1) Install from cdrom

Note about disk partitions: always reserve about 10 cylinders at the end of the disk and assign them to slice 7 for the Solstice Disk Suite database (metadb).

2) Add low level user accounts.

Use the default low level password scheme on all new accounts and then flag them for a forced password change with passwd -f

# mkdir -p /export/home
# useradd -d /export/home/kinscoe -g staff -s /bin/ksh -m kinscoe
# passwd kinscoe
# useradd -d /export/home/cscott -g staff -s /bin/ksh -m cscott
# passwd cscott
# passwd -f cscott
# useradd -d /export/home/belliott -g staff -s /bin/ksh -m belliott
# passwd belliott
# passwd -f belliott
# useradd -d /export/home/skamp -g staff -s /bin/csh -m skamp
# passwd skamp
# passwd -f skamp
# useradd -d /export/home/kpmg -g staff -s /bin/ksh -m kpmg
# passwd kpmg
# passwd -f kpmg

Nagios:
# /usr/sbin/groupadd -g 5301 nagios
# useradd -d /export/home/nagios -g nagios -s /bin/ksh -m nagios
# passwd nagios
(use the Nagios password from the keyword list)

3) Create /.profile and master profile /etc/profile

3A) Edit /.profile and paste in:

kinscoe@wsadmin01:/export/home/kinscoe> cat /.profile
# local variables
PATH=/usr/local/admin:/usr/local/bin:/bin:/usr/bin:/usr/openwin/bin:/sbin:/usr/sbin:/usr/ucb:/usr/local/sbin/:/usr/ccs/bin:/opt/bin:/usr/local/mysql/bin:/usr/j2se/jre/bin:/usr/local/jrun4/bin:/usr/local/apache1_3/bin:/opt/hpnp/bin
MANPATH=/usr/local/man:/usr/share/man:/usr/openwin/share/man:/usr/dt/share/man:/usr/perl5/man:/usr/j2se/man:/opt/hpnp/man:/usr/local/X11R6/man
LD_LIBRARY_PATH=/usr/local/lib:/usr/local/ssl/lib:/usr/local/mysql/lib/mysql:/usr/local/lib/tcl8.4:/usr/lib:/usr/openwin/lib:/usr/ccs/lib:/usr/ucblib:/usr/openwin/lib/libp:/opt/hpnp/lib:/usr/local/jrun4/lib
CVSROOT=/usr/local/src/master
JAVA_HOME=/usr/j2se/jre
EDITOR=vi
VISUAL=vi
export LOGNAME PATH MANPATH LD_LIBRARY_PATH CVSROOT JAVA_HOME EDITOR VISUAL
umask 022
# terminfo database has moved in Solaris 8
TERMINFO=/usr/share/lib/terminfo;export TERMINFO
# for ksh
set -o vi
# set the prompt
PS1='$LOGNAME'@`uname -n|awk -F. '{print $1}'`:'$PWD# '

3B) Edit /etc/profile and paste in:

#ident "@(#)profile 1.18 98/10/03 SMI" /* SVr4.0 1.3 */

# The profile that all logins get before using their own .profile.

trap "" 2 3
PATH=$HOME/bin:/usr/local/bin:/bin:/usr/bin:/usr/ucb:/usr/openwin/bin:/sbin:/usr/sbin:/usr/ccs/bin:/opt/bin:/usr/local/mysql/bin:/usr/j2se/jre/bin:/usr/local/jrun4/bin:/opt/hpnp/bin
MANPATH=/usr/share/man:/usr/local/man:/usr/openwin/share/man:/usr/dt/share/man:/usr/j2se/man:/usr/perl5/man:/opt/hpnp/man:/usr/local/X11R6/man
LD_LIBRARY_PATH=/usr/local/ssl/lib:/usr/local/lib:/usr/local/mysql/lib/mysql:/usr/local/lib/tcl8.4:/usr/lib:/usr/openwin/lib:/usr/ccs/lib:/usr/ucblib:/usr/openwin/lib/libp:/opt/hpnp/lib:/usr/local/jrun4/lib
CVSROOT=/usr/local/src/master
JAVA_HOME=/usr/j2se/jre
export LOGNAME PATH MANPATH LD_LIBRARY_PATH CVSROOT JAVA_HOME

# terminfo database has moved in Solaris 8
TERMINFO=/usr/share/lib/terminfo;export TERMINFO

# set the prompt
#PS1='$LOGNAME@`hostname`:$PWD$'
#PS1="[$LOGNAME@`hostname` \$PWD $]"
#PS1=`uname -n|awk -F. '{print $1}'`:'$PWD> '
PS1='$LOGNAME'@`uname -n|awk -F. '{print $1}'`:'$PWD> '

# Login and -su shells get /etc/profile services.
# -rsh is given its environment in its .profile.
case "$0" in
-sh | -ksh | -jsh)
    if [ ! -f .hushlogin ]
    then
        /usr/sbin/quota
        # Allow the user to break the Message-Of-The-Day only.
        trap "trap '' 2" 2
        # /bin/cat -s /etc/motd
        trap "" 2
        /bin/mail -E
        case $? in
        0)
            echo "You have new mail."
            ;;
        2)
            echo "You have mail."
            ;;
        esac
    fi
esac

umask 022
trap 2 3

4) Change root shell to ksh.
Make sure you copy the previous record first in case of a mistake:

root:x:0:1:Super-User:/:/bin/ksh
#root:x:0:1:Super-User:/:/sbin/sh

Test that you can su - successfully, and then you can remove the line:

#root:x:0:1:Super-User:/:/sbin/sh

6) Add wsadmin01 and wsmon01 IPs to /etc/hosts

167.208.154.64 wsmon01
167.208.154.102 wsadmin01

7) Apply patches

ftp://kinscoe@wsadmin01.harcourt.com:/pub/soft/patches/README.txt

7A) Recommended patch cluster for Solaris 8

ftp://kinscoe@wsadmin01.harcourt.com:/pub/soft/patches/8_Recommended.zip

# unzip 8_Recommended.zip
# cd 8_Recommended
# ./install_cluster
# shutdown -y -g0 -i6

7B) Apply the Solaris 8 MUP version 7 (on cdrom)

# cd /cdrom/s8_maintenance_update_7_sparc

NOTE: there is a bug I discovered in the patch install (install_mu), so use this one instead:

ftp://kinscoe.harcourt.com/pub/soft/patches/install_mu7.sh

or use the automounter:

/net/kinscoe.harcourt.com/export/ftp/pub/soft/patches/install_mu7.sh

If you run the install_mu from the cdrom you will see the message:

***************************************************************
* Patch(es) 108987-08 112396-01 not installed - exiting.
* -----------------------------------------------------------
* these are mandatory patch(es) for Solaris 8 MU7 (sparc) as
* they resolve some patch database corruption issues. Please
* install the patch(es) before applying the Maintenance Update.
* The patch(es) may be obtained via SunSolve or your normal patch
* distribution channels.
***************************************************************

# shutdown -y -g0 -i6

7C) Misc. patches

# mkdir /tmp/patches

Copy all the numeric zip files from ftp://kinscoe.harcourt.com/pub/soft/patches/ to /tmp/patches

Run this script:

ftp://kinscoe.harcourt.com/pub/soft/patches/install_misc.sh

# shutdown -y -g0 -i6

8) Install OpenSSH

Notes: http://ws.harcourt.com/docs/howtos/installing_ssh.txt (under Solaris 8)

9) Tighten the server

9A) Edit /etc/inetd.conf and comment out all lines except:

bpcd stream tcp nowait root /usr/openv/netbackup/bin/bpcd bpcd
vopied stream tcp nowait root /usr/openv/netbackup/bin/vopied vopied
bpjava-msvc stream tcp nowait root /usr/openv/netbackup/bin/bpjava-msvc bpjava-msvc -transient

9B) Minimize the startup services

http://ws.harcourt.com/docs/howtos/solaris_8_hardening.txt

10) Mirror the boot disks

Is the Solstice Disk Suite installed?

# metastat
metastat: wsmon01: there are no existing databases

indicates it is installed. However, if you see:

# metastat
ksh: metastat: not found

it is not installed. To install SDS follow these steps:

First place the Solaris 8 Software 2 of 2 cd in the drive.
# mount -F hsfs /dev/dsk/c1t6d0s0 /cdrom
# pkgadd -d /cdrom/Solaris_8/EA/products/DiskSuite_4.2.1/sparc/Packages

The following packages are available:
  1  SUNWlvma     Solaris Volume Management API's
                  (sparc) 1.0,REV=2001.11.02.03.17
  2  SUNWlvmg     Solaris Volume Management Application
                  (sparc) 1.0,REV=2001.11.14.03.19
  3  SUNWlvmr     Solaris Volume Management (root)
                  (sparc) 1.0,REV=2001.11.14.03.19
  4  SUNWmdg      Solstice DiskSuite Tool
                  (sparc) 4.2.1,REV=1999.11.04.18.29
  5  SUNWmdja     Solstice DiskSuite Japanese localization
                  (sparc) 4.2.1,REV=1999.12.09.15.37
  6  SUNWmdnr     Solstice DiskSuite Log Daemon Configuration Files
                  (sparc) 4.2.1,REV=1999.11.04.18.29
  7  SUNWmdnu     Solstice DiskSuite Log Daemon
                  (sparc) 4.2.1,REV=1999.11.04.18.29
  8  SUNWmdr      Solstice DiskSuite Drivers
                  (sparc) 4.2.1,REV=1999.12.03.10.00
  9  SUNWmdu      Solstice DiskSuite Commands
                  (sparc) 4.2.1,REV=1999.11.04.18.29
 10  SUNWmdx      Solstice DiskSuite Drivers(64-bit)
                  (sparc) 4.2.1,REV=1999.11.04.18.29

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:

Install SUNWmdx, SUNWlvmr, SUNWmdu, SUNWlvma, SUNWlvmg, SUNWmdg, SUNWmdnr and SUNWmdnu.
Verify the installation:

# pkginfo | grep md
system SUNWmdg  Solstice DiskSuite Tool
system SUNWmdnr Solstice DiskSuite Log Daemon Configuration Files
system SUNWmdnu Solstice DiskSuite Log Daemon
system SUNWmdr  Solstice DiskSuite Drivers
system SUNWmdu  Solstice DiskSuite Commands
system SUNWmdx  Solstice DiskSuite Drivers(64-bit)

# pkginfo | grep lv
system SUNWlvma Solaris Volume Management API's
system SUNWlvmg Solaris Volume Management Application
system SUNWlvmr Solaris Volume Management (root)

10A) Prepare the mirror disk

Copy the boot disk partitions to the mirror disk:

# prtvtoc /dev/rdsk/c0t0d0s2 | fmthard -s - /dev/rdsk/c0t1d0s2

Create the metadb state database:

# metadb -a -f -c2 /dev/rdsk/c0t0d0s7 /dev/rdsk/c0t1d0s7

Create the boot mirror:

# metainit -f d10 1 1 c0t0d0s0
d10: Concat/Stripe is setup
# metainit d20 1 1 c0t1d0s0
d20: Concat/Stripe is setup
# metainit d30 -m d10
d30: Mirror is setup

Create the swap mirror:

# metainit -f d11 1 1 c0t0d0s1
d11: Concat/Stripe is setup
# metainit d21 1 1 c0t1d0s1
d21: Concat/Stripe is setup
# metainit d31 -m d11
d31: Mirror is setup

Edit the vfstab:

# cp /etc/vfstab /etc/vfstab.orig.kinscoe
# metaroot d30

Modify the swap line to look like this:

/dev/md/dsk/d31 - - swap - no -

Restart the server so that the root and swap are now operating on the mirror set:

# lockfs -fa
# init 6

You should see messages similar to below on startup:

WARNING: forceload of misc/md_trans failed
WARNING: forceload of misc/md_raid failed
WARNING: forceload of misc/md_hotspares failed
WARNING: forceload of misc/md_sp failed

You can safely ignore these. It has to do with the fact we have not defined a "hotspare" disk to the RAID. Since we will not be doing RAID 5 I did not see the need for it.
AFTER REBOOT:

Attach the second submirrors to the mirrors:

# metattach d30 d20
d30: submirror d20 is attached
# metattach d31 d21
d31: submirror d21 is attached

Enable the mirror disk to be bootable:

# installboot /usr/platform/`uname -i`/lib/fs/ufs/bootblk /dev/rdsk/c0t1d0s0
# ls -l /dev/rdsk/c0t1d0s0
lrwxrwxrwx 1 root root 45 Sep 11 18:42 /dev/rdsk/c0t1d0s0 -> ../../devices/pci@1f,4000/scsi@3/sd@1,0:a,raw

Verify the mirrors have been synchronized:

# metastat | grep "progress"
Resync in progress: 21 % done

Shut down and apply nvram changes to support a secondary boot disk:

# shutdown -y -g0 -i0
(this is the value from the ls -l command above)

What is misleading about the 64-bit architecture is that "sd" is no longer used in the device path but rather "disk", so you will need to check this address against the devalias command at the nvram prompt.

ok devalias
vx-rootdisk2  /pci@6,4000/scsi@4/disk@0,0:a
mirror        /pci@1f,4000/scsi@3/1,0:a
disk          /pci@1f,4000/scsi@3/disk@0,0
disk0         /pci@1f,4000/scsi@3/disk@0,0
disk1         /pci@1f,4000/scsi@3/disk@1,0
disk2         /pci@1f,4000/scsi@3/disk@2,0
disk3         /pci@1f,4000/scsi@3/disk@3,0
scsi          /pci@1f,4000/scsi@3
diskx0        /pci@1f,4000/scsi@2/disk@0,0
diskx1        /pci@1f,4000/scsi@2/disk@1,0
diskx2        /pci@1f,4000/scsi@2/disk@2,0
diskx3        /pci@1f,4000/scsi@2/disk@3,0
cdrom         /pci@1f,4000/scsi@2/disk@6,0:f
tape          /pci@1f,4000/scsi@2/tape@4,0
scsix         /pci@1f,4000/scsi@2

Since "disk1" matches up with our disk address we can use that.

ok nvalias mirror /pci@1f,4000/scsi@3/sd@1,0:a
ok nvalias mirror /pci@1f,4000/scsi@3/sd@8,0:a

or for 64-bit (PCI cards)

ok nvalias mirror /pci@1f,4000/scsi@3/disk@1,0

Test booting from the mirror:

ok boot mirror

If you see this error:

Can't open boot device

check your alias and make sure it's correct. You may need to use the commands: probe-scsi-all, probe-pci or probe-ide.

When you boot up it is normal to see the message:

WARNING: md: d41: /dev/dsk/c2t0d0s0 needs maintenance

since you are now booting up off the mirror and therefore the mirror is now broken.
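The sd-to-disk address check described above, written as shell functions. This is an added example, not part of the original notes: the function names are hypothetical, and the devalias table and the ls -l target are the ones shown on this page.

```shell
#!/bin/sh
# obp_path TARGET: turn the symlink target shown by ls -l for a raw slice
# into the OpenBoot path form: drop the ../../devices prefix and the ,raw
# suffix, rename sd@ to disk@, and drop the :slice letter.
obp_path() {
    printf '%s\n' "$1" |
        sed -e 's|^.*/devices/|/|' -e 's|,raw$||' -e 's|/sd@|/disk@|' -e 's|:[a-h]$||'
}

# slice_letter TARGET: print the slice letter (a-h) of the same target.
slice_letter() {
    printf '%s\n' "$1" | sed -n 's|^.*:\([a-h]\),raw$|\1|p'
}

# boot_aliases TARGET: read devalias output (alias, path) on stdin and print
# every alias whose path equals the converted target, with the slice added.
boot_aliases() {
    want=$(obp_path "$1")
    slice=$(slice_letter "$1")
    while read -r alias path; do
        [ "$path" = "$want" ] && echo "$alias:$slice"
    done
    return 0
}

# The devalias output shown on this page.
page_devalias() {
    cat <<'EOF'
vx-rootdisk2 /pci@6,4000/scsi@4/disk@0,0:a
mirror /pci@1f,4000/scsi@3/1,0:a
disk /pci@1f,4000/scsi@3/disk@0,0
disk0 /pci@1f,4000/scsi@3/disk@0,0
disk1 /pci@1f,4000/scsi@3/disk@1,0
disk2 /pci@1f,4000/scsi@3/disk@2,0
disk3 /pci@1f,4000/scsi@3/disk@3,0
scsi /pci@1f,4000/scsi@3
diskx0 /pci@1f,4000/scsi@2/disk@0,0
diskx1 /pci@1f,4000/scsi@2/disk@1,0
EOF
}

# The ls -l target for /dev/rdsk/c0t1d0s0 shown on this page.
MIRROR_TARGET='../../devices/pci@1f,4000/scsi@3/sd@1,0:a,raw'
page_devalias | boot_aliases "$MIRROR_TARGET"
```
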
Now to set it up so that the system will automatically find the first good disk:

# eeprom boot-device="disk0:a disk1:a"
(from the unix prompt)

or

ok setenv boot-device disk0:a disk1:a
(from the ok prompt)
boot-device = disk0:a disk1:a

Documentation:

Keep backups of your configuration in case of corruption. Regular usage of metastat, metastat -p, and prtvtoc can help.

11) Setup any data mirrors.

Refer to http://ws.harcourt.com/docs/howtos/Plan%20to%20format%20and%20mirror%20wsdb03.doc for notes...

12) Install standard toolkit

12A) lsof
12B) top
12C) chkrootkit
12D) tcpdump
12E) expect
12F) lynx
12G) wget
12H) md5
12I) ntop
12J) rsync
12K) tcpdump
12L) scsiinfo 4.7
12M) sysinfo 4.2.1
12N) sudo
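A check for step 9A: it reports inetd.conf entries that are still enabled but are not one of the three NetBackup services, and allowlisted services that were commented out by mistake. This is an added example, not part of the original notes; the function names are hypothetical and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: audit inetd.conf text (read on
# stdin) against the step 9A allowlist.
ALLOWED="bpcd vopied bpjava-msvc"

# Print each enabled service (first field of an uncommented line) that is
# not on the allowlist and so should still be commented out.
unexpected_inetd_services() {
    while read -r svc rest; do
        case "$svc" in
            ''|'#'*) continue ;;      # blank line or commented-out entry
        esac
        case " $ALLOWED " in
            *" $svc "*) ;;            # allowed NetBackup service
            *) echo "$svc" ;;
        esac
    done
}

# Print each allowlisted service that has no enabled entry, for example one
# commented out by mistake while editing.
missing_inetd_services() {
    conf=$(cat)
    for want in $ALLOWED; do
        printf '%s\n' "$conf" |
            grep "^[[:space:]]*$want[[:space:]]" >/dev/null || echo "$want"
    done
}

# Constructed sample input, not taken from a real host.
sample_inetd_conf() {
    cat <<'EOF'
#ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
bpcd stream tcp nowait root /usr/openv/netbackup/bin/bpcd bpcd
#vopied stream tcp nowait root /usr/openv/netbackup/bin/vopied vopied
bpjava-msvc stream tcp nowait root /usr/openv/netbackup/bin/bpjava-msvc bpjava-msvc -transient
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
EOF
}

echo "unexpected: $(sample_inetd_conf | unexpected_inetd_services | tr '\n' ' ')"
echo "missing:    $(sample_inetd_conf | missing_inetd_services | tr '\n' ' ')"
```

On the server, feed the functions the real file, for example `unexpected_inetd_services < /etc/inetd.conf`; inetd rereads its configuration only after it receives a HUP signal.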