Friday, August 31, 2012

Custom JumpStart finish (extras)

Assume that the setup is according to Custom JumpStart framework setup.
For convenience, a finish script can reference /jumpstart/extras subdirectories:
 
# cd /jumpstart/extras
# ll -a
total ...
drwxr-xr-x   2 root   root      12 Aug 31 14:38 .
drwxr-xr-x   3 root   root       8 Aug 31 12:47 ..
-rw-r--r--   1 root   other     49 Aug 29 14:36 .bashrc
-rw-r--r--   1 root   other     30 Aug 29 14:32 .inputrc
-rw-r--r--   1 root   other    411 Aug 31 11:10 .profile
-rw-r--r--   1 root   other     20 Aug 29 14:32 .screenrc
-rwxr-xr-x   1 root   root     28M Aug 20 08:51 install_stb.sh
-rw-r--r--   1 root   sys      270 Aug 30 13:54 issue
-rw-r--r--   1 root   root    2.8K Aug 30 14:27 pam.conf
-rw-r--r--   1 root   root    1.1K Aug 30 13:50 syslog.conf
-r--r--r--   1 root   sys     1.2K Oct 10 08:39 site.xml
-rw-r-----   1 root   sys       11 Aug 30 13:52 user.allow
  
It may be good to document the contents of some of these files in more detail.
  
# cat issue

THIS IS ... INFORMATION SYSTEM.
ACCESS IS PROVIDED FOR AUTHORIZED USE ONLY.
YOU MUST COMPLY WITH THE POLICIES AND CONDITIONS.
COMMUNICATION CAN BE MONITORED AND DATA INSPECTED AND SEIZED.

  
# cat .screenrc
defscrollback 10000
  
# cat .bashrc
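# Prompt and alias setup for interactive bash sessions.
#
# root gets a red host name only, so a privileged shell stands out;
# every other account gets user@host.  The working directory and the
# \$ marker are appended for both.
#
# LOGNAME is an inherited environment variable, so the colour is only a
# visual cue.  The trailing \$ is what bash derives from the effective uid
# (# for uid 0, $ otherwise).
#
# typeset +x keeps PS1 a plain shell variable: it is not exported to
# child processes.
if [ "$LOGNAME" = "root" ]
then
    # The value must be on the same line as "PS1=".  Split across lines,
    # PS1 is set to the empty string and the quoted text is run as a command.
    typeset +x PS1='\[\e[31m\]\h\[\e[0m\]'
else
    typeset +x PS1='\[\e[0;36m\]\u\[\e[0;34m\]@\[\e[2;34m\]\h\[\e[0m\]'
fi
typeset +x PS1="$PS1"':\[\e[0;34m\]\w\[\e[0m\] \$ '

# Long listing with human-readable sizes.
alias ll='ls -lh'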
  
# cat .inputrc
$if term=xterm
"\e[3~":delete-char
$endif
 
# cat .profile
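# Login profile copied onto the client from /jumpstart/extras.
#
# Builds PATH and MANPATH from the optional packages that are actually
# installed, selects an editor and a pager, and reads .bashrc when the
# login shell is bash.
#
# Only absolute directories are added; PATH never receives "." or an
# empty element, so command lookup does not depend on the current directory.
PATH=/usr/bin:/usr/sbin
PATH=$PATH:/usr/ccs/bin:/usr/ucb:/usr/openwin/bin:/usr/sfw/bin
# /opt/sfw is placed in FRONT of the system directories, so its binaries
# shadow same-named system tools.  That is only safe while /opt/sfw is
# writable by root alone.
[ -d /opt/sfw ] && PATH=/opt/sfw/bin:/opt/sfw/sbin:$PATH

MANPATH=/usr/man

# Optional add-on packages under /opt: each one is appended only when its
# directory exists, so PATH carries no dangling entries.
if [ -d /opt/SUNWexplo ]
then
    PATH=$PATH:/opt/SUNWexplo/bin
    MANPATH=$MANPATH:/opt/SUNWexplo/man
fi

if [ -d /opt/SUNWlwact ]
then
    PATH=$PATH:/opt/SUNWlwact/bin
    MANPATH=$MANPATH:/opt/SUNWlwact/man
fi

if [ -d /opt/SUNWsneep ]
then
    PATH=$PATH:/opt/SUNWsneep/bin
    MANPATH=$MANPATH:/opt/SUNWsneep/man
fi

if [ -d /opt/CTEact ]
then
    PATH=$PATH:/opt/CTEact/bin
    MANPATH=$MANPATH:/opt/CTEact/man
fi

if [ -d /opt/CTEactx ]
then
    PATH=$PATH:/opt/CTEactx/bin
fi

if [ -d /opt/ocm ]
then
    PATH=$PATH:/opt/ocm/ccr/bin:/opt/ocm/bin
    MANPATH=$MANPATH:/opt/ocm/ccr/sysman
fi

if [ -d /opt/SUNWsasm ]
then
    PATH=$PATH:/opt/SUNWsasm/bin
fi

if [ -d /opt/SUNWsftransport ]
then
    PATH=$PATH:/opt/SUNWsftransport/bin
    MANPATH=$MANPATH:/opt/SUNWsftransport/man
fi

# Processor-specific additions.  Backticks are kept on purpose so the file
# stays readable by a traditional Bourne shell, which has no $( ) form.
case `uname -p` in

sparc)
    if [ -d /usr/platform/`uname -i`/rsc ]
    then
        PATH=$PATH:/usr/platform/`uname -i`/rsc
    fi

    if [ -d /opt/SUNWconn/man ]
    then
        # NOTE(review): a man directory is appended to PATH here;
        # /opt/SUNWconn/bin was probably intended - confirm before changing.
        PATH=$PATH:/opt/SUNWconn/man
        # The assignment must stay on one line.  Split across lines it
        # empties MANPATH and then tries to execute the remaining text.
        MANPATH=$MANPATH:/opt/SUNWconn/man:/opt/SUNWconn/trunking/man
    fi

    if [ -d /opt/SUNWrtvc ]
    then
        PATH=$PATH:/opt/SUNWrtvc/bin
        MANPATH=$MANPATH:/opt/SUNWrtvc/man
    fi

    if [ -d /opt/SUNWswasr ]
    then
        # bin is optional; asrassetbundle is added whenever the package exists.
        [ -d /opt/SUNWswasr/bin ] && PATH=$PATH:/opt/SUNWswasr/bin
        PATH=$PATH:/opt/SUNWswasr/asrassetbundle
    fi
    ;;

i386)
    # Nothing processor-specific to add.
    ;;

esac

# -x rather than -e: the editor has to be executable to be of any use, and
# -e is not accepted by every Bourne-family "test".
if [ -x /opt/sfw/bin/vim ]
then
    EDITOR=/opt/sfw/bin/vim
else
    EDITOR=/usr/bin/vi
fi

PAGER="/usr/bin/less -ins"

case ${SHELL} in
*bash)
    # Absolute path: a bare ".bashrc" is resolved through PATH and then the
    # current directory.  A file dropped into whatever directory this
    # profile is read from would then run with this account's privileges.
    if [ -r "$HOME/.bashrc" ]
    then
        . "$HOME/.bashrc"
    fi
    ;;
esac

export PATH
export MANPATH
export EDITOR
export PAGER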

   
# cat syslog.conf
# syslog.conf: each line is "selector  action".
# NOTE(review): the columns look space-separated in this listing, but
# syslog.conf(4) expects TABs between selector and action - confirm the
# real file uses TABs.
# No loghost forwarding entry is present, so every message stays on the
# local machine.

# Errors from any facility, plus kernel and auth notices, go to the
# system console device.
*.err;kern.notice;auth.notice               /dev/sysmsg
# General system log.
*.err;kern.debug;daemon.notice;mail.crit    /var/adm/messages

# Alerts are written to the terminals of the named users when they are
# logged in; "*" addresses every logged-in user.
*.alert;kern.err;daemon.err                 operator
*.alert                                     root
*.emerg                                     *

# Authentication events get their own file, separate from general messages.
# NOTE(review): presumably the target files must already exist and be
# readable by root only - verify on the installed system.
auth.notice                                 /var/log/authlog
mail.debug                                  /var/log/syslog
 
# cat user.allow
root
prime
...
   
# cat pam.conf
# PAM policy for the installed system.
# Format: service  module-type  control-flag  module  [options]
# A service with no entry of its own for a module type uses the matching
# "other" stack further down.

# Legacy entry points: all four module types are pinned to pam_deny with
# "requisite", so ppp can never authenticate through PAM.
ppp     auth     requisite  pam_deny.so.1
ppp     account  requisite  pam_deny.so.1
ppp     session  requisite  pam_deny.so.1
ppp     password requisite  pam_deny.so.1

# Kerberized rlogin: only the auth stack is declared here.  Account,
# session and password handling come from "other".
krlogin auth     required   pam_unix_cred.so.1
krlogin auth     required   pam_krb5.so.1

# Plain rlogin is denied outright.
rlogin  auth     requisite  pam_deny.so.1
rlogin  account  requisite  pam_deny.so.1
rlogin  session  requisite  pam_deny.so.1
rlogin  password requisite  pam_deny.so.1

# Kerberized rsh: auth only, the rest comes from "other".
krsh    auth     required   pam_unix_cred.so.1
krsh    auth     required   pam_krb5.so.1

# Plain rsh is denied outright.
rsh     auth     requisite  pam_deny.so.1
rsh     account  requisite  pam_deny.so.1
rsh     session  requisite  pam_deny.so.1
rsh     password requisite  pam_deny.so.1

# Kerberized telnet: auth only, the rest comes from "other".
ktelnet auth     required   pam_unix_cred.so.1
ktelnet auth     required   pam_krb5.so.1

# Plain telnet is denied outright.
telnet  auth     requisite  pam_deny.so.1
telnet  account  requisite  pam_deny.so.1
telnet  session  requisite  pam_deny.so.1
telnet  password requisite  pam_deny.so.1

# passwd has its own auth stack.  cron and cups have their own account
# stacks, so they do NOT pass through pam_roles or the pam_list allow
# list in "other account".
# NOTE(review): presumably intentional, so that jobs of system accounts
# keep running - confirm.
passwd  auth     required   pam_passwd_auth.so.1
cron    account  required   pam_unix_account.so.1
cups    account  required   pam_unix_account.so.1

# Default authentication stack for every service not named above.
# The pam_krb5 line is left commented out, so Kerberos is not used here.
other   auth     requisite  pam_authtok_get.so.1
other   auth     required   pam_dhkeys.so.1
other   auth     required   pam_unix_cred.so.1
#other  auth     sufficient pam_krb5.so.1
other   auth     required   pam_unix_auth.so.1

# Default account stack.  pam_list admits only the accounts listed in
# /etc/user.allow.  Because the flag is "requisite", anyone else is
# rejected immediately, on the console as well as over the network.
# Keep root (or another administrative account) in that file.  Keep the
# file owned by root and not writable by others: whoever can edit it
# decides who may log in.
other   account  requisite  pam_roles.so.1
other   account  requisite  pam_list.so.1   allow=/etc/user.allow
#other  account  sufficient pam_krb5.so.1
other   account  required   pam_unix_account.so.1

other   session  required   pam_unix_session.so.1

# Default password-change stack.
# NOTE(review): force_check should make pam_authtok_check run its quality
# checks even when the caller asks to skip them - confirm against
# pam_authtok_check(5) for this release.
other   password required   pam_dhkeys.so.1
other   password requisite  pam_authtok_get.so.1
other   password requisite  pam_authtok_check.so.1    force_check
#other  password sufficient pam_krb5.so.1
other   password required   pam_authtok_store.so.1

# cat site.xml 
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>


<!--
    Copyright (c) 2012 ...
    All rights reserved.

    This file, /var/svc/profile/site.xml, is a distinguished location
    for a site-specific service profile, treated otherwise equivalently
    to the generic_limited_net.xml file.

    Every instance listed below is marked enabled='false'.
    NOTE(review): confirm the resulting state with svcs on a freshly
    installed client; a profile entry states the intended setting, it is
    not proof that the service is down.
-->


<service_bundle type='profile' name='site'
         xmlns:xi='http://www.w3.org/2003/XInclude' >

  <!--
      Disable otherwise enabled CDE services.
      Two of them are registered under network/rpc, i.e. they are RPC
      services, which makes them the most relevant for network exposure.
  -->


  <service 
name='application/cde-printinfo'
    version='1' type='service'>
      <instance name='default' enabled='false' />
  </service>


  <!-- RPC service; only the 'tcp' instance is named here. -->
  <service 
name='network/rpc/cde-ttdbserver'
    version='1' type='service'>
      <instance name='tcp' enabled='false' />
  </service>


  <!-- Graphical login screen; console logins stay text-only. -->
  <service 
name='application/graphical-login/cde-login'
    version='1' type='service'>
      <instance name='default' enabled='false' />
  </service>


  <!-- RPC service. -->
  <service 
name='network/rpc/cde-calendar-manager'
    version='1' type='service'>
      <instance name='default' enabled='false'/>
  </service>

  <!--
      Disable yet other services.
      The web console is switched off as well.
  -->


  <service 
name='system/webconsole' 
    version='0' type='service'>
      <instance name='console' enabled='false'/>
  </service>

</service_bundle>

  

Custom JumpStart finish script

Assume that the setup is according to Custom JumpStart framework setup.
Finish scripts are useful for carrying out customizations at the end of the installation.
In fact, some X86 systems require the finish script to end with the reboot command.
  
The finish scripts are placed in the /jumpstart directory:
 
# cd /jumpstart
# ll
total 145
-r-xr-xr-x   1 root   root     63K Aug 21 15:04 check
drwxr-xr-x   3 root   root      13 Aug 31 11:11 extras
-rw-r--r--   1 root   root    3.2K Aug 31 12:47 finish_x86
-rw-r--r--   1 root   root     693 Aug 31 07:49 profile_x86
-rw-r--r--   1 root   root     277 Aug 29 14:06 rules
-rw-r--r--   1 root   root     112 Aug 31 09:39 rules.ok
 
   
A finish script is referenced in the rules file:
 
# cat rules
 
# keyword & value             begin  profile        finish
# --------------------------- ------ -------------- -----------
  karch i86pc                 -      profile_x86    finish_x86    
    
The following is a sample finish script designed on X86.
It references the extras subdirectory in an effort to complement or simplify the work.

Friday, August 24, 2012

Custom JumpStart sysid

Assume that the setup is according to Custom JumpStart framework installation.
Another important part of Custom JumpStart is the set of system identification (sysidcfg) files.
The system identification files contribute to a fully automated installation.
 
Each client requires a dedicated system identification subdirectory of /config.
Inside each subdirectory create a sysidcfg file for the client.
  
# mkdir /config/X86-client-1
  
The syntax of the sysidcfg file is well documented at sysidcfg(4) or at OTN.
Here's a sample of it:
 
# cat /config/client-1/sysidcfg
# sysidcfg: answers the system identification questions so that the
# installation can run without prompting.

# Terminal type; the value can be any entry from /usr/share/lib/terminfo/*
terminal=vt100

# Keyboard layout; the value can be any entry from
# /usr/share/lib/keytables/type_6/kbd_layouts
keyboard=US-English 

# System locale; the value can be any entry from /usr/lib/locale
system_locale=C

# Time zone; the value can be any entry from /usr/share/lib/zoneinfo
timezone=US/Eastern

# The system time setup
# "localhost" means the client's own clock is assumed to be correct
# (NTP should be set up later, e.g. from the finish script)
timeserver=localhost
  
# The network services secure-by-default option
# Except for SSH, disable or constrain all network services
service_profile=limited_net
  
# The possible values are:
#        NONE : traditional Unix way (no Kerberos)
#    kerberos : recommended if such infrastructure is available
security_policy=NONE
  
# The NFSv4 domain is dynamically derived from DNS
nfs4_domain=dynamic
  
# The desired initial root password, given as the hash field taken from
# an /etc/shadow entry (not the clear-text password).
# NOTE(review): install clients fetch this file from the server's /config
# share, so the hash is readable by anyone who can reach that share.
# Treat it as an install-time password only: change it after first boot
# and restrict which hosts may mount /config.
root_password=...
 
# The basic networking setup
# If not sure of an interface name, such as e1000g0, try PRIMARY
# NONE can leave more advanced configuration to a finish script
network_interface=PRIMARY {
hostname=X86-client-1
ip_address=192.168.0.220
netmask=255.255.255.0
default_route=192.168.0.254
protocol_ipv6=no
}
 
# The naming service configuration
# Common values are: NONE, NIS, DNS or LDAP
name_service=DNS
{
domain_name=company.com
search=hq.company.com,company.com
name_server=192.168.0.5,10.0.0.5
}
  
# The auto-registration keyword appeared with Update 9
# A value must be present in order to keep the installation fully unattended
auto_reg=none
    

Custom JumpStart rules & profiles

Assume that the setup is according to Custom JumpStart framework installation.
Another important part of Custom JumpStart is the set of install rules and profile files.
The rules file selects which clients qualify and which profile is used in each case.

All of the following is done in the /jumpstart directory:

# cd /jumpstart 

The syntax of the rules files is reasonably flexible to get the job done.
As an example, let's show one that distinguishes between X86 and SPARC clients.
 
# cat rules

# keyword & value                     begin profile       finish
# ----------------------------------- ----- ------------- ------
  karch i86pc && memsize 1024-8192    -     profile_x86_s -
  karch i86pc && memsize 8193-65536   -     profile_x86_m -
  karch i86pc && memsize 65537-524288 -     profile_x86_l -
  karch sparc                         -     profile_sparc -
    
Edit each referenced profile accordingly.
Assume 192.168.0.12 as the IP address of the X86 Custom JumpStart server.
The differences between the X86 and SPARC profiles are the patch numbers and the server IP.
I also assume at least an available pair of disks equal or close in size.
Instead of letting the installer compute the swap size (auto) I've chosen to have 4g.
   
# cat profile_x86_s
#
# JumpStart profile for the X86 clients selected by the rules file.
#
# keyword          value
# ---------------  ----------------------
  install_type     initial_install
  system_type      server
# SUNWCXall selects the largest software group.
# NOTE(review): everything installed has to be patched and hardened
# afterwards; consider a smaller cluster if the role allows it.
  cluster          SUNWCXall

# ZFS root pool "rpool": automatic pool size, 4g swap, automatic dump
# size, mirrored across any two available disks.
  pool             rpool auto 4g auto mirror any any
# Boot environment named JumpStart, with /var in a dataset of its own.
  bootenv          installbe bename JumpStart dataset /var

  locale           en_US.UTF-8
  geo              N_America

# Extra packages and patches are pulled over NFS from the JumpStart server.
# NOTE(review): nothing in this profile verifies what is fetched, so the
# integrity of the installed system depends on who can write to the
# /package and /patch shares - TODO confirm they are exported read-only
# and writable by administrators alone.
  package          SFWncur        add nfs 192.168.0.12:/package
  package          SFWvim         add nfs 192.168.0.12:/package
  package          SFWscrn        add nfs 192.168.0.12:/package
  package          AZ-first-boot  add nfs 192.168.0.12:/package

  patch            121119-20          nfs 192.168.0.12:/patch
  patch            121431-84          nfs 192.168.0.12:/patch
  patch            123896-50          nfs 192.168.0.12:/patch
  patch            119789-11          nfs 192.168.0.12:/patch 

      
Finally, verify if everything is OK, generating the rules.ok file.
 
# cp -p  /install/Solaris_10/Misc/jumpstart_sample/check .
# ./check
Validating rules...
Validating profile profile_x86_s...
Validating profile profile_x86_m...
Validating profile profile_x86_l... 
Validating profile profile_sparc...
The custom JumpStart configuration is ok.
 
# ll rules*
...
  

Thursday, August 23, 2012

Custom JumpStart SPARC clients

Assume that the setup is according to Custom JumpStart framework installation.
Adapt the paths and other minor items to SPARC instead of what was shown for X86.
As always I prefer to work with an ISC-DHCP server.
 
IMPORTANT
Make sure to change directories to  /install/Solaris_10/Tools before beginning. 
  
Assume 192.168.0.12 as the IP address of the SPARC Custom JumpStart server.
Adding support, for example, to a group of SPARC clients is done as:
  
# cd /install/Solaris_10/Tools
# export SERVER=js-01.company.com  # consider IP to avoid name resolution issues 
# ./add_install_client \
   -d \
   -s $SERVER:/install \
   -c $SERVER:/jumpstart \
   -p $SERVER:/config \
   `uname -i` \
   `uname -m`

making /tftpboot

copying boot file to
  /tftpboot/inetboot.SUN4U.Solaris_10-1...

To enable SUNW.Sun-Fire-V890 in the DHCP server, ensure that
the following Sun vendor-specific options are defined
(SinstNM, SinstIP4, SinstPTH, SrootNM, SrootIP4,
SrootPTH, and optionally SbootURI, SjumpCF and SsysidCF),
and add a macro to the server named SUNW.Sun-Fire-V890,
containing the following option values:
  
 Install server      (SinstNM)  : js-01.company.com
 Install server IP   (SinstIP4) : 192.168.0.12
 Install server path (SinstPTH) : /install
 Root server name    (SrootNM)  : js-01
 Root server IP      (SrootIP4) : 192.168.0.12
 Root server path    (SrootPTH) : /install/Solaris_10/Tools/Boot
 Profile location    (SjumpsCF) : js-01.company.com:/jumpstart
 sysidcfg location   (SsysidCF) : js-01.company.com:/config

# ll /tftpboot
total 524
-rwxr-xr-x 1 root root ... inetboot.SUN4U.Solaris_10-1
-rw-r--r-- 1 root root ... rm.SUNW.SPARC-Enterprise
-rw-r--r-- 1 root root ... rm.SUNW.Sun-Fire-V890
lrwxrwxrwx 1 root root ... SUNW.SPARC-Enterprise
                           -> inetboot.SUN4U.Solaris_10-1
lrwxrwxrwx 1 root root ... SUNW.Sun-Fire-V890
                           -> inetboot.SUN4U.Solaris_10-1
lrwxrwxrwx 1 root root ... tftpboot
                           -> .
  
Next, follow the SPARC Custom JumpStart DHCP.