Projects

A project is a great Solaris facility essential to network-wide system architecture and administration. In essence it's rather simple but in general it's less-known or frequently misunderstood or underestimated by many engineers, unfortunately. Later on defining projects, in order to take full advantage of them (and their tasks) it's necessary to enable extended accounting, but that will be a topic for a later post.

A project is a collection of network-wide (physical or virtual) hosts processes that share a same tag defined as the project-id which is shared by a collection of internetwork-ed Solaris (physical or virtual) systems. Within each participating host those corresponding processes are further gathered on tasks by means of a common task-id. In the scope of a single host, a project has always one or more subordinate tasks.

The project-ids are gathered in a project database which can be local (/etc/project) or remote (NIS, LDAP or DNS). On this post I'll cover just the local case, but you can grasp an idea of how to implement it on NIS by reading other posts of mine.

For an appropriate project setup, it's useful to distinguish host's processes that derive from a login event from those that do not, because when a login is involved there's an additional way of defining the initial project to be associated with that login, and thus its main process and all its child/derived processes. In general, when processes are launched, the selected project will be deduced from the account which is used to launch the process according to the defined associations in the standard project database of the system.

By the way, a process is tied to a single project-id (project), but be aware that a user or a group can be assigned to multiple project-ids (projects). The processes that a user launches can be associated with any project that this user is associated to (either explicitly by user-name or implicitly by groups memberships) in the standard project database of the system. Of course, the super-user can assign any process to any project.

The raw view of the out-of-the-box project database is as follows:

$ cat /etc/project
system:0::::
user.root:1::::
noproject:2::::
default:3::::
group.staff:10::::

This database can also be listed more verbosely as:

$ projects -l
system
    projid : 0
    comment: ""
    users  : (none)
    groups : (none)
    attribs:
user.root
    projid : 1
    comment: ""
    users  : (none)
    groups : (none)
    attribs:
noproject
    projid : 2
    comment: ""
    users  : (none)
    groups : (none)
    attribs:
default
    projid : 3
    comment: ""
    users  : (none)
    groups : (none)
    attribs:
group.staff
    projid : 10
    comment: ""
    users  : (none)
    groups : (none)
    attribs:

As introduced, for logins events there's an extended user attribute "database" in /etc/user_attr which may or may not list the initial (but previously defined) project to be assigned to any user's processes since upon login. If no project is specified in /etc/user_attr then the search for the assignment will proceed to /etc/project looking for a match in the following order:

1. user.user-name
2. group.user-group
3. The special project called default (if present)

If no suitable project is not found, then the login event or process launch is denied.

Now let's try a few examples in order to get better acquainted with projects. Let's define the marketing project for the john account in /etc/user_attr:

# usermod -K project=marketing john

And to verify it:

# getent user_attr john
john::::project=marketing

or

# userattr project john
marketing

To remove any project for the john account in /etc/user_attr:

# usermod -K project= john

Assuming the primary group of the john account as mkt01, the (fall-back) alternatives in /etc/project for not using /etc/user_attr could be:

# projadd user.john
# projects -l user.john
user.john
        projid : ...
        comment: ""
        users  : (none)
        groups : (none)
        attribs:
or

# projadd group.mkt01
# projects -l group.mkt01
group.mkt01
        projid : ...
        comment: ""
        users  : (none)
        groups : (none)
        attribs:

or none of the above, as long as the default project is present:

# projects -l default
default
        projid : 3
        comment: ""
        users  : (none)
        groups : (none)
        attribs:

Now, another very important application of the project database is for the workloads that do not derive from a login event, but rather are typically started as services or similar background processes, such as the Apache HTTP server. Such "special kind" of workloads, when well planned and administered typically take advantage of projects for both extended accounting and resource control.

As an example, let's set up a dedicated project to an Apache HTTP server that has been just installed and is running under the webservd account. Well, that's not quite exactly the case because, in reality, what traditionally happens is that a root process is launched and forks some child processes that are assigned to a different low-privileged webservd (or other) account that (hopefully) cannot log in to the system. At first, one might think that the following output is due to no project being assigned anywhere for the webservd account, but that's only partially true:

$ id -p webservd
uid=80(webservd) gid=80(webservd) projid=3(default)

$ ps -o user,pid,ppid,project -p "`pgrep -f httpd`"
    USER   PID  PPID  PROJECT
    root   559     1  system
webservd   577   559  system
webservd   591   559  system
webservd   593   559  system
webservd   604   559  system
webservd   607   559  system
webservd   616   559  system
  
These output are expected. The id command is deducing the project for new processes that would be launched in the event of a successful webservd log in to the system, which, of course, (and hopefully) will never happen. And it's truly expected that in a standard (out-of-the-box) setup the default project gets selected in the absence of any other explicit project assignments. But for the ps command listing the explanation is different. In this last case, all httpd child processes (577, 591, 593, 604, 607 and 616) derive from the same parent process (559) which was launched as root, thus inheriting the the system project that is associated to root. In Solaris, this launch actually happens from an SMF service (svc:/network/http:apache22) method which encapsulates the standard Apache HTTP server Control Interface (/usr/apache2/2.2/bin/apachectl; APACHECTL(8)) but unfortunately omits setting a project upon firing the service.

Fixes for problems such as the one above exemplified are certainly possible, but at first it's necessary to define a new project workload (www, for instance). As good practice, not that it's actually required (due to what was explained above), the webservd account should be assigned to this new project. One way to accomplish the task takes a single projadd -U command but for demonstration purposes I'll split it into a projadd followed by a projmod -a -U:

# projadd -c "World Wide Web" www
# projects -l www
www
        projid : 100
        comment: "World Wide Web"
        users  : (none)
        groups : (none)
        attribs:

# projmod -a -U webservd www
# projects -l www
www
        projid : 100
        comment: "World Wide Web"
        users  : webservd
        groups : (none)
        attribs:

By the way, if after creating a project it became necessary to alter some of its attributes and if there are processes already running under this project, it's possible to force them to update their project assignment by means of a projmod -A command. If one is uncertain and no processes are running yet under the project (as on the Apache HTTP server example above; no one is running assigned to the www project), just a harmless warning message is displayed:

# projmod -A www
projmod: Updating ... succeeded with following warning message.
WARNING: No process found ... The project is not updated.

Now focusing on the possible fixes to the issue of having background processes running under undesired projects such as the system project in the example above, there a two solutions that I know:

1) The simpler, but less than ideal "fix" is to "manually" move the processes to the desired project. The move does not required the inconvenience of restaring the processes (in this example, the Apache HTTP server processes). The disadvantage is that it does not integrate well in an automated management as it's not integrated into SMF. The "fix" consists on issuing the following command:

# pgrep -f httpd | xargs -t -l newtask -p www -c
newtask -p www -c 577
newtask -p www -c 616
newtask -p www -c 559
newtask -p www -c 591
newtask -p www -c 593
newtask -p www -c 607
newtask -p www -c 604

Et voilà!

# ps -o user,pid,ppid,project -p "`pgrep -f httpd`"
    USER   PID  PPID  PROJECT
    root   559     1  www
webservd   577   559  www
webservd   591   559  www
webservd   593   559  www
webservd   604   559  www
webservd   607   559  www
webservd   616   559  www

2) The more complicated "fix" is to deal with SMF. On this post I won't go too deep in how to properly or ideally accomplish the task. I'll just indicate the central change that has to be done letting clear that by not following the proper procedures to "patch" the SMF service, the "fix" could be lost when applying future updates or when performing system upgrades. I wish I'll have time to dedicate a post on how to properly do this, but for now I suggest doing just the following:

Identify the involved SMF method:

# svccfg -s apache22 listprop start/exec
start/exec astring     "/lib/svc/method/http-apache22 start"

# ll /lib/svc/method/http-apache22
-r-xr-xr-x   1 root  bin  ... /lib/svc/method/http-apache22

Edit the method and hard-code the /usr/bin/newtask command with the desired project (www) in the indicated line (138) as highlighted below:

# chmod 775 /lib/svc/method/http-apache22

# grep -n apachectl /lib/svc/method/http-apache22
138:... /usr/bin/newtask -p www ${APACHE_BIN}/apachectl ... 2>&1

# chmod 555 /lib/svc/method/http-apache22

The next time the service restarts everything shall be fine and under the new project. If, in addition, an immediate change is required but a standard restart would risk disturbing the services, just apply the solution (1) in addition.
 

Configuration profile - NIS

This is an example of a NIS client configuration profile.
This is useful to streamline installations:

• Associating a profile to an AI service
• Zone cloning

  
Assume all initial prerequisites stay the same.
The following are the necessary customizations.
 
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="profile" name="sysconfig">
  <service version="1" type="service" name="system/config-user">
    <instance enabled="true" name="default">
      <property_group type="application" name="root_account">
        <propval type="astring" name="login" value="root"/>
        <propval type="astring" name="password" value="$5$..."/>
        <propval type="astring" name="type" value="role"/>
      </property_group>
      <property_group type="application" name="user_account">
        <propval type="astring" name="login" value="..."/>
        <propval type="astring" name="password" value="$5$..."/>
        <propval type="astring" name="type" value="normal"/>
        <propval type="astring" name="description" value="Primary Administrator"/>
        <propval type="count" name="gid" value="10"/>
        <propval type="astring" name="shell" value="/usr/bin/bash"/>
        <propval type="astring" name="roles" value="root"/>
        <propval type="astring" name="profiles" value="System Administrator"/>
        <propval type="astring" name="sudoers" value="ALL=(ALL) ALL"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/timezone">
    <instance enabled="true" name="default">
      <property_group type="application" name="timezone">
        <propval type="astring" name="localtime" value="..."/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/environment">
    <instance enabled="true" name="init">
      <property_group type="application" name="environment">
        <propval type="astring" name="LANG" value="en_US.UTF-8"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/identity">
    <instance enabled="true" name="node">
      <property_group type="application" name="config">
        <propval type="astring" name="nodename" value="zone-1"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/keymap">
    <instance enabled="true" name="default">
      <property_group type="system" name="keymap">
        <propval type="astring" name="layout" value="US-English"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/console-login">
    <instance enabled="true" name="default">
      <property_group type="application" name="ttymon">
        <propval type="astring" name="terminal_type" value="sun-color"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="network/physical">
    <instance enabled="true" name="default">
      <property_group type="application" name="netcfg">
        <propval type="astring" name="active_ncp" value="DefaultFixed"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="network/install">
    <instance enabled="true" name="default">
      <property_group type="application" name="install_ipv4_interface">
        <propval type="astring" name="address_type" value="static"/>
        <propval type="net_address_v4" name="static_address" value="192.168.0.84/24"/>
        <propval type="astring" name="name" value="net9/v4"/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/name-service/switch">
    <property_group type="application" name="config">
      <propval type="astring" name="default" value="files nis"/>
      <propval type="astring" name="printers" value="user files nis"/>
      <propval type="astring" name="netgroup" value="nis"/>
    </property_group>
    <instance enabled="true" name="default"/>
  </service>
  <service version="1" type="service" name="network/nis/domain">
    <property_group type="application" name="config">
      <propval type="hostname" name="domainname" value="business.corp"/>
      <property type="host" name="ypservers">
        <host_list>
          <value_node value="nis-2"/>
          <value_node value="nis-3"/>
        </host_list>
      </property>
    </property_group>
    <instance enabled="true" name="default"/>
  </service>
  <service version="1" type="service" name="network/nis/client">
    <instance enabled="true" name="default"/>
  </service>
  <service version="1" type="service" name="system/name-service/cache">
    <instance enabled="true" name="default"/>
  </service>
  <service version="1" type="service" name="network/dns/client">
    <instance enabled="false" name="default"/>
  </service>
  <service version="1" type="service" name="system/ocm">
    <instance enabled="true" name="default">
      <property_group type="application" name="reg">
        <propval type="astring" name="user" value=""/>
        <propval type="astring" name="password" value=""/>
        <propval type="astring" name="key" value=""/>
        <propval type="astring" name="cipher" value=""/>
        <propval type="astring" name="proxy_host" value=""/>
        <propval type="astring" name="proxy_user" value=""/>
        <propval type="astring" name="proxy_password" value=""/>
        <propval type="astring" name="config_hub" value=""/>
      </property_group>
    </instance>
  </service>
  <service version="1" type="service" name="system/fm/asr-notify">
    <instance enabled="true" name="default">
      <property_group type="application" name="autoreg">
        <propval type="astring" name="user" value=""/>
        <propval type="astring" name="password" value=""/>
        <propval type="astring" name="index" value=""/>
        <propval type="astring" name="private-key" value=""/>
        <propval type="astring" name="public-key" value=""/>
        <propval type="astring" name="client-id" value=""/>
        <propval type="astring" name="timestamp" value=""/>
        <propval type="astring" name="proxy-host" value=""/>
        <propval type="astring" name="proxy-user" value=""/>
        <propval type="astring" name="proxy-password" value=""/>
        <propval type="astring" name="hub-endpoint" value=""/>
      </property_group>
    </instance>
  </service>
</service_bundle>
   
Note that as the zone configuration (shown below) is using a net resource, the network/install service must refer to the corresponding name (net9), otherwise error or warning messages will appear during installation. The same goes to the IP address which must respect the value of allowed-address.

# zonecfg -z zone-1 info
zonename: zone-1
zonepath: /zone/zone-1
brand: solaris
autoboot: false
bootargs:
file-mac-profile: fixed-configuration
pool:
limitpriv:
scheduling-class:
ip-type: exclusive
hostid:
fs-allowed:
net:
    address not specified
    allowed-address: 192.168.0.84/24
    configure-allowed-address: true
    physical: net9
    defrouter not specified
attr:
    name: description
    type: string
    value: "zone-1"

Before the 1^st boot it's recommended to update the zone's /etc/hosts.
In fact, for NIS services this is a critical step before the 1^st boot:

# cat /zone/zone-1/root/etc/hosts
#
# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# Internet host table
#
::1             localhost
127.0.0.1       localhost                loghost
#
192.168.0.33    zone-1.business.corp     zone-1
#
192.168.0.202       nis-2.business.corp  nis-2
192.168.0.203       nis-3.business.corp  nis-3
   
Note that this is an immutable zone.
An immutable zone installation behavior has been already documented.
  

Immutable zone installation

This post is a kind of wrap up of a few others, such as:

• Immutable zones
• Zone cloning
• SMF info extraction
• Configuration profile

I will just show how an immutable zone gets installed.
On this example the zone won't have any specific services.
Well, at a minimum, for convenience, I choose make it a NIS client.

On a more real scenario, I would further refine the configuration profile.
For instance, I could add other pre-configured SMF services.

I assume all the premises of the aforementioned posts.
The immutable zone configuration and configuration profile are ready.

In fact, there are more than one installation method.
It can happen through:

• Automated Installer (AI); not shown on this post;
• From the scratch;
• Cloning;

   
There's nothing really special about installing "from the scratch":

# zoneadm -z zone-1 install -c /tmp/zone-1.xml
...

I like the cloning method because it's faster and tends to save space:

# zoneadm -z zone-1 clone -c /tmp/zone-1.xml template-zone
...

NOTE

The argument to the -c option must be an absolute path.
template-zone must not be an immutable zone already.

Here's the zone-1 zone's console on the 1^st boot:

# zlogin -C zone-1
[Connected to zone 'zone-1' console]
 
From another terminal just boot the zone:
 
# zoneadm -z zone-1 boot 

Now go back to the zone's console and watch:
 
[NOTICE: Read-only zone booting up read-write]
 
SunOS Release 5.11 Version 11.1 64-bit
Copyright (c) 1983, 2012, Oracle and/or its affiliates...
Hostname: unknown
Hostname: zone-1

[NOTICE: This read-only system transiently booted read/write]
[NOTICE: Now that self assembly has been completed, the system is rebooting]
[NOTICE: Zone rebooting]
 
SunOS Release 5.11 Version 11.1 64-bit
Copyright (c) 1983, 2012, Oracle and/or its affiliates...
Hostname: zone-1

zone-1 console login:

It's amazing how the system detects I'm installing an immutable zone and then upon installation boots the zone in read-write mode and after installation finishes, the zone is automatically rebooted to assume its immutability state. This saves administrators some work and makes sure no interactions are required.
   

NIS & hosts

Last year and early this year I have covered a great deal of NIS services.
I have tried to exemplify quite a few usual features and functionalities.
The last useful example I have developed was about NIS & logins.
This time I intend to provide an example dealing with new hosts.

It's clearly true that hosts are better managed with DNS services.
Anyway it's instructive to know how to do it in NIS services as well.

For brevity let's take all the assumptions presented in NIS & logins.
Fortunately, the task is much simpler than with accounts (logins & roles).
I'll update a couple of NIS maps and perform a rebuild on the NIS master.

For the sake of this post, I'll add 2 new hosts.
They will be DNS servers, object of a later post about DNS services.
I intend no special relationship between NIS services and DNS services.

The new hosts will be:

• dns-1.business.corp
• dns-2.business.corp

  
If the NIS master is an immutable zones then reboot it in R/W mode.
Next proceed to update the hosts map source.

nis-1# cd /var/nis

nis-1# egrep -i 'dns' hosts
# DNS servers
192.168.0.84    dns-1.business.corp    dns-1
192.168.0.87    dns-2.business.corp    dns-2

Probably it will make sense to update at least some NIS netgroups. In this case no other updates seems necessary, but depending on the role of the host others may be necessary, of course. A more complex example would be the case of new NFS severs.

Let's say I already have a servers NIS netgroup.

nis-1# ypmatch -k servers netgroup
servers: (server-1a,-,business.corp) (server-1b,-,business.corp) ...

I'll create another NIS netgroup called dns-servers.
I won't repeat their names in the servers NIS netgroup.
I'll just append dns-servers to servers.

nis-1# cat netgroup
dns-servers \
(dns-1,-,business.corp) (dns-2,-,business.corp)

servers \
(server-1a,-,business.corp) (server-1b,-,business.corp) ... \
dns-servers
   
...

Note that the order of definition within /var/nis/netgroup is unimportant.
Furthermore, note that it's possible to mix triples with other netgroups.
Now I double-check every update so far.
When ready I proceed to rebuilding the NIS maps.

nis-1# cd /var/yp

nis-1# make
updated netid
pushed netid
updated netgroup
pushed netgroup
updated hosts
pushed hosts
updated ipnodes
pushed ipnodes

As everything seems fine, I proceed to the verifications:

nis-1# ypmatch -k dns-servers netgroup
dns-servers: (dns-1,-,business.corp) (dns-2,-,business.corp)
   
nis-1# ypmatch -k servers netgroup
servers: (server-1a,-,business.corp) ... dns-servers

Now that everything is fine I'm ready to reenter the immutable state.
This is simply accomplished by an ordered reboot.

From withing the non-global zone:
 
nis-1# init 6
 
From the global zone:
 
gz# zoneadm -z nis-1 shutdown -r
  
NOTE

It's important to note that during this processes there were no disruption of service to clients as all NIS clients should have been associated only to NIS slave servers.

  

NIS & logins - troubleshooting #1

Despite all the quality and stability of Solaris 11 sometimes things go wrong.
Before pinning up anything it's important to assess all the variables.

For instance, upon forcibly rebooting a x86 with a few Solaris 11 zones, one of them acting as a NFS server, within a NIS services infrastructure something odd happened; the following values simply vanished:

• The config/* of name-service/switch SMF service.
• The config/domainname of nis/domain SMF service.
• The sharectl nfsmapid_domain.

  
The resolution was simply reentering the correct values, of course.
But until narrow down to what was wrong the symptoms were diverse:

• The NIS users were not being able to log in.
• The NFS server was not resolving any uid and gid.
• The NIS clients were listing nobody for user and group.

Nevertheless it's most important to determine the cause.
In my specific case I suspect of the well known:

Using ZFS Storage Pools in VirtualBox

Yes, I'm using VirtualBox for composing many posts.
Yes, due to a video adapter failure the host system had to be halted for repair.
And, yes, I haven't enabled the cache flushing on the VMs.
  

NIS & roles

I've already posted about NIS & logins.
This post is a similar one but about NIS & roles.

A role is an account that is used to indirectly access the system.
As a login it posses the concepts of credential and home directory.
Those resources are conveniently centrally managed by NIS services.
Unfortunately NIS can't provide nowadays security requirements.
Nevertheless, it may still be very useful on restricted scenarios.

I reinstate the assumptions listed on NIS & logins.
Nevertheless I make one exception (just for illustration):
the NIS master host nis-1 is an immutable zones of host-1.

On this example, I'll create a role called nis.
The goal is to manage NIS through this role avoiding the cumbersome sudo.

To perform the series of changes on nis-1 reboot it into read-write mode:
(when finished, reboot it once again to reenter the read-only mode)

host-1# zoneadm -z nis-1 reboot -w

Create the role account on the NIS master:

nis-1# roleadd -c "NIS" -K roleauth=user nis

nis-1# getent passwd nis
nis:x:103:10:NIS:/export/home/nis:/usr/bin/pfbash

nis-1# passwd nis
New Password:
Re-enter new Password:
passwd: password successfully changed for nis

Copy the role basic configuration to the appropriate maps' sources:

nis-1# grep nis /etc/passwd >> /var/nis/acct/passwd
nis-1# grep nis /etc/shadow >> /var/nis/acct/shadow

Clean up the local role account from the NIS master:

nis-1# roledel nis

Edit the group and home directory configuration on the passwd map.
It should look like as follows:

nis-1# grep nis /var/nis/acct/passwd
nis:x:103:1001:NIS:/home/nis:/usr/bin/pfbash

nis-1# grep nis /var/nis/group
nis::1001:

Edit the netgroup configuration.
It should look somewhat similar to:
 
nis-1# cat /var/nis/netgroup
...
nisadmin ... (-,nis,business.corp) ...
...

Edit the project configuration on the project map.
It should look like as follows:

nis-1# grep nis /var/nis/project
nisadmin:200:NISAdmin:nis::

nis-1# grep nis /var/nis/user_attr  
nis::::type=role;project=nisadmin;profiles=All;roleauth=user

Edit the automounter configuration on the auto_home map.
It should look like as follows:

nis-1# grep nis /var/nis/auto_home
nis nfs-1.business.corp:/export/home/&

Run make on the updated sources:

nis-1:/var/yp# make
updated passwd
pushed passwd
updated ageing
updated netid
pushed netid
updated project
pushed project
updated netgroup
pushed netgroup
updated auto.home
pushed auto.home
updated user_attr
pushed user_attr

Verify that the maps were correctly updated:

nis-2$ ypmatch -k nis passwd
nis: nis:...:103:1001:NIS:/home/nis:/usr/bin/pfbash
 
nis-2$ ypmatch -k nis auto.home
nis: nfs-1.business.corp:/export/home/&
 
nis-2$ ypmatch -k nisadmin project
nisadmin: nisadmin:102:NISAdmin:nis::

nis-2$ ypmatch -k nis user_attr
nis: nis::::project=nisadmin;type=role;roleauth=user;...
 
nis-2$ ypcat -k netgroup | grep nis
nisadmin (-,nis,business.corp)

Create and export the home directory:

nfs-1# zfs create \
> -o quota=1g \
> -o share.nfs.sec.sys.rw="desktops:servers" \
> rpool/export/home/nis

nfs-1# cp /etc/skel/.profile /export/home/nis
nfs-1# cp /etc/skel/.bashrc /export/home/nis

nfs-1# chown -R nis:root /export/home/nis

nfs-1# ll -a /export/home/nis
total 11
drwxr-xr-x   5 root     root    ... ..
drwxr-xr-x   2 nis      nis     ... .
-rw-r--r--   1 nis      nis     ... .profile
-r--r--r--   1 nis      nis     ... .bashrc

nfs-1# zfs set share.nfs=on rpool/export/home/nis

nfs-1# zfs get -o value share rpool/export/home/nis
VALUE
name=...,path=/export/home/nis,...,rw=servers:desktops

In addition to the update of NIS maps, if there were changes on any NIS netgroup that's referenced on some NFS share, then it's necessary to refresh the NFS service.

In order to be useful, roles must be associated with logins.
To associate the role nis with the login user2 alter the user_attr NIS map.

nis-1# grep nis /var/nis/user_attr  
nis::::project=project1;roles=nis

Then run make on the updated source:

nis-1:/var/yp# make
...
   
NOTE

It's important to note that during this processes there were no disruption of service to clients as all NIS clients should have been associated only to NIS slave servers.

  

Mercurial sample #1

There are excellent and comprehensive Mercurial references out there.
Nevertheless, it may be instructive to share my own learning process.
As an example I will take the NIS maps' source files directory tree:
 

├── acct
│   ├── passwd
│   └── shadow
├── aliases
├── auto_home
├── auto_master
├── ethers
├── group
├── hosts
├── ipnodes -> hosts
├── netgroup
├── netid
├── netmasks
├── networks
├── project
├── protocols
├── publickey
├── rbac
│   ├── auth_attr
│   ├── exec_attr
│   └── prof_attr
├── rpc
├── services
├── sudoers
└── user_attr

This directory tree will turn into a Mercurial repository on the NIS master.
Of course, this repository will be central and sysadmins will have their own.
This will help organize the shared management by several sysadmins.

The first concern is with the directory tree permissions.
The trouble is to share the directory tree with all sysadmins.
Giving root (sudo) access to sysadmins is a security problem.
Creating a group for the sysadmins may hit system limits.
The natural solution in Solaris is to share a role.

So, adjust the directory tree owner and group:
(the mode was already set according to NIS maps' source files)

nis-1# chown -R nis:nis /var/share/nis

nis-1# ls -lh /var/nis/*
total ...
-rw-r-----   1 nis     nis  ...  aliases
-rw-r-----   1 nis     nis  ...  auto_home
-rw-r-----   1 nis     nis  ...  auto_master
-rw-r-----   1 nis     nis  ...  ethers
-rw-r-----   1 nis     nis  ...  group
-rw-r-----   1 nis     nis  ...  hosts
lrwxrwxrwx   1 root    root ...  ipnodes -> hosts
-rw-r-----   1 nis     nis  ...  netgroup
-rw-r-----   1 nis     nis  ...  netid
-rw-r-----   1 nis     nis  ...  netmasks
-rw-r-----   1 nis     nis  ...  networks
-rw-r-----   1 nis     nis  ...  project
-rw-r-----   1 nis     nis  ...  protocols
-rw-r-----   1 nis     nis  ...  publickey
-rw-r-----   1 nis     nis  ...  rpc
-rw-r-----   1 nis     nis  ...  services
-r--r-----   1 nis     nis  ...  sudoers
-rw-r-----   1 nis     nis  ...  user_attr

/var/nis/acct:
total ...
-rw-r-----   1 nis     nis  ...  passwd
-r--------   1 nis     nis  ...  shadow
 
/var/nis/rbac:
total ...
-rw-r-----   1 nis     nis  ...  auth_attr
-rw-r-----   1 nis     nis  ...  exec_attr
-rw-r-----   1 nis     nis  ...  prof_attr
 
Log in as a user who has been granted the above role:

$ su - nis
Password:
Oracle Corporation    SunOS 5.11    11.1    December 2013
  
$ who am i
user2      pts/1      ...

Go to the NIS sources directory and do some adjustment:

$ cd /var/nis

$ rm ipnodes
$ ln -s hosts ipnodes

Create the Mercurial repository and minimal configuration file:

$ hg init

$ hg root
/var/share/nis

$ cat ~/.hgrc
[ui]
username = NIS role

Create a baseline (the initial snapshot or changeset):

$ hg status
? acct/passwd
? acct/shadow
? aliases
? auto_home
? auto_master
? ethers
? group
? hosts
? ipnodes
? netgroup
? netid
? netmasks
? networks
? project
? protocols
? publickey
? rbac/auth_attr
? rbac/exec_attr
? rbac/prof_attr
? rpc
? services
? sudoers
? user_attr

$ hg add
adding acct/passwd
adding acct/shadow
adding aliases
adding auto_home
adding auto_master
adding ethers
adding group
adding hosts
adding ipnodes
adding netgroup
adding netid
adding netmasks
adding networks
adding project
adding protocols
adding publickey
adding rbac/auth_attr
adding rbac/exec_attr
adding rbac/prof_attr
adding rpc
adding services
adding sudoers
adding user_attr
 
$ hg status
A acct/passwd
A acct/shadow
A aliases
A auto_home
A auto_master
A ethers
A group
A hosts
A ipnodes
A netgroup
A netid
A netmasks
A networks
A project
A protocols
A publickey
A rbac/auth_attr
A rbac/exec_attr
A rbac/prof_attr
A rpc
A services
A sudoers
A user_attr 
  
$ hg commit -m "Baseline"

$ hg summary
parent: 0:79f1ad4f096b tip
 Baseline
branch: default
commit: (clean)
update: (current)

$ hg tip
changeset:   0:79f1ad4f096b
tag:         tip
user:        NIS role
date:        Wed Apr 09 15:10:24 2014 -0300
summary:     Baseline
  

NIS maps' source files

The first (somewhat boring) step for installing a NIS master is the creation of the source files location and its appropriate contents at a stable location on the NIS master virtual file system hierarchy. Furthermore, for security reasons it's better to create 2 additional subdirectories within it in order to segregate user account information from RBAC information from general information. Instead of a traditional directory structure, I'll use two Solaris specific technologies, ZFS and VARSHARE together with a Revision Control System. Simply use ordinary directories isn't the best approach where management and control are required.

Create sub-datasets of rpool/VARSHARE which will provide boot environments (BEs) independence and allow for ZFS snapshots and specific properties such as ZFS compression and ZFS deduplication. If on an immutable zone, be aware that a preliminary boot -w will be required in order to take snapshots, which is probably an inconvenience; NIS maps need to be frequently changed and taking a ZFS snapshot before each change would require 2 reboots. Because of this, one could consider a Version Control System such as Mercurial in order to streamline the management of the source maps by not requiring any reboots leaving ZFS snapshots would be left for more long term backup strategy. But thinking twice, that's not a good idea because no NIS client should be pointing to the NIS master but instead to a NIS slave. Rebooting the NIS master isn't an issue after all.
  
# zfs create -p rpool/VARSHARE/nis/acct
# zfs create -p rpool/VARSHARE/nis/rbac

# zfs list -t all -r rpool/VARSHARE 
NAME                    USED AVAIL REFER MOUNTPOINT
rpool/VARSHARE          124K 13.9G   48K /var/share
rpool/VARSHARE/nis       95K 13.9G   33K /var/share/nis
rpool/VARSHARE/nis/acct  31K 13.9G   31K /var/share/nis/acct
rpool/VARSHARE/nis/rbac  31K 13.9G   31K /var/share/nis/rbac 
  
# chmod -R 750 /var/share/nis
  
Following the Solaris best practice, a symbolic link is created.

# ln -s /var/share/nis /var/nis
# ls -lh /var | grep ^l
...
lrwxrwxrwx   1 root     root ... nis -> ../var/share/nis
... 
 
# ls -lh /var/share/nis
...
drwxr-x---   2 root     root ... acct
drwxr-x---   2 root     root ... rbac

Next the initial maps' sources are created.
   
# cd /var/share/nis 
 
# cp /etc/{group,project} .
# cp /etc/{passwd,shadow} acct
# cp /etc/security/{prof_attr,exec_attr,auth_attr} rbac
 
# touch ethers netgroup netid
# sed -e '/^[^#]/d' < /etc/mail/aliases > ./aliases
# sed -e '/^[^#]/d' < /etc/hosts > ./hosts  
# sed -e '/^[^#]/d' < /etc/auto_master > ./auto_master
# sed -e '/^[^#]/d' < /etc/auto_home > ./auto_home
# sed -e '/^[^#]/d' < /etc/networks > ./networks
# sed -e '/^[^#]/d' < /etc/netmasks > ./netmasks
# sed -e '/^[^#]/d' < /etc/protocols > ./protocols 
# sed -e '/^[^#]/d' < /etc/services > ./services
# sed -e '/^[^#]/d' < /etc/rpc > ./rpc
# sed -e '/^[^#]/d' < /etc/publickey > ./publickey  
# sed -e '/^[^#]/d' < /etc/user_attr > ./user_attr
# sed -e '/^[^#]/d' < /etc/sudoers > ./sudoers

# ln -s hosts ipnodes 
  
# chmod -R o= /var/share/nis

# ls -lh /var/nis/*
total ...
-rw-r-----   1 root     root ... aliases
-rw-r-----   1 root     root ... auto_home
-rw-r-----   1 root     root ... auto_master
-rw-r-----   1 root     root ... ethers
-rw-r-----   1 root     root ... group
-rw-r-----   1 root     root ... hosts
lrwxrwxrwx   1 root     root ... ipnodes -> hosts
-rw-r-----   1 root     root ... netgroup
-rw-r-----   1 root     root ... netid
-rw-r-----   1 root     root ... netmasks
-rw-r-----   1 root     root ... networks
-rw-r-----   1 root     root ... project
-rw-r-----   1 root     root ... protocols
-rw-r-----   1 root     root ... publickey
-rw-r-----   1 root     root ... rpc
-rw-r-----   1 root     root ... services
-r--r-----   1 root     root ... sudoers
-rw-r-----   1 root     root ... user_attr

/var/nis/acct:
total ...
-rw-r-----   1 root     root ... passwd
-r--------   1 root     root ... shadow
 
/var/nis/rbac:
total ...
-rw-r-----   1 root     root ... auth_attr
-rw-r-----   1 root     root ... exec_attr
-rw-r-----   1 root     root ... prof_attr

Now the contents of the copied files must be appropriately adjusted according to the best practices and requirements. I'm assuming all the defaults of a fresh installation so certain source files require cleanup:

# cd /var/nis 

# cat /dev/null > acct/passwd
# cat /dev/null > acct/shadow 
# cat /dev/null > ./group
# cat /dev/null > ./project

Now the source files and respective structure for the NIS maps are set.
Now proceed to install and configure the NIS master and its NIS slaves.