Friday, March 22, 2013

How to Install and configure Solaris Web Server




Set up a multipurpose Solaris web server


Introduction

This HOWTO explains how to set up a multipurpose Solaris web server.

Purpose

The purpose of this howto is to provide instructions on how to install a multipurpose Web server on a Solaris box.

Scope

  • OS: Solaris 10, using zones.

  • HW: Via Epia 800 ITX board

  • Utilities:

      • Orca

      • Sendmail

      • tripwire replacement

  • Applications:

      • Apache

      • Twiki

      • Bugzilla

      • MySQL



 Overview 

ToDo

  1. Create FLAR

  2. Create install DVD

  3. Test Install DVD

  4. Install SE tool.

  5. Install ORCA.

  6. Install MySQL

  7. Install BugZilla

  8. Create FLAR

  9. Install

  10. Install Moodle

  11. Have Apache support SSL

  12. Have Apache support LDAP

  13. install LDAP server


 

  • AIDE: handle dead symlinks


  • AIDE: handle mnttab


 Steps 

Installing Solaris 10 on x86

  1. Download the media from

  2. Insert V1

  3. boot

  4. Select 1 Solaris Interactive

  5. Select a language: 0

  6. The X environment is OpenLook, so the cursor must be moved over the window to enable data entry in it. (This only matters if you use the graphical installer; for this purpose the normal text-based installation is fine.)

  1. enter hostname

  2. Select geographical region

  3. Make sure the date and time are correct

  4. Enter root password, twice

  5. Confirm, Hostname, and region.

  6. Installer options

  7. Reboot automatically: Yes

  8. Eject CDs: Yes

  9. Notice; Ok

  10. Specify Media: CD/DVD

  11. Read and accept the license.

  12. Type of install: Custom

  13. Select software localizations: just select next, unless you want to start installing any other language than the default English.

  14. Select system locale: POSIX C

  15. Select products: Solaris Software Companion CD

  16. Additional Products: None

  17. Select Solaris software group: Entire Group

  18. Disk Selection: c0d0

  19. unless you have more disks and want to install onto secondary disk.

  20. PLEASE NOTE: this will destroy the contents of your disk by default.

  21. Select disks for fdisk partition customization: c0d0

  22. Customize fdisk partition: Solaris everything

  23. Select the rest as unused.

  24. You will be asked about slices in the next step.

  25. Lay out file system: select the default

  26. You can slice this a lot of ways, and most will be dependent on what you want to use the system for.

  27. Install: this takes about 9 minutes.

  28. When primary installation is done, you need to manually eject the V1 boot CD. Go figure...

  29. When booting from the HD, it will be loading smf(5) descriptions x/87

  30. NFS version 4: default no

  31. Specify media: CD/DVD

  32. It will take three minutes to read the CD before you are prompted for install Now

  33. Installing V2 takes about 12-15 minutes.

  34. V3 takes about 5 minutes.

  35. V4 takes about 7? minutes.

  36. CCD takes about 20 minutes. 


Getting the network running

  1. Identify the driver; see the BigAdmin HCL.

  2. Transfer the driver to the Solaris box if it is not already there, e.g. by mounting a USB key under Solaris.


 Rhine driver

  1. Get the driver from http://homepage2.nifty.com/mrym3/taiyodo/eng/

  2. Unpack it

  3. cp rh-1.0.24.tar.gz /tmp

  4. cd /tmp

  5. gzip -dc rh-1.0.24.tar.gz | tar -xvf -

  6. cd rh-1.0.24

  7. Follow the README.txt

  8. vi /etc/hosts

  9. Add the host name and ip address.

  10. Add: 172.16.0.1 defaultrouter # or whatever it is you have.

  11. vi /etc/hostname.rh0

  12. Add the hostname

  13. vi /etc/nsswitch.conf

  14. hosts: files dns

  15. vi /etc/resolv.conf

  16. Add your router, primary DNS and secondary DNS, e.g.:

  17. 'nameserver 172.16.0.1'


Sadly I do not know Unix well enough to do anything but reboot at this point: shutdown -g0 -i6 -y

Enabling sending mails through ISP

So when you are not prepared to RTFM and try it the easy way, you sometimes have to take the long route.

I thought it would take me two minutes to reconfigure sendmail.cf so that I could send mails to the internet, through my ISP.

Three days later, I'm wiser.

My original intention was to use my gmail account, but just getting mailx to send e-mails through my local ISP was challenge enough for now.

Please note, I don't know diddly about sendmail, so I might have broken the first fifty rules....

But here is the short version of the steps I took:

  1. cd /etc/mail/cf/cf

  2. cp sendmail.mc sendmail.mc.org

  3. Re-write sendmail.mc

  4. /usr/ccs/bin/make sendmail.cf

  5. cp sendmail.cf ../../sendmail.cf

  6. svcadm -v refresh sendmail

  7. mailx -s "testing" My.Internet@account.net < sendmail.mc

  8. Look at /var/log/syslog if the mail doesn't arrive.


sendmail.mc

 

    divert(-1)
    #
    # Copyright (c) 1983 Eric P. Allman
    # Copyright (c) 1988, 1993
    #     The Regents of the University of California.  All rights reserved.
    #
    # Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
    # Use is subject to license terms.
    #
    # ident "@(#)sendmail.mc 1.11 04/06/21 SMI"
    #
    # This is a configuration file for SunOS 5.8 (a.k.a. Solaris 8) and later
    # subsidiary machines.  It has support for local and SMTP mail.  The
    # confFALLBACK_SMARTHOST macro is enabled, which means that messages will
    # be sent to that host (which is set to mailhost.$m [$m is the local domain])
    # if MX records are unavailable.  A short-cut rule is also defined, which
    # says if the recipient host is in the local domain, send to it directly
    # instead of the smart host.
    #
    # If you want to customize this further, copy it to a name appropriate
    # for your environment and do the modifications there.
    #
    divert(0)dnl
    VERSIONID(`@(#)sendmail.mc 1.11 (Sun) 06/21/04')
    OSTYPE(`solaris8')dnl
    DOMAIN(`solaris-generic')dnl
    define(`confFALLBACK_SMARTHOST', `smtp.mail.net')dnl
    Dred.dwarf
    define(`confDOMAIN_NAME', `$w.$m')dnl
    dnl This is the domain that the e-mail will look like it comes from.
    dnl If this isn't valid then you get a 550 error from your ISP.
    MASQUERADE_AS(`my-registered-domain.org')
    FEATURE(masquerade_envelope)
    dnl
    dnl The mail gateway of our ISP has to be used as a relay.
    dnl
    define(`SMART_HOST', `smtp.mail.net')
    # This according to http://www.sendmail.org/m4/intro.html should always be at the end.
    MAILER(`local')dnl
    MAILER(`smtp')dnl

 

AIDE


  1. Get the source code

  2. gzip -dc aide-0.11-rc2.tar.gz | tar -xf -

  3. ./configure

  4. Hmm this wasn't so simple

  5. getting the aide module from Sol9 x86 from sunfreeware.com

  6. mkdir -p /etc/aide/RCS



LDAP server

http://www.bolthole.com/solaris/LDAP.html


Orca


  • setenv PATH /opt/sfw/bin:/opt/sfw/gcc-3/bin:${PATH}:/usr/perl5/5.6.1/bin



  1. setenv PATH /usr/local/bin:/usr/sfw/bin:/opt/sfw/bin:/opt/sfw/lib/bin:${PATH}

  2. For x86

  3. edit /usr/local/lib/perl5/5.8.5/i86pc-solaris/Config.pm

  4. remove '-B/usr/css/bin'

  5. setenv CC gcc

  6. ln -s /opt/sfw/bin/gmake /opt/sfw/bin/make

  7. tar zxf orca-0.27.tar.gz

  8. cd orca-0.27

  9. ./configure --with-html-dir=/var/apache/htdocs/orca --with-ncsa-log=/var/apache/logs/access_log

  10. find . -name Makefile | xargs grep -w cc

  11. change CC = cc to CC = gcc in:

  12. ./packages/TimeDate-1.14/Makefile

  13. ./packages/Digest-MD5-2.20/Makefile

  14. make

  15. make install

  16. make orcallator_run_at_boot

  17. vi /usr/local/lib/orcallator.cfg

  18. edit /opt/RICHPse/bin/se

  19. for epia add i386*) MACH=i386;;

  20. /etc/init.d/orcallator start


 Disabling services

See the JASS toolkit for securing the Solaris box.

An nmap scan of the box shows:

    21/tcp   open  ftp
    22/tcp   open  ssh
    23/tcp   open  telnet
    25/tcp   open  smtp
    79/tcp   open  finger
    80/tcp   open  http
    111/tcp  open  rpcbind
    513/tcp  open  login
    514/tcp  open  shell
    587/tcp  open  submission
    898/tcp  open  sun-manageconsole
    4045/tcp open  lockd
    7100/tcp open  font-service

  1. svcadm -v disable ftp

  2. svcadm -v disable telnet

  3. svcadm -v disable bind

  4. this is rpcbind

  5. svcadm -v disable smtp

  6. svcadm -v disable

  7. svcadm -v disable

  8. svcadm -v disable

  9. svcadm -v disable

  10. svcadm -v disable

  11. svcadm -v disable

  12. svcadm -v disable
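The list above stops at the services that were obvious. As an added example (not part of the original howto), the script below turns the nmap listing into a review-only list of svcadm commands, keeping just the ports this web/mail server is meant to answer on. The port-to-FMRI table is written from memory of Solaris 10 and is an assumption: confirm each entry on your own box with `svcs -p <fmri>` before disabling anything, and remember that svc:/network/rpc/bind is a dependency of NFS, NIS and the lock manager.

```shell
#!/bin/sh
# Added example, not from the original page: map an nmap port list to SMF
# services and print (never run) the matching "svcadm disable" commands.
# The table below is an assumption from memory of Solaris 10; verify with svcs -p.

fmri_for_port() {
  case $1 in
    21)   echo svc:/network/ftp:default ;;
    23)   echo svc:/network/telnet:default ;;
    79)   echo svc:/network/finger:default ;;
    111)  echo svc:/network/rpc/bind:default ;;
    513)  echo svc:/network/login:rlogin ;;
    514)  echo svc:/network/shell:default ;;
    898)  echo svc:/application/management/wbem:default ;;
    4045) echo svc:/network/nfs/nlockmgr:default ;;
    7100) echo svc:/application/x11/xfs:default ;;
    *)    return 1 ;;
  esac
}

# Ports this host should keep serving: ssh, smtp, http, submission.
KEEP=" 22 25 80 587 "

# plan_disable: reads nmap "port/proto state name" lines on stdin and prints one
# svcadm command per open port that is not in KEEP. Nothing is executed here.
plan_disable() {
  while read -r port_proto state name _rest; do
    [ "$state" = open ] || continue
    port=${port_proto%%/*}
    case $KEEP in *" $port "*) continue ;; esac
    if fmri=$(fmri_for_port "$port"); then
      echo "svcadm -v disable $fmri   # $name on port $port"
    else
      echo "# $name on port $port: no mapping, find the owner with: svcs -p"
    fi
  done
}

# Constructed sample, copied from the scan listing in this section.
SAMPLE_SCAN='21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
79/tcp open finger
80/tcp open http
111/tcp open rpcbind
513/tcp open login
514/tcp open shell
587/tcp open submission
898/tcp open sun-manageconsole
4045/tcp open lockd
7100/tcp open font-service'

printf '%s\n' "$SAMPLE_SCAN" | plan_disable
```

Feed it a real scan with `nmap -p- host | plan_disable`, read the output, and only then paste the commands you agree with; re-run the scan afterwards to confirm the ports are gone.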



Disabling graphical/dtlogin

http://supportforum.sun.com/sunos/index.php?t=msg&th=2681&start=0&rid=0

  1. /usr/dt/bin/dtlogin -d

  2. After disabling dtlogin it is wise to kill the currently open login screen with: /usr/dt/bin/dtlogin -kill

  3. mv /etc/rc2.d/S99dtlogin /etc/rc2.d/s99dtlogin

  4. The recommendation above is suitable only for "home" servers, not for production.


 

Firewall

Rule syntax: [ pass | block ] [ log ] [ in | out ] [ quick ]

  • ipfstat -i

(This shows the active filter list.)

  • ipmon

(This does a kind of tail -f on the filter log, provided logging is active.)

  • SMF service name: ipfilter (you need to restart it to read the updated rules).
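To show the rule syntax above in a whole ruleset, here is an added example (my own, not from the original page) that writes a default-deny ipf.conf for a given interface and list of listening ports. The interface name rh0 and the ports are assumptions taken from elsewhere in this howto; nothing in the script loads the rules.

```shell
#!/bin/sh
# Added example, not from the page: emit a minimal IPFilter ruleset. Review the
# output, install it as /etc/ipf/ipf.conf, then restart the ipfilter service and
# watch ipmon for what the final block rule catches.

ipf_rules() {   # ipf_rules IFACE PORT...
  iface=$1; shift
  echo "# loopback traffic is always allowed"
  echo "pass in quick on lo0 all"
  echo "pass out quick on lo0 all"
  echo "# let the box talk out and keep state so the replies come back"
  echo "pass out quick on $iface proto tcp from any to any flags S keep state"
  echo "pass out quick on $iface proto udp from any to any keep state"
  echo "pass out quick on $iface proto icmp from any to any keep state"
  echo "# services this host is meant to serve"
  for p in "$@"; do
    echo "pass in quick on $iface proto tcp from any to any port = $p flags S keep state"
  done
  echo "# everything else is dropped and logged (visible with ipmon)"
  echo "block in log quick on $iface all"
}

# Assumed interface and the ports kept open on this web/mail server.
ipf_rules rh0 22 25 80 587
```

Because every rule carries `quick`, the first match wins and the trailing `block in log` line only sees what nothing above accepted, which is exactly the traffic worth logging.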


 Solaris Zones

  1. zonecfg -z kochanski -f twiki.cfg

  2. zoneadm list -vc

       ID NAME       STATUS     PATH
        0 global     running    /
        - kochanski  configured /export/home/kochanski

  3. zoneadm -z kochanski install

  4. cp sysidcfg.twiki /export/home/kochanski/root/etc/sysidcfg

  5. zoneadm -z kochanski boot

  6. zlogin -C kochanski

  7. The '-C' gives you the system console.

  8. svcs -xv

  9. See if there are any services that aren't running.


 Configuring sendmail

From global zone

  1. cd /etc/mail

  2. find . | cpio -pumvd /export/home/kochanski/root/etc/mail

  3. p - pass through

  4. u - Copies unconditionally.

  5. m - Retains previous file modification time.

  6. v - verbose

  7. d - target directory.

  8. cp resolv.conf /export/home/kochanski/root/etc

  9. cp nsswitch.conf /export/home/kochanski/root/etc


In kochanski zone

  1. cd /etc

  2. echo "dwarf" > domainname

  3. domainname dwarf

  4. echo "192.168.0.1 defaultrouter" >> hosts

  5. add to /etc/hosts <hostname>.<domainname>


 Services

  1. svcs -xv

  2. svcadm -v disable svc:/application/print/server:default


 Configuration files

 zone.cfg

    set zonepath=/export/home/kochanski
    set autoboot=true
    add inherit-pkg-dir
    set dir=/lib
    end
    add inherit-pkg-dir
    set dir=/platform
    end
    add inherit-pkg-dir
    set dir=/sbin
    end
    add inherit-pkg-dir
    set dir=/usr
    end
    add net
    set address=192.168.0.221
    set physical=rh0
    end
    commit

 sysidcfg

    name_service=NONE
    network_interface=PRIMARY {primary hostname=kochanski
        ip_address=192.168.0.221
        netmask=255.255.255.0
        protocol_ipv6=no
        default_route=192.168.0.1 }
    root_password=Secret
    timeserver=localhost
    timezone=CET
    terminal=vt100
    system_locale=C
    security_policy=none

 Apache

    AuthName "Foo for Thought"
    AuthType Basic
    AuthUserFile /home/johnson/foo.htpasswd
    Require valid-user

It is a very good idea to redirect the Apache logs to a different directory such as /var/adm/httpd or /var/log/httpd:

    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog /var/adm/httpd/access_log common
    ErrorLog /var/adm/httpd/error_log

  • make - SUNWgmake

  • wget - SUNWwgetu

  • lynx - SFWlynx

  • ncftpget

  • ncftp

  • gpg


In the global zone

  1. setenv PATH /opt/sfw/bin:${PATH}:/usr/sfw/bin

  2. perl -MCPAN -e 'install Net::SMTP;'


In the local zone http://develop.twiki.org/~develop/cgi-bin/view/TWiki/#Installation_and_configuration

  1. rm /var/apache/cgi-bin/test-cgi

  2. rm /var/apache/cgi-bin/printenv

  3. These are removed for security reasons; I seem to have come across a mention that they should be removed.

  4. cd /var/apache

  5. mkdir twiki

  6. cd twiki

  7. gzip -dc /TWiki2005x11x06x7338beta.tgz | tar -xf -

  8. edit /etc/apache/httpd.conf

  9. /usr/apache/bin/apachectl configtest

  10. edit /var/apache/twiki/bin/setlib.cfg

  11. cp LocalSite.cfg.txt LocalSite.cfg

  12. chown twiki:twiki LocalSite.cfg

  13. chmod o+w,g+w LocalSite.cfg

  14. edit LocalSite.cfg

  15. /var/apache/twiki/lib/TWiki.cfg

  16. chmod +x /var/apache/twiki/bin/rdiffauth

  17. chmod +x /var/apache/twiki/bin/viewauth

  18. cp subdir-htaccess.txt data/.htaccess

  19. cp subdir-htaccess.txt lib/.htaccess

  20. cp subdir-htaccess.txt templates/.htaccess

  21. chown -R nobody *

  22. chmod -R 755 data

  23. chown twiki:twiki /var/apache/twiki/data/.htpasswd

  24. chmod -x twiki/bin/configure

  25. remove '-H' from egrep and fgrep

  26. Remove \< and \> in the Param.pm


From within Twiki

  1. Update Main/TWikiAdminGroup


ISSUES

  1. cd /var/apache/twiki/data/ShadowRunGm/

  2. /usr/local/bin/ci -q -l WebPreferences.txt

  3. ci: WebPreferences.txt,v: no lock set by nobody


MySQL

Create the Zone

  1. zonecfg -z kryten -f /mysql.cfg

  2. zoneadm -z kryten install

  3. cp sysidcfg /export/home/kryten/root/etc/sysidcfg

  4. zoneadm -z kryten boot


 

Configure MySQL

You need to install the Sun package SUNWmysqlu as root.

  1. pkgadd -d . SUNWmysqlu


Follow the instructions in /etc/sfw/mysql/README.solaris.mysql:

  1. /usr/sfw/bin/mysql_install_db

  2. groupadd mysql

  3. useradd -g mysql mysql

  4. chgrp -R mysql /var/mysql

  5. chmod -R 770 /var/mysql

  6. installf SUNWmysqlr /var/mysql d 770 root mysql

  7. copy the correct cnf file from /usr/sfw/share/mysql to /etc/my.cnf

  8. E.g. cp /usr/sfw/share/mysql/my-huge.cnf /etc/my.cnf

  9. /usr/sfw/sbin/mysqld_safe --user=mysql &

  10. mysqladmin -u root password 'PASSWORD'

  11. cd /usr/sfw/mysql/mysql-test; ./mysql-test-run


 Bugzilla

Get the source.

Version 2.20 is being used here.

In the Global Zone

  1. cd /tmp

  2. gzip -dc bugzille.tar.gz | tar -xvf -

  3. setenv PATH /usr/local/bin:${PATH}

  4. rehash

  5. which perl

  6. vi checksetup.pl

  7. set perl path to /usr/local/bin/perl

  8. ./checksetup.pl --check-modules

  9. perl -MCPAN -e 'install Bundle::Bugzilla'

  10. cd /export/home/kochanski/root/var/apache/htdocs

  11. gzip -dc bugzille.tar.gz | tar -xvf -


On the MySQL server kryten:

  1. /usr/sfw/bin/mysql -u root -p

  2. create database bugzilla;

  3. use bugzilla

  4. grant all on bugzilla.* to bugzilla@kochanski identified by "PASSWORD";


 Apache with mod_perl

 Mason

Mason installation

In the global zone.

  1. setenv PATH /usr/perl5/5.8.4/bin:${PATH}

  2. setenv PATH /opt/SUNWspro/bin:${PATH}

  3. setenv PERL5LIB /usr/apache/perl5/5.8.4/i86pc-solaris

  4. perl -MCPAN -e 'install HTML::Entities'

  5. perl -MCPAN -e 'install HTML::Mason'

  6. perl -MCPAN -e 'install Apache::Request'

  7. zlogin kochanski

  8. /usr/apache/bin/httpd -f /var/apachem/conf/httpd.conf


FLAR

Creating a FLAR

  1. flar create -c -n epia


 Creating the DVD


  1. mkdir /export/home/mydvd10

  2. cd /cdrom/sol_9_1203_sparc

  3. find s0 -print |cpio -pudm /export/home/mydvd10/s0

  4. cd /export/home/mydvd10

  5. /etc/init.d/volmgt stop

  6. for i in 1 2 3 4 5

  7. > do

  8. > dd if=/dev/dsk/c0t6d0s${i} of=s9u5.s${i} bs=512

  9. > done

  10. dd if=/dev/dsk/c0t6d0s0 of=s9u5.dvd.vtoc bs=512 count=1

  11. copy vtoc

  12. /etc/init.d/volmgt start

  13. restart volume mgmt

  14. cd /export/home/mydvd10/s0/Solaris_10/Product

  15. rm -rf *

  16. cd /export/home/mydvd10/s0

  17. rm -rf 1of2_Doc_CD 1of2_Doc_CD SW_Supp_CD

  18. cp /epia.flar /export/home/mydvd10/s0/Solaris_10/Product

  19. rm /export/home/mydvd10/s0/.install_config/*

  20. cp /mydvd10.profile /export/home/mydvd10/s0/.install_config

  21. cd /

  22. ./check

  23. Validating rules...

  24. Validating profile bidvd9.profile...

  25. The custom JumpStart configuration is ok.

  26. cp rules.ok /export/home/mydvd10/s0/.install_config

  27. edit /export/home/mydvd10/s0/Solaris_10/Tools/Boot/usr/sbin/install.d/profind

  28. cd /export/home/mydvd10

  29. mkisofs -R -D -d -L -l -o s9u5.S0 s0

  30. dd if=/export/home/mydvd10/s9u5.S0 of=/export/home/mydvd10/s9u5.s0 bs=512 skip=1

  31. It is important to note that mkisofs creates a VTOC at offset 0 within this image. Use the dd command to remove this invalid VTOC from the HSFS image by skipping the first 512 byte block.

  32. 5636159+0 records in

  33. 5636159+0 records out

  34. rm /export/home/mydvd10/s9u5.S0

  35. it was only the count that was needed.

  36. bc

  37. 6026240-(5636159+1)

  38. 390080

  39. dd if=/dev/zero of=pad.s0 bs=512 count=390080

  40. 390080+0 records in

  41. 390080+0 records out

  42. lofiadm -a /bidvd9/s9u5.s1 /dev/lofi/1

  43. mount /dev/lofi/1 /mnt

  44. ls -al /mnt/etc/sysidcfg

  45. lrwxrwxrwx 1 root other 24 Nov 28 16:38 /mnt/etc/sysidcfg -> ../tmp/root/etc/sysidcfg

  46. rm /mnt/etc/sysidcfg

  47. cp /export/home/mydvd10/sysidcfg /mnt/etc/sysidcfg

  48. umount /mnt

  49. lofiadm -d /dev/lofi/1

  50. cat s9u5.dvd.vtoc s9u5.s0 pad.s0 s9u5.s1 s9u5.s2 s9u5.s3 s9u5.s4 s9u5.s5 >bidvd9.image
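The arithmetic in steps 30 to 41 is easy to get off by one: the first 512-byte block of the mkisofs output is thrown away, one block of real VTOC goes in front, and zero padding fills slice 0 to its exact size. As an added example (mine, not the page's), the script below does the same dd/pad/cat sequence on tiny constructed files in a temp directory so the bookkeeping can be checked offline; the block counts 6026240 and 5636159 are the page's own numbers.

```shell
#!/bin/sh
# Added example, not from the page: reproduce the slice-0 assembly with fake
# 512-byte-block images so the padding arithmetic can be verified.

# pad_blocks SLICE_BLOCKS IMAGE_BLOCKS: zero blocks needed so that
# 1 VTOC block + stripped image + padding fills the slice exactly
# (the "6026240-(5636159+1)" bc line from the page).
pad_blocks() {
  echo $(( $1 - ($2 + 1) ))
}

# assemble_s0 SLICE_BLOCKS HSFS_IMAGE VTOC_BLOCK OUT
# Drops the invalid VTOC mkisofs wrote at offset 0 (skip=1), pads to the slice
# size and prepends the real VTOC block. Prints the result size in blocks.
assemble_s0() {
  slice=$1 img=$2 vtoc=$3 out=$4
  dd if="$img" of="$out.body" bs=512 skip=1 2>/dev/null
  body=$(( $(wc -c < "$out.body") / 512 ))
  pad=$(pad_blocks "$slice" "$body")
  if [ "$pad" -lt 0 ]; then
    echo "image ($body blocks) does not fit in slice ($slice blocks)" >&2
    rm -f "$out.body"
    return 1
  fi
  dd if=/dev/zero of="$out.pad" bs=512 count="$pad" 2>/dev/null
  cat "$vtoc" "$out.body" "$out.pad" > "$out"
  rm -f "$out.body" "$out.pad"
  echo $(( $(wc -c < "$out") / 512 ))
}

# Constructed demo: a 64-block slice and a 40-block mkisofs image, all zeros.
demo_assemble() {
  d=$(mktemp -d) || return 1
  dd if=/dev/zero of="$d/vtoc" bs=512 count=1 2>/dev/null
  dd if=/dev/zero of="$d/image.S0" bs=512 count=40 2>/dev/null
  assemble_s0 64 "$d/image.S0" "$d/vtoc" "$d/image.s0"
  rc=$?
  rm -rf "$d"
  return $rc
}

demo_assemble
```

On the real DVD the slice size comes from the VTOC you saved in step 10, so compare `pad_blocks` against the "records out" figure of the dd in step 30 before you cat the pieces together; an image that has outgrown its slice is reported rather than silently truncated.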


 mydvd10.profile

    install_type     flash_install
    archive_location local_file /cdrom/Solaris_10/Product/epia.flar
    partitioning     explicit
    #
    # 2.0GB swap on a 36GB disk
    # 4 cylinders on slice 7 for SVM's MetaData
    #
    filesys rootdisk.s0 free /
    filesys rootdisk.s1 1:1450 swap
    filesys rootdisk.s7 1451:4 unnamed

rules

any - - mydvd10.profile -

profind

    cdrom() {
            # Factory JumpStart is only allowed with factory
            # stub images, indicated by the file /tmp/.preinstall
            #
            if [ -f /tmp/.preinstall ]; then
                    mount -o ro -F lofs ${CD_CONFIG_DIR} ${SI_CONFIG_DIR} >/dev/null 2>&1
                    if [ $? -eq 0 ]; then
                            verify_config "defaults" "CDROM"
                    fi
            fi
            gettext " <<< using DVD install_config >>>"; echo     # bidvd9
            rmdir ${SI_CONFIG_DIR}                                 # bidvd9
            ln -s /cdrom/.install_config ${SI_CONFIG_DIR}          # bidvd9
    }


sysidcfg

    system_locale=en_US
    timezone=US/Pacific
    network_interface=primary {hostname=barossa
        ip_address=192.168.0.2
        netmask=255.255.255.0
        default_route=none
        protocol_ipv6=no}
    terminal=vt100
    security_policy=NONE
    root_password=Q7jsh1m6IztTU
    name_service=NONE
    timeserver=localhost
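Both sysidcfg files in this howto (the zone one under Configuration files and the DVD one above) carry the root password, and the format trips people up: root_password must be the encrypted string as it appears in /etc/shadow, not the clear text, so a value like "Secret" becomes the literal hash and root cannot log in. The file is also world-readable by default, which hands that hash to anyone on the box. As an added example (mine, not the page's), this script checks a sysidcfg for those two problems plus a missing security_policy line; the sample files are constructed from the two on this page.

```shell
#!/bin/sh
# Added example, not from the page: lint a sysidcfg before it goes onto the DVD
# or into a zone. Accepts the classic 13-character crypt(3) string or a
# $id$salt$hash string; anything else is reported as probably clear text.

check_sysidcfg() {   # check_sysidcfg FILE -> prints findings, returns 1 if any
  rc=0
  pw=$(sed -n 's/^[[:space:]]*root_password=//p' "$1" | tr -d '[:space:]')
  case $pw in
    '')         echo "$1: root_password missing"; rc=1 ;;
    \$*\$*\$*)  ;;                                # $1$..., $5$..., $6$... hashes
    *) if [ "${#pw}" -ne 13 ]; then
         echo "$1: root_password is not a crypt(3) string (clear text?)"; rc=1
       fi ;;
  esac
  # columns 8-10 of ls -l are the "other" permission bits
  if [ "$(ls -l "$1" | cut -c8-10)" != "---" ]; then
    echo "$1: readable by others, chmod 600 it"; rc=1
  fi
  if ! grep -q '^[[:space:]]*security_policy=' "$1"; then
    echo "$1: security_policy missing, the installer will prompt"; rc=1
  fi
  return $rc
}

# Constructed samples modelled on the two sysidcfg files in this howto.
# Prints the findings, then "<zone rc> <dvd rc>" on the last line.
demo_check() {
  d=$(mktemp -d) || return 1
  printf '%s\n' 'root_password=Secret' 'security_policy=none' > "$d/zone.sysidcfg"
  chmod 644 "$d/zone.sysidcfg"
  printf '%s\n' 'root_password=Q7jsh1m6IztTU' 'security_policy=NONE' > "$d/dvd.sysidcfg"
  chmod 600 "$d/dvd.sysidcfg"
  bad=0;  check_sysidcfg "$d/zone.sysidcfg" || bad=$?
  good=0; check_sysidcfg "$d/dvd.sysidcfg"  || good=$?
  rm -rf "$d"
  echo "$bad $good"
}

demo_check
```

Generate the encrypted string on a Solaris box by setting the password on a scratch account and copying the second field of its /etc/shadow line, then run `check_sysidcfg` on the file you are about to copy into the zone root or the DVD image.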

HW tested

Box 1

Motherboard: Via Epia 800 ITX board

Box 2

  • NIC: D-Link, DFE-530TX, DL10030B


Trouble shooting

Sendmail

Mail not going out

Users report

Mail not going out of the local zone, even though the configuration is the same as in the global zone.

/var/log/syslog

    Nov 15 23:21:37 kochanski sendmail[8431]: [ID 801593 mail.info] jAFMLbUS008431: from=<root@kochanski.dwarf>, size=357, class=0, nrcpts=1, msgid=<200511152221.jAFMLbDt008430@kochanski.dwarf>, proto=ESMTP, daemon=MTA-v4, relay=localhost [127.0.0.1]
    Nov 15 23:21:37 kochanski sendmail[8430]: [ID 801593 mail.info] jAFMLbDt008430: to=valid@inter.net, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30073, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (jAFMLbUS008431 Message accepted for delivery)
    Nov 15 23:21:37 kochanski sendmail[8433]: [ID 801593 mail.info] jAFMLbUS008431: to=<hclaville@gmail.com>, ctladdr=<root@kochanski.dwarf> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=120357, relay=smtp.net [nnn.nnn.nnn.nnn], dsn=5.1.1, stat=User unknown
    Nov 15 23:21:37 kochanski sendmail[8433]: [ID 801593 mail.info] jAFMLbUS008431: jAFMLbUS008433: DSN: User unknown

 Solution

So it turns out root doesn't get masqueraded (root is an exposed user by default, so MASQUERADE_AS does not rewrite it); after creating the twiki user and running su twiki, sending e-mails worked as expected.

Connection refused by [127.0.0.1]

Feb 15 22:11:06 myhost sendmail[3047]: [ID 801593 mail.info] m1FLB6Je003047: to=nospam@spamcity.org, ctladdr=mailadmin (100/1), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30065, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]

 Solution

remove /etc/mail/submit.cf see: http://www.sunmanagers.org/pipermail/sunmanagers/2006-February/039507.html
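Both problems above were diagnosed by reading /var/log/syslog, and every "to=" record sendmail writes carries a DSN code: 2.x.x is delivered, 4.x.x is a temporary failure that stays queued, 5.x.x is a permanent bounce. As an added example (mine, not the page's), the filter below pulls out only the attempts that did not succeed; the sample lines are the ones from the two troubleshooting entries in this section.

```shell
#!/bin/sh
# Added example, not from the page: list failed sendmail deliveries from
# mail.info syslog lines. Output: "queue-id dsn recipient stat".

# sendmail_failures: stdin = syslog lines; prints one line per "to=" record
# whose DSN is not 2.x.x. Queue ids are the 14-character tokens before ": to=".
sendmail_failures() {
  sed -n 's/^.* \([A-Za-z0-9]\{14\}\): to=\([^,]*\),.* dsn=\([0-9.]*\), stat=\(.*\)$/\1 \3 \2 \4/p' \
  | awk '$2 !~ /^2\./ { print }'
}

# Sample log, copied from the troubleshooting entries in this section.
SAMPLE_LOG='Nov 15 23:21:37 kochanski sendmail[8431]: [ID 801593 mail.info] jAFMLbUS008431: from=<root@kochanski.dwarf>, size=357, class=0, nrcpts=1, msgid=<200511152221.jAFMLbDt008430@kochanski.dwarf>, proto=ESMTP, daemon=MTA-v4, relay=localhost [127.0.0.1]
Nov 15 23:21:37 kochanski sendmail[8430]: [ID 801593 mail.info] jAFMLbDt008430: to=valid@inter.net, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30073, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (jAFMLbUS008431 Message accepted for delivery)
Nov 15 23:21:37 kochanski sendmail[8433]: [ID 801593 mail.info] jAFMLbUS008431: to=<hclaville@gmail.com>, ctladdr=<root@kochanski.dwarf> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=120357, relay=smtp.net [nnn.nnn.nnn.nnn], dsn=5.1.1, stat=User unknown
Nov 15 23:21:37 kochanski sendmail[8433]: [ID 801593 mail.info] jAFMLbUS008431: jAFMLbUS008433: DSN: User unknown
Feb 15 22:11:06 myhost sendmail[3047]: [ID 801593 mail.info] m1FLB6Je003047: to=nospam@spamcity.org, ctladdr=mailadmin (100/1), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30065, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]'

printf '%s\n' "$SAMPLE_LOG" | sendmail_failures
```

On a live box run `sendmail_failures < /var/log/syslog`; the first hand-off to 127.0.0.1 reports 2.0.0 even when the relay later bounces the message, which is why the second record for the same queue id is the one to read.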

Building Digest::SHA1


  1. download the Digest::SHA1

  2. perl Makefile.PL cc=gcc ld=gcc

  3. edit Makefile

  4. Replace FPIC with fPIC

  5. Remove -xO3 -xspace -xildoff from OPTIMIZE =

  6. Leaving 'OPTIMIZE ='


Thank you for reading
