Solaris 10 install on SunFire v210 server.

Over the past few days I have been installing Solaris 10 on a SunFire V210 1U server. Having used Linux extensively for some time, some of my frustrations with Solaris are detailed below:-

The boot message identifies the os as "SunOS 5.10", this is actually Solaris 10..
The default shell is /bin/sh even though bash is present, bash is SO much more useable, why not use it?
Changing ip address after the initial installation requires editing four different files in differnt places. Why not have a /etc/rc.d/rc.inet1.conf or similar with all these settings in one file.

Installation

The version of Solaris used is 1 DVD of the SPARC edition, downloaded from Sun's website.
After power on, the system will drop to the Open Boot and will require telling what to use for it's boot device.

boot cdrom<cr>

It is cdrom even though the disk is a dvd.
Select the language and the terminal type and continue.
Select the net i/f to configure, on the SunFire we chose bge0.
IPv6 was enabled but unconfigured at this stage, an ipv4 address was specified and the server given a name (ns0 as it is a dns server). I think we should have given the fqdn here as later it had to be added to /etc/hosts.
As this is a stand alone server we selected Unix security rather than kerberos.
Specify a name server to use, one would assume that this would be written to /etc/resolv.conf, but as you will see later, it wasn't.
Specify the domain name.
Specify the timezone, in our case it was Europe/Great Britain, and set the date and time.
Set the root password.

Now the install proper starts. We selected Standard not flash install with no additional products and the entire distribution of Solaris.
Let the installation run on its own. At the end, reboot manually if prompted.

We created a remote user account so that we could disallow all remote root logins and only have root login enabled on the console.
If CONSOLE="" (blank), root is not allowed to log in at all and you will have to log in as a regular user and su to root. This is in /etc/default/login not /etc/securetty as in Linux:-

bash-3.00# cat  /etc/default/login
# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
#
CONSOLE=/dev/console

Create a /var/adm/loginlog to record failed login attempts:-

bash-3.00# touch /var/adm/loginlog
chgrp sys /var/adm/loginlog
chmod g-r /var/adm/loginlog
chmod o-r /var/adm/loginlog

This ensures that only root can read the log.

-bash-3.00# ls -l /var/adm/loginlog
-rw-------   1 root     sys            0 Aug 22 11:49 /var/adm/loginlog

Configuring the ILO controller
The SunFire V210 includes an "Integrated Lights-out" management controller (ALOM), this has an ethernet port on the rear panel marked "NET MGT <...>". From the system console one can gain access to the ILO interface by typing"#." (octothorpe full stop) and to return back to the system from ILO with "console".
From the console:-

-bash-3.00# #.
-bash-3.00# sc-ns0> console
Enter #. to return to ALOM.

-bash-3.00#

Useful ALOM setup & configuration info can be found thus:-

bash-3.00# /usr/platform/SUNW,Sun-Fire-V240/sbin/scadm help
(truncated info)
bash-3.00# /usr/platform/SUNW,Sun-Fire-V240/sbin/scadm show
(truncated info)
bash-3.00# /usr/platform/SUNW,Sun-Fire-V240/sbin/scadm set netsc_ipaddr 10.79.0.101
bash-3.00# /usr/platform/SUNW,Sun-Fire-V240/sbin/scadm set netsc_ipnetmask 255.255.252.0
bash-3.00# /usr/platform/SUNW,Sun-Fire-V240/sbin/scadm set netsc_ipgateway 10.79.0.49

The info for configuring the ILO does not seem to be available on Sun's website, it is only in the "Sun Fire V210 and V240 Server Documentation CD-ROM".
From the ILO console use the setupsc command to run through the initial configuration, setsc to change a specific variable and showsc to view the current settings. To reset all the settings to the factory defaults, use setdefaults.
From Solaris, one can view the ALOM version info with:-

/usr/platform/`uname -i`/sbin/scadm version -v

and to reset the ALOM password for "admin" use:-

/usr/platform/`uname -i`/sbin/scadm userpassword admin

Changing the default shell & prompt
The default shell for all users is /bin/sh, seeing as bash is provided on the system, it seemed sensible to use it as it is so much more user friendly. This is set in /etc/passwd, you will have to be root to alter it, and if you mess up the editing, your system will be unuseable, so take care!

bash-3.00# cat /etc/passwd | grep testuser
testuser:x:100:100::/export/home/testuser:/bin/sh

Change this to :-

testuser:x:100:100::/export/home/testuser:/usr/bin/bash

To make the prompt a bit more informative, create a ~/.profile:-

bash-3.00# cat ~/.profile
PS1="[\u@\h:\w]\$ "
export PS1

To alter this for all subsequently created users, some files in /etc/skel/ will need to be edited. More on this later when I've worked it out!
See the link in the links section below for more information on customizing the bash prompt.

Problems

Running telnetd

Although ssh is a better choice than telnet, we needed telnet initially to set the machine up. Telnetd is usually started from inetd and configured from /etc/inetd.conf, but this has been retired in favour of inetadm, this is part of the SMF (System Management Function) and offers much more control over how services are run and monitored, but at the expense of a more complicated setup.
We found that telnetd was not running, so we typed :-

-bash-3.00# svcs network/telnet
STATE          STIME    FMRI
uninitialized  16:28:51 svc:/network/telnet:default

After more reading on how SMF works we issued:-

-bash-3.00# svcs -x
svc:/network/dns/client:default (DNS resolver)
 State: offline since Fri 02 Sep 2005 10:14:24 BST
Reason: Dependency file://localhost/etc/resolv.conf is absent.
   See: http://sun.com/msg/SMF-8000-E2
   See: resolver(3RESOLV)
Impact: 13 dependent services are not running.  (Use -v for list.)

This gave a clue, /etc/resolv.conf was absent. Why it had not been written during the install, I do not know. After creating a resolv.conf file, the service could be started:-

-bash-3.00# cat /etc/resolv.conf
nameserver 10.90.193.173

-bash-3.00# svcadm enable network/telnet
-bash-3.00# svcs network/telnet
STATE          STIME    FMRI
online         10:26:23 svc:/network/telnet:default

As can be seen, telnetd is now working!

Changing the ip address

Following a change of location after the inital install, it was necessary to change the ipaddress, subnetmask and default gateway to reflect the new location. Slackware Linux is really nice in this respect, /etc/rc.d/rc.inet1.conf has all the settings in one file and this makes address changes easy to do. However Solaris has four files in different places to alter, these are listed below:-
/etc/hosts,
/etc/netmasks,
/etc/hostname.bge0 &
/etc/inet/ipnodes

-bash-3.00# cat /etc/hosts
#
# Internet host table
#
127.0.0.1       localhost
10.64.64.116    ns0 ns0.mycompany.co.uk loghost
10.20.194.143   myworkstation myworkstation.mycompany.co.uk


-bash-3.00# cat etc/defaultrouter
10.64.64.49
-bash-3.00# cat etc/netmasks
#
# The netmasks file associates Internet Protocol (IP) address
# masks with IP network numbers.
#
#       network-number  netmask
#
# The term network-number refers to a number obtained from the Internet Network
# Information Center.
#
# Both the network-number and the netmasks are specified in
# "decimal dot" notation, e.g:
#
#               128.32.0.0 255.255.255.0
#
10.64.64.0      255.255.240.0
-bash-3.00#
-bash-3.00# cat /etc/hostname.bge0
ns0
-bash-3.00# cat /etc/inet/ipnodes
#
# Internet host table
#
::1     localhost
127.0.0.1       localhost
10.64.64.116    ns0     loghost
-bash-3.00#

The location of ipnodes has changed to /etc/inet/ipnodes in Solaris 10, we forgot to alter it, so the ipaddress did not change even after several reboots, as soon as this was changed the ipaddress changed correctly.

Sun Freeware

Sun provides an iso download of GNU freeware, for both Sparc and x86 hardware. Previous version of Solaris did not include bash, version 10 does, so I will not discuss installing. See a version 9 HOWTO. My usual editor is pico which is included in the Pine mail client package. (nano is a more featured version of pico and is available as a package from www.sunfreeware.com, (Currently only for Solaris 9) see below...) Pico can be installed as follows:-
FIXME:
This will install pico into /opt/sfw/bin/pico, to make it useful to users, create a symlink:-

bash-3.00# ln -s /opt/sfw/bin/pico /bin/pico

While you are at it, you could create a symlink for pine also!
Problems:- After logging in through ssh from my Slackware10 machine, on running pico we encountered the following error:-

bash-3.00# pico named.conf
Sorry, I don't know anything about your "linux" terminal.
bash-3.00#

The output of env showed that TERM=linux, a quick TERM=vt100 set the environment correctly and pico could run.
Nano can be installed as follows:-
Download ftp://ftp.sunfreeware.com/pub/freeware/sparc/9/nano-1.2.4-sol9-sparc-local.gz to /var/spool/pkg and ensure the browser has saved it with the gz extension. If not, check it is a .gz file with "file" and mv it to a .gz.
Unzip it with gunzip nano-1.2.4-sol9-sparc-local.gz
Use pkgadd to install it (From the SunFreeWare FAQ... The pkgadd command must be run as root. Do NOT put a ., ./, or the directory name in front of the file name in pkgadd!)
Both pico (& pine) and nano have dependencies, you will have to follow the above procedure to install them as well. They are listed on the www.sunfreeware.com website next to the desired package.

Running Bind 9.3

Solaris 10 ships with BIND 9.3 as the dns server software, it can be started with the following command. This is controlled by the .xml file in /var/svc/manifest/network/dns/server.xml. This file contains the dependencies for the named service to start.

bash-3.00# svcadm enable network/dns/server:default

The status can be observed:-

bash-3.00# svcs -l network/dns/server:default
fmri         svc:/network/dns/server:default
enabled      true
state        online
next_state   none
state_time   Mon Dec 05 11:55:26 2005
logfile      /var/svc/log/network-dns-server:default.log
restarter    svc:/system/svc/restarter:default
contract_id  325
dependency   require_all/none file://localhost/etc/named.conf (online)
dependency   require_all/none svc:/system/filesystem/minimal (online)
dependency   require_any/error svc:/network/loopback (online)
dependency   optional_all/error svc:/milestone/network (online)
bash-3.00#

named.conf lives in /etc/named.conf and the zone files location can be configured to be the usual /var/named/. The directory ownership was changed to root:sys as named runs as root without any changes.
According to the Solaris10 weblog documentation ( here), the upgrade to version 10 automatically runs rndc-confgen -a to generate an /etc/rndc.key file. To use rndc to control the name server, you will have to run rndc-confgen -a manually and then copy the contents of /etc/rndc.key to /etc/named.conf.

[root@ns0:/var/named]$ rndc-confgen -a
[root@ns0:/var/named]$ more /etc/rndc.key
key "rndc-key" {
        algorithm hmac-md5;
        secret "7g2h7UiHLsr9OWERdg22PQ==";
};

[root@ns0:/var/named]$ pico /etc/named.conf
options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};

key "rndc-key" {
        algorithm hmac-md5;
        secret "6d1e1TiAJfx8AWVFcw50EQ==";
};


controls {
      inet 127.0.0.1 port 953
              allow { 127.0.0.1; } keys { "rndc-key"; };
};
.
.
.
rest of file.....

To test your configuration and zone files for syntax, use named-checkconf which will return without any messages for a correct named.conf and named-checkzone to check zone files which returns the results of a test load of the zone and gives output if all is ok. Both give an error message if there is a problem. Also remember to check the logs to ensure that slave zones are being loaded correctly or that the correct allow-transfer statements are present for your secondaries to pull a copy from you.

[root@ns0:/var/named]$ named-checkconf
[root@ns0:/var/named]$ named-checkzone myorg.int myorg.int.hosts
zone myorg.int/IN: loaded serial 2005120801
OK
[root@ns0:/var/named]$

Setting up ntp

Depending on if you want to serve time to other hosts or just act as a client, you need to configure and copy either /etc/inet/ntp.client or /etc/inet/ntp.server to /etc/inet/ntp.conf. Edit the file with lines "server ntp0" & "server ntp1" or just the ip addresses and start the service with svcadm:-

[root@ns0:/etc/inet]$ cp ntp.server ntp.conf
[root@ns0:/etc/inet]$
[root@ns0:/etc/inet]$ svcadm enable ntp
[root@ns0:/etc/inet]$
[root@ns0:/etc/inet]$ svcs -xv ntp
svc:/network/ntp:default (Network Time Protocol (NTP))
 State: online since Thu Dec 08 16:38:39 2005
   See: man -M /usr/share/man -s 1M xntpd
   See: man -M /usr/share/man -s 1M ntpdate
   See: man -M /usr/share/man -s 1M ntpq
   See: /var/svc/log/network-ntp:default.log
Impact: None.
[root@ns0:/etc/inet]$

Links

Hardware

Solaris 10 Install