the boot server, use the -p option, and specify the server and path where the sysidcfg file is stored. The following command indicates that the sysidcfg file that client1 will use is found on the server, server1, in the /export/config directory.

# ./add_install_client -c server1:/export/config -p server1:/export/config client1 sun4u

The server, server1, must share the /export/config directory by using the NFS service before the client can mount it.

Constructing the sysidcfg File

The sysidcfg file lets you specify many different identification items. Entries in the sysidcfg file must conform to the following rules:

- Independent keywords can be listed in any order.

- Keywords are not case sensitive.

- Keyword values can be optionally enclosed in single (') or double (") quotation marks.

- Dependent keywords must be enclosed in curly braces ({}) to tie them to their associated independent keyword.

- For all keywords except the network_interface keyword, only the first instance of a keyword is valid. If a keyword is specified more than once, only the first keyword specified is used.

Examples of the sysidcfg File

The following is an example of the sysidcfg file configuring a single network interface:

network_interface=hme0 { primary protocol_ipv6=no
                         netmask=255.255.255.0
                         default_route=192.10.10.1}
security_policy=none
name_service=none
timezone=US/Mountain
system_locale=en_US
timeserver=192.10.10.1
root_password=Hx23475vABDDM

Note – The encrypted root_password entry in this example represents the password cangetin.

The following example shows a sysidcfg file which is used to configure multiple network interfaces. The capability to configure multiple network interfaces in the sysidcfg file was introduced in Solaris 9 (9/04).

network_interface=hme0 { primary hostname=sys01
                         ip_address=192.168.2.10
                         protocol_ipv6=no
                         netmask=255.255.255.0
                         default_route=192.168.2.1}
network_interface=qfe0 { hostname=sys01
                         ip_address=192.168.2.101
                         protocol_ipv6=no netmask=255.255.255.0
                         default_route=192.168.2.1}
network_interface=qfe1 { hostname=sys02
                         ip_address=192.168.2.111
                         protocol_ipv6=no netmask=255.255.255.0
                         default_route=192.168.2.1}
network_interface=qfe2 { dhcp protocol_ipv6=no }
network_interface=qfe3 { ip_address=192.168.2.121
                         protocol_ipv6=no netmask=255.255.255.0
                         default_route=192.10.10.1}
security_policy=none
name_service=none
timezone=US/Mountain
system_locale=en_US
timeserver=192.10.10.1
root_password=Hx23475vABDDM
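
The keyword rules listed under "Constructing the sysidcfg File" decide which entries a client actually uses, and a duplicated keyword is dropped without any message. The following added example (not part of the original guide or of the Solaris software) resolves the effective entries of a sysidcfg file and marks a root_password entry for review. The function names, the report format, and the sample file are constructed for illustration; a POSIX shell and awk are assumed, and values are assumed to contain no white space.

```shell
#!/bin/sh
# Added example: report which sysidcfg entries take effect under the
# keyword rules. POSIX sh and awk assumed; values contain no white space.

# write_sample FILE -> writes a constructed sysidcfg file for the demo
write_sample() {
    cat > "$1" <<'EOF'
network_interface=hme0 { primary protocol_ipv6=no
                         netmask=255.255.255.0
                         default_route=192.10.10.1 }
network_interface=qfe0 { dhcp protocol_ipv6=no }
Security_Policy=none
name_service=none
timezone="US/Mountain"
root_password=Hx23475vABDDM
timezone=US/Pacific
root_password=REPLACEMENTHASH
EOF
}

# lint_sysidcfg FILE -> EFFECTIVE / IGNORED / REVIEW / ERROR lines on stdout
lint_sysidcfg() {
    awk -v sq="'" '
    BEGIN { quote = "^[\"" sq "]|[\"" sq "]$" }   # leading or trailing quote mark
    {
        gsub(/[{}]/, " & ")                       # make each brace its own token
        n = split($0, tok, " ")
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t == "{") { depth++; continue }
            if (t == "}") { depth--; continue }
            eq = index(t, "=")
            if (depth > 0 || eq == 0) continue    # dependent keyword or bare word
            key = tolower(substr(t, 1, eq - 1))   # keywords are not case sensitive
            val = substr(t, eq + 1)
            gsub(quote, "", val)                  # quotation marks are optional
            shown = (key == "root_password") ? "<hash>" : val   # keep hashes out of reports
            if (key == "network_interface") {     # the only repeatable keyword
                print "EFFECTIVE " key "=" val
            } else if (key in first) {            # only the first instance is valid
                print "IGNORED line " NR ": " key "=" shown " (line " first[key] " wins)"
            } else {
                first[key] = NR
                print "EFFECTIVE " key "=" shown
                if (key == "root_password") {
                    form = (length(val) == 13 && val ~ "^[./0-9A-Za-z]+$") ? "13-character crypt(3) hash" : "hash"
                    print "REVIEW line " NR ": root_password " form " is stored in an NFS-served file"
                }
            }
        }
    }
    END { if (depth != 0) print "ERROR unbalanced braces" }
    ' "$1"
}

# Demonstration on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
lint_sysidcfg "$sample"
rm -f "$sample"
```

In the sample, the second timezone and root_password entries are reported as IGNORED, which is what happens when a replacement value is appended to the file instead of edited in place.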

Setting Up Configuration Service Alternatives

You can customize how JumpStart clients load and configure the Solaris OS. Entries in the rules.ok and profile files establish the basic Solaris OS configuration that a JumpStart client uses. Begin and finish scripts further customize the software installation process.

Examples of rules File Entries

The following is an example of the rules file entries.

#
# The first five rules listed here demonstrate specifics:
#
hostname client1 - host_class set_root_pw
hostname client2 - class_basic_user -
network 192.43.34.0 && ! model 'SUNW,Ultra-5_10' - class_net3 -
model 'SUNW,Ultra-5_10' - class_ultra complete_ultra
memsize 64-106 && arch sparc - class_prog_user -
#
# The following rule matches any system.
any - - class_generic -

In this rules file example:

- The first rule matches a machine with the host name client1. The class file is host_class. The finish script is set_root_pw.

- The second rule matches a machine with host name client2. The class file is class_basic_user.

- The third rule matches any machine on network 192.43.34 that is not an Ultra™ 5 or 10 system architecture. The class file is class_net3. This rule does not specify a begin or finish script.

- The fourth rule matches a machine that is an Ultra 5 or 10 system architecture. The class file is class_ultra. There is a finish script called complete_ultra.

- The fifth rule matches a machine using SPARC architecture and with a memory size between 64 and 106 Mbytes. The class file is class_prog_user.

- The sixth rule matches any machine. The class file is class_generic. This rule does not specify a begin or finish script.

Begin Scripts

Begin scripts are Bourne scripts that JumpStart clients run before installing the Solaris OS. Begin scripts allow you to perform a variety of tasks on the JumpStart client. Typically, you would use a begin script to back up data from the client before proceeding with the Solaris OS installation.

The following example begin script causes the JumpStart client to copy its existing /etc/passwd and /etc/shadow files to a directory on an NFS server:

#!/bin/sh
# Name the backup directory after this client.
HOSTNAME=`/bin/uname -n`
# Mount the backup share from the NFS server.
mount 192.10.10.100:/backup /mnt
if [ ! -d /mnt/${HOSTNAME} ]; then
    mkdir /mnt/${HOSTNAME}
fi
if [ -d /mnt/${HOSTNAME} ]; then
    # Mount the previously installed root (/) file system and copy the files.
    mount /dev/dsk/c0t0d0s0 /a
    cp /a/etc/passwd /a/etc/shadow /mnt/${HOSTNAME}
    umount /a
fi
umount /mnt

This example script works only if the following conditions exist:

- The server using the IP address 192.10.10.100 shares the /backup directory in read-write mode and with the anon=0 option set, which gives the root user on the client root access to the share

- The JumpStart client has a previously installed root (/) file system available as /dev/dsk/c0t0d0s0

This example script shows that a begin script can mount disk resources from other systems, mount resources from the client itself, and copy files between those mounted directories. File systems that exist on the client are available using their standard logical device names. NFS provides access to shared directories on the network. The mount points /a and /mnt are available in the root (/) file system when the JumpStart client mounts from the boot server.

For a client to use a begin script, the script must be associated with a rule that the client selects from the rules file. For example, the rule:

hostname client1 begin1 config1 -

would cause a JumpStart client called client1 to use the begin script called begin1.

Profile (Class) File

A profile file is a text file that determines how the Solaris Operating System installation proceeds on a JumpStart client. Profile files are sometimes called class files. Rules listed in the rules file allow classes of clients to select an appropriate profile file. Although you usually associate a different profile with every rule, you can use the same profile for multiple rules.

The following example shows that for a client to use a profile file, the profile must be associated with the rule the client selects from the rules file:

hostname client1 - config1 -

The rules.ok file would cause a JumpStart client called client1 to use the profile file called config1.

An entry in a profile file consists of one keyword and its associated parameters. Each keyword controls one element of the Solaris Operating System software installation. Each profile consists of multiple entries. Profile file names must match the names used in the rules file.

Keywords and Arguments

Table 16-7 lists the keywords and parameters used in a profile file to specify how the Solaris OS installation proceeds on the JumpStart client.

Table 16-7 Keywords and Arguments for Profile Files

Keywords           Arguments
install_type       initial_install | upgrade | flash_install | flash_upgrade
system_type        standalone | server
partitioning       default | existing | explicit
cluster            cluster_name add | delete
package            package_name add | delete
usedisk            disk_name
dontuse            disk_name
locale             locale_name
num_clients        number
client_swap        size
client_arch        kernel_architecture
filesys            device size file_system optional_parameters
metadb             slice [size in blocks] [number]
patch              patch_id_list | patch_file patch_location
archive_location   retrieval_type location

The cluster keyword requires a parameter that names the configuration cluster you want to install. Table 16-8 defines the configuration cluster names according to the common names used for them during the interactive installation routine.

See the Solaris™ 10 System Release and Installation Collection for a description of the clusters and packages available on the Solaris 10 Software Distribution CD-ROMs.

Table 16-8 Possible Entries for the cluster Keyword

Interactive Installation Name           Configuration Cluster Name
Reduced Network                         SUNWCrnet
Core                                    SUNWCreq
End User                                SUNWCuser
Developer                               SUNWCprog
Entire Distribution                     SUNWCall
Entire Distribution Plus OEM Support    SUNWCXall

Examples of Profile Files

The following example describes a profile file that uses default partitioning, except that the swap partition size is set to 128 Mbytes. The client installs the developer configuration cluster (SUNWCprog) and adds the NIS packages, SUNWypr and SUNWypu. The manual pages from this cluster (SUNWman) are deleted because the client mounts them from the server named server1.

# Select software for programmers
install_type initial_install
system_type standalone
partitioning default
filesys any 128 swap # specify size of swap
filesys server1:/usr/share/man - /usr/share/man ro,soft
cluster SUNWCprog
package SUNWman delete
package SUNWypr add
package SUNWypu add

The following example describes a profile file that installs the Entire Distribution configuration cluster (SUNWCall), and removes the SUNWman package. The example uses explicit partitioning and declares the slices and sizes assigned to the root (/), swap, /usr, /var, and /opt file systems.

install_type initial_install
system_type standalone
partitioning explicit
filesys c0t0d0s0 150 /
filesys c0t0d0s1 128 swap
filesys c0t0d0s6 800 /usr
filesys c0t0d0s7 free /var
filesys c0t1d0s7 all /opt
cluster SUNWCall
package SUNWman delete

Creating RAID-1 Volumes using the Profile File

The filesys keyword can be used in the profile file to create RAID-1 volumes on the client system.

The syntax of the profile filesys keyword is:

filesys [mirror[:name] slice slice size file_system [mount_options]

The following example creates a mirror called d12 consisting of two components, slice c0t0d0s0 and c1t3d0s0. The size of the mirror is 850 Mbytes and is used as the mount point for the root file system.

filesys mirror:d12 c0t0d0s0 c1t3d0s0 850 /

If a name is not provided for the mirror, one is automatically provided.

The mirror keyword causes one state database replica to be put on each slice in the mirror automatically. The administrator may choose to create additional metastate databases.

The following profile example creates RAID-1 volumes (mirrors) for the root (/), /usr, and /var file systems:

install_type initial_install
cluster SUNWCXall
filesys mirror c0t0d0s0 c1t3d0s0 850 /
filesys mirror:d10 c0t0d0s1 c1t3d0s1 1000 /var
filesys c0t0d0s3 512 swap
filesys c1t3d0s3 512
metadb c0t0d0s4 count 4
metadb c1t3d0s4 count 4
filesys mirror c0t0d0s6 c1t3d0s6 5000 /usr
filesys c0t0d0s7 free /export/home
filesys c1t3d0s7 free

The following list describes this example:

1. The installation type is an initial installation.

2. The Entire Distribution Plus OEM software cluster is to be installed.

3. The root (/) file system is created and mirrored on the slices c0t0d0s0 and c1t3d0s0 and is 850 Mbytes in size. The resulting RAID volumes are automatically assigned names as none is specified.

4. The /var file system is created and mirrored on the slices c0t0d0s1 and c1t3d0s1. The RAID-1 volume is called d10.

5. The swap slice is created on c0t0d0s3 and is 512 Mbytes in size.

6. Slice c1t3d0s3 is 512 Mbytes in size but is not allocated to any file system.

7. Four state database replicas are created on slice c0t0d0s4 and slice c1t3d0s4.

8. The /usr file system is created and mirrored on slices c0t0d0s6 and c1t3d0s6. The name of the RAID-1 volume is automatically assigned.

9. The /export/home file system is created on the remaining free space on disk c0t0d0.

10. Slice c1t3d0s7 is created on the remaining free space on c1t3d0 but is not allocated to any file system.

Installing Packages That are not Part of the Installation Media

The package keyword previously was only used to add or delete packages from the installation that were part of the installation media. The keyword has been enhanced to allow package installations that are not part of the installation media. Previously this was only possible by using a finish script.

Packages to be installed can be obtained from the following sources:

- NFS server

- HTTP server

- Local device

- Local file

The syntax for the entry in the profile varies depending on the location selected, as shown in Table 16-9.

Table 16-9 Package Syntax

Package Source   Syntax example
NFS              package SUNWnew add nfs sys01:/var/spool/pkg/Solaris_10
                 or
                 package SUNWnew add nfs://sys01/var/spool/pkg/Solaris_10
HTTP             package SUNWnew add http://sys01/solaris10
                 or
                 package SUNWnew add http://sys01/solaris10 proxy sys02:8080
local_device     package SUNWnew add local_device c0t6d0s0 /solaris10/pkg ufs
local_file       package SUNWnew add local_file /solaris10/pkg

Adding Patches Using the patch Keyword

The patch keyword has been introduced to allow patches to be installed during the JumpStart process. Previously patches had to be installed either manually or with a finish script. Patches can be obtained from the following sources:

- NFS server

- HTTP server

- Local device

- Local file

Table 16-10 Patch keyword syntax

Source         Syntax Example
NFS            patch list_file nfs://sys01/solaris_10/patches
               patch 112345-06,122223-01 nfs sys01:/solaris_10/patches
HTTP           patch 112233-01,223344-04 http://sys01/solaris10/patches
               patch list_file http://sys01/solaris10/patches
local_device   patch 112233-01,223344-04 local_device c0t6d0s0 /solaris10/Patches
               patch list_file local_device c0t6d0s0 /solaris10/Patches
local_file     patch 112233-01,223344-04 local_file /solaris10/Patches
               patch list_file local_file /solaris10/Patches

Finish Scripts

Finish scripts are Bourne scripts that JumpStart clients run after installing the Solaris Operating System but before they reboot. Finish scripts allow you to perform a variety of post-installation tasks on the JumpStart client, including:

- Setting the power-management configuration

- Retrieving backed-up data from a server on the network

- Copying selected files from a JumpStart server to the client

The following example finish script causes the JumpStart client to turn off automatic shutdown for power management, retrieve its backed-up /etc/passwd and /etc/shadow files from a directory on an NFS server, and copy a file from the configuration server to the JumpStart client.

#!/bin/sh
# Turn off automatic shutdown for power management on the client.
touch /a/noautoshutdown
HOSTNAME=`/bin/uname -n`
# Retrieve the backed-up passwd and shadow files from the NFS server.
mount 192.10.10.100:/backup /mnt
if [ -d /mnt/${HOSTNAME} ]; then
    echo "Copying passwd and shadow..."
    cp /mnt/${HOSTNAME}/passwd /a/etc/passwd
    cp /mnt/${HOSTNAME}/shadow /a/etc/shadow
fi
umount /mnt
# Copy a file from the configuration server to the client.
mkdir /a/labfiles
cp ${SI_CONFIG_DIR}/files/setup.tar /a/labfiles

This example script works if the following conditions exist:

- The server using the IP address 192.10.10.100 shares the /backup directory.

- The passwd and shadow files exist in the /backup/client_name directory on the server that shares it, where client_name is the host name of the JumpStart client.

- The configuration server has the file called setup.tar in the files directory. The files directory must exist in the directory that this server shares, and the client uses it as ${SI_CONFIG_DIR}.

Typically ${SI_CONFIG_DIR} refers to the /export/config directory on the configuration server. ${SI_CONFIG_DIR} specifically refers to the directory associated with the install_config item that the client found in the /etc/bootparams file. The ${SI_CONFIG_DIR} variable is one of several JumpStart software-specific variables that you can use in begin and finish scripts.

Note – For more information on JumpStart software variables available for use in begin and finish scripts, refer to the Solaris 10 Release and Installation Collection.

In the Solaris 10 OS and earlier releases back to Solaris 2.5.1, JumpStart clients automatically mount all of their file systems below the /a directory, before the finish script runs. The client uses its boot image to construct the directory that it will use on reboot. The directory hierarchy is mounted under the /a directory in the boot image. This temporary mount point allows finish scripts to make changes to the client’s directory hierarchy by prefixing the absolute path name of the files and directories to be modified, created, or deleted with /a. This directory allows you to write finish scripts that copy files into the client’s file systems without mounting them within the script.

The touch /a/noautoshutdown command is the only method available to automatically disable the power management feature on the JumpStart client. Without this file in the client’s root (/) directory, the client asks power management configuration questions when it boots.

For a client to use a finish script, the script must be associated with the rule that the client selects from the rules.ok file. For example, consider the rule:

hostname client1 begin1 config1 finish1

This rule would cause a JumpStart client called client1 to use the finish script called finish1.
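
The example begin and finish scripts move /etc/passwd and /etc/shadow through an NFS share that is writable with anon=0, so the finish script installs whatever the share holds at restore time. The following added example (not from the original guide) checks the retrieved files before copying them below the client's root directory and leaves the freshly installed files in place when a check fails. The function names, the checks chosen, and the sample account data are assumptions made for illustration; a POSIX shell and awk are assumed.

```shell
#!/bin/sh
# Added example: validate passwd and shadow files fetched from the backup
# share before a finish script copies them below /a. POSIX sh and awk assumed.

# check_restored_accounts PASSWD SHADOW
# Prints one FAIL line per problem; returns 0 only when nothing was found.
check_restored_accounts() {
    if [ ! -s "$1" ] || [ ! -s "$2" ]; then
        echo "FAIL missing or empty passwd or shadow file"
        return 1
    fi
    awk -F: '
    FNR == NR {                                   # first file: passwd
        if (NF != 7) { print "FAIL passwd line " FNR ": expected 7 fields"; bad = 1; next }
        if ($3 == 0 && $1 != "root") { print "FAIL passwd: " $1 " has UID 0"; bad = 1 }
        if ($1 == "root" && $3 == 0) root_ok = 1
        known[$1] = 1
        next
    }
    {                                             # second file: shadow
        if (NF != 9) { print "FAIL shadow line " FNR ": expected 9 fields"; bad = 1; next }
        if (!($1 in known)) { print "FAIL shadow: " $1 " has no passwd entry"; bad = 1 }
        if ($2 == "") { print "FAIL shadow: " $1 " has an empty password field"; bad = 1 }
    }
    END {
        if (!root_ok) { print "FAIL passwd: no root entry with UID 0"; bad = 1 }
        exit (bad ? 1 : 0)
    }' "$1" "$2"
}

# restore_accounts BACKUP_DIR TARGET_ROOT
# Copies the files only after they pass the checks, then resets their modes.
restore_accounts() {
    check_restored_accounts "$1/passwd" "$1/shadow" || {
        echo "restore skipped: keeping the freshly installed files"
        return 1
    }
    cp "$1/passwd" "$2/etc/passwd" &&
    cp "$1/shadow" "$2/etc/shadow" &&
    chmod 644 "$2/etc/passwd" &&
    chmod 400 "$2/etc/shadow"
}

# In a finish script the call would look like this (hypothetical usage,
# with the server address and mount point taken from the example above):
#   if mount 192.10.10.100:/backup /mnt; then
#       restore_accounts /mnt/`/bin/uname -n` /a
#       umount /mnt
#   fi

# make_fixture DIR [tampered] -> constructed account files for the demo
make_fixture() {
    mkdir -p "$1"
    printf '%s\n' 'root:x:0:0:Super-User:/:/sbin/sh' \
                  'daemon:x:1:1::/:' \
                  'user1:x:100:10::/export/home/user1:/bin/ksh' > "$1/passwd"
    printf '%s\n' 'root:CONSTRUCTEDHASH1:6445::::::' \
                  'daemon:NP:6445::::::' \
                  'user1:CONSTRUCTEDHASH2:12000::::::' > "$1/shadow"
    if [ "$2" = tampered ]; then
        echo 'svc:x:0:1::/:/sbin/sh' >> "$1/passwd"
        echo 'svc::12000::::::' >> "$1/shadow"
    fi
}

# Demonstration: a backup with an extra UID 0 account is refused.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir/backup" tampered
mkdir -p "$demo_dir/a/etc"
restore_accounts "$demo_dir/backup" "$demo_dir/a" || echo "restore refused"
rm -rf "$demo_dir"
```

Checking the exit status of mount, as in the commented usage, also keeps the script from restoring from an empty /mnt when the server is unreachable.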

The NFSv4 Finish script

A sample script is delivered as part of the JumpStart sample files in the CD’s s0/Solaris_10/Misc/jumpstart_sample directory. This finish script allows the user to specify the NFS4 domain, within the script, and have the sysidcfg finish.sh script call it.

The provided script sets the NFSMAPID_DOMAIN setting in /etc/default/nfs and creates the /etc/.NFS4inst_state.domain state file.

Upon first system boot, sysidnfs4 is executed by sysidconfig as explained above, but the existence of the state file prevents any further prompts for the name of the NFSv4 domain.

The NFSv4 finish script (edited for brevity) is shown below:

# cat /cdrom/cdrom0/s0/Solaris_10/Misc/jumpstart_sample/set_nfs4_domain
#!/bin/sh
#
# @(#)set_nfs4_domain 1.1 04/11/08 SMI
#
...
#
echo "setting NFSv4 domain"
...
NFS4_DOMAIN=foo.bar
...
FILE=/a/etc/default/nfs
STATE=/a/etc/.NFS4inst_state.domain
VAR=NFSMAPID_DOMAIN
VALUE=${NFS4_DOMAIN}
...
TFILE=${FILE}.$$
sed -e "s/^#[ ]*${VAR}=.*\$/${VAR}=${VALUE}/" ${FILE} > ${TFILE}
mv ${TFILE} ${FILE}
...
IFILE=`echo ${FILE} | sed -e "s|^/a||g"`
PERM=`grep "^${IFILE} e" /a/var/sadm/install/contents |
    (read f1 f2 f3 f4 f5 ; echo $f4)`
chmod ${PERM} ${FILE}
touch ${STATE}
exit 0

Setting Up Installation Service Alternatives

In addition to the standard JumpStart installation configurations, you can create alternatives for installation.

Using CD and DVD Sources

You can set up boot and installation services directly from the Solaris 10 OS Software 1 CD-ROM or from the Solaris 10 OS Software DVD. To do this, you must also configure identification and configuration services in the same manner as when you use a spooled Solaris OS image.

The installation image found on the Solaris 10 OS Software 1 CD-ROM only supports installing the Core and Minimal Network configuration clusters. The Solaris 10 OS Software 2, 3, and 4 CD-ROMs contain the remainder of the installation image, but there is no support for changing CD-ROMs in the middle of a JumpStart installation procedure.

The Solaris 10 DVD contains an installation image that supports installing all configuration clusters through the Entire Distribution with Operating System support.

To set up boot and installation services from CD-ROM or DVD, complete the following steps:

1. Insert the Solaris 10 OS Software 1 CD-ROM in the CD-ROM drive or the Solaris 10 OS Software DVD in the DVD drive. Allow the vold daemon to automatically mount the media.

2. Change the directory to the location of the add_install_client script.

# cd /cdrom/cdrom0/s0/Solaris_10/Tools

3. Run the add_install_client script, and specify the server and client information as follows:

# ./add_install_client -c server:/config_path -p server:/sysid_path client_name platform_group

a. For the server:/config_path value, enter the name of the server and path where the rules and profile files are located.

b. For the server:/sysid_path value, enter the name of the server and path where the sysidcfg file is located.


c. For the client_name field, enter the name of the JumpStart client.

d. For the platform_group field, enter the correct kernel architecture for the JumpStart client, for example, sun4u.

The add_install_client script automatically makes the changes required to support RARP, TFTP, BOOTPARAMS, and NFS requests from the client, but this script only causes the server to share the /cdrom/sol_10_sparc/s0 directory. Sharing the /cdrom/sol_10_sparc/s0 directory lets the JumpStart client mount a root (/) file system during the network boot process and gain access to the installation image.

You must manually configure the appropriate servers to share the other directories you name in the add_install_client command.

Using a Flash Source

You can also use a Flash source as an alternative installation service. The Flash installation feature lets you create a single reference installation of the Solaris 10 OS on a master system. You can replicate the installation on other systems known as clones.

The Flash installation utilities are available as part of the Solaris OS. Before the Flash archive is created and deployed, you must decide how to integrate the installation process into your specific environment. Some items to consider are:

• Building support for custom hardware and driver configurations at installation time, which eliminates the need to re-create the archive in the future. The recommended installation for the required level of support on the master is Entire Distribution + OEM support.

• Selecting the name conventions for each archive in advance.

• Allocating the contents of each archive or customized multiple archives, including third-party software and package additions or deletions. At least one archive must contain the Solaris 10 OS files.

• Using the Solaris Installation.


There are certain advantages to using a Flash archive for the installation. These include:

• Reduction in installation time

• Greater portability, as the Flash archive can be used on more than one system architecture

• The ability to include third-party software in the installation source

In comparison, the advantages of using the standard JumpStart suninstall method for the installation include:

• Able to be more selective with the installation options based on the architecture and system build of the JumpStart client

• Layout of storage media can be more greatly controlled

Troubleshooting JumpStart

If any of the four main JumpStart services are improperly configured, the JumpStart clients can:

• Fail to boot

• Fail to find a Solaris OS image to load

• Ask questions interactively for configuration

• Fail to partition disks or create file systems, and fail to load the Operating System

Resolving Boot Problems

Problems in the JumpStart client boot process are usually associated with RARP, TFTP, or BOOTPARAMS configuration issues. If the client issues error messages or fails to proceed with the boot process, it usually means that one of these services is not properly configured.


Resolving RARP Problems

If the JumpStart client fails to boot and repeatedly issues the following message:

Timeout waiting for ARP/RARP packet

then the JumpStart client cannot obtain RARP services from a boot server. Check to make sure in.rarpd is running on the server. This message probably indicates that the /etc/ethers or /etc/inet/hosts file on the boot server is not correctly configured. To correct this problem, edit these files, and ensure that the MAC address and host name for the client in the /etc/ethers file, and the IP address and host name for the client in the /etc/inet/hosts file, are correct.

Other problems to check for that can cause this error message:

• Name service not updated to reflect new entries in the /etc/ethers or /etc/inet/hosts files

• Physical network connections

Enter the commands required to update the name service in use. Usually, the messages these commands issue will indicate whether an update for the /etc/ethers or /etc/inet/hosts files was successful.

Check all of the physical network connections between the client and the boot server to eliminate a potential source of the updating problem.

Resolving TFTP Problems

If the JumpStart client issues the following message once and stops booting:

Timeout waiting for ARP/RARP packet

this message indicates that the JumpStart server cannot obtain TFTP services from a boot server.

Usually, this error message indicates that there is no entry for the JumpStart client in the /tftpboot directory on the boot server. An easy way to solve this problem is to run the rm_install_client script and then the add_install_client script for this client. For example:

# cd /export/install/Solaris_10/Tools

# ./rm_install_client client1

# ./add_install_client -c server1:/export/config -p \
server1:/export/config client1 sun4u


Other problems to check for that can cause this message to appear:

• The incorrect platform group argument to the add_install_client script was used (for example, specifying sun4m for a sun4u system).

• The boot server is not configured to allow the in.tftpd daemon to run on demand.

If you specify the incorrect platform group for the client when you run the add_install_client script, the client might hang, or issue additional error messages and panic early in the boot process. To solve this problem, run the rm_install_client script and then the add_install_client script, and specify the correct platform group.

If the boot server is not configured to allow the in.tftpd daemon to run on demand, the client hangs. Usually, the add_install_client script automatically modifies the boot server to provide this service. To correct this problem, run the following commands to enable the TFTP service.

Check to see if the TFTP service is available:

# inetadm | grep tftp

If the command does not produce any output, edit the /etc/inet/inetd.conf file and ensure the following line is present:

# vi /etc/inet/inetd.conf

# TFTPD - tftp server (primarily used for booting)

tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot

If the line is commented out, uncomment it.

Run the command to import the service into SMF:

# inetconv

Check that the tftp service is now available:

# inetadm | grep ftp

enabled online svc:/network/ftp:default

enabled online svc:/network/tftp/udp6:default

#


Resolving BOOTPARAMS Problems

If the JumpStart client obtains RARP and TFTP responses, but stops booting after displaying a numeric value, such as:

23e00

the JumpStart client is unable to obtain BOOTPARAMS information from a boot server. This value indicates that the client was able to load its network bootstrap program. If no information for the client exists in the /etc/bootparams file, or if the rpc.bootparamd daemon is not running, this portion of the boot process fails.

If no entry exists in the /etc/bootparams file for the JumpStart client, create an entry by running the add_install_client script, which automatically starts the rpc.bootparamd daemon.

The SMF starts the rpc.bootparamd daemon when the boot server boots. Logic in the /var/svc/milestone/network/tftp-udp6.xml file checks for the /tftpboot directory, and starts the rpc.bootparamd daemon if the directory exists. Check if the rpc.bootparamd daemon is running:

# pgrep -fl bootparamd

If the rpc.bootparamd process is not running, check whether the /tftpboot directory exists. If it exists, manually start the rpc.bootparamd process with the following commands:

# svcs -a | grep bootparams

disabled 14:12 svc:/network/rpc/bootparams:default

# svcadm enable network/rpc/bootparams:default

# svcs | grep bootparams

online 14:20:33 svc:/network/rpc/bootparams:default

#

Resolving Identification Problems

Problems in the JumpStart client identification process usually relate to identification information missing from the sysidcfg file or from a name service. If a JumpStart client cannot obtain a response from a server for any identification item, the client interrupts the automatic identification process and asks for the information. The client usually indicates what information is missing, but not necessarily from what source.


Resolving sysidcfg Problems

In the absence of a name service, if the JumpStart client interrupts the identification or installation process to obtain any of the following identification items, check the sysidcfg file on the JumpStart server, and correct the problem you find:

• Will the client be configured to use IPv6 networking?

• What netmask will the client use?

• What is the IP address of the default router?

• What security policy will the client implement?

• What name service will the client use?

• What time zone will the client use?

• What system locale will the client use?

• What system will provide the time-of-day information?

• What is the root user's password?

Resolving Name Service Problems

If you use a name service, and the JumpStart client interrupts the identification process to obtain identification items other than the following, check the corresponding map or table information in the name service, and correct the problem you find:

• Will the client implement IPv6 protocols?

• What is the IP address of the default router?

• What security policy will the client implement?

• What is the root login password?

The previous items can only be provided using the sysidcfg file.

You can use the sysidcfg file to provide information that a name service could otherwise provide. You must verify the content of the sysidcfg file or any information that it provides. Information provided in the sysidcfg file overrides information in name services.
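The two checklists above can be applied to a sysidcfg file before any client is booted. The following script is an added example, not part of the original guide: it reads a sysidcfg file and reports each identification item that is missing and where to look for it. The function names and the status words (sysidcfg-only, check-sysidcfg, check-name-service) are assumptions of this example; the first sample is the sysidcfg file from this module's exercise, the second is constructed.

```shell
# POSIX sh. On Solaris 10, run with /usr/xpg4/bin/sh and put /usr/xpg4/bin
# first in PATH (assumption: the legacy /bin/sh lacks $(...)).

# The four items that only the sysidcfg file can answer.
SYSIDCFG_ONLY="protocol_ipv6 default_route security_policy root_password"
# All nine identification items, written as sysidcfg keywords.
ALL_ITEMS="protocol_ipv6 netmask default_route security_policy name_service \
timezone system_locale timeserver root_password"

# sysidcfg_gaps: read a sysidcfg file on stdin and print one line per
# missing item in the form "keyword status".
sysidcfg_gaps() {
    # Drop comments, then break on braces and blanks so that keywords
    # nested in "network_interface=... { ... }" become one token per line.
    tokens=$(sed 's/#.*//' | tr '{}\t ' '\n\n\n\n')
    # Name service declared in the file, lower-cased ("" if absent).
    ns=$(printf '%s\n' "$tokens" | sed -n 's/^name_service=//p' |
         tr '[:upper:]' '[:lower:]')
    for kw in $ALL_ITEMS; do
        printf '%s\n' "$tokens" | grep "^$kw=" >/dev/null && continue
        case " $SYSIDCFG_ONLY " in
            *" $kw "*) echo "$kw sysidcfg-only"; continue ;;
        esac
        case "$ns" in
            ""|none) echo "$kw check-sysidcfg" ;;      # no name service to ask
            *)       echo "$kw check-name-service" ;;  # check the map or table
        esac
    done
    return 0
}

# The sysidcfg file from this module's exercise: every item is present.
sample_page_sysidcfg() {
    cat <<'EOF'
network_interface=hme0 { primary protocol_ipv6=no
netmask=255.255.255.0
default_route=none}
name_service=none
timezone=US/Mountain
system_locale=C
timeserver=localhost
security_policy=none
root_password=pVKN72yW0kCMs
EOF
}

# Constructed sample: a NIS client whose file leaves several items out.
sample_nis_sysidcfg() {
    cat <<'EOF'
# constructed example, domain name is a placeholder
network_interface=hme0 { primary netmask=255.255.255.0 }
name_service=NIS { domain_name=example.test }
system_locale=C
root_password=pVKN72yW0kCMs
EOF
}

# Demo: report the gaps in the constructed NIS sample.
sample_nis_sysidcfg | sysidcfg_gaps
```

To check a real file, run `sysidcfg_gaps < /export/config/sysidcfg` on the configuration server.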


Resolving Configuration Problems

Problems in the JumpStart client configuration process usually relate to improperly configured rules or profile files. If a JumpStart client cannot obtain a response from a server for any configuration item, or if the configuration information it finds is incompatible with the client's hardware, it interrupts the automatic configuration process.

The information that the client requests usually indicates what is missing or improperly configured. Incompatible configuration information causes the client to display a panel that describes the problem.

Resolving rules File Problems

Sometimes the JumpStart client completes its identification tasks, but then issues the following messages:

Checking rules.ok file...

Warning: Could not find matching rule in rules.ok

Press the return key for an interactive Solaris install program...

These messages indicate that it cannot find an entry in the rules.ok file that it matches.

Usually this happens because administrators fail to run the check script to generate an up-to-date rules.ok file. To correct this problem, verify that the rules file contains an entry that matches the client, and then run the check script. For example:

# ./check

Checking validity of rules...

Checking validity of profile1 file...

The auto-install configuration is ok.

#

Resolving Profile (Class) File Problems

If the JumpStart client completes its identification tasks, but then displays an error message, such as:

ERROR: Field 2 - Disk is not valid on this system (c0t4d0s0)

it indicates that a configuration error exists in the profile file it has selected.

To correct this error, edit the profile file that the client uses, and correct the problem indicated.


Resolving Installation Problems

Problems in the JumpStart client installation process usually relate to NFS configuration problems. If a server fails to share a directory that a JumpStart client requires, the installation cannot proceed.

Resolving NFS Problems

If the JumpStart client obtains RARP and TFTP responses, but panics and displays an error message similar to the following:

panic - boot: Could not mount filesystem

Program terminated

ok

the client cannot mount the root (/) file system defined in the /etc/bootparams file.

To correct this problem, edit the /etc/dfs/dfstab file on the boot server to ensure that it contains an entry that shares the required directory structure. Check the /etc/bootparams file on the boot server to determine what directory to share. For example, the /etc/dfs/dfstab file could contain the following entry to share the /export/install directory:

share -F nfs -o ro,anon=0 /export/install

The -o ro,anon=0 options are required for the client to use the root (/) file system properly.

Run the following commands to stop and start the NFS daemons on the boot server:

# svcadm disable network/nfs/server:default

# svcadm enable network/nfs/server:default

If the JumpStart client issues an error message that indicates that it cannot mount any directory it requires or automatically begins an interactive installation session, verify the configuration of the /etc/dfs/dfstab file on the servers that provide the directories that the client requires. Make any required change in the servers' /etc/dfs/dfstab files, and stop and restart the NFS server daemons on those servers.

Any directory listed in the /etc/bootparams file on the boot server must be shared by the server providing the directory.
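The rule above can be checked before a client is booted. The following script is an added example, not part of the original guide: it lists every directory that a client's /etc/bootparams entry assigns to a given server but that no share line in that server's /etc/dfs/dfstab covers. The function names and the constructed sample files are assumptions of this example; the host names and paths reuse the ones in this module, and paths containing blanks are not handled.

```shell
# POSIX sh. On Solaris 10, run with /usr/xpg4/bin/sh and put /usr/xpg4/bin
# first in PATH (assumption: the legacy /bin/sh and awk lack the features used).

# bootparams_paths FILE CLIENT SERVER
# Print each absolute path that CLIENT's bootparams entry assigns to SERVER.
bootparams_paths() {
    awk -v client="$2" -v server="$3" '
        {
            # A trailing backslash continues the entry on the next line.
            if (sub(/\\$/, " ")) { buf = buf $0; next }
            entry = buf $0; buf = ""
            n = split(entry, f, /[ \t]+/)
            if (f[1] != client) next
            for (i = 2; i <= n; i++) {
                eq = index(f[i], "=")
                if (eq == 0) continue
                val = substr(f[i], eq + 1)          # server:path
                colon = index(val, ":")
                host = substr(val, 1, colon - 1)
                path = substr(val, colon + 1)
                # boottype=:in and rootopts=:rsize=... name no directory.
                if (colon > 0 && host == server && path ~ /^\//) print path
            }
        }' "$1" | sort -u
}

# dfstab_shares FILE
# Print the directory named by each share command (its last argument).
dfstab_shares() {
    awk '$1 == "share" && $NF ~ /^\// { print $NF }' "$1"
}

# unshared_paths BOOTPARAMS DFSTAB CLIENT SERVER
# Print the bootparams paths that are neither shared themselves nor located
# under a shared directory.
unshared_paths() {
    shares=$(dfstab_shares "$2")
    bootparams_paths "$1" "$3" "$4" | while read -r path; do
        covered=no
        for s in $shares; do
            case "$path/" in
                "${s%/}/"*) covered=yes ;;
            esac
        done
        [ "$covered" = yes ] || echo "$path"
    done
}

# write_sample DIR: constructed sample files in the layout that
# add_install_client produces for client1 on server1.
write_sample() {
    cat > "$1/bootparams" <<'EOF'
client1 root=server1:/export/install/Solaris_10/Tools/Boot \
        install=server1:/export/install boottype=:in \
        sysid_config=server1:/export/config \
        install_config=server1:/export/config rootopts=:rsize=32768
EOF
    cat > "$1/dfstab" <<'EOF'
# constructed dfstab: only the installation image is shared
share -F nfs -o ro,anon=0 /export/install
EOF
}

# Demo on the constructed sample: /export/config is reported as unshared.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
unshared_paths "$demo_dir/bootparams" "$demo_dir/dfstab" client1 server1
rm -rf "$demo_dir"
```

Run it on each server named in the client's entry, passing that server's name and its own /etc/dfs/dfstab.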


Resolving Begin and Finish Script Problems

Begin and finish script problems can be the most troublesome of all issues related to JumpStart. Any error possible in a shell script is possible in one of these scripts. Debugging begin and finish scripts might involve multiple attempts at booting the JumpStart client, or otherwise performing trial runs of the scripts.

After writing begin or finish scripts, you must verify that these scripts are referenced in the appropriate rule in the rules file. You must also remember to run the check script to regenerate the rules.ok file.

Resolving Syntax Problems

If the JumpStart client boots, displays the GUI interface in one window, and then the window disappears after the begin script runs, a syntax error might exist in your begin script.

To check for this problem on the JumpStart client, open a terminal window, and examine the /tmp/begin.log file. This file contains standard output and error messages that the begin script generates. Correct any error it reports in the begin script and try booting the client again.

The JumpStart client behaves similarly when it encounters errors in finish scripts. If the JumpStart client abruptly closes the window in which the finish script is running, it is probable that a syntax error exists in your finish script.

To check for this problem, after the JumpStart client reboots, examine the /var/sadm/system/logs/finish.log file. This file contains standard output and error messages that the finish script generates. Correct any error it reports in the finish script, and try booting the client again.


Identifying Log Files

JumpStart clients retain the following log files during the installation process:

/tmp/begin.log

/tmp/finish.log

/tmp/install_log

/var/sadm/system/logs/sysidtool.log

These logs contain standard output and error messages from begin scripts, finish scripts, the Solaris OS software installation process, and the system identification process that the client performs.

JumpStart clients retain a corresponding set of log files after the installation process completes and the system reboots:

/var/sadm/system/logs/begin.log

/var/sadm/system/logs/finish.log

/var/sadm/system/logs/install_log

/var/sadm/system/logs/sysidtool.log


Exercise: Configuring a Software Installation Procedure Using JumpStart to Create a RAID-1 Volume and Add a Patch During the JumpStart Process

In this lab, you configure a JumpStart server to support one install client. The profile file used creates a mirror for the root file system, and adds a patch.

Preparation

Load the Solaris 10 OS 1 CD-ROM in the CD drive and let the Volume Manager daemon mount it automatically.

Task Summary

Perform the following tasks:

• Verify that the /etc/bootparams, /etc/timezone, /etc/ethers, and /etc/netmasks files exist and have the correct entries for the JumpStart client.

• Determine the Ethernet (MAC) address of the client system.

• Unshare any NFS shared directories and remove any share commands from the /etc/dfs/dfstab file.


Worksheet for Configuring a Software Installation Procedure Using JumpStart Software

Complete the following worksheet before you begin.

Install server name: _____________________________________________

Timehost server name: __________________________________________

Note – Without an assigned timehost entry for one of the Solaris Operating System, the JumpStart process becomes interactive, prompting you for time information.

Location of the Solaris Operating System installation image: ______________________________________________________

Configuration server name: ______________________________________

Configuration directory: ________________________________________

Boot server name: _________________________________________________

Directory containing the boot image: ______________________________

JumpStart client’s name: ___________________________________________

JumpStart client’s IP address: ____________________________________

JumpStart client’s Ethernet address: _______________________________

JumpStart client’s architecture: ___________________________________


Tasks

Complete the following steps:

1. On the JumpStart server, log in as root. Open a terminal window, and change the directory to the /etc directory.

# cd /etc

2. Edit the /etc/ethers file, and add an entry for the JumpStart client, for example:

8:0:20:2f:100:3d client1

3. Edit the /etc/hosts file, and add an entry for the JumpStart client, if one does not already exist.

192.10.200.1 server1 loghost

192.10.200.100 client1

4. Edit or check the /etc/netmasks file to be certain that it contains the network number and subnet mask for your network, for example:

192.10.200.0 255.255.255.0

5. Insert the Solaris 10 OS Software 1 CD-ROM in the CD-ROM drive.

6. Create the /export/config directory.

# mkdir /export/config

7. Change directory to /cdrom/cdrom0/s0/Solaris_10/Misc/jumpstart_sample.

# cd /cdrom/cdrom0/s0/Solaris_10/Misc/jumpstart_sample

8. Copy the content of the jumpstart_sample directory to the /export/config directory. This step places sample configuration files, used by JumpStart, in the /export/config directory, which you use to complete the exercise.

# cp -r * /export/config

9. Change the directory to /export/config. Move the rules file to rules.orig.

# cd /export/config

# mv rules rules.orig

10. Create a new file called rules that contains the following entry. Enter the name of your JumpStart client instead of client1:

hostname client1 - mirror_class finish_script


11. Edit the /export/config/mirror_class file so that it specifies an initial install, a standalone system type, explicit partitioning, the Minimum Required software cluster, and partitions for root (/), swap, and /usr. A mirror is specified for the root (/) file system. Use partition sizes and device names appropriate for the JumpStart client system, for example:

install_type initial_install
partitioning explicit
cluster SUNWCreq
metadb c0t0d0s5
metadb c1t3d0s5
filesys mirror:d10 c0t0d0s0 c1t3d0s1 850 /
filesys c0t0d0s3 1000 /var
filesys c0t0d0s1 512 swap
filesys c0t0d0s6 3000 /usr
filesys c0t0d0s7 500 /export/home

12. In the /export/config directory, create a file called finish_script that contains the following lines.

#!/bin/sh

touch /a/noautoshutdown

These commands configure the JumpStart client to avoid using the autoshutdown power-saving feature.

13. Change the permissions on finish_script to 644.

# chmod 644 finish_script

14. Run the /export/config/check program, and correct any problems in the rules or host_class files that it reports. Verify that the rules.ok file exists after the check program completes successfully.

# ./check


15. In the /export/config directory, create a file called sysidcfg that contains the following lines. The string pVKN72yW0kCMs is a 13-character encrypted string for the password cangetin. You could replace this string with a different encrypted password string by copying one from your own /etc/shadow file.

network_interface=hme0 { primary protocol_ipv6=no
netmask=255.255.255.0
default_route=none}

name_service=none

timezone=US/Mountain

system_locale=C

timeserver=localhost

security_policy=none

root_password=pVKN72yW0kCMs

16. Edit the /etc/dfs/dfstab file to add an entry for the /export/config directory as follows:

share -o ro /export/config

17. Run the svcs command to see if the NFS service is online.

# svcs -a |grep nfs

STATE STIME FMRI

disabled 14:56:34 svc:/network/nfs/mapid:default

disabled 14:56:34 svc:/network/nfs/cbd:default

disabled 14:56:36 svc:/network/nfs/server:default

online 14:56:56 svc:/network/nfs/status:default

online 14:56:57 svc:/network/nfs/nlockmgr:default

online 14:57:13 svc:/network/nfs/client:default

online 14:57:13 svc:/network/nfs/rquota:ticlts

online 14:57:13 svc:/network/nfs/rquota:udp

18. If the NFS service is disabled, enable it using the svcadm command.

# svcadm enable network/nfs/server:default


19. Check that the NFS service is now online.

# svcs -a |grep nfs

STATE STIME FMRI

disabled 14:56:34 svc:/network/nfs/cbd:default

online 14:57:13 svc:/network/nfs/client:default

online 16:01:13 svc:/network/nfs/status:default

online 16:01:13 svc:/network/nfs/nlockmgr:default

online 16:01:14 svc:/network/nfs/mapid:default

online 16:01:14 svc:/network/nfs/rquota:ticlts

online 16:01:15 svc:/network/nfs/server:default

online 16:01:15 svc:/network/nfs/rquota:udp

20. If the NFS service is already running, run the shareall command:

# shareall

21. Change the directory to /export/install/Solaris_10/Tools.

# cd /export/install/Solaris_10/Tools

22. Use the add_install_client program to add support for your JumpStart client. The following command example is appropriate for a server that provides access to the operating system using a mounted Solaris 10 Software 1 CD-ROM. Replace server1 with the name of your JumpStart server, client1 with the name of your JumpStart client, and sun4x with the appropriate client architecture, for example sun4u.

# ./add_install_client -c server1:/export/config \
-p server1:/export/config client1 sun4x

What action does the add_install_client program report that it takes regarding the files and daemons in Table 16-11?

Table 16-11 Results of add_install_client Program

File or Daemon            Action

/etc/dfs/dfstab file

/etc/inetd.conf file

/etc/nsswitch.conf file

/tftpboot directory

in.rarpd daemon

rpc.bootparamd daemon


23. Boot the JumpStart client.

ok boot net - install nowin

24. Once the installation is completed, log in as the root user and check the status of the mirror.

# metastat

d10: Mirror

Submirror 0: d11

State: Okay

Pass: 1

Read option: roundrobin (default)

Write option: parallel (default)

Size: 1740816 blocks (850 MB)

d11: Submirror of d10

State: Okay

Size: 1740816 blocks (850 MB)

Stripe 0:

Device Start Block Dbase State Reloc Hot Spare

c0t0d0s1 0 No Okay Yes

d12: Concat/Stripe

Size: 1741635 blocks (850 MB)

Stripe 0:

Device Start Block Dbase Reloc

c1t3d0s1 0 No Yes

Device Relocation Information:

Device Reloc Device ID

c1t3d0 Yes id1,sd@SSEAGATE_ST39103LCSUN9.0GLSA5755800007027HQUZ

c0t0d0 Yes id1,dad@AST38410A=5CS0BGD6

# metadb

flags first blk block count

a m p luo 16 8192 /dev/dsk/c0t0d0s5

a p luo 8208 8192 /dev/dsk/c0t0d0s5

a p luo 16400 8192 /dev/dsk/c0t0d0s5

a p luo 16 8192 /dev/dsk/c1t3d0s5

a p luo 8208 8192 /dev/dsk/c1t3d0s5

a p luo 16400 8192 /dev/dsk/c1t3d0s5

#


25. What actions does the add_install_client program report that it takes regarding the files and daemons in Table 16-12?

Table 16-12 Results of add_install_client Program

File or Daemon            Action

/etc/dfs/dfstab file      Copies the original to dfstab.orig, and adds a line to share slice 0 of the CD

/etc/inetd.conf file      Enables tftp

/etc/nsswitch.conf file   Changes the bootparams entry

/tftpboot directory       Creates the directory, copies inetboot.SUN4U.Solaris_10-1 into it

in.rarpd daemon           Starts this daemon

rpc.bootparamd daemon     Starts this daemon


Exercise Summary


Discussion – Take a few minutes to discuss the experiences, issues, or discoveries that you had during the lab exercises.

- Experiences

- Interpretations

- Conclusions

- Applications


Configuring NIS for JumpStart Procedures

Note – This section is provided as a reference to use at a later date. There is not a lab associated with this section.

JumpStart clients can use the NIS to obtain most of the identification information that they would otherwise obtain from the /etc/inet/hosts file on the boot server and the sysidcfg file on a configuration server. Configuring NIS to support JumpStart procedures involves editing files and running commands on the NIS master server in use.

Solaris OS name services cannot provide responses for the IPv6, Kerberos, default route, and root password questions that clients ask. The sysidcfg file offers the only means of automatically supplying these responses to clients. NIS can supply all of the other essential identification information that clients require.

Information supplied in the sysidcfg file overrides any information you make available in NIS. The following sections describe how to configure the files that NIS uses to create maps, and the procedures required to update NIS with the information you provide in those files. The following sections assume that a functional NIS domain exists, and that all JumpStart servers participate in the NIS domain as NIS clients.

A change to any file that is represented by a map in an NIS domain requires that you complete the following steps on the NIS master server.

1. Edit and save the file that requires the change.

2. Change the directory to /var/yp.

# cd /var/yp

3. Run the make command.

# /usr/ccs/bin/make

Configuring the /etc/inet/hosts File

The NIS map that represents the /etc/inet/hosts file can hold three identification items that JumpStart clients use:

- The JumpStart client's IP address

- The JumpStart client's host name

- The timehost alias


JumpStart clients recognize the timehost alias if it exists in a NIS map. JumpStart clients do not use the timehost alias directly from the /etc/inet/hosts file.

To configure NIS to respond to RARP requests from the JumpStart client, edit the /etc/inet/hosts file on the NIS master server to include an entry for the JumpStart client. The following example shows an entry for client1 in the /etc/inet/hosts file:

192.10.10.4 client1

Note – Enabling RARP support in NIS also requires changes to the /etc/ethers file on the NIS master server.

To configure NIS to supply time-of-day information that the JumpStart clients require, you must add a timehost entry to the /etc/inet/hosts file. For example, the following entry would let JumpStart clients obtain their time-of-day information from the system that uses the IP address 192.10.10.1.

192.10.10.1 server1 timehost

Usually, you would associate the timehost alias with a JumpStart server or the NIS master server.

After you complete the changes to the /etc/inet/hosts file, you must update the associated NIS map by running the /usr/ccs/bin/make command.

Configuring the /etc/ethers File

To configure NIS to respond to RARP requests that JumpStart clients issue, you must edit the /etc/ethers file on the NIS master server to include an entry for the JumpStart client. For example, an entry for client1 in the /etc/ethers file could appear as follows:

8:0:20:10c:88:5b client1

After you complete the changes to the /etc/ethers file, you must update the associated NIS map by running the /usr/ccs/bin/make command.


Configuring the /etc/locale File

To configure NIS to respond to localization requests issued by JumpStart clients, you must create and configure an /etc/locale file on the NIS master server, and update the NIS Makefile to use it. The /etc/locale file does not exist in a default Solaris 10 Operating System installation, and no reference to this file exists in the default /var/yp/Makefile file.

Use a text editor to create an /etc/locale file with the appropriate content. The following example shows an entry for client1 in the /etc/locale file:

client1 en_US

An entry for all systems in the NIS domain called Central.Sun.COM in the /etc/locale file could appear as follows:

Central.Sun.COM en_US

Note – For a list of possible locale entries for this file, run the locale -a command, or list the locales found in the /usr/lib/locale directory.


To update the /var/yp/Makefile file on the NIS master server so that it includes the locale map, make the following changes:

1. Change the directory to /var/yp, and edit the Makefile file.

# cd /var/yp

# vi Makefile

a. Add the following text after the existing *.time entries.

Note – All beginning white space must be tabs.

b. The entry in the Makefile file for the timezone map contains identical code except for the map name; therefore, duplicate the timezone entry, and replace timezone with locale.

locale.time: $(DIR)/locale
	-@if [ -f $(DIR)/locale ]; then \
		sed -e "/^#/d" -e s/#.*$$// $(DIR)/locale \
		| awk '{for (i = 2; i<=NF; i++) print $$i, $$0}' \
		| $(MAKEDBM) - $(YPDBDIR)/$(DOM)/locale.byname; \
		touch locale.time; \
		echo "updated locale"; \
		if [ ! $(NOPUSH) ]; then \
			$(YPPUSH) locale.byname; \
			echo "pushed locale"; \
		else \
		: ; \
		fi \
	else \
		echo "couldn't find $(DIR)/locale"; \
	fi

c. Append the word locale to the line beginning with the word all.

d. Add the following line after the auto.home: auto.home.time entry:

locale: locale.time

e. Save the file, and exit the editor.

2. Update the NIS maps by running the make command.

# cd /var/yp

# /usr/ccs/bin/make

...

<Control>-C

#


Note – The make command hangs when it tries to push the new locale map to slave servers. Press Control-C to stop the make command if the command hangs.

3. On any slave servers that exist in this NIS domain, run the ypxfr command to transfer the locale.byname map for the first time.

# /usr/lib/netsvc/yp/ypxfr locale.byname

4. On the NIS master server, again update the NIS maps by running the make command.

# cd /var/yp

# /usr/ccs/bin/make

The make command should complete successfully.

Configuring the /etc/timezone File

To configure NIS to respond to time zone requests that JumpStart clients issue, you must create or edit the /etc/timezone file on the NIS master server to include an entry for the client. The /etc/timezone file does not exist in a default Solaris 10 OS installation. For example, an entry for client1 in /etc/timezone could appear as follows:

US/Mountain client1

An entry for all systems in the NIS domain called Central.Sun.COM in /etc/timezone could appear as follows:

US/Mountain Central.Sun.COM

After you have completed the changes to the /etc/timezone file, you must update the associated NIS map by running the /usr/ccs/bin/make command.

Note – Possible time zone entries for this file exist in the /usr/share/lib/zoneinfo directory.


Configuring the /etc/netmasks File

To configure NIS to respond to requests for netmask information that JumpStart clients issue, you must edit the /etc/netmasks file on the NIS master server. The /etc/netmasks file must include an entry for the network to which the JumpStart client is directly connected.

The /etc/netmasks file contains network masks that implement IP subnets. This file supports both standard subnetting, as specified in RFC-1050, and variable length subnets, as specified in RFC-15110. Each line in the /etc/netmasks file should consist of the network number, any number of spaces or tab characters, and the network mask to use on that network. You can specify network numbers and masks in the conventional IP '.' (dot) notation (such as IP host addresses, but use zeros for the host section). For example, you could use:

192.10.10.0 255.255.255.0

to specify that the Class C network 192.10.10.0 should use 24 bits to identify the network, and 8 bits to identify the host.

Note – Refer to the man page for the netmasks syntax for more examples of subnet masks.

After you complete the changes to the /etc/netmasks file, enter the /usr/ccs/bin/make command to update the associated NIS map.
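The checks below can be run on the NIS master before make publishes the hosts, ethers and netmasks maps described in the preceding sections. This is an added example, not part of the course material; the function names, the sample entries, and the policies of exactly one timehost alias and contiguous masks only are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the course material: pre-flight checks for the
# NIS source files before "cd /var/yp; /usr/ccs/bin/make" publishes them.

# check_rarp HOSTS ETHERS: every ethers client needs a well-formed address
# and a hosts entry, and hosts should carry exactly one timehost alias (a
# policy chosen for this example). Prints problems; returns 1 if any.
check_rarp() {
    awk '
    { sub(/#.*/, "") }                      # drop comments
    NF == 0 { next }
    src == "hosts" {                        # remember every name and alias
        for (i = 2; i <= NF; i++) {
            known[$i] = 1
            if ($i == "timehost") th++
        }
        next
    }
    {                                       # lines from the ethers file
        n = split($1, o, ":")
        ok = (n == 6 && NF == 2)
        for (i = 1; ok && i <= 6; i++)
            if (o[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]?$/) ok = 0
        if (!ok) { print "ethers line " FNR ": malformed entry"; bad = 1; next }
        if (!($2 in known)) { print "ethers: " $2 " has no hosts entry"; bad = 1 }
    }
    END {
        if (th != 1) { print "hosts: expected 1 timehost alias, found " (th + 0); bad = 1 }
        exit bad + 0
    }' src=hosts "$1" src=ethers "$2"
}

# check_netmasks FILE: each entry must be "network mask" in dotted notation,
# the mask must be contiguous (example policy), and the network number must
# have zeros in the host section.
check_netmasks() {
    awk '
    function quad(s,   p, i, v) {           # dotted quad -> number, -1 if invalid
        if (split(s, p, ".") != 4) return -1
        v = 0
        for (i = 1; i <= 4; i++) {
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return -1
            v = v * 256 + p[i]
        }
        return v
    }
    { sub(/#.*/, "") }
    NF == 0 { next }
    {
        net = quad($1); mask = quad($2)
        if (NF != 2 || net < 0 || mask <= 0) {
            print "netmasks line " NR ": malformed entry"; bad = 1; next
        }
        size = 4294967296 - mask            # addresses per subnet if contiguous
        b = size
        while (b > 1 && b % 2 == 0) b = b / 2
        if (b != 1) { print "netmasks line " NR ": non-contiguous mask " $2; bad = 1; next }
        if (net % size != 0) { print "netmasks line " NR ": host bits set in " $1; bad = 1 }
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample data (not taken from a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/hosts" <<'EOF'
192.10.10.1 server1 timehost
192.10.10.4 client1
EOF
cat > "$demo_dir/ethers" <<'EOF'
8:0:20:c:88:5b client1
8:0:20:1g:88:5c client2
8:0:20:c:88:5d client3
EOF
cat > "$demo_dir/netmasks" <<'EOF'
192.10.10.0 255.255.255.0
192.10.20.4 255.255.255.0
192.10.30.0 255.0.255.0
EOF
check_rarp "$demo_dir/hosts" "$demo_dir/ethers" || echo "hosts/ethers need fixing"
check_netmasks "$demo_dir/netmasks" || echo "netmasks needs fixing"
rm -rf "$demo_dir"
```

On the real master, point the functions at /etc/inet/hosts, /etc/ethers and /etc/netmasks and run make only when both return 0.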

Configuring the /etc/bootparams File

Even though it is possible for NIS to provide BOOTPARAMS information to JumpStart clients, the BOOTPARAMS information is obtained from the JumpStart boot server. The boot server is often not the same system that acts as the NIS master server.

Each time you run the add_install_client script on a boot server to provide boot support for a JumpStart client, the script checks the /etc/nsswitch.conf file for the bootparams entry. If the bootparams entry in the /etc/nsswitch.conf file lists the nis source before the files source, the add_install_client script reverses their order. For example, the following entry in the /etc/nsswitch.conf file before running the add_install_client script:

bootparams: nis files


would change to the following entry after running the add_install_client script:

bootparams: files nis

Typically, a JumpStart boot server would participate in NIS as a client.

The add_install_client script changes the /etc/nsswitch.conf file to cause JumpStart clients to obtain their BOOTPARAMS information from the /etc/bootparams file on the boot server, rather than from NIS. In most JumpStart configurations, this is the most practical situation.

Configuring the sysidcfg File With NIS

If you use NIS to supply all of the identification items it can possibly offer to JumpStart clients, only four items are required in the sysidcfg file. These items answer the IPv6, Kerberos, default router, and root password questions in the Solaris 10 Operating System.

The following example sysidcfg file causes the client to implement neither IPv6 nor Kerberos security, sets the default route to be 192.10.10.100, and sets the root password to cangetin. Use values that are appropriate for your own systems and network.

network_interface=hme0 { primary protocol_ipv6=no

default_route=192.10.10.100}

security_policy=none

root_password=Hx23475vABDDM

The absence of the root_password entry does not interfere with the system identification process the client performs before installing the Solaris OS. Without this entry in the sysidcfg file, however, the client asks for a root password the first time it reboots after the Solaris OS installation completes. NIS cannot supply the root password. Rerun the make command after any changes to these maps.
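The root_password keyword takes the encrypted string as it appears in /etc/shadow, not the cleartext, which is why the example file above carries Hx23475vABDDM rather than cangetin. The following checker is an added example, not part of the course material: it verifies that the four items NIS cannot supply are present and that root_password looks like a crypt(3) string. The function names and the second sample file are assumptions, and the format test is a heuristic.

```shell
#!/bin/sh
# Added example, not part of the course material: check a sysidcfg file that
# relies on NIS for everything except the four items NIS cannot answer.

# sysidcfg_get FILE KEY: print the value of KEY, including keys that sit
# inside a { ... } block such as network_interface.
sysidcfg_get() {
    sed 's/#.*//' "$1" | tr '{}' '  ' | tr -s ' \t' '\n\n' |
        awk -v k="$2" 'index($0, k "=") == 1 && !seen {
            print substr($0, length(k) + 2); seen = 1 }'
}

# check_sysidcfg FILE: returns 0 only if all four items are present and
# root_password looks like a crypt(3) string rather than cleartext.
# Heuristic: 13 characters from the traditional crypt alphabet, or a string
# starting with "$" (modular crypt formats).
check_sysidcfg() (
    rc=0
    for key in protocol_ipv6 default_route security_policy; do
        if [ -z "$(sysidcfg_get "$1" "$key")" ]; then
            echo "MISSING $key: NIS cannot supply it"
            rc=1
        fi
    done
    pw=$(sysidcfg_get "$1" root_password)
    if [ -z "$pw" ]; then
        echo "MISSING root_password: client asks for it at first reboot"
        rc=1
    elif ! printf '%s\n' "$pw" | grep -Eq '^([./0-9A-Za-z]{13}|\$.+)$'; then
        echo "BAD root_password: not a crypt(3) string, possibly cleartext"
        rc=1
    fi
    exit "$rc"
)

demo=$(mktemp -d)
# The example file from this section.
cat > "$demo/good" <<'EOF'
network_interface=hme0 { primary protocol_ipv6=no
                         default_route=192.10.10.100}
security_policy=none
root_password=Hx23475vABDDM
EOF
# Constructed variant: cleartext password, default_route left out.
cat > "$demo/weak" <<'EOF'
network_interface=hme0 { primary protocol_ipv6=no }
security_policy=none
root_password=cangetin
EOF
check_sysidcfg "$demo/good" && echo "good: ok"
check_sysidcfg "$demo/weak" || echo "weak: needs fixing"
rm -rf "$demo"
```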


Module 17

Performing a Flash Installation

Objectives

The Solaris Flash installation feature enables you to create a single reference installation of the Solaris OS on a system, which is called the master system. You can replicate this OS installation on a number of systems, called clone systems.

Upon completion of this module, you should be able to:

- Describe the Flash installation feature

- Manipulate a Flash archive

- Use a Flash archive for installation

- WANboot Flash installation

The following course map shows how this module fits into the current instructional goal.

Figure 17-1 Course Map (Perform Advanced Installation Procedures: Configure Custom JumpStart, Perform a Flash Installation, Introduction to Zones)


Introducing the Flash Installation Feature

The Flash installation feature lets you create a single reference installation of the Solaris 10 OS on a master system, and then replicate the installation on other systems known as clones.

The Flash installation utilities are installed as part of the Solaris 10 OS. Before the Flash archive is created and deployed, you must decide how to integrate the installation process into your specific environment. Some items for consideration are:

- Including support for custom hardware and driver configurations at installation time, eliminating the need to re-create the archive in the future. The recommended installation for the required level of support on the master is Entire Distribution + OEM support.

- Selecting the naming conventions for each archive in advance.

- Deciding upon the contents of each archive or customized multiple archives, including third-party software and package additions or deletions. At least one archive must contain the Solaris 10 OS files.

- Install the Flash archive on the clone.

Having a planning sheet serves as an important tool to help you make decisions and to document the archive creation and installation process. After you determine the content of the archive, you can proceed to the actual installation process.

Note – The master and clone systems must have the same kernel architectures, for example, sun4u.

Uses of the Flash Installation Feature

You can build multiple customized configurations on the master system by using packages from a predefined pool. Flash installation is significantly faster than the current JumpStart or Solaris network installation methods. Flash allows detailed customization of the Solaris OS, hardware configuration, and third-party software packages prior to the creation of the clones. In addition, Flash installation can act as an enterprise-level disaster recovery when necessary.


Flash Deployment Methods

The Flash installation process is integrated into the existing custom JumpStart software framework. The installation process is specified by keywords in the JumpStart profile on the JumpStart server during JumpStart setup. You can also deploy Flash during installation from the Solaris 10 OS CD-ROM or DVD. Flash archive extraction includes the copying of files from the archive to the clone. The Flash installation bypasses procedural scripts in the package-based JumpStart installation, making the process of building a clone machine extremely fast. Flash eliminates the need for finish scripts or for the customization of the JumpStart software image.

If you already have an installed clone, you can update the system by applying a differential archive, which only overwrites the files specified in the archive rather than the whole system.

Flash Installation Process

Flash installation is a three-stage process involving:

- Installing and customizing the master system

- Creating a Flash archive on the master system

- Deploying the Flash archive to the clone system

Installing the Master

The Flash installation feature uses one or more archives created from a master system that acts as a reference configuration. The master system is an installed system that has been customized as required. Customization can include adding or removing software packages, adding third-party or unbundled software products, and modifying configuration files, such as the SMF method scripts and run control script, and by enabling or disabling SMF managed services. Further customization can be done when creating the archive.


Creating the Flash Archive

The Flash archive is derived from the current installation on the master system. You can easily transfer the archive as a large file from server to server to deploy it to the clone systems. To make multiple archives easier to manage, you can add identification information using the command line. You can create the archive when the system is running in single-user mode, multiuser mode, or being booted from the Solaris 10 OS 1 CD-ROM, or DVD.

During installation you must specify a directory and a location where the Flash archive resides. Options during installation are:

- Network file system (NFS) server

- Hypertext Transfer Protocol (HTTP) server

- File Transfer Protocol (FTP) server

- Local or remote tape

- Compact Disc Read-Only Memory (CD-ROM)

- Local drive of clone machine

Deploying the Flash Archive to the Clone

You can install the Flash archive onto the clone using:

- An interactive install

- A custom JumpStart procedure

The interactive method requires you to boot the system to be cloned from the Solaris 10 OS 1 CD-ROM, or DVD.

To initiate the JumpStart procedure, the required JumpStart services must be configured on an appropriate server. The Flash archive is extracted onto the clone, replacing the package-based installation process.

Note – Although most files on the master system are configured before the archives are created, some network files might need re-configuration after being deployed to the clone systems.


Flash Installation Requirements

The following sections describe the Flash installation hardware and software requirements, dependencies, and limitations.

Hardware Requirements

The recommended system specifications for a Flash installation are:

- A SPARC system for the clone and a SPARC system for the master (or an UltraSPARC® system for the clone and an UltraSPARC system for the master).

- The master and the clone must have the same kernel architecture, such as sun4u.

- Before you create the archive, you must install and configure the master with the exact software, hardware, and peripheral device package that you want on the clone. For example, to create a clone that uses an Elite3D framebuffer (even if the master does not use the Elite3D card), you must include the necessary Solaris OS software support in the archive.

Software Requirements

The recommended software specification for a Flash installation is:

The Flash utility comes with Solaris 10 OS and is installed as part of the Solaris OS. Flash utilities are also available with the minimum Solaris software group (SUNWCuser). The Entire Distribution + OEM software group is recommended for you to be able to include all files and driver support when creating the Flash archive.

# more /var/sadm/system/admin/CLUSTER 

CLUSTER=SUNWCXall

Limitations of the Flash Utility

There are certain limitations to the Flash utility, including, but not limited to, the configuration of the Solaris Volume Manager software and the current versions of the Solaris OS:

- Flash does not support metadevices or non-UFS file systems.

- You can only create the archive from material available on the master system.


Manipulating a Flash Archive

The Flash installation process involves creation of the Flash archive prior to the deployment of the Flash archive to the clones.

Note – Ensure that the master is as stable as possible during archive creation.

The Flash installation utility comprises two commands:

- You can use the /usr/sbin/flarcreate command to create an archive on the master.

- You can use the /usr/sbin/flar archive administration command to extract information from an archive, to split an archive, or to combine archives.

For additional information about the Flash archive process, view the online man pages.

The next section introduces the various Flash utility commands.


Creating a Flash Archive

The syntax for the flarcreate command is:

flarcreate -n name [-R root] [-A old_root] [-t [-p posn] [-b blocksize]]
    [-i date] [-u section [-d path]] [-U key=value] [-m master]
    [-H] [-S] [-c] [-M] [-I] [-f [list_file | -] [-F]]
    [-a author] [-e descr | -E descr_file] [-T type]
    [[-x exclude_dir/file] [-x exclude_dir/file]...] [-X list_file]
    [[-y include_dir/file] [-y include_dir/file]...]
    [-z filter_list_file]
    archive

where:

-n Specify the name of the archive.

-R Specify the root of the Flash archive if the currently running system is not to be used.

-A Location of source master image.

-i Set alternative creation date.

-S Do not include sizing information in the archive.

-c Compress the archive using the compress command.

-t Create an archive on a tape device.

-m Specify the name of the master on which you created the archive.

-M Do not create a manifest. Used when creating differential archives.

-a Specify the author of the archive.

-e Specify the description of the archive.

-x Exclude the named directory or file from the archive.

-X Exclude the named files in the file list.

-y Include the named directory or file.

-z Include files prefixed with a plus sign and exclude files prefixed with a minus sign in the file list.

archive Specify the path to the Flash archive.


Examples

The following example shows the creation of a Flash archive used to install other systems. The master should be as quiescent as possible:

- Run the system in single-user mode

- Shut down any applications you want to archive

- Shut down any applications that use extensive system resources

# flarcreate -n flash_root_archive -c -R / -e root_archive \

-x /export/flash -a admin_operator -S /export/flash/flash_archive1

Determining which filesystems will be included in the archive...

Determining the size of the archive...

The archive will be approximately 517.98MB.

Creating the archive...

2034098 blocks

Archive creation complete.

In the example:

-n flash_root_archive is the name of the Flash archive

-c causes the archive to be compressed

-R / creates the archive rooted at the root (/) directory

-e root_archive is the description of the archive

-x /export/flash excludes this directory from the archive

-a admin_operator is the author of the archive

-S do not include sizing information

Note – Be sure that you have enough disk space to contain the Flash archives that you build. In the above example, the /export/flash directory is large enough to contain the 518 Mbyte archive.


The following example creates a Flash archive and customizes the files to be included in the archive:

# flarcreate -n local_apps -x /usr/local/ \

> -y /usr/local/custom_scripts local_archive

-n local_apps is the name of the archive

-x /usr/local is excluded from the archive

-y /usr/local/custom_scripts is included in the archive

The archive is created from the root (/) directory as -R has not been specified.

Differential Archives

If you have previously installed a clone using a Flash archive, it is now possible to update that system with changes by using a differential archive. If the master has been updated, for example, by applying patches, or packages have been added or removed, these changes can be applied as a differential archive. The differential archive only overwrites files specified in the archive, rather than the entire installation on the clone.

A list of new, changed, or deleted files is generated, called a manifest.

A differential archive fails if the clone has been manually updated after it was Flash installed from the master source.

A differential archive requires two images to compare: a source master image, such as the original master flash configuration that has been left untouched, and an updated master image. By default this updated master image is the updated image, but it can be an image stored elsewhere. The differential archive is made up of just the differences between the two images.

The unchanged master image can be:

- A live upgrade boot environment mounted onto a directory

- An unchanged clone system mounted onto a directory using NFS

- An expanded flash archive on the local system

For more information on using Differential Flash archives, see the Solaris 10 Release and Installation Collection, Solaris 10 Installation Guide, Solaris Flash Archives.


Administering a Flash Archive

You use the /usr/sbin/flar command to perform archive administration. The syntax for the flar command is:

flar -i archive

flar -c archive

flar -s archive

where:

-i Retrieves information about archives that have been created

-c Combines the individual sections that make up an existing archive into a new archive

-s Splits an archive into one file for each section of the archive

Keywords exclusive to Flash and identification of the archive can be viewed from the online manual pages.

To list the header data that is created with the archive, use the flar -i command:

# flar -i flash_archive1

archive_id=f67e46f0096ab9ac580cea5ba3ffeb72

files_archived_method=cpio

creation_date=20041005160703

creation_master=sys65

content_name=build68

creation_node=sys65

creation_hardware_class=sun4u

creation_platform=SUNW,UltraSPARC-IIi-cEngine

creation_processor=sparc

creation_release=5.10

creation_os_name=SunOS

creation_os_version=s10_68

files_compressed_method=compress

content_architectures=sun4u

type=FULL


The header of the archive file contains the following identification parameters for the archive:

- content_name – The name of the archive (in this case, flash_directoryname_archive)

- creation_date – The date that the archive is created (from the master)

- creation_master – The name of the master (in this case, sys65)

- Other information about the archive

You can also use additional keywords for administering the archive.
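Because the master and the clone must share a kernel architecture, the header can be checked before an archive is offered to a clone. The script below is an added example, not part of the course material: it reads saved flar -i output such as the listing above. The function names, the optional comparison against an archive_id recorded at creation time, the treatment of content_architectures as a comma-separated list, and the refusal of anything other than type=FULL for a first-time install are assumptions of the example. It compares header fields only and does not verify the archive body.

```shell
#!/bin/sh
# Added example, not part of the course material: gate a Flash deployment on
# the identification header that "flar -i" prints.

# flar_field HEADER_FILE KEY: print the value of KEY from saved flar -i output.
flar_field() {
    awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2) }' "$1"
}

# flar_gate HEADER_FILE CLONE_ARCH [EXPECTED_ID]
# CLONE_ARCH is the kernel architecture of the clone (uname -m, for example
# sun4u). EXPECTED_ID, if given, is the archive_id noted when the archive was
# created. Returns 0 only if every check passes.
flar_gate() (
    rc=0
    archs=$(flar_field "$1" content_architectures)
    case ",$archs," in
        *",$2,"*) ;;
        *) echo "REFUSE: archive built for '$archs', clone is '$2'"; rc=1 ;;
    esac
    type=$(flar_field "$1" type)
    if [ "$type" != FULL ]; then
        echo "REFUSE: type is '${type:-unset}', not a full archive"
        rc=1
    fi
    want=${3:-}
    if [ -n "$want" ] && [ "$(flar_field "$1" archive_id)" != "$want" ]; then
        echo "REFUSE: archive_id differs from the recorded value"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $(flar_field "$1" content_name) from" \
             "$(flar_field "$1" creation_master)," \
             "created $(flar_field "$1" creation_date)"
    fi
    exit "$rc"
)

# Header lines taken from the flar -i listing in this section.
demo=$(mktemp)
cat > "$demo" <<'EOF'
archive_id=f67e46f0096ab9ac580cea5ba3ffeb72
files_archived_method=cpio
creation_date=20041005160703
creation_master=sys65
content_name=build68
creation_hardware_class=sun4u
creation_release=5.10
files_compressed_method=compress
content_architectures=sun4u
type=FULL
EOF
flar_gate "$demo" sun4u f67e46f0096ab9ac580cea5ba3ffeb72
# Constructed mismatch: a clone with a different kernel architecture.
flar_gate "$demo" sun4v || echo "sun4v clone rejected"
rm -f "$demo"
```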


Using a Flash Archive for Installation

The third and final stage of the Flash installation is the deployment of the archive onto the clone. This process can create multiple clones of the master.

You can use any of the Solaris OS installation methods to install Flash archives. This module describes the procedures to:

- Install Flash archives with the Solaris Web Start program

- Install Flash archives with the Solaris OS suninstall program

- Install Flash archives with a JumpStart installation

Interactive Lab

You can perform interactive installation of the Solaris OS by using the suninstall program. The Solaris suninstall program only installs the Solaris OS software. After you install the Solaris OS software, you must use other installation programs to install additional software.

1. Insert the Solaris 10 OS 1 CD-ROM, or DVD.

2. Boot the Flash clone system from the Boot PROM prompt as follows:

ok boot cdrom - nowin

After the pre-installation phase completes, a series of character-based curses screens appear.

Note – The text screens shown in this installation sequence have been edited for brevity and readability. Depending on your installation method, you press the appropriate function key or its Escape key equivalent.

Read the curses-based content, answer any relevant prompts, and use the function or escape key sequences to progress to the next prompt. The installation proceeds the same as a standard installation until you reach the Solaris Interactive Installation screen.


Solaris Interactive Installation

On the following screens, you can accept the defaults or you can

customize how Solaris software will be installed by:

- Selecting the type of Solaris software to install

- Selecting disks to hold software you’ve selected

- Selecting unbundled products to be installed with Solaris

- Specifying how file systems are laid out on the disks

After completing these tasks, a summary of your selections (called a

profile) will be displayed.

There are two ways to install your Solaris software:

- "Standard" installs your system from a standard Solaris Distribution.

Selecting "Standard" allows you to choose between initial install

and upgrade, if your system is upgradable.

- "Flash" installs your system from one or more Flash Archives.

F2_Standard F4_Flash F5_Exit F6_Help

You can select either a standard installation or a Flash installation.

3. Press F4 to select a Flash installation.

Follow the prompts and answer the relevant questions until you come to the Flash Archive Retrieval Method window.

Flash Archive Retrieval Method

On this screen you must select a method to retrieve the Flash archive.

The retrieval method depends on where the archive is stored. For

example, if the archive is stored on a tape, select "Local Tape".

Available Retrieval Methods

========================================

[ ] HTTP[S]

[ ] FTP

[X] NFS

[ ] Local File

[ ] Local Tape

[ ] Local Device

F2_Continue F5_Cancel F6_Help

When performing Flash archive installations, you can select any one of six retrieval methods. One commonly used method is to retrieve the archive from the master as NFS-shared files.


4. Select NFS, and press F2 to continue.

When you select a retrieval method, you must select a specific location. In the NFS retrieval method, the next screen prompts you for the server and location. Remember to use the IP address of the server instead of the server name.

Flash Archive Addition

Please specify the path to the network file system where the Flash

archive is located. For example:

NFS Location: syrinx:/export/archive.flar

=========================================================================

NFS Location: 192.168.30.30:/export/install/flash_archive1

F2_Continue F5_Cancel F6_Help

5. Press F2 to continue.

Next, you add a Flash archive. If the NFS file system is mounted and shared, and if you can locate the Flash archive within the file system, you are prompted for additional Flash archive names. A Solaris OS image must exist on a clone system before you can install additional Flash archives. The first Flash archive you install must also contain a bootable Solaris OS image.

Flash Archive Selection

You selected the following Flash archives to use to install this system.

If you want to add another archive to install select "New".

Retrieval Method Name

====================================================================

NFS build74L1

F2_Continue F3_Go Back F4_Edit F5_New F6_Help


6. Press F2 to continue.

Select Disks

On this screen you must select the disks for installing Solaris software.

Start by looking at the Suggested Minimum field; this value is the

approximate space needed to install the software you’ve selected. Keep

selecting disks until the Total Selected value exceeds the Suggested

Minimum value.

NOTE: ** denotes current boot disk

Disk Device Available Space

=========================================================================

[X] ** c0t0d0 19457 MB (F4 to edit)

[ ] c1t0d0 8633 MB

Total Selected: 19457 MB

Suggested Minimum: 2171 MB

F2_Continue F3_Go Back F4_Edit F5_Exit F6_Help

The Select Disks window identifies where you want to install the Flash archive. This disk is now the boot disk for the clone system.

7. Press F2 to continue.

The system is queried and you are given the opportunity to preserve any existing data on the target disk. If you decide to preserve data, you then select the file systems to preserve.


8. Press F2 to continue.

File System and Disk Layout

The summary below is your current file system and disk layout, based on

the information you’ve supplied.

NOTE: If you choose to customize, you should understand file systems,

their intended purpose on the disk, and how changing them may affect the

operation of the system.

File sys/Mnt point Disk/Slice Size

========================================================================

/ c0t0d0s0 5000 MB

swap c0t0d0s1 512 MB

overlap c0t0d0s2 19457 MB

/export/home c0t0d0s7 13945 MB

F2_Continue F3_Go Back F4_Customize F5_Exit F6_Help

The File System and Disk Layout window appears. This screen varies according to your disk partition specification in the preconfigured profile files. Explicit partitioning configures the disk as specified in the profile file, while existing partitioning specifies that you should leave the disk as currently configured. The existing specification brings up the next screen where you are prompted to customize the existing partitions.


9. Press F2 to continue.

The Mount Remote File Systems window appears. If your Flash archives are stored on the master Flash archive server, press F2 to continue.

-Profile

The information shown below is your profile for installing Solaris

software.

It reflects the choices you’ve made on previous screens.

========================================================================

Installation Option: Flash

Boot Device: c0t0d0

Client Services: None

Software: 1 Flash Archive

NFS: build74L1

File System and Disk Layout: / c0t0d0s0 3227 MB

swap c0t0d0s1 512 MB

/export/home c0t0d0s7 15718 MB

Esc-2_Begin Installation F4_Change F5_Exit F6_Help

The profiling phase of the Flash installation is now complete.


10. Review your selections and make changes, if necessary. If you are satisfied with the selections, press F2 to begin the installation.

When you start the installation, you see the volume table of contents (VTOC) information. The Solaris Flash Install window provides a progress slide bar and a numerical indication of how far the installation has progressed.

The next screen shows the steps involved in completing the Flash installation. After you install the Flash archive, the cleanup scripts complete the installation housekeeping tasks, and the system either reboots or prompts you to reboot, depending on your earlier configuration.

Customizing system files

- Mount points table (/etc/vfstab)

- Unselected disk mount points

(/var/sadm/system/data/vfstab.unselected)

- Network host addresses (/etc/hosts)

Cleaning devices

Customizing system devices

- Physical devices (/devices)

- Logical devices (/dev)

Installing boot information

- Installing boot blocks (c0t0d0s0)

Installation log location

- /a/var/sadm/system/logs/install_log (before reboot)

- /var/sadm/system/logs/install_log (after reboot)

Flash installation complete

Executing JumpStart postinstall phase...

The begin script log ’begin.log’

is located in /var/sadm/system/logs after reboot.

Pausing for 90 seconds at the "Reboot" screen. The wizard will continue

to the next step unless you select "Pause". Enter ’p’ to pause. Enter ’c’

to continue. [c]


11. Reboot the system to complete the installation operation.

Notice that the device configuration might not correspond to the devices on the system. It is usual to encounter errors on the first reboot after a Flash install, because the actual device configuration might differ between master and clone systems. The first reboot reconfigures the devices.

Rebooting with command: boot

Boot device: /pci@1f,0/ide@d/disk@0,0:a File and args:

SunOS Release 5.10 Version s10 64-bit

Copyright 1983-2005 Sun Microsystems, Inc. All rights reserved.

Use is subject to license terms.

SUNW,eri0 : 100 Mbps half duplex link up

Configuring devices.

Hostname: sys41

Loading smf(5) service descriptions: 118/118

checking ufs filesystems

/dev/rdsk/c0t0d0s7: is logging.

Creating new rsa public/private host key pair

Creating new dsa public/private host key pair

sys41 console login:


Using a Flash Archive With JumpStart Software

When you use Flash archives as the input source for JumpStart software, you must reconfigure a few of the JumpStart software configuration files to point to the Flash archive locations.

Network Files

When you use the JumpStart software method to deploy an archive to a clone, the clone follows a standard network boot process. The boot process uses Reverse Address Resolution Protocol (RARP) to get the clone's Internet address and host name, which are preconfigured in the master system files (/etc/ethers and /etc/inet/hosts).

# more /etc/ethers

8:0:20:93:c9:af sys41

8:0:20:9e:dc:04 sys42

8:0:20:b5:98:25 sys43

8:0:20:99:f2:22 sys44

# more /etc/inet/hosts

.

. (output truncated)

.

192.168.30.30 instructor

192.168.30.41 sys41

192.168.30.42 sys42

192.168.30.43 sys43

192.168.30.44 sys44


JumpStart Keywords

The JumpStart process uses keywords (added to the JumpStart profile installation file) to determine specific configurations for the JumpStart process. The Flash keywords new to JumpStart are:

- install_type flash_install

where:

install_type – Standard keyword

flash_install – The type of installation being performed

- archive_location [retrieval_type] [location]

where:

archive_location – The new keyword for JumpStart software

retrieval_type – The file system type argument

location – The absolute path to the archive

Examples of locations:

archive_location nfs [server_ip:/path/filename]

archive_location http [server_ip:port_path/filename]

archive_location [local_tape_device_position]

Certain JumpStart profile keywords are incompatible with the deployment of the Flash archives. Because a Flash deployment does not use the package add process, these keywords are incompatible in a Flash environment. Other packages are used for upgrades, which are not a part of Flash. Incompatible keywords are:

- cluster

- package

- isa_bits

- geo

- backup_media

- layout_constraint

The flash_S10 file is a sample profile file for JumpStart using a Flash archive.


# cat flash_S10

install_type flash_install

archive_location nfs 192.168.30.30:/flash/flash_archive1

partitioning explicit

filesys c0t0d0s1 512 swap

filesys c0t0d0s0 free /

The rules file now points to the flash_S10 profile file. You must run the check script to rebuild the rules.ok file.

# cat rules

any - - flash_S10 -

# ./check

Validating rules...

Validating profile ultra1_prof

The custom JumpStart configuration is ok.
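A profile lint for the Flash keyword rules described above, as an added example that is not part of the student guide or of the check script: it confirms that install_type is flash_install, that archive_location carries a retrieval type and a location, and that none of the six incompatible keywords is present. The function names and the mixed_prof sample are hypothetical; the flash_S10 sample is the profile shown above.

```sh
#!/bin/sh
# Added example (not from the student guide): lint a JumpStart profile that
# installs a Flash archive.

# lint_flash_profile FILE
# Checks FILE against the Flash rules described above:
#   - install_type must be flash_install
#   - at least one archive_location with a retrieval type and a location
#   - none of the keywords that are incompatible with a Flash deployment
# Prints one line per problem and returns 1 if any problem was found.
lint_flash_profile() {
    awk -v name="$1" '
        function problem(msg) { print name ": " msg; bad++ }
        BEGIN {
            n = split("cluster package isa_bits geo backup_media layout_constraint", kw, " ")
            for (i = 1; i <= n; i++) incompatible[kw[i]] = 1
        }
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        $1 == "install_type"  { itype = $2; next }
        $1 == "archive_location" {
            nloc++
            if (NF < 3)
                problem("line " NR ": archive_location needs a retrieval type and a location")
            else if ($2 == "nfs" && $3 !~ "^[^:/]+:/.")
                problem("line " NR ": nfs location must be server:/path, got " $3)
            next
        }
        ($1 in incompatible) { hit_line[++nhit] = NR; hit_kw[nhit] = $1 }
        END {
            if (itype != "flash_install") {
                problem("install_type is \"" itype "\", not flash_install")
            } else {
                if (nloc == 0) problem("no archive_location keyword")
                for (i = 1; i <= nhit; i++)
                    problem("line " hit_line[i] ": keyword " hit_kw[i] " is incompatible with flash_install")
            }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed samples: the flash_S10 profile shown above, and a hypothetical
# profile (mixed_prof) that still carries package-based keywords and an
# nfs location without a server.
write_samples() {
    cat > "$1/flash_S10" <<'EOF'
install_type flash_install
archive_location nfs 192.168.30.30:/flash/flash_archive1
partitioning explicit
filesys c0t0d0s1 512 swap
filesys c0t0d0s0 free /
EOF
    cat > "$1/mixed_prof" <<'EOF'
# leftover keywords from a package-based profile
install_type flash_install
archive_location nfs /flash/flash_archive1
cluster SUNWCXall
package SUNWman delete
partitioning explicit
EOF
}

# Demo: lint both constructed profiles.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for p in flash_S10 mixed_prof; do
    if lint_flash_profile "$demo_dir/$p"; then echo "$p: ok"; fi
done
rm -rf "$demo_dir"
```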

The sysidcfg file is a standard JumpStart configuration file.

# cat sysidcfg

system_locale=en_US

timezone=US/Mountain

timeserver=192.168.30.xx

network_interface=primary{netmask=255.255.255.0 protocol_ipv6=no}

name_service=none

security_policy=none

Note – Configuration files, such as the profile file, the rules files, and the sysidcfg file, are stored in the NFS directory that is invoked by using the add_install_client command.

Add the host name for the clone, the path to the sysidcfg file, and the path to the configuration directory using the add_install_client utility from the Solaris OS Installation CD 1, under the /cdrom/Solaris_10_sparc/s0/Solaris_10/Tools directory:

# ./add_install_client -p instructor:/export/config \

-c instructor:/export/config sys41 sun4u

making /tftpboot

enabling tftp in /etc/inetd.conf

updating /etc/bootparams

copying inetboot to /tftpboot


The add_install_client command shares the Solaris OS CD for the clone to boot. You must still share the /flash directory prior to booting the clone:

Run the svcs command to check that NFS services are enabled.

# svcs *nfs*

STATE STIME FMRI

disabled 14:56:34 svc:/network/nfs/mapid:default

disabled 14:56:34 svc:/network/nfs/cbd:default

disabled 14:56:36 svc:/network/nfs/server:default

online 14:56:56 svc:/network/nfs/status:default

online 14:56:57 svc:/network/nfs/nlockmgr:default

online 14:57:13 svc:/network/nfs/client:default

online 14:57:13 svc:/network/nfs/rquota:ticlts

online 14:57:13 svc:/network/nfs/rquota:udp

Use the svcadm command to enable the NFS services if required:

# svcadm enable network/nfs/server

Check that the NFS service is online:

# svcs *nfs*

STATE STIME FMRI

disabled 14:56:34 svc:/network/nfs/cbd:default

online 14:57:13 svc:/network/nfs/client:default

online 16:01:13 svc:/network/nfs/status:default

online 16:01:13 svc:/network/nfs/nlockmgr:default

online 16:01:14 svc:/network/nfs/mapid:default

online 16:01:14 svc:/network/nfs/rquota:ticlts

online 16:01:15 svc:/network/nfs/server:default

online 16:01:15 svc:/network/nfs/rquota:udp

#

# share -o ro,anon=0 /flash

Check the shares:

# share

- /export ro,anon=0 ""

- /flash ro,anon=0 ""
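The share -o ro,anon=0 /flash line above exports the archive directory read-only to every client, with requests from unknown users (a client's root included) mapped to UID 0. As an added check, not part of the student guide, the function below reads share output and reports whether a path is shared, whether it is writable, and whether anon=0 is combined with an unrestricted client list; the function name is hypothetical and the /export/scratch entry in the sample is constructed.

```sh
#!/bin/sh
# Added example (not from the student guide): audit one entry of `share`
# output before the clone is booted.

# Constructed sample: the `share` output shown above, plus one hypothetical
# read-write export (/export/scratch) for contrast.
sample_shares() {
cat <<'EOF'
-               /export   ro,anon=0   ""
-               /flash   ro,anon=0   ""
-               /export/scratch   rw   ""
EOF
}

# audit_share PATH
# Reads `share` output on stdin (resource, path, options, description) and
# reports on PATH. Prints findings one per line, prefixed OK, FAIL or NOTE.
# Returns 1 if PATH is not shared or is writable by any client, 0 otherwise.
audit_share() {
    awk -v want="$1" '
        $2 == want {
            found = 1
            n = split($3, opt, ",")
            for (i = 1; i <= n; i++) {
                o = opt[i]
                if (o == "ro")           ro_all = 1
                else if (o == "rw")      rw_all = 1
                else if (o ~ /^ro=/)     ro_list = 1
                else if (o ~ /^rw=/)     rw_list = 1
                else if (o == "anon=0")  anon_root = 1
            }
        }
        END {
            if (!found) { print "FAIL " want " is not shared"; exit 1 }

            # With neither ro nor rw given, share_nfs defaults to read-write
            # for all clients.
            none     = !(ro_all || rw_all || ro_list || rw_list)
            writable = rw_all || rw_list || none
            open     = ro_all || rw_all || none

            if (writable) { print "FAIL " want " is shared read-write"; fail = 1 }
            else            print "OK " want " is shared read-only"

            if (anon_root && open)
                print "NOTE " want " has anon=0 and no client access list: " \
                      "every host that can reach the server reads it as UID 0"

            exit (fail ? 1 : 0)
        }
    '
}

# Demo on the constructed output.
sample_shares | audit_share /flash
sample_shares | audit_share /export/scratch || true
```

To limit which hosts can mount the directory, share_nfs accepts an access list, for example ro=sys41:sys42 in place of ro.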

Check the /etc/bootparams file to make sure that the command points to the correct installation directories:


# more /etc/bootparams

sys41 root=instructor:/export/install/Solaris_10/Tools/Boot

install=instructor:/export/install boottype=:in

sysid_config=instructor:/export/config

install_config=instructor:/export/config rootopts=:rsize=32768

JumpStart Using a Flash Archive

Use either the init 0 or the shutdown command to bring the clone to the ok prompt, then boot the clone to the network.

ok boot net - install nowin

SunOS Release 5.10 Version s10 64-bit

Copyright 1983-2005 Sun Microsystems, Inc. All rights reserved.

Use is subject to license terms.

SUNW,hme0 : 100 Mbps half duplex link up

whoami: no domain name

Configuring devices.

Using RPC Bootparams for network configuration information.

Attempting to configure interface hme0...

Configured interface hme0

Beginning system identification...

Searching for configuration file(s)...

Using sysid configuration file 192.168.30.30:/export/config/sysidcfg

Search complete.

Discovering additional network configuration...

Completing system identification...

Starting remote procedure call (RPC) services: done.

System identification complete.

Starting Solaris installation program...

Searching for JumpStart directory...

Using rules.ok from 192.168.30.30:/export/config.

Checking rules.ok file...

Using profile: flash_S10

Executing JumpStart preinstall phase...

Searching for SolStart directory...

Checking rules.ok file...

Using begin script: install_begin

Using finish script: patch_finish

Executing SolStart preinstall phase...

Executing begin script "install_begin"...

Begin script install_begin execution completed.

Processing default locales


- Specifying default locale (en_US.ISO8859-1)

Processing profile

- Opening Flash archive

- Validating Flash archive

- Selecting all disks

- Configuring boot device

- Using disk (c0t0d0) for "rootdisk"

- Configuring swap (c0t0d0s1)

- Configuring / (c0t0d0s0)

- Configuring /export (c0t0d0s7)

- Deselecting unmodified disk (c1t0d0)

Verifying disk configuration

Verifying space allocation

NOTE: 1 archives did not include size information

Preparing system for Flash install

Configuring disk (c0t0d0)

- Creating Solaris disk label (VTOC)

Creating and checking UFS file systems

- Creating / (c0t0d0s0)

- Creating /export (c0t0d0s7)

Beginning Flash archive processing

Predeployment processing

16 blocks

16 blocks

16 blocks

No local customization defined

Extracting archive: build74L1

Extracted 0.00 MB ( 0% of 1670.59 MB archive)

Extracted 1.00 MB ( 0% of 1670.59 MB archive)

Extracted 2.00 MB ( 0% of 1670.59 MB archive)

. (output truncated)

Extracted 1670.00 MB ( 99% of 1670.59 MB archive)

Extracted 1670.59 MB (100% of 1670.59 MB archive)

Extraction complete


Postdeployment processing

No local customization defined

Customizing system files

- Mount points table (/etc/vfstab)

- Unselected disk mount points

(/var/sadm/system/data/vfstab.unselected)

- Network host addresses (/etc/hosts)

- Network host addresses (/etc/hosts)

Cleaning devices

Customizing system devices

- Physical devices (/devices)

- Logical devices (/dev)

Installing boot information

- Installing boot blocks (c0t0d0s0)

Installation log location

- /a/var/sadm/system/logs/install_log (before reboot)

- /var/sadm/system/logs/install_log (after reboot)

Flash installation complete

Executing JumpStart postinstall phase...

The begin script log ’begin.log’

is located in /var/sadm/system/logs after reboot.

syncing file systems... done

rebooting...

Resetting ...

After the clone system has completely rebooted, log in to the clone and use the ping command to verify connectivity to the master.

Locating the Installation Logs

The error and message log resides in the /var/adm/messages file. The detailed installation log resides in the /var/sadm/install_data/install_log file.


Live Upgrade

Solaris Live Upgrade can be used to upgrade a system. Live Upgrade creates a copy of the existing OS and this copy can be upgraded. The system administrator can then boot from the new environment with the minimum of down time. If any problems or failures occur, it is possible to revert to the old OS by a single reboot. For more information on Live Upgrade consult the Solaris 10 OS Release and Installation Collection, Solaris 10 OS Installation Guide, and the Solaris OS Live Upgrade and Installation Planning Guide.

WANboot

Introducing the Basics of WANboot

WANboot is an automatic installation process. It encompasses the existing JumpStart framework. WANboot enables automatic installation of multiple Solaris 10 systems across the WAN. WANboot builds on the existing JumpStart capabilities and provides enhancements to security and scalability to enable system administrators to install multiple systems connected by a WAN such as the Internet.

Advantages of WANboot

The advantages of WANboot over basic JumpStart include:

- No requirement for JumpStart boot servers when clients and installation servers are on different subnets

- Clients and servers can authenticate using SHA (Secure Hash Algorithms)

- Clients may download the OS using HTTPS, providing enhanced security

- NFS is not used by WANboot

Limitations of WANboot

- WANboot requires a minimum firmware revision, OBP 4.14. A WANboot installation can be performed with earlier versions of OBP by using the Solaris 10 OS CD-ROM 1, or DVD.

- WANboot only supports installation using Flash archives.

For further information regarding WANboot refer to the Solaris 10 Release and Installation Collection, Network Based Installations.


Exercise Summary

Discussion – Take a few minutes to discuss the experiences, issues, or discoveries that you had during the lab exercises.

- Experiences

- Interpretations

- Conclusions

- Applications

Page 789: Solaris 10 Advanced Sys Admin Student Guide

7/3/2019 Solaris 10 Advanced Sys Admin Student Guide

http://slidepdf.com/reader/full/solaris-10-advanced-sys-admin-student-guide-55845b7d254da 789/794

Index-1Copyright 2005 SunMicrosystems, Inc. AllRightsReserved.SunServices,RevisionA.1

Symbols# (pound) 2-18* (asterisk) 11-3

. (period) 11-3/etc/bootparams file 16-4,

16-37, 16-38, 16-40, 16-41, 16-89/etc/coreadm.conf file 5-8/etc/default/nfslogd file 6-9/etc/defaultdomain file 14-17/etc/dfs/dfstab file 6-9, 6-10,

6-15, 16-4, 16-38, 16-42/etc/dfs/fstypes file 6-9, 6-25/etc/dfs/sharetab file 6-9,

6-10, 6-13/etc/dumpadm.conffile 5-3, 5-4/etc/ethers file 16-4, 16-38/etc/hostname.eri0 file 1-7/etc/hostname.hme0 file 1-7/etc/hostname.hme1 file 1-7/etc/hostname.qfe0 file 1-7/etc/hostname.xxnfile 1-6, 1-7/etc/hosts file 1-7, 12-2/etc/inet/hosts file 1-6, 1-8,

16-4, 16-38/etc/inet/hosts/ file 1-8/etc/inet/inetd.conf

file 2-16, 2-18/etc/inet/service file 2-23/etc/inet/services file 2-25/etc/mnttab file 6-13, 6-25/etc/mnttab file system 7-15/etc/netmasks file 16-88, 16-89

/etc/nfs/nfslog.conf file 6-9/etc/nodename file 1-9/etc/nsswitch.conf file 12-14/etc/nsswitch.conf

switch 14-9/etc/passwd file 16-61/etc/rc2.d/S88sendmail

script 2-22/etc/rcS.d/S30Network.sh

file 1-6/etc/rcS.d/S30network.sh

file 1-6/etc/rcS.d/S30rootusr.sh

file 1-6/etc/rcS.d/s70buildmnttab.

sh script 6-25/etc/rmtab file 6-9, 6-11/etc/security/auth_attr

database 10-27/etc/security/exec_attr

database 10-7/etc/security/prof_attr

databasedatabase 10-22/etc/shadow file 16-61/etc/syslog.conf file 11-1,

11-2, 11-3, 11-7/etc/timezone file 16-88/etc/user_attrdatabase 10-2/etc/vfstab file 4-3, 4-6, 4-8,

4-9/tftpbootdirectory 16-38,

16-68/tftpboot file 16-4

Index

Page 790: Solaris 10 Advanced Sys Admin Student Guide

7/3/2019 Solaris 10 Advanced Sys Admin Student Guide

http://slidepdf.com/reader/full/solaris-10-advanced-sys-admin-student-guide-55845b7d254da 790/794

Index-2 Advanced System Administration for the Solaris™ 10 Operating SystemCopyright2005 SunMicrosystems, Inc. AllRights Reserved.SunServices,RevisionA.1

/usr/include/sys/syslog.h file 11-3/usr/lib/help/auths/locale/C

directory 10-4/usr/sbin/flar command 17-10/usr/sbin/in.rarpddaemon 16-37/usr/sbin/sys-unconfig

command 1-10/var/adm/messages file 11-3/var/crash/nodename/unix.Xfile 5-2/var/crash/nodename/vmcore.X

file 5-2/var/yp/Makefile file 16-86/var/yp/securenets file 14-13

A

action field 11-3, 11-6add_install_clientscript 16-23,

16-40, 16-68, 16-89addresses

Ethernet 1-2anonymous memory pages 4-2AutoFS file system 7-2automount

maps 7-5script 7-2

automount command 7-2, 7-14

automount systemstarting 7-16stopping 7-16

automountddaemon 7-2

Bbanner command 1-2begin script 16-52boot programmable read only memory

See boot PROMboot PROM 1-2bounds file 5-2

Ccanonical host name 1-9check script 16-21client 2-3client processes 2-2client-server 2-1, 2-4

introducing 2-2relationship 2-2, 12-8

clone 17-2commands

/usr/sbin/flar 17-10/usr/sbin/sys-unconfig 1-10automount 7-2, 7-14banner 1-2coreadm 5-6, 5-9, 5-10, 5-12dfshares 6-23dumpadm 5-2, 5-3, 5-4flarcreate 17-7ifconfig 1-3ifconfig -a 1-2, 1-3make 14-16, 16-87mount 6-11pagesize 4-5ping 1-4, 1-5rpcbind 2-28rpcinfo 2-28savecore 5-2, 5-3share 6-10, 6-11, 6-17, 6-19shareall 6-10swap -a 4-8swap -l 8-13sys-unconfig 1-11uname -n 5-2, 5-5unshare 6-17, 6-22ypinit 14-20ypstop 14-19ypwhich -m 12-6

core filedefinition 5-6paths 5-9pattern 5-11

coreadmcommand 5-6, 5-7, 5-8, 5-9, 5-10,5-12

crash dump 5-2

Page 791: Solaris 10 Advanced Sys Admin Student Guide

7/3/2019 Solaris 10 Advanced Sys Admin Student Guide

http://slidepdf.com/reader/full/solaris-10-advanced-sys-admin-student-guide-55845b7d254da 791/794

Index Index-3Copyright 2005 SunMicrosystems, Inc. AllRightsReserved.SunServices,RevisionA.1

Ddaemons/usr/sbin/in.rarpd 16-37automountd 7-2in.tftpd 16-68inetd 2-16Internet Service. See inetdlockd 6-12mountd 6-11, 6-12nfsd 6-12, 6-13nfslogd 6-9, 6-12, 6-14, 6-34nscd 12-18rpc.spayd 2-27rpc.yppasswdd 14-7rpc.ypupdated 14-8statd 6-12syslogd 11-2, 11-8ypbind 12-7, 14-7ypserv 14-7ypxfrd 14-7

databases/etc/security/auth_attr 10-27passwd 14-10

delimiter 11-3dfshares command 6-23dfstab file 6-10directories/tftpboot 16-38, 16-68/usr/lib/help/auths/locale/C 10-4

DNS 1-8, 2-2, 2-4, 12-7, 13-2configure 13-3edit client configuration files 13-6namespace 12-4

Domain Name System. See DNSdump device 5-2dumpadm command 5-2, 5-3, 5-4Dynamic Host Configuration Protocol

(DHCP) 1-5, 1-9

Eerr field 11-3Ethernet

address 1-2displaying 1-2marking interfaces up and down 1-3

Ffacility 11-3file systems/etc/mnttab 7-15AutoFS 7-2mntfs 6-25swapfs 4-4UFS 8-4

files/etc/bootparams 16-4, 16-37, 16-38,

16-40, 16-41, 16-89/etc/coreadm.conf 5-8/etc/default/nfslogd 6-9/etc/defaultdomain 14-17/etc/dfs/dfstab 6-9, 6-10, 6-15, 16-4,

16-38, 16-42/etc/dfs/fstypes 6-9, 6-25/etc/dfs/sharetab 6-9, 6-10, 6-13/etc/dumpadm.conf 5-3, 5-4/etc/ethers 16-4, 16-38/etc/hostname.eri0 1-7/etc/hostname.hme0 1-7/etc/hostname.hme1 1-7/etc/hostname.qfe0 1-7/etc/hostname.xxn 1-6, 1-7/etc/hosts 1-7, 12-2/etc/inet/hosts 1-6, 1-8, 16-4, 16-38/etc/inet/hosts/ 1-8/etc/inet/inetd.conf 2-16, 2-18/etc/inet/service 2-23/etc/inet/services 2-25/etc/mnttab 6-13/etc/netmasks 16-88, 16-89/etc/nfs/nfslog.conf 6-9/etc/nodename 1-9/etc/nsswitch.conf 12-14/etc/passwd 16-61/etc/rcS.d/S30network.sh

1-6/etc/rcS.d/S30rootusr.sh 1-6/etc/rmtab 6-9, 6-11/etc/shadow 16-61/etc/syslog.conf 11-2, 11-3, 11-7/etc/timezone 16-88/etc/vfstab 4-3, 4-6, 4-8, 4-9/tftpboot 16-4/usr/include/sys/syslog.h 11-3

    /var/adm/messages 11-3
    /var/crash/nodename/unix.X 5-2
    /var/crash/nodename/vmcore.X 5-2
    /var/yp/Makefile 16-86
    /var/yp/securenets 14-13
    bounds 5-2
    dfstab 6-10
    hostname.xxn 1-6
    Makefile 14-19
    minfree 5-5
    name service switch 14-10
    passwd.adjunct 14-14
    profile 16-19, 16-53
    rules 16-8, 16-19
    sysidcfg 16-5, 16-13, 16-43
    ypservers 14-18
finish script 16-61
flarcreate command 17-7
flash
    deployment 17-3
    installation 17-2, 17-3
    installation logs 17-26
    limitations of 17-5
flash archive
    administration 17-10
    creation 17-4
    extraction 17-3
    JumpStart installation 17-19
flash installation
    /usr/sbin/flar command 17-6
    /usr/sbin/flarcreate command 17-6
    hardware requirements 17-5
folder 3-5

G

GUI 10-30

H

hang-up signal. See HUP signal
hostname.xxn file 1-6
hot spare 8-26
hot spare pool 8-26
HTML 10-4
HTTP 17-4
HUP signal
Hypertext Markup Language (HTML) 10-4
Hypertext Transfer Protocol (HTTP) 17-4

I

ICMP ECHO_REQUEST packets 1-4
ifconfig -a command 1-2, 1-3
ifconfig command 1-3
ifconfig utility 1-6
in.ftpd server process 2-18
in.tftpd daemon 16-68
inetd daemon 2-16
init process 5-7
Internet Protocol (IP) address 1-2
Internet service daemon 2-16
IPv4 1-6
IPv4 Interface
    describing and configuring 1-6

J

JumpStart
    boot problems 16-67
    client 16-4
        booting 16-26, 16-36
        configuration services 16-7
        identification items 16-6
        installation services 16-9
        spooled image 16-10
    configuring 16-3
    identification services 16-5
    procedure 16-2
    process 16-37
    server
        boot services 16-4
        component services 16-3
        implementing 16-11
    troubleshooting 16-67
    versus Flash installation 17-2

L

LAN 1-2
LDAP 2-4, 12-9, 13-8
    client 13-8
        authentication 13-8
        configure 13-10
        unconfigure 13-18
legacy application 3-2, 3-5, 3-14, 4-5
local area network. See LAN
lockd daemon 6-12
log host 11-2
logical storage volumes 8-2, 9-2
loopback interface 1-3

M

m4 macro processor 11-8
MAC address 1-2
majority consensus algorithm 8-24
make command 14-16, 16-87
Makefile file 14-19
management scope 3-28
management tools 3-4
master 17-2
media access control (MAC) address 1-2
metadevices 8-2, 9-2
minfree file 5-5
mirror
    configuring 8-7, 9-31
    one-way 8-26
    read policies 8-11, 9-32
    write policies 8-11, 9-32
mntfs file system 6-25
mount command 6-11
mountd daemon 6-11, 6-12
MPSS 4-5
Multiple Page Size Support service (MPSS) 4-5

N

name service cache daemon 12-18
name service switch file 14-10
naming service 12-2
Network 1-8
network file system. See NFS
Network File System (NFS) 2-2
Network Information Service (NIS) 12-6
Network Information Service Plus (NIS+) 12-8
network interfaces 1-2
network packets, capturing 1-5
network ports 2-21
NFS 2-2, 6-2, 16-5, 16-43, 17-4
    benefits 6-2
    client daemons 6-24
    mounting 6-18
    server files 6-9
    troubleshooting errors 6-43
NFS client 6-24
    daemons 6-27
    files 6-24
    utilities 6-24
NFS file system. See NFS
NFS server
    commands 6-9
    daemons 6-9, 6-12
    files 6-9
    managing 6-9
nfsd daemon 6-12, 6-13
nfslogd daemon 6-9, 6-12, 6-14, 6-34
NIS 1-8, 2-4, 12-6, 12-7, 14-10, 16-89
    client, configuring 14-24
    commands 14-23
    domains 14-2, 14-4
    fundamentals 14-2
    maps 14-2
    master server, configuring 14-20
    processes 14-6
    slave servers 14-5
    status codes 12-15
    troubleshoot 14-39
NIS+ 1-8, 12-8
nscd daemon 12-18

P

pagesize command 4-5
paging 4-5
panic routine 5-2
passwd database 14-10
passwd.adjunct file 14-14
physical addresses 4-2
physical memory 4-2
ping command 1-4, 1-5
port assignments 2-21
process
    init 5-7
    rpcbind 2-25
    sendmail 2-22
profile 16-53
profile file 16-19, 16-53
PROM 1-2
protocols
    Dynamic Host Configuration Protocol. See DHCP 1-5

R

RAID 8-13

/etc/security/prof_attr 10-22
/etc/user_attr 10-2

redundant array of independent disks. See RAID
relationships, client-server 12-8
remote procedure calls (RPC) 1-9
Reverse Address Resolution Protocol. See RARP
right 10-4
role
    definition 10-3
    modify 10-9
role-based access control. See RBAC
root toolbox 3-4
root user 3-3, 10-3
routine, panic 5-2
RPC 1-9
rpc.spayd daemon 2-27
rpc.yppasswdd daemon 14-7
rpc.ypupdated daemon 14-8
rpcbind command 2-28
rpcbind process 2-25
rpcinfo command 2-28
rules file 16-8, 16-19