University of Arkansas Computing Services

Created, modified by Roy Hallquist
Kevin Allen
Updated March 27, 1996
by Peter Laws
Last updated: Thursday, 17-Oct-96 09:11:05
IF THE HOST YOU ARE WORKING ON IS CURRENTLY IN SERVICE, YOU MUST MAKE SURE THAT ALL APPROPRIATE FILESYSTEMS ARE BACKED UP TO TAPE OR VIA ADSTAR!!!!!!
If this machine has an OS on it already, the following files should be saved:
/etc/passwd
/etc/shadow
/etc/mail/aliases (if any)
/etc/vfstab (if any)
/etc/dfs/dfstab (if any)
user's mail files in /var/mail
/.../adsm/inclexcl.def (if ADSTAR installed)
/etc/adsm/<HOST>
/etc/hosts.allow (if tcpd installed)
/var/spool/calendar/callog (if any)
Move these files to one of the slices that will be preserved.
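One way to carry out the save step, as an added example that is not part of the original procedure: it copies the listed files to a preserved slice with their modes intact (so the /etc/shadow copy stays unreadable to other users) and records checksums to verify before restoring. The names save_configs and verify_saved and the demo tree are hypothetical; a POSIX shell with cksum and mktemp is assumed.

```shell
#!/bin/sh
# Added example, not part of the original procedure.

# save_configs SRC_ROOT DEST: copy the files listed above from SRC_ROOT to
# DEST with paths and modes intact, write DEST/MANIFEST, print the file count.
save_configs() {
    src=$1
    dest=$2
    old_umask=$(umask)
    umask 077    # new directories and the manifest are owner-only
    mkdir -p "$dest" || { umask "$old_umask"; return 1; }
    list="etc/passwd etc/shadow etc/mail/aliases etc/vfstab etc/dfs/dfstab
          etc/hosts.allow var/spool/calendar/callog"
    for m in "$src"/var/mail/*; do          # one mail file per user
        if [ -f "$m" ]; then list="$list var/mail/${m##*/}"; fi
    done
    # The ADSTAR files (inclexcl.def, /etc/adsm/<HOST>) are site-specific;
    # append their paths to $list by hand.
    count=0
    for f in $list; do
        if [ -f "$src/$f" ]; then           # "(if any)" files may be absent
            # cp -p keeps each file's own mode, e.g. 400 on /etc/shadow
            mkdir -p "$dest/${f%/*}" && cp -p "$src/$f" "$dest/$f" || break
            count=$((count + 1))
        fi
    done
    ( cd "$dest" && find . -type f ! -name MANIFEST -exec cksum {} \; |
        sort > MANIFEST )
    umask "$old_umask"
    echo "$count"
}

# verify_saved DEST: succeed only if every saved file still matches MANIFEST.
verify_saved() {
    ( cd "$1" && find . -type f ! -name MANIFEST -exec cksum {} \; |
        sort | cmp -s - MANIFEST )
}

# Demo on a constructed tree (file contents are placeholders).
demo=$(mktemp -d)
mkdir -p "$demo/root/etc" "$demo/root/var/mail"
echo "root:x:0:1::/:/sbin/sh" > "$demo/root/etc/passwd"
echo "root:PLACEHOLDER:::::::" > "$demo/root/etc/shadow"
chmod 400 "$demo/root/etc/shadow"
echo "From demouser" > "$demo/root/var/mail/demouser"
echo "saved: $(save_configs "$demo/root" "$demo/keep")"
if verify_saved "$demo/keep"; then echo "manifest verified"; fi
rm -rf "$demo"
```

Run verify_saved against the preserved slice after the reinstall and before copying /etc/passwd and /etc/shadow back into place.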
Shut the system down:
SunOS 4.1.x users should login as root and type:
shutdown -h now
Solaris 2.x users should login as root and type:
shutdown -g60 -i0 -y
init 0 or pressing <Stop> + <A> may also be used, but shutdown is the preferred method.
Boot from the CD-ROM
Insert the CD disk into the caddy and put the caddy into the drive.
If the prompt looks like a ">", you will probably
have to type new to get to the new command
mode of the PROM monitor. You should then get an
"ok" prompt.
At the "ok" prompt type:
boot cdrom
The system should boot from the CD-ROM drive. Depending on the PROM version installed, it may be necessary to type:
boot sd(0,6,2)
The system may say something like WARNING: clock
gained 184 days - CHECK AND RESET THE DATE! Ignore
this message (the number reflects the number of days since
the Solaris code was frozen).
When prompted to choose whether or not to
automatically reboot after installation, choose
"yes".
Beginning with Solaris 2.4, the installation program uses an Open Windows interface. These instructions were written for the older, text-based install procedures, but the information is the same.
Network Information
You will be asked for the hostname of the machine. Type it in:
Hostname: ajax
Warning: Do not use a fully
qualified domain name (like ajax.uark.edu),
but rather just use the first part of the name (like
ajax). Entering a fully qualified domain
name could render the computer unusable later in the
install process and require an OS reinstall.
Will this system be connected to a
network?
No >Yes
What is your Internet Protocol (IP)
address?
IP address: 130.184.75.23
You will be asked if the information is correct. Answer yes if it is, or say no and go back and fix it.
Do you want to configure this system as a client
of a name server? If so, which name service do you want
to use?
-- NIS+ Client
-- NIS (formerly yp) Client
XX Other
-- None
Note: Of the Sun workstations on our campus that we support, the majority are set up for a single user (though they are capable of supporting many). Consequently, most hosts are not set up with NIS or NIS+. Workstations are set up with DNS so that hosts can use electronic mail and other services that require knowledge of host names.
Is this system part of a subnet?
>Yes No
You will then be asked for the netmask value. The default netmask is correct.
Netmask: 255.255.255.0
Now you get the chance to review the information you entered and to go back and change it if you need to.
Setting the Time
Specify Time Zone by:
XX Geographic Region
-- Offset from GMT
-- Time zone file
The U of A is in US, Central
What is the current date and time?
Year (4 digits) 1996
Month (1-12) 3
Day (1-31) 4
Hour (0-23) 16
Minute (0-59) 09
You will get a chance to review the information you have typed in.
You will be asked to choose between upgrade
and installation. Currently, DUST policy is to choose
installation, though this may change.
Type of System
XX Standalone
-- Server
-- Dataless Client
Software Group
Make appropriate choice. On a system with limited disk
space, choose End User. On a system with more
than 1 Gb of storage, choose Entire Distribution.
Disk Selection
Solaris allows you to decide which disks to use for installation. Make appropriate choice. Solaris will warn you if you choose an external disk as the boot device. Solaris allows this but it requires changes at the boot PROM level.
Preservation of existing data during upgrade/installation.
Follow prompts as necessary. Note:
'/', '/var', and '/usr' can
not be preserved (well, they can, but
they'll be mounted as their own slices just with
different names).
Auto Layout
Auto Layout will give default sizes for the various slices. Use these defaults rather than trying to start from scratch. However, please note the following exceptions (take needed Mb from home):
"/"- root should be >20 MB.
"/opt"- is usually too small - should be in
the 200 Mb range (more if the disk is >2 Gb) since
this is where all OPTional packages go in addition to
/opt/local/.
"/var", where all the VARiable files, like
mail spools and print spools live, is usually too small.
Add some more if NeWSprint is being installed.
Mounting of remote file systems
Follow prompts to automatically mount file systems on
remote hosts. For example, /opt1/pub on
comp.uark.edu contains many useful utilities,
including pine. This can be mounted as /opt1/pub
on the local host. Note: experience
has shown that the remote mount test may fail even though
the mount works correctly.
The OS will now install itself and the machine will reboot if that option was chosen. The procedure will take from 40 minutes to 2 hours depending on options chosen and CD-ROM drive speed.
WARNING: If a fully qualified domain name was typed in for the hostname of the machine, the computer may hang when it reboots. Usually, you will see warnings that look like:
le0: bad address
during the boot procedure if you typed in a fully qualified domain name.
When the computer finishes booting, you will be asked:
What is your root password?
Pick a good one and type it in. The login:
prompt will appear.
Login as root and start Openwindows:
/usr/openwin/bin/openwin
If you are not going to patch from the CD (patches on the CD
are usually out of date by the time the CD ships!), you may wish
to eject the CD-ROM. This can be done at any time provided
that your present working directory is not on the CD (i.e.
/cdrom/cdrom0), by typing:
eject cd
Setup for domain name service. Edit the
/etc/nsswitch.conf file so that DNS
will be consulted (copy nsswitch.files to
nsswitch.conf if nsswitch.conf does
not exist). Add the word dns after the
word files on the hosts: line.
hosts: files dns
Create the /etc/defaultrouter file. The
existence of this file prevents routed from running. The file
should contain only the IP address of the router for the host's subnet
(the subnet is the second-to-last octet in the host's IP
address). Most, but not all, routers on this campus have a
130.184.subnet.5 address.
Example:
130.184.75.5
Edit the /etc/hosts file (this file is not
writeable - use :wq! to force a write and quit). It
should contain entries for localhost and the host on which you
are working, as well as the domainname or IP of any hosts which
were mounted remotely during initial configuration.
Example:
#
# Internet host table
#
127.0.0.1 localhost
130.184.75.20 babo.uark.edu babo loghost
130.184.253.197 comp.uark.edu comp timehost
Check the /etc/netmasks file. It should already be set up correctly and should contain a line that looks like this:
130.184.0.0 255.255.255.0
Create the /etc/resolv.conf file. An OS
installation does not create this file, so it must be
generated manually. It should contain the following lines:
domain uark.edu
nameserver 130.184.7.103
Some system administrators choose to add other name servers to the list like this:
nameserver 130.184.7.93
nameserver 130.184.64.233
nameserver 192.35.82.2
Reboot the machine.
shutdown -g60 -i6 -y
That's the end of the absolute minimum Solaris install. Over the years, DUST has come up with a Standardized Solaris Environment that is considered the minimum configuration for Suns attached to the campus network.
Created August, 1995
by Peter Laws
Updated June 28, 1996
by Peter Laws
The purpose of the SSE is to 1) attempt to make all Solaris workstations "look the same", while allowing users/sysadmins the ability to change things; 2) give system support personnel a way to make global changes easily; 3) provide a minimum level of security; 4) provide usage statistics to aid future planning.
Overview
Berkeley Sendmail will be installed to enhance security.
TCPD, aka "tcp wrappers" will be used to enhance security and allow system support personnel to monitor and restrict access to Solaris workstations. A replacement for rpcbind that allows tcpd-style control will also be installed.
The ADSTAR network backup client will be installed to provide data security.
The default .cshrc will be modified to allow the system administrator to easily add paths and the .login will be modified to use qterm to correctly set the terminal environment variable.
Additions will be made to the crontab file to keep the system's clock up to date and to report disk usage statistics.
Current Sun-recommended patches will be installed.
cd /opt
ftp to babo and retrieve the following in binary mode:
/opt/local/SSE/SSE-2.5-patches.tar.Z
/opt/local/SSE/SSE.files.tar.Z
/opt/local/SSE/webstuff.tar.Z
untar:
zcat SSE.files.tar.Z | tar xvf -
SSE.files.tar will expand into /opt/install and contain the following files:
ADSTAR.tar.Z
etc.default.login
gunzip
gzcat
gzip
hosts.allow
in.identd
local.cshrc
local.login
local.newsrc
pico
pilot
pine
qterm
qtermtab
rpcbind
screenblank
screenblank.sh
sendmail-VERSION.tar.Z
sendmail.install.sh
tcpd
ADSTAR.tar.Z contains all files necessary for installation
of ADSTAR backup client. etc.default.login is
/etc/default/login. sendmail-VERSION.tar.Z
contains the latest version of Berkeley sendmail (v8.7.5 as of
Thursday, 17-Oct-96 09:11:05) and subsidiary files.
Create the following directories and links:
mkdir -p /opt/local/bin
mkdir -p /opt/local/lib/netscape
chmod -R 755 /opt/local/*
ln -s /opt/local /usr/local (anything that goes in /usr/local actually goes in /opt/local)
ln -s /var/mail /var/spool/mail (the mailboxes have moved since 4.1.x)
Setup your NIS domain name. Sendmail uses this to create the return address on electronic mail.
domainname .uark.edu
domainname > /etc/defaultdomain
Run sendmail.install.sh script ('sh sendmail.install.sh')
and skip to number 3 below.
If script not available:
Kill the old sendmail daemon
sh /etc/init.d/sendmail stop
Setup host to use the Berkeley version of sendmail (v8.7.5 as of 4/5/1996).
mv /usr/lib/sendmail /usr/lib/sendmail.dist
chmod 400 !$
mv /etc/mail/sendmail.cf /etc/mail/sendmail.cf.dist
mv /etc/mail/sendmail.hf /etc/mail/sendmail.hf.dist
chmod 400 /etc/mail/*.dist
Install new sendmail:
zcat /opt/install/sendmail.tar.Z | tar -xvf -
Files will install with correct ownership, mode (sendmail 4511).
Mail won't work until you restart the sendmail daemon, either by rebooting the machine or by restarting it manually (preferred):
sh /etc/init.d/sendmail start
All cases:
Test mail delivery, both sending and receiving. Also test that sendmail.cf is causing addresses to be parsed correctly:
host# /usr/lib/sendmail -bt
>3,0 address_to_be_tested
Sendmail will parse the address and display the result.
Copy the following files from /opt/install to /etc/skel and make them mode 644:
local.cshrc local.login
On a 2.5 installation, these files should be named local.cshrc and local.login. Solaris will rename them when creating a new user with admintool (but not useradd). Add a softlink from .cshrc to local.cshrc if admin uses useradd routinely.
Copy /opt/install/etc.default.login to
/etc/default/login. The PATH= statement is the
default path if no other exists and allows sysadmins to control
users paths to an extent. Its value is assigned to 'dpath' in
the .cshrc.
Copy qterm from /opt/install to
/opt/local/bin and qtermtab from /opt/install
to /opt/local/lib. Make them mode 755.
Test by typing /opt/local/bin/qterm. It
should return the correct terminal type.
Ident.d - transmits the userid when connecting to other machines. If every host ran this daemon, it would cut way down on net.mischief. Known as a "good neighbor" protocol. TCPD, a.k.a. TCP wrappers allow control of which hosts and even which users on a host can connect to various network services.
Copy /opt/install/in.identd and
/opt/install/tcpd to /usr/sbin
and make them mode 755.
Copy /opt/install/hosts.allow to /etc.
Create the TCPD log file:
touch /var/adm/tcpd_log
Edit /etc/services. It's not writable,
so do a :wq! when editing is complete. Add the following
line in the correct numerical spot in the 'host specific
functions' section:
ident 113/tcp auth tap # Identd - RFC931
Reconfigure /etc/inetd.conf to use wrappers
and identd.
The following services must be wrapped: ftp,
telnet, shell, login, exec, finger. Find each entry in
/etc/inetd.conf and change each service's
entry from this (using in.fingerd as an
example):
finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
to this (use tabs to align columns):
finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
Add the following line below the 'name' line and use tabs to align columns:
ident stream tcp nowait root /usr/sbin/in.identd in.identd
Comment out lines for UUCP, tftp, and sprayd, if
not already done. These services are not needed.
/etc/inetd.conf isn't writable. Use :wq! when
editing is complete.
Force inetd to re-read /etc/inetd.conf:
kill -HUP <PID of inetd>
Test identd:
telnet 130.236.254.1 114
This will return your userid if identd is working correctly.
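A check for the inetd.conf edits above, as an added example that is not part of the SSE kit: it flags listed services that still bypass tcpd, unneeded services left enabled, and a missing ident entry. The function names and the sample file are constructed for illustration; a POSIX shell, awk and mktemp are assumed.

```shell
#!/bin/sh
# Added example, not part of the SSE kit: audit inetd.conf against the
# wrapping rules described above.

# audit_inetd FILE: print one finding per line; return 1 if any were found.
audit_inetd() {
    findings=$(awk '
        BEGIN {
            n = split("ftp telnet shell login exec finger", w, " ")
            for (i = 1; i <= n; i++) must_wrap[w[i]] = 1
            n = split("uucp tftp sprayd", d, " ")
            for (i = 1; i <= n; i++) must_disable[d[i]] = 1
        }
        /^[ \t]*#/ || NF == 0 { next }   # commented-out entries are inactive
        {
            split($1, part, "/")         # RPC entries are named like sprayd/1
            svc = part[1]
            # Field 6 is the server program that inetd starts.
            if ((svc in must_wrap) && $6 != "/usr/sbin/tcpd")
                print "UNWRAPPED " svc " runs " $6
            if (svc in must_disable)
                print "ENABLED " svc " should be commented out"
            if (svc == "ident") have_ident = 1
        }
        END { if (!have_ident) print "MISSING ident entry for in.identd" }
    ' "$1")
    if [ -n "$findings" ]; then
        printf "%s\n" "$findings"
        return 1
    fi
    return 0
}

# Constructed sample input (not taken from a real host).
sample_inetd_conf() {
    cat <<'EOF'
ftp      stream tcp            nowait root   /usr/sbin/tcpd       in.ftpd
telnet   stream tcp            nowait root   /usr/sbin/in.telnetd in.telnetd
finger   stream tcp            nowait nobody /usr/sbin/tcpd       in.fingerd
#tftp    dgram  udp            wait   root   /usr/sbin/in.tftpd   in.tftpd -s /tftpboot
sprayd/1 tli    rpc/datagram_v wait   root   /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
EOF
}

# Demo run on the sample; on a live host call: audit_inetd /etc/inetd.conf
demo_file=$(mktemp)
sample_inetd_conf > "$demo_file"
audit_inetd "$demo_file" || echo "inetd.conf needs attention"
rm -f "$demo_file"
```

A clean result only means the entries are in place; inetd still has to be sent the HUP signal before they take effect.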
Enable system logging
Shutdown syslogd:
sh /etc/init.d/syslog stop
Edit /etc/syslog.conf and add an entry for local2.debug (under mail.debug) as follows (must use tabs between):
local2.debug /var/adm/tcpd_log
Restart syslogd:
sh /etc/init.d/syslog start
Replace rpcbind
Kill the old rpcbind and (allegedly) save its state:
kill -TERM <PID of rpcbind>
Make backup of /usr/sbin/rpcbind and
make it mode 400. Copy new version from
/opt/install and make it mode 555.
"Warmstart" the new rpcbind:
/usr/sbin/rpcbind -w
The -w will supposedly keep the preserved
state. If it doesn't, the machine needs to be restarted.
Query the host's admin regarding from which hosts s/he
expects to be connecting and which services will likely be used.
Modify /etc/hosts.allow to suit local conditions.
Make sure that ajax & babo have access.
Note: ADSTAR server must be made aware of the new host's requirements before the system can be enabled. Install client, but comment out dsmc line in crontab file if a workorder has not been started.
Copy /opt/install/ADSTAR.tar.Z to
/opt/local
Untar ADSTAR.tar.Z
zcat ADSTAR.tar.Z | tar -xvf -
Edit /opt/local/adsm/dsm.sys and
/opt/adsm/dsm.opt, changing 'ajax' to name of host.
Review inclexcl.def and modify to taste.
Install by typing ./dsm.install. Answer
y, /usr/bin, y, n
to the questions that the script asks you.
setenv EDITOR vi
crontab -e (this allows editing of the
crontab file)
Add the following lines to the file:
# Local Additions
0 0 * * * /usr/bin/rdate timehost >/dev/null 2>&1
0 23 * * * /opt/local/adsm/dsmc I -TAPEPROMPT=no
0 0 1 * * df -k | mail service@babo.uark.edu
0 1 * * 6 find / -type f -name core -print -exec rm -f {} \;
Note: Line 1 sets system time to comp's
system time every 12 hours. Comp's clock is synced to the NBS'
atomic clock. Line 2 causes the ADSTAR client to do an
incremental backup every day at about 11 pm. Also make sure
that backups are not done between 0000 and 0600 hours.
Comment out line enabling ADSTAR (dsmc I) unless server has
been set up! Line 3 sends a report of disk usage to the DUST
office on the first of each month. Line 4 removes all core
files at 1 am every Saturday. The first column is minutes.
To spread the load on various servers, the minutes column should
be set to the last octet of the host's IP number mod 60 (i.e.
IP is 130.184.253.197 = minute 17).
crontab -e uucp
Comment out all commands as UUCP is seldom, if ever used.
Patches
(Assuming the host has 1 GB or more ...) Move the
/opt/2.5_Recommended.tar.Z file to /tmp.
Untar the patch cluster. It will create its own subdirectory.
mv /opt/SSE-2.5-patches.tar.Z /tmp
cd /tmp
zcat SSE-2.5-patches.tar.Z | tar xvf -
Install the cluster
cd /tmp/2.5_Recommended
./install_cluster
Note: This may take a while. Also, the
sendmail and rpcbind patches should have been removed from the
2.5_Recommended.tar.Z file long before this point was
reached.
Reboot when script is complete.
shutdown -g60 -i6 -y
demouser
Use admintool to create demouser account. Use uid 911.
Logout once account is created and login as demouser.
Openwindows (or CDE) should start, all commands should function normally.
Specifically, test Pine and Netscape.
WEBSTUFF
Untar webstuff.tar.Z
zcat webstuff.tar.Z | tar -xvf -
A directory named www-install should be created containing the following files:
XKeysymDB
moz2_0x.zip
netscape
raplayer
xanim
xplay
xv
Copy the following files into /opt/local/bin
and make them all mode 755:
lynx
moz2_0x.zip
netscape
raplayer
xanim
xplay
xv
For Netscape to support Java applets:
mv moz2_0x.zip /usr/local/lib/netscape
Eliminate keyboard problems while using Netscape:
mv /usr/openwin/lib/X11/XKeysymDB /usr/openwin/lib/X11/XKeysymDB.dist
mv /opt/install/www-install/XKeysymDB /usr/openwin/lib/X11
Allow users to take advantage of helper apps:
cp /opt/install/local.mailcap /opt/local/lib
mv /opt/install/local.mailcap /etc/skel
SunOS-style screenblanker
Note: This screen saver is only needed on hosts that do not run CDE and are not left logged into Openwindows. CDE provides its own screen saver when no one is logged in, when a user lets the console sit idle for x number of minutes, or when the screen locking feature is used.
The only screen saver that comes with Solaris - other than CDE - is the one that runs under X. You may wish to install one that works even in the "whitescreen" command line mode.
Put files in their correct places.
mv /opt/install/screenblank /opt/local/bin
mv /opt/install/screenblank.sh /etc/init.d/screenblank
ln -s /etc/init.d/screenblank /etc/rc2.d/S95screenblank
The file /etc/init.d/screenblank looks like this:
#! /bin/sh
# Start a screenblank process for each framebuffer
# screenblank from jef@acme.com
# The program path is kept separate from its options so that the -x test
# below checks a single file name.
SCREENBLANK=/opt/local/bin/screenblank
DELAY=300
if [ -x $SCREENBLANK ]; then
    for FRAMEBUFFER in /dev/fbs/*
    do
        echo "Starting screenblank for $FRAMEBUFFER"
        $SCREENBLANK -delay $DELAY -f $FRAMEBUFFER
    done
fi
The delay may be changed as necessary.
Users
Use the useradd command:
useradd -c "First Lastname" -u uid -m -k /etc/skel \
    -s /bin/csh -d /export/home/dir -g group loginid
Note: useradd will not copy
/etc/skel/local.cshrc (and others) to
$HOME/.cshrc. This is a bug.
Use User Account Manager from Admintool
Man pages
Man pages don't normally get installed with the End User installation that's specified for the IPC. If they are needed, they will have to be added manually. Man pages take about 9 megabytes.
Insert the Solaris 2.5 CD-ROM in a local CD drive, or
mount one locally over the net. If Solaris doesn't
automount the cd, type volcheck.
Change to the directory with the operating system packages. There are about 100 separate packages, each name starting with SUNW.
cd /cdrom/Solaris_2.5/s0/Solaris_2.5
Add the package. Type:
pkgadd -d `pwd` SUNWman
Setup printing
Setup the printers. This example shows how to setup remote printing to the mainframe laser. Always use bsd.
Define the remote system to Solaris
lpsystem -t bsd uafsysb.uark.edu
Add the printer
lpadmin -p p31dbp -s uafsysb.uark.edu\!p31dbp \
    -f allow:all -I any -T unknown
One of the printers on the system should be defined as the default printer.
lpadmin -d p31dbp
Start up the printer
accept p31dbp
enable p31dbp
Sometimes the print queue must be "cleaned out". Try some of these methods.
Stop the print service:
sh /etc/init.d/lp stop
Clean out the print queue:
cd /var/spool/lp/tmp
rm -r */*
Restart the print service and clean out its internal queue:
sh /etc/init.d/lp start
lpc
clean all
quit
NFS Mount a remote file system
Dan Martin opened up a trial (note the word trial, please,
but understand that it has been there since about 1993!) period for
sharing of /opt1/pub off of comp.uark.edu.
The directory is currently shareable read-only to all. To set up a
machine to access /opt1/pub, there are two options:
For either option, create a mount point
/opt1/pub on the local host. Permissions
for /opt1 need to be set to mode 755, owned
by root, group other.
To mount manually:
mount -o soft comp.uark.edu:/opt1/pub /opt1/pub
To mount automagically at boot, modify
/etc/vfstab on the local host. Add a line that
looks like:
comp.uark.edu:/opt1/pub - /opt1/pub nfs - yes ro,soft
/opt1/pub will then be mounted "read only"
when booted. Mounting this way ensures that there are no
path surprises. If you are NFS-literate and comfy with the
idea, mount wherever you'd like.