Thursday, February 23, 2012

Solaris 11 Automated Install without a network boot

After my last blog post about the Solaris 11 Automated Installer quick setup guide in a zone I did some more reading and realised that you don't have to boot the client via DHCP/PXE: you can boot it from a local device (CD or USB) instead.

If you check out the Solaris download page you will see that the Automated Installer can be downloaded as an ISO or a USB image. If you download this and put it onto a CD or USB stick you can boot your client with it. When you boot it you see the following menu:

Oracle Solaris 11 11/11 Automated Install custom
Oracle Solaris 11 11/11 Automated Install
Oracle Solaris 11 11/11 Automated Install custom ttya
Oracle Solaris 11 11/11 Automated Install custom ttyb
Oracle Solaris 11 11/11 Automated Install ttya
Oracle Solaris 11 11/11 Automated Install ttyb
  • Picking Oracle Solaris 11 11/11 Automated Install custom means you will be prompted for a URL where your manifest is located on the network
  • Picking Oracle Solaris 11 11/11 Automated Install will install Solaris using a default manifest

Modifying the default settings:
If you have placed the AI image onto a USB then you can edit it and change the default manifest.

  • Mount the USB image:
# ls "/media/DataTraveler 2.0"
.                        .volsetid                  jack                      sbin
..                       auto_install             lost+found               solaris.zlib
.catalog                 bin                      mnt                      solarismisc.zlib
.cdrom                   boot                     platform                 system
.image_info              dev                      proc                     tmp
.liveusb                 devices                  reconfigure
.SELF-ASSEMBLY-REQUIRED  export                   root
.transfer-manifest.xml   home                     save
Edit the default.xml file:
# vi "/media/DataTraveler 2.0/auto_install/manifest/default.xml"

You would think you could edit the default SC profile as well, but you can't: the installer uses the copy at /usr/share/auto_install/sc_profiles/enable_sci.xml, which is not editable because /usr is a lofi mount of solaris.zlib. I think this should be classed as a bug, since you would expect it to use /auto_install/sc_profiles.

I have just filed a bug report with Oracle for this.
This is the way it should be done, if this bug did not exist!

Edit the default system configuration profile:
# cd "/media/DataTraveler 2.0/auto_install/sc_profiles/"
# vi enable_sci.xml

Or use the sample one:
# cd "/media/DataTraveler 2.0/auto_install/sc_profiles/"
# cp sc_sample.xml enable_sci.xml

This is the way you have to do it now, the long way: we have to replace solaris.zlib on the image.
As before, mount the USB image and change into it:
# cd "/media/DataTraveler 2.0"

Mount the solaris.zlib image via lofi (lofiadm prints the device it created; use that device in the mount command):
# lofiadm -a solaris.zlib
# mount -F hsfs /dev/lofi/1 /mnt

Now copy the whole image to a writable location:
# mkdir /export/newsolaris
# cd /mnt
# find . -depth -print | cpio -pdm /export/newsolaris
# cd /export/newsolaris

Now we finally get to making our changes:
# cd ./share/auto_install/sc_profiles/
# ls -l
total 27
-r--r--r--   1 root     sys         3104 Feb 23 17:39 enable_sci.xml
-r--r--r--   1 root     sys         3104 Oct 21 00:04 sc_sample.xml
-r--r--r--   1 root     sys         4656 Oct 21 00:04 static_network.xml
# cp -ip sc_sample.xml enable_sci.xml
#

Now re-create the solaris.zlib image
# mkisofs -o /tmp/solaris.zlib -quiet -N -l -R -U -allow-multidot -no-iso-translate -cache-inodes -d -D -V "compress" /export/newsolaris
Warning: creating filesystem that does not conform to ISO-9660.

It needs to be compressed:
# lofiadm -C lzma /tmp/solaris.zlib

Copy it back to the USB image:
# cp /tmp/solaris.zlib "/media/DataTraveler 2.0"


If you want to create an ISO so that you can test it in VirtualBox, try:
# /usr/bin/mkisofs -d -D -J -l -r -U -relaxed-filenames -b boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 4 -boot-info-table -c .catalog -V "my_volume_name" -o /var/tmp/output.iso "/media/DataTraveler 2.0"
Warning: creating filesystem that does not conform to ISO-9660.
Setting input-charset to 'UTF-8' from locale.
Size of boot image is 4 sectors -> No emulation
Size of boot image is 4 sectors -> No emulation
3.59% done, estimate finish Mon Feb 27 13:03:22 2012
7.17% done, estimate finish Mon Feb 27 13:03:22 2012
.....
96.77% done, estimate finish Mon Feb 27 13:03:33 2012
Total translation table size: 2048
Total rockridge attributes bytes: 45685
Total directory bytes: 290816
Path table size(bytes): 1864
Max brk space used 7e000
139507 extents written (272 MB)
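The rebuild steps above, scripted as an added example (this is not the post's own code): it checks the SC profile you are about to bake in before touching the image, then repeats the lofi mount, cpio copy, profile replacement, mkisofs and lzma compression, and optionally wraps the USB tree in a bootable ISO. It assumes a Solaris 11 host with lofiadm, mkisofs and cpio, the USB image mounted at the path you pass as the first argument, and your own SC profile as the second; the function names and the profile check are mine, the commands and flags are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the original post): scripted solaris.zlib rebuild.
# Assumes Solaris 11 tools (lofiadm, mkisofs, cpio); function names are mine.

set -u

# Sanity-check the profile before it is baked into the image: it must exist,
# be readable and look like an SC profile (a service_bundle document).
check_sc_profile() {
    f=$1
    [ -r "$f" ] || { echo "profile $f not readable" >&2; return 1; }
    grep -q '<service_bundle' "$f" || { echo "profile $f is not a service_bundle" >&2; return 1; }
    return 0
}

# Rebuild solaris.zlib on the USB image at $1 with the profile $2 installed as
# the default enable_sci.xml.  $3 is the scratch copy of the image tree.
rebuild_solaris_zlib() {
    usb=$1; profile=$2
    work=${3:-/export/newsolaris}
    check_sc_profile "$profile" || return 1
    # lofiadm -a prints the device it created (e.g. /dev/lofi/1).
    dev=$(cd "$usb" && lofiadm -a solaris.zlib) || return 1
    mount -F hsfs "$dev" /mnt || return 1
    mkdir -p "$work"
    (cd /mnt && find . -depth -print | cpio -pdm "$work") || return 1
    umount /mnt
    lofiadm -d "$dev"
    # Replace the read-only default profile with ours, keeping it read-only.
    target="$work/share/auto_install/sc_profiles/enable_sci.xml"
    chmod u+w "$target" 2>/dev/null
    cp "$profile" "$target" || return 1
    chmod 444 "$target"
    mkisofs -o /tmp/solaris.zlib -quiet -N -l -R -U -allow-multidot \
        -no-iso-translate -cache-inodes -d -D -V "compress" "$work" || return 1
    lofiadm -C lzma /tmp/solaris.zlib || return 1
    cp /tmp/solaris.zlib "$usb/solaris.zlib"
}

# Optional: wrap the modified USB tree in a bootable ISO for VirtualBox testing.
make_test_iso() {
    usb=$1; out=${2:-/var/tmp/output.iso}
    /usr/bin/mkisofs -d -D -J -l -r -U -relaxed-filenames \
        -b boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 4 \
        -boot-info-table -c .catalog -V "my_volume_name" -o "$out" "$usb"
}

# Usage on the Solaris host:
#   rebuild_solaris_zlib "/media/DataTraveler 2.0" /path/to/my_sc_profile.xml
#   make_test_iso "/media/DataTraveler 2.0"
```

The profile check is deliberately done first: once the new solaris.zlib is on the stick the only way to find out the wrong file went in is to boot a client and watch the install fail.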

Save it and try it out!
You still require a network, since the install still fetches its packages from a network IPS repository.

I have tested it with VirtualBox, booting off an ISO file I created from the USB image.

Tuesday, February 21, 2012

Solaris 11 Automated Installer quick setup guide in a zone

Setting up an Automated Install server with Solaris 11 is now very easy. See my recent Solaris SIG talk about it, but here is a quick guide.
  • Set up the zone:
# zonecfg -z aiserver 'create; set zonepath=/zones/aiserver'
  • Create a system configuration profile to speed the install process up:
    • This lets you set the hostname, server IP address, initial user, etc. (the install step below reads the profile from /var/tmp, so write it there)
# sysconfig create-profile -o /var/tmp/sysconfig.xml
  • Install the zone with the default manifest, using the system configuration profile created above:
# zoneadm -z aiserver install -c /var/tmp/sysconfig.xml
A ZFS file system has been created for this zone.
Progress being logged to /var/log/zones/zoneadm.20120221T133021Z.aiserver.install
       Image: Preparing at /zones/aiserver/root.

Install Log: /system/volatile/install.17908/install_log
AI Manifest: /tmp/manifest.xml.yhaq9I
SC Profile: /var/tmp/sysconfig.xml
    Zonename: aiserver
Installation: Starting ...

              Creating IPS image
              Installing packages from:
                  solaris
                      origin:  http://pkg.oracle.com/solaris/support/
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                              167/167 32064/32064  175.8/175.8

PHASE                                        ACTIONS
Install Phase                            44313/44313

PHASE                                          ITEMS
Package State Update Phase                   167/167
Image State Update Phase                         2/2
Installation: Succeeded

        Note: Man pages can be obtained by installing pkg:/system/manual done.
        Done: Installation completed in 127.429 seconds
  Next Steps: Boot the zone, then log into the zone console (zlogin -C) to complete the configuration process.

Log saved in non-global zone as /zones/aiserver/root/var/log/zones/zoneadm.20120221T133021Z.aiserver.install

# zoneadm -z aiserver boot
# zlogin -C -e\@ aiserver
  • Install the auto-installer software in the zone:
# svcadm enable /network/dns/multicast
# pkg list install/installadm
pkg list: no packages matching 'install/installadm' installed
# pkg install install/installadm
# pkg list install/installadm
NAME (PUBLISHER)                              VERSION                    IFO
install/installadm                         0.5.11-0.175.0.0.0.2.1482  i--
  • Create the boot service:
    • No need to specify an ISO, since the software will download an image from the IPS repository.

# installadm create-service -n solarisx86
Creating service from: pkg:/install-image/solaris-auto-install
OK to use default image path: /export/auto_install/solarisx86? [y/N]: y
Download: install-image/solaris-auto-install ...  Done
Install Phase ...  Done
Package State Update Phase ...  Done
Image State Update Phase ...  Done
Reading Existing Index ...  Done
Indexing Packages ...  Done

Creating service: solarisx86

Image path: /export/auto_install/solarisx86

Refreshing install services

Creating default-i386 alias.

No local DHCP configuration found. This service is the default
alias for all PXE clients. If not already in place, the following should
be added to the DHCP configuration:
        Boot server IP       : 193.xx.xx.xx
        Boot file            : default-i386/boot/grub/pxegrub

Refreshing install services

# ls -l /etc/netboot
total 6
drwxr-xr-x 19 root root 28 Feb 21 15:42 default-i386
drwxr-xr-x 19 root root 28 Feb 21 15:42 solarisx86
  • You are ready to PXE-boot a client against this server.

    Wednesday, February 01, 2012

    Solaris 11: Setting up Sendmail / SASL to handle SMTP AUTH

    I thought I would finally get SMTP AUTH working on my Solaris 11 servers, so that I could then set up my phone to send e-mail correctly. If you have seen my previous post you will know that Solaris 11 can't do it with the standard software.

    Build Cyrus SASL
    # sudo pkg install pkg:/developer/build/make system/header developer/gcc-3 text/gnu-grep database/berkeleydb-5

    # echo $PATH
    /usr/sbin:/usr/bin
    # export PATH=$PATH:/usr/gnu/bin:/usr/sfw/bin
    • The source will not compile as-is on Solaris 11, so unpack it and alter the following lines.
    # gzip -dc cyrus-sasl-2.1.25.tar.gz | tar xf -
    # cd cyrus-sasl-2.1.25

    # vi ./lib/saslutil.c ./plugins/kerberos4.c ./plugins/digestmd5.c utils/Makefile.am
    ./lib/saslutil.c
    85c85
    extern int gethostname(char *, int);
    change to:
    extern int gethostname(char *, unsigned int);

    ./plugins/kerberos4.c
    113c113
    extern int gethostname(char *, int);
    change to:
    extern int gethostname(char *, unsigned int);

    ./plugins/digestmd5.c
    106c106
    extern int gethostname(char *, int);
    change to:
    extern int gethostname(char *, unsigned int);

    ./utils/Makefile.am
    59a60,62
    add the following lines:
    saslpasswd2_LDFLAGS = -rpath $(libdir)
    dbconverter_2_LDFLAGS = -rpath $(libdir)
    pluginviewer_LDFLAGS = -rpath $(libdir)
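The four edits above, applied with sed and awk instead of by hand, as an added example (not code from the post or from the Cyrus SASL project). Scripting the edits makes the patched tree reproducible and leaves a `.orig` copy of each file so the change can be diffed and reviewed before the build. It assumes it is run against the unpacked cyrus-sasl-2.1.25 directory; the function names are mine, the replacements and the "after line 59" insertion point are the ones listed above.

```shell
#!/bin/sh
# Added example (not from the original post): scripted cyrus-sasl-2.1.25
# source edits. Function names are mine; the edits are the post's.

set -u

# Rewrite the gethostname() prototype in one file, keeping a .orig copy.
# Succeeds only if the old prototype is gone afterwards.
fix_gethostname_proto() {
    f=$1
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    cp "$f" "$f.orig"
    sed 's/extern int gethostname(char \*, int);/extern int gethostname(char *, unsigned int);/' "$f.orig" > "$f"
    ! grep -q 'gethostname(char \*, int);' "$f"
}

# Insert the three -rpath LDFLAGS lines after line 59 of utils/Makefile.am
# (the "59a60,62" edit above).  Succeeds only if the last line is present.
add_rpath_ldflags() {
    f=$1
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    cp "$f" "$f.orig"
    awk 'NR == 59 {
             print
             print "saslpasswd2_LDFLAGS = -rpath $(libdir)"
             print "dbconverter_2_LDFLAGS = -rpath $(libdir)"
             print "pluginviewer_LDFLAGS = -rpath $(libdir)"
             next
         }
         { print }' "$f.orig" > "$f"
    grep -q '^pluginviewer_LDFLAGS = -rpath \$(libdir)$' "$f"
}

# Apply all four edits to the source tree at $1 (default: current directory).
patch_cyrus_sasl() {
    src=${1:-.}
    for f in lib/saslutil.c plugins/kerberos4.c plugins/digestmd5.c; do
        fix_gethostname_proto "$src/$f" || return 1
    done
    add_rpath_ldflags "$src/utils/Makefile.am"
}

# Usage:  cd cyrus-sasl-2.1.25 && patch_cyrus_sasl && diff -u utils/Makefile.am.orig utils/Makefile.am
```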
    • Now we are ready for building.
    # ./configure --enable-cram --enable-digest --enable-plain \
              --enable-login --disable-krb4 --disable-anon \
              --disable-gssapi --with-saslauthd=/var/run/saslauthd
    # make
    # sudo make install
    • Add the following links:
    # sudo ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
    # sudo ln -s /usr/local/lib/libsasl2.so.2.0.25 /usr/lib/libsasl2.so.2
    Build Sendmail
    • Stop the existing sendmail services:
    # sudo svcadm disable svc:/network/smtp:sendmail
    # sudo svcadm disable svc:/network/sendmail-client:default

    # gzip -dc sendmail.8.14.5.tar.gz | tar xf -
    # cd sendmail-8.14.5
    • Set up the sendmail FEATURES (SSL, SASL, DB) in a site.config.m4, fed in via a heredoc:
    # cat > devtools/Site/site.config.m4 << 'EOF'
    dnl ### Changes to disable the default NIS support
    APPENDDEF(`confENVDEF', `-UNIS')

    dnl ### Changes for STARTTLS support
    APPENDDEF(`confENVDEF',`-DSTARTTLS')
    APPENDDEF(`confLIBS', `-lssl -lcrypto')
    APPENDDEF(`confLIBDIRS', `-L/usr/local/lib -L/usr/lib -R/usr/lib')
    APPENDDEF(`confINCDIRS', `-I/usr/include/openssl')

    dnl ### SASL support
    APPENDDEF(`confENVDEF', `-DSASL=2')
    APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
    APPENDDEF(`confINCDIRS', `-I/usr/local/sasl -I/usr/include')

    dnl ### Berkeley DB support
    APPENDDEF(`confENVDEF', `-DNEWDB')
    APPENDDEF(`confINCDIRS', `-I/usr/include')
    APPENDDEF(`confLIBDIRS', `-L/usr/lib')

    dnl ### TCP Wrapper
    APPENDDEF(`confENVDEF', `-DTCPWRAPPERS')
    APPENDDEF(`conf_sendmail_LIBS', `-lwrap')
    EOF
    #
    • Build Sendmail:
    # ./Build -c
    (It should build; ignore the gtroff error at the end.)
    # sudo mv /usr/lib/sendmail /usr/lib/sendmail_orig
    # sudo cp obj.SunOS.5.11.i86pc/sendmail/sendmail /usr/lib/sendmail
    # sudo chgrp smmsp /usr/lib/sendmail
    # sudo chmod g+s,u-ws /usr/lib/sendmail
    • Now add VENDOR_NAME and SASL support to the sendmail configuration (I hope you know what you are doing here).
    • Edit sendmail.mc and add the extra lines:
    define(`VENDOR_NAME', `Berkeley')
    define(`confAUTH_OPTIONS', `A')dnl
    TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl


    # cd /etc/mail/cf/cf
    # cat sendmail.mc
    divert(0)dnl
    VERSIONID(`sendmail.mc (Sun)')
    define(`VENDOR_NAME', `Berkeley')
    OSTYPE(`solaris11')dnl
    DOMAIN(`solaris-generic')dnl
    define(`confAUTH_OPTIONS', `A')dnl
    TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confFALLBACK_SMARTHOST', `mailhost$?m.$m$.')dnl
    MAILER(`local')dnl
    MAILER(`smtp')dnl

    LOCAL_NET_CONFIG
    R$* < @ $* .$m. > $* $#esmtp $@ $2.$m $: $1 < @ $2.$m. > $3
    #
    # sudo make sendmail.cf
    # sudo cp sendmail.cf ../../sendmail.cf

    # sudo /usr/lib/sendmail -bt -d0 < /dev/null
    Version 8.14.5
    Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
        NAMED_BIND NDBM NETINET NETINET6 NETUNIX NEWDB PIPELINING
        SASLv2 SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
    Set up the SASL authentication server
    • Now let's set up the SASL plugin via a Sendmail.conf:
    # sudo sh -c 'cat > /usr/local/lib/sasl2/Sendmail.conf' << 'EOF'
    pwcheck_method: saslauthd
    EOF
    #
    • For authentication to work, saslauthd has to be running, so you can start it as a one-off process (good for debugging) and at boot time.
    # sudo /usr/local/sbin/saslauthd -n 1 -V -d -a pam
    saslauthd[398] :main : num_procs : 1
    saslauthd[398] :main : mech_option: NULL
    saslauthd[398] :main : run_path : /var/run/saslauthd
    saslauthd[398] :main : auth_mech : pam
    saslauthd[398] :ipc_init : using accept lock file: /var/run/saslauthd/mux.accept
    saslauthd[398] :detach_tty : master pid is: 0
    saslauthd[398] :ipc_init : listening on socket: /var/run/saslauthd/mux
    saslauthd[398] :main : using process model
    saslauthd[398] :get_accept_lock : acquired accept lock
    • To start it at boot time we should really create an SMF service, but for now we will stick to an init.d script.
    # cat > /etc/init.d/saslauthd << 'EOF'
    #!/sbin/sh
    #
    NAME=saslauthd
    DAEMON="/usr/local/sbin/${NAME}"
    DESC="SASL Authentication Daemon"

    # -a Selects the authentication mechanism to use.
    # -n Number of worker processes to create.
    # -V Enable verbose logging
    # -d Debugging (don't detach from tty, implies -V); not used in the start
    #    action below, since an rc script must return for the boot to continue

    case "$1" in
    'start')
    ${DAEMON} -n 1 -V -a pam
    ;;

    'stop')
    pkill -x "${NAME}"
    ;;

    *)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
    esac
    EOF
    #
    # cd /etc
    # sudo ln init.d/saslauthd rc0.d/K38saslauthd
    # sudo ln init.d/saslauthd rc1.d/K38saslauthd
    # sudo ln init.d/saslauthd rc2.d/S82saslauthd
    # sudo ln init.d/saslauthd rcS.d/K38saslauthd
    • Time for some testing, starting with the SASL daemon:
    # cyrus-sasl-2.1.25/saslauthd/testsaslauthd -u RealUser -p MyPassword
    0: OK "Success."
    • We need the base64-encoded username and password (the AUTH PLAIN token; note this is encoding, not encryption) to test sendmail:
    # perl -MMIME::Base64 -e 'print encode_base64("\000MyUser\000MyPassword")'
    AE15VXNlcgBNeVBhc3N3b3Jk
    • Test the sendmail part (speaking SMTP to sendmail on stdin):
    # sudo /usr/lib/sendmail -bv  -O LogLevel=14 -bs -Am
    220 mailer5.dcs.bbk.ac.uk ESMTP Sendmail 8.14.5/8.14.5; Tue, 31 Jan 2012 09:52:24 GMT
    EHLO localhost
    250-mailer5.dcs.bbk.ac.uk Hello root@localhost, pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-EXPN
    250-VERB
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
    250-DELIVERBY
    250 HELP
    AUTH PLAIN AE15VXNlcgBNeVBhc3N3b3Jk
    235 2.0.0 OK Authenticated
    quit
    221 2.0.0 mailer5.dcs.bbk.ac.uk closing connection
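The AUTH PLAIN exchange above, as an added example that is not part of the original post: it builds the same token the perl one-liner produces, decodes it back to show that anyone who captures the session gets the password (base64 is not encryption), and checks an EHLO reply for the AUTH mechanisms and for STARTTLS before any credentials are sent. The EHLO reply in the block is a constructed copy of the session above, which advertises AUTH but no STARTTLS line; the function names and the "no PLAIN without STARTTLS" policy are mine. On the sendmail side the equivalent guard is the `p` flag in confAUTH_OPTIONS, which refuses PLAIN and LOGIN unless a security layer is active.

```shell
#!/bin/sh
# Added example (not from the original post). Needs base64(1) and POSIX tools.
# Function names and the check policy are mine; the token format is RFC 4616.

set -u

# AUTH PLAIN token: base64( authzid NUL authcid NUL password ), authzid empty.
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a token and print "user password": the credentials are recoverable
# by anyone who sees the session, which is why it needs TLS underneath.
decode_auth_plain() {
    printf '%s' "$1" | base64 -d | tr '\000' ' ' | sed 's/^ //'
}

# Constructed EHLO reply, matching the session shown above (no STARTTLS line).
EHLO_REPLY='250-mailer.example.com Hello root@localhost, pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250 HELP'

# Does the EHLO reply on stdin advertise capability $1 (e.g. STARTTLS)?
ehlo_offers() {
    grep -Eq "^250[- ]$1( |\$)"
}

# Does the AUTH line of the EHLO reply on stdin list mechanism $1?
ehlo_auth_mech() {
    grep '^250[- ]AUTH ' | grep -qw -- "$1"
}

# Policy check before sending credentials: PLAIN must be offered, and
# STARTTLS must be offered so the token never crosses the wire in the clear.
# Prints the verdict and returns 0 only when it is acceptable to proceed.
plain_auth_allowed() {
    reply=$1
    if ! printf '%s\n' "$reply" | ehlo_auth_mech PLAIN; then
        echo "server does not offer AUTH PLAIN"
        return 1
    fi
    if ! printf '%s\n' "$reply" | ehlo_offers STARTTLS; then
        echo "AUTH PLAIN offered without STARTTLS: credentials would be sent in the clear"
        return 1
    fi
    echo "ok: negotiate STARTTLS first, then AUTH PLAIN"
}

# Usage:
#   auth_plain_token MyUser MyPassword      # AE15VXNlcgBNeVBhc3N3b3Jk
#   plain_auth_allowed "$EHLO_REPLY"        # fails: no STARTTLS in the reply
```

Run against the reply captured above the check fails, because the server was built with STARTTLS support but the session does not advertise it; the same check passes once a `250-STARTTLS` line appears in the EHLO reply.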
    • That is it.
    References:
    - Guía Instalación de Sendmail con SMTP-AUTH y (tema #2688)
    - Sendmail-SMTP-AUTH-TLS-Howto
    - OpenSolaris Sendmail Auth