Info about Fysikdatorn's Solaris 2.4 Install server.
What is Fysikdatorn's Solaris 2.4 Install server?
Fysikdatorn's Solaris 2.4 Install server is a JumpStart installation
directory tree prepatched with a number of SunSoft patches. I mean if you
install Solaris 2.4 from this server it comes up with all those patches
already applied. Moreover I took the liberty of applying some local patches
and bells-n-whistles which I believe you'll find very handy. Presumably all
this should save you a lot of time! The server tree resides at
unicc3e.unicc:/export/Install_2.4. In order to bootstrap a Solaris 2.4
workstation you have to provide the following services from one of the
computers in your LAN (note that it doesn't have to be a Solaris 2.x
workstation; a SunOS 4.x or IRIX 5.x host should do as well!):
- RARP service is usually provided by the in.rarpd system daemon, see the
corresponding manual page (HINT! you'll probably have to edit the
/etc/hosts and /etc/ethers files and "push" them into NIS);
- TFTP bootstrap service usually has to be explicitly enabled through the
/etc/inetd.conf config file, see the corresponding manual pages (run it as
in.tftpd -s /tftpboot so the daemon changes its root to that tree and can't
hand out anything else). When you get TFTP working, you have to install the
unicc3e.unicc:/export/Install_2.4/export/exec/sparc.Solaris_2.4/lib/fs/nfs/inetboot
file as <client's IP address in hex representation>.<client's kernel
architecture> (e.g. 811001F0.SUN4M) in the directory you've picked for the
TFTP server tree (usually /tftpboot).
- BOOTPARAMS RPC service is usually provided by the rpc.bootparamd system
daemon, see the corresponding manual pages (HINT! you'll probably have to
edit the /etc/bootparams file and "push" it into NIS). The boot parameter
entry for the client being installed should look something like the following:
yourhost: root=unicc3e.unicc:/export/Install_2.4/export/exec/kvm/sparc.sun4x.Solaris_2.4 install=unicc3e.unicc:/export/Install_2.4
just replace sun4x with the client's kernel architecture (sun4m, for example)!
When you get all the components working, you should be able to boot the
client from the network by issuing the boot net command at the PROM prompt and
perform the manual installation procedure. If you don't want the windowing
system started during the installation (for performance reasons, or because
you're short of memory), issue boot net - w at the PROM prompt instead.
Note that you may perform an automatic installation as well! Just append an
extra parameter to the boot parameter entry, namely
install_config=yourinstallserver:/some/where
. What to put into /some/where goes beyond the scope of this memo; refer to
the Solaris 2.4 installation manual instead!
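The three services above all need per-client data derived from the same four facts (name, IP address, Ethernet address, kernel architecture). The script below is an added example, not part of the memo, that derives them for the install server named here; the client name physlab17, its address 129.16.1.240 (the address behind the memo's 811001F0 example) and its Ethernet address are constructed values, and the install_config argument is only added when you pass one.

```shell
#!/bin/sh
# Added example, not from the memo: produce the RARP, TFTP and BOOTPARAMS
# pieces for one JumpStart client of the install server named in the memo.
# The client name/IP/Ethernet address used at the bottom are constructed.

INSTALL_SERVER=unicc3e.unicc
INSTALL_ROOT=/export/Install_2.4

# hexip DOTTED-IP -> 8-digit upper-case hex, the tftpboot naming convention
# (129.16.1.240 -> 811001F0).  Octets are plain decimals, no leading zeros.
hexip() {
    ( IFS=.; set -- $1; printf '%02X%02X%02X%02X\n' "$1" "$2" "$3" "$4" )
}

# tftp_name IP ARCH -> the file name the client PROM asks in.tftpd for,
# e.g. 811001F0.SUN4M (architecture upper-cased as the PROM sends it)
tftp_name() {
    echo "`hexip $1`.`echo $2 | tr '[a-z]' '[A-Z]'`"
}

# install_inetboot INETBOOT IP ARCH TFTPDIR -> copy the boot file under the
# per-client name into the TFTP tree (one copy per client, as the memo does)
install_inetboot() {
    cp "$1" "$4/`tftp_name $2 $3`" && chmod 644 "$4/`tftp_name $2 $3`"
}

# rarp_entries HOST IP ETHER -> the /etc/hosts and /etc/ethers lines
# in.rarpd needs to answer this client (push them into NIS if you use it)
rarp_entries() {
    echo "$2 $1"      # /etc/hosts
    echo "$3 $1"      # /etc/ethers
}

# bootparams_entry HOST ARCH [INSTALL_CONFIG] -> the /etc/bootparams line;
# a third argument turns the manual install into an automatic one
bootparams_entry() {
    root=$INSTALL_SERVER:$INSTALL_ROOT/export/exec/kvm/sparc.$2.Solaris_2.4
    line="$1 root=$root install=$INSTALL_SERVER:$INSTALL_ROOT"
    [ -n "$3" ] && line="$line install_config=$3"
    echo "$line"
}

# Constructed client: name, address and Ethernet address are made up.
rarp_entries physlab17 129.16.1.240 8:0:20:1a:2b:3c
echo "/tftpboot/`tftp_name 129.16.1.240 sun4m`"
bootparams_entry physlab17 sun4m
```

The hex name is the first thing to check when a client hangs after "boot net": the PROM prints the file name it is requesting, and it must match what is in /tftpboot character for character.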
Applied patches.
Refer to unicc3e.unicc:/export/Install_2.4/Patches/Applied
for the list of patches applied to the install server tree. Basically it's
almost all the available patches, except 102292-01 (ff.core security) and
102319-01 (sendmail V8 point patch).
Note that you can't see these patches with showrev -p after you've
performed the installation from this install server. This is something you
have to "trade" for the convenience! You can, though, find the corresponding
README files on the install client as /var/sadm/patches/<PATCH-ID>. Needless
to mention that you can't back them out either :-)
Local patches and bells-n-whistles.
Security tidbits.
- Problem
- /usr/openwin/bin/ff.core is a security hole (yes, even with the
recommended 102292-01 patch applied);
- Workaround
- install /usr/openwin/bin/ff.core without the set-uid/set-gid bits and
advise users to use fdformat instead;
- Problem
- anybody can delete any file in /tmp;
- Workaround
- set the sticky bit on /tmp at boot time in /etc/init.d/MOUNTFSYS;
- Problem
- anybody can write into /var/adm/messages;
- Workaround
- install /var/adm/messages with appropriate access permissions;
- Problem
- files transferred over FTP get universal write permissions;
- Workaround
- set a system-wide umask through /etc/init.d/umask.sh (the .sh suffix
matters: the rc scripts source *.sh files instead of running them in a
subshell, so the umask sticks for every daemon started after it);
- Problem
- login failures are not logged anywhere;
- Workaround
- install /var/adm/loginlog to enable logging of login failures (it must be
owned by root and readable/writable by root only, otherwise login ignores it);
- Problem
- in.ftpd lets users with expired accounts in;
- Workaround
- patch in.ftpd with a beta patch obtained from Sun;
- Problem
- NFS is insecure;
- Workaround
- make it slightly more secure by enabling the NFS portmon feature in
/etc/system, so the server drops requests that don't come from a privileged
port (this stops ordinary users on trusted clients, not anybody who is root
on some other host and can pick a port below 1024):
set nfs:nfs_portmon = 1
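To see whether a client actually came up with these workarounds in place (or to apply them to a mounted client root), here is an added audit script; it is not part of the memo. It takes a root prefix so the same checks run against /, a client root mounted under /a, or the install tree. The expected modes (0644 root for /var/adm/messages, 0600 root for /var/adm/loginlog), the umask value 022 and the check for /etc/init.d/umask.sh by that name are my assumptions, not values the memo states; the in.ftpd beta patch cannot be checked from the outside and is left out.

```shell
#!/bin/sh
# Added example, not from the memo: audit a Solaris-style tree for the
# "Security tidbits" workarounds and optionally apply them.
# Usage:  sh audit.sh /          (audit the running system, exit = findings)
#         sh audit.sh /a fix     (fix, then audit, a client root under /a)
# Assumptions (mine): messages 0644, loginlog 0600, umask 022, umask.sh name.

# has_perm PATH OCTALBITS -> true when every bit in OCTALBITS is set on PATH
# (find -perm works where there is no stat(1); -prune stops descent on dirs)
has_perm() {
    find "$1" -prune -perm -"$2" 2>/dev/null | grep . >/dev/null
}

# audit_tree ROOT -> one line per finding on stdout, returns the count
audit_tree() {
    r=$1; n=0
    f=$r/usr/openwin/bin/ff.core
    if [ -f "$f" ]; then
        if has_perm "$f" 4000 || has_perm "$f" 2000; then
            echo "$f: set-uid/set-gid (102292-01 does not close the hole)"
            n=`expr $n + 1`
        fi
    fi
    if [ -d "$r/tmp" ]; then
        has_perm "$r/tmp" 1000 || {
            echo "$r/tmp: no sticky bit, anybody can delete anybody's files"
            n=`expr $n + 1`; }
    fi
    f=$r/var/adm/messages
    if [ -f "$f" ] && has_perm "$f" 002; then
        echo "$f: world-writable, anybody can forge or wipe syslog lines"
        n=`expr $n + 1`
    fi
    [ -f "$r/var/adm/loginlog" ] || {
        echo "$r/var/adm/loginlog: missing, login failures are not logged"
        n=`expr $n + 1`; }
    [ -f "$r/etc/init.d/umask.sh" ] || {
        echo "$r/etc/init.d/umask.sh: missing, no system-wide umask for daemons"
        n=`expr $n + 1`; }
    grep '^set nfs:nfs_portmon *= *1' "$r/etc/system" >/dev/null 2>&1 || {
        echo "$r/etc/system: nfs_portmon not set, NFS answers unprivileged ports"
        n=`expr $n + 1`; }
    return $n
}

# fix_tree ROOT -> apply the workarounds above to the tree
fix_tree() {
    r=$1
    f=$r/usr/openwin/bin/ff.core
    [ -f "$f" ] && chmod u-s,g-s "$f"
    [ -d "$r/tmp" ] && chmod +t "$r/tmp"
    f=$r/var/adm/messages
    [ -f "$f" ] && chmod 644 "$f"
    mkdir -p "$r/var/adm" "$r/etc/init.d"
    [ -f "$r/var/adm/loginlog" ] || {
        : > "$r/var/adm/loginlog"; chmod 600 "$r/var/adm/loginlog"; }
    [ -f "$r/etc/init.d/umask.sh" ] || {
        echo 'umask 022' > "$r/etc/init.d/umask.sh"   # assumed value
        chmod 744 "$r/etc/init.d/umask.sh"; }
    grep '^set nfs:nfs_portmon *= *1' "$r/etc/system" >/dev/null 2>&1 ||
        echo 'set nfs:nfs_portmon = 1' >> "$r/etc/system"
}

if [ $# -gt 0 ]; then
    [ "$2" = fix ] && fix_tree "$1"
    audit_tree "$1"
fi
```

Run it as root when auditing a live system, since /var/adm/loginlog is unreadable to anybody else once it has the right mode; the sticky bit on /tmp is worth re-checking after every reboot, because tmpfs is recreated by MOUNTFSYS each time and a botched edit there silently drops it again.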
Performance enhancements.
- Problem
- the TCP layer is not tuned for slow links;
- Workaround
- tune it up at boot time through /etc/init.d/inetinit:
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max 16
/usr/sbin/ndd -set /dev/tcp tcp_rexmit_interval_initial 1000
- Problem
- 'nice --20 <command>' freezes the machine;
- Workaround
- prevent niced programs from hogging the CPU by limiting the ts_maxupri
parameter in /etc/system:
set TS:ts_maxupri = 20
- Problem
- some programs that collect kernel statistics (workload monitors, usually)
expect to find a /unix kernel image, which isn't there on Solaris 2.x (the
kernel lives in /kernel/unix);
- Workaround
- provide a /unix -> ./kernel/unix symbolic link;
Administrativia.
- Problem
- /var/lp/logs/* and /var/mail/lp grow without bounds; every single client
contributes E-mail messages;
- Workaround
- install the lp log files with appropriate access permissions;
- Problem
- external MIME codecs don't work;
- Workaround
- modify /etc/mail/mailx.rc to let the MIME related headers pass through to
the external filters;
- Problem
- users can't FTP (in.ftpd refuses logins whose shell isn't a known one);
- Workaround
- install /etc/shells listing the allowed login shells;
- Problem
- no support for /etc/nologin;
- Workaround
- patch /etc/.login and /etc/profile and make them check whether
/etc/nologin is present;
- Problem
- /var/cron/log grows without bounds and eventually fills /;
- Workaround
- disable the cron activity log in /etc/default/cron (CRONLOG=NO); the log
isn't worth anything anyway;
- Problem
- /var/mail/uucp grows without bounds; every single client contributes
E-mail messages;
- Workaround
- comment out everything in /var/spool/cron/crontabs/uucp by default,
uncomment those lines manually if really needed;
- Problem
- every OpenWindows session leaves a huge file in /tmp, thus reducing the
amount of virtual memory available (/tmp is swap-backed);
- Workaround
- comment out helpviewer in /usr/openwin/lib/openwin-init;
- Problem
- mail aliases are case sensitive;
- Workaround
- patch /usr/lib/nis/nissetup and make it create the
mail_aliases.org_dir NIS+ map as case insensitive (if you already have
the map set up, you'll have to delete and recreate it manually :-();
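The /etc/nologin check mentioned above is easy to get wrong in the one way that matters: if it throws everybody out, it throws root out too, and you cannot log in to remove the file. Here is an added example of the check, not the memo's own patch, written as a function taking a root prefix and the login name so it can be exercised against a scratch tree; letting root through is my assumption about the intended behaviour, and the inline /etc/profile and /etc/.login forms in the comments are the same logic written the way those files expect it.

```shell
#!/bin/sh
# Added example, not from the memo: the /etc/nologin gate for /etc/profile.
# nologin_gate ROOT LOGNAME -> 0 if the login may go on, 1 if it must end
# (prints the reason from the file first).  Root is always let through
# (assumption) so a forgotten /etc/nologin can't lock the administrator out.
nologin_gate() {
    f=$1/etc/nologin
    [ -f "$f" ] || return 0
    [ "$2" = root ] && return 0
    cat "$f"          # e.g. "down for backup until 08:00"
    return 1
}

# In /etc/profile (sh and ksh logins) the same thing inline is
#   if [ -f /etc/nologin -a "$LOGNAME" != root ]; then
#       cat /etc/nologin; exit 1
#   fi
# exit is right there because /etc/profile is sourced by the login shell.
# In /etc/.login (csh logins):
#   if ( -f /etc/nologin && "$user" != root ) then
#       cat /etc/nologin
#       logout
#   endif

# Stand-alone demo against a scratch tree (constructed, then removed).
t=`mktemp -d` && mkdir -p "$t/etc" && echo 'down for backup' > "$t/etc/nologin"
nologin_gate "$t" alice; echo "alice -> $?"
nologin_gate "$t" root;  echo "root  -> $?"
rm -r "$t"
```

Remember that this only covers shell logins: in.ftpd and rlogind don't read /etc/profile, so a planned shutdown still needs those daemons stopped separately.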
Optional programs.
Mail me...