Tuesday, November 30, 2010

Interoperability between Windows and OpenIndiana shares using ZFS & ACL (and Solaris 11)

What I have always wanted is one location where all my users store their files.
At the moment we have a Windows home filesystem and a Solaris home filesystem, and even though Samba does a good job I have never been very happy with it. ZFS and the NFSv4-style ACLs it implements finally let me achieve Windows and Solaris interoperability.

This has been tested on OpenIndiana oi_147 and Windows Server 2008 running Active Directory.

In this example:
Domain              = test.int
Windows 2008 server = windows     = 192.168.56.3
Solaris Server      = openindiana = 192.168.56.5
Setup Windows Server
-- Windows 2003 would do
-- Windows 2008 needs patches:
-- NTLMv2 authentication problem:
      http://support.microsoft.com/kb/957441/
-- Windows Server 2008 SP1 with Microsoft Kerberos hot fix KB951191,
-- or Windows Server 2008 SP2


Setup Solaris Server
-- Check DNS setup
# cat  /etc/resolv.conf
domain  test.int
nameserver  192.168.56.3
# grep  dns  /etc/nsswitch.conf
hosts:      files dns mdns
ipnodes:    files dns mdns 
-- Check software installed (SMB Server libraries and commands)
% pkg list smb
NAME (PUBLISHER)                              VERSION         STATE      UFOXI
service/file-system/smb                       0.5.11-0.148    installed  -----
system/file-system/smb                        0.5.11-0.148    installed  -----
If not, install it:
$ pfexec pkg install service/file-system/smb
-- Sync clocks on the network (Kerberos rejects tickets when clocks differ by more than 5 minutes, so a time difference of that size causes join and logon problems)
$ pfexec ntpdate DC-host
or
$ pfexec rdate time-host
in our case:
$ pfexec ntpdate windows
--  Set up mapping of users and groups between systems
    Showing the most basic setup:

$ svcs \*idmap\*
STATE          STIME    FMRI
disabled       12:16:59 svc:/system/idmap:default
$ svcadm enable idmap
$ svcs \*idmap\*
STATE          STIME    FMRI
online         12:40:38 svc:/system/idmap:default
$ pfexec idmap add 'winuser:*@test.int' 'unixuser:*'
$ pfexec idmap add 'wingroup:*@test.int' 'unixgroup:*'
$ idmap list
add     winuser:*@test.int    unixuser:*
add     wingroup:*@test.int    unixgroup:*

-- Configure Kerberos: (AD uses Kerberos authentication)
    Edit /etc/krb5/krb5.conf and specify the fully qualified AD domain name, in UPPERCASE, as the default realm. Also specify the fully qualified host name of the domain controller as the kdc, admin_server and kpasswd_server values.

edit  /etc/krb5/krb5.conf to look like:
    [libdefaults]
        default_realm = TEST.INT

    [realms]
        TEST.INT = {
                kdc = windows.test.int
                admin_server = windows.test.int
                kpasswd_server = windows.test.int
                kpasswd_protocol = SET_CHANGE
        }

     [domain_realm]
         .test.int = TEST.INT

-- Start the smb (CIFS) services and check it is running
$ pfexec svcadm enable -r smb/server
$ svcs \*smb\*
STATE          STIME    FMRI
disabled       Nov_08   svc:/network/smb/client:default
online         15:21:01 svc:/network/smb/server:default
online         15:21:03 svc:/network/shares/group:smb
-- Join the AD domain using an account with Domain Administrator access
    If you are using a Windows 2008 domain you will need an extra step (see below).

$ ping windows
windows is alive 
$ pfexec smbadm join -u Administrator test.int
After joining test.int the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Joining test.int ... this may take a minute ...
failed to find any domain controllers for test.int

$ tail /var/adm/messages
...openindiana smbd[1101]: [ID 700049 daemon.error] smbd: failed locating domain controller for test.int
....openindiana smbd[1134]: [ID 702911 daemon.notice] smbd_dc_update: test.int: located windows
....openindiana smbd[1134]: [ID 702911 daemon.notice] Failed to establish NETLOGON credential chain


Set the LAN manager authentication level on your Solaris system. Level 2 makes the SMB service send NTLM rather than NTLMv2 responses, which is the workaround for the Windows 2008 NTLMv2 problem (KB957441) linked above; it is a weaker authentication level, so restore the default once the domain controller has the fix.

$ pfexec sharectl set -p lmauth_level=2 smb
$ pfexec smbadm join -u Administrator test.int
After joining test.int the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Joining test.int ... this may take a minute ...
Successfully joined test.int

Setup Solaris filesystem
As we said, we are after a single file system (share) which works on both operating systems, so that permissions set on one platform work on, and carry over to, the other:

  -- Enable cross-protocol locking (nbmand=on)
      - SMB assumes mandatory locking
      - UNIX uses advisory locking
  -- Mixed-case name handling (casesensitivity=mixed), since Windows clients expect case-insensitive lookups
  -- Enable SMB sharing on the share
$ pfexec zfs  create  -o nbmand=on  -o  casesensitivity=mixed rpool/export/homes

repeat the next 2 commands for each user
$ pfexec zfs create rpool/export/homes/andrew
$ pfexec zfs set  sharesmb=name=andrew  rpool/export/homes/andrew

$ sharemgr show -vp
default nfs=()
smb smb=()
    * /var/smb/cvol     smb=()    ""
          c$=/var/smb/cvol     smb=(abe="false" guestok="false")    "Default Share"
zfs
    zfs/rpool/export/homes/andrew smb=()
      andrew=/export/homes/andrew

$ zfs get  nbmand,casesensitivity,sharesmb  rpool/export/homes/andrew
NAME                      PROPERTY         VALUE        SOURCE
rpool/export/homes/andrew  nbmand           on           inherited from rpool/export/homes
rpool/export/homes/andrew  casesensitivity  mixed        -
rpool/export/homes/andrew  sharesmb         name=andrew  local

$ pfexec chown  andrew:staff  /export/homes/andrew
 -- watch out for which ls / chmod commands you are using: /usr/gnu/bin/ls does not show ACLs, /usr/bin/ls -v and -V do
$ touch file
$ which ls
/usr/gnu/bin/ls
$ ls -la
total 10
drwxr-xr-x   3 andrew   staff          4 Nov 18 18:42 .
drwxr-xr-x   4 root     root           4 Nov 18 18:33 ..
drwxr-x---   2 root     sys            3 Nov 18 18:34 .$EXTEND
-rw-r--r--   1 andrew   staff          0 Nov 18 18:42 file
$ /usr/bin/ls -lv
total 1
-rw-r--r--   1 andrew   staff          0 Nov 18 18:42 file
     0:owner@:read_data/write_data/append_data/read_xattr/write_xattr
         /read_attributes/write_attributes/read_acl/write_acl/write_owner
         /synchronize:allow
     1:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
     2:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
$ /usr/bin/ls -lV
total 1
-rw-r--r--   1 andrew   staff          0 Nov 18 18:42 file
                 owner@:rw-p--aARWcCos:-------:allow
                 group@:r-----a-R-c--s:-------:allow
              everyone@:r-----a-R-c--s:-------:allow


-- Identity Mapping...
    - Unknown Windows identities are mapped to dynamically allocated UIDs/GIDs
    - Unknown Unix identities are not mapped to Windows, so they MUST exist in AD, otherwise the lookups fail like this:

i.e.
idmap[501]: [ID 523480 daemon.notice] AD lookup of winname root@test.int failed, error code -9961
idmap[501]: [ID 523480 daemon.notice] AD lookup of winname sys@test.int failed, error code -9961
idmap[501]: [ID 523480 daemon.notice] AD lookup of winname staff@test.int failed, error code -9961

    - It is a good idea for well-known accounts which may be used in ACLs to have a permanent map to a UNIX group
    i.e. let's bind the UNIX group "winadmin" to the Windows group "Domain Admins":
$ pfexec idmap add "wingroup:Domain Admins@test.int"  unixgroup:winadmin

-- aclinherit property on the filesystem (how new objects inherit ACEs from their parent directory)
   discard - New objects inherit no ACL entries
   noallow - New objects inherit only those inheritable ACL entries whose type is deny
   restricted - New objects inherit the inheritable ACEs, but the write_owner and write_acl permissions are removed from them
   passthrough - New objects inherit the inheritable ACEs (Access Control Entries) unchanged; the object's mode is determined by those ACEs rather than by the mode requested at creation
   passthrough-x - As above, plus files are created with execute (x) set when the requested creation mode includes it
$ pfexec zfs get aclinherit rpool/export/homes
NAME                        PROPERTY    VALUE          SOURCE
rpool/export/homes          aclinherit  restricted     default

$ pfexec zfs set aclinherit=passthrough-x rpool/export/homes
$ zfs get aclinherit  rpool/export/homes/andrew
NAME                      PROPERTY    VALUE          SOURCE
rpool/export/homes/andrew  aclinherit  passthrough-x  inherited from rpool/export/homes


ACL TABLE to be inserted here

What has changed in recent versions
    - deny ACEs are no longer generated in most cases. Exceptions: modes such as 0705 (g-rwx) and 0060 (u-rwx), where a less-privileged class comes before a more-privileged one
    - aclmode has gone, which means that chmod will discard all ACLs
    - user and owner are treated together?


Possible Solution
    - Owner needs the correct permissions
    - Group needs the correct permissions
    - User Andrew

$ /bin/ls -ldv /export/homes/andrew
drwxr-xr-x   3 andrew   staff          3 Nov 30 12:40 /export/homes/andrew
     0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/read_xattr/write_xattr/execute/read_attributes
         /write_attributes/read_acl/write_acl/write_owner/synchronize:allow
     1:group@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow
     2:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow

$ /bin/ls -ldV /export/homes/andrew
drwxr-xr-x   3 andrew   staff          3 Nov 30 12:40 /export/homes/andrew
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
              everyone@:r-x---a-R-c--s:-------:allow

-- So, A0 refers to ACE index 0, A1 to index 1, etc.
-- The following commands replace the ACEs at positions 0, 1 and 2 with new ones
-- The only change is to add the file (f) and directory (d) inheritance flags to the directory's ACEs

pfexec /bin/chmod "A0=owner@:rwxp--aARWcCos:fd:allow" /export/homes/andrew
pfexec /bin/chmod "A1=group@:r-x---a-R-c--s:fd:allow"  /export/homes/andrew
pfexec /bin/chmod "A2=everyone@:r-x---a-R-c--s:fd-----:allow"  /export/homes/andrew

-- To make life easier, do the rest as user andrew with /usr/gnu/bin removed from PATH:
-- Add user andrew (the owner) to the ACL explicitly
-- Add group staff (the group) and the mapped Windows admin group winadmin to the ACL

$ chmod "A+user:andrew:rwxpdDaARWcCos:fd-----:allow" /export/homes/andrew
$ chmod "A+group:staff:r-x---a-R-c--s:fd:allow"  /export/homes/andrew
$ chmod "A+group:winadmin:rwxpdDaARWcCos:fd-----:allow"   /export/homes/andrew

$ ls -ldV /export/homes/andrew
drwxr-xr-x+  3 andrew   staff          3 Nov 30 12:40 /export/homes/andrew
         group:winadmin:rwxpdDaARWcCos:fd-----:allow
            group:staff:r-x---a-R-c--s:fd-----:allow
            user:andrew:rwxpdDaARWcCos:fd-----:allow
                 owner@:rwxp--aARWcCos:fd-----:allow
                 group@:r-x---a-R-c--s:fd-----:allow
              everyone@:r-x---a-R-c--s:fd-----:allow
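The compact form that /usr/bin/ls -V prints (and that the chmod "A+..." commands above take) is just a positional letter code for the verbose names that ls -v shows. The following is an added example, not code from the post: a plain POSIX sh decoder that turns a compact ACE back into the verbose names, plus a small audit that flags allow entries handing write_acl or write_owner to everyone@ or group@, which is the kind of mistake worth catching before a home directory is shared to every mapped Windows identity. It uses no Solaris commands, so it can be run anywhere against a saved ls -V listing; the sample listing at the bottom is constructed from the post's output with one deliberately bad entry added.

```shell
#!/bin/sh
# Decoder and audit for ZFS/NFSv4 ACEs in compact form, e.g.
# "owner@:rwxp--aARWcCos:fd-----:allow". Added example, not from the post.

# Permission letters in the order chmod(1) prints them, with the verbose
# names ls -v uses for the same bits (file names; a directory shows
# list_directory/add_file/add_subdirectory for r/w/p).
PERM_LETTERS="r w x p d D a A R W c C o s"
PERM_NAMES="read_data write_data execute append_data delete delete_child read_attributes write_attributes read_xattr write_xattr read_acl write_acl write_owner synchronize"
FLAG_LETTERS="f d i n S F I"
FLAG_NAMES="file_inherit dir_inherit inherit_only no_propagate successful_access failed_access inherited"

# decode_field "LETTERS" "NAMES" FIELD -> slash-separated verbose names.
# Matches by letter, so both the positional form ("r-x---a-R-c--s") and the
# short form chmod accepts ("fd") decode; any letter outside the alphabet fails.
decode_field() {
    letters=$1
    names=$2
    field=$3
    out=""
    leftover=$(printf '%s' "$field" | tr -d "$(printf '%s' "$letters" | tr -d ' ')-")
    if [ -n "$leftover" ]; then
        echo "decode_field: unknown letter(s) '$leftover' in '$field'" >&2
        return 1
    fi
    set -- $names
    for l in $letters; do
        case "$field" in
            *"$l"*) out="${out:+$out/}$1" ;;
        esac
        shift
    done
    printf '%s\n' "$out"
}

# decode_ace ACE -> "who:perms:flags:type" with verbose names (flags may be empty).
decode_ace() {
    ace=$1
    case "$ace" in
        user:*|group:*)               # named principal: who is "user:name"
            who=$(printf '%s' "$ace" | cut -d: -f1-2)
            rest=$(printf '%s' "$ace" | cut -d: -f3-) ;;
        *)                            # owner@, group@ or everyone@
            who=$(printf '%s' "$ace" | cut -d: -f1)
            rest=$(printf '%s' "$ace" | cut -d: -f2-) ;;
    esac
    perms=$(printf '%s' "$rest" | cut -d: -f1)
    case "$rest" in
        *:*:*)  flags=$(printf '%s' "$rest" | cut -d: -f2)
                type=$(printf '%s' "$rest" | cut -d: -f3) ;;
        *)      flags="-------"       # chmod lets the flags field be omitted
                type=$(printf '%s' "$rest" | cut -d: -f2) ;;
    esac
    vperms=$(decode_field "$PERM_LETTERS" "$PERM_NAMES" "$perms") || return 1
    vflags=$(decode_field "$FLAG_LETTERS" "$FLAG_NAMES" "$flags") || return 1
    printf '%s:%s:%s:%s\n' "$who" "$vperms" "$vflags" "$type"
}

# audit_acl reads compact ACE lines on stdin, warns (on stderr) about every
# allow entry that gives write_acl or write_owner to everyone@ or group@, and
# prints the number of such entries on stdout.
audit_acl() {
    n=0
    while read -r ace; do
        [ -z "$ace" ] && continue
        decoded=$(decode_ace "$ace") || return 255
        who=${decoded%%:*}
        case "$decoded" in *:allow) ;; *) continue ;; esac
        case "$who" in
            everyone@|group@)
                case "$decoded" in
                    *write_acl*|*write_owner*)
                        echo "WARNING: $who may change ACL or owner: $ace" >&2
                        n=$((n + 1)) ;;
                esac ;;
        esac
    done
    printf '%s\n' "$n"
}

# Constructed sample: the home directory ACL from the post, with the
# everyone@ entry deliberately widened to show what the audit catches.
SAMPLE_ACL='group:winadmin:rwxpdDaARWcCos:fd-----:allow
group:staff:r-x---a-R-c--s:fd-----:allow
user:andrew:rwxpdDaARWcCos:fd-----:allow
owner@:rwxp--aARWcCos:fd-----:allow
group@:r-x---a-R-c--s:fd-----:allow
everyone@:rwxpdDaARWcCos:fd-----:allow'

# Usage: decode every entry of the sample listing, then audit it.
printf '%s\n' "$SAMPLE_ACL" | while read -r ace; do decode_ace "$ace"; done
printf '%s\n' "$SAMPLE_ACL" | audit_acl
```

On a real host, pipe the ACE lines of `/usr/bin/ls -ldV /export/homes/andrew` (everything after the first line) into audit_acl; a non-zero count means some entry lets a non-owner rewrite the ACL or take ownership, which ZFS would then also hand down to new files through the fd inheritance flags.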

Hope it works....

Ref:
- Jarod Nash (LOSUG slides)
- http://wiki.genunix.org/wiki/index.php/CIFS_Service_Troubleshooting
- http://arc.opensolaris.org/caselog/PSARC/2010/029/20100126_mark.shellenbaum

Friday, October 29, 2010

Goodbye OpenSolaris/SXCE! Hello OpenIndiana

Finally did it. I have been running Solaris Express Community Edition (SXCE, the last release was 129) on my work desktop for a few years now and was planning to upgrade to OpenSolaris, but since we all know what happened there I went one better ;-)

  1. Downloaded iso from http://openindiana.org/download and burnt it to a DVD

  2. Booted my Sun Ultra 24 off the DVD:
    • OK! I put in a new disk in the box just to be safe

  3. Installed the software.
    • I did have a couple of devices not found, which is strange since it is a Sun box:
      Intel : 82X38/X48 Express MEI Controller
      Intel : 82801I (ICH9 Family) Thermal Subsystem


  4. First fix the root problem
    • open a Terminal
    • execute "su" and give the password you chose for your account at installation time
    • you will be informed that root's password has expired and prompted to change it
    • once changed you can exit the su session

  5. If you wish, change the default user to have the Primary Administrator profile
    • System => Administration => Users and Groups
    • Enter Root password
    • Select Default User and select Properties
    • Select User profiles tab and find and select Primary Administrator

  6. Install some extra software (Office, and medialib for Flash to work)
    • # pfexec pkg refresh
      # pfexec pkg install office
      # pfexec pkg install library/medialib
  7. Download and install Adobe Flash Player : Adobe Flash Player 10.1 x86
    • # bzip2 -dc flash_player_10_solaris_x86.tar.bz2| tar xf -
      # pfexec cp flash_player_10_solaris_r22_87_x86/libflashplayer.so /usr/lib/firefox/plugins
      # pfexec chown root:bin /usr/lib/firefox/plugins/libflashplayer.so
    • Download and install Adobe Reader
    • Adobe Reader 9.2 x86
    • # chmod +x ./AdbeRdr9.4-1_i486solaris_enu.bin
      Extracting files, please wait. (This may take a while depending on the configuration of your machine)
      This installation requires 172 MB of free disk space.
      Enter installation directory for Adobe Reader 9.4 [/opt]
      Installing platform independent files ... Done
      Installing platform dependent files ... Done
      Setting up libraries ... Done
      Setting up desktop and menu icons ... Done
      Setting up the browser plugin ... Done
  8. Download and install Virtual Box

Monday, April 26, 2010

Complete local copy (mirror) of pkg.opensolaris.org

As you are aware, with every official release of OpenSolaris comes a full download of all the IPS packages (7GB), but what happens if you want to work on the pkg.opensolaris.org/dev releases and you want a local mirror? I found a blog which does it; I have modified it slightly since I think it had a couple of errors.

1. Create a dataset to store the packages. I have been told a complete mirror will be around 65GB, but I am using a cut-down version.
$ pfexec zfs create -o atime=off rpool/export/pkg
2. Create repository
$ pfexec pkgsend -s file:///export/pkg create-repository --set-property publisher.prefix=opensolaris.org
3. Obtain the list of packages you want. In this case everything currently installed and the release (134) I am interested in.
$ cd /export/pkg
$ pfexec pkg list -Hva | egrep '134:|install' > /tmp/pkglist.txt
$ head -1 /tmp/pkglist.txt
pkg://opensolaris.org/SUNWcs@0.5.11,5.11-0.134:20100302T005446Z

$ pfexec cat /tmp/pkglist.txt | sed 's/pkg:\/\/opensolaris\.org\///' \
       | cut -f 1 -d ' ' > /tmp/packages.txt
$ head -1 /tmp/packages.txt
SUNWcs@0.5.11,5.11-0.134:20100302T005446Z

4. Now download each IPS package and place it into the local repository.
$ for i in $(cat /tmp/packages.txt); 
do 
pfexec pkgrecv -s http://pkg.opensolaris.org/dev -d file:///export/pkg "$i"
done
5. You can test it to see all is there (http://localhost:80)

$ pfexec /usr/lib/pkg.depotd -d /export/pkg -p 80

6. To make sure the repository is always available.

$ pfexec svccfg -s application/pkg/server setprop pkg/inst_root=/export/pkg
$ pfexec svcadm refresh pkg/server
$ pfexec svcadm enable pkg/server

London OpenSolaris User Group (LOSUG) - Finally did a talk

Autoinstaller: Past & Present

I gave a talk at the LOSUG meeting on Autoinstaller in OpenSolaris 2009.06 and what is new in 2010.03. The talk covers and demonstrates how to use Autoinstaller to install OpenSolaris to your own personal specification, including Autoinstaller manifests, a pkg repository, and creating an IPS package and SMF service.

Thursday, January 21, 2010

Step-by-Step guide to Install OpenSolaris with Automated Installer (2009.06)

If you want to install OpenSolaris on to many computers then you will need to use Automated Installer (AI), which allows you to remotely install the operating system hands free. This article is the first of a few examples which will show you how to do this.

To demonstrate the whole procedure of using AI to build and install OpenSolaris, local packages and finish scripts, I am going to do this in a closed environment without a network. It is a complete OpenSolaris Automated Install (AI) example. All you will need is a computer (a good specification desktop or laptop) where we will install OpenSolaris and use VirtualBox as the AI install client. You will not require a network for any of this after you have downloaded all the software requirements.
  1. Install OpenSolaris
  2. Download all the relevant software and save it on your system
  3. Install VirtualBox
  4. Setup server for static IP address
  5. Reboot
  6. Create an OpenSolaris VirtualBox client
  7. Set up Automated Install server
  8. Give it a test
  9. Create new AI Manifests
  10. Create local repository to replace pkg.opensolaris.org
  11. Check repository
  12. You can now do your first auto install by booting VirtualBox client
  13. Setup local Repository for your Packages
  14. Create a test package
  15. Create the "jumpstart finish script" package
  16. FINISHpkg package information
  17. Add package to our local repository
  18. Need to alter AI Manifests
  19. Moment of truth..
1. Install OpenSolaris
2. Download all the relevant software and save it on your system
$ pfexec pkg install SUNWinstalladm-tools
$ pfexec mkdir /export/aiserver  /export/aiimages
$ ls -1 /export/aiimages
osol-0906-ai-x86.iso
osol-0906-x86.iso
osol-repo-0906-full.iso
VirtualBox-3.1.2-56127-SunOS.tar.gz

3. Install VirtualBox
$ cd /export/aiimages
$ pfexec gzip -dc VirtualBox-3.1.2-56127-SunOS.tar.gz | tar xf -
$ pfexec pkgadd -d VirtualBox-3.1.2-SunOS-r56127.pkg

4. Setup server for static IP address
$  ifconfig -a
e1000g0: flags=......
vboxnet0: flags=.....   inet 192.168.56.1 netmask ffffff00 broadcast 192.168.56.255
  • Disable auto magic network
$ pfexec svcadm disable network/physical:nwam
  • Edit the following /etc/hosts (hostname which I used was opensolaris)
  • Before
# Internet host table
#
::1  opensolaris opensolaris.local  localhost   loghost
127.0.0.1   opensolaris  opensolaris.local  localhost  loghost
  • After
# Internet host table
#
::1   loghost
127.0.0.1  localhost
192.168.56.1  opensolaris  opensolaris.local    loghost
  • And start up the network service
$ pfexec svcadm enable network/physical:default

5. Reboot (Just to make sure all is working)
  • If you want a network then you can activate it (my interface is e1000g0)
  • $ pfexec  ifconfig e1000g0 plumb
    $ pfexec  ifconfig e1000g0 dhcp
    $ pfexec  cp  /etc/nsswitch.dns  /etc/nsswitch.conf
6. Create an OpenSolaris VirtualBox client
  • Ref: PXE booting with NAT , PXE Booting in VirtualBox
  • Start VirtualBox and create an OpenSolaris guest.
  • I will call it ai_client and save virtual disk in default location
  • Minimum disk size is 13GB
  • Set up network boot ai_client-> Settings -> System -> Motherboard (tab) -> Boot Order: (Select) Network
  • Move Network to the top of the list
  • You don't need to do the above, but make sure when you start the client you press F12 for boot menu then select (l) LAN
  • Set up the PXE, TFTP boot
$ mkdir $HOME/.VirtualBox/TFTP
  • Start the ai_client guest and with any luck you will see the PXE software message, but it will fail since you have no tftp file to load
  • Now we are going to inform the VirtualBox client where to look for the boot server (note my machine is using the e1000 network interface)
$ VBoxManage setextradata "ai_client" "VBoxInternal/Devices/e1000/0/LUN#0/Config/NextServer" 192.168.56.1
$ VBoxManage getextradata "ai_client" enumerate
VirtualBox Command Line Management Interface Version 3.1.2
(C) 2005-2009 Sun Microsystems, Inc.
All rights reserved.

Key: GUI/AutoresizeGuest, Value: on
Key: GUI/Fullscreen, Value: off
Key: GUI/InfoDlgState, Value: 400,450,normal
Key: GUI/LastCloseAction, Value: powerOff
Key: GUI/LastWindowPostion, Value: 430,184,720,474
Key: GUI/MiniToolBarAlignment, Value: bottom
Key: GUI/MiniToolBarAutoHide, Value: on
Key: GUI/SaveMountedAtRuntime, Value: yes
Key: GUI/Seamless, Value: off
Key: GUI/ShowMiniToolBar, Value: yes
Key: VBoxInternal/Devices/e1000/0/LUN#0/Config/NextServer, Value: 192.168.56.1

7. Set up Automated Install server
$ pfexec installadm create-service -n 0906x86 -s /export/aiimages/osol-0906-ai-x86.iso  /export/aiserver/osol-0906-ai-x86
Setting up the target image at /export/aiserver/osol-0906-ai-x86 ...
Registering the service 0906x86._OSInstall._tcp.local

Detected that DHCP is not set up on this server.
If not already configured, please create a DHCP macro
named dhcp_macro_0906x86 with:
Boot server IP (BootSrvA) : 192.168.56.1
Boot file      (BootFile) : 0906x86
GRUB Menu      (GrubMenu) : menu.lst.0906x86
If you are running Sun's DHCP server, use the following
command to add the DHCP macro, dhcp_macro_0906x86:
/usr/sbin/dhtadm -g -A -m dhcp_macro_0906x86 -d :BootSrvA=192.168.56.1:BootFile=0906x86:GrubMenu=menu.lst.0906x86:

Additionally, if the site specific symbol GrubMenu
is not present, please add it as follows:
/usr/sbin/dhtadm -g -A -s GrubMenu -d Site,150,ASCII,1,0

Note: Be sure to assign client IP address(es) if needed
(e.g., if running Sun's DHCP server, run pntadm(1M)).
adding tftp to /etc/inetd.conf
Converting /etc/inetd.conf
copying boot file to /tftpboot/pxegrub.I86PC.OpenSolaris-1
Service discovery fallback mechanism set up
  • This will start a new service called install/server and populate /export/aiserver/osol-0906-ai-x86 and /tftpboot
  • When VirtualBox Client boots via PXE it will want to download specific file names off this tftpboot server, depending on the name of the VirtualBox client. We will create them manually
  • Before you ask! I am not using installadm install-client since it does not take a hostname
$ cd /tftpboot
$ ls -l
lrwxrwxrwx   1 root     root          27 Aug 28 10:50 0906x86 -> pxegrub.I86PC.OpenSolaris-1
drwxr-xr-x   6 root     sys            9 May 18  2009 I86PC.OpenSolaris-1
-rw-r--r--   1 root     root         325 Aug 28 10:50 menu.lst.0906x86
-rwxr-xr-x   2 root     root      139024 Aug 28 10:50 pxegrub.I86PC.OpenSolaris-1
-rw-r--r--   1 root     root         130 Aug 28 10:50 rm.0906x86

$ pfexec ln -s pxegrub.I86PC.OpenSolaris-1  ai_client.pxe
$ pfexec ln -s menu.lst.0906x86 menu.lst.ai_client.pxe

8. Give it a quick test
  • Try rebooting your client to see if it boots. We are not finished yet, but the VirtualBox Client should load the basic kernel. It will fail!

9. Create new AI Manifests
  • Ref: Administer the Manifest Files
  • Going to use the default Manifest but with a couple of modifications:
  • First point at our local copy of pkg.opensolaris.org repository which will be created next
  • Secondly - which we will leave for a little later - to add our own repository for our software
$ cd /export/aiserver/osol-0906-ai-x86/auto_install
$ pfexec cp default.xml  aibuild.xml
  • Edit aibuild.xml and replace
<main url="http://pkg.opensolaris.org/release" authname="opensolaris.org"/>
  • with
<main url="http://192.168.56.1" authname="opensolaris.org"/>
  • Then we need to process this manifest
$ pfexec /usr/sbin/installadm add -m aibuild.xml -n 0906x86

10. Create local repository to replace pkg.opensolaris.org
$ pfexec zfs create -o compression=on -o atime=off rpool/export/pkg
$ pfexec lofiadm -a /export/aiimages/osol-repo-0906-full.iso
/dev/lofi/1
$ pfexec mount -F hsfs /dev/lofi/1 /mnt
$ pfexec rsync -aP /mnt/repo /export/pkg
...wait....
  • Edit your repo settings
pfexec vi /export/pkg/repo/cfg_cache
  • replace
origins = http://pkg.opensolaris.org/release
  • with
origins = http://192.168.56.1
  • Configure and start the pkg-server
$ pfexec svccfg import /var/svc/manifest/application/pkg-server.xml
$ pfexec svccfg -s application/pkg/server setprop pkg/inst_root=/export/pkg/repo
$ pfexec svccfg -s application/pkg/server setprop pkg/readonly=true
$ pfexec svcadm refresh pkg/server
$ pfexec svcadm enable pkg/server

11. Check repository
  • Open the URL in your browser http://localhost and you should see all the packages

12. You can now do your first auto install by booting the VirtualBox client
  • After some time you should get a working OpenSolaris system in your VirtualBox client, but this is just a standard build
  • Now we want to add our packages and run a finished script to do some systems changes on first boot. At Last!!

13. Setup local Repository for your Packages
  • Ref: Creating Repositories and Setting Up a Mirror Repository
  • Before we create our own packages you need a local repository
  • Default location is "/var/pkg/repo" since using the existing configuration files. Not sure what needs to exist to use a new location!
$ pfexec svccfg -s pkg/server
svc:/application/pkg/server> add local
svc:/application/pkg/server> select local
svc:/application/pkg/server:local> addpg pkg application
svc:/application/pkg/server:local> addpg start method
svc:/application/pkg/server:local> setprop start/exec= astring: "/usr/lib/pkg.depotd -p %{pkg/port} -d %{pkg/inst_root} -t %{pkg/socket_timeout} -s %{pkg/threads} --log-access=%{pkg/log_access} --log-errors=%{pkg/log_errors}"
svc:/application/pkg/server:local> setprop pkg/inst_root = astring: "/var/pkg/repo"
svc:/application/pkg/server:local> setprop pkg/threads = count: 50
svc:/application/pkg/server:local> setprop pkg/port = count: 9000
svc:/application/pkg/server:local> exit
$ pfexec svcadm refresh pkg/server:local
$ pfexec svcadm enable pkg/server:local
$ svcs pkg/server
STATE          STIME    FMRI
online         12:45:40 svc:/application/pkg/server:local
online         12:44:12 svc:/application/pkg/server:default
  • Any errors can be located in the log file
$ svcs -l pkg/server:local
fmri         svc:/application/pkg/server:local
name         image packaging repository
enabled      true
state        online
next_state   none
state_time   22 January 2010 13:02:15 GMT
logfile      /var/svc/log/application-pkg-server:local.log
restarter    svc:/system/svc/restarter:default
contract_id  120
dependency   require_all/none svc:/system/filesystem/local (online)
dependency   optional_all/none svc:/system/filesystem/autofs (online)
dependency   optional_all/none svc:/network/ntp (disabled)
dependency   require_all/none svc:/milestone/network (online)
  • You can check all is well via the URL http://localhost:9000

14. Create a test package

$ cd /export
# pfexec bash
# mkdir pkgs
# cd pkgs
# mkdir -p opt/local
# echo "Hello" > opt/local/Hello.txt
# chmod 0600 opt/local/Hello.txt
# chmod 0755 opt  opt/local
# chown root:bin opt opt/local opt/local/Hello.txt
# cat > hellopkg.ips
set name=pkg.name            value="Hello"
set name=pkg.description     value="Hello Program"
dir mode=0755 owner=root group=bin path=/opt
dir mode=0755 owner=root group=bin path=/opt/local
file opt/local/Hello.txt mode=0600 owner=root group=bin path=/opt/local/Hello.txt
^D
# eval `pkgsend -s http://localhost:9000 open hellopkg@1.0-0`
# pfexec pkgsend -s http://localhost:9000 include hellopkg.ips
# pkgsend -s http://localhost:9000 close
  • You can then see the package at URL http://localhost:9000
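A hand-written manifest like hellopkg.ips above (and the larger FINISHpkg.ips later, which delivers files under /etc and /var) is easy to get subtly wrong: a file whose parent directory is never delivered as a dir action, or a mode that leaves a system file group- or world-writable or setuid. The following is an added example, not part of the post or of the pkg(5) tools: a POSIX sh and awk linter for the "set"/"dir"/"file" action lines used here, which checks those three things and pkg.name, prints one ERROR line per finding and returns the number of findings. The two manifests embedded in it are constructed samples (the first is the post's hellopkg manifest, the second is deliberately broken).

```shell
#!/bin/sh
# Lint an IPS "pkgsend include" manifest. Added example, not from the post.
# Reads the manifest on stdin, prints ERROR lines, returns the finding count.
lint_ips_manifest() {
    awk '
    # strip leading slashes so "path=/opt" and "path=opt" compare equal
    function norm(p) { sub(/^\/+/, "", p); return p }
    # parent("opt/local/x") -> "opt/local"; top-level entries have no parent
    function parent(p,   n) { n = p; if (!sub(/\/[^\/]*$/, "", n)) n = ""; return n }
    # attr(line, "mode") -> value of the key=value pair, or ""
    function attr(line, key) {
        if (match(line, "(^| )" key "=[^ ]+")) {
            s = substr(line, RSTART, RLENGTH); sub(/^ /, "", s); sub("^" key "=", "", s)
            return s
        }
        return ""
    }
    function bad(msg) { print "ERROR: " msg; problems++ }
    $1 == "set" && attr($0, "name") == "pkg.name" { have_name = 1 }
    $1 == "dir" || $1 == "file" {
        p = norm(attr($0, "path")); m = attr($0, "mode")
        if (p == "" || m == "") { bad("action without path/mode: " $0); next }
        n++; path[n] = p; mode[n] = m
        if ($1 == "dir") isdir[p] = 1
    }
    END {
        if (!have_name) bad("no pkg.name set action")
        for (i = 1; i <= n; i++) {
            p = path[i]; m = mode[i]; par = parent(p)
            if (par != "" && !(par in isdir))
                bad("parent directory " par " of " p " is not delivered as a dir action")
            # octal mode: last two digits are group and other; write bit is 2
            g = substr(m, length(m) - 1, 1) + 0; o = substr(m, length(m), 1) + 0
            if (int(g / 2) % 2 == 1 || int(o / 2) % 2 == 1)
                bad(p " is group- or world-writable (mode " m ")")
            # a leading digit of 2 or more in a 4-digit mode is setgid/setuid
            if (length(m) == 4 && substr(m, 1, 1) + 0 >= 2)
                bad(p " has setuid/setgid bit (mode " m ")")
        }
        exit problems
    }'
}

# Constructed sample 1: the hellopkg manifest from the post (expected clean).
HELLO_MANIFEST='set name=pkg.name            value="Hello"
set name=pkg.description     value="Hello Program"
dir mode=0755 owner=root group=bin path=/opt
dir mode=0755 owner=root group=bin path=/opt/local
file opt/local/Hello.txt mode=0600 owner=root group=bin path=/opt/local/Hello.txt'

# Constructed sample 2: two undeclared parent directories, one world-writable
# file and one setuid file (expected: 4 findings).
BAD_MANIFEST='set name=pkg.name value="BadExample"
dir mode=0755 owner=root group=bin path=/opt
file opt/local/run mode=0777 owner=root group=bin path=/opt/local/run
file opt/bin/tool mode=4755 owner=root group=bin path=/opt/bin/tool'

# Usage: lint both samples and report the counts.
printf '%s\n' "$HELLO_MANIFEST" | lint_ips_manifest; echo "hellopkg findings: $?"
printf '%s\n' "$BAD_MANIFEST" | lint_ips_manifest; echo "bad manifest findings: $?"
```

Run it as `lint_ips_manifest < FINISHpkg.ips` before the pkgsend include step; because the FINISHpkg package overwrites files such as /etc/nsswitch.conf and /etc/hosts.equiv on every installed machine, a wrong mode there is replicated to the whole fleet.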

15. Create the "jumpstart finish script" package

  • Now we are going to build a package which will do the job of the old Solaris Jumpstart finish script.
  • The package will be installed at build time.
  • The package will contain files which will set up any personal settings.
  • The package may overwrite existing files.
  • The package will contain a SMF service which will be executed at first boot to alter the machine at run time

16. FINISHpkg package information

  • Here is an example list of files you can have in such a package; these files would allow for LDAP setup, automount setup, network setup, etc.
  • The way to create these files is to install OpenSolaris on a machine, set it up manually the way you want it, and transfer those files into this package.
/lib/svc/method/ai-finish
/etc/nsswitch.conf
/etc/auto_master
/etc/auto_direct
/etc/hosts.allow
/etc/hosts.equiv
/etc/X11/gdm/custom.conf
/etc/defaultdomain
/etc/mail/sendmail.cf
/etc/mail/cf/cf/dcs.mc
/etc/hosts.deny
/etc/resolv.conf
/etc/auto_local
/var/ldap/ldap_client_file
/var/ldap/ldap_client_cred
/var/svc/manifest/system/ai-finish.xml
/var/svc/profile/site.xml
  • In this example I will look at a subset of the above
/etc/X11/gdm/custom.conf
/var/svc/profile/site.xml
/lib/svc/method/ai-finish
/var/svc/manifest/system/ai-finish.xml
  • /etc/X11/gdm/custom.conf - so that we add the Reboot to the Login Window.
  • Staying as root
# cd /export/pkgs
# mkdir FINISHpkg
# cd FINISHpkg
# find /etc/X11/gdm/custom.conf -print | cpio -pdm .
  • Altered file (/export/pkgs/FINISHpkg/etc/X11/gdm/custom.conf) to set the following options:
[daemon]
RBACSystemCommandKeys=

[security]
SupportAutomount=true

[greeter]
SystemMenu=true
  • Add a site.xml file which is used to modify default services on boot.
# cd /export/pkgs/FINISHpkg
# mkdir -p var/svc/profile
# cat /export/pkgs/FINISHpkg/var/svc/profile/site.xml
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type="profile" name="default">

   <!-- lets switch off sendmail -->
   <service name='network/smtp' version='1' type='service'>
      <instance name='sendmail' enabled='false'/>
   </service>

   <!-- Lets Start a service -->
   <service name='network/ftp' version='1' type='service'>
       <instance name='default' enabled='true'/>
   </service>
</service_bundle>
# cd /export/pkgs/FINISHpkg
# mkdir -p var/svc/manifest/system lib/svc/method
# cat /export/pkgs/FINISHpkg/var/svc/manifest/system/ai-finish.xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
 Created by Andrew Watkins 22nd Jan 2010
 References:
    /var/svc/manifest/network
    http://opensolaris.org/os/community/smf
    http://www.sun.com/bigadmin
-->

<service_bundle type='manifest' name='ai-finish'>
<service
    name='system/ai-finish' type='service' version='1'>

    <property_group name='startd' type='framework'>
            <propval name='duration' type='astring' value='transient' />
    </property_group>

    <instance name='install' enabled='true'>
        <dependency name='filesystem-local'
                grouping='require_all'
                restart_on='none'
                type='service'>
                <service_fmri value='svc:/system/filesystem/local:default' />
        </dependency>

        <!--
            We want the ai-finish service to complete before
            user action begins.
        -->
        <dependent
                name='ai-finish_multi-user'
                grouping='optional_all'
                restart_on='none'>
                <service_fmri
                        value='svc:/milestone/multi-user' />
        </dependent>
        <exec_method
                type='method'
                name='start'
                exec='/lib/svc/method/ai-finish %i'
                timeout_seconds='0' />

        <exec_method
                type='method'
                name='stop'
                exec=':true'
                timeout_seconds='0' />
    </instance>
    <stability value='Unstable' />

    <template>
        <common_name>
                <loctext xml:lang='C'>
                ai-finish
                </loctext>
        </common_name>
        <description>
                <loctext xml:lang='C'>
                        AI finish script
                </loctext>
        </description>
    </template>
</service>

</service_bundle>

# cat /export/pkgs/FINISHpkg/lib/svc/method/ai-finish 

#!/bin/sh -x

. /lib/svc/share/smf_include.sh

LC_ALL=C; export LC_ALL

RM=/usr/bin/rm
SED=/usr/bin/sed
MYHOST=`/usr/bin/hostname`
REBOOT="no"

RETVAL=$SMF_EXIT_OK

install() {
    # Disable nwam & enable dhcp
    # In our network we need this since we use Microsoft DNS/DHCP and nwam does not configure dhcp correctly to pass the nodename to the DHCP server
    # Not sure what will happen in a VirtualBox client but again it shows what can be done
    if [ -s "/etc/nwam/llp" ]; then
        # If nwam has found an interface it will populate the above file so we will use it
        echo "disable nwam"
        svcadm disable svc:/network/physical:nwam
        INTERFACE=`awk ' { print $1 } ' /etc/nwam/llp`
        echo "Found interface: $INTERFACE"
        if [ -n "$INTERFACE" ]; then
           REBOOT="yes"
           echo "inet $MYHOST" > /etc/hostname.$INTERFACE
           # Keep the shipped dhcpagent file as .orig and rewrite from that copy.
           # This runs as root at first boot, so do not stage the file through
           # the world-writable /tmp.
           cp -p /etc/default/dhcpagent /etc/default/dhcpagent.orig
           $SED -e "s/^#.*CLIENT_ID=/CLIENT_ID=$MYHOST/" \
                -e 's/^#.*REQUEST_HOSTNAME=no/REQUEST_HOSTNAME=yes/' \
                /etc/default/dhcpagent.orig > /etc/default/dhcpagent
           touch /etc/dhcp.$INTERFACE

           echo "Starting network/physical:default"
           svcadm enable svc:/network/physical:default

           # reset name_service to ldap to always use ldap
           # In our example this will not run
           if [ -h /var/svc/profile/name_service.xml -a -f  /var/svc/profile/ns_ldap.xml -a -f /var/ldap/ldap_client_file ]; then
              $RM /var/svc/profile/name_service.xml
              ln -s /var/svc/profile/ns_ldap.xml /var/svc/profile/name_service.xml
           fi
        fi
    fi
}

case "$1" in
'install')
    # Run it and remember its result
    install
    RETVAL=$?

    # Disable this service so that it doesn't run again.
    /usr/sbin/svcadm disable system/ai-finish

    if [ "$REBOOT" = "yes" ]; then
       echo "Rebooting"
       ( sleep 30; init 6 ) &
    fi
    echo "Finished"
    # Report the result of install(), not of the echo above
    if [ $RETVAL -ne 0 ] ; then
        exit $SMF_EXIT_ERR_CONFIG
    fi
    ;;

*)
    echo "Usage: $0 { install }"
    exit $SMF_EXIT_ERR_CONFIG
    ;;
esac

exit $SMF_EXIT_OK
  • I have not added many comments here, but I hope there is enough information to help you
  • Create the manifest for this package
# cd /export/pkgs/FINISHpkg
# cat > /export/pkgs/FINISHpkg/FINISHpkg.ips
set name=pkg.name            value="FINISHpkg"
set name=pkg.description     value="set up the machine the way we want it"
dir  mode=0755 owner=root group=root path=/etc
dir  mode=0755 owner=root group=root path=/etc/X11
dir  mode=0755 owner=root group=root path=/etc/X11/gdm
dir  mode=0755 owner=root group=sys path=/var
dir  mode=0755 owner=root group=sys path=/var/svc
dir  mode=0755 owner=root group=sys path=/var/svc/manifest
dir  mode=0755 owner=root group=sys path=/var/svc/profile
file etc/X11/gdm/custom.conf mode=0644 owner=root group=root path=/etc/X11/gdm/custom.conf
file var/svc/profile/site.xml mode=0644 owner=root group=root path=/var/svc/profile/site.xml
file lib/svc/method/ai-finish mode=0754 owner=root group=bin path=/lib/svc/method/ai-finish
file var/svc/manifest/system/ai-finish.xml mode=0644 owner=root group=sys path=/var/svc/manifest/system/ai-finish.xml
^D

17. Add the package to our local repository

# eval `pkgsend -s http://localhost:9000 open FINISHpkg@1.0-0`
# pkgsend -s http://localhost:9000 include FINISHpkg.ips
# pkgsend -s http://localhost:9000 close
  • Check it appears in the repository

18. Need to alter the AI manifests

  • Here are 2 new manifest files to replace the earlier ones
  • I have highlighted the changes
# cd /export/aiserver/osol-0906-ai-x86/auto_install
# cat aibuild.xml
<!--
CDDL HEADER START

The contents of this file are subject to the terms of the
Common Development and Distribution License (the "License").
You may not use this file except in compliance with the License.

You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
or http://www.opensolaris.org/os/licensing.
See the License for the specific language governing permissions
and limitations under the License.

When distributing Covered Code, include this CDDL HEADER in each
file and include the License file at usr/src/OPENSOLARIS.LICENSE.
If applicable, add the following below this CDDL HEADER, with the
fields enclosed by brackets "[]" replaced with your own identifying
information: Portions Copyright [yyyy] [name of copyright owner]

CDDL HEADER END

Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
-->

<ai_criteria_manifest>
<ai_embedded_manifest>
<ai_manifest name="default">
  <ai_pkg_repo_default_authority>
      <main url="http://192.168.56.1" authname="opensolaris.org"/>
      <mirror url=""/>
</ai_pkg_repo_default_authority>
  <ai_pkg_repo_addl_authority>
      <main url="http://192.168.56.1:9000" authname="local"/>
  </ai_pkg_repo_addl_authority>
<!--
By default the latest build available, in the specified IPS
repository, is installed.
If another build is required, the build number has
to be appended to the 'entire' package in following
form:

<pkg name="entire@0.5.11-0.build#"/>
-->
<ai_install_packages>
<!--
Due to dependency issues, entire must be listed first
in the package list, followed by SUNWcsd, and then SUNWcs.
Any additional packages must be listed after SUNWcs.
-->
<pkg name="entire"/>
<pkg name="SUNWcsd"/>
<pkg name="SUNWcs"/>
<pkg name="babel_install"/>
      <!-- You can add more packages if you want -->
      <!-- <pkg name="openoffice"/> -->
      <pkg name="FINISHpkg"/>
</ai_install_packages>
<ai_uninstall_packages>
<pkg name="babel_install"/>
<pkg name="slim_install"/>
</ai_uninstall_packages>
<ai_auto_reboot>
      false
  </ai_auto_reboot>
</ai_manifest>
</ai_embedded_manifest>

<sc_manifest_file name="AI" URI="./scbuild.xml"/>

</ai_criteria_manifest>

# cat scbuild.xml
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="profile" name="name">
<service name="ai_properties" version="1" type="service">
<instance name="default" enabled="true">
<property_group name="ai" type="application">
        <propval name="username" type="astring" value="guest"/>
        <!--passwd = letmein -->
        <propval name="userpass" type="astring" value="eAcu7bKjwwxb6"/>
<propval name="description" type="astring" value="default_user"/>
<!-- default root password -->
<propval name="rootpass" type="astring" value="$5$VgppCOxA$ycFmYW4ObRRHhtsGEygDdexk5bugqgSiaSR9niNCouC"/>
<propval name="timezone" type="astring" value="GB"/>
        <propval name='hostname' type='astring' value='ai_client'/>
</property_group>
</instance>
</service>
</service_bundle>
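
Before handing scbuild.xml to installadm it is worth checking what the manifest actually carries: the AI client fetches it over plain HTTP from the AI server, so the file is readable by anyone who can reach that web server (and, in this case, by anyone reading this page). In the sample above, rootpass is a SHA-256 crypt hash ($5$...), but userpass (eAcu7bKjwwxb6) is a traditional 13-character crypt_unix (DES) hash of the dictionary word "letmein", a scheme that also silently truncates passwords to 8 characters. The following sh script is an added example and not part of the original post: it pulls the userpass and rootpass values out of an SC manifest laid out one propval per line as above, classifies each hash by its $id$ prefix (the identifiers from crypt.conf(4)), and exits non-zero if either is weaker than SHA-crypt. The file name sc-audit.sh, the function names and the ok/WEAK wording are my own choices.

```shell
#!/bin/sh
# sc-audit.sh (added example, not from the original post): classify the
# crypt(3) hashes embedded in an AI system-configuration (SC) manifest.
# Usage: sh sc-audit.sh /export/aiserver/.../scbuild.xml
#        (no argument: only defines the functions, so the file can be sourced)

# Print the hash scheme for one crypt(3) string.
# Modular hashes carry a "$id$" prefix (crypt.conf(4)); a string with no
# prefix is traditional crypt_unix (DES): 13 characters, 8-char password limit.
hash_scheme() {
    case "$1" in
        '$5$'*)   echo sha256 ;;
        '$6$'*)   echo sha512 ;;
        '$md5$'*) echo sunmd5 ;;
        '$1$'*)   echo md5 ;;
        '$2a$'*)  echo blowfish ;;
        '')       echo empty ;;
        *)        echo des ;;
    esac
}

# Return 0 only for schemes we accept in a manifest delivered over the network.
scheme_is_strong() {
    case "$1" in
        sha256|sha512) return 0 ;;
        *)             return 1 ;;
    esac
}

# Extract the value= attribute of the named propval from an SC manifest.
# Assumes one <propval .../> per line, as in scbuild.xml above; single or
# double quotes around attribute values are both accepted.
# $1 = manifest file, $2 = property name
sc_propval() {
    sed -n "s/.*<propval name=['\"]$2['\"][^>]*value=['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Audit userpass and rootpass: one line per property on stdout,
# exit status 1 if any hash uses a scheme weaker than SHA-crypt.
audit_sc_manifest() {
    rc=0
    for prop in userpass rootpass; do
        val=$(sc_propval "$1" "$prop")
        scheme=$(hash_scheme "$val")
        if scheme_is_strong "$scheme"; then
            printf '%s: %s (ok)\n' "$prop" "$scheme"
        else
            printf '%s: %s (WEAK - regenerate with a $5$ or $6$ hash)\n' "$prop" "$scheme"
            rc=1
        fi
    done
    return $rc
}

if [ -n "${1:-}" ]; then
    audit_sc_manifest "$1"
fi
```

Run against the manifest above it reports userpass as des (WEAK) and rootpass as sha256 (ok). To produce a replacement hash on OpenIndiana, set the password on a throwaway account with passwd and copy the resulting $5$ or $6$ string out of /etc/shadow; and since the manifest still travels in the clear, change both passwords at first login regardless.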

# /usr/sbin/installadm add -m aibuild.xml -n 0906x86

19. Moment of truth..
  • Now boot your VirtualBox client and let's see what happens... and wait.
  • Log in as root/opensolaris
  • Monitor progress with: cat /tmp/install_log
  • You will have to reboot the client manually when it finishes, since I have set ai_auto_reboot to false
  • When you reboot you must make sure the client boots from disk rather than the network: either press F12 at the VirtualBox boot screen and pick the disk, or deselect Network under Settings -> System -> Motherboard (tab) -> Boot Order