
Principles of Unix System Management - Solaris 8

va-scan Copyright 1999, Marchany

Randy Marchany
VA Tech Computing Center
Blacksburg, VA 24060
540-231-9523
email: [email protected]

System Administration Duties

1. Installing System Patches

2. Making System Checklists

3. Editing system configuration files

4. Keeping track of SUID/SGID programs

5. Recording device file permissions

6. Keep track of world, group writable files, directories

7. Record encrypted checksum of all system binaries

8. Verify password strength for system, user accounts

9. Expiring inactive accounts

10. Restrict root access to the system console

System Administration Duties

11. Allow no guest accounts, no multiple users/account, 1 user/account

12. Disable r-commands

13. Monitor NFS usage using nfsstat, nfswatch. Check /etc/exports

14. Monitor NIS system usage

15. Monitor modem file device permissions

16. Disable UUCP or verify the computer hangs up the phone correctly

17. Install the LATEST version of Sendmail (8.9.x)

18. Disable tftp services

19. Verify FTP client and server configurations

20. Setup an email alias for the FTP account

System Administration Duties

21. Set correct system-wide umask

22. Allow no .rhost, .netrc files

23. Verify backup/restore procedures

24. Check sticky bit file permissions

25. Check cron and at job files for completeness

26. Enable system accounting, system auditing functions

27. Check system-wide path definitions

28. Install tools: portsentry, logcheck, TCPWrappers, tripwire, lsof, CIS Security Benchmark document

29. Check for IP forwarding in the kernel

30. Check X Windows security

SysAdmin Tricks/Hints

1. Get a good idea of what is normal activity on your system. Use Unix performance commands/scripts to monitor your system. Check user login times to get a feel for what is normal activity for a user.

2. Obtain checklists at irregular intervals. Never do your monitoring at regular intervals. Store the checklists offline.

3. Remember that 1 megabyte doesn't necessarily equal 1 megabyte, and 1 gigabyte doesn't necessarily equal 1 gigabyte.

Real math tells us 1 MB = 2**20 = 1,048,576 bytes and 1 GB = 2**30 = 1,073,741,824 bytes, BUT to vendors, 1 MB = 1,000,000 bytes and 1 GB = 1,000,000,000 bytes. So you may not be missing space. A vendor 1 GB disk gives you only 93.1% of expected capacity. Cute vendor trick!

SysAdmin Tricks/Hints

4. Monitor your disk space. Why are we concerned? Because hackers can hide data in hidden dirs, and this is one way to see if your usage totals add up.

5. System Things to Remember

- keep hard copy logs in a secure place with limited access. Be able to account for their whereabouts EXACTLY.
- restrict root access
- Do your backups and checklists
- log internet activity by using TCP wrappers
- Keep accurate physical network/system maps/contact people
- Publicize problems AND solutions. Security through ignorance can backfire on you.
- Educate your user community.
- Install all relevant security patches, OS revision patches asap.
- Limit physical access to the machines if possible.

SysAdmin Tricks/Hints

6. Some free third party system management tools to get:

perl - language for scanning text files, extracting data from them and formatting reports. Written by Larry Wall.

top - provides continuous, customizable display of system process status. Written by Phil LeFebvre.

lsof - finds out who has open files on a FS that prevent you from dismounting the FS.

nfswatch - dynamically charts NFS traffic on a host. Written by Dave Curry.

tcpdump - packet monitoring program for displaying packets to/from a system.

SysAdmin Tricks/Hints

More Tools (cont'd)

Tripwire - system auditing package that runs a series of checks for basic system security. Written by Dan Farmer.

Crack - very powerful password cracking program that works on Unix systems that don't have shadow password files. Written by Alec Muffet.

7. Useful Unix commands

In addition to commands like find, ls, diff, last, lastcomm, ps, vmstat, iostat, su and the above mentioned tools, the 'strings' command is a useful tool to examine binary files for ASCII strings.

Steps for Workstation Configuration

- General steps to set up your workstation systems

1. MAIL - install correct versions of sendmail.cf on the server and clients. The config files should reflect the mail environment at your site.

2. NIS - define the servers and clients. Do NOT make the NIS domain name the same as your Internet domain name.

3. NFS - define the servers and clients.

4. Userids - Make sure all UID, GID values are unique across your ENTIRE network. Use Kerberos for more secure control. Use PID for UID value if possible. Require your users to get a PID first.

5. Encryption - Kerberize/ssh/PGP login, passwd, ftp, any application programs. Define the Kerberos/SSH master, slave and client machines.

6. NTP - install NTP daemon on all machines to synchronize system clocks.

Steps for Workstation Configuration

7. Install TCP wrappers - decide on the level of monitoring/restriction that is appropriate for your site.

8. SYSLOGS - modify syslog.conf files on machines to log what you want and route the logs to some central machine.

9. UNIX Software Consortiums - The CC maintains Unix software consortiums (Site Licenses) that provide you with OS and compilers for “free” to you. Check www.cc.vt.edu for more information.

10. Printer configuration - Best to use HP network printers. Use the JetAdmin utility (provided free by HP) to manage these printers.

11. Third Party Software - install software in common areas.

12. License Software - install FLEXLM clients/server code.

High Level Checklist - I

1. Major Areas to consider

- System Checklist
- Superuser Access
- Login/password/user administration
- Monitoring suid/sgid programs
- System/User file/directory permissions

2. Hardware Inventory

- Record serial numbers of all systems, peripherals, network interfaces, personnel access privileges.
- Bootable tapes/CD? A set for each system and where are they stored?
- Is an install server available? Where is it? Where is the boot server?

High Level Checklist - II

3. Software Inventory

- get kernel information
- list system software products that are installed on the system (pkginfo)
- list system configuration information (sysdef, prtconf, sysinfo)
- list machine name, node name, OS release, OS version (uname -a)
- list the machine architecture
- list all the hardware the OS thinks is connected to the system (prtconf, sysinfo)
- list NFS status
- list inet services available on each machine (/etc/inetd.conf)
- list host table entries (/etc/hosts)
- list nameserver entries (/etc/resolv.conf)
- list network status (netstat -a, netstat -nr)
- list user/group definitions (/etc/group)
- list passwd information (/etc/passwd, /etc/shadow)
- list shadow passwd information (/etc/shadow)
- search for /etc/hosts.equiv, /.rhosts, /etc/hosts.lpd
- determine what internet services are provided (/etc/inetd.conf, /etc/services)

High Level Checklist - III

- Software Inventory (cont'd)

- NFS/NIS subsystems - active? server? client? (ps -ef | grep nisd)
- what directories are exported? What directories are mounted? (/etc/dfs/dfstab) Which ones come up at boot? (/etc/vfstab)
- what systems are exporting directories (showmount -e)
- what is the NIS domain name? (domainname, /etc/domainname)

4. Superuser access

- list of users who have root access
- su command audited?
- crontab file permissions?
- can root login directly?
- where is the sulog?
- what users have root privileges?

High Level Checklist - IV

5. Login/password/user administration

- what are the default password characteristics? Length? TTL? (/etc/default/*)
- How do you handle initial passwords?
- review passwd, shadow passwd files
- NIS? If so, check master passwd file. This could defeat shadow passwd.
- Idle timeout feature enabled?
- what is the adduser procedure? audit trail?
- what is the removeuser procedure? audit trail? file removal? NIS db?
- is the system running Kerberos?
- when was the last login for a user?

6. SUID/SGID programs

- review all suid/sgid programs owned by root, daemon, bin or the groups bin, kmem, mail.
- compare against initial checklist
- minimum permission: 511
- maintain updated list of ALL suid/sgid programs

High Level Checklist - V

6. System/user file/directory permissions

- system dir permissions should be minimum: 755
- system dirs used by root should be owned by root
- UUCP, cron table, syslogs, system source code should be closed to general users.
- monitor checksums for: login, su, passwd, cu, crypt, tip, rlogin
- check device file permissions for disk, tape, network, ttys. Check device ownership
- search for hidden directories, check all hidden files (.files)
- find all writable directories
- check user home dirs for minimum permissions: 710. Check .login, .profile permissions
- what is the default umask?
- what are default X setup commands?
- find all unowned files
- check all 'at' jobs owned by root and verify their function
- restrict r-command usage

High Level Checklist - VI

7. General Steps

- check /etc/host minimum permission: 660
- Eliminate .netrc files
- verify active inetd services. Actively monitor or restrict rshd, rlogind, tftpd, rlogin, rcp, rsh, tftp, trpt.
- use netstat -p tcp to check for failed network connections
- enable logging on ftp accesses (in addition to TCP wrappers)
- set permission of exported directories to be as limited as possible
- OS audit tools in place? what are the audit classes? where is the audit log?
- create checklist of all files in the system on a periodic basis.
- monitor any attempt to change IFS in .profile or .login files
- use 'strings' command to check any suspicious files. Use it to check dbms files.
- Are syslogs routed to a central machine? Are syslogs archived?

High Level Checklist - VII

- General Information (cont'd)

- is NTP running on the machine? where are the config files?
- what are the Incident Response Team duties? who's on it?
- are NFS netgroups used? how are they organized? who maintains them?
- NIS mail aliases? how often are they monitored?

Boot/Shutdown Overview

When to boot
– After installing new HW
– powerfail

Shutdown commands: init, shutdown

Servers
– Use shutdown command. It notifies users.

Systems
– Use init or shutdown to do a clean shutdown

Solaris 8 Installation I

Preparing to Install
– Determine System Type
  OS Server - typically an NIS or NFS server
  Standalone - has local disks (standard)
– Determine Required HW: 32MB RAM, 500MB disk
– How much of Solaris do you want to install?
  Core - min. software needed to run the OS
  End User - Core + Openwindows
  Developer - End User + lib, man pages
  Entire - the whole thing. Recommended.

Solaris 8 Installation II

3 Types of Installation
– JumpStart - basic factory install. Not recommended because the default partition sizes are too small.
– Interactive - You boot and configure the system. GUI menus guide you thru the whole process. Recommended.
– Custom JumpStart - You boot and identify what type of system you have. The boot server loads a predefined version of the OS. Recommended for lab environments.

You can set up a single system to be a Boot/Install Server. This speeds up installation times (20 minutes). The Boot server must be on the same subnet as the target. The Install Server doesn't have to be. A single system can be a Boot and Install server.

Solaris 8 Installation III

Need to know this before installation
– hostname - use fully qualified if not in NIS mode
– network connectivity - primary network i/f, IP addr.
– Type of Name service to be used - NIS, NIS+, other (DNS) - use DNS to resolve hostname, not NIS.
– domain name - NIS domain name
– DNS server IP addr., IP host name
– Subnet mask, netmask, time zone
– Which software group to install? End user, Developer, Entire, Entire + OEM support. Recommend the last one since you can always remove software later.

Solaris 8 Installation IV

More Need to know stuff
– What disks to install Solaris on?
– Auto-layout the FS? No, since the defaults are never big enough. Lay them out manually.
– Preserve existing data? Recommend initial installation. Backup/restore system specific stuff.
– Accept the FS layout
– Mount remote FS? Can do this later.
– Reboot after installation? Also, pick the root password.

Sample Custom Jumpstart Installation
– Sample site: 2 subnets, 1 in the CC, 1 in EE
– The CC has the install/boot server, EE has a boot server

Solaris 8 Installation V

Create a JumpStart Dir
– holds the JumpStart installation files. Copy the template from the Solaris installation CD.
– cp -r /export/Solaris_2.6/Misc/jumpstart_sample /jumpstart

Share the JumpStart Dir

Create the CC profile
– Create /jumpstart/cc_profile. Specify in this file the install_type, system_type, partitioning, cluster and swap FS
– Create /jumpstart/ee_profile with similar info.

Edit /jumpstart/rules
– specify the subnet and rules file that applies to it

Solaris 8 Installation VI

Execute the check script to verify rules syntax
– cd /jumpstart
– ./check
– check creates a rules.ok file.

Setup the CC systems for installation
– Setup the install server to download the appropriate OS
– cd /export/install
– ./add_install_client -c server:/jumpstart host_cc sun4c

Setup the EE systems for installation
– ./add_install_client -c server:/jumpstart host_ee sun4c

Boot the systems and install the OS
– from the OK prompt, enter: boot net - install

Solaris Patch Administration

Sun releases patches regularly. You MUST maintain current patch levels.

Review the Solaris Patch Report available from Sunsolve.

Determine Patch Status:
– showrev -p shows all applied patches
– pkgparam pkgid PATCHLIST shows patches applied to the package pkgid

Solaris Patch Administration

Use the patchadd, patchrm commands to install or remove patches. These commands replace the installpatch, backoutpatch commands. They cannot be used for Solaris 1 systems.

Solaris Patch Administration

Patches are available from http://sunsolve.sun.com

Hackers read the Patch Reports. You must install the recommended and security patches!

Solaris 8 - sys-unconfig

Use when you need to change the host name of the machine. Use when you move a machine from one building to another. It wipes out all of the pertinent host/TCP/IP control files. It restores the system to the out-of-box state BUT it does NOT affect any user data files! It only modifies the TCP/IP pertinent files. Run the command; it will shut down the system when it's finished. You'll be asked to re-enter the new TCP/IP info at the next reboot.

Solaris Software Administration

Installing, removing software from standalone systems, servers

Software is delivered in packages.
– A collection of files/dirs in a defined format
– Format: Application Binary Interface (ABI), a supplement to the System V Interface Definition

pkgadd, pkgrm commands add/remove packages
pkginfo command lists the software installed on the system
Admintool is the GUI I/F

Adding a Package
– pkgadd uncompresses, copies files from the installation source to a local system disk
– Log info is stored in /var/sadm

Solaris Software Administration

Package Naming Convention - Sun products begin with SUNW, 3rd party packages use their own prefix (hpnp)

Most Sun software packages tell where they are installed
– Example: SUNWvolr is installed in /. The "r" stands for root. SUNWvolu is installed in /usr

Best way to determine where it's installed
– Look in the SUNW_PKGTYPE parm which is set in the package's pkginfo file

Some Sun Packages (compilers) install in /opt

Always use pkgrm to remove software

Set up a spool directory if you want to install from it.
– pkgadd -d device -s spooldir pkgid …….

Solaris 8 - Boot Process

The Boot Process
– BOOT PROM Phase
  Runs self-test diagnostics
  Loads the bootblk program. This program loads the secondary boot program located in the ufs on the default boot device.
– BOOT PROGRAMS Phase
  Loads the ufsboot program which loads the kernel
– KERNEL INITIALIZATION Phase
  Kernel is initialized
  Loads modules needed to mount /
– INIT Phase
  Kernel starts the init process
  The init process starts the rc scripts

Solaris 8 Boot Process

Run Levels Determine System State
– 0 - halt state
– 6 - reboot
– 3 - all system services w/networking
– 1 - single user

3 types of boot
– Interactive - you tell it where/which type
– Reconfiguration - after adding/deleting HW
– Recovery - hung system

Solaris 8 Boot Process

System Run Levels (who -r)
– AKA init state, tells what services/resources are available to users
– 0 - shutdown state, safe to power off system
– 1 - single user, the terminal you issued this command from becomes the system console
– 2 - multiuser - all services except NFS server, syslog
– 3 - multiuser - normal run state, all services available
– 4 - alternate multiuser - N/A
– 5 - power-down state - like 0 but will power off automatically
– 6 - reboot - go to level 0 then level 3 or whatever level is the default in /etc/inittab
– S, s - single-user

Solaris 8 - /etc/inittab

/etc/inittab contains a list of processes to start, monitor or restart whenever the system boots or changes run levels.

Format: ID:Run-level:ACTION:PROCESS
– ID - unique identifier for the entry
– RUN-level - run level the system must be in to run the process
– ACTION - keyword that defines how the process is to be run
  initdefault - first process to run
  sysinit - special initializations that must be run before logins
  powerfail - run process only during powerfail cycle
  wait - wait for process to finish before starting next one
  respawn - restart it if it's not there. Otherwise, continue
– PROCESS - the actual command to execute
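A small reader for the ID:Run-level:ACTION:PROCESS format just described, added here as an example (not from the slides or from Solaris). It lists what init acts on at a given run level and flags respawn entries whose command lives outside /sbin and /usr; that directory rule, the helper names and the sample inittab are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the slides or from Solaris): read an /etc/inittab
# in the ID:RUN-LEVEL:ACTION:PROCESS format and answer two checklist
# questions: what runs when init enters a given run level, and which
# respawn entries point outside the usual system directories. The
# /sbin-or-/usr test is a heuristic assumed here, not a Solaris rule;
# an entry that fails it simply deserves a look.

# The PROCESS field runs to the end of the line and may itself contain
# colons, so each helper re-joins fields 4..NF before using it.

# default_level FILE -> the run level named in the initdefault entry
default_level() {
    awk -F: '$3 == "initdefault" { print $2 }' "$1"
}

# entries_for FILE LEVEL -> "id action process" for each entry that init
# acts on at LEVEL (an empty run-level field means every level)
entries_for() {
    awk -F: -v lvl="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ || NF < 4 { next }
        $2 == "" || index($2, lvl) > 0 {
            proc = $4; for (i = 5; i <= NF; i++) proc = proc ":" $i
            print $1, $3, proc
        }' "$1"
}

# suspicious_respawn FILE -> "id process" for respawn entries whose command
# does not live under /sbin or /usr (heuristic, see above)
suspicious_respawn() {
    awk -F: '
        /^[ \t]*#/ || NF < 4 { next }
        $3 == "respawn" {
            proc = $4; for (i = 5; i <= NF; i++) proc = proc ":" $i
            split(proc, w, " ")
            if (w[1] !~ /^\/(sbin|usr)\//) print $1, proc
        }' "$1"
}

# sample_inittab FILE -> writes a constructed inittab, modelled on the
# Solaris 8 default but not copied from it, for trying the helpers
sample_inittab() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/inittab
ap::sysinit:/sbin/autopush -f /etc/iu.ap
fs::sysinit:/sbin/rcS sysinit >/dev/msglog 2<>/dev/msglog </dev/console
is:3:initdefault:
p3:s1234:powerfail:/usr/sbin/shutdown -y -i5 -g0 >/dev/msglog 2<>/dev/msglog
s0:0:wait:/sbin/rc0 >/dev/msglog 2<>/dev/msglog </dev/console
s2:23:wait:/sbin/rc2 >/dev/msglog 2<>/dev/msglog </dev/console
s3:3:wait:/sbin/rc3 >/dev/msglog 2<>/dev/msglog </dev/console
sc:234:respawn:/usr/lib/saf/sac -t 300
co:234:respawn:/usr/lib/saf/ttymon -g -h -p "console login: " -T sun -d /dev/console -l console
xx:3:respawn:/var/tmp/.x/agent
EOF
}

# Usage: entries_for /etc/inittab "$(default_level /etc/inittab)"
#        suspicious_respawn /etc/inittab
```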

Solaris 8 - Run Level 3

What Happens When Moving to Run Level 3
– Init is started. /etc/default/init contains the environment variables.
– Init reads /etc/inittab to find the initdefault entry and run it
– Init reads /etc/inittab to run any processes that have sysinit in the action field. Any initializations that need to be run before users login are run now.
– Init reads /etc/inittab to run any processes that have 3 in the rstate field.
– Commands that can be run at run level 3
  /usr/sbin/shutdown - run only if init has received the powerfail signal
  /sbin/rc2 - defines the TZ, starts standard system processes, moves to run level 2
  /sbin/rc3 - starts NFS resource sharing
  /usr/lib/saf/sac -t 30 - starts port monitors, UUCP network access
  /usr/lib/saf/ttymon - starts the ttymon process that monitors the console for login attempts. Restarted if it fails.

Solaris 8 - Run Level Scripts

Each run level has a set of scripts in /sbin (rc0, rc1, rc2, rc3, rc5, rc6, rcS).

For each /sbin/rcX script, there's an /etc/rcX.d directory that contains the scripts used in that run level. /etc/init.d files are linked to the corresponding /etc/rcX.d dirs.

Scripts are run in ASCII sort order. Names are of the form KXXname or SXXname, where XX is the numeric order the process is run in, S denotes a process startup script and K denotes a process kill script.

Adding an RC script
– Add the script to /etc/init.d - cp FN /etc/init.d
– Create links to the appropriate /etc/rcX.d - cd /etc/init.d; ln FN /etc/rc2.d/SxxFN; ln FN /etc/rcn.d/KxxFN

Removing an RC Script
– cd /etc/rcX.d; mv FN .FN
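An audit of one rcX.d directory built on the naming and linking conventions above, added here as an example (not from the slides or from Sun). It prints the K then S order the rc script would use, flags names the rc script would skip, and flags entries that are not hard links to a master copy, which is what the cp-then-ln convention produces; the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides or from Sun): audit one /etc/rcX.d
# directory. It lists the K (stop) and S (start) entries in the ASCII
# order /sbin/rcX runs them and reports two things worth a second look:
# names that do not fit the KNNname/SNNname convention, which the rc
# scripts silently skip, and entries that are not hard links to a master
# copy (the slides' convention is cp to /etc/init.d, then ln). A copy
# dropped straight into rcX.d with no /etc/init.d counterpart is exactly
# what a periodic checklist should surface. Entries renamed to .FN are
# hidden and therefore not run, so they are left out of every report.

# run_order DIR -> K entries, then S entries, each in C-locale sort order
run_order() {
    ( cd "$1" || exit 1
      LC_ALL=C ls -1 | awk '/^K[0-9][0-9]/'
      LC_ALL=C ls -1 | awk '/^S[0-9][0-9]/' )
}

# misnamed DIR -> visible entries that /sbin/rcX would never run
misnamed() {
    ( cd "$1" || exit 1
      LC_ALL=C ls -1 | awk '!/^[KS][0-9][0-9]./' )
}

# not_linked DIR -> visible entries whose link count is 1, i.e. with no
# hard-linked master copy in /etc/init.d; symlinks and plain copies qualify
not_linked() {
    find "$1/." ! -name . -prune ! -name '.*' -links 1 -exec basename {} \; |
        LC_ALL=C sort
}

# audit_rcdir DIR -> prints a short report; returns 1 if anything was flagged
audit_rcdir() {
    bad=0
    echo "Run order for $1:"
    run_order "$1"
    m=$(misnamed "$1")
    if [ -n "$m" ]; then
        echo "Ignored by rcX (bad name):"; echo "$m"; bad=1
    fi
    u=$(not_linked "$1")
    if [ -n "$u" ]; then
        echo "No hard-linked /etc/init.d master (link count 1):"; echo "$u"; bad=1
    fi
    return $bad
}

# Usage: audit_rcdir /etc/rc2.d
```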

Solaris 8 - RC Script Actions

/sbin/rc0 - /etc/rc0.d
– Stops system services, daemons
– Terminates all running processes
– Unmounts all filesystems

/sbin/rc1 - /etc/rc1.d
– Same as /sbin/rc0
– Brings the system up to single-user mode

/sbin/rc2 - /etc/rc2.d
– Mounts all local FS
– Enables disk quotas if 1 FS was mounted w/quota option
– Saves vi temp files in /usr/preserve
– Removes any files in /tmp
– Rebuilds device entries for reconfiguration boot
– Configures system accounting

Solaris 8 - RC Script Actions

/sbin/rc2 (cont'd)
– Configures the default router
– Sets NIS domain and ifconfig netmask
– Reboots the system from install media or boot server if either the /.PREINSTALL or /AUTOINSTALL file exists
– Starts inetd, rpcbind, named
– Starts Kerberos client, kerbd
– Starts either NIS (ypbind) or NIS+ (rpc.nisd)
– Starts keyserv, statd, lockd, xntpd, utmpd
– Mounts all NFS entries
– Starts nscd (name service cache daemon)
– Starts automount, cron, LP, sendmail, utmpd, vold

Solaris 8 - RC Script Duties

/sbin/rc3 - /etc/rc3.d
– Clean up sharetab
– Start nfsd
– Start mountd
– If the system is a boot server, starts rarpd, rpc.bootparamd, rpld
– Starts snmpdx

/sbin/rc5 - /etc/rc0.d
– Kills the printer and syslog daemons
– Unmounts local and NFS FS
– Stops NFS server and client processes
– Stops NIS, RPC and cron services
– Kills all active processes and initiates an interactive boot

Solaris 8 - RC Script Actions

/sbin/rc6 - /etc/rc0.d
– Runs the /etc/rc0.d/K* scripts to stop system processes
– Kills all active processes
– Unmounts all FS
– Runs the initdefault entries in /etc/inittab

/sbin/rcS - /etc/rcS.d
– Sets up a minimum network
– Mounts /usr
– Sets the system name
– Mounts /proc and /dev/fd
– Rebuilds the device entries for reconfig boots
– Mounts FS needed for single user mode

Solaris 8 Boot Process

Reconfiguration Boot
– Adding new devices (tape drives, disk drives, etc.)
– su
– Add the device driver
  Load driver CD/tape
  pkgadd -d devicename package-name
– touch /reconfigure. If you don't do this, use the boot -r console command
– Shutdown the system: shutdown -i0 -gX -y
– Determine the SCSI address of connected devices: ok> probe-scsi-all. Make sure you have an available SCSI address
– Install new device with proper SCSI address set

Solaris 8 - Reconfig Boot

Adding a Peripheral
– Power up all peripherals. Power up the CPU unit last
– From the OK prompt, enter: probe-scsi-all
– If ok, enter: boot -r or boot (if you created /reconfigure)

Adding a disk drive
– System Disk - contains / and /usr
– If damaged, two ways to recover
  Reinstall entire OS from CD
  Replace system disk and restore from backups

Solaris 2.5 Boot Process

Using the Boot Prom
– Use STOP-A keys to get boot prompt
  2 types of prompt (OK, >). Use the 'n' command to get the OK prompt
– How to find out the PROM release level: banner
– Changing the Default Boot Device
  probe-scsi-all prints all SCSI device #'s
  setenv boot-device disk[n]
  printenv boot-device to verify the change
  reset saves the new information

Solaris 8 Boot Process

Run Level 3 (normal) Boot
– boot

Single User Boot
– boot -s
– Must enter root password to complete boot

Interactive Boot
– boot -a
– Need to know the kernel FN, kernel dir, kernel config file, root file device name

Solaris 8 Boot Process

Recovery Boot
– Use when a critical file (/etc/passwd) dies
– Must use Solaris Install CD
– Mount the CD then: boot cdrom -s
– mount the problem disk: mount <dev> /a
– cd /a/<problem dir>
– Set term type: export TERM=sun
– Remove the invalid entry
– cd / ; umount /a; init 6

Solaris 8 - Shutdown

Shutdown commands
– /usr/sbin/shutdown, init (0 1 2 3 6 S s), reboot, halt

Rebooting the system
– /usr/sbin/shutdown -i6 -gX -y

Shutting down the system
– init 0
– /usr/sbin/shutdown -i0 -gX -y

Solaris 8 Disks I

format Utility
– main tool for maintaining, partitioning disks
  Searches for all attached disk drives
  Analyzes, repairs, formats, partitions, labels disks

When to use?
– Display partition info, partition a disk
– Adding a drive to the system

prtvtoc command: used to read the disk label. This contains partition information.

Solaris 8 Disks II

– 1 filesystem/partition unless you use the DiskSuite facility. Solaris calls disk partitions: disk slices.
– Name Format: cXtYd0sZ
  cX - disk controller X, tY - SCSI id Y, sZ - slice Z
– Solaris numbers partitions rather than lettering them. 0-7 -> a-h
– Default Partitions:
  0 - root: Kernel, OS files/dirs
  1 - swap: Solaris swap space
  2 - the whole disk, use in non-system
  3 - /export: used for server systems

Solaris 8 Disks III

– Default disk partitions (cont'd)
  4 - /export/swap - used for diskless clients
  5 - /opt - Solaris unbundled software
  6 - /usr - system executables
  7 - /home - user home dirs
– Multiple disk configuration
  split system disk from user/data disk
  makes recovery simpler
  can add multiple swap spaces to improve perf.

Solaris 8 Disks IV

Partition Fields
– Number - partition/slice number
– tag - usually FS name
– flags
  wm - writable & mountable
  wu - writable & unmountable (defines swap)
  rm - R/O, mountable
– Cylinders - start/end cylinder #
– size - partition size in Mb
– blocks - total # cyls, blocks in slice

Solaris 8 Disks V

Administering disks
– Identify the disk - format
– Format the disk - format/select/format
– Display partition/slice info - format/select/partition/print
– Label the disk - format/select/type/select/label
– Repair a disk - format/select/repair

Solaris 8 Disks VI

Some formatting tips
– you must do a boot -r after adding any new HW so Solaris will recognize it for format.
– Use format -M for extended, diagnostic messages
– to label multiple disks with the same geometry (disk towers), read the label of one disk with prtvtoc and write it to the others with fmthard:

for i in X Y Z; do prtvtoc /dev/rdsk/XXX | fmthard -s - /dev/rdsk/cNt${i}d0s2; done

Solaris 8 Disks VIII

Adding a System or secondary disk
– Connect the HW, boot -r or boot cdrom (system disk)
– Partition the disk
– Create FS
– Restore FS
– Install Boot Block (system disk)

Solaris 8 Disks IX

Connecting a System Disk
– Remove damaged disk
– Add new disk
– boot cdrom -s (local CDROM boot, single user)
– boot net -s (network boot, single user)

Connecting a Secondary Disk
– Connect HW
– boot -r

Solaris 8 Disks X

How to install a boot block
– good idea to have an alternate boot disk
– /usr/sbin/installboot /usr/platform/`uname -i`/lib/fs/ufs/bootblk /dev/rdsk/cNtNd0s0
  Example: installboot /usr/platform/sun4u/lib/fs/ufs/bootblk /dev/rdsk/c0t0d0s0
– reboot the system: init 6

Solaris 8 Volume Mgt.

Volume Mgt daemon (vold) provides access to CDROM, Floppies under the /vol/dev mount point.
– Diskettes: /vol/dev/[r]disketteX
– CDROM: /vol/dev/[r]dsk/c0t6
  CD Drive is at SCSI id 6 by default.

2 Special Mount points
– /cdrom
– /floppy

Solaris 8 Volume Mgt.

2 sets of symbolic links
– File System Access
  /floppy/floppy0 -> /floppy/name -> /vol/dev/diskette0/name
  /cdrom/cdrom0 -> /cdrom/name -> /vol/dev/dsk/c0t6/CD-name
– Raw Device Access
  /vol/dev/aliases/floppy0 -> /vol/dev/rdiskette0/name
  /vol/dev/aliases/cdrom0 -> /vol/dev/rdsk/c0t6/CD-name

Solaris 8 Volume Mgt.

Configuring Volume Mgt
– Starting vold: Remove all CDROM, floppy disks; su; /etc/init.d/volmgt start
– Stopping vold: su; /etc/init.d/volmgt stop

Solaris 8 Volume Mgt

Formatting/Using Floppies
– General steps
  Load unformatted diskette
  Format diskette
  Add a UFS filesystem
  Eject the diskette

Solaris 8 can format diskettes for Solaris or MS-DOS use.

Solaris 8 Volume Mgt

Formatting a UFS diskette
– quit File Manager
– Write-enable the diskette, load it
– Enter: fdformat -v -U <options>
  a series of dots shows formatting progress; a series of V's under the dots shows verification.
– Diskette is ready for tar, cpio or DOS

Creating the UFS
– volcheck -v; newfs -v /vol/dev/aliases/floppy0; eject floppy; volcheck -v

Page 61: Sysadmin Info]

Solaris 8 - Diskette Summary

To Access           Insert     Find the Files In
Files on diskette   diskette   /vol/dev/aliases/floppy0 (Enter: volcheck)
Raw Data            diskette   /vol/dev/aliases/floppy0 (Enter: volcheck)
CD Files            CD         /cdrom/cdrom0

Page 62: Sysadmin Info]

Solaris 8 - NTP Setup

Steps
- Create /etc/inet/ntp.conf containing:
  server ntp-1.vt.edu version 3
- /etc/init.d/xntpd start

You can add additional server lines in ntp.conf; ntp-2.vt.edu is the other master timeserver on campus. NTP is used to time stamp syslogs and any other application that requires time synchronization.

Page 63: Sysadmin Info]

Solaris 8 DNS Setup

DNS
- Edit /etc/nsswitch.conf, change the "hosts" field to "dns files"
- Know what your local DNS server address is. See http://rdweb.cns.vt.edu/public/dns
- Create /etc/resolv.conf and add the following fields:
  domain xxx.vt.edu
  nameserver 128.173.4.247
  nameserver 128.173.4.113
- Done

Page 64: Sysadmin Info]

Solaris 8 Sendmail Setup

Solaris 8 ships with Sendmail 8.11.6. Use later versions, available via anonymous ftp from ftp.vt.edu:/pub/cc/Solaris/sendmail.tar. This kit contains the cf files, sendmail 8.11 binaries and install/backout scripts.

Page 65: Sysadmin Info]

Solaris 8 Filesystems I

1. A Unix filesystem is a collection of directories and files.

2. Solaris supports 3 filesystem types: Disk-based, Network-based, pseudo.

3. Typical sysadmin filesystem duties include: making local/remote filesystems available to users, connecting/configuring new disks and making them available to the filesystem, designing/implementing a filesystem backup schedule, checking/correcting filesystem damage.

4. Disk-based filesystem types:

UFS - Unix File System based on BSD fast file system in BSD 4.3. Default filesystem type used by Solaris 2.3.

HSFS - CD-ROM filesystems: High Sierra, ISO9660 (official standard version of High Sierra), ISO9660 with Rock Ridge extensions which allow UFS structures (R/O) on a CD. 3rd party software may be sent in one of these formats so ASK!

PCFS - PC file system allows R/W access to DOS diskettes.

Page 66: Sysadmin Info]

Solaris 8 - Filesystems II

5. Network based filesystems use NFS (Network File System) protocols.

6. Pseudo Filesystems are virtual/memory based filesystems used by Solaris and not by the sysadmin/users. Example: swap space.

7. TMPFS (TeMPorary File System) uses swap space to store temporary files. This is defined by the /tmp filesystem. Files in here are NOT permanent and are lost when the system is rebooted/shutdown. TRADEOFF: large /tmp takes away from swap space that can be used by programs so you can take a performance hit.

8. Process Filesystem (PROCFS) resides in memory and contains a list of active processes in the /proc directory. Debuggers use this FS to get info on a process. Do NOT delete this FS!

Page 67: Sysadmin Info]

Solaris 8 - Filesystems III

1. Filesystem Administrative commands:

clri - clears inodes
df - display disk usage, free blocks and mounted filesystems.
ff - list file names and stats for a file system.
fsck - filesystem check and repair program.
fsdb - filesystem debugger.
fstyp - determines the FS type.
labelit - lists/provides labels for the FS when copied to tape. Used by the 'volcopy' command only.
mkfs - make a new FS.
mount - mount a FS to make it available to the users.
mountall - mount all the FS listed in /etc/vfstab.
ncheck - generate a list of path names with their inode numbers.
umount - unmount a FS. Makes it unavailable to users.
umountall - unmount the FS listed in /etc/vfstab.
volcopy - makes an image copy of a file system.

Use the man command for more info. To get info on a specific FS type: man command_FStype. EX: man mount_ufs

Page 68: Sysadmin Info]

Solaris 8 - Filesystems IV

1. To find out FS type:

- look in FS Type field of /etc/vfstab
- look in /etc/default/fs to see default local FS type
- look in /etc/dfs/fstypes to see default remote FS type
- look in /etc/mnttab for mounted FS type info
- Enter: devnm <mount-point> and use the fstyp <raw-devicename> command (must be root to do this)

2. Default Solaris 8 FS (FS types):

/ - (UFS) the root directory. Critical system files (kernel /kernel/unix), device drivers, boot programs.
/etc - (NFS) sysadmin configuration files. FS type is UFS if you select STANDALONE or SERVER during Solaris 8 installation.
/usr - (UFS) system files/commands, directories that can be shared with other users. Man pages are stored here.
/home - (NFS) user home directories. Can be UFS if you select SERVER or STANDALONE during Solaris 8 installation.

Page 69: Sysadmin Info]

Solaris 8 - Filesystems V

- Default Solaris 8 Filesystem, FS types (Cont'd)

/var - (UFS) contains system logs, accounting logs, vi backup files.
/opt - (NFS) default location of compilers, 3rd party software. Can be UFS if you select SERVER or STANDALONE, but QUICK INSTALL makes it too small so you should select CUSTOM INSTALL to make a bigger one.
/tmp - (TMPFS) temporary files that are cleared on reboot.
/proc - (PROCFS) list of active processes on the system.

/ and /usr are needed to run a system.

- More on UFS

- the default Solaris 8 FS
- can be up to 1 Tbyte in size but Solaris 8 does NOT provide 'striping' to allow this. You need the DiskSuite package to do this. Individual files can be up to 2GB in size.

Page 70: Sysadmin Info]

Solaris 8 - Filesystems VI

- UFS Planning and Strategies

1. Total size: 1 TByte if you use Online:DiskSuite, otherwise as big as the slice you allocated for it.

2. Maximum File Size: 2Gbyte

3. Maximum number of files: depends.... # of inodes determines this. Default: 1 inode / 2K of data. # of inodes is defined by the -i option of 'mkfs'

4. Types of UFS Blocks:

boot block - has the boot information used by Solaris.
Superblock - has most of the FS to disk map info.
inodes - used to store all info (disk sector, etc.) about a file except name.
Storage/data block - where the actual data resides.

Page 71: Sysadmin Info]

Solaris 8 - Filesystems VII

- UFS Planning/Strategies

1. Distribute the workload across I/O devices. Distribute /home, /swap across drives as evenly as possible.

2. Keep projects/groups within the same filesystem.

3. Use as few FS per disk as possible. On the system drive, try to have /, /usr and /swap only. /var is ok also. Of course, if you only have 1 drive .........

4. Default values for 'mkfs' command include:

default block size: 8Kb
default fragment size: 1Kb
default minimum free space: 10% of total disk capacity
default # of inodes: 1 per 2Kb of disk space

Page 72: Sysadmin Info]

Solaris 8 - Filesystems VIII

- FS that are currently mounted are listed in /etc/mnttab
- FS that are mounted at boot are listed in /etc/vfstab. It has 7 fields:

Device to mount - block (/dev/dsk) device name or remote FS name of format: Remote-server:remote-FS-name

Device to fsck - corresponding raw (/dev/rdsk) device name of 1st field

Mount Point - default mount point for the FS

FS Type - type of FS (UFS, NFS, PROCFS, etc.)

Fsck Pass - used by the fsck command to determine the order in which to check the FS on boot. A '-' means no check. NOTE: NFS FS should have a '-' in this field. fsck can operate in parallel so there can be multiple FS with the same pass #.

Automount? - automatically mount this FS on boot. NOT the automounter.

Mount Options - options for the mount command (RW, RO).
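As an added example (not from the slides), a small sh/awk checker that applies the 7-field layout above to a constructed vfstab: it flags an NFS entry with a numeric fsck pass, a raw device that is not the rdsk twin of its block device, and a remote filesystem mounted read-write at boot without nosuid. The sample entries, the server name dock and the check list are my assumptions.

```shell
#!/bin/sh
# Added example: validate a vfstab against the 7-field layout.
# VFSTAB_SAMPLE is constructed; the NFS server name "dock" is made up.

VFSTAB_SAMPLE='#device            device             mount  FS   fsck mount   mount
#to mount          to fsck            point  type pass at boot options
/dev/dsk/c0t0d0s0  /dev/rdsk/c0t0d0s0 /      ufs  1    no      -
/dev/dsk/c0t0d0s6  /dev/rdsk/c0t0d0s6 /usr   ufs  1    no      -
/dev/dsk/c0t0d0s1  -                  -      swap -    no      -
/proc              -                  /proc  proc -    no      -
dock:/export/home  -                  /home  nfs  2    yes     rw
/dev/dsk/c0t1d0s7  /dev/rdsk/c0t0d0s7 /opt   ufs  2    yes     -
/swap2             -                  -      swap -    no      -'

# check_vfstab: reads vfstab text on stdin, prints "line N: <problem>"
# for each finding; exit status 1 if anything was reported, else 0.
check_vfstab() {
    awk '
    /^#/ || NF == 0 { next }
    NF != 7 { printf "line %d: expected 7 fields, got %d\n", NR, NF; bad = 1; next }
    {
        dev = $1; rdev = $2; mnt = $3; type = $4; pass = $5; atboot = $6; opts = $7

        # an NFS filesystem is never fsck-checked locally: pass must be "-"
        if (type == "nfs" && pass != "-") {
            printf "line %d: nfs entry %s should have \"-\" in the fsck pass field\n", NR, mnt
            bad = 1
        }
        # field 2 must be the /dev/rdsk twin of the /dev/dsk device in field 1
        if (dev ~ /^\/dev\/dsk\//) {
            want = dev
            sub(/^\/dev\/dsk\//, "/dev/rdsk/", want)
            if (rdev != "-" && rdev != want) {
                printf "line %d: fsck device %s does not match %s\n", NR, rdev, dev
                bad = 1
            }
        }
        # swap areas have no mount point and are not checked
        if (type == "swap" && (mnt != "-" || pass != "-")) {
            printf "line %d: swap entry should use \"-\" for mount point and fsck pass\n", NR
            bad = 1
        }
        # a remote filesystem mounted read-write at boot without nosuid
        # honours setuid files from the server on this client
        if (type == "nfs" && atboot == "yes" && opts !~ /nosuid/) {
            printf "line %d: nfs %s mounted at boot without nosuid\n", NR, mnt
            bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# run against the constructed sample when executed directly
printf '%s\n' "$VFSTAB_SAMPLE" | check_vfstab || echo "vfstab: problems found"
```

Run it against a real file with `check_vfstab < /etc/vfstab`; a clean table produces no output and exit status 0.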

Page 73: Sysadmin Info]

Solaris 8 - Filesystems IX

- CREATING FILESYSTEMS

1. You should create FS after:

- adding/replacing disk drives
- changing the partition map on a disk, Ex: making a FS larger
- doing a full restore of the filesystems on the disk
- changing other FS parameters (block size)

2. Disk must be formatted and partitioned (see 'format' command).

Syntax: newfs /dev/rdsk/device-name

3. To install boot block on a drive or make another drive an alternate boot disk:

- select a FS to use as the bootable FS
- create it if necessary
- enter: installboot /usr/lib/fs/ufs/bootblk /dev/rdsk/device-name

Page 74: Sysadmin Info]

Solaris 8 - Filesystems X - Determining a FS Type

- df -k command
- the FS field of /etc/vfstab
- /etc/dfs/fstypes for remote files
- grep <mount point> /etc/mnttab
- devnm /<filesystem>
- fstyp /dev/rdsk/<device name>

Page 75: Sysadmin Info]

Solaris 8 - Filesystems XI - Mount/Unmount FS

- mount, mountall, umount, umountall

Mounting FS
- mount <FS> will use info from /etc/vfstab
- mount NFSserver:/<FS> <local mnt pt>

Unmounting FS
- List & kill processes using the FS:
  fuser -c -u <mount-point> lists the processes
  fuser -c -k <mount-point> kills them

Page 76: Sysadmin Info]

Solaris 8 - Swap Space

1. Swap space partitions are used by the system when it doesn't have enough memory to handle a current process. The tmpfs FS stores files in memory and allocates space in /tmp for swap. As you use space in /tmp, you take away swap.

2. Swap areas to be mounted at boot are defined in /etc/vfstab.

3. To look at existing swap space: swap -l OR swap -s (more useful)

4. To create additional swap space w/o reformatting the disk:

a. Create the file: mkfile -v nnn[k|b|m] filename. Ex: mkfile -v 1m /swap2
b. Make it available for use: swap -a filename
c. Verify it worked: swap -l
d. To make it available at boot, put an entry in /etc/vfstab BUT make sure the FS the swap space is on is mounted first.
e. To remove swap space: swap -d filename

Page 77: Sysadmin Info]

Solaris 8 - Crash Dump Setup

Steps
- Create crash dump directory:
  mkdir /var/adm/crash; cd /var/adm/crash; mkdir SYSTEM-NAME
- Reserve space for crash dump files: cd /var/adm/crash/SYSTEM-NAME and create a file, minfree, that contains a number specifying the minimum free space (in K) that must be available for crash dumps. Ex: echo 500 > /var/adm/crash/dock/minfree
- Enable/disable crash dumps: edit /etc/init.d/sysetup, uncomment the lines that enable crash dumps, exit.
- Examine crash dump files using iscda.sh (from sunsolve.sun.com) or /usr/sbin/crash

Page 78: Sysadmin Info]

Solaris 8 - NFS I

- Summary of NFS system management tasks

1. Start/stop NFS operation
2. Create CacheFS to improve NFS server performance
3. Sharing/unsharing (exporting) FS as necessary
4. Mounting/unmounting NFS directories as needed
5. Modifying administrative files (/etc/dfs/dfstab, /etc/auto_master)
6. Verifying network status
7. Diagnosing and fixing NFS problems
8. Set up automounter maps

- Summary of NFS related commands:

nfsstat, ping, netstat, pkginfo, share, shareall

Page 79: Sysadmin Info]

Solaris 8 - NFS II

- Setting up NFS Servers and Clients

1. Use 'pkginfo' command to make sure you have installed the following: Remote Procedure Call (RPC) Utilities, Network Support Utilities, TCP/IP Utilities, DFS Administration Utilities.

2. If you don't have them, install them using the 'pkgadd' command.

3. To START NFS: server: sh /etc/init.d/nfs.server start; client: sh /etc/init.d/nfs.client start

NOTE: this is usually done automatically at boot by the RC scripts.

4. To STOP NFS: server: sh /etc/init.d/nfs.server stop; client: sh /etc/init.d/nfs.client stop

5. Set up automatic sharing (export): edit /etc/dfs/dfstab, add entries, run 'shareall' command, verify by 'showmount -a' command.

6. Set up automatic mounting by placing entry in /etc/vfstab

Page 80: Sysadmin Info]

Solaris 8 - NFS III

- The 'share' command is used to make dirs available for NFS export. Remember the unique UID/GID is important for security. Command options:

-o indicates more options follow

rw indicates R/W access to the directory except for those hosts defined by ro=<hosts>. Can be of the form rw=<hosts>. This is the DEFAULT condition.

ro indicates R/O access to the directory except for those hosts defined by rw=<hosts>.

anon=uid - allows you to specify a uid on YOUR system that the CLIENT system's root user (UID=0) will be when it's on your system. This prevents a client root from getting your root access. DEFAULT: client UID=0 -> server UID=60001 (nobody).

root=<hosts> - allows root on the listed hosts to BE root on your system. NOT recommended.
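Added example, not from the slides: an audit of the share lines in /etc/dfs/dfstab for the options just described. It reports root=, anon=0, and exports that are read-write to every host. The dfstab contents and the host names ivy and dock are constructed.

```shell
#!/bin/sh
# Added example: audit share(1M) lines in a dfstab for the options above.
# DFSTAB_SAMPLE is constructed; hosts ivy and dock are made-up names.

DFSTAB_SAMPLE='# place share(1M) commands here for automatic execution on entering init state 3
share -F nfs -o ro /export/cdrom
share -F nfs -o rw=ivy:dock,root=ivy /export/home
share -F nfs /export/local
share -F nfs -o rw,anon=0 /export/tmp
share -F nfs -o ro=dock /export/man'

# audit_dfstab: reads dfstab text on stdin, prints "<path>: <notes>" per
# risky export; exit status 1 if anything was reported, else 0.
audit_dfstab() {
    awk '
    /^#/ || NF == 0 || $1 != "share" { next }
    {
        path = $NF; opts = ""
        for (i = 2; i < NF; i++) if ($i == "-o") opts = $(i + 1)
        n = split(opts, o, ",")
        restricted = 0; ro_all = 0; note = ""
        for (j = 1; j <= n; j++) {
            # root=<hosts>: client root keeps UID 0 here instead of being mapped to nobody
            if (o[j] ~ /^root=/) note = note " root=<hosts> lets client root be root on this server;"
            # anon=0: unmapped (root) requests are treated as UID 0
            if (o[j] ~ /^anon=0$/) note = note " anon=0 maps client root to UID 0 instead of 60001 (nobody);"
            if (o[j] ~ /^(rw|ro)=/) restricted = 1
            if (o[j] == "ro") ro_all = 1
        }
        # no rw=/ro= host list and not read-only: rw to every host (the default)
        if (!restricted && !ro_all) note = note " read-write to every host (default when no rw=/ro= list is given);"
        if (note != "") { printf "%s:%s\n", path, note; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# run against the constructed sample when executed directly
printf '%s\n' "$DFSTAB_SAMPLE" | audit_dfstab || echo "dfstab: risky exports found"
```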

Page 81: Sysadmin Info]

Solaris 8 - NFS IV

- Setup the Cache FS (Cache Filesystem)

- general purpose FS to improve NFS server performance. Used for heavy NFS loads, clients with slower links (PPP clients).
- the NFS server has the exported FS (Back FS).
- As the NFS clients access the Back FS, that piece is placed in the client's Cache FS. Initial request may be slower but later ones will be faster.

- Steps

1. Create the Cache FS

cfsadmin -c <cache-dir>

2. Specify the FS to be mounted in the CacheFS

mount -F cachefs -o backfstype=fstype,cachedir=cachedir[,options] <Back FS> <mnt-pt>

Page 82: Sysadmin Info]

Solaris 8 - NFS V

3. Verify the mount worked: cachefsstat <mnt-pt>

4. Put entry in /etc/vfstab
- Specify cachefs for FS Type
- put options in the MOUNT OPTIONS field

5. Modifying a FS in the cache - you must delete the cache, recreate it:

mount FS; cfsadmin -d all <cache FS>; cfsadmin -c <cache FS>; reboot

6. Display Cache FS info: cfsadmin -l <cache FS>

7. Deleting a Cache FS: cfsadmin -d <cache id> <cache-dir>

<cache id> is the last line of cfsadmin -l

8. Checking Cache FS Integrity: fsck -F cachefs <cache-dir>

Page 83: Sysadmin Info]

Solaris 8 - NFS VI

- NFS troubleshooting

1. Check to see if mountd daemon is running: ps -ef | grep mountd

2. Check to see if nfsd daemon is running: ps -ef | grep nfsd

3. If they're down, restart them from root: /usr/lib/nfs/mountd OR /usr/lib/nfs/nfsd -a 8

4. To see if server is up: ping <server>

5. To see if server nfsd daemon is responding, enter from client: /usr/sbin/rpcinfo -u <server> nfs

6. Check to see if server's mountd daemon is up: /usr/sbin/rpcinfo -u <server> mountd

Page 84: Sysadmin Info]

Solaris 8 - Automounter I

1. Accessing NFS dirs via mount uses system resources even if you're not accessing anything in the NFS dirs. Automounter does the mount only when needed and unmounts the NFS dir when they're not being used. Good way to optimize the network resources.

2. Automounter does not use /etc/vfstab. It uses a series of 'maps' (direct or indirect). The local root map is called /etc/auto_master. If NIS is used, information is in the MASTER map.

3. Three types of automount maps: master, indirect, direct. All are located in /etc.

4. Master map format:

mount-point   map   mount-options
    |          |         |
    |          |         Normal NFS mount options (ro, rw, nosuid, etc.)
    |          map name (can be indirect or direct)
    where to mount the files in the map - full absolute path name.

Page 85: Sysadmin Info]

Solaris 8 - Automounter II

- Special cases for the mount point field

/- means use the mount points in the map specified in the map field

/home means use /home as the local mount point for the entries in the map called /etc/auto_home. This technique can be used to automount home dirs in a lab situation.

/net tells automounter to look in the special map -hosts (NIS) and mount ALL of the FS that are available for export by the machines in the map. Easy but wasteful since it mounts ALL of the dirs and not just the one you need.

- INDIRECT MAPS

- contains the entries that are to be mounted under the mount point.
- Special case: /etc/auto_home contains a list of users and where their home dirs are located. When a user logs in on a machine, automounter will mount their home dir. FORMAT: username mount-options host:home-dir/&

Page 86: Sysadmin Info]

Solaris 8 - Automounter III

- DIRECT MAPS

- simplest to use. Format is similar to /etc/vfstab.

mount-point mount-options host:dir-name
+map-name (NIS only)

- Special Case

- Multiple mounts. Example, consider the following direct map entry:

/usr/local  -ro \
    /bin    ivy:/export/local/bin \
    /share  dock:/export/local/share \
    /src    -ro vtaix:/usr/local/src

This tells your system that /usr/local/bin is on machine ivy, /usr/local/share is on machine dock and /usr/local/src is on machine vtaix. The 3 dirs are mounted any time a user does a 'cd' to the /usr/local tree. You may use this scenario to access man pages on different machines.

Page 87: Sysadmin Info]

Solaris 8 - Automounter IV

- How does Automounter navigate through the maps?

- Maps are available locally or from an NIS+ server.
- At boot, automount reads the master map, /etc/auto_master, and compares it with the mount table, /etc/mnttab.
- NOTE: it checks the server's export list only at mount time. Once the FS are mounted, it doesn't check with the server until the server's FS are mounted/umounted, so newly exported FS won't be seen unless the server does a remount.

Page 88: Sysadmin Info]

Solaris 8 - Automounter V

The Automount Process
1. ping the server's mount service
2. request the server's export list, sort them by path name length so the mounting is done in order
3. mount the FS at the mount points specified in maps

Other Info
1. Map entry: +mapname reads a map file from NIS
2. Order is determined by the /etc/nsswitch.conf automount entry

Page 89: Sysadmin Info]

Solaris 8 - Automounter VI

Automount Map Maintenance
- local files: text editor
- NIS: make
- NIS+: nistbladm

- Run the automount command after 1) add/mod auto_master, 2) add direct map

- How to modify the Master map
- Use nistbladm to make changes to map
- At each client, run the automount command

Page 90: Sysadmin Info]

Solaris 8 - Kernel Mods

The kernel config file is /etc/system

To display kernel parms
- Use sysdef -i command

To modify a kernel parameter
- su root
- Edit /etc/system; add line of form: set parm=value. Ex: set max_nprocs=500
- Reboot the system

Page 91: Sysadmin Info]

Solaris 8 - Kernel Parameters

Tunable UFS Parameters
- ufs_ninode - max size of the inode table (default = max_nprocs+16+maxusers+64)
- ncsize - # of dnlc (directory-name lookup cache) entries (default = max_nprocs+16+maxusers+64)

Tunable STREAMS Parameters
- nstrpush - max # of STREAMS pushes allowed (9)
- strmsgsz - max size for the STREAMS message a user can generate. 0 = unlimited
- strctlsz - max size of the CTL part of a message
- strthresh - max size of dynamic memory the STREAMS subsystem can consume, in bytes
- sadcnt - number of sad devices

Page 92: Sysadmin Info]

Solaris 8 - Kernel Parameters

Tunable Interprocess Communication (IPC) Parameters
- msginfo_msgmap - number of entries in the message map (100)
- msginfo_msgmax - max message size (2048)
- msginfo_msgmnb - max bytes on queue (4096)
- msginfo_msgmni - # of message queue identifiers (50)
- msginfo_msgssz - segment size of a message (8)
- msginfo_msgtql - # of system message headers (40)
- msginfo_msgseg - # of message segments

See the AnswerBook for more info on tunable kernel parameters

Page 93: Sysadmin Info]

Solaris 8 - TCP/IP I

TCP/IP Network Administration

1. Transmission Control Protocol/Internet Protocol (TCP/IP) are the network communication protocols that are responsible for getting a packet of information from one host to another.

2. Unix Network administration involves setting up the standard network config files. These files give the network daemons the info they need to communicate to other Internet systems.

3. Generic Unix network administration commands:

netstat, ping, route, ps, ifconfig, snoop, nfsstat

4. TCP/IP related files:

/etc/hostname.leX, /etc/nodename.leX, /etc/defaultdomain, /etc/hosts, /etc/defaultrouter

Page 94: Sysadmin Info]

Solaris 8 - TCP/IP II

SETTING UP YOUR HOST ON THE NETWORK

1. Hosts are defined by a hostname (your pick) and an IP address (from CNS). Contact [email protected] for your IP address. You can call it anything you want BUT we STRONGLY suggest the following format:

hostname.dept.vt.edu
   |      |   |  |
   |      |   |  mandatory. Signifies an Educational site
   |      |   mandatory. Stands for Virginia Tech
   |      Optional but we suggest your dept. name (esm, cc, cs)
   your machine name

2. CNS will supply you with the address of your router and subnet mask.

3. The init scripts that control TCP/IP configuration/startup at boot are /etc/rc2.d/S69inet, /etc/rc2.d/S71rpc, /etc/rc2.d/S72inetsvc

Page 95: Sysadmin Info]

Solaris 8 - TCP/IP III

4. Configure your hosts from the local files if you're not using NIS or NIS+. If so, set up the network info on the NIS or NIS+ master.

- create /etc/nodename and put your host name in it.

- create /etc/hostname.<interface-name> and put either the IP address or the hostname. <interface-name> is usually le0 for Sparcstations.

- put your hostname, IP address and aliases for your system in /etc/hosts.

Leave the 127.0.0.1 entry alone. It is a special case for loopback test.

- put your domain name (dept.vt.edu) in /etc/defaultdomain.

- put the address of your default router (128.173.XX.1 where XX is your building subnet number that is supplied by CNS) in /etc/defaultrouter. General rule: Divide subnet field/4, truncate result, multiply by 4. Example: IP address: 128.173.14.200 -> 14/4=3.5, 3*4=12, address of router= 128.173.12.1

- put your subnet mask (255.255.25x.0) in /etc/netmasks.
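Added example, not part of the slides: a script that stages the files from the steps above into a scratch directory for review before they are copied to /etc, applying the default-router rule. It assumes a 255.255.252.0 netmask (which is what the "divide the subnet field by 4" rule implies), interface le0 and a department name of esm; the function names are mine.

```shell
#!/bin/sh
# Added example: stage the TCP/IP configuration files from the steps above
# into a scratch directory for review before copying them to /etc.
# Assumptions: netmask 255.255.252.0 (what the "third octet / 4" router rule
# implies), interface le0, department "esm"; function names are mine.

# vt_default_router IP: prints the default router address using the slide's
# rule: third octet divided by 4, truncated, times 4, host part .1
vt_default_router() {
    ip=$1
    o1=${ip%%.*}; rest=${ip#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}
    printf '%s.%s.%s.1\n' "$o1" "$o2" "$(( o3 / 4 * 4 ))"
}

# stage_net_files HOST DEPT IP IFACE DIR: writes nodename, hostname.IFACE,
# hosts, defaultdomain, defaultrouter and netmasks under DIR.
# Returns 1 (writing nothing) if HOST or IP is malformed.
stage_net_files() {
    host=$1; dept=$2; ip=$3; iface=$4; dir=$5
    # hostnames: lowercase letters, digits and hyphens only
    case $host in
        ""|*[!a-z0-9-]*) echo "bad hostname: $host" >&2; return 1 ;;
    esac
    # IP address: exactly four dotted decimal fields
    case $ip in
        *[!0-9.]*|*.*.*.*.*) echo "bad IP address: $ip" >&2; return 1 ;;
        *.*.*.*) ;;
        *) echo "bad IP address: $ip" >&2; return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    fqdn="$host.$dept.vt.edu"
    router=$(vt_default_router "$ip")
    network=${router%.1}.0          # network number for /etc/netmasks

    printf '%s\n' "$host" > "$dir/nodename"
    printf '%s\n' "$ip" > "$dir/hostname.$iface"
    # keep the loopback line the slide says to leave alone, then this host
    printf '127.0.0.1\tlocalhost\n%s\t%s %s\n' "$ip" "$fqdn" "$host" > "$dir/hosts"
    printf '%s.vt.edu\n' "$dept" > "$dir/defaultdomain"
    printf '%s\n' "$router" > "$dir/defaultrouter"
    printf '%s\t255.255.252.0\n' "$network" > "$dir/netmasks"
}

# usage: sh stage_net.sh HOST DEPT IP IFACE DIR
if [ "$#" -eq 5 ]; then
    stage_net_files "$@"
fi
```

Review the staged files (for example, diff them against the current /etc copies) before installing them; the script never writes to /etc itself.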

Page 96: Sysadmin Info]

Solaris 8 - TCP/IP IV

CONFIGURE NETWORK DATABASES

1. /etc/hosts - contains the addresses of hosts on our net. You should be using the VT nameserver to resolve addresses so this file should only have a loopback entry and one for your machine unless 3rd party software requires an entry.

2. /etc/nsswitch.conf - this file determines the search order for network information. For non-NIS systems, change the hosts entry from 'files' to 'dns files'. This tells the system to query the VT nameserver (dns) first and then the local files.

3. /etc/netmasks - contains the list of networks and netmasks. The netmask determines which of the 32 bits apply to the network address and which ones apply to the host address. This number is supplied to you by CNS.

Page 97: Sysadmin Info]

Solaris 2.6 - TCP/IP V

4. /etc/networks - maps network names to network numbers. Usually, no need to modify this file since we use the nameserver.

5. /etc/ethers - maps host names to ethernet addresses. Only needed if you use RARP for diskless machines.

6. /etc/protocols - list of the IP protocols running on the system. Created at installation and not modified by you.

7. /etc/services - lists the TCP and UDP services and their port numbers. Created at installation time and is only modified if you install 3rd party client/server software.

Page 98: Sysadmin Info]

Solaris 2.6 - TCP/IP VI

DEBUGGING TCP/IP PROBLEMS

1. Use 'netstat' command to get network information. Most frequently used options are -s, -r, -i

netstat -s - displays per-protocol stats for TCP, UDP, ICMP and IP. Check the error stats to see if there are problems.

netstat -i - displays I/O stats for each ethernet I/F connected to the system. Excessive I/O errors could be a problem with the I/F. High collision rates may be a CNS problem. Use with 'ping' command to see if packets are leaving your system.

netstat -r - displays the IP routing table. The router directs packets to/from your building's internal network.

2. The 'snoop' command can be used to capture network packets. BE CAREFUL. This is a network 'sniffer' command and has a dark side. Root users can run this but you must control root access.

Page 99: Sysadmin Info]

Solaris 8 - TCP/IP VII

4. Make sure the inetd daemon is running. Use: ps -ef | grep inetd to see if it is. If not, check your syslog for any error messages and restart it by running /etc/rc2.d/S69inet.

5. Use the 'ping' command to see if the network and remote system are up.

/usr/sbin/ping -s - continually sends packets to the target. Use this to see if packets are being lost.

6. Use the 'ifconfig' command to check the ethernet I/F status.

ifconfig -a - gives the IP address, netmask, broadcast, and ethernet address for all of the ethernet I/F connected to your system.

Page 100: Sysadmin Info]

Solaris Password File Fields

/etc/passwd
- username - 2-8 chars
- password - contains an x
- UID - user identification number
- GID - group identification number
- Comment - full name of the user
- Homedir - location of the user's home directory
- shell - default login shell

Page 101: Sysadmin Info]

Solaris Shadow Password File

/etc/shadow
- username - user name
- password - encrypted password. LK - locked, NP - no password for the account
- lastchg - # days between 1/1/70 and the last password change
- min - min. # days between password changes
- max - max. # days the password is valid
- inactive - # days an account can be inactive before it's locked
- expire - date account expires

Page 102: Sysadmin Info]

Customizing User Environment

Sets up the user environment at login
- Default User Environment Templates are: /etc/skel/local.login, /etc/skel/local.cshrc, /etc/skel/local.profile

SHELL    LOCATION          PURPOSE
Bourne   $HOME/.profile    Sets env. at login
C        $HOME/.login      Sets env. at login
         $HOME/.cshrc      Sets env. for all shells after login
Korn     $HOME/.profile    Sets env. at login

Page 103: Sysadmin Info]

The User Add Process

1. Customize User Initialization files in /etc/skel
2. Add groups
3. Set User Account Defaults
4. Add the User Account
5. Share the User Home Directory (optional)
6. Mount the User Home Directory

Page 104: Sysadmin Info]

User Maintenance Process

- Modify a group
- Delete a group
- Modify a User Account
- Delete a User Account
- Disable a User Account
- Change a User Password
- Change User Password Aging

Page 105: Sysadmin Info]

Solaris 8 Setting Up Users - I

1. Default User Account Policy

- Must abide by the VT Acceptable Use policy (ftp.vt.edu, handbooks)
- good idea to keep a form since sysadmins change frequently
- Assign the user to a group

2. Usernames

- keep the same username across machines. Try for the 1 username, 1 user rule. Some exceptions: sysadmin accounts. SUGGESTION: make the username the same as the PID.

- RULES: 2-8 letters/numerals with the first character being a letter. At least 1 character must be lowercase, no underscores.

Page 106: Sysadmin Info]

Solaris 8 Setting up Users - II

3. UID - User IDentification code. This is how the OS identifies a user, NOT by the username. Must be unique. See below.

4. RULES:

- UID range: 0<UID<60000 but 0-99 are reserved for non general users. ANY username with UID=0 is ROOT! UID 1 is reserved for 'daemon', UID 2 is reserved for 'bin'.
- UID 60001 is reserved for the 'nobody' account (NFS, FTP). UID 60002 is reserved for the 'noaccess' account.

- UID must be unique across campus to avoid NFS security problems. One way to assure this is to require your users to get a VT PID and use that PID number as the Unix UID on your system. ADVANTAGE: no paperwork on your part since the CC has the PID forms. Unique UID guaranteed across campus. DISADVANTAGE: user has to do the footwork to get a PID first.

Page 107: Sysadmin Info]

Solaris 8 Setting Up the User - III

5. Before adding new users, check to make sure UIDs aren't in use (unless you use the PID=UID rule.....hint!)

6. Group ID (GID) should be unique also but you can't use the PID rule here. GID RULES:
- Range: 0<GID<60002
- GID 0 is root. GID 60001 is 'nobody', GID 60002 is 'noaccess'
- Customary range is 100-60000
- Default is GID 1 (other). Group name-GID map is the /etc/group file.

7. User information is stored in:

- NIS+ tables: Password field, shadow field
- NIS maps: passwd map
- local /etc files: /etc/passwd, /etc/shadow........most common
- Use ADMINTOOL/USER ACCOUNT MANAGER tool to add/change/modify users.

Page 108: Sysadmin Info]

Solaris 8 Setting up the User - IV

- Setting up Groups

- info stored in NIS map (group), NIS+ table (Group) or /etc/group
- User must belong to at least 1 group but they can belong to 16 groups max.
- Use 'groups' command to see the group list for a user.
- Users can change to their other groups via the 'newgrp' command.
- FS access privileges are determined by the PRIMARY group.
- 3 fields in /etc/group: Group Name, Group password, GID, member list

Group password is NOT used. If there is a password defined in this field, newgrp will prompt the user for it BUT there's no utility to SET the password. Go figure.....this is a relic from old Unix.

- Default group names: root, other, bin, sys, adm, uucp, mail, tty, lp, nuucp, staff, daemon, nobody, noaccess.

Page 109: Sysadmin Info]

Solaris 8 Setting up the User - V

- General steps BEFORE adding the user. Edit the system-wide user initialization files. These files define environment variables, display the MOTD, set the default umask, etc. The MOTD is in /etc/motd.

1. su

2. Edit /etc/profile - system init file for bsh, ksh users. Edit /etc/.login - system init file for csh users. These files set system-wide environment variables and any other custom files. Good place to put the LM_LICENSE_FILE environment variable definition.

3. Edit /etc/skel/local.login, local.cshrc, local.profile to add any other user specific information. USER ACCOUNT MANAGER (add user or copy user) will prompt you for the Skeleton Path field. Enter: /etc/skel to tell it where to get the user init files.

Page 110: Sysadmin Info]

Solaris 8 Setting up the User - VI

- More on Initialization files

Environment Variables - shell variables (like VMS logical names) that are exported to all child processes. 2 ways to set them:

C-shell: setenv variable-name value
B-shell, K-shell: VARIABLE-NAME=value; export VARIABLE-NAME
NOTE: csh uses lowercase; bsh, ksh use upper case.

- Common shell variables used in the init files (csh, uppercase them for bsh and ksh):

arch - sets the user's system architecture (sun4, i386).
calendar - sets the path to the OW Calendar executables.
cdpath - used by the 'cd' command. This variable specifies a search list for relative directories. Allows you to specify relative names instead of explicit names.

Solaris 8 - Setting up the User - VII

- More environment variables

  deskset - sets the path to the OW Deskset executables
  history - sets the command history (C-shell only). You can use the command recall features of the C shell.
  home - defines the user home directory
  logname - defines the name of the user currently logged in. Set by the login program.
  lpdest - sets the user's default printer.
  mail - sets the path to the user's mailbox.
  manpath - sets the path to the man pages. This is usually modified after a compiler installation.
  openwinhome - defines the path to the OW executables
  path - defines the command search path. Order is important. Defined by the user's .profile or .cshrc at login.
  prompt - defines the shell prompt for csh.
  PS1 - defines the shell prompt for bsh and ksh.
  shell - sets the default shell used by make, vi and other commands.
  term - defines the terminal type. Default is /usr/share/lib/terminfo.

Solaris User Management - User/Group Management Commands

TASK                   ENVIRONMENT   COMMAND
Add User               NIS+          nistbladm, nisclient
                       NIS           useradd, make
                       None          useradd
Modify User            NIS+          nistbladm
                       NIS           usermod, make
                       None          usermod
Delete User            NIS+          nistbladm, nisclient
                       NIS           userdel, make
                       None          userdel
Set User Defaults      NIS+          N/A
                       NIS           useradd -D, make
                       None          useradd -D
Disable User           NIS+          nistbladm
                       NIS           vipw, make
                       None          vipw
Change User Password   NIS+          nispasswd
                       NIS           yppasswd
                       None          passwd
Add a Group            NIS+          nistbladm
                       NIS           groupadd, make
                       None          groupadd
Delete a Group         NIS+          groupdel
                       NIS           groupdel, make
                       None          groupdel
Find User              NIS+          nismatch
                       NIS           ypmatch
                       None          grep

Monitoring System Log Files - Most are located in /var

LOG FILE              USE
/var/adm/aculog       log of outgoing modem calls
/var/adm/admin.log    Admintool log
/var/adm/lastlog      history of last logins
/var/adm/messages     general system log
/var/adm/pacct        per-process accounting log
/var/adm/sa/*         system accounting files
/var/adm/sulog        su command history
/var/log/syslog       mail log, TCP Wrapper log
/var/adm/utmp         history of user logins
/var/adm/wtmp         history of system logins
/var/cron/log         /usr/sbin/cron logs
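Reviewing /var/adm/sulog is the check a sysadmin makes most often from this list. The script below is an added example, not part of the original slides: it summarises failed su-to-root attempts and flags a run of failures followed by a success on the same tty. The record layout ("SU MM/DD HH:MM +|- tty from-to") is the Solaris sulog format; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original slides): triage a Solaris-style
# /var/adm/sulog. Record format assumed: "SU MM/DD HH:MM [+|-] tty from-to",
# where "+" is a successful su and "-" a failed one.
# The sample below is constructed.
SAMPLE_SULOG='SU 03/15 08:02 + console root-adm
SU 03/15 09:41 - pts/3 guest-root
SU 03/15 09:42 - pts/3 guest-root
SU 03/15 09:43 + pts/3 guest-root
SU 03/16 10:10 + pts/1 marchany-root
SU 03/16 11:05 - pts/7 nobody-root'

# Reads sulog lines on stdin; prints "count user tty" for every failed
# su to root, most frequent first.
failed_su_to_root() {
    awk '$1 == "SU" && $4 == "-" && $6 ~ /-root$/ {
             sub(/-root$/, "", $6); key = $6 " " $5; n[key]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Reads sulog lines on stdin; prints "user tty after N failures" whenever a
# successful su to root follows failures by the same user on the same tty,
# the pattern a defender wants to look at first (a guessed root password).
failures_then_success() {
    awk '$1 == "SU" && $6 ~ /-root$/ {
             sub(/-root$/, "", $6); key = $6 " " $5
             if ($4 == "-") fails[key]++
             else if (fails[key] > 0) {
                 print key, "after", fails[key], "failures"; fails[key] = 0 }
         }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SULOG" | failed_su_to_root
printf '%s\n' "$SAMPLE_SULOG" | failures_then_success
```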

Some Search Hints

To find large files:
  - ls -s | sort -nr | more
  - find <dir> -size +nnn -print
To find old, inactive files:
  - find <dir> -type f -mtime +<days> -print
To find core files:
  - find <dir> -name core -print

Solaris Configuration Files - Found in /etc

- /etc/resolv.conf - defines NS locations
- /etc/nsswitch.conf - defines the search order for system DBs (net or local)
- /etc/inetd.conf - defines the Internet services allowed on the system
- /etc/syslog.conf - defines where the system logs reside

System Accounting - Programs that collect data about system usage

- monitor system usage
- troubleshooting
- monitor system performance
- maintain some security
- perform chargeback

Most programs are in /usr/adm/acct or /usr/lib/acct

Types of Accounting - Daily Accounting data collected

- Connect Accounting
  - length of time the user was logged in
  - tty line usage
  - number of system reboots
- Process Accounting
  - user UID, GID of those using the process
  - start/end times of the process
  - CPU time for the process
  - command name, memory used
  - tty line controlling the process

Types of Accounting/Reports

- Disk Accounting
  - user UID, GID, # of disk blocks used by the user
- Daily Accounting Reports
  - Daily Report - line utilization by tty number
  - Daily Usage - system usage by UID
  - Daily Command Summary - system usage by command, listed in descending order of memory
  - Last Login - last time each user logged in

Accounting Quick Reference - Setting up Accounting

- Install the SUNWaccr, SUNWaccu packages
- Install /etc/init.d/acct as the start script for run level 2:
    ln /etc/init.d/acct /etc/rc2.d/S22acct
- Install the same file as the stop script for level 0:
    ln /etc/init.d/acct /etc/rc0.d/K22acct
- Add entries for /usr/lib/acct/ckpacct, /usr/lib/acct/runacct, /usr/lib/acct/monacct to the end of /var/spool/cron/crontabs/adm

Accounting Quick Reference - Setting up Accounting (cont'd)

- Add an entry for /usr/lib/acct/dodisk to the end of /var/spool/cron/crontabs/root
- Edit /etc/acct/holidays to include national and local holidays

Solaris 8 - Security

- Use the checklists available at the www.cc.vt.edu Sun Scholarpac WWW site
  - Two checklists that help you bring a system to a base level of security
  - Install TCP Wrappers, CRACK, lsof, Sun's patchdiag tool, ssh and any other tools you deem fit for your environment.
- Use the Solaris Security FAQ available from the net.

Solaris 8 Security - Securing Systems

- Display a user's login status: logins -x -l <username>
- Search for accounts with no password: logins -p
- Save failed login attempts: touch /var/adm/loginlog; chmod 600 /var/adm/loginlog; chgrp sys /var/adm/loginlog
- Restrict root login to the console: vi /etc/default/login, uncomment the CONSOLE line
- Monitor the su log: vi /etc/default/su, uncomment the SULOG line
- Display root console access: vi /etc/default/su, uncomment the CONSOLE line
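A way to verify the settings above after editing, as an added example that is not part of the original slides: each check takes file paths as parameters so it can run against the constructed sample files built inline; on a real host the paths would be /etc/default/login, /etc/default/su and /var/adm/loginlog. The sample file contents are constructed and are not a copy of Sun's shipped defaults.

```shell
#!/bin/sh
# Added example (not from the original slides): verify the "Securing Systems"
# settings. Paths are parameters so the checks run offline on constructed files.

# Exit 0 if KEY is set on an uncommented line of FILE, 1 if it is only
# commented out (as in "#CONSOLE=/dev/console") or absent.
setting_active() {   # $1 = file, $2 = key (e.g. CONSOLE)
    grep -q "^[[:space:]]*$2=" "$1" 2>/dev/null
}

# Exit 0 if FILE exists with mode 600 (the slide's chmod), 1 otherwise.
# ls -l is parsed because stat(1) flags differ between systems.
loginlog_mode_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -l "$1")" in -rw-------*) return 0 ;; *) return 1 ;; esac
}

# Prints one PASS/FAIL line per check; exit status is the number of failures.
check_login_hardening() {   # $1 = login defaults, $2 = su defaults, $3 = loginlog
    fails=0
    if setting_active "$1" CONSOLE; then echo "PASS root login restricted to console ($1)"
    else echo "FAIL CONSOLE line commented out in $1"; fails=$((fails + 1)); fi
    if setting_active "$2" SULOG; then echo "PASS su attempts logged ($2)"
    else echo "FAIL SULOG line commented out in $2"; fails=$((fails + 1)); fi
    if setting_active "$2" CONSOLE; then echo "PASS root su shown on console ($2)"
    else echo "FAIL CONSOLE line commented out in $2"; fails=$((fails + 1)); fi
    if loginlog_mode_ok "$3"; then echo "PASS $3 exists with mode 600"
    else echo "FAIL $3 missing or not mode 600"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed sample files: an unhardened set and a hardened set.
WORK=$(mktemp -d)
mkdir "$WORK/weak" "$WORK/hard"
printf '# constructed sample\n#CONSOLE=/dev/console\n' > "$WORK/weak/login"
printf '# constructed sample\n#SULOG=/var/adm/sulog\n#CONSOLE=/dev/console\n' > "$WORK/weak/su"
printf '# constructed sample\nCONSOLE=/dev/console\n' > "$WORK/hard/login"
printf '# constructed sample\nSULOG=/var/adm/sulog\nCONSOLE=/dev/console\n' > "$WORK/hard/su"
: > "$WORK/hard/loginlog" && chmod 600 "$WORK/hard/loginlog"

weak_failures() { check_login_hardening "$WORK/weak/login" "$WORK/weak/su" "$WORK/weak/loginlog"; }
hard_failures() { check_login_hardening "$WORK/hard/login" "$WORK/hard/su" "$WORK/hard/loginlog"; }

# Stand-alone run: the weak set fails all four checks, the hardened set none.
if weak_failures; then echo "weak: hardened"; else echo "weak: $? failure(s)"; fi
if hard_failures; then echo "hard: hardened"; else echo "hard: $? failure(s)"; fi
```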

Solaris 8 Security - ACL (Access Control Lists)

- Similar to AIX ACLs. Allows you to be more flexible in defining your file access permissions.
- You can deny write access to one group and allow it to another.
- 2 commands: getfacl, setfacl {-s | -m | -d}
- A + in the perm field marks a file with an ACL. Use the getfacl command to look at the ACL.

Setting an ACL
- Example: set file ch2.doc with the following perms: 740, with group 'sysadmin' having RW and ACL mask RW:
    setfacl -s u::7,g::4,o:0,g:sysadmin:6,m:6 ch2.doc

Reading the ACL
- getfacl ch2.doc

Solaris Audit Administration

- Allows sysadmins to detect potential security breaches
- Look for suspicious patterns
- This is system admin auditing, not audit auditing... :-)
- Can record events in an audit trail and analyze misuse by examining it.
- Can eat up LOTS of disk space

Solaris Auditing

Enable Auditing: /usr/sbin/auditd
  - see the audit_startup man page for more info

Audit Classes and Events
  - Auditable event - some system action defined in /etc/security/audit by name, event number, class and description
  - see the audit_event(4) man page for more info

Audit Record
  - a single audited event stored in a log

Solaris Auditing - Audit Flags (+/-flag, example: +exec)

- Flag names: file_read, file_write, file_creation, file_deletion, file_close, process, network (bind, accept, connect), login_logout, application, exec, all
- Flags are stored in the audit_control file. Example:
    flags: lo, ad, -all
    dir: /etc/security/audit/audit.log
  This says: audit all login/logout and admin operations, and record failures of any type.
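To check what a flags: line actually covers before turning auditing on, the function below (an added example, not from the original slides) decides whether an event of a given class and outcome would be recorded. It assumes the audit_control(4) semantics stated above: a bare class audits successes and failures, "+class" successes only, "-class" failures only, and "all" stands for every class; any other prefix is not handled.

```shell
#!/bin/sh
# Added example (not from the original slides): evaluate an audit_control
# flags: line for one event. Assumed semantics: bare class = success and
# failure, +class = success only, -class = failure only, all = every class.

# Usage: audited 'FLAGS' CLASS OUTCOME   (OUTCOME is success or failure)
# Prints yes or no; exit status 0 for yes, 1 for no.
audited() {
    flags=$(printf '%s' "$1" | tr -d ' \t')   # "lo, ad, -all" -> "lo,ad,-all"
    class=$2; outcome=$3; result=no
    oldifs=$IFS; IFS=,
    for entry in $flags; do
        case $entry in
            +*) want=success; name=${entry#+} ;;
            -*) want=failure; name=${entry#-} ;;
            *)  want=both;    name=$entry ;;
        esac
        # An entry applies if it names this class or "all".
        [ "$name" = all ] || [ "$name" = "$class" ] || continue
        if [ "$want" = both ] || [ "$want" = "$outcome" ]; then result=yes; fi
    done
    IFS=$oldifs
    echo "$result"
    [ "$result" = yes ]
}

# Stand-alone run over the slide's example line.
FLAGS='lo, ad, -all'
for ev in 'lo success' 'lo failure' 'ad success' 'fw success' 'fw failure' 'ex failure'; do
    set -- $ev
    printf '%-3s %-8s under "%s" -> ' "$1" "$2" "$FLAGS"
    audited "$FLAGS" "$1" "$2" || true
done
```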

Solaris Auditing - Individual User Auditing: audit_user file

- allows you to audit different actions for different users
- 3 fields: username:always_audit:never_audit

Process Audit Characteristics
- Process Preselection Mask: specifies whether events in each audit event class should generate audit records.

Solaris Auditing - Process Audit Characteristics (cont'd)

- Audit ID: assigned when a user logs in. The sysadmin can always trace back to a user.
- Audit Session ID: same as above
- Terminal ID: hostname and IP address followed by a unique # that identifies the physical device the user used to login. Console = 0.

Audit Costs
- increased processing time
- analysis processing time
- disk storage costs

Solaris Auditing - Strategies

- Random audits of a certain % of users
- Real-time monitoring of audit data for unusual behaviors
- Combining, compressing and reducing multiple audit logs; offline storage

Solaris Auditing - To Configure Auditing

- Format/partition disk for audit partitions
- Create audit_control file entries for the audit filesystems
- Define audit classes (audit_class(4)) in /etc/security/audit_class
- Set up the event-to-class mapping (audit_event(4)) in /etc/security/audit_event

Solaris Auditing - To Configure Auditing (cont'd)

- Determine how much auditing needs to be done
- Determine which machines will be audit servers
- Determine which audit classes will be system-wide
- Decide on individual user auditing

Solaris Auditing - Command Reference

- allocate, audit, audit_startup, audit_warn, auditconfig, auditd, auditreduce, auditstat, bsmconv, bsmunconv, deallocate

Solaris NIS or NIS+?

Network Information Service (NIS)
- Formerly Yellow Pages, it allows centralized management of common system/network DBs such as password, host, NFS.
- Anyone can become a member of an NIS domain, allowing access to the NIS DB.

NIS+
- More secure because you define the client list. You can selectively allow access to specific NIS+ tables.
- DISADV: Other vendors may not have NIS+ clients implemented yet.

Solaris NIS/NIS+ Concepts

- NIS/NIS+ uses a set of master maps/tables that contain common information for all members of the domain. This common information can be passwords, host table, ethernet addresses, automounter info, mail aliases, etc.
- NIS/NIS+ files are stored in the following dirs:

  DIRECTORY        CONTENTS                      WHERE
  /usr/bin         NIS+ user commands            all
  /usr/lib/nis     NIS+ administrator commands   all
  /usr/sbin        NIS+ daemons                  all
  /usr/lib/        NIS+ shared libs              all
  /var/nis/data    NIS+ server data files        server
  /var/nis         NIS+ working files            server
  /var/nis         client info                   client

Solaris NIS/NIS+ Concepts (cont'd)

- NIS/NIS+ Principals are the clients that request NIS+ info. A client can be a machine or a userid.
- NIS/NIS+ Credentials authenticate the Principal requesting the NIS+ info. USER credentials define a userid's access rights. MACHINE credentials define a client machine's access rights.
- DES credentials simply use DES to encrypt the authorization key for a principal. LOCAL credentials are a map between a UID and their PRINCIPAL name. NIS+ uses the LOCAL info to get the DES info for that Principal.

Solaris NIS/NIS+ Planning

- Plan your NIS/NIS+ layout
  - Determine your server specs: 1 root server per hierarchy, 1 master per domain in the hierarchy, 1 slave for each domain, master disk requirements (15-20MB disk per 1000 clients), and determine the admin group and members.
- Prepare the NIS/NIS+ namespace
  - Pick NIS/NIS+ domain names; make sure the name is not easily guessed (NIS) and not related to anything.
  - Initialize the root server (nisserver)
- Verify that the data in the /etc files is correct.
  - This data will be used to populate the NIS/NIS+ maps/tables.

Solaris NIS/NIS+ Planning (cont'd)

- Populate the NIS/NIS+ maps/tables
  - Data is taken from existing /etc files or NIS maps (nispopulate). Create credentials for the root domain clients and administrator clients (nisgrpadm, nisping).
- Set up the root domain clients (nisclient)
  - Slave servers must be set up as clients first
- Enable slave servers (rpc.nisd)
- Set up root replicas (rpc.nisd, nisserver)
- Set up non-root domains (rpc.nisd, nisserver)
  - Create any subdomains in the NIS/NIS+ namespace
- Populate tables (nispopulate)
- Set up non-root domain clients (nisclient)

Solaris NIS/NIS+ Setup - NIS/NIS+ Domain Setup Command Summary

Create the root master server
  - nisserver -r -d NEWDOMAIN.
  - nisserver -Y -r -d NEWDOMAIN.
Populate the root master tables from /etc files or NIS
  - nispopulate -F -p /files -d NEWDOMAIN.
  - nispopulate -Y -d NEWDOMAIN. -h NIS-HOSTNAME -a NIS-IPADDR -y NISDOMAIN
Add additional users to the NIS+ admin group
  - nisgrpadm -a admin.domain. USER/HOST.domain.
Make a checkpoint of the NIS+ DB
  - nisping -C domain.

Solaris NIS/NIS+ Setup (cont'd)

Initialize a new client machine
  - nisclient -i -d NEWDOMAIN. -h ROOTHOSTNAME
Initialize users as NIS+ clients
  - nisclient -u
Convert a client machine to a server
  - rpc.nisd
  - rpc.nisd -Y
  - rpc.nisd -Y -B
Convert a server to a root replica
  - nisserver -R -d NEWDOMAIN. -h CLIENTNAME
Convert a server to a non-root master
  - nisserver -M -d NEWSUBDOMAIN.NEWDOMAIN. -h HOST

Solaris NIS/NIS+ - Prerequisites

- The root host's /etc/passwd must contain entries for you and every other admin; you must have the Root Domain Name, the Root Admin Group Name, and the UIDs of all the admins.
- Add the Root Domain Name, make sure the correct /etc/nsswitch.conf is used, and clean out leftover NIS+ files or processes:
  - domainname NEWDOMAIN
  - domainname > /etc/defaultdomain
  - more /etc/nsswitch.conf (search order is nisplus, files); if you make any changes, restart the nscd daemon: sh /etc/init.d/nscd stop; sh /etc/init.d/nscd start

Solaris NIS/NIS+ Root Domain

Restart the keyserv daemon, clean leftover NIS stuff
  - ps -e | grep keyserv; kill -9 PID; rm -f /etc/.rootkey; keyserv
  - ls /var/nis; rm -rf /var/nis/*; ps -ef | grep nis_cachemgr; kill -9 PID
  - Do the same for rpc.nisd and rpc.nispasswdd
Name the root domain admin group
  - setenv NIS_GROUP admin.NEWDOMAIN.
Create the root dir
  - nisinit -r
  - This creates the /var/nis tree

Solaris NIS/NIS+ Root Domain (cont'd)

Start the NIS+ daemon
  - rpc.nisd -Y -B -S 0
  - Edit /etc/init.d/rpc, add -B to the EMULYP line (NIS compatibility only)
Verify the root objects were created properly
  - ls -l /var/nis/data; nisls -l DOMAINNAME.; niscat -o DOMAINNAME.
Create the Root Domain subdirs
  - /usr/lib/nis/nissetup -Y
Create DES credentials for the root master server
  - nisaddcred des
  - The root server requires DES creds so its requests can be authenticated

Solaris NIS/NIS+ Root Domain (cont'd)

Create the Root Domain admin group
  - nisgrpadm -c admin.NEWDOMAIN.
Add the root master to the Root Domain admin group
  - nisgrpadm -a admin.NEWDOMAIN. HOSTNAME.
Update the root domain's public keys
  - /usr/lib/nis/nisupdkeys NEWDOMAIN.
  - /usr/lib/nis/nisupdkeys org_dir.NEWDOMAIN.
  - /usr/lib/nis/nisupdkeys groups_dir.NEWDOMAIN.
Start the NIS+ cache manager
  - nis_cachemgr
Restart the NIS+ daemon
  - ps -e | grep rpc.nisd; kill -9 PID; rpc.nisd

Solaris NIS/NIS+ Root Domain (cont'd)

Add your LOCAL credentials to the root domain
  - nisaddcred -p UID -P PRINCIPAL-NAME local
  - The PRINCIPAL-NAME is your userid plus the domainname, e.g. marchany.root.domain.
Add your DES credentials to the root domain
  - nisaddcred -p unix.UID@NEWDOMAIN. -P PRINCIPAL-NAME des
Add credentials for the other admins
Add yourself and the other admins to the root domain admin group
  - nisgrpadm -a admin.NEWDOMAIN. PRINCIPAL-NAME

Solaris NIS/NIS+ Client Setup - Prerequisites

- The admin must have valid DES creds and modify rights to the NIS+ cred table
- The client must have an entry in /etc/hosts for the root server, and a unique hostname

Create DES credentials for the client system
  - Login to the root master server.
  - nisaddcred -p unix.CLIENTNAME@NEWDOMAIN. -P CLIENTNAME.NEWDOMAIN. des
  - where CLIENTNAME is the client hostname
Login to the client, assign the new domain name, check /etc/nsswitch.conf, restart nscd if needed, clean out old NIS+ files

Solaris NIS/NIS+ Client Setup - Initialize the client

- Check the client's /etc/hosts and make sure the root server entry is correct.
- nisinit -c -H ROOTMASTERNAME
- Kill and restart the keyserv daemon
- Enter: keylogin -r
- Reboot the client

Solaris 8 - Backup I

- Filesystem Backup Strategies

1. MOST IMPORTANT: You have a REGULAR backup schedule and you FOLLOW it!!!!!!!!!
2. Preparing to do backups:
   - decide on the frequency. Most common: 1 full backup monthly, weekly incrementals.
   - know the name of the backup device (remote or local).
   - know the type of drive (8mm, 4mm, etc.). 8mm or 4mm is more practical since disks have GB capacity. Forget the QIC-150 format.
   - know the names of the FSs you want to back up.
   - have a good estimate of the number of tapes you'll need.

Solaris 8 - Backup II

DETERMINE THE FILESYSTEM RAW DEVICE NAME
1. To find out the FS raw device name, look in /etc/vfstab under the 'device to fsck' column. Use this name with the 'ufsdump' command.
2. Another way: if the FS is already mounted, enter: devnm <mount-point>, then substitute 'rdsk' for the 'dsk' part of the output.

DETERMINE THE TAPE DRIVE TYPE
1. Assuming there's a tape drive attached to the system, enter: mt -f /dev/rmt/# status, where # is the unit number of the tape drive, typically 0 or 1.
2. To poll a system to locate all the tape drives connected to it, enter:

   for drive in 0 1 2 3 4 5 6 7; do mt -f /dev/rmt/$drive status; done

Solaris 8 - Backup III

DETERMINE # OF TAPES NEEDED FOR BACKUP
1. Enter: /usr/sbin/df -k <mountpoint>
2. Divide the FS size by the tape capacity, e.g. 5GB for 8mm tape, to see how many tapes are needed.
3. To see how many tapes will be needed before doing an INCREMENTAL backup, enter:

   ufsdump S backup-device Filesystem

   The S option returns an estimate of the size in bytes. Divide this number by the tape capacity to get an estimate of the number of tapes.

Solaris 8 - Backup IV

1. Backup commands: tar - good for single directory backups, not so good at handling tape errors and symlinks. ufsdump - dumps the ENTIRE FS. Takes longer but it gets everything according to the level.
2. ufsdump levels - the level number (0-9) tells the dump program to save everything that was saved by a HIGHER level dump. Level 0 is a FULL backup. A level 5 dump will save all files saved by levels 5-9 but NOT levels 0-4. Level 5 is typically used for incremental backups.
3. DOING A FULL BACKUP
   - shut down to single user: cd /; shutdown; halt, then boot -s
   - load a tape into the drive
   - Enter: /usr/bin/ufsdump 0ucf /dev/rmt/unit# <FS Name>
   - replace the tape as needed, label it and save it in a SECURE place.
   - reboot the system

Solaris 8 - Backup V

4. DOING AN INCREMENTAL BACKUP
   - Shut the system down and reboot into single user mode.
   - load the tape drive
   - enter: ufsdump [1-9]ucf /dev/rmt/unit# <FS Name>
   - load tapes as needed
5. DOING A FULL BACKUP TO A REMOTE DEVICE
   - Shutdown and reboot in single user mode
   - Make sure the remote machine is up. Enter: rsh <hostname> cat /etc/motd. If you get a valid response, your system is in the remote system's /.rhosts file. If not, you need to add your system name to the server's /.rhosts file. NOTE: This is a SECURITY problem if left in all the time.
   - Generic command format: ufsdump options host:device <FS name>
   - You must add the system name to the server's /.rhosts and the system IP address to the server's /etc/hosts
   - Look at 3rd party network backup software (Legato, Adstar)

Solaris 8 - Backup VI

Backup files
  - ufsdump 0ucf /dev/rmt/0 /home
Verify backup
  - ufsrestore tf /dev/rmt/0
Incremental backup
  - ufsdump 5ucf /dev/rmt/0 /usr
Backup to a remote system
  - ufsdump 0ucf remote:/dev/rmt/0 /home

Solaris 8 - Restore I

- COMMANDS:
  tar xvf tar-file   OR   ufsrestore <options> <device> <FS-to-restore>

1. If run as root, files are restored with the original owner, last modification time, and access permissions. If not, then the restored files belong to the UID that is running the restore !!!! SECURE THE BACKUP TAPES!!!!

- FINDING WHICH TAPE TO USE IN THE RESTORE
1. To restore an entire FS:
   - you need the most recent level 0 backup tape and the most recent incremental tape (for each level).
2. To find an individual file on the set of tapes:
   - Find out the approximate date the file was lost.
   - Work backward through your backup tape schedule from highest to lowest level and most recent to least recent.
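The tape-selection rule for a full restore, worked through as an added example that is not part of the original slides: given a log of completed dumps, the function picks the latest level 0 and then, repeatedly, the most recent later dump of the lowest level higher than the one just chosen, which is the general form of "most recent incremental for each level". The log layout (date, level, tape label) and the entries are constructed.

```shell
#!/bin/sh
# Added example (not from the original slides): choose the tapes needed to
# rebuild a file system from a log of ufsdump runs. Log line format assumed:
# "YYYY-MM-DD level tape-label". The entries below are constructed: a monthly
# level 0, weekly level 5s, and a few daily level 9s.
DUMP_LOG='2000-03-01 0 T01
2000-03-08 5 T02
2000-03-15 5 T03
2000-03-22 5 T04
2000-03-23 9 T05
2000-03-24 9 T06
2000-03-29 5 T07
2000-03-30 9 T08'

# Reads log lines on stdin; prints "date level tape" for each tape to load,
# in restore order. Exits 1 if no level 0 dump exists.
restore_sequence() {
    sort | awk '
        { date[NR] = $1; lvl[NR] = $2; tape[NR] = $3 }
        END {
            # 1. The most recent level 0 dump is always first.
            start = 0
            for (i = 1; i <= NR; i++) if (lvl[i] == 0) start = i
            if (!start) { print "no level 0 dump found" > "/dev/stderr"; exit 1 }
            print date[start], lvl[start], tape[start]
            cur = start; curlvl = 0
            # 2. Among dumps after the one just chosen with a level higher
            #    than it, take the lowest level, and of those the most recent
            #    (it contains everything changed since the chosen dump).
            while (1) {
                best = 0; bestlvl = 10
                for (i = cur + 1; i <= NR; i++)
                    if (lvl[i] > curlvl && lvl[i] <= bestlvl) { best = i; bestlvl = lvl[i] }
                if (!best) break
                print date[best], lvl[best], tape[best]
                cur = best; curlvl = bestlvl
            }
        }'
}

# Stand-alone run: T01 (level 0), then T07 (the last level 5 after it),
# then T08 (the level 9 after T07). T02-T06 are superseded by T07.
printf '%s\n' "$DUMP_LOG" | restore_sequence
```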

Solaris 8 - Restore II

- get the tape, load it in the drive
- enter: ufsrestore ta archive-name filename (for tape archives) or ufsrestore tf device-name filename (for single tapes)

RESTORING / OR /usr FILE SYSTEMS
1. Shut down the system. Replace the bad disk drive.
2. Boot single user from the Solaris Installation CD.
3. Partition the disk using the format command.
4. Make a new FS (newfs command) and verify (fsck command) each partition except swap.
5. Enter: mount /dev/dsk/cNtNdNsN /mnt
6. Enter: cd /mnt
7. Create the tape devices: tapes
8. Write-protect the tapes.
9. Restore the FS using level 0 then level X: ufsrestore rvf /dev/rmt/X
10. Remove the symbol table file: rm restoresymtable
11. Enter: cd /
12. Enter: umount /mnt; fsck /dev/rdsk/<device name>; init 6
13. Repeat steps 8-12 to restore /usr

Solaris 8 - Restore III - Restoring User files

Sun recommends restoring them to /tmp to make sure they're ok and then moving them to the proper place.

1. su, load the proper backup tape on the drive.
2. Enter: cd /var/tmp (or whatever temporary space you want)
3. Enter: ufsrestore if /dev/rmt/<unit#>
4. Create a list of files to be restored by entering the following commands at the 'restore> ' prompt:
   - ls
   - cd dir-name
   - to add/remove a name to the list, enter: add <filename> or delete <filename>
   - to keep the original modes on the files, enter: setmodes
   - when done creating the list, enter: extract
   - answer the prompts.
   - you'll get a 'restore>' prompt when it's done. Enter: quit
5. Verify the files/dirs were restored using the ls command with the proper mode.
6. Use the 'mv' command to move the files to the target.

Solaris 8 - Restore IV - RESTORING INDIVIDUAL FILES (another way)

1. su, load the tape.
2. Enter: cd /var/tmp
3. Enter: ufsrestore xf /dev/rmt/<unit#> filename
4. Enter: n for the 'set owner/mode for '.'? [yn]' prompt
5. When done, verify everything is ok using the 'ls' command.
6. Use the 'mv' command to move the file to its final resting place.

NOTE: you cannot use 'ufsrestore' to restore files from a set of tapes created by the Solaris 1.x 'dump' command.

Solaris 8 - Disk Use I - THINGS TO MONITOR:

1. Available disk space: use the 'df' command
2. Files & directories: use the 'ls', 'du', 'quot', 'find' commands
3. Overloaded FS
4. Quotas
5. Repairing bad disks

SYSTEM LOG FILES - /var/adm, /var/log
  aculog - log of outgoing modem calls
  admin.log - log of the Admin_Tool utility
  lastlog - history of last logins
  messages - the general system log file
  pacct - per process accounting info (if accounting is enabled)
  sa - this directory contains system accounting files
  sulog - history of su commands
  utmp, wtmp - history of user, system logins
  lp/logs - LP print service logs
  /var/log/syslog* - mail logs, TCP Wrapper logs

Solaris 8 - Disk Use II

1. To find large files
   - cd <dir>
   - Enter: ls -s | sort -nr | more - this gives the files sorted by block size in reverse order
2. To find files that exceed a certain size of NNN blocks
   find <dir> -size +NNN -print
3. Finding large directories
   du -s <dir>   OR   du -a <dir>
4. To find out who is using the most disk space
   quot <FS name>   OR   quot -a <FS name>
   Quotas must be enabled for this to work.

Solaris 2.5 - Disk Use III - QUOTAS

- two limits: hard and soft. Non-root users cannot exceed the hard quota limit. Users can exceed soft limits for a short period of time.
- Decide which FSs will use quotas.
- SETUP:
  1. edit /etc/rc2.d/S01MOUNTFSYS, have it init quotas at boot time.
  2. edit /etc/vfstab, add the mount option 'rq' to the quota'd FS entry.
  3. create the /<FS name>/quotas file
  4. use the 'edquota' tool to set up the limits for the quotas.
  5. Enable quotas with the 'quotaon' command.
- ADMINISTRATION:
  1. The edquota, quot, quota, quotaon, quotaoff, quotacheck, repquota commands handle administration.

Solaris 2.5 - Disk Quota I - SETUP:

1. edit /etc/rc2.d/S01MOUNTFSYS
   - add the following lines after the 'fi' line:

     # Enable checking quota
     echo -n 'checking quotas:' > /dev/console
     /usr/sbin/quotacheck -a > /dev/console 2>&1
     echo 'done' > /dev/console
     /usr/sbin/quotaon -a

2. edit /etc/vfstab to activate quotas for the individual FS
   - add 'rq' to the mount options field for the FS entry.
   - Enter: cd /<FS name>
   - Enter: touch quotas
   - Enter: chmod 600 quotas

Solaris 2.5 - Disk Quotas II

3. Change the default time limit for soft limits. Default soft limit time: 1 week. The time limit applies to the entire FS.
   - su
   - enter: edquota -t
   - 1 entry for each FS with a quotas file in it; time limit=0 means default. Replace the number with the new number. Units can be month, day, hour, min, sec (ex: 1 day, 2 months)
4. Set up User Quotas
   - enter: edquota <username>
   - Change the appropriate limits. Limits are in number of 1K blocks.
5. Once done for one user, you can replicate for others
   - enter: edquota -p <username-with-quotas> <user-list>

Solaris 2.5 - Performance I

- Monitoring Performance

1. General tools/commands: sar, sadc, vmstat, iostat, df, ps, Perfmeter, uptime.
2. General measure of system activity: System Load Average (SLA) - average # of processes in the kernel run queue during a specified time interval.
3. A process is in the run queue if:
   - not waiting for an external event (e.g. echo of a character)
   - not in a wait state
   - not stopped via ctrl-Z.
4. It's not very accurate because:
   - it marks as runnable all jobs waiting for disk I/O (NFS also). The SLA can climb if the NFS servers are down because the NFS process is runnable.
   - it doesn't account for scheduling priority.

Solaris 2.5 - Performance II

Performance Monitoring Commands

1. uptime - reports the SLA for 1, 5, 15 minute intervals
   SLA > 10 - may have an overworked CPU
   4 < SLA < 7 - borderline
   0 < SLA < 3 - OK
   These measurements should be taken over a period of time (1 day) and averaged out to determine an overall SLA.
2. vmstat - reports virtual memory stats, shows CPU load, paging, etc.
   Procs - # of procs in the run queue (r), blocked waiting for resources (b), swapped out and waiting for processing resources to finish (w).
   Memory - currently available swap space (swap), free list size (free)
   Page - pages reclaimed (re), minor faults (mf), Kbytes paged in (pi), Kbytes paged out (po), Kbytes freed (fr), short term memory shortfall (de), pages scanned by the clock algorithm (sr)

Solaris 2.5 - Performance III - vmstat output (cont'd)

Disk - # of disk ops/second
CPU - CPU usage times: user time (us), system time (sys), idle time (id). These numbers are %.

Hints:
- Page stats are accrued since the last report. They include page-ins from process starts. If po > 0 for numerous observations, then you may have a memory problem. If de > 0 then you have a serious memory problem.
- vmstat -s gives total system values since boot.
- vmstat -S gives swapping stats in addition to paging stats.
- vmstat -c gives cache flushing stats since boot.
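The uptime bands from Performance II and the po/de hints above, applied to captured output as an added example that is not part of the original slides: it pulls the 15-minute average out of an uptime line, classifies it, and scans vmstat samples for the two memory warning signs. The uptime line and vmstat table are constructed; the vmstat column positions (po is field 9, de is field 11) are those of the Solaris layout described above and are an assumption of this script.

```shell
#!/bin/sh
# Added example (not from the original slides): apply the slides' thresholds
# to constructed uptime and vmstat output.

# Classify a load average with the slide's bands: 0-3 OK, 4-7 borderline,
# >10 overworked. Values between the bands are reported as "watch".
classify_sla() {   # $1 = load average
    awk -v sla="$1" 'BEGIN {
        if (sla > 10) print "overworked"
        else if (sla >= 4 && sla <= 7) print "borderline"
        else if (sla <= 3) print "OK"
        else print "watch"
    }'
}

# Reads an uptime line on stdin and prints the 15-minute average.
# Assumed format: "... load average: 0.23, 0.41, 0.55"
sla_15min() {
    sed -n 's/.*load average: *\([^,]*\), *\([^,]*\), *\([^ ]*\).*/\3/p'
}

# Constructed vmstat output: two header lines, then one sample per line.
VMSTAT_SAMPLE=' procs     memory            page            disk          faults      cpu
 r b w   swap  free  re  mf pi po fr de sr s0 s1 s2 s3   in   sy   cs us sy id
 0 0 0 123456 45678   0  12  0  0  0  0  0  0  0  0  0  110  220  80  5  3 92
 0 0 0 120000 20000   1  40  8  4  4  0  3  0  0  0  0  130  300  90 20  8 72
 2 0 0 110000  8000   5  90 16 12 12 48 30  0  0  0  0  200  500 120 45 15 40'

# Reads vmstat lines on stdin; skips the headers and the first sample (which
# is the average since boot) and prints one verdict:
#   "serious" if de > 0 in any sample, "paging" if po > 0 in two or more
#   samples, "ok" otherwise.
vmstat_memory_verdict() {
    awk '$1 ~ /^[0-9]+$/ { n++; if (n == 1) next
             if ($11 > 0) serious = 1
             if ($9 > 0) po++ }
         END { if (serious) print "serious"
               else if (po >= 2) print "paging"
               else print "ok" }'
}

# Stand-alone run.
UPTIME_LINE=' 10:22am  up 12 days,  3:14,  4 users,  load average: 0.23, 0.41, 0.55'
sla=$(printf '%s\n' "$UPTIME_LINE" | sla_15min)
echo "15-minute SLA $sla: $(classify_sla "$sla")"
echo "vmstat memory verdict: $(printf '%s\n' "$VMSTAT_SAMPLE" | vmstat_memory_verdict)"
```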

Solaris 2.5 - Performance IV

iostat gives disk I/O stats.
- iostat <interval> reports stats every <interval> seconds. The first line gives stats since boot and each line after that gives the interval stats.
- each disk gives blocks/second (bps), transactions/second (tps) and average service time in msec (serv).
- iostat -xtc gives extended disk stats for each disk:
  r/s - reads/sec
  w/s - writes/sec
  Kr/s - Kbytes/sec
  wait - average queue length
  actv - average # of transactions being actively serviced
  %w - % time the queue is not empty
  %b - % time the disk is busy

Solaris 2.5 - Performance V

Performance Meter (perfmeter)

- graphical display of the following usage parameters:

CPU, Ethernet packets/second, jobs swapped/second, # of device interrupts/second, disk transfers/second, # of context switches/second, average # of runnable processes/minute, Ethernet collisions/second.

- This command gives you almost immediate feedback on system activity.

AUTOMATIC COLLECTION OF SYSTEM ACTIVITY

3 commands: sadc, sa1, sa2

sadc - collects system data and saves it in a binary file (1 per day). Data files are placed in /var/adm/sa/saXX where XX is the day of the month. Should be run at boot (/etc/init.d/perf) and periodically via a cron entry which runs the sa1 command.
sa1 - shell script, run from the sys crontab, that calls sadc to append one sample to the day's file.
sa2 - invokes the sar command and writes the ASCII output to a file (/var/adm/sa/sarXX).

Solaris 2.5 - Performance VI

SETTING UP AUTOMATIC DATA COLLECTION

1. edit /etc/init.d/perf

- uncomment the line that has 'sadc' in it.

2. edit /var/spool/cron/crontabs/sys

- uncomment the lines that have 'sa1' in them (and the 'sa2' line if you want the daily ASCII report). Go through crontab -e sys as root rather than editing the spool file in place, so that cron is told about the change.
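The two setup steps above as an added example that is not from the original slides: a POSIX sh script that uncomments the sadc line in the perf script and the sa1/sa2 entries in the sys crontab, then checks that collection is actually switched on. The perf script and crontab it writes are constructed stand-ins shaped like the stock Solaris files (the real paths are /etc/init.d/perf and /var/spool/cron/crontabs/sys); their exact contents are an assumption, as are the function names.

```shell
#!/bin/sh
# Added example, not from the slides: switch on sadc/sa1/sa2 collection and
# verify it.  Real targets: /etc/init.d/perf and the sys crontab; the demo
# below runs on constructed copies written by write_sample_files.

# active_count FILE PATTERN: number of non-comment lines in FILE matching PATTERN
active_count() { grep -v '^[[:space:]]*#' "$1" | grep -c "$2"; }

# enable_sa_collection PERF SYSCRON: strip the leading "#" from the sadc line
# in the perf script and from every sa1/sa2 entry in the sys crontab.
enable_sa_collection() {
    sed '/\/usr\/lib\/sa\/sadc/s/^#//' "$1" > "$1.new" && mv "$1.new" "$1"
    sed '/\/usr\/lib\/sa\/sa[12]/s/^#//' "$2" > "$2.new" && mv "$2.new" "$2"
}

# sa_collection_enabled PERF SYSCRON: succeed only if the boot-time sadc line
# and at least one sa1 cron entry are active (not commented out).
sa_collection_enabled() {
    [ "$(active_count "$1" '/usr/lib/sa/sadc')" -gt 0 ] ||
        { echo "sadc not started from $1"; return 1; }
    n=$(active_count "$2" '/usr/lib/sa/sa1') || true
    [ "$n" -gt 0 ] || { echo "no active sa1 entries in $2"; return 1; }
    [ "$(active_count "$2" '/usr/lib/sa/sa2')" -gt 0 ] ||
        echo "note: sa2 daily report not scheduled in $2"
    echo "ok: sadc at boot, $n sa1 entries"
}

# write_sample_files DIR: constructed perf script and sys crontab, shaped like
# the Solaris defaults with the collection lines still commented out.
write_sample_files() {
    cat > "$1/perf" <<'EOF'
#!/sbin/sh
# Start the system activity data collector at boot (uncomment to enable).
#       su sys -c "/usr/lib/sa/sadc /var/adm/sa/sa`date +%d`"
EOF
    cat > "$1/sys" <<'EOF'
#
# The sys crontab should be used to do performance collection. See cron
# and performance manual pages for details on startup.
#
#0 * * * 0-6 /usr/lib/sa/sa1
#20,40 8-17 * * 1-5 /usr/lib/sa/sa1
#5 18 * * 1-5 /usr/lib/sa/sa2 -s 8:00 -e 18:01 -i 1200 -A
EOF
}

demo=$(mktemp -d)
write_sample_files "$demo"
sa_collection_enabled "$demo/perf" "$demo/sys" || echo "(as shipped: collection off)"
enable_sa_collection "$demo/perf" "$demo/sys"
sa_collection_enabled "$demo/perf" "$demo/sys"
rm -rf "$demo"
```

On a live system run enable_sa_collection on /etc/init.d/perf and on a copy of the crontab taken with crontab -l sys, then install the copy with crontab (as sys, or via crontab -e sys as root); editing the spool file in place does not tell cron to re-read it.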

COLLECTING SYSTEM ACTIVITY DATA WITH THE sar COMMAND

sar -a - gives file access operations
sar -b - gives system buffer activity
sar -c - gives system call activity
sar -d - gives disk activity stats
sar -g - gives page-out and free memory stats
sar -u - gives CPU utilization
sar -A - gives overall system performance stats

By default sar reads today's /var/adm/sa/saXX; -f file selects another day's file and -s/-e bound the time of day reported.

VT Scholarpac Support

1. VT is a member of the Sun Scholarpac Consortium. Primary contact is Randy Marchany, 1-9523 ([email protected]). Secondary contact is Wanda Baber ([email protected]). Sun Sales rep is Cole Clark ([email protected]). See www.cc.vt.edu for info.

2. Scholarpac software is stored on dock.cc.vt.edu. This machine is the Solaris license server, the Answerbook online library and a Solaris Patch Archive, as well as the IMSL, Mathematica and Matlab server. The Solaris compilers and Sparcworks software are available online from this system.

3. To access the license server:

- install the Sun license software on your machine.
- create a local mount point for the license file directory, for example /sun_license.
- NFS mount dock.cc.vt.edu:/scholarpac/license_dir on your local mount point.
- set the environment variable LM_LICENSE_FILE to point to the /sun_license/licenses_combined file (/sun_license being the mount point from the previous step).
- test the connection by using the -xlicinfo option of a compiler command.

Make - I

The make utility builds software kits by issuing the commands needed to build each piece of the software.

It uses dependencies to describe the software components:
- C source program - test.c
- cc -c test.c -> compiles test.c, placing the object code in test.o
- test.o depends on test.c. If test.c changes, so does test.o

Make knows which files have been modified and figures out what files have to be updated.

If the components are newer than the whole, then the whole is rebuilt.

Make - II

Makefile
- Make looks for makefile (or Makefile) for instructions.
- General format: TARGET: DEPENDS ; COMMANDS. Commands may also go on the following lines, each starting with a TAB.
- Sample:

test: test.c test1.c
<TAB>cc -O -o test test.c test1.c

Means the target, test, depends on test.c and test1.c. If either of these 2 files is modified then test is rebuilt.

- A Makefile contains the commands needed to build a program, with a separate dependency line for each component and target. Names are case-sensitive: main.o in the program rule must be spelled main.o in its own rule too.

program: main.o sub1.o sub2.o
<TAB>cc main.o sub1.o sub2.o -o program
main.o: main.c ; cc -O -c main.c
sub1.o: sub1.c ; cc -O -c sub1.c
sub2.o: sub2.c ; cc -O -c sub2.c

Using Make to Build Freeware

Most freeware (ssh, pgp) uses make and configure scripts to build the software. Check the distribution's PGP signature or published checksum before you build: you are about to run its configure script and install the result as root.

General steps:
- setenv LM_LICENSE_FILE license-file
- set path=( $path /usr/ccs/bin /opt/SUNWspro/bin )

You may have to put /opt/SUNWspro/bin ahead of /usr/ucb in the path.

- cc -xlicinfo to verify the compiler works
- cd src-tree
- ./configure
- make
- make install

Make - IV

SSH - I

SSH - II

Workstation Config Summary

VT Scholarpac Support (cont'd)

4. dock.cc.vt.edu has online Answerbooks for Solaris 8. Point your browser to dock.cc.vt.edu:8888 to get access.

5. To install Solaris Scholarpac Software, Compilers, Sparcworks:

- Option 1: get the CD from the CC by contacting Kathy Williams ([email protected]), install from CD and RETURN it.
- Option 2: install over the net from dock.cc.vt.edu:
  - NFS mount dock.cc.vt.edu:/vt/scholarpac
  - for compilers, cd Compilers and run spro_install or spro_install_tool.
  - for other packages, cd to the appropriate directory.
  - follow the installation prompts.

What's Up, Dock?

1. dock.cc.vt.edu:/vt is a software repository for a wide variety of platforms.

2. What's in the directories?

/3rdparty - Contains Mathematica 3.0 installation kits for Sun, HP, IBM, DEC, SGI (RESTRICTED), CRACK, gzip/gunzip, lsof, nfswatch, sas6.11, TCP wrapper code

/online_docs- Online documentation for HP-UX, IBM AIX and DEC

/scholarpac - Sun Compilers (Compilers), Solstice Backup (Backup_x.x.x), CDE1.01, Disksuite 4.1, HP JetAdmin, Sun Patches

What's Up, Dock? (cont'd)

OTHER RESOURCES AT VT FOR SUN SYSTEM MANAGERS

1. The VT Sun Users Group consists of the Sun System managers on campus. The mailing list is at: [email protected]. To become a member, contact Randy Marchany ([email protected]). This mailing list is reflected to the local newsgroup vt.sys.sun. Other newsgroups: comp.sys.sun.admin, comp.unix.admin, comp.unix.solaris, comp.security.misc, comp.security.unix

2. Sun Resources at ftp.vt.edu

Located in the /pub/cc/Solaris directory. Contains:
- security checklist
- some of the standard freeware tools

Tools

My Personal Favorites:

- COPS, TRIPWIRE
- SATAN, ISS
- SWATCH, NFSWATCH
- TCP Wrappers
- Sniffers (IPTRACE, TCPDUMP)
- CRACK
- PHF_Trace