Your OpenSolaris VPS (2009.06 release) is accessible only through SSH. All network services are disabled by default with the exception of SSH. The server comes with minimal software and changes (see Defaults for more information).
    pkg set-publisher -G http://pkg.openindiana.org/legacy/ -g http://pkg-2.de.openindiana.org/legacy/ opensolaris.org
    pkg set-publisher -P -G http://pkg.openindiana.org/dev/ -g http://pkg-2.de.openindiana.org/dev/ openindiana.org

OpenSolaris no longer uses the old Solaris-based packaging (e.g. pkgadd or pkgrm…). In the new packaging architecture in OpenSolaris, all the latest software is on a remote repository (called “publisher” in IPS). You can also peek at the available software using the browser.
IPS package management is done through the single pkg command:
Installing a package also installs all its dependency packages. Uninstalling will only remove the specified package, unless the -r option is also specified. You can also pass the -n option to do a quick “dry run” of most of these commands.
Note 1: The default publisher is /release. You can also use a /contrib or another publisher with extra software that is not found in /release.
    root@mask:~# pkg publisher
    PUBLISHER                   TYPE     STATUS   URI
    opensolaris.org (preferred) origin   online   http://pkg.opensolaris.org/release/
    root@mask:~#
You should also be familiar with Solaris 10's SMF framework, which is in OpenSolaris as well. SMF is a framework for managing the services that run on your OpenSolaris server. To get started you only need to know two commands: svcs and svcadm. Running just “svcs -a” will show all the services that are either enabled or disabled.
    root@fans:/# svcs ftp
    STATE          STIME    FMRI
    online         11:20:48 svc:/network/ftp:default
    root@fans:/#
That command shows FTP is running. To disable FTP to your server, you would do:
    root@fans:/# svcadm disable ftp
    root@fans:/# svcs ftp
    STATE          STIME    FMRI
    disabled       11:43:56 svc:/network/ftp:default
    root@fans:/#
Since these are plain vanilla OpenSolaris builds, some packages are missing. Here is a short list of items we recommend installing to customize your environment:
In addition to specific packages as mentioned above, IPS also has “grouped” packages. Installing these packages installs all the components in that group. To install the latest stable versions of the common web infrastructure software (apache, mysql, php), run: pkg install amp. You can also see the official Getting Started Guide to Webstack.
The configuration directories are:
The /var (“variable data”) location is where all the logs and data files should reside:
The binaries and libs for the above software reside in:
The web site data should be put in /usr/apache2/2.2/htdocs. The web server by default runs as the webservd user and group. You can also use Lighttpd or Nginx web servers instead of Apache (see below).
The following shows the SMF service names associated with apache and mysql:
    root@mask:~# svcs mysql
    STATE          STIME    FMRI
    disabled       Sep_02   svc:/application/database/mysql:version_51
    root@mask:~# svcs apache22
    STATE          STIME    FMRI
    disabled       Sep_02   svc:/network/http:apache22
    root@mask:~#
The gd.so module included with PHP is broken as of September 2009 in our OpenSolaris VPS server. Apache will fail to start because of this! You need to either disable PHP's gd.so module OR additional software needs to be installed. This is due to bug 9231.
To disable the gd.so module, edit /etc/php/5.2/conf.d/gd.ini and place ; before the extension=gd.so line.
If you require the gd.so module in PHP, you need to install the X11 packages. To do so run: pkg install SUNWxwplt. Please do this only if the gd.so module is required. The X11 packages install lots of additional software and services that are not needed and use up extra disk space.
Note: As a hack, you can copy the entire /usr/X11 contents from another OpenSolaris install to your OpenSolaris VPS. Contact us for additional information.
Apache 2.2 is broken as of September 2009 in our OpenSolaris VPS server. Apache may hang and will stop responding to HTTP requests. If you are seeing this, you need to make some minor changes until we get an official fix from Sun/OpenSolaris.
To use Lighttpd, simply install the Lighttpd binaries: pkg install SUNWlighttpd14. The associated SMF service is:
    root@mask:~# svcs lighttpd14
    STATE          STIME    FMRI
    online         Sep_04   svc:/network/http:lighttpd14
    root@mask:~#
The file system locations for the software: /usr/lighttpd/1.4, /etc/lighttpd/1.4, /var/lighttpd/1.4
To get PHP to work with lighttpd, enable the mod_fastcgi module in /etc/lighttpd/1.4/lighttpd.conf and ensure the following fastcgi configuration is set up in lighttpd.conf:

    fastcgi.server = ( ".php" =>
      ( "localhost" =>
        (
          "socket" => "/tmp/php-fastcgi.socket",
          "bin-path" => "/usr/php/bin/php-cgi"
        )
      )
    )
Nginx requires some additional steps, since it is not yet part of the default OpenSolaris release. You can easily install Nginx since it is available on another IPS repository. We start off with adding a new webstack repository that contains Nginx:
    root@mask:~# pkg set-publisher -O http://pkg.opensolaris.org/webstack/ webstack
    root@mask:~# pkg publisher
    PUBLISHER                   TYPE     STATUS   URI
    opensolaris.org (preferred) origin   online   http://pkg.opensolaris.org/release/
    webstack                    origin   online   http://pkg.opensolaris.org/webstack/
Then, install nginx as usual:
    root@mask:~# pkg search nginx
    INDEX       ACTION VALUE                     PACKAGE
    basename    dir    opt/webstack-source/nginx pkg:/firstname.lastname@example.org
    basename    dir    var/nginx                 pkg:/email@example.com
    basename    dir    etc/nginx                 pkg:/firstname.lastname@example.org
    basename    file   usr/nginx/sbin/nginx      pkg:/email@example.com
    description set    nginx                     pkg:/firstname.lastname@example.org
    description set    nginx                     pkg:/email@example.com
    pkg.summary set    nginx                     pkg:/firstname.lastname@example.org
    pkg.summary set    nginx                     pkg:/email@example.com
    root@mask:~# pkg install nginx
    ...

Set up the SMF service for nginx:

    root@mask:~# svccfg import /var/svc/manifest/network/http-nginx.xml
    root@mask:~# svcadm enable nginx
    root@mask:~# svcs nginx
    STATE          STIME    FMRI
    online         Aug_01   svc:/network/http:nginx
    root@mask:~#
Installing the amp package above will also install MySQL 5.1. The file system locations for the software: /usr/mysql, /var/mysql/data, /etc/mysql/my.cnf. To start mysql, just do:
    root@wolf:/# svcadm enable mysql
    root@wolf:/#

This will install MySQL and set up the initial user tables in /var/mysql/data. You do not have to do anything else. There is no default password set. You should change the mysql passwords as soon as you install it.
Using IPS, you can easily install the latest version of JDK. The general syntax to install the JDK is: pkg install runtime/java
    root@pana:~# pkg install SUNWj6dev
    DOWNLOAD                                    PKGS       FILES     XFER (MB)
    Completed                                    2/2     970/970   65.30/65.30

    PHASE                                        ACTIONS
    Install Phase                              1231/1231
    root@pana:~#
This installs the JDK in /usr/java.
To install Python 2.6: pkg install SUNWPython26
IPS uses the Python programming language; this is one of the reasons Python is already included in your OS, though it is the 2.4 version:

    root@pana:~# /usr/bin/python -V
    Python 2.4.4
    root@pana:~#
You can use the GCC compiler to compile software. To do this, the GCC development cluster (gmake/autoconf/libtool…) needs to be installed: pkg install gcc-dev.
Sun Studio Express
These steps are for using Sun Studio Express in OpenSolaris. It is the recommended compiler on the OpenSolaris platform - it has been optimized for OpenSolaris. Install compilers and additional required packages:
Then, add the following contents to the end of the /home/admin/.profile file (we recommend compiling as the admin user, until ready to install software).

    DMAKE_MODE=parallel
    DMAKE_MAX_JOBS=4
    CFLAGS="-fast"
    CXXFLAGS="-fast"
    export DMAKE_MAX_JOBS DMAKE_MODE CFLAGS CXXFLAGS
    export PATH="/opt/SunStudioExpress/bin:$PATH"
Be sure to now source the new .profile or log out and in again to get the new environment in the admin account. That should do it.
Note: Instead of running make, you can run: dmake. This will make your compile a lot faster!
Sendmail is the default mail software in OpenSolaris.
You can configure sendmail to either be a daemon listening for incoming mail or have it just be a client that can send out mail (the most secure). The latter is required if you have a web site or application that needs to send mail to users. You can use these steps to set up a secure **sendmail client**:
netstat -an |grep LISTEN should now show that sendmail ports 25 and 587 are running on localhost in a secure environment.
Note: Some Unix operations (crontab/mail/mailx) also use sendmail client to send out mail.
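A scripted form of the netstat check above, as an added example that is not part of the original page: it flags any listener on port 25 or 587 that is not bound to loopback. The function names and sample lines are constructed, and the parser assumes the Solaris netstat layout, where the local address is written as address.port.

```shell
#!/bin/sh
# Constructed sample of Solaris-style `netstat -an` TCP lines
# (not captured from a real server). One wildcard listener on 587 is
# included on purpose so the check has something to report.
SAMPLE_NETSTAT='
      *.22                 *.*                0      0 49152      0 LISTEN
127.0.0.1.25               *.*                0      0 49152      0 LISTEN
127.0.0.1.587              *.*                0      0 49152      0 LISTEN
      *.587                *.*                0      0 49152      0 LISTEN
192.0.2.10.22        198.51.100.7.51515   49640      0 49640      0 ESTABLISHED
'

# Read netstat -an output on stdin and print every LISTEN socket on
# port 25 or 587 whose local address is not loopback.
exposed_mail_listeners() {
    awk '
        $NF == "LISTEN" {
            laddr = $1
            n = split(laddr, parts, ".")
            port = parts[n]                 # last dot-separated field is the port
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if ((port == "25" || port == "587") &&
                addr != "127.0.0.1" && addr != "::1")
                print laddr
        }'
}

# Succeed only when no mail port is reachable from outside the host.
mail_is_local_only() {
    [ -z "$(exposed_mail_listeners)" ]
}

# Demo on the constructed sample; on a live server use:
#   netstat -an | exposed_mail_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_mail_listeners
```

A wildcard entry such as *.25 in the output means sendmail is still accepting connections on every interface and the client-only configuration has not taken effect.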
You have full access to the networking stack in the OpenSolaris environment. You can manage firewalls (ipfilter) and listen on the wire for network traffic (snoop). Please look at the ipfilter howto for more information on how to use it.
As we've mentioned earlier, the OpenSolaris VPS servers from Entic.net are bare minimum installs. We do this on purpose - we want to provide the hardware and the base OS, the rest is up to you to customize and make your own.
There are, however, some minor changes which we feel are a must and have been done on your server:
    svcadm disable rpc/bind
    svcadm disable autofs
    svcadm disable svc:/network/security/ktkt_warn:default
    useradd -s /bin/bash -m admin
    useradd -s /usr/bin/pfsh -d / suser
    usermod -K type=role root
    usermod -P "Primary Administrator" -R root admin
    usermod -P "Primary Administrator" -R root suser

We disable rpc/bind because RPC services are usually not required (even though the default rpc/bind service has an SMF property of config/local_only=true, we still disable it as an added security measure). We also disable a couple of services which we find running after the install (shown above).
We then create two users: admin and suser (more on suser below). We also make root an RBAC role, ensuring all direct root logins are disabled.
Both of these accounts are then given the “Primary Administrator” profile. This makes it so you can run commands as root using “pfexec”: e.g. pfexec pkg install SUNWj6dev to install Java. In addition, since root is now a role, we also assign the root role to both admin and suser users.
suser: suser is a special account we create so we can log in to your server, if there is ever a need. Since root is a role, we can no longer log in as root directly. Please leave this account as is, if at all possible. It has been set up so no one can log in to it remotely.
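One way to verify that the defaults listed above are still in place, as an added example rather than Entic.net's own tooling. The function names and sample data are constructed, and it assumes the /etc/user_attr layout user:qualifier:res1:res2:attr and the output shape of svcs -H -o state,fmri.

```shell
#!/bin/sh
# Constructed samples (not captured from a real server).
# Output shape of: svcs -H -o state,fmri
SAMPLE_SVCS='disabled svc:/network/rpc/bind:default
online svc:/system/filesystem/autofs:default
disabled svc:/network/security/ktkt_warn:default
online svc:/network/ssh:default'
# Contents shaped like /etc/user_attr (user:qualifier:res1:res2:attr)
SAMPLE_USER_ATTR='root::::type=role;auths=solaris.*,solaris.grant;profiles=All
admin::::profiles=Primary Administrator;roles=root
suser::::roles=root'

# Print the FMRI of any of the three services that is not "disabled".
services_not_disabled() {
    awk '$2 ~ /rpc\/bind|autofs|ktkt_warn/ && $1 != "disabled" { print $2 }'
}

# Succeed only if the root entry carries type=role (no direct root login).
root_is_role() {
    awk -F: '$1 == "root" && $5 ~ /(^|;)type=role(;|$)/ { found = 1 }
             END { exit !found }'
}

# Print admin/suser when the account is absent or lacks the profile or role.
accounts_missing_grants() {
    awk -F: '
        $1 == "admin" || $1 == "suser" {
            seen[$1] = 1
            if ($5 !~ /(^|;)profiles=([^;]*,)?Primary Administrator(,|;|$)/ ||
                $5 !~ /(^|;)roles=([^;]*,)?root(,|;|$)/)
                print $1
        }
        END {
            if (!seen["admin"]) print "admin"
            if (!seen["suser"]) print "suser"
        }'
}

# Demo on the constructed samples; on a live system feed the real sources:
#   svcs -H -o state,fmri | services_not_disabled
#   accounts_missing_grants < /etc/user_attr
printf '%s\n' "$SAMPLE_SVCS" | services_not_disabled
printf '%s\n' "$SAMPLE_USER_ATTR" | accounts_missing_grants
```

Empty output from both functions and a zero exit status from root_is_role mean the configuration still matches the commands shown above.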