~drscream

Solaris 11 tricks and hints

This page is not a full setup guide for Solaris 11 on SPARC. It is basically a small list of tricks and hints to help you around some issues I ran into. Most things are different from Linux, so don't be confused.

Boot from CDROM

Sometimes, for example for an installation, you need to boot from CDROM / DVD. On an already installed and configured system you first need to switch to init 0:

# In global zone type
$ init 0

If you have an uninstalled system, which is the default for freshly received hardware, you need to use the Integrated Lights Out Manager (ILOM). It provides a web interface and an SSH connection.

# Connect via SSH to the Integrated Lights Out Manager
# Default password is provided on the chassis (if not changed: changeme)
$ ssh root@<ip-of-ilom>

The Integrated Lights Out Manager provides lots of commands. For booting from CDROM you don't need many of them. The only reason you need ILOM at all is that you're too lazy to connect a monitor to the machine.

# Connect to the host serial console via ILOM
-> start /HOST/CONSOLE

The system isn't booted (because it isn't installed), so you see the prompt of the waiting EEPROM. This allows you to boot from CDROM or other media.

# Boot from CDROM and use the text output because we would like
# to finish the installation via serial console
{0} ok
{0} ok boot cdrom - text

Setup or modify hostname

Normally the hostname is configured during setup, but maybe you mixed up the FQDN and the short hostname? In Solaris everything should be the FQDN.

# Set both the node name and the loopback name to the FQDN
$ svccfg -s system/identity:node setprop config/nodename="fqdn-my-host.example.com"
$ svccfg -s system/identity:node setprop config/loopback="fqdn-my-host.example.com"

# Refresh config changes and restart service
$ svcadm refresh system/identity:node
$ svcadm restart system/identity:node

Network setup global zone

Static network configuration is done via commands, not by editing config files. The commands create all config files for you.

# Plumb the network interface to be sure it is up and usable
$ ifconfig net0 plumb

# Maybe you need to delete the IP interface to clear things before
# you create the IP stack again
$ ipadm delete-ip net0
$ ipadm create-ip net0

# Add the IP address to the interface statically (/engine is a suffix
# which can be defined by yourself)
$ ipadm create-addr -T static -a local=10.43.1.47/24 net0/engine

# Assign a default route (also static, -p is persistent)
$ route -p add default 10.43.1.1

DNS setup

A system isn’t complete if you don’t have it configured to use DNS. In Solaris 11 the DNS client (/etc/resolv.conf) is managed by SMF - the awesome Service Management Facility.

# Configure /etc/resolv.conf
$ svccfg -s network/dns/client
svc:/network/dns/client> setprop config/search = astring: ("srv.example.com")
svc:/network/dns/client> setprop config/nameserver = net_address: (8.8.8.8 8.8.4.4)
svc:/network/dns/client> exit

The /etc/nsswitch.conf is also configured via SMF; we need to modify it to use DNS and not only the hosts file.

# Configure /etc/nsswitch.conf
$ svccfg -s system/name-service/switch
svc:/system/name-service/switch> setprop config/host = astring: "files dns"
svc:/system/name-service/switch> exit

Your changes will not apply automatically. They require a refresh and a restart of the service.

# Refresh (load config changes), Restart (apply config changes)
$ svcadm refresh dns/client
$ svcadm restart dns/client

$ svcadm refresh name-service/switch
$ svcadm restart name-service/switch

If for some reason /etc/resolv.conf isn't written by the service, you can force it via nscfg export:

$ nscfg export svc:/network/dns/client:default

Use NTP in Global Zone

You should always use NTP, as it makes time problems much less of an issue. And it's not that hard: Solaris already provides everything you need. Modify or create /etc/inet/ntp.conf with the defaults you require.

$ echo "server ntp.example.com"            > /etc/inet/ntp.conf
$ echo "driftfile /var/ntp/ntp.drift"     >> /etc/inet/ntp.conf
$ echo "statsdir /var/ntp/ntpstats/"      >> /etc/inet/ntp.conf
$ echo "filegen peerstats file peerstats type day enable" >> /etc/inet/ntp.conf
$ echo "filegen loopstats file loopstats type day enable" >> /etc/inet/ntp.conf

Enable the service and force an ntpdate first.

# Force ntpdate
$ ntpdate 0.pool.ntp.org

# Enable NTP service
$ svcadm enable ntp

Solaris 11 Zone

Creating a Solaris 11 zone is really easy and there is already a lot of documentation out there. First you create a ZFS filesystem on which you would like to store the zone. Second you configure the zone via zonecfg, and finally you install it.

# Create zone file system via zfs
$ zfs create rpool/solaris11-zone

# Create zone via zonecfg with the minimal setup required
$ zonecfg -z solaris11-zone
zonecfg:solaris11-zone> create
zonecfg:solaris11-zone> set zonepath=/rpool/solaris11-zone
zonecfg:solaris11-zone> set autoboot=true
zonecfg:solaris11-zone> set bootargs="-m verbose"
zonecfg:solaris11-zone> verify
zonecfg:solaris11-zone> commit
zonecfg:solaris11-zone> exit

Be sure to verify that the zone is listed via zoneadm list -icv. The installation may take a while because it downloads the files from the IPS repository. Depending on your setup it might be faster to use the CD/DVD install medium.

# Start installation
$ zoneadm -z solaris11-zone install

Boot the zone and finish the installation with the sysconfig tool. The configuration tool will automatically start after the first boot. It will appear on the serial console of the zone.

# Boot the zone
$ zoneadm -z solaris11-zone boot

You should follow the configuration wizard to set up the zone profile. If your keyboard doesn't provide the F2 key, use ESC+2.

# Use zlogin with -C option to use serial console connection
$ zlogin -C solaris11-zone

Very important: the profile has higher priority than all other zone configuration you make via svccfg or svcadm, so it will always overwrite your network, DNS and hostname settings. You can always run sysconfig configure again to make changes.

Solaris 10 branded zone

It is possible to install Solaris 10 branded zones on Solaris 11. I can recommend the official guide from the Oracle blog: Solaris 10 branded zone VM Templates for Solaris 11 on OTN. It requires downloading solaris-10u10-x86.bin from Oracle, a roughly 2 GB script / blob image containing the Solaris 10 bits.

If you use it to create the Solaris 10 zone, be sure you're using the CIDR syntax for the network setup. The script somehow gets confused if you don't provide that information.

# Create a Solaris 10 branded zone with the Oracle script
$ ./solaris-10u11-sparc.bin -p /zones -a 10.1.1.2/24 -i net0 -z solaris10-zone

Delete Solaris zone

If you want to delete the zone, be sure you’re also deleting the virtual NICs the script created.

# Shutdown, Uninstall and Delete - Solaris 10 zone
$ zoneadm -z solaris10-zone shutdown
$ zoneadm -z solaris10-zone uninstall -F
$ zonecfg -z solaris10-zone delete -F

# Look for the virtual NICs
$ dladm show-vnic

# Delete the randomly named VNICs created by the script
$ dladm delete-vnic vnicZBI61549281

Configure LDAP authentication via SSH

If you already have an Active Directory, it's easy to also use it for SSH authentication, groups and user accounts on the Solaris machine. The following setup was done in a Solaris 11 zone, but should also be possible in a global zone, and maybe with some modifications on Solaris 10.

SSL certificates and secure ldap connection

You should always use a TLS/SSL connection to the LDAP server. Most companies have their own PKI and root certificate authority, which requires importing their certificates into the LDAP certificate store.

# Create LDAP certificate store
$ /usr/sfw/bin/certutil -N -d /var/ldap/

Download the root certificate and maybe the intermediate certificate. This depends on how well the Active Directory server is configured and whether it provides the full certificate chain on request. Most servers are configured wrong, so I import both the root CA and the ICA.

# Download and check the SSL certificates (fingerprint, etc.)
# Both files are provided in PEM format, the -t option sets the trust flags
$ /usr/sfw/bin/certutil -A -n "Primary ROOT CA" -i primary-root-ca.crt -t CT -d /var/ldap
$ /usr/sfw/bin/certutil -A -n "ICA SHA1" -i intermediate-ca.crt -t CT -d /var/ldap

# Verify that everything is there
$ /usr/sfw/bin/certutil -L -d /var/ldap/

Configure LDAP via ldapclient

Configuring LDAP requires a valid user to bind to the Active Directory. It also requires that you have already configured the Active Directory to support UNIX extensions. Don't just copy & paste the following commands; they require modification for your Active Directory.

First, always use host names, because under normal circumstances the SSL certificate cannot be validated against an IP address.

Because ldapclient modifies /etc/nsswitch.conf so that DNS is no longer used, things might break during the setup. As a workaround you can add the hostnames and IP addresses of the Active Directory servers to /etc/hosts.

# Modify /etc/hosts for the setup via ldapclient
$ echo -e '10.1.3.3\teddie.ad.example.com\n10.1.3.4\tkrusty.ad.example.com' >> /etc/hosts

The next ldapclient invocation is a long command with many arguments; read it carefully and make the modifications required for your setup. For the defaultServerList option it is important to put the complete parameter in double quotes ".

$ ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=tls:simple \
-a domainName=ad.example.com \
-a defaultSearchBase=DC=ad,DC=example,DC=com \
-a proxyDN="CN=SERVICE_ACCOUNT,OU=Service-Accounts,DC=ad,DC=example,DC=com" \
-a proxyPassword=SERVICE_ACCOUNT_PASSWORD \
-a defaultSearchScope=sub \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=ad,dc=example,dc=com?sub \
-a serviceSearchDescriptor=group:dc=ad,dc=example,dc=com?sub \
-a followReferrals=false \
-a "defaultServerList=eddie.ad.example.com krusty.ad.example.com"

The command will take some time to complete. You can check the log files in /var/adm/ if you want to see what is happening. There is also the -v option for verbose output.

Fix DNS problem because of ldapclient setup

Back to the DNS problem and the /etc/nsswitch.conf change. I'm sure there must be another way around it, but I have not found it yet. We need to reconfigure name-service/switch to use DNS for hosts and not LDAP.

# Use the svccfg command to modify the hosts setup in nsswitch.conf
$ svccfg
svc:> select name-service/switch
svc:/system/name-service/switch> setprop config/host = "files [SUCCESS=return] dns"
svc:/system/name-service/switch> select system/name-service/switch:default
svc:/system/name-service/switch:default> refresh
svc:/system/name-service/switch:default> validate
svc:/system/name-service/switch:default> exit

If everything is okay and valid, you can use id to verify that your user account is working.

$ id firstname.lastname.from.ad

Configure PAM / SSH to use LDAP

Without SSH authentication, LDAP isn't that helpful for me as a system administrator, so we configure PAM to use LDAP for authentication. By default SunSSH uses PAM, so everything should be fine.

All PAM configuration is stored in /etc/pam.d on Solaris 11. It requires some changes in every configuration file in that folder. I only show the modified and added lines:

==> login <==
auth sufficient         pam_unix_auth.so.1
auth required           pam_ldap.so.1

==> other <==
auth sufficient         pam_unix_auth.so.1
auth required           pam_ldap.so.1

account required        pam_ldap.so.1

==> passwd <==
auth required           pam_ldap.so.1

==> pfexec <==
auth sufficient         pam_unix_auth.so.1

==> tpdlogin <==
auth sufficient         pam_unix_auth.so.1

As you can see, the only modification is changing pam_unix_auth.so.1 to sufficient, and we add pam_ldap.so.1 as required.
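Instead of eyeballing the files, the stack above can be checked. The following is an added example, not part of the original page: a POSIX shell audit that reads pam.d service files and confirms that pam_unix_auth.so.1 is sufficient and listed before the required pam_ldap.so.1, and that other also routes account management through LDAP. The script name pam_audit.sh is an assumption; the file names and lines checked are the ones shown above.

```shell
#!/bin/sh
# Added example, not from the original page: audit /etc/pam.d files for the
# LDAP stack described above. Two things are checked:
#   1. "auth sufficient pam_unix_auth.so.1" is present and listed before
#      "auth required pam_ldap.so.1" (that order lets a local password
#      succeed on its own while everything else falls through to LDAP);
#   2. "other" also carries "account required pam_ldap.so.1".
# The directory to audit is passed as the first argument.

# pam_auth_order FILE: return 0 when both auth lines exist in the expected
# order, 1 otherwise. Commented-out lines have "#..." as $1 and do not count.
pam_auth_order() {
    awk '
        $1 == "auth" && $2 == "sufficient" && $3 == "pam_unix_auth.so.1" { u = NR }
        $1 == "auth" && $2 == "required"   && $3 == "pam_ldap.so.1"      { l = NR }
        END { exit !(u && l && u < l) }
    ' "$1"
}

# pam_account_ldap FILE: return 0 when account management is also routed
# through LDAP, so the stack does not stop at the password check.
pam_account_ldap() {
    awk '
        $1 == "account" && $2 == "required" && $3 == "pam_ldap.so.1" { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# pam_audit DIR: run the checks over the login and other files, print one
# line per result and return the number of failed checks (0 means all good).
pam_audit() {
    fails=0
    for svc in login other; do
        if pam_auth_order "$1/$svc"; then
            echo "$svc: auth stack ok"
        else
            echo "$svc: auth stack NOT as expected"; fails=$((fails + 1))
        fi
    done
    if pam_account_ldap "$1/other"; then
        echo "other: account via pam_ldap ok"
    else
        echo "other: account stack missing pam_ldap.so.1"; fails=$((fails + 1))
    fi
    return $fails
}

# Usage: sh pam_audit.sh /etc/pam.d
if [ $# -eq 1 ]; then pam_audit "$1"; fi
```

Run it with the pam.d directory as its only argument; a non-zero exit status is the number of checks that failed, which makes it usable from a configuration check job.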

Automatically create HOME directory on first login

Users should now be able to log in with their Active Directory user and password. But they still don't have a home directory, which is not awesome. Using auto_master to create HOME folders on access helps.

I've copied and modified a script and placed it in /opt/bin/auto_home.sh. The script can be downloaded from GitHub Gist. You also need to modify /etc/auto_master to use the script when someone accesses /home during login.

# Modify or add the following line to /etc/auto_master
/home		/opt/bin/auto_home.sh

A restart of the autofs service is required to make the new script work.

$ svcadm restart autofs
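The gist script itself is not reproduced here. As an added example of what such an executable map can look like (my own version, not the author's script), here is a minimal one that validates the key before it creates anything, since any local process can trigger a lookup under /home. The AUTO_HOME_BASE variable, its /export/home default and the localhost: loopback form of the map entry are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the gist script the page links to: a minimal executable
# autofs map for /home in the spirit of /opt/bin/auto_home.sh. The automounter
# runs an executable map with the looked-up key (the user name) as $1 and uses
# whatever the script prints as the map entry. Any local process can trigger
# a lookup under /home, so the key is validated before it becomes a path and a
# directory is only created for users the system actually knows.
# AUTO_HOME_BASE is an assumption of this example, not a setting from the page.
AUTO_HOME_BASE=${AUTO_HOME_BASE:-/export/home}

# auto_home_entry USER: create the home directory if missing, then print the
# map entry "localhost:<base>/<user>". Prints nothing and returns 1 for an
# invalid or unknown key, so nothing is handed back to the automounter.
auto_home_entry() {
    key=$1
    # Accept only a plain user name: no empty key, no "/" (so "../etc" cannot
    # escape the base directory), no leading dot or dash, no odd characters.
    case $key in
        '' | */* | .* | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # Resolve the user; unknown names must not get a directory.
    uid=$(id -u "$key" 2>/dev/null) || return 1
    dir=$AUTO_HOME_BASE/$key
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" || return 1
        chown "$uid" "$dir" || return 1
        chmod 700 "$dir" || return 1
    fi
    printf 'localhost:%s\n' "$dir"
}

# Called by the automounter with the key as the only argument.
if [ $# -eq 1 ]; then auto_home_entry "$1"; fi
```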

Secure SSH by requiring an LDAP group

Not everybody should be able to SSH into the machine, so protect SSH with a group. Simply modify /etc/ssh/sshd_config and add the AllowGroups option. You can use Active Directory groups, which makes it even easier.

# Modify /etc/ssh/sshd_config and add:
AllowGroups sshadmin
