Traditionally with older Solaris versions you had to leave /sbin/sh as the default root shell.
In Solaris 8 and 9, you’re supposed to do this because all the libraries for dynamic linking are in /usr/lib, which could well be on a separate /usr filesystem. This filesystem may not be accessible during the maintenance boot, and therefore it is regarded as a very bad practice to change the root shell.
To make sure the superuser is always going to be able to log in, you have a /sbin/sh assigned to root, and it’s a statically built binary, so it doesn’t need any of the external libraries:
vasanth$ file /sbin/sh
/sbin/sh: ELF 32-bit MSB executable SPARC Version 1, statically linked, stripped
vasanth$ ldd /sbin/sh
ldd: /sbin/sh: file is not a dynamic executable or shared object
Solaris 10 has greatly improved this situation, with two major changes:
Standard libraries are in /lib now
Because /lib is on the root filesystem, these libraries are always accessible during maintenance boots.
As a result, /sbin/sh is now a regular executable using dynamic libraries:
solaris$ file /sbin/sh
/sbin/sh: ELF 32-bit MSB executable SPARC Version 1, dynamically linked, stripped
solaris$ ldd /sbin/sh
libgen.so.1 => /lib/libgen.so.1
libsecdb.so.1 => /lib/libsecdb.so.1
libc.so.1 => /lib/libc.so.1
libnsl.so.1 => /lib/libnsl.so.1
libcmd.so.1 => /lib/libcmd.so.1
libmp.so.2 => /lib/libmp.so.2
libmd5.so.1 => /lib/libmd5.so.1
libscf.so.1 => /lib/libscf.so.1
libdoor.so.1 => /lib/libdoor.so.1
libuutil.so.1 => /lib/libuutil.so.1
libm.so.2 => /lib/libm.so.2
/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
/platform/SUNW,Ultra-5_10/lib/libmd5_psr.so.1
Built-in protection against non-executable root shells
If you change the root shell to any other shell and it cannot be started for some reason, you will automatically get a standard /sbin/sh instead. The same kind of protection exists for the sudo command as well.
With these improvements, nothing stops you from setting your root shell to anything you like.
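Added example (not from the original post): a check over ldd output that flags any library a candidate root shell would load from outside /lib or /platform, the condition that made a non-static root shell risky before Solaris 10. The function names and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# Read ldd output on stdin. Print one line for every dependency that is
# missing or resolves outside /lib and /platform (for example on a separate
# /usr). Returns 0 when everything lives on the root filesystem, 1 otherwise.
libs_off_root() {
    awk '
        /^ldd:/ || NF == 0 { next }     # static-binary notice or blank line
        /not found/ { print "MISSING " $1; bad = 1; next }
        {
            path = $NF                  # "name => path" or a bare path
            if (path !~ /^\/(lib|platform)\//) {
                print "OFFROOT " path
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Hypothetical wrapper: vet a shell before assigning it to root.
check_root_shell() {
    [ -x "$1" ] || { echo "NOEXEC $1"; return 1; }
    ldd "$1" 2>&1 | libs_off_root
}

# ldd output for the Solaris 10 /sbin/sh, abridged from the post.
PAGE_LDD='libgen.so.1 => /lib/libgen.so.1
libc.so.1 => /lib/libc.so.1
/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1'

# Constructed sample: a shell with one library on /usr/local.
CONSTRUCTED_LDD='libc.so.1 => /lib/libc.so.1
libreadline.so.5 => /usr/local/lib/libreadline.so.5
libcurses.so.1 => /lib/libcurses.so.1'

# Message printed for the statically linked Solaris 8/9 /sbin/sh.
STATIC_LDD='ldd: /sbin/sh: file is not a dynamic executable or shared object'
```

Run check_root_shell against the intended shell before editing root's passwd entry; any OFFROOT or MISSING line means the shell depends on something that may be absent in a maintenance boot.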
Friday, October 23, 2009
Solaris 10 patch error codes
Exit Code Meaning
0 No error
1 Usage error
2 Attempt to apply a patch that's already been applied
3 Effective UID is not root
4 Attempt to save original files failed
5 pkgadd failed
6 Patch is obsoleted
7 Invalid package directory
8 Attempting to patch a package that is not installed
9 Cannot access /usr/sbin/pkgadd (client problem)
10 Package validation errors
11 Error adding patch to root template
12 Patch script terminated due to signal
13 Symbolic link included in patch
14 NOT USED
15 The prepatch script had a return code other than 0.
16 The postpatch script had a return code other than 0.
17 Mismatch of the -d option between a previous patch install and the current one.
18 Not enough space in the file systems that are targets of the patch.
19 $SOFTINFO/INST_RELEASE file not found
20 A direct instance patch was required but not found
21 The required patches have not been installed on the manager
22 A progressive instance patch was required but not found
23 A restricted patch is already applied to the package
24 An incompatible patch is applied
25 A required patch is not applied
26 The user specified backout data can't be found
27 The relative directory supplied can't be found
28 A pkginfo file is corrupt or missing
29 Bad patch ID format
30 Dryrun failure(s)
31 Path given for -C option is invalid
32 Must be running Solaris 2.6 or greater
33 Bad formatted patch file or patch file not found
34 Incorrect patch spool directory
35 Later revision already installed
36 Cannot create safe temporary directory
37 Illegal backout directory specified
38 A prepatch, prePatch or a postpatch script could not be executed
39 A compressed patch was unable to be decompressed
40 Error downloading a patch
41 Error verifying signed patch
42 Error unable to retrieve patch information from SQL DB.
43 Error unable to update the SQL DB.
44 Lock file not available
45 Unable to copy patch data to partial spool directory.
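Added example (not from the original post): triage of the exit codes above after a batch patch run. The policy is an assumption of this example: codes 2, 6, 8 and 35 count as "nothing to do on this host", code 41 (signed patch failed verification) is reported separately and never ignored, and everything else is a failure. The patch IDs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Input lines have the form "patch-id exit-code", collected for instance
# with:  patchadd "$dir/$p"; echo "$p $?"

# Map one exit code from the table to a triage class.
classify_rc() {
    case "$1" in
        0)        echo applied ;;
        2|6|8|35) echo skipped ;;     # already applied, obsoleted,
                                      # package absent, later revision present
        41)       echo untrusted ;;   # error verifying signed patch
        *)        echo failed ;;
    esac
}

# Read "patch-id exit-code" lines on stdin and print a one-line summary.
# Returns 0 if every patch was applied or skipped, 1 on ordinary failures,
# 2 if any signed patch failed verification.
triage_patch_run() {
    applied=0 skipped=0 failed=0 untrusted=0
    while read -r patch rc; do
        [ -n "$patch" ] || continue
        case "$(classify_rc "$rc")" in
            applied)   applied=$((applied + 1)) ;;
            skipped)   skipped=$((skipped + 1)) ;;
            untrusted) untrusted=$((untrusted + 1))
                       echo "UNTRUSTED $patch" >&2 ;;
            failed)    failed=$((failed + 1))
                       echo "FAILED $patch rc=$rc" >&2 ;;
        esac
    done
    echo "applied=$applied skipped=$skipped failed=$failed untrusted=$untrusted"
    [ "$untrusted" -eq 0 ] || return 2
    [ "$failed" -eq 0 ] || return 1
    return 0
}

# Constructed sample run: one patch per line.
SAMPLE_RUN='900001-01 0
900002-03 2
900003-02 8
900004-01 41
900005-07 5'
```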
NFSv4 domain question during Solaris 10 Jumpstart
If you want to get rid of the NFSv4 domain question during Solaris 10 Jumpstart, you can use any of the methods below.
1. Add the line below to the sysidcfg file.
nfs4_domain=dynamic
2. Or add a script to the Finish Scripts that removes ${ROOTDIR}/etc/.UNCONFIGURED (if it exists) and touches ${ROOTDIR}/etc/.NFS4inst_state.domain.
3. Or you can take the /Solaris_10/Misc/jumpstart_sample/set_nfs4_domain script from the Jumpstart directory and place it in the Finish Scripts.
Tuesday, October 20, 2009
Zone Administration - Simple Steps
Prerequisites to configuration:
1. create a directory for the root of your non-global zone, mkdir /export/zones/mmvzone1.
chown root:root /export/zones/mmvzone1; chmod 700 /export/zones/mmvzone1
2. create a 1G partition for the non-global zone root file system
3. add filesystems to any volumes you have created from steps above
4. mount your additional space for the root of your new zone (add to vfstab in global zone 0)
Zoneconfig
- zonecfg -z mmvzone1
- create
- set zonepath=/mmvzone1
- set autoboot=true
- add inherit-pkg-dir
- set dir=/opt
- end
- add net
- set address=[IP-ADDRESS]
- set physical=hme0
- end
- (could add a device here, but don’t believe it necessary for right now, we’ll see what we get by default)
- add rctl
- set name=zone.cpu-shares
- add value (priv=privileged,limit=20,action=none)
- end
- add attr
- set name=comment
- set type=string
- set value="First test zone"
- end
- verify
- commit
- exit
Zoneadm
1. zoneadm -z mmvzone1 verify
2. zoneadm -z mmvzone1 install
a. if you get an error message during install check the state
b. zoneadm -z mmvzone1 list -v
c. if state is “configured” make corrections specified in the message and install the zone again
d. if state is “incomplete” remove the zone
e. zoneadm -z mmvzone1 uninstall
f. make corrections and install the zone again
3. zoneadm list -iv
a. should report the zone is “installed”
4. zoneadm -z mmvzone1 ready
5. zoneadm list -v
a. should report the zone is “ready”
6. zoneadm -z mmvzone1 boot
7. zoneadm list -v
a. should report the zone is “running”
zlogin
8. zlogin -C mmvzone1
a. hit return
b. select 3 DEC VT100
c. enter hostname for the zone
d. hit esc-2 to continue
e. hit esc-2 to continue
f. be sure NO is checked for kerberos security
g. hit esc-2 to continue
h. hit esc-2 to continue
i. select DNS for name service
j. esc-2 to continue
k. enter abcd.com for domain
l. esc-2 to continue
m. enter [IP-ADDRESS] for the first IP
n. enter [IP-ADDRESS] for the second IP
o. esc-2 to continue
p. enter abcd.com for search domain
q. esc-2 to cont
r. confirm information
s. esc-2 to cont
t. choose NO for new name service information
u. esc-2 to cont
v. select americas for time zone
w. esc-2 to cont
x. select united states
y. esc-2
z. select central time
aa. esc-2
bb. confirm information
cc. esc-2
dd. enter root password
ee. esc-2 to continue
ff. zone should reboot
9. if a mistake is made you can zlogin -S mmvzone1 /usr/sbin/sys-unconfig (allows you to re-run the sysidcfg stage and correct any problems)
10. to disconnect from the console use “~.”
Additional zonecfg
1. to add additional filesystem resources and resource controls after zone initialization, follow these instructions
2. create the directories in the zone you are going to modify
3. zonecfg -z mmvzone2
4. add fs
5. set dir=/export/home
6. set special=/dev/md/dsk/d51
7. set raw=/dev/md/rdsk/d51
8. set type=ufs
9. set options=logging
10. end
11. verify
12. commit
13. exit
14. bounce the zone
Login
1. zlogin -C mmvzone1
2. zlogin -l c1196 mmvzone1
Commands
1. ps with -Z
2. ipcs, pgrep, ptree, prstat with -z zonename option
Halt/Shutdown
zoneadm -z mmvzone1 halt
Boot
zoneadm -z mmvzone1 boot
Reboot
zoneadm -z mmvzone1 reboot
Grow FileSystem
1. from the global machine
2. growfs -M /zoneroot/root/filesystem /dev/md/rdsk/device
updating resources on the fly for a zone
must run the following command from the global zone
prctl -n zone.cpu-shares -v <value> -r -i zone <zonename>
Thursday, October 15, 2009
Kernel parameters comparison - Solaris9 and Solaris10
SERVER – Solaris9 – Oracle9i Vs SERVER – Solaris10 – Oracle10g
[Solaris9] forceload:sys/shmsys
[Solaris10] recommended not to set (the server takes a long time to boot)
[Solaris9] forceload:sys/semsys
[Solaris10] recommended not to set (the server takes a long time to boot)
[Solaris9] set shmsys:shminfo_shmmax=51539607552
[Solaris10] projmod -s -K "project.max-shm-memory=(priv,48g,deny)" user.oracle
[Solaris9] set shmsys:shminfo_shmmin=1
[Solaris10] Obsolete in the Solaris 9 release, Solaris 10 also
[Solaris9] set shmsys:shminfo_shmmni=2048
[Solaris10] projmod -s -K "project.max-shm-ids=(priv,2048,deny)" user.oracle
[Solaris9] set shmsys:shminfo_shmseg=200
[Solaris10] Obsolete in the Solaris 9 release, Solaris 10 also
[Solaris9] set semsys:seminfo_semmni=1000
[Solaris10] projmod -s -K "project.max-sem-ids=(priv,1000,deny)" user.oracle
[Solaris9] set semsys:seminfo_semmns=32767
[Solaris10] Removed in the Solaris 10 release
[Solaris9] set semsys:seminfo_semmnu=500
[Solaris10] Removed in the Solaris 10 release
[Solaris9] set semsys:seminfo_semmsl=2048
[Solaris10] projmod -s -K "process.max-sem-nsems=(priv,4096,deny)" user.oracle
[Solaris9] set semsys:seminfo_semvmx=32767
[Solaris10] Removed in the Solaris 10 release
[Solaris9] set semsys:seminfo_semopm=2048
[Solaris10] projmod -s -K "process.max-sem-ops=(priv,2048,deny)" user.oracle
[Solaris9] set maxusers=2048
[Solaris10] recommended not to set
[Solaris9] set max_nprocs=32778
[Solaris10] set max_nprocs=32778
[Solaris9] set maxuprc=32773
[Solaris10] set maxuprc=32773
[Solaris9] set rlim_fd_max=65536
[Solaris10] set rlim_fd_max=65536
[Solaris9] set rlim_fd_cur=2048
[Solaris10] set rlim_fd_cur=2048
[Solaris9] set noexec_user_stack=1
[Solaris10] set noexec_user_stack=1
*For Veritas NetBackup Performance
[Solaris9] set msgsys:msginfo_msgtql=512
[Solaris10] Obsolete in the Solaris 10 release
[Solaris9] set msgsys:msginfo_msgmnb=65536
[Solaris10] Obsolete in the Solaris 10 release
————————————————————————————————————————
Conclusion: the following are the important parameters:
* project.max-shm-ids: Maximum shared memory IDs for a project. Replaces shmmni.
* project.max-sem-ids: Maximum semaphore IDs for a project. Replaces semmni.
* project.max-msg-ids: Maximum message queue IDs for a project. Replaces msgmni.
* project.max-shm-memory: Total amount of shared memory allowed for a project. Replaces shmmax.
* process.max-sem-nsems: Maximum number of semaphores allowed per semaphore set. Replaces semmsl.
* process.max-sem-ops: Maximum number of semaphore operations allowed per semop. Replaces semopm.
* process.max-msg-qbytes: Maximum number of bytes of messages on a message queue. Replaces msgmnb.
* process.max-msg-messages: Maximum number of messages on a message queue. Replaces msgtql.
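Added example (not from the original post): a filter that rewrites Solaris 9 /etc/system IPC tunables as Solaris 10 projmod commands, using the replacements listed in the conclusion above. The function names and the sample input are constructed; tunables outside shmsys, semsys and msgsys are passed through unchanged.

```shell
#!/bin/sh
# Added example, not from the original post.

PROJECT=user.oracle     # project name used in the post

# Print the resource control that replaces a tunable, "none" when the
# tunable is obsolete or removed, or "keep" when it is not an IPC tunable.
rctl_for() {
    case "$1" in
        shmsys:shminfo_shmmax) echo project.max-shm-memory ;;
        shmsys:shminfo_shmmni) echo project.max-shm-ids ;;
        semsys:seminfo_semmni) echo project.max-sem-ids ;;
        semsys:seminfo_semmsl) echo process.max-sem-nsems ;;
        semsys:seminfo_semopm) echo process.max-sem-ops ;;
        msgsys:msginfo_msgmni) echo project.max-msg-ids ;;
        msgsys:msginfo_msgmnb) echo process.max-msg-qbytes ;;
        msgsys:msginfo_msgtql) echo process.max-msg-messages ;;
        shmsys:*|semsys:*|msgsys:*) echo none ;;
        *) echo keep ;;
    esac
}

# Read /etc/system text on stdin and print the Solaris 10 equivalent:
# projmod commands, "# drop:" notes, and lines to leave in /etc/system.
convert_etc_system() {
    sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' |
    while IFS= read -r line; do
        case "$line" in
            ''|\**) continue ;;                     # blank line or comment
            forceload:*sys/shmsys|forceload:*sys/semsys)
                printf '# drop: %s\n' "$line"; continue ;;
            set\ *) ;;                              # handled below
            *) printf '%s\n' "$line"; continue ;;   # leave untouched
        esac
        assign=${line#set }
        name=${assign%%=*}; name=${name% }
        value=${assign#*=}; value=${value# }
        rctl=$(rctl_for "$name")
        case "$rctl" in
            keep) echo "set $name=$value" ;;
            none) echo "# drop: $name (obsolete or removed in Solaris 10)" ;;
            *)    echo "projmod -s -K \"$rctl=(priv,$value,deny)\" $PROJECT" ;;
        esac
    done
}

# Constructed sample built from values in the comparison above.
SAMPLE_ETC_SYSTEM='* IPC settings carried over from the Solaris 9 host
forceload: sys/shmsys
set shmsys:shminfo_shmmax=51539607552
set semsys:seminfo_semmns=32767
set semsys:seminfo_semopm = 2048
set noexec_user_stack=1'
```

The shmmax value comes out in bytes; 51539607552 bytes is the same limit as the 48g the post passes to projmod.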
Accessing Single User mode using SSH
For pre-Solaris 10 servers:
# route add default `head -1 /etc/defaultrouter`
Restart ssh
# /etc/init.d/openssh start
or whatever ssh software is running.
For Solaris 10 servers:
Execute the below commands:
# svcadm enable system/vxvm/vxvm-reconfig
# svcadm enable system/filesystem/local
# svcadm enable milestone/sysconfig
# svcadm enable system/utmp
If the server is under NIS, please execute the below commands also:
# svcadm enable system/identity:domain
# svcadm enable system/sysidtool:net
# svcadm enable network/rpc/bind
# svcadm enable network/nis/client
Finally start ssh service:
# svcadm enable network/ssh